Merge branch 'b-7.2.x-password_change_token_invalidation-OXDEV-8407' …

…into b-7.2.x

CHANGELOG-v10.md

@@ -26,5 +26,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - New configuration options:
     - `sRefreshTokenLifetime` - options for refresh token lifetime, from 24 hours to 90 days
     - `sFingerprintCookieMode` - option for the authentication fingerprint cookie mode, same or cross origin
+- Access and refresh tokens are now invalidated when the user's password is changed
+  - New methods:
+    - `OxidEsales\GraphQL\Base\Infrastructure\RefreshTokenRepositoryInterface::invalidateUserTokens`
+    - `OxidEsales\GraphQL\Base\Infrastructure\Token::invalidateUserTokens`
+  - New event subscriber:
+    - `OxidEsales\GraphQL\Base\Event\Subscriber\PasswordChangeSubscriber`
+
+## Changed
+- Renamed OxidEsales\GraphQL\Base\Infrastructure\Token::cleanUpTokens() to deleteOrphanedTokens()
 
 [10.0.0]: https://github.com/OXID-eSales/graphql-base-module/compare/v9.0.0...b-7.2.x

services.yaml

@@ -80,6 +80,9 @@ services:
   OxidEsales\GraphQL\Base\Service\FingerprintServiceInterface:
     class: OxidEsales\GraphQL\Base\Service\FingerprintService
 
+  OxidEsales\GraphQL\Base\Service\UserModelService:
+    class: OxidEsales\GraphQL\Base\Service\UserModelService
+
   OxidEsales\GraphQL\Base\Controller\:
     resource: 'src/Controller/'
     public: true
@@ -107,6 +110,10 @@ services:
     class: OxidEsales\GraphQL\Base\Event\Subscriber\UserDeleteSubscriber
     tags: [ 'kernel.event_subscriber' ]
 
+  OxidEsales\GraphQL\Base\Event\Subscriber\PasswordChangeSubscriber:
+    class: OxidEsales\GraphQL\Base\Event\Subscriber\PasswordChangeSubscriber
+    tags: [ 'kernel.event_subscriber' ]
+
   OxidEsales\GraphQL\Base\Event\Subscriber\BeforeTokenCreationSubscriber:
     tags: [ 'kernel.event_subscriber' ]
 

src/Controller/Login.php

@@ -9,9 +9,8 @@
 
 namespace OxidEsales\GraphQL\Base\Controller;
 
-use OxidEsales\GraphQL\Base\DataType\Login as LoginDatatype;
+use OxidEsales\GraphQL\Base\DataType\LoginInterface;
 use OxidEsales\GraphQL\Base\Service\LoginServiceInterface;
-use OxidEsales\GraphQL\Base\Service\RefreshTokenServiceInterface;
 use OxidEsales\GraphQL\Base\Service\Token;
 use TheCodingMachine\GraphQLite\Annotations\Query;
 
@@ -20,7 +19,6 @@ class Login
     public function __construct(
         protected Token $tokenService,
         protected LoginServiceInterface $loginService,
-        protected RefreshTokenServiceInterface $refreshTokenService,
     ) {
     }
 
@@ -44,13 +42,8 @@ public function token(?string $username = null, ?string $password = null): strin
      *
      * @Query
      */
-    public function login(?string $username = null, ?string $password = null): LoginDatatype
+    public function login(?string $username = null, ?string $password = null): LoginInterface
     {
-        $user = $this->loginService->login($username, $password);
-
-        return new LoginDatatype(
-            refreshToken: $this->refreshTokenService->createRefreshTokenForUser($user),
-            accessToken: $this->tokenService->createTokenForUser($user),
-        );
+        return $this->loginService->login($username, $password);
     }
 }

src/DataType/LoginInterface.php

@@ -9,9 +9,15 @@
 
 namespace OxidEsales\GraphQL\Base\DataType;
 
+use TheCodingMachine\GraphQLite\Annotations\Field;
+use TheCodingMachine\GraphQLite\Annotations\Type;
+
+#[Type]
 interface LoginInterface
 {
+    #[Field]
     public function refreshToken(): string;
 
