Fix AuthenticationEventListener to handle different authentication types properly

devondragon · claude · devondragon · commit 823e25e767aa · 2025-07-22T14:04:05.000-06:00
- Add support for DSUserDetails, OAuth2User, and String principals - Extract username/email from appropriate sources based on principal type - Handle OAuth2 authentication where email might be in attributes - Fall back gracefully when username cannot be extracted - Update tests to reflect proper behavior for edge cases - Ensure backward compatibility with existing authentication flows This fix addresses the issue where DSUserDetails had a null user in OAuth2 authentication scenarios by properly extracting the username from different principal types. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/gradle.properties b/gradle.properties
@@ -1,3 +1,3 @@
-version=3.2.4-SNAPSHOT
+version=3.3.0-SNAPSHOT
 mavenCentralPublishing=true
 mavenCentralAutomaticPublishing=true
diff --git a/src/main/java/com/digitalsanctuary/spring/user/listener/AuthenticationEventListener.java b/src/main/java/com/digitalsanctuary/spring/user/listener/AuthenticationEventListener.java
@@ -3,7 +3,9 @@
 import org.springframework.context.event.EventListener;
 import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
 import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
+import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.stereotype.Component;
+import com.digitalsanctuary.spring.user.service.DSUserDetails;
 import com.digitalsanctuary.spring.user.service.LoginAttemptService;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -22,28 +24,74 @@ public class AuthenticationEventListener {
 
     /**
      * This method listens for successful authentications and handles account lockout functionality.
+     * It properly handles different authentication types including form login, OAuth2, and OIDC.
      *
      * @param success the success event
      */
     @EventListener
     public void onSuccess(AuthenticationSuccessEvent success) {
-        // Handle successful authentication, e.g. logging or auditing
-        log.debug("Authentication success: " + success.getAuthentication().getName());
-        String username = success.getAuthentication().getName();
-        loginAttemptService.loginSucceeded(username);
+        // Extract username/email based on the principal type
+        String username = null;
+        Object principal = success.getAuthentication().getPrincipal();
+        
+        if (principal instanceof DSUserDetails) {
+            // Form login or custom authentication
+            username = ((DSUserDetails) principal).getUsername();
+            log.debug("Authentication success for DSUserDetails: {}", username);
+        } else if (principal instanceof OAuth2User) {
+            // OAuth2/OIDC authentication - try to get email
+            OAuth2User oauth2User = (OAuth2User) principal;
+            username = oauth2User.getAttribute("email");
+            if (username == null) {
+                // Fallback to name if email is not available
+                username = oauth2User.getName();
+            }
+            log.debug("Authentication success for OAuth2User: {}", username);
+        } else if (principal instanceof String) {
+            // Basic authentication or remember-me
+            username = (String) principal;
+            log.debug("Authentication success for String principal: {}", username);
+        } else {
+            // Fallback to getName() method for unknown principal types
+            username = success.getAuthentication().getName();
+            log.debug("Authentication success for unknown principal type {}: {}", 
+                     principal != null ? principal.getClass().getName() : "null", username);
+        }
+        
+        // Only process login success if we have a valid username
+        if (username != null && !username.trim().isEmpty()) {
+            loginAttemptService.loginSucceeded(username);
+        } else {
+            log.warn("Could not extract valid username from authentication event - not tracking");
+        }
     }
 
     /**
      * This method listens for authentication failures and handles account lockout functionality.
+     * It properly handles different authentication types including form login, OAuth2, and OIDC.
