reuse ApiKey if same device

2020-02-05 18:05:26 +07:00 · 2020-02-05 18:05:26 +07:00 · 14b48835ae
parent 98487aba10
commit 14b48835ae
3 changed files with 35 additions and 4 deletions
--- a/app/api/views/auth_login.py
+++ b/app/api/views/auth_login.py
@ -56,8 +56,11 @@ def auth_login():
        ret["mfa_key"] = s.sign(str(user.id))
        ret["api_key"] = None
    else:
-        api_key = ApiKey.create(user.id, device)
-        db.session.commit()
+        api_key = ApiKey.get_by(user_id=user.id, name=device)
+        if not api_key:
+            LOG.d("create new api key for %s and %s", user, device)
+            api_key = ApiKey.create(user.id, device)
+            db.session.commit()
        ret["mfa_key"] = None
        ret["api_key"] = api_key.code

--- a/app/api/views/auth_mfa.py
+++ b/app/api/views/auth_mfa.py
@ -6,6 +6,7 @@ from itsdangerous import Signer, BadSignature
 from app.api.base import api_bp
 from app.config import FLASK_SECRET
 from app.extensions import db
+from app.log import LOG
 from app.models import User, ApiKey


@ -58,8 +59,12 @@ def auth_mfa():
        "name": user.name,
    }

-    api_key = ApiKey.create(user.id, device)
-    db.session.commit()
+    api_key = ApiKey.get_by(user_id=user.id, name=device)
+    if not api_key:
+        LOG.d("create new api key for %s and %s", user, device)
+        api_key = ApiKey.create(user.id, device)
+        db.session.commit()
+
    ret["api_key"] = api_key.code

    return jsonify(**ret), 200
--- a/tests/api/test_auth_login.py
+++ b/tests/api/test_auth_login.py
@ -40,3 +40,26 @@ def test_auth_login_success_mfa_enabled(flask_client):
    assert r.json["mfa_enabled"] == True
    assert r.json["mfa_key"]
    assert r.json["name"] == "Test User"
+
+
+def test_auth_login_device_exist(flask_client):
+    User.create(email="a@b.c", password="password", name="Test User", activated=True)
+    db.session.commit()
+
+    r = flask_client.post(
+        url_for("api.auth_login"),
+        json={"email": "a@b.c", "password": "password", "device": "Test Device"},
+    )
+
+    assert r.status_code == 200
+    api_key = r.json["api_key"]
+    assert r.json["mfa_enabled"] == False
+    assert r.json["mfa_key"] is None
+    assert r.json["name"] == "Test User"
+
+    # same device, should return same api_key
+    r = flask_client.post(
+        url_for("api.auth_login"),
+        json={"email": "a@b.c", "password": "password", "device": "Test Device"},
+    )
+    assert r.json["api_key"] == api_key