chore: Add PR's requested changes

matiasperrone-exo · matiasperrone-exo · commit 133b2a8a32d6 · 2026-04-28T21:50:09.000Z
diff --git a/app/Http/Controllers/SocialLoginController.php b/app/Http/Controllers/SocialLoginController.php
@@ -157,7 +157,7 @@ public function callback($provider)
             if(!$user->canLogin()) {
                 throw new AuthenticationException
                 (
-                    "We are sorry, your username does not match an existing record."
+                    "username does not match an existing record."
                 );
             }
 
diff --git a/app/libs/Auth/AuthService.php b/app/libs/Auth/AuthService.php
@@ -153,7 +153,7 @@ public function login(string $username, string $password, bool $remember_me): bo
         if (!Auth::attempt(['username' => $username, 'password' => $password], $remember_me)) {
             throw new AuthenticationException
             (
-                "We are sorry, your username or password does not match an existing record."
+                "username or password does not match an existing record."
             );
         }
         Log::debug("AuthService::login: clearing principal");
@@ -162,7 +162,7 @@ public function login(string $username, string $password, bool $remember_me): bo
         if(is_null($current_user) || !$current_user->canLogin())
             throw new AuthenticationException
             (
-                "We are sorry, your username or password does not match an existing record."
+                "username or password does not match an existing record."
             );
         $this->principal_service->register
         (
@@ -264,7 +264,7 @@ public function loginWithOTP(OAuth2OTP $otpClaim, ?Client $client = null, bool $
 
             if(!$user->canLogin()){
                 Log::warning(sprintf("AuthService::loginWithOTP user %s cannot login ( is not active ).", $user->getId()));
-                throw new AuthenticationException("We are sorry, your username or password does not match an existing record.");
+                throw new AuthenticationException("username or password does not match an existing record.");
             }
 
             $otp->setAuthTime(time());
diff --git a/app/libs/Auth/Models/User.php b/app/libs/Auth/Models/User.php
@@ -2473,7 +2473,13 @@ public function setTwoFactorEnforcedAt(?\DateTime $at): void
      */
     public function shouldRequire2FA(): bool
     {
-        return ($this->isAdmin() || (bool) $this->two_factor_enabled);
+        $enforcedGroups = config('two_factor.enforced_groups', []);
+        foreach ($enforcedGroups as $slug) {
+            if ($this->belongToGroup($slug)) {
+                return true;
+            }
+        }
+        return (bool) $this->two_factor_enabled;
     }
 
     /**
diff --git a/tests/CustomAuthProviderTest.php b/tests/CustomAuthProviderTest.php
@@ -12,16 +12,24 @@
 * limitations under the License.
 **/
 use Auth\CustomAuthProvider;
+use Auth\User;
 use Utils\Services\UtilsServiceCatalog;
 use OpenId\Services\OpenIdServiceCatalog;
 use Auth\Repositories\IUserRepository;
 use Auth\IAuthenticationExtensionService;
 use Illuminate\Support\Facades\App;
+use Mockery;
 /**
  * Class CustomAuthProviderTest
  */
 final class CustomAuthProviderTest extends TestCase {
 
+    public function tearDown(): void
+    {
+        parent::tearDown();
+        Mockery::close();
+    }
+
     /**
      * @return CustomAuthProvider
      */
@@ -39,4 +47,31 @@ public function testCreateProvider(){
 
         return $provider;
     }
+
+    public function testValidateCredentialsReturnsFalseWhenUserCannotLoginDueToUnverifiedEmail(): void
+    {
+        // A freshly constructed User has active=true, email_verified=false → canLogin()=false.
+        // This covers the canLogin()===false branch for a reason other than isActive().
+        $user = new User();
+
+        $repo = Mockery::mock(IUserRepository::class);
+        $repo->shouldReceive('getByEmailOrName')
+            ->with('unverified@example.com')
+            ->andReturn($user);
+
+        $provider = new CustomAuthProvider(
+            $repo,
+            App::make(IAuthenticationExtensionService::class),
+            App::make(OpenIdServiceCatalog::UserService),
+            App::make(UtilsServiceCatalog::CheckPointService),
+            App::make(UtilsServiceCatalog::TransactionService)
+        );
+
+        $result = $provider->validateCredentials(
+            $user,
+            ['username' => 'unverified@example.com', 'password' => 'any-password']
+        );
+
+        $this->assertFalse($result);
+    }
 }
diff --git a/tests/unit/UserTwoFactorTest.php b/tests/unit/UserTwoFactorTest.php
@@ -83,25 +83,34 @@ public function testShouldRequire2FA_adminUser(): void
         $this->assertTrue($user->shouldRequire2FA());
     }
 
