Skip to content

Commit

Permalink
Merge pull request #471 from dpgaspar/update-dependencies
Browse files Browse the repository at this point in the history 
Updated dependencies and prepare for new release
  • Loading branch information
@dpgaspar
dpgaspar committed Jun 11, 2017
2 parents f22ead4 + d316ad4 commit 443eef2
Show file tree
Hide file tree
Showing 14 changed files with 166 additions and 56 deletions.
4 changes: 3 additions & 1 deletion README.rst
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,9 @@ Lots of `examples <https://github.com/dpgaspar/Flask-AppBuilder/tree/master/exam
Package Version
---------------

*New 1.8.1*.
*New 1.9.0*.

BREAKING CHANGES relative to 1.8.1 when using OAUTH authentication method.

If you're already using F.A.B.
read carefully the `migration <http://flask-appbuilder.readthedocs.org/en/latest/versionmigration.html>`_ procedures.
Expand Down
53 changes: 53 additions & 0 deletions docs/versionmigration.rst
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,59 @@
Version Migration
=================

Migrating to 1.9.0
------------------

If you are using OAuth for authentication, this release will break your logins. This break is due to two reasons

One:


There was a security issue when using the default builtin information getter for the providers
(see github: Prevent masquerade attacks through oauth providers #472)
This fix will prepend the provider to the user id. So you're usernames will look like 'google_<USER_ID>'

Two:


For google OAuth we migrated from the old and deprecated google plus API to OAuth2/v2, the old User.username field
was based on the Google Plus display name, and now is based on a Google user_id.


In order to upgrade without breaking, you can override the current default OAuth information getter using something like this::


@appbuilder.sm.oauth_user_info_getter
def get_oauth_user_info(sm, provider, response=None):
# for GITHUB
if provider == 'github' or provider == 'githublocal':
me = sm.oauth_remotes[provider].get('user')
return {'username': me.data.get('login')}
# for twitter
if provider == 'twitter':
me = sm.oauth_remotes[provider].get('account/settings.json')
return {'username': me.data.get('screen_name', '')}
# for linkedin
if provider == 'linkedin':
me = sm.oauth_remotes[provider].get('people/~:(id,email-address,first-name,last-name)?format=json')
return {'username': me.data.get('id', ''),
'email': me.data.get('email-address', ''),
'first_name': me.data.get('firstName', ''),
'last_name': me.data.get('lastName', '')}
# for Google
if provider == 'google':
me = sm.oauth_remotes[provider].get('userinfo')
return {'username': me.data.get('id', ''),
'first_name': me.data.get('given_name', ''),
'last_name': me.data.get('family_name', ''),
'email': me.data.get('email', '')}


There was a Fix for the **oauth_user_info_getter** decorator also, now it will obey the doc definition.

Any help you need feel free to submit an Issue!


Migrating to 1.8.0
------------------

Expand Down
26 changes: 26 additions & 0 deletions docs/versions.rst
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,32 @@
Versions
========

Improvements and Bug fixes on 1.9.0
-----------------------------------

- Fix, Decorator oauth_user_info_getter was not according the docs, parameter bug.
- Fix, #474 Missing menu deviders
- Fix, #472 Prevent masquerade attacks through oauth providers.
- New, Optional TLS for LDAP Authentication.
- Fix, Factory setup was failing when babel get locale was being called.
- New, Bootstrap updated to version 3.3.7.
- New, flask-sqlalchemy updated to version 2.1.
- New, #453 Added support for users to login with their username or email address.
- Fix, #467 two instances of urls being generated wrongly when running under a prefix.
- Fix, redirect to actual index view rather than '/' on logout for DBAuthView.
- Fix, form actions not working under a prefix for CompactCRUDMixin.
- Fix, #457 Don't overwrite csrf_token on form fill.
- Fix, #453 [rest api] improve error messages, and return item object upon create/update.
- New, flask-babel update.
- Fix, #409 Google Oauth login and self registration.
- New, #402 column_formatters to ModelView.
- New, #374 default autosizing to app image (if any).
- New, #393 More sensible default page size.
- Fix, #397 security: don't crash on oauth errors.
- Fix, #395 flask_wtf.Form has been renamed to FlaskForm.
- Fix, #354 Improved spanish translation.
- Fix, #352 some i18n related bugs.

