chore: Add PR's requested changes

Author: matiasperrone-exo

app/libs/Auth/AuthService.php

@@ -1,5 +1,4 @@
-<?php
-namespace Auth;
+<?php namespace Auth;
 /**
  * Copyright 2016 OpenStack Foundation
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -97,19 +96,21 @@ final class AuthService extends AbstractService implements IAuthService
      * @param IAuthUserService $auth_user_service
      * @param ISecurityContextService $security_context_service
      * @param ITransactionService $tx_service
+     * @params ISecurityContextService $security_context_service
      */
     public function __construct
     (
-        IUserRepository $user_repository,
-        IOAuth2OTPRepository $otp_repository,
-        IPrincipalService $principal_service,
-        IUserService $user_service,
-        IUserActionService $user_action_service,
-        ICacheService $cache_service,
-        IAuthUserService $auth_user_service,
+        IUserRepository         $user_repository,
+        IOAuth2OTPRepository    $otp_repository,
+        IPrincipalService       $principal_service,
+        IUserService            $user_service,
+        IUserActionService      $user_action_service,
+        ICacheService           $cache_service,
+        IAuthUserService        $auth_user_service,
         ISecurityContextService $security_context_service,
-        ITransactionService $tx_service
-    ) {
+        ITransactionService     $tx_service
+    )
+    {
         parent::__construct($tx_service);
         $this->user_repository = $user_repository;
         $this->principal_service = $principal_service;
@@ -134,11 +135,7 @@ public function isUserLogged()
      */
     public function getCurrentUser(): ?User
     {
-        $user = Auth::user();
-        if ($user instanceof User) {
-            return $user;
-        }
-        return null;
+        return Auth::user();
     }
 
     /**
@@ -152,19 +149,20 @@ public function login(string $username, string $password, bool $remember_me): bo
     {
         Log::debug("AuthService::login");
 
+        $this->last_login_error = "";
         if (!Auth::attempt(['username' => $username, 'password' => $password], $remember_me)) {
             throw new AuthenticationException
             (
-                "username or password does not match an existing record."
+                "We are sorry, your username or password does not match an existing record."
             );
         }
         Log::debug("AuthService::login: clearing principal");
         $this->principal_service->clear();
         $current_user = $this->getCurrentUser();
-        if (is_null($current_user) || !$current_user->canLogin())
+        if(is_null($current_user) || !$current_user->canLogin())
             throw new AuthenticationException
             (
-                "username or password does not match an existing record."
+                "We are sorry, your username or password does not match an existing record."
             );
         $this->principal_service->register
         (
@@ -178,35 +176,23 @@ public function login(string $username, string $password, bool $remember_me): bo
     /**
      * @param string $username
      * @param string $password
-     * @return User
+     * @return User|null
      * @throws AuthenticationException
      */
     public function validateCredentials(string $username, string $password): User
     {
         Log::debug("AuthService::validateCredentials");
 
-        // retrieveByCredentials swallows AuthenticationLockedUserLoginAttempt and returns null,
-        // so pre-check lock state here to surface a distinct message for locked accounts.
-        $existing = $this->user_repository->getByEmailOrName($username);
-        if (!is_null($existing) && !$existing->isActive()) {
-            throw new AuthenticationException(
-                sprintf("User %s is locked.", $username)
-            );
+        /**
+         * @var User|null $user
+         */
+        $user = Auth::getProvider()->retrieveByCredentials(['username' => $username, 'password' => $password]);
+        if (!$user) {
+            throw new AuthenticationException();
         }
 
-        // Known cost: retrieveByCredentials() calls user_repository->getByEmailOrName() internally
-        // (CustomAuthProvider line ~122), duplicating the query above. Eliminating it would require
-        // either changing the provider API to accept a pre-fetched User, or moving
-        // LockUserCounterMeasure checkpoint logic out of the provider — both out of scope here.
-        $user = Auth::getProvider()->retrieveByCredentials([
-            'username' => $username,
-            'password' => $password,
-        ]);
-
-        if (is_null($user) || !$user instanceof User || !$user->canLogin()) {
-            throw new AuthenticationException(
-                "username or password does not match an existing record."
-            );
+        if (!$user->isActive()) {
+            throw new AuthenticationException("User is locked.");
         }
 
         return $user;
@@ -220,6 +206,7 @@ public function validateCredentials(string $username, string $password): User
     public function loginUser(User $user, bool $remember): void
     {
         Log::debug("AuthService::loginUser");
+        if (!$user->canLogin()) throw new AuthenticationException("User is not active or cannot login.");
         Auth::login($user, $remember);
     }
 
@@ -278,13 +265,11 @@ public function loginWithOTP(OAuth2OTP $otpClaim, ?Client $client = null, bool $
                 throw new AuthenticationException("Single-use code mismatch.");
             }
 
-            if (!empty($otpClaim->getScope()) && !$otp->allowScope($otpClaim->getScope()))
+            if(!empty($otpClaim->getScope()) && !$otp->allowScope($otpClaim->getScope()))
                 throw new InvalidOTPException("Single-use code requested scopes escalates former scopes.");
 
