fix(api): reject API key auth for deactivated user accounts

[sriramveeraghanta]

Description

The external API's custom API key authentication (APIKeyAuthentication.validate_api_token) only verified that the APIToken row itself was active and unexpired — it never checked the owning user's is_active flag. DRF's IsAuthenticated only checks user.is_authenticated, which is always True for a real User instance regardless of is_active. As a result, a user whose account was deactivated by an administrator could continue to use a previously issued API key indefinitely, bypassing the deactivation.

This was reported via a bug-bounty submission (rated Critical). Deactivation does not revoke existing API tokens (the self-service deactivation flow deletes sessions but leaves tokens active), so the auth layer was the only gate — and it was missing the check.

Fix: add user__is_active=True to the validate_api_token() lookup so a token tied to a disabled account fails the query and is rejected with the existing generic AuthenticationFailed ("Given API token is not valid"). Folding it into the query keeps the change atomic (single query, matches existing idiom) and avoids disclosing account state to the caller.

Applied to both:

• plane/api/middleware/api_authentication.py — the external REST API (the reachable vulnerability, wired into BaseAPIView).
• plane/app/middleware/api_authentication.py — an identical, currently-unused copy, fixed for parity so the gap can't be silently reintroduced if it gets wired up later.

Note: because APIKeyAuthentication sets no WWW-Authenticate header, DRF surfaces the denial as 403 Forbidden rather than 401 — either way, access is denied.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• Feature (non-breaking change which adds functionality)
• Improvement (change that would cause existing functionality to not work as expected)
• Code refactoring
• Performance improvements
• Documentation update

Screenshots and Media (if applicable)

Test Scenarios

Added automated coverage (written test-first, both verified to fail before the fix):

• Unit (plane/tests/unit/middleware/test_api_authentication.py):
  • validate_api_token authenticates a token for an active user (unchanged behavior).
  • validate_api_token raises AuthenticationFailed once the owning user is deactivated.
• Contract (plane/tests/contract/api/test_authentication.py):
  • Active user can reach GET /api/v1/users/me/ with their API key (200).
  • Deactivated user is denied at GET /api/v1/users/me/ with the same key (403/401) — previously returned 200, demonstrating the bypass is closed end-to-end.

Manual scenario to confirm: generate an API key for a user, deactivate the account, then call any /api/v1/... endpoint with X-Api-Key — the request should be rejected instead of succeeding.

References

• Bug-bounty report: "Authentication Bypass via Inactive User Account" (API key auth missing user.is_active check).
• Out of scope here: the same report's second item (rate-limiter DoS via None cache key) was assessed as not exploitable — throttles run after permission checks and django_redis tolerates a None key — so no change was made for it.

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• Security

  • API key authentication now requires the associated user account to be active. Existing API keys belonging to deactivated users will no longer authenticate requests.

• Tests

  • Added test coverage to verify API key authentication behavior for both active and deactivated user accounts.

[github-actions]

No React Doctor issues found. 🎉

_{Reviewed by React Doctor for commit 5a0056d.}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9117a556-79d9-4c4d-b694-0f46b926a9a3

📥 Commits

Reviewing files that changed from the base of the PR and between 373f149 and 5a0056d.

📒 Files selected for processing (4)

• apps/api/plane/api/middleware/api_authentication.py
• apps/api/plane/app/middleware/api_authentication.py
• apps/api/plane/tests/contract/api/test_authentication.py
• apps/api/plane/tests/unit/middleware/test_api_authentication.py

---

📝 Walkthrough

Walkthrough

This PR enforces that API tokens can only authenticate users with active accounts. The middleware constraint is added to both API implementations, rejecting tokens from deactivated users. Unit and contract tests verify the authentication fails once an account is deactivated.

Changes

API Token Active User Check

Layer / File(s)	Summary
Middleware token validation constraint apps/api/plane/api/middleware/api_authentication.py, apps/api/plane/app/middleware/api_authentication.py	API token lookups add user__is_active=True filter so tokens for inactive users will not authenticate.
Unit tests for middleware validation apps/api/plane/tests/unit/middleware/test_api_authentication.py	Verifies validate_api_token succeeds for active users and raises AuthenticationFailed after user deactivation.
Contract tests for API key endpoint access apps/api/plane/tests/contract/api/test_authentication.py	Tests the /api/v1/users/me/ endpoint returns 200 for active users and 401/403 for deactivated users with valid API keys.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A hop and a bound, the token's now sound,
Only active users pass the authentication round!
The middleware checks with a filter so tight,
Deactivated accounts? They've lost their flight. ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main change: rejecting API key authentication for deactivated user accounts, which is the core security fix in this PR.
Description check	✅ Passed	The PR description comprehensively covers all required template sections with detailed explanations, including bug context, fix rationale, files changed, test scenarios, and references.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/api-key-auth-inactive-user-bypass

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR closes a critical authentication bypass in the external API key auth flow by ensuring API keys are rejected when the owning user account has been deactivated (user.is_active = False). The change is implemented as an atomic filter in the token lookup (preventing account-state disclosure) and is covered by both unit- and endpoint-level contract tests.

Changes:

• Add user__is_active=True to APIKeyAuthentication.validate_api_token() token validation queries (in both middleware copies).
• Add unit tests covering validate_api_token() for active vs deactivated users.
• Add contract tests proving end-to-end denial on a live endpoint when the user is deactivated.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File	Description
apps/api/plane/api/middleware/api_authentication.py	Reject API key auth if the token’s owning user is deactivated (user__is_active=True).
apps/api/plane/app/middleware/api_authentication.py	Apply the same deactivated-user rejection to the mirrored middleware for parity.
apps/api/plane/tests/unit/middleware/test_api_authentication.py	Unit coverage: active user authenticates; deactivated user raises AuthenticationFailed.
apps/api/plane/tests/contract/api/test_authentication.py	Contract coverage: /api/v1/users/me/ succeeds for active users and is denied after deactivation.