PWA-1938: Resetting user context when auth token is revoked

Author: pdohogne-magento

app/code/Magento/GraphQlCache/Model/Plugin/Integration/Api/UserTokenIssuer.php renamed to app/code/Magento/GraphQlCache/Model/Plugin/Auth/TokenIssuer.php

@@ -5,17 +5,17 @@
  */
 declare(strict_types=1);
 
-namespace Magento\GraphQlCache\Model\Plugin\Integration\Api;
+namespace Magento\GraphQlCache\Model\Plugin\Auth;
 
 use Magento\Authorization\Model\UserContextInterface;
-use Magento\Framework\App\ResponseInterface;
 use Magento\GraphQl\Model\Query\ContextFactoryInterface;
 use Magento\Integration\Api\UserTokenIssuerInterface;
+use Magento\Integration\Model\CustomUserContext;
 
 /**
- * Load the shared UserContext with data for the user used to generate the token
+ * Load the shared UserContext with data for the new user after a token is generated
  */
-class UserTokenIssuer
+class TokenIssuer
 {
     /**
      * @var ContextFactoryInterface
@@ -36,7 +36,7 @@ public function __construct(ContextFactoryInterface $contextFactory)
      * @param UserTokenIssuerInterface $issuer
      * @param string $result
      * @param UserContextInterface $userContext
-     * @return ResponseInterface
+     * @return string
      *
      * @SuppressWarnings(PHPMD.UnusedFormalParameter)
      */

app/code/Magento/GraphQlCache/Model/Plugin/Auth/TokenRevoker.php

@@ -0,0 +1,41 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQlCache\Model\Plugin\Auth;
+
+use Magento\Authorization\Model\UserContextInterface;
+use Magento\GraphQl\Model\Query\ContextFactoryInterface;
+use Magento\Integration\Model\CustomUserContext;
+
+/**
+ * Load the shared UserContext with data for guest after a token is revoked
+ */
+class TokenRevoker
+{
+    /**
+     * @var ContextFactoryInterface
+     */
+    private $contextFactory;
+
+    /**
+     * @param ContextFactoryInterface $contextFactory
+     */
+    public function __construct(ContextFactoryInterface $contextFactory)
+    {
+        $this->contextFactory = $contextFactory;
+    }
+
+    /**
+     * Reset the shared user context to guest after a token is revoked
+     *
+     * @return void
+     */
+    public function afterRevokeFor(): void
+    {
+        $this->contextFactory->create(new CustomUserContext(0, UserContextInterface::USER_TYPE_GUEST));
+    }
+}

app/code/Magento/GraphQlCache/etc/graphql/di.xml

@@ -24,6 +24,9 @@
         <plugin name="result-varnish-cache" type="Magento\PageCache\Model\Controller\Result\VarnishPlugin"/>
     </type>
     <type name="Magento\Integration\Api\UserTokenIssuerInterface">
-        <plugin name="set-context-after-token" type="Magento\GraphQlCache\Model\Plugin\Integration\Api\UserTokenIssuer"/>
+        <plugin name="set-context-after-token" type="Magento\GraphQlCache\Model\Plugin\Auth\TokenIssuer"/>
+    </type>
+    <type name="Magento\Integration\Api\UserTokenRevokerInterface">
+        <plugin name="set-guest-after-revoke" type="Magento\GraphQlCache\Model\Plugin\Auth\TokenRevoker"/>
     </type>
 </config>

dev/tests/api-functional/testsuite/Magento/GraphQl/GraphQlCache/CacheIdFactorProviders/Customer/IsLoggedInProviderTest.php

@@ -93,4 +93,44 @@ public function testCacheIdHeaderWithIsLoggedIn()
             $addProductToCustomerCartResponse['headers'][CacheIdCalculator::CACHE_ID_HEADER]
         );
     }
+
+    /**
+     * Tests that cache id header resets to the one for guest when a customer token is revoked
+     *
+     * @magentoApiDataFixture Magento/Customer/_files/customer.php
+     * @magentoApiDataFixture Magento/GraphQl/Catalog/_files/simple_product.php
+     */
+    public function testCacheIdHeaderAfterRevokeToken()
+    {
+        // Get the guest cache id
+        $guestCartResponse = $this->graphQlMutationWithResponseHeaders('mutation{createEmptyCart}');
+        $this->assertArrayHasKey(CacheIdCalculator::CACHE_ID_HEADER, $guestCartResponse['headers']);
+        $guestCacheId = $guestCartResponse['headers'][CacheIdCalculator::CACHE_ID_HEADER];
+
+        // Get the customer cache id and token to send to the revoke mutation
+        $generateToken = <<<MUTATION
+mutation{
+  generateCustomerToken(email:"customer@example.com", password:"password")
+  {token}
+}
+MUTATION;
+        $tokenResponse = $this->graphQlMutationWithResponseHeaders($generateToken);
+        $this->assertArrayHasKey('generateCustomerToken', $tokenResponse['body']);
+        $customerToken = $tokenResponse['body']['generateCustomerToken']['token'];
+        $this->assertArrayHasKey(CacheIdCalculator::CACHE_ID_HEADER, $tokenResponse['headers']);
+        $customerCacheId = $tokenResponse['headers'][CacheIdCalculator::CACHE_ID_HEADER];
+        $this->assertNotEquals($customerCacheId, $guestCacheId);
+
+        // Revoke the token and check that it returns the guest cache id
+        $revokeCustomerToken = "mutation{revokeCustomerToken{result}}";
+        $revokeResponse = $this->graphQlMutationWithResponseHeaders(
+            $revokeCustomerToken,
+            [],
+            '',
+            ['Authorization' => 'Bearer ' . $customerToken]
+        );
+        $this->assertArrayHasKey(CacheIdCalculator::CACHE_ID_HEADER, $revokeResponse['headers']);
+        $revokeCacheId = $revokeResponse['headers'][CacheIdCalculator::CACHE_ID_HEADER];
+        $this->assertEquals($guestCacheId, $revokeCacheId);
+    }
 }