Merge pull request #207 from seibert-media/fix-keys

LefGian · web-flow · commit afbb49247b35 · 2025-12-17T08:57:18.000+01:00
Miscellaneous fixes
diff --git a/pyproject.toml b/pyproject.toml
@@ -45,7 +45,7 @@ dependencies = [
 ]
 
 # dynamic = ["version"] - Currently unsupported by uv_build
-version = '0.11.5'  # Also change in teamvault/__version__.py
+version = '0.11.6'  # Also change in teamvault/__version__.py
 
 [dependency-groups]
 dev = [
diff --git a/teamvault/__version__.py b/teamvault/__version__.py
@@ -1 +1 @@
-__version__ = "0.11.5"  # Also change in pyproject.toml
+__version__ = "0.11.6"  # Also change in pyproject.toml
diff --git a/teamvault/apps/secrets/api/views.py b/teamvault/apps/secrets/api/views.py
@@ -167,6 +167,8 @@ def data_get(request, hashid):
     except SecretPermissionError:
         raise PermissionDenied
     if secret_revision.secret.content_type == ContentType.PASSWORD:
+        if not isinstance(data, dict):
+            return Response({'password': data})
         return Response({'password': data["password"]})
     elif secret_revision.secret.content_type == ContentType.FILE:
         return Response({'file': b64encode(data).decode('ascii')})
diff --git a/teamvault/apps/secrets/services/revision.py b/teamvault/apps/secrets/services/revision.py
@@ -202,16 +202,17 @@ def _build_revision(
         # merge missing fields for PASSWORD type
         if content_type == ContentType.PASSWORD and secret.current_revision:
             prev = secret.current_revision.peek_data(actor)
-            payload.setdefault('password', prev.get('password'))
-            if 'otp_key' in prev:
-                for fld in ('otp_key', 'digits', 'algorithm'):
-                    payload.setdefault(fld, prev.get(fld))
-
-        sha_src = (
-            payload['password']
-            if content_type == ContentType.PASSWORD and 'password' in payload
-            else dumps(payload, sort_keys=True)
-        )
+            if 'password' not in payload and 'password' in prev:
+                payload['password'] = prev['password']
+
+            # Preserve OTP fields only when the previous revision actually had them.
+            if 'otp_key' not in payload and 'otp_key' in prev:
+                payload['otp_key'] = prev['otp_key']
+                for fld in ('digits', 'algorithm'):
+                    if fld in prev:
+                        payload[fld] = prev[fld]
+
+        sha_src = dumps(payload, sort_keys=True)
         sha_sum = sha256(sha_src.encode()).hexdigest()
 
         revision, created = SecretRevision.objects.get_or_create(
diff --git a/teamvault/apps/secrets/tests/models/test_secret_crud.py b/teamvault/apps/secrets/tests/models/test_secret_crud.py
@@ -150,6 +150,42 @@ def test_update_file_payload_roundtrip(self):
         self.assertIsInstance(got, (bytes, bytearray))
         self.assertEqual(got, raw)
 
+    def test_otp_only_update_creates_new_revision(self):
+        s: Secret = new_secret(self.owner, name="otp-add")
+        rev_before = s.current_revision
+        self.assertFalse(rev_before.otp_key_set)
+
+        changes_before = SecretChange.objects.filter(secret=s).count()
+
+        # OTP-only update: omit password, keep existing via merge logic.
+        RevisionService.save_payload(
+            secret=s,
+            actor=self.owner,
+            payload={
+                "otp_key": "JBSWY3DPEHPK3PXP",
+                "digits": "6",
+                "algorithm": "SHA1",
+            },
+        )
+
+        s.refresh_from_db()
+        rev_after = s.current_revision
+        self.assertNotEqual(rev_after.id, rev_before.id)
+        self.assertTrue(rev_after.otp_key_set)
+        self.assertEqual(rev_after.get_data(self.owner)["otp_key"], "JBSWY3DPEHPK3PXP")
+
+        # Re-saving identical OTP-only payload should be a no-op.
+        RevisionService.save_payload(
+            secret=s,
+            actor=self.owner,
+            payload={
+                "otp_key": "JBSWY3DPEHPK3PXP",
+                "digits": "6",
+                "algorithm": "SHA1",
+            },
+        )
+        self.assertEqual(SecretChange.objects.filter(secret=s).count(), changes_before + 1)
+
     def test_delete_marks_secret_and_denies_visibility_and_read(self):
         s: Secret = new_secret(self.owner, name="todelete", access_policy=AccessPolicy.ANY)
         s.status = SecretStatus.DELETED
diff --git a/teamvault/apps/settings/config.py b/teamvault/apps/settings/config.py
@@ -4,7 +4,7 @@
 from hashlib import sha1
 from os import environ, umask
 from os.path import exists, isfile
-from random import choice
+from secrets import choice
 from string import ascii_letters, digits, punctuation
 from urllib.parse import urlparse
 

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ dependencies = [`
`45`	`45`	`]`
`46`	`46`
`47`	`47`	`# dynamic = ["version"] - Currently unsupported by uv_build`
`48`		`-version = '0.11.5' # Also change in teamvault/__version__.py`
	`48`	`+version = '0.11.6' # Also change in teamvault/__version__.py`
`49`	`49`
`50`	`50`	`[dependency-groups]`
`51`	`51`	`dev = [`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-__version__ = "0.11.5" # Also change in pyproject.toml`
	`1`	`+__version__ = "0.11.6" # Also change in pyproject.toml`