Adding endpoints for creating, updating, and removing external IDs.

Author: krulis-martin

app/V1Module/presenters/UsersPresenter.php

@@ -7,11 +7,13 @@
 use App\Exceptions\InvalidArgumentException;
 use App\Exceptions\NotFoundException;
 use App\Exceptions\WrongCredentialsException;
+use App\Model\Entity\ExternalLogin;
 use App\Model\Entity\Group;
 use App\Model\Entity\Login;
 use App\Model\Entity\SecurityEvent;
 use App\Model\Entity\User;
 use App\Model\Entity\UserUiData;
+use App\Model\Repository\ExternalLogins;
 use App\Model\Repository\Logins;
 use App\Model\Repository\SecurityEvents;
 use App\Exceptions\BadRequestException;
@@ -36,6 +38,12 @@ class UsersPresenter extends BasePresenter
      */
     public $logins;
 
+    /**
+     * @var ExternalLogins
+     * @inject
+     */
+    public $externalLogins;
+
     /**
      * @var SecurityEvents
      * @inject
@@ -294,7 +302,7 @@ private function changeUserEmail(User $user, ?string $email)
         }
 
         if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
-            throw new InvalidArgumentException("Provided email is not in correct format");
+            throw new InvalidArgumentException('email', "Provided email is not in correct format");
         }
 
         $oldEmail = $user->getEmail();
@@ -375,7 +383,7 @@ private function changeUserPassword(
 
         if (!$password || !$passwordConfirm) {
             // old password was provided but the new ones not, illegal state
-            throw new InvalidArgumentException("New password was not provided");
+            throw new InvalidArgumentException('password|passwordConfirm', "New password was not provided");
         }
 
         // passwords need to be handled differently
@@ -764,4 +772,76 @@ public function actionSetAllowed(string $id)
         $this->users->flush();
         $this->sendSuccessResponse($this->userViewFactory->getUser($user));
     }
+
+    public function checkUpdateExternalLogin(string $id, string $service)
+    {
+        $user = $this->users->findOrThrow($id);
+        if (!$this->userAcl->canSetExternalIds($user)) {
+            throw new ForbiddenRequestException();
+        }
+
+        // in the future, we might consider cross-checking the service ID
+    }
+
+    /**
+     * Add or update existing external ID of given authentication service.
+     * @POST
+     * @param string $id identifier of the user
+     * @param string $service identifier of the authentication service (login type)
+     * @Param(type="post", name="externalId", validation="string:1..128")
+     * @throws InvalidArgumentException
+     */
+    public function actionUpdateExternalLogin(string $id, string $service)
+    {
+        $user = $this->users->findOrThrow($id);
+
+        // make sure the external ID is not used for another user
+        $externalId = $this->getRequest()->getPost("externalId");
+        $anotherUser = $this->externalLogins->getUser($service, $externalId);
+        if ($anotherUser) {
+            if ($anotherUser->getId() !== $id) {
+                // oopsie, this external ID is alreay used for a different user
+                throw new InvalidArgumentException('externalId', "This ID is already used by another user.");
+            }
+            // otherwise the external ID is already set to this user, so there is nothing to change...
+        } else {
+            // create/update external login entry
+            $login = $this->externalLogins->findByUser($user, $service);
+            if ($login) {
+                $login->setExternalId($externalId);
+            } else {
+                $login = new ExternalLogin($user, $service, $externalId);
+            }
+
+            $this->externalLogins->persist($login);
+        }
+
+        $this->sendSuccessResponse($this->userViewFactory->getUser($user));
+    }
+
+    public function checkRemoveExternalLogin(string $id, string $service)
+    {
+        $user = $this->users->findOrThrow($id);
+        if (!$this->userAcl->canSetExternalIds($user)) {
+            throw new ForbiddenRequestException();
+        }
+
+        // in the future, we might consider cross-checking the service ID
+    }
+
+    /**
+     * Remove external ID of given authentication service.
+     * @DELETE
+     * @param string $id identifier of the user
+     * @param string $service identifier of the authentication service (login type)
+     */
+    public function actionRemoveExternalLogin(string $id, string $service)
+    {
+        $user = $this->users->findOrThrow($id);
+        $login = $this->externalLogins->findByUser($user, $service);
+        if ($login) {
+            $this->externalLogins->remove($login);
+        }
+        $this->sendSuccessResponse($this->userViewFactory->getUser($user));
+    }
 }

app/V1Module/router/RouterFactory.php

@@ -493,6 +493,8 @@ private static function createUsersRoutes(string $prefix): RouteList
         $router[] = new PostRoute("$prefix/<id>/create-local", "Users:createLocalAccount");
         $router[] = new PostRoute("$prefix/<id>/role", "Users:setRole");
         $router[] = new PostRoute("$prefix/<id>/allowed", "Users:setAllowed");
+        $router[] = new PostRoute("$prefix/<id>/external-login/<service>", "Users:updateExternalLogin");
+        $router[] = new DeleteRoute("$prefix/<id>/external-login/<service>", "Users:removeExternalLogin");
         $router[] = new GetRoute("$prefix/<id>/calendar-tokens", "UserCalendars:userCalendars");
         $router[] = new PostRoute("$prefix/<id>/calendar-tokens", "UserCalendars:createCalendar");
         $router[] = new GetRoute("$prefix/<id>/pending-reviews", "AssignmentSolutionReviews:pending");

app/V1Module/security/ACL/IUserPermissions.php

@@ -36,6 +36,8 @@ public function canSetRole(User $user): bool;
 
     public function canSetIsAllowed(User $user): bool;
 
+    public function canSetExternalIds(User $user): bool;
+
     public function canInvalidateTokens(User $user): bool;
 
     public function canForceChangePassword(User $user): bool;

app/config/permissions.neon

@@ -400,6 +400,7 @@ permissions:
         - updateProfile
         - updatePersonalData
         - setIsAllowed
+        - setExternalIds
         - createLocalAccount
         - invalidateTokens
 

app/helpers/FailureHelper/FailureHelper.php

@@ -15,7 +15,6 @@
  */
 class FailureHelper
 {
-
     public const TYPE_BACKEND_ERROR = "BACKEND ERROR";
     public const TYPE_API_ERROR = "API ERROR";
 

app/model/entity/ExternalLogin.php

@@ -6,7 +6,8 @@
 
 /**
  * @ORM\Entity
- * @ORM\Table(uniqueConstraints={@ORM\UniqueConstraint(columns={"auth_service", "external_id"})})
+ * @ORM\Table(uniqueConstraints={@ORM\UniqueConstraint(columns={"auth_service", "user_id"}),
+ *                               @ORM\UniqueConstraint(columns={"auth_service", "external_id"})})
  */
 class ExternalLogin
 {

migrations/Version20250209140028.php

@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Migrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Auto-generated Migration: Please modify to your needs!
+ */
+final class Version20250209140028 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return '';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // this up() migration is auto-generated, please modify it to your needs
+        $this->addSql('CREATE UNIQUE INDEX UNIQ_9845B893AFB9BA21A76ED395 ON external_login (auth_service, user_id)');
+    }
+
+    public function down(Schema $schema): void
+    {
+        // this down() migration is auto-generated, please modify it to your needs
+        $this->addSql('DROP INDEX UNIQ_9845B893AFB9BA21A76ED395 ON external_login');
+    }
+}