Change DEPRECATED_HASHING_SCHEMES to "auto". (#1009)

Add docs to say these are passed directly to passlib.

CHANGES.rst

@@ -16,14 +16,15 @@ Features & Improvements
 - (:pr:`991`) Add support /tf-setup to not require sessions (use a state token).
 - (:issue:`994`) Add support for Flask-SQLAlchemy-Lite - including new all-inclusive models
   that conform to sqlalchemy latest best-practice (type-annotated).
-- (:pr:`xxx`) Convert other sqlalchemy-based datastores from legacy 'model.query' to best-practice 'select'
+- (:pr:`1007`) Convert other sqlalchemy-based datastores from legacy 'model.query' to best-practice 'select'
 
 Fixes
 +++++
 - (:pr:`972`) Set :py:data:`SECURITY_CSRF_COOKIE` at beginning (GET /login) of authentication
   ritual - just as we return the CSRF token. (thanks @e-goto)
 - (:issue:`973`) login and unified sign in should handle GET for authenticated user consistently.
 - (:pr:`995`) Don't show sms options if not defined in US_ENABLED_METHODS. (fredipevcin)
+- (:pr:`xxx`) Change :py:data:`SECURITY_DEPRECATED_HASHING_SCHEMES` to ``["auto"]``.
 
 Docs and Chores
 +++++++++++++++
@@ -32,6 +33,7 @@ Docs and Chores
 - (:pr:`981` and :pr:`977`) Improve docs
 - (:pr:`992`) The long deprecated `get_token_status` is no longer exported
 - (:pr:`992`) Drop Python 3.8 support.
+- (:issue:`1001`) Try a different approach to typing User and Role models.
 
 Backwards Compatibility Concerns
 +++++++++++++++++++++++++++++++++

docs/configuration.rst

@@ -416,12 +416,14 @@ Core - Passwords and Tokens
 
     List of supported password hash algorithms. ``SECURITY_PASSWORD_HASH``
     must be from this list. Passwords encrypted with any of these schemes will be honored.
+    This is passed directly to `passlib's CryptoContext`_.
 
 .. py:data:: SECURITY_DEPRECATED_PASSWORD_SCHEMES
 
     List of password hash algorithms that are considered weak and
     will be accepted, however on first use, will be re-hashed to the current
     setting of ``SECURITY_PASSWORD_HASH``.
+    This is passed directly to `passlib's CryptoContext`_.
 
     Default: ``["auto"]`` which means any password found that wasn't
     hashed using ``SECURITY_PASSWORD_HASH`` will be re-hashed.
@@ -445,13 +447,18 @@ Core - Passwords and Tokens
 
     List of algorithms used for encrypting/hashing sensitive data within a token
     (Such as is sent with confirmation or reset password).
+    This is passed directly to `passlib's CryptoContext`_.
 
     Default: ``["sha256_crypt", "hex_md5"]``.
 .. py:data:: SECURITY_DEPRECATED_HASHING_SCHEMES
 
     List of deprecated algorithms used for creating and validating tokens.
+    This is passed directly to `passlib's CryptoContext`_.
 
-    Default: ``["hex_md5"]``.
+    Default: ``["auto"]``.
+
+.. versionchanged:: 5.5.0
+        Default changed from ``hex_md5`` to ``auto``.
 
 .. py:data:: SECURITY_PASSWORD_HASH_OPTIONS
 
@@ -1995,3 +2002,5 @@ The default messages and error levels can be found in ``core.py``.
 * ``SECURITY_MSG_WEBAUTHN_NO_VERIFY``
 * ``SECURITY_MSG_WEBAUTHN_CREDENTIAL_WRONG_USAGE``
 * ``SECURITY_MSG_WEBAUTHN_MISMATCH_USER_HANDLE``
+
+.. _passlib's CryptoContext: https://passlib.readthedocs.io/en/stable/lib/passlib.context.html

flask_security/core.py

@@ -160,6 +160,7 @@
         # And always last one...
         "plaintext",
     ],
+    "DEPRECATED_PASSWORD_SCHEMES": ["auto"],
     "PASSWORD_HASH_OPTIONS": {},  # Deprecated at passlib 1.7
     "PASSWORD_HASH_PASSLIB_OPTIONS": {},  # passlib >= 1.7.1 method to pass options
     # (as part of CryptoContext.using)
@@ -169,7 +170,8 @@
     "PASSWORD_BREACHED_COUNT": 1,
     "PASSWORD_NORMALIZE_FORM": "NFKD",
     "PASSWORD_REQUIRED": True,
-    "DEPRECATED_PASSWORD_SCHEMES": ["auto"],
+    "HASHING_SCHEMES": ["sha256_crypt", "hex_md5"],
+    "DEPRECATED_HASHING_SCHEMES": ["auto"],
     "LOGIN_URL": "/login",
     "LOGOUT_URL": "/logout",
     "REGISTER_URL": "/register",
@@ -297,8 +299,6 @@
     "FRESHNESS_GRACE_PERIOD": timedelta(hours=1),
     "FRESHNESS_ALLOW_AUTH_TOKEN": True,
     "API_ENABLED_METHODS": ["session", "token"],
-    "HASHING_SCHEMES": ["sha256_crypt", "hex_md5"],
-    "DEPRECATED_HASHING_SCHEMES": ["hex_md5"],
     "DATETIME_FACTORY": naive_utcnow,
     "TOTP_SECRETS": None,
     "TOTP_ISSUER": None,