All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- All Python code is now 100% covered by tests (#32, #33, #35, #36 by Stormheg)
- Browser automation tests using Playwright and Chromium have been added to ensure the JavaScript implementation works as expected (#39, #43 by Stormheg)
- The default JavaScript implementation is now built using Node 22
- The default JavaScript implementation for interacting with the browser api has been updated to use
@simplewebauthn/browser
v11
- An extra system check was added to prevent misconfiguration of
OTP_WEBAUTHN_SUPPORTED_COSE_ALGORITHMS
(#27 by Stormheg)
- Explicitly define
AllowAny
permission class for API views (#19 by nijel) - Make
WebAuthnCredentialManager
inherit fromDeviceManager
(#23 by nijel) - Clarify
username_field_selector
example in README (#20 by nijel) - Clarify custom credential model usage instructions (#26 by jmichalicek)
- Avoid logging None as exception in the py_webauthn exception rewriter (#28 by nijel)
- A crash during Passkey registration was fixed when custom list of supported algorithms was used (#27 by Stormheg)
- You can now call
as_credential_descriptors
on a queryset ofWebAuthnCredential
objects (#27 by Stormheg)
-
The custom
__str__
representation forWebAuthnCredential
is removed because displaying a AAGUID is not a friendly representation. It now defaults back to the django-otp default:name + (username)
(#27 by Stormheg) -
The default
ModelAdmin
forWebAuthnCredential
credential is no longer automatically registered. (#27 by Stormheg)-
You can instead register it manually in your
admin.py
file# admin.py from django.contrib import admin from django_otp_webauthn.admin import WebAuthnCredentialAdmin from django_otp_webauthn.models import WebAuthnCredential admin.site.register(WebAuthnCredential, WebAuthnCredentialAdmin)
-
- The built-in Passkey registration and verification views error handling has been reworked. (#12 by Stormheg)
- A regression in v0.2.0 was fixed were
AuthenticationDisabled
would incorrectly be raised. (Issue #10 by jmichalicek; fixed in #12 by Stormheg) - Support for
CSRF_USE_SESSIONS = True
was added. (Issue #14 by nijel; fixed in #15 by nijel and Stormheg) - An issue that prevented MySQL from being used as the database backend was fixed. (Issue #17 by nijel; fixed in #18 by Stormheg)
- The unused
RegistrationDisabled
,AuthenticationDisabled
, andLoginRequired
exceptions are removed. (#12 by Stormheg)
- Support for having multiple
AUTHENTICATION_BACKENDS
was added. (#8 by jmichalicek)- Action required: add
django_otp_webauthn.backends.WebAuthnBackend
to yourAUTHENTICATION_BACKENDS
setting if you want to use passwordless login.
- Action required: add
- The default manager for the
WebAuthnCredential
model now includes aas_credential_descriptors
method to make it easier to format the credentials for use in custom implementations.
- A bug was fixed with Python 3.11 and older that caused an exception when authenticating with a WebAuthn credential. (#6 by jmichalicek)
- The
http://localhost:8000
default value forOTP_WEBAUTHN_ALLOWED_ORIGINS
was removed. - Use more appropriate examples for the
OTP_WEBAUTHN_*
settings in the README. - Update admonition in the README to reflect the current state of the project. We have moved from don't use in production to use at your own risk.
- The helper classes'
get_credential_display_name
andget_credential_name
methods are now correctly called. Previously, the users' full name was being used as the credential name, bypassing above methods.
- Set discoverable credential policy to
required
at registration time whenOTP_WEBAUTHN_ALLOW_PASSWORDLESS_LOGIN
is set toTrue
. This is to ensure a credential capable of passwordless login is created.
- Make is easier to override the helper class using the new
OTP_WEBAUTHN_HELPER_CLASS
setting. Pass it a dotted path to your custom helper class and it will be used instead of the default one.
- An issue with the button label not showing any text was fixed.
WebAuthnCredential
now inherits fromdjango_otp.models.TimestampMixin
to add acreated_at
andlast_used_at
fields. Subsequently, this raises the minimumdjango-otp
version to1.4.0+
.
- Switch to
hatch
for managing the project.
- Initial release.