fix: address PR #278 review feedback

- Add LoginHelperService.userLoginHelper(User, OidcUserInfo, OidcIdToken) overload
  so DSOidcUserService can build an immutable DSUserDetails with OIDC tokens in
  one step, eliminating the need for @Setter on DSUserDetails fields
- Remove @Setter from DSUserDetails.oidcUserInfo / oidcIdToken to restore immutability
- Remove @transactional from private registerNewOidcUser/registerNewOAuthUser methods
  (silently ignored by Spring AOP proxy; class-level @transactional covers them)
- Swap audit event publication to after save() in both services to prevent false-positive
  audit records when save throws (e.g. unique-constraint violation)
- Use trim() + toLowerCase(Locale.ROOT) for email normalization to handle locale edge
  cases and leading/trailing whitespace in both extraction and lookup
- Fix import ordering in DSOidcUserService.java to alphabetical per CLAUDE.md
- Add JavaDoc on loginHelperService field in DSOidcUserService
- Update DSOidcUserServiceTest: use 3-arg userLoginHelper mock, assert non-empty
  authorities, assert eventPublisher.publishEvent() called on new registration,
  update shouldPreserveOidcTokensInDSUserDetails to use the new constructor path

Author: devondragon

src/main/java/com/digitalsanctuary/spring/user/service/DSOAuth2UserService.java

@@ -126,18 +126,17 @@ public User handleOAuthLoginSuccess(String registrationId, OAuth2User oAuth2User
      * @param user The User object representing the authenticated user.
      * @return A User object representing the newly registered user.
      */
-    @Transactional
     private User registerNewOAuthUser(String registrationId, User user) {
         User.Provider provider = User.Provider.valueOf(registrationId.toUpperCase());
         user.setProvider(provider);
         user.setRoles(Arrays.asList(roleRepository.findByName(USER_ROLE_NAME)));
         // We will trust OAuth2 providers to provide us with a verified email address.
         user.setEnabled(true);
-        AuditEvent registrationAuditEvent = AuditEvent.builder().source(this).user(user).action("OAuth2 Registration Success").actionStatus("Success")
+        User savedUser = userRepository.save(user);
+        AuditEvent registrationAuditEvent = AuditEvent.builder().source(this).user(savedUser).action("OAuth2 Registration Success").actionStatus("Success")
                 .message("Registration Confirmed. User logged in.").build();
-
         eventPublisher.publishEvent(registrationAuditEvent);
-        return userRepository.save(user);
+        return savedUser;
     }
 
     /**

src/main/java/com/digitalsanctuary/spring/user/service/DSOidcUserService.java

@@ -1,16 +1,7 @@
 package com.digitalsanctuary.spring.user.service;
 
 import java.util.Arrays;
-import com.digitalsanctuary.spring.user.audit.AuditEvent;
-import com.digitalsanctuary.spring.user.persistence.model.User;
-import com.digitalsanctuary.spring.user.persistence.repository.RoleRepository;
-import com.digitalsanctuary.spring.user.persistence.repository.UserRepository;
-import com.digitalsanctuary.spring.user.registration.RegistrationContext;
-import com.digitalsanctuary.spring.user.registration.RegistrationDecision;
-import com.digitalsanctuary.spring.user.registration.RegistrationGuard;
-import com.digitalsanctuary.spring.user.registration.RegistrationSource;
-import lombok.RequiredArgsConstructor;
-import lombok.extern.slf4j.Slf4j;
+import java.util.Locale;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
@@ -22,6 +13,16 @@
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
+import com.digitalsanctuary.spring.user.audit.AuditEvent;
+import com.digitalsanctuary.spring.user.persistence.model.User;
+import com.digitalsanctuary.spring.user.persistence.repository.RoleRepository;
+import com.digitalsanctuary.spring.user.persistence.repository.UserRepository;
+import com.digitalsanctuary.spring.user.registration.RegistrationContext;
+import com.digitalsanctuary.spring.user.registration.RegistrationDecision;
+import com.digitalsanctuary.spring.user.registration.RegistrationGuard;
+import com.digitalsanctuary.spring.user.registration.RegistrationSource;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
 
