Flask-Security
==============

Latest version: v5.6.1


5.6.1
-----

Released March 18, 2025

Fixes
+++++
- (:issue:`1077`) Fix runtime modification of a config string (TWO_FACTOR_METHODS)
- (:issue:`1078`) Fix CLI user_create when model doesn't contain username
- (:issue:`1076`) xxx_util_cls instances should be public and documented.

Backwards Compatibility Concerns
+++++++++++++++++++++++++++++++++
As part of :issue:`1076` the following cleanup was done:

- The xxx_util_cls arguments are now stored in 'private' instance variables; they are never
  used after Flask-Security initialization and have never been documented.
- The xxx_util_cls options should only be set as part of Flask-Security construction.
  Setting them via init_app(kwargs) or app.config["SECURITY_XX"] has been deprecated.

5.6.0
-----

Released February 12, 2025

Features & Improvements
+++++++++++++++++++++++
- (:issue:`1038`) Add support for 'secret_key' rotation (jamesejr)
- (:issue:`980`) Add support for username recovery in simple login flows (jamesejr)
- (:issue:`1055`) Add support for changing username
- (:pr:`1048`) Add support for Python 3.13
- (:issue:`1043`) Unify Register forms (and split out the re-type password option). Please read :ref:`register_form_migration`.

Fixes
+++++
- (:pr:`1062`) Fix duplicate HTML ids in templates.
- (:pr:`1067`) Fix more duplicate HTML ids in templates.
- (:issue:`1064`) Ensure templates pass W3C validation (see below)

Docs and Chores
+++++++++++++++
- (:pr:`1052`) Remove deprecated TWO_FACTOR configuration variables
- (:pr:`1069`) Update ES and IT translations (gissimo)
- (:pr:`1071`) Improve templates: two-factor is hyphenated, re-authenticate is not.
  Also try to embed links into translatable strings.

Notes
+++++
Python 3.13 removed the ``crypt`` module, which passlib attempts to import and use in
its safe_crypt() method (falling back to returning None).
However, that method only appears to be called by a few crypt handlers and,
for bcrypt, only by the built-in bcrypt backend, not when the bcrypt package is installed.
passlib is not maintained; a new fork (10/1/2024) (https://pypi.org/project/libpass/)
seems promising and has been tested with Python 3.13 and Flask-Security. If that fork matures we will
change the dependencies accordingly.

The register forms have been combined - or more accurately - there is a new RegisterFormV2
that subsumes the features of both the old RegisterForm and ConfirmRegisterForm.
Please read :ref:`register_form_migration`.

The SECURITY_TWO_FACTOR_{SECRET, URI_SERVICE_NAME, SMS_SERVICE, SMS_SERVICE_CONFIG} settings
have been removed (they had been deprecated for a while). Use the equivalent
:py:data:`SECURITY_TOTP_SECRETS`, :py:data:`SECURITY_TOTP_ISSUER`, :py:data:`SECURITY_SMS_SERVICE` and
:py:data:`SECURITY_SMS_SERVICE_CONFIG`.

Backwards Compatibility Concerns
+++++++++++++++++++++++++++++++++
The fixes to all the templates to pass W3C validation could introduce some incompatibilities:

- All templates now have a default <title> - before, the <title> element was empty.
- The HTML id of the rescue form submit button was changed to 'rescue'
- The HTML id of the webauthn delete form name field was changed to 'delete-name'
- Some template headings were changed to improve consistency
- The csrf_token HTML id was changed on us_setup.html, wan_register.html, two_factor_setup.html,
  two_factor_verify_code.html, us_verify.html and verify.html for the second form on the page.
- On us_setup.html and two_factor_setup.html the submit code button HTML id was changed.

5.5.2
-----

Released August 5, 2024

More attempts to upload both flask-security and flask-security-too to PyPI.
No code changes; however, the build manifest changed, so the source distribution
contents might be slightly different.

Docs and Chores
+++++++++++++++
- (:pr:`1019`) Separate publish workflows for each PyPI package

5.5.1
-----

Released August 1, 2024

I am pleased to announce that Flask-Security-Too is now part of pallets-eco and is once again
released as 'Flask-Security'. For the foreseeable future, we will publish the same release to both
Flask-Security and Flask-Security-Too on PyPI.

There are no code changes.

Docs and Chores
+++++++++++++++
- (:pr:`1015`) Convert docs, links, badges, etc to pallets-eco

5.5.0
-----

Released July 24, 2024

Features & Improvements
+++++++++++++++++++++++
- (:issue:`956`) Add support for changing registered user's email (:py:data:`SECURITY_CHANGE_EMAIL`).
- (:issue:`944`) Change default password hash to argon2 (was bcrypt). See below for details.
- (:pr:`990`) Add freshness capability to auth tokens (enables /us-setup to function w/ just auth tokens).
- (:pr:`991`) Add support to /tf-setup to not require sessions (use a state token).
- (:issue:`994`) Add support for Flask-SQLAlchemy-Lite, including new all-inclusive models
  that conform to the latest sqlalchemy best practice (type-annotated).
- (:pr:`1007`) Convert other sqlalchemy-based datastores from legacy 'model.query' to best-practice 'select'
- (:issue:`983`) Allow applications more flexibility defining allowable redirects.

Fixes
+++++
- (:pr:`972`) Set :py:data:`SECURITY_CSRF_COOKIE` at the beginning (GET /login) of the authentication
  ritual, just as we return the CSRF token. (thanks e-goto)
- (:issue:`973`) login and unified sign in should handle GET for authenticated user consistently.
- (:pr:`995`) Don't show sms options if not defined in US_ENABLED_METHODS. (fredipevcin)
- (:pr:`1009`) Change :py:data:`SECURITY_DEPRECATED_HASHING_SCHEMES` to ``["auto"]``.

Docs and Chores
+++++++++++++++
- (:pr:`979`) Update Russian translations (ademaro)
- (:pr:`1004`) Update ES and IT translations (gissimo)
- (:pr:`981` and :pr:`977`) Improve docs
- (:pr:`992`) The long deprecated ``get_token_status`` is no longer exported
- (:pr:`992`) Drop Python 3.8 support.
- (:issue:`1001`) Try a different approach to typing User and Role models.

Backwards Compatibility Concerns
+++++++++++++++++++++++++++++++++
- Notes around the change to argon2 as the default password hash:

  - Applications should add the argon2_cffi package to their requirements (it is included in the flask_security[common] extras).
  - Leave bcrypt installed so that old passwords still work.
  - The default configuration will re-hash passwords with argon2 upon first use.

- Changes to /tf-setup

  The old path, using state set in the session, still works as before. The new path is
  just for the case where an authenticated user wants to change their 2FA setup.

- Changes to sqlalchemy-based datastores

  Flask-Security no longer uses the legacy model.query; all DB access is done via
  ``select(xx).where(xx)``. As a result the find_user() method now only takes a SINGLE
  column:value from its kwargs; in prior releases all kwargs were passed into query.filter.

5.4.3
-----

Released March 23, 2024

Fixes
+++++
- (:issue:`950`) Regression - some templates no longer getting correct config (thanks pete7863).
- (:issue:`954`) CSRF not properly ignored for application forms using :py:data:`SECURITY_CSRF_PROTECT_MECHANISMS`.
- (:pr:`957`) Improve jp translations (e-goto)
- (:issue:`959`) Regression - datetime_factory should still be an attribute (thanks TimotheeJeannin)
- (:issue:`942`) :py:data:`SECURITY_RETURN_GENERIC_RESPONSES` hid email validation/syntax errors.
