Merge branch 'b-7.4.x-resend-code-OXDEV-10002' into b-7.4.x-2fa-OXDEV-9078

Author: tkcreateit

assets/out/src/js/index.js

@@ -7,6 +7,7 @@ import { PasswordStrength } from "./module/password-validator.js";
 import { PasswordGenerator } from "./module/password-generator.js";
 import { CaptchaRefresh } from "./module/captcha-refresh.js";
 import { CaptchaAudio } from "./module/captcha-audio.js";
+import { ResendOtp } from './module/resend-otp.js';
 
 document.querySelectorAll("div[data-type='passwordStrength']").forEach((el) => {
     new PasswordStrength({
@@ -46,3 +47,14 @@ document.querySelectorAll('.captcha-play').forEach((el) => {
         fieldTarget: el
     })
 });
+
+const resendBtn = document.getElementById('resend-btn');
+if (resendBtn) {
+    const resendOtp = new ResendOtp(resendBtn);
+
+    // restore cooldown on refresh
+    resendOtp.restoreIfNeeded();
+    resendBtn.addEventListener('click', function () {
+        resendOtp.resend();
+    });
+}

assets/out/src/js/module/resend-otp.js

@@ -0,0 +1,93 @@
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+export class ResendOtp {
+    constructor(button, { hintId = 'resend-hint' } = {}) {
+        this.btn = button;
+        this.hint = document.getElementById(hintId);
+
+        this.cooldownSeconds = Number(button.dataset.cooldown || 60);
+        this.url = button.dataset.url;
+        this.storageKey = `otp_resend_until_${this.url}`;
+
+        this.timer = null;
+    }
+
+    async resend() {
+        console.log('Resend OTP code requested');
+        if (this.btn.disabled) return;
+
+        this.lock('Sending…');
+
+        try {
+            await fetch(this.url, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' }
+            });
+
+            const until = Date.now() + this.cooldownSeconds * 1000;
+            this.storeUntil(until);
+            this.startCooldown(until);
+
+        } catch (e) {
+            console.error(e);
+            this.unlock();
+            this.setHint('Could not resend code.');
+        }
+    }
+
+    startCooldown(until) {
+        clearInterval(this.timer);
+        console.log(`Starting OTP resend cooldown until ${new Date(until).toISOString()}`);
+        const tick = () => {
+            const remaining = Math.ceil((until - Date.now()) / 1000);
+
+            if (remaining <= 0) {
+                this.clearStoredUntil();
+                this.unlock();
+                clearInterval(this.timer);
+            } else {
+                this.lock(`Resend in ${remaining}s`);
+            }
+        };
+
+        tick();
+        this.timer = setInterval(tick, 1000);
+    }
+
+    lock(text) {
+        this.btn.disabled = true;
+        this.btn.textContent = text;
+    }
+
+    unlock() {
+        this.btn.disabled = false;
+        this.btn.textContent = 'Resend code';
+    }
+
+    setHint(text) {
+        if (this.hint) this.hint.textContent = text;
+    }
+
+    storeUntil(until) {
+        localStorage.setItem(this.storageKey, until);
+    }
+
+    getStoredUntil() {
+        return Number(localStorage.getItem(this.storageKey));
+    }
+
+    clearStoredUntil() {
+        localStorage.removeItem(this.storageKey);
+    }
+
+    restoreIfNeeded() {
+        console.log('Restoring OTP resend cooldown if needed');
+        const until = this.getStoredUntil();
+        if (until && until > Date.now()) {
+            this.startCooldown(until);
+        }
+    }
+}

metadata.php

@@ -44,7 +44,6 @@
         'captcha' => \OxidEsales\SecurityModule\Captcha\Controller\CaptchaController::class,
         'password' => \OxidEsales\SecurityModule\PasswordPolicy\Controller\PasswordAjaxController::class,
         'oauth' => \OxidEsales\SecurityModule\Authentication\OAuth2\Controller\OAuthController::class,
-        'twofactorauth' => \OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Controller\TwoFactorAuthController::class,
     ],
     'templates'   => [
     ],

migration/data/Version20260114104913.php

@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+namespace OxidEsales\SecurityModule\Migrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+final class Version20260114104913 extends AbstractMigration
+{
+    public function up(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE `oxuser` ADD column `OESMOTPLASTSENT` DATETIME default NULL COMMENT "Last OTP sent timestamp"');
+    }
+
+    public function down(Schema $schema): void
+    {
+    }
+}

src/Authentication/TwoFactorAuth/Controller/TwoFactorAuthController.php

@@ -11,6 +11,7 @@
 
 use OxidEsales\Eshop\Application\Controller\FrontendController;
 use OxidEsales\Eshop\Core\Registry;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Repository\UserRepositoryInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\AuthorizeServiceInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Transput\AuthCodeRequestInterface;
 
@@ -24,15 +25,19 @@ class TwoFactorAuthController extends FrontendController
      */
     protected $_sThisTemplate = '@oe_security_module/templates/two_factor_auth';
 
+    public function __construct(
+        private readonly AuthorizeServiceInterface $authService,
+        private readonly AuthCodeRequestInterface $authCodeRequest,
+    ) {
+        parent::__construct();
+    }
+
     public function handleOTP(): void
     {
-        $OTPRequest = $this->getService(AuthCodeRequestInterface::class);
-
         //todo: catch only OTP exception that will be shown to user, maybe some abstract OTP exception?
         try {
-            $authorizeService = $this->getService(AuthorizeServiceInterface::class);
-            $authorizeService->validate(
-                $OTPRequest->getCode()
+            $this->authService->validate(
+                $this->authCodeRequest->getCode()
             );
 
