From aaa0397c3a48657ecc2ffcd6f1beddbb2d7b8413 Mon Sep 17 00:00:00 2001 From: Diego Leme Date: Tue, 11 Apr 2023 10:22:00 -0300 Subject: [PATCH] Block refresh token of suspended users (#17927) * Block refresh token of suspended users * Add diegoleme as contributor --------- Co-authored-by: Rijk van Zanten --- api/src/services/authentication.ts | 14 ++++++++++++++ contributors.yml | 1 + 2 files changed, 15 insertions(+) diff --git a/api/src/services/authentication.ts b/api/src/services/authentication.ts index 259f90664d..9704099ccb 100644 --- a/api/src/services/authentication.ts +++ b/api/src/services/authentication.ts @@ -255,6 +255,8 @@ export class AuthenticationService { async refresh(refreshToken: string): Promise> { const { nanoid } = await import('nanoid'); + const STALL_TIME = env['LOGIN_STALL_TIME']; + const timeStart = performance.now(); if (!refreshToken) { throw new InvalidCredentialsException(); @@ -304,6 +306,18 @@ export class AuthenticationService { throw new InvalidCredentialsException(); } + if (record.user_id && record.user_status !== 'active') { + await this.knex('directus_sessions').where({ token: refreshToken }).del(); + + if (record.user_status === 'suspended') { + await stall(STALL_TIME, timeStart); + throw new UserSuspendedException(); + } else { + await stall(STALL_TIME, timeStart); + throw new InvalidCredentialsException(); + } + } + if (record.user_id) { const provider = getAuthProvider(record.user_provider); diff --git a/contributors.yml b/contributors.yml index 14e65aaab3..e36880efb0 100644 --- a/contributors.yml +++ b/contributors.yml @@ -7,6 +7,7 @@ - bicouy0 - Nitwel - azrikahar +- diegoleme - u12206050 - that1matt - jaads
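Review bot: The `await stall(STALL_TIME, timeStart)` call is duplicated in both branches of the inner `if` in the new non-active-user block of `refresh`; hoisting it above the branch preserves the timing behaviour and leaves only the exception choice inside: `await stall(STALL_TIME, timeStart); throw record.user_status === 'suspended' ? new UserSuspendedException() : new InvalidCredentialsException();`. The check also relies on the session lookup that builds `record` (between the two hunks, not visible here) selecting `user_status`; if that column is missing from the select list, `undefined !== 'active'` holds for every user and every refresh would be revoked, so a comment such as `// user_status is the joined directus_users.status from the select above` would make the dependency explicit. Note that only the presented token's session row is deleted, so other sessions of the same non-active user survive until they next refresh, which is presumably acceptable since each refresh passes through this check. The enclosing `refresh` method begins before the first hunk and continues past the second.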