Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Expired APIKey's are considered as valid APIKey #261

Open
xalien10 opened this issue Feb 29, 2024 · 0 comments
Open

Expired APIKey's are considered as valid APIKey #261

xalien10 opened this issue Feb 29, 2024 · 0 comments

Comments

@xalien10
Copy link

xalien10 commented Feb 29, 2024

Describe the bug
Expired API key is not checked using APIKey models is_valid method.

To Reproduce
Steps to reproduce the behavior:

  1. Create One APIKey and set any older date than now
  2. Make request with the APIKey and you'll be able to see contents which is only meant to be for valid API Key

Expected behavior
When we're checking APIKey's validity then has_expired should also be taken into consideration.

Additional context
If we do the following then we can avoid this problem:

def is_valid(self, key: str) -> bool:
    key_generator = type(self).objects.key_generator
    valid = key_generator.verify(key, self.hashed_key)

    # Transparently update the key to use the preferred hasher
    # if it is using an outdated hasher.
    if valid and not key_generator.using_preferred_hasher(self.hashed_key):
        # Note that since the PK includes the hashed key,
        # they will be internally inconsistent following this upgrade.
        # See: https://github.com/florimondmanca/djangorestframework-api-key/issues/128
        self.hashed_key = key_generator.hash(key)
        self.save()

    return bool(valid and not self.has_expired)

@florimondmanca

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant