Configuration
The following configuration values are used by Flask-Security:
Core
SECURITY_BLUEPRINT_NAME | Specifies the name for the Flask-Security blueprint. Defaults to security.
SECURITY_CLI_USERS_NAME | Specifies the name for the command managing users. Disable by setting False. Defaults to users.
SECURITY_CLI_ROLES_NAME | Specifies the name for the command managing roles. Disable by setting False. Defaults to roles.
SECURITY_URL_PREFIX | Specifies the URL prefix for the Flask-Security blueprint. Defaults to None.
SECURITY_SUBDOMAIN | Specifies the subdomain for the Flask-Security blueprint. Defaults to None.
SECURITY_FLASH_MESSAGES | Specifies whether or not to flash messages during security procedures. Defaults to True.
SECURITY_PASSWORD_HASH | Specifies the password hash algorithm to use when hashing and verifying passwords. Recommended values for production systems are bcrypt, sha512_crypt, or pbkdf2_sha512. Defaults to plaintext.
SECURITY_PASSWORD_SALT | Specifies the HMAC salt. This is only used if the password hash type is set to something other than plain text. Defaults to None.
SECURITY_EMAIL_SENDER | Specifies the email address to send emails as. Defaults to no-reply@localhost.
SECURITY_TOKEN_AUTHENTICATION_KEY | Specifies the query string parameter to read when using token authentication. Defaults to auth_token.
SECURITY_TOKEN_AUTHENTICATION_HEADER | Specifies the HTTP header to read when using token authentication. Defaults to Authentication-Token.
SECURITY_TOKEN_MAX_AGE | Specifies the number of seconds before an authentication token expires. Defaults to None, meaning the token never expires.
SECURITY_DEFAULT_HTTP_AUTH_REALM | Specifies the default authentication realm when using basic HTTP auth. Defaults to Login Required.
URLs and Views
SECURITY_LOGIN_URL | Specifies the login URL. Defaults to /login.
SECURITY_LOGOUT_URL | Specifies the logout URL. Defaults to /logout.
SECURITY_REGISTER_URL | Specifies the register URL. Defaults to /register.
SECURITY_RESET_URL | Specifies the password reset URL. Defaults to /reset.
SECURITY_CHANGE_URL | Specifies the password change URL. Defaults to /change.
SECURITY_CONFIRM_URL | Specifies the email confirmation URL. Defaults to /confirm.
SECURITY_POST_LOGIN_VIEW | Specifies the default view to redirect to after a user logs in. This value can be set to a URL or an endpoint name. Defaults to /.
SECURITY_POST_LOGOUT_VIEW | Specifies the default view to redirect to after a user logs out. This value can be set to a URL or an endpoint name. Defaults to /.
SECURITY_CONFIRM_ERROR_VIEW | Specifies the view to redirect to if a confirmation error occurs. This value can be set to a URL or an endpoint name. If this value is None, the user is presented the default view to resend a confirmation link. Defaults to None.
SECURITY_POST_REGISTER_VIEW | Specifies the view to redirect to after a user successfully registers. This value can be set to a URL or an endpoint name. If this value is None, the user is redirected to the value of SECURITY_POST_LOGIN_VIEW. Defaults to None.
SECURITY_POST_CONFIRM_VIEW | Specifies the view to redirect to after a user successfully confirms their email. This value can be set to a URL or an endpoint name. If this value is None, the user is redirected to the value of SECURITY_POST_LOGIN_VIEW. Defaults to None.
SECURITY_POST_RESET_VIEW | Specifies the view to redirect to after a user successfully resets their password. This value can be set to a URL or an endpoint name. If this value is None, the user is redirected to the value of SECURITY_POST_LOGIN_VIEW. Defaults to None.
SECURITY_POST_CHANGE_VIEW | Specifies the view to redirect to after a user successfully changes their password. This value can be set to a URL or an endpoint name. If this value is None, the user is redirected to the value of SECURITY_POST_LOGIN_VIEW. Defaults to None.
SECURITY_UNAUTHORIZED_VIEW | Specifies the view to redirect to if a user attempts to access a URL/endpoint that they do not have permission to access. If this value is None, the user is presented with a default HTTP 403 response. Defaults to None.
Template Paths
SECURITY_FORGOT_PASSWORD_TEMPLATE | Specifies the path to the template for the forgot password page. Defaults to security/forgot_password.html.
SECURITY_LOGIN_USER_TEMPLATE | Specifies the path to the template for the user login page. Defaults to security/login_user.html.
SECURITY_REGISTER_USER_TEMPLATE | Specifies the path to the template for the user registration page. Defaults to security/register_user.html.
SECURITY_RESET_PASSWORD_TEMPLATE | Specifies the path to the template for the reset password page. Defaults to security/reset_password.html.
SECURITY_CHANGE_PASSWORD_TEMPLATE | Specifies the path to the template for the change password page. Defaults to security/change_password.html.
SECURITY_SEND_CONFIRMATION_TEMPLATE | Specifies the path to the template for the resend confirmation instructions page. Defaults to security/send_confirmation.html.
SECURITY_SEND_LOGIN_TEMPLATE | Specifies the path to the template for the send login instructions page for passwordless logins. Defaults to security/send_login.html.
Feature Flags
SECURITY_CONFIRMABLE | Specifies if users are required to confirm their email address when registering a new account. If this value is True, Flask-Security creates an endpoint to handle confirmations and requests to resend confirmation instructions. The URL for this endpoint is specified by the SECURITY_CONFIRM_URL configuration option. Defaults to False.
SECURITY_REGISTERABLE | Specifies if Flask-Security should create a user registration endpoint. The URL for this endpoint is specified by the SECURITY_REGISTER_URL configuration option. Defaults to False.
SECURITY_RECOVERABLE | Specifies if Flask-Security should create a password reset/recover endpoint. The URL for this endpoint is specified by the SECURITY_RESET_URL configuration option. Defaults to False.
SECURITY_TRACKABLE | Specifies if Flask-Security should track basic user login statistics. If set to True, ensure your models have the required fields/attributes. Be sure to use ProxyFix (http://flask.pocoo.org/docs/0.10/deploying/wsgi-standalone/#proxy-setups) if you are using a proxy. Defaults to False.
SECURITY_PASSWORDLESS | Specifies if Flask-Security should enable the passwordless login feature. If set to True, users are not required to enter a password to log in but are sent an email with a login link. This feature is experimental and should be used with caution. Defaults to False.
SECURITY_CHANGEABLE | Specifies if Flask-Security should enable the change password endpoint. The URL for this endpoint is specified by the SECURITY_CHANGE_URL configuration option. Defaults to False.
Email
SECURITY_EMAIL_SUBJECT_REGISTER | Sets the subject for the confirmation email. Defaults to Welcome.
SECURITY_EMAIL_SUBJECT_PASSWORDLESS | Sets the subject for the passwordless feature. Defaults to Login instructions.
SECURITY_EMAIL_SUBJECT_PASSWORD_NOTICE | Sets the subject for the password notice. Defaults to Your password has been reset.
SECURITY_EMAIL_SUBJECT_PASSWORD_RESET | Sets the subject for the password reset email. Defaults to Password reset instructions.
SECURITY_EMAIL_SUBJECT_PASSWORD_CHANGE_NOTICE | Sets the subject for the password change notice. Defaults to Your password has been changed.
SECURITY_EMAIL_SUBJECT_CONFIRM | Sets the subject for the email confirmation message. Defaults to Please confirm your email.
SECURITY_EMAIL_PLAINTEXT | Sends email as plaintext using *.txt template. Defaults to True.
SECURITY_EMAIL_HTML | Sends email as HTML using *.html template. Defaults to True.
Miscellaneous
SECURITY_USER_IDENTITY_ATTRIBUTES | Specifies which attributes of the user object can be used for login. Defaults to ['email'].
SECURITY_SEND_REGISTER_EMAIL | Specifies whether registration email is sent. Defaults to True.
SECURITY_SEND_PASSWORD_CHANGE_EMAIL | Specifies whether password change email is sent. Defaults to True.
SECURITY_SEND_PASSWORD_RESET_NOTICE_EMAIL | Specifies whether password reset notice email is sent. Defaults to True.
SECURITY_CONFIRM_EMAIL_WITHIN | Specifies the amount of time a user has before their confirmation link expires. Always pluralize the time unit for this value. Defaults to 5 days.
SECURITY_RESET_PASSWORD_WITHIN | Specifies the amount of time a user has before their password reset link expires. Always pluralize the time unit for this value. Defaults to 5 days.
SECURITY_LOGIN_WITHIN | Specifies the amount of time a user has before a login link expires. This is only used when the passwordless login feature is enabled. Always pluralize the time unit for this value. Defaults to 1 days.
SECURITY_LOGIN_WITHOUT_CONFIRMATION | Specifies if a user may log in before confirming their email when the value of SECURITY_CONFIRMABLE is set to True. Defaults to False.
SECURITY_CONFIRM_SALT | Specifies the salt value when generating confirmation links/tokens. Defaults to confirm-salt.
SECURITY_RESET_SALT | Specifies the salt value when generating password reset links/tokens. Defaults to reset-salt.
SECURITY_LOGIN_SALT | Specifies the salt value when generating login links/tokens. Defaults to login-salt.
SECURITY_REMEMBER_SALT | Specifies the salt value when generating remember tokens. Remember tokens are used instead of user IDs because this is more secure. Defaults to remember-salt.
SECURITY_DEFAULT_REMEMBER_ME | Specifies the default “remember me” value used when logging in a user. Defaults to False.
SECURITY_DATETIME_FACTORY | Specifies the default datetime factory. Defaults to datetime.datetime.utcnow.
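An added example, not part of Flask-Security or its documentation: a small audit that checks a config dict against the defaults and recommendations listed on this page (plaintext password hash, unset HMAC salt, non-expiring tokens, the experimental passwordless flag, login without confirmation, and the plural time unit in the *_WITHIN values). The name audit, the finding strings and the list of accepted time units are assumptions made for this example.

```python
import re

# Defaults as documented on this page; applied when a key is absent.
DEFAULTS = {
    "SECURITY_PASSWORD_HASH": "plaintext",
    "SECURITY_PASSWORD_SALT": None,
    "SECURITY_TOKEN_MAX_AGE": None,
    "SECURITY_PASSWORDLESS": False,
    "SECURITY_CONFIRMABLE": False,
    "SECURITY_LOGIN_WITHOUT_CONFIRMATION": False,
    "SECURITY_CONFIRM_EMAIL_WITHIN": "5 days",
    "SECURITY_RESET_PASSWORD_WITHIN": "5 days",
    "SECURITY_LOGIN_WITHIN": "1 days",
}
RECOMMENDED_HASHES = {"bcrypt", "sha512_crypt", "pbkdf2_sha512"}
# Assumption: the unit is one of these plural names ("1 days", never "1 day").
WITHIN_RE = re.compile(r"^\d+ (seconds|minutes|hours|days|weeks)$")


def audit(config):
    """Return a sorted list of (key, finding) tuples for risky settings."""
    cfg = {**DEFAULTS, **config}
    findings = []
    scheme = cfg["SECURITY_PASSWORD_HASH"]
    if scheme == "plaintext":
        findings.append(("SECURITY_PASSWORD_HASH", "passwords stored in plaintext"))
    elif scheme not in RECOMMENDED_HASHES:
        findings.append(("SECURITY_PASSWORD_HASH", "not a recommended scheme"))
    if scheme != "plaintext" and not cfg["SECURITY_PASSWORD_SALT"]:
        findings.append(("SECURITY_PASSWORD_SALT", "HMAC salt not set"))
    if cfg["SECURITY_TOKEN_MAX_AGE"] is None:
        findings.append(("SECURITY_TOKEN_MAX_AGE", "auth tokens never expire"))
    if cfg["SECURITY_PASSWORDLESS"]:
        findings.append(("SECURITY_PASSWORDLESS", "experimental feature enabled"))
    if cfg["SECURITY_CONFIRMABLE"] and cfg["SECURITY_LOGIN_WITHOUT_CONFIRMATION"]:
        findings.append(("SECURITY_LOGIN_WITHOUT_CONFIRMATION",
                         "unconfirmed users may log in"))
    for key in [k for k in DEFAULTS if k.endswith("_WITHIN")]:
        if not WITHIN_RE.match(str(cfg[key])):
            findings.append((key, "expected '<int> <plural unit>'"))
    return sorted(findings)


# Constructed sample config, not taken from any real deployment.
HARDENED = {
    "SECURITY_PASSWORD_HASH": "bcrypt",
    "SECURITY_PASSWORD_SALT": "replace-with-random-value",  # placeholder
    "SECURITY_TOKEN_MAX_AGE": 3600,
    "SECURITY_RESET_PASSWORD_WITHIN": "1 hours",
}
```

Calling audit({}) reports what an application gets when it sets none of these keys; audit(app.config) can be run the same way against a loaded Flask config.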
Messages
The following are the messages Flask-Security uses. They are tuples; the first element is the message and the second element is the error level.
The default messages and error levels can be found in core.py.
SECURITY_MSG_ALREADY_CONFIRMED
SECURITY_MSG_CONFIRMATION_EXPIRED
SECURITY_MSG_CONFIRMATION_REQUEST
SECURITY_MSG_CONFIRMATION_REQUIRED
SECURITY_MSG_CONFIRM_REGISTRATION
SECURITY_MSG_DISABLED_ACCOUNT
SECURITY_MSG_EMAIL_ALREADY_ASSOCIATED
SECURITY_MSG_EMAIL_CONFIRMED
SECURITY_MSG_EMAIL_NOT_PROVIDED
SECURITY_MSG_FORGOT_PASSWORD
SECURITY_MSG_INVALID_CONFIRMATION_TOKEN
SECURITY_MSG_INVALID_EMAIL_ADDRESS
SECURITY_MSG_INVALID_LOGIN_TOKEN
SECURITY_MSG_INVALID_PASSWORD
SECURITY_MSG_INVALID_REDIRECT
SECURITY_MSG_INVALID_RESET_PASSWORD_TOKEN
SECURITY_MSG_LOGIN
SECURITY_MSG_LOGIN_EMAIL_SENT
SECURITY_MSG_LOGIN_EXPIRED
SECURITY_MSG_PASSWORDLESS_LOGIN_SUCCESSFUL
SECURITY_MSG_PASSWORD_CHANGE
SECURITY_MSG_PASSWORD_INVALID_LENGTH
SECURITY_MSG_PASSWORD_IS_THE_SAME
SECURITY_MSG_PASSWORD_MISMATCH
SECURITY_MSG_PASSWORD_NOT_PROVIDED
SECURITY_MSG_PASSWORD_NOT_SET
SECURITY_MSG_PASSWORD_RESET
SECURITY_MSG_PASSWORD_RESET_EXPIRED
SECURITY_MSG_PASSWORD_RESET_REQUEST
SECURITY_MSG_REFRESH
SECURITY_MSG_RETYPE_PASSWORD_MISMATCH
SECURITY_MSG_UNAUTHORIZED
SECURITY_MSG_USER_DOES_NOT_EXIST