Enforce user has auth.credentials_login to be able to login

Change-type: minor
balena-io · Jun 5, 2024 · 664f24e · 664f24e
1 parent 4c7e5b8
commit 664f24e
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/features/auth/login.ts b/src/features/auth/login.ts
@@ -3,6 +3,7 @@ import { errors, sbvrUtils } from '@balena/pinejs';
 import { comparePassword, findUser } from '../../infra/auth/auth.js';
 import { loginUserXHR } from '../../infra/auth/jwt.js';
 import { captureException } from '../../infra/error-handling/index.js';
+import { permissions } from '@balena/pinejs';
 
 import type { SetupOptions } from '../../index.js';
 
@@ -23,6 +24,11 @@ export const login =
 				if (!user) {
 					throw new NotFoundError('User not found.');
 				}
+				const userPermissions = await permissions.getUserPermissions(user.id);
+
+				if (!userPermissions.includes('auth.credentials_login')) {
+					throw new BadRequestError('User not allowed to login.');
+				}
 
 				const matches = await comparePassword(password, user.password);
 				if (!matches) {