letro/letro-authentication-service
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Don't allow creating personal sessions for deactivated users

Browse Source
This commit is contained in:
Olivier 'reivilibre
2025-10-22 11:31:17 +01:00
parent c94e4ea27b
commit 29c3da5d0e
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
crates/handlers/src/admin/v1/personal_sessions/add.rs
View File

@@ -32,6 +32,9 @@ pub enum RouteError {
#[error("User not found")]
UserNotFound,
#[error("User is not active")]
UserDeactivated,
#[error("Invalid scope")]
InvalidScope,
}
@@ -46,6 +49,7 @@ impl IntoResponse for RouteError {
let status = match self {
Self::Internal(_) => StatusCode::INTERNAL_SERVER_ERROR,
Self::UserNotFound => StatusCode::NOT_FOUND,
Self::UserDeactivated => StatusCode::GONE,
Self::InvalidScope => StatusCode::BAD_REQUEST,
};
(status, sentry_event_id, Json(error)).into_response()
@@ -114,6 +118,10 @@ pub async fn handler(
.await?
.ok_or(RouteError::UserNotFound)?;
if actor_user.deactivated_at.is_some() {
return Err(RouteError::UserDeactivated);
}
let scope: Scope = params.scope.parse().map_err(|_| RouteError::InvalidScope)?;
// Create the personal session