Allow for multiple api keys for a service.

2026-05-04 00:00:27 -04:00 · 2016-01-19 18:25:21 +00:00
parent 811e7c1bec
commit 1db57dca8c
7 changed files with 80 additions and 40 deletions
--- a/app/authentication/auth.py
+++ b/app/authentication/auth.py
@@ -1,8 +1,7 @@
 from flask import request, jsonify, _request_ctx_stack
 from client.authentication import decode_jwt_token, get_token_issuer
 from client.errors import TokenDecodeError, TokenRequestError, TokenExpiredError, TokenPayloadError
-
-from app.dao.api_key_dao import get_unsigned_secret
+from app.dao.api_key_dao import get_unsigned_secrets


 def authentication_response(message, code):
@@ -21,28 +20,36 @@ def requires_auth():
    if auth_scheme != 'Bearer ':
        return authentication_response('Unauthorized, authentication bearer scheme must be used', 401)

+    auth_token = auth_header[7:]
    try:
-        auth_token = auth_header[7:]
        api_client = fetch_client(get_token_issuer(auth_token))
-        if api_client is None:
-            authentication_response("Invalid credentials", 403)
-
-        decode_jwt_token(
-            auth_token,
-            api_client['secret'],
-            request.method,
-            request.path,
-            request.data.decode() if request.data else None
-        )
-        _request_ctx_stack.top.api_user = api_client
-    except TokenRequestError:
-        return authentication_response("Invalid token: request", 403)
-    except TokenExpiredError:
-        return authentication_response("Invalid token: expired", 403)
-    except TokenPayloadError:
-        return authentication_response("Invalid token: payload", 403)
    except TokenDecodeError:
        return authentication_response("Invalid token: signature", 403)
+    if api_client is None:
+        authentication_response("Invalid credentials", 403)
+    # If the api_client does not have any secrets return response saying that
+    errors_resp = authentication_response("Invalid token: api client has no secrets", 403)
+    for secret in api_client['secret']:
+        try:
+            decode_jwt_token(
+                auth_token,
+                secret,
+                request.method,
+                request.path,
+                request.data.decode() if request.data else None
+            )
+            _request_ctx_stack.top.api_user = api_client
+            return
+        except TokenRequestError:
+            errors_resp = authentication_response("Invalid token: request", 403)
+        except TokenExpiredError:
+            errors_resp = authentication_response("Invalid token: expired", 403)
+        except TokenPayloadError:
+            errors_resp = authentication_response("Invalid token: payload", 403)
+        except TokenDecodeError:
+            errors_resp = authentication_response("Invalid token: signature", 403)
+
+    return errors_resp


 def fetch_client(client):
@@ -55,5 +62,5 @@ def fetch_client(client):
    else:
        return {
            "client": client,
-            "secret": get_unsigned_secret(client)
+            "secret": get_unsigned_secrets(client)
        }