Fixing several gaps with Role and Authority handling for OAuth2 based Users.

devondragon · devondragon · commit 1e08c5c10dcf · 2025-02-23T19:47:24.000-07:00
Add LoginHelperService and AuthorityService for user authentication and authority management
diff --git a/.gitignore b/.gitignore
@@ -135,3 +135,4 @@ application-local.yml
 /java_pid20864.hprof
 /java_pid23168.hprof
 /project_concatenated.txt
+/repomix-output.txt
diff --git a/gradle.properties b/gradle.properties
@@ -1 +1 @@
-version=3.1.0-SNAPSHOT
+version=3.1.0-SNAPSHOT
diff --git a/src/main/java/com/digitalsanctuary/spring/user/service/AuthorityService.java b/src/main/java/com/digitalsanctuary/spring/user/service/AuthorityService.java
@@ -0,0 +1,53 @@
+package com.digitalsanctuary.spring.user.service;
+
+import java.util.Collection;
+import java.util.stream.Collectors;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+import com.digitalsanctuary.spring.user.persistence.model.Privilege;
+import com.digitalsanctuary.spring.user.persistence.model.Role;
+import com.digitalsanctuary.spring.user.persistence.model.User;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * The AuthorityService class provides helper methods for generating Spring Security's GrantedAuthority objects from a collection of roles and
+ * privileges.
+ */
+@Slf4j
+@RequiredArgsConstructor
+@Service
+@Transactional
+public class AuthorityService {
+
+    /**
+     * Generates the list of authorities for the given user from their roles and privileges.
+     *
+     * @param user The user whose authorities to generate.
+     * @return The list of authorities for the user.
+     */
+    public Collection<? extends GrantedAuthority> getAuthoritiesFromUser(User user) {
+        return getAuthoritiesFromRoles(user.getRoles());
+    }
+
+    /**
+     *
+     * Returns a collection of Spring Security's GrantedAuthority objects that corresponds to the privileges associated with the given collection of
+     * roles.
+     *
+     * @param roles a collection of roles whose privileges should be converted into Spring Security's GrantedAuthority objects
+     * @return a collection of Spring Security's GrantedAuthority objects that corresponds to the privileges associated with the given collection of
+     *         roles
+     */
+    public Collection<? extends GrantedAuthority> getAuthoritiesFromRoles(Collection<Role> roles) {
+        // flatMap streams the roles, and maps each Role to its privileges (a Collection of Privilege objects).
+        // The stream of Collection<Privilege> objects is then flattened into a single stream of Privilege objects.
+        // Finally, each Privilege is mapped to its name as a String, wrapped in a SimpleGrantedAuthority object,
+        // and collected into a Set of GrantedAuthority objects.
+        return roles.stream().flatMap(role -> role.getPrivileges().stream()).map(Privilege::getName).map(SimpleGrantedAuthority::new)
+                .collect(Collectors.toSet());
+    }
+
+}
diff --git a/src/main/java/com/digitalsanctuary/spring/user/service/DSOAuth2UserService.java b/src/main/java/com/digitalsanctuary/spring/user/service/DSOAuth2UserService.java
@@ -1,13 +1,18 @@
 package com.digitalsanctuary.spring.user.service;
 
+import java.util.Arrays;
+import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
 import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
 import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+import com.digitalsanctuary.spring.user.audit.AuditEvent;
 import com.digitalsanctuary.spring.user.persistence.model.User;
+import com.digitalsanctuary.spring.user.persistence.repository.RoleRepository;
 import com.digitalsanctuary.spring.user.persistence.repository.UserRepository;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -34,12 +39,26 @@
  */
 @Slf4j
 @Service
+@Transactional
 @RequiredArgsConstructor
 public class DSOAuth2UserService implements OAuth2UserService<OAuth2UserRequest, OAuth2User> {
 
     /** The user repository. */
     private final UserRepository userRepository;
 
+    /** The role repository. */
+    private final RoleRepository roleRepository;
+
+    private final LoginHelperService loginHelperService;
+
+
+
+    /** The Event Publisher. */
+    private final ApplicationEventPublisher eventPublisher;
+
+    /** The user role name. */
+    private static final String USER_ROLE_NAME = "ROLE_USER";
+
     DefaultOAuth2UserService defaultOAuth2UserService = new DefaultOAuth2UserService();
 
