-------------
Released July 27, 2023

This is a minor version bump due to some small backwards-incompatible changes to
WebAuthn, recoverability (/reset), confirmation (/confirm) and the two-factor validity feature.

Fixes
++++++

- (:pr:`807`) WebAuthn: updates to the handling of transports.
- (:pr:`809`) Fix MongoDB support by eliminating the dependency on flask-mongoengine.
  Improve MongoDB quickstart.
- (:issue:`801`) Fix Quickstart for SQLAlchemy with scoped session.
- (:issue:`806`) Login no longer, by default, checks for email deliverability.
- (:issue:`791`) Token authentication is no longer accepted on endpoints which only allow
  'session' as authentication method. (N247S)
- (:issue:`814`) /reset and /confirm, GENERIC_RESPONSES and additional form args don't mix.
- (:issue:`281`) Reset password can be exploited and other OWASP improvements.
- (:pr:`817`) Confirmation can be exploited and other OWASP improvements.
- (:pr:`819`) Convert to pyproject.toml, build, remove setup.py/.cfg.
- (:pr:`823`) The tf_validity feature now ONLY sets a cookie - the token is no longer
  returned as part of a JSON response.
- (:pr:`825`) Fix login/unified signin templates to properly send the CSRF token. Add more tests.
- (:pr:`826`) Improve Social OAuth example code.
Backwards Compatibility Concerns
+++++++++++++++++++++++++++++++++

- To align with the W3C WebAuthn Level 2 and Level 3 specifications, transports are now part of the registration response.
  This has been changed BOTH in the server code (using webauthn data structures) as well as in the sample
  JavaScript code. If an application has its own JavaScript front-end code, it might need to be changed.
- The tf_validity feature :py:data:`SECURITY_TWO_FACTOR_ALWAYS_VALIDATE` used to set a cookie if the request was
  form-based, and return the token as part of a JSON response. Now this feature is ONLY cookie-based and the token
  is no longer returned as part of any response.
- Reset password was changed to adhere to OWASP recommendations and reduce possible exploitation:

  - A new email (with a new token) is no longer sent upon an expired token. Users must restart
    the reset password process.
  - The user is no longer automatically logged in upon successful password reset. For
    backwards compatibility :py:data:`SECURITY_AUTO_LOGIN_AFTER_RESET` can be set to ``True``.
    Note that this compatibility feature is deprecated and will be removed in a future release.
  - Identity information (identity, email) is no longer sent as part of the URL redirect
    query params.
  - The SECURITY_MSG_PASSWORD_RESET_EXPIRED message no longer contains the user's identity/email.
  - The default for :py:data:`SECURITY_RESET_PASSWORD_WITHIN` has been changed from ``5 days`` to ``1 days``.
  - The response to GET /reset/<token> sets the HTTP header ``Referrer-Policy`` to ``no-referrer`` as suggested
    by OWASP. *PLEASE NOTE: this was backed out in 5.3.1*

- Confirm email was changed to adhere to OWASP recommendations and reduce possible exploitation:

  - A new email (with a new token) is no longer sent upon an expired token. Users must restart
    the confirmation process.
  - Identity information (identity, email) is no longer sent as part of the URL redirect
    query params.
  - The :py:data:`SECURITY_AUTO_LOGIN_AFTER_CONFIRM` configuration variable now defaults to ``False``, meaning
    that after a successful email confirmation the user must still sign in using the usual mechanisms. This is to
    align better with OWASP best practices. Setting it to ``True`` will restore the prior behavior.
  - The SECURITY_MSG_CONFIRMATION_EXPIRED message no longer contains the user's identity/email.
  - The response to GET /reset/<token> sets the HTTP header ``Referrer-Policy`` to ``no-referrer`` as suggested
    by OWASP. *PLEASE NOTE: this was backed out in 5.3.1*
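The WebAuthn change above means an application's own front-end code must now include the authenticator transports in the registration response it posts back. The following is an added example, not Flask-Security's sample JavaScript: it serializes a registration credential into the W3C JSON shape, reading ``getTransports()`` where the browser exposes it and sending an empty array otherwise. The field names and the assumption that the server accepts this shape are mine; the credential object is a constructed stand-in so the code runs outside a browser.

```javascript
// Added example, not Flask-Security's sample JavaScript. Field names follow the
// W3C PublicKeyCredential JSON shape; how the server reads them is assumed.

// Encode an ArrayBuffer or Uint8Array as unpadded base64url, the encoding the
// WebAuthn JSON serialization uses for every binary field.
function toBase64Url(buf) {
  const bytes = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Build the registration payload: transports come from
// AuthenticatorAttestationResponse.getTransports() (WebAuthn Level 2);
// browsers lacking it get an empty array so the server never sees `undefined`.
function registrationCredentialToJSON(cred) {
  const resp = cred.response;
  const transports =
    typeof resp.getTransports === "function" ? resp.getTransports() : [];
  return {
    id: cred.id,
    rawId: toBase64Url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: toBase64Url(resp.clientDataJSON),
      attestationObject: toBase64Url(resp.attestationObject),
      transports: transports,
    },
    clientExtensionResults:
      cred.getClientExtensionResults ? cred.getClientExtensionResults() : {},
  };
}

// Constructed stand-in for what navigator.credentials.create() returns, so the
// serializer can be exercised outside a browser. Bytes are arbitrary.
function makeSampleCredential() {
  const rawId = new Uint8Array([0xfb, 0x01, 0x02, 0xff]);
  return {
    id: toBase64Url(rawId),
    rawId: rawId.buffer,
    type: "public-key",
    response: {
      clientDataJSON: new TextEncoder().encode('{"type":"webauthn.create"}').slice().buffer,
      attestationObject: new Uint8Array([0xa3, 0x63, 0x66, 0x6d, 0x74]).buffer,
      getTransports: () => ["usb", "internal"],
    },
    getClientExtensionResults: () => ({}),
  };
}
```

In the browser, ``JSON.stringify(registrationCredentialToJSON(cred))`` is the string to place in the form field or request body the registration endpoint reads.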