Hi Guys,

Working at a security firm right now and they tell me the next URL can be crafted in various ways to point to a phishing site after you login.

So with flask_user I can make a link to the login page like:

http://yourealsite.com/login/?next=http://my-fake-malicous-site.com/login/

If I show a phishing site with the same login page and error I can harvest peoples logins.

Solution: the next parameter should be filtered such that no domain/http/protocol is included.

As passlib duly notes, all pip versions (and HEAD too) of py-bcrypt are vulnerable to the BSD wraparound bug:

UserWarning: passlib.hash.bcrypt: Your installation of the 'pybcrypt' backend is vulnerable to the bsd wraparound bug, and should be upgraded or replaced with another backend (this warning will be fatal under passlib 1.7)

Aside from being a serious security vulnerability, being fatal in passlib 1.7+ means it will also make Flask-User unusable under that version until fixed.

Alternative backends supported by passlib like bcrypt should be considered switching to.

Happens if I delete the DB file. Works if I leave it alone for a few. Nothing with variables, this is all something with Flask-User Full Traceback:

Traceback (most recent call last):
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask/app.py", line 2309, in __call__
    return self.wsgi_app(environ, start_response)
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask/app.py", line 2295, in wsgi_app
    response = self.handle_exception(e)
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask/app.py", line 1741, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask/_compat.py", line 35, in reraise
    raise value
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask/app.py", line 2292, in wsgi_app
    response = self.full_dispatch_request()
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask/app.py", line 1815, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask/app.py", line 1718, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask/_compat.py", line 35, in reraise
    raise value
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask/app.py", line 1813, in full_dispatch_request
    rv = self.dispatch_request()
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask/app.py", line 1799, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/ec2-user/environment/AmusedGrape/ask/server.py", line 128, in home_page
    return render_template('index.html')
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask/templating.py", line 133, in render_template
    ctx.app.update_template_context(context)
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask/app.py", line 792, in update_template_context
    context.update(func())
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask_login/utils.py", line 368, in _user_context_processor
    return dict(current_user=_get_user())
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask_login/utils.py", line 335, in _get_user
    current_app.login_manager._load_user()
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask_login/login_manager.py", line 359, in _load_user
    return self.reload_user()
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask_login/login_manager.py", line 321, in reload_user
    user = self.user_callback(user_id)
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask_user/user_manager.py", line 130, in load_user_by_user_token
    user = self.db_manager.UserClass.get_user_by_token(user_token)
  File "/home/ec2-user/environment/AmusedGrape/ask/flask/lib/python3.6/dist-packages/flask_user/user_mixin.py", line 52, in get_user_by_token
    user_password = '' if user_manager.USER_ENABLE_AUTH0 else user.password[-8:]
AttributeError: 'NoneType' object has no attribute 'password'

Using Flask-User for the first time. For the most part, I'm pretty impressed. Great project, well executed. Apologies in advance for the lengthy issue posting, but I hope all the extra detail is helpful.

The problem

I've just spent quite a while tracking down a number of unexpected behaviors due to a schema assumption that I have not found explicitly stated in the project documentation. I'm using the SQLAlchemyAdapter in my project.

For quite some time, it was impossible to figure out what was going on because there were no errors thrown by Flask-User. Instead, when it found itself unable to do something, it just dropped me back to the login page without alerting me to what the actual failure was (in dev/debug mode).

Pretty much every single bit of functionality that works with a User object expects to do so via an explicit id column/attribute existing on the User model itself.

I'm pretty sure I'm not alone in the Python world in not using id as my primary key column in my db models--because id() is part of Python's __builtin__ module. Kind of like how I never use type as an attribute, for the same reason. Instead, I've long made it a habit of using pk as the primary key attribute in db models.

How does this matter to Flask-User?

Well, in some places, I was initially able to get around this by adding an id property to my model (trying to not have to create a model with a primary key attribute different from all the other application models):

@property
def id(self):
    return self.pk

This worked for a bit, in certain spots, until I started tackling password resets. I was able to get a reset email sent off successfully, but each time I clicked on the link, I was told the token was invalid. I verified the token myself, and it was indeed valid. I also verified it had not expired (it'd only been a few seconds, but anything could happen, right?). I checked directly with the database to ensure it was indeed saved to the User object. It was.

