donBarbos / telegram-bot-template

🤖 Template for telegram bot using postgres, pgbouncer, redis, docker, amplitude, prometheus, grafana, CI with admin panel
GNU Lesser General Public License v3.0
278 stars 51 forks source link

chore(deps-dev): bump flask-security-too from 5.3.3 to 5.4.0 #164

Closed dependabot[bot] closed 8 months ago

dependabot[bot] commented 8 months ago

Bumps flask-security-too from 5.3.3 to 5.4.0.

Changelog

Sourced from flask-security-too's changelog.

Version 5.4.0

Released February 26, 2024

Among other changes, this continues the process of dis-entangling Flask-Security from Flask-Login and may require some application changes due to backwards incompatible changes.

Features & Improvements +++++++++++++++++++++++

  • (:issue:879) Work with Flask[async]. view decorators and signals support async handlers.
  • (:pr:900) CI support for python 3.12
  • (:pr:901) Work with py_webauthn 2.0 (and only 2.0+)
  • (:pr:899) Improve (and simplify) Two-Factor setup. See below for backwards compatability issues and new functionality.
  • (:issue:912) Improve oauth debugging support. Handle next propagation in a more general way.
  • (:pr:877) Make AnonymousUser (Flask-Login) optional and deprecated.
  • (:pr:906) Remove undocumented and untested looking in session for possible 'next' redirect location.
  • (:pr:881) No longer rely on Flask-Login.unauthorized callback. See below for implications.
  • (:issue:904) Changes to default unauthorized handler - remove use of referrer header (see below) and document precise behavior.
  • (:pr:927) The authentication_token format has changed - adding per-token expiry time and future session ID. Old tokens are still accepted.

Docs and Chores +++++++++++++++

  • (:pr:889) Improve method translations for unified signin and two factor. Remove support for Flask-Babelex.
  • (:pr:911) Chore - stop setting all config as attributes. init_app(**kwargs) can only set forms, flags, and utility classes.
  • (:pr:873) Update Spanish and Italian translations. (gissimo)
  • (:pr:855) Improve translations for two-factor method selection. (gissimo)
  • (:pr:866) Improve German translations. (sr-verde)
  • (:pr:911) Remove deprecation of AUTO_LOGIN_AFTER_CONFIRM - it has a reasonable use case.
  • (:pr:931) Update message extraction - note that the CONFIRM_REGISTRATION message was changed to improve readability.

Fixes +++++

  • (:issue:845) us-signin magic link should use fs_uniquifier (not email).
  • (:issue:893) Improve open-redirect vulnerability mitigation. (see below)
  • (:issue:875) user_datastore.create_user has side effects on mutable inputs. (NoRePercussions)
  • (:pr:878) The long deprecated _unauthorized_callback/handler has been removed.
  • (:issue:884) Oauth re-used POST_LOGIN_VIEW which caused confusion. See below for the new configuration and implications.
  • (:pr:908) Improve CSRF documentation and testing. Fix bug where a CSRF failure could return an HTML page even if the request was JSON.
  • (:issue:925) Register with JSON and authentication token failed CSRF. (lilz-egoto)
  • (:issue:870) Fix 2 issues with CSRF configuration.
  • (:pr:914) It was possible that if :data:SECURITY_EMAIL_VALIDATOR_ARGS were set that deliverability would be checked even for login.

... (truncated)

Commits


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
dependabot[bot] commented 8 months ago

Superseded by #167.