changeset 5218:c0da0ef508da stable
auth: only API keys with 40 alpha-numeric characters are valid
This makes it easy to disable API keys in the database without violating the
uniqueness constraint, using something like:
UPDATE users SET api_key='-'||api_key;
UPDATE user_api_keys SET api_key='-'||api_key;
author | Mads Kiilerich <madski@unity3d.com> |
date | Tue, 07 Jul 2015 02:09:35 +0200 |
parents | 9a02f9ef28d7 |
children | c9cfaeb1cdfe |
files | kallithea/model/db.py kallithea/tests/functional/test_login.py |
diffstat | 2 files changed, 5 insertions(+), 0 deletions(-) [+] |
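--- a/kallithea/model/db.py
+++ b/kallithea/model/db.py
@@ -542,6 +542,9 @@
 @classmethod
 def get_by_api_key(cls, api_key, cache=False, fallback=True):
+if len(api_key) != 40 or not api_key.isalnum():
+return None
+
 q = cls.query().filter(cls.api_key == api_key)
 if cache: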
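Review bot: The new guard at the top of get_by_api_key evaluates `len(api_key)` before anything else, so a caller that passes None (the 'none' row of the test table suggests a missing key is a real input, though that test may simply omit the query parameter) would get a TypeError instead of the None this method otherwise returns for unknown keys. A cheap defensive form is `if not api_key or len(api_key) != 40 or not api_key.isalnum(): return None`. Note also that `str.isalnum()` accepts any Unicode letter or digit, so if the title's "alpha-numeric" means strictly ASCII `[0-9A-Za-z]`, `re.match(r'^[0-9A-Za-z]{40}$', api_key)` states that precisely; either way such a value cannot match a stored key, so the difference is only how early the lookup is rejected. A one-line why-comment would help the next reader, e.g. `# Reject anything that cannot be a generated key (e.g. a key disabled by prefixing '-' in the DB) before touching the database`. The rest of get_by_api_key continues outside the hunk.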
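--- a/kallithea/tests/functional/test_login.py
+++ b/kallithea/tests/functional/test_login.py
@@ -325,6 +325,8 @@
 ('none', None, 302),
 ('empty_string', '', 302),
 ('fake_number', '123456', 302),
+('fake_not_alnum', 'a-z', 302),
+('fake_api_key', '0123456789abcdef0123456789ABCDEF01234567', 302),
 ('proper_api_key', None, 200)
 ])
 def test_access_whitelisted_page_via_api_key(self, test_name, api_key, code):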
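Review bot: The added rows cover a short non-alphanumeric value and a well-formed unknown key, but not the case the commit message motivates — a stored key disabled by prefixing '-', which is still 40 characters yet fails `isalnum()`; a row such as `('disabled_api_key', '-' + '0' * 39, 302)` (constructed value) would pin that behaviour. Whether a None api_key ever reaches `get_by_api_key` through this test depends on the body of test_access_whitelisted_page_via_api_key, which lies outside the hunk.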