Prevent asciicast upload for revoked tokens

app/models/user.rb

@@ -41,7 +41,10 @@ class User < ActiveRecord::Base
   def self.for_api_token(token)
     return nil if token.blank?
 
-    joins(:api_tokens).where('api_tokens.token' => token).first
+    joins(:api_tokens).where(
+      'api_tokens.token' => token,
+      'api_tokens.revoked_at' => nil,
+    ).first
   end
 
   def self.for_auth_token(auth_token)

spec/api/asciicast_create_spec.rb

@@ -417,6 +417,14 @@ describe "Asciicast creation" do
       end
     end
 
+    context 'when given token has been revoked' do
+      let(:token) { create(:revoked_api_token).token }
+
+      it 'returns 401 status' do
+        expect(response.status).to eq(401)
+      end
+    end
+
     context 'when given token is invalid' do
       let(:token) { 'foo' }
 

spec/factories/api_tokens.rb

@@ -7,4 +7,8 @@ FactoryGirl.define do
       "2b4b4e02-6613-11e1-9be5-#{Kernel.format('%012i', n)}"
     end
   end
+
+  factory :revoked_api_token, parent: :api_token do
+    revoked_at 1.day.ago
+  end
 end