-            if (
-                ($otp->hasClient() && is_null($client)) ||
-                ($otp->hasClient() && !is_null($client) && $client->getClientId() != $otp->getClient()->getClientId())
-            ) {
+            if (($otp->hasClient() && is_null($client)) ||
+                ($otp->hasClient() && !is_null($client) && $client->getClientId() != $otp->getClient()->getClientId())) {
                 throw new AuthenticationException("Single-use code audience mismatch.");
             }
 
@@ -306,16 +291,17 @@ public function loginWithOTP(OAuth2OTP $otpClaim, ?Client $client = null, bool $
                     ],
                     $otp
                 );
-            } else {
-                if ($user->isActive()) {
+            }
+            else{
+                if($user->isActive()) {
                     // verify email
                     $user->verifyEmail(false);
                 }
             }
 
-            if (!$user->canLogin()) {
+            if(!$user->canLogin()){
                 Log::warning(sprintf("AuthService::loginWithOTP user %s cannot login ( is not active ).", $user->getId()));
-                throw new AuthenticationException("username or password does not match an existing record.");
+                throw new AuthenticationException("We are sorry, your username or password does not match an existing record.");
             }
 
             $otp->setAuthTime(time());
@@ -329,7 +315,7 @@ public function loginWithOTP(OAuth2OTP $otpClaim, ?Client $client = null, bool $
                 $client
             );
 
-            foreach ($grants2Revoke as $otp2Revoke) {
+            foreach ($grants2Revoke as $otp2Revoke){
                 try {
                     Log::debug(sprintf("AuthService::loginWithOTP revoking otp %s ", $otp2Revoke->getValue()));
                     if ($otp2Revoke->getValue() !== $otpClaim->getValue())
@@ -350,12 +336,12 @@ public function loginWithOTP(OAuth2OTP $otpClaim, ?Client $client = null, bool $
      * @param bool $clear_security_ctx
      * @return void
      */
-    public function logout(bool $clear_security_ctx = true): void
+    public function logout(bool $clear_security_ctx = true):void
     {
         Log::debug("AuthService::logout");
         $current_user = $this->getCurrentUser();
         // check if we have user on session
-        if (!is_null($current_user)) {
+        if(!is_null($current_user)) {
             $ip = IPHelper::getUserIp();
             Log::debug(sprintf("AuthService::logout we have user %s from ip %s", $current_user->getId(), $ip));
             $this->user_action_service->addUserAction
@@ -369,7 +355,7 @@ public function logout(bool $clear_security_ctx = true): void
         // regular flow
         $this->invalidateSession();
         $this->principal_service->clear();
-        if ($clear_security_ctx)
+        if($clear_security_ctx)
             $this->security_context_service->clear();
         Auth::logout();
         // put in past
@@ -489,7 +475,8 @@ public function unwrapUserId(string $user_id): string
             $unwrapped_name = $this->decrypt($user_id);
             $parts = explode(':', $unwrapped_name);
             return intval($parts[1]);
-        } catch (Exception $ex) {
+        }
+        catch (Exception $ex){
             Log::warning($ex);
         }
         return $user_id;
@@ -552,8 +539,7 @@ public function registerRPLogin(string $client_id): void
                 $rps = $zlib->uncompress($rps);
                 $rps .= '|';
             }
-            if (is_null($rps))
-                $rps = "";
+            if (is_null($rps)) $rps = "";
 
             if (!str_contains($rps, $client_id))
                 $rps .= $client_id;
@@ -592,7 +578,8 @@ public function getLoggedRPs(): array
                 $rps = $zlib->uncompress($rps);
                 return explode('|', $rps);
             }
-        } catch (Exception $ex) {
+        }
+        catch (Exception $ex){
             Log::warning($ex);
         }
         return [];
@@ -659,17 +646,14 @@ public function invalidateSession(): void
     public function postLoginUserActions(int $user_id): void
     {
         Log::debug(sprintf("AuthService::postLoginUserActions user %s", $user_id));
-        $this->tx_service->transaction(function () use ($user_id) {
+        $this->tx_service->transaction(function () use($user_id){
             $user = $this->user_repository->getById($user_id);
-            if (!$user instanceof User)
-                return;
+            if(!$user instanceof User) return;
 
             if (!$user->isActive()) {
-                Log::warning(sprintf("AuthService::postLoginUserActions user %s is not active.", $user_id));
-                throw new AuthenticationLockedUserLoginAttempt(
-                    $user->getEmail(),
-                    sprintf("User %s is locked.", $user->getEmail())
-                );
+               Log::warning(sprintf("AuthService::postLoginUserActions user %s is not active.", $user_id));
+                throw new AuthenticationLockedUserLoginAttempt($user->getEmail(),
+                    sprintf("User %s is locked.", $user->getEmail()));
             }
 
             //update user fields