Flask-Security-Invenio Changelog

Here you can see the full list of changes between each Flask-Security-Invenio release.

Version 3.1.1

Released February 9th 2022

Version 3.1.0

Released February 9th 2022

  • Removed token and baisc authentication.

  • Removed MongoDB, PonyORM, Peewee support.

  • Removed remember me support.

  • Removed JSON/AJAX support.

  • Removed passwordless login.

  • Added support for single hashing only specific algorithms.

Version 3.0.2

Released April 30th 2019

  • (opr #439) HTTP Auth respects SECURITY_USER_IDENTITY_ATTRIBUTES (pnpnpn)

  • (opr #660) csrf_enabled` deprecation fix (abulte)

  • (opr #671) Fix referrer loop in _get_unauthorized_view(). (nfvs)

  • (opr #675) Fix AttributeError in _request_loader (sbagan)

  • (opr #676) Fix timing attack on login form (cript0nauta)

  • (opr #683) Close db connection after running tests (reambus)

  • (opr #691) docs: add password salt to SQLAlchemy app example (KshitijKarthick)

  • (opr #692) utils: fix incorrect email sender type (switowski)

  • (opr #696) Fixed broken Click link (williamhatcher)

  • (opr #722) Fix password recovery confirmation on deleted user (kesara)

  • (opr #747) Update login_user.html (rickwest)

  • (opr #748) i18n: configurable the dirname domain (escudero)

  • (opr #835) adds relevant user to reset password form for validation purposes (fuhrysteve)

These are bug fixes and a couple very small additions. No change in behavior and no new functionality. ‘opr#’ is the original pull request from https://github.com/mattupstate/flask-security

Version 3.0.1

Released April 28th 2019

  • Support 3.7 as part of CI

  • Rebrand to this forked repo

  • (#15) Build docs and translations as part of CI

  • (#17) Move to msgcheck from pytest-translations

  • (opr #669) Fix for Read the Docs (jirikuncar)

  • (opr #710) Spanish translation (maukoquiroga)

  • (opr #712) i18n: improvements of German translations (eseifert)

  • (opr #713) i18n: add Portuguese (Brazilian) translation (dinorox)

  • (opr #719) docs: fix anchor links and typos (kesara)

  • (opr #751) i18n: fix missing space (abulte)

  • (opr #762) docs: fixed proxy import (lsmith)

  • (opr #767) Update customizing.rst (allanice001)

  • (opr #776) i18n: add Portuguese (Portugal) translation (micael-grilo)

  • (opr #791) Fix documentation for mattupstate#781 (fmerges)

  • (opr #796) Chinese translations (Steinkuo)

  • (opr #808) Clarify that a commit is needed after login_user (christophertull)

  • (opr #823) Add Turkish translation (Admicos)

  • (opr #831) Catalan translation (miceno)

These are all documentation and i18n changes - NO code changes. All except the last 3 were accepted and reviewed by the original Flask-Security team. Thanks as always to all the contributors.

Version 3.0.0

Released May 29th 2017

  • Fixed a bug when user clicking confirmation link after confirmation and expiration causes confirmation email to resend. (see #556)

  • Added support for I18N.

  • Added options SECURITY_EMAIL_PLAINTEXT and SECURITY_EMAIL_HTML for sending respecively plaintext and HTML version of email.

  • Fixed validation when missing login information.

  • Fixed condition for token extraction from JSON body.

  • Better support for universal bdist wheel.

  • Added port of CLI using Click configurable using options SECURITY_CLI_USERS_NAME and SECURITY_CLI_ROLES_NAME.

  • Added new configuration option SECURITY_DATETIME_FACTORY which can be used to force default timezone for newly created datetimes. (see mattupstate/flask-security#466)

  • Better IP tracking if using Flask 0.12.

  • Renamed deprecated Flask-WFT base form class.

  • Added tests for custom forms configured using app config.

  • Added validation and tests for next argument in logout endpoint. (see #499)

  • Bumped minimal required versions of several packages.

  • Extended test matric on Travis CI for minimal and released package versions.

