OXDEV-9078 Start implementing the OTP facade - challenge validation related

Sieg · Sieg · commit 5c22fb2d691a · 2026-04-01T13:17:08.000+03:00
* Rename the OTPService to OtpFacade to better represent the idea
* isVerified challenge have completion state
* verify triggers the verification service
* invalidate challenge triggers invalidation service
diff --git a/src/Authentication/TwoFactorAuth/OTP/OTPService.php b/src/Authentication/TwoFactorAuth/OTP/OTPService.php
diff --git a/src/Authentication/TwoFactorAuth/OTP/OtpFacade.php b/src/Authentication/TwoFactorAuth/OTP/OtpFacade.php
@@ -0,0 +1,54 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP;
+
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpChallengeStateServiceInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpCodeValidatorServiceInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAServiceInterface;
+
+class OtpFacade implements TwoFAServiceInterface
+{
+    public function __construct(
+        private OtpChallengeStateServiceInterface $stateService,
+        private OtpCodeValidatorServiceInterface $codeValidator,
+    ) {
+    }
+
+    public function isVerified(string $userId): bool
+    {
+        $state = $this->stateService->getChallengeState($userId);
+
+        if ($state === null || $state->getVerifiedAt() === null) {
+            return false;
+        }
+
+        return $state->getExpiresAt() > new \DateTimeImmutable();
+    }
+
+    public function triggerChallenge(string $userId): void
+    {
+        // todo-critical: implement
+    }
+
+    public function invalidateChallenge(string $userId): void
+    {
+        $this->stateService->deleteChallengeState($userId);
+    }
+
+    public function verify(string $userId, #[\SensitiveParameter] string $code): void
+    {
+        $this->codeValidator->validateCode($userId, $code);
+    }
+
+    public function resend(string $userId): void
+    {
+        // todo-critical: implement
+    }
+}
diff --git a/src/Authentication/TwoFactorAuth/OTP/services.yaml b/src/Authentication/TwoFactorAuth/OTP/services.yaml
@@ -6,7 +6,7 @@ services:
     autowire: true
     public: false
 
-  OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\OTPService: ~
+  OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\OtpFacade: ~
 
   OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Infrastructure\Repository\OtpChallengeStateRepositoryInterface:
     class: OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Infrastructure\Repository\OtpChallengeStateRepository
diff --git a/tests/Unit/Authentication/TwoFactorAuth/OTP/OtpFacadeTest.php b/tests/Unit/Authentication/TwoFactorAuth/OTP/OtpFacadeTest.php
@@ -0,0 +1,125 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Tests\Unit\Authentication\TwoFactorAuth\OTP;
+
+use DateTimeImmutable;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\OtpFacade;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpChallengeStateServiceInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpCodeValidatorServiceInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\DTO\OtpChallengeStateInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAServiceInterface;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+class OTPServiceTest extends TestCase
+{
+    #[Test]
+    public function isVerifiedReturnsFalseWhenNoChallengeState(): void
+    {
+        $stateServiceMock = $this->createMock(OtpChallengeStateServiceInterface::class);
+        $stateServiceMock->expects($this->once())
+            ->method('getChallengeState')
+            ->with($userId = uniqid())
+            ->willReturn(null);
+
+        $sut = $this->getSut(stateService: $stateServiceMock);
+
+        $this->assertFalse($sut->isVerified(userId: $userId));
+    }
+
+    #[Test]
+    public function isVerifiedReturnsFalseWhenVerifiedAtIsNull(): void
+    {
+        $stateStub = $this->createStub(OtpChallengeStateInterface::class);
+        $stateStub->method('getVerifiedAt')->willReturn(null);
+
+        $stateServiceMock = $this->createMock(OtpChallengeStateServiceInterface::class);
+        $stateServiceMock->expects($this->once())
+            ->method('getChallengeState')
+            ->with($userId = uniqid())
+            ->willReturn($stateStub);
+
+        $sut = $this->getSut(stateService: $stateServiceMock);
+
+        $this->assertFalse($sut->isVerified(userId: $userId));
+    }
+
+    #[Test]
+    public function isVerifiedReturnsFalseWhenExpired(): void
+    {
+        $stateStub = $this->createStub(OtpChallengeStateInterface::class);
+        $stateStub->method('getVerifiedAt')->willReturn(new DateTimeImmutable());
+        $stateStub->method('getExpiresAt')->willReturn(new DateTimeImmutable('-1 second'));
+
+        $stateServiceMock = $this->createMock(OtpChallengeStateServiceInterface::class);
+        $stateServiceMock->expects($this->once())
+            ->method('getChallengeState')
+            ->with($userId = uniqid())
+            ->willReturn($stateStub);
+
+        $sut = $this->getSut(stateService: $stateServiceMock);
+
+        $this->assertFalse($sut->isVerified(userId: $userId));
+    }
+
+    #[Test]
+    public function isVerifiedReturnsTrueWhenVerifiedAtIsSet(): void
+    {
+        $stateStub = $this->createStub(OtpChallengeStateInterface::class);
+        $stateStub->method('getVerifiedAt')->willReturn(new DateTimeImmutable());
+        $stateStub->method('getExpiresAt')->willReturn(new DateTimeImmutable('+5 minutes'));
+
+        $stateServiceMock = $this->createMock(OtpChallengeStateServiceInterface::class);
+        $stateServiceMock->expects($this->once())
+            ->method('getChallengeState')
+            ->with($userId = uniqid())
+            ->willReturn($stateStub);
+
+        $sut = $this->getSut(stateService: $stateServiceMock);
+
+        $this->assertTrue($sut->isVerified(userId: $userId));
+    }
+
+    #[Test]
+    public function invalidateChallengeDeletesChallengeState(): void
+    {
+        $stateServiceSpy = $this->createMock(OtpChallengeStateServiceInterface::class);
+        $stateServiceSpy->expects($this->once())
+            ->method('deleteChallengeState')
+            ->with($userId = uniqid());
+
+        $sut = $this->getSut(stateService: $stateServiceSpy);
+
+        $sut->invalidateChallenge(userId: $userId);
+    }
+
+    #[Test]
+    public function verifyTriggersCodeValidator(): void
+    {
+        $codeValidatorSpy = $this->createMock(OtpCodeValidatorServiceInterface::class);
+        $codeValidatorSpy->expects($this->once())
+            ->method('validateCode')
+            ->with($userId = uniqid(), $code = uniqid());
+
+        $sut = $this->getSut(codeValidator: $codeValidatorSpy);
+
+        $sut->verify(userId: $userId, code: $code);
+    }
+
+    private function getSut(
+        OtpChallengeStateServiceInterface $stateService = null,
+        OtpCodeValidatorServiceInterface $codeValidator = null,
+    ): OtpFacade {
+        return new OtpFacade(
+            stateService: $stateService ?? $this->createStub(OtpChallengeStateServiceInterface::class),
+            codeValidator: $codeValidator ?? $this->createStub(OtpCodeValidatorServiceInterface::class),
+        );
+    }
+}
