feat: enhance authentication logic to throw specific exceptions for login failures

aspirantzhang · aspirantzhang · commit 63ed7e076d5a · 2025-03-24T13:52:55.000+08:00
diff --git a/contexts/Authorization/Application/Coordinators/AuthenticationCoordinator.php b/contexts/Authorization/Application/Coordinators/AuthenticationCoordinator.php
@@ -31,7 +31,7 @@ public function __construct(
 
     public function login(LoginDTO $dto)
     {
-        $user = $this->userRepository->getByEmail($dto->email);
+        $user = $this->userRepository->getByEmailOrThrowAuthFailure($dto->email);
         $user->authenticate($dto->password);
 
         $token = $this->userRepository->generateLoginToken($user);
diff --git a/contexts/Authorization/Domain/Repositories/UserRepository.php b/contexts/Authorization/Domain/Repositories/UserRepository.php
@@ -24,7 +24,7 @@ public function changePassword(UserIdentity $user): void;
 
     public function existsByEmail(string $email): bool;
 
-    public function getByEmail(string $email): UserIdentity;
+    public function getByEmailOrThrowAuthFailure(string $email): UserIdentity;
 
     public function generateLoginToken(UserIdentity $user): string;
 }
diff --git a/contexts/Authorization/Domain/UserIdentity/Exceptions/AuthenticationFailureException.php b/contexts/Authorization/Domain/UserIdentity/Exceptions/AuthenticationFailureException.php
@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Contexts\Authorization\Domain\UserIdentity\Exceptions;
+
+use App\Exceptions\BizException;
+
+class AuthenticationFailureException extends BizException
+{
+    public static function make(string $message = ''): self
+    {
+        $message = $message ?: 'Invalid login credentials or account access restricted';
+        return (new static($message))->code(401);
+    }
+}
diff --git a/contexts/Authorization/Domain/UserIdentity/Models/UserIdentity.php b/contexts/Authorization/Domain/UserIdentity/Models/UserIdentity.php
@@ -4,14 +4,14 @@
 
 namespace Contexts\Authorization\Domain\UserIdentity\Models;
 
-use App\Exceptions\BizException;
 use Carbon\CarbonImmutable;
 use Contexts\Authorization\Domain\Role\Models\RoleId;
 use Contexts\Authorization\Domain\UserIdentity\Events\PasswordChangedEvent;
 use Contexts\Authorization\Domain\UserIdentity\Events\RoleAssignedEvent;
 use Contexts\Authorization\Domain\UserIdentity\Events\RoleRemovedEvent;
 use Contexts\Shared\Domain\BaseDomainModel;
 use Contexts\Authorization\Domain\UserIdentity\Events\UserAuthenticatedEvent;
+use Contexts\Authorization\Domain\UserIdentity\Exceptions\AuthenticationFailureException;
 
 class UserIdentity extends BaseDomainModel
 {
@@ -55,15 +55,13 @@ public function syncRoles(RoleIdCollection $newRoles): void
     public function authenticate(string $plainTextPassword): void
     {
         if ($this->status->isActive() === false) {
-            throw BizException::make('Invalid login credentials or account access restricted')
-                ->code(401)
+            throw AuthenticationFailureException::make()
                 ->logMessage('User account is not active')
                 ->logContext($this->getUserSummary());
         }
 
         if (! $this->password->verify($plainTextPassword)) {
-            throw BizException::make('Invalid login credentials or account access restricted')
-                ->code(401)
+            throw AuthenticationFailureException::make()
                 ->logMessage('Invalid password')
                 ->logContext($this->getUserSummary());
         }
diff --git a/contexts/Authorization/Infrastructure/Persistence/UserPersistence.php b/contexts/Authorization/Infrastructure/Persistence/UserPersistence.php
@@ -13,6 +13,7 @@
 use Contexts\Authorization\Infrastructure\Records\UserRecord;
 use Illuminate\Contracts\Pagination\LengthAwarePaginator;
 use Illuminate\Database\Eloquent\ModelNotFoundException;
+use Contexts\Authorization\Domain\UserIdentity\Exceptions\AuthenticationFailureException;
 
 class UserPersistence implements UserRepository
 {
@@ -102,16 +103,28 @@ public function existsByEmail(string $email): bool
         return UserRecord::where('email', $email)->exists();
     }
 
