fix: disable user API keys when user account is disabled

Security enhancement to prevent disabled users from using API keys: - Auto-disable all API keys when user is disabled/deleted - Add user status validation during API key authentication - Prevent API usage even if key is active but user is disabled - Add comprehensive logging for security audit trail This ensures disabled users cannot bypass restrictions through existing API keys and maintains system security integrity. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-22 16:43:35 +00:00 · 2025-08-14 16:25:42 +08:00
parent 6b4ce99237
commit 94eed70cf2
2 changed files with 33 additions and 1 deletions
--- a/src/services/apiKeyService.js
+++ b/src/services/apiKeyService.js
@@ -126,6 +126,20 @@ class ApiKeyService {
        return { valid: false, error: 'API key has expired' }
      }

+      // 如果API Key属于某个用户，检查用户是否被禁用
+      if (keyData.userId) {
+        try {
+          const userService = require('./userService')
+          const user = await userService.getUserById(keyData.userId, false)
+          if (!user || !user.isActive) {
+            return { valid: false, error: 'User account is disabled' }
+          }
+        } catch (error) {
+          logger.error('❌ Error checking user status during API key validation:', error)
+          return { valid: false, error: 'Unable to validate user status' }
+        }
+      }
+
      // 获取使用统计（供返回数据使用）
      const usage = await redis.getUsageStats(keyData.id)

--- a/src/services/userService.js
+++ b/src/services/userService.js
@@ -259,9 +259,18 @@ class UserService {
      await redis.set(`${this.userPrefix}${userId}`, JSON.stringify(user))
      logger.info(`🔄 Updated user status: ${user.username} -> ${isActive ? 'active' : 'disabled'}`)

-      // 如果禁用用户，删除所有会话
+      // 如果禁用用户，删除所有会话并禁用其所有API Keys
      if (!isActive) {
        await this.invalidateUserSessions(userId)
+
+        // Disable all user's API keys when user is disabled
+        try {
+          const apiKeyService = require('./apiKeyService')
+          const result = await apiKeyService.disableUserApiKeys(userId)
+          logger.info(`🔑 Disabled ${result.count} API keys for disabled user: ${user.username}`)
+        } catch (error) {
+          logger.error('❌ Error disabling user API keys during user disable:', error)
+        }
      }

      return user
@@ -420,6 +429,15 @@ class UserService {
      // 删除所有会话
      await this.invalidateUserSessions(userId)

+      // Disable all user's API keys when user is deleted
+      try {
+        const apiKeyService = require('./apiKeyService')
+        const result = await apiKeyService.disableUserApiKeys(userId)
+        logger.info(`🔑 Disabled ${result.count} API keys for deleted user: ${user.username}`)
+      } catch (error) {
+        logger.error('❌ Error disabling user API keys during user deletion:', error)
+      }
+
      logger.info(`🗑️ Soft deleted user: ${user.username} (${userId})`)
      return user
    } catch (error) {