Hello community, here is the log from the commit of package python-Flask-Security-Too for openSUSE:Factory checked in at 2020-07-10 14:13:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-Flask-Security-Too (Old) and /work/SRC/openSUSE:Factory/.python-Flask-Security-Too.new.3060 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-Flask-Security-Too" Fri Jul 10 14:13:07 2020 rev:5 rq:819755 version:3.4.3 Changes: -------- --- /work/SRC/openSUSE:Factory/python-Flask-Security-Too/python-Flask-Security-Too.changes 2020-05-14 23:27:12.709297501 +0200 +++ /work/SRC/openSUSE:Factory/.python-Flask-Security-Too.new.3060/python-Flask-Security-Too.changes 2020-07-10 14:13:08.851581897 +0200 @@ -1,0 +2,6 @@ +Wed Jul 1 10:13:03 UTC 2020 - Marketa Calabkova <mcalabk...@suse.com> + +- Update to 3.4.3 + * Minor fixes for a regression and a couple other minor changes + +------------------------------------------------------------------- Old: ---- Flask-Security-Too-3.4.2.tar.gz New: ---- Flask-Security-Too-3.4.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-Flask-Security-Too.spec ++++++ --- /var/tmp/diff_new_pack.y2rwTi/_old 2020-07-10 14:13:09.515584078 +0200 +++ /var/tmp/diff_new_pack.y2rwTi/_new 2020-07-10 14:13:09.519584091 +0200 @@ -19,7 +19,7 @@ %define skip_python2 1 %{?!python_module:%define python_module() python-%{**} python3-%{**}} Name: python-Flask-Security-Too -Version: 3.4.2 +Version: 3.4.3 Release: 0 Summary: Security for Flask apps License: MIT ++++++ Flask-Security-Too-3.4.2.tar.gz -> Flask-Security-Too-3.4.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-Security-Too-3.4.2/CHANGES.rst new/Flask-Security-Too-3.4.3/CHANGES.rst --- old/Flask-Security-Too-3.4.2/CHANGES.rst 2020-05-03 03:41:32.000000000 +0200 +++ new/Flask-Security-Too-3.4.3/CHANGES.rst 2020-06-13 18:53:19.000000000 +0200 
@@ -14,10 +14,23 @@ .. _here: https://github.com/Flask-Middleware/flask-security/issues/85 +Version 3.4.3 +------------- + +Released June 12, 2020 + +Minor fixes for a regression and a couple other minor changes + +Fixed ++++++ + +- (:issue:`340`) Fix regression where tf_phone_number was required, even if SMS wasn't configured. +- (:pr:`xx`) Pick up some small documentation fixes from 4.0.0. + Version 3.4.2 ------------- -Released May x, 2020 +Released May 2, 2020 Only change is to move repo to the Flask-Middleware github organization. @@ -95,6 +108,8 @@ Other changes with possible backwards compatibility issues: - ``/tf-setup`` never did any phone number validation. Now it does. +- ``two_factor_setup.html`` template - the chosen_method check was changed to ``email``. + If you have your own custom template - be sure make that change. Version 3.3.3 ------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/PKG-INFO new/Flask-Security-Too-3.4.3/Flask_Security_Too.egg-info/PKG-INFO --- old/Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/PKG-INFO 2020-05-03 03:49:26.000000000 +0200 +++ new/Flask-Security-Too-3.4.3/Flask_Security_Too.egg-info/PKG-INFO 2020-06-13 19:01:06.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: Flask-Security-Too -Version: 3.4.2 +Version: 3.4.3 Summary: Simple security for Flask apps. Home-page: https://github.com/Flask-Middleware/flask-security Author: Matt Wright & Chris Wagner diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt new/Flask-Security-Too-3.4.3/Flask_Security_Too.egg-info/requires.txt --- old/Flask-Security-Too-3.4.2/Flask_Security_Too.egg-info/requires.txt 2020-05-03 03:49:26.000000000 +0200 +++ new/Flask-Security-Too-3.4.3/Flask_Security_Too.egg-info/requires.txt 2020-06-13 19:01:06.000000000 +0200 
@@ -35,7 +35,7 @@ pytest-black>=0.3.8 pytest-cache>=1.0 pytest-cov>=2.5.1 -pytest-flake8>=1.0.4 +pytest-flake8>=1.0.6 pytest-mongo>=1.2.1 pytest>=3.5.1 sqlalchemy>=1.2.6 @@ -68,7 +68,7 @@ pytest-black>=0.3.8 pytest-cache>=1.0 pytest-cov>=2.5.1 -pytest-flake8>=1.0.4 +pytest-flake8>=1.0.6 pytest-mongo>=1.2.1 pytest>=3.5.1 sqlalchemy>=1.2.6 @@ -105,7 +105,7 @@ pytest-black>=0.3.8 pytest-cache>=1.0 pytest-cov>=2.5.1 -pytest-flake8>=1.0.4 +pytest-flake8>=1.0.6 pytest-mongo>=1.2.1 pytest>=3.5.1 sqlalchemy>=1.2.6 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-Security-Too-3.4.2/PKG-INFO new/Flask-Security-Too-3.4.3/PKG-INFO --- old/Flask-Security-Too-3.4.2/PKG-INFO 2020-05-03 03:49:26.000000000 +0200 +++ new/Flask-Security-Too-3.4.3/PKG-INFO 2020-06-13 19:01:06.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: Flask-Security-Too -Version: 3.4.2 +Version: 3.4.3 Summary: Simple security for Flask apps. Home-page: https://github.com/Flask-Middleware/flask-security Author: Matt Wright & Chris Wagner diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-Security-Too-3.4.2/docs/conf.py new/Flask-Security-Too-3.4.3/docs/conf.py --- old/Flask-Security-Too-3.4.2/docs/conf.py 2020-05-03 03:41:32.000000000 +0200 +++ new/Flask-Security-Too-3.4.3/docs/conf.py 2020-06-13 18:53:19.000000000 +0200 @@ -58,7 +58,7 @@ # built documents. # # The short X.Y version. -version = "3.4.2" +version = "3.4.3" # The full version, including alpha/beta/rc tags. release = version diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-Security-Too-3.4.2/docs/configuration.rst new/Flask-Security-Too-3.4.3/docs/configuration.rst --- old/Flask-Security-Too-3.4.2/docs/configuration.rst 2020-05-03 03:41:32.000000000 +0200 +++ new/Flask-Security-Too-3.4.3/docs/configuration.rst 2020-06-13 18:53:19.000000000 +0200 
@@ -388,13 +388,16 @@ .. py:data:: SECURITY_FRESHNESS A timedelta used to protect endpoints that alter sensitive information. - This is used to protect the endpoint: :py:data:`SECURITY_US_SETUP_URL`. + This is used to protect the endpoint: :py:data:`SECURITY_US_SETUP_URL`, and + :py:data:`SECURITY_TWO_FACTOR_SETUP_URL`. Refer to :meth:`flask_security.auth_required` for details. Setting this to a negative number will disable any freshness checking and the endpoints :py:data:`SECURITY_VERIFY_URL`, :py:data:`SECURITY_US_VERIFY_URL` and :py:data:`SECURITY_US_VERIFY_SEND_CODE_URL` won't be registered. Setting this to 0 results in undefined behavior. + Please see :meth:`flask_security.check_and_update_authn_fresh` for details. + Default: timedelta(hours=24) .. versionadded:: 3.4.0 @@ -403,7 +406,8 @@ A timedelta that provides a grace period when altering sensitive information. - This is used to protect the endpoint: :py:data:`SECURITY_US_SETUP_URL`. + This is used to protect the endpoint: :py:data:`SECURITY_US_SETUP_URL`, and + :py:data:`SECURITY_TWO_FACTOR_SETUP_URL`. Refer to :meth:`flask_security.auth_required` for details. N.B. To avoid strange behavior, be sure to set the grace period less than the freshness period. @@ -543,14 +547,20 @@ Specifies the path to the template for the user login page. - Default:``security/login_user.html``. + Default: ``"security/login_user.html"``. .. py:data:: SECURITY_VERIFY_URL Specifies the re-authenticate URL. If :py:data:`SECURITY_FRESHNESS` evaluates to < 0; this endpoint won't be registered. - Default: ``"/verify"`` + Default: ``"/verify"``. + +.. py:data:: SECURITY_VERIFY_TEMPLATE + + Specifies the path to the template for the verify password page. + + Default: ``"security/verify.html"``. .. py:data:: SECURITY_POST_VERIFY_URL 
@@ -657,7 +667,7 @@ Specifies if a user may login before confirming their email when the value of ``SECURITY_CONFIRMABLE`` is set to ``True``. - Default:``False``. + Default: ``False``. Changeable ---------- @@ -1004,6 +1014,8 @@ .. py:data:: SECURITY_US_EMAIL_SUBJECT + Sets the email subject when sending the verification code via email. + Default: ``_("Verification Code")`` .. py:data:: SECURITY_US_SETUP_WITHIN @@ -1109,6 +1121,7 @@ * ``SECURITY_LOGIN_URL`` * ``SECURITY_LOGOUT_URL`` +* :py:data:`SECURITY_VERIFY_URL` * ``SECURITY_REGISTER_URL`` * ``SECURITY_RESET_URL`` * ``SECURITY_CHANGE_URL`` @@ -1144,6 +1157,7 @@ * ``SECURITY_FORGOT_PASSWORD_TEMPLATE`` * ``SECURITY_LOGIN_USER_TEMPLATE`` +* :py:data:`SECURITY_VERIFY_TEMPLATE` * ``SECURITY_REGISTER_USER_TEMPLATE`` * ``SECURITY_RESET_PASSWORD_TEMPLATE`` * ``SECURITY_CHANGE_PASSWORD_TEMPLATE`` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-Security-Too-3.4.2/flask_security/__init__.py new/Flask-Security-Too-3.4.3/flask_security/__init__.py --- old/Flask-Security-Too-3.4.2/flask_security/__init__.py 2020-05-03 03:41:32.000000000 +0200 +++ new/Flask-Security-Too-3.4.3/flask_security/__init__.py 2020-06-13 18:53:19.000000000 +0200 @@ -101,4 +101,4 @@ verify_and_update_password, ) -__version__ = "3.4.2" +__version__ = "3.4.3" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-Security-Too-3.4.2/flask_security/twofactor.py new/Flask-Security-Too-3.4.3/flask_security/twofactor.py --- old/Flask-Security-Too-3.4.2/flask_security/twofactor.py 2020-05-03 03:41:32.000000000 +0200 +++ new/Flask-Security-Too-3.4.3/flask_security/twofactor.py 2020-06-13 18:53:19.000000000 +0200 
@@ -170,7 +170,7 @@ msg = user.tf_send_security_token( method=user.tf_primary_method, totp_secret=user.tf_totp_secret, - phone_number=user.tf_phone_number, + phone_number=getattr(user, "tf_phone_number", None), ) if msg: # send code didn't work diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-Security-Too-3.4.2/flask_security/unified_signin.py new/Flask-Security-Too-3.4.3/flask_security/unified_signin.py --- old/Flask-Security-Too-3.4.2/flask_security/unified_signin.py 2020-05-03 03:41:32.000000000 +0200 +++ new/Flask-Security-Too-3.4.3/flask_security/unified_signin.py 2020-06-13 18:53:19.000000000 +0200 @@ -344,7 +344,7 @@ msg = user.us_send_security_token( method, totp_secret=totp_secrets[method], - phone_number=user.us_phone_number, + phone_number=getattr(user, "us_phone_number", None), send_magic_link=True, ) code_sent = True diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-Security-Too-3.4.2/flask_security/views.py new/Flask-Security-Too-3.4.3/flask_security/views.py --- old/Flask-Security-Too-3.4.2/flask_security/views.py 2020-05-03 03:41:32.000000000 +0200 +++ new/Flask-Security-Too-3.4.3/flask_security/views.py 2020-06-13 18:53:19.000000000 +0200 @@ -734,7 +734,7 @@ msg = user.tf_send_security_token( method=pm, totp_secret=session["tf_totp_secret"], - phone_number=user.tf_phone_number, + phone_number=getattr(user, "tf_phone_number", None), ) if msg: # send code didn't work 
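Review bot: The new `getattr(user, "tf_phone_number", None)` fallback in twofactor.py @@ -170 forwards `None` whatever `user.tf_primary_method` is, so a user model without the column but with SMS as its primary method would no longer fail at the attribute access. What `tf_send_security_token` does with `phone_number=None` for SMS is decided outside this hunk. The visible `if msg:` branch suggests a send failure is reported, but that is worth confirming. The same fallback is repeated in unified_signin.py @@ -344 (`us_phone_number`) and in views.py @@ -734 and @@ -921, and none of the four call sites says why the attribute is optional. I would add a comment at each, for example `# phone column is optional on the user model; only required when SMS is an enabled method`, or move the lookup into one small helper so the rule lives in a single place. All four enclosing functions start and end outside their hunks.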
@@ -921,7 +921,7 @@ msg = form.user.tf_send_security_token( method="email", totp_secret=form.user.tf_totp_secret, - phone_number=form.user.tf_phone_number, + phone_number=getattr(form.user, "tf_phone_number", None), ) if msg: rproblem = "" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-Security-Too-3.4.2/setup.py new/Flask-Security-Too-3.4.3/setup.py --- old/Flask-Security-Too-3.4.2/setup.py 2020-05-03 03:41:32.000000000 +0200 +++ new/Flask-Security-Too-3.4.3/setup.py 2020-06-13 18:53:19.000000000 +0200 @@ -36,7 +36,7 @@ "pytest-black>=0.3.8", "pytest-cache>=1.0", "pytest-cov>=2.5.1", - "pytest-flake8>=1.0.4", + "pytest-flake8>=1.0.6", "pytest-mongo>=1.2.1", "pytest>=3.5.1", "sqlalchemy>=1.2.6", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-Security-Too-3.4.2/tests/test_two_factor.py new/Flask-Security-Too-3.4.3/tests/test_two_factor.py --- old/Flask-Security-Too-3.4.2/tests/test_two_factor.py 2020-05-03 03:41:32.000000000 +0200 +++ new/Flask-Security-Too-3.4.3/tests/test_two_factor.py 2020-06-13 18:53:19.000000000 +0200 
@@ -962,3 +962,78 @@ response = client.post("/tf-rescue", json=rescue_data, headers=headers) assert response.status_code == 500 assert response.json["response"]["errors"]["help_setup"][0] == "Failed Again" + + +@pytest.mark.settings(two_factor_enabled_methods=["email"]) +def test_no_sms(app, get_message): + # Make sure that don't require tf_phone_number if SMS isn't an option. + from sqlalchemy import ( + Boolean, + Column, + Integer, + String, + ) + from sqlalchemy.orm import relationship, backref + from flask_sqlalchemy import SQLAlchemy + from flask_security.models import fsqla_v2 as fsqla + from flask_security import Security, UserMixin, hash_password + + app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite:///:memory:" + db = SQLAlchemy(app) + + fsqla.FsModels.set_db_info(db) + + class Role(db.Model, fsqla.FsRoleMixin): + pass + + class User(db.Model, UserMixin): + id = Column(Integer, primary_key=True) + email = Column(String(255), unique=True, nullable=False) + password = Column(String(255), nullable=False) + active = Column(Boolean(), nullable=False) + + # Faster token checking + fs_uniquifier = Column(String(64), unique=True, nullable=False) + + # 2FA + tf_primary_method = Column(String(64), nullable=True) + tf_totp_secret = Column(String(255), nullable=True) + + roles = relationship( + "Role", secondary="roles_users", backref=backref("users", lazy="dynamic") + ) + + with app.app_context(): + db.create_all() + + ds = SQLAlchemyUserDatastore(db, User, Role) + app.security = Security(app, datastore=ds) + + with app.app_context(): + client = app.test_client() + + ds.create_user( + email="t...@lp.com", password=hash_password("password"), + ) + ds.commit() + + data = dict(email="t...@lp.com", password="password") + client.post("/login", data=data, follow_redirects=True) + client.post( + "/tf-confirm", data=dict(password="password"), follow_redirects=True + ) + + testMail = TestMail() + app.extensions["mail"] = testMail + response = client.post( + "/tf-setup", 
data=dict(setup="email"), follow_redirects=True + ) + msg = b"To complete logging in, please enter the code sent to your mail" + assert msg in response.data + + code = testMail.msg.body.split()[-1] + # sumbit right token and show appropriate response + response = client.post( + "/tf-validate", data=dict(code=code), follow_redirects=True + ) + assert b"You successfully changed your two-factor method" in response.data
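Review bot: In `test_no_sms` the `/login` and `/tf-confirm` POSTs discard their responses, so a failed precondition would only surface later as a confusing mismatch on the `/tf-setup` message. I would capture each response and check it, e.g. `response = client.post("/login", data=data, follow_redirects=True)` followed by `assert response.status_code == 200`. As far as this hunk shows, the test reaches only the `/tf-setup` and `/tf-validate` path. The `getattr` fallbacks added in twofactor.py, unified_signin.py and the views.py @@ -921 rescue path therefore appear to have no regression test on a model without the phone column. The comment `# sumbit right token and show appropriate response` has a typo ("submit"). `SQLAlchemyUserDatastore` and `TestMail` are used but not imported here, so they presumably come from module-level imports outside the hunk.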