pallets-eco / flask-security

Quick and simple security for Flask applications

login without required confirmation

najibfahs opened this issue · comments

Peace,
First, thank you so much for this wonderful package, and thank you again for the continued support.
My issue is this:
SECURITY_CONFIRMABLE = True
SECURITY_SEND_REGISTER_EMAIL = True
SECURITY_LOGIN_WITHOUT_CONFIRMATION = False

When I register a user, I get the message that a confirmation email was sent (and the email is received indeed). However, I am able to log in without clicking on the confirmation link. Is this expected? What I expected is to be redirected to the confirm view so that another email is sent. I should not be allowed to log in if I have not confirmed the email.

In fact, after I register and get the flash message that an email was sent to me for further action, I click on the /confirm URL (not the link in the email) to see whether I am confirmed. I enter my registered email and the system flashes "Your email has already been confirmed" without even clicking on the link in the email. I don't think this is by design. Somehow, I am automatically confirmed without using the link in the email, even if the configuration parameters are set to do otherwise.

What am I doing wrong?

Hmm - interesting - no - that's not by design. The code looks at the 'confirmed_at' column in your user model - what does that look like?

Note: the email that I get after registration is actually a welcome email:
Welcome xxxxx!
You can confirm your email through the link below:
Confirm my account

@jwag956: Now that you mentioned that, I think I know what is wrong! I added a default value to that confirmed_at column.
confirmed_at = db.Column(db.DateTime, default=datetime.utcnow)
Let me remove it and test it.

Indeed! It worked. Thanks a lot for the comment. I should not have added a default attribute:
confirmed_at = db.Column(db.DateTime)
Issue solved.
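
The misconfiguration resolved in this thread, reproduced as an added example (not code from the thread or from Flask-Security): it compares the two `confirmed_at` definitions and includes a check that flags any default on that column, since the maintainer's reply says the confirmation logic looks at `confirmed_at`. It assumes plain SQLAlchemy in place of the thread's `db.Column`; the model names, helper functions and email address are hypothetical.

```python
from datetime import datetime

from sqlalchemy import Column, DateTime, Integer, String, create_engine
from sqlalchemy.orm import Session, declarative_base

Base = declarative_base()


class MisconfiguredUser(Base):
    """Hypothetical model using the column definition that caused the issue."""
    __tablename__ = "misconfigured_user"
    id = Column(Integer, primary_key=True)
    email = Column(String(255), unique=True)
    confirmed_at = Column(DateTime, default=datetime.utcnow)


class FixedUser(Base):
    """Hypothetical model using the corrected definition (no default)."""
    __tablename__ = "fixed_user"
    id = Column(Integer, primary_key=True)
    email = Column(String(255), unique=True)
    confirmed_at = Column(DateTime)


def confirmed_at_default_problems(model):
    """Return the reasons why new rows of `model` would start out confirmed."""
    col = model.__table__.c.confirmed_at
    problems = []
    if col.default is not None:
        problems.append("Python-side default on confirmed_at")
    if col.server_default is not None:
        problems.append("server_default on confirmed_at")
    return problems


def confirmed_at_after_register(model):
    """Insert a fresh user, as registration would, and return its confirmed_at."""
    engine = create_engine("sqlite://")  # throwaway in-memory database
    Base.metadata.create_all(engine)
    with Session(engine) as session:
        user = model(email="new.user@example.com")  # constructed sample value
        session.add(user)
        session.commit()
        return user.confirmed_at


if __name__ == "__main__":
    for model in (MisconfiguredUser, FixedUser):
        print(model.__name__, confirmed_at_default_problems(model),
              confirmed_at_after_register(model))
```

Running `confirmed_at_default_problems` against the real user model at application start-up or in a unit test catches this before an unconfirmed account can log in.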