Expired APIKey's are considered as valid APIKey #261
Description
Describe the bug
Expired API key is not checked using APIKey models is_valid method.
To Reproduce
Steps to reproduce the behavior:
- Create One
APIKeyand set any older date than now - Make request with the APIKey and you'll be able to see contents which is only meant to be for valid API Key
Expected behavior
When we're checking APIKey's validity then has_expired should also be taken into consideration.
Additional context
If we do the following then we can avoid this problem:
def is_valid(self, key: str) -> bool:
key_generator = type(self).objects.key_generator
valid = key_generator.verify(key, self.hashed_key)
# Transparently update the key to use the preferred hasher
# if it is using an outdated hasher.
if valid and not key_generator.using_preferred_hasher(self.hashed_key):
# Note that since the PK includes the hashed key,
# they will be internally inconsistent following this upgrade.
# See: https://github.com/florimondmanca/djangorestframework-api-key/issues/128
self.hashed_key = key_generator.hash(key)
self.save()
return bool(valid and not self.has_expired)