Roukmoute/Classeo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Gestion des sessions utilisateur

Browse Source 
Permet aux utilisateurs de visualiser et gérer leurs sessions actives
sur différents appareils, avec la possibilité de révoquer des sessions
à distance en cas de suspicion d'activité non autorisée.

Fonctionnalités :
- Liste des sessions actives avec métadonnées (appareil, navigateur, localisation)
- Identification de la session courante
- Révocation individuelle d'une session
- Révocation de toutes les autres sessions
- Déconnexion avec nettoyage des cookies sur les deux chemins (legacy et actuel)

Sécurité :
- Cache frontend scopé par utilisateur pour éviter les fuites entre comptes
- Validation que le refresh token appartient à l'utilisateur JWT authentifié
- TTL des sessions Redis aligné sur l'expiration du refresh token
- Événements d'audit pour traçabilité (SessionInvalidee, ToutesSessionsInvalidees)

@see Story 1.6 - Gestion des sessions
This commit is contained in:
Mathias STRASSER
2026-02-03 10:10:40 +01:00
parent affad287f9
commit b823479658
40 changed files with 4222 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
backend/.env.test
View File

@@ -2,3 +2,6 @@
APP_ENV=test
KERNEL_CLASS='App\Kernel'
APP_SECRET='$ecretf0rt3st'
# Tenant configuration
TENANT_BASE_DOMAIN=classeo.local

13
backend/config/packages/cache.yaml
View File

@@ -29,6 +29,11 @@ framework:
adapter: cache.adapter.filesystem
default_lifetime: 900 # 15 minutes
# Pool dédié aux sessions (7 jours TTL max)
sessions.cache:
adapter: cache.adapter.filesystem
default_lifetime: 604800 # 7 jours
# Test environment uses Redis to avoid filesystem cache timing issues in E2E tests
# (CLI creates tokens, FrankenPHP must see them immediately)
when@test:
@@ -55,6 +60,10 @@ when@test:
adapter: cache.adapter.redis
provider: '%env(REDIS_URL)%'
default_lifetime: 900
sessions.cache:
adapter: cache.adapter.redis
provider: '%env(REDIS_URL)%'
default_lifetime: 604800
when@prod:
framework:
@@ -84,3 +93,7 @@ when@prod:
adapter: cache.adapter.redis
provider: '%env(REDIS_URL)%'
default_lifetime: 900 # 15 minutes
sessions.cache:
adapter: cache.adapter.redis
provider: '%env(REDIS_URL)%'
default_lifetime: 604800 # 7 jours

10
backend/config/services.yaml
View File

@@ -21,6 +21,8 @@ services:
Psr\Cache\CacheItemPoolInterface $refreshTokensCache: '@refresh_tokens.cache'
# Bind password reset tokens cache pool (1-hour TTL)
Psr\Cache\CacheItemPoolInterface $passwordResetTokensCache: '@password_reset_tokens.cache'
# Bind sessions cache pool (7-day TTL)
Psr\Cache\CacheItemPoolInterface $sessionsCache: '@sessions.cache'
# Bind named message buses
Symfony\Component\Messenger\MessageBusInterface $eventBus: '@event.bus'
Symfony\Component\Messenger\MessageBusInterface $commandBus: '@command.bus'
@@ -112,6 +114,14 @@ services:
App\Administration\Domain\Repository\PasswordResetTokenRepository:
alias: App\Administration\Infrastructure\Persistence\Redis\RedisPasswordResetTokenRepository
# Session Repository
App\Administration\Domain\Repository\SessionRepository:
alias: App\Administration\Infrastructure\Persistence\Redis\RedisSessionRepository
# GeoLocation Service (null implementation - no geolocation)
App\Administration\Application\Port\GeoLocationService:
alias: App\Administration\Infrastructure\Service\NullGeoLocationService
# Password Reset Processor with rate limiters
App\Administration\Infrastructure\Api\Processor\RequestPasswordResetProcessor:
arguments:

32
backend/src/Administration/Application/Port/GeoLocationService.php Normal file
View File

@@ -0,0 +1,32 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Port;
use App\Administration\Domain\Model\Session\Location;
/**
* Port interface for IP geolocation operations.
*
* This abstracts the geolocation mechanism, allowing the Application
* layer to remain independent of the specific implementation
* (e.g., MaxMind GeoLite2, IP-API, etc.).
*
* Current implementation: NullGeoLocationService (stores IP without resolution).
* Future implementation: MaxMindGeoLocationService using GeoLite2-City database
* for country/city resolution. This will be implemented when the feature is
* prioritized (requires GeoLite2 license and periodic database updates).
*
* @see Story 1.6 - Gestion des sessions
*/
interface GeoLocationService
{
/**
* Locate an IP address.
*
* Returns Location with country and city if available,
* or Location::unknown() if geolocation fails.
*/
public function locate(string $ipAddress): Location;
}

39
backend/src/Administration/Domain/Event/Deconnexion.php Normal file
View File

@@ -0,0 +1,39 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Ramsey\Uuid\Uuid;
use Ramsey\Uuid\UuidInterface;
/**
* Événement émis lors d'une déconnexion volontaire.
*
* @see Story 1.6 - Gestion des sessions
*/
final readonly class Deconnexion implements DomainEvent
{
public function __construct(
public string $userId,
public string $familyId,
public TenantId $tenantId,
public string $ipAddress,
public string $userAgent,
public DateTimeImmutable $occurredOn,
) {
}
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
public function aggregateId(): UuidInterface
{
return Uuid::fromString($this->userId);
}
}

39
backend/src/Administration/Domain/Event/SessionInvalidee.php Normal file
View File

@@ -0,0 +1,39 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Ramsey\Uuid\Uuid;
use Ramsey\Uuid\UuidInterface;
/**
* Événement émis lorsqu'une session est invalidée.
*
* @see Story 1.6 - Gestion des sessions
*/
final readonly class SessionInvalidee implements DomainEvent
{
public function __construct(
public string $userId,
public string $familyId,
public TenantId $tenantId,
public string $ipAddress,
public string $userAgent,
public DateTimeImmutable $occurredOn,
) {
}
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
public function aggregateId(): UuidInterface
{
return Uuid::fromString($this->userId);
}
}

43
backend/src/Administration/Domain/Event/ToutesSessionsInvalidees.php Normal file
View File

@@ -0,0 +1,43 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Ramsey\Uuid\Uuid;
use Ramsey\Uuid\UuidInterface;
/**
* Événement émis lorsque toutes les sessions (sauf courante) sont invalidées.
*
* @see Story 1.6 - Gestion des sessions
*/
final readonly class ToutesSessionsInvalidees implements DomainEvent
{
/**
* @param list<string> $invalidatedFamilyIds Les IDs des familles de tokens invalidées
*/
public function __construct(
public string $userId,
public array $invalidatedFamilyIds,
public string $exceptFamilyId,
public TenantId $tenantId,
public string $ipAddress,
public string $userAgent,
public DateTimeImmutable $occurredOn,
) {
}
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
public function aggregateId(): UuidInterface
{
return Uuid::fromString($this->userId);
}
}

23
backend/src/Administration/Domain/Exception/SessionNotFoundException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
use RuntimeException;
use function sprintf;
/**
* Exception levée lorsqu'une session n'est pas trouvée.
*
* @see Story 1.6 - Gestion des sessions
*/
final class SessionNotFoundException extends RuntimeException
{
public function __construct(TokenFamilyId $familyId)
{
parent::__construct(sprintf('Session with family ID "%s" not found.', $familyId));
}
}

171
backend/src/Administration/Domain/Model/Session/DeviceInfo.php Normal file
View File

