ninja-api-key Development Assistant

This skill provides expert guidance for developing and maintaining ninja-api-key, a Django package that implements API Key authentication for Django Ninja with enhanced security features.

Project Overview

ninja-api-key is a Django package forked from django-ninja-apikey that provides secure API Key authentication for Django Ninja REST framework. It integrates with Django's authentication system and uses Django's password hashing for secure key storage.

Core Components

APIKey Model

Stores API keys with prefix, hashed key, user association, labels, expiration, and revocation status

Uses Django's password hashing system (`PASSWORD_HASHERS`) for secure storage

Key format: `{prefix}.{key}` (8-character prefix + 56-character key)

Located in `models.py`

APIKeyAuth Authentication Class

Extends Django Ninja's `APIKeyHeader`

Authenticates via `X-API-Key` header

Integrates with Django's user system and permissions

Located in `security.py`

Security Features

Keys are hashed before storage using `make_password()`

Supports expiration dates, revocation, and inactive user checks

Includes custom SHA256 hasher for performance optimization

Secure random generation using `get_random_string()`

Step-by-Step Instructions

1. Adding New Features

**Before implementing:**

Review existing patterns in `models.py`, `security.py`, and `admin.py`

Use `get_user_model()` for user model references

Follow Django conventions and naming patterns

Ensure compatibility with Django Ninja framework

**Implementation steps:**

1. Add model changes to `models.py` if needed

2. Create corresponding migration: `python manage.py makemigrations`

3. Update `admin.py` if admin interface changes are needed

4. Add authentication logic to `security.py` if needed

5. Write comprehensive tests in `ninja_apikey/tests/`

6. Update CHANGELOG.md with detailed description (see section 5)

7. Update documentation if user-facing changes exist

2. Authentication Flow Implementation

When modifying authentication logic, follow this flow:

1. **Extract key**: Get API key from `X-API-Key` header

2. **Parse key**: Split into prefix and key components using `{prefix}.{key}` format

3. **Lookup**: Find `APIKey` record by prefix

4. **Verify**: Check key against hashed value using `check_password()`

5. **Validate**: Ensure key is not revoked and not expired

6. **User check**: Verify associated user is active

7. **Set context**: Set `request.user` and return user object

3. Testing Guidelines

**Test structure:**

`tests/test_security.py`: Authentication flow, key validation

`tests/test_models.py`: Model behavior, key generation

`tests/test_admin.py`: Django admin integration

`tests/test_hashers.py`: Password hasher compatibility

**Writing tests:**

```python

import pytest

from django.test import override_settings

from ninja_apikey.models import APIKey

@pytest.mark.django_db

def test_api_key_authentication(admin_user):

# Create API key

key_data = APIKey.objects.create_key(

user=admin_user,

label="Test Key"

)

# Test authentication logic

# Use parametrized tests for multiple scenarios

```

**Run tests:**

Full suite: `pytest`

With coverage: `pytest --cov=ninja_apikey`

Specific file: `pytest ninja_apikey/tests/test_security.py`

4. Code Style and Quality

**Before committing:**

1. Run Black formatter: `black ninja_apikey/` (line length: 88)

2. Run Ruff linter: `ruff check ninja_apikey/`

3. Check import sorting: `isort ninja_apikey/ --profile black`

4. Run pre-commit hooks: `pre-commit run --all-files`

**Code patterns:**

Use Django's timezone utilities for datetime handling

Use `@override_settings` for mocking Django settings in tests

Use parametrized tests (`@pytest.mark.parametrize`) for multiple scenarios

Follow Django model patterns and conventions

5. Changelog Maintenance

**Always update CHANGELOG.md** following [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) format with an additional **Internal** section:

**Sections:**

`Added`: New features

`Changed`: Changes in existing functionality

`Deprecated`: Soon-to-be removed features

`Removed`: Removed features

`Fixed`: Bug fixes

`Security`: Security improvements

`Internal`: Development-related changes (refactoring, tooling, CI/CD, dependencies)

**Add entries to `[Unreleased]` section:**

```markdown

[Unreleased]

Added

New feature X that allows Y (#123)

Fixed

Fixed authentication issue with expired keys (#456)

Internal

Updated pytest to version 8.0

Refactored key generation logic for better maintainability

```

**Breaking changes:** Flag clearly with **BREAKING:** prefix in description

6. Common Use Cases

**Basic API protection:**

```python

from ninja import NinjaAPI

from ninja_apikey.security import APIKeyAuth

api = NinjaAPI(auth=APIKeyAuth())

@api.get("/protected")

def protected_endpoint(request):

return f"Hello, {request.user}!"

```

**Endpoint-specific protection:**

```python

from ninja_apikey.security import APIKeyAuth

auth = APIKeyAuth()

@api.get("/specific", auth=auth)

def specific_endpoint(request):

return {"user": request.user.username}

```

**Performance optimization with custom hasher:**

```python

In Django settings.py

PASSWORD_HASHERS = [

"ninja_apikey.hashers.SHA256PasswordHasher",

"django.contrib.auth.hashers.Argon2PasswordHasher",

# ... other hashers

]

```

7. Key Generation and Management

**Generating keys programmatically:**

```python

from ninja_apikey.models import APIKey

Create new API key

key_data = APIKey.objects.create_key(

user=user,

label="My API Key",

expiration_date=None # Optional expiration

)

key_data is a KeyData namedtuple with:

- prefix: 8-character prefix

- key: 56-character key

- api_key: Full key string (prefix.key)

```

**Key validation:**

Keys are automatically hashed on creation using `make_password()`

Use Django admin interface for key management (viewing, revoking)

Keys can be revoked without deletion for audit purposes

Important Constraints

1. **Security First**: Always hash keys before storage, never log or display raw keys after generation

2. **Django Compatibility**: Maintain compatibility with Django LTS versions

3. **Django Ninja Integration**: Ensure authentication works seamlessly with Django Ninja patterns

4. **Backward Compatibility**: Avoid breaking changes to model structure or authentication API

5. **Testing Required**: All code changes must include comprehensive tests

6. **Documentation**: Update CHANGELOG.md with every user-facing or internal change

File Structure Reference

```

ninja_apikey/

├── models.py # APIKey model definition

├── security.py # Authentication classes and key utilities

├── admin.py # Django admin integration

├── hashers.py # Custom password hashers

├── migrations/ # Database migrations

└── tests/

├── test_security.py

├── test_models.py

├── test_admin.py

└── test_hashers.py

```

Dependencies

**Core:**

Django (2.2+)

django-ninja

**Testing:**

pytest

pytest-django

pytest-cov

**Optional (enhanced hashing):**

django[argon2]

django[bcrypt]

ninja-api-key

ninja-api-key Development Assistant

Project Overview

Core Components

APIKey Model

APIKeyAuth Authentication Class

Security Features

Step-by-Step Instructions

1. Adding New Features

2. Authentication Flow Implementation

3. Testing Guidelines

4. Code Style and Quality

5. Changelog Maintenance

[Unreleased]

Added

Fixed

Internal

6. Common Use Cases

In Django settings.py

7. Key Generation and Management

Create new API key

key_data is a KeyData namedtuple with:

- prefix: 8-character prefix

- key: 56-character key

- api_key: Full key string (prefix.key)

Important Constraints

File Structure Reference

Dependencies

Reviews (0)