MC-32830: Do not store admin and customer tokens in DB

Author: ogorkun

app/code/Magento/Integration/Api/Exception/UserTokenException.php

@@ -26,6 +26,7 @@ public function __construct(
         ?UserContextInterface $forContext = null
     ) {
         parent::__construct($message, 0, $previous);
+        $this->context = $forContext;
     }
 
     public function getUserContext(): ?UserContextInterface

app/code/Magento/Integration/Model/OpaqueToken/Issuer.php

@@ -39,12 +39,12 @@ public function __construct(TokenModelFactory $tokenFactory)
     public function create(UserContextInterface $userContext, UserTokenParametersInterface $params): string
     {
         /** @var Token $token */
-        $token = $this->tokenModelFactory->create();
+        $token = $this->tokenFactory->create();
 
         if ($userContext->getUserType() === UserContextInterface::USER_TYPE_CUSTOMER) {
-            $token = $token->createCustomerToken($userContext->getUserId())->getToken();
+            $token = $token->createCustomerToken($userContext->getUserId());
         } elseif ($userContext->getUserType() === UserContextInterface::USER_TYPE_ADMIN) {
-            $token = $token->createAdminToken($userContext->getUserId())->getToken();
+            $token = $token->createAdminToken($userContext->getUserId());
         } else {
             throw new UserTokenException('Can only create tokens for customers and admin users');
         }

app/code/Magento/Integration/Model/OpaqueToken/Reader.php

@@ -53,7 +53,7 @@ public function read(string $token): UserToken
         if ($tokenModel->getRevoked()) {
             throw new UserTokenException('Token was revoked');
         }
-        $userType = $tokenModel->getUserType();
+        $userType = (int) $tokenModel->getUserType();
         if ($userType !== CustomUserContext::USER_TYPE_ADMIN && $userType !== CustomUserContext::USER_TYPE_CUSTOMER) {
             throw new UserTokenException('Invalid token found');
         }
@@ -72,7 +72,7 @@ public function read(string $token): UserToken
         );
         $lifetimeHours = $userType === CustomUserContext::USER_TYPE_ADMIN
             ? $this->helper->getAdminTokenLifetime() : $this->helper->getCustomerTokenLifetime();
-        $expires = $issued->add(new \DateInterval("P{$lifetimeHours}H"));
+        $expires = $issued->add(new \DateInterval("PT{$lifetimeHours}H"));
 
         return new UserToken(new CustomUserContext((int) $userId, (int) $userType), new Data($issued, $expires));
     }

app/code/Magento/Integration/Model/UserToken/ExpirationValidator.php

@@ -11,15 +11,29 @@
 use Magento\Framework\Exception\AuthorizationException;
 use Magento\Integration\Api\Data\UserToken;
 use Magento\Integration\Api\UserTokenValidatorInterface;
+use Magento\Framework\Stdlib\DateTime\DateTime as DtUtil;
 
 class ExpirationValidator implements UserTokenValidatorInterface
 {
+    /**
+     * @var DtUtil
+     */
+    private $datetimeUtil;
+
+    /**
+     * @param DtUtil $datetimeUtil
+     */
+    public function __construct(DtUtil $datetimeUtil)
+    {
+        $this->datetimeUtil = $datetimeUtil;
+    }
+
     /**
      * @inheritDoc
      */
     public function validate(UserToken $token): void
     {
-        if ($token->getData()->getExpires()->getTimestamp() <= time()) {
+        if ($token->getData()->getExpires()->getTimestamp() <= $this->datetimeUtil->gmtTimestamp()) {
             throw new AuthorizationException(__('Consumer key has expired'));
         }
     }

app/code/Magento/Integration/Test/Unit/Model/CompositeUserTokenValidatorTest.php

@@ -0,0 +1,31 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Integration\Test\Unit\Model;
+
+use Magento\Integration\Api\Data\UserToken;
+use Magento\Integration\Api\UserTokenValidatorInterface;
+use Magento\Integration\Model\CompositeUserTokenValidator;
+use PHPUnit\Framework\TestCase;
+
+class CompositeUserTokenValidatorTest extends TestCase
+{
+    public function testValidate(): void
+    {
+        $userToken = $this->createMock(UserToken::class);
+
+        $validator1 = $this->createMock(UserTokenValidatorInterface::class);
+        $validator1->expects($this->once())->method('validate')->with($userToken);
+
+        $validator2 = $this->createMock(UserTokenValidatorInterface::class);
+        $validator2->expects($this->once())->method('validate')->with($userToken);
+
+        $model = new CompositeUserTokenValidator([$validator1, $validator2]);
+        $model->validate($userToken);
+    }
+}

app/code/Magento/Integration/Test/Unit/Model/UserToken/ExpirationValidatorTest.php

