David Lord
David Lord
This is a constant source of confusion for users. They don't understand why `is_authenticated` is always true for `UserMixin` even if it's not the logged in user. They get tripped...
Flask-Login has no way to guarantee that this header is correct because it doesn't know how many proxies the app is or isn't deployed behind. Instead, it should always read...
Currently, `login_manager.session_protection` is only considered if `app.config` does not have the `SESSION_PROTECTION` key. Session protection is the only config that works this way, and this is not a standard pattern...
Extensions should namespace any values they use in `app.config` and `g` with their name (without the "Flask-" prefix). It's usually a good idea to set the default config in `init_app`...
The only thing that might be relevant to runtime inspection is `__version__`, which is already exported. The rest is package metadata that should be in `setup.cfg`, which can be inspected...
It should not be possible to disable login. Especially not as a config, it doesn't make sense to configure this per-deployment. I'm not sure how it would even be used...
Currently we store default values for app config and extension attributes in the `flask_login.config` module. Some of those values are exported from `__init__.py`. Those exports and defaults don't mean anything,...
I just updated MyPy in Jinja, and had to ignore the return type of `sum` in one of my functions because MyPy started saying it wasn't compatible with the `TypeVar`...
This is a description of the issue that #222 tries to solve. After investigating further, and based on differences between SQLAlchemy 1.3 and 1.4, I don't think I'll be able...
Every time there's an issue that requires looking at the lexer and parser, I worry due to the amount of complexity and under-documented behavior. The lexer depends on a bunch...