fix(security): isActive defense-in-depth, MIME magic bytes upload, tenantId=origins OAuth

2026-03-15 17:34:19 +01:00
parent ef4c23d6a2
commit 379a9a115b
3 changed files with 30 additions and 1 deletions
--- a/backend/src/middleware/auth.middleware.ts
+++ b/backend/src/middleware/auth.middleware.ts
@@ -64,6 +64,11 @@ export const requireAuth = async (
      return;
    }

+    if (!data.data.user.isActive) {
+      res.status(401).json({ success: false, error: "ACCOUNT_DISABLED", message: "Account is disabled" });
+      return;
+    }
+
    (req as AuthenticatedRequest).user = data.data.user;
    next();
  } catch (err) {