Merge pull request #195 from bcgov/bug/duplicate-users

Bug/duplicate users

Author: jujaga

app/src/db/migrations/20230810000000_009-user-identity-constraint.js

@@ -0,0 +1,28 @@
+exports.up = function (knex) {
+  return Promise.resolve()
+    // remove duplicate users - deletes all but oldest of users with matching IdentityId
+    // duplicates users may have existed in rare case where authentication of a new user was triggered concurrently
+    .then(() => knex.raw(`DELETE FROM "public"."user" AS u
+      WHERE u."userId" IN (
+        SELECT DISTINCT ON ("public"."user"."identityId") "public"."user"."userId"
+        FROM "public"."user"
+        WHERE (
+          SELECT count(*)
+          FROM "public"."user" AS user2
+          WHERE user2."identityId" = "public"."user"."identityId") > 1
+        ORDER BY "public"."user"."identityId", "public"."user"."createdAt" DESC
+      )`))
+
+    // prevent further duplicate users - add unique index over columns identityId and idp in user table
+    .then(() => knex.schema.alterTable('user', table => {
+      table.unique(['identityId', 'idp']);
+    }));
+};
+
+exports.down = function (knex) {
+  return Promise.resolve()
+    // remove unique index over columns identityId and idp in user table
+    .then(() => knex.schema.alterTable('user', table => {
+      table.dropUnique(['identityId', 'idp']);
+    }));
+};

app/src/services/user.js

@@ -3,6 +3,7 @@ const { v4: uuidv4, NIL: SYSTEM_USER } = require('uuid');
 const { parseIdentityKeyClaims } = require('../components/utils');
 
 const { IdentityProvider, User } = require('../db/models');
+const utils = require('../db/models/utils');
 
 /**
  * The User DB Service
@@ -69,26 +70,36 @@ const service = {
   createUser: async (data, etrx = undefined) => {
     let trx;
     try {
+      let response;
       trx = etrx ? etrx : await User.startTransaction();
 
-      if (data.idp) {
-        const identityProvider = await service.readIdp(data.idp);
-        if (!identityProvider) await service.createIdp(data.idp, trx);
-      }
+      const exists = await User.query(trx)
+        .where({ 'identityId': data.identityId, idp: data.idp })
+        .first();
 
-      const obj = {
-        userId: uuidv4(),
-        identityId: data.identityId,
-        username: data.username,
-        fullName: data.fullName,
-        email: data.email,
-        firstName: data.firstName,
-        lastName: data.lastName,
-        idp: data.idp,
-        createdBy: data.userId
-      };
+      if (exists) {
+        response = exists;
+      } else { // else add new user
+        if (data.idp) { // add idp if not in db
+          const identityProvider = await service.readIdp(data.idp, trx);
+          if (!identityProvider) await service.createIdp(data.idp, trx);
+        }
+
+        response = await User.query(trx)
+          .insert({
+            userId: uuidv4(),
+            identityId: data.identityId,
+            username: data.username,
+            fullName: data.fullName,
+            email: data.email,
+            firstName: data.firstName,
+            lastName: data.lastName,
+            idp: data.idp,
+            createdBy: data.userId
+          })
+          .returning('*');
+      }
 
-      const response = await User.query(trx).insertAndFetch(obj);
       if (!etrx) await trx.commit();
       return response;
     } catch (err) {
@@ -135,27 +146,43 @@ const service = {
    */
   login: async (token) => {
     const newUser = service._tokenToUser(token);
-    const oldUser = await User.query()
-      .where('identityId', newUser.identityId)
-      .first();
+    // wrap with db transaction
+    return await utils.trxWrapper(async (trx) => {
+      // check if user exists in db
+      const oldUser = await User.query(trx)
+        .where({ 'identityId': newUser.identityId, idp: newUser.idp })
+        .first();
 
-    if (!oldUser) {
-      // Add user to system
-      return service.createUser(newUser);
-    } else {
-      // Update user data if necessary
-      return service.updateUser(oldUser.userId, newUser);
-    }
+      if (!oldUser) {
+        // Add user to system
+        return await service.createUser(newUser, trx);
+      } else {
+        // Update user data if necessary
+        return await service.updateUser(oldUser.userId, newUser, trx);
+      }
+    });
   },
 
