Fixes for password resets and tests

Author: silverbackdan

features/bootstrap/DoctrineContext.php

@@ -42,6 +42,7 @@
 use Silverback\ApiComponentsBundle\Form\Type\User\UserLoginType;
 use Silverback\ApiComponentsBundle\Form\Type\User\UserRegisterType;
 use Silverback\ApiComponentsBundle\Helper\Timestamped\TimestampedDataPersister;
+use Silverback\ApiComponentsBundle\Repository\User\UserRepositoryInterface;
 use Silverback\ApiComponentsBundle\Tests\Functional\TestBundle\Entity\DummyComponent;
 use Silverback\ApiComponentsBundle\Tests\Functional\TestBundle\Entity\DummyCustomTimestamped;
 use Silverback\ApiComponentsBundle\Tests\Functional\TestBundle\Entity\DummyPublishableComponent;
@@ -125,7 +126,8 @@ private function login(array $roles = [], $useAuthHeader = false): void
         $user = new User();
         $user
             ->setRoles($roles)
-            ->setUsername('user@example.com')
+            ->setUsername('new_user')
+            ->setEmailAddress('user@example.com')
             ->setPassword($this->passwordHasher->hashPassword($user, 'password'))
             ->setEnabled(true)
             ->setEmailAddressVerified(true);
@@ -919,13 +921,10 @@ public function theResourceShouldExist(string $name): void
      */
     public function thePasswordShouldBeEqualTo(string $password, string $username): void
     {
+        /** @var UserRepositoryInterface $repository */
         $repository = $this->manager->getRepository(User::class);
         /** @var AbstractUser $user */
-        $user = $repository->findOneBy(
-            [
-                'username' => $username,
-            ]
-        );
+        $user = $repository->loadUserByIdentifier($username);
         Assert::assertTrue($this->passwordHasher->isPasswordValid($user, $password));
     }
 

features/bootstrap/ProfilerContext.php

@@ -34,6 +34,7 @@
 use Symfony\Component\HttpClient\DataCollector\HttpClientDataCollector;
 use Symfony\Component\HttpKernel\Profiler\Profile as HttpProfile;
 use Symfony\Component\Mailer\DataCollector\MessageDataCollector;
+use Symfony\Component\Mailer\Event\MessageEvent;
 use Symfony\Component\Mercure\Update;
 use Symfony\Component\Mime\Header\Headers;
 use Symfony\Component\VarDumper\Cloner\Data;
@@ -209,16 +210,11 @@ public function iShouldGetAnEmail(string $emailType, string $emailAddress = 'use
         /** @var TemplatedEmail[] $messages */
         $messages = iterator_to_array($templatedEmailMessageEventSubscriber->getMessages());
 
-//        $events = $collector->getEvents()->getEvents();
-//        /** @var TemplatedEmail[] $messages */
-//        $messages = [];
-//        foreach ($events as $event) {
-//            if (!$event->isQueued()) {
-//                $messages[] = $event->getMessage();
-//            }
-//        }
+        $subjects = array_map(static function(TemplatedEmail $email) {
+            return $email->getSubject();
+        }, $messages);
 
-        Assert::assertCount(1, $messages);
+        Assert::assertCount(1, $messages, sprintf("%d messages were sent but only 1 was expected. Messages were sent with subjects '%s'", count($messages), implode("', '", $subjects)));
         Assert::assertInstanceOf(TemplatedEmail::class, $email = $messages[0]);
 
         /** @var TemplatedEmail $email */
@@ -294,7 +290,7 @@ private function validateChangeEmailVerification(array $context, Headers $header
         Assert::assertEquals('Please confirm your new email address', $headers->get('subject')->getBodyAsString());
         Assert::assertStringStartsWith(ChangeEmailConfirmationEmailFactory::MESSAGE_ID_PREFIX, $headers->get('x-message-id')->getBodyAsString());
         Assert::assertIsString($context['user']->getNewEmailConfirmationToken());
-        Assert::assertRegExp('/^http:\/\/www.website.com\/' . $pathInsert . '\/user%40example.com\/new%40example.com\/([a-z0-9]+)$/i', $context['redirect_url']);
+        Assert::assertRegExp('/^http:\/\/www.website.com\/' . $pathInsert . '\/new_user\/new%40example.com\/([a-z0-9]+)$/i', $context['redirect_url']);
     }
 
