Hello community,
here is the log from the commit of package python-Flask-Security-Too for
openSUSE:Factory checked in at 2020-07-10 14:13:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-Flask-Security-Too (Old)
and /work/SRC/openSUSE:Factory/.python-Flask-Security-Too.new.3060 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-Flask-Security-Too"
Fri Jul 10 14:13:07 2020 rev:5 rq:819755 version:3.4.3
Changes:
--------
---
/work/SRC/openSUSE:Factory/python-Flask-Security-Too/python-Flask-Security-Too.changes
2020-05-14 23:27:12.709297501 +0200
+++
/work/SRC/openSUSE:Factory/.python-Flask-Security-Too.new.3060/python-Flask-Security-Too.changes
2020-07-10 14:13:08.851581897 +0200
@@ -1,0 +2,6 @@
+Wed Jul 1 10:13:03 UTC 2020 - Marketa Calabkova <mcalabk...@suse.com>
+
+- Update to 3.4.3
+ * Minor fixes for a regression and a couple other minor changes
+
+-------------------------------------------------------------------
Old:
----
Flask-Security-Too-3.4.2.tar.gz
New:
----
Flask-Security-Too-3.4.3.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-Flask-Security-Too.spec ++++++
--- /var/tmp/diff_new_pack.y2rwTi/_old 2020-07-10 14:13:09.515584078 +0200
+++ /var/tmp/diff_new_pack.y2rwTi/_new 2020-07-10 14:13:09.519584091 +0200
@@ -19,7 +19,7 @@
%define skip_python2 1
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
Name: python-Flask-Security-Too
-Version: 3.4.2
+Version: 3.4.3
Release: 0
Summary: Security for Flask apps
License: MIT
++++++ Flask-Security-Too-3.4.2.tar.gz -> Flask-Security-Too-3.4.3.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Security-Too-3.4.2/CHANGES.rst
new/Flask-Security-Too-3.4.3/CHANGES.rst
--- old/Flask-Security-Too-3.4.2/CHANGES.rst 2020-05-03 03:41:32.000000000
+0200
+++ new/Flask-Security-Too-3.4.3/CHANGES.rst 2020-06-13 18:53:19.000000000
+0200
@@ -14,10 +14,23 @@
.. _here: https://github.com/Flask-Middleware/flask-security/issues/85
+Version 3.4.3
+-------------
+
+Released June 12, 2020
+
+Minor fixes for a regression and a couple other minor changes
+
+Fixed
++++++
+
+- (:issue:`340`) Fix regression where tf_phone_number was required, even if
SMS wasn't configured.
+- (:pr:`xx`) Pick up some small documentation fixes from 4.0.0.
+
Version 3.4.2
-------------
-Released May x, 2020
+Released May 2, 2020
Only change is to move repo to the Flask-Middleware github organization.
@@ -95,6 +108,8 @@
Other changes with possible backwards compatibility issues:
- ``/tf-setup`` never did any phone number validation. Now it does.
+- ``two_factor_setup.html`` template - the chosen_method check was changed to
``email``.
+ If you have your own custom template - be sure make that change.
Version 3.3.3
-------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/PKG-INFO
new/Flask-Security-Too-3.4.3/Flask_Security_Too.egg-info/PKG-INFO
--- old/Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/PKG-INFO
2020-05-03 03:49:26.000000000 +0200
+++ new/Flask-Security-Too-3.4.3/Flask_Security_Too.egg-info/PKG-INFO
2020-06-13 19:01:06.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: Flask-Security-Too
-Version: 3.4.2
+Version: 3.4.3
Summary: Simple security for Flask apps.
