Roukmoute/Classeo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Gestion des utilisateurs (invitation, blocage, déblocage)

Browse Source 
Permet aux administrateurs d'un établissement de gérer le cycle de vie
des comptes utilisateurs : inviter de nouveaux membres, bloquer/débloquer
des comptes actifs, et renvoyer des invitations en attente.

Chaque mutation vérifie l'appartenance au tenant courant pour empêcher
les accès cross-tenant. Le blocage est restreint aux comptes actifs
uniquement et un administrateur ne peut pas bloquer son propre compte.

Les comptes suspendus reçoivent une erreur 403 spécifique au login
(sans déclencher l'escalade du rate limiting) et les tentatives sont
tracées dans les métriques Prometheus.
This commit is contained in:
Mathias STRASSER
2026-02-07 16:44:30 +01:00
parent ff18850a43
commit 4005c70082
58 changed files with 4443 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
backend/config/packages/messenger.yaml
View File

@@ -49,7 +49,4 @@ framework:
routing:
# Route your messages to the transports
# Password reset events are async to prevent timing attacks (email enumeration)
# and to improve API response time
'App\Administration\Domain\Event\PasswordResetTokenGenerated': async
'App\Administration\Domain\Event\MotDePasseChange': async
# 'App\Message\YourMessage': async

5
backend/config/services.yaml
View File

@@ -92,6 +92,11 @@ services:
arguments:
$appUrl: '%app.url%'
App\Shared\Infrastructure\Tenant\TenantUrlBuilder:
arguments:
$appUrl: '%app.url%'
$baseDomain: '%tenant.base_domain%'
# Audit Logger Service (writes to append-only audit_log table)
App\Shared\Application\Port\AuditLogger:
alias: App\Shared\Infrastructure\Audit\AuditLogger

15
backend/src/Administration/Application/Command/BlockUser/BlockUserCommand.php Normal file
View File

@@ -0,0 +1,15 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\BlockUser;
final readonly class BlockUserCommand
{
public function __construct(
public string $userId,
public string $reason,
public string $tenantId = '',
) {
}
}

39
backend/src/Administration/Application/Command/BlockUser/BlockUserHandler.php Normal file
View File

@@ -0,0 +1,39 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\BlockUser;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'command.bus')]
final readonly class BlockUserHandler
{
public function __construct(
private UserRepository $userRepository,
private Clock $clock,
) {
}
public function __invoke(BlockUserCommand $command): User
{
$userId = UserId::fromString($command->userId);
$user = $this->userRepository->get($userId);
if ($command->tenantId !== '' && !$user->tenantId->equals(TenantId::fromString($command->tenantId))) {
throw UserNotFoundException::withId($userId);
}
$user->bloquer($command->reason, $this->clock->now());
$this->userRepository->save($user);
return $user;
}
}

19
backend/src/Administration/Application/Command/InviteUser/InviteUserCommand.php Normal file
View File

@@ -0,0 +1,19 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\InviteUser;
final readonly class InviteUserCommand
{
public function __construct(
public string $tenantId,
public string $schoolName,
public string $email,
public string $role,
public string $firstName,
public string $lastName,
public ?string $dateNaissance = null,
) {
}
}

63
backend/src/Administration/Application/Command/InviteUser/InviteUserHandler.php Normal file
View File

@@ -0,0 +1,63 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\InviteUser;
use App\Administration\Domain\Exception\EmailDejaUtiliseeException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use InvalidArgumentException;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'command.bus')]
final readonly class InviteUserHandler
{
public function __construct(
private UserRepository $userRepository,
private Clock $clock,
) {
}
/**
* @throws EmailDejaUtiliseeException if email is already used in this tenant
* @throws InvalidArgumentException if the role is invalid
*/
public function __invoke(InviteUserCommand $command): User
{
$tenantId = TenantId::fromString($command->tenantId);
$email = new Email($command->email);
$role = Role::tryFrom($command->role);
if ($role === null) {
throw new InvalidArgumentException("Rôle invalide : \"{$command->role}\".");
}
$existingUser = $this->userRepository->findByEmail($email, $tenantId);
if ($existingUser !== null) {
throw EmailDejaUtiliseeException::dansTenant($email, $tenantId);
}
$user = User::inviter(
email: $email,
role: $role,
tenantId: $tenantId,
schoolName: $command->schoolName,
firstName: $command->firstName,
lastName: $command->lastName,
invitedAt: $this->clock->now(),
dateNaissance: $command->dateNaissance !== null
? new DateTimeImmutable($command->dateNaissance)
: null,
);
$this->userRepository->save($user);
return $user;
}
}

14
backend/src/Administration/Application/Command/ResendInvitation/ResendInvitationCommand.php Normal file
View File

@@ -0,0 +1,14 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\ResendInvitation;
final readonly class ResendInvitationCommand
{
public function __construct(
public string $userId,
public string $tenantId = '',
) {
}
}

39
backend/src/Administration/Application/Command/ResendInvitation/ResendInvitationHandler.php Normal file
View File

@@ -0,0 +1,39 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\ResendInvitation;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'command.bus')]
final readonly class ResendInvitationHandler
{
public function __construct(
private UserRepository $userRepository,
private Clock $clock,
) {
}
public function __invoke(ResendInvitationCommand $command): User
{
$userId = UserId::fromString($command->userId);
$user = $this->userRepository->get($userId);
if ($command->tenantId !== '' && !$user->tenantId->equals(TenantId::fromString($command->tenantId))) {
throw UserNotFoundException::withId($userId);
}
$user->renvoyerInvitation($this->clock->now());
$this->userRepository->save($user);
return $user;
}
}

14
backend/src/Administration/Application/Command/UnblockUser/UnblockUserCommand.php Normal file
View File

@@ -0,0 +1,14 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\UnblockUser;
final readonly class UnblockUserCommand
{
public function __construct(
public string $userId,
public string $tenantId = '',
) {
}
}

39
backend/src/Administration/Application/Command/UnblockUser/UnblockUserHandler.php Normal file
View File

@@ -0,0 +1,39 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\UnblockUser;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'command.bus')]
final readonly class UnblockUserHandler
{
public function __construct(
private UserRepository $userRepository,
private Clock $clock,
) {
}
public function __invoke(UnblockUserCommand $command): User
{
$userId = UserId::fromString($command->userId);
$user = $this->userRepository->get($userId);
if ($command->tenantId !== '' && !$user->tenantId->equals(TenantId::fromString($command->tenantId))) {
throw UserNotFoundException::withId($userId);
}
$user->debloquer($this->clock->now());
$this->userRepository->save($user);
return $user;
}
}

58
backend/src/Administration/Application/Query/GetUsers/GetUsersHandler.php Normal file
View File

@@ -0,0 +1,58 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Query\GetUsers;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'query.bus')]
final readonly class GetUsersHandler
{
public function __construct(
private UserRepository $userRepository,
private Clock $clock,
) {
}
/**
* @return UserDto[]
*/
public function __invoke(GetUsersQuery $query): array
{
$users = $this->userRepository->findAllByTenant(
TenantId::fromString($query->tenantId),
);
// Apply filters
if ($query->role !== null) {
$filterRole = Role::tryFrom($query->role);
if ($filterRole !== null) {
$users = array_filter(
$users,
static fn ($user) => $user->role === $filterRole,
);
}
}
if ($query->statut !== null) {
$filterStatut = StatutCompte::tryFrom($query->statut);
if ($filterStatut !== null) {
$users = array_filter(
$users,
static fn ($user) => $user->statut === $filterStatut,
);
}
}
return array_values(array_map(
fn ($user) => UserDto::fromDomain($user, $this->clock),
$users,
));
}
}

15
backend/src/Administration/Application/Query/GetUsers/GetUsersQuery.php Normal file
View File

@@ -0,0 +1,15 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Query\GetUsers;
final readonly class GetUsersQuery
{
public function __construct(
public string $tenantId,
public ?string $role = null,
public ?string $statut = null,
) {
}
}

48
backend/src/Administration/Application/Query/GetUsers/UserDto.php Normal file
View File

@@ -0,0 +1,48 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Query\GetUsers;
use App\Administration\Domain\Model\User\User;
use App\Shared\Domain\Clock;
use DateTimeImmutable;
final readonly class UserDto
{
public function __construct(
public string $id,
public string $email,
public string $role,
public string $roleLabel,
public string $firstName,
public string $lastName,
public string $statut,
public DateTimeImmutable $createdAt,
public ?DateTimeImmutable $invitedAt,
public ?DateTimeImmutable $activatedAt,
public ?DateTimeImmutable $blockedAt,
public ?string $blockedReason,
public bool $invitationExpiree,
) {
}
public static function fromDomain(User $user, Clock $clock): self
{
return new self(
id: (string) $user->id,
email: (string) $user->email,
role: $user->role->value,
roleLabel: $user->role->label(),
firstName: $user->firstName,
lastName: $user->lastName,
statut: $user->statut->value,
createdAt: $user->createdAt,
invitedAt: $user->invitedAt,
activatedAt: $user->activatedAt,
blockedAt: $user->blockedAt,
blockedReason: $user->blockedReason,
invitationExpiree: $user->estInvitationExpiree($clock->now()),
);
}
}

35
backend/src/Administration/Domain/Event/InvitationRenvoyee.php Normal file
View File

@@ -0,0 +1,35 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class InvitationRenvoyee implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

36
backend/src/Administration/Domain/Event/UtilisateurBloque.php Normal file
View File

@@ -0,0 +1,36 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class UtilisateurBloque implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public string $reason,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

