fix: address PR #285 review feedback

devondragon · devondragon · commit 7c372cfbf26c · 2026-03-22T15:12:58.000-06:00
- DSUserDetails.getAttributes(): return Collections.unmodifiableMap so callers cannot mutate the internal map, preventing hard-to-debug security issues - buildFallbackAttributes(): build 'name' claim without calling getFullName() to avoid "Test null" / "null User" values when only one name part is set; now safely skips missing parts and only adds the claim when non-empty - DSUserDetailsTest: add @ExtendWith(MockitoExtension.class) per project conventions; add tests for first-name-only, last-name-only, and unmodifiable-map scenarios - LoginHelperServiceTest: replace raw (Collection) cast with typed field declaration (Collection<? extends GrantedAuthority>) and doReturn() stubs to eliminate unchecked warnings - DSOAuth2UserServiceTest / DSOidcUserServiceTest: replace raw any(Map.class) matchers with typed ArgumentMatchers.<Map<String,Object>>any()
diff --git a/src/main/java/com/digitalsanctuary/spring/user/service/DSUserDetails.java b/src/main/java/com/digitalsanctuary/spring/user/service/DSUserDetails.java
@@ -2,6 +2,7 @@
 
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import org.springframework.security.core.GrantedAuthority;
@@ -160,8 +161,18 @@ private static Map<String, Object> buildFallbackAttributes(User user) {
 		if (user.getLastName() != null) {
 			attrs.put("family_name", user.getLastName());
 		}
-		if (user.getFirstName() != null || user.getLastName() != null) {
-			attrs.put("name", user.getFullName());
+		StringBuilder name = new StringBuilder();
+		if (user.getFirstName() != null && !user.getFirstName().trim().isEmpty()) {
+			name.append(user.getFirstName().trim());
+		}
+		if (user.getLastName() != null && !user.getLastName().trim().isEmpty()) {
+			if (name.length() > 0) {
+				name.append(' ');
+			}
+			name.append(user.getLastName().trim());
+		}
+		if (name.length() > 0) {
+			attrs.put("name", name.toString());
 		}
 		return attrs;
 	}
@@ -247,7 +258,7 @@ public User getUser() {
 
 	@Override
 	public Map<String, Object> getAttributes() {
-		return attributes;
+		return Collections.unmodifiableMap(attributes);
 	}
 
 	@Override
diff --git a/src/test/java/com/digitalsanctuary/spring/user/service/DSOAuth2UserServiceTest.java b/src/test/java/com/digitalsanctuary/spring/user/service/DSOAuth2UserServiceTest.java
@@ -5,6 +5,8 @@
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.ArgumentMatchers.eq;
+import org.mockito.ArgumentMatchers;
+
 import static org.mockito.Mockito.*;
 
 import java.util.Arrays;
@@ -416,7 +418,7 @@ void shouldLoadUserThroughOAuth2RequestFlow() {
             when(spyService.defaultOAuth2UserService.loadUser(userRequest)).thenReturn(googleUser);
             
             DSUserDetails mockUserDetails = mock(DSUserDetails.class);
-            when(loginHelperService.userLoginHelper(any(User.class), any(Map.class))).thenReturn(mockUserDetails);
+            when(loginHelperService.userLoginHelper(any(User.class), ArgumentMatchers.<Map<String, Object>>any())).thenReturn(mockUserDetails);
             when(userRepository.findByEmail("loadtest@gmail.com")).thenReturn(null);
             when(userRepository.save(any(User.class))).thenAnswer(invocation -> invocation.getArgument(0));
 
@@ -425,7 +427,7 @@ void shouldLoadUserThroughOAuth2RequestFlow() {
 
             // Then
             assertThat(result).isEqualTo(mockUserDetails);
-            verify(loginHelperService).userLoginHelper(any(User.class), any(Map.class));
+            verify(loginHelperService).userLoginHelper(any(User.class), ArgumentMatchers.<Map<String, Object>>any());
             verify(userRepository).save(any(User.class));
         }
     }
diff --git a/src/test/java/com/digitalsanctuary/spring/user/service/DSOidcUserServiceTest.java b/src/test/java/com/digitalsanctuary/spring/user/service/DSOidcUserServiceTest.java
@@ -4,6 +4,7 @@
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.*;
+import org.mockito.ArgumentMatchers;
 
