Roukmoute/Classeo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Audit trail pour actions sensibles

Browse Source 
Story 1.7 - Implémente un système complet d'audit trail pour tracer
toutes les actions sensibles (authentification, modifications de données,
exports) avec immuabilité garantie par PostgreSQL.

Fonctionnalités principales:
- Table audit_log append-only avec contraintes PostgreSQL (RULE)
- AuditLogger centralisé avec injection automatique du contexte
- Correlation ID pour traçabilité distribuée (HTTP + async)
- Handlers pour événements d'authentification
- Commande d'archivage des logs anciens
- Pas de PII dans les logs (emails/IPs hashés)

Infrastructure:
- Middlewares Messenger pour propagation du Correlation ID
- HTTP middleware pour génération/propagation du Correlation ID
- Support multi-tenant avec TenantResolver
This commit is contained in:
Mathias STRASSER
2026-02-04 00:11:58 +01:00
parent b823479658
commit 2ed60fdcc1
38 changed files with 4179 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

305
backend/tests/Unit/Administration/Infrastructure/Api/Controller/LogoutControllerTest.php Normal file
View File

@@ -0,0 +1,305 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Infrastructure\Api\Controller;
use App\Administration\Domain\Event\Deconnexion;
use App\Administration\Domain\Model\RefreshToken\DeviceFingerprint;
use App\Administration\Domain\Model\RefreshToken\RefreshToken;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\RefreshTokenRepository;
use App\Administration\Domain\Repository\SessionRepository;
use App\Administration\Infrastructure\Api\Controller\LogoutController;
use App\Shared\Domain\Clock;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Messenger\Envelope;
use Symfony\Component\Messenger\MessageBusInterface;
/**
* [P0] Tests for LogoutController - critical session invalidation.
*
* Verifies:
* - Token family invalidation on logout
* - Session deletion
* - Cookie clearing
* - Deconnexion event dispatch
* - Graceful handling of missing/malformed tokens
*/
final class LogoutControllerTest extends TestCase
{
private const string USER_ID = '550e8400-e29b-41d4-a716-446655440001';
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private const string IP_ADDRESS = '192.168.1.100';
private const string USER_AGENT = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)';
private RefreshTokenRepository $refreshTokenRepository;
private SessionRepository $sessionRepository;
private Clock $clock;
/** @var DomainEvent[] */
private array $dispatchedEvents = [];
private LogoutController $controller;
protected function setUp(): void
{
$this->refreshTokenRepository = $this->createMock(RefreshTokenRepository::class);
$this->sessionRepository = $this->createMock(SessionRepository::class);
$this->clock = new class implements Clock {
#[Override]
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-01-28 10:00:00');
}
};
$this->dispatchedEvents = [];
$eventBus = new class($this->dispatchedEvents) implements MessageBusInterface {
/** @param DomainEvent[] $events */
public function __construct(private array &$events)
{
}
#[Override]
public function dispatch(object $message, array $stamps = []): Envelope
{
$this->events[] = $message;
return new Envelope($message);
}
};
$this->controller = new LogoutController(
$this->refreshTokenRepository,
$this->sessionRepository,
$eventBus,
$this->clock,
);
}
#[Test]
public function itInvalidatesTokenFamilyOnLogout(): void
{
// GIVEN: A request with a valid refresh token cookie
$refreshToken = $this->createRefreshToken();
$tokenString = $refreshToken->toTokenString();
$request = Request::create('/api/token/logout', 'POST', [], [
'refresh_token' => $tokenString,
], [], [
'REMOTE_ADDR' => self::IP_ADDRESS,
'HTTP_USER_AGENT' => self::USER_AGENT,
]);
$this->refreshTokenRepository
->expects($this->once())
->method('find')
->with($refreshToken->id)
->willReturn($refreshToken);
// THEN: Family should be invalidated
$this->refreshTokenRepository
->expects($this->once())
->method('invalidateFamily')
->with($refreshToken->familyId);
// WHEN: Logout is invoked
$response = ($this->controller)($request);
// THEN: Returns success
$this->assertSame(Response::HTTP_OK, $response->getStatusCode());
}
#[Test]
public function itDeletesSessionOnLogout(): void
{
// GIVEN: A valid refresh token
$refreshToken = $this->createRefreshToken();
$request = Request::create('/api/token/logout', 'POST', [], [
'refresh_token' => $refreshToken->toTokenString(),
], [], [
'REMOTE_ADDR' => self::IP_ADDRESS,
'HTTP_USER_AGENT' => self::USER_AGENT,
]);
$this->refreshTokenRepository
->method('find')
->willReturn($refreshToken);
// THEN: Session should be deleted
$this->sessionRepository
->expects($this->once())
->method('delete')
->with($refreshToken->familyId);
// WHEN: Logout is invoked
