Typing Part 3.
This adds types to the Security constructor and init_app. This required major refactoring of how initialization happened since prior to this
all arguments were added to kwargs (including default forms, config variables, etc) then set as attributes on the instance. Not easy to provide types for each one.
We remove all that, remove the _SecurityState class and concept.

Furthermore - in many places - we change from using _security.attr and use config_value("xxx").

Improve performance of config_value - no reason to create a dictionary every time - just query the key!

Add typing to more tests and views to help verify the types make sense.

Fix view responses - the types should be flask.ResponseValue - not Response

Fix 'within' and 'grace' typing - they can take floats.

closes: #140
jwag956 committed Jul 11, 2021
1 parent e52eb16 commit c263fde
Showing 13 changed files with 587 additions and 409 deletions.
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
Expand Up @@ -14,7 +14,7 @@ repos:
- id: check-merge-conflict
- id: fix-byte-order-marker
- repo: https://github.com/asottile/pyupgrade
rev: v2.19.4
rev: v2.20.0
hooks:
- id: pyupgrade
args: [--py36-plus]
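Review bot: The pyupgrade hook bump from v2.19.4 to v2.20.0 is unrelated to the typing work and is not mentioned in the commit message. Consider moving it to its own commit so that reverting the typing refactor does not also roll back the tooling version.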
19 changes: 12 additions & 7 deletions CHANGES.rst
Expand Up @@ -8,23 +8,22 @@ Version 4.1.0

Released TBD

This release was bumped to 4.1.0 on the small chance that the change in the way
babel packages are tried and used might break existing applications.

Features
++++++++
- (:issue:`474`) Add public API and CLI command to change a user's password.
- (:issue:`140`) Add type hints. Please note that many of the packages that flask-security
depends on aren't typed yet - so there are likely errors in some of the types.

Fixes
+++++
- (:issue:`483`) 4.0 doesn't accept 3.4 authentication tokens. (kuba-lilz)
- (:issue:`490`) Flask-Mail sender name can be a tuple. (hrishikeshrt)
- (:issue:`486`) Possible open redirect vulnerability.
- (:pr:`478`) Improve/update German translation. (sr-verde)
- (:issue:`488`) Improve handling of Babel packages
- (:issue:`488`) Improve handling of Babel packages.
- (:pr:`496`) Documentation improvements, distribution extras, fix single message
override.
- (:issue:`497`) Improve cookie handling and default samesite to Strict
override.
- (:issue:`497`) Improve cookie handling and default ``samesite`` to ``Strict``.

Backwards Compatibility Concerns
+++++++++++++++++++++++++++++++++
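Review bot: The Fixes entry for issue 497 says only that cookie handling was improved and that ``samesite`` now defaults to ``Strict``, without naming the cookies affected. The Backwards Compatibility section names CSRF_COOKIE and TWO_FACTOR_VALIDITY; repeating those names in the Fixes entry, or pointing to that section, would let a reader scanning Fixes see which cookies changed behaviour.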
Expand All @@ -39,8 +38,14 @@ Backwards Compatibility Concerns
one of the other package - however if those modules are NOT initialized,
Flask-Security will simply ignore them and no translations will occur.
- (:issue:`497`) The CSRF_COOKIE and TWO_FACTOR_VALIDITY cookie had their defaults
changed to set ``samesite=Strict``. This follows the Flask-Security directive of
changed to set ``samesite=Strict``. This follows the Flask-Security goal of
making things more secure out-of-the-box.
- (:issue:`140`) Type hinting. For the most part this of course has no runtime effects.
However, this required a fairly major overhaul of how Flask-Security is initialized in
order to provide valid types for the many constructor attributes. There are no known
compatability concerns - however initialization used to convert all arguments into kwargs
then add those as attributes and merge with application constants. That no longer happens
and it is possible that some corner cases don't behave precisely as they did before.

Version 4.0.1
-------------
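Review bot: The issue 140 compatibility note describes the change in how constructor arguments are handled but does not say that the _SecurityState class was removed, which the commit message states. Naming the removed class here would give anyone who referenced it something to search for when upgrading. Also, "compatability" in this entry should be "compatibility".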
3 changes: 3 additions & 0 deletions docs/conf.py
Expand Up @@ -100,6 +100,7 @@
nitpick_ignore = [
("py:attr", "LoginManager.unauthorized"),
("py:class", "flask_mongoengine.MongoEngine"),
("py:class", "ResponseValue"),
("py:class", "function"),
]
autodoc_typehints = "description"
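Review bot: The ("py:class", "ResponseValue") entry in nitpick_ignore silences the unresolved-reference warning without saying why the reference cannot be resolved. A short comment next to the entry giving the reason would tell a later maintainer when it can be dropped; as written it cannot be told apart from an ignore that hides a genuinely broken cross-reference.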
Expand All @@ -112,7 +113,9 @@
"itsdangerous": ("https://itsdangerous.palletsprojects.com/", None),
"sqlalchemy": ("https://docs.sqlalchemy.org/", None),
"wtforms": ("https://wtforms.readthedocs.io/", None),
"flask_wtforms": ("https://flask-wtf.readthedocs.io", None),
"flask_sqlalchemy": ("https://flask-sqlalchemy.palletsprojects.com/", None),
"flask_login": ("https://flask-login.readthedocs.io/en/latest/", None),
"passlib": ("https://passlib.readthedocs.io/en/stable", None),
}
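Review bot: The flask_login entry points at /en/latest/ while the passlib entry points at /en/stable, so flask_login cross-references follow unreleased documentation while passlib ones do not. Pick one policy for both. The flask_wtforms URL also lacks the trailing slash that most of the other entries carry, and its key does not match the flask-wtf name in its URL.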
