./www/py-flask-security-too, Simple security for Flask apps

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 5.4.3, Package name: py311-flask-security-too-5.4.3, Maintainer: pkgsrc-user

Flask-Security allows you to quickly add common security mechanisms
to your Flask application.

This is a independently maintained version of Flask-Security based on
the 3.0.0 version of the Original.


Master sites:

Filesize: 636.941 KB

Version history: (Expand)


CVS history: (Expand)


   2024-04-19 11:19:48 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-flask-security-too: updated to 5.4.3

Version 5.4.3

Fixes

- (:issue:`950`) Regression - some templates no longer getting correct config \ 
(thanks pete7863).
- (:issue:`954`) CSRF not properly ignored for application forms using \ 
SECURITY_CSRF_PROTECT_MECHANISMS.
- (:pr:`957`) Improve jp translations (e-goto)
- (:issue:`959`) Regression - datetime_factory should still be an attribute \ 
(thanks TimotheeJeannin)
- (:issue:`942`) GENERIC_RESPONSES hide email validation/syntax errors.

Version 5.4.2

Fixes

- (:issue:`946`) OpenAPI spec missing.
- (:pr:`945`) Doc fixes (e-goto)
- (:pr:`941`) Update ES/IT translations (gissimo)

Version 5.4.0 & 5.4.1

Among other changes, this continues the process of dis-entangling Flask-Security
from Flask-Login and may require some application changes due to backwards \ 
incompatible changes.

Features & Improvements

- (:issue:`879`) Work with Flask[async]. view decorators and signals support \ 
async handlers.
- (:pr:`900`) CI support for python 3.12
- (:pr:`901`) Work with py_webauthn 2.0 (and only 2.0+)
- (:pr:`899`) Improve (and simplify) Two-Factor setup. See below for backwards \ 
compatability issues and new functionality.
- (:issue:`912`) Improve oauth debugging support. Handle next propagation in a \ 
more general way.
- (:pr:`877`) Make AnonymousUser (Flask-Login) optional and deprecated.
- (:pr:`906`) Remove undocumented and untested looking in session for possible 'next'
  redirect location.
- (:pr:`881`) No longer rely on Flask-Login.unauthorized callback. See below for \ 
implications.
- (:issue:`904`) Changes to default unauthorized handler - remove use of \ 
referrer header (see below) and document precise behavior.
- (:pr:`927`) The authentication_token format has changed - adding per-token \ 
expiry time and future session ID.
  Old tokens are still accepted.
   2024-02-12 06:25:03 by Mark Davies | Files touched by this commit (3) | Package updated
Log message:
py-flask-security-too: update to 5.3.3

Version 5.3.3
-------------

Fixes
+++++
- Once again work on open-redirect vulnerability - this time due to newer
  Werkzeug.

Version 5.3.2
-------------

Fixes
++++++
- Update Quickstart to show how to properly handle SQLAlchemy connections.
- Auth Token not returned from /tf-validate. (thanks lilz-egoto)
- Fix for latest email_validator deprecation - bump minimum to 2.0.0
- Deprecate passing in the anonymous_user class (sent to Flask-Login).

Version 5.3.1
-------------

**Please Note:**
- If your application uses webauthn you must use pydantic < 2.0
  until the issue with user_handle is resolved.
- If you want to use the latest Flask (3.0.0) you need to have Flask-Login
  changes - those aren't currently released - use the 'main' branch.

Fixes
++++++
- Compatability with Flask 3.0 (wangsha)
- Revert change in 5.3.0 that added a Referrer-Policy header.
- Fix error in quickstart (codycollier)
- Update Armenian translations (amkrtchyan-tmp)
- Update German translations. (sr-verde)
- Fix 'next' propagation when passed as form.next (thanks cariaso)

Version 5.3.0
-------------
This is a minor version bump due to some small backwards incompatible
changes to WebAuthn, recoverability (/reset), confirmation (/confirm)
and the two factor validity feature.