-    public function testShouldRequire2FA_oauth2AdminUser(): void
+    public function testShouldRequire2FA_BelongsToAnEnforcedGroup(): void
     {
-        // Guard against the gotcha: shouldRequire2FA() must look at the full
-        // config('two_factor.enforced_groups') list, not just call isAdmin().
-        $user = new User();
-        $this->assignGroups($user, [$this->buildGroup(IGroupSlugs::AdminGroup)]);
+        config(['two_factor.enforced_groups' => []]);
+        $this->assertSame([], config('two_factor.enforced_groups'), "Config value 'two_factor.enforced_groups' is set");
 
-        $this->assertTrue($user->isAdmin(), IGroupSlugs::AdminGroup.' is an admin group per isAdmin()');
-        $this->assertTrue($user->shouldRequire2FA());
+        $groups = [
+            IGroupSlugs::SuperAdminGroup,
+            IGroupSlugs::AdminGroup,
+            IGroupSlugs::OAuth2ServerAdminGroup,
+        ];
+        config(['two_factor.enforced_groups' => $groups]);
+        $this->assertSame($groups, config('two_factor.enforced_groups'), "Config value 'two_factor.enforced_groups' is set");
 
         $user = new User();
-        $this->assignGroups($user, [$this->buildGroup(IGroupSlugs::SuperAdminGroup)]);
-        $this->assertTrue($user->isAdmin(), IGroupSlugs::SuperAdminGroup.' is an admin group per isAdmin()');
-        $this->assertTrue($user->shouldRequire2FA());
+        $this->assertFalse($user->shouldRequire2FA(), "The user does not belong to any enforced group");
+
 
+        $this->assignGroups($user, array_map([$this, 'buildGroup'], $groups));
+        $this->assertTrue($user->belongToGroup(IGroupSlugs::SuperAdminGroup), "The user belongs to ".IGroupSlugs::SuperAdminGroup." group");
+        $this->assertTrue($user->belongToGroup(IGroupSlugs::AdminGroup), "The user belongs to ".IGroupSlugs::AdminGroup." group");
+        $this->assertTrue($user->belongToGroup(IGroupSlugs::OAuth2ServerAdminGroup), "The user belongs to ".IGroupSlugs::OAuth2ServerAdminGroup." group");
+        $this->assertTrue($user->shouldRequire2FA(), "The user does belong to an enforced group");
+
+        $groups = [IGroupSlugs::RawUsersGroup];
         $user = new User();
-        $this->assignGroups($user, [$this->buildGroup(IGroupSlugs::OAuth2ServerAdminGroup)]);
-        $this->assertFalse($user->isAdmin(), IGroupSlugs::OAuth2ServerAdminGroup.' is NOT an admin group per isAdmin()');
-        $this->assertFalse($user->shouldRequire2FA());
+        $this->assertFalse($user->shouldRequire2FA(), "The user does not belong to any enforced group");
+        $this->assignGroups($user, array_map([$this, 'buildGroup'], $groups));
+        $this->assertFalse($user->shouldRequire2FA(), "The user does not belong to any enforced group");
     }
 
     public function testShouldRequire2FA_regularUser_enabled(): void
@@ -200,6 +209,29 @@ public function testSetTwoFactorMethod_invalidMethod_throws(): void
         $setter->invoke($user, 'bogus');
     }
 