     private function validateChangePasswordNotification(Headers $headers): void
@@ -307,7 +303,7 @@ private function validateUserWelcomeEmail(array $context, Headers $headers): voi
     {
         Assert::assertEquals('Welcome to New Website', $headers->get('subject')->getBodyAsString());
         Assert::assertStringStartsWith(WelcomeEmailFactory::MESSAGE_ID_PREFIX, $headers->get('x-message-id')->getBodyAsString());
-        Assert::assertRegExp('/^http:\/\/www.website.com\/verify-email\/user%40example.com\/([a-z0-9]+)$/i', $context['redirect_url']);
+        Assert::assertRegExp('/^http:\/\/www.website.com\/verify-email\/new_user\/([a-z0-9]+)$/i', $context['redirect_url']);
     }
 
     private function validatePasswordReset(array $context, Headers $headers, bool $customPath = false): void

features/user/change_password_form.feature

@@ -89,5 +89,6 @@ Feature: Register process via a form
     """
     Then the response status code should be 201
     And the JSON should be valid according to the schema file "user.schema.json"
-    And the JSON node "username" should be equal to "user@example.com"
+    And the JSON node "username" should be equal to "new_user"
+    And the JSON node "emailAddress" should be equal to "user@example.com"
     And the password should be "new_password" for username "user@example.com"

features/user/forgot_password.feature

@@ -28,7 +28,9 @@ Feature: Forgot password system
     Given there is a "password_update" form
     When I send a "GET" request to the resource "password_update_form" and the postfix "<postfix>"
     Then the response status code should be 200
+    And the JSON node "formView.children[0].vars.name" should be equal to "username"
     And the JSON node "formView.children[0].vars.value" should be equal to "<expectedUsername>"
+    And the JSON node "formView.children[1].vars.name" should be equal to "plainNewPasswordConfirmationToken"
     And the JSON node "formView.children[1].vars.value" should be equal to "<expectedToken>"
     Examples:
       | postfix                 | expectedUsername | expectedToken |
@@ -44,17 +46,41 @@ Feature: Forgot password system
     {
       "password_update": {
         "username": "username",
-        "newPasswordConfirmationToken": "abc123",
+        "plainNewPasswordConfirmationToken": "abc123",
         "plainPassword": {
           "first": "mynewpassword",
           "second": "mynewpassword"
         }
       }
     }
     """
-    Then the response status code should be 200
+    Then the response status code should be 201
     And I should get a "password_changed" email sent to the email address "test.user@example.com"
 
+  Scenario Outline: I cannot reset my password with an invalid token
+    Given there is a "password_update" form
+    And there is a user with the username "username" password "password" and role "ROLE_USER"
+    And the user has the newPasswordConfirmationToken "abc123" requested at "now"
+    When I send a "POST" request to the resource "password_update_form" and the postfix "/submit" with body:
+    """
+    {
+      "password_update": {
+        "username": "username",
+        "plainNewPasswordConfirmationToken": "INVALID",
+        "plainPassword": {
+          "first": "<password>",
+          "second": "<password>"
+        }
+      }
+    }
+    """
+    Then the response status code should be <statusCode>
+    And I should not receive any emails
+    Examples:
+      | password      | statusCode     |
+      | a             | 422            |
+      | mynewpassword | 404            |
+
   Scenario Outline: I cannot reset my password with invalid data
     Given there is a "password_update" form
     And there is a user with the username "username" password "password" and role "ROLE_USER"
@@ -64,7 +90,7 @@ Feature: Forgot password system
     {
       "password_update": {
         "username": "<username>",
-        "newPasswordConfirmationToken": "<token>",
+        "plainNewPasswordConfirmationToken": "<token>",
         "plainPassword": {
           "first": "mynewpassword",
           "second": "mynewpassword"
@@ -90,7 +116,7 @@ Feature: Forgot password system
     {
       "password_update": {
         "username": "username",
-        "newPasswordConfirmationToken": "abc123",
+        "plainNewPasswordConfirmationToken": "abc123",
         "plainPassword": {
           "first": "<passwordFirst>",
           "second": "<passwordSecond>"
@@ -110,18 +136,19 @@ Feature: Forgot password system
   Scenario: I can reset my password successfully without a specific password update form component being required
     Given there is a user with the username "username" password "password" and role "ROLE_USER"
     And the user has the newPasswordConfirmationToken "abc123" requested at "now"
-    When I send a "PATCH" request to "/component/forms/password_reset/submit" with body:
+    When I send a "POST" request to "/component/forms/password_reset/submit" with body:
     """
     {
       "password_update": {
         "username": "username",
-        "newPasswordConfirmationToken": "abc123",
+        "plainNewPasswordConfirmationToken": "abc123",
         "plainPassword": {
           "first": "mynewpassword",
           "second": "mynewpassword"
         }
       }
     }
     """
-    Then the response status code should be 200
+    Then the response status code should be 201
     And I should get a "password_changed" email sent to the email address "test.user@example.com"
+    And the JSON should be valid according to the schema file "form.schema.json"

