Merge pull request #9676 from magento-lynx/lynx-2.4.8

Author: svera

app/code/Magento/CustomerGraphQl/Controller/HttpRequestValidator/AuthorizationRequestValidator.php

@@ -0,0 +1,60 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\CustomerGraphQl\Controller\HttpRequestValidator;
+
+use Magento\Framework\App\HttpRequestInterface;
+use Magento\Framework\Exception\AuthorizationException;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthenticationException;
+use Magento\GraphQl\Controller\HttpRequestValidatorInterface;
+use Magento\Integration\Api\Exception\UserTokenException;
+use Magento\Integration\Api\UserTokenReaderInterface;
+use Magento\Integration\Api\UserTokenValidatorInterface;
+
+class AuthorizationRequestValidator implements HttpRequestValidatorInterface
+{
+    private const AUTH = 'Authorization';
+    private const BEARER = 'bearer';
+
+    /**
+     * AuthorizationRequestValidator Constructor
+     *
+     * @param UserTokenReaderInterface $tokenReader
+     * @param UserTokenValidatorInterface $tokenValidator
+     */
+    public function __construct(
+        private readonly UserTokenReaderInterface $tokenReader,
+        private readonly UserTokenValidatorInterface $tokenValidator
+    ) {
+    }
+
+    /**
+     * Validate the authorization header bearer token if it is set
+     *
+     * @param HttpRequestInterface $request
+     * @return void
+     * @throws GraphQlAuthenticationException
+     */
+    public function validate(HttpRequestInterface $request): void
+    {
+        $authorizationHeaderValue = $request->getHeader(self::AUTH);
+        if (!$authorizationHeaderValue) {
+            return;
+        }
+
+        $headerPieces = explode(' ', $authorizationHeaderValue);
+        if (count($headerPieces) !== 2 || strtolower($headerPieces[0]) !== self::BEARER) {
+            return;
+        }
+
+        try {
+            $this->tokenValidator->validate($this->tokenReader->read($headerPieces[1]));
+        } catch (UserTokenException | AuthorizationException $exception) {
+            throw new GraphQlAuthenticationException(__($exception->getMessage()));
+        }
+    }
+}

app/code/Magento/CustomerGraphQl/etc/graphql/di.xml

@@ -214,4 +214,11 @@
         <plugin name="merge_order_after_customer_signup"
                 type="Magento\CustomerGraphQl\Plugin\Model\MergeGuestOrder" />
     </type>
+    <type name="Magento\GraphQl\Controller\HttpRequestProcessor">
+        <arguments>
+            <argument name="requestValidators" xsi:type="array">
+                <item name="authorizationValidator" xsi:type="object">Magento\CustomerGraphQl\Controller\HttpRequestValidator\AuthorizationRequestValidator</item>
+            </argument>
+        </arguments>
+    </type>
 </config>

app/code/Magento/GraphQl/Controller/GraphQl.php

@@ -7,6 +7,7 @@
 
 namespace Magento\GraphQl\Controller;
 
+use Exception;
 use GraphQL\Error\FormattedError;
 use GraphQL\Error\SyntaxError;
 use Magento\Framework\App\Area;
@@ -19,6 +20,8 @@
 use Magento\Framework\App\ResponseInterface;
 use Magento\Framework\Controller\Result\JsonFactory;
 use Magento\Framework\GraphQl\Exception\ExceptionFormatter;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthenticationException;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthorizationException;
 use Magento\Framework\GraphQl\Exception\GraphQlInputException;
 use Magento\Framework\GraphQl\Query\Fields as QueryFields;
 use Magento\Framework\GraphQl\Query\QueryParser;
@@ -30,6 +33,7 @@
 use Magento\GraphQl\Helper\Query\Logger\LogData;
 use Magento\GraphQl\Model\Query\ContextFactoryInterface;
 use Magento\GraphQl\Model\Query\Logger\LoggerPool;
+use Throwable;
 
 /**
  * Front controller for web API GraphQL area.
@@ -40,6 +44,8 @@
  */
 class GraphQl implements FrontControllerInterface
 {
+    private const METHOD_OPTIONS = 'OPTIONS';
+
     /**
      * @var \Magento\Framework\Webapi\Response
      * @deprecated 100.3.2
@@ -181,20 +187,19 @@ public function __construct(
     public function dispatch(RequestInterface $request): ResponseInterface
     {
         $this->areaList->getArea(Area::AREA_GRAPHQL)->load(Area::PART_TRANSLATE);
-
-        $statusCode = 200;
         $jsonResult = $this->jsonFactory->create();
         $data = [];
         $result = null;
         $schema = null;
-        $query = '';
 
         try {
             $data = $this->getDataFromRequest($request);
             $query = $data['query'] ?? '';
 
             /** @var Http $request */
             $this->requestProcessor->validateRequest($request);
+            $statusCode = $request->getMethod() === self::METHOD_OPTIONS ? 204 : 200;
+
             if ($request->isGet() || $request->isPost()) {
                 $parsedQuery = $this->queryParser->parse($query);
                 $data['parsedQuery'] = $parsedQuery;
@@ -210,17 +215,10 @@ public function dispatch(RequestInterface $request): ResponseInterface
                     $this->contextFactory->create(),
                     $data['variables'] ?? []
                 );
+                $statusCode = $this->getHttpResponseCode($result);
             }
-        } catch (SyntaxError|GraphQlInputException $error) {
-            $result = [
-                'errors' => [FormattedError::createFromException($error)],
-            ];
-            $statusCode = 400;
-        } catch (\Exception $error) {
-            $result = [
-                'errors' => [$this->graphQlError->create($error)],
-            ];
-            $statusCode = ExceptionFormatter::HTTP_GRAPH_QL_SCHEMA_ERROR_STATUS;
+        } catch (Exception $error) {
+            [$result, $statusCode] = $this->handleGraphQlException($error);
         }
 