 /**
  * OIDC user service implementation for handling OpenID Connect authentication (Keycloak).
@@ -49,6 +50,7 @@ public class DSOidcUserService implements OAuth2UserService<OidcUserRequest, Oid
     /** The role repository. */
     private final RoleRepository roleRepository;
 
+    /** The login helper service. */
     private final LoginHelperService loginHelperService;
 
     private final RegistrationGuard registrationGuard;
@@ -87,8 +89,11 @@ public User handleOidcLoginSuccess(String registrationId, OidcUser oidcUser) {
             throw new OAuth2AuthenticationException(new OAuth2Error("Missing Email"),
                     "Unable to retrieve email address from " + registrationId + ". Please ensure you have granted email permissions.");
         }
-        log.debug("handleOidcLoginSuccess: looking up user with email: {}", user.getEmail());
-        User existingUser = userRepository.findByEmail(user.getEmail().toLowerCase());
+        // Normalize email for consistent lookup — getUserFromKeycloakOidc2User already lowercases,
+        // but we normalize again here defensively in case additional sources are added.
+        String normalizedEmail = user.getEmail().trim().toLowerCase(Locale.ROOT);
+        log.debug("handleOidcLoginSuccess: looking up user with email: {}", normalizedEmail);
+        User existingUser = userRepository.findByEmail(normalizedEmail);
         log.debug("handleOidcLoginSuccess: existingUser: {}", existingUser);
         if (existingUser != null && registrationId != null) {
             log.debug("handleOidcLoginSuccess: existingUser.getProvider(): {}", existingUser.getProvider());
@@ -102,12 +107,12 @@ public User handleOidcLoginSuccess(String registrationId, OidcUser oidcUser) {
             existingUser = updateExistingUser(existingUser, user);
             return userRepository.save(existingUser);
         } else {
-            log.debug("handleOidcLoginSuccess: registering new user with email: {}", user.getEmail());
+            log.debug("handleOidcLoginSuccess: registering new user with email: {}", normalizedEmail);
             RegistrationDecision decision = registrationGuard.evaluate(
-                    new RegistrationContext(user.getEmail(), RegistrationSource.OIDC, registrationId));
+                    new RegistrationContext(normalizedEmail, RegistrationSource.OIDC, registrationId));
             if (!decision.allowed()) {
                 log.info("Registration denied for email: {} source: OIDC provider: {} reason: {}",
-                        user.getEmail(), registrationId, decision.reason());
+                        normalizedEmail, registrationId, decision.reason());
                 throw new OAuth2AuthenticationException(
                         new OAuth2Error("registration_denied", decision.reason(), null), decision.reason());
             }
@@ -125,18 +130,17 @@ public User handleOidcLoginSuccess(String registrationId, OidcUser oidcUser) {
      * @param user The User object representing the authenticated user.
      * @return A User object representing the newly registered user.
      */
-    @Transactional
     private User registerNewOidcUser(String registrationId, User user) {
         User.Provider provider = User.Provider.valueOf(registrationId.toUpperCase());
         user.setProvider(provider);
         user.setRoles(Arrays.asList(roleRepository.findByName("ROLE_USER")));
         // We will trust OIDC providers to provide us with a verified email address.
         user.setEnabled(true);
-        AuditEvent registrationAuditEvent = AuditEvent.builder().source(this).user(user).action("OIDC Registration Success").actionStatus("Success")
+        User savedUser = userRepository.save(user);
+        AuditEvent registrationAuditEvent = AuditEvent.builder().source(this).user(savedUser).action("OIDC Registration Success").actionStatus("Success")
                 .message("Registration Confirmed. User logged in.").build();
-
         eventPublisher.publishEvent(registrationAuditEvent);
-        return userRepository.save(user);
+        return savedUser;
     }
 
