- Use `autocomplete="one-time-code"` on form inputs
- Set `Auto-Submitted` header in emails
- Align handling of localhost as a secure context with upstream. Notably, this means that `DEBUG` no longer has any effect and that `127.0.0.1` is no longer treated as a secure context.
- Drop support for Python 3.8
- Add support for `LoginRequiredMiddleware` from django 5.1
- Fix failed package build
- Set ID field independent of `DEFAULT_AUTO_FIELD`
- Add support for async in `MFAEnforceMiddleware`
- Fix: include `login_failed_subject.txt` in package
- Add support for django 5.0, drop support for django 4.1
- Add support for python 3.12, drop support for python 3.7
- Replace setup.py by pyproject.toml
- Add setting `MFA_FIDO2_USER_VERIFICATION`
- Allow using FIDO2 on localhost without HTTPS if `DEBUG` is True (thanks to humphrey)
- Avoid autocompletion in the code field
- Fix minimum supported django version (3.2) in the package
- Add french translation (thanks to hleroy)
- Autofocus in auth form
- Work around rendering bug in qrcode (see lincolnloop/python-qrcode#317)
- Add option to send an email on failed login
- Add new setting `MFA_TOTP_VALID_WINDOW` to compensate for clock drift (thanks to Tobias Bölz)
- Adapt to fido2 1.0.0
- Pin fido2 dependency
- Security fix: The admin login was not adapted, so it could be used to bypass MFA. As a fix, django-mfa3 will now automatically patch `AdminSite` so the admin login redirects to the regular login. (CVE-2022-24857)
- Drop support for django 2.2
- Use a more efficient string encoding for FIDO2 messages
- Drop support for python 3.6, add support for python 3.10
- Drop support for django 3.1, add support for django 4.0
- No longer include MFA code in credentials for `user_login_failed`
- Add recovery codes. Check the example templates for references to "recovery" to see what needs to be changed.
- Add new setting `MFA_METHODS` to change the set of enabled methods.
- Fix usage with custom User models that use a different username field (thanks to Ashok Argent-Katwala)
- Security fix: Do not allow users to see the names of, or delete, other users' keys (secrets were not leaked)
- Fix packaging: include .mo files
- Fix packaging: include templatetags
- Fix packaging: exclude tests
- Convert qrcode to template filter. In templates, change `{{ mfa_data.qrcode|safe }}` to `{% load mfa %} {{ mfa_data.url|qrcode }}`.
- Fix form validation on missing code
- Add german translation
- Use `never_cache` and `sensitive_post_parameters` decorators
- Do not generate a new challenge on validation errors
- Trigger `user_login_failed` on failed second factor. This can be used for integrating with external rate limiting solutions such as django-axes.
- Fix: include JS files in python package
- Render qrcode server-side
- Convenience: redirect to TOTP auth if no FIDO2 key exists
- Add optional `MFAEnforceMiddleware`
- Tweak admin UI
- Tweak example templates
- Initial release
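The `MFA_TOTP_VALID_WINDOW` entry above only says that a window compensates for clock drift. The following is an added, self-contained example (not django-mfa3's own code; it does not use the project's API) of what such a window does at the RFC 6238 level: a code is accepted if it matches the current 30-second step or any of `valid_window` steps on either side. It also shows the check a verifier should pair with a window: remembering the highest step already consumed, so a code that was accepted once cannot be replayed within the window. The test secret is the RFC 6238 reference seed; the `TotpVerifier` class and its `valid_window` argument are this example's own names.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 6238 reference seed (SHA-1 test vectors); not a real secret.
RFC6238_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation, then the low `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, int(timestamp) // step, digits)


class TotpVerifier:
    """Verifies TOTP codes with a drift window and replay protection.

    valid_window=N accepts the code for the current step and N steps before
    and after it, so a 30-second step with window 1 tolerates roughly
    +/- 30 seconds of drift between the token and the server. Each extra
    step also adds one more code an attacker could guess, so keep it small.
    """

    def __init__(self, secret: bytes, valid_window: int = 0,
                 step: int = 30, digits: int = 6) -> None:
        self.secret = secret
        self.valid_window = valid_window
        self.step = step
        self.digits = digits
        # Highest counter already consumed; a real deployment persists this.
        self.last_counter: Optional[int] = None

    def matching_offset(self, code: str, timestamp: int) -> Optional[int]:
        """Return the step offset (-window..+window) the code matches, or None."""
        if not (code.isdigit() and len(code) == self.digits):
            return None
        counter = int(timestamp) // self.step
        for offset in range(-self.valid_window, self.valid_window + 1):
            expected = hotp(self.secret, counter + offset, self.digits)
            if hmac.compare_digest(expected, code):
                return offset
        return None

    def verify(self, code: str, timestamp: int) -> bool:
        """Accept the code once: a matching step at or below the last
        consumed step is treated as a replay and rejected."""
        offset = self.matching_offset(code, timestamp)
        if offset is None:
            return False
        counter = int(timestamp) // self.step + offset
        if self.last_counter is not None and counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    now = 1111111109  # RFC 6238 test time; step counter 37037036
    server = TotpVerifier(RFC6238_SEED, valid_window=1, digits=8)
    print("code:", totp(RFC6238_SEED, now, digits=8))          # 07081804
    print("accepted:", server.verify("07081804", now))          # True
    print("replayed:", server.verify("07081804", now))          # False
```

A token whose clock runs 40 seconds slow produces the code for the previous step; `valid_window=0` rejects it and `valid_window=1` accepts it, which is the trade-off the setting exposes. The replay check matters precisely because the window makes a single code valid for more than one step.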
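The "Add recovery codes" entry above points at the templates but says nothing about how such codes are handled. As an added example (not django-mfa3's own implementation; names such as `RecoveryCodeStore` are this example's own), the block below shows the properties a recovery-code store needs: codes generated with the `secrets` module, only salted hashes kept at rest, a normalised comparison so users can type the code with or without dashes and in any case, and single use, so a redeemed code cannot be used again. A salted SHA-256 is assumed to be adequate here because each code carries about 50 bits of randomness; for low-entropy secrets such as passwords a slow hash would be required instead.

```python
import hashlib
import hmac
import secrets
import string
from typing import List, Optional

# Unambiguous lowercase alphabet: 32 symbols, so a 10-symbol code has 50 bits.
ALPHABET = "".join(c for c in string.ascii_lowercase + string.digits
                   if c not in "0o1li")
CODE_LENGTH = 10


def generate_recovery_codes(count: int = 10) -> List[str]:
    """Generate `count` codes from the OS CSPRNG, formatted as xxxxx-xxxxx."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(raw[:5] + "-" + raw[5:])
    return codes


def normalize(code: str) -> str:
    """Make comparison tolerant of case, whitespace and separator dashes."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


def hash_code(code: str, salt: bytes) -> str:
    """Salted SHA-256 of the normalised code, hex-encoded for storage."""
    return hashlib.sha256(salt + normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Holds only hashes; each code can be redeemed exactly once."""

    def __init__(self, codes: List[str], salt: Optional[bytes] = None) -> None:
        self.salt = salt if salt is not None else secrets.token_bytes(16)
        self.hashes = [hash_code(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, candidate: str) -> bool:
        """Return True and burn the matching code; False if nothing matches.
        Every stored hash is compared so that timing does not reveal which
        slot (if any) matched."""
        digest = hash_code(candidate, self.salt)
        matched = None
        for index, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, digest):
                matched = index
        if matched is None:
            return False
        del self.hashes[matched]
        return True


if __name__ == "__main__":
    issued = generate_recovery_codes()
    store = RecoveryCodeStore(issued)  # in practice: persisted per user
    print("codes to show the user once:", issued)
    print("first use:", store.redeem(issued[0].upper()))   # True
    print("second use:", store.redeem(issued[0]))          # False, already burnt
    print("remaining:", store.remaining())                 # 9
```

The plaintext list exists only at generation time so it can be shown to the user once; afterwards the store can confirm or deny a code but cannot reproduce it, which is what limits the damage if the database is exposed.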