v0.10.0

WARNING Breaking changes:

1. ALTCHA_HMAC_KEY is now mandatory.
   If it's not set in your Django settings, the app will raise ImproperlyConfigured at
   the first challenge creation or validation, instead of silently generating a random
   fallback key.

2. ALTCHA_CACHE_ALIAS now defaults to "default" instead of using a dedicated LocMemCache
   instance. This means django-altcha automatically benefits from whatever cache backend your
   project already has configured.
   Projects that explicitly set ALTCHA_CACHE_ALIAS are not affected.
   Removed the internal LocMemCache fallback. Cache configuration is now fully handled
   through Django's CACHES setting.

What's Changed

• feat!: refactor the ALTCHA_* settings loading by @tdruez in #34
• feat!: make the ALTCHA_HMAC_KEY setting mandatory by @tdruez in #35
• feat!: refactor the cache configuration using "default" when not provided by @tdruez in #36
• chore: bump version to 0.10.0 for release by @tdruez in #37

Full Changelog: v0.9.1...v0.10.0

v0.9.1

What's Changed

• chore: set explicit workflow permissions and pin down actions by @tdruez in #29
• chore: rework the pypi-release workflow to use trusted publishing by @tdruez in #30
• fix: replace altcha.i18n.js bundle by proper dist_i18n/all.js by @tdruez in #31
• chore: bump version to 0.9.1 by @tdruez in #32

Full Changelog: v0.9.0...v0.9.1

v0.9.0

What's Changed

• added support for altcha translations by @xgimp in #23
• chore: upgrade altcha-lib-py to v1.0.0 and bundled JS library to latest v2.3.0 release by @tdruez in #25
• Add documentation about "Replay Attack Protection" by @tdruez in #26
• Bump version to 0.9.0 for release by @tdruez in #27

New Contributors

• @xgimp made their first contribution in #23

Full Changelog: v0.4.0...v0.9.0

v0.4.0

What's Changed

• Upgrade bundled JS lib to latest ALTCHA v2.2.4 release by @tdruez in #20
• Add support for Python 3.14 by @tdruez in #21

Full Changelog: v0.3.0...v0.4.0

v0.3.0

Important Security Note

Providing an ALTCHA_HMAC_KEY value in your Django settings is now required.
https://django-altcha.readthedocs.io/en/latest/installation.html#installation

What's Changed

• Add the ALTCHA_HMAC_KEY setup as part of the installation #15 by @tdruez in #16
• Add a ALTCHA_VERIFICATION_ENABLED setting by @tdruez in #17
• Bump version to 0.3.0 for release by @tdruez in #18

Full Changelog: v0.2.0...v0.3.0

v0.2.0

Important Security Note

If you have previously set and used a static ALTCHA_HMAC_KEY, you must rotate this key as part of upgrading to this release.

Earlier versions of django-altcha accepted challenges that were generated without an expiration (expires) value.
This allowed older challenges to remain valid indefinitely.
As a result, any attacker with access to an old challenge could reuse it to bypass CAPTCHA validation.

To fully benefit from the security improvements in this release, you must also invalidate any existing challenges by rotating the HMAC key used to generate and verify them.

What's Changed

• Add support for altcha 0.2.0 by @tdruez in #8
• Add challenge expiration support by @tdruez in #7
• Add a AltchaChallengeView to allow challengeurl a setup by @tdruez in #9
• Add protection against replay attacks #10 by @tdruez in #11
• Bump version for 0.2.0 release by @tdruez in #12

Credits

• Special thanks to Alex Vandiver alexmv@zulip.com for reporting these issues.

Full Changelog: v0.1.3...v0.2.0

v0.1.3

What's Changed

• Propagate the AltchaField maxnumber option to the get_altcha_challe… by @tdruez in #6

Full Changelog: v0.1.2...v0.1.3

v0.1.2

Full Changelog: v0.1.1...v0.1.2

v0.1.1

What's Changed

• Add unit tests by @tdruez in #3

Full Changelog: v0.1.0...v0.1.1

v0.1.0

What's Changed

• Initial working version release 0.1.0 by @tdruez in #1

New Contributors

• @tdruez made their first contribution in #1

Full Changelog: https://github.com/aboutcode-org/django-altcha/commits/v0.1.0