      *
      * @param failure the failure event
      */
     @EventListener
     public void onFailure(AbstractAuthenticationFailureEvent failure) {
-        // Handle unsuccessful authentication, e.g. logging or auditing
-        log.debug("Authentication failure: " + failure.getException().getMessage());
+        // For failures, try to get username from getName() first (the attempted username)
         String username = failure.getAuthentication().getName();
-        loginAttemptService.loginFailed(username);
+        
+        // If getName() is null/empty, try to extract from principal
+        if (username == null || username.trim().isEmpty()) {
+            Object principal = failure.getAuthentication().getPrincipal();
+            if (principal instanceof String) {
+                username = (String) principal;
+            }
+        }
+        
+        // Only process login failure if we have a valid username
+        if (username != null && !username.trim().isEmpty()) {
+            log.debug("Authentication failure for user '{}': {}", username, failure.getException().getMessage());
+            loginAttemptService.loginFailed(username);
+        } else {
+            log.warn("Could not extract valid username from authentication failure event - not tracking");
+        }
     }
 
 }
diff --git a/src/test/java/com/digitalsanctuary/spring/user/listener/AuthenticationEventListenerOAuth2Test.java b/src/test/java/com/digitalsanctuary/spring/user/listener/AuthenticationEventListenerOAuth2Test.java
@@ -0,0 +1,288 @@
+package com.digitalsanctuary.spring.user.listener;
+
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.core.user.OAuth2User;
+
+import com.digitalsanctuary.spring.user.persistence.model.User;
+import com.digitalsanctuary.spring.user.service.DSUserDetails;
+import com.digitalsanctuary.spring.user.service.LoginAttemptService;
+
+/**
+ * Test class for AuthenticationEventListener OAuth2 authentication handling.
+ * Verifies that the listener correctly extracts usernames from different principal types.
+ */
+@ExtendWith(MockitoExtension.class)
+class AuthenticationEventListenerOAuth2Test {
+
+    @Mock
+    private LoginAttemptService loginAttemptService;
+
+    @Mock
+    private OAuth2User oauth2User;
+
+    @Mock
+    private DSUserDetails dsUserDetails;
+
+    @InjectMocks
+    private AuthenticationEventListener authenticationEventListener;
+
+    private User testUser;
+
+    @BeforeEach
+    void setUp() {
+        testUser = new User();
+        testUser.setEmail("test@example.com");
+        testUser.setFirstName("Test");
+        testUser.setLastName("User");
+    }
+
+    @Test
+    void onSuccess_withDSUserDetailsPrincipal_extractsEmailCorrectly() {
+        // Given
+        when(dsUserDetails.getUsername()).thenReturn("test@example.com");
+        UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
+            dsUserDetails, null, dsUserDetails.getAuthorities());
+        AuthenticationSuccessEvent event = new AuthenticationSuccessEvent(auth);
+
+        // When
+        authenticationEventListener.onSuccess(event);
+
+        // Then
+        verify(loginAttemptService).loginSucceeded("test@example.com");
+    }
+
+    @Test
+    void onSuccess_withOAuth2UserPrincipalWithEmail_extractsEmailCorrectly() {
+        // Given
+        when(oauth2User.getAttribute("email")).thenReturn("oauth@example.com");
+        
+        UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
+            oauth2User, null, oauth2User.getAuthorities());
+        AuthenticationSuccessEvent event = new AuthenticationSuccessEvent(auth);
+
+        // When
+        authenticationEventListener.onSuccess(event);
+
+        // Then
+        verify(loginAttemptService).loginSucceeded("oauth@example.com");
+    }
+
+    @Test
+    void onSuccess_withOAuth2UserPrincipalWithoutEmail_fallsBackToName() {
+        // Given
+        when(oauth2User.getAttribute("email")).thenReturn(null);
+        when(oauth2User.getName()).thenReturn("oauth_user_123");
+        
+        UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
+            oauth2User, null, oauth2User.getAuthorities());
+        AuthenticationSuccessEvent event = new AuthenticationSuccessEvent(auth);
+
+        // When
+        authenticationEventListener.onSuccess(event);
+
+        // Then
+        verify(loginAttemptService).loginSucceeded("oauth_user_123");
+    }
+
+    @Test
+    void onSuccess_withStringPrincipal_extractsUsernameCorrectly() {
+        // Given
+        String username = "testuser@example.com";
+        UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
+            username, null);
+        AuthenticationSuccessEvent event = new AuthenticationSuccessEvent(auth);
+
+        // When
+        authenticationEventListener.onSuccess(event);
+
+        // Then
+        verify(loginAttemptService).loginSucceeded(username);
+    }
+
+    @Test
+    void onSuccess_withUnknownPrincipalType_fallsBackToGetName() {
+        // Given
+        Object unknownPrincipal = new Object() {
+            @Override
+            public String toString() {
+                return "unknown_principal";
+            }
+        };
+        
+        UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
+            unknownPrincipal, null);
+        AuthenticationSuccessEvent event = new AuthenticationSuccessEvent(auth) {
