OXDEV-10037 Handle resend otp response

Author: TitaKoleva

assets/out/src/js/module/resend-otp.js

@@ -48,11 +48,16 @@ export class ResendOtp {
         this.lock(this.textSending);
 
         try {
-            await fetch(this.url, {
+            const response = await fetch(this.url, {
                 method: 'POST',
                 headers: { 'Content-Type': 'application/json' }
             });
 
+            if (!response.ok) {
+                this.unlock();
+                return;
+            }
+
             const until = Date.now() + this.cooldownSeconds * 1000;
             this.storeUntil(until);
             this.startCooldown(until);

src/Authentication/TwoFactorAuth/Controller/TwoFactorAuthController.php

@@ -15,6 +15,7 @@
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\AuthorizeServiceInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\UserServiceInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Transput\AuthCodeRequestInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Transput\JsonResponseInterface;
 
 class TwoFactorAuthController extends FrontendController
 {
@@ -31,6 +32,7 @@ public function __construct(
         private readonly UserServiceInterface $userService,
         private readonly AuthCodeRequestInterface $authCodeRequest,
         private readonly UtilsView $utilsView,
+        private readonly JsonResponseInterface $jsonResponse,
     ) {
         parent::__construct();
     }
@@ -52,6 +54,12 @@ public function handleOTP(): ?string
 
     public function resendCode(): void
     {
-        $this->authService->generate();
+        $success = $this->authService->resend();
+
+        if (!$success) {
+            $this->jsonResponse->setStatusCode(429);
+        }
+
+        $this->jsonResponse->send(['success' => $success]);
     }
 }

src/Authentication/TwoFactorAuth/Service/AuthorizeService.php

@@ -48,16 +48,25 @@ public function generate(): void
         );
 
         $userId = $this->session->get(self::USER_SESSION_KEY);
-        if (!$this->resendOTPService->canSend($userId)) {
-            return;
-        }
 
         $OTPCode = $verificator->generate($userId);
 
         $user = $this->userRepository->getUserOTPData($userId);
         $notifier = $this->notifierCollector->getNotifier('email');
         $notifier->notify($user->getEmail(), $OTPCode);
+    }
+
+    public function resend(): bool
+    {
+        $userId = $this->session->get(self::USER_SESSION_KEY);
+        if (!$this->resendOTPService->canSend($userId)) {
+            return false;
+        }
+
+        $this->generate();
         $this->resendOTPService->markAsSent($userId);
+
+        return true;
     }
 
     public function getVerificationUrl(): string

src/Authentication/TwoFactorAuth/Service/AuthorizeServiceInterface.php

@@ -13,6 +13,8 @@ public function validate(#[\SensitiveParameter] string $inputCode): void;
 
     public function generate(): void;
 
+    public function resend(): bool;
+
     public function getVerificationUrl(): string;
 
     public function getRemainingAttempts(): int;

src/Authentication/TwoFactorAuth/Transput/JsonResponse.php

@@ -0,0 +1,34 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Transput;
+
+use OxidEsales\Eshop\Core\Utils;
+
+class JsonResponse implements JsonResponseInterface
+{
+    private int $statusCode = 200;
+
+    public function __construct(
+        private readonly Utils $utils
+    ) {
+    }
+
+    public function setStatusCode(int $code): void
+    {
+        $this->statusCode = $code;
+    }
+
+    public function send(array $data): void
+    {
+        $this->utils->setHeader('HTTP/1.1 ' . $this->statusCode);
+        $this->utils->setHeader('Content-Type: application/json');
+        $this->utils->showMessageAndExit(json_encode($data));
+    }
+}

src/Authentication/TwoFactorAuth/Transput/JsonResponseInterface.php

@@ -0,0 +1,15 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Transput;
+
+interface JsonResponseInterface
+{
+    public function setStatusCode(int $code): void;
+
+    public function send(array $data): void;
+}

src/Authentication/TwoFactorAuth/Transput/services.yaml

@@ -2,7 +2,13 @@ services:
   _defaults:
     autowire: true
     public: false
+    bind:
+      OxidEsales\Eshop\Core\Utils: '@=service("OxidEsales\\SecurityModule\\Core\\Registry").getUtils()'
 
   OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Transput\AuthCodeRequestInterface:
     class: OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Transput\AuthCodeRequest
     public: true
+
+  OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Transput\JsonResponseInterface:
+    class: OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Transput\JsonResponse
+    public: true

tests/Unit/Authentication/TwoFactorAuth/Controller/TwoFactorAuthControllerTest.php

@@ -15,6 +15,7 @@
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\AuthorizeServiceInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\UserServiceInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Transput\AuthCodeRequestInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Transput\JsonResponseInterface;
 use PHPUnit\Framework\TestCase;
 
 class TwoFactorAuthControllerTest extends TestCase
@@ -115,14 +116,46 @@ public function testHandleOTPPropagatesNonOTPExceptions(): void
         $controller->handleOTP();
     }
 