($this->controller)($request);
}
#[Test]
public function itDispatchesDeconnexionEvent(): void
{
// GIVEN: A valid refresh token
$refreshToken = $this->createRefreshToken();
$request = Request::create('/api/token/logout', 'POST', [], [
'refresh_token' => $refreshToken->toTokenString(),
], [], [
'REMOTE_ADDR' => self::IP_ADDRESS,
'HTTP_USER_AGENT' => self::USER_AGENT,
]);
$this->refreshTokenRepository
->method('find')
->willReturn($refreshToken);
// WHEN: Logout is invoked
($this->controller)($request);
// THEN: Deconnexion event is dispatched with correct data
$logoutEvents = array_filter(
$this->dispatchedEvents,
static fn ($e) => $e instanceof Deconnexion,
);
$this->assertCount(1, $logoutEvents);
$event = reset($logoutEvents);
$this->assertSame((string) $refreshToken->userId, $event->userId);
$this->assertSame((string) $refreshToken->familyId, $event->familyId);
$this->assertSame(self::IP_ADDRESS, $event->ipAddress);
$this->assertSame(self::USER_AGENT, $event->userAgent);
}
#[Test]
public function itClearsCookiesOnLogout(): void
{
// GIVEN: A valid refresh token
$refreshToken = $this->createRefreshToken();
$request = Request::create('/api/token/logout', 'POST', [], [
'refresh_token' => $refreshToken->toTokenString(),
], [], [
'REMOTE_ADDR' => self::IP_ADDRESS,
'HTTP_USER_AGENT' => self::USER_AGENT,
]);
$this->refreshTokenRepository
->method('find')
->willReturn($refreshToken);
// WHEN: Logout is invoked
$response = ($this->controller)($request);
// THEN: Cookies are cleared (expired)
$cookies = $response->headers->getCookies();
$this->assertCount(2, $cookies); // /api and /api/token (legacy)
foreach ($cookies as $cookie) {
$this->assertSame('refresh_token', $cookie->getName());
$this->assertSame('', $cookie->getValue());
$this->assertTrue($cookie->isCleared()); // Expiry in the past
}
}
#[Test]
public function itHandlesMissingCookieGracefully(): void
{
// GIVEN: A request without refresh_token cookie
$request = Request::create('/api/token/logout', 'POST', [], [], [], [
'REMOTE_ADDR' => self::IP_ADDRESS,
'HTTP_USER_AGENT' => self::USER_AGENT,
]);
// THEN: No repository operations
$this->refreshTokenRepository
->expects($this->never())
->method('find');
$this->refreshTokenRepository
->expects($this->never())
->method('invalidateFamily');
$this->sessionRepository
->expects($this->never())
->method('delete');
// WHEN: Logout is invoked
$response = ($this->controller)($request);
// THEN: Still returns success (idempotent)
$this->assertSame(Response::HTTP_OK, $response->getStatusCode());
// THEN: Cookies are still cleared
$this->assertNotEmpty($response->headers->getCookies());
}
#[Test]
public function itHandlesMalformedTokenGracefully(): void
{
// GIVEN: A request with malformed token
$request = Request::create('/api/token/logout', 'POST', [], [
'refresh_token' => 'malformed-token-not-base64',
], [], [
'REMOTE_ADDR' => self::IP_ADDRESS,
'HTTP_USER_AGENT' => self::USER_AGENT,
]);
// THEN: No repository operations (exception caught)
$this->refreshTokenRepository
->expects($this->never())
->method('invalidateFamily');
// WHEN: Logout is invoked
$response = ($this->controller)($request);
// THEN: Still returns success
$this->assertSame(Response::HTTP_OK, $response->getStatusCode());
}
#[Test]
public function itHandlesNonExistentTokenGracefully(): void
{
// GIVEN: A valid token format but not in database
$refreshToken = $this->createRefreshToken();
$request = Request::create('/api/token/logout', 'POST', [], [
'refresh_token' => $refreshToken->toTokenString(),
], [], [
'REMOTE_ADDR' => self::IP_ADDRESS,
'HTTP_USER_AGENT' => self::USER_AGENT,
]);
$this->refreshTokenRepository
->method('find')
->willReturn(null);
// THEN: No invalidation attempted
$this->refreshTokenRepository
->expects($this->never())
->method('invalidateFamily');
// WHEN: Logout is invoked
$response = ($this->controller)($request);
// THEN: Still returns success (idempotent)
$this->assertSame(Response::HTTP_OK, $response->getStatusCode());
}
private function createRefreshToken(): RefreshToken
{
return RefreshToken::create(
userId: UserId::fromString(self::USER_ID),
tenantId: TenantId::fromString(self::TENANT_ID),
deviceFingerprint: DeviceFingerprint::fromRequest(self::USER_AGENT, self::IP_ADDRESS),
issuedAt: $this->clock->now(),
);
}
}

249
backend/tests/Unit/Administration/Infrastructure/Persistence/InMemory/InMemoryRefreshTokenRepositoryTest.php Normal file
View File

@@ -0,0 +1,249 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Infrastructure\Persistence\InMemory;
use App\Administration\Domain\Model\RefreshToken\DeviceFingerprint;
use App\Administration\Domain\Model\RefreshToken\RefreshToken;
use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryRefreshTokenRepository;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
/**
* [P1] Tests for InMemoryRefreshTokenRepository.