+    #[Field]
     public function accessToken(): string;
 }

src/Event/Subscriber/PasswordChangeSubscriber.php

@@ -0,0 +1,103 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\GraphQL\Base\Event\Subscriber;
+
+use OxidEsales\Eshop\Application\Model\User;
+use OxidEsales\EshopCommunity\Internal\Transition\ShopEvents\AfterModelUpdateEvent;
+use OxidEsales\EshopCommunity\Internal\Transition\ShopEvents\BeforeModelUpdateEvent;
+use OxidEsales\GraphQL\Base\Infrastructure\RefreshTokenRepositoryInterface;
+use OxidEsales\GraphQL\Base\Infrastructure\Token;
+use OxidEsales\GraphQL\Base\Service\UserModelService;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Contracts\EventDispatcher\Event;
+
+class PasswordChangeSubscriber implements EventSubscriberInterface
+{
+    /**
+     * Whether the password had been changed.
+     *
+     * @var array
+     */
+    protected array $userIdWithChangedPwd = [];
+
+    public function __construct(
+        private readonly UserModelService $userModelService,
+        private readonly RefreshTokenRepositoryInterface $refreshTokenRepository,
+        private readonly Token $tokenInfrastructure
+    ) {
+    }
+
+    /**
+     * Handle ApplicationModelChangedEvent.
+     *
+     * @param Event $event Event to be handled
+     */
+    public function handleBeforeUpdate(Event $event): void
+    {
+        /** @phpstan-ignore-next-line method.notFound */
+        $model = $event->getModel();
+
+        if (!$model instanceof User) {
+            return;
+        }
+
+        $newPassword = $model->getFieldData('oxpassword');
+        if (!$this->userModelService->isPasswordChanged($model->getId(), $newPassword)) {
+            return;
+        }
+
+        $this->userIdWithChangedPwd[$model->getId()] = true;
+    }
+
+    /**
+     * Handle ApplicationModelChangedEvent.
+     *
+     * @param Event $event Event to be handled
+     */
+    public function handleAfterUpdate(Event $event): void
+    {
+        /** @phpstan-ignore-next-line method.notFound */
+        $model = $event->getModel();
+
+        if (!$model instanceof User || !isset($this->userIdWithChangedPwd[$model->getId()])) {
+            return;
+        }
+
+        $this->refreshTokenRepository->invalidateUserTokens($model->getId());
+        $this->tokenInfrastructure->invalidateUserTokens($model->getId());
+        unset($this->userIdWithChangedPwd[$model->getId()]);
+    }
+
+    /**
+     * Returns an array of event names this subscriber wants to listen to.
+     *
+     * The array keys are event names and the value can be:
+     *
+     *  * The method name to call (priority defaults to 0)
+     *  * An array composed of the method name to call and the priority
+     *  * An array of arrays composed of the method names to call and respective
+     *    priorities, or 0 if unset
+     *
+     * For instance:
+     *
+     *  * array('eventName' => 'methodName')
+     *  * array('eventName' => array('methodName', $priority))
+     *  * array('eventName' => array(array('methodName1', $priority), array('methodName2')))
+     *
+     * @return array<class-string,string>
+     */
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            BeforeModelUpdateEvent::class => 'handleBeforeUpdate',
+            AfterModelUpdateEvent::class => 'handleAfterUpdate'
+        ];
+    }
+}

src/Event/Subscriber/UserDeleteSubscriber.php

@@ -35,7 +35,7 @@ public function handle(Event $event): Event
             return $event;
         }
 
-        $this->tokenInfrastructure->cleanUpTokens();
+        $this->tokenInfrastructure->deleteOrphanedTokens();
 
         return $event;
     }

src/Infrastructure/RefreshTokenRepository.php

@@ -87,4 +87,17 @@ public function getTokenUser(string $refreshToken): UserInterface
 
         return new UserDataType($userModel, $isAnonymous);
     }
+
+    public function invalidateUserTokens(string $userId): void
+    {
+        $queryBuilder = $this->queryBuilderFactory->create()
+            ->update('oegraphqlrefreshtoken')
+            ->where('OXUSERID = :userId')
+            ->set('EXPIRES_AT', 'NOW()')
+            ->setParameters([
+                'userId' => $userId,
+            ]);
+
+        $queryBuilder->execute();
+    }
 }

src/Infrastructure/RefreshTokenRepositoryInterface.php

@@ -24,4 +24,6 @@ public function removeExpiredTokens(): void;
      * @throws InvalidRefreshToken
      */
     public function getTokenUser(string $refreshToken): UserInterface;
+
+    public function invalidateUserTokens(string $user): void;
 }

src/Infrastructure/Token.php

@@ -62,7 +62,7 @@ public function removeExpiredTokens(UserInterface $user): void
         $queryBuilder->execute();
     }
 
-    public function cleanUpTokens(): void
+    public function deleteOrphanedTokens(): void
     {
         /** @var \Doctrine\DBAL\Driver\Statement $execute */
         $execute = $this->queryBuilderFactory->create()
@@ -155,4 +155,17 @@ public function userHasToken(UserInterface $user, string $tokenId): bool
 
         return false;
     }
+
+    public function invalidateUserTokens(string $userId): void
+    {
+        $queryBuilder = $this->queryBuilderFactory->create()
+            ->update('oegraphqltoken')
+            ->where('OXUSERID = :userId')
+            ->set('EXPIRES_AT', 'NOW()')
+            ->setParameters([
+                'userId' => $userId,
+            ]);
+
+        $queryBuilder->execute();
+    }
 }

src/Service/LoginService.php

@@ -9,7 +9,8 @@
 
 namespace OxidEsales\GraphQL\Base\Service;
 
-use OxidEsales\GraphQL\Base\DataType\UserInterface;
+use OxidEsales\GraphQL\Base\DataType\Login as LoginDatatype;
+use OxidEsales\GraphQL\Base\DataType\LoginInterface;
 use OxidEsales\GraphQL\Base\Infrastructure\Legacy;
 
 /**
@@ -19,11 +20,18 @@ class LoginService implements LoginServiceInterface
 {
     public function __construct(
         private readonly Legacy $legacyInfrastructure,
+        protected Token $tokenService,
+        protected RefreshTokenServiceInterface $refreshTokenService,
     ) {
     }
 
-    public function login(?string $userName, ?string $password): UserInterface
+    public function login(?string $userName, ?string $password): LoginInterface
     {
-        return $this->legacyInfrastructure->login($userName, $password);
+        $user = $this->legacyInfrastructure->login($userName, $password);
+
+        return new LoginDatatype(
+            refreshToken: $this->refreshTokenService->createRefreshTokenForUser($user),
+            accessToken: $this->tokenService->createTokenForUser($user),
+        );
     }
 }

src/Service/LoginServiceInterface.php

@@ -9,12 +9,12 @@
 
 namespace OxidEsales\GraphQL\Base\Service;
 
-use OxidEsales\GraphQL\Base\DataType\UserInterface;
+use OxidEsales\GraphQL\Base\DataType\LoginInterface;
 
 /**
  * User login service
  */
 interface LoginServiceInterface
 {
-    public function login(?string $userName, ?string $password): UserInterface;
+    public function login(?string $userName, ?string $password): LoginInterface;
 }

src/Service/Token.php

@@ -11,7 +11,6 @@
 
 use DateTimeImmutable;
 use Lcobucci\JWT\UnencryptedToken;
-use OxidEsales\GraphQL\Base\DataType\User as UserDataType;
 use OxidEsales\GraphQL\Base\DataType\UserInterface;
 use OxidEsales\GraphQL\Base\Event\BeforeTokenCreation;
 use OxidEsales\GraphQL\Base\Exception\InvalidLogin;

src/Service/UserModelService.php

@@ -0,0 +1,34 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\GraphQL\Base\Service;
+
+use OxidEsales\GraphQL\Base\Infrastructure\Legacy;
+
+/**
+ * User model service
+ */
+class UserModelService
+{
+    public function __construct(
+        private readonly Legacy $legacyInfrastructure,
+    ) {
+    }
+
+    public function isPasswordChanged(string $userId, ?string $passwordNew): bool
+    {
+        $userModel = $this->legacyInfrastructure->getUserModel($userId);
+        $currentPassword = $userModel->getFieldData('oxpassword');
+        if (!$passwordNew || !$currentPassword) {
+            return false;
+        }
+
+        return $currentPassword !== $passwordNew;
+    }
+}

tests/Integration/Infrastructure/RefreshTokenRepositoryTest.php

@@ -10,10 +10,11 @@
 namespace OxidEsales\GraphQL\Base\Tests\Integration\Infrastructure;
 
 use DateTime;
+use DateTimeImmutable;
 use Doctrine\DBAL\Connection;
 use OxidEsales\EshopCommunity\Internal\Framework\Database\ConnectionProviderInterface;
+use OxidEsales\GraphQL\Base\DataType\UserInterface;
 use OxidEsales\GraphQL\Base\Exception\InvalidRefreshToken;
-use OxidEsales\GraphQL\Base\Exception\InvalidToken;
 use OxidEsales\GraphQL\Base\Infrastructure\RefreshTokenRepository;
 use OxidEsales\GraphQL\Base\Infrastructure\RefreshTokenRepositoryInterface;
 use OxidEsales\GraphQL\Base\Tests\Integration\TestCase;
@@ -138,6 +139,39 @@ public function testGetTokenUserExplodesOnWrongToken(): void
         $sut->getTokenUser(uniqid());
     }
 
+    public function testInvalidateRefreshTokens(): void
+    {
+        $expires = new DateTimeImmutable('+8 hours');
+        $this->addToken(
+            oxid: 'pwd_change_token',
+            expires: $expires->format('Y-m-d H:i:s'),
+            userId: $userId = '_testUser',
+            token: $token = uniqid(),
+        );
+
+        $sut = $this->getSut();
+        $sut->invalidateUserTokens($userId);
+
+        $this->expectException(InvalidRefreshToken::class);
+        $sut->getTokenUser($token);
+    }
+
+    public function testInvalidateRefreshTokensWrongUserId(): void
+    {
+        $expires = new DateTimeImmutable('+8 hours');
+        $this->addToken(
+            oxid: 'pwd_change_token',
+            expires: $expires->format('Y-m-d H:i:s'),
+            userId: '_testUser',
+            token: $token = uniqid(),
+        );
+
+        $sut = $this->getSut();
+        $sut->invalidateUserTokens('some_user_id');
+
+        $this->assertTrue($sut->getTokenUser($token) instanceof UserInterface);
+    }
+
     private function getDbConnection(): Connection
     {
         return $this->get(ConnectionProviderInterface::class)->get();