Problem with API Authentication and LDAP

When using LDAP authentication, the API authentication fails to reject invalid access tokens.

I believe this is because the function authToken in html/includes/api_functions.inc.php does:

$username = get_user(…)
if (!empty($username)) .

This will always be true if LDAP is enabled since the function get_user in html/includes/authentication/ldap-authorization.inc.php returns an array:

$userlist = array(
    'username' => $username,
    'realname' => $realname,
    'user_id' => $user_id,
    'email' => $email,
);

This array will always be returned to the authToken function as long as the X-Auth-Token header is set, and it doesn’t matter what it is set to.
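
Added example, not part of the original post and not LibreNMS code: a minimal PHP reproduction of the `!empty()` check described above, next to a stricter check. All function names, the token table and the user record are hypothetical stand-ins, and it assumes the LDAP-style lookup returns its four-key array even when no user matches.

```php
<?php
// Added illustration; every function here is a hypothetical stand-in, not LibreNMS code.

// Constructed token table: token => user_id.
const TOKENS = ['constructed-valid-token' => 7];

// Stand-in for a token lookup: returns a user_id, or null for an unknown token.
function lookup_user_id(string $token): ?int
{
    return TOKENS[$token] ?? null;
}

// Stand-in for an LDAP-style get_user(): assumed to always return an array
// with the four keys, even when nothing was found for $user_id.
function get_user_array(?int $user_id): array
{
    $found = ($user_id === 7);
    return [
        'username' => $found ? 'alice' : null,
        'realname' => $found ? 'Alice Example' : null,
        'user_id'  => $user_id,
        'email'    => $found ? 'alice@example.org' : null,
    ];
}

// The check as described in the post: empty() on an array is false
// whenever the array has elements, whatever their values.
function auth_token_loose(string $token): bool
{
    $username = get_user_array(lookup_user_id($token));
    return !empty($username);
}

// Stricter check: reject unknown tokens first, then require a non-empty
// username string inside the returned record.
function auth_token_strict(string $token): bool
{
    $user_id = lookup_user_id($token);
    if ($user_id === null) {
        return false;
    }
    $user = get_user_array($user_id);
    return is_string($user['username'] ?? null) && $user['username'] !== '';
}

foreach (['constructed-valid-token', 'anything-else'] as $t) {
    printf("%-24s loose=%d strict=%d\n", $t, auth_token_loose($t), auth_token_strict($t));
}
```

The loose check accepts both tokens because the returned array is never empty; the strict check accepts only the token present in the constructed table.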