Fix JWT: don't provide token to inactive user

BEMServer · May 21, 2024 · 8f0072b · 8f0072b
1 parent 29ac41c
commit 8f0072b
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/src/bemserver_api/extensions/smorest.py b/src/bemserver_api/extensions/smorest.py
@@ -196,6 +196,6 @@ class GetJWTRespSchema(Schema):
 def get_token(creds):
     """Get an authentication token"""
     user = auth.get_user_by_email(creds["email"])
-    if user is None or not user.check_password(creds["password"]):
+    if user is None or not user.check_password(creds["password"]) or not user.is_active:
         return flask.jsonify({"status": "failure"})
     return {"status": "success", "token": auth.encode(user).decode("utf-8")}
diff --git a/tests/extensions/test_smorest.py b/tests/extensions/test_smorest.py
@@ -4,6 +4,7 @@
 class TestSmorest:
     def test_get_token(self, app, users):
         user_1 = users["Active"]["user"]
+        user_2 = users["Inactive"]["user"]
 
         client = app.test_client()
         payload = {"email": user_1.email, "password": "@ctive"}
@@ -12,6 +13,13 @@ def test_get_token(self, app, users):
         assert resp.json["status"] == "success"
         assert "token" in resp.json
 
+        # Inactive user
+        client = app.test_client()
+        payload = {"email": user_2.email, "password": "in@ctive"}
+        resp = client.post("/auth/token", json=payload)
+        assert resp.status_code == 200
+        assert resp.json == {"status": "failure"}
+
         # Wrong password
         client = app.test_client()
         payload = {"email": user_1.email, "password": "dummy"}