for MPP-3817: prevent all Relay operations when user.is_active = False

[groovecoder]

This PR fixes #MPP-3817.

How to test:

1. Run new python manage.py deactivate_user a number of ways (See --help for details)
2. After deactivating a user, make sure they cannot perform any of the following:
   • Existing sessions are signed out
   • Cannot sign back in
   • Cannot make any API requests
   • Cannot receive any emails
   • Cannot reply to any previous emails
   • Cannot receive any text messages
   • Cannot receive any forwarded phone calls

Note: some tests may be easiest on the dev server.

• l10n changes have been submitted to the l10n repository, if any.
• I've added a unit test to test for potential regressions of this bug.
• I've added or updated relevant docs in the docs/ directory.
• All UI revisions follow the coding standards, and use Protocol tokens where applicable (see /frontend/src/styles/tokens.scss).
• Commits in this PR are minimal and have descriptive commit messages.

[sentry-io]

🔍 Existing Issues For Review

Your pull request is modifying functions with the following pre-existing issues:

📄 File: emails/views.py

Function	Unhandled Issue
_sns_message	NonPrintableDefect: the following ASCII non-printables found in header: ['\x7f'] emai... Event Count: 21

---

_{Did you find this useful? React with a 👍 or 👎}

[say-yawn]

Thanks @groovecoder for the extensive code to prevent Relay operations for users that are not active. Changes look good with some minor suggestions in review. Also some additional suggestions:

• (blocking) We are missing the is_active check on _reply_allowed
• (non-blocking) Can we refactor to add the is_active check in the has_premium check instead?

[say-yawn]

(suggestion, blocking) Descriptive success message with the identifier key and value for better logging.

[say-yawn]

(question) Should we consider a place to log why the account was deactivated as well?

[groovecoder]

Updated message with identifier key and value.

[say-yawn]

Code changes look good. While manually running tests I noted:

• Instruction uses python manage.py deactivate_user_by_token it should be python manage.py deactivate_user instead
• (blocking) After deactivating the user and while signed-in I get the following error:

NoReverseMatch at /accounts/fxa/login/callback/

Reverse for 'account_inactive' not found. 'account_inactive' is not a valid view function or pattern name.

Seems like allauth tries to send the user to the "account_inactive" page and fails because we have no view setup for that.

[groovecoder]

* (blocking) After deactivating the user and while signed-in I get the following error:

NoReverseMatch at /accounts/fxa/login/callback/

Reverse for 'account_inactive' not found. 'account_inactive' is not a valid view function or pattern name.

Seems like allauth tries to send the user to the "account_inactive" page and fails because we have no view setup for that.

Were you using http://127.0.0.1:8000 or http://localhost:3000?

[jwhitlock]

I've only enabled some of the allauth endpoints:

fx-private-relay/privaterelay/urls.py

Lines 30 to 38 in b961ce0

	path("accounts/fxa/login/", fxa_views.oauth2_login, name="fxa_login"),
	path(
	"accounts/fxa/login/callback/", fxa_views.oauth2_callback, name="fxa_callback"
	),
	path("accounts/logout/", allauth_views.logout, name="account_logout"),
	path(
	"accounts/profile/subdomain", views.profile_subdomain, name="profile_subdomain"
	),
	path("accounts/profile/refresh", views.profile_refresh, name="profile_refresh"),

You'll need to enable more of them, or all of them. I disabled most because we have proper Django-side template to render them, or support features like a second social account. This way the user would get a 404 instead of a 500.

https://github.com/pennersr/django-allauth/blob/5d21115d5bc63ebc130ce7625785900b30f06b30/allauth/account/urls.py#L12

[say-yawn]

Were you using http://127.0.0.1:8000 or http://localhost:3000?

@groovecoder, I was using http://127.0.0.1:8000. Does it work for you? For me, adding path("accounts/logout/", allauth_views.logout, name="account_inactive"), on privaterelay/urls.py did the trick too.

[groovecoder]

In 59a8b4f I added a new accounts/account_inactive nextjs page to display the error message in the Relay layout. I made our custom allauth adapter redirect deactivated users to that url.

[say-yawn]

59a8b4f was not committed in this branch but the latest commit f937381 was exactly the same with a new pending string for api-error-account-is-inactive.

Checked that when user is inactive it sends the user to the /accounts/account_inactive/ and displays the following error message: