OXDEV-10116 Hide change and add reset password on oauth users

Author: TitaKoleva

metadata.php

@@ -34,7 +34,7 @@
     'email'       => 'info@oxid-esales.com',
     'extend'      => [
         \OxidEsales\Eshop\Application\Controller\NewsletterController::class => \OxidEsales\SecurityModule\Captcha\Shop\NewsletterController::class,
-        \OxidEsales\Eshop\Application\Controller\ForgotPasswordController::class => \OxidEsales\SecurityModule\Captcha\Shop\ForgotPasswordController::class,
+        \OxidEsales\Eshop\Application\Controller\ForgotPasswordController::class => \OxidEsales\SecurityModule\Shared\Controller\ForgotPasswordController::class,
         \OxidEsales\Eshop\Application\Model\User::class => \OxidEsales\SecurityModule\Shared\Model\User::class,
         \OxidEsales\Eshop\Core\InputValidator::class    => \OxidEsales\SecurityModule\Shared\Core\InputValidator::class,
         \OxidEsales\Eshop\Core\ViewConfig::class        => \OxidEsales\SecurityModule\Shared\Core\ViewConfig::class

migration/data/Version20251128093245.php

@@ -19,6 +19,8 @@ public function up(Schema $schema): void
         $this->addSql('ALTER TABLE `oxuser` ADD column `OESMOTPCODE` VARCHAR(128) default NULL COMMENT "OTP code"');
         $this->addSql('ALTER TABLE `oxuser` ADD column `OESMOTPEXPTIME` DATETIME default NULL COMMENT "OTP code expiration time"');
         $this->addSql('ALTER TABLE `oxuser` ADD column `OESMOTPATTEMPTS` INT NOT NULL default 0 COMMENT "OTP code attempts"');
+        $this->addSql('ALTER TABLE `oxuser` ADD column `OESMOTPLASTSENT` DATETIME default NULL COMMENT "Last OTP sent timestamp"');
+        $this->addSql('ALTER TABLE `oxuser` ADD column `OESMEXTERNALAUTH` TINYINT(1) NOT NULL default 0 COMMENT "User registered via external authentication"');
     }
 
     public function down(Schema $schema): void

migration/data/Version20260114104913.php

@@ -41,9 +41,10 @@ public function createUser(OAuth2UserDTOInterface $userDTO): UserDTOInterface
     {
         $userModel = $this->userFactory->create();
         $userModel->assign([
-            'OXFNAME'    => $userDTO->getFirstName(),
-            'OXLNAME'    => $userDTO->getLastName(),
-            'OXUSERNAME' => $userDTO->getEmail(),
+            'OXFNAME'          => $userDTO->getFirstName(),
+            'OXLNAME'          => $userDTO->getLastName(),
+            'OXUSERNAME'       => $userDTO->getEmail(),
+            'OESMEXTERNALAUTH' => 1,
         ]);
         $userModel->setPassword($this->passwordGenerator->generatePasswordForOAuthUser());
         $userModel->createUser();

src/Authentication/OAuth2/Infrastructure/Repository/UserRepository.php

@@ -7,13 +7,18 @@
 
 declare(strict_types=1);
 
-namespace OxidEsales\SecurityModule\Captcha\Shop;
+namespace OxidEsales\SecurityModule\Shared\Controller;
 
+use OxidEsales\Eshop\Application\Model\User;
 use OxidEsales\Eshop\Core\Exception\StandardException;
 use OxidEsales\Eshop\Core\Registry;
 use OxidEsales\SecurityModule\Captcha\Service\CaptchaServiceInterface;
 use OxidEsales\SecurityModule\Captcha\Service\ModuleSettingsServiceInterface;
 
+/**
+ * @mixin \OxidEsales\Eshop\Application\Controller\ForgotPasswordController
+ * @eshopExtension
+ */
 class ForgotPasswordController extends ForgotPasswordController_parent
 {
     public function forgotPassword(): ?bool
@@ -36,4 +41,20 @@ public function forgotPassword(): ?bool
 
         return parent::forgotPassword();
     }
+
+    public function updatePassword()
+    {
+        $result = parent::updatePassword();
+
+        if ($result === 'forgotpwd?success=1') {
+            $userId = Registry::getSession()->getVariable('usr');
+            $user = oxNew(User::class);
+            if ($userId && $user->load($userId) && $user->getFieldData('oesmexternalauth')) {
+                $user->assign(['OESMEXTERNALAUTH' => 0]);
+                $user->save();
+            }
+        }
+
+        return $result;
+    }
 }

