Changeset - c0da0ef508da
[Not reviewed]
stable
0 2 0
Mads Kiilerich - 10 years ago 2015-07-07 02:09:35
madski@unity3d.com
auth: only API keys with 40 alpha-numeric characters are valid

This makes it easy to disable API keys in the database without violating the
uniqueness constraint, using something like:

UPDATE users SET api_key='-'||api_key;
UPDATE user_api_keys SET api_key='-'||api_key;
2 files changed with 5 insertions and 0 deletions:
kallithea/model/db.py
 
@@ -542,6 +542,9 @@ class User(Base, BaseModel):
 

	
 
    @classmethod
 
    def get_by_api_key(cls, api_key, cache=False, fallback=True):
 
        if len(api_key) != 40 or not api_key.isalnum():
 
            return None
 

	
 
        q = cls.query().filter(cls.api_key == api_key)
 

	
 
        if cache:
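Review bot: The new guard on the `if len(api_key) != 40 or not api_key.isalnum():` line raises TypeError when api_key is None, whereas the code before it would have run an `api_key IS NULL` lookup and returned no user; if any caller can pass None (the test table in this changeset has a 'none' case, though its controller path may filter it earlier), the guard should begin `if not api_key or len(api_key) != 40 or not api_key.isalnum():`. For a unicode/str argument, isalnum() also accepts non-ASCII letters and digits, so the check is looser than the "40 alpha-numeric characters" the commit title states; if ASCII is intended, `re.match(r'[A-Za-z0-9]{40}\Z', api_key)` pins it (re would have to be imported if it is not already). A why-comment would help the next reader, e.g. `# Reject anything that is not a well-formed key; disabled keys are stored with a '-' prefix so they never reach the lookup.` The body of get_by_api_key continues outside the hunk.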
kallithea/tests/functional/test_login.py
 
@@ -325,6 +325,8 @@ class TestLoginController(TestController
 
        ('none', None, 302),
 
        ('empty_string', '', 302),
 
        ('fake_number', '123456', 302),
 
        ('fake_not_alnum', 'a-z', 302),
 
        ('fake_api_key', '0123456789abcdef0123456789ABCDEF01234567', 302),
 
        ('proper_api_key', None, 200)
 
    ])
 
    def test_access_whitelisted_page_via_api_key(self, test_name, api_key, code):
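Review bot: Neither added case isolates the alnum half of the new guard: 'a-z' is rejected by the length check first, and the 40-character alphanumeric key is rejected only by the database lookup, so a regression that dropped the `isalnum()` test would pass this table unnoticed. A 40-character value containing a '-', the shape of a key disabled as the commit message describes, covers that branch, e.g. `('disabled_api_key', '-0123456789abcdef0123456789ABCDEF0123456', 302),` (constructed sample, 40 characters). A 39- and a 41-character alphanumeric value would likewise pin the length boundary. The parameter list begins before the hunk and the test body follows it.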