'\" t
.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "FLASK-SECURITY" "1" "Oct 06, 2024" "5.4.x" "Flask-Security"
.SH NAME
flask-security \- Flask-Security 5.4.3
\X'tty: link https://github.com/Flask-Middleware/flask-security'\fI\%Flask\-Security: add a drop of security to your Flask application.\fP\X'tty: link'
.sp
Flask\-Security allows you to quickly add common security mechanisms to your
Flask application. They include:
.INDENT 0.0
.IP 1. 4
Session based authentication
.IP 2. 4
Role and Permission management
.IP 3. 4
Password hashing
.IP 4. 4
Basic HTTP authentication
.IP 5. 4
Token based authentication
.IP 6. 4
Token based account activation (optional)
.IP 7. 4
Token based password recovery / resetting (optional)
.IP 8. 4
Two\-factor authentication (optional)
.IP 9. 4
Unified sign in (optional)
.IP 10. 4
User registration (optional)
.IP 11. 4
Login tracking (optional)
.IP 12. 4
JSON/Ajax Support
.IP 13. 4
WebAuthn Support (optional)
.IP 14. 4
Use \(aqsocial\(aq/Oauth for authentication (e.g. google, github, ..) (optional)
.UNINDENT
.sp
Many of these features are made possible by integrating various Flask extensions
and libraries. They include:
.INDENT 0.0
.IP \(bu 2
\X'tty: link https://flask-login.readthedocs.org/en/latest/'\fI\%Flask\-Login\fP\X'tty: link'
.IP \(bu 2
\X'tty: link https://pypi.org/project/Flask-Mailman/'\fI\%Flask\-Mailman\fP\X'tty: link'
.IP \(bu 2
\X'tty: link https://pypi.org/project/Flask-Principal/'\fI\%Flask\-Principal\fP\X'tty: link'
.IP \(bu 2
\X'tty: link https://pypi.org/project/Flask-WTF/'\fI\%Flask\-WTF\fP\X'tty: link'
.IP \(bu 2
\X'tty: link https://pypi.org/project/itsdangerous/'\fI\%itsdangerous\fP\X'tty: link'
.IP \(bu 2
\X'tty: link https://pypi.org/project/passlib/'\fI\%passlib\fP\X'tty: link'
.IP \(bu 2
\X'tty: link https://pypi.org/project/qrcode/'\fI\%QRCode\fP\X'tty: link'
.IP \(bu 2
\X'tty: link https://pypi.org/project/webauthn/'\fI\%webauthn\fP\X'tty: link'
.IP \(bu 2
\X'tty: link https://pypi.org/project/Authlib/'\fI\%authlib\fP\X'tty: link'
.UNINDENT
.sp
Additionally, it assumes you\(aqll be using a common library for your database
connections and model definitions. Flask\-Security supports the following Flask
extensions out of the box for data persistence:
.INDENT 0.0
.IP 1. 3
\X'tty: link https://pypi.python.org/pypi/flask-sqlalchemy/'\fI\%Flask\-SQLAlchemy\fP\X'tty: link'
.IP 2. 3
\X'tty: link https://pypi.python.org/pypi/mongoengine/'\fI\%MongoEngine\fP\X'tty: link'
.IP 3. 3
\X'tty: link https://docs.peewee-orm.com/en/latest/peewee/playhouse.html#flask-utils'\fI\%Peewee Flask utils\fP\X'tty: link'
.IP 4. 3
\X'tty: link https://pypi.python.org/pypi/pony/'\fI\%PonyORM\fP\X'tty: link' \- NOTE: not currently working \- Help needed!.
.IP 5. 3
\X'tty: link https://docs.sqlalchemy.org/en/20/orm/session_basics.html'\fI\%SQLAlchemy sessions\fP\X'tty: link'
.UNINDENT
.SH GETTING STARTED
.SS Installation
.sp
Installing Flask\-Security\-Too using:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
pip install flask\-security\-too
.EE
.UNINDENT
.UNINDENT
.sp
will install the basic package along with its required dependencies:
.INDENT 0.0
.IP \(bu 2
Flask
.IP \(bu 2
Flask\-Login
.IP \(bu 2
Flask\-Principal
.IP \(bu 2
Flask\-WTF
.IP \(bu 2
email\-validator
.IP \(bu 2
itsdangerous
.IP \(bu 2
passlib
.IP \(bu 2
Blinker
.UNINDENT
.sp
These are not sufficient for a complete application \- other packages are
required based on features desired, password hash algorithms, storage backend, etc.
Flask\-Security\-Too has additional distribution \(aqextras\(aq that can reduce the hassle
of figuring out all the required packages. You can install these using the
standard pip syntax:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
pip install flask\-security\-too[extra1,extra2, ...]
.EE
.UNINDENT
.UNINDENT
.sp
Supported extras are:
.INDENT 0.0
.IP \(bu 2
\fBbabel\fP \- Translation services. It will install babel and Flask\-Babel.
.IP \(bu 2
\fBfsqla\fP \- Use flask\-sqlalchemy and sqlalchemy as your storage interface.
.IP \(bu 2
\fBcommon\fP \- Install Flask\-Mailman, bcrypt (the default password hash), and bleach.
.IP \(bu 2
\fBmfa\fP \- Install packages used for multi\-factor (two\-factor, unified signin, WebAuthn):
cryptography, qrcode, phonenumberslite (note that for SMS you still need
to pick an SMS provider and install appropriate packages), and webauthn.
.UNINDENT
.sp
Your application will also need a database backend:
.INDENT 0.0
.IP \(bu 2
Sqlite is supported out of the box.
.IP \(bu 2
For PostgreSQL install \X'tty: link https://pypi.org/project/psycopg2/'\fI\%psycopg2\fP\X'tty: link'\&.
.IP \(bu 2
For MySQL install \X'tty: link https://pypi.org/project/PyMySQL/'\fI\%pymysql\fP\X'tty: link'\&.
.IP \(bu 2
For MongoDB install \X'tty: link https://pypi.org/project/mongoengine/'\fI\%Mongoengine\fP\X'tty: link'\&.
.UNINDENT
.sp
For additional details on configuring your database engine connector \- refer to \X'tty: link https://docs.sqlalchemy.org/en/14/core/engines.html'\fI\%sqlalchemy_engine\fP\X'tty: link'
.SS Quick Start
.sp
There are some complete (but simple) examples available in the \fIexamples\fP directory of the
\X'tty: link https://github.com/Flask-Middleware/flask-security'\fI\%Flask\-Security repo\fP\X'tty: link'\&.
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
The below quickstarts are just that \- they don\(aqt enable most of the features (such as registration, reset, etc.).
They basically create a single user, and you can login as that user... that\(aqs it.
As you add more features, additional packages (e.g. Flask\-Mailman, Flask\-Babel, qrcode) might be required
and will need to be added to your requirements.txt (or equivalent) file.
Flask\-Security does some configuration validation and will output error messages to the console
for some missing packages.
.UNINDENT
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
The default \fBSECURITY_PASSWORD_HASH\fP is \(dqbcrypt\(dq \- so be sure to install bcrypt.
If you opt for a different hash e.g. \(dqargon2\(dq you will need to install the appropriate package e.g. \X'tty: link https://pypi.org/project/argon2-cffi/'\fI\%argon_cffi\fP\X'tty: link'\&.
.UNINDENT
.UNINDENT
.sp
\fBDANGER:\fP
.INDENT 0.0
.INDENT 3.5
The examples below place secrets in source files. Never do this for your application
especially if your source code is placed in a public repo. How you pass in secrets
securely will depend on your deployment model \- however in most cases (e.g. docker, lambda)
using environment variables will be the easiest.
.UNINDENT
.UNINDENT
.INDENT 0.0
.IP \(bu 2
\fI\%Basic SQLAlchemy Application\fP
.IP \(bu 2
\fI\%Basic SQLAlchemy Application with session\fP
.IP \(bu 2
\fI\%Basic MongoEngine Application\fP
.IP \(bu 2
\fI\%Basic Peewee Application\fP
.IP \(bu 2
\fI\%Mail Configuration\fP
.IP \(bu 2
\fI\%Proxy Configuration\fP
.IP \(bu 2
\fI\%Unit Testing Your Application\fP
.UNINDENT
.SS Basic SQLAlchemy Application
.SS SQLAlchemy Install requirements
.INDENT 0.0
.INDENT 3.5
.sp
.EX
$ python3 \-m venv pymyenv
$ . pymyenv/bin/activate
$ pip install flask\-security\-too[fsqla,common]
.EE
.UNINDENT
.UNINDENT
.SS SQLAlchemy Application
.sp
The following code sample illustrates how to get started as quickly as
possible using Flask\-SQLAlchemy and the built\-in model mixins:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
import os

from flask import Flask, render_template_string
from flask_sqlalchemy import SQLAlchemy
from flask_security import Security, SQLAlchemyUserDatastore, auth_required, hash_password
from flask_security.models import fsqla_v3 as fsqla

# Create app
app = Flask(__name__)
app.config[\(aqDEBUG\(aq] = True

# Generate a nice key using secrets.token_urlsafe()
app.config[\(aqSECRET_KEY\(aq] = os.environ.get(\(dqSECRET_KEY\(dq, \(aqpf9Wkove4IKEAXvy\-cQkeDPhv9Cb3Ag\-wyJILbq_dFw\(aq)
# Bcrypt is set as default SECURITY_PASSWORD_HASH, which requires a salt
# Generate a good salt using: secrets.SystemRandom().getrandbits(128)
app.config[\(aqSECURITY_PASSWORD_SALT\(aq] = os.environ.get(\(dqSECURITY_PASSWORD_SALT\(dq, \(aq146585145368132386173505678016728509634\(aq)

# have session and remember cookie be samesite (flask/flask_login)
app.config[\(dqREMEMBER_COOKIE_SAMESITE\(dq] = \(dqstrict\(dq
app.config[\(dqSESSION_COOKIE_SAMESITE\(dq] = \(dqstrict\(dq

# Use an in\-memory db
app.config[\(aqSQLALCHEMY_DATABASE_URI\(aq] = \(aqsqlite://\(aq
# As of Flask\-SQLAlchemy 2.4.0 it is easy to pass in options directly to the
# underlying engine. This option makes sure that DB connections from the
# pool are still valid. Important for entire application since
# many DBaaS options automatically close idle connections.
app.config[\(dqSQLALCHEMY_ENGINE_OPTIONS\(dq] = {
    \(dqpool_pre_ping\(dq: True,
}
app.config[\(dqSQLALCHEMY_TRACK_MODIFICATIONS\(dq] = False

# Create database connection object
db = SQLAlchemy(app)

# Define models
fsqla.FsModels.set_db_info(db)

class Role(db.Model, fsqla.FsRoleMixin):
    pass

class User(db.Model, fsqla.FsUserMixin):
    pass

# Setup Flask\-Security
user_datastore = SQLAlchemyUserDatastore(db, User, Role)
app.security = Security(app, user_datastore)

# Views
@app.route(\(dq/\(dq)
@auth_required()
def home():
    return render_template_string(\(dqHello {{ current_user.email }}\(dq)

# one time setup
with app.app_context():
    # Create User to test with
    db.create_all()
    if not app.security.datastore.find_user(email=\(dqtest@me.com\(dq):
        app.security.datastore.create_user(email=\(dqtest@me.com\(dq, password=hash_password(\(dqpassword\(dq))
    db.session.commit()

if __name__ == \(aq__main__\(aq:
    app.run()
.EE
.UNINDENT
.UNINDENT
.sp
You can run this either with:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
flask run
.EE
.UNINDENT
.UNINDENT
.sp
or:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
python app.py
.EE
.UNINDENT
.UNINDENT
.SS Basic SQLAlchemy Application with session
.SS SQLAlchemy Install requirements
.INDENT 0.0
.INDENT 3.5
.sp
.EX
$ python3 \-m venv pymyenv
$ . pymyenv/bin/activate
$ pip install flask\-security\-too[common] sqlalchemy
.EE
.UNINDENT
.UNINDENT
.SS SQLAlchemy Application (w/o Flask\-SQLAlchemy)
.sp
The following code sample illustrates how to get started as quickly as
possible using \X'tty: link https://flask.palletsprojects.com/en/2.0.x/patterns/sqlalchemy/#declarative'\fI\%SQLAlchemy in a declarative way\fP\X'tty: link':
.sp
This example shows how to split your application into 3 files: app.py, database.py
and models.py.
.INDENT 0.0
.IP \(bu 2
app.py
.INDENT 2.0
.INDENT 3.5
.sp
.EX
import os

from flask import Flask, render_template_string
from flask_security import Security, current_user, auth_required, hash_password, \e
     SQLAlchemySessionUserDatastore, permissions_accepted
from database import db_session, init_db
from models import User, Role

# Create app
app = Flask(__name__)
app.config[\(aqDEBUG\(aq] = True

# Generate a nice key using secrets.token_urlsafe()
app.config[\(aqSECRET_KEY\(aq] = os.environ.get(\(dqSECRET_KEY\(dq, \(aqpf9Wkove4IKEAXvy\-cQkeDPhv9Cb3Ag\-wyJILbq_dFw\(aq)
# Bcrypt is set as default SECURITY_PASSWORD_HASH, which requires a salt
# Generate a good salt using: secrets.SystemRandom().getrandbits(128)
app.config[\(aqSECURITY_PASSWORD_SALT\(aq] = os.environ.get(\(dqSECURITY_PASSWORD_SALT\(dq, \(aq146585145368132386173505678016728509634\(aq)
# Don\(aqt worry if email has findable domain
app.config[\(dqSECURITY_EMAIL_VALIDATOR_ARGS\(dq] = {\(dqcheck_deliverability\(dq: False}

# manage sessions per request \- make sure connections are closed and returned
app.teardown_appcontext(lambda exc: db_session.close())

# Setup Flask\-Security
user_datastore = SQLAlchemySessionUserDatastore(db_session, User, Role)
app.security = Security(app, user_datastore)

# Views
@app.route(\(dq/\(dq)
@auth_required()
def home():
    return render_template_string(\(aqHello {{current_user.email}}!\(aq)

@app.route(\(dq/user\(dq)
@auth_required()
@permissions_accepted(\(dquser\-read\(dq)
def user_home():
    return render_template_string(\(dqHello {{ current_user.email }} you are a user!\(dq)

# one time setup
with app.app_context():
    init_db()
    # Create a user and role to test with
    app.security.datastore.find_or_create_role(
        name=\(dquser\(dq, permissions={\(dquser\-read\(dq, \(dquser\-write\(dq}
    )
    db_session.commit()
    if not app.security.datastore.find_user(email=\(dqtest@me.com\(dq):
        app.security.datastore.create_user(email=\(dqtest@me.com\(dq,
        password=hash_password(\(dqpassword\(dq), roles=[\(dquser\(dq])
    db_session.commit()

if __name__ == \(aq__main__\(aq:
    # run application (can also use flask run)
    app.run()
.EE
.UNINDENT
.UNINDENT
.IP \(bu 2
database.py
.INDENT 2.0
.INDENT 3.5
.sp
.EX
from sqlalchemy import create_engine
from sqlalchemy.orm import scoped_session, sessionmaker
from sqlalchemy.ext.declarative import declarative_base

engine = create_engine(\(aqsqlite:////tmp/test.db\(aq)
db_session = scoped_session(sessionmaker(autocommit=False,
                                         autoflush=False,
                                         bind=engine))
Base = declarative_base()
Base.query = db_session.query_property()

def init_db():
    # import all modules here that might define models so that
    # they will be registered properly on the metadata.  Otherwise
    # you will have to import them first before calling init_db()
    import models
    Base.metadata.create_all(bind=engine)
.EE
.UNINDENT
.UNINDENT
.IP \(bu 2
models.py
.INDENT 2.0
.INDENT 3.5
.sp
.EX
from database import Base
from flask_security import UserMixin, RoleMixin, AsaList
from sqlalchemy.orm import relationship, backref
from sqlalchemy.ext.mutable import MutableList
from sqlalchemy import Boolean, DateTime, Column, Integer, \e
                    String, ForeignKey

class RolesUsers(Base):
    __tablename__ = \(aqroles_users\(aq
    id = Column(Integer(), primary_key=True)
    user_id = Column(\(aquser_id\(aq, Integer(), ForeignKey(\(aquser.id\(aq))
    role_id = Column(\(aqrole_id\(aq, Integer(), ForeignKey(\(aqrole.id\(aq))

class Role(Base, RoleMixin):
    __tablename__ = \(aqrole\(aq
    id = Column(Integer(), primary_key=True)
    name = Column(String(80), unique=True)
    description = Column(String(255))
    permissions = Column(MutableList.as_mutable(AsaList()), nullable=True)

class User(Base, UserMixin):
    __tablename__ = \(aquser\(aq
    id = Column(Integer, primary_key=True)
    email = Column(String(255), unique=True)
    username = Column(String(255), unique=True, nullable=True)
    password = Column(String(255), nullable=False)
    last_login_at = Column(DateTime())
    current_login_at = Column(DateTime())
    last_login_ip = Column(String(100))
    current_login_ip = Column(String(100))
    login_count = Column(Integer)
    active = Column(Boolean())
    fs_uniquifier = Column(String(64), unique=True, nullable=False)
    confirmed_at = Column(DateTime())
    roles = relationship(\(aqRole\(aq, secondary=\(aqroles_users\(aq,
                         backref=backref(\(aqusers\(aq, lazy=\(aqdynamic\(aq))
.EE
.UNINDENT
.UNINDENT
.UNINDENT
.sp
You can run this either with:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
flask run
.EE
.UNINDENT
.UNINDENT
.sp
or:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
python app.py
.EE
.UNINDENT
.UNINDENT
.SS Basic MongoEngine Application
.SS MongoEngine Install requirements
.INDENT 0.0
.INDENT 3.5
.sp
.EX
$ python3 \-m venv pymyenv
$ . pymyenv/bin/activate
$ pip install flask\-security\-too[common] mongoengine
.EE
.UNINDENT
.UNINDENT
.SS MongoEngine Application
.sp
The following code sample illustrates how to get started as quickly as
possible using MongoEngine (of course you have to install and start up a
local MongoDB instance):
.INDENT 0.0
.INDENT 3.5
.sp
.EX
import os

from flask import Flask, render_template_string
from mongoengine import Document, connect
from mongoengine.fields import (
    BinaryField,
    BooleanField,
    DateTimeField,
    IntField,
    ListField,
    ReferenceField,
    StringField,
)
from flask_security import Security, MongoEngineUserDatastore, \e
    UserMixin, RoleMixin, auth_required, hash_password, permissions_accepted

# Create app
app = Flask(__name__)
app.config[\(aqDEBUG\(aq] = True

# Generate a nice key using secrets.token_urlsafe()
app.config[\(aqSECRET_KEY\(aq] = os.environ.get(\(dqSECRET_KEY\(dq, \(aqpf9Wkove4IKEAXvy\-cQkeDPhv9Cb3Ag\-wyJILbq_dFw\(aq)
# Bcrypt is set as default SECURITY_PASSWORD_HASH, which requires a salt
# Generate a good salt using: secrets.SystemRandom().getrandbits(128)
app.config[\(aqSECURITY_PASSWORD_SALT\(aq] = os.environ.get(\(dqSECURITY_PASSWORD_SALT\(dq, \(aq146585145368132386173505678016728509634\(aq)
# Don\(aqt worry if email has findable domain
app.config[\(dqSECURITY_EMAIL_VALIDATOR_ARGS\(dq] = {\(dqcheck_deliverability\(dq: False}

# Create database connection object
db_name = \(dqmydatabase\(dq
db = connect(alias=db_name, db=db_name, host=\(dqmongodb://localhost\(dq, port=27017)

class Role(Document, RoleMixin):
    name = StringField(max_length=80, unique=True)
    description = StringField(max_length=255)
    permissions = ListField(required=False)
    meta = {\(dqdb_alias\(dq: db_name}

class User(Document, UserMixin):
    email = StringField(max_length=255, unique=True)
    password = StringField(max_length=255)
    active = BooleanField(default=True)
    fs_uniquifier = StringField(max_length=64, unique=True)
    confirmed_at = DateTimeField()
    roles = ListField(ReferenceField(Role), default=[])
    meta = {\(dqdb_alias\(dq: db_name}

# Setup Flask\-Security
user_datastore = MongoEngineUserDatastore(db, User, Role)
app.security = Security(app, user_datastore)

# Views
@app.route(\(dq/\(dq)
@auth_required()
def home():
    return render_template_string(\(dqHello {{ current_user.email }}\(dq)

@app.route(\(dq/user\(dq)
@auth_required()
@permissions_accepted(\(dquser\-read\(dq)
def user_home():
    return render_template_string(\(dqHello {{ current_user.email }} you are a user!\(dq)

# one time setup
with app.app_context():
    # Create a user and role to test with
    app.security.datastore.find_or_create_role(
        name=\(dquser\(dq, permissions={\(dquser\-read\(dq, \(dquser\-write\(dq}
    )
    if not app.security.datastore.find_user(email=\(dqtest@me.com\(dq):
        app.security.datastore.create_user(email=\(dqtest@me.com\(dq,
        password=hash_password(\(dqpassword\(dq), roles=[\(dquser\(dq])

if __name__ == \(aq__main__\(aq:
    # run application (can also use flask run)
    app.run()
.EE
.UNINDENT
.UNINDENT
.SS Basic Peewee Application
.SS Peewee Install requirements
.INDENT 0.0
.INDENT 3.5
.sp
.EX
$ python3 \-m venv pymyenv
$ . pymyenv/bin/activate
$ pip install flask\-security\-too[common] peewee
.EE
.UNINDENT
.UNINDENT
.SS Peewee Application
.sp
The following code sample illustrates how to get started as quickly as
possible using Peewee:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
import os

from flask import Flask, render_template_string
from playhouse.flask_utils import FlaskDB
from peewee import *
from flask_security import Security, PeeweeUserDatastore, \e
    UserMixin, RoleMixin, auth_required, hash_password

# Create app
app = Flask(__name__)
app.config[\(aqDEBUG\(aq] = True

# Generate a nice key using secrets.token_urlsafe()
app.config[\(aqSECRET_KEY\(aq] = os.environ.get(\(dqSECRET_KEY\(dq, \(aqpf9Wkove4IKEAXvy\-cQkeDPhv9Cb3Ag\-wyJILbq_dFw\(aq)
# Bcrypt is set as default SECURITY_PASSWORD_HASH, which requires a salt
# Generate a good salt using: secrets.SystemRandom().getrandbits(128)
app.config[\(aqSECURITY_PASSWORD_SALT\(aq] = os.environ.get(\(dqSECURITY_PASSWORD_SALT\(dq, \(aq146585145368132386173505678016728509634\(aq)

app.config[\(aqDATABASE\(aq] = {
    \(aqname\(aq: \(aqexample.db\(aq,
    \(aqengine\(aq: \(aqpeewee.SqliteDatabase\(aq,
}

# Create database connection object
db = FlaskDB(app)

class Role(RoleMixin, db.Model):
    name = CharField(unique=True)
    description = TextField(null=True)
    permissions = TextField(null=True)

# N.B. order is important since db.Model also contains a get_id() \-
# we need the one from UserMixin.
class User(UserMixin, db.Model):
    email = TextField()
    password = TextField()
    active = BooleanField(default=True)
    fs_uniquifier = TextField(null=False)
    confirmed_at = DateTimeField(null=True)

class UserRoles(db.Model):
    # Because peewee does not come with built\-in many\-to\-many
    # relationships, we need this intermediary class to link
    # user to roles.
    user = ForeignKeyField(User, related_name=\(aqroles\(aq)
    role = ForeignKeyField(Role, related_name=\(aqusers\(aq)
    name = property(lambda self: self.role.name)
    description = property(lambda self: self.role.description)

    def get_permissions(self):
        return self.role.get_permissions()

# Setup Flask\-Security
user_datastore = PeeweeUserDatastore(db, User, Role, UserRoles)
app.security = Security(app, user_datastore)

# Views
@app.route(\(aq/\(aq)
@auth_required()
def home():
    return render_template_string(\(dqHello {{ current_user.email }}\(dq)

# one time setup
with app.app_context():
    # Create a user to test with
    for Model in (Role, User, UserRoles):
        Model.drop_table(fail_silently=True)
        Model.create_table(fail_silently=True)
    if not app.security.datastore.find_user(email=\(dqtest@me.com\(dq):
        app.security.datastore.create_user(email=\(dqtest@me.com\(dq, password=hash_password(\(dqpassword\(dq))

if __name__ == \(aq__main__\(aq:
    app.run()
.EE
.UNINDENT
.UNINDENT
.SS Mail Configuration
.sp
Flask\-Security integrates with an outgoing mail service via the \fBmail_util_cls\fP which
is part of initial configuration. The default class \fI\%flask_security.MailUtil\fP utilizes the
\X'tty: link https://pypi.org/project/flask-mailman/'\fI\%Flask\-Mailman\fP\X'tty: link' package. Be sure to add flask_mailman to
your requirements.txt. The older and no longer maintained package \X'tty: link https://pypi.org/project/Flask-Mail/'\fI\%Flask\-Mail\fP\X'tty: link'
is also (still) supported.
.sp
The following code illustrates a basic setup, which could be added to
the basic application code in the previous section:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# At top of file
from flask_mailman import Mail

# After \(aqCreate app\(aq
app.config[\(aqMAIL_SERVER\(aq] = \(aqsmtp.example.com\(aq
app.config[\(aqMAIL_PORT\(aq] = 587
app.config[\(aqMAIL_USE_TLS\(aq] = True
app.config[\(aqMAIL_USERNAME\(aq] = \(aqusername\(aq
app.config[\(aqMAIL_PASSWORD\(aq] = \(aqpassword\(aq
mail = Mail(app)
.EE
.UNINDENT
.UNINDENT
.sp
To learn more about the various Flask\-Mailman settings to configure it to
work with your particular email server configuration, please see the
\X'tty: link https://waynerv.github.io/flask-mailman/'\fI\%Flask\-Mailman documentation\fP\X'tty: link'\&.
.SS Proxy Configuration
.sp
The user tracking features need an additional configuration
in HTTP proxy environment. The following code illustrates a setup
with a single HTTP proxy in front of the web application:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# At top of file
from werkzeug.middleware.proxy_fix import ProxyFix

# After \(aqCreate app\(aq
app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1)
.EE
.UNINDENT
.UNINDENT
.sp
To learn more about the \fBProxyFix\fP middleware, please see the
\X'tty: link https://werkzeug.palletsprojects.com/en/2.0.x/middleware/proxy_fix/#module-werkzeug.middleware.proxy_fix'\fI\%Werkzeug documentation\fP\X'tty: link'\&.
.SS Unit Testing Your Application
.sp
As soon as you add any of the Flask\-Security decorators to your API endpoints, it can
be frustrating to unit test your basic routing (and roles and permissions). Without getting
into the argument of the difference between unit tests and integration tests \- you can approach testing
in 2 ways:
.INDENT 0.0
.IP \(bu 2
\(aqPure\(aq unit test \- mocking out all lower level objects (such as the data store)
.IP \(bu 2
Complete app with in\-memory/temporary DB (with little or no mocking).
.UNINDENT
.sp
Look in the \X'tty: link https://github.com/Flask-Middleware/flask-security'\fI\%Flask\-Security repo\fP\X'tty: link' \fIexamples\fP directory for actual code that implements the
second approach which is much simpler and with an in\-memory DB fairly fast.
.sp
You also might want to set the following configurations in your conftest.py:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
app.config[\(dqWTF_CSRF_ENABLED\(dq] = False
# Our test emails/domain isn\(aqt necessarily valid
app.config[\(dqSECURITY_EMAIL_VALIDATOR_ARGS\(dq] = {\(dqcheck_deliverability\(dq: False}
# Make this plaintext for most tests \- reduces unit test time by 50%
app.config[\(dqSECURITY_PASSWORD_HASH\(dq] = \(dqplaintext\(dq
.EE
.UNINDENT
.UNINDENT
.SS Features
.sp
Flask\-Security allows you to quickly add common security mechanisms to your
Flask application. They include:
.SS Session Based Authentication
.sp
Session based authentication is fulfilled entirely by the \X'tty: link https://flask-login.readthedocs.org/en/latest/'\fI\%Flask\-Login\fP\X'tty: link'
extension. Flask\-Security handles the configuration of Flask\-Login automatically
based on a few of its own configuration values and uses Flask\-Login\(aqs
\X'tty: link https://flask-login.readthedocs.io/en/latest/#alternative-tokens'\fI\%alternative token\fP\X'tty: link' feature to associate the value of \fBfs_uniquifier\fP with the user.
(This enables easily invalidating all existing sessions for a given user without
having to change their user id). \X'tty: link https://flask-wtf.readthedocs.io/en/1.0.x/csrf/'\fI\%Flask\-WTF\fP\X'tty: link'
integrates with the session as well to provide out of the box CSRF support.
Flask\-Security extends that to support configurations that would require CSRF for requests that are
authenticated via session cookies, but not for requests authenticated using tokens.
.SS Role/Identity Based Access
.sp
Flask\-Security implements very basic role management out of the box. This means
that you can associate a high level role or multiple roles to any user. For
instance, you may assign roles such as \fIAdmin\fP, \fIEditor\fP, \fISuperUser\fP, or a
combination of said roles to a user. Access control is based on the role name and/or
permissions contained within the role;
and all roles should be uniquely named. This feature is implemented using the
\X'tty: link https://pypi.org/project/Flask-Principal/'\fI\%Flask\-Principal\fP\X'tty: link' extension. As with basic RBAC, permissions can be assigned to roles
to provide more granular access control. Permissions can be associated with one or
more roles (the RoleModel contains a list of permissions). The values of
permissions are completely up to the developer \- Flask\-Security simply treats them
as strings.
If you\(aqd like to implement even more granular access
control (such as per\-object), you can refer to the Flask\-Principal \X'tty: link http://packages.python.org/Flask-Principal/#granular-resource-protection'\fI\%documentation on this topic\fP\X'tty: link'\&.
.SS Password Hashing
.sp
Password hashing is enabled with \X'tty: link https://passlib.readthedocs.io/en/stable/'\fI\%passlib\fP\X'tty: link'\&. Passwords are hashed with the
\X'tty: link https://en.wikipedia.org/wiki/Bcrypt'\fI\%bcrypt\fP\X'tty: link' function by default but you can easily configure the hashing
algorithm. You should \fBalways use a hashing algorithm\fP in your production
environment. Hash algorithms not listed in \fBSECURITY_PASSWORD_SINGLE_HASH\fP
will be double hashed \- first an HMAC will be computed, then the selected hash
function will be used. In this case \- you must provide a \fBSECURITY_PASSWORD_SALT\fP\&.
A good way to generate this is:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
secrets.SystemRandom().getrandbits(128)
.EE
.UNINDENT
.UNINDENT
.sp
Bear in mind passlib does not assume which
algorithm you will choose and may require additional libraries to be installed.
.SS Password Validation and Complexity
.sp
Consult \fI\%Password Validation and Complexity\fP\&.
.SS Basic HTTP Authentication
.sp
Basic HTTP authentication is achievable using a simple view method decorator.
This feature expects the incoming authentication information to identify a user
in the system. This means that the username must be equal to their email address.
.SS Token Authentication
.sp
Token based authentication can be used by retrieving the user auth token from an
authentication endpoint (e.g. \fB/login\fP, \fB/us\-signin\fP, \fB/wan\-signin\fP).
Perform an HTTP POST with a query param of \fBinclude_auth_token\fP and the authentication details
as JSON data.
A successful call will return the authentication token. This token can be used in subsequent
requests to protected resources. The auth token should be supplied in the request
through an HTTP header or query string parameter. By default the HTTP header
name is \fIAuthentication\-Token\fP and the default query string parameter name is
\fIauth_token\fP\&.
.sp
Authentication tokens are generated using a uniquifier field in the
user\(aqs UserModel. By default that field is \fBfs_uniquifier\fP\&. This means that
if that field is changed (via \fI\%UserDatastore.set_uniquifier()\fP)
then any existing authentication tokens will no longer be valid. This value is changed
whenever a user changes their password. If this is not the desired behavior then you can add an additional
attribute to the UserModel: \fBfs_token_uniquifier\fP and that will be used instead, thus
isolating password changes from authentication tokens. That attribute can be changed via
\fI\%UserDatastore.set_token_uniquifier()\fP\&. This attribute should have \fBunique=True\fP\&.
Unlike \fBfs_uniquifier\fP, it can be set to \fBnullable\fP \- it will automatically be generated
at first use if null.
.sp
Authentication tokens have 2 options for specifying expiry time \fI\%SECURITY_TOKEN_MAX_AGE\fP
is applied to ALL authentication tokens. Each authentication token can itself have an embedded
expiry value (settable via the \fI\%SECURITY_TOKEN_EXPIRE_TIMESTAMP\fP callable).
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
While every Flask\-Security endpoint will accept an authentication token header,
there are some endpoints that require session information (e.g. a session cookie).
Please read \fI\%Freshness\fP and \fI\%CSRF\fP
.UNINDENT
.UNINDENT
.SS Two\-factor Authentication
.sp
Two\-factor authentication is enabled by generating time\-based one time passwords
(Tokens). The tokens are generated using the users \X'tty: link https://passlib.readthedocs.io/en/stable/narr/totp-tutorial.html#overview'\fI\%totp secret\fP\X'tty: link', which is unique
per user, and is generated both on first login, and when changing the two\-factor
method (doing this causes the previous totp secret to become invalid). The token
is provided by one of 3 methods \- email, sms (service is not provided), or
an authenticator app such as Google Authenticator, LastPass Authenticator, or Authy.
By default, tokens provided by the authenticator app are
valid for 2 minutes, tokens sent by mail for up to 5 minute and tokens sent by
sms for up to 2 minutes. The QR code used to supply the authenticator app with
the secret is generated using the \X'tty: link https://pypi.org/project/qrcode/'\fI\%qrcode\fP\X'tty: link' library.
Please read \fI\%Theory of Operation\fP for more details.
.sp
The Two\-factor feature offers the ability for a user to \(aqrescue\(aq themselves if
they lose track of their secondary factor device. Rescue options include sending
a one time code via email, send an email to the application admin, and using a previously
generated and downloaded one\-time code (see \fI\%SECURITY_MULTI_FACTOR_RECOVERY_CODES\fP).
.SS Unified Sign In
.sp
\fBThis feature is in Beta \- mostly due to it being brand new and little to no production soak time\fP
.sp
Unified sign in provides a generalized login endpoint that takes an \fIidentity\fP
and a \fIpasscode\fP; where (based on configuration):
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fIidentity\fP is any of \fI\%SECURITY_USER_IDENTITY_ATTRIBUTES\fP (e.g. email, username, phone)
.IP \(bu 2
\fIpasscode\fP is a password or a one\-time code (delivered via email, SMS, or authenticator app)
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Please see this \X'tty: link https://en.wikipedia.org/wiki/Multi-factor_authentication'\fI\%Wikipedia\fP\X'tty: link' article about multi\-factor authentication.
.sp
Using this feature, it is possible to not require the user to have a stored password
at all, and just require the use of a one\-time code. The mechanisms for generating
and delivering the one\-time code are similar to common two\-factor mechanisms.
.sp
This one\-time code can be configured to be delivered via email, SMS or authenticator app \-
however be aware that NIST does not recommend email for this purpose (though many web sites do so)
due to the fact that a) email may travel through
many different servers as part of being delivered \- and b) is available from any device.
.sp
Using SMS or an authenticator app means you are providing \(dqsomething you have\(dq (the mobile device)
and either \(dqsomething you know\(dq (passcode to unlock your device)
or \(dqsomething you are\(dq (biometric quality to unlock your device).
This effectively means that using a one\-time code to sign in, is in fact already two\-factor (if using
SMS or authenticator app). Many large authentication providers already offer this \- here is
\X'tty: link https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-auth-app-overview'\fI\%Microsoft\(aqs\fP\X'tty: link' version.
.sp
Note that by configuring \fI\%SECURITY_US_ENABLED_METHODS\fP an application can
use this endpoint JUST with identity/password or in fact disallow passwords altogether.
.sp
Unified sign in is integrated with two\-factor authentication. Since in general
there is no need for a second factor if the initial authentication was with SMS or
an authenticator application, the \fI\%SECURITY_US_MFA_REQUIRED\fP configuration
determines which primary authentication mechanisms require a second factor. By default
limited to \fBemail\fP and \fBpassword\fP (if two\-factor is enabled).
.sp
Be aware that by default, the \fI\%SECURITY_US_SETUP_URL\fP endpoint is protected
with a freshness check (see \fI\%flask_security.auth_required()\fP) which means it requires a session
cookie to function properly. This is true even if using JSON payload or token authentication.
If you disable the freshness check then sessions aren\(aqt required.
.sp
\fICurrent Limited Functionality\fP:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
Change password does not work if a user registers without a password. However
forgot\-password will allow the user to set a new password.
.IP \(bu 2
Registration and Confirmation only work with email \- so while you can enable multiple
authentication methods, you still have to register with email.
.UNINDENT
.UNINDENT
.UNINDENT
.SS WebAuthn
.sp
\fBThis feature is in Beta \- mostly due to it being brand new and little to no production soak time\fP
.sp
WebAuthn is a standardized protocol that connects authenticators (such as YubiKey and mobile biometrics)
with websites. Flask\-Security supports using WebAuthn keys as either \(aqfirst\(aq or \(aqsecondary\(aq
authenticators. Please read \fI\%WebAuthn\fP for more details.
.SS Email Confirmation
.sp
If desired you can require that new users confirm their email address.
Flask\-Security will send an email message to any new users with a confirmation
link. Upon navigating to the confirmation link, the user\(aqs account will be set to
\(aqconfirmed\(aq. The user can then sign in usually the normal mechanisms.
There is also view for resending a confirmation link to a given email
if the user happens to try to use an expired token or has lost the previous
email. Confirmation links can be configured to expire after a specified amount
of time (default 5 days).
.SS Password Reset/Recovery
.sp
Password reset and recovery is available for when a user forgets their
password. Flask\-Security sends an email to the user with a link to a view which
allows them to reset their password. Once the password is reset they are redirected to
the login page where they need to authenticate using the new password.
Password reset links can be configured to expire after a specified amount of time.
.sp
As with password change \- this will update the the user\(aqs \fBfs_uniquifier\fP attribute
which will invalidate all existing sessions AND (by default) all authentication tokens.
.SS User Registration
.sp
Flask\-Security comes packaged with a basic user registration view. This view is
very simple and new users need only supply an email address and their password.
This view can be overridden if your registration process requires more fields.
User email is validated and normalized using the
\X'tty: link https://pypi.org/project/email-validator/'\fI\%email_validator\fP\X'tty: link' package.
.sp
The \fI\%SECURITY_USERNAME_ENABLE\fP configuration option, when set to \fBTrue\fP, will add
support for the user to register a username in addition to an email. By default, the user will be
able to authenticate with EITHER email or username \- however that can be changed via the
\fI\%SECURITY_USER_IDENTITY_ATTRIBUTES\fP\&.
.SS Password Change
.sp
Flask\-Security comes packaged with a basic change user password view. Unlike password
recovery, this endpoint is used when the user is already authenticated. The result
of a successful password change is not only a new password, but a new value for \fBfs_uniquifier\fP\&.
This has the effect is immediately invalidating all existing sessions. The change request
itself effectively re\-logs in the user so a new session is created. Note that since the user
is effectively re\-logged in, the same signals are sent as when the user normally authenticates.
.sp
\fINOTE\fP: The \fBfs_uniquifier\fP by default, controls both sessions and authenticated tokens.
Thus changing the password also invalidates all authentication tokens. This may not be desirable
behavior, so if the UserModel contains an attribute \fBfs_token_uniquifier\fP, then that will be used
when generating authentication tokens and so won\(aqt be affected by password changes.
.SS Login Tracking
.sp
Flask\-Security can, if configured, keep track of basic login events and
statistics. They include:
.INDENT 0.0
.IP \(bu 2
Last login date
.IP \(bu 2
Current login date
.IP \(bu 2
Last login IP address
.IP \(bu 2
Current login IP address
.IP \(bu 2
Total login count
.UNINDENT
.SS JSON/Ajax Support
.sp
Flask\-Security supports JSON/Ajax requests where appropriate. Please
look at \fI\%CSRF\fP for details on how to work with JSON and
Single Page Applications. More specifically
JSON is supported for the following operations:
.INDENT 0.0
.IP \(bu 2
Login requests
.IP \(bu 2
Unified sign in requests
.IP \(bu 2
Registration requests
.IP \(bu 2
Change password requests
.IP \(bu 2
Confirmation requests
.IP \(bu 2
Forgot password requests
.IP \(bu 2
Passwordless login requests
.IP \(bu 2
Two\-factor login requests
.IP \(bu 2
Change two\-factor method requests
.IP \(bu 2
WebAuthn registration and signin requests
.IP \(bu 2
Two\-Factor recovery code requests
.UNINDENT
.sp
In addition, Single\-Page\-Applications (like those built with Vue, Angular, and
React) are supported via customizable redirect links.
.sp
Note: All registration requests done through JSON/Ajax utilize the \fBconfirm_register_form\fP\&.
.SS Command Line Interface
.sp
Basic \X'tty: link https://palletsprojects.com/p/click/'\fI\%Click\fP\X'tty: link' commands for managing users and roles are automatically
registered. They can be completely disabled or their names can be changed.
Run \fBflask \-\-help\fP and look for users and roles.
.SS Social/Oauth Authentication
.sp
Flask\-Security provides a thin layer which integrates \X'tty: link https://authlib.org/'\fI\%authlib\fP\X'tty: link' with Flask\-Security
views and features (such as two\-factor authentication). Flask\-Security is shipped
with support for github and google \- others can be added by the application (see \X'tty: link https://github.com/authlib/loginpass'\fI\%loginpass\fP\X'tty: link'
for many examples).
.sp
See \fI\%flask_security.OAuthGlue\fP and \fI\%flask_security.FsOAuthProvider\fP
.sp
Please note \- this is for authentication only, and the authenticating user must
already be a registered user in your application. Once authenticated, all further
authorization uses Flask\-Security role/permission mechanisms.
.sp
See \X'tty: link https://docs.authlib.org/en/latest/client/flask.html'\fI\%Flask OAuth Client\fP\X'tty: link'
for details. Note in particular, that you must setup and provide provider specific
information \- and most importantly \- XX_CLIENT_ID and XX_CLIENT_SECRET should be
specified as environment variables.
.sp
We have seen issues with some providers when \fISESSION_COOKIE_SAMESITE\fP = \(dqstrict\(dq.
The handshake (sometimes just the first time when the user is being asked to accept your application)
fails due to the session cookie not getting sent as part of the redirect.
.sp
A very simple example of configuring social auth with Flask\-Security is available
in the \fIexamples\fP directory.
.SS Configuration
.sp
\fBWARNING:\fP
.INDENT 0.0
.INDENT 3.5
Be sure to set all configuration (in app.config[\(dqxxx\(dq]) \fIPRIOR\fP to instantiating
the Security class or calling security.init_app().
.UNINDENT
.UNINDENT
.sp
The following configuration values are used by Flask\-Security:
.SS Core
.sp
These configuration keys are used globally across all features.
.INDENT 0.0
.TP
.B SECRET_KEY
This is actually part of Flask \- but is used by Flask\-Security to sign all tokens.
It is critical this is set to a strong value. For python3 consider using: \fBsecrets.token_urlsafe()\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_BLUEPRINT_NAME
Specifies the name for the Flask\-Security blueprint.
.sp
Default: \fB\(dqsecurity\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_URL_PREFIX
Specifies the URL prefix for the Flask\-Security blueprint.
.sp
Default: \fBNone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_STATIC_FOLDER
Specifies the folder name for static files (webauthn).
.sp
Default: \fB\(dqstatic\(dq\fP\&.
.sp
Added in version 5.1.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_STATIC_FOLDER_URL
Specifies the URL for static files used by Flask\-Security (webauthn).
See Flask documentation \X'tty: link https://flask.palletsprojects.com/en/latest/blueprints/#static-files'\fI\%https://flask.palletsprojects.com/en/latest/blueprints/#static\-files\fP\X'tty: link'
.sp
Default: \fB\(dq/fs\-static\(dq\fP\&.
.sp
Added in version 5.1.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_SUBDOMAIN
Specifies the subdomain for the Flask\-Security blueprint. If your authenticated
content is on a different subdomain, also enable \fI\%SECURITY_REDIRECT_ALLOW_SUBDOMAINS\fP\&.
.sp
Default: \fBNone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_FLASH_MESSAGES
Specifies whether or not to flash messages during security procedures.
.sp
Default: \fBTrue\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_I18N_DOMAIN
Specifies the name for domain used for translations.
.sp
Default: \fB\(dqflask_security\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_I18N_DIRNAME
Specifies the directory containing the \fBMO\fP files used for translations.
When using flask\-babel this can also be a list of directory names \- this
enables application to override a subset of messages if desired. The
default \fBbuiltin\fP uses translations shipped with Flask\-Security.
.sp
Default: \fB\(dqbuiltin\(dq\fP\&.
.sp
Changed in version 5.2.0: \(dqbuiltin\(dq is a special name which will be interpreted as the \fBtranslations\fP
directory within the installation of Flask\-Security.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_PASSWORD_HASH
Specifies the password hash algorithm to use when hashing passwords.
Recommended values for production systems are \fBbcrypt\fP, \fBargon2\fP, \fBsha512_crypt\fP, or
\fBpbkdf2_sha512\fP\&. Some algorithms require the installation  of a backend package (e.g. \X'tty: link https://pypi.org/project/bcrypt/'\fI\%bcrypt\fP\X'tty: link', \X'tty: link https://pypi.org/project/argon2-cffi/'\fI\%argon2\fP\X'tty: link').
.sp
Default: \fB\(dqbcrypt\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_PASSWORD_SCHEMES
List of support password hash algorithms. \fBSECURITY_PASSWORD_HASH\fP
must be from this list. Passwords encrypted with any of these schemes will be honored.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_DEPRECATED_PASSWORD_SCHEMES
List of password hash algorithms that are considered weak and
will be accepted, however on first use, will be re\-hashed to the current
setting of \fBSECURITY_PASSWORD_HASH\fP\&.
.sp
Default: \fB[\(dqauto\(dq]\fP which means any password found that wasn\(aqt
hashed using \fBSECURITY_PASSWORD_HASH\fP will be re\-hashed.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_PASSWORD_SALT
Specifies the HMAC salt. This is required for all schemes that
are configured for double hashing. A good salt can be generated using:
\fBsecrets.SystemRandom().getrandbits(128)\fP\&.
.sp
Default: \fBNone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_PASSWORD_SINGLE_HASH
A list of schemes that should not be hashed twice. By default, passwords are
hashed twice, first with \fBSECURITY_PASSWORD_SALT\fP, and then with a random salt.
.sp
Default: a list of known schemes not working with double hashing (\fIdjango_{digest}\fP, \fIplaintext\fP).
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_HASHING_SCHEMES
List of algorithms used for encrypting/hashing sensitive data within a token
(Such as is sent with confirmation or reset password).
.sp
Default: \fB[\(dqsha256_crypt\(dq, \(dqhex_md5\(dq]\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_DEPRECATED_HASHING_SCHEMES
List of deprecated algorithms used for creating and validating tokens.
.sp
Default: \fB[\(dqhex_md5\(dq]\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_PASSWORD_HASH_OPTIONS
Specifies additional options to be passed to the hashing method. This is deprecated as of passlib 1.7.
.sp
Deprecated since version 3.4.0: see: \fI\%SECURITY_PASSWORD_HASH_PASSLIB_OPTIONS\fP

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_PASSWORD_HASH_PASSLIB_OPTIONS
Pass additional options to the various hashing methods. This is a
dict of the form \fB{<scheme>__<option>: <value>, ..}\fP
e.g. {\(dqargon2__rounds\(dq: 10}.
.sp
Added in version 3.3.1.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_PASSWORD_LENGTH_MIN
Minimum required length for passwords.
.sp
Default: \fB8\fP
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_PASSWORD_COMPLEXITY_CHECKER
Set to complexity checker to use (Only \fBzxcvbn\fP supported).
.sp
Default: \fBNone\fP
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_ZXCVBN_MINIMUM_SCORE
Required \fBzxcvbn\fP password complexity score (0\-4).
Refer to \X'tty: link https://github.com/dropbox/zxcvbn#usage'\fI\%https://github.com/dropbox/zxcvbn#usage\fP\X'tty: link' for exact meanings of
different score values.
.sp
Default: \fB3\fP (Good or Strong)
.sp
Added in version 5.0.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_PASSWORD_CHECK_BREACHED
If not \fBNone\fP new/changed passwords will be checked against the
database of breached passwords at \X'tty: link https://api.pwnedpasswords.com'\fI\%https://api.pwnedpasswords.com\fP\X'tty: link'\&.
If set to \fBstrict\fP then if the site can\(aqt be reached, validation will fail.
If set to \fBbest\-effort\fP failure to reach the site will continue
with the rest of password validation.
.sp
Default: \fBNone\fP
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_PASSWORD_BREACHED_COUNT
Passwords with counts greater than or equal to this value are considered breached.
.sp
Default: 1  \- which might be to burdensome for some applications.
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_PASSWORD_NORMALIZE_FORM
Passwords are normalized prior to changing or comparing. This satisfies
the NIST requirement: \X'tty: link https://pages.nist.gov/800-63-3/sp800-63b.html#sec5'\fI\%5.1.1.2 Memorized Secret Verifiers\fP\X'tty: link'\&.
Normalization is performed using the Python unicodedata.normalize() method.
.sp
Default: \fB\(dqNFKD\(dq\fP
.sp
Added in version 4.0.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_PASSWORD_REQUIRED
If set to \fBFalse\fP then a user can register with an empty password.
This requires \fI\%SECURITY_UNIFIED_SIGNIN\fP to be enabled. By
default, the user will be able to authenticate using an email link.
Please note: this does not mean a user can sign in with an empty
password \- it means that they must have some OTHER means of authenticating.
.sp
Default: \fBTrue\fP
.sp
Added in version 5.0.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TOKEN_AUTHENTICATION_KEY
Specifies the query string parameter to read when using token authentication.
.sp
Default: \fB\(dqauth_token\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TOKEN_AUTHENTICATION_HEADER
Specifies the HTTP header to read when using token authentication.
.sp
Default: \fB\(dqAuthentication\-Token\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TOKEN_MAX_AGE
Specifies the number of seconds before an authentication token expires.
.sp
Default: \fBNone\fP, meaning the token never expires.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TOKEN_EXPIRE_TIMESTAMP
A callable that returns a unix timestamp in the future when this specific
authentication token should expire. Returning 0 means no expiration.
It is passed the currently authenticated User so any fields can be used
to customize an expiration time. Of course it is called in a request
context so any information about the current request can also be used.
.sp
If BOTH this and \fI\%SECURITY_TOKEN_MAX_AGE\fP are set \- the shorter is used.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
These 2 expiry options work differently \- with this one, the actual expire
timestamp is in the auth_token. The signed token (using itsdangerous)
has the timestamp the token was generated. On validation, that is checked
against \fBSECURITY_TOKEN_MAX_AGE\fP\&. So for MAX_AGE, at the time of
validation, the token hasn\(aqt yet been associated with a User.
.UNINDENT
.UNINDENT
.sp
Default: \fBlambda user: 0\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_EMAIL_VALIDATOR_ARGS
Email address are validated and normalized via the \fBmail_util_cls\fP which
defaults to \fI\%MailUtil\fP\&. That uses the \X'tty: link https://pypi.org/project/email-validator/'\fI\%email_validator\fP\X'tty: link' package whose methods
have configurable options \- these can be set here and will be passed in.
For example setting this to: \fB{\(dqcheck_deliverability\(dq: False}\fP is useful
when unit testing if the emails are fake.
.sp
\fBmail_util_cls\fP has 2 methods \- \fBnormalize\fP and \fBvalidate\fP\&. Both
ensure the passed value is a valid email address, and returns a normalized
version. \fBvalidate\fP additionally, by default, verifies that the email
address can likely actually receive an email.
.sp
Default: \fBNone\fP, meaning use the defaults from email_validator package.
.sp
Added in version 4.0.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_DEFAULT_HTTP_AUTH_REALM
Specifies the default authentication realm when using basic HTTP auth.
.sp
Default: \fBLogin Required\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_REDIRECT_BEHAVIOR
Passwordless login, confirmation, reset password, unified signin, and oauth signin
have GET endpoints that validate the passed token and redirect to an action form.
For Single\-Page\-Applications style UIs which need to control their own internal URL routing these redirects
need to not contain forms, but contain relevant information as query parameters.
Setting this to \fB\(dqspa\(dq\fP will enable that behavior.
.sp
When this is enabled, the following must also be defined:
.INDENT 7.0
.IP \(bu 2
\fI\%SECURITY_POST_OAUTH_LOGIN_VIEW\fP  (if \fI\%SECURITY_OAUTH_ENABLE\fP is True)
.IP \(bu 2
\fI\%SECURITY_LOGIN_ERROR_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_CONFIRM_ERROR_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_POST_CONFIRM_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_RESET_ERROR_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_RESET_VIEW\fP
.UNINDENT
.sp
Default: \fBNone\fP which is existing html\-style form redirects.
.sp
Added in version 3.3.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_REDIRECT_HOST
Mostly for development purposes, the UI is often developed
separately and is running on a different port than the
Flask application. In order to test redirects, the \fInetloc\fP
of the redirect URL needs to be rewritten. Setting this to e.g. \fIlocalhost:8080\fP does that.
.sp
\fBTIP:\fP
.INDENT 7.0
.INDENT 3.5
Be aware that when this is set, any of the \fI*_VIEW\fP configuration variables that are set
to URLs and not endpoints, will be redirected to this host.
.UNINDENT
.UNINDENT
.sp
Default: \fBNone\fP\&.
.sp
Added in version 3.3.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_REDIRECT_ALLOW_SUBDOMAINS
If \fBTrue\fP then subdomains (and the root domain) of the top\-level host set
by Flask\(aqs \fBSERVER_NAME\fP configuration will be allowed as post\-view redirect targets.
This is beneficial if you wish to place your authentiation on one subdomain and
authenticated content on another, for example \fBauth.domain.tld\fP and \fBapp.domain.tld\fP\&.
.sp
Default: \fBFalse\fP\&.
.sp
Added in version 4.0.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_CSRF_PROTECT_MECHANISMS
Authentication mechanisms that require CSRF protection.
These are the same mechanisms as are permitted in the \fB@auth_required\fP decorator.
.sp
Default: \fB(\(dqbasic\(dq, \(dqsession\(dq, \(dqtoken\(dq)\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_CSRF_IGNORE_UNAUTH_ENDPOINTS
If \fBTrue\fP then CSRF will not be required for endpoints
that don\(aqt require authentication (e.g. login, logout, register, forgot_password).
.sp
Default: \fBFalse\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_CSRF_COOKIE_NAME
The name for the CSRF cookie. This usually should be dictated by your
client\-side code  \- more information can be found at \fI\%CSRF\fP
.sp
Default: \fBNone\fP \- meaning no cookie will be sent.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_CSRF_COOKIE
A dict that defines the parameters required to
set a CSRF cookie.
The complete set of parameters is described in Flask\(aqs \X'tty: link https://flask.palletsprojects.com/en/1.1.x/api/?highlight=set_cookie#flask.Response.set_cookie'\fI\%set_cookie\fP\X'tty: link' documentation.
.sp
Default: \fB{\(dqsamesite\(dq: \(dqStrict\(dq, \(dqhttponly\(dq: False, \(dqsecure\(dq: False}\fP
.sp
Changed in version 4.1.0: The \(aqkey\(aq attribute was deprecated in favor of a separate configuration
variable \fBSECURITY_CSRF_COOKIE_NAME\fP\&.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_CSRF_HEADER
The HTTP Header name that will contain the CSRF token. \fBX\-XSRF\-Token\fP
is used by packages such as \X'tty: link https://github.com/axios/axios'\fI\%axios\fP\X'tty: link'\&.
.sp
Default: \fB\(dqX\-XSRF\-Token\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_CSRF_COOKIE_REFRESH_EACH_REQUEST
By default, csrf_tokens have an expiration (controlled
by the configuration variable \fBWTF_CSRF_TIME_LIMIT\fP\&.
This can cause CSRF failures if say an application is left
idle for a long time. You can set that time limit to \fBNone\fP
or have the CSRF cookie sent on every request (which will give
it a new expiration time).
.sp
Default: \fBFalse\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_EMAIL_SENDER
Specifies the email address to send emails as.
.sp
Default: value set to \fBMAIL_DEFAULT_SENDER\fP if Flask\-Mail is used otherwise \fBno\-reply@localhost\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_USER_IDENTITY_ATTRIBUTES
Specifies which attributes of the user object can be used for credential validation.
.sp
Defines the order and matching that will be applied when validating login
credentials (either via standard login form or the unified sign in form).
The identity field in the form will be matched in order using this configuration
\- the FIRST match will then be used to look up the user in the DB.
.sp
Mapping functions take a single argument \- \fBidentity\fP from the form
and should return \fBNone\fP if the \fBidentity\fP argument isn\(aqt in a format
suitable for the attribute. If the \fBidentity\fP argument format matches, it
should be returned, optionally having had some canonicalization performed.
The returned result will be used to look up the identity in the UserDataStore
using the column name specified in the key.
.sp
The provided \fI\%flask_security.uia_phone_mapper()\fP for example performs
phone number normalization using the \fBphonenumbers\fP package.
.sp
\fBTIP:\fP
.INDENT 7.0
.INDENT 3.5
If your mapper performs any sort of canonicalization/normalization,
make sure you apply the exact same transformation in your form validator
when setting the field.
.UNINDENT
.UNINDENT
.sp
\fBDANGER:\fP
.INDENT 7.0
.INDENT 3.5
Make sure that any attributes listed here are marked Unique in your UserDataStore
model.
.UNINDENT
.UNINDENT
.sp
\fBDANGER:\fP
.INDENT 7.0
.INDENT 3.5
Make sure your mapper methods guard against malicious user input. For example,
if you allow \fBusername\fP as an identity method you could use \X'tty: link https://pypi.org/project/bleach/'\fI\%bleach\fP\X'tty: link':
.INDENT 0.0
.INDENT 3.5
.sp
.EX
def uia_username_mapper(identity):
    # we allow pretty much anything \- but we bleach it.
    return bleach.clean(identity, strip=True)
.EE
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Default:
.INDENT 7.0
.INDENT 3.5
.sp
.EX
[
    {\(dqemail\(dq: {\(dqmapper\(dq: uia_email_mapper, \(dqcase_insensitive\(dq: True}},
]
.EE
.UNINDENT
.UNINDENT
.sp
If you enable \fI\%SECURITY_UNIFIED_SIGNIN\fP and set \fBsms\fP as a \fI\%SECURITY_US_ENABLED_METHODS\fP
and your \fISECURITY_USER_IDENTITY_ATTRIBUTES\fP contained:
.INDENT 7.0
.INDENT 3.5
.sp
.EX
[
    {\(dqemail\(dq: {\(dqmapper\(dq: uia_email_mapper, \(dqcase_insensitive\(dq: True}},
    {\(dqus_phone_number\(dq: {\(dqmapper\(dq: uia_phone_mapper}},
]
.EE
.UNINDENT
.UNINDENT
.sp
Then after the user sets up their SMS \- they could login using their phone number and
get a text with the authentication code.
.sp
Changed in version 4.0.0: Changed from list to list of dict.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_USER_IDENTITY_MAPPINGS
Added in version 3.4.0.

