From 49cea59b944c0f90a126ce8d06391182887922b4 Mon Sep 17 00:00:00 2001
From: Pete Matsyburka
Date: Tue, 16 Jan 2024 00:12:55 +0200
Subject: [PATCH] do not authenticate archived users
---
 app/controllers/api/api_base_controller.rb | 2 +-
 app/models/user.rb | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/controllers/api/api_base_controller.rb b/app/controllers/api/api_base_controller.rb
index 21dccc77..6232e3dc 100644
--- a/app/controllers/api/api_base_controller.rb
+++ b/app/controllers/api/api_base_controller.rb
@@ -44,7 +44,7 @@ module Api
if request.headers['X-Auth-Token'].present?
sha256 = Digest::SHA256.hexdigest(request.headers['X-Auth-Token'])
- User.joins(:access_token).find_by(access_token: { sha256: })
+ User.joins(:access_token).active.find_by(access_token: { sha256: })
end
render json: { error: 'Not authenticated' }, status: :unauthorized unless current_user
diff --git a/app/models/user.rb b/app/models/user.rb
index 18bd9477..c9a433c1 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -59,7 +59,7 @@ class User < ApplicationRecord
has_many :encrypted_configs, dependent: :destroy, class_name: 'EncryptedUserConfig'
has_many :email_messages, dependent: :destroy, foreign_key: :author_id, inverse_of: :author
- devise :two_factor_authenticatable, :recoverable, :rememberable, :validatable, :trackable
+ devise :two_factor_authenticatable, :recoverable, :rememberable, :validatable, :trackable, :lockable
attribute :role, :string, default: ADMIN_ROLE
attribute :uuid, :string, default: -> { SecureRandom.uuid }
@@ -72,7 +72,7 @@ class User < ApplicationRecord
end
def active_for_authentication?
- !archived_at?
+ super && !archived_at?
end
def remember_me
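Review bot: The token lookup on the `+` line of the api_base_controller.rb hunk excludes archived users via the `active` scope but ignores the lock state this same commit introduces with `:lockable`, so an account that is locked (or otherwise fails `active_for_authentication?`) is refused at the web sign-in yet still authenticates with its API token. Rather than maintaining two policies, pass the looked-up record through the model's predicate, e.g. `user = User.joins(:access_token).active.find_by(access_token: { sha256: })` followed by `user if user&.active_for_authentication?`, so both paths reject the same accounts. The `active` scope is not defined in this diff; presumably it is `where(archived_at: nil)` and should stay in agreement with `active_for_authentication?`. The enclosing method, and whatever assigns this expression to `current_user`, begins before the hunk.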
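Review bot: Enabling `:lockable` on the `+` line of the first user.rb hunk depends on schema and configuration that this commit does not touch: as far as I recall Devise's lockable module reads `failed_attempts`, `unlock_token` and `locked_at` on the users table and `config.maximum_attempts`, `config.lock_strategy`, `config.unlock_strategy` (and `config.unlock_in`) from the Devise initializer. No migration or initializer change is in the diff, so please confirm they already exist; otherwise the first recorded failed attempt will raise rather than lock. If the unlock strategy involves email, the corresponding mailer needs to be wired up as well. The `devise` call sits in the `User` class body, which starts and ends outside the hunk.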
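Review bot: The `+` line of the second user.rb hunk changes what this predicate means in a way the code does not explain: `super` now carries Devise's own checks, which with `:lockable` enabled should include rejecting a locked account, and only after that is the project's archival flag consulted. A one-line comment above the method would spare the next reader a trip into Devise, e.g. `# Devise's checks first (lock state via :lockable), then our own archival flag.` Note that the reason shown to a rejected user presumably still comes from Devise's default `inactive_message`, which is not overridden here, so an archived user gets the generic inactive message; that is a reasonable non-disclosure choice but worth confirming it is deliberate. The method is complete within the hunk; the surrounding class is not.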