Merge pull request #845 from simple-login/feature/api-key-require-sudo

require password to use the api key page

app/dashboard/views/api_key.py

@@ -4,6 +4,7 @@ from flask_wtf import FlaskForm
 from wtforms import StringField, validators
 
 from app.dashboard.base import dashboard_bp
+from app.dashboard.views.enter_sudo import sudo_required
 from app.db import Session
 from app.models import ApiKey
 
@@ -14,6 +15,7 @@ class NewApiKeyForm(FlaskForm):
 
 @dashboard_bp.route("/api_key", methods=["GET", "POST"])
 @login_required
+@sudo_required
 def api_key():
     api_keys = (
         ApiKey.filter(ApiKey.user_id == current_user.id)

tests/dashboard/test_api_keys.py

@@ -1,3 +1,5 @@
+from time import time
+
 from flask import url_for
 
 from app.db import Session
@@ -5,10 +7,22 @@ from app.models import User, ApiKey
 from tests.utils import login
 
 
+def test_api_key_page_requires_password(flask_client):
+    r = flask_client.get(
+        url_for("dashboard.api_key"),
+    )
+
+    assert r.status_code == 302
+
+
 def test_create_delete_api_key(flask_client):
     user = login(flask_client)
     Session.commit()
 
+    # to bypass sudo mode
+    with flask_client.session_transaction() as session:
+        session["sudo_time"] = int(time())
+
     # create api_key
     create_r = flask_client.post(
         url_for("dashboard.api_key"),
@@ -51,6 +65,10 @@ def test_delete_all_api_keys(flask_client):
     assert ApiKey.filter(ApiKey.user_id == user_1.id).count() == 2
     assert ApiKey.filter(ApiKey.user_id == user_2.id).count() == 1
 
+    # to bypass sudo mode
+    with flask_client.session_transaction() as session:
+        session["sudo_time"] = int(time())
+
     # delete all of user 1's API keys
     r = flask_client.post(
         url_for("dashboard.api_key"),