From 560ff81561233e6141766af42ed3c155bf4a3660 Mon Sep 17 00:00:00 2001
From: Bernd Storath <999999bst@gmail.com>
Date: Tue, 1 Apr 2025 11:13:14 +0200
Subject: [PATCH] don't allow disabled user to log in

not a security issue as permission handler would fail anyway
---
 src/server/api/session.post.ts | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/server/api/session.post.ts b/src/server/api/session.post.ts
index 4dda5ffd..0dcc008a 100644
--- a/src/server/api/session.post.ts
+++ b/src/server/api/session.post.ts
@@ -9,12 +9,21 @@ export default defineEventHandler(async (event) => {
 // TODO: timing can be used to enumerate usernames
 const user = await Database.users.getByUsername(username);
- if (!user)
+ if (!user) {
 throw createError({
 statusCode: 401,
 statusMessage: 'Incorrect credentials',
 });
+ }
+
+ if (!user.enabled) {
+ throw createError({
+ statusCode: 403,
+ statusMessage: 'User is disabled',
+ });
+ }
+
 // todo: handle in service
 const userHashPassword = user.password;
 const passwordValid = await isPasswordValid(password, userHashPassword);
 if (!passwordValid) {
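Review bot: The new `if (!user.enabled)` guard runs before `isPasswordValid` and answers 403 'User is disabled' where an unknown username gets 401 'Incorrect credentials', so an unauthenticated caller can confirm that a username exists and is disabled without knowing any password — a direct enumeration oracle, stronger than the timing one the TODO above already notes, and not covered by the commit message's argument that the permission handler would fail anyway. Move the guard below the `if (!passwordValid)` branch (whose body ends outside this hunk), so only a caller holding the correct password learns the account is disabled; an attacker without the password keeps seeing the generic 401. If the early return is kept on purpose, make its response identical to the unknown-user branch, `statusCode: 401, statusMessage: 'Incorrect credentials',`, and handle the disabled state in the permission layer as the message describes. If `enabled` can be absent on rows created before the column existed, `!user.enabled` would also lock those users out — worth confirming the column has a default of true.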