OXDEV-9078 Add a service to work with challenge state

Author: Sieg

src/Authentication/TwoFactorAuth/OTP/Service/OtpChallengeStateService.php

@@ -0,0 +1,64 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service;
+
+use DateTimeImmutable;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\{
+    DTO\OtpChallengeStateInterface,
+    Infrastructure\Repository\OtpChallengeStateRepositoryInterface,
+};
+
+class OtpChallengeStateService implements OtpChallengeStateServiceInterface
+{
+    public function __construct(
+        private OtpChallengeStateRepositoryInterface $challengeStateRepository,
+        private OtpCodeHasherServiceInterface $codeHasher,
+    ) {
+    }
+
+    public function getChallengeState(string $userId): ?OtpChallengeStateInterface
+    {
+        return $this->challengeStateRepository->findByUserId($userId);
+    }
+
+    public function createChallengeState(string $userId, #[\SensitiveParameter] string $code): void
+    {
+        // todo-medium: get expiration from settings, test should be improved also to check the value given to repo
+        $expiresAt = new DateTimeImmutable('+5 minutes');
+        $codeHash = $this->codeHasher->hash($code);
+
+        $this->challengeStateRepository->createChallengeState($userId, $codeHash, $expiresAt);
+    }
+
+    // todo-high: challenge if we want this second method to exist.
+    public function refreshChallengeState(string $userId, #[\SensitiveParameter] string $code): void
+    {
+        // todo-medium: get expiration from settings, test should be improved also to check the value given to repo
+        $expiresAt = new DateTimeImmutable('+5 minutes');
+        $codeHash = $this->codeHasher->hash($code);
+
+        $this->challengeStateRepository->refreshChallengeState($userId, $codeHash, $expiresAt);
+    }
+
+    public function markVerified(string $userId): void
+    {
+        $this->challengeStateRepository->markVerified($userId);
+    }
+
+    public function incrementAttempts(string $userId): void
+    {
+        $this->challengeStateRepository->incrementAttempts($userId);
+    }
+
+    public function deleteChallengeState(string $userId): void
+    {
+        $this->challengeStateRepository->deleteChallengeState($userId);
+    }
+}

src/Authentication/TwoFactorAuth/OTP/Service/OtpChallengeStateServiceInterface.php

@@ -0,0 +1,27 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service;
+
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\DTO\OtpChallengeStateInterface;
+
+interface OtpChallengeStateServiceInterface
+{
+    public function getChallengeState(string $userId): ?OtpChallengeStateInterface;
+
+    public function createChallengeState(string $userId, #[\SensitiveParameter] string $code): void;
+
+    public function refreshChallengeState(string $userId, #[\SensitiveParameter] string $code): void;
+
+    public function markVerified(string $userId): void;
+
+    public function incrementAttempts(string $userId): void;
+
+    public function deleteChallengeState(string $userId): void;
+}

tests/Unit/Authentication/TwoFactorAuth/OTP/Service/OtpChallengeStateServiceTest.php

@@ -0,0 +1,132 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Tests\Unit\Authentication\TwoFactorAuth\OTP\Service;
+
+use DateTimeImmutable;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\DTO\OtpChallengeStateInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Infrastructure\Repository\OtpChallengeStateRepositoryInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpChallengeStateService;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\OTP\Service\OtpCodeHasherServiceInterface;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+class OtpChallengeStateServiceTest extends TestCase
+{
+    #[Test]
+    public function getChallengeStateProxiesToRepository(): void
+    {
+        $stateStub = $this->createStub(OtpChallengeStateInterface::class);
+
+        $repositoryMock = $this->createMock(OtpChallengeStateRepositoryInterface::class);
+        $repositoryMock->expects($this->once())
+            ->method('findByUserId')
+            ->with($userId = uniqid())
+            ->willReturn($stateStub);
+
+        $sut = $this->getSut(repository: $repositoryMock);
+
+        $this->assertSame($stateStub, $sut->getChallengeState(userId: $userId));
+    }
+
+    #[Test]
+    public function createChallengeStateHashesCodeAndPassesToRepository(): void
+    {
+        $hasherMock = $this->createMock(OtpCodeHasherServiceInterface::class);
+        $hasherMock->expects($this->once())
+            ->method('hash')
+            ->with($code = uniqid())
+            ->willReturn($codeHash = uniqid());
+
+        $repositorySpy = $this->createMock(OtpChallengeStateRepositoryInterface::class);
+        $repositorySpy->expects($this->once())
+            ->method('createChallengeState')
+            ->with(
+                $userId = uniqid(),
+                $codeHash,
+                $this->callback(fn(DateTimeImmutable $expiresAt) => $expiresAt > new DateTimeImmutable())
+            );
+
+        $sut = $this->getSut(repository: $repositorySpy, hasher: $hasherMock);
+
+        $sut->createChallengeState(userId: $userId, code: $code);
+    }
+
+    #[Test]
+    public function refreshChallengeStateHashesCodeAndPassesToRepository(): void
+    {
+        $hasherMock = $this->createMock(OtpCodeHasherServiceInterface::class);
+        $hasherMock->expects($this->once())
+            ->method('hash')
+            ->with($code = uniqid())
+            ->willReturn($codeHash = uniqid());
+
+        $repositorySpy = $this->createMock(OtpChallengeStateRepositoryInterface::class);
+        $repositorySpy->expects($this->once())
+            ->method('refreshChallengeState')
+            ->with(
+                $userId = uniqid(),
+                $codeHash,
+                $this->callback(fn(DateTimeImmutable $expiresAt) => $expiresAt > new DateTimeImmutable())
+            );
+
+        $sut = $this->getSut(repository: $repositorySpy, hasher: $hasherMock);
+
+        $sut->refreshChallengeState(userId: $userId, code: $code);
+    }
+
+    #[Test]
+    public function markVerifiedProxiesToRepository(): void
+    {
+        $repositorySpy = $this->createMock(OtpChallengeStateRepositoryInterface::class);
+        $repositorySpy->expects($this->once())
+            ->method('markVerified')
+            ->with($userId = uniqid());
+
+        $sut = $this->getSut(repository: $repositorySpy);
+
+        $sut->markVerified(userId: $userId);
+    }
+
+    #[Test]
+    public function incrementAttemptsProxiesToRepository(): void
+    {
+        $repositorySpy = $this->createMock(OtpChallengeStateRepositoryInterface::class);
+        $repositorySpy->expects($this->once())
+            ->method('incrementAttempts')
+            ->with($userId = uniqid());
+
+        $sut = $this->getSut(repository: $repositorySpy);
+
+        $sut->incrementAttempts(userId: $userId);
+    }
+
+    #[Test]
+    public function deleteChallengeStateProxiesToRepository(): void
+    {
+        $repositorySpy = $this->createMock(OtpChallengeStateRepositoryInterface::class);
+        $repositorySpy->expects($this->once())
+            ->method('deleteChallengeState')
+            ->with($userId = uniqid());
+
+        $sut = $this->getSut(repository: $repositorySpy);
+
+        $sut->deleteChallengeState(userId: $userId);
+    }
+
+    private function getSut(
+        OtpChallengeStateRepositoryInterface $repository = null,
+        OtpCodeHasherServiceInterface $hasher = null,
+    ): OtpChallengeStateService {
+        return new OtpChallengeStateService(
+            challengeStateRepository: $repository ?? $this->createStub(OtpChallengeStateRepositoryInterface::class),
+            codeHasher: $hasher ?? $this->createStub(OtpCodeHasherServiceInterface::class),
+        );
+    }
+}