Refactor JwtAuthenticator to use User Oxid

Author: godefroy-le-hardi

README.md

@@ -54,7 +54,6 @@ Response:
 {
   "token": "eyJ0eXAiOiJKV1QiLCJhbGc...",
   "user": {
-    "id": "abc123",
     "username": "user@example.com",
     "roles": ["ROLE_USER"]
   }
@@ -97,7 +96,6 @@ use Symfony\Component\Security\Http\Attribute\CurrentUser;
 public function getData(#[CurrentUser] ApiUser $user): Response
 {
     return new JsonResponse([
-        'user_id' => $user->getUserId(),
         'username' => $user->getUserIdentifier(),
         'roles' => $user->getRoles()
     ]);

src/Security/AdminController.php

@@ -18,19 +18,11 @@
 
 final readonly class AdminController
 {
-    public function __construct(
-        private int $apiRateLimit
-    ) {
-    }
-
     #[Route('/api/admin/settings', methods: ['GET'])]
     #[IsGranted('ROLE_ADMIN')]
     public function getSettings(#[CurrentUser] ApiUser $user): Response
     {
         return new JsonResponse([
-            'settings' => [
-                'api_rate_limit' => $this->apiRateLimit,
-            ],
             'admin_user' => $user->getUserIdentifier(),
         ]);
     }

src/Security/Auth/AuthenticationSuccessHandler.php

@@ -28,15 +28,14 @@ public function onAuthenticationSuccess(Request $request, TokenInterface $token)
         $user = $token->getUser();
 
         if (!$user instanceof ApiUser) {
-            return new JsonResponse(['error' => 'Invalid user type'], Response::HTTP_INTERNAL_SERVER_ERROR);
+            return new JsonResponse(['error' => 'Invalid user type'], Response::HTTP_UNAUTHORIZED);
         }
 
         $jwtToken = $this->tokenService->generateToken($user);
 
         return new JsonResponse([
             'token' => $jwtToken,
             'user' => [
-                'id' => $user->getUserId(),
                 'username' => $user->getUserIdentifier(),
                 'roles' => $user->getRoles()
             ]

src/Security/Auth/JwtAuthenticator.php

@@ -13,8 +13,8 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use OxidEsales\AuthComponent\Security\User\ApiUserProvider;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\AccessToken\AccessTokenExtractorInterface;
 use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
@@ -25,7 +25,7 @@ class JwtAuthenticator extends AbstractAuthenticator
 {
     public function __construct(
         private readonly TokenServiceInterface $tokenService,
-        private readonly UserProviderInterface $userProvider,
+        private readonly ApiUserProvider $userProvider,
         private readonly AccessTokenExtractorInterface $tokenExtractor,
     ) {
     }
@@ -45,10 +45,14 @@ public function authenticate(Request $request): Passport
 
         $parsedToken = $this->tokenService->parseToken($token);
 
-        $username = $parsedToken->claims()->get('username');
+        $userId = $parsedToken->claims()->get('userId');
+
+        if (!is_string($userId) || $userId === '') {
+            throw new AuthenticationException('Token missing userId claim');
+        }
 
         return new SelfValidatingPassport(
-            new UserBadge($username, fn() => $this->userProvider->loadUserByIdentifier($username))
+            new UserBadge($userId, fn() => $this->userProvider->loadByOxid($userId))
         );
     }
 

src/Security/Auth/TokenService.php

@@ -70,7 +70,7 @@ public function generateToken(ApiUser $user): string
             ->identifiedBy(bin2hex(random_bytes(16)))
             ->issuedAt($now)
             ->expiresAt($now->modify(sprintf('+%d seconds', $this->expirationSeconds)))
-            ->withClaim('username', $user->getUserIdentifier())
+            ->withClaim('userId', $user->getOxid())
             ->getToken($this->config->signer(), $this->config->signingKey());
 
         return $token->toString();

src/Security/ProfileController.php

@@ -23,7 +23,6 @@
     public function getProfile(#[CurrentUser] ApiUser $user): Response
     {
         return new JsonResponse([
-            'id' => $user->getUserId(),
             'username' => $user->getUserIdentifier(),
             'roles' => $user->getRoles()
         ]);

src/Security/User/ApiUser.php

@@ -15,21 +15,21 @@
 final class ApiUser implements UserInterface, PasswordAuthenticatedUserInterface
 {
     public function __construct(
-        private readonly string $userId,
+        private readonly string $oxid,
         private readonly string $username,
         private readonly array $roles,
-        private ?string $password = null
+        #[\SensitiveParameter] private ?string $password = null
     ) {
     }
 
