Flask-security

Latest version: v5.5.2

Page 4 of 12

4.1.4
-------------

Released April 19, 2022

Fixes
+++++
- (:issue:`594`) Fix test failures with newer Flask versions.

4.1.3
-------------

Released March 2, 2022

Fixes
+++++
- (:issue:`581`) Fix bug when attempting to disable register_blueprint. (halali)
- (:pr:`539`) Fix example documentation re: generating localized messages. (kazuhei2)
- (:pr:`546`) Make roles joinedload compatible with SQLAlchemy 2.0. (keats)
- (:pr:`586`) Ship py.typed as part of package.
- (:issue:`580`) Improve documentation around use of bleach and include in common install extra.

4.1.2
-------------

Released September 22, 2021

Fixes
+++++
- (:issue:`526`) default_reauthn_handler doesn't honor SECURITY_URL_PREFIX
- (:pr:`528`) Improve German translations (sr-verde)
- (:pr:`527`) Fix two-factor sample code (djpnewton)

4.1.1
--------------

Released September 10, 2021

Fixes
+++++
- (:issue:`518`) Fix corner case where Security object was being reused in tests.
- (:issue:`512`) If USERNAME_ENABLE is set, change LoginForm field from EmailField
  to StringField. Also - dynamically add fields to Login and Registration forms
  rather than always having them - this made the RegistrationForm much simpler.
- (:issue:`516`) Improved username feature handling solved issue of always requiring
  bleach.
- (:issue:`513`) Improve documentation of default username validation.

4.1.0
-------------

Released July 23, 2021

Features
++++++++
- (:issue:`474`) Add public API and CLI command to change a user's password.
- (:issue:`140`) Add type hints. Please note that many of the packages that flask-security
  depends on aren't typed yet - so there are likely errors in some of the types.
- (:issue:`466`) Add first-class support for using username for signing in.

Fixes
+++++
- (:issue:`483`) 4.0 doesn't accept 3.4 authentication tokens. (kuba-lilz)
- (:issue:`490`) Flask-Mail sender name can be a tuple. (hrishikeshrt)
- (:issue:`486`) Possible open redirect vulnerability.
- (:pr:`478`) Improve/update German translation. (sr-verde)
- (:issue:`488`) Improve handling of Babel packages.
- (:pr:`496`) Documentation improvements, distribution extras, fix single message
  override.
- (:issue:`497`) Improve cookie handling and default ``samesite`` to ``Strict``.

Backwards Compatibility Concerns
+++++++++++++++++++++++++++++++++
- (:pr:`488`) In 4.0.0, with the addition of Flask-Babel support, Flask-Security enforced that
  if it could import either Flask-Babel or Flask-BabelEx, that those modules had
  been initialized as proper Flask extensions. Prior to 4.0.0, just Flask-BabelEx
  was supported - and that didn't require any explicit initialization. Flask-Babel
  DOES require explicit initialization. However for some applications that don't
  completely control their environment (such as system pre-installed versions of
  python) this caused applications that didn't even want translation services to
  fail on startup. With this release, Flask-Security still attempts to import
  one or the other package - however if those modules are NOT initialized,
  Flask-Security will simply ignore them and no translations will occur.
- (:issue:`497`) The CSRF_COOKIE and TWO_FACTOR_VALIDITY cookies had their defaults
  changed to set ``samesite=Strict``. This follows the Flask-Security goal of
  making things more secure out-of-the-box.
- (:issue:`140`) Type hinting. For the most part this of course has no runtime effects.
  However, this required a fairly major overhaul of how Flask-Security is initialized in
  order to provide valid types for the many constructor attributes. There are no known
  compatibility concerns - however initialization used to convert all arguments into kwargs
  then add those as attributes and merge with application constants. That no longer happens
  and it is possible that some corner cases don't behave precisely as they did before.

4.0.1
-------------

Released April 2, 2021

Features
++++++++

Fixes
+++++
- (:issue:`461`) 4.0 doesn't accept 3.4 authentication tokens. (kuba-lilz)
- (:issue:`460`) 2-fa error: Failed to send code - improved documentation and debuggability.
- (:issue:`454`) 2-fa error: TypeError - fixed documentation.
- (:issue:`443`) Calling create user without any arguments - fixed underlying cause
  of translating form errors in the CLI.
- (:issue:`442`) Email validation confusion - added documentation.
- (:issue:`450`) Add documentation on how to override specific error messages.
- (:pr:`439`) Don't install global-scope tests. (mgorny)
- (:pr:`470`) Add note about updating DB using MySQL. (jugmac00)
- (:pr:`468`) Fix documentation - uia_phone_number should be uia_phone_mapper. (dvrg)
- (:pr:`457`) Improve Chinese translations. (zxjlm)
- (:pr:`453`) Improve Basque and Spanish translations. (mmozos)
- (:pr:`448`) Add Afrikaans translations. (lonelyvikingmichael)
- (:pr:`467`) Add Blinker as explicit dependency, improve/fix celery usage docs,
  don't require pyqrcode unless authenticator configured, improve SMS configuration
  variables documentation.
