ITISFoundation · giancarloromeo · Apr 23, 2025 · Jan 24, 2025 · Feb 5, 2025 · Mar 10, 2025
@@ -0,0 +1,28 @@
+"""hash exising api_secret data
+
+Revision ID: 742123f0933a
+Revises: b0c988e3f348
+Create Date: 2025-03-13 09:39:43.895529+00:00
+
+"""
+
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "742123f0933a"
+down_revision = "b0c988e3f348"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.execute(
+        """
+        UPDATE api_keys
+        SET api_secret = crypt(api_secret, gen_salt('bf', 10))
+        """
+    )
+
+
+def downgrade():
+    pass
@@ -0,0 +1,23 @@
+"""add index to api_key column
+
+Revision ID: b0c988e3f348
+Revises: 381336fa8001
+Create Date: 2025-03-13 08:53:05.722855+00:00
+
+"""
+
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "b0c988e3f348"
+down_revision = "381336fa8001"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.create_index(op.f("ix_api_keys_api_key"), "api_keys", ["api_key"], unique=False)
+
+
+def downgrade():
+    op.drop_index(op.f("ix_api_keys_api_key"), table_name="api_keys")
@@ -1,4 +1,4 @@
-""" API keys to access public API
+"""API keys to access public API
 
 
 These keys grant the client authorization to the API resources
@@ -10,6 +10,7 @@
  +--------+                                +---------------+
 
 """
+
 import sqlalchemy as sa
 from sqlalchemy.sql import func
 
@@ -52,7 +53,7 @@
         nullable=False,
         doc="Identified product",
     ),
-    sa.Column("api_key", sa.String(), nullable=False),
+    sa.Column("api_key", sa.String(), nullable=False, index=True),
     sa.Column("api_secret", sa.String(), nullable=False),
     sa.Column(
         "created",

@@ -22,8 +22,11 @@ async def get_user(
         self, api_key: str, api_secret: str
     ) -> UserAndProductTuple | None:
         stmt = sa.select(tbl.api_keys.c.user_id, tbl.api_keys.c.product_name).where(
-            (tbl.api_keys.c.api_key == api_key)
-            & (tbl.api_keys.c.api_secret == api_secret),
+            (tbl.api_keys.c.api_key == api_key)  # NOTE: keep order, api_key is indexed
+            & (
+                tbl.api_keys.c.api_secret
+                == sa.func.crypt(api_secret, tbl.api_keys.c.api_secret)
+            )
         )
         result: UserAndProductTuple | None = None
         try:

@@ -255,31 +255,39 @@ async def create_fake_api_keys(
     create_product_names: Callable[[PositiveInt], AsyncGenerator[str, None]],
 ) -> AsyncGenerator[Callable[[PositiveInt], AsyncGenerator[ApiKeyInDB, None]], None]:
     async def _generate_fake_api_key(n: PositiveInt):
-        users = create_user_ids(n)
-        products = create_product_names(n)
+        users, products = create_user_ids(n), create_product_names(n)
+        excluded_column = "api_secret"
+        returning_cols = [col for col in api_keys.c if col.name != excluded_column]
+
         for _ in range(n):
             product = await anext(products)
             user = await anext(users)
+            api_key = random_api_key(product, user)
+            plain_api_secret = api_key.pop("api_secret")
             result = await connection.execute(
                 api_keys.insert()
-                .values(**random_api_key(product, user))
-                .returning(sa.literal_column("*"))
+                .values(
+                    api_secret=sa.func.crypt(plain_api_secret, sa.func.gen_salt("bf")),
+                    **api_key,
+                )
+                .returning(*returning_cols)
             )
             row = await result.fetchone()
             assert row
             _generate_fake_api_key.row_ids.append(row.id)
-            yield ApiKeyInDB.model_validate(row)
+            yield ApiKeyInDB.model_validate({"api_secret": plain_api_secret, **row})
 
     _generate_fake_api_key.row_ids = []
     yield _generate_fake_api_key
 
-    for row_id in _generate_fake_api_key.row_ids:
-        await connection.execute(api_keys.delete().where(api_keys.c.id == row_id))
+    await connection.execute(
+        api_keys.delete().where(api_keys.c.id.in_(_generate_fake_api_key.row_ids))
+    )
 
 
 @pytest.fixture
 async def auth(
-    create_fake_api_keys: Callable[[PositiveInt], AsyncGenerator[ApiKeyInDB, None]]
+    create_fake_api_keys: Callable[[PositiveInt], AsyncGenerator[ApiKeyInDB, None]],
 ) -> httpx.BasicAuth:
     """overrides auth and uses access to real repositories instead of mocks"""
     async for key in create_fake_api_keys(1):

@@ -1,5 +1,4 @@
 import uuid
-from typing import cast
 from uuid import uuid5
 
 from aiocache import cached  # type: ignore[import-untyped]
@@ -8,7 +7,7 @@
 from models_library.rpc.webserver.auth.api_keys import ApiKeyGet
 from models_library.users import UserID
 
-from ._api_auth_rpc import get_or_create_api_key_and_secret
+from ._api_auth_rpc import create_api_key
 
 
 def create_unique_api_name_for(product_name: ProductName, user_id: UserID) -> str:
@@ -24,14 +23,14 @@ def _cache_key(fct, *_, **kwargs):
 
