Make sure users can't login from launchpad if they're deactivated

Just in case the SignalId::User deletion failed.
This commit is contained in:
Mike Dalessio
2025-07-15 18:36:31 -04:00
parent 9f887e17f5
commit e69023993c
3 changed files with 11 additions and 3 deletions
@@ -7,7 +7,8 @@ class Sessions::LaunchpadController < ApplicationController
end
def update
if user = Current.account.signal_account.authenticate(sig: @sig).try(:peer)
user = Current.account.signal_account.authenticate(sig: @sig).try(:peer)
if user.present? && user.active?
start_new_session_for user
redirect_to after_authentication_url
else
+1 -1
View File
@@ -23,7 +23,7 @@ class User < ApplicationRecord
def deactivate
sessions.delete_all
accesses.destroy_all
signal_user.destroy
SignalId::Database.on_master { signal_user&.destroy }
update! active: false, email_address: deactived_email_address
end
@@ -21,9 +21,16 @@ class Sessions::LaunchpadControllerTest < ActionDispatch::IntegrationTest
assert parsed_cookies.signed[:session_token]
end
test "returns 401 when the sig is invalid" do
test "create checks user.active?" do
user = users(:david)
user.update! active: false
put session_launchpad_path(params: { sig: user.signal_user.perishable_signature })
assert_response :unauthorized
end
test "returns 401 when the sig is invalid" do
put session_launchpad_path(params: { sig: "invalid" })
assert_response :unauthorized