35
backend/src/Administration/Domain/Event/UtilisateurDebloque.php Normal file
View File

@@ -0,0 +1,35 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class UtilisateurDebloque implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

38
backend/src/Administration/Domain/Event/UtilisateurInvite.php Normal file
View File

@@ -0,0 +1,38 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class UtilisateurInvite implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public string $role,
public string $firstName,
public string $lastName,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

23
backend/src/Administration/Domain/Exception/EmailDejaUtiliseeException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\User\Email;
use App\Shared\Domain\Tenant\TenantId;
use RuntimeException;
use function sprintf;
final class EmailDejaUtiliseeException extends RuntimeException
{
public static function dansTenant(Email $email, TenantId $tenantId): self
{
return new self(sprintf(
'L\'email "%s" est déjà utilisé dans l\'établissement "%s".',
$email,
$tenantId,
));
}
}

23
backend/src/Administration/Domain/Exception/UtilisateurDejaInviteException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\UserId;
use RuntimeException;
use function sprintf;
final class UtilisateurDejaInviteException extends RuntimeException
{
public static function carStatutIncompatible(UserId $userId, StatutCompte $statut): self
{
return new self(sprintf(
'Impossible de renvoyer l\'invitation pour "%s" : le compte est en statut "%s".',
$userId,
$statut->value,
));
}
}

23
backend/src/Administration/Domain/Exception/UtilisateurNonBlocableException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\UserId;
use RuntimeException;
use function sprintf;
final class UtilisateurNonBlocableException extends RuntimeException
{
public static function carStatutIncompatible(UserId $userId, StatutCompte $statut): self
{
return new self(sprintf(
'Impossible de bloquer l\'utilisateur "%s" : le compte est déjà en statut "%s".',
$userId,
$statut->value,
));
}
}

23
backend/src/Administration/Domain/Exception/UtilisateurNonDeblocableException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\UserId;
use RuntimeException;
use function sprintf;
final class UtilisateurNonDeblocableException extends RuntimeException
{
public static function carStatutIncompatible(UserId $userId, StatutCompte $statut): self
{
return new self(sprintf(
'Impossible de débloquer l\'utilisateur "%s" : le compte est en statut "%s".',
$userId,
$statut->value,
));
}
}

150
backend/src/Administration/Domain/Model/User/User.php
View File

@@ -6,8 +6,15 @@ namespace App\Administration\Domain\Model\User;
use App\Administration\Domain\Event\CompteActive;
use App\Administration\Domain\Event\CompteCreated;
use App\Administration\Domain\Event\InvitationRenvoyee;
use App\Administration\Domain\Event\MotDePasseChange;
use App\Administration\Domain\Event\UtilisateurBloque;
use App\Administration\Domain\Event\UtilisateurDebloque;
use App\Administration\Domain\Event\UtilisateurInvite;
use App\Administration\Domain\Exception\CompteNonActivableException;
use App\Administration\Domain\Exception\UtilisateurDejaInviteException;
use App\Administration\Domain\Exception\UtilisateurNonBlocableException;
use App\Administration\Domain\Exception\UtilisateurNonDeblocableException;
use App\Administration\Domain\Model\ConsentementParental\ConsentementParental;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Shared\Domain\AggregateRoot;
@@ -26,6 +33,9 @@ final class User extends AggregateRoot
public private(set) ?string $hashedPassword = null;
public private(set) ?DateTimeImmutable $activatedAt = null;
public private(set) ?ConsentementParental $consentementParental = null;
public private(set) ?DateTimeImmutable $invitedAt = null;
public private(set) ?DateTimeImmutable $blockedAt = null;
public private(set) ?string $blockedReason = null;
private function __construct(
public private(set) UserId $id,
@@ -36,6 +46,8 @@ final class User extends AggregateRoot
public private(set) StatutCompte $statut,
public private(set) ?DateTimeImmutable $dateNaissance,
public private(set) DateTimeImmutable $createdAt,
public private(set) string $firstName = '',
public private(set) string $lastName = '',
) {
}
@@ -136,6 +148,134 @@ final class User extends AggregateRoot
return $this->statut->peutSeConnecter();
}
/**
* Creates a new user via admin invitation.
*
* Unlike creer() which is for self-registration, inviter() is used
* when an admin creates a user account from the management interface.
*/
public static function inviter(
Email $email,
Role $role,
TenantId $tenantId,
string $schoolName,
string $firstName,
string $lastName,
DateTimeImmutable $invitedAt,
?DateTimeImmutable $dateNaissance = null,
): self {
$user = new self(
id: UserId::generate(),
email: $email,
role: $role,
tenantId: $tenantId,
schoolName: $schoolName,
statut: StatutCompte::EN_ATTENTE,
dateNaissance: $dateNaissance,
createdAt: $invitedAt,
firstName: $firstName,
lastName: $lastName,
);
$user->invitedAt = $invitedAt;
$user->recordEvent(new UtilisateurInvite(
userId: $user->id,
email: (string) $user->email,
role: $user->role->value,
firstName: $firstName,
lastName: $lastName,
tenantId: $user->tenantId,
occurredOn: $invitedAt,
));
return $user;
}
/**
* Resends the invitation for a user still awaiting activation.
*
* @throws UtilisateurDejaInviteException if user is no longer in a pending state
*/
public function renvoyerInvitation(DateTimeImmutable $at): void
{
if ($this->statut !== StatutCompte::EN_ATTENTE && $this->statut !== StatutCompte::CONSENTEMENT_REQUIS) {
throw UtilisateurDejaInviteException::carStatutIncompatible($this->id, $this->statut);
}
$this->invitedAt = $at;
$this->recordEvent(new InvitationRenvoyee(
userId: $this->id,
email: (string) $this->email,
tenantId: $this->tenantId,
occurredOn: $at,
));
}
/**
* Blocks a user account.
*
* @throws UtilisateurNonBlocableException if user is already suspended or archived
*/
public function bloquer(string $reason, DateTimeImmutable $at): void
{
if ($this->statut !== StatutCompte::ACTIF) {
throw UtilisateurNonBlocableException::carStatutIncompatible($this->id, $this->statut);
}
$this->statut = StatutCompte::SUSPENDU;
$this->blockedAt = $at;
$this->blockedReason = $reason;
$this->recordEvent(new UtilisateurBloque(
userId: $this->id,
email: (string) $this->email,
reason: $reason,
tenantId: $this->tenantId,
occurredOn: $at,
));
}
/**
* Unblocks a suspended user account, restoring it to active status.
*
* @throws UtilisateurNonDeblocableException if user is not suspended
*/
public function debloquer(DateTimeImmutable $at): void
{
if ($this->statut !== StatutCompte::SUSPENDU) {
throw UtilisateurNonDeblocableException::carStatutIncompatible($this->id, $this->statut);
}
$this->statut = StatutCompte::ACTIF;
$this->blockedAt = null;
$this->blockedReason = null;
$this->recordEvent(new UtilisateurDebloque(
userId: $this->id,
email: (string) $this->email,
tenantId: $this->tenantId,
occurredOn: $at,
));
}
/**
* Checks if the invitation has expired (> 7 days since last invitation).
*/
public function estInvitationExpiree(DateTimeImmutable $at): bool
{
if ($this->statut !== StatutCompte::EN_ATTENTE && $this->statut !== StatutCompte::CONSENTEMENT_REQUIS) {
return false;
}
if ($this->invitedAt === null) {
return false;
}
return $at > $this->invitedAt->modify('+7 days');
}
/**
* Changes the user's password.
*
@@ -170,6 +310,11 @@ final class User extends AggregateRoot
?string $hashedPassword,
?DateTimeImmutable $activatedAt,
?ConsentementParental $consentementParental,
string $firstName = '',
string $lastName = '',
?DateTimeImmutable $invitedAt = null,
?DateTimeImmutable $blockedAt = null,
?string $blockedReason = null,
): self {
$user = new self(
id: $id,
@@ -180,11 +325,16 @@ final class User extends AggregateRoot
statut: $statut,
dateNaissance: $dateNaissance,
createdAt: $createdAt,
firstName: $firstName,
lastName: $lastName,
);
$user->hashedPassword = $hashedPassword;
$user->activatedAt = $activatedAt;
$user->consentementParental = $consentementParental;
$user->invitedAt = $invitedAt;
$user->blockedAt = $blockedAt;
$user->blockedReason = $blockedReason;
return $user;
}

7
backend/src/Administration/Domain/Repository/UserRepository.php
View File

@@ -23,4 +23,11 @@ interface UserRepository
* Returns null if user doesn't exist in that tenant.
*/
public function findByEmail(Email $email, TenantId $tenantId): ?User;
/**
* Returns all users for a given tenant.
*
* @return User[]
*/
public function findAllByTenant(TenantId $tenantId): array;
}

88
backend/src/Administration/Infrastructure/Api/Processor/BlockUserProcessor.php Normal file
View File

