fix(auth): reject disabled/locked users in API token middleware

checkAPITokenAndPutItInContext now returns 401 Unauthorized when the
token owner's account is disabled or locked, instead of a 500 error.
Also fixes the API token test to match the actual middleware behavior.
kolaente 2026-03-23 12:31:58 +01:00 committed by kolaente
parent 525f5ee407
commit cd6148511a
2 changed files with 8 additions and 9 deletions


@ -92,6 +92,10 @@ func checkAPITokenAndPutItInContext(tokenHeaderValue string, c *echo.Context) er
}
u, err := user.GetUserByID(s, token.OwnerID)
if user.IsErrAccountDisabled(err) || user.IsErrAccountLocked(err) {
log.Debugf("[auth] Tried authenticating with token %d but the owner's account is disabled or locked", token.ID)
return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
}
if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, "Internal Server Error").Wrap(err)
}
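Review bot: The new `IsErrAccountDisabled`/`IsErrAccountLocked` branch maps two owner states to 401, but every other failure of `user.GetUserByID` — including an owner row that no longer exists — still falls through to the 500 on the following `err != nil` line, so a token whose owner was deleted is reported as a server error rather than rejected. That case is just as unauthenticated as a disabled owner and should be folded into the same condition, e.g. `if user.IsErrAccountDisabled(err) || user.IsErrAccountLocked(err) || user.IsErrUserDoesNotExist(err) {` if the package exposes a not-found predicate under that or a similar name (verify). Keeping the response text at the generic "Unauthorized" is the right choice, since it does not reveal to the caller which of these states applies; the debug log with the token ID already carries that detail server-side. checkAPITokenAndPutItInContext begins before this hunk, so where `s` and `token` come from is not visible here.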


@ -104,18 +104,13 @@ func TestAPIToken(t *testing.T) {
res := httptest.NewRecorder()
c := e.NewContext(req, res)
h := routes.SetupTokenMiddleware()(func(c *echo.Context) error {
u, err := auth.GetAuthFromClaims(c)
if err != nil {
return err
}
return c.JSON(http.StatusOK, u)
return c.String(http.StatusOK, "test")
})
req.Header.Set(echo.HeaderAuthorization, "Bearer tk_disabled_user_test_token_000000001234abcd") // Token 4 (disabled user 17)
err = h(c)
require.Error(t, err)
assert.True(t, user.IsErrAccountDisabled(err), "expected ErrAccountDisabled, got: %v", err)
require.NoError(t, h(c))
assert.Equal(t, http.StatusUnauthorized, res.Code)
assert.Contains(t, res.Body.String(), `"code":11`)
})
t.Run("jwt", func(t *testing.T) {
e, err := setupTestEnv()
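Review bot: The rewritten subtest pins only the disabled-owner path (the fixture token's comment says "disabled user 17"), while the middleware change it accompanies also rejects locked owners; nothing here sends a token whose owner is locked, so a regression in that half of the new condition would pass CI. A parallel subtest using a locked-user fixture token and asserting the same `http.StatusUnauthorized` on `res.Code` would close that gap. The `assert.Contains` substring check on the bare literal `"code":11` is also fragile: if the project exports a constant for that error code, comparing against it (or decoding the body and checking the field) would make the intent readable and survive renumbering. The enclosing subtest starts before this hunk and the `jwt` subtest continues past it.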