From 88a35e139dd91b4f932ea5fd4ddfec4a6116239b Mon Sep 17 00:00:00 2001
From: timedout <git@nexy7574.co.uk>
Date: Tue, 6 Jan 2026 21:47:58 +0000
Subject: [PATCH] fix: Correctly return M_USER_LOCKED during login

---
 src/api/client/session.rs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/api/client/session.rs b/src/api/client/session.rs
index 8cd61410..d295a5b3 100644
--- a/src/api/client/session.rs
+++ b/src/api/client/session.rs
@@ -13,6 +13,7 @@ use futures::StreamExt;
 use ruma::{
 	OwnedUserId, UserId,
 	api::client::{
+		error::ErrorKind,
 		session::{
 			get_login_token,
 			get_login_types::{
@@ -185,6 +186,10 @@ pub(crate) async fn handle_login(
 		return Err!(Request(Unknown("User ID does not belong to this homeserver")));
 	}
 
+	if services.users.is_locked(&user_id)? {
+		return Err(Error::BadRequest(ErrorKind::UserLocked, "This account has been locked."));
+	}
+
 	if services.users.is_login_disabled(&user_id).await {
 		warn!(%user_id, "user attempted to log in with a login-disabled account");
 		return Err!(Request(Forbidden("This account is not permitted to log in.")));