Improvements and Bug fixes on 1.8.1
-----------------------------------

Expand Down
29 changes: 29 additions & 0 deletions examples/oauth/app/views.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,35 @@ def form_post(self, form):
else:
flash(self.message, 'info')

"""
Example of an decorator to override the OAuth provider information getter
@appbuilder.sm.oauth_user_info_getter
def get_oauth_user_info(sm, provider, response=None):
# for GITHUB
if provider == 'github' or provider == 'githublocal':
me = sm.oauth_remotes[provider].get('user')
return {'username': "github_" + me.data.get('login')}
# for twitter
if provider == 'twitter':
me = sm.oauth_remotes[provider].get('account/settings.json')
return {'username': "twitter_" + me.data.get('screen_name', '')}
# for linkedin
if provider == 'linkedin':
me = sm.oauth_remotes[provider].get('people/~:(id,email-address,first-name,last-name)?format=json')
return {'username': "linkedin_" + me.data.get('id', ''),
'email': me.data.get('email-address', ''),
'first_name': me.data.get('firstName', ''),
'last_name': me.data.get('lastName', '')}
# for Google
if provider == 'google':
me = sm.oauth_remotes[provider].get('userinfo')
return {'username': me.data.get('id', ''),
'first_name': me.data.get('given_name', ''),
'last_name': me.data.get('family_name', ''),
'email': me.data.get('email', '')}
"""


appbuilder.add_view(SendTweet, "Tweet", icon="fa-twitter", label='Tweet')

Expand Down
34 changes: 17 additions & 17 deletions examples/oauth/config.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,24 +35,24 @@
OAUTH_PROVIDERS = [
{'name':'twitter', 'icon':'fa-twitter',
'remote_app': {
'consumer_key':os.environ.get('TWITTER_KEY'),
'consumer_secret':os.environ.get('TWITTER_SECRET'),
'base_url':'https://api.twitter.com/1.1/',
'request_token_url':'https://api.twitter.com/oauth/request_token',
'access_token_url':'https://api.twitter.com/oauth/access_token',
'authorize_url':'https://api.twitter.com/oauth/authenticate'}
'consumer_key': os.environ.get('TWITTER_KEY'),
'consumer_secret': os.environ.get('TWITTER_SECRET'),
'base_url': 'https://api.twitter.com/1.1/',
'request_token_url': 'https://api.twitter.com/oauth/request_token',
'access_token_url': 'https://api.twitter.com/oauth/access_token',
'authorize_url': 'https://api.twitter.com/oauth/authenticate'}
},
{'name':'google', 'icon':'fa-google', 'token_key':'access_token',
{'name': 'google', 'icon': 'fa-google', 'token_key': 'access_token',
'remote_app': {
'consumer_key':'GOOGLE_KEY',
'consumer_secret':'GOOGLE_SECRET',
'base_url':'https://www.googleapis.com/plus/v1/',
'request_token_params':{
'scope': 'https://www.googleapis.com/auth/userinfo.email'
'consumer_key': os.environ.get('GOOGLE_KEY'),
'consumer_secret': os.environ.get('GOOGLE_SECRET'),
'base_url': 'https://www.googleapis.com/oauth2/v2/',
'request_token_params': {
'scope': 'email profile'
},
'request_token_url':None,
'access_token_url':'https://accounts.google.com/o/oauth2/token',
'authorize_url':'https://accounts.google.com/o/oauth2/auth'}
'request_token_url': None,
'access_token_url': 'https://accounts.google.com/o/oauth2/token',
'authorize_url': 'https://accounts.google.com/o/oauth2/auth'}
}
]

Expand All @@ -63,10 +63,10 @@
#AUTH_ROLE_PUBLIC = 'Public'

# Will allow user self registration
#AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION = True

# The default user self registration role
#AUTH_USER_REGISTRATION_ROLE = "Public"
AUTH_USER_REGISTRATION_ROLE = "Admin"

# When using LDAP Auth, setup the ldap server
#AUTH_LDAP_SERVER = "ldap://ldapserver.new"
Expand Down
14 changes: 8 additions & 6 deletions flask_appbuilder/babel/manager.py
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
import os
from flask import session
from flask import session, has_request_context
from flask_babel import Babel
from ..basemanager import BaseManager
from .. import translations
Expand Down Expand Up @@ -35,8 +35,10 @@ def babel_default_locale(self):
return self.appbuilder.get_app.config['BABEL_DEFAULT_LOCALE']

def get_locale(self):
locale = session.get('locale')
if locale:
return locale
session['locale'] = self.babel_default_locale
return session['locale']
if has_request_context():
locale = session.get('locale')
if locale:
return locale
session['locale'] = self.babel_default_locale
return session['locale']

