OXDEV-9992 Finalize generate otp code process and add exceptions

TitaKoleva · TitaKoleva · commit 1daefc7a0e1b · 2026-01-12T20:11:45.000+02:00
diff --git a/src/Authentication/TwoFactorAuth/Controller/TwoFactorAuthController.php b/src/Authentication/TwoFactorAuth/Controller/TwoFactorAuthController.php
@@ -40,13 +40,4 @@ public function handleOTP(): void
             Registry::getUtilsView()->addErrorToDisplay($e->getMessage());
         }
     }
-
-    public function generate(): void
-    {
-        //todo: stop execution if not ajax
-        //todo: prevent spam by rate limiting
-        //todo: should return json response with success or error message
-        $authorizeService = $this->getService(AuthorizeServiceInterface::class);
-        $authorizeService->generate();
-    }
 }
diff --git a/src/Authentication/TwoFactorAuth/Exception/UserNotFoundException.php b/src/Authentication/TwoFactorAuth/Exception/UserNotFoundException.php
@@ -0,0 +1,14 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception;
+
+class UserNotFoundException extends \Exception
+{
+}
diff --git a/src/Authentication/TwoFactorAuth/Infrastructure/Repository/UserRepository.php b/src/Authentication/TwoFactorAuth/Infrastructure/Repository/UserRepository.php
@@ -13,8 +13,8 @@
 use Doctrine\DBAL\Result;
 use OxidEsales\EshopCommunity\Internal\Framework\Database\QueryBuilderFactoryInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\DTO\User as UserDTO;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\UserNotFoundException;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Factory\UserFactoryInterface;
-use RuntimeException;
 
 class UserRepository implements UserRepositoryInterface
 {
@@ -26,7 +26,6 @@ public function __construct(
 
     public function getUserOTPData(string $userName): UserDTO
     {
-        //todo: exception if not found
         $builder = $this->queryBuilderFactory->create();
         $builder->select([
                 'OXID',
@@ -42,8 +41,7 @@ public function getUserOTPData(string $userName): UserDTO
         $queryResult = $builder->execute();
         $userData = $queryResult->fetchAssociative();
         if (!$userData) {
-            //todo: throw correct exception
-            throw new RuntimeException('User not found');
+            throw new UserNotFoundException();
         }
 
         return new UserDTO(
@@ -90,7 +88,7 @@ public function resetCodeFields(string $userId): void
         $userModel->save();
     }
 
-    public function getUserPasswordHash(string $userName): string
+    public function getUserPasswordHash(string $userName): ?string
     {
         $builder = $this->queryBuilderFactory->create();
         $builder->select('OXPASSWORD')
@@ -100,6 +98,8 @@ public function getUserPasswordHash(string $userName): string
 
         /** @var Result $queryResult */
         $queryResult = $builder->execute();
-        return $queryResult->fetchOne();
+        $userPass = $queryResult->fetchOne();
+
+        return $userPass ?: null;
     }
 }
diff --git a/src/Authentication/TwoFactorAuth/Infrastructure/Repository/UserRepositoryInterface.php b/src/Authentication/TwoFactorAuth/Infrastructure/Repository/UserRepositoryInterface.php
@@ -20,5 +20,5 @@ public function resetCodeFields(string $userId): void;
 
     public function addOTPtoUser(string $userId, string $otp, DateTime $expiresAt): bool;
 
-    public function getUserPasswordHash(string $userId): string;
+    public function getUserPasswordHash(string $userId): ?string;
 }
diff --git a/src/Authentication/TwoFactorAuth/Service/UserService.php b/src/Authentication/TwoFactorAuth/Service/UserService.php
@@ -9,7 +9,8 @@
 
 namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service;
 
-use OxidEsales\Eshop\Core\Registry;
+use OxidEsales\Eshop\Core\Request;
+use OxidEsales\Eshop\Core\Utils;
 use OxidEsales\EshopCommunity\Internal\Domain\Authentication\Bridge\PasswordServiceBridgeInterface;
 use OxidEsales\EshopCommunity\Internal\Framework\Session\SessionInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Repository\UserRepositoryInterface;
@@ -20,7 +21,9 @@ public function __construct(
         private AuthorizeServiceInterface $authorizeService,
         private UserRepositoryInterface $userRepository,
         private PasswordServiceBridgeInterface $pwdServiceBridge,
-        private SessionInterface $session
+        private SessionInterface $session,
+        private Request $request,
+        private Utils $utils,
     ) {
     }
 
@@ -29,21 +32,27 @@ public function handleLogin(string $userName): void
         $this->session->set(AuthorizeService::USER_SESSION_KEY, $userName);
         $this->session->set(
             AuthorizeService::OTP_TARGET_URL,
-            //todo: bind registry
-            Registry::getRequest()->getRequestUrl()
+            $this->request->getRequestUrl()
         );
 
