DG26-10: API key creation inconsistency (#2845)

jakub-tldr · web-flow · commit 81dacc613a1a · 2026-04-30T15:30:09.000+02:00
diff --git a/crates/defguard_core/src/enterprise/handlers/api_tokens.rs b/crates/defguard_core/src/enterprise/handlers/api_tokens.rs
@@ -49,6 +49,16 @@ pub async fn add_api_token(
         ));
     }
 
+    if !user.is_active {
+        error!(
+            "User {} attempted to create API token for inactive user {username}",
+            session.user.username
+        );
+        return Err(WebError::Forbidden(
+            "Cannot create API token for inactive user",
+        ));
+    }
+
     // TODO: check if the name is already used
 
     // generate token string
diff --git a/crates/defguard_core/tests/integration/api/api_tokens.rs b/crates/defguard_core/tests/integration/api/api_tokens.rs
@@ -363,11 +363,33 @@ async fn dg25_3_test_token_invalidation(_: PgPoolOptions, options: PgConnectOpti
     let user_details = fetch_user_details(&client, "hpotter").await;
     assert!(!user_details.user.is_active);
 
+    // cannot create a new token for an inactive user
+    let response = client
+        .post("/api/v1/user/hpotter/api_token")
+        .json(&AddApiTokenData {
+            name: "inactive user token".into(),
+        })
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::FORBIDDEN);
+
+    // re-enable the user
+    let mut user_details = fetch_user_details(&client, "hpotter").await;
+    user_details.user.is_active = true;
+    let response = client
+        .put("/api/v1/user/hpotter")
+        .json(&user_details.user)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::OK);
+    let user_details = fetch_user_details(&client, "hpotter").await;
+    assert!(user_details.user.is_active);
+
     // log out
     let response = client.post("/api/v1/auth/logout").send().await;
     assert_eq!(response.status(), StatusCode::OK);
 
-    // cannot use token for authentication anymore
+    // cannot use token for authentication anymore after reactivation
     let response = client
         .get("/api/v1/me")
         .header(
diff --git a/web/messages/en/modal.json b/web/messages/en/modal.json
@@ -116,6 +116,7 @@
   "modal_add_api_title": "Add API token",
   "modal_add_api_token_copy_copy_label": "API Token",
   "modal_add_api_token_copy_warning": "Please copy and save the API token below now. You won't be able to see it again.",
+  "modal_add_api_token_disabled_user_error": "Can't create API token for disabled user",
   "modal_rename_api_title": "Rename API token",
   "modal_add_user_title": "Add new user",
   "modal_add_new_device_title": "Add new device",
diff --git a/web/src/pages/user-profile/UserProfilePage/tabs/ProfileApiTokensTab/ProfileApiTokensTab.tsx b/web/src/pages/user-profile/UserProfilePage/tabs/ProfileApiTokensTab/ProfileApiTokensTab.tsx
@@ -3,6 +3,7 @@ import { LayoutGrid } from '../../../../../shared/components/LayoutGrid/LayoutGr
 import { Button } from '../../../../../shared/defguard-ui/components/Button/Button';
 import { EmptyStateFlexible } from '../../../../../shared/defguard-ui/components/EmptyStateFlexible/EmptyStateFlexible';
 import { SizedBox } from '../../../../../shared/defguard-ui/components/SizedBox/SizedBox';
+import { Snackbar } from '../../../../../shared/defguard-ui/providers/snackbar/snackbar';
 import { ThemeSpacing } from '../../../../../shared/defguard-ui/types';
 import { openModal } from '../../../../../shared/hooks/modalControls/modalsSubjects';
 import { ModalName } from '../../../../../shared/hooks/modalControls/modalTypes';
@@ -44,8 +45,20 @@ export const ProfileApiTokensTab = ({ availability, isLoading }: Props) => {
 
 const AvailableProfileApiTokensTab = () => {
   const username = useUserProfile((s) => s.user.username);
+  const isUserActive = useUserProfile((s) => s.user.is_active);
   const apiTokens = useUserProfile((s) => s.apiTokens);
 
+  const handleAddApiToken = () => {
+    if (!isUserActive) {
+      Snackbar.error(m.modal_add_api_token_disabled_user_error());
+      return;
+    }
+
+    openModal(ModalName.AddApiToken, {
+      username,
+    });
+  };
+
   return (
     <>
       {apiTokens.length === 0 && (
@@ -57,11 +70,7 @@ const AvailableProfileApiTokensTab = () => {
             iconLeft: 'add-token',
             testId: 'add-token',
             text: m.profile_api_tokens_add(),
-            onClick: () => {
-              openModal(ModalName.AddApiToken, {
-                username,
-              });
-            },
+            onClick: handleAddApiToken,
           }}
         />
       )}
@@ -72,11 +81,7 @@ const AvailableProfileApiTokensTab = () => {
             <Button
               text={m.profile_api_tokens_add()}
               iconLeft="add-token"
-              onClick={() => {
-                openModal(ModalName.AddApiToken, {
-                  username,
-                });
-              }}
+              onClick={handleAddApiToken}
             />
           </ProfileTabHeader>
           <ProfileApiTokensTable />
