ACP2E-3992: Customer password reset through GraphQL doesn't honour the restrictions

Author: soklymeach

app/code/Magento/Security/Test/Unit/Model/Plugin/AccountManagementTest.php

@@ -117,10 +117,10 @@ public static function beforeInitiatePasswordResetDataProvider()
             [Area::AREA_ADMINHTML, PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST, 0],
             [Area::AREA_ADMINHTML, PasswordResetRequestEvent::ADMIN_PASSWORD_RESET_REQUEST, 1],
             [Area::AREA_FRONTEND, PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST, 1],
+            [Area::AREA_GRAPHQL, PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST, 1],
             // This should never happen, but let's cover it with tests
             [Area::AREA_FRONTEND, PasswordResetRequestEvent::ADMIN_PASSWORD_RESET_REQUEST, 1],
             [Area::AREA_WEBAPI_REST, PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST, 1],
-            [Area::AREA_GRAPHQL, PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST, 1],
         ];
     }
 }

dev/tests/integration/framework/Magento/TestFramework/ApplicationStateComparator/_files/state-skip-list.php

@@ -290,6 +290,7 @@
         Magento\Framework\Cache\LockGuardedCacheLoader::class => null,
         Magento\Framework\View\Asset\PreProcessor\Pool::class => null,
         Magento\Framework\App\Area::class => null,
+        Magento\Security\Model\ResourceModel\PasswordResetRequestEvent::class => null,
         Magento\Store\Model\Store\Interceptor::class => null,
         Magento\Framework\TestFramework\ApplicationStateComparator\Comparator::class => null, // Yes, our test uses mutable state itself :-)
         Magento\Framework\GraphQl\Query\QueryParser::class => null, // reloads as a ReloadProcessor

dev/tests/integration/testsuite/Magento/GraphQl/App/GraphQlCustomerMutationsTest.php

@@ -12,6 +12,7 @@
 use Magento\Framework\App\Area;
 use Magento\Framework\App\State;
 use Magento\Framework\Exception\SecurityViolationException;
+use Magento\Security\Model\ResourceModel\PasswordResetRequestEvent\Collection as PasswordResetRequestEventCollection;
 use Magento\Customer\Api\CustomerRepositoryInterface;
 use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Registry;
@@ -21,7 +22,7 @@
  * Tests the dispatch method in the GraphQl Controller class using a simple product query
  *
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
- * @magentoDbIsolation enabled
+ * @magentoDbIsolation disabled
  * @magentoAppIsolation enabled
  * @magentoAppArea graphql
  */
@@ -50,6 +51,9 @@ protected function setUp(): void
      */
     protected function tearDown(): void
     {
+        $this->graphQlStateDiff->getTestObjectManager()
+            ->create(PasswordResetRequestEventCollection::class)
+            ->deleteRecordsOlderThen(time() + 1);
         $this->graphQlStateDiff->tearDown();
         $this->graphQlStateDiff = null;
         parent::tearDown();

dev/tests/integration/testsuite/Magento/GraphQl/App/State/GraphQlStateDiff.php

@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2023 Adobe
+ * All Rights Reserved.
  */
 declare(strict_types=1);
 
@@ -153,7 +153,7 @@ public function testState(
         } elseif ($operationName==='applyCouponToCart') {
             $this->removeCouponFromCart($variables);
         } elseif ($operationName==='resetPassword') {
-            $variables2['resetPasswordToken'] = $this->getResetPasswordToken($variables['email']);
+            $variables2['resetPasswordToken'] = $variables['resetPasswordToken'];
             $variables2['email'] = $variables['email'];
             $variables2['newPassword'] = $variables['newPassword'];
         }