OXDEV-9927 Generate and send OTP to correct mail

Author: NikolaIvanovski

src/Authentication/TwoFactorAuth/Controller/TwoFactorAuthController.php

@@ -1,37 +1,49 @@
 <?php
 
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
 namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Controller;
 
 use OxidEsales\Eshop\Application\Controller\FrontendController;
+use OxidEsales\Eshop\Core\Registry;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\AuthorizeServiceInterface;
-use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Transput\OTPRequestInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Transput\AuthCodeRequestInterface;
 
 class TwoFactorAuthController extends FrontendController
 {
     protected $_sThisTemplate = '@oe_security_module/templates/two_factor_auth';
 
     public function handleOTP(): void
     {
-        $OTPRequest = $this->getService(OTPRequestInterface::class);
+        $OTPRequest = $this->getService(AuthCodeRequestInterface::class);
 
         //todo: catch only OTP exception that will be shown to user, maybe some abstract OTP exception?
         try {
             $authorizeService = $this->getService(AuthorizeServiceInterface::class);
             $authorizeService->validate(
-                $OTPRequest->getOTPCode()
+                $OTPRequest->getCode()
             );
+
+            //todo: redirect to originally requested page after successful OTP validation
+            //todo: create correct session for logged in user (from service, handleLogin?)
         } catch (\Exception $e) {
-            //todo: display error message to user
+            //todo: display translated error message to user
+            Registry::getUtilsView()->addErrorToDisplay($e->getMessage());
         }
     }
 
     public function generate(): void
     {
+        //todo: use session to get email/username
+        $username = uniqid();
+
         //todo: stop execution if not ajax
         //todo: prevent spam by rate limiting
         //todo: should return json response with success or error message
-
         $authorizeService = $this->getService(AuthorizeServiceInterface::class);
-        $authorizeService->generate();
+        $authorizeService->generate($username);
     }
 }

src/Authentication/TwoFactorAuth/DTO/User.php

@@ -9,15 +9,15 @@
 
 namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\DTO;
 
-use DateTimeImmutable;
+use DateTime;
 
 class User implements UserInterface
 {
     public function __construct(
         private readonly string $userId,
         private readonly ?string $code,
         private readonly ?int $attempts,
-        private readonly ?int $expiresAt,
+        private readonly ?DateTime $expiresAt,
     ) {
     }
 
@@ -36,13 +36,9 @@ public function getAttempts(): ?int
         return $this->attempts;
     }
 
-    public function getExpiresAt(): ?DateTimeImmutable
+    public function getExpiresAt(): ?DateTime
     {
         //todo: possible bug - should be null if not set
-        $expireAt = $this->expiresAt ?? time();
-
-        $dateTime = new DateTimeImmutable();
-
-        return $dateTime->setTimestamp($expireAt);
+        return $this->expiresAt;
     }
 }

src/Authentication/TwoFactorAuth/DTO/UserInterface.php

@@ -7,7 +7,7 @@
 
 namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\DTO;
 
-use DateTimeImmutable;
+use DateTime;
 
 interface UserInterface
 {
@@ -17,5 +17,5 @@ public function getCode(): ?string;
 
     public function getAttempts(): ?int;
 
-    public function getExpiresAt(): ?DateTimeImmutable;
+    public function getExpiresAt(): ?DateTime;
 }

src/Authentication/TwoFactorAuth/Exception/AttemptLimitExceededException.php

@@ -1,5 +1,10 @@
 <?php
 
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
 namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception;
 
 class AttemptLimitExceededException extends \Exception

src/Authentication/TwoFactorAuth/Infrastructure/Provider/Email/EmailAdapter.php

@@ -26,6 +26,7 @@ public function getName(): string
 
     public function notify(string $recipient, string $code): void
     {
+        //todo: replayto is same as recipient
         $emailModel = $this->emailFactory->create();
         $emailModel->sendEmail(
             $recipient,

src/Authentication/TwoFactorAuth/Infrastructure/Provider/NotifierAdapterInterface.php