-    public function testResendCodeCallsGenerate(): void
+    public function testResendCodeSendsSuccessResponse(): void
     {
         $authServiceMock = $this->createMock(AuthorizeServiceInterface::class);
         $authServiceMock->expects($this->once())
-            ->method('generate');
+            ->method('resend')
+            ->willReturn(true);
+
+        $jsonResponseMock = $this->createMock(JsonResponseInterface::class);
+        $jsonResponseMock->expects($this->never())
+            ->method('setStatusCode');
+        $jsonResponseMock->expects($this->once())
+            ->method('send')
+            ->with(['success' => true]);
+
+        $controller = $this->getSut(
+            authService: $authServiceMock,
+            jsonResponse: $jsonResponseMock,
+        );
+
+        $controller->resendCode();
+    }
+
+    public function testResendCodeSends429WhenCooldownActive(): void
+    {
+        $authServiceMock = $this->createMock(AuthorizeServiceInterface::class);
+        $authServiceMock->expects($this->once())
+            ->method('resend')
+            ->willReturn(false);
+
+        $jsonResponseMock = $this->createMock(JsonResponseInterface::class);
+        $jsonResponseMock->expects($this->once())
+            ->method('setStatusCode')
+            ->with(429);
+        $jsonResponseMock->expects($this->once())
+            ->method('send')
+            ->with(['success' => false]);
 
         $controller = $this->getSut(
             authService: $authServiceMock,
+            jsonResponse: $jsonResponseMock,
         );
 
         $controller->resendCode();
@@ -133,12 +166,14 @@ private function getSut(
         UserServiceInterface $userService = null,
         AuthCodeRequestInterface $authCodeRequest = null,
         UtilsView $utilsView = null,
+        JsonResponseInterface $jsonResponse = null,
     ): TwoFactorAuthController {
         return new TwoFactorAuthController(
             authService: $authService ?? $this->createStub(AuthorizeServiceInterface::class),
             userService: $userService ?? $this->createStub(UserServiceInterface::class),
             authCodeRequest: $authCodeRequest ?? $this->createStub(AuthCodeRequestInterface::class),
             utilsView: $utilsView ?? $this->createStub(UtilsView::class),
+            jsonResponse: $jsonResponse ?? $this->createStub(JsonResponseInterface::class),
         );
     }
 }

tests/Unit/Authentication/TwoFactorAuth/Service/AuthorizeServiceTest.php

@@ -141,9 +141,6 @@ public function testGenerateNotifiesUser(): void
             ->method('notify')
             ->with($userEmail, $generatedCode);
 
-        $resendOTPStub = $this->createStub(ResendOTPServiceInterface::class);
-        $resendOTPStub->method('canSend')->willReturn(true);
-
         $userStub = $this->createStub(UserInterface::class);
         $userStub->method('getEmail')->willReturn($userEmail);
 
@@ -174,15 +171,14 @@ public function testGenerateNotifiesUser(): void
             moduleSettings: $settingsStub,
             verifyCollector: $collectorStub,
             notifierCollector: $notifierCollectorStub,
-            resendOTPService: $resendOTPStub,
             userRepository: $userRepositoryStub,
             session: $sessionStub
         );
 
         $sut->generate();
     }
 
-    public function testGenerateSendsOtpAndMarksAsSent(): void
+    public function testResendSendsOtpAndMarksAsSent(): void
     {
         $userEmail = 'user@example.com';
 
@@ -223,21 +219,11 @@ public function testGenerateSendsOtpAndMarksAsSent(): void
             session: $sessionStub
         );
 
-        $sut->generate();
+        $this->assertTrue($sut->resend());
     }
 
-    public function testGenerateDoesNothingWhenCannotSend(): void
+    public function testResendReturnsFalseWhenCooldownActive(): void
     {
-        $verificatorMock = $this->createMock(VerificatorAdapterInterface::class);
-        $verificatorMock
-            ->expects($this->never())
-            ->method('generate');
-
-        $notifierMock = $this->createMock(NotifierAdapterInterface::class);
-        $notifierMock
-            ->expects($this->never())
-            ->method('notify');
-
         $resendOTPMock = $this->createMock(ResendOTPServiceInterface::class);
         $resendOTPMock
             ->method('canSend')
@@ -246,35 +232,17 @@ public function testGenerateDoesNothingWhenCannotSend(): void
             ->expects($this->never())
             ->method('markAsSent');
 
-        $settingsStub = $this->createStub(ModuleSettingsServiceInterface::class);
-        $settingsStub
-            ->method('getTwoFactorAuthType')
-            ->willReturn('otp');
-
-        $collectorStub = $this->createStub(VerificationCollectorServiceInterface::class);
-        $collectorStub
-            ->method('getVerificator')
-            ->willReturn($verificatorMock);
-
-        $notifierCollectorStub = $this->createStub(NotifierCollectorInterface::class);
-        $notifierCollectorStub
-            ->method('getNotifier')
-            ->willReturn($notifierMock);
-
         $sessionStub = $this->createStub(SessionInterface::class);
         $sessionStub
             ->method('get')
             ->willReturn(uniqid());
 
         $sut = $this->getSut(
-            moduleSettings: $settingsStub,
-            verifyCollector: $collectorStub,
-            notifierCollector: $notifierCollectorStub,
             resendOTPService: $resendOTPMock,
             session: $sessionStub
         );
 
-        $sut->generate();
+        $this->assertFalse($sut->resend());
     }
 
     public function testGetRemainingAttemptsReturnsValueFromVerificator(): void