Merge remote-tracking branch 'mainline/2.4.1-develop' into 28124-graphql-order-email

Author: cpartica

app/code/Magento/Authorization/Model/CompositeUserContext.php

@@ -56,15 +56,15 @@ protected function add(UserContextInterface $userContext)
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritDoc
      */
     public function getUserId()
     {
         return $this->getUserContext() ? $this->getUserContext()->getUserId() : null;
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritDoc
      */
     public function getUserType()
     {
@@ -78,7 +78,7 @@ public function getUserType()
      */
     protected function getUserContext()
     {
-        if ($this->chosenUserContext === null) {
+        if (!$this->chosenUserContext) {
             /** @var UserContextInterface $userContext */
             foreach ($this->userContexts as $userContext) {
                 if ($userContext->getUserType() && $userContext->getUserId() !== null) {

app/code/Magento/Captcha/Model/DefaultModel.php

@@ -7,7 +7,9 @@
 
 namespace Magento\Captcha\Model;
 
+use Magento\Authorization\Model\UserContextInterface;
 use Magento\Captcha\Helper\Data;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Math\Random;
 
 /**
@@ -93,27 +95,35 @@ class DefaultModel extends \Laminas\Captcha\Image implements \Magento\Captcha\Mo
      */
     private $randomMath;
 
+    /**
+     * @var UserContextInterface
+     */
+    private $userContext;
+
     /**
      * @param \Magento\Framework\Session\SessionManagerInterface $session
      * @param \Magento\Captcha\Helper\Data $captchaData
      * @param ResourceModel\LogFactory $resLogFactory
      * @param string $formId
      * @param Random $randomMath
+     * @param UserContextInterface|null $userContext
      * @throws \Laminas\Captcha\Exception\ExtensionNotLoadedException
      */
     public function __construct(
         \Magento\Framework\Session\SessionManagerInterface $session,
         \Magento\Captcha\Helper\Data $captchaData,
         \Magento\Captcha\Model\ResourceModel\LogFactory $resLogFactory,
         $formId,
-        Random $randomMath = null
+        Random $randomMath = null,
+        ?UserContextInterface $userContext = null
     ) {
         parent::__construct();
         $this->session = $session;
         $this->captchaData = $captchaData;
         $this->resLogFactory = $resLogFactory;
         $this->formId = $formId;
-        $this->randomMath = $randomMath ?? \Magento\Framework\App\ObjectManager::getInstance()->get(Random::class);
+        $this->randomMath = $randomMath ?? ObjectManager::getInstance()->get(Random::class);
+        $this->userContext = $userContext ?? ObjectManager::getInstance()->get(UserContextInterface::class);
     }
 
     /**
@@ -152,6 +162,7 @@ public function isRequired($login = null)
                 $this->formId,
                 $this->getTargetForms()
             )
+            || $this->userContext->getUserType() === UserContextInterface::USER_TYPE_INTEGRATION
         ) {
             return false;
         }
@@ -241,7 +252,7 @@ private function isOverLimitLoginAttempts($login)
      */
     private function isUserAuth()
     {
-        return $this->session->isLoggedIn();
+        return $this->session->isLoggedIn() || $this->userContext->getUserId();
     }
 
     /**
@@ -427,7 +438,7 @@ public function getWordLen()
             $to = self::DEFAULT_WORD_LENGTH_TO;
         }
 
-        return \Magento\Framework\Math\Random::getRandomNumber($from, $to);
+        return Random::getRandomNumber($from, $to);
     }
 
     /**
@@ -549,7 +560,7 @@ private function clearWord()
      */
     protected function randomSize()
     {
-        return \Magento\Framework\Math\Random::getRandomNumber(280, 300) / 100;
+        return Random::getRandomNumber(280, 300) / 100;
     }
 
     /**

app/code/Magento/Captcha/Observer/CaptchaStringResolver.php

@@ -3,10 +3,14 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+
+declare(strict_types=1);
+
 namespace Magento\Captcha\Observer;
 
 use Magento\Framework\App\RequestInterface;
 use Magento\Framework\App\Request\Http as HttpRequest;
+use Magento\Captcha\Helper\Data as CaptchaHelper;
 
