# HG changeset patch
# User Mads Kiilerich
# Date 2015-07-07 02:09:35
# Node ID c0da0ef508da341b376b522cb1e14a7e49858055
# Parent 9a02f9ef28d7955ea8681b1985e9df59732898df
auth: only API keys with 40 alpha-numeric characters are valid

This makes it easy to disable API keys in the database without violating the uniqueness constraint, using something like:

UPDATE users SET api_key='-'||api_key;
UPDATE user_api_keys SET api_key='-'||api_key;

diff --git a/kallithea/model/db.py b/kallithea/model/db.py
--- a/kallithea/model/db.py
+++ b/kallithea/model/db.py
@@ -542,6 +542,9 @@ class User(Base, BaseModel):
 
     @classmethod
     def get_by_api_key(cls, api_key, cache=False, fallback=True):
+        if len(api_key) != 40 or not api_key.isalnum():
+            return None
+
         q = cls.query().filter(cls.api_key == api_key)
 
         if cache:
diff --git a/kallithea/tests/functional/test_login.py b/kallithea/tests/functional/test_login.py
--- a/kallithea/tests/functional/test_login.py
+++ b/kallithea/tests/functional/test_login.py
@@ -325,6 +325,8 @@ class TestLoginController(TestController
         ('none', None, 302),
         ('empty_string', '', 302),
         ('fake_number', '123456', 302),
+        ('fake_not_alnum', 'a-z', 302),
+        ('fake_api_key', '0123456789abcdef0123456789ABCDEF01234567', 302),
         ('proper_api_key', None, 200)
     ])
     def test_access_whitelisted_page_via_api_key(self, test_name, api_key, code):
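Review bot: The new guard at the top of get_by_api_key calls len() and .isalnum() on api_key without first checking that it is a string, so a None api_key (the value the test's 'none' case passes) raises TypeError instead of returning None if any caller reaches this method without a key; `if not api_key or len(api_key) != 40 or not api_key.isalnum():` keeps the intent and is safe for None and ''. Note also that .isalnum() accepts non-ASCII letters and digits (and for byte strings may depend on the C locale), so a 40-character key containing accented or full-width characters still reaches the query; if keys are meant to be ASCII-only, a compiled `re.match(r'^[0-9a-zA-Z]{40}$', api_key)` pins that down, though whether api_key arrives as str or unicode is not visible here. The reason for the early return deserves a comment on the guard, e.g. `# valid keys are exactly 40 alphanumeric chars; anything else (e.g. a key disabled by prefixing '-') is rejected before touching the DB`. get_by_api_key's body continues outside the hunk, including the fallback lookup the signature suggests.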
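Review bot: The two added cases cover a non-alphanumeric key and a well-formed but unknown key, but neither exercises the length boundary or non-ASCII alphanumerics, which is where the guard in get_by_api_key is most likely to diverge from the intended format; a 39- or 41-character alphanumeric key and a 40-character key containing a non-ASCII letter would pin that behaviour down. Since these go through the login controller, a direct unit test asserting `User.get_by_api_key(...)` returns None for such inputs would be the cheaper and more precise place for them. The parametrize list and the body of test_access_whitelisted_page_via_api_key extend outside the hunk.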