 
 @cached(ttl=3, key_builder=_cache_key)
-async def _get_or_create_for(
+async def _create_for(
     app: FastAPI,
     *,
     product_name: ProductName,
     user_id: UserID,
 ) -> ApiKeyGet:
     display_name = create_unique_api_name_for(product_name, user_id)
-    return await get_or_create_api_key_and_secret(
+    return await create_api_key(
         app,
         user_id=user_id,
         product_name=product_name,
@@ -40,34 +39,36 @@ async def _get_or_create_for(
     )
 
 
-async def get_or_create_user_api_key(
+async def create_user_api_key(
     app: FastAPI,
     product_name: ProductName,
     user_id: UserID,
 ) -> str:
-    data = await _get_or_create_for(
+    data: ApiKeyGet = await _create_for(
         app,
         product_name=product_name,
         user_id=user_id,
     )
-    return cast(str, data.api_key)
+    assert data.api_key
+    return data.api_key
 
 
-async def get_or_create_user_api_secret(
+async def create_user_api_secret(
     app: FastAPI,
     product_name: ProductName,
     user_id: UserID,
 ) -> str:
-    data = await _get_or_create_for(
+    data: ApiKeyGet = await _create_for(
         app,
         product_name=product_name,
         user_id=user_id,
     )
-    return cast(str, data.api_secret)
+    assert data.api_secret
+    return data.api_secret
 
 
 __all__: tuple[str, ...] = (
-    "get_or_create_user_api_key",
-    "get_or_create_user_api_secret",
     "create_unique_api_name_for",
+    "create_user_api_key",
+    "create_user_api_secret",
 )
@@ -15,7 +15,7 @@
 #
 
 
-async def get_or_create_api_key_and_secret(
+async def create_api_key(
     app: FastAPI,
     *,
     product_name: ProductName,
@@ -26,10 +26,11 @@ async def get_or_create_api_key_and_secret(
     rpc_client = get_rabbitmq_rpc_client(app)
     result = await rpc_client.request(
         WEBSERVER_RPC_NAMESPACE,
-        TypeAdapter(RPCMethodName).validate_python("get_or_create_api_key"),
+        TypeAdapter(RPCMethodName).validate_python("create_api_key"),
         user_id=user_id,
         display_name=display_name,
         expiration=expiration,
         product_name=product_name,
+        raise_on_conflict=False,
     )
     return ApiKeyGet.model_validate(result)
@@ -32,7 +32,7 @@
     resolve_variables_from_context,
 )
 from ..db.repositories.services_environments import ServicesEnvironmentsRepository
-from ._api_auth import get_or_create_user_api_key, get_or_create_user_api_secret
+from ._api_auth import create_user_api_key, create_user_api_secret
 from ._user import request_user_email, request_user_role
 
 _logger = logging.getLogger(__name__)
@@ -130,11 +130,9 @@ def create(cls, app: FastAPI):
 
         table.register_from_handler("OSPARC_VARIABLE_USER_EMAIL")(request_user_email)
         table.register_from_handler("OSPARC_VARIABLE_USER_ROLE")(request_user_role)
-        table.register_from_handler("OSPARC_VARIABLE_API_KEY")(
-            get_or_create_user_api_key
-        )
+        table.register_from_handler("OSPARC_VARIABLE_API_KEY")(create_user_api_key)
         table.register_from_handler("OSPARC_VARIABLE_API_SECRET")(
-            get_or_create_user_api_secret
+            create_user_api_secret
         )
 
         _logger.debug(

@@ -360,7 +360,7 @@ async def _create(
 
     # mocks RPC interface
     mocker.patch(
-        "simcore_service_director_v2.modules.osparc_variables._api_auth.get_or_create_api_key_and_secret",
+        "simcore_service_director_v2.modules.osparc_variables._api_auth.create_api_key",
         side_effect=_create,
         autospec=True,
     )
@@ -1,5 +1,3 @@
-from datetime import timedelta
-
 from aiohttp import web
 from models_library.api_schemas_webserver import WEBSERVER_RPC_NAMESPACE
 from models_library.api_schemas_webserver.auth import ApiKeyCreateRequest
@@ -23,13 +21,15 @@ async def create_api_key(
     user_id: UserID,
     product_name: ProductName,
     api_key: ApiKeyCreateRequest,
+    raise_on_conflict: bool = True,
 ) -> ApiKeyGet:
     created_api_key: ApiKey = await _service.create_api_key(
         app,
         user_id=user_id,
         product_name=product_name,
         display_name=api_key.display_name,
         expiration=api_key.expiration,
+        raise_on_conflict=raise_on_conflict,
     )
 
     return ApiKeyGet.model_validate(created_api_key)
@@ -52,25 +52,6 @@ async def get_api_key(
     return ApiKeyGet.model_validate(api_key)
 
 
-@router.expose()
-async def get_or_create_api_key(
-    app: web.Application,
-    *,
-    user_id: UserID,
-    product_name: ProductName,
-    display_name: str,
-    expiration: timedelta | None = None,
-) -> ApiKeyGet:
-    api_key: ApiKey = await _service.get_or_create_api_key(
-        app,
-        user_id=user_id,
-        product_name=product_name,
-        display_name=display_name,
-        expiration=expiration,
-    )
-    return ApiKeyGet.model_validate(api_key)
-
-
 @router.expose()
 async def delete_api_key(
     app: web.Application,