fix: block inactive users from all authentication paths
Add active-user checks to password login, WebAuthn login, and magic link registration to prevent deactivated accounts from authenticating. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
aff6ddb99b
commit
23ca6272a2
2 changed files with 77 additions and 0 deletions
|
|
@ -50,6 +50,9 @@ async def login_password(
|
|||
if not password_service.verify(credential.password_hash, password):
|
||||
return HTMLResponse(error_html)
|
||||
|
||||
if not user.active:
|
||||
return HTMLResponse(error_html)
|
||||
|
||||
request.session["userid"] = user.userid
|
||||
request.session["username"] = user.username
|
||||
|
||||
|
|
@ -77,6 +80,8 @@ async def register_magic_link(request: Request, token: str) -> Response:
|
|||
|
||||
existing_user = await user_repo.get_by_username(link.username)
|
||||
if existing_user is not None:
|
||||
if not existing_user.active:
|
||||
return HTMLResponse("<p>This account has been deactivated.</p>", status_code=400)
|
||||
user = existing_user
|
||||
else:
|
||||
userid = await generate_unique_userid(user_repo)
|
||||
|
|
@ -147,6 +152,9 @@ async def login_webauthn_complete(request: Request) -> Response:
|
|||
if user is None:
|
||||
return JSONResponse({"error": "User not found"}, status_code=400)
|
||||
|
||||
if not user.active:
|
||||
return JSONResponse({"error": "Authentication failed"}, status_code=400)
|
||||
|
||||
request.session["userid"] = user.userid
|
||||
request.session["username"] = user.username
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue