Roukmoute/Classeo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Gestion des utilisateurs (invitation, blocage, déblocage)

Browse Source 
Permet aux administrateurs d'un établissement de gérer le cycle de vie
des comptes utilisateurs : inviter de nouveaux membres, bloquer/débloquer
des comptes actifs, et renvoyer des invitations en attente.

Chaque mutation vérifie l'appartenance au tenant courant pour empêcher
les accès cross-tenant. Le blocage est restreint aux comptes actifs
uniquement et un administrateur ne peut pas bloquer son propre compte.

Les comptes suspendus reçoivent une erreur 403 spécifique au login
(sans déclencher l'escalade du rate limiting) et les tentatives sont
tracées dans les métriques Prometheus.
This commit is contained in:
Mathias STRASSER
2026-02-07 16:44:30 +01:00
parent ff18850a43
commit 4005c70082
58 changed files with 4443 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
backend/config/packages/messenger.yaml
View File

@@ -49,7 +49,4 @@ framework:
routing: routing:
# Route your messages to the transports # Route your messages to the transports
# Password reset events are async to prevent timing attacks (email enumeration) # 'App\Message\YourMessage': async
# and to improve API response time
'App\Administration\Domain\Event\PasswordResetTokenGenerated': async
'App\Administration\Domain\Event\MotDePasseChange': async

5
backend/config/services.yaml
View File

@@ -92,6 +92,11 @@ services:
arguments: arguments:
$appUrl: '%app.url%' $appUrl: '%app.url%'
App\Shared\Infrastructure\Tenant\TenantUrlBuilder:
arguments:
$appUrl: '%app.url%'
$baseDomain: '%tenant.base_domain%'
# Audit Logger Service (writes to append-only audit_log table) # Audit Logger Service (writes to append-only audit_log table)
App\Shared\Application\Port\AuditLogger: App\Shared\Application\Port\AuditLogger:
alias: App\Shared\Infrastructure\Audit\AuditLogger alias: App\Shared\Infrastructure\Audit\AuditLogger

15
backend/src/Administration/Application/Command/BlockUser/BlockUserCommand.php Normal file
View File

@@ -0,0 +1,15 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\BlockUser;
final readonly class BlockUserCommand
{
public function __construct(
public string $userId,
public string $reason,
public string $tenantId = '',
) {
}
}

39
backend/src/Administration/Application/Command/BlockUser/BlockUserHandler.php Normal file
View File

@@ -0,0 +1,39 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\BlockUser;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'command.bus')]
final readonly class BlockUserHandler
{
public function __construct(
private UserRepository $userRepository,
private Clock $clock,
) {
}
public function __invoke(BlockUserCommand $command): User
{
$userId = UserId::fromString($command->userId);
$user = $this->userRepository->get($userId);
if ($command->tenantId !== '' && !$user->tenantId->equals(TenantId::fromString($command->tenantId))) {
throw UserNotFoundException::withId($userId);
}
$user->bloquer($command->reason, $this->clock->now());
$this->userRepository->save($user);
return $user;
}
}

19
backend/src/Administration/Application/Command/InviteUser/InviteUserCommand.php Normal file
View File

@@ -0,0 +1,19 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\InviteUser;
final readonly class InviteUserCommand
{
public function __construct(
public string $tenantId,
public string $schoolName,
public string $email,
public string $role,
public string $firstName,
public string $lastName,
public ?string $dateNaissance = null,
) {
}
}

63
backend/src/Administration/Application/Command/InviteUser/InviteUserHandler.php Normal file
View File

@@ -0,0 +1,63 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\InviteUser;
use App\Administration\Domain\Exception\EmailDejaUtiliseeException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use InvalidArgumentException;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'command.bus')]
final readonly class InviteUserHandler
{
public function __construct(
private UserRepository $userRepository,
private Clock $clock,
) {
}
/**
* @throws EmailDejaUtiliseeException if email is already used in this tenant
* @throws InvalidArgumentException if the role is invalid
*/
public function __invoke(InviteUserCommand $command): User
{
$tenantId = TenantId::fromString($command->tenantId);
$email = new Email($command->email);
$role = Role::tryFrom($command->role);
if ($role === null) {
throw new InvalidArgumentException("Rôle invalide : \"{$command->role}\".");
}
$existingUser = $this->userRepository->findByEmail($email, $tenantId);
if ($existingUser !== null) {
throw EmailDejaUtiliseeException::dansTenant($email, $tenantId);
}
$user = User::inviter(
email: $email,
role: $role,
tenantId: $tenantId,
schoolName: $command->schoolName,
firstName: $command->firstName,
lastName: $command->lastName,
invitedAt: $this->clock->now(),
dateNaissance: $command->dateNaissance !== null
? new DateTimeImmutable($command->dateNaissance)
: null,
);
$this->userRepository->save($user);
return $user;
}
}

14
backend/src/Administration/Application/Command/ResendInvitation/ResendInvitationCommand.php Normal file
View File

@@ -0,0 +1,14 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\ResendInvitation;
final readonly class ResendInvitationCommand
{
public function __construct(
public string $userId,
public string $tenantId = '',
) {
}
}

39
backend/src/Administration/Application/Command/ResendInvitation/ResendInvitationHandler.php Normal file
View File

@@ -0,0 +1,39 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\ResendInvitation;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'command.bus')]
final readonly class ResendInvitationHandler
{
public function __construct(
private UserRepository $userRepository,
private Clock $clock,
) {
}
public function __invoke(ResendInvitationCommand $command): User
{
$userId = UserId::fromString($command->userId);
$user = $this->userRepository->get($userId);
if ($command->tenantId !== '' && !$user->tenantId->equals(TenantId::fromString($command->tenantId))) {
throw UserNotFoundException::withId($userId);
}
$user->renvoyerInvitation($this->clock->now());
$this->userRepository->save($user);
return $user;
}
}

14
backend/src/Administration/Application/Command/UnblockUser/UnblockUserCommand.php Normal file
View File

@@ -0,0 +1,14 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\UnblockUser;
final readonly class UnblockUserCommand
{
public function __construct(
public string $userId,
public string $tenantId = '',
) {
}
}

39
backend/src/Administration/Application/Command/UnblockUser/UnblockUserHandler.php Normal file
View File

@@ -0,0 +1,39 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Command\UnblockUser;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'command.bus')]
final readonly class UnblockUserHandler
{
public function __construct(
private UserRepository $userRepository,
private Clock $clock,
) {
}
public function __invoke(UnblockUserCommand $command): User
{
$userId = UserId::fromString($command->userId);
$user = $this->userRepository->get($userId);
if ($command->tenantId !== '' && !$user->tenantId->equals(TenantId::fromString($command->tenantId))) {
throw UserNotFoundException::withId($userId);
}
$user->debloquer($this->clock->now());
$this->userRepository->save($user);
return $user;
}
}

58
backend/src/Administration/Application/Query/GetUsers/GetUsersHandler.php Normal file
View File

@@ -0,0 +1,58 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Query\GetUsers;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
#[AsMessageHandler(bus: 'query.bus')]
final readonly class GetUsersHandler
{
public function __construct(
private UserRepository $userRepository,
private Clock $clock,
) {
}
/**
* @return UserDto[]
*/
public function __invoke(GetUsersQuery $query): array
{
$users = $this->userRepository->findAllByTenant(
TenantId::fromString($query->tenantId),
);
// Apply filters
if ($query->role !== null) {
$filterRole = Role::tryFrom($query->role);
if ($filterRole !== null) {
$users = array_filter(
$users,
static fn ($user) => $user->role === $filterRole,
);
}
}
if ($query->statut !== null) {
$filterStatut = StatutCompte::tryFrom($query->statut);
if ($filterStatut !== null) {
$users = array_filter(
$users,
static fn ($user) => $user->statut === $filterStatut,
);
}
}
return array_values(array_map(
fn ($user) => UserDto::fromDomain($user, $this->clock),
$users,
));
}
}

15
backend/src/Administration/Application/Query/GetUsers/GetUsersQuery.php Normal file
View File

@@ -0,0 +1,15 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Query\GetUsers;
final readonly class GetUsersQuery
{
public function __construct(
public string $tenantId,
public ?string $role = null,
public ?string $statut = null,
) {
}
}

48
backend/src/Administration/Application/Query/GetUsers/UserDto.php Normal file
View File

@@ -0,0 +1,48 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Query\GetUsers;
use App\Administration\Domain\Model\User\User;
use App\Shared\Domain\Clock;
use DateTimeImmutable;
final readonly class UserDto
{
public function __construct(
public string $id,
public string $email,
public string $role,
public string $roleLabel,
public string $firstName,
public string $lastName,
public string $statut,
public DateTimeImmutable $createdAt,
public ?DateTimeImmutable $invitedAt,
public ?DateTimeImmutable $activatedAt,
public ?DateTimeImmutable $blockedAt,
public ?string $blockedReason,
public bool $invitationExpiree,
) {
}
public static function fromDomain(User $user, Clock $clock): self
{
return new self(
id: (string) $user->id,
email: (string) $user->email,
role: $user->role->value,
roleLabel: $user->role->label(),
firstName: $user->firstName,
lastName: $user->lastName,
statut: $user->statut->value,
createdAt: $user->createdAt,
invitedAt: $user->invitedAt,
activatedAt: $user->activatedAt,
blockedAt: $user->blockedAt,
blockedReason: $user->blockedReason,
invitationExpiree: $user->estInvitationExpiree($clock->now()),
);
}
}

35
backend/src/Administration/Domain/Event/InvitationRenvoyee.php Normal file
View File

@@ -0,0 +1,35 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class InvitationRenvoyee implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

36
backend/src/Administration/Domain/Event/UtilisateurBloque.php Normal file
View File

@@ -0,0 +1,36 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class UtilisateurBloque implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public string $reason,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

35
backend/src/Administration/Domain/Event/UtilisateurDebloque.php Normal file
View File

@@ -0,0 +1,35 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class UtilisateurDebloque implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

38
backend/src/Administration/Domain/Event/UtilisateurInvite.php Normal file
View File

@@ -0,0 +1,38 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;
final readonly class UtilisateurInvite implements DomainEvent
{
public function __construct(
public UserId $userId,
public string $email,
public string $role,
public string $firstName,
public string $lastName,
public TenantId $tenantId,
private DateTimeImmutable $occurredOn,
) {
}
#[Override]
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
#[Override]
public function aggregateId(): UuidInterface
{
return $this->userId->value;
}
}

23
backend/src/Administration/Domain/Exception/EmailDejaUtiliseeException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\User\Email;
use App\Shared\Domain\Tenant\TenantId;
use RuntimeException;
use function sprintf;
final class EmailDejaUtiliseeException extends RuntimeException
{
public static function dansTenant(Email $email, TenantId $tenantId): self
{
return new self(sprintf(
'L\'email "%s" est déjà utilisé dans l\'établissement "%s".',
$email,
$tenantId,
));
}
}

23
backend/src/Administration/Domain/Exception/UtilisateurDejaInviteException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\UserId;
use RuntimeException;
use function sprintf;
final class UtilisateurDejaInviteException extends RuntimeException
{
public static function carStatutIncompatible(UserId $userId, StatutCompte $statut): self
{
return new self(sprintf(
'Impossible de renvoyer l\'invitation pour "%s" : le compte est en statut "%s".',
$userId,
$statut->value,
));
}
}

23
backend/src/Administration/Domain/Exception/UtilisateurNonBlocableException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\UserId;
use RuntimeException;
use function sprintf;
final class UtilisateurNonBlocableException extends RuntimeException
{
public static function carStatutIncompatible(UserId $userId, StatutCompte $statut): self
{
return new self(sprintf(
'Impossible de bloquer l\'utilisateur "%s" : le compte est déjà en statut "%s".',
$userId,
$statut->value,
));
}
}