.sp
Deprecated since version 4.0.0: Superseded by \fI\%SECURITY_USER_IDENTITY_ATTRIBUTES\fP

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_API_ENABLED_METHODS
Various endpoints of Flask\-Security require the caller to be authenticated.
This variable controls which of the methods \- \fBtoken\fP, \fBsession\fP, \fBbasic\fP
will be allowed. The default does NOT include \fBbasic\fP since if \fBbasic\fP
is in the list, and if the user is NOT authenticated, then the standard/required
response of 401 with the \fBWWW\-Authenticate\fP header is returned. This is
rarely what the client wants.
.sp
Default: \fB[\(dqsession\(dq, \(dqtoken\(dq]\fP\&.
.sp
Added in version 4.0.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_DEFAULT_REMEMBER_ME
Specifies the default \(dqremember me\(dq value used when logging in a user.
.sp
Default: \fBFalse\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_RETURN_GENERIC_RESPONSES
If set to \fBTrue\fP Flask\-Security will return generic responses to endpoints
that could be used to enumerate users. Please see \fI\%Generic Responses \- Avoiding User Enumeration\fP\&.
.sp
Default: \fBFalse\fP
.sp
Added in version 5.0.0.

.UNINDENT
.SS Core \- Multi\-factor
.sp
These are used by the Two\-Factor and Unified Signin features.
.INDENT 0.0
.TP
.B SECURITY_TOTP_SECRETS
Secret used to encrypt the totp_password both into DB and into the session cookie.
Best practice is to set this to:
.INDENT 7.0
.INDENT 3.5
.sp
.EX
from passlib import totp
\(dq{1: <result of totp.generate_secret()>}\(dq
.EE
.UNINDENT
.UNINDENT
.sp
See: \X'tty: link https://passlib.readthedocs.io/en/stable/narr/totp-tutorial.html#totp-encryption-setup'\fI\%Totp\fP\X'tty: link' for details.
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TOTP_ISSUER
Specifies the name of the service or application that the user is authenticating to.
This will be the name displayed by most authenticator apps.
.sp
Default: \fBNone\fP\&.
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_SMS_SERVICE
Specifies the name of the sms service provider. Out of the box
\(dqTwilio\(dq is supported. For other sms service providers you will need
to subclass \fI\%SmsSenderBaseClass\fP and register it:
.INDENT 7.0
.INDENT 3.5
.sp
.EX
SmsSenderFactory.senders[<service\-name>] = <service\-class>
.EE
.UNINDENT
.UNINDENT
.sp
Default: \fBDummy\fP which does nothing.
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_SMS_SERVICE_CONFIG
Specifies a dictionary of basic configurations needed for use of a sms service.
For \(dqTwilio\(dq the following keys are required (fill in from your Twilio dashboard):
.sp
Default: \fB{\(aqACCOUNT_SID\(aq: NONE, \(aqAUTH_TOKEN\(aq: NONE, \(aqPHONE_NUMBER\(aq: NONE}\fP
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_PHONE_REGION_DEFAULT
Assigns a default \(aqregion\(aq for phone numbers used for two\-factor or
unified sign in. All other phone numbers will require a region prefix to
be accepted.
.sp
Default: \fB\(dqUS\(dq\fP
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_FRESHNESS
A timedelta used to protect endpoints that alter sensitive information.
This is used to protect the following endpoints:
.INDENT 7.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fI\%SECURITY_US_SETUP_URL\fP
.IP \(bu 2
\fI\%SECURITY_TWO_FACTOR_SETUP_URL\fP
.IP \(bu 2
\fI\%SECURITY_WAN_REGISTER_URL\fP
.IP \(bu 2
\fI\%SECURITY_MULTI_FACTOR_RECOVERY_CODES\fP
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Setting this to a negative number will disable any freshness checking and
the endpoints:
.INDENT 7.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fI\%SECURITY_VERIFY_URL\fP
.IP \(bu 2
\fI\%SECURITY_US_VERIFY_URL\fP
.IP \(bu 2
\fI\%SECURITY_US_VERIFY_SEND_CODE_URL\fP
.IP \(bu 2
\fI\%SECURITY_WAN_VERIFY_URL\fP
.UNINDENT
.UNINDENT
.UNINDENT
.sp
won\(aqt be registered.
Setting this to 0 results in undefined behavior.
Please see \fI\%flask_security.check_and_update_authn_fresh()\fP for details.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
This stores freshness information in the session \- which must be presented
(usually via a Cookie) to the above endpoints. To disable this, set it
to \fBtimedelta(minutes=\-1)\fP
.UNINDENT
.UNINDENT
.sp
Default: timedelta(hours=24)
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_FRESHNESS_GRACE_PERIOD
A timedelta that provides a grace period when altering sensitive
information.
This is used to protect the endpoints:
.INDENT 7.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fI\%SECURITY_US_SETUP_URL\fP
.IP \(bu 2
\fI\%SECURITY_TWO_FACTOR_SETUP_URL\fP
.IP \(bu 2
\fI\%SECURITY_WAN_REGISTER_URL\fP
.IP \(bu 2
\fI\%SECURITY_MULTI_FACTOR_RECOVERY_CODES\fP
.UNINDENT
.UNINDENT
.UNINDENT
.sp
N.B. To avoid strange behavior, be sure to set the grace period less than
the freshness period.
Please see \fI\%flask_security.check_and_update_authn_fresh()\fP for details.
.sp
Default: timedelta(hours=1)
.sp
Added in version 3.4.0.

.UNINDENT
.SS Core \- Compatibility
.sp
These are flags that change various backwards compatability functionality.
.INDENT 0.0
.TP
.B SECURITY_ANONYMOUS_USER_DISABLED
If set to \fITrue\fP then \fI\%flask_security.current_user\fP will be \fINone\fP for unauthenticated
users instead of pointing to an AnonymousUser object. Note that Flask\-Login intends
to deprecate the entire AnonymousUser concept.
.sp
Default: \fBFalse\fP\&.
.sp
Added in version 5.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_BACKWARDS_COMPAT_UNAUTHN
If set to \fBTrue\fP then the default behavior for authentication
failures from one of Flask\-Security\(aqs decorators will be restored to
be compatible with releases prior to 3.3.0 (return 401 and some static html).
.sp
Default: \fBFalse\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_BACKWARDS_COMPAT_AUTH_TOKEN
If set to \fBTrue\fP then an Authentication\-Token will be returned
on every successful call to login, reset\-password, change\-password
as part of the JSON response. This was the default prior to release 3.3.0
\- however sending Authentication\-Tokens (which by default don\(aqt expire)
to session based UIs is a bad security practice.
.sp
Default: \fBFalse\fP\&.
.UNINDENT
.SS Core \- rarely need changing
.INDENT 0.0
.TP
.B SECURITY_DATETIME_FACTORY
Specifies the default datetime factory. The default is naive\-UTC which
corresponds to many DB\(aqs DateTime type.
.sp
Default:\fBflask_security.naive_utcnow\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_CONFIRM_SALT
Specifies the salt value when generating confirmation links/tokens.
.sp
Default: \fB\(dqconfirm\-salt\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_RESET_SALT
Specifies the salt value when generating password reset links/tokens.
.sp
Default: \fB\(dqreset\-salt\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_LOGIN_SALT
Specifies the salt value when generating login links/tokens.
.sp
Default: \fB\(dqlogin\-salt\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_REMEMBER_SALT
Specifies the salt value when generating remember tokens.
Remember tokens are used instead of user ID\(aqs as it is more secure.
.sp
Default: \fB\(dqremember\-salt\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_VALIDITY_SALT
Specifies the salt value when generating two factor validity tokens.
.sp
Default: \fB\(dqtf\-validity\-salt\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_SETUP_SALT
Default: \fB\(dqus\-setup\-salt\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_SALT
Default: \fB\(dqwan\-salt\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_EMAIL_PLAINTEXT
Sends email as plaintext using \fB*.txt\fP template.
.sp
Default: \fBTrue\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_EMAIL_HTML
Sends email as HTML using \fB*.html\fP template.
.sp
Default: \fBTrue\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_CLI_USERS_NAME
Specifies the name for the command managing users. Disable by setting \fBFalse\fP\&.
.sp
Default: \fB\(dqusers\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_CLI_ROLES_NAME
Specifies the name for the command managing roles. Disable by setting \fBFalse\fP\&.
.sp
Default: \fB\(dqroles\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_JOIN_USER_ROLES
Specifies whether to set the \fBUserModel.roles\fP loading relationship to \fBjoined\fP when a \fBroles\fP attribute
is present for a SQLAlchemy Datastore. Setting this to \fBFalse\fP restores pre 3.3.0 behavior and is required if the \fBroles\fP attribute
is not a joinable attribute on the \fBUserModel\fP\&. The default setting improves performance by only requiring a single
DB call.
.sp
Default: \fBTrue\fP\&.
.sp
Added in version 3.4.0.

.UNINDENT
.SS Login/Logout
.INDENT 0.0
.TP
.B SECURITY_LOGIN_URL
Specifies the login URL.
.sp
Default: \fB\(dq/login\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_LOGOUT_URL
Specifies the logout URL.
.sp
Default:\fB\(dq/logout\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_LOGOUT_METHODS
Specifies the HTTP request methods that the logout URL accepts. Specify \fBNone\fP to disable the logout URL (and implement your own).
Configuring with just \fB[\(dqPOST\(dq]\fP is slightly more secure. The default includes \fB\(dqGET\(dq\fP for backwards compatibility.
.sp
Default: \fB[\(dqGET\(dq, \(dqPOST\(dq]\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_POST_LOGIN_VIEW
Specifies the default view to redirect to after a user logs in. This value can be set to a URL
or an endpoint name. Defaults to the Flask config \fBAPPLICATION_ROOT\fP value which itself defaults to \fB\(dq/\(dq\fP\&.
Note that if the request URL or form has a \fBnext\fP parameter, that will take precedence.
.sp
Default: \fBAPPLICATION_ROOT\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_POST_LOGOUT_VIEW
Specifies the default view to redirect to after a user logs out. This value can be set to a URL
or an endpoint name. Defaults to the Flask config \fBAPPLICATION_ROOT\fP value which itself defaults to \fB\(dq/\(dq\fP\&.
Note that if the request URL or form has a \fBnext\fP parameter, that will take precedence.
.sp
Default: \fBAPPLICATION_ROOT\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_UNAUTHORIZED_VIEW
Specifies the view to redirect to if a user attempts to access a URL/endpoint that they do
not have permission to access. This can be a callable (which returns a URL or \fBNone\fP) or an endpoint or a URL.
If this value is \fBNone\fP or the configured callable returns \fBNone\fP or empty, the user is presented with a default HTTP 403 response.
.sp
Default: \fBNone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_LOGIN_USER_TEMPLATE
Specifies the path to the template for the user login page.
.sp
Default: \fB\(dqsecurity/login_user.html\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_VERIFY_URL
Specifies the re\-authenticate URL. If \fI\%SECURITY_FRESHNESS\fP evaluates to < 0; this
endpoint won\(aqt be registered.
.sp
Default: \fB\(dq/verify\(dq\fP
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_VERIFY_TEMPLATE
Specifies the path to the template for the verify password page.
.sp
Default: \fB\(dqsecurity/verify.html\(dq\fP\&.
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_POST_VERIFY_URL
Specifies the default view to redirect to after a user successfully re\-authenticates either via
the \fI\%SECURITY_VERIFY_URL\fP or the \fI\%SECURITY_US_VERIFY_URL\fP\&.
Normally this won\(aqt need to be set and after the verification/re\-authentication, the referring
view (held in the \fBnext\fP parameter) will be redirected to.
.sp
Default: \fBNone\fP\&.
.sp
Added in version 3.4.0.

.UNINDENT
.SS Registerable
.INDENT 0.0
.TP
.B SECURITY_REGISTERABLE
Specifies if Flask\-Security should create a user registration endpoint.
.sp
Default: \fBFalse\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_SEND_REGISTER_EMAIL
Specifies whether registration email is sent.
.sp
Default: \fBTrue\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_EMAIL_SUBJECT_REGISTER
Sets the subject for the confirmation email.
.sp
Default: \fB_(\(dqWelcome\(dq)\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_REGISTER_USER_TEMPLATE
Specifies the path to the template for the user registration page.
.sp
Default: \fB\(dqsecurity/register_user.html\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_POST_REGISTER_VIEW
Specifies the view to redirect to after a user successfully registers.
This value can be set to a URL or an endpoint name. If this value is
\fBNone\fP, the user is redirected to the value of \fBSECURITY_POST_LOGIN_VIEW\fP\&.
Note that if the request URL or form has a \fBnext\fP parameter, that will take precedence.
.sp
Default: \fBNone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_REGISTER_URL
Specifies the register URL.
.sp
Default: \fB\(dq/register\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_USERNAME_ENABLE
If set to True, the default registration form and template, and
login form and template will have
a username field added. This requires that your user model contain the
field \fBusername\fP\&. It MUST be set as \(aqunique\(aq and if you don\(aqt want
to require a username, it should be set as \(aqnullable\(aq.
.sp
If you already have added a username field to your forms, don\(aqt set this
option \- the system will throw an exception at init_app time.
.sp
Validation and normalization is encapsulated in \fI\%UsernameUtil\fP\&.
Note that the default validation restricts username input to be unicode
letters and numbers. It also uses \fBbleach\fP to scrub any risky input. Be
sure your application requirements includes \X'tty: link https://pypi.org/project/bleach/'\fI\%bleach\fP\X'tty: link'\&.
.sp
Default: \fBFalse\fP
.sp
Added in version 4.1.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_USERNAME_REQUIRED
If username is enabled, is it required as part of registration?
.sp
Default: \fBFalse\fP
.sp
Added in version 4.1.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_USERNAME_MIN_LENGTH
Minimum length of a username.
.sp
Default: \fB4\fP
.sp
Added in version 4.1.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_USERNAME_MAX_LENGTH
Maximum length of a username.
.sp
Default: \fB32\fP
.sp
Added in version 4.1.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_USERNAME_NORMALIZE_FORM
Usernames, by default, are normalized using the Python unicodedata.normalize() method.
.sp
Default: \fB\(dqNFKD\(dq\fP
.sp
Added in version 4.1.0.

.UNINDENT
.SS Confirmable
.INDENT 0.0
.TP
.B SECURITY_CONFIRMABLE
Specifies if users are required to confirm their email address when
registering a new account. If this value is \fITrue\fP, Flask\-Security creates an endpoint to handle
confirmations and requests to resend confirmation instructions.
.sp
Default: \fBFalse\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_CONFIRM_EMAIL_WITHIN
Specifies the amount of time a user has before their confirmation
link expires. Always pluralize the time unit for this value.
.sp
Default: \fB\(dq5 days\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_CONFIRM_URL
Specifies the email confirmation URL.
.sp
Default: \fB\(dq/confirm\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_SEND_CONFIRMATION_TEMPLATE
Specifies the path to the template for the resend confirmation instructions page.
.sp
Default: \fB\(dqsecurity/send_confirmation.html\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_EMAIL_SUBJECT_CONFIRM
Sets the subject for the email confirmation message.
.sp
Default: \fB_(\(dqPlease confirm your email\(dq)\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_CONFIRM_ERROR_VIEW
Specifies the view to redirect to if a confirmation error occurs.
This value can be set to a URL or an endpoint name.
If this value is \fBNone\fP, the user is presented the default view
to resend a confirmation link. In the case of \fBSECURITY_REDIRECT_BEHAVIOR\fP == \fB\(dqspa\(dq\fP
query params in the redirect will contain the error.
.sp
Default: \fBNone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_POST_CONFIRM_VIEW
Specifies the view to redirect to after a user successfully confirms their email.
This value can be set to a URL or an endpoint name. If this value is \fBNone\fP, the user is redirected to the
value of \fBSECURITY_POST_LOGIN_VIEW\fP\&.
.sp
Default: \fBNone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_AUTO_LOGIN_AFTER_CONFIRM
If \fBTrue\fP, then the user corresponding to the confirmation token will be automatically signed in.
If \fBFalse\fP (the default) then the user will be requires to authenticate using the usual mechanism(s).
Note that the confirmation token is not valid after being used once. This is not recommended by OWASP
however an application that is by invite only (no self\-registration) might find this useful.
.sp
Default: \fBFalse\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_LOGIN_WITHOUT_CONFIRMATION
Specifies if a user may login before confirming their email when
the value of \fBSECURITY_CONFIRMABLE\fP is set to \fBTrue\fP\&.
.sp
Default: \fBFalse\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_REQUIRES_CONFIRMATION_ERROR_VIEW
Specifies a redirect page if the users tries to login, reset password or us\-signin with an unconfirmed account.
If an URL endpoint is specified, flashes an error messages and redirects.
Default behavior is to reload the form with an error message without redirecting to an other page.
.sp
Default: \fBNone\fP\&.
.UNINDENT
.SS Changeable
.sp
Configuration variables for the \fBSECURITY_CHANGEABLE\fP feature:
.INDENT 0.0
.TP
.B SECURITY_CHANGEABLE
Specifies if Flask\-Security should enable the change password endpoint.
.sp
Default: \fBFalse\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_CHANGE_URL
Specifies the password change URL.
.sp
Default: \fB\(dq/change\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_POST_CHANGE_VIEW
Specifies the view to redirect to after a user successfully changes their password.
This value can be set to a URL or an endpoint name.
If this value is \fBNone\fP, the user is redirected  to the
value of \fBSECURITY_POST_LOGIN_VIEW\fP\&.
.sp
Default: \fBNone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_CHANGE_PASSWORD_TEMPLATE
Specifies the path to the template for the change password page.
.sp
Default: \fB\(dqsecurity/change_password.html\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_SEND_PASSWORD_CHANGE_EMAIL
Specifies whether password change email is sent.
.sp
Default: \fBTrue\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_EMAIL_SUBJECT_PASSWORD_CHANGE_NOTICE
Sets the subject for the password change notice.
.sp
Default: \fB_(\(dqYour password has been changed\(dq)\fP\&.
.UNINDENT
.SS Recoverable
.INDENT 0.0
.TP
.B SECURITY_RECOVERABLE
Specifies if Flask\-Security should create a password reset/recover endpoint.
.sp
Default: \fBFalse\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_RESET_URL
Specifies the password reset URL.
.sp
Default: \fB\(dq/reset\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_RESET_PASSWORD_TEMPLATE
Specifies the path to the template for the reset password page.
.sp
Default: \fB\(dqsecurity/reset_password.html\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_FORGOT_PASSWORD_TEMPLATE
Specifies the path to the template for the forgot password page.
.sp
Default: \fB\(dqsecurity/forgot_password.html\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_POST_RESET_VIEW
Specifies the view to redirect to after a user successfully resets their password.
This value can be set to a URL or an endpoint name. If this
value is \fBNone\fP, the user is redirected to the value of \fB\&.login\fP if
\fI\%SECURITY_AUTO_LOGIN_AFTER_RESET\fP is \fBFalse\fP or \fI\%SECURITY_POST_LOGIN_VIEW\fP
if \fBTrue\fP
.sp
Default: \fBNone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_RESET_VIEW
Specifies the view/URL to redirect to after a GET reset\-password link.
This is only valid if \fI\%SECURITY_REDIRECT_BEHAVIOR\fP == \fB\(dqspa\(dq\fP\&.
Query params in the redirect will contain the \fBtoken\fP\&.
.sp
Default: \fBNone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_AUTO_LOGIN_AFTER_RESET
If \fBFalse\fP then on successful reset the user will be required to signin again.
Note that the reset token is not valid after being used once.
If \fBTrue\fP, then the user corresponding to the
reset token will be automatically signed in. Note: auto\-login is contrary
to OWASP best security practices. This option is for backwards compatibility
and is deprecated.
.sp
Default: \fBFalse\fP\&.
.sp
Added in version 5.3.0.

.sp
Deprecated since version 5.3.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_RESET_ERROR_VIEW
Specifies the view/URL to redirect to after a GET reset\-password link when there is an error.
This is only valid if \fI\%SECURITY_REDIRECT_BEHAVIOR\fP == \fBspa\fP\&.
Query params in the redirect will contain the error.
.sp
Default: \fBNone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_RESET_PASSWORD_WITHIN
Specifies the amount of time a user has before their password reset link expires.
Always pluralize the time unit for this value.
.sp
Default: \fB\(dq1 days\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_SEND_PASSWORD_RESET_EMAIL
Specifies whether password reset email is sent. These are instructions
including a link that can be clicked on.
.sp
Default: \fBTrue\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_SEND_PASSWORD_RESET_NOTICE_EMAIL
Specifies whether password reset notice email is sent. This is sent once
a user\(aqs password was successfully reset.
.sp
Default: \fBTrue\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_EMAIL_SUBJECT_PASSWORD_RESET
Sets the subject for the password reset email.
.sp
Default: \fB_(\(dqPassword reset instructions\(dq)\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_EMAIL_SUBJECT_PASSWORD_NOTICE
Sets subject for the password notice.
.sp
Default: \fB_(\(dqYour password has been reset\(dq)\fP\&.
.UNINDENT
.SS Two\-Factor
.sp
Configuration related to the two\-factor authentication feature.
.sp
Added in version 3.2.0.

.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR
Specifies if Flask\-Security should enable the two\-factor login feature.
If set to \fBTrue\fP, in addition to their passwords, users will be required to
enter a code that is sent to them. Note that unless
\fBSECURITY_TWO_FACTOR_REQUIRED\fP is set \- this is opt\-in.
.sp
Default: \fBFalse\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_REQUIRED
If set to \fBTrue\fP then all users will be required to setup and use two factor authorization.
.sp
Default: \fBFalse\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_ENABLED_METHODS
Specifies the default enabled methods for two\-factor authentication.
.sp
Default: \fB[\(aqemail\(aq, \(aqauthenticator\(aq, \(aqsms\(aq]\fP which are the only currently supported methods.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_SECRET
Deprecated since version 3.4.0: see: \fI\%SECURITY_TOTP_SECRETS\fP

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_URI_SERVICE_NAME
Deprecated since version 3.4.0: see: \fI\%SECURITY_TOTP_ISSUER\fP

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_SMS_SERVICE
Deprecated since version 3.4.0: see: \fI\%SECURITY_SMS_SERVICE\fP

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_SMS_SERVICE_CONFIG
Deprecated since version 3.4.0: see: \fI\%SECURITY_SMS_SERVICE_CONFIG\fP

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_AUTHENTICATOR_VALIDITY
Specifies the number of seconds access token is valid.
.sp
Default: \fB120\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_MAIL_VALIDITY
Specifies the number of seconds access token is valid.
.sp
Default: \fB300\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_SMS_VALIDITY
Specifies the number of seconds access token is valid.
.sp
Default: \fB120\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_RESCUE_MAIL
Specifies the email address users send mail to when they can\(aqt complete the
two\-factor authentication login.
.sp
Default: \fB\(dqno\-reply@localhost\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_EMAIL_SUBJECT_TWO_FACTOR
Sets the subject for the two factor feature.
.sp
Default: \fB_(\(dqTwo\-factor Login\(dq)\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_EMAIL_SUBJECT_TWO_FACTOR_RESCUE
Sets the subject for the two factor help function.
.sp
Default: \fB_(\(dqTwo\-factor Rescue\(dq)\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_VERIFY_CODE_TEMPLATE
Specifies the path to the template for the verify code page for the two\-factor authentication process.
.sp
Default: \fB\(dqsecurity/two_factor_verify_code.html\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_SETUP_TEMPLATE
Specifies the path to the template for the setup page for the two factor authentication process.
.sp
Default: \fB\(dqsecurity/two_factor_setup.html\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_SETUP_URL
Specifies the two factor setup URL.
.sp
Default: \fB\(dq/tf\-setup\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_TOKEN_VALIDATION_URL
Specifies the two factor token validation URL.
.sp
Default: \fB\(dq/tf\-validate\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_RESCUE_URL
Specifies the two factor rescue URL.
.sp
Default: \fB\(dq/tf\-rescue\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_SELECT_URL
Specifies the two factor select URL. This is used when the user has
setup more than one second factor.
.sp
Default: \fB\(dq/tf\-select\(dq\fP\&.
.sp
Added in version 5.0.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_ERROR_VIEW
Specifies a URL or endpoint to redirect to if the system detects that
a two\-factor endpoint is being accessed without the proper state. For example
if \fBtf\-validate\fP is accessed but the caller hasn\(aqt yet successfully passed the
primary authentication.
.sp
Default: \fB\(dq.login\(dq\fP
.sp
Added in version 5.1.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_POST_SETUP_VIEW
Specifies the view to redirect to after a user successfully setups a two\-factor method (non\-json).
This value can be set to a URL or an endpoint name.
.sp
Default: \fB\(dq.two_factor_setup\(dq\fP
.sp
Added in version 5.1.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_SELECT_TEMPLATE
Specifies the path to the template for the select method page for the two\-factor authentication process.
This is used when more than one two\-factor method has been setup (e.g. SMS and Webauthn).
.sp
Default: \fB\(dqsecurity/two_factor_select.html\(dq\fP\&.
.sp
Added in version 5.0.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_ALWAYS_VALIDATE
Specifies whether the application should require a two factor code upon every login.
If set to \fBFalse\fP then the 2 values below are used to determine when
a code is required. Note that this is cookie based \- so a new browser
session will always require a fresh two\-factor code.
.sp
Default: \fBTrue\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_LOGIN_VALIDITY
Specifies the expiration of the two factor validity cookie and verification of the token.
.sp
Default: \fB\(dq30 Days\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_VALIDITY_COOKIE
A dictionary containing the parameters of the two factor validity cookie.
The complete set of parameters is described in Flask\(aqs \X'tty: link https://flask.palletsprojects.com/en/1.1.x/api/?highlight=set_cookie#flask.Response.set_cookie'\fI\%set_cookie\fP\X'tty: link' documentation.
.sp
Default: \fB{\(aqhttponly\(aq: True, \(aqsecure\(aq: False, \(aqsamesite\(aq: None}\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_IMPLEMENTATIONS
A dictionary of supported second factor implementations. All of these must
implement the TfPluginBase interface.
.sp
Default: \fB{\(dqcode\(dq: \(dqflask_security.twofactor.CodeTfPlugin\(dq, \(dqwebauthn\(dq: \(dqflask_security.webauthn.WebAuthnTfPlugin\(dq,}\fP
.sp
Added in version 5.0.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_TWO_FACTOR_RESCUE_EMAIL
If True, then the \(aqemail\(aq option for two\-factor rescue is enabled \- allowing a user to
recover a missing/inoperable second factor device by requesting a one time code sent to their email.
While this is very convenient is has the downside that if a user\(aqs email is hacked, their second factor
is useless to protect their account.
.sp
Default: \fBTrue\fP
.sp
Added in version 5.0.0.

.UNINDENT
.SS Unified Signin
.INDENT 0.0
.INDENT 3.5
Unified sign in provides a generalized sign in endpoint that takes an \fIidentity\fP
and a \fIpasscode\fP\&.
.sp
Added in version 3.4.0.

.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_UNIFIED_SIGNIN
To enable this feature \- set this to \fBTrue\fP\&.
.sp
Default: \fBFalse\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_SIGNIN_URL
Sign in a user with an identity and a passcode.
.sp
Default: \fB\(dq/us\-signin\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_SIGNIN_SEND_CODE_URL
Endpoint that given an identity, and a previously setup authentication method, will
generate and return a one time code. This isn\(aqt necessary when using an authenticator
app.
.sp
Default: \fB\(dq/us\-signin/send\-code\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_SETUP_URL
Endpoint for setting up and validating SMS or an authenticator app for use in
receiving one\-time codes.
.sp
Default: \fB\(dq/us\-setup\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_VERIFY_LINK_URL
This endpoint handles the \(aqmagic link\(aq that is sent when the user requests a code
via email. It is mostly just accessed via a \fBGET\fP from an email reader.
.sp
Default: \fB\(dq/us\-verify\-link\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_VERIFY_URL
This endpoint handles re\-authentication, the caller must be already authenticated
and then enter in their primary credentials (password/passcode) again. This is
used when an endpoint (such as \fB/us\-setup\fP) fails freshness checks.
This endpoint won\(aqt be registered if \fI\%SECURITY_FRESHNESS\fP evaluates to < 0.
.sp
Default: \fB\(dq/us\-verify\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_VERIFY_SEND_CODE_URL
As part of \fB/us\-verify\fP, this endpoint will send the appropriate code.
This endpoint won\(aqt be registered if \fI\%SECURITY_FRESHNESS\fP evaluates to < 0.
.sp
Default: \fB\(dq/us\-verify/send\-code\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_POST_SETUP_VIEW
Specifies the view to redirect to after a user successfully setups an authentication method (non\-json).
This value can be set to a URL or an endpoint name.
.sp
Default: \fB\(dq.us\-setup\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_SIGNIN_TEMPLATE
Default: \fB\(dqsecurity/us_signin.html\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_SETUP_TEMPLATE
Default: \fB\(dqsecurity/us_setup.html\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_VERIFY_TEMPLATE
Default: \fB\(dqsecurity/us_verify.html\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_ENABLED_METHODS
Specifies the default enabled methods for unified signin authentication.
Be aware that \fBpassword\fP only affects this \fBSECURITY_US_SIGNIN_URL\fP endpoint.
Removing it from here won\(aqt stop users from using the \fBSECURITY_LOGIN_URL\fP endpoint
(unless you replace the login endpoint using \fI\%SECURITY_US_SIGNIN_REPLACES_LOGIN\fP).
.sp
This config variable defines which methods can be used to provide authentication data.
\fI\%SECURITY_USER_IDENTITY_ATTRIBUTES\fP controls what sorts of identities can be used.
.sp
Default: \fB[\(dqpassword\(dq, \(dqemail\(dq, \(dqauthenticator\(dq, \(dqsms\(dq]\fP \- which are the only supported options.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_MFA_REQUIRED
A list of \fBUS_ENABLED_METHODS\fP that will require two\-factor
authentication. This is of course dependent on the settings of \fI\%SECURITY_TWO_FACTOR\fP
and \fI\%SECURITY_TWO_FACTOR_REQUIRED\fP\&. Note that even with REQUIRED, only
methods listed here will trigger a two\-factor cycle.
.sp
Default: \fB[\(dqpassword\(dq, \(dqemail\(dq]\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_TOKEN_VALIDITY
Specifies the number of seconds access token/code is valid.
.sp
Default: \fB120\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_EMAIL_SUBJECT
Sets the email subject when sending the verification code via email.
.sp
Default: \fB_(\(dqVerification Code\(dq)\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_SETUP_WITHIN
Specifies the amount of time a user has before their setup
token expires. Always pluralize the time unit for this value.
.sp
Default: \fB\(dq30 minutes\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_US_SIGNIN_REPLACES_LOGIN
If set, then the \fI\%SECURITY_LOGIN_URL\fP will be registered to the \fBus\-signin\fP endpoint.
Doing this will mean that logout will properly redirect to the us\-signin endpoint.
.sp
Default: \fBFalse\fP
.UNINDENT
.sp
Additional relevant configuration variables:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fI\%SECURITY_USER_IDENTITY_ATTRIBUTES\fP \- Defines the order and methods for parsing and validating identity.
.IP \(bu 2
\fI\%SECURITY_PASSWORD_REQUIRED\fP \- Can a user register w/o a password?
.IP \(bu 2
\fI\%SECURITY_DEFAULT_REMEMBER_ME\fP
.IP \(bu 2
\fI\%SECURITY_SMS_SERVICE\fP \- When SMS is enabled in \fI\%SECURITY_US_ENABLED_METHODS\fP\&.
.IP \(bu 2
\fI\%SECURITY_SMS_SERVICE_CONFIG\fP
.IP \(bu 2
\fI\%SECURITY_TOTP_SECRETS\fP
.IP \(bu 2
\fI\%SECURITY_TOTP_ISSUER\fP
.IP \(bu 2
\fI\%SECURITY_PHONE_REGION_DEFAULT\fP
.IP \(bu 2
\fI\%SECURITY_LOGIN_ERROR_VIEW\fP \- The user is redirected here if
\fI\%SECURITY_US_VERIFY_LINK_URL\fP has an error and the request is json and
\fI\%SECURITY_REDIRECT_BEHAVIOR\fP equals \fB\(dqspa\(dq\fP\&.
.IP \(bu 2
\fI\%SECURITY_FRESHNESS\fP \- Used to protect /us\-setup.
.IP \(bu 2
\fI\%SECURITY_FRESHNESS_GRACE_PERIOD\fP \- Used to protect /us\-setup.
.UNINDENT
.UNINDENT
.UNINDENT
.SS Passwordless
.sp
This feature is DEPRECATED as of 5.0.0. Please use unified signin feature instead.
.INDENT 0.0
.TP
.B SECURITY_PASSWORDLESS
Specifies if Flask\-Security should enable the passwordless login feature.
If set to \fBTrue\fP, users are not required to enter a password to login but are
sent an email with a login link.
\fBThis feature is being replaced with a more generalized passwordless feature
that includes using SMS or authenticator applications for generating codes.\fP
.sp
Default: \fBFalse\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_SEND_LOGIN_TEMPLATE
Specifies the path to the template for the send login instructions page for
passwordless logins.
.sp
Default:\fB\(dqsecurity/send_login.html\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_EMAIL_SUBJECT_PASSWORDLESS
Sets the subject for the passwordless feature.
.sp
Default: \fB_(\(dqLogin instructions\(dq)\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_LOGIN_WITHIN
Specifies the amount of time a user has before a login link expires.
Always pluralize the time unit for this value.
.sp
Default: \fB\(dq1 days\(dq\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_LOGIN_ERROR_VIEW
Specifies the view/URL to redirect to after the following login/authentication errors:
.INDENT 7.0
.IP \(bu 2
GET passwordless link where the link is expired/incorrect
.IP \(bu 2
GET unified sign in magic link when there is an error.
.IP \(bu 2
GET on oauthresponse where there was an OAuth protocol error.
.IP \(bu 2
GET on oauthresponse where the returned identity isn\(aqt registered.
.UNINDENT
.sp
This is only valid if \fI\%SECURITY_REDIRECT_BEHAVIOR\fP == \fB\(dqspa\(dq\fP\&.
Query params in the redirect will contain the error.
.sp
Default: \fBNone\fP\&.
.UNINDENT
.SS Trackable
.INDENT 0.0
.TP
.B SECURITY_TRACKABLE
Specifies if Flask\-Security should track basic user login statistics. If set to \fBTrue\fP, ensure your
models have the required fields/attributes and make sure to commit changes after calling
\fBlogin_user\fP\&. Be sure to use \X'tty: link http://flask.pocoo.org/docs/0.10/deploying/wsgi-standalone/#proxy-setups'\fI\%ProxyFix\fP\X'tty: link' if you are using a proxy.
.sp
Default: \fBFalse\fP
.UNINDENT
.SS WebAuthn
.INDENT 0.0
.INDENT 3.5
Added in version 5.0.0.

.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WEBAUTHN
To enable this feature \- set this to \fBTrue\fP\&. Please see \fI\%Models\fP for
required additions to your database models.
.sp
Default: \fBFalse\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_REGISTER_URL
Endpoint for registering WebAuthn credentials.
.sp
Default: \fB\(dq/wan\-register\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_SIGNIN_URL
Endpoint for signing in using a WebAuthn credential.
.sp
Default: \fB\(dq/wan\-signin\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_DELETE_URL
Endpoint for removing a WebAuthn credential.
.sp
Default: \fB\(dq/wan\-delete\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_VERIFY_URL
Endpoint for re\-authenticating using a WebAuthn credential.
.sp
Default: \fB\(dq/wan\-verify\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_POST_REGISTER_VIEW
Specifies the view to redirect to after a user successfully registers a new WebAuthn key (non\-json).
This value can be set to a URL or an endpoint name.
.sp
Default: \fB\(dq.wan\-register\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_REGISTER_TEMPLATE
Default: \fB\(dqsecurity/wan_register.html\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_SIGNIN_TEMPLATE
Default: \fB\(dqsecurity/wan_signin.html\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_VERIFY_TEMPLATE
Default: \fB\(dqsecurity/wan_verify.html\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_RP_NAME
The Relying Party (that\(aqs us!) name passed as part of credential
creation. Defined in the \X'tty: link https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dictionary-pkcredentialentity'\fI\%spec\fP\X'tty: link'\&.
.sp
Default: \fB\(dqMy Flask App\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_REGISTER_WITHIN
Specifies the amount of time a user has before their register
token expires. Always pluralize the time unit for this value.
.sp
Default: \fB\(dq30 minutes\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_REGISTER_TIMEOUT
Specifies the timeout that is passed as part of PublicKeyCredentialCreationOptions.
In milliseconds.
.sp
Default: \fB60000\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_SIGNIN_WITHIN
Specifies the amount of time a user has before their signin
token expires. Always pluralize the time unit for this value.
.sp
Default: \fB\(dq1 minutes\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_SIGNIN_TIMEOUT
Specifies the timeout that is passed as part of PublicKeyCredentialRequestOptions.
In milliseconds.
.sp
Default: \fB60000\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_ALLOW_AS_FIRST_FACTOR
If True then a WebAuthn credential/key may be registered for use as the first (or only)
authentication factor. This will set the default \fBAuthenticatorSelectionCriteria\fP
to require a cross\-platform key.
.sp
Default: \fBTrue\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_ALLOW_AS_MULTI_FACTOR
If True then a WebAuthn credential/key can be used
as both a primary and a secondary factor. This requires that the key
supports \(aqUserVerification\(aq.
.sp
Default: \fBTrue\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_ALLOW_USER_HINTS
If True then an unauthenticated user can request a list of registered
WebAuthn credentials/keys. This allows the use of non\-resident (non\-discoverable)
keys, but has the possible security concern that it allows \(aquser discovery\(aq.
Look at \X'tty: link https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-username-enumeration'\fI\%https://www.w3.org/TR/2021/REC\-webauthn\-2\-20210408/#sctn\-username\-enumeration\fP\X'tty: link'
for a good writeup.
.sp
If this is \fBFalse\fP and \fI\%SECURITY_WAN_ALLOW_AS_FIRST_FACTOR\fP is \fBTrue\fP
(the default) then by default, \fBAuthenticatorSelectionCriteria\fP will be set
to require a Resident key.
.sp
Default: \fBTrue\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_WAN_ALLOW_AS_VERIFY
Sets which type of WebAuthn security credential, if any, may be used for
reauthentication/verify events. This is a list with possible values:
.INDENT 7.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fB\(dqfirst\(dq\fP \- just keys registered as \(dqfirst\(dq usage are allowed
.IP \(bu 2
\fB\(dqsecondary\(dq\fP \- just keys registered as \(dqsecondary\(dq are allowed
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B If list is empty or \fBNone\fP WebAuthn keys aren\(aqt allowed. This also means that the
:py:data:\fBSECURITY_WAN_VERIFY\fP endpoint won\(aqt be registered.
.UNINDENT
.sp
Default: \fB[\(dqfirst\(dq, \(dqsecondary\(dq]\fP
.UNINDENT
.sp
Additional relevant configuration variables:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fI\%SECURITY_FRESHNESS\fP \- Used to protect /us\-setup.
.IP \(bu 2
\fI\%SECURITY_FRESHNESS_GRACE_PERIOD\fP \- Used to protect /us\-setup.
.UNINDENT
.UNINDENT
.UNINDENT
.SS Recovery Codes
.INDENT 0.0
.INDENT 3.5
Added in version 5.0.0.

.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_MULTI_FACTOR_RECOVERY_CODES
To enable this feature \- set this to \fBTrue\fP\&. Please see \fI\%Models\fP for
required additions to your database models. This enables a user to generate and
use a recovery code for two\-factor authentication. This works for all two\-factor
mechanisms \- including WebAuthn. Note that these code are single use and
the user should be advised to write them down and store in a safe place.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_MULTI_FACTOR_RECOVERY_CODES_N
How many recovery codes to generate.
.sp
Default:: \fB5\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_MULTI_FACTOR_RECOVERY_CODES_URL
Endpoint for displaying and generating recovery codes.
.sp
Default: \fB\(dq/mf\-recovery\-codes\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_MULTI_FACTOR_RECOVERY_CODES_TEMPLATE
Default: \fB\(dqsecurity/mf_recovery_codes.html\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_MULTI_FACTOR_RECOVERY_URL
Endpoint for entering a recovery code.
.sp
Default: \fB\(dq/mf\-recovery\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_MULTI_FACTOR_RECOVERY_TEMPLATE
Default: \fB\(dqsecurity/mf_recovery.html\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_MULTI_FACTOR_RECOVERY_CODES_KEYS
A list of keys used to encrypt the recovery codes at rest (i.e. in the database).
The default implementation uses cryptography.fernet (\X'tty: link https://cryptography.io/en/latest/fernet/#cryptography.fernet.Fernet'\fI\%https://cryptography.io/en/latest/fernet/#cryptography.fernet.Fernet\fP\X'tty: link')
\- so the keys should be generated by:
.INDENT 7.0
.INDENT 3.5
.sp
.EX
from cryptography.fernet import Fernet
key = Fernet.generate_key()
.EE
.UNINDENT
.UNINDENT
.sp
Multiple keys can be configured allowing for key rotation.
.sp
Default: \fBNone\fP \- recovery codes will NOT be encrypted on disk
.sp
Added in version 5.1.0.

.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_MULTI_FACTOR_RECOVERY_CODE_TTL
An integer passed to decrypt specifying the maximum age of the code.
.sp
Default: \fBNone\fP \- no TTL will be enforced.
.sp
Added in version 5.1.0.

.UNINDENT
.sp
Additional relevant configuration variables:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fI\%SECURITY_FRESHNESS\fP \- Used to protect /mf\-recovery\-codes.
.IP \(bu 2
\fI\%SECURITY_FRESHNESS_GRACE_PERIOD\fP \- Used to protect /mf\-recovery\-codes.
.IP \(bu 2
\fI\%SECURITY_TOTP_SECRETS\fP \- TOTP/passlib is used to generate the codes.
.IP \(bu 2
\fI\%SECURITY_TOTP_ISSUER\fP
.UNINDENT
.UNINDENT
.UNINDENT
.SS Social Oauth
.INDENT 0.0
.INDENT 3.5
Added in version 5.1.0.

.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_OAUTH_ENABLE
To enable using external Oauth providers \- set this to \fBTrue\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_OAUTH_BUILTIN_PROVIDERS
A list of built\-in providers to register.
.sp
Default: \fB[\(dqgoogle\(dq, \(dqgithub\(dq]\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_OAUTH_START_URL
Endpoint for starting an Oauth authentication operation.
.sp
Default: \fB\(dq/login/oauthstart\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_OAUTH_RESPONSE_URL
Endpoint used as Oauth redirect.
.sp
Default: \fB\(dq/login/oauthresponse\(dq\fP
.UNINDENT
.INDENT 0.0
.TP
.B SECURITY_POST_OAUTH_LOGIN_VIEW
Specifies the view/URL to redirect to after a successful authentication (login)
using social oauth.
This is only valid if \fI\%SECURITY_REDIRECT_BEHAVIOR\fP == \fB\(dqspa\(dq\fP\&.
Query params in the redirect will contain \fIidentity\fP and \fIemail\fP\&.
.sp
Default: \fBNone\fP\&.
.sp
Added in version 5.4.0.

