Fix API key controller, when user update description or activity

4 months ago · a2da95760c
2 changed files with 15 additions and 4 deletions
--- a/application/src/main/java/org/thingsboard/server/controller/ApiKeyController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/ApiKeyController.java
@ -77,7 +77,11 @@ public class ApiKeyController extends BaseController {
        User user = checkUserId(apiKeyInfo.getUserId(), Operation.WRITE);
        apiKeyInfo.setTenantId(user.getTenantId());
        checkEntity(apiKeyInfo.getId(), apiKeyInfo, Resource.API_KEY);
-        return checkNotNull(apiKeyService.saveApiKey(apiKeyInfo.getTenantId(), apiKeyInfo));
+        ApiKey savedApiKey = checkNotNull(apiKeyService.saveApiKey(apiKeyInfo.getTenantId(), apiKeyInfo));
+        if (apiKeyInfo.getId() != null) {
+            savedApiKey.setValue(null);
+        }
+        return savedApiKey;
    }

    @ApiOperation(value = "Get User Api Keys (getUserApiKeys)",
@ -121,7 +125,7 @@ public class ApiKeyController extends BaseController {
        ApiKey apiKey = checkApiKeyId(apiKeyId, Operation.WRITE);
        checkUserId(apiKey.getUserId(), Operation.WRITE);
        apiKey.setDescription(description.orElse(null));
-        return apiKeyService.saveApiKey(apiKey.getTenantId(), apiKey);
+        return new ApiKeyInfo(apiKeyService.saveApiKey(apiKey.getTenantId(), apiKey));
    }

    @ApiOperation(value = "Enable or disable API key (enableApiKey)",
@ -137,7 +141,7 @@ public class ApiKeyController extends BaseController {
        ApiKey apiKey = checkApiKeyId(apiKeyId, Operation.WRITE);
        checkUserId(apiKey.getUserId(), Operation.WRITE);
        apiKey.setEnabled(enabledValue);
-        return apiKeyService.saveApiKey(apiKey.getTenantId(), apiKey);
+        return new ApiKeyInfo(apiKeyService.saveApiKey(apiKey.getTenantId(), apiKey));
    }

    @ApiOperation(value = "Delete API key by ID (deleteApiKey)",
--- a/application/src/test/java/org/thingsboard/server/controller/ApiKeyControllerTest.java
+++ b/application/src/test/java/org/thingsboard/server/controller/ApiKeyControllerTest.java
@ -53,7 +53,14 @@ public class ApiKeyControllerTest extends AbstractControllerTest {
        Assert.assertEquals(tenantId, savedApiKey.getTenantId());
        Assert.assertEquals(tenantAdminUser.getId(), savedApiKey.getUserId());

-        doDelete("/api/apiKey/" + savedApiKey.getId()).andExpect(status().isOk());
+        String newDescription = "Updated API Key Description";
+        savedApiKey.setDescription(newDescription);
+        ApiKey updatedApiKey = doPost("/api/apiKey", savedApiKey, ApiKey.class);
+        Assert.assertNotNull(updatedApiKey);
+        Assert.assertEquals(newDescription, updatedApiKey.getDescription());
+        Assert.assertNull("Verify we do not expose API key value on update", updatedApiKey.getValue());
+
+        doDelete("/api/apiKey/" + updatedApiKey.getId()).andExpect(status().isOk());
    }

    @Test