23
backend/src/Administration/Domain/Exception/UtilisateurNonDeblocableException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\UserId;
use RuntimeException;
use function sprintf;
final class UtilisateurNonDeblocableException extends RuntimeException
{
public static function carStatutIncompatible(UserId $userId, StatutCompte $statut): self
{
return new self(sprintf(
'Impossible de débloquer l\'utilisateur "%s" : le compte est en statut "%s".',
$userId,
$statut->value,
));
}
}

150
backend/src/Administration/Domain/Model/User/User.php
View File

@@ -6,8 +6,15 @@ namespace App\Administration\Domain\Model\User;
use App\Administration\Domain\Event\CompteActive; use App\Administration\Domain\Event\CompteActive;
use App\Administration\Domain\Event\CompteCreated; use App\Administration\Domain\Event\CompteCreated;
use App\Administration\Domain\Event\InvitationRenvoyee;
use App\Administration\Domain\Event\MotDePasseChange; use App\Administration\Domain\Event\MotDePasseChange;
use App\Administration\Domain\Event\UtilisateurBloque;
use App\Administration\Domain\Event\UtilisateurDebloque;
use App\Administration\Domain\Event\UtilisateurInvite;
use App\Administration\Domain\Exception\CompteNonActivableException; use App\Administration\Domain\Exception\CompteNonActivableException;
use App\Administration\Domain\Exception\UtilisateurDejaInviteException;
use App\Administration\Domain\Exception\UtilisateurNonBlocableException;
use App\Administration\Domain\Exception\UtilisateurNonDeblocableException;
use App\Administration\Domain\Model\ConsentementParental\ConsentementParental; use App\Administration\Domain\Model\ConsentementParental\ConsentementParental;
use App\Administration\Domain\Policy\ConsentementParentalPolicy; use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Shared\Domain\AggregateRoot; use App\Shared\Domain\AggregateRoot;
@@ -26,6 +33,9 @@ final class User extends AggregateRoot
public private(set) ?string $hashedPassword = null; public private(set) ?string $hashedPassword = null;
public private(set) ?DateTimeImmutable $activatedAt = null; public private(set) ?DateTimeImmutable $activatedAt = null;
public private(set) ?ConsentementParental $consentementParental = null; public private(set) ?ConsentementParental $consentementParental = null;
public private(set) ?DateTimeImmutable $invitedAt = null;
public private(set) ?DateTimeImmutable $blockedAt = null;
public private(set) ?string $blockedReason = null;
private function __construct( private function __construct(
public private(set) UserId $id, public private(set) UserId $id,
@@ -36,6 +46,8 @@ final class User extends AggregateRoot
public private(set) StatutCompte $statut, public private(set) StatutCompte $statut,
public private(set) ?DateTimeImmutable $dateNaissance, public private(set) ?DateTimeImmutable $dateNaissance,
public private(set) DateTimeImmutable $createdAt, public private(set) DateTimeImmutable $createdAt,
public private(set) string $firstName = '',
public private(set) string $lastName = '',
) { ) {
} }
@@ -136,6 +148,134 @@ final class User extends AggregateRoot
return $this->statut->peutSeConnecter(); return $this->statut->peutSeConnecter();
} }
/**
* Creates a new user via admin invitation.
*
* Unlike creer() which is for self-registration, inviter() is used
* when an admin creates a user account from the management interface.
*/
public static function inviter(
Email $email,
Role $role,
TenantId $tenantId,
string $schoolName,
string $firstName,
string $lastName,
DateTimeImmutable $invitedAt,
?DateTimeImmutable $dateNaissance = null,
): self {
$user = new self(
id: UserId::generate(),
email: $email,
role: $role,
tenantId: $tenantId,
schoolName: $schoolName,
statut: StatutCompte::EN_ATTENTE,
dateNaissance: $dateNaissance,
createdAt: $invitedAt,
firstName: $firstName,
lastName: $lastName,
);
$user->invitedAt = $invitedAt;
$user->recordEvent(new UtilisateurInvite(
userId: $user->id,
email: (string) $user->email,
role: $user->role->value,
firstName: $firstName,
lastName: $lastName,
tenantId: $user->tenantId,
occurredOn: $invitedAt,
));
return $user;
}
/**
* Resends the invitation for a user still awaiting activation.
*
* @throws UtilisateurDejaInviteException if user is no longer in a pending state
*/
public function renvoyerInvitation(DateTimeImmutable $at): void
{
if ($this->statut !== StatutCompte::EN_ATTENTE && $this->statut !== StatutCompte::CONSENTEMENT_REQUIS) {
throw UtilisateurDejaInviteException::carStatutIncompatible($this->id, $this->statut);
}
$this->invitedAt = $at;
$this->recordEvent(new InvitationRenvoyee(
userId: $this->id,
email: (string) $this->email,
tenantId: $this->tenantId,
occurredOn: $at,
));
}
/**
* Blocks a user account.
*
* @throws UtilisateurNonBlocableException if user is already suspended or archived
*/
public function bloquer(string $reason, DateTimeImmutable $at): void
{
if ($this->statut !== StatutCompte::ACTIF) {
throw UtilisateurNonBlocableException::carStatutIncompatible($this->id, $this->statut);
}
$this->statut = StatutCompte::SUSPENDU;
$this->blockedAt = $at;
$this->blockedReason = $reason;
$this->recordEvent(new UtilisateurBloque(
userId: $this->id,
email: (string) $this->email,
reason: $reason,
tenantId: $this->tenantId,
occurredOn: $at,
));
}
/**
* Unblocks a suspended user account, restoring it to active status.
*
* @throws UtilisateurNonDeblocableException if user is not suspended
*/
public function debloquer(DateTimeImmutable $at): void
{
if ($this->statut !== StatutCompte::SUSPENDU) {
throw UtilisateurNonDeblocableException::carStatutIncompatible($this->id, $this->statut);
}
$this->statut = StatutCompte::ACTIF;
$this->blockedAt = null;
$this->blockedReason = null;
$this->recordEvent(new UtilisateurDebloque(
userId: $this->id,
email: (string) $this->email,
tenantId: $this->tenantId,
occurredOn: $at,
));
}
/**
* Checks if the invitation has expired (> 7 days since last invitation).
*/
public function estInvitationExpiree(DateTimeImmutable $at): bool
{
if ($this->statut !== StatutCompte::EN_ATTENTE && $this->statut !== StatutCompte::CONSENTEMENT_REQUIS) {
return false;
}
if ($this->invitedAt === null) {
return false;
}
return $at > $this->invitedAt->modify('+7 days');
}
/** /**
* Changes the user's password. * Changes the user's password.
* *
@@ -170,6 +310,11 @@ final class User extends AggregateRoot
?string $hashedPassword, ?string $hashedPassword,
?DateTimeImmutable $activatedAt, ?DateTimeImmutable $activatedAt,
?ConsentementParental $consentementParental, ?ConsentementParental $consentementParental,
string $firstName = '',
string $lastName = '',
?DateTimeImmutable $invitedAt = null,
?DateTimeImmutable $blockedAt = null,
?string $blockedReason = null,
): self { ): self {
$user = new self( $user = new self(
id: $id, id: $id,
@@ -180,11 +325,16 @@ final class User extends AggregateRoot
statut: $statut, statut: $statut,
dateNaissance: $dateNaissance, dateNaissance: $dateNaissance,
createdAt: $createdAt, createdAt: $createdAt,
firstName: $firstName,
lastName: $lastName,
); );
$user->hashedPassword = $hashedPassword; $user->hashedPassword = $hashedPassword;
$user->activatedAt = $activatedAt; $user->activatedAt = $activatedAt;
$user->consentementParental = $consentementParental; $user->consentementParental = $consentementParental;
$user->invitedAt = $invitedAt;
$user->blockedAt = $blockedAt;
$user->blockedReason = $blockedReason;
return $user; return $user;
} }

7
backend/src/Administration/Domain/Repository/UserRepository.php
View File

@@ -23,4 +23,11 @@ interface UserRepository
* Returns null if user doesn't exist in that tenant. * Returns null if user doesn't exist in that tenant.
*/ */
public function findByEmail(Email $email, TenantId $tenantId): ?User; public function findByEmail(Email $email, TenantId $tenantId): ?User;
/**
* Returns all users for a given tenant.
*
* @return User[]
*/
public function findAllByTenant(TenantId $tenantId): array;
} }

88
backend/src/Administration/Infrastructure/Api/Processor/BlockUserProcessor.php Normal file
View File

@@ -0,0 +1,88 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Processor;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Administration\Application\Command\BlockUser\BlockUserCommand;
use App\Administration\Application\Command\BlockUser\BlockUserHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurNonBlocableException;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\SecurityUser;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantContext;
use Override;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* @implements ProcessorInterface<UserResource, UserResource>
*/
final readonly class BlockUserProcessor implements ProcessorInterface
{
public function __construct(
private BlockUserHandler $handler,
private MessageBusInterface $eventBus,
private AuthorizationCheckerInterface $authorizationChecker,
private TenantContext $tenantContext,
private Security $security,
private Clock $clock,
) {
}
/**
* @param UserResource $data
*/
#[Override]
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): UserResource
{
if (!$this->authorizationChecker->isGranted(UserVoter::BLOCK)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à bloquer un utilisateur.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
/** @var string $userId */
$userId = $uriVariables['id'] ?? '';
$currentUser = $this->security->getUser();
if ($currentUser instanceof SecurityUser && $currentUser->userId() === $userId) {
throw new BadRequestHttpException('Vous ne pouvez pas bloquer votre propre compte.');
}
$reason = trim($data->reason ?? '');
if ($reason === '') {
throw new BadRequestHttpException('La raison du blocage est obligatoire.');
}
try {
$command = new BlockUserCommand(
userId: $userId,
reason: $reason,
tenantId: (string) $this->tenantContext->getCurrentTenantId(),
);
$user = ($this->handler)($command);
foreach ($user->pullDomainEvents() as $event) {
$this->eventBus->dispatch($event);
}
return UserResource::fromDomain($user, $this->clock->now());
} catch (UserNotFoundException $e) {
throw new NotFoundHttpException($e->getMessage());
} catch (UtilisateurNonBlocableException $e) {
throw new BadRequestHttpException($e->getMessage());
}
}
}

80
backend/src/Administration/Infrastructure/Api/Processor/InviteUserProcessor.php Normal file
View File

@@ -0,0 +1,80 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Processor;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Administration\Application\Command\InviteUser\InviteUserCommand;
use App\Administration\Application\Command\InviteUser\InviteUserHandler;
use App\Administration\Domain\Exception\EmailDejaUtiliseeException;
use App\Administration\Domain\Exception\EmailInvalideException;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantContext;
use InvalidArgumentException;
use Override;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\ConflictHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* @implements ProcessorInterface<UserResource, UserResource>
*/
final readonly class InviteUserProcessor implements ProcessorInterface
{
public function __construct(
private InviteUserHandler $handler,
private TenantContext $tenantContext,
private MessageBusInterface $eventBus,
private AuthorizationCheckerInterface $authorizationChecker,
private Clock $clock,
) {
}
/**
* @param UserResource $data
*/
#[Override]
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): UserResource
{
if (!$this->authorizationChecker->isGranted(UserVoter::CREATE)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à créer un utilisateur.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
$tenantId = (string) $this->tenantContext->getCurrentTenantId();
$tenantConfig = $this->tenantContext->getCurrentTenantConfig();
try {
$command = new InviteUserCommand(
tenantId: $tenantId,
schoolName: $tenantConfig->subdomain,
email: $data->email ?? '',
role: $data->role ?? '',
firstName: $data->firstName ?? '',
lastName: $data->lastName ?? '',
);
$user = ($this->handler)($command);
foreach ($user->pullDomainEvents() as $event) {
$this->eventBus->dispatch($event);
}
return UserResource::fromDomain($user, $this->clock->now());
} catch (EmailInvalideException|InvalidArgumentException $e) {
throw new BadRequestHttpException($e->getMessage());
} catch (EmailDejaUtiliseeException $e) {
throw new ConflictHttpException($e->getMessage());
}
}
}

