From 8470dc43ac68d8e308c5c8a94d44ddf35020dfce Mon Sep 17 00:00:00 2001
From: Olivier 'reivilibre
Date: Wed, 22 Oct 2025 13:04:39 +0100
Subject: [PATCH] Check validity of token owner

---
 crates/handlers/src/admin/call_context.rs | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/crates/handlers/src/admin/call_context.rs b/crates/handlers/src/admin/call_context.rs
index 56707d2df..08e535cc9 100644
--- a/crates/handlers/src/admin/call_context.rs
+++ b/crates/handlers/src/admin/call_context.rs
@@ -17,7 +17,8 @@ use headers::{Authorization, authorization::Bearer};
 use hyper::StatusCode;
 use mas_axum_utils::record_error;
 use mas_data_model::{
-    BoxClock, Session, TokenFormatError, TokenType, User, personal::session::PersonalSession,
+    BoxClock, Session, TokenFormatError, TokenType, User,
+    personal::session::{PersonalSession, PersonalSessionOwner},
 };
 use mas_storage::{BoxRepository, RepositoryError};
 use oauth2_types::scope::Scope;
@@ -222,6 +223,23 @@ where
         return Err(Rejection::TokenExpired);
     }
 
+    // Check the validity of the owner of the personal session
+    match session.owner {
+        PersonalSessionOwner::User(owner_user_id) => {
+            let owner_user = repo
+                .user()
+                .lookup(owner_user_id)
+                .await?
+                .ok_or_else(|| Rejection::LoadUser(owner_user_id))?;
+            if !owner_user.is_valid() {
+                return Err(Rejection::UserLocked);
+            }
+        }
+        PersonalSessionOwner::OAuth2Client(_) => {
+            // nop: Client owners are always valid
+        }
+    }
+
     // Record the activity on the session
     activity_tracker
         .record_personal_session(&clock, &session)
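Review bot: The `PersonalSessionOwner::OAuth2Client(_)` arm accepts the session without looking the client up, so a personal session whose owning client has since been removed (if the repository allows that) would keep authenticating, while the `User` arm rejects a missing owner with `Rejection::LoadUser` and a locked one with `Rejection::UserLocked`. If client owners really cannot be disabled or deleted, state that invariant in the comment so a later change to the client model revisits this arm, e.g. `// nop: clients carry no locked/deactivated state, so a client owner cannot become invalid; revisit if one is added`. The new check sits after the expiry check and before `record_personal_session`, so rejected tokens do not register activity; that ordering is worth preserving if the block is reworked. The enclosing function starts and ends outside the hunk.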