LYNX-319: 401 and 403 HTTP response codes for GraphQL API

sivaschenko · sivaschenko · commit 4bb425a6cd84 · 2024-01-15T18:34:41.000Z
diff --git a/app/code/Magento/CustomerGraphQl/Controller/HttpRequestValidator/AuthorizationRequestValidator.php b/app/code/Magento/CustomerGraphQl/Controller/HttpRequestValidator/AuthorizationRequestValidator.php
@@ -0,0 +1,97 @@
+<?php
+/************************************************************************
+ *
+ * Copyright 2023 Adobe
+ * All Rights Reserved.
+ *
+ * NOTICE: All information contained herein is, and remains
+ * the property of Adobe and its suppliers, if any. The intellectual
+ * and technical concepts contained herein are proprietary to Adobe
+ * and its suppliers and are protected by all applicable intellectual
+ * property laws, including trade secret and copyright laws.
+ * Dissemination of this information or reproduction of this material
+ * is strictly forbidden unless prior written permission is obtained
+ * from Adobe.
+ * ***********************************************************************
+ */
+declare(strict_types=1);
+
+namespace Magento\CustomerGraphQl\Controller\HttpRequestValidator;
+
+use Magento\Framework\App\HttpRequestInterface;
+use Magento\Framework\Exception\AuthorizationException;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthenticationException;
+use Magento\GraphQl\Controller\HttpRequestValidatorInterface;
+use Magento\Integration\Api\Exception\UserTokenException;
+use Magento\Integration\Api\UserTokenReaderInterface;
+use Magento\Integration\Api\UserTokenValidatorInterface;
+
+/**
+ * Validate the token if it is present in headers
+ */
+class AuthorizationRequestValidator implements HttpRequestValidatorInterface
+{
+    /**
+     * @var UserTokenReaderInterface
+     *
+     * phpcs:disable Magento2.Commenting.ClassPropertyPHPDocFormatting
+     */
+    private readonly UserTokenReaderInterface $userTokenReader;
+
+    /**
+     * @var UserTokenValidatorInterface
+     *
+     * phpcs:disable Magento2.Commenting.ClassPropertyPHPDocFormatting
+     */
+    private readonly UserTokenValidatorInterface $userTokenValidator;
+
+    /**
+     * @param UserTokenReaderInterface $tokenReader
+     * @param UserTokenValidatorInterface $tokenValidator
+     */
+    public function __construct(
+        UserTokenReaderInterface $tokenReader,
+        UserTokenValidatorInterface $tokenValidator
+    ) {
+        $this->userTokenReader = $tokenReader;
+        $this->userTokenValidator = $tokenValidator;
+    }
+
+    /**
+     * Validate the authorization header bearer token if it is set
+     *
+     * @param HttpRequestInterface $request
+     * @return void
+     * @throws GraphQlAuthenticationException
+     */
+    public function validate(HttpRequestInterface $request): void
+    {
+        $authorizationHeaderValue = $request->getHeader('Authorization');
+        if (!$authorizationHeaderValue) {
+            return;
+        }
+
+        $headerPieces = explode(' ', $authorizationHeaderValue);
+        if (count($headerPieces) !== 2) {
+            return;
+        }
+
+        $tokenType = strtolower(reset($headerPieces));
+        if ($tokenType !== 'bearer') {
+            return;
+        }
+
+        $bearerToken = end($headerPieces);
+        try {
+            $token = $this->userTokenReader->read($bearerToken);
+        } catch (UserTokenException $exception) {
+            throw new GraphQlAuthenticationException(__($exception->getMessage()));
+        }
+
+        try {
+            $this->userTokenValidator->validate($token);
+        } catch (AuthorizationException $exception) {
+            throw new GraphQlAuthenticationException(__($exception->getMessage()));
+        }
+    }
+}
diff --git a/app/code/Magento/CustomerGraphQl/etc/graphql/di.xml b/app/code/Magento/CustomerGraphQl/etc/graphql/di.xml
@@ -214,4 +214,11 @@
             </argument>
         </arguments>
     </type>
+    <type name="Magento\GraphQl\Controller\HttpRequestProcessor">
+        <arguments>
+            <argument name="requestValidators" xsi:type="array">
+                <item name="authorizationValidator" xsi:type="object">Magento\CustomerGraphQl\Controller\HttpRequestValidator\AuthorizationRequestValidator</item>
+            </argument>
+        </arguments>
+    </type>
 </config>
diff --git a/app/code/Magento/GraphQl/Controller/GraphQl.php b/app/code/Magento/GraphQl/Controller/GraphQl.php
@@ -19,6 +19,8 @@
 use Magento\Framework\App\ResponseInterface;
 use Magento\Framework\Controller\Result\JsonFactory;
 use Magento\Framework\GraphQl\Exception\ExceptionFormatter;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthenticationException;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthorizationException;