74
backend/src/Administration/Infrastructure/Api/Processor/ResendInvitationProcessor.php Normal file
View File

@@ -0,0 +1,74 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Processor;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Administration\Application\Command\ResendInvitation\ResendInvitationCommand;
use App\Administration\Application\Command\ResendInvitation\ResendInvitationHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurDejaInviteException;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantContext;
use Override;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* @implements ProcessorInterface<UserResource, UserResource>
*/
final readonly class ResendInvitationProcessor implements ProcessorInterface
{
public function __construct(
private ResendInvitationHandler $handler,
private MessageBusInterface $eventBus,
private AuthorizationCheckerInterface $authorizationChecker,
private TenantContext $tenantContext,
private Clock $clock,
) {
}
/**
* @param UserResource $data
*/
#[Override]
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): UserResource
{
if (!$this->authorizationChecker->isGranted(UserVoter::RESEND_INVITATION)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à renvoyer une invitation.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
/** @var string $userId */
$userId = $uriVariables['id'] ?? '';
try {
$command = new ResendInvitationCommand(
userId: $userId,
tenantId: (string) $this->tenantContext->getCurrentTenantId(),
);
$user = ($this->handler)($command);
foreach ($user->pullDomainEvents() as $event) {
$this->eventBus->dispatch($event);
}
return UserResource::fromDomain($user, $this->clock->now());
} catch (UserNotFoundException $e) {
throw new NotFoundHttpException($e->getMessage());
} catch (UtilisateurDejaInviteException $e) {
throw new BadRequestHttpException($e->getMessage());
}
}
}

74
backend/src/Administration/Infrastructure/Api/Processor/UnblockUserProcessor.php Normal file
View File

@@ -0,0 +1,74 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Processor;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Administration\Application\Command\UnblockUser\UnblockUserCommand;
use App\Administration\Application\Command\UnblockUser\UnblockUserHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurNonDeblocableException;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantContext;
use Override;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* @implements ProcessorInterface<UserResource, UserResource>
*/
final readonly class UnblockUserProcessor implements ProcessorInterface
{
public function __construct(
private UnblockUserHandler $handler,
private MessageBusInterface $eventBus,
private AuthorizationCheckerInterface $authorizationChecker,
private TenantContext $tenantContext,
private Clock $clock,
) {
}
/**
* @param UserResource $data
*/
#[Override]
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): UserResource
{
if (!$this->authorizationChecker->isGranted(UserVoter::UNBLOCK)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à débloquer un utilisateur.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
/** @var string $userId */
$userId = $uriVariables['id'] ?? '';
try {
$command = new UnblockUserCommand(
userId: $userId,
tenantId: (string) $this->tenantContext->getCurrentTenantId(),
);
$user = ($this->handler)($command);
foreach ($user->pullDomainEvents() as $event) {
$this->eventBus->dispatch($event);
}
return UserResource::fromDomain($user, $this->clock->now());
} catch (UserNotFoundException $e) {
throw new NotFoundHttpException($e->getMessage());
} catch (UtilisateurNonDeblocableException $e) {
throw new BadRequestHttpException($e->getMessage());
}
}
}

64
backend/src/Administration/Infrastructure/Api/Provider/UserCollectionProvider.php Normal file
View File

@@ -0,0 +1,64 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Provider;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProviderInterface;
use App\Administration\Application\Query\GetUsers\GetUsersHandler;
use App\Administration\Application\Query\GetUsers\GetUsersQuery;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Infrastructure\Tenant\TenantContext;
use function array_map;
use Override;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* State Provider pour récupérer la liste des utilisateurs avec filtres.
*
* @implements ProviderInterface<UserResource>
*/
final readonly class UserCollectionProvider implements ProviderInterface
{
public function __construct(
private GetUsersHandler $handler,
private TenantContext $tenantContext,
private AuthorizationCheckerInterface $authorizationChecker,
) {
}
/**
* @return UserResource[]
*/
#[Override]
public function provide(Operation $operation, array $uriVariables = [], array $context = []): array
{
if (!$this->authorizationChecker->isGranted(UserVoter::VIEW)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à voir les utilisateurs.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
$tenantId = (string) $this->tenantContext->getCurrentTenantId();
/** @var array<string, string> $filters */
$filters = $context['filters'] ?? [];
$query = new GetUsersQuery(
tenantId: $tenantId,
role: isset($filters['role']) ? (string) $filters['role'] : null,
statut: isset($filters['statut']) ? (string) $filters['statut'] : null,
);
$userDtos = ($this->handler)($query);
return array_map(UserResource::fromDto(...), $userDtos);
}
}

63
backend/src/Administration/Infrastructure/Api/Provider/UserItemProvider.php Normal file
View File

@@ -0,0 +1,63 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Provider;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProviderInterface;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use App\Administration\Infrastructure\Security\UserVoter;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantContext;
use Override;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
/**
* State Provider pour récupérer un utilisateur par ID.
*
* @implements ProviderInterface<UserResource>
*/
final readonly class UserItemProvider implements ProviderInterface
{
public function __construct(
private UserRepository $userRepository,
private AuthorizationCheckerInterface $authorizationChecker,
private TenantContext $tenantContext,
private Clock $clock,
) {
}
#[Override]
public function provide(Operation $operation, array $uriVariables = [], array $context = []): UserResource
{
if (!$this->authorizationChecker->isGranted(UserVoter::VIEW)) {
throw new AccessDeniedHttpException('Vous n\'êtes pas autorisé à voir cet utilisateur.');
}
if (!$this->tenantContext->hasTenant()) {
throw new UnauthorizedHttpException('Bearer', 'Tenant non défini.');
}
/** @var string $userId */
$userId = $uriVariables['id'] ?? '';
try {
$user = $this->userRepository->get(UserId::fromString($userId));
} catch (UserNotFoundException $e) {
throw new NotFoundHttpException($e->getMessage());
}
if (!$user->tenantId->equals($this->tenantContext->getCurrentTenantId())) {
throw new NotFoundHttpException('User not found.');
}
return UserResource::fromDomain($user, $this->clock->now());
}
}

142
backend/src/Administration/Infrastructure/Api/Resource/UserResource.php Normal file
View File

@@ -0,0 +1,142 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Resource;
use ApiPlatform\Metadata\ApiProperty;
use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Get;
use ApiPlatform\Metadata\GetCollection;
use ApiPlatform\Metadata\Post;
use App\Administration\Application\Query\GetUsers\UserDto;
use App\Administration\Domain\Model\User\User;
use App\Administration\Infrastructure\Api\Processor\BlockUserProcessor;
use App\Administration\Infrastructure\Api\Processor\InviteUserProcessor;
use App\Administration\Infrastructure\Api\Processor\ResendInvitationProcessor;
use App\Administration\Infrastructure\Api\Processor\UnblockUserProcessor;
use App\Administration\Infrastructure\Api\Provider\UserCollectionProvider;
use App\Administration\Infrastructure\Api\Provider\UserItemProvider;
use DateTimeImmutable;
use Symfony\Component\Validator\Constraints as Assert;
/**
* API Resource pour la gestion des utilisateurs.
*
* @see Story 2.5 - Création Comptes Utilisateurs
*/
#[ApiResource(
shortName: 'User',
operations: [
new GetCollection(
uriTemplate: '/users',
provider: UserCollectionProvider::class,
name: 'get_users',
),
new Get(
uriTemplate: '/users/{id}',
provider: UserItemProvider::class,
name: 'get_user',
),
new Post(
uriTemplate: '/users',
processor: InviteUserProcessor::class,
validationContext: ['groups' => ['Default', 'create']],
name: 'invite_user',
),
new Post(
uriTemplate: '/users/{id}/resend-invitation',
processor: ResendInvitationProcessor::class,
name: 'resend_invitation',
),
new Post(
uriTemplate: '/users/{id}/block',
processor: BlockUserProcessor::class,
validationContext: ['groups' => ['Default', 'block']],
name: 'block_user',
),
new Post(
uriTemplate: '/users/{id}/unblock',
processor: UnblockUserProcessor::class,
name: 'unblock_user',
),
],
)]
final class UserResource
{
#[ApiProperty(identifier: true)]
public ?string $id = null;
#[Assert\NotBlank(message: 'L\'email est requis.', groups: ['create'])]
#[Assert\Email(message: 'L\'email n\'est pas valide.')]
public ?string $email = null;
#[Assert\NotBlank(message: 'Le rôle est requis.', groups: ['create'])]
public ?string $role = null;
public ?string $roleLabel = null;
#[Assert\NotBlank(message: 'Le prénom est requis.', groups: ['create'])]
public ?string $firstName = null;
#[Assert\NotBlank(message: 'Le nom est requis.', groups: ['create'])]
public ?string $lastName = null;
public ?string $statut = null;
public ?DateTimeImmutable $createdAt = null;
public ?DateTimeImmutable $invitedAt = null;
public ?DateTimeImmutable $activatedAt = null;
public ?DateTimeImmutable $blockedAt = null;
public ?string $blockedReason = null;
#[ApiProperty(readable: true, writable: false)]
public ?bool $invitationExpiree = null;
#[Assert\NotBlank(message: 'La raison de blocage est requise.', groups: ['block'])]
public ?string $reason = null;
public static function fromDomain(User $user, ?DateTimeImmutable $now = null): self
{
$resource = new self();
$resource->id = (string) $user->id;
$resource->email = (string) $user->email;
$resource->role = $user->role->value;
$resource->roleLabel = $user->role->label();
$resource->firstName = $user->firstName;
$resource->lastName = $user->lastName;
$resource->statut = $user->statut->value;
$resource->createdAt = $user->createdAt;
$resource->invitedAt = $user->invitedAt;
$resource->activatedAt = $user->activatedAt;
$resource->blockedAt = $user->blockedAt;
$resource->blockedReason = $user->blockedReason;
$resource->invitationExpiree = $now !== null ? $user->estInvitationExpiree($now) : false;
return $resource;
}
public static function fromDto(UserDto $dto): self
{
$resource = new self();
$resource->id = $dto->id;
$resource->email = $dto->email;
$resource->role = $dto->role;
$resource->roleLabel = $dto->roleLabel;
$resource->firstName = $dto->firstName;
$resource->lastName = $dto->lastName;
$resource->statut = $dto->statut;
$resource->createdAt = $dto->createdAt;
$resource->invitedAt = $dto->invitedAt;
$resource->activatedAt = $dto->activatedAt;
$resource->blockedAt = $dto->blockedAt;
$resource->blockedReason = $dto->blockedReason;
$resource->invitationExpiree = $dto->invitationExpiree;
return $resource;
}
}

11
backend/src/Administration/Infrastructure/Console/CreateTestActivationTokenCommand.php
View File

@@ -147,14 +147,20 @@ final class CreateTestActivationTokenCommand extends Command
} }
$now = $this->clock->now(); $now = $this->clock->now();
$emailVO = new Email($email);
// Create user // Check if user already exists for this tenant
$user = $this->userRepository->findByEmail($emailVO, $tenantId);
if ($user !== null) {
$io->note(sprintf('User "%s" already exists, reusing existing account.', $email));
} else {
$dateNaissance = $isMinor $dateNaissance = $isMinor
? $now->modify('-13 years') // 13 ans = mineur ? $now->modify('-13 years') // 13 ans = mineur
: null; : null;
$user = User::creer( $user = User::creer(
email: new Email($email), email: $emailVO,
role: $role, role: $role,
tenantId: $tenantId, tenantId: $tenantId,
schoolName: $schoolName, schoolName: $schoolName,
@@ -163,6 +169,7 @@ final class CreateTestActivationTokenCommand extends Command
); );
$this->userRepository->save($user); $this->userRepository->save($user);
}
// Create activation token // Create activation token
$token = ActivationToken::generate( $token = ActivationToken::generate(

74
backend/src/Administration/Infrastructure/Messaging/SendInvitationEmailHandler.php Normal file
View File

