Fix null MFA field handling for backward compatibility

- Add getMfaStatus helper method to handle null MFA fields in database
- Update token and identity deserialization to use helper method
- Add tests for backward compatibility with existing database records
- Prevents NullPointerException when MFA field is missing from stored data

Author: dauglyon

src/main/java/us/kbase/auth2/lib/storage/mongo/MongoStorage.java

@@ -569,6 +569,10 @@ private DisplayName getDisplayName(final String displayName) throws AuthStorageE
 		}
 	}
 
+	private MfaStatus getMfaStatus(final String mfaString) {
+		return mfaString != null ? MfaStatus.valueOf(mfaString) : MfaStatus.UNKNOWN;
+	}
+	
 	private EmailAddress getEmail(final String email) throws AuthStorageException {
 		if (email == null) {
 			return EmailAddress.UNKNOWN;
@@ -971,7 +975,7 @@ private StoredToken getToken(final Document t) throws AuthStorageException {
 						t.getDate(Fields.TOKEN_EXPIRY).toInstant())
 				.withNullableTokenName(getTokenName(t.getString(Fields.TOKEN_NAME)))
 				.withContext(toTokenCreationContext(t))
-				.withMfa(MfaStatus.valueOf(t.getString(Fields.TOKEN_MFA)))
+				.withMfa(getMfaStatus(t.getString(Fields.TOKEN_MFA)))
 				.build();
 	}
 
@@ -1795,7 +1799,7 @@ private Set<RemoteIdentity> toIdentities(final List<Document> ids) {
 					i.getString(Fields.IDENTITIES_USER),
 					i.getString(Fields.IDENTITIES_NAME),
 					i.getString(Fields.IDENTITIES_EMAIL),
-					MfaStatus.valueOf(i.getString(Fields.IDENTITIES_MFA)));
+					getMfaStatus(i.getString(Fields.IDENTITIES_MFA)));
 			ret.add(new RemoteIdentity(rid, det));
 		}
 		return ret;

src/test/java/us/kbase/test/auth2/lib/storage/mongo/MongoStorageTokensTest.java

@@ -126,6 +126,30 @@ TokenType.LOGIN, id, new UserName("bar"))
 		assertThat("incorrect token", st, is(expected));
 	}
 
+	@Test
+	public void getWithNullMfa() throws Exception {
+		/* Tests backwards compatibility with old tokens that don't have an MFA field
+		 * in the db.
+		 */
+		final UUID id = UUID.randomUUID();
+		final Instant now = Instant.now().truncatedTo(ChronoUnit.MILLIS); // mongo truncates
+		final StoredToken ht = StoredToken.getBuilder(
+				TokenType.LOGIN, id, new UserName("bar"))
+			.withLifeTime(now, now.plusSeconds(10)).build();
+		storage.storeToken(ht, "nJKFR6Xc4vzCeI3jT+FjlC9k5Q/qVw0zd0gi1erL8ew=");
+		
+		// Remove the MFA field to simulate old database records
+		db.getCollection("tokens").updateOne(new Document("id", id.toString()),
+				new Document("$unset", new Document("mfa", "")));
+		
+		final StoredToken expected = StoredToken.getBuilder(
+				TokenType.LOGIN, id, new UserName("bar"))
+			.withLifeTime(now, now.plusSeconds(10)).build();
+
+		final StoredToken st = storage.getToken(new IncomingToken("sometoken").getHashedToken());
+		assertThat("incorrect token", st, is(expected));
+	}
+	
 	@Test
 	public void storeTokenFailNull() throws Exception {
 		final StoredToken st = StoredToken.getBuilder(

src/test/java/us/kbase/test/auth2/lib/storage/mongo/MongoStorageUserCreateGetTest.java

@@ -13,6 +13,7 @@
 import java.util.Optional;
 import java.util.UUID;
 
+import org.bson.Document;
 import org.junit.Test;
 
 import com.google.common.collect.ImmutableMap;
@@ -653,4 +654,32 @@ public void getUserByRemoteIdWithMfa() throws Exception {
 		assertThat("incorrect is disabled", u.isDisabled(), is(false));
 		assertThat("incorrect is local", u.isLocal(), is(false));
 	}
+	
+	@Test
+	public void getUserWithNullMfaIdentity() throws Exception {
+		/* Tests backwards compatibility with old identities that don't have an MFA field
+		 * in the db.
+		 */
+		storage.createUser(NewUser.getBuilder(
+				new UserName("olduser"), UID, new DisplayName("Old User"), NOW, REMOTE_MFA_NULL)
+				.withEmailAddress(new EmailAddress("[email protected]"))
+				.build());
+		
+		// Remove the MFA field from the identity to simulate old database records
+		db.getCollection("users").updateOne(
+				new Document("user", "olduser"),
+				new Document("$unset", new Document("identities.0.mfa", "")));
+		
+		final AuthUser u = storage.getUser(REMOTE_MFA_NULL).get();
+		
+		// Should retrieve successfully with MFA defaulting to UNKNOWN
+		final RemoteIdentity expectedIdentity = new RemoteIdentity(
+				new RemoteIdentityID("orcid", "0000-0001-1234-0000"),
+				new RemoteIdentityDetails("orciduser3", "ORCID User 3", "[email protected]", MfaStatus.UNKNOWN));
+		
+		assertThat("incorrect identities", u.getIdentities(), is(set(expectedIdentity)));
+		assertThat("incorrect username", u.getUserName(), is(new UserName("olduser")));
+		assertThat("incorrect display name", u.getDisplayName(), is(new DisplayName("Old User")));
+		assertThat("incorrect email", u.getEmail(), is(new EmailAddress("[email protected]")));
+	}
 }