Merge pull request #452 from kenjis/fix-User-identites

fix: bug that when UserIdentity is changed, the correct user identities are not returned afterwards

Author: kenjis

src/Entities/User.php

@@ -121,6 +121,9 @@ public function createEmailIdentity(array $credentials): void
         $identityModel = model(UserIdentityModel::class);
 
         $identityModel->createEmailIdentity($this, $credentials);
+
+        // Ensure we will reload all identities
+        $this->identities = null;
     }
 
     /**
@@ -151,6 +154,7 @@ public function saveEmailIdentity(): bool
                 'email'    => $this->email,
                 'password' => '',
             ]);
+
             $identity = $this->getEmailIdentity();
         }
 

src/Entities/UserIdentity.php

@@ -21,7 +21,9 @@
  * though a Authenticator may want to enforce only one exists for that
  * user, like a password.
  *
- * @property Time|null $last_used_at
+ * @property Time|null   $last_used_at
+ * @property string|null $secret
+ * @property string|null $secret2
  */
 class UserIdentity extends Entity
 {

src/Models/UserIdentityModel.php

@@ -12,6 +12,7 @@
 use CodeIgniter\Shield\Entities\AccessToken;
 use CodeIgniter\Shield\Entities\User;
 use CodeIgniter\Shield\Entities\UserIdentity;
+use CodeIgniter\Shield\Exceptions\LogicException;
 use Faker\Generator;
 
 class UserIdentityModel extends Model
@@ -59,6 +60,8 @@ public function create($data): void
      */
     public function createEmailIdentity(User $user, array $credentials): void
     {
+        $this->checkUserId($user);
+
         /** @var Passwords $passwords */
         $passwords = service('passwords');
 
@@ -72,6 +75,15 @@ public function createEmailIdentity(User $user, array $credentials): void
         $this->checkQueryReturn($return);
     }
 
+    private function checkUserId(User $user): void
+    {
+        if ($user->id === null) {
+            throw new LogicException(
+                '"$user->id" is null. You should not use the incomplete User object.'
+            );
+        }
+    }
+
     /**
      * Create an identity with 6 digits code for auth action
      *
@@ -85,7 +97,7 @@ public function createCodeIdentity(
         array $data,
         callable $codeGenerator
     ): string {
-        assert($user->id !== null);
+        $this->checkUserId($user);
 
         helper('text');
 
@@ -120,6 +132,8 @@ public function createCodeIdentity(
      */
     public function generateAccessToken(User $user, string $name, array $scopes = ['*']): AccessToken
     {
+        $this->checkUserId($user);
+
         helper('text');
 
         $return = $this->insert([
@@ -153,6 +167,8 @@ public function getAccessTokenByRawToken(string $rawToken): ?AccessToken
 
     public function getAccessToken(User $user, string $rawToken): ?AccessToken
     {
+        $this->checkUserId($user);
+
         return $this->where('user_id', $user->id)
             ->where('type', AccessTokens::ID_TYPE_ACCESS_TOKEN)
             ->where('secret', hash('sha256', $rawToken))
@@ -167,6 +183,8 @@ public function getAccessToken(User $user, string $rawToken): ?AccessToken
      */
     public function getAccessTokenById($id, User $user): ?AccessToken
     {
+        $this->checkUserId($user);
+
         return $this->where('user_id', $user->id)
             ->where('type', AccessTokens::ID_TYPE_ACCESS_TOKEN)
             ->where('id', $id)
@@ -179,6 +197,8 @@ public function getAccessTokenById($id, User $user): ?AccessToken
      */
     public function getAllAccessTokens(User $user): array
     {
+        $this->checkUserId($user);
+
         return $this
             ->where('user_id', $user->id)
             ->where('type', AccessTokens::ID_TYPE_ACCESS_TOKEN)
@@ -208,6 +228,8 @@ public function getIdentityBySecret(string $type, ?string $secret): ?UserIdentit
      */
     public function getIdentities(User $user): array
     {
+        $this->checkUserId($user);
+
         return $this->where('user_id', $user->id)->orderBy($this->primaryKey)->findAll();
     }
 
@@ -226,6 +248,8 @@ public function getIdentitiesByUserIds(array $userIds): array
      */
     public function getIdentityByType(User $user, string $type): ?UserIdentity
     {
+        $this->checkUserId($user);
+
         return $this->where('user_id', $user->id)
             ->where('type', $type)
             ->orderBy($this->primaryKey)
@@ -241,6 +265,8 @@ public function getIdentityByType(User $user, string $type): ?UserIdentity
      */
     public function getIdentitiesByTypes(User $user, array $types): array
     {
+        $this->checkUserId($user);
+
         if ($types === []) {
             return [];
         }
@@ -265,6 +291,8 @@ public function touchIdentity(UserIdentity $identity): void
 
