Merge branch '2.4-develop' into automation

Author: Indraniks

app/code/Magento/Backend/App/Area/FrontNameResolver.php

@@ -117,6 +117,9 @@ public function getFrontName($checkHost = false)
     /**
      * Return whether the host from request is the backend host
      *
+     * @SuppressWarnings(PHPMD.CyclomaticComplexity)
+     * @SuppressWarnings(PHPMD.NPathComplexity)
+     * @SuppressWarnings(PHPMD.ExcessiveMethodLength)
      * @return bool
      */
     public function isHostBackend()
@@ -128,10 +131,11 @@ public function isHostBackend()
         if ($this->scopeConfig->getValue(self::XML_PATH_USE_CUSTOM_ADMIN_URL, ScopeInterface::SCOPE_STORE)) {
             $backendUrl = $this->scopeConfig->getValue(self::XML_PATH_CUSTOM_ADMIN_URL, ScopeInterface::SCOPE_STORE);
         } else {
-            $backendUrl = $this->config->getValue(Store::XML_PATH_UNSECURE_BASE_URL);
+            $xmlPath = $this->request->isSecure() ? Store::XML_PATH_SECURE_BASE_URL : Store::XML_PATH_UNSECURE_BASE_URL;
+            $backendUrl = $this->config->getValue($xmlPath);
             if ($backendUrl === null) {
                 $backendUrl = $this->scopeConfig->getValue(
-                    Store::XML_PATH_UNSECURE_BASE_URL,
+                    $xmlPath,
                     ScopeInterface::SCOPE_STORE
                 );
             }

app/code/Magento/Backend/Test/Unit/App/Area/FrontNameResolverTest.php

@@ -129,6 +129,7 @@ public function testIsHostBackend(
             ->willReturnMap(
                 [
                     [Store::XML_PATH_UNSECURE_BASE_URL, ScopeInterface::SCOPE_STORE, null, $url],
+                    [Store::XML_PATH_SECURE_BASE_URL, ScopeInterface::SCOPE_STORE, null, $url],
                     [
                         FrontNameResolver::XML_PATH_USE_CUSTOM_ADMIN_URL,
                         ScopeInterface::SCOPE_STORE,
@@ -160,7 +161,6 @@ public function testIsHostBackend(
                     ->setHost(parse_url($url, PHP_URL_HOST))
                     ->setPort(parse_url($url, PHP_URL_PORT))
             );
-
         $this->assertEquals($expectedValue, $this->model->isHostBackend());
     }
 

app/code/Magento/Cms/Test/Unit/Ui/Component/Listing/DataProviderTest.php

@@ -1,17 +1,7 @@
 <?php
-/************************************************************************
- * Copyright 2024 Adobe
+/**
+ * Copyright 2016 Adobe
  * All Rights Reserved.
- *
- * NOTICE: All information contained herein is, and remains
- * the property of Adobe and its suppliers, if any. The intellectual
- * and technical concepts contained herein are proprietary to Adobe
- * and its suppliers and are protected by all applicable intellectual
- * property laws, including trade secret and copyright laws.
- * Dissemination of this information or reproduction of this material
- * is strictly forbidden unless prior written permission is obtained
- * from Adobe.
- * ***********************************************************************
  */
 declare(strict_types=1);
 

app/code/Magento/Config/Block/System/Config/Form/Field/File.php

@@ -55,7 +55,7 @@ protected function _getDeleteCheckbox()
             $html .= '<input type="hidden" name="' .
                 parent::getName() .
                 '[value]" value="' .
-                $this->_escaper->escapeHtml($this->getValue()) .
+                $this->_escaper->escapeHtmlAttr($this->getValue()) .
                 '" />';
             $html .= '</div>';
         }

app/code/Magento/CustomerGraphQl/Controller/HttpRequestValidator/AuthorizationRequestValidator.php

@@ -0,0 +1,60 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\CustomerGraphQl\Controller\HttpRequestValidator;
+
+use Magento\Framework\App\HttpRequestInterface;
+use Magento\Framework\Exception\AuthorizationException;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthenticationException;
+use Magento\GraphQl\Controller\HttpRequestValidatorInterface;
+use Magento\Integration\Api\Exception\UserTokenException;
+use Magento\Integration\Api\UserTokenReaderInterface;
+use Magento\Integration\Api\UserTokenValidatorInterface;
+
+class AuthorizationRequestValidator implements HttpRequestValidatorInterface
+{
+    private const AUTH = 'Authorization';
+    private const BEARER = 'bearer';
+
+    /**
+     * AuthorizationRequestValidator Constructor
+     *
+     * @param UserTokenReaderInterface $tokenReader
+     * @param UserTokenValidatorInterface $tokenValidator
+     */
+    public function __construct(
+        private readonly UserTokenReaderInterface $tokenReader,
+        private readonly UserTokenValidatorInterface $tokenValidator
+    ) {
+    }
+
+    /**
+     * Validate the authorization header bearer token if it is set
+     *
+     * @param HttpRequestInterface $request
+     * @return void
+     * @throws GraphQlAuthenticationException
+     */
+    public function validate(HttpRequestInterface $request): void
+    {
+        $authorizationHeaderValue = $request->getHeader(self::AUTH);
+        if (!$authorizationHeaderValue) {
+            return;
+        }
+
+        $headerPieces = explode(' ', $authorizationHeaderValue);
+        if (count($headerPieces) !== 2 || strtolower($headerPieces[0]) !== self::BEARER) {
+            return;
+        }
+
+        try {
+            $this->tokenValidator->validate($this->tokenReader->read($headerPieces[1]));
+        } catch (UserTokenException | AuthorizationException $exception) {
+            throw new GraphQlAuthenticationException(__($exception->getMessage()));
+        }
+    }
+}

