MC-32830: Do not store admin and customer tokens in DB

Author: ogorkun

app/code/Magento/JwtUserToken/Model/ConfigurableJwtSettingsProvider.php

@@ -57,6 +57,9 @@ public function __construct(
         $this->configReader = $configReader;
     }
 
+    /**
+     * @inheritDoc
+     */
     public function prepareSettingsFor(UserContextInterface $userContext): EncryptionSettingsInterface
     {
         return $this->prepareAllAccepted()[0];

app/code/Magento/JwtUserToken/Model/Data/JwtTokenParameters.php

@@ -19,17 +19,17 @@ class JwtTokenParameters
     /**
      * @var HeaderParameterInterface[]
      */
-    private $protectedHeaderParameters;
+    private $protectedHeaderParameters = [];
 
     /**
      * @var HeaderParameterInterface[]
      */
-    private $publicHeaderParameters;
+    private $publicHeaderParameters = [];
 
     /**
      * @var ClaimInterface[]
      */
-    private $claims;
+    private $claims = [];
 
     /**
      * @return HeaderParameterInterface[]

app/code/Magento/JwtUserToken/Model/ResourceModel/FastStorageRevokedWrapper.php

@@ -88,7 +88,9 @@ private function cacheData(Revoked $revoked): void
         }
         $this->cache->save(
             (string) $revoked->getBeforeTimestamp(),
-            sprintf(self::CACHE_ID, $revoked->getUserTypeId(), $revoked->getUserId())
+            sprintf(self::CACHE_ID, $revoked->getUserTypeId(), $revoked->getUserId()),
+            [],
+            $ttlMin * 60
         );
     }
 }

dev/tests/integration/testsuite/Magento/JwtUserToken/Api/RevokedRepositoryTest.php

@@ -0,0 +1,47 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\JwtUserToken\Api;
+
+use Magento\Authorization\Model\UserContextInterface;
+use Magento\JwtUserToken\Api\Data\Revoked;
+use Magento\TestFramework\Helper\Bootstrap;
+use PHPUnit\Framework\TestCase;
+
+class RevokedRepositoryTest extends TestCase
+{
+    /**
+     * @var RevokedRepositoryInterface
+     */
+    private $model;
+
+    /**
+     * @inheritDoc
+     */
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $objectManager = Bootstrap::getObjectManager();
+
+        $this->model = $objectManager->get(RevokedRepositoryInterface::class);
+    }
+
+    public function testSave(): void
+    {
+        $id = 169691;
+        $type = UserContextInterface::USER_TYPE_CUSTOMER;
+        $ts = time();
+
+        $this->model->saveRevoked(new Revoked($type, $id, $ts));
+
+        $found = $this->model->findRevoked($type, $id);
+        $this->assertNotNull($found);
+        $this->assertEquals($ts, $found->getBeforeTimestamp());
+    }
+}

