fix(webserver): Prevent disabled accounts from authenticating (#1311)

ee/tabby-webserver/src/schema/auth.rs

@@ -136,6 +136,9 @@ pub enum TokenAuthError {
     #[error("Password is not valid")]
     InvalidPassword,
 
+    #[error("User is disabled")]
+    UserDisabled,
+
     #[error(transparent)]
     Other(#[from] anyhow::Error),
 
@@ -160,6 +163,9 @@ pub enum OAuthError {
     #[error("The user is not invited to access the system")]
     UserNotInvited,
 
+    #[error("User is disabled")]
+    UserDisabled,
+
     #[error(transparent)]
     Other(#[from] anyhow::Error),
 
@@ -187,6 +193,9 @@ pub enum RefreshTokenError {
     #[error("User not found")]
     UserNotFound,
 
+    #[error("User is disabled")]
+    UserDisabled,
+
     #[error(transparent)]
     Other(#[from] anyhow::Error),
 

ee/tabby-webserver/src/service/auth.rs

@@ -220,6 +220,10 @@ impl AuthenticationService for DbConn {
             return Err(TokenAuthError::UserNotFound);
         };
 
+        if !user.active {
+            return Err(TokenAuthError::UserDisabled);
+        }
+
         if !password_verify(&input.password, &user.password_encrypted) {
             return Err(TokenAuthError::InvalidPassword);
         }
@@ -250,6 +254,10 @@ impl AuthenticationService for DbConn {
             return Err(RefreshTokenError::UserNotFound);
         };
 
+        if !user.active {
+            return Err(RefreshTokenError::UserDisabled);
+        }
+
         let new_token = generate_refresh_token();
         self.replace_refresh_token(&token, &new_token).await?;
 
@@ -353,6 +361,9 @@ impl AuthenticationService for DbConn {
         };
 
         let user = if let Some(user) = self.get_user_by_email(&email).await? {
+            if !user.active {
+                return Err(OAuthError::UserDisabled);
+            }
             user
         } else {
             let Some(invitation) = self.get_invitation_by_email(&email).await? else {