Merge branch 'b-7.4.x' into b-7.4.x-simplify-OXDEV-9078

Author: TitaKoleva

CHANGELOG.md

@@ -9,6 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Two-Factor Authentication (2FA) with email OTP verification
 
+### Fixed
+- Captcha validation moved from User model to UserComponent to prevent API login failures
+
 ## [2.1.0] - 2026-01-14
 
 ### Added
@@ -58,6 +61,7 @@ This is the stable release of v1.0.0. No changes have been made since v1.0.0-rc.
 - Button for generating strong password
 - Button for show/hide password in password fields
 
+[2.1.0]: https://github.com/OXID-eSales/security-module/compare/v2.0.0...v2.1.0
 [2.0.0]: https://github.com/OXID-eSales/security-module/compare/v2.0.0-rc.3...v2.0.0
 [2.0.0-rc.3]: https://github.com/OXID-eSales/security-module/compare/v2.0.0-rc.2...v2.0.0-rc.3
 [2.0.0-rc.2]: https://github.com/OXID-eSales/security-module/compare/v2.0.0-rc.1...v2.0.0-rc.2

README.md

@@ -14,7 +14,7 @@ A collection of security features for OXID eShop
 This module assumes you have OXID eShop Compilation version 7.4.0 installed.
 
 ### Branches
-* b-7.4.x branch is compatible with OXID eShop compilation 7.4.x
+* 2.1.0.x versions (or b-7.4.x branch) are compatible with OXID eShop compilation 7.4.x
 * 2.0.0.x versions (or b-7.3.x branch) are compatible with OXID eShop compilation 7.3.x.
 * 1.0.0.x versions (or b-7.2.x branch) are compatible with OXID eShop compilation 7.2.x.
 

assets/out/src/css/providers.css

@@ -27,11 +27,12 @@
         'de' => 'Werkzeuge zum Schutz Ihres Shops und zur Sicherung von Kundenkonten.'
     ],
     'thumbnail'   => 'logo.png',
-    'version'     => '2.0.0',
+    'version'     => '2.1.0',
     'author'      => 'OXID eSales AG',
     'url'         => 'https://github.com/OXID-eSales/security-module',
     'email'       => 'info@oxid-esales.com',
     'extend'      => [
+        \OxidEsales\Eshop\Application\Component\UserComponent::class => \OxidEsales\SecurityModule\Captcha\Shop\UserComponent::class,
         \OxidEsales\Eshop\Application\Controller\NewsletterController::class => \OxidEsales\SecurityModule\Captcha\Shop\NewsletterController::class,
         \OxidEsales\Eshop\Application\Controller\ForgotPasswordController::class => \OxidEsales\SecurityModule\Shared\Controller\ForgotPasswordController::class,
         \OxidEsales\Eshop\Application\Model\User::class => \OxidEsales\SecurityModule\Shared\Model\User::class,

metadata.php

@@ -14,7 +14,7 @@
 use OxidEsales\EshopCommunity\Internal\Framework\Form\FormInterface;
 use OxidEsales\EshopCommunity\Internal\Framework\FormConfiguration\FormConfigurationInterface;
 
-class ContactFormDecorator
+class ContactFormDecorator implements ContactFormBridgeInterface
 {
     public function __construct(
         private ContactFormBridgeInterface $contactFormBridge,

src/Captcha/Form/ContactFormDecorator.php

@@ -0,0 +1,63 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Captcha\Shop;
+
+use OxidEsales\Eshop\Core\Exception\StandardException;
+use OxidEsales\Eshop\Core\Registry;
+use OxidEsales\SecurityModule\Captcha\Service\CaptchaServiceInterface;
+use OxidEsales\SecurityModule\Captcha\Service\ModuleSettingsServiceInterface;
+
+/**
+ * @mixin \OxidEsales\Eshop\Application\Component\UserComponent
+ * @eshopExtension
+ */
+class UserComponent extends UserComponent_parent
+{
+    public function login()
+    {
+        if (!$this->isCaptchaEnabled()) {
+            return parent::login();
+        }
+
+        try {
+            $this->getService(CaptchaServiceInterface::class)
+                ->validate(Registry::getRequest());
+        } catch (StandardException $e) {
+            Registry::getUtilsView()->addErrorToDisplay($e->getMessage());
+            $this->setLoginStatus(USER_LOGIN_FAIL);
+            return 'user';
+        }
+
+        return parent::login();
+    }
+
+    public function createUser()
+    {
+        if (!$this->isCaptchaEnabled()) {
+            return parent::createUser();
+        }
+
+        try {
+            $this->getService(CaptchaServiceInterface::class)
+                ->validate(Registry::getRequest());
+        } catch (StandardException $e) {
+            Registry::getUtilsView()->addErrorToDisplay($e->getMessage());
+            return false;
+        }
+
+        return parent::createUser();
+    }
+
+    private function isCaptchaEnabled(): bool
+    {
+        $settings = $this->getService(ModuleSettingsServiceInterface::class);
+        return $settings->isCaptchaEnabled() || $settings->isHoneyPotCaptchaEnabled();
+    }
+}

