api: Check if the API key user actually exists, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/dbl/api/__init__.py b/src/dbl/api/__init__.py
index 149ec65337e63eea6caedecf88c8f1c6e453e363..80d4799bcf071fe6b854672a773a74c7d1664e52 100644 (file)
--- a/src/dbl/api/__init__.py
+++ b/src/dbl/api/__init__.py
@@ -54,9 +54,16 @@ async def require_api_key(request: fastapi.Request, api_key: str = fastapi.Depen
                Requires that a client provides a valid API key
        """
        # Try to authenticate the user
-       user = await backend.auth(api_key)
+       key = await backend.auth(api_key)
 
-       # Fail if we could not authenticate the user
+       # Fail if we could not find the API key
+       if not key:
+               raise fastapi.HTTPException(401, "Invalid API key")
+
+       # Fetch the user
+       user = backend.users.get_by_uid(key.uid)
+
+       # Fail if we could not find the authenticated
        if user is None:
                raise fastapi.HTTPException(401, "Invalid API key")