rest: check for disabled token (user)

when authenticating a token, and not just when authenticating a
user/ticket.

Reported-By: Dominik Jäger <d.jaeger@proxmox.com>

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

src/server/rest.rs

@@ -623,6 +623,10 @@ fn check_auth(
                 .ok_or_else(|| format_err!("failed to split API token header"))?;
             let tokenid: Authid = tokenid.parse()?;
 
+            if !user_info.is_active_auth_id(&tokenid) {
+                bail!("user account or token disabled or expired.");
+            }
+
             let tokensecret = parts.next()
                 .ok_or_else(|| format_err!("failed to split API token header"))?;
             let tokensecret = percent_decode_str(tokensecret)