OXDEV-9078 Use resend policy and implement resend in OTP service

Author: Sieg

src/Authentication/TwoFactorAuth/Exception/ResendCooldownException.php

@@ -0,0 +1,18 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception;
+
+class ResendCooldownException extends TwoFAException
+{
+    public function __construct()
+    {
+        parent::__construct('ERROR_RESEND_COOLDOWN');
+    }
+}

src/Authentication/TwoFactorAuth/OTP/OtpFacade.php

@@ -9,10 +9,12 @@
 
 namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP;
 
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\ResendCooldownException;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Notifier\Factory\OtpNotifierFactoryInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpChallengeStateServiceInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpCodeGeneratorServiceInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpCodeValidatorServiceInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpSendPolicyServiceInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAServiceInterface;
 
 class OtpFacade implements TwoFAServiceInterface
@@ -22,6 +24,7 @@ public function __construct(
         private OtpCodeValidatorServiceInterface $codeValidator,
         private OtpCodeGeneratorServiceInterface $codeGenerator,
         private OtpNotifierFactoryInterface $notifierFactory,
+        private OtpSendPolicyServiceInterface $sendPolicy,
     ) {
     }
 
@@ -59,6 +62,12 @@ public function verify(string $userId, #[\SensitiveParameter] string $code): voi
 
     public function resend(string $userId): void
     {
-        // todo-critical: implement
+        if (!$this->sendPolicy->canSend($userId)) {
+            throw new ResendCooldownException();
+        }
+
+        $code = $this->codeGenerator->generateCode();
+        $this->stateService->refreshChallengeState($userId, $code);
+        $this->notifierFactory->create($userId)->notify($userId, $code);
     }
 }

src/Authentication/TwoFactorAuth/OTP/Service/services.yaml

@@ -14,3 +14,6 @@ services:
 
   OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpCodeHasherServiceInterface:
     class: OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpCodeHasherService
+
+  OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpSendPolicyServiceInterface:
+    class: OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpSendPolicyService

src/Authentication/TwoFactorAuth/Service/TwoFAServiceInterface.php

@@ -8,6 +8,7 @@
 namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service;
 
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\CodeValidationException;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\ResendCooldownException;
 
 interface TwoFAServiceInterface
 {
@@ -22,5 +23,7 @@ public function invalidateChallenge(string $userId): void;
      */
     public function verify(string $userId, #[\SensitiveParameter] string $code): void;
 
+    // todo-low: consider extracting resend to a separate ResendableInterface, not all 2FA methods support it (e.g. TOTP)
+    /** @throws ResendCooldownException */
     public function resend(string $userId): void;
 }

tests/Integration/ServiceAvailabilityTest.php

@@ -45,11 +45,14 @@ public static function serviceAvailabilityDataProvider(): array
             [\OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAServiceInterface::class],
 
             [\OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Infrastructure\Repository\OtpChallengeStateRepositoryInterface::class],
+            [\OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpChallengeStateServiceInterface::class],
+            [\OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpCodeValidatorServiceInterface::class],
             [\OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpCodeGeneratorServiceInterface::class],
             [\OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpCodeHasherServiceInterface::class],
             [\OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Settings\TwoFASettingsInterface::class],
             [\OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Notifier\OtpNotifierInterface::class],
             [\OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Notifier\Factory\OtpNotifierFactoryInterface::class],
+            [\OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpSendPolicyServiceInterface::class],
         ];
         // phpcs:enable
     }

tests/Unit/Authentication/TwoFactorAuth/Exception/ResendCooldownExceptionTest.php

@@ -0,0 +1,25 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Tests\Unit\Authentication\TwoFactorAuth\Exception;
+
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\ResendCooldownException;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\TwoFAException;
+use PHPUnit\Framework\TestCase;
+
+class ResendCooldownExceptionTest extends TestCase
+{
+    public function testException(): void
+    {
+        $exception = new ResendCooldownException();
+
+        $this->assertInstanceOf(TwoFAException::class, $exception);
+        $this->assertSame('ERROR_RESEND_COOLDOWN', $exception->getMessage());
+    }
+}

tests/Unit/Authentication/TwoFactorAuth/OTP/OtpFacadeTest.php

@@ -17,6 +17,8 @@
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpCodeGeneratorServiceInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpCodeValidatorServiceInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\DTO\OtpChallengeStateInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpSendPolicyServiceInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\ResendCooldownException;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\InvalidCodeException;
 use PHPUnit\Framework\Attributes\Test;
 use PHPUnit\Framework\TestCase;
@@ -177,17 +179,69 @@ public function triggerChallengeGeneratesCodeCreatesStateAndNotifies(): void
         $sut->triggerChallenge(userId: $userId);
     }
 
+    #[Test]
+    public function resendThrowsCooldownExceptionWhenSendNotAllowed(): void
+    {
+        $sendPolicyStub = $this->createStub(OtpSendPolicyServiceInterface::class);
+        $sendPolicyStub->method('canSend')
+            ->with($userId = uniqid())
+            ->willReturn(false);
+
+        $sut = $this->getSut(sendPolicy: $sendPolicyStub);
+
+        $this->expectException(ResendCooldownException::class);
+
+        $sut->resend(userId: $userId);
+    }
+
+    #[Test]
+    public function resendRefreshesStateAndNotifiesWhenAllowed(): void
+    {
+        $sendPolicyStub = $this->createStub(OtpSendPolicyServiceInterface::class);
+        $sendPolicyStub->method('canSend')
+            ->with($userId = uniqid())
+            ->willReturn(true);
+
+        $codeGeneratorStub = $this->createStub(OtpCodeGeneratorServiceInterface::class);
+        $codeGeneratorStub->method('generateCode')
+            ->willReturn($code = uniqid());
+
+        $stateServiceSpy = $this->createMock(OtpChallengeStateServiceInterface::class);
+        $stateServiceSpy->expects($this->once())
+            ->method('refreshChallengeState')
+            ->with($userId, $code);
+
+        $notifierSpy = $this->createMock(OtpNotifierInterface::class);
+        $notifierSpy->expects($this->once())
+            ->method('notify')
+            ->with($userId, $code);
+
+        $notifierFactoryStub = $this->createStub(OtpNotifierFactoryInterface::class);
+        $notifierFactoryStub->method('create')->willReturn($notifierSpy);
+
+        $sut = $this->getSut(
+            stateService: $stateServiceSpy,
+            codeGenerator: $codeGeneratorStub,
+            notifierFactory: $notifierFactoryStub,
+            sendPolicy: $sendPolicyStub,
+        );
+
+        $sut->resend(userId: $userId);
+    }
+
     private function getSut(
         OtpChallengeStateServiceInterface $stateService = null,
         OtpCodeValidatorServiceInterface $codeValidator = null,
         OtpCodeGeneratorServiceInterface $codeGenerator = null,
         OtpNotifierFactoryInterface $notifierFactory = null,
+        OtpSendPolicyServiceInterface $sendPolicy = null,
     ): OtpFacade {
         return new OtpFacade(
             stateService: $stateService ?? $this->createStub(OtpChallengeStateServiceInterface::class),
             codeValidator: $codeValidator ?? $this->createStub(OtpCodeValidatorServiceInterface::class),
             codeGenerator: $codeGenerator ?? $this->createStub(OtpCodeGeneratorServiceInterface::class),
             notifierFactory: $notifierFactory ?? $this->createStub(OtpNotifierFactoryInterface::class),
+            sendPolicy: $sendPolicy ?? $this->createStub(OtpSendPolicyServiceInterface::class),
         );
     }
 }