
security: enforce disabled account check in auth middleware #268

Merged
dkhalife merged 1 commit into main from disabled_account
Mar 26, 2026

Conversation

@dkhalife
Owner

Problem

The `User.Disabled` field existed in the DB schema but was never checked during authentication. A disabled user could authenticate and access all HTTP and WebSocket endpoints.

Root Cause

`VerifyAccessToken()`, `VerifyWSToken()`, and `BypassAuth()` all call `EnsureUser()` but the returned user's `Disabled` field was never inspected.

Fix

`apiserver/internal/repos/user/user.go`

  • Added exported sentinel `ErrDisabledUser`
  • `EnsureUser()` now returns `ErrDisabledUser` when the fetched user has `Disabled = true`

This single change covers all three auth paths (HTTP, WebSocket, dev bypass) since they all flow through `EnsureUser()`. The middleware already propagates errors as `401 Unauthorized`, so no middleware changes were needed.

`apiserver/internal/repos/user/user_test.go`

  • Added `TestEnsureUserDisabled` to verify a disabled user is rejected with `ErrDisabledUser`

Testing

All 12 existing + new tests pass (`go test ./...`).
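An added illustration of the pattern this PR describes, written for this page and not taken from the project: a repository-level `EnsureUser()` that returns a sentinel `ErrDisabledUser` when the fetched account has `Disabled = true`, and an HTTP middleware that maps every identity-resolution error to `401 Unauthorized` without needing its own disabled-account branch. The in-memory `Repo`, the `User` struct, the `X-User-ID` header and the `Probe` helper are constructed for the example; in a real server the identity would come from an already-verified access or WebSocket token, never from a client-supplied header.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ErrDisabledUser is the sentinel returned when the resolved account is disabled.
// Callers compare with errors.Is so wrapping does not break the check.
var ErrDisabledUser = errors.New("user account is disabled")

// ErrUserNotFound is returned when no account matches the identity.
var ErrUserNotFound = errors.New("user not found")

// User carries only the two fields the check needs (constructed, not the project's model).
type User struct {
	ID       string
	Disabled bool
}

// Repo is a constructed in-memory stand-in for the user repository.
type Repo struct {
	users map[string]User
}

// NewRepo seeds the stand-in repository with the given users.
func NewRepo(users ...User) *Repo {
	r := &Repo{users: make(map[string]User, len(users))}
	for _, u := range users {
		r.users[u.ID] = u
	}
	return r
}

// EnsureUser resolves an identity and refuses disabled accounts.
// Because every auth path (HTTP, WebSocket, dev bypass) resolves through this
// one function, placing the check here covers all of them at once.
func (r *Repo) EnsureUser(id string) (*User, error) {
	u, ok := r.users[id]
	if !ok {
		return nil, ErrUserNotFound
	}
	if u.Disabled {
		return nil, ErrDisabledUser
	}
	return &u, nil
}

// AuthMiddleware resolves the caller and maps any resolution error to 401.
// The hypothetical X-User-ID header stands in for an identity already extracted
// from a verified token; the middleware itself knows nothing about Disabled.
func AuthMiddleware(repo *Repo, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := r.Header.Get("X-User-ID")
		if _, err := repo.EnsureUser(id); err != nil {
			// The specific cause (not found vs. disabled) stays server-side;
			// the client sees a uniform 401 either way.
			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one request for the given identity through the middleware and
// returns the resulting HTTP status code.
func Probe(repo *Repo, userID string) int {
	h := AuthMiddleware(repo, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
	req.Header.Set("X-User-ID", userID)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample data: one active account and one disabled account.
	repo := NewRepo(User{ID: "alice"}, User{ID: "bob", Disabled: true})
	fmt.Println("alice:", Probe(repo, "alice")) // 200
	fmt.Println("bob:", Probe(repo, "bob"))     // 401
	fmt.Println("nobody:", Probe(repo, "nobody")) // 401
}
```

The design point is the one the PR relies on: the error is raised at the single choke point through which every authentication path resolves its user, and the middleware already treats any error from that point as unauthenticated, so disabling an account takes effect everywhere without touching each entrypoint.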

Copilot AI review requested due to automatic review settings March 26, 2026 02:22
Contributor

Copilot AI left a comment


Pull request overview

This PR closes a security gap in the Go API server by enforcing the User.Disabled flag during identity resolution, preventing disabled accounts from authenticating across HTTP and WebSocket entrypoints (and the dev auth bypass) that rely on EnsureUser().

Changes:

  • Add exported sentinel ErrDisabledUser in the user repo package.
  • Update EnsureUser() to reject existing users with Disabled=true.
  • Add a unit test verifying EnsureUser() returns ErrDisabledUser for disabled accounts.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| apiserver/internal/repos/user/user.go | Introduces ErrDisabledUser and blocks EnsureUser() from returning a disabled user. |
| apiserver/internal/repos/user/user_test.go | Adds coverage to ensure disabled users are rejected with the sentinel error. |

@codecov

codecov bot commented Mar 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@dkhalife dkhalife merged commit 83d9de4 into main Mar 26, 2026
11 checks passed
@dkhalife dkhalife deleted the disabled_account branch March 26, 2026 02:27