magento
diff --git a/‎app/code/Magento/CustomerGraphQl/Controller/HttpRequestValidator/AuthorizationRequestValidator.php
Lines changed: 60 additions & 0 deletions b/‎app/code/Magento/CustomerGraphQl/Controller/HttpRequestValidator/AuthorizationRequestValidator.php
Lines changed: 60 additions & 0 deletions
diff --git a/‎app/code/Magento/CustomerGraphQl/etc/graphql/di.xml
Lines changed: 7 additions & 0 deletions b/‎app/code/Magento/CustomerGraphQl/etc/graphql/di.xml
Lines changed: 7 additions & 0 deletions
diff --git a/‎app/code/Magento/GraphQl/Controller/GraphQl.php
Lines changed: 32 additions & 2 deletions b/‎app/code/Magento/GraphQl/Controller/GraphQl.php
Lines changed: 32 additions & 2 deletions
diff --git a/‎dev/tests/api-functional/testsuite/Magento/GraphQl/Customer/AuthenticationTest.php
Lines changed: 229 additions & 0 deletions b/‎dev/tests/api-functional/testsuite/Magento/GraphQl/Customer/AuthenticationTest.php
Lines changed: 229 additions & 0 deletions
@@ -0,0 +1,60 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\CustomerGraphQl\Controller\HttpRequestValidator;
+
+use Magento\Framework\App\HttpRequestInterface;
+use Magento\Framework\Exception\AuthorizationException;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthenticationException;
+use Magento\GraphQl\Controller\HttpRequestValidatorInterface;
+use Magento\Integration\Api\Exception\UserTokenException;
+use Magento\Integration\Api\UserTokenReaderInterface;
+use Magento\Integration\Api\UserTokenValidatorInterface;
+
+class AuthorizationRequestValidator implements HttpRequestValidatorInterface
+{
+    private const AUTH = 'Authorization';
+    private const BEARER = 'bearer';
+
+    /**
+     * AuthorizationRequestValidator Constructor
+     *
+     * @param UserTokenReaderInterface $tokenReader
+     * @param UserTokenValidatorInterface $tokenValidator
+     */
+    public function __construct(
+        private readonly UserTokenReaderInterface $tokenReader,
+        private readonly UserTokenValidatorInterface $tokenValidator
+    ) {
+    }
+
+    /**
+     * Validate the authorization header bearer token if it is set
+     *
+     * @param HttpRequestInterface $request
+     * @return void
+     * @throws GraphQlAuthenticationException
+     */
+    public function validate(HttpRequestInterface $request): void
+    {
+        $authorizationHeaderValue = $request->getHeader(self::AUTH);
+        if (!$authorizationHeaderValue) {
+            return;
+        }
+
+        $headerPieces = explode(' ', $authorizationHeaderValue);
+        if (count($headerPieces) !== 2 || strtolower($headerPieces[0]) !== self::BEARER) {
+            return;
+        }
+
+        try {
+            $this->tokenValidator->validate($this->tokenReader->read($headerPieces[1]));
+        } catch (UserTokenException | AuthorizationException $exception) {
+            throw new GraphQlAuthenticationException(__($exception->getMessage()));
+        }
+    }
+}
@@ -214,4 +214,11 @@
         <plugin name="merge_order_after_customer_signup"
                 type="Magento\CustomerGraphQl\Plugin\Model\MergeGuestOrder" />
     </type>
+    <type name="Magento\GraphQl\Controller\HttpRequestProcessor">
+        <arguments>
+            <argument name="requestValidators" xsi:type="array">
+                <item name="authorizationValidator" xsi:type="object">Magento\CustomerGraphQl\Controller\HttpRequestValidator\AuthorizationRequestValidator</item>
+            </argument>
+        </arguments>
+    </type>
 </config>
@@ -19,6 +19,8 @@
 use Magento\Framework\App\ResponseInterface;
 use Magento\Framework\Controller\Result\JsonFactory;
 use Magento\Framework\GraphQl\Exception\ExceptionFormatter;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthenticationException;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthorizationException;
 use Magento\Framework\GraphQl\Exception\GraphQlInputException;
 use Magento\Framework\GraphQl\Query\Fields as QueryFields;
 use Magento\Framework\GraphQl\Query\QueryParser;
@@ -185,7 +187,7 @@ public function dispatch(RequestInterface $request): ResponseInterface
         $statusCode = 200;
         $jsonResult = $this->jsonFactory->create();
         $data = [];
-        $result = null;
+        $result = ['errors' => []];
         $schema = null;
         $query = '';
 