     /**
@@ -68,7 +87,7 @@ public User handleOAuthLoginSuccess(String registrationId, OAuth2User oAuth2User
                     "Sorry! An error occurred while processing your login request.");
         }
         log.debug("handleOAuthLoginSuccess: looking up user with email: {}", user.getEmail());
-        User existingUser = userRepository.findByEmail(user.getEmail());
+        User existingUser = userRepository.findByEmail(user.getEmail().toLowerCase());
         log.debug("handleOAuthLoginSuccess: existingUser: {}", existingUser);
         if (existingUser != null && registrationId != null) {
             log.debug("handleOAuthLoginSuccess: existingUser.getProvider(): {}", existingUser.getProvider());
@@ -97,12 +116,17 @@ public User handleOAuthLoginSuccess(String registrationId, OAuth2User oAuth2User
      * @param user The User object representing the authenticated user.
      * @return A User object representing the newly registered user.
      */
+    @Transactional
     private User registerNewOAuthUser(String registrationId, User user) {
         User.Provider provider = User.Provider.valueOf(registrationId.toUpperCase());
         user.setProvider(provider);
-        // user.setRoles(Collections.singletonList(roleRepository.findByName(RoleName.ROLE_USER)));
+        user.setRoles(Arrays.asList(roleRepository.findByName(USER_ROLE_NAME)));
         // We will trust OAuth2 providers to provide us with a verified email address.
         user.setEnabled(true);
+        AuditEvent registrationAuditEvent = AuditEvent.builder().source(this).user(user).action("OAuth2 Registration Success").actionStatus("Success")
+                .message("Registration Confirmed. User logged in.").build();
+
+        eventPublisher.publishEvent(registrationAuditEvent);
         return userRepository.save(user);
     }
 
@@ -184,8 +208,8 @@ public OAuth2User loadUser(OAuth2UserRequest userRequest) throws OAuth2Authentic
         String registrationId = userRequest.getClientRegistration().getRegistrationId();
         log.debug("registrationId: " + registrationId);
         User dbUser = handleOAuthLoginSuccess(registrationId, user);
-        DSUserDetails dsUserDetails = new DSUserDetails(dbUser);
-        return dsUserDetails;
+        DSUserDetails userDetails = loginHelperService.userLoginHelper(dbUser);
+        return userDetails;
     }
 
 }
diff --git a/src/main/java/com/digitalsanctuary/spring/user/service/DSUserDetailsService.java b/src/main/java/com/digitalsanctuary/spring/user/service/DSUserDetailsService.java
@@ -1,16 +1,9 @@
 package com.digitalsanctuary.spring.user.service;
 
-import java.util.Collection;
-import java.util.Date;
-import java.util.stream.Collectors;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
-import com.digitalsanctuary.spring.user.persistence.model.Privilege;
-import com.digitalsanctuary.spring.user.persistence.model.Role;
 import com.digitalsanctuary.spring.user.persistence.model.User;
 import com.digitalsanctuary.spring.user.persistence.repository.UserRepository;
 import lombok.RequiredArgsConstructor;
@@ -29,8 +22,7 @@ public class DSUserDetailsService implements UserDetailsService {
 	/** The user repository. */
 	private final UserRepository userRepository;
 
-	/** The login attempt service. */
-	private final LoginAttemptService loginAttemptService;
+	private final LoginHelperService loginHelperService;
 
