fix: improve handling of disabled accounts during login and sign-up

Check for disabled accounts before throwing generic errors. Login now
returns a specific error instead of "bad credentials", and sign-up
detects disabled accounts instead of causing a constraint violation.

Closes #3276

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Anty0

backend/app/src/test/kotlin/io/tolgee/controllers/PublicControllerTest.kt

@@ -3,6 +3,7 @@ package io.tolgee.controllers
 import com.posthog.server.PostHog
 import io.tolgee.dtos.misc.CreateProjectInvitationParams
 import io.tolgee.dtos.request.auth.SignUpDto
+import io.tolgee.fixtures.andAssertError
 import io.tolgee.fixtures.andAssertResponse
 import io.tolgee.fixtures.andIsBadRequest
 import io.tolgee.fixtures.andIsOk
@@ -130,6 +131,50 @@ class PublicControllerTest : AbstractControllerTest() {
     performPost("/api/public/sign_up", dto).andIsUnauthorized
   }
 
+  @Test
+  fun `returns error when signing up with disabled account email`() {
+    val dto =
+      SignUpDto(
+        name = "Pavel Novak",
+        password = "aaaaaaaaa",
+        email = "disabled@test.com",
+      )
+    performPost("/api/public/sign_up", dto).andIsOk
+
+    val user = userAccountService.findActive("disabled@test.com")!!
+    userAccountService.disable(user.id)
+
+    val dto2 =
+      SignUpDto(
+        name = "Another User",
+        password = "bbbbbbbbb",
+        email = "disabled@test.com",
+      )
+    performPost("/api/public/sign_up", dto2)
+      .andIsBadRequest
+      .andAssertError
+      .hasCode("user_account_disabled")
+  }
+
+  @Test
+  fun `returns error when logging in with disabled account`() {
+    val dto =
+      SignUpDto(
+        name = "Login Disabled",
+        password = "aaaaaaaaa",
+        email = "login-disabled@test.com",
+      )
+    performPost("/api/public/sign_up", dto).andIsOk
+
+    val user = userAccountService.findActive("login-disabled@test.com")!!
+    userAccountService.disable(user.id)
+
+    doAuthentication("login-disabled@test.com", "aaaaaaaaa")
+      .andIsUnauthorized
+      .andAssertError
+      .hasCode("user_account_disabled")
+  }
+
   @Test
   fun testSignUpValidationBlankEmail() {
     val dto = SignUpDto(name = "Pavel Novak", password = "aaaa", email = "")

backend/data/src/main/kotlin/io/tolgee/constants/Message.kt

@@ -147,6 +147,7 @@ enum class Message {
   CANNOT_SET_VIEW_LANGUAGES_WITHOUT_FOR_LEVEL_BASED_PERMISSIONS,
   CANNOT_SET_DIFFERENT_TRANSLATE_AND_STATE_CHANGE_LANGUAGES_FOR_LEVEL_BASED_PERMISSIONS,
   CANNOT_DISABLE_YOUR_OWN_ACCOUNT,
+  USER_ACCOUNT_DISABLED,
   SUBSCRIPTION_NOT_FOUND,
   INVOICE_DOES_NOT_HAVE_USAGE,
   CUSTOMER_NOT_FOUND,

backend/data/src/main/kotlin/io/tolgee/repository/UserAccountRepository.kt

@@ -110,6 +110,9 @@ interface UserAccountRepository : JpaRepository<UserAccount, Long> {
   @Query("from UserAccount ua where ua.id = :id and ua.deletedAt is null and ua.disabledAt is null")
   fun findActive(id: Long): UserAccount?
 
+  @Query("from UserAccount ua where ua.username = :username and ua.deletedAt is null")
+  fun findActiveOrDisabled(username: String): UserAccount?
+
   @Query("from UserAccount ua left join fetch ua.emailVerification where ua.isInitialUser = true")
   fun findInitialUser(): UserAccount?
 

backend/data/src/main/kotlin/io/tolgee/security/thirdParty/ThirdPartyUserHandler.kt

@@ -116,7 +116,10 @@ class ThirdPartyUserHandler(
   }
 
   private fun createUser(data: ThirdPartyUserDetails): UserAccount {
-    userAccountService.findActive(data.username)?.let {
+    userAccountService.findActiveOrDisabled(data.username)?.let {
+      if (it.disabledAt != null) {
+        throw AuthenticationException(Message.USER_ACCOUNT_DISABLED)
+      }
       throw AuthenticationException(Message.USERNAME_ALREADY_EXISTS)
     }
 

backend/data/src/main/kotlin/io/tolgee/service/security/SignUpService.kt

@@ -27,7 +27,10 @@ class SignUpService(
 ) {
   @Transactional
   fun signUp(dto: SignUpDto): JwtAuthenticationResponse? {
-    userAccountService.findActive(dto.email)?.let {
+    userAccountService.findActiveOrDisabled(dto.email)?.let {
+      if (it.disabledAt != null) {
+        throw BadRequestException(Message.USER_ACCOUNT_DISABLED)
+      }
       throw BadRequestException(Message.USERNAME_ALREADY_EXISTS)
     }
 

backend/data/src/main/kotlin/io/tolgee/service/security/UserAccountService.kt

@@ -92,6 +92,10 @@ class UserAccountService(
     return userAccountRepository.findActive(username)
   }
 
+  fun findActiveOrDisabled(username: String): UserAccount? {
+    return userAccountRepository.findActiveOrDisabled(username)
+  }
+
   operator fun get(username: String): UserAccount {
     return this.findActive(username) ?: throw NotFoundException(Message.USER_NOT_FOUND)
   }

backend/data/src/main/kotlin/io/tolgee/service/security/UserCredentialsService.kt

@@ -20,6 +20,9 @@ class UserCredentialsService(
   ): UserAccount {
     val userAccount = userAccountService.findActive(username)
     if (userAccount == null) {
+      userAccountService.findActiveOrDisabled(username)?.let {
+        throw AuthenticationException(Message.USER_ACCOUNT_DISABLED)
+      }
       throw AuthenticationException(Message.BAD_CREDENTIALS)
     }
 

webapp/src/service/apiSchema.generated.ts

@@ -2717,6 +2717,7 @@ export interface components {
         | "cannot_set_view_languages_without_for_level_based_permissions"
         | "cannot_set_different_translate_and_state_change_languages_for_level_based_permissions"
         | "cannot_disable_your_own_account"
+        | "user_account_disabled"
         | "subscription_not_found"
         | "invoice_does_not_have_usage"
         | "customer_not_found"
@@ -6092,6 +6093,7 @@ export interface components {
         | "cannot_set_view_languages_without_for_level_based_permissions"
         | "cannot_set_different_translate_and_state_change_languages_for_level_based_permissions"
         | "cannot_disable_your_own_account"
+        | "user_account_disabled"
         | "subscription_not_found"
         | "invoice_does_not_have_usage"
         | "customer_not_found"

webapp/src/translationTools/useErrorTranslation.ts

@@ -11,6 +11,8 @@ export function useErrorTranslation() {
 
       case 'bad_credentials':
         return t('bad_credentials');
+      case 'user_account_disabled':
+        return t('user_account_disabled');
       case 'invalid_otp_code':
         return t('invalid_otp_code');
       case 'invitation_code_does_not_exist_or_expired':