Merge branch 'AC-9196' of https://github.com/magento-gl/security-package into AC-9196

Author: glo05363

.github/CONTRIBUTING.md

@@ -19,11 +19,11 @@ For more detailed information on contribution please read our [beginners guide](
 2. Pull requests (PRs) must be accompanied by a meaningful description of their purpose. Comprehensive descriptions increase the chances of a pull request being merged quickly and without additional clarification requests.
 3. Commits must be accompanied by meaningful commit messages. Please see the [Magento Pull Request Template](https://github.com/magento/magento2/blob/2.3-develop/.github/PULL_REQUEST_TEMPLATE.md) for more information.
 4. PRs which include bug fixes must be accompanied with a step-by-step description of how to reproduce the bug.
-3. PRs which include new logic or new features must be submitted along with:
-* Unit/integration test coverage
-* Proposed [documentation](https://devdocs.magento.com) updates. Documentation contributions can be submitted via the [devdocs GitHub](https://github.com/magento/devdocs).
-4. For larger features or changes, please [open an issue](https://github.com/magento/magento2/issues) to discuss the proposed changes prior to development. This may prevent duplicate or unnecessary effort and allow other contributors to provide input.
-5. All automated tests must pass (all builds on [Travis CI](https://travis-ci.org/magento/magento2) must be green).
+5. PRs which include new logic or new features must be submitted along with:
+   * Unit/integration test coverage
+   * Proposed [documentation](https://developer.adobe.com/commerce) updates. Use feedback buttons __Edit in GitHub__ and __Log an issue__ at the top of a relevant topic.
+6. For larger features or changes, please [open an issue](https://github.com/magento/magento2/issues) to discuss the proposed changes prior to development. This may prevent duplicate or unnecessary effort and allow other contributors to provide input.
+7. All automated tests must pass (all builds on [Travis CI](https://travis-ci.org/magento/magento2) must be green).
 
 ## Contribution process
 

ReCaptchaFrontendUi/view/frontend/web/js/reCaptcha.js

@@ -73,8 +73,14 @@ define(
              * @param {String} token
              */
             reCaptchaCallback: function (token) {
+                var submitButton;
+
                 if (this.getIsInvisibleRecaptcha()) {
                     this.tokenField.value = token;
+                    submitButton = this.$parentForm.find('button:not([type]), [type=submit]');
+                    if (submitButton.length) { //eslint-disable-line max-depth
+                        submitButton.attr('disabled', false);
+                    }
                     this.$parentForm.submit();
                 }
             },
@@ -155,18 +161,17 @@ define(
 
                 if (this.getIsInvisibleRecaptcha() && parentForm.length > 0) {
                     parentForm.submit(function (event) {
+                        var submitButton;
+
                         if (!this.tokenField.value) {
+                            submitButton = this.$parentForm.find('button:not([type]), [type=submit]');
+                            if (submitButton.length) { //eslint-disable-line max-depth
+                                submitButton.attr('disabled', true);
+                            }
                             // eslint-disable-next-line no-undef
                             grecaptcha.execute(widgetId);
                             event.preventDefault(event);
                             event.stopImmediatePropagation();
-                            if (this.$parentForm.valid()) {
-                                let formSubmitButton = this.$parentForm.find('button:not([type]), [type=submit]');
-
-                                if (formSubmitButton.length) { //eslint-disable-line max-depth
-                                    formSubmitButton.attr('disabled', true);
-                                }
-                            }
                         }
                     }.bind(this));
 

TwoFactorAuth/view/adminhtml/web/js/u2fkey/auth.js

@@ -84,6 +84,10 @@ define([
          */
         waitForTouch: function () {
             this.idle(false);
+            if (!navigator.credentials) {
+                this.currentStep('no-webauthn');
+                return;
+            }
             navigator.credentials.get({
                 publicKey: this.authenticateData.credentialRequestOptions
             })
@@ -158,8 +162,8 @@ define([
         _onCredentialError: function (u2fError) {
             this.idle(true);
 
