OXDEV-9078 Fix resend cooldown and attempts on OTP page

TitaKoleva · TitaKoleva · commit 169941a5ff82 · 2026-04-09T17:38:11.000+03:00
diff --git a/assets/out/src/js/module/resend-otp.js b/assets/out/src/js/module/resend-otp.js
@@ -10,8 +10,6 @@ export class ResendOtp {
             submitButtonId = 'auth_submit',
             attemptsDisplayId = 'remaining-attempts',
             codeInputId = 'auth_code',
-            // todo-high: use attempts from resend request response
-            maxAttempts = 5,
         } = options;
 
         this.btn = button;
@@ -20,9 +18,7 @@ export class ResendOtp {
         this.attemptsDisplay = document.getElementById(attemptsDisplayId);
         this.codeInput = document.getElementById(codeInputId);
 
-        // todo-low: add admin setting for cooldown seconds
         this.cooldownSeconds = Number(button.dataset.cooldown || 60);
-        this.maxAttempts = maxAttempts;
         this.url = button.dataset.url;
         this.textDefault = button.dataset.textDefault;
         this.textSending = button.dataset.textSending;
@@ -55,16 +51,24 @@ export class ResendOtp {
                 headers: { 'Content-Type': 'application/json' }
             });
 
+            if (response.status === 429) {
+                const until = Date.now() + this.cooldownSeconds * 1000;
+                this.storeUntil(until);
+                this.startCooldown(until);
+                return;
+            }
+
             if (!response.ok) {
                 this.unlock();
+                this.setHint(this.textError);
                 return;
             }
 
+            const data = await response.json();
             const until = Date.now() + this.cooldownSeconds * 1000;
             this.storeUntil(until);
             this.startCooldown(until);
-
-            this.resetAttempts();
+            this.resetAttempts(data.remainingAttempts);
 
         } catch (e) {
             console.error(e);
@@ -73,9 +77,9 @@ export class ResendOtp {
         }
     }
 
-    resetAttempts() {
+    resetAttempts(count) {
         if (this.attemptsDisplay) {
-            this.attemptsDisplay.textContent = this.maxAttempts;
+            this.attemptsDisplay.textContent = count;
         }
         this.enableSubmit();
     }
@@ -143,8 +147,16 @@ export class ResendOtp {
     }
 
     restoreOnRefresh() {
-        const until = this.getStoredUntil();
-        if (until && until > Date.now()) {
+        const stored = this.getStoredUntil();
+        if (stored && stored > Date.now()) {
+            this.startCooldown(stored);
+            return;
+        }
+
+        const serverRemaining = Number(this.btn.dataset.cooldownRemaining || 0);
+        if (serverRemaining > 0) {
+            const until = Date.now() + serverRemaining * 1000;
+            this.storeUntil(until);
             this.startCooldown(until);
         }
     }
diff --git a/src/Authentication/TwoFactorAuth/Controller/TwoFactorAuthController.php b/src/Authentication/TwoFactorAuth/Controller/TwoFactorAuthController.php
@@ -11,7 +11,7 @@
 
 use OxidEsales\Eshop\Application\Controller\FrontendController;
 use OxidEsales\Eshop\Core\UtilsView;
-use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\InvalidCodeException;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\CodeValidationException;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\ResendCooldownException;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAResendableInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAServiceInterface;
@@ -47,7 +47,7 @@ public function handleOTP(): ?string
         try {
             $this->twoFAService->verify($userId, $code);
             $this->twoFAUserService->loginUser($userId);
-        } catch (InvalidCodeException $e) {
+        } catch (CodeValidationException $e) {
             $this->utilsView->addErrorToDisplay($e);
         }
 
@@ -64,15 +64,12 @@ public function resendCode(): void
         $userId = $this->twoFAUserService->getPendingUserId();
         try {
             $this->twoFAService->resend($userId);
-            $this->jsonResponse->send(['success' => true]);
+            $this->jsonResponse->send([
+                'success' => true,
+                'remainingAttempts' => $this->twoFAService->getRemainingAttempts($userId),
+            ]);
         } catch (ResendCooldownException) {
             $this->jsonResponse->send(['success' => false], 429);
         }
     }
-
-    public function render()
-    {
-        // todo-high: send attempts left for the user
-        return parent::render();
-    }
 }
diff --git a/src/Authentication/TwoFactorAuth/Factory/services.yaml b/src/Authentication/TwoFactorAuth/Factory/services.yaml
@@ -11,3 +11,4 @@ services:
 
   OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAServiceInterface:
     factory: ['@OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Factory\TwoFAServiceFactoryInterface', 'create']
+    public: true
diff --git a/src/Authentication/TwoFactorAuth/OTP/OtpFacade.php b/src/Authentication/TwoFactorAuth/OTP/OtpFacade.php
@@ -80,4 +80,9 @@ public function getRemainingAttempts(string $userId): int
 
         return max(0, $this->codeValidator->getMaxAttempts() - $attempts);
     }
+
+    public function getCooldownRemaining(string $userId): int
+    {
+        return $this->sendPolicy->getCooldownRemaining($userId);
+    }
 }
diff --git a/src/Authentication/TwoFactorAuth/OTP/Service/OtpSendPolicyService.php b/src/Authentication/TwoFactorAuth/OTP/Service/OtpSendPolicyService.php
@@ -23,20 +23,25 @@ public function __construct(
     }
 
     public function canSend(string $userId): bool
+    {
+        return $this->getCooldownRemaining($userId) === 0;
+    }
+
+    public function getCooldownRemaining(string $userId): int
     {
         $state = $this->stateRepository->findByUserId($userId);
 
         if ($state === null) {
-            return true;
+            return 0;
         }
 
         $lastSentAt = $state->getLastSentAt();
         if ($lastSentAt === null) {
-            return true;
+            return 0;
         }
 
         $elapsed = (new DateTimeImmutable())->getTimestamp() - $lastSentAt->getTimestamp();
 
-        return $elapsed >= self::RESEND_COOLDOWN_SECONDS;
+        return max(0, self::RESEND_COOLDOWN_SECONDS - $elapsed);
     }
 }
diff --git a/src/Authentication/TwoFactorAuth/OTP/Service/OtpSendPolicyServiceInterface.php b/src/Authentication/TwoFactorAuth/OTP/Service/OtpSendPolicyServiceInterface.php
@@ -10,4 +10,6 @@
 interface OtpSendPolicyServiceInterface
 {
     public function canSend(string $userId): bool;
+
+    public function getCooldownRemaining(string $userId): int;
 }
diff --git a/src/Authentication/TwoFactorAuth/Service/TwoFAResendableInterface.php b/src/Authentication/TwoFactorAuth/Service/TwoFAResendableInterface.php
@@ -17,4 +17,6 @@ interface TwoFAResendableInterface
     public function resend(string $userId): void;
 
     public function getRemainingAttempts(string $userId): int;
+
+    public function getCooldownRemaining(string $userId): int;
 }
diff --git a/src/Shared/Core/ViewConfig.php b/src/Shared/Core/ViewConfig.php
@@ -10,6 +10,9 @@
 namespace OxidEsales\SecurityModule\Shared\Core;
 
 use OxidEsales\SecurityModule\Authentication\OAuth2\Service\ProviderCollectorInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAResendableInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAServiceInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAUserServiceInterface;
 use OxidEsales\SecurityModule\Captcha\Captcha\Image\Service\ImageCaptchaService;
 use OxidEsales\SecurityModule\Captcha\Service\CaptchaServiceInterface;
 use OxidEsales\SecurityModule\PasswordPolicy\Service\ModuleSettingsServiceInterface as PasswordSettingsServiceInterface;
@@ -61,8 +64,24 @@ public function getActiveProviders(): iterable
 
     public function getRemainingAttempts(): int
     {
-        // todo-critical: implement
-        return 5;
+        $twoFAService = $this->getService(TwoFAServiceInterface::class);
+        if (!$twoFAService instanceof TwoFAResendableInterface) {
+            return 0;
+        }
+
+        $userId = $this->getService(TwoFAUserServiceInterface::class)->getPendingUserId();
+        return $twoFAService->getRemainingAttempts($userId);
+    }
+
+    public function getResendCooldownRemaining(): int
+    {
+        $twoFAService = $this->getService(TwoFAServiceInterface::class);
+        if (!$twoFAService instanceof TwoFAResendableInterface) {
+            return 0;
+        }
+
+        $userId = $this->getService(TwoFAUserServiceInterface::class)->getPendingUserId();
+        return $twoFAService->getCooldownRemaining($userId);
     }
 
     public function isExternalAuthUser(): bool
diff --git a/tests/Unit/Authentication/TwoFactorAuth/Controller/TwoFactorAuthControllerTest.php b/tests/Unit/Authentication/TwoFactorAuth/Controller/TwoFactorAuthControllerTest.php
@@ -87,11 +87,14 @@ public function resendCodeSendsSuccessResponse(): void
         $twoFAServiceSpy->expects($this->once())
             ->method('resend')
             ->with($userId);
+        $twoFAServiceSpy->method('getRemainingAttempts')
+            ->with($userId)
+            ->willReturn($remaining = 3);
 