Home-page: https://github.com/Flask-Middleware/flask-security
Author: Matt Wright & Chris Wagner
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt
new/Flask-Security-Too-3.4.3/Flask_Security_Too.egg-info/requires.txt
--- old/Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt
2020-05-03 03:49:26.000000000 +0200
+++ new/Flask-Security-Too-3.4.3/Flask_Security_Too.egg-info/requires.txt
2020-06-13 19:01:06.000000000 +0200
@@ -35,7 +35,7 @@
pytest-black>=0.3.8
pytest-cache>=1.0
pytest-cov>=2.5.1
-pytest-flake8>=1.0.4
+pytest-flake8>=1.0.6
pytest-mongo>=1.2.1
pytest>=3.5.1
sqlalchemy>=1.2.6
@@ -68,7 +68,7 @@
pytest-black>=0.3.8
pytest-cache>=1.0
pytest-cov>=2.5.1
-pytest-flake8>=1.0.4
+pytest-flake8>=1.0.6
pytest-mongo>=1.2.1
pytest>=3.5.1
sqlalchemy>=1.2.6
@@ -105,7 +105,7 @@
pytest-black>=0.3.8
pytest-cache>=1.0
pytest-cov>=2.5.1
-pytest-flake8>=1.0.4
+pytest-flake8>=1.0.6
pytest-mongo>=1.2.1
pytest>=3.5.1
sqlalchemy>=1.2.6
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Security-Too-3.4.2/PKG-INFO
new/Flask-Security-Too-3.4.3/PKG-INFO
--- old/Flask-Security-Too-3.4.2/PKG-INFO 2020-05-03 03:49:26.000000000
+0200
+++ new/Flask-Security-Too-3.4.3/PKG-INFO 2020-06-13 19:01:06.000000000
+0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: Flask-Security-Too
-Version: 3.4.2
+Version: 3.4.3
Summary: Simple security for Flask apps.
Home-page: https://github.com/Flask-Middleware/flask-security
Author: Matt Wright & Chris Wagner
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Security-Too-3.4.2/docs/conf.py
new/Flask-Security-Too-3.4.3/docs/conf.py
--- old/Flask-Security-Too-3.4.2/docs/conf.py 2020-05-03 03:41:32.000000000
+0200
+++ new/Flask-Security-Too-3.4.3/docs/conf.py 2020-06-13 18:53:19.000000000
+0200
@@ -58,7 +58,7 @@
# built documents.
#
# The short X.Y version.
-version = "3.4.2"
+version = "3.4.3"
# The full version, including alpha/beta/rc tags.
release = version
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Security-Too-3.4.2/docs/configuration.rst
new/Flask-Security-Too-3.4.3/docs/configuration.rst
--- old/Flask-Security-Too-3.4.2/docs/configuration.rst 2020-05-03
03:41:32.000000000 +0200
+++ new/Flask-Security-Too-3.4.3/docs/configuration.rst 2020-06-13
18:53:19.000000000 +0200
@@ -388,13 +388,16 @@
.. py:data:: SECURITY_FRESHNESS
A timedelta used to protect endpoints that alter sensitive information.
- This is used to protect the endpoint: :py:data:`SECURITY_US_SETUP_URL`.
+ This is used to protect the endpoint: :py:data:`SECURITY_US_SETUP_URL`, and
+ :py:data:`SECURITY_TWO_FACTOR_SETUP_URL`.
Refer to :meth:`flask_security.auth_required` for details.
Setting this to a negative number will disable any freshness checking and
the endpoints :py:data:`SECURITY_VERIFY_URL`,
:py:data:`SECURITY_US_VERIFY_URL`
and :py:data:`SECURITY_US_VERIFY_SEND_CODE_URL` won't be registered.
Setting this to 0 results in undefined behavior.
+ Please see :meth:`flask_security.check_and_update_authn_fresh` for details.
+
Default: timedelta(hours=24)
.. versionadded:: 3.4.0
@@ -403,7 +406,8 @@
A timedelta that provides a grace period when altering sensitive
information.
- This is used to protect the endpoint: :py:data:`SECURITY_US_SETUP_URL`.
+ This is used to protect the endpoint: :py:data:`SECURITY_US_SETUP_URL`, and
+ :py:data:`SECURITY_TWO_FACTOR_SETUP_URL`.
Refer to :meth:`flask_security.auth_required` for details.
N.B. To avoid strange behavior, be sure to set the grace period less than
the freshness period.
@@ -543,14 +547,20 @@
Specifies the path to the template for the user login page.
- Default:``security/login_user.html``.
+ Default: ``"security/login_user.html"``.
.. py:data:: SECURITY_VERIFY_URL
Specifies the re-authenticate URL. If :py:data:`SECURITY_FRESHNESS`
evaluates to < 0; this
endpoint won't be registered.
