fixes #2389

app/controllers/application_controller.rb

@@ -14,6 +14,7 @@ class ApplicationController < ActionController::Base
 
   rescue_from Exception, :with => :rescue_exception
   rescue_from User::PrivilegeError, :with => :access_denied
+  rescue_from SessionLoader::AuthenticationFailure, :with => :authentication_failed
   rescue_from Danbooru::Paginator::PaginationError, :with => :render_pagination_limit
 
 protected
@@ -47,6 +48,18 @@ protected
     render :template => "static/error", :status => 410
   end
 
+  def authentication_failed
+    respond_to do |fmt|
+      fmt.html do
+        render :text => "authentication failed", :status => 401
+      end
+
+      fmt.json do
+        render :json => {:success => false, :reason => "authentication failed"}, :status => 401
+      end
+    end
+  end
+
   def access_denied(exception = nil)
     previous_url = params[:url] || request.fullpath
 

app/logical/session_loader.rb

@@ -1,4 +1,6 @@
 class SessionLoader
+  class AuthenticationFailure < Exception ; end
+
   attr_reader :session, :cookies, :request, :params
 
   def initialize(session, cookies, request, params)
@@ -57,11 +59,19 @@ private
   def authenticate_api_key(name, api_key)
     CurrentUser.ip_addr = request.remote_ip
     CurrentUser.user = User.authenticate_api_key(name, api_key)
+
+    if CurrentUser.user.nil?
+      raise AuthenticationFailure.new
+    end
   end
   
   def authenticate_legacy_api_key(name, password_hash)
     CurrentUser.ip_addr = request.remote_ip
     CurrentUser.user = User.authenticate_hash(name, password_hash)
+
+    if CurrentUser.user.nil?
+      raise AuthenticationFailure.new
+    end
   end
 
   def load_session_user