@@ -0,0 +1,88 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Processor;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Administration\Application\Command\BlockUser\BlockUserCommand;
use App\Administration\Application\Command\BlockUser\BlockUserHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurNonBlocableException;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\SecurityUser;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantContext;
use Override;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* @implements ProcessorInterface<UserResource, UserResource>
*/
final readonly class BlockUserProcessor implements ProcessorInterface
{
public function __construct(
private BlockUserHandler $handler,
private MessageBusInterface $eventBus,
private AuthorizationCheckerInterface $authorizationChecker,
private TenantContext $tenantContext,
private Security $security,
private Clock $clock,
) {
}
/**
* @param UserResource $data
*/
#[Override]
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): UserResource
{
if (!$this->authorizationChecker->isGranted(UserVoter::BLOCK)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à bloquer un utilisateur.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
/** @var string $userId */
$userId = $uriVariables['id'] ?? '';
$currentUser = $this->security->getUser();
if ($currentUser instanceof SecurityUser && $currentUser->userId() === $userId) {
throw new BadRequestHttpException('Vous ne pouvez pas bloquer votre propre compte.');
}
$reason = trim($data->reason ?? '');
if ($reason === '') {
throw new BadRequestHttpException('La raison du blocage est obligatoire.');
}
try {
$command = new BlockUserCommand(
userId: $userId,
reason: $reason,
tenantId: (string) $this->tenantContext->getCurrentTenantId(),
);
$user = ($this->handler)($command);
foreach ($user->pullDomainEvents() as $event) {
$this->eventBus->dispatch($event);
}
return UserResource::fromDomain($user, $this->clock->now());
} catch (UserNotFoundException $e) {
throw new NotFoundHttpException($e->getMessage());
} catch (UtilisateurNonBlocableException $e) {
throw new BadRequestHttpException($e->getMessage());
}
}
}

80
backend/src/Administration/Infrastructure/Api/Processor/InviteUserProcessor.php Normal file
View File

@@ -0,0 +1,80 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Processor;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Administration\Application\Command\InviteUser\InviteUserCommand;
use App\Administration\Application\Command\InviteUser\InviteUserHandler;
use App\Administration\Domain\Exception\EmailDejaUtiliseeException;
use App\Administration\Domain\Exception\EmailInvalideException;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantContext;
use InvalidArgumentException;
use Override;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\ConflictHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* @implements ProcessorInterface<UserResource, UserResource>
*/
final readonly class InviteUserProcessor implements ProcessorInterface
{
public function __construct(
private InviteUserHandler $handler,
private TenantContext $tenantContext,
private MessageBusInterface $eventBus,
private AuthorizationCheckerInterface $authorizationChecker,
private Clock $clock,
) {
}
/**
* @param UserResource $data
*/
#[Override]
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): UserResource
{
if (!$this->authorizationChecker->isGranted(UserVoter::CREATE)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à créer un utilisateur.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
$tenantId = (string) $this->tenantContext->getCurrentTenantId();
$tenantConfig = $this->tenantContext->getCurrentTenantConfig();
try {
$command = new InviteUserCommand(
tenantId: $tenantId,
schoolName: $tenantConfig->subdomain,
email: $data->email ?? '',
role: $data->role ?? '',
firstName: $data->firstName ?? '',
lastName: $data->lastName ?? '',
);
$user = ($this->handler)($command);
foreach ($user->pullDomainEvents() as $event) {
$this->eventBus->dispatch($event);
}
return UserResource::fromDomain($user, $this->clock->now());
} catch (EmailInvalideException|InvalidArgumentException $e) {
throw new BadRequestHttpException($e->getMessage());
} catch (EmailDejaUtiliseeException $e) {
throw new ConflictHttpException($e->getMessage());
}
}
}

74
backend/src/Administration/Infrastructure/Api/Processor/ResendInvitationProcessor.php Normal file
View File

@@ -0,0 +1,74 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Processor;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Administration\Application\Command\ResendInvitation\ResendInvitationCommand;
use App\Administration\Application\Command\ResendInvitation\ResendInvitationHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurDejaInviteException;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantContext;
use Override;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* @implements ProcessorInterface<UserResource, UserResource>
*/
final readonly class ResendInvitationProcessor implements ProcessorInterface
{
public function __construct(
private ResendInvitationHandler $handler,
private MessageBusInterface $eventBus,
private AuthorizationCheckerInterface $authorizationChecker,
private TenantContext $tenantContext,
private Clock $clock,
) {
}
/**
* @param UserResource $data
*/
#[Override]
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): UserResource
{
if (!$this->authorizationChecker->isGranted(UserVoter::RESEND_INVITATION)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à renvoyer une invitation.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
/** @var string $userId */
$userId = $uriVariables['id'] ?? '';
try {
$command = new ResendInvitationCommand(
userId: $userId,
tenantId: (string) $this->tenantContext->getCurrentTenantId(),
);
$user = ($this->handler)($command);
foreach ($user->pullDomainEvents() as $event) {
$this->eventBus->dispatch($event);
}
return UserResource::fromDomain($user, $this->clock->now());
} catch (UserNotFoundException $e) {
throw new NotFoundHttpException($e->getMessage());
} catch (UtilisateurDejaInviteException $e) {
throw new BadRequestHttpException($e->getMessage());
}
}
}

74
backend/src/Administration/Infrastructure/Api/Processor/UnblockUserProcessor.php Normal file
View File

@@ -0,0 +1,74 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Processor;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Administration\Application\Command\UnblockUser\UnblockUserCommand;
use App\Administration\Application\Command\UnblockUser\UnblockUserHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurNonDeblocableException;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantContext;
use Override;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* @implements ProcessorInterface<UserResource, UserResource>
*/
final readonly class UnblockUserProcessor implements ProcessorInterface
{
public function __construct(
private UnblockUserHandler $handler,
private MessageBusInterface $eventBus,
private AuthorizationCheckerInterface $authorizationChecker,
private TenantContext $tenantContext,
private Clock $clock,
) {
}
/**
* @param UserResource $data
*/
#[Override]
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): UserResource
{
if (!$this->authorizationChecker->isGranted(UserVoter::UNBLOCK)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à débloquer un utilisateur.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
/** @var string $userId */
$userId = $uriVariables['id'] ?? '';
try {
$command = new UnblockUserCommand(
userId: $userId,
tenantId: (string) $this->tenantContext->getCurrentTenantId(),
);
$user = ($this->handler)($command);
foreach ($user->pullDomainEvents() as $event) {
$this->eventBus->dispatch($event);
}
return UserResource::fromDomain($user, $this->clock->now());
} catch (UserNotFoundException $e) {
throw new NotFoundHttpException($e->getMessage());
} catch (UtilisateurNonDeblocableException $e) {
throw new BadRequestHttpException($e->getMessage());
}
}
}

64
backend/src/Administration/Infrastructure/Api/Provider/UserCollectionProvider.php Normal file
View File

@@ -0,0 +1,64 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Provider;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProviderInterface;
use App\Administration\Application\Query\GetUsers\GetUsersHandler;
use App\Administration\Application\Query\GetUsers\GetUsersQuery;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Infrastructure\Tenant\TenantContext;
use function array_map;
use Override;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* State Provider pour récupérer la liste des utilisateurs avec filtres.
*
* @implements ProviderInterface<UserResource>
*/
final readonly class UserCollectionProvider implements ProviderInterface
{
public function __construct(
private GetUsersHandler $handler,
private TenantContext $tenantContext,
private AuthorizationCheckerInterface $authorizationChecker,
) {
}
/**
* @return UserResource[]
*/
#[Override]
public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
{
if (!$this->authorizationChecker->isGranted(UserVoter::VIEW)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à voir les utilisateurs.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
$tenantId = (string) $this->tenantContext->getCurrentTenantId();
/** @var array<string, string> $filters */
$filters = $context['filters'] ?? [];
$query = new GetUsersQuery(
tenantId: $tenantId,
role: isset($filters['role']) ? (string) $filters['role'] : null,
statut: isset($filters['statut']) ? (string) $filters['statut'] : null,
);
$userDtos = ($this->handler)($query);
return array_map(UserResource::fromDto(...), $userDtos);
}
}

63
backend/src/Administration/Infrastructure/Api/Provider/UserItemProvider.php Normal file
View File

@@ -0,0 +1,63 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Provider;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProviderInterface;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantContext;
use Override;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* State Provider pour récupérer un utilisateur par ID.
*
* @implements ProviderInterface<UserResource>
*/
final readonly class UserItemProvider implements ProviderInterface
{
public function __construct(
private UserRepository $userRepository,
private AuthorizationCheckerInterface $authorizationChecker,
private TenantContext $tenantContext,
private Clock $clock,
) {
}
#[Override]
public function provide(Operation $operation, array $uriVariables = [], array $context = []): UserResource
{
if (!$this->authorizationChecker->isGranted(UserVoter::VIEW)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à voir cet utilisateur.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
/** @var string $userId */
$userId = $uriVariables['id'] ?? '';
try {
$user = $this->userRepository->get(UserId::fromString($userId));
} catch (UserNotFoundException $e) {
throw new NotFoundHttpException($e->getMessage());
}
if (!$user->tenantId->equals($this->tenantContext->getCurrentTenantId())) {
throw new NotFoundHttpException('User not found.');
}
return UserResource::fromDomain($user, $this->clock->now());
}
}

142
backend/src/Administration/Infrastructure/Api/Resource/UserResource.php Normal file
View File

@@ -0,0 +1,142 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Resource;
use ApiPlatform\Metadata\ApiProperty;
use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Get;
use ApiPlatform\Metadata\GetCollection;
use ApiPlatform\Metadata\Post;
use App\Administration\Application\Query\GetUsers\UserDto;
use App\Administration\Domain\Model\User\User;
use App\Administration\Infrastructure\Api\Processor\BlockUserProcessor;
use App\Administration\Infrastructure\Api\Processor\InviteUserProcessor;
use App\Administration\Infrastructure\Api\Processor\ResendInvitationProcessor;
use App\Administration\Infrastructure\Api\Processor\UnblockUserProcessor;
use App\Administration\Infrastructure\Api\Provider\UserCollectionProvider;
use App\Administration\Infrastructure\Api\Provider\UserItemProvider;
use DateTimeImmutable;
use Symfony\Component\Validator\Constraints as Assert;
/**
* API Resource pour la gestion des utilisateurs.
*
* @see Story 2.5 - Création Comptes Utilisateurs
*/
#[ApiResource(
shortName: 'User',
operations: [
new GetCollection(
uriTemplate: '/users',
provider: UserCollectionProvider::class,
name: 'get_users',
),
new Get(
uriTemplate: '/users/{id}',
provider: UserItemProvider::class,
name: 'get_user',
),
new Post(
uriTemplate: '/users',
processor: InviteUserProcessor::class,
validationContext: ['groups' => ['Default', 'create']],
name: 'invite_user',
),
new Post(
uriTemplate: '/users/{id}/resend-invitation',
processor: ResendInvitationProcessor::class,
name: 'resend_invitation',
),
new Post(
uriTemplate: '/users/{id}/block',
processor: BlockUserProcessor::class,
validationContext: ['groups' => ['Default', 'block']],
name: 'block_user',
),
new Post(
uriTemplate: '/users/{id}/unblock',
processor: UnblockUserProcessor::class,
name: 'unblock_user',
),
],
)]
final class UserResource
{
#[ApiProperty(identifier: true)]
public ?string $id = null;
#[Assert\NotBlank(message: 'L\'email est requis.', groups: ['create'])]
#[Assert\Email(message: 'L\'email n\'est pas valide.')]
public ?string $email = null;
#[Assert\NotBlank(message: 'Le rôle est requis.', groups: ['create'])]
public ?string $role = null;
public ?string $roleLabel = null;
#[Assert\NotBlank(message: 'Le prénom est requis.', groups: ['create'])]
public ?string $firstName = null;
#[Assert\NotBlank(message: 'Le nom est requis.', groups: ['create'])]
public ?string $lastName = null;
public ?string $statut = null;
public ?DateTimeImmutable $createdAt = null;
public ?DateTimeImmutable $invitedAt = null;
public ?DateTimeImmutable $activatedAt = null;
public ?DateTimeImmutable $blockedAt = null;
public ?string $blockedReason = null;
#[ApiProperty(readable: true, writable: false)]
public ?bool $invitationExpiree = null;
#[Assert\NotBlank(message: 'La raison de blocage est requise.', groups: ['block'])]
public ?string $reason = null;
public static function fromDomain(User $user, ?DateTimeImmutable $now = null): self
{
$resource = new self();
$resource->id = (string) $user->id;
$resource->email = (string) $user->email;
$resource->role = $user->role->value;
$resource->roleLabel = $user->role->label();
$resource->firstName = $user->firstName;
$resource->lastName = $user->lastName;
$resource->statut = $user->statut->value;
$resource->createdAt = $user->createdAt;
$resource->invitedAt = $user->invitedAt;
$resource->activatedAt = $user->activatedAt;
$resource->blockedAt = $user->blockedAt;
$resource->blockedReason = $user->blockedReason;
$resource->invitationExpiree = $now !== null ? $user->estInvitationExpiree($now) : false;
return $resource;
}
public static function fromDto(UserDto $dto): self
{
$resource = new self();
$resource->id = $dto->id;
$resource->email = $dto->email;
$resource->role = $dto->role;
$resource->roleLabel = $dto->roleLabel;
$resource->firstName = $dto->firstName;
$resource->lastName = $dto->lastName;
$resource->statut = $dto->statut;
$resource->createdAt = $dto->createdAt;
$resource->invitedAt = $dto->invitedAt;
$resource->activatedAt = $dto->activatedAt;
$resource->blockedAt = $dto->blockedAt;
$resource->blockedReason = $dto->blockedReason;
$resource->invitationExpiree = $dto->invitationExpiree;
return $resource;
}
}

33
backend/src/Administration/Infrastructure/Console/CreateTestActivationTokenCommand.php
View File

@@ -147,22 +147,29 @@ final class CreateTestActivationTokenCommand extends Command
}
$now = $this->clock->now();
$emailVO = new Email($email);
// Create user
$dateNaissance = $isMinor
? $now->modify('-13 years') // 13 ans = mineur
: null;
// Check if user already exists for this tenant
$user = $this->userRepository->findByEmail($emailVO, $tenantId);
$user = User::creer(
email: new Email($email),
role: $role,
tenantId: $tenantId,
schoolName: $schoolName,
dateNaissance: $dateNaissance,
createdAt: $now,
);
if ($user !== null) {
$io->note(sprintf('User "%s" already exists, reusing existing account.', $email));
} else {
$dateNaissance = $isMinor
? $now->modify('-13 years') // 13 ans = mineur
: null;
$this->userRepository->save($user);
$user = User::creer(
email: $emailVO,
role: $role,
tenantId: $tenantId,
schoolName: $schoolName,
dateNaissance: $dateNaissance,
createdAt: $now,
);
$this->userRepository->save($user);
}
// Create activation token
$token = ActivationToken::generate(

74
backend/src/Administration/Infrastructure/Messaging/SendInvitationEmailHandler.php Normal file
View File

@@ -0,0 +1,74 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Messaging;
use App\Administration\Domain\Event\UtilisateurInvite;
use App\Administration\Domain\Model\ActivationToken\ActivationToken;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\ActivationTokenRepository;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantUrlBuilder;
use Symfony\Component\Mailer\MailerInterface;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
use Symfony\Component\Mime\Email;
use Twig\Environment;
/**
* Sends an invitation email when a user is invited by an admin.
*
* Creates an activation token and emails the user with an activation link.
*/
#[AsMessageHandler(bus: 'event.bus')]
final readonly class SendInvitationEmailHandler
{
public function __construct(
private MailerInterface $mailer,
private Environment $twig,
private ActivationTokenRepository $tokenRepository,
private UserRepository $userRepository,
private TenantUrlBuilder $tenantUrlBuilder,
private Clock $clock,
private string $fromEmail = 'noreply@classeo.fr',
) {
}
public function __invoke(UtilisateurInvite $event): void
{
$user = $this->userRepository->get(UserId::fromString((string) $event->userId));
$token = ActivationToken::generate(
userId: (string) $event->userId,
email: $event->email,
tenantId: $event->tenantId,
role: $event->role,
schoolName: $user->schoolName,
createdAt: $this->clock->now(),
);
$this->tokenRepository->save($token);
$roleEnum = Role::tryFrom($event->role);
$roleLabel = $roleEnum?->label() ?? $event->role;
$activationUrl = $this->tenantUrlBuilder->build($event->tenantId, '/activate/' . $token->tokenValue);
$html = $this->twig->render('emails/invitation.html.twig', [
'firstName' => $event->firstName,
'lastName' => $event->lastName,
'role' => $roleLabel,
'activationUrl' => $activationUrl,
]);
$email = (new Email())
->from($this->fromEmail)
->to($event->email)
->subject('Invitation à rejoindre Classeo')
->html($html);
$this->mailer->send($email);
}
}

83
backend/src/Administration/Infrastructure/Messaging/SendResendInvitationEmailHandler.php Normal file
View File

@@ -0,0 +1,83 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Messaging;
use App\Administration\Domain\Event\InvitationRenvoyee;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\ActivationToken\ActivationToken;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\ActivationTokenRepository;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantUrlBuilder;
use Psr\Log\LoggerInterface;
use Symfony\Component\Mailer\MailerInterface;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
use Symfony\Component\Mime\Email;
use Twig\Environment;
/**
* Sends a new invitation email when an invitation is resent.
*
* Creates a fresh activation token and emails the user with a new activation link.
*/
#[AsMessageHandler(bus: 'event.bus')]
final readonly class SendResendInvitationEmailHandler
{
public function __construct(
private MailerInterface $mailer,
private Environment $twig,
private ActivationTokenRepository $tokenRepository,
private UserRepository $userRepository,
private TenantUrlBuilder $tenantUrlBuilder,
private Clock $clock,
private LoggerInterface $logger,
private string $fromEmail = 'noreply@classeo.fr',
) {
}
public function __invoke(InvitationRenvoyee $event): void
{
try {
$user = $this->userRepository->get(UserId::fromString((string) $event->userId));
} catch (UserNotFoundException $e) {
$this->logger->warning('User no longer exists when processing resend invitation event, skipping.', [
'userId' => (string) $event->userId,
'email' => $event->email,
'exception' => $e->getMessage(),
]);
return;
}
$token = ActivationToken::generate(
userId: (string) $event->userId,
email: $event->email,
tenantId: $event->tenantId,
role: $user->role->value,
schoolName: $user->schoolName,
createdAt: $this->clock->now(),
);
$this->tokenRepository->save($token);
$activationUrl = $this->tenantUrlBuilder->build($event->tenantId, '/activate/' . $token->tokenValue);
$html = $this->twig->render('emails/invitation.html.twig', [
'firstName' => $user->firstName,
'lastName' => $user->lastName,
'role' => $user->role->label(),
'activationUrl' => $activationUrl,
]);
$email = (new Email())
->from($this->fromEmail)
->to($event->email)
->subject('Rappel : Invitation à rejoindre Classeo')
->html($html);
$this->mailer->send($email);
}
}

59
backend/src/Administration/Infrastructure/Persistence/Cache/CacheUserRepository.php
View File

