feat: add ability to revoke an API key

Signed-off-by: tdruez <tdruez@aboutcode.org>

Author: tdruez

aboutcode/api_auth/__init__.py

@@ -91,6 +91,11 @@ def regenerate(cls, user):
         cls.objects.filter(user=user).delete()
         return cls.create_token(user)
 
+    @classmethod
+    def revoke(cls, user):
+        """Delete any existing token instance for the user."""
+        return cls.objects.filter(user=user).delete()
+
 
 class APITokenAuthentication(TokenAuthentication):
     """

dejacode/urls.py

@@ -37,6 +37,7 @@
 from dje.views import GenerateAPIKeyView
 from dje.views import GlobalSearchListView
 from dje.views import IntegrationsStatusView
+from dje.views import RevokeAPIKeyView
 from dje.views import UnreadNotificationsList
 from dje.views import api_docs_view
 from dje.views import home_view
@@ -91,6 +92,7 @@
     path("account/", include("django.contrib.auth.urls")),
     path("account/profile/", AccountProfileView.as_view(), name="account_profile"),
     path("account/generate_api_key/", GenerateAPIKeyView.as_view(), name="generate_api_key"),
+    path("account/revoke_api_key/", RevokeAPIKeyView.as_view(), name="revoke_api_key"),
     path("logout/", auth_views.LogoutView.as_view(next_page="login"), name="logout"),
     path(
         "login/",

dje/models.py

@@ -1841,6 +1841,10 @@ def regenerate_api_key(self):
         """Regenerate the user API key."""
         return APIToken.regenerate(user=self)
 
+    def revoke_api_key(self):
+        """Revoke the user API key."""
+        return APIToken.revoke(user=self)
+
     def serialize_user_data(self):
         fields = [
             "email",

dje/templates/account/profile.html

@@ -26,36 +26,39 @@
 
   <hr class="my-4">
   {% include 'includes/header_title.html' with pretitle='REST API' title='API key' %}
-  <form class="mb-5" autocomplete="off">
-    <div class="row">
-      <div class="col-6">
-        <div>
-          <p>
-            Your personal API key provides access to the <a href="{% url 'api-docs:docs-index' %}" target="_blank">REST API</a>.<br>
-            <strong>Treat it like a password and keep it secure.</strong>
-          </p>
-          {% if request.user.api_token %}
-            <div class="alert alert-primary m-0 mb-3" role="alert">
-              Your API key <strong>{{ request.user.api_token.prefix }}...</strong>
-              was generated on {{ request.user.api_token.created }}<br>
-              For security reasons, the full key is only shown once at generation time.<br>
-              If you lose it, you will need to regenerate a new one.
-            </div>
-          {% else %}
-            <div class="alert alert-warning m-0 mb-3" role="alert">
-              <strong>No API key created.</strong><br>
-              Generate one using the button below to access the REST API.
-            </div>
-          {% endif %}
-        </div>
-        <div>
-          <a href="#" class="btn btn-outline-dark" data-bs-toggle="modal" data-bs-target="#generate-api-key">
-            Generate API key
-          </a>
-        </div>
+  <div class="row">
+    <div class="col-6">
+      <div>
+        <p>
+          Your personal API key provides access to the <a href="{% url 'api-docs:docs-index' %}" target="_blank">REST API</a>.<br>
+          <strong>Treat it like a password and keep it secure.</strong>
+        </p>
+        {% if request.user.api_token %}
+          <div class="alert alert-primary m-0 mb-3" role="alert">
+            Your API key <strong>{{ request.user.api_token.prefix }}...</strong>
+            was generated on {{ request.user.api_token.created }}<br>
+            For security reasons, the full key is only shown once at generation time.<br>
+            If you lose it, you will need to regenerate a new one.
+          </div>
+        {% else %}
+          <div class="alert alert-warning m-0 mb-3" role="alert">
+            <strong>No API key created.</strong><br>
+            Generate one using the button below to access the REST API.
+          </div>
+        {% endif %}
+      </div>
+      <div>
+        <a href="#" class="btn btn-outline-dark" data-bs-toggle="modal" data-bs-target="#generate-api-key">
+          Generate API key
+        </a>
+        {% if request.user.api_token %}
+          <form action="{% url 'revoke_api_key' %}" id="revoke-api-key-form" class="d-inline" method="post">{% csrf_token %}
+            <button type="submit" class="btn btn-outline-danger">Revoke API key</button>
+          </form>
+        {% endif %}
       </div>
     </div>
-  </form>
+  </div>
 
   <div class="modal" tabindex="-1" role="dialog" id="generate-api-key">
     <div class="modal-dialog" role="document">

dje/tests/test_api_auth.py

@@ -56,6 +56,13 @@ def test_api_auth_api_token_model_regenerate(self):
         APIToken.regenerate(user=self.base_user)
         self.assertEqual(1, APIToken.objects.count())
 
+    def test_api_auth_api_token_model_revoke(self):
+        self.assertEqual(0, APIToken.objects.count())
+        APIToken.regenerate(user=self.base_user)
+        self.assertEqual(1, APIToken.objects.count())
+        APIToken.revoke(user=self.base_user)
+        self.assertEqual(0, APIToken.objects.count())
+
     def test_api_auth_api_token_authentication_get_model(self):
         self.assertEqual(APIToken, APITokenAuthentication().get_model())
 

dje/tests/test_views.py

@@ -12,6 +12,7 @@
 from django.contrib.auth.models import Group
 from django.contrib.contenttypes.models import ContentType
 from django.core import mail
+from django.core.exceptions import ObjectDoesNotExist
 from django.core.paginator import Paginator
 from django.shortcuts import resolve_url
 from django.test import TestCase
@@ -309,6 +310,23 @@ def test_account_profile_view_regenerate_api_key(self):
         self.assertIn("Copy your API key now, it will not be shown again:", message)
         self.assertIn(new_token_prefix, message)
 
+    def test_account_profile_view_revoke_api_key(self):
+        url = reverse("revoke_api_key")
+        self.client.login(username=self.user.username, password="secret")
+
+        self.user.regenerate_api_key()
+        initial_token_prefix = self.user.api_token.prefix
+        self.assertEqual(8, len(initial_token_prefix))
+
+        response = self.client.post(url, follow=True)
+        self.user.refresh_from_db()
+        message = "DejacodeUser has no api_token"
+        with self.assertRaisesMessage(ObjectDoesNotExist, message):
+            self.user.api_token
+
+        message = list(response.context["messages"])[0].message
+        self.assertEqual("API key revoked.", message)
+
     @override_settings(REFERENCE_DATASPACE="Dataspace", TEMPLATE_DATASPACE=None)
     def test_clone_dataset_view(self):
         template_dataspace = Dataspace.objects.create(name="Template")

dje/views.py

@@ -2091,6 +2091,13 @@ def post(self, request, *args, **kwargs):
         return redirect(reverse_lazy("account_profile"))
 
 
+class RevokeAPIKeyView(LoginRequiredMixin, View):
+    def post(self, request, *args, **kwargs):
+        request.user.revoke_api_key()
+        messages.success(request, "API key revoked.")
+        return redirect(reverse_lazy("account_profile"))
+
+
 @login_required
 def docs_models_view(request):
     from dje.admin import dejacode_site