refactor(auth): drop unused OAuth2OTP transient $user field

The $user property added in this PR's earlier commits had only one
writer (AuthService::finalizeRedemption) and no readers anywhere in
the codebase. Since the field is not ORM-mapped, a future caller that
re-loaded the OTP from DB and called getUser() would silently receive
null — a footgun for no current benefit.

Remove the field, its setUser/getUser accessors, and the now-unused
Auth\User import from OAuth2OTP. Drop the matching setUser call site
in finalizeRedemption and the unused mock expectation in the unit test.

YAGNI: re-add (and bind to a defined consumer) when an actual reader
materialises.

Author: smarcet

app/Models/OAuth2/OAuth2OTP.php

@@ -14,7 +14,6 @@
 
 use App\libs\Utils\PunnyCodeHelper;
 use App\Models\Utils\BaseEntity;
-use Auth\User;
 use Doctrine\ORM\Mapping AS ORM;
 use DateTime;
 use DateInterval;
@@ -119,12 +118,6 @@ class OAuth2OTP extends BaseEntity implements Identifier
     #[ORM\ManyToOne(targetEntity: \Models\OAuth2\Client::class, inversedBy: 'otp_grants', cascade: ['persist'])]
     private $client;
 
-    /**
-     * @var User
-     * this is a transient state
-     */
-    private $user;
-
     /**
      * OAuth2OTP constructor.
      * @param int $length
@@ -505,12 +498,4 @@ public function getUserId()
     {
         return $this->user_id;
     }
-
-    public function setUser(User $user): void{
-        $this->user = $user;
-    }
-
-    public function getUser():?User{
-        return $this->user;
-    }
 }

app/libs/Auth/AuthService.php

@@ -199,8 +199,9 @@ private function findAndValidateOTP(
     }
 
     /**
-     * Marks the OTP redeemed, attaches the user (transient), revokes sibling pending OTPs.
-     * Entity methods short-circuit for inline OTPs — no special-casing needed here.
+     * Marks the OTP redeemed, stores the resolved user id, and revokes sibling
+     * pending OTPs. Entity methods short-circuit for inline OTPs — no special-
+     * casing needed here.
      *
      * Concurrency: acquires a PESSIMISTIC_WRITE row lock and re-hydrates state
      * before checking redemption. This closes the validate→redeem race window:
@@ -227,7 +228,6 @@ private function finalizeRedemption(OAuth2OTP $otp, User $user, ?Client $client)
 
         $otp->setAuthTime(time());
         $otp->setUserId($user->getId());
-        $otp->setUser($user);
         $otp->redeem();
 
         $grants2Revoke = $this->otp_repository->getByUserNameNotRedeemed($otp->getUserName(), $client);

tests/VerifyOTPChallengeTest.php

@@ -149,7 +149,6 @@ public function testSucceedsAndConsumesOTPWhenSessionUserMatchesOTPUser(): void
         // finalizeRedemption mutations expected
         $otp->shouldReceive('setAuthTime')->once();
         $otp->shouldReceive('setUserId')->once()->with(100);
-        $otp->shouldReceive('setUser')->once();
         $otp->shouldReceive('redeem')->once();
         $otp->shouldReceive('getId')->andReturn(7);