         $jsonResponseSpy = $this->createMock(JsonResponseInterface::class);
         $jsonResponseSpy->expects($this->once())
             ->method('send')
-            ->with(['success' => true]);
+            ->with(['success' => true, 'remainingAttempts' => $remaining]);
 
         $this->getSut(
             twoFAService: $twoFAServiceSpy,
diff --git a/tests/Unit/Authentication/TwoFactorAuth/OTP/OtpFacadeTest.php b/tests/Unit/Authentication/TwoFactorAuth/OTP/OtpFacadeTest.php
@@ -260,6 +260,17 @@ public function getRemainingAttemptsSubtractsCurrentAttempts(): void
         $this->assertSame(2, $sut->getRemainingAttempts(uniqid()));
     }
 
+    #[Test]
+    public function getCooldownRemainingDelegatesToSendPolicy(): void
+    {
+        $sendPolicyMock = $this->createMock(OtpSendPolicyServiceInterface::class);
+        $sendPolicyMock->method('getCooldownRemaining')
+            ->with($userId = uniqid())
+            ->willReturn(42);
+
+        $this->assertSame(42, $this->getSut(sendPolicy: $sendPolicyMock)->getCooldownRemaining($userId));
+    }
+
     #[Test]
     public function getRemainingAttemptsReturnsZeroWhenAttemptsExceedMax(): void
     {
diff --git a/tests/Unit/Authentication/TwoFactorAuth/OTP/Service/OtpSendPolicyServiceTest.php b/tests/Unit/Authentication/TwoFactorAuth/OTP/Service/OtpSendPolicyServiceTest.php
@@ -92,6 +92,69 @@ public function canSendReturnsFalseWhenCooldownHasNotPassed(): void
         $this->assertFalse($sut->canSend($userId));
     }
 
+    #[Test]
+    public function getCooldownRemainingReturnsZeroWhenNoStateExists(): void
+    {
+        $userId = uniqid();
+
+        $repositoryMock = $this->createMock(OtpChallengeStateRepositoryInterface::class);
+        $repositoryMock->method('findByUserId')
+            ->with($userId)
+            ->willReturn(null);
+
+        $this->assertSame(0, $this->getSut(stateRepository: $repositoryMock)->getCooldownRemaining($userId));
+    }
+
+    #[Test]
+    public function getCooldownRemainingReturnsZeroWhenLastSentAtIsNull(): void
+    {
+        $userId = uniqid();
+
+        $stateStub = $this->createStub(OtpChallengeStateInterface::class);
+        $stateStub->method('getLastSentAt')->willReturn(null);
+
+        $repositoryMock = $this->createMock(OtpChallengeStateRepositoryInterface::class);
+        $repositoryMock->method('findByUserId')
+            ->with($userId)
+            ->willReturn($stateStub);
+
+        $this->assertSame(0, $this->getSut(stateRepository: $repositoryMock)->getCooldownRemaining($userId));
+    }
+
+    #[Test]
+    public function getCooldownRemainingReturnsZeroWhenCooldownHasPassed(): void
+    {
+        $userId = uniqid();
+
+        $stateStub = $this->createStub(OtpChallengeStateInterface::class);
+        $stateStub->method('getLastSentAt')->willReturn(new DateTimeImmutable('-61 seconds'));
+
+        $repositoryMock = $this->createMock(OtpChallengeStateRepositoryInterface::class);
+        $repositoryMock->method('findByUserId')
+            ->with($userId)
+            ->willReturn($stateStub);
+
+        $this->assertSame(0, $this->getSut(stateRepository: $repositoryMock)->getCooldownRemaining($userId));
+    }
+
+    #[Test]
+    public function getCooldownRemainingReturnsRemainingSecondsWhenCooldownIsActive(): void
+    {
+        $userId = uniqid();
+
+        $stateStub = $this->createStub(OtpChallengeStateInterface::class);
+        $stateStub->method('getLastSentAt')->willReturn(new DateTimeImmutable('-30 seconds'));
+
+        $repositoryMock = $this->createMock(OtpChallengeStateRepositoryInterface::class);
+        $repositoryMock->method('findByUserId')
+            ->with($userId)
+            ->willReturn($stateStub);
+
+        $sut = $this->getSut(stateRepository: $repositoryMock);
+
+        $this->assertEqualsWithDelta(30, $sut->getCooldownRemaining($userId), 1);
+    }
+
     private function getSut(
         OtpChallengeStateRepositoryInterface $stateRepository = null,
     ): OtpSendPolicyServiceInterface {
diff --git a/views/twig/templates/two_factor_auth.html.twig b/views/twig/templates/two_factor_auth.html.twig
@@ -45,6 +45,7 @@
                                             class="btn btn-link btn-sm px-0"
                                             type="button"
                                             data-cooldown="60"
+                                            data-cooldown-remaining="{{ oViewConf.getResendCooldownRemaining() }}"
                                             data-url="{{ seo_url({ ident: oViewConf.getSelfLink()|cat("cl=twofactorauth&fnc=resendCode") }) }}"
                                             data-text-default="{{ translate({ ident: "RESEND_CODE" }) }}"
                                             data-text-sending="{{ translate({ ident: "RESEND_CODE_SENDING" }) }}"

