Bump flask-security-too from 5.3.1 to 5.4.1

[dependabot]

Bumps flask-security-too from 5.3.1 to 5.4.1.

Release notes

Sourced from flask-security-too's releases.

Release 5.4.1

Features and fixes release. As always - consult CHANGES for complete details.

Note: 5.4.0 had some logistics issues - so this is 5.4.1

5.3.3 Release

Fix for CVE-2023-49438

5.3.2 Release

Small bug-fix release - with many JSON API documentation fixes.

Changelog

Sourced from flask-security-too's changelog.

Version 5.4.0 & 5.4.1

Released February 26, 2024

Among other changes, this continues the process of dis-entangling Flask-Security from Flask-Login and may require some application changes due to backwards incompatible changes.

Features & Improvements +++++++++++++++++++++++

• (:issue:879) Work with Flask[async]. view decorators and signals support async handlers.
• (:pr:900) CI support for python 3.12
• (:pr:901) Work with py_webauthn 2.0 (and only 2.0+)
• (:pr:899) Improve (and simplify) Two-Factor setup. See below for backwards compatability issues and new functionality.
• (:issue:912) Improve oauth debugging support. Handle next propagation in a more general way.
• (:pr:877) Make AnonymousUser (Flask-Login) optional and deprecated.
• (:pr:906) Remove undocumented and untested looking in session for possible 'next' redirect location.
• (:pr:881) No longer rely on Flask-Login.unauthorized callback. See below for implications.
• (:issue:904) Changes to default unauthorized handler - remove use of referrer header (see below) and document precise behavior.
• (:pr:927) The authentication_token format has changed - adding per-token expiry time and future session ID. Old tokens are still accepted.

Docs and Chores +++++++++++++++

• (:pr:889) Improve method translations for unified signin and two factor. Remove support for Flask-Babelex.
• (:pr:911) Chore - stop setting all config as attributes. init_app(**kwargs) can only set forms, flags, and utility classes.
• (:pr:873) Update Spanish and Italian translations. (gissimo)
• (:pr:855) Improve translations for two-factor method selection. (gissimo)
• (:pr:866) Improve German translations. (sr-verde)
• (:pr:911) Remove deprecation of AUTO_LOGIN_AFTER_CONFIRM - it has a reasonable use case.
• (:pr:931) Update message extraction - note that the CONFIRM_REGISTRATION message was changed to improve readability.

Fixes +++++

• (:issue:845) us-signin magic link should use fs_uniquifier (not email).
• (:issue:893) Improve open-redirect vulnerability mitigation. (see below)
• (:issue:875) user_datastore.create_user has side effects on mutable inputs. (NoRePercussions)
• (:pr:878) The long deprecated _unauthorized_callback/handler has been removed.
• (:issue:884) Oauth re-used POST_LOGIN_VIEW which caused confusion. See below for the new configuration and implications.
• (:pr:908) Improve CSRF documentation and testing. Fix bug where a CSRF failure could return an HTML page even if the request was JSON.
• (:issue:925) Register with JSON and authentication token failed CSRF. (lilz-egoto)
• (:issue:870) Fix 2 issues with CSRF configuration.
• (:pr:914) It was possible that if :data:SECURITY_EMAIL_VALIDATOR_ARGS were set that deliverability would be checked even for login.

... (truncated)

Commits

• e94e1df Release 5.4.1 (#940)
• 42edd25 make tox and github action use same python version (#939)
• 4e7b943 Add empty dictionary as default to validator args (#938)
• de87aeb Try to fix some issues with readthedocs failing latex build. (#935)
• 79ac2b5 Ready for 5.4 (#934)
• a0602ef Chore update messages. (#931)
• e423abd Chore - tests and docs (#930)
• cfc66b4 Fix 2 CSRF issues. (#928)
• 263b2c2 Change auth_tokens to be versionable, extendable, expirable. (#927)
• 6d6c15a fixed bug where csrf_token was not recognized for register json api. wrote a ...
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[dependabot]

Superseded by #623.