changeset 5218:c0da0ef508da stable

auth: only API keys with 40 alpha-numeric characters are valid. This makes it easy to disable API keys in the database without violating the uniqueness constraint, using something like: UPDATE users SET api_key='-'||api_key; UPDATE user_api_keys SET api_key='-'||api_key;
author Mads Kiilerich <madski@unity3d.com>
date Tue, 07 Jul 2015 02:09:35 +0200
parents 9a02f9ef28d7
children c9cfaeb1cdfe
files kallithea/model/db.py kallithea/tests/functional/test_login.py
diffstat 2 files changed, 5 insertions(+), 0 deletions(-) [+]
--- a/kallithea/model/db.py	Tue Jul 07 02:09:35 2015 +0200
+++ b/kallithea/model/db.py	Tue Jul 07 02:09:35 2015 +0200
@@ -542,6 +542,9 @@
 
     @classmethod
     def get_by_api_key(cls, api_key, cache=False, fallback=True):
+        if len(api_key) != 40 or not api_key.isalnum():
+            return None
+
         q = cls.query().filter(cls.api_key == api_key)
 
         if cache:
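Review bot: The new guard on L18 relies on `str.isalnum()`, which on a unicode string accepts non-ASCII letters and digits (e.g. accented letters or non-Latin digits), so it is looser than the "40 alpha-numeric characters" the commit message promises; if keys coming from the request layer are unicode, a stricter ASCII test such as `if len(api_key) != 40 or not all(c in string.ascii_letters + string.digits for c in api_key): return None` (or an equivalent `re.match(r'^[0-9a-zA-Z]{40}$', api_key)`) pins the intended format. The guard also assumes `api_key` is a string — `len(None)` raises TypeError — so if any caller can pass None, an `if not api_key` check should come first. The reason for the shape check lives only in the commit message; a comment on the new lines such as `# Reject malformed keys up front; keys disabled by prefixing '-' in the DB never reach the query` would keep that rationale with the code. get_by_api_key's body continues outside the hunk.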
--- a/kallithea/tests/functional/test_login.py	Tue Jul 07 02:09:35 2015 +0200
+++ b/kallithea/tests/functional/test_login.py	Tue Jul 07 02:09:35 2015 +0200
@@ -325,6 +325,8 @@
         ('none', None, 302),
         ('empty_string', '', 302),
         ('fake_number', '123456', 302),
+        ('fake_not_alnum', 'a-z', 302),
+        ('fake_api_key', '0123456789abcdef0123456789ABCDEF01234567', 302),
         ('proper_api_key', None, 200)
     ])
     def test_access_whitelisted_page_via_api_key(self, test_name, api_key, code):
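Review bot: The new `fake_not_alnum` case on L30 uses `'a-z'`, which fails the length check before the alnum check ever runs, so the `isalnum()` branch of the new guard is not actually exercised in isolation; `fake_api_key` on L31 covers the well-formed-but-unknown path. A 40-character value carrying the exact disabled-key prefix the commit describes would pin the intended behaviour, e.g. `('fake_disabled_key', '-0123456789abcdef0123456789ABCDEF0123456', 302),`. The parametrize decorator starts before the hunk and the test body runs past it.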