     public function deleteIdentitiesByType(User $user, string $type): void
     {
+        $this->checkUserId($user);
+
         $return = $this->where('user_id', $user->id)
             ->where('type', $type)
             ->delete();
@@ -277,6 +305,8 @@ public function deleteIdentitiesByType(User $user, string $type): void
      */
     public function revokeAccessToken(User $user, string $rawToken): void
     {
+        $this->checkUserId($user);
+
         $return = $this->where('user_id', $user->id)
             ->where('type', AccessTokens::ID_TYPE_ACCESS_TOKEN)
             ->where('secret', hash('sha256', $rawToken))
@@ -290,6 +320,8 @@ public function revokeAccessToken(User $user, string $rawToken): void
      */
     public function revokeAllAccessTokens(User $user): void
     {
+        $this->checkUserId($user);
+
         $return = $this->where('user_id', $user->id)
             ->where('type', AccessTokens::ID_TYPE_ACCESS_TOKEN)
             ->delete();

src/Models/UserModel.php

@@ -225,7 +225,8 @@ public function activate(User $user): void
      */
     public function insert($data = null, bool $returnID = true)
     {
-        $this->tempUser = $data instanceof User ? $data : null;
+        // Clone User object for not changing the passed object.
+        $this->tempUser = $data instanceof User ? clone $data : null;
 
         $result = parent::insert($data, $returnID);
 
@@ -245,7 +246,8 @@ public function insert($data = null, bool $returnID = true)
      */
     public function update($id = null, $data = null): bool
     {
-        $this->tempUser = $data instanceof User ? $data : null;
+        // Clone User object for not changing the passed object.
+        $this->tempUser = $data instanceof User ? clone $data : null;
 
         try {
             /** @throws DataException */
@@ -303,6 +305,9 @@ protected function saveEmailIdentity(array $data): array
             /** @var User $user */
             $user = $this->find($this->db->insertID());
 
+            // If you get identity (email/password), the User object must have the id.
+            $this->tempUser->id = $user->id;
+
             $user->email         = $this->tempUser->email ?? '';
             $user->password      = $this->tempUser->password ?? '';
             $user->password_hash = $this->tempUser->password_hash ?? '';

tests/Unit/UserModelTest.php

@@ -5,6 +5,7 @@
 namespace Tests\Unit;
 
 use CodeIgniter\Shield\Entities\User;
+use CodeIgniter\Shield\Exceptions\LogicException;
 use CodeIgniter\Shield\Models\UserModel;
 use CodeIgniter\Test\DatabaseTestTrait;
 use Tests\Support\TestCase;
@@ -62,6 +63,22 @@ public function testInsertUserObject(): void
         ]);
     }
 
+    /**
+     * @see https://github.com/codeigniter4/shield/issues/450
+     */
+    public function testSaveNewUserAndGetEmailIdentity(): void
+    {
+        $this->expectException(LogicException::class);
+        $this->expectExceptionMessage('"$user->id" is null. You should not use the incomplete User object.');
+
+        $users = $this->createUserModel();
+        $user  = $this->createNewUser();
+
+        $users->save($user);
+
+        $user->getEmailIdentity();
+    }
+
     /**
      * This test is not correct.
      *

tests/Unit/UserTest.php

@@ -55,7 +55,7 @@ public function testGetIdentitiesByType(): void
         $this->assertEmpty($this->user->getIdentities('foo'));
     }
 
-    public function testModelfindAllWithIdentities(): void
+    public function testModelFindAllWithIdentities(): void
     {
         fake(UserModel::class);
         fake(UserIdentityModel::class, ['user_id' => $this->user->id, 'type' => 'password']);
@@ -69,7 +69,7 @@ public function testModelfindAllWithIdentities(): void
         $this->assertCount(2, $identities);
     }
 
-    public function testModelfindByIdWithIdentities(): void
+    public function testModelFindByIdWithIdentities(): void
     {
         fake(UserModel::class);
         fake(UserIdentityModel::class, ['user_id' => $this->user->id, 'type' => 'password']);
@@ -216,4 +216,30 @@ public function testUpdatePasswordHash(): void
             'secret2' => $hash,
         ]);
     }
+
+    public function testCreateEmailIdentity(): void
+    {
+        $identity = $this->user->getEmailIdentity();
+        $this->assertNull($identity);
+
+        $this->user->createEmailIdentity([
+            'email'    => 'foo@example.com',
+            'password' => 'passbar',
+        ]);
+
+        $identity = $this->user->getEmailIdentity();
+        $this->assertSame('foo@example.com', $identity->secret);
+    }
+
+    public function testSaveEmailIdentity(): void
+    {
+        $hash                      = service('passwords')->hash('passbar');
+        $this->user->email         = 'foo@example.com';
+        $this->user->password_hash = $hash;
+
+        $this->user->saveEmailIdentity();
+
+        $identity = $this->user->getEmailIdentity();
+        $this->assertSame('foo@example.com', $identity->secret);
+    }
 }