.UNINDENT
.SS Feature Flags
.sp
All feature flags. By default all are \(aqFalse\(aq/not enabled.
.INDENT 0.0
.IP \(bu 2
\fI\%SECURITY_CONFIRMABLE\fP
.IP \(bu 2
\fI\%SECURITY_REGISTERABLE\fP
.IP \(bu 2
\fI\%SECURITY_RECOVERABLE\fP
.IP \(bu 2
\fI\%SECURITY_TRACKABLE\fP
.IP \(bu 2
\fI\%SECURITY_PASSWORDLESS\fP
.IP \(bu 2
\fI\%SECURITY_CHANGEABLE\fP
.IP \(bu 2
\fI\%SECURITY_TWO_FACTOR\fP
.IP \(bu 2
\fI\%SECURITY_UNIFIED_SIGNIN\fP
.IP \(bu 2
\fI\%SECURITY_WEBAUTHN\fP
.IP \(bu 2
\fI\%SECURITY_MULTI_FACTOR_RECOVERY_CODES\fP
.IP \(bu 2
\fI\%SECURITY_OAUTH_ENABLE\fP
.UNINDENT
.SS URLs and Views
.sp
A list of all URLs and Views:
.INDENT 0.0
.IP \(bu 2
\fI\%SECURITY_LOGIN_URL\fP
.IP \(bu 2
\fI\%SECURITY_LOGOUT_URL\fP
.IP \(bu 2
\fI\%SECURITY_VERIFY_URL\fP
.IP \(bu 2
\fI\%SECURITY_REGISTER_URL\fP
.IP \(bu 2
\fI\%SECURITY_RESET_URL\fP
.IP \(bu 2
\fI\%SECURITY_CHANGE_URL\fP
.IP \(bu 2
\fI\%SECURITY_CONFIRM_URL\fP
.IP \(bu 2
\fI\%SECURITY_MULTI_FACTOR_RECOVERY_CODES_URL\fP
.IP \(bu 2
\fI\%SECURITY_MULTI_FACTOR_RECOVERY_URL\fP
.IP \(bu 2
\fI\%SECURITY_OAUTH_START_URL\fP
.IP \(bu 2
\fI\%SECURITY_OAUTH_RESPONSE_URL\fP
.IP \(bu 2
\fI\%SECURITY_TWO_FACTOR_SELECT_URL\fP
.IP \(bu 2
\fI\%SECURITY_TWO_FACTOR_SETUP_URL\fP
.IP \(bu 2
\fI\%SECURITY_TWO_FACTOR_TOKEN_VALIDATION_URL\fP
.IP \(bu 2
\fI\%SECURITY_TWO_FACTOR_RESCUE_URL\fP
.IP \(bu 2
\fI\%SECURITY_TWO_FACTOR_ERROR_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_TWO_FACTOR_POST_SETUP_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_POST_LOGIN_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_POST_LOGOUT_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_CONFIRM_ERROR_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_POST_REGISTER_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_POST_CONFIRM_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_POST_RESET_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_POST_CHANGE_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_POST_OAUTH_LOGIN_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_UNAUTHORIZED_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_RESET_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_RESET_ERROR_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_LOGIN_ERROR_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_US_SIGNIN_URL\fP
.IP \(bu 2
\fI\%SECURITY_US_SETUP_URL\fP
.IP \(bu 2
\fI\%SECURITY_US_SIGNIN_SEND_CODE_URL\fP
.IP \(bu 2
\fI\%SECURITY_US_VERIFY_LINK_URL\fP
.IP \(bu 2
\fI\%SECURITY_US_VERIFY_URL\fP
.IP \(bu 2
\fI\%SECURITY_US_VERIFY_SEND_CODE_URL\fP
.IP \(bu 2
\fI\%SECURITY_US_POST_SETUP_VIEW\fP
.IP \(bu 2
\fI\%SECURITY_WAN_REGISTER_URL\fP
.IP \(bu 2
\fI\%SECURITY_WAN_SIGNIN_URL\fP
.IP \(bu 2
\fI\%SECURITY_WAN_DELETE_URL\fP
.IP \(bu 2
\fI\%SECURITY_WAN_VERIFY_URL\fP
.IP \(bu 2
\fI\%SECURITY_WAN_POST_REGISTER_VIEW\fP
.UNINDENT
.SS Template Paths
.sp
A list of all templates:
.INDENT 0.0
.IP \(bu 2
\fI\%SECURITY_FORGOT_PASSWORD_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_LOGIN_USER_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_VERIFY_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_REGISTER_USER_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_RESET_PASSWORD_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_CHANGE_PASSWORD_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_MULTI_FACTOR_RECOVERY_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_MULTI_FACTOR_RECOVERY_CODES_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_SEND_CONFIRMATION_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_SEND_LOGIN_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_TWO_FACTOR_VERIFY_CODE_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_TWO_FACTOR_SELECT_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_TWO_FACTOR_SETUP_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_US_SIGNIN_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_US_SETUP_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_US_VERIFY_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_WAN_REGISTER_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_WAN_SIGNIN_TEMPLATE\fP
.IP \(bu 2
\fI\%SECURITY_WAN_VERIFY_TEMPLATE\fP
.UNINDENT
.SS Messages
.sp
The following are the messages Flask\-Security uses.  They are tuples; the first
element is the message and the second element is the error level.
.sp
The default messages and error levels can be found in \fBcore.py\fP\&.
.INDENT 0.0
.IP \(bu 2
\fBSECURITY_MSG_ALREADY_CONFIRMED\fP
.IP \(bu 2
\fBSECURITY_MSG_API_ERROR\fP
.IP \(bu 2
\fBSECURITY_MSG_ANONYMOUS_USER_REQUIRED\fP
.IP \(bu 2
\fBSECURITY_MSG_CODE_HAS_BEEN_SENT\fP
.IP \(bu 2
\fBSECURITY_MSG_CONFIRMATION_EXPIRED\fP
.IP \(bu 2
\fBSECURITY_MSG_CONFIRMATION_REQUEST\fP
.IP \(bu 2
\fBSECURITY_MSG_CONFIRMATION_REQUIRED\fP
.IP \(bu 2
\fBSECURITY_MSG_CONFIRM_REGISTRATION\fP
.IP \(bu 2
\fBSECURITY_MSG_DISABLED_ACCOUNT\fP
.IP \(bu 2
\fBSECURITY_MSG_EMAIL_ALREADY_ASSOCIATED\fP
.IP \(bu 2
\fBSECURITY_MSG_EMAIL_CONFIRMED\fP
.IP \(bu 2
\fBSECURITY_MSG_EMAIL_NOT_PROVIDED\fP
.IP \(bu 2
\fBSECURITY_MSG_FAILED_TO_SEND_CODE\fP
.IP \(bu 2
\fBSECURITY_MSG_FORGOT_PASSWORD\fP
.IP \(bu 2
\fBSECURITY_MSG_GENERIC_AUTHN_FAILED\fP
.IP \(bu 2
\fBSECURITY_MSG_GENERIC_RECOVERY\fP
.IP \(bu 2
\fBSECURITY_MSG_GENERIC_US_SIGNIN\fP
.IP \(bu 2
\fBSECURITY_MSG_IDENTITY_ALREADY_ASSOCIATED\fP
.IP \(bu 2
\fBSECURITY_MSG_IDENTITY_NOT_REGISTERED\fP
.IP \(bu 2
\fBSECURITY_MSG_INVALID_CODE\fP
.IP \(bu 2
\fBSECURITY_MSG_INVALID_CONFIRMATION_TOKEN\fP
.IP \(bu 2
\fBSECURITY_MSG_INVALID_EMAIL_ADDRESS\fP
.IP \(bu 2
\fBSECURITY_MSG_INVALID_LOGIN_TOKEN\fP
.IP \(bu 2
\fBSECURITY_MSG_INVALID_PASSWORD\fP
.IP \(bu 2
\fBSECURITY_MSG_INVALID_PASSWORD_CODE\fP
.IP \(bu 2
\fBSECURITY_MSG_INVALID_RECOVERY_CODE\fP
.IP \(bu 2
\fBSECURITY_MSG_INVALID_REDIRECT\fP
.IP \(bu 2
\fBSECURITY_MSG_INVALID_RESET_PASSWORD_TOKEN\fP
.IP \(bu 2
\fBSECURITY_MSG_LOGIN\fP
.IP \(bu 2
\fBSECURITY_MSG_LOGIN_EMAIL_SENT\fP
.IP \(bu 2
\fBSECURITY_MSG_LOGIN_EXPIRED\fP
.IP \(bu 2
\fBSECURITY_MSG_NO_RECOVERY_CODES_SETUP\fP
.IP \(bu 2
\fBSECURITY_MSG_OAUTH_HANDSHAKE_ERROR\fP
.IP \(bu 2
\fBSECURITY_MSG_PASSWORDLESS_LOGIN_SUCCESSFUL\fP
.IP \(bu 2
\fBSECURITY_MSG_PASSWORD_BREACHED\fP
.IP \(bu 2
\fBSECURITY_MSG_PASSWORD_BREACHED_SITE_ERROR\fP
.IP \(bu 2
\fBSECURITY_MSG_PASSWORD_CHANGE\fP
.IP \(bu 2
\fBSECURITY_MSG_PASSWORD_INVALID_LENGTH\fP
.IP \(bu 2
\fBSECURITY_MSG_PASSWORD_IS_THE_SAME\fP
.IP \(bu 2
\fBSECURITY_MSG_PASSWORD_MISMATCH\fP
.IP \(bu 2
\fBSECURITY_MSG_PASSWORD_NOT_PROVIDED\fP
.IP \(bu 2
\fBSECURITY_MSG_PASSWORD_REQUIRED\fP
.IP \(bu 2
\fBSECURITY_MSG_PASSWORD_RESET\fP
.IP \(bu 2
\fBSECURITY_MSG_PASSWORD_RESET_EXPIRED\fP
.IP \(bu 2
\fBSECURITY_MSG_PASSWORD_RESET_NO_LOGIN\fP
.IP \(bu 2
\fBSECURITY_MSG_PASSWORD_RESET_REQUEST\fP
.IP \(bu 2
\fBSECURITY_MSG_PASSWORD_TOO_SIMPLE\fP
.IP \(bu 2
\fBSECURITY_MSG_PHONE_INVALID\fP
.IP \(bu 2
\fBSECURITY_MSG_REAUTHENTICATION_REQUIRED\fP
.IP \(bu 2
\fBSECURITY_MSG_REAUTHENTICATION_SUCCESSFUL\fP
.IP \(bu 2
\fBSECURITY_MSG_REFRESH\fP
.IP \(bu 2
\fBSECURITY_MSG_RETYPE_PASSWORD_MISMATCH\fP
.IP \(bu 2
\fBSECURITY_MSG_TWO_FACTOR_INVALID_TOKEN\fP
.IP \(bu 2
\fBSECURITY_MSG_TWO_FACTOR_LOGIN_SUCCESSFUL\fP
.IP \(bu 2
\fBSECURITY_MSG_TWO_FACTOR_CHANGE_METHOD_SUCCESSFUL\fP
.IP \(bu 2
\fBSECURITY_MSG_TWO_FACTOR_PERMISSION_DENIED\fP
.IP \(bu 2
\fBSECURITY_MSG_TWO_FACTOR_METHOD_NOT_AVAILABLE\fP
.IP \(bu 2
\fBSECURITY_MSG_TWO_FACTOR_DISABLED\fP
.IP \(bu 2
\fBSECURITY_MSG_UNAUTHORIZED\fP
.IP \(bu 2
\fBSECURITY_MSG_UNAUTHENTICATED\fP
.IP \(bu 2
\fBSECURITY_MSG_US_METHOD_NOT_AVAILABLE\fP
.IP \(bu 2
\fBSECURITY_MSG_US_SETUP_EXPIRED\fP
.IP \(bu 2
\fBSECURITY_MSG_US_SETUP_SUCCESSFUL\fP
.IP \(bu 2
\fBSECURITY_MSG_US_SPECIFY_IDENTITY\fP
.IP \(bu 2
\fBSECURITY_MSG_USE_CODE\fP
.IP \(bu 2
\fBSECURITY_MSG_USER_DOES_NOT_EXIST\fP
.IP \(bu 2
\fBSECURITY_MSG_USERNAME_INVALID_LENGTH\fP
.IP \(bu 2
\fBSECURITY_MSG_USERNAME_ILLEGAL_CHARACTERS\fP
.IP \(bu 2
\fBSECURITY_MSG_USERNAME_DISALLOWED_CHARACTERS\fP
.IP \(bu 2
\fBSECURITY_MSG_USERNAME_NOT_PROVIDED\fP
.IP \(bu 2
\fBSECURITY_MSG_USERNAME_ALREADY_ASSOCIATED\fP
.IP \(bu 2
\fBSECURITY_MSG_WEBAUTHN_EXPIRED\fP
.IP \(bu 2
\fBSECURITY_MSG_WEBAUTHN_NAME_REQUIRED\fP
.IP \(bu 2
\fBSECURITY_MSG_WEBAUTHN_NAME_INUSE\fP
.IP \(bu 2
\fBSECURITY_MSG_WEBAUTHN_NAME_NOT_FOUND\fP
.IP \(bu 2
\fBSECURITY_MSG_WEBAUTHN_CREDENTIAL_DELETED\fP
.IP \(bu 2
\fBSECURITY_MSG_WEBAUTHN_REGISTER_SUCCESSFUL\fP
.IP \(bu 2
\fBSECURITY_MSG_WEBAUTHN_CREDENTIAL_ID_INUSE\fP
.IP \(bu 2
\fBSECURITY_MSG_WEBAUTHN_UNKNOWN_CREDENTIAL_ID\fP
.IP \(bu 2
\fBSECURITY_MSG_WEBAUTHN_ORPHAN_CREDENTIAL_ID\fP
.IP \(bu 2
\fBSECURITY_MSG_WEBAUTHN_NO_VERIFY\fP
.IP \(bu 2
\fBSECURITY_MSG_WEBAUTHN_CREDENTIAL_WRONG_USAGE\fP
.IP \(bu 2
\fBSECURITY_MSG_WEBAUTHN_MISMATCH_USER_HANDLE\fP
.UNINDENT
.SS Models
.SS Basics
.sp
Flask\-Security assumes you\(aqll be using libraries such as SQLAlchemy,
MongoEngine, Peewee or PonyORM to define a \fIUser\fP
and \fIRole\fP data model. The fields on your models must follow a particular convention
depending on the functionality your app requires. Aside from this, you\(aqre free
to add any additional fields to your model(s) if you want.
.SS Packaged Models
.sp
As more features are added to Flask\-Security, the list of required fields and tables grow.
As you use these features, and therefore require these fields and tables, database migrations are required;
which are a bit of a pain. To make things easier \- Flask\-Security includes mixins that
contain ALL the fields and tables required for all features. They also contain
various \fIbest practice\fP fields \- such as update and create times. These mixins can
be easily extended to add any sort of custom fields and can be found in the
\fImodels\fP module (today there is just one for using Flask\-SQLAlchemy).
.sp
The provided models are versioned since they represent actual DB models, and any
changes require a schema migration (and perhaps a data migration). Applications
must specifically import the version they want (and handle any required migration).
Your application code should import just the required version e.g.:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
from flask_security.models import fsqla_v3 as fsqla
.EE
.UNINDENT
.UNINDENT
.sp
A single method \fBfsqla.FsModels.set_db_info\fP is provided to glue the supplied models to your
DB instance. This is only needed if you use the packaged models.
.SS Model Specification
.sp
Your \fIUser\fP model needs a Primary Key \- Flask\-Security doesn\(aqt actually reference
this \- so it can be any name or type your application needs. It should be used in the
foreign relationship between \fIUser\fP and \fIRole\fP\&. The \fIWebAuthn\fP model also
references this primary key (which can be overridden by providing a
suitable implementation of \fI\%flask_security.WebAuthnMixin.get_user_mapping()\fP).
.sp
At the bare minimum your \fIUser\fP and \fIRole\fP model should include the following fields:
.sp
\fBUser\fP
.INDENT 0.0
.IP \(bu 2
primary key
.IP \(bu 2
\fBemail\fP (for most features \- unique, non\-nullable)
.IP \(bu 2
\fBpassword\fP (string, nullable)
.IP \(bu 2
\fBactive\fP (boolean, non\-nullable)
.IP \(bu 2
\fBfs_uniquifier\fP (string, 64 bytes, unique, non\-nullable)
.UNINDENT
.sp
\fBRole\fP
.INDENT 0.0
.IP \(bu 2
primary key
.IP \(bu 2
\fBname\fP (unique, non\-nullable)
.IP \(bu 2
\fBdescription\fP (string)
.UNINDENT
.SS Additional Functionality
.sp
Depending on the application\(aqs configuration, additional fields may need to be
added to your database models. Note some fields are specified as \(aqlist of string\(aq
the ORM you are using is responsible for translating the list of string to a suitable
DB data type. For standard SQL\-like databases, Flask\-Security provides a utility
method \fI\%AsaList\fP\&.
.SS Confirmable
.sp
If you enable account confirmation by setting your application\(aqs
\fI\%SECURITY_CONFIRMABLE\fP configuration value to \fITrue\fP, your \fIUser\fP model will
require the following additional field:
.INDENT 0.0
.IP \(bu 2
\fBconfirmed_at\fP (datetime)
.UNINDENT
.SS Trackable
.sp
If you enable user tracking by setting your application\(aqs \fI\%SECURITY_TRACKABLE\fP
configuration value to \fITrue\fP, your \fIUser\fP model will require the following
additional fields:
.INDENT 0.0
.IP \(bu 2
\fBlast_login_at\fP (datetime)
.IP \(bu 2
\fBcurrent_login_at\fP (datetime)
.IP \(bu 2
\fBlast_login_ip\fP (string)
.IP \(bu 2
\fBcurrent_login_ip\fP (string)
.IP \(bu 2
\fBlogin_count\fP (integer)
.UNINDENT
.SS Two_Factor
.sp
If you enable two\-factor by setting your application\(aqs \fI\%SECURITY_TWO_FACTOR\fP
configuration value to \fITrue\fP, your \fIUser\fP model will require the following
additional fields:
.INDENT 0.0
.IP \(bu 2
\fBtf_totp_secret\fP (string, 255 bytes, nullable)
.IP \(bu 2
\fBtf_primary_method\fP (string)
.UNINDENT
.sp
If you include \(aqsms\(aq in \fI\%SECURITY_TWO_FACTOR_ENABLED_METHODS\fP, your \fIUser\fP model
will require the following additional field:
.INDENT 0.0
.IP \(bu 2
\fBtf_phone_number\fP (string, 128 bytes, nullable)
.UNINDENT
.SS Unified Sign In
.sp
If you enable unified sign in by setting your application\(aqs \fI\%SECURITY_UNIFIED_SIGNIN\fP
configuration value to \fITrue\fP, your \fIUser\fP model will require the following
additional fields:
.INDENT 0.0
.IP \(bu 2
\fBus_totp_secrets\fP (an arbitrarily long Text field)
.UNINDENT
.sp
If you include \(aqsms\(aq in \fI\%SECURITY_US_ENABLED_METHODS\fP, your \fIUser\fP model
will require the following additional field:
.INDENT 0.0
.IP \(bu 2
\fBus_phone_number\fP (string, 64 bytes, nullable, unique)
.UNINDENT
.SS Separate Identity Domains
.sp
If you want authentication tokens to not be invalidated when the user changes their
password add the following to your \fIUser\fP model:
.INDENT 0.0
.IP \(bu 2
\fBfs_token_uniquifier\fP (string, 64 bytes, unique, non\-nullable)
.UNINDENT
.SS Username
.sp
If you set \fI\%SECURITY_USERNAME_ENABLE\fP to \fITrue\fP, then your \fIUser\fP model
requires the following additional field:
.INDENT 0.0
.IP \(bu 2
\fBusername\fP (string, 64 bytes, unique, nullable)
.UNINDENT
.SS Permissions
.sp
If you want to protect endpoints with permissions, and assign permissions to roles
that are then assigned to users, the \fBRole\fP model requires:
.INDENT 0.0
.IP \(bu 2
\fBpermissions\fP (list of UnicodeText, nullable)
.UNINDENT
.SS WebAuthn
.sp
Flask Security can act as a WebAuthn Relying Party by enabling
\fI\%SECURITY_WEBAUTHN\fP\&. This requires an additional table as well as
references from the User model. Users can have many WebAuthn credentials, and
Flask\-Security must be able to locate a User record based on a credential id.
.sp
\fBIMPORTANT:\fP
.INDENT 0.0
.INDENT 3.5
It is important that you maintain data consistency when deleting WebAuthn
records or users.
.UNINDENT
.UNINDENT
.sp
The \(aqWebAuthn\(aq model requires the following fields:
.INDENT 0.0
.IP \(bu 2
\fBid\fP (primary key)
.IP \(bu 2
\fBcredential_id\fP (binary, 1024 bytes, indexed, non\-nullable, unique)
.IP \(bu 2
\fBpublic_key\fP (binary, 1024 bytes, non\-nullable)
.IP \(bu 2
\fBsign_count\fP (integer, default=0, non\-nullable)
.IP \(bu 2
\fBtransports\fP (list of string/UnicodeText, nullable)
.IP \(bu 2
\fBextensions\fP (string, 255 bytes)
.IP \(bu 2
\fBlastuse_datetime\fP (datetime, non\-nullable)
.IP \(bu 2
\fBname\fP (string, 64 bytes, non\-nullable)
.IP \(bu 2
\fBusage\fP (string, 64 bytes, non\-nullable)
.IP \(bu 2
\fBbackup_state\fP (boolean, non\-nullable)
.IP \(bu 2
\fBdevice_type\fP (string, 64 bytes, non\-nullable) (The spec calls this \fBBackup Eligibility\fP)
.UNINDENT
.sp
There needs to be a bi\-directional relationship between the WebAuthn record and
the User record (since we need to look up the \fBUser\fP based on a WebAuthn \fBcredential_id\fP\&.
.sp
\fBFor SQLAlchemy\fP:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
Add the following to the WebAuthn model (assuming your primary key is named \(ga\(gaid\(ga\(ga):

    @declared_attr
    def user_id(cls):
        return Column(
            Integer,
            ForeignKey(\(dquser.id\(dq, ondelete=\(dqCASCADE\(dq),
            nullable=False,
        )

Add the following to the User model:

    @declared_attr
    def webauthn(cls):
        return relationship(\(dqWebAuthn\(dq, backref=\(dqusers\(dq, cascade=\(dqall, delete\(dq)
.EE
.UNINDENT
.UNINDENT
.sp
\fBFor mongoengine\fP:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
Add the following to the WebAuthn model:

    user = ReferenceField(\(dqUser\(dq)
    def get_user_mapping(self) \-> dict[str, str]:
        \(dq\(dq\(dqReturn the mapping from webauthn back to User\(dq\(dq\(dq
        return dict(id=self.user.id)

Add the following to the User model:

    webauthn = ListField(ReferenceField(WebAuthn, reverse_delete_rule=PULL), default=[])

To make sure all WebAuthn objects are deleted if the User is deleted:

    User.register_delete_rule(WebAuthn, \(dquser\(dq, CASCADE)
.EE
.UNINDENT
.UNINDENT
.sp
\fBFor peewee\fP:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
Add the following to the WebAuthn model:

    user = ForeignKeyField(User, backref=\(dqwebauthn\(dq)

This will add a column called \(ga\(gauser_id\(ga\(ga that references the User model\(aqs
\(ga\(gaid\(ga\(ga primary key field. It will also create a virtual column \(ga\(gawebauthn\(ga\(ga
as part of the User model. Note that the default Peewee datastore implementation
calls \(ga\(gadelete_instance(recursive=True)\(ga\(ga which correctly deals with ensuring
that WebAuthn records get deleted if a User is deleted.
.EE
.UNINDENT
.UNINDENT
.sp
The \fIUser\fP model needs the following additional fields:
.INDENT 0.0
.IP \(bu 2
\fBfs_webauthn_user_handle\fP (string, 64 bytes, unique).
This is used as the \fIPublicKeyCredentialUserEntity\fP \fIid\fP value.
.UNINDENT
.SS Recovery Codes
.sp
If \fI\%SECURITY_MULTI_FACTOR_RECOVERY_CODES\fP is set to \fBTrue\fP then
the \fIUser\fP model needs the following field:
.INDENT 0.0
.IP \(bu 2
\fBmf_recovery_codes\fP (list of string/UnicodeText, nullable)
.UNINDENT
.sp
A recovery code can be used in place of any configured second\-factor authenticator
(e.g. SMS, WebAuthn, ...).
.SS Custom User Payload
.sp
If you want a custom payload for JSON API responses, define
the method \fIget_security_payload\fP in your User model. The method must return a
serializable object:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
class User(db.Model, UserMixin):
    id = db.Column(db.Integer, primary_key=True)
    email = TextField()
    password = TextField()
    active = BooleanField(default=True)
    confirmed_at = DateTimeField(null=True)
    name = db.Column(db.String(80))

    # Custom User Payload
    def get_security_payload(self):
        rv = super().get_security_payload()
        # :meth:\(gaUser.calc_username\(ga
        rv[\(dqusername\(dq] = self.calc_username()
        rv[\(dqconfirmation_needed\(dq] = self.confirmed_at is None
        return rv
.EE
.UNINDENT
.UNINDENT
.SH CUSTOMIZING AND USAGE PATTERNS
.SS Customizing
.sp
Flask\-Security bootstraps your application with various views for handling its
configured features to get you up and running as quickly as possible. However,
you\(aqll probably want to change the way these views look to be more in line with
your application\(aqs visual design.
.SS Views
.sp
Flask\-Security is packaged with a default template for each view it presents to
a user. Templates are located within a subfolder named \fBsecurity\fP\&. The
following is a list of view templates:
.INDENT 0.0
.IP \(bu 2
\fIsecurity/forgot_password.html\fP
.IP \(bu 2
\fIsecurity/login_user.html\fP
.IP \(bu 2
\fIsecurity/mf_recovery.html\fP
.IP \(bu 2
\fIsecurity/mf_recovery_codes.html\fP
.IP \(bu 2
\fIsecurity/register_user.html\fP
.IP \(bu 2
\fIsecurity/reset_password.html\fP
.IP \(bu 2
\fIsecurity/change_password.html\fP
.IP \(bu 2
\fIsecurity/send_confirmation.html\fP
.IP \(bu 2
\fIsecurity/send_login.html\fP
.IP \(bu 2
\fIsecurity/verify.html\fP
.IP \(bu 2
\fIsecurity/two_factor_select.html\fP
.IP \(bu 2
\fIsecurity/two_factor_setup.html\fP
.IP \(bu 2
\fIsecurity/two_factor_verify_code.html\fP
.IP \(bu 2
\fIsecurity/us_signin.html\fP
.IP \(bu 2
\fIsecurity/us_setup.html\fP
.IP \(bu 2
\fIsecurity/us_verify.html\fP
.IP \(bu 2
\fIsecurity/wan_register.html\fP
.IP \(bu 2
\fIsecurity/wan_signin.html\fP
.IP \(bu 2
\fIsecurity/wan_verify.html\fP
.UNINDENT
.sp
Overriding these templates is simple:
.INDENT 0.0
.IP 1. 3
Create a folder named \fBsecurity\fP within your application\(aqs templates folder
.IP 2. 3
Create a template with the same name for the template you wish to override
.UNINDENT
.sp
You can also specify custom template file paths in the \fI\%configuration\fP\&.
.sp
Each template is passed a template context object that includes the following,
including the objects/values that are passed to the template by the main
Flask application context processor:
.INDENT 0.0
.IP \(bu 2
\fB<template_name>_form\fP: A form object for the view.
.IP \(bu 2
\fBsecurity\fP: The Flask\-Security extension object.
.IP \(bu 2
\fBurl_for_security\fP: A function that returns the configured URL for the passed Security endpoint.
.IP \(bu 2
\fB_fsdomain\fP: A function used to \fItag\fP strings for extraction and localization.
.IP \(bu 2
\fB_fs_is_user_authenticated\fP: Returns True if argument (user) is authenticated.
Usually the \fIcurrent_user\fP proxy is the appropriate argument.
.UNINDENT
.sp
To add more values to the template context, you can specify a context processor
for all views or a specific view. For example:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
security = Security(app, user_datastore)

# This processor is added to all templates
@security.context_processor
def security_context_processor():
    return dict(hello=\(dqworld\(dq)

# This processor is added to only the register view
@security.register_context_processor
def security_register_processor():
    return dict(something=\(dqelse\(dq)
.EE
.UNINDENT
.UNINDENT
.sp
The following is a list of all the available context processor decorators:
.INDENT 0.0
.IP \(bu 2
\fBcontext_processor\fP: All views
.IP \(bu 2
\fBforgot_password_context_processor\fP: Forgot password view
.IP \(bu 2
\fBlogin_context_processor\fP: Login view
.IP \(bu 2
\fBmf_recovery_codes_context_processor\fP: Setup recovery codes view
.IP \(bu 2
\fBmf_recovery_context_processor\fP: Use recovery code view
.IP \(bu 2
\fBregister_context_processor\fP: Register view
.IP \(bu 2
\fBreset_password_context_processor\fP: Reset password view
.IP \(bu 2
\fBchange_password_context_processor\fP: Change password view
.IP \(bu 2
\fBsend_confirmation_context_processor\fP: Send confirmation view
.IP \(bu 2
\fBsend_login_context_processor\fP: Send login view
.IP \(bu 2
\fBmail_context_processor\fP: Whenever an email will be sent
.IP \(bu 2
\fBtf_select_context_processor\fP: Two factor select view
.IP \(bu 2
\fBtf_setup_context_processor\fP: Two factor setup view
.IP \(bu 2
\fBtf_token_validation_context_processor\fP: Two factor token validation view
.IP \(bu 2
\fBus_signin_context_processor\fP: Unified sign in view
.IP \(bu 2
\fBus_setup_context_processor\fP: Unified sign in setup view
.IP \(bu 2
\fBwan_register_context_processor\fP: WebAuthn registration view
.IP \(bu 2
\fBwan_signin_context_processor\fP: WebAuthn sign in view
.IP \(bu 2
\fBwan_verify_context_processor\fP: WebAuthn verify view
.UNINDENT
.SS Forms
.sp
All forms can be overridden. For each form used, you can specify a
replacement class. This allows you to add extra fields to any
form or override validators. For example it is often desired to add additional
personal information fields to the registration form:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
from flask_security import RegisterForm
from wtforms import StringField
from wtforms.validators import DataRequired

class ExtendedRegisterForm(RegisterForm):
    first_name = StringField(\(aqFirst Name\(aq, [DataRequired()])
    last_name = StringField(\(aqLast Name\(aq, [DataRequired()])

security = Security(app, user_datastore,
         register_form=ExtendedRegisterForm)
.EE
.UNINDENT
.UNINDENT
.sp
For the \fBregister_form\fP and \fBconfirm_register_form\fP, only fields that
exist in the user model are passed (as kwargs) to \fI\%UserDatastore.create_user()\fP\&.
Thus, in the above case, the \fBfirst_name\fP and \fBlast_name\fP fields will only
be passed if the model looks like:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
class User(db.Model, UserMixin):
    id = db.Column(db.Integer, primary_key=True)
    email = db.Column(db.String(255), unique=True)
    password = db.Column(db.String(255))
    first_name = db.Column(db.String(255))
    last_name = db.Column(db.String(255))
.EE
.UNINDENT
.UNINDENT
.sp
\fBWARNING:\fP
.INDENT 0.0
.INDENT 3.5
Adding fields is fine \- however re\-defining existing fields could cause
various views to no longer function. Many fields have complex (and not
publicly exposed) validators that have side effects.
.UNINDENT
.UNINDENT
.sp
\fBWARNING:\fP
.INDENT 0.0
.INDENT 3.5
It is important to ALWAYS subclass the base Flask\-Security form and not
attempt to just redefine the class. This is due to the validation method
of many of the forms performs critical additional validation AND will change
or add values to the form as a side\-effect. See below for how to do this.
.UNINDENT
.UNINDENT
.sp
If you need to override an existing field in a form (to override/add validators),
and you want to define a re\-usable validator \- use multiple inheritance \- be extremely
careful about the order of the inherited classes:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
from wtforms import PasswordField, ValidationError
from wtforms.validators import DataRequired

def password_validator(form, field):
    if field.data.startswith(\(dqPASS\(dq):
        raise ValidationError(\(dqReally \- don\(aqt start a password with PASS\(dq)

class NewPasswordFormMixinEx:
    password = PasswordField(\(dqpassword\(dq,
                             validators=[DataRequired(message=\(dqPASSWORD_NOT_PROVIDED\(dq),
                                         password_validator])

class MyRegisterForm(NewPasswordFormMixinEx, ConfirmRegisterForm):
    pass

app.config[\(dqSECURITY_CONFIRM_REGISTER_FORM\(dq] = MyRegisterForm
.EE
.UNINDENT
.UNINDENT
.sp
The following is a list of all the available form overrides:
.INDENT 0.0
.IP \(bu 2
\fBlogin_form\fP: Login form
.IP \(bu 2
\fBverify_form\fP: Verify form
.IP \(bu 2
\fBconfirm_register_form\fP: Confirmable register form
.IP \(bu 2
\fBregister_form\fP: Register form
.IP \(bu 2
\fBforgot_password_form\fP: Forgot password form
.IP \(bu 2
\fBreset_password_form\fP: Reset password form
.IP \(bu 2
\fBchange_password_form\fP: Change password form
.IP \(bu 2
\fBsend_confirmation_form\fP: Send confirmation form
.IP \(bu 2
\fBmf_recovery_codes_form\fP: Setup recovery codes form
.IP \(bu 2
\fBmf_recovery_form\fP: Use recovery code form
.IP \(bu 2
\fBpasswordless_login_form\fP: Passwordless login form
.IP \(bu 2
\fBtwo_factor_verify_code_form\fP: Two\-factor verify code form
.IP \(bu 2
\fBtwo_factor_select_form\fP: Two\-factor select form
.IP \(bu 2
\fBtwo_factor_setup_form\fP: Two\-factor setup form
.IP \(bu 2
\fBtwo_factor_rescue_form\fP: Two\-factor help user form
.IP \(bu 2
\fBus_signin_form\fP: Unified sign in form
.IP \(bu 2
\fBus_setup_form\fP: Unified sign in setup form
.IP \(bu 2
\fBus_setup_validate_form\fP: Unified sign in setup validation form
.IP \(bu 2
\fBus_verify_form\fP: Unified sign in verify form
.IP \(bu 2
\fBwan_delete_form\fP: WebAuthn delete a registered key form
.IP \(bu 2
\fBwan_register_form\fP: WebAuthn initiate registration ceremony form
.IP \(bu 2
\fBwan_register_response_form\fP: WebAuthn registration ceremony form
.IP \(bu 2
\fBwan_signin_form\fP: WebAuthn initiate sign in ceremony form
.IP \(bu 2
\fBwan_signin_response_form\fP: WebAuthn sign in ceremony form
.IP \(bu 2
\fBwan_verify_form\fP: WebAuthn verify form
.UNINDENT
.sp
\fBTIP:\fP
.INDENT 0.0
.INDENT 3.5
Changing/extending the form class won\(aqt directly change how it is displayed.
You need to ALSO provide your own template and explicitly add the new fields you want displayed.
.UNINDENT
.UNINDENT
.SS Controlling Form Instantiation
.sp
This is an advanced concept! Please see \fI\%Security.set_form_info()\fP and
\fI\%FormInfo\fP\&.
.sp
This is an example of providing your own form instantiator using the \(aqform clone\(aq pattern.
In this example we are injecting an external \fIservice\fP into the form for use in validation:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
from flask_security import FormInfo

class MyLoginForm(LoginForm):
    def __init__(self, *args, service=None, **kwargs):
        super().__init__(*args, **kwargs)
        self.myservice = service

    def instantiator(self, form_name, form_cls, *args, **kwargs):
        return MyLoginForm(*args, service=self.myservice, **kwargs)

    def validate(self, **kwargs: t.Any) \-> bool:
        if not super().validate(**kwargs):  # pragma: no cover
            return False
        if not self.myservice(self.email.data):
            self.email.errors.append(\(dqNot happening\(dq)
            return False
        return True

# A silly service that only allows \(aqmatt\(aq\(aq log in!
def login_checker(email):
    return True if email == \(dqmatt@lp.com\(dq else False

with app.test_request_context():
    # Flask\-WTForms require a request context.
    fi = MyLoginForm(formdata=None, service=login_checker)
app.security.set_form_info(\(dqlogin_form\(dq, FormInfo(fi.instantiator))
.EE
.UNINDENT
.UNINDENT
.SS Customizing the Login Form
.sp
This is an example of how to modify the registration and login form to add support for
a single input field to accept both email and username (mimicking legacy Flask\-Security behavior).
Flask\-Security supports username as a configuration option so this is not strictly needed
any more, however, Flask\-Security\(aqs LoginForm uses 2 different input fields (so that
appropriate input attributes can be set):
.INDENT 0.0
.INDENT 3.5
.sp
.EX
from flask_security import (
        RegisterForm,
        LoginForm,
        Security,
        lookup_identity,
        uia_username_mapper,
        unique_identity_attribute,
    )
    from werkzeug.local import LocalProxy
    from wtforms import StringField, ValidationError, validators

    def username_validator(form, field):
        # Side\-effect \- field.data is updated to normalized value.
        # Use proxy to we can declare this prior to initializing Security.
        _security = LocalProxy(lambda: app.extensions[\(dqsecurity\(dq])
        msg, field.data = _security._username_util.validate(field.data)
        if msg:
            raise ValidationError(msg)

    class MyRegisterForm(RegisterForm):
        # Note that unique_identity_attribute uses the defined field \(aqmapper\(aq to
        # normalize. We validate before that to give better error messages and
        # to set the normalized value into the form for saving.
        username = StringField(
            \(dqUsername\(dq,
            validators=[
                validators.data_required(),
                username_validator,
                unique_identity_attribute,
            ],
        )

    class MyLoginForm(LoginForm):
        email = StringField(\(dqemail\(dq, [validators.data_required()])

        def validate(self, **kwargs):
            self.user = lookup_identity(self.email.data)
            # Setting \(aqifield\(aq informs the default login form validation
            # handler that the identity has already been confirmed.
            self.ifield = self.email
            if not super().validate(**kwargs):
                return False
            return True

    # Allow registration with email, but login only with username
    app.config[\(dqSECURITY_USER_IDENTITY_ATTRIBUTES\(dq] = [
        {\(dqusername\(dq: {\(dqmapper\(dq: uia_username_mapper}}
    ]
    security = Security(
        datastore=sqlalchemy_datastore,
        register_form=MyRegisterForm,
        login_form=MyLoginForm,
    )
    security.init_app(app)
.EE
.UNINDENT
.UNINDENT
.SS Localization
.sp
All messages, form labels, and form strings are localizable. Flask\-Security uses
\X'tty: link https://pypi.org/project/Flask-Babel/'\fI\%Flask\-Babel\fP\X'tty: link' to manage its messages.
.sp
\fBTIP:\fP
.INDENT 0.0
.INDENT 3.5
Be sure to explicitly initialize your babel extension:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
import flask_babel

flask_babel.Babel(app)
.EE
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.sp
All translations are tagged with a domain, as specified by the configuration variable
\fBSECURITY_I18N_DOMAIN\fP (default: \(dqflask_security\(dq). For messages and labels all this
works seamlessly.  For strings inside templates it is necessary to explicitly ask for
the \(dqflask_security\(dq domain, since your application itself might have its own domain.
Flask\-Security places the method \fB_fsdomain\fP in jinja2\(aqs global environment and
uses that in all templates.
In order to reference a Flask\-Security translation from ANY template (such as if you copied and
modified an existing security template) just use that method:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
{{ _fsdomain(\(dqLogin\(dq) }}
.EE
.UNINDENT
.UNINDENT
.sp
Be aware that Flask\-Security will validate and normalize email input using the
\X'tty: link https://pypi.org/project/email-validator/'\fI\%email_validator\fP\X'tty: link' package.
The normalized form is stored in the DB.
.SS Overriding Messages
.sp
It is possible to change one or more messages (either the original default english
and/or a specific translation). Adding the following to your app:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
app.config[\(dqSECURITY_MSG_INVALID_PASSWORD\(dq] = (\(dqPassword no\-worky\(dq, \(dqerror\(dq)
.EE
.UNINDENT
.UNINDENT
.sp
will change the default message in english.
.sp
\fBTIP:\fP
.INDENT 0.0
.INDENT 3.5
The string messages themselves are a \(aqkey\(aq into the translation .po/.mo files.
Do not pass in gettext(\(aqstring\(aq) or lazy_gettext(\(aqstring).
.UNINDENT
.UNINDENT
.sp
If you need translations then you
need to create your own \fBtranslations\fP directory and add the appropriate .po files
and compile them. Finally, add your translations directory path to the configuration.
In this example, create a file \fBflask_security.po\fP under a directory:
\fBtranslations/fr_FR/LC_MESSAGES\fP (for french) with the following contents:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
msgid \(dq\(dq
msgstr \(dq\(dq

msgid \(dqPassword no\-worky\(dq
msgstr \(dqPasse \- no\-worky\(dq
.EE
.UNINDENT
.UNINDENT
.sp
Then compile it with:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
pybabel compile \-d translations/ \-i translations/fr_FR/LC_MESSAGES/flask_security.po \-l fr_FR \-D flask_security
.EE
.UNINDENT
.UNINDENT
.sp
Finally add your translations directory to your configuration:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
app.config[\(dqSECURITY_I18N_DIRNAME\(dq] = [\(dqbuiltin\(dq, \(dqtranslations\(dq]
.EE
.UNINDENT
.UNINDENT
.SS Emails
.sp
Flask\-Security is also packaged with a default template for each email that it
may send. Templates are located within the subfolder named \fBsecurity/email\fP\&.
The following is a list of email templates:
.INDENT 0.0
.IP \(bu 2
\fIsecurity/email/confirmation_instructions.html\fP
.IP \(bu 2
\fIsecurity/email/confirmation_instructions.txt\fP
.IP \(bu 2
\fIsecurity/email/login_instructions.html\fP
.IP \(bu 2
\fIsecurity/email/login_instructions.txt\fP
.IP \(bu 2
\fIsecurity/email/reset_instructions.html\fP
.IP \(bu 2
\fIsecurity/email/reset_instructions.txt\fP
.IP \(bu 2
\fIsecurity/email/reset_notice.html\fP
.IP \(bu 2
\fIsecurity/email/reset_notice.txt\fP
.IP \(bu 2
\fIsecurity/email/change_notice.txt\fP
.IP \(bu 2
\fIsecurity/email/change_notice.html\fP
.IP \(bu 2
\fIsecurity/email/welcome.html\fP
.IP \(bu 2
\fIsecurity/email/welcome.txt\fP
.IP \(bu 2
\fIsecurity/email/welcome_existing.html\fP
.IP \(bu 2
\fIsecurity/email/welcome_existing.txt\fP
.IP \(bu 2
\fIsecurity/email/welcome_existing_username.html\fP
.IP \(bu 2
\fIsecurity/email/welcome_existing_username.txt\fP
.IP \(bu 2
\fIsecurity/email/two_factor_instructions.html\fP
.IP \(bu 2
\fIsecurity/email/two_factor_instructions.txt\fP
.IP \(bu 2
\fIsecurity/email/two_factor_rescue.html\fP
.IP \(bu 2
\fIsecurity/email/two_factor_rescue.txt\fP
.IP \(bu 2
\fIsecurity/email/us_instructions.html\fP
.IP \(bu 2
\fIsecurity/email/us_instructions.txt\fP
.UNINDENT
.sp
Overriding these templates is simple:
.INDENT 0.0
.IP 1. 3
Create a folder named \fBsecurity\fP within your application\(aqs templates folder
.IP 2. 3
Create a folder named \fBemail\fP within the \fBsecurity\fP folder
.IP 3. 3
Create a template with the same name for the template you wish to override
.UNINDENT
.sp
Each template is passed a template context object that includes values as described below.
In addition, the \fBsecurity\fP object is always passed \- you can for example render
any security configuration variable via \fBsecurity.lower_case_variable_name\fP
and don\(aqt include the prefix \fBsecurity_\fP (e.g. \fB{{ security.confirm_url }\fP)}.
If you require more values in the
templates, you can specify an email context processor with the
\fBmail_context_processor\fP decorator. For example:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
security = Security(app, user_datastore)

# This processor is added to all emails
@security.mail_context_processor
def security_mail_processor():
    return dict(hello=\(dqworld\(dq)
.EE
.UNINDENT
.UNINDENT
.sp
There are many configuration variables associated with emails, and each template
will receive a slightly different context. The \fBGate Config\fP column are configuration variables that if set
to \fBFalse\fP will bypass sending of the email (they all default to \fBTrue\fP).
In most cases, in addition to an email being sent, a \fI\%Signal\fP is sent.
The table below summarizes all this:
.TS
box center;
l|l|l|l|l.
T{
\fBTemplate Name\fP
T}	T{
\fBGate Config\fP
T}	T{
\fBSubject Config\fP
T}	T{
\fBContext Vars\fP
T}	T{
\fBSignal Sent\fP
T}
_
T{
welcome
T}	T{
SECURITY_SEND_REGISTER_EMAIL
T}	T{
SECURITY_EMAIL_SUBJECT_REGISTER
T}	T{
.INDENT 0.0
.IP \(bu 2
user
.IP \(bu 2
confirmation_link
.IP \(bu 2
confirmation_token
.UNINDENT
T}	T{
user_registered
T}
_
T{
confirmation_instructions
T}	T{
N/A
T}	T{
SECURITY_EMAIL_SUBJECT_CONFIRM
T}	T{
.INDENT 0.0
.IP \(bu 2
user
.IP \(bu 2
confirmation_link
.IP \(bu 2
confirmation_token
.UNINDENT
T}	T{
confirm_instructions_sent
T}
_
T{
login_instructions
T}	T{
N/A
T}	T{
SECURITY_EMAIL_SUBJECT_PASSWORDLESS
T}	T{
.INDENT 0.0
.IP \(bu 2
user
.IP \(bu 2
login_link
.IP \(bu 2
login_token
.UNINDENT
T}	T{
login_instructions_sent
T}
_
T{
reset_instructions
T}	T{
SEND_PASSWORD_RESET_EMAIL
T}	T{
SECURITY_EMAIL_SUBJECT_PASSWORD_RESET
T}	T{
.INDENT 0.0
.IP \(bu 2
user
.IP \(bu 2
reset_link
.IP \(bu 2
reset_token
.UNINDENT
T}	T{
reset_password_instructions_sent
T}
_
T{
reset_notice
T}	T{
SEND_PASSWORD_RESET_NOTICE_EMAIL
T}	T{
SECURITY_EMAIL_SUBJECT_PASSWORD_NOTICE
T}	T{
.INDENT 0.0
.IP \(bu 2
user
.UNINDENT
T}	T{
password_reset
T}
_
T{
change_notice
T}	T{
SEND_PASSWORD_CHANGE_EMAIL
T}	T{
SECURITY_EMAIL_SUBJECT_PASSWORD_CHANGE_NOTICE
T}	T{
.INDENT 0.0
.IP \(bu 2
user
.UNINDENT
T}	T{
password_changed
T}
_
T{
two_factor_instructions
T}	T{
N/A
T}	T{
SECURITY_EMAIL_SUBJECT_TWO_FACTOR
T}	T{
.INDENT 0.0
.IP \(bu 2
user
.IP \(bu 2
token
.IP \(bu 2
username
.UNINDENT
T}	T{
tf_security_token_sent
T}
_
T{
two_factor_rescue
T}	T{
N/A
T}	T{
SECURITY_EMAIL_SUBJECT_TWO_FACTOR_RESCUE
T}	T{
.INDENT 0.0
.IP \(bu 2
user
.UNINDENT
T}	T{
N/A
T}
_
T{
us_instructions
T}	T{
N/A
T}	T{
SECURITY_US_EMAIL_SUBJECT
T}	T{
.INDENT 0.0
.IP \(bu 2
user
.IP \(bu 2
login_token
.IP \(bu 2
login_link
.IP \(bu 2
username
.UNINDENT
T}	T{
us_security_token_sent
T}
_
T{
welcome_existing
T}	T{
SECURITY_SEND_REGISTER_EMAIL
SECURITY_RETURN_GENERIC_RESPONSES
T}	T{
SECURITY_EMAIL_SUBJECT_REGISTER
T}	T{
.INDENT 0.0
.IP \(bu 2
user
.IP \(bu 2
recovery_link
.UNINDENT
T}	T{
user_not_registered
T}
_
T{
welcome_existing_username
T}	T{
SECURITY_SEND_REGISTER_EMAIL
SECURITY_RETURN_GENERIC_RESPONSES
T}	T{
SECURITY_EMAIL_SUBJECT_REGISTER
T}	T{
.INDENT 0.0
.IP \(bu 2
email
.IP \(bu 2
username
.UNINDENT
T}	T{
user_not_registered
T}
.TE
.sp
When sending an email, Flask\-Security goes through the following steps:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP 1. 3
Calls the email context processor as described above
.IP 2. 3
Calls \fBrender_template\fP (as configured at Flask\-Security initialization time) with the
context and template to produce a text and/or html version of the message
.IP 3. 3
Calls \fI\%MailUtil.send_mail()\fP with all the required parameters.
.UNINDENT
.UNINDENT
.UNINDENT
.sp
The default implementation of \fBMailUtil.send_mail\fP uses flask\-mailman to create and send the message.
By providing your own implementation, you can use any available python email handling package.
.sp
Email subjects are by default localized \- see above section on Localization to learn how
to customize them.
.SS Emails with Celery
.sp
Sometimes it makes sense to send emails via a task queue, such as \X'tty: link http://www.celeryproject.org/'\fI\%Celery\fP\X'tty: link'\&.
This is supported by providing your own implementation of the \fI\%MailUtil\fP class:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
from flask_security import MailUtil
class MyMailUtil(MailUtil):

    def send_mail(self, template, subject, recipient, sender, body, html, **kwargs):
        send_flask_mail.delay(
            subject=subject,
            from_email=sender,
            to=[recipient],
            body=body,
            html=html,
        )
.EE
.UNINDENT
.UNINDENT
.sp
Then register your class as part of Flask\-Security initialization:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
from flask import Flask
from flask_mailman import EmailMultiAlternatives, Mail
from flask_security import Security, SQLAlchemyUserDatastore
from celery import Celery

mail = Mail()
security = Security()
celery = Celery()


@celery.task
def send_flask_mail(**kwargs):
    with app.app_context():
        with mail.get_connection() as connection:
            html = kwargs.pop(\(dqhtml\(dq, None)
            msg = EmailMultiAlternatives(**kwargs, connection=connection)
            if html:
                msg.attach_alternative(html, \(dqtext/html\(dq)
            msg.send()

def create_app(config):
    \(dq\(dq\(dqInitialize Flask instance.\(dq\(dq\(dq

    app = Flask(__name__)
    app.config.from_object(config)

    mail.init_app(app)
    datastore = SQLAlchemyUserDatastore(db, User, Role)
    security.init_app(app, datastore, mail_util_cls=MyMailUtil)

    return app
.EE
.UNINDENT
.UNINDENT
.SS Responses
.sp
Flask\-Security will likely be a very small piece of your application,
so Flask\-Security makes it easy to override all aspects of API responses.
.SS JSON Response
.sp
Applications that support a JSON based API need to be able to have a uniform
API response. Flask\-Security has a default way to render its API responses \- which can
be easily overridden by providing a callback function via \fI\%Security.render_json()\fP\&.
Be aware that Flask\-Security subclasses Flask\(aqs JSONProvider interface and sets
it on \fIapp.json_provider_cls\fP\&.
.SS 401, 403, Oh My
.sp
For a very long read and discussion; look at \X'tty: link https://stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses'\fI\%this\fP\X'tty: link'\&. Out of the box, Flask\-Security in
tandem with Flask\-Login, behaves as follows:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
If authentication fails as the result of a \fI@login_required\fP, \fI@auth_required(\(dqsession\(dq, \(dqtoken\(dq)\fP,
or \fI@token_auth_required\fP then if the request \(aqwants\(aq a JSON
response, \fI\%Security.render_json()\fP is called with a 401 status code.
If not then the \fISECURITY_MSG_UNAUTHENTICATED\fP message is flashed and the request is
redirected to the \fIlogin\fP view.
.IP \(bu 2
If authentication fails as the result of a \fI@http_auth_required\fP or \fI@auth_required(\(dqbasic\(dq)\fP
then a 401 is returned along with the http header \fBWWW\-Authenticate\fP set to
\fBBasic realm=\(dqxxxx\(dq\fP\&. The realm name is defined by \fI\%SECURITY_DEFAULT_HTTP_AUTH_REALM\fP\&.
.IP \(bu 2
If authorization fails as the result of \fI@roles_required\fP, \fI@roles_accepted\fP,
\fI@permissions_required\fP, or \fI@permissions_accepted\fP, then if the request \(aqwants\(aq a JSON
response, \fI\%Security.render_json()\fP is called with a 403 status code. If not,
then if \fI\%SECURITY_UNAUTHORIZED_VIEW\fP is defined, the response will redirected.
If \fI\%SECURITY_UNAUTHORIZED_VIEW\fP is not defined, then \fBabort(403)\fP is called.
.UNINDENT
.UNINDENT
.UNINDENT
.sp
All this can be easily changed by registering any or all of \fI\%Security.render_json()\fP,
\fI\%Security.unauthn_handler()\fP and \fI\%Security.unauthz_handler()\fP\&.
.sp
The decision on whether to return JSON is based on:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
Was the request content\-type \(dqapplication/json\(dq (e.g. request.is_json()) OR
.IP \(bu 2
Is the \(aqbest\(aq value of the \fBAccept\fP HTTP header \(dqapplication/json\(dq
.UNINDENT
.UNINDENT
.UNINDENT
.SS Redirects
.sp
Flask\-Security uses redirects frequently (when using forms), and most of the redirect
destinations are configurable. When Flask\-Security initiates a redirect it (almost) always flashes a message
that provides some context for the user.
In addition, Flask\-Security \- both in its views and default templates, attempts to propagate
any \fInext\fP query param and in fact, an existing \fI?next=/xx\fP will override most of the configuration redirect URLs.
.sp
As a complex example consider an unauthenticated user accessing a \fI@auth_required\fP endpoint, and the user has
two\-factor authentication set up.:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
GET(\(dq/protected\(dq) \- The \fIdefault_unauthn_handler\fP will redirect to \fB/login?next=/protected\fP
.IP \(bu 2
The login form/template will pick any \fI?next=/xx\fP argument off the request URL and append it to form action.
.IP \(bu 2
When the form is submitted if will do a POST(\(dq/login?next=/protected\(dq)
.IP \(bu 2
Assuming correct authentication, the system will send out a 2\-factor code and redirect to \fB/tf\-verify?next=/protected\fP
.IP \(bu 2
The two_factor_validation_form/template also pulls any \fI?next=/xx\fP and appends to the form action.
.IP \(bu 2
When the \fItf\-validate\fP form is submitted it will do a POST(\(dq/tf\-validate?next=/protected\(dq).
.IP \(bu 2
Assuming a correct code, the user is authenticated and is redirected. That redirection first
looks for a \(aqnext\(aq in the request.args then in request.form and finally will use the value of \fI\%SECURITY_POST_LOGIN_VIEW\fP\&.
In this example it will find the \fBnext=/protected\fP in the request.args and redirect to \fB/protected\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
.SS WebAuthn
.sp
WebAuthn/FIDO2 is a \X'tty: link https://www.w3.org/TR/webauthn-2/'\fI\%W3C standard\fP\X'tty: link' that defines a cryptographic protocol between a
relying party (your Flask application) and an authenticator. In simple terms this allows connecting
your Flask application to a variety of authenticators including dedicated hardware (e.g. YubiKey) and
devices that have cryptographic capabilities (e.g. a mobile phone with fingerprint or face id).
.sp
This protocol is supported by all major browsers, however as of Spring 2022, few web application actually
support it, and those that do normally just support using a WebAuthn key as an additional, optional, second factor.
.sp
Note that a WebAuthn key can possibly satisfy a complete 2\-factor authentication requirement \- something you have
and something you are (think a mobile device with face\-Id). Flask\-Security supports this use case.
.SS Key Concepts
.sp
While the spec is quite complex \- there are 2 important concepts to know. WebAuthn keys
can be classified as \(aqplatform\(aq/\(aqcross\-platform\(aq and \(aqresident\(aq/or not. If a key is a \fBplatform\fP key
that means it is tied to a particular device. If you set up a second factor WebAuthn key that is a \fBplatform\fP
key you will ONLY BE ABLE TO AUTHENTICATE using that device. For that reason it is a best practice to make sure
there is at least one second\-factor authentication method setup that is NOT platform specific (such as SMS, an authenticator app, etc.).
.sp
Flask\-Security requires that when registering a WebAuthn key, the user must specify whether the key
will be used for first/primary authentication or for multi\-factor/second authentication.
.sp
It should be noted the the current spec REQUIRES javascript to communicate from your front\-end to the browser.
Flask\-Security ships with the basic required JS (static/{webauthn.js,base64.js}).
An application should be able to simply wire those into their templates or javascript.
.SS Configuration
.sp
As with many features in Flask\-Security, configuration is a combination of config variables,
constructor parameters, and a sub\-classable utility class. The WebAuthn spec offers a lot of
flexibility in supporting a wide range of authenticators. The default configuration is:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
Allow a WebAuthn key to be used for first/primary authentication (\fI\%SECURITY_WAN_ALLOW_AS_FIRST_FACTOR\fP = \fBTrue\fP)
.IP \(bu 2
Allow a WebAuthn key to be used as a multi\-factor (both first and secondary) if
the key supports it (\fI\%SECURITY_WAN_ALLOW_AS_MULTI_FACTOR\fP = \fBTrue\fP)
.IP \(bu 2
Allow both \(aqfirst\(aq and \(aqsecondary\(aq WebAuthn keys to be used for \(aqfreshness\(aq verification
(\fI\%SECURITY_WAN_ALLOW_AS_VERIFY\fP = \fBTrue\fP)
.IP \(bu 2
Allow returning WebAuthn key names to un\-authenticated users (\fI\%SECURITY_WAN_ALLOW_USER_HINTS\fP = \fBTrue\fP)
Please see \X'tty: link https://www.w3.org/TR/webauthn-2/#sctn-unprotected-account-detection'\fI\%this\fP\X'tty: link' portion of the WebAuthn spec for security implications.
.UNINDENT
.UNINDENT
.UNINDENT
.sp
The bundled \fI\%WebauthnUtil\fP class implements the following defaults:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
The \fBAuthenticatorSelectionCriteria\fP is set to \fBCROSS_PLATFORM\fP for webauthn keys being
registered for first/primary authentication.
.IP \(bu 2
The \fBUserVerificationRequirement\fP is set to \fBDISCOURAGED\fP for keys used for secondary
authentication, and \fBPREFERRED\fP for keys used for first/primary or multi\-factor.
.UNINDENT
.UNINDENT
.UNINDENT
.SS Two\-factor Configurations
.sp
Two\-factor authentication provides a second layer of security to any type of
login, requiring extra information or a secondary device to log in, in addition
to ones login credentials. The added feature includes the ability to add a
secondary authentication method using either via email, sms message, or an
Authenticator app such as Google, Lastpass, or Authy.
.sp
The following code sample illustrates how to get started as quickly as
possible using SQLAlchemy and two\-factor feature. In this example both
email and an authenticator app is supported as a second factor. See below
for information about SMS.
.SS Basic SQLAlchemy Two\-Factor Application
.SS SQLAlchemy Install requirements
.INDENT 0.0
.INDENT 3.5
.sp
.EX
$ python3 \-m venv pymyenv
$ . pymyenv/bin/activate
$ pip install flask\-security\-too[common,mfa,fsqla]
.EE
.UNINDENT
.UNINDENT
.SS Two\-factor Application
.sp
The following code sample illustrates how to get started as quickly as
possible using SQLAlchemy:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
import os
from flask import Flask, current_app, render_template_string
from flask_sqlalchemy import SQLAlchemy
from flask_security import Security, SQLAlchemyUserDatastore, \e
    UserMixin, RoleMixin, auth_required
from flask_mailman import Mail

