Issue #3258402: Password grant type: access token for blocked accont

src/Repositories/UserRepository.php

@@ -2,13 +2,22 @@
 
 namespace Drupal\simple_oauth\Repositories;
 
+use Drupal\Core\Entity\EntityTypeManagerInterface;
+use Drupal\Core\StringTranslation\StringTranslationTrait;
 use Drupal\user\UserAuthInterface;
+use Drupal\user\UserInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\UserRepositoryInterface;
 use Drupal\simple_oauth\Entities\UserEntity;
 
 class UserRepository implements UserRepositoryInterface {
+  use StringTranslationTrait;
+
+  /**
+   * @var \Drupal\Core\Entity\EntityTypeManagerInterface
+   */
+  protected $entityTypeManager;
 
   /**
    * @var \Drupal\user\UserAuthInterface
@@ -18,10 +27,13 @@ class UserRepository implements UserRepositoryInterface {
   /**
    * UserRepository constructor.
    *
+   * @param \Drupal\Core\Entity\EntityTypeManagerInterface $entity_type_manager
+   *   The entity type manager.
    * @param \Drupal\user\UserAuthInterface $user_auth
    *   The service to check the user authentication.
    */
-  public function __construct(UserAuthInterface $user_auth) {
+  public function __construct(EntityTypeManagerInterface $entity_type_manager, UserAuthInterface $user_auth) {
+    $this->entityTypeManager = $entity_type_manager;
     $this->userAuth = $user_auth;
   }
 
@@ -30,13 +42,29 @@ class UserRepository implements UserRepositoryInterface {
    */
   public function getUserEntityByUserCredentials($username, $password, $grantType, ClientEntityInterface $clientEntity) {
     // TODO: Use authenticateWithFloodProtection when #2825084 lands.
-    if ($uid = $this->userAuth->authenticate($username, $password)) {
-      $user = new UserEntity();
-      $user->setIdentifier($uid);
+    $uid = $this->userAuth->authenticate($username, $password);
+
+    if ($uid === FALSE) {
+      return NULL;
+    }
+
+    $user_entity = $this->entityTypeManager->getStorage('user')->load($uid);
 
-      return $user;
+    if (!$user_entity instanceof UserInterface) {
+      return NULL;
     }
-    return NULL;
+
+    if ($user_entity->isBlocked()) {
+      $hint = $this->t('The username %name has not been activated or is blocked.', ['%name' => $user_entity->getDisplayName()]);
+      $hint = strip_tags($hint);
+
+      throw OAuthServerException::accessDenied($hint);
+    }
+
+    $user = new UserEntity();
+    $user->setIdentifier($uid);
+
+    return $user;
   }
 
 }