src/Captcha/Shop/UserComponent.php

@@ -9,15 +9,7 @@
 
 namespace OxidEsales\SecurityModule\Shared\Model;
 
-use OxidEsales\Eshop\Core\Exception\InputException;
-use OxidEsales\Eshop\Core\Exception\UserException;
-use OxidEsales\Eshop\Core\Registry;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAUserServiceInterface;
-use OxidEsales\SecurityModule\Captcha\Captcha\Image\Exception\CaptchaValidateException as ImageCaptchaException;
-use OxidEsales\SecurityModule\Captcha\Captcha\HoneyPot\Exception\CaptchaValidateException as HoneyPotCaptchaException;
-use OxidEsales\SecurityModule\Captcha\Service\CaptchaServiceInterface;
-use OxidEsales\SecurityModule\Captcha\Service\ModuleSettingsServiceInterface as CaptchaSettingsServiceInterface;
-use OxidEsales\SecurityModule\Shared\Core\InputValidator;
 
 /**
  * User model extended
@@ -27,62 +19,6 @@
  */
 class User extends User_parent
 {
-    public function checkValues(
-        $sLogin,
-        #[\SensitiveParameter] $sPassword,
-        #[\SensitiveParameter] $sPassword2,
-        $aInvAddress,
-        $aDelAddress
-    ): void {
-        if ($this->isCaptchaEnabled() && $this->shouldValidateCaptcha()) {
-            /** @var InputValidator $oInputValidator */
-            $oInputValidator = Registry::getInputValidator();
-            $captchaService = $this->getService(CaptchaServiceInterface::class);
-
-            try {
-                $captchaService->validate(
-                    Registry::getRequest()
-                );
-            } catch (ImageCaptchaException $e) {
-                $oInputValidator->addValidationError(
-                    "captcha",
-                    oxNew(
-                        InputException::class,
-                        Registry::getLang()->translateString($e->getMessage())
-                    )
-                );
-            } catch (HoneyPotCaptchaException $e) {
-                throw $e;
-            }
-        }
-
-        parent::checkValues($sLogin, $sPassword, $sPassword2, $aInvAddress, $aDelAddress);
-    }
-
-    /**
-     * @SuppressWarnings(PHPMD.BooleanArgumentFlag)
-     */
-    public function login($userName, #[\SensitiveParameter] $password, $setSessionCookie = false): bool
-    {
-        if ($this->isAdmin()) {
-            return parent::login($userName, $password, $setSessionCookie);
-        }
-
-        if ($password !== null && $this->isCaptchaEnabled()) {
-            $captchaService = $this->getService(CaptchaServiceInterface::class);
-
-            try {
-                $captchaService->validate(
-                    Registry::getRequest()
-                );
-            } catch (ImageCaptchaException | HoneyPotCaptchaException $e) {
-                throw oxNew(UserException::class, $e->getMessage());
-            }
-        }
-
-        return parent::login($userName, $password, $setSessionCookie);
-    }
-
     /** @phpstan-ignore missingType.return (inherited from parent without return type) */
     protected function onLogin($userName, #[\SensitiveParameter] $password)
     {
@@ -96,15 +32,4 @@ protected function onLogin($userName, #[\SensitiveParameter] $password)
             }
         }
     }
-
-    private function isCaptchaEnabled(): bool
-    {
-        $settingsService = $this->getService(CaptchaSettingsServiceInterface::class);
-        return $settingsService->isCaptchaEnabled() || $settingsService->isHoneyPotCaptchaEnabled();
-    }
-
-    protected function shouldValidateCaptcha(): bool
-    {
-        return !$this->getUser();
-    }
 }

src/Shared/Model/User.php

@@ -1,7 +1,7 @@
 SET @@session.sql_mode = '';
 