dev/tests/integration/testsuite/Magento/JwtUserToken/Model/IssuerTest.php

@@ -0,0 +1,101 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\JwtUserToken\Model;
+
+use Magento\Authorization\Model\UserContextInterface;
+use Magento\Customer\Api\CustomerRepositoryInterface;
+use Magento\Framework\Jwt\Claim\PrivateClaim;
+use Magento\JwtUserToken\Model\Data\JwtTokenParameters;
+use Magento\JwtUserToken\Model\Data\JwtUserContext;
+use Magento\TestFramework\Helper\Bootstrap;
+use Magento\User\Model\User as UserModel;
+use PHPUnit\Framework\TestCase;
+use Magento\Integration\Api\Data\UserTokenParametersInterface;
+use Magento\Integration\Api\Data\UserTokenParametersInterfaceFactory;
+
+class IssuerTest extends TestCase
+{
+    /**
+     * @var Issuer
+     */
+    private $model;
+
+    /**
+     * @var CustomerRepositoryInterface
+     */
+    private $customerRepo;
+
+    /**
+     * @var UserModel
+     */
+    private $userModel;
+
+    /**
+     * @var UserTokenParametersInterfaceFactory
+     */
+    private $paramsFactory;
+
+    /**
+     * @inheritDoc
+     */
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $objectManager = Bootstrap::getObjectManager();
+
+        $this->model = $objectManager->get(Issuer::class);
+        $this->customerRepo = $objectManager->get(CustomerRepositoryInterface::class);
+        $this->userModel = $objectManager->create(UserModel::class);
+        $this->paramsFactory = $objectManager->get(UserTokenParametersInterfaceFactory::class);
+    }
+
+    /**
+     * Verify that a token can be issued for a customer.
+     *
+     * @return void
+     * @throws \Throwable
+     * @magentoDataFixture Magento/Customer/_files/customer.php
+     */
+    public function testIssueForCustomer(): void
+    {
+        $customer = $this->customerRepo->get('[email protected]');
+        /** @var UserTokenParametersInterface $params */
+        $params = $this->paramsFactory->create();
+        $jwtParams = new JwtTokenParameters();
+        $jwtParams->setClaims([new PrivateClaim('custom-claim', 'value')]);
+        $params->getExtensionAttributes()->setJwtParams($jwtParams);
+        $token = $this->model->create(
+            new JwtUserContext((int) $customer->getId(), UserContextInterface::USER_TYPE_CUSTOMER),
+            $params
+        );
+
+        $this->assertNotEmpty($token);
+    }
+
+    /**
+     * Verify that a token can be issued for an admin user.
+     *
+     * @return void
+     * @throws \Throwable
+     * @magentoDataFixture Magento/User/_files/user_with_role.php
+     */
+    public function testIssueForAdmin(): void
+    {
+        $admin = $this->userModel->loadByUsername('adminUser');
+        /** @var UserTokenParametersInterface $params */
+        $params = $this->paramsFactory->create();
+        $token = $this->model->create(
+            new JwtUserContext((int) $admin->getId(), UserContextInterface::USER_TYPE_ADMIN),
+            $params
+        );
+
+        $this->assertNotEmpty($token);
+    }
+}

