Protect social unlink from account lockout

Keep social unlink disabled when removing the last available sign-in method.
Expose the capability to the settings UI and enforce the same rule on the unbind endpoint.
Add frontend and controller coverage for the allowed and blocked cases.

Author: vtm9

apps/codebattle/assets/js/__tests__/UserSettings.test.jsx

@@ -49,6 +49,7 @@ const preloadedState = {
       name: "Diman",
       lang: "ts",
       avatarUrl: "/assets/images/logo.svg",
+      canUnlinkSocial: false,
       discordName: null,
       discordId: null,
       error: "",
@@ -216,4 +217,56 @@ describe("UserSettings test cases", () => {
 
     expect(await findByRole("alert")).toHaveClass("alert-danger");
   });
+
+  test("unlink button is disabled when it is the last sign-in method", () => {
+    const customStore = configureStore({
+      reducer,
+      preloadedState: {
+        user: {
+          settings: {
+            ...preloadedState.user.settings,
+            githubId: 19,
+            githubName: "octocat",
+            canUnlinkSocial: false,
+            discordId: null,
+            discordName: null,
+          },
+        },
+      },
+    });
+
+    const { getByRole } = setup(
+      <Provider store={customStore}>
+        <UserSettings />
+      </Provider>,
+    );
+
+    expect(getByRole("button", { name: "Unlink Github" })).toBeDisabled();
+  });
+
+  test("unlink button stays enabled when another sign-in method exists", () => {
+    const customStore = configureStore({
+      reducer,
+      preloadedState: {
+        user: {
+          settings: {
+            ...preloadedState.user.settings,
+            githubId: 19,
+            githubName: "octocat",
+            canUnlinkSocial: true,
+            discordId: null,
+            discordName: null,
+          },
+        },
+      },
+    });
+
+    const { getByRole } = setup(
+      <Provider store={customStore}>
+        <UserSettings />
+      </Provider>,
+    );
+
+    expect(getByRole("button", { name: "Unlink Github" })).toBeEnabled();
+  });
 });

apps/codebattle/assets/js/widgets/pages/settings/UserSettings.jsx

@@ -65,10 +65,6 @@ function Notification({ notification, onClose }) {
 }
 
 function SocialButtons({ settings }) {
-  const onlyOneProviderLinked =
-    providers.filter((provider) => !!settings[mapUserPropNameByProviderName[provider]]).length ===
-    1;
-
   return providers.map((provider) => {
     const providerPropName = mapUserPropNameByProviderName[provider];
     const isLinked = !!settings[providerPropName];
@@ -87,7 +83,7 @@ function SocialButtons({ settings }) {
             data-method="delete"
             data-csrf={csrfToken}
             data-to={`/auth/${provider}`}
-            disabled={onlyOneProviderLinked}
+            disabled={!settings.canUnlinkSocial}
           >
             {`Unlink ${formatedProviderName}`}
           </button>

apps/codebattle/lib/codebattle/user.ex

@@ -263,6 +263,10 @@ defmodule Codebattle.User do
     |> Repo.update()
   end
 
+  def can_unlink_social?(user) do
+    available_login_methods_count(user) > 1
+  end
+
   def update_subscription_type(user_id, type) do
     user_id
     |> get!()
@@ -303,6 +307,20 @@ defmodule Codebattle.User do
 
   def subscription_types, do: @subscription_types
 
+  defp available_login_methods_count(user) do
+    Enum.count(
+      [
+        present?(user.github_id),
+        present?(user.discord_id),
+        present?(user.firebase_uid) or present?(user.password_hash),
+        present?(user.external_oauth_id)
+      ],
+      & &1
+    )
+  end
+
+  defp present?(value), do: not is_nil(value) and value != ""
+
   defp assign_clan(changeset, %{:clan => clan}, _user_id) when clan in ["", nil],
     do: change(changeset, %{clan: nil, clan_id: nil})
 

apps/codebattle/lib/codebattle_web/controllers/api/v1/settings_controller.ex

@@ -11,6 +11,9 @@ defmodule CodebattleWeb.Api.V1.SettingsController do
       name: current_user.name,
       clan: current_user.clan,
       locale: current_user.locale,
+      can_unlink_social: User.can_unlink_social?(current_user),
+      discord_id: current_user.discord_id,
+      discord_name: current_user.discord_name,
       github_id: current_user.github_id,
       github_name: current_user.github_name,
       sound_settings: current_user.sound_settings,
@@ -32,6 +35,7 @@ defmodule CodebattleWeb.Api.V1.SettingsController do
           name: user.name,
           clan: user.clan,
           locale: user.locale,
+          can_unlink_social: User.can_unlink_social?(user),
           sound_settings: user.sound_settings,
           lang: user.lang,
           style_lang: user.style_lang,

apps/codebattle/lib/codebattle_web/controllers/auth_bind_controller.ex

@@ -64,15 +64,19 @@ defmodule CodebattleWeb.AuthBindController do
   end
 
   def unbind(conn, params) do
-    current_user = conn.assigns.current_user
+    current_user = Codebattle.Repo.reload(conn.assigns.current_user)
 
     case_result =
-      case params["provider"] do
-        "github" ->
-          GithubUser.unbind(current_user)
-
-        "discord" ->
-          DiscordUser.unbind(current_user)
+      if Codebattle.User.can_unlink_social?(current_user) do
+        case params["provider"] do
+          "github" ->
+            GithubUser.unbind(current_user)
+
+          "discord" ->
+            DiscordUser.unbind(current_user)
+        end
+      else
+        {:error, gettext("You need at least one authentication method to sign in.")}
       end
 
     case case_result do

apps/codebattle/lib/codebattle_web/plugs/assign_gon.ex

@@ -35,6 +35,7 @@ defmodule CodebattleWeb.Plugs.AssignGon do
     user
     |> Map.take([
       :avatar_url,
+      :can_unlink_social,
       :clan,
       :clan_id,
       :discord_avatar,
@@ -65,6 +66,7 @@ defmodule CodebattleWeb.Plugs.AssignGon do
       :subscription_type,
       :sound_settings
     ])
+    |> Map.put(:can_unlink_social, Codebattle.User.can_unlink_social?(user))
     |> Map.put(:is_admin, Codebattle.User.admin?(user))
   end
 end

apps/codebattle/test/codebattle_web/controllers/auth_bind_controller_test.exs

@@ -120,5 +120,31 @@ defmodule CodebattleWeb.AuthBindControllerTest do
       assert user.github_id == nil
       assert user.github_name == nil
     end
+
+    test "does not unbind the last available social sign-in method", %{conn: conn} do
+      user =
+        insert(:user,
+          github_id: 42,
+          github_name: "octocat",
+          discord_id: nil,
+          discord_name: nil,
+          discord_avatar: nil,
+          firebase_uid: nil,
+          password_hash: nil,
+          external_oauth_id: nil
+        )
+
+      conn =
+        conn
+        |> put_session(:user_id, user.id)
+        |> delete("/auth/github")
+
+      user = Repo.reload!(user)
+
+      assert user.github_id == 42
+      assert user.github_name == "octocat"
+      assert redirected_to(conn) == "/settings"
+      assert Phoenix.Flash.get(conn.assigns.flash, :danger) =~ "at least one authentication method"
+    end
   end
 end