python-Flask-Security-Too

pool/python-Flask-Security-Too

SHA256

Fork 1

Commit Graph

Author	SHA256	Message	Date
Steve Kowalik	0d52f70841	- Update to 4.1.2: * default_reauthn_handler doesn't honor SECURITY_URL_PREFIX * Add public API and CLI command to change a user's password. * Add type hints. Please note that many of the packages that flask-security * Add first-class support for using username for signing in. * Possible open redirect vulnerability. * Improve cookie handling and default ``samesite`` to ``Strict``. * Email validation confusion - added documentation. * Add documentation on how to override specific error messages. * Don't install global-scope tests. * Add Blinker as explicit dependency, improve/fix celery usage docs, don't require pyqrcode unless authenticator configured, improve SMS configuration variables documentation. * Your UserModel must contain ``fs_uniquifier`` * Removal of python 2.7 and <3.6 support * Remove two-factor `/tf-confirm` endpoint and use generic `freshness` mechanism. * Remove ``SECURITY_BACKWARDS_COMPAT_AUTH_TOKEN_INVALID(ATE)``. In addition to not making sense - the documentation has never been correct. * Add 2FA Validity Window so an application can configure how often the second factor has to be entered. * Add HTML5 Email input types to email fields. - Refresh no-mongodb.patch - Drop patches: * no-setup-dependencies.patch * fix-dependencies.patch * 0001-Do-not-raise-a-TypeError-exception-if-phone.data-is-.patch - Add patch use-pyqrcodeng.patch: * Use pyqrcodeng rather than pyqrcode. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask-Security-Too?expand=0&rev=14	2022-02-28 06:21:54 +00:00
Antonio Larrosa	74db06d2d0	Accepting request 900215 from home:alarrosa:branches:devel:languages:python:flask - Update to 3.4.5 * Security Vulnerability Fix. Two CSRF vulnerabilities were reported: qrcode and login. This release fixes the more severe of the 2 - the /login vulnerability. The QRcode issue has a much smaller risk profile since a) it is only for two-factor authentication using an authenticator app b) the qrcode is only available during the time the user is first setting up their authentication app. The QRcode issue has been fixed in 4.0. * Fixed - GET on /login and /change could return the callers authentication_token. This is a security concern since GETs don't have CSRF protection. This bug was introduced in 3.3.0. * Backwards Compatibility Concerns. Fix CSRF vulnerability on /login and /change that could return the callers authentication token. Now, callers can only get the authentication token on successful POST calls. - Update to 3.4.4 * Fix 3 regressions and a couple other bugs * Fixed - Basic Auth broken. When the unauthenticated handler was changed to provide a more uniform/consistent response - it broke using Basic Auth from a browser, since it always redirected rather than returning 401. Now, if the response headers contain WWW-Authenticate (which is set if basic @auth_required method is used), a 401 is returned. See below for backwards compatibility concerns. - As part of figuring out issue 359 - a redirect loop was found. In release 3.3.0 code was put in to redirect to :py:data:`SECURITY_POST_LOGIN_VIEW` when GET or POST was called and the caller was already authenticated. The method OBS-URL: https://build.opensuse.org/request/show/900215 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask-Security-Too?expand=0&rev=12	2021-07-08 06:18:37 +00:00
Tomáš Chvátal	f09a0096d0	- Update to 3.4.0: * (:pr:`257`) Support a unified sign in feature. Please see :ref:`unified-sign-in`. * (:pr:`265`) Add phone number validation class. This is used in both unified sign in as well as two-factor when using sms. * (:pr:`274`) Add support for 'freshness' of caller's authentication. This permits endpoints to be additionally protected by ensuring a recent authentication. * (:issue:`99`, :issue:`195`) Support pluggable password validators. Provide a default validator that offers complexity and breached support. * (:issue:`266`) Provide interface to two-factor send_token so that applications can provide error mitigation. Defaults to returning errors if can't send the verification code. * (:pr:`247`) Updated all-inclusive data models (fsqlaV2). Add fields necessary for the new unified sign in feature and changed 'username' to be unique (but not required). * (:pr:`245`) Use fs_uniquifier as the default Flask-Login 'alternative token'. Basically this means that changing the fs_uniquifier will cause outstanding auth tokens, session and remember me cookies to be invalidated. So if an account gets compromised, an admin can easily stop access. Prior to this cookies were storing the 'id' which is the user's primary key - difficult to change! (kishi85) - Enable the testing - Add patch to not require mongodb during testing: * no-mongodb.patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask-Security-Too?expand=0&rev=3	2020-04-05 08:37:47 +00:00

Author

SHA256

Message

Date

Steve Kowalik

0d52f70841

- Update to 4.1.2:

