flask-security
Quick and simple security for Flask applications
For forgot and passwordless login - add 2FA via SMS/google authenticator to augment the email link. Much of the SMS framework is available from the 2FA work that was added....
I think FS should support changing/resetting of email with confirmation. It is pretty easy to implement and I believe it would be useful for a lot of different projects. What...
From SO: I have a flask application running on a production environment, and one of the user requested a password reset, which sent out an email to them with a...
OWASP https://github.com/OWASP/ASVS/blob/master/4.0/en/0x11-V2-Authentication.md#v21-password-security-requirements 2.2.1 talks about brute force mitigation: Verify that no more than 100 failed attempts per hour is possible on a single account. This can probably be implemented as...
With 2FA and unified sign in - there are now quite a few different ways users can authenticate. While these features are useful, they are 'global'. Applications might want to...
Given that client certificates are commonly regarded as the best method of verifying if the user is authorized or not it would be really nice if Flask-Security could allow such...
Core Security object now accepts classes for various logic - registration, login, etc

```python
flask_security.Security(
    app=application,
    datastore=user_datastore,
    register_form=MyCustomUserRegistrationForm,
    confirm_register_form=MyCustomConfirmUserRegistrationForm,
    login_form=MyCustomLoginForm)
```

Passing custom logic as classes means we don't have...
Hey, I am currently rewriting my edit user view. Until now, when a user changes their email address, I’ll update the mail address, deactivate the user, remove the `confirmed_at` value...
Hey, I am trying to [disable CSRF protection for token-based access](https://flask-security-too.readthedocs.io/en/stable/patterns.html#csrf-enable-protection-for-session-auth-but-not-token-auth). But I can't get it to work. The form doesn't validate because of `{'csrf_token': ['The CSRF token is missing.']}`....
- After OAuth login with Google, if the user has 2FA enabled, it cannot redirect to a custom component. It automatically redirects to /tf-validate, which has a dated UI design. Changing 'redirect_uri'...