…aptcha/Shop/ForgotPasswordController.php …/Controller/ForgotPasswordController.phpsrc/Captcha/Shop/ForgotPasswordController.php renamed to src/Shared/Controller/ForgotPasswordController.php src/Captcha/Shop/ForgotPasswordController.php renamed to src/Shared/Controller/ForgotPasswordController.php

@@ -64,4 +64,11 @@ public function getRemainingAttempts(): int
     {
         return $this->getService(AuthorizeServiceInterface::class)->getRemainingAttempts();
     }
+
+    public function isExternalAuthUser(): bool
+    {
+        $user = $this->getUser();
+
+        return $user && (bool) $user->getFieldData('oesmexternalauth');
+    }
 }

src/Shared/Core/ViewConfig.php

@@ -7,14 +7,15 @@
 
 declare(strict_types=1);
 
-namespace OxidEsales\SecurityModule\Tests\Integration\Captcha\Shop;
+namespace OxidEsales\SecurityModule\Tests\Integration\Shared\Controller;
 
 use OxidEsales\Eshop\Application\Controller\ForgotPasswordController;
+use OxidEsales\Eshop\Application\Model\User;
 use OxidEsales\Eshop\Core\Registry;
 use OxidEsales\Eshop\Core\Request;
 use OxidEsales\Eshop\Core\UtilsView;
 use OxidEsales\EshopCommunity\Core\Di\ContainerFacade;
-use OxidEsales\EshopCommunity\Tests\Integration\IntegrationTestCase;
+use OxidEsales\SecurityModule\Tests\Integration\IntegrationTestCase;
 use OxidEsales\SecurityModule\Captcha\Service\ModuleSettingsServiceInterface;
 
 class ForgotPasswordControllerTest extends IntegrationTestCase
@@ -121,4 +122,112 @@ public function testForgotPasswordWithEmptyCaptcha()
         $subject = oxNew(ForgotPasswordController::class);
         $subject->forgotPassword();
     }
+
+    public function testUpdatePasswordClearsExternalAuthFlagOnSuccess(): void
+    {
+        $userId = uniqid();
+        $user = $this->createTestUser($userId);
+
+        $this->assertEquals(1, (int) $user->getFieldData('oesmexternalauth'));
+
+        $updateKey = $user->getFieldData('oxupdatekey');
+        $shopId = $user->getFieldData('oxshopid');
+        $uid = md5($user->getId() . $shopId . $updateKey);
+
+        $password = uniqid();
+
+        $requestMock = $this->getMockBuilder(Request::class)
+            ->disableOriginalConstructor()
+            ->onlyMethods(['getRequestParameter', 'getRequestEscapedParameter'])
+            ->getMock();
+
+        $requestMock->method('getRequestParameter')
+            ->willReturnCallback(function ($param) use ($password) {
+                return match ($param) {
+                    'password_new', 'password_new_confirm' => $password,
+                    default => null,
+                };
+            });
+
+        $requestMock->method('getRequestEscapedParameter')
+            ->willReturnCallback(function ($param) use ($uid) {
+                return match ($param) {
+                    'uid' => $uid,
+                    default => null,
+                };
+            });
+
+        Registry::set(Request::class, $requestMock);
+
+        $subject = oxNew(ForgotPasswordController::class);
+        $result = $subject->updatePassword();
+
+        $this->assertSame('forgotpwd?success=1', $result);
+
+        $updatedUser = oxNew(User::class);
+        $updatedUser->load($userId);
+        $this->assertEquals(0, (int) $updatedUser->getFieldData('oesmexternalauth'));
+    }
+
+    public function testUpdatePasswordKeepsExternalAuthFlagOnFailure(): void
+    {
+        $userId = uniqid();
+        $this->createTestUser($userId);
+        $password = uniqid();
+
+        $requestMock = $this->getMockBuilder(Request::class)
+            ->disableOriginalConstructor()
+            ->onlyMethods(['getRequestParameter', 'getRequestEscapedParameter'])
+            ->getMock();
+
+        $requestMock->method('getRequestParameter')
+            ->willReturnCallback(function ($param) use ($password) {
+                return match ($param) {
+                    'password_new', 'password_new_confirm' => $password,
+                    default => null,
+                };
+            });
+
+        $requestMock->method('getRequestEscapedParameter')
+            ->willReturnCallback(function ($param) {
+                return match ($param) {
+                    'uid' => 'invalid_uid',
+                    default => null,
+                };
+            });
+
+        Registry::set(Request::class, $requestMock);
+
+        $subject = oxNew(ForgotPasswordController::class);
+        $result = $subject->updatePassword();
+
+        $this->assertNotSame('forgotpwd?success=1', $result);
+
+        $unchangedUser = oxNew(User::class);
+        $unchangedUser->load($userId);
+        $this->assertEquals(1, (int) $unchangedUser->getFieldData('oesmexternalauth'));
+    }
+
+    /**
+     * Helper method to create the test user.
+     *
+     * @return \OxidEsales\Eshop\Application\Model\User
+     */
+    protected function createTestUser(string $userId)
+    {
+        $user = oxNew(User::class);
+        $user->setId($userId);
+        $user->assign([
+            'oxactive'            => 1,
+            'b2bparentid'         => '',
+            'b2brightdirectorder' => 1,
+            'oxpassword'          => uniqid(),
+            'oesmexternalauth'    => 1,
+        ]);
+
+        $user->save();
+        $user->setUpdateKey();
+
+        return $user;
+    }
 }