- Default: ``"/verify"``
+ Default: ``"/verify"``.
+
+.. py:data:: SECURITY_VERIFY_TEMPLATE
+
+ Specifies the path to the template for the verify password page.
+
+ Default: ``"security/verify.html"``.
.. py:data:: SECURITY_POST_VERIFY_URL
@@ -657,7 +667,7 @@
Specifies if a user may login before confirming their email when
the value of ``SECURITY_CONFIRMABLE`` is set to ``True``.
- Default:``False``.
+ Default: ``False``.
Changeable
----------
@@ -1004,6 +1014,8 @@
.. py:data:: SECURITY_US_EMAIL_SUBJECT
+ Sets the email subject when sending the verification code via email.
+
Default: ``_("Verification Code")``
.. py:data:: SECURITY_US_SETUP_WITHIN
@@ -1109,6 +1121,7 @@
* ``SECURITY_LOGIN_URL``
* ``SECURITY_LOGOUT_URL``
+* :py:data:`SECURITY_VERIFY_URL`
* ``SECURITY_REGISTER_URL``
* ``SECURITY_RESET_URL``
* ``SECURITY_CHANGE_URL``
@@ -1144,6 +1157,7 @@
* ``SECURITY_FORGOT_PASSWORD_TEMPLATE``
* ``SECURITY_LOGIN_USER_TEMPLATE``
+* :py:data:`SECURITY_VERIFY_TEMPLATE`
* ``SECURITY_REGISTER_USER_TEMPLATE``
* ``SECURITY_RESET_PASSWORD_TEMPLATE``
* ``SECURITY_CHANGE_PASSWORD_TEMPLATE``
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Security-Too-3.4.2/flask_security/__init__.py
new/Flask-Security-Too-3.4.3/flask_security/__init__.py
--- old/Flask-Security-Too-3.4.2/flask_security/__init__.py 2020-05-03
03:41:32.000000000 +0200
+++ new/Flask-Security-Too-3.4.3/flask_security/__init__.py 2020-06-13
18:53:19.000000000 +0200
@@ -101,4 +101,4 @@
verify_and_update_password,
)
-__version__ = "3.4.2"
+__version__ = "3.4.3"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Security-Too-3.4.2/flask_security/twofactor.py
new/Flask-Security-Too-3.4.3/flask_security/twofactor.py
--- old/Flask-Security-Too-3.4.2/flask_security/twofactor.py 2020-05-03
03:41:32.000000000 +0200
+++ new/Flask-Security-Too-3.4.3/flask_security/twofactor.py 2020-06-13
18:53:19.000000000 +0200
@@ -170,7 +170,7 @@
msg = user.tf_send_security_token(
method=user.tf_primary_method,
totp_secret=user.tf_totp_secret,
- phone_number=user.tf_phone_number,
+ phone_number=getattr(user, "tf_phone_number", None),
)
if msg:
# send code didn't work
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/Flask-Security-Too-3.4.2/flask_security/unified_signin.py
new/Flask-Security-Too-3.4.3/flask_security/unified_signin.py
--- old/Flask-Security-Too-3.4.2/flask_security/unified_signin.py
2020-05-03 03:41:32.000000000 +0200
+++ new/Flask-Security-Too-3.4.3/flask_security/unified_signin.py
2020-06-13 18:53:19.000000000 +0200
@@ -344,7 +344,7 @@
msg = user.us_send_security_token(
method,
totp_secret=totp_secrets[method],
- phone_number=user.us_phone_number,
+ phone_number=getattr(user, "us_phone_number", None),
send_magic_link=True,
)
code_sent = True
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Security-Too-3.4.2/flask_security/views.py
new/Flask-Security-Too-3.4.3/flask_security/views.py
--- old/Flask-Security-Too-3.4.2/flask_security/views.py 2020-05-03
03:41:32.000000000 +0200
+++ new/Flask-Security-Too-3.4.3/flask_security/views.py 2020-06-13
18:53:19.000000000 +0200
@@ -734,7 +734,7 @@
msg = user.tf_send_security_token(
method=pm,
totp_secret=session["tf_totp_secret"],
- phone_number=user.tf_phone_number,
+ phone_number=getattr(user, "tf_phone_number", None),
)
if msg:
# send code didn't work
@@ -921,7 +921,7 @@
msg = form.user.tf_send_security_token(
method="email",
