Put API key in the path (not query string) cc: #300

2025-04-11 15:51:19 +00:00 · 2020-02-14 16:39:31 +02:00 · 2020-02-14 16:39:31 +02:00 · e52ac9af91
commit e52ac9af91
parent 12b946acf3
4 changed files with 11 additions and 8 deletions
--- a/hc/front/tests/test_metrics.py
+++ b/hc/front/tests/test_metrics.py
@ -13,7 +13,7 @@ class MetricsTestCase(BaseTestCase):
        self.check.save()

        key = "R" * 32
-        self.url = "/projects/%s/checks/metrics/?api_key=%s" % (self.project.code, key)
+        self.url = "/projects/%s/checks/metrics/%s" % (self.project.code, key)

    def test_it_works(self):
        r = self.client.get(self.url)
@ -38,6 +38,6 @@ class MetricsTestCase(BaseTestCase):
        self.assertEqual(r.status_code, 400)

    def test_it_checks_api_key(self):
-        url = "/projects/%s/checks/metrics/?api_key=%s" % (self.project.code, "X" * 32)
+        url = "/projects/%s/checks/metrics/%s" % (self.project.code, "X" * 32)
        r = self.client.get(url)
        self.assertEqual(r.status_code, 403)
--- a/hc/front/urls.py
+++ b/hc/front/urls.py
@ -70,7 +70,11 @@ urlpatterns = [
    path("projects/<uuid:code>/checks/add/", views.add_check, name="hc-add-check"),
    path("checks/cron_preview/", views.cron_preview),
    path("projects/<uuid:code>/checks/status/", views.status, name="hc-status"),
-    path("projects/<uuid:code>/checks/metrics/", views.metrics, name="hc-metrics"),
+    path(
+        "projects/<uuid:code>/checks/metrics/<slug:key>",
+        views.metrics,
+        name="hc-metrics",
+    ),
    path("checks/<uuid:code>/", include(check_urls)),
    path("integrations/", include(channel_urls)),
    path("docs/", views.serve_doc, name="hc-docs"),
--- a/hc/front/views.py
+++ b/hc/front/views.py
@ -1542,12 +1542,11 @@ def add_msteams(request):
    return render(request, "integrations/add_msteams.html", ctx)


-def metrics(request, code):
-    api_key = request.GET.get("api_key", "")
-    if len(api_key) != 32:
+def metrics(request, code, key):
+    if len(key) != 32:
        return HttpResponseBadRequest()

-    q = Project.objects.filter(code=code, api_key_readonly=api_key)
+    q = Project.objects.filter(code=code, api_key_readonly=key)
    try:
        project = q.get()
    except Project.DoesNotExist:
--- a/templates/accounts/project.html
+++ b/templates/accounts/project.html
@ -45,7 +45,7 @@
                        </p>
                        <p>
                            Prometheus metrics endpoint:
-                            <a href="{% url 'hc-metrics' project.code %}?api_key={{ project.api_key_readonly }}">here</a>
+                            <a href="{% url 'hc-metrics' project.code project.api_key_readonly %}">here</a>
                        </p>
                        {% endif %}
                        <button