-    public function getByEmail(string $email): UserIdentity
+    public function getByEmailOrThrowAuthFailure(string $email): UserIdentity
     {
-        $record = UserRecord::where('email', $email)->firstOrFail();
+        try {
+            $record = UserRecord::where('email', $email)->firstOrFail();
+        } catch (ModelNotFoundException $e) {
+            throw AuthenticationFailureException::make()
+                ->logMessage('User not found')
+                ->logContext(['email' => $email]);
+        }
 
         return $record->toDomain();
     }
 
     public function generateLoginToken(UserIdentity $user): string
     {
-        $record = UserRecord::findOrFail($user->getId()->getValue());
+        try {
+            $record = UserRecord::findOrFail($user->getId()->getValue());
+        } catch (ModelNotFoundException $e) {
+            throw AuthenticationFailureException::make()
+                ->logMessage('User not found')
+                ->logContext(['user_id' => $user->getId()->getValue()]);
+        }
 
         return $record->createToken('login', ['*'], now()->addDay())->plainTextToken;
     }
diff --git a/contexts/Authorization/Tests/Feature/AuthenticationTest.php b/contexts/Authorization/Tests/Feature/AuthenticationTest.php
@@ -73,8 +73,8 @@
         'password' => 'password',
     ]);
 
-    $response->assertStatus(404);
-    // $response->assertJson([
-    //     'message' => 'Invalid login credentials or account access restricted',
-    // ]);
+    $response->assertStatus(401);
+    $response->assertJson([
+        'message' => 'Invalid login credentials or account access restricted',
+    ]);
 });
diff --git a/contexts/Authorization/Tests/Feature/Infrastructure/Persistence/UserPersistenceTest.php b/contexts/Authorization/Tests/Feature/Infrastructure/Persistence/UserPersistenceTest.php
@@ -16,6 +16,7 @@
 use Contexts\Authorization\Infrastructure\Records\RoleRecord;
 use Contexts\Authorization\Infrastructure\Records\UserRecord;
 use Illuminate\Database\Eloquent\ModelNotFoundException;
+use Contexts\Authorization\Domain\UserIdentity\Exceptions\AuthenticationFailureException;
 
 beforeEach(function () {
     $this->userLabelUniquenessService = mock(UserEmailUniquenessService::class);
@@ -463,7 +464,7 @@
     $savedUser = $userPersistence->create($createdUser);
 
     // Retrieve the user using getByEmail
-    $retrievedUser = $userPersistence->getByEmail('retrieve-by-email@example.com');
+    $retrievedUser = $userPersistence->getByEmailOrThrowAuthFailure('retrieve-by-email@example.com');
 
     // Assert the retrieved user matches the created one
     expect($retrievedUser->getId()->getValue())->toBe($savedUser->getId()->getValue());
@@ -472,12 +473,12 @@
     expect($retrievedUser->getPassword()->verify('password123'))->toBeTrue();
 });
 
-it('throws an exception when retrieving a user with non-existent email', function () {
+it('throws an auth failure exception when retrieving a user with non-existent email', function () {
     $userPersistence = new UserPersistence();
 
     // Attempt to retrieve a non-existent user by email
-    $userPersistence->getByEmail('nonexistent-email@example.com');
-})->throws(ModelNotFoundException::class);
+    $userPersistence->getByEmailOrThrowAuthFailure('nonexistent-email@example.com');
+})->throws(AuthenticationFailureException::class);
 
 it('can generate a login token for a user', function () {
     // Create a test user
@@ -511,4 +512,4 @@
 
     // Attempt to generate a token for a non-existent user
     $userPersistence->generateLoginToken($nonExistentUser);
-})->throws(ModelNotFoundException::class);
+})->throws(AuthenticationFailureException::class);
diff --git a/contexts/Authorization/Tests/Unit/Domain/UserIdentity/Models/UserIdentityTest.php b/contexts/Authorization/Tests/Unit/Domain/UserIdentity/Models/UserIdentityTest.php
@@ -16,6 +16,7 @@
 use Contexts\Authorization\Domain\UserIdentity\Models\UserId;
 use Contexts\Authorization\Domain\UserIdentity\Models\UserIdentity;
 use Contexts\Authorization\Domain\UserIdentity\Models\UserStatus;
+use Contexts\Authorization\Domain\UserIdentity\Exceptions\AuthenticationFailureException;
 
 beforeEach(function () {
     $this->email = new Email('test@example.com');
@@ -576,11 +577,11 @@
     $exception = null;
     try {
         $user->authenticate($this->plainPassword);
-    } catch (BizException $e) {
+    } catch (AuthenticationFailureException $e) {
         $exception = $e;
     }
 
