diff --git a/src/porchlight/authn/routes.py b/src/porchlight/authn/routes.py index 2ef2cea..a7ae50d 100644 --- a/src/porchlight/authn/routes.py +++ b/src/porchlight/authn/routes.py @@ -50,6 +50,9 @@ async def login_password( if not password_service.verify(credential.password_hash, password): return HTMLResponse(error_html) + if not user.active: + return HTMLResponse(error_html) + request.session["userid"] = user.userid request.session["username"] = user.username @@ -77,6 +80,8 @@ async def register_magic_link(request: Request, token: str) -> Response: existing_user = await user_repo.get_by_username(link.username) if existing_user is not None: + if not existing_user.active: + return HTMLResponse("

This account has been deactivated.

", status_code=400) user = existing_user else: userid = await generate_unique_userid(user_repo) @@ -147,6 +152,9 @@ async def login_webauthn_complete(request: Request) -> Response: if user is None: return JSONResponse({"error": "User not found"}, status_code=400) + if not user.active: + return JSONResponse({"error": "Authentication failed"}, status_code=400) + request.session["userid"] = user.userid request.session["username"] = user.username diff --git a/tests/test_authn_active.py b/tests/test_authn_active.py new file mode 100644 index 0000000..71329b8 --- /dev/null +++ b/tests/test_authn_active.py @@ -0,0 +1,69 @@ +from datetime import UTC, datetime + +import pytest +from httpx import AsyncClient + +from porchlight.authn.password import PasswordHasher, PasswordService +from porchlight.models import PasswordCredential, User + +from tests.conftest import get_csrf_token + + +async def _create_inactive_user_with_password(client: AsyncClient) -> None: + """Create an inactive user with a password credential.""" + app = client._transport.app + user_repo = app.state.user_repo + cred_repo = app.state.credential_repo + + user = User( + userid="inactive-01", + username="inactive", + active=False, + created_at=datetime.now(UTC), + updated_at=datetime.now(UTC), + ) + await user_repo.create(user) + + svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192)) + await cred_repo.create_password( + PasswordCredential(user_id=user.userid, password_hash=svc.hash("password123!Secure")) + ) + + +@pytest.mark.asyncio +async def test_inactive_user_cannot_login_password(client: AsyncClient) -> None: + await _create_inactive_user_with_password(client) + token = await get_csrf_token(client) + + response = await client.post( + "/login/password", + data={"username": "inactive", "password": "password123!Secure"}, + headers={"HX-Request": "true", "X-CSRF-Token": token}, + ) + + assert "Invalid username or password" in response.text + + +@pytest.mark.asyncio +async def test_inactive_user_cannot_register_magic_link(client: AsyncClient) -> None: + """If an inactive user exists, magic link registration should reject them.""" + app = client._transport.app + user_repo = app.state.user_repo + magic_link_service = app.state.magic_link_service + + user = User( + userid="inactive-02", + username="deactivated", + active=False, + created_at=datetime.now(UTC), + updated_at=datetime.now(UTC), + ) + await user_repo.create(user) + + link = await magic_link_service.create( + username="deactivated", created_by="admin", note="test" + ) + + response = await client.get(f"/register/{link.token}", follow_redirects=False) + + assert response.status_code == 400 or "deactivated" in response.text.lower() or "Invalid" in response.text