From 4a214b099e323e9e9b5e89648a9be40ac226eb8a Mon Sep 17 00:00:00 2001
From: Eli Ribble
Date: Tue, 21 Apr 2026 19:37:26 +0000
Subject: [PATCH] Disallow login or sessions from inactive users
---
 auth/auth.go | 20 +++++++++++++++++---
 platform/user.go | 3 +++
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/auth/auth.go b/auth/auth.go
index bb22736e..e19be03a 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -13,9 +13,9 @@ import (
 "golang.org/x/crypto/bcrypt"
 )
 
-type NoCredentialsError struct{}
+type InactiveUser struct{}
 
-func (e NoCredentialsError) Error() string { return "No credentials were present in the request" }
+func (e InactiveUser) Error() string { return "That user is not active" }
 
 type InvalidCredentials struct{}
 
@@ -25,6 +25,10 @@ type InvalidUsername struct{}
 
 func (e InvalidUsername) Error() string { return "That username doesn't exist" }
 
+type NoCredentialsError struct{}
+
+func (e NoCredentialsError) Error() string { return "No credentials were present in the request" }
+
 type AuthenticatedHandler func(http.ResponseWriter, *http.Request, platform.User)
 type EnsureAuth struct {
 handler AuthenticatedHandler
@@ -81,7 +85,14 @@ func GetAuthenticatedUser(r *http.Request) (*platform.User, error) {
 }
 username := sessionManager.GetString(ctx, "username")
 if user_id > 0 && username != "" {
-return platform.UserByID(ctx, int32(user_id))
+user, err := platform.UserByID(ctx, int32(user_id))
+if err != nil {
+return nil, fmt.Errorf("user by ID: %w", err)
+}
+if !user.IsActive {
+return nil, fmt.Errorf("user is inactive")
+}
+return user, nil
 }
 }
 // If we can't get the user from the session try to get from auth headers
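Review bot: The new exported type `InactiveUser` and its Error method carry no doc comment, and the message "That user is not active" is distinguishable from the InvalidUsername and InvalidCredentials messages, so whichever caller turns these errors into HTTP responses (outside this hunk) would tell a client that an account exists but is deactivated. A doc comment that records the intended handling would help: `// InactiveUser is returned when the account exists but has been deactivated. Handlers should map it to the same client-facing response as InvalidCredentials rather than echo Error().` The neighbouring error types in the file are equally uncommented, so this is consistent with the existing style, but the file is being touched anyway.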
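Review bot: The inactive-session branch in GetAuthenticatedUser returns `fmt.Errorf("user is inactive")`, an untyped error, while the same commit introduces `InactiveUser{}` and uses it in validateUser, so a caller cannot recognise the session case with errors.As. Replace it with `return nil, InactiveUser{}` so both paths surface the same type. The session is also left intact after the check fails, so a deactivated account's session survives until it expires and would resume without re-authentication if the account were reactivated; presumably `sessionManager` offers a destroy or clear call that could run before returning — confirm against its API. GetAuthenticatedUser starts and ends outside the hunk.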
@@ -206,6 +217,9 @@ func validateUser(ctx context.Context, username string, password string) (*platf
 log.Info().Str("username", username).Str("password", redact(password)).Msg("Invalid username")
 return nil, InvalidUsername{}
 }
+if !user.IsActive {
+return nil, InactiveUser{}
+}
 if !validatePassword(password, user.PasswordHash) {
 log.Info().Str("username", username).Str("password", redact(password)).Str("hash", passwordHash).Msg("Invalid password for user")
 return nil, InvalidCredentials{}
diff --git a/platform/user.go b/platform/user.go
index b309ac9b..2f44bfe1 100644
--- a/platform/user.go
+++ b/platform/user.go
@@ -30,6 +30,7 @@ type User struct {
 DisplayName string
 ID int
 Initials string
+IsActive bool
 IsDronePilot bool
 IsWarrant bool
 Organization Organization
@@ -62,6 +63,7 @@ func newUser(ctx context.Context, org Organization, user *models.User) User {
 DisplayName: user.DisplayName,
 ID: int(user.ID),
 Initials: extractInitials(user.DisplayName),
+IsActive: user.IsActive,
 IsDronePilot: user.IsDronePilot,
 IsWarrant: user.IsWarrant,
 Organization: org,
@@ -273,6 +275,7 @@ func toUser(user *models.User) User {
 return User{
 DisplayName: user.DisplayName,
 ID: int(user.ID),
+IsActive: user.IsActive,
 Initials: extractInitials(user.DisplayName),
 Organization: Organization{},
 PasswordHash: user.PasswordHash,
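Review bot: The new IsActive check in validateUser returns without logging, unlike the adjacent "Invalid username" and "Invalid password for user" branches that emit log.Info(); a login attempt against a deactivated account is exactly the event an operator wants surfaced. Add `log.Info().Str("username", username).Msg("Login attempt for inactive user")` before the return. Because the check runs before validatePassword, the bcrypt comparison is skipped for inactive accounts, so the outcome differs from an active account with a wrong password in both error type and latency; if that distinction is not intended, call validatePassword first and test IsActive afterwards. validateUser begins and ends outside the hunk.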
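Review bot: The `IsActive bool` field added to User in platform/user.go has no comment, and its zero value false means any User built without copying the flag is treated as deactivated and denied login; the commit patches newUser and toUser, but any other constructor would be outside this diff. That fail-closed default is worth recording on the field: `// IsActive is false for deactivated accounts; the zero value denies login, so every constructor must copy it from models.User.`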