feat: do not authenticate deactivated users, deactivate and reactivate service account

Author: hamir-suspect

guard/lib/guard/front_repo/user.ex

@@ -90,7 +90,9 @@ defmodule Guard.FrontRepo.User do
   def active_user_by_token(token) do
     case FrontRepo.one(
            from(u in FrontRepo.User,
-             where: u.authentication_token == ^token and is_nil(u.blocked_at)
+             where:
+               u.authentication_token == ^token and is_nil(u.blocked_at) and
+                 (is_nil(u.deactivated) or u.deactivated == false)
            )
          ) do
       nil -> {:error, :not_found}
@@ -101,7 +103,9 @@ defmodule Guard.FrontRepo.User do
   def active_user_by_id(id) do
     case FrontRepo.one(
            from(u in FrontRepo.User,
-             where: u.id == ^id and is_nil(u.blocked_at)
+             where:
+               u.id == ^id and is_nil(u.blocked_at) and
+                 (is_nil(u.deactivated) or u.deactivated == false)
            )
          ) do
       nil ->
@@ -115,7 +119,9 @@ defmodule Guard.FrontRepo.User do
   def active_user_by_email(email) do
     case FrontRepo.one(
            from(u in FrontRepo.User,
-             where: u.email == ^email and is_nil(u.blocked_at)
+             where:
+               u.email == ^email and is_nil(u.blocked_at) and
+                 (is_nil(u.deactivated) or u.deactivated == false)
            )
          ) do
       nil ->

guard/lib/guard/store/service_account.ex

@@ -27,7 +27,7 @@ defmodule Guard.Store.ServiceAccount do
       query =
         build_service_account_query()
         |> where([sa, u], sa.id == ^service_account_id)
-        |> where([sa, u], is_nil(u.blocked_at) and u.deactivated == false)
+        |> where([sa, u], is_nil(u.blocked_at))
 
       case FrontRepo.one(query) do
         nil -> {:error, :not_found}
@@ -55,7 +55,7 @@ defmodule Guard.Store.ServiceAccount do
       query =
         build_service_account_query()
         |> where([sa, u], u.org_id == ^org_id)
-        |> where([sa, u], is_nil(u.blocked_at) and u.deactivated == false)
+        |> where([sa, u], is_nil(u.blocked_at))
         |> order_by([sa, u], asc: u.created_at, asc: sa.id)
         # Get one extra to check if there are more
         |> limit(^(page_size + 1))

guard/test/guard/store/service_account_test.exs

@@ -32,14 +32,14 @@ defmodule Guard.Store.ServiceAccountTest do
       assert {:error, :not_found} = ServiceAccount.find(non_existent_id)
     end
 
-    test "returns error when service account is deactivated" do
+    test "returns deactivated service account" do
       {:ok, %{service_account: created_sa, user: user}} = ServiceAccountFactory.insert()
 
       # Deactivate the user
       User.changeset(user, %{deactivated: true, deactivated_at: DateTime.utc_now()})
       |> FrontRepo.update()
 
-      assert {:error, :not_found} = ServiceAccount.find(created_sa.id)
+      assert {:ok, %{deactivated: true}} = ServiceAccount.find(created_sa.id)
     end
 
     test "returns error when service account is blocked" do
@@ -106,23 +106,6 @@ defmodule Guard.Store.ServiceAccountTest do
       assert result2.next_page_token == nil
     end
 
-    test "filters out deactivated service accounts" do
-      org_id = Ecto.UUID.generate()
-      {:ok, %{service_account: sa1}} = ServiceAccountFactory.insert(org_id: org_id, name: "SA1")
-
-      {:ok, %{service_account: _sa2, user: user2}} =
-        ServiceAccountFactory.insert(org_id: org_id, name: "SA2")
-
-      # Deactivate second service account
-      User.changeset(user2, %{deactivated: true, deactivated_at: DateTime.utc_now()})
-      |> FrontRepo.update()
-
-      {:ok, result} = ServiceAccount.find_by_org(org_id, 10, nil)
-
-      assert length(result.service_accounts) == 1
-      assert List.first(result.service_accounts).id == sa1.id
-    end
-
     test "returns error for invalid org_id" do
       assert {:error, :invalid_org_id} = ServiceAccount.find_by_org("invalid-uuid", 10, nil)
     end
@@ -312,7 +295,7 @@ defmodule Guard.Store.ServiceAccountTest do
       assert user.deactivated_at != nil
 
       # Verify service account is no longer findable
-      assert {:error, :not_found} = ServiceAccount.find(sa.id)
+      assert {:ok, %{deactivated: true}} = ServiceAccount.find(sa.id)
     end
 
     test "returns error when service account not found" do