 REPLACE INTO `oxuser` (`OXID`, `OXACTIVE`, `OXRIGHTS`, `OXSHOPID`, `OXUSERNAME`, `OXPASSWORD`, `OXPASSSALT`, `OXCUSTNR`, `OXUSTID`, `OXCOMPANY`, `OXFNAME`, `OXLNAME`, `OXSTREET`, `OXSTREETNR`, `OXADDINFO`, `OXCITY`, `OXCOUNTRYID`, `OXZIP`, `OXFON`, `OXFAX`, `OXSAL`, `OXBONI`, `OXCREATE`, `OXREGISTER`, `OXPRIVFON`, `OXMOBFON`, `OXBIRTHDATE`)
-VALUES ('testuser', 1, 'user', 1, 'some_test_user@oxid-esales.dev', '$2y$10$b186f117054b700a89de9uXDzfahkizUucitfPov3C2cwF5eit2M2', 'b186f117054b700a89de929ce90c6aef', 8, '', 'UserCompany šÄßüл', 'UserNamešÄßüл', 'UserSurnamešÄßüл', 'Musterstr.šÄßüл', '1', 'User additional info šÄßüл', 'Musterstadt šÄßüл', 'testcountry_de', '79098', '0800 111111', '0800 111112', 'Mr', 500, '2008-02-05 14:42:42', '2008-02-05 14:42:42', '0800 111113', '0800 111114', '1980-01-01');
+VALUES ('testuser', 1, 'user', 1, 'some_test_user@oxid-esales.dev', 'c9dadd994241c9e5fa6469547009328a', '7573657275736572', 8, '', 'UserCompany šÄßüл', 'UserNamešÄßüл', 'UserSurnamešÄßüл', 'Musterstr.šÄßüл', '1', 'User additional info šÄßüл', 'Musterstadt šÄßüл', 'testcountry_de', '79098', '0800 111111', '0800 111112', 'Mr', 500, '2008-02-05 14:42:42', '2008-02-05 14:42:42', '0800 111113', '0800 111114', '1980-01-01');
 
 REPLACE INTO `oxarticles` (`OXID`, `OXSHOPID`, `OXPARENTID`, `OXACTIVE`, `OXARTNUM`, `OXTITLE`, `OXSHORTDESC`, `OXPRICE`, `OXPRICEA`, `OXPRICEB`, `OXPRICEC`, `OXTPRICE`, `OXUNITNAME`, `OXUNITQUANTITY`, `OXVAT`, `OXWEIGHT`, `OXSTOCK`, `OXSTOCKFLAG`, `OXSTOCKTEXT`, `OXNOSTOCKTEXT`, `OXDELIVERY`, `OXINSERT`, `OXTIMESTAMP`, `OXLENGTH`, `OXWIDTH`, `OXHEIGHT`, `OXSEARCHKEYS`, `OXISSEARCH`, `OXVARNAME`, `OXVARSTOCK`, `OXVARCOUNT`, `OXVARSELECT`, `OXVARMINPRICE`, `OXVARMAXPRICE`, `OXVARNAME_1`, `OXVARSELECT_1`, `OXTITLE_1`, `OXSHORTDESC_1`, `OXSEARCHKEYS_1`, `OXBUNDLEID`, `OXSTOCKTEXT_1`, `OXNOSTOCKTEXT_1`, `OXSORT`, `OXVENDORID`, `OXMANUFACTURERID`, `OXMINDELTIME`, `OXMAXDELTIME`, `OXDELTIMEUNIT`)
 VALUES ('1000', 1, '', 1, '1000', '[DE 4] Test product 0 šÄßüл', 'Test product 0 short desc [DE]', 50, 35, 45, 55, 0, 'kg', 2, NULL, 2, 15, 1, 'In stock [DE]', 'Out of stock [DE]', '0000-00-00', '2008-02-04', '2008-02-04 17:07:48', 1, 2, 2, 'search1000', 1, '', 0, 0, '', 50, 0, '', '', 'Test product 0 [EN] šÄßüл', 'Test product 0 short desc [EN] šÄßüл', 'šÄßüл1000', '', 'In stock [EN] šÄßüл', 'Out of stock [EN] šÄßüл', 0, 'testdistributor', 'testmanufacturer', 1, 1, 'DAY');

tests/Codeception/Support/Data/fixtures.sql

@@ -1,7 +1,7 @@
 SET @@session.sql_mode = '';
 
