Hi, when using current_user instance I was having a weird bug with MongoEngine, then I decided to debug and when checking:

ipdb> type(current_user)
<class 'werkzeug.local.LocalProxy'>

That's not desired if I will use it directly. MongoEngine complains when using that instance during query/update, etc... Is there any way to unwrap the proxy? Right now I have to query to the DB to get the real object.

Thanks

The current release version does not work well with Flask 0.10 and the current code in Flask-Login in master does not work with Werkzeug 0.9.

The two changes that break it:

• sessions in flask can no longer contain binary data
• headers are now unicode.

Fixes #508.

This removes all support for and references to Python 2.7, including in the test matrix. Most changes were performed through running 2to3 but some work was performed manually, such as imports and removing the _compat module. Running make clean reports all is well.

Can we keep the global import namespace compatible with 0.3.x version for utils introduced in 088ac3cf5e0597d59224fcfb0536bea031a9ae17 ?

__init__.py

from utils import _create_identifier, ...

__all__ = ('_create_identifier', ...)

Thanks!

-- Make sure these boxes are checked before submitting your issue--thank you!

• [x] Ensure you are using the latest PyPI release.
• [x] Read the CHANGES document thoroughly.
• [x] Provide a clear and simple set of steps to reproduce your issue for others.

The code that calculates a user's identifier uses the remote address or the contents of the X-Forwarded-For header doesn't account for the fact that the X-Forwarded-For header can contain a comma separated list of remote addresses, which is the case for scenarios in which 2+ proxy servers are involved in the request forwarding. This caveat causes Flask-Login to unexpectedly log users out when the combination of proxy servers that routed a previous request change.

See http://tools.ietf.org/html/rfc7239 for more information about X-Forwarded-For standard.

Some session backends will try to detect changes made to the session dictionary and only save if the session was modified. The pop() call will set modified = True in such a backend. By checking if the "remember" key exists before we pop it we avoid this behaviour.

Bumps jinja2 from 2.10.3 to 2.11.3.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

For apps with multiple User models, is there any way to alter the user_loader / load_user() to be able to distinguish between the models? The standard is

@login_manager.user_loader
def load_user(user_id):
    return User.get(user_id)

I need to somehow discern which model the user_id passed belongs to and insert a condition to replace User.get() with the appropriate model.

This https://github.com/maxcountryman/flask-login/commit/9c8f3ca7441fa0abb506093c7161b5aa4cad88df has created me a lot of problems using forms with csrf token enabled and session protection set to strong this is the issue that I was getting as well https://github.com/lepture/flask-wtf/issues/197 and unsetting the session_protection made it work.

I can't figure out how I can make it work again using 'strong', could you please provide me some useful links or examples?

Right now you can only force-logout a remember-me token by using a custom token. It would be nice if there was a clean way to do this for active sessions, too.

From a quick look at the code this could probably be done by making get_id return e.g. a tuple of userid, token and the user_loader handling this token accordingly (retrieving the user from the DB and checking if the tokens match). However, the documentation is quite clear about the user id having to be unicode and a second look at the code shows that the user id actually converted to a string at some point: data = encode_cookie(str(session['user_id'])) (actually, shouldn't this be unicode and not str?).

Sure, I could use a custom string representation such as id:token but it feels dirty.

Flask 0.10+ makes it impossible to use login_manager.login_message = lazy_gettext('Please log in') (no more pickle), thus buggering localisation of flask-login's flash messages.

Add a localize_callback attribute to LoginManager that, if present, will be called with login_message and needs_refresh_message and whose return value will be sent flash.

Describe the bug I have a test that makes use of two fixtures. One provides an anonymous client, and another provides an authenticated client. Should I run the following code, the test fails and the user info returned is that of the authenticated user, although I am using the anonymous client.

#Note: APIAwareFlaskLoginClient extends FlaskLoginClient to request a csrf prior to each post

@pytest.fixture
def app():
    app = create_app()
    app.test_client_class = APIAwareFlaskLoginClient

    with app.app_context():
        # reinit the database at each test
        db.drop_all()
        db.create_all()

        with Transaction(db) as session:
            session.add(Owner(email='a', name='b', password='c'))

    yield app

@pytest.fixture
def client(app):
    return app.test_client()

@pytest.fixture
def authenticated_client(app):
    client = app.test_client()
    client.post("/api/auth/login", json=dict(email='a', password='c', remember='1'))
    return client

def test_anonymous_after_auth(client, authenticated_client):
    response = client.get('/api/auth/user')
    assert response.status_code == 401

Should I remove the authenticated_client from the method signature, everything works as expected. Is this a bug, or I am doing something wrong?

Environment (please complete the following information):

• OS: Linux
• Python 3.10.8
• flask-login 0.6.2

Describe the bug The documentation on the ReadTheDocs website is out of date.

There was a broken link that was fixed in 2019 (https://github.com/maxcountryman/flask-login/commit/dc6103ac), but the ReadTheDocs website still has the old link (https://flask-login.readthedocs.io/en/latest/#login-example).

The latest docs should be regenerated/pushed to ReadTheDocs to resolve the bug.

To Reproduce Steps to reproduce the behavior:

1. Go to https://flask-login.readthedocs.io/en/latest/#login-example
2. Click on 'this Flask Snippet' link
3. See error

Expected behavior Link should go to https://web.archive.org/web/20120517003641/http://flask.pocoo.org/snippets/62/

Screenshots

Desktop (please complete the following information):

• OS: macOS
• Browser: chrome
• Version

Version 0.6.0 has:

• UserMixin.is_authenticated will return whatever is_active returns by default. This prevents inactive users from logging in. #486, #530

Based on the comments in the above issues, the case for doing this was to prevent inactive users from logging in but an inactive user is not the same as a user who can't authenticate due to invalid credentials. These are much different things.

In 0.5.0 you could do:

    @login_manager.user_loader
    def load_user(uid):
        user = user_model.query.get(uid)

        if not user.is_active():
            login_manager.login_message = 'This account has been disabled.'
            return None

        return user

And then if an inactive user tried to login they would receive a custom flash message. This lets them know they have an account but they've been disabled.

With 0.6.0 this code path doesn't seem to execute because the user gets blocked before they would be loaded so you end up with whatever message you would send to the user when their authentication failed. This is a regression in behavior.

I thought a potential workaround in 0.6.0 would have been to add this to my user model (the default in 0.5.0):

    def is_authenticated(self):
        return True

But this had no effect. I'm still not able to execute the user loader that would have presented a custom flash message.

How can we get the old behavior back where end users of this library can handle inactive users after they've been authenticated?

The only thing that might be relevant to runtime inspection is __version__, which is already exported. The rest is package metadata that should be in setup.cfg, which can be inspected with importlib.metadata if needed.

Flask-Login has no way to guarantee that this header is correct because it doesn't know how many proxies the app is or isn't deployed behind. Instead, it should always read request.remote_addr, and assume that the user has configured ProxyFix if necessary.