         $jsonResult->setHttpResponseCode($statusCode);
@@ -230,14 +228,59 @@ public function dispatch(RequestInterface $request): ResponseInterface
         $jsonResult->renderResult($this->httpResponse);
 
         // log information about the query, unless it is an introspection query
-        if (strpos($query, 'IntrospectionQuery') === false) {
+        if (!isset($data['query']) || strpos($data['query'], 'IntrospectionQuery') === false) {
             $queryInformation = $this->logDataHelper->getLogData($request, $data, $schema, $this->httpResponse);
             $this->loggerPool->execute($queryInformation);
         }
 
         return $this->httpResponse;
     }
 
+    /**
+     * Handle GraphQL Exceptions
+     *
+     * @param Exception $error
+     * @return array
+     * @throws Throwable
+     */
+    private function handleGraphQlException(Exception $error): array
+    {
+        if ($error instanceof SyntaxError || $error instanceof GraphQlInputException) {
+            return [['errors' => [FormattedError::createFromException($error)]], 400];
+        }
+        if ($error instanceof GraphQlAuthenticationException) {
+            return [['errors' => [$this->graphQlError->create($error)]], 401];
+        }
+        if ($error instanceof GraphQlAuthorizationException) {
+            return [['errors' => [$this->graphQlError->create($error)]], 403];
+        }
+        return [
+            ['errors' => [$this->graphQlError->create($error)]],
+            ExceptionFormatter::HTTP_GRAPH_QL_SCHEMA_ERROR_STATUS
+        ];
+    }
+
+    /**
+     * Retrieve http response code based on the error categories
+     *
+     * @param array $result
+     * @return int
+     */
+    private function getHttpResponseCode(array $result): int
+    {
+        foreach ($result['errors'] ?? [] as $error) {
+            if (isset($error['extensions']['category'])) {
+                return match ($error['extensions']['category']) {
+                    GraphQlAuthenticationException::EXCEPTION_CATEGORY => 401,
+                    GraphQlAuthorizationException::EXCEPTION_CATEGORY => 403,
+                    default => 200,
+                };
+            }
+        }
+
+        return 200;
+    }
+
     /**
      * Get data from request body or query string
      *
@@ -247,18 +290,16 @@ public function dispatch(RequestInterface $request): ResponseInterface
      */
     private function getDataFromRequest(RequestInterface $request): array
     {
+        $data = [];
         try {
             /** @var Http $request */
             if ($request->isPost()) {
                 $data = $request->getContent() ? $this->jsonSerializer->unserialize($request->getContent()) : [];
             } elseif ($request->isGet()) {
                 $data = $request->getParams();
-                $data['variables'] = isset($data['variables']) ?
-                    $this->jsonSerializer->unserialize($data['variables']) : null;
-                $data['variables'] = is_array($data['variables']) ?
-                    $data['variables'] : null;
-            } else {
-                $data = [];
+                $data['variables'] = !empty($data['variables']) && is_string($data['variables'])
+                    ? $this->jsonSerializer->unserialize($data['variables'])
+                    : null;
             }
         } catch (\InvalidArgumentException $e) {
             throw new GraphQlInputException(__('Unable to parse the request.'), $e);

app/code/Magento/QuoteGraphQl/Plugin/Model/RestrictPaymentMethods.php

@@ -0,0 +1,35 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\QuoteGraphQl\Plugin\Model;
+
+use Magento\Payment\Model\MethodList;
+use Magento\Quote\Api\Data\CartInterface;
+
+class RestrictPaymentMethods
+{
+    /**
+     * Show only the "free" payment method if the order total is 0
+     *
+     * @param MethodList $subject
+     * @param array $result
+     * @param CartInterface|null $quote
+     * @return array
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function afterGetAvailableMethods(
+        MethodList $subject,
+        array $result,
+        ?CartInterface $quote = null
+    ): array {
+        if (!$quote || $quote->getGrandTotal() != 0) {
+            return $result;
+        }
+
+        return array_filter($result, fn ($method) => $method->getCode() === 'free') ?: [];
+    }
+}

app/code/Magento/QuoteGraphQl/composer.json

@@ -20,7 +20,8 @@
         "magento/module-catalog-inventory": "*",
         "magento/module-eav-graph-ql": "*",
         "magento/module-downloadable": "*",
-        "magento/module-catalog-graph-ql": "*"
+        "magento/module-catalog-graph-ql": "*",
+        "magento/module-payment": "*"
     },
     "suggest": {
         "magento/module-graph-ql-cache": "*",

app/code/Magento/QuoteGraphQl/etc/graphql/di.xml

@@ -96,4 +96,7 @@
         <plugin name="billing_address_save_same_as_shipping"
                 type="Magento\QuoteGraphQl\Plugin\CustomerManagementPlugin"/>
     </type>
+    <type name="Magento\Payment\Model\MethodList">
+        <plugin name="restrict_payment_methods_graphql" type="Magento\QuoteGraphQl\Plugin\Model\RestrictPaymentMethods"/>
+    </type>
 </config>