fix(auth): publish InteractiveAuthenticationSuccessEvent from authWithoutPassword()

devondragon · devondragon · commit 6132ea698c61 · 2026-02-21T21:24:34.000-07:00
authWithoutPassword() bypassed Spring Security's normal authentication flow and never published InteractiveAuthenticationSuccessEvent. This meant BaseAuthenticationListener never fired (session profiles not populated) and AuthenticationEventListener.onSuccess() never fired (brute-force login attempt counters not reset). - Publish InteractiveAuthenticationSuccessEvent after storing security context in session - Add test verifying event is published on successful auth - Add verify(never) assertions to error-path tests Fixes #260
diff --git a/src/main/java/com/digitalsanctuary/spring/user/service/UserService.java b/src/main/java/com/digitalsanctuary/spring/user/service/UserService.java
@@ -10,6 +10,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -554,6 +555,12 @@ public void authWithoutPassword(User user) {
 		// Store security context in session
 		storeSecurityContextInSession();
 
+		// Publish authentication event for listeners (session profile, brute-force reset)
+		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+		if (authentication != null) {
+			eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authentication, this.getClass()));
+		}
+
 		log.debug("UserService.authWithoutPassword: authenticated user: {}", user.getEmail());
 	}
 
diff --git a/src/test/java/com/digitalsanctuary/spring/user/service/UserServiceTest.java b/src/test/java/com/digitalsanctuary/spring/user/service/UserServiceTest.java
@@ -27,6 +27,8 @@
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.session.SessionInformation;
@@ -477,6 +479,18 @@ void authWithoutPassword_authenticatesValidUser() {
                 SecurityContext securityContext = mock(SecurityContext.class);
                 mockedSecurityHolder.when(SecurityContextHolder::getContext).thenReturn(securityContext);
 
+                // Capture the authentication set on the context and return it on getAuthentication()
+                ArgumentCaptor<Authentication> authCaptor = ArgumentCaptor.forClass(Authentication.class);
+
+                // Use thenAnswer to capture and store the authentication set
+                final Authentication[] storedAuth = new Authentication[1];
+                org.mockito.Mockito.doAnswer(invocation -> {
+                    storedAuth[0] = invocation.getArgument(0);
+                    return null;
+                }).when(securityContext).setAuthentication(any());
+
+                when(securityContext.getAuthentication()).thenAnswer(invocation -> storedAuth[0]);
+
                 // When
                 userService.authWithoutPassword(testUser);
 
@@ -488,6 +502,53 @@ void authWithoutPassword_authenticatesValidUser() {
             }
         }
 
+        @Test
+        @DisplayName("authWithoutPassword - publishes InteractiveAuthenticationSuccessEvent")
+        void shouldPublishInteractiveAuthenticationSuccessEventWhenAuthSucceeds() {
+            // Given
+            DSUserDetails userDetails = new DSUserDetails(testUser);
+            Collection<? extends GrantedAuthority> authorities = Arrays.asList(new SimpleGrantedAuthority("ROLE_USER"));
+
+            when(dsUserDetailsService.loadUserByUsername(testUser.getEmail())).thenReturn(userDetails);
+            when(authorityService.getAuthoritiesFromUser(testUser)).thenReturn((Collection) authorities);
+
+            HttpServletRequest mockRequest = mock(HttpServletRequest.class);
+            HttpSession mockSession = mock(HttpSession.class);
+            ServletRequestAttributes attrs = mock(ServletRequestAttributes.class);
+
+            when(attrs.getRequest()).thenReturn(mockRequest);
+            when(mockRequest.getSession(true)).thenReturn(mockSession);
+
+            try (MockedStatic<RequestContextHolder> mockedHolder = mockStatic(RequestContextHolder.class);
+                    MockedStatic<SecurityContextHolder> mockedSecurityHolder = mockStatic(
+                            SecurityContextHolder.class)) {
+
+                mockedHolder.when(RequestContextHolder::getRequestAttributes).thenReturn(attrs);
+                SecurityContext securityContext = mock(SecurityContext.class);
+                mockedSecurityHolder.when(SecurityContextHolder::getContext).thenReturn(securityContext);
+
+                // Return the authentication that was set
+                final Authentication[] storedAuth = new Authentication[1];
+                org.mockito.Mockito.doAnswer(invocation -> {
+                    storedAuth[0] = invocation.getArgument(0);
+                    return null;
+                }).when(securityContext).setAuthentication(any());
+                when(securityContext.getAuthentication()).thenAnswer(invocation -> storedAuth[0]);
+
+                // When
+                userService.authWithoutPassword(testUser);
+
+                // Then
+                ArgumentCaptor<InteractiveAuthenticationSuccessEvent> eventCaptor =
+                        ArgumentCaptor.forClass(InteractiveAuthenticationSuccessEvent.class);
+                verify(eventPublisher).publishEvent(eventCaptor.capture());
+
+                InteractiveAuthenticationSuccessEvent event = eventCaptor.getValue();
+                assertThat(event).isNotNull();
+                assertThat(event.getAuthentication().getPrincipal()).isEqualTo(userDetails);
+            }
+        }
+
         @Test
         @DisplayName("authWithoutPassword - handles null user")
         void authWithoutPassword_handlesNullUser() {
@@ -497,6 +558,7 @@ void authWithoutPassword_handlesNullUser() {
             // Then
             verify(dsUserDetailsService, never()).loadUserByUsername(any());
             verify(authorityService, never()).getAuthoritiesFromUser(any());
+            verify(eventPublisher, never()).publishEvent(any());
         }
 
         @Test
@@ -511,6 +573,7 @@ void authWithoutPassword_handlesUserWithNullEmail() {
             // Then
             verify(dsUserDetailsService, never()).loadUserByUsername(any());
             verify(authorityService, never()).getAuthoritiesFromUser(any());
+            verify(eventPublisher, never()).publishEvent(any());
         }
 
         @Test
@@ -525,6 +588,7 @@ void authWithoutPassword_handlesUserNotFound() {
 
             // Then
             verify(authorityService, never()).getAuthoritiesFromUser(any());
+            verify(eventPublisher, never()).publishEvent(any());
         }
 
         @Test
