Flask-security

-------------

Released June 12, 2020

Minor fixes for a regression and a couple other minor changes

Fixed
+++++

- (:issue:`340`) Fix regression where tf_phone_number was required, even if SMS wasn't configured.
- (:pr:`342`) Pick up some small documentation fixes from 4.0.0.

-------------

Released May 2, 2020

Only change is to move repo to the Flask-Middleware github organization.

--------------

Released April 22, 2020

Fix a bunch of bugs in new unified sign in along with a couple other major issues.

Fixed
+++++
- (:issue:`298`) Alternative ID feature ran afoul of postgres/psycopg2 finickiness.
- (:issue:`300`) JSON 401 responses had WWW-Authenticate Header attached - that caused
browsers to pop up their own login/password form. Not what applications want.
- (:issue:`280`) Allow admin/api to setup TFA (and unified sign in) out of band.
Please see :meth:`.UserDatastore.tf_set`, :meth:`.UserDatastore.tf_reset`,
:meth:`.UserDatastore.us_set`, :meth:`.UserDatastore.us_reset` and
:meth:`.UserDatastore.reset_user_access`.
- (:pr:`305`) We used form._errors which wasn't very pythonic, and it was
removed in WTForms 2.3.0.
- (:pr:`310`) WTForms 2.3.0 made email_validator optional - we need it.

-------------

Released March 31, 2020

Features
++++++++
- (:pr:`257`) Support a unified sign in feature. Please see :ref:`configuration:unified signin`.
- (:pr:`265`) Add phone number validation class. This is used in both unified sign in
as well as two-factor when using ``sms``.
- (:pr:`274`) Add support for 'freshness' of caller's authentication. This permits endpoints
to be additionally protected by ensuring a recent authentication.
- (:issue:`99`, :issue:`195`) Support pluggable password validators. Provide a default
validator that offers complexity and breached support.
- (:issue:`266`) Provide interface to two-factor send_token so that applications
can provide error mitigation. Defaults to returning errors if can't send the verification code.
- (:pr:`247`) Updated all-inclusive data models (fsqlaV2). Add fields necessary for the new unified sign in feature
and changed 'username' to be unique (but not required).
- (:pr:`245`) Use fs_uniquifier as the default Flask-Login 'alternative token'. Basically
this means that changing the fs_uniquifier will cause outstanding auth tokens, session and remember me
cookies to be invalidated. So if an account gets compromised, an admin can easily stop access. Prior to this
cookies were storing the 'id' which is the user's primary key - difficult to change! (kishi85)

Fixed
+++++
- (:issue:`273`) Don't allow reset password for accounts that are disabled.
- (:issue:`282`) Add configuration that disallows GET for logout. Allowing GET can
cause some denial of service issues. The default still allows GET for backwards
compatibility. (kantorii)
- (:issue:`258`) Reset password wasn't integrated into the two-factor feature and therefore
two-factor auth could be bypassed.
- (:issue:`254`) Allow lists and sets as underlying permissions. (pffs)
- (:issue:`251`) Allow a registration form to have additional fields that aren't part of the user model
that are just passed to the user_registered.send signal, where the application can perform arbitrary
additional actions required during registration. (kuba-lilz)
- (:issue:`249`) Add configuration to disable the 'role-joining' optimization for SQLAlchemy. (pffs)
- (:issue:`238`) Fix more issues with atomically setting the new TOTP secret when setting up two-factor. (kishi85)
- (:pr:`240`) Fix Quart Compatibility. (ristellise)
- (:issue:`232`) CSRF Cookie not being set when using 'Remember Me' cookie to re-sign in. (kishi85)
- (:issue:`229`) Two-factor enabled accounts didn't work with the Remember Me feature. (kishi85)

As part of adding unified sign in, there were many similarities with two-factor.
Some refactoring was done to unify naming, configuration variables etc.
It should all be backwards compatible.

- In TWO_FACTOR_ENABLED_METHODS "mail" was changed to "email". "mail" will still
be honored if already stored in DB. Also "google_authenticator" is now just "authenticator".
- TWO_FACTOR_SECRET, TWO_FACTOR_URI_SERVICE_NAME, TWO_FACTOR_SMS_SERVICE, and TWO_FACTOR_SMS_SERVICE_CONFIG
have all been deprecated in favor of names that are the same for two-factor and unified sign in.

Other changes with possible backwards compatibility issues:

- ``/tf-setup`` never did any phone number validation. Now it does.
- ``two_factor_setup.html`` template - the chosen_method check was changed to ``email``.
If you have your own custom template - be sure make that change.

-------------

Released February 11, 2020

Minor changes required to work with latest released Werkzeug and Flask-Login.

-------------

Released December 7, 2019

- (:issue:`215`) Fixed 2FA totp secret regeneration bug (kishi85)
- (:issue:`172`) Fixed 'next' redirect error in login view
- (:issue:`221`) Fixed regressions in login view when already authenticated user
again does a GET or POST.
- (:issue:`219`) Added example code for unit testing FS protected routes.
- (:issue:`223`) Integrated two-factor auth into registration and confirmation.

Thanks to kuba-lilz and kishi85 for finding and providing detailed issue reports.

In Flask-Security 3.3.0 the login view was changed to allow already authenticated
users to access the view. Prior to 3.3.0, the login view was protected with
anonymous_user_required - so any access (via GET or POST) would simply redirect
the user to the ``POST_LOGIN_VIEW``. With the 3.3.0 changes, both GET and POST
behaved oddly. GET simply returned the login template, and POST attempted to
log out the current user, and log in the new user. This was problematic since
this couldn't possibly work with CSRF.
The old behavior has been restored, with the subtle change that older Flask-Security
releases did not look at "next" in the form or request for the redirect,
and now, all redirects from the login view will honor "next".