@@ -0,0 +1,90 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Integration\Test\Unit\Model\UserToken;
+
+use Magento\Framework\Exception\AuthorizationException;
+use Magento\Integration\Api\Data\UserToken;
+use Magento\Integration\Api\Data\UserTokenDataInterface;
+use Magento\Integration\Model\UserToken\ExpirationValidator;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use Magento\Framework\Stdlib\DateTime\DateTime as DtUtil;
+
+class ExpirationValidatorTest extends TestCase
+{
+    /**
+     * @var ExpirationValidator
+     */
+    private $model;
+
+    /**
+     * @var DtUtil|MockObject
+     */
+    private $datetimeUtilMock;
+
+    /**
+     * @inheritDoc
+     */
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->datetimeUtilMock = $this->createMock(DtUtil::class);
+        $this->model = new ExpirationValidator($this->datetimeUtilMock);
+    }
+
+    public function getUserTokens(): array
+    {
+        $currentTs = \DateTimeImmutable::createFromFormat('Y-m-d H:i:s', '2021-04-07 14:00:00')
+            ->getTimestamp();
+
+        $pastToken = $this->createMock(UserToken::class);
+        $pastData = $this->createMock(UserTokenDataInterface::class);
+        $pastData->method('getExpires')
+            ->willReturn(\DateTimeImmutable::createFromFormat('Y-m-d H:i:s', '2021-04-07 12:00:00'));
+        $pastToken->method('getData')->willReturn($pastData);
+
+        $exactToken = $this->createMock(UserToken::class);
+        $exactData = $this->createMock(UserTokenDataInterface::class);
+        $exactData->method('getExpires')
+            ->willReturn(\DateTimeImmutable::createFromFormat('Y-m-d H:i:s', '2021-04-07 14:00:00'));
+        $exactToken->method('getData')->willReturn($exactData);
+
+        $futureToken = $this->createMock(UserToken::class);
+        $futureData = $this->createMock(UserTokenDataInterface::class);
+        $futureData->method('getExpires')
+            ->willReturn(\DateTimeImmutable::createFromFormat('Y-m-d H:i:s', '2021-04-07 16:00:00'));
+        $futureToken->method('getData')->willReturn($futureData);
+
+        return [
+            'past' => [$pastToken, false, $currentTs],
+            'exact' => [$exactToken, false, $currentTs],
+            'future' => [$futureToken, true, $currentTs]
+        ];
+    }
+
+    /**
+     * Test "validate" method.
+     *
+     * @param UserToken $userToken
+     * @param bool $isValid
+     * @param int $currentTimestamp
+     * @throws AuthorizationException
+     * @dataProvider getUserTokens
+     */
+    public function testValidate(UserToken $userToken, bool $isValid, int $currentTimestamp): void
+    {
+        if (!$isValid) {
+            $this->expectException(AuthorizationException::class);
+        }
+        $this->datetimeUtilMock->method('gmtTimestamp')->willReturn($currentTimestamp);
+
+        $this->model->validate($userToken);
+    }
+}

dev/tests/integration/testsuite/Magento/Integration/Model/OpaqueToken/IssuerTest.php

@@ -0,0 +1,91 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Integration\Model\OpaqueToken;
+
+use Magento\Authorization\Model\UserContextInterface;
+use Magento\Customer\Api\CustomerRepositoryInterface;
+use Magento\Integration\Model\CustomUserContext;
+use Magento\Integration\Model\UserToken\UserTokenParameters;
+use Magento\Integration\Model\UserToken\UserTokenParametersFactory;
+use Magento\TestFramework\Helper\Bootstrap;
+use PHPUnit\Framework\TestCase;
+use Magento\User\Model\User as UserModel;
+
+class IssuerTest extends TestCase
+{
+    /**
+     * @var Issuer
+     */
+    private $model;
+
+    /**
+     * @var CustomerRepositoryInterface
+     */
+    private $customerRepo;
+
+    /**
+     * @var UserModel
+     */
+    private $userModel;
+
+    /**
+     * @var UserTokenParametersFactory
+     */
+    private $paramsFactory;
+
+    protected function setUp(): void
+    {
+        $objectManager = Bootstrap::getObjectManager();
+
+        $this->model = $objectManager->get(Issuer::class);
+        $this->customerRepo = $objectManager->get(CustomerRepositoryInterface::class);
+        $this->userModel = $objectManager->create(UserModel::class);
+        $this->paramsFactory = $objectManager->get(UserTokenParametersFactory::class);
+    }
+
+    /**
+     * Verify that a token can be issued for a customer.
+     *
+     * @return void
+     * @throws \Throwable
+     * @magentoDataFixture Magento/Customer/_files/customer.php
+     */
+    public function testIssueForCustomer(): void
+    {
+        $customer = $this->customerRepo->get('[email protected]');
+        /** @var UserTokenParameters $params */
+        $params = $this->paramsFactory->create();
+        $token = $this->model->create(
+            new CustomUserContext((int) $customer->getId(), UserContextInterface::USER_TYPE_CUSTOMER),
+            $params
+        );
+
+        $this->assertNotEmpty($token);
+    }
+
+    /**
+     * Verify that a token can be issued for an admin user.
+     *
+     * @return void
+     * @throws \Throwable
+     * @magentoDataFixture Magento/User/_files/user_with_role.php
+     */
+    public function testIssueForAdmin(): void
+    {
+        $admin = $this->userModel->loadByUsername('adminUser');
+        /** @var UserTokenParameters $params */
+        $params = $this->paramsFactory->create();
+        $token = $this->model->create(
+            new CustomUserContext((int) $admin->getId(), UserContextInterface::USER_TYPE_ADMIN),
+            $params
+        );
+
+        $this->assertNotEmpty($token);
+    }
+}