-            if (['AbortError', 'NS_ERROR_ABORT', 'NotAllowedError'].indexOf(u2fError.name) === -1) {
-                error.display($t('Unable to register your device'));
+            if (['AbortError', 'NS_ERROR_ABORT'].indexOf(u2fError.name) === -1) {
+                error.display($t(u2fError.message));
             }
         }
     });

TwoFactorAuth/view/adminhtml/web/js/u2fkey/configure.js

@@ -78,6 +78,10 @@ define([
          */
         waitForTouch: function () {
             this.idle(false);
+            if (!navigator.credentials) {
+                this.currentStep('no-webauthn');
+                return;
+            }
             navigator.credentials.create({
                 publicKey: this.registerData.publicKey
             })
@@ -150,8 +154,8 @@ define([
         _onCredentialError: function (u2fError) {
             this.idle(true);
 
-            if (['AbortError', 'NS_ERROR_ABORT', 'NotAllowedError'].indexOf(u2fError.name) === -1) {
-                error.display($t('Unable to register your device'));
+            if (['AbortError', 'NS_ERROR_ABORT'].indexOf(u2fError.name) === -1) {
+                error.display($t(u2fError.message));
             }
         }
     });

TwoFactorAuth/view/adminhtml/web/template/u2fkey/auth.html

@@ -9,7 +9,7 @@
         <fieldset class="admin__fieldset">
             <legend class="admin__legend">
                 <span translate="'2FA - U2F key verification'"></span>
-            </legend><br/>
+            </legend><br>
             <div class="tfa-u2f-touch-key">
                 <h3 translate="'Plug in your U2F key and follow instructions'"></h3>
                 <div visible="$data.idle" class="tfa-u2f-try-again">
@@ -27,6 +27,10 @@ <h3 translate="'Plug in your U2F key and follow instructions'"></h3>
         </div>
         <div translate="'Redirecting to Magento Admin Panel...'"></div>
     </div>
+    <div visible='currentStep() === "no-webauthn"'
+         translate="'Error! Your browser does not support WebAuthn or you are not using a secure connection'"
+    >
+    </div>
     <div visible='$data.loading' class="tfa-waitbox">
         <div data-role="spinner">
             <div class="spinner">

TwoFactorAuth/view/adminhtml/web/template/u2fkey/configure.html

@@ -9,7 +9,7 @@
         <fieldset class="admin__fieldset">
             <legend class="admin__legend">
                 <span translate="'2FA - U2F key device registration'"></span>
-            </legend><br/>
+            </legend><br>
             <div id="u2f-touch-key">
                 <h3 translate="'Plug in your U2F key and follow instructions'"></h3>
                 <div visible="$data.idle" class="tfa-u2f-try-again">
@@ -27,6 +27,10 @@ <h3 translate="'Plug in your U2F key and follow instructions'"></h3>
         </div>
         <div translate="'Redirecting to Magento Admin Panel...'"></div>
     </div>
+    <div visible='currentStep() === "no-webauthn"'
+         translate="'Error! Your browser does not support WebAuthn or you are not using a secure connection'"
+    >
+    </div>
     <div visible='$data.loading' class="tfa-waitbox">
         <div data-role="spinner">
             <div class="spinner">

dev/tests/js/jasmine/tests/app/code/Magento/ReCaptchaFrontendUi/frontend/js/reCaptcha.test.js