+            @Override
+            public Authentication getAuthentication() {
+                return new Authentication() {
+                    @Override
+                    public String getName() {
+                        return "fallback@example.com";
+                    }
+                    
+                    @Override
+                    public Collection<? extends GrantedAuthority> getAuthorities() {
+                        return auth.getAuthorities();
+                    }
+                    
+                    @Override
+                    public Object getCredentials() {
+                        return auth.getCredentials();
+                    }
+                    
+                    @Override
+                    public Object getDetails() {
+                        return auth.getDetails();
+                    }
+                    
+                    @Override
+                    public Object getPrincipal() {
+                        return unknownPrincipal;
+                    }
+                    
+                    @Override
+                    public boolean isAuthenticated() {
+                        return auth.isAuthenticated();
+                    }
+                    
+                    @Override
+                    public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
+                        auth.setAuthenticated(isAuthenticated);
+                    }
+                };
+            }
+        };
+
+        // When
+        authenticationEventListener.onSuccess(event);
+
+        // Then
+        verify(loginAttemptService).loginSucceeded("fallback@example.com");
+    }
+
+    @Test
+    void onSuccess_withNullUsername_doesNotCallLoginAttemptService() {
+        // Given
+        when(oauth2User.getAttribute("email")).thenReturn(null);
+        when(oauth2User.getName()).thenReturn(null);
+        
+        // Create an authentication with a custom implementation that returns null for getName()
+        Authentication auth = new Authentication() {
+            @Override
+            public String getName() {
+                return null;
+            }
+            
+            @Override
+            public Collection<? extends GrantedAuthority> getAuthorities() {
+                return oauth2User.getAuthorities();
+            }
+            
+            @Override
+            public Object getCredentials() {
+                return null;
+            }
+            
+            @Override
+            public Object getDetails() {
+                return null;
+            }
+            
+            @Override
+            public Object getPrincipal() {
+                return oauth2User;
+            }
+            
+            @Override
+            public boolean isAuthenticated() {
+                return true;
+            }
+            
+            @Override
+            public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
+            }
+        };
+        
+        AuthenticationSuccessEvent event = new AuthenticationSuccessEvent(auth);
+
+        // When
+        authenticationEventListener.onSuccess(event);
+
+        // Then
+        verify(loginAttemptService, never()).loginSucceeded(anyString());
+    }
+
+    @Test
+    void onSuccess_withNullPrincipal_handlesGracefully() {
+        // Given
+        UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
+            null, null);
+        AuthenticationSuccessEvent event = new AuthenticationSuccessEvent(auth) {
+            @Override
+            public Authentication getAuthentication() {
+                return new Authentication() {
+                    @Override
+                    public String getName() {
+                        return "auth_name@example.com";
+                    }
+                    
+                    @Override
+                    public Collection<? extends GrantedAuthority> getAuthorities() {
+                        return auth.getAuthorities();
+                    }
+                    
+                    @Override
+                    public Object getCredentials() {
+                        return auth.getCredentials();
+                    }
+                    
+                    @Override
+                    public Object getDetails() {
+                        return auth.getDetails();
+                    }
+                    
+                    @Override
+                    public Object getPrincipal() {
+                        return null;
+                    }
+                    
+                    @Override
+                    public boolean isAuthenticated() {
+                        return auth.isAuthenticated();
+                    }
+                    
+                    @Override
+                    public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
+                        auth.setAuthenticated(isAuthenticated);
+                    }
+                };
+            }
+        };
+
+        // When
+        authenticationEventListener.onSuccess(event);
+
+        // Then
+        verify(loginAttemptService).loginSucceeded("auth_name@example.com");
+    }
+}
diff --git a/src/test/java/com/digitalsanctuary/spring/user/listener/AuthenticationEventListenerTest.java b/src/test/java/com/digitalsanctuary/spring/user/listener/AuthenticationEventListenerTest.java
