Fixing bug in last-auth-time update for deactivated users.

krulis-martin · krulis-martin · commit eacbeb84cb6a · 2025-02-12T14:14:55.000+01:00
diff --git a/app/V1Module/presenters/LoginPresenter.php b/app/V1Module/presenters/LoginPresenter.php
@@ -22,6 +22,7 @@
 use App\Security\Roles;
 use App\Security\TokenScope;
 use Nette\Security\AuthenticationException;
+use Nette\Http\IResponse;
 
 /**
  * Endpoints used to log a user in
@@ -201,6 +202,14 @@ public function actionRefresh()
         $token = $this->getAccessToken();
 
         $user = $this->getCurrentUser();
+        if (!$user->isAllowed()) {
+            throw new ForbiddenRequestException(
+                "Forbidden Request - User account was disabled",
+                IResponse::S403_Forbidden,
+                FrontendErrorMappings::E403_002__USER_NOT_ALLOWED
+            );
+        }
+
         $user->updateLastAuthenticationAt();
         $this->users->flush();
 
@@ -247,6 +256,14 @@ public function actionIssueRestrictedToken()
         $this->validateEffectiveRole($effectiveRole);
 
         $user = $this->getCurrentUser();
+        if (!$user->isAllowed()) {
+            throw new ForbiddenRequestException(
+                "Forbidden Request - User account was disabled",
+                IResponse::S403_Forbidden,
+                FrontendErrorMappings::E403_002__USER_NOT_ALLOWED
+            );
+        }
+
         $user->updateLastAuthenticationAt();
         $this->users->flush();
 
@@ -265,7 +282,7 @@ private function validateScopeRoles(?array $scopes, $expiration)
     {
         $forbiddenScopes = [
             TokenScope::CHANGE_PASSWORD =>
-                "Password change tokens can only be issued through the password reset endpoint",
+            "Password change tokens can only be issued through the password reset endpoint",
             TokenScope::EMAIL_VERIFICATION => "E-mail verification tokens must be received via e-mail",
         ];
 
diff --git a/app/V1Module/security/AccessManager.php b/app/V1Module/security/AccessManager.php
@@ -112,15 +112,15 @@ public function getUser(AccessToken $token): User
         if (!$user) {
             throw new ForbiddenRequestException(
                 "Forbidden Request - User does not exist",
-                IResponse::S403_FORBIDDEN,
+                IResponse::S403_Forbidden,
                 FrontendErrorMappings::E403_001__USER_NOT_EXIST
             );
         }
 
         if (!$user->isAllowed()) {
             throw new ForbiddenRequestException(
                 "Forbidden Request - User account was disabled",
-                IResponse::S403_FORBIDDEN,
+                IResponse::S403_Forbidden,
                 FrontendErrorMappings::E403_002__USER_NOT_ALLOWED
             );
         }
@@ -148,7 +148,7 @@ public function issueToken(
         if (!$user->isAllowed()) {
             throw new ForbiddenRequestException(
                 "Forbidden Request - User account was disabled",
-                IResponse::S403_FORBIDDEN,
+                IResponse::S403_Forbidden,
                 FrontendErrorMappings::E403_002__USER_NOT_ALLOWED
             );
         }
diff --git a/app/V1Module/security/CredentialsAuthenticator.php b/app/V1Module/security/CredentialsAuthenticator.php
@@ -4,10 +4,12 @@
 
 use App\Exceptions\FrontendErrorMappings;
 use App\Exceptions\WrongCredentialsException;
+use App\Exceptions\ForbiddenRequestException;
 use App\Model\Entity\User;
 use App\Model\Repository\Logins;
 use Nette;
 use Nette\Security\Passwords;
+use Nette\Http\IResponse;
 
 class CredentialsAuthenticator
 {
@@ -40,8 +42,15 @@ public function authenticate(string $username, string $password)
                 "The username or password is incorrect.",
                 FrontendErrorMappings::E400_101__WRONG_CREDENTIALS_LOCAL
             );
+        } elseif (!$user->isAllowed()) {
+            throw new ForbiddenRequestException(
+                "Forbidden Request - User account was disabled",
+                IResponse::S403_Forbidden,
+                FrontendErrorMappings::E403_002__USER_NOT_ALLOWED
+            );
         }
 
+
         return $user;
     }
 }
diff --git a/app/helpers/ExternalLogin/ExternalServiceAuthenticator.php b/app/helpers/ExternalLogin/ExternalServiceAuthenticator.php
@@ -7,6 +7,7 @@
 use App\Exceptions\WrongCredentialsException;
 use App\Exceptions\InvalidExternalTokenException;
 use App\Exceptions\InvalidArgumentException;
+use App\Exceptions\ForbiddenRequestException;
 use App\Model\Entity\Instance;
 use App\Model\Entity\User;
 use App\Model\Repository\ExternalLogins;
@@ -15,6 +16,7 @@
 use App\Model\Repository\Instances;
 use App\Helpers\EmailVerificationHelper;
 use Nette\Utils\Arrays;
+use Nette\Http\IResponse;
 use Firebase\JWT\JWT;
 use Firebase\JWT\Key;
 use DomainException;
@@ -148,8 +150,15 @@ public function authenticate(string $authName, string $token, string $instanceId
                 FrontendErrorMappings::E400_104__EXTERNAL_AUTH_FAILED_USER_NOT_FOUND,
                 ["service" => $authName]
             );
+        } elseif (!$user->isAllowed()) {
+            throw new ForbiddenRequestException(
+                "Forbidden Request - User account was disabled",
+                IResponse::S403_Forbidden,
+                FrontendErrorMappings::E403_002__USER_NOT_ALLOWED
+            );
         }
 
+
         return $user;
     }
 