@@ -0,0 +1,171 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Model\Session;
/**
* Informations sur l'appareil/navigateur de la session.
*
* Parse le User-Agent pour extraire des informations lisibles :
* - device : Desktop, Mobile, Tablet
* - browser : Chrome 120, Firefox 121, Safari 17...
* - os : Windows 10, macOS 10.15, iOS 17.2, Android 14...
*
* Le rawUserAgent est conservé pour le fingerprinting.
*
* @see Story 1.6 - Gestion des sessions
*/
final readonly class DeviceInfo
{
private function __construct(
public string $device,
public string $browser,
public string $os,
public string $rawUserAgent,
) {
}
/**
* Parse un User-Agent pour extraire les informations de l'appareil.
*/
public static function fromUserAgent(string $userAgent): self
{
if ($userAgent === '') {
return new self(
device: 'Inconnu',
browser: 'Inconnu',
os: 'Inconnu',
rawUserAgent: '',
);
}
$device = self::parseDevice($userAgent);
$browser = self::parseBrowser($userAgent);
$os = self::parseOs($userAgent);
return new self(
device: $device,
browser: $browser,
os: $os,
rawUserAgent: $userAgent,
);
}
/**
* Reconstitue les informations depuis le stockage.
*
* @internal Pour usage Infrastructure uniquement
*/
public static function reconstitute(
string $device,
string $browser,
string $os,
string $rawUserAgent,
): self {
return new self($device, $browser, $os, $rawUserAgent);
}
/**
* Indique si l'appareil est mobile (phone ou tablet).
*/
public function isMobile(): bool
{
return $this->device === 'Mobile' || $this->device === 'Tablet';
}
private static function parseDevice(string $userAgent): string
{
$ua = strtolower($userAgent);
if (str_contains($ua, 'ipad')) {
return 'Tablet';
}
if (str_contains($ua, 'mobile') || str_contains($ua, 'iphone') || str_contains($ua, 'android')) {
if (str_contains($ua, 'tablet')) {
return 'Tablet';
}
return 'Mobile';
}
if (str_contains($ua, 'windows') || str_contains($ua, 'macintosh') || str_contains($ua, 'linux')) {
return 'Desktop';
}
return 'Inconnu';
}
private static function parseBrowser(string $userAgent): string
{
// Edge doit être testé avant Chrome car Edge contient "Chrome"
if (preg_match('/Edg(?:e|A|iOS)?\/(\d+)/', $userAgent, $matches)) {
return "Edge {$matches[1]}";
}
if (preg_match('/Chrome\/(\d+)/', $userAgent, $matches)) {
return "Chrome {$matches[1]}";
}
if (preg_match('/Firefox\/(\d+)/', $userAgent, $matches)) {
return "Firefox {$matches[1]}";
}
// Safari: chercher Version/ pour la version affichée
if (preg_match('/Version\/(\d+)/', $userAgent, $matches) && str_contains($userAgent, 'Safari')) {
return "Safari {$matches[1]}";
}
return 'Inconnu';
}
private static function parseOs(string $userAgent): string
{
// Windows
if (preg_match('/Windows NT (\d+\.\d+)/', $userAgent, $matches)) {
$version = match ($matches[1]) {
'10.0' => '10',
'6.3' => '8.1',
'6.2' => '8',
'6.1' => '7',
default => $matches[1],
};
return "Windows {$version}";
}
// macOS
if (preg_match('/Mac OS X (\d+[._]\d+)/', $userAgent, $matches)) {
$version = str_replace('_', '.', $matches[1]);
return "macOS {$version}";
}
// iPadOS
if (preg_match('/iPad.*OS (\d+[._]\d+)/', $userAgent, $matches)) {
$version = str_replace('_', '.', $matches[1]);
return "iPadOS {$version}";
}
// iOS
if (preg_match('/iPhone.*OS (\d+[._]\d+)/', $userAgent, $matches)) {
$version = str_replace('_', '.', $matches[1]);
return "iOS {$version}";
}
// Android
if (preg_match('/Android (\d+)/', $userAgent, $matches)) {
return "Android {$matches[1]}";
}
// Linux (générique)
if (str_contains($userAgent, 'Linux')) {
return 'Linux';
}
return 'Inconnu';
}
}

78
backend/src/Administration/Domain/Model/Session/Location.php Normal file
View File

@@ -0,0 +1,78 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Model\Session;
/**
* Localisation approximative basée sur l'adresse IP.
*
* Utilisé pour afficher "France, Paris" dans la liste des sessions.
* La précision dépend du service de géolocalisation.
*
* @see Story 1.6 - Gestion des sessions
*/
final readonly class Location
{
private function __construct(
public ?string $ip,
public ?string $country,
public ?string $city,
) {
}
/**
* Crée une localisation à partir d'une IP et des données de géolocalisation.
*/
public static function fromIp(string $ip, ?string $country, ?string $city): self
{
return new self(
ip: $ip,
country: $country,
city: $city,
);
}
/**
* Crée une localisation inconnue (quand la géolocalisation échoue).
*/
public static function unknown(): self
{
return new self(
ip: null,
country: null,
city: null,
);
}
/**
* Reconstitue une localisation depuis le stockage.
*
* @internal Pour usage Infrastructure uniquement
*/
public static function reconstitute(
?string $ip,
?string $country,
?string $city,
): self {
return new self($ip, $country, $city);
}
/**
* Formate la localisation pour affichage.
*
* @return string "France, Paris" ou "France" ou "Inconnu"
*/
public function format(): string
{
if ($this->country !== null && $this->city !== null) {
return "{$this->country}, {$this->city}";
}
if ($this->country !== null) {
return $this->country;
}
return 'Inconnu';
}
}

128
backend/src/Administration/Domain/Model/Session/Session.php Normal file
View File

@@ -0,0 +1,128 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Model\Session;
use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
/**
* Représente une session utilisateur active.
*
* Une session est identifiée par son familyId (lié aux token families).
* Elle stocke les métadonnées lisibles par l'utilisateur :
* - Appareil/navigateur (DeviceInfo)
* - Localisation approximative (Location)
* - Dates de création et dernière activité
*
* Invariants :
* - Une session appartient à un seul utilisateur et tenant
* - Le familyId est immutable (identifie la session)
* - lastActivityAt >= createdAt
*
* Note sur les méthodes statiques :
* Cette classe utilise des factory methods (create(), reconstitute()) suivant les
* patterns DDD standards pour la création d'Aggregates. Bien que le projet suive
* les principes "No Static" d'Elegant Objects, les factory methods pour Aggregates
* sont une exception documentée car elles encapsulent la logique d'instanciation
* et gardent le constructeur privé, préservant ainsi les invariants du domaine.
*
* @see Story 1.6 - Gestion des sessions
*/
final readonly class Session
{
private function __construct(
public TokenFamilyId $familyId,
public UserId $userId,
public TenantId $tenantId,
public DeviceInfo $deviceInfo,
public Location $location,
public DateTimeImmutable $createdAt,
public DateTimeImmutable $lastActivityAt,
) {
}
/**
* Crée une nouvelle session lors de la connexion.
*/
public static function create(
TokenFamilyId $familyId,
UserId $userId,
TenantId $tenantId,
DeviceInfo $deviceInfo,
Location $location,
DateTimeImmutable $createdAt,
): self {
return new self(
familyId: $familyId,
userId: $userId,
tenantId: $tenantId,
deviceInfo: $deviceInfo,
location: $location,
createdAt: $createdAt,
lastActivityAt: $createdAt,
);
}
/**
* Met à jour le timestamp de dernière activité.
*
* Appelé lors du refresh de token pour maintenir la session active.
*/
public function updateActivity(DateTimeImmutable $at): self
{
return new self(
familyId: $this->familyId,
userId: $this->userId,
tenantId: $this->tenantId,
deviceInfo: $this->deviceInfo,
location: $this->location,
createdAt: $this->createdAt,
lastActivityAt: $at,
);
}
/**
* Vérifie si cette session correspond à la session courante.
*/
public function isCurrent(TokenFamilyId $currentFamilyId): bool
{
return $this->familyId->equals($currentFamilyId);
}
/**
* Vérifie si cette session appartient à l'utilisateur donné.
*/
public function belongsToUser(UserId $userId): bool
{
return $this->userId->equals($userId);
}
/**
* Reconstitue une session depuis le stockage.
*
* @internal Pour usage Infrastructure uniquement
*/
public static function reconstitute(
TokenFamilyId $familyId,
UserId $userId,
TenantId $tenantId,
DeviceInfo $deviceInfo,
Location $location,
DateTimeImmutable $createdAt,
DateTimeImmutable $lastActivityAt,
): self {
return new self(
familyId: $familyId,
userId: $userId,
tenantId: $tenantId,
deviceInfo: $deviceInfo,
location: $location,
createdAt: $createdAt,
lastActivityAt: $lastActivityAt,
);
}
}

66
backend/src/Administration/Domain/Repository/SessionRepository.php Normal file
View File

@@ -0,0 +1,66 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Repository;
use App\Administration\Domain\Exception\SessionNotFoundException;
use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
use App\Administration\Domain\Model\Session\Session;
use App\Administration\Domain\Model\User\UserId;
use DateTimeImmutable;
/**
* Repository pour la gestion des sessions utilisateur.
*
* Implémentation attendue : Redis avec TTL automatique.
*
* @see Story 1.6 - Gestion des sessions
*/
interface SessionRepository
{
/**
* Sauvegarde une session.
*
* @param int $ttlSeconds TTL en secondes (aligné avec le refresh token)
*/
public function save(Session $session, int $ttlSeconds): void;
/**
* Récupère une session par son family ID.
*
* @throws SessionNotFoundException si la session n'existe pas
*/
public function getByFamilyId(TokenFamilyId $familyId): Session;
/**
* Recherche une session par son family ID (nullable).
*/
public function findByFamilyId(TokenFamilyId $familyId): ?Session;
/**
* Récupère toutes les sessions d'un utilisateur.
*
* @return list<Session>
*/
public function findAllByUserId(UserId $userId): array;
/**
* Supprime une session.
*/
public function delete(TokenFamilyId $familyId): void;
/**
* Supprime toutes les sessions sauf celle spécifiée.
*
* @return list<TokenFamilyId> Les family IDs des sessions supprimées
*/
public function deleteAllExcept(UserId $userId, TokenFamilyId $exceptFamilyId): array;
/**
* Met à jour le timestamp de dernière activité.
*
* @param int $ttlSeconds TTL restant en secondes (aligné avec le refresh token)
*/
public function updateActivity(TokenFamilyId $familyId, DateTimeImmutable $at, int $ttlSeconds): void;
}

44
backend/src/Administration/Infrastructure/Api/Controller/LogoutController.php
View File

@@ -4,27 +4,35 @@ declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Controller;
use App\Administration\Domain\Event\Deconnexion;
use App\Administration\Domain\Model\RefreshToken\RefreshToken;
use App\Administration\Domain\Repository\RefreshTokenRepository;
use App\Administration\Domain\Repository\SessionRepository;
use App\Shared\Domain\Clock;
use DateTimeImmutable;
use InvalidArgumentException;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Routing\Attribute\Route;
/**
* Logout endpoint.
*
* Invalidates the refresh token and deletes the cookie.
* Invalidates the refresh token, deletes the session, and clears the cookie.
*
* @see Story 1.4 - User login
* @see Story 1.6 - Session management
*/
final readonly class LogoutController
{
public function __construct(
private RefreshTokenRepository $refreshTokenRepository,
private SessionRepository $sessionRepository,
private MessageBusInterface $eventBus,
private Clock $clock,
) {
}
@@ -40,8 +48,21 @@ final readonly class LogoutController
$refreshToken = $this->refreshTokenRepository->find($tokenId);
if ($refreshToken !== null) {
// Delete the session
$this->sessionRepository->delete($refreshToken->familyId);
// Invalidate the entire family (disconnects all devices)
$this->refreshTokenRepository->invalidateFamily($refreshToken->familyId);
// Dispatch logout event
$this->eventBus->dispatch(new Deconnexion(
userId: (string) $refreshToken->userId,
familyId: (string) $refreshToken->familyId,
tenantId: $refreshToken->tenantId,
ipAddress: $request->getClientIp() ?? 'unknown',
userAgent: $request->headers->get('User-Agent', 'unknown'),
occurredOn: $this->clock->now(),
));
}
} catch (InvalidArgumentException) {
// Malformed token, ignore
@@ -51,15 +72,30 @@ final readonly class LogoutController
// Create the response with cookie deletion
$response = new JsonResponse(['message' => 'Logout successful'], Response::HTTP_OK);
// Delete the refresh_token cookie (same path as used during login)
// Delete the refresh_token cookie
// Secure flag only on HTTPS (prod), not HTTP (dev)
$isSecure = $request->isSecure();
// Clear cookie at current path /api
$response->headers->setCookie(
Cookie::create('refresh_token')
->withValue('')
->withExpires(new DateTimeImmutable('-1 hour'))
->withPath('/api')
->withHttpOnly(true)
->withSecure($isSecure)
->withSameSite($isSecure ? 'strict' : 'lax'),
);
// Also clear legacy cookie at /api/token (migration period)
$response->headers->setCookie(
Cookie::create('refresh_token')
->withValue('')
->withExpires(new DateTimeImmutable('-1 hour'))
->withPath('/api/token')
->withHttpOnly(true)
->withSecure(true)
->withSameSite('strict'),
->withSecure($isSecure)
->withSameSite($isSecure ? 'strict' : 'lax'),
);
return $response;

242
backend/src/Administration/Infrastructure/Api/Controller/SessionsController.php Normal file
View File

@@ -0,0 +1,242 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Controller;
use App\Administration\Domain\Event\SessionInvalidee;
use App\Administration\Domain\Event\ToutesSessionsInvalidees;
use App\Administration\Domain\Exception\SessionNotFoundException;
use App\Administration\Domain\Model\RefreshToken\RefreshToken;
use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\RefreshTokenRepository;
use App\Administration\Domain\Repository\SessionRepository;
use App\Administration\Infrastructure\Security\SecurityUser;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use function array_map;
use function count;
use DateTimeInterface;
use InvalidArgumentException;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Routing\Attribute\Route;
/**
* Sessions management endpoints.
*
* Architecture note: Events (SessionInvalidee, ToutesSessionsInvalidees) are dispatched
* directly from this controller rather than from domain aggregates. This is a documented
* exception to the standard DDD pattern because:
* - Session is a read model without command/aggregate behavior
* - The "invalidate" operation spans multiple aggregates (RefreshToken + Session)
* - The controller orchestrates infrastructure operations, making it the natural
* event emission point for audit trail purposes
*
* @see Story 1.6 - Gestion des sessions
*/
final readonly class SessionsController
{
public function __construct(
private Security $security,
private SessionRepository $sessionRepository,
private RefreshTokenRepository $refreshTokenRepository,
private MessageBusInterface $eventBus,
private Clock $clock,
) {
}
/**
* List all active sessions for the current user.
*/
#[Route('/api/me/sessions', name: 'api_sessions_list', methods: ['GET'])]
public function list(Request $request): JsonResponse
{
$user = $this->getSecurityUser();
$userId = UserId::fromString($user->userId());
$tenantId = TenantId::fromString($user->tenantId());
// Get the current family ID from the refresh token cookie
$currentFamilyId = $this->getCurrentFamilyId($request, $userId);
$sessions = $this->sessionRepository->findAllByUserId($userId);
$sessionsData = [];
foreach ($sessions as $session) {
// Skip sessions from other tenants (defense in depth)
if (!$session->tenantId->equals($tenantId)) {
continue;
}
$isCurrent = $currentFamilyId !== null && $session->isCurrent($currentFamilyId);
$sessionsData[] = [
'family_id' => (string) $session->familyId,
'device' => $session->deviceInfo->device,
'browser' => $session->deviceInfo->browser,
'os' => $session->deviceInfo->os,
'location' => $session->location->format(),
'created_at' => $session->createdAt->format(DateTimeInterface::ATOM),
'last_activity_at' => $session->lastActivityAt->format(DateTimeInterface::ATOM),
'is_current' => $isCurrent,
];
}
// Sort: current session first, then by last activity (most recent first)
usort($sessionsData, static function (array $a, array $b): int {
if ($a['is_current'] && !$b['is_current']) {
return -1;
}
if (!$a['is_current'] && $b['is_current']) {
return 1;
}
return $b['last_activity_at'] <=> $a['last_activity_at'];
});
return new JsonResponse(['sessions' => $sessionsData]);
}
/**
* Revoke a specific session.
*/
#[Route('/api/me/sessions/{familyId}', name: 'api_sessions_revoke', methods: ['DELETE'])]
public function revoke(string $familyId, Request $request): JsonResponse
{
$user = $this->getSecurityUser();
$userId = UserId::fromString($user->userId());
try {
$targetFamilyId = TokenFamilyId::fromString($familyId);
$session = $this->sessionRepository->getByFamilyId($targetFamilyId);
} catch (InvalidArgumentException|SessionNotFoundException) {
throw new NotFoundHttpException('Session not found');
}
// Verify the session belongs to the user (return 404 to not leak existence)
if (!$session->belongsToUser($userId)) {
throw new NotFoundHttpException('Session not found');
}
// Prevent revoking current session via this endpoint (use logout instead)
$currentFamilyId = $this->getCurrentFamilyId($request, $userId);
if ($currentFamilyId !== null && $session->isCurrent($currentFamilyId)) {
throw new AccessDeniedHttpException('Cannot revoke current session. Use logout instead.');
}
// Invalidate the token family (disconnects the device)
$this->refreshTokenRepository->invalidateFamily($targetFamilyId);
// Delete the session
$this->sessionRepository->delete($targetFamilyId);
// Dispatch event for audit trail
$this->eventBus->dispatch(new SessionInvalidee(
userId: $user->userId(),
familyId: (string) $targetFamilyId,
tenantId: TenantId::fromString($user->tenantId()),
ipAddress: $request->getClientIp() ?? 'unknown',
userAgent: $request->headers->get('User-Agent', 'unknown'),
occurredOn: $this->clock->now(),
));
return new JsonResponse(['message' => 'Session revoked'], Response::HTTP_OK);
}
/**
* Revoke all sessions except the current one.
*/
#[Route('/api/me/sessions', name: 'api_sessions_revoke_all', methods: ['DELETE'])]
public function revokeAll(Request $request): JsonResponse
{
$user = $this->getSecurityUser();
$userId = UserId::fromString($user->userId());
// Get the current family ID to exclude it
$currentFamilyId = $this->getCurrentFamilyId($request, $userId);
if ($currentFamilyId === null) {
throw new AccessDeniedHttpException('Unable to identify current session');
}
// Delete all sessions except current
$deletedFamilyIds = $this->sessionRepository->deleteAllExcept($userId, $currentFamilyId);
// Invalidate all corresponding token families
foreach ($deletedFamilyIds as $familyId) {
$this->refreshTokenRepository->invalidateFamily($familyId);
}
// Dispatch event for audit trail (only if sessions were actually revoked)
if (count($deletedFamilyIds) > 0) {
$this->eventBus->dispatch(new ToutesSessionsInvalidees(
userId: $user->userId(),
invalidatedFamilyIds: array_map(static fn (TokenFamilyId $id): string => (string) $id, $deletedFamilyIds),
exceptFamilyId: (string) $currentFamilyId,
tenantId: TenantId::fromString($user->tenantId()),
ipAddress: $request->getClientIp() ?? 'unknown',
userAgent: $request->headers->get('User-Agent', 'unknown'),
occurredOn: $this->clock->now(),
));
}
return new JsonResponse([
'message' => 'All other sessions revoked',
'revoked_count' => count($deletedFamilyIds),
], Response::HTTP_OK);
}
private function getSecurityUser(): SecurityUser
{
$user = $this->security->getUser();
if (!$user instanceof SecurityUser) {
throw new AccessDeniedHttpException('Authentication required');
}
return $user;
}
/**
* Get the current session's family ID from the refresh token cookie.
*
* Security: Validates that the refresh token belongs to the authenticated user
* to prevent cross-account issues in multi-tab scenarios where JWT and cookie
* could belong to different users.
*/
private function getCurrentFamilyId(Request $request, UserId $authenticatedUserId): ?TokenFamilyId
{
$refreshTokenValue = $request->cookies->get('refresh_token');
if ($refreshTokenValue === null) {
return null;
}
try {
$tokenId = RefreshToken::extractIdFromTokenString($refreshTokenValue);
$refreshToken = $this->refreshTokenRepository->find($tokenId);
if ($refreshToken === null) {
return null;
}
// Verify the refresh token belongs to the authenticated user
// This prevents misidentification in multi-tab/account-switch scenarios
if (!$refreshToken->userId->equals($authenticatedUserId)) {
return null;
}
return $refreshToken->familyId;
} catch (InvalidArgumentException) {
return null;
}
}
}

