Merge remote-tracking branch 'origin/ACP2E-3992' into PR_2025_08_04_chittima

chittima · chittima · commit be42227df899 · 2025-08-04T16:07:22.000-05:00
diff --git a/app/code/Magento/Security/Model/Plugin/AccountManagement.php b/app/code/Magento/Security/Model/Plugin/AccountManagement.php
@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2016 Adobe
+ * All Rights Reserved.
  */
 declare(strict_types=1);
 
@@ -80,7 +80,8 @@ public function beforeInitiatePasswordReset(
     ) {
         if ($this->scope->getCurrentScope() == Area::AREA_FRONTEND
             || $this->passwordRequestEvent == PasswordResetRequestEvent::ADMIN_PASSWORD_RESET_REQUEST
-            || ($this->scope->getCurrentScope() == Area::AREA_WEBAPI_REST
+            || (($this->scope->getCurrentScope() == Area::AREA_WEBAPI_REST
+                    || $this->scope->getCurrentScope() == Area::AREA_GRAPHQL)
             && $this->passwordRequestEvent == PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST)) {
             $this->securityManager->performSecurityCheck(
                 $this->passwordRequestEvent,
diff --git a/app/code/Magento/Security/Test/Unit/Model/Plugin/AccountManagementTest.php b/app/code/Magento/Security/Test/Unit/Model/Plugin/AccountManagementTest.php
@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2016 Adobe
+ * All Rights Reserved.
  */
 declare(strict_types=1);
 
@@ -117,6 +117,7 @@ public static function beforeInitiatePasswordResetDataProvider()
             [Area::AREA_ADMINHTML, PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST, 0],
             [Area::AREA_ADMINHTML, PasswordResetRequestEvent::ADMIN_PASSWORD_RESET_REQUEST, 1],
             [Area::AREA_FRONTEND, PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST, 1],
+            [Area::AREA_GRAPHQL, PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST, 1],
             // This should never happen, but let's cover it with tests
             [Area::AREA_FRONTEND, PasswordResetRequestEvent::ADMIN_PASSWORD_RESET_REQUEST, 1],
             [Area::AREA_WEBAPI_REST, PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST, 1],
diff --git a/dev/tests/integration/framework/Magento/TestFramework/ApplicationStateComparator/_files/state-skip-list.php b/dev/tests/integration/framework/Magento/TestFramework/ApplicationStateComparator/_files/state-skip-list.php
@@ -290,6 +290,7 @@
         Magento\Framework\Cache\LockGuardedCacheLoader::class => null,
         Magento\Framework\View\Asset\PreProcessor\Pool::class => null,
         Magento\Framework\App\Area::class => null,
+        Magento\Security\Model\ResourceModel\PasswordResetRequestEvent::class => null,
         Magento\Store\Model\Store\Interceptor::class => null,
         Magento\Framework\TestFramework\ApplicationStateComparator\Comparator::class => null, // Yes, our test uses mutable state itself :-)
         Magento\Framework\GraphQl\Query\QueryParser::class => null, // reloads as a ReloadProcessor
diff --git a/dev/tests/integration/testsuite/Magento/GraphQl/App/GraphQlCustomerMutationsTest.php b/dev/tests/integration/testsuite/Magento/GraphQl/App/GraphQlCustomerMutationsTest.php
@@ -1,12 +1,18 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2023 Adobe
+ * All Rights Reserved.
  */
 declare(strict_types=1);
 
 namespace Magento\GraphQl\App;
 
+use Magento\TestFramework\Helper\Bootstrap;
+use Magento\Customer\Api\AccountManagementInterface;
+use Magento\Framework\App\Area;
+use Magento\Framework\App\State;
+use Magento\Framework\Exception\SecurityViolationException;
+use Magento\Security\Model\ResourceModel\PasswordResetRequestEvent\Collection as PasswordResetRequestEventCollection;
 use Magento\Customer\Api\CustomerRepositoryInterface;
 use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Registry;
@@ -45,6 +51,9 @@ protected function setUp(): void
      */
     protected function tearDown(): void
     {
+        $this->graphQlStateDiff->getTestObjectManager()
+            ->create(PasswordResetRequestEventCollection::class)
+            ->deleteRecordsOlderThen(time() + 1);
         $this->graphQlStateDiff->tearDown();
         $this->graphQlStateDiff = null;
         parent::tearDown();
@@ -155,6 +164,37 @@ public function testResetPassword(): void
         );
     }
 
+    /**
+     * Test that GraphQL password reset requests are subject to security checks (rate limiting)
+     * This test verifies our fix to include GraphQL area in security checks
+     *
+     * @magentoDataFixture Magento/Customer/_files/customer.php
+     * @magentoConfigFixture current_store customer/password/password_reset_protection_type 1
+     * @magentoConfigFixture current_store customer/password/max_number_password_reset_requests 1
+     * @magentoConfigFixture current_store customer/password/min_time_between_password_reset_requests 10
+     * @return void
+     */
+    public function testGraphQlPasswordResetSecurityLimiting(): void
+    {
+        $email = 'customer@example.com';
+        $query = $this->getRequestPasswordResetEmailMutation();
+        $this->graphQlStateDiff->testState(
+            $query,
+            ['email' => $email],
+            [],
+            [],
+            'requestPasswordResetEmail',
+            '"data":{"requestPasswordResetEmail":',
+            $this
+        );
+        $this->expectException(SecurityViolationException::class);
+        $objectManager = Bootstrap::getObjectManager();
+        $accountManagement = $objectManager->get(AccountManagementInterface::class);
+        $appState = $objectManager->get(State::class);
+        $appState->setAreaCode(Area::AREA_GRAPHQL);
+        $accountManagement->initiatePasswordReset($email, 'reset_password_template');
+    }
+
     /**
      * @magentoDataFixture Magento/Customer/_files/customer.php
      * @return void
diff --git a/dev/tests/integration/testsuite/Magento/GraphQl/App/State/GraphQlStateDiff.php b/dev/tests/integration/testsuite/Magento/GraphQl/App/State/GraphQlStateDiff.php
@@ -1,6 +1,6 @@
 <?php
 /**
- * Copyright 2025 Adobe
+ * Copyright 2023 Adobe
  * All Rights Reserved.
  */
 declare(strict_types=1);
@@ -153,7 +153,7 @@ public function testState(
         } elseif ($operationName==='applyCouponToCart') {
             $this->removeCouponFromCart($variables);
         } elseif ($operationName==='resetPassword') {
-            $variables2['resetPasswordToken'] = $this->getResetPasswordToken($variables['email']);
+            $variables2['resetPasswordToken'] = $variables['resetPasswordToken'];
             $variables2['email'] = $variables['email'];
             $variables2['newPassword'] = $variables['newPassword'];
         }