 	/** The request. */
 	// private final HttpServletRequest request;
@@ -44,44 +36,12 @@ public class DSUserDetailsService implements UserDetailsService {
 	 */
 	@Override
 	public DSUserDetails loadUserByUsername(final String email) throws UsernameNotFoundException {
-		log.debug("DSUserDetailsService.loadUserByUsername:" + "called with username: {}", email);
-
-		try {
-			User user = userRepository.findByEmail(email);
-			if (user == null) {
-				throw new UsernameNotFoundException("No user found with email/username: " + email);
-			}
-			// Updating lastActivity date for this login
-			user.setLastActivityDate(new Date());
-
-			// Check if the user account is locked, but should be unlocked now, and unlock it
-			user = loginAttemptService.checkIfUserShouldBeUnlocked(user);
-
-			Collection<? extends GrantedAuthority> authorities = getAuthorities(user.getRoles());
-			DSUserDetails userDetails = new DSUserDetails(user, authorities);
-			return userDetails;
-		} catch (final Exception e) {
-			log.error("DSUserDetailsService.loadUserByUsername:" + "Exception!", e);
-			throw new RuntimeException(e);
+		log.debug("DSUserDetailsService.loadUserByUsername: called with username: {}", email);
+		User dbUser = userRepository.findByEmail(email);
+		if (dbUser == null) {
+			throw new UsernameNotFoundException("No user found with email/username: " + email);
 		}
-	}
-
-	/**
-	 *
-	 * Returns a collection of Spring Security's GrantedAuthority objects that corresponds to the privileges associated with the given collection of
-	 * roles.
-	 *
-	 * @param roles a collection of roles whose privileges should be converted into Spring Security's GrantedAuthority objects
-	 * @return a collection of Spring Security's GrantedAuthority objects that corresponds to the privileges associated with the given collection of
-	 *         roles
-	 */
-	private Collection<? extends GrantedAuthority> getAuthorities(Collection<Role> roles) {
-		// flatMap streams the roles, and maps each Role to its privileges (a Collection of Privilege objects).
-		// The stream of Collection<Privilege> objects is then flattened into a single stream of Privilege objects.
-		// Finally, each Privilege is mapped to its name as a String, wrapped in a SimpleGrantedAuthority object,
-		// and collected into a Set of GrantedAuthority objects.
-		return roles.stream().flatMap(role -> role.getPrivileges().stream()).map(Privilege::getName).map(SimpleGrantedAuthority::new)
-				.collect(Collectors.toSet());
+		return loginHelperService.userLoginHelper(dbUser);
 	}
 
 }
diff --git a/src/main/java/com/digitalsanctuary/spring/user/service/LoginHelperService.java b/src/main/java/com/digitalsanctuary/spring/user/service/LoginHelperService.java
@@ -0,0 +1,45 @@
+package com.digitalsanctuary.spring.user.service;
+
+import java.util.Collection;
+import java.util.Date;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+import com.digitalsanctuary.spring.user.persistence.model.User;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * The LoginHelperService class provides helper methods for authenticating users after login. This class is used by the DSUserDetailsService and
+ * DSOAuth2UserService classes to authenticate users after they have been successfully authenticated.
+ */
+@Slf4j
+@RequiredArgsConstructor
+@Service
+@Transactional
+public class LoginHelperService {
+
+    /** The login attempt service. */
+    private final LoginAttemptService loginAttemptService;
+
+    private final AuthorityService authorityService;
+
+    /**
+     * Helper method to authenticate a user after login. This method is called from the DSUserDetailsService and DSOAuth2UserService classes after a
+     * user has been successfully authenticated.
+     *
+     * @param dbUser The user to authenticate.
+     * @return The user details object.
+     */
+    public DSUserDetails userLoginHelper(User dbUser) {
+        // Updating lastActivity date for this login
+        dbUser.setLastActivityDate(new Date());
+
+        // Check if the user account is locked, but should be unlocked now, and unlock it
+        dbUser = loginAttemptService.checkIfUserShouldBeUnlocked(dbUser);
+
+        Collection<? extends GrantedAuthority> authorities = authorityService.getAuthoritiesFromUser(dbUser);
+        DSUserDetails userDetails = new DSUserDetails(dbUser, authorities);
+        return userDetails;
+    }
+}
diff --git a/src/main/java/com/digitalsanctuary/spring/user/service/UserService.java b/src/main/java/com/digitalsanctuary/spring/user/service/UserService.java
@@ -10,7 +10,6 @@
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
@@ -22,8 +21,6 @@
 import com.digitalsanctuary.spring.user.dto.UserDto;
 import com.digitalsanctuary.spring.user.exceptions.UserAlreadyExistException;
 import com.digitalsanctuary.spring.user.persistence.model.PasswordResetToken;
-import com.digitalsanctuary.spring.user.persistence.model.Privilege;
-import com.digitalsanctuary.spring.user.persistence.model.Role;
 import com.digitalsanctuary.spring.user.persistence.model.User;
 import com.digitalsanctuary.spring.user.persistence.model.VerificationToken;
 import com.digitalsanctuary.spring.user.persistence.repository.PasswordResetTokenRepository;
@@ -101,8 +98,7 @@
  * </p>
  * <ul>
  * <li>{@link #emailExists(String)}: Checks if an email exists in the user repository.</li>
- * <li>{@link #getAuthorities(User)}: Generates the list of authorities for a user.</li>
- * <li>{@link #authenticateUser(DSUserDetails, List)}: Authenticates a user by setting the authentication object in the security context.</li>
+ * <li>{@link #authenticateUser(DSUserDetails, Collection)}: Authenticates a user by setting the authentication object in the security context.</li>
  * <li>{@link #storeSecurityContextInSession()}: Stores the current security context in the session.</li>
  * </ul>
  *
@@ -193,6 +189,8 @@ public String getValue() {
 	/** The user verification service. */
 	public final UserVerificationService userVerificationService;
 
