From: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon, 2 Mar 2026 17:44:09 +0000 (+0000)
Subject: api: Check if the API key user actually exists, too
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3201f0af8315a8169bbb932900d204af4d27629c;p=dbl.git

api: Check if the API key user actually exists, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/src/dbl/api/__init__.py b/src/dbl/api/__init__.py
index 149ec65..80d4799 100644
--- a/src/dbl/api/__init__.py
+++ b/src/dbl/api/__init__.py
@@ -54,9 +54,16 @@ async def require_api_key(request: fastapi.Request, api_key: str = fastapi.Depen
 		Requires that a client provides a valid API key
 	"""
 	# Try to authenticate the user
-	user = await backend.auth(api_key)
+	key = await backend.auth(api_key)
 
-	# Fail if we could not authenticate the user
+	# Fail if we could not find the API key
+	if not key:
+		raise fastapi.HTTPException(401, "Invalid API key")
+
+	# Fetch the user
+	user = backend.users.get_by_uid(key.uid)
+
+	# Fail if we could not find the authenticated
 	if user is None:
 		raise fastapi.HTTPException(401, "Invalid API key")