From dda9e6ac048811fd5a9dec0e366f950f70ae2d87 Mon Sep 17 00:00:00 2001
From: imperosol <thgirod@hotmail.com>
Date: Mon, 26 May 2025 07:42:44 +0200
Subject: [PATCH] Forbid authentication with revoked keys

---
 apikey/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apikey/auth.py b/apikey/auth.py
index 00212c1b..d1489f7f 100644
--- a/apikey/auth.py
+++ b/apikey/auth.py
@@ -14,7 +14,7 @@ class ApiKeyAuth(APIKeyHeader):
         hasher = get_hasher()
         hashed_key = hasher.encode(key)
         try:
-            key_obj = ApiKey.objects.get(hashed_key=hashed_key)
+            key_obj = ApiKey.objects.get(revoked=False, hashed_key=hashed_key)
         except ApiKey.DoesNotExist:
             return None
         return key_obj.client