Quickly add security features to your Flask application.

This is a independently maintained version of Flask-Security based on the 3.0.0 version of the Original

• Regain momentum for this critical piece of the Flask eco-system. To that end the the plan is to put out small, frequent releases starting with pulling the simplest and most obvious changes that have already been vetted in the upstream version, as well as other pull requests. This was completed with the June 29 2019 3.2.0 release.
• Continue work to get Flask-Security to be usable from Single Page Applications, such as those built with Vue and Angular, that have no html forms. This is true as of the 3.3.0 release.
• Use OWASP to guide best practice and default configurations.
• Be more opinionated and 'batteries' included by reducing reliance on abandoned projects and bundling in support for common use cases.
• Follow the Pallets lead on supported versions, documentation standards and any other guidelines for extensions that they come up with.

• Continue to add newer authentication/authorization standards:

  • 'Social Auth' integrated (using authlib) (5.1)
  • WebAuthn support (5.0)
  • Two-Factor recovery codes (5.0)
  • First-class support for username as identity (4.1)
  • Support for fresheness decorator to ensure sensitive operations have new authentication (4.0)
  • Support for email normalization and validation (4.0)
  • Unified signin (username, phone, passwordless) feature (3.4)

Issues and pull requests are welcome. Other maintainers are also welcome. Unlike the original Flask-Security - issue pull requests against the master branch. Please consult these contributing guidelines.

Install and update using pip:

pip install -U Flask-Security-Too

• Documentation
• Releases
• Issue Tracker
• Code