22
backend/src/Administration/Infrastructure/Api/Processor/RefreshTokenProcessor.php
View File

@@ -11,6 +11,7 @@ use App\Administration\Domain\Event\TokenReplayDetecte;
use App\Administration\Domain\Exception\TokenAlreadyRotatedException;
use App\Administration\Domain\Exception\TokenReplayDetectedException;
use App\Administration\Domain\Model\RefreshToken\DeviceFingerprint;
use App\Administration\Domain\Repository\SessionRepository;
use App\Administration\Domain\Repository\UserRepository;
use App\Administration\Infrastructure\Api\Resource\RefreshTokenInput;
use App\Administration\Infrastructure\Api\Resource\RefreshTokenOutput;
@@ -48,6 +49,7 @@ final readonly class RefreshTokenProcessor implements ProcessorInterface
private RefreshTokenManager $refreshTokenManager,
private JWTTokenManagerInterface $jwtManager,
private UserRepository $userRepository,
private SessionRepository $sessionRepository,
private RequestStack $requestStack,
private SecurityUserFactory $securityUserFactory,
private TenantResolver $tenantResolver,
@@ -106,18 +108,25 @@ final readonly class RefreshTokenProcessor implements ProcessorInterface
$securityUser = $this->securityUserFactory->fromDomainUser($user);
// Update session last activity with TTL aligned to refresh token expiry
$now = $this->clock->now();
$remainingTtlSeconds = $newRefreshToken->expiresAt->getTimestamp() - $now->getTimestamp();
$this->sessionRepository->updateActivity($newRefreshToken->familyId, $now, $remainingTtlSeconds);
// Generate the new JWT
$jwt = $this->jwtManager->create($securityUser);
// Store the cookie in request attributes for the listener
// The RefreshTokenCookieListener will add it to the response
// Secure flag only on HTTPS (prod), not HTTP (dev)
$isSecure = $request->isSecure();
$cookie = Cookie::create('refresh_token')
->withValue($newRefreshToken->toTokenString())
->withExpires($newRefreshToken->expiresAt)
->withPath('/api/token')
->withSecure(true)
->withPath('/api')
->withSecure($isSecure)
->withHttpOnly(true)
->withSameSite('strict');
->withSameSite($isSecure ? 'strict' : 'lax');
$request->attributes->set('_refresh_token_cookie', $cookie);
@@ -156,13 +165,14 @@ final readonly class RefreshTokenProcessor implements ProcessorInterface
$request = $this->requestStack->getCurrentRequest();
if ($request !== null) {
$isSecure = $request->isSecure();
$cookie = Cookie::create('refresh_token')
->withValue('')
->withExpires(new DateTimeImmutable('-1 day'))
->withPath('/api/token')
->withSecure(true)
->withPath('/api')
->withSecure($isSecure)
->withHttpOnly(true)
->withSameSite('strict');
->withSameSite($isSecure ? 'strict' : 'lax');
$request->attributes->set('_refresh_token_cookie', $cookie);
}

268
backend/src/Administration/Infrastructure/Persistence/Redis/RedisSessionRepository.php Normal file
View File

