From f6b9c69ce6eb268cbee8f3cb35a360b891393fe5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Eric=20Dub=C3=A9?= <7225168+KernelDeimos@users.noreply.github.com>
Date: Mon, 2 Mar 2026 17:10:42 -0500
Subject: [PATCH] fix(auth): add explicit check for access token suspension (#2576)

---
 src/backend/src/middleware/configurable_auth.js | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/backend/src/middleware/configurable_auth.js b/src/backend/src/middleware/configurable_auth.js
index c2e854318..0bb002c2a 100644
--- a/src/backend/src/middleware/configurable_auth.js
+++ b/src/backend/src/middleware/configurable_auth.js
@@ -19,6 +19,7 @@ const APIError = require('../api/APIError');
 const config = require('../config');
 const { LegacyTokenError } = require('../services/auth/AuthService');
+const { AccessTokenActorType } = require('../services/auth/Actor');
 const { Context } = require('../util/context');
 const jwt = require('jsonwebtoken');
@@ -163,10 +164,17 @@ const configurable_auth = options => async (req, res, next) => {
         }
         context.set('user', actor.type.user);
     }
+    if ( actor.type instanceof AccessTokenActorType ) {
+        // AccessTokenActorType has no .user; the effective user is the authorizer's user
+        const authorizerUser = actor.type.authorizer?.type?.user;
+        if ( authorizerUser?.suspended ) {
+            throw APIError.create('forbidden');
+        }
+    }
     // === Populate Request ===
     req.actor = actor;
-    req.user = actor.type.user;
+    req.user = actor.type.user ?? (actor.type instanceof AccessTokenActorType ? actor.type.authorizer?.type?.user : undefined);
     req.token = token;
     next();
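Review bot: The new AccessTokenActorType branch in the second hunk fails open when the authorizer does not resolve to a user: `authorizerUser` is `undefined`, `authorizerUser?.suspended` is falsy, nothing is thrown, and the `req.user` line then also evaluates to `undefined`, so a token whose authorizer is not user-backed (another access token, if the token model permits that) reaches the handler with an actor but no user. Unless that shape is intended, the branch should reject when no effective user can be resolved, and it should compute the authorizer's user once instead of repeating `actor.type.authorizer?.type?.user` on the `req.user` line. The branch also leaves the Context `'user'` key unset for access-token actors, whereas the user-actor branch just above calls `context.set('user', ...)`; if downstream code reads Context `'user'` it will disagree with `req.user`, so `context.set('user', effectiveUser)` belongs in the new branch as well. configurable_auth's body starts before this hunk, so whether the branch above already rejects a suspended `actor.type.user` cannot be confirmed from here.
```javascript
    let effectiveUser = actor.type.user;
    if ( actor.type instanceof AccessTokenActorType ) {
        // AccessTokenActorType has no .user; the effective user is the authorizer's user
        effectiveUser = actor.type.authorizer?.type?.user;
        if ( ! effectiveUser || effectiveUser.suspended ) {
            throw APIError.create('forbidden');
        }
        context.set('user', effectiveUser);
    }

    // … unchanged: req.actor = actor …
    req.user = effectiveUser;
```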