flask-social
Flask-Social Version 1.6.3
We've got a few PRs and issues lined up, so I figured I'd create a checklist for things we'd like for Version 1.6.3 and I can work to get them in line, onto develop, and we can get a new version pushed to master and pypi shortly.
- [x] Issue #31 solved by PR #37
- [ ] Issue #24 *
- [x] Upgrade to Flask-Oauthlib as discussed in Issue #29 *
- [x] PR #33 from @pib with added tests
- [x] previous PR should allow us to implement PR #1 safely (if we are still interested)
@mattupstate would like to get feedback on this plan. The * items are ones that I will take care of, and I can take care of merging in portions of pull requests, if we decide.
Actually it was PR #33 that I was going to add tests for. I think the conclusion for #36 was that it was unneeded.
Yep. Typo, my bad. Thanks! (and fixed)
@eriktaubeneck, @mattupstate : Any update on plans to release the next version? v1.6.2 has issues with google login which seems to have been fixed on the devel branch with the move to flask-oauthlib + mods to providers/google.py. I would prefer to use Flask-Social in requirements.txt instead of the git+https:// entry for production.
@sayerhs I haven't been using flask-social at work anymore, so I haven't been able to give it nearly as much attention as I used to. Hopefully I'll get a chance soon to merge this all in, and @mattupstate can push a new version.
@eriktaubeneck Great! Let me know if there is something I can do to help speed up the process. Thanks.
@eriktaubeneck Any word on this? https://pypi.python.org/pypi/Flask-Social states 1.6.2 is still the latest and I am having issues with Google login like @sayerhs stated. Thanks!
Hey @jquacinella, sorry for the delay. I haven't been using Flask-Social at my new job, so I haven't been able to dedicate the same amount of time to the project. I believe the same is true WRT @mattupstate. We should potentially discuss bringing in more maintainers who are actively using the project.
@eriktaubeneck - I will definitely be willing to contribute. Also I think it would be good to revisit the list you have developed and see if those are still the priorities.
I think the 2 largest priorities would be switching over to Flask-Oauthlib and getting CSRF working properly.
@eriktaubeneck - It seems that https://github.com/mattupstate/flask-social/pull/37 already has migrated to Flask-Oauthlib, am I missing something?
Regarding CSRF, my understanding is that it is necessary for PUT/DELETE requests. Is that correct? My vote would be to disable that functionality, clean up the rest of the login process and then release a new version. I am not sure what the use case is for PUT/DELETE requests through json.
Ahh yes, you are correct WRT Flask-Oauthlib. It's been a little while since using the package.
For CSRF, the issue is that if you wish to use the CsrfProtect function that Flask-WTF provides, it breaks all of the social routes. You can see Issue 24 for more details. I'll also look at my old code and see if I can figure out if we got around it, it may provide clues in how to implement it.
Do you have an example of the breakage of flask social routes? Or the monkey patching code that you're using as a workaround?
All we did was manually insert a csrf_token() into the form when we posted the signup, i.e.:

```html
<form action="{{ url_for('social.connect', provider_id=provider_id) }}" method="POST">
  <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
  <button type="submit">{{ provider_id }}</button>
</form>
```
Hi Erik,
So after reading Flask-WTF documentation (http://flask-wtf.readthedocs.org/en/latest/csrf.html), it seems that this is essentially an app developer setting and the changes are mostly in the templates. So if we update the documentation and flask-social-example, I don't see anything in flask-social itself that needs fixing.
See the discussion here for more detail, but essentially the issue is not making Flask-Social compatible with CSRF, but to utilize it and protect someone from getting an account deleted through a CSRF attack.
Is someone active here?
+1