*
* Verifies:
* - Token save and retrieval
* - Token deletion
* - Family invalidation (all tokens in family)
* - User invalidation (all families for user)
* - Index maintenance
*/
final class InMemoryRefreshTokenRepositoryTest extends TestCase
{
private const string USER_ID = '550e8400-e29b-41d4-a716-446655440001';
private const string USER_ID_2 = '550e8400-e29b-41d4-a716-446655440003';
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private InMemoryRefreshTokenRepository $repository;
private DateTimeImmutable $now;
protected function setUp(): void
{
$this->repository = new InMemoryRefreshTokenRepository();
$this->now = new DateTimeImmutable('2026-01-28 10:00:00');
}
#[Test]
public function itSavesAndRetrievesToken(): void
{
// GIVEN: A refresh token
$token = $this->createToken(self::USER_ID);
// WHEN: Token is saved
$this->repository->save($token);
// THEN: Token can be retrieved by ID
$found = $this->repository->find($token->id);
$this->assertNotNull($found);
$this->assertSame((string) $token->id, (string) $found->id);
$this->assertSame((string) $token->familyId, (string) $found->familyId);
$this->assertSame((string) $token->userId, (string) $found->userId);
}
#[Test]
public function itReturnsNullForNonExistentToken(): void
{
// GIVEN: Empty repository
// WHEN: Searching for non-existent token
$token = $this->createToken(self::USER_ID);
$found = $this->repository->find($token->id);
// THEN: Returns null
$this->assertNull($found);
}
#[Test]
public function itDeletesTokenById(): void
{
// GIVEN: A saved token
$token = $this->createToken(self::USER_ID);
$this->repository->save($token);
// WHEN: Token is deleted
$this->repository->delete($token->id);
// THEN: Token is no longer found
$found = $this->repository->find($token->id);
$this->assertNull($found);
}
#[Test]
public function itInvalidatesEntireFamily(): void
{
// GIVEN: Multiple tokens in the same family
$token1 = $this->createToken(self::USER_ID);
$token2 = $this->rotateToken($token1);
$token3 = $this->rotateToken($token2);
$this->repository->save($token1);
$this->repository->save($token2);
$this->repository->save($token3);
// WHEN: Family is invalidated
$this->repository->invalidateFamily($token1->familyId);
// THEN: All tokens in family are deleted
$this->assertNull($this->repository->find($token1->id));
$this->assertNull($this->repository->find($token2->id));
$this->assertNull($this->repository->find($token3->id));
}
#[Test]
public function itDoesNotAffectOtherFamilies(): void
{
// GIVEN: Tokens in different families
$token1 = $this->createToken(self::USER_ID);
$token2 = $this->createToken(self::USER_ID); // Different family (new login session)
$this->repository->save($token1);
$this->repository->save($token2);
// WHEN: One family is invalidated
$this->repository->invalidateFamily($token1->familyId);
// THEN: Other family is intact
$this->assertNull($this->repository->find($token1->id));
$this->assertNotNull($this->repository->find($token2->id));
}
#[Test]
public function itInvalidatesAllFamiliesForUser(): void
{
// GIVEN: Multiple families for the same user (multiple devices)
$token1 = $this->createToken(self::USER_ID);
$token2 = $this->createToken(self::USER_ID);
$token3 = $this->createToken(self::USER_ID);
$this->repository->save($token1);
$this->repository->save($token2);
$this->repository->save($token3);
// All belong to same user but different families
$userId = UserId::fromString(self::USER_ID);
// Verify user has active sessions
$this->assertTrue($this->repository->hasActiveSessionsForUser($userId));
// WHEN: All tokens for user are invalidated
$this->repository->invalidateAllForUser($userId);
// THEN: No sessions remain for user
$this->assertFalse($this->repository->hasActiveSessionsForUser($userId));
$this->assertNull($this->repository->find($token1->id));
$this->assertNull($this->repository->find($token2->id));
$this->assertNull($this->repository->find($token3->id));