app/code/Magento/CustomerGraphQl/etc/graphql/di.xml

@@ -214,4 +214,11 @@
         <plugin name="merge_order_after_customer_signup"
                 type="Magento\CustomerGraphQl\Plugin\Model\MergeGuestOrder" />
     </type>
+    <type name="Magento\GraphQl\Controller\HttpRequestProcessor">
+        <arguments>
+            <argument name="requestValidators" xsi:type="array">
+                <item name="authorizationValidator" xsi:type="object">Magento\CustomerGraphQl\Controller\HttpRequestValidator\AuthorizationRequestValidator</item>
+            </argument>
+        </arguments>
+    </type>
 </config>

app/code/Magento/Downloadable/Test/Fixture/DownloadableProduct.php

@@ -19,6 +19,7 @@
 use Magento\TestFramework\Fixture\Api\DataMerger;
 use Magento\TestFramework\Fixture\Api\ServiceFactory;
 use Magento\TestFramework\Fixture\Data\ProcessorInterface;
+use Magento\Downloadable\Api\DomainManagerInterface;
 
 class DownloadableProduct extends Product
 {
@@ -43,6 +44,8 @@ class DownloadableProduct extends Product
         ],
     ];
 
+    private const DOMAINS = ['example.com','www.example.com'];
+
     /**
      * DownloadableProduct constructor
      *
@@ -61,7 +64,8 @@ public function __construct(
         private readonly ProductRepositoryInterface $productRepository,
         private readonly DirectoryList $directoryList,
         private readonly Link $link,
-        private readonly File $file
+        private readonly File $file,
+        private readonly DomainManagerInterface $domainManager
     ) {
         parent::__construct($serviceFactory, $dataProcessor, $dataMerger, $productRepository);
     }
@@ -74,9 +78,17 @@ public function __construct(
      */
     public function apply(array $data = []): ?DataObject
     {
+        $this->domainManager->addDomains(self::DOMAINS);
+
         return parent::apply($this->prepareData($data));
     }
 
+    public function revert(DataObject $data): void
+    {
+        $this->domainManager->removeDomains(self::DOMAINS);
+        parent::revert($data);
+    }
+
     /**
      * Prepare product data
      *
@@ -112,13 +124,22 @@ private function prepareLinksData(array $data): array
     {
         $links = [];
         foreach ($data['extension_attributes']['downloadable_product_links'] as $link) {
+
+            if ($link['link_type'] == 'url') {
+                $link['link_url'] = 'http://example.com/downloadable.txt';
+                $link['link_file'] = '';
+            } else {
+                $link['link_file'] = $this->generateDownloadableLink($link['link_file'] ?? 'test-' . uniqid() . '.txt');
+                $link['link_url'] = '';
+            }
+
             $links[] = [
                 'id' => null,
                 'title' => $link['title'] ?? 'Test Link%uniqid%',
                 'price' => $link['price'] ?? 0,
                 'link_type' => $link['link_type'] ?? 'file',
-                'link_url' => null,
-                'link_file' => $this->generateDownloadableLink($link['link_file'] ?? 'test-' . uniqid() . '.txt'),
+                'link_url' => $link['link_url'],
+                'link_file' => $link['link_file'],
                 'is_shareable' => $link['is_shareable'] ?? 0,
                 'number_of_downloads' => $link['number_of_downloads'] ?? 5,
                 'sort_order' => $link['sort_order'] ?? 10,

app/code/Magento/GraphQl/Controller/GraphQl.php

@@ -7,6 +7,7 @@
 
 namespace Magento\GraphQl\Controller;
 
+use Exception;
 use GraphQL\Error\FormattedError;
 use GraphQL\Error\SyntaxError;
 use Magento\Framework\App\Area;
@@ -19,6 +20,8 @@
 use Magento\Framework\App\ResponseInterface;
 use Magento\Framework\Controller\Result\JsonFactory;
 use Magento\Framework\GraphQl\Exception\ExceptionFormatter;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthenticationException;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthorizationException;
 use Magento\Framework\GraphQl\Exception\GraphQlInputException;
 use Magento\Framework\GraphQl\Query\Fields as QueryFields;
 use Magento\Framework\GraphQl\Query\QueryParser;
@@ -30,6 +33,7 @@
 use Magento\GraphQl\Helper\Query\Logger\LogData;
 use Magento\GraphQl\Model\Query\ContextFactoryInterface;
 use Magento\GraphQl\Model\Query\Logger\LoggerPool;
+use Throwable;
 
