diff --git a/piccolo_api/crud/endpoints.py b/piccolo_api/crud/endpoints.py index 1daa682f..5174a1f7 100644 --- a/piccolo_api/crud/endpoints.py +++ b/piccolo_api/crud/endpoints.py @@ -366,11 +366,16 @@ def pydantic_model_filters(self) -> type[pydantic.BaseModel]: ] email_columns = self.table._meta.email_columns + secret_columns = self.table._meta.secret_columns base_model = create_pydantic_model( self.table, include_default_columns=True, - exclude_columns=(*multidimensional_array_columns, *email_columns), + exclude_columns=( + *multidimensional_array_columns, + *email_columns, + *secret_columns, + ), all_optional=True, model_name=model_name, ) diff --git a/piccolo_api/session_auth/piccolo_migrations/2019-11-12T20-47-17.py b/piccolo_api/session_auth/piccolo_migrations/session_auth_2019_11_12t20_47_17.py similarity index 100% rename from piccolo_api/session_auth/piccolo_migrations/2019-11-12T20-47-17.py rename to piccolo_api/session_auth/piccolo_migrations/session_auth_2019_11_12t20_47_17.py diff --git a/piccolo_api/session_auth/piccolo_migrations/session_auth_2026_05_27t16_15_06_677127.py b/piccolo_api/session_auth/piccolo_migrations/session_auth_2026_05_27t16_15_06_677127.py new file mode 100644 index 00000000..64a41875 --- /dev/null +++ b/piccolo_api/session_auth/piccolo_migrations/session_auth_2026_05_27t16_15_06_677127.py @@ -0,0 +1,26 @@ +from piccolo.apps.migrations.auto.migration_manager import MigrationManager +from piccolo.columns.column_types import Varchar + +ID = "2026-05-27T16:15:06:677127" +VERSION = "1.34.0" +DESCRIPTION = "Make token column secret." + + +async def forwards(): + manager = MigrationManager( + migration_id=ID, app_name="session_auth", description=DESCRIPTION + ) + + manager.alter_column( + table_class_name="SessionsBase", + tablename="sessions", + column_name="token", + db_column_name="token", + params={"secret": True}, + old_params={"secret": False}, + column_class=Varchar, + old_column_class=Varchar, + schema=None, + ) + + return manager diff --git a/piccolo_api/session_auth/tables.py b/piccolo_api/session_auth/tables.py index fd861f64..236fce34 100644 --- a/piccolo_api/session_auth/tables.py +++ b/piccolo_api/session_auth/tables.py @@ -18,22 +18,18 @@ class SessionsBase(Table, tablename="sessions"): id: Serial #: Stores the session token. - token: Varchar = Varchar(length=100, null=False) + token = Varchar(length=100, null=False, secret=True) #: Stores the user ID. - user_id: Integer = Integer(null=False) + user_id = Integer(null=False) #: Stores the expiry date for this session. - expiry_date: Timestamp = Timestamp( - default=TimestampOffset(hours=1), null=False - ) + expiry_date = Timestamp(default=TimestampOffset(hours=1), null=False) #: We set a hard limit on the expiry date - it can keep on getting extended #: up until this value, after which it's best to invalidate it, and either #: require login again, or just create a new session token. - max_expiry_date: Timestamp = Timestamp( - default=TimestampOffset(days=7), null=False - ) + max_expiry_date = Timestamp(default=TimestampOffset(days=7), null=False) @classmethod async def create_session( diff --git a/tests/crud/test_crud_endpoints.py b/tests/crud/test_crud_endpoints.py index 296c23db..e008fd5b 100644 --- a/tests/crud/test_crud_endpoints.py +++ b/tests/crud/test_crud_endpoints.py @@ -1248,6 +1248,29 @@ def test_filter_multidimensional_array(self): ) +class TestFilterSecret(TestCase): + """ + Make sure that ``Secret`` columns can't be filtered. + """ + + def setUp(self): + TopSecret.create_table(if_not_exists=True).run_sync() + TopSecret(name="My secret", confidential="secret123").save().run_sync() + + def tearDown(self): + TopSecret.alter().drop_table(if_exists=True).run_sync() + + def test_filter_secret(self): + client = TestClient(PiccoloCRUD(table=TopSecret)) + + response = client.get("/?confidential=secret") + self.assertEqual(response.status_code, 400) + self.assertEqual( + response.content, + b"confidential isn't a valid field name.", + ) + + class TestExcludeSecrets(TestCase): """ Make sure that if ``exclude_secrets`` is ``True``, then values for