@@ -0,0 +1,268 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Persistence\Redis;
use App\Administration\Domain\Exception\SessionNotFoundException;
use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
use App\Administration\Domain\Model\Session\DeviceInfo;
use App\Administration\Domain\Model\Session\Location;
use App\Administration\Domain\Model\Session\Session;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\SessionRepository;
use App\Shared\Domain\Tenant\TenantId;
use function count;
use DateTimeImmutable;
use DateTimeInterface;
use Psr\Cache\CacheItemPoolInterface;
/**
* Redis implementation of the sessions repository.
*
* Storage structure:
* - Session data: session:{family_id} → session JSON data
* - User index: user_sessions:{user_id} → set of family_ids
*
* @see Story 1.6 - Gestion des sessions
*/
final readonly class RedisSessionRepository implements SessionRepository
{
private const string SESSION_PREFIX = 'session:';
private const string USER_SESSIONS_PREFIX = 'user_sessions:';
/**
* Maximum TTL for user index (8 days).
*
* Must be >= the longest possible session TTL to ensure
* all sessions are properly indexed.
*/
private const int MAX_USER_INDEX_TTL = 691200;
public function __construct(
private CacheItemPoolInterface $sessionsCache,
) {
}
public function save(Session $session, int $ttlSeconds): void
{
// Save the session
$sessionItem = $this->sessionsCache->getItem(self::SESSION_PREFIX . $session->familyId);
$sessionItem->set($this->serialize($session));
$sessionItem->expiresAfter($ttlSeconds);
$this->sessionsCache->save($sessionItem);
// Add to user index
$userItem = $this->sessionsCache->getItem(self::USER_SESSIONS_PREFIX . $session->userId);
/** @var list<string> $familyIds */
$familyIds = $userItem->isHit() ? $userItem->get() : [];
$familyIds[] = (string) $session->familyId;
$userItem->set(array_values(array_unique($familyIds)));
$userItem->expiresAfter(self::MAX_USER_INDEX_TTL);
$this->sessionsCache->save($userItem);
}
public function getByFamilyId(TokenFamilyId $familyId): Session
{
$session = $this->findByFamilyId($familyId);
if ($session === null) {
throw new SessionNotFoundException($familyId);
}
return $session;
}
public function findByFamilyId(TokenFamilyId $familyId): ?Session
{
$item = $this->sessionsCache->getItem(self::SESSION_PREFIX . $familyId);
if (!$item->isHit()) {
return null;
}
/** @var array{family_id: string, user_id: string, tenant_id: string, device: string, browser: string, os: string, raw_user_agent: string, ip: string|null, country: string|null, city: string|null, created_at: string, last_activity_at: string} $data */
$data = $item->get();
return $this->deserialize($data);
}
public function findAllByUserId(UserId $userId): array
{
$userItem = $this->sessionsCache->getItem(self::USER_SESSIONS_PREFIX . $userId);
if (!$userItem->isHit()) {
return [];
}
/** @var list<string> $familyIds */
$familyIds = $userItem->get();
$sessions = [];
$validFamilyIds = [];
foreach ($familyIds as $familyIdStr) {
$session = $this->findByFamilyId(TokenFamilyId::fromString($familyIdStr));
if ($session !== null) {
$sessions[] = $session;
$validFamilyIds[] = $familyIdStr;
}
}
// Clean up stale entries from user index
if (count($validFamilyIds) !== count($familyIds)) {
$userItem->set($validFamilyIds);
$userItem->expiresAfter(self::MAX_USER_INDEX_TTL);
$this->sessionsCache->save($userItem);
}
return $sessions;
}
public function delete(TokenFamilyId $familyId): void
{
// Find session to get userId for index cleanup
$session = $this->findByFamilyId($familyId);
// Delete the session
$this->sessionsCache->deleteItem(self::SESSION_PREFIX . $familyId);
// Remove from user index if session existed
if ($session !== null) {
$this->removeFromUserIndex($session->userId, $familyId);
}
}
public function deleteAllExcept(UserId $userId, TokenFamilyId $exceptFamilyId): array
{
$userItem = $this->sessionsCache->getItem(self::USER_SESSIONS_PREFIX . $userId);
if (!$userItem->isHit()) {
return [];
}
/** @var list<string> $familyIds */
$familyIds = $userItem->get();
$deletedFamilyIds = [];
foreach ($familyIds as $familyIdStr) {
$familyId = TokenFamilyId::fromString($familyIdStr);
if ($familyId->equals($exceptFamilyId)) {
continue;
}
$this->sessionsCache->deleteItem(self::SESSION_PREFIX . $familyIdStr);
$deletedFamilyIds[] = $familyId;
}
// Update user index to only contain the excepted session
$userItem->set([(string) $exceptFamilyId]);
$userItem->expiresAfter(self::MAX_USER_INDEX_TTL);
$this->sessionsCache->save($userItem);
return $deletedFamilyIds;
}
public function updateActivity(TokenFamilyId $familyId, DateTimeImmutable $at, int $ttlSeconds): void
{
$session = $this->findByFamilyId($familyId);
if ($session === null) {
return;
}
$updatedSession = $session->updateActivity($at);
// Preserve TTL aligned with refresh token expiry
$sessionItem = $this->sessionsCache->getItem(self::SESSION_PREFIX . $familyId);
$sessionItem->set($this->serialize($updatedSession));
$sessionItem->expiresAfter($ttlSeconds);
$this->sessionsCache->save($sessionItem);
}
private function removeFromUserIndex(UserId $userId, TokenFamilyId $familyId): void
{
$userItem = $this->sessionsCache->getItem(self::USER_SESSIONS_PREFIX . $userId);
if (!$userItem->isHit()) {
return;
}
/** @var list<string> $familyIds */
$familyIds = $userItem->get();
$familyIds = array_values(array_filter(
$familyIds,
static fn (string $id) => $id !== (string) $familyId,
));
if (count($familyIds) === 0) {
$this->sessionsCache->deleteItem(self::USER_SESSIONS_PREFIX . $userId);
} else {
$userItem->set($familyIds);
$userItem->expiresAfter(self::MAX_USER_INDEX_TTL);
$this->sessionsCache->save($userItem);
}
}
/**
* @return array<string, mixed>
*/
private function serialize(Session $session): array
{
return [
'family_id' => (string) $session->familyId,
'user_id' => (string) $session->userId,
'tenant_id' => (string) $session->tenantId,
'device' => $session->deviceInfo->device,
'browser' => $session->deviceInfo->browser,
'os' => $session->deviceInfo->os,
'raw_user_agent' => $session->deviceInfo->rawUserAgent,
'ip' => $session->location->ip,
'country' => $session->location->country,
'city' => $session->location->city,
'created_at' => $session->createdAt->format(DateTimeInterface::ATOM),
'last_activity_at' => $session->lastActivityAt->format(DateTimeInterface::ATOM),
];
}
/**
* @param array{
* family_id: string,
* user_id: string,
* tenant_id: string,
* device: string,
* browser: string,
* os: string,
* raw_user_agent: string,
* ip: string|null,
* country: string|null,
* city: string|null,
* created_at: string,
* last_activity_at: string
* } $data
*/
private function deserialize(array $data): Session
{
return Session::reconstitute(
familyId: TokenFamilyId::fromString($data['family_id']),
userId: UserId::fromString($data['user_id']),
tenantId: TenantId::fromString($data['tenant_id']),
deviceInfo: DeviceInfo::reconstitute(
device: $data['device'],
browser: $data['browser'],
os: $data['os'],
rawUserAgent: $data['raw_user_agent'],
),
location: Location::reconstitute(
ip: $data['ip'],
country: $data['country'],
city: $data['city'],
),
createdAt: new DateTimeImmutable($data['created_at']),
lastActivityAt: new DateTimeImmutable($data['last_activity_at']),
);
}
}

36
backend/src/Administration/Infrastructure/Security/LoginSuccessHandler.php
View File

@@ -4,10 +4,14 @@ declare(strict_types=1);
namespace App\Administration\Infrastructure\Security;
use App\Administration\Application\Port\GeoLocationService;
use App\Administration\Application\Service\RefreshTokenManager;
use App\Administration\Domain\Event\ConnexionReussie;
use App\Administration\Domain\Model\RefreshToken\DeviceFingerprint;
use App\Administration\Domain\Model\Session\DeviceInfo;
use App\Administration\Domain\Model\Session\Session;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\SessionRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use App\Shared\Infrastructure\RateLimit\LoginRateLimiterInterface;
@@ -17,14 +21,17 @@ use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Messenger\MessageBusInterface;
/**
* Handles post-login success actions: refresh token, reset rate limit, audit.
* Handles post-login success actions: refresh token, session, reset rate limit, audit.
*
* @see Story 1.4 - T5: Backend Login Endpoint
* @see Story 1.6 - Session management
*/
final readonly class LoginSuccessHandler
{
public function __construct(
private RefreshTokenManager $refreshTokenManager,
private SessionRepository $sessionRepository,
private GeoLocationService $geoLocationService,
private LoginRateLimiterInterface $rateLimiter,
private MessageBusInterface $eventBus,
private Clock $clock,
@@ -62,14 +69,35 @@ final readonly class LoginSuccessHandler
$isMobile,
);
// Create the session with metadata
$deviceInfo = DeviceInfo::fromUserAgent($userAgent);
$location = $this->geoLocationService->locate($ipAddress);
$now = $this->clock->now();
$session = Session::create(
familyId: $refreshToken->familyId,
userId: $userId,
tenantId: $tenantId,
deviceInfo: $deviceInfo,
location: $location,
createdAt: $now,
);
// Calculate TTL (same as refresh token)
$ttlSeconds = $refreshToken->expiresAt->getTimestamp() - $now->getTimestamp();
$this->sessionRepository->save($session, $ttlSeconds);
// Add the refresh token as HttpOnly cookie
// Path is /api to allow session identification on /api/me/sessions endpoints
// Secure flag only on HTTPS (prod), not HTTP (dev)
$isSecure = $request->isSecure();
$cookie = Cookie::create('refresh_token')
->withValue($refreshToken->toTokenString())
->withExpires($refreshToken->expiresAt)
->withPath('/api/token')
->withSecure(true)
->withPath('/api')
->withSecure($isSecure)
->withHttpOnly(true)
->withSameSite('strict');
->withSameSite($isSecure ? 'strict' : 'lax');
$response->headers->setCookie($cookie);

48
backend/src/Administration/Infrastructure/Service/NullGeoLocationService.php Normal file
View File

