remove old api secret

src/c3nav/api/models.py

@@ -2,13 +2,20 @@ import string
 
 from django.conf import settings
 from django.db import models
+from django.db.models import Q
+from django.utils import timezone
 from django.utils.crypto import constant_time_compare, get_random_string
 from django.utils.translation import gettext_lazy as _
 
 
 class SecretQuerySet(models.QuerySet):
     def get_by_secret(self, secret):
-        self.filter(secret=secret, )
+        return self.filter(api_secret=secret).valid_only()
+
+    def valid_only(self):
+        return self.filter(
+            Q(valid_until__isnull=True) | Q(valid_until__gte=timezone.now()),
+        )
 
 
 class Secret(models.Model):
@@ -22,6 +29,8 @@ class Secret(models.Model):
     scope_mesh = models.BooleanField(_('mesh access'), default=False)
     valid_until = models.DateTimeField(null=True, verbose_name=_('valid_until'))
 
+    objects = models.Manager.from_queryset(SecretQuerySet)()
+
     def scopes_display(self):
         return [
             field.verbose_name for field in self._meta.get_fields()

src/c3nav/api/newauth.py

@@ -5,8 +5,6 @@ from importlib import import_module
 
 from django.contrib.auth import get_user as auth_get_user
 from django.contrib.auth.models import AnonymousUser
-from django.db.models import Q
-from django.utils import timezone
 from django.utils.functional import SimpleLazyObject, lazy
 from ninja.security import HttpBearer
 
@@ -77,10 +75,7 @@ class APITokenAuth(HttpBearer):
             )
         elif token.startswith("secret:"):
             try:
-                secret = Secret.objects.filter(
-                    Q(api_secret=token.removeprefix("secret:")),
-                    Q(valid_until__isnull=True) | Q(valid_until__gte=timezone.now()),
-                ).select_related("user", "user__permissions").get()
+                secret = Secret.objects.get_by_secret(token.removeprefix("secret:")).get()
             except Secret.DoesNotExist:
                 raise APITokenInvalid