fix(auth): reject token refresh and access validation for non-active users#940

Merged: RUKAYAT-CODER merged 2 commits into rinafcode:main from DTriple-p:fix/802-user-status-check on Jun 29, 2026

Conversation

@DTriple-p

Contributor

Closes #802

Description

This PR resolves issue #802 by ensuring that user suspension (UserStatus.SUSPENDED) and inactivity (UserStatus.INACTIVE) statuses are validated during both token refresh and access token validation. Previously, inactive or suspended users could continuously refresh their tokens and remain authenticated indefinitely.

Changes

1. auth.service.ts

  • Imported UserStatus.
  • Added a validation check in refreshTokens() to throw an UnauthorizedException if the user status is not ACTIVE.

2. jwt.strategy.ts

  • Imported UserStatus and UnauthorizedException.
  • Added a check in validate() to throw an UnauthorizedException if the validating user status is not ACTIVE.

3. Unit Tests

  • Updated auth.service.spec.ts with test cases covering token refresh attempts from SUSPENDED and INACTIVE users.
  • Created jwt.strategy.spec.ts to verify access token validation logic for active, inactive, suspended, and non-existent users.

Verification

  • TypeScript Compilation: Ran npm run typecheck successfully without errors.
  • Unit Tests: Ran the unit tests sequentially (in-band):
    npx jest --runInBand src/auth/auth.service.spec.ts src/auth/jwt.strategy.spec.ts
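As an added illustration (not the project's own code), the shape of the two checks this PR describes: the refresh path before and after the fix, and a validate() that gates every access token on user status. The in-memory user store, plain-string refresh tokens and the shared assertActive() helper are assumptions standing in for the repository's real persistence and hashing.

```typescript
// Added example; mirrors the names in the PR description (UserStatus,
// refreshTokens, validate, UnauthorizedException) but the user store,
// token shapes and helper below are constructed for this illustration.
enum UserStatus { ACTIVE = "ACTIVE", INACTIVE = "INACTIVE", SUSPENDED = "SUSPENDED" }

class UnauthorizedException extends Error {
  constructor(message = "Unauthorized") { super(message); this.name = "UnauthorizedException"; }
}

interface User { id: string; status: UserStatus; refreshToken: string }
interface JwtPayload { sub: string }

// Constructed in-memory users standing in for the project's user table.
// Refresh tokens are compared as plain strings here; real code hashes them.
const users = new Map<string, User>([
  ["u1", { id: "u1", status: UserStatus.ACTIVE, refreshToken: "rt-u1" }],
  ["u2", { id: "u2", status: UserStatus.SUSPENDED, refreshToken: "rt-u2" }],
  ["u3", { id: "u3", status: UserStatus.INACTIVE, refreshToken: "rt-u3" }],
]);

// Single gate used by both paths so the status rule cannot drift between
// token refresh and access-token validation. Missing user is rejected too.
function assertActive(user: User | undefined): User {
  if (!user || user.status !== UserStatus.ACTIVE) {
    throw new UnauthorizedException("Access denied");
  }
  return user;
}

// Before the fix: a valid refresh token alone was enough, so a suspended or
// inactive user could keep minting fresh access tokens indefinitely.
function refreshTokensBefore(userId: string, refreshToken: string): { accessToken: string } {
  const user = users.get(userId);
  if (!user || user.refreshToken !== refreshToken) throw new UnauthorizedException("Access denied");
  return { accessToken: `access-for-${user.id}` };
}

// After the fix (the PR's refreshTokens() change): status is checked first.
function refreshTokens(userId: string, refreshToken: string): { accessToken: string } {
  const user = assertActive(users.get(userId));
  if (user.refreshToken !== refreshToken) throw new UnauthorizedException("Access denied");
  return { accessToken: `access-for-${user.id}` };
}

// After the fix (the PR's JwtStrategy.validate() change): runs on every
// request carrying an access token, so suspension bites immediately rather
// than only when the current access token expires.
function validate(payload: JwtPayload): { userId: string } {
  const user = assertActive(users.get(payload.sub));
  return { userId: user.id };
}
```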

@drips-wave

drips-wave Bot commented Jun 29, 2026


@Agbasimere Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀


@RUKAYAT-CODER

Contributor

Great work on this PR.
I really appreciate the effort you put into this—everything
Kindly fix your workflow: pull from main first before pushing.

@DTriple-p

Contributor Author

@RUKAYAT-CODER Please kindly review.

@RUKAYAT-CODER

Contributor

Thank you for contributing to the project.

@RUKAYAT-CODER RUKAYAT-CODER merged commit 93d6b21 into rinafcode:main Jun 29, 2026
1 check passed

Development

Successfully merging this pull request may close these issues.

AuthService does not check user suspension status during token refresh