From 352362b9c34a4fcac5a9fb7bca4d2d6e27eaf239 Mon Sep 17 00:00:00 2001
From: Hornwitser
Date: Tue, 8 Jul 2025 16:23:31 +0200
Subject: [PATCH] Ignore deleted users when looking up a user

After the change to converting users to tombstones instead of removing them from the database several places would accidentally use deleted user accounts instead of ignoring them.
---
 server/streams.ts | 2 +-
 server/utils/session.ts | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/server/streams.ts b/server/streams.ts
index 7298d73..0f7709f 100644
--- a/server/streams.ts
+++ b/server/streams.ts
@@ -151,7 +151,7 @@ export async function broadcastEvent(event: ApiEvent) {
 } else {
 let userType: ApiAccount["type"] | undefined;
 if (streamData.accountId !== undefined) {
- userType = users.find(a => a.id === streamData.accountId)?.type
+ userType = users.find(a => !a.deleted && a.id === streamData.accountId)?.type
 }
 const data = encodeEvent(event, userType)
 sendMessage(stream, `id: ${id}\nevent: update\ndata: ${data}\n\n`);
diff --git a/server/utils/session.ts b/server/utils/session.ts
index 194e5c2..0aeeebe 100644
--- a/server/utils/session.ts
+++ b/server/utils/session.ts
@@ -74,7 +74,7 @@ export async function setServerSession(event: H3Event, account: ServerUser) {
 async function rotateSession(event: H3Event, sessions: ServerSession[], session: ServerSession) {
 const runtimeConfig = useRuntimeConfig(event);
 const users = await readUsers();
- const account = users.find(user => user.id === session.accountId);
+ const account = users.find(user => !user.deleted && user.id === session.accountId);
 const now = Date.now();
 const newSession: ServerSession = {
 accountId: account?.id,
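Review bot: The tombstone rule `!a.deleted && a.id === …` is written out by hand on the added `users.find` line here and again in the two `users.find` calls this commit changes in server/utils/session.ts (rotateSession and serverSessionToApi), while requireServerSessionWithUser tests `account.deleted` after its lookup instead; the commit message says lookups forgot this rule before, and four hand-written copies invite the same omission at the next call site. A single helper beside readUsers, roughly `const findActiveUser = (users: ServerUser[], id: ServerUser["id"] | undefined) => users.find(u => !u.deleted && u.id === id);`, would reduce each site to `findActiveUser(users, streamData.accountId)` and keep the rule in one place. On this line a deleted account now leaves `userType` undefined, so the event is encoded exactly as for a stream with no account; if that downgrade is intended, a comment such as `// a tombstoned account is treated as signed out` would record it for the next reader.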
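Review bot: After the changed `users.find` in rotateSession, a session whose accountId refers to a tombstoned user is still rotated, only with `accountId: account?.id` now undefined, so the replacement session silently continues as an anonymous session instead of ending. Whether that is the intended outcome cannot be judged here, because the rest of rotateSession, including what is done with `sessions` and the new session, lies outside the hunk. If sessions of deleted users are meant to end, the case should be handled explicitly before newSession is built rather than falling out of the optional chaining; if the downgrade is deliberate, a one-line comment on the `accountId` line, e.g. `// undefined when the account was deleted: session becomes anonymous`, would make that choice visible.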
@@ -137,7 +137,7 @@ export async function requireServerSessionWithUser(event: H3Event) {
 const session = await requireServerSession(event, message);
 const users = await readUsers();
 const account = users.find(user => user.id === session.accountId);
- if (session.accountId === undefined || !account)
+ if (session.accountId === undefined || !account || account.deleted)
 throw createError({
 statusCode: 401,
 statusMessage: "Uauthorized",
@@ -164,7 +164,7 @@ export async function requireServerSessionWithAdmin(event: H3Event) {
 export async function serverSessionToApi(event: H3Event, session: ServerSession): Promise {
 const users = await readUsers();
- const account = users.find(user => user.id === session.accountId);
+ const account = users.find(user => !user.deleted && user.id === session.accountId);
 const subscriptions = await readSubscriptions();
 const push = Boolean(
 subscriptions.find(sub => sub.type === "push" && sub.sessionId === session.id)
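Review bot: In requireServerSessionWithUser the lookup on the unchanged `users.find` line still returns tombstones, and rejection rests only on the `account.deleted` test appended to the `if`; the other three lookups in this commit filter inside the predicate. Moving the filter into the lookup here, `const account = users.find(user => !user.deleted && user.id === session.accountId);`, with the condition reduced back to `!account`, means `account` can never hold a deleted user anywhere in this function, which is the safer shape for the one gate that decides a 401. In passing, the `statusMessage` on the last context line reads "Uauthorized"; that predates this change.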
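Review bot: With the changed `users.find` in serverSessionToApi, a session bound to a deleted user now yields `account === undefined`, and the hunk does not show how the returned object uses it; the rest of serverSessionToApi lies outside the hunk. Since requireServerSessionWithUser in the same file now answers 401 for such a session, the API representation should agree and present it as signed out rather than as a user that no longer resolves, which is worth checking against the code below this hunk. A short comment after the lookup, e.g. `// undefined for tombstoned accounts; rendered as a signed-out session`, would state the contract once that is confirmed.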