@@ -0,0 +1,74 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Messaging;
use App\Administration\Domain\Event\UtilisateurInvite;
use App\Administration\Domain\Model\ActivationToken\ActivationToken;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\ActivationTokenRepository;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantUrlBuilder;
use Symfony\Component\Mailer\MailerInterface;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
use Symfony\Component\Mime\Email;
use Twig\Environment;
/**
* Sends an invitation email when a user is invited by an admin.
*
* Creates an activation token and emails the user with an activation link.
*/
#[AsMessageHandler(bus: 'event.bus')]
final readonly class SendInvitationEmailHandler
{
public function __construct(
private MailerInterface $mailer,
private Environment $twig,
private ActivationTokenRepository $tokenRepository,
private UserRepository $userRepository,
private TenantUrlBuilder $tenantUrlBuilder,
private Clock $clock,
private string $fromEmail = 'noreply@classeo.fr',
) {
}
public function __invoke(UtilisateurInvite $event): void
{
$user = $this->userRepository->get(UserId::fromString((string) $event->userId));
$token = ActivationToken::generate(
userId: (string) $event->userId,
email: $event->email,
tenantId: $event->tenantId,
role: $event->role,
schoolName: $user->schoolName,
createdAt: $this->clock->now(),
);
$this->tokenRepository->save($token);
$roleEnum = Role::tryFrom($event->role);
$roleLabel = $roleEnum?->label() ?? $event->role;
$activationUrl = $this->tenantUrlBuilder->build($event->tenantId, '/activate/' . $token->tokenValue);
$html = $this->twig->render('emails/invitation.html.twig', [
'firstName' => $event->firstName,
'lastName' => $event->lastName,
'role' => $roleLabel,
'activationUrl' => $activationUrl,
]);
$email = (new Email())
->from($this->fromEmail)
->to($event->email)
->subject('Invitation à rejoindre Classeo')
->html($html);
$this->mailer->send($email);
}
}

83
backend/src/Administration/Infrastructure/Messaging/SendResendInvitationEmailHandler.php Normal file
View File

@@ -0,0 +1,83 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Messaging;
use App\Administration\Domain\Event\InvitationRenvoyee;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Model\ActivationToken\ActivationToken;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\ActivationTokenRepository;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantUrlBuilder;
use Psr\Log\LoggerInterface;
use Symfony\Component\Mailer\MailerInterface;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
use Symfony\Component\Mime\Email;
use Twig\Environment;
/**
* Sends a new invitation email when an invitation is resent.
*
* Creates a fresh activation token and emails the user with a new activation link.
*/
#[AsMessageHandler(bus: 'event.bus')]
final readonly class SendResendInvitationEmailHandler
{
public function __construct(
private MailerInterface $mailer,
private Environment $twig,
private ActivationTokenRepository $tokenRepository,
private UserRepository $userRepository,
private TenantUrlBuilder $tenantUrlBuilder,
private Clock $clock,
private LoggerInterface $logger,
private string $fromEmail = 'noreply@classeo.fr',
) {
}
public function __invoke(InvitationRenvoyee $event): void
{
try {
$user = $this->userRepository->get(UserId::fromString((string) $event->userId));
} catch (UserNotFoundException $e) {
$this->logger->warning('User no longer exists when processing resend invitation event, skipping.', [
'userId' => (string) $event->userId,
'email' => $event->email,
'exception' => $e->getMessage(),
]);
return;
}
$token = ActivationToken::generate(
userId: (string) $event->userId,
email: $event->email,
tenantId: $event->tenantId,
role: $user->role->value,
schoolName: $user->schoolName,
createdAt: $this->clock->now(),
);
$this->tokenRepository->save($token);
$activationUrl = $this->tenantUrlBuilder->build($event->tenantId, '/activate/' . $token->tokenValue);
$html = $this->twig->render('emails/invitation.html.twig', [
'firstName' => $user->firstName,
'lastName' => $user->lastName,
'role' => $user->role->label(),
'activationUrl' => $activationUrl,
]);
$email = (new Email())
->from($this->fromEmail)
->to($event->email)
->subject('Rappel : Invitation à rejoindre Classeo')
->html($html);
$this->mailer->send($email);
}
}

59
backend/src/Administration/Infrastructure/Persistence/Cache/CacheUserRepository.php
View File

@@ -14,6 +14,9 @@ use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository; use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Tenant\TenantId; use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable; use DateTimeImmutable;
use function in_array;
use Psr\Cache\CacheItemPoolInterface; use Psr\Cache\CacheItemPoolInterface;
/** /**
@@ -27,6 +30,7 @@ final readonly class CacheUserRepository implements UserRepository
{ {
private const string KEY_PREFIX = 'user:'; private const string KEY_PREFIX = 'user:';
private const string EMAIL_INDEX_PREFIX = 'user_email:'; private const string EMAIL_INDEX_PREFIX = 'user_email:';
private const string TENANT_INDEX_PREFIX = 'user_tenant:';
public function __construct( public function __construct(
private CacheItemPoolInterface $usersCache, private CacheItemPoolInterface $usersCache,
@@ -45,6 +49,18 @@ final readonly class CacheUserRepository implements UserRepository
$emailItem = $this->usersCache->getItem($emailKey); $emailItem = $this->usersCache->getItem($emailKey);
$emailItem->set((string) $user->id); $emailItem->set((string) $user->id);
$this->usersCache->save($emailItem); $this->usersCache->save($emailItem);
// Save tenant index for listing users
$tenantKey = self::TENANT_INDEX_PREFIX . $user->tenantId;
$tenantItem = $this->usersCache->getItem($tenantKey);
/** @var string[] $userIds */
$userIds = $tenantItem->isHit() ? $tenantItem->get() : [];
$userId = (string) $user->id;
if (!in_array($userId, $userIds, true)) {
$userIds[] = $userId;
}
$tenantItem->set($userIds);
$this->usersCache->save($tenantItem);
} }
public function findById(UserId $id): ?User public function findById(UserId $id): ?User
@@ -55,7 +71,7 @@ final readonly class CacheUserRepository implements UserRepository
return null; return null;
} }
/** @var array{id: string, email: string, role: string, tenant_id: string, school_name: string, statut: string, hashed_password: string|null, date_naissance: string|null, created_at: string, activated_at: string|null, consentement_parental: array{parent_id: string, eleve_id: string, date_consentement: string, ip_address: string}|null} $data */ /** @var array{id: string, email: string, role: string, tenant_id: string, school_name: string, statut: string, hashed_password: string|null, date_naissance: string|null, created_at: string, activated_at: string|null, first_name?: string, last_name?: string, invited_at?: string|null, blocked_at?: string|null, blocked_reason?: string|null, consentement_parental: array{parent_id: string, eleve_id: string, date_consentement: string, ip_address: string}|null} $data */
$data = $item->get(); $data = $item->get();
return $this->deserialize($data); return $this->deserialize($data);
@@ -87,6 +103,29 @@ final readonly class CacheUserRepository implements UserRepository
return $user; return $user;
} }
public function findAllByTenant(TenantId $tenantId): array
{
$tenantKey = self::TENANT_INDEX_PREFIX . $tenantId;
$tenantItem = $this->usersCache->getItem($tenantKey);
if (!$tenantItem->isHit()) {
return [];
}
/** @var string[] $userIds */
$userIds = $tenantItem->get();
$users = [];
foreach ($userIds as $userId) {
$user = $this->findById(UserId::fromString($userId));
if ($user !== null) {
$users[] = $user;
}
}
return $users;
}
/** /**
* @return array<string, mixed> * @return array<string, mixed>
*/ */
@@ -105,6 +144,11 @@ final readonly class CacheUserRepository implements UserRepository
'date_naissance' => $user->dateNaissance?->format('Y-m-d'), 'date_naissance' => $user->dateNaissance?->format('Y-m-d'),
'created_at' => $user->createdAt->format('c'), 'created_at' => $user->createdAt->format('c'),
'activated_at' => $user->activatedAt?->format('c'), 'activated_at' => $user->activatedAt?->format('c'),
'first_name' => $user->firstName,
'last_name' => $user->lastName,
'invited_at' => $user->invitedAt?->format('c'),
'blocked_at' => $user->blockedAt?->format('c'),
'blocked_reason' => $user->blockedReason,
'consentement_parental' => $consentement !== null ? [ 'consentement_parental' => $consentement !== null ? [
'parent_id' => $consentement->parentId, 'parent_id' => $consentement->parentId,
'eleve_id' => $consentement->eleveId, 'eleve_id' => $consentement->eleveId,
@@ -126,6 +170,11 @@ final readonly class CacheUserRepository implements UserRepository
* date_naissance: string|null, * date_naissance: string|null,
* created_at: string, * created_at: string,
* activated_at: string|null, * activated_at: string|null,
* first_name?: string,
* last_name?: string,
* invited_at?: string|null,
* blocked_at?: string|null,
* blocked_reason?: string|null,
* consentement_parental: array{parent_id: string, eleve_id: string, date_consentement: string, ip_address: string}|null * consentement_parental: array{parent_id: string, eleve_id: string, date_consentement: string, ip_address: string}|null
* } $data * } $data
*/ */
@@ -142,6 +191,9 @@ final readonly class CacheUserRepository implements UserRepository
); );
} }
$invitedAt = ($data['invited_at'] ?? null) !== null ? new DateTimeImmutable($data['invited_at']) : null;
$blockedAt = ($data['blocked_at'] ?? null) !== null ? new DateTimeImmutable($data['blocked_at']) : null;
return User::reconstitute( return User::reconstitute(
id: UserId::fromString($data['id']), id: UserId::fromString($data['id']),
email: new Email($data['email']), email: new Email($data['email']),
@@ -154,6 +206,11 @@ final readonly class CacheUserRepository implements UserRepository
hashedPassword: $data['hashed_password'], hashedPassword: $data['hashed_password'],
activatedAt: $data['activated_at'] !== null ? new DateTimeImmutable($data['activated_at']) : null, activatedAt: $data['activated_at'] !== null ? new DateTimeImmutable($data['activated_at']) : null,
consentementParental: $consentement, consentementParental: $consentement,
firstName: $data['first_name'] ?? '',
lastName: $data['last_name'] ?? '',
invitedAt: $invitedAt,
blockedAt: $blockedAt,
blockedReason: $data['blocked_reason'] ?? null,
); );
} }

9
backend/src/Administration/Infrastructure/Persistence/InMemory/InMemoryUserRepository.php
View File

@@ -45,6 +45,15 @@ final class InMemoryUserRepository implements UserRepository
return $this->byTenantEmail[$this->emailKey($email, $tenantId)] ?? null; return $this->byTenantEmail[$this->emailKey($email, $tenantId)] ?? null;
} }
#[Override]
public function findAllByTenant(TenantId $tenantId): array
{
return array_values(array_filter(
$this->byId,
static fn (User $user): bool => $user->tenantId->equals($tenantId),
));
}
private function emailKey(Email $email, TenantId $tenantId): string private function emailKey(Email $email, TenantId $tenantId): string
{ {
return $tenantId . ':' . strtolower((string) $email); return $tenantId . ':' . strtolower((string) $email);

12
backend/src/Administration/Infrastructure/Security/DatabaseUserProvider.php
View File