 import java.util.Arrays;
 import java.util.List;
@@ -373,7 +374,7 @@ void shouldLoadUserThroughOidcRequestFlow() {
                 user.setId(999L);
                 return user;
             });
-            when(loginHelperService.userLoginHelper(any(User.class), any(OidcUserInfo.class), any(OidcIdToken.class), any(Map.class)))
+            when(loginHelperService.userLoginHelper(any(User.class), any(OidcUserInfo.class), any(OidcIdToken.class), ArgumentMatchers.<Map<String, Object>>any()))
                     .thenAnswer(invocation -> {
                         User user = invocation.getArgument(0);
                         OidcUserInfo oidcUserInfo = invocation.getArgument(1);
@@ -396,7 +397,7 @@ void shouldLoadUserThroughOidcRequestFlow() {
             assertThat(dsUserDetails.getAttributes()).isNotEmpty();
 
             verify(userRepository).save(any(User.class));
-            verify(loginHelperService).userLoginHelper(any(User.class), any(OidcUserInfo.class), any(OidcIdToken.class), any(Map.class));
+            verify(loginHelperService).userLoginHelper(any(User.class), any(OidcUserInfo.class), any(OidcIdToken.class), ArgumentMatchers.<Map<String, Object>>any());
         }
 
         @Test
diff --git a/src/test/java/com/digitalsanctuary/spring/user/service/DSUserDetailsTest.java b/src/test/java/com/digitalsanctuary/spring/user/service/DSUserDetailsTest.java
@@ -11,6 +11,8 @@
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.core.oidc.OidcIdToken;
 import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
@@ -23,6 +25,7 @@
  * <p>Verifies that {@code getAttributes()} satisfies the {@code OAuth2User} contract across all
  * constructor paths: OAuth2, OIDC, and local/password login.</p>
  */
+@ExtendWith(MockitoExtension.class)
 @DisplayName("DSUserDetails Tests")
 class DSUserDetailsTest {
 
@@ -83,6 +86,44 @@ void shouldReturnEmptyMapForMinimalUser() {
             assertThat(details.getAttributes()).isEmpty();
         }
 
+        @Test
+        @DisplayName("Should build name from first name only without 'null' suffix")
+        void shouldBuildNameFromFirstNameOnly() {
+            User user = new User();
+            user.setFirstName("Test");
+
+            DSUserDetails details = new DSUserDetails(user);
+
+            assertThat(details.getAttributes()).containsEntry("given_name", "Test");
+            assertThat(details.getAttributes()).containsEntry("name", "Test");
+            assertThat((String) details.getAttributes().get("name")).doesNotContain("null");
+        }
+
+        @Test
+        @DisplayName("Should build name from last name only without 'null' prefix")
+        void shouldBuildNameFromLastNameOnly() {
+            User user = new User();
+            user.setLastName("User");
+
+            DSUserDetails details = new DSUserDetails(user);
+
+            assertThat(details.getAttributes()).containsEntry("family_name", "User");
+            assertThat(details.getAttributes()).containsEntry("name", "User");
+            assertThat((String) details.getAttributes().get("name")).doesNotContain("null");
+        }
+
+        @Test
+        @DisplayName("Should return an unmodifiable map from getAttributes()")
+        void shouldReturnUnmodifiableAttributes() {
+            Map<String, Object> providerAttrs = new HashMap<>();
+            providerAttrs.put("email", "test@example.com");
+
+            DSUserDetails details = new DSUserDetails(testUser,
+                    List.of(new SimpleGrantedAuthority("ROLE_USER")), providerAttrs);
+
+            assertThat(details.getAttributes()).isUnmodifiable();
+        }
+
         @Test
         @DisplayName("getAttribute('email') should return email for OAuth2 user")
         void shouldSupportGetAttributePattern() {
diff --git a/src/test/java/com/digitalsanctuary/spring/user/service/LoginHelperServiceTest.java b/src/test/java/com/digitalsanctuary/spring/user/service/LoginHelperServiceTest.java
@@ -2,6 +2,7 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import java.time.Instant;
@@ -96,7 +97,7 @@ void shouldUpdateLastActivityDate() {
             // Given
             Date beforeLogin = testUser.getLastActivityDate();
             when(loginAttemptService.checkIfUserShouldBeUnlocked(any(User.class))).thenAnswer(invocation -> invocation.getArgument(0));
-            when(authorityService.getAuthoritiesFromUser(testUser)).thenReturn((Collection) testAuthorities);
+            doReturn(testAuthorities).when(authorityService).getAuthoritiesFromUser(testUser);
 
