florimondmanca/djangorestframework-api-key

Infinite loop with Django, MongoDB and Djongo with HasApiKey - Solved?

Closed this issue · 1 comments

Hi! I found a bug when using HasApiKey as the permission class for my views. In my project I'm using Django, MongoDB and Djongo. The issue was that while checking the Api-Key I always ended up in an infinite loop inside djongo.

I found a solution that is working well for me by rewriting the method has_permission inside the BaseHasApiKey class:

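```python
import typing

from django.http import HttpRequest


# Replacement for the has_permission method of BaseHasApiKey.
def has_permission(self, request: HttpRequest, view: typing.Any) -> bool:
    assert self.model is not None, (
        "%s must define `.model` with the API key model to use"
        % self.__class__.__name__
    )
    key = self.get_key(request)
    # TODO rewrite KeyParser to handle custom header
    # A missing or malformed Authorization header must deny access, not raise.
    authorization = request.META.get("HTTP_AUTHORIZATION") or ""
    request_keyword, _, request_auth = authorization.partition(" ")
    request_prefix, _, _ = request_auth.partition(".")

    # Look the key up by its prefix, then verify the full key against that record.
    if key and request_keyword == self.key_parser.keyword and self.model.objects.filter(prefix=request_prefix).exists():
        key_model = self.model.objects.get(prefix=request_prefix)
        return key_model.is_valid(key)
    else:
        return False
```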

If I am breaking anything that I'm not aware of, please let me know. On the other hand, if this could contribute somehow, do not hesitate to let me know.

Cheers!
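
An added example, not part of the original post or the project's code: a framework-free sketch of the same prefix lookup that denies on a missing or malformed `Authorization` header and also refuses revoked or expired records. The `Api-Key` keyword value, the in-memory `STORE`, its field names and the SHA-256 digest (a stand-in for the real key hasher) are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional, Tuple

KEYWORD = "Api-Key"  # assumed value of key_parser.keyword


def parse_api_key(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (prefix, full_key), or None for any missing or malformed header."""
    if not authorization:
        return None
    parts = authorization.split(" ")
    if len(parts) != 2 or parts[0] != KEYWORD:
        return None
    prefix, dot, secret = parts[1].partition(".")
    if not (prefix and dot and secret):
        return None
    return prefix, parts[1]


def _digest(key: str) -> str:
    # Stand-in hash for the example only, not the project's key hasher.
    return hashlib.sha256(key.encode()).hexdigest()


def _record(key: str, revoked: bool = False, expires_at=None) -> dict:
    return {"hashed_key": _digest(key), "revoked": revoked, "expires_at": expires_at}


# Constructed sample records, keyed by prefix (hypothetical field names).
STORE = {
    "abc12345": _record("abc12345.s3cret"),
    "rev00000": _record("rev00000.s3cret", revoked=True),
    "old00000": _record("old00000.s3cret",
                        expires_at=datetime(2020, 1, 1, tzinfo=timezone.utc)),
}


def has_permission(meta: dict, now: Optional[datetime] = None) -> bool:
    parsed = parse_api_key(meta.get("HTTP_AUTHORIZATION"))
    if parsed is None:
        return False
    prefix, key = parsed
    record = STORE.get(prefix)  # one lookup instead of exists() followed by get()
    if record is None or record["revoked"]:
        return False
    now = now or datetime.now(timezone.utc)
    if record["expires_at"] is not None and record["expires_at"] <= now:
        return False
    return hmac.compare_digest(_digest(key), record["hashed_key"])
```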

Hello @Manu-Fraile

Could you provide a traceback for the infinite loop you’re using? Was that a maximum recursion depth error? Where does it say it loops on exactly?