feat: Permettre au super admin de se connecter et accéder à son dashboard

Le super admin (table super_admins, master DB) ne pouvait pas se connecter via /api/login car ce firewall n'utilisait que le provider tenant. De même, le JWT n'était pas enrichi pour les super admins, l'endpoint /api/me/roles les rejetait, et le frontend redirigeait systématiquement vers /dashboard. Un chain provider (super_admin + tenant) résout l'authentification, le JwtPayloadEnricher et MyRolesProvider gèrent désormais les deux types d'utilisateurs, et le frontend redirige selon le rôle après login.
2026-02-17 10:07:10 +01:00
parent c856dfdcda
commit 0951322d71
68 changed files with 4049 additions and 8 deletions
--- a/backend/config/packages/security.yaml
+++ b/backend/config/packages/security.yaml
@@ -21,6 +21,13 @@ security:
        # User provider for API authentication (Story 1.4)
        app_user_provider:
            id: App\Administration\Infrastructure\Security\DatabaseUserProvider
+        # Super Admin authentication — master database, not per-tenant (Story 2.10)
+        super_admin_provider:
+            id: App\SuperAdmin\Infrastructure\Security\SuperAdminUserProvider
+        # Chain provider: tries super admin first, then tenant user
+        all_users_provider:
+            chain:
+                providers: ['super_admin_provider', 'app_user_provider']

    firewalls:
        dev:
@@ -40,7 +47,12 @@ security:
                password_path: password
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: App\Administration\Infrastructure\Security\LoginFailureHandler
-            provider: app_user_provider
+            provider: all_users_provider
+        super_admin_api:
+            pattern: ^/api/super-admin
+            stateless: true
+            jwt: ~
+            provider: super_admin_provider
        api_public:
            pattern: ^/api/(activation-tokens|activate|token/(refresh|logout)|password/(forgot|reset)|docs)(/|$)
            stateless: true
@@ -49,7 +61,7 @@ security:
            pattern: ^/api
            stateless: true
            jwt: ~
-            provider: app_user_provider
+            provider: all_users_provider
        main:
            lazy: true
            provider: app_user_provider
@@ -58,6 +70,7 @@ security:
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/api/docs, roles: PUBLIC_ACCESS }
+        - { path: ^/api/super-admin, roles: ROLE_SUPER_ADMIN }
        - { path: ^/api/login, roles: PUBLIC_ACCESS }
        - { path: ^/api/activation-tokens, roles: PUBLIC_ACCESS }
        - { path: ^/api/activate, roles: PUBLIC_ACCESS }