
Class tigrbl_auth.backends.ApiKeyBackend

tigrbl_auth.backends.ApiKeyBackend

Authenticate a principal via raw API key string.

  • Only active, non-expired keys are valid.
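  • The raw secret is never stored; verification is via BLAKE2b-256 digest. In the listing below this covers the user-key and service-key lookups; the client fallback instead passes the raw key to `verify_secret` on each client in turn.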

authenticate async

authenticate(db, api_key)
Source code in tigrbl_auth/backends.py
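async def authenticate(
    self, db: AsyncSession, api_key: str
) -> tuple[Principal, str]:
    """Resolve a raw API key string to the principal that owns it.

    Lookups run in a fixed order and the first match wins: user API key,
    then service key, then client secret.

    Args:
        db: Async session used for every lookup.
        api_key: The raw key exactly as presented by the caller.

    Returns:
        A ``(principal, kind)`` pair where ``kind`` is ``"user"``,
        ``"service"`` or ``"client"``.

    Raises:
        AuthError: If the key matches an inactive user or service, or if
            no lookup matches.
    """
    # Only the digest of the presented key is used for the user/service
    # lookups; the raw value is not passed to the database on those paths.
    api_key_cls = _ApiKey()
    digest = api_key_cls.digest_of(api_key)

    # NOTE(review): active/expiry filtering of the key row is presumably done
    # inside _get_key_stmt -- it is not visible in this method; confirm.
    key_row: Optional["ApiKey"] = await db.scalar(await self._get_key_stmt(digest))
    if key_row and key_row.user:
        # NOTE(review): this message differs from the generic failure below,
        # so it confirms that the key itself matched. Confirm callers do not
        # relay AuthError text verbatim to unauthenticated clients.
        if not key_row.user.is_active:
            raise AuthError("user is inactive")
        # NOTE(review): touch() presumably records last use; whether it is
        # persisted depends on the caller committing the session -- confirm.
        key_row.touch()
        return key_row.user, "user"

    svc_row: Optional["ServiceKey"] = await db.scalar(
        await self._get_service_key_stmt(digest)
    )
    # Mirror the user branch: a key row with no linked service is treated as
    # "no match" and ends in AuthError instead of an AttributeError on
    # `.is_active`. (Whether ServiceKey.service can be None is not visible
    # here; the guard is harmless if it cannot.)
    if svc_row and svc_row.service:
        if not svc_row.service.is_active:
            raise AuthError("service is inactive")
        svc_row.touch()
        return svc_row.service, "service"

    # Fallback: the raw key is checked against each client returned by
    # _get_client_stmt().
    # NOTE(review): every key that misses both digest lookups costs one
    # verify_secret() call per client row, so work per failed attempt grows
    # with the number of clients; pair this path with rate limiting.
    # NOTE(review): no is_active-style check on the client is visible here;
    # confirm _get_client_stmt() already excludes disabled clients.
    clients: Iterable["Client"] = await db.scalars(await self._get_client_stmt())
    for client in clients:
        if client.verify_secret(api_key):
            return client, "client"

    raise AuthError("API key invalid, revoked, or expired")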