Include large API keys in the JSON body instead of as a header #83

* If the API key is sufficiently long, include it as part of the body of the request instead of as a header

- only set the api key header when the api key length is not too long
- Added some test cases
- Pop off the api key header when a new API key is being set that is too long
- Fixed indentation
- Fixed typo
- Added test cases

* Use PYTHON_INTEGRATION_TESTS app on Travis

* Fix test_index for python 2.6

Author: PLNech

.travis.yml

@@ -22,6 +22,6 @@ env:
   - TOXENV=coveralls-py3
   - TOXENV=py27 APPENGINE_RUNTIME=python27
   global:
-  - secure: S/H779PQk4yKOmP3HbcsrdJjls5cDQDekYhvW0nvlsSkw7L+nqEhV92Lk+JMIPOYeug66NmBSqCIhLC6NHp6TK3Z6y7wNO1JeVdtl+X7b7acRNAkMz9GqkZgLP05LyB1kGUpKfzEejxvKcKQ4iAkEVVu4N5IXcO92Y/IIMuKOe4=
-  - secure: Xtw10xjgdPiWrG6BZ+2B1UlkCBEtpVoHwttXj1nmroWqpIGOLDiAHVxgORe+mt4lIvDe2+cWJRRIeuY8f1xkbkR/FjNMf7iGbNJiARvcUe3ivX29cwOCyghN7IliyikHLwhntQcx2UFBDlMyYH5DqZYVzo22IyUFmPBMS58WqO4=
-  - secure: SLDv4lN/C6xVfd99YgNGl2vdYy95YNMd/Uqk0HjiO7TwavXPAsx7cegH6I+Q/j7XyLxFQFq4OAEWeVlnO8cebtSmu5cB1tcesf//r2lNQjrz4F7cI0bqmqbf4YzlyzPIAjSxWzELJD9l9jFbNdFMd1U8UzLt+obsLyp6AbLyqYs=
+  - secure: BGg68g6mf+VktQNzz+WQ+fbiiuzaLNHqJeXsvuN/JP8BttFVpiRQe4CYQrBIyhyqyDg07l+QGOV/5T1SuzCiRh92YNotem+RbUGvQPc9/kzfYXSmTpwe+d31qlKJ2Gwymlbi6ZTckoDGHtfh29sbHs7mfzTPfQb8untXY0p5w9o= # ALGOLIA_APPLICATION_ID
+  - secure: CAoqGDpJIREeeGieVPVvdEnDNPohZl95BEkhH0BHjYX3SLKCf9ZGw1DRcfGEPAwej3EpaUFSk4i1cHrItWll4zuZ6LQ8R/gUmsCrev3vPyFWk2DUTGxInHgPcYKpLTbQF/stgXo3YVSMBZtSky73++shbkS99KJRMGOJCLyvWp4= # ALGOLIA_API_KEY
+  - secure: ZL+IUM4D7pJX3yP2lSEaHZpxt+utEbH+wrQ8RwXAvnkwLw5WgU3lP+yS2VEkVH+3b9LZA/b/mbXKZg9Ct/j8CIdbZyRmHhCr9qF5uHrPtLHg+Rono8I8PKyHe1QidLvqo0KQvYRHnGqooVx8nZYi9ue6KEfiAz0WNjpwupqYhow= # ALGOLIA_API_KEY_SEARCH

algoliasearch/client.py

@@ -42,6 +42,9 @@
 from .helpers import urlify
 
 
+MAX_API_KEY_LENGTH = 500
+
+
 class Client(object):
     """
     Entry point in the Python Client API.
@@ -76,15 +79,14 @@ def __init__(self, app_id, api_key, hosts=None, _transport=None):
             self._transport.write_hosts = hosts
 
         self._transport.headers = {
-            'X-Algolia-API-Key': api_key,
             'X-Algolia-Application-Id': app_id,
             'Content-Type': 'gzip',
             'Accept-Encoding': 'gzip',
             'User-Agent': 'Algolia for Python (%s)' % VERSION
         }
 
         self._app_id = app_id
-        self._api_key = api_key
+        self.api_key = api_key
 
         # Fix for AppEngine bug when using urlfetch_stub
         if 'google.appengine.api.apiproxy_stub_map' in sys.modules.keys():
@@ -117,7 +119,11 @@ def api_key(self):
     @api_key.setter
     def api_key(self, value):
         self._api_key = value
-        self.set_extra_headers(**{'X-Algolia-API-Key': value})
+        if len(value) > MAX_API_KEY_LENGTH:
+            # If it was previously set, remove the header
+            self.headers.pop('X-Algolia-API-Key', None)
+        else:
+            self.set_extra_headers(**{'X-Algolia-API-Key': value})
 
