mirror of
https://github.com/simple-login/app.git
synced 2024-09-30 05:31:30 +02:00
Merge pull request #845 from simple-login/feature/api-key-require-sudo
require password to use the api key page
commit
7464588144
@ -4,6 +4,7 @@ from flask_wtf import FlaskForm
|
|||||||
from wtforms import StringField, validators
|
from wtforms import StringField, validators
|
||||||
|
|
||||||
from app.dashboard.base import dashboard_bp
|
from app.dashboard.base import dashboard_bp
|
||||||
|
from app.dashboard.views.enter_sudo import sudo_required
|
||||||
from app.db import Session
|
from app.db import Session
|
||||||
from app.models import ApiKey
|
from app.models import ApiKey
|
||||||
|
|
||||||
@ -14,6 +15,7 @@ class NewApiKeyForm(FlaskForm):
|
|||||||
|
|
||||||
@dashboard_bp.route("/api_key", methods=["GET", "POST"])
|
@dashboard_bp.route("/api_key", methods=["GET", "POST"])
|
||||||
@login_required
|
@login_required
|
||||||
|
@sudo_required
|
||||||
def api_key():
|
def api_key():
|
||||||
api_keys = (
|
api_keys = (
|
||||||
ApiKey.filter(ApiKey.user_id == current_user.id)
|
ApiKey.filter(ApiKey.user_id == current_user.id)
|
||||||
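Review bot: The placement of `@sudo_required` below `@login_required` on `api_key()` matters, but nothing in the file records why. Python applies decorators bottom-up, so at request time the login check wraps the sudo check and runs first. `sudo_required` is defined outside this page, so presumably it expects an authenticated `current_user`. A one-line comment above it, such as `# keep below login_required: re-prompts an already authenticated user for the password`, would stop a later reorder from weakening the guard. The body of `api_key()` continues past the end of the hunk.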
|
@ -1,3 +1,5 @@
|
|||||||
|
from time import time
|
||||||
|
|
||||||
from flask import url_for
|
from flask import url_for
|
||||||
|
|
||||||
from app.db import Session
|
from app.db import Session
|
||||||
@ -5,10 +7,22 @@ from app.models import User, ApiKey
|
|||||||
from tests.utils import login
|
from tests.utils import login
|
||||||
|
|
||||||
|
|
||||||
|
def test_api_key_page_requires_password(flask_client):
|
||||||
|
r = flask_client.get(
|
||||||
|
url_for("dashboard.api_key"),
|
||||||
|
)
|
||||||
|
|
||||||
|
assert r.status_code == 302
|
||||||
|
|
||||||
|
|
||||||
def test_create_delete_api_key(flask_client):
|
def test_create_delete_api_key(flask_client):
|
||||||
user = login(flask_client)
|
user = login(flask_client)
|
||||||
Session.commit()
|
Session.commit()
|
||||||
|
|
||||||
|
# to bypass sudo mode
|
||||||
|
with flask_client.session_transaction() as session:
|
||||||
|
session["sudo_time"] = int(time())
|
||||||
|
|
||||||
# create api_key
|
# create api_key
|
||||||
create_r = flask_client.post(
|
create_r = flask_client.post(
|
||||||
url_for("dashboard.api_key"),
|
url_for("dashboard.api_key"),
|
||||||
@ -51,6 +65,10 @@ def test_delete_all_api_keys(flask_client):
|
|||||||
assert ApiKey.filter(ApiKey.user_id == user_1.id).count() == 2
|
assert ApiKey.filter(ApiKey.user_id == user_1.id).count() == 2
|
||||||
assert ApiKey.filter(ApiKey.user_id == user_2.id).count() == 1
|
assert ApiKey.filter(ApiKey.user_id == user_2.id).count() == 1
|
||||||
|
|
||||||
|
# to bypass sudo mode
|
||||||
|
with flask_client.session_transaction() as session:
|
||||||
|
session["sudo_time"] = int(time())
|
||||||
|
|
||||||
# delete all of user 1's API keys
|
# delete all of user 1's API keys
|
||||||
r = flask_client.post(
|
r = flask_client.post(
|
||||||
url_for("dashboard.api_key"),
|
url_for("dashboard.api_key"),
|
||||||
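Review bot: `test_api_key_page_requires_password` never calls `login(flask_client)`, so the 302 it asserts is most likely the `@login_required` redirect for an anonymous client. The test would therefore still pass if `@sudo_required` were removed from the view. Start the test with `login(flask_client)` and assert that the redirect's `Location` targets the password re-entry page rather than the login page. A stale `session["sudo_time"]` is also worth a case, since the other two tests only set it to `int(time())` and nothing here shows that an old timestamp is rejected.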
|