* Fix 2 Flask apps in same thread with USERNAME_ENABLE set. There was a
too aggressive config check.
* Fix json/flask backwards compatibility hack.
* Fix unified signup when two-factor not enabled. (sebdroid)
* Add dependency on setuptools (pkg_resources). (hroncok)
* Option to encrypt recovery codes.
* Support for authentication via 'social' oauth.
* Support for Python 3.11
* Fixes for Flask-SQLAlchemy 3.0.0. (jrast)
* Fixes for sqlalchemy 2.0.0 (jrast)
* Webauthn and Unified signin features now properly take into account
blueprint prefixes.
* Properly propagate ?next=/xx - the verify, webauthn, and unified signin
endpoints, that had multiple redirects, needed fixes.
* Two factor redirects ignored url_prefix. Added a
SECURITY_TWO_FACTOR_ERROR_VIEW configuration option.
* Add configurations for static folder/URL and make sure templates
reference blueprint relative static folder.
* Send entire context to MailUtil::send_mail (patrickyan)
* Support for Flask-Babel 3.0.0
* Add configuration option SECURITY_TWO_FACTOR_POST_SETUP_VIEW which is
redirected to upon successful change of a two factor method.
* The ability to pass in a LoginManager instance which was deprecated in
5.0 has been removed.
- Drop patch support-Flask-SQLAlchemy-3.0.patch, now included upstream.
- Refresh all other patches.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask-Security-Too?expand=0&rev=27
* Role permissions backwards compatibility bug.
* Fix Change Password regression.
* Support for WebAuthn.
* Support Two-factor recovery codes.
* Provide option to prevent user enumeration (i.e. Generic Responses).
* Support for Python 3.10.
* Support for Flask >= 2.2.
* Add custom HTML attributes to improve user experience.
* Make the required zxcvbn complexity score configurable.
* Get rid of Flask-Mail. Flask-Mailman is now the default preferred email
package.
* A delete option has been added to us-setup (form and view).
* Improve username support - the LoginForm now has a separate field for
username.
* Fix test and other failures with newer Flask-Login/Werkzeug versions.
* Fix test failures with newer Flask versions.
- Drop patch endswith-assert.patch:
* Included upstream.
- Rebase patches no-mongodb.patch and use-pyqrcodeng.patch
- Update {Build,}Requires versions.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask-Security-Too?expand=0&rev=23
* default_reauthn_handler doesn't honor SECURITY_URL_PREFIX
* Add public API and CLI command to change a user's password.
* Add type hints. Please note that many of the packages that flask-security
* Add first-class support for using username for signing in.
* Possible open redirect vulnerability.
* Improve cookie handling and default ``samesite`` to ``Strict``.
* Email validation confusion - added documentation.
* Add documentation on how to override specific error messages.
* Don't install global-scope tests.
* Add Blinker as explicit dependency, improve/fix celery usage docs,
don't require pyqrcode unless authenticator configured, improve SMS
configuration variables documentation.
* Your UserModel must contain ``fs_uniquifier``
* Removal of python 2.7 and <3.6 support
* Remove two-factor `/tf-confirm` endpoint and use generic `freshness`
mechanism.
* Remove ``SECURITY_BACKWARDS_COMPAT_AUTH_TOKEN_INVALID(ATE)``. In
addition to not making sense - the documentation has never been correct.
* Add 2FA Validity Window so an application can configure how often the
second factor has to be entered.
* Add HTML5 Email input types to email fields.
- Refresh no-mongodb.patch
- Drop patches:
* no-setup-dependencies.patch
* fix-dependencies.patch
* 0001-Do-not-raise-a-TypeError-exception-if-phone.data-is-.patch
- Add patch use-pyqrcodeng.patch:
* Use pyqrcodeng rather than pyqrcode.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask-Security-Too?expand=0&rev=14
- Update to 3.4.5
* Security Vulnerability Fix. Two CSRF vulnerabilities were
reported: qrcode and login. This release fixes the more severe
of the 2 - the /login vulnerability. The QRcode issue has a
much smaller risk profile since a) it is only for two-factor
authentication using an authenticator app b) the qrcode is only
available during the time the user is first setting up their
authentication app. The QRcode issue has been fixed in 4.0.
