From 19603a33f3fa5322d7fb8a190928dd00f44e87f9 Mon Sep 17 00:00:00 2001
From: Hannah Wolfe
Date: Wed, 4 Nov 2015 16:59:56 +0000
Subject: [PATCH] Check client is enabled before auth

no issue
- add a check that the client has status 'enabled' to client auth strategy
- this permits the disabling of clients easily
- update tests
---
 core/server/middleware/auth-strategies.js | 2 +-
 .../unit/middleware/auth-strategies_spec.js | 18 +++++++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/core/server/middleware/auth-strategies.js b/core/server/middleware/auth-strategies.js
index 877d85eeb2..5f221f15e7 100644
--- a/core/server/middleware/auth-strategies.js
+++ b/core/server/middleware/auth-strategies.js
@@ -17,7 +17,7 @@ strategies = {
 .then(function then(model) {
 if (model) {
 var client = model.toJSON({include: ['trustedDomains']});
- if (client.secret === clientSecret) {
+ if (client.status === 'enabled' && client.secret === clientSecret) {
 return done(null, client);
 }
 }
diff --git a/core/test/unit/middleware/auth-strategies_spec.js b/core/test/unit/middleware/auth-strategies_spec.js
index 22f35b43ae..2fe14eb90a 100644
--- a/core/test/unit/middleware/auth-strategies_spec.js
+++ b/core/test/unit/middleware/auth-strategies_spec.js
@@ -12,7 +12,8 @@ var should = require('should'),
 fakeClient = {
 slug: 'ghost-admin',
- secret: 'not_available'
+ secret: 'not_available',
+ status: 'enabled'
 },
 fakeValidToken = {
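Review bot: The new condition in clientPasswordStrategy refuses a disabled client in exactly the same way as a wrong secret (both fall out of the `if` without calling `done(null, client)`), which is the right outcome but nothing on the line says so; a short comment would stop the next reader from "simplifying" it, e.g. `// Only an enabled client may authenticate; a disabled client fails the same way as a bad secret so the response does not reveal which check failed.` The `===` secret comparison on the same line is not constant-time; if the supported Node version provides `crypto.timingSafeEqual`, comparing equal-length buffers with it would be preferable, though that predates this change. Any existing client row whose `status` is not exactly `'enabled'` (unset, or another value) is now refused, so it is worth confirming that the schema default or a migration sets it. The enclosing function starts and ends outside the hunk.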
@@ -96,6 +97,21 @@ describe('Auth Strategies', function () {
 done();
 }).catch(done);
 });
+
+ it('shouldn\'t auth client that is disabled', function (done) {
+ var clientId = 'ghost-admin',
+ clientSecret = 'not_available';
+
+ fakeClient.status = 'disabled';
+
+ authStrategies.clientPasswordStrategy(clientId, clientSecret, next).then(function () {
+ clientStub.calledOnce.should.be.true;
+ clientStub.calledWith({slug: clientId}).should.be.true;
+ next.called.should.be.true;
+ next.calledWith(null, false).should.be.true;
+ done();
+ }).catch(done);
+ });
 });
 
 describe('Bearer Strategy', function () {
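Review bot: The new test mutates the shared module-level `fakeClient` fixture with `fakeClient.status = 'disabled';` and never restores it, so any later test in this file that goes through clientPasswordStrategy sees a disabled client, and the earlier success case likely passes only because it runs first. Reset the field after the assertions, or in an `afterEach`, e.g. `afterEach(function () { fakeClient.status = 'enabled'; });`. The assertions also check only `next.called` and `next.calledWith(null, false)`; adding `next.calledOnce.should.be.true;` would catch a strategy that invokes the callback twice. The enclosing describe block starts outside the hunk.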