@@ -0,0 +1,134 @@
+/************************************************************************
+ *
+ * Copyright 2023 Adobe
+ * All Rights Reserved.
+ *
+ * NOTICE: All information contained herein is, and remains
+ * the property of Adobe and its suppliers, if any. The intellectual
+ * and technical concepts contained herein are proprietary to Adobe
+ * and its suppliers and are protected by all applicable intellectual
+ * property laws, including trade secret and copyright laws.
+ * Dissemination of this information or reproduction of this material
+ * is strictly forbidden unless prior written permission is obtained
+ * from Adobe.
+ * ************************************************************************
+ */
+
+/* eslint-disable max-nested-callbacks */
+define([
+    'squire'
+], function (Squire) {
+    'use strict';
+
+    var injector = new Squire(),
+        mocks = {
+            'Magento_ReCaptchaFrontendUi/js/registry': {
+                ds: [],
+                captchaList: [],
+                tokenFields: []
+            },
+            'Magento_ReCaptchaFrontendUi/js/reCaptchaScriptLoader': {
+                addReCaptchaScriptTag: jasmine.createSpy('reCaptchaScriptLoader.addReCaptchaScriptTag')
+            },
+            'Magento_ReCaptchaFrontendUi/js/nonInlineReCaptchaRenderer': {
+                add: jasmine.createSpy('nonInlineReCaptchaRenderer.add')
+            }
+        },
+        reCaptchaModel,
+        formElement,
+        submitButtonElement,
+        $;
+
+    beforeEach(function (done) {
+        injector.mock(mocks);
+        injector.require(['jquery', 'Magento_ReCaptchaFrontendUi/js/reCaptcha'], function (jq, reCaptchaUiComponent) {
+            reCaptchaModel = new reCaptchaUiComponent();
+            $ = jq;
+            done();
+        });
+        formElement = document.createElement('form');
+        submitButtonElement = document.createElement('button');
+        formElement.appendChild(submitButtonElement);
+        window.document.body.appendChild(formElement);
+        window.grecaptcha = {
+            render: jasmine.createSpy('window.grecaptcha.render'),
+            execute: jasmine.createSpy('window.grecaptcha.execute')
+        };
+    });
+
+    afterEach(function () {
+        try {
+            injector.clean();
+            injector.remove();
+        } catch (e) {
+        }
+        formElement.remove();
+        formElement = undefined;
+        submitButtonElement = undefined;
+    });
+
+    describe('Magento_ReCaptchaFrontendUi/js/reCaptcha', function () {
+        describe('Invisible ReCaptcha', function () {
+            beforeEach(function () {
+                reCaptchaModel.getIsInvisibleRecaptcha = jasmine.createSpy().and.returnValue(true);
+            });
+
+            describe('"initParentForm" method', function () {
+                it(
+                    'should disable submit button, prevent submit handlers from executing and execute recaptcha' +
+                    ' on submit',
+                    function () {
+                        var request = {
+                            send: jasmine.createSpy('request.send')
+                        };
+
+                        // check that submit button is enabled
+                        expect(submitButtonElement.disabled).toBeFalse();
+                        $(formElement).on('submit', function (event) {
+                            event.preventDefault();
+                            request.send();
+                        });
+                        reCaptchaModel.initParentForm($(formElement), 'test');
+                        $(formElement).submit();
+                        // check that submit button is disabled
+                        expect(submitButtonElement.disabled).toBeTrue();
+                        // check that grecaptcha is executed
+                        expect(window.grecaptcha.execute).toHaveBeenCalledOnceWith('test');
+                        // check that other submit handlers are not executed
+                        expect(request.send).not.toHaveBeenCalled();
+                    });
+
+                it('should add a token input field to the form', function () {
+                    submitButtonElement.disabled = true;
+                    reCaptchaModel.initParentForm($(formElement), 'test');
+                    expect(submitButtonElement.disabled).toBeFalse();
+                    expect(reCaptchaModel.tokenField).not.toBeNull();
+                    expect($(reCaptchaModel.tokenField).parents('form').is($(formElement))).toBeTrue();
+                });
+            });
+            describe('"reCaptchaCallback" method', function () {
+                it('should enable submit button, set token input value and submit the form', function () {
+                    var request = {
+                        send: jasmine.createSpy('request.send')
+                    };
+
+                    submitButtonElement.disabled = true;
+                    reCaptchaModel.$parentForm = $(formElement);
+                    reCaptchaModel.tokenField = $('<input type="text" name="token" style="display: none" />')[0];
+
+                    $(formElement).on('submit', function (event) {
+                        event.preventDefault();
+                        request.send();
+                    });
+                    reCaptchaModel.reCaptchaCallback('testtoken');
+                    // check that submit button is enabled
+                    expect(submitButtonElement.disabled).toBeFalse();
+                    // check that token input value is set
+                    expect(reCaptchaModel.tokenField.value).toEqual('testtoken');
+                    // check that form is submitted
+                    expect(request.send).toHaveBeenCalled();
+                });
+            });
+        });
+    });
+});