@@ -0,0 +1,48 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Service;
use App\Administration\Application\Port\GeoLocationService;
use App\Administration\Domain\Model\Session\Location;
use const FILTER_FLAG_NO_PRIV_RANGE;
use const FILTER_FLAG_NO_RES_RANGE;
use const FILTER_VALIDATE_IP;
/**
* Null implementation of GeoLocationService.
*
* Always returns Location::unknown(). Use this when:
* - No geolocation database is configured
* - In development/test environments
* - When privacy concerns require disabling geolocation
*
* For production, replace with MaxMindGeoLocationService
* or another IP geolocation provider.
*
* @see Story 1.6 - Gestion des sessions
*/
final readonly class NullGeoLocationService implements GeoLocationService
{
public function locate(string $ipAddress): Location
{
// Store IP but don't resolve location
// This allows for future resolution if a geo service is configured
if ($this->isPrivateOrReserved($ipAddress)) {
return Location::unknown();
}
return Location::fromIp($ipAddress, null, null);
}
private function isPrivateOrReserved(string $ip): bool
{
return filter_var(
$ip,
FILTER_VALIDATE_IP,
FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE,
) === false;
}
}

352
backend/tests/Functional/Administration/Api/SessionsEndpointsTest.php Normal file
View File

@@ -0,0 +1,352 @@
<?php
declare(strict_types=1);
namespace App\Tests\Functional\Administration\Api;
use ApiPlatform\Symfony\Bundle\Test\ApiTestCase;
use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
use App\Administration\Domain\Model\Session\DeviceInfo;
use App\Administration\Domain\Model\Session\Location;
use App\Administration\Domain\Model\Session\Session;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\SessionRepository;
use App\Shared\Domain\Tenant\TenantId;
use function count;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
/**
* Tests for sessions endpoints.
*
* @see Story 1.6 - Gestion des sessions
*/
final class SessionsEndpointsTest extends ApiTestCase
{
/**
* Opt-in for API Platform 5.0 behavior where kernel boot is explicit.
*
* @see https://github.com/api-platform/core/issues/6971
*/
protected static ?bool $alwaysBootKernel = true;
private const string TENANT_ID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890';
private const string USER_ID = '550e8400-e29b-41d4-a716-446655440000';
// =========================================================================
// Logout endpoint tests
// =========================================================================
#[Test]
public function logoutEndpointAcceptsPostWithoutAuthentication(): void
{
$client = static::createClient();
// Logout should work even without a valid token (graceful logout)
$client->request('POST', '/api/token/logout', [
'headers' => [
'Host' => 'localhost',
'Accept' => 'application/json',
],
]);
// Should return 200 OK (graceful logout even without token)
self::assertResponseStatusCodeSame(200);
}
#[Test]
public function logoutEndpointReturnsSuccessMessage(): void
{
$client = static::createClient();
$client->request('POST', '/api/token/logout', [
'headers' => [
'Host' => 'localhost',
'Accept' => 'application/json',
],
]);
self::assertResponseIsSuccessful();
self::assertJsonContains(['message' => 'Logout successful']);
}
#[Test]
public function logoutEndpointDeletesRefreshTokenCookie(): void
{
$client = static::createClient();
$response = $client->request('POST', '/api/token/logout', [
'headers' => [
'Host' => 'localhost',
'Accept' => 'application/json',
],
]);
// Check that Set-Cookie header is present (to delete the cookie)
$headers = $response->getHeaders(false);
self::assertArrayHasKey('set-cookie', $headers);
// The cookie should be set to empty with past expiration
$setCookieHeader = $headers['set-cookie'][0];
self::assertStringContainsString('refresh_token=', $setCookieHeader);
}
#[Test]
public function logoutEndpointDeletesRefreshTokenCookieOnApiAndLegacyPaths(): void
{
$client = static::createClient();
$response = $client->request('POST', '/api/token/logout', [
'headers' => [
'Host' => 'localhost',
'Accept' => 'application/json',
],
]);
$headers = $response->getHeaders(false);
self::assertArrayHasKey('set-cookie', $headers);
// Should have 2 Set-Cookie headers for refresh_token deletion
$setCookieHeaders = $headers['set-cookie'];
self::assertGreaterThanOrEqual(2, count($setCookieHeaders), 'Expected at least 2 Set-Cookie headers');
// Collect all refresh_token cookie paths
$paths = [];
foreach ($setCookieHeaders as $header) {
if (stripos($header, 'refresh_token=') !== false) {
// Extract path with case-insensitive matching
if (preg_match('/path=([^;]+)/i', $header, $matches)) {
$paths[] = trim($matches[1]);
}
}
}
// Must clear both /api (current) and /api/token (legacy) paths
self::assertContains('/api', $paths, 'Missing Set-Cookie for Path=/api');
self::assertContains('/api/token', $paths, 'Missing Set-Cookie for Path=/api/token (legacy)');
}
// =========================================================================
// Sessions list endpoint tests - Security
// =========================================================================
/**
* Without a valid tenant subdomain, the endpoint returns 404.
* This is correct security behavior: don't reveal endpoint existence.
*/
#[Test]
public function listSessionsReturns404WithoutTenant(): void
{
$client = static::createClient();
$client->request('GET', '/api/me/sessions', [
'headers' => [
'Host' => 'localhost',
'Accept' => 'application/json',
],
]);
// Tenant middleware intercepts and returns 404 (not revealing endpoint)
self::assertResponseStatusCodeSame(404);
self::assertJsonContains(['message' => 'Resource not found']);
}
// =========================================================================
// Revoke single session endpoint tests - Security
// =========================================================================
/**
* Without a valid tenant subdomain, the endpoint returns 404.
* This is correct security behavior: don't reveal endpoint existence.
*/
#[Test]
public function revokeSessionReturns404WithoutTenant(): void
{
$client = static::createClient();
$client->request('DELETE', '/api/me/sessions/00000000-0000-0000-0000-000000000001', [
'headers' => [
'Host' => 'localhost',
'Accept' => 'application/json',
],
]);
// Tenant middleware intercepts and returns 404 (not revealing endpoint)
self::assertResponseStatusCodeSame(404);
self::assertJsonContains(['message' => 'Resource not found']);
}
// =========================================================================
// Revoke all sessions endpoint tests - Security
// =========================================================================
/**
* Without a valid tenant subdomain, the endpoint returns 404.
* This is correct security behavior: don't reveal endpoint existence.
*/
#[Test]
public function revokeAllSessionsReturns404WithoutTenant(): void
{
$client = static::createClient();
$client->request('DELETE', '/api/me/sessions', [
'headers' => [
'Host' => 'localhost',
'Accept' => 'application/json',
],
]);
// Tenant middleware intercepts and returns 404 (not revealing endpoint)
self::assertResponseStatusCodeSame(404);
self::assertJsonContains(['message' => 'Resource not found']);
}
// =========================================================================
// Authenticated session list tests
// =========================================================================
/**
* Test that listing sessions requires authentication.
* Returns 401 when no JWT token is provided.
*/
#[Test]
public function listSessionsReturns401WithoutAuthentication(): void
{
$client = static::createClient();
$client->request('GET', 'http://ecole-alpha.classeo.local/api/me/sessions', [
'headers' => [
'Accept' => 'application/json',
],
]);
self::assertResponseStatusCodeSame(401);
}
/**
* Test that revoking sessions requires authentication.
* Returns 401 when no JWT token is provided.
*/
#[Test]
public function revokeSessionReturns401WithoutAuthentication(): void
{
$client = static::createClient();
$familyId = TokenFamilyId::generate();
$client->request('DELETE', 'http://ecole-alpha.classeo.local/api/me/sessions/' . $familyId, [
'headers' => [
'Accept' => 'application/json',
],
]);
self::assertResponseStatusCodeSame(401);
}
/**
* Test that revoking all sessions requires authentication.
* Returns 401 when no JWT token is provided.
*/
#[Test]
public function revokeAllSessionsReturns401WithoutAuthentication(): void
{
$client = static::createClient();
$client->request('DELETE', 'http://ecole-alpha.classeo.local/api/me/sessions', [
'headers' => [
'Accept' => 'application/json',
],
]);
self::assertResponseStatusCodeSame(401);
}
/**
* Test that the session repository correctly stores and retrieves sessions.
* This is an integration test of the repository without HTTP layer.
*/
#[Test]
public function sessionRepositoryCanStoreAndRetrieveSessions(): void
{
$container = static::getContainer();
$sessionRepository = $container->get(SessionRepository::class);
$familyId = TokenFamilyId::generate();
$userId = UserId::fromString(self::USER_ID);
$tenantId = TenantId::fromString(self::TENANT_ID);
$session = Session::create(
familyId: $familyId,
userId: $userId,
tenantId: $tenantId,
deviceInfo: DeviceInfo::fromUserAgent('Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0'),
location: Location::fromIp('192.168.1.1', 'France', 'Paris'),
createdAt: new DateTimeImmutable(),
);
$sessionRepository->save($session, 86400);
// Retrieve by family ID
$retrieved = $sessionRepository->findByFamilyId($familyId);
self::assertNotNull($retrieved);
self::assertTrue($retrieved->familyId->equals($familyId));
self::assertSame('Desktop', $retrieved->deviceInfo->device);
self::assertSame('Chrome 120', $retrieved->deviceInfo->browser);
// Retrieve by user ID
$userSessions = $sessionRepository->findAllByUserId($userId);
self::assertNotEmpty($userSessions);
// Cleanup
$sessionRepository->delete($familyId);
self::assertNull($sessionRepository->findByFamilyId($familyId));
}
/**
* Test that deleteAllExcept removes other sessions but keeps the specified one.
*/
#[Test]
public function sessionRepositoryDeleteAllExceptKeepsSpecifiedSession(): void
{
$container = static::getContainer();
$sessionRepository = $container->get(SessionRepository::class);
$userId = UserId::fromString(self::USER_ID);
$tenantId = TenantId::fromString(self::TENANT_ID);
// Clean up any existing sessions for this user (from previous test runs)
$existingSessions = $sessionRepository->findAllByUserId($userId);
foreach ($existingSessions as $existingSession) {
$sessionRepository->delete($existingSession->familyId);
}
// Create multiple sessions
$keepFamilyId = TokenFamilyId::generate();
$deleteFamilyId1 = TokenFamilyId::generate();
$deleteFamilyId2 = TokenFamilyId::generate();
foreach ([$keepFamilyId, $deleteFamilyId1, $deleteFamilyId2] as $familyId) {
$session = Session::create(
familyId: $familyId,
userId: $userId,
tenantId: $tenantId,
deviceInfo: DeviceInfo::fromUserAgent('Test Browser'),
location: Location::unknown(),
createdAt: new DateTimeImmutable(),
);
$sessionRepository->save($session, 86400);
}
// Delete all except one
$deletedIds = $sessionRepository->deleteAllExcept($userId, $keepFamilyId);
self::assertCount(2, $deletedIds);
self::assertNotNull($sessionRepository->findByFamilyId($keepFamilyId));
self::assertNull($sessionRepository->findByFamilyId($deleteFamilyId1));
self::assertNull($sessionRepository->findByFamilyId($deleteFamilyId2));
// Cleanup
$sessionRepository->delete($keepFamilyId);
}
}

