Bug fixes and improvements
--------------------------
* Add cookie parameters added in 15.0.1 to `FastAPIUsers.get_oauth_router` and `FastAPIUsers.get_oauth_associate_router`. Thanks @jthurner 🎉
🛡️ Security Fix
----------------
A CSRF vulnerability was identified in the OAuth2 flow. To mitigate this, the authorize endpoint will set a cookie in the response, and this cookie will be expected in the callback request.
In most cases, this change should work out-of-the-box, but in certain scenarios (e.g. cross-domain setups), additional configuration may be required for the cookie to be correctly sent and received. [[Read more](https://fastapi-users.github.io/fastapi-users/dev/configuration/oauth/#csrf-cookie-configuration)]
**Thanks to @davidbors-snyk from [Snyk](https://github.com/snyk) for his research, responisble disclosure, and assistance in fixing this issue.**
Improvements
------------
* Bump dependencies
* `python-multipart ==0.0.21`
* `pwdlib[argon2,bcrypt] ==0.3.0`
Announcement
-------------
FastAPI Users is now in maintenance mode.** While we'll continue to provide security updates and dependency maintenance, no new features will be added. We encourage you to explore the project and use it as-is, knowing it will remain stable and secure.
[[Read more](https://github.com/fastapi-users/fastapi-users/discussions/1543)]
Bug fixes
---------
* Handle expired JWT when handling OAuth callback (#1462). Thanks @mdaffad 🎉
Announcement
-------------
FastAPI Users is now in maintenance mode.** While we'll continue to provide security updates and dependency maintenance, no new features will be added. We encourage you to explore the project and use it as-is, knowing it will remain stable and secure.
Breaking changes
----------------
* Drop Python 3.9 support.
* Drop Pydantic v1 support.
If you still need them, you can install [v14.0.2](https://github.com/fastapi-users/fastapi-users/releases/tag/v14.0.2), which was updated at the same time as this release.
Announcements
-------------
* This is the last release to support Python 3.9 and Pydantic v1.
* FastAPI Users is now in maintenance mode.** While we'll continue to provide security updates and dependency maintenance, no new features will be added. We encourage you to explore the project and use it as-is, knowing it will remain stable and secure.
Bug fixes and improvements
--------------------------
* Bump dependencies:
* `email-validator >=1.1.0,<2.4`
* `redis >=4.3.3,<8.0.0`
Breaking change
---------------
The underlying password hashing library has been changed from `passlib` to `pwdlib`. This change is breaking only if you were using a custom `CryptContext`. Otherwise, you can upgrade without any changes.
Improvements
------------
* Python 3.12 support
* Password are now hashed using the Argon2 algorithm by default. Passwords created with the previous default algorithm (bcrypt) will still be verified correctly and upgraded to Argon2 when the user logs in.
* Bump dependencies
* `python-multipart ==0.0.9`
Bug fixes
---------
* Fix a bug when trying to update user with a `None` password. Thanks @fotinakis 🎉
* Fix static type checking error with `AccessTokenProtocol`. Thanks @Nerixjk 🎉
Improvements
------------
* Bump dependencies
* `redis >=4.3.3,<6.0.0`
Pydantic V2 support
-------------------
This version brings Pydantic V2 support. Like FastAPI, it keeps backward-compatibility with Pydantic V1, so you can upgrade safely and at your own pace.
Apart your own Pydantic schemas, no changes are needed to your FastAPI Users setup.
Thanks @AdamIsrael for the initial work and research 🎉
Breaking changes
----------------
* Transport classes now always build full response objects instead of using the implicit FastAPI `Response` object.
* If you were not implementing your own custom transport classes, you will have nothing to do.
* If you implemented custom classes, you should adapt them so they return a `Response` object. [[Example](8959a12d56/fastapi_users/authentication/transport/bearer.py)]
* Cookie transport now returns a proper `204 No Content` response on logout, which should please OpenAPI Generators. Thanks @caniko 🎉
New features
------------
* `on_after_login` method now accepts `response` in argument, which is the `Response` object built by the transport. [[Documentation](https://fastapi-users.github.io/fastapi-users/latest/configuration/user-manager/#on_after_login)] Thanks @sorasful 🎉
Bug fixes
---------
* Fix#1166: add type hint to /users/{id} routes. Thanks @gegnew 🎉
* Fix `/verify` route returning `null` user ID with Beanie. Thanks @jankadel 🎉
Improvements
------------
* Ensure the reset password token can be used only once.
* Change JWT access token structure to use standard `sub` claim instead of `user_id`.
* ⚠ Existing JWT will be invalidated
* Change verify and reset password tokens structure to use standard `sub` claim instead of `user_id`.
Improvements
------------
* Bump `httpx-oauth >=0.4,<0.11`
* With `httpx-oauth >= 0.10`, the OAuth2 client may be not able to return an email address depending on the OAuth Provider. In this case, the error `OAUTH_NOT_AVAILABLE_EMAIL` is raised during `/callback`. [[Documentation](https://fastapi-users.github.io/fastapi-users/10.2/usage/routes/#get-callback)]
* Enable Python 3.11 support in CI
New features
------------
* Trigger custom logic after user login with `on_after_login`. [[Documentation]()] Thanks @antont 🎉
Improvements
------------
* Bump dependencies:
* `email-validator >=1.1.0,<1.4`
* `pyjwt[crypto] ==2.5.0`
* Use Hatch for environment and package management
* Use a generic Protocol model for User instead of Pydantic
* Remove UserDB Pydantic schema
* Harmonize schema variable naming to avoid confusions
* Revamp OAuth account model management
* Revamp AccessToken DB strategy to adopt generic model approach
* Make ID a generic instead of forcing UUIDs
* Improve generic typing
* Improve Strategy typing
* Tweak base DB typing
* Don't set Pydantic schemas on FastAPIUsers class: pass it directly on router creation
* Add IntegerIdMixin and export related classes
* Start to revamp doc for V10
* Revamp OAuth documentation
* Fix code highlights
* Write the 9.x.x ➡️ 10.x.x migration doc
* Fix pyproject.toml