+	private final AuthorityService authorityService;
+
 	/** The user details service. */
 	private final DSUserDetailsService dsUserDetailsService;
 
@@ -323,7 +321,8 @@ public void changeUserPassword(final User user, final String password) {
 	 * @return true, if successful
 	 */
 	public boolean checkIfValidOldPassword(final User user, final String oldPassword) {
-		System.out.println(user.getPassword() + " " + oldPassword);
+		// Removed System.out.println, using log.debug for minimal output (avoid logging passwords in production)
+		log.debug("Verifying old password for user: {}", user.getEmail());
 		return passwordEncoder.matches(oldPassword, user.getPassword());
 	}
 
@@ -334,7 +333,7 @@ public boolean checkIfValidOldPassword(final User user, final String oldPassword
 	 * @return true, if the email address is already in the user repository
 	 */
 	private boolean emailExists(final String email) {
-		return userRepository.findByEmail(email) != null;
+		return userRepository.findByEmail(email.toLowerCase()) != null;
 	}
 
 	/**
@@ -395,7 +394,7 @@ public void authWithoutPassword(User user) {
 		}
 
 		// Generate authorities from user roles and privileges
-		List<GrantedAuthority> authorities = getAuthorities(user);
+		Collection<? extends GrantedAuthority> authorities = authorityService.getAuthoritiesFromUser(user);
 
 		// Authenticate user
 		authenticateUser(userDetails, authorities);
@@ -406,26 +405,13 @@ public void authWithoutPassword(User user) {
 		log.debug("UserService.authWithoutPassword: authenticated user: {}", user.getEmail());
 	}
 
-	/**
-	 * Generates the list of authorities for the given user from their roles and privileges.
-	 *
-	 * @param user The user whose authorities to generate.
-	 * @return The list of authorities for the user.
-	 */
-
-	private List<GrantedAuthority> getAuthorities(User user) {
-		List<Privilege> privileges =
-				user.getRoles().stream().map(Role::getPrivileges).flatMap(Collection::stream).distinct().collect(Collectors.toList());
-		return privileges.stream().map(p -> new SimpleGrantedAuthority(p.getName())).collect(Collectors.toList());
-	}
-
 	/**
 	 * Authenticates the user by creating an authentication object and setting it in the security context.
 	 *
 	 * @param userDetails The user details.
 	 * @param authorities The list of authorities for the user.
 	 */
-	private void authenticateUser(DSUserDetails userDetails, List<GrantedAuthority> authorities) {
+	private void authenticateUser(DSUserDetails userDetails, Collection<? extends GrantedAuthority> authorities) {
 		Authentication authentication = new UsernamePasswordAuthenticationToken(userDetails, null, authorities);
 		SecurityContextHolder.getContext().setAuthentication(authentication);
 	}
@@ -448,4 +434,6 @@ private void storeSecurityContextInSession() {
 		session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext());
 	}
 
+
+
 }

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-version=3.1.0-SNAPSHOT`
	`1`	`+version=3.1.0-SNAPSHOT`