fix: Updates after manual testing

KShivendu · KShivendu · commit 685e725c0537 · 2023-09-08T15:44:11.000+05:30
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,7 +8,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+### Added
+
+-   The Dashboard recipe now accepts a new `admins` property which can be used to give Dashboard Users write privileges for the user dashboard.
+
+### Changes
 
+-   Dashboard APIs now return a status code `403` for all non-GET requests if the currently logged in Dashboard User is not listed in the `admins` array
 
 ## [0.15.3] - 2023-09-24
 
diff --git a/supertokens_python/recipe/dashboard/api/validate_key.py b/supertokens_python/recipe/dashboard/api/validate_key.py
@@ -35,7 +35,7 @@ async def handle_validate_key_api(
     user_context: Dict[str, Any],
 ):
 
-    is_valid_key = validate_api_key(
+    is_valid_key = await validate_api_key(
         api_options.request, api_options.config, user_context
     )
 
diff --git a/supertokens_python/recipe/dashboard/recipe_implementation.py b/supertokens_python/recipe/dashboard/recipe_implementation.py
@@ -41,7 +41,7 @@ async def should_allow_access(
         user_context: Dict[str, Any],
     ) -> bool:
         # For cases where we're not using the API key, the JWT is being used; we allow their access by default
-        if config.api_key is not None:
+        if config.api_key is None:
             auth_header_value = request.get_header("authorization")
             if not auth_header_value:
                 return False
@@ -60,7 +60,7 @@ async def should_allow_access(
             # user is allowed to perform this operation
             if normalise_http_method(request.method()) != "get":
                 # We dont want to block the analytics API
-                if request.get_original_url().startswith(DASHBOARD_ANALYTICS_API):
+                if request.get_original_url().endswith(DASHBOARD_ANALYTICS_API):
                     return True
 
                 # We do not want to block the sign out request
@@ -77,7 +77,7 @@ async def should_allow_access(
 
                 if email_in_headers is None:
                     log_debug_message(
-                        "User Dashboard: Returniing OPERATION_NOT_ALLOWED because no email was provided in headers"
+                        "User Dashboard: Returning UNAUTHORISED_ERROR because no email was provided in headers"
                     )
                     return False
 
@@ -89,4 +89,4 @@ async def should_allow_access(
 
             return True
 
-        return validate_api_key(request, config, user_context)
+        return await validate_api_key(request, config, user_context)
diff --git a/supertokens_python/recipe/dashboard/utils.py b/supertokens_python/recipe/dashboard/utils.py
@@ -424,7 +424,7 @@ def is_recipe_initialised(recipeId: str) -> bool:
     return isRecipeInitialised
 
 
-def validate_api_key(
+async def validate_api_key(
     req: BaseRequest, config: DashboardConfig, _user_context: Dict[str, Any]
 ) -> bool:
     api_key_header_value = req.get_header("authorization")

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ async def handle_validate_key_api(`
`35`	`35`	`user_context: Dict[str, Any],`
`36`	`36`	`):`
`37`	`37`
`38`		`- is_valid_key = validate_api_key(`
	`38`	`+ is_valid_key = await validate_api_key(`
`39`	`39`	`api_options.request, api_options.config, user_context`
`40`	`40`	`)`
`41`	`41`