 REPLACE INTO `oxuser` (`OXID`, `OXACTIVE`, `OXRIGHTS`, `OXSHOPID`, `OXUSERNAME`, `OXPASSWORD`, `OXPASSSALT`, `OXCUSTNR`, `OXUSTID`, `OXCOMPANY`, `OXFNAME`, `OXLNAME`, `OXSTREET`, `OXSTREETNR`, `OXADDINFO`, `OXCITY`, `OXCOUNTRYID`, `OXZIP`, `OXFON`, `OXFAX`, `OXSAL`, `OXBONI`, `OXCREATE`, `OXREGISTER`, `OXPRIVFON`, `OXMOBFON`, `OXBIRTHDATE`)
-VALUES ('testuser', 1, 'user', 1, 'some_test_user@oxid-esales.dev', '$2y$10$b186f117054b700a89de9uXDzfahkizUucitfPov3C2cwF5eit2M2', 'b186f117054b700a89de929ce90c6aef', 8, '', 'UserCompany šÄßüл', 'UserNamešÄßüл', 'UserSurnamešÄßüл', 'Musterstr.šÄßüл', '1', 'User additional info šÄßüл', 'Musterstadt šÄßüл', 'testcountry_de', '79098', '0800 111111', '0800 111112', 'Mr', 500, '2008-02-05 14:42:42', '2008-02-05 14:42:42', '0800 111113', '0800 111114', '1980-01-01');
+VALUES ('testuser', 1, 'user', 1, 'some_test_user@oxid-esales.dev', 'c9dadd994241c9e5fa6469547009328a', '7573657275736572', 8, '', 'UserCompany šÄßüл', 'UserNamešÄßüл', 'UserSurnamešÄßüл', 'Musterstr.šÄßüл', '1', 'User additional info šÄßüл', 'Musterstadt šÄßüл', 'testcountry_de', '79098', '0800 111111', '0800 111112', 'Mr', 500, '2008-02-05 14:42:42', '2008-02-05 14:42:42', '0800 111113', '0800 111114', '1980-01-01');
 
 REPLACE INTO `oxarticles` (`OXID`, `OXMAPID`, `OXSHOPID`, `OXPARENTID`, `OXACTIVE`, `OXARTNUM`, `OXTITLE`, `OXSHORTDESC`, `OXPRICE`, `OXPRICEA`, `OXPRICEB`, `OXPRICEC`, `OXTPRICE`, `OXUNITNAME`, `OXUNITQUANTITY`, `OXVAT`, `OXWEIGHT`, `OXSTOCK`, `OXSTOCKFLAG`, `OXSTOCKTEXT`, `OXNOSTOCKTEXT`, `OXDELIVERY`, `OXINSERT`, `OXTIMESTAMP`, `OXLENGTH`, `OXWIDTH`, `OXHEIGHT`, `OXSEARCHKEYS`, `OXISSEARCH`, `OXVARNAME`, `OXVARSTOCK`, `OXVARCOUNT`, `OXVARSELECT`, `OXVARMINPRICE`, `OXVARMAXPRICE`, `OXVARNAME_1`, `OXVARSELECT_1`, `OXTITLE_1`, `OXSHORTDESC_1`, `OXSEARCHKEYS_1`, `OXBUNDLEID`, `OXSTOCKTEXT_1`, `OXNOSTOCKTEXT_1`, `OXSORT`, `OXVENDORID`, `OXMANUFACTURERID`, `OXMINDELTIME`, `OXMAXDELTIME`, `OXDELTIMEUNIT`)
 VALUES ('1000', 1, 1, '', 1, '1000', '[DE 4] Test product 0 šÄßüл', 'Test product 0 short desc [DE]', 50, 35, 45, 55, 0, 'kg', 2, NULL, 2, 15, 1, 'In stock [DE]', 'Out of stock [DE]', '0000-00-00', '2008-02-04', '2008-02-04 17:07:48', 1, 2, 2, 'search1000', 1, '', 0, 0, '', 50, 0, '', '', 'Test product 0 [EN] šÄßüл', 'Test product 0 short desc [EN] šÄßüл', 'šÄßüл1000', '', 'In stock [EN] šÄßüл', 'Out of stock [EN] šÄßüл', 0, 'testdistributor', 'testmanufacturer', 1, 1, 'DAY');