Roukmoute/Classeo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Permettre au super admin de se connecter et accéder à son dashboard

Browse Source 
Le super admin (table super_admins, master DB) ne pouvait pas se connecter
via /api/login car ce firewall n'utilisait que le provider tenant. De même,
le JWT n'était pas enrichi pour les super admins, l'endpoint /api/me/roles
les rejetait, et le frontend redirigeait systématiquement vers /dashboard.

Un chain provider (super_admin + tenant) résout l'authentification,
le JwtPayloadEnricher et MyRolesProvider gèrent désormais les deux types
d'utilisateurs, et le frontend redirige selon le rôle après login.
This commit is contained in:
Mathias STRASSER
2026-02-17 10:07:10 +01:00
parent c856dfdcda
commit 0951322d71
68 changed files with 4049 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
backend/src/Administration/Infrastructure/Api/Provider/MyRolesProvider.php
View File

@@ -13,6 +13,7 @@ use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Administration\Infrastructure\Api\Resource\MyRolesOutput;
use App\Administration\Infrastructure\Security\SecurityUser;
use App\SuperAdmin\Infrastructure\Security\SecuritySuperAdmin;
use function array_map;
@@ -37,6 +38,16 @@ final readonly class MyRolesProvider implements ProviderInterface
public function provide(Operation $operation, array $uriVariables = [], array $context = []): MyRolesOutput
{
$currentUser = $this->security->getUser();
if ($currentUser instanceof SecuritySuperAdmin) {
$output = new MyRolesOutput();
$output->roles = [['value' => 'ROLE_SUPER_ADMIN', 'label' => 'Super Admin']];
$output->activeRole = 'ROLE_SUPER_ADMIN';
$output->activeRoleLabel = 'Super Admin';
return $output;
}
if (!$currentUser instanceof SecurityUser) {
throw new UnauthorizedHttpException('Bearer', 'Authentification requise.');
}

16
backend/src/Administration/Infrastructure/Security/JwtPayloadEnricher.php
View File

@@ -4,6 +4,7 @@ declare(strict_types=1);
namespace App\Administration\Infrastructure\Security;
use App\SuperAdmin\Infrastructure\Security\SecuritySuperAdmin;
use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTCreatedEvent;
/**
@@ -12,7 +13,8 @@ use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTCreatedEvent;
* Added claims:
* - sub: User email (Symfony Security identifier)
* - user_id: User UUID (for API consumers)
* - tenant_id: Tenant UUID for multi-tenant isolation
* - tenant_id: Tenant UUID for multi-tenant isolation (regular users only)
* - user_type: "super_admin" for super admins
* - roles: List of Symfony roles for authorization
*
* @see Story 1.4 - User login
@@ -22,13 +24,21 @@ final readonly class JwtPayloadEnricher
public function onJWTCreated(JWTCreatedEvent $event): void
{
$user = $event->getUser();
$payload = $event->getData();
if ($user instanceof SecuritySuperAdmin) {
$payload['user_id'] = $user->superAdminId();
$payload['user_type'] = 'super_admin';
$payload['roles'] = $user->getRoles();
$event->setData($payload);
return;
}
if (!$user instanceof SecurityUser) {
return;
}
$payload = $event->getData();
// Business claims for multi-tenant isolation and authorization
$payload['user_id'] = $user->userId();
$payload['tenant_id'] = $user->tenantId();