Fixes
++++++
- Webauthn Updates to handling of transport.
- Fix MongoDB support by eliminating dependency on flask-mongoengine.
  Improve MongoDB quickstart.
- Fix Quickstart for SQLAlchemy with scoped session.
- Login no longer, by default, checks for email deliverability.
- Token authentication is no longer accepted on endpoints which only allow
  'session' as authentication-method. (N247S)
- /reset and /confirm and GENERIC_RESPONSES and additional form args don't mix.
- Reset password can be exploited and other OWASP improvements.
- Confirmation can be exploited and other OWASP improvements.
- Convert to pyproject.toml, build, remove setup.py/.cfg.
- the tf_validity feature now ONLY sets a cookie - and the token is no longer
  returned as part of a JSON response.
- Fix login/unified signin templates to properly send CSRF token. Add more tests.
- Improve Social Oauth example code.

Backwards Compatibility Concerns
+++++++++++++++++++++++++++++++++

- To align with the W3C WebAuthn Level2 and 3 spec - transports are now
  part of the registration response.  This has been changed BOTH in the
  server code (using webauthn data structures) as well as the sample
  javascript code. If an application has their own javascript front end
  code - it might need to be changed.
- The tf_validity feature :py:data:`SECURITY_TWO_FACTOR_ALWAYS_VALIDATE`
  used to set a cookie if the request was form based, and return the token
  as part of a JSON response. Now, this feature is ONLY cookie based and
  the token is no longer returned as part of any response.
- Reset password was changed to adhere to OWASP recommendations and reduce
  possible exploitation:
  - A new email (with new token) is no longer sent upon expired token. Users
    must restart the reset password process.
  - The user is no longer automatically logged in upon successful password
    reset. For backwards compatibility :py:data:`SECURITY_AUTO_LOGIN_AFTER_RESET`
    can be set to ``True``.  Note that this compatibility feature is deprecated
    and will be removed in a future release.
  - Identity information (identity, email) is no longer sent as part of the
    URL redirect query params.
  - The SECURITY_MSG_PASSWORD_RESET_EXPIRED message no longer contains the
    user's identity/email.
  - The default for :py:data:`SECURITY_RESET_PASSWORD_WITHIN` has been changed
    from `5 days` to `1 days`.
  - The response to GET /reset/<token> sets the HTTP header `Referrer-Policy`
    to `no-referrer` as suggested by OWASP.
    *PLEASE NOTE: this was backed out in 5.3.1*
- Confirm email was changed to adhere to OWASP recommendations and reduce
  possible exploitation:
  - A new email (with new token) is no longer sent upon expired token. Users
    must restart the confirmation process.
  - Identity information (identity, email) is no longer sent as part of the
    URL redirect query params.
  - The :py:data:`SECURITY_AUTO_LOGIN_AFTER_CONFIRM` configuration variable
    now defaults to ``False`` - meaning after a successful email confirmation,
    the user must still sign in using the usual mechanisms. This is to align
    better with OWASP best practices. Setting it to ``True`` will restore
    prior behavior.
  - The SECURITY_MSG_CONFIRMATION_EXPIRED message no longer contains the
    user's identity/email.
  - The response to GET /reset/<token> sets the HTTP header `Referrer-Policy`
    to `no-referrer` as suggested by OWASP.
    *PLEASE NOTE: this was backed out in 5.3.1*
   2023-08-02 01:20:57 by Thomas Klausner | Files touched by this commit (158)
Log message:
*: remove more references to Python 3.7
   2023-06-06 14:42:56 by Taylor R Campbell | Files touched by this commit (1319)
Log message:
Mass-change BUILD_DEPENDS to TOOL_DEPENDS outside mk/.

Almost all uses, if not all of them, are wrong, according to the
semantics of BUILD_DEPENDS (packages built for target available for
use _by_ tools at build-time) and TOOL_DEPEPNDS (packages built for
host available for use _as_ tools at build-time).

No change to BUILD_DEPENDS as used correctly inside buildlink3.

As proposed on tech-pkg:
https://mail-index.netbsd.org/tech-pkg/2023/06/03/msg027632.html
   2023-06-04 02:02:53 by Mark Davies | Files touched by this commit (4)
Log message:
py-flask-security-too: add version 5.2.0

Flask-Security allows you to quickly add common security mechanisms
to your Flask application.

This is a independently maintained version of Flask-Security based on
the 3.0.0 version of the Original.