server: fail closed when Apple disabled status cannot be verified

When resolving an Apple user without email (subsequent logins), if both
Firebase getUserByProviderUid and getUserByEmail throw (e.g., Firebase
is temporarily unreachable), reject the login rather than allowing it
through with an unverified disabled status.  Previously, transient
Firebase failures would leave isDisabled=false and allow potentially
disabled accounts to log in.

Author: bpowers

src/server/auth/oauth-handlers.ts

@@ -175,22 +175,32 @@ async function resolveAppleUserWithoutEmail(
   // cross-provider collisions
   const existingUser = await users.findOneByScan({ providerUserId: appleSub, provider: 'apple' });
   if (existingUser) {
+    // Fail closed: if we can't verify the account isn't disabled (e.g.
+    // Firebase is temporarily unreachable), reject the login rather than
+    // risk letting a disabled account through.
+    let statusVerified = false;
     let isDisabled = false;
     try {
       const fbUser = await firebaseAdmin.getUserByProviderUid('apple.com', appleSub);
       isDisabled = fbUser?.disabled ?? false;
+      statusVerified = true;
     } catch {
       // If provider lookup fails, fallback to email lookup
       if (existingUser.getEmail()) {
         try {
           const fbUser = await firebaseAdmin.getUserByEmail(existingUser.getEmail());
           isDisabled = fbUser?.disabled ?? false;
+          statusVerified = true;
         } catch {
-          // If neither lookup works, proceed with login
+          // Neither lookup succeeded
         }
       }
     }
 
+    if (!statusVerified) {
+      logger.error(`Cannot verify disabled status for Apple user ${appleSub}, rejecting login`);
+      return { status: 'disabled' };
+    }
     if (isDisabled) {
       return { status: 'disabled' };
     }

src/server/tests/oauth-handlers.test.ts

@@ -769,6 +769,54 @@ describe('createAppleOAuthCallbackHandler', () => {
       expect(req.login).not.toHaveBeenCalled();
     });
 
+    it('should reject login when Firebase disabled status cannot be verified (fail-closed)', async () => {
+      const deps = createAppleMockDeps();
+      const handler = createAppleOAuthCallbackHandler(deps);
+
+      (deps.stateStore as jest.Mocked<OAuthStateStore>).validate.mockResolvedValue({
+        valid: true,
+        returnUrl: '/projects/test',
+      });
+      (deps.stateStore as jest.Mocked<OAuthStateStore>).invalidate.mockResolvedValue();
+
+      (exchangeAppleCode as jest.Mock).mockResolvedValue({
+        access_token: 'test-access-token',
+        id_token: 'test-id-token',
+        expires_in: 3600,
+        token_type: 'Bearer',
+      });
+
+      (verifyAppleIdToken as jest.Mock).mockResolvedValue({
+        sub: 'apple-user-unverifiable',
+      });
+
+      const existingUser = new User();
+      existingUser.setId('user-unverifiable');
+      existingUser.setEmail('user@example.com');
+      existingUser.setProvider('apple');
+      existingUser.setProviderUserId('apple-user-unverifiable');
+
+      (deps.users as jest.Mocked<Table<User>>).findOneByScan.mockResolvedValue(existingUser);
+
+      // Both Firebase lookups fail (e.g., Firebase is temporarily unavailable)
+      (deps.firebaseAdmin as jest.Mocked<admin.auth.Auth>).getUserByProviderUid.mockRejectedValue(
+        new Error('Service unavailable'),
+      );
+      (deps.firebaseAdmin as jest.Mocked<admin.auth.Auth>).getUserByEmail.mockRejectedValue(
+        new Error('Service unavailable'),
+      );
+
+      const req = createMockRequest({}, { code: 'test-code', state: 'valid-state' });
+      const { res, getRedirectUrl } = createMockResponse();
+
+      await handler(req as Request, res as Response, jest.fn());
+
+      // Should reject login when disabled status cannot be verified
+      // (returns account_disabled since we fail closed)
+      expect(getRedirectUrl()).toBe('/?error=account_disabled');
+      expect(req.login).not.toHaveBeenCalled();
+    });
+
     it('should login existing user by providerUserId when Apple omits email', async () => {
       const deps = createAppleMockDeps();
       const handler = createAppleOAuthCallbackHandler(deps);