# Create app
app = Flask(__name__)
app.config[\(aqDEBUG\(aq] = True
# Generate a nice key using secrets.token_urlsafe()
app.config[\(aqSECRET_KEY\(aq] = os.environ.get(\(dqSECRET_KEY\(dq, \(aqpf9Wkove4IKEAXvy\-cQkeDPhv9Cb3Ag\-wyJILbq_dFw\(aq)
# Bcrypt is set as default SECURITY_PASSWORD_HASH, which requires a salt
# Generate a good salt using: secrets.SystemRandom().getrandbits(128)
app.config[\(aqSECURITY_PASSWORD_SALT\(aq] = os.environ.get(\(dqSECURITY_PASSWORD_SALT\(dq, \(aq146585145368132386173505678016728509634\(aq)

app.config[\(aqSQLALCHEMY_DATABASE_URI\(aq] = \(aqsqlite://\(aq

app.config[\(aqSECURITY_TWO_FACTOR_ENABLED_METHODS\(aq] = [\(aqemail\(aq,
  \(aqauthenticator\(aq]  # \(aqsms\(aq also valid but requires an sms provider
app.config[\(aqSECURITY_TWO_FACTOR\(aq] = True
app.config[\(aqSECURITY_TWO_FACTOR_RESCUE_MAIL\(aq] = \(dqput_your_mail@gmail.com\(dq

app.config[\(aqSECURITY_TWO_FACTOR_ALWAYS_VALIDATE\(aq] = False
app.config[\(aqSECURITY_TWO_FACTOR_LOGIN_VALIDITY\(aq] = \(dq1 week\(dq

# Generate a good totp secret using: passlib.totp.generate_secret()
app.config[\(aqSECURITY_TOTP_SECRETS\(aq] = {\(dq1\(dq: \(dqTjQ9Qa31VOrfEzuPy4VHQWPCTmRzCnFzMKLxXYiZu9B\(dq}
app.config[\(aqSECURITY_TOTP_ISSUER\(aq] = \(dqput_your_app_name\(dq

app.config[\(dqSQLALCHEMY_ENGINE_OPTIONS\(dq] = {
    \(dqpool_pre_ping\(dq: True,
}
app.config[\(dqSQLALCHEMY_TRACK_MODIFICATIONS\(dq] = False

# Create database connection object
db = SQLAlchemy(app)

# Define models
roles_users = db.Table(\(aqroles_users\(aq,
    db.Column(\(aquser_id\(aq, db.Integer(), db.ForeignKey(\(aquser.id\(aq)),
    db.Column(\(aqrole_id\(aq, db.Integer(), db.ForeignKey(\(aqrole.id\(aq)))

class Role(db.Model, RoleMixin):
  id = db.Column(db.Integer(), primary_key=True)
  name = db.Column(db.String(80), unique=True)
  description = db.Column(db.String(255))

class User(db.Model, UserMixin):
    id = db.Column(db.Integer, primary_key=True)
    email = db.Column(db.String(255), unique=True)
    # Make username unique but not required.
    username = db.Column(db.String(255), unique=True, nullable=True)
    password = db.Column(db.String(255))
    active = db.Column(db.Boolean())
    fs_uniquifier = db.Column(db.String(255), unique=True, nullable=False)
    confirmed_at = db.Column(db.DateTime())
    roles = db.relationship(\(aqRole\(aq, secondary=roles_users,
                            backref=db.backref(\(aqusers\(aq, lazy=\(aqdynamic\(aq))
    tf_phone_number = db.Column(db.String(128), nullable=True)
    tf_primary_method = db.Column(db.String(64), nullable=True)
    tf_totp_secret = db.Column(db.String(255), nullable=True)

# Setup Flask\-Security
user_datastore = SQLAlchemyUserDatastore(db, User, Role)
app.security = Security(app, user_datastore)

mail = Mail(app)

# Views
@app.route(\(aq/\(aq)
@auth_required()
def home():
    return render_template_string(\(dqHello {{ current_user.email }}\(dq)

# one time setup
with app.app_context():
    # Create a user to test with
    db.create_all()
    if not app.security.datastore.find_user(email=\(aqtest@me.com\(aq):
        app.security.datastore.create_user(email=\(aqtest@me.com\(aq, password=\(aqpassword\(aq)
    db.session.commit()

if __name__ == \(aq__main__\(aq:
    app.run()
.EE
.UNINDENT
.UNINDENT
.SS Adding SMS
.sp
Using SMS as a second factor requires access to an SMS service provider such as \(dqTwilio\(dq.
Flask\-Security supports Twilio out of the box.
For other sms service providers you will need to subclass \fI\%SmsSenderBaseClass\fP and register it:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.INDENT 3.5
.sp
.EX
SmsSenderFactory.senders[<service\-name>] = <service\-class>
.EE
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.sp
You need to install additional packages:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
pip install phonenumberslite twilio
.EE
.UNINDENT
.UNINDENT
.sp
And set additional configuration variables:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
app.config[\(dqSECURITY_TWO_FACTOR_ENABLED_METHODS\(dq] = [\(aqemail\(aq,
  \(aqauthenticator\(aq, \(aqsms\(aq]
app.config[\(dqSECURITY_SMS_SERVICE\(dq] = \(dqTwilio\(dq
app.config[\(dqSECURITY_SMS_SERVICE_CONFIG\(dq =
  {\(aqACCOUNT_SID\(aq: <from twilio>, \(aqAUTH_TOKEN\(aq: <from twilio>, \(aqPHONE_NUMBER\(aq: <from twilio>}
.EE
.UNINDENT
.UNINDENT
.SS Theory of Operation
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
The Two\-factor feature requires that session cookies be received and sent as part of the API.
This is true regardless of whether the application uses forms or JSON.
.UNINDENT
.UNINDENT
.sp
The Two\-factor (2FA) API has four paths:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
Normal login once everything set up
.IP \(bu 2
Changing 2FA setup
.IP \(bu 2
Initial login/registration when 2FA is required
.IP \(bu 2
Rescue
.UNINDENT
.UNINDENT
.UNINDENT
.sp
When using forms, the flow from one state to the next is handled by the forms themselves. When using JSON
the application must of course explicitly access the appropriate endpoints. The descriptions below describe the JSON access pattern.
.SS Normal Login
.sp
In the normal case, when the user has already setup their preferred 2FA method (e.g. email, SMS, authenticator app),
then the flow starts with the authentication process using the \fB/login\fP or \fB/us\-signin\fP endpoints, providing
their identity and password. If 2FA is required, the response will indicate that. Then, the application must POST to the \fB/tf\-validate\fP
with the correct code.
.SS Changing 2FA Setup
.sp
An authenticated user can change their 2FA configuration (primary_method, phone number, etc.). In order to prevent a user from being
locked out, the new configuration must be validated before it is stored permanently. The user starts with a GET on \fB/tf\-setup\fP\&. This will return
a list of configured 2FA methods the user can choose from, and the existing configuration. This must be followed with a POST on \fB/tf\-setup\fP with the new primary
method (and phone number if SMS). In the case of SMS, a code will be sent to the phone/device and again use \fB/tf\-validate\fP to confirm code.
In the case of setting up an authenticator app, the response to the POST will contain the QRcode image as well
as the required information for manual entry.
Once the code  has been successfully
entered, the new configuration will be permanently stored.
.SS Initial login/registration
.sp
This is basically a combination of the above two \- initial POST to \fB/login\fP will return indicating that 2FA is required. The user must then POST to \fB/tf\-setup\fP to setup
the desired 2FA method, and finally have the user enter the code and POST to \fB/tf\-validate\fP\&.
.SS Rescue
.sp
Life happens \- if the user doesn\(aqt have their mobile devices (SMS) or authenticator app, then they can use the \fB/tf\-rescue\fP endpoint to
see possible recovery options. Flask\-Security supports the following:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
Have a one\-time code sent to their email (if \fI\%SECURITY_TWO_FACTOR_RESCUE_EMAIL\fP is set to \fBTrue\fP).
.IP \(bu 2
Send an email to the application administrators.
.IP \(bu 2
Use a previously setup one\-time recovery code (see \fI\%SECURITY_MULTI_FACTOR_RECOVERY_CODES\fP)
.UNINDENT
.UNINDENT
.UNINDENT
.SS Validity
.sp
Sometimes it can be preferable to enter the 2FA code once a day/week/month, especially if a user logs in and out of a website multiple times.  This allows the
security of a two factor authentication but with a slightly better user experience.  This can be achieved by setting \fI\%SECURITY_TWO_FACTOR_ALWAYS_VALIDATE\fP to \fBFalse\fP,
and clicking the \(aqRemember\(aq button on the login form. Once the two factor code is validated, a cookie is set to allow skipping the validation step.  The cookie is named
\fBtf_validity\fP and contains the signed token containing the user\(aqs \fBfs_uniquifier\fP\&.  The cookie and token are both set to expire after the time delta given in
\fI\%SECURITY_TWO_FACTOR_LOGIN_VALIDITY\fP\&.  Note that setting \fBSECURITY_TWO_FACTOR_LOGIN_VALIDITY\fP to 0 is equivalent to \fBSECURITY_TWO_FACTOR_ALWAYS_VALIDATE\fP being \fBTrue\fP\&.
.SS Working with Single Page Applications
.sp
\X'tty: link https://en.wikipedia.org/wiki/Single-page_application'\fI\%Single Page Applications (spa)\fP\X'tty: link' are a popular model for both separating
user interface from application/backend code as well as providing a responsive
user experience. Angular and Vue are popular Javascript frameworks for writing SPAs.
An added benefit is that the UI can be developed completely independently (in a separate repo)
and take advantage of the latest Javascript packing and bundling technologies that are
evolving rapidly, and not make the Flask application have to deal with things
like Flask\-Webpack or webassets.
.sp
For the purposes of this application note \- this implies:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
The user interface code is delivered by some other means than the Flask application.
In particular this means that there are no opportunities to inject context/environment
via a templating language.
.IP \(bu 2
The user interface interacts with the backend Flask application via JSON requests
and responses \- not forms. The external (json/form) API is described \fI\%here\fP
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
SPAs are still browser based \- so they have the same security vulnerabilities as
traditional html/form\-based applications.
.IP \(bu 2
SPAs handle all routing/redirection via code, so redirects need context.
.UNINDENT
.UNINDENT
.UNINDENT
.SS Configuration
.sp
An example configuration:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# no forms so no concept of flashing
SECURITY_FLASH_MESSAGES = False

# Need to be able to route backend flask API calls. Use \(aqaccounts\(aq
# to be the Flask\-Security endpoints.
SECURITY_URL_PREFIX = \(aq/api/accounts\(aq

# Turn on all the great Flask\-Security features
SECURITY_RECOVERABLE = True
SECURITY_TRACKABLE = True
SECURITY_CHANGEABLE = True
SECURITY_CONFIRMABLE = True
SECURITY_REGISTERABLE = True
SECURITY_UNIFIED_SIGNIN = True

# These need to be defined to handle redirects \- these are part of the apps UI
# As defined in the API documentation \- they will receive the relevant context
SECURITY_POST_CONFIRM_VIEW = \(dq/confirmed\(dq
SECURITY_CONFIRM_ERROR_VIEW = \(dq/confirm\-error\(dq
SECURITY_RESET_VIEW = \(dq/reset\-password\(dq
SECURITY_RESET_ERROR_VIEW = \(dq/reset\-password\-error\(dq
SECURITY_LOGIN_ERROR_VIEW = \(dq/login\-error\(dq
SECURITY_POST_OAUTH_LOGIN_VIEW = \(dq/post\-oauth\-login\(dq
SECURITY_REDIRECT_BEHAVIOR = \(dqspa\(dq

# CSRF protection is critical for all session\-based browser UIs

# enforce CSRF protection for session / browser \- but allow token\-based
# API calls to go through
SECURITY_CSRF_PROTECT_MECHANISMS = [\(dqsession\(dq, \(dqbasic\(dq]
SECURITY_CSRF_IGNORE_UNAUTH_ENDPOINTS = True

# Send Cookie with csrf\-token. This is the default for Axios and Angular.
SECURITY_CSRF_COOKIE_NAME = \(dqXSRF\-TOKEN\(dq
WTF_CSRF_CHECK_DEFAULT = False
WTF_CSRF_TIME_LIMIT = None

# In your app
# Enable CSRF on all api endpoints.
flask_wtf.CSRFProtect(app)

# Initialize Flask\-Security
user_datastore = SQLAlchemyUserDatastore(db, User, Role)
security = Security(app, user_datastore)

# Optionally define and set unauthorized callbacks
security.unauthz_handler(<your unauth handler>)
.EE
.UNINDENT
.UNINDENT
.sp
When in development mode, the Flask application will run by default on port 5000.
The UI might want to run on port 8080. In order to test redirects you need to set:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
SECURITY_REDIRECT_HOST = \(aqlocalhost:8080\(aq
.EE
.UNINDENT
.UNINDENT
.sp
\fBTIP:\fP
.INDENT 0.0
.INDENT 3.5
The \fIlogout\fP endpoint doesn\(aqt take a body \- be sure to add \fIcontent_type=\(dqapplication/json\(dq\fP
header to your POST(\(dq/logout\(dq) request so that no redirection is done.
.UNINDENT
.UNINDENT
.SS Client side authentication options
.sp
Depending on your SPA architecture and vision you can choose between cookie or token based authentication.
.sp
For both there is more documentation and some examples. In both cases, you need to understand and handle \fI\%CSRF\fP concerns.
.SS Security Considerations
.sp
Static elements such as your UI should be served with an industrial\-grade web server \- such
as \X'tty: link https://www.nginx.com/'\fI\%Nginx\fP\X'tty: link'\&. This is also where various security measures should be handled such as injecting
standard security headers such as:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fBStrict\-Transport\-Security\fP
.IP \(bu 2
\fBX\-Frame\-Options\fP
.IP \(bu 2
\fBContent Security Policy\fP
.IP \(bu 2
\fBX\-Content\-Type\-Options\fP
.IP \(bu 2
\fBX\-XSS\-Protection\fP
.IP \(bu 2
\fBReferrer policy\fP
.UNINDENT
.UNINDENT
.UNINDENT
.sp
There are a lot of different ways to host a SPA as the javascript part itself is quit easily hosted from any static
webserver. A couple of deployment options and their configurations will be describer here.
.SS Nginx
.sp
When serving a SPA from a Nginx webserver the Flask backend, with Flask\-Security\-Too, will probably be served via
Nginx\(aqs reverse proxy feature. The javascript is served from Nginx itself and all calls to a certain path will be routed
to the reversed proxy. The example below routes all http requests to \fI\(dq/api/\(dq\fP to the Flask backend and handles all other
requests directly from javascript. This has a couple of benefits as all the requests happen within the same domain so you
don\(aqt have to worry about \X'tty: link https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS'\fI\%CORS\fP\X'tty: link' problems:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
server {
    listen       80;
    server_name  www.example.com;

    #access_log  /var/log/nginx/host.access.log  main;

    root   /usr/share/nginx/html;
    index index.html;

    location / {
        try_files $uri $uri/ /index.html;
    }

    # Location of assets folder
    location ~ ^/(static)/  {
        gzip_static on;
        gzip_types text/plain text/xml text/css text/comma\-separated\-values
            text/javascript application/x\-javascript application/atom+xml;
        expires max;
    }

    # redirect server error pages to the static page /50x.html
    # 400 error\(aqs will be handled from the SPA
    error_page   500 502 503 504  /50x.html;
        location = /50x.html {
    }

    # route all api requests to the flask app, served by gunicorn
    location /api/ {
        proxy_pass http://localhost:8080/api/;
    }

    # OR served via uwsgi
    location /api/ {
        include ..../uwsgi_params;
        uwsgi_pass unix:/tmp/uwsgi.sock;
        uwsgi_pass_header AUTHENTICATION\-TOKEN;
    }
}
.EE
.UNINDENT
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
The example doesn\(aqt include SSL setup to keep it simple and still suitable for a more complex kubernetes setup
where Nginx is often used as a load balancer and another Nginx with SSL setup runs in front of it.
.UNINDENT
.UNINDENT
.SS Amazon lambda gateway / Serverless
.sp
Most Flask apps can be deployed to Amazon\(aqs lambda gateway without much hassle by using \X'tty: link https://github.com/Miserlou/Zappa'\fI\%Zappa\fP\X'tty: link'\&.
You\(aqll get automatic horizontal scaling, seamless upgrades, automatic SSL certificate renewal and a very cheap way of
hosting a backend without being responsible for any infrastructure. Depending on how you design your app you could
choose to host your backend from an api specific domain: e.g. \fIapi.example.com\fP\&. When your SPA deployment structure is
capable of routing the AJAX/XHR request from your javascript app to the separate backend; use it. When you want to use
the backend from another e.g. \fIwww.example.com\fP you have some deal with some \X'tty: link https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS'\fI\%CORS\fP\X'tty: link' setup as your browser will block
cross\-domain POST requests. There is a Flask package for that: \X'tty: link https://github.com/corydolphin/flask-cors'\fI\%Flask\-CORS\fP\X'tty: link'\&.
.sp
The setup of CORS is simple:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
CORS(
    app,
    supports_credentials=True,  # needed for cross domain cookie support
    resources=\(dq/*\(dq,
    allow_headers=\(dq*\(dq,
    origins=\(dqhttps://www.example.com\(dq,
    expose_headers=\(dqAuthorization,Content\-Type,Authentication\-Token,XSRF\-TOKEN\(dq,
)
.EE
.UNINDENT
.UNINDENT
.sp
You can then host your javascript app from an S3 bucket, with or without Cloudfront, GH\-pages or from any static webserver.
.sp
Some background material:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
Specific to \X'tty: link https://www.savjee.be/2018/05/Content-security-policy-and-aws-s3-cloudfront/'\fI\%S3\fP\X'tty: link' but easily adaptable.
.IP \(bu 2
\X'tty: link https://github.com/GoogleCloudPlatform/flask-talisman'\fI\%Flask\-Talisman\fP\X'tty: link' \- useful if serving everything from your Flask application \- also
useful as a good list of things to consider.
.UNINDENT
.UNINDENT
.UNINDENT
.SS Security Patterns
.sp
\fBDANGER:\fP
.INDENT 0.0
.INDENT 3.5
Be aware that starting in Flask 2.2.0, they recommend extensions store context information
on \fBg\fP which is the application context. Prior to this many extensions (including
Flask\-Security and Flask\-Login) stored things like user credential information on the
request context. These are now stored on \fBg\fP i.e. the application context. It is imperative
that applications not mistakenly push their own application context and forget to pop it \- in that
case Flask won\(aqt push a new application context nor will it pop it at the end of the request \- thus
credential information could leak from one user request to another.
.UNINDENT
.UNINDENT
.SS Authentication and Authorization
.sp
Flask\-Security provides a set of authentication decorators:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fI\%auth_required()\fP
.IP \(bu 2
\fI\%http_auth_required()\fP
.IP \(bu 2
\fI\%auth_token_required()\fP
.UNINDENT
.UNINDENT
.UNINDENT
.sp
and a set of authorization decorators:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fI\%roles_required()\fP
.IP \(bu 2
\fI\%roles_accepted()\fP
.IP \(bu 2
\fI\%permissions_required()\fP
.IP \(bu 2
\fI\%permissions_accepted()\fP
.UNINDENT
.UNINDENT
.UNINDENT
.sp
In addition, Flask\-Login provides @login_required. In order to take advantage of all the
Flask\-Security features, it is recommended to NOT use @login_required.
.sp
Also, if you annotate your endpoints with JUST an authorization decorator, you will never
get a 401 response, and (for forms) you won\(aqt be redirected to your login page. In this case
you will always get a 403 status code (assuming you don\(aqt override the default handlers).
.sp
While these annotations are quick and easy, it is likely that they won\(aqt completely satisfy
all an application\(aqs authorization requirements. A common example might be that a user can
only edit their own posts/documents. In cases like this \- it is nice to have a uniform way
of handling all authorization errors. A simple way to do this is to use a special exception
class that you can raise either in response to Flask\-Security authorization failures, or in your
own code. Then use Flask\(aqs \fBerrorhandler\fP to catch that exception and create the appropriate API response:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
Class MyForbiddenException(Exception):
    def __init__(self, msg=\(aqNot permitted with your privileges\(aq, status=http.HTTPStatus.FORBIDDEN):
        self.info = {\(aqstatus\(aq: status, \(aqmsgs\(aq: [msg]}

_security = app.extensions[\(dqsecurity\(dq]

@_security.unauthz_handler
def my_unauthz_handler(func, params):
    raise MyForbiddenException()

@app.errorhandler(MyForbiddenException)
def my_exception(ex):
    return flask.jsonify(ex.info), ex.info[\(aqstatus\(aq]

@app.route(\(aq/doc/<int:doc_id>\(aq, methods=[\(aqPATCH\(aq])
@auth_required(\(aqtoken\(aq, \(aqsession\(aq)
def doc_patch(doc_id):
    doc = fetch_doc(doc_id)
    if not current_user.has_role(\(aqadmin\(aq) and doc.owner != current_user:
        raise MyForbiddenException(msg=\(aqYou can only update docs you own\(aq)
.EE
.UNINDENT
.UNINDENT
.SS A note about Basic Auth
.sp
Basic Auth is supported in Flask\-Security, using the @http_auth_required() decorator. If a request for an endpoint
protected with @http_auth_required is received, and the request doesn\(aqt contain the appropriate HTTP Headers, a 401 is returned
along with the required WWW\-Authenticate header. In this case there won\(aqt be a usable session cookie returned so all future requests
will also require credentials to be sent. Effectively the caller is temporarily \(aqlogged in\(aq at the beginning of each request and \(aqlogged out\(aq again
at the end of the request. Most (all?) browsers intercept this response and pop up a login dialog box and remember, for the site, the entered credentials.
This effectively bypasses any of the normal Flask\-Security login forms. By default, the Flask\-Security endpoints that require the caller be
authenticated do NOT support \fBbasic\fP \- however the \fI\%SECURITY_API_ENABLED_METHODS\fP can be used to override this.
.SS Freshness
.sp
A common pattern for browser\-based sites is to use sessions to manage identity. This is usually
implemented using session cookies. These cookies expire once the session (browser tab) is closed. This is very
convenient, and keeps the users from having to constantly re\-authenticate. The downside is that sessions can easily be
open for days or weeks. This adds to the security risk that some bad\-actor or XSS gets control of the browser and then can
do anything the user can. To mitigate that, operations that change fundamental identity characteristics (such as email, password, etc.)
can be protected by requiring a \(aqfresh\(aq or recent authentication. Flask\-Security supports this with the following:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fI\%auth_required()\fP takes parameters that define how recent the authentication must have happened. In addition a grace
period can be specified so that multiple step operations don\(aqt require re\-authentication in the middle.
.IP \(bu 2
A default \fI\%Security.reauthn_handler()\fP that is called when a request fails the recent authentication check.
.IP \(bu 2
\fI\%SECURITY_VERIFY_URL\fP, \fI\%SECURITY_US_VERIFY_URL\fP, \fI\%SECURITY_WAN_VERIFY_URL\fP endpoints
that request the user to re\-authenticate.
.IP \(bu 2
\fBVerifyForm\fP, \fBUsVerifyForm\fP, \fBWebAuthnVerifyForm\fP forms that can be extended.
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Flask\-Security itself uses this as part of securing the following endpoints:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\&.wan_register (\(dq/wan\-register\(dq)
.IP \(bu 2
\&.wan_delete (\(dq/wan\-delete\(dq)
.IP \(bu 2
\&.tf_setup (\(dq/tf\-setup\(dq)
.IP \(bu 2
\&.us_setup (\(dq/us\-setup\(dq)
.IP \(bu 2
\&.mf_recovery_codes (\(dq/mf\-recovery\-codes\(dq)
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Using the \fI\%SECURITY_FRESHNESS\fP and \fI\%SECURITY_FRESHNESS_GRACE_PERIOD\fP configuration variables.
.sp
\fBTIP:\fP
.INDENT 0.0
.INDENT 3.5
Freshness requires a session (cookie) be sent as part of the request. Without
a session, freshness will fail. If your application doesn\(aqt/can\(aqt send session cookies
you can disable freshness by setting \fBSECURITY_FRESHNESS\fP to \fBtimedelta(minutes=\-1)\fP
.UNINDENT
.UNINDENT
.SS Open Redirect Exposure
.sp
Flask\-Security, accepts a \fBnext=xx\fP parameter (either
as a query param OR in the POSTed form) which it will use when completing an operation
which results in a redirection. If a malicious user/
application can inject an arbitrary \fBnext\fP parameter which redirects to an external
location, this results in a security vulnerability called an \fIopen redirect\fP\&.
The following endpoints accept a \fBnext\fP parameter:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\&.login (\(dq/login\(dq)
.IP \(bu 2
\&.logout (\(dq/logout\(dq)
.IP \(bu 2
\&.register (\(dq/register\(dq)
.IP \(bu 2
\&.verify (\(dq/verify\(dq)
.IP \(bu 2
\&.two_factor_token_validation (\(dq/tf\-validate\(dq)
.IP \(bu 2
\&.wan_verify_response (\(dq/wan\-verify\(dq)
.IP \(bu 2
\&.wan_signin_response (\(dq/wan\-signin\(dq)
.IP \(bu 2
\&.us_signin (\(dq/us\-signin\(dq)
.IP \(bu 2
\&.us_verify (\(dq/us\-verify\(dq)
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Flask\-Security always quotes the path portion of a user supplied URL.
This \X'tty: link https://www.cve.org/CVERecord?id=CVE-2021-32618'\fI\%link\fP\X'tty: link' provides background of why simple parsing of URLs isn\(aqt enough.
.SS Password Validation and Complexity
.sp
There is a large body of references (and endless discussions) around how to get users to create
good passwords. The \X'tty: link https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'\fI\%OWASP Authentication cheatsheet\fP\X'tty: link'
is a useful place to start. Flask\-Security has a default password validator that:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
Checks for minimum and maximum length (minimum is configurable via \fI\%SECURITY_PASSWORD_LENGTH_MIN\fP).
The default is 8 characters as defined by \X'tty: link https://pages.nist.gov/800-63-3/sp800-63b.html'\fI\%NIST\fP\X'tty: link'\&.
.IP \(bu 2
If \fI\%SECURITY_PASSWORD_CHECK_BREACHED\fP is set, will use the API for \X'tty: link https://haveibeenpwned.com'\fI\%haveibeenpwned\fP\X'tty: link' to
check if the password is on a list of breached passwords. The configuration variable \fI\%SECURITY_PASSWORD_BREACHED_COUNT\fP
can be used to set the minimum allowable \(aqbreaches\(aq.
.IP \(bu 2
If \fI\%SECURITY_PASSWORD_COMPLEXITY_CHECKER\fP is set to \fBzxcvbn\fP and the
package \X'tty: link https://pypi.org/project/zxcvbn/'\fI\%zxcvbn\fP\X'tty: link' is installed, it will check the password for complexity.
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Be aware that \fBzxcvbn\fP is not actively being maintained, and has localization issues.
.sp
In addition to validation, unicode passwords should be normalized as specified
by NIST requirement: \X'tty: link https://pages.nist.gov/800-63-3/sp800-63b.html#sec5'\fI\%5.1.1.2 Memorized Secret Verifiers\fP\X'tty: link'\&. Normalization can
be disabled by setting the \fI\%SECURITY_PASSWORD_NORMALIZE_FORM\fP to \fBNone\fP\&.
Validation and normalization is encapsulated in \fI\%PasswordUtil\fP\&.
This can be overridden by passing your class at app initialization time.
The \fI\%PasswordUtil.validate()\fP is passed additional kwargs to allow custom
validators more flexibility.
A custom validator can still call the underlying methods where appropriate:
\fI\%flask_security.password_length_validator()\fP, \fI\%flask_security.password_complexity_validator()\fP,
and \fI\%flask_security.password_breached_validator()\fP\&.
.SS Generic Responses \- Avoiding User Enumeration
.sp
How an application responds to API requests that contain identity or authentication information
can give would\-be attackers insight into active users on the system. OWASP has a great \X'tty: link https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages'\fI\%cheat\-sheet\fP\X'tty: link' describing
this and useful ways to avoid it. Flask\-Security supports this by setting the
\fI\%SECURITY_RETURN_GENERIC_RESPONSES\fP configuration to \fBTrue\fP\&. As documented in the cheat\-sheet \- this does
come with some usability concerns. The following endpoints are affected:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fI\%SECURITY_REGISTER_URL\fP \- The same response will be returned whether the email (or username) is already in the
system or not. JSON requests will ALWAYS return 200. If \fI\%SECURITY_CONFIRMABLE\fP is set (it should be!), the
\fISECURITY_MSG_CONFIRM_REGISTRATION\fP message will be flashed for both new and existing email addresses. Detailed errors will still
be returned for things like insufficient password complexity, etc.. In the case of trying to register an existing email, an email will be sent to that email address
explaining that they are already registered and displaying the associated username (if any) and provide a hint on how to reset their
password if they forgot it. In the case of a new email but an already registered username, an email will be sent saying that the
user must try registering again with a different username.
.IP \(bu 2
\fI\%SECURITY_LOGIN_URL\fP \- For any errors (unknown username, inactive account, bad password) the \fISECURITY_MSG_GENERIC_AUTHN_FAILED\fP
message will be returned.
.IP \(bu 2
\fI\%SECURITY_RESET_URL\fP \- In all cases the \fISECURITY_MSG_PASSWORD_RESET_REQUEST\fP message will be flashed. For JSON
a 200 will always be returned (whether an email was sent or not).
\fBNote\fP: If the application overrides the form and adds an additional field (e.g. \fIcaptcha\fP) and that field has
a validation error, a normal form error response will be returned (and JSON will return a 400).
.IP \(bu 2
\fI\%SECURITY_CONFIRM_URL\fP \- In all cases the \fISECURITY_MSG_CONFIRMATION_REQUEST\fP message will be flashed. For JSON
a 200 will always be returned (whether an email was sent or not).
\fBNote\fP: If the application overrides the form and adds an additional field (e.g. \fIcaptcha\fP) and that field has
a validation error, a normal form error response will be returned (and JSON will return a 400).
.IP \(bu 2
\fI\%SECURITY_US_SIGNIN_SEND_CODE_URL\fP \- The \fISECURITY_MSG_GENERIC_US_SIGNIN\fP message will be flashed in all cases \-
whether a selected method is setup for the user or not.
.IP \(bu 2
\fI\%SECURITY_US_SIGNIN_URL\fP \- For any errors (unknown username, inactive account, bad passcode) the \fISECURITY_MSG_GENERIC_AUTHN_FAILED\fP
message will be returned.
.IP \(bu 2
\fI\%SECURITY_US_VERIFY_LINK_URL\fP \- For any errors (unknown username, inactive account, bad passcode) the \fISECURITY_MSG_GENERIC_AUTHN_FAILED\fP
message will be returned.
.UNINDENT
.UNINDENT
.UNINDENT
.sp
In the case of an application using a \fBusername\fP as an identity it should be noted that it is possible for a bad\-actor to enumerate usernames, albeit slowly,
by parsing emails.
.sp
Note also that \fI\%SECURITY_REQUIRES_CONFIRMATION_ERROR_VIEW\fP is ignored in these cases. If your application is using WebAuthn, be sure
to set \fI\%SECURITY_WAN_ALLOW_USER_HINTS\fP to \fBFalse\fP\&.
.SS CSRF
.sp
By default, Flask\-Security, via Flask\-WTForms protects all form based POSTS
from CSRF attacks using well vetted per\-session hidden\-form\-field csrf\-tokens.
.sp
Any web application that relies on session cookies for authentication must have CSRF protection.
For more details please read this \X'tty: link https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md'\fI\%OWASP CSRF cheatsheet\fP\X'tty: link'\&.
A couple important take\-aways \- first \- it isn\(aqt about forms versus JSON \- it is about
how the API is authenticated (session cookies versus authentication token). Second there is the
concern about \(aqlogin CSRF\(aq \- is protection needed prior to authentication (yes if
you have a really secure/popular site).
.sp
Flask\-Security strives to support various options for both its endpoints (e.g. \fB/login\fP)
and the application endpoints (protected with Flask\-Security decorators such as \fI\%auth_required()\fP).
.sp
If your application just uses forms that are derived from \fBFlask\-WTF::Flaskform\fP \- you are done.
Note that all of Flask\-Security\(aqs endpoints are form based (regardless of how the request was made).
.SS Behind\-The\-Scenes
.INDENT 0.0
.TP
.B Depending on configuration, there are 3 places CSRF tokens can be checked:
.INDENT 7.0
.IP 1. 3
As part of form validation for any form derived from FlaskForm (which all Flask\-Security
forms are. An error here is recorded in the \fBcsrf_token\fP field and the calling view
decided whether to return 200 or 400 (all Flask\-Security views return 200 with form field errors).
This is the default if no other configuration changes are made.
.IP 2. 3
As part of an @before_request handler that Flask\-WTF sets up if CSRFprotect() is called. On error
this always returns HTTP 400 and small snippet of HTML. This can be disabled
by setting config[\(dqWTF_CSRF_CHECK_DEFAULT\(dq] = True.
.IP 3. 3
As part of a Flask\-Security decorator (\fI\%unauth_csrf()\fP, \fI\%auth_required()\fP). On
error either a JSON response is returned OR CSRFError exception is raised and 400 is returned with the small snippet of HTML
(the exception and default response is part of Flask\-WTF).
.UNINDENT
.UNINDENT
.SS CSRF: Single\-Page\-Applications and AJAX/XHR
.sp
If you are thinking about using authentication tokens in your browser\-based UI \- read
\X'tty: link https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage'\fI\%this article\fP\X'tty: link'
on how and where to store authentication tokens. While the
article is talking about JWT it applies to Flask\-Security tokens as well.
.sp
In general, it is considered more secure (and easier) to use sessions for browser
based UI, and tokens for service to service and scripts.
.sp
For SPA, and especially those that aren\(aqt served via your flask application, there are difficulties
with actually retrieving and using a CSRF token. There are 2 normal ways to do this:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
Have the csrf\-token available via a JSON GET request that can be attached as a
header in every mutating request.
.IP \(bu 2
Have a cookie that can be read via javascript whose value is the csrf\-token that
can be attached as a header in every mutating request.
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Flask\-Security supports both solutions.
.SS Explicit fetch and send of csrf\-token
.sp
The current session CSRF token
is returned on every JSON GET request (to a Flask\-Security endpoint) as \fBresponse[\(aqcsrf_token\(ga]\fP\&.
For web applications that ARE served via flask, it is even easier to get the csrf\-token \-
\X'tty: link https://flask-wtf.readthedocs.io/en/1.2.x/csrf/'\fI\%https://flask\-wtf.readthedocs.io/en/1.2.x/csrf/\fP\X'tty: link' gives some useful tips.
.sp
Armed with the csrf\-token, the UI must include that in every mutating operation.
Be careful NOT to include the csrf\-token in non\-mutating requests (such as GETs).
If your application uses GET to actually modify state \- please stop.
.sp
An example using \X'tty: link https://github.com/axios/axios'\fI\%axios\fP\X'tty: link'
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# This will fetch the csrf\-token. Note that we do a GET on the login endpoint
# which will get us the csrf\-token even though we aren\(aqt yet logged in.
# Note further the \(aqdata: null\(aq and explicit Content\-Type header \- these are
# critical, otherwise Flask\-Security will return the login form.
axios.get(\(aq/login\(aq,{data: null, headers: {\(aqContent\-Type\(aq: \(aqapplication/json\(aq}}).then(function (resp) {
  csrf_token = resp.data[\(aqresponse\(aq][\(aqcsrf_token\(aq]
})


# This will add the token header to each outgoing mutating request.
axios.interceptors.request.use(function (config) {
  if ([\(dqpost\(dq, \(dqdelete\(dq, \(dqpatch\(dq, \(dqput\(dq].includes(config[\(dqmethod\(dq])) {
    if (csrf_token !== \(aq\(aq) {
      config.headers[\(dqX\-CSRF\-Token\(dq] = csrf_token
    }
  }
  return config;
}, function (error) {
  // Do something with request error
  return Promise.reject(error);
});
.EE
.UNINDENT
.UNINDENT
.sp
Note that we use the header name \fBX\-CSRF\-Token\fP as that is one of the default
headers configured in Flask\-WTF (\fIWTF_CSRF_HEADERS\fP)
.sp
To protect your application\(aqs endpoints (that presumably are not using Flask forms),
you need to enable CSRF as described in the FlaskWTF \X'tty: link https://flask-wtf.readthedocs.io/en/1.2.x/csrf/'\fI\%documentation\fP\X'tty: link':
.INDENT 0.0
.INDENT 3.5
.sp
.EX
flask_wtf.CSRFProtect(app)
.EE
.UNINDENT
.UNINDENT
.sp
This will turn on CSRF protection on ALL endpoints, including Flask\-Security. This protection differs slightly from
the default that is part of FlaskForm in that it will first look at the request body and see if it can find a form field that contains
the csrf\-token, and if it can\(aqt, it will check if the request has a header that is listed in \fIWTF_CSRF_HEADERS\fP and use that.
Be aware that if you enable this it will ONLY work if you send the session cookie on each request.
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
It is IMPORTANT that you initialize/call \fBCSRFProtect\fP PRIOR to initializing Flask_Security.
.UNINDENT
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
Calling CSRFProtect(app) will setup a @before_request handler to verify CSRF \- this occurs BEFORE any Flask\-Security decorators
or other view/form logic. One side effect is that CSRFProtect, on error, will raise a BadRequest error which returns a small
piece of HTML by default \- your application will need to add a Flask ErrorHandler to change that. Alternatively, and recommended
is to set \fIWTF_CSRF_CHECK_DEFAULT\fP to \fIFalse\fP \- which will disable the @before_request and let Flask\-Security handle CSRF protection
including properly returning a JSON response if the caller asks for it.
.UNINDENT
.UNINDENT
.SS Using a Cookie
.sp
You can instruct Flask\-Security to send a cookie that contains the csrf token. This can be very
convenient since various javascript AJAX packages are pre\-configured to extract the contents of a cookie
and send it on every mutating request as an HTTP header. \X'tty: link https://github.com/axios/axios'\fI\%axios\fP\X'tty: link' for example has a default configuration
that it will look for a cookie named \fBXSRF\-TOKEN\fP and will send the contents of that back
in an HTTP header called \fBX\-XSRF\-Token\fP\&. This means that if you use that package you don\(aqt need to make
any changes to your UI and just need the following configuration:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# Have cookie sent
app.config[\(dqSECURITY_CSRF_COOKIE_NAME\(dq] = \(dqXSRF\-TOKEN\(dq

# Don\(aqt have csrf tokens expire (they are invalid after logout)
app.config[\(dqWTF_CSRF_TIME_LIMIT\(dq] = None

# You can\(aqt get the cookie until you are logged in.
app.config[\(dqSECURITY_CSRF_IGNORE_UNAUTH_ENDPOINTS\(dq] = True

# Enable CSRF protection
flask_wtf.CSRFProtect(app)
.EE
.UNINDENT
.UNINDENT
.sp
Angular\(aqs \X'tty: link https://angular.io/guide/http#security-xsrf-protection'\fI\%httpClient\fP\X'tty: link' also supports this.
.sp
For React based projects you are free to choose your http client (\fIfetch\fP is bundled by default). Retrieving the token is easy:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
fetch(url, {
  credentials: \(aqinclude\(aq,
  mode: \(aqcors\(aq,
  headers: {
    \(aqAccept\(aq: \(aqapplication/json\(aq,
    \(aqX\-XSRF\-TOKEN\(aq: getCookieValue(\(aqXSRF\-TOKEN\(aq)
  }
});
.EE
.UNINDENT
.UNINDENT
.sp
Sending the token on every mutating request is something that you should implement yourself. As an example an API call to an API
endpoint that does CSRF validation:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
function addUser(details) {
  return fetch(\(aqhttps://api.example.com/user\(aq, {
    mode: \(aqcors\(aq,
    method: \(aqPOST\(aq,
    credentials: \(aqinclude\(aq,
    body: JSON.stringify(details),
    headers: {
      \(aqContent\-Type\(aq: \(aqapplication/json\(aq,
      \(aqAccept\(aq: \(aqapplication/json\(aq,
      \(aqX\-XSRF\-TOKEN\(aq: getCookieValue(\(aqXSRF\-TOKEN\(aq)
    }
  }).then(response => {
    return response.json().then(data => {
      if (response.ok) {
        return data;
      } else {
        return Promise.reject({status: response.status, data});
      }
    });
  });
}
.EE
.UNINDENT
.UNINDENT
.sp
When you have axios setup correctly, this is a lot easier:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
function addUser(details) {
  return axios.post(\(aqhttps://api.example.com/user\(aq, details);
}
.EE
.UNINDENT
.UNINDENT
.SS CSRF: Enable protection for session auth, but not token auth
.sp
As mentioned above, CSRF is critical for any mutating operation where the authentication credentials are \(aqinvisibly\(aq sent \- such as a session cookie \-
from a browser. But if your endpoint a) can only be authenticated with an attached token or b) can be called either via session OR token;
it is often desirable not to force token API users to deal with CSRF. To solve this, we need to keep CSRFProtect from checking the csrf\-token early in the
request and instead defer that decision to later decorators/code. Flask\-Security\(aqs authentication decorators (\fI\%auth_required()\fP,
\fI\%auth_token_required()\fP, and \fI\%http_auth_required()\fP all support calling csrf protection based on configuration:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# Disable pre\-request CSRF
app.config[\(dqWTF_CSRF_CHECK_DEFAULT\(dq] = False

# Check csrf for session and http auth (but not token)
app.config[\(dqSECURITY_CSRF_PROTECT_MECHANISMS\(dq] = [\(dqsession\(dq, \(dqbasic\(dq]

# Enable CSRF protection
flask_wtf.CSRFProtect(app)

@app.route(\(dq/\(dq)
@auth_required(\(dqtoken\(dq, \(dqsession\(dq)
def home_page():
.EE
.UNINDENT
.UNINDENT
.sp
With this configuration, CSRF won\(aqt be required if the caller uses an authentication token, but if it uses
the session cookie it will.
.SS CSRF: Pro\-Tips
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP 1. 3
Be aware that for CSRF to work, callers MUST send the session cookie. So
for pure API (token based), and no session cookie \- there is no way to support \(aqlogin CSRF\(aq.
So your app must set \fI\%SECURITY_CSRF_IGNORE_UNAUTH_ENDPOINTS\fP
(or clients must use CSRF/session cookie for logging
in then once they have an authentication token, no further need for cookie).
.IP 2. 3
If you enable CSRFProtect(app) and you want to send request data as JSON,
then you must include the CSRF token in the header (e.g. X\-CSRF\-Token)
.IP 3. 3
You must enable CSRFProtect(app) if you want to accept the CSRF token in the request
header.
.IP 4. 3
Annotate each of your endpoints with a @auth_required decorator (and don\(aqt rely
on just a @role_required or @login_required decorator) so that Flask\-Security
gets control at the appropriate place.
.IP 5. 3
If you can\(aqt use a decorator, Flask\-Security exposes the underlying method
\fI\%flask_security.handle_csrf()\fP\&.
.IP 6. 3
Consider starting by setting \fI\%SECURITY_CSRF_IGNORE_UNAUTH_ENDPOINTS\fP to True. Your
application likely doesn\(aqt need \(aqlogin CSRF\(aq protection, and it is frustrating
to not even be able to login via API!
.IP 7. 3
If you have unauthenticated endpoints that you want to protect with CSRF then
use the \fI\%flask_security.unauth_csrf()\fP decorator.
.UNINDENT
.UNINDENT
.UNINDENT
.SH API
.INDENT 0.0
.INDENT 3.5
\fI\%OpenApi Spec\fP
.UNINDENT
.UNINDENT
.SS API
.sp
The external (json/form) API is described \fI\%here\fP
.SS Core
.INDENT 0.0
.TP
.B class flask_security.Security(app=None, datastore=None, register_blueprint=True, login_form=<class \(aqflask_security.forms.LoginForm\(aq>, verify_form=<class \(aqflask_security.forms.VerifyForm\(aq>, confirm_register_form=<class \(aqflask_security.forms.ConfirmRegisterForm\(aq>, register_form=<class \(aqflask_security.forms.RegisterForm\(aq>, forgot_password_form=<class \(aqflask_security.forms.ForgotPasswordForm\(aq>, reset_password_form=<class \(aqflask_security.forms.ResetPasswordForm\(aq>, change_password_form=<class \(aqflask_security.forms.ChangePasswordForm\(aq>, send_confirmation_form=<class \(aqflask_security.forms.SendConfirmationForm\(aq>, passwordless_login_form=<class \(aqflask_security.forms.PasswordlessLoginForm\(aq>, two_factor_verify_code_form=<class \(aqflask_security.forms.TwoFactorVerifyCodeForm\(aq>, two_factor_setup_form=<class \(aqflask_security.forms.TwoFactorSetupForm\(aq>, two_factor_rescue_form=<class \(aqflask_security.forms.TwoFactorRescueForm\(aq>, two_factor_select_form=<class \(aqflask_security.tf_plugin.TwoFactorSelectForm\(aq>, mf_recovery_codes_form=<class \(aqflask_security.recovery_codes.MfRecoveryCodesForm\(aq>, mf_recovery_form=<class \(aqflask_security.recovery_codes.MfRecoveryForm\(aq>, us_signin_form=<class \(aqflask_security.unified_signin.UnifiedSigninForm\(aq>, us_setup_form=<class \(aqflask_security.unified_signin.UnifiedSigninSetupForm\(aq>, us_setup_validate_form=<class \(aqflask_security.unified_signin.UnifiedSigninSetupValidateForm\(aq>, us_verify_form=<class \(aqflask_security.unified_signin.UnifiedVerifyForm\(aq>, wan_register_form=<class \(aqflask_security.webauthn.WebAuthnRegisterForm\(aq>, wan_register_response_form=<class \(aqflask_security.webauthn.WebAuthnRegisterResponseForm\(aq>, wan_signin_form=<class \(aqflask_security.webauthn.WebAuthnSigninForm\(aq>, wan_signin_response_form=<class \(aqflask_security.webauthn.WebAuthnSigninResponseForm\(aq>, wan_delete_form=<class \(aqflask_security.webauthn.WebAuthnDeleteForm\(aq>, wan_verify_form=<class \(aqflask_security.webauthn.WebAuthnVerifyForm\(aq>, mail_util_cls=<class \(aqflask_security.mail_util.MailUtil\(aq>, password_util_cls=<class \(aqflask_security.password_util.PasswordUtil\(aq>, phone_util_cls=<class \(aqflask_security.phone_util.PhoneUtil\(aq>, render_template=<function default_render_template>, totp_cls=<class \(aqflask_security.totp.Totp\(aq>, username_util_cls=<class \(aqflask_security.username_util.UsernameUtil\(aq>, webauthn_util_cls=<class \(aqflask_security.webauthn_util.WebauthnUtil\(aq>, mf_recovery_codes_util_cls=<class \(aqflask_security.recovery_codes.MfRecoveryCodesUtil\(aq>, oauth=None, **kwargs)
The \fI\%Security\fP class initializes the Flask\-Security extension.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBapp\fP (\X'tty: link https://flask.palletsprojects.com/en/3.0.x/api/#flask.Flask'\fI\%flask.Flask\fP\X'tty: link'\fI | \fP\fINone\fP) \-\- The application.
.IP \(bu 2
\fBdatastore\fP (\fI\%UserDatastore\fP\fI | \fP\fINone\fP) \-\- An instance of a user datastore.
.IP \(bu 2
\fBregister_blueprint\fP (\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link') \-\- to register the Security blueprint or not.
.IP \(bu 2
\fBlogin_form\fP (\fIt.Type\fP\fI[\fP\fI\%LoginForm\fP\fI]\fP) \-\- set form for the login view
.IP \(bu 2
\fBverify_form\fP (\fIt.Type\fP\fI[\fP\fI\%VerifyForm\fP\fI]\fP) \-\- set form for re\-authentication due to freshness check
.IP \(bu 2
\fBregister_form\fP (\fIt.Type\fP\fI[\fP\fI\%RegisterForm\fP\fI]\fP) \-\- set form for the register view when
\fISECURITY_CONFIRMABLE\fP is false
.IP \(bu 2
\fBconfirm_register_form\fP (\fIt.Type\fP\fI[\fP\fI\%ConfirmRegisterForm\fP\fI]\fP) \-\- set form for the register view when
\fISECURITY_CONFIRMABLE\fP is true
.IP \(bu 2
\fBforgot_password_form\fP (\fIt.Type\fP\fI[\fP\fI\%ForgotPasswordForm\fP\fI]\fP) \-\- set form for the forgot password view
.IP \(bu 2
\fBreset_password_form\fP (\fIt.Type\fP\fI[\fP\fI\%ResetPasswordForm\fP\fI]\fP) \-\- set form for the reset password view
.IP \(bu 2
\fBchange_password_form\fP (\fIt.Type\fP\fI[\fP\fI\%ChangePasswordForm\fP\fI]\fP) \-\- set form for the change password view
.IP \(bu 2
\fBsend_confirmation_form\fP (\fIt.Type\fP\fI[\fP\fI\%SendConfirmationForm\fP\fI]\fP) \-\- set form for the send confirmation view
.IP \(bu 2
\fBpasswordless_login_form\fP (\fIt.Type\fP\fI[\fP\fI\%PasswordlessLoginForm\fP\fI]\fP) \-\- set form for the passwordless login view
.IP \(bu 2
\fBtwo_factor_setup_form\fP (\fIt.Type\fP\fI[\fP\fI\%TwoFactorSetupForm\fP\fI]\fP) \-\- set form for the 2FA setup view
.IP \(bu 2
\fBtwo_factor_verify_code_form\fP (\fIt.Type\fP\fI[\fP\fI\%TwoFactorVerifyCodeForm\fP\fI]\fP) \-\- set form the the 2FA verify code view
.IP \(bu 2
\fBtwo_factor_rescue_form\fP (\fIt.Type\fP\fI[\fP\fI\%TwoFactorRescueForm\fP\fI]\fP) \-\- set form for the 2FA rescue view
.IP \(bu 2
\fBtwo_factor_select_form\fP (\fIt.Type\fP\fI[\fP\fI\%TwoFactorSelectForm\fP\fI]\fP) \-\- set form for selecting between active 2FA methods
.IP \(bu 2
\fBmf_recovery_codes_form\fP (\fIt.Type\fP\fI[\fP\fI\%MfRecoveryCodesForm\fP\fI]\fP) \-\- set form for retrieving and setting recovery codes
.IP \(bu 2
\fBmf_recovery_form\fP (\fIt.Type\fP\fI[\fP\fI\%MfRecoveryForm\fP\fI]\fP) \-\- set form for multi factor recovery
.IP \(bu 2
\fBus_signin_form\fP (\fIt.Type\fP\fI[\fP\fI\%UnifiedSigninForm\fP\fI]\fP) \-\- set form for the unified sign in view
.IP \(bu 2
\fBus_setup_form\fP (\fIt.Type\fP\fI[\fP\fI\%UnifiedSigninSetupForm\fP\fI]\fP) \-\- set form for the unified sign in setup view
.IP \(bu 2
\fBus_setup_validate_form\fP (\fIt.Type\fP\fI[\fP\fI\%UnifiedSigninSetupValidateForm\fP\fI]\fP) \-\- set form for the unified sign in setup validate view
.IP \(bu 2
\fBus_verify_form\fP (\fIt.Type\fP\fI[\fP\fI\%UnifiedVerifyForm\fP\fI]\fP) \-\- set form for re\-authenticating due to freshness check
.IP \(bu 2
\fBwan_register_form\fP (\fIt.Type\fP\fI[\fP\fI\%WebAuthnRegisterForm\fP\fI]\fP) \-\- set form for registering a webauthn security key
.IP \(bu 2
\fBwan_register_response_form\fP (\fIt.Type\fP\fI[\fP\fI\%WebAuthnRegisterResponseForm\fP\fI]\fP) \-\- set form for registering a webauthn security key
.IP \(bu 2
\fBwan_signin_form\fP (\fIt.Type\fP\fI[\fP\fI\%WebAuthnSigninForm\fP\fI]\fP) \-\- set form for authenticating with a webauthn security key
.IP \(bu 2
\fBwan_signin_response_form\fP (\fIt.Type\fP\fI[\fP\fI\%WebAuthnSigninResponseForm\fP\fI]\fP) \-\- set form for authenticating with a webauthn
.IP \(bu 2
\fBwan_delete_form\fP (\fIt.Type\fP\fI[\fP\fI\%WebAuthnDeleteForm\fP\fI]\fP) \-\- set form for deleting a webauthn security key
.IP \(bu 2
\fBwan_verify_form\fP (\fIt.Type\fP\fI[\fP\fI\%WebAuthnVerifyForm\fP\fI]\fP) \-\- set form for using a webauthn key to verify authenticity
.IP \(bu 2
\fBmail_util_cls\fP (\fIt.Type\fP\fI[\fP\fI\%MailUtil\fP\fI]\fP) \-\- Class to use for sending emails. Defaults to \fI\%MailUtil\fP
.IP \(bu 2
\fBpassword_util_cls\fP (\fIt.Type\fP\fI[\fP\fI\%PasswordUtil\fP\fI]\fP) \-\- Class to use for password normalization/validation.
Defaults to \fI\%PasswordUtil\fP
.IP \(bu 2
\fBphone_util_cls\fP (\fIt.Type\fP\fI[\fP\fI\%PhoneUtil\fP\fI]\fP) \-\- Class to use for phone number utilities.
Defaults to \fI\%PhoneUtil\fP
.IP \(bu 2
\fBrender_template\fP (\fIt.Callable\fP\fI[\fP\fI\&...\fP\fI, \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI]\fP) \-\- function to use to render templates. The default is Flask\(aqs
render_template() function.
.IP \(bu 2
\fBtotp_cls\fP (\fIt.Type\fP\fI[\fP\fI\%Totp\fP\fI]\fP) \-\- Class to use as TOTP factory. Defaults to \fI\%Totp\fP
.IP \(bu 2
\fBusername_util_cls\fP (\fIt.Type\fP\fI[\fP\fI\%UsernameUtil\fP\fI]\fP) \-\- Class to use for normalizing and validating usernames.
Defaults to \fI\%UsernameUtil\fP
.IP \(bu 2
\fBwebauthn_util_cls\fP (\fIt.Type\fP\fI[\fP\fI\%WebauthnUtil\fP\fI]\fP) \-\- Class to use for customizing WebAuthn registration
and signin. Defaults to \fI\%WebauthnUtil\fP
.IP \(bu 2
\fBmf_recovery_codes_util_cls\fP (\fIt.Type\fP\fI[\fP\fI\%MfRecoveryCodesUtil\fP\fI]\fP) \-\- Class for generating, checking, encrypting
and decrypting recovery codes. Defaults to \fI\%MfRecoveryCodesUtil\fP
.IP \(bu 2
\fBoauth\fP (\fIOAuth\fP\fI | \fP\fINone\fP) \-\- An instance of authlib.integrations.flask_client.OAuth. If not set,
Flask\-Security will create one.
.IP \(bu 2
\fBkwargs\fP (\fIt.Any\fP)
.UNINDENT
.UNINDENT
.sp
\fBTIP:\fP
.INDENT 7.0
.INDENT 3.5
Be sure that all your configuration values have been set PRIOR to
instantiating this class. Some configuration values are set as attributes
on the instance and therefore won\(aqt track any changes.
.UNINDENT
.UNINDENT
.sp
Added in version 3.4.0: \fBverify_form\fP added as part of freshness/re\-authentication

.sp
Added in version 3.4.0: \fBus_signin_form\fP, \fBus_setup_form\fP, \fBus_setup_validate_form\fP, and
\fBus_verify_form\fP added as part of the \fI\%Unified Sign In\fP feature.

.sp
Added in version 3.4.0: \fBtotp_cls\fP added to enable applications to implement replay protection \- see
\fI\%Totp\fP\&.

.sp
Added in version 3.4.0: \fBphone_util_cls\fP added to allow different phone number
 parsing implementations \- see \fI\%PhoneUtil\fP

.sp
Added in version 4.0.0: \fBmail_util_cls\fP added to isolate mailing handling.
\fBpassword_util_cls\fP added to encapsulate password validation/normalization.

.sp
Added in version 4.1.0: \fBusername_util_cls\fP added to encapsulate username handling.

.sp
Added in version 5.0.0: \fBwan_register_form\fP, \fBwan_register_response_form\fP,
 \fBwebauthn_signin_form\fP, \fBwan_signin_response_form\fP,
 \fBwebauthn_delete_form\fP, \fBwebauthn_verify_form\fP, \fBtf_select_form\fP\&.

.sp
Added in version 5.0.0: \fBWebauthnUtil\fP class.

.sp
Added in version 5.0.0: Added support for multi\-factor recovery codes \fBmf_recovery_codes_form\fP,
\fBmf_recovery_form\fP\&.

.sp
Added in version 5.1.0: \fBmf_recovery_codes_util_cls\fP, \fBoauth\fP

.sp
Deprecated since version 4.0.0: \fBsend_mail\fP and \fBsend_mail_task\fP\&. Replaced with \fBmail_util_cls\fP\&.
\fBtwo_factor_verify_password_form\fP removed.
\fBpassword_validator\fP removed in favor of the new \fBpassword_util_cls\fP\&.

.sp
Deprecated since version 5.0.0: Passing in a LoginManager instance. Removed in 5.1.0

.sp
Deprecated since version 5.0.0: json_encoder_cls is no longer honored since Flask 2.2 has deprecated it.

.sp
Deprecated since version 5.3.1: Passing in an anonymous_user class. Removed in 5.4.0

.INDENT 7.0
.TP
.B init_app(app, datastore=None, register_blueprint=None, **kwargs)
Initializes the Flask\-Security extension for the specified
application and datastore implementation.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBapp\fP (\X'tty: link https://flask.palletsprojects.com/en/3.0.x/api/#flask.Flask'\fI\%flask.Flask\fP\X'tty: link') \-\- The application.
.IP \(bu 2
\fBdatastore\fP (\fI\%UserDatastore\fP\fI | \fP\fINone\fP) \-\- An instance of a user datastore.
.IP \(bu 2
\fBregister_blueprint\fP (\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'\fI | \fP\fINone\fP) \-\- to register the Security blueprint or not.
.IP \(bu 2
\fBkwargs\fP (\fIt.Any\fP) \-\- Can be used to override/initialize any of the form names,
flags, and utility classes.
All other kwargs are ignored.
.UNINDENT
.TP
.B Return type
None
.UNINDENT
.sp
If you create the Security instance with both an \(aqapp\(aq and \(aqdatastore\(aq
you shouldn\(aqt call this \- it will be called as part of the constructor.
.UNINDENT
.INDENT 7.0
.TP
.B reauthn_handler(cb)
Callback when endpoint required a fresh authentication.
This is called by \fI\%auth_required()\fP\&.
.INDENT 7.0
.TP
.B Parameters
\fBcb\fP (\fIt.Callable\fP\fI[\fP\fI[\fP\fItimedelta\fP\fI, \fP\fItimedelta\fP\fI]\fP\fI, \fP\fIResponseValue\fP\fI]\fP) \-\- 
.sp
Callback function with signature (within, grace)
.INDENT 7.0
.TP
.B within
timedelta that endpoint required fresh authentication within.
.TP
.B grace
timedelta of grace period that endpoint allowed.
.UNINDENT

.TP
.B Return type
None
.UNINDENT
.sp
Should return a Response or something Flask can create a Response from.
Can raise an exception if it is handled as part of
\fBflask.errorhandler(<exception>)\fP
.sp
The default implementation will return a 401 response if the request was JSON,
otherwise will redirect to \fI\%SECURITY_US_VERIFY_URL\fP
(if \fI\%SECURITY_UNIFIED_SIGNIN\fP is enabled)
else to \fI\%SECURITY_VERIFY_URL\fP\&.
If both of those are None it sends an \fBabort(401)\fP\&.
.sp
See \fI\%flask_security.auth_required()\fP for details about freshness checking.
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 7.0
.TP
.B render_json(cb)
Callback to render response payload as JSON.
.INDENT 7.0
.TP
.B Parameters
\fBcb\fP (\fIt.Callable\fP\fI[\fP\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI, \fP\fIt.Any\fP\fI]\fP\fI, \fP\X'tty: link https://docs.python.org/3/library/functions.html#int'\fI\%int\fP\X'tty: link'\fI, \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI, \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI] \fP\fI| \fP\fINone\fP\fI, \fP\fI\%User\fP\fI | \fP\fINone\fP\fI]\fP\fI, \fP\fIResponseValue\fP\fI]\fP) \-\- 
.sp
Callback function with
signature (payload, code, headers=None, user=None)
.INDENT 7.0
.INDENT 3.5
.INDENT 0.0
.TP
.B payload
A dict. Please see the formal API spec for details.
.TP
.B code
Http status code
.TP
.B headers
Headers object
.TP
.B user
the UserDatastore object (or None). Note that this is usually
the same as current_user \- but not always.
.UNINDENT
.UNINDENT
.UNINDENT

.TP
.B Return type
None
.UNINDENT
.sp
The default implementation simply returns:
.INDENT 7.0
.INDENT 3.5
.sp
.EX
headers[\(dqContent\-Type\(dq] = \(dqapplication/json\(dq
payload = dict(meta=dict(code=code), response=payload)
return make_response(jsonify(payload), code, headers)
.EE
.UNINDENT
.UNINDENT
.sp
\fBIMPORTANT:\fP
.INDENT 7.0
.INDENT 3.5
Note that this has nothing to do with how the response is serialized.
That is controlled by Flask and starting with Flask 2.2 that is managed
by sub\-classing Flask::JSONProvider. Flask\-Security does this to add
serializing lazy\-strings.
.UNINDENT
.UNINDENT
.sp
This can be used by applications to unify all their JSON API responses.
This is called in a request context and should return a Response or something
Flask can create a Response from.
.sp
Added in version 3.3.0.

.UNINDENT
.INDENT 7.0
.TP
.B set_form_info(name, form_info)
Set form instantiation info.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBname\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- Name of form.
.IP \(bu 2
\fBform_info\fP (\fI\%FormInfo\fP) \-\- see \fI\%FormInfo\fP
.UNINDENT
.TP
.B Return type
None
.UNINDENT
.INDENT 7.0
.INDENT 3.5
.IP "Advanced"
.sp
Forms (which are all FlaskForms) are instantiated at the start of each
request. Normally this is done as part of a view by simply calling the
form class constructor \- Flask\-WTForms handles filling it in from
various request attributes.
.sp
The form classes themselves can be extended (e.g. to add or change fields)
and the derived class can be set at \fISecurity\fP constructor time,
\fIinit_app\fP time, or using this method.
.sp
This default implementation is suitable for most applications.
.sp
Some application might want to control the instantiation of forms, for
example to be able to inject additional validation services.
Using this method, a callable \fIinstantiator\fP can be set that Flask\-Security
will call to return a properly instantiated form.
.sp
\fBDANGER:\fP
.INDENT 0.0
.INDENT 3.5
Do not perform any validation as part of instantiation \- many views have
a bunch of logic PRIOR to calling the form validator.
.sp
Added in version 5.1.0.

.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B unauthn_handler(cb)
Callback for failed authentication.
This is called by \fI\%auth_required()\fP, \fI\%auth_token_required()\fP
or \fI\%http_auth_required()\fP if authentication fails.
It is also called from Flask\-Login\(aqs @login_required decorator.
.INDENT 7.0
.TP
.B Parameters
\fBcb\fP (\fIt.Callable\fP\fI[\fP\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#list'\fI\%list\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI]\fP\fI, \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI, \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI] \fP\fI| \fP\fINone\fP\fI]\fP\fI, \fP\fIResponseValue\fP\fI]\fP) \-\- 
.sp
Callback function with signature (mechanisms=None, headers=None)
.INDENT 7.0
.TP
.B mechanisms
List of which authentication mechanisms were tried
.TP
.B headers
dict of headers to return
.UNINDENT

.TP
.B Return type
None
.UNINDENT
.sp
Should return a Response or something Flask can create a Response from.
Can raise an exception if it is handled as part of
\fBflask.errorhandler(<exception>)\fP
.sp
The default implementation will return a 401 response if the request was JSON,
otherwise will redirect to the \fIlogin\fP view.
.sp
Added in version 3.3.0.

.sp
Changed in version 5.4.0: No longer calls Flask\-Login and has complete logic built\-in.

.UNINDENT
.INDENT 7.0
.TP
.B unauthz_handler(cb)
Callback for failed authorization.
This is called by the \fI\%roles_required()\fP, \fI\%roles_accepted()\fP,
\fI\%permissions_required()\fP, or \fI\%permissions_accepted()\fP
if a role or permission is missing.
.INDENT 7.0
.TP
.B Parameters
\fBcb\fP (\fIt.Callable\fP\fI[\fP\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI, \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#list'\fI\%list\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI] \fP\fI| \fP\fINone\fP\fI]\fP\fI, \fP\fIResponseValue\fP\fI]\fP) \-\- 
.sp
Callback function with signature (func, params)
.INDENT 7.0
.TP
.B func_name
the decorator function name (e.g. \(aqroles_required\(aq)
.TP
.B params
list of what (if any) was passed to the decorator.
.UNINDENT

.TP
.B Return type
None
.UNINDENT
.sp
Should return a Response or something Flask can create a Response from.
Can raise an exception if it is handled as part of
flask.errorhandler(<exception>)
.sp
With the passed parameters the application could deliver a concise error
message.
.sp
Added in version 3.3.0.

.sp
Changed in version 5.1.0: Pass in the function name, not the function!

.UNINDENT
.INDENT 7.0
.TP
.B want_json(fn)
Function that returns True if response should be JSON (based on the request)
.INDENT 7.0
.TP
.B Parameters
\fBfn\fP (\fIt.Callable\fP\fI[\fP\fI[\fP\X'tty: link https://flask.palletsprojects.com/en/3.0.x/api/#flask.Request'\fI\%flask.Request\fP\X'tty: link'\fI]\fP\fI, \fP\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'\fI]\fP) \-\- 
.sp
Function with the following signature (request)
.INDENT 7.0
.TP
.B request
Werkzueg/Flask request
.UNINDENT

.TP
.B Return type
None
.UNINDENT
.sp
The default implementation returns True if either the Content\-Type is
\(dqapplication/json\(dq or the best Accept header value is \(dqapplication/json\(dq.
.sp
Added in version 3.3.0.

.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.current_user
A proxy for the current user.
.UNINDENT
.SS Protecting Views
.sp
All Flask\-Security decorators are compatible with Flask\(aqs async implementation.
This is accomplished by wrapping function calls with flask.ensure_async().
Please see \X'tty: link https://flask.palletsprojects.com/en/3.0.x/async-await/#using-async-and-await'\fI\%Flask async\fP\X'tty: link'\&.
.INDENT 0.0
.TP
.B flask_security.anonymous_user_required(f)
Decorator which requires that caller NOT be logged in.
If a logged in user accesses an endpoint protected with this decorator
they will be redirected to the \fI\%SECURITY_POST_LOGIN_VIEW\fP\&.
If the caller requests a JSON response, a 400 will be returned.
.sp
Changed in version 3.3.0: Support for JSON response was added.

.INDENT 7.0
.TP
.B Parameters
\fBf\fP (\X'tty: link https://docs.python.org/3/library/typing.html#typing.Callable'\fI\%Callable\fP\X'tty: link'\fI[\fP\fI[\fP\fI\&...\fP\fI]\fP\fI, \fP\X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link'\fI]\fP)
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/typing.html#typing.Callable'\fI\%Callable\fP\X'tty: link'[[\&...], \X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link']
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.http_auth_required(realm)
Decorator that protects endpoints using Basic HTTP authentication.
.INDENT 7.0
.TP
.B Parameters
\fBrealm\fP (\X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link') \-\- optional realm name
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/typing.html#typing.Callable'\fI\%Callable\fP\X'tty: link'[[\&...], \X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link']
.UNINDENT
.sp
If authentication fails, then a 401 with the \(aqWWW\-Authenticate\(aq header set will be
returned.
.sp
Once authenticated, if so configured, CSRF protection will be tested.
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.auth_token_required(fn)
Decorator that protects endpoints using token authentication. The token
should be added to the request by the client by using a query string
variable with a name equal to the configuration value of
\fI\%SECURITY_TOKEN_AUTHENTICATION_KEY\fP or in a request header named that of
the configuration value of \fI\%SECURITY_TOKEN_AUTHENTICATION_HEADER\fP
.sp
Once authenticated, if so configured, CSRF protection will be tested.
.INDENT 7.0
.TP
.B Parameters
\fBfn\fP (\X'tty: link https://docs.python.org/3/library/typing.html#typing.Callable'\fI\%Callable\fP\X'tty: link'\fI[\fP\fI[\fP\fI\&...\fP\fI]\fP\fI, \fP\X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link'\fI]\fP)
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/typing.html#typing.Callable'\fI\%Callable\fP\X'tty: link'[[\&...], \X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link']
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.auth_required(*auth_methods, within=\-1, grace=None)
Decorator that protects endpoints through multiple mechanisms.
Example:
.INDENT 7.0
.INDENT 3.5
.sp
.EX
@app.route(\(aq/dashboard\(aq)
@auth_required(\(aqtoken\(aq, \(aqsession\(aq)
def dashboard():
    return \(aqDashboard\(aq
.EE
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBauth_methods\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/typing.html#typing.Callable'\fI\%Callable\fP\X'tty: link'\fI[\fP\fI[\fP\fI]\fP\fI, \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#list'\fI\%list\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI]\fP\fI] \fP\fI| \fP\fINone\fP) \-\- Specified mechanisms (token, basic, session). If not specified
then all current available mechanisms (except \(dqbasic\(dq) will be tried. A callable
can also be passed (useful if you need app/request context). The callable
must return a list.
.IP \(bu 2
\fBwithin\fP (\X'tty: link https://docs.python.org/3/library/functions.html#int'\fI\%int\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/functions.html#float'\fI\%float\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/typing.html#typing.Callable'\fI\%Callable\fP\X'tty: link'\fI[\fP\fI[\fP\fI]\fP\fI, \fP\X'tty: link https://docs.python.org/3/library/datetime.html#datetime.timedelta'\fI\%timedelta\fP\X'tty: link'\fI]\fP) \-\- 
.sp
Add \(aqfreshness\(aq check to authentication. Is either an int
specifying # of minutes, or a callable that returns a timedelta. For timedeltas,
timedelta.total_seconds() is used for the calculations:
.INDENT 2.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
If > 0, then the caller must have authenticated within the time specified
(as measured using the session cookie).
.IP \(bu 2
If 0 and not within the grace period (see below) the caller will
always be redirected to re\-authenticate.
.IP \(bu 2
If < 0 (the default) no freshness check is performed.
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Note that Basic Auth, by definition, is always \(aqfresh\(aq and will never result in
a redirect/error.

.IP \(bu 2
\fBgrace\fP (\X'tty: link https://docs.python.org/3/library/functions.html#int'\fI\%int\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/functions.html#float'\fI\%float\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/typing.html#typing.Callable'\fI\%Callable\fP\X'tty: link'\fI[\fP\fI[\fP\fI]\fP\fI, \fP\X'tty: link https://docs.python.org/3/library/datetime.html#datetime.timedelta'\fI\%timedelta\fP\X'tty: link'\fI] \fP\fI| \fP\fINone\fP) \-\- Add a grace period for freshness checks. As above, either an int
or a callable returning a timedelta. If not specified then
\fI\%SECURITY_FRESHNESS_GRACE_PERIOD\fP is used. The grace period allows
callers to complete the required operations w/o being prompted again.
See \fI\%flask_security.check_and_update_authn_fresh()\fP for details.
.UNINDENT
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/typing.html#typing.Callable'\fI\%Callable\fP\X'tty: link'[[\&...], \X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link']
.UNINDENT
.sp
Note that regardless of order specified \- they will be tried in the following
order: token, session, basic.
.sp
The first mechanism that succeeds is used, following that, depending on
configuration, CSRF protection will be tested.
.sp
On authentication failure \fI\%Security.unauthn_handler()\fP will be called.
.INDENT 7.0
.TP
.B As a side effect, upon successful authentication, the request global
\fBfs_authn_via\fP will be set to the method (\(dqbasic\(dq, \(dqtoken\(dq, \(dqsession\(dq)
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
If \(dqbasic\(dq is specified in addition to other methods, then if authentication
fails, a 401 with the \(dqWWW\-Authenticate\(dq header will be returned \- rather than
being redirected to the login view.
.UNINDENT
.UNINDENT
.sp
Changed in version 3.3.0: If \fBauth_methods\fP isn\(aqt specified, then all will be tried. Authentication
mechanisms will always be tried in order of \fBtoken\fP, \fBsession\fP, \fBbasic\fP
regardless of how they are specified in the \fBauth_methods\fP parameter.

.sp
Changed in version 3.4.0: Added \fBwithin\fP and \fBgrace\fP parameters to enforce a freshness check.

.sp
Changed in version 3.4.4: If \fBauth_methods\fP isn\(aqt specified try all mechanisms EXCEPT \fBbasic\fP\&.

.sp
Changed in version 4.0.0: auth_methods can be passed as a callable.

.UNINDENT
.INDENT 0.0
.TP
.B flask_security.roles_required(*roles)
Decorator which specifies that a user must have all the specified roles.
Example:
.INDENT 7.0
.INDENT 3.5
.sp
.EX
@app.route(\(aq/dashboard\(aq)
@roles_required(\(aqadmin\(aq, \(aqeditor\(aq)
def dashboard():
    return \(aqDashboard\(aq
.EE
.UNINDENT
.UNINDENT
.sp
The current user must have both the \fIadmin\fP role and \fIeditor\fP role in order
to view the page.
.INDENT 7.0
.TP
.B Parameters
\fBroles\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- The required roles.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/typing.html#typing.Callable'\fI\%Callable\fP\X'tty: link'[[\&...], \X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link']
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.roles_accepted(*roles)
Decorator which specifies that a user must have at least one of the
specified roles. Example:
.INDENT 7.0
.INDENT 3.5
.sp
.EX
@app.route(\(aq/create_post\(aq)
@roles_accepted(\(aqeditor\(aq, \(aqauthor\(aq)
def create_post():
    return \(aqCreate Post\(aq
.EE
.UNINDENT
.UNINDENT
.sp
The current user must have either the \fIeditor\fP role or \fIauthor\fP role in
order to view the page.
.INDENT 7.0
.TP
.B Parameters
\fBroles\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- The possible roles.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/typing.html#typing.Callable'\fI\%Callable\fP\X'tty: link'[[\&...], \X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link']
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.permissions_required(*fsperms)
Decorator which specifies that a user must have all the specified permissions.
Example:
.INDENT 7.0
.INDENT 3.5
.sp
.EX
@app.route(\(aq/dashboard\(aq)
@permissions_required(\(aqadmin\-write\(aq, \(aqeditor\-write\(aq)
def dashboard():
    return \(aqDashboard\(aq
.EE
.UNINDENT
.UNINDENT
.sp
The current user must have BOTH permissions (via the roles it has)
to view the page.
.sp
N.B. Don\(aqt confuse these permissions with flask\-principle Permission()!
.INDENT 7.0
.TP
.B Parameters
\fBfsperms\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- The required permissions.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/typing.html#typing.Callable'\fI\%Callable\fP\X'tty: link'[[\&...], \X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link']
.UNINDENT
.sp
Added in version 3.3.0.

.UNINDENT
.INDENT 0.0
.TP
.B flask_security.permissions_accepted(*fsperms)
Decorator which specifies that a user must have at least one of the
specified permissions. Example:
.INDENT 7.0
.INDENT 3.5
.sp
.EX
@app.route(\(aq/create_post\(aq)
@permissions_accepted(\(aqeditor\-write\(aq, \(aqauthor\-wrote\(aq)
def create_post():
    return \(aqCreate Post\(aq
.EE
.UNINDENT
.UNINDENT
.sp
The current user must have one of the permissions (via the roles it has)
to view the page.
.sp
N.B. Don\(aqt confuse these permissions with flask\-principle Permission()!
.INDENT 7.0
.TP
.B Parameters
\fBfsperms\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- The possible permissions.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/typing.html#typing.Callable'\fI\%Callable\fP\X'tty: link'[[\&...], \X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link']
.UNINDENT
.sp
Added in version 3.3.0.

.UNINDENT
.INDENT 0.0
.TP
.B flask_security.unauth_csrf(fall_through=False)
Decorator for endpoints that don\(aqt need authentication
but do want CSRF checks (available via Header rather than just form).
This is required when setting \fIWTF_CSRF_CHECK_DEFAULT\fP = \fBFalse\fP since in that
case, without this decorator, the form validation will attempt to do the CSRF
check, and that will fail since the csrf\-token is in the header (for pure JSON
requests).
.sp
This decorator does nothing unless Flask\-WTF::CSRFProtect has been initialized.
.sp
This decorator does nothing if \fIWTF_CSRF_ENABLED\fP == \fBFalse\fP\&.
.sp
This decorator does nothing if the caller is authenticated.
.sp
This decorator will suppress CSRF if caller isn\(aqt authenticated and has set the
\fI\%SECURITY_CSRF_IGNORE_UNAUTH_ENDPOINTS\fP config variable to \fBTrue\fP\&.
.sp
Added in version 3.3.0.

.sp
Changed in version 5.4.3: The fall_through parameter is now ignored.
Add code to properly handle JSON errors.

.INDENT 7.0
.TP
.B Parameters
\fBfall_through\fP (\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link')
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/typing.html#typing.Callable'\fI\%Callable\fP\X'tty: link'[[\&...], \X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link']
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.handle_csrf(method, json_response=False)
Invoke CSRF protection based on authentication method.
.sp
Usually this is called as part of a decorator, but if that isn\(aqt
appropriate, endpoint code can call this directly.
.sp
If CSRF protection is appropriate, this will call flask_wtf::protect() which
will raise a CSRFError(BadRequest) on CSRF failure.
.sp
This routine does nothing if any of these are true:
.INDENT 7.0
.INDENT 3.5
.INDENT 0.0
.IP 1. 3
\fIWTF_CSRF_ENABLED\fP is set to False
.IP 2. 3
the Flask\-WTF CSRF module hasn\(aqt been initialized
.IP 3. 3
csrfProtect already checked and accepted the token
.UNINDENT
.UNINDENT
.UNINDENT
.sp
This means in the default config \- CSRF is done as part of form validation
not here. Only if the application calls CSRFProtect(app) will this method
do anything. Furthermore \- since this is called PRIOR to form instantiation
if the request is JSON \- it MUST send the csrf_token as a header.
.sp
If the passed in method is not in
\fI\%SECURITY_CSRF_PROTECT_MECHANISMS\fP then in addition to
no CSRF code being run, the flask_wtf request global \(aqcsrf_valid\(aq will be set
so that downstream code knows to ignore any CSRF checks.
.sp
Returns None if all ok, returns a Response with JSON error if request
wanted JSON \- else re\-raises the CSRFError exception.
.sp
Added in version 3.3.0.

.sp
Changed in version 5.4.3: Use flask_wtf request global \(aqcsrf_valid\(aq instead of our own to handle
application forms that aren\(aqt derived from our forms.

.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBmethod\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.IP \(bu 2
\fBjson_response\fP (\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link')
.UNINDENT
.TP
.B Return type
ResponseValue | None
.UNINDENT
.UNINDENT
.SS User Object Helpers
.INDENT 0.0
.TP
.B class flask_security.UserMixin
Mixin for \fIUser\fP model definitions
.INDENT 7.0
.TP
.B augment_auth_token(tdata)
Override this to add/modify parts of the auth token.
Additions to the dict can be made and verified in verify_auth_token()
.sp
Added in version 5.4.0.

.INDENT 7.0
.TP
.B Parameters
\fBtdata\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI, \fP\X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link'\fI]\fP)
.TP
.B Return type
None
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B calc_username()
Come up with the best \(aqusername\(aq based on how the app
is configured (via \fI\%SECURITY_USER_IDENTITY_ATTRIBUTES\fP).
Returns the first non\-null match (and converts to string).
In theory this should NEVER be the empty string unless the user
record isn\(aqt actually valid.
.sp
Added in version 3.4.0.

.INDENT 7.0
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B get_auth_token()
Constructs the user\(aqs authentication token.
.INDENT 7.0
.TP
.B Raises
\X'tty: link https://docs.python.org/3/library/exceptions.html#ValueError'\fI\%ValueError\fP\X'tty: link' \-\- If \fBfs_token_uniquifier\fP is part of model but not set.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link' | \X'tty: link https://docs.python.org/3/library/stdtypes.html#bytes'\fI\%bytes\fP\X'tty: link'
.UNINDENT
.sp
Optionally use a separate uniquifier so that changing password doesn\(aqt
invalidate auth tokens.
.sp
The returned value is securely signed using the \fBremember_token_serializer\fP
.sp
Changed in version 4.0.0: If user model has \fBfs_token_uniquifier\fP \- use that (raise ValueError
if not set). Otherwise, fallback to using \fBfs_uniquifier\fP\&.

.sp
Changed in version 5.4.0: New format \- a dict with a version string. Add a token\-based expiry
option as well as a session id.

.UNINDENT
.INDENT 7.0
.TP
.B get_id()
Returns the user identification attribute. \(aqAlternative\-token\(aq for
Flask\-Login. This is always \fBfs_uniquifier\fP\&.
.sp
Added in version 3.4.0.

.INDENT 7.0
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B get_redirect_qparams(existing=None)
Return user info that will be added to redirect query params.
.INDENT 7.0
.TP
.B Parameters
\fBexisting\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI, \fP\X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link'\fI] \fP\fI| \fP\fINone\fP) \-\- A dict that will be updated.
.TP
.B Returns
A dict whose keys will be query params and values will be query values.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'[\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link', \X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link']
.UNINDENT
.sp
The returned dict will always have an \(aqidentity\(aq key/value.
If the User Model contains \(aqemail\(aq, an \(aqemail\(aq key/value will be added.
All keys provided in \(aqexisting\(aq will also be merged in.
.sp
Added in version 3.2.0.

.sp
Changed in version 4.0.0: Add \(aqidentity\(aq using UserMixin.calc_username() \- email is optional.

.UNINDENT
.INDENT 7.0
.TP
.B get_security_payload()
Serialize user object as response payload.
Override this to return any/all of the user object in JSON responses.
Return a dict.
.INDENT 7.0
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'[\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link', \X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link']
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B has_permission(permission)
Returns \fITrue\fP if user has this permission (via a role it has).
.INDENT 7.0
.TP
.B Parameters
\fBpermission\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- permission string name
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'
.UNINDENT
.sp
Added in version 3.3.0.

.UNINDENT
.INDENT 7.0
.TP
.B has_role(role)
Returns \fITrue\fP if the user identifies with the specified role.
.INDENT 7.0
.TP
.B Parameters
\fBrole\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\fI\%Role\fP) \-\- A role name or \fIRole\fP instance
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B property is_active: \X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'
Returns \fITrue\fP if the user is active.
.UNINDENT
.INDENT 7.0
.TP
.B tf_send_security_token(method, **kwargs)
Generate and send the security code for two\-factor.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBmethod\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- The method in which the code will be sent
.IP \(bu 2
\fBkwargs\fP (\X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link') \-\- Opaque parameters that are subject to change at any time
.UNINDENT
.TP
.B Returns
None if successful, error message if not.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link' | None
.UNINDENT
.sp
This is a wrapper around \fI\%tf_send_security_token()\fP
that can be overridden to manage any errors.
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 7.0
.TP
.B us_send_security_token(method, **kwargs)
Generate and send the security code for unified sign in.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBmethod\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- The method in which the code will be sent
.IP \(bu 2
\fBkwargs\fP (\X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link') \-\- Opaque parameters that are subject to change at any time
.UNINDENT
.TP
.B Returns
None if successful, error message if not.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link' | None
.UNINDENT
.sp
This is a wrapper around \fI\%us_send_security_token()\fP
that can be overridden to manage any errors.
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 7.0
.TP
.B verify_and_update_password(password)
Returns \fBTrue\fP if the password is valid for the specified user.
.sp
Additionally, the hashed password in the database is updated if the
hashing algorithm happens to have changed.
.sp
N.B. you MUST call DB commit if you are using a session\-based datastore
(such as SqlAlchemy) since the user instance might have been altered
(i.e. \fBapp.security.datastore.commit()\fP).
This is usually handled in the view.
.INDENT 7.0
.TP
.B Parameters
\fBpassword\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- A plaintext password to verify
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'
.UNINDENT
.sp
Added in version 3.2.0.

.UNINDENT
.INDENT 7.0
.TP
.B verify_auth_token(tdata)
Override this to perform additional verification of contents of auth token.
Prior to this being called the token has been validated (via signing)
and has not expired (either with MAX_AGE or specific \(aqexp\(aq value).
.INDENT 7.0
.TP
.B Parameters
\fBtdata\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI, \fP\X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link'\fI]\fP) \-\- a dictionary just as in augment_auth_token()
.TP
.B Returns
True if auth token represented by tdata is valid, False otherwise.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'
.UNINDENT
.sp
Added in version 3.3.0.

.sp
Changed in version 5.4.0: Now receives a dictionary.

.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.RoleMixin
Mixin for \fIRole\fP model definitions
.INDENT 7.0
.TP
.B get_permissions()
Return set of permissions associated with role.
.sp
Added in version 3.3.0.

.INDENT 7.0
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#set'\fI\%set\fP\X'tty: link'
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.WebAuthnMixin
.INDENT 7.0
.TP
.B get_user_mapping()
Return the filter needed by find_user() to get the user
associated with this webauthn credential.
Note that this probably has to be overridden using mongoengine.
.sp
Added in version 5.0.0.

.INDENT 7.0
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'[\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link', \X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link']
.UNINDENT
.UNINDENT
.UNINDENT
.SS Datastores
.INDENT 0.0
.TP
.B class flask_security.UserDatastore(user_model, role_model, webauthn_model=None)
Abstracted user datastore.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser_model\fP (\fIt.Type\fP\fI[\fP\fI\%User\fP\fI]\fP) \-\- A user model class definition
.IP \(bu 2
\fBrole_model\fP (\fIt.Type\fP\fI[\fP\fI\%Role\fP\fI]\fP) \-\- A role model class definition
.IP \(bu 2
\fBwebauthn_model\fP (\fIt.Type\fP\fI[\fP\fI\%WebAuthn\fP\fI] \fP\fI| \fP\fINone\fP) \-\- A model used to store webauthn registrations
.UNINDENT
.UNINDENT
.sp
\fBIMPORTANT:\fP
.INDENT 7.0
.INDENT 3.5
For mutating operations, the user/role will be added to the
datastore (by calling self.put(<object>). If the datastore is session based
(such as for SQLAlchemyDatastore) it is up to caller to actually
commit the transaction by calling datastore.commit().
.UNINDENT
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
You must implement get_user_mapping in your WebAuthn model
if your User model doesn\(aqt have a primary key Column called \(aqid\(aq
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B activate_user(user)
Activates a specified user. Returns \fITrue\fP if a change was made.
.INDENT 7.0
.TP
.B Parameters
\fBuser\fP (\fI\%User\fP) \-\- The user to activate
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B add_permissions_to_role(role, permissions)
Add one or more permissions to role.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBrole\fP (\fI\%Role\fP\fI | \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- The role to modify. Can be a Role object or
string role name
.IP \(bu 2
\fBpermissions\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#set'\fI\%set\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#list'\fI\%list\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#tuple'\fI\%tuple\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- a set, list, tuple or comma separated string.
.UNINDENT
.TP
.B Returns
True if permissions added, False if role doesn\(aqt exist.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'
.UNINDENT
.sp
Caller must commit to DB.
.sp
Added in version 4.0.0.

.UNINDENT
.INDENT 7.0
.TP
.B add_role_to_user(user, role)
Adds a role to a user.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP (\fI\%User\fP) \-\- The user to manipulate.
.IP \(bu 2
\fBrole\fP (\fI\%Role\fP\fI | \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- The role to add to the user. Can be a Role object or
string role name
.UNINDENT
.TP
.B Returns
True is role was added, False if role already existed.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B create_role(**kwargs)
Creates and returns a new role from the given parameters.
Supported params (depending on RoleModel):
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBname\fP \-\- Role name
.IP \(bu 2
\fBpermissions\fP \-\- 
.sp
a list, set, tuple or comma separated string.
These are user\-defined strings that correspond to args used with
@permissions_required()
.sp
Added in version 3.3.0.


.IP \(bu 2
\fBkwargs\fP (\fIt.Any\fP)
.UNINDENT
.TP
.B Return type
\fI\%Role\fP
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B create_user(**kwargs)
Creates and returns a new user from the given parameters.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBemail\fP \-\- required.
.IP \(bu 2
\fBpassword\fP \-\- Hashed password.
.IP \(bu 2
\fBroles\fP \-\- list of roles to be added to user.
Can be Role objects or strings
.IP \(bu 2
\fBkwargs\fP (\fIt.Any\fP)
.UNINDENT
.TP
.B Return type
\fI\%User\fP
.UNINDENT
.sp
Any other element of the User data model may be supplied as well.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
No normalization is done on email \- it is assumed the caller has already
done that.
.sp
Best practice is:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
try:
    enorm = app.security._mail_util.validate(email)
except ValueError:
.EE
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.sp
\fBDANGER:\fP
.INDENT 7.0
.INDENT 3.5
Be aware that whatever \fIpassword\fP is passed in will
be stored directly in the DB. Do NOT pass in a plaintext password!
Best practice is to pass in \fBhash_password(plaintext_password)\fP\&.
.sp
Furthermore, no validation nor normalization is done on the password
(e.g for minimum length).
.sp
Best practice is:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
pbad, pnorm = app.security._password_util.validate(password, True)
.EE
.UNINDENT
.UNINDENT
.sp
Look for \fIpbad\fP being None. Pass the normalized password \fIpnorm\fP to this
method.
.UNINDENT
.UNINDENT
.sp
The new user\(aqs \fBactive\fP property will be set to \fBTrue\fP
unless explicitly set to \fBFalse\fP in \fIkwargs\fP (e.g. active = False)
.UNINDENT
.INDENT 7.0
.TP
.B deactivate_user(user)
Deactivates a specified user. Returns \fITrue\fP if a change was made.
.sp
This will immediately disallow access to all endpoints that require
authentication either via session or tokens.
The user will not be able to log in again.
.INDENT 7.0
.TP
.B Parameters
\fBuser\fP (\fI\%User\fP) \-\- The user to deactivate
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B delete_user(user)
Deletes the specified user.
.INDENT 7.0
.TP
.B Parameters
\fBuser\fP (\fI\%User\fP) \-\- The user to delete
.TP
.B Return type
None
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B delete_webauthn(webauthn)
.INDENT 7.0
.TP
.B Parameters
\fBwebauthn\fP (\fI\%WebAuthn\fP)
.TP
.B Return type
None
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B find_or_create_role(name, **kwargs)
Returns a role matching the given name or creates it with any
additionally provided parameters.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBname\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.IP \(bu 2
\fBkwargs\fP (\fIt.Any\fP)
.UNINDENT
.TP
.B Return type
\fI\%Role\fP
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B find_role(role)
Returns a role matching the provided name.
.INDENT 7.0
.TP
.B Parameters
\fBrole\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.TP
.B Return type
\fI\%Role\fP | None
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B find_user(**kwargs)
Returns a user matching the provided parameters.
Besides keyword arguments used to filter the results,
\(aqcase_insensitive\(aq can be passed (defaults to False)
.INDENT 7.0
.TP
.B Parameters
\fBkwargs\fP (\fIt.Any\fP)
.TP
.B Return type
\fI\%User\fP | None
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B find_webauthn(credential_id)
Returns a credential matching the id.
.INDENT 7.0
.TP
.B Parameters
\fBcredential_id\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#bytes'\fI\%bytes\fP\X'tty: link')
.TP
.B Return type
\fI\%WebAuthn\fP | None
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B remove_permissions_from_role(role, permissions)
Remove one or more permissions from a role.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBrole\fP (\fI\%Role\fP\fI | \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- The role to modify. Can be a Role object or
string role name
.IP \(bu 2
\fBpermissions\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#set'\fI\%set\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#list'\fI\%list\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#tuple'\fI\%tuple\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- a set, list, tuple or a comma separated string.
.UNINDENT
.TP
.B Returns
True if permissions removed, False if role doesn\(aqt exist.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'
.UNINDENT
.sp
Caller must commit to DB.
.sp
Added in version 4.0.0.

.UNINDENT
.INDENT 7.0
.TP
.B remove_role_from_user(user, role)
Removes a role from a user.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP (\fI\%User\fP) \-\- The user to manipulate. Can be an User object or email
.IP \(bu 2
\fBrole\fP (\fI\%Role\fP\fI | \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- The role to remove from the user. Can be a Role object or
string role name
.UNINDENT
.TP
.B Returns
True if role was removed, False if role doesn\(aqt exist or user didn\(aqt
have role.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B reset_user_access(user)
Use this method to reset user authentication methods in the case of compromise.
This will:
.INDENT 7.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
reset fs_uniquifier \- which causes session cookie, remember cookie, auth
tokens to be unusable
.IP \(bu 2
reset fs_token_uniquifier (if present) \- cause auth tokens to be unusable
.IP \(bu 2
remove all unified signin TOTP secrets so those can\(aqt be used
.IP \(bu 2
remove all two\-factor secrets so those can\(aqt be used
.IP \(bu 2
remove all registered webauthn credentials
.IP \(bu 2
remove all one\-time recovery codes
.IP \(bu 2
will NOT affect password
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Note that if using unified sign in and allow \(aqemail\(aq as a way to receive a code;
this will also get reset. If the user registered w/o a password then they likely
will have no way to authenticate.
.sp
Note \- this method isn\(aqt used directly by Flask\-Security \- it is provided
as a helper for an application\(aqs administrative needs.
.sp
Remember to call commit on DB if needed.
.sp
Added in version 3.4.1.

.sp
Changed in version 5.0.0: Added webauthn and recovery codes reset.

.INDENT 7.0
.TP
.B Parameters
\fBuser\fP (\fI\%User\fP)
.TP
.B Return type
None
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B set_token_uniquifier(user, uniquifier=None)
Set user\(aqs auth token identity key.
This will immediately render outstanding auth tokens invalid.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP (\fI\%User\fP) \-\- User to modify
.IP \(bu 2
\fBuniquifier\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\fINone\fP) \-\- Unique value \- if none then uuid.uuid4().hex is used
.UNINDENT
.TP
.B Return type
None
.UNINDENT
.sp
This method is a no\-op if the user model doesn\(aqt contain the attribute
\fBfs_token_uniquifier\fP
.sp
Added in version 4.0.0.

.UNINDENT
.INDENT 7.0
.TP
.B set_uniquifier(user, uniquifier=None)
Set user\(aqs Flask\-Security identity key.
This will immediately render outstanding auth tokens,
session cookies and remember cookies invalid.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP (\fI\%User\fP) \-\- User to modify
.IP \(bu 2
\fBuniquifier\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\fINone\fP) \-\- Unique value \- if none then uuid.uuid4().hex is used
.UNINDENT
.TP
.B Return type
None
.UNINDENT
.sp
Added in version 3.3.0.

.UNINDENT
.INDENT 7.0
.TP
.B tf_reset(user)
Disable two\-factor auth for user.
.INDENT 7.0
.TP
.B Parameters
\fBuser\fP (\fI\%User\fP)
.TP
.B Return type
None
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B tf_set(user, primary_method, totp_secret=None, phone=None)
Set two\-factor info into user record.
This carefully only changes things if different.
.sp
If totp_secret isn\(aqt provided \- existing one won\(aqt be changed.
If phone isn\(aqt provided, the existing phone number won\(aqt be changed.
.sp
This could be called from an application to apiori setup a user for two factor
without the user having to go through the setup process.
.sp
To get a totp_secret \- use \fBapp.security._totp_factory.generate_totp_secret()\fP
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP (\fI\%User\fP)
.IP \(bu 2
\fBprimary_method\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.IP \(bu 2
\fBtotp_secret\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\fINone\fP)
.IP \(bu 2
\fBphone\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\fINone\fP)
.UNINDENT
.TP
.B Return type
None
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B toggle_active(user)
Toggles a user\(aqs active status. Always returns True.
.INDENT 7.0
.TP
.B Parameters
\fBuser\fP (\fI\%User\fP)
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B us_reset(user, method=None)
Disable unified sign in for user.
This will disable authenticator app and SMS, and email.
N.B. if user has no password they may not be able to authenticate at all.
.sp
Added in version 3.4.1.

.sp
Changed in version 5.0.0: Added optional method argument to delete just a single method

.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP (\fI\%User\fP)
.IP \(bu 2
\fBmethod\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\fINone\fP)
.UNINDENT
.TP
.B Return type
None
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B us_set(user, method, totp_secret=None, phone=None)
Set unified sign in info into user record.
.sp
If totp_secret isn\(aqt provided \- existing one won\(aqt be changed.
If phone isn\(aqt provided, the existing phone number won\(aqt be changed.
.sp
This could be called from an application to apiori setup a user for unified
sign in without the user having to go through the setup process.
.sp
To get a totp_secret \- use \fBapp.security._totp_factory.generate_totp_secret()\fP
.sp
Added in version 3.4.1.

