Note
This project is no longer maintained. Consider the Flask-Security-Too project as an alternative.
Flask-Security
It quickly adds security features to your Flask application.
Hi, I'm currently using the stable version and am finding it really hard to be able to authenticate users manually. The main reason for requiring this is to get authentication working via an ajax call. I've noticed in the dev branch there is a utility function that looks like it might do this. Is this my only option?
Cheers.
Dear @mattupstate and @jonafato:
In the light of recent Flask-Login release, I would like to ask you about plans for this package. There are many useful PRs that deserve to be merged (#494 #502 #519 #526 #528 #537 #538 #542 #544 #549 and more). Some of them are over a year old without any comment from maintainers.
If there is an interest I would offer my help with maintaining this package. Until I get a reply I am going to manage our fork so we can take advantage of the latest community work in both the Flask-Login and Flask-Security packages.
Kind regards, Jiri
Which changes them to properties and causes them to raise TypeErrors all over the place.
Relevant Flask-Login changelog: https://github.com/maxcountryman/flask-login/blob/5415c146df9dd560cc9475227c34866851532e9e/test_login.py
Right now, when using @http_auth_required or @auth_token_required, if the user is unauthorized only a message is returned (_default_unauthorized_html).
With this change, it is possible to define an unauthorized callback which will be called instead.
Example using your overholt project (overholt/api/__init__.py):

    from flask import jsonify
    from overholt import factory
    from overholt.core import security

    def unauthorized():
        # Called instead of the default HTML message when the request is unauthorized.
        return jsonify(dict(error='Unauthorized')), 403

    def create_app(settings_override=None, register_security_blueprint=False):
        app = factory.create_app(__name__, __path__, settings_override,
                                 register_security_blueprint=register_security_blueprint)
        # Register the JSON callback on the shared Security extension object.
        security.unauthorized_handler(unauthorized)
        return app
I have tested it only with @http_auth_required, but @auth_required and @auth_token_required should work pretty much the same.
Hi Matt,
I've taken a stab at fixing https://github.com/mattupstate/flask-security/issues/49. This adds a set of functions like the context processor decorators. Each decorator specifies a function that returns the Form class to use for that particular view. App writers can then inherit from the existing form classes and extend them with WTForms fields as needed.
Example
    # Given a User model with extra columns:
    #   first_name = Column(String(120))
    #   last_name = Column(String(120))
    from flask_security import Security
    from flask_security.forms import RegisterForm
    from wtforms import TextField
    from wtforms.validators import Required

    security = Security(app, user_datastore)

    class ExtendedRegisterForm(RegisterForm):
        # Extra fields are validated by WTForms before the user is created.
        first_name = TextField('First Name', [Required()])
        last_name = TextField('Last Name', [Required()])

    @security.register_form
    def security_register_form():
        # Return the form class Flask-Security should use for the register view.
        return ExtendedRegisterForm
I specifically did not go the model_form route. From an earlier attempt I found that it got more verbose when using it, as opposed to this.
Let me know if anything needs changing.
I am trying to disable flash messages in general, using the following: FLASH_MESSAGES = False
When I try to log in with invalid credentials it still displays the flash message. Why is that? How do I turn it off?
I don't get the user_registered signal from flask-security. I have it set up this way:

    from flask import Flask
    from flask_security.signals import user_registered

    app = Flask(__name__)
    # ... Flask-Security and the user datastore are set up here ...

    @user_registered.connect_via(app)
    def user_registered_sighandler(sender, **extra):
        # Expected to run once for every successful registration.
        print("user_registered_sighandler")
The user does get created and I do get the welcome email, so the register_user function in https://github.com/mattupstate/flask-security/blob/develop/flask_security/registerable.py#L26 is being executed, but the signal send is not reaching my handler. Can anyone help? I'm using: Flask==0.9, Flask-Security==1.5.4, blinker==1.2
This likely is BREAKING with the packaged version of flask-login.
We probably want a way to get backward compatibility with the released version of flask-login... or do/should we expect flask-login to implement that backward compatibility ?
Hello!
I've made the horrible mistake of not setting SECURITY_PASSWORD_HASH to something other than plain text and was hoping there was a way to change all the passwords to a hashed format on the fly?
It would be pretty cool in the future if there was a method for this kind of stuff :)
I submitted a pull request to Flask-Script to allow for nested managers and would like your feedback on it. If accepted, it would be nice to have a preconfigured manager instance (the pull request actually shows an example of how flask-security could work).
https://github.com/rduplain/flask-script/pull/39
Thanks.
If the security object gets initialized before the app exists (i.e. using the factory method) and init_app is called later, security._state is never set. This makes sense because _state is dependent upon the app; however, when an attribute on security is accessed, the redefinition of __getattr__ looks for _state, which isn't set, so __getattr__ gets called, looks for _state, etc., and then bam:

    RuntimeError: maximum recursion depth exceeded while calling a Python object
I opened a PR, but closed it because I'm not sure if it's the right fix. I solved the issue myself by doing:
    security = app.extensions['security']

    @security.login_context_processor
    ...

but at the very least, I think there should be a better exception that gets raised (the max recursion depth really threw me off for a bit). The solution in the PR would work, but would require the above to become something like

    with app.app_context():
        @security.login_context_processor
        ...

which maybe works? Curious what other people think is a good solution.
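The recursion described in this issue comes from a __getattr__ that reads self._state through normal attribute access. The following is an added example, not Flask-Security's own code: a hypothetical stand-in extension class whose __getattr__ reads __dict__ directly and raises a clear error when init_app() has not run yet (the class names, make_fake_app and probe are constructed for the example).

```python
from types import SimpleNamespace


class SecurityNotInitialized(RuntimeError):
    """Raised instead of 'maximum recursion depth exceeded'."""


class Security:
    """Hypothetical stand-in for the extension object (constructed for this
    example, not Flask-Security's own code): attribute access is delegated
    to the per-app state that init_app() creates."""

    def __init__(self, app=None):
        # Factory pattern as on the page: no app yet, so _state is not set.
        if app is not None:
            self.init_app(app)

    def init_app(self, app):
        # The real state carries the datastore, forms and options; a small
        # namespace is enough to show the delegation.
        self._state = SimpleNamespace(app=app, login_context_processor=None)
        app.extensions["security"] = self
        return self._state

    def __getattr__(self, name):
        # __getattr__ only runs for names NOT found on the instance. The broken
        # version was roughly `return getattr(self._state, name)`: with _state
        # unset, `self._state` re-enters __getattr__ for "_state" endlessly.
        # Reading __dict__ directly can never trigger __getattr__ again.
        state = self.__dict__.get("_state")
        if state is None:
            raise SecurityNotInitialized(
                f"Security.{name} used before init_app(); call init_app(app) "
                "or use app.extensions['security'] inside an app context"
            )
        return getattr(state, name)


def make_fake_app(name):
    # Constructed stand-in for a Flask app: only .extensions is needed here.
    return SimpleNamespace(name=name, extensions={})


def probe(security, name):
    """Classify a lookup as ('ok', value), ('uninitialized', msg) or ('missing', msg)."""
    try:
        return "ok", getattr(security, name)
    except SecurityNotInitialized as exc:
        return "uninitialized", str(exc)
    except AttributeError as exc:
        return "missing", str(exc)
```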
I need the @auth_required decorator to return a JSON response instead of HTML since I'm working with an SPA. Can anyone help me by giving a simple example please? I'm stuck, guys, with the documentation.
I have a SPA application in Vue and using Flask backend with Flask-Security-Too. The auth with username & password works correctly, but I'd like to add Google handling to app (later Facebook too). I imagine something like:
Thanks in advance!
In our application, we would like to disable 2FA for certain IP addresses (located in the corporate network). It seems to me that this is impossible with the current implementation of 2FA in flask-security.
It seems to me that it would require adding another setting (SECURITY_TWO_FACTOR_IP_WHITELIST?) and updating this condition:
flask_security/views.py:164
if cv("TWO_FACTOR"):
to check whether the IP address of the request is on the whitelist.
What do you think?
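An added example of the check such a setting would need, written here as a stand-alone helper rather than a change to flask_security/views.py (the function names, the allowlist and the trusted-proxy list are assumptions for the example). The point a reviewer would raise: the request's X-Forwarded-For header is client-controlled, so it may only be honoured when the direct peer is a proxy the deployment trusts; otherwise anyone could claim a corporate address and skip 2FA. Malformed addresses fail closed.

```python
import ipaddress
from typing import Iterable, Optional


def client_ip(remote_addr: str, forwarded_for: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Return the address that should be checked against the allowlist.

    X-Forwarded-For is only honoured when remote_addr is one of our trusted
    proxies; then the right-most hop that is not itself a trusted proxy is
    the real client. Otherwise the TCP peer address is used as-is.
    """
    proxies = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_proxy(addr: str) -> bool:
        return any(ipaddress.ip_address(addr) in net for net in proxies)

    if not forwarded_for or not is_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_proxy(hop):
            return hop
    return remote_addr


def two_factor_required(remote_addr: str, forwarded_for: Optional[str],
                        allowlist: Iterable[str],
                        trusted_proxies: Iterable[str] = ()) -> bool:
    """Hypothetical replacement for the `if cv("TWO_FACTOR"):` decision:
    2FA stays required unless the verified client address lies inside one
    of the allowlisted networks. Unparseable input fails closed (True)."""
    try:
        ip = ipaddress.ip_address(
            client_ip(remote_addr, forwarded_for, trusted_proxies))
    except ValueError:
        return True
    return not any(ip in ipaddress.ip_network(n, strict=False)
                   for n in allowlist)
```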
Hello, I have started using the API for Twilio's SendGrid. However, flask security uses flask mail. Can that be overridden? I do not use mail=Mail(app) since I am not using Flask Mail. Sending a change password email will not work. Thank you. Paul.
Hi,
there is an open CVE for flask-security that has already been addressed in the fork. It seems this package will not receive more updates.
Are you aware that PyPI nowadays offers the possibility to yank package releases? When you yank all versions on PyPI, one gets an error when installing a flask-security package without specifying a version. When explicitly asking for a specific version, one still gets that version installed, just with a warning. This provides a good middle ground: new projects will understand that they should look for something with active maintenance or take over maintenance, and existing projects can choose what to do, but aren't left dead on the road with a package that can't be installed any more.
So could you consider yanking the PyPI releases of flask-security?
Pinging @jonafato here because he looks active on github and has pypi permissions for this package.
I followed the documentation example of flask security with SQLAlchemy from: basic-sqlalchemy-application-with-session
When I was testing the login function, after frequent login and logout (more than 20 times in one minute), the application will crash and raise an exception:
sqlalchemy.exc.TimeoutError: QueuePool limit of size 10 overflow 10 reached, connection timed out, timeout 30 (Background on this error at: http://sqlalche.me/e/13/3o7r)