server,db: flag for disabling user login

db/migrations/0008_users_active_or_inactive.sql

@@ -0,0 +1,4 @@
+-- +migrate Up
+ALTER TABLE authd_user ADD COLUMN disabled boolean;
+
+UPDATE authd_user SET "disabled" = FALSE;

db/user.go

@@ -417,6 +417,7 @@ type userModel struct {
 	Email         string `db:"email"`
 	EmailVerified bool   `db:"email_verified"`
 	DisplayName   string `db:"display_name"`
+	Disabled      bool   `db:"disabled"`
 	Admin         bool   `db:"admin"`
 	CreatedAt     int64  `db:"created_at"`
 }
@@ -428,6 +429,7 @@ func (u *userModel) user() (user.User, error) {
 		Email:         u.Email,
 		EmailVerified: u.EmailVerified,
 		Admin:         u.Admin,
+		Disabled:      u.Disabled,
 	}
 
 	if u.CreatedAt != 0 {
@@ -444,6 +446,7 @@ func newUserModel(u *user.User) (*userModel, error) {
 		Email:         u.Email,
 		EmailVerified: u.EmailVerified,
 		Admin:         u.Admin,
+		Disabled:      u.Disabled,
 	}
 
 	if !u.CreatedAt.IsZero() {

server/server.go

@@ -326,6 +326,10 @@ func (s *Server) Login(ident oidc.Identity, key string) (string, error) {
 		return "", err
 	}
 
+	if usr.Disabled {
+		return "", user.ErrorNotFound
+	}
+
 	ses, err = s.SessionManager.AttachUser(sessionID, usr.ID)
 	if err != nil {
 		return "", err

server/server_test.go

@@ -261,6 +261,74 @@ func TestServerLoginUnrecognizedSessionKey(t *testing.T) {
 	}
 }
 
+func TestServerLoginDisabledUser(t *testing.T) {
+	ci := oidc.ClientIdentity{
+		Credentials: oidc.ClientCredentials{
+			ID:     "XXX",
+			Secret: "secrete",
+		},
+		Metadata: oidc.ClientMetadata{
+			RedirectURLs: []url.URL{
+				url.URL{
+					Scheme: "http",
+					Host:   "client.example.com",
+					Path:   "/callback",
+				},
+			},
+		},
+	}
+	ciRepo := client.NewClientIdentityRepo([]oidc.ClientIdentity{ci})
+
+	km := &StaticKeyManager{
+		signer: &StaticSigner{sig: []byte("beer"), err: nil},
+	}
+
+	sm := session.NewSessionManager(session.NewSessionRepo(), session.NewSessionKeyRepo())
+	sm.GenerateCode = staticGenerateCodeFunc("fakecode")
+	sessionID, err := sm.NewSession("test_connector_id", ci.Credentials.ID, "bogus", ci.Metadata.RedirectURLs[0], "", false, []string{"openid"})
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	userRepo, err := makeNewUserRepo()
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	err = userRepo.Create(nil, user.User{
+		ID:       "disabled-1",
+		Email:    "disabled@example.com",
+		Disabled: true,
+	})
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	err = userRepo.AddRemoteIdentity(nil, "disabled-1", user.RemoteIdentity{
+		ConnectorID: "test_connector_id",
+		ID:          "disabled-connector-id",
+	})
+
+	srv := &Server{
+		IssuerURL:          url.URL{Scheme: "http", Host: "server.example.com"},
+		KeyManager:         km,
+		SessionManager:     sm,
+		ClientIdentityRepo: ciRepo,
+		UserRepo:           userRepo,
+	}
+
+	ident := oidc.Identity{ID: "disabled-connector-id", Name: "elroy", Email: "elroy@example.com"}
+	key, err := sm.NewSessionKey(sessionID)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	_, err = srv.Login(ident, key)
+	if err == nil {
+		t.Errorf("disabled user was allowed to log in")
+	}
+}
+
 func TestServerCodeToken(t *testing.T) {
 	ci := oidc.ClientIdentity{
 		Credentials: oidc.ClientCredentials{

user/user.go

@@ -41,6 +41,8 @@ type User struct {
 
 	Admin bool
 
+	Disabled bool
+
 	CreatedAt time.Time
 }