Don't require email for password users

Author: LaurentTreguier

src/main/java/app/fyreplace/api/data/dev/DataSeeder.java

@@ -15,6 +15,7 @@
 import app.fyreplace.api.data.Subscription;
 import app.fyreplace.api.data.User;
 import app.fyreplace.api.data.Vote;
+import io.quarkus.elytron.security.common.BcryptUtil;
 import io.quarkus.runtime.ShutdownEvent;
 import io.quarkus.runtime.StartupEvent;
 import jakarta.enterprise.context.ApplicationScoped;
@@ -46,8 +47,9 @@ public void onShutdown(@Observes final ShutdownEvent event) {
 
     @Transactional
     public void insertData() {
-        range(0, 20).forEach(i -> createUser("user_" + i, true, i % 2 == 0));
-        range(0, 10).forEach(i -> createUser("user_inactive_" + i, false, false));
+        createUser("demo", true, false, true);
+        range(0, 20).forEach(i -> createUser("user_" + i, true, i % 2 == 0, false));
+        range(0, 10).forEach(i -> createUser("user_inactive_" + i, false, false, false));
         final var user = User.findByUsername("user_0");
         range(0, 20).forEach(i -> createPost(user, "Post " + i, true, false));
         range(0, 20).forEach(i -> createPost(user, "Draft " + i, false, false));
@@ -76,7 +78,8 @@ public void deleteData() {
     }
 
     @Transactional(Transactional.TxType.REQUIRES_NEW)
-    public User createUser(final String username, final boolean active, final boolean hasAvatar) {
+    public User createUser(
+            final String username, final boolean active, final boolean hasAvatar, final boolean usesPassword) {
         final var user = new User();
         user.username = username;
         user.active = active;
@@ -94,14 +97,21 @@ public User createUser(final String username, final boolean active, final boolea
             }
         }
 
-        final var email = new Email();
-        email.user = user;
-        email.email = username + "@example.org";
-        email.verified = active;
-        email.persist();
+        if (usesPassword) {
+            final var password = new Password();
+            password.user = user;
+            password.password = BcryptUtil.bcryptHash(username + "_password");
+            password.persist();
+        } else {
+            final var email = new Email();
+            email.user = user;
+            email.email = username + "@example.org";
+            email.verified = active;
+            email.persist();
+            user.mainEmail = email;
+            user.persist();
+        }
 
-        user.mainEmail = email;
-        user.persist();
         return user;
     }
 

src/main/java/app/fyreplace/api/endpoints/TokensEndpoint.java

@@ -60,8 +60,10 @@ public final class TokensEndpoint {
     @CacheResult(cacheName = "requests", keyGenerator = DuplicateRequestKeyGenerator.class)
     public Response createToken(@NotNull @Valid final TokenCreation input) {
         final var email = getEmail(input.identifier());
-        final var password = Password.<Password>find("user", email.user).firstResult();
+        final var password =
+                Password.<Password>find("user.username", input.identifier()).firstResult();
         final RandomCode randomCode;
+        final User user;
 
         try (final var stream = RandomCode.<RandomCode>stream("email", email)) {
             randomCode = stream.filter(rc -> BcryptUtil.matches(input.secret(), rc.code))
@@ -71,18 +73,16 @@ public Response createToken(@NotNull @Valid final TokenCreation input) {
 
         if (randomCode != null) {
             randomCode.validateEmail();
+            user = email.user;
         } else if (password != null && BcryptUtil.matches(input.secret(), password.password)) {
-            email.verified = true;
-            email.persist();
+            user = password.user;
         } else {
             throw new BadRequestException();
         }
 
-        email.user.active = true;
-        email.user.persist();
-        return Response.status(Status.CREATED)
-                .entity(jwtService.makeJwt(email.user))
-                .build();
+        user.active = true;
+        user.persist();
+        return Response.status(Status.CREATED).entity(jwtService.makeJwt(user)).build();
     }
 
     @GET
@@ -118,7 +118,7 @@ public Response createNewToken(
             @NotNull @Valid final NewTokenCreation input,
             @QueryParam("customDeepLinks") final boolean customDeepLinks) {
         final var email = getEmail(input.identifier());
-        final var hasPassword = Password.count("user", email.user) > 0;
+        final var hasPassword = Password.count("user.username", input.identifier()) > 0;
 
         if (hasPassword) {
             throw new ForbiddenException("user_has_password");

src/test/java/app/fyreplace/api/testing/UserTestsBase.java

@@ -11,8 +11,8 @@ public class UserTestsBase extends TransactionalTestsBase {
     @Override
     public void beforeEach() {
         super.beforeEach();
-        range(0, getActiveUserCount()).forEach(i -> dataSeeder.createUser("user_" + i, true, false));
-        range(0, getInactiveUserCount()).forEach(i -> dataSeeder.createUser("user_inactive_" + i, false, false));
+        range(0, getActiveUserCount()).forEach(i -> dataSeeder.createUser("user_" + i, true, false, false));
+        range(0, getInactiveUserCount()).forEach(i -> dataSeeder.createUser("user_inactive_" + i, false, false, false));
     }
 
     public int getActiveUserCount() {

src/test/java/app/fyreplace/api/testing/endpoints/tokens/CreateNewTokenTests.java

@@ -5,6 +5,7 @@
 import static java.util.Objects.requireNonNull;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
+import app.fyreplace.api.data.Email;
 import app.fyreplace.api.data.NewTokenCreation;
 import app.fyreplace.api.data.Password;
 import app.fyreplace.api.data.User;
@@ -51,9 +52,10 @@ public void createNewTokenWhileUserHasPassword() {
             password.user = user;
             password.password = BcryptUtil.bcryptHash("password");
             password.persist();
+            Email.delete("user", user);
         });
         given().contentType(ContentType.JSON)
-                .body(new NewTokenCreation(user.mainEmail.email))
+                .body(new NewTokenCreation(user.username))
                 .post("new")
                 .then()
                 .statusCode(403);

src/test/java/app/fyreplace/api/testing/endpoints/tokens/CreateTokenTests.java

@@ -100,15 +100,13 @@ public void createTokenWithPassword() {
         final var randomCodeCount = RandomCode.count();
         assertFalse(password.user.mainEmail.verified);
         given().contentType(ContentType.JSON)
-                .body(new TokenCreation(password.user.mainEmail.email, "password"))
+                .body(new TokenCreation(password.user.username, "password"))
                 .post()
                 .then()
                 .statusCode(201)
                 .contentType(ContentType.TEXT)
                 .body(isA(String.class));
         assertEquals(randomCodeCount, RandomCode.count());
-        final var email = Email.<Email>find("id", password.user.mainEmail.id).firstResult();
-        assertTrue(email.verified);
     }
 
     @Test
@@ -165,6 +163,7 @@ public void beforeEach() {
         password.user = User.findByUsername("user_inactive_1");
         password.password = BcryptUtil.bcryptHash("password");
         password.persist();
+        Email.delete("user", password.user);
     }
 
     private RandomCode makeRandomCode(final String username, final String code) {