  • Added of .editorconfig and forced tests for code style.

  • Fixed a security bug when validating a confirmation token, also checks if the email that the token was created with matches the user’s current email.

  • Replaced token loader with request loader.

  • Changed trackable behavior of login_user when IP can not be detected from a request from ‘untrackable’ to None value.

  • Use ProxyFix instead of inspecting X-Forwarded-For header.

  • Fix identical problem with app as with datastore.

  • Removed always-failing assertion.

  • Fixed failure of init_app to set self.datastore.

  • Changed to new style flask imports.

  • Added proper error code when returning JSON response.

  • Changed obsolette Required validator from WTForms to DataRequired. Bumped Flask-WTF to 0.13.

  • Fixed missing SECURITY_SUBDOMAIN in config docs.

  • Added cascade delete in PeeweeDatastore.

  • Added notes to docs about SECURITY_USER_IDENTITY_ATTRIBUTES.

  • Inspect value of SECURITY_UNAUTHORIZED_VIEW.

  • Send password reset instructions if an attempt has expired.

  • Added “Forgot password?” link to LoginForm description.

  • Upgraded passlib, and removed bcrypt version restriction.

  • Removed a duplicate line (‘retype_password’: ‘Retype Password’) in forms.py.

  • Various documentation improvement.

Version 1.7.5

Released December 2nd 2015

  • Added SECURITY_TOKEN_MAX_AGE configuration setting

  • Fixed calls to SQLAlchemyUserDatastore.get_user(None) (this now returns False instead of raising a TypeError

  • Fixed URL generation adding extra slashes in some cases (see GitHub #343)

  • Fixed handling of trackable IP addresses when the X-Forwarded-For header contains multiple values

  • Include WWW-Authenticate headers in @auth_required authentication checks

  • Fixed error when check_token function is used with a json list

  • Added support for custom AnonymousUser classes

  • Restricted forgot_password endpoint to anonymous users

  • Allowed unauthorized callback to be overridden

  • Fixed issue where passwords cannot be reset if currently set to None

  • Ensured that password reset tokens are invalidated after use

  • Updated is_authenticated and is_active functions to support Flask-Login changes

  • Various documentation improvements

Version 1.7.4

Released October 13th 2014

  • Fixed a bug related to changing existing passwords from plaintext to hashed

  • Fixed a bug in form validation that did not enforce case insensivitiy

  • Fixed a bug with validating redirects

Version 1.7.3

Released June 10th 2014

  • Fixed a bug where redirection to SECURITY_POST_LOGIN_VIEW was not respected

  • Fixed string encoding in various places to be friendly to unicode

  • Now using werkzeug.security.safe_str_cmp to check tokens

  • Removed user information from JSON output on /reset responses

  • Added Python 3.4 support

Version 1.7.2

Released May 6th 2014

  • Updated IP tracking to check for X-Forwarded-For header

  • Fixed a bug regarding the re-hashing of passwords with a new algorithm

  • Fixed a bug regarding the password_changed signal.

Version 1.7.1

Released January 14th 2014

  • Fixed a bug where passwords would fail to verify when specifying a password hash algorithm

Version 1.7.0

Released January 10th 2014

  • Python 3.3 support!

  • Dependency updates

  • Fixed a bug when SECURITY_LOGIN_WITHOUT_CONFIRMATION = True did not allow users to log in

  • Added SECURITY_SEND_PASSWORD_RESET_NOTICE_EMAIL configuraiton option to optionally send password reset notice emails

  • Add documentation for @security.send_mail_task

  • Move to request.get_json as request.json is now deprecated in Flask

  • Fixed a bug when using AJAX to change a user’s password

  • Added documentation for select functions in the flask_security.utils module

  • Fixed a bug in flask_security.forms.NextFormMixin

  • Added CHANGE_PASSWORD_TEMPLATE configuration option to optionally specify a different change password template

  • Added the ability to specify addtional fields on the user model to be used for identifying the user via the USER_IDENTITY_ATTRIBUTES configuration option