+        //todo: prevent spam by rate limiting
         $this->authorizeService->generate();
 
-        //todo: return full url
         $redirectUrl = $this->authorizeService->getVerificationUrl();
-        Registry::getUtils()->redirect(Registry::getConfig()->getShopHomeUrl() . 'cl=' . $redirectUrl);
+        $this->utils->redirect($redirectUrl);
     }
 
     public function checkPassword(string $userName, string $password): bool
     {
-        //todo: got exception if user not found
-        $userPasswordHash = $this->userRepository->getUserPasswordHash($userName);
+        try {
+            $userPasswordHash = $this->userRepository->getUserPasswordHash($userName);
+        } catch (\Throwable $e) {
+            return false;
+        }
+
+        if ($userPasswordHash === null) {
+            return false;
+        }
 
         return $this->pwdServiceBridge
             ->verifyPassword($password, $userPasswordHash);
diff --git a/src/Authentication/TwoFactorAuth/Service/Verificator/OTP/OTPVerificator.php b/src/Authentication/TwoFactorAuth/Service/Verificator/OTP/OTPVerificator.php
@@ -9,7 +9,7 @@
 
 namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\Verificator\OTP;
 
-use OxidEsales\Eshop\Core\Registry;
+use OxidEsales\Eshop\Core\Config;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\InvalidCodeException;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Repository\UserRepositoryInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\Verificator\OTP\Generator\OTPGeneratorInterface;
@@ -22,6 +22,7 @@ public function __construct(
         private OTPGeneratorInterface $otpGenerator,
         private OTPValidatorInterface $otpValidator,
         private UserRepositoryInterface $userRepository,
+        private Config $config,
     ) {
     }
 
@@ -50,10 +51,7 @@ public function validateCode(string $userName, string $inputCode): void
 
     public function generate(string $userName): string
     {
-        //todo: userId from parameter or DTO
         $otpData = $this->userRepository->getUserOTPData($userName);
-
-        //todo: stop if user not found?
         //todo: wait time between generations, in case of abuse like
         //spamming the generate button or
         //user hit limit and try to generate new code to bypass it
@@ -63,6 +61,6 @@ public function generate(string $userName): string
 
     public function getVerificationUrl(): string
     {
-        return 'twofactorauth';
+        return $this->config->getShopHomeUrl() . 'cl=twofactorauth';
     }
 }
diff --git a/src/Authentication/TwoFactorAuth/Service/Verificator/services.yaml b/src/Authentication/TwoFactorAuth/Service/Verificator/services.yaml
@@ -5,6 +5,8 @@ services:
   _defaults:
     autowire: true
     public: false
+    bind:
+      OxidEsales\Eshop\Core\Config: '@=service("OxidEsales\\SecurityModule\\Core\\Registry").getConfig()'
 
   OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\Verificator\OTP\OTPVerificator:
     tags: [ 'security.twofa.tag.verificator' ]
diff --git a/src/Authentication/TwoFactorAuth/Service/services.yaml b/src/Authentication/TwoFactorAuth/Service/services.yaml
@@ -5,6 +5,9 @@ services:
   _defaults:
     autowire: true
     public: false
+    bind:
+      OxidEsales\Eshop\Core\Request: '@=service("OxidEsales\\SecurityModule\\Core\\Registry").getRequest()'
+      OxidEsales\Eshop\Core\Utils: '@=service("OxidEsales\\SecurityModule\\Core\\Registry").getUtils()'
 
   OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\ModuleSettingsServiceInterface:
     class: OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\ModuleSettingsService
diff --git a/src/Shared/Model/User.php b/src/Shared/Model/User.php
@@ -61,11 +61,11 @@ public function checkValues($sLogin, $sPassword, $sPassword2, $aInvAddress, $aDe
      */
     public function login($userName, $password, $setSessionCookie = false): bool
     {
-        //todo: login should be reworded, disabled captcha is killing OTP login flow
-        if (!$this->isCaptchaEnabled()) {
-//            return parent::login($userName, $password, $setSessionCookie);
+        if ($this->isAdmin()) {
+            return parent::login($userName, $password, $setSessionCookie);
         }
-        if (!$this->isAdmin()) {
+
+        if ($this->isCaptchaEnabled()) {
             $captchaService = $this->getService(CaptchaServiceInterface::class);
 
             try {
@@ -77,19 +77,22 @@ public function login($userName, $password, $setSessionCookie = false): bool
             }
         }
 
-        if (!$this->isOTPEnabled() || $this->isAdmin()) {
-            return parent::login($userName, $password, $setSessionCookie);
-        }
+        if ($this->isOTPEnabled()) {
+            $userService = $this->getService(UserServiceInterface::class);
+            if (!$userService->checkPassword($userName, $password)) {
+                throw oxNew(UserException::class, 'ERROR_MESSAGE_USER_NOVALIDLOGIN');
+            }
 
