OXDEV-9078 Add a challenge state repository

Sieg · Sieg · commit adc84b4e456e · 2026-03-30T18:18:59.000+03:00
diff --git a/src/Authentication/TwoFactorAuth/OTP/Infrastructure/Repository/OtpChallengeStateRepository.php b/src/Authentication/TwoFactorAuth/OTP/Infrastructure/Repository/OtpChallengeStateRepository.php
@@ -0,0 +1,132 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Infrastructure\Repository;
+
+use DateTimeImmutable;
+use OxidEsales\EshopCommunity\Internal\Framework\Database\QueryBuilderFactoryInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\DTO\OtpChallengeState;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\DTO\OtpChallengeStateInterface;
+
+class OtpChallengeStateRepository implements OtpChallengeStateRepositoryInterface
+{
+    private const TABLE = 'oesm_2fa_otp';
+    private const DB_DATETIME_FORMAT = 'Y-m-d H:i:s';
+
+    public function __construct(
+        private QueryBuilderFactoryInterface $queryBuilderFactory,
+    ) {
+    }
+
+    public function findByUserId(string $userId): ?OtpChallengeStateInterface
+    {
+        $builder = $this->queryBuilderFactory->create();
+        $builder->select('*')
+            ->from(self::TABLE)
+            ->where('OXUSERID = :userId')
+            ->setParameter('userId', $userId);
+
+        /** @var \Doctrine\DBAL\Result $result */
+        $result = $builder->execute();
+        $row = $result->fetchAssociative();
+
+        if (!$row) {
+            return null;
+        }
+
+        return new OtpChallengeState(
+            userId: $row['OXUSERID'],
+            codeHash: $row['CODE_HASH'],
+            attempts: (int)$row['ATTEMPTS'],
+            lastSentAt: $row['LAST_SENT_AT'] ? new DateTimeImmutable($row['LAST_SENT_AT']) : null,
+            expiresAt: new DateTimeImmutable($row['EXPIRES_AT']),
+            verifiedAt: $row['VERIFIED_AT'] ? new DateTimeImmutable($row['VERIFIED_AT']) : null,
+        );
+    }
+
+    public function createChallengeState(string $userId, string $codeHash, DateTimeImmutable $expiresAt): void
+    {
+        $this->deleteByUserId($userId);
+
+        $builder = $this->queryBuilderFactory->create();
+        $builder->insert(self::TABLE)
+            ->values([
+                'OXUSERID'     => ':userId',
+                'CODE_HASH'    => ':codeHash',
+                'ATTEMPTS'     => '0',
+                'LAST_SENT_AT' => ':lastSentAt',
+                'EXPIRES_AT'   => ':expiresAt',
+                'VERIFIED_AT'  => 'NULL',
+            ])
+            ->setParameters([
+                'userId'     => $userId,
+                'codeHash'   => $codeHash,
+                'lastSentAt' => (new DateTimeImmutable())->format(self::DB_DATETIME_FORMAT),
+                'expiresAt'  => $expiresAt->format(self::DB_DATETIME_FORMAT),
+            ]);
+
+        $builder->execute();
+    }
+
+    public function markVerified(string $userId): void
+    {
+        $builder = $this->queryBuilderFactory->create();
+        $builder->update(self::TABLE)
+            ->set('VERIFIED_AT', ':verifiedAt')
+            ->where('OXUSERID = :userId')
+            ->setParameters([
+                'userId'     => $userId,
+                'verifiedAt' => (new DateTimeImmutable())->format(self::DB_DATETIME_FORMAT),
+            ]);
+
+        $builder->execute();
+    }
+
+    public function markResent(string $userId, DateTimeImmutable $expiresAt): void
+    {
+        $builder = $this->queryBuilderFactory->create();
+        $builder->update(self::TABLE)
+            ->set('LAST_SENT_AT', ':lastSentAt')
+            ->set('EXPIRES_AT', ':expiresAt')
+            ->where('OXUSERID = :userId')
+            ->setParameters([
+                'userId'     => $userId,
+                'lastSentAt' => (new DateTimeImmutable())->format(self::DB_DATETIME_FORMAT),
