Among other changes, this continues the process of dis-entangling Flask-Security
from Flask-Login and may require some application changes due to backwards incompatible changes.
Features & Improvements
+++++++++++++++++++++++
(:issue:879) Work with Flask[async]. view decorators and signals support async handlers.
(:pr:900) CI support for python 3.12
(:pr:901) Work with py_webauthn 2.0 (and only 2.0+)
(:pr:899) Improve (and simplify) Two-Factor setup. See below for backwards compatability issues and new functionality.
(:issue:912) Improve oauth debugging support. Handle next propagation in a more general way.
(:pr:877) Make AnonymousUser (Flask-Login) optional and deprecated.
(:pr:906) Remove undocumented and untested looking in session for possible 'next'
redirect location.
(:pr:881) No longer rely on Flask-Login.unauthorized callback. See below for implications.
(:issue:904) Changes to default unauthorized handler - remove use of referrer header (see below) and document precise behavior.
(:pr:927) The authentication_token format has changed - adding per-token expiry time and future session ID.
Old tokens are still accepted.
Docs and Chores
+++++++++++++++
(:pr:889) Improve method translations for unified signin and two factor. Remove support for Flask-Babelex.
(:pr:911) Chore - stop setting all config as attributes. init_app(**kwargs) can only
set forms, flags, and utility classes.
(:pr:873) Update Spanish and Italian translations. (gissimo)
(:pr:855) Improve translations for two-factor method selection. (gissimo)
(:pr:866) Improve German translations. (sr-verde)
(:pr:911) Remove deprecation of AUTO_LOGIN_AFTER_CONFIRM - it has a reasonable use case.
(:pr:931) Update message extraction - note that the CONFIRM_REGISTRATION message was changed to improve
readability.
Fixes
+++++
(:issue:845) us-signin magic link should use fs_uniquifier (not email).
(:issue:893) Improve open-redirect vulnerability mitigation. (see below)
(:issue:875) user_datastore.create_user has side effects on mutable inputs. (NoRePercussions)
(:pr:878) The long deprecated _unauthorized_callback/handler has been removed.
(:issue:884) Oauth re-used POST_LOGIN_VIEW which caused confusion. See below for the new configuration and implications.
(:pr:908) Improve CSRF documentation and testing. Fix bug where a CSRF failure could
return an HTML page even if the request was JSON.
(:issue:925) Register with JSON and authentication token failed CSRF. (lilz-egoto)
(:issue:870) Fix 2 issues with CSRF configuration.
(:pr:914) It was possible that if :data:SECURITY_EMAIL_VALIDATOR_ARGS were set that
deliverability would be checked even for login.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps flask-security-too from 5.3.3 to 5.4.0.
Changelog
Sourced from flask-security-too's changelog.
... (truncated)
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show