more checks for collab auth token

2025-11-10 09:22:05 +10:00 · 2025-07-07 15:11:45 -07:00
4 changed files with 15 additions and 10 deletions
--- a/apps/server/src/collaboration/extensions/authentication.extension.ts
+++ b/apps/server/src/collaboration/extensions/authentication.extension.ts
@ -46,6 +46,10 @@ export class AuthenticationExtension implements Extension {
      throw new UnauthorizedException();
    }

+    if (user.deactivatedAt || user.deletedAt) {
+      throw new UnauthorizedException();
+    }
+
    const page = await this.pageRepo.findById(pageId);
    if (!page) {
      this.logger.warn(`Page not found: ${pageId}`);
--- a/apps/server/src/core/auth/auth.controller.ts
+++ b/apps/server/src/core/auth/auth.controller.ts
@ -108,7 +108,7 @@ export class AuthController {
    @AuthUser() user: User,
    @AuthWorkspace() workspace: Workspace,
  ) {
-    return this.authService.getCollabToken(user.id, workspace.id);
+    return this.authService.getCollabToken(user, workspace.id);
  }

  @UseGuards(JwtAuthGuard)
--- a/apps/server/src/core/auth/services/auth.service.ts
+++ b/apps/server/src/core/auth/services/auth.service.ts
@ -22,7 +22,7 @@ import { ForgotPasswordDto } from '../dto/forgot-password.dto';
 import ForgotPasswordEmail from '@docmost/transactional/emails/forgot-password-email';
 import { UserTokenRepo } from '@docmost/db/repos/user-token/user-token.repo';
 import { PasswordResetDto } from '../dto/password-reset.dto';
-import { UserToken, Workspace } from '@docmost/db/types/entity.types';
+import { User, UserToken, Workspace } from '@docmost/db/types/entity.types';
 import { UserTokenType } from '../auth.constants';
 import { KyselyDB } from '@docmost/db/types/kysely.types';
 import { InjectKysely } from 'nestjs-kysely';
@ -222,9 +222,9 @@ export class AuthService {
    }
  }

-  async getCollabToken(userId: string, workspaceId: string) {
+  async getCollabToken(user: User, workspaceId: string) {
    const token = await this.tokenService.generateCollabToken(
-      userId,
+      user,
      workspaceId,
    );
    return { token };
--- a/apps/server/src/core/auth/services/token.service.ts
+++ b/apps/server/src/core/auth/services/token.service.ts
@ -22,7 +22,7 @@ export class TokenService {
  ) {}

  async generateAccessToken(user: User): Promise<string> {
-    if (user.deletedAt) {
+    if (user.deactivatedAt || user.deletedAt) {
      throw new ForbiddenException();
    }

@ -35,12 +35,13 @@ export class TokenService {
    return this.jwtService.sign(payload);
  }

-  async generateCollabToken(
-    userId: string,
-    workspaceId: string,
-  ): Promise<string> {
+  async generateCollabToken(user: User, workspaceId: string): Promise<string> {
+    if (user.deactivatedAt || user.deletedAt) {
+      throw new ForbiddenException();
+    }
+
    const payload: JwtCollabPayload = {
-      sub: userId,
+      sub: user.id,
      workspaceId,
      type: JwtType.COLLAB,
    };