Merge branch 'b-7.2.x-password_change_token_invalidation-OXDEV-8407' into b-7.2.x

TitaKoleva · TitaKoleva · commit 6a4b8f028605 · 2024-10-17T18:58:36.000+03:00
diff --git a/CHANGELOG-v10.md b/CHANGELOG-v10.md
@@ -26,5 +26,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - New configuration options:
     - `sRefreshTokenLifetime` - options for refresh token lifetime, from 24 hours to 90 days
     - `sFingerprintCookieMode` - option for the authentication fingerprint cookie mode, same or cross origin
+- Access and refresh tokens are now invalidated when the user's password is changed
+  - New methods:
+    - `OxidEsales\GraphQL\Base\Infrastructure\RefreshTokenRepositoryInterface::invalidateUserTokens`
+    - `OxidEsales\GraphQL\Base\Infrastructure\Token::invalidateUserTokens`
+  - New event subscriber:
+    - `OxidEsales\GraphQL\Base\Event\Subscriber\PasswordChangeSubscriber`
+
+## Changed
+- Renamed OxidEsales\GraphQL\Base\Infrastructure\Token::cleanUpTokens() to deleteOrphanedTokens()
 
 [10.0.0]: https://github.com/OXID-eSales/graphql-base-module/compare/v9.0.0...b-7.2.x
diff --git a/services.yaml b/services.yaml
@@ -80,6 +80,9 @@ services:
   OxidEsales\GraphQL\Base\Service\FingerprintServiceInterface:
     class: OxidEsales\GraphQL\Base\Service\FingerprintService
 
+  OxidEsales\GraphQL\Base\Service\UserModelService:
+    class: OxidEsales\GraphQL\Base\Service\UserModelService
+
   OxidEsales\GraphQL\Base\Controller\:
     resource: 'src/Controller/'
     public: true
@@ -107,6 +110,10 @@ services:
     class: OxidEsales\GraphQL\Base\Event\Subscriber\UserDeleteSubscriber
     tags: [ 'kernel.event_subscriber' ]
 
+  OxidEsales\GraphQL\Base\Event\Subscriber\PasswordChangeSubscriber:
+    class: OxidEsales\GraphQL\Base\Event\Subscriber\PasswordChangeSubscriber
+    tags: [ 'kernel.event_subscriber' ]
+
   OxidEsales\GraphQL\Base\Event\Subscriber\BeforeTokenCreationSubscriber:
     tags: [ 'kernel.event_subscriber' ]
 
diff --git a/src/Controller/Login.php b/src/Controller/Login.php
@@ -9,9 +9,8 @@
 
 namespace OxidEsales\GraphQL\Base\Controller;
 
-use OxidEsales\GraphQL\Base\DataType\Login as LoginDatatype;
+use OxidEsales\GraphQL\Base\DataType\LoginInterface;
 use OxidEsales\GraphQL\Base\Service\LoginServiceInterface;
-use OxidEsales\GraphQL\Base\Service\RefreshTokenServiceInterface;
 use OxidEsales\GraphQL\Base\Service\Token;
 use TheCodingMachine\GraphQLite\Annotations\Query;
 
@@ -20,7 +19,6 @@ class Login
     public function __construct(
         protected Token $tokenService,
         protected LoginServiceInterface $loginService,
-        protected RefreshTokenServiceInterface $refreshTokenService,
     ) {
     }
 
@@ -44,13 +42,8 @@ public function token(?string $username = null, ?string $password = null): strin
      *
      * @Query
      */
-    public function login(?string $username = null, ?string $password = null): LoginDatatype
+    public function login(?string $username = null, ?string $password = null): LoginInterface
     {
-        $user = $this->loginService->login($username, $password);
-
-        return new LoginDatatype(
-            refreshToken: $this->refreshTokenService->createRefreshTokenForUser($user),
-            accessToken: $this->tokenService->createTokenForUser($user),
-        );
+        return $this->loginService->login($username, $password);
     }
 }
diff --git a/src/DataType/LoginInterface.php b/src/DataType/LoginInterface.php
@@ -9,9 +9,15 @@
 
 namespace OxidEsales\GraphQL\Base\DataType;
 
+use TheCodingMachine\GraphQLite\Annotations\Field;
+use TheCodingMachine\GraphQLite\Annotations\Type;
+
+#[Type]
 interface LoginInterface
 {
+    #[Field]
     public function refreshToken(): string;
 
