test(email): add DataProvider coverage for throwIfIsAuthenticatedWithDifferentAccount

vitormattos · backportbot-libresign[bot] · commit 501c5548ab41 · 2026-03-03T01:10:28.000Z
Six cases covering all branches of the guard:
- not authenticated → pass
- authenticated email matches signer email → pass
- authenticated user has no email set → throw
- authenticated user has different email → throw
- wrong email but token in progress (code set, not yet identified) → pass
- wrong email and token already used (identified) → throw

Signed-off-by: Vitor Mattos &lt;1079143+vitormattos@users.noreply.github.com&gt;
diff --git a/tests/php/Unit/Service/IdentifyMethod/EmailTest.php b/tests/php/Unit/Service/IdentifyMethod/EmailTest.php
@@ -136,4 +136,86 @@ public static function providerThrowIfNeedToCreateAccount(): array {
 			'method_enabled_user_exists_not_logged_in' => [false, true, true, false, true, false, 'User already exists. Please login.'],
 		];
 	}
+
+	#[DataProvider('providerThrowIfIsAuthenticatedWithDifferentAccount')]
+	public function testThrowIfIsAuthenticatedWithDifferentAccount(
+		?string $userEmail,
+		string $signerEmail,
+		?string $code,
+		bool $identified,
+		string $errorMessage = '',
+	): void {
+		if ($errorMessage) {
+			$this->expectException(LibresignException::class);
+			$this->expectExceptionMessageMatches("/.*$errorMessage.*/");
+		} else {
+			$this->expectNotToPerformAssertions();
+		}
+
+		if ($userEmail !== null) {
+			$user = $this->createMock(IUser::class);
+			$user->method('getEMailAddress')->willReturn($userEmail);
+			$this->userSession->method('getUser')->willReturn($user);
+		} else {
+			$this->userSession->method('getUser')->willReturn(null);
+		}
+
+		$identifyMethod = $this->getClass();
+		$identifyMethod->getEntity()->setIdentifierValue($signerEmail);
+		if ($code !== null) {
+			$identifyMethod->getEntity()->setCode($code);
+		}
+		if ($identified) {
+			$identifyMethod->getEntity()->setIdentifiedAtDate(new \DateTime());
+		}
+
+		self::invokePrivate($identifyMethod, 'throwIfIsAuthenticatedWithDifferentAccount');
+	}
+
+	public static function providerThrowIfIsAuthenticatedWithDifferentAccount(): array {
+		return [
+			'not_authenticated' => [
+				'userEmail' => null,
+				'signerEmail' => 'signer@example.com',
+				'code' => null,
+				'identified' => false,
+				'errorMessage' => '',
+			],
+			'authenticated_email_matches' => [
+				'userEmail' => 'signer@example.com',
+				'signerEmail' => 'signer@example.com',
+				'code' => null,
+				'identified' => false,
+				'errorMessage' => '',
+			],
+			'authenticated_no_email_on_user' => [
+				'userEmail' => '',
+				'signerEmail' => 'signer@example.com',
+				'code' => null,
+				'identified' => false,
+				'errorMessage' => 'This document is not yours',
+			],
+			'authenticated_wrong_email' => [
+				'userEmail' => 'admin@example.com',
+				'signerEmail' => 'signer@example.com',
+				'code' => null,
+				'identified' => false,
+				'errorMessage' => 'This document is not yours',
+			],
+			'authenticated_wrong_email_token_in_progress' => [
+				'userEmail' => 'admin@example.com',
+				'signerEmail' => 'signer@example.com',
+				'code' => 'abc123',
+				'identified' => false,
+				'errorMessage' => '',
+			],
+			'authenticated_wrong_email_token_already_identified' => [
+				'userEmail' => 'admin@example.com',
+				'signerEmail' => 'signer@example.com',
+				'code' => 'abc123',
+				'identified' => true,
+				'errorMessage' => 'This document is not yours',
+			],
+		];
+	}
 }