+    public function testShouldRequire2FA_configDrivenEnforcement(): void
+    {
+        // Users in enforced_groups must require 2FA even if two_factor_enabled=false
+        // and even if isAdmin() returns false for their group (OAuth2/OpenId admins).
+        $groupsUnderTest = [
+            IGroupSlugs::OAuth2ServerAdminGroup,
+            IGroupSlugs::OpenIdServerAdminsGroup,
+        ];
+
+        foreach ($groupsUnderTest as $groupSlug) {
+            $user = new User();
+            $this->assignGroups($user, [$this->buildGroup($groupSlug)]);
+            $this->assertFalse($user->isTwoFactorEnabled());
+            $this->assertFalse($user->isAdmin(), "$groupSlug must NOT be covered by isAdmin()");
+            $this->assertTrue($user->shouldRequire2FA(), "$groupSlug is in enforced_groups — shouldRequire2FA() must return true regardless of the stored flag");
+        }
+
+        // Sanity: a regular user with two_factor_enabled=false is NOT enforced
+        $regular = new User();
+        $this->assignGroups($regular, [$this->buildGroup(IGroupSlugs::RawUsersGroup)]);
+        $this->assertFalse($regular->shouldRequire2FA());
+    }
+
     public function testShouldRequire2FA_emptyEnforcedGroups_fallsThroughToFlag(): void
     {
         // Locks in the config fall-through: when enforced_groups is empty,

Original file line number	Diff line number	Diff line change
`@@ -157,7 +157,7 @@ public function callback($provider)`
`157`	`157`	`if(!$user->canLogin()) {`
`158`	`158`	`throw new AuthenticationException`
`159`	`159`	`(`
`160`		`- "We are sorry, your username does not match an existing record."`
	`160`	`+ "username does not match an existing record."`
`161`	`161`	`);`
`162`	`162`	`}`
`163`	`163`
Original file line number	Diff line number	Diff line change
`@@ -153,7 +153,7 @@ public function login(string $username, string $password, bool $remember_me): bo`
`153`	`153`	`if (!Auth::attempt(['username' => $username, 'password' => $password], $remember_me)) {`
`154`	`154`	`throw new AuthenticationException`
`155`	`155`	`(`
`156`		`- "We are sorry, your username or password does not match an existing record."`
	`156`	`+ "username or password does not match an existing record."`
`157`	`157`	`);`
`158`	`158`	`}`
`159`	`159`	`Log::debug("AuthService::login: clearing principal");`
`@@ -162,7 +162,7 @@ public function login(string $username, string $password, bool $remember_me): bo`
`162`	`162`	`if(is_null($current_user) \|\| !$current_user->canLogin())`
`163`	`163`	`throw new AuthenticationException`
`164`	`164`	`(`
`165`		`- "We are sorry, your username or password does not match an existing record."`
	`165`	`+ "username or password does not match an existing record."`
`166`	`166`	`);`
`167`	`167`	`$this->principal_service->register`
`168`	`168`	`(`
`@@ -264,7 +264,7 @@ public function loginWithOTP(OAuth2OTP $otpClaim, ?Client $client = null, bool $`
`264`	`264`
`265`	`265`	`if(!$user->canLogin()){`
`266`	`266`	`Log::warning(sprintf("AuthService::loginWithOTP user %s cannot login ( is not active ).", $user->getId()));`
`267`		`- throw new AuthenticationException("We are sorry, your username or password does not match an existing record.");`
	`267`	`+ throw new AuthenticationException("username or password does not match an existing record.");`
`268`	`268`	`}`
`269`	`269`
`270`	`270`	`$otp->setAuthTime(time());`
Original file line number	Diff line number	Diff line change
`@@ -2473,7 +2473,13 @@ public function setTwoFactorEnforcedAt(?\DateTime $at): void`
`2473`	`2473`	`*/`
`2474`	`2474`	`public function shouldRequire2FA(): bool`
`2475`	`2475`	`{`
`2476`		`- return ($this->isAdmin() \|\| (bool) $this->two_factor_enabled);`
	`2476`	`+ $enforcedGroups = config('two_factor.enforced_groups', []);`
	`2477`	`+ foreach ($enforcedGroups as $slug) {`
	`2478`	`+ if ($this->belongToGroup($slug)) {`
	`2479`	`+ return true;`
	`2480`	`+ }`
	`2481`	`+ }`
	`2482`	`+ return (bool) $this->two_factor_enabled;`
`2477`	`2483`	`}`
`2478`	`2484`
`2479`	`2485`	`/**`