inveniosoftware / flask-security-fork

This project forked from pallets-eco/flask-security

25.0 59.0 23.0 1.38 MB

Fork of Flask-Security: quick and simple security for Flask applications.

Home Page: https://flask-security-fork.readthedocs.io

License: MIT License

Python 95.00% HTML 4.70% Shell 0.31%

flask-security-fork's Introduction

Flask-Security-Invenio

WARNING: This is a private fork of Flask-Security used for Invenio. Please use Flask-Security-Too instead.

flask-security-fork's People

Contributors

abendebury, abulte, almavizca, apahomov, chrishaines, covertgeek, dokterbob, eskil, ingokl, ioparaskev, jacquerie, jamesonjlee, jaza, jinblack, jirikuncar, jonafato, joshpurvis, jwag956, jxltom, kleschenko, kpsherva, lnielsen, mattupstate, nfvs, nickretallack, rochacbruno, tescalada, utnapischtim, yashlamba, zzacharo


flask-security-fork's Issues

Closing fork

Shall we create an empty setup.py with only dependency on Flask-Security==3.0.0 and warning message?

Allow optional `extra_validators` parameter in `validate` methods of `forms.py`

This package requires Flask-WTF>=1.0.0, but it breaks with the latest Flask-WTF 1.1.0 released yesterday, where an error message TypeError: validate() takes 1 positional argument but 2 were given is obtained from this line:

if form.validate_on_submit():

The failure is due to a change introduced in wtforms/flask-wtf#479. To fix the problem, an optional argument extra_validators=None should be added to each of the validate methods in forms.py. Alternatively, add **kwargs to the validate methods as done in Flask-Middleware/flask-security#566. Until a new fixed release is made of this package, it will be necessary to pin Flask-WTF<1.1.0.
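The signature problem described above, shown as an added illustration that is not code from flask-security-fork or Flask-WTF: a stand-in BaseForm (an assumption standing in for wtforms.Form / flask_wtf.FlaskForm) whose validate_on_submit() forwards extra_validators the way Flask-WTF 1.1.0 does, next to an override of validate() written in the old one-argument style and one that keeps the parent's signature. The fixed form works whether or not the caller passes the new argument; the broken one raises the exact TypeError quoted in the issue.

```python
"""Override-signature compatibility for Form.validate() (added example)."""


class BaseForm:
    """Minimal stand-in for wtforms.Form / flask_wtf.FlaskForm (assumption)."""

    def __init__(self, data, submitted=True):
        self.data = data
        self.submitted = submitted
        self.errors = {}

    def validate(self, extra_validators=None):
        # Base validation: every field must be non-empty, plus any extra
        # per-field validators the caller supplied ({field: [callable, ...]}).
        self.errors = {}
        for name, value in self.data.items():
            if not value:
                self.errors[name] = "required"
        for name, checks in (extra_validators or {}).items():
            for check in checks:
                message = check(self.data.get(name))
                if message:
                    self.errors.setdefault(name, message)
        return not self.errors

    def validate_on_submit(self, extra_validators=None):
        # Flask-WTF >= 1.1.0 forwards the argument to validate(); an override
        # that does not accept it raises TypeError right here.
        return self.submitted and self.validate(extra_validators)


class BrokenLoginForm(BaseForm):
    """Override in the pre-1.1.0 style: no room for extra_validators."""

    def validate(self):
        if not super().validate():
            return False
        if "@" not in self.data.get("email", ""):
            self.errors["email"] = "invalid email"
            return False
        return True


class FixedLoginForm(BaseForm):
    """Override that keeps the parent's signature and forwards the argument."""

    def validate(self, extra_validators=None):
        if not super().validate(extra_validators):
            return False
        if "@" not in self.data.get("email", ""):
            self.errors["email"] = "invalid email"
            return False
        return True


def try_validate(form_cls, data, extra_validators=None):
    """Return (ok, errors), or ("TypeError", message) if the override's
    signature is incompatible with the caller."""
    form = form_cls(data)
    try:
        ok = form.validate_on_submit(extra_validators)
    except TypeError as exc:
        return ("TypeError", str(exc))
    return (ok, dict(form.errors))
```

The same rule applies to the **kwargs variant mentioned in the issue: whichever form it takes, a subclass that overrides validate() must accept at least what the base class's callers pass.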

i18n bug UndefinedError: '_' is undefined

Login template throwing an exception due to the i18n markup introduced in #33

Environment:
Mac OS 10.11.6
Python 2.7
Flask==0.12.2
Flask-BabelEx==0.9.3
Flask-Login==0.4.0
Flask-Mail==0.9.1
Flask-Principal==0.4.0
-e git+https://github.com/inveniosoftware/flask-security-fork.git@cb2b3bb080dde4ec7f207522ca7d901e095e5b84#egg=Flask_Security_Fork
Flask-WTF==0.14.2
itsdangerous==0.24
Jinja2==2.9.6

Traceback (most recent call last)
File "/Users/paulmorris/Documents/dev/Virtualenvs/mwi-tool/lib/python2.7/site-packages/flask/app.py", line 1997, in __call__
return self.wsgi_app(environ, start_response)
File "/Users/paulmorris/Documents/dev/Virtualenvs/mwi-tool/lib/python2.7/site-packages/flask/app.py", line 1985, in wsgi_app
response = self.handle_exception(e)
File "/Users/paulmorris/Documents/dev/Virtualenvs/mwi-tool/lib/python2.7/site-packages/flask/app.py", line 1540, in handle_exception
reraise(exc_type, exc_value, tb)
File "/Users/paulmorris/Documents/dev/Virtualenvs/mwi-tool/lib/python2.7/site-packages/flask/app.py", line 1982, in wsgi_app
response = self.full_dispatch_request()
File "/Users/paulmorris/Documents/dev/Virtualenvs/mwi-tool/lib/python2.7/site-packages/flask/app.py", line 1614, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/Users/paulmorris/Documents/dev/Virtualenvs/mwi-tool/lib/python2.7/site-packages/flask/app.py", line 1517, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/Users/paulmorris/Documents/dev/Virtualenvs/mwi-tool/lib/python2.7/site-packages/flask/app.py", line 1612, in full_dispatch_request
rv = self.dispatch_request()
File "/Users/paulmorris/Documents/dev/Virtualenvs/mwi-tool/lib/python2.7/site-packages/flask/app.py", line 1598, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/Users/paulmorris/Documents/dev/Virtualenvs/mwi-tool/src/flask-security/flask_security/decorators.py", line 230, in wrapper
return f(*args, **kwargs)
File "/Users/paulmorris/Documents/dev/Virtualenvs/mwi-tool/src/flask-security/flask_security/views.py", line 88, in login
**_ctx('login'))
File "/Users/paulmorris/Documents/dev/Virtualenvs/mwi-tool/src/flask-security/flask_security/core.py", line 517, in render_template
return render_template(*args, **kwargs)
File "/Users/paulmorris/Documents/dev/Virtualenvs/mwi-tool/lib/python2.7/site-packages/flask/templating.py", line 134, in render_template
context, ctx.app)
File "/Users/paulmorris/Documents/dev/Virtualenvs/mwi-tool/lib/python2.7/site-packages/flask/templating.py", line 116, in _render
rv = template.render(context)
File "/Users/paulmorris/Documents/dev/Virtualenvs/mwi-tool/lib/python2.7/site-packages/jinja2/environment.py", line 1008, in render
return self.environment.handle_exception(exc_info, True)
File "/Users/paulmorris/Documents/dev/Virtualenvs/mwi-tool/lib/python2.7/site-packages/jinja2/environment.py", line 780, in handle_exception
reraise(exc_type, exc_value, tb)
File "/Users/paulmorris/Documents/dev/Virtualenvs/mwi-tool/src/flask-security/flask_security/templates/security/login_user.html", line 3, in top-level template code

{{ _('Login') }}

UndefinedError: '_' is undefined

flask_sqlalchemy_session support?

Hello,

flask_sqlalchemy_session is an alternative flask sqlalchemy module that doesn't have a tight coupling between sqlalchemy and flask. Which is nice if your code isn't using flask all the time (say you have some command line apps too).

Anyway... what do you think about adding support in for it? Below is what I'm using so far. Seems to work for me :) If you'll accept something like this, I can work up a pull request.

cheers!


from flask_security.datastore import SQLAlchemyDatastore, UserDatastore
from flask_security.utils import get_identity_attributes


class PretendFlaskSQLAlchemyDb(object):
    """ This is a pretend db object, so we can just pass in a session.

    SQLAlchemyDatastore only ever touches ``db.session``, so an object
    exposing that single attribute is enough.
    """
    def __init__(self, session):
        self.session = session


class SQLAlchemyUserDatastore(SQLAlchemyDatastore, UserDatastore):
    """A SQLAlchemy datastore implementation for Flask-Security that assumes the
    use of the Flask-SQLAlchemy extension.
    """
    def __init__(self, db, user_model, role_model):
        SQLAlchemyDatastore.__init__(self, db)
        UserDatastore.__init__(self, user_model, role_model)

    def get_user(self, identifier):
        # Numeric identifiers are treated as primary keys; anything else is
        # matched case-insensitively against the configured identity attributes.
        if self._is_numeric(identifier):
            return self.db.session.query(self.user_model).get(identifier)
        for attr in get_identity_attributes():
            query = getattr(self.user_model, attr).ilike(identifier)
            rv = self.db.session.query(self.user_model).filter(query).first()
            if rv is not None:
                return rv

    def _is_numeric(self, value):
        try:
            int(value)
        except (TypeError, ValueError):
            return False
        return True

    def find_user(self, **kwargs):
        return self.db.session.query(self.user_model).filter_by(**kwargs).first()

    def find_role(self, role):
        # Roles live in role_model, not user_model.
        return self.db.session.query(self.role_model).filter_by(name=role).first()


class SQLAlchemySessionUserDatastore(SQLAlchemyUserDatastore):
    """A SQLAlchemy datastore implementation for Flask-Security that assumes the
       use of the flask_sqlalchemy_session extension.
    """
    def __init__(self, session, user_model, role_model):
        # Wrap the bare session so the parent class can keep using db.session.
        SQLAlchemyUserDatastore.__init__(self,
                                         PretendFlaskSQLAlchemyDb(session),
                                         user_model,
                                         role_model)

SECURITY_CONFIRMABLE config mixup between confirm password and confirm email

I think there is some weird behaviour when using SECURITY_CONFIRMABLE.

The documentation states the following, so this is a flag to enable confirmation of an email address.

SECURITY_CONFIRMABLE
Specifies if users are required to confirm their email address when registering a new account. If this value is True, Flask-Security creates an endpoint to handle confirmations and requests to resend confirmation instructions. The URL for this endpoint is specified by the SECURITY_CONFIRM_URL configuration option. Defaults to False.

But when set to True it also removes the retype password field, so I think this is mixing up email confirmation and "password confirmation".

register_user.html

{% if register_user_form.password_confirm %}
  {{ render_field_with_errors(register_user_form.password_confirm) }}
{% endif %}

I think it has to do with the following two forms:
forms.py

class ConfirmRegisterForm(Form, RegisterFormMixin,
                          UniqueEmailFormMixin, NewPasswordFormMixin):
    pass


class RegisterForm(ConfirmRegisterForm, PasswordConfirmFormMixin,
                   NextFormMixin):
    def __init__(self, *args, **kwargs):
        super(RegisterForm, self).__init__(*args, **kwargs)
        if not self.next.data:
            self.next.data = request.args.get('next', '')

views.py

def register():
    """View function which handles a registration request."""

    if _security.confirmable or request.json:
        form_class = _security.confirm_register_form
    else:
        form_class = _security.register_form

datastore: decouple email and id based get_user

Describe the bug

A login bug was reported which can be reproduced by doing the following:

  1. Go to the login page
  2. Enter any arbitrary large integer in the email field.
  3. Enter any value in the password field and login

-> This results in an Internal Server Error (500)

Expected behavior

Ideally, we shouldn't allow anything but emails from the login field. But for other use cases as well, decoupling the method based on usage (get_user_by_email, get_user_by_id) should be a good idea.
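One way to do the decoupling the issue asks for, as an added example that is not flask-security-fork's own code: a toy in-memory datastore (an assumption standing in for the SQLAlchemy one) with separate get_user_by_id() and get_user_by_email() methods, each validating its own input, plus a login-side lookup that only ever treats the field as an email. The integer bound is an assumption about a 32-bit primary-key column; the point is that an oversized value is answered with "no such user" instead of reaching the database and surfacing as a 500.

```python
"""Decoupled, input-validated user lookup (added example)."""
import re

# Assumed bound for an INTEGER primary-key column; values beyond it would
# make a SQL backend fail on the query rather than return "not found".
MAX_INT32 = 2**31 - 1
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class User:
    def __init__(self, id, email):
        self.id = id
        self.email = email


class MemoryUserDatastore:
    """Stand-in datastore; a real one would issue ORM queries here."""

    def __init__(self, users):
        self._by_id = {u.id: u for u in users}
        self._by_email = {u.email.lower(): u for u in users}

    def get_user_by_id(self, user_id):
        """Primary-key lookup; rejects anything that is not a sane integer."""
        if isinstance(user_id, bool) or not isinstance(user_id, int):
            return None
        if not 0 < user_id <= MAX_INT32:
            return None
        return self._by_id.get(user_id)

    def get_user_by_email(self, email):
        """Case-insensitive email lookup, only for syntactically valid addresses."""
        if not isinstance(email, str) or not EMAIL_RE.match(email):
            return None
        return self._by_email.get(email.lower())

    def get_user(self, identifier):
        """Legacy conflated entry point, now routed through the bounded methods."""
        if isinstance(identifier, int):
            return self.get_user_by_id(identifier)
        if isinstance(identifier, str) and identifier.isdigit():
            return self.get_user_by_id(int(identifier))
        return self.get_user_by_email(identifier)


def lookup_for_login(datastore, login_field):
    """Login handler: the field is an email, never a primary key.

    A digit string such as '99999999999999999999' is simply not a user,
    instead of being coerced to an id and sent to the database.
    """
    return datastore.get_user_by_email(login_field)
```

The login view should answer None from lookup_for_login() with the same "invalid credentials" response it gives for a wrong password, so the validation does not leak which addresses exist.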

PyPI release schedule

There have been quite a number of changes since the last published version. I was wondering if you're planning to push 2.0.2 soon? (really need some changes on PyPI)

Broken Github-Actions

Package version (if known): Current master (2023-10-04)

Describe the bug

After making a minor change to the setup.cfg file, the GitHub Actions workflow does not run through. I think the error is not related to the changes that were made (see #57).

Tests (3.8, pypi)
failed Oct 4, 2023 in 48s

Run ./run-tests.sh
lists of files in version control and sdist match

Configuration error:
There is a programmable error in your configuration file:

Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.8.18/x64/lib/python3.8/site-packages/sphinx/config.py", line 332, in eval_config_file
    exec(code, namespace)
  File "/home/runner/work/flask-security-fork/flask-security-fork/docs/conf.py", line 18, in <module>
    from flask_security import __version__
  File "/home/runner/work/flask-security-fork/flask-security-fork/flask_security/__init__.py", line 29, in <module>
    from flask_login import login_required
  File "/opt/hostedtoolcache/Python/3.8.18/x64/lib/python3.8/site-packages/flask_login/__init__.py", line 12, in <module>
    from .login_manager import LoginManager
  File "/opt/hostedtoolcache/Python/3.8.18/x64/lib/python3.8/site-packages/flask_login/login_manager.py", line 33, in <module>
    from .utils import _create_identifier
  File "/opt/hostedtoolcache/Python/3.8.18/x64/lib/python3.8/site-packages/flask_login/utils.py", line 14, in <module>
    from werkzeug.urls import url_decode
ImportError: cannot import name 'url_decode' from 'werkzeug.urls' (/opt/hostedtoolcache/Python/3.8.18/x64/lib/python3.8/site-packages/werkzeug/urls.py)

Error: Process completed with exit code 2.

Expected behavior

GitHub Actions should run through for the master branch.

Cookie capturing vulnerability

This might be an issue with flask-login.
The logout removes the session cookies, but if a cookie is captured before removal, it can be used to access the service as an authenticated user.

To recreate:

  • Login
  • Capture cookie through a browser plugin or a man in the middle proxy
  • Logout
  • Send a request with captured cookie
  • Able to access the service as an authenticated user

I found that with SECURITY_TRACKABLE enabled, flask-login.login_fresh() could identify if the session is stale, which checks the User-Agent, IP address, etc.
But if the request is coming from the same IP address and the same User-Agent, flask-login still doesn't identify it as stale.
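The defensive counterpart to the report above, as an added example that is neither flask-login nor flask-security-fork code. Flask's default session is a signed client-side cookie, so logging out only tells the browser to drop it and a copy made earlier still verifies until it expires. Keeping one record per session on the server and deleting it at logout makes a replayed cookie fail regardless of IP address or User-Agent. The secret key, the in-memory store and the cookie layout (random id plus HMAC tag) are assumptions; a deployment would back the store with Redis or a database table.

```python
"""Server-side session records so that logout revokes the cookie (added example)."""
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"constructed-secret-for-the-example"  # assumption: the app secret


def _sign(session_id: str) -> str:
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """In-memory store mapping session_id -> (user_id, expires_at)."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}

    def login(self, user_id):
        """Create a server-side session and return the cookie value."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = (user_id, time.time() + self.ttl)
        return f"{session_id}.{_sign(session_id)}"

    def user_for_cookie(self, cookie):
        """Return the user id only if the cookie verifies AND is still known server-side."""
        try:
            session_id, sig = cookie.rsplit(".", 1)
        except (AttributeError, ValueError):
            return None
        if not hmac.compare_digest(sig, _sign(session_id)):
            return None  # tampered or forged
        record = self._sessions.get(session_id)
        if record is None:
            return None  # logged out, or never issued
        user_id, expires_at = record
        if time.time() > expires_at:
            del self._sessions[session_id]
            return None
        return user_id

    def logout(self, cookie):
        """Revoke this session; every copy of the cookie stops working."""
        session_id = cookie.rsplit(".", 1)[0]
        self._sessions.pop(session_id, None)

    def logout_everywhere(self, user_id):
        """Revoke all of a user's sessions (e.g. after a password change)."""
        for sid, (uid, _) in list(self._sessions.items()):
            if uid == user_id:
                del self._sessions[sid]


def cookie_valid_after_logout(store, user_id):
    """The scenario from the issue, as a check: keep a copy of the cookie,
    log out, then present the copy. Returns the user id if the copy still
    works, None if logout actually revoked it."""
    cookie = store.login(user_id)
    copy = cookie
    store.logout(cookie)
    return store.user_for_cookie(copy)
```

Bounding sessions to IP address or User-Agent, as the report notes, does not help against a replay from the same client context; the server-side record is what closes the gap.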

Email confirmation behavior

At the moment the confirmation token can log the user in automatically.
I suggest this behavior should be configurable, so it can be enabled as required.

Another issue with the current confirmation tokens is that they can be reused to log in without a password as long as the token has not expired.
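Both points from this issue (confirmation should not log the user in by default, and a token must not be reusable) in one added example that is not flask-security-fork code. The token carries the user id and issue time, is HMAC-signed and expires; it is accepted only while the account is still unconfirmed, and a session is created only when the caller opts in. The secret key, token layout and the in-memory users dict are assumptions.

```python
"""Single-use email confirmation token, separate from login (added example)."""
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"constructed-secret-for-the-example"  # assumption: the app secret
TOKEN_MAX_AGE = 24 * 3600  # seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_confirmation_token(user_id, now=None):
    """Token = base64(payload) '.' base64(HMAC-SHA256(payload))."""
    payload = json.dumps({"uid": user_id, "iat": int(now or time.time())}).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def parse_confirmation_token(token, now=None):
    """Return the payload dict if signature and age check out, else None."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(payload)
    if (now or time.time()) - data["iat"] > TOKEN_MAX_AGE:
        return None
    return data


class User:
    def __init__(self, id):
        self.id = id
        self.confirmed_at = None


def confirm_email(users, token, login_on_confirm=False, now=None):
    """Apply a confirmation token.

    Returns (status, user_id_to_log_in_or_None); status is 'confirmed',
    'already_confirmed' or 'invalid'. The token is single-use because the
    account stops being unconfirmed the first time it is accepted, so a
    second presentation cannot double as a password-less login.
    """
    data = parse_confirmation_token(token, now)
    if data is None:
        return ("invalid", None)
    user = users.get(data["uid"])
    if user is None:
        return ("invalid", None)
    if user.confirmed_at is not None:
        return ("already_confirmed", None)
    user.confirmed_at = now or time.time()
    return ("confirmed", user.id if login_on_confirm else None)
```

With login_on_confirm left at False the view redirects to the login page after confirming; an app that wants the current auto-login keeps it as an explicit opt-in rather than the default.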