features/user/register_form.feature

@@ -15,7 +15,8 @@ Feature: Register process via a form
     """
     {
       "user_register": {
-        "username": "user@example.com",
+        "username": "new_user",
+        "emailAddress": "user@example.com",
         "plainPassword": {
           "first": "password",
           "second": "password"
@@ -31,7 +32,7 @@ Feature: Register process via a form
     {
         "@context": "/contexts/User",
         "@type": "User",
-        "username": "user@example.com",
+        "username": "new_user",
         "emailAddress": "user@example.com",
         "_metadata": {
           "persisted": true
@@ -41,14 +42,15 @@ Feature: Register process via a form
     And the JSON should be valid according to the schema file "user.schema.json"
     And I should get a "user_welcome" email sent
 
-  Scenario: Submit a duplicate user registration form
+  Scenario Outline: Submit a duplicate user registration form
     Given there is a "register" form
-    And there is a user with the username "user@email.com" password "password" and role "ROLE_USER"
+    And there is a user with the username "new_user" password "password" and role "ROLE_USER" and the email address "user@example.com"
     When I send a "POST" request to the resource "register_form" and the postfix "/submit" with body:
     """
     {
       "user_register": {
-        "username": "user@email.com",
+        "username": "<username>",
+        "emailAddress": "<emailAddress>",
         "plainPassword": {
           "first": "pw",
           "second": "pw"
@@ -58,9 +60,13 @@ Feature: Register process via a form
     """
     And the response status code should be 422
     And the response should be in JSON
-    And the JSON node "formView.children[0].vars.errors[0]" should be equal to "Sorry, that user already exists in the database."
-    And the JSON node "formView.children[1].children[0].vars.errors[0]" should be equal to "Your password must be more than 6 characters long."
+    And the JSON node "<errorPath>" should be equal to "<errorMessage>"
+    And the JSON node "formView.children[2].children[0].vars.errors[0]" should be equal to "Your password must be more than 6 characters long."
     And the JSON should be valid according to the schema file "form.schema.json"
+    Examples:
+    | username       | emailAddress         | errorPath                           | errorMessage                                              |
+    | new_user       | different@email.com  | formView.children[0].vars.errors[0] | Sorry, that user already exists in the database.          |
+    | different_user | user@example.com     | formView.children[1].vars.errors[0] | Sorry, that email address already exists in the database. |
 
   Scenario: Submit an invalid user registration form
     Given there is a "register" form
@@ -76,5 +82,6 @@ Feature: Register process via a form
     And the response status code should be 422
     And the response should be in JSON
     And the JSON node "formView.children[0].vars.errors[0]" should be equal to "Please enter a username."
-    And the JSON node "formView.children[1].children[0].vars.errors[0]" should be equal to "Please enter your desired password."
+    And the JSON node "formView.children[1].vars.errors[0]" should be equal to "Please enter your email address."
+    And the JSON node "formView.children[2].children[0].vars.errors[0]" should be equal to "Please enter your desired password."
     And the JSON should be valid according to the schema file "form.schema.json"

src/Entity/User/AbstractUser.php

@@ -39,11 +39,11 @@ abstract class AbstractUser implements SymfonyUserInterface, PasswordAuthenticat
     use IdTrait;
     use TimestampedTrait;
 
-    #[Assert\NotBlank(message: 'Please enter a username.', groups: ['Default'])]
+    #[Assert\NotBlank(message: 'Please enter a username.', allowNull: false, groups: ['Default'])]
     #[Groups(['User:superAdmin', 'User:output', 'Form:cwa_resource:read'])]
     protected ?string $username;
 