So, I started debugging the logic from the built in reset_password() view function. That's when I landed on the problem being in UserManager.find_user_by_id(). It was returning no User object. Here's a quick refresher on the logic I copied over:

#  from reset_password() view
mgr = current_app.user_manager
is_valid, has_expired, user_id = mgr.verify_token(token, mgr.reset_password_expiration)
# returns: is_valid=True, has_expired=False, user_id=123

# next up, find the user who owns the token
user = mgr.find_user_by_id(user_id)  # here, user is None

Interestingly enough, UserManager.verify_token() was returning the user_id for the token provided to the view. So, that's when I figured it was the id attribute itself--something must be happening in the query that was actually passing an id=user_id instead of relying on a more abstract query that doesn't assume the name of the primary key column. I also guessed that my id property def was screwing up raising a helpful error (it was).

So, I checked out the find_user_by_id() source, and found:

# inside flask_user/__init__.py
def find_user_by_id(self, user_id):
        return self.db_adapter.find_object(self.db_adapter.UserClass, id=user_id)

That call to SQLAlchemyAdapter.find_object in turn calls:

# inside db_adapters.py
query = query.filter(field==field_value)  # case sensitive!!

Eureka!

That filter() method from SQLAlchemy is an attribute-specific query method. So, it wasn't failing because my id property was an attribute, but it was failing to have the desired effect (finding the user by its primary key value).

I know, I know, this wouldn't be happening if I'd just used the id column like the docs show.

The problem is, I didn't actually notice the User model schema until I was hours into working with Flask-User. I know, still my fault. But I wanted to create this issue anyway, both to offer some feedback, and provide some help in case others experience the same thing.

Suggestions for schema-agnostic primary key queries

The major motivator for submitting this issue is to suggest this is, while still arguably a developer's fault for not thinking the schema matters so dearly, an opportunity to improve Flask-User's handling of primary key queries and any needs to refer to and/or work with User objects by their primary key values.

I'm not sure about the other db adapter classes, but I know SQLAlchemy offers a handy helper method when it comes to looking up objects by their primary keys -- it's the Query.get() method! All you have to do is provide it the object's primary key as a single argument (no field names, keywords, or anything else required). An example implementation could be as simple as:

# in db_adapters.py
# for SQLAlchemy, not sure about others

def get_object(self, ObjectClass, pk):
        """ Find single object of class 'ObjectClass' by specified primary key"""
        return ObjectClass.query.get(pk)

Query.get() is guaranteed to always return one and only one object based on its underlying identity field as defined in its model. So, it's the easiest query that can be made via SQLAlchemy. It would also help make Flask-User less coupled to an assumed schema for User models.

Suggestion for schema-agnostic primary key usage

Because Flask-User depends on Flask-Login (and even offers its own UserMixin developers can use that extend's Flask-Login's own UserMixin class), I felt like this was a pretty good situation to highlight how relying on certain schema columns/attributes was a bit too much coupling for an extension.

Flask-Login already expects a get_id() method, and its UserMixin includes this method, as well as instructing developers to implement their own method if they need to specify how to get the id value for their custom User models. Moreover, it also instructs developers to specify their own user_loader() method to ensure that whatever the id value is, the LoginManager can query it from the db. I haven't gone through all the Flask-User code, but it seems to me the best de-coupled approach would be for Flask-User to rely, like Flask-Login does, on the result of the get_id() method whenever it needs a User object's primary key value. When it needs to query by that value, it should use the query.get() method from SQLAlchemy, instead of filtering on a schema-dependent primary key attribute value.

From what I can see, Flask-User implements the Flask-Login requirement for a user_loader method via its _user_loader() method. That method calls the schema-dependent find_user_by_id() method that I've already detailed above. Based on my suggestions, and barring any other areas I haven't yet found in the code, if find_user_by_id() was changed to use a get() instead of a filter() query call, this would instantly decouple Flask-User from its schema dependence for primary keys (for SQLAlchemy, at least).