+                'expiresAt'  => $expiresAt->format(self::DB_DATETIME_FORMAT),
+            ]);
+
+        $builder->execute();
+    }
+
+    public function incrementAttempts(string $userId): void
+    {
+        $builder = $this->queryBuilderFactory->create();
+        $builder->update(self::TABLE)
+            ->set('ATTEMPTS', 'ATTEMPTS + 1')
+            ->where('OXUSERID = :userId')
+            ->setParameter('userId', $userId);
+
+        $builder->execute();
+    }
+
+    public function deleteChallengeState(string $userId): void
+    {
+        $this->deleteByUserId($userId);
+    }
+
+    private function deleteByUserId(string $userId): void
+    {
+        $builder = $this->queryBuilderFactory->create();
+        $builder->delete(self::TABLE)
+            ->where('OXUSERID = :userId')
+            ->setParameter('userId', $userId);
+
+        $builder->execute();
+    }
+}
diff --git a/src/Authentication/TwoFactorAuth/OTP/Infrastructure/Repository/OtpChallengeStateRepositoryInterface.php b/src/Authentication/TwoFactorAuth/OTP/Infrastructure/Repository/OtpChallengeStateRepositoryInterface.php
@@ -0,0 +1,28 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Infrastructure\Repository;
+
+use DateTimeImmutable;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\DTO\OtpChallengeStateInterface;
+
+interface OtpChallengeStateRepositoryInterface
+{
+    public function findByUserId(string $userId): ?OtpChallengeStateInterface;
+
+    public function createChallengeState(string $userId, string $codeHash, DateTimeImmutable $expiresAt): void;
+
+    public function markVerified(string $userId): void;
+
+    public function markResent(string $userId, DateTimeImmutable $expiresAt): void;
+
+    public function incrementAttempts(string $userId): void;
+
+    public function deleteChallengeState(string $userId): void;
+}
diff --git a/tests/Integration/Authentication/TwoFactorAuth/OTP/Infrastructure/Repository/OtpChallengeStateRepositoryTest.php b/tests/Integration/Authentication/TwoFactorAuth/OTP/Infrastructure/Repository/OtpChallengeStateRepositoryTest.php
@@ -0,0 +1,181 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Tests\Integration\Authentication\TwoFactorAuth\OTP\Infrastructure\Repository;
+
+use DateTimeImmutable;
+use OxidEsales\EshopCommunity\Internal\Framework\Database\QueryBuilderFactoryInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\DTO\OtpChallengeStateInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Infrastructure\Repository\OtpChallengeStateRepository;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Infrastructure\Repository\OtpChallengeStateRepositoryInterface;
+use OxidEsales\SecurityModule\Tests\Integration\IntegrationTestCase;
+use PHPUnit\Framework\Attributes\Test;
+
+class OtpChallengeStateRepositoryTest extends IntegrationTestCase
+{
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        $this->cleanupTable();
+    }
+
+    #[Test]
+    public function findByUserIdReturnsNullWhenNotFound(): void
+    {
+        $sut = $this->getSut();
+
+        $result = $sut->findByUserId(uniqid());
+
+        $this->assertNull($result);
+    }
+
+    #[Test]
+    public function createChallengeStateAndFind(): void
+    {
+        $sut = $this->getSut();
+
+        $sut->createChallengeState(
+            userId: $userId = uniqid(),
+            codeHash: $codeHash = uniqid(),
+            expiresAt: $expiresAt = new DateTimeImmutable('+5 minutes'),
+        );
+
+        $result = $sut->findByUserId($userId);
+
+        $this->assertInstanceOf(OtpChallengeStateInterface::class, $result);
+        $this->assertSame($userId, $result->getUserId());
+        $this->assertSame($codeHash, $result->getCodeHash());
+        $this->assertSame(0, $result->getAttempts());
