Everything is fine until I try to create a session for a blocked User. When I try, I get a "201 Created" Response and a Cookie is set. But because the User is blocked, every following request to the Accounts Endpoint results in a "401 Unauthorized" Response. Even the deleteSession Request. I cant even login to the Appwrite Backend until I manually remove all Cookies and clear the Cache.
To me it looks like something is wrong with Cookie mechanics for blocked Users. (there should no cookie get set when a blocked user tries to login, right?)
Tested and reproduced multiple times with Playground for JS and an Appwrite Server v0.6.2 in a Docker Container.
At the Appwrite Discord Support Channel we tried to figure out what could be the Problem on my side and decided to open an Issue.
To get out of this state and be able to login again, you have to manually delete the Appwrite Cookies (and maybe the local storage but i'm not sure here)
Trying to login a blocked account shold not result in a 201 created session and not set a cookie.
As described above.
If needed I can provide requests/responses as HAR files.
Thanks for reporting this issue @RingoRohe. I've started working on a fix on this branch: https://github.com/appwrite/appwrite/tree/bug-777-blocked-users-can-create-sessions - I have to add a couple of tests and then I'll submit a PR.
Change tested, reviewed and merged to 0.7.x
Version 0.7 is out with the fix 馃殌