* Fixed
- GET on /login and /change could return the callers
authentication_token. This is a security concern since GETs
don't have CSRF protection. This bug was introduced in 3.3.0.
* Backwards Compatibility Concerns. Fix CSRF vulnerability on
/login and /change that could return the callers authentication
token. Now, callers can only get the authentication token on
successful POST calls.
- Update to 3.4.4
* Fix 3 regressions and a couple other bugs
* Fixed
- Basic Auth broken. When the unauthenticated handler was
changed to provide a more uniform/consistent response - it
broke using Basic Auth from a browser, since it always
redirected rather than returning 401. Now, if the response
headers contain WWW-Authenticate (which is set if basic
@auth_required method is used), a 401 is returned. See below
for backwards compatibility concerns.
- As part of figuring out issue 359 - a redirect loop was
found. In release 3.3.0 code was put in to redirect to
:py:data:`SECURITY_POST_LOGIN_VIEW` when GET or POST was
called and the caller was already authenticated. The method
OBS-URL: https://build.opensuse.org/request/show/900215
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask-Security-Too?expand=0&rev=12
- Update to 3.4.2:
* The flask-security repo was moved to a github organization
Flask-Middleware.
- Update to 3.4.1:
* Fix a bunch of bugs in new unified sign in along with a couple
other major issues.
* (:issue:`298`) Alternative ID feature ran afoul of
postgres/psycopg2 finickiness.
* (:issue:`300`) JSON 401 responses had WWW-Authenticate Header
attached - that caused browsers to pop up their own login/password
form. Not what applications want.
* (:issue:`280`) Allow admin/api to setup TFA (and unified sign in)
out of band. Please see :meth:`.UserDatastore.tf_set`,
:meth:`.UserDatastore.tf_reset`, :meth:`.UserDatastore.us_set`,
:meth:`.UserDatastore.us_reset` and
:meth:`.UserDatastore.reset_user_access`.
* (:pr:`305`) We used form._errors which wasn't very pythonic,
and it was removed in WTForms 2.3.0.
* (:pr:`310`) WTForms 2.3.0 made email_validator optional,
we need it.
- Added Requires python-bcrypt and python-email_validator,
Recommends python-PyQRCode, python-SQLAlchemy, python-zxcvbn
and Suggests python-argon2_cffi and python-phonenumbers
* (:pr:`257`) Support a unified sign in feature.
Please see :ref:`unified-sign-in`.
* (:pr:`265`) Add phone number validation class. This is used in
both unified sign in as well as two-factor when using sms.
* (:pr:`274`) Add support for 'freshness' of caller's authentication.
This permits endpoints to be additionally protected by ensuring a
OBS-URL: https://build.opensuse.org/request/show/801217
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask-Security-Too?expand=0&rev=5
* (:pr:`257`) Support a unified sign in feature. Please see :ref:`unified-sign-in`.
* (:pr:`265`) Add phone number validation class. This is used in both unified sign in as well as two-factor when using sms.
* (:pr:`274`) Add support for 'freshness' of caller's authentication. This permits endpoints to be additionally protected by ensuring a recent authentication.
* (:issue:`99`, :issue:`195`) Support pluggable password validators. Provide a default validator that offers complexity and breached support.
* (:issue:`266`) Provide interface to two-factor send_token so that applications can provide error mitigation. Defaults to returning errors if can't send the verification code.
* (:pr:`247`) Updated all-inclusive data models (fsqlaV2). Add fields necessary for the new unified sign in feature and changed 'username' to be unique (but not required).
* (:pr:`245`) Use fs_uniquifier as the default Flask-Login 'alternative token'. Basically this means that changing the fs_uniquifier will cause outstanding auth tokens, session and remember me cookies to be invalidated. So if an account gets compromised, an admin can easily stop access. Prior to this cookies were storing the 'id' which is the user's primary key - difficult to change! (kishi85)
- Enable the testing
- Add patch to not require mongodb during testing:
* no-mongodb.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask-Security-Too?expand=0&rev=3
