default username recovery to false

pallets-eco · Dec 13, 2024 · 7ae5671 · 7ae5671
1 parent 87ef66f
commit 7ae5671
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 13 deletions.
diff --git a/docs/configuration.rst b/docs/configuration.rst
@@ -1159,7 +1159,7 @@ Recoverable
 
    Specifies whether username recovery is enabled.
 
-   Default: ``True``.
+   Default: ``False``.
 
    .. versionadded:: 5.6.0
 
@@ -1175,15 +1175,15 @@ Recoverable
 
    Sets subject for the username recovery email.
 
-   Default: ``_("Your requested username")``
+   Default: ``_("Your requested username")``.
 
    .. versionadded:: 5.6.0
 
 .. py:data:: SECURITY_USERNAME_RECOVERY_TEMPLATE
 
    Specifies the path to the template for the username recovery page.
 
-   Default: ``"security/recover_username.html"``
+   Default: ``"security/recover_username.html"``.
 
    .. versionadded:: 5.6.0
 

diff --git a/flask_security/core.py b/flask_security/core.py
@@ -327,7 +327,7 @@
         "webauthn": "flask_security.webauthn.WebAuthnTfPlugin",
     },
     "UNIFIED_SIGNIN": False,
-    "USERNAME_RECOVERY": True,
+    "USERNAME_RECOVERY": False,
     "USERNAME_RECOVERY_TEMPLATE": "security/recover_username.html",
     "USERNAME_RECOVERY_URL": "/recover-username",
     "US_SETUP_SALT": "us-setup-salt",

diff --git a/flask_security/forms.py b/flask_security/forms.py
@@ -34,7 +34,7 @@
 )
 
 from werkzeug.datastructures import MultiDict
-from wtforms.validators import Optional, StopValidation, Email
+from wtforms.validators import Optional, StopValidation
 
 from .babel import is_lazy_string, make_lazy_string
 from .confirmable import requires_confirmation
@@ -871,11 +871,10 @@ class TwoFactorRescueForm(Form):
     submit = SubmitField(get_form_field_label("submit"))
 
 
-class UsernameRecoveryForm(Form):
+class UsernameRecoveryForm(Form, UserEmailFormMixin):
     """The username recovery form"""
 
-    email = StringField(get_form_field_label("Email"), validators=[Required(), Email()])
-    submit = SubmitField(get_form_field_label("recover_password"))
+    submit = SubmitField(get_form_field_label("recover_username"))
 
 
 class DummyForm(Form):

diff --git a/flask_security/views.py b/flask_security/views.py
@@ -38,7 +38,6 @@
     after_this_request,
     current_app,
     jsonify,
-    render_template,
     request,
     session,
 )
@@ -1162,9 +1161,12 @@ def recover_username():
             send_username_recovery_email(user)
 
         do_flash(*get_message("USERNAME_RECOVERY_REQUEST", email=form.email.data))
+
+        if _security._want_json(request):
+            return base_render_json(form, include_auth_token=True)
         return redirect(url_for_security("login"))
 
-    return render_template(
+    return _security.render_template(
         cv("USERNAME_RECOVERY_TEMPLATE"), username_recovery_form=form
     )
 
@@ -1286,9 +1288,12 @@ def create_blueprint(app, state, import_name):
             methods=["GET", "POST"],
             endpoint="reset_password",
         )(reset_password)
-        bp.route(
-            username_recovery_url, methods=["GET", "POST"], endpoint="recover_username"
-        )(recover_username)
+        if cv("USERNAME_RECOVERY", app=app):
+            bp.route(
+                username_recovery_url,
+                methods=["GET", "POST"],
+                endpoint="recover_username",
+            )(recover_username)
 
     if state.changeable:
         bp.route(