From b04e922afc0ad2ce64c260d05bb166bbe8b5e53d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=A4fer?=
Date: Thu, 14 Mar 2019 16:24:16 +0100
Subject: [PATCH] Disabled users are unauthenticated
---
 src/jwt/decode.js | 3 ++-
 src/resolvers/user_management.spec.js | 29 ++++++++++++++++++++++-----
 2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/src/jwt/decode.js b/src/jwt/decode.js
index 0ab1e4529..6abc06dc1 100644
--- a/src/jwt/decode.js
+++ b/src/jwt/decode.js
@@ -13,7 +13,7 @@ export default async (driver, authorizationHeader) => {
 const session = driver.session()
 const query = `
 MATCH (user:User {id: {id} })
- RETURN user {.id, .slug, .name, .avatar, .email, .role} as user
+ RETURN user {.id, .slug, .name, .avatar, .email, .role, .disabled}
 LIMIT 1
 `
 const result = await session.run(query, { id })
@@ -22,6 +22,7 @@ export default async (driver, authorizationHeader) => {
 return record.get('user')
 })
 if (!currentUser) return null
+ if (currentUser.disabled) return null
 return {
 token,
 ...currentUser
diff --git a/src/resolvers/user_management.spec.js b/src/resolvers/user_management.spec.js
index c4b09df37..6df1b1626 100644
--- a/src/resolvers/user_management.spec.js
+++ b/src/resolvers/user_management.spec.js
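Review bot: In the query hunk of src/jwt/decode.js the new `RETURN` line drops the `as user` alias, while the second hunk still reads the column with `record.get('user')`. That presumably keeps working because a map projection is returned under its variable name, but the lookup now depends on implicit column naming in the one query that decides whether a token maps to an account. Keeping the alias makes the coupling explicit: `RETURN user {.id, .slug, .name, .avatar, .email, .role, .disabled} as user`. The enclosing function starts before and ends after this hunk.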
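Review bot: The added `if (currentUser.disabled) return null` has no comment saying why a disabled account is treated exactly like a missing one, and that is the security-relevant decision in this patch. A token issued before the account was disabled still verifies, so this per-request database check is what actually locks the account out; any other code path that verifies the JWT without going through this function would presumably not see the flag. I would add above the line: `// Disabled accounts are treated as unauthenticated: an already issued token still verifies, so this lookup is what locks them out.` Note also that a user node without a `disabled` property projects a null value and is therefore treated as enabled, and that `...currentUser` now carries `disabled` into the returned object. The function body continues outside the hunk.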
@@ -73,11 +73,30 @@ describe('isLoggedIn', () => {
 })

 describe('and a corresponding user in the database', () => {
- it('returns true', async () => {
- // see the decoded token above
- await factory.create('User', { id: 'u3' })
- await expect(client.request(query)).resolves.toEqual({
- isLoggedIn: true
+ describe('user is enabled', () => {
+ it('returns true', async () => {
+ // see the decoded token above
+ await factory.create('User', { id: 'u3' })
+ await expect(client.request(query)).resolves.toEqual({
+ isLoggedIn: true
+ })
+ })
+ })
+
+ describe('user is disabled', () => {
+ beforeEach(async () => {
+ const moderatorParams = { email: 'moderator@example.org', role: 'moderator', password: '1234' }
+ const asModerator = Factory()
+ await asModerator.create('User', moderatorParams)
+ await asModerator.authenticateAs(moderatorParams)
+ await factory.create('User', { id: 'u3' })
+ await asModerator.mutate('mutation($id: ID!) { disable(id: $id) }', { id: 'u3' })
+ })
+
+ it('returns false', async () => {
+ await expect(client.request(query)).resolves.toEqual({
+ isLoggedIn: false
+ })
 })
 })
 })
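Review bot: The 'user is disabled' case has no comment tying it to the token decoded earlier in the file, unlike the enabled case with its `// see the decoded token above`, so a reader has to infer that the request is sent with u3's token. I would add `// the token above belongs to u3, who is disabled by the moderator in beforeEach` inside `it('returns false', …)`. The case also asserts only `isLoggedIn: false`; a second assertion that an operation requiring authentication is refused for the same token would pin the property the commit title states, if the suite has such an operation available. The surrounding describe blocks start and end outside the hunk.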