From 7a60edf0bd3258fdd3078ecee0a68aecbbccdcf5 Mon Sep 17 00:00:00 2001
From: Claire <claire.github-309c@sitedethib.com>
Date: Mon, 13 Oct 2025 16:03:15 +0200
Subject: [PATCH] Fix streaming still being authorized for suspended accounts
 (#36451)

---
 app/models/account.rb | 4 ++++
 streaming/index.js    | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/models/account.rb b/app/models/account.rb
index dac44d3ec47..a7ea9e8964e 100644
--- a/app/models/account.rb
+++ b/app/models/account.rb
@@ -254,6 +254,10 @@ class Account < ApplicationRecord
       update!(suspended_at: date, suspension_origin: origin)
       create_canonical_email_block! if block_email
     end
+
+    # This terminates all connections for the given account with the streaming
+    # server:
+    redis.publish("timeline:system:#{id}", Oj.dump(event: :kill)) if local?
   end
 
   def unsuspend!
diff --git a/streaming/index.js b/streaming/index.js
index 8ec3188ecb0..36f0610ca9a 100644
--- a/streaming/index.js
+++ b/streaming/index.js
@@ -455,7 +455,7 @@ const startServer = async () => {
         return;
       }
 
-      client.query('SELECT oauth_access_tokens.id, oauth_access_tokens.resource_owner_id, users.account_id, users.chosen_languages, oauth_access_tokens.scopes, devices.device_id FROM oauth_access_tokens INNER JOIN users ON oauth_access_tokens.resource_owner_id = users.id LEFT OUTER JOIN devices ON oauth_access_tokens.id = devices.access_token_id WHERE oauth_access_tokens.token = $1 AND oauth_access_tokens.revoked_at IS NULL AND users.disabled IS FALSE LIMIT 1', [token], (err, result) => {
+      client.query('SELECT oauth_access_tokens.id, oauth_access_tokens.resource_owner_id, users.account_id, users.chosen_languages, oauth_access_tokens.scopes, devices.device_id FROM oauth_access_tokens INNER JOIN users ON oauth_access_tokens.resource_owner_id = users.id INNER JOIN accounts ON accounts.id = users.account_id LEFT OUTER JOIN devices ON oauth_access_tokens.id = devices.access_token_id WHERE oauth_access_tokens.token = $1 AND oauth_access_tokens.revoked_at IS NULL AND users.disabled IS FALSE AND accounts.suspended_at IS NULL LIMIT 1', [token], (err, result) => {
         done();
 
         if (err) {