florimondmanca / djangorestframework-api-key

🔐 API key permissions for Django REST Framework
https://florimondmanca.github.io/djangorestframework-api-key/
MIT License
678 stars 104 forks

Expired APIKeys are considered valid APIKeys #261

Open xalien10 opened 8 months ago

xalien10 commented 8 months ago

Describe the bug: An expired API key is not detected by the APIKey model's is_valid method.

To Reproduce: Steps to reproduce the behavior:

  1. Create one APIKey and set its expiry date to any date earlier than now.
  2. Make a request with that APIKey and you'll be able to see content that is only meant for valid API keys.

Expected behavior: When checking an APIKey's validity, has_expired should also be taken into consideration.

Additional context: If we do the following, we can avoid this problem:

def is_valid(self, key: str) -> bool:
    key_generator = type(self).objects.key_generator
    valid = key_generator.verify(key, self.hashed_key)

    # Transparently update the key to use the preferred hasher
    # if it is using an outdated hasher.
    if valid and not key_generator.using_preferred_hasher(self.hashed_key):
        # Note that since the PK includes the hashed key,
        # they will be internally inconsistent following this upgrade.
        # See: https://github.com/florimondmanca/djangorestframework-api-key/issues/128
        self.hashed_key = key_generator.hash(key)
        self.save()

    # A matching hash alone is not enough: the key must also not have expired.
    return bool(valid and not self.has_expired)
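The check proposed in the report above, carried through end to end as an added example. This is not code from the issue or from djangorestframework-api-key and it uses no Django: the `prefix.secret` key shape and the `has_expired` / `is_valid` names follow the library, but `KeyGenerator` (salted SHA-256 via hashlib instead of Django's password hashers), `APIKey`, `KeyStore`, `days_from_now`, `authorize` and `demo_expired_key` are simplified stand-ins written for this example. `is_valid_hash_only` reproduces the reported behaviour; `is_valid` adds the expiry check; `KeyStore.authorize` shows where the request-side lookup by prefix should reject an expired key.

```python
"""Stand-alone illustration of the expiry check proposed in the issue.

Added example; not the library's code. KeyGenerator, APIKey and KeyStore
are simplified stand-ins (assumptions), not djangorestframework-api-key APIs.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


def now() -> datetime:
    return datetime.now(timezone.utc)


def days_from_now(days: float) -> datetime:
    """Build an expiry date; negative values are already in the past."""
    return now() + timedelta(days=days)


class KeyGenerator:
    """Stand-in for the library's key generator (assumption: salted SHA-256)."""

    def generate(self) -> Tuple[str, str, str]:
        prefix = secrets.token_hex(4)        # 8 hex chars, stored in clear for lookup
        secret = secrets.token_urlsafe(24)   # shown to the client once, never stored
        key = f"{prefix}.{secret}"
        return key, prefix, self.hash(key)

    def hash(self, key: str) -> str:
        salt = secrets.token_hex(8)
        digest = hashlib.sha256((salt + key).encode()).hexdigest()
        return f"sha256${salt}${digest}"

    def verify(self, key: str, hashed_key: str) -> bool:
        _algo, salt, digest = hashed_key.split("$")
        candidate = hashlib.sha256((salt + key).encode()).hexdigest()
        return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class APIKey:
    prefix: str
    hashed_key: str
    expiry_date: Optional[datetime] = None
    generator: KeyGenerator = field(default_factory=KeyGenerator)

    @property
    def has_expired(self) -> bool:
        # As in the library: a key without an expiry date never expires.
        return self.expiry_date is not None and self.expiry_date < now()

    def is_valid_hash_only(self, key: str) -> bool:
        """The behaviour the issue reports: only the hash is checked."""
        return self.generator.verify(key, self.hashed_key)

    def is_valid(self, key: str) -> bool:
        """The proposed fix: the hash must match AND the key must not have expired."""
        valid = self.generator.verify(key, self.hashed_key)
        return bool(valid and not self.has_expired)


class KeyStore:
    """In-memory stand-in for the APIKey table and its manager (assumption)."""

    def __init__(self) -> None:
        self._by_prefix: Dict[str, APIKey] = {}
        self._generator = KeyGenerator()

    def create(self, expiry_date: Optional[datetime] = None) -> str:
        """Step 1 of the report: create a key and hand back the raw key once."""
        key, prefix, hashed = self._generator.generate()
        self._by_prefix[prefix] = APIKey(prefix, hashed, expiry_date, self._generator)
        return key

    def authorize(self, raw_key: str) -> bool:
        """Step 2: decide whether a request carrying raw_key may see protected content.

        Rejects malformed keys, unknown prefixes, wrong secrets and expired keys.
        """
        prefix, sep, _secret = raw_key.partition(".")
        if not sep:
            return False
        api_key = self._by_prefix.get(prefix)
        if api_key is None:
            return False
        return api_key.is_valid(raw_key)


def demo_expired_key() -> Tuple[bool, bool]:
    """Reproduce the report: an expired key passes the hash-only check, fails is_valid."""
    gen = KeyGenerator()
    key, prefix, hashed = gen.generate()
    expired = APIKey(prefix, hashed, days_from_now(-1), gen)
    return expired.is_valid_hash_only(key), expired.is_valid(key)


if __name__ == "__main__":
    print("hash-only, with expiry check:", demo_expired_key())
```

Run as a script it prints `(True, False)`: the same expired key is accepted when only the hash is verified and rejected once `has_expired` is consulted. Note that the lookup by prefix in `authorize` must still call the expiry-aware `is_valid`; putting the check only in the model method while the request path verifies the hash itself would leave the hole open.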

@florimondmanca