All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- The default JavaScript implementation is now built using Node 22
- The default JavaScript implementation for interacting with the browser api has been updated to use
@simplewebauthn/browserv11
- An extra system check was added to prevent misconfiguration of
OTP_WEBAUTHN_SUPPORTED_COSE_ALGORITHMS(#27 by Stormheg)
- Explicitly define
AllowAnypermission class for API views (#19 by nijel) - Make
WebAuthnCredentialManagerinherit fromDeviceManager(#23 by nijel) - Clarify
username_field_selectorexample in README (#20 by nijel) - Clarify custom credential model usage instructions (#26 by jmichalicek)
- Avoid logging None as exception in the py_webauthn exception rewriter (#28 by nijel)
- A crash during Passkey registration was fixed when custom list of supported algorithms was used (#27 by Stormheg)
- You can now call
as_credential_descriptorson a queryset ofWebAuthnCredentialobjects (#27 by Stormheg)
-
The custom
__str__representation forWebAuthnCredentialis removed because displaying a AAGUID is not a friendly representation. It now defaults back to the django-otp default:name + (username)(#27 by Stormheg) -
The default
ModelAdminforWebAuthnCredentialcredential is no longer automatically registered. (#27 by Stormheg)-
You can instead register it manually in your
admin.pyfile# admin.py from django.contrib import admin from django_otp_webauthn.admin import WebAuthnCredentialAdmin from django_otp_webauthn.models import WebAuthnCredential admin.site.register(WebAuthnCredential, WebAuthnCredentialAdmin)
-
- The built-in Passkey registration and verification views error handling has been reworked. (#12 by Stormheg)
- A regression in v0.2.0 was fixed were
AuthenticationDisabledwould incorrectly be raised. (Issue #10 by jmichalicek; fixed in #12 by Stormheg) - Support for
CSRF_USE_SESSIONS = Truewas added. (Issue #14 by nijel; fixed in #15 by nijel and Stormheg) - An issue that prevented MySQL from being used as the database backend was fixed. (Issue #17 by nijel; fixed in #18 by Stormheg)
- The unused
RegistrationDisabled,AuthenticationDisabled, andLoginRequiredexceptions are removed. (#12 by Stormheg)
- Support for having multiple
AUTHENTICATION_BACKENDSwas added. (#8 by jmichalicek)- Action required: add
django_otp_webauthn.backends.WebAuthnBackendto yourAUTHENTICATION_BACKENDSsetting if you want to use passwordless login.
- Action required: add
- The default manager for the
WebAuthnCredentialmodel now includes aas_credential_descriptorsmethod to make it easier to format the credentials for use in custom implementations.
- A bug was fixed with Python 3.11 and older that caused an exception when authenticating with a WebAuthn credential. (#6 by jmichalicek)
- The
http://localhost:8000default value forOTP_WEBAUTHN_ALLOWED_ORIGINSwas removed. - Use more appropriate examples for the
OTP_WEBAUTHN_*settings in the README. - Update admonition in the README to reflect the current state of the project. We have moved from don't use in production to use at your own risk.
- The helper classes'
get_credential_display_nameandget_credential_namemethods are now correctly called. Previously, the users' full name was being used as the credential name, bypassing above methods.
- Set discoverable credential policy to
requiredat registration time whenOTP_WEBAUTHN_ALLOW_PASSWORDLESS_LOGINis set toTrue. This is to ensure a credential capable of passwordless login is created.
- Make is easier to override the helper class using the new
OTP_WEBAUTHN_HELPER_CLASSsetting. Pass it a dotted path to your custom helper class and it will be used instead of the default one.
- An issue with the button label not showing any text was fixed.
WebAuthnCredentialnow inherits fromdjango_otp.models.TimestampMixinto add acreated_atandlast_used_atfields. Subsequently, this raises the minimumdjango-otpversion to1.4.0+.
- Switch to
hatchfor managing the project.
- Initial release.