@@ -1,5 +1,10 @@
 <?php
 
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
 namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Provider;
 
 interface NotifierAdapterInterface

src/Authentication/TwoFactorAuth/Infrastructure/Repository/UserRepository.php

@@ -22,28 +22,43 @@ public function __construct(
     ) {
     }
 
-    public function getUserOTPData(string $userId): UserDTO
+    public function getUserOTPData(string $userName): UserDTO
     {
         //todo: exception if not found
-        //todo: use query builder
-        $userModel = $this->userFactory->create();
-        $userModel->load($userId);
+        //todo: separate method for id and username?
+        $builder = $this->queryBuilderFactory->create();
+        $builder->select([
+                'OXID',
+                'OESMOTPCODE',
+                'OESMOTPATTEMPTS',
+                'OESMOTPEXPTIME'
+            ])
+            ->from('oxuser')
+            ->where('oxusername = :userName')
+            ->orWhere('oxid = :userName')
+            ->setParameter('userName', $userName);
+
+        $userData = $builder->execute()->fetchAssociative();
+        if (!$userData) {
+            //todo: throw correct exception
+            throw new \RuntimeException('User not found');
+        }
 
         return new UserDTO(
-            $userModel->getId(),
-            $userModel->getFieldData('OESMOTPCODE'),
-            (int) $userModel->getFieldData('OESMOTPATTEMPTS'),
-            (int) $userModel->getFieldData('OESMOTPEXPTIME')
+            $userData['OXID'],
+            $userData['OESMOTPCODE'],
+            $userData['OESMOTPATTEMPTS'],
+            new DateTime($userData['OESMOTPEXPTIME'])
         );
     }
 
-    public function addOTPtoUser(string $userId, string $otp, int $expiresAt): bool
+    public function addOTPtoUser(string $userId, string $otp, DateTime $expiresAt): bool
     {
         $userModel = $this->userFactory->create();
         $userModel->load($userId);
         $userModel->assign([
             'OESMOTPCODE'       => $otp,
-            'OESMOTPEXPTIME'    => $expiresAt,
+            'OESMOTPEXPTIME'    => $expiresAt->format('Y-m-d H:i:s'),
             'OESMOTPATTEMPTS'   => 0,
         ]);
         $userModel->save();

src/Authentication/TwoFactorAuth/Infrastructure/Repository/UserRepositoryInterface.php

@@ -7,17 +7,18 @@
 
 namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Repository;
 
+use DateTime;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\DTO\User as UserDTO;
 
 interface UserRepositoryInterface
 {
-    public function getUserOTPData(string $userId): UserDTO;
+    public function getUserOTPData(string $userName): UserDTO;
 
     public function updateAttempts(string $userId, int $attempts): void;
 
     public function resetCodeFields(string $userId): void;
 
-    public function addOTPtoUser(string $userId, string $otp, int $expiresAt): bool;
+    public function addOTPtoUser(string $userId, string $otp, DateTime $expiresAt): bool;
 
     public function getUserPasswordHash(string $userId): string;
 }

src/Authentication/TwoFactorAuth/Service/AuthorizeService.php

@@ -9,12 +9,15 @@
 
 namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service;
 
+use OxidEsales\EshopCommunity\Internal\Framework\Session\SessionInterface;
+
 class AuthorizeService implements AuthorizeServiceInterface
 {
     public function __construct(
         private ModuleSettingsServiceInterface $moduleSettings,
         private VerificationCollectorServiceInterface $verificationCollectorService,
         private NotifierCollectorInterface $notifierCollectorService,
+        private SessionInterface $session
     ) {
     }
 
@@ -26,22 +29,35 @@ public function validate(string $inputCode): void
             $activeVerificator
         );
 
-        //todo: use session to get user id
-        $verificator->validateCode('7b4dfcca4669a8bbfcbd29c77cbc82f3', $inputCode);
+        //todo: use session to get email/username or userId
+        $userName = $this->session->get('pending_otp_user');
+
+        $verificator->validateCode($userName, $inputCode);
     }
 
-    public function generate(): void
+    public function generate(string $userName): void
     {
         $activeVerificator = $this->moduleSettings->getTwoFactorAuthType();
 
         $verificator = $this->verificationCollectorService->getVerificator(
             $activeVerificator
         );
-        //todo: use session to get user id
-        $OTPCode = $verificator->generate(uniqid());
+
+        $OTPCode = $verificator->generate($userName);
 
         //todo: module setting?
         $notifier = $this->notifierCollectorService->getNotifier('email');
-        $notifier->notify('localhost@localhost.local', $OTPCode);
+        $notifier->notify($userName, $OTPCode);
+    }
+
+    public function getVerificationUrl(): string
+    {
+        $activeVerificator = $this->moduleSettings->getTwoFactorAuthType();
+
+        $verificator = $this->verificationCollectorService->getVerificator(
+            $activeVerificator
+        );
+
+        return $verificator->getVerificationUrl();
     }
 }

src/Authentication/TwoFactorAuth/Service/AuthorizeServiceInterface.php

@@ -11,5 +11,7 @@ interface AuthorizeServiceInterface
 {
     public function validate(string $inputCode): void;
 
-    public function generate(): void;
+    public function generate(string $userName): void;
+
+    public function getVerificationUrl(): string;
 }