@@ -14,6 +14,9 @@ use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use function in_array;
use Psr\Cache\CacheItemPoolInterface;
/**
@@ -27,6 +30,7 @@ final readonly class CacheUserRepository implements UserRepository
{
private const string KEY_PREFIX = 'user:';
private const string EMAIL_INDEX_PREFIX = 'user_email:';
private const string TENANT_INDEX_PREFIX = 'user_tenant:';
public function __construct(
private CacheItemPoolInterface $usersCache,
@@ -45,6 +49,18 @@ final readonly class CacheUserRepository implements UserRepository
$emailItem = $this->usersCache->getItem($emailKey);
$emailItem->set((string) $user->id);
$this->usersCache->save($emailItem);
// Save tenant index for listing users
$tenantKey = self::TENANT_INDEX_PREFIX . $user->tenantId;
$tenantItem = $this->usersCache->getItem($tenantKey);
/** @var string[] $userIds */
$userIds = $tenantItem->isHit() ? $tenantItem->get() : [];
$userId = (string) $user->id;
if (!in_array($userId, $userIds, true)) {
$userIds[] = $userId;
}
$tenantItem->set($userIds);
$this->usersCache->save($tenantItem);
}
public function findById(UserId $id): ?User
@@ -55,7 +71,7 @@ final readonly class CacheUserRepository implements UserRepository
return null;
}
/** @var array{id: string, email: string, role: string, tenant_id: string, school_name: string, statut: string, hashed_password: string|null, date_naissance: string|null, created_at: string, activated_at: string|null, consentement_parental: array{parent_id: string, eleve_id: string, date_consentement: string, ip_address: string}|null} $data */
/** @var array{id: string, email: string, role: string, tenant_id: string, school_name: string, statut: string, hashed_password: string|null, date_naissance: string|null, created_at: string, activated_at: string|null, first_name?: string, last_name?: string, invited_at?: string|null, blocked_at?: string|null, blocked_reason?: string|null, consentement_parental: array{parent_id: string, eleve_id: string, date_consentement: string, ip_address: string}|null} $data */
$data = $item->get();
return $this->deserialize($data);
@@ -87,6 +103,29 @@ final readonly class CacheUserRepository implements UserRepository
return $user;
}
public function findAllByTenant(TenantId $tenantId): array
{
$tenantKey = self::TENANT_INDEX_PREFIX . $tenantId;
$tenantItem = $this->usersCache->getItem($tenantKey);
if (!$tenantItem->isHit()) {
return [];
}
/** @var string[] $userIds */
$userIds = $tenantItem->get();
$users = [];
foreach ($userIds as $userId) {
$user = $this->findById(UserId::fromString($userId));
if ($user !== null) {
$users[] = $user;
}
}
return $users;
}
/**
* @return array<string, mixed>
*/
@@ -105,6 +144,11 @@ final readonly class CacheUserRepository implements UserRepository
'date_naissance' => $user->dateNaissance?->format('Y-m-d'),
'created_at' => $user->createdAt->format('c'),
'activated_at' => $user->activatedAt?->format('c'),
'first_name' => $user->firstName,
'last_name' => $user->lastName,
'invited_at' => $user->invitedAt?->format('c'),
'blocked_at' => $user->blockedAt?->format('c'),
'blocked_reason' => $user->blockedReason,
'consentement_parental' => $consentement !== null ? [
'parent_id' => $consentement->parentId,
'eleve_id' => $consentement->eleveId,
@@ -126,6 +170,11 @@ final readonly class CacheUserRepository implements UserRepository
* date_naissance: string|null,
* created_at: string,
* activated_at: string|null,
* first_name?: string,
* last_name?: string,
* invited_at?: string|null,
* blocked_at?: string|null,
* blocked_reason?: string|null,
* consentement_parental: array{parent_id: string, eleve_id: string, date_consentement: string, ip_address: string}|null
* } $data
*/
@@ -142,6 +191,9 @@ final readonly class CacheUserRepository implements UserRepository
);
}
$invitedAt = ($data['invited_at'] ?? null) !== null ? new DateTimeImmutable($data['invited_at']) : null;
$blockedAt = ($data['blocked_at'] ?? null) !== null ? new DateTimeImmutable($data['blocked_at']) : null;
return User::reconstitute(
id: UserId::fromString($data['id']),
email: new Email($data['email']),
@@ -154,6 +206,11 @@ final readonly class CacheUserRepository implements UserRepository
hashedPassword: $data['hashed_password'],
activatedAt: $data['activated_at'] !== null ? new DateTimeImmutable($data['activated_at']) : null,
consentementParental: $consentement,
firstName: $data['first_name'] ?? '',
lastName: $data['last_name'] ?? '',
invitedAt: $invitedAt,
blockedAt: $blockedAt,
blockedReason: $data['blocked_reason'] ?? null,
);
}

9
backend/src/Administration/Infrastructure/Persistence/InMemory/InMemoryUserRepository.php
View File

@@ -45,6 +45,15 @@ final class InMemoryUserRepository implements UserRepository
return $this->byTenantEmail[$this->emailKey($email, $tenantId)] ?? null;
}
#[Override]
public function findAllByTenant(TenantId $tenantId): array
{
return array_values(array_filter(
$this->byId,
static fn (User $user): bool => $user->tenantId->equals($tenantId),
));
}
private function emailKey(Email $email, TenantId $tenantId): string
{
return $tenantId . ':' . strtolower((string) $email);

12
backend/src/Administration/Infrastructure/Security/DatabaseUserProvider.php
View File

@@ -6,12 +6,14 @@ namespace App\Administration\Infrastructure\Security;
use App\Administration\Domain\Exception\EmailInvalideException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Infrastructure\Tenant\TenantNotFoundException;
use App\Shared\Infrastructure\Tenant\TenantResolver;
use InvalidArgumentException;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Component\Security\Core\Exception\UserNotFoundException as SymfonyUserNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
@@ -55,7 +57,15 @@ final readonly class DatabaseUserProvider implements UserProviderInterface
throw new SymfonyUserNotFoundException();
}
// Do not allow login if the account is not active
// Blocked account: specific message so the user understands why they can't log in
if ($user->statut === StatutCompte::SUSPENDU) {
throw new CustomUserMessageAccountStatusException(
'Votre compte a été suspendu. Contactez votre établissement.',
messageData: ['statut' => 'suspended'],
);
}
// Other non-active statuses (pending, consent, archived): generic error
if (!$user->peutSeConnecter()) {
throw new SymfonyUserNotFoundException();
}

20
backend/src/Administration/Infrastructure/Security/LoginFailureHandler.php
View File

@@ -22,6 +22,7 @@ use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
use Throwable;
@@ -48,6 +49,15 @@ final readonly class LoginFailureHandler implements AuthenticationFailureHandler
public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
{
// Suspended account: return a specific message without recording a rate-limit failure.
// This prevents blocked users from triggering CAPTCHA/delay escalation
// while informing them clearly why they cannot log in.
if ($exception instanceof CustomUserMessageAccountStatusException) {
$this->metricsCollector->recordLoginFailure('account_suspended');
return $this->createSuspendedResponse($exception);
}
$content = json_decode($request->getContent(), true);
$email = is_array($content) && isset($content['email']) && is_string($content['email'])
? $content['email']
@@ -92,6 +102,16 @@ final readonly class LoginFailureHandler implements AuthenticationFailureHandler
return $this->createFailureResponse($result);
}
private function createSuspendedResponse(CustomUserMessageAccountStatusException $exception): JsonResponse
{
return new JsonResponse([
'type' => '/errors/account-suspended',
'title' => 'Compte suspendu',
'status' => Response::HTTP_FORBIDDEN,
'detail' => $exception->getMessageKey(),
], Response::HTTP_FORBIDDEN);
}
private function createBlockedResponse(LoginRateLimitResult $result): JsonResponse
{
$response = new JsonResponse([

111
backend/src/Administration/Infrastructure/Security/UserVoter.php Normal file
View File

@@ -0,0 +1,111 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Security;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use function in_array;
use Override;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Vote;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;
/**
* Voter pour les autorisations sur la gestion des utilisateurs.
*
* Seuls ADMIN et SUPER_ADMIN peuvent gérer les utilisateurs.
*
* @extends Voter<string, User|UserResource>
*/
final class UserVoter extends Voter
{
public const string VIEW = 'USER_VIEW';
public const string CREATE = 'USER_CREATE';
public const string BLOCK = 'USER_BLOCK';
public const string UNBLOCK = 'USER_UNBLOCK';
public const string RESEND_INVITATION = 'USER_RESEND_INVITATION';
private const array SUPPORTED_ATTRIBUTES = [
self::VIEW,
self::CREATE,
self::BLOCK,
self::UNBLOCK,
self::RESEND_INVITATION,
];
#[Override]
protected function supports(string $attribute, mixed $subject): bool
{
if (!in_array($attribute, self::SUPPORTED_ATTRIBUTES, true)) {
return false;
}
if ($subject === null) {
return true;
}
return $subject instanceof User || $subject instanceof UserResource;
}
#[Override]
protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool
{
$user = $token->getUser();
if (!$user instanceof UserInterface) {
return false;
}
$roles = $user->getRoles();
return match ($attribute) {
self::VIEW => $this->canView($roles),
self::CREATE, self::BLOCK, self::UNBLOCK, self::RESEND_INVITATION => $this->canManage($roles),
default => false,
};
}
/**
* @param string[] $roles
*/
private function canView(array $roles): bool
{
return $this->hasAnyRole($roles, [
Role::SUPER_ADMIN->value,
Role::ADMIN->value,
Role::SECRETARIAT->value,
]);
}
/**
* @param string[] $roles
*/
private function canManage(array $roles): bool
{
return $this->hasAnyRole($roles, [
Role::SUPER_ADMIN->value,
Role::ADMIN->value,
]);
}
/**
* @param string[] $userRoles
* @param string[] $allowedRoles
*/
private function hasAnyRole(array $userRoles, array $allowedRoles): bool
{
foreach ($userRoles as $role) {
if (in_array($role, $allowedRoles, true)) {
return true;
}
}
return false;
}
}

