org.matrix.login.jwt login succeeded even if user is deactivated

[laurent-treeb]

Version: 1.46 to 1.54

1. Server configured with jwt_config.enabled=true
2. Login a test user with type=org.matrix.login.jwt and token
3. With admin user, deactivate the test user /_synapse/admin/v1/deactivate/{userid}
4. Relogin the test user with type=org.matrix.login.jwt and token
   • -> here the login is success
   • => should be refused with 403 M_USER_DEACTIVATED

[laurent-treeb]

Pull request related : #12276

[laurent-treeb]

The pull request doesn't manage the reactivation of the user.
When a user is reactivate via
/_synapse/admin/v2/users/{userid} and "deactivated": false
a password value is required.

But in case of org.matrix.login.jwt, there is no password, so maybe the password should be optional on reactivation, but i don't evaluate the impact on others features.

[anoadragon453]

Thank you for filing this and for providing a PR that aims to fix it! I agree that a JWT user should be unable to log in when their account is deactivated.

When a user is reactivate via /_synapse/admin/v2/users/{userid} and "deactivated": false a password value is required.

The inability to reactivate users without a local password is tracked at #10397.

[bradjones1]

Is this not a security issue?