
Fix permission check for read-only API keys
ivntsng committed Nov 26, 2024
1 parent 731fcb2 commit 7afbbca
Showing 2 changed files with 15 additions and 3 deletions.
11 changes: 10 additions & 1 deletion store/app/model.py
Expand Up @@ -9,7 +9,7 @@
from datetime import datetime, timedelta
from typing import Literal, Self, cast, get_args

from pydantic import BaseModel
from pydantic import BaseModel, field_validator

from store.app.errors import InternalError
from store.app.utils.password import hash_password
Expand Down Expand Up @@ -152,6 +152,15 @@ class APIKey(StoreBaseModel):
ttl: int | None = None
created_at: int

@field_validator("permissions", mode="before")
@classmethod
def convert_permissions_to_set(
cls, v: list[APIKeyPermission] | set[APIKeyPermission] | None
) -> set[APIKeyPermission] | None:
if isinstance(v, list):
return set(v)
return v

@classmethod
def create(cls, user_id: str, source: APIKeySource, permissions: APIKeyPermissionSet) -> Self:
if permissions == "full":
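Review bot: The new `convert_permissions_to_set` validator has no docstring and, because it runs with `mode="before"`, the elements of `v` have not been validated yet when `set(v)` is called; a list containing an unhashable item (a dict, say) raises a bare `TypeError`, which Pydantic v2 — implied by the `field_validator` import — does not convert into a `ValidationError`, so malformed input surfaces as an unhandled error rather than a 422. Consider guarding the conversion with `try: return set(v) / except TypeError as exc: raise ValueError("permissions must be a list of permission names") from exc`, and also accepting tuples via `isinstance(v, (list, tuple))` since a tuple currently passes through untouched. A one-line docstring such as `"""Coerce a list of permissions to a set so membership checks and comparisons (e.g. with "full") behave consistently."""` would record why the coercion exists. The enclosing `APIKey` class and the `create` classmethod both extend outside this hunk.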
7 changes: 5 additions & 2 deletions store/app/routers/teleop/webrtc.py
Expand Up @@ -11,7 +11,10 @@

from store.app.db import Crud
from store.app.model import TeleopICECandidate, User
from store.app.security.user import get_session_user_with_write_permission
from store.app.security.user import (
get_session_user_with_read_permission,
get_session_user_with_write_permission,
)

router = APIRouter()

Expand Down Expand Up @@ -84,7 +87,7 @@ class CheckAuthResponse(BaseModel):

@router.get("/check", response_model=CheckAuthResponse)
async def check_auth(
user: Annotated[User, Depends(get_session_user_with_write_permission)],
user: Annotated[User, Depends(get_session_user_with_read_permission)],
) -> CheckAuthResponse:
"""Validates the user's API key and returns their user ID."""
return CheckAuthResponse(user_id=user.id)

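Review bot: The `check_auth` docstring on the line after the changed dependency still says only "Validates the user's API key", but the endpoint now succeeds for read-only keys, so a 200 from `/check` no longer implies the caller may use the write-gated teleop endpoints; callers that treat this probe as a write-capability check would be misled. Suggest `"""Validate the caller's API key (read permission is sufficient) and return their user ID."""` so the enforced level is visible at the endpoint. Whether `get_session_user_with_write_permission` is still used elsewhere in this router cannot be seen from the hunk; if it is not, the import becomes dead.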