CVE-2021-3967: Only regenerate the API key by authing with the old key.

2025-11-22 07:21:23 +00:00 · 2022-02-18 21:49:17 +01:00
parent 9288f00cd7
commit d5db254ca8
3 changed files with 23 additions and 2 deletions
--- a/static/js/settings_account.js
+++ b/static/js/settings_account.js
@@ -359,8 +359,15 @@ export function set_up() {
        }

        $("#regenerate_api_key").on("click", (e) => {
+            const email = page_params.delivery_email;
+            const api_key = $("#api_key_value").text();
+            const authorization_header = "Basic " + btoa(`${email}:${api_key}`);
+
            channel.post({
-                url: "/json/users/me/api_key/regenerate",
+                // This endpoint is only accessible with the previous API key,
+                // via our usual HTTP Basic auth mechanism.
+                url: "/api/v1/users/me/api_key/regenerate",
+                headers: {Authorization: authorization_header},
                success(data) {
                    $("#api_key_value").text(data.api_key);
                },