.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP (\fI\%User\fP)
.IP \(bu 2
\fBmethod\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.IP \(bu 2
\fBtotp_secret\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\fINone\fP)
.IP \(bu 2
\fBphone\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\fINone\fP)
.UNINDENT
.TP
.B Return type
None
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B webauthn_reset(user)
Reset access via webauthn credentials.
This will DELETE all registered credentials.
There doesn\(aqt appear to be any reason to change the user\(aqs
fs_webauthn_user_handle.
.INDENT 7.0
.TP
.B Parameters
\fBuser\fP (\fI\%User\fP)
.TP
.B Return type
None
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.SQLAlchemyUserDatastore(db, user_model, role_model, webauthn_model=None)
Bases: \fI\%SQLAlchemyDatastore\fP, \fI\%UserDatastore\fP
.sp
A UserDatastore implementation that assumes the
use of
\X'tty: link https://pypi.python.org/pypi/flask-sqlalchemy/'\fI\%Flask\-SQLAlchemy\fP\X'tty: link'
for datastore transactions.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBdb\fP (\X'tty: link https://flask-sqlalchemy.palletsprojects.com/en/3.1.x/api/#flask_sqlalchemy.SQLAlchemy'\fI\%flask_sqlalchemy.SQLAlchemy\fP\X'tty: link')
.IP \(bu 2
\fBuser_model\fP (\fIt.Type\fP\fI[\fP\fI\%User\fP\fI]\fP) \-\- See \fI\%Models\fP\&.
.IP \(bu 2
\fBrole_model\fP (\fIt.Type\fP\fI[\fP\fI\%Role\fP\fI]\fP) \-\- See \fI\%Models\fP\&.
.IP \(bu 2
\fBwebauthn_model\fP (\fIt.Type\fP\fI[\fP\fI\%WebAuthn\fP\fI] \fP\fI| \fP\fINone\fP) \-\- See \fI\%Models\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.SQLAlchemySessionUserDatastore(session, user_model, role_model, webauthn_model=None)
Bases: \fI\%SQLAlchemyUserDatastore\fP, \fI\%SQLAlchemyDatastore\fP
.sp
A UserDatastore implementation that directly uses
\X'tty: link https://docs.sqlalchemy.org/en/14/orm/session_basics.html'\fI\%SQLAlchemy\(aqs\fP\X'tty: link'
session API.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBsession\fP (\X'tty: link https://docs.sqlalchemy.org/en/20/orm/contextual.html#sqlalchemy.orm.scoped_session'\fI\%sqlalchemy.orm.scoping.scoped_session\fP\X'tty: link')
.IP \(bu 2
\fBuser_model\fP (\fIt.Type\fP\fI[\fP\fI\%User\fP\fI]\fP) \-\- See \fI\%Models\fP\&.
.IP \(bu 2
\fBrole_model\fP (\fIt.Type\fP\fI[\fP\fI\%Role\fP\fI]\fP) \-\- See \fI\%Models\fP\&.
.IP \(bu 2
\fBwebauthn_model\fP (\fIt.Type\fP\fI[\fP\fI\%WebAuthn\fP\fI] \fP\fI| \fP\fINone\fP) \-\- See \fI\%Models\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.MongoEngineUserDatastore(db, user_model, role_model, webauthn_model=None)
Bases: \fI\%MongoEngineDatastore\fP, \fI\%UserDatastore\fP
.sp
A UserDatastore implementation that assumes the
use of
\X'tty: link https://pypi.org/project/mongoengine/'\fI\%MongoEngine\fP\X'tty: link'
for datastore transactions.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBdb\fP (\fImongoengine.connection\fP)
.IP \(bu 2
\fBuser_model\fP (\fIt.Type\fP\fI[\fP\fI\%User\fP\fI]\fP) \-\- See \fI\%Models\fP\&.
.IP \(bu 2
\fBrole_model\fP (\fIt.Type\fP\fI[\fP\fI\%Role\fP\fI]\fP) \-\- See \fI\%Models\fP\&.
.IP \(bu 2
\fBwebauthn_model\fP (\fIt.Type\fP\fI[\fP\fI\%WebAuthn\fP\fI] \fP\fI| \fP\fINone\fP) \-\- See \fI\%Models\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.PeeweeUserDatastore(db, user_model, role_model, role_link, webauthn_model=None)
Bases: \fI\%PeeweeDatastore\fP, \fI\%UserDatastore\fP
.sp
A UserDatastore implementation that assumes the
use of
\X'tty: link https://docs.peewee-orm.com/en/latest/peewee/playhouse.html#flask-utils'\fI\%Peewee Flask utils\fP\X'tty: link'
for datastore transactions.
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.PonyUserDatastore(db, user_model, role_model, webauthn_model=None)
Bases: \fI\%PonyDatastore\fP, \fI\%UserDatastore\fP
.sp
A UserDatastore implementation that assumes the
use of
\X'tty: link https://pypi.python.org/pypi/pony/'\fI\%PonyORM\fP\X'tty: link'
for datastore transactions.
.sp
Code primarily from \X'tty: link https://github.com/ET-CS'\fI\%https://github.com/ET\-CS\fP\X'tty: link' but taken over after
being abandoned.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBdb\fP
.IP \(bu 2
\fBuser_model\fP \-\- See \fI\%Models\fP\&.
.IP \(bu 2
\fBrole_model\fP \-\- See \fI\%Models\fP\&.
.IP \(bu 2
\fBwebauthn_model\fP \-\- See \fI\%Models\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.datastore.SQLAlchemyDatastore(db)
Internal class implementing DataStore interface.
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.datastore.MongoEngineDatastore(db)
Internal class implementing DataStore interface.
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.datastore.PeeweeDatastore(db)
Internal class implementing DataStore interface.
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.datastore.PonyDatastore(db)
Internal class implementing DataStore interface.
.UNINDENT
.INDENT 0.0
.TP
.B class User
The User model. This must be provided by the application.
See \fI\%Models\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B class Role
The Role model. This must be provided by the application.
See \fI\%Models\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B class WebAuthn
The WebAuthn model. This must be provided by the application.
See \fI\%Models\fP\&.
.UNINDENT
.SS Packaged Models
.INDENT 0.0
.TP
.B class flask_security.models.fsqla.FsModels
Helper class for model mixins.
This records the \fBdb\fP (which is a Flask\-SqlAlchemy object) for use in
mixins.
.INDENT 7.0
.TP
.B classmethod set_db_info(appdb, user_table_name=\(aquser\(aq, role_table_name=\(aqrole\(aq, webauthn_table_name=\(aqwebauthn\(aq)
Initialize Model.
This needs to be called after the DB object has been created
(e.g. db = Sqlalchemy()).
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
This should only be used if you are utilizing the fsqla data
models. With your own models you would need similar but slightly
difficult code.
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.SS Utils
.INDENT 0.0
.TP
.B flask_security.lookup_identity(identity)
Lookup identity in DB.
This loops through, in order, \fI\%SECURITY_USER_IDENTITY_ATTRIBUTES\fP,
and first calls the mapper function to validate/normalize.
Then the db.find_user is called on the specified user model attribute.
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.login_user(user, remember=None, authn_via=None)
Perform the login routine.
.sp
If \fI\%SECURITY_TRACKABLE\fP is used, make sure you commit changes after this
request (i.e. \fBapp.security.datastore.commit()\fP).
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP (\fI\%User\fP) \-\- The user to login
.IP \(bu 2
\fBremember\fP (\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'\fI | \fP\fINone\fP) \-\- Flag specifying if the remember cookie should be set.
If \fBNone\fP use value of \fI\%SECURITY_DEFAULT_REMEMBER_ME\fP
.IP \(bu 2
\fBauthn_via\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#list'\fI\%list\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI] \fP\fI| \fP\fINone\fP) \-\- A list of strings denoting which mechanism(s) the user
authenticated with.
These should be one or more of [\(dqpassword\(dq, \(dqsms\(dq, \(dqauthenticator\(dq, \(dqemail\(dq] or
other \(aqauto\-login\(aq mechanisms.
.UNINDENT
.TP
.B Returns
True if user successfully logged in.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.logout_user()
Logs out the current user.
.sp
This will also clean up the remember me cookie if it exists.
.sp
This sends an \fBidentity_changed\fP signal to note that the current
identity is now the \fIAnonymousIdentity\fP
.INDENT 7.0
.TP
.B Return type
None
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.check_and_update_authn_fresh(within, grace, method=None)
Check if user authenticated within specified time and update grace period.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBwithin\fP (\X'tty: link https://docs.python.org/3/library/datetime.html#datetime.timedelta'\fI\%timedelta\fP\X'tty: link') \-\- A timedelta specifying the maximum time in the past that the caller
authenticated that is still considered \(aqfresh\(aq.
.IP \(bu 2
\fBgrace\fP (\X'tty: link https://docs.python.org/3/library/datetime.html#datetime.timedelta'\fI\%timedelta\fP\X'tty: link') \-\- A timedelta that, if the current session is considered \(aqfresh\(aq
will set a grace period for which freshness won\(aqt be checked.
The intent here is that the caller shouldn\(aqt get part\-way though
a set of operations and suddenly be required to authenticate again.
.IP \(bu 2
\fBmethod\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\fINone\fP) \-\- Optional \- if set and == \(dqbasic\(dq then will always return True.
(since basic\-auth sends username/password on every request)
.UNINDENT
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'
.UNINDENT
.sp
If within.total_seconds() is negative, will always return True (always \(aqfresh\(aq).
This effectively just disables this entire mechanism.
.sp
If \(dqfs_gexp\(dq is in the session and the current timestamp is less than that,
return True and extend grace time (i.e. set fs_gexp to current time + grace).
.sp
If not within the grace period, and within.total_seconds() is 0,
return False (not fresh).
.sp
Be aware that for this to work, sessions and therefore session cookies
must be functioning and being sent as part of the request. If the required
state isn\(aqt in the session cookie then return False (not \(aqfresh\(aq).
.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
Be sure the caller is already authenticated PRIOR to calling this method.
.UNINDENT
.UNINDENT
.sp
Added in version 3.4.0.

.sp
Changed in version 4.0.0: Added \fImethod\fP parameter.

.UNINDENT
.INDENT 0.0
.TP
.B flask_security.get_hmac(password)
Returns a Base64 encoded HMAC+SHA512 of the password signed with
the salt specified by \fI\%SECURITY_PASSWORD_SALT\fP\&.
.INDENT 7.0
.TP
.B Parameters
\fBpassword\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#bytes'\fI\%bytes\fP\X'tty: link') \-\- The password to sign
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#bytes'\fI\%bytes\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.get_request_attr(name)
Retrieve a request local attribute.
.sp
Current public attributes are:
.INDENT 7.0
.TP
\fBfs_authn_via\fP
will be set to the authentication mechanism (session, token, basic)
that the current request was authenticated with.
.UNINDENT
.sp
Returns None if attribute doesn\(aqt exist.
.sp
Added in version 4.0.0.

.sp
Changed in version 4.1.5: Use \(aqg\(aq rather than request_ctx stack which is going away post Flask 2.2

.INDENT 7.0
.TP
.B Parameters
\fBname\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.verify_password(password, password_hash)
Returns \fBTrue\fP if the password matches the supplied hash.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBpassword\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#bytes'\fI\%bytes\fP\X'tty: link') \-\- A plaintext password to verify
.IP \(bu 2
\fBpassword_hash\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#bytes'\fI\%bytes\fP\X'tty: link') \-\- The expected hash value of the password
(usually from your database)
.UNINDENT
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
Make sure that the password passed in has already been normalized.
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.verify_and_update_password(password, user)
Returns \fBTrue\fP if the password is valid for the specified user.
.sp
Additionally, the hashed password in the database is updated if the
hashing algorithm happens to have changed.
.sp
N.B. you MUST call DB commit if you are using a session\-based datastore
(such as SqlAlchemy) since the user instance might have been altered
(i.e. \fBapp.security.datastore.commit()\fP).
This is usually handled in the view.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBpassword\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#bytes'\fI\%bytes\fP\X'tty: link') \-\- A plaintext password to verify
.IP \(bu 2
\fBuser\fP (\fI\%User\fP) \-\- The user to verify against
.UNINDENT
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link'
.UNINDENT
.sp
\fBTIP:\fP
.INDENT 7.0
.INDENT 3.5
This should not be called directly \- rather use
\fI\%UserMixin.verify_and_update_password()\fP
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.hash_password(password)
Hash the specified plaintext password.
.sp
Unless the hash algorithm (as specified by
\fI\%SECURITY_PASSWORD_HASH\fP) is listed in
the configuration variable \fI\%SECURITY_PASSWORD_SINGLE_HASH\fP,
perform a double hash \- first create an HMAC from the plaintext password
and the value of \fI\%SECURITY_PASSWORD_SALT\fP,
then use the configured hashing algorithm.
This satisfies OWASP/ASVS section 2.4.5: \(aqprovide additional
iteration of a key derivation\(aq.
.sp
Added in version 2.0.2.

.INDENT 7.0
.TP
.B Parameters
\fBpassword\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#bytes'\fI\%bytes\fP\X'tty: link') \-\- The plaintext password to hash
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.admin_change_password(user, new_passwd, notify=True)
Administratively change a user\(aqs password.
Note that this will immediately render the user\(aqs existing sessions (and possibly
authentication tokens) invalid.
.sp
It is up to the caller to inform the user of their new password by some
out\-of\-band means.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP (\fI\%User\fP) \-\- The user object to change
.IP \(bu 2
\fBnew_passwd\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- The new plain\-text password to assign to the user.
.IP \(bu 2
\fBnotify\fP (\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link') \-\- If True and \fI\%SECURITY_SEND_PASSWORD_CHANGE_EMAIL\fP is True
send the \(aqchange_notice\(aq email to the user.
.UNINDENT
.TP
.B Return type
None
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.uia_phone_mapper(identity)
Used to match identity as a phone number. This is a simple proxy
to \fI\%PhoneUtil\fP
.sp
See \fI\%SECURITY_USER_IDENTITY_ATTRIBUTES\fP\&.
.sp
Added in version 3.4.0.

.INDENT 7.0
.TP
.B Parameters
\fBidentity\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link' | None
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.uia_email_mapper(identity)
Used to match identity as an email.
.INDENT 7.0
.TP
.B Returns
Normalized email or None if not valid email.
.TP
.B Parameters
\fBidentity\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link' | None
.UNINDENT
.sp
See \fI\%SECURITY_USER_IDENTITY_ATTRIBUTES\fP\&.
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B flask_security.uia_username_mapper(identity)
Used to match identity as a username. This is a simple proxy
to \fI\%UsernameUtil\fP
.sp
See \fI\%SECURITY_USER_IDENTITY_ATTRIBUTES\fP\&.
.sp
Added in version 4.1.0.

.INDENT 7.0
.TP
.B Parameters
\fBidentity\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link' | None
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.url_for_security(endpoint, **values)
Return a URL for the security blueprint
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBendpoint\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- the endpoint of the URL (name of the function)
.IP \(bu 2
\fBvalues\fP (\X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link') \-\- the variable arguments of the URL rule
.IP \(bu 2
\fB_external\fP \-\- if set to \fITrue\fP, an absolute URL is generated. Server
address can be changed via \fISERVER_NAME\fP configuration variable which
defaults to \fIlocalhost\fP\&.
.IP \(bu 2
\fB_anchor\fP \-\- if provided this is added as anchor to the URL.
.IP \(bu 2
\fB_method\fP \-\- if provided this explicitly specifies an HTTP method.
.UNINDENT
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.send_mail(subject, recipient, template, **context)
Send an email.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBsubject\fP \-\- Email subject
.IP \(bu 2
\fBrecipient\fP \-\- Email recipient
.IP \(bu 2
\fBtemplate\fP \-\- The name of the email template
.IP \(bu 2
\fBcontext\fP \-\- The context to render the template with
.UNINDENT
.UNINDENT
.sp
This formats the email and passes it off to \fI\%MailUtil\fP to actually send the
message.
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.check_and_get_token_status(token, serializer_name, within)
Get the status of a token and return data.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBtoken\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- The token to check
.IP \(bu 2
\fBserializer_name\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- The name of the serializer. Can be one of the
following: \fBconfirm\fP, \fBlogin\fP, \fBreset\fP, \fBus_setup\fP
\fBremember\fP, \fBtwo_factor_validity\fP, \fBwan\fP
.IP \(bu 2
\fBwithin\fP (\X'tty: link https://docs.python.org/3/library/datetime.html#datetime.timedelta'\fI\%timedelta\fP\X'tty: link') \-\- max age \- passed as a timedelta
.UNINDENT
.TP
.B Returns
a tuple of (expired, invalid, data)
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#tuple'\fI\%tuple\fP\X'tty: link'[\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link', \X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link', \X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link']
.UNINDENT
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B flask_security.get_url(endpoint_or_url, qparams=None)
Returns a URL if a valid endpoint is found. Otherwise, returns the
provided value.
.sp
\fBWARNING:\fP
.INDENT 7.0
.INDENT 3.5
If an endpoint ISN\(aqT provided, then it is assumed that the URL
is external to Flask and if the spa configuration REDIRECT_HOST
is set will redirect to that host. This could be an issue in
development.
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBendpoint_or_url\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- The endpoint name or URL to default to
.IP \(bu 2
\fBqparams\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI, \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI] \fP\fI| \fP\fINone\fP) \-\- additional query params to add to end of url
.UNINDENT
.TP
.B Returns
URL
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.password_length_validator(password)
Test password for length.
.INDENT 7.0
.TP
.B Parameters
\fBpassword\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- Plain text password to check
.TP
.B Returns
\fBNone\fP if password conforms to length requirements,
a list of error/suggestions if not.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#list'\fI\%list\fP\X'tty: link'[\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'] | None
.UNINDENT
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B flask_security.password_complexity_validator(password, is_register, **kwargs)
Test password for complexity.
.sp
Currently just supports \(aqzxcvbn\(aq.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBpassword\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- Plain text password to check
.IP \(bu 2
\fBis_register\fP (\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link') \-\- if True then kwargs are arbitrary additional info. (e.g.
info from a registration form). If False, must be a SINGLE key \(dquser\(dq that
corresponds to the current_user. All string values will be extracted and
sent to the complexity checker.
.IP \(bu 2
\fBkwargs\fP (\X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link')
.UNINDENT
.TP
.B Returns
\fBNone\fP if password is complex enough, a list of error/suggestions if not.
Be aware that zxcvbn does not (easily) provide a way to localize messages.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#list'\fI\%list\fP\X'tty: link'[\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'] | None
.UNINDENT
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B flask_security.password_breached_validator(password)
Check if password on breached list.
Does nothing unless \fI\%SECURITY_PASSWORD_CHECK_BREACHED\fP is set.
If password is found on the breached list, return an error if the count is
greater than or equal to \fI\%SECURITY_PASSWORD_BREACHED_COUNT\fP\&.
Uses \fI\%pwned()\fP\&.
.INDENT 7.0
.TP
.B Parameters
\fBpassword\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- Plain text password to check
.TP
.B Returns
\fBNone\fP if password passes breached tests, else a list of error messages.
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#list'\fI\%list\fP\X'tty: link'[\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'] | None
.UNINDENT
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B flask_security.pwned(password)
Check password against pwnedpasswords API using k\-Anonymity.
\X'tty: link https://haveibeenpwned.com/API/v3'\fI\%https://haveibeenpwned.com/API/v3\fP\X'tty: link'
.INDENT 7.0
.TP
.B Returns
Count of password in DB (0 means hasn\(aqt been compromised)
.TP
.B Parameters
\fBpassword\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/functions.html#int'\fI\%int\fP\X'tty: link'
.UNINDENT
.sp
Can raise HTTPError
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B flask_security.unique_identity_attribute(form, field)
A validator that checks the field data against all configured
\fI\%SECURITY_USER_IDENTITY_ATTRIBUTES\fP\&.
This can be used as part of registration.
.sp
Be aware that the \(dqmapper\(dq function likely also normalizes the input in addition
to validating it.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBform\fP
.IP \(bu 2
\fBfield\fP
.UNINDENT
.TP
.B Returns
Nothing; if field data corresponds to an existing User, ValidationError
is raised.
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B flask_security.us_send_security_token(user, method, totp_secret, phone_number, send_magic_link=False)
Generate and send the security code.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP \-\- The user to send the code to
.IP \(bu 2
\fBmethod\fP \-\- The method in which the code will be sent
.IP \(bu 2
\fBtotp_secret\fP \-\- the unique shared secret of the user
.IP \(bu 2
\fBphone_number\fP \-\- If \(aqsms\(aq phone number to send to
.IP \(bu 2
\fBsend_magic_link\fP \-\- If true a magic link that can be clicked on will be sent.
This shouldn\(aqt be sent during a setup.
.UNINDENT
.UNINDENT
.sp
There is no return value \- it is assumed that exceptions are thrown by underlying
methods that callers can catch.
.sp
Flask\-Security code should NOT call this directly \-
call \fI\%UserMixin.us_send_security_token()\fP
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B flask_security.tf_send_security_token(user, method, totp_secret, phone_number)
Sends the security token via email/sms for the specified user.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP \-\- The user to send the code to
.IP \(bu 2
\fBmethod\fP \-\- The method in which the code will be sent
(\(aqemail\(aq or \(aqsms\(aq, or \(aqauthenticator\(aq) at the moment
.IP \(bu 2
\fBtotp_secret\fP \-\- a unique shared secret of the user
.IP \(bu 2
\fBphone_number\fP \-\- If \(aqsms\(aq phone number to send to
.UNINDENT
.UNINDENT
.sp
There is no return value \- it is assumed that exceptions are thrown by underlying
methods that callers can catch.
.sp
Flask\-Security code should NOT call this directly \-
call \fI\%UserMixin.tf_send_security_token()\fP
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.AsaList(*args, **kwargs)
SQL\-like DBs don\(aqt have a List type \- so do that here by converting to a comma
separate string.
For SQLAlchemy\-based datastores, this can be used as:
.INDENT 7.0
.INDENT 3.5
.sp
.EX
Column(MutableList.as_mutable(AsaList()), nullable=True)
.EE
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBargs\fP (\fIAny\fP)
.IP \(bu 2
\fBkwargs\fP (\fIAny\fP)
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.SmsSenderBaseClass
.INDENT 7.0
.TP
.B abstract send_sms(from_number, to_number, msg)
Abstract method for sending sms messages
.sp
Added in version 3.2.0.

.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBfrom_number\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.IP \(bu 2
\fBto_number\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.IP \(bu 2
\fBmsg\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.UNINDENT
.TP
.B Return type
None
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.SmsSenderFactory
.INDENT 7.0
.TP
.B classmethod createSender(name, *args, **kwargs)
Initialize an SMS sender.
.INDENT 7.0
.TP
.B Parameters
\fBname\fP \-\- Name as registered in SmsSenderFactory:senders (e.g. \(aqTwilio\(aq)
.UNINDENT
.sp
Added in version 3.2.0.

.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class OauthCbType[oauth: OAuth, token: t.Any]
This callback is called when the oauth
redirect happens. It must take the response from the provider and return
a tuple of <user_model_field_name, value> \- which will be used
to look up the user in the datastore.
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.OAuthGlue(app, oauthapp=None)
Provide the necessary glue between the Flask\-Security login process and
authlib oauth client code.
.sp
There are some builtin providers which can be used or not \- configured via
\fI\%SECURITY_OAUTH_BUILTIN_PROVIDERS\fP\&. Any other provider can be registered
using \fI\%register_provider_ext()\fP\&.
.sp
See \X'tty: link https://docs.authlib.org/en/latest/client/flask.html'\fI\%Flask OAuth Client\fP\X'tty: link'
.sp
Added in version 5.1.0.

.sp
Changed in version 5.4.0: Added register_provider_ext which allows applications more control to
manage new providers (such as extended error handling).

.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBapp\fP (\X'tty: link https://flask.palletsprojects.com/en/3.0.x/api/#flask.Flask'\fI\%flask.Flask\fP\X'tty: link')
.IP \(bu 2
\fBoauthapp\fP (\fIOAuth\fP\fI | \fP\fINone\fP)
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B register_provider(name, registration_info, fetch_identity_cb)
Add a provider to the list.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBname\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- Name of provider. This is used as part of the
\fI\%SECURITY_OAUTH_START_URL\fP\&.
.IP \(bu 2
\fBregistration_info\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI, \fP\fIt.Any\fP\fI] \fP\fI| \fP\fINone\fP) \-\- Sent directly to authlib. Set this to None
if you already have registered the provider directly with OAuth.
.IP \(bu 2
\fBfetch_identity_cb\fP (\fI\%OauthCbType\fP) \-\- This callback is called when the oauth
redirect happens. It must take the response from the provider and return
a tuple of <user_model_field_name, value> \- which will be used
to look up the user in the datastore.
.UNINDENT
.TP
.B Return type
None
.UNINDENT
.sp
The provider can be registered with OAuth here or already be done by the
application. If you register directly with OAuth make sure to use
the same \fIname\fP\&.
.sp
Deprecated since version 5.4.0: Use \fI\%register_provider_ext()\fP instead.

.UNINDENT
.INDENT 7.0
.TP
.B register_provider_ext(provider)
Register a provider via an instance of subclass.
This is the new way \- to provide more control for applications
.sp
The authlib provider can be registered here (by calling Oauth)
or already be done by the application.
If you register directly with OAuth make sure to use
the same \fIname\fP when instantiating the class.
.INDENT 7.0
.TP
.B Parameters
\fBprovider\fP (\fI\%FsOAuthProvider\fP)
.TP
.B Return type
None
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.FsOAuthProvider(name, registration_info=None, fetch_identity_cb=None)
Subclass this or instantiate to add new oauth providers.
.sp
Subclassing allows for customizing additional aspects of the oauth flow
in particular \- a custom error path for oauth flow state mismatches and
other errors thrown by authlib.
.sp
Call security.oauthglue.register_provider_ext(myproviderclass(\(dqmyprovider\(dq))
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBname\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- a name for provider \- must match what was passed if this
is already registered with Oauth.
.IP \(bu 2
\fBregistration_info\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI, \fP\fIt.Any\fP\fI] \fP\fI| \fP\fINone\fP) \-\- This dict is passed directly to Oauth as
part of registration \- not needed if provider already registered with
Oauth
.IP \(bu 2
\fBfetch_identity_cb\fP (\fI\%OauthCbType\fP\fI | \fP\fINone\fP) \-\- Call back from response to oauth flow.
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B authlib_config()
Return dict with authlib configuration.
This is called as part of provider registration.
.INDENT 7.0
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'[\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link', \X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link']
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B fetch_identity_cb(oauth, token)
This callback is called when the oauth
redirect happens. It must take the response from the provider and return
a tuple of <user_model_field_name, value> \- which will be used
to look up the user in the datastore.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBoauth\fP (\fIOAuth\fP)
.IP \(bu 2
\fBtoken\fP (\fIt.Any\fP)
.UNINDENT
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#tuple'\fI\%tuple\fP\X'tty: link'[\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link', t.Any]
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B oauth_response_failure(e)
Called if authlib authorize_access_token throws an error.
.sp
N.B. flashing doesn\(aqt seem to work in some cases \- if the session
cookie has samesite=\(aqstrict\(aq and it is the first registration.
.INDENT 7.0
.TP
.B Parameters
\fBe\fP (\fIOAuthError\fP)
.TP
.B Return type
ResponseValue
.UNINDENT
.UNINDENT
.UNINDENT
.SS Extendable Classes
.sp
Each of the following classes can be extended and passed in as part of
Security() instantiation.
.INDENT 0.0
.TP
.B class flask_security.PhoneUtil(app)
Provide parsing and validation for user inputted phone numbers.
Subclass this to use a different underlying phone number parsing library.
.sp
To provide your own implementation, pass in the class as \fBphone_util_cls\fP
at init time. Your class will be instantiated once as part of
Flask\-Security initialization.
.sp
Added in version 3.4.0.

.sp
Changed in version 4.0.0: __init__ takes app argument, and is instantiated at Flask\-Security
initialization time rather than at first request.

.INDENT 7.0
.TP
.B Parameters
\fBapp\fP (\X'tty: link https://flask.palletsprojects.com/en/3.0.x/api/#flask.Flask'\fI\%flask.Flask\fP\X'tty: link')
.UNINDENT
.INDENT 7.0
.TP
.B __init__(app)
Instantiate class.
.INDENT 7.0
.TP
.B Parameters
\fBapp\fP (\X'tty: link https://flask.palletsprojects.com/en/3.0.x/api/#flask.Flask'\fI\%flask.Flask\fP\X'tty: link') \-\- The Flask application being initialized.
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B get_canonical_form(input_data)
Validate and return a canonical form to be stored in DB
and compared against.
Returns \fBNone\fP if input isn\(aqt a valid phone number.
.INDENT 7.0
.TP
.B Parameters
\fBinput_data\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link' | None
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B validate_phone_number(input_data)
Return \fBNone\fP if a valid phone number else
the \fBPHONE_INVALID\fP error message.
.INDENT 7.0
.TP
.B Parameters
\fBinput_data\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link' | None
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.MailUtil(app)
Utility class providing methods for validating, normalizing and sending emails.
.sp
This default class uses the email_validator package to handle validation and
normalization, and the flask_mailman package (if initialized) to send emails.
.sp
To provide your own implementation, pass in the class as \fBmail_util_cls\fP
at init time.  Your class will be instantiated once as part of app initialization.
.sp
Added in version 4.0.0.

.INDENT 7.0
.TP
.B Parameters
\fBapp\fP (\X'tty: link https://flask.palletsprojects.com/en/3.0.x/api/#flask.Flask'\fI\%flask.Flask\fP\X'tty: link')
.UNINDENT
.INDENT 7.0
.TP
.B __init__(app)
Instantiate class.
.INDENT 7.0
.TP
.B Parameters
\fBapp\fP (\X'tty: link https://flask.palletsprojects.com/en/3.0.x/api/#flask.Flask'\fI\%flask.Flask\fP\X'tty: link') \-\- The Flask application being initialized.
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B normalize(email)
Given an input email \- return a normalized version or
raise EmailValidateException if field value isn\(aqt syntactically valid.
.sp
This is called by forms that use email as an identity to be looked up.
.sp
Must be called in app context and uses \fI\%SECURITY_EMAIL_VALIDATOR_ARGS\fP
config variable to pass any relevant arguments to
email_validator.validate_email() method.
.sp
This defaults to NOT checking for deliverability (i.e. DNS checks).
.INDENT 7.0
.TP
.B Parameters
\fBemail\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B send_mail(template, subject, recipient, sender, body, html, **kwargs)
Send an email via the Flask\-Mailman or Flask\-Mail or other mail extension.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBtemplate\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- the Template name. The message has already been rendered
however this might be useful to differentiate why the email is being sent.
.IP \(bu 2
\fBsubject\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- Email subject
.IP \(bu 2
\fBrecipient\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- Email recipient
.IP \(bu 2
\fBsender\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#tuple'\fI\%tuple\fP\X'tty: link') \-\- who to send email as (see \fI\%SECURITY_EMAIL_SENDER\fP)
.IP \(bu 2
\fBbody\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- the rendered body (text)
.IP \(bu 2
\fBhtml\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\fINone\fP) \-\- the rendered body (html)
.IP \(bu 2
\fBkwargs\fP (\X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link') \-\- the entire context
.UNINDENT
.TP
.B Return type
None
.UNINDENT
.sp
It is possible that sender is a lazy_string for localization (unlikely but..)
so we cast to str() here to force localization.
.UNINDENT
.INDENT 7.0
.TP
.B validate(email)
Validate the given email.
If valid, the normalized version is returned.
This is used by forms/views that require an email that likely can have an
actual email sent to it.
.sp
Must be called in app context and uses \fI\%SECURITY_EMAIL_VALIDATOR_ARGS\fP
config variable to pass any relevant arguments to
email_validator.validate_email() method.
.sp
EmailValidationException is thrown on invalid email.
.INDENT 7.0
.TP
.B Parameters
\fBemail\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.EmailValidateException(message)
This is raised for any email validation errors.
This can be used by custom MailUtil implementations to provide
custom error messages.
.INDENT 7.0
.TP
.B Parameters
\fBmessage\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.PasswordUtil(app)
Utility class providing methods for validating and normalizing passwords.
.sp
To provide your own implementation, pass in the class as \fBpassword_util_cls\fP
at init time.  Your class will be instantiated once as part of app initialization.
.sp
Added in version 4.0.0.

.INDENT 7.0
.TP
.B Parameters
\fBapp\fP (\X'tty: link https://flask.palletsprojects.com/en/3.0.x/api/#flask.Flask'\fI\%flask.Flask\fP\X'tty: link')
.UNINDENT
.INDENT 7.0
.TP
.B __init__(app)
Instantiate class.
.INDENT 7.0
.TP
.B Parameters
\fBapp\fP (\X'tty: link https://flask.palletsprojects.com/en/3.0.x/api/#flask.Flask'\fI\%flask.Flask\fP\X'tty: link') \-\- The Flask application being initialized.
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B normalize(password)
Given an input password \- return a normalized version (using Python\(aqs
unicodedata.normalize()).
Must be called in app context and uses
\fI\%SECURITY_PASSWORD_NORMALIZE_FORM\fP config variable.
.INDENT 7.0
.TP
.B Parameters
\fBpassword\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B validate(password, is_register, **kwargs)
Password validation.
Called in app/request context.
.sp
If is_register is True then kwargs will be the contents of the register form.
If is_register is False, then there is a single kwarg \(dquser\(dq which has the
current user data model.
.sp
The password is first normalized then validated.
Return value is a tuple ([msgs], normalized_password)
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBpassword\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.IP \(bu 2
\fBis_register\fP (\X'tty: link https://docs.python.org/3/library/functions.html#bool'\fI\%bool\fP\X'tty: link')
.IP \(bu 2
\fBkwargs\fP (\X'tty: link https://docs.python.org/3/library/typing.html#typing.Any'\fI\%Any\fP\X'tty: link')
.UNINDENT
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#tuple'\fI\%tuple\fP\X'tty: link'[\X'tty: link https://docs.python.org/3/library/stdtypes.html#list'\fI\%list\fP\X'tty: link' | None, \X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link']
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.MfRecoveryCodesUtil(app)
Handle creation, checking, encrypting and decrypting recovery codes.
Since these are rarely used \- keep them encrypted until needed \- yes
if someone gets access to memory they can find the key...
.INDENT 7.0
.TP
.B Parameters
\fBapp\fP (\X'tty: link https://flask.palletsprojects.com/en/3.0.x/api/#flask.Flask'\fI\%flask.Flask\fP\X'tty: link')
.UNINDENT
.INDENT 7.0
.TP
.B __init__(app)
.INDENT 7.0
.TP
.B Parameters
\fBapp\fP (\X'tty: link https://flask.palletsprojects.com/en/3.0.x/api/#flask.Flask'\fI\%flask.Flask\fP\X'tty: link')
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.UsernameUtil(app)
Utility class providing methods for validating and normalizing usernames.
.sp
To provide your own implementation, pass in the class as \fBusername_util_cls\fP
at init time.  Your class will be instantiated once as part of app initialization.
.sp
Added in version 4.1.0.

.INDENT 7.0
.TP
.B Parameters
\fBapp\fP (\X'tty: link https://flask.palletsprojects.com/en/3.0.x/api/#flask.Flask'\fI\%flask.Flask\fP\X'tty: link')
.UNINDENT
.INDENT 7.0
.TP
.B __init__(app)
Instantiate class.
.INDENT 7.0
.TP
.B Parameters
\fBapp\fP (\X'tty: link https://flask.palletsprojects.com/en/3.0.x/api/#flask.Flask'\fI\%flask.Flask\fP\X'tty: link') \-\- The Flask application being initialized.
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B check_username(username)
Given a username \- check for allowable character categories.
This is broken out so applications can easily override this method only.
.sp
By default allow letters and numbers (using unicodedata.category).
.sp
Returns None if allowed, error message if not allowed.
.INDENT 7.0
.TP
.B Parameters
\fBusername\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link' | None
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B normalize(username)
Given an input username \- return a clean (using bleach) and normalized
(using Python\(aqs unicodedata.normalize()) version.
Must be called in app context and uses
\fI\%SECURITY_USERNAME_NORMALIZE_FORM\fP config variable.
.INDENT 7.0
.TP
.B Parameters
\fBusername\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B validate(username)
Username validation.
Called in app/request context.
.sp
The username is first validated then normalized.
Input is restricted/validated via a call to check_username.
Return value is a tuple (msg, normalized_username). msg will be None if
properly validated.
.sp
It is important that None be returned if data is an empty string since
otherwise DBs will complain since the field is unique/nullable.
.INDENT 7.0
.TP
.B Parameters
\fBusername\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#tuple'\fI\%tuple\fP\X'tty: link'[\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link' | None, \X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link' | None]
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.WebauthnUtil(app)
Utility class allowing an application to fine\-tune various Relying Party
attributes.
.sp
To provide your own implementation, pass in the class as \fBwebauthn_util_cls\fP
at init time.  Your class will be instantiated once as part of app initialization.
.sp
Added in version 5.0.0.

.INDENT 7.0
.TP
.B Parameters
\fBapp\fP (\X'tty: link https://flask.palletsprojects.com/en/3.0.x/api/#flask.Flask'\fI\%flask.Flask\fP\X'tty: link')
.UNINDENT
.INDENT 7.0
.TP
.B __init__(app)
Instantiate class.
.INDENT 7.0
.TP
.B Parameters
\fBapp\fP (\X'tty: link https://flask.palletsprojects.com/en/3.0.x/api/#flask.Flask'\fI\%flask.Flask\fP\X'tty: link') \-\- The Flask application being initialized.
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B authentication_options(user, usage, existing_options)
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP (\fI\%User\fP\fI | \fP\fINone\fP) \-\- User object \- could be used to configure on a per\-user basis.
However, this can be null.
.IP \(bu 2
\fBusage\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#list'\fI\%list\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI]\fP) \-\- Either \(dqfirst\(dq or \(dqsecondary\(dq (webauthn is being used as a second
factor for authentication)
.IP \(bu 2
\fBexisting_options\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI, \fP\fIt.Any\fP\fI]\fP) \-\- Currently filled in authentication options.
.UNINDENT
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'[\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link', t.Any]
.UNINDENT
.INDENT 7.0
.TP
.B Return a dict that will be sent in to
py\-webauthn generate_authentication_options
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B authenticator_selection(user, usage)
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP (\fI\%User\fP) \-\- User object \- could be used to configure on a per\-user basis.
.IP \(bu 2
\fBusage\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- Either \(dqfirst\(dq or \(dqsecondary\(dq (webauthn is being used as a second
factor for authentication
.UNINDENT
.TP
.B Return type
AuthenticatorSelectionCriteria
.UNINDENT
.sp
Part of the registration ceremony is providing information about what kind
of authenticators the app is interested in.
See: \X'tty: link https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dictionary-authenticatorSelection'\fI\%https://www.w3.org/TR/2021/REC\-webauthn\-2\-20210408/#dictionary\-authenticatorSelection\fP\X'tty: link'
.INDENT 7.0
.TP
.B The main options are:
.INDENT 7.0
.IP \(bu 2
whether you want a ResidentKey (discoverable)
.IP \(bu 2
Attachment \- platform or cross\-platform
.IP \(bu 2
Does the key have to provide user\-verification
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B Note:
If the key isn\(aqt resident then it isn\(aqt discoverable which means that
the user won\(aqt be able to use that key unless they identify themselves
(use the key as a second factor OR type in their identity). If they are forced
to type in their identity PRIOR to being authenticated, then there is the
possibility that the app will leak username information.
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP (\fI\%User\fP)
.IP \(bu 2
\fBusage\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.UNINDENT
.TP
.B Return type
AuthenticatorSelectionCriteria
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B registration_options(user, usage, existing_options)
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP (\fI\%User\fP) \-\- User object \- could be used to configure on a per\-user basis.
.IP \(bu 2
\fBusage\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link') \-\- Either \(dqfirst\(dq or \(dqsecondary\(dq (webauthn is being used as a second
factor for authentication)
.IP \(bu 2
\fBexisting_options\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI, \fP\fIt.Any\fP\fI]\fP) \-\- Currently filled in registration options.
.UNINDENT
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'[\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link', t.Any]
.UNINDENT
.sp
Return a dict that will be sent in to py\-webauthn generate_registration_options
.UNINDENT
.INDENT 7.0
.TP
.B user_verification(user, usage)
As part of signin \- do we want/need user verification.
This is called from /wan\-signin and /wan\-verify
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP (\fI\%User\fP\fI | \fP\fINone\fP) \-\- User object \- could be used to configure on a per\-user basis.
Note that this may not be set on initial wan\-signin.
.IP \(bu 2
\fBusage\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#list'\fI\%list\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI]\fP) \-\- List of  \(dqfirst\(dq, \(dqsecondary\(dq (webauthn is being used as a second
factor for authentication). Note that in the \fBverify\fP/\fBreauthentication\fP
case this list is derived from \fI\%SECURITY_WAN_ALLOW_AS_VERIFY\fP
.UNINDENT
.TP
.B Return type
UserVerificationRequirement
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.Totp(secrets, issuer)
Encapsulate usage of Passlib TOTP functionality.
.sp
Flask\-Security doesn\(aqt implement any replay\-attack protection out of the box
as suggested by:
\X'tty: link https://passlib.readthedocs.io/en/stable/narr/totp-tutorial.html#match-verify'\fI\%https://passlib.readthedocs.io/en/stable/narr/totp\-tutorial.html#match\-verify\fP\X'tty: link'
.sp
Subclass this and implement the get/set last_counter methods. Your subclass can
be registered at Flask\-Security creation/initialization time.
.sp
Added in version 3.4.0.

.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBsecrets\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#dict'\fI\%dict\fP\X'tty: link'\fI[\fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI | \fP\X'tty: link https://docs.python.org/3/library/functions.html#int'\fI\%int\fP\X'tty: link'\fI, \fP\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'\fI]\fP)
.IP \(bu 2
\fBissuer\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B generate_qrcode(username, totp)
.INDENT 7.0
.TP
.B Generate QRcode
Using username, totp, generate the actual QRcode image.
This method can be overridden to fine\-tune how the image is created \-
such as size, color etc.
.sp
It must return a string suitable for use in an <img src=xx> tag.
.UNINDENT
.sp
Added in version 4.0.0.

.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBusername\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.IP \(bu 2
\fBtotp\fP (\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link')
.UNINDENT
.TP
.B Return type
\X'tty: link https://docs.python.org/3/library/stdtypes.html#str'\fI\%str\fP\X'tty: link'
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B get_last_counter(user)
Implement this to fetch stored last_counter from cache.
.INDENT 7.0
.TP
.B Parameters
\fBuser\fP (\fI\%User\fP) \-\- User model
.TP
.B Returns
last_counter as stored in set_last_counter()
.TP
.B Return type
TotpMatch | None
.UNINDENT
.UNINDENT
.INDENT 7.0
.TP
.B set_last_counter(user, tmatch)
Implement this to cache last_counter.
.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBuser\fP (\fI\%User\fP) \-\- User model
.IP \(bu 2
\fBtmatch\fP (\fITotpMatch\fP) \-\- a TotpMatch as returned from totp.verify()
.UNINDENT
.TP
.B Return type
None
.UNINDENT
.UNINDENT
.UNINDENT
.SS Forms
.INDENT 0.0
.TP
.B class flask_security.ChangePasswordForm(*args, **kwargs)
The default change password form
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.ConfirmRegisterForm(*args, **kwargs)
This form is used for registering when \(aqconfirmable\(aq is set.
The only difference between this and the other RegisterForm is that
this one doesn\(aqt require re\-typing in the password...
.sp
We want to support OWASP best\-practice around mitigating user enumeration.
To that end we run through the entire validation regardless \- this allows us
to still return important bad\-password messages.
In the case of an existing email or username \- we set form.existing_xx so that
the view can decide how to match responses (e.g. json responses always return 200).
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.ForgotPasswordForm(*args, **kwargs)
The default forgot password form
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.LoginForm(*args, **kwargs)
The default login form
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.MfRecoveryCodesForm(*args, **kwargs)
Generate and fetch recovery codes
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.MfRecoveryForm(*args, **kwargs)
Accept recovery code for second factor authentication
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.PasswordlessLoginForm(*args, **kwargs)
The passwordless login form
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.RegisterForm(*args, **kwargs)
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.ResetPasswordForm(*args, **kwargs)
The default reset password form
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.SendConfirmationForm(*args, **kwargs)
The default send confirmation form
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.TwoFactorVerifyCodeForm(*args, **kwargs)
The Two\-factor token validation form
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.TwoFactorSetupForm(*args, **kwargs)
The Two\-factor token validation form
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.TwoFactorSelectForm(*args, **kwargs)
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.TwoFactorRescueForm(*args, **kwargs)
The Two\-factor Rescue validation form
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.UnifiedSigninForm(*args, **kwargs)
A unified login form
For either identity/password or request and enter code.
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.UnifiedSigninSetupForm(*args, **kwargs)
Setup form
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.UnifiedSigninSetupValidateForm(*args, **kwargs)
The unified sign in setup validation form
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.UnifiedVerifyForm(*args, **kwargs)
Verify authentication.
This is for freshness \(aqreauthentication\(aq required.
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.VerifyForm(*args, **kwargs)
The verify authentication form
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.WebAuthnRegisterForm(*args, **kwargs)
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.WebAuthnRegisterResponseForm(*args, **kwargs)
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.WebAuthnSigninForm(*args, **kwargs)
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.WebAuthnSigninResponseForm(*args, **kwargs)
This form is used both for signin (primary/first or secondary) and verify.
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.WebAuthnDeleteForm(*args, **kwargs)
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.WebAuthnVerifyForm(*args, **kwargs)
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.Form(*args, **kwargs)
.UNINDENT
.INDENT 0.0
.TP
.B class flask_security.FormInfo(instantiator=<function _default_form_instantiator>, cls=None)
Each view form has a name \- assigned by Flask\-Security.
As part of every request, the form is instantiated using (usually) request.form or
request.json.
The default instantiator simply uses the class constructor \- however
applications can provide their OWN instantiator which can do pretty much anything
as long as it returns an instantiated form. The \(aqcls\(aq argument is optional since
the instantiator COULD be form specific.
.sp
The instantiator callable will always be called from a flask request context
and receive the following arguments:
.INDENT 7.0
.INDENT 3.5
.sp
.EX
(name, form_cls_name (optional), **kwargs)
.EE
.UNINDENT
.UNINDENT
.sp
kwargs will always have \fIformdata\fP and often will have \fImeta\fP\&. All kwargs
must be passed to the underlying form constructor.
.sp
See \fI\%flask_security.Security.set_form_info()\fP
.sp
Added in version 5.1.0.

.INDENT 7.0
.TP
.B Parameters
.INDENT 7.0
.IP \(bu 2
\fBinstantiator\fP (\X'tty: link https://docs.python.org/3/library/typing.html#typing.Callable'\fI\%Callable\fP\X'tty: link'\fI[\fP\fI[\fP\fI\&...\fP\fI]\fP\fI, \fP\fI\%Form\fP\fI]\fP)
.IP \(bu 2
\fBcls\fP (\X'tty: link https://docs.python.org/3/library/typing.html#typing.Type'\fI\%Type\fP\X'tty: link'\fI[\fP\fI\%Form\fP\fI] \fP\fI| \fP\fINone\fP)
.UNINDENT
.UNINDENT
.UNINDENT
.SS Signals
.sp
See the \X'tty: link https://flask.palletsprojects.com/en/2.3.x/signals/'\fI\%Flask documentation on signals\fP\X'tty: link' for information on how to use these
signals in your code.
All Flask\-Security signals are compatible with Blinker\(aqs async implementation.
See \X'tty: link https://blinker.readthedocs.io/en/stable/#async-receivers'\fI\%Blinker async\fP\X'tty: link'
.sp
\fBTIP:\fP
.INDENT 0.0
.INDENT 3.5
Remember to add \fB**extra_args\fP to your signature so that if we add
additional parameters in the future your code doesn\(aqt break.
.UNINDENT
.UNINDENT
.sp
See the documentation for the signals provided by the Flask\-Login and
Flask\-Principal extensions. In addition to those signals, Flask\-Security
sends the following signals.
.INDENT 0.0
.TP
.B user_authenticated
Sent when a user successfully authenticates. In addition to the app (which is the
sender), it is passed \fIuser\fP, and \fIauthn_via\fP arguments. The \fIauthn_via\fP argument
specifies how the user authenticated \- it will be a list with possible values
of \fBpassword\fP, \fBsms\fP, \fBauthenticator\fP, \fBemail\fP, \fBconfirm\fP, \fBreset\fP,
\fBregister\fP\&.
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B user_unauthenticated
Sent when a user fails to authenticate. It is sent from the \fIdefault_unauthn_handler\fP\&.
It is passed the app (which is the sender).
.INDENT 7.0
.INDENT 3.5
Added in version 5.4.0.

.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B user_registered
Sent when a user registers on the site. In addition to the app (which is the
sender), it is passed \fIuser\fP, \fIconfirm_token\fP (deprecated), \fIconfirmation_token\fP and \fIform_data\fP arguments.
\fIform_data\fP is a dictionary representation of registration form\(aqs content
received with the registration request.
.UNINDENT
.INDENT 0.0
.TP
.B user_not_registered
Sent when a user attempts to register, but is already registered. This is ONLY sent
when \fI\%SECURITY_RETURN_GENERIC_RESPONSES\fP is enabled. It is passed the
following arguments:
.INDENT 7.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fIuser\fP \- The existing user model
.IP \(bu 2
\fIexisting_email\fP \- True if attempting to register an existing email
.IP \(bu 2
\fIexisting_username\fP\- True if attempting to register an existing username
.IP \(bu 2
\fIform_data\fP \- the entire contents of the posted request form
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Added in version 5.0.0.

.UNINDENT
.INDENT 0.0
.TP
.B user_confirmed
Sent when a user is confirmed. In addition to the app (which is the
sender), it is passed a \fIuser\fP argument.
.UNINDENT
.INDENT 0.0
.TP
.B confirm_instructions_sent
Sent when a user requests confirmation instructions. In addition to the app
(which is the sender), it is passed a \fIuser\fP and \fIconfirmation_token\fP arguments.
.UNINDENT
.INDENT 0.0
.TP
.B login_instructions_sent
Sent when passwordless login is used and user logs in. In addition to the app
(which is the sender), it is passed \fIuser\fP and \fIlogin_token\fP arguments.
.UNINDENT
.INDENT 0.0
.TP
.B password_reset
Sent when a user completes a password reset. In addition to the app (which is
the sender), it is passed a \fIuser\fP argument.
.UNINDENT
.INDENT 0.0
.TP
.B password_changed
Sent when a user completes a password change. In addition to the app (which is
the sender), it is passed a \fIuser\fP argument.
.UNINDENT
.INDENT 0.0
.TP
.B reset_password_instructions_sent
Sent when a user requests a password reset. In addition to the app (which is
the sender), it is passed \fIuser\fP, \fItoken\fP (deprecated), and \fIreset_token\fP arguments.
.UNINDENT
.INDENT 0.0
.TP
.B tf_code_confirmed
Sent when a user performs two\-factor authentication login on the site. In
addition to the app (which is the sender), it is passed \fIuser\fP
and \fImethod\fP arguments.
.sp
Added in version 3.3.0.

.UNINDENT
.INDENT 0.0
.TP
.B tf_profile_changed
Sent when two\-factor is used and user logs in. In addition to the app
(which is the sender), it is passed \fIuser\fP and \fImethod\fP arguments.
.sp
Added in version 3.3.0.

.UNINDENT
.INDENT 0.0
.TP
.B tf_disabled
Sent when two\-factor is disabled. In addition to the app
(which is the sender), it is passed \fIuser\fP argument.
.sp
Added in version 3.3.0.

.UNINDENT
.INDENT 0.0
.TP
.B tf_security_token_sent
Sent when a two factor security/access code is sent. In addition to the app
(which is the sender), it is passed \fIuser\fP, \fImethod\fP, \fIlogin_token\fP and \fItoken\fP (deprecated) arguments.
.sp
Added in version 3.3.0.

.UNINDENT
.INDENT 0.0
.TP
.B us_security_token_sent
Sent when a unified sign in access code is sent. In addition to the app
(which is the sender), it is passed \fIuser\fP, \fImethod\fP, \fItoken\fP (deprecated),
\fIlogin_token\fP,
\fIphone_number\fP, and \fIsend_magic_link\fP arguments.
.sp
Added in version 3.4.0.

.UNINDENT
.INDENT 0.0
.TP
.B us_profile_changed
Sent when user completes changing their unified sign in profile. In addition to the app
(which is the sender), it is passed \fIuser\fP, \fImethods\fP, and \fIdelete\fP arguments.
\fIdelete\fP will be set to \fBTrue\fP if the user removed a sign in option.
.sp
Added in version 3.4.0.

.sp
Changed in version 5.0.0: Added delete argument and changed \fImethod\fP to \fImethods\fP which is now a list.

.UNINDENT
.INDENT 0.0
.TP
.B wan_registered
Sent when a WebAuthn credential was successfully created. In addition to the app
(which is the sender), it is passed \fIuser\fP and \fIname\fP arguments.
.sp
Added in version 5.0.0.

.UNINDENT
.INDENT 0.0
.TP
.B wan_deleted
Sent when a WebAuthn credential was deleted. In addition to the app
(which is the sender), it is passed \fIuser\fP and \fIname\fP arguments.
.sp
Added in version 5.0.0.

