From 658d1656fafa18d5e58be81ef4e02178f6cbd4a6 Mon Sep 17 00:00:00 2001
From: Daniel Oaks <daniel@danieloaks.net>
Date: Wed, 11 Jan 2017 01:02:26 +1000
Subject: [PATCH] accounts: Only allow verified accounts to SASL auth

---
 irc/accounts.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/irc/accounts.go b/irc/accounts.go
index 2ec3fd26..9ab9b84d 100644
--- a/irc/accounts.go
+++ b/irc/accounts.go
@@ -198,6 +198,12 @@ func authPlainHandler(server *Server, client *Client, mechanism string, value []
 	// load and check acct data all in one update to prevent races.
 	// as noted elsewhere, change to proper locking for Account type later probably
 	err = server.store.Update(func(tx *buntdb.Tx) error {
+		// confirm account is verified
+		_, err = tx.Get(fmt.Sprintf(keyAccountVerified, accountKey))
+		if err != nil {
+			return errSaslFail
+		}
+
 		creds, err := loadAccountCredentials(tx, accountKey)
 		if err != nil {
 			return err
@@ -251,6 +257,12 @@ func authExternalHandler(server *Server, client *Client, mechanism string, value
 			return errSaslFail
 		}
 
+		// confirm account is verified
+		_, err = tx.Get(fmt.Sprintf(keyAccountVerified, accountKey))
+		if err != nil {
+			return errSaslFail
+		}
+
 		// confirm the certfp in that account's credentials
 		creds, err := loadAccountCredentials(tx, accountKey)
 		if err != nil || creds.Certificate != client.certfp {