http: session/login reject disabled users; mid-session disable kicks immediately

internal/server/http/jobs.go

@@ -152,6 +152,12 @@ func (s *Server) requireUser(r *stdhttp.Request) (*store.User, bool) {
 	if err != nil {
 		return nil, false
 	}
+	if u.DisabledAt != nil {
+		// Disabled mid-session — kill the session and reject the
+		// request as if it were unauthenticated.
+		_ = s.deps.Store.DeleteSession(r.Context(), auth.HashToken(c.Value))
+		return nil, false
+	}
 	return u, true
 }