do not authenticate archived users

app/controllers/api/api_base_controller.rb

@@ -44,7 +44,7 @@ module Api
         if request.headers['X-Auth-Token'].present?
           sha256 = Digest::SHA256.hexdigest(request.headers['X-Auth-Token'])
 
-          User.joins(:access_token).find_by(access_token: { sha256: })
+          User.joins(:access_token).active.find_by(access_token: { sha256: })
         end
 
       render json: { error: 'Not authenticated' }, status: :unauthorized unless current_user

app/models/user.rb

@@ -59,7 +59,7 @@ class User < ApplicationRecord
   has_many :encrypted_configs, dependent: :destroy, class_name: 'EncryptedUserConfig'
   has_many :email_messages, dependent: :destroy, foreign_key: :author_id, inverse_of: :author
 
-  devise :two_factor_authenticatable, :recoverable, :rememberable, :validatable, :trackable
+  devise :two_factor_authenticatable, :recoverable, :rememberable, :validatable, :trackable, :lockable
 
   attribute :role, :string, default: ADMIN_ROLE
   attribute :uuid, :string, default: -> { SecureRandom.uuid }
@@ -72,7 +72,7 @@ class User < ApplicationRecord
   end
 
   def active_for_authentication?
-    !archived_at?
+    super && !archived_at?
   end
 
   def remember_me