Changelog
All notable changes to RobustAuth will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
Unreleased
0.1.1 - 2026-06-03
Fixed
Corrected default
LOGIN_SERIALIZERpath fromrobust_auth.serializers.UsernameLoginSerializertorobustauth.serializers.UsernameLoginSerializer
0.1.0 - 2026-06-03
Added
Opaque token authentication with SHA-256 hashed storage
Short-lived access tokens with configurable TTL
Refresh token rotation — old token invalidated on every use
Refresh token reuse detection with full family revocation
Session model with UUID primary key and state tracking (
active,revoked,expired)Session policies:
single,multi,max_countAutomatic oldest-session revocation when
MAX_SESSIONSlimit is hitDevice and browser fingerprinting via optional
user-agentslibraryIP address and User-Agent tracking per session
Login history audit log (
login_success,login_failure,logout,token_refresh,token_reuse,password_change,session_revoked,forced_logout)Brute-force protection via configurable failure threshold and signals
Automatic session revocation on password change
Sliding session support with configurable inactivity TTL
RobustTokenAuthenticationDRF backend (Bearerand legacyTokenprefix)RobustAuthMiddlewareattachingrequest.robust_sessionto all requests7 REST API endpoints: login, refresh, logout, logout-all, sessions list, session revoke, login history
Django admin integration with session revocation action
5 extensibility signals:
user_logged_in,user_logged_out,token_reuse_detected,session_limit_reached,brute_force_threshold_hitrobustauth_cleanupmanagement command with--dry-runsupportInitial migration
Full test suite (31 tests)
PyPI packaging via
pyproject.toml