Quick and simple security for Flask applications

Overview
Issues
  • Allow manual authentication

    Allow manual authentication

    Hi, I'm currently using the stable version and am finding it really hard to be able to authenticate users manually. The main reason for requiring this is to get authentication working via an ajax call. I've noticed in the dev branch there is a utility function that looks like it might do this. Is this my only option?

    Cheers.

    opened by leaanthony 35
  • Integration and release processes.

    Integration and release processes.

    Dear @mattupstate and @jonafato:

    In the light of recent Flask-Login release, I would like to ask you about plans for this package. There are many useful PRs that deserve to be merged (#494 #502 #519 #526 #528 #537 #538 #542 #544 #549 and more). Some of them are over a year old without any comment from maintainers.

    If there is an interest I would offer my help with maintaining this package. Until the reply I am going to manage our fork so we can take benefits of the latest comunity work in both Flask-Login and Flask-Security packages.

    Kind regards, Jiri

    opened by jirikuncar 31
  • is_authenticated() etc. methods break with Flask-Login 0.3.0

    is_authenticated() etc. methods break with Flask-Login 0.3.0

    Which changes them to properties and causes them to raise TypeErrors all over the place.

    Relevant Flask-Login changelog: https://github.com/maxcountryman/flask-login/blob/5415c146df9dd560cc9475227c34866851532e9e/test_login.py

    opened by boydgreenfield 26
  • Allow overriding of an unauthorized callback.

    Allow overriding of an unauthorized callback.

    Right now, when using @http_auth_required or @auth_token_required, if the user is unauthorized only a message is returned (_default_unauthorized_html).

    With this change, it is possible to define an unauthorized callback which will be called instead.

    Example using your overholt project (overholt/api/__init__.py):

    from overholt.core import security
    
    def unauthorized():
        return jsonify(dict(error='Unauthorized')), 403
    
    def create_app(settings_override=None, register_security_blueprint=False):
        app = factory.create_app(__name__, __path__, settings_override,
                                 register_security_blueprint=register_security_blueprint)
        security.unauthorized_handler(unauthorized)
    
    

    I have tested it only with @http_auth_required, but @auth_required and @auth_token_required should work pretty much the same.

    opened by nfvs 25
  • Configurable forms

    Configurable forms

    Hi Matt,

    I've taken a stab at fixing https://github.com/mattupstate/flask-security/issues/49. This adds a set of functions like the context processor decorators. Each decorator specifies a function that returns the Form class to use for that particular view. App writers can then inherit from the existing form classes and extend with with WTForms fields as needed.

    Example

        # Given a User model with extra columns:
        #   first_name = Column(String(120))
        #   last_name = Column(String(120))
    
        security = Security(app, user_datastore)
    
        from flask_security.forms import RegisterForm
    
        class ExtendedRegisterForm(RegisterForm):
            first_name = TextField('First Name', [Required()])
            last_name = TextField('Last Name', [Required()])
    
        @security.register_form
        def security_register_form():
            return ExtendedRegisterForm
    
    

    I specifically did not go the model_form route. From earlier attempt I found that it got more verbose when using as opposed to this.

    Let me know if anything needs changing.

    opened by eskil 23
  • FLASH_MESSAGES configuration does not seem to be working.

    FLASH_MESSAGES configuration does not seem to be working.

    I am trying to disable flash messages in general; using the following FLASH_MESSAGES = False

    When I try an login with invalid credentails it still displays the flash message. Why is that? How do I turn it off.

    invalid question 
    opened by Ben095 19
  • Not getting user_registered signal

    Not getting user_registered signal

    I don't get the user_registered signal from flask-security. I have it set up this way:

    ...
    from flask import Flask
    from flask.ext.security.signals import user_registered
    app = Flask(__name__)
    ...
    @user_registered.connect_via(app)
    def user_registered_sighandler(sender, **extra):
        print "user_registered_sighandler"
    

    The user does get created and I do get the welcome email, so the register_user function in https://github.com/mattupstate/flask-security/blob/develop/flask_security/registerable.py#L26 is being executed, but the signal send is not reaching my handler. Can anyone help? I'm using: Flask==0.9, Flask-Security==1.5.4, blinker==1.2

    opened by ekw 17
  • changes required to work with recent version of flask-login

    changes required to work with recent version of flask-login

    This likely is BREAKING with the packaged version of flask-login.

    We probably want a way to get backward compatibility with the released version of flask-login... or do/should we expect flask-login to implement that backward compatibility ?

    opened by asmodehn 16
  • Possibility to change password encryption

    Possibility to change password encryption

    Hello!