 use Magento\Framework\GraphQl\Query\Fields as QueryFields;
 use Magento\Framework\GraphQl\Query\QueryParser;
 use Magento\Framework\GraphQl\Query\QueryProcessor;
@@ -181,10 +183,9 @@ public function dispatch(RequestInterface $request): ResponseInterface
     {
         $this->areaList->getArea(Area::AREA_GRAPHQL)->load(Area::PART_TRANSLATE);
 
-        $statusCode = 200;
         $jsonResult = $this->jsonFactory->create();
         $data = $this->getDataFromRequest($request);
-        $result = [];
+        $result = ['errors' => []];
 
         $schema = null;
         try {
@@ -205,8 +206,14 @@ public function dispatch(RequestInterface $request): ResponseInterface
                 $this->contextFactory->create(),
                 $data['variables'] ?? []
             );
+            $statusCode = $this->getHttpResponseCode($result);
+        } catch (GraphQlAuthenticationException $error) {
+            $result['errors'][] = $this->graphQlError->create($error);
+            $statusCode = 401;
+        } catch (GraphQlAuthorizationException $error) {
+            $result['errors'][] = $this->graphQlError->create($error);
+            $statusCode = 403;
         } catch (\Exception $error) {
-            $result['errors'] = isset($result['errors']) ? $result['errors'] : [];
             $result['errors'][] = $this->graphQlError->create($error);
             $statusCode = ExceptionFormatter::HTTP_GRAPH_QL_SCHEMA_ERROR_STATUS;
         }
@@ -224,6 +231,32 @@ public function dispatch(RequestInterface $request): ResponseInterface
         return $this->httpResponse;
     }
 
+    /**
+     * Retrieve http response code based on the error categories
+     *
+     * @param array $result
+     * @return int
+     */
+    private function getHttpResponseCode(array $result): int
+    {
+        if (empty($result['errors'])) {
+            return 200;
+        }
+        foreach ($result['errors'] as $error) {
+            if (!isset($error['extensions']['category'])) {
+                continue;
+            }
+            switch ($error['extensions']['category']) {
+                case GraphQlAuthenticationException::EXCEPTION_CATEGORY:
+                    return 401;
+                case GraphQlAuthorizationException::EXCEPTION_CATEGORY:
+                    return 403;
+            }
+        }
+
+        return 200;
+    }
+
     /**
      * Get data from request body or query string
      *
diff --git a/dev/tests/api-functional/testsuite/Magento/GraphQl/Customer/AuthenticationTest.php b/dev/tests/api-functional/testsuite/Magento/GraphQl/Customer/AuthenticationTest.php
@@ -0,0 +1,208 @@
+<?php
+/************************************************************************
+ *
+ * Copyright 2023 Adobe
+ * All Rights Reserved.
+ *
+ * NOTICE: All information contained herein is, and remains
+ * the property of Adobe and its suppliers, if any. The intellectual
+ * and technical concepts contained herein are proprietary to Adobe
+ * and its suppliers and are protected by all applicable intellectual
+ * property laws, including trade secret and copyright laws.
+ * Dissemination of this information or reproduction of this material
+ * is strictly forbidden unless prior written permission is obtained
+ * from Adobe.
+ * ***********************************************************************
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQl\Customer;
+
+use Magento\Customer\Api\CustomerRepositoryInterface;
+use Magento\Customer\Api\Data\CustomerInterface;
+use Magento\Customer\Test\Fixture\Customer;
+use Magento\Integration\Api\CustomerTokenServiceInterface;
+use Magento\TestFramework\Fixture\DataFixture;
+use Magento\TestFramework\Fixture\DataFixtureStorageManager;
+use Magento\TestFramework\Helper\Bootstrap;
+use Magento\TestFramework\TestCase\GraphQlAbstract;
+use Magento\TestFramework\TestCase\HttpClient\CurlClient;
+
+/**
+ * Test customer authentication responses
+ */
+class AuthenticationTest extends GraphQlAbstract
+{
+    private const QUERY_ACCESSIBLE_BY_GUEST = <<<QUERY
+{
+  isEmailAvailable(email: "customer@example.com") {
+    is_email_available
+  }
+}
+QUERY;
+
+    private const QUERY_REQUIRE_AUTHENTICATION = <<<QUERY
+{
+  customer {
+    email
+  }
+}
+QUERY;
+
+    private $tokenService;
+
+    protected function setUp(): void
+    {
+        $this->tokenService = Bootstrap::getObjectManager()->get(CustomerTokenServiceInterface::class);
+    }
+
+    public function testNoToken()
+    {
+        $response = $this->graphQlQuery(self::QUERY_ACCESSIBLE_BY_GUEST);
+
+        self::assertArrayHasKey('isEmailAvailable', $response);
