From aaacf4c31124e612e38640a6b1a58da70fe960d2 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Date: Tue, 31 May 2022 13:32:36 +0200
Subject: [PATCH] access check: include user/token id in expired exception

not that relevant for the user as the daemon auth log already
contains that info, but for token it can be nice.

The API response is always just a plain "401 auth failure" in any
case (expired or wrong creds)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 src/PVE/AccessControl.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 1a7bc49..d0dbabc 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -484,7 +484,7 @@ sub verify_token {
     my $token_info = $user->{tokens}->{$token};
 
     my $ctime = time();
-    die "token expired\n" if $token_info->{expire} && ($token_info->{expire} < $ctime);
+    die "token '$token' access expired\n" if $token_info->{expire} && ($token_info->{expire} < $ctime);
 
     die "invalid token value!\n" if !PVE::Cluster::verify_token($tokenid, $value);
 
@@ -662,7 +662,7 @@ sub check_user_enabled {
     my $expire = $usercfg->{users}->{$username}->{expire};
 
     if ($expire && $expire < $ctime) {
-	die "account expired\n" if !$noerr;
+	die "user '$username' access expired\n" if !$noerr;
 	return undef;
     }
 
-- 
2.39.2