fix: handle locked auths with no privatekey

package.json

@@ -1,6 +1,6 @@
 {
   "name": "krist",
-  "version": "3.5.1",
+  "version": "3.5.2",
   "description": "The new Krist node written in TypeScript.",
   "type": "module",
   "scripts": {

src/krist/addresses/verify.ts

@@ -69,7 +69,9 @@ export async function verifyAddress(
     return { authed: true, address: newAddress };
   }
 
-  if (address.privatekey) { // Address exists, auth if the privatekey is equal
+  // Address exists, auth if the privatekey is equal, or handle the locked flow if it's locked (even if there's no
+  // privatekey set)
+  if (address.privatekey || address.locked) {
     const authed = !address.locked && address.privatekey === hash;
 
     if (authed) {

test/routes/login.test.ts

@@ -20,6 +20,7 @@
  */
 
 import { expect } from "chai";
+import { Address } from "../../src/database/index.js";
 import { api } from "../api.js";
 import { seed } from "../seed.js";
 
@@ -56,5 +57,21 @@ describe("v2 routes: login", function() {
       expect(res).to.be.json;
       expect(res.body).to.deep.include({ ok: true, authed: true, address: "k8juvewcui" });
     });
+
+    it("should error for locked addresses even without a privatekey", async function() {
+      const address = await Address.findOne({ where: { address: "kwsgj3x184" } });
+      if (!address) throw new Error("Address not found");
+
+      const oldPrivatekey = address.privatekey;
+      address.privatekey = null;
+      await address.save();
+
+      const res = await api().post("/login").send({ privatekey: "c" });
+      expect(res).to.be.json;
+      expect(res.body).to.deep.include({ ok: true, authed: false });
+
+      address.privatekey = oldPrivatekey;
+      await address.save();
+    });
   });
 });