don't allow disabled user to log in

not a security issue as permission handler would fail anyway

src/server/api/session.post.ts

@@ -9,12 +9,21 @@ export default defineEventHandler(async (event) => {
   // TODO: timing can be used to enumerate usernames
 
   const user = await Database.users.getByUsername(username);
-  if (!user)
+  if (!user) {
     throw createError({
       statusCode: 401,
       statusMessage: 'Incorrect credentials',
     });
+  }
+
+  if (!user.enabled) {
+    throw createError({
+      statusCode: 403,
+      statusMessage: 'User is disabled',
+    });
+  }
 
+  // todo: handle in service
   const userHashPassword = user.password;
   const passwordValid = await isPasswordValid(password, userHashPassword);
   if (!passwordValid) {