Subject: CVS commit: pkgsrc/www/py-flask-security-too
From: Mark Davies
Date: 2024-02-12 06:25:03
Message id: 20240212052503.7869AF9AA@cvs.NetBSD.org
Log Message:
py-flask-security-too: update to 5.3.3
Version 5.3.3
-------------
Fixes
+++++
- Once again work on open-redirect vulnerability - this time due to newer
Werkzeug.
Version 5.3.2
-------------
Fixes
++++++
- Update Quickstart to show how to properly handle SQLAlchemy connections.
- Auth Token not returned from /tf-validate. (thanks lilz-egoto)
- Fix for latest email_validator deprecation - bump minimum to 2.0.0
- Deprecate passing in the anonymous_user class (sent to Flask-Login).
Version 5.3.1
-------------
**Please Note:**
- If your application uses webauthn you must use pydantic < 2.0
until the issue with user_handle is resolved.
- If you want to use the latest Flask (3.0.0) you need to have Flask-Login
changes - those aren't currently released - use the 'main' branch.
Fixes
++++++
- Compatibility with Flask 3.0 (wangsha)
- Revert change in 5.3.0 that added a Referrer-Policy header.
- Fix error in quickstart (codycollier)
- Update Armenian translations (amkrtchyan-tmp)
- Update German translations. (sr-verde)
- Fix 'next' propagation when passed as form.next (thanks cariaso)
Version 5.3.0
-------------
This is a minor version bump due to some small backwards incompatible
changes to WebAuthn, recoverability (/reset), confirmation (/confirm)
and the two factor validity feature.
Fixes
++++++
- Webauthn Updates to handling of transport.
- Fix MongoDB support by eliminating dependency on flask-mongoengine.
Improve MongoDB quickstart.
- Fix Quickstart for SQLAlchemy with scoped session.
- Login no longer, by default, checks for email deliverability.
- Token authentication is no longer accepted on endpoints which only allow
'session' as authentication-method. (N247S)
- /reset and /confirm and GENERIC_RESPONSES and additional form args don't mix.
- Reset password can be exploited and other OWASP improvements.
- Confirmation can be exploited and other OWASP improvements.
- Convert to pyproject.toml, build, remove setup.py/.cfg.
- the tf_validity feature now ONLY sets a cookie - and the token is no longer
returned as part of a JSON response.
- Fix login/unified signin templates to properly send CSRF token. Add more tests.
- Improve Social Oauth example code.
Backwards Compatibility Concerns
+++++++++++++++++++++++++++++++++
- To align with the W3C WebAuthn Level2 and 3 spec - transports are now
part of the registration response. This has been changed BOTH in the
server code (using webauthn data structures) as well as the sample
javascript code. If an application has their own javascript front end
code - it might need to be changed.
- The tf_validity feature :py:data:`SECURITY_TWO_FACTOR_ALWAYS_VALIDATE`
used to set a cookie if the request was form based, and return the token
as part of a JSON response. Now, this feature is ONLY cookie based and
the token is no longer returned as part of any response.
- Reset password was changed to adhere to OWASP recommendations and reduce
  possible exploitation:

  - A new email (with new token) is no longer sent upon expired token. Users
    must restart the reset password process.
  - The user is no longer automatically logged in upon successful password
    reset. For backwards compatibility :py:data:`SECURITY_AUTO_LOGIN_AFTER_RESET`
    can be set to ``True``. Note that this compatibility feature is deprecated
    and will be removed in a future release.
  - Identity information (identity, email) is no longer sent as part of the
    URL redirect query params.
  - The SECURITY_MSG_PASSWORD_RESET_EXPIRED message no longer contains the
    user's identity/email.
  - The default for :py:data:`SECURITY_RESET_PASSWORD_WITHIN` has been changed
    from `5 days` to `1 days`.
  - The response to GET /reset/<token> sets the HTTP header `Referrer-Policy`
    to `no-referrer` as suggested by OWASP.
    *PLEASE NOTE: this was backed out in 5.3.1*

- Confirm email was changed to adhere to OWASP recommendations and reduce
  possible exploitation:

  - A new email (with new token) is no longer sent upon expired token. Users
    must restart the confirmation process.
  - Identity information (identity, email) is no longer sent as part of the
    URL redirect query params.
  - The :py:data:`SECURITY_AUTO_LOGIN_AFTER_CONFIRM` configuration variable
    now defaults to ``False`` - meaning after a successful email confirmation,
    the user must still sign in using the usual mechanisms. This is to align
    better with OWASP best practices. Setting it to ``True`` will restore
    prior behavior.
  - The SECURITY_MSG_CONFIRMATION_EXPIRED message no longer contains the
    user's identity/email.
  - The response to GET /reset/<token> sets the HTTP header `Referrer-Policy`
    to `no-referrer` as suggested by OWASP.
    *PLEASE NOTE: this was backed out in 5.3.1*
Files:
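The 5.3.0 notes above describe three settings that an application can flip back to pre-5.3.0 behaviour (auto-login after reset, auto-login after confirm, and a longer reset-token window). The following is an added example, not code from Flask-Security-Too or from pkgsrc: a small audit that overlays an application's explicit settings on the hardened 5.3.x defaults and reports every setting that reopens what the release closed. The `SECURITY_*` keys are the library's real setting names as quoted in the changelog; the `HARDENED_DEFAULTS` table, the `parse_within` helper, the checker and the two sample configurations are constructed for this example.

```python
"""Added example, not code from Flask-Security-Too or pkgsrc: audit an
application's Flask-Security settings against the OWASP-aligned 5.3.0
defaults listed in the changelog. The SECURITY_* keys are the library's
real setting names; HARDENED_DEFAULTS, the parser, the checker and the
sample configurations are constructed for this example."""
from datetime import timedelta

# Defaults as described for 5.3.0 (constructed here from the changelog text).
HARDENED_DEFAULTS = {
    "SECURITY_AUTO_LOGIN_AFTER_RESET": False,     # deprecated compat switch
    "SECURITY_AUTO_LOGIN_AFTER_CONFIRM": False,   # new default in 5.3.0
    "SECURITY_RESET_PASSWORD_WITHIN": "1 days",   # was "5 days"
}


def parse_within(value):
    """Turn a '<count> <unit>' window such as '5 days' into a timedelta.

    Assumption: the unit is a keyword that datetime.timedelta() accepts
    (days, hours, minutes, ...), which is how these settings are written.
    """
    count, unit = value.split()
    return timedelta(**{unit: int(count)})


def effective_config(app_config):
    """Overlay the application's explicit settings on the hardened defaults,
    so an unset key is judged by the 5.3.x default rather than by absence."""
    merged = dict(HARDENED_DEFAULTS)
    merged.update(app_config)
    return merged


def audit_security_config(app_config):
    """Return (setting, finding) pairs for every setting that reopens a
    behaviour 5.3.0 closed. An empty list means the hardened defaults hold."""
    cfg = effective_config(app_config)
    findings = []
    if cfg["SECURITY_AUTO_LOGIN_AFTER_RESET"]:
        findings.append((
            "SECURITY_AUTO_LOGIN_AFTER_RESET",
            "reset link logs the user in by itself; deprecated, removal planned",
        ))
    if cfg["SECURITY_AUTO_LOGIN_AFTER_CONFIRM"]:
        findings.append((
            "SECURITY_AUTO_LOGIN_AFTER_CONFIRM",
            "confirmation link logs the user in instead of requiring normal sign-in",
        ))
    window = parse_within(cfg["SECURITY_RESET_PASSWORD_WITHIN"])
    limit = parse_within(HARDENED_DEFAULTS["SECURITY_RESET_PASSWORD_WITHIN"])
    if window > limit:
        findings.append((
            "SECURITY_RESET_PASSWORD_WITHIN",
            f"reset token stays valid for {window}, longer than the {limit} default",
        ))
    return findings


# Constructed sample configurations for the audit.
LEGACY_CONFIG = {
    "SECURITY_AUTO_LOGIN_AFTER_RESET": True,
    "SECURITY_AUTO_LOGIN_AFTER_CONFIRM": True,
    "SECURITY_RESET_PASSWORD_WITHIN": "5 days",
}
HARDENED_CONFIG = {"SECURITY_RESET_PASSWORD_WITHIN": "12 hours"}


if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for key, finding in audit_security_config(conf) or [("-", "no findings")]:
            print(f"  {key}: {finding}")
```

Running the module prints three findings for the legacy configuration and none for the hardened one; the overlay in `effective_config` is what makes an application that sets nothing at all pass, since its behaviour is then the library's 5.3.x default.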