fix: phone number change related

supertokens · Sep 6, 2023 · 74a9ab1 · 74a9ab1
1 parent ec286b2
commit 74a9ab1
Show file tree

Hide file tree

Showing 4 changed files with 129 additions and 6 deletions.
diff --git a/src/main/java/io/supertokens/passwordless/Passwordless.java b/src/main/java/io/supertokens/passwordless/Passwordless.java
@@ -35,7 +35,6 @@
 import io.supertokens.pluginInterface.exceptions.StorageTransactionLogicException;
 import io.supertokens.pluginInterface.multitenancy.AppIdentifierWithStorage;
 import io.supertokens.pluginInterface.multitenancy.TenantConfig;
-import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
 import io.supertokens.pluginInterface.multitenancy.TenantIdentifierWithStorage;
 import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
 import io.supertokens.pluginInterface.passwordless.PasswordlessCode;
@@ -670,7 +669,8 @@ public static AuthRecipeUserInfo getUserByEmail(TenantIdentifierWithStorage tena
     public static void updateUser(Main main, String userId,
                                   FieldUpdate emailUpdate, FieldUpdate phoneNumberUpdate)
             throws StorageQueryException, UnknownUserIdException, DuplicateEmailException,
-            DuplicatePhoneNumberException, UserWithoutContactInfoException, EmailChangeNotAllowedException {
+            DuplicatePhoneNumberException, UserWithoutContactInfoException, EmailChangeNotAllowedException,
+            PhoneNumberChangeNotAllowedException {
         Storage storage = StorageLayer.getStorage(main);
         updateUser(new AppIdentifierWithStorage(null, null, storage),
                 userId, emailUpdate, phoneNumberUpdate);
@@ -679,7 +679,8 @@ public static void updateUser(Main main, String userId,
     public static void updateUser(AppIdentifierWithStorage appIdentifierWithStorage, String recipeUserId,
                                   FieldUpdate emailUpdate, FieldUpdate phoneNumberUpdate)
             throws StorageQueryException, UnknownUserIdException, DuplicateEmailException,
-            DuplicatePhoneNumberException, UserWithoutContactInfoException, EmailChangeNotAllowedException {
+            DuplicatePhoneNumberException, UserWithoutContactInfoException, EmailChangeNotAllowedException,
+            PhoneNumberChangeNotAllowedException {
         PasswordlessSQLStorage storage = appIdentifierWithStorage.getPasswordlessStorage();
 
         // We do not lock the user here, because we decided that even if the device cleanup used outdated information
@@ -742,6 +743,24 @@ public static void updateUser(AppIdentifierWithStorage appIdentifierWithStorage,
                     }
                 }
                 if (phoneNumberUpdate != null && !Objects.equals(phoneNumberUpdate.newValue, lM.phoneNumber)) {
+                    if (user.isPrimaryUser) {
+                        for (String tenantId : user.tenantIds) {
+                            AuthRecipeUserInfo[] existingUsersWithNewPhoneNumber =
+                                    authRecipeSQLStorage.listPrimaryUsersByPhoneNumber_Transaction(
+                                            appIdentifierWithStorage, con,
+                                            phoneNumberUpdate.newValue);
+
+                            for (AuthRecipeUserInfo userWithSamePhoneNumber : existingUsersWithNewPhoneNumber) {
+                                if (!userWithSamePhoneNumber.tenantIds.contains(tenantId)) {
+                                    continue;
+                                }
+                                if (userWithSamePhoneNumber.isPrimaryUser && !userWithSamePhoneNumber.getSupertokensUserId().equals(user.getSupertokensUserId())) {
+                                    throw new StorageTransactionLogicException(
+                                            new PhoneNumberChangeNotAllowedException());
+                                }
+                            }
+                        }
+                    }
                     try {
                         storage.updateUserPhoneNumber_Transaction(appIdentifierWithStorage, con, recipeUserId,
                                 phoneNumberUpdate.newValue);
@@ -776,6 +795,10 @@ public static void updateUser(AppIdentifierWithStorage appIdentifierWithStorage,
             if (e.actualException instanceof EmailChangeNotAllowedException) {
                 throw (EmailChangeNotAllowedException) e.actualException;
             }
+
+            if (e.actualException instanceof PhoneNumberChangeNotAllowedException) {
+                throw (PhoneNumberChangeNotAllowedException) e.actualException;
+            }
         }
     }
 

