- Use itsdangerous to sign CSRF tokens and check expiration instead of doing it ourselves. (264)
- All tokens are URL safe, removing the url_safe parameter from generate_csrf. (206)
- All tokens store a timestamp, which is checked in validate_csrf. The time_limit parameter of generate_csrf is removed.
- Remove the app attribute from CsrfProtect, use current_app. (264)
- CsrfProtect protects the DELETE method by default. (264)
- The same CSRF token is generated for the lifetime of a request. It is exposed as request.csrf_token for use during testing. (227, 264)
- CsrfProtect.error_handler is deprecated. (264)
- Handlers that return a response work in addition to those that raise an error. The behavior was not clear in previous docs. (200, 209, 243, 252)
- Use Form.Meta instead of deprecated SecureForm for CSRF (and everything else). (216, 271)
- csrf_enabled parameter is still recognized but deprecated. All other attributes and methods from SecureForm are removed. (271)
- Provide WTF_CSRF_FIELD_NAME to configure the name of the CSRF token. (271)
- validate_csrf raises wtforms.ValidationError with specific messages instead of returning True or False. This breaks anything that was calling the method directly. (239, 271)
- CSRF errors are logged as well as raised. (239)
- CsrfProtect is renamed to CSRFProtect. A deprecation warning is issued when using the old name. CsrfError is renamed to CSRFError without deprecation. (271)
- FileField is deprecated because it no longer provides functionality over the provided validators. Use wtforms.FileField directly. (272)
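Two of the entries above change how callers interact with CSRF validation: tokens now carry a timestamp that validate_csrf checks, and validate_csrf raises wtforms.ValidationError with a specific message instead of returning True or False. The following is an added illustration, not Flask-WTF's own code: it models a timestamped, HMAC-signed token with the standard library (standing in for itsdangerous), raises on each failure mode, and shows the try/except shim that code which used to test the boolean return value now needs. The secret, the time limit and the error messages are constructed for the example.

```python
import hashlib
import hmac
import time


class ValidationError(Exception):
    """Stands in for wtforms.ValidationError so this runs without Flask-WTF installed."""


SECRET = b"constructed-secret-for-illustration"  # assumption: the app's secret key
TIME_LIMIT = 3600  # seconds; constructed default for the example


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def generate_csrf(session_token: str, now: float = None) -> str:
    """Return '<timestamp>.<hex signature>': the timestamp is signed, so it cannot be altered."""
    ts = int(now if now is not None else time.time())
    return f"{ts}.{_sign(f'{ts}.{session_token}'.encode())}"


def validate_csrf(data: str, session_token: str, now: float = None) -> None:
    """Raise ValidationError with a specific message on failure; return nothing on success."""
    if not data:
        raise ValidationError("The CSRF token is missing.")
    try:
        ts_str, sig = data.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        raise ValidationError("The CSRF token is invalid.") from None
    # Constant-time comparison of the signature over the timestamp and session token.
    if not hmac.compare_digest(sig, _sign(f"{ts}.{session_token}".encode())):
        raise ValidationError("The CSRF token is invalid.")
    current = now if now is not None else time.time()
    if current - ts > TIME_LIMIT:
        raise ValidationError("The CSRF token has expired.")


def csrf_is_valid(data: str, session_token: str, now: float = None) -> bool:
    """Migration shim for callers that relied on the old True/False return value."""
    try:
        validate_csrf(data, session_token, now)
    except ValidationError:
        return False
    return True
```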
There's a new version of Flask-WTF available. You are currently using 0.13.1. I have updated it to 0.14.2.
Got merge conflicts? Close this PR and delete the branch. I'll create a new PR for you.
Happy merging! 🤖