From f07faa48b63f82f36757062daf19d10ae70191be Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Thu, 6 Dec 2018 22:39:17 +0100
Subject: [PATCH] WFE: return unauthorized prob from NewAccount for deactivated accounts.
Returns a specific unauthorized problem when `newAccount` is called with a public key matching a deactivated account. This is a compromise on contradicting conditions in [7.3.6](https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.3.6) (*"Once an account is deactivated, the server MUST NOT accept further requests authorized by that account's key."*) and [7.3.1](https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.3.1) (*"If the server receives a newAccount request signed with a key for which it already has an account registered with the provided account key, then it MUST return a response with a 200 (OK) status code and provide the URL of that account in the Location header field. The body of this response represents the account object as it existed on the server before this request."*) of [draft-16](https://tools.ietf.org/html/draft-ietf-acme-acme-16). Fixes #179.
---
wfe/wfe.go | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/wfe/wfe.go b/wfe/wfe.go
index c60b7de3..5b927970 100644
--- a/wfe/wfe.go
+++ b/wfe/wfe.go
@@ -941,11 +941,18 @@ func (wfe *WebFrontEndImpl) NewAccount(
 // Lookup existing account to exit early if it exists
 existingAcct, _ := wfe.db.GetAccountByKey(postData.jwk)
 if existingAcct != nil {
- // If there is an existing account then return a Location header pointing to
- // the account and a 200 OK response
- acctURL := wfe.relativeEndpoint(request, fmt.Sprintf("%s%s", acctPath, existingAcct.ID))
- response.Header().Set("Location", acctURL)
- _ = wfe.writeJsonResponse(response, http.StatusOK, existingAcct)
+ if existingAcct.Status == acme.StatusDeactivated {
+ // If there is an existing, but deactivated account, then return an unauthorized
+ // problem informing the user that this account was deactivated
+ wfe.sendError(acme.UnauthorizedProblem(
+ "An account with the provided public key exists but is deactivated"), response)
+ } else {
+ // If there is an existing account then return a Location header pointing to
+ // the account and a 200 OK response
+ acctURL := wfe.relativeEndpoint(request, fmt.Sprintf("%s%s", acctPath, existingAcct.ID))
+ response.Header().Set("Location", acctURL)
+ _ = wfe.writeJsonResponse(response, http.StatusOK, existingAcct)
+ }
 return
 } else if existingAcct == nil && newAcctReq.OnlyReturnExisting {
 // If there *isn't* an existing account and the created account request
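Review bot: The new branch only diverts an account whose Status equals acme.StatusDeactivated, so an existing account in any other non-valid state (the draft also defines a revoked account status) still takes the 200 + Location path in the else block and keeps being usable as an identity for newAccount. A positive check, `if existingAcct.Status != acme.StatusValid {`, followed by the `wfe.sendError(...)` call and an early `return`, would deny every non-valid state by default, keep the happy path left-aligned and drop the else block, at the cost of generalising the problem detail text beyond "is deactivated". Which account statuses the acme package actually defines is not visible in this hunk, so confirm that before widening the comparison. NewAccount begins and ends outside the hunk.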