Django Rest Framework Passwordless Versions Save

• Now passes the context to the authentication serializer.
• Bumps the test versions from 3.6 and 3.7 to 3.7 and 3.8.
• Cleans up some formatting issues mixing ' and ".

• Supports Django 4.0 via https://github.com/aaronn/django-rest-framework-passwordless/pull/104
• Bumps a bunch of dependencies.

This update bumps a few dependencies for security and changes how tokens are generated on collision.

1. We now catch pre_save behavior to avoid changing old invalid keys for historical reasons.
2. We now retry 3 times to generate a unique key before throwing a validation error.
3. IMPORTANT: We have removed the unique constraint– this is to prevent old inactive keys from colliding with each other.

This release adds demo users via the 'PASSWORDLESS_DEMO_USERS': {} setting for App Store Approvals. Thanks for the contribution @budlight.

• This takes a mapping of user pk to token.key.

Token Generation

• If a token already exists for the demo user, the first one will be returned.
• If a token doesn't already exist for the demo user, it will be created with the value mapped to the user key in the dict.

Token Expiry

• Any user with a token in this dict will not have their token invalidated on use.
• validate_token_age will always return True if the token's user is in the demo list.

Future Avenues

• A future variant of this can rely on a model and an admin interface instead of hardcoding a demo user into settings.
• This would doubly be better because demo credentials can be enabled and disabled.
• Also, doesn't require a redeploy, which is nice.

– Improves the regex to be more e.164 compliant. – Bumps the max_length from 15 to 17.

This adds case-insensitive aliases for logins. Be warned that if your database already has users with two of the same emails you may need to do manual cleanup work to resolve that conflict after this update.

• Fixes a few typos
• Fixes a few bugs
• Bumped a few dependencies
• Caught a 500 when there's a mismatch between a token and a user, now should 400.

Added ability to specify serializer for authentication token with

'PASSWORDLESS_AUTH_TOKEN_SERIALIZER': 'drfpasswordless.serializers.TokenResponseSerializer'

This will (for example) allow you to instead of returning DRF's token, return a JWT with access and refresh tokens.

A few big changes in 1.5.0:

• You can now specify the url endpoint prefixes– check out the settings section or see urls.py.
• Now validates against a VERIFY and AUTH type to make sure tokens can't be used interchangably.
• Now validates against the authenticating alias– so token must be POSTed with email or mobile corresponding to the user that created it.

This version drops Python 2 Support:

Requires:

• Python 3.7
• DRF 3.10+