 /**
  * Extract given captcha word.
@@ -22,12 +26,13 @@ class CaptchaStringResolver
      */
     public function resolve(RequestInterface $request, $formId)
     {
-        $captchaParams = $request->getPost(\Magento\Captcha\Helper\Data::INPUT_NAME_FIELD_VALUE);
+        $value = '';
+        $captchaParams = $request->getPost(CaptchaHelper::INPUT_NAME_FIELD_VALUE);
         if (!empty($captchaParams) && !empty($captchaParams[$formId])) {
             $value = $captchaParams[$formId];
-        } else {
-            //For Web APIs
-            $value = $request->getHeader('X-Captcha');
+        } elseif ($headerValue = $request->getHeader('X-Captcha')) {
+            //CAPTCHA was provided via header for this XHR/web API request.
+            $value = $headerValue;
         }
 
         return $value;

app/code/Magento/Captcha/Test/Unit/Model/DefaultTest.php

@@ -7,6 +7,7 @@
 
 namespace Magento\Captcha\Test\Unit\Model;
 
+use Magento\Authorization\Model\UserContextInterface;
 use Magento\Captcha\Block\Captcha\DefaultCaptcha;
 use Magento\Captcha\Helper\Data;
 use Magento\Captcha\Model\DefaultModel;
@@ -93,10 +94,15 @@ class DefaultTest extends TestCase
     protected $session;
 
     /**
-     * @var MockObject
+     * @var MockObject|LogFactory
      */
     protected $_resLogFactory;
 
+    /**
+     * @var UserContextInterface|MockObject
+     */
+    private $userContextMock;
+
     /**
      * Sets up the fixture, for example, opens a network connection.
      * This method is called before a test is executed.
@@ -139,11 +145,18 @@ protected function setUp(): void
             $this->_getResourceModelStub()
         );
 
+        $randomMock = $this->createMock(Random::class);
+        $randomMock->method('getRandomString')->willReturn('random-string');
+
+        $this->userContextMock = $this->getMockForAbstractClass(UserContextInterface::class);
+
         $this->_object = new DefaultModel(
             $this->session,
             $this->_getHelperStub(),
             $this->_resLogFactory,
-            'user_create'
+            'user_create',
+            $randomMock,
+            $this->userContextMock
         );
     }
 
@@ -163,6 +176,19 @@ public function testIsRequired()
         $this->assertTrue($this->_object->isRequired());
     }
 
+    /**
+     * Validate that CAPTCHA is disabled for integrations.
+     *
+     * @return void
+     */
+    public function testIsRequiredForIntegration(): void
+    {
+        $this->userContextMock->method('getUserType')->willReturn(UserContextInterface::USER_TYPE_INTEGRATION);
+        $this->userContextMock->method('getUserId')->willReturn(1);
+
+        $this->assertFalse($this->_object->isRequired());
+    }
+
     /**
      * @covers \Magento\Captcha\Model\DefaultModel::isCaseSensitive
      */

app/code/Magento/Captcha/composer.json

@@ -11,6 +11,7 @@
         "magento/module-checkout": "*",
         "magento/module-customer": "*",
         "magento/module-store": "*",
+        "magento/module-authorization": "*",
         "laminas/laminas-captcha": "^2.7.1",
         "laminas/laminas-db": "^2.8.2",
         "laminas/laminas-session": "^2.7.3"

app/code/Magento/Captcha/i18n/en_US.csv

@@ -9,6 +9,7 @@ Always,Always
 "Reload captcha","Reload captcha"
 "Please type the letters and numbers below","Please type the letters and numbers below"
 "Attention: Captcha is case sensitive.","Attention: Captcha is case sensitive."
+"Please provide CAPTCHA code and try again","Please provide CAPTCHA code and try again"
 CAPTCHA,CAPTCHA
 "Enable CAPTCHA in Admin","Enable CAPTCHA in Admin"
 Font,Font

app/code/Magento/Checkout/Api/Exception/PaymentProcessingRateLimitExceededException.php

