Ensure inactive users cannot get auth tokens (#218)
This was already the case bug we missed some checks