🔒️ Add option to ban malicious users (#1600)

lukevella · Mar 2, 2025 · 83bf083 · 83bf083
1 parent b214de7
commit 83bf083
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 0 deletions.
diff --git a/apps/web/declarations/next-auth.d.ts b/apps/web/declarations/next-auth.d.ts
@@ -25,6 +25,7 @@ declare module "next-auth" {
     timeZone?: string | null;
     timeFormat?: TimeFormat | null;
     weekStart?: number | null;
+    banned?: boolean | null;
   }
 
   interface NextAuthRequest extends NextRequest {

diff --git a/apps/web/src/next-auth.ts b/apps/web/src/next-auth.ts
@@ -100,6 +100,11 @@ const {
         if (isBlocked) {
           return false;
         }
+
+        // Check if user is banned
+        if (user.banned) {
+          return false;
+        }
       }
 
       // For now, we don't allow users to login unless they have

diff --git a/apps/web/src/trpc/client/provider.tsx b/apps/web/src/trpc/client/provider.tsx
@@ -7,6 +7,7 @@ import {
   QueryClientProvider,
 } from "@tanstack/react-query";
 import { httpBatchLink, TRPCClientError } from "@trpc/client";
+import { signOut } from "next-auth/react";
 import { useState } from "react";
 import superjson from "superjson";
 
@@ -49,6 +50,14 @@ export function TRPCProvider(props: { children: React.ReactNode }) {
                       defaultValue: "Please try again later.",
                     }),
                   });
+                  break;
+                case "FORBIDDEN":
+                  signOut({
+                    redirect: false,
+                  }).then(() => {
+                    window.location.href = "/login";
+                  });
+
                   break;
                 default:
                   console.error(error);

diff --git a/apps/web/src/trpc/trpc.ts b/apps/web/src/trpc/trpc.ts
@@ -1,3 +1,4 @@
+import { prisma } from "@rallly/database";
 import { initTRPC, TRPCError } from "@trpc/server";
 import { Ratelimit } from "@upstash/ratelimit";
 import { kv } from "@vercel/kv";
@@ -47,6 +48,31 @@ export const requireUserMiddleware = middleware(async ({ ctx, next }) => {
     });
   }
 
+  if (!ctx.user.isGuest) {
+    const user = await prisma.user.findUnique({
+      where: {
+        id: ctx.user.id,
+      },
+      select: {
+        banned: true,
+      },
+    });
+
+    if (!user) {
+      throw new TRPCError({
+        code: "UNAUTHORIZED",
+        message: "Logged in user does not exist anymore",
+      });
+    }
+
+    if (user.banned) {
+      throw new TRPCError({
+        code: "FORBIDDEN",
+        message: "Your account has been banned",
+      });
+    }
+  }
+
   return next({
     ctx: {
       user: ctx.user,

diff --git a/packages/database/prisma/migrations/20250302163530_add_user_ban_fields/migration.sql b/packages/database/prisma/migrations/20250302163530_add_user_ban_fields/migration.sql
@@ -0,0 +1,4 @@
+-- AlterTable
+ALTER TABLE "users" ADD COLUMN     "ban_reason" TEXT,
+ADD COLUMN     "banned" BOOLEAN NOT NULL DEFAULT false,
+ADD COLUMN     "banned_at" TIMESTAMP(3);
diff --git a/packages/database/prisma/schema.prisma b/packages/database/prisma/schema.prisma
@@ -50,6 +50,9 @@ model User {
   createdAt      DateTime    @default(now()) @map("created_at")
   updatedAt      DateTime?   @updatedAt @map("updated_at")
   customerId     String?     @map("customer_id")
+  banned         Boolean     @default(false)
+  bannedAt       DateTime?   @map("banned_at")
+  banReason      String?     @map("ban_reason")
 
   comments       Comment[]
   polls          Poll[]