
block website logins that have no corresponding user profile #74

Merged: BeWelsh merged 1 commit into main from feat/block-non-users on Apr 24, 2026

Conversation

@BeWelsh (Collaborator) commented Apr 24, 2026

Description

title

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Refactoring (code improvement without changing functionality)
  • Documentation update
  • Configuration/infrastructure change
  • Performance improvement
  • Test coverage improvement

What Changed?

  • Create app gate for people who log in with no associated user account (not invited), prompt logout

Testing & Validation

How this was tested

Screenshots/Recordings

[Screenshot 2026-04-23 at 10 41 40 PM]

Unfinished Work

  • None, this PR is complete and production-ready
  • The following items are intentionally deferred:



Notes & Nuances



Reviewer Notes

  • Areas needing extra attention: ...
  • Questions for reviewers: ...

Summary by CodeRabbit

  • New Features

    • Added access-denied page for unauthorized users.
  • Bug Fixes

    • Deactivated user accounts are now blocked from logging in.
  • Improvements

    • Enhanced loading and error messaging during authentication flow.

@coderabbitai (Contributor, Bot) commented Apr 24, 2026

Caution: Review failed. Pull request was closed or merged during review.

Walkthrough

Backend authentication now validates user status, blocking deactivated users at two checkpoints: existing linked accounts and first-time login resolution. Frontend implements corresponding state management to track access status (loading, authorized, blocked, error) and displays an AccessDenied component when users lack authorization.

Changes

Cohort: Backend Authentication Logic
File(s): backend/app/services/user.py
Summary: Modified get_or_link_user to block authentication for deactivated users, both for existing auth0_sub matches and for email-based first login resolution. Error messages updated to reflect inactive status.

Cohort: Backend Authentication Tests
File(s): backend/tests/test_auth.py
Summary: Added three async test cases covering inactive user scenarios: blocked first login, blocked linked account access, and successful active user login. Includes mocks for the Auth0 userinfo endpoint.

Cohort: Frontend State Management
File(s): frontend/src/context/UserContext.tsx
Summary: Introduced a discrete UserStatus type (loading, authorized, blocked, error) replacing the binary meLoading/meError approach. Distinguishes HTTP 403 (blocked) from other failures and exposes status and error message separately.

Cohort: Frontend UI Components
File(s): frontend/src/App.tsx, frontend/src/components/AccessDenied.tsx
Summary: Extracted authenticated UI into a new AuthorizedApp component; added an AccessDenied component for unauthorized access; added shared LoadingScreen and ErrorScreen components. App now explicitly handles loading, blocked, and error states.

Sequence Diagram

sequenceDiagram
    participant User
    participant Frontend
    participant Auth0
    participant Backend as Backend<br/>(get_or_link_user)
    participant DB as Database

    User->>Frontend: Initiate login
    Frontend->>Auth0: Redirect to Auth0
    Auth0->>User: Display login form
    User->>Auth0: Submit credentials
    Auth0->>Frontend: Return auth code
    Frontend->>Auth0: Exchange code for token + userinfo
    Auth0->>Frontend: Return tokens & userinfo
    Frontend->>Backend: POST /auth/login with auth0_sub
    Backend->>DB: Query user by auth0_sub<br/>or email from userinfo
    alt User active
        DB->>Backend: Return active user
        Backend->>Frontend: Return user data
        Frontend->>Frontend: Set status: 'authorized'
        Frontend->>User: Render AuthorizedApp
    else User inactive/deactivated
        DB->>Backend: Return inactive user
        Backend->>Frontend: Raise LookupError
        Frontend->>Frontend: Set status: 'blocked'
        Frontend->>User: Render AccessDenied
    else No user record
        DB->>Backend: No record found
        Backend->>Frontend: Raise LookupError
        Frontend->>Frontend: Set status: 'error'
        Frontend->>User: Display error message
    end

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 A rabbit hops through gates of care,
Checking which users may pass there,
Deactivated? Access denied!
With loading screens and errors guiding,
The system bounces, blocks with pride!

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Description check: ⚠️ Warning. The description is largely incomplete. While Type of Change is marked and one bullet point is provided under What Changed, critical sections lack detail: Testing & Validation is empty (just numbered placeholders), the Unfinished Work checklist is incomplete, and Notes & Nuances/Reviewer Notes contain only placeholder asterisks. Resolution: Complete the Testing & Validation section with specific test cases or manual testing steps performed. Fill in or remove placeholder sections under Unfinished Work, Notes & Nuances, and Reviewer Notes with actual content or explicit statements that none apply.

Docstring Coverage: ⚠️ Warning. Docstring coverage is 50.00%, which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Title check: ✅ Passed. The title clearly and specifically describes the main feature: blocking logins for users without corresponding profiles.

Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@BeWelsh BeWelsh requested a review from Saisri24 April 24, 2026 02:42
@BeWelsh BeWelsh merged commit 66346c5 into main Apr 24, 2026
2 of 3 checks passed
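The two checkpoints the walkthrough describes (an existing auth0_sub link, then first-login resolution by e-mail), shown as an added illustration in Python rather than code from this repository: a small in-memory version of a get_or_link_user gate that refuses inactive profiles and, failing closed, any IdP identity with no profile at all. The User fields, the requirement that the IdP mark the e-mail as verified before linking, and the mapping of a refused login (the HTTP 403 case) to the frontend's 'blocked' state with other failures as 'error' are assumptions, not details taken from the PR.

```python
from __future__ import annotations
from dataclasses import dataclass
# Illustrative app gate, not the repository's code; User fields, the
# email_verified rule and the status mapping below are assumptions.
@dataclass
class User:
    email: str
    is_active: bool = True
    auth0_sub: str | None = None  # None until a first login links it

def sample_users() -> list[User]:
    """Constructed directory: active linked, deactivated linked, invitee, deactivated invitee."""
    return [
        User("alice@example.org", auth0_sub="auth0|alice"),
        User("bob@example.org", is_active=False, auth0_sub="auth0|bob"),
        User("carol@example.org"),
        User("dave@example.org", is_active=False),
    ]

def get_or_link_user(auth0_sub: str, userinfo: dict | None, users: list[User]) -> User:
    """Checkpoint 1: existing auth0_sub link. Checkpoint 2: first login resolved by
    the IdP's verified e-mail, then linked. Inactive profiles are refused at both,
    and an identity with no profile at all is refused too (fail closed)."""
    for u in users:
        if u.auth0_sub == auth0_sub:
            if not u.is_active:
                raise LookupError("linked user account is inactive")
            return u
    if userinfo is None:
        raise ValueError("userinfo unavailable")  # IdP/transport failure, not a decision
    email = userinfo.get("email")
    if not email or not userinfo.get("email_verified"):
        raise LookupError("first login needs a verified e-mail to resolve")
    for u in users:
        if u.auth0_sub is None and u.email.lower() == email.lower():
            if not u.is_active:
                raise LookupError("invited user account is inactive")
            u.auth0_sub = auth0_sub  # link once; later logins hit checkpoint 1
            return u
    raise LookupError("no user profile for this login")

def access_status(auth0_sub: str, userinfo: dict | None, users: list[User]) -> str:
    """Frontend states: a refused login (the HTTP 403 case) is 'blocked', anything else 'error'."""
    try:
        get_or_link_user(auth0_sub, userinfo, users)
        return "authorized"
    except LookupError:
        return "blocked"
    except Exception:
        return "error"
```

Resolving a first login by e-mail is only safe when the IdP asserts the address is verified, which is why the gate refuses to link an unverified address rather than trusting the claim.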