From b02c910b1e360b3287faad9c7b6ae7b4d34fa16b Mon Sep 17 00:00:00 2001
From: "J. King" <jking@jkingweb.ca>
Date: Sun, 10 Mar 2019 15:54:43 -0400
Subject: [PATCH] Make token creation check that the user exists

---
 lib/Database.php                     | 2 ++
 tests/cases/Database/SeriesToken.php | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/lib/Database.php b/lib/Database.php
index 01cd91a..df614b5 100644
--- a/lib/Database.php
+++ b/lib/Database.php
@@ -392,6 +392,8 @@ class Database {
         // If the user isn't authorized to perform this action then throw an exception.
         if (!Arsse::$user->authorize($user, __FUNCTION__)) {
             throw new User\ExceptionAuthz("notAuthorized", ["action" => __FUNCTION__, "user" => $user]);
+        } elseif (!$this->userExists($user)) {
+            throw new User\Exception("doesNotExist", ["action" => __FUNCTION__, "user" => $user]);
         }
         // generate a token if it's not provided
         $id = $id ?? UUID::mint()->hex;
diff --git a/tests/cases/Database/SeriesToken.php b/tests/cases/Database/SeriesToken.php
index 738fc58..ff85407 100644
--- a/tests/cases/Database/SeriesToken.php
+++ b/tests/cases/Database/SeriesToken.php
@@ -96,6 +96,11 @@ trait SeriesToken {
         $this->compareExpectations($state);
     }
 
+    public function testCreateATokenForAMissingUser() {
+        $this->assertException("doesNotExist", "User");
+        Arsse::$db->tokenCreate("fever.login", "jane.doe@example.biz");
+    }
+
     public function testCreateATokenWithoutAuthority() {
         Phake::when(Arsse::$user)->authorize->thenReturn(false);
         $this->assertException("notAuthorized", "User", "ExceptionAuthz");