[feature] add authorization to the already-existing authentication (#365)

* add ensureUserIsAuthorizedOrRedirect to /oauth/authorize

* adding authorization (email confirm, account approve, etc) to TokenCheck

* revert un-needed changes to signin.go

* oops what happened here

* error css

* add account.SuspendedAt check

* remove redundant checks from oauth util Authed function

* wip tests

* tests passing

* stop stripping useful information from ErrAlreadyExists

* that feeling of scraping the dryer LINT off the screen

* oops I didn't mean to get rid of this NewTestRouter function

* make tests work with recorder

* re-add ConfigureTemplatesWithGin to handle template path err

Co-authored-by: tsmethurst <tobi.smethurst@protonmail.com>

1 files changed, 22 insertions, 0 deletions

diff --git a/internal/api/security/tokencheck.go b/internal/api/security/tokencheck.go
index b68f0b94f..e366af2ea 100644
--- a/internal/api/security/tokencheck.go
+++ b/internal/api/security/tokencheck.go
@@ -62,6 +62,22 @@ func (m *Module) TokenCheck(c *gin.Context) {
 			l.Warnf("no user found for userID %s", userID)
 			return
 		}
+
+		if user.ConfirmedAt.IsZero() {
+			l.Warnf("authenticated user %s has never confirmed thier email address", userID)
+			return
+		}
+
+		if !user.Approved {
+			l.Warnf("authenticated user %s's account was never approved by an admin", userID)
+			return
+		}
+
+		if user.Disabled {
+			l.Warnf("authenticated user %s's account was disabled'", userID)
+			return
+		}
+
 		c.Set(oauth.SessionAuthorizedUser, user)
 
 		// fetch account for this token
@@ -74,6 +90,12 @@ func (m *Module) TokenCheck(c *gin.Context) {
 			l.Warnf("no account found for userID %s", userID)
 			return
 		}
+
+		if !acct.SuspendedAt.IsZero() {
+			l.Warnf("authenticated user %s's account (accountId=%s) has been suspended", userID, user.AccountID)
+			return
+		}
+
 		c.Set(oauth.SessionAuthorizedAccount, acct)
 	}