It doesn't solve other schema-dependence issues, but those attributes are, for the most part, pretty sensible as far as field names are concerned (and they don't clash with __builtin__ methods/keywords). However, I still think it'd be helpful to point out that the fields are required--and required to be named exactly as they appear--in the docs. Even better would be to offer users a way to specify those fields that Flask-User requires for its functionality to work properly. That could be as easy as a dict or tuple passed in so people could specify field mappings.

Thanks for an overall fantastic extension.

I'm using minimal app version. Is it possible to add the remember_me option with Flask-User? Also, why there is no recipe or example that shows how to use Flask-User with 'session'.

Flask_User is breaking the installation on AWS using ElasticBeanStalk. The specific portion of the error log is as follows:

Collecting Flask-User==1.0.1.3 (from -r /opt/python/ondeck/app/requirements.txt (line 16))
Using cached https://files.pythonhosted.org/packages/fd/e6/092c5c74251372568665f59e4df78d3450992289d5023e2abb77eee7b905/Flask-User-1.0.1.3.tar.gz
Complete output from command python setup.py egg_info:

Installed /tmp/pip-build-k2s8h7v3/Flask-User/.eggs/Flask_Login-0.4.1-py3.6.egg
Searching for Flask
Downloading https://files.pythonhosted.org/packages/c1/ff/bd9a4d2d81bf0c07d9e53e8cd3d675c56553719bbefd372df69bf1b3c1e4/Flask-Login-0.4.1.tar.gz#sha256=c815c1ac7b3e35e2081685e389a665f2c74d7e077cb93cecabaea352da4752ec
Best match: Flask Login-0.4.1
Processing Flask-Login-0.4.1.tar.gz
Writing /tmp/easy_install-wwxz50l_/Flask-Login-0.4.1/setup.cfg
Running Flask-Login-0.4.1/setup.py -q bdist_egg --dist-dir /tmp/easy_install-wwxz50l_/Flask-Login-0.4.1/egg-dist-tmp-qnbi69bv
removing '/tmp/pip-build-k2s8h7v3/Flask-User/.eggs/Flask_Login-0.4.1-py3.6.egg' (and everything under it)
creating /tmp/pip-build-k2s8h7v3/Flask-User/.eggs/Flask_Login-0.4.1-py3.6.egg
Extracting Flask_Login-0.4.1-py3.6.egg to /tmp/pip-build-k2s8h7v3/Flask-User/.eggs

Installed /tmp/pip-build-k2s8h7v3/Flask-User/.eggs/Flask_Login-0.4.1-py3.6.egg
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/tmp/pip-build-k2s8h7v3/Flask-User/setup.py", line 87, in <module>
tests_require=['pytest'],
File "/usr/lib64/python3.6/distutils/core.py", line 108, in setup
_setup_distribution = dist = klass(attrs)
File "/opt/python/run/venv/local/lib/python3.6/site-packages/setuptools/dist.py", line 315, in __init__
self.fetch_build_eggs(attrs['setup_requires'])
File "/opt/python/run/venv/local/lib/python3.6/site-packages/setuptools/dist.py", line 361, in fetch_build_eggs
replace_conflicting=True,
File "/opt/python/run/venv/local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 853, in resolve
raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'Flask' distribution was not found and is required by Flask-Login

----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-k2s8h7v3/Flask-User/
You are using pip version 9.0.1, however version 18.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
2019-01-09 07:00:25,743 ERROR Error installing dependencies: Command '/opt/python/run/venv/bin/pip install -r /opt/python/ondeck/app/requirements.txt' returned non-zero exit status 1
Traceback (most recent call last):
File "/opt/elasticbeanstalk/hooks/appdeploy/pre/03deploy.py", line 22, in main
install_dependencies()
File "/opt/elasticbeanstalk/hooks/appdeploy/pre/03deploy.py", line 18, in install_dependencies
check_call('%s install -r %s' % (os.path.join(APP_VIRTUAL_ENV, 'bin', 'pip'), requirements_file), shell=True)
File "/usr/lib64/python2.7/subprocess.py", line 190, in check_call
raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '/opt/python/run/venv/bin/pip install -r /opt/python/ondeck/app/requirements.txt' returned non-zero exit status 1.