             //todo: redirect to originally requested page after successful OTP validation
@@ -42,4 +47,9 @@ public function handleOTP(): void
             Registry::getUtilsView()->addErrorToDisplay($e->getMessage());
         }
     }
+
+    public function resendCode(): void
+    {
+        $this->authService->generate();
+    }
 }

src/Authentication/TwoFactorAuth/Controller/services.yaml

@@ -0,0 +1,9 @@
+services:
+  _defaults:
+    autowire: true
+    public: false
+
+  OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Controller\TwoFactorAuthController:
+    public: true
+    tags:
+        - { name: 'oxid.view_controller', controller_key: 'twofactorauth' }

src/Authentication/TwoFactorAuth/DTO/User.php

@@ -18,6 +18,7 @@ public function __construct(
         private readonly int $attempts,
         private readonly ?string $code,
         private readonly ?DateTimeInterface $expiresAt,
+        private readonly ?DateTimeInterface $lastSentAt
     ) {
     }
 
@@ -40,4 +41,9 @@ public function getExpiresAt(): ?DateTimeInterface
     {
         return $this->expiresAt;
     }
+
+    public function getLastSentAt(): ?DateTimeInterface
+    {
+        return $this->lastSentAt;
+    }
 }

src/Authentication/TwoFactorAuth/DTO/UserInterface.php

@@ -18,4 +18,6 @@ public function getCode(): ?string;
     public function getAttempts(): int;
 
     public function getExpiresAt(): ?DateTimeInterface;
+
+    public function getLastSentAt(): ?DateTimeInterface;
 }

src/Authentication/TwoFactorAuth/Infrastructure/Repository/UserRepository.php

@@ -10,8 +10,10 @@
 namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Repository;
 
 use DateTime;
+use DateTimeImmutable;
 use Doctrine\DBAL\Result;
 use OxidEsales\EshopCommunity\Internal\Framework\Database\QueryBuilderFactoryInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\DTO\UserInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\DTO\User as UserDTO;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\UserNotFoundException;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Factory\UserFactoryInterface;
@@ -24,14 +26,15 @@ public function __construct(
     ) {
     }
 
-    public function getUserOTPData(string $userName): UserDTO
+    public function getUserOTPData(string $userName): UserInterface
     {
         $builder = $this->queryBuilderFactory->create();
         $builder->select([
                 'OXID',
                 'OESMOTPCODE',
                 'OESMOTPATTEMPTS',
-                'OESMOTPEXPTIME'
+                'OESMOTPEXPTIME',
+                'OESMOTPLASTSENT',
             ])
             ->from('oxuser')
             ->where('oxusername = :userName')
@@ -48,7 +51,8 @@ public function getUserOTPData(string $userName): UserDTO
             $userData['OXID'],
             $userData['OESMOTPATTEMPTS'],
             $userData['OESMOTPCODE'],
-            $userData['OESMOTPEXPTIME'] ? new DateTime($userData['OESMOTPEXPTIME']) : null
+            $userData['OESMOTPEXPTIME'] ? new DateTime($userData['OESMOTPEXPTIME']) : null,
+            $userData['OESMOTPLASTSENT'] ? new DateTime($userData['OESMOTPLASTSENT']) : null,
         );
     }
 
@@ -81,9 +85,10 @@ public function resetCodeFields(string $userId): void
         $userModel = $this->userFactory->create();
         $userModel->load($userId);
         $userModel->assign([
-            'OESMOTPCODE'     => '',
-            'OESMOTPEXPTIME'  => 0,
+            'OESMOTPCODE'     => null,
+            'OESMOTPEXPTIME'  => null,
             'OESMOTPATTEMPTS' => 0,
+            'OESMOTPLASTSENT' => null,
         ]);
         $userModel->save();
     }
@@ -102,4 +107,14 @@ public function getUserPasswordHash(string $userName): ?string
 
         return $userPass ?: null;
     }
+
+    public function markOtpAsSent(string $userId): void
+    {
+        $userModel = $this->userFactory->create();
+        $userModel->load($userId);
+        $userModel->assign([
+            'OESMOTPLASTSENT' => (new DateTimeImmutable())->format('Y-m-d H:i:s')
+        ]);
+        $userModel->save();
+    }
 }

src/Authentication/TwoFactorAuth/Infrastructure/Repository/UserRepositoryInterface.php

@@ -8,11 +8,11 @@
 namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Repository;
 
 use DateTime;
-use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\DTO\User as UserDTO;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\DTO\UserInterface;
 
 interface UserRepositoryInterface
 {
-    public function getUserOTPData(string $userName): UserDTO;
+    public function getUserOTPData(string $userName): UserInterface;
 
     public function updateAttempts(string $userId, int $attempts): void;
 
@@ -21,4 +21,6 @@ public function resetCodeFields(string $userId): void;
     public function addOTPtoUser(string $userId, string $otp, DateTime $expiresAt): bool;
 
     public function getUserPasswordHash(string $userId): ?string;
+
+    public function markOtpAsSent(string $userId): void;
 }