chore(deps-dev): bump flask-security-too from 5.3.3 to 5.4.1

[dependabot[bot]]

Bumps flask-security-too from 5.3.3 to 5.4.1.

Release notes

Sourced from flask-security-too's releases.

Release 5.4.1

Features and fixes release. As always - consult CHANGES for complete details.

Note: 5.4.0 had some logistics issues - so this is 5.4.1

Changelog

Sourced from flask-security-too's changelog.

Version 5.4.0 & 5.4.1

Released February 26, 2024

Among other changes, this continues the process of dis-entangling Flask-Security from Flask-Login and may require some application changes due to backwards incompatible changes.

Features & Improvements +++++++++++++++++++++++

• (:issue:879) Work with Flask[async]. view decorators and signals support async handlers.
• (:pr:900) CI support for python 3.12
• (:pr:901) Work with py_webauthn 2.0 (and only 2.0+)
• (:pr:899) Improve (and simplify) Two-Factor setup. See below for backwards compatability issues and new functionality.
• (:issue:912) Improve oauth debugging support. Handle next propagation in a more general way.
• (:pr:877) Make AnonymousUser (Flask-Login) optional and deprecated.
• (:pr:906) Remove undocumented and untested looking in session for possible 'next' redirect location.
• (:pr:881) No longer rely on Flask-Login.unauthorized callback. See below for implications.
• (:issue:904) Changes to default unauthorized handler - remove use of referrer header (see below) and document precise behavior.
• (:pr:927) The authentication_token format has changed - adding per-token expiry time and future session ID. Old tokens are still accepted.

Docs and Chores +++++++++++++++

• (:pr:889) Improve method translations for unified signin and two factor. Remove support for Flask-Babelex.
• (:pr:911) Chore - stop setting all config as attributes. init_app(**kwargs) can only set forms, flags, and utility classes.
• (:pr:873) Update Spanish and Italian translations. (gissimo)
• (:pr:855) Improve translations for two-factor method selection. (gissimo)
• (:pr:866) Improve German translations. (sr-verde)
• (:pr:911) Remove deprecation of AUTO_LOGIN_AFTER_CONFIRM - it has a reasonable use case.
• (:pr:931) Update message extraction - note that the CONFIRM_REGISTRATION message was changed to improve readability.

Fixes +++++

• (:issue:845) us-signin magic link should use fs_uniquifier (not email).
• (:issue:893) Improve open-redirect vulnerability mitigation. (see below)
• (:issue:875) user_datastore.create_user has side effects on mutable inputs. (NoRePercussions)
• (:pr:878) The long deprecated _unauthorized_callback/handler has been removed.
• (:issue:884) Oauth re-used POST_LOGIN_VIEW which caused confusion. See below for the new configuration and implications.
• (:pr:908) Improve CSRF documentation and testing. Fix bug where a CSRF failure could return an HTML page even if the request was JSON.
• (:issue:925) Register with JSON and authentication token failed CSRF. (lilz-egoto)
• (:issue:870) Fix 2 issues with CSRF configuration.
• (:pr:914) It was possible that if :data:SECURITY_EMAIL_VALIDATOR_ARGS were set that deliverability would be checked even for login.

... (truncated)

Commits

• e94e1df Release 5.4.1 (#940)
• 42edd25 make tox and github action use same python version (#939)
• 4e7b943 Add empty dictionary as default to validator args (#938)
• de87aeb Try to fix some issues with readthedocs failing latex build. (#935)
• 79ac2b5 Ready for 5.4 (#934)
• a0602ef Chore update messages. (#931)
• e423abd Chore - tests and docs (#930)
• cfc66b4 Fix 2 CSRF issues. (#928)
• 263b2c2 Change auth_tokens to be versionable, extendable, expirable. (#927)
• 6d6c15a fixed bug where csrf_token was not recognized for register json api. wrote a ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot[bot]]

Looks like flask-security-too is up-to-date now, so this is no longer needed.