     /**
@@ -167,11 +171,8 @@ public User getUserFromKeycloakOidc2User(OidcUser principal) {
         }
         log.debug("Principal attributes: {}", principal.getAttributes());
         User user = new User();
-/*        user.setEmail(principal.getAttribute("email"));
-        user.setFirstName(principal.getAttribute("given_name"));
-        user.setLastName(principal.getAttribute("family_name"));*/
         String email = principal.getEmail();
-        user.setEmail(email != null ? email.toLowerCase() : null);
+        user.setEmail(email != null ? email.trim().toLowerCase(Locale.ROOT) : null);
         user.setFirstName(principal.getGivenName());
         user.setLastName(principal.getFamilyName());
         user.setProvider(User.Provider.KEYCLOAK);
@@ -194,9 +195,6 @@ public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2Authenticatio
         String registrationId = userRequest.getClientRegistration().getRegistrationId();
         log.debug("registrationId: {}", registrationId);
         User dbUser = handleOidcLoginSuccess(registrationId, user);
-        DSUserDetails dsUserDetails = loginHelperService.userLoginHelper(dbUser);
-        dsUserDetails.setOidcUserInfo(user.getUserInfo());
-        dsUserDetails.setOidcIdToken(user.getIdToken());
-        return dsUserDetails;
+        return loginHelperService.userLoginHelper(dbUser, user.getUserInfo(), user.getIdToken());
     }
 }

src/main/java/com/digitalsanctuary/spring/user/service/DSUserDetails.java

@@ -11,7 +11,6 @@
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import com.digitalsanctuary.spring.user.persistence.model.User;
 import lombok.Builder;
-import lombok.Setter;
 import lombok.ToString;
 
 /**
@@ -55,11 +54,9 @@ public class DSUserDetails implements UserDetails, OidcUser {
 	private Map<String, Object> attributes;
 
 	/** The Oidc user properties. */
-	@Setter
 	private OidcUserInfo oidcUserInfo;
 
 	/** The Oidc user token. */
-	@Setter
 	private OidcIdToken oidcIdToken;
 
 	/**

src/main/java/com/digitalsanctuary/spring/user/service/LoginHelperService.java

@@ -3,6 +3,8 @@
 import java.util.Collection;
 import java.util.Date;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.core.oidc.OidcIdToken;
+import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 import com.digitalsanctuary.spring.user.persistence.model.User;
@@ -49,4 +51,24 @@ public DSUserDetails userLoginHelper(User dbUser) {
         DSUserDetails userDetails = new DSUserDetails(dbUser, authorities);
         return userDetails;
     }
+
+    /**
+     * Helper method to authenticate an OIDC user after login, attaching the OIDC-specific tokens
+     * and claims to the principal while keeping {@link DSUserDetails} immutable.
+     *
+     * @param dbUser       The user to authenticate.
+     * @param oidcUserInfo The OIDC user info claims.
+     * @param oidcIdToken  The OIDC ID token.
+     * @return The user details object with OIDC tokens set.
+     */
+    public DSUserDetails userLoginHelper(User dbUser, OidcUserInfo oidcUserInfo, OidcIdToken oidcIdToken) {
+        // Updating lastActivity date for this login
+        dbUser.setLastActivityDate(new Date());
+
+        // Check if the user account is locked, but should be unlocked now, and unlock it
+        dbUser = loginAttemptService.checkIfUserShouldBeUnlocked(dbUser);
+
+        Collection<? extends GrantedAuthority> authorities = authorityService.getAuthoritiesFromUser(dbUser);
+        return new DSUserDetails(dbUser, oidcUserInfo, oidcIdToken, authorities);
+    }
 }

src/test/java/com/digitalsanctuary/spring/user/service/DSOidcUserServiceTest.java

@@ -3,11 +3,10 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.Mockito.*;
 
