add support for KEGBOT_INSECURE_SHARED_API_KEY

docs/source/settings.rst

@@ -57,6 +57,13 @@ These values can be set in the shell environment of the server program.
     pending invitations. Generally, you should only change this value if it has
     become compromised.
 
+.. data:: KEGBOT_INSECURE_SHARED_API_KEY
+
+    If set, a random value, like a password, that will always be accepted as
+    an API key. As the name suggests, it is insecure to use this feature,
+    which is intended only for use in special standalone/embedded installs
+    (e.g. a single-user, offline Raspberry Pi) where there is no risk of exposure.
+
 .. data:: KEGBOT_SETUP_ENABLED
 
     If set to ``true``, the server will enable "setup mode". The server can

pykeg/config.py

@@ -102,6 +102,7 @@ def is_setup():
 Setting("KEGBOT_DATA_DIR", "/kegbot-data")
 Setting("KEGBOT_IN_DOCKER", False, typefn=boolstr)
 Setting("KEGBOT_SECRET_KEY", "not-configured")
+Setting("KEGBOT_INSECURE_SHARED_API_KEY", "")
 Setting("KEGBOT_SETUP_ENABLED", False, typefn=boolstr)
 Setting("KEGBOT_DATABASE_URL", os.getenv("DATABASE_URL", "mysql://root@localhost/kegbot"))
 Setting("KEGBOT_REDIS_URL", os.getenv("REDIS_URL", "redis://localhost:6379/0"))

pykeg/web/api/util.py

@@ -65,6 +65,10 @@ def check_api_key(request):
     if not keystr:
         raise kbapi.NoAuthTokenError('The parameter "api_key" is required')
 
+    shared_key = settings.KEGBOT["KEGBOT_INSECURE_SHARED_API_KEY"]
+    if shared_key and keystr == shared_key:
+        return
+
     try:
         api_key = models.ApiKey.objects.get(key=keystr)
     except models.ApiKey.DoesNotExist: