Prevent login if user is disabled

Author: CarsonF

src/common/exceptions/unauthenticated.exception.ts

@@ -2,11 +2,16 @@ import { HttpStatus } from '@nestjs/common';
 import { ClientException } from './exception';
 
 /**
- * We cannot identify the requester.
+ * Any authentication-related problem
  */
-export class UnauthenticatedException extends ClientException {
+export abstract class AuthenticationException extends ClientException {
   readonly status = HttpStatus.UNAUTHORIZED;
+}
 
+/**
+ * We cannot identify the requester.
+ */
+export class UnauthenticatedException extends AuthenticationException {
   constructor(message?: string, previous?: Error) {
     super(message ?? `Not authenticated`, previous);
   }

src/core/authentication/authentication.gel.repository.ts

@@ -64,17 +64,17 @@ export class AuthenticationGelRepository
     },
   );
 
-  async getPasswordHash({ email }: LoginInput) {
-    return await this.db.run(this.getPasswordHashQuery, { email });
+  async getInfoForLogin({ email }: LoginInput) {
+    return await this.db.run(this.getInfoForLoginQuery, { email });
   }
-  private readonly getPasswordHashQuery = e.params(
+  private readonly getInfoForLoginQuery = e.params(
     { email: e.str },
-    ({ email }) => {
-      const identity = e.select(e.Auth.Identity, (identity) => ({
+    ({ email }) =>
+      e.select(e.Auth.Identity, (identity) => ({
         filter_single: e.op(identity.user.email, '=', email),
-      }));
-      return identity.passwordHash;
-    },
+        passwordHash: true,
+        status: identity.user.status,
+      })),
   );
 
   async connectSessionToUser(input: LoginInput, session: Session): Promise<ID> {

src/core/authentication/authentication.repository.ts

@@ -2,6 +2,7 @@ import { Injectable } from '@nestjs/common';
 import { node, relation } from 'cypher-query-builder';
 import { DateTime } from 'luxon';
 import { type ID, type Role, ServerException } from '~/common';
+import { type UserStatus } from '../../components/user/dto';
 import { DatabaseService, DbTraceLayer, OnIndex } from '../database';
 import {
   ACTIVE,
@@ -97,27 +98,34 @@ export class AuthenticationRepository {
       .run();
   }
 
-  async getPasswordHash(input: LoginInput) {
+  async getInfoForLogin(input: LoginInput) {
     const result = await this.db
       .query()
-      .raw(
-        `
-    MATCH
-      (:EmailAddress {value: $email})
-      <-[:email {active: true}]-
-      (user:User)
-      -[:password {active: true}]->
-      (password:Property)
-    RETURN
-      password.value as pash
-    `,
-        {
-          email: input.email,
-        },
-      )
-      .asResult<{ pash: string }>()
+      .match([
+        [
+          node('email', 'EmailAddress', {
+            value: input.email,
+          }),
+          relation('in', '', 'email', ACTIVE),
+          node('user', 'User'),
+        ],
+        [
+          node('user'),
+          relation('out', '', 'password', ACTIVE),
+          node('password', 'Property'),
+        ],
+        [
+          node('user'),
+          relation('out', '', 'status', ACTIVE),
+          node('status', 'Property'),
+        ],
+      ])
+      .return<{ passwordHash: string; status: UserStatus }>([
+        'password.value as passwordHash',
+        'status.value as status',
+      ])
       .first();
-    return result?.pash ?? null;
+    return result ?? null;
   }
 
   async connectSessionToUser(input: LoginInput, session: Session) {

src/core/authentication/authentication.service.ts

@@ -2,6 +2,7 @@ import { Injectable } from '@nestjs/common';
 import { ModuleRef } from '@nestjs/core';
 import { EmailService } from '@seedcompany/nestjs-email';
 import {
+  AuthenticationException,
   DuplicateException,
   type ID,
   InputException,
@@ -73,11 +74,14 @@ export class AuthenticationService {
   }
 
   async login(input: LoginInput): Promise<ID> {
-    const hash = await this.repo.getPasswordHash(input);
+    const info = await this.repo.getInfoForLogin(input);
 
-    if (!(await this.crypto.verify(hash, input.password))) {
+    if (!(await this.crypto.verify(info?.passwordHash, input.password))) {
       throw new UnauthenticatedException('Invalid credentials');
     }
+    if (info!.status === 'Disabled') {
+      throw new UserDisabledException();
+    }
 
     const userId = await this.repo.connectSessionToUser(
       input,
@@ -152,3 +156,9 @@ export class AuthenticationService {
     await this.repo.removeAllEmailTokensForEmail(emailToken.email);
   }
 }
+
+export class UserDisabledException extends AuthenticationException {
+  constructor() {
+    super('User is disabled');
+  }
+}