Fix Hibernate entity management issue with User collections

- Changed internal User.roles storage from List to Set to prevent Hibernate immutable proxy issues
- Maintained backward compatibility by keeping existing getRoles()/setRoles() methods
- Added new getRolesAsSet()/setRolesAsSet() methods for direct Set access
- All collection methods now use defensive copying to ensure mutability
- Fixed DSOidcUserService to properly assign roles to OAuth2 users
- Added comprehensive integration tests to verify User entity updates work correctly

This fixes the UnsupportedOperationException that was occurring when trying to save
User entities after modification, particularly in LoginAttemptService and OAuth2
integration scenarios.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: devondragon

src/main/java/com/digitalsanctuary/spring/user/persistence/model/User.java

@@ -1,12 +1,17 @@
 package com.digitalsanctuary.spring.user.persistence.model;
 
+import java.util.ArrayList;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import org.springframework.data.annotation.CreatedDate;
 import org.springframework.data.annotation.LastModifiedDate;
 import org.springframework.data.jpa.domain.support.AuditingEntityListener;
 import jakarta.persistence.*;
 import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.ToString;
 
 /**
  * The User Entity. Part of the basic User ->> Role ->> Privilege structure. This is the primary user data object. You can add to this, or add
@@ -92,11 +97,13 @@ public enum Provider {
 	@Temporal(TemporalType.TIMESTAMP)
 	private Date lockedDate;
 
-	/** The roles. */
+	/** The roles - stored as Set to avoid Hibernate immutable collection issues */
+	@ToString.Exclude
+	@EqualsAndHashCode.Exclude
 	@ManyToMany(cascade = {CascadeType.PERSIST, CascadeType.MERGE}, fetch = FetchType.EAGER)
 	@JoinTable(name = "users_roles", joinColumns = @JoinColumn(name = "user_id", referencedColumnName = "id"),
 			inverseJoinColumns = @JoinColumn(name = "role_id", referencedColumnName = "id"))
-	private List<Role> roles;
+	private Set<Role> roles = new HashSet<>();
 
 	/**
 	 * Instantiates a new user.
@@ -122,4 +129,43 @@ public void setLastActivityDate() {
 	public String getFullName() {
 		return firstName + " " + lastName;
 	}
+
+	/**
+	 * Gets the roles as a List for backward compatibility.
+	 * 
+	 * @return the roles as a List
+	 */
+	public List<Role> getRoles() {
+		return new ArrayList<>(roles);
+	}
+
+	/**
+	 * Sets the roles from a List for backward compatibility.
+	 * Creates a new HashSet to ensure the collection is mutable.
+	 * 
+	 * @param rolesList the roles to set
+	 */
+	public void setRoles(List<Role> rolesList) {
+		this.roles = new HashSet<>(rolesList != null ? rolesList : new ArrayList<>());
+	}
+
+	/**
+	 * Gets the roles as a Set (preferred method).
+	 * Returns a defensive copy to prevent external modification.
+	 * 
+	 * @return the roles as a Set
+	 */
+	public Set<Role> getRolesAsSet() {
+		return new HashSet<>(roles);
+	}
+
+	/**
+	 * Sets the roles from a Set (preferred method).
+	 * Creates a new HashSet to ensure the collection is mutable.
+	 * 
+	 * @param rolesSet the roles to set
+	 */
+	public void setRolesAsSet(Set<Role> rolesSet) {
+		this.roles = new HashSet<>(rolesSet != null ? rolesSet : new HashSet<>());
+	}
 }

src/main/java/com/digitalsanctuary/spring/user/service/DSOidcUserService.java

@@ -1,6 +1,8 @@
 package com.digitalsanctuary.spring.user.service;
 
+import java.util.Arrays;
 import com.digitalsanctuary.spring.user.persistence.model.User;
+import com.digitalsanctuary.spring.user.persistence.repository.RoleRepository;
 import com.digitalsanctuary.spring.user.persistence.repository.UserRepository;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -41,6 +43,9 @@ public class DSOidcUserService implements OAuth2UserService<OidcUserRequest, Oid
 
     /** The user repository. */
     private final UserRepository userRepository;
+    
+    /** The role repository. */
+    private final RoleRepository roleRepository;
 
     OidcUserService defaultOidcUserService = new OidcUserService();
 
