feat(svc): reject disabled users in Login, LoginWithPasskey, and Refresh

This commit is contained in:
2026-07-04 17:13:02 +08:00
parent bff131ba42
commit 118b7e4d2a
2 changed files with 179 additions and 1 deletions
+21
View File
@@ -72,6 +72,7 @@ func (s *AuthService) Register(ctx context.Context, username, email, password st
Username: username,
Email: email,
PasswordHash: passwordHash,
Status: model.StatusActive,
}
if err := s.userRepo.Create(ctx, user); err != nil {
@@ -94,6 +95,10 @@ func (s *AuthService) Login(ctx context.Context, email, password string) (*Token
return nil, model.NewInternalError("find user", err)
}
if user.Status != model.StatusActive {
return nil, &model.AppError{Status: http.StatusUnauthorized, Message: "invalid email or password"}
}
if err := auth.VerifyPassword(user.PasswordHash, password); err != nil {
return nil, &model.AppError{Status: http.StatusUnauthorized, Message: "invalid email or password"}
}
@@ -126,6 +131,14 @@ func (s *AuthService) Refresh(ctx context.Context, refreshTokenStr string) (*Tok
return nil, &model.AppError{Status: http.StatusUnauthorized, Message: "invalid token"}
}
user, err := s.userRepo.FindByID(ctx, claims.UserID)
if err != nil {
return nil, &model.AppError{Status: http.StatusUnauthorized, Message: "invalid token"}
}
if user.Status != model.StatusActive {
return nil, &model.AppError{Status: http.StatusUnauthorized, Message: "invalid token"}
}
if err := s.sessionRepo.Delete(ctx, session.ID); err != nil {
return nil, model.NewInternalError("delete old session", err)
}
@@ -188,6 +201,14 @@ func (s *AuthService) LoginWithPasskey(ctx context.Context, tokenStr string) (*T
return nil, model.NewInternalError("find credential", err)
}
user, err := s.userRepo.FindByIDIncludeDeleted(ctx, cred.UserID)
if err != nil {
return nil, model.NewInternalError("find user", err)
}
if user.Status != model.StatusActive {
return nil, &model.AppError{Status: http.StatusUnauthorized, Message: "invalid passkey"}
}
if cred.Type != "app_passkey" {
return nil, &model.AppError{Status: http.StatusUnauthorized, Message: "invalid credential type"}
}