- if err == auth.ErrObsoleteToken {
- // If the token exists in our own database, salt it
- // for the remote. Otherwise, assume it was issued by
- // the remote, and pass it through unmodified.
- currentUser, err := h.validateAPItoken(req, creds.Tokens[0])
- if err == sql.ErrNoRows {
- // Not ours; pass through unmodified.
- token = creds.Tokens[0]
- } else if err != nil {
+ if err == auth.ErrObsoleteToken || err == auth.ErrTokenFormat {
+ // If the token exists in our own database for our own
+ // user, salt it for the remote. Otherwise, assume it
+ // was issued by the remote, and pass it through
+ // unmodified.
+ currentUser, ok, err := h.validateAPItoken(req, creds.Tokens[0])
+ if err != nil {