From 933c96914ba01005488d71f48a11d5477d5f8134 Mon Sep 17 00:00:00 2001
From: Mufeed Ali
Date: Sun, 20 Feb 2022 13:36:29 +0530
Subject: [PATCH] app: Fail when giving invalid API keys

When an API key is passed, fail in the case of an invalid API key even if an API key is not required. This allows the user to know that the API key is invalid. Otherwise, they work under the assumption that the API key is correct, even though it is not.
---
 app/app.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/app/app.py b/app/app.py
index 6a78a1d..b3be7ce 100644
--- a/app/app.py
+++ b/app/app.py
@@ -174,11 +174,19 @@ def create_app(args):
 if flood.has_violation(ip):
 flood.decrease(ip)
- if args.api_keys and args.require_api_key_origin:
+ if args.api_keys:
 ak = get_req_api_key()
- if (
- api_keys_db.lookup(ak) is None and request.headers.get("Origin") != args.require_api_key_origin
+ ak and api_keys_db.lookup(ak) is None
+ ):
+ abort(
+ 403,
+ description="Invalid API key",
+ )
+ elif (
+ args.require_api_key_origin
+ and api_keys_db.lookup(ak) is None
+ and request.headers.get("Origin") != args.require_api_key_origin
 ):
 abort(
 403,
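Review bot: In the added `elif`, `api_keys_db.lookup(ak) is None` can only be evaluated when `ak` is empty, because a non-empty unknown key has already aborted in the branch above, so the key store is queried a second time and the condition hides what it really tests; assuming `lookup` returns None for an empty key, `elif args.require_api_key_origin and not ak and request.headers.get("Origin") != args.require_api_key_origin:` states it directly. That branch also deserves a comment that `Origin` is supplied by the client, so the exemption for the configured origin is not an authentication control and any non-browser client can present it: `# Origin is client-controlled; this exemption is a convenience, not an access check`. As the hunk is shown, the opening `if (` is removed and no `+ if (` replaces it, which would leave the added `ak and api_keys_db.lookup(ak) is None` / `):` lines unparseable; this may be an artifact of how the patch is rendered here, but it is worth confirming against the file. The enclosing function starts before the hunk and the second `abort(` call continues past it.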