Sample Improvement (Part 2/2)

Author: mckaragoz

samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Program.cs

@@ -17,6 +17,7 @@
 using MudExtensions.Services;
 using Scalar.AspNetCore;
 using CodeBeam.UltimateAuth.Sample.BlazorServer.Infrastructure;
+using CodeBeam.UltimateAuth.Users.Contracts;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -46,6 +47,7 @@
     o.Login.MaxFailedAttempts = 2;
     o.Login.LockoutDuration = TimeSpan.FromSeconds(10);
     o.UserIdentifiers.AllowMultipleUsernames = true;
+    o.LoginIdentifiers.AllowedTypes = new HashSet<UserIdentifierType>() { UserIdentifierType.Username, UserIdentifierType.Email };
 })
     .AddUltimateAuthUsersInMemory()
     .AddUltimateAuthUsersReference()

src/CodeBeam.UltimateAuth.Server/Extensions/ServiceCollectionExtensions.cs

@@ -252,7 +252,7 @@ private static IServiceCollection AddUltimateAuthServerInternal(this IServiceCol
 
         services.Configure<UAuthLoginIdentifierOptions>(opt =>
         {
-            opt.AllowedBuiltIns = new HashSet<UserIdentifierType>
+            opt.AllowedTypes = new HashSet<UserIdentifierType>
             {
                 UserIdentifierType.Username,
                 UserIdentifierType.Email

src/CodeBeam.UltimateAuth.Server/Options/UAuthLoginIdentifierOptions.cs

@@ -3,7 +3,7 @@
 namespace CodeBeam.UltimateAuth.Server.Options;
 public sealed class UAuthLoginIdentifierOptions
 {
-    public ISet<UserIdentifierType> AllowedBuiltIns { get; set; } =
+    public ISet<UserIdentifierType> AllowedTypes { get; set; } =
         new HashSet<UserIdentifierType>
         {
             UserIdentifierType.Username,
@@ -17,12 +17,15 @@ public sealed class UAuthLoginIdentifierOptions
     public bool EnableCustomResolvers { get; set; } = true;
     public bool CustomResolversFirst { get; set; } = true;
 
+    public bool EnforceGlobalUniquenessForAllIdentifiers { get; set; } = false;
+
     internal UAuthLoginIdentifierOptions Clone() => new()
     {
-        AllowedBuiltIns = new HashSet<UserIdentifierType>(AllowedBuiltIns),
+        AllowedTypes = new HashSet<UserIdentifierType>(AllowedTypes),
         RequireVerificationForEmail = RequireVerificationForEmail,
         RequireVerificationForPhone = RequireVerificationForPhone,
         EnableCustomResolvers = EnableCustomResolvers,
         CustomResolversFirst = CustomResolversFirst,
+        EnforceGlobalUniquenessForAllIdentifiers = EnforceGlobalUniquenessForAllIdentifiers
     };
 }

src/users/CodeBeam.UltimateAuth.Users.Reference/Infrastructure/LoginIdentifierResolver.cs

@@ -39,7 +39,7 @@ public LoginIdentifierResolver(
 
         var builtInType = DetectBuiltInType(normalized);
 
-        if (!_options.AllowedBuiltIns.Contains(builtInType))
+        if (!_options.AllowedTypes.Contains(builtInType))
         {
             if (_options.EnableCustomResolvers && !_options.CustomResolversFirst)
                 return await TryCustomAsync(tenant, normalized, ct);
@@ -112,8 +112,7 @@ public LoginIdentifierResolver(
         return null;
     }
 
-    private static string Normalize(string identifier)
-        => identifier.Trim();
+    private static string Normalize(string identifier) => identifier.Trim();
 
     private static UserIdentifierType DetectBuiltInType(string normalized)
     {

src/users/CodeBeam.UltimateAuth.Users.Reference/Services/UserApplicationService.cs

