Breaking change
---------------
The underlying password hashing library has been changed from `passlib` to `pwdlib`. This change is breaking only if you were using a custom `CryptContext`. Otherwise, you can upgrade without any changes.
Improvements
------------
* Python 3.12 support
* Passwords are now hashed using the Argon2 algorithm by default. Passwords created with the previous default algorithm (bcrypt) will still be verified correctly and upgraded to Argon2 when the user logs in.
* Bump dependencies
    * `python-multipart ==0.0.9`
Bug fixes
---------
* Fix a bug when trying to update user with a `None` password. Thanks @fotinakis 🎉
* Fix static type checking error with `AccessTokenProtocol`. Thanks @Nerixjk 🎉
Improvements
------------
* Bump dependencies
    * `redis >=4.3.3,<6.0.0`
Pydantic V2 support
-------------------
This version brings Pydantic V2 support. Like FastAPI, it keeps backward-compatibility with Pydantic V1, so you can upgrade safely and at your own pace.
Apart from your own Pydantic schemas, no changes are needed to your FastAPI Users setup.
Thanks @AdamIsrael for the initial work and research 🎉
Breaking changes
----------------
* Transport classes now always build full response objects instead of using the implicit FastAPI `Response` object.
    * If you were not implementing your own custom transport classes, you will have nothing to do.
    * If you implemented custom classes, you should adapt them so they return a `Response` object. [[Example](8959a12d56/fastapi_users/authentication/transport/bearer.py)]
* Cookie transport now returns a proper `204 No Content` response on logout, which should please OpenAPI Generators. Thanks @caniko 🎉
New features
------------
* The `on_after_login` method now accepts `response` as an argument, which is the `Response` object built by the transport. [[Documentation](https://fastapi-users.github.io/fastapi-users/latest/configuration/user-manager/#on_after_login)] Thanks @sorasful 🎉
Bug fixes
---------
* Fix #1166: add type hint to /users/{id} routes. Thanks @gegnew 🎉
* Fix `/verify` route returning `null` user ID with Beanie. Thanks @jankadel 🎉
* Update verify.py
When using a schema setup as proposed in the documentation like: ReadUser, CreateUser, UpdateUser and BaseUser in combination with MongoDB / Beanie, the verify() method will not "enforce" the `user_schema` but instead will return the `BaseUser` which will cause serialisation errors as such:
```
pydantic.error_wrappers.ValidationError: 1 validation error for ReadUser
response -> id
```
because the mapping between MongoDB's internal `_id` and the Pydantic `id` does not work.
* use `from_orm`
* Revamp Transport so they always build a full Response object
* Fix linting
* Add private methods to set cookies on CookieTransport
* Change on_after_login login_return parameter to response
Improvements
------------
* Ensure the reset password token can be used only once.
* Change JWT access token structure to use standard `sub` claim instead of `user_id`.
    * ⚠ Existing JWT will be invalidated
* Change verify and reset password tokens structure to use standard `sub` claim instead of `user_id`.
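
Why the move to `sub` invalidates existing tokens, shown as an added example that is not FastAPI Users' own code: a standard-library HS256 reader that resolves the user from `sub` accepts a new-style token and rejects a correctly signed, unexpired token that still carries `user_id`. The secret, user ID, clock value and function names are constructed or hypothetical; a real deployment would rely on `pyjwt` rather than hand-written parsing.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed value, not a real key
NOW = 1_700_000_000                  # constructed clock so the demo is repeatable


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Serialize and sign claims as a compact HS256 JWT."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"


def read_user_id(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> Optional[str]:
    """Return the `sub` claim of a valid token, or None when it must be rejected."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        # Verify the signature in constant time before trusting any claim.
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256" or not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return None
    sub = claims.get("sub")  # a token that only carries `user_id` ends here
    return sub if isinstance(sub, str) and sub else None


NEW_TOKEN = encode_hs256({"sub": "constructed-user-id", "exp": NOW + 3600})         # constructed
LEGACY_TOKEN = encode_hs256({"user_id": "constructed-user-id", "exp": NOW + 3600})  # constructed
```

Sessions issued before the upgrade therefore fail authentication even though their signature and expiry are still good, so clients have to log in again.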
Improvements
------------
* Bump `httpx-oauth >=0.4,<0.11`
    * With `httpx-oauth >= 0.10`, the OAuth2 client may not be able to return an email address depending on the OAuth Provider. In this case, the error `OAUTH_NOT_AVAILABLE_EMAIL` is raised during `/callback`. [[Documentation](https://fastapi-users.github.io/fastapi-users/10.2/usage/routes/#get-callback)]
* Enable Python 3.11 support in CI
New features
------------
* Trigger custom logic after user login with `on_after_login`. [[Documentation]()] Thanks @antont 🎉
Improvements
------------
* Bump dependencies:
    * `email-validator >=1.1.0,<1.4`
    * `pyjwt[crypto] ==2.5.0`
* Use Hatch for environment and package management
* on_after_login minimal impl.
Questions: is the spot logical for after method? Is after the internal login call.
Would before_login be needed? Maybe not, as auth is the way to do pre-login things.
Added fastapi request as a param just in case, as other callbacks had it too.
Docs addition is missing.
* tried to complete the implementation, but the test with user_manager.on_after_login.called fails though
* move on_after_login tests to right place, to TestLogin. These ones pass.
TODO: check TestCallback
* on_after_login tests to TestCallback too, for oauth. Apparently test_redirect_url_router fires the callback too, I guess that's correct, am not using oauth myself.
* fix formatting with make format
* docs for on_after_login
Co-authored-by: Toni Alatalo <toni.alatalo@gmail.com>