+    #[Field]
     public function accessToken(): string;
 }
diff --git a/src/Event/Subscriber/PasswordChangeSubscriber.php b/src/Event/Subscriber/PasswordChangeSubscriber.php
@@ -0,0 +1,103 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\GraphQL\Base\Event\Subscriber;
+
+use OxidEsales\Eshop\Application\Model\User;
+use OxidEsales\EshopCommunity\Internal\Transition\ShopEvents\AfterModelUpdateEvent;
+use OxidEsales\EshopCommunity\Internal\Transition\ShopEvents\BeforeModelUpdateEvent;
+use OxidEsales\GraphQL\Base\Infrastructure\RefreshTokenRepositoryInterface;
+use OxidEsales\GraphQL\Base\Infrastructure\Token;
+use OxidEsales\GraphQL\Base\Service\UserModelService;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Contracts\EventDispatcher\Event;
+
+class PasswordChangeSubscriber implements EventSubscriberInterface
+{
+    /**
+     * Whether the password had been changed.
+     *
+     * @var array
+     */
+    protected array $userIdWithChangedPwd = [];
+
+    public function __construct(
+        private readonly UserModelService $userModelService,
+        private readonly RefreshTokenRepositoryInterface $refreshTokenRepository,
+        private readonly Token $tokenInfrastructure
+    ) {
+    }
+
+    /**
+     * Handle ApplicationModelChangedEvent.
+     *
+     * @param Event $event Event to be handled
+     */
+    public function handleBeforeUpdate(Event $event): void
+    {
+        /** @phpstan-ignore-next-line method.notFound */
+        $model = $event->getModel();
+
+        if (!$model instanceof User) {
+            return;
+        }
+
+        $newPassword = $model->getFieldData('oxpassword');
+        if (!$this->userModelService->isPasswordChanged($model->getId(), $newPassword)) {
+            return;
+        }
+
+        $this->userIdWithChangedPwd[$model->getId()] = true;
+    }
+
+    /**
+     * Handle ApplicationModelChangedEvent.
+     *
+     * @param Event $event Event to be handled
+     */
+    public function handleAfterUpdate(Event $event): void
+    {
+        /** @phpstan-ignore-next-line method.notFound */
+        $model = $event->getModel();
+
+        if (!$model instanceof User || !isset($this->userIdWithChangedPwd[$model->getId()])) {
+            return;
+        }
+
+        $this->refreshTokenRepository->invalidateUserTokens($model->getId());
+        $this->tokenInfrastructure->invalidateUserTokens($model->getId());
+        unset($this->userIdWithChangedPwd[$model->getId()]);
+    }
+
+    /**
+     * Returns an array of event names this subscriber wants to listen to.
+     *
+     * The array keys are event names and the value can be:
+     *
+     *  * The method name to call (priority defaults to 0)
+     *  * An array composed of the method name to call and the priority
+     *  * An array of arrays composed of the method names to call and respective
+     *    priorities, or 0 if unset
+     *
+     * For instance:
+     *
+     *  * array('eventName' => 'methodName')
+     *  * array('eventName' => array('methodName', $priority))
+     *  * array('eventName' => array(array('methodName1', $priority), array('methodName2')))
+     *
+     * @return array<class-string,string>
+     */
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            BeforeModelUpdateEvent::class => 'handleBeforeUpdate',
+            AfterModelUpdateEvent::class => 'handleAfterUpdate'
+        ];
+    }
+}
diff --git a/src/Event/Subscriber/UserDeleteSubscriber.php b/src/Event/Subscriber/UserDeleteSubscriber.php
@@ -35,7 +35,7 @@ public function handle(Event $event): Event
             return $event;
         }
 
-        $this->tokenInfrastructure->cleanUpTokens();
+        $this->tokenInfrastructure->deleteOrphanedTokens();
 
         return $event;
     }
diff --git a/src/Infrastructure/RefreshTokenRepository.php b/src/Infrastructure/RefreshTokenRepository.php
@@ -87,4 +87,17 @@ public function getTokenUser(string $refreshToken): UserInterface
 
         return new UserDataType($userModel, $isAnonymous);
     }
+
+    public function invalidateUserTokens(string $userId): void
+    {
+        $queryBuilder = $this->queryBuilderFactory->create()
+            ->update('oegraphqlrefreshtoken')
+            ->where('OXUSERID = :userId')
+            ->set('EXPIRES_AT', 'NOW()')
+            ->setParameters([
+                'userId' => $userId,
+            ]);
+
+        $queryBuilder->execute();
+    }
 }
diff --git a/src/Infrastructure/RefreshTokenRepositoryInterface.php b/src/Infrastructure/RefreshTokenRepositoryInterface.php
@@ -24,4 +24,6 @@ public function removeExpiredTokens(): void;
      * @throws InvalidRefreshToken
      */
     public function getTokenUser(string $refreshToken): UserInterface;
+
+    public function invalidateUserTokens(string $user): void;
 }
diff --git a/src/Infrastructure/Token.php b/src/Infrastructure/Token.php
@@ -62,7 +62,7 @@ public function removeExpiredTokens(UserInterface $user): void
         $queryBuilder->execute();
     }
 
-    public function cleanUpTokens(): void
+    public function deleteOrphanedTokens(): void
     {
         /** @var \Doctrine\DBAL\Driver\Statement $execute */
         $execute = $this->queryBuilderFactory->create()
@@ -155,4 +155,17 @@ public function userHasToken(UserInterface $user, string $tokenId): bool
 
         return false;
     }
+
+    public function invalidateUserTokens(string $userId): void
+    {
+        $queryBuilder = $this->queryBuilderFactory->create()
+            ->update('oegraphqltoken')
+            ->where('OXUSERID = :userId')
+            ->set('EXPIRES_AT', 'NOW()')
+            ->setParameters([
+                'userId' => $userId,
+            ]);
+
+        $queryBuilder->execute();
+    }
 }
diff --git a/src/Service/LoginService.php b/src/Service/LoginService.php
@@ -9,7 +9,8 @@
 
 namespace OxidEsales\GraphQL\Base\Service;
 
-use OxidEsales\GraphQL\Base\DataType\UserInterface;
+use OxidEsales\GraphQL\Base\DataType\Login as LoginDatatype;
+use OxidEsales\GraphQL\Base\DataType\LoginInterface;
 use OxidEsales\GraphQL\Base\Infrastructure\Legacy;
 
 /**
@@ -19,11 +20,18 @@ class LoginService implements LoginServiceInterface
 {
     public function __construct(
         private readonly Legacy $legacyInfrastructure,
+        protected Token $tokenService,
+        protected RefreshTokenServiceInterface $refreshTokenService,
     ) {
     }
 
-    public function login(?string $userName, ?string $password): UserInterface
+    public function login(?string $userName, ?string $password): LoginInterface
     {
-        return $this->legacyInfrastructure->login($userName, $password);
+        $user = $this->legacyInfrastructure->login($userName, $password);
+
+        return new LoginDatatype(
+            refreshToken: $this->refreshTokenService->createRefreshTokenForUser($user),
+            accessToken: $this->tokenService->createTokenForUser($user),
+        );
     }
 }
diff --git a/src/Service/LoginServiceInterface.php b/src/Service/LoginServiceInterface.php
@@ -9,12 +9,12 @@
 
 namespace OxidEsales\GraphQL\Base\Service;
 
-use OxidEsales\GraphQL\Base\DataType\UserInterface;
+use OxidEsales\GraphQL\Base\DataType\LoginInterface;
 
 /**
  * User login service
  */
 interface LoginServiceInterface
 {
-    public function login(?string $userName, ?string $password): UserInterface;
+    public function login(?string $userName, ?string $password): LoginInterface;
 }
diff --git a/src/Service/Token.php b/src/Service/Token.php
@@ -11,7 +11,6 @@
 
 use DateTimeImmutable;
 use Lcobucci\JWT\UnencryptedToken;
-use OxidEsales\GraphQL\Base\DataType\User as UserDataType;
 use OxidEsales\GraphQL\Base\DataType\UserInterface;
 use OxidEsales\GraphQL\Base\Event\BeforeTokenCreation;
 use OxidEsales\GraphQL\Base\Exception\InvalidLogin;
diff --git a/src/Service/UserModelService.php b/src/Service/UserModelService.php
@@ -0,0 +1,34 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\GraphQL\Base\Service;
+
+use OxidEsales\GraphQL\Base\Infrastructure\Legacy;
+
+/**
+ * User model service
+ */
+class UserModelService
+{
+    public function __construct(
+        private readonly Legacy $legacyInfrastructure,
+    ) {
+    }
+
+    public function isPasswordChanged(string $userId, ?string $passwordNew): bool
+    {
+        $userModel = $this->legacyInfrastructure->getUserModel($userId);
+        $currentPassword = $userModel->getFieldData('oxpassword');
+        if (!$passwordNew || !$currentPassword) {
+            return false;
+        }
+
+        return $currentPassword !== $passwordNew;
+    }
+}
diff --git a/tests/Integration/Infrastructure/RefreshTokenRepositoryTest.php b/tests/Integration/Infrastructure/RefreshTokenRepositoryTest.php
@@ -10,10 +10,11 @@
 namespace OxidEsales\GraphQL\Base\Tests\Integration\Infrastructure;
 