@@ -17,7 +17,7 @@ internal sealed class UserApplicationService : IUserApplicationService
     private readonly IUserProfileStore _profileStore;
     private readonly IUserIdentifierStore _identifierStore;
     private readonly IEnumerable<IUserLifecycleIntegration> _integrations;
-    private readonly UAuthUserIdentifierOptions _identifierOptions;
+    private readonly UAuthServerOptions _options;
     private readonly IClock _clock;
 
     public UserApplicationService(
@@ -34,7 +34,7 @@ public UserApplicationService(
         _profileStore = profileStore;
         _identifierStore = identifierStore;
         _integrations = integrations;
-        _identifierOptions = options.Value.UserIdentifiers;
+        _options = options.Value;
         _clock = clock;
     }
 
@@ -229,6 +229,17 @@ public async Task AddUserIdentifierAsync(AccessContext context, AddUserIdentifie
                 EnsureVerificationRequirements(request.Type, isVerified: false );
             }
 
+            var mustBeUnique = _options.LoginIdentifiers.EnforceGlobalUniquenessForAllIdentifiers ||
+                (request.IsPrimary && _options.LoginIdentifiers.AllowedTypes.Contains(request.Type));
+
+            if (mustBeUnique)
+            {
+                var exists = await _identifierStore.ExistsAsync(context.ResourceTenant, request.Type, request.Value, innerCt);
+
+                if (exists)
+                    throw new UAuthIdentifierConflictException("identifier_already_exists");
+            }
+
             await _identifierStore.CreateAsync(context.ResourceTenant,
                 new UserIdentifier
                 {
@@ -256,14 +267,25 @@ public async Task UpdateUserIdentifierAsync(AccessContext context, UpdateUserIde
 
             EnsureOverrideAllowed(context);
 
-            if (identifier.Type == UserIdentifierType.Username && !_identifierOptions.AllowUsernameChange)
+            if (identifier.Type == UserIdentifierType.Username && !_options.UserIdentifiers.AllowUsernameChange)
             {
                 throw new UAuthIdentifierValidationException("username_change_not_allowed");
             }
 
             if (string.Equals(identifier.Value, request.NewValue, StringComparison.Ordinal))
                 throw new UAuthIdentifierValidationException("identifier_value_unchanged");
 
+            var mustBeUnique = _options.LoginIdentifiers.EnforceGlobalUniquenessForAllIdentifiers ||
+                (identifier.IsPrimary && _options.LoginIdentifiers.AllowedTypes.Contains(identifier.Type));
+
+            if (mustBeUnique)
+            {
+                var existing = await _identifierStore.GetAsync(identifier.Tenant, identifier.Type, request.NewValue, innerCt);
+
+                if (existing is not null && existing.Id != identifier.Id && !existing.IsDeleted)
+                    throw new UAuthIdentifierConflictException("identifier_already_exists");
+            }
+
             await _identifierStore.UpdateValueAsync(identifier.Id, request.NewValue, _clock.UtcNow, innerCt);
         });
 
@@ -282,6 +304,20 @@ public async Task SetPrimaryUserIdentifierAsync(AccessContext context, SetPrimar
 
             EnsureVerificationRequirements(identifier.Type, identifier.IsVerified);
 
+            var identifiers = await _identifierStore.GetByUserAsync(identifier.Tenant, identifier.UserKey, innerCt);
+            var activeIdentifiers = identifiers.Where(i => !i.IsDeleted).ToList();
+
+            if (identifier.IsPrimary)
+                throw new UAuthIdentifierValidationException("identifier_already_primary");
+
+            if (_options.LoginIdentifiers.EnforceGlobalUniquenessForAllIdentifiers)
+            {
+                var exists = await _identifierStore.ExistsAsync(identifier.Tenant, identifier.Type, identifier.Value, innerCt);
+
+                if (exists)
+                    throw new UAuthIdentifierConflictException("identifier_already_exists");
+            }
+
             await _identifierStore.SetPrimaryAsync(request.IdentifierId, innerCt);
         });
 
@@ -303,14 +339,18 @@ public async Task UnsetPrimaryUserIdentifierAsync(AccessContext context, UnsetPr
 
             var identifiers = await _identifierStore.GetByUserAsync(identifier.Tenant, identifier.UserKey, innerCt);
 
