diff --git a/0001-Do-not-raise-a-TypeError-exception-if-phone.data-is-.patch b/0001-Do-not-raise-a-TypeError-exception-if-phone.data-is-.patch
deleted file mode 100644
index a2ae896..0000000
--- a/0001-Do-not-raise-a-TypeError-exception-if-phone.data-is-.patch
+++ /dev/null
@@ -1,50 +0,0 @@ -From fc94ad58537d83b1f5500876da4a3026654645ba Mon Sep 17 00:00:00 2001 -From: Antonio Larrosa -Date: Tue, 15 Jun 2021 19:36:50 +0200 -Subject: [PATCH] Do not raise a TypeError exception if phone.data is None - -Running the tests on the openSUSE build service to generate -packages fails because a TypeError exception is raised. - -``` -TypeError: object of type 'NoneType' has no len() -``` - -This commit checks that phone.data is not None before calling -len() in the two lines where the exception is raised. ---- - flask_security/forms.py | 3 ++- - flask_security/views.py | 3 ++- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/flask_security/forms.py b/flask_security/forms.py -index c793a99..83665fa 100644 ---- a/flask_security/forms.py -+++ b/flask_security/forms.py -@@ -593,7 +593,8 @@ class TwoFactorSetupForm(Form, UserEmailFormMixin): - self.setup.errors = list() - self.setup.errors.append(get_message("TWO_FACTOR_METHOD_NOT_AVAILABLE")[0]) - return False -- if self.setup.data == "sms" and len(self.phone.data) > 0: -+ if (self.setup.data == "sms" and -+ self.phone.data and len(self.phone.data) > 0): - # Somewhat bizarre - but this isn't required the first time around - # when they select "sms". Then they get a field to fill out with - # phone number, then Submit again. -diff --git a/flask_security/views.py b/flask_security/views.py -index c33a016..3aaca95 100644 ---- a/flask_security/views.py -+++ b/flask_security/views.py -@@ -751,7 +751,8 @@ def two_factor_setup(): - - session["tf_primary_method"] = pm - session["tf_state"] = "validating_profile" -- new_phone = form.phone.data if len(form.phone.data) > 0 else None -+ new_phone = form.phone.data if (form.phone.data and -+ len(form.phone.data) > 0) else None - if new_phone: - user.tf_phone_number = new_phone - _datastore.put(user) --- -2.31.1 - diff --git a/Flask-Security-Too-3.4.5.tar.gz b/Flask-Security-Too-3.4.5.tar.gz deleted file mode 100644 index 3cd083d..0000000 
--- a/Flask-Security-Too-3.4.5.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a09d051ed7616a99dcaa604e718792319521820e245758fe1f42f7554c538da5
-size 340616
diff --git a/Flask-Security-Too-4.1.2.tar.gz b/Flask-Security-Too-4.1.2.tar.gz
new file mode 100644
index 0000000..1e4cb05
--- /dev/null
+++ b/Flask-Security-Too-4.1.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:88c3d4cfa415ef4dd6f71052ef7a806a5079d8ee33d3e384d2fcd48d802d9a9b
+size 446265
diff --git a/fix-dependencies.patch b/fix-dependencies.patch
deleted file mode 100644
index c04afec..0000000
--- a/fix-dependencies.patch
+++ /dev/null
@@ -1,149 +0,0 @@ -Index: Flask-Security-Too-3.4.2/setup.py -=================================================================== ---- Flask-Security-Too-3.4.2.orig/setup.py -+++ Flask-Security-Too-3.4.2/setup.py -@@ -14,20 +14,19 @@ with io.open("flask_security/__init__.py - - tests_require = [ - "Flask-Mongoengine~=0.9.5", -- "peewee>=3.11.2", -+ "peewee>=3.7.1", - "Flask-SQLAlchemy>=2.3", - "argon2_cffi>=19.1.0", -- "bcrypt>=3.1.5", -+ "bcrypt>=3.1.4", - "cachetools>=3.1.0", - "check-manifest>=0.25", - "coverage>=4.5.4", -- "cryptography>=2.3.1", -+ "cryptography>=2.1.4", - "isort>=4.2.2", - "mock>=1.3.0", - "mongoengine~=0.19.1", - "mongomock~=3.19.0", - "msgcheck>=2.9", -- "pony>=0.7.11", - "phonenumberslite>=8.11.1", - "psycopg2>=2.8.4", - "pydocstyle>=1.0.0", -@@ -41,7 +40,7 @@ tests_require = [ - "pytest>=3.5.1", - "sqlalchemy>=1.2.6", - "sqlalchemy-utils>=0.33.0", -- "werkzeug>=0.15.5", -+ "werkzeug>=0.14.1", - "zxcvbn~=4.4.28", - ] - -Index: Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt -=================================================================== ---- Flask-Security-Too-3.4.2.orig/Flask_Security_Too.egg-info/requires.txt -+++ Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt -@@ -13,20 +13,19 @@ Pallets-Sphinx-Themes>=1.2.0 - Sphinx>=1.8.5 - sphinx-issues>=1.2.0 - Flask-Mongoengine~=0.9.5 --peewee>=3.11.2 -+peewee>=3.7.1 - Flask-SQLAlchemy>=2.3 - argon2_cffi>=19.1.0 --bcrypt>=3.1.5 -+bcrypt>=3.1.4 - cachetools>=3.1.0 - check-manifest>=0.25 - coverage>=4.5.4 --cryptography>=2.3.1 -+cryptography>=2.1.4 - isort>=4.2.2 - mock>=1.3.0 - mongoengine~=0.19.1 - mongomock~=3.19.0 - msgcheck>=2.9 --pony>=0.7.11 - phonenumberslite>=8.11.1 - psycopg2>=2.8.4 - pydocstyle>=1.0.0 -@@ -40,26 +39,25 @@ pytest-mongo>=1.2.1 - pytest>=3.5.1 - sqlalchemy>=1.2.6 - sqlalchemy-utils>=0.33.0 --werkzeug>=0.15.5 -+werkzeug>=0.14.1 - zxcvbn~=4.4.28 - Pallets-Sphinx-Themes>=1.2.0 - Sphinx>=1.8.5 - sphinx-issues>=1.2.0 - 
Flask-Mongoengine~=0.9.5 --peewee>=3.11.2 -+peewee>=3.7.1 - Flask-SQLAlchemy>=2.3 - argon2_cffi>=19.1.0 --bcrypt>=3.1.5 -+bcrypt>=3.1.4 - cachetools>=3.1.0 - check-manifest>=0.25 - coverage>=4.5.4 --cryptography>=2.3.1 -+cryptography>=2.1.4 - isort>=4.2.2 - mock>=1.3.0 - mongoengine~=0.19.1 - mongomock~=3.19.0 - msgcheck>=2.9 --pony>=0.7.11 - phonenumberslite>=8.11.1 - psycopg2>=2.8.4 - pydocstyle>=1.0.0 -@@ -73,7 +71,7 @@ pytest-mongo>=1.2.1 - pytest>=3.5.1 - sqlalchemy>=1.2.6 - sqlalchemy-utils>=0.33.0 --werkzeug>=0.15.5 -+werkzeug>=0.14.1 - zxcvbn~=4.4.28 - - [docs] -@@ -83,20 +81,19 @@ sphinx-issues>=1.2.0 - - [tests] - Flask-Mongoengine~=0.9.5 --peewee>=3.11.2 -+peewee>=3.7.1 - Flask-SQLAlchemy>=2.3 - argon2_cffi>=19.1.0 --bcrypt>=3.1.5 -+bcrypt>=3.1.4 - cachetools>=3.1.0 - check-manifest>=0.25 - coverage>=4.5.4 --cryptography>=2.3.1 -+cryptography>=2.1.4 - isort>=4.2.2 - mock>=1.3.0 - mongoengine~=0.19.1 - mongomock~=3.19.0 - msgcheck>=2.9 --pony>=0.7.11 - phonenumberslite>=8.11.1 - psycopg2>=2.8.4 - pydocstyle>=1.0.0 -@@ -110,5 +107,5 @@ pytest-mongo>=1.2.1 - pytest>=3.5.1 - sqlalchemy>=1.2.6 - sqlalchemy-utils>=0.33.0 --werkzeug>=0.15.5 -+werkzeug>=0.14.1 - zxcvbn~=4.4.28 -Index: Flask-Security-Too-3.4.2/tests/conftest.py -=================================================================== ---- Flask-Security-Too-3.4.2.orig/tests/conftest.py -+++ Flask-Security-Too-3.4.2/tests/conftest.py -@@ -617,7 +617,7 @@ def get_message(app): - - - @pytest.fixture( -- params=["sqlalchemy", "sqlalchemy-session", "peewee", "pony"] -+ params=["sqlalchemy", "sqlalchemy-session", "peewee"] - ) - def datastore(request, app, tmpdir, realdburl): - if request.param == "sqlalchemy": diff --git a/no-mongodb.patch b/no-mongodb.patch index 2b6f706..31363e0 100644 --- a/no-mongodb.patch +++ b/no-mongodb.patch 
@@ -1,8 +1,8 @@ -Index: Flask-Security-Too-3.4.5/tests/conftest.py +Index: Flask-Security-Too-4.1.2/tests/conftest.py =================================================================== ---- Flask-Security-Too-3.4.5.orig/tests/conftest.py -+++ Flask-Security-Too-3.4.5/tests/conftest.py -@@ -607,7 +607,7 @@ def client_nc(request, sqlalchemy_app): +--- Flask-Security-Too-4.1.2.orig/tests/conftest.py ++++ Flask-Security-Too-4.1.2/tests/conftest.py +@@ -683,7 +683,7 @@ def client_nc(request, sqlalchemy_app): return app.test_client(use_cookies=False) @@ -11,7 +11,7 @@ Index: Flask-Security-Too-3.4.5/tests/conftest.py def clients(request, app, tmpdir, realdburl): if request.param == "cl-sqlalchemy": ds = sqlalchemy_setup(request, app, tmpdir, realdburl) -@@ -645,7 +645,7 @@ def get_message(app): +@@ -729,7 +729,7 @@ def get_message_local(app): @pytest.fixture( diff --git a/no-setup-dependencies.patch b/no-setup-dependencies.patch deleted file mode 100644 index 664f113..0000000 --- a/no-setup-dependencies.patch +++ /dev/null @@ -1,21 +0,0 @@ -Index: Flask-Security-Too-3.4.2/setup.py -=================================================================== ---- Flask-Security-Too-3.4.2.orig/setup.py -+++ Flask-Security-Too-3.4.2/setup.py -@@ -54,8 +54,6 @@ extras_require["all"] = [] - for reqs in extras_require.values(): - extras_require["all"].extend(reqs) - --setup_requires = ["Babel>=1.3", "pytest-runner>=2.6.2", "twine", "wheel"] -- - install_requires = [ - "Flask>=1.0.2", - "Flask-Login>=0.4.1", -@@ -93,7 +91,6 @@ setup( - python_requires=">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*", - extras_require=extras_require, - install_requires=install_requires, -- setup_requires=setup_requires, - tests_require=tests_require, - classifiers=[ - "Environment :: Web Environment", diff --git a/python-Flask-Security-Too.changes b/python-Flask-Security-Too.changes index d0a3356..8b8035c 100644 --- a/python-Flask-Security-Too.changes +++ b/python-Flask-Security-Too.changes 
@@ -1,3 +1,36 @@
+-------------------------------------------------------------------
+Mon Feb 28 06:16:49 UTC 2022 - Steve Kowalik
+
+- Update to 4.1.2:
+ * default_reauthn_handler doesn't honor SECURITY_URL_PREFIX
+ * Add public API and CLI command to change a user's password.
+ * Add type hints. Please note that many of the packages that flask-security
+ * Add first-class support for using username for signing in.
+ * Possible open redirect vulnerability.
+ * Improve cookie handling and default ``samesite`` to ``Strict``.
+ * Email validation confusion - added documentation.
+ * Add documentation on how to override specific error messages.
+ * Don't install global-scope tests.
+ * Add Blinker as explicit dependency, improve/fix celery usage docs,
+ don't require pyqrcode unless authenticator configured, improve SMS
+ configuration variables documentation.
+ * Your UserModel must contain ``fs_uniquifier``
+ * Removal of python 2.7 and <3.6 support
+ * Remove two-factor `/tf-confirm` endpoint and use generic `freshness`
+ mechanism.
+ * Remove ``SECURITY_BACKWARDS_COMPAT_AUTH_TOKEN_INVALID(ATE)``. In
+ addition to not making sense - the documentation has never been correct.
+ * Add 2FA Validity Window so an application can configure how often the
+ second factor has to be entered.
+ * Add HTML5 Email input types to email fields.
+- Refresh no-mongodb.patch
+- Drop patches:
+ * no-setup-dependencies.patch
+ * fix-dependencies.patch
+ * 0001-Do-not-raise-a-TypeError-exception-if-phone.data-is-.patch
+- Add patch use-pyqrcodeng.patch:
+ * Use pyqrcodeng rather than pyqrcode.
+
 -------------------------------------------------------------------
 Tue Jun 15 16:37:41 UTC 2021 - Antonio Larrosa
 
diff --git a/python-Flask-Security-Too.spec b/python-Flask-Security-Too.spec
index 4417f2c..30d9dc7 100644
--- a/python-Flask-Security-Too.spec
+++ b/python-Flask-Security-Too.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python-Flask-Security-Too
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,21 +19,18 @@
 %define skip_python2 1
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name: python-Flask-Security-Too
-Version: 3.4.5
+Version: 4.1.2
 Release: 0
 Summary: Security for Flask apps
 License: MIT
 URL: https://github.com/jwag956/flask-security
 Source: https://files.pythonhosted.org/packages/source/F/Flask-Security-Too/Flask-Security-Too-%{version}.tar.gz
 Patch0: no-mongodb.patch
-Patch1: no-setup-dependencies.patch
-Patch2: fix-dependencies.patch
-Patch3: 0001-Do-not-raise-a-TypeError-exception-if-phone.data-is-.patch
+Patch1: use-pyqrcodeng.patch
 BuildRequires: %{python_module Babel >= 1.3}
 BuildRequires: %{python_module Flask >= 1.0.2}
-BuildRequires: %{python_module Flask-BabelEx >= 0.9.3}
+BuildRequires: %{python_module Flask-Babel}
 BuildRequires: %{python_module Flask-Login >= 0.4.1}
-# FLask-Mail and PyQRCode should be replaced gh#Flask-Middleware/flask-security#531
 BuildRequires: %{python_module Flask-Mail >= 0.9.1}
 BuildRequires: %{python_module Flask-Principal >= 0.4.0}
 BuildRequires: %{python_module Flask-SQLAlchemy >= 2.3}
@@ -43,6 +40,8 @@ BuildRequires: %{python_module SQLAlchemy >= 1.2.6}
 BuildRequires: %{python_module Werkzeug >= 0.14.1}
 BuildRequires: %{python_module argon2_cffi >= 19.1.0}
 BuildRequires: %{python_module bcrypt >= 3.1.4}
+BuildRequires: %{python_module bleach}
+BuildRequires: %{python_module blinker >= 1.4}
 BuildRequires: %{python_module cachetools >= 3.1.0}
 BuildRequires: %{python_module cryptography >= 2.1.4}
 BuildRequires: %{python_module email_validator >= 1.0.5}
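Review bot: In the second hunk, `BuildRequires: %{python_module Flask-Babel}` replaces a line that carried a floor (`Flask-BabelEx >= 0.9.3`) with an unversioned one, and `Requires: python-Flask-Babel` in the later Requires hunk does the same. Every neighbouring dependency keeps a minimum, so a build root or installed system with an older Flask-Babel would satisfy the package while possibly not satisfying upstream. Take the minimum from the `setup.py` shipped in the 4.1.2 tarball and write it on both lines, e.g. `Requires: python-Flask-Babel >= <upstream minimum>`. The `bleach` line added in the third hunk is unversioned as well and deserves the same check.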
@@ -57,13 +56,13 @@ BuildRequires: %{python_module zxcvbn >= 4.4.28} BuildRequires: fdupes BuildRequires: python-rpm-macros Requires: python-Flask >= 1.0.2 -Requires: python-Flask-BabelEx >= 0.9.3 +Requires: python-Flask-Babel Requires: python-Flask-Login >= 0.4.1 -Requires: python-Flask-Mail >= 0.9.1 Requires: python-Flask-Principal >= 0.4.0 Requires: python-Flask-WTF >= 0.14.2 Requires: python-Werkzeug >= 0.14.1 Requires: python-bcrypt >= 3.1.4 +Requires: python-blinker >= 1.4 Requires: python-cryptography >= 2.1.4 Requires: python-email_validator >= 1.0.5 Requires: python-itsdangerous >= 1.1.0 @@ -85,9 +84,7 @@ application. This is a independently maintained version of Flask-Security based on the 3.0.0 version of the original. %prep -%setup -q -n Flask-Security-Too-%{version} -%autopatch -p1 -rm pytest.ini +%autosetup -p1 -n Flask-Security-Too-%{version} %if 0%{?suse_version} <= 1500 # test_trackable.py needs werkzeug.middleware.proxy_fix which is only available @@ -103,7 +100,7 @@ rm tests/test_trackable.py %python_expand %fdupes %{buildroot}%{$python_sitelib} %check -%pytest +%pytest -k 'not test_wtform_xlation' %files %{python_files} %doc AUTHORS CHANGES.rst README.rst diff --git a/use-pyqrcodeng.patch b/use-pyqrcodeng.patch new file mode 100644 index 0000000..605a938 --- /dev/null +++ b/use-pyqrcodeng.patch 
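Review bot: The Requires hunk removes `Requires: python-Flask-Mail >= 0.9.1` and adds only `python-blinker`, while the build-time list gained `bleach` and the new patch points the authenticator module check at `pyqrcodeng`; none of those three appears as a runtime dependency in the lines shown. If upstream treats them as optional, a weak dependency keeps the features that import them working on a default install without forcing them, for example `Recommends: python-Flask-Mail >= 0.9.1`. The Requires list continues past the end of this hunk, so such lines may already exist below `python-itsdangerous`.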
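Review bot: `%pytest -k 'not test_wtform_xlation'` in the %check hunk deselects a test without saying why, so nobody can tell later whether the skip is still needed. Since `-k` matches by substring, it also drops any other test whose name contains that string. Add a comment above the line, such as `# test_wtform_xlation fails in the build root: <reason or upstream issue>`. The %prep hunk also stops removing `pytest.ini`, so upstream's pytest options now apply to this run; it is worth confirming they do not rely on plugins missing from BuildRequires.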
@@ -0,0 +1,29 @@
+Index: Flask-Security-Too-4.1.2/flask_security/core.py
+===================================================================
+--- Flask-Security-Too-4.1.2.orig/flask_security/core.py
++++ Flask-Security-Too-4.1.2/flask_security/core.py
+@@ -1411,7 +1411,7 @@ class Security:
+ and "authenticator" in cv("TWO_FACTOR_ENABLED_METHODS", app=app)
+ )
+ if need_qrcode:
+- self._check_modules("pyqrcode", "TWO_FACTOR or UNIFIED_SIGNIN")
++ self._check_modules("pyqrcodeng", "TWO_FACTOR or UNIFIED_SIGNIN")
+
+ need_sms = (
+ cv("UNIFIED_SIGNIN", app=app)
+Index: Flask-Security-Too-4.1.2/flask_security/totp.py
+===================================================================
+--- Flask-Security-Too-4.1.2.orig/flask_security/totp.py
++++ Flask-Security-Too-4.1.2/flask_security/totp.py
+@@ -139,9 +139,9 @@ class Totp:
+ .. versionadded:: 4.0.0
+ """
+ try:
+- import pyqrcode
++ import pyqrcodeng
+
+- code = pyqrcode.create(self.get_totp_uri(username, totp))
++ code = pyqrcodeng.create(self.get_totp_uri(username, totp))
+ with io.BytesIO() as virtual_file:
+ code.svg(file=virtual_file, scale=3)
+ image_as_str = base64.b64encode(virtual_file.getvalue()).decode("ascii")
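Review bot: The new patch file starts directly at `Index:` with no header, so the reason for swapping `pyqrcode` for `pyqrcodeng` and its upstream status are recorded only in the one-line changelog entry. A short header before the first `Index:` line, stating why the distribution uses pyqrcodeng and whether the change was offered upstream, would make the next refresh easier to judge. In `totp.py` the import sits inside a `try:` whose `except` lies outside the hunk; if that handler covers a missing module, a system without pyqrcodeng would lose the TOTP QR image without a clear error. The spec hunks shown add no BuildRequires for pyqrcodeng, so confirm it is declared elsewhere in the spec, otherwise the test suite never exercises this path.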