Forbid API tokens for /me endpoint

Author: jtgeibel

src/controllers/user/me.rs

@@ -13,7 +13,7 @@ use crate::views::{EncodableMe, EncodablePrivateUser, EncodableVersion, OwnedCra
 
 /// Handles the `GET /me` route.
 pub fn me(req: &mut dyn RequestExt) -> EndpointResult {
-    let user_id = req.authenticate()?.user_id();
+    let user_id = req.authenticate()?.forbid_api_token_auth()?.user_id();
     let conn = req.db_conn()?;
 
     let (user, verified, email, verification_sent): (User, Option<bool>, Option<String>, bool) =

src/tests/token.rs

@@ -1,4 +1,4 @@
-use crate::{user::UserShowPrivateResponse, RequestHelper, TestApp};
+use crate::{RequestHelper, TestApp};
 use cargo_registry::{
     models::ApiToken,
     schema::api_tokens,
@@ -272,17 +272,6 @@ fn revoke_token_success() {
     });
 }
 
-#[test]
-fn token_gives_access_to_me() {
-    let url = "/api/v1/me";
-    let (_, anon, user, token) = TestApp::init().with_token();
-
-    anon.get(url).assert_forbidden();
-
-    let json: UserShowPrivateResponse = token.get(url).good();
-    assert_eq!(json.user.name, user.as_model().name);
-}
-
 #[test]
 fn using_token_updates_last_used_at() {
     let url = "/api/v1/me";
@@ -293,7 +282,7 @@ fn using_token_updates_last_used_at() {
     assert_none!(token.as_model().last_used_at);
 
     // Use the token once
-    token.get::<EncodableMe>("/api/v1/me").good();
+    token.search("");
 
     let token: ApiToken =
         app.db(|conn| assert_ok!(ApiToken::belonging_to(user.as_model()).first(conn)));