.UNINDENT
.SH ADDITIONAL NOTES
.SS Contributing
.sp
Contributions are welcome.  If you would like add features or fix bugs,
please review the information below.
.sp
One source of history or ideas are the \X'tty: link https://github.com/Flask-Middleware/flask-security/issues'\fI\%bug reports\fP\X'tty: link'\&.
There you can find ideas for requested features, or the remains of rejected
ideas.
.sp
If you have a \(aqbig idea\(aq \- please file an issue first so it can be discussed
prior to you spending a lot of time developing. New features need to be generally
useful \- if your feature has limited applicability, consider making a small
change that ENABLES your feature, rather than trying to get the entire feature
into Flask\-Security.
.SS Checklist
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
All new code and bug fixes need unit tests
.IP \(bu 2
If you change/add to the external API be sure to update docs/openapi.yaml
.IP \(bu 2
Additions to configuration variables and/or messages must be documented
.IP \(bu 2
Make sure any new public API methods have good docstrings, are picked up by
the api.rst document, and are exposed in __init__.py if appropriate.
.IP \(bu 2
Add appropriate info to CHANGES.rst
.UNINDENT
.UNINDENT
.UNINDENT
.SS Getting the code
.sp
The code is hosted on a GitHub repo at
\X'tty: link https://github.com/Flask-Middleware/flask-security'\fI\%https://github.com/Flask\-Middleware/flask\-security\fP\X'tty: link'\&.  To get a working environment, follow
these steps:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP 1. 4
(Optional, but recommended) Create a Python 3.6 (or greater) virtualenv to work in,
and activate it.
.IP 2. 4
.INDENT 4.0
.TP
.B Fork the repo \X'tty: link https://github.com/Flask-Middleware/flask-security'\fI\%Flask\-Security\fP\X'tty: link'
(look for the \(dqFork\(dq button).
.UNINDENT
.IP 3. 4
Clone your fork locally:
.INDENT 4.0
.INDENT 3.5
.sp
.EX
$ git clone https://github.com/<your\-username>/flask\-security
.EE
.UNINDENT
.UNINDENT
.IP 4. 4
Change directory to flask_security:
.INDENT 4.0
.INDENT 3.5
.sp
.EX
$ cd flask_security
.EE
.UNINDENT
.UNINDENT
.IP 5. 4
Install the requirements:
.INDENT 4.0
.INDENT 3.5
.sp
.EX
$ pip install \-r requirements/dev.txt
.EE
.UNINDENT
.UNINDENT
.IP 6. 4
Install pre\-commit hooks:
.INDENT 4.0
.INDENT 3.5
.sp
.EX
$ pre\-commit install
.EE
.UNINDENT
.UNINDENT
.IP 7. 4
Create a branch for local development:
.INDENT 4.0
.INDENT 3.5
.sp
.EX
$ git checkout \-b name\-of\-your\-bugfix\-or\-feature
.EE
.UNINDENT
.UNINDENT
.IP 8. 4
Develop the Feature/Bug Fix and edit
.IP 9. 4
Write Tests for your code in:
.INDENT 4.0
.INDENT 3.5
.sp
.EX
tests/
.EE
.UNINDENT
.UNINDENT
.IP 10. 4
When done, verify unit tests, syntax etc. all pass:
.INDENT 4.0
.INDENT 3.5
.sp
.EX
$ pip install \-r requirements/tests.txt
$ sphinx\-build docs docs/_build/html
$ tox \-e compile_catalog
$ pytest tests
$ pre\-commit run \-\-all\-files
.EE
.UNINDENT
.UNINDENT
.IP 11. 4
Use tox:
.INDENT 4.0
.INDENT 3.5
.sp
.EX
$ tox  # run everything CI does
$ tox \-e py38\-low  # make sure works with older dependencies
$ tox \-e style  # run pre\-commit/style checks
.EE
.UNINDENT
.UNINDENT
.IP 12. 4
When the tests are successful, commit your changes
and push your branch to GitHub:
.INDENT 4.0
.INDENT 3.5
.sp
.EX
$ git add .
$ git commit \-m \(dqYour detailed description of your changes.\(dq
$ git push origin name\-of\-your\-bugfix\-or\-feature
.EE
.UNINDENT
.UNINDENT
.IP 13. 4
Submit a pull request through the GitHub website.
.IP 14. 4
Be sure that the CI tests and coverage checks pass.
.UNINDENT
.UNINDENT
.UNINDENT
.SS Updating the Swagger API document
.sp
When making changes to the external API, you need to update the openapi.yaml
formal specification. To do this \- install the swagger editor locally:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
$ npm \-g install swagger\-editor\-dist http\-server
.EE
.UNINDENT
.UNINDENT
.sp
Then in a browser navigate to:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
file:///usr/local/lib/node_modules/swagger\-editor\-dist/index.html#
.EE
.UNINDENT
.UNINDENT
.sp
Edit \- it is a WYSIWYG editor and will show you errors. Once you save (as yaml) you
need to look at what it will render as:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
$ sphinx\-build docs docs/_build/html
$ http\-server \-p 8081
.EE
.UNINDENT
.UNINDENT
.sp
Then in your browser navigate to:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
http://localhost:8081/docs/_build/html/index.html
or
http://localhost:8081/docs/_build/html/_static/openapi_view.html
.EE
.UNINDENT
.UNINDENT
.sp
Please note that changing \fBopenapi.yaml\fP won\(aqt re\-trigger a docs build \- so you might
have to manually delete \fBdocs/_build\fP\&.
.SS Updating Translations
.sp
If you change any translatable strings (such as new messages, modified forms, etc.)
you need to re\-generate the translations:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
$ tox \-e extract_messages
$ tox \-e update_catalog
$ tox \-e compile_catalog
.EE
.UNINDENT
.UNINDENT
.SS Testing
.sp
Unit tests are critical since Flask\-Security is a piece of middleware. They also
help other contributors understand any subtleties in the code and edge conditions that
need to be handled.
.SS Datastore
.sp
By default the unit tests use an in\-memory sqlite DB to test datastores (except for
MongoDatastore which uses mongomock). While this is sufficient for most changes, changes
to the datastore layer require testing against a real DB (the CI tests test against
postgres). It is easy to run the unit tests against a real DB instance. First
of course install and start the DB locally then:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# For postgres
pytest \-\-realdburl postgresql://<user>@localhost/
# For mysql
pytest \-\-realdburl \(dqmysql+pymysql://root:<password>@localhost/\(dq
# For mongodb
pytest \-\-realmongodburl \(dqlocalhost\(dq
.EE
.UNINDENT
.UNINDENT
.SS Views
.sp
Much of Flask\-Security is concerned with form\-based views. These can be difficult to test
especially translations etc. In the tests directory is a stand\-alone Flask application
\fBview_scaffold.py\fP that can be run and you can point your browser to it and walk
through the various views.
.SS Flask\-Security Changelog
.sp
Here you can see the full list of changes between each Flask\-Security release.
.SS Version 5.4.3
.sp
Released March 23, 2024
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/950'\fI\%#950\fP\X'tty: link') Regression \- some templates no longer getting correct config (thanks pete7863).
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/954'\fI\%#954\fP\X'tty: link') CSRF not properly ignored for application forms using SECURITY_CSRF_PROTECT_MECHANISMS.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/957'\fI\%#957\fP\X'tty: link') Improve jp translations (e\-goto)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/959'\fI\%#959\fP\X'tty: link') Regression \- datetime_factory should still be an attribute (thanks TimotheeJeannin)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/942'\fI\%#942\fP\X'tty: link') GENERIC_RESPONSES hide email validation/syntax errors.
.UNINDENT
.SS Version 5.4.2
.sp
Released March 8, 2024
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/946'\fI\%#946\fP\X'tty: link') OpenAPI spec missing.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/945'\fI\%#945\fP\X'tty: link') Doc fixes (e\-goto)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/941'\fI\%#941\fP\X'tty: link') Update ES/IT translations (gissimo)
.UNINDENT
.SS Version 5.4.0 & 5.4.1
.sp
Released February 26, 2024
.sp
Among other changes, this continues the process of dis\-entangling Flask\-Security
from Flask\-Login and may require some application changes due to backwards incompatible changes.
.SS Features & Improvements
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/879'\fI\%#879\fP\X'tty: link') Work with Flask[async]. view decorators and signals support async handlers.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/900'\fI\%#900\fP\X'tty: link') CI support for python 3.12
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/901'\fI\%#901\fP\X'tty: link') Work with py_webauthn 2.0 (and only 2.0+)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/899'\fI\%#899\fP\X'tty: link') Improve (and simplify) Two\-Factor setup. See below for backwards compatability issues and new functionality.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/912'\fI\%#912\fP\X'tty: link') Improve oauth debugging support. Handle next propagation in a more general way.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/877'\fI\%#877\fP\X'tty: link') Make AnonymousUser (Flask\-Login) optional and deprecated.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/906'\fI\%#906\fP\X'tty: link') Remove undocumented and untested looking in session for possible \(aqnext\(aq
redirect location.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/881'\fI\%#881\fP\X'tty: link') No longer rely on Flask\-Login.unauthorized callback. See below for implications.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/904'\fI\%#904\fP\X'tty: link') Changes to default unauthorized handler \- remove use of referrer header (see below) and document precise behavior.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/927'\fI\%#927\fP\X'tty: link') The authentication_token format has changed \- adding per\-token expiry time and future session ID.
Old tokens are still accepted.
.UNINDENT
.SS Docs and Chores
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/889'\fI\%#889\fP\X'tty: link') Improve method translations for unified signin and two factor. Remove support for Flask\-Babelex.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/911'\fI\%#911\fP\X'tty: link') Chore \- stop setting all config as attributes. init_app(**kwargs) can only
set forms, flags, and utility classes (see below for compatibility concerns).
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/873'\fI\%#873\fP\X'tty: link') Update Spanish and Italian translations. (gissimo)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/855'\fI\%#855\fP\X'tty: link') Improve translations for two\-factor method selection. (gissimo)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/866'\fI\%#866\fP\X'tty: link') Improve German translations. (sr\-verde)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/911'\fI\%#911\fP\X'tty: link') Remove deprecation of AUTO_LOGIN_AFTER_CONFIRM \- it has a reasonable use case.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/931'\fI\%#931\fP\X'tty: link') Update message extraction \- note that the CONFIRM_REGISTRATION message was changed to improve
readability.
.UNINDENT
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/845'\fI\%#845\fP\X'tty: link') us\-signin magic link should use fs_uniquifier (not email).
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/893'\fI\%#893\fP\X'tty: link') Improve open\-redirect vulnerability mitigation. (see below)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/875'\fI\%#875\fP\X'tty: link') user_datastore.create_user has side effects on mutable inputs. (NoRePercussions)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/878'\fI\%#878\fP\X'tty: link') The long deprecated _unauthorized_callback/handler has been removed.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/884'\fI\%#884\fP\X'tty: link') Oauth re\-used POST_LOGIN_VIEW which caused confusion. See below for the new configuration and implications.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/908'\fI\%#908\fP\X'tty: link') Improve CSRF documentation and testing. Fix bug where a CSRF failure could
return an HTML page even if the request was JSON.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/925'\fI\%#925\fP\X'tty: link') Register with JSON and authentication token failed CSRF. (lilz\-egoto)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/870'\fI\%#870\fP\X'tty: link') Fix 2 issues with CSRF configuration.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/914'\fI\%#914\fP\X'tty: link') It was possible that if \fI\%SECURITY_EMAIL_VALIDATOR_ARGS\fP were set that
deliverability would be checked even for login.
.UNINDENT
.SS Backwards Compatibility Concerns
.INDENT 0.0
.IP \(bu 2
Passing in an AnonymousUser class as part of Security initialization has been removed.
.IP \(bu 2
The never\-public method _get_unauthorized_response has been removed.
.IP \(bu 2
Social\-Oauth \- a new configuration variable \fI\%SECURITY_POST_OAUTH_LOGIN_VIEW\fP was introduced
and it replaces \fI\%SECURITY_POST_LOGIN_VIEW\fP in the oauthresponse logic when
\fI\%SECURITY_REDIRECT_BEHAVIOR\fP == \fI\(dqspa\(dq\fP\&.
.IP \(bu 2
Two\-Factor setup. Prior to this release when setting up \(dqSMS\(dq the \fI/tf\-setup\fP endpoint could
be POSTed to w/o a phone number, and then another POST could be made to set the phone number.
This has always been confusing and added complexity to the code. Now, if \(dqSMS\(dq is selected, the phone number
must be supplied (which has always been supported).
Other changes:
.INDENT 2.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
The default two\-factor\-setup.html template now has a more generic \fI\(dqEnter code to complete setup\(dq\fP message.
.IP \(bu 2
Make sure the \fI\(dqdisable\(dq\fP option first.
.IP \(bu 2
Adding any currently configured two\-factor method on setup failure.
.IP \(bu 2
The two_factor_verify template won\(aqt show the rescue form if it isn\(aqt set.
.IP \(bu 2
A GET on /tf\-validate now returns the two\-factor\-validate\-form always \- before
if the client was validating a new method, it would return the two\-factor\-setup\-form
.IP \(bu 2
After successfully disabling two\-factor the client is redirected to \fI\%SECURITY_TWO_FACTOR_POST_SETUP_VIEW\fP
rather than \fI\%SECURITY_POST_LOGIN_VIEW\fP\&.
.UNINDENT
.UNINDENT
.UNINDENT
.IP \(bu 2
.INDENT 2.0
.TP
.B Bring unauthenticated handling completely into Flask\-Security:
Prior to this release, Flask\-Security\(aqs \fI\%Security.unauthn_handler()\fP \- called when
a request wasn\(aqt properly authenticated \- handled JSON requests then delegated
form responses to Flask\-Login\(aqs unauthenticated_callback. That logic has been moved
into Flask\-Security and Flask\-Login is configured to call back into Flask\-Security\(aqs
handler. While the logic is very similar the following differences might be observed:
.INDENT 7.0
.IP \(bu 2
Flask\-Login\(aqs FORCE_HOST_FOR_REDIRECTS configuration isn\(aqt honored
.IP \(bu 2
Flask\-Login\(aqs USE_SESSION_FOR_NEXT configuration isn\(aqt honored
.IP \(bu 2
The flashed message is SECURITY_MSG_UNAUTHENTICATED rather than SECURITY_MSG_LOGIN.
Furthermore SECURITY_MSG_UNAUTHENTICATED was reworded to read better.
.IP \(bu 2
Flask\-Login uses \fIurlencode\fP to encode the \fInext\fP query param \- which quotes the \(aq/\(aq character.
Werkzeug (which Flask\-Security uses to build the URL) uses \fIquote\fP
which considers \(aq/\(aq a safe character and isn\(aqt encoded.
.IP \(bu 2
The signal sent on an unauthenticated request has changed to \fI\%user_unauthenticated\fP\&.
Flask\-Login used to send a \fIuser_unauthorized\fP signal.
.UNINDENT
.UNINDENT
.IP \(bu 2
Flask\-Security no longer configures anything related to Flask\-Login\(aqs \fIfresh_login\fP logic.
This shouldn\(aqt be used \- instead use Flask\-Security\(aqs \fI\%flask_security.auth_required()\fP decorator.
.IP \(bu 2
Support for Flask\-Babelex has been removed. Please convert to Flask\-Babel.
.IP \(bu 2
JSON error response has changed due to issue with WTForms form\-level errors. When WTForms
introduced form\-level errors they added it to the form.errors response using \fINone\fP as a key.
When serializing it, it would turn into \(dqnull\(dq. However, if there is more than one error
the default settings for JSON serialization in Flask attempt to sort the keys \- which fails
with the \fINone\fP key. An issue has been filed with WTForms \- and maybe it will be changed.
Flask\-Security now changes any \fINone\fP key to \fI\(dq\(dq\fP\&.
.IP \(bu 2
The default unauthorized handler behavior has changed slightly and is now documented. The default
(\fI\%SECURITY_UNAUTHORIZED_VIEW\fP == \fBNone\fP) has not changed (a default HTTP 403 response).
The precise behavior when \fI\%SECURITY_UNAUTHORIZED_VIEW\fP was set was never documented.
The important change is that Flask\-Security no longer ever looks at the request.referrer header and
will never redirect to it. If an application needs that, it can provide a callable that can return
that or any other header.
.IP \(bu 2
Configuration variables (and other things) are no longer added as attributes on the Security instance.
For example \fIsecurity.username_enable\fP no longer exists \- this could be an issue in code or templates.
For templates, Flask places \fIconfig\fP in the Jinja context \- so rather than using an attribute, use
\fIconfig[\(dqSECURITY_USERNAME_ENABLE\(dq]\fP for the example above.
.IP \(bu 2
Open Redirect mitigation. Release 4.1.0 had a fix for \X'tty: link https://github.com/Flask-Middleware/flask-security/issues/486'\fI\%#486\fP\X'tty: link' involving a potential
open redirect. This was very low priority since the default configuration of Werkzeug (always
convert the Location header to absolute URL) rendered the vulnerability un\-exploitable. The solution at that
time was to add an optional regex looking for these bizarre URLs that from a HTTP spec perspective
are relative, but various browsers would interpret as absolute. In Werkzeug release 2.1 the
default was changed so that the Location header was allowed to be a relative URL. This made the
open redirect vulnerability much more likely to be exploitable. More recently, additional bizarre
URLs were found, as documented in \X'tty: link https://github.com/Flask-Middleware/flask-security/issues/893'\fI\%#893\fP\X'tty: link'\&. More work was done and a patch release 5.3.3
was published.  This fix utilized changing the Werkzeug default back to absolute and an updated
regex. Comments and thoughts by @gmanfuncky proposed a much better solution and that is in 5.4.
This implementation is independent of Werkzeug (and relative Location headers are again the default).
The entire regex option has been removed.
Instead, any user\-supplied path used as a redirect is parsed and quoted.
.UNINDENT
.SS Notes
.INDENT 0.0
.IP \(bu 2
Historically, the \fBcurrent_user\fP proxy (managed by Flask\-Login) always pointed to a user object.
If the user wasn\(aqt authenticated, it pointed to an AnonymousUser object. With this release,
setting \fI\%SECURITY_ANONYMOUS_USER_DISABLED\fP to \fITrue\fP will force \fBcurrent_user\fP to be set
to \fINone\fP if the requesting user isn\(aqt authenticated. It should be noted that this is in support
of a proposal by the Pallets team to remove AnonymousUser from Flask\-Login \- as well as deprecating
the \fIis_authenticated\fP property. The default behavior (\fIFalse\fP) should be the same as prior releases.
A new function \fI_fs_is_user_authenticated\fP is now part of the render_template context that
templates can use instead of \fIcurrent_user.is_authenticated\fP\&.
.UNINDENT
.SS Version 5.3.3
.sp
Released December 29, 2023
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/893'\fI\%#893\fP\X'tty: link') Once again work on open\-redirect vulnerability \- this time due to newer Werkzeug.
Addresses: CVE\-2023\-49438
.UNINDENT
.SS Version 5.3.2
.sp
Released October 23, 2023
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/859'\fI\%#859\fP\X'tty: link') Update Quickstart to show how to properly handle SQLAlchemy connections.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/861'\fI\%#861\fP\X'tty: link') Auth Token not returned from /tf\-validate. (thanks lilz\-egoto)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/864'\fI\%#864\fP\X'tty: link') Fix for latest email_validator deprecation \- bump minimum to 2.0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/865'\fI\%#865\fP\X'tty: link') Deprecate passing in the anonymous_user class (sent to Flask\-Login).
.UNINDENT
.SS Version 5.3.1
.sp
Released October 14, 2023
.sp
\fBPlease Note:\fP
.INDENT 0.0
.IP \(bu 2
If your application uses webauthn you must use pydantic < 2.0
until the issue with user_handle is resolved.
.UNINDENT
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/847'\fI\%#847\fP\X'tty: link') Compatability with Flask 3.0 (wangsha)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/829'\fI\%#829\fP\X'tty: link') Revert change in 5.3.0 that added a Referrer\-Policy header.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/826'\fI\%#826\fP\X'tty: link') Fix error in quickstart (codycollier)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/835'\fI\%#835\fP\X'tty: link') Update Armenian translations (amkrtchyan\-tmp)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/831'\fI\%#831\fP\X'tty: link') Update German translations. (sr\-verde)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/853'\fI\%#853\fP\X'tty: link') Fix \(aqnext\(aq propagation when passed as form.next (thanks cariaso)
.UNINDENT
.SS Version 5.3.0
.sp
Released July 27, 2023
.sp
This is a minor version bump due to some small backwards incompatible changes to
WebAuthn, recoverability (/reset), confirmation (/confirm) and the two factor validity feature.
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/807'\fI\%#807\fP\X'tty: link') Webauthn Updates to handling of transport.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/809'\fI\%#809\fP\X'tty: link') Fix MongoDB support by eliminating dependency on flask\-mongoengine.
Improve MongoDB quickstart.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/801'\fI\%#801\fP\X'tty: link') Fix Quickstart for SQLAlchemy with scoped session.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/806'\fI\%#806\fP\X'tty: link') Login no longer, by default, checks for email deliverability.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/791'\fI\%#791\fP\X'tty: link') Token authentication is no longer accepted on endpoints which only allow
\(aqsession\(aq as authentication\-method. (N247S)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/814'\fI\%#814\fP\X'tty: link') /reset and /confirm and GENERIC_RESPONSES and additional form args don\(aqt mix.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/281'\fI\%#281\fP\X'tty: link') Reset password can be exploited and other OWASP improvements.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/817'\fI\%#817\fP\X'tty: link') Confirmation can be exploited and other OWASP improvements.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/819'\fI\%#819\fP\X'tty: link') Convert to pyproject.toml, build, remove setup.py/.cfg.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/823'\fI\%#823\fP\X'tty: link') the tf_validity feature now ONLY sets a cookie \- and the token is no longer
returned as part of a JSON response.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/825'\fI\%#825\fP\X'tty: link') Fix login/unified signin templates to properly send CSRF token. Add more tests.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/826'\fI\%#826\fP\X'tty: link') Improve Social Oauth example code.
.UNINDENT
.SS Backwards Compatibility Concerns
.INDENT 0.0
.IP \(bu 2
To align with the W3C WebAuthn Level2 and 3 spec \- transports are now part of the registration response.
This has been changed BOTH in the server code (using webauthn data structures) as well as the sample
javascript code. If an application has their own javascript front end code \- it might need to be changed.
.IP \(bu 2
The tf_validity feature \fI\%SECURITY_TWO_FACTOR_ALWAYS_VALIDATE\fP used to set a cookie if the request was
form based, and return the token as part of a JSON response. Now, this feature is ONLY cookie based and the token
is no longer returned as part of any response.
.IP \(bu 2
Reset password was changed to adhere to OWASP recommendations and reduce possible exploitation:
.INDENT 2.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
A new email (with new token) is no longer sent upon expired token. Users must restart
the reset password process.
.IP \(bu 2
The user is no longer automatically logged in upon successful password reset. For
backwards compatibility \fI\%SECURITY_AUTO_LOGIN_AFTER_RESET\fP can be set to \fBTrue\fP\&.
Note that this compatibility feature is deprecated and will be removed in a future release.
.IP \(bu 2
Identity information (identity, email) is no longer sent as part of the URL redirect
query params.
.IP \(bu 2
The SECURITY_MSG_PASSWORD_RESET_EXPIRED message no longer contains the user\(aqs identity/email.
.IP \(bu 2
The default for \fI\%SECURITY_RESET_PASSWORD_WITHIN\fP has been changed from \fI5 days\fP to \fI1 days\fP\&.
.IP \(bu 2
The response to GET /reset/<token> sets the HTTP header \fIReferrer\-Policy\fP to \fIno\-referrer\fP as suggested
by OWASP. \fIPLEASE NOTE: this was backed out in 5.3.1\fP
.UNINDENT
.UNINDENT
.UNINDENT
.IP \(bu 2
Confirm email was changed to adhere to OWASP recommendations and reduce possible exploitation:
.INDENT 2.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
A new email (with new token) is no longer sent upon expired token. Users must restart
the confirmation process.
.IP \(bu 2
Identity information (identity, email) is no longer sent as part of the URL redirect
query params.
.IP \(bu 2
The \fI\%SECURITY_AUTO_LOGIN_AFTER_CONFIRM\fP configuration variable now defaults to \fBFalse\fP \- meaning
after a successful email confirmation, the user must still sign in using the usual mechanisms. This is to
align better with OWASP best practices. Setting it to \fBTrue\fP will restore prior behavior.
.IP \(bu 2
The SECURITY_MSG_CONFIRMATION_EXPIRED message no longer contains the user\(aqs identity/email.
.IP \(bu 2
The response to GET /reset/<token> sets the HTTP header \fIReferrer\-Policy\fP to \fIno\-referrer\fP as suggested
by OWASP. \fIPLEASE NOTE: this was backed out in 5.3.1\fP
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.SS Version 5.2.0
.sp
Released May 6, 2023
.sp
Note: Due to rapid deprecation and removal of APIs from the Pallets team,
maintaining the testing of back versions of various packages is taking too
much time and effort. In this release only current versions of the various
dependent packages are being tested.
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/764'\fI\%#764\fP\X'tty: link') Remove old Werkzeug compatibility check.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/777'\fI\%#777\fP\X'tty: link') Compatibility with Quart.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/780'\fI\%#780\fP\X'tty: link') Remove dependence on pkg_resources / setuptools (use importlib_resources package)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/792'\fI\%#792\fP\X'tty: link') Fix tests to work with latest Werkzeug/Flask. Update requirements_low to match current releases.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/792'\fI\%#792\fP\X'tty: link') Drop support for Python 3.7
.UNINDENT
.SS Known Issues
.INDENT 0.0
.IP \(bu 2
Flask\-mongoengine hasn\(aqt released in a while and currently will not work with latest Flask and Flask\-Security\-Too
(this is due to the JSONEncoder being deprecated and removed).
.UNINDENT
.SS Backwards Compatibility Concerns
.INDENT 0.0
.IP \(bu 2
The removal of pkg_resources required changing the config variable \fI\%SECURITY_I18N_DIRNAME\fP\&.
If your application modified or extended this configuration variable, a small change will be required.
.UNINDENT
.SS Version 5.1.2
.sp
Released March 12, 2023
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/771'\fI\%#771\fP\X'tty: link') Hungarian translations not working.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/769'\fI\%#769\fP\X'tty: link') Fix documentation for send_mail. (gg)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/768'\fI\%#768\fP\X'tty: link') Fix for latest mongoengine and mongomock.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/766'\fI\%#766\fP\X'tty: link') Fix inappropriate use of &thinsp& in French translations. (maxdup)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/773'\fI\%#773\fP\X'tty: link') Improve documentation around subclassing forms.
.UNINDENT
.SS Version 5.1.1
.sp
Released March 1, 2023
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/740'\fI\%#740\fP\X'tty: link') Fix 2 Flask apps in same thread with USERNAME_ENABLE set.
There was a too aggressive config check.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/739'\fI\%#739\fP\X'tty: link') Update Russian translations. (ademaro)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/743'\fI\%#743\fP\X'tty: link') Run all templates through a linter. (ademaro)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/757'\fI\%#757\fP\X'tty: link') Fix json/flask backwards compatibility hack.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/759'\fI\%#759\fP\X'tty: link') Fix quickstarts \- make sure they run using \fIflask run\fP
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/755'\fI\%#755\fP\X'tty: link') Fix unified signup when two\-factor not enabled. (sebdroid)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/763'\fI\%#763\fP\X'tty: link') Add dependency on setuptools (pkg_resources). (hroncok)
.UNINDENT
.SS Version 5.1.0
.sp
Released January 23, 2023
.SS Features
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/667'\fI\%#667\fP\X'tty: link') Expose form instantiation. See \fI\%Controlling Form Instantiation\fP\&.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/693'\fI\%#693\fP\X'tty: link') Option to encrypt recovery codes.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/716'\fI\%#716\fP\X'tty: link') Support for authentication via \(aqsocial\(aq oauth.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/721'\fI\%#721\fP\X'tty: link') Support for Python 3.11
.UNINDENT
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/678'\fI\%#678\fP\X'tty: link') Fixes for Flask\-SQLAlchemy 3.0.0. (jrast)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/680'\fI\%#680\fP\X'tty: link') Fixes for sqlalchemy 2.0.0 (jrast)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/697'\fI\%#697\fP\X'tty: link') Webauthn and Unified signin features now properly take into
account blueprint prefixes.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/699'\fI\%#699\fP\X'tty: link') Properly propagate \fI?next=/xx\fP \- the verify, webauthn, and unified
signin endpoints, that had multiple redirects, needed fixes.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/696'\fI\%#696\fP\X'tty: link') Add Hungarian translations. (xQwexx)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/701'\fI\%#701\fP\X'tty: link') Two factor redirects ignored url_prefix. Added a \fI\%SECURITY_TWO_FACTOR_ERROR_VIEW\fP
configuration option.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/704'\fI\%#704\fP\X'tty: link') Add configurations for static folder/URL and make sure templates reference
blueprint relative static folder.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/709'\fI\%#709\fP\X'tty: link') Make (some) templates look better by using single quotes instead of
double quotes.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/690'\fI\%#690\fP\X'tty: link') Send entire context to MailUtil::send_mail (patrickyan)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/728'\fI\%#728\fP\X'tty: link') Support for Flask\-Babel 3.0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/692'\fI\%#692\fP\X'tty: link') Add configuration option \fI\%SECURITY_TWO_FACTOR_POST_SETUP_VIEW\fP which
is redirected to upon successful change of a two factor method.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/733'\fI\%#733\fP\X'tty: link') The ability to pass in a LoginManager instance which was deprecated in
5.0 has been removed.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/732'\fI\%#732\fP\X'tty: link') If \fI\%SECURITY_USERNAME_REQUIRED\fP was \fBTrue\fP then users couldn\(aqt login
with just an email.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/734'\fI\%#734\fP\X'tty: link') If \fI\%SECURITY_USERNAME_ENABLE\fP is set, bleach is a requirement.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/736'\fI\%#736\fP\X'tty: link') The unauthz_handler now takes a function name, not the function!
.UNINDENT
.SS Backwards Compatibility Concerns
.INDENT 0.0
.IP \(bu 2
Each form class used to be set as an attribute on the Security object. With
the new form instantiation model, they no longer are.
.IP \(bu 2
After a successful update/change of a two\-factor method, the user was redirected to
\fI\%SECURITY_POST_LOGIN_VIEW\fP\&. Now it redirects to \fI\%SECURITY_TWO_FACTOR_POST_SETUP_VIEW\fP
which defaults to \fI\(dq.two_factor_setup\(dq\fP\&.
.IP \(bu 2
The \fI\%Security.unauthz_handler()\fP now takes a function name \- not the function \-
which never made sense.
.UNINDENT
.SS Version 5.0.2
.sp
Released September 23, 2022
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/673'\fI\%#673\fP\X'tty: link') Role permissions backwards compatibility bug. For SQL based datastores
that use Flask\-Security\(aqs models.fsqla_vx \- there should be NO issues. If you declare
your own models \- please see the 5.0.0 releases notes for required change.
.UNINDENT
.SS Version 5.0.1
.sp
Released September 6, 2022
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/662'\fI\%#662\fP\X'tty: link') Fix Change Password regression. (tysonholub)
.UNINDENT
.SS Version 5.0.0
.sp
Released August 27, 2022
.sp
\fBPLEASE READ CHANGE NOTES CAREFULLY \- THERE ARE LIKELY REQUIRED CHANGES YOU WILL HAVE TO MAKE.\fP
.SS Features
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/475'\fI\%#475\fP\X'tty: link') Support for WebAuthn.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/479'\fI\%#479\fP\X'tty: link') Support Two\-factor recovery codes.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/585'\fI\%#585\fP\X'tty: link') Provide option to prevent user enumeration (i.e. Generic Responses).
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/532'\fI\%#532\fP\X'tty: link') Support for Python 3.10.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/657'\fI\%#657\fP\X'tty: link', \X'tty: link https://github.com/Flask-Middleware/flask-security/pull/655'\fI\%#655\fP\X'tty: link') Support for Flask >= 2.2.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/540'\fI\%#540\fP\X'tty: link') Improve Templates in support of JS required by WebAuthn.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/608'\fI\%#608\fP\X'tty: link') Add Icelandic translations. (ofurkusi)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/650'\fI\%#650\fP\X'tty: link') Update German translations. (sr\-verde)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/256'\fI\%#256\fP\X'tty: link') Add custom HTML attributes to improve user experience.
This changed LoginForm quite a bit \- please see backwards compatability concerns
below. The default LoginForm and template should be the same as before.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/638'\fI\%#638\fP\X'tty: link') The JSON errors response has been unified. Please see backwards
compatibility concerns below.
.IP \(bu 2
Updated all\-inclusive data models (fsqla_v3). Add fields necessary for the new WebAuthn and
Two\-Factor recovery codes features.
Changed \fIus_phone_number\fP to be unique (but not required). Changed \fIpassword\fP to be nullable.
.UNINDENT
.SS Deprecations
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/568'\fI\%#568\fP\X'tty: link') Deprecate the old passwordless feature in favor of Unified Signin.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/568'\fI\%#568\fP\X'tty: link') Deprecate replacing login_manager so we can possibly vendor that in in the future.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/654'\fI\%#654\fP\X'tty: link') The previously deprecated methods RoleMixin.add_permissions and
RoleMixin.remove_permissions have been removed.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/657'\fI\%#657\fP\X'tty: link') The ability to pass in a json_encoder_cls as part of initialization has been removed
since Flask 2.2 has deprecated and replaced that functionality.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/655'\fI\%#655\fP\X'tty: link') Flask has deprecated @before_first_request. This was used mostly in examples/quickstart.
These have been changed to use app.app_context() prior to running the app. Flask\-Security itself used it in
2 places \- to populate \fI_\fP in jinja globals if Babel wasn\(aqt initialized and to perform
various configuration sanity checks w.r.t. WTF CSRF. All Flask\-Security templates have been converted
to use \fI_fsdomain\fP rather than \fB_\fP so Flask\-Security no longer sets \fB_\fP into jinja2 globals.
The configuration checks
have been moved to the end of Security::init_app() \- so it is now imperative that \fIFlaskWTF::CSRFProtect()\fP
be called PRIOR to initializing Flask\-Security.
.IP \(bu 2
encrypt_password method has been removed. It has been deprecated since 2.0.2
.IP \(bu 2
get_token_status has been deprecated.
.UNINDENT
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/591'\fI\%#591\fP\X'tty: link') Make the required zxcvbn complexity score configurable. (mephi42)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/531'\fI\%#531\fP\X'tty: link') Get rid of Flask\-Mail. Flask\-Mailman is now the default preferred email package.
Flask\-Mail is still supported so there should be no backwards compatability issues.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/597'\fI\%#597\fP\X'tty: link') A delete option has been added to us\-setup (form and view).
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/625'\fI\%#625\fP\X'tty: link') Improve username support \- the LoginForm now has a separate field for username if
\fBSECURITY_USERNAME_ENABLE\fP is True, and properly displays input fields only if the associated
field is an identity attribute (as specified by \fI\%SECURITY_USER_IDENTITY_ATTRIBUTES\fP).
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/627'\fI\%#627\fP\X'tty: link') Improve empty password handling. Prior, an unguessable password was set into the user
record when a user registered without a password \- now, the DB user model has been changed to
allow nullable passwords. This provides a better user experience since Flask\-Security now
knows if a user has an empty password or not. Since registering without a password is not
a mainstream feature, a new configuration variable \fI\%SECURITY_PASSWORD_REQUIRED\fP
has been added (defaults to \fBTrue\fP).
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/479'\fI\%#479\fP\X'tty: link') A new configuration option \fI\%SECURITY_TWO_FACTOR_RESCUE_EMAIL\fP has been added
that allows disabling that feature \- defaults to backwards compatible \fBTrue\fP
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/658'\fI\%#658\fP\X'tty: link') us_phone_number needs to be validated to be unique.
.UNINDENT
.SS Backward Compatibility Concerns
.sp
For unified signin:
.INDENT 0.0
.IP \(bu 2
The redirect after a successful us\-setup used to redirect to \fBSECURITY_US_POST_SETUP_VIEW\fP or
\fBSECURITY_POST_LOGIN_VIEW\fP (which would default to \(aq/\(aq). Now it just redirects to
\fBSECURITY_US_POST_SETUP_VIEW\fP which defaults back to the \fB/us\-setup\fP view.
.IP \(bu 2
The ability to authenticate using a one\-time email link was automatically setup by the system
for all users.
\(dqemail\(dq now behaves like the other unified sign in methods and must be explicitly set up \- with the
exception that if a user registers WITHOUT a password, the system will setup the one\-time email link
option \- since otherwise the user would never be able to authenticate.
.IP \(bu 2
\fB/us\-signin/send\-code\fP didn\(aqt used to check if the user account required confirmation it just sent a code
and the \fB/us\-signin\fP endpoint did the confirmation check. Now \fBsend\-code\fP does the confirmation check and
won\(aqt send a code unless the user is confirmed.
.IP \(bu 2
In \fBus\-verify\fP the \(aqcode_methods\(aq item now lists just active/setup methods that generate a code
not ALL possible methods that generate a code.
.IP \(bu 2
\fBSECURITY_US_VERIFY_SEND_CODE_URL\fP and \fBSECURITY_US_SIGNIN_SEND_CODE_URL\fP endpoints are now POST only.
.IP \(bu 2
Empty passwords were always permitted when \fBSECURITY_UNIFIED_SIGNIN\fP was enabled \- now an additional configuration
variable \fBSECURITY_PASSWORD_REQUIRED\fP must be set to False.
.IP \(bu 2
\fBSECURITY_US_VERIFY_SEND_CODE_URL\fP and \fBSECURITY_US_SIGNIN_SEND_CODE_URL\fP used to send \fBcode_sent\fP to the template.
Now they flash the \fBSECURITY_MSG_CODE_HAS_BEEN_SENT\fP message.
.IP \(bu 2
With the addition of being able to delete a previously setup up sign in method, the signal \fIus_profile_changed\fP arguments
have changed. \fImethod\fP is now \fImethods\fP and is a list, and a new argument \fIdelete\fP is True if a sign in option was deleted.
.UNINDENT
.sp
Login:
.INDENT 0.0
.IP \(bu 2
Since the beginning of time, the flask\-security login form has accepted any input in the
\(aqemail\(aq field, and used that to check if it corresponds to any field in \fBSECURITY_USER_IDENTITY_ATTRIBUTES\fP\&.
This has always been problematic and confusing \- and with the addition of HTML attributes for various
form fields \- having a field with multiple possible inputs is no longer a viable user experience.
This is no longer supported, and the LoginForm now declares the \fBemail\fP field to be of type \fBEmailField\fP
which requires a valid (after normalization) email address. The most common usage of this legacy feature was to allow
an email or username \- Flask\-Security now has core support for a \fBusername\fP option \- see \fI\%SECURITY_USERNAME_ENABLE\fP\&.
Please see \fI\%Customizing the Login Form\fP for an example of how to replicate the legacy behavior.
.IP \(bu 2
Some error messages have changed \- \fBUSER_DOES_NOT_EXIST\fP is now returned for any identity error including an empty value.
.UNINDENT
.sp
Other:
.INDENT 0.0
.IP \(bu 2
A very old piece of code in registrable, would immediately commit to the DB when a new user was created.
It is now consistent with all other views, and has the caller responsible for committing the transaction \- usually by
setting up a flask \fBafter_this_request\fP action. This could affect an application that captured the registration signal
and stored the \fBuser\fP object for later use \- this user object would likely be invalid after the request is finished.
.IP \(bu 2
Some fields have custom HTML attributes attached to them (e.g. autocomplete, type, etc). These are stored as part of the
form in the \fBrender_kw\fP attribute. This could cause some confusion if an app had its own templates and set different
attributes.
.IP \(bu 2
The keys for \(dq/tf\-rescue\(dq select options have changed to be more \(aqaction\(aq oriented:
.INDENT 2.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fIlost_device\fP \-> \fIemail\fP
.IP \(bu 2
\fIno_mail_access\fP \-> \fIhelp\fP
.UNINDENT
.UNINDENT
.UNINDENT
.IP \(bu 2
JSON error responses. \fBTHIS IS A BREAKING CHANGE\fP\&.
In earlier releases, the JSON error response could have either a \fIerror\fP key which was for rare cases
where there was a single non\-form related error, or an \fIerrors\fP key which was a a dict as defined by WTForms.
Now, the \fIerrors\fP key will contain a list of (localized) messages \- both non\-form related as well as any form related.
The key \fIfield_errors\fP will contain the dict as specified by WTForms. Please note that starting with WTForms 3.0
form\-level errors are supported and show up in the dict with the field name/key of \(dqnone\(dq. There are no changes to non\-error
related JSON responses.
.IP \(bu 2
Permissions \fBTHIS IS A BREAKING CHANGE\fP\&. The Role Model now stores permissions as a list, and requires that the underlying DB ORM map that to a supported
DB type. For SQLAlchemy, this is mapped to a comma separated string (as before). For
SQLAlchemy DBs the underlying Column type (UnicodeText) didn\(aqt change so no data migration should be required.
However, the ORM Column type did change and requires the following change to your model:
.INDENT 2.0
.INDENT 3.5
.sp
.EX
from flask_security import AsaList
from sqlalchemy.ext.mutable import MutableList
class Role(Base, RoleMixin):
    ...
    permissions = Column(MutableList.as_mutable(AsaList()), nullable=True)
    ...
.EE
.UNINDENT
.UNINDENT
.sp
If your application makes use of Flask\-Security\(aqs models.fsqla_vX classes \- no changes are required.
For Mongo, a ListField can be directly used.
.IP \(bu 2
CSRF \- As mentioned above, it is now required that \fIFlaskWTF::CSRFProtect()\fP, if used, must be called PRIOR to initializing Flask\-Security.
.IP \(bu 2
json_encoder_cls \- As mentioned above \- Flask\-Security initialization no longer accepts overriding the json_encoder class. If this is required,
update to Flask >=2.2 and implement Flask\(aqs JSONProvider interface.
.UNINDENT
.sp
For templates:
.INDENT 0.0
.IP \(bu 2
Pretty much every template was modified to replace <p> with <div class=xx> to make
styling possible and to make more complex forms more readable.
.IP \(bu 2
Many forms had places where things weren\(aqt properly localizable \- that has (hopefully) been fixed.
.IP \(bu 2
The \fBus_setup.html\fP template was modified to add ability to delete an existing set up method.
.UNINDENT
.SS DB Migration
.sp
To use the new WebAuthn feature a new table and two new columns in the User model are required.
To ease updates \- Flask\-Security will automatically create a fs_webauthn_user_handle
upon first use for existing users.
If you are using Alembic the schema migration is easy:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
op.add_column(\(aquser\(aq, sa.Column(\(aqfs_webauthn_user_handle\(aq, sa.String(length=64), nullable=True, unique=True))
.EE
.UNINDENT
.UNINDENT
.sp
If you want to allow for empty passwords as part of registration then set \fI\%SECURITY_PASSWORD_REQUIRED\fP to \fBFalse\fP\&.
In addition you need to change your DB schema to allow the \fBpassword\fP field to be nullable.
.SS Version 4.1.5
.sp
Released July 28, 2022
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/644'\fI\%#644\fP\X'tty: link') Fix test and other failures with newer Flask\-Login/Werkzeug versions.
.UNINDENT
.SS Version 4.1.4
.sp
Released April 19, 2022
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/594'\fI\%#594\fP\X'tty: link') Fix test failures with newer Flask versions.
.UNINDENT
.SS Version 4.1.3
.sp
Released March 2, 2022
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/581'\fI\%#581\fP\X'tty: link') Fix bug when attempting to disable register_blueprint. (halali)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/539'\fI\%#539\fP\X'tty: link') Fix example documentation re: generating localized messages. (kazuhei2)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/546'\fI\%#546\fP\X'tty: link') Make roles joinedload compatible with SQLAlchemy 2.0. (keats)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/586'\fI\%#586\fP\X'tty: link') Ship py.typed as part of package.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/580'\fI\%#580\fP\X'tty: link') Improve documentation around use of bleach and include in common install extra.
.UNINDENT
.SS Version 4.1.2
.sp
Released September 22, 2021
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/526'\fI\%#526\fP\X'tty: link') default_reauthn_handler doesn\(aqt honor SECURITY_URL_PREFIX
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/528'\fI\%#528\fP\X'tty: link') Improve German translations (sr\-verde)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/527'\fI\%#527\fP\X'tty: link') Fix two\-factor sample code (djpnewton)
.UNINDENT
.SS Version 4.1.1
.sp
Released September 10, 2021
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/518'\fI\%#518\fP\X'tty: link') Fix corner case where Security object was being reused in tests.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/512'\fI\%#512\fP\X'tty: link') If USERNAME_ENABLE is set, change LoginForm field from EmailField
to StringField. Also \- dynamically add fields to Login and Registration forms
rather than always having them \- this made the RegistrationForm much simpler.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/516'\fI\%#516\fP\X'tty: link') Improved username feature handling solved issue of always requiring
bleach.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/513'\fI\%#513\fP\X'tty: link') Improve documentation of default username validation.
.UNINDENT
.SS Version 4.1.0
.sp
Released July 23, 2021
.SS Features
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/474'\fI\%#474\fP\X'tty: link') Add public API and CLI command to change a user\(aqs password.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/140'\fI\%#140\fP\X'tty: link') Add type hints. Please note that many of the packages that flask\-security
depends on aren\(aqt typed yet \- so there are likely errors in some of the types.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/466'\fI\%#466\fP\X'tty: link') Add first\-class support for using username for signing in.
.UNINDENT
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/483'\fI\%#483\fP\X'tty: link') 4.0 doesn\(aqt accept 3.4 authentication tokens. (kuba\-lilz)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/490'\fI\%#490\fP\X'tty: link') Flask\-Mail sender name can be a tuple. (hrishikeshrt)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/486'\fI\%#486\fP\X'tty: link') Possible open redirect vulnerability.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/478'\fI\%#478\fP\X'tty: link') Improve/update German translation. (sr\-verde)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/488'\fI\%#488\fP\X'tty: link') Improve handling of Babel packages.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/496'\fI\%#496\fP\X'tty: link') Documentation improvements, distribution extras, fix single message
override.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/497'\fI\%#497\fP\X'tty: link') Improve cookie handling and default \fBsamesite\fP to \fBStrict\fP\&.
.UNINDENT
.SS Backwards Compatibility Concerns
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/488'\fI\%#488\fP\X'tty: link') In 4.0.0, with the addition of Flask\-Babel support, Flask\-Security enforced that
if it could import either Flask\-Babel or Flask\-BabelEx, that those modules had
been initialized as proper Flask extensions. Prior to 4.0.0, just Flask\-BabelEx
was supported \- and that didn\(aqt require any explicit initialization. Flask\-Babel
DOES require explicit initialization. However for some applications that don\(aqt
completely control their environment (such as system pre\-installed versions of
python) this caused applications that didn\(aqt even want translation services to
fail on startup. With this release, Flask\-Security still attempts to import
one or the other package \- however if those modules are NOT initialized,
Flask\-Security will simply ignore them and no translations will occur.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/497'\fI\%#497\fP\X'tty: link') The CSRF_COOKIE and TWO_FACTOR_VALIDITY cookie had their defaults
changed to set \fBsamesite=Strict\fP\&. This follows the Flask\-Security goal of
making things more secure out\-of\-the\-box.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/140'\fI\%#140\fP\X'tty: link') Type hinting. For the most part this of course has no runtime effects.
However, this required a fairly major overhaul of how Flask\-Security is initialized in
order to provide valid types for the many constructor attributes. There are no known
compatability concerns \- however initialization used to convert all arguments into kwargs
then add those as attributes and merge with application constants. That no longer happens
and it is possible that some corner cases don\(aqt behave precisely as they did before.
.UNINDENT
.SS Version 4.0.1
.sp
Released April 2, 2021
.SS Features
.SS Fixes
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/461'\fI\%#461\fP\X'tty: link') 4.0 doesn\(aqt accept 3.4 authentication tokens. (kuba\-lilz)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/460'\fI\%#460\fP\X'tty: link') 2\-fa error: Failed to send code \- improved documentation and debuggability.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/454'\fI\%#454\fP\X'tty: link') 2\-fa error: TypeError \- fixed documentation.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/443'\fI\%#443\fP\X'tty: link') Calling create user without any arguments \- fixed underlying cause
of translating form errors in the CLI.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/442'\fI\%#442\fP\X'tty: link') Email validation confusion \- added documentation.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/450'\fI\%#450\fP\X'tty: link') Add documentation on how to override specific error messages.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/439'\fI\%#439\fP\X'tty: link') Don\(aqt install global\-scope tests. (mgorny)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/470'\fI\%#470\fP\X'tty: link') Add note about updating DB using MySQL. (jugmac00)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/468'\fI\%#468\fP\X'tty: link') Fix documentation \- uia_phone_number should be uia_phone_mapper. (dvrg)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/457'\fI\%#457\fP\X'tty: link') Improve chinese translations. (zxjlm)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/453'\fI\%#453\fP\X'tty: link') Improve basque and spanish translations. (mmozos)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/448'\fI\%#448\fP\X'tty: link') Add Afrikaans translations. (lonelyvikingmichael)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/467'\fI\%#467\fP\X'tty: link') Add Blinker as explicit dependency, improve/fix celery usage docs,
dont require pyqrcode unless authenticator configured, improve SMS configuration
variables documentation.
.UNINDENT
.SS Version 4.0.0
.sp
Released January 26, 2021
.sp
\fBPLEASE READ CHANGE NOTES CAREFULLY \- THERE ARE LIKELY REQUIRED CHANGES YOU WILL HAVE TO MAKE TO EVEN START YOUR APPLICATION WITH 4.0\fP
.SS Start Here
.INDENT 0.0
.IP \(bu 2
Your UserModel must contain \fBfs_uniquifier\fP
.IP \(bu 2
Either uninstall Flask\-BabelEx (if you don\(aqt need translations) or add either Flask\-Babel (>=2.0) or Flask\-BabelEx to your
dependencies AND be sure to initialize it in your app.
.IP \(bu 2
Add Flask\-Mail to your dependencies.
.IP \(bu 2
If you have unicode emails or passwords read change notes below.
.UNINDENT
.SS Version 4.0.0rc2
.sp
Released January 18, 2021
.SS Features & Cleanup
.INDENT 0.0
.IP \(bu 2
Removal of python 2.7 and <3.6 support
.IP \(bu 2
Removal of token caching feature (a relatively new feature that had some systemic issues)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/328'\fI\%#328\fP\X'tty: link') Remove dependence on Flask\-Mail and refactor.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/335'\fI\%#335\fP\X'tty: link') Remove two\-factor \fI/tf\-confirm\fP endpoint and use generic \fIfreshness\fP mechanism.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/336'\fI\%#336\fP\X'tty: link') Remove \fBSECURITY_BACKWARDS_COMPAT_AUTH_TOKEN_INVALID(ATE)\fP\&. In addition to
not making sense \- the documentation has never been correct.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/339'\fI\%#339\fP\X'tty: link') Require \fBfs_uniquifier\fP in the UserModel and stop using/referencing the UserModel
primary key.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/349'\fI\%#349\fP\X'tty: link') Change \fBSECURITY_USER_IDENTITY_ATTRIBUTES\fP configuration variable semantics.
.IP \(bu 2
Remove (all?) requirements around having an \(aqemail\(aq column in the UserModel. API change \-
JSON SPA redirects used to always include a query param \(aqemail=xx\(aq. While that is still sent
(if and only if) the UserModel contains an \(aqemail\(aq columns, a new query param \(aqidentity\(aq is returned
which returns the value of \fI\%UserMixin.calc_username()\fP\&.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/382'\fI\%#382\fP\X'tty: link') Improvements and documentation for two\-factor authentication.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/394'\fI\%#394\fP\X'tty: link') Add support for email validation and normalization (see \fI\%MailUtil\fP).
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/231'\fI\%#231\fP\X'tty: link') Normalize unicode passwords (see \fI\%PasswordUtil\fP).
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/391'\fI\%#391\fP\X'tty: link') Option to redirect to \fI/confirm\fP if user hits an endpoint that requires
confirmation. New option \fI\%SECURITY_REQUIRES_CONFIRMATION_ERROR_VIEW\fP which if set and the user
hits the \fI/login\fP, \fI/reset\fP, or \fI/us\-signin\fP endpoint, and they require confirmation the response will be a redirect. (SnaKyEyeS)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/366'\fI\%#366\fP\X'tty: link') Allow redirects on sub\-domains. Please see \fI\%SECURITY_REDIRECT_ALLOW_SUBDOMAINS\fP\&. (willcroft)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/376'\fI\%#376\fP\X'tty: link') Have POST redirects default to Flask\(aqs \fBAPPLICATION_ROOT\fP\&. Previously the default configuration was \fB/\fP\&.
Now it first looks at Flask\(aqs \fIAPPLICATION_ROOT\fP configuration and uses that (which also by default is \fB/\fP\&. (tysonholub)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/401'\fI\%#401\fP\X'tty: link') Add 2FA Validity Window so an application can configure how often the second factor has to be entered. (baurt)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/403'\fI\%#403\fP\X'tty: link') Add HTML5 Email input types to email fields. This has some backwards compatibility concerns outlined below. (drola)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/413'\fI\%#413\fP\X'tty: link') Add hy_AM translations. (rudolfamirjanyan)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/410'\fI\%#410\fP\X'tty: link') Add Basque and fix Spanish translations. (mmozos)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/408'\fI\%#408\fP\X'tty: link') Polish translations. (kamil559)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/390'\fI\%#390\fP\X'tty: link') Update ru_RU translations. (TitaniumHocker)
.UNINDENT
.SS Fixed
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/389'\fI\%#389\fP\X'tty: link') Fixes for translations. First \- email subjects were never being translated. Second, converted
all templates to use _fsdomain(xx) rather than _(xx) so that they get translated regardless of the app\(aqs domain.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/381'\fI\%#381\fP\X'tty: link') Support Flask\-Babel 2.0 which has backported Domain support. Flask\-Security now supports
Flask\-Babel (>=2.00), Flask\-BabelEx, as well as no translation support. Please see backwards compatibility notes below.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/352'\fI\%#352\fP\X'tty: link') Fix issue with adding/deleting permissions \- all mutating methods must be at the datastore layer so that
db.put() can be called. Added \fI\%UserDatastore.add_permissions_to_role()\fP and \fI\%UserDatastore.remove_permissions_from_role()\fP\&.
The methods \fI\&.RoleMixin.add_permissions\fP and \fI\&.RoleMixin.remove_permissions\fP have been deprecated.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/395'\fI\%#395\fP\X'tty: link') Provide ability to change table names for User and Role tables in the fsqla model.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/338'\fI\%#338\fP\X'tty: link') All sessions are invalidated when a user changes or resets their password. This is accomplished by
changing the user\(aqs \fIfs_uniquifier\fP\&. The user is automatically re\-logged in (and a new session
created) after a successful change operation.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/418'\fI\%#418\fP\X'tty: link') Two\-factor (and to a lesser extent unified sign in) QRcode fetching wasn\(aqt protected via CSRF. The
fix makes things secure and simpler (always good); however read below for compatibility concerns. In addition, the elements that make up the QRcode (key, username, issuer) area also made available to the form
and returned as part of the JSON return value \- this allows for manual or other ways to initialize the authenticator
app.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/421'\fI\%#421\fP\X'tty: link') GET on \fI/login\fP and \fI/change\fP could return the callers authentication_token. This is a security
concern since GETs don\(aqt have CSRF protection. This bug was introduced in 3.3.0.
.UNINDENT
.SS Backwards Compatibility Concerns
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/328'\fI\%#328\fP\X'tty: link') Remove dependence on Flask\-Mail and refactor. The \fBsend_mail_task\fP and
\fBsend_mail\fP methods as part of Flask\-Security initialization
have been removed and replaced with a new \fI\%MailUtil\fP class.
The utility method \fI\%send_mail()\fP can still be used.
If your application didn\(aqt use either of the deprecated methods, then the only change required
is to add Flask\-Mail to your package requirements (since Flask\-Security no longer lists it).
Please see the \fI\%Emails\fP for updated examples.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/335'\fI\%#335\fP\X'tty: link') Convert two\-factor setup flow to use the freshness feature rather than
its own verify password endpoint. This COMPLETELY removes the \fB/tf\-confirm\fP endpoint
and associated form: \fBtwo_factor_verify_password_form\fP\&. Now, when /tf\-setup is invoked,
the \fI\%flask_security.check_and_update_authn_fresh()\fP is invoked, and if the current session isn\(aqt \(aqfresh\(aq
the caller will be redirected to a verify endpoint (either \fI\%SECURITY_VERIFY_URL\fP or
\fI\%SECURITY_US_VERIFY_URL\fP). The simplest change would be to call \fB/verify\fP everywhere
the application used to call \fB/tf\-confirm\fP\&.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/339'\fI\%#339\fP\X'tty: link') Require \fBfs_uniquifier\fP\&. In 3.3 the \fBfs_uniquifier\fP was added in the UserModel to fix
the slow authentication token issue. In 3.4 the \fBfs_uniquifier\fP was used to implement Flask\-Login\(aqs
\fIAlternative Token\fP feature \- thus decoupling the primary key (id) from any security context.
All along, there have been a few issues with applications not wanting to use the name \(aqid\(aq in their
model, or wanting a different type for their primary key. With this change, Flask\-Security no longer
interprets or uses the UserModel primary key \- just the \fBfs_uniquifier\fP field. See the changes section for 3.3
for information on how to do the schema and data upgrades required to add this field. There is also an API change \-
the JSON response (via UserModel.get_security_payload()) returned the \fBuser.id\fP field. With this change
the default is an empty directory \- override \fI\%UserMixin.get_security_payload()\fP to return any portion of the UserModel you need.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/349'\fI\%#349\fP\X'tty: link') \fI\%SECURITY_USER_IDENTITY_ATTRIBUTES\fP has changed syntax and semantics. It now contains
the combined information from the old \fBSECURITY_USER_IDENTITY_ATTRIBUTES\fP and the newly introduced in 3.4 \fI\%SECURITY_USER_IDENTITY_MAPPINGS\fP\&.
This enabled changing the underlying way we validate credentials in the login form and unified sign in form.
In prior releases we simply tried to look up the form value as the PK of the UserModel \- this often failed and then
looped through the other \fBSECURITY_USER_IDENTITY_ATTRIBUTES\fP\&. This had a history of issues, including many applications not
wanting to have a standard PK for the user model. Now, using the mapping configuration, the UserModel attribute/column the input
corresponds to is determined, then the UserModel is queried specifically for that \fIattribute:value\fP pair. If you application
didn\(aqt change the variable, no modifications are required.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/354'\fI\%#354\fP\X'tty: link') The \fI\%flask_security.PhoneUtil\fP is now initialized as part of Flask\-Security initialization rather than
\fB@app.before_first_request\fP (since that broke the CLI). Since it isn\(aqt called in an application context, the \fIapp\fP being initialized is
passed as an argument to \fI__init__\fP\&.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/381'\fI\%#381\fP\X'tty: link') When using Flask\-Babel (>= 2.0) it is required that the application initialize Flask\-Babel (e.g. Babel(app)).
Flask\-BabelEx would self\-initialize so it didn\(aqt matter. Flask\-Security will throw a run time error upon first request if Flask\-Babel
OR FLask\-BabelEx
is installed, but not initialized. Also, Flask\-Security no longer has a dependency on either Flask\-Babel or Flask\-BabelEx \- if neither
are installed, it falls back to a dummy translation. \fIIf your application expects translation services, it must specify the appropriate\fP
\fIdependency AND initialize it.\fP
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/394'\fI\%#394\fP\X'tty: link') Email input is now normalized prior to being stored in the DB. Previously, it was validated, but the raw input
was stored. Normalization and validation rely on the \X'tty: link https://pypi.org/project/email-validator/'\fI\%email_validator\fP\X'tty: link' package.
The \fI\%MailUtil\fP class provides the interface for normalization and validation \- allowing all this to be customized.
If you have unicode local or domain parts \- existing users may have difficulties logging in. Administratively you need to
read each user record, normalize the email (see \fI\%MailUtil\fP), and write it back.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/381'\fI\%#381\fP\X'tty: link') Passwords are now, by default, normalized using Python\(aqs unicodedata.normalize() method.
The \fI\%SECURITY_PASSWORD_NORMALIZE_FORM\fP defaults to \(dqNKFD\(dq. This brings Flask\-Security
in line with the NIST recommendations outlined in \X'tty: link https://pages.nist.gov/800-63-3/sp800-63b.html#sec5'\fI\%Memorized Secret Verifiers\fP\X'tty: link'
If your users have unicode passwords
they may have difficulty authenticating. You can turn off this normalization or have your users reset their passwords.
Password normalization and validation has been encapsulated in a new \fI\%PasswordUtil\fP class. This replaces
the method \fBpassword_validator\fP introduced in 3.4.0.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/403'\fI\%#403\fP\X'tty: link') By default all forms that have an email as input now use the wtforms html5 \fBEmailField\fP\&. For most applications this will
make the user experience slightly nicer \- especially for mobile devices. Some applications use the email form field for other
identity attributes (such as username). If your application does this you will probably need to subclass \fBLoginForm\fP and change
the email type back to StringField.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/338'\fI\%#338\fP\X'tty: link') By default, both passwords and authentication tokens use the same attribute \fBfs_uniquifier\fP to
uniquely identify the user. This means that if the user changes or resets their password, all authentication tokens
also become invalid. This could be viewed as a feature or a bug. If this behavior isn\(aqt desired, add another
uniquifier: \fBfs_token_uniquifier\fP to your UserModel and that will be used to generate authentication tokens.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/418'\fI\%#418\fP\X'tty: link') Fix CSRF vulnerability w.r.t. getting QRcodes. Both two\-factor and unified\-signup had a separate
GET endpoint to fetch the QRcode when setting up an authenticator app. GETS don\(aqt have any CSRF protection. Both
of those endpoints have been completely removed, and the QRcode is embedded in a successful POST of the setup form.
The changes to the templates are minimal and of course if you didn\(aqt override the template \- there is no
compatibility concern.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/421'\fI\%#421\fP\X'tty: link') Fix CSRF vulnerability on \fI/login\fP and \fI/change\fP that could return the callers authentication token.
Now, callers can only get the authentication token on successful POST calls.
.UNINDENT
.SS Version 3.4.5
.sp
Released January 8, 2021
.sp
Security Vulnerability Fix.
.sp
Two CSRF vulnerabilities were reported: \X'tty: link https://github.com/Flask-Middleware/flask-security/issues/418'\fI\%qrcode\fP\X'tty: link' and \X'tty: link https://github.com/Flask-Middleware/flask-security/issues/421'\fI\%login\fP\X'tty: link'\&. This release
fixes the more severe of the 2 \- the \fI/login\fP vulnerability. The QRcode issue
has a much smaller risk profile since a) it is only for two\-factor authentication
using an authenticator app b) the qrcode is only available during the time
the user is first setting up their authentication app.
The QRcode issue has been fixed in 4.0.
.SS Fixed
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/421'\fI\%#421\fP\X'tty: link') GET on \fI/login\fP and \fI/change\fP could return the callers authentication_token. This is a security
concern since GETs don\(aqt have CSRF protection. This bug was introduced in 3.3.0.
.UNINDENT
.SS Backwards Compatibility Concerns
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/421'\fI\%#421\fP\X'tty: link') Fix CSRF vulnerability on \fI/login\fP and \fI/change\fP that could return the callers authentication token.
Now, callers can only get the authentication token on successful POST calls.
.UNINDENT
.SS Version 3.4.4
.sp
Released July 27, 2020
.sp
Bug/regression fixes.
.SS Fixed
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/359'\fI\%#359\fP\X'tty: link') Basic Auth broken. When the unauthenticated handler was changed to provide a more
uniform/consistent response \- it broke using Basic Auth from a browser, since it always redirected rather than
returning 401. Now, if the response headers contain  \fBWWW\-Authenticate\fP
(which is set if \fBbasic\fP @auth_required method is used), a 401 is returned. See below
for backwards compatibility concerns.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/362'\fI\%#362\fP\X'tty: link') As part of figuring out issue 359 \- a redirect loop was found. In release 3.3.0 code was put
in to redirect to \fI\%SECURITY_POST_LOGIN_VIEW\fP when GET or POST was called and the caller was already authenticated. The
method used would honor the request \fBnext\fP query parameter. This could cause redirect loops. The pre\-3.3.0 behavior
of redirecting to \fI\%SECURITY_POST_LOGIN_VIEW\fP and ignoring the \fBnext\fP parameter has been restored.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/347'\fI\%#347\fP\X'tty: link') Fix peewee. Turns out \- due to lack of unit tests \- peewee hasn\(aqt worked since
\(aqpermissions\(aq were added in 3.3. Furthermore, changes in 3.4 around get_id and alternative tokens also
didn\(aqt work since peewee defines its own \fIget_id\fP method.
.UNINDENT
.SS Compatibility Concerns
.sp
In 3.3.0, \fI\%flask_security.auth_required()\fP was changed to add a default argument if none was given. The default
include all current methods \- \fBsession\fP, \fBtoken\fP, and \fBbasic\fP\&. However \fBbasic\fP really isn\(aqt like the others
and requires that we send back a \fBWWW\-Authenticate\fP header if authentication fails (and return a 401 and not redirect).
\fBbasic\fP has been removed from the default set and must once again be explicitly requested.
.SS Version 3.4.3
.sp
Released June 12, 2020
.sp
Minor fixes for a regression and a couple other minor changes
.SS Fixed
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/340'\fI\%#340\fP\X'tty: link') Fix regression where tf_phone_number was required, even if SMS wasn\(aqt configured.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/342'\fI\%#342\fP\X'tty: link') Pick up some small documentation fixes from 4.0.0.
.UNINDENT
.SS Version 3.4.2
.sp
Released May 2, 2020
.sp
Only change is to move repo to the Flask\-Middleware github organization.
.SS Version 3.4.1
.sp
Released April 22, 2020
.sp
Fix a bunch of bugs in new unified sign in along with a couple other major issues.
.SS Fixed
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/298'\fI\%#298\fP\X'tty: link') Alternative ID feature ran afoul of postgres/psycopg2 finickiness.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/300'\fI\%#300\fP\X'tty: link') JSON 401 responses had WWW\-Authenticate Header attached \- that caused
browsers to pop up their own login/password form. Not what applications want.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/280'\fI\%#280\fP\X'tty: link') Allow admin/api to setup TFA (and unified sign in) out of band.
Please see \fI\%UserDatastore.tf_set()\fP, \fI\%UserDatastore.tf_reset()\fP,
\fI\%UserDatastore.us_set()\fP, \fI\%UserDatastore.us_reset()\fP and
\fI\%UserDatastore.reset_user_access()\fP\&.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/305'\fI\%#305\fP\X'tty: link') We used form._errors which wasn\(aqt very pythonic, and it was
removed in WTForms 2.3.0.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/310'\fI\%#310\fP\X'tty: link') WTForms 2.3.0 made email_validator optional \- we need it.
.UNINDENT
.SS Version 3.4.0
.sp
Released March 31, 2020
.SS Features
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/257'\fI\%#257\fP\X'tty: link') Support a unified sign in feature. Please see \fI\%Unified Sign In\fP\&.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/265'\fI\%#265\fP\X'tty: link') Add phone number validation class. This is used in both unified sign in
as well as two\-factor when using \fBsms\fP\&.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/274'\fI\%#274\fP\X'tty: link') Add support for \(aqfreshness\(aq of caller\(aqs authentication. This permits endpoints
to be additionally protected by ensuring a recent authentication.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/99'\fI\%#99\fP\X'tty: link', \X'tty: link https://github.com/Flask-Middleware/flask-security/issues/195'\fI\%#195\fP\X'tty: link') Support pluggable password validators. Provide a default
validator that offers complexity and breached support.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/266'\fI\%#266\fP\X'tty: link') Provide interface to two\-factor send_token so that applications
can provide error mitigation. Defaults to returning errors if can\(aqt send the verification code.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/247'\fI\%#247\fP\X'tty: link') Updated all\-inclusive data models (fsqlaV2). Add fields necessary for the new unified sign in feature
and changed \(aqusername\(aq to be unique (but not required).
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/245'\fI\%#245\fP\X'tty: link') Use fs_uniquifier as the default Flask\-Login \(aqalternative token\(aq. Basically
this means that changing the fs_uniquifier will cause outstanding auth tokens, session and remember me
cookies to be invalidated. So if an account gets compromised, an admin can easily stop access. Prior to this
cookies were storing the \(aqid\(aq which is the user\(aqs primary key \- difficult to change! (kishi85)
.UNINDENT
.SS Fixed
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/273'\fI\%#273\fP\X'tty: link') Don\(aqt allow reset password for accounts that are disabled.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/282'\fI\%#282\fP\X'tty: link') Add configuration that disallows GET for logout. Allowing GET can
cause some denial of service issues. The default still allows GET for backwards
compatibility. (kantorii)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/258'\fI\%#258\fP\X'tty: link') Reset password wasn\(aqt integrated into the two\-factor feature and therefore
two\-factor auth could be bypassed.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/254'\fI\%#254\fP\X'tty: link') Allow lists and sets as underlying permissions. (pffs)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/251'\fI\%#251\fP\X'tty: link') Allow a registration form to have additional fields that aren\(aqt part of the user model
that are just passed to the user_registered.send signal, where the application can perform arbitrary
additional actions required during registration. (kuba\-lilz)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/249'\fI\%#249\fP\X'tty: link') Add configuration to disable the \(aqrole\-joining\(aq optimization for SQLAlchemy. (pffs)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/238'\fI\%#238\fP\X'tty: link') Fix more issues with atomically setting the new TOTP secret when setting up two\-factor. (kishi85)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/240'\fI\%#240\fP\X'tty: link') Fix Quart Compatibility. (ristellise)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/232'\fI\%#232\fP\X'tty: link') CSRF Cookie not being set when using \(aqRemember Me\(aq cookie to re\-sign in. (kishi85)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/229'\fI\%#229\fP\X'tty: link') Two\-factor enabled accounts didn\(aqt work with the Remember Me feature. (kishi85)
.UNINDENT
.sp
As part of adding unified sign in, there were many similarities with two\-factor.
Some refactoring was done to unify naming, configuration variables etc.
It should all be backwards compatible.
.INDENT 0.0
.IP \(bu 2
In TWO_FACTOR_ENABLED_METHODS \(dqmail\(dq was changed to \(dqemail\(dq. \(dqmail\(dq will still
be honored if already stored in DB. Also \(dqgoogle_authenticator\(dq is now just \(dqauthenticator\(dq.
.IP \(bu 2
TWO_FACTOR_SECRET, TWO_FACTOR_URI_SERVICE_NAME, TWO_FACTOR_SMS_SERVICE, and TWO_FACTOR_SMS_SERVICE_CONFIG
have all been deprecated in favor of names that are the same for two\-factor and unified sign in.
.UNINDENT
.sp
Other changes with possible backwards compatibility issues:
.INDENT 0.0
.IP \(bu 2
\fB/tf\-setup\fP never did any phone number validation. Now it does.
.IP \(bu 2
\fBtwo_factor_setup.html\fP template \- the chosen_method check was changed to \fBemail\fP\&.
If you have your own custom template \- be sure make that change.
.UNINDENT
.SS Version 3.3.3
.sp
Released February 11, 2020
.sp
Minor changes required to work with latest released Werkzeug and Flask\-Login.
.SS Version 3.3.2
.sp
Released December 7, 2019
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/215'\fI\%#215\fP\X'tty: link') Fixed 2FA totp secret regeneration bug (kishi85)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/172'\fI\%#172\fP\X'tty: link') Fixed \(aqnext\(aq redirect error in login view
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/221'\fI\%#221\fP\X'tty: link') Fixed regressions in login view when already authenticated user
again does a GET or POST.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/219'\fI\%#219\fP\X'tty: link') Added example code for unit testing FS protected routes.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/223'\fI\%#223\fP\X'tty: link') Integrated two\-factor auth into registration and confirmation.
.UNINDENT
.sp
Thanks to kuba\-lilz and kishi85 for finding and providing detailed issue reports.
.sp
In Flask\-Security 3.3.0 the login view was changed to allow already authenticated
users to access the view. Prior to 3.3.0, the login view was protected with
@anonymous_user_required \- so any access (via GET or POST) would simply redirect
the user to the \fBPOST_LOGIN_VIEW\fP\&. With the 3.3.0 changes, both GET and POST
behaved oddly. GET simply returned the login template, and POST attempted to
log out the current user, and log in the new user. This was problematic since
this couldn\(aqt possibly work with CSRF.
The old behavior has been restored, with the subtle change that older Flask\-Security
releases did not look at \(dqnext\(dq in the form or request for the redirect,
and now, all redirects from the login view will honor \(dqnext\(dq.
.SS Version 3.3.1
.sp
Released November 16, 2019
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/197'\fI\%#197\fP\X'tty: link') Add \X'tty: link https://gitlab.com/pgjones/quart/'\fI\%Quart\fP\X'tty: link' compatibility (Ristellise)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/194'\fI\%#194\fP\X'tty: link') Add Python 3.8 support into CI (jdevera)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/196'\fI\%#196\fP\X'tty: link') Improve docs around Single Page Applications and React (acidjunk)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/201'\fI\%#201\fP\X'tty: link') fsqla model was added to __init__.py making Sqlalchemy a required package.
That is wrong and has been removed. Applications must now explicitly import from \fBflask_security.models\fP
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/204'\fI\%#204\fP\X'tty: link') Fix/improve examples and quickstart to show one MUST call hash_password() when
creating users programmatically. Also show real SECRET_KEYs and PASSWORD_SALTs and how to generate them.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/209'\fI\%#209\fP\X'tty: link') Add argon2 as an allowable password hash.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/210'\fI\%#210\fP\X'tty: link') Improve integration with Flask\-Admin. Actually \- this PR improves localization support
by adding a method \fB_fsdomain\fP to jinja2\(aqs global environment. Added documentation
around localization.
.UNINDENT
.SS Version 3.3.0
.sp
Released September 26, 2019
.sp
\fBThere are several default behavior changes that might break existing applications.
Most have configuration variables that restore prior behavior\fP\&.
.sp
\fBIf you use Authentication Tokens (rather than session cookies) you MUST make a (small) change.
Please see below for details.\fP
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/120'\fI\%#120\fP\X'tty: link') Native support for Permissions as part of Roles. Endpoints can be
protected via permissions that are evaluated based on role(s) that the user has.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/126'\fI\%#126\fP\X'tty: link', \X'tty: link https://github.com/Flask-Middleware/flask-security/issues/93'\fI\%#93\fP\X'tty: link', \X'tty: link https://github.com/Flask-Middleware/flask-security/issues/96'\fI\%#96\fP\X'tty: link') Revamp entire CSRF handling. This adds support for Single Page Applications
and having CSRF protection for browser(session) authentication but ignored for
token based authentication. Add extensive documentation about all the options.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/156'\fI\%#156\fP\X'tty: link') Token authentication is slow. Please see below for details on how to enable a new, fast implementation.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/130'\fI\%#130\fP\X'tty: link') Enable applications to provide their own \fI\%render_json()\fP method so that they can create
unified API responses.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/121'\fI\%#121\fP\X'tty: link') Unauthorized callback not quite right. Split into 2 different callbacks \- one for
unauthorized and one for unauthenticated. Made default unauthenticated handler use Flask\-Login\(aqs unauthenticated
method to make everything uniform. Extensive documentation added. \fI\&.Security.unauthorized_callback\fP has been deprecated.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/120'\fI\%#120\fP\X'tty: link') Add complete User and Role model mixins that support all features. Modify tests and Quickstart documentation
to show how to use these. Please see \fI\%Responses\fP for details.
.IP \(bu 2
Improve documentation for \fI\%UserDatastore.create_user()\fP to make clear that hashed password
should be passed in.
.IP \(bu 2
Improve documentation for \fI\%UserDatastore\fP and \fI\%verify_and_update_password()\fP
to make clear that caller must commit changes to DB if using a session based datastore.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/122'\fI\%#122\fP\X'tty: link') Clarify when to use \fBconfirm_register_form\fP rather than \fBregister_form\fP\&.
.IP \(bu 2
Fix bug in 2FA that didn\(aqt commit DB after using \fIverify_and_update_password\fP\&.
.IP \(bu 2
Fix bug(s) in UserDatastore where changes to user \fBactive\fP flag weren\(aqt being added to DB.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/127'\fI\%#127\fP\X'tty: link') JSON response was failing due to LazyStrings in error response.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/117'\fI\%#117\fP\X'tty: link') Making a user inactive should stop all access immediately.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/134'\fI\%#134\fP\X'tty: link') Confirmation token can no longer be reused. Added
\fISECURITY_AUTO_LOGIN_AFTER_CONFIRM\fP option for applications that don\(aqt want the user
to be automatically logged in after confirmation (defaults to True \- existing behavior).
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/159'\fI\%#159\fP\X'tty: link') The \fB/register\fP endpoint returned the Authentication Token even though
confirmation was required. This was a huge security hole \- it has been fixed.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/160'\fI\%#160\fP\X'tty: link') The 2FA totp_secret would be regenerated upon submission, making QRCode not work. (malware\-watch)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/166'\fI\%#166\fP\X'tty: link') \fIdefault_render_json\fP uses \fBflask.make_response\fP and forces the Content\-Type to JSON for generating the response (koekie)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/166'\fI\%#166\fP\X'tty: link') \fISECURITY_MSG_UNAUTHENTICATED\fP added to the configuration.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/168'\fI\%#168\fP\X'tty: link') When using the @auth_required or @auth_token_required decorators, the token
would be verified twice, and the DB would be queried twice for the user. Given how slow
token verification is \- this was a significant issue. That has been fixed.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/84'\fI\%#84\fP\X'tty: link') The \fI\%anonymous_user_required()\fP was not JSON friendly \- always
performing a redirect. Now, if the request \(aqwants\(aq a JSON response \- it will receive a 400 with an error
message defined by \fISECURITY_MSG_ANONYMOUS_USER_REQUIRED\fP\&.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/145'\fI\%#145\fP\X'tty: link') Improve 2FA templates to that they can be localized. (taavie)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/173'\fI\%#173\fP\X'tty: link') \fISECURITY_UNAUTHORIZED_VIEW\fP didn\(aqt accept a url (just an endpoint). All other view
configurations did. That has been fixed.
.UNINDENT
.SS Possible compatibility issues
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/164'\fI\%#164\fP\X'tty: link') In prior releases, the Authentication Token was returned as part of the JSON response to each
successful call to \fI/login\fP, \fI/change\fP, or \fI/reset/{token}\fP API call. This is not a great idea since
for browser\-based UIs that used JSON request/response, and used session based authentication \- they would
be sent this token \- even though it was likely ignored. Since these tokens by default have no expiration time
this exposed a needless security hole. The new default behavior is to ONLY return the Authentication Token from those APIs
if the query param \fBinclude_auth_token\fP is added to the request. Prior behavior can be restored by setting
the \fISECURITY_BACKWARDS_COMPAT_AUTH_TOKEN\fP configuration variable.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/120'\fI\%#120\fP\X'tty: link') \fI\%RoleMixin\fP now has a method \fI\%get_permissions()\fP which is called as part
each request to add Permissions to the authenticated user. It checks if the RoleModel
has a property \fBpermissions\fP and assumes it is a comma separated string of permissions.
If your model already has such a property this will likely fail. You need to override \fI\%get_permissions()\fP
and simply return an emtpy set.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/121'\fI\%#121\fP\X'tty: link') Changes the default (failure) behavior for views protected with @auth_required, @token_auth_required,
or @http_auth_required. Before, a 401 was returned with some stock html. Now, Flask\-Login.unauthorized() is
called (the same as @login_required does) \- which by default redirects to a login page/view. If you had provided your own
\fI\&.Security.unauthorized_callback\fP there are no changes \- that will still be called first. The old default
behavior can be restored by setting \fISECURITY_BACKWARDS_COMPAT_UNAUTHN\fP to True. Please see \fI\%Responses\fP for details.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/127'\fI\%#127\fP\X'tty: link') Fix for LazyStrings in json error response. The fix for this has Flask\-Security registering
its own JsonEncoder on its blueprint. If you registered your own JsonEncoder for your app \- it will no
longer be called when serializing responses to Flask\-Security endpoints. You can register your JsonEncoder
on Flask\-Security\(aqs blueprint by sending it as \fIjson_encoder_cls\fP as part of initialization. Be aware that your
JsonEncoder needs to handle LazyStrings (see speaklater).
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/84'\fI\%#84\fP\X'tty: link') Prior to this fix \- anytime the decorator \fI\%anonymous_user_required()\fP failed, it caused a redirect to
the post_login_view. Now, if the caller wanted a JSON response, it will return a 400.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/156'\fI\%#156\fP\X'tty: link') Faster Authentication Token introduced the following non\-backwards compatible behavior change:
.INDENT 2.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
Since the old Authentication Token algorithm used the (hashed) user\(aqs password, those tokens would be invalidated
whenever the user changed their password. This is not likely to be what most users expect. Since the new
Authentication Token algorithm doesn\(aqt refer to the user\(aqs password, changing the user\(aqs password won\(aqt invalidate
outstanding Authentication Tokens. The method \fI\%UserDatastore.set_uniquifier()\fP can be used by an administrator
to change a user\(aqs \fBfs_uniquifier\fP \- but nothing the user themselves can do to invalidate their Authentication Tokens.
Setting the \fISECURITY_BACKWARDS_COMPAT_AUTH_TOKEN_INVALIDATE\fP configuration variable will cause the user\(aqs \fBfs_uniquifier\fP to
be changed when they change their password, thus restoring prior behavior.
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.SS New fast authentication token implementation
.sp
Current auth tokens are slow because they use the user\(aqs password (hashed) as a uniquifier (the
user id isn\(aqt really enough since it might be reused). This requires checking the (hashed) password against
what is in the token on EVERY request \- however hashing is (on purpose) slow. So this can add almost a whole second
to every request.
.sp
To solve this, a new attribute in the User model was added \- \fBfs_uniquifier\fP\&. If this is present in your
User model, then it will be used instead of the password for ensuring the token corresponds to the correct user.
This is very fast. If that attribute is NOT present \- then the behavior falls back to the existing (slow) method.
.SS DB Migration
.sp
To use the new UserModel mixins or to add the column \fBuser.fs_uniquifier\fP to speed up token
authentication, a schema AND data migration needs to happen. If you are using Alembic the schema migration is
easy \- but you need to add \fBfs_uniquifier\fP values to all your existing data. You can
add code like this to your migrations::update method:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# be sure to MODIFY this line to make nullable=True:
op.add_column(\(aquser\(aq, sa.Column(\(aqfs_uniquifier\(aq, sa.String(length=64), nullable=True))