Original file line number	Diff line number	Diff line change
`@@ -11,3 +11,4 @@ services:`
`11`	`11`
`12`	`12`	`OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAServiceInterface:`
`13`	`13`	`factory: ['@OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Factory\TwoFAServiceFactoryInterface', 'create']`
	`14`	`+ public: true`
Original file line number	Diff line number	Diff line change
`@@ -80,4 +80,9 @@ public function getRemainingAttempts(string $userId): int`
`80`	`80`
`81`	`81`	`return max(0, $this->codeValidator->getMaxAttempts() - $attempts);`
`82`	`82`	`}`
	`83`	`+`
	`84`	`+ public function getCooldownRemaining(string $userId): int`
	`85`	`+ {`
	`86`	`+ return $this->sendPolicy->getCooldownRemaining($userId);`
	`87`	`+ }`
`83`	`88`	`}`
Original file line number	Diff line number	Diff line change
`@@ -23,20 +23,25 @@ public function __construct(`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`public function canSend(string $userId): bool`
	`26`	`+ {`
	`27`	`+ return $this->getCooldownRemaining($userId) === 0;`
	`28`	`+ }`
	`29`	`+`
	`30`	`+ public function getCooldownRemaining(string $userId): int`
`26`	`31`	`{`
`27`	`32`	`$state = $this->stateRepository->findByUserId($userId);`
`28`	`33`
`29`	`34`	`if ($state === null) {`
`30`		`- return true;`
	`35`	`+ return 0;`
`31`	`36`	`}`
`32`	`37`
`33`	`38`	`$lastSentAt = $state->getLastSentAt();`
`34`	`39`	`if ($lastSentAt === null) {`
`35`		`- return true;`
	`40`	`+ return 0;`
`36`	`41`	`}`
`37`	`42`
`38`	`43`	`$elapsed = (new DateTimeImmutable())->getTimestamp() - $lastSentAt->getTimestamp();`
`39`	`44`
`40`		`- return $elapsed >= self::RESEND_COOLDOWN_SECONDS;`
	`45`	`+ return max(0, self::RESEND_COOLDOWN_SECONDS - $elapsed);`
`41`	`46`	`}`
`42`	`47`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,4 +10,6 @@`
`10`	`10`	`interface OtpSendPolicyServiceInterface`
`11`	`11`	`{`
`12`	`12`	`public function canSend(string $userId): bool;`
	`13`	`+`
	`14`	`+ public function getCooldownRemaining(string $userId): int;`
`13`	`15`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,4 +17,6 @@ interface TwoFAResendableInterface`
`17`	`17`	`public function resend(string $userId): void;`
`18`	`18`
`19`	`19`	`public function getRemainingAttempts(string $userId): int;`
	`20`	`+`
	`21`	`+ public function getCooldownRemaining(string $userId): int;`
`20`	`22`	`}`