Merge commit '246ae08aef3ad42be7e9c69f442e7680584e2880' into ACPT-1718

Author: JacobBrownAustin

app/code/Magento/Cookie/etc/di.xml

@@ -7,5 +7,6 @@
 -->
 <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
     <preference for="Magento\Framework\Stdlib\CookieManagerInterface" type="Magento\Framework\Stdlib\Cookie\PhpCookieManager" />
+    <preference for="Magento\Framework\Stdlib\CookieDisablerInterface" type="Magento\Framework\Stdlib\Cookie\PhpCookieDisabler" />
 </config>
 

app/etc/di.xml

@@ -94,6 +94,7 @@
     <preference for="Magento\Framework\Stdlib\Cookie\CookieScopeInterface" type="Magento\Framework\Stdlib\Cookie\CookieScope" />
     <preference for="Magento\Framework\Stdlib\Cookie\CookieReaderInterface" type="Magento\Framework\Stdlib\Cookie\PhpCookieReader" />
     <preference for="Magento\Framework\Stdlib\CookieManagerInterface" type="Magento\Framework\Stdlib\Cookie\PhpCookieManager" />
+    <preference for="Magento\Framework\Stdlib\CookieDisablerInterface" type="Magento\Framework\Stdlib\Cookie\PhpCookieDisabler" />
     <preference for="Magento\Framework\TranslateInterface" type="Magento\Framework\Translate" />
     <preference for="Magento\Framework\Config\ScopeListInterface" type="interceptionConfigScope" />
     <preference for="Magento\Framework\View\Design\Theme\Label\ListInterface" type="Magento\Theme\Model\ResourceModel\Theme\Collection" />

dev/tests/api-functional/testsuite/Magento/GraphQl/GraphQl/GraphQlSessionTest.php

@@ -48,6 +48,10 @@ public function setUp(): void
     /**
      * Test for checking if graphQL query sets session cookies
      *
+     * Note: The reason why the first response doesn't have cookies, but the subsequent responses do is
+     * because Magento/Framework/App/PageCache/Kernel.php removes Set-Cookie headers when the response has a
+     * public Cache-Control.  This test asserts that behaviour.
+     *
      * @magentoApiDataFixture Magento/Catalog/_files/categories.php
      * @magentoConfigFixture graphql/session/disable 0
      */
@@ -71,8 +75,7 @@ public function testCheckSessionCookieWithGetCategoryList(): void
         $result = $this->graphQlClient->getWithResponseHeaders($query, [], '', [], true);
         $this->assertEmpty($result['cookies']);
         // perform secondary request after cookies have been flushed
-        $result = $this->graphQlClient->getWithResponseHeaders($query, [], '', []);
-
+        $result = $this->graphQlClient->getWithResponseHeaders($query, [], '', [], true);
         // may have other cookies than session
         $this->assertNotEmpty($result['cookies']);
         $this->assertAnyCookieMatchesRegex('/PHPSESSID=[a-z0-9]+;/', $result['cookies']);
@@ -280,4 +283,46 @@ private function assertNoCookiesMatchRegex(string $pattern, array $cookies): voi
         }
         $this->assertTrue($result, 'Failed assertion. At least one cookie in the array matches pattern: ' . $pattern);
     }
+
+    /**
+     * Tests that Magento\Customer\Model\Session works properly when graphql/session/disable=0
+     *
+     * @magentoApiDataFixture Magento/Customer/_files/customer.php
+     * @magentoConfigFixture graphql/session/disable 0
+     */
+    public function testCustomerCanQueryOwnEmailUsingSession() : void
+    {
+        $query = '{customer{email}}';
+        $result = $this->graphQlClient->postWithResponseHeaders($query, [], '', $this->getAuthHeaders(), true);
+        // cookies are never empty and session is restarted for the authorized customer regardless current session
+        $this->assertNotEmpty($result['cookies']);
+        $this->assertAnyCookieMatchesRegex('/PHPSESSID=[a-z0-9]+;/', $result['cookies']);
+        $this->assertEquals('customer@example.com', $result['body']['customer']['email'] ?? '');
+        $result = $this->graphQlClient->postWithResponseHeaders($query, [], '', $this->getAuthHeaders());
+        // cookies are never empty and session is restarted for the authorized customer
+        // regardless current session and missing flush
+        $this->assertNotEmpty($result['cookies']);
+        $this->assertAnyCookieMatchesRegex('/PHPSESSID=[a-z0-9]+;/', $result['cookies']);
+        $this->assertEquals('customer@example.com', $result['body']['customer']['email'] ?? '');
+        /* Note: This third request is the actual one that tests that the session cookie is properly used.
+         * This time we don't send the Authorization header and rely on Cookie header instead.
+         * Because of bug in postWithResponseHeaders's $flushCookies parameter not being properly used,
+         * We have to manually set cookie header ourselves. :-(
+         */
+        $cookiesToSend = '';
+        foreach ($result['cookies'] as $cookie) {
+            preg_match('/^([^;]*);/', $cookie, $matches);
+            if (!strlen($matches[1] ?? '')) {
+                continue;
+            }
+            if (!empty($cookiesToSend)) {
+                $cookiesToSend .= '; ';
+            }
+            $cookiesToSend .= $matches[1];
+        }
+        $result = $this->graphQlClient->postWithResponseHeaders($query, [], '', ['Cookie: ' . $cookiesToSend]);
+        $this->assertNotEmpty($result['cookies']);
+        $this->assertAnyCookieMatchesRegex('/PHPSESSID=[a-z0-9]+;/', $result['cookies']);
+        $this->assertEquals('customer@example.com', $result['body']['customer']['email'] ?? '');
+    }
 }

