python-Flask-Security-Too/python-Flask-Security-Too.changes

-------------------------------------------------------------------
Tue Jun 15 16:37:41 UTC 2021 - Antonio Larrosa <alarrosa@suse.com>

- Update to 3.4.5
  * Security Vulnerability Fix. Two CSRF vulnerabilities were
    reported: qrcode and login. This release fixes the more severe
    of the 2 - the /login vulnerability. The QRcode issue has a
    much smaller risk profile since a) it is only for two-factor
    authentication using an authenticator app b) the qrcode is only
    available during the time the user is first setting up their
    authentication app. The QRcode issue has been fixed in 4.0.
  * Fixed
    - GET on /login and /change could return the callers
      authentication_token. This is a security concern since GETs
      don't have CSRF protection. This bug was introduced in 3.3.0.
  * Backwards Compatibility Concerns. Fix CSRF vulnerability on
    /login and /change that could return the callers authentication
    token. Now, callers can only get the authentication token on
    successful POST calls.

- Update to 3.4.4
  * Fix 3 regressions and a couple other bugs
  * Fixed
    - Basic Auth broken. When the unauthenticated handler was
      changed to provide a more uniform/consistent response - it
      broke using Basic Auth from a browser, since it always
      redirected rather than returning 401. Now, if the response
      headers contain WWW-Authenticate (which is set if basic
      @auth_required method is used), a 401 is returned. See below
      for backwards compatibility concerns.
    - As part of figuring out issue 359 - a redirect loop was
      found. In release 3.3.0 code was put in to redirect to
      :py:data:`SECURITY_POST_LOGIN_VIEW` when GET or POST was
      called and the caller was already authenticated. The method
      used would honor the request next query parameter. This could
      cause redirect loops. The pre-3.3.0 behavior of redirecting
      to :py:data:`SECURITY_POST_LOGIN_VIEW` and ignoring the next
      parameter has been restored.
    - Fix peewee. Turns out - due to lack of unit tests - peewee
      hasn't worked since 'permissions' were added in 3.3.
      Furthermore, changes in 3.4 around get_id and alternative
      tokens also didn't work since peewee defines its own get_id
      method.
  * Compatibility Concerns. In 3.3.0, flask_security.auth_required
    was changed to add a default argument if none was given. The
    default include all current methods - session, token, and
    basic. However basic really isn't like the others and requires
    that we send back a WWW-Authenticate header if authentication
    fails (and return a 401 and not redirect). basic has been
    removed from the default set and must once again be explicitly
    requested.
- Rebase patch to remove another case where mongo is used:
  * no-mongodb.patch
- Rebase patch to fix context:
  * fix-dependencies.patch
- Add patch to fix failed tests (so an exception is not
  raised if phone.data is None). Submitted upstream at
  gh#Flask-Middleware/flask-security#495:
  * 0001-Do-not-raise-a-TypeError-exception-if-phone.data-is-.patch

-------------------------------------------------------------------
Wed Jul  1 10:13:03 UTC 2020 - Marketa Calabkova <mcalabkova@suse.com>

- Update to 3.4.3
  * Minor fixes for a regression and a couple other minor changes

-------------------------------------------------------------------
Thu May 14 07:12:48 UTC 2020 - Antonio Larrosa <alarrosa@suse.com>

- Decrease dependencies which aren't really required so we can build
  in SLE/Leap:
  * Werkzeug 0.15.5 requirement decreased to 0.14.1
  * cryptography 2.3.1 requirement decreased to 2.1.4
  * bcrypt 3.1.5 requirement decreased to 3.1.4
  * peewee 3.11.2 requirement decreased to 3.7.1
  * Remove python-pony requirement
- Add patch that applies previous dependency changes:
  * fix-dependencies.patch

-------------------------------------------------------------------
Thu May 14 06:27:54 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Add patch to not pull in babel/twine/pytest-runner as
  upstream needs those but we really don't require them during
  a rpm build:
  * no-setup-dependencies.patch

-------------------------------------------------------------------
Thu May  7 10:42:20 UTC 2020 - Antonio Larrosa <alarrosa@suse.com>

- Update to 3.4.2:
  * The flask-security repo was moved to a github organization
    Flask-Middleware.

- Update to 3.4.1:
  * Fix a bunch of bugs in new unified sign in along with a couple
    other major issues.
  * (:issue:`298`) Alternative ID feature ran afoul of
    postgres/psycopg2 finickiness.
  * (:issue:`300`) JSON 401 responses had WWW-Authenticate Header
    attached - that caused browsers to pop up their own login/password
    form. Not what applications want.
  * (:issue:`280`) Allow admin/api to setup TFA (and unified sign in)
    out of band. Please see :meth:`.UserDatastore.tf_set`,
    :meth:`.UserDatastore.tf_reset`, :meth:`.UserDatastore.us_set`,
    :meth:`.UserDatastore.us_reset` and
    :meth:`.UserDatastore.reset_user_access`.
  * (:pr:`305`) We used form._errors which wasn't very pythonic,
    and it was removed in WTForms 2.3.0.
  * (:pr:`310`) WTForms 2.3.0 made email_validator optional,
    we need it.

- Added Requires python-bcrypt and python-email_validator,
  Recommends python-PyQRCode, python-SQLAlchemy, python-zxcvbn
  and Suggests python-argon2_cffi and python-phonenumbers

-------------------------------------------------------------------
Sun Apr  5 07:58:15 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Update to 3.4.0:
  * (:pr:`257`) Support a unified sign in feature.
    Please see :ref:`unified-sign-in`.
  * (:pr:`265`) Add phone number validation class. This is used in
    both unified sign in as well as two-factor when using sms.
  * (:pr:`274`) Add support for 'freshness' of caller's authentication.
    This permits endpoints to be additionally protected by ensuring a
    recent authentication.
  * (:issue:`99`, :issue:`195`) Support pluggable password validators.
    Provide a default validator that offers complexity and breached support.
  * (:issue:`266`) Provide interface to two-factor send_token so that
    applications can provide error mitigation. Defaults to returning
    errors if can't send the verification code.
  * (:pr:`247`) Updated all-inclusive data models (fsqlaV2). Add
    fields necessary for the new unified sign in feature and changed
    'username' to be unique (but not required).
  * (:pr:`245`) Use fs_uniquifier as the default Flask-Login
    'alternative token'. Basically this means that changing the
    fs_uniquifier will cause outstanding auth tokens, session and
    remember me cookies to be invalidated. So if an account gets
    compromised, an admin can easily stop access. Prior to this cookies
    were storing the 'id' which is the user's primary key - difficult
    to change! (kishi85)
- Enable the testing
- Add patch to not require mongodb during testing:
  * no-mongodb.patch

-------------------------------------------------------------------
Tue Mar 24 15:35:47 UTC 2020 - Antonio Larrosa <alarrosa@suse.com>

- Initial release of python-Flask-Security-Too 3.3.0