  • An error is now shown if a user tries to change their password and the password is the same as before. The message can be customed with the SECURITY_MSG_PASSWORD_IS_SAME configuration option

  • Fixed a bug in MongoEngineUserDatastore where user model would not be updated when using the add_role_to_user method

  • Added SECURITY_SEND_PASSWORD_CHANGE_EMAIL configuration option to optionally disable password change email from being sent

  • Fixed a bug in the find_or_create_role method of the PeeWee datastore

  • Removed pypy tests

  • Fixed some tests

  • Include CHANGES and LICENSE in MANIFEST.in

  • A bit of documentation cleanup

  • A bit of code cleanup including removal of unnecessary utcnow call and simplification of get_max_age method

Version 1.6.9

Released August 20th 2013

  • Fix bug in SQLAlchemy datastore’s get_user function

  • Fix bug in PeeWee datastore’s remove_role_from_user function

  • Fixed import error caused by new Flask-WTF release

Version 1.6.8

Released August 1st 2013

  • Fixed bug with case sensitivity of email address during login

  • Code cleanup regarding token_callback

  • Ignore validation errors in find_user function for MongoEngineUserDatastore

Version 1.6.7

Released July 11th 2013

  • Made password length form error message configurable

  • Fixed email confirmation bug that prevented logged in users from confirming their email

Version 1.6.6

Released June 28th 2013

  • Fixed dependency versions

Version 1.6.5

Released June 20th 2013

  • Fixed bug in flask.ext.security.confirmable.generate_confirmation_link

Version 1.6.4

Released June 18th 2013

  • Added SECURITY_DEFAULT_REMEMBER_ME configuration value to unify behavior between endpoints

  • Fixed Flask-Login dependency problem

  • Added optional next parameter to registration endpoint, similar to that of login

Version 1.6.3

Released May 8th 2013

  • Fixed bug in regards to imports with latest version of MongoEngine

Version 1.6.2

Released April 4th 2013

  • Fixed bug with http basic auth

Version 1.6.1

Released April 3rd 2013

  • Fixed bug with signals

Version 1.6.0

Released March 13th 2013

  • Added Flask-Pewee support

  • Password hashing is now more flexible and can be changed to a different type at will

  • Flask-Login messages are configurable

  • AJAX requests must now send a CSRF token for security reasons

  • Form messages are now configurable

  • Forms can now be extended with more fields

  • Added change password endpoint

  • Added the user to the request context when successfully authenticated via http basic and token auth

  • The Flask-Security blueprint subdomain is now configurable

  • Redirects to other domains are now not allowed during requests that may redirect

  • Template paths can be configured

  • The welcome/register email can now optionally be sent to the user

  • Passwords can now contain non-latin characters

  • Fixed a bug when confirming an account but the account has been deleted

Version 1.5.4

Released January 6th 2013

  • Fix bug in forms with csrf_enabled parameter not accounting attempts to login using JSON data

Version 1.5.3

Released December 23rd 2012

  • Change dependency requirement

Version 1.5.2

Released December 11th 2012

  • Fix a small bug in flask_security.utils.login_user method

Version 1.5.1

Released November 26th 2012

  • Fixed bug with next form variable

  • Added better documentation regarding Flask-Mail configuration

  • Added ability to configure email subjects

Version 1.5.0

Released October 11th 2012

  • Major release. Upgrading from previous versions will require a bit of work to accomodate API changes. See documentation for a list of new features and for help on how to upgrade.

Version 1.2.3

Released June 12th 2012

  • Fixed a bug in the RoleMixin eq/ne functions

Version 1.2.2

Released April 27th 2012

  • Fixed bug where roles_required and roles_accepted did not pass the next argument to the login view

Version 1.2.1

Released March 28th 2012

  • Added optional user model mixin parameter for datastores

  • Added CreateRoleCommand to available Flask-Script commands

Version 1.2.0

Released March 12th 2012

  • Added configuration option SECURITY_FLASH_MESSAGES which can be set to a boolean value to specify if Flask-Security should flash messages or not.

Version 1.1.0

Initial release