fix(auth/users): close MED-11 lying field — DeactivatedAt loaded + enforced on login (A-2)

The MED-11 closure shipped users.deactivated_at + DELETE /api/v1/auth/users/{id} + cascade-revoke, but the federated-user soft-delete was reversible: the next OIDC login under the same (provider, subject) tuple re-minted a session and re-elevated the user. Three legs of the chain were severed (each independently CRIT-shaped): Leg A — postgres/user.go::userColumns omitted `deactivated_at`, so scanUser never populated User.DeactivatedAt. Every Get / GetByOIDCSubject / ListAll returned DeactivatedAt = nil regardless of the column value. Leg B — postgres/user.go::Update SQL omitted `deactivated_at = $X`, so the handler's `u.DeactivatedAt = now()` mutation was a no-op write at the SQL level. Even with leg A closed, no row ever flipped. Leg C — oidc/service.go::upsertUser did not inspect DeactivatedAt on the existing-user path. Even with legs A + B closed, the OIDC login would still proceed normally. The cascade-session-revoke half of the original closure remained correct, but only for the duration of the user's current cookie. SOC 2 CC6.3 + ISO 27001 A.9.2.6 "user access removal" controls require both immediate revoke AND persistent block — this fix restores the persistent-block leg. Closure across layers: internal/repository/postgres/user.go - userColumns adds `deactivated_at` - scanUser reads via sql.NullTime intermediate (column is nullable) - Create writes deactivated_at explicitly (NULL for new active users; forward-compat for future seed-data flows that pre-populate the column) - Update writes deactivated_at on every call; nil DeactivatedAt → NULL (supports reactivation) internal/auth/oidc/service.go - New sentinel ErrUserDeactivated - upsertUser checks existing.DeactivatedAt != nil BEFORE mutating email / display_name / last_login_at — preserves last_login_at forensics on rejected login attempts (defense-in-depth pin against future "performance optimization" that reorders the gate) internal/api/handler/auth_session_oidc.go - classifyOIDCFailure adds typed errors.Is dispatch for ErrUserDeactivated → audit category "user_deactivated" (SOC/SIEM observability surface) internal/api/handler/auth_users.go - Self-deactivate guard on Deactivate: HTTP 409 + audit row auth.user_deactivate_self_rejected when caller targets own User row. Prevents an admin from one-way-door locking themselves out via the standard handler; break-glass remains the recovery path. - New Reactivate handler: inverse of Deactivate. Clears DeactivatedAt via Update; emits auth.user_reactivated audit row. Idempotent on already-active rows. Sessions revoked at deactivation stay revoked (cascade irreversible by design — user must complete fresh OIDC login). internal/api/router/router.go - POST /api/v1/auth/users/{id}/reactivate wired with auth.user.deactivate gate (reactivation is the inverse op, not a separate privilege) web/src/api/client.ts + web/src/pages/auth/UsersPage.tsx - authReactivateUser() client function - Reactivate button on deactivated rows in UsersPage Regression coverage: Postgres (testcontainers, skipped under -short): TestUserRepository_DeactivatedAt_RoundTrip — Create → set DeactivatedAt → Update → Get / GetByOIDCSubject / ListAll round-trip the value TestUserRepository_DeactivatedAt_CreateWritesNullForActive — new active user reads back DeactivatedAt = nil TestUserRepository_DeactivatedAt_CreatePersistsPreDeactivated — Create with non-nil DeactivatedAt round-trips (forward-compat path) OIDC service: TestService_HandleCallback_RejectsDeactivatedUser — errors.Is ErrUserDeactivated; CallbackResult nil; persisted email / last_login_at / deactivated_at NOT mutated by the rejected attempt TestService_HandleCallback_AllowsReactivatedUser — DeactivatedAt = nil → happy path resumes TestService_HandleCallback_DeactivatedUserPreservesForensics — defense-in-depth pin against future regressions that reorder the gate-vs-mutation sequence Classifier: TestClassifyOIDCFailure extended — typed dispatch + wrapped variant round-trip through errors.Is Handler: TestAuthUsers_Deactivate_RejectsSelfDeactivate — HTTP 409 + audit row + cascade-revoke NOT fired + row stays active TestAuthUsers_Deactivate_OtherUser_HappyPath — HTTP 204 + cascade fires + row soft-deleted TestAuthUsers_Reactivate_HappyPath / _IdempotentOnActiveUser / _UnknownID / _MissingID / _UpdateError Phase 6 verify gate green on the targeted packages: gofmt clean, go vet clean, go test -short pass across internal/auth/oidc, internal/api/handler, internal/api/router, internal/repository/postgres, internal/auth/..., internal/service/..., internal/tlsprobe/..., internal/trustanchor/..., internal/validation/... Spec at cowork/auth-bundles-fixes-2026-05-11/02-crit-deactivated-at-enforcement.md Closure annotation at cowork/auth-bundles-audit-2026-05-10.md MED-11 row. Operator advisory in CHANGELOG.md v2.1.0 release notes.
