From 2cac589860f5820e247b9e56752c8545298bd76d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miroslav=20Bajto=C5=A1?=
Date: Thu, 23 Feb 2017 12:56:13 +0100
Subject: [PATCH] Fix access-token invalidation for missing relation

Fix the code invalidating access tokens on user email/password changes to correctly handle the case when the relation "AccessToken belongs to (subclassed) user" is not configured.
---
 common/models/user.js | 3 ++-
 test/user.test.js | 22 ++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/common/models/user.js b/common/models/user.js
index bf1715db..bcd08705 100644
--- a/common/models/user.js
+++ b/common/models/user.js
@@ -692,7 +692,8 @@ module.exports = function(User) {
 // add principalType in AccessToken.query if using polymorphic relations
 // between AccessToken and User
 var relatedUser = AccessToken.relations.user;
- var isRelationPolymorphic = relatedUser.polymorphic && !relatedUser.modelTo;
+ var isRelationPolymorphic = relatedUser && relatedUser.polymorphic &&
+ !relatedUser.modelTo;
 if (isRelationPolymorphic) {
 query.principalType = this.modelName;
 }
diff --git a/test/user.test.js b/test/user.test.js
index fdf63dc2..f9b7d5d7 100644
--- a/test/user.test.js
+++ b/test/user.test.js
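Review bot: In common/models/user.js the new guard makes a missing `AccessToken.relations.user` indistinguishable from a configured, non-polymorphic relation, and nothing next to the check says that this is intended. When the relation is absent, `query.principalType` is never set, so the invalidation query presumably matches on the user id alone; if several user models share one AccessToken store, tokens of another principal type with the same id could be matched as well. I would state the fallback beside the check, e.g. `// no "user" relation configured on AccessToken: tokens are matched by userId only`, so the next reader does not take it for an oversight. The enclosing function starts and ends outside the hunk, so how `query` is built and consumed is not visible here.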
@@ -2370,6 +2370,28 @@ describe('User', function() {
 });
 });
+ // See https://github.com/strongloop/loopback/issues/3215
+ it('handles subclassed user with no accessToken relation', () => {
+ // setup a new LoopBack app, we don't want to use shared models
+ app = loopback({localRegistry: true, loadBuiltinModels: true});
+ app.set('remoting', {errorHandler: {debug: true, log: false}});
+ app.dataSource('db', {connector: 'memory'});
+ const User = app.registry.createModel({
+ name: 'user',
+ base: 'User',
+ });
+ app.model(User, {dataSource: 'db'});
+ app.enableAuth({dataSource: 'db'});
+ expect(app.models.User.modelName).to.eql('user');
+
+ return User.create(validCredentials)
+ .then(u => {
+ u.email = 'updated@example.com';
+ return u.save();
+ // the test passes when save() does not throw any error
+ });
+ });
+
 function assertPreservedTokens(done) {
 AccessToken.find({where: {userId: user.pk}}, function(err, tokens) {
 if (err) return done(err);
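Review bot: The new test in test/user.test.js only shows that `save()` no longer throws; it does not check what happens to existing access tokens after the e-mail change when the relation is missing, which is the behaviour that protects a user after a credential change. Creating a token before the update and counting the user's tokens afterwards would pin that down (the expected count of 0 below is an assumption; adjust it if tokens are meant to be preserved in this configuration). The test also assigns the file-level `app` instead of a local variable, which may leak the new app into later tests unless a `beforeEach` outside the hunk resets it. The enclosing `describe` block starts and ends outside the hunk.

```javascript
// … unchanged: app and model setup, modelName expectation …
return User.create(validCredentials)
  .then(u => {
    // create a session first so there is a token to invalidate
    return User.login(validCredentials)
      .then(() => {
        u.email = 'updated@example.com';
        return u.save();
      })
      .then(() => app.models.AccessToken.count({userId: u.getId()}));
  })
  .then(count => {
    expect(count).to.equal(0);
  });
```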