@@ -0,0 +1,19 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Checkout\Api\Exception;
+
+use Magento\Framework\Exception\LocalizedException;
+
+/**
+ * Thrown when too many payment processing requests have been initiated by a user.
+ */
+class PaymentProcessingRateLimitExceededException extends LocalizedException
+{
+
+}

app/code/Magento/Checkout/Api/PaymentProcessingRateLimiterInterface.php

@@ -0,0 +1,25 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Checkout\Api;
+
+use Magento\Checkout\Api\Exception\PaymentProcessingRateLimitExceededException;
+
+/**
+ * Limits number of times a user can initiate payment processing.
+ */
+interface PaymentProcessingRateLimiterInterface
+{
+    /**
+     * Limit an attempt to initiate a new payment processing.
+     *
+     * @return void
+     * @throws PaymentProcessingRateLimitExceededException
+     */
+    public function limit(): void;
+}

app/code/Magento/Checkout/Model/CaptchaPaymentProcessingRateLimiter.php

@@ -0,0 +1,123 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Checkout\Model;
+
+use Magento\Authorization\Model\UserContextInterface;
+use Magento\Checkout\Api\Exception\PaymentProcessingRateLimitExceededException;
+use Magento\Checkout\Api\PaymentProcessingRateLimiterInterface;
+use Magento\Customer\Api\CustomerRepositoryInterface;
+use Magento\Captcha\Model\DefaultModel as Captcha;
+use Magento\Captcha\Helper\Data as CaptchaHelper;
+use Magento\Captcha\Observer\CaptchaStringResolver as CaptchaResolver;
+use Magento\Framework\App\RequestInterface;
+
+/**
+ * Utilize CAPTCHA as a rate-limiting mechanism.
+ */
+class CaptchaPaymentProcessingRateLimiter implements PaymentProcessingRateLimiterInterface
+{
+    public const CAPTCHA_FORM = 'payment_processing_request';
+
+    /**
+     * @var UserContextInterface
+     */
+    private $userContext;
+
+    /**
+     * @var CustomerRepositoryInterface
+     */
+    private $customerRepo;
+
+    /**
+     * @var CaptchaHelper
+     */
+    private $captchaHelper;
+
+    /**
+     * @var RequestInterface
+     */
+    private $request;
+
+    /**
+     * @var CaptchaResolver
+     */
+    private $captchaResolver;
+
+    /**
+     * CaptchaPaymentProcessingRateLimiter constructor.
+     *
+     * @param UserContextInterface $userContext
+     * @param CustomerRepositoryInterface $customerRepo
+     * @param CaptchaHelper $captchaHelper
+     * @param RequestInterface $request
+     * @param CaptchaResolver $captchaResolver
+     */
+    public function __construct(
+        UserContextInterface $userContext,
+        CustomerRepositoryInterface $customerRepo,
+        CaptchaHelper $captchaHelper,
+        RequestInterface $request,
+        CaptchaResolver $captchaResolver
+    ) {
+        $this->userContext = $userContext;
+        $this->customerRepo = $customerRepo;
+        $this->captchaHelper = $captchaHelper;
+        $this->request = $request;
+        $this->captchaResolver = $captchaResolver;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function limit(): void
+    {
+        if ($this->userContext->getUserType() !== UserContextInterface::USER_TYPE_GUEST
+            && $this->userContext->getUserType() !== UserContextInterface::USER_TYPE_CUSTOMER
+            && $this->userContext->getUserType() !== null
+        ) {
+            return;
+        }
+
+        $login = $this->retrieveLogin();
+        /** @var Captcha $captcha */
+        $captcha = $this->captchaHelper->getCaptcha(self::CAPTCHA_FORM);
+        /** @var PaymentProcessingRateLimitExceededException|null $exception */
+        $exception = null;
+        if ($captcha->isRequired($login)) {
+            $value = $this->captchaResolver->resolve($this->request, self::CAPTCHA_FORM);
+            if ($value && !$captcha->isCorrect($value)) {
+                $exception = new PaymentProcessingRateLimitExceededException(__('Incorrect CAPTCHA'));
+            } elseif (!$value) {
+                $exception = new PaymentProcessingRateLimitExceededException(
+                    __('Please provide CAPTCHA code and try again')
+                );
+            }
+        }
+
+        $captcha->logAttempt($login);
+        if ($exception) {
+            throw $exception;
+        }
+    }
+
+    /**
+     * Retrieve current user login.
+     *
+     * @return string|null
+     */
+    private function retrieveLogin(): ?string
+    {
+        $login = null;
+        if ($this->userContext->getUserId()) {
+            $login = $this->customerRepo->getById($this->userContext->getUserId())->getEmail();
+        }
+
+        return $login;
+    }
+}