@@ -6,12 +6,14 @@ namespace App\Administration\Infrastructure\Security;
use App\Administration\Domain\Exception\EmailInvalideException; use App\Administration\Domain\Exception\EmailInvalideException;
use App\Administration\Domain\Model\User\Email; use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Repository\UserRepository; use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Infrastructure\Tenant\TenantId; use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Infrastructure\Tenant\TenantNotFoundException; use App\Shared\Infrastructure\Tenant\TenantNotFoundException;
use App\Shared\Infrastructure\Tenant\TenantResolver; use App\Shared\Infrastructure\Tenant\TenantResolver;
use InvalidArgumentException; use InvalidArgumentException;
use Symfony\Component\HttpFoundation\RequestStack; use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Component\Security\Core\Exception\UserNotFoundException as SymfonyUserNotFoundException; use Symfony\Component\Security\Core\Exception\UserNotFoundException as SymfonyUserNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface; use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface; use Symfony\Component\Security\Core\User\UserProviderInterface;
@@ -55,7 +57,15 @@ final readonly class DatabaseUserProvider implements UserProviderInterface
throw new SymfonyUserNotFoundException(); throw new SymfonyUserNotFoundException();
} }
// Do not allow login if the account is not active // Blocked account: specific message so the user understands why they can't log in
if ($user->statut === StatutCompte::SUSPENDU) {
throw new CustomUserMessageAccountStatusException(
'Votre compte a été suspendu. Contactez votre établissement.',
messageData: ['statut' => 'suspended'],
);
}
// Other non-active statuses (pending, consent, archived): generic error
if (!$user->peutSeConnecter()) { if (!$user->peutSeConnecter()) {
throw new SymfonyUserNotFoundException(); throw new SymfonyUserNotFoundException();
} }

20
backend/src/Administration/Infrastructure/Security/LoginFailureHandler.php
View File

@@ -22,6 +22,7 @@ use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response; use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Messenger\MessageBusInterface; use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException; use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface; use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
use Throwable; use Throwable;
@@ -48,6 +49,15 @@ final readonly class LoginFailureHandler implements AuthenticationFailureHandler
public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
{ {
// Suspended account: return a specific message without recording a rate-limit failure.
// This prevents blocked users from triggering CAPTCHA/delay escalation
// while informing them clearly why they cannot log in.
if ($exception instanceof CustomUserMessageAccountStatusException) {
$this->metricsCollector->recordLoginFailure('account_suspended');
return $this->createSuspendedResponse($exception);
}
$content = json_decode($request->getContent(), true); $content = json_decode($request->getContent(), true);
$email = is_array($content) && isset($content['email']) && is_string($content['email']) $email = is_array($content) && isset($content['email']) && is_string($content['email'])
? $content['email'] ? $content['email']
@@ -92,6 +102,16 @@ final readonly class LoginFailureHandler implements AuthenticationFailureHandler
return $this->createFailureResponse($result); return $this->createFailureResponse($result);
} }
private function createSuspendedResponse(CustomUserMessageAccountStatusException $exception): JsonResponse
{
return new JsonResponse([
'type' => '/errors/account-suspended',
'title' => 'Compte suspendu',
'status' => Response::HTTP_FORBIDDEN,
'detail' => $exception->getMessageKey(),
], Response::HTTP_FORBIDDEN);
}
private function createBlockedResponse(LoginRateLimitResult $result): JsonResponse private function createBlockedResponse(LoginRateLimitResult $result): JsonResponse
{ {
$response = new JsonResponse([ $response = new JsonResponse([

111
backend/src/Administration/Infrastructure/Security/UserVoter.php Normal file
View File

@@ -0,0 +1,111 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Security;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Infrastructure\Api\Resource\UserResource;
use function in_array;
use Override;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Vote;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;
/**
* Voter pour les autorisations sur la gestion des utilisateurs.
*
* Seuls ADMIN et SUPER_ADMIN peuvent gérer les utilisateurs.
*
* @extends Voter<string, User|UserResource>
*/
final class UserVoter extends Voter
{
public const string VIEW = 'USER_VIEW';
public const string CREATE = 'USER_CREATE';
public const string BLOCK = 'USER_BLOCK';
public const string UNBLOCK = 'USER_UNBLOCK';
public const string RESEND_INVITATION = 'USER_RESEND_INVITATION';
private const array SUPPORTED_ATTRIBUTES = [
self::VIEW,
self::CREATE,
self::BLOCK,
self::UNBLOCK,
self::RESEND_INVITATION,
];
#[Override]
protected function supports(string $attribute, mixed $subject): bool
{
if (!in_array($attribute, self::SUPPORTED_ATTRIBUTES, true)) {
return false;
}
if ($subject === null) {
return true;
}
return $subject instanceof User || $subject instanceof UserResource;
}
#[Override]
protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool
{
$user = $token->getUser();
if (!$user instanceof UserInterface) {
return false;
}
$roles = $user->getRoles();
return match ($attribute) {
self::VIEW => $this->canView($roles),
self::CREATE, self::BLOCK, self::UNBLOCK, self::RESEND_INVITATION => $this->canManage($roles),
default => false,
};
}
/**
* @param string[] $roles
*/
private function canView(array $roles): bool
{
return $this->hasAnyRole($roles, [
Role::SUPER_ADMIN->value,
Role::ADMIN->value,
Role::SECRETARIAT->value,
]);
}
/**
* @param string[] $roles
*/
private function canManage(array $roles): bool
{
return $this->hasAnyRole($roles, [
Role::SUPER_ADMIN->value,
Role::ADMIN->value,
]);
}
/**
* @param string[] $userRoles
* @param string[] $allowedRoles
*/
private function hasAnyRole(array $userRoles, array $allowedRoles): bool
{
foreach ($userRoles as $role) {
if (in_array($role, $allowedRoles, true)) {
return true;
}
}
return false;
}
}

33
backend/src/Shared/Infrastructure/Tenant/TenantUrlBuilder.php Normal file
View File

@@ -0,0 +1,33 @@
<?php
declare(strict_types=1);
namespace App\Shared\Infrastructure\Tenant;
use App\Shared\Domain\Tenant\TenantId as DomainTenantId;
/**
* Builds tenant-aware URLs using the tenant subdomain and base domain.
*/
final readonly class TenantUrlBuilder
{
public function __construct(
private TenantRegistry $tenantRegistry,
private string $appUrl,
private string $baseDomain,
) {
}
public function build(DomainTenantId $tenantId, string $path): string
{
$tenantConfig = $this->tenantRegistry->getConfig(
TenantId::fromString((string) $tenantId),
);
$parsed = parse_url($this->appUrl);
$scheme = $parsed['scheme'] ?? 'https';
$port = isset($parsed['port']) ? ':' . $parsed['port'] : '';
return $scheme . '://' . $tenantConfig->subdomain . '.' . $this->baseDomain . $port . $path;
}
}

98
backend/templates/emails/invitation.html.twig Normal file
View File

@@ -0,0 +1,98 @@
<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Invitation - Classeo</title>
<style>
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
line-height: 1.6;
color: #333;
max-width: 600px;
margin: 0 auto;
padding: 20px;
}
.header {
text-align: center;
padding: 20px 0;
border-bottom: 2px solid #4f46e5;
}
.header h1 {
color: #4f46e5;
margin: 0;
font-size: 28px;
}
.content {
padding: 30px 0;
}
.info-box {
background-color: #f3f4f6;
border-radius: 8px;
padding: 20px;
margin: 20px 0;
}
.info-box p {
margin: 5px 0;
}
.button {
display: inline-block;
background-color: #4f46e5;
color: white;
text-decoration: none;
padding: 12px 24px;
border-radius: 6px;
font-weight: 500;
}
.button:hover {
background-color: #4338ca;
}
.footer {
text-align: center;
padding: 20px 0;
border-top: 1px solid #e5e7eb;
color: #6b7280;
font-size: 14px;
}
.warning {
background-color: #fef3c7;
border-left: 4px solid #f59e0b;
padding: 12px 16px;
margin: 20px 0;
border-radius: 0 8px 8px 0;
}
</style>
</head>
<body>
<div class="header">
<h1>Classeo</h1>
</div>
<div class="content">
<h2>Bienvenue sur Classeo !</h2>
<p>Bonjour {{ firstName }},</p>
<p>Vous avez été invité(e) à rejoindre Classeo en tant que <strong>{{ role }}</strong>.</p>
<div class="info-box">
<p>Cliquez sur le bouton ci-dessous pour activer votre compte et définir votre mot de passe.</p>
</div>
<p style="text-align: center; margin: 30px 0;">
<a href="{{ activationUrl }}" class="button">Activer mon compte</a>
</p>
<div class="warning">
<p><strong>Ce lien expire dans 7 jours.</strong></p>
<p>Si vous ne pouvez pas cliquer sur le bouton, copiez ce lien dans votre navigateur :</p>
<p style="word-break: break-all; font-size: 12px;">{{ activationUrl }}</p>
</div>
</div>
<div class="footer">
<p>Cet email a été envoyé automatiquement par Classeo.</p>
<p>Si vous n'attendiez pas cette invitation, vous pouvez ignorer cet email.</p>
</div>
</body>
</html>

114
backend/tests/Unit/Administration/Application/Command/BlockUser/BlockUserHandlerTest.php Normal file
View File

@@ -0,0 +1,114 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Command\BlockUser;
use App\Administration\Application\Command\BlockUser\BlockUserCommand;
use App\Administration\Application\Command\BlockUser\BlockUserHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurNonBlocableException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class BlockUserHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private InMemoryUserRepository $userRepository;
private Clock $clock;
private BlockUserHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-10 15:00:00');
}
};
$this->handler = new BlockUserHandler($this->userRepository, $this->clock);
}
#[Test]
public function blocksUserSuccessfully(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$this->userRepository->save($user);
$command = new BlockUserCommand(
userId: (string) $user->id,
reason: 'Comportement inapproprié',
);
($this->handler)($command);
$updated = $this->userRepository->get($user->id);
self::assertSame(StatutCompte::SUSPENDU, $updated->statut);
self::assertSame('Comportement inapproprié', $updated->blockedReason);
self::assertNotNull($updated->blockedAt);
}
#[Test]
public function throwsWhenUserAlreadySuspendu(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$user->bloquer('Première raison', new DateTimeImmutable('2026-02-08 10:00:00'));
$this->userRepository->save($user);
$this->expectException(UtilisateurNonBlocableException::class);
($this->handler)(new BlockUserCommand(
userId: (string) $user->id,
reason: 'Seconde raison',
));
}
#[Test]
public function throwsWhenUserNotFound(): void
{
$this->expectException(UserNotFoundException::class);
($this->handler)(new BlockUserCommand(
userId: (string) UserId::generate(),
reason: 'Raison',
));
}
}

109
backend/tests/Unit/Administration/Application/Command/InviteUser/InviteUserHandlerTest.php Normal file
View File

@@ -0,0 +1,109 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Command\InviteUser;
use App\Administration\Application\Command\InviteUser\InviteUserCommand;
use App\Administration\Application\Command\InviteUser\InviteUserHandler;
use App\Administration\Domain\Exception\EmailDejaUtiliseeException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class InviteUserHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private const string SCHOOL_NAME = 'École Alpha';
private InMemoryUserRepository $userRepository;
private Clock $clock;
private InviteUserHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-07 10:00:00');
}
};
$this->handler = new InviteUserHandler($this->userRepository, $this->clock);
}
#[Test]
public function invitesUserSuccessfully(): void
{
$command = new InviteUserCommand(
tenantId: self::TENANT_ID,
schoolName: self::SCHOOL_NAME,
email: 'teacher@example.com',
role: Role::PROF->value,
firstName: 'Jean',
lastName: 'Dupont',
);
$user = ($this->handler)($command);
self::assertSame(StatutCompte::EN_ATTENTE, $user->statut);
self::assertSame('Jean', $user->firstName);
self::assertSame('Dupont', $user->lastName);
self::assertSame('teacher@example.com', (string) $user->email);
self::assertNotNull($user->invitedAt);
}
#[Test]
public function throwsWhenEmailAlreadyUsedInTenant(): void
{
// Pre-populate with existing user
$existingUser = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
firstName: 'Existing',
lastName: 'User',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$this->userRepository->save($existingUser);
$command = new InviteUserCommand(
tenantId: self::TENANT_ID,
schoolName: self::SCHOOL_NAME,
email: 'teacher@example.com',
role: Role::PROF->value,
firstName: 'Jean',
lastName: 'Dupont',
);
$this->expectException(EmailDejaUtiliseeException::class);
($this->handler)($command);
}
#[Test]
public function savesUserToRepository(): void
{
$command = new InviteUserCommand(
tenantId: self::TENANT_ID,
schoolName: self::SCHOOL_NAME,
email: 'teacher@example.com',
role: Role::PROF->value,
firstName: 'Jean',
lastName: 'Dupont',
);
$user = ($this->handler)($command);
$found = $this->userRepository->get($user->id);
self::assertSame((string) $user->id, (string) $found->id);
}
}

96
backend/tests/Unit/Administration/Application/Command/ResendInvitation/ResendInvitationHandlerTest.php Normal file
View File

@@ -0,0 +1,96 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Command\ResendInvitation;
use App\Administration\Application\Command\ResendInvitation\ResendInvitationCommand;
use App\Administration\Application\Command\ResendInvitation\ResendInvitationHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurDejaInviteException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class ResendInvitationHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private InMemoryUserRepository $userRepository;
private Clock $clock;
private ResendInvitationHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-14 10:00:00');
}
};
$this->handler = new ResendInvitationHandler($this->userRepository, $this->clock);
}
#[Test]
public function resendsInvitationSuccessfully(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$this->userRepository->save($user);
$command = new ResendInvitationCommand(userId: (string) $user->id);
($this->handler)($command);
$updated = $this->userRepository->get($user->id);
self::assertEquals(new DateTimeImmutable('2026-02-14 10:00:00'), $updated->invitedAt);
}
#[Test]
public function throwsWhenUserIsActive(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$this->userRepository->save($user);
$this->expectException(UtilisateurDejaInviteException::class);
($this->handler)(new ResendInvitationCommand(userId: (string) $user->id));
}
#[Test]
public function throwsWhenUserNotFound(): void
{
$this->expectException(UserNotFoundException::class);
($this->handler)(new ResendInvitationCommand(userId: (string) UserId::generate()));
}
}

107
backend/tests/Unit/Administration/Application/Command/UnblockUser/UnblockUserHandlerTest.php Normal file
View File

@@ -0,0 +1,107 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Command\UnblockUser;
use App\Administration\Application\Command\UnblockUser\UnblockUserCommand;
use App\Administration\Application\Command\UnblockUser\UnblockUserHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurNonDeblocableException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class UnblockUserHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private InMemoryUserRepository $userRepository;
private Clock $clock;
private UnblockUserHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-12 10:00:00');
}
};
$this->handler = new UnblockUserHandler($this->userRepository, $this->clock);
}
#[Test]
public function unblocksUserSuccessfully(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$user->bloquer('Comportement inapproprié', new DateTimeImmutable('2026-02-10 15:00:00'));
$this->userRepository->save($user);
$command = new UnblockUserCommand(
userId: (string) $user->id,
);
($this->handler)($command);
$updated = $this->userRepository->get($user->id);
self::assertSame(StatutCompte::ACTIF, $updated->statut);
self::assertNull($updated->blockedAt);
self::assertNull($updated->blockedReason);
}
#[Test]
public function throwsWhenUserNotSuspendu(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$this->userRepository->save($user);
$this->expectException(UtilisateurNonDeblocableException::class);
($this->handler)(new UnblockUserCommand(userId: (string) $user->id));
}
#[Test]
public function throwsWhenUserNotFound(): void
{
$this->expectException(UserNotFoundException::class);
($this->handler)(new UnblockUserCommand(userId: (string) UserId::generate()));
}
}

174
backend/tests/Unit/Administration/Application/Query/GetUsers/GetUsersHandlerTest.php Normal file
View File

@@ -0,0 +1,174 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Query\GetUsers;
use App\Administration\Application\Query\GetUsers\GetUsersHandler;
use App\Administration\Application\Query\GetUsers\GetUsersQuery;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class GetUsersHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private const string OTHER_TENANT_ID = '550e8400-e29b-41d4-a716-446655440099';
private InMemoryUserRepository $userRepository;
private Clock $clock;
private GetUsersHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-07 10:00:00');
}
};
$this->handler = new GetUsersHandler($this->userRepository, $this->clock);
}
#[Test]
public function returnsAllUsersForTenant(): void
{
$this->seedUsers();
$query = new GetUsersQuery(tenantId: self::TENANT_ID);
$result = ($this->handler)($query);
self::assertCount(3, $result);
}
#[Test]
public function filtersUsersByRole(): void
{
$this->seedUsers();
$query = new GetUsersQuery(
tenantId: self::TENANT_ID,
role: Role::PROF->value,
);
$result = ($this->handler)($query);
self::assertCount(2, $result);
foreach ($result as $dto) {
self::assertSame(Role::PROF->value, $dto->role);
}
}
#[Test]
public function filtersUsersByStatut(): void
{
$this->seedUsers();
$query = new GetUsersQuery(
tenantId: self::TENANT_ID,
statut: 'pending',
);
$result = ($this->handler)($query);
self::assertCount(2, $result);
foreach ($result as $dto) {
self::assertSame('pending', $dto->statut);
}
}
#[Test]
public function excludesUsersFromOtherTenants(): void
{
$this->seedUsers();
// Add user to different tenant
$otherUser = User::inviter(
email: new Email('other@example.com'),
role: Role::ADMIN,
tenantId: TenantId::fromString(self::OTHER_TENANT_ID),
schoolName: 'Autre École',
firstName: 'Autre',
lastName: 'User',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$this->userRepository->save($otherUser);
$query = new GetUsersQuery(tenantId: self::TENANT_ID);
$result = ($this->handler)($query);
self::assertCount(3, $result);
}
#[Test]
public function calculatesInvitationExpiree(): void
{
// Invited 10 days ago — should be expired
$user = User::inviter(
email: new Email('old@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Old',
lastName: 'Invitation',
invitedAt: new DateTimeImmutable('2026-01-25 10:00:00'),
);
$this->userRepository->save($user);
$query = new GetUsersQuery(tenantId: self::TENANT_ID);
$result = ($this->handler)($query);
self::assertCount(1, $result);
self::assertTrue($result[0]->invitationExpiree);
}
private function seedUsers(): void
{
$tenantId = TenantId::fromString(self::TENANT_ID);
$teacher1 = User::inviter(
email: new Email('teacher1@example.com'),
role: Role::PROF,
tenantId: $tenantId,
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$this->userRepository->save($teacher1);
$teacher2 = User::inviter(
email: new Email('teacher2@example.com'),
role: Role::PROF,
tenantId: $tenantId,
schoolName: 'École Alpha',
firstName: 'Marie',
lastName: 'Martin',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
// Activate teacher2
$teacher2->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$this->userRepository->save($teacher2);
$parent = User::inviter(
email: new Email('parent@example.com'),
role: Role::PARENT,
tenantId: $tenantId,
schoolName: 'École Alpha',
firstName: 'Pierre',
lastName: 'Parent',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$this->userRepository->save($parent);
}
}

323
backend/tests/Unit/Administration/Domain/Model/User/UserInvitationTest.php Normal file
View File

@@ -0,0 +1,323 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Domain\Model\User;
use App\Administration\Domain\Event\InvitationRenvoyee;
use App\Administration\Domain\Event\UtilisateurBloque;
use App\Administration\Domain\Event\UtilisateurDebloque;
use App\Administration\Domain\Event\UtilisateurInvite;
use App\Administration\Domain\Exception\UtilisateurDejaInviteException;
use App\Administration\Domain\Exception\UtilisateurNonBlocableException;
use App\Administration\Domain\Exception\UtilisateurNonDeblocableException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class UserInvitationTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private const string SCHOOL_NAME = 'École Alpha';
private Clock $clock;
protected function setUp(): void
{
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-07 10:00:00');
}
};
}
#[Test]
public function inviterCreatesUserWithPendingStatusAndRecordsInvitedAt(): void
{
$invitedAt = new DateTimeImmutable('2026-02-07 10:00:00');
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: $invitedAt,
);
self::assertSame(StatutCompte::EN_ATTENTE, $user->statut);
self::assertSame('Jean', $user->firstName);
self::assertSame('Dupont', $user->lastName);
self::assertEquals($invitedAt, $user->invitedAt);
self::assertNull($user->hashedPassword);
self::assertNull($user->activatedAt);
self::assertNull($user->blockedAt);
self::assertNull($user->blockedReason);
}
#[Test]
public function inviterRecordsUtilisateurInviteEvent(): void
{
$user = $this->inviteUser();
$events = $user->pullDomainEvents();
self::assertCount(1, $events);
self::assertInstanceOf(UtilisateurInvite::class, $events[0]);
}
#[Test]
public function renvoyerInvitationUpdatesInvitedAtAndRecordsEvent(): void
{
$user = $this->inviteUser();
$user->pullDomainEvents();
$newInvitedAt = new DateTimeImmutable('2026-02-14 10:00:00');
$user->renvoyerInvitation($newInvitedAt);
self::assertEquals($newInvitedAt, $user->invitedAt);
$events = $user->pullDomainEvents();
self::assertCount(1, $events);
self::assertInstanceOf(InvitationRenvoyee::class, $events[0]);
}
#[Test]
public function renvoyerInvitationThrowsWhenUserIsActive(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$this->expectException(UtilisateurDejaInviteException::class);
$user->renvoyerInvitation(new DateTimeImmutable('2026-02-14 10:00:00'));
}
#[Test]
public function bloquerSetsStatusToSuspenduWithReasonAndDate(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$user->pullDomainEvents();
$blockedAt = new DateTimeImmutable('2026-02-10 15:00:00');
$user->bloquer('Comportement inapproprié', $blockedAt);
self::assertSame(StatutCompte::SUSPENDU, $user->statut);
self::assertEquals($blockedAt, $user->blockedAt);
self::assertSame('Comportement inapproprié', $user->blockedReason);
self::assertFalse($user->peutSeConnecter());
}
#[Test]
public function bloquerRecordsUtilisateurBloqueEvent(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$user->pullDomainEvents();
$user->bloquer('Raison de test', new DateTimeImmutable('2026-02-10 15:00:00'));
$events = $user->pullDomainEvents();
self::assertCount(1, $events);
self::assertInstanceOf(UtilisateurBloque::class, $events[0]);
}
#[Test]
public function bloquerThrowsWhenAlreadySuspendu(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$user->bloquer('Première raison', new DateTimeImmutable('2026-02-10 15:00:00'));
$this->expectException(UtilisateurNonBlocableException::class);
$user->bloquer('Seconde raison', new DateTimeImmutable('2026-02-11 15:00:00'));
}
#[Test]
public function bloquerThrowsWhenEnAttente(): void
{
$user = $this->inviteUser();
$this->expectException(UtilisateurNonBlocableException::class);
$user->bloquer('Raison de test', new DateTimeImmutable('2026-02-10 15:00:00'));
}
#[Test]
public function bloquerThrowsWhenConsentementRequis(): void
{
$user = User::reconstitute(
id: UserId::generate(),
email: new Email('minor@example.com'),
role: Role::ELEVE,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
statut: StatutCompte::CONSENTEMENT_REQUIS,
dateNaissance: new DateTimeImmutable('2015-01-01'),
createdAt: new DateTimeImmutable('2026-02-01 10:00:00'),
hashedPassword: null,
activatedAt: null,
consentementParental: null,
);
$this->expectException(UtilisateurNonBlocableException::class);
$user->bloquer('Raison de test', new DateTimeImmutable('2026-02-10 15:00:00'));
}
#[Test]
public function debloquerRestoresActiveStatusAndClearsBlockedInfo(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$user->bloquer('Raison de test', new DateTimeImmutable('2026-02-10 15:00:00'));
$user->pullDomainEvents();
$user->debloquer(new DateTimeImmutable('2026-02-12 10:00:00'));
self::assertSame(StatutCompte::ACTIF, $user->statut);
self::assertNull($user->blockedAt);
self::assertNull($user->blockedReason);
}
#[Test]
public function debloquerRecordsUtilisateurDebloqueEvent(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$user->bloquer('Raison de test', new DateTimeImmutable('2026-02-10 15:00:00'));
$user->pullDomainEvents();
$user->debloquer(new DateTimeImmutable('2026-02-12 10:00:00'));
$events = $user->pullDomainEvents();
self::assertCount(1, $events);
self::assertInstanceOf(UtilisateurDebloque::class, $events[0]);
}
#[Test]
public function debloquerThrowsWhenNotSuspendu(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$this->expectException(UtilisateurNonDeblocableException::class);
$user->debloquer(new DateTimeImmutable('2026-02-12 10:00:00'));
}
#[Test]
public function debloquerThrowsWhenEnAttente(): void
{
$user = $this->inviteUser();
$this->expectException(UtilisateurNonDeblocableException::class);
$user->debloquer(new DateTimeImmutable('2026-02-12 10:00:00'));
}
#[Test]
public function estInvitationExpireeReturnsTrueAfter7Days(): void
{
$invitedAt = new DateTimeImmutable('2026-01-30 10:00:00');
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: $invitedAt,
);
// 8 jours après
$checkAt = new DateTimeImmutable('2026-02-07 10:00:01');
self::assertTrue($user->estInvitationExpiree($checkAt));
}
#[Test]
public function estInvitationExpireeReturnsFalseWithin7Days(): void
{
$invitedAt = new DateTimeImmutable('2026-02-05 10:00:00');
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: $invitedAt,
);
// 2 jours après
$checkAt = new DateTimeImmutable('2026-02-07 10:00:00');
self::assertFalse($user->estInvitationExpiree($checkAt));
}
#[Test]
public function estInvitationExpireeReturnsFalseForActiveUser(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
// Même longtemps après, un utilisateur actif n'a pas d'invitation expirée
$checkAt = new DateTimeImmutable('2027-01-01 10:00:00');
self::assertFalse($user->estInvitationExpiree($checkAt));
}
private function inviteUser(): User
{
return User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-07 10:00:00'),
);
}
}

