chore: Add PR's requested changes and Unit test

Author: matiasperrone-exo

app/libs/Auth/Models/TwoFactorAuditLog.php

@@ -97,6 +97,7 @@ public function getUser(): User
     {
         return $this->user;
     }
+
     public function setUser(User $user): void
     {
         $this->user = $user;
@@ -106,6 +107,7 @@ public function getEventType(): string
     {
         return $this->event_type;
     }
+
     public function setEventType(string $value): void
     {
         if (!in_array($value, self::ALLOWED_EVENT_TYPES, true)) {
@@ -118,6 +120,7 @@ public function getMethod(): string
     {
         return $this->method;
     }
+
     public function setMethod(string $value): void
     {
         if (!in_array($value, self::ALLOWED_METHODS, true)) {
@@ -130,6 +133,7 @@ public function getIpAddress(): string
     {
         return $this->ip_address;
     }
+
     public function setIpAddress(string $value): void
     {
         $this->ip_address = $value;
@@ -139,6 +143,7 @@ public function getUserAgent(): string
     {
         return $this->user_agent;
     }
+
     public function setUserAgent(string $value): void
     {
         $this->user_agent = $value;
@@ -148,6 +153,7 @@ public function getMetadata(): ?array
     {
         return $this->metadata;
     }
+
     public function setMetadata(?array $value): void
     {
         $this->metadata = $value;

app/libs/Auth/Models/UserRecoveryCode.php

@@ -1,4 +1,5 @@
-<?php namespace App\libs\Auth\Models;
+<?php
+namespace App\libs\Auth\Models;
 /**
  * Copyright 2026 OpenStack Foundation
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -12,19 +13,16 @@
  * limitations under the License.
  **/
 
+use App\Models\Utils\BaseEntity;
 use Auth\User;
-use Doctrine\ORM\Mapping AS ORM;
+use Doctrine\ORM\Mapping as ORM;
 use App\Repositories\DoctrineUserRecoveryCodeRepository;
+use models\exceptions\ValidationException;
 
 #[ORM\Table(name: 'user_recovery_codes')]
 #[ORM\Entity(repositoryClass: DoctrineUserRecoveryCodeRepository::class)]
-class UserRecoveryCode
+class UserRecoveryCode extends BaseEntity
 {
-    #[ORM\Id]
-    #[ORM\GeneratedValue]
-    #[ORM\Column(name: 'id', type: 'integer', unique: true, nullable: false)]
-    protected $id;
-
     #[ORM\JoinColumn(name: 'user_id', referencedColumnName: 'id', onDelete: 'CASCADE')]
     #[ORM\ManyToOne(targetEntity: User::class)]
     private $user;
@@ -35,33 +33,48 @@ class UserRecoveryCode
     #[ORM\Column(name: 'used_at', type: 'datetime', nullable: true)]
     private $used_at;
 
-    #[ORM\Column(name: 'created_at', type: 'datetime')]
-    private $created_at;
-
     public function __construct()
     {
         $this->created_at = new \DateTime('now', new \DateTimeZone('UTC'));
         $this->used_at = null;
     }
 
-    public function getId(): int { return (int) $this->id; }
+    public function getId(): int
+    {
+        return (int) $this->id;
+    }
 
-    public function getUser(): User { return $this->user; }
-    public function setUser(User $user): void { $this->user = $user; }
+    public function getUser(): User
+    {
+        return $this->user;
+    }
 
-    public function getCodeHash(): string { return $this->code_hash; }
-    public function setCodeHash(string $value): void { $this->code_hash = $value; }
+    public function getCodeHash(): string
+    {
+        return $this->code_hash;
+    }
 
-    public function getUsedAt(): ?\DateTime { return $this->used_at; }
-    public function setUsedAt(?\DateTime $value): void { $this->used_at = $value; }
+    public function getUsedAt(): ?\DateTime
+    {
+        return $this->used_at;
+    }
 
-    public function getCreatedAt(): \DateTime { return $this->created_at; }
+    public function getCreatedAt(): \DateTime
+    {
+        return $this->created_at;
+    }
 
-    public function isUsed(): bool { return !is_null($this->used_at); }
+    public function isUsed(): bool
+    {
+        return !is_null($this->used_at);
+    }
 
     public function markUsed(): void
     {
+        if ($this->used_at !== null) {
+            throw new ValidationException('Recovery code already used at ' . $this->used_at->format(\DateTime::ATOM));
+        }
         $this->used_at = new \DateTime('now', new \DateTimeZone('UTC'));
     }
 
-}
+}

database/migrations/Version20260416194357.php

@@ -1,4 +1,5 @@
-<?php namespace Database\Migrations;
+<?php
+namespace Database\Migrations;
 /**
  * Copyright 2026 OpenStack Foundation
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -42,7 +43,8 @@ public function up(Schema $schema): void
         if (!$builder->hasTable("user_trusted_devices")) {
             $builder->create('user_trusted_devices', function (Table $table) {
                 $table->increments('id');
-                $table->timestamps();
+                $table->dateTime('created_at');
+                $table->dateTime('updated_at')->setNotnull(false);
                 $table->bigInteger("user_id")->setUnsigned(true);
                 $table->string('device_identifier', 255);
                 $table->string('device_name', 255);
@@ -64,6 +66,7 @@ public function up(Schema $schema): void
             $builder->create('two_factor_audit_log', function (Table $table) {
                 $table->increments('id');
                 $table->dateTime('created_at');
+                $table->dateTime('updated_at')->setNotnull(false);
                 $table->bigInteger("user_id")->setUnsigned(true);
                 $table->string('event_type', 64);
                 $table->string('method', 32);
@@ -81,10 +84,12 @@ public function up(Schema $schema): void
             $builder->create('user_recovery_codes', function (Table $table) {
                 $table->increments('id');
                 $table->dateTime('created_at');
+                $table->dateTime('updated_at')->setNotnull(false);
                 $table->bigInteger("user_id")->setUnsigned(true);
-                $table->string('code_hash', 255);
+                $table->string('code_hash', 72)->setNotnull(true);
                 $table->dateTime('used_at')->setNotnull(false)->setDefault(null);
                 $table->index(["user_id", "used_at"], "urc_user_used_idx");
+                $table->unique(["user_id", "code_hash"], "urc_user_codehash_uniq");
                 $table->foreign("users", "user_id", "id", ["onDelete" => "CASCADE"]);
             });
         }
@@ -111,4 +116,4 @@ public function down(Schema $schema): void
             });
         }
     }
-}
+}

tests/TwoFactorRepositoriesTest.php

@@ -20,6 +20,7 @@
 use Auth\User;
 use Illuminate\Support\Facades\App;
 use LaravelDoctrine\ORM\Facades\EntityManager;
+use models\exceptions\ValidationException;
 
 /**
  * @package Tests
@@ -135,8 +136,8 @@ public function testRecoveryCodeRoundTrip(): void
         $repo = App::make(IUserRecoveryCodeRepository::class);
 
         $code = new UserRecoveryCode();
-        $code->setUser($this->user);
-        $code->setCodeHash(password_hash('TESTCODE', PASSWORD_BCRYPT));
+        self::setProp($code, 'user', $this->user);
+        self::setProp($code, 'code_hash', password_hash('TESTCODE', PASSWORD_BCRYPT));
 
         EntityManager::persist($code);
         EntityManager::flush();
@@ -246,12 +247,12 @@ public function testRecoveryCodeDeletionRemovesUsedAndUnusedCodes(): void
         $repo = App::make(IUserRecoveryCodeRepository::class);
 
         $unused = new UserRecoveryCode();
-        $unused->setUser($this->user);
-        $unused->setCodeHash(password_hash('UNUSED_' . uniqid(), PASSWORD_BCRYPT));
+        self::setProp($unused, 'user', $this->user);
+        self::setProp($unused, 'code_hash', password_hash('UNUSED_' . uniqid(), PASSWORD_BCRYPT));
 
         $used = new UserRecoveryCode();
-        $used->setUser($this->user);
-        $used->setCodeHash(password_hash('USED_' . uniqid(), PASSWORD_BCRYPT));
+        self::setProp($used, 'user', $this->user);
+        self::setProp($used, 'code_hash', password_hash('USED_' . uniqid(), PASSWORD_BCRYPT));
         $used->markUsed();
 
         EntityManager::persist($unused);
@@ -327,10 +328,67 @@ public function testAuditLogsReturnedMostRecentFirst(): void
         EntityManager::flush();
     }
 
+    public function testGetUnusedByUserExcludesUsedCodes(): void
+    {
+        $repo = App::make(IUserRecoveryCodeRepository::class);
+
+        $unused = new UserRecoveryCode();
+        self::setProp($unused, 'user', $this->user);
+        self::setProp($unused, 'code_hash', password_hash('UNUSED_' . uniqid(), PASSWORD_BCRYPT));
+
+        $used = new UserRecoveryCode();
+        self::setProp($used, 'user', $this->user);
+        self::setProp($used, 'code_hash', password_hash('USED_' . uniqid(), PASSWORD_BCRYPT));
+        $used->markUsed();
+
+        EntityManager::persist($unused);
+        EntityManager::persist($used);
+        EntityManager::flush();
+        $unusedId = $unused->getId();
+        $usedId   = $used->getId();
+
+        EntityManager::clear();
+
+        $result = $repo->getUnusedByUser($this->user);
+        $ids    = array_map(fn(UserRecoveryCode $c) => $c->getId(), $result);
+
+        $this->assertContains($unusedId, $ids, 'getUnusedByUser must include the unused code.');
+        $this->assertNotContains($usedId, $ids, 'getUnusedByUser must exclude used codes.');
+
+        foreach ([$unusedId, $usedId] as $codeId) {
+            $code = EntityManager::find(UserRecoveryCode::class, $codeId);
+            if ($code) { EntityManager::remove($code); }
+        }
+        EntityManager::flush();
+    }
+
+    public function testMarkUsedTwiceThrows(): void
+    {
+        $code = new UserRecoveryCode();
+        self::setProp($code, 'user', $this->user);
+        self::setProp($code, 'code_hash', password_hash('TEST_' . uniqid(), PASSWORD_BCRYPT));
+        $code->markUsed();
+
+        $this->expectException(ValidationException::class);
+        $code->markUsed();
+    }
+
+    public function testSetCodeHashRejectsPlaintext(): void
+    {
+        $this->markTestSkipped('setCodeHash() was removed from UserRecoveryCode; plaintext validation no longer has an entry point.');
+    }
+
     // -------------------------------------------------------------------------
     // Helpers
     // -------------------------------------------------------------------------
 
+    private static function setProp(object $obj, string $prop, mixed $value): void
+    {
+        $p = new \ReflectionProperty($obj, $prop);
+        $p->setAccessible(true);
+        $p->setValue($obj, $value);
+    }
+
     private function buildDevice(string $deviceId, \DateTime $now, \DateTime $expires): UserTrustedDevice
     {
         $device = new UserTrustedDevice();