Add a way to lock users

crates/handlers/src/compat/login.rs

@@ -335,6 +335,7 @@ async fn token_login(
         .user()
         .lookup(session.user_id)
         .await?
+        .filter(mas_data_model::User::is_valid)
         .ok_or(RouteError::UserNotFound)?;
 
     repo.compat_sso_login().exchange(clock, login).await?;
@@ -355,6 +356,7 @@ async fn user_password_login(
         .user()
         .find_by_username(&username)
         .await?
+        .filter(mas_data_model::User::is_valid)
         .ok_or(RouteError::UserNotFound)?;
 
     // Lookup its password

crates/handlers/src/oauth2/introspection.rs

@@ -188,6 +188,7 @@ pub(crate) async fn post(
                 .browser_session()
                 .lookup(session.user_session_id)
                 .await?
+                .filter(|b| b.user.is_valid())
                 // XXX: is that the right error to bubble up?
                 .ok_or(RouteError::UnknownToken)?;
 
@@ -227,6 +228,7 @@ pub(crate) async fn post(
                 .browser_session()
                 .lookup(session.user_session_id)
                 .await?
+                .filter(|b| b.user.is_valid())
                 // XXX: is that the right error to bubble up?
                 .ok_or(RouteError::UnknownToken)?;
 
@@ -265,6 +267,7 @@ pub(crate) async fn post(
                 .user()
                 .lookup(session.user_id)
                 .await?
+                .filter(mas_data_model::User::is_valid)
                 // XXX: is that the right error to bubble up?
                 .ok_or(RouteError::UnknownToken)?;
 
@@ -311,6 +314,7 @@ pub(crate) async fn post(
                 .user()
                 .lookup(session.user_id)
                 .await?
+                .filter(mas_data_model::User::is_valid)
                 // XXX: is that the right error to bubble up?
                 .ok_or(RouteError::UnknownToken)?;
 

crates/handlers/src/upstream_oauth2/link.rs

@@ -23,7 +23,7 @@ use mas_axum_utils::{
     csrf::{CsrfExt, ProtectedForm},
     SessionInfoExt,
 };
-use mas_data_model::UpstreamOAuthProviderImportPreference;
+use mas_data_model::{UpstreamOAuthProviderImportPreference, User};
 use mas_jose::jwt::Jwt;
 use mas_keystore::Encrypter;
 use mas_storage::{
@@ -239,6 +239,8 @@ pub(crate) async fn get(
                 .user()
                 .lookup(user_id)
                 .await?
+                // XXX: is that right?
+                .filter(User::is_valid)
                 .ok_or(RouteError::UserNotFound)?;
 
             let ctx = UpstreamExistingLinkContext::new(user)
@@ -263,6 +265,7 @@ pub(crate) async fn get(
                 .user()
                 .lookup(user_id)
                 .await?
+                .filter(mas_data_model::User::is_valid)
                 .ok_or(RouteError::UserNotFound)?;
 
             let ctx = UpstreamExistingLinkContext::new(user).with_csrf(csrf_token.form_value());
@@ -390,6 +393,7 @@ pub(crate) async fn post(
                 .user()
                 .lookup(user_id)
                 .await?
+                .filter(mas_data_model::User::is_valid)
                 .ok_or(RouteError::UserNotFound)?;
 
             repo.browser_session().add(&mut rng, &clock, &user).await?

crates/handlers/src/views/login.rs

@@ -202,6 +202,7 @@ async fn login(
         .find_by_username(username)
         .await
         .map_err(|_e| FormError::Internal)?
+        .filter(mas_data_model::User::is_valid)
         .ok_or(FormError::InvalidCredentials)?;
 
     // And its password