Revoke API keys when changing broadcast settings

On a regular Notify service anyone with permission can create an API
key. If this service then is given permission to send emergency alerts
it will have an API key which can create emergency alerts. This feels
dangerous.

Secondly, if a service which legitimately has an API key for sending
alerts in training mode is changed to live mode you now have an API key
which people will think isn’t going to create a real alert but actually
will. This feels really dangerous.

Neither of these scenarios are things we should be doing, but having
them possible still makes me feel uncomfortable.

This commit revokes all API keys for a service when its broadcast
settings change, the same way we remove all permissions for its users.
This commit is contained in:
Chris Hill-Scott
2021-07-29 09:56:17 +01:00
parent 312a895822
commit 43bcb56ff4
2 changed files with 30 additions and 0 deletions
@@ -9,6 +9,7 @@ from app.models import (
EMAIL_AUTH_TYPE,
INVITE_PENDING,
VIEW_ACTIVITY,
ApiKey,
InvitedUser,
Organisation,
Permission,
@@ -67,6 +68,13 @@ def set_broadcast_service_type(service, service_mode, broadcast_channel, provide
status=INVITE_PENDING
).update({'permissions': VIEW_ACTIVITY})
# Revoke any API keys to avoid a regular API key being used to send alerts
ApiKey.query.filter_by(
service_id=service.id
).update({
ApiKey.expiry_date: datetime.utcnow()
})
# Add service to organisation
organisation = Organisation.query.filter_by(
id=current_app.config['BROADCAST_ORGANISATION_ID']
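Review bot: the bulk `ApiKey.query.filter_by(service_id=service.id).update(...)` also rewrites `expiry_date` on keys that were already revoked, so the original revocation time of those keys is lost; filtering on keys whose `expiry_date` is not yet set would keep the audit trail intact and only touch keys that are still live. Two smaller points on the same hunk: `datetime` is used here but neither hunk shows it being imported, so check the existing imports at the top of this file; and the inline comment says "revoke" while the code sets an expiry timestamp, which is fine as long as every consumer of API keys treats a past `expiry_date` as revoked (the commit message relies on that).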