31 changes: 16 additions & 15 deletions flask_appbuilder/security/manager.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -318,15 +318,14 @@ def my_oauth_user_info(sm, provider, response=None):
return {}
"""
def wraps(provider, response=None):
ret = f(self.oauth_remotes, provider, response=response)
ret = f(self, provider, response=response)
# Checks if decorator is well behaved and returns a dict as supposed.
if not type(ret) == dict:
log.error("OAuth user info decorated function did not returned a dict, but: {0}".format(type(ret)))
return {}
return ret
self.oauth_user_info = wraps
return wraps


def get_oauth_token_key_name(self, provider):
"""
Expand Down Expand Up @@ -371,30 +370,30 @@ def get_oauth_user_info(self, provider, resp=None):
if provider == 'github' or provider == 'githublocal':
me = self.appbuilder.sm.oauth_remotes[provider].get('user')
log.debug("User info from Github: {0}".format(me.data))
return {'username': me.data.get('login')}
return {'username': "github_" + me.data.get('login')}
# for twitter
if provider == 'twitter':
me = self.appbuilder.sm.oauth_remotes[provider].get('account/settings.json')
log.debug("User info from Twitter: {0}".format(me.data))
return {'username': me.data.get('screen_name','')}
return {'username': "twitter_" + me.data.get('screen_name', '')}
# for linkedin
if provider == 'linkedin':
me = self.appbuilder.sm.oauth_remotes[provider].get('people/~:(id,email-address,first-name,last-name)?format=json')
log.debug("User info from Linkedin: {0}".format(me.data))
return {'username': me.data.get('id',''),
'email': me.data.get('email-address',''),
'first_name': me.data.get('firstName',''),
'last_name': me.data.get('lastName','')}
return {'username': "linkedin_" + me.data.get('id', ''),
'email': me.data.get('email-address', ''),
'first_name': me.data.get('firstName', ''),
'last_name': me.data.get('lastName', '')}
# for Google
if provider == 'google':
me = self.appbuilder.sm.oauth_remotes[provider].get('userinfo')
log.debug("User info from Google: {0}".format(me.data))
return {'username': me.data.get('id',''),
'first_name': me.data.get('given_name',''),
'last_name': me.data.get('family_name',''),
'email': me.data.get('email','')}
else: return {}

return {'username': "google_" + me.data.get('id', ''),
'first_name': me.data.get('given_name', ''),
'last_name': me.data.get('family_name', ''),
'email': me.data.get('email', '')}
else:
return {}

def register_views(self):
if self.auth_user_registration:
Expand Down Expand Up @@ -588,7 +587,6 @@ def _bind_ldap(self, ldap, con, username, password):
except ldap.INVALID_CREDENTIALS:
return False


def auth_user_ldap(self, username, password):
"""
Method for authenticating user, auth LDAP style.
Expand Down Expand Up @@ -716,6 +714,9 @@ def auth_user_oauth(self, userinfo):
email=userinfo['email'],
role=self.find_role(self.auth_user_registration_role)
)
if not user:
log.error("Error creating a new OAuth user %s" % userinfo['username'])
return None
self.update_user_auth_stat(user)
return user

Expand Down
7 changes: 4 additions & 3 deletions flask_appbuilder/static/appbuilder/css/bootstrap.min.css
View file

Large diffs are not rendered by default.

10 changes: 5 additions & 5 deletions flask_appbuilder/static/appbuilder/js/bootstrap.min.js
View file

Large diffs are not rendered by default.

4 changes: 0 additions & 4 deletions flask_appbuilder/templates/appbuilder/general/security/login_oauth.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,9 +66,5 @@
</div>
</div>

<script type="text/javascript">
set_openid('login/google/', 'google');
signin();
</script>

{% endblock %}
4 changes: 2 additions & 2 deletions flask_appbuilder/version.py
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
VERSION_MAJOR = 1
VERSION_MINOR = 8
VERSION_BUILD = 1
VERSION_MINOR = 9
VERSION_BUILD = 0
VERSION_INFO = (VERSION_MAJOR, VERSION_MINOR, VERSION_BUILD)
VERSION_STRING = "%d.%d.%d" % VERSION_INFO

Expand Down
2 changes: 1 addition & 1 deletion requirements.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ colorama>=0.3.9,<0.3.99
click>=6.7,<6.99
Flask>=0.12.1,<0.12.99
Flask-Login>=0.2.11,<0.2.99
Flask-SQLAlchemy==2.0
Flask-SQLAlchemy>=2.0,<2.1.99
Flask-OpenID>=1.2.5,<1.2.99
Flask-WTF>=0.14.2,<0.14.99
Flask-Babel>=0.11.2,<0.11.99
Expand Down
2 changes: 1 addition & 1 deletion rtd_requirements.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ Flask>=0.10
Flask-Babel>=0.10
Flask-Login>=0.2.0
Flask-OpenID>=1.2.0
Flask-SQLAlchemy==2.0
Flask-SQLAlchemy>=2.0,<2.1.99
Flask-WTF>=0.9.1


2 changes: 1 addition & 1 deletion setup.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ def desc():
'Flask-Babel>=0.10.0',
'Flask-Login==0.2.11',
'Flask-OpenID>=1.1.0',
'Flask-SQLAlchemy==2.0',
'Flask-SQLAlchemy>=2.0,<2.1.99',
'Flask-WTF>=0.12',
],
tests_require=[
Expand Down

0 comments on commit 443eef2

Please sign in to comment.