check pw and other auth before letting users undisable

1 files changed, 19 insertions, 19 deletions

diff --git a/src/api/routes/auth/login.ts b/src/api/routes/auth/login.ts
index a7fcd4bc..2b97ec10 100644
--- a/src/api/routes/auth/login.ts
+++ b/src/api/routes/auth/login.ts
@@ -88,25 +88,6 @@ router.post(
 			});
 		});
 
-		if (undelete) {
-			// undelete refers to un'disable' here
-			if (user.disabled)
-				await User.update({ id: user.id }, { disabled: false });
-			if (user.deleted)
-				await User.update({ id: user.id }, { deleted: false });
-		} else {
-			if (user.deleted)
-				return res.status(400).json({
-					message: "This account is scheduled for deletion.",
-					code: 20011,
-				});
-			if (user.disabled)
-				return res.status(400).json({
-					message: req.t("auth:login.ACCOUNT_DISABLED"),
-					code: 20013,
-				});
-		}
-
 		// the salt is saved in the password refer to bcrypt docs
 		const same_password = await bcrypt.compare(
 			password,
@@ -169,6 +150,25 @@ router.post(
 			});
 		}
 
+		if (undelete) {
+			// undelete refers to un'disable' here
+			if (user.disabled)
+				await User.update({ id: user.id }, { disabled: false });
+			if (user.deleted)
+				await User.update({ id: user.id }, { deleted: false });
+		} else {
+			if (user.deleted)
+				return res.status(400).json({
+					message: "This account is scheduled for deletion.",
+					code: 20011,
+				});
+			if (user.disabled)
+				return res.status(400).json({
+					message: req.t("auth:login.ACCOUNT_DISABLED"),
+					code: 20013,
+				});
+		}
+
 		const token = await generateToken(user.id);
 
 		// Notice this will have a different token structure, than discord