Add additional validation checks (#4104)

* Add tests for additional edge cases * Add additional validation checks These additional checks aren't necessary in theory (and we do already have tests covering these edge cases), but I think they still make sense to make them explicit and to be more resilient against potential future changes.
alephdata · Jan 20, 2025 · 8f23001 · 8f23001
1 parent e2bb30a
commit 8f23001
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 3 deletions.
diff --git a/aleph/model/role.py b/aleph/model/role.py
@@ -1,7 +1,7 @@
 import logging
 from datetime import datetime, timezone
 from normality import stringify
-from sqlalchemy import or_, not_, func
+from sqlalchemy import and_, or_, not_, func
 from itsdangerous import URLSafeTimedSerializer
 from werkzeug.security import generate_password_hash, check_password_hash
 
@@ -197,13 +197,18 @@ def by_email(cls, email):
 
     @classmethod
     def by_api_key(cls, api_key):
-        if api_key is None:
+        if api_key is None or not len(api_key.strip()):
             return None
 
         q = cls.all()
 
         digest = hash_api_key(api_key)
-        q = q.filter(cls.api_key_digest == digest)
+        q = q.filter(
+            and_(
+                cls.api_key_digest != None,  # noqa: E711
+                cls.api_key_digest == digest,
+            )
+        )
 
         utcnow = datetime.now(timezone.utc)
         # TODO: Exclude API keys without expiration date after deadline

diff --git a/aleph/tests/test_view_context.py b/aleph/tests/test_view_context.py
@@ -75,6 +75,10 @@ def test_authz_header_api_key_invalid(self):
         res = self.client.get(f"/api/2/roles/{self.role.id}", headers=headers)
         assert res.status_code == 403
 
+        headers = {"Authorization": "ApiKey   "}
+        res = self.client.get(f"/api/2/roles/{self.role.id}", headers=headers)
+        assert res.status_code == 403
+
         headers = {"Authorization": ""}
         res = self.client.get(f"/api/2/roles/{self.role.id}", headers=headers)
         assert res.status_code == 403
@@ -83,6 +87,10 @@ def test_authz_header_api_key_invalid(self):
         res = self.client.get(f"/api/2/roles/{self.role.id}", headers=headers)
         assert res.status_code == 403
 
+        headers = {"Authorization": "   "}
+        res = self.client.get(f"/api/2/roles/{self.role.id}", headers=headers)
+        assert res.status_code == 403
+
     def test_authz_url_param_api_key(self):
         query_string = {"api_key": "1234567890"}
         res = self.client.get(f"/api/2/roles/{self.role.id}", query_string=query_string)
@@ -97,3 +105,7 @@ def test_authz_url_params_api_key_invalid(self):
         query_string = {"api_key": ""}
         res = self.client.get(f"/api/2/roles/{self.role.id}", query_string=query_string)
         assert res.status_code == 403
+
+        query_string = {"api_key": "   "}
+        res = self.client.get(f"/api/2/roles/{self.role.id}", query_string=query_string)
+        assert res.status_code == 403