checking for None type for key value before comparing digest

mitre · Sep 26, 2023 · 3a73279 · 3a73279
1 parent 3f3dd3a
commit 3a73279
Showing 1 changed file with 9 additions and 9 deletions.
diff --git a/app/service/auth_svc.py b/app/service/auth_svc.py
@@ -139,16 +139,16 @@ async def login_redirect(self, request, use_template=True):
                 raise e
 
     def request_has_valid_api_key(self, request):
-        api_key = request.headers.get(HEADER_API_KEY)
-
-        if api_key is None:
+        request_api_key = request.headers.get(HEADER_API_KEY)
+        if request_api_key is None:
             return False
-        if compare_digest(api_key, self.get_config(CONFIG_API_KEY_RED)):
-            return True
-        if compare_digest(api_key, self.get_config(CONFIG_API_KEY_BLUE)):
-            return True
+        for i in [CONFIG_API_KEY_RED, CONFIG_API_KEY_BLUE]:
+            api_key = self.get_config(i)
+            if api_key is not None and compare_digest(request_api_key, api_key):
+                return True
         return False
 
+
     async def request_has_valid_user_session(self, request):
         return await aiohttp_security_api.authorized_userid(request) is not None
 
@@ -171,9 +171,9 @@ async def get_permissions(self, request):
         identity = await identity_policy.identify(request)
         if identity in self.user_map:
             return [self.Access[p.upper()] for p in self.user_map[identity].permissions]
-        elif request.headers.get('KEY') == self.get_config('api_key_red'):
+        elif request.headers.get(HEADER_API_KEY) == self.get_config(CONFIG_API_KEY_RED):
             return self.Access.RED, self.Access.APP
-        elif request.headers.get('KEY') == self.get_config('api_key_blue'):
+        elif request.headers.get(HEADER_API_KEY) == self.get_config(CONFIG_API_KEY_BLUE):
             return self.Access.BLUE, self.Access.APP
         return ()