}
#[Test]
public function itDoesNotAffectOtherUsers(): void
{
// GIVEN: Tokens for different users
$token1 = $this->createToken(self::USER_ID);
$token2 = $this->createToken(self::USER_ID_2);
$this->repository->save($token1);
$this->repository->save($token2);
// WHEN: First user's tokens are invalidated
$this->repository->invalidateAllForUser(UserId::fromString(self::USER_ID));
// THEN: Second user's token is intact
$this->assertNull($this->repository->find($token1->id));
$this->assertNotNull($this->repository->find($token2->id));
}
#[Test]
public function itTracksActiveSessionsForUser(): void
{
// GIVEN: No tokens for user
$userId = UserId::fromString(self::USER_ID);
$this->assertFalse($this->repository->hasActiveSessionsForUser($userId));
// WHEN: Token is saved
$token = $this->createToken(self::USER_ID);
$this->repository->save($token);
// THEN: User has active sessions
$this->assertTrue($this->repository->hasActiveSessionsForUser($userId));
}
#[Test]
public function itHandlesInvalidationOfNonExistentFamily(): void
{
// GIVEN: Non-existent family ID
$familyId = TokenFamilyId::generate();
// WHEN: Invalidating non-existent family
$this->repository->invalidateFamily($familyId);
// THEN: No exception thrown (idempotent operation)
$this->assertTrue(true);
}
#[Test]
public function itHandlesInvalidationOfNonExistentUser(): void
{
// GIVEN: Non-existent user ID
$userId = UserId::fromString(self::USER_ID);
// WHEN: Invalidating non-existent user's tokens
$this->repository->invalidateAllForUser($userId);
// THEN: No exception thrown (idempotent operation)
$this->assertTrue(true);
}
#[Test]
public function itHandlesDuplicateSavesIdempotently(): void
{
// GIVEN: A token
$token = $this->createToken(self::USER_ID);
// WHEN: Token is saved multiple times
$this->repository->save($token);
$this->repository->save($token);
$this->repository->save($token);
// THEN: Token exists once (no duplicates in indexes)
$found = $this->repository->find($token->id);
$this->assertNotNull($found);
// Invalidating family should clean everything properly
$this->repository->invalidateFamily($token->familyId);
$this->assertNull($this->repository->find($token->id));
}
private function createToken(string $userId): RefreshToken
{
return RefreshToken::create(
userId: UserId::fromString($userId),
tenantId: TenantId::fromString(self::TENANT_ID),
deviceFingerprint: DeviceFingerprint::fromRequest('Mozilla/5.0', '192.168.1.1'),
issuedAt: $this->now,
);
}
private function rotateToken(RefreshToken $token): RefreshToken
{
[$newToken, $oldToken] = $token->rotate($this->now->modify('+1 minute'));
return $newToken;
}
}

331
backend/tests/Unit/Administration/Infrastructure/Security/LoginSuccessHandlerTest.php Normal file
View File

@@ -0,0 +1,331 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Infrastructure\Security;
use App\Administration\Application\Port\GeoLocationService;
use App\Administration\Application\Service\RefreshTokenManager;
use App\Administration\Domain\Event\ConnexionReussie;
use App\Administration\Domain\Model\Session\Location;
use App\Administration\Domain\Model\Session\Session;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\SessionRepository;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryRefreshTokenRepository;
use App\Administration\Infrastructure\Security\LoginSuccessHandler;
use App\Administration\Infrastructure\Security\SecurityUser;
use App\Shared\Domain\Clock;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use App\Shared\Infrastructure\RateLimit\LoginRateLimiterInterface;
use DateTimeImmutable;
use Lexik\Bundle\JWTAuthenticationBundle\Event\AuthenticationSuccessEvent;
use Override;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Messenger\Envelope;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\User\UserInterface;
/**
* [P0] Tests for LoginSuccessHandler - critical authentication flow.
