From c9c059a0081b0db51704bd195f8d103ed93f2229 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens@goauthentik.io>
Date: Mon, 23 Jan 2023 16:12:29 +0100
Subject: [PATCH] api: ensure user is active when authenticating

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 authentik/api/authentication.py  | 10 ++++++++++
 authentik/api/tests/test_auth.py | 17 +++++++++++++----
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/authentik/api/authentication.py b/authentik/api/authentication.py
index 1077812f9..e6377336d 100644
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@@ -31,6 +31,16 @@ def validate_auth(header: bytes) -> Optional[str]:
 
 
 def bearer_auth(raw_header: bytes) -> Optional[User]:
+    """raw_header in the Format of `Bearer ....`"""
+    user = auth_user_lookup(raw_header)
+    if not user:
+        return None
+    if not user.is_active:
+        raise AuthenticationFailed("Token invalid/expired")
+    return user
+
+
+def auth_user_lookup(raw_header: bytes) -> Optional[User]:
     """raw_header in the Format of `Bearer ....`"""
     from authentik.providers.oauth2.models import RefreshToken
 
diff --git a/authentik/api/tests/test_auth.py b/authentik/api/tests/test_auth.py
index 388408f5b..773eeccee 100644
--- a/authentik/api/tests/test_auth.py
+++ b/authentik/api/tests/test_auth.py
@@ -9,7 +9,7 @@ from rest_framework.exceptions import AuthenticationFailed
 from authentik.api.authentication import bearer_auth
 from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import USER_ATTRIBUTE_SA, Token, TokenIntents
-from authentik.core.tests.utils import create_test_flow
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 from authentik.providers.oauth2.models import OAuth2Provider, RefreshToken
@@ -36,9 +36,18 @@ class TestAPIAuth(TestCase):
 
     def test_bearer_valid(self):
         """Test valid token"""
-        token = Token.objects.create(intent=TokenIntents.INTENT_API, user=get_anonymous_user())
+        token = Token.objects.create(intent=TokenIntents.INTENT_API, user=create_test_admin_user())
         self.assertEqual(bearer_auth(f"Bearer {token.key}".encode()), token.user)
 
+    def test_bearer_valid_deactivated(self):
+        """Test valid token"""
+        user = create_test_admin_user()
+        user.is_active = False
+        user.save()
+        token = Token.objects.create(intent=TokenIntents.INTENT_API, user=user)
+        with self.assertRaises(AuthenticationFailed):
+            bearer_auth(f"Bearer {token.key}".encode())
+
     def test_managed_outpost(self):
         """Test managed outpost"""
         with self.assertRaises(AuthenticationFailed):
@@ -56,7 +65,7 @@ class TestAPIAuth(TestCase):
             name=generate_id(), client_id=generate_id(), authorization_flow=create_test_flow()
         )
         refresh = RefreshToken.objects.create(
-            user=get_anonymous_user(),
+            user=create_test_admin_user(),
             provider=provider,
             refresh_token=generate_id(),
             _scope=SCOPE_AUTHENTIK_API,
@@ -69,7 +78,7 @@ class TestAPIAuth(TestCase):
             name=generate_id(), client_id=generate_id(), authorization_flow=create_test_flow()
         )
         refresh = RefreshToken.objects.create(
-            user=get_anonymous_user(),
+            user=create_test_admin_user(),
             provider=provider,
             refresh_token=generate_id(),
             _scope="",