+        $this->assertNotNull($result->getLastSentAt());
+        $this->assertSame($expiresAt->format('Y-m-d H:i:s'), $result->getExpiresAt()->format('Y-m-d H:i:s'));
+        $this->assertNull($result->getVerifiedAt());
+    }
+
+    #[Test]
+    public function createChallengeStateOverwritesExistingChallengeState(): void
+    {
+        $sut = $this->getSut();
+
+        $sut->createChallengeState(
+            userId: $userId = uniqid(),
+            codeHash: 'first_hash',
+            expiresAt: new DateTimeImmutable('+5 minutes'),
+        );
+
+        $sut->createChallengeState(
+            userId: $userId,
+            codeHash: 'second_hash',
+            expiresAt: $secondExpiresAt = new DateTimeImmutable('+10 minutes'),
+        );
+
+        $result = $sut->findByUserId($userId);
+
+        $this->assertSame('second_hash', $result->getCodeHash());
+        $this->assertSame(
+            $secondExpiresAt->format('Y-m-d H:i:s'),
+            $result->getExpiresAt()->format('Y-m-d H:i:s')
+        );
+    }
+
+    #[Test]
+    public function markVerifiedSetsVerifiedAt(): void
+    {
+        $sut = $this->getSut();
+        $sut->createChallengeState(
+            userId: $userId = uniqid(),
+            codeHash: uniqid(),
+            expiresAt: new DateTimeImmutable('+5 minutes'),
+        );
+
+        $sut->markVerified($userId);
+
+        $result = $sut->findByUserId($userId);
+        $this->assertNotNull($result->getVerifiedAt());
+    }
+
+    #[Test]
+    public function markResentUpdatesLastSentAtAndExpiresAt(): void
+    {
+        $sut = $this->getSut();
+        $sut->createChallengeState(
+            userId: $userId = uniqid(),
+            codeHash: uniqid(),
+            expiresAt: new DateTimeImmutable('+5 minutes'),
+        );
+
+        $sut->markResent(
+            userId: $userId,
+            expiresAt: $newExpiresAt = new DateTimeImmutable('+10 minutes'),
+        );
+
+        $result = $sut->findByUserId($userId);
+        $this->assertGreaterThanOrEqual(
+            new DateTimeImmutable('-2 seconds'),
+            $result->getLastSentAt()
+        );
+        $this->assertSame($newExpiresAt->format('Y-m-d H:i:s'), $result->getExpiresAt()->format('Y-m-d H:i:s'));
+    }
+
+    #[Test]
+    public function incrementAttempts(): void
+    {
+        $sut = $this->getSut();
+        $sut->createChallengeState(
+            userId: $userId = uniqid(),
+            codeHash: uniqid(),
+            expiresAt: new DateTimeImmutable('+5 minutes'),
+        );
+
+        $sut->incrementAttempts($userId);
+
+        $result = $sut->findByUserId($userId);
+        $this->assertSame(1, $result->getAttempts());
+    }
+
+    #[Test]
+    public function deleteChallengeStateRemovesChallenge(): void
+    {
+        $sut = $this->getSut();
+        $sut->createChallengeState(
+            userId: $userId = uniqid(),
+            codeHash: uniqid(),
+            expiresAt: new DateTimeImmutable('+5 minutes'),
+        );
+
+        $sut->deleteChallengeState($userId);
+
+        $this->assertNull($sut->findByUserId($userId));
+    }
+
+    #[Test]
+    public function deleteChallengeStateNonExistentUserDoesNotExplode(): void
+    {
+        $sut = $this->getSut();
+
+        $sut->deleteChallengeState(uniqid());
+
+        $this->addToAssertionCount(1);
+    }
+
+    private function getSut(): OtpChallengeStateRepositoryInterface
+    {
+        return new OtpChallengeStateRepository(
+            queryBuilderFactory: $this->get(QueryBuilderFactoryInterface::class),
+        );
+    }
+
+    private function cleanupTable(): void
+    {
+        $this->get(QueryBuilderFactoryInterface::class)
+            ->create()
+            ->getConnection()
+            ->executeStatement('DELETE FROM oesm_2fa_otp');
+    }
+}
