Send email notification when API key is (re-)generated

aleph/templates/email/api_key_generated.html

@@ -0,0 +1,13 @@
+{% extends "email/layout.html" %}
+
+{% block content -%}
+{% if event == "regenerated" -%}
+{% trans -%}
+Your API key has been regenerated. If that wasn’t you, please contact an administrator.
+{%- endtrans %}
+{% else -%}
+{% trans -%}
+An API key has been generated for your account. If that wasn’t you, please contact an administrator.
+{%- endtrans %}
+{%- endif %}
+{%- endblock %}

aleph/templates/email/api_key_generated.txt

@@ -0,0 +1,13 @@
+{% extends "email/layout.txt" %}
+
+{% block content -%}
+{% if event == "regenerated" -%}
+{% trans -%}
+Your API key has been regenerated. If that wasn’t you, please contact an administrator.
+{%- endtrans %}
+{% else -%}
+{% trans -%}
+An API key has been generated for your account. If that wasn’t you, please contact an administrator.
+{%- endtrans %}
+{%- endif %}
+{%- endblock %}

aleph/tests/test_roles_api.py

@@ -249,6 +249,32 @@ def test_generate_api_key(self):
         res = self.client.get(url, headers={"Authorization": new_key})
         self.assertEqual(res.status_code, 200)
 
+    def test_generate_api_key_notification(self):
+        role, headers = self.login(email="[email protected]")
+        url = f"/api/2/roles/{role.id}/generate_api_key"
+
+        with mail.record_messages() as outbox:
+            assert len(outbox) == 0
+            self.client.post(url, headers=headers)
+            assert len(outbox) == 1
+
+            msg = outbox[0]
+            assert msg.recipients == ["[email protected]"]
+            assert msg.subject == "[Aleph] API key generated"
+            assert "An API key has been generated for your account" in msg.body
+            assert "An API key has been generated for your account" in msg.html
+
+        with mail.record_messages() as outbox:
+            assert len(outbox) == 0
+            self.client.post(url, headers=headers)
+            assert len(outbox) == 1
+
+            msg = outbox[0]
+            assert msg.recipients == ["[email protected]"]
+            assert msg.subject == "[Aleph] API key regenerated"
+            assert "Your API key has been regenerated" in msg.body
+            assert "Your API key has been regenerated" in msg.html
+
     def test_new_roles_no_api_key(self):
         SETTINGS.PASSWORD_LOGIN = True
         email = "[email protected]"

aleph/views/roles_api.py

@@ -1,7 +1,7 @@
 import logging
 from banal import ensure_list
 from flask_babel import gettext
-from flask import Blueprint, request
+from flask import Blueprint, request, render_template
 from itsdangerous import BadSignature
 from werkzeug.exceptions import BadRequest
 
@@ -10,6 +10,7 @@
 from aleph.search import QueryParser, DatabaseQueryResult
 from aleph.model import Role
 from aleph.logic.roles import challenge_role, update_role, create_user, get_deep_role
+from aleph.logic.mail import email_role
 from aleph.util import is_auto_admin
 from aleph.views.serializers import RoleSerializer
 from aleph.views.util import require, jsonify, parse_request, obj_or_404
@@ -270,6 +271,13 @@ def generate_api_key(id):
     role = obj_or_404(Role.by_id(id))
     require(request.authz.can_write_role(role.id))
 
+    event = "regenerated" if role.has_api_key else "generated"
+    params = {"role": role, "event": event}
+    plain = render_template("email/api_key_generated.txt", **params)
+    html = render_template("email/api_key_generated.html", **params)
+    subject = f"API key {event}"
+    email_role(role, subject, html=html, plain=plain)
+
     role.generate_api_key()
     db.session.add(role)
     db.session.commit()