   /**
    * @function readIdp
    * Gets an identity provider record
    * @param {string} code The identity provider code
    * @returns {Promise<object>} The result of running the find operation
+   * @throws The error encountered upon db transaction failure
    */
-  readIdp: (code) => {
-    return IdentityProvider.query().findById(code);
+  readIdp: async (code, etrx = undefined) => {
+    let trx;
+    try {
+      trx = etrx ? etrx : await IdentityProvider.startTransaction();
+
+      const response = await IdentityProvider.query(trx).findById(code);
+
+      if (!etrx) await trx.commit();
+      return response;
+    } catch (err) {
+      if (!etrx && trx) await trx.rollback();
+      throw err;
+    }
   },
 
   /**
@@ -222,7 +249,7 @@ const service = {
         trx = etrx ? etrx : await User.startTransaction();
 
         if (data.idp) {
-          const identityProvider = await service.readIdp(data.idp);
+          const identityProvider = await service.readIdp(data.idp, trx);
           if (!identityProvider) await service.createIdp(data.idp, trx);
         }
 

app/tests/unit/services/user.spec.js

@@ -1,6 +1,7 @@
 const { NIL: SYSTEM_USER } = require('uuid');
 
 const { resetModel, trxBuilder } = require('../../common/helper');
+const utils = require('../../../src/db/models/utils');
 const IdentityProvider = require('../../../src/db/models/tables/identityProvider');
 const User = require('../../../src/db/models/tables/user');
 
@@ -23,10 +24,12 @@ jest.mock('../../../src/db/models/tables/user', () => ({
 
   first: jest.fn(),
   findById: jest.fn(),
+  insert: jest.fn(),
   insertAndFetch: jest.fn(),
   modify: jest.fn(),
   patchAndFetchById: jest.fn(),
   query: jest.fn(),
+  returning: jest.fn(),
   select: jest.fn(),
   throwIfNotFound: jest.fn(),
   where: jest.fn(),
@@ -106,20 +109,21 @@ describe('createUser', () => {
   });
 
   it('Creates an idp if no matching idp exists in database', async () => {
+    User.first.mockResolvedValue(undefined);
     readIdpSpy.mockResolvedValue(false);
 
     await service.createUser(user);
 
     expect(readIdpSpy).toHaveBeenCalledTimes(1);
-    expect(readIdpSpy).toHaveBeenCalledWith('idir');
+    expect(readIdpSpy).toHaveBeenCalledWith('idir', userTrx);
     expect(createIdpSpy).toHaveBeenCalledTimes(1);
-    expect(createIdpSpy).toHaveBeenCalledWith('idir', expect.anything());
+    expect(createIdpSpy).toHaveBeenCalledWith('idir', userTrx);
 
     expect(User.startTransaction).toHaveBeenCalledTimes(1);
-    expect(User.query).toHaveBeenCalledTimes(1);
+    expect(User.query).toHaveBeenCalledTimes(2);
     expect(User.query).toHaveBeenCalledWith(expect.anything());
-    expect(User.insertAndFetch).toHaveBeenCalledTimes(1);
-    expect(User.insertAndFetch).toBeCalledWith(
+    expect(User.insert).toHaveBeenCalledTimes(1);
+    expect(User.insert).toBeCalledWith(
       expect.objectContaining({
         ...user,
         userId: expect.any(String)
@@ -129,18 +133,19 @@ describe('createUser', () => {
   });
 
   it('Skips creating an idp if matching idp already exists in database', async () => {
+    User.first.mockResolvedValue(false);
     readIdpSpy.mockReturnValue(true);
+
     await service.createUser(user);
 
     expect(readIdpSpy).toHaveBeenCalledTimes(1);
-    expect(readIdpSpy).toHaveBeenCalledWith('idir');
     expect(createIdpSpy).toHaveBeenCalledTimes(0);
 
     expect(User.startTransaction).toHaveBeenCalledTimes(1);
-    expect(User.query).toHaveBeenCalledTimes(1);
+    expect(User.query).toHaveBeenCalledTimes(2);
     expect(User.query).toHaveBeenCalledWith(expect.anything());
-    expect(User.insertAndFetch).toHaveBeenCalledTimes(1);
-    expect(User.insertAndFetch).toBeCalledWith(
+    expect(User.insert).toHaveBeenCalledTimes(1);
+    expect(User.insert).toBeCalledWith(
       expect.objectContaining({
         ...user,
         userId: expect.any(String)
@@ -159,13 +164,7 @@ describe('createUser', () => {
     expect(User.startTransaction).toHaveBeenCalledTimes(1);
     expect(User.query).toHaveBeenCalledTimes(1);
     expect(User.query).toHaveBeenCalledWith(expect.anything());
-    expect(User.insertAndFetch).toHaveBeenCalledTimes(1);
-    expect(User.insertAndFetch).toBeCalledWith(
-      expect.objectContaining({
-        ...systemUser,
-        userId: expect.any(String)
-      })
-    );
+    expect(User.insert).toHaveBeenCalledTimes(0);
     expect(userTrx.commit).toHaveBeenCalledTimes(1);
   });
 });
@@ -202,64 +201,75 @@ describe('listIdps', () => {
 
