Allow for multiple api keys for a service.

2026-02-01 07:35:34 -05:00 · 2016-01-19 18:25:21 +00:00
parent 811e7c1bec
commit 1db57dca8c
7 changed files with 80 additions and 40 deletions
--- a/app/authentication/auth.py
+++ b/app/authentication/auth.py
@@ -1,8 +1,7 @@
 from flask import request, jsonify, _request_ctx_stack
 from client.authentication import decode_jwt_token, get_token_issuer
 from client.errors import TokenDecodeError, TokenRequestError, TokenExpiredError, TokenPayloadError
-
-from app.dao.api_key_dao import get_unsigned_secret
+from app.dao.api_key_dao import get_unsigned_secrets


 def authentication_response(message, code):
@@ -21,28 +20,36 @@ def requires_auth():
    if auth_scheme != 'Bearer ':
        return authentication_response('Unauthorized, authentication bearer scheme must be used', 401)

+    auth_token = auth_header[7:]
    try:
-        auth_token = auth_header[7:]
        api_client = fetch_client(get_token_issuer(auth_token))
-        if api_client is None:
-            authentication_response("Invalid credentials", 403)
-
-        decode_jwt_token(
-            auth_token,
-            api_client['secret'],
-            request.method,
-            request.path,
-            request.data.decode() if request.data else None
-        )
-        _request_ctx_stack.top.api_user = api_client
-    except TokenRequestError:
-        return authentication_response("Invalid token: request", 403)
-    except TokenExpiredError:
-        return authentication_response("Invalid token: expired", 403)
-    except TokenPayloadError:
-        return authentication_response("Invalid token: payload", 403)
    except TokenDecodeError:
        return authentication_response("Invalid token: signature", 403)
+    if api_client is None:
+        authentication_response("Invalid credentials", 403)
+    # If the api_client does not have any secrets return response saying that
+    errors_resp = authentication_response("Invalid token: api client has no secrets", 403)
+    for secret in api_client['secret']:
+        try:
+            decode_jwt_token(
+                auth_token,
+                secret,
+                request.method,
+                request.path,
+                request.data.decode() if request.data else None
+            )
+            _request_ctx_stack.top.api_user = api_client
+            return
+        except TokenRequestError:
+            errors_resp = authentication_response("Invalid token: request", 403)
+        except TokenExpiredError:
+            errors_resp = authentication_response("Invalid token: expired", 403)
+        except TokenPayloadError:
+            errors_resp = authentication_response("Invalid token: payload", 403)
+        except TokenDecodeError:
+            errors_resp = authentication_response("Invalid token: signature", 403)
+
+    return errors_resp


 def fetch_client(client):
@@ -55,5 +62,5 @@ def fetch_client(client):
    else:
        return {
            "client": client,
-            "secret": get_unsigned_secret(client)
+            "secret": get_unsigned_secrets(client)
        }
--- a/app/dao/api_key_dao.py
+++ b/app/dao/api_key_dao.py
@@ -30,12 +30,20 @@ def get_model_api_keys(service_id=None, raise_=True):
    return ApiKey.query.filter_by().all()


-def get_unsigned_secret(service_id):
+def get_unsigned_secrets(service_id):
    """
-    There should only be one valid api_keys for each service.
    This method can only be exposed to the Authentication of the api calls.
    """
-    api_key = ApiKey.query.filter_by(service_id=service_id, expiry_date=None).one()
+    api_keys = ApiKey.query.filter_by(service_id=service_id, expiry_date=None).all()
+    keys = [_get_secret(x.secret) for x in api_keys]
+    return keys
+
+
+def get_unsigned_secret(key_id):
+    """
+    This method can only be exposed to the Authentication of the api calls.
+    """
+    api_key = ApiKey.query.filter_by(id=key_id, expiry_date=None).one()
    return _get_secret(api_key.secret)


--- a/app/service/rest.py
+++ b/app/service/rest.py
@@ -75,7 +75,7 @@ def get_service(service_id=None):
    return jsonify(data=data)


-@service.route('/<int:service_id>/api-key/renew', methods=['POST'])
+@service.route('/<int:service_id>/api-key', methods=['POST'])
 def renew_api_key(service_id=None):
    try:
        service = get_model_services(service_id=service_id)
@@ -92,10 +92,11 @@ def renew_api_key(service_id=None):
        # create a new one
        # TODO: what validation should be done here?
        secret_name = request.get_json()['name']
-        save_model_api_key(ApiKey(service=service, name=secret_name))
+        key = ApiKey(service=service, name=secret_name)
+        save_model_api_key(key)
    except DAOException as e:
        return jsonify(result='error', message=str(e)), 400
-    unsigned_api_key = get_unsigned_secret(service_id)
+    unsigned_api_key = get_unsigned_secret(key.id)
    return jsonify(data=unsigned_api_key), 201