127
backend/tests/Unit/Administration/Domain/Model/Session/DeviceInfoTest.php Normal file
View File

@@ -0,0 +1,127 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Domain\Model\Session;
use App\Administration\Domain\Model\Session\DeviceInfo;
use PHPUnit\Framework\Attributes\DataProvider;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class DeviceInfoTest extends TestCase
{
#[Test]
#[DataProvider('userAgentProvider')]
public function fromUserAgentParsesCorrectly(
string $userAgent,
string $expectedDevice,
string $expectedBrowser,
string $expectedOs,
): void {
$deviceInfo = DeviceInfo::fromUserAgent($userAgent);
self::assertSame($expectedDevice, $deviceInfo->device);
self::assertSame($expectedBrowser, $deviceInfo->browser);
self::assertSame($expectedOs, $deviceInfo->os);
self::assertSame($userAgent, $deviceInfo->rawUserAgent);
}
/**
* @return iterable<string, array{string, string, string, string}>
*/
public static function userAgentProvider(): iterable
{
yield 'Chrome on Windows' => [
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
'Desktop',
'Chrome 120',
'Windows 10',
];
yield 'Firefox on macOS' => [
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0',
'Desktop',
'Firefox 121',
'macOS 10.15',
];
yield 'Safari on iPhone' => [
'Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1',
'Mobile',
'Safari 17',
'iOS 17.2',
];
yield 'Chrome on Android' => [
'Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.144 Mobile Safari/537.36',
'Mobile',
'Chrome 120',
'Android 14',
];
yield 'Safari on iPad' => [
'Mozilla/5.0 (iPad; CPU OS 17_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1',
'Tablet',
'Safari 17',
'iPadOS 17.2',
];
yield 'Edge on Windows' => [
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0',
'Desktop',
'Edge 120',
'Windows 10',
];
}
#[Test]
public function fromUserAgentHandlesEmptyString(): void
{
$deviceInfo = DeviceInfo::fromUserAgent('');
self::assertSame('Inconnu', $deviceInfo->device);
self::assertSame('Inconnu', $deviceInfo->browser);
self::assertSame('Inconnu', $deviceInfo->os);
}
#[Test]
public function fromUserAgentHandlesUnknownUserAgent(): void
{
$deviceInfo = DeviceInfo::fromUserAgent('Some Random Bot/1.0');
self::assertSame('Inconnu', $deviceInfo->device);
self::assertSame('Inconnu', $deviceInfo->browser);
self::assertSame('Inconnu', $deviceInfo->os);
}
#[Test]
public function reconstituteRestoresFromStorage(): void
{
$deviceInfo = DeviceInfo::reconstitute(
device: 'Desktop',
browser: 'Chrome 120',
os: 'Windows 10',
rawUserAgent: 'Mozilla/5.0...',
);
self::assertSame('Desktop', $deviceInfo->device);
self::assertSame('Chrome 120', $deviceInfo->browser);
self::assertSame('Windows 10', $deviceInfo->os);
self::assertSame('Mozilla/5.0...', $deviceInfo->rawUserAgent);
}
#[Test]
public function isMobileReturnsTrueForMobileDevices(): void
{
$mobile = DeviceInfo::fromUserAgent(
'Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X) AppleWebKit/605.1.15',
);
$desktop = DeviceInfo::fromUserAgent(
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0',
);
self::assertTrue($mobile->isMobile());
self::assertFalse($desktop->isMobile());
}
}

87
backend/tests/Unit/Administration/Domain/Model/Session/LocationTest.php Normal file
View File

@@ -0,0 +1,87 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Domain\Model\Session;
use App\Administration\Domain\Model\Session\Location;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class LocationTest extends TestCase
{
#[Test]
public function fromIpCreatesLocationWithCountryAndCity(): void
{
$location = Location::fromIp('192.168.1.1', 'France', 'Paris');
self::assertSame('France', $location->country);
self::assertSame('Paris', $location->city);
self::assertSame('192.168.1.1', $location->ip);
}
#[Test]
public function fromIpCreatesLocationWithCountryOnly(): void
{
$location = Location::fromIp('10.0.0.1', 'Germany', null);
self::assertSame('Germany', $location->country);
self::assertNull($location->city);
}
#[Test]
public function unknownCreatesUnknownLocation(): void
{
$location = Location::unknown();
self::assertNull($location->country);
self::assertNull($location->city);
self::assertNull($location->ip);
}
#[Test]
public function formatReturnsCountryAndCity(): void
{
$location = Location::fromIp('192.168.1.1', 'France', 'Paris');
self::assertSame('France, Paris', $location->format());
}
#[Test]
public function formatReturnsCountryOnlyWhenNoCityAvailable(): void
{
$location = Location::fromIp('10.0.0.1', 'Germany', null);
self::assertSame('Germany', $location->format());
}
#[Test]
public function formatReturnsInconnuWhenUnknown(): void
{
$location = Location::unknown();
self::assertSame('Inconnu', $location->format());
}
#[Test]
public function formatReturnsInconnuForPrivateIpRanges(): void
{
$location = Location::fromIp('192.168.1.1', null, null);
self::assertSame('Inconnu', $location->format());
}
#[Test]
public function reconstituteRestoresFromStorage(): void
{
$location = Location::reconstitute(
ip: '8.8.8.8',
country: 'United States',
city: 'Mountain View',
);
self::assertSame('8.8.8.8', $location->ip);
self::assertSame('United States', $location->country);
self::assertSame('Mountain View', $location->city);
}
}

133
backend/tests/Unit/Administration/Domain/Model/Session/SessionTest.php Normal file
View File

