OXDEV-9078 Guard the triggerChallenge with resend timeouts

Sieg · Sieg · commit 7686eb01a56d · 2026-04-16T19:52:44.000+03:00
Signed-off-by: Anton Fedurtsya &lt;anton@fedurtsya.com&gt;
diff --git a/src/Authentication/TwoFactorAuth/OTP/OtpFacade.php b/src/Authentication/TwoFactorAuth/OTP/OtpFacade.php
@@ -43,10 +43,11 @@ public function isVerified(string $userId): bool
 
     public function triggerChallenge(string $userId): void
     {
-        $code = $this->codeGenerator->generateCode();
-
-        // todo-critical: check if we can trigger the notification
+        if (!$this->sendPolicy->canSend($userId)) {
+            return;
+        }
 
+        $code = $this->codeGenerator->generateCode();
         $this->stateService->createChallengeState($userId, $code);
         $this->notifierFactory->create($userId)->notify($userId, $code);
     }
diff --git a/tests/Unit/Authentication/TwoFactorAuth/OTP/OtpFacadeTest.php b/tests/Unit/Authentication/TwoFactorAuth/OTP/OtpFacadeTest.php
@@ -154,6 +154,9 @@ public function verifyDoesNotMarkVerifiedWhenValidationFails(): void
     #[Test]
     public function triggerChallengeGeneratesCodeCreatesStateAndNotifies(): void
     {
+        $sendPolicyStub = $this->createStub(OtpSendPolicyServiceInterface::class);
+        $sendPolicyStub->method('canSend')->willReturn(true);
+
         $codeGeneratorStub = $this->createStub(OtpCodeGeneratorServiceInterface::class);
         $codeGeneratorStub->method('generateCode')->willReturn($code = uniqid());
 
@@ -174,11 +177,33 @@ public function triggerChallengeGeneratesCodeCreatesStateAndNotifies(): void
             stateService: $stateServiceSpy,
             codeGenerator: $codeGeneratorStub,
             notifierFactory: $notifierFactoryStub,
+            sendPolicy: $sendPolicyStub,
         );
 
         $sut->triggerChallenge(userId: $userId);
     }
 
+    #[Test]
+    public function triggerChallengeDoesNothingWhenCooldownActive(): void
+    {
+        $sendPolicyStub = $this->createStub(OtpSendPolicyServiceInterface::class);
+        $sendPolicyStub->method('canSend')->willReturn(false);
+
+        $stateServiceSpy = $this->createMock(OtpChallengeStateServiceInterface::class);
+        $stateServiceSpy->expects($this->never())->method('createChallengeState');
+
+        $notifierFactorySpy = $this->createMock(OtpNotifierFactoryInterface::class);
+        $notifierFactorySpy->expects($this->never())->method('create');
+
+        $sut = $this->getSut(
+            stateService: $stateServiceSpy,
+            notifierFactory: $notifierFactorySpy,
+            sendPolicy: $sendPolicyStub,
+        );
+
+        $sut->triggerChallenge(userId: uniqid());
+    }
+
     #[Test]
     public function resendThrowsCooldownExceptionWhenSendNotAllowed(): void
     {

Original file line number	Diff line number	Diff line change
`@@ -43,10 +43,11 @@ public function isVerified(string $userId): bool`
`43`	`43`
`44`	`44`	`public function triggerChallenge(string $userId): void`
`45`	`45`	`{`
`46`		`- $code = $this->codeGenerator->generateCode();`
`47`		`-`
`48`		`- // todo-critical: check if we can trigger the notification`
	`46`	`+ if (!$this->sendPolicy->canSend($userId)) {`
	`47`	`+ return;`
	`48`	`+ }`
`49`	`49`
	`50`	`+ $code = $this->codeGenerator->generateCode();`
`50`	`51`	`$this->stateService->createChallengeState($userId, $code);`
`51`	`52`	`$this->notifierFactory->create($userId)->notify($userId, $code);`
`52`	`53`	`}`