             // When
             DSUserDetails result = loginHelperService.userLoginHelper(testUser);
@@ -122,7 +123,7 @@ void shouldCheckUserUnlockStatus() {
             unlockedUser.setLockedDate(null);
 
             when(loginAttemptService.checkIfUserShouldBeUnlocked(testUser)).thenReturn(unlockedUser);
-            when(authorityService.getAuthoritiesFromUser(unlockedUser)).thenReturn((Collection) testAuthorities);
+            doReturn(testAuthorities).when(authorityService).getAuthoritiesFromUser(unlockedUser);
 
             // When
             DSUserDetails result = loginHelperService.userLoginHelper(testUser);
@@ -138,7 +139,7 @@ void shouldCheckUserUnlockStatus() {
         void shouldCreateUserDetailsWithAuthorities() {
             // Given
             when(loginAttemptService.checkIfUserShouldBeUnlocked(testUser)).thenReturn(testUser);
-            when(authorityService.getAuthoritiesFromUser(testUser)).thenReturn((Collection) testAuthorities);
+            doReturn(testAuthorities).when(authorityService).getAuthoritiesFromUser(testUser);
 
             // When
             DSUserDetails result = loginHelperService.userLoginHelper(testUser);
@@ -178,7 +179,7 @@ void shouldHandleLockedUserThatRemainsLocked() {
             testUser.setLockedDate(lockedDate);
 
             when(loginAttemptService.checkIfUserShouldBeUnlocked(testUser)).thenReturn(testUser); // User remains locked
-            when(authorityService.getAuthoritiesFromUser(testUser)).thenReturn((Collection) testAuthorities);
+            doReturn(testAuthorities).when(authorityService).getAuthoritiesFromUser(testUser);
 
             // When
             DSUserDetails result = loginHelperService.userLoginHelper(testUser);
@@ -196,7 +197,7 @@ void shouldHandleDisabledUser() {
             // Given
             testUser.setEnabled(false);
             when(loginAttemptService.checkIfUserShouldBeUnlocked(testUser)).thenReturn(testUser);
-            when(authorityService.getAuthoritiesFromUser(testUser)).thenReturn((Collection) testAuthorities);
+            doReturn(testAuthorities).when(authorityService).getAuthoritiesFromUser(testUser);
 
             // When
             DSUserDetails result = loginHelperService.userLoginHelper(testUser);
@@ -217,7 +218,7 @@ void shouldPreserveUserStateDuringProcess() {
             // Note: imageUrl and usingMfa fields don't exist in User class
 
             when(loginAttemptService.checkIfUserShouldBeUnlocked(testUser)).thenReturn(testUser);
-            when(authorityService.getAuthoritiesFromUser(testUser)).thenReturn((Collection) testAuthorities);
+            doReturn(testAuthorities).when(authorityService).getAuthoritiesFromUser(testUser);
 
             // When
             DSUserDetails result = loginHelperService.userLoginHelper(testUser);
@@ -253,7 +254,7 @@ void shouldAutomaticallyUnlockUserAfterDuration() {
             unlockedUser.setEnabled(true);
 
             when(loginAttemptService.checkIfUserShouldBeUnlocked(testUser)).thenReturn(unlockedUser);
-            when(authorityService.getAuthoritiesFromUser(unlockedUser)).thenReturn((Collection) testAuthorities);
+            doReturn(testAuthorities).when(authorityService).getAuthoritiesFromUser(unlockedUser);
 
             // When
             DSUserDetails result = loginHelperService.userLoginHelper(testUser);
@@ -271,7 +272,7 @@ void shouldTrackTimingOfLastActivityUpdate() {
             // Given
             Date testStartTime = new Date();
             when(loginAttemptService.checkIfUserShouldBeUnlocked(testUser)).thenReturn(testUser);
-            when(authorityService.getAuthoritiesFromUser(testUser)).thenReturn((Collection) testAuthorities);
+            doReturn(testAuthorities).when(authorityService).getAuthoritiesFromUser(testUser);
 
             // When
             DSUserDetails result = loginHelperService.userLoginHelper(testUser);
@@ -359,7 +360,7 @@ void shouldCreateCompleteUserDetails() {
             testUser.setLastName("User");
 
             when(loginAttemptService.checkIfUserShouldBeUnlocked(testUser)).thenReturn(testUser);
-            when(authorityService.getAuthoritiesFromUser(testUser)).thenReturn((Collection) testAuthorities);
+            doReturn(testAuthorities).when(authorityService).getAuthoritiesFromUser(testUser);
 
