MettaChain · LaGodxy · Apr 22, 2026 · Apr 22, 2026
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
@@ -69,6 +69,7 @@ model User {
   phone         String?
   role          UserRole  @default(USER)
   isVerified    Boolean   @default(false) @map("is_verified")
+  isBlocked     Boolean   @default(false) @map("is_blocked")
   twoFactorEnabled Boolean @default(false) @map("two_factor_enabled")
   twoFactorSecret  String? @map("two_factor_secret")
   twoFactorBackupCodes String[] @default([]) @map("two_factor_backup_codes")

diff --git a/src/auth/auth.service.ts b/src/auth/auth.service.ts
@@ -104,6 +104,10 @@
       throw new UnauthorizedException('Invalid credentials');
     }
 
+    if (user.isBlocked) {
+      throw new UnauthorizedException('Your account has been blocked. Please contact support.');
+    }
+
     const passwordMatches = await comparePassword(data.password, user.password);
     if (!passwordMatches) {
       throw new UnauthorizedException('Invalid credentials');
@@ -166,6 +170,10 @@
       throw new UnauthorizedException('User no longer exists');
     }
 
+    if (user.isBlocked) {
+      throw new UnauthorizedException('Your account has been blocked');
+    }
+
     if (user.id !== payload.sub) {
       throw new UnauthorizedException('Refresh token does not match the authenticated user');
     }
@@ -410,7 +418,7 @@
      orderBy: { createdAt: 'desc' },
    });

    return apiKeys.map((apiKey: any) => this.toApiKeyResponse(apiKey));
  }

  async rotateApiKey(user: AuthUserPayload, apiKeyId: string) {
@@ -491,6 +499,10 @@
       throw new UnauthorizedException('Invalid API key');
     }
 
+    if (apiKey.user.isBlocked) {
+      throw new UnauthorizedException('User account is blocked');
+    }
+
     await this.prisma.apiKey.update({
       where: { id: apiKey.id },
       data: {
@@ -506,7 +518,7 @@
    };
  }

  private async issueTokenPair(user: any) {
    const accessJti = randomUUID();
    const refreshJti = randomUUID();

@@ -588,7 +600,7 @@
    return `pc_${randomToken(24)}`;
  }

  private toApiKeyResponse(apiKey: any) {
    return {
      id: apiKey.id,
      name: apiKey.name,

diff --git a/src/users/users.controller.ts b/src/users/users.controller.ts
@@ -26,6 +26,16 @@ export class UsersController {
     return this.usersService.update(id, updateUserDto);
   }
 
+  @Post(':id/block')
+  block(@Param('id') id: string) {
+    return this.usersService.block(id);
+  }
+
+  @Post(':id/unblock')
+  unblock(@Param('id') id: string) {
+    return this.usersService.unblock(id);
+  }
+
   @Delete(':id')
   remove(@Param('id') id: string) {
     return this.usersService.remove(id);

diff --git a/src/users/users.service.ts b/src/users/users.service.ts
@@ -102,6 +102,30 @@ export class UsersService {
     });
   }
 
+  async block(id: string) {
+    return this.prisma.user.update({
+      where: { id },
+      data: { isBlocked: true },
+      select: {
+        id: true,
+        email: true,
+        isBlocked: true,
+      },
+    });
+  }
+
+  async unblock(id: string) {
+    return this.prisma.user.update({
+      where: { id },
+      data: { isBlocked: false },
+      select: {
+        id: true,
+        email: true,
+        isBlocked: true,
+      },
+    });
+  }
+
   async remove(id: string) {
     return this.prisma.user.delete({
       where: { id },