33
backend/src/Shared/Infrastructure/Tenant/TenantUrlBuilder.php Normal file
View File

@@ -0,0 +1,33 @@
<?php
declare(strict_types=1);
namespace App\Shared\Infrastructure\Tenant;
use App\Shared\Domain\Tenant\TenantId as DomainTenantId;
/**
* Builds tenant-aware URLs using the tenant subdomain and base domain.
*/
final readonly class TenantUrlBuilder
{
public function __construct(
private TenantRegistry $tenantRegistry,
private string $appUrl,
private string $baseDomain,
) {
}
public function build(DomainTenantId $tenantId, string $path): string
{
$tenantConfig = $this->tenantRegistry->getConfig(
TenantId::fromString((string) $tenantId),
);
$parsed = parse_url($this->appUrl);
$scheme = $parsed['scheme'] ?? 'https';
$port = isset($parsed['port']) ? ':' . $parsed['port'] : '';
return $scheme . '://' . $tenantConfig->subdomain . '.' . $this->baseDomain . $port . $path;
}
}

98
backend/templates/emails/invitation.html.twig Normal file
View File

@@ -0,0 +1,98 @@
<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Invitation - Classeo</title>
<style>
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
line-height: 1.6;
color: #333;
max-width: 600px;
margin: 0 auto;
padding: 20px;
}
.header {
text-align: center;
padding: 20px 0;
border-bottom: 2px solid #4f46e5;
}
.header h1 {
color: #4f46e5;
margin: 0;
font-size: 28px;
}
.content {
padding: 30px 0;
}
.info-box {
background-color: #f3f4f6;
border-radius: 8px;
padding: 20px;
margin: 20px 0;
}
.info-box p {
margin: 5px 0;
}
.button {
display: inline-block;
background-color: #4f46e5;
color: white;
text-decoration: none;
padding: 12px 24px;
border-radius: 6px;
font-weight: 500;
}
.button:hover {
background-color: #4338ca;
}
.footer {
text-align: center;
padding: 20px 0;
border-top: 1px solid #e5e7eb;
color: #6b7280;
font-size: 14px;
}
.warning {
background-color: #fef3c7;
border-left: 4px solid #f59e0b;
padding: 12px 16px;
margin: 20px 0;
border-radius: 0 8px 8px 0;
}
</style>
</head>
<body>
<div class="header">
<h1>Classeo</h1>
</div>
<div class="content">
<h2>Bienvenue sur Classeo !</h2>
<p>Bonjour {{ firstName }},</p>
<p>Vous avez été invité(e) à rejoindre Classeo en tant que <strong>{{ role }}</strong>.</p>
<div class="info-box">
<p>Cliquez sur le bouton ci-dessous pour activer votre compte et définir votre mot de passe.</p>
</div>
<p style="text-align: center; margin: 30px 0;">
<a href="{{ activationUrl }}" class="button">Activer mon compte</a>
</p>
<div class="warning">
<p><strong>Ce lien expire dans 7 jours.</strong></p>
<p>Si vous ne pouvez pas cliquer sur le bouton, copiez ce lien dans votre navigateur :</p>
<p style="word-break: break-all; font-size: 12px;">{{ activationUrl }}</p>
</div>
</div>
<div class="footer">
<p>Cet email a été envoyé automatiquement par Classeo.</p>
<p>Si vous n'attendiez pas cette invitation, vous pouvez ignorer cet email.</p>
</div>
</body>
</html>

114
backend/tests/Unit/Administration/Application/Command/BlockUser/BlockUserHandlerTest.php Normal file
View File

@@ -0,0 +1,114 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Command\BlockUser;
use App\Administration\Application\Command\BlockUser\BlockUserCommand;
use App\Administration\Application\Command\BlockUser\BlockUserHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurNonBlocableException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class BlockUserHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private InMemoryUserRepository $userRepository;
private Clock $clock;
private BlockUserHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-10 15:00:00');
}
};
$this->handler = new BlockUserHandler($this->userRepository, $this->clock);
}
#[Test]
public function blocksUserSuccessfully(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$this->userRepository->save($user);
$command = new BlockUserCommand(
userId: (string) $user->id,
reason: 'Comportement inapproprié',
);
($this->handler)($command);
$updated = $this->userRepository->get($user->id);
self::assertSame(StatutCompte::SUSPENDU, $updated->statut);
self::assertSame('Comportement inapproprié', $updated->blockedReason);
self::assertNotNull($updated->blockedAt);
}
#[Test]
public function throwsWhenUserAlreadySuspendu(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$user->bloquer('Première raison', new DateTimeImmutable('2026-02-08 10:00:00'));
$this->userRepository->save($user);
$this->expectException(UtilisateurNonBlocableException::class);
($this->handler)(new BlockUserCommand(
userId: (string) $user->id,
reason: 'Seconde raison',
));
}
#[Test]
public function throwsWhenUserNotFound(): void
{
$this->expectException(UserNotFoundException::class);
($this->handler)(new BlockUserCommand(
userId: (string) UserId::generate(),
reason: 'Raison',
));
}
}

109
backend/tests/Unit/Administration/Application/Command/InviteUser/InviteUserHandlerTest.php Normal file
View File

@@ -0,0 +1,109 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Command\InviteUser;
use App\Administration\Application\Command\InviteUser\InviteUserCommand;
use App\Administration\Application\Command\InviteUser\InviteUserHandler;
use App\Administration\Domain\Exception\EmailDejaUtiliseeException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class InviteUserHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private const string SCHOOL_NAME = 'École Alpha';
private InMemoryUserRepository $userRepository;
private Clock $clock;
private InviteUserHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-07 10:00:00');
}
};
$this->handler = new InviteUserHandler($this->userRepository, $this->clock);
}
#[Test]
public function invitesUserSuccessfully(): void
{
$command = new InviteUserCommand(
tenantId: self::TENANT_ID,
schoolName: self::SCHOOL_NAME,
email: 'teacher@example.com',
role: Role::PROF->value,
firstName: 'Jean',
lastName: 'Dupont',
);
$user = ($this->handler)($command);
self::assertSame(StatutCompte::EN_ATTENTE, $user->statut);
self::assertSame('Jean', $user->firstName);
self::assertSame('Dupont', $user->lastName);
self::assertSame('teacher@example.com', (string) $user->email);
self::assertNotNull($user->invitedAt);
}
#[Test]
public function throwsWhenEmailAlreadyUsedInTenant(): void
{
// Pre-populate with existing user
$existingUser = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
firstName: 'Existing',
lastName: 'User',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$this->userRepository->save($existingUser);
$command = new InviteUserCommand(
tenantId: self::TENANT_ID,
schoolName: self::SCHOOL_NAME,
email: 'teacher@example.com',
role: Role::PROF->value,
firstName: 'Jean',
lastName: 'Dupont',
);
$this->expectException(EmailDejaUtiliseeException::class);
($this->handler)($command);
}
#[Test]
public function savesUserToRepository(): void
{
$command = new InviteUserCommand(
tenantId: self::TENANT_ID,
schoolName: self::SCHOOL_NAME,
email: 'teacher@example.com',
role: Role::PROF->value,
firstName: 'Jean',
lastName: 'Dupont',
);
$user = ($this->handler)($command);
$found = $this->userRepository->get($user->id);
self::assertSame((string) $user->id, (string) $found->id);
}
}

96
backend/tests/Unit/Administration/Application/Command/ResendInvitation/ResendInvitationHandlerTest.php Normal file
View File

@@ -0,0 +1,96 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Command\ResendInvitation;
use App\Administration\Application\Command\ResendInvitation\ResendInvitationCommand;
use App\Administration\Application\Command\ResendInvitation\ResendInvitationHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurDejaInviteException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class ResendInvitationHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private InMemoryUserRepository $userRepository;
private Clock $clock;
private ResendInvitationHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-14 10:00:00');
}
};
$this->handler = new ResendInvitationHandler($this->userRepository, $this->clock);
}
#[Test]
public function resendsInvitationSuccessfully(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$this->userRepository->save($user);
$command = new ResendInvitationCommand(userId: (string) $user->id);
($this->handler)($command);
$updated = $this->userRepository->get($user->id);
self::assertEquals(new DateTimeImmutable('2026-02-14 10:00:00'), $updated->invitedAt);
}
#[Test]
public function throwsWhenUserIsActive(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$this->userRepository->save($user);
$this->expectException(UtilisateurDejaInviteException::class);
($this->handler)(new ResendInvitationCommand(userId: (string) $user->id));
}
#[Test]
public function throwsWhenUserNotFound(): void
{
$this->expectException(UserNotFoundException::class);
($this->handler)(new ResendInvitationCommand(userId: (string) UserId::generate()));
}
}

107
backend/tests/Unit/Administration/Application/Command/UnblockUser/UnblockUserHandlerTest.php Normal file
View File

