FAForever · Brutus5000 · Sep 27, 2021 · Sep 26, 2021
diff --git a/src/main/kotlin/com/faforever/userservice/domain/User.kt b/src/main/kotlin/com/faforever/userservice/domain/User.kt
@@ -23,11 +23,14 @@ data class User(
     val ip: String?,
     @Column("steamid")
     val steamId: Long?,
+    val gogId: String?,
 ) {
 
     override fun toString(): String =
         // Do NOT expose personal information here!!
         "User(id=$id, username='$username')"
+
+    val hasGameOwnershipVerified = steamId != null || gogId != null
 }
 
 @Table("group_permission")

diff --git a/src/main/kotlin/com/faforever/userservice/domain/UserService.kt b/src/main/kotlin/com/faforever/userservice/domain/UserService.kt
@@ -139,7 +139,7 @@ class UserService(
                             }
                     }
                     .switchIfEmpty {
-                        if (user.steamId == null && loginRequest.requestedScope.contains(OAuthScope.LOBBY)) {
+                        if (loginRequest.requestedScope.contains(OAuthScope.LOBBY) && !user.hasGameOwnershipVerified) {
                             LOG.debug("Lobby login blocked for user '$usernameOrEmail' because of missing game ownership verification")
                             hydraService.rejectLoginRequest(
                                 challenge,

diff --git a/src/test/kotlin/com/faforever/userservice/UserServiceApplicationTests.kt b/src/test/kotlin/com/faforever/userservice/UserServiceApplicationTests.kt
@@ -64,7 +64,7 @@ class UserServiceApplicationTests {
         private const val hydraRedirectUrl = "someHydraRedirectUrl"
         private val revokeRequest = RevokeRefreshTokensRequest("1", null, true)
 
-        private val user = User(1, username, password, email, null, 0)
+        private val user = User(1, username, password, email, null, 0, null)
         private val mockServer = ClientAndServer(mockServerPort)
 
         @JvmStatic
@@ -265,7 +265,7 @@ class UserServiceApplicationTests {
 
     @Test
     fun postLoginWithNonLinkedUserWithLobbyScope() {
-        val unlinkedUser = User(1, username, password, email, null, null)
+        val unlinkedUser = User(1, username, password, email, null, null, null)
         `when`(userRepository.findByUsernameOrEmail(username, username)).thenReturn(Mono.just(unlinkedUser))
         `when`(passwordEncoder.matches(password, password)).thenReturn(true)
         `when`(loginLogRepository.findFailedAttemptsByIp(anyString()))
@@ -302,9 +302,87 @@ class UserServiceApplicationTests {
         verify(banRepository).findAllByPlayerIdAndLevel(anyLong(), anyOrNull())
     }
 
+    @Test
+    fun postLoginWithGogLinkedUserWithLobbyScope() {
+        val unlinkedUser = User(1, username, password, email, null, null, "someGogId")
+        `when`(userRepository.findByUsernameOrEmail(username, username)).thenReturn(Mono.just(unlinkedUser))
+        `when`(passwordEncoder.matches(password, password)).thenReturn(true)
+        `when`(loginLogRepository.findFailedAttemptsByIp(anyString()))
+            .thenReturn(Mono.just(FailedAttemptsSummary(null, null, null, null)))
+        `when`(loginLogRepository.save(anyOrNull()))
+            .thenAnswer { Mono.just(it.arguments[0]) }
+        `when`(banRepository.findAllByPlayerIdAndLevel(anyLong(), anyOrNull())).thenReturn(
+            Flux.empty()
+        )
+
+        mockLoginRequest(scopes = listOf(OAuthScope.LOBBY))
+        mockLoginAccept()
+
+        webTestClient
+            .mutateWith(csrf())
+            .post()
+            .uri("/oauth2/login?login_challenge=$challenge")
+            .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
+            .body(
+                BodyInserters.fromFormData("login_challenge", challenge)
+                    .with("usernameOrEmail", username)
+                    .with("password", password)
+            )
+            .exchange()
+            .expectStatus().is3xxRedirection
+            .expectHeader()
+            .location(hydraRedirectUrl)
+            .expectBody(String::class.java)
+
+        verify(userRepository).findByUsernameOrEmail(username, username)
+        verify(passwordEncoder).matches(password, password)
+        verify(loginLogRepository).findFailedAttemptsByIp(anyString())
+        verify(loginLogRepository).save(anyOrNull())
+        verify(banRepository).findAllByPlayerIdAndLevel(anyLong(), anyOrNull())
+    }
+
+    @Test
+    fun postLoginWithSteamLinkedUserWithLobbyScope() {
+        val unlinkedUser = User(1, username, password, email, null, 123456L, null)
+        `when`(userRepository.findByUsernameOrEmail(username, username)).thenReturn(Mono.just(unlinkedUser))
+        `when`(passwordEncoder.matches(password, password)).thenReturn(true)
+        `when`(loginLogRepository.findFailedAttemptsByIp(anyString()))
+            .thenReturn(Mono.just(FailedAttemptsSummary(null, null, null, null)))
+        `when`(loginLogRepository.save(anyOrNull()))
+            .thenAnswer { Mono.just(it.arguments[0]) }
+        `when`(banRepository.findAllByPlayerIdAndLevel(anyLong(), anyOrNull())).thenReturn(
+            Flux.empty()
+        )
+
+        mockLoginRequest(scopes = listOf(OAuthScope.LOBBY))
+        mockLoginAccept()
+
+        webTestClient
+            .mutateWith(csrf())
+            .post()
+            .uri("/oauth2/login?login_challenge=$challenge")
+            .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
+            .body(
+                BodyInserters.fromFormData("login_challenge", challenge)
+                    .with("usernameOrEmail", username)
+                    .with("password", password)
+            )
+            .exchange()
+            .expectStatus().is3xxRedirection
+            .expectHeader()
+            .location(hydraRedirectUrl)
+            .expectBody(String::class.java)
+
+        verify(userRepository).findByUsernameOrEmail(username, username)
+        verify(passwordEncoder).matches(password, password)
+        verify(loginLogRepository).findFailedAttemptsByIp(anyString())
+        verify(loginLogRepository).save(anyOrNull())
+        verify(banRepository).findAllByPlayerIdAndLevel(anyLong(), anyOrNull())
+    }
+
     @Test
     fun postLoginWithNonLinkedUserWithoutLobbyScope() {
-        val unlinkedUser = User(1, username, password, email, null, null)
+        val unlinkedUser = User(1, username, password, email, null, null, null)
         `when`(userRepository.findByUsernameOrEmail(username, username)).thenReturn(Mono.just(unlinkedUser))
         `when`(passwordEncoder.matches(password, password)).thenReturn(true)
         `when`(loginLogRepository.findFailedAttemptsByIp(anyString()))