+        self::assertArrayHasKey('is_email_available', $response['isEmailAvailable']);
+    }
+
+    public function testInvalidToken()
+    {
+        $this->expectExceptionCode(401);
+        Bootstrap::getObjectManager()->get(CurlClient::class)->get(
+            rtrim(TESTS_BASE_URL, '/') . '/graphql',
+            [
+                'query' => self::QUERY_ACCESSIBLE_BY_GUEST
+            ],
+            [
+                'Authorization: Bearer invalid_token'
+            ]
+        );
+    }
+
+    #[
+        DataFixture(Customer::class, as: 'customer'),
+    ]
+    public function testRevokedTokenPublicQuery()
+    {
+        /** @var CustomerInterface $customer */
+        $customer = DataFixtureStorageManager::getStorage()->get('customer');
+        $token = $this->tokenService->createCustomerAccessToken($customer->getEmail(), 'password');
+
+        $response = $this->graphQlQuery(
+            self::QUERY_ACCESSIBLE_BY_GUEST,
+            [],
+            '',
+            [
+                'Authorization' => 'Bearer ' . $token
+            ]
+        );
+
+        self::assertArrayHasKey('isEmailAvailable', $response);
+        self::assertArrayHasKey('is_email_available', $response['isEmailAvailable']);
+
+        $this->tokenService->revokeCustomerAccessToken($customer->getId());
+
+        $this->expectExceptionCode(401);
+        Bootstrap::getObjectManager()->get(CurlClient::class)->get(
+            rtrim(TESTS_BASE_URL, '/') . '/graphql',
+            [
+                'query' => self::QUERY_ACCESSIBLE_BY_GUEST
+            ],
+            [
+                'Authorization: Bearer ' . $token
+            ]
+        );
+    }
+
+    #[
+        DataFixture(Customer::class, as: 'customer'),
+    ]
+    public function testRevokedTokenProtectedQuery()
+    {
+        /** @var CustomerInterface $customer */
+        $customer = DataFixtureStorageManager::getStorage()->get('customer');
+        $token = $this->tokenService->createCustomerAccessToken($customer->getEmail(), 'password');
+
+        $response = $this->graphQlQuery(
+            self::QUERY_REQUIRE_AUTHENTICATION,
+            [],
+            '',
+            [
+                'Authorization' => 'Bearer ' . $token
+            ]
+        );
+
+        self::assertEquals(
+            [
+                'customer' => [
+                    'email' => $customer->getEmail()
+                ]
+            ],
+            $response
+        );
+
+        $this->tokenService->revokeCustomerAccessToken($customer->getId());
+
+        $this->expectExceptionCode(401);
+        Bootstrap::getObjectManager()->get(CurlClient::class)->get(
+            rtrim(TESTS_BASE_URL, '/') . '/graphql',
+            [
+                'query' => self::QUERY_REQUIRE_AUTHENTICATION
+            ],
+            [
+                'Authorization: Bearer ' . $token
+            ]
+        );
+    }
+
+    #[
+        DataFixture(Customer::class, as: 'customer'),
+        DataFixture(
+            Customer::class,
+            [
+                'addresses' => [
+                    [
+                        'country_id' => 'US',
+                        'region_id' => 32,
+                        'city' => 'Boston',
+                        'street' => ['10 Milk Street'],
+                        'postcode' => '02108',
+                        'telephone' => '1234567890',
+                        'default_billing' => true,
+                        'default_shipping' => true
+                    ]
+                ]
+            ],
+            as: 'customer2'
+        ),
+    ]
+    public function testForbidden()
+    {
+        /** @var CustomerInterface $customer2 */
+        $customer2Data = DataFixtureStorageManager::getStorage()->get('customer2');
+        $customer2 = Bootstrap::getObjectManager()
+            ->get(CustomerRepositoryInterface::class)
+            ->get($customer2Data->getEmail());
+        $addressId = $customer2->getDefaultBilling();
+        $mutation
+            = <<<MUTATION
+mutation {
+  deleteCustomerAddress(id: {$addressId})
+}
+MUTATION;
+
+        /** @var CustomerInterface $customer */
+        $customer = DataFixtureStorageManager::getStorage()->get('customer');
+        $token = $this->tokenService->createCustomerAccessToken($customer->getEmail(), 'password');
+
+        $this->expectExceptionCode(403);
+        Bootstrap::getObjectManager()->get(CurlClient::class)->post(
+            rtrim(TESTS_BASE_URL, '/') . '/graphql',
+            json_encode(['query' => $mutation]),
+            [
+                'Authorization: Bearer ' . $token,
+                'Accept: application/json',
+                'Content-Type: application/json'
+            ]
+        );
+    }
+}