-import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.List;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Nested;
@@ -16,15 +15,19 @@
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.oidc.OidcIdToken;
+import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+import com.digitalsanctuary.spring.user.audit.AuditEvent;
 import com.digitalsanctuary.spring.user.fixtures.OidcUserTestDataBuilder;
-import org.springframework.context.ApplicationEventPublisher;
 import com.digitalsanctuary.spring.user.persistence.model.Role;
 import com.digitalsanctuary.spring.user.persistence.model.User;
 import com.digitalsanctuary.spring.user.persistence.repository.RoleRepository;
@@ -104,6 +107,7 @@ void shouldCreateNewUserFromKeycloakOidc() {
             assertThat(result.getRoles()).containsExactly(userRole);
 
             verify(userRepository).save(any(User.class));
+            verify(eventPublisher).publishEvent(any(AuditEvent.class));
         }
 
         @Test
@@ -182,6 +186,7 @@ void shouldHandleKeycloakUserWithMinimalClaims() {
             assertThat(result.getFirstName()).isNull();
             assertThat(result.getLastName()).isNull();
             assertThat(result.getProvider()).isEqualTo(User.Provider.KEYCLOAK);
+            verify(eventPublisher).publishEvent(any(AuditEvent.class));
         }
 
         @Test
@@ -367,10 +372,14 @@ void shouldLoadUserThroughOidcRequestFlow() {
                 user.setId(999L);
                 return user;
             });
-            when(loginHelperService.userLoginHelper(any(User.class))).thenAnswer(invocation -> {
-                User user = invocation.getArgument(0);
-                return new DSUserDetails(user, new ArrayList<>());
-            });
+            when(loginHelperService.userLoginHelper(any(User.class), any(OidcUserInfo.class), any(OidcIdToken.class)))
+                    .thenAnswer(invocation -> {
+                        User user = invocation.getArgument(0);
+                        OidcUserInfo oidcUserInfo = invocation.getArgument(1);
+                        OidcIdToken oidcIdToken = invocation.getArgument(2);
+                        return new DSUserDetails(user, oidcUserInfo, oidcIdToken,
+                                List.of(new SimpleGrantedAuthority("ROLE_USER")));
+                    });
 
             // When
             OidcUser result = spyService.loadUser(userRequest);
@@ -381,9 +390,10 @@ void shouldLoadUserThroughOidcRequestFlow() {
             DSUserDetails dsUserDetails = (DSUserDetails) result;
             assertThat(dsUserDetails.getIdToken()).isNotNull();
             assertThat(dsUserDetails.getUserInfo()).isNotNull();
+            assertThat(dsUserDetails.getAuthorities()).isNotEmpty();
 
             verify(userRepository).save(any(User.class));
-            verify(loginHelperService).userLoginHelper(any(User.class));
+            verify(loginHelperService).userLoginHelper(any(User.class), any(OidcUserInfo.class), any(OidcIdToken.class));
         }
 
         @Test
@@ -399,16 +409,11 @@ void shouldPreserveOidcTokensInDSUserDetails() {
             dbUser.setEmail("tokens@keycloak.com");
             dbUser.setProvider(User.Provider.KEYCLOAK);
 
-            // When
+            // When - Simulate what LoginHelperService.userLoginHelper() does for OIDC path
             User extractedUser = service.getUserFromKeycloakOidc2User(keycloakUser);
-            
-            // Simulate what happens in loadUser
-            DSUserDetails dsUserDetails = DSUserDetails.builder()
-                .user(dbUser)
-                .oidcUserInfo(keycloakUser.getUserInfo())
-                .oidcIdToken(keycloakUser.getIdToken())
-                .grantedAuthorities(keycloakUser.getAuthorities())
-                .build();
+
+            DSUserDetails dsUserDetails = new DSUserDetails(dbUser, keycloakUser.getUserInfo(),
+                    keycloakUser.getIdToken(), keycloakUser.getAuthorities());
 
             // Then
             assertThat(dsUserDetails.getIdToken()).isEqualTo(keycloakUser.getIdToken());