2026-06-10 22:38:51 +00:00 · 2026-05-11 02:21:05 +00:00
parent 191384c1d2
commit 78485f7429
12 changed files with 877 additions and 14 deletions
@@ -115,6 +115,24 @@ func (h *AuthUsersHandler) Deactivate(w http.ResponseWriter, r *http.Request) {
 		Error(w, http.StatusBadRequest, "missing user id")
 		return
 	}
+	// Audit 2026-05-11 A-2 — self-deactivate guard. An admin that
+	// deactivates their own User row immediately invalidates their next
+	// login (upsertUser at internal/auth/oidc/service.go rejects with
+	// ErrUserDeactivated); the cascade-revoke then kicks them out of the
+	// active session, leaving the tenant without an admin able to
+	// reactivate themselves. Break-glass credentials (Bundle 2 Phase 7.5)
+	// remain the recovery path, but the operator should not be able to
+	// trip the foot-gun through the standard handler. 409 (not 403) —
+	// the request is well-formed and authenticated; the conflict is
+	// between the action and the actor's own identity. Audit row records
+	// the rejection so an upstream SIEM can spot accidental triggers.
+	if caller.ActorType == domain.ActorTypeUser && caller.ActorID == id {
+		_ = h.audit.RecordEventWithCategory(r.Context(), caller.ActorID, caller.ActorType, "auth.user_deactivate_self_rejected",
+			domain.EventCategoryAuth, "user", id,
+			map[string]interface{}{"user_id": id, "reason": "self_deactivate_blocked"})
+		Error(w, http.StatusConflict, "cannot deactivate your own account; use break-glass recovery or have another admin act")
+		return
+	}
 	u, gerr := h.users.Get(r.Context(), id)
 	if gerr != nil {
 		if errors.Is(gerr, repository.ErrUserNotFound) {
@@ -157,6 +175,67 @@ func (h *AuthUsersHandler) Deactivate(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusNoContent)
 }

+// Reactivate clears users.deactivated_at, allowing the federated user
+// to log in again via their OIDC provider. The next OIDC callback for
+// the (provider_id, subject) tuple goes through upsertUser, which now
+// passes the DeactivatedAt == nil gate, and the user's account
+// information (email, display_name, last_login_at) updates normally.
+//
+// Audit 2026-05-11 A-2 — Reactivate is the inverse of Deactivate. The
+// original MED-11 closure only shipped Deactivate; with A-2 closure the
+// DeactivatedAt field now actually gates login, so the operator needs a
+// supported way to undo a soft-delete without hand-editing the database.
+//
+// Gate: same auth.user.deactivate permission. Reactivation is the
+// inverse op, not a separate privilege — anyone who can deactivate must
+// be able to undo their own mistake.
+//
+// Idempotent: reactivating an already-active user returns 204 with no
+// row write.
+//
+// No session-side-effect: reactivation does NOT mint a session. The
+// user must complete a fresh OIDC login through their provider; sessions
+// from before the deactivation stay revoked (the cascade-revoke in
+// Deactivate is irreversible by design).
+func (h *AuthUsersHandler) Reactivate(w http.ResponseWriter, r *http.Request) {
+	caller, err := callerFromRequest(r)
+	if err != nil {
+		writeAuthError(w, err)
+		return
+	}
+	id := r.PathValue("id")
+	if id == "" {
+		Error(w, http.StatusBadRequest, "missing user id")
+		return
+	}
+	u, gerr := h.users.Get(r.Context(), id)
+	if gerr != nil {
+		if errors.Is(gerr, repository.ErrUserNotFound) {
+			Error(w, http.StatusNotFound, "user not found")
+			return
+		}
+		Error(w, http.StatusInternalServerError, "could not load user")
+		return
+	}
+	// Idempotent: reactivating an already-active user is a no-op.
+	if u.DeactivatedAt == nil {
+		w.WriteHeader(http.StatusNoContent)
+		return
+	}
+	u.DeactivatedAt = nil
+	if uerr := h.users.Update(r.Context(), u); uerr != nil {
+		Error(w, http.StatusInternalServerError, "could not reactivate user")
+		return
+	}
+	_ = h.audit.RecordEventWithCategory(r.Context(), caller.ActorID, caller.ActorType, "auth.user_reactivated",
+		domain.EventCategoryAuth, "user", u.ID,
+		map[string]interface{}{
+			"user_id":          u.ID,
+			"oidc_provider_id": u.OIDCProviderID,
+		})
+	w.WriteHeader(http.StatusNoContent)
+}
+
 // =============================================================================
 // MED-12 — Auth runtime config read endpoint.
 // =============================================================================