OXDEV-9078 Add resend cooldown checking service

Sieg · Sieg · commit f63822d038a2 · 2026-04-06T17:13:44.000+03:00
diff --git a/src/Authentication/TwoFactorAuth/OTP/Service/OtpSendPolicyService.php b/src/Authentication/TwoFactorAuth/OTP/Service/OtpSendPolicyService.php
@@ -0,0 +1,41 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service;
+
+use DateTimeImmutable;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Infrastructure\Repository\OtpChallengeStateRepositoryInterface;
+
+class OtpSendPolicyService implements OtpSendPolicyServiceInterface
+{
+    private const RESEND_COOLDOWN_SECONDS = 60;
+
+    public function __construct(
+        private OtpChallengeStateRepositoryInterface $challengeStateRepository,
+    ) {
+    }
+
+    public function canSend(string $userId): bool
+    {
+        $state = $this->challengeStateRepository->findByUserId($userId);
+
+        if ($state === null) {
+            return true;
+        }
+
+        $lastSentAt = $state->getLastSentAt();
+        if ($lastSentAt === null) {
+            return true;
+        }
+
+        $elapsed = (new DateTimeImmutable())->getTimestamp() - $lastSentAt->getTimestamp();
+
+        return $elapsed >= self::RESEND_COOLDOWN_SECONDS;
+    }
+}
diff --git a/src/Authentication/TwoFactorAuth/OTP/Service/OtpSendPolicyServiceInterface.php b/src/Authentication/TwoFactorAuth/OTP/Service/OtpSendPolicyServiceInterface.php
@@ -0,0 +1,13 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service;
+
+interface OtpSendPolicyServiceInterface
+{
+    public function canSend(string $userId): bool;
+}
diff --git a/tests/Unit/Authentication/TwoFactorAuth/OTP/Service/OtpSendPolicyServiceTest.php b/tests/Unit/Authentication/TwoFactorAuth/OTP/Service/OtpSendPolicyServiceTest.php
@@ -0,0 +1,101 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Tests\Unit\Authentication\TwoFactorAuth\OTP\Service;
+
+use DateTimeImmutable;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\DTO\OtpChallengeStateInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Infrastructure\Repository\OtpChallengeStateRepositoryInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpSendPolicyService;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpSendPolicyServiceInterface;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+class OtpSendPolicyServiceTest extends TestCase
+{
+    #[Test]
+    public function canSendReturnsTrueWhenNoStateExists(): void
+    {
+        $userId = uniqid();
+
+        $repositoryMock = $this->createMock(OtpChallengeStateRepositoryInterface::class);
+        $repositoryMock->method('findByUserId')
+            ->with($userId)
+            ->willReturn(null);
+
+        $sut = $this->getSut(challengeStateRepository: $repositoryMock);
+
+        $this->assertTrue($sut->canSend($userId));
+    }
+
+    #[Test]
+    public function canSendReturnsTrueWhenLastSentAtIsNull(): void
+    {
+        $userId = uniqid();
+
+        $stateStub = $this->createStub(OtpChallengeStateInterface::class);
+        $stateStub->method('getLastSentAt')
+            ->willReturn(null);
+
+        $repositoryMock = $this->createMock(OtpChallengeStateRepositoryInterface::class);
+        $repositoryMock->method('findByUserId')
+            ->with($userId)
+            ->willReturn($stateStub);
+
+        $sut = $this->getSut(challengeStateRepository: $repositoryMock);
+
+        $this->assertTrue($sut->canSend($userId));
+    }
+
+    #[Test]
+    public function canSendReturnsTrueWhenCooldownHasPassed(): void
+    {
+        $userId = uniqid();
+
+        $stateStub = $this->createStub(OtpChallengeStateInterface::class);
+        $stateStub->method('getLastSentAt')
+            ->willReturn(new DateTimeImmutable('-61 seconds'));
+
+        $repositoryMock = $this->createMock(OtpChallengeStateRepositoryInterface::class);
+        $repositoryMock->method('findByUserId')
+            ->with($userId)
+            ->willReturn($stateStub);
+
+        $sut = $this->getSut(challengeStateRepository: $repositoryMock);
+
+        $this->assertTrue($sut->canSend($userId));
+    }
+
+    #[Test]
+    public function canSendReturnsFalseWhenCooldownHasNotPassed(): void
+    {
+        $userId = uniqid();
+
+        $stateStub = $this->createStub(OtpChallengeStateInterface::class);
+        $stateStub->method('getLastSentAt')
+            ->willReturn(new DateTimeImmutable('-30 seconds'));
+
+        $repositoryMock = $this->createMock(OtpChallengeStateRepositoryInterface::class);
+        $repositoryMock->method('findByUserId')
+            ->with($userId)
+            ->willReturn($stateStub);
+
+        $sut = $this->getSut(challengeStateRepository: $repositoryMock);
+
+        $this->assertFalse($sut->canSend($userId));
+    }
+
+    private function getSut(
+        OtpChallengeStateRepositoryInterface $challengeStateRepository = null,
+    ): OtpSendPolicyServiceInterface {
+        return new OtpSendPolicyService(
+            challengeStateRepository: $challengeStateRepository ?? $this->createStub(OtpChallengeStateRepositoryInterface::class),
+        );
+    }
+}
