Revert "DG26-4: Extending the number of locations"

.github/workflows/sbom.yml

@@ -36,6 +36,9 @@ jobs:
 
       - name: Create SBOM with Trivy
         uses: aquasecurity/trivy-action@v0.36.0
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           scan-type: 'fs'
           format: 'spdx-json'
@@ -47,6 +50,9 @@ jobs:
 
       - name: Create Docker image SBOM with Trivy
         uses: aquasecurity/trivy-action@v0.36.0
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           image-ref: "ghcr.io/defguard/defguard:${{ steps.vars.outputs.VERSION }}"
           scan-type: 'image'
@@ -57,6 +63,9 @@ jobs:
 
       - name: Create security advisory file with Trivy
         uses: aquasecurity/trivy-action@v0.36.0
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           scan-type: 'fs'
           format: 'json'
@@ -68,6 +77,9 @@ jobs:
 
       - name: Create docker image security advisory file with Trivy
         uses: aquasecurity/trivy-action@v0.36.0
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           image-ref: "ghcr.io/defguard/defguard:${{ steps.vars.outputs.VERSION }}"
           scan-type: 'image'

.trivyignore.yaml

@@ -5,3 +5,9 @@ vulnerabilities:
 - id: GHSA-w5hq-g745-h8pq
   expired_at: 2026-05-23
   statement: "Waiting for upstream patch in paraglide"
+- id: CVE-2026-29111
+  expired_at: 2026-05-31
+  statement: "No fixed version available in debian:13-slim - waiting for Debian to backport systemd patch"
+- id: CVE-2025-69720
+  expired_at: 2026-05-31
+  statement: "No fixed version available in debian:13-slim - waiting for Debian to release ncurses patch"

crates/defguard_core/src/enterprise/handlers/api_tokens.rs

@@ -49,6 +49,16 @@ pub async fn add_api_token(
         ));
     }
 
+    if !user.is_active {
+        error!(
+            "User {} attempted to create API token for inactive user {username}",
+            session.user.username
+        );
+        return Err(WebError::Forbidden(
+            "Cannot create API token for inactive user",
+        ));
+    }
+
     // TODO: check if the name is already used
 
     // generate token string

crates/defguard_core/tests/integration/api/api_tokens.rs

@@ -363,11 +363,33 @@ async fn dg25_3_test_token_invalidation(_: PgPoolOptions, options: PgConnectOpti
     let user_details = fetch_user_details(&client, "hpotter").await;
     assert!(!user_details.user.is_active);
 
+    // cannot create a new token for an inactive user
+    let response = client
+        .post("/api/v1/user/hpotter/api_token")
+        .json(&AddApiTokenData {
+            name: "inactive user token".into(),
+        })
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::FORBIDDEN);
+
+    // re-enable the user
+    let mut user_details = fetch_user_details(&client, "hpotter").await;
+    user_details.user.is_active = true;
+    let response = client
+        .put("/api/v1/user/hpotter")
+        .json(&user_details.user)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::OK);
+    let user_details = fetch_user_details(&client, "hpotter").await;
+    assert!(user_details.user.is_active);
+
     // log out
     let response = client.post("/api/v1/auth/logout").send().await;
     assert_eq!(response.status(), StatusCode::OK);
 
-    // cannot use token for authentication anymore
+    // cannot use token for authentication anymore after reactivation
     let response = client
         .get("/api/v1/me")
         .header(

web/messages/en/modal.json

@@ -116,6 +116,7 @@
   "modal_add_api_title": "Add API token",
   "modal_add_api_token_copy_copy_label": "API Token",
   "modal_add_api_token_copy_warning": "Please copy and save the API token below now. You won't be able to see it again.",
+  "modal_add_api_token_disabled_user_error": "Can't create API token for disabled user",
   "modal_rename_api_title": "Rename API token",
   "modal_add_user_title": "Add new user",
   "modal_add_new_device_title": "Add new device",

web/src/pages/user-profile/UserProfilePage/tabs/ProfileApiTokensTab/ProfileApiTokensTab.tsx

@@ -3,6 +3,7 @@ import { LayoutGrid } from '../../../../../shared/components/LayoutGrid/LayoutGr
 import { Button } from '../../../../../shared/defguard-ui/components/Button/Button';
 import { EmptyStateFlexible } from '../../../../../shared/defguard-ui/components/EmptyStateFlexible/EmptyStateFlexible';
 import { SizedBox } from '../../../../../shared/defguard-ui/components/SizedBox/SizedBox';
+import { Snackbar } from '../../../../../shared/defguard-ui/providers/snackbar/snackbar';
 import { ThemeSpacing } from '../../../../../shared/defguard-ui/types';
 import { openModal } from '../../../../../shared/hooks/modalControls/modalsSubjects';
 import { ModalName } from '../../../../../shared/hooks/modalControls/modalTypes';
@@ -44,8 +45,20 @@ export const ProfileApiTokensTab = ({ availability, isLoading }: Props) => {
 
 const AvailableProfileApiTokensTab = () => {
   const username = useUserProfile((s) => s.user.username);
+  const isUserActive = useUserProfile((s) => s.user.is_active);
   const apiTokens = useUserProfile((s) => s.apiTokens);
 
+  const handleAddApiToken = () => {
+    if (!isUserActive) {
+      Snackbar.error(m.modal_add_api_token_disabled_user_error());
+      return;
+    }
+
+    openModal(ModalName.AddApiToken, {
+      username,
+    });
+  };
+
   return (
     <>
       {apiTokens.length === 0 && (
@@ -57,11 +70,7 @@ const AvailableProfileApiTokensTab = () => {
             iconLeft: 'add-token',
             testId: 'add-token',
             text: m.profile_api_tokens_add(),
-            onClick: () => {
-              openModal(ModalName.AddApiToken, {
-                username,
-              });
-            },
+            onClick: handleAddApiToken,
           }}
         />
       )}
@@ -72,11 +81,7 @@ const AvailableProfileApiTokensTab = () => {
             <Button
               text={m.profile_api_tokens_add()}
               iconLeft="add-token"
-              onClick={() => {
-                openModal(ModalName.AddApiToken, {
-                  username,
-                });
-              }}
+              onClick={handleAddApiToken}
             />
           </ProfileTabHeader>
           <ProfileApiTokensTable />