@@ -211,6 +213,13 @@ public function dispatch(RequestInterface $request): ResponseInterface
                     $data['variables'] ?? []
                 );
             }
+            $statusCode = $this->getHttpResponseCode($result);
+        } catch (GraphQlAuthenticationException $error) {
+            $result['errors'][] = $this->graphQlError->create($error);
+            $statusCode = 401;
+        } catch (GraphQlAuthorizationException $error) {
+            $result['errors'][] = $this->graphQlError->create($error);
+            $statusCode = 403;
         } catch (SyntaxError|GraphQlInputException $error) {
             $result = [
                 'errors' => [FormattedError::createFromException($error)],
@@ -230,14 +239,35 @@ public function dispatch(RequestInterface $request): ResponseInterface
         $jsonResult->renderResult($this->httpResponse);
 
         // log information about the query, unless it is an introspection query
-        if (strpos($query, 'IntrospectionQuery') === false) {
+        if (!str_contains($query, 'IntrospectionQuery')) {
             $queryInformation = $this->logDataHelper->getLogData($request, $data, $schema, $this->httpResponse);
             $this->loggerPool->execute($queryInformation);
         }
 
         return $this->httpResponse;
     }
 
+    /**
+     * Retrieve http response code based on the error categories
+     *
+     * @param array $result
+     * @return int
+     */
+    private function getHttpResponseCode(array $result): int
+    {
+        foreach ($result['errors'] ?? [] as $error) {
+            if (isset($error['extensions']['category'])) {
+                return match ($error['extensions']['category']) {
+                    GraphQlAuthenticationException::EXCEPTION_CATEGORY => 401,
+                    GraphQlAuthorizationException::EXCEPTION_CATEGORY => 403,
+                    default => 200,
+                };
+            }
+        }
+
+        return 200;
+    }
+
     /**
      * Get data from request body or query string
      *
 
