- Ensure users cannot login when their valid_to date is expired.

eveai_app/views/security_views.py

@@ -12,7 +12,7 @@ from sqlalchemy.exc import SQLAlchemyError
 
 from common.models.user import User, ConsentStatus
 from common.services.user import TenantServices, UserServices
-from common.utils.eveai_exceptions import EveAIException, EveAINoActiveLicense
+from common.utils.eveai_exceptions import EveAIException, EveAINoActiveLicense, EveAIUserExpired
 from common.utils.nginx_utils import prefixed_url_for
 from eveai_app.views.security_forms import SetPasswordForm, ResetPasswordForm, ForgotPasswordForm
 from common.extensions import db
@@ -46,6 +46,14 @@ def login():
                     user = User.query.filter_by(email=form.email.data).first()
                     if user is None or not verify_and_update_password(form.password.data, user):
                         raise EveAIException('Invalid email or password')
+                    # Check if the user's account is still valid based on valid_to
+                    today = dt.now(tz=tz.utc).date()
+                    if user.valid_to is not None and today > user.valid_to:
+                        current_app.logger.warning(
+                            f"Login blocked for expired user {user.id} ({user.email}); "
+                            f"today={today}, valid_to={user.valid_to}"
+                        )
+                        raise EveAIUserExpired()
                     is_valid_tenant(user.tenant_id)
                 except EveAIException as e:
                     flash(f'Failed to login user: {str(e)}', 'danger')