-    public function getUserIdentifier(): string
+    public function getOxid(): string
     {
-        return $this->username;
+        return $this->oxid;
     }
 
-    public function getUserId(): string
+    public function getUserIdentifier(): string
     {
-        return $this->userId;
+        return $this->username;
     }
 
     public function getRoles(): array

src/Security/User/ApiUserProvider.php

@@ -21,7 +21,7 @@
     public function __construct(
         private QueryBuilderFactoryInterface $queryBuilderFactory,
         private RoleResolverInterface $roleResolver,
-        private ContextInterface $context
+        private ContextInterface $context,
     ) {
     }
 
@@ -44,14 +44,29 @@ public function loadUserByIdentifier(string $identifier): UserInterface
             throw new UserNotFoundException(sprintf('User "%s" not found.', $identifier));
         }
 
-        $roles = $this->roleResolver->resolveRoles($userData['OXRIGHTS']);
+        return $this->createApiUser($userData);
+    }
 
-        return new ApiUser(
-            $userData['OXID'],
-            $userData['OXUSERNAME'],
-            $roles,
-            $userData['OXPASSWORD']
-        );
+    public function loadByOxid(string $oxid): UserInterface
+    {
+        $queryBuilder = $this->queryBuilderFactory->create();
+        $queryBuilder
+            ->select('OXID', 'OXUSERNAME', 'OXPASSWORD', 'OXRIGHTS')
+            ->from('oxuser')
+            ->where('OXID = :userId')
+            ->andWhere('OXACTIVE = 1')
+            ->andWhere('(OXSHOPID = :shopId OR OXRIGHTS = :mallAdmin)')
+            ->setParameter('userId', $oxid)
+            ->setParameter('shopId', $this->context->getCurrentShopId())
+            ->setParameter('mallAdmin', 'malladmin');
+
+        $userData = $queryBuilder->execute()->fetchAssociative();
+
+        if (!$userData) {
+            throw new UserNotFoundException(sprintf('User "%s" not found.', $oxid));
+        }
+
+        return $this->createApiUser($userData);
     }
 
     public function refreshUser(UserInterface $user): UserInterface
@@ -60,11 +75,23 @@ public function refreshUser(UserInterface $user): UserInterface
             throw new UnsupportedUserException();
         }
 
-        return $this->loadUserByIdentifier($user->getUserIdentifier());
+        return $this->loadByOxid($user->getOxid());
     }
 
     public function supportsClass(string $class): bool
     {
         return ApiUser::class === $class;
     }
+
+    private function createApiUser(array $userData): ApiUser
+    {
+        $roles = $this->roleResolver->resolveRoles($userData['OXRIGHTS']);
+
+        return new ApiUser(
+            $userData['OXID'],
+            $userData['OXUSERNAME'],
+            $roles,
+            $userData['OXPASSWORD']
+        );
+    }
 }

src/Security/services.yaml

@@ -15,8 +15,6 @@ services:
 
   OxidEsales\AuthComponent\Security\AdminController:
     public: true
-    arguments:
-      $apiRateLimit: '%oxid_esales.rate_limiter.limit%'
 
   Symfony\Component\Security\Http\HttpUtils: ~
 

tests/Fixtures/TestModule/TestApiController.php

@@ -34,7 +34,6 @@ public function userEndpoint(#[CurrentUser] ApiUser $user): Response
         return new JsonResponse([
             'message' => 'User endpoint - ROLE_USER required',
             'user' => [
-                'id' => $user->getUserId(),
                 'username' => $user->getUserIdentifier(),
                 'roles' => $user->getRoles(),
             ],
@@ -49,7 +48,6 @@ public function adminEndpoint(#[CurrentUser] ApiUser $user): Response
         return new JsonResponse([
             'message' => 'Admin endpoint - ROLE_ADMIN required',
             'user' => [
-                'id' => $user->getUserId(),
                 'username' => $user->getUserIdentifier(),
                 'roles' => $user->getRoles(),
             ],
@@ -64,7 +62,6 @@ public function infoEndpoint(#[CurrentUser] ?ApiUser $user): Response
             'message' => 'Info endpoint - optional authentication',
             'authenticated' => $user !== null,
             'user' => $user ? [
-                'id' => $user->getUserId(),
                 'username' => $user->getUserIdentifier(),
                 'roles' => $user->getRoles(),
             ] : null,