diff --git a/pkg/routes/api_tokens.go b/pkg/routes/api_tokens.go
index 015b3542b..f85371173 100644
--- a/pkg/routes/api_tokens.go
+++ b/pkg/routes/api_tokens.go
@@ -92,6 +92,10 @@ func checkAPITokenAndPutItInContext(tokenHeaderValue string, c *echo.Context) er
 }
 u, err := user.GetUserByID(s, token.OwnerID)
+ if user.IsErrAccountDisabled(err) || user.IsErrAccountLocked(err) {
+ log.Debugf("[auth] Tried authenticating with token %d but the owner's account is disabled or locked", token.ID)
+ return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+ }
 if err != nil {
 return echo.NewHTTPError(http.StatusInternalServerError, "Internal Server Error").Wrap(err)
 }
diff --git a/pkg/webtests/api_tokens_test.go b/pkg/webtests/api_tokens_test.go
index 02cda6185..e47f53a16 100644
--- a/pkg/webtests/api_tokens_test.go
+++ b/pkg/webtests/api_tokens_test.go
@@ -104,18 +104,13 @@ func TestAPIToken(t *testing.T) {
 res := httptest.NewRecorder()
 c := e.NewContext(req, res)
 h := routes.SetupTokenMiddleware()(func(c *echo.Context) error {
- u, err := auth.GetAuthFromClaims(c)
- if err != nil {
- return err
- }
-
- return c.JSON(http.StatusOK, u)
+ return c.String(http.StatusOK, "test")
 })
 req.Header.Set(echo.HeaderAuthorization, "Bearer tk_disabled_user_test_token_000000001234abcd") // Token 4 (disabled user 17)
- err = h(c)
- require.Error(t, err)
- assert.True(t, user.IsErrAccountDisabled(err), "expected ErrAccountDisabled, got: %v", err)
+ require.NoError(t, h(c))
+ assert.Equal(t, http.StatusUnauthorized, res.Code)
+ assert.Contains(t, res.Body.String(), `"code":11`)
 })
 t.Run("jwt", func(t *testing.T) {
 e, err := setupTestEnv()
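Review bot: The new branch returns `echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")` without `.Wrap(err)`, yet the updated webtest in the second file asserts the response body contains `"code":11`; unless the error handler outside this hunk derives that code some other way, the two hunks disagree, so either wrap the cause (`return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized").Wrap(err)`) or relax the test to check only the status. Keeping the body generic is defensible on its own: it does not tell a client holding a token whether the owner is disabled versus locked, and the debug log records only `token.ID`, never the token value. A one-line comment above the check would make the intent clear to the next reader, e.g. `// A disabled or locked owner is an authentication failure (401), not a server error (500).` checkAPITokenAndPutItInContext starts and ends outside the hunk.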
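Review bot: The new assertion `assert.Contains(t, res.Body.String(), `"code":11`)` pins a bare magic number to a substring of serialized JSON; if the project exposes a constant for the disabled-account error code, format that constant into the expected string instead, otherwise add a comment stating which error code 11 is so the test does not go stale silently. The production change also treats a locked owner as unauthorized, but only the disabled user (token 4, user 17 per the inline comment) is exercised here; a parallel subtest for a locked account, if the fixtures provide one, would cover the second half of the new condition. TestAPIToken starts and ends outside the hunk.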