Expired APIKey's are considered as valid APIKey

Question

Expired APIKey's are considered as valid APIKey

Opened this issue 4 months ago · 0 comments

xalien10 commented 4 months ago

Describe the bug
Expired API key is not checked using APIKey models is_valid method.

To Reproduce
Steps to reproduce the behavior:

Create One APIKey and set any older date than now
Make request with the APIKey and you'll be able to see contents which is only meant to be for valid API Key

Expected behavior
When we're checking APIKey's validity then has_expired should also be taken into consideration.

Additional context
If we do the following then we can avoid this problem:

def is_valid(self, key: str) -> bool:
    key_generator = type(self).objects.key_generator
    valid = key_generator.verify(key, self.hashed_key)

    # Transparently update the key to use the preferred hasher
    # if it is using an outdated hasher.
    if valid and not key_generator.using_preferred_hasher(self.hashed_key):
        # Note that since the PK includes the hashed key,
        # they will be internally inconsistent following this upgrade.
        # See: https://github.com/florimondmanca/djangorestframework-api-key/issues/128
        self.hashed_key = key_generator.hash(key)
        self.save()

    return bool(valid and not self.has_expired)

@florimondmanca