Add new database fields for user, change mis-named, fix tests - rate limiting not in play

Author: silverbackdan

features/bootstrap/DoctrineContext.php

@@ -271,13 +271,17 @@ public function theUserEmailIsNotVerified(?string $verificationToken = null): vo
     }
 
     /**
-     * @Given the user has a new email address :emailAddress and confirmation token :token
+     * @Given /^the user has a new email address "([^" ]*)" and confirmation token "([^" ]*)"(?: and the email was sent at "([^"]*)"|)$/i
      */
-    public function theUserHasANewEmailAddress(string $emailAddress, string $verificationToken): void
+    public function theUserHasANewEmailAddress(string $emailAddress, string $verificationToken, string $emailSentAt = 'now'): void
     {
         /** @var User $user */
         $user = $this->iriConverter->getResourceFromIri($this->restContext->resources['user']);
-        $user->setNewEmailAddress($emailAddress)->setNewEmailConfirmationToken($this->passwordHasher->hashPassword($user, $verificationToken));
+        $user
+            ->setNewEmailAddress($emailAddress)
+            ->setNewEmailConfirmationToken($this->passwordHasher->hashPassword($user, $verificationToken))
+            ->setNewEmailAddressChangeRequestedAt(new \DateTime($emailSentAt))
+        ;
         $this->manager->flush();
     }
 

features/user/new_email_address.feature

@@ -165,15 +165,15 @@ Feature: Register process via a form
   Scenario: I can resend a new email address confirmation email with a new token
     Given there is a "new_email" form
     And there is a user with the username "my_username" password "password" and role "ROLE_USER" and the email address "user@example.com"
-    And the user has a new email address "new@example.com" and confirmation token abc123
+    And the user has a new email address "new@example.com" and confirmation token "abc123" and the email was sent at "-1 day"
     And I add "referer" header equal to "http://www.website.com"
     When I send a "GET" request to "/resend-verify-new-email/my_username"
     Then the response status code should be 200
     And I should get a "change_email_confirmation" email sent to the email address "user@example.com"
 
   Scenario: I can verify my new email address
     Given there is a user with the username "my_username" password "password" and role "ROLE_USER" and the email address "old@email.com"
-    And the user has a new email address "new@email.com" and confirmation token abc123
+    And the user has a new email address "new@email.com" and confirmation token "abc123"
     And I add "referer" header equal to "http://www.website.com"
     When I send a "GET" request to "/confirm-email/my_username/new@email.com/abc123"
     Then the response status code should be 200
@@ -184,7 +184,7 @@ Feature: Register process via a form
   Scenario: Email verification reset if another user now has confirmed email same as the one this user is trying to confirm
     Given there is a user with the username "new@email.com" password "password" and role "ROLE_USER" and the email address "new@email.com"
     And there is a user with the username "another_user" password "password" and role "ROLE_USER"
-    And the user has a new email address "new@email.com" and confirmation token abc123
+    And the user has a new email address "new@email.com" and confirmation token "abc123"
     When I send a "GET" request to "/confirm-email/another_user/new@email.com/abc123"
     Then the response status code should be 401
     And the new email address should be "test.user@example.com" for username "another_user"

src/Entity/User/AbstractUser.php

@@ -117,6 +117,9 @@ abstract class AbstractUser implements SymfonyUserInterface, PasswordAuthenticat
     #[ApiProperty(readable: false, writable: false)]
     protected ?\DateTime $emailLastUpdatedAt = null;
 
+    #[ApiProperty(readable: false, writable: false)]
+    protected ?\DateTime $emailAddressVerificationRequestedAt = null;
+
     /**
      * `final` to make `createFromPayload` safe. Could instead make an interface? Or abstract and force child to define constructor?
      */
@@ -253,9 +256,6 @@ public function getNewEmailAddress(): ?string
     public function setNewEmailAddress(?string $newEmailAddress): self
     {
         $this->newEmailAddress = $newEmailAddress;
-        if ($newEmailAddress) {
-            $this->newEmailAddressChangeRequestedAt = new \DateTime();
-        }
 
         return $this;
     }
@@ -268,9 +268,6 @@ public function getNewEmailConfirmationToken(): ?string
     public function setNewEmailConfirmationToken(?string $newEmailConfirmationToken): self
     {
         $this->newEmailConfirmationToken = $newEmailConfirmationToken;
-        if ($newEmailConfirmationToken) {
-            $this->newEmailAddressChangeRequestedAt = new \DateTime();
-        }
 
         return $this;
     }
@@ -280,6 +277,11 @@ public function getNewEmailAddressChangeRequestedAt(): ?\DateTime
         return $this->newEmailAddressChangeRequestedAt;
     }
 
+    public function setNewEmailAddressChangeRequestedAt(?\DateTime $newEmailAddressChangeRequestedAt): void
+    {
+        $this->newEmailAddressChangeRequestedAt = $newEmailAddressChangeRequestedAt;
+    }
+
     public function isEmailAddressVerified(): bool
     {
         return $this->emailAddressVerified;
@@ -300,9 +302,16 @@ public function getEmailAddressVerifyToken(): ?string
     public function setEmailAddressVerifyToken(?string $emailAddressVerifyToken): void
     {
         $this->emailAddressVerifyToken = $emailAddressVerifyToken;
-        if ($emailAddressVerifyToken) {
-            $this->emailLastUpdatedAt = new \DateTime();
-        }
+    }
+
+    public function getEmailAddressVerificationRequestedAt(): ?\DateTime
+    {
+        return $this->emailAddressVerificationRequestedAt;
+    }
+
+    public function setEmailAddressVerificationRequestedAt(?\DateTime $emailAddressVerificationRequestedAt): void
+    {
+        $this->emailAddressVerificationRequestedAt = $emailAddressVerificationRequestedAt;
     }
 
     public function isPasswordRequestLimitReached($ttl): bool
@@ -323,7 +332,7 @@ public function isNewEmailVerifyRequestLimitReached($ttl): bool
 
     public function isEmailVerifyRequestLimitReached($ttl): bool
     {
-        $lastRequest = $this->emailLastUpdatedAt;
+        $lastRequest = $this->getEmailAddressVerificationRequestedAt();
 
         return $lastRequest instanceof \DateTime
             && $lastRequest->getTimestamp() + $ttl > time();
@@ -349,7 +358,6 @@ public function serialize(): string
      */
     public function unserialize(string $serialized): self
     {
-        $id = null;
         [
             $id,
             $this->username,

src/Resources/config/doctrine-orm/User.AbstractUser.orm.xml

@@ -18,7 +18,8 @@
         <field name="newEmailConfirmationToken" column="new_email_verification_token" nullable="true"/>
         <field name="newEmailAddressChangeRequestedAt" column="new_email_address_change_requested_at" type="datetime" nullable="true"/>
         <field name="emailAddressVerified" column="email_address_verified" type="boolean"/>
-        <field name="emailAddressVerifyToken" column="restore_access_token" length="255" nullable="true"/>
+        <field name="emailAddressVerifyToken" column="email_address_verify_token" length="255" nullable="true"/>
+        <field name="emailAddressVerificationRequestedAt" column="email_address_verification_requested_at" type="datetime" nullable="true"/>
         <field name="emailLastUpdatedAt" column="email_last_updated_at" type="datetime" nullable="true"/>
     </mapped-superclass>
 </doctrine-mapping>