 /**
  * Front controller for web API GraphQL area.
@@ -40,6 +44,8 @@
  */
 class GraphQl implements FrontControllerInterface
 {
+    private const METHOD_OPTIONS = 'OPTIONS';
+
     /**
      * @var \Magento\Framework\Webapi\Response
      * @deprecated 100.3.2
@@ -181,20 +187,19 @@ public function __construct(
     public function dispatch(RequestInterface $request): ResponseInterface
     {
         $this->areaList->getArea(Area::AREA_GRAPHQL)->load(Area::PART_TRANSLATE);
-
-        $statusCode = 200;
         $jsonResult = $this->jsonFactory->create();
         $data = [];
         $result = null;
         $schema = null;
-        $query = '';
 
         try {
             $data = $this->getDataFromRequest($request);
             $query = $data['query'] ?? '';
 
             /** @var Http $request */
             $this->requestProcessor->validateRequest($request);
+            $statusCode = $request->getMethod() === self::METHOD_OPTIONS ? 204 : 200;
+
             if ($request->isGet() || $request->isPost()) {
                 $parsedQuery = $this->queryParser->parse($query);
                 $data['parsedQuery'] = $parsedQuery;
@@ -210,17 +215,10 @@ public function dispatch(RequestInterface $request): ResponseInterface
                     $this->contextFactory->create(),
                     $data['variables'] ?? []
                 );
+                $statusCode = $this->getHttpResponseCode($result);
             }
-        } catch (SyntaxError|GraphQlInputException $error) {
-            $result = [
-                'errors' => [FormattedError::createFromException($error)],
-            ];
-            $statusCode = 400;
-        } catch (\Exception $error) {
-            $result = [
-                'errors' => [$this->graphQlError->create($error)],
-            ];
-            $statusCode = ExceptionFormatter::HTTP_GRAPH_QL_SCHEMA_ERROR_STATUS;
+        } catch (Exception $error) {
+            [$result, $statusCode] = $this->handleGraphQlException($error);
         }
 
         $jsonResult->setHttpResponseCode($statusCode);
@@ -230,14 +228,59 @@ public function dispatch(RequestInterface $request): ResponseInterface
         $jsonResult->renderResult($this->httpResponse);
 
         // log information about the query, unless it is an introspection query
-        if (strpos($query, 'IntrospectionQuery') === false) {
+        if (!isset($data['query']) || strpos($data['query'], 'IntrospectionQuery') === false) {
             $queryInformation = $this->logDataHelper->getLogData($request, $data, $schema, $this->httpResponse);
             $this->loggerPool->execute($queryInformation);
         }
 
         return $this->httpResponse;
     }
 
+    /**
+     * Handle GraphQL Exceptions
+     *
+     * @param Exception $error
+     * @return array
+     * @throws Throwable
+     */
+    private function handleGraphQlException(Exception $error): array
+    {
+        if ($error instanceof SyntaxError || $error instanceof GraphQlInputException) {
+            return [['errors' => [FormattedError::createFromException($error)]], 400];
+        }
+        if ($error instanceof GraphQlAuthenticationException) {
+            return [['errors' => [$this->graphQlError->create($error)]], 401];
+        }
+        if ($error instanceof GraphQlAuthorizationException) {
+            return [['errors' => [$this->graphQlError->create($error)]], 403];
+        }
+        return [
+            ['errors' => [$this->graphQlError->create($error)]],
+            ExceptionFormatter::HTTP_GRAPH_QL_SCHEMA_ERROR_STATUS
+        ];
+    }
+
+    /**
+     * Retrieve http response code based on the error categories
+     *
+     * @param array $result
+     * @return int
+     */
+    private function getHttpResponseCode(array $result): int
+    {
+        foreach ($result['errors'] ?? [] as $error) {
+            if (isset($error['extensions']['category'])) {
+                return match ($error['extensions']['category']) {
+                    GraphQlAuthenticationException::EXCEPTION_CATEGORY => 401,
+                    GraphQlAuthorizationException::EXCEPTION_CATEGORY => 403,
+                    default => 200,
+                };
+            }
+        }
+
+        return 200;
+    }
+
     /**
      * Get data from request body or query string
      *
@@ -247,18 +290,16 @@ public function dispatch(RequestInterface $request): ResponseInterface
      */
     private function getDataFromRequest(RequestInterface $request): array
     {
+        $data = [];
         try {
             /** @var Http $request */
             if ($request->isPost()) {
                 $data = $request->getContent() ? $this->jsonSerializer->unserialize($request->getContent()) : [];
             } elseif ($request->isGet()) {
                 $data = $request->getParams();
-                $data['variables'] = isset($data['variables']) ?
-                    $this->jsonSerializer->unserialize($data['variables']) : null;
-                $data['variables'] = is_array($data['variables']) ?
-                    $data['variables'] : null;
-            } else {
-                $data = [];
+                $data['variables'] = !empty($data['variables']) && is_string($data['variables'])
+                    ? $this->jsonSerializer->unserialize($data['variables'])
+                    : null;
             }
         } catch (\InvalidArgumentException $e) {
             throw new GraphQlInputException(__('Unable to parse the request.'), $e);