Disabled users are unauthenticated

2025-12-13 07:45:56 +00:00 · 2019-03-14 16:24:16 +01:00 · 2019-03-14 16:24:16 +01:00 · b04e922afc
commit b04e922afc
parent 158ac36907
2 changed files with 26 additions and 6 deletions
--- a/src/jwt/decode.js
+++ b/src/jwt/decode.js
@ -13,7 +13,7 @@ export default async (driver, authorizationHeader) => {
  const session = driver.session()
  const query = `
    MATCH (user:User {id: {id} })
-    RETURN user {.id, .slug, .name, .avatar, .email, .role} as user
+    RETURN user {.id, .slug, .name, .avatar, .email, .role, .disabled}
    LIMIT 1
  `
  const result = await session.run(query, { id })
@ -22,6 +22,7 @@ export default async (driver, authorizationHeader) => {
    return record.get('user')
  })
  if (!currentUser) return null
+  if (currentUser.disabled) return null
  return {
    token,
    ...currentUser
--- a/src/resolvers/user_management.spec.js
+++ b/src/resolvers/user_management.spec.js
@ -73,11 +73,30 @@ describe('isLoggedIn', () => {
    })

    describe('and a corresponding user in the database', () => {
-      it('returns true', async () => {
-        // see the decoded token above
-        await factory.create('User', { id: 'u3' })
-        await expect(client.request(query)).resolves.toEqual({
-          isLoggedIn: true
+      describe('user is enabled', () => {
+        it('returns true', async () => {
+          // see the decoded token above
+          await factory.create('User', { id: 'u3' })
+          await expect(client.request(query)).resolves.toEqual({
+            isLoggedIn: true
+          })
+        })
+      })
+
+      describe('user is disabled', () => {
+        beforeEach(async () => {
+          const moderatorParams = { email: 'moderator@example.org', role: 'moderator', password: '1234' }
+          const asModerator = Factory()
+          await asModerator.create('User', moderatorParams)
+          await asModerator.authenticateAs(moderatorParams)
+          await factory.create('User', { id: 'u3' })
+          await asModerator.mutate('mutation($id: ID!) { disable(id: $id) }', { id: 'u3' })
+        })
+
+        it('returns false', async () => {
+          await expect(client.request(query)).resolves.toEqual({
+            isLoggedIn: false
+          })
        })
      })
    })