Describe the bug
OneTimeTokenAuthenticationProvider does not validate UserDetails account status checks (isEnabled, isAccountNonExpired, isAccountNonLocked). Users can authenticate with one-time tokens even when their accounts are disabled, expired, or locked. Currently, these checks must be handled manually in OneTimeTokenGenerationSuccessHandler, but we expect the AuthenticationProvider to handle these checks automatically like DaoAuthenticationProvider does.
To Reproduce
1. Create a UserDetails implementation that returns false for isEnabled(), isAccountNonExpired(), or isAccountNonLocked()
2. Attempt to authenticate using a valid one-time token for this user
3. Authentication succeeds despite the account status
4. Account status validation must be implemented separately in OneTimeTokenGenerationSuccessHandler
Expected behavior
Authentication should fail when UserDetails returns false for any of the following methods:
- isEnabled() - account is disabled
- isAccountNonExpired() - account has expired
- isAccountNonLocked() - account is locked
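
One way to enforce the three checks listed above at authentication time is to wrap the provider in a delegating one. This is an added example, not code from Spring Security or from the reporter; the class name `AccountStatusCheckingProvider` is hypothetical, and it assumes the wrapped provider returns the loaded UserDetails as the principal of the authenticated result.

```java
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical wrapper (not part of Spring Security): delegates to another
// AuthenticationProvider, then rejects the result if the account is unusable.
public final class AccountStatusCheckingProvider implements AuthenticationProvider {

    private final AuthenticationProvider delegate;

    public AccountStatusCheckingProvider(AuthenticationProvider delegate) {
        this.delegate = delegate;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Authentication result = this.delegate.authenticate(authentication);
        if (result == null) {
            return null; // delegate made no decision; let other providers try
        }
        // Assumption: the delegate exposes the loaded UserDetails as principal.
        // Fail closed if it does not, so the status checks are never skipped.
        if (!(result.getPrincipal() instanceof UserDetails user)) {
            throw new AuthenticationServiceException("Principal is not a UserDetails; cannot verify account status");
        }
        if (!user.isAccountNonLocked()) {
            throw new LockedException("User account is locked");
        }
        if (!user.isEnabled()) {
            throw new DisabledException("User account is disabled");
        }
        if (!user.isAccountNonExpired()) {
            throw new AccountExpiredException("User account has expired");
        }
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return this.delegate.supports(authentication);
    }
}
```

The wrapper runs its checks after the delegate has validated the token, so a rejected login for a disabled, expired, or locked account surfaces as the same exception types DaoAuthenticationProvider raises.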