Requirements: update django-allauth (#9249)

\### 0.43.0

> In previous versions, the allauth app included a base.html template. This
> template could conflict with an equally named template at project level.
> Therefore, base.html has now been moved to account/base.html -- you will need
> to check your templates and likely override account/base.html within your
> project.

We include our own base.html template,
in order to make the allauth templates
use our base template I have added a an account/base.html
file that just extends from base.html.

\### 0.44.0

> The certificate key part of the SOCIALACCOUNT_PROVIDERS configuration has been
> renamed to certificate_key. This is done to prevent the key from being
> displayed without being masked in Django debug pages.

We don't use that field nor we access it from our application.

\### 0.47.0

> Added a new setting SOCIALACCOUNT_LOGIN_ON_GET that controls whether or not the
> endpoints for initiating a social login (for example,
> "/accounts/google/login/") require a POST request to initiate the handshake. As
> requiring a POST is more secure, the default of this new setting is False.

This adds one more step for users before signing in with an external provider.

> You are about to sign in using a third party account from GitHub.
> [ Continue ]

I have changed our list to be a form,
so it stil is just a click away from our platform,
but a link from outside will require the user to click on "continue".
We can just set this setting to True if we want too
(but there is a security notice that explains why isn't a good idea https://github.com/pennersr/django-allauth/blob/master/ChangeLog.rst#security-notice)

\### 0.48.0

> The newly introduced ACCOUNT_PREVENT_ENUMERATION defaults to True impacting the
> current behavior of the password reset flow.

We want that.

> The newly introduced rate limitting is by default turned on. You will need to
> provide a 429.html template.

We want this, I have added a 429.html template :)

> The default of SOCIALACCOUNT_STORE_TOKENS has been changed to False. Rationale
> is that storing sensitive information should be opt in, not opt out. If you
> were relying on this functionality without having it explicitly turned on,
> please add it to your settings.py.

We rely on this, I have set it to true.

\### 0.49.0

> Changed naming of internal_reset_url_key attribute in
> allauth.account.views.PasswordResetFromKeyView to reset_url_key.

We don't override this view.

Closes #9122

media/css/core.css

@@ -835,18 +835,25 @@ div.project-import-remote button.remote-sync:before {
     content: "\f021";
 }
 
-a.socialaccount-provider.github:before {
+button.socialaccount-provider {
+    padding: 6px 10px 6px 10px;
+    font-size: 16px;
+    margin: 10px 5px 10px 0px;
+    line-height: 24px;
+}
+
+button.socialaccount-provider.github:before {
     font-family: FontAwesome;
     content: "\f09b";
 }
 
-a.socialaccount-provider.gitlab:before {
+button.socialaccount-provider.gitlab:before {
     font-family: FontAwesome;
     content: "\f296";
 }
 
-a.socialaccount-provider.bitbucket:before,
-a.socialaccount-provider.bitbucket_oauth2:before {
+button.socialaccount-provider.bitbucket:before,
+button.socialaccount-provider.bitbucket_oauth2:before {
     font-family: FontAwesome;
     content: "\f171";
 }

readthedocs/projects/static-src/projects/css/import.less

@@ -71,7 +71,7 @@ div.project-import-remote {
             overflow: auto;
             text-align: center;
 
-            a.socialaccount-provider {
+            button.socialaccount-provider {
                 float: none;
                 display: inline-block;
                 margin-bottom: 0.5em;

readthedocs/projects/static/projects/css/import.css

@@ -60,7 +60,7 @@ div.project-import-remote ul.socialaccount_providers li {
   overflow: auto;
   text-align: center;
 }
-div.project-import-remote ul.socialaccount_providers li a.socialaccount-provider {
+div.project-import-remote ul.socialaccount_providers li button.socialaccount-provider {
   float: none;
   display: inline-block;
   margin-bottom: 0.5em;

readthedocs/settings/base.py

@@ -637,6 +637,7 @@ def DOCKER_LIMITS(self):
     ACCOUNT_AUTHENTICATION_METHOD = 'username_email'
     ACCOUNT_ACTIVATION_DAYS = 7
     SOCIALACCOUNT_AUTO_SIGNUP = False
+    SOCIALACCOUNT_STORE_TOKENS = True
     SOCIALACCOUNT_PROVIDERS = {
         'github': {
             'SCOPE': [