@@ -0,0 +1,229 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\GraphQl\Customer;
+
+use Exception;
+use Magento\Customer\Api\CustomerRepositoryInterface;
+use Magento\Customer\Api\Data\CustomerInterface;
+use Magento\Customer\Test\Fixture\Customer;
+use Magento\Framework\Exception\AuthenticationException;
+use Magento\Framework\Exception\EmailNotConfirmedException;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Exception\NoSuchEntityException;
+use Magento\Integration\Api\CustomerTokenServiceInterface;
+use Magento\TestFramework\Fixture\DataFixture;
+use Magento\TestFramework\Fixture\DataFixtureStorageManager;
+use Magento\TestFramework\Helper\Bootstrap;
+use Magento\TestFramework\TestCase\GraphQlAbstract;
+use Magento\TestFramework\TestCase\HttpClient\CurlClient;
+
+/**
+ * Test customer authentication responses
+ */
+class AuthenticationTest extends GraphQlAbstract
+{
+    private const QUERY_ACCESSIBLE_BY_GUEST = <<<QUERY
+        {
+          isEmailAvailable(email: "[email protected]") {
+            is_email_available
+          }
+        }
+    QUERY;
+
+    private const QUERY_REQUIRE_AUTHENTICATION = <<<QUERY
+        {
+          customer {
+            email
+          }
+        }
+    QUERY;
+
+    /**
+     * @var CustomerTokenServiceInterface
+     */
+    private $tokenService;
+
+    protected function setUp(): void
+    {
+        $this->tokenService = Bootstrap::getObjectManager()->get(CustomerTokenServiceInterface::class);
+    }
+
+    /**
+     * @throws Exception
+     */
+    public function testNoToken(): void
+    {
+        self::assertEquals(
+            [
+                'isEmailAvailable' => [
+                    'is_email_available' => 1
+                ]
+            ],
+            $this->graphQlQuery(self::QUERY_ACCESSIBLE_BY_GUEST)
+        );
+    }
+
+    public function testInvalidToken(): void
+    {
+        $this->expectExceptionCode(401);
+        Bootstrap::getObjectManager()->get(CurlClient::class)->get(
+            rtrim(TESTS_BASE_URL, '/') . '/graphql',
+            [
+                'query' => self::QUERY_ACCESSIBLE_BY_GUEST
+            ],
+            [
+                'Authorization: Bearer invalid_token'
+            ]
+        );
+    }
+
+    /**
+     * @throws AuthenticationException
+     * @throws LocalizedException
+     * @throws EmailNotConfirmedException
+     */
+    #[
+        DataFixture(Customer::class, as: 'customer'),
+    ]
+    public function testRevokedTokenPublicQuery(): void
+    {
+        /** @var CustomerInterface $customer */
+        $customer = DataFixtureStorageManager::getStorage()->get('customer');
+        $token = $this->tokenService->createCustomerAccessToken($customer->getEmail(), 'password');
+
+        self::assertEquals(
+            [
+                'isEmailAvailable' => [
+                    'is_email_available' => 1
+                ]
+            ],
+            $this->graphQlQuery(
+                self::QUERY_ACCESSIBLE_BY_GUEST,
+                [],
+                '',
+                [
+                    'Authorization' => 'Bearer ' . $token
+                ]
+            )
+        );
+
+        $this->tokenService->revokeCustomerAccessToken($customer->getId());
+
+        $this->expectExceptionCode(401);
+        Bootstrap::getObjectManager()->get(CurlClient::class)->get(
+            rtrim(TESTS_BASE_URL, '/') . '/graphql',
+            [
+                'query' => self::QUERY_ACCESSIBLE_BY_GUEST
+            ],
+            [
+                'Authorization: Bearer ' . $token
+            ]
+        );
+    }
+
+    /**
+     * @throws AuthenticationException
+     * @throws EmailNotConfirmedException
+     * @throws LocalizedException
+     * @throws Exception
+     */
+    #[
+        DataFixture(Customer::class, as: 'customer'),
+    ]
+    public function testRevokedTokenProtectedQuery()
+    {
+        /** @var CustomerInterface $customer */
+        $customer = DataFixtureStorageManager::getStorage()->get('customer');
+        $token = $this->tokenService->createCustomerAccessToken($customer->getEmail(), 'password');
+
+        self::assertEquals(
+            [
+                'customer' => [
+                    'email' => $customer->getEmail()
+                ]
+            ],
+            $this->graphQlQuery(
+                self::QUERY_REQUIRE_AUTHENTICATION,
+                [],
+                '',
+                [
+                    'Authorization' => 'Bearer ' . $token
+                ]
+            )
+        );
+
+        $this->tokenService->revokeCustomerAccessToken($customer->getId());
+
+        $this->expectExceptionCode(401);
+        Bootstrap::getObjectManager()->get(CurlClient::class)->get(
+            rtrim(TESTS_BASE_URL, '/') . '/graphql',
+            [
+                'query' => self::QUERY_REQUIRE_AUTHENTICATION
+            ],
+            [
+                'Authorization: Bearer ' . $token
+            ]
+        );
+    }
+
+    /**
+     * @throws NoSuchEntityException
+     * @throws AuthenticationException
+     * @throws EmailNotConfirmedException
+     * @throws LocalizedException
+     */
+    #[
+        DataFixture(Customer::class, as: 'unauthorizedCustomer'),
+        DataFixture(
+            Customer::class,
+            [
+                'addresses' => [
+                    [
+                        'country_id' => 'US',
+                        'region_id' => 32,
+                        'city' => 'Boston',
+                        'street' => ['10 Milk Street'],
+                        'postcode' => '02108',
+                        'telephone' => '1234567890',
+                        'default_billing' => true,
+                        'default_shipping' => true
+                    ]
+                ]
+            ],
+            as: 'customerWithAddress'
+        ),
+    ]
+    public function testForbidden(): void
+    {
+        /** @var CustomerInterface $customerWithAddress */
+        $customerWithAddressData = DataFixtureStorageManager::getStorage()->get('customerWithAddress');
+        $customerWithAddress = Bootstrap::getObjectManager()
+            ->get(CustomerRepositoryInterface::class)
+            ->get($customerWithAddressData->getEmail());
+        $mutation = <<<MUTATION
+            mutation {
+              deleteCustomerAddress(id: {$customerWithAddress->getDefaultBilling()})
+            }
+        MUTATION;
+
+        /** @var CustomerInterface $unauthorizedCustomer */
+        $unauthorizedCustomer = DataFixtureStorageManager::getStorage()->get('unauthorizedCustomer');
+        $token = $this->tokenService->createCustomerAccessToken($unauthorizedCustomer->getEmail(), 'password');
+
+        $this->expectExceptionCode(403);
+        Bootstrap::getObjectManager()->get(CurlClient::class)->post(
+            rtrim(TESTS_BASE_URL, '/') . '/graphql',
+            json_encode(['query' => $mutation]),
+            [
+                'Authorization: Bearer ' . $token,
+                'Accept: application/json',
+                'Content-Type: application/json'
+            ]
+        );
+    }
+}