Commit Graph

679 Commits

Author SHA1 Message Date
Matt Wright cbd0db7c39 Merge pull request #398 from jonafato/bcrypt-hotfix
Restrict bcrypt to <2.0.0
2015-06-24 22:23:36 -05:00
Jon Banafato 398f5c920b Restrict bcrypt to <2.0.0
As of 2.0.0, passlib no longer correctly identifies bcrypt as bcrypt
(instead, it mistakenly applies pybcrypt logic to bcrypt). This results
in all Python 3 logic involving bcrypt failing. As a hotfix, we should
require users to be on a version of bcrypt that passlib can handle a fix
can be pushed into passlib.
2015-06-23 13:23:07 -04:00
Matt Wright 33252ae178 Merge pull request #389 from nickretallack/develop
Reset Password Fixes
2015-05-26 14:59:30 -04:00
Nick Retallack c10c9050c7 test: reset password on a user who has no password
The user may have been invited via a social network or an invitation
system.
2015-05-11 23:22:30 -07:00
Nick Retallack 5697ff80c3 ignore the eggs readme 2015-05-11 23:16:04 -07:00
Nick Retallack 4411470202 test: invalidate used password reset tokens
Also pep8 compliance and suggested changes.
2015-05-11 23:12:05 -07:00
Nick Retallack a0e2037747 invalidate password reset tokens when the passwords changes
Check that the previous password is the same as it was when this
password reset request was generated.
2015-05-11 21:52:57 -07:00
Nick Retallack 7884d637c5 prevent password reset from breaking if you have no password
If you've just been invited, or are using social auth, you have no
password set, so the reset password feature causes a crash.  This
doesn't need to happen.
2015-05-11 21:52:57 -07:00
Matt Wright 8a14abaa1e Fix failing test 2015-05-02 14:57:34 -04:00
Matt Wright 6b55e9613a Merge pull request #255 from nfvs/unauthorized_override
Allow overriding of an unauthorized callback.
2015-05-02 14:45:57 -04:00
Matt Wright d08aac6d35 Fix pymongo version issue 2015-05-02 14:34:31 -04:00
Nuno Santos 10fd1844d8 Allow overriding of unauthorized callback.
Related to issue #255.
2015-05-02 20:17:38 +02:00
Matt Wright 72d3a4b5e3 Merge branch 'develop' of github.com:mattupstate/flask-security into develop 2015-05-02 13:57:29 -04:00
Matt Wright 6541640ee8 Merge pull request #373 from lnielsen/anonymoususer
Add support for custom AnonymousUser class.
2015-05-02 13:57:20 -04:00
Matt Wright 9cda8baff3 Fix #367 2015-05-02 13:55:05 -04:00
Matt Wright 8a62b5f193 Merge pull request #361 from nfvs/add_headers_to_auth_required
Include WWW-Authenticate headers in @auth_required.
2015-05-02 13:50:23 -04:00
Matt Wright 2e08ec87a6 Merge pull request #352 from fuhrysteve/develop
X-Forwarded-For can contain multiple IP addresses
2015-05-02 13:46:21 -04:00
Matt Wright 4d3c1c0bdc Merge pull request #347 from Jaza/slash-url-suffix
re #343: Add slash before or after token in flask-security URLs correctly
2015-05-02 13:43:36 -04:00
Matt Wright cd8982fa65 Merge pull request #342 from alexef/patch-1
Fail silently for get_user(None)
2015-05-02 13:30:01 -04:00
Matt Wright c8a3549e2d Merge pull request #331 from Diaoul/patch-2
Fix ActivateUserCommand docstring
2015-05-02 13:29:21 -04:00
Matt Wright 03d9cf2f0d Merge pull request #330 from Diaoul/patch-1
Fix RemoveRoleCommand docstring
2015-05-02 13:29:07 -04:00
Matt Wright e4d9d3ad17 Merge pull request #322 from waltaskew/develop
Add configuration for token expiration
2015-05-02 13:27:11 -04:00
Matt Wright f2a5e4b614 Normalize import paths. Fixes #313 2015-05-02 13:25:26 -04:00
Matt Wright 916f5ee012 Use StringField instead of TextField. Fixes #312 2015-05-02 13:05:46 -04:00
Matt Wright bc1f5dd7f9 Stricter tests for signals and a small docs update. Fixes #308 2015-05-02 12:59:02 -04:00
Matt Wright 4659d10c5c forgot password endpoint should be for anonymous users only. Fixes #291 2015-05-02 12:11:05 -04:00
Lars Holm Nielsen a4581681e5 Fix PEP8 error. 2015-03-06 13:09:05 +01:00
Lars Holm Nielsen 248ea5d272 Custom AnonymousUser support.
(addresses #362)
2015-03-06 12:45:17 +01:00
Nuno Santos 3681823fcf Include WWW-Authenticate headers in @auth_required.
When using @http_auth_required, the WWW-Authenticate header is included,
but when using @auth_required('basic'), it is not. This change includes
that header in every @auth_required call that contains the 'basic'
method.
2015-01-30 11:27:53 +01:00
Stephen J. Fuhry 923ad720a1 X-Forwarded-For can contain multiple IP addresses
From the nginx docs:
http://nginx.org/en/docs/http/ngx_http_proxy_module.html
> $proxy_add_x_forwarded_for
> the “X-Forwarded-For” client request header field with the $remote_addr
> variable appended to it, separated by a comma. If the “X-Forwarded-For”
> field is not present in the client request header, the
> $proxy_add_x_forwarded_for variable is equal to the $remote_addr
> variable.

