secure mongoose auth endpoint
authorfence <fence@desu-mail.moe>
Mon, 27 Apr 2020 15:55:33 +0000 (17:55 +0200)
committerfence <fence@desu-mail.moe>
Mon, 27 Apr 2020 15:55:33 +0000 (17:55 +0200)
lib/pleroma/web/mongooseim/mongoose_im_controller.ex

index 04d823b362a7d807972340330c702f628f9102c9..744cf5227e02a5e648a5e403f4ffd753d285a3d4 100644 (file)
@@ -26,21 +26,36 @@ defmodule Pleroma.Web.MongooseIM.MongooseIMController do
   end
 
   def check_password(conn, %{"user" => username, "pass" => password}) do
-    with %User{password_hash: password_hash} <-
-           Repo.get_by(User, nickname: username, local: true),
-         true <- Pbkdf2.checkpw(password, password_hash) do
-      conn
-      |> json(true)
-    else
-      false ->
+    user = Repo.get_by(User, nickname: username, local: true)
+
+    case User.account_status(user) do
+      :deactivated ->
         conn
-        |> put_status(:forbidden)
+        |> put_status(:not_found)
         |> json(false)
 
-      _ ->
+      :confirmation_pending ->
         conn
         |> put_status(:not_found)
         |> json(false)
+
+      _ ->
+        with %User{password_hash: password_hash} <-
+               user,
+             true <- Pbkdf2.checkpw(password, password_hash) do
+          conn
+          |> json(true)
+        else
+          false ->
+            conn
+            |> put_status(:forbidden)
+            |> json(false)
+
+          _ ->
+            conn
+            |> put_status(:not_found)
+            |> json(false)
+        end
     end
   end
 end
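Review bot: `User.account_status(user)` at the top of the new `case` is handed `nil` whenever `Repo.get_by` finds no local user with that nickname; unless `account_status/1` has a `nil` clause (not visible here), an unknown username now crashes the request instead of reaching the inner `_ ->` branch that returns 404, and a crash triggerable by arbitrary usernames on an unauthenticated endpoint is an availability concern in itself. Matching on the lookup result first, with a `nil ->` clause returning the 404 response, keeps the status check on a real `%User{}` only. The catch-all `_ ->` also admits every status other than the two listed to the password check; if `account_status/1` can return further non-active states, matching the active state explicitly and routing everything else to the 404 branch is the safer shape. The two identical `:deactivated`/`:confirmation_pending` branches can be merged into one clause, `status when status in [:deactivated, :confirmation_pending] ->`.
```elixir
  def check_password(conn, %{"user" => username, "pass" => password}) do
    case Repo.get_by(User, nickname: username, local: true) do
      nil ->
        conn
        |> put_status(:not_found)
        |> json(false)

      %User{} = user ->
        case User.account_status(user) do
          status when status in [:deactivated, :confirmation_pending] ->
            conn
            |> put_status(:not_found)
            |> json(false)

          _ ->
            # … unchanged: `with` block running Pbkdf2.checkpw and its else branches …
        end
    end
  end
```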