…ha/Shop/ForgotPasswordControllerTest.php …troller/ForgotPasswordControllerTest.phptests/Integration/Captcha/Shop/ForgotPasswordControllerTest.php renamed to tests/Integration/Shared/Controller/ForgotPasswordControllerTest.php tests/Integration/Captcha/Shop/ForgotPasswordControllerTest.php renamed to tests/Integration/Shared/Controller/ForgotPasswordControllerTest.php

@@ -29,5 +29,5 @@ class_alias(
 
 class_alias(
     \OxidEsales\Eshop\Application\Controller\ForgotPasswordController::class,
-    \OxidEsales\SecurityModule\Captcha\Shop\ForgotPasswordController_parent::class
+    \OxidEsales\SecurityModule\Shared\Controller\ForgotPasswordController_parent::class
 );

tests/PhpStan/phpstan-bootstrap.php

@@ -106,9 +106,10 @@ public function testCreateUser(): void
 
         $userModel = $this->createMock(UserModel::class);
         $userModel->method('assign')->with([
-            'OXFNAME'    => $firstName,
-            'OXLNAME'    => $lastName,
-            'OXUSERNAME' => $username,
+            'OXFNAME'          => $firstName,
+            'OXLNAME'          => $lastName,
+            'OXUSERNAME'       => $username,
+            'OESMEXTERNALAUTH' => 1,
         ]);
         $userModel->method('setPassword')->with($password);
 

tests/Unit/Authentication/OAuth2/Infrastructure/Repository/UserRepositoryTest.php

@@ -0,0 +1,65 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Tests\Unit\Authentication\TwoFactorAuth\Transput;
+
+use OxidEsales\Eshop\Core\Utils;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Transput\JsonResponse;
+use PHPUnit\Framework\TestCase;
+
+class JsonResponseTest extends TestCase
+{
+    public function testSendSetsCorrectHeaders(): void
+    {
+        $utilsMock = $this->createMock(Utils::class);
+
+        $headers = [];
+        $utilsMock->method('setHeader')->willReturnCallback(function ($value) use (&$headers) {
+            $headers[] = $value;
+        });
+        $utilsMock->method('showMessageAndExit');
+
+        $sut = new JsonResponse($utilsMock);
+        $sut->send(['key' => 'value']);
+
+        $this->assertContains('HTTP/1.1 200', $headers);
+        $this->assertContains('Content-Type: application/json', $headers);
+    }
+
+    public function testSendOutputsJsonEncodedData(): void
+    {
+        $data = ['status' => 'ok', 'code' => 123];
+
+        $utilsMock = $this->createMock(Utils::class);
+        $utilsMock->method('setHeader');
+        $utilsMock->expects($this->once())
+            ->method('showMessageAndExit')
+            ->with(json_encode($data));
+
+        $sut = new JsonResponse($utilsMock);
+        $sut->send($data);
+    }
+
+    public function testSendWithCustomStatusCode(): void
+    {
+        $utilsMock = $this->createMock(Utils::class);
+
+        $headers = [];
+        $utilsMock->method('setHeader')->willReturnCallback(function ($value) use (&$headers) {
+            $headers[] = $value;
+        });
+        $utilsMock->method('showMessageAndExit');
+
+        $sut = new JsonResponse($utilsMock);
+        $sut->setStatusCode(429);
+        $sut->send([]);
+
+        $this->assertContains('HTTP/1.1 429', $headers);
+    }
+}