diff --git a/middleware/auth.js b/middleware/auth.js
index af540b5..267f0b4 100644
--- a/middleware/auth.js
+++ b/middleware/auth.js
@@ -105,25 +105,41 @@ export const authenticate = async (request, reply) => {
   // Check if user is banned
   if (user.ban && user.ban.banned) {
-    if (user.ban.expires && new Date(user.ban.expires) > new Date()) {
-      return reply.status(403).send({
-        error: "Forbidden",
-        message: "Your account is banned",
-        reason: user.ban.reason,
-        expires: user.ban.expires,
-      });
-    } else if (!user.ban.expires) {
-      return reply.status(403).send({
-        error: "Forbidden",
-        message: "Your account is permanently banned",
-        reason: user.ban.reason,
-      });
-    } else {
+    // Check if ban has expired
+    if (user.ban.expires && new Date(user.ban.expires) <= new Date()) {
       // Ban expired, clear it
       user.ban.banned = false;
       user.ban.reason = null;
       user.ban.expires = null;
       await user.save();
+    } else {
+      // User is currently banned
+      // Allow access to /api/auth/me so frontend can get ban info and redirect
+      const url = request.url || "";
+      const routeUrl = request.routeOptions?.url || "";
+      const isAuthMeEndpoint =
+        url.includes("/auth/me") ||
+        routeUrl === "/me" ||
+        routeUrl.endsWith("/me");
+
+      if (!isAuthMeEndpoint) {
+        // Block access to all other endpoints
+        if (user.ban.expires) {
+          return reply.status(403).send({
+            error: "Forbidden",
+            message: "Your account is banned",
+            reason: user.ban.reason,
+            expires: user.ban.expires,
+          });
+        } else {
+          return reply.status(403).send({
+            error: "Forbidden",
+            message: "Your account is permanently banned",
+            reason: user.ban.reason,
+          });
+        }
+      }
+      // If it's /api/auth/me, continue and attach user with ban info
     }
   }
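Review bot: The ban exemption in `isAuthMeEndpoint` is too loose: `url.includes("/auth/me")` is a substring test on the raw request URL, which typically still carries the query string, so a banned user's request to any other endpoint is let through whenever that substring appears anywhere in the URL, and `routeUrl.endsWith("/me")` likewise exempts every registered route that happens to end in `/me`. Since this guard is the only thing standing between a banned account and the rest of the API, the match should be exact on the path component and on the one intended route, e.g. `const path = url.split("?")[0];` followed by `const isAuthMeEndpoint = path === "/api/auth/me";` (keep the `routeOptions` comparison only as an exact equality against the registered route, not `endsWith`). It would also help to add a comment above the guard noting that any exemption here must be an exact path match because it bypasses the ban check. The surrounding `authenticate` function starts and ends outside this hunk.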