*
* Verifies:
* - Refresh token creation on successful login
* - Session creation with device info and geolocation
* - Rate limiter reset after successful login
* - ConnexionReussie event dispatch
* - HttpOnly cookie configuration
*/
final class LoginSuccessHandlerTest extends TestCase
{
private const string USER_ID = '550e8400-e29b-41d4-a716-446655440001';
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private const string EMAIL = 'user@example.com';
private const string IP_ADDRESS = '192.168.1.100';
private const string USER_AGENT = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)';
private InMemoryRefreshTokenRepository $refreshTokenRepository;
private RefreshTokenManager $refreshTokenManager;
private SessionRepository $sessionRepository;
private GeoLocationService $geoLocationService;
private LoginRateLimiterInterface $rateLimiter;
private Clock $clock;
private RequestStack $requestStack;
/** @var DomainEvent[] */
private array $dispatchedEvents = [];
private LoginSuccessHandler $handler;
protected function setUp(): void
{
$this->clock = new class implements Clock {
#[Override]
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-01-28 10:00:00');
}
};
$this->refreshTokenRepository = new InMemoryRefreshTokenRepository();
$this->refreshTokenManager = new RefreshTokenManager(
$this->refreshTokenRepository,
$this->clock,
);
$this->sessionRepository = $this->createMock(SessionRepository::class);
$this->geoLocationService = $this->createMock(GeoLocationService::class);
$this->rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$this->requestStack = new RequestStack();
$this->dispatchedEvents = [];
$eventBus = new class($this->dispatchedEvents) implements MessageBusInterface {
/** @param DomainEvent[] $events */
public function __construct(private array &$events)
{
}
#[Override]
public function dispatch(object $message, array $stamps = []): Envelope
{
$this->events[] = $message;
return new Envelope($message);
}
};
$this->handler = new LoginSuccessHandler(
$this->refreshTokenManager,
$this->sessionRepository,
$this->geoLocationService,
$this->rateLimiter,
$eventBus,
$this->clock,
$this->requestStack,
);
}
#[Test]
public function itCreatesRefreshTokenOnSuccessfulLogin(): void
{
// GIVEN: A successful authentication event with SecurityUser
$request = $this->createRequest();
$this->requestStack->push($request);
$securityUser = $this->createSecurityUser();
$response = new Response();
$event = new AuthenticationSuccessEvent(['token' => 'jwt'], $securityUser, $response);
$this->geoLocationService
->method('locate')
->willReturn(Location::unknown());
$this->sessionRepository
->expects($this->once())
->method('save')
->with(
$this->isInstanceOf(Session::class),
$this->greaterThan(0),
);
// WHEN: Handler processes the event
$this->handler->onAuthenticationSuccess($event);
// THEN: Refresh token cookie is set
$cookies = $response->headers->getCookies();
$this->assertCount(1, $cookies);
$this->assertSame('refresh_token', $cookies[0]->getName());
$this->assertTrue($cookies[0]->isHttpOnly());
$this->assertSame('/api', $cookies[0]->getPath());
// THEN: Refresh token is saved in repository
$this->assertTrue(
$this->refreshTokenRepository->hasActiveSessionsForUser(
UserId::fromString(self::USER_ID),
),
);
}
#[Test]
public function itCreatesSessionWithDeviceInfoAndLocation(): void
{
// GIVEN: A successful authentication with request context
$request = $this->createRequest();
$this->requestStack->push($request);
$securityUser = $this->createSecurityUser();
$response = new Response();
$event = new AuthenticationSuccessEvent(['token' => 'jwt'], $securityUser, $response);
$expectedLocation = Location::fromIp(self::IP_ADDRESS, 'France', 'Paris');
$this->geoLocationService
->expects($this->once())
->method('locate')
->with(self::IP_ADDRESS)
->willReturn($expectedLocation);
$savedSession = null;
$this->sessionRepository
->expects($this->once())
->method('save')
->willReturnCallback(static function (Session $session, int $ttl) use (&$savedSession): void {
$savedSession = $session;
});
// WHEN: Handler processes the event
$this->handler->onAuthenticationSuccess($event);
// THEN: Session is created with correct data