diff --git a/...ain/java/io/supertokens/passwordless/exceptions/PhoneNumberChangeNotAllowedException.java b/...ain/java/io/supertokens/passwordless/exceptions/PhoneNumberChangeNotAllowedException.java
@@ -0,0 +1,20 @@
+/*
+ *    Copyright (c) 2023, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.passwordless.exceptions;
+
+public class PhoneNumberChangeNotAllowedException extends Exception {
+}
diff --git a/src/main/java/io/supertokens/webserver/api/passwordless/UserAPI.java b/src/main/java/io/supertokens/webserver/api/passwordless/UserAPI.java
@@ -22,6 +22,7 @@
 import io.supertokens.emailpassword.exceptions.EmailChangeNotAllowedException;
 import io.supertokens.passwordless.Passwordless;
 import io.supertokens.passwordless.Passwordless.FieldUpdate;
+import io.supertokens.passwordless.exceptions.PhoneNumberChangeNotAllowedException;
 import io.supertokens.passwordless.exceptions.UserWithoutContactInfoException;
 import io.supertokens.pluginInterface.RECIPE_ID;
 import io.supertokens.pluginInterface.authRecipe.AuthRecipeUserInfo;
@@ -30,7 +31,6 @@
 import io.supertokens.pluginInterface.exceptions.StorageQueryException;
 import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
 import io.supertokens.pluginInterface.passwordless.exception.DuplicatePhoneNumberException;
-import io.supertokens.pluginInterface.useridmapping.UserIdMapping;
 import io.supertokens.useridmapping.UserIdType;
 import io.supertokens.utils.SemVer;
 import io.supertokens.utils.Utils;
@@ -187,6 +187,11 @@ protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws IO
             result.addProperty("status", "EMAIL_CHANGE_NOT_ALLOWED_ERROR");
             result.addProperty("reason", "New email is associated with another primary user ID");
             super.sendJsonResponse(200, result, resp);
+        } catch (PhoneNumberChangeNotAllowedException e) {
+            JsonObject result = new JsonObject();
+            result.addProperty("status", "PHONE_NUMBER_CHANGE_NOT_ALLOWED_ERROR");
+            result.addProperty("reason", "New phone number is associated with another primary user ID");
+            super.sendJsonResponse(200, result, resp);
         }
     }
 }
diff --git a/src/test/java/io/supertokens/test/accountlinking/MultitenantTest.java b/src/test/java/io/supertokens/test/accountlinking/MultitenantTest.java
@@ -23,13 +23,13 @@
 import io.supertokens.authRecipe.exception.AccountInfoAlreadyAssociatedWithAnotherPrimaryUserIdException;
 import io.supertokens.emailpassword.EmailPassword;
 import io.supertokens.emailpassword.exceptions.EmailChangeNotAllowedException;
-import io.supertokens.emailpassword.exceptions.WrongCredentialsException;
 import io.supertokens.featureflag.EE_FEATURES;
 import io.supertokens.featureflag.FeatureFlagTestContent;
 import io.supertokens.featureflag.exceptions.FeatureNotEnabledException;
 import io.supertokens.multitenancy.Multitenancy;
 import io.supertokens.multitenancy.exception.*;
 import io.supertokens.passwordless.Passwordless;
+import io.supertokens.passwordless.exceptions.PhoneNumberChangeNotAllowedException;
 import io.supertokens.pluginInterface.authRecipe.AuthRecipeUserInfo;
 import io.supertokens.pluginInterface.emailpassword.exceptions.DuplicateEmailException;
 import io.supertokens.pluginInterface.exceptions.InvalidConfigException;
@@ -52,7 +52,6 @@
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.function.Function;
 
 import static org.junit.Assert.*;
 
@@ -287,6 +286,46 @@ public void testVariousCases() throws Exception {
                         new UpdatePlessUserEmail(t1, 1, "[email protected]").expect(new EmailChangeNotAllowedException()),
                 }),
 