Use the last IP address in X-Forwarded-For. For this to work properly
behind a trusted proxy, you must be using ProxyFix as described in the
flask & werkzeug documentation.
2014-12-29 08:31:19 -05:00
Jeremy Epstein 665b164618 split docstring into multiple lines to make travis CI happy 2014-11-28 13:50:25 +11:00
Jeremy Epstein 4d70f016ad re #343: Add slash before or after token in flask-security URLs correctly 2014-11-28 10:36:31 +11:00
Alex Eftimie 7e4fc94601 Fail silently for get_user(None)
get_user(identifier) checks if the identifier is a number by trying to convert it to int. This works for strings, but in a particular case, when identifier is None, it fails. Checking for both TypeError and ValueError fixes it.
2014-11-19 14:11:58 +02:00
Antoine Bertin 6cfe662dc6 Fix ActivateUserCommand docstring 2014-10-21 11:26:17 +02:00
Antoine Bertin 8c45271bf9 Fix RemoveRoleCommand docstring 2014-10-21 10:27:17 +02:00
Matt Wright c7d0ea9cce Add additional item to CHANGES 1.7.4 2014-10-13 13:47:35 -04:00
Matt Wright 94c7c09dc2 Bump version number to 1.7.4 2014-10-13 13:38:44 -04:00
Matt Wright f6405797f1 Update CHANGES 2014-10-13 13:38:16 -04:00
Matt Wright 2cffb6634d Fix case sensitivity when searching for users by email address. Fixes #323. 2014-10-13 13:34:11 -04:00
Matt Wright 824a52b883 Merge branch 'develop' of github.com:mattupstate/flask-security into develop 2014-10-13 13:25:08 -04:00
Matt Wright fe7e4c4afc Add additional steps to the test_change_hash_type and make change to verify_and_update_password to make the test pass. Fixes #328. 2014-10-13 13:25:01 -04:00
Matt Wright 591bc27a5e Merge pull request #318 from boydgreenfield/develop
Prevent open redirects when a malformed URL is passed to ?next=
2014-10-13 11:54:32 -04:00
waltaskew 897b2fceab Add configuration for token expiration 2014-10-01 15:59:28 -04:00
Nick Greenfield 5bc37add88 Update to use (url_next.netloc or url_next.scheme) in the validate_redirect_url open redirect patch. 2014-10-01 09:49:00 -07:00
Nick Greenfield 8b036f2a3e Prevent open redirects when a malformed URL is passed to ?next=
Example: "/login?next=http:///google.com" (note 3rd slash)
2014-09-26 11:08:58 -07:00
Matt Wright 76ad77a233 Compare a string (not bytes) for PY3 support 2014-09-17 11:39:19 -04:00
Matt Wright 679cee7969 Add default/global context processor. Fixes #306 2014-09-17 11:27:44 -04:00
Matt Wright 3d7b97ac31 Forgot password form should not validate if user has not confirmed their email address yet. Fixes #298 2014-09-17 11:21:31 -04:00
Matt Wright 3a0af73231 Merge pull request #281 from sjml/patch-1
Fixing typo in documentation
2014-09-17 10:03:53 -04:00
Matt Wright 3458391791 Merge pull request #284 from tony/patch-1
Typo
2014-09-17 10:02:27 -04:00