secure mongoose auth endpoint

lib/pleroma/web/mongooseim/mongoose_im_controller.ex

@@ -26,8 +26,22 @@ def user_exists(conn, %{"user" => username}) do
   end
 
   def check_password(conn, %{"user" => username, "pass" => password}) do
+    user = Repo.get_by(User, nickname: username, local: true)
+
+    case User.account_status(user) do
+      :deactivated ->
+        conn
+        |> put_status(:not_found)
+        |> json(false)
+
+      :confirmation_pending ->
+        conn
+        |> put_status(:not_found)
+        |> json(false)
+
+      _ ->
         with %User{password_hash: password_hash} <-
-           Repo.get_by(User, nickname: username, local: true),
+               user,
              true <- Pbkdf2.checkpw(password, password_hash) do
           conn
           |> json(true)
@@ -43,4 +57,5 @@ def check_password(conn, %{"user" => username, "pass" => password}) do
             |> json(false)
         end
     end
+  end
 end