Flask-security

Latest version: v5.5.2


3.2.0
-------------

Released June 26th 2019

- (:pr:`80`) Support caching of authentication tokens (eregnier `opr 839 <https://github.com/mattupstate/flask-security/pull/839>`_).
This adds a new configuration variable *SECURITY_USE_VERIFY_PASSWORD_CACHE*
which enables a cache (with configurable TTL) of verified authentication tokens,
so a token that is presented on every request is not re-verified against the
password hash each time. This is a big performance boost for those accessing
Flask-Security via token as opposed to session.
- (:pr:`81`) Support for JSON/Single-Page-Application. This completes support
for non-form based access to Flask-Security. See PR for details. (jwag956)
- (:pr:`79`) Add POST logout to enhance JSON usage (jwag956).
- (:pr:`73`) Fix get_user for various DBs (jwag956).
This is a more complete fix than in opr 633.
- (:pr:`78`, :pr:`103`) Add formal openapi API spec (jwag956).
- (:pr:`86`, :pr:`94`, :pr:`98`, :pr:`101`, :pr:`104`) Add Two-factor authentication (opr 842) (baurt, jwag956).
- (:issue:`108`) Fix form field label translations (jwag956)
- (:issue:`115`) Fix form error message translations (upstream 801) (jwag956)
- (:issue:`87`) Convert entire repo to Black (baurt)
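The verify cache in :pr:`80` is a trade-off worth spelling out: while an entry is live, a token keeps working for up to the TTL after the password has been changed or the token revoked, unless the cache is flushed at that moment. The following added example is not Flask-Security's code; TokenStore, VerifyCache, verify_token and demo are names invented for it, and PBKDF2 stands in for the real password hasher. It shows the hash computations the cache saves, the stale-acceptance window, and what clearing the cache on revocation does:

```python
import hashlib
import hmac
import secrets
import time

# Added illustration of a TTL cache in front of a slow token check. It is not
# Flask-Security's own implementation; TokenStore, VerifyCache, verify_token
# and demo are names invented for this example.

PBKDF2_ROUNDS = 100_000  # deliberately expensive, like a real password hash


def slow_hash(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS)


class TokenStore:
    """Salted hash of each user's token secret; counts the slow verifications."""

    def __init__(self):
        self._users = {}  # user_id -> (salt, slow_hash(secret, salt))
        self.slow_checks = 0

    def issue_token(self, user_id: int) -> str:
        secret, salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self._users[user_id] = (salt, slow_hash(secret, salt))
        return f"{user_id}:{secret.hex()}"

    def revoke_tokens(self, user_id: int) -> None:
        # Replace the stored hash so every outstanding token stops verifying.
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, slow_hash(secrets.token_bytes(16), salt))

    def check(self, token: str):
        """Full verification (one slow hash); returns the user id or None."""
        try:
            user_part, secret_hex = token.split(":", 1)
            user_id, secret = int(user_part), bytes.fromhex(secret_hex)
        except ValueError:
            return None
        if user_id not in self._users:
            return None
        salt, expected = self._users[user_id]
        self.slow_checks += 1
        return user_id if hmac.compare_digest(slow_hash(secret, salt), expected) else None


class VerifyCache:
    """Remembers successful verifications for ttl seconds, keyed by a token digest."""

    def __init__(self, ttl_seconds: float, clock=time.monotonic):
        self.ttl, self.clock, self._entries = ttl_seconds, clock, {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()  # never keep the raw bearer token

    def get(self, token: str):
        entry = self._entries.get(self._key(token))
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() >= expires_at:
            del self._entries[self._key(token)]
            return None
        return user_id

    def put(self, token: str, user_id: int) -> None:
        self._entries[self._key(token)] = (user_id, self.clock() + self.ttl)

    def clear(self) -> None:
        self._entries.clear()


def verify_token(store: TokenStore, cache, token: str):
    """Cache-first lookup; cache=None models the cache being switched off."""
    if cache is not None and (user_id := cache.get(token)) is not None:
        return user_id
    user_id = store.check(token)
    if user_id is not None and cache is not None:
        cache.put(token, user_id)
    return user_id


def demo() -> dict:
    now = [1000.0]  # manual clock so TTL expiry is shown without sleeping
    store, cache = TokenStore(), VerifyCache(ttl_seconds=300, clock=lambda: now[0])
    token = store.issue_token(7)
    first = verify_token(store, cache, token)        # slow path, result cached
    second = verify_token(store, cache, token)       # cache hit, no hashing
    checks_after_two = store.slow_checks
    store.revoke_tokens(7)
    stale = verify_token(store, cache, token)        # still accepted: the TTL window
    cache.clear()                                    # what a revocation hook must do
    after_clear = verify_token(store, cache, token)  # slow path now rejects it
    other = store.issue_token(8)
    verify_token(store, cache, other)
    now[0] += 301
    rechecked = verify_token(store, cache, other)    # entry expired, verified slowly again
    return {"first": first, "second": second, "checks_after_two": checks_after_two,
            "stale": stale, "after_clear": after_clear, "rechecked": rechecked,
            "total_checks": store.slow_checks}
```

demo() returns the observed values: two requests with the same token cost one slow hash, a revoked token is still accepted from the cache until the TTL elapses or the cache is cleared, and an expired entry falls back to the slow path. In a deployment the TTL bounds how long a revoked token stays usable, so keep it short and flush the cache from whatever code path changes a password or rotates a token.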

3.1.0
-------------

Released never

- (:pr:`53`) Use Security.render_template in mails too (noirbizarre `opr 487 <https://github.com/mattupstate/flask-security/pull/487>`_)
- (:pr:`56`) Optimize DB accesses by using an SQL JOIN when retrieving a user. (nfvs `opr 679 <https://github.com/mattupstate/flask-security/pull/679>`_)
- (:pr:`57`) Add base template to security templates (grihabor `opr 697 <https://github.com/mattupstate/flask-security/pull/697>`_)
- (:pr:`73`) datastore: get user by numeric identity attribute (jirikuncar `opr 633 <https://github.com/mattupstate/flask-security/pull/633>`_)
- (:pr:`58`) bugfix: support application factory pattern (briancappello `opr 703 <https://github.com/mattupstate/flask-security/pull/703>`_)
- (:pr:`60`) Make SECURITY_PASSWORD_SINGLE_HASH a list of scheme ignoring double hash (noirbizarre `opr 714 <https://github.com/mattupstate/flask-security/pull/714>`_)
- (:pr:`61`) Allow custom login_manager to be passed in to Flask-Security (jaza `opr 717 <https://github.com/mattupstate/flask-security/pull/717>`_)
- (:pr:`62`) Docs for OAuth2-based custom login manager (jaza `opr 727 <https://github.com/mattupstate/flask-security/pull/727>`_)
- (:pr:`63`) core: make the User model check the password (mklassen `opr 779 <https://github.com/mattupstate/flask-security/pull/779>`_)
- (:pr:`64`) Customizable send_mail (abulte `opr 730 <https://github.com/mattupstate/flask-security/pull/730>`_)
- (:pr:`68`) core: fix default for UNAUTHORIZED_VIEW (jirijunkar `opr 726 <https://github.com/mattupstate/flask-security/pull/726>`_)

These should all be backwards compatible.

Possible compatibility issues:

- 487 - prior to this, render_template() was overridable for views, but not
emails. If anyone actually relied on this behavior, this has changed.
- 703 - get factory pattern working again. There was a very complex dance between
Security() instantiation and init_app regarding kwargs. This has been rationalized (hopefully).
- 679 - SQLAlchemy SQL improvement. It is possible you will get the following error::

    Got exception during processing: <class 'sqlalchemy.exc.InvalidRequestError'> -
    'User.roles' does not support object population - eager loading cannot be applied.

  This is likely solvable by removing ``lazy='dynamic'`` from the ``roles``
  relationship the error names (``User.roles``): a dynamic relationship returns
  a query object rather than loaded rows, so it cannot be eager loaded with the JOIN.


Performance improvements:

- 679 - for SQLAlchemy, each request used to make two DB accesses; now
there is one.

Testing:
For datastore operations, SQLAlchemy, peewee and pony were all tested against real
SQLite, PostgreSQL and MySQL databases.

3.0.2
-------------

Released April 30th 2019

- (opr 439) HTTP Auth respects SECURITY_USER_IDENTITY_ATTRIBUTES (pnpnpn)
- (opr 660) ``csrf_enabled`` deprecation fix (abulte)
- (opr 671) Fix referrer loop in _get_unauthorized_view(). (nfvs)
- (opr 675) Fix AttributeError in _request_loader (sbagan)
- (opr 676) Fix timing attack on login form (cript0nauta)
- (opr 683) Close db connection after running tests (reambus)
- (opr 691) docs: add password salt to SQLAlchemy app example (KshitijKarthick)
- (opr 692) utils: fix incorrect email sender type (switowski)
- (opr 696) Fixed broken Click link (williamhatcher)
- (opr 722) Fix password recovery confirmation on deleted user (kesara)
- (opr 747) Update login_user.html (rickwest)
- (opr 748) i18n: make the translations dirname and domain configurable (escudero)
- (opr 835) adds relevant user to reset password form for validation purposes (fuhrysteve)

These are bug fixes and a couple very small additions.
No change in behavior and no new functionality.
'opr' is the original pull request from https://github.com/mattupstate/flask-security
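The bug class behind "Fix timing attack on login form" (opr 676) recurs in hand-written login views: if a request for an unknown address returns before any password hashing, the response is measurably faster than for a known address, and an attacker can enumerate accounts by timing. The added example below is not Flask-Security's code; the account in USERS, SlowHasher, login_leaky and login_hardened are constructed for the illustration. It shows the leaky shape beside the hardened one, which pays the hashing cost on both paths, and counts the hash computations so the difference is visible without a stopwatch:

```python
import hashlib
import hmac
import time

# Added illustration of the timing-leak bug class in login forms. Not
# Flask-Security's code: USERS, SlowHasher, login_leaky, login_hardened and
# the sample account are constructed for this example.

PBKDF2_ROUNDS = 100_000


class SlowHasher:
    """PBKDF2 stand-in for a real password hasher; counts how often it runs."""

    def __init__(self):
        self.calls = 0

    def hash(self, password: str, salt: bytes) -> bytes:
        self.calls += 1
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def verify(self, password: str, salt: bytes, expected: bytes) -> bool:
        return hmac.compare_digest(self.hash(password, salt), expected)


HASHER = SlowHasher()
_ALICE_SALT = b"constructed-salt-for-alice"
USERS = {"alice@example.com": (_ALICE_SALT, HASHER.hash("correct horse", _ALICE_SALT))}
# Fixed dummy salt so the unknown-user path costs the same as a real check.
DUMMY_SALT = b"dummy-salt-for-unknown-users"


def login_leaky(email: str, password: str) -> bool:
    """Vulnerable shape: an unknown address returns before any hashing, so
    response time reveals whether the address is registered."""
    record = USERS.get(email)
    if record is None:
        return False
    salt, expected = record
    return HASHER.verify(password, salt, expected)


def login_hardened(email: str, password: str) -> bool:
    """Hardened shape: always pay the hashing cost, even with no matching user."""
    record = USERS.get(email)
    if record is None:
        HASHER.hash(password, DUMMY_SALT)  # result discarded; equalises timing
        return False
    salt, expected = record
    return HASHER.verify(password, salt, expected)


def hash_calls(login, email: str, password: str) -> int:
    """Number of slow hash computations one login attempt triggers."""
    before = HASHER.calls
    login(email, password)
    return HASHER.calls - before


def median_seconds(login, email: str, password: str, repeats: int = 5) -> float:
    """Median wall-clock time of a login attempt, for eyeballing the leak."""
    samples = []
    for _ in range(repeats):
        start = time.perf_counter()
        login(email, password)
        samples.append(time.perf_counter() - start)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    for fn in (login_leaky, login_hardened):
        known = median_seconds(fn, "alice@example.com", "wrong password")
        unknown = median_seconds(fn, "nobody@example.com", "wrong password")
        print(f"{fn.__name__}: known {known * 1e3:.1f} ms, unknown {unknown * 1e3:.1f} ms")
```

Running the module prints the two medians per variant; the leaky version answers unknown addresses in microseconds and known ones in tens of milliseconds, while the hardened version takes one hash on either path. Note that the error message must not differ between the two cases either, or the timing fix buys nothing.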

3.0.1
-------------

Released April 28th 2019

- Support 3.7 as part of CI
- Rebrand to this forked repo
- (15) Build docs and translations as part of CI
- (17) Move to msgcheck from pytest-translations
- (opr 669) Fix for Read the Docs (jirikuncar)
- (opr 710) Spanish translation (maukoquiroga)
- (opr 712) i18n: improvements of German translations (eseifert)
- (opr 713) i18n: add Portuguese (Brazilian) translation (dinorox)
- (opr 719) docs: fix anchor links and typos (kesara)
- (opr 751) i18n: fix missing space (abulte)
- (opr 762) docs: fixed proxy import (lsmith)
- (opr 767) Update customizing.rst (allanice001)
- (opr 776) i18n: add Portuguese (Portugal) translation (micael-grilo)
- (opr 791) Fix documentation for mattupstate#781 (fmerges)
- (opr 796) Chinese translations (Steinkuo)
- (opr 808) Clarify that a commit is needed after login_user (christophertull)
- (opr 823) Add Turkish translation (Admicos)
- (opr 831) Catalan translation (miceno)

These are all documentation and i18n changes - NO code changes. All except the last 3 were accepted and reviewed by
the original Flask-Security team.
Thanks as always to all the contributors.

3.0.0
-------------

Not secure

Released May 29th 2017

- Fixed a bug where a user clicking a confirmation link after confirmation
and expiration caused the confirmation email to be resent. (see #556)
- Added support for I18N.
- Added options `SECURITY_EMAIL_PLAINTEXT` and `SECURITY_EMAIL_HTML`
for sending respectively plaintext and HTML version of email.
- Fixed validation when missing login information.
- Fixed condition for token extraction from JSON body.
- Better support for universal bdist wheel.
- Added port of CLI using Click configurable using options
`SECURITY_CLI_USERS_NAME` and `SECURITY_CLI_ROLES_NAME`.
- Added new configuration option `SECURITY_DATETIME_FACTORY` which can
be used to force default timezone for newly created datetimes.
(see mattupstate/flask-security#466)
- Better IP tracking if using Flask 0.12.
- Renamed deprecated Flask-WTF base form class.
- Added tests for custom forms configured using app config.
- Added validation and tests for next argument in logout endpoint. (see #499)
- Bumped minimal required versions of several packages.
- Extended test matrix on Travis CI for minimal and released package versions.
- Added .editorconfig and enforced code-style checks in tests.
- Fixed a security bug in confirmation-token validation: the email the token
was created with is now checked against the user's current email.
- Replaced token loader with request loader.
- Changed trackable behavior of `login_user` when IP can not be detected from a request from 'untrackable' to `None` value.
- Use ProxyFix instead of inspecting X-Forwarded-For header.
- Fix identical problem with app as with datastore.
- Removed always-failing assertion.
- Fixed failure of init_app to set self.datastore.
- Changed to new style flask imports.
- Added proper error code when returning JSON response.
- Changed obsolete Required validator from WTForms to DataRequired. Bumped Flask-WTF to 0.13.
- Fixed missing `SECURITY_SUBDOMAIN` in config docs.
- Added cascade delete in PeeweeDatastore.
- Added notes to docs about `SECURITY_USER_IDENTITY_ATTRIBUTES`.
- Inspect value of `SECURITY_UNAUTHORIZED_VIEW`.
- Send password reset instructions if an attempt has expired.
- Added "Forgot password?" link to LoginForm description.
- Upgraded passlib, and removed bcrypt version restriction.
- Removed a duplicate line ('retype_password': 'Retype Password') in forms.py.
- Various documentation improvement.

1.7.5
-------------

Not secure

Released December 2nd 2015

- Added `SECURITY_TOKEN_MAX_AGE` configuration setting
- Fixed calls to `SQLAlchemyUserDatastore.get_user(None)` (this now returns `False` instead of raising a `TypeError`)
- Fixed URL generation adding extra slashes in some cases (see GitHub #343)
- Fixed handling of trackable IP addresses when the `X-Forwarded-For` header contains multiple values
- Include WWW-Authenticate headers in `auth_required` authentication checks
- Fixed error when `check_token` function is used with a json list
- Added support for custom `AnonymousUser` classes
- Restricted `forgot_password` endpoint to anonymous users
- Allowed unauthorized callback to be overridden
- Fixed issue where passwords cannot be reset if currently set to `None`
- Ensured that password reset tokens are invalidated after use
- Updated `is_authenticated` and `is_active` functions to support Flask-Login changes
- Various documentation improvements
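Three token items on this page (the confirmation-token email check in 3.0.0, and `SECURITY_TOKEN_MAX_AGE` and the single-use password reset tokens in 1.7.5) share one design: the token carries the state it was issued against, and the verifier compares that state with what the user looks like now. The added example below shows that pattern with stdlib HMAC signing. It is not Flask-Security's code (which signs tokens with itsdangerous and hashes passwords with passlib); SECRET, User, make_token, parse_token, confirm_email and reset_password are names invented here, and hash_password is a deterministic stand-in rather than a real password hasher.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Added example of email-bound confirmation tokens and single-use reset tokens
# with a maximum age. Not Flask-Security's own code; SECRET, User, make_token,
# parse_token, confirm_email and reset_password are invented for this example.

SECRET = b"constructed-signing-key-for-this-example"


@dataclass
class User:
    id: int
    email: str
    password_hash: str


def hash_password(password: str) -> str:
    # Stand-in for a real password hasher, kept deterministic for the example.
    return hashlib.sha256(b"static-salt:" + password.encode()).hexdigest()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(purpose: str, payload: dict, now: int) -> str:
    """HMAC-sign payload for one purpose; 'iat' lets the verifier enforce a max age."""
    body = _b64(json.dumps({**payload, "iat": now}, sort_keys=True).encode())
    sig = hmac.new(SECRET, f"{purpose}.{body}".encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def parse_token(purpose: str, token: str, now: int, max_age: int):
    """Return the payload, or None if the signature, purpose or age is wrong."""
    try:
        body, sig = token.split(".", 1)
        given = _unb64(sig)
    except ValueError:  # also covers binascii.Error on malformed base64
        return None
    expected = hmac.new(SECRET, f"{purpose}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None
    payload = json.loads(_unb64(body))
    if now - payload["iat"] > max_age:  # the SECURITY_TOKEN_MAX_AGE idea
        return None
    return payload


def confirmation_token(user: User, now: int) -> str:
    return make_token("confirm", {"uid": user.id, "email": user.email}, now)


def confirm_email(user: User, token: str, now: int, max_age: int = 3600) -> bool:
    """Accept only if the token was issued for the address the user has now."""
    payload = parse_token("confirm", token, now, max_age)
    if payload is None or payload["uid"] != user.id:
        return False
    return hmac.compare_digest(payload["email"].encode(), user.email.encode())


def _password_fingerprint(user: User) -> str:
    return hashlib.sha256(user.password_hash.encode()).hexdigest()[:32]


def reset_token(user: User, now: int) -> str:
    # Binding the token to the current password hash makes it single-use:
    # once the password changes, the fingerprint no longer matches.
    return make_token("reset", {"uid": user.id, "fp": _password_fingerprint(user)}, now)


def reset_password(user: User, token: str, new_password: str, now: int,
                   max_age: int = 3600) -> bool:
    payload = parse_token("reset", token, now, max_age)
    if payload is None or payload["uid"] != user.id:
        return False
    if not hmac.compare_digest(payload["fp"].encode(), _password_fingerprint(user).encode()):
        return False
    user.password_hash = hash_password(new_password)
    return True
```

A reset token that embeds a fingerprint of the current password hash needs no server-side "used" flag: changing the password changes the fingerprint, so a replayed token fails verification. The purpose string folded into the HMAC input keeps a confirmation token from being accepted by the reset endpoint and vice versa, and the email check rejects a confirmation link that was mailed to an address the account no longer has.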