dev/tests/integration/testsuite/Magento/Integration/Model/OpaqueToken/ReaderTest.php

@@ -0,0 +1,111 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Integration\Model\OpaqueToken;
+
+use Magento\Authorization\Model\UserContextInterface;
+use Magento\Customer\Api\CustomerRepositoryInterface;
+use Magento\Integration\Model\CustomUserContext;
+use Magento\Integration\Model\UserToken\UserTokenParameters;
+use Magento\TestFramework\Helper\Bootstrap;
+use Magento\User\Model\User as UserModel;
+use PHPUnit\Framework\TestCase;
+use Magento\Integration\Model\UserToken\UserTokenParametersFactory;
+
+class ReaderTest extends TestCase
+{
+    /**
+     * @var Reader
+     */
+    private $model;
+
+    /**
+     * @var CustomerRepositoryInterface
+     */
+    private $customerRepo;
+
+    /**
+     * @var UserModel
+     */
+    private $userModel;
+
+    /**
+     * @var UserTokenParametersFactory
+     */
+    private $paramsFactory;
+
+    /**
+     * @var Issuer
+     */
+    private $issuer;
+
+    /**
+     * @inheritDoc
+     */
+    protected function setUp(): void
+    {
+        $objectManager = Bootstrap::getObjectManager();
+
+        $this->model = $objectManager->get(Reader::class);
+        $this->customerRepo = $objectManager->get(CustomerRepositoryInterface::class);
+        $this->userModel = $objectManager->create(UserModel::class);
+        $this->paramsFactory = $objectManager->get(UserTokenParametersFactory::class);
+        $this->issuer = $objectManager->get(Issuer::class);
+    }
+
+    /**
+     * Verify that a token can be accepted for a customer.
+     *
+     * @return void
+     * @throws \Throwable
+     * @magentoDataFixture Magento/Customer/_files/customer.php
+     */
+    public function testReadingCustomer(): void
+    {
+        //Preparing the token
+        $customer = $this->customerRepo->get('[email protected]');
+        /** @var UserTokenParameters $params */
+        $params = $this->paramsFactory->create(
+            ['issued' => $issued = (new \DateTimeImmutable())->sub(new \DateInterval('PT1H'))]
+        );
+        $token = $this->issuer->create(
+            new CustomUserContext((int) $customer->getId(), UserContextInterface::USER_TYPE_CUSTOMER),
+            $params
+        );
+
+        $data = $this->model->read($token);
+        $this->assertEquals(UserContextInterface::USER_TYPE_CUSTOMER, $data->getUserContext()->getUserType());
+        $this->assertEquals((int) $customer->getId(), $data->getUserContext()->getUserId());
+        $this->assertEquals($issued->format('Y-m-d H:i:s'), $data->getData()->getIssued()->format('Y-m-d H:i:s'));
+        $this->assertGreaterThan($issued, $data->getData()->getExpires());
+    }
+
+    /**
+     * Verify that a token can be accepted for an admin user.
+     *
+     * @return void
+     * @throws \Throwable
+     * @magentoDataFixture Magento/User/_files/user_with_role.php
+     */
+    public function testRadingAdmin(): void
+    {
+        //Preparing the token
+        $admin = $this->userModel->loadByUsername('adminUser');
+        /** @var UserTokenParameters $params */
+        $params = $this->paramsFactory->create();
+        $token = $this->issuer->create(
+            new CustomUserContext((int) $admin->getId(), UserContextInterface::USER_TYPE_ADMIN),
+            $params
+        );
+
+        $data = $this->model->read($token);
+        $this->assertEquals(UserContextInterface::USER_TYPE_ADMIN, $data->getUserContext()->getUserType());
+        $this->assertEquals((int) $admin->getId(), $data->getUserContext()->getUserId());
+        $this->assertGreaterThan($data->getData()->getIssued(), $data->getData()->getExpires());
+    }
+}