$this->assertNotNull($savedSession);
$this->assertSame(self::USER_ID, (string) $savedSession->userId);
}
#[Test]
public function itResetsRateLimiterAfterSuccessfulLogin(): void
{
// GIVEN: A successful authentication
$request = $this->createRequest();
$this->requestStack->push($request);
$securityUser = $this->createSecurityUser();
$response = new Response();
$event = new AuthenticationSuccessEvent(['token' => 'jwt'], $securityUser, $response);
$this->geoLocationService
->method('locate')
->willReturn(Location::unknown());
// THEN: Rate limiter should be reset for the user's email
$this->rateLimiter
->expects($this->once())
->method('reset')
->with(self::EMAIL);
// WHEN: Handler processes the event
$this->handler->onAuthenticationSuccess($event);
}
#[Test]
public function itDispatchesConnexionReussieEvent(): void
{
// GIVEN: A successful authentication
$request = $this->createRequest();
$this->requestStack->push($request);
$securityUser = $this->createSecurityUser();
$response = new Response();
$event = new AuthenticationSuccessEvent(['token' => 'jwt'], $securityUser, $response);
$this->geoLocationService
->method('locate')
->willReturn(Location::unknown());
// WHEN: Handler processes the event
$this->handler->onAuthenticationSuccess($event);
// THEN: ConnexionReussie event is dispatched
$loginEvents = array_filter(
$this->dispatchedEvents,
static fn ($e) => $e instanceof ConnexionReussie,
);
$this->assertCount(1, $loginEvents);
$loginEvent = reset($loginEvents);
$this->assertSame(self::USER_ID, $loginEvent->userId);
$this->assertSame(self::EMAIL, $loginEvent->email);
$this->assertSame(self::IP_ADDRESS, $loginEvent->ipAddress);
}
#[Test]
public function itIgnoresNonSecurityUserAuthentication(): void
{
// GIVEN: An authentication event with a non-SecurityUser user
$request = $this->createRequest();
$this->requestStack->push($request);
$genericUser = $this->createMock(UserInterface::class);
$response = new Response();
$event = new AuthenticationSuccessEvent(['token' => 'jwt'], $genericUser, $response);
// THEN: No operations should be performed
$this->sessionRepository
->expects($this->never())
->method('save');
// WHEN: Handler processes the event
$this->handler->onAuthenticationSuccess($event);
// THEN: No cookies added, no events dispatched
$this->assertEmpty($response->headers->getCookies());
$this->assertEmpty($this->dispatchedEvents);
}
#[Test]
public function itIgnoresEventWithoutRequest(): void
{
// GIVEN: No request in the stack
$securityUser = $this->createSecurityUser();
$response = new Response();
$event = new AuthenticationSuccessEvent(['token' => 'jwt'], $securityUser, $response);
// THEN: No operations should be performed
$this->sessionRepository
->expects($this->never())
->method('save');
// WHEN: Handler processes the event
$this->handler->onAuthenticationSuccess($event);
// THEN: No cookies added
$this->assertEmpty($response->headers->getCookies());
}
#[Test]
public function itSetsSecureCookieOnlyForHttps(): void
{
// GIVEN: An HTTP request (not HTTPS)
$request = Request::create('http://localhost/login', 'POST', [], [], [], [
'REMOTE_ADDR' => self::IP_ADDRESS,
'HTTP_USER_AGENT' => self::USER_AGENT,
]);
$this->requestStack->push($request);
$securityUser = $this->createSecurityUser();
$response = new Response();
$event = new AuthenticationSuccessEvent(['token' => 'jwt'], $securityUser, $response);
$this->geoLocationService
->method('locate')
->willReturn(Location::unknown());
// WHEN: Handler processes the event
$this->handler->onAuthenticationSuccess($event);
// THEN: Cookie is NOT marked as secure (HTTP)
$cookies = $response->headers->getCookies();
$this->assertCount(1, $cookies);
$this->assertFalse($cookies[0]->isSecure());
}
private function createRequest(): Request
{
return Request::create('/login', 'POST', [], [], [], [
'REMOTE_ADDR' => self::IP_ADDRESS,
'HTTP_USER_AGENT' => self::USER_AGENT,
]);
}
private function createSecurityUser(): SecurityUser
{
return new SecurityUser(
userId: UserId::fromString(self::USER_ID),
email: self::EMAIL,
hashedPassword: '$argon2id$hashed',
tenantId: TenantId::fromString(self::TENANT_ID),
roles: ['ROLE_PROF'],
);
}
}