@@ -0,0 +1,133 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Domain\Model\Session;
use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
use App\Administration\Domain\Model\Session\DeviceInfo;
use App\Administration\Domain\Model\Session\Location;
use App\Administration\Domain\Model\Session\Session;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class SessionTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
#[Test]
public function createGeneratesSessionWithCorrectData(): void
{
$familyId = TokenFamilyId::generate();
$userId = UserId::generate();
$tenantId = TenantId::fromString(self::TENANT_ID);
$deviceInfo = DeviceInfo::fromUserAgent('Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0');
$location = Location::fromIp('192.168.1.1', 'France', 'Paris');
$createdAt = new DateTimeImmutable('2026-01-31 10:00:00');
$session = Session::create(
$familyId,
$userId,
$tenantId,
$deviceInfo,
$location,
$createdAt,
);
self::assertTrue($session->familyId->equals($familyId));
self::assertTrue($session->userId->equals($userId));
self::assertTrue($session->tenantId->equals($tenantId));
self::assertSame($deviceInfo, $session->deviceInfo);
self::assertSame($location, $session->location);
self::assertEquals($createdAt, $session->createdAt);
self::assertEquals($createdAt, $session->lastActivityAt);
}
#[Test]
public function updateActivityUpdatesLastActivityTimestamp(): void
{
$session = $this->createSession();
$newActivityAt = new DateTimeImmutable('2026-01-31 14:30:00');
$updatedSession = $session->updateActivity($newActivityAt);
self::assertEquals($newActivityAt, $updatedSession->lastActivityAt);
self::assertEquals($session->createdAt, $updatedSession->createdAt);
self::assertTrue($session->familyId->equals($updatedSession->familyId));
}
#[Test]
public function isCurrentReturnsTrueForMatchingFamilyId(): void
{
$familyId = TokenFamilyId::generate();
$session = Session::create(
$familyId,
UserId::generate(),
TenantId::fromString(self::TENANT_ID),
DeviceInfo::fromUserAgent('Mozilla/5.0'),
Location::unknown(),
new DateTimeImmutable(),
);
self::assertTrue($session->isCurrent($familyId));
self::assertFalse($session->isCurrent(TokenFamilyId::generate()));
}
#[Test]
public function belongsToUserReturnsTrueForMatchingUserId(): void
{
$userId = UserId::generate();
$session = Session::create(
TokenFamilyId::generate(),
$userId,
TenantId::fromString(self::TENANT_ID),
DeviceInfo::fromUserAgent('Mozilla/5.0'),
Location::unknown(),
new DateTimeImmutable(),
);
self::assertTrue($session->belongsToUser($userId));
self::assertFalse($session->belongsToUser(UserId::generate()));
}
#[Test]
public function reconstituteRestoresSessionFromStorage(): void
{
$familyId = TokenFamilyId::generate();
$userId = UserId::generate();
$tenantId = TenantId::fromString(self::TENANT_ID);
$deviceInfo = DeviceInfo::fromUserAgent('Mozilla/5.0');
$location = Location::fromIp('10.0.0.1', 'Germany', 'Berlin');
$createdAt = new DateTimeImmutable('2026-01-20 08:00:00');
$lastActivityAt = new DateTimeImmutable('2026-01-31 16:00:00');
$session = Session::reconstitute(
$familyId,
$userId,
$tenantId,
$deviceInfo,
$location,
$createdAt,
$lastActivityAt,
);
self::assertTrue($session->familyId->equals($familyId));
self::assertEquals($createdAt, $session->createdAt);
self::assertEquals($lastActivityAt, $session->lastActivityAt);
}
private function createSession(): Session
{
return Session::create(
TokenFamilyId::generate(),
UserId::generate(),
TenantId::fromString(self::TENANT_ID),
DeviceInfo::fromUserAgent('Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0'),
Location::fromIp('192.168.1.1', 'France', 'Paris'),
new DateTimeImmutable('2026-01-31 10:00:00'),
);
}
}

371
backend/tests/Unit/Administration/Infrastructure/Api/Controller/SessionsControllerTest.php Normal file
View File

@@ -0,0 +1,371 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Infrastructure\Api\Controller;
use App\Administration\Domain\Event\ToutesSessionsInvalidees;
use App\Administration\Domain\Exception\SessionNotFoundException;
use App\Administration\Domain\Model\RefreshToken\DeviceFingerprint;
use App\Administration\Domain\Model\RefreshToken\RefreshToken;
use App\Administration\Domain\Model\RefreshToken\RefreshTokenId;
use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
use App\Administration\Domain\Model\Session\DeviceInfo;
use App\Administration\Domain\Model\Session\Location;
use App\Administration\Domain\Model\Session\Session;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\RefreshTokenRepository;
use App\Administration\Domain\Repository\SessionRepository;
use App\Administration\Infrastructure\Api\Controller\SessionsController;
use App\Administration\Infrastructure\Security\SecurityUser;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\MockObject\MockObject;
use PHPUnit\Framework\TestCase;
use stdClass;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Messenger\Envelope;
use Symfony\Component\Messenger\MessageBusInterface;
final class SessionsControllerTest extends TestCase
{
private Security&MockObject $security;
private SessionRepository&MockObject $sessionRepository;
private RefreshTokenRepository&MockObject $refreshTokenRepository;
private MessageBusInterface&MockObject $eventBus;
private Clock&MockObject $clock;
private SessionsController $controller;
private const string USER_ID = '550e8400-e29b-41d4-a716-446655440000';
private const string TENANT_ID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890';
private const string OTHER_TENANT_ID = 'b2c3d4e5-f6a7-8901-bcde-f12345678901';
protected function setUp(): void
{
$this->security = $this->createMock(Security::class);
$this->sessionRepository = $this->createMock(SessionRepository::class);
$this->refreshTokenRepository = $this->createMock(RefreshTokenRepository::class);
$this->eventBus = $this->createMock(MessageBusInterface::class);
$this->clock = $this->createMock(Clock::class);
$this->controller = new SessionsController(
$this->security,
$this->sessionRepository,
$this->refreshTokenRepository,
$this->eventBus,
$this->clock,
);
}
#[Test]
public function revokeReturnsNotFoundWhenFamilyIdIsMalformed(): void
{
$this->mockAuthenticatedUser();
// Assert: SessionRepository::getByFamilyId() should NEVER be called
// because we fail before any business logic (InvalidArgumentException on UUID parse)
$this->sessionRepository
->expects($this->never())
->method('getByFamilyId');
$this->expectException(NotFoundHttpException::class);
$this->expectExceptionMessage('Session not found');
$request = Request::create('/api/me/sessions/not-a-uuid', 'DELETE');
$this->controller->revoke('not-a-uuid', $request);
}
#[Test]
public function revokeReturnsNotFoundWhenSessionDoesNotExist(): void
{
$this->mockAuthenticatedUser();
$familyId = TokenFamilyId::generate();
$this->sessionRepository
->expects($this->once())
->method('getByFamilyId')
->with($this->callback(static fn (TokenFamilyId $id) => $id->equals($familyId)))
->willThrowException(new SessionNotFoundException($familyId));
$this->expectException(NotFoundHttpException::class);
$this->expectExceptionMessage('Session not found');
$request = Request::create('/api/me/sessions/' . $familyId, 'DELETE');
$this->controller->revoke((string) $familyId, $request);
}
#[Test]
public function listReturnsSessionsForCurrentUserAndTenant(): void
{
$this->mockAuthenticatedUser();
$familyId = TokenFamilyId::generate();
$userId = UserId::fromString(self::USER_ID);
$tenantId = TenantId::fromString(self::TENANT_ID);
$now = new DateTimeImmutable('2024-01-15 10:00:00');
$session = Session::create(
familyId: $familyId,
userId: $userId,
tenantId: $tenantId,
deviceInfo: DeviceInfo::reconstitute('Desktop', 'Chrome 120', 'Windows 10', 'Mozilla/5.0'),
location: Location::fromIp('192.168.1.1', 'France', 'Paris'),
createdAt: $now,
);
$this->sessionRepository
->expects($this->once())
->method('findAllByUserId')
->with($this->callback(static fn (UserId $id) => $id->equals($userId)))
->willReturn([$session]);
$request = Request::create('/api/me/sessions', 'GET');
$response = $this->controller->list($request);
$data = json_decode($response->getContent(), true);
self::assertSame(200, $response->getStatusCode());
self::assertCount(1, $data['sessions']);
self::assertSame((string) $familyId, $data['sessions'][0]['family_id']);
self::assertSame('Desktop', $data['sessions'][0]['device']);
self::assertSame('Chrome 120', $data['sessions'][0]['browser']);
self::assertSame('Windows 10', $data['sessions'][0]['os']);
self::assertSame('France, Paris', $data['sessions'][0]['location']);
self::assertFalse($data['sessions'][0]['is_current']);
}
#[Test]
public function listFilterOutSessionsFromOtherTenants(): void
{
$this->mockAuthenticatedUser();
$userId = UserId::fromString(self::USER_ID);
$currentTenantId = TenantId::fromString(self::TENANT_ID);
$otherTenantId = TenantId::fromString(self::OTHER_TENANT_ID);
$now = new DateTimeImmutable('2024-01-15 10:00:00');
$sessionSameTenant = Session::create(
familyId: TokenFamilyId::generate(),
userId: $userId,
tenantId: $currentTenantId,
deviceInfo: DeviceInfo::reconