Make sure access/email/password tokens are valid

src/Api/AccessToken.php

@@ -1,6 +1,7 @@
 <?php namespace Flarum\Api;
 
 use Flarum\Core\Model;
+use DateTime;
 
 /**
  * @todo document database columns with @property
@@ -43,6 +44,17 @@ class AccessToken extends Model
         return $token;
     }
 
+    /**
+     * Get the given token only if it is valid.
+     *
+     * @param string $token
+     * @return static|null
+     */
+    public static function valid($token)
+    {
+        return static::where('id', $token)->where('expires_at', '>', new DateTime)->first();
+    }
+
     /**
      * Define the relationship with the owner of this access token.
      *

src/Api/Middleware/LoginWithHeader.php

@@ -34,7 +34,7 @@ class LoginWithHeader implements MiddlewareInterface
         $header = $request->getHeaderLine('authorization');
         if (starts_with($header, $this->prefix) &&
             ($token = substr($header, strlen($this->prefix))) &&
-            ($accessToken = AccessToken::where('id', $token)->first())
+            ($accessToken = AccessToken::valid($token))
         ) {
             $this->app->instance('flarum.actor', $user = $accessToken->user);