Merge pull request #2724 from hongwei1/obp-develop

feature/addd provider to getResourceUserId  method

Author: simonredfern

obp-api/src/main/scala/code/api/directlogin.scala

@@ -575,9 +575,26 @@ object DirectLogin extends RestHelper with MdcLoggable {
     val username = directLoginParameters.getOrElse("username", "")
     val password = directLoginParameters.getOrElse("password", "")
 
-    //we first try to get the userId from local, if not find, we try to get it from external 
-    AuthUser.getResourceUserId(username, password)
-        .or(AuthUser.externalUserHelper(username, password).map(_.user.get))
+    logger.debug(s"getUserId: attempting authentication for username: $username")
+    
+    // Try local provider first
+    val localResult = AuthUser.getResourceUserId(username, password, Constant.localIdentityProvider)
+    localResult match {
+      case Full(userId) =>
+        logger.debug(s"getUserId: local authentication succeeded for username: $username, userId: $userId")
+        localResult
+      case _ =>
+        logger.debug(s"getUserId: local authentication failed for username: $username, trying external provider")
+        // Try external provider as fallback
+        val externalResult = AuthUser.getResourceUserId(username, password, s"External")
+        externalResult match {
+          case Full(userId) =>
+            logger.debug(s"getUserId: external authentication succeeded for username: $username, userId: $userId")
+          case _ =>
+            logger.debug(s"getUserId: external authentication also failed for username: $username")
+        }
+        externalResult
+    }
   }
 
 

obp-api/src/main/scala/code/api/util/Glossary.scala

@@ -5237,7 +5237,7 @@ object Glossary extends MdcLoggable  {
 				 |
 				 |1. **Check only** — validates credentials and returns user info, but does not create a session or token
 				 |2. **Requires an already-authenticated caller** with `canVerifyUserCredentials` role (or SuperAdmin)
-				 |3. **May auto-provision users** — if the local lookup fails and the external fallback via `externalUserHelper()` / `checkExternalUserViaConnector()` succeeds, a new AuthUser and ResourceUser will be created locally (same behaviour as the web login flow)
+				 |3. **May auto-provision users** — if the local lookup fails and the external fallback via `checkExternalUserViaConnector()` succeeds, a new AuthUser and ResourceUser will be created locally (same behaviour as the web login flow)
 				 |4. **Provider matching** — optionally verifies the user's provider matches what was posted (skipped if provider is empty)
 				 |
 				 |### Key Source Files

obp-api/src/main/scala/code/api/v6_0_0/APIMethods600.scala

@@ -8772,39 +8772,17 @@ trait APIMethods600 {
             decodedProvider = URLDecoder.decode(postedData.provider, StandardCharsets.UTF_8)
             // Validate credentials using the existing AuthUser mechanism
 
-            resourceUserIdBox =
-              if (decodedProvider == Constant.localIdentityProvider || decodedProvider.isEmpty) {
-                // Local provider: only check local credentials. No external fallback.
-                val result = code.model.dataAccess.AuthUser.getResourceUserId(
-                  postedData.username, postedData.password, Constant.localIdentityProvider
-                )
-                logger.info(s"verifyUserCredentials says: local getResourceUserId result: $result")
-                result
-              } else {
-                // External provider: validate via connector. Local DB stores a random UUID
-                // as password for external users, so getResourceUserId would always fail.
-                if (LoginAttempt.userIsLocked(decodedProvider, postedData.username)) {
-                  logger.info(s"verifyUserCredentials says: external user is locked, provider: ${decodedProvider}, username: ${postedData.username}")
-                  Full(code.model.dataAccess.AuthUser.usernameLockedStateCode)
-                } else {
-                  val connectorResult = code.model.dataAccess.AuthUser.externalUserHelper(
-                    postedData.username, postedData.password
-                  ).map(_.user.get)
-                  logger.info(s"verifyUserCredentials says: externalUserHelper result: $connectorResult")
-                  connectorResult match {
-                    case Full(_) =>
-                      LoginAttempt.resetBadLoginAttempts(decodedProvider, postedData.username)
-                      connectorResult
-                    case _ =>
-                      LoginAttempt.incrementBadLoginAttempts(decodedProvider, postedData.username)
-                      connectorResult
-                  }
-                }
-              }
+            resourceUserIdBox = code.model.dataAccess.AuthUser.getResourceUserId(
+              postedData.username, postedData.password, decodedProvider
+            )
             // Check if account is locked
             _ <- Helper.booleanToFuture(UsernameHasBeenLocked, 401, callContext) {
               resourceUserIdBox != Full(code.model.dataAccess.AuthUser.usernameLockedStateCode)
             }
+            // Check if email is validated
+            _ <- Helper.booleanToFuture(UserEmailNotValidated, 401, callContext) {
+              resourceUserIdBox != Full(code.model.dataAccess.AuthUser.userEmailNotValidatedStateCode)
+            }
             // Check if credentials are valid
             resourceUserId <- Future {
               resourceUserIdBox