diff --git a/examples/automatic_user_loading.py b/examples/automatic_user_loading.py
index a09f7ce3..f45fe1b3 100644
--- a/examples/automatic_user_loading.py
+++ b/examples/automatic_user_loading.py
@@ -1,8 +1,9 @@
+from hmac import compare_digest
+
 from flask import Flask
 from flask import jsonify
 from flask import request
 from flask_sqlalchemy import SQLAlchemy
-from werkzeug.security import safe_str_cmp
 from flask_jwt_extended import create_access_token
 from flask_jwt_extended import current_user
@@ -29,7 +30,7 @@ class User(db.Model):
 # NOTE: In a real application make sure to properly hash and salt passwords
 def check_password(self, password):
- return safe_str_cmp(password, "password")
+ return compare_digest(password, "password")
 # Register a callback function that takes whatever object is passed in as the
diff --git a/flask_jwt_extended/tokens.py b/flask_jwt_extended/tokens.py
index a21a53d3..2b98b8d0 100644
--- a/flask_jwt_extended/tokens.py
+++ b/flask_jwt_extended/tokens.py
@@ -2,9 +2,9 @@
 from datetime import datetime
 from datetime import timedelta
 from datetime import timezone
+from hmac import compare_digest
 import jwt
-from werkzeug.security import safe_str_cmp
 from flask_jwt_extended.exceptions import CSRFError
 from flask_jwt_extended.exceptions import JWTDecodeError
@@ -110,7 +110,7 @@ def _decode_jwt(
 if csrf_value:
 if "csrf" not in decoded_token:
 raise JWTDecodeError("Missing claim: csrf")
- if not safe_str_cmp(decoded_token["csrf"], csrf_value):
+ if not compare_digest(decoded_token["csrf"], csrf_value):
 raise CSRFError("CSRF double submit tokens do not match")
 return decoded_token
diff --git a/requirements.txt b/requirements.txt
index 069f3cbf..4e337e77 100644
--- a/requirements.txt
+++ b/requirements.txt
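Review bot: `compare_digest(password, "password")` in check_password and `compare_digest(decoded_token["csrf"], csrf_value)` in the _decode_jwt hunk of tokens.py can raise TypeError where safe_str_cmp returned False: hmac.compare_digest accepts two str arguments only when both are ASCII-only and rejects mixed or non-str types, whereas safe_str_cmp encoded str inputs to UTF-8 bytes before comparing. In _decode_jwt this means a request carrying a non-ASCII CSRF header or form value, or a token whose "csrf" claim is not a string, surfaces as an unhandled exception rather than the CSRFError the caller expects; presumably csrf_value is a request-supplied str, which the callers outside this hunk would confirm. Normalise both sides to bytes before comparing: in the example `return compare_digest(password.encode("utf-8"), b"password")`, and in _decode_jwt `csrf_claim = decoded_token["csrf"]` followed by `if not isinstance(csrf_claim, str) or not compare_digest(csrf_claim.encode("utf-8"), csrf_value.encode("utf-8")):` in place of the changed line. _decode_jwt starts outside the hunk.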
@@ -1,49 +1,50 @@
 alabaster==0.7.12
 appdirs==1.4.4
-Babel==2.9.0
+Babel==2.9.1
 black==20.8b1
 bleach==3.3.0
 certifi==2020.12.5
-cffi==1.14.4
+cffi==1.14.5
 cfgv==3.2.0
 chardet==4.0.0
-click==7.1.2
+click==8.0.0
 colorama==0.4.4
-cryptography==3.3.2
+cryptography==3.4.7
 distlib==0.3.1
-docutils==0.16
+docutils==0.17.1
 filelock==3.0.12
-Flask==1.1.2
-identify==1.5.13
+Flask==2.0.0
+identify==2.2.4
 idna==2.10
 imagesize==1.2.0
-itsdangerous==1.1.0
+importlib-metadata==4.0.1
+itsdangerous==2.0.0
 Jinja2==2.11.3
-keyring==21.8.0
+keyring==23.0.1
 MarkupSafe==1.1.1
 mypy-extensions==0.4.3
-nodeenv==1.5.0
-packaging==20.8
-Pallets-Sphinx-Themes==1.2.3
+nodeenv==1.6.0
+packaging==20.9
+Pallets-Sphinx-Themes==2.0.0
 pathspec==0.8.1
 pkginfo==1.7.0
 pluggy==0.13.1
-pre-commit==2.9.3
+pre-commit==2.12.1
 py==1.10.0
 pycparser==2.20
-Pygments==2.7.4
-PyJWT==2.0.1
+Pygments==2.9.0
+PyJWT==2.1.0
 pyparsing==2.4.7
-pytz==2020.5
-PyYAML==5.4
-readme-renderer==28.0
-regex==2020.11.13
+pytz==2021.1
+PyYAML==5.4.1
+readme-renderer==29.0
+regex==2021.4.4
 requests==2.25.1
 requests-toolbelt==0.9.1
-rfc3986==1.4.0
-six==1.15.0
-snowballstemmer==2.0.0
-Sphinx==3.4.3
+rfc3986==1.5.0
+six==1.16.0
+snowballstemmer==2.1.0
+Sphinx==4.0.1
 sphinxcontrib-applehelp==1.0.2
 sphinxcontrib-devhelp==1.0.2
 sphinxcontrib-htmlhelp==1.0.3
@@ -51,12 +52,13 @@ sphinxcontrib-jsmath==1.0.1
 sphinxcontrib-qthelp==1.0.3
 sphinxcontrib-serializinghtml==1.1.4
 toml==0.10.2
-tox==3.21.1
-tqdm==4.56.0
-twine==3.3.0
-typed-ast==1.4.2
-typing-extensions==3.7.4.3
+tox==3.23.1
+tqdm==4.60.0
+twine==3.4.1
+typed-ast==1.4.3
+typing-extensions==3.10.0.0
 urllib3==1.26.4
-virtualenv==20.3.1
+virtualenv==20.4.6
 webencodings==0.5.1
-Werkzeug==1.0.1
+Werkzeug==2.0.0
+zipp==3.4.1
diff --git a/setup.py b/setup.py
index f2ac7646..54c81581 100644
--- a/setup.py
+++ b/setup.py
@@ -27,7 +27,7 @@
 platforms="any",
 install_requires=[
 "Werkzeug>=0.14", # Needed for SameSite cookie functionality
- "Flask>=1.0,<2.0",
+ "Flask>=1.0,<3.0",
 "PyJWT>=2.0,<3.0",
 ],
 extras_require={"asymmetric_crypto": ["cryptography>=3.0,<4.0"]},