@@ -100,7 +105,7 @@ public User handleOidcLoginSuccess(String registrationId, OidcUser oidcUser) {
     private User registerNewOidcUser(String registrationId, User user) {
         User.Provider provider = User.Provider.valueOf(registrationId.toUpperCase());
         user.setProvider(provider);
-        // user.setRoles(Collections.singletonList(roleRepository.findByName(RoleName.ROLE_USER)));
+        user.setRoles(Arrays.asList(roleRepository.findByName("ROLE_USER")));
         // We will trust OAuth2 providers to provide us with a verified email address.
         user.setEnabled(true);
         return userRepository.save(user);

src/test/java/com/digitalsanctuary/spring/user/service/UserUpdateIntegrationTest.java

@@ -0,0 +1,252 @@
+package com.digitalsanctuary.spring.user.service;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+
+import java.util.Arrays;
+import java.util.HashSet;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.TestPropertySource;
+import org.springframework.transaction.annotation.Transactional;
+
+import com.digitalsanctuary.spring.user.persistence.model.Role;
+import com.digitalsanctuary.spring.user.persistence.model.User;
+import com.digitalsanctuary.spring.user.persistence.repository.RoleRepository;
+import com.digitalsanctuary.spring.user.persistence.repository.UserRepository;
+
+import jakarta.persistence.EntityManager;
+import jakarta.persistence.PersistenceContext;
+
+/**
+ * Integration test to verify that User entity updates work correctly with Hibernate.
+ * This test specifically validates the fix for the UnsupportedOperationException
+ * that was occurring when trying to update User entities with collection fields.
+ */
+@SpringBootTest
+@TestPropertySource(properties = {
+    "user.registration.sendVerificationEmail=false",
+    "user.security.failedLoginAttempts=3",
+    "user.security.accountLockoutDuration=1"
+})
+class UserUpdateIntegrationTest {
+
+    @Autowired
+    private UserRepository userRepository;
+
+    @Autowired
+    private RoleRepository roleRepository;
+
+    @Autowired
+    private LoginAttemptService loginAttemptService;
+
+    @PersistenceContext
+    private EntityManager entityManager;
+
+    private Role userRole;
+    private Role adminRole;
+
+    @BeforeEach
+    void setUp() {
+        // Clean up
+        userRepository.deleteAll();
+        roleRepository.deleteAll();
+
+        // Create roles
+        userRole = new Role("ROLE_USER", "Basic user role");
+        userRole = roleRepository.save(userRole);
+
+        adminRole = new Role("ROLE_ADMIN", "Administrator role");
+        adminRole = roleRepository.save(adminRole);
+    }
+
+    @Test
+    @Transactional
+    void testUserUpdateWithRolesCollection_NoUnsupportedOperationException() {
+        // Create user with roles using List (backward compatible method)
+        User user = new User();
+        user.setEmail("[email protected]");
+        user.setFirstName("Test");
+        user.setLastName("User");
+        user.setPassword("password");
+        user.setEnabled(true);
+        user.setRoles(Arrays.asList(userRole));
+        
+        user = userRepository.save(user);
+        assertThat(user.getId()).isNotNull();
+        assertThat(user.getRoles()).hasSize(1);
+
+        // Clear the session to simulate real-world scenario
+        entityManager.flush();
+        entityManager.clear();
+
+        // Load user again (simulating a new transaction)
+        User loadedUser = userRepository.findByEmail("[email protected]");
+        assertThat(loadedUser).isNotNull();
+
+        // This should NOT throw UnsupportedOperationException
+        assertDoesNotThrow(() -> {
+            loadedUser.setFailedLoginAttempts(3);
+            loadedUser.setLocked(true);
+            userRepository.save(loadedUser);
+        });
+
+        // Verify the update worked
+        entityManager.flush();
+        entityManager.clear();
+        
+        User verifiedUser = userRepository.findByEmail("[email protected]");
+        assertThat(verifiedUser.getFailedLoginAttempts()).isEqualTo(3);
+        assertThat(verifiedUser.isLocked()).isTrue();
+    }
+
+    @Test
+    @Transactional
+    void testLoginAttemptService_CanUpdateUser() {
+        // Create user with roles
+        User user = new User();
+        user.setEmail("[email protected]");
+        user.setFirstName("Login");
+        user.setLastName("Test");
+        user.setPassword("password");
+        user.setEnabled(true);
+        user.setRoles(Arrays.asList(userRole));
+        
+        userRepository.save(user);
+
+        // Clear session
+        entityManager.flush();
+        entityManager.clear();
+
+        // Test login failed - this should work without UnsupportedOperationException
