- (:issue:956) Add support for changing registered user's email (:py:data:SECURITY_CHANGE_EMAIL).
- (:issue:944) Change default password hash to argon2 (was bcrypt). See below for details.
- (:pr:990) Add freshness capability to auth tokens (enables /us-setup to function w/ just auth tokens).
- (:pr:991) Add support to /tf-setup to not require sessions (use a state token).
- (:issue:994) Add support for Flask-SQLAlchemy-Lite - including new all-inclusive models that conform to sqlalchemy latest best-practice (type-annotated).
- (:pr:1007) Convert other sqlalchemy-based datastores from legacy 'model.query' to best-practice 'select'
- (:issue:983) Allow applications more flexibility defining allowable redirects.

Fixes
+++++
- (:pr:972) Set :py:data:SECURITY_CSRF_COOKIE at beginning (GET /login) of authentication ritual - just as we return the CSRF token. (thanks @e-goto)
- (:issue:973) login and unified sign in should handle GET for authenticated user consistently.
- (:pr:995) Don't show sms options if not defined in US_ENABLED_METHODS. (fredipevcin)
- (:pr:1009) Change :py:data:SECURITY_DEPRECATED_HASHING_SCHEMES to ["auto"].

Docs and Chores
+++++++++++++++
- (:pr:979) Update Russian translations (ademaro)
- (:pr:1004) Update ES and IT translations (gissimo)
- (:pr:981 and :pr:977) Improve docs
- (:pr:992) The long deprecated get_token_status is no longer exported
- (:pr:992) Drop Python 3.8 support.
- (:issue:1001) Try a different approach to typing User and Role models.

Notes around the change to argon2 as the default password hash:

- Applications should add the argon2_cffi package to their requirements (it is included in the flask_security[common] extras).
- Leave bcrypt installed so that old passwords still work.
- The default configuration will re-hash passwords with argon2 upon first use.

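The re-hash-on-first-use behaviour described in the notes above, as an added sketch that is not Flask-Security's own code. It uses two PBKDF2 variants from the standard library as stand-ins for bcrypt ("legacy") and argon2 ("current"); the hash string format and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Stand-ins (assumption): "legacy" plays the role of bcrypt and "current" the
# role of argon2, so the example runs on the standard library alone.
SCHEMES = {
    "legacy": ("sha1", 1_000),
    "current": ("sha256", 100_000),
}
DEFAULT = "current"


def hash_password(password, scheme=DEFAULT):
    """Hash with the given scheme; output is 'scheme$salt_hex$digest_hex'."""
    digest, rounds = SCHEMES[scheme]
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt, rounds)
    return f"{scheme}${salt.hex()}${dk.hex()}"


def verify_and_update(password, stored):
    """Return (ok, new_hash); new_hash is set only when a re-hash is needed."""
    scheme, salt_hex, dk_hex = stored.split("$")
    if scheme not in SCHEMES:
        # The verifier for the old scheme is gone: the password cannot be
        # checked at all, which is why the old scheme must stay installed.
        return False, None
    digest, rounds = SCHEMES[scheme]
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), bytes.fromhex(salt_hex), rounds)
    if not hmac.compare_digest(dk.hex(), dk_hex):
        return False, None
    return True, (hash_password(password) if scheme != DEFAULT else None)


def login(db, user, password):
    """Verify a login and persist the upgraded hash on first successful use."""
    ok, new_hash = verify_and_update(password, db[user])
    if ok and new_hash:
        db[user] = new_hash
    return ok
```

Accounts that never log in keep their old-scheme hash, so the old verifier has to remain available for as long as such rows exist.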
Changes to /tf-setup
The old path, using state set in the session, still works as before. The new path is
just for the case where an authenticated user wants to change their 2FA setup.
Changes to sqlalchemy-based datastores
Flask-Security no longer uses the legacy model.query; all DB access is done via
select(xx).where(xx). As a result, the find_user() method now takes only a SINGLE
column:value from its kwargs. In prior releases, all kwargs were passed into the query.filter.
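Application code that relied on several kwargs being ANDed together will now match on one column only. The added example below (not part of Flask-Security) shows the pitfall and a wrapper that enforces the remaining conditions in Python. `StubDatastore`, `User` and `find_user_strict` are hypothetical names, and the stub's choice of the first kwarg is an assumption, since the page does not say which pair is used.

```python
from dataclasses import dataclass


@dataclass
class User:  # constructed sample model
    email: str
    username: str
    active: bool


class StubDatastore:
    """Constructed stand-in mimicking the behaviour described above:
    find_user() looks up by exactly one column:value pair."""

    def __init__(self, users):
        self._users = users

    def find_user(self, **kwargs):
        if not kwargs:
            return None
        # Assumption: the first pair is used; any extra kwargs are ignored.
        column, value = next(iter(kwargs.items()))
        return next((u for u in self._users if getattr(u, column) == value), None)


def find_user_strict(datastore, lookup, **must_match):
    """Look up by ONE column, then enforce the other conditions in Python.

    `lookup` is a single-item dict such as {"email": "a@example.com"}.
    """
    if len(lookup) != 1:
        raise ValueError("lookup must contain exactly one column:value pair")
    user = datastore.find_user(**lookup)
    if user is None:
        return None
    for column, expected in must_match.items():
        if getattr(user, column) != expected:
            return None  # found, but fails a condition the caller required
    return user


# Constructed sample data.
USERS = [User("alice@example.com", "alice", True),
         User("bob@example.com", "bob", False)]
DS = StubDatastore(USERS)
```

Because the wrapper always passes exactly one pair, its result does not depend on which kwarg the datastore happens to pick.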
Commits
49a7429 codecov trying to get working again (#1014)
a024bf3 Bump the github-actions group with 3 updates (#1013)
Bumps flask-security-too from 5.4.3 to 5.5.0.
Release notes
Sourced from flask-security-too's releases.
Changelog
Sourced from flask-security-too's changelog.
Commits
49a7429 codecov trying to get working again (#1014)
a024bf3 Bump the github-actions group with 3 updates (#1013)
83fe995 Ready for 5.5.0 (#1012)
26e6325 Allow more flexibility in allowed redirect targets. (#1011)
8970b35 Change DEPRECATED_HASHING_SCHEMES to "auto". (#1009)
c17a616 Try a different approach to typing datastores. (#1008)
394e86c Use 'modern' query for all sqlalchemy datastores (#1007)
5744f9d ES and IT translations for changing email (#1004)
adf31c8 Don't show sms option if it's not defined in US_ENABLED_METHODS (#995)
25ad68d Add support for Flask-SQLAlchemy-Lite datastore (#994)