-        $userService = $this->getService(UserServiceInterface::class);
-        if (!$userService->checkPassword($userName, $password)) {
-            //todo: log invalid login attempt and throw exception
-            return false; // invalid login
-        }
+            try {
+                $userService->handleLogin($userName);
+            } catch (\Exception $e) {
+                throw oxNew(UserException::class, 'ERROR_MESSAGE_USER_NOVALIDLOGIN');
+            }
 
-        $userService->handleLogin($userName);
+            return false;
+        }
 
-        return false;
+        return parent::login($userName, $password, $setSessionCookie);
     }
 
     private function isCaptchaEnabled(): bool
diff --git a/tests/Unit/Authentication/TwoFactorAuth/Infrastructure/Repository/UserRepositoryTest.php b/tests/Unit/Authentication/TwoFactorAuth/Infrastructure/Repository/UserRepositoryTest.php
@@ -0,0 +1,75 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Tests\Unit\Authentication\TwoFactorAuth\Infrastructure\Repository;
+
+use DateTime;
+use Doctrine\DBAL\Query\QueryBuilder;
+use Doctrine\DBAL\Result;
+use OxidEsales\EshopCommunity\Internal\Framework\Database\QueryBuilderFactoryInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Factory\UserFactoryInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Repository\UserRepository;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Repository\UserRepositoryInterface;
+use PHPUnit\Framework\TestCase;
+
+class UserRepositoryTest extends TestCase
+{
+    public function getSut(
+        UserFactoryInterface $userFactory = null,
+        QueryBuilderFactoryInterface $qbFactory = null,
+    ): UserRepositoryInterface {
+        return new UserRepository(
+            userFactory: $userFactory ?? $this->createMock(UserFactoryInterface::class),
+            queryBuilderFactory: $qbFactory ?? $this->createMock(QueryBuilderFactoryInterface::class),
+        );
+    }
+
+    public function testGetUserOtpDataReturnsDto(): void
+    {
+        $data = [
+            'OXID' => uniqid(),
+            'OESMOTPCODE' => uniqid(),
+            'OESMOTPATTEMPTS' => random_int(1, 10),
+            'OESMOTPEXPTIME' => '2026-01-01T10:00:00',
+        ];
+
+        $qb = $this->createMock(QueryBuilder::class);
+        $qb->method('select')->willReturnSelf();
+        $qb->method('from')->willReturnSelf();
+        $qb->method('where')->willReturnSelf();
+        $qb->method('setParameter')->willReturnSelf();
+
+        $qbFactory = $this->createMock(QueryBuilderFactoryInterface::class);
+        $qbFactory->expects($this->once())
+            ->method('create')
+            ->willReturn($qb);
+
+        $result = $this->createMock(Result::class);
+        $qb->expects($this->once())
+            ->method('execute')
+            ->willReturn($result);
+
+        $result->expects($this->once())
+            ->method('fetchAssociative')
+            ->willReturn($data);
+
+        $repository = $this->getSut(
+            qbFactory: $qbFactory,
+        );
+        $dto = $repository->getUserOTPData('user');
+
+        $this->assertSame($data['OXID'], $dto->getId());
+        $this->assertSame($data['OESMOTPATTEMPTS'], $dto->getAttempts());
+        $this->assertSame($data['OESMOTPCODE'], $dto->getCode());
+        $this->assertEquals(
+            new DateTime($data['OESMOTPEXPTIME']),
+            $dto->getExpiresAt()
+        );
+    }
+}
diff --git a/tests/Unit/Authentication/TwoFactorAuth/Service/UserServiceTest.php b/tests/Unit/Authentication/TwoFactorAuth/Service/UserServiceTest.php
diff --git a/tests/Unit/Authentication/TwoFactorAuth/Service/Verificator/OTP/OTPVerificatorTest.php b/tests/Unit/Authentication/TwoFactorAuth/Service/Verificator/OTP/OTPVerificatorTest.php

