Do not create if create API key is called on a non-existant user (Fix #4731)

BTCPayServer.Tests/GreenfieldAPITests.cs

@@ -218,6 +218,8 @@ namespace BTCPayServer.Tests
                 Permissions = new Permission[] { Permission.Create(Policies.CanViewInvoices, store.Id) },
             });
 
+            await AssertAPIError("user-not-found", () => unrestricted.CreateAPIKey("fewiofwuefo", new CreateApiKeyRequest()));
+
             // Despite the grant, the user shouldn't be able to get the invoices!
             newUserClient = acc.CreateClientFromAPIKey(newUserAPIKey.ApiKey);
             await Assert.ThrowsAsync<GreenfieldAPIException>(() => newUserClient.GetInvoices(store.Id));

BTCPayServer/Controllers/GreenField/GreenfieldApiKeysController.cs

@@ -11,6 +11,7 @@ using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Cors;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
 using NBitcoin;
 using NBitcoin.DataEncoders;
 
@@ -66,7 +67,14 @@ namespace BTCPayServer.Controllers.Greenfield
             {
                 Permissions = request.Permissions.Select(p => p.ToString()).Distinct().ToArray()
             });
+            try
+            {
                 await _apiKeyRepository.CreateKey(key);
+            }
+            catch (DbUpdateException)
+            {
+                return this.CreateAPIError("user-not-found", "This user does not exists");
+            }
             return Ok(FromModel(key));
         }
 

Changelog.md

@@ -9,6 +9,7 @@
 ### Bug fix
 
 * Avoid crash when some plugins are installed (#4725)
+* Greenfield: Do not create if create API key is called on a non-existant user (Fix #4731)
 
 ### Improvements