     @deprecated
     def enableRateLimitForward(self, admin_api_key, end_user_ip,
@@ -489,4 +495,8 @@ def generate_secured_api_key(self, private_api_key, queryParameters,
         return str(base64.b64encode(("%s%s" % (securedKey, queryParameters)).encode('utf-8')).decode('utf-8'))
 
     def _req(self, is_search, path, meth, params=None, data=None):
+        if len(self.api_key) > MAX_API_KEY_LENGTH:
+            if data is None:
+                data = {}
+            data['apiKey'] = self.api_key
         return self._transport.req(is_search, path, meth, params, data)

tests/test_client.py

@@ -11,7 +11,7 @@
 except ImportError:
     import unittest
 
-from algoliasearch.client import Client
+from algoliasearch.client import Client, MAX_API_KEY_LENGTH
 
 from .helpers import safe_index_name
 from .helpers import get_api_client
@@ -88,6 +88,20 @@ def test_change_api_key(self):
         self.assertEqual(client._api_key, 'your_api_key')
         self.assertEqual(client.headers['X-Algolia-API-Key'], 'your_api_key')
 
+    def test_change_api_key_too_long(self):
+        client = get_api_client()
+        api_key = 'a' * (MAX_API_KEY_LENGTH + 1)
+        client.api_key = api_key
+        self.assertEqual(client._api_key, api_key)
+        self.assertFalse('X-Algolia-API-Key' in client.headers)
+
+    def test_change_api_key_max_length(self):
+        client = get_api_client()
+        api_key = 'a' * MAX_API_KEY_LENGTH
+        client.api_key = api_key
+        self.assertEqual(client._api_key, api_key)
+        self.assertEqual(client.headers['X-Algolia-API-Key'], api_key)
+
     def test_subclassing_client(self):
         class SubClient(Client):
             def __init__(self, user_name, *args, **kwargs):

tests/test_index.py

@@ -2,6 +2,7 @@
 
 from __future__ import unicode_literals
 
+import os
 import time
 from random import randint
 from decimal import Decimal
@@ -12,6 +13,7 @@
 except ImportError:
     import unittest
 
+from algoliasearch.client import MAX_API_KEY_LENGTH
 from algoliasearch.helpers import AlgoliaException
 
 from .helpers import safe_index_name
@@ -277,6 +279,33 @@ def test_search(self):
         res_ids = [elt['objectID'] for elt in res['hits']]
         self.assertIn(self.objectIDs[2], res_ids)
 
+    def test_search_with_short_secured_api_key(self):
+        old_key = self.client.api_key
+
+        secured_api_key = self.client.generate_secured_api_key(
+            os.environ['ALGOLIA_API_KEY_SEARCH'],
+            dict(filters=''),
+        )
+        assert len(secured_api_key) < MAX_API_KEY_LENGTH
+        self.client.api_key = secured_api_key
+        res = self.index.search('')
+        self.assertEqual(res['nbHits'], 5)
+        self.client.api_key = old_key
+
+    def test_search_with_long_secured_api_key(self):
+        old_key = self.client.api_key
+
+        tags = set('x{0}'.format(100000 + i) for i in range(1000))
+        secured_api_key = self.client.generate_secured_api_key(
+            os.environ['ALGOLIA_API_KEY_SEARCH'],
+            dict(filters=' OR '.join(tags)),
+        )
+        assert len(secured_api_key) > MAX_API_KEY_LENGTH
+        self.client.api_key = secured_api_key
+        res = self.index.search('')
+        self.assertEqual(res['nbHits'], 0)
+        self.client.api_key = old_key
+
 
 class IndexWithModifiableDataTest(IndexTest):
     """Tests that use one index with initial data and modify it."""

tests/test_old.py

@@ -59,11 +59,11 @@ def test_wrong_app_id(self):
             pass
 
     def test_retry(self):
-      try:
-          client = algoliasearch.Client(os.environ['ALGOLIA_APPLICATION_ID'], os.environ['ALGOLIA_API_KEY'], ["fakeapp-1.algolianet.com", "fakeapp-2.algolianet.com", os.environ['ALGOLIA_APPLICATION_ID'] + ".algolianet.com"])
-          client.listIndexes
-      except algoliasearch.AlgoliaException as e:
-          self.assertTrue(false)
+        try:
+            client = algoliasearch.Client(os.environ['ALGOLIA_APPLICATION_ID'], os.environ['ALGOLIA_API_KEY'], ["fakeapp-1.algolianet.com", "fakeapp-2.algolianet.com", os.environ['ALGOLIA_APPLICATION_ID'] + ".algolianet.com"])
+            client.listIndexes
+        except algoliasearch.AlgoliaException as e:
+            self.assertTrue(False)
 
     def test_network(self):
         batch = []