fix(core): Do not allow API usage when user is disabled (no-changelog) (#19485)

packages/cli/src/services/__tests__/public-api-key.service.test.ts

@@ -233,6 +233,30 @@ describe('PublicApiKeyService', () => {
 				);
 			});
 		});
+
+		it('should return false if user is disabled', async () => {
+			//Arrange
+
+			const path = '/test';
+			const method = 'GET';
+			const apiVersion = 'v1';
+
+			const owner = await createOwnerWithApiKey();
+
+			await userRepository.update({ id: owner.id }, { disabled: true });
+
+			const [{ apiKey }] = owner.apiKeys;
+
+			const middleware = publicApiKeyService.getAuthMiddleware(apiVersion);
+
+			//Act
+
+			const response = await middleware(mockReqWith(apiKey, path, method), {}, securitySchema);
+
+			//Assert
+
+			expect(response).toBe(false);
+		});
 	});
 
 	describe('redactApiKey', () => {

packages/cli/src/services/public-api-key.service.ts

@@ -119,6 +119,8 @@ export class PublicApiKeyService {
 
 			if (!user) return false;
 
+			if (user.disabled) return false;
+
 			// Legacy API keys are not JWTs and do not need to be verified.
 			if (!providedApiKey.startsWith(PREFIX_LEGACY_API_KEY)) {
 				try {