    I've made the horrible mistake of not setting SECURITY_PASSWORD_HASH to something other than plain text and was hoping there was a way to either change all the password to a hashed format on the fly?

    It would be pretty cool in the future if there was a method for this kind of stuff :)

    opened by Dinoshauer 16
  • Feedback on Flask-Script commands / manager

    Feedback on Flask-Script commands / manager

    I submitted a pull request to Flask-Script to allow for nested managers and would like your feedback on it. If accepted, it would be nice to have a preconfigured manager instance (the pull request actually shows an example of how flask-security could work).

    https://github.com/rduplain/flask-script/pull/39

    Thanks.

    feature dependency 
    opened by techniq 16
  • Maximum recursion depth exceeded

    Maximum recursion depth exceeded

    If the security object gets initialized before the app exists (i.e. using the factory method) and init_app is called later, security._state is never set. This makes sense because _state is dependent upon the app, however, when an attribute on security is accessed, the redefinition of __getattr__ looks for _state, which isn't set, so __getattr__ get's called, looks for _state, etc, and then bam

    RuntimeError: maximum recursion depth exceeded while calling a Python object
    

    I opened a PR, but closed it because I'm not sure if it's the right fix. I solved the issue myself by doing:

    security = app.extensions['security']
    @security.login_context_processor
    ...
    

    but at the very least, I think there should be a better exception that gets raised (the max recursion depth really threw me off for a bit.) The solution in the PR would work, but would require the above to become something like

    with app.app_context():
        @security.login_context_processor
        ...
    

    which maybe works? Curious what other people think is a good solution.

    wontfix 
    opened by eriktaubeneck 15
  • @auth_required JSON Response

    @auth_required JSON Response

    I need @auth_required decorator to return JSON response instead of HTML since I'm working with SPA. Can anyone help me by giving a simple example please. I'm stuck guys with the documentation.

    opened by Aaron-Ochieng 3
  • [Question] Is there any way to use Google auth with SPA?

    [Question] Is there any way to use Google auth with SPA?

    I have a SPA application in Vue and using Flask backend with Flask-Security-Too. The auth with username & password works correctly, but I'd like to add Google handling to app (later Facebook too). I imagine something like:

    • On my Vue frontend the user clicks on "Login with Google"
    • The frontend passes the userdata (e-mail, name, avatar, id etc...) for backend,
    • I save the recievied data on backend, and return session data for frontend (I'm not sure about this) What's the best and safest way to implement this with Flask-Security-Too?

    Thanks in advance!

    opened by husudosu 1
  • 2FA whitelist

    2FA whitelist

    In our application, we would like to disable 2FA for certain IP addresses (located in the corporate network). It seems to me that this is impossible with the current implementation of 2FA in flask-security.

    It seems to me that it would require adding another setting (SECURITY_TWO_FACTOR_IP_WHITELIST?) and updating this condition:

    flask_security/views.py:164

    if cv("TWO_FACTOR"):
    

    to check whether the IP address of the request is on the whitelist.

    What do you think?

    opened by lchojnacki 1
  • Not using flask mail

    Not using flask mail

    Hello, I have started using the api for twilio's sendgird. However, flask security uses flask mail. Can that be overridden? I do not use mail=Mail(app) since I am not using Flask Mail. Sending a change password email will not work. Thank you. Paul.

    opened by Paulfuther 1
  • Open CVE, please consider to yank pypi versions

    Open CVE, please consider to yank pypi versions

    Hi,

    there is an open CVE for flask-security that has already been adressed in the fork. It seems, this package will not receive more updates.

    Are you aware that Pypi nowadays offers the possibility to yank Package releases? When you yank all versions on pypi, one gets an error when installing a flask-security package when not specifying a version. When explicitly asking for a specific version, one still gets that version installed, just with a warning. This provides a good middleground, new projects will understand that they should look for something with active maintenance or take over maintenance, and existing projects can choose what to do, but aren’t left dead on the road with a package that can’t be installed any more.

    So could you consider to yank the PyPI Releases of flask-security?