* default_reauthn_handler doesn't honor SECURITY_URL_PREFIX
  * Add public API and CLI command to change a user's password.
  * Add type hints. Please note that many of the packages that flask-security
  * Add first-class support for using username for signing in.
  * Possible open redirect vulnerability.
  * Improve cookie handling and default ``samesite`` to ``Strict``.
  * Email validation confusion - added documentation.
  * Add documentation on how to override specific error messages.
  * Don't install global-scope tests.
  * Add Blinker as explicit dependency, improve/fix celery usage docs,
    don't require pyqrcode unless authenticator configured, improve SMS
    configuration variables documentation.
  * Your UserModel must contain ``fs_uniquifier``
  * Removal of python 2.7 and <3.6 support
  * Remove two-factor `/tf-confirm` endpoint and use generic `freshness`
    mechanism.
  * Remove ``SECURITY_BACKWARDS_COMPAT_AUTH_TOKEN_INVALID(ATE)``. In
    addition to not making sense - the documentation has never been correct.
  * Add 2FA Validity Window so an application can configure how often the
    second factor has to be entered.
  * Add HTML5 Email input types to email fields.
- Refresh no-mongodb.patch
- Drop patches:
  * no-setup-dependencies.patch
  * fix-dependencies.patch
  * 0001-Do-not-raise-a-TypeError-exception-if-phone.data-is-.patch
- Add patch use-pyqrcodeng.patch:
  * Use pyqrcodeng rather than pyqrcode.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask-Security-Too?expand=0&rev=14

2022-02-28 06:21:54 +00:00

Antonio Larrosa

74db06d2d0

Accepting request 900215 from home:alarrosa:branches:devel:languages:python:flask

- Update to 3.4.5
  * Security Vulnerability Fix. Two CSRF vulnerabilities were
    reported: qrcode and login. This release fixes the more severe
    of the 2 - the /login vulnerability. The QRcode issue has a
    much smaller risk profile since a) it is only for two-factor
    authentication using an authenticator app b) the qrcode is only
    available during the time the user is first setting up their
    authentication app. The QRcode issue has been fixed in 4.0.
  * Fixed
    - GET on /login and /change could return the callers
      authentication_token. This is a security concern since GETs
      don't have CSRF protection. This bug was introduced in 3.3.0.
  * Backwards Compatibility Concerns. Fix CSRF vulnerability on
    /login and /change that could return the callers authentication
    token. Now, callers can only get the authentication token on
    successful POST calls.
- Update to 3.4.4
  * Fix 3 regressions and a couple other bugs
  * Fixed
    - Basic Auth broken. When the unauthenticated handler was
      changed to provide a more uniform/consistent response - it
      broke using Basic Auth from a browser, since it always
      redirected rather than returning 401. Now, if the response
      headers contain WWW-Authenticate (which is set if basic
      @auth_required method is used), a 401 is returned. See below
      for backwards compatibility concerns.
    - As part of figuring out issue 359 - a redirect loop was
      found. In release 3.3.0 code was put in to redirect to
      :py:data:`SECURITY_POST_LOGIN_VIEW` when GET or POST was
      called and the caller was already authenticated. The method

OBS-URL: https://build.opensuse.org/request/show/900215
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask-Security-Too?expand=0&rev=12

2021-07-08 06:18:37 +00:00

Tomáš Chvátal

f09a0096d0

- Update to 3.4.0:

* (:pr:`257`) Support a unified sign in feature. Please see :ref:`unified-sign-in`.
  * (:pr:`265`) Add phone number validation class. This is used in both unified sign in as well as two-factor when using sms.
  * (:pr:`274`) Add support for 'freshness' of caller's authentication. This permits endpoints to be additionally protected by ensuring a recent authentication.
  * (:issue:`99`, :issue:`195`) Support pluggable password validators. Provide a default validator that offers complexity and breached support.
  * (:issue:`266`) Provide interface to two-factor send_token so that applications can provide error mitigation. Defaults to returning errors if can't send the verification code.
  * (:pr:`247`) Updated all-inclusive data models (fsqlaV2). Add fields necessary for the new unified sign in feature and changed 'username' to be unique (but not required).
  * (:pr:`245`) Use fs_uniquifier as the default Flask-Login 'alternative token'. Basically this means that changing the fs_uniquifier will cause outstanding auth tokens, session and remember me cookies to be invalidated. So if an account gets compromised, an admin can easily stop access. Prior to this cookies were storing the 'id' which is the user's primary key - difficult to change! (kishi85)
- Enable the testing
- Add patch to not require mongodb during testing:
  * no-mongodb.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask-Security-Too?expand=0&rev=3

2020-04-05 08:37:47 +00:00

3 Commits