Add OAuth info to the User entity

Author: codedmonkey

migrations/Version20260427080101.php

@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use CodedMonkey\Dirigent\Doctrine\Entity\User;
+use Doctrine\DBAL\Connection;
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
+
+final class Version20260427080101 extends AbstractMigration
+{
+    public function __construct(
+        Connection $connection,
+        LoggerInterface $logger,
+        private readonly UserPasswordHasherInterface $passwordHasher,
+    ) {
+        parent::__construct($connection, $logger);
+    }
+
+    public function getDescription(): string
+    {
+        return 'Add OAuth info to users';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql(<<<'SQL'
+            ALTER TABLE "user" ADD oauth_provider VARCHAR(255) DEFAULT NULL
+        SQL);
+        $this->addSql(<<<'SQL'
+            ALTER TABLE "user" ADD oauth_sub VARCHAR(255) DEFAULT NULL
+        SQL);
+        $this->addSql(<<<'SQL'
+            ALTER TABLE "user" ALTER password DROP NOT NULL
+        SQL);
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql(<<<'SQL'
+            ALTER TABLE "user" DROP oauth_provider
+        SQL);
+        $this->addSql(<<<'SQL'
+            ALTER TABLE "user" DROP oauth_sub
+        SQL);
+
+        // Generate a random password for each user that loses its OAuth credentials
+        $users = $this->connection->fetchAllAssociative('SELECT id FROM "user" WHERE password IS NULL');
+        foreach ($users as $user) {
+            $hashedPassword = $this->passwordHasher->hashPassword(new User(), bin2hex(random_bytes(16)));
+            $this->addSql(<<<'SQL'
+                UPDATE "user" SET password = ? WHERE id = ?
+            SQL, [$hashedPassword, $user['id']]);
+        }
+
+        $this->addSql(<<<'SQL'
+            ALTER TABLE "user" ALTER password SET NOT NULL
+        SQL);
+    }
+}

src/Doctrine/Entity/User.php

@@ -39,14 +39,25 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, TwoFact
     #[Column(type: Types::STRING, length: 64, enumType: UserRole::class)]
     private UserRole $role = UserRole::User;
 
-    #[Column]
+    /**
+     * User's (hashed) password.
+     *
+     * The password can only be NULL when OAuth credentials are available.
+     */
+    #[Column(nullable: true)]
     private ?string $password = null;
 
     private ?string $plainPassword = null;
 
     #[Column(nullable: true)]
     private ?string $totpSecret = null;
 
+    #[Column(nullable: true)]
+    private ?string $oauthProvider = null;
+
+    #[Column(nullable: true)]
+    private ?string $oauthSub = null;
+
     public function getId(): ?int
     {
         return $this->id;
@@ -130,6 +141,26 @@ public function setTotpSecret(?string $totpSecret): void
         $this->totpSecret = $totpSecret;
     }
 
+    public function getOauthProvider(): ?string
+    {
+        return $this->oauthProvider;
+    }
+
+    public function setOauthProvider(?string $oauthProvider): void
+    {
+        $this->oauthProvider = $oauthProvider;
+    }
+
+    public function getOauthSub(): ?string
+    {
+        return $this->oauthSub;
+    }
+
+    public function setOauthSub(?string $oauthSub): void
+    {
+        $this->oauthSub = $oauthSub;
+    }
+
     public function getUserIdentifier(): string
     {
         return (string) $this->username;

src/Doctrine/EventListener/UserListener.php

@@ -18,6 +18,11 @@ public function __construct(
 
     public function prePersist(User $user): void
     {
+        if (null !== $user->getOauthProvider() && null !== $user->getOauthSub()) {
+            // Skip password hashing for users authenticating through OAuth
+            return;
+        }
+
         if (null === $user->getPlainPassword()) {
             throw new \LogicException('A new user can\'t be created without a password.');
         }

src/Doctrine/MigrationFactory.php

@@ -5,24 +5,32 @@
 use CodedMonkey\Dirigent\Encryption\Encryption;
 use Doctrine\DBAL\Connection;
 use Doctrine\Migrations\AbstractMigration;
-use Doctrine\Migrations\Version\MigrationFactory as BaseMigrationFactory;
+use Doctrine\Migrations\Version\MigrationFactory as MigrationFactoryInterface;
+use DoctrineMigrations\Version20250311205816;
+use DoctrineMigrations\Version20260427080101;
 use Psr\Log\LoggerInterface;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
 
-readonly class MigrationFactory implements BaseMigrationFactory
+readonly class MigrationFactory implements MigrationFactoryInterface
 {
     public function __construct(
         private Connection $connection,
         private LoggerInterface $logger,
         private Encryption $encryptionUtility,
+        private UserPasswordHasherInterface $passwordHasher,
     ) {
     }
 
     public function createVersion(string $migrationClassName): AbstractMigration
     {
-        if (str_contains($migrationClassName, '20250311205816')) {
-            return new $migrationClassName($this->connection, $this->logger, $this->encryptionUtility);
-        }
+        $additionalParameters = match ($migrationClassName) {
+            Version20250311205816::class => [$this->encryptionUtility],
+            Version20260427080101::class => [$this->passwordHasher],
+            default => [],
+        };
 
-        return new $migrationClassName($this->connection, $this->logger);
+        $parameters = [$this->connection, $this->logger, ...$additionalParameters];
+
+        return new $migrationClassName(...$parameters);
     }
 }