             // When
             DSUserDetails result = loginHelperService.userLoginHelper(testUser);
@@ -383,7 +384,7 @@ void shouldHandleOAuth2User() {
             testUser.setPassword(null); // OAuth2 users don't have passwords
 
             when(loginAttemptService.checkIfUserShouldBeUnlocked(testUser)).thenReturn(testUser);
-            when(authorityService.getAuthoritiesFromUser(testUser)).thenReturn((Collection) testAuthorities);
+            doReturn(testAuthorities).when(authorityService).getAuthoritiesFromUser(testUser);
 
             // When
             DSUserDetails result = loginHelperService.userLoginHelper(testUser);
@@ -407,7 +408,7 @@ void shouldHandleNullLastActivityDate() {
             testUser.setLastActivityDate(null);
 
             when(loginAttemptService.checkIfUserShouldBeUnlocked(testUser)).thenReturn(testUser);
-            when(authorityService.getAuthoritiesFromUser(testUser)).thenReturn((Collection) testAuthorities);
+            doReturn(testAuthorities).when(authorityService).getAuthoritiesFromUser(testUser);
 
             // When
             DSUserDetails result = loginHelperService.userLoginHelper(testUser);
@@ -422,7 +423,7 @@ void shouldHandleNullLastActivityDate() {
         void shouldHandleRapidSuccessiveLogins() {
             // Given
             when(loginAttemptService.checkIfUserShouldBeUnlocked(testUser)).thenReturn(testUser);
-            when(authorityService.getAuthoritiesFromUser(testUser)).thenReturn((Collection) testAuthorities);
+            doReturn(testAuthorities).when(authorityService).getAuthoritiesFromUser(testUser);
 
             // When - Simulate rapid successive logins
             DSUserDetails result1 = loginHelperService.userLoginHelper(testUser);
@@ -459,7 +460,7 @@ void shouldPassOAuth2AttributesToDSUserDetails() {
             providerAttrs.put("picture", "https://example.com/photo.jpg");
 
             when(loginAttemptService.checkIfUserShouldBeUnlocked(testUser)).thenReturn(testUser);
-            when(authorityService.getAuthoritiesFromUser(testUser)).thenReturn((Collection) testAuthorities);
+            doReturn(testAuthorities).when(authorityService).getAuthoritiesFromUser(testUser);
 
             // When
             DSUserDetails result = loginHelperService.userLoginHelper(testUser, providerAttrs);
@@ -477,7 +478,7 @@ void shouldPassOAuth2AttributesToDSUserDetails() {
         void shouldFallBackWhenOAuth2AttributesNull() {
             // Given
             when(loginAttemptService.checkIfUserShouldBeUnlocked(testUser)).thenReturn(testUser);
-            when(authorityService.getAuthoritiesFromUser(testUser)).thenReturn((Collection) testAuthorities);
+            doReturn(testAuthorities).when(authorityService).getAuthoritiesFromUser(testUser);
 
             // When
             DSUserDetails result = loginHelperService.userLoginHelper(testUser);
@@ -503,7 +504,7 @@ void shouldPassOidcAttributesToDSUserDetails() {
             providerAttrs.put("extra_claim", "extra_value");
 
             when(loginAttemptService.checkIfUserShouldBeUnlocked(testUser)).thenReturn(testUser);
-            when(authorityService.getAuthoritiesFromUser(testUser)).thenReturn((Collection) testAuthorities);
+            doReturn(testAuthorities).when(authorityService).getAuthoritiesFromUser(testUser);
 
             // When
             DSUserDetails result = loginHelperService.userLoginHelper(testUser, userInfo, idToken, providerAttrs);
@@ -528,7 +529,7 @@ void shouldFallBackToIdTokenClaimsWhenOidcAttributesNull() {
             OidcUserInfo userInfo = new OidcUserInfo(Map.of("sub", "oidc-sub-123"));
 
             when(loginAttemptService.checkIfUserShouldBeUnlocked(testUser)).thenReturn(testUser);
-            when(authorityService.getAuthoritiesFromUser(testUser)).thenReturn((Collection) testAuthorities);
+            doReturn(testAuthorities).when(authorityService).getAuthoritiesFromUser(testUser);
 
             // When
             DSUserDetails result = loginHelperService.userLoginHelper(testUser, userInfo, idToken);
