Fix for returning expired token during authentication (#10228) (#10233)

melektron · web-flow · commit c5ffb952c843 · 2025-09-02T10:19:28.000+10:00
diff --git a/src/backend/InvenTree/users/api.py b/src/backend/InvenTree/users/api.py
@@ -1,6 +1,5 @@
 """DRF API definition for the 'users' app."""
 
-import datetime
 import logging
 
 from django.contrib.auth import authenticate, get_user, login, logout
@@ -326,24 +325,7 @@ def get(self, request, *args, **kwargs):
             user = request.user
             name = request.query_params.get('name', '')
 
-            name = ApiToken.sanitize_name(name)
-
-            today = datetime.date.today()
-
-            # Find existing token, which has not expired
-            token = ApiToken.objects.filter(
-                user=user, name=name, revoked=False, expiry__gte=today
-            ).first()
-
-            if not token:
-                # User is authenticated, and requesting a token against the provided name.
-                token = ApiToken.objects.create(user=request.user, name=name)
-
-                logger.info(
-                    "Created new API token for user '%s' (name='%s')",
-                    user.username,
-                    name,
-                )
+            token = ApiToken.get_or_create(user=user, token_name=name)
 
             # Add some metadata about the request
             token.set_metadata('user_agent', request.headers.get('user-agent', ''))
diff --git a/src/backend/InvenTree/users/models.py b/src/backend/InvenTree/users/models.py
@@ -58,13 +58,9 @@ def default_token_expiry():
 
 def default_create_token(token_model, user, serializer):
     """Generate a default value for the token."""
-    token = token_model.objects.filter(user=user, name='', revoked=False)
-
-    if token.exists():
-        return token.first()
-
-    else:
-        return token_model.objects.create(user=user, name='')
+    # this implementation only works for inventree API tokens
+    assert token_model is ApiToken
+    return ApiToken.get_or_create(user=user, token_name='')
 
 
 class ApiToken(AuthToken, InvenTree.models.MetadataMixin):
@@ -94,6 +90,28 @@ def generate_key(cls, prefix='inv-'):
 
         return prefix + str(AuthToken.generate_key()) + suffix
 
+    @classmethod
+    def get_or_create(cls, user, token_name: str):
+        """Gets or creates a valid API token for the given user. Only call from authenticated context."""
+        token_name = cls.sanitize_name(token_name)
+        today = datetime.date.today()
+
+        # Find existing token, which has not expired
+        token = cls.objects.filter(
+            user=user, name=token_name, revoked=False, expiry__gte=today
+        ).first()
+
+        # create new token if no matching one exists.
+        if not token:
+            token = cls.objects.create(user=user, name=token_name)
+            logger.info(
+                "Created new API token for user '%s' (name='%s')",
+                user.username,
+                token_name,
+            )
+
+        return token
+
     # Override the 'key' field - force it to be unique
     key = models.CharField(
         default=default_token,