Any help on the issue would be appreciated. It seems flask_user is unable to identify the existing installation of Flask library.

I just try to use Flask-User to secure Flask-Admin's views, add users with different roles.

But I have problem with integrating Flask-user's views into Flask-Admin's interface. Just changing template extending raise jinja2 extension.

I have trying to create Flask-Admin's views that will do the same thing that Flask-User's views do. But how can I remove built-in library endpoints from app?

NOTE I have tried to change view functions but it do nothing.

I'm looking to send an invite via email to a user, sort of like an admin tool to add users without them "registering" through the normal process.

I see in the USER_REQUIRE_INVITATION config variable with the comment "not yet implemented." I'm wondering if you are in the process of fleshing out this functionality or is it more of a wish list?

As it stands right now I'm attempting to manually go in and generate this process. My plan is to utilize the password reset (user_manager.generate_token(), reset_password_link, User.reset_password_token, etc.) functionality that has already been created but send it to a custom view, email template, etc.

Would you suggest this as the best course of action? The reason why I'm asking is if there is a plan to incorporate "user invitation" functionality, I would be more than willing to fork Flask-User and attempt to contribute.

Awesome package btw, the customizability and readability of the package has been really great.

If the translation block in jinja2 templates contain an expression, like the following:

{% trans %}Log in as {{username}} {% endtrans  %}

the rendering process would throw an error saying invalid key.

Is there a setting to have the user automatically logged in once they register as opposed to redirecting them to the login page? Or, do I need to override the registration call to implement this myself?

I looked through the documentation and didn't seem to find any configuration setting for such an action.

Thanks!

c88b376 tried to make things easier to manage by doing from flask_user import __version__ as flask_user_version in setup.py. However, that has an undesirable consequence: users who don't already have passlib installed could face an ImportError, preventing installation of Flask-User.

To reproduce (ensure passlib is not already installed):

$ pip install --no-cache-dir Flask-User==0.6.17
Collecting Flask-User==0.6.17 (from -r requirements.txt (line 13))
  Downloading Flask-User-0.6.17.tar.gz (62kB)
    100% |████████████████████████████████| 71kB 6.0MB/s
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-build-c6f9o6kh/Flask-User/setup.py", line 5, in <module>
        from flask_user import __version__ as flask_user_version
      File "/tmp/pip-build-c6f9o6kh/Flask-User/flask_user/__init__.py", line 7, in <module>
        from passlib.context import CryptContext
    ImportError: No module named 'passlib'

    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-c6f9o6kh/Flask-User/

Note that if the packages are cached, it could also appear to work fine, which is why --no-cache-dir is needed.

BuildError werkzeug.routing.exceptions.BuildError: Could not build url for endpoint 'signinpage'. Did you mean 'loginagent' instead?

Traceback (most recent call last) File "C:\Users\varunaveem\AppData\Local\Programs\Python\Python310\lib\site-packages\flask\app.py", line 2548, in call return self.wsgi_app(environ, start_response) File "C:\Users\varunaveem\AppData\Local\Programs\Python\Python310\lib\site-packages\flask\app.py", line 2528, in wsgi_app response = self.handle_exception(e) File "C:\Users\varunaveem\AppData\Local\Programs\Python\Python310\lib\site-packages\flask\app.py", line 2525, in wsgi_app response = self.full_dispatch_request() File "C:\Users\varunaveem\AppData\Local\Programs\Python\Python310\lib\site-packages\flask\app.py", line 1822, in full_dispatch_request rv = self.handle_user_exception(e) File "C:\Users\varunaveem\AppData\Local\Programs\Python\Python310\lib\site-packages\flask\app.py", line 1820, in full_dispatch_request rv = self.dispatch_request() File "C:\Users\varunaveem\AppData\Local\Programs\Python\Python310\lib\site-packages\flask\app.py", line 1796, in dispatch_request return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args) File "C:\Users\varunaveem\Desktop\IBM-Project-1392-1658386621-main\Final_Deliverables\Customer Care Registry\app.py", line 30, in home return render_template('index.html',mes=message) File "C:\Users\varunaveem\AppData\Local\Programs\Python\Python310\lib\site-packages\flask\templating.py", line 147, in render_template return _render(app, template, context) File "C:\Users\varunaveem\AppData\Local\Programs\Python\Python310\lib\site-packages\flask\templating.py", line 130, in _render rv = template.render(context) File "C:\Users\varunaveem\AppData\Local\Programs\Python\Python310\lib\site-packages\jinja2\environment.py", line 1301, in render self.environment.handle_exception() File "C:\Users\varunaveem\AppData\Local\Programs\Python\Python310\lib\site-packages\jinja2\environment.py", line 936, in handle_exception raise rewrite_traceback_stack(source=source) File "C:\Users\varunaveem\Desktop\IBM-Project-1392-1658386621-main\Final_Deliverables\Customer Care Registry\templates\index.html", line 1, in top-level template code {% extends 'base.html' %} File "C:\Users\varunaveem\Desktop\IBM-Project-1392-1658386621-main\Final_Deliverables\Customer Care Registry\templates\base.html", line 61, in top-level template code {% block body %} File "C:\Users\varunaveem\Desktop\IBM-Project-1392-1658386621-main\Final_Deliverables\Customer Care Registry\templates\index.html", line 48, in block 'body' <span File "C:\Users\varunaveem\AppData\Local\Programs\Python\Python310\lib\site-packages\flask\app.py", line 2031, in url_for return self.handle_url_build_error(error, endpoint, values) File "C:\Users\varunaveem\AppData\Local\Programs\Python\Python310\lib\site-packages\flask\app.py", line 2020, in url_for rv = url_adapter.build( # type: ignore[union-attr] File "C:\Users\varunaveem\AppData\Local\Programs\Python\Python310\lib\site-packages\werkzeug\routing\map.py", line 917, in build raise BuildError(endpoint, values, method, self) werkzeug.routing.exceptions.BuildError: Could not build url for endpoint 'signinpage'. Did you mean 'loginagent' instead? The debugger caught an exception in your WSGI application. You can now look at the traceback which led to the error. To switch between the interactive traceback and the plaintext one, you can click on the "Traceback" headline. From the text traceback you can also create a paste of it. For code execution mouse-over the frame you want to debug and click on the console icon on the right side.

I like Flask-User a lot it is amazing and saves me a lot of boilerplates.

You have done a really great job here 👏.

Nowadays when I create a project I use latest Bootstrap currently v5 and Flask-User uses Bootstrap v3.

So I am forced to downgrade the project bootstrap version to v3 to avoid any conflicts.

Any other solution I find in my little head 🐵 right now will bring another set of boilerplates 😅.

So is there is a chance to upgrade to latest version or pointing me to a better idea.

Thanks again for everything 😊.

Hello, First of all, congratulations for the excellent work on this project. We recently detected that the project on PyPi is listed as "Yanked". I have been reported that doing pip install Flask-User does not work due to the state of the project and the version number must be added to be able to install. On the other hand, a warning message is observed during the installation and a reason why the project is marked as Yanked is not indicated.

My questions are:

1. What can we do to avoid the mentioned problems and continue using the module normally?
2. Since when is the project marked as Yanked?
3. Is this due to a bug in the module?
4. Or is it because the project is no longer in active development and will be removed or deprecated?
5. Should we look for an alternative project?

Thank you very much

Greetings, Mauro

When USER_ENABLE_EMAIL is false, I would expect the email_validator to not be needed. It does not make sense to add this library when config explicitly states no e-mail related functionality should be used.

While working on some projects, I've found out that Flask-User doesn't properly hold initialization without passed app, db and UserClass objects. And even if you want to firstly create UserManager and then init_app, you have to do smth like UserManager(app=None, ...), which looks inconsistent and odd.

Hello, apparently Flask-User is not compatible with newest pymongo (4.0).

This is the error I get:

"TypeError: 'Collection' object is not callable. If you meant to call the 'authenticate' method on a 'Database' object it is failing because no such method exists."

You can read more about this: https://debugah.com/solved-typeerror-collection-object-is-not-callable-if-you-meant-to-call-the-authenticate-method-on-a-database-object-it-is-failing-because-no-such-method-exists-23011/