 describe('login', () => {
   const createUserSpy = jest.spyOn(service, 'createUser');
-  const updateUserSpy = jest.spyOn(service, 'updateUser');
   const tokenToUserSpy = jest.spyOn(service, '_tokenToUser');
+  const trxWrapperSpy = jest.spyOn(utils, 'trxWrapper');
+  const updateUserSpy = jest.spyOn(service, 'updateUser');
 
   beforeEach(() => {
-    tokenToUserSpy.mockReset();
     createUserSpy.mockReset();
+    tokenToUserSpy.mockReset();
+    trxWrapperSpy.mockReset();
     updateUserSpy.mockReset();
 
     service._tokenToUser = jest.fn().mockReturnValue(user);
   });
 
   afterAll(() => {
-    tokenToUserSpy.mockRestore();
     createUserSpy.mockRestore();
+    tokenToUserSpy.mockRestore();
+    trxWrapperSpy.mockReset();
     updateUserSpy.mockRestore();
   });
 
   it('Adds a new user record', async () => {
     User.first.mockResolvedValue(undefined);
+    createUserSpy.mockResolvedValue(user);
+    trxWrapperSpy.mockImplementation(callback => callback({}));
+
     await service.login(token);
 
     expect(User.query).toHaveBeenCalledTimes(1);
-    expect(User.query).toHaveBeenCalledWith();
+    expect(User.query).toHaveBeenCalledWith(expect.any(Object));
     expect(User.where).toHaveBeenCalledTimes(1);
-    expect(User.where).toHaveBeenCalledWith('identityId', user.identityId);
+    expect(User.where).toHaveBeenCalledWith({ identityId: user.identityId, idp: user.idp });
     expect(User.first).toHaveBeenCalledTimes(1);
     expect(User.first).toHaveBeenCalledWith();
 
     expect(createUserSpy).toHaveBeenCalledTimes(1);
-    expect(createUserSpy).toHaveBeenCalledWith(user);
+    expect(createUserSpy).toHaveBeenCalledWith(user, expect.any(Object));
     expect(updateUserSpy).toHaveBeenCalledTimes(0);
   });
 
   it('Updates an existing user record', async () => {
+    trxWrapperSpy.mockImplementation(callback => callback({}));
     User.first.mockResolvedValue({ ...user, userId: 'a96f2809-d6f4-4cef-a02a-3f72edff06d7' });
+
     await service.login(token);
 
     expect(User.query).toHaveBeenCalledTimes(1);
-    expect(User.query).toHaveBeenCalledWith();
+    expect(User.query).toHaveBeenCalledWith(expect.any(Object));
     expect(User.where).toHaveBeenCalledTimes(1);
-    expect(User.where).toHaveBeenCalledWith('identityId', user.identityId);
+    expect(User.where).toHaveBeenCalledWith({ identityId: user.identityId, idp: user.idp });
     expect(User.first).toHaveBeenCalledTimes(1);
     expect(User.first).toHaveBeenCalledWith();
 
     expect(createUserSpy).toHaveBeenCalledTimes(0);
     expect(updateUserSpy).toHaveBeenCalledTimes(1);
-    expect(updateUserSpy).toHaveBeenCalledWith('a96f2809-d6f4-4cef-a02a-3f72edff06d7', expect.objectContaining(user));
+    expect(updateUserSpy).toHaveBeenCalledWith('a96f2809-d6f4-4cef-a02a-3f72edff06d7', expect.objectContaining(user), expect.any(Object));
   });
 });
 
 describe('readIdp', () => {
-  it('Query identityProvider by code', () => {
-    service.readIdp('idir');
+  it('Query identityProvider by code', async () => {
+    await service.readIdp('idir');
 
+    expect(IdentityProvider.startTransaction).toHaveBeenCalledTimes(1);
+    expect(IdentityProvider.startTransaction).toHaveBeenCalledWith();
     expect(IdentityProvider.query).toHaveBeenCalledTimes(1);
-    expect(IdentityProvider.query).toHaveBeenCalledWith();
+    expect(IdentityProvider.query).toHaveBeenCalledWith(identityProviderTrx);
     expect(IdentityProvider.findById).toHaveBeenCalledTimes(1);
     expect(IdentityProvider.findById).toHaveBeenCalledWith('idir');
+    expect(identityProviderTrx.commit).toHaveBeenCalledTimes(1);
   });
 });