totp_secret=form.user.tf_totp_secret,
- phone_number=form.user.tf_phone_number,
+ phone_number=getattr(form.user, "tf_phone_number", None),
)
if msg:
rproblem = ""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Security-Too-3.4.2/setup.py
new/Flask-Security-Too-3.4.3/setup.py
--- old/Flask-Security-Too-3.4.2/setup.py 2020-05-03 03:41:32.000000000
+0200
+++ new/Flask-Security-Too-3.4.3/setup.py 2020-06-13 18:53:19.000000000
+0200
@@ -36,7 +36,7 @@
"pytest-black>=0.3.8",
"pytest-cache>=1.0",
"pytest-cov>=2.5.1",
- "pytest-flake8>=1.0.4",
+ "pytest-flake8>=1.0.6",
"pytest-mongo>=1.2.1",
"pytest>=3.5.1",
"sqlalchemy>=1.2.6",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Security-Too-3.4.2/tests/test_two_factor.py
new/Flask-Security-Too-3.4.3/tests/test_two_factor.py
--- old/Flask-Security-Too-3.4.2/tests/test_two_factor.py 2020-05-03
03:41:32.000000000 +0200
+++ new/Flask-Security-Too-3.4.3/tests/test_two_factor.py 2020-06-13
18:53:19.000000000 +0200
@@ -962,3 +962,78 @@
response = client.post("/tf-rescue", json=rescue_data, headers=headers)
assert response.status_code == 500
assert response.json["response"]["errors"]["help_setup"][0] == "Failed
Again"
+
+
+@pytest.mark.settings(two_factor_enabled_methods=["email"])
+def test_no_sms(app, get_message):
+ # Make sure that don't require tf_phone_number if SMS isn't an option.
+ from sqlalchemy import (
+ Boolean,
+ Column,
+ Integer,
+ String,
+ )
+ from sqlalchemy.orm import relationship, backref
+ from flask_sqlalchemy import SQLAlchemy
+ from flask_security.models import fsqla_v2 as fsqla
+ from flask_security import Security, UserMixin, hash_password
+
+ app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite:///:memory:"
+ db = SQLAlchemy(app)
+
+ fsqla.FsModels.set_db_info(db)
+
+ class Role(db.Model, fsqla.FsRoleMixin):
+ pass
+
+ class User(db.Model, UserMixin):
+ id = Column(Integer, primary_key=True)
+ email = Column(String(255), unique=True, nullable=False)
+ password = Column(String(255), nullable=False)
+ active = Column(Boolean(), nullable=False)
+
+ # Faster token checking
+ fs_uniquifier = Column(String(64), unique=True, nullable=False)
+
+ # 2FA
+ tf_primary_method = Column(String(64), nullable=True)
+ tf_totp_secret = Column(String(255), nullable=True)
+
+ roles = relationship(
+ "Role", secondary="roles_users", backref=backref("users",
lazy="dynamic")
+ )
+
+ with app.app_context():
+ db.create_all()
+
+ ds = SQLAlchemyUserDatastore(db, User, Role)
+ app.security = Security(app, datastore=ds)
+
+ with app.app_context():
+ client = app.test_client()
+
+ ds.create_user(
+ email="t...@lp.com", password=hash_password("password"),
+ )
+ ds.commit()
+
+ data = dict(email="t...@lp.com", password="password")
+ client.post("/login", data=data, follow_redirects=True)
+ client.post(
+ "/tf-confirm", data=dict(password="password"),
follow_redirects=True
+ )
+
+ testMail = TestMail()
+ app.extensions["mail"] = testMail
+ response = client.post(
+ "/tf-setup", data=dict(setup="email"), follow_redirects=True
+ )
+ msg = b"To complete logging in, please enter the code sent to your
mail"
+ assert msg in response.data
+
+ code = testMail.msg.body.split()[-1]
+ # sumbit right token and show appropriate response
+ response = client.post(
+ "/tf-validate", data=dict(code=code), follow_redirects=True
+ )
+ assert b"You successfully changed your two-factor method" in
response.data
