From d7f4eca801bb702f487287eb218a9e7a133ee341 Mon Sep 17 00:00:00 2001
From: Claire <claire.github-309c@sitedethib.com>
Date: Mon, 13 Oct 2025 15:35:58 +0200
Subject: [PATCH] Fix streaming still being authorized for suspended accounts
 (#36449)

---
 app/models/concerns/account/suspensions.rb |  4 ++++
 spec/system/streaming/streaming_spec.rb    | 24 ++++++++++++++++++++++
 streaming/index.js                         |  2 +-
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/app/models/concerns/account/suspensions.rb b/app/models/concerns/account/suspensions.rb
index c981fb5a2..4c9ca593a 100644
--- a/app/models/concerns/account/suspensions.rb
+++ b/app/models/concerns/account/suspensions.rb
@@ -32,6 +32,10 @@ module Account::Suspensions
       update!(suspended_at: date, suspension_origin: origin)
       create_canonical_email_block! if block_email
     end
+
+    # This terminates all connections for the given account with the streaming
+    # server:
+    redis.publish("timeline:system:#{id}", Oj.dump(event: :kill)) if local?
   end
 
   def unsuspend!
diff --git a/spec/system/streaming/streaming_spec.rb b/spec/system/streaming/streaming_spec.rb
index 737003389..f5d3ba114 100644
--- a/spec/system/streaming/streaming_spec.rb
+++ b/spec/system/streaming/streaming_spec.rb
@@ -98,4 +98,28 @@ RSpec.describe 'Streaming', :inline_jobs, :streaming do
       expect(streaming_client.open?).to be(false)
     end
   end
+
+  context 'with a suspended user account' do
+    before do
+      user.account.suspend!
+    end
+
+    it 'receives an 401 unauthorized error when trying to connect' do
+      streaming_client.connect
+
+      expect(streaming_client.status).to eq(401)
+      expect(streaming_client.open?).to be(false)
+    end
+  end
+
+  context 'when the user account is suspended whilst connected' do
+    it 'terminates the connection for the user' do
+      streaming_client.connect
+
+      user.account.suspend!
+
+      expect(streaming_client.wait_for(:closed).code).to be(1000)
+      expect(streaming_client.open?).to be(false)
+    end
+  end
 end
diff --git a/streaming/index.js b/streaming/index.js
index c769bb375..0fb3a18f8 100644
--- a/streaming/index.js
+++ b/streaming/index.js
@@ -352,7 +352,7 @@ const startServer = async () => {
    * @returns {Promise<ResolvedAccount>}
    */
   const accountFromToken = async (token, req) => {
-    const result = await pgPool.query('SELECT oauth_access_tokens.id, oauth_access_tokens.resource_owner_id, users.account_id, users.chosen_languages, oauth_access_tokens.scopes FROM oauth_access_tokens INNER JOIN users ON oauth_access_tokens.resource_owner_id = users.id WHERE oauth_access_tokens.token = $1 AND oauth_access_tokens.revoked_at IS NULL AND users.disabled IS FALSE LIMIT 1', [token]);
+    const result = await pgPool.query('SELECT oauth_access_tokens.id, oauth_access_tokens.resource_owner_id, users.account_id, users.chosen_languages, oauth_access_tokens.scopes FROM oauth_access_tokens INNER JOIN users ON oauth_access_tokens.resource_owner_id = users.id INNER JOIN accounts ON accounts.id = users.account_id WHERE oauth_access_tokens.token = $1 AND oauth_access_tokens.revoked_at IS NULL AND users.disabled IS FALSE AND accounts.suspended_at IS NULL LIMIT 1', [token]);
 
     if (result.rows.length === 0) {
       throw new AuthenticationError('Invalid access token');