Flask-security

Latest version: v3.0.0


3.1.0

-------------

Released TBD

Added:

- (784) i18n: added Japanese translation (kantorii)
- (776) i18n: add Portuguese (Portugal) translation (micael-grilo)
- (796) i18n: added Simplified Chinese translation (Steinkuo)
- (779) Let User model specify password verification and update methods (mklassen)
- (748) i18n: make the translations dirname and domain configurable (escudero)
- (743) tests: improved translations checks (jirikuncar)
- (730) Customizable send_mail (abulte)
- (727) Docs for OAuth2-based custom login manager (Jaza)
- (717) Allow custom login_manager to be passed in to Flask-Security (Jaza)
- (703) Support application factory pattern, simplified keyword arguments (briancappello)
- (714) Make SECURITY_PASSWORD_SINGLE_HASH a list of schemes that skip double hashing (noirbizarre)
- (697) Add base template to security templates (grihabor)
- (691) Documentation/Quickstart: Fix SQLAlchemy app example for missing render method and adding salt (KshitijKarthick)
- (713) i18n: add Brazilian Portuguese translation (dinorox)
- (487) Use Security.render_template in mails too (noirbizarre)
- (679) Optimize DB accesses by using an SQL JOIN when retrieving a user. Make `roles` in user model query optimization "optional". (nfvs)

Fixed:

- (767) docs: fixed proxy import (biomap)
- (750) docs: add missing imports (allanice001)
- (747) Removed redundant `next` parameter from login_user.html (rickwest)
- (439) HTTP Auth now respects SECURITY_USER_IDENTITY_ATTRIBUTES (pnpnpn)
- (700) Anchor links in website are not working (alemangui)
- (722) password recovery confirmation on deleted user (kesara)
- (678) AttributeError: 'NoneType' object has no attribute 'password' (alemangui, kesara)
- (662) bug: User is logged in automatically on email confirmation. (kesara)
- (692) utils: fix incorrect email sender type (switowski)
- (685) Error with email sender (williamcheng-web)
- (675) Fix AttributeError in _request_loader (sbagan)
- (696) Fixed broken Click link (williamhatcher)
- (710) i18n: Spanish translation (maukoquiroga)
- (712) Improve German translation (eseifert)
- (357) bug: Avoid timing attack (reported by cancan101, fixed by cript0nauta in 676)
- (693) Make sure the sender address passed to send_mail() is a string (695 by ochronus)
- (506) bug: WindowsError when running tests under Windows (reambus in 683)
- (681) bug: Error when request is JSON but a list rather than an object (682 by Morabaraba)
- (670) bug: _get_unauthorized_view() results in a redirect loop if the referrer is the page we just came from (nfvs in 671)
- (669) Fix for Read the Docs. Builds and release dates. (jirikuncar)
- (660) `csrf_enabled` deprecation in flask-wtf fix. (abulte)

Removed:

- (664) Remove automatic login on email confirmation. (kesara)

3.0.0
-------------

Not secure

Released May 29th 2017

- Fixed a bug where a user clicking a confirmation link after the account was already
confirmed, or after the link had expired, caused the confirmation email to be re-sent. (see 556)
- Added support for I18N.
- Added options `SECURITY_EMAIL_PLAINTEXT` and `SECURITY_EMAIL_HTML`
for sending the plaintext and HTML versions of an email, respectively.
- Fixed validation when missing login information.
- Fixed condition for token extraction from JSON body.
- Better support for universal bdist wheel.
- Added a port of the CLI built on Click, configurable using the options
`SECURITY_CLI_USERS_NAME` and `SECURITY_CLI_ROLES_NAME`.
- Added new configuration option `SECURITY_DATETIME_FACTORY`, which can
be used to force a default timezone for newly created datetimes.
(see mattupstate/flask-security #466)
- Better IP tracking if using Flask 0.12.
- Renamed deprecated Flask-WFT base form class.
- Added tests for custom forms configured using app config.
- Added validation and tests for next argument in logout endpoint. (see 499)
- Bumped minimal required versions of several packages.
- Extended test matrix on Travis CI for minimal and released package versions.
- Added .editorconfig and enforced code-style checks in tests.
- Fixed a security bug when validating a confirmation token: validation now also checks
that the email the token was created with matches the user's current email.
- Replaced token loader with request loader.
- Changed trackable behavior of `login_user` when the IP cannot be detected from a request: the stored value is now `None` instead of the string 'untrackable'.
- Use ProxyFix instead of inspecting X-Forwarded-For header.
- Fix identical problem with app as with datastore.
- Removed always-failing assertion.
- Fixed failure of init_app to set self.datastore.
- Changed to new style flask imports.
- Added proper error code when returning JSON response.
- Changed the obsolete Required validator from WTForms to DataRequired. Bumped Flask-WTF to 0.13.
- Fixed missing `SECURITY_SUBDOMAIN` in config docs.
- Added cascade delete in PeeweeDatastore.
- Added notes to docs about `SECURITY_USER_IDENTITY_ATTRIBUTES`.
- Inspect value of `SECURITY_UNAUTHORIZED_VIEW`.
- Send password reset instructions if an attempt has expired.
- Added "Forgot password?" link to LoginForm description.
- Upgraded passlib, and removed bcrypt version restriction.
- Removed a duplicate line ('retype_password': 'Retype Password') in forms.py.
- Various documentation improvement.

1.7.5
-------------

Not secure

Released December 2nd 2015

- Added `SECURITY_TOKEN_MAX_AGE` configuration setting
- Fixed calls to `SQLAlchemyUserDatastore.get_user(None)` (this now returns `False` instead of raising a `TypeError`)
- Fixed URL generation adding extra slashes in some cases (see GitHub #343)
- Fixed handling of trackable IP addresses when the `X-Forwarded-For` header contains multiple values
- Include WWW-Authenticate headers in `auth_required` authentication checks
- Fixed error when `check_token` function is used with a json list
- Added support for custom `AnonymousUser` classes
- Restricted `forgot_password` endpoint to anonymous users
- Allowed unauthorized callback to be overridden
- Fixed issue where passwords cannot be reset if currently set to `None`
- Ensured that password reset tokens are invalidated after use
- Updated `is_authenticated` and `is_active` functions to support Flask-Login changes
- Various documentation improvements

1.7.4
-------------

Not secure

Released October 13th 2014

- Fixed a bug related to changing existing passwords from plaintext to hashed
- Fixed a bug in form validation that did not enforce case insensitivity
- Fixed a bug with validating redirects

1.7.3
-------------

Not secure

Released June 10th 2014

- Fixed a bug where redirection to `SECURITY_POST_LOGIN_VIEW` was not respected
- Fixed string encoding in various places to be friendly to unicode
- Now using `werkzeug.security.safe_str_cmp` to check tokens
- Removed user information from JSON output on `/reset` responses
- Added Python 3.4 support
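Several entries in this changelog describe the same token-handling hardening from the defender's side: 3.0.0 binds a confirmation token to the email it was issued for, 1.7.5 adds `SECURITY_TOKEN_MAX_AGE` and makes password reset tokens single-use, and 1.7.3 switches token checks to `werkzeug.security.safe_str_cmp`. The Python below is an added example, not Flask-Security's code (the project builds its tokens on itsdangerous; this uses only the standard library). The function names, the shape of the `user` dict, `SECRET_KEY` and `TOKEN_MAX_AGE` are constructed for the example. It shows a signed, timestamped token whose validation verifies the signature in constant time before parsing anything, enforces the max age, rejects a token minted for an address the account no longer has, and, for reset tokens, refuses a token once the password hash it was issued against has changed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values standing in for the app's SECRET_KEY and
# SECURITY_TOKEN_MAX_AGE (names assumed for this example).
SECRET_KEY = b"constructed-example-key-do-not-reuse"
TOKEN_MAX_AGE = 3600  # seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()


def _password_fingerprint(password_hash: str) -> str:
    # Digest of the stored password hash; it changes as soon as the password
    # does, which is what makes a reset token single-use.
    return hashlib.sha256(password_hash.encode()).hexdigest()[:16]


def generate_token(user: dict, purpose: str, now: Optional[float] = None) -> str:
    """Mint a token bound to the user's id, current email and purpose.

    `user` is a dict with "id", "email" and "password" (the stored hash);
    `purpose` is "confirm" or "reset".
    """
    payload = {
        "uid": user["id"],
        "email": user["email"],
        "purpose": purpose,
        "iat": int(now if now is not None else time.time()),
    }
    if purpose == "reset":
        payload["pwfp"] = _password_fingerprint(user["password"])
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def validate_token(token: str, user: dict, purpose: str,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for `token` checked against the account `user`
    as it is stored right now."""
    body, sep, sig = token.partition(".")
    if not sep:
        return False, "malformed"
    # Constant-time comparison (the role safe_str_cmp / hmac.compare_digest
    # play): a plain == returns as soon as a byte differs, leaking how much
    # of a guessed signature was right. Verify before parsing anything.
    if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
        return False, "bad signature"
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if payload.get("purpose") != purpose:
        return False, "wrong purpose"
    current = now if now is not None else time.time()
    if current - payload.get("iat", 0) > TOKEN_MAX_AGE:
        return False, "expired"
    if payload.get("uid") != user["id"]:
        return False, "user mismatch"
    # The 3.0.0 fix: the token must carry the address the account has now.
    # A confirmation link sent to an address the user has since replaced
    # must not confirm the new one.
    if payload.get("email") != user["email"]:
        return False, "email mismatch"
    # Reset tokens: once the password changed, the fingerprint no longer
    # matches, so the same link cannot reset the password a second time.
    if purpose == "reset" and payload.get("pwfp") != _password_fingerprint(user["password"]):
        return False, "already used"
    return True, "ok"
```

The order of the checks matters: the signature is verified first, so nothing under attacker control is decoded until it is known to be authentic, and every later check compares the token against the account's current state rather than the state at issue time, which is exactly what the 3.0.0 email check and the 1.7.5 one-time reset tokens add.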

1.7.2
-------------

Not secure

Released May 6th 2014

- Updated IP tracking to check for `X-Forwarded-For` header
- Fixed a bug regarding the re-hashing of passwords with a new algorithm
- Fixed a bug regarding the `password_changed` signal.
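The IP-tracking entries (1.7.2 reads `X-Forwarded-For`, 1.7.5 handles a header with multiple values, 3.0.0 replaces header inspection with werkzeug's `ProxyFix`) all concern one failure mode: the header is client-supplied, so a parser that trusts it records whatever address the request author wrote into the trackable last-login IP fields, and the audit trail becomes meaningless. The Python below is an added example, not Flask-Security's or werkzeug's code; `naive_client_ip` and `proxied_client_ip` are names chosen here. The second function reproduces the hop-counting rule `ProxyFix(x_for=N)` applies (the client is the Nth entry from the right, because each trusted proxy appends exactly one entry), shown next to the leftmost-entry parse so the difference is visible on the same input.

```python
from typing import Optional


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Trust the header outright and take the leftmost entry.

    The leftmost value is whatever the original sender put there, so an
    unauthenticated client can make the stored login IP say anything.
    """
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def proxied_client_ip(remote_addr: str, xff: Optional[str],
                      trusted_proxies: int) -> str:
    """Emulate ProxyFix(x_for=trusted_proxies).

    remote_addr is the proxy that connected to us; it appended the rightmost
    X-Forwarded-For entry. Walking left, each further trusted proxy accounts
    for one more entry, so the client address is the trusted_proxies-th
    entry from the right. Anything further left was supplied by untrusted
    parties and is ignored. With trusted_proxies == 0 the header is ignored
    entirely, which is the right setting when there is no proxy at all.
    """
    if trusted_proxies <= 0 or not xff:
        return remote_addr
    chain = [entry.strip() for entry in xff.split(",") if entry.strip()]
    if len(chain) < trusted_proxies:
        # Fewer hops than configured: the request did not come through the
        # expected proxies, so fall back to the socket address.
        return remote_addr
    return chain[-trusted_proxies]
```

The hop count is deployment configuration, not something the application can infer from the request: set it to the number of proxies you operate in front of the app, and keep it at zero when there are none, otherwise the trackable fields record a value the client chose.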


© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.