2 files changed, 22 insertions, 1 deletions

diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm
index 738d26b21..0b5842523 100644
--- a/Bugzilla/Auth/Login/Cookie.pm
+++ b/Bugzilla/Auth/Login/Cookie.pm
@@ -40,7 +40,7 @@ sub get_login_info {
     my ($self) = @_;
     my $cgi = Bugzilla->cgi;
     my $dbh = Bugzilla->dbh;
-    my ($user_id, $login_cookie);
+    my ($user_id, $login_cookie, $is_internal);
 
     if (!Bugzilla->request_cache->{auth_no_automatic_login}) {
         $login_cookie = $cgi->cookie("Bugzilla_logincookie");
@@ -82,6 +82,7 @@ sub get_login_info {
                 {
                     ThrowUserError('auth_invalid_token', { token => $api_token });
                 }
+                $is_internal = 1;
             }
         }
     }
@@ -112,6 +113,15 @@ sub get_login_info {
 
         # If the cookie is valid, return a valid username.
         if (defined $db_cookie && $login_cookie eq $db_cookie) {
+
+            # forbid logging in with a cookie if only api-keys are allowed
+            if (i_am_webservice() && !$is_internal) {
+                my $user = Bugzilla::User->new({ id => $user_id, cache => 1 });
+                if ($user->settings->{api_key_only}->{value} eq 'on') {
+                    ThrowUserError('invalid_cookies_or_token');
+                }
+            }
+
             # If we logged in successfully, then update the lastused 
             # time on the login cookie
             $dbh->do("UPDATE logincookies SET lastused = NOW() 
diff --git a/Bugzilla/Auth/Verify/DB.pm b/Bugzilla/Auth/Verify/DB.pm
index aaa1b6c87..ea86346e1 100644
--- a/Bugzilla/Auth/Verify/DB.pm
+++ b/Bugzilla/Auth/Verify/DB.pm
@@ -53,6 +53,7 @@ sub check_credentials {
     }
 
     my $password = $login_data->{password};
+    return { failure => AUTH_NODATA } unless defined $login_data->{password};
     my $real_password_crypted = $user->cryptpassword;
 
     # Using the internal crypted password as the salt,
@@ -105,6 +106,16 @@ sub check_credentials {
         $user->update();
     }
 
+    if (i_am_webservice() && $user->settings->{api_key_only}->{value} eq 'on') {
+        # api-key verification happens in Auth/Login/APIKey
+        # token verification happens in Auth/Login/Cookie
+        # if we get here from an api call then we must be using user/pass
+        return {
+            failure    => AUTH_ERROR,
+            user_error => 'invalid_auth_method',
+        };
+    }
+
     return $login_data;
 }