diff --git a/ee/tabby-webserver/src/schema/auth.rs b/ee/tabby-webserver/src/schema/auth.rs
index a810b4a72d5a..ab1df9af2f14 100644
--- a/ee/tabby-webserver/src/schema/auth.rs
+++ b/ee/tabby-webserver/src/schema/auth.rs
@@ -136,6 +136,9 @@ pub enum TokenAuthError {
     #[error("Password is not valid")]
     InvalidPassword,
 
+    #[error("User is disabled")]
+    UserDisabled,
+
     #[error(transparent)]
     Other(#[from] anyhow::Error),
 
@@ -160,6 +163,9 @@ pub enum OAuthError {
     #[error("The user is not invited to access the system")]
     UserNotInvited,
 
+    #[error("User is disabled")]
+    UserDisabled,
+
     #[error(transparent)]
     Other(#[from] anyhow::Error),
 
@@ -187,6 +193,9 @@ pub enum RefreshTokenError {
     #[error("User not found")]
     UserNotFound,
 
+    #[error("User is disabled")]
+    UserDisabled,
+
     #[error(transparent)]
     Other(#[from] anyhow::Error),
 
diff --git a/ee/tabby-webserver/src/service/auth.rs b/ee/tabby-webserver/src/service/auth.rs
index 76e3c2a53c57..f17636247558 100644
--- a/ee/tabby-webserver/src/service/auth.rs
+++ b/ee/tabby-webserver/src/service/auth.rs
@@ -220,6 +220,10 @@ impl AuthenticationService for DbConn {
             return Err(TokenAuthError::UserNotFound);
         };
 
+        if !user.active {
+            return Err(TokenAuthError::UserDisabled);
+        }
+
         if !password_verify(&input.password, &user.password_encrypted) {
             return Err(TokenAuthError::InvalidPassword);
         }
@@ -250,6 +254,10 @@ impl AuthenticationService for DbConn {
             return Err(RefreshTokenError::UserNotFound);
         };
 
+        if !user.active {
+            return Err(RefreshTokenError::UserDisabled);
+        }
+
         let new_token = generate_refresh_token();
         self.replace_refresh_token(&token, &new_token).await?;
 
@@ -353,6 +361,9 @@ impl AuthenticationService for DbConn {
         };
 
         let user = if let Some(user) = self.get_user_by_email(&email).await? {
+            if !user.active {
+                return Err(OAuthError::UserDisabled);
+            }
             user
         } else {
             let Some(invitation) = self.get_invitation_by_email(&email).await? else {
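Review bot: In the password-login hunk of service/auth.rs (`@@ -220`), the new `!user.active` check runs before `password_verify`, so anyone who knows an email address learns that the account is disabled without presenting a valid password, and the response is returned without the cost of the password comparison. Checking the flag after a successful password verification keeps the disabled state visible only to a caller holding valid credentials: `if !password_verify(&input.password, &user.password_encrypted) { return Err(TokenAuthError::InvalidPassword); }` followed by `if !user.active { return Err(TokenAuthError::UserDisabled); }`. The refresh and OAuth hunks are not affected by this ordering point, since there the caller already proves possession of a token or a provider identity before the check. The enclosing method starts and ends outside the hunk.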
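Review bot: In the refresh hunk of service/auth.rs (`@@ -250`), a disabled user's refresh token is rejected but nothing in the hunk revokes the stored token, so it stays usable the moment the account is re-enabled, and any previously issued access token keeps working until it expires unless the access-token validation path (not in this diff) also consults `user.active` — worth confirming. Consider removing the stored refresh token (with whatever deletion helper `DbConn` provides) before returning `RefreshTokenError::UserDisabled`, and adding a comment on the check such as `// Disabled accounts must not be able to mint new tokens; the stale refresh token is dropped here.`. The enclosing method starts and ends outside the hunk.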