# update existing rows with unique fs_uniquifier
import uuid
user_table = sa.Table(\(aquser\(aq, sa.MetaData(), sa.Column(\(aqid\(aq, sa.Integer, primary_key=True),
                      sa.Column(\(aqfs_uniquifier\(aq, sa.String))
conn = op.get_bind()
for row in conn.execute(sa.select([user_table.c.id])):
    conn.execute(user_table.update().values(fs_uniquifier=uuid.uuid4().hex).where(user_table.c.id == row[\(aqid\(aq]))

# finally \- set nullable to false
op.alter_column(\(aquser\(aq, \(aqfs_uniquifier\(aq, nullable=False)

# for MySQL the previous line has to be replaced with...
# op.alter_column(\(aquser\(aq, \(aqfs_uniquifier\(aq, existing_type=sa.String(length=64), nullable=False)
.EE
.UNINDENT
.UNINDENT
.SS Version 3.2.0
.sp
Released June 26th 2019
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/80'\fI\%#80\fP\X'tty: link') Support caching of authentication token (eregnier \X'tty: link https://github.com/mattupstate/flask-security/pull/839'\fI\%opr #839\fP\X'tty: link').
This adds a new configuration variable \fISECURITY_USE_VERIFY_PASSWORD_CACHE\fP
which enables a cache (with configurable TTL) for authentication tokens.
This is a big performance boost for those accessing Flask\-Security via token
as opposed to session.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/81'\fI\%#81\fP\X'tty: link') Support for JSON/Single\-Page\-Application. This completes support
for non\-form based access to Flask\-Security. See PR for details. (jwag956)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/79'\fI\%#79\fP\X'tty: link' Add POST logout to enhance JSON usage (jwag956).
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/73'\fI\%#73\fP\X'tty: link') Fix get_user for various DBs (jwag956).
This is a more complete fix than in opr #633.
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/78'\fI\%#78\fP\X'tty: link', \X'tty: link https://github.com/Flask-Middleware/flask-security/pull/103'\fI\%#103\fP\X'tty: link') Add formal openapi API spec (jwag956).
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/86'\fI\%#86\fP\X'tty: link', \X'tty: link https://github.com/Flask-Middleware/flask-security/pull/94'\fI\%#94\fP\X'tty: link', \X'tty: link https://github.com/Flask-Middleware/flask-security/pull/98'\fI\%#98\fP\X'tty: link', \X'tty: link https://github.com/Flask-Middleware/flask-security/pull/101'\fI\%#101\fP\X'tty: link', \X'tty: link https://github.com/Flask-Middleware/flask-security/pull/104'\fI\%#104\fP\X'tty: link') Add Two\-factor authentication (opr #842) (baurt, jwag956).
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/108'\fI\%#108\fP\X'tty: link') Fix form field label translations (jwag956)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/115'\fI\%#115\fP\X'tty: link') Fix form error message translations (upstream #801) (jwag956)
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/issues/87'\fI\%#87\fP\X'tty: link') Convert entire repo to Black (baurt)
.UNINDENT
.SS Version 3.1.0
.sp
Released never
.INDENT 0.0
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/53'\fI\%#53\fP\X'tty: link') Use Security.render_template in mails too (noirbizarre \X'tty: link https://github.com/mattupstate/flask-security/pull/487'\fI\%opr #487\fP\X'tty: link')
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/56'\fI\%#56\fP\X'tty: link') Optimize DB accesses by using an SQL JOIN when retrieving a user. (nfvs \X'tty: link https://github.com/mattupstate/flask-security/pull/679'\fI\%opr #679\fP\X'tty: link')
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/57'\fI\%#57\fP\X'tty: link') Add base template to security templates (grihabor \X'tty: link https://github.com/mattupstate/flask-security/pull/697'\fI\%opr #697\fP\X'tty: link')
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/73'\fI\%#73\fP\X'tty: link') datastore: get user by numeric identity attribute (jirikuncar \X'tty: link https://github.com/mattupstate/flask-security/pull/633'\fI\%opr #633\fP\X'tty: link')
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/58'\fI\%#58\fP\X'tty: link') bugfix: support application factory pattern (briancappello \X'tty: link https://github.com/mattupstate/flask-security/pull/703'\fI\%opr #703\fP\X'tty: link')
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/60'\fI\%#60\fP\X'tty: link') Make SECURITY_PASSWORD_SINGLE_HASH a list of scheme ignoring double hash (noirbizarre \X'tty: link https://github.com/mattupstate/flask-security/pull/714'\fI\%opr #714\fP\X'tty: link')
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/61'\fI\%#61\fP\X'tty: link') Allow custom login_manager to be passed in to Flask\-Security (jaza \X'tty: link https://github.com/mattupstate/flask-security/pull/717'\fI\%opr #717\fP\X'tty: link')
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/62'\fI\%#62\fP\X'tty: link') Docs for OAauth2\-based custom login manager (jaza \X'tty: link https://github.com/mattupstate/flask-security/pull/727'\fI\%opr #727\fP\X'tty: link')
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/63'\fI\%#63\fP\X'tty: link') core: make the User model check the password (mklassen \X'tty: link https://github.com/mattupstate/flask-security/pull/779'\fI\%opr #779\fP\X'tty: link')
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/64'\fI\%#64\fP\X'tty: link') Customizable send_mail (abulte \X'tty: link https://github.com/mattupstate/flask-security/pull/730'\fI\%opr #730\fP\X'tty: link')
.IP \(bu 2
(\X'tty: link https://github.com/Flask-Middleware/flask-security/pull/68'\fI\%#68\fP\X'tty: link') core: fix default for UNAUTHORIZED_VIEW (jirijunkar \X'tty: link https://github.com/mattupstate/flask-security/pull/726'\fI\%opr #726\fP\X'tty: link')
.UNINDENT
.sp
These should all be backwards compatible.
.sp
Possible compatibility issues:
.INDENT 0.0
.IP \(bu 2
#487 \- prior to this, render_template() was overridable for views, but not
emails. If anyone actually relied on this behavior, this has changed.
.IP \(bu 2
#703 \- get factory pattern working again. There was a very complex dance between
Security() instantiation and init_app regarding kwargs. This has been rationalized (hopefully).
.IP \(bu 2
#679 \- SqlAlchemy SQL improvement. It is possible you will get the following error:
.INDENT 2.0
.INDENT 3.5
.sp
.EX
Got exception during processing: <class \(aqsqlalchemy.exc.InvalidRequestError\(aq> \-
\(aqUser.roles\(aq does not support object population \- eager loading cannot be applied.
.EE
.UNINDENT
.UNINDENT
.sp
This is likely solvable by removing \fBlazy=\(aqdynamic\(aq\fP from your Role definition.
.UNINDENT
.sp
Performance improvements:
.INDENT 0.0
.IP \(bu 2
#679 \- for sqlalchemy, for each request, there would be 2 DB accesses \- now
there is one.
.UNINDENT
.sp
Testing:
For datastores operations, Sqlalchemy, peewee, pony were all tested against sqlite,
postgres, and mysql real databases.
.SS Version 3.0.2
.sp
Released April 30th 2019
.INDENT 0.0
.IP \(bu 2
(opr #439) HTTP Auth respects SECURITY_USER_IDENTITY_ATTRIBUTES (pnpnpn)
.IP \(bu 2
(opr #660) csrf_enabled\(ga deprecation fix (abulte)
.IP \(bu 2
(opr #671) Fix referrer loop in _get_unauthorized_view(). (nfvs)
.IP \(bu 2
(opr #675) Fix AttributeError in _request_loader (sbagan)
.IP \(bu 2
(opr #676) Fix timing attack on login form (cript0nauta)
.IP \(bu 2
(opr #683) Close db connection after running tests (reambus)
.IP \(bu 2
(opr #691) docs: add password salt to SQLAlchemy app example (KshitijKarthick)
.IP \(bu 2
(opr #692) utils: fix incorrect email sender type (switowski)
.IP \(bu 2
(opr #696) Fixed broken Click link (williamhatcher)
.IP \(bu 2
(opr #722) Fix password recovery confirmation on deleted user (kesara)
.IP \(bu 2
(opr #747) Update login_user.html (rickwest)
.IP \(bu 2
(opr #748) i18n: configurable the dirname domain (escudero)
.IP \(bu 2
(opr #835) adds relevant user to reset password form for validation purposes (fuhrysteve)
.UNINDENT
.sp
These are bug fixes and a couple very small additions.
No change in behavior and no new functionality.
\(aqopr#\(aq is the original pull request from \X'tty: link https://github.com/mattupstate/flask-security'\fI\%https://github.com/mattupstate/flask\-security\fP\X'tty: link'
.SS Version 3.0.1
.sp
Released April 28th 2019
.INDENT 0.0
.IP \(bu 2
Support 3.7 as part of CI
.IP \(bu 2
Rebrand to this forked repo
.IP \(bu 2
(#15) Build docs and translations as part of CI
.IP \(bu 2
(#17) Move to msgcheck from pytest\-translations
.IP \(bu 2
(opr #669) Fix for Read the Docs (jirikuncar)
.IP \(bu 2
(opr #710) Spanish translation (maukoquiroga)
.IP \(bu 2
(opr #712) i18n: improvements of German translations (eseifert)
.IP \(bu 2
(opr #713) i18n: add Portuguese (Brazilian) translation (dinorox)
.IP \(bu 2
(opr #719) docs: fix anchor links and typos (kesara)
.IP \(bu 2
(opr #751) i18n: fix missing space (abulte)
.IP \(bu 2
(opr #762) docs: fixed proxy import (lsmith)
.IP \(bu 2
(opr #767) Update customizing.rst (allanice001)
.IP \(bu 2
(opr #776) i18n: add Portuguese (Portugal) translation (micael\-grilo)
.IP \(bu 2
(opr #791) Fix documentation for mattupstate#781 (fmerges)
.IP \(bu 2
(opr #796) Chinese translations (Steinkuo)
.IP \(bu 2
(opr #808) Clarify that a commit is needed after login_user (christophertull)
.IP \(bu 2
(opr #823) Add Turkish translation (Admicos)
.IP \(bu 2
(opr #831) Catalan translation (miceno)
.UNINDENT
.sp
These are all documentation and i18n changes \- NO code changes. All except the last 3 were accepted and reviewed by
the original Flask\-Security team.
Thanks as always to all the contributors.
.SS Version 3.0.0
.sp
Released May 29th 2017
.INDENT 0.0
.IP \(bu 2
Fixed a bug when user clicking confirmation link after confirmation
and expiration causes confirmation email to resend. (see #556)
.IP \(bu 2
Added support for I18N.
.IP \(bu 2
Added options \fISECURITY_EMAIL_PLAINTEXT\fP and \fISECURITY_EMAIL_HTML\fP
for sending respectively plaintext and HTML version of email.
.IP \(bu 2
Fixed validation when missing login information.
.IP \(bu 2
Fixed condition for token extraction from JSON body.
.IP \(bu 2
Better support for universal bdist wheel.
.IP \(bu 2
Added port of CLI using Click configurable using options
\fISECURITY_CLI_USERS_NAME\fP and \fISECURITY_CLI_ROLES_NAME\fP\&.
.IP \(bu 2
Added new configuration option \fISECURITY_DATETIME_FACTORY\fP which can
be used to force default timezone for newly created datetimes.
(see mattupstate/flask\-security#466)
.IP \(bu 2
Better IP tracking if using Flask 0.12.
.IP \(bu 2
Renamed deprecated Flask\-WFT base form class.
.IP \(bu 2
Added tests for custom forms configured using app config.
.IP \(bu 2
Added validation and tests for next argument in logout endpoint. (see #499)
.IP \(bu 2
Bumped minimal required versions of several packages.
.IP \(bu 2
Extended test matric on Travis CI for minimal and released package versions.
.IP \(bu 2
Added of .editorconfig and forced tests for code style.
.IP \(bu 2
Fixed a security bug when validating a confirmation token, also checks
if the email that the token was created with matches the user\(aqs current email.
.IP \(bu 2
Replaced token loader with request loader.
.IP \(bu 2
Changed trackable behavior of \fIlogin_user\fP when IP can not be detected from a request from \(aquntrackable\(aq to \fINone\fP value.
.IP \(bu 2
Use ProxyFix instead of inspecting X\-Forwarded\-For header.
.IP \(bu 2
Fix identical problem with app as with datastore.
.IP \(bu 2
Removed always\-failing assertion.
.IP \(bu 2
Fixed failure of init_app to set self.datastore.
.IP \(bu 2
Changed to new style flask imports.
.IP \(bu 2
Added proper error code when returning JSON response.
.IP \(bu 2
Changed obsolete Required validator from WTForms to DataRequired. Bumped Flask\-WTF to 0.13.
.IP \(bu 2
Fixed missing \fISECURITY_SUBDOMAIN\fP in config docs.
.IP \(bu 2
Added cascade delete in PeeweeDatastore.
.IP \(bu 2
Added notes to docs about \fISECURITY_USER_IDENTITY_ATTRIBUTES\fP\&.
.IP \(bu 2
Inspect value of \fISECURITY_UNAUTHORIZED_VIEW\fP\&.
.IP \(bu 2
Send password reset instructions if an attempt has expired.
.IP \(bu 2
Added \(dqForgot password?\(dq link to LoginForm description.
.IP \(bu 2
Upgraded passlib, and removed bcrypt version restriction.
.IP \(bu 2
Removed a duplicate line (\(aqretype_password\(aq: \(aqRetype Password\(aq) in forms.py.
.IP \(bu 2
Various documentation improvement.
.UNINDENT
.SS Version 1.7.5
.sp
Released December 2nd 2015
.INDENT 0.0
.IP \(bu 2
Added \fISECURITY_TOKEN_MAX_AGE\fP configuration setting
.IP \(bu 2
Fixed calls to \fISQLAlchemyUserDatastore.get_user(None)\fP (this now returns \fIFalse\fP instead of raising a \fITypeError\fP
.IP \(bu 2
Fixed URL generation adding extra slashes in some cases (see GitHub #343)
.IP \(bu 2
Fixed handling of trackable IP addresses when the \fIX\-Forwarded\-For\fP header contains multiple values
.IP \(bu 2
Include WWW\-Authenticate headers in \fI@auth_required\fP authentication checks
.IP \(bu 2
Fixed error when \fIcheck_token\fP function is used with a json list
.IP \(bu 2
Added support for custom \fIAnonymousUser\fP classes
.IP \(bu 2
Restricted \fIforgot_password\fP endpoint to anonymous users
.IP \(bu 2
Allowed unauthorized callback to be overridden
.IP \(bu 2
Fixed issue where passwords cannot be reset if currently set to \fINone\fP
.IP \(bu 2
Ensured that password reset tokens are invalidated after use
.IP \(bu 2
Updated \fIis_authenticated\fP and \fIis_active\fP functions to support Flask\-Login changes
.IP \(bu 2
Various documentation improvements
.UNINDENT
.SS Version 1.7.4
.sp
Released October 13th 2014
.INDENT 0.0
.IP \(bu 2
Fixed a bug related to changing existing passwords from plaintext to hashed
.IP \(bu 2
Fixed a bug in form validation that did not enforce case insensitivity
.IP \(bu 2
Fixed a bug with validating redirects
.UNINDENT
.SS Version 1.7.3
.sp
Released June 10th 2014
.INDENT 0.0
.IP \(bu 2
Fixed a bug where redirection to \fISECURITY_POST_LOGIN_VIEW\fP was not respected
.IP \(bu 2
Fixed string encoding in various places to be friendly to unicode
.IP \(bu 2
Now using \fIwerkzeug.security.safe_str_cmp\fP to check tokens
.IP \(bu 2
Removed user information from JSON output on \fI/reset\fP responses
.IP \(bu 2
Added Python 3.4 support
.UNINDENT
.SS Version 1.7.2
.sp
Released May 6th 2014
.INDENT 0.0
.IP \(bu 2
Updated IP tracking to check for \fIX\-Forwarded\-For\fP header
.IP \(bu 2
Fixed a bug regarding the re\-hashing of passwords with a new algorithm
.IP \(bu 2
Fixed a bug regarding the \fIpassword_changed\fP signal.
.UNINDENT
.SS Version 1.7.1
.sp
Released January 14th 2014
.INDENT 0.0
.IP \(bu 2
Fixed a bug where passwords would fail to verify when specifying a password hash algorithm
.UNINDENT
.SS Version 1.7.0
.sp
Released January 10th 2014
.INDENT 0.0
.IP \(bu 2
Python 3.3 support!
.IP \(bu 2
Dependency updates
.IP \(bu 2
Fixed a bug when \fISECURITY_LOGIN_WITHOUT_CONFIRMATION = True\fP did not allow users to log in
.IP \(bu 2
Added \fISECURITY_SEND_PASSWORD_RESET_NOTICE_EMAIL\fP configuration option to optionally send password reset notice emails
.IP \(bu 2
Add documentation for \fI@security.send_mail_task\fP
.IP \(bu 2
Move to \fIrequest.get_json\fP as \fIrequest.json\fP is now deprecated in Flask
.IP \(bu 2
Fixed a bug when using AJAX to change a user\(aqs password
.IP \(bu 2
Added documentation for select functions in the \fIflask_security.utils\fP module
.IP \(bu 2
Fixed a bug in \fIflask_security.forms.NextFormMixin\fP
.IP \(bu 2
Added \fICHANGE_PASSWORD_TEMPLATE\fP configuration option to optionally specify a different change password template
.IP \(bu 2
Added the ability to specify addtional fields on the user model to be used for identifying the user via the \fIUSER_IDENTITY_ATTRIBUTES\fP configuration option
.IP \(bu 2
An error is now shown if a user tries to change their password and the password is the same as before. The message can be customed with the \fISECURITY_MSG_PASSWORD_IS_SAME\fP configuration option
.IP \(bu 2
Fixed a bug in \fIMongoEngineUserDatastore\fP where user model would not be updated when using the \fIadd_role_to_user\fP method
.IP \(bu 2
Added \fISECURITY_SEND_PASSWORD_CHANGE_EMAIL\fP configuration option to optionally disable password change email from being sent
.IP \(bu 2
Fixed a bug in the \fIfind_or_create_role\fP method of the PeeWee datastore
.IP \(bu 2
Removed pypy tests
.IP \(bu 2
Fixed some tests
.IP \(bu 2
Include CHANGES and LICENSE in MANIFEST.in
.IP \(bu 2
A bit of documentation cleanup
.IP \(bu 2
A bit of code cleanup including removal of unnecessary utcnow call and simplification of get_max_age method
.UNINDENT
.SS Version 1.6.9
.sp
Released August 20th 2013
.INDENT 0.0
.IP \(bu 2
Fix bug in SQLAlchemy datastore\(aqs \fIget_user\fP function
.IP \(bu 2
Fix bug in PeeWee datastore\(aqs \fIremove_role_from_user\fP function
.IP \(bu 2
Fixed import error caused by new Flask\-WTF release
.UNINDENT
.SS Version 1.6.8
.sp
Released August 1st 2013
.INDENT 0.0
.IP \(bu 2
Fixed bug with case sensitivity of email address during login
.IP \(bu 2
Code cleanup regarding token_callback
.IP \(bu 2
Ignore validation errors in find_user function for MongoEngineUserDatastore
.UNINDENT
.SS Version 1.6.7
.sp
Released July 11th 2013
.INDENT 0.0
.IP \(bu 2
Made password length form error message configurable
.IP \(bu 2
Fixed email confirmation bug that prevented logged in users from confirming their email
.UNINDENT
.SS Version 1.6.6
.sp
Released June 28th 2013
.INDENT 0.0
.IP \(bu 2
Fixed dependency versions
.UNINDENT
.SS Version 1.6.5
.sp
Released June 20th 2013
.INDENT 0.0
.IP \(bu 2
Fixed bug in \fIflask.ext.security.confirmable.generate_confirmation_link\fP
.UNINDENT
.SS Version 1.6.4
.sp
Released June 18th 2013
.INDENT 0.0
.IP \(bu 2
Added \fISECURITY_DEFAULT_REMEMBER_ME\fP configuration value to unify behavior between endpoints
.IP \(bu 2
Fixed Flask\-Login dependency problem
.IP \(bu 2
Added optional \fInext\fP parameter to registration endpoint, similar to that of login
.UNINDENT
.SS Version 1.6.3
.sp
Released May 8th 2013
.INDENT 0.0
.IP \(bu 2
Fixed bug in regards to imports with latest version of MongoEngine
.UNINDENT
.SS Version 1.6.2
.sp
Released April 4th 2013
.INDENT 0.0
.IP \(bu 2
Fixed bug with http basic auth
.UNINDENT
.SS Version 1.6.1
.sp
Released April 3rd 2013
.INDENT 0.0
.IP \(bu 2
Fixed bug with signals
.UNINDENT
.SS Version 1.6.0
.sp
Released March 13th 2013
.INDENT 0.0
.IP \(bu 2
Added Flask\-Pewee support
.IP \(bu 2
Password hashing is now more flexible and can be changed to a different type at will
.IP \(bu 2
Flask\-Login messages are configurable
.IP \(bu 2
AJAX requests must now send a CSRF token for security reasons
.IP \(bu 2
Form messages are now configurable
.IP \(bu 2
Forms can now be extended with more fields
.IP \(bu 2
Added change password endpoint
.IP \(bu 2
Added the user to the request context when successfully authenticated via http basic and token auth
.IP \(bu 2
The Flask\-Security blueprint subdomain is now configurable
.IP \(bu 2
Redirects to other domains are now not allowed during requests that may redirect
.IP \(bu 2
Template paths can be configured
.IP \(bu 2
The welcome/register email can now optionally be sent to the user
.IP \(bu 2
Passwords can now contain non\-latin characters
.IP \(bu 2
Fixed a bug when confirming an account but the account has been deleted
.UNINDENT
.SS Version 1.5.4
.sp
Released January 6th 2013
.INDENT 0.0
.IP \(bu 2
Fix bug in forms with \fIcsrf_enabled\fP parameter not accounting attempts to login using JSON data
.UNINDENT
.SS Version 1.5.3
.sp
Released December 23rd 2012
.INDENT 0.0
.IP \(bu 2
Change dependency requirement
.UNINDENT
.SS Version 1.5.2
.sp
Released December 11th 2012
.INDENT 0.0
.IP \(bu 2
Fix a small bug in \fIflask_security.utils.login_user\fP method
.UNINDENT
.SS Version 1.5.1
.sp
Released November 26th 2012
.INDENT 0.0
.IP \(bu 2
Fixed bug with \fInext\fP form variable
.IP \(bu 2
Added better documentation regarding Flask\-Mail configuration
.IP \(bu 2
Added ability to configure email subjects
.UNINDENT
.SS Version 1.5.0
.sp
Released October 11th 2012
.INDENT 0.0
.IP \(bu 2
Major release. Upgrading from previous versions will require a bit of work to
accommodate API changes. See documentation for a list of new features and for
help on how to upgrade.
.UNINDENT
.SS Version 1.2.3
.sp
Released June 12th 2012
.INDENT 0.0
.IP \(bu 2
Fixed a bug in the RoleMixin eq/ne functions
.UNINDENT
.SS Version 1.2.2
.sp
Released April 27th 2012
.INDENT 0.0
.IP \(bu 2
Fixed bug where \fIroles_required\fP and \fIroles_accepted\fP did not pass the next
argument to the login view
.UNINDENT
.SS Version 1.2.1
.sp
Released March 28th 2012
.INDENT 0.0
.IP \(bu 2
Added optional user model mixin parameter for datastores
.IP \(bu 2
Added CreateRoleCommand to available Flask\-Script commands
.UNINDENT
.SS Version 1.2.0
.sp
Released March 12th 2012
.INDENT 0.0
.IP \(bu 2
Added configuration option \fISECURITY_FLASH_MESSAGES\fP which can be set to a
boolean value to specify if Flask\-Security should flash messages or not.
.UNINDENT
.SS Version 1.1.0
.sp
Initial release
Flask\-Security was written by Matt Wright and various contributors.
.sp
Flask\-Security\-Too is an independently maintained repo:
.SS Development Lead
.INDENT 0.0
.IP \(bu 2
Chris Wagner <\X'tty: link mailto:jwag956@github.com'\fI\%jwag956@github.com\fP\X'tty: link'>
.UNINDENT
.SS Maintainer
.INDENT 0.0
.IP \(bu 2
Chris Wagner <\X'tty: link mailto:jwag956@github.com'\fI\%jwag956@github.com\fP\X'tty: link'>
.UNINDENT
.SS Patches and Suggestions
.sp
Alexander Sukharev
Alexey Poryadin
Andrew J. Camenga
Anthony Plunkett
Artem Andreev
Catherine Wise
Chris Haines
Christophe Simonis
David Ignacio
Eric Butler
Eskil Heyn Olsen
Iuri de Silvio
Jay Goel
Jiri Kuncar
Joe Esposito
Joe Hand
Josh Purvis
Kostyantyn Leschenko
Luca Invernizzi
Manuel Ebert
Martin Maillard
Paweł Krześniak
Robert Clark
Rodrigue Cloutier
Rotem Yaari
Srijan Choudhary
Tristan Escalada
Vadim Kotov
Walt Askew
John Paraskevopoulos
Chris Wagner
Eric Regnier
Gal Stainfeld
Ivan Piskunov
Tyler Baur
Glenn Lehman
.SH AUTHOR
Matt Wright & Chris Wagner
.SH COPYRIGHT
2012-2024
.\" Generated by docutils manpage writer.
.