-    #[Assert\NotBlank(groups: ['Default'])]
+    #[Assert\NotBlank(message: 'Please enter your email address.', allowNull: false, groups: ['Default'])]
     #[Assert\Email]
     #[Groups(['User:superAdmin', 'User:output', 'Form:cwa_resource:read'])]
     protected ?string $emailAddress;

src/EventListener/Form/EntityPersistFormListener.php

@@ -21,6 +21,7 @@
 use Silverback\ApiComponentsBundle\Exception\InvalidArgumentException;
 use Silverback\ApiComponentsBundle\Helper\Timestamped\TimestampedDataPersister;
 use Silverback\ApiComponentsBundle\Helper\User\UserDataProcessor;
+use Silverback\ApiComponentsBundle\Serializer\Normalizer\UserNormalizer;
 use Silverback\ApiComponentsBundle\Utility\ClassMetadataTrait;
 use Symfony\Component\Serializer\Normalizer\DenormalizerInterface;
 use Symfony\Component\Serializer\Normalizer\NormalizerInterface;
@@ -95,7 +96,9 @@ public function __invoke(FormSuccessEvent $event): void
             if (\count($oldData)) {
                 $normalized = $this->normalizer->normalize($oldData);
                 /** @var AbstractUser $oldUser */
-                $oldUser = $this->normalizer->denormalize($normalized, \get_class($data));
+                $oldUser = $this->normalizer->denormalize($normalized, \get_class($data), null, [
+                    UserNormalizer::ALREADY_CALLED => true
+                ]);
             }
 
             $this->userDataProcessor->processChanges($data, $oldUser);

src/EventListener/Form/User/PasswordUpdateListener.php

@@ -15,7 +15,9 @@
 
 use Silverback\ApiComponentsBundle\Entity\User\AbstractUser;
 use Silverback\ApiComponentsBundle\Event\FormSuccessEvent;
+use Silverback\ApiComponentsBundle\EventListener\Form\EntityPersistFormListener;
 use Silverback\ApiComponentsBundle\EventListener\Form\FormSuccessEventListenerInterface;
+use Silverback\ApiComponentsBundle\Form\Type\User\ChangePasswordType;
 use Silverback\ApiComponentsBundle\Form\Type\User\PasswordUpdateType;
 use Silverback\ApiComponentsBundle\Helper\User\UserDataProcessor;
 use Silverback\ApiComponentsBundle\Helper\User\UserMailer;
@@ -24,15 +26,10 @@
 /**
  * @author Daniel West <daniel@silverback.is>
  */
-class PasswordUpdateListener implements FormSuccessEventListenerInterface
-{
-    private UserDataProcessor $userDataProcessor;
-    private UserMailer $userMailer;
-
-    public function __construct(UserDataProcessor $userDataProcessor, UserMailer $userMailer)
+class PasswordUpdateListener extends EntityPersistFormListener {
+    public function __construct(private readonly UserDataProcessor $userDataProcessor)
     {
-        $this->userDataProcessor = $userDataProcessor;
-        $this->userMailer = $userMailer;
+        parent::__construct(PasswordUpdateType::class, AbstractUser::class, false);
     }
 
     public function __invoke(FormSuccessEvent $event): void
@@ -45,14 +42,13 @@ public function __invoke(FormSuccessEvent $event): void
             return;
         }
 
-        $user = $this->userDataProcessor->passwordReset((string) $formDataUser->getUsername(), (string) $formDataUser->getNewPasswordConfirmationToken(), (string) $formDataUser->getPlainPassword());
+        $user = $this->userDataProcessor->passwordReset($formDataUser->getUsername(), (string) $formDataUser->plainNewPasswordConfirmationToken, (string) $formDataUser->getPlainPassword());
+
         if (!$user) {
             $event->result = new Response(null, Response::HTTP_NOT_FOUND);
-
             return;
         }
 
-        $this->userMailer->sendPasswordChangedEmail($user);
-        $event->result = new Response(null, Response::HTTP_OK);
+        parent::__invoke($event);
     }
 }

src/Factory/Form/FormViewFactory.php

@@ -39,7 +39,7 @@ public function create(Form $form): FormView
     {
         $builder = $this->formFactory->createBuilder($form->formType);
 
-        if (!($currentAction = $builder->getAction()) || '' === $currentAction) {
+        if (!$builder->getAction()) {
             $builder->setAction($this->getFormAction($form));
         }