From 1952f368a8d52a80b5be4da2c2b2c8bed7471365 Mon Sep 17 00:00:00 2001
From: Son
Date: Mon, 21 Mar 2022 14:40:47 +0100
Subject: [PATCH 1/2] require password to use the api key page

---
 app/dashboard/views/api_key.py   |  2 ++
 tests/dashboard/test_api_keys.py | 20 +++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/app/dashboard/views/api_key.py b/app/dashboard/views/api_key.py
index de0c8e9d..83335c7e 100644
--- a/app/dashboard/views/api_key.py
+++ b/app/dashboard/views/api_key.py
@@ -4,6 +4,7 @@ from flask_wtf import FlaskForm
 from wtforms import StringField, validators
 
 from app.dashboard.base import dashboard_bp
+from app.dashboard.views.enter_sudo import sudo_required
 from app.db import Session
 from app.models import ApiKey
 
@@ -14,6 +15,7 @@ class NewApiKeyForm(FlaskForm):
 
 @dashboard_bp.route("/api_key", methods=["GET", "POST"])
 @login_required
+@sudo_required
 def api_key():
     api_keys = (
         ApiKey.filter(ApiKey.user_id == current_user.id)
diff --git a/tests/dashboard/test_api_keys.py b/tests/dashboard/test_api_keys.py
index 108ca6f6..d4677883 100644
--- a/tests/dashboard/test_api_keys.py
+++ b/tests/dashboard/test_api_keys.py
@@ -1,14 +1,28 @@
-from flask import url_for
+from time import time
+
+from flask import url_for, request
 
 from app.db import Session
 from app.models import User, ApiKey
 from tests.utils import login
 
 
+def test_api_key_page_requires_password(flask_client):
+    r = flask_client.get(
+        url_for("dashboard.api_key"),
+    )
+
+    assert r.status_code == 302
+
+
 def test_create_delete_api_key(flask_client):
     user = login(flask_client)
     Session.commit()
 
+    # to bypass sudo mode
+    with flask_client.session_transaction() as session:
+        session["sudo_time"] = int(time())
+
     # create api_key
     create_r = flask_client.post(
         url_for("dashboard.api_key"),
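Review bot: The decorator stack on `api_key` now carries a security-relevant ordering that nothing documents: `@sudo_required` sits beneath `@login_required`, so the sudo check only runs for an already-authenticated user and an anonymous request is still answered by the login redirect; swapping the two would presumably send anonymous users to the sudo prompt instead. Add a one-line comment above the new decorator, `# keep below @login_required: the sudo check assumes an authenticated session`, and give the view a short docstring saying that viewing, creating and deleting API keys requires a recent password re-entry, since the route serves both GET and POST. The body of `api_key` continues past the hunk, so whether the delete path has any further protection is not visible here.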
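Review bot: `test_api_key_page_requires_password` never logs in, so the 302 it asserts is almost certainly the `login_required` redirect, and the test passes with or without `@sudo_required`; it does not actually prove the new gating. Call `login(flask_client)` before the GET (the helper is already imported in this hunk) so the only thing left to redirect is the sudo check, and if `enter_sudo` exposes a route, also assert that `r.location` points to it rather than to the login page. A POST without sudo mode deserves the same test, since that is the path that creates or deletes keys. The two blank `+` lines after the assert are fine, but the `request` import added here is unused; the follow-up commit already removes it.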
@@ -51,6 +65,10 @@ def test_delete_all_api_keys(flask_client):
     assert ApiKey.filter(ApiKey.user_id == user_1.id).count() == 2
     assert ApiKey.filter(ApiKey.user_id == user_2.id).count() == 1
 
+    # to bypass sudo mode
+    with flask_client.session_transaction() as session:
+        session["sudo_time"] = int(time())
+
     # delete all of user 1's API keys
     r = flask_client.post(
         url_for("dashboard.api_key"),

From 2baebe7934b7a00688551996f2720f0e30c43560 Mon Sep 17 00:00:00 2001
From: Son
Date: Mon, 21 Mar 2022 14:43:27 +0100
Subject: [PATCH 2/2] remove unused import

---
 tests/dashboard/test_api_keys.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/dashboard/test_api_keys.py b/tests/dashboard/test_api_keys.py
index d4677883..7621b503 100644
--- a/tests/dashboard/test_api_keys.py
+++ b/tests/dashboard/test_api_keys.py
@@ -1,6 +1,6 @@
 from time import time
 
-from flask import url_for, request
+from flask import url_for
 
 from app.db import Session
 from app.models import User, ApiKey
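Review bot: The three-line "bypass sudo mode" block added here is a verbatim copy of the one `test_create_delete_api_key` gained in the previous hunk, and every further test that touches this page will need it again; writing the session key by hand in each test also ties them all to the internal `sudo_time` name that `sudo_required` presumably reads. Factor it into one module-level helper, `def _enter_sudo(flask_client): with flask_client.session_transaction() as session: session["sudo_time"] = int(time())`, and call it from both tests so a rename of the key or a change in how sudo mode is recorded is a one-line fix. `test_delete_all_api_keys` starts before the hunk, so the user setup it relies on is not visible here.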