Flask-Social Version 1.6.3

[eriktaubeneck]

We've got a few PRs and issues lined up, so I figured I'd create a checklist for things we'd like for Version 1.6.3 and I can work to get them in line, onto develop, and we can get a new version pushed to master and pypi shortly.

• Issue Connection data does not update if token changes #31 solved by PR reauth: check for updated oauth tokens, update if necessary #37
• Issue Add CSRF protection to social route #24 *
• Upgrade to Flask-Oauthlib as discussed in Issue Develop discussion and plan forward #29 *
• PR Only use provider and provider user IDs to find connection #33 from @pib with added tests
• previous PR should allow us to implement PR Get email from facebook #1 safely (if we are still interested)

@mattupstate would like to get feedback on this plan. The * items are ones that I will take care of, and I can take care of merging in portions of pull requests, if we decide.

[pib]

Actually it was PR #33 that I was going to add tests for. I think the conclusion for #36 was that it was unneeded.

[eriktaubeneck]

Yep. Typo, my bad. Thanks! (and fixed)

[sayerhs]

@eriktaubeneck, @mattupstate : Any update on plans to release the next version? v1.6.2 has issues with google login which seems to have been fixed on the devel branch with the move to flask-oauthlib + mods to providers/google.py. I would prefer to use Flask-Social in requirements.txt instead of the git+https:// entry for production.

[eriktaubeneck]

@sayerhs I haven't been using flask-social at work anymore, so I haven't been able to give it nearly as much attention as I used to. Hopefully I'll get a chance soon to merge this all in, and @mattupstate can push a new version .

[sayerhs]

@eriktaubeneck Great! Let me know if there is something I can do to help speed up the process. Thanks.

[jquacinella]

@eriktaubeneck Any word on this? https://pypi.python.org/pypi/Flask-Social states 1.6.2 is still the latest and I am having issues with Google login like @sayerhs stated. Thanks!

[eriktaubeneck]

Hey @jquacinella, sorry for the delay. I haven't been using Flask-Social at my new job, so I haven't been able to dedicate the same amount of time to the project. I believe the same is true WRT @mattupstate. We should potentially discuss bringing in more maintainers who are actively using the project.

[sayerhs]

@eriktaubeneck - I will definitely be willing to contribute. Also I think
it would be good to revisit the list you have developed and see if those
are still the priorities.

On Tue, Aug 11, 2015 at 11:39 AM, Erik Taubeneck notifications@github.com
wrote:

Hey @jquacinella https://github.com/jquacinella, sorry for the delay. I
haven't been using Flask-Social at my new job, so I haven't been able to
dedicate the same amount of time to the project. I believe the same is true
WRT @mattupstate https://github.com/mattupstate. We should potentially
discuss bringing in more maintainers who are actively using the project.

—
Reply to this email directly or view it on GitHub
#38 (comment)
.

[eriktaubeneck]

I think the 2 largest priorities would be switching over to Flask-Oauthlib and getting CSRF working properly.

[sayerhs]

@eriktaubeneck - It seems that #37 already has migrated to Flask-Oauthlib, am I missing something? Regarding CSRF, my understanding is that it is necessary for PUT/DELETE requests. Is that correct? My vote would be to disable that functionality, clean up the rest of the login process and then release a new version. I am not sure what the use case is for PUT/DELETE requests through json.

[eriktaubeneck]

Ahh yes, you are correct WRT Flask-Oauthlib. It's been a little while since using the package.

For CSRF, the issue is that if you wish to use the CsrfProtect function that Flask-WTF provides, it breaks all of the social routes. You can see Issue 24 for more details. I'll also look at my old code and see if I can figure out if we got around it, it may provide clues in how to implement it.

[sayerhs]

Do you have an example of the breakage of flask social routes? Or the
monkey patching code that you're using as a workaround?

On Wed, Aug 12, 2015 at 10:47 AM, Erik Taubeneck notifications@github.com
wrote:

Ahh yes, you are correct WRT Flask-Oauthlib. It's been a little while
since using the package.

For CSRF, the issue is that if you wish to use the CsrfProtect function
that Flask-WTF provides, it breaks all of the social routes. You can see Issue
24 #24 for more
details. I'll also look at my old code and see if I can figure out if we
got around it, it may provide clues in how to implement it.

—
Reply to this email directly or view it on GitHub
#38 (comment)
.

[eriktaubeneck]

All we did was manually insert a csrf_token() into the form when we posted the signup, i.e.:

<form action="{{ url_for('social.connect', provider_id=provider_id) }}" method="POST">
    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
    <button type="submit" {{provider_id}} </button>
</form>

[sayerhs]

Hi Erik,

So after reading Flask-WTF documentation (
http://flask-wtf.readthedocs.org/en/latest/csrf.html), it seems that this
is essentially an app developer setting and the changes are mostly in the
templates. So if we update the documentation and flask-social-example. I
don't see anything in flask-social itself that needs fixing.

On Thu, Aug 20, 2015 at 11:22 AM, Erik Taubeneck notifications@github.com
wrote:

All we did was manually insert a csrf_token() into the form when we
posted the signup, i.e.:

—
Reply to this email directly or view it on GitHub
#38 (comment)
.

[eriktaubeneck]

See the discussion here for more detail, but essentially the issue is not making Flask-Social compatible with CSRF, but to utilize it and protect someone from getting an account deleted through a CSRF attack.

[KeNaCo]

Is here someone active?

[oleksandr-l5]

+1