Bug fixes and improvements
--------------------------
* Add cookie parameters added in 15.0.1 to `FastAPIUsers.get_oauth_router` and `FastAPIUsers.get_oauth_associate_router`. Thanks @jthurner 🎉
🛡️ Security Fix
----------------
A CSRF vulnerability was identified in the OAuth2 flow. To mitigate this, the authorize endpoint will set a cookie in the response, and this cookie will be expected in the callback request.
In most cases, this change should work out-of-the-box, but in certain scenarios (e.g. cross-domain setups), additional configuration may be required for the cookie to be correctly sent and received. [[Read more](https://fastapi-users.github.io/fastapi-users/dev/configuration/oauth/#csrf-cookie-configuration)]
**Thanks to @davidbors-snyk from [Snyk](https://github.com/snyk) for his research, responisble disclosure, and assistance in fixing this issue.**
Improvements
------------
* Bump dependencies
* `python-multipart ==0.0.21`
* `pwdlib[argon2,bcrypt] ==0.3.0`
Announcement
-------------
FastAPI Users is now in maintenance mode.** While we'll continue to provide security updates and dependency maintenance, no new features will be added. We encourage you to explore the project and use it as-is, knowing it will remain stable and secure.
[[Read more](https://github.com/fastapi-users/fastapi-users/discussions/1543)]
Bug fixes
---------
* Handle expired JWT when handling OAuth callback (#1462). Thanks @mdaffad 🎉
Announcement
-------------
FastAPI Users is now in maintenance mode.** While we'll continue to provide security updates and dependency maintenance, no new features will be added. We encourage you to explore the project and use it as-is, knowing it will remain stable and secure.
Breaking changes
----------------
* Drop Python 3.9 support.
* Drop Pydantic v1 support.
If you still need them, you can install [v14.0.2](https://github.com/fastapi-users/fastapi-users/releases/tag/v14.0.2), which was updated at the same time as this release.
Announcements
-------------
* This is the last release to support Python 3.9 and Pydantic v1.
* FastAPI Users is now in maintenance mode.** While we'll continue to provide security updates and dependency maintenance, no new features will be added. We encourage you to explore the project and use it as-is, knowing it will remain stable and secure.
Bug fixes and improvements
--------------------------
* Bump dependencies:
* `email-validator >=1.1.0,<2.4`
* `redis >=4.3.3,<8.0.0`
Breaking change
---------------
The underlying password hashing library has been changed from `passlib` to `pwdlib`. This change is breaking only if you were using a custom `CryptContext`. Otherwise, you can upgrade without any changes.
Improvements
------------
* Python 3.12 support
* Password are now hashed using the Argon2 algorithm by default. Passwords created with the previous default algorithm (bcrypt) will still be verified correctly and upgraded to Argon2 when the user logs in.
* Bump dependencies
* `python-multipart ==0.0.9`
Bug fixes
---------
* Fix a bug when trying to update user with a `None` password. Thanks @fotinakis 🎉
* Fix static type checking error with `AccessTokenProtocol`. Thanks @Nerixjk 🎉
Improvements
------------
* Bump dependencies
* `redis >=4.3.3,<6.0.0`
Pydantic V2 support
-------------------
This version brings Pydantic V2 support. Like FastAPI, it keeps backward-compatibility with Pydantic V1, so you can upgrade safely and at your own pace.
Apart your own Pydantic schemas, no changes are needed to your FastAPI Users setup.
Thanks @AdamIsrael for the initial work and research 🎉
Breaking changes
----------------
* Transport classes now always build full response objects instead of using the implicit FastAPI `Response` object.
* If you were not implementing your own custom transport classes, you will have nothing to do.
* If you implemented custom classes, you should adapt them so they return a `Response` object. [[Example](8959a12d56/fastapi_users/authentication/transport/bearer.py)]
* Cookie transport now returns a proper `204 No Content` response on logout, which should please OpenAPI Generators. Thanks @caniko 🎉
New features
------------
* `on_after_login` method now accepts `response` in argument, which is the `Response` object built by the transport. [[Documentation](https://fastapi-users.github.io/fastapi-users/latest/configuration/user-manager/#on_after_login)] Thanks @sorasful 🎉
Bug fixes
---------
* Fix#1166: add type hint to /users/{id} routes. Thanks @gegnew 🎉
* Fix `/verify` route returning `null` user ID with Beanie. Thanks @jankadel 🎉
* Update verify.py
When using a schema setup as proposed in the documentation like: ReadUser, CreateUser, UpdateUser and BaseUser in the combination with MongoDB / Beanie, the verify() method will not "enforce" the `user_schema` but instead will return the `BaseUser` which will cause serialisation errors as such:
```
pydantic.error_wrappers.ValidationError: 1 validation error for ReadUser
response -> id
```
because the mapping between MongoDBs internal `_id` and the Pydantic `id` does not work.
* use `from_orm`
* Revamp Transport so they always build a full Response object
* Fix linting
* Add private methods to set cookies on CookieTransport
* Change on_after_login login_return parameter to response
