Authentication by phone number or email

maksaimer · November 2, 2021, 3:29pm

We have a new type of user “CompanyUser” class extends the “User” class. There are two additional fields email and phone number. Now we want to authorise an user by two this fields. How can I customize an user search by username when we do authentication via rest api? As I understood now it works by the username field in the User class.

gorbunkov · November 12, 2021, 12:33pm

Hi,
Could you please explain your task - do you want to pass either email or phone number in the access token request instead of the username? And then you want to search for users that have the passed value in any of the database columns (EMAIL or PHONE_NUMBER), right?

maksaimer · November 12, 2021, 1:22pm

Yes, I have two three columns USERNAME (standard), EMAIL and PHONE_NUMBER (custom).

gorbunkov · November 16, 2021, 12:49pm

You may try changing the DatabaseUserRepository.loadUserByUsername method.
The method will first try to find the user by username, then by email.

The method may look like this:

    @Override
    public User loadUserByUsername(String username) throws UsernameNotFoundException {
        String actualUsername = username;
        List<User> users = dataManager.load(getUserClass())
                .query("where e.username = :username")
                .parameter("username", username)
                .list();

        //try to find the user by email
        if (users.isEmpty()) {
            users = dataManager.load(getUserClass())
                    .query("where e.email = :email")
                    .parameter("email", username)
                    .list();

            if (!users.isEmpty()) {
                //obtain the username in order to create authorities (find assigned roles)
                actualUsername = users.get(0).getUsername();
            }
        }
        if (!users.isEmpty()) {
            User user = users.get(0);
            if (user instanceof AcceptsGrantedAuthorities) {
                ((AcceptsGrantedAuthorities) user).setAuthorities(createAuthorities(actualUsername));
            }
            return user;
        } else {
            throw new UsernameNotFoundException("User not found");
        }
    }

    //just copied the following two methods from AbstractDatabaseUserRepository because they are private there
    private Collection<? extends GrantedAuthority> createAuthorities(String username) {
        return roleAssignmentRepository.getAssignmentsByUsername(username).stream()
                .map(this::createAuthority)
                .filter(Objects::nonNull)
                .collect(Collectors.toList());
    }

    private GrantedAuthority createAuthority(RoleAssignment roleAssignment) {
        GrantedAuthority authority = null;
        if (RoleAssignmentRoleType.RESOURCE.equals(roleAssignment.getRoleType())) {
            ResourceRole role = resourceRoleRepository.findRoleByCode(roleAssignment.getRoleCode());
            if (role != null) {
                authority = RoleGrantedAuthority.ofResourceRole(role);
            }
        } else if (RoleAssignmentRoleType.ROW_LEVEL.equals(roleAssignment.getRoleType())) {
            RowLevelRole role = rowLevelRoleRepository.findRoleByCode(roleAssignment.getRoleCode());
            if (role != null) {
                authority = RoleGrantedAuthority.ofRowLevelRole(role);
            }
        }
        return authority;
    }