dev/tests/static/framework/Magento/PhpStan/Formatters/FilteredErrorFormatter.php

@@ -76,7 +76,8 @@ public function formatErrors(AnalysisResult $analysisResult, Output $output): in
             $analysisResult->isDefaultLevelUsed(),
             $analysisResult->getProjectConfigFile(),
             $analysisResult->isResultCacheSaved(),
-            $analysisResult->getPeakMemoryUsageBytes()
+            $analysisResult->getPeakMemoryUsageBytes(),
+            $analysisResult->isResultCacheUsed(),
         );
 
         return $this->tableErrorFormatter->formatErrors($clearedAnalysisResult, $output);

lib/internal/Magento/Framework/App/PageCache/Kernel.php

@@ -7,6 +7,7 @@
 
 use Magento\Framework\App\State as AppState;
 use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Stdlib\CookieDisablerInterface;
 
 /**
  * Builtin cache processor
@@ -68,6 +69,9 @@ class Kernel
      */
     private $identifierForSave;
 
+    // phpcs:disable Magento2.Commenting.ClassPropertyPHPDocFormatting
+    private readonly CookieDisablerInterface $cookieDisabler;
+
     /**
      * @param Cache $cache
      * @param \Magento\Framework\App\PageCache\IdentifierInterface $identifier
@@ -79,6 +83,7 @@ class Kernel
      * @param AppState|null $state
      * @param \Magento\PageCache\Model\Cache\Type|null $fullPageCache
      * @param  \Magento\Framework\App\PageCache\IdentifierInterface|null $identifierForSave
+     * @param CookieDisablerInterface|null $cookieDisabler
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -91,7 +96,8 @@ public function __construct(
         \Magento\Framework\Serialize\SerializerInterface $serializer = null,
         AppState $state = null,
         \Magento\PageCache\Model\Cache\Type $fullPageCache = null,
-        \Magento\Framework\App\PageCache\IdentifierInterface $identifierForSave = null
+        \Magento\Framework\App\PageCache\IdentifierInterface $identifierForSave = null,
+        ?CookieDisablerInterface $cookieDisabler = null,
     ) {
         $this->cache = $cache;
         $this->identifier = $identifier;
@@ -113,6 +119,7 @@ public function __construct(
         $this->identifierForSave = $identifierForSave ?? ObjectManager::getInstance()->get(
             \Magento\Framework\App\PageCache\IdentifierInterface::class
         );
+        $this->cookieDisabler = $cookieDisabler ?? ObjectManager::getInstance()->get(CookieDisablerInterface::class);
     }
 
     /**
@@ -163,9 +170,7 @@ public function process(\Magento\Framework\App\Response\Http $response)
                 if ($this->state->getMode() != AppState::MODE_DEVELOPER) {
                     $response->clearHeader('X-Magento-Tags');
                 }
-                if (!headers_sent()) {
-                    header_remove('Set-Cookie');
-                }
+                $this->cookieDisabler->setCookiesDisabled(true);
 
                 $this->fullPageCache->save(
                     $this->serializer->serialize($this->getPreparedData($response)),

lib/internal/Magento/Framework/Session/SessionManager.php

@@ -638,13 +638,6 @@ private function initIniOptions()
      */
     public function _resetState(): void
     {
-        if (session_status() === PHP_SESSION_ACTIVE) {
-            session_write_close();
-            session_id('');
-        }
-        session_name('PHPSESSID');
-        session_unset();
         static::$urlHostCache = [];
-        $_SESSION = [];
     }
 }

lib/internal/Magento/Framework/Stdlib/Cookie/PhpCookieDisabler.php

@@ -0,0 +1,26 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Framework\Stdlib\Cookie;
+
+use Magento\Framework\Stdlib\CookieDisablerInterface;
+
+/**
+ * Disables sending the cookies that are currently set.
+ */
+class PhpCookieDisabler implements CookieDisablerInterface
+{
+    /**
+     * @inheritDoc
+     */
+    public function setCookiesDisabled(bool $disabled) : void
+    {
+        if ($disabled && !headers_sent()) {
+            header_remove('Set-Cookie');
+        }
+    }
+}

lib/internal/Magento/Framework/Stdlib/CookieDisablerInterface.php

@@ -0,0 +1,22 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Framework\Stdlib;
+
+/**
+ * This interface is for when you need to disable all cookies from being sent in the HTTP response
+ */
+interface CookieDisablerInterface
+{
+    /**
+     * Set Cookies Disabled.  If true, cookies won't be sent.
+     *
+     * @param bool $disabled
+     * @return void
+     */
+    public function setCookiesDisabled(bool $disabled) : void;
+}