 use DateTime;
+use DateTimeImmutable;
 use Doctrine\DBAL\Connection;
 use OxidEsales\EshopCommunity\Internal\Framework\Database\ConnectionProviderInterface;
+use OxidEsales\GraphQL\Base\DataType\UserInterface;
 use OxidEsales\GraphQL\Base\Exception\InvalidRefreshToken;
-use OxidEsales\GraphQL\Base\Exception\InvalidToken;
 use OxidEsales\GraphQL\Base\Infrastructure\RefreshTokenRepository;
 use OxidEsales\GraphQL\Base\Infrastructure\RefreshTokenRepositoryInterface;
 use OxidEsales\GraphQL\Base\Tests\Integration\TestCase;
@@ -138,6 +139,39 @@ public function testGetTokenUserExplodesOnWrongToken(): void
         $sut->getTokenUser(uniqid());
     }
 
+    public function testInvalidateRefreshTokens(): void
+    {
+        $expires = new DateTimeImmutable('+8 hours');
+        $this->addToken(
+            oxid: 'pwd_change_token',
+            expires: $expires->format('Y-m-d H:i:s'),
+            userId: $userId = '_testUser',
+            token: $token = uniqid(),
+        );
+
+        $sut = $this->getSut();
+        $sut->invalidateUserTokens($userId);
+
+        $this->expectException(InvalidRefreshToken::class);
+        $sut->getTokenUser($token);
+    }
+
+    public function testInvalidateRefreshTokensWrongUserId(): void
+    {
+        $expires = new DateTimeImmutable('+8 hours');
+        $this->addToken(
+            oxid: 'pwd_change_token',
+            expires: $expires->format('Y-m-d H:i:s'),
+            userId: '_testUser',
+            token: $token = uniqid(),
+        );
+
+        $sut = $this->getSut();
+        $sut->invalidateUserTokens('some_user_id');
+
+        $this->assertTrue($sut->getTokenUser($token) instanceof UserInterface);
+    }
+
     private function getDbConnection(): Connection
     {
         return $this->get(ConnectionProviderInterface::class)->get();
diff --git a/tests/Integration/Infrastructure/TokenTest.php b/tests/Integration/Infrastructure/TokenTest.php
diff --git a/tests/Unit/Controller/LoginTest.php b/tests/Unit/Controller/LoginTest.php
diff --git a/tests/Unit/Event/Subscriber/PasswordChangeSubscriberTest.php b/tests/Unit/Event/Subscriber/PasswordChangeSubscriberTest.php
diff --git a/tests/Unit/Service/LoginServiceTest.php b/tests/Unit/Service/LoginServiceTest.php
diff --git a/tests/Unit/Service/UserModelServiceTest.php b/tests/Unit/Service/UserModelServiceTest.php

