feat: Gestion des utilisateurs (invitation, blocage, déblocage)

Permet aux administrateurs d'un établissement de gérer le cycle de vie
des comptes utilisateurs : inviter de nouveaux membres, bloquer/débloquer
des comptes actifs, et renvoyer des invitations en attente.

Chaque mutation vérifie l'appartenance au tenant courant pour empêcher
les accès cross-tenant. Le blocage est restreint aux comptes actifs
uniquement et un administrateur ne peut pas bloquer son propre compte.

Les comptes suspendus reçoivent une erreur 403 spécifique au login
(sans déclencher l'escalade du rate limiting) et les tentatives sont
tracées dans les métriques Prometheus.

backend/src/Administration/Infrastructure/Security/DatabaseUserProvider.php

@@ -6,12 +6,14 @@ namespace App\Administration\Infrastructure\Security;
 
 use App\Administration\Domain\Exception\EmailInvalideException;
 use App\Administration\Domain\Model\User\Email;
+use App\Administration\Domain\Model\User\StatutCompte;
 use App\Administration\Domain\Repository\UserRepository;
 use App\Shared\Infrastructure\Tenant\TenantId;
 use App\Shared\Infrastructure\Tenant\TenantNotFoundException;
 use App\Shared\Infrastructure\Tenant\TenantResolver;
 use InvalidArgumentException;
 use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
 use Symfony\Component\Security\Core\Exception\UserNotFoundException as SymfonyUserNotFoundException;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
@@ -55,7 +57,15 @@ final readonly class DatabaseUserProvider implements UserProviderInterface
             throw new SymfonyUserNotFoundException();
         }
 
-        // Do not allow login if the account is not active
+        // Blocked account: specific message so the user understands why they can't log in
+        if ($user->statut === StatutCompte::SUSPENDU) {
+            throw new CustomUserMessageAccountStatusException(
+                'Votre compte a été suspendu. Contactez votre établissement.',
+                messageData: ['statut' => 'suspended'],
+            );
+        }
+
+        // Other non-active statuses (pending, consent, archived): generic error
         if (!$user->peutSeConnecter()) {
             throw new SymfonyUserNotFoundException();
         }

backend/src/Administration/Infrastructure/Security/LoginFailureHandler.php

@@ -22,6 +22,7 @@ use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Messenger\MessageBusInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
 use Throwable;
 
@@ -48,6 +49,15 @@ final readonly class LoginFailureHandler implements AuthenticationFailureHandler
 
     public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
     {
+        // Suspended account: return a specific message without recording a rate-limit failure.
+        // This prevents blocked users from triggering CAPTCHA/delay escalation
+        // while informing them clearly why they cannot log in.
+        if ($exception instanceof CustomUserMessageAccountStatusException) {
+            $this->metricsCollector->recordLoginFailure('account_suspended');
+
+            return $this->createSuspendedResponse($exception);
+        }
+
         $content = json_decode($request->getContent(), true);
         $email = is_array($content) && isset($content['email']) && is_string($content['email'])
             ? $content['email']
@@ -92,6 +102,16 @@ final readonly class LoginFailureHandler implements AuthenticationFailureHandler
         return $this->createFailureResponse($result);
     }
 
+    private function createSuspendedResponse(CustomUserMessageAccountStatusException $exception): JsonResponse
+    {
+        return new JsonResponse([
+            'type' => '/errors/account-suspended',
+            'title' => 'Compte suspendu',
+            'status' => Response::HTTP_FORBIDDEN,
+            'detail' => $exception->getMessageKey(),
+        ], Response::HTTP_FORBIDDEN);
+    }
+
     private function createBlockedResponse(LoginRateLimitResult $result): JsonResponse
     {
         $response = new JsonResponse([

backend/src/Administration/Infrastructure/Security/UserVoter.php

@@ -0,0 +1,111 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Administration\Infrastructure\Security;
+
+use App\Administration\Domain\Model\User\Role;
+use App\Administration\Domain\Model\User\User;
+use App\Administration\Infrastructure\Api\Resource\UserResource;
+
+use function in_array;
+
+use Override;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+/**
+ * Voter pour les autorisations sur la gestion des utilisateurs.
+ *
+ * Seuls ADMIN et SUPER_ADMIN peuvent gérer les utilisateurs.
+ *
+ * @extends Voter<string, User|UserResource>
+ */
+final class UserVoter extends Voter
+{
+    public const string VIEW = 'USER_VIEW';
+    public const string CREATE = 'USER_CREATE';
+    public const string BLOCK = 'USER_BLOCK';
+    public const string UNBLOCK = 'USER_UNBLOCK';
+    public const string RESEND_INVITATION = 'USER_RESEND_INVITATION';
+
+    private const array SUPPORTED_ATTRIBUTES = [
+        self::VIEW,
+        self::CREATE,
+        self::BLOCK,
+        self::UNBLOCK,
+        self::RESEND_INVITATION,
+    ];
+
+    #[Override]
+    protected function supports(string $attribute, mixed $subject): bool
+    {
+        if (!in_array($attribute, self::SUPPORTED_ATTRIBUTES, true)) {
+            return false;
+        }
+
+        if ($subject === null) {
+            return true;
+        }
+
+        return $subject instanceof User || $subject instanceof UserResource;
+    }
+
+    #[Override]
+    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool
+    {
+        $user = $token->getUser();
+
+        if (!$user instanceof UserInterface) {
+            return false;
+        }
+
+        $roles = $user->getRoles();
+
+        return match ($attribute) {
+            self::VIEW => $this->canView($roles),
+            self::CREATE, self::BLOCK, self::UNBLOCK, self::RESEND_INVITATION => $this->canManage($roles),
+            default => false,
+        };
+    }
+
+    /**
+     * @param string[] $roles
+     */
+    private function canView(array $roles): bool
+    {
+        return $this->hasAnyRole($roles, [
+            Role::SUPER_ADMIN->value,
+            Role::ADMIN->value,
+            Role::SECRETARIAT->value,
+        ]);
+    }
+
+    /**
+     * @param string[] $roles
+     */
+    private function canManage(array $roles): bool
+    {
+        return $this->hasAnyRole($roles, [
+            Role::SUPER_ADMIN->value,
+            Role::ADMIN->value,
+        ]);
+    }
+
+    /**
+     * @param string[] $userRoles
+     * @param string[] $allowedRoles
+     */
+    private function hasAnyRole(array $userRoles, array $allowedRoles): bool
+    {
+        foreach ($userRoles as $role) {
+            if (in_array($role, $allowedRoles, true)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}