fix: block inactive users from all authentication paths

Add active-user checks to password login, WebAuthn login, and magic
link registration to prevent deactivated accounts from authenticating.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Johan Lundberg 2026-03-31 15:18:51 +02:00
parent aff6ddb99b
commit 23ca6272a2
No known key found for this signature in database
GPG key ID: A6C152738D03C7D1
2 changed files with 77 additions and 0 deletions

View file

@ -50,6 +50,9 @@ async def login_password(
if not password_service.verify(credential.password_hash, password):
return HTMLResponse(error_html)
if not user.active:
return HTMLResponse(error_html)
request.session["userid"] = user.userid
request.session["username"] = user.username
@ -77,6 +80,8 @@ async def register_magic_link(request: Request, token: str) -> Response:
existing_user = await user_repo.get_by_username(link.username)
if existing_user is not None:
if not existing_user.active:
return HTMLResponse("<p>This account has been deactivated.</p>", status_code=400)
user = existing_user
else:
userid = await generate_unique_userid(user_repo)
@ -147,6 +152,9 @@ async def login_webauthn_complete(request: Request) -> Response:
if user is None:
return JSONResponse({"error": "User not found"}, status_code=400)
if not user.active:
return JSONResponse({"error": "Authentication failed"}, status_code=400)
request.session["userid"] = user.userid
request.session["username"] = user.username