Merge branch 'main' into logout-template

# Conflicts:
#	packages/hidp/hidp/otp/views.py

Author: ramonakira

.github/actions/build-hidp-docs/action.yml

@@ -9,6 +9,8 @@ runs:
       uses: ./.github/actions/setup-python
       with:
         working-directory: './packages/hidp'
+        python-version: '3.13'
+        django-version: '5.2'
 
     - name: Build documentation
       run: |

.github/actions/python-qa/action.yml

@@ -4,6 +4,10 @@ description: Lint, checks & tests
 inputs:
   working-directory:
     description: The working directory to run the commands in
+  python-version:
+    description: The Python version to use
+  django-version:
+    description: The Django version to use as dependency
 
 runs:
   using: composite
@@ -13,10 +17,15 @@ runs:
       uses: ./.github/actions/setup-python
       with:
         working-directory: ${{ inputs.working-directory }}
+        python-version: ${{ inputs.python-version }}
+        django-version: ${{ inputs.django-version }}
 
     - name: Lint, check, test and build (if applicable)
       run: |
         source ~/.venv/bin/activate
+        UV_DJANGO_VERSION=$(uv pip list | sed -nE 's/^django[[:space:]]+([0-9]+\.[0-9]+)\..*/\1/p')
+        echo "Detected uv Django version: $UV_DJANGO_VERSION"
+        echo "Expected Django version: $DJANGO_VERSION"
         make test
       working-directory: ${{ inputs.working-directory }}
       shell: bash

.github/actions/setup-python/action.yml

@@ -4,6 +4,10 @@ description: Setup Python and install dependencies
 inputs:
   working-directory:
     description: The working directory to run the commands in
+  python-version:
+    description: The Python version to use
+  django-version:
+    description: The Django version to use as dependency
 
 runs:
   using: composite
@@ -12,7 +16,7 @@ runs:
     - name: Setup Python
       uses: actions/setup-python@v5
       with:
-        python-version: "3.12"
+        python-version: ${{ inputs.python-version }}
 
     - name: Install system packages (gettext)
       run: |
@@ -30,6 +34,13 @@ runs:
       working-directory: ${{ inputs.working-directory }}
       shell: bash
 
+    - name: Set Django version
+      run: |
+        echo ::group::Set Django version environment variable
+        echo "DJANGO_VERSION=${{ inputs.django-version }}" >> $GITHUB_ENV
+        echo ::endgroup::
+      shell: bash
+
     - name: Install dependencies
       run: |
         echo ::group::Create/activate virtualenv

.github/workflows/release.yml

@@ -39,6 +39,8 @@ jobs:
         uses: ./.github/actions/python-qa
         with:
           working-directory: './packages/hidp'
+          django-version: '5.2'
+          python-version: '3.13'
 
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1

.github/workflows/test.yml

@@ -13,13 +13,22 @@ on:
 
 jobs:
   test:
-    name: Linting, checks & tests
+    name: Linting, checks & tests (${{ toJSON(matrix) }})
 
     strategy:
       matrix:
-        working-directory:
-          - './packages/hidp'
-          - './project'
+        django-version: ['4.2', '5.2']
+        python-version: ['3.9', '3.10', '3.11', '3.12', '3.13']
+        working-directory: ['./packages/hidp']
+        exclude:
+          - django-version: '4.2'
+            python-version: '3.13'
+          - django-version: '5.2'
+            python-version: '3.9'
+        include:
+          - working-directory: './project'
+            python-version: '3.12'
+            django-version: '4.2'
 
     runs-on: ubuntu-latest
     timeout-minutes: 10
@@ -40,10 +49,12 @@ jobs:
         uses: ./.github/actions/python-qa
         with:
           working-directory: ${{ matrix.working-directory }}
+          django-version: ${{ matrix.django-version }}
+          python-version: ${{ matrix.python-version }}
 
       - name: Build documentation
         uses: ./.github/actions/build-hidp-docs
-        if: ${{ matrix.working-directory == './packages/hidp' }}
+        if: ${{ matrix.working-directory == './packages/hidp' && matrix.django-version == '4.2' && matrix.python-version == '3.12' }}
 
   # Report success/failure
   success:

README.md

@@ -2,15 +2,19 @@
 
 Leukeleu's headless identity provider.
 
+## Documentation
+
+Read the [online documentation](https://leukeleu.github.io/django-hidp/) for usage and installation instructions.
+
 ## Development
 
 See [docker/README.md](docker/README.md)
 
 ## Releasing
 
 Each PR merged to `main` will automatically run the `release-drafter` workflow. This will create/update
-draft releases for both the next release candidate and the next final release. The draft release will
-contain all the PRs merged since the previous release of the same type.
+draft releases for the next final release. The draft release will contain all the PRs merged since the
+previous release.
 
 Publishing a release is done by editing the draft release, double checking the PRs and then clicking the
 "Publish release" button. This will create a new release and tag the commit with the version number.

SECURITY.md

@@ -0,0 +1,25 @@
+# Security Policy
+
+In case you have found a security issue within ANY HIdP project please do NOT open public GitHub issues, pull requests or anything that could leak sensitive information to the public.
+
+Leukeleu asks you to instead responsibly report the security issue by email to [email protected].
+
+Your email is sent to the security team of Leukeleu. A member of the organization will respond to you acknowledging your initial email and then, depending on the action to be taken, further follow-up emails afterwards.
+
+## Scope of this policy
+
+This policy applies to all HIdP projects hosted under the GitHub organization [Leukeleu](`github.com/leukeleu`).
+
+## Supported Versions
+
+We currently support the following versions of HIdP projects with security updates:
+- Latest stable release
+- Previous stable release
+
+## Response Time
+
+Leukeleu aims to respond to security reports within 5 business days. Resolution times may vary depending on the complexity of the issue.
+
+## Third-Party Dependencies
+
+If the security issue is related to a third-party dependency, we recommend reporting the issue directly to the respective maintainers. Leukeleu will assist in updating the dependency once a fix is available. 

packages/hidp/Makefile

@@ -141,7 +141,9 @@ clean:
 ##
 
 ../../var/requirements_frozen.txt:
-	uv pip compile pyproject.toml --extra oidc_provider -q -o "${@}" --no-annotate --no-header
+	# Pin Django directly to LTS version provided by the test matrix
+	echo 'Django~=${DJANGO_VERSION}.0' > ../../var/constraints.txt
+	uv pip compile pyproject.toml --extra oidc_provider -q -o "${@}" --no-annotate --no-header --constraints ../../var/constraints.txt
 	@echo "### Package dependencies :package:" >> ${GITHUB_STEP_SUMMARY}
 	@echo '```' >> ${GITHUB_STEP_SUMMARY}
 	@cat "${@}" >> ${GITHUB_STEP_SUMMARY}

packages/hidp/docs/index.md

@@ -14,6 +14,7 @@ registering and authenticating users in Django projects.
 :maxdepth: 2
 installation
 installation-extras
+registration
 configure-oidc-clients
 configure-as-oidc-provider
 content-security-policy
@@ -24,6 +25,7 @@ templates
 translations
 management-commands
 rate-limiting
+terms-of-service
 :::
 
 # Indices and tables

packages/hidp/docs/installation.md

@@ -4,7 +4,7 @@
 full-featured authentication system for Django projects.
 
 HIdP provides all the default Django authentication functionalities and more:
-- Registration (including email verification)
+- Registration (including email verification) (see [Registration](project:registration.md))
 - OpenID Connect (OIDC) Clients (Google and Microsoft included)
 - One-time passwords (OTP)
 - Rate limiting
@@ -101,12 +101,18 @@ AUTH_USER_MODEL = "accounts.User"
 ```
 
 ### `REGISTRATION_ENABLED`
-Enable or disable registration in your Django settings (default is `False`):
+Enable or disable registration in your Django settings:
 
 ```python
 REGISTRATION_ENABLED = False
 ```
 
+:::{note}
+If `REGISTRATION_ENABLED` is not defined, it defaults to `True`. In a future version of HIdP, registration will be disabled if `REGISTRATION_ENABLED` is not defined. It is recommended to explicitly set `REGISTRATION_ENABLED` to `True` or `False` in your settings.
+:::
+
+See [Registration](project:registration.md) for more information on how HIdP handles account registration.
+
 ### `OTP_TOTP_ISSUER`
 
 Specifies the issuer name to be used in the Time-based One-Time Password (TOTP) URI.
@@ -138,8 +144,8 @@ LOGOUT_REDIRECT_URL = "/"
 HIdP comes with a set of extra password validators that can be added to
 `settings.AUTH_PASSWORD_VALIDATORS` if desired. See [Password Validators](project:password-validation.md)
 for more information.
-
 :::
+
 ### OpenID Connect based login (social accounts)
 
 To enable users to log in using an existing Google, Microsoft or any other provider that
@@ -184,10 +190,16 @@ urlpatterns = [
 
 ### Cache
 
-HIdP requires a caching implementation, in order for the rate limits to properly work
-and to store OIDC Provider signing keys. See [Django's cache framework](https://docs.djangoproject.com/en/stable/topics/cache/#django-s-cache-framework).
+HIdP requires a working Django cache backend to support rate limiting and to store
+OIDC Provider signing keys. A persistent and reliable cache is necessary for correct
+operation, especially for features like rate limiting and session management.
+
+For production deployments, it is strongly recommended to use a robust cache backend
+such as Redis or Memcached. For more details on cache requirements for rate limiting,
+see the [django-ratelimit documentation](https://django-ratelimit.readthedocs.io/en/stable/installation.html#create-or-use-a-compatible-cache)
+and [Django's cache framework](https://docs.djangoproject.com/en/stable/topics/cache/#django-s-cache-framework).
 
-For example a Redis cache:
+#### Redis Cache Configuration:
 
 ```python
 CACHES = {