-            var otherLoginIdentifiers = identifiers
-                .Where(i => !i.IsDeleted &&
-                            IsLoginIdentifier(i.Type) &&
-                            i.Id != identifier.Id)
-                .ToList();
+            var activeIdentifiers = identifiers.Where(i => !i.IsDeleted).ToList();
+
+            var primaryLoginIdentifiers = activeIdentifiers
+            .Where(i =>
+                i.IsPrimary &&
+                _options.LoginIdentifiers.AllowedTypes.Contains(i.Type))
+            .ToList();
 
-            if (otherLoginIdentifiers.Count == 0)
-                throw new UAuthIdentifierConflictException("cannot_unset_last_primary_login_identifier");
+            if (primaryLoginIdentifiers.Count == 1 && primaryLoginIdentifiers[0].Id == identifier.Id)
+            {
+                throw new UAuthIdentifierConflictException("cannot_unset_last_login_identifier");
+            }
 
             await _identifierStore.UnsetPrimaryAsync(request.IdentifierId, innerCt);
         });
@@ -345,8 +385,7 @@ public async Task DeleteUserIdentifierAsync(AccessContext context, DeleteUserIde
             if (identifier.IsPrimary)
                 throw new UAuthIdentifierValidationException("cannot_delete_primary_identifier");
 
-            if (_identifierOptions.RequireUsernameIdentifier &&
-            identifier.Type == UserIdentifierType.Username)
+            if (_options.UserIdentifiers.RequireUsernameIdentifier && identifier.Type == UserIdentifierType.Username)
             {
                 var activeUsernames = identifiers
                     .Where(i => !i.IsDeleted && i.Type == UserIdentifierType.Username)
@@ -419,35 +458,35 @@ private void EnsureMultipleIdentifierAllowed(UserIdentifierType type, IReadOnlyL
         if (!hasSameType)
             return;
 
-        if (type == UserIdentifierType.Username && !_identifierOptions.AllowMultipleUsernames)
+        if (type == UserIdentifierType.Username && !_options.UserIdentifiers.AllowMultipleUsernames)
             throw new InvalidOperationException("multiple_usernames_not_allowed");
 
-        if (type == UserIdentifierType.Email && !_identifierOptions.AllowMultipleEmail)
+        if (type == UserIdentifierType.Email && !_options.UserIdentifiers.AllowMultipleEmail)
             throw new InvalidOperationException("multiple_emails_not_allowed");
 
-        if (type == UserIdentifierType.Phone && !_identifierOptions.AllowMultiplePhone)
+        if (type == UserIdentifierType.Phone && !_options.UserIdentifiers.AllowMultiplePhone)
             throw new InvalidOperationException("multiple_phones_not_allowed");
     }
 
     private void EnsureVerificationRequirements(UserIdentifierType type, bool isVerified)
     {
-        if (type == UserIdentifierType.Email && _identifierOptions.RequireEmailVerification && !isVerified)
+        if (type == UserIdentifierType.Email && _options.UserIdentifiers.RequireEmailVerification && !isVerified)
         {
             throw new InvalidOperationException("email_verification_required");
         }
 
-        if (type == UserIdentifierType.Phone && _identifierOptions.RequirePhoneVerification && !isVerified)
+        if (type == UserIdentifierType.Phone && _options.UserIdentifiers.RequirePhoneVerification && !isVerified)
         {
             throw new InvalidOperationException("phone_verification_required");
         }
     }
 
     private void EnsureOverrideAllowed(AccessContext context)
     {
-        if (context.IsSelfAction && !_identifierOptions.AllowUserOverride)
+        if (context.IsSelfAction && !_options.UserIdentifiers.AllowUserOverride)
             throw new InvalidOperationException("user_override_not_allowed");
 
-        if (!context.IsSelfAction && !_identifierOptions.AllowAdminOverride)
+        if (!context.IsSelfAction && !_options.UserIdentifiers.AllowAdminOverride)
             throw new InvalidOperationException("admin_override_not_allowed");
     }