Commit Graph

805 Commits

Author SHA1 Message Date
allcontributors[bot]
dad16d90fc docs: update README.md [skip ci] 2025-12-19 10:23:40 +01:00
Joschka Thurner
23784b24af remove unused oauth cookie parameter from docs 2025-12-19 10:22:41 +01:00
Joschka Thurner
ba507a78b4 add csrf token config parameters to main oauth router getter function 2025-12-19 10:22:41 +01:00
François Voron
1df7c1038d Bump version 15.0.1 → 15.0.2
🛡️ Security Fix
----------------

A CSRF vulnerability was identified in the OAuth2 flow. To mitigate this, the authorize endpoint will set a cookie in the response, and this cookie will be expected in the callback request.

In most cases, this change should work out-of-the-box, but in certain scenarios (e.g. cross-domain setups), additional configuration may be required for the cookie to be correctly sent and received. [[Read more](https://fastapi-users.github.io/fastapi-users/dev/configuration/oauth/#csrf-cookie-configuration)]

**Thanks to @davidbors-snyk from [Snyk](https://github.com/snyk) for his research, responsible disclosure, and assistance in fixing this issue.**

Improvements
------------

* Bump dependencies
    * `python-multipart ==0.0.21`
    * `pwdlib[argon2,bcrypt] ==0.3.0`
v15.0.2
2025-12-19 08:28:45 +01:00
dependabot[bot]
a8848ec452 Bump pwdlib[argon2,bcrypt] from 0.2.1 to 0.3.0
Bumps [pwdlib[argon2,bcrypt]](https://github.com/frankie567/pwdlib) from 0.2.1 to 0.3.0.
- [Release notes](https://github.com/frankie567/pwdlib/releases)
- [Commits](https://github.com/frankie567/pwdlib/compare/v0.2.1...v0.3.0)

---
updated-dependencies:
- dependency-name: pwdlib[argon2,bcrypt]
  dependency-version: 0.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-19 08:27:37 +01:00
dependabot[bot]
ce42fd75a0 Bump python-multipart from 0.0.20 to 0.0.21
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.20 to 0.0.21.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Kludex/python-multipart/compare/0.0.20...0.0.21)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-19 08:27:26 +01:00
dependabot[bot]
32cd433e99 Bump actions/checkout from 5 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-19 08:27:12 +01:00
François Voron
7cf413cd76 Add a double-submit cookie in the OAuth flow
Prevents CSRF attacks by ensuring that the state parameter is tied to a cookie.

Fix https://github.com/fastapi-users/fastapi-users/security/advisories/GHSA-5j53-63w8-8625
2025-12-19 08:26:26 +01:00
François Voron
bcee8c9b88 Update README 2025-10-25 08:56:02 +02:00
François Voron
119a5ca40e Bump version 15.0.0 → 15.0.1
Announcement
-------------

**FastAPI Users is now in maintenance mode.** While we'll continue to provide security updates and dependency maintenance, no new features will be added. We encourage you to explore the project and use it as-is, knowing it will remain stable and secure.

[[Read more](https://github.com/fastapi-users/fastapi-users/discussions/1543)]

Bug fixes
---------

* Handle expired JWT when handling OAuth callback (#1462). Thanks @mdaffad 🎉
v15.0.1
2025-10-25 08:48:05 +02:00
François Voron
c09b16fbfe Fix docstring 2025-10-25 08:47:52 +02:00
allcontributors[bot]
eaf78f7194 docs: update .all-contributorsrc [skip ci] 2025-10-25 08:44:31 +02:00
allcontributors[bot]
b11ad37145 docs: update README.md [skip ci] 2025-10-25 08:44:31 +02:00
Muhammad Daffa Dinaya
8404f24b62 chore: lint 2025-10-25 08:43:58 +02:00
Muhammad Daffa Dinaya
3d33e3da8a fix: associate callback test 2025-10-25 08:43:58 +02:00
Muhammad Daffa Dinaya
5863445774 fix: add expired token error on oauth callback 2025-10-25 08:43:58 +02:00
othmane099
576683cccd Refactor and update docs in manager.py 2025-10-25 08:42:36 +02:00
François Voron
35668e29ad Bump version 14.0.2 → 15.0.0
Announcement
-------------

**FastAPI Users is now in maintenance mode.** While we'll continue to provide security updates and dependency maintenance, no new features will be added. We encourage you to explore the project and use it as-is, knowing it will remain stable and secure.

Breaking changes
----------------

* Drop Python 3.9 support.
* Drop Pydantic v1 support.

If you still need them, you can install [v14.0.2](https://github.com/fastapi-users/fastapi-users/releases/tag/v14.0.2), which was updated at the same time as this release.
v15.0.0
2025-10-25 08:32:14 +02:00
François Voron
c6c598e1fb Update README 2025-10-25 08:29:46 +02:00
François Voron
1b87613aef Fix Python version in CI 2025-10-25 08:29:14 +02:00
François Voron
4392060b95 Add Zed settings 2025-10-25 08:28:03 +02:00
François Voron
cd53bb8c5e Drop Pydantic v1 support 2025-10-25 08:27:54 +02:00
François Voron
fcf9a2041a Drop Python 3.9 support 2025-10-25 08:19:03 +02:00
François Voron
ae5ff025ef Update GitHub config 2025-10-25 08:12:33 +02:00
François Voron
04e7b4125b Bump version 14.0.1 → 14.0.2
Announcements
-------------

* This is the last release to support Python 3.9 and Pydantic v1.
* **FastAPI Users is now in maintenance mode.** While we'll continue to provide security updates and dependency maintenance, no new features will be added. We encourage you to explore the project and use it as-is, knowing it will remain stable and secure.