5
backend/tests/Unit/Administration/Infrastructure/Api/Processor/ActivateAccountProcessorTest.php
View File

@@ -172,6 +172,11 @@ final class ActivateAccountProcessorTest extends TestCase
{ {
throw UserNotFoundException::withId($id); throw UserNotFoundException::withId($id);
} }
public function findAllByTenant(TenantId $tenantId): array
{
return [];
}
}; };
$consentementPolicy = new ConsentementParentalPolicy($this->clock); $consentementPolicy = new ConsentementParentalPolicy($this->clock);

17
backend/tests/Unit/Administration/Infrastructure/Security/DatabaseUserProviderTest.php
View File

@@ -23,6 +23,7 @@ use PHPUnit\Framework\TestCase;
use stdClass; use stdClass;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack; use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Component\Security\Core\Exception\UserNotFoundException; use Symfony\Component\Security\Core\Exception\UserNotFoundException;
final class DatabaseUserProviderTest extends TestCase final class DatabaseUserProviderTest extends TestCase
@@ -83,6 +84,22 @@ final class DatabaseUserProviderTest extends TestCase
$provider->loadUserByIdentifier('user@example.com'); $provider->loadUserByIdentifier('user@example.com');
} }
#[Test]
public function loadUserByIdentifierThrowsAccountStatusExceptionForSuspendedUser(): void
{
$tenantId = TenantId::fromString(self::TENANT_ALPHA_ID);
$domainUser = $this->createUser($tenantId, StatutCompte::SUSPENDU, hashedPassword: '$argon2id$hash');
$repository = $this->createMock(UserRepository::class);
$repository->method('findByEmail')->willReturn($domainUser);
$provider = $this->createProvider($repository, 'ecole-alpha.classeo.local');
$this->expectException(CustomUserMessageAccountStatusException::class);
$provider->loadUserByIdentifier('user@example.com');
}
#[Test] #[Test]
public function loadUserByIdentifierThrowsForUnknownTenant(): void public function loadUserByIdentifierThrowsForUnknownTenant(): void
{ {

101
backend/tests/Unit/Administration/Infrastructure/Security/LoginFailureHandlerTest.php Normal file
View File

@@ -0,0 +1,101 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Infrastructure\Security;
use App\Administration\Infrastructure\Security\LoginFailureHandler;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Monitoring\MetricsCollector;
use App\Shared\Infrastructure\RateLimit\LoginRateLimiterInterface;
use App\Shared\Infrastructure\RateLimit\LoginRateLimitResult;
use App\Shared\Infrastructure\Tenant\TenantContext;
use App\Shared\Infrastructure\Tenant\TenantNotFoundException;
use App\Shared\Infrastructure\Tenant\TenantResolver;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
use Prometheus\CollectorRegistry;
use Prometheus\Storage\InMemory;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Messenger\Envelope;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
final class LoginFailureHandlerTest extends TestCase
{
private function createMetricsCollector(): MetricsCollector
{
return new MetricsCollector(
new CollectorRegistry(new InMemory()),
new TenantContext(),
);
}
#[Test]
public function suspendedAccountReturns403WithoutRateLimiting(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->expects(self::never())->method('recordFailure');
$eventBus = $this->createMock(MessageBusInterface::class);
$eventBus->expects(self::never())->method('dispatch');
$clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-07 10:00:00');
}
};
$tenantResolver = $this->createMock(TenantResolver::class);
$handler = new LoginFailureHandler($rateLimiter, $eventBus, $clock, $tenantResolver, $this->createMetricsCollector());
$request = Request::create('/api/login', 'POST', [], [], [], [], json_encode(['email' => 'blocked@example.com', 'password' => 'test']));
$exception = new CustomUserMessageAccountStatusException('Votre compte a été suspendu. Contactez votre établissement.');
$response = $handler->onAuthenticationFailure($request, $exception);
self::assertSame(403, $response->getStatusCode());
$data = json_decode($response->getContent(), true);
self::assertSame('/errors/account-suspended', $data['type']);
self::assertSame('Compte suspendu', $data['title']);
}
#[Test]
public function standardFailureReturns401WithRateLimiting(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->expects(self::once())
->method('recordFailure')
->willReturn(LoginRateLimitResult::allowed(1, 0, false));
$eventBus = $this->createMock(MessageBusInterface::class);
$eventBus->method('dispatch')->willReturnCallback(
static fn (object $message) => new Envelope($message),
);
$clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-07 10:00:00');
}
};
$tenantResolver = $this->createMock(TenantResolver::class);
$tenantResolver->method('resolve')->willThrowException(TenantNotFoundException::withSubdomain('unknown'));
$handler = new LoginFailureHandler($rateLimiter, $eventBus, $clock, $tenantResolver, $this->createMetricsCollector());
$request = Request::create('/api/login', 'POST', [], [], [], [], json_encode(['email' => 'user@example.com', 'password' => 'wrong']));
$exception = new AuthenticationException('Invalid credentials.');
$response = $handler->onAuthenticationFailure($request, $exception);
self::assertSame(401, $response->getStatusCode());
$data = json_decode($response->getContent(), true);
self::assertSame('/errors/authentication-failed', $data['type']);
}
}

134
backend/tests/Unit/Administration/Infrastructure/Security/UserVoterTest.php Normal file
View File

@@ -0,0 +1,134 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Infrastructure\Security;
use App\Administration\Infrastructure\Security\UserVoter;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\User\UserInterface;
final class UserVoterTest extends TestCase
{
private UserVoter $voter;
protected function setUp(): void
{
$this->voter = new UserVoter();
}
#[Test]
public function itAbstainsForUnrelatedAttributes(): void
{
$user = $this->createMock(UserInterface::class);
$user->method('getRoles')->willReturn(['ROLE_ADMIN']);
$token = $this->createMock(TokenInterface::class);
$token->method('getUser')->willReturn($user);
$result = $this->voter->vote($token, null, ['SOME_OTHER_ATTRIBUTE']);
self::assertSame(UserVoter::ACCESS_ABSTAIN, $result);
}
#[Test]
public function itDeniesAccessToUnauthenticatedUsers(): void
{
$token = $this->createMock(TokenInterface::class);
$token->method('getUser')->willReturn(null);
$result = $this->voter->vote($token, null, [UserVoter::VIEW]);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itGrantsViewToSuperAdmin(): void
{
$result = $this->voteWithRole('ROLE_SUPER_ADMIN', UserVoter::VIEW);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itGrantsViewToAdmin(): void
{
$result = $this->voteWithRole('ROLE_ADMIN', UserVoter::VIEW);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itGrantsViewToSecretariat(): void
{
$result = $this->voteWithRole('ROLE_SECRETARIAT', UserVoter::VIEW);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itDeniesViewToProf(): void
{
$result = $this->voteWithRole('ROLE_PROF', UserVoter::VIEW);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itDeniesViewToParent(): void
{
$result = $this->voteWithRole('ROLE_PARENT', UserVoter::VIEW);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itGrantsCreateToAdmin(): void
{
$result = $this->voteWithRole('ROLE_ADMIN', UserVoter::CREATE);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itDeniesCreateToSecretariat(): void
{
$result = $this->voteWithRole('ROLE_SECRETARIAT', UserVoter::CREATE);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itGrantsBlockToAdmin(): void
{
$result = $this->voteWithRole('ROLE_ADMIN', UserVoter::BLOCK);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itDeniesBlockToProf(): void
{
$result = $this->voteWithRole('ROLE_PROF', UserVoter::BLOCK);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itGrantsUnblockToAdmin(): void
{
$result = $this->voteWithRole('ROLE_ADMIN', UserVoter::UNBLOCK);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itDeniesUnblockToProf(): void
{
$result = $this->voteWithRole('ROLE_PROF', UserVoter::UNBLOCK);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
private function voteWithRole(string $role, string $attribute): int
{
$user = $this->createMock(UserInterface::class);
$user->method('getRoles')->willReturn([$role]);
$token = $this->createMock(TokenInterface::class);
$token->method('getUser')->willReturn($user);
return $this->voter->vote($token, null, [$attribute]);
}
}