readthedocs/templates/429.html

@@ -0,0 +1,28 @@
+{% extends "base.html" %}
+{% load core_tags %}
+{% load i18n %}
+
+{% block title %}
+  {% trans "Too many requests" %}
+{% endblock %}
+
+{% block header-wrapper %}
+  {% include "error_header.html" %}
+{% endblock %}
+
+{% block notify %}{% endblock %}
+
+{# Hide the language select form so we don't set a CSRF cookie #}
+{% block language-select-form %}{% endblock %}
+
+{% block content %}
+<pre style="line-height: 1.25; white-space: pre;">
+              .--~~,__
+ :-....,-------`~~'._.'
+  `-,,,  ,_      ;'~U'
+   _,-' ,'`-__; '--.
+  (_/'~~      ''''(;
+
+ Too many requests! Try again in a bit.
+</pre>
+{% endblock %}

readthedocs/templates/account/base.html

@@ -0,0 +1 @@
+{% extends "base.html" %}

readthedocs/templates/socialaccount/snippets/provider_list.html

@@ -7,28 +7,30 @@
   {% if provider.id == "openid" %}
     {% for brand in provider.get_brands %}
       <li>
-        <a title="{{ brand.name }}"
-           class="socialaccount-provider {{ provider.id }} {{ brand.id }} button"
-           href="{% provider_login_url provider.id openid=brand.openid_url process=process next=next %}"
-           >
-           {% blocktrans trimmed with brand_name=brand.name verbiage=verbiage|default:'Connect to' %}
-             {{ verbiage }} {{ brand_name }}
-           {% endblocktrans %}
-        </a>
+        <form action="{% provider_login_url provider.id openid=brand.openid_url process=process next=next %}" method="post">
+          {% csrf_token %}
+          <button
+              class="socialaccount-provider {{ provider.id }} {{ brand.id }} button"
+              type="submit"
+              title="{{ brand.name }}">
+            {% trans verbiage|default:'Connect to' %} {{ brand.name }}
+          </button>
+        </form>
       </li>
     {% endfor %}
   {% endif %}
   {% if provider.id != 'bitbucket' %}
   {% if allowed_providers and provider.id in allowed_providers or not allowed_providers %}
     <li>
-      <a title="{{ provider.name }}"
-         class="socialaccount-provider {{ provider.id }} button"
-         href="{% provider_login_url provider.id process=process scope=scope auth_params=auth_params next=next %}"
-         >
-         {% blocktrans trimmed with provider_name=provider.name verbiage=verbiage|default:'Connect to' %}
-           {{ verbiage }} {{ provider_name }}
-         {% endblocktrans %}
-      </a>
+      <form action="{% provider_login_url provider.id process=process scope=scope auth_params=auth_params next=next %}" method="post">
+        {% csrf_token %}
+        <button
+            class="socialaccount-provider {{ provider.id }} button"
+            type="submit"
+            title="{{ provider.name }}">
+          {% trans verbiage|default:'Connect to' %} {{ provider.name }}
+        </button>
+      </form>
     </li>
   {% endif %}
   {% endif %}

requirements/pip.txt

@@ -40,13 +40,7 @@ redis==3.5.3  # pyup: ignore
 
 celery==5.2.6
 
-# When upgrading to 0.43.0 we should double check the ``base.html`` change
-# described in the changelog. In previous versions, the allauth app included a
-# ``base.html`` template. This template could conflict with an equally named
-# template at project level. Therefore, ``base.html`` has now been moved to
-# ``account/base.html`` -- you will need to check your templates and likely
-# override ``account/base.html`` within your project.
-django-allauth==0.42.0  # pyup: ignore
+django-allauth==0.50.0
 requests-oauthlib==1.3.1
 
 GitPython==3.1.27

tox.ini

@@ -11,7 +11,6 @@ setenv =
     LANG=en_US.UTF-8
     LC_ALL=en_US.UTF-8
     DJANGO_SETTINGS_SKIP_LOCAL=True
-    VIRTUALENV_SETUPTOOLS=58.3.0
 passenv = CI TRAVIS TRAVIS_* HOME
 deps =
   -r requirements/testing.txt