@@ -0,0 +1,107 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Command\UnblockUser;
use App\Administration\Application\Command\UnblockUser\UnblockUserCommand;
use App\Administration\Application\Command\UnblockUser\UnblockUserHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurNonDeblocableException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class UnblockUserHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private InMemoryUserRepository $userRepository;
private Clock $clock;
private UnblockUserHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-12 10:00:00');
}
};
$this->handler = new UnblockUserHandler($this->userRepository, $this->clock);
}
#[Test]
public function unblocksUserSuccessfully(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$user->bloquer('Comportement inapproprié', new DateTimeImmutable('2026-02-10 15:00:00'));
$this->userRepository->save($user);
$command = new UnblockUserCommand(
userId: (string) $user->id,
);
($this->handler)($command);
$updated = $this->userRepository->get($user->id);
self::assertSame(StatutCompte::ACTIF, $updated->statut);
self::assertNull($updated->blockedAt);
self::assertNull($updated->blockedReason);
}
#[Test]
public function throwsWhenUserNotSuspendu(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$this->userRepository->save($user);
$this->expectException(UtilisateurNonDeblocableException::class);
($this->handler)(new UnblockUserCommand(userId: (string) $user->id));
}
#[Test]
public function throwsWhenUserNotFound(): void
{
$this->expectException(UserNotFoundException::class);
($this->handler)(new UnblockUserCommand(userId: (string) UserId::generate()));
}
}

174
backend/tests/Unit/Administration/Application/Query/GetUsers/GetUsersHandlerTest.php Normal file
View File

@@ -0,0 +1,174 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Query\GetUsers;
use App\Administration\Application\Query\GetUsers\GetUsersHandler;
use App\Administration\Application\Query\GetUsers\GetUsersQuery;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class GetUsersHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private const string OTHER_TENANT_ID = '550e8400-e29b-41d4-a716-446655440099';
private InMemoryUserRepository $userRepository;
private Clock $clock;
private GetUsersHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-07 10:00:00');
}
};
$this->handler = new GetUsersHandler($this->userRepository, $this->clock);
}
#[Test]
public function returnsAllUsersForTenant(): void
{
$this->seedUsers();
$query = new GetUsersQuery(tenantId: self::TENANT_ID);
$result = ($this->handler)($query);
self::assertCount(3, $result);
}
#[Test]
public function filtersUsersByRole(): void
{
$this->seedUsers();
$query = new GetUsersQuery(
tenantId: self::TENANT_ID,
role: Role::PROF->value,
);
$result = ($this->handler)($query);
self::assertCount(2, $result);
foreach ($result as $dto) {
self::assertSame(Role::PROF->value, $dto->role);
}
}
#[Test]
public function filtersUsersByStatut(): void
{
$this->seedUsers();
$query = new GetUsersQuery(
tenantId: self::TENANT_ID,
statut: 'pending',
);
$result = ($this->handler)($query);
self::assertCount(2, $result);
foreach ($result as $dto) {
self::assertSame('pending', $dto->statut);
}
}
#[Test]
public function excludesUsersFromOtherTenants(): void
{
$this->seedUsers();
// Add user to different tenant
$otherUser = User::inviter(
email: new Email('other@example.com'),
role: Role::ADMIN,
tenantId: TenantId::fromString(self::OTHER_TENANT_ID),
schoolName: 'Autre École',
firstName: 'Autre',
lastName: 'User',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$this->userRepository->save($otherUser);
$query = new GetUsersQuery(tenantId: self::TENANT_ID);
$result = ($this->handler)($query);
self::assertCount(3, $result);
}
#[Test]
public function calculatesInvitationExpiree(): void
{
// Invited 10 days ago — should be expired
$user = User::inviter(
email: new Email('old@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Old',
lastName: 'Invitation',
invitedAt: new DateTimeImmutable('2026-01-25 10:00:00'),
);
$this->userRepository->save($user);
$query = new GetUsersQuery(tenantId: self::TENANT_ID);
$result = ($this->handler)($query);
self::assertCount(1, $result);
self::assertTrue($result[0]->invitationExpiree);
}
private function seedUsers(): void
{
$tenantId = TenantId::fromString(self::TENANT_ID);
$teacher1 = User::inviter(
email: new Email('teacher1@example.com'),
role: Role::PROF,
tenantId: $tenantId,
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$this->userRepository->save($teacher1);
$teacher2 = User::inviter(
email: new Email('teacher2@example.com'),
role: Role::PROF,
tenantId: $tenantId,
schoolName: 'École Alpha',
firstName: 'Marie',
lastName: 'Martin',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
// Activate teacher2
$teacher2->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$this->userRepository->save($teacher2);
$parent = User::inviter(
email: new Email('parent@example.com'),
role: Role::PARENT,
tenantId: $tenantId,
schoolName: 'École Alpha',
firstName: 'Pierre',
lastName: 'Parent',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$this->userRepository->save($parent);
}
}

323
backend/tests/Unit/Administration/Domain/Model/User/UserInvitationTest.php Normal file
View File

@@ -0,0 +1,323 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Domain\Model\User;
use App\Administration\Domain\Event\InvitationRenvoyee;
use App\Administration\Domain\Event\UtilisateurBloque;
use App\Administration\Domain\Event\UtilisateurDebloque;
use App\Administration\Domain\Event\UtilisateurInvite;
use App\Administration\Domain\Exception\UtilisateurDejaInviteException;
use App\Administration\Domain\Exception\UtilisateurNonBlocableException;
use App\Administration\Domain\Exception\UtilisateurNonDeblocableException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class UserInvitationTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private const string SCHOOL_NAME = 'École Alpha';
private Clock $clock;
protected function setUp(): void
{
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-07 10:00:00');
}
};
}
#[Test]
public function inviterCreatesUserWithPendingStatusAndRecordsInvitedAt(): void
{
$invitedAt = new DateTimeImmutable('2026-02-07 10:00:00');
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: $invitedAt,
);
self::assertSame(StatutCompte::EN_ATTENTE, $user->statut);
self::assertSame('Jean', $user->firstName);
self::assertSame('Dupont', $user->lastName);
self::assertEquals($invitedAt, $user->invitedAt);
self::assertNull($user->hashedPassword);
self::assertNull($user->activatedAt);
self::assertNull($user->blockedAt);
self::assertNull($user->blockedReason);
}
#[Test]
public function inviterRecordsUtilisateurInviteEvent(): void
{
$user = $this->inviteUser();
$events = $user->pullDomainEvents();
self::assertCount(1, $events);
self::assertInstanceOf(UtilisateurInvite::class, $events[0]);
}
#[Test]
public function renvoyerInvitationUpdatesInvitedAtAndRecordsEvent(): void
{
$user = $this->inviteUser();
$user->pullDomainEvents();
$newInvitedAt = new DateTimeImmutable('2026-02-14 10:00:00');
$user->renvoyerInvitation($newInvitedAt);
self::assertEquals($newInvitedAt, $user->invitedAt);
$events = $user->pullDomainEvents();
self::assertCount(1, $events);
self::assertInstanceOf(InvitationRenvoyee::class, $events[0]);
}
#[Test]
public function renvoyerInvitationThrowsWhenUserIsActive(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$this->expectException(UtilisateurDejaInviteException::class);
$user->renvoyerInvitation(new DateTimeImmutable('2026-02-14 10:00:00'));
}
#[Test]
public function bloquerSetsStatusToSuspenduWithReasonAndDate(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$user->pullDomainEvents();
$blockedAt = new DateTimeImmutable('2026-02-10 15:00:00');
$user->bloquer('Comportement inapproprié', $blockedAt);
self::assertSame(StatutCompte::SUSPENDU, $user->statut);
self::assertEquals($blockedAt, $user->blockedAt);
self::assertSame('Comportement inapproprié', $user->blockedReason);
self::assertFalse($user->peutSeConnecter());
}
#[Test]
public function bloquerRecordsUtilisateurBloqueEvent(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$user->pullDomainEvents();
$user->bloquer('Raison de test', new DateTimeImmutable('2026-02-10 15:00:00'));
$events = $user->pullDomainEvents();
self::assertCount(1, $events);
self::assertInstanceOf(UtilisateurBloque::class, $events[0]);
}
#[Test]
public function bloquerThrowsWhenAlreadySuspendu(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$user->bloquer('Première raison', new DateTimeImmutable('2026-02-10 15:00:00'));
$this->expectException(UtilisateurNonBlocableException::class);
$user->bloquer('Seconde raison', new DateTimeImmutable('2026-02-11 15:00:00'));
}
#[Test]
public function bloquerThrowsWhenEnAttente(): void
{
$user = $this->inviteUser();
$this->expectException(UtilisateurNonBlocableException::class);
$user->bloquer('Raison de test', new DateTimeImmutable('2026-02-10 15:00:00'));
}
#[Test]
public function bloquerThrowsWhenConsentementRequis(): void
{
$user = User::reconstitute(
id: UserId::generate(),
email: new Email('minor@example.com'),
role: Role::ELEVE,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
statut: StatutCompte::CONSENTEMENT_REQUIS,
dateNaissance: new DateTimeImmutable('2015-01-01'),
createdAt: new DateTimeImmutable('2026-02-01 10:00:00'),
hashedPassword: null,
activatedAt: null,
consentementParental: null,
);
$this->expectException(UtilisateurNonBlocableException::class);
$user->bloquer('Raison de test', new DateTimeImmutable('2026-02-10 15:00:00'));
}
#[Test]
public function debloquerRestoresActiveStatusAndClearsBlockedInfo(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$user->bloquer('Raison de test', new DateTimeImmutable('2026-02-10 15:00:00'));
$user->pullDomainEvents();
$user->debloquer(new DateTimeImmutable('2026-02-12 10:00:00'));
self::assertSame(StatutCompte::ACTIF, $user->statut);
self::assertNull($user->blockedAt);
self::assertNull($user->blockedReason);
}
#[Test]
public function debloquerRecordsUtilisateurDebloqueEvent(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$user->bloquer('Raison de test', new DateTimeImmutable('2026-02-10 15:00:00'));
$user->pullDomainEvents();
$user->debloquer(new DateTimeImmutable('2026-02-12 10:00:00'));
$events = $user->pullDomainEvents();
self::assertCount(1, $events);
self::assertInstanceOf(UtilisateurDebloque::class, $events[0]);
}
#[Test]
public function debloquerThrowsWhenNotSuspendu(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$this->expectException(UtilisateurNonDeblocableException::class);
$user->debloquer(new DateTimeImmutable('2026-02-12 10:00:00'));
}
#[Test]
public function debloquerThrowsWhenEnAttente(): void
{
$user = $this->inviteUser();
$this->expectException(UtilisateurNonDeblocableException::class);
$user->debloquer(new DateTimeImmutable('2026-02-12 10:00:00'));
}
#[Test]
public function estInvitationExpireeReturnsTrueAfter7Days(): void
{
$invitedAt = new DateTimeImmutable('2026-01-30 10:00:00');
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: $invitedAt,
);
// 8 jours après
$checkAt = new DateTimeImmutable('2026-02-07 10:00:01');
self::assertTrue($user->estInvitationExpiree($checkAt));
}
#[Test]
public function estInvitationExpireeReturnsFalseWithin7Days(): void
{
$invitedAt = new DateTimeImmutable('2026-02-05 10:00:00');
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: $invitedAt,
);
// 2 jours après
$checkAt = new DateTimeImmutable('2026-02-07 10:00:00');
self::assertFalse($user->estInvitationExpiree($checkAt));
}
#[Test]
public function estInvitationExpireeReturnsFalseForActiveUser(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
// Même longtemps après, un utilisateur actif n'a pas d'invitation expirée
$checkAt = new DateTimeImmutable('2027-01-01 10:00:00');
self::assertFalse($user->estInvitationExpiree($checkAt));
}
private function inviteUser(): User
{
return User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-07 10:00:00'),
);
}
}