-    expect($exception)->toBeInstanceOf(BizException::class);
+    expect($exception)->toBeInstanceOf(AuthenticationFailureException::class);
     expect($exception->getMessage())->toBe('Invalid login credentials or account access restricted');
 });
 
@@ -599,7 +600,7 @@
         $exception = $e;
     }
 
-    expect($exception)->toBeInstanceOf(BizException::class);
+    expect($exception)->toBeInstanceOf(AuthenticationFailureException::class);
     expect($exception->getMessage())->toBe('Invalid login credentials or account access restricted');
 });
 

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ public function __construct(`
`31`	`31`
`32`	`32`	`public function login(LoginDTO $dto)`
`33`	`33`	`{`
`34`		`- $user = $this->userRepository->getByEmail($dto->email);`
	`34`	`+ $user = $this->userRepository->getByEmailOrThrowAuthFailure($dto->email);`
`35`	`35`	`$user->authenticate($dto->password);`
`36`	`36`
`37`	`37`	`$token = $this->userRepository->generateLoginToken($user);`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ public function changePassword(UserIdentity $user): void;`
`24`	`24`
`25`	`25`	`public function existsByEmail(string $email): bool;`
`26`	`26`
`27`		`- public function getByEmail(string $email): UserIdentity;`
	`27`	`+ public function getByEmailOrThrowAuthFailure(string $email): UserIdentity;`
`28`	`28`
`29`	`29`	`public function generateLoginToken(UserIdentity $user): string;`
`30`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@`
`13`	`13`	`use Contexts\Authorization\Infrastructure\Records\UserRecord;`
`14`	`14`	`use Illuminate\Contracts\Pagination\LengthAwarePaginator;`
`15`	`15`	`use Illuminate\Database\Eloquent\ModelNotFoundException;`
	`16`	`+use Contexts\Authorization\Domain\UserIdentity\Exceptions\AuthenticationFailureException;`
`16`	`17`
`17`	`18`	`class UserPersistence implements UserRepository`
`18`	`19`	`{`
`@@ -102,16 +103,28 @@ public function existsByEmail(string $email): bool`
`102`	`103`	`return UserRecord::where('email', $email)->exists();`
`103`	`104`	`}`
`104`	`105`
`105`		`- public function getByEmail(string $email): UserIdentity`
	`106`	`+ public function getByEmailOrThrowAuthFailure(string $email): UserIdentity`
`106`	`107`	`{`
`107`		`- $record = UserRecord::where('email', $email)->firstOrFail();`
	`108`	`+ try {`
	`109`	`+ $record = UserRecord::where('email', $email)->firstOrFail();`
	`110`	`+ } catch (ModelNotFoundException $e) {`
	`111`	`+ throw AuthenticationFailureException::make()`
	`112`	`+ ->logMessage('User not found')`
	`113`	`+ ->logContext(['email' => $email]);`
	`114`	`+ }`
`108`	`115`
`109`	`116`	`return $record->toDomain();`
`110`	`117`	`}`
`111`	`118`
`112`	`119`	`public function generateLoginToken(UserIdentity $user): string`
`113`	`120`	`{`
`114`		`- $record = UserRecord::findOrFail($user->getId()->getValue());`
	`121`	`+ try {`
	`122`	`+ $record = UserRecord::findOrFail($user->getId()->getValue());`
	`123`	`+ } catch (ModelNotFoundException $e) {`
	`124`	`+ throw AuthenticationFailureException::make()`
	`125`	`+ ->logMessage('User not found')`
	`126`	`+ ->logContext(['user_id' => $user->getId()->getValue()]);`
	`127`	`+ }`
`115`	`128`
`116`	`129`	`return $record->createToken('login', ['*'], now()->addDay())->plainTextToken;`
`117`	`130`	`}`