Changing default behavior on confirmation email #903

Closed
dadiletta opened this issue Jan 19, 2024 · 4 comments

Comments

@dadiletta

The default behavior changed in 5.3 - any chance you have an older version on your dev?

Look at release notes for details

Originally posted by @jwag956 in https://github.com/Flask-Middleware/flask-security/issues/829#issuecomment-1684385695

I'd like to try again to move to 5.3 but my use case requires invite emails to log users in so they can set their initial password. I'm having trouble pulling that off. Is that possible?

@jwag956
Collaborator

jwag956 commented Jan 20, 2024

The referrer issue should be fixed as of 5.3.1
If I understand your use case - through some out of band mechanism a user has an account created - (they can't self-register) then you want to send an email that forces them to set a new password prior to logging in. I am not certain if something is different than whatever version of FS you are currently using?
If that's your use case - the forgot/reset password flow is the closest - though not probably the UX you are looking for.

Please add more info and let's see if we can figure out how to satisfy your use case.

@dadiletta
Author

dadiletta commented Jan 24, 2024

Correct, my school's app requires a teacher to invite students and a student to invite their guardian. The register_user(user_form) uses a randomly generated password before sending a confirmation email. That email introduces the concept of the app to new students and parents. The user is automatically logged in when the confirmation link is taken (as of 5.2 and not in 5.3). I have an @app.before_request check to see if the user is a first-timer, in which case they are redirected to a set password page, which quietly replaces their randomly generated password (if they aren't new, it just stores their last_seen data).

May I also add that your support of this project is incredible. I greatly appreciate the time and energy you've given.

@jwag956
Collaborator

jwag956 commented Jan 25, 2024

Thanks - in 5.3 you can set SECURITY_AUTO_LOGIN_AFTER_CONFIRM to True to get your desired behavior.
I'll remove the deprecation warning - no real reason to not allow applications to explicitly choose what's best for them (just to be clear - auto-login after confirm or reset password goes against OWASP best-practice).

@dadiletta
Author

Works like a charm, thanks!
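A worked version of the onboarding pattern described in this thread, added here as an illustration and not taken from Flask-Security or the reporter's app: the invited account gets a random placeholder password, the confirmation link logs the user in because SECURITY_AUTO_LOGIN_AFTER_CONFIRM (a real Flask-Security 5.3+ setting, default False) is set to True, and a before_request hook sends any logged-in user who has not yet chosen a password to a set-password page. The User fields, endpoint names, the minimum password length and the helper names are assumptions for the example; the exempt-endpoint set is there because without it the hook would redirect the set-password page to itself.

```python
"""Invite-only onboarding gate (added example, not Flask-Security's code)."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Flask-Security's default keeps the user logged out after confirming; the
# invite flow opts in explicitly, accepting the trade-off noted in the thread.
DEFAULT_CONFIG = {"SECURITY_CONFIRMABLE": True, "SECURITY_AUTO_LOGIN_AFTER_CONFIRM": False}
INVITE_FLOW_CONFIG = {**DEFAULT_CONFIG, "SECURITY_AUTO_LOGIN_AFTER_CONFIRM": True}

# Endpoints a first-timer must reach without being bounced (assumed names);
# otherwise the hook redirects the set-password page to itself in a loop.
EXEMPT_ENDPOINTS = frozenset({"set_password", "security.logout", "static"})

MIN_PASSWORD_LEN = 12  # assumed policy for the example


@dataclass
class User:
    email: str
    is_authenticated: bool = False
    password_set_by_user: bool = False  # assumed flag; False while the random password is in place
    last_seen: Optional[datetime] = None


def placeholder_password() -> str:
    """Random password for the invited account; the invitee never sees it."""
    return secrets.token_urlsafe(32)


def before_request_action(user: Optional[User], endpoint: Optional[str],
                          now: Optional[datetime] = None) -> Optional[str]:
    """Decide what the before_request hook should do for this request.

    Returns "redirect:set_password" for a logged-in first-timer, None otherwise.
    Returning users get their last_seen updated as a side effect.
    """
    if user is None or not user.is_authenticated:
        return None  # anonymous requests: Flask-Security's own decorators handle access
    if endpoint in EXEMPT_ENDPOINTS:
        return None  # never bounce the set-password page itself
    if not user.password_set_by_user:
        return "redirect:set_password"
    user.last_seen = now or datetime.now(timezone.utc)
    return None


def set_initial_password(user: User, new_password: str) -> bool:
    """Replace the placeholder; reject weak input so a strong random value is not swapped for a trivial one."""
    if len(new_password) < MIN_PASSWORD_LEN:
        return False
    user.password_set_by_user = True  # a real app would hash and store new_password here
    return True


if __name__ == "__main__":
    # Wiring sketch for Flask, kept out of the import path so the example runs without Flask:
    #   @app.before_request
    #   def gate_first_timers():
    #       action = before_request_action(current_user, request.endpoint)
    #       if action == "redirect:set_password":
    #           return redirect(url_for("set_password"))
    invitee = User("student@example.org", is_authenticated=True)  # constructed sample user
    print(before_request_action(invitee, "dashboard"))  # redirect:set_password
    set_initial_password(invitee, "a-long-enough-passphrase")
    print(before_request_action(invitee, "dashboard"))  # None
```

The decision logic is kept separate from Flask so it can be unit-tested without a request context; the hook itself is a three-line wrapper that maps the returned action to a redirect.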

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 28, 2024