+        assertDoesNotThrow(() -> {
+            loginAttemptService.loginFailed("[email protected]");
+        });
+
+        User updatedUser = userRepository.findByEmail("[email protected]");
+        assertThat(updatedUser.getFailedLoginAttempts()).isEqualTo(1);
+
+        // Test multiple failures leading to account lock
+        assertDoesNotThrow(() -> {
+            loginAttemptService.loginFailed("[email protected]");
+            loginAttemptService.loginFailed("[email protected]");
+        });
+
+        updatedUser = userRepository.findByEmail("[email protected]");
+        assertThat(updatedUser.getFailedLoginAttempts()).isEqualTo(3);
+        assertThat(updatedUser.isLocked()).isTrue();
+
+        // Test login success - should reset attempts
+        assertDoesNotThrow(() -> {
+            loginAttemptService.loginSucceeded("[email protected]");
+        });
+
+        updatedUser = userRepository.findByEmail("[email protected]");
+        assertThat(updatedUser.getFailedLoginAttempts()).isEqualTo(0);
+        assertThat(updatedUser.isLocked()).isFalse();
+    }
+
+    @Test
+    @Transactional
+    void testUserRolesUpdate_UsingNewSetMethods() {
+        // Create user with roles using the new Set methods
+        User user = new User();
+        user.setEmail("[email protected]");
+        user.setFirstName("Set");
+        user.setLastName("Test");
+        user.setPassword("password");
+        user.setEnabled(true);
+        user.setRolesAsSet(new HashSet<>(Arrays.asList(userRole)));
+        
+        user = userRepository.save(user);
+
+        // Clear session
+        entityManager.flush();
+        entityManager.clear();
+
+        // Load and update roles
+        User loadedUser = userRepository.findByEmail("[email protected]");
+        
+        // Add admin role using Set method
+        assertDoesNotThrow(() -> {
+            var currentRoles = loadedUser.getRolesAsSet();
+            currentRoles.add(adminRole);
+            loadedUser.setRolesAsSet(currentRoles);
+            userRepository.save(loadedUser);
+        });
+
+        // Verify
+        entityManager.flush();
+        entityManager.clear();
+        
+        User verifiedUser = userRepository.findByEmail("[email protected]");
+        assertThat(verifiedUser.getRoles()).hasSize(2);
+        assertThat(verifiedUser.getRoles()).extracting(Role::getName)
+            .containsExactlyInAnyOrder("ROLE_USER", "ROLE_ADMIN");
+    }
+
+    @Test
+    @Transactional
+    void testBackwardCompatibility_ListMethodsStillWork() {
+        // Create user using old List-based API
+        User user = new User();
+        user.setEmail("[email protected]");
+        user.setFirstName("Compat");
+        user.setLastName("Test");
+        user.setPassword("password");
+        user.setEnabled(true);
+        
+        // Use List-based setter (backward compatible)
+        user.setRoles(Arrays.asList(userRole, adminRole));
+        userRepository.save(user);
+
+        // Clear session
+        entityManager.flush();
+        entityManager.clear();
+
+        // Load and verify List-based getter works
+        User loadedUser = userRepository.findByEmail("[email protected]");
+        var rolesList = loadedUser.getRoles(); // Returns List<Role>
+        
+        assertThat(rolesList).isInstanceOf(java.util.List.class);
+        assertThat(rolesList).hasSize(2);
+        assertThat(rolesList).extracting(Role::getName)
+            .containsExactlyInAnyOrder("ROLE_USER", "ROLE_ADMIN");
+    }
+
+    @Test
+    @Transactional
+    void testMultipleUpdatesInSameTransaction() {
+        // Create user
+        User user = new User();
+        user.setEmail("[email protected]");
+        user.setFirstName("Multi");
+        user.setLastName("Update");
+        user.setPassword("password");
+        user.setEnabled(true);
+        user.setRoles(Arrays.asList(userRole));
+        
+        user = userRepository.save(user);
+        final Long userId = user.getId();
+
+        // Multiple updates in same transaction should work
+        assertDoesNotThrow(() -> {
+            User userToUpdate = userRepository.findById(userId).orElseThrow();
+            userToUpdate.setFailedLoginAttempts(1);
+            userRepository.save(userToUpdate);
+            
+            userToUpdate.setFailedLoginAttempts(2);
+            userRepository.save(userToUpdate);
+            
+            userToUpdate.setLocked(true);
+            userRepository.save(userToUpdate);
+        });
+
+        User finalUser = userRepository.findById(userId).orElseThrow();
+        assertThat(finalUser.getFailedLoginAttempts()).isEqualTo(2);
+        assertThat(finalUser.isLocked()).isTrue();
+    }
+}