refactor(api): Use passwordHash from User model

Author: bpetetot

api/src/identity-access-management/domain/models/User.js

@@ -96,7 +96,15 @@ class User {
       (authenticationMethod) => authenticationMethod.identityProvider === NON_OIDC_IDENTITY_PROVIDERS.PIX.code,
     );
 
-    return pixAuthenticationMethod ? pixAuthenticationMethod.authenticationComplement.shouldChangePassword : null;
+    return pixAuthenticationMethod ? pixAuthenticationMethod.authenticationComplement?.shouldChangePassword : null;
+  }
+
+  get passwordHash() {
+    const pixAuthenticationMethod = this.authenticationMethods.find(
+      (authenticationMethod) => authenticationMethod.identityProvider === NON_OIDC_IDENTITY_PROVIDERS.PIX.code,
+    );
+
+    return pixAuthenticationMethod ? pixAuthenticationMethod.authenticationComplement?.password : null;
   }
 
   get shouldSeeDataProtectionPolicyInformationBanner() {

api/src/identity-access-management/domain/services/pix-authentication-service.js

@@ -18,18 +18,15 @@ async function getUserByUsernameAndPassword({
   dependencies = { userLoginRepository, cryptoService },
 }) {
   const foundUser = await userRepository.getByUsernameOrEmailWithRolesAndPassword(username);
-  const passwordHash = foundUser.authenticationMethods[0].authenticationComplement.password;
 
   let userLogin = await dependencies.userLoginRepository.findByUserId(foundUser.id);
   if (!userLogin) {
     userLogin = await dependencies.userLoginRepository.create({ userId: foundUser.id });
   }
 
   try {
-    await dependencies.cryptoService.checkPassword({
-      password,
-      passwordHash,
-    });
+    const passwordHash = foundUser.passwordHash;
+    await dependencies.cryptoService.checkPassword({ password, passwordHash });
   } catch (error) {
     if (error instanceof PasswordNotMatching) {
       userLogin.incrementFailureCount();

api/tests/identity-access-management/unit/domain/models/User.test.js

@@ -428,6 +428,43 @@ describe('Unit | Identity Access Management | Domain | Model | User', function (
     });
   });
 
+  describe('#passwordHash', function () {
+    context('when there is a Pix authentication method', function () {
+      it('returns the password hash', function () {
+        // given
+        const hashedPassword = 'xxx';
+        const pixAuthenticationMethod =
+          domainBuilder.buildAuthenticationMethod.withPixAsIdentityProviderAndHashedPassword({ hashedPassword });
+
+        // when
+        const user = new User({
+          id: 1,
+          authenticationMethods: [pixAuthenticationMethod],
+        });
+
+        // then
+        expect(user.passwordHash).to.equal(hashedPassword);
+      });
+    });
+
+    context('when there is no Pix authentication method', function () {
+      it('returns null', function () {
+        // given
+        const poleEmploiAuthenticationMethod =
+          domainBuilder.buildAuthenticationMethod.withPoleEmploiAsIdentityProvider();
+
+        // when
+        const user = new User({
+          id: 1,
+          authenticationMethods: [poleEmploiAuthenticationMethod],
+        });
+
+        // then
+        expect(user.passwordHash).to.be.null;
+      });
+    });
+  });
+
   describe('#shouldSeeDataProtectionPolicyInformationBanner', function () {
     context('when user has not seen data protection policy but data protection date is not setted', function () {
       it('should return false', function () {