+                new TestCase(new TestCaseStep[]{
+                        new CreatePlessUserWithPhone(t1, "+1000001"),
+                        new CreatePlessUserWithPhone(t1, "+1000003"),
+                        new CreatePlessUserWithPhone(t2, "+1000002"),
+                        new MakePrimaryUser(t1, 0),
+                        new LinkAccounts(t1, 0, 2),
+                        new MakePrimaryUser(t2, 1),
+                        new UpdatePlessUserPhone(t1, 0, "+1000003").expect(new PhoneNumberChangeNotAllowedException()),
+                }),
+
+                new TestCase(new TestCaseStep[]{
+                        new CreatePlessUserWithPhone(t1, "+1000001"),
+                        new CreatePlessUserWithPhone(t1, "+1000003"),
+                        new CreatePlessUserWithPhone(t2, "+1000002"),
+                        new MakePrimaryUser(t1, 0),
+                        new LinkAccounts(t1, 0, 2),
+                        new MakePrimaryUser(t2, 1),
+                        new UpdatePlessUserPhone(t1, 1, "+1000001").expect(new PhoneNumberChangeNotAllowedException()),
+                }),
+
+                new TestCase(new TestCaseStep[]{
+                        new CreateEmailPasswordUser(t1, "[email protected]"),
+                        new CreateEmailPasswordUser(t1, "[email protected]"),
+                        new CreateEmailPasswordUser(t2, "[email protected]"),
+                        new MakePrimaryUser(t1, 0),
+                        new LinkAccounts(t1, 0, 2),
+                        new MakePrimaryUser(t2, 1),
+                        new UpdateEmailPasswordUserEmail(t1, 0, "[email protected]").expect(new EmailChangeNotAllowedException()),
+                }),
+
+                new TestCase(new TestCaseStep[]{
+                        new CreateEmailPasswordUser(t1, "[email protected]"),
+                        new CreateEmailPasswordUser(t1, "[email protected]"),
+                        new CreateEmailPasswordUser(t2, "[email protected]"),
+                        new MakePrimaryUser(t1, 0),
+                        new LinkAccounts(t1, 0, 2),
+                        new MakePrimaryUser(t2, 1),
+                        new UpdateEmailPasswordUserEmail(t1, 1, "[email protected]").expect(new EmailChangeNotAllowedException()),
+                }),
+
                 new TestCase(new TestCaseStep[]{
                         new CreateEmailPasswordUser(t1, "[email protected]"),
                         new CreateThirdPartyUser(t2, "google", "googleid", "[email protected]"),
@@ -606,6 +645,24 @@ public void execute(Main main) throws Exception {
         }
     }
 
+    private static class UpdateEmailPasswordUserEmail extends TestCaseStep {
+        TenantIdentifier tenantIdentifier;
+        int userIndex;
+        String email;
+
+        public UpdateEmailPasswordUserEmail(TenantIdentifier tenantIdentifier, int userIndex, String email) {
+            this.tenantIdentifier = tenantIdentifier;
+            this.userIndex = userIndex;
+            this.email = email;
+        }
+
+        @Override
+        public void execute(Main main) throws Exception {
+            TenantIdentifierWithStorage tenantIdentifierWithStorage = tenantIdentifier.withStorage(StorageLayer.getStorage(tenantIdentifier, main));
+            EmailPassword.updateUsersEmailOrPassword(tenantIdentifierWithStorage.toAppIdentifierWithStorage(), main, TestCase.users.get(userIndex).getSupertokensUserId(), email, null);
+        }
+    }
+
     private static class UpdatePlessUserEmail extends TestCaseStep {
         TenantIdentifier tenantIdentifier;
         int userIndex;
@@ -623,4 +680,22 @@ public void execute(Main main) throws Exception {
             Passwordless.updateUser(tenantIdentifierWithStorage.toAppIdentifierWithStorage(), TestCase.users.get(userIndex).getSupertokensUserId(), new Passwordless.FieldUpdate(email), null);
         }
     }
+
+    private static class UpdatePlessUserPhone extends TestCaseStep {
+        TenantIdentifier tenantIdentifier;
+        int userIndex;
+        String phoneNumber;
+
+        public UpdatePlessUserPhone(TenantIdentifier tenantIdentifier, int userIndex, String phoneNumber) {
+            this.tenantIdentifier = tenantIdentifier;
+            this.userIndex = userIndex;
+            this.phoneNumber = phoneNumber;
+        }
+
+        @Override
+        public void execute(Main main) throws Exception {
+            TenantIdentifierWithStorage tenantIdentifierWithStorage = tenantIdentifier.withStorage(StorageLayer.getStorage(tenantIdentifier, main));
+            Passwordless.updateUser(tenantIdentifierWithStorage.toAppIdentifierWithStorage(), TestCase.users.get(userIndex).getSupertokensUserId(), null, new Passwordless.FieldUpdate(phoneNumber));
+        }
+    }
 }