Original file line number	Diff line number	Diff line change
`@@ -9,9 +9,8 @@`
`9`	`9`
`10`	`10`	`namespace OxidEsales\GraphQL\Base\Controller;`
`11`	`11`
`12`		`-use OxidEsales\GraphQL\Base\DataType\Login as LoginDatatype;`
	`12`	`+use OxidEsales\GraphQL\Base\DataType\LoginInterface;`
`13`	`13`	`use OxidEsales\GraphQL\Base\Service\LoginServiceInterface;`
`14`		`-use OxidEsales\GraphQL\Base\Service\RefreshTokenServiceInterface;`
`15`	`14`	`use OxidEsales\GraphQL\Base\Service\Token;`
`16`	`15`	`use TheCodingMachine\GraphQLite\Annotations\Query;`
`17`	`16`
`@@ -20,7 +19,6 @@ class Login`
`20`	`19`	`public function __construct(`
`21`	`20`	`protected Token $tokenService,`
`22`	`21`	`protected LoginServiceInterface $loginService,`
`23`		`- protected RefreshTokenServiceInterface $refreshTokenService,`
`24`	`22`	`) {`
`25`	`23`	`}`
`26`	`24`
`@@ -44,13 +42,8 @@ public function token(?string $username = null, ?string $password = null): strin`
`44`	`42`	`*`
`45`	`43`	`* @Query`
`46`	`44`	`*/`
`47`		`- public function login(?string $username = null, ?string $password = null): LoginDatatype`
	`45`	`+ public function login(?string $username = null, ?string $password = null): LoginInterface`
`48`	`46`	`{`
`49`		`- $user = $this->loginService->login($username, $password);`
`50`		`-`
`51`		`- return new LoginDatatype(`
`52`		`- refreshToken: $this->refreshTokenService->createRefreshTokenForUser($user),`
`53`		`- accessToken: $this->tokenService->createTokenForUser($user),`
`54`		`- );`
	`47`	`+ return $this->loginService->login($username, $password);`
`55`	`48`	`}`
`56`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,9 +9,15 @@`
`9`	`9`
`10`	`10`	`namespace OxidEsales\GraphQL\Base\DataType;`
`11`	`11`
	`12`	`+use TheCodingMachine\GraphQLite\Annotations\Field;`
	`13`	`+use TheCodingMachine\GraphQLite\Annotations\Type;`
	`14`	`+`
	`15`	`+#[Type]`
`12`	`16`	`interface LoginInterface`
`13`	`17`	`{`
	`18`	`+ #[Field]`
`14`	`19`	`public function refreshToken(): string;`
`15`	`20`
	`21`	`+ #[Field]`
`16`	`22`	`public function accessToken(): string;`
`17`	`23`	`}`
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ public function handle(Event $event): Event`
`35`	`35`	`return $event;`
`36`	`36`	`}`
`37`	`37`
`38`		`- $this->tokenInfrastructure->cleanUpTokens();`
	`38`	`+ $this->tokenInfrastructure->deleteOrphanedTokens();`
`39`	`39`
`40`	`40`	`return $event;`
`41`	`41`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,4 +24,6 @@ public function removeExpiredTokens(): void;`
`24`	`24`	`* @throws InvalidRefreshToken`
`25`	`25`	`*/`
`26`	`26`	`public function getTokenUser(string $refreshToken): UserInterface;`
	`27`	`+`
	`28`	`+ public function invalidateUserTokens(string $user): void;`
`27`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ public function removeExpiredTokens(UserInterface $user): void`
`62`	`62`	`$queryBuilder->execute();`
`63`	`63`	`}`
`64`	`64`
`65`		`- public function cleanUpTokens(): void`
	`65`	`+ public function deleteOrphanedTokens(): void`
`66`	`66`	`{`
`67`	`67`	`/** @var \Doctrine\DBAL\Driver\Statement $execute */`
`68`	`68`	`$execute = $this->queryBuilderFactory->create()`
`@@ -155,4 +155,17 @@ public function userHasToken(UserInterface $user, string $tokenId): bool`
`155`	`155`
`156`	`156`	`return false;`
`157`	`157`	`}`
	`158`	`+`
	`159`	`+ public function invalidateUserTokens(string $userId): void`
	`160`	`+ {`
	`161`	`+ $queryBuilder = $this->queryBuilderFactory->create()`
	`162`	`+ ->update('oegraphqltoken')`
	`163`	`+ ->where('OXUSERID = :userId')`
	`164`	`+ ->set('EXPIRES_AT', 'NOW()')`
	`165`	`+ ->setParameters([`
	`166`	`+ 'userId' => $userId,`
	`167`	`+ ]);`
	`168`	`+`
	`169`	`+ $queryBuilder->execute();`
	`170`	`+ }`
`158`	`171`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,8 @@`
`9`	`9`
`10`	`10`	`namespace OxidEsales\GraphQL\Base\Service;`
`11`	`11`
`12`		`-use OxidEsales\GraphQL\Base\DataType\UserInterface;`
	`12`	`+use OxidEsales\GraphQL\Base\DataType\Login as LoginDatatype;`
	`13`	`+use OxidEsales\GraphQL\Base\DataType\LoginInterface;`
`13`	`14`	`use OxidEsales\GraphQL\Base\Infrastructure\Legacy;`
`14`	`15`
`15`	`16`	`/**`
`@@ -19,11 +20,18 @@ class LoginService implements LoginServiceInterface`
`19`	`20`	`{`
`20`	`21`	`public function __construct(`
`21`	`22`	`private readonly Legacy $legacyInfrastructure,`
	`23`	`+ protected Token $tokenService,`
	`24`	`+ protected RefreshTokenServiceInterface $refreshTokenService,`
`22`	`25`	`) {`
`23`	`26`	`}`
`24`	`27`
`25`		`- public function login(?string $userName, ?string $password): UserInterface`
	`28`	`+ public function login(?string $userName, ?string $password): LoginInterface`
`26`	`29`	`{`
`27`		`- return $this->legacyInfrastructure->login($userName, $password);`
	`30`	`+ $user = $this->legacyInfrastructure->login($userName, $password);`
	`31`	`+`
	`32`	`+ return new LoginDatatype(`
	`33`	`+ refreshToken: $this->refreshTokenService->createRefreshTokenForUser($user),`
	`34`	`+ accessToken: $this->tokenService->createTokenForUser($user),`
	`35`	`+ );`
`28`	`36`	`}`
`29`	`37`	`}`