diff --git a/services/graphql-server/src/auth-context/create.js b/services/graphql-server/src/auth-context/create.js
index e70981b37..b665261b0 100644
--- a/services/graphql-server/src/auth-context/create.js
+++ b/services/graphql-server/src/auth-context/create.js
@@ -1,4 +1,7 @@
-const { AuthenticationError } = require('apollo-server-express');
+const {
+ AuthenticationError,
+ ForbiddenError,
+} = require('apollo-server-express');
 const UserContext = require('./context');
 const expression = /^Bearer (?.+)/;
@@ -9,6 +12,10 @@ module.exports = async ({ req, userService }) => {
 if (!expression.test(authorization)) throw new AuthenticationError('The provided credentials are invalid.');
 const { token } = authorization.match(expression).groups;
- const user = await userService.checkAuth(token);
- return new UserContext({ user, token });
+ try {
+ const user = await userService.checkAuth(token);
+ return new UserContext({ user, token });
+ } catch (e) {
+ throw new ForbiddenError('The provided credentials are no longer valid.');
+ }
 };
diff --git a/services/graphql-server/src/user/user-service.js b/services/graphql-server/src/user/user-service.js
index eb7c4879a..36f1c07d4 100644
--- a/services/graphql-server/src/user/user-service.js
+++ b/services/graphql-server/src/user/user-service.js
@@ -2,6 +2,13 @@ const { AuthenticationError } = require('apollo-server-express');
 const bcrypt = require('bcryptjs');
 const TokenService = require('./token-service');
+const activeCriteria = {
+ accountNonExpired: true,
+ accountNonLocked: true,
+ credentialsNonExpired: true,
+ enabled: true,
+};
+
 const UserService = class UserService {
 constructor({ basedb }) {
 this.basedb = basedb;
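Review bot: The new `catch (e)` in create.js turns every rejection from `userService.checkAuth` into the same `ForbiddenError` and discards `e`, so a database or token-service outage would reach clients as "credentials are no longer valid" with nothing about the real cause left in the logs. At minimum keep the original error (log it before rethrowing); if the token service and `strictFindOne` throw distinguishable errors, rethrow the ones that are not credential failures instead of masking them. The choice of `FORBIDDEN` here, while the malformed-header case two lines up stays `AuthenticationError` (`UNAUTHENTICATED`), also deserves a comment, since a client that refreshes its token on `UNAUTHENTICATED` will presumably not do so on `FORBIDDEN`: `// An expired/invalid token or an inactive account is reported as FORBIDDEN; the cause is deliberately not exposed to the client.` The enclosing `module.exports` function starts outside the hunk.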
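Review bot: `activeCriteria` in user-service.js is a module-level plain object that both `login` (hunk 4) and `checkAuth` (hunk 5) spread into their queries, yet it is mutable; a stray assignment to it anywhere in the module (a test fixture, say) would silently weaken every account-status check. Freezing it costs nothing and spreading a frozen object works unchanged: `const activeCriteria = Object.freeze({`. A one-line comment stating what it asserts would also help the next reader: `// Account-status flags a user must satisfy to authenticate; shared by login() and checkAuth().`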
@@ -11,10 +18,7 @@ const UserService = class UserService {
 async login(username, plaintext) {
 const criteria = {
 username,
- accountNonExpired: true,
- accountNonLocked: true,
- credentialsNonExpired: true,
- enabled: true,
+ ...activeCriteria,
 };
 const user = await this.basedb.findOne('platform.User', criteria);
 if (!user || !user.password) throw new AuthenticationError('The provided user credentials are invalid.');
@@ -32,7 +36,10 @@ const UserService = class UserService {
 async checkAuth(token) {
 const { uid } = await this.tokenService.validate(token);
- return this.basedb.findOne('platform.User', { _id: uid });
+ return this.basedb.strictFindOne('platform.User', {
+ _id: uid,
+ ...activeCriteria,
+ });
 }
 };
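Review bot: The new `checkAuth` only blocks a locked or disabled account if `strictFindOne` rejects when no document matches; if it resolves to `null` the way `findOne` does, create.js builds its `UserContext` with a null `user` and the added criteria change nothing for the request. That contract is not visible in this diff, so it is worth confirming and pinning with a test in which a user whose `enabled` flag is false presents a still-valid token. Since this re-check is the behavioural change of the commit, it deserves a comment above the query: `// Re-check the account flags on every request so a token issued before the account was locked or disabled stops working.` Hunk 4's `login` change is a pure refactor and needs nothing.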