From 47fe0f546aece58ce9c6cc519536d57b1159bb22 Mon Sep 17 00:00:00 2001
From: Michael Quigley
Date: Thu, 9 Mar 2023 15:18:26 -0500
Subject: [PATCH] controller logic respects store.Account.Deleted flag (#262)
---
 controller/invite.go | 10 +++++-----
 controller/login.go | 4 ++++
 controller/resetPassword.go | 4 ++++
 controller/resetPasswordRequest.go | 6 +++++-
 controller/util.go | 2 +-
 5 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/controller/invite.go b/controller/invite.go
index 1458418d..8f6623b1 100644
--- a/controller/invite.go
+++ b/controller/invite.go
@@ -3,7 +3,6 @@ package controller
 import (
 "github.com/go-openapi/runtime/middleware"
 "github.com/openziti/zrok/controller/store"
- "github.com/openziti/zrok/rest_model_zrok"
 "github.com/openziti/zrok/rest_server_zrok/operations/account"
 "github.com/openziti/zrok/util"
 "github.com/sirupsen/logrus"
@@ -19,7 +18,7 @@ func newInviteHandler(cfg *Config) *inviteHandler {
 }
 }
-func (self *inviteHandler) Handle(params account.InviteParams) middleware.Responder {
+func (h *inviteHandler) Handle(params account.InviteParams) middleware.Responder {
 if params.Body == nil || params.Body.Email == "" {
 logrus.Errorf("missing email")
 return account.NewInviteBadRequest()
@@ -38,11 +37,11 @@ func (self *inviteHandler) Handle(params account.InviteParams) middleware.Respon
 }
 defer func() { _ = tx.Rollback() }()
- if self.cfg.Registration != nil && self.cfg.Registration.TokenStrategy == "store" {
+ if h.cfg.Registration != nil && h.cfg.Registration.TokenStrategy == "store" {
 inviteToken, err := str.GetInviteTokenByToken(params.Body.Token, tx)
 if err != nil {
 logrus.Errorf("cannot get invite token '%v' for '%v': %v", params.Body.Token, params.Body.Email, err)
- return account.NewInviteBadRequest().WithPayload(rest_model_zrok.ErrorMessage("Missing invite token"))
+ return account.NewInviteBadRequest().WithPayload("missing invite token")
 }
 if err := str.DeleteInviteToken(inviteToken.Id, tx); err != nil {
 logrus.Error(err)
@@ -62,9 +61,10 @@ func (self *inviteHandler) Handle(params account.InviteParams) middleware.Respon
 SourceAddress: params.HTTPRequest.RemoteAddr,
 }
+ // deleted accounts still exist as far as invites are concerned (ignore deleted flag)
 if _, err := str.FindAccountWithEmail(params.Body.Email, tx); err == nil {
 logrus.Errorf("found account for '%v', cannot process account request", params.Body.Email)
- return account.NewInviteBadRequest().WithPayload(rest_model_zrok.ErrorMessage("Duplicate email found"))
+ return account.NewInviteBadRequest().WithPayload("duplicate email found")
 } else {
 logrus.Infof("no account found for '%v': %v", params.Body.Email, err)
 }
diff --git a/controller/login.go b/controller/login.go
index 0e048225..ea7872ee 100644
--- a/controller/login.go
+++ b/controller/login.go
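Review bot: In controller/invite.go (hunk at -62,9) the `duplicate email found` payload tells the caller whether an address already has an account, and the new comment confirms that deleted accounts are counted too; when `TokenStrategy` is not `"store"` nothing visible in these hunks gates that answer. The same distinction shows up in controller/resetPasswordRequest.go, where an unknown or deleted address returns `NewResetPasswordRequestInternalServerError()` while a live address presumably does not (the success path is outside that hunk). Consider one generic response for both outcomes, with the detail kept in the server log, e.g. `return account.NewInviteBadRequest().WithPayload("invite request could not be processed")`. Handle's body starts and ends outside both hunks.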
@@ -26,6 +26,10 @@ func loginHandler(params account.LoginParams) middleware.Responder {
 logrus.Errorf("error finding account '%v': %v", params.Body.Email, err)
 return account.NewLoginUnauthorized()
 }
+ if a.Deleted {
+ logrus.Errorf("account '%v' deleted", params.Body.Email)
+ return account.NewLoginUnauthorized()
+ }
 hpwd, err := rehashPassword(params.Body.Password, a.Salt)
 if err != nil {
 logrus.Errorf("error hashing password for '%v': %v", params.Body.Email, err)
diff --git a/controller/resetPassword.go b/controller/resetPassword.go
index 4a5aa2ad..f34a942e 100644
--- a/controller/resetPassword.go
+++ b/controller/resetPassword.go
@@ -37,6 +37,10 @@ func (handler *resetPasswordHandler) Handle(params account.ResetPasswordParams)
 logrus.Errorf("error finding account for '%v': %v", params.Body.Token, err)
 return account.NewResetPasswordNotFound()
 }
+ if a.Deleted {
+ logrus.Errorf("account '%v' for '%v' deleted", a.Email, a.Token)
+ return account.NewResetPasswordNotFound()
+ }
 hpwd, err := hashPassword(params.Body.Password)
 if err != nil {
 logrus.Errorf("error hashing password for '%v' (%v): %v", params.Body.Token, a.Email, err)
diff --git a/controller/resetPasswordRequest.go b/controller/resetPasswordRequest.go
index b20356e2..0ae03f1a 100644
--- a/controller/resetPasswordRequest.go
+++ b/controller/resetPasswordRequest.go
@@ -42,7 +42,11 @@ func (handler *resetPasswordRequestHandler) Handle(params account.ResetPasswordR
 a, err := str.FindAccountWithEmail(params.Body.EmailAddress, tx)
 if err != nil {
- logrus.Infof("no account found for '%v': %v", params.Body.EmailAddress, err)
+ logrus.Errorf("no account found for '%v': %v", params.Body.EmailAddress, err)
+ return account.NewResetPasswordRequestInternalServerError()
+ }
+ if a.Deleted {
+ logrus.Errorf("account '%v' deleted", params.Body.EmailAddress)
 return account.NewResetPasswordRequestInternalServerError()
 }
diff --git a/controller/util.go b/controller/util.go
index 59ee7340..b6336cff 100644
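Review bot: In controller/login.go the new `if a.Deleted` return sits before `rehashPassword`, so a deleted account is answered without the hashing cost that a live account with a wrong password pays. Both cases return `NewLoginUnauthorized()`, but the difference in response time can still tell them apart; the existing not-found branch just above has the same shape. Placing the `if a.Deleted { ... return account.NewLoginUnauthorized() }` block after the password comparison, which lies outside this hunk, would keep the deleted and live paths uniform.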
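Review bot: In controller/resetPassword.go the added log line writes `a.Token` into the error log. Judging by controller/util.go in this same commit, where `FindAccountWithToken` matches on that value and it is copied into the `Principal`, this appears to be the account's API credential rather than the reset token that the neighbouring messages print from `params.Body.Token`. Credentials are better kept out of logs even for deleted accounts, because log files and log shippers reach a wider audience than the account store. `logrus.Errorf("account '%v' deleted", a.Email)` keeps the diagnostic value without the secret.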
--- a/controller/util.go
+++ b/controller/util.go
@@ -25,7 +25,7 @@ func (za *zrokAuthenticator) authenticate(token string) (*rest_model_zrok.Princi
 }
 defer func() { _ = tx.Rollback() }()
- if a, err := str.FindAccountWithToken(token, tx); err == nil {
+ if a, err := str.FindAccountWithToken(token, tx); err == nil && !a.Deleted {
 principal := &rest_model_zrok.Principal{
 ID: int64(a.Id),
 Token: a.Token,
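Review bot: In controller/util.go a token that belongs to a deleted account now skips the account branch without any log line, whereas the login and reset handlers in this commit log the rejection. What `authenticate` does with the token after this `if` is outside the hunk, so it is worth confirming that no later lookup accepts it. The flag is also checked at each call site rather than in the store, so every future caller of `FindAccountWithToken` or `FindAccountWithEmail` has to remember it. A doc comment on those store methods, such as `// returns deleted accounts too; callers must check Account.Deleted`, or a variant that filters them, would make that contract explicit.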