Bug fixes and improvements
--------------------------

* Bump dependencies:
    * `email-validator >=1.1.0,<2.4`
    * `redis >=4.3.3,<8.0.0`
v14.0.2
2025-10-25 08:00:45 +02:00
François Voron
5a000d114b Update README 2025-10-24 18:14:51 +02:00
François Voron
1d91040207 Fix deprecation warning 2025-10-24 18:06:39 +02:00
François Voron
df930dc20b Fix linting 2025-10-24 18:03:28 +02:00
Ramon
2b64cb304b Update HTTPX OAuth link oauth.md
The old link was opening some broken/incomplete website.

Updated the link to point to https://frankie567.github.io/httpx-oauth/usage/
2025-10-24 17:30:52 +02:00
dependabot[bot]
68afb3bc6f Update email-validator requirement from <2.3,>=1.1.0 to >=1.1.0,<2.4
Updates the requirements on [email-validator](https://github.com/JoshData/python-email-validator) to permit the latest version.
- [Release notes](https://github.com/JoshData/python-email-validator/releases)
- [Changelog](https://github.com/JoshData/python-email-validator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/JoshData/python-email-validator/compare/v1.1.0...v2.3.0)

---
updated-dependencies:
- dependency-name: email-validator
  dependency-version: 2.3.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-24 17:30:17 +02:00
Jaeung Jang
c3729da0cf fix typo
duplicate text: "call the"
2025-10-24 17:27:34 +02:00
Tommaso Comparin
76d7f5a2ec Fix :param verified in current_user and current_user_token docstring 2025-10-24 17:27:11 +02:00
dependabot[bot]
899ec22c3e Bump actions/checkout from 4 to 5
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-24 17:26:58 +02:00
dependabot[bot]
73e5c22350 Update redis requirement from <6.0.0,>=4.3.3 to >=4.3.3,<8.0.0
Updates the requirements on [redis](https://github.com/redis/redis-py) to permit the latest version.
- [Release notes](https://github.com/redis/redis-py/releases)
- [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES)
- [Commits](https://github.com/redis/redis-py/compare/v4.3.3...v7.0.0)

---
updated-dependencies:
- dependency-name: redis
  dependency-version: 7.0.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-24 17:26:48 +02:00
dependabot[bot]
34f662d137 Bump github/codeql-action from 3 to 4
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-24 17:26:12 +02:00
dependabot[bot]
7f80895ff1 Bump actions/setup-python from 5 to 6
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5 to 6.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-24 17:26:03 +02:00
François Voron
9d78b2a35d Bump version 14.0.0 → 14.0.1
Improvements
------------

* Bump dependencies
    * `pyjwt[crypto] ==2.10.1`
    * `python-multipart ==0.0.20`
v14.0.1
2025-01-04 14:16:19 +01:00
François Voron
8ea78fd49b Bump dependencies 2025-01-04 14:13:38 +01:00
dependabot[bot]
d1b52a2b86 Bump python-multipart from 0.0.17 to 0.0.20
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.17 to 0.0.20.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Kludex/python-multipart/compare/0.0.17...0.0.20)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-04 13:32:37 +01:00
dependabot[bot]
005dbefa20 Bump codecov/codecov-action from 4 to 5
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4 to 5.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v4...v5)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-18 12:51:39 +01:00
cyberksh
9c24c684e6 config: update repo name in mkdocs.yml 2024-11-13 15:11:40 +01:00
allcontributors[bot]
a881996f92 docs: update .all-contributorsrc [skip ci] 2024-11-07 15:53:46 +01:00
allcontributors[bot]
d82e35bcd5 docs: update README.md [skip ci] 2024-11-07 15:53:46 +01:00
Nima Xin
514e5bab40 Fix database URL examples in docs 2024-11-07 15:53:37 +01:00
François Voron
38fe6cd530 Bump version 13.0.0 → 14.0.0
Breaking changes
----------------

* Drop Python 3.8 support

Improvements
------------

* Bump dependencies:
    * `python-multipart ==0.0.17`
    * `pwdlib[argon2,bcrypt] ==0.2.1`
    * `pyjwt[crypto] ==2.9.0`
v14.0.0
2024-11-03 13:16:05 +00:00
dependabot[bot]
9f4a1ea15b Bump python-multipart from 0.0.16 to 0.0.17
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.16 to 0.0.17.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Kludex/python-multipart/compare/0.0.16...0.0.17)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-03 14:12:48 +01:00
dependabot[bot]
55285d1e08 Bump github/codeql-action from 2 to 3
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v2...v3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-03 14:06:12 +01:00
dependabot[bot]
d9cbeeb43c Bump actions/checkout from 3 to 4
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-03 14:06:00 +01:00
dependabot[bot]
21a2804c73 Bump actions/setup-python from 4 to 5
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4 to 5.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-03 14:05:50 +01:00
François Voron
55adea47bc Add Dependabot for GitHub Actions 2024-11-03 13:04:09 +00:00