146
frontend/e2e/user-blocking.spec.ts Normal file
View File

@@ -0,0 +1,146 @@
import { test, expect } from '@playwright/test';
import { execSync } from 'child_process';
import { join, dirname } from 'path';
import { fileURLToPath } from 'url';
const __filename = fileURLToPath(import.meta.url);
const __dirname = dirname(__filename);
const baseUrl = process.env.PLAYWRIGHT_BASE_URL || 'http://localhost:4173';
const urlMatch = baseUrl.match(/:(\d+)$/);
const PORT = urlMatch ? urlMatch[1] : '4173';
const ALPHA_URL = `http://ecole-alpha.classeo.local:${PORT}`;
const ADMIN_EMAIL = 'e2e-blocking-admin@example.com';
const ADMIN_PASSWORD = 'BlockingTest123';
const TARGET_EMAIL = 'e2e-blocking-target@example.com';
const TARGET_PASSWORD = 'TargetUser123';
test.describe('User Blocking', () => {
test.describe.configure({ mode: 'serial' });
test.beforeAll(async () => {
const projectRoot = join(__dirname, '../..');
const composeFile = join(projectRoot, 'compose.yaml');
// Create admin user
execSync(
`docker compose -f "${composeFile}" exec -T php php bin/console app:dev:create-test-user --tenant=ecole-alpha --email=${ADMIN_EMAIL} --password=${ADMIN_PASSWORD} --role=ROLE_ADMIN 2>&1`,
{ encoding: 'utf-8' }
);
// Create target user to be blocked
execSync(
`docker compose -f "${composeFile}" exec -T php php bin/console app:dev:create-test-user --tenant=ecole-alpha --email=${TARGET_EMAIL} --password=${TARGET_PASSWORD} --role=ROLE_PROF 2>&1`,
{ encoding: 'utf-8' }
);
});
async function loginAsAdmin(page: import('@playwright/test').Page) {
await page.goto(`${ALPHA_URL}/login`);
await page.locator('#email').fill(ADMIN_EMAIL);
await page.locator('#password').fill(ADMIN_PASSWORD);
await page.getByRole('button', { name: /se connecter/i }).click();
await expect(page).toHaveURL(/\/dashboard/, { timeout: 10000 });
}
test('admin can block a user and sees blocked status', async ({ page }) => {
await loginAsAdmin(page);
await page.goto(`${ALPHA_URL}/admin/users`);
// Wait for users table to load
await expect(page.locator('.users-table')).toBeVisible({ timeout: 10000 });
// Find the target user row
const targetRow = page.locator('tr', { has: page.locator(`text=${TARGET_EMAIL}`) });
await expect(targetRow).toBeVisible();
// Click "Bloquer" button
await targetRow.getByRole('button', { name: /bloquer/i }).click();
// Block modal should appear
await expect(page.locator('#block-modal-title')).toBeVisible();
// Fill in the reason
await page.locator('#block-reason').fill('Comportement inapproprié en E2E');
// Confirm the block
await page.getByRole('button', { name: /confirmer le blocage/i }).click();
// Wait for the success message
await expect(page.locator('.alert-success')).toBeVisible({ timeout: 5000 });
// Verify the user status changed to "Suspendu"
const updatedRow = page.locator('tr', { has: page.locator(`text=${TARGET_EMAIL}`) });
await expect(updatedRow.locator('.status-blocked')).toContainText('Suspendu');
// Verify the reason is displayed
await expect(updatedRow.locator('.blocked-reason')).toContainText('Comportement inapproprié en E2E');
});
test('admin can unblock a suspended user', async ({ page }) => {
await loginAsAdmin(page);
await page.goto(`${ALPHA_URL}/admin/users`);
await expect(page.locator('.users-table')).toBeVisible({ timeout: 10000 });
// Find the suspended target user row
const targetRow = page.locator('tr', { has: page.locator(`text=${TARGET_EMAIL}`) });
await expect(targetRow).toBeVisible();
// "Débloquer" button should be visible for suspended user
const unblockButton = targetRow.getByRole('button', { name: /débloquer/i });
await expect(unblockButton).toBeVisible();
// Click unblock
await unblockButton.click();
// Wait for the success message
await expect(page.locator('.alert-success')).toBeVisible({ timeout: 5000 });
// Verify the user status changed back to "Actif"
const updatedRow = page.locator('tr', { has: page.locator(`text=${TARGET_EMAIL}`) });
await expect(updatedRow.locator('.status-active')).toContainText('Actif');
});
test('blocked user sees specific error on login', async ({ page }) => {
// First, block the user again
await loginAsAdmin(page);
await page.goto(`${ALPHA_URL}/admin/users`);
await expect(page.locator('.users-table')).toBeVisible({ timeout: 10000 });
const targetRow = page.locator('tr', { has: page.locator(`text=${TARGET_EMAIL}`) });
await targetRow.getByRole('button', { name: /bloquer/i }).click();
await page.locator('#block-reason').fill('Bloqué pour test login');
await page.getByRole('button', { name: /confirmer le blocage/i }).click();
await expect(page.locator('.alert-success')).toBeVisible({ timeout: 5000 });
// Logout
await page.getByRole('button', { name: /déconnexion/i }).click();
// Try to log in as the blocked user
await page.goto(`${ALPHA_URL}/login`);
await page.locator('#email').fill(TARGET_EMAIL);
await page.locator('#password').fill(TARGET_PASSWORD);
await page.getByRole('button', { name: /se connecter/i }).click();
// Should see a suspended account error, not the generic credentials error
const errorBanner = page.locator('.error-banner.account-suspended');
await expect(errorBanner).toBeVisible({ timeout: 5000 });
await expect(errorBanner).toContainText(/suspendu|contactez/i);
});
test('admin cannot block themselves', async ({ page }) => {
await loginAsAdmin(page);
await page.goto(`${ALPHA_URL}/admin/users`);
await expect(page.locator('.users-table')).toBeVisible({ timeout: 10000 });
// Find the admin's own row
const adminRow = page.locator('tr', { has: page.locator(`text=${ADMIN_EMAIL}`) });
await expect(adminRow).toBeVisible();
// "Bloquer" button should NOT be present on the admin's own row
await expect(adminRow.getByRole('button', { name: /^bloquer$/i })).not.toBeVisible();
});
});

3
frontend/eslint.config.js
View File

@@ -79,7 +79,8 @@ export default tseslint.config(
fetch: 'readonly', fetch: 'readonly',
HTMLDivElement: 'readonly', HTMLDivElement: 'readonly',
setInterval: 'readonly', setInterval: 'readonly',
clearInterval: 'readonly' clearInterval: 'readonly',
URLSearchParams: 'readonly'
} }
}, },
plugins: { plugins: {

20
frontend/src/lib/auth/auth.svelte.ts
View File

@@ -45,9 +45,10 @@ function parseJwtPayload(token: string): Record<string, unknown> | null {
function extractUserId(token: string): string | null { function extractUserId(token: string): string | null {
const payload = parseJwtPayload(token); const payload = parseJwtPayload(token);
if (!payload) return null; if (!payload) return null;
// JWT 'sub' claim contains the user ID // JWT 'user_id' claim contains the UUID (set by JwtPayloadEnricher)
const sub = payload['sub']; // Note: 'sub' contains the email (Lexik default), not the UUID
return typeof sub === 'string' ? sub : null; const userId = payload['user_id'];
return typeof userId === 'string' ? userId : null;
} }
export interface LoginCredentials { export interface LoginCredentials {
@@ -59,7 +60,7 @@ export interface LoginCredentials {
export interface LoginResult { export interface LoginResult {
success: boolean; success: boolean;
error?: { error?: {
type: 'invalid_credentials' | 'rate_limited' | 'captcha_required' | 'captcha_invalid' | 'unknown'; type: 'invalid_credentials' | 'rate_limited' | 'captcha_required' | 'captcha_invalid' | 'account_suspended' | 'unknown';
message: string; message: string;
retryAfter?: number | undefined; retryAfter?: number | undefined;
delay?: number | undefined; delay?: number | undefined;
@@ -132,6 +133,17 @@ export async function login(credentials: LoginCredentials): Promise<LoginResult>
}; };
} }
// Compte suspendu (403)
if (response.status === 403 && error.type === '/errors/account-suspended') {
return {
success: false,
error: {
type: 'account_suspended',
message: error.detail,
},
};
}
// CAPTCHA invalide (400) // CAPTCHA invalide (400)
if (response.status === 400 && error.type === '/errors/captcha-invalid') { if (response.status === 400 && error.type === '/errors/captcha-invalid') {
return { return {

1
frontend/src/lib/auth/index.ts
View File

@@ -5,6 +5,7 @@ export {
authenticatedFetch, authenticatedFetch,
isAuthenticated, isAuthenticated,
getAccessToken, getAccessToken,
getCurrentUserId,
type LoginCredentials, type LoginCredentials,
type LoginResult, type LoginResult,
} from './auth.svelte'; } from './auth.svelte';

6
frontend/src/lib/components/organisms/Dashboard/DashboardAdmin.svelte
View File

@@ -26,11 +26,11 @@
<div class="quick-actions"> <div class="quick-actions">
<h2 class="sr-only">Actions de configuration</h2> <h2 class="sr-only">Actions de configuration</h2>
<div class="action-cards"> <div class="action-cards">
<div class="action-card disabled" aria-disabled="true"> <a class="action-card" href="/admin/users">
<span class="action-icon">👥</span> <span class="action-icon">👥</span>
<span class="action-label">Gérer les utilisateurs</span> <span class="action-label">Gérer les utilisateurs</span>
<span class="action-hint">Bientôt disponible</span> <span class="action-hint">Inviter et gérer</span>
</div> </a>
<a class="action-card" href="/admin/classes"> <a class="action-card" href="/admin/classes">
<span class="action-icon">🏫</span> <span class="action-icon">🏫</span>
<span class="action-label">Configurer les classes</span> <span class="action-label">Configurer les classes</span>

2
frontend/src/routes/admin/+layout.svelte
View File

@@ -24,6 +24,7 @@
} }
// Determine which admin section is active // Determine which admin section is active
const isUsersActive = $derived(page.url.pathname.startsWith('/admin/users'));
const isClassesActive = $derived(page.url.pathname.startsWith('/admin/classes')); const isClassesActive = $derived(page.url.pathname.startsWith('/admin/classes'));
const isSubjectsActive = $derived(page.url.pathname.startsWith('/admin/subjects')); const isSubjectsActive = $derived(page.url.pathname.startsWith('/admin/subjects'));
const isPeriodsActive = $derived(page.url.pathname.startsWith('/admin/academic-year/periods')); const isPeriodsActive = $derived(page.url.pathname.startsWith('/admin/academic-year/periods'));
@@ -38,6 +39,7 @@
</button> </button>
<nav class="header-nav"> <nav class="header-nav">
<a href="/dashboard" class="nav-link">Tableau de bord</a> <a href="/dashboard" class="nav-link">Tableau de bord</a>
<a href="/admin/users" class="nav-link" class:active={isUsersActive}>Utilisateurs</a>
<a href="/admin/classes" class="nav-link" class:active={isClassesActive}>Classes</a> <a href="/admin/classes" class="nav-link" class:active={isClassesActive}>Classes</a>
<a href="/admin/subjects" class="nav-link" class:active={isSubjectsActive}>Matières</a> <a href="/admin/subjects" class="nav-link" class:active={isSubjectsActive}>Matières</a>
<a href="/admin/academic-year/periods" class="nav-link" class:active={isPeriodsActive}>Périodes</a> <a href="/admin/academic-year/periods" class="nav-link" class:active={isPeriodsActive}>Périodes</a>

1214
frontend/src/routes/admin/users/+page.svelte Normal file
View File

File diff suppressed because it is too large Load Diff

17
frontend/src/routes/login/+page.svelte
View File

@@ -104,7 +104,7 @@
try { try {
const result: LoginResult = await login({ const result: LoginResult = await login({
email, email: email.trim(),
password, password,
captcha_token: captchaToken ?? undefined captcha_token: captchaToken ?? undefined
}); });
@@ -188,7 +188,7 @@
<h1>Connexion</h1> <h1>Connexion</h1>
{#if error} {#if error}
<div class="error-banner" class:rate-limited={isRateLimited}> <div class="error-banner" class:rate-limited={isRateLimited} class:account-suspended={error.type === 'account_suspended'}>
{#if isRateLimited} {#if isRateLimited}
<span class="error-icon">🔒</span> <span class="error-icon">🔒</span>
<div class="error-content"> <div class="error-content">
@@ -197,6 +197,11 @@
Réessayez dans <strong>{formatCountdown(retryAfterSeconds)}</strong> Réessayez dans <strong>{formatCountdown(retryAfterSeconds)}</strong>
</span> </span>
</div> </div>
{:else if error.type === 'account_suspended'}
<span class="error-icon">🚫</span>
<div class="error-content">
<span class="error-message">{error.message}</span>
</div>
{:else} {:else}
<span class="error-icon"></span> <span class="error-icon"></span>
<span class="error-message">{error.message}</span> <span class="error-message">{error.message}</span>
@@ -208,6 +213,7 @@
<div class="form-group"> <div class="form-group">
<label for="email">Adresse email</label> <label for="email">Adresse email</label>
<div class="input-wrapper"> <div class="input-wrapper">
<!-- svelte-ignore a11y_autofocus -->
<input <input
id="email" id="email"
type="email" type="email"
@@ -216,6 +222,7 @@
bind:value={email} bind:value={email}
disabled={isSubmitting || isRateLimited || isDelayed} disabled={isSubmitting || isRateLimited || isDelayed}
autocomplete="email" autocomplete="email"
autofocus
/> />
</div> </div>
</div> </div>
@@ -393,6 +400,12 @@
color: hsl(38, 92%, 30%); color: hsl(38, 92%, 30%);
} }
.error-banner.account-suspended {
background: linear-gradient(135deg, hsl(220, 30%, 95%) 0%, hsl(220, 30%, 97%) 100%);
border-color: hsl(220, 30%, 80%);
color: hsl(220, 30%, 30%);
}
.error-icon { .error-icon {
flex-shrink: 0; flex-shrink: 0;
font-size: 18px; font-size: 18px;