From 326ff1bad88c6f1ad1d8d9bd13502c3dc98b5978 Mon Sep 17 00:00:00 2001
From: Till Prochaska <1512805+tillprochaska@users.noreply.github.com>
Date: Mon, 20 Jan 2025 11:25:10 +0100
Subject: [PATCH] Add additional validation checks

These additional checks aren't necessary in theory (and we do already have tests covering these edge cases), but I think they still make sense to make them explicit and to be more resilient against potential future changes.
---
 aleph/model/role.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/aleph/model/role.py b/aleph/model/role.py
index 7d3cc8f74..fcdaa67a1 100644
--- a/aleph/model/role.py
+++ b/aleph/model/role.py
@@ -1,7 +1,7 @@
 import logging
 from datetime import datetime, timezone
 from normality import stringify
-from sqlalchemy import or_, not_, func
+from sqlalchemy import and_, or_, not_, func
 from itsdangerous import URLSafeTimedSerializer
 from werkzeug.security import generate_password_hash, check_password_hash
@@ -197,13 +197,18 @@ def by_email(cls, email):
     @classmethod
     def by_api_key(cls, api_key):
-        if api_key is None:
+        if api_key is None or not len(api_key.strip()):
             return None
         q = cls.all()
         digest = hash_api_key(api_key)
-        q = q.filter(cls.api_key_digest == digest)
+        q = q.filter(
+            and_(
+                cls.api_key_digest != None,  # noqa: E711
+                cls.api_key_digest == digest,
+            )
+        )
         utcnow = datetime.now(timezone.utc)
         # TODO: Exclude API keys without expiration date after deadline
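Review bot: The `and_` import added to the `from sqlalchemy import` line is not needed: `Query.filter()` already ANDs several criteria passed to one call, so the lookup it serves can be written `q.filter(cls.api_key_digest != None, cls.api_key_digest == digest)  # noqa: E711` with no new import. The `!= None` clause itself also appears redundant rather than load-bearing, because `== digest` cannot match a NULL column under SQL's three-valued logic as long as `hash_api_key` returns a real string (its return type is not visible here), so if the guard stays it deserves a comment such as `# belt-and-braces: a NULL digest must never match, even if digest were ever None`. On the same note, `if api_key is None or not api_key.strip():` reads better than `not len(api_key.strip())`. The body of `by_api_key` continues past the second hunk, which is cut off at the end of this page.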