dev/tests/integration/testsuite/Magento/JwtUserToken/Model/ReaderTest.php

@@ -0,0 +1,172 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\JwtUserToken\Model;
+
+use Magento\Authorization\Model\UserContextInterface;
+use Magento\Customer\Api\CustomerRepositoryInterface;
+use Magento\Framework\App\Config\MutableScopeConfigInterface;
+use Magento\Framework\Jwt\Claim\PrivateClaim;
+use Magento\Framework\Jwt\Header\PrivateHeaderParameter;
+use Magento\Framework\Jwt\Jwe\JweEncryptionSettingsInterface;
+use Magento\Framework\Jwt\Jwk;
+use Magento\Framework\Jwt\Jws\JwsInterface;
+use Magento\JwtUserToken\Api\ConfigReaderInterface;
+use Magento\JwtUserToken\Api\Data\JwtTokenDataInterface;
+use Magento\JwtUserToken\Model\Config\ConfigReader;
+use Magento\JwtUserToken\Model\Data\JwtTokenParameters;
+use Magento\JwtUserToken\Model\Data\JwtUserContext;
+use Magento\TestFramework\Helper\Bootstrap;
+use Magento\TestFramework\ObjectManager;
+use Magento\User\Model\User as UserModel;
+use PHPUnit\Framework\TestCase;
+use Magento\Integration\Api\Data\UserTokenParametersInterface;
+use Magento\Integration\Api\Data\UserTokenParametersInterfaceFactory;
+
+class ReaderTest extends TestCase
+{
+    /**
+     * @var Reader
+     */
+    private $model;
+
+    /**
+     * @var Issuer
+     */
+    private $issuer;
+
+    /**
+     * @var CustomerRepositoryInterface
+     */
+    private $customerRepo;
+
+    /**
+     * @var UserModel
+     */
+    private $userModel;
+
+    /**
+     * @var UserTokenParametersInterfaceFactory
+     */
+    private $paramsFactory;
+
+    /**
+     * @var MutableScopeConfigInterface
+     */
+    private $config;
+
+    public function getJwtCases(): array
+    {
+        return [
+            'jws-hs256' => [Jwk::ALGORITHM_HS256, JweEncryptionSettingsInterface::CONTENT_ENCRYPTION_ALGO_A128GCM],
+            'jws-hs384' => [Jwk::ALGORITHM_HS384, JweEncryptionSettingsInterface::CONTENT_ENCRYPTION_ALGO_A128GCM],
+            'jwe-a128kw-a128gcm' => [
+                Jwk::ALGORITHM_A128KW,
+                JweEncryptionSettingsInterface::CONTENT_ENCRYPTION_ALGO_A128GCM
+            ],
+            'jwe-a256gcmkw-a192hs384' => [
+                Jwk::ALGORITHM_A256GCMKW,
+                JweEncryptionSettingsInterface::CONTENT_ENCRYPTION_ALGO_A192_HS384
+            ],
+        ];
+    }
+
+    /**
+     * Verify that a JWT token can be issued for a customer using various algorithms.
+     *
+     * @param string $jwtAlg JWT algorithm to use.
+     * @param string $jweAlg JWE content encryption algorithm.
+     * @return void
+     * @throws \Throwable
+     * @magentoDataFixture Magento/Customer/_files/customer.php
+     * @dataProvider getJwtCases
+     */
+    public function testIssueForCustomer(string $jwtAlg, string $jweAlg): void
+    {
+        $this->config->setValue('webapi/jwtauth/jwt_alg', $jwtAlg);
+        $this->config->setValue('webapi/jwtauth/jwe_alg', $jweAlg);
+
+        $customer = $this->customerRepo->get('[email protected]');
+        /** @var UserTokenParametersInterface $params */
+        $params = $this->paramsFactory->create();
+        $jwtParams = new JwtTokenParameters();
+        $jwtParams->setClaims([new PrivateClaim($claim = 'custom-claim', $claimValue = 'value')]);
+        $jwtParams->setProtectedHeaderParameters(
+            [new PrivateHeaderParameter($header = 'custom-header', $headerValue = 42)]
+        );
+        $params->getExtensionAttributes()->setJwtParams($jwtParams);
+        $token = $this->issuer->create(
+            new JwtUserContext((int) $customer->getId(), UserContextInterface::USER_TYPE_CUSTOMER),
+            $params
+        );
+
+        $data = $this->model->read($token);
+        $this->assertInstanceOf(JwtTokenDataInterface::class, $data->getData());
+        /** @var JwtTokenDataInterface $tokenData */
+        $tokenData = $data->getData();
+        $this->assertEquals(UserContextInterface::USER_TYPE_CUSTOMER, $data->getUserContext()->getUserType());
+        $this->assertEquals((int) $customer->getId(), $data->getUserContext()->getUserId());
+        $this->assertGreaterThan($tokenData->getIssued(), $tokenData->getExpires());
+        $claims = [];
+        foreach ($tokenData->getJwtClaims()->getClaims() as $item) {
+            $claims[$item->getName()] = $item;
+        }
+        $this->assertArrayHasKey($claim, $claims);
+        $this->assertEquals($claimValue, $claims[$claim]->getValue());
+        $headerFound = $tokenData->getJwtHeader()->getParameter($header);
+        $this->assertNotNull($headerFound);
+        $this->assertEquals($headerValue, $headerFound->getValue());
+        $this->assertEquals($jwtAlg, $tokenData->getJwtHeader()->getParameter('alg')->getValue());
+        if ($enc = $tokenData->getJwtHeader()->getParameter('enc')) {
+            $this->assertEquals($jweAlg, $enc->getValue());
+        }
+    }
+
+    /**
+     * Verify that a token can be issued for an admin user.
+     *
+     * @return void
+     * @throws \Throwable
+     * @magentoDataFixture Magento/User/_files/user_with_role.php
+     */
+    public function testIssueForAdminCases(): void
+    {
+        $admin = $this->userModel->loadByUsername('adminUser');
+        /** @var UserTokenParametersInterface $params */
+        $params = $this->paramsFactory->create();
+        $token = $this->issuer->create(
+            new JwtUserContext((int) $admin->getId(), UserContextInterface::USER_TYPE_ADMIN),
+            $params
+        );
+
+        $data = $this->model->read($token);
+        $this->assertInstanceOf(JwtTokenDataInterface::class, $data->getData());
+        /** @var JwtTokenDataInterface $tokenData */
+        $this->assertEquals(UserContextInterface::USER_TYPE_ADMIN, $data->getUserContext()->getUserType());
+        $this->assertEquals((int) $admin->getId(), $data->getUserContext()->getUserId());
+        $this->assertGreaterThan($data->getData()->getIssued(), $data->getData()->getExpires());
+    }
+
+    /**
+     * @inheritDoc
+     */
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        /** @var ObjectManager $objectManager */
+        $objectManager = Bootstrap::getObjectManager();
+
+        $this->model = $objectManager->get(Reader::class);
+        $this->issuer = $objectManager->get(Issuer::class);
+        $this->customerRepo = $objectManager->get(CustomerRepositoryInterface::class);
+        $this->userModel = $objectManager->create(UserModel::class);
+        $this->paramsFactory = $objectManager->get(UserTokenParametersInterfaceFactory::class);
+        $this->config = $objectManager->get(MutableScopeConfigInterface::class);
+    }
+}