Original file line number	Diff line number	Diff line change
`@@ -40,13 +40,4 @@ public function handleOTP(): void`
`40`	`40`	`Registry::getUtilsView()->addErrorToDisplay($e->getMessage());`
`41`	`41`	`}`
`42`	`42`	`}`
`43`		`-`
`44`		`- public function generate(): void`
`45`		`- {`
`46`		`- //todo: stop execution if not ajax`
`47`		`- //todo: prevent spam by rate limiting`
`48`		`- //todo: should return json response with success or error message`
`49`		`- $authorizeService = $this->getService(AuthorizeServiceInterface::class);`
`50`		`- $authorizeService->generate();`
`51`		`- }`
`52`	`43`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,8 +13,8 @@`
`13`	`13`	`use Doctrine\DBAL\Result;`
`14`	`14`	`use OxidEsales\EshopCommunity\Internal\Framework\Database\QueryBuilderFactoryInterface;`
`15`	`15`	`use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\DTO\User as UserDTO;`
	`16`	`+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\UserNotFoundException;`
`16`	`17`	`use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Factory\UserFactoryInterface;`
`17`		`-use RuntimeException;`
`18`	`18`
`19`	`19`	`class UserRepository implements UserRepositoryInterface`
`20`	`20`	`{`
`@@ -26,7 +26,6 @@ public function __construct(`
`26`	`26`
`27`	`27`	`public function getUserOTPData(string $userName): UserDTO`
`28`	`28`	`{`
`29`		`- //todo: exception if not found`
`30`	`29`	`$builder = $this->queryBuilderFactory->create();`
`31`	`30`	`$builder->select([`
`32`	`31`	`'OXID',`
`@@ -42,8 +41,7 @@ public function getUserOTPData(string $userName): UserDTO`
`42`	`41`	`$queryResult = $builder->execute();`
`43`	`42`	`$userData = $queryResult->fetchAssociative();`
`44`	`43`	`if (!$userData) {`
`45`		`- //todo: throw correct exception`
`46`		`- throw new RuntimeException('User not found');`
	`44`	`+ throw new UserNotFoundException();`
`47`	`45`	`}`
`48`	`46`
`49`	`47`	`return new UserDTO(`
`@@ -90,7 +88,7 @@ public function resetCodeFields(string $userId): void`
`90`	`88`	`$userModel->save();`
`91`	`89`	`}`
`92`	`90`
`93`		`- public function getUserPasswordHash(string $userName): string`
	`91`	`+ public function getUserPasswordHash(string $userName): ?string`
`94`	`92`	`{`
`95`	`93`	`$builder = $this->queryBuilderFactory->create();`
`96`	`94`	`$builder->select('OXPASSWORD')`
`@@ -100,6 +98,8 @@ public function getUserPasswordHash(string $userName): string`
`100`	`98`
`101`	`99`	`/** @var Result $queryResult */`
`102`	`100`	`$queryResult = $builder->execute();`
`103`		`- return $queryResult->fetchOne();`
	`101`	`+ $userPass = $queryResult->fetchOne();`
	`102`	`+`
	`103`	`+ return $userPass ?: null;`
`104`	`104`	`}`
`105`	`105`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,5 +20,5 @@ public function resetCodeFields(string $userId): void;`
`20`	`20`
`21`	`21`	`public function addOTPtoUser(string $userId, string $otp, DateTime $expiresAt): bool;`
`22`	`22`
`23`		`- public function getUserPasswordHash(string $userId): string;`
	`23`	`+ public function getUserPasswordHash(string $userId): ?string;`
`24`	`24`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@`
`9`	`9`
`10`	`10`	`namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\Verificator\OTP;`
`11`	`11`
`12`		`-use OxidEsales\Eshop\Core\Registry;`
	`12`	`+use OxidEsales\Eshop\Core\Config;`
`13`	`13`	`use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\InvalidCodeException;`
`14`	`14`	`use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Repository\UserRepositoryInterface;`
`15`	`15`	`use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\Verificator\OTP\Generator\OTPGeneratorInterface;`
`@@ -22,6 +22,7 @@ public function __construct(`
`22`	`22`	`private OTPGeneratorInterface $otpGenerator,`
`23`	`23`	`private OTPValidatorInterface $otpValidator,`
`24`	`24`	`private UserRepositoryInterface $userRepository,`
	`25`	`+ private Config $config,`
`25`	`26`	`) {`
`26`	`27`	`}`
`27`	`28`
`@@ -50,10 +51,7 @@ public function validateCode(string $userName, string $inputCode): void`
`50`	`51`
`51`	`52`	`public function generate(string $userName): string`
`52`	`53`	`{`
`53`		`- //todo: userId from parameter or DTO`
`54`	`54`	`$otpData = $this->userRepository->getUserOTPData($userName);`
`55`		`-`
`56`		`- //todo: stop if user not found?`
`57`	`55`	`//todo: wait time between generations, in case of abuse like`
`58`	`56`	`//spamming the generate button or`
`59`	`57`	`//user hit limit and try to generate new code to bypass it`
`@@ -63,6 +61,6 @@ public function generate(string $userName): string`
`63`	`61`
`64`	`62`	`public function getVerificationUrl(): string`
`65`	`63`	`{`
`66`		`- return 'twofactorauth';`
	`64`	`+ return $this->config->getShopHomeUrl() . 'cl=twofactorauth';`
`67`	`65`	`}`
`68`	`66`	`}`