5
backend/tests/Unit/Administration/Infrastructure/Api/Processor/ActivateAccountProcessorTest.php
View File

@@ -172,6 +172,11 @@ final class ActivateAccountProcessorTest extends TestCase
{
throw UserNotFoundException::withId($id);
}
public function findAllByTenant(TenantId $tenantId): array
{
return [];
}
};
$consentementPolicy = new ConsentementParentalPolicy($this->clock);

17
backend/tests/Unit/Administration/Infrastructure/Security/DatabaseUserProviderTest.php
View File

@@ -23,6 +23,7 @@ use PHPUnit\Framework\TestCase;
use stdClass;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Component\Security\Core\Exception\UserNotFoundException;
final class DatabaseUserProviderTest extends TestCase
@@ -83,6 +84,22 @@ final class DatabaseUserProviderTest extends TestCase
$provider->loadUserByIdentifier('user@example.com');
}
#[Test]
public function loadUserByIdentifierThrowsAccountStatusExceptionForSuspendedUser(): void
{
$tenantId = TenantId::fromString(self::TENANT_ALPHA_ID);
$domainUser = $this->createUser($tenantId, StatutCompte::SUSPENDU, hashedPassword: '$argon2id$hash');
$repository = $this->createMock(UserRepository::class);
$repository->method('findByEmail')->willReturn($domainUser);
$provider = $this->createProvider($repository, 'ecole-alpha.classeo.local');
$this->expectException(CustomUserMessageAccountStatusException::class);
$provider->loadUserByIdentifier('user@example.com');
}
#[Test]
public function loadUserByIdentifierThrowsForUnknownTenant(): void
{

101
backend/tests/Unit/Administration/Infrastructure/Security/LoginFailureHandlerTest.php Normal file
View File

@@ -0,0 +1,101 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Infrastructure\Security;
use App\Administration\Infrastructure\Security\LoginFailureHandler;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Monitoring\MetricsCollector;
use App\Shared\Infrastructure\RateLimit\LoginRateLimiterInterface;
use App\Shared\Infrastructure\RateLimit\LoginRateLimitResult;
use App\Shared\Infrastructure\Tenant\TenantContext;
use App\Shared\Infrastructure\Tenant\TenantNotFoundException;
use App\Shared\Infrastructure\Tenant\TenantResolver;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
use Prometheus\CollectorRegistry;
use Prometheus\Storage\InMemory;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Messenger\Envelope;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
final class LoginFailureHandlerTest extends TestCase
{
private function createMetricsCollector(): MetricsCollector
{
return new MetricsCollector(
new CollectorRegistry(new InMemory()),
new TenantContext(),
);
}
#[Test]
public function suspendedAccountReturns403WithoutRateLimiting(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->expects(self::never())->method('recordFailure');
$eventBus = $this->createMock(MessageBusInterface::class);
$eventBus->expects(self::never())->method('dispatch');
$clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-07 10:00:00');
}
};
$tenantResolver = $this->createMock(TenantResolver::class);
$handler = new LoginFailureHandler($rateLimiter, $eventBus, $clock, $tenantResolver, $this->createMetricsCollector());
$request = Request::create('/api/login', 'POST', [], [], [], [], json_encode(['email' => 'blocked@example.com', 'password' => 'test']));
$exception = new CustomUserMessageAccountStatusException('Votre compte a été suspendu. Contactez votre établissement.');
$response = $handler->onAuthenticationFailure($request, $exception);
self::assertSame(403, $response->getStatusCode());
$data = json_decode($response->getContent(), true);
self::assertSame('/errors/account-suspended', $data['type']);
self::assertSame('Compte suspendu', $data['title']);
}
#[Test]
public function standardFailureReturns401WithRateLimiting(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->expects(self::once())
->method('recordFailure')
->willReturn(LoginRateLimitResult::allowed(1, 0, false));
$eventBus = $this->createMock(MessageBusInterface::class);
$eventBus->method('dispatch')->willReturnCallback(
static fn (object $message) => new Envelope($message),
);
$clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-07 10:00:00');
}
};
$tenantResolver = $this->createMock(TenantResolver::class);
$tenantResolver->method('resolve')->willThrowException(TenantNotFoundException::withSubdomain('unknown'));
$handler = new LoginFailureHandler($rateLimiter, $eventBus, $clock, $tenantResolver, $this->createMetricsCollector());
$request = Request::create('/api/login', 'POST', [], [], [], [], json_encode(['email' => 'user@example.com', 'password' => 'wrong']));
$exception = new AuthenticationException('Invalid credentials.');
$response = $handler->onAuthenticationFailure($request, $exception);
self::assertSame(401, $response->getStatusCode());
$data = json_decode($response->getContent(), true);
self::assertSame('/errors/authentication-failed', $data['type']);
}
}

134
backend/tests/Unit/Administration/Infrastructure/Security/UserVoterTest.php Normal file
View File

@@ -0,0 +1,134 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Infrastructure\Security;
use App\Administration\Infrastructure\Security\UserVoter;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\User\UserInterface;
final class UserVoterTest extends TestCase
{
private UserVoter $voter;
protected function setUp(): void
{
$this->voter = new UserVoter();
}
#[Test]
public function itAbstainsForUnrelatedAttributes(): void
{
$user = $this->createMock(UserInterface::class);
$user->method('getRoles')->willReturn(['ROLE_ADMIN']);
$token = $this->createMock(TokenInterface::class);
$token->method('getUser')->willReturn($user);
$result = $this->voter->vote($token, null, ['SOME_OTHER_ATTRIBUTE']);
self::assertSame(UserVoter::ACCESS_ABSTAIN, $result);
}
#[Test]
public function itDeniesAccessToUnauthenticatedUsers(): void
{
$token = $this->createMock(TokenInterface::class);
$token->method('getUser')->willReturn(null);
$result = $this->voter->vote($token, null, [UserVoter::VIEW]);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itGrantsViewToSuperAdmin(): void
{
$result = $this->voteWithRole('ROLE_SUPER_ADMIN', UserVoter::VIEW);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itGrantsViewToAdmin(): void
{
$result = $this->voteWithRole('ROLE_ADMIN', UserVoter::VIEW);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itGrantsViewToSecretariat(): void
{
$result = $this->voteWithRole('ROLE_SECRETARIAT', UserVoter::VIEW);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itDeniesViewToProf(): void
{
$result = $this->voteWithRole('ROLE_PROF', UserVoter::VIEW);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itDeniesViewToParent(): void
{
$result = $this->voteWithRole('ROLE_PARENT', UserVoter::VIEW);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itGrantsCreateToAdmin(): void
{
$result = $this->voteWithRole('ROLE_ADMIN', UserVoter::CREATE);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itDeniesCreateToSecretariat(): void
{
$result = $this->voteWithRole('ROLE_SECRETARIAT', UserVoter::CREATE);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itGrantsBlockToAdmin(): void
{
$result = $this->voteWithRole('ROLE_ADMIN', UserVoter::BLOCK);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itDeniesBlockToProf(): void
{
$result = $this->voteWithRole('ROLE_PROF', UserVoter::BLOCK);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itGrantsUnblockToAdmin(): void
{
$result = $this->voteWithRole('ROLE_ADMIN', UserVoter::UNBLOCK);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itDeniesUnblockToProf(): void
{
$result = $this->voteWithRole('ROLE_PROF', UserVoter::UNBLOCK);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
private function voteWithRole(string $role, string $attribute): int
{
$user = $this->createMock(UserInterface::class);
$user->method('getRoles')->willReturn([$role]);
$token = $this->createMock(TokenInterface::class);
$token->method('getUser')->willReturn($user);
return $this->voter->vote($token, null, [$attribute]);
}
}