    Pinging @jonafato here because he looks active on github and has pypi permissions for this package.

    opened by do3cc 2
  • QueuePool limit of size overflow when frequently login and out

    QueuePool limit of size overflow when frequently login and out

    I followed the document example of flask security with sqlAlchemy from: basic-sqlalchemy-application-with-session

    When I was testing the login function, after frequent login and logout(more than 20 time in one minute), the application will crash down and raise exception:

    sqlalchemy.exc.TimeoutError: QueuePool limit of size 10 overflow 10 reached, connection timed out, timeout 30 (Background on this error at: http://sqlalche.me/e/13/3o7r)

    opened by yanqingjing 0
Owner
Matt Wright
Matt Wright
Strong, Simple, and Precise security for Flask APIs (using jwt)

flask-praetorian Strong, Simple, and Precise security for Flask APIs API security should be strong, simple, and precise like a Roman Legionary. This p

Tucker Beck 312 May 27, 2022
Strong, Simple, and Precise security for Flask APIs (using jwt)

flask-praetorian Strong, Simple, and Precise security for Flask APIs API security should be strong, simple, and precise like a Roman Legionary. This p

Tucker Beck 266 Feb 15, 2021
Flask JWT Router is a Python library that adds authorised routes to a Flask app.

Read the docs: Flask-JWT-Router Flask JWT Router Flask JWT Router is a Python library that adds authorised routes to a Flask app. Both basic & Google'

Joe Gasewicz 52 Mar 26, 2022
User Authentication in Flask using Flask-Login

User-Authentication-in-Flask Set up & Installation. 1 .Clone/Fork the git repo and create an environment Windows git clone https://github.com/Dev-Elie

ONDIEK ELIJAH OCHIENG 19 May 20, 2022
Simple yet powerful authorization / authentication client library for Python web applications.

Authomatic Authomatic is a framework agnostic library for Python web applications with a minimalistic but powerful interface which simplifies authenti

null 984 May 31, 2022
Simple yet powerful authorization / authentication client library for Python web applications.

Authomatic Authomatic is a framework agnostic library for Python web applications with a minimalistic but powerful interface which simplifies authenti

null 962 Feb 4, 2021
Simple yet powerful authorization / authentication client library for Python web applications.

Authomatic Authomatic is a framework agnostic library for Python web applications with a minimalistic but powerful interface which simplifies authenti

null 962 Feb 19, 2021
This script will pull and analyze syscalls in given application(s) allowing for easier security research purposes

SyscallExtractorAnalyzer This script will pull and analyze syscalls in given application(s) allowing for easier security research purposes Goals Teach

Truvis Thornton 19 Apr 12, 2022
Corsair_scan is a security tool to test Cross-Origin Resource Sharing (CORS).

Welcome to Corsair_scan Corsair_scan is a security tool to test Cross-Origin Resource Sharing (CORS) misconfigurations. CORS is a mechanism that allow

Santander Security Research 115 Apr 25, 2022
row level security for FastAPI framework

Row Level Permissions for FastAPI While trying out the excellent FastApi framework there was one peace missing for me: an easy, declarative way to def

Holger Frey 262 May 27, 2022
API-key based security utilities for FastAPI, focused on simplicity of use

FastAPI simple security API key based security package for FastAPI, focused on simplicity of use: Full functionality out of the box, no configuration

Tolki 111 May 27, 2022
Luca Security Concept

Luca Security Concept This is the document source of luca's security concept. Please go here for the HTML version: https://luca-app.de/securityconcept

luca 44 Feb 18, 2022
Simple extension that provides Basic, Digest and Token HTTP authentication for Flask routes

Flask-HTTPAuth Simple extension that provides Basic and Digest HTTP authentication for Flask routes. Installation The easiest way to install this is t

Miguel Grinberg 1.1k Jun 1, 2022
Simple extension that provides Basic, Digest and Token HTTP authentication for Flask routes

Flask-HTTPAuth Simple extension that provides Basic and Digest HTTP authentication for Flask routes. Installation The easiest way to install this is t

Miguel Grinberg 940 Feb 13, 2021
Simple Login - Login Extension for Flask - maintainer @cuducos

Login Extension for Flask The simplest way to add login to flask! Top Contributors Add yourself, send a PR! How it works First install it from PyPI. p

Flask Extensions 171 May 30, 2022
Simple Login - Login Extension for Flask - maintainer @cuducos

Login Extension for Flask The simplest way to add login to flask! Top Contributors Add yourself, send a PR! How it works First install it from PyPI. p

Flask Extensions 132 Feb 10, 2021
Simple Login - Login Extension for Flask - maintainer @cuducos

Login Extension for Flask The simplest way to add login to flask! How it works First, install it from PyPI: $ pip install flask_simplelogin Then, use

Flask Extensions 171 May 30, 2022
Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.

Welcome to django-allauth! Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (soc

Raymond Penners 7.2k May 31, 2022
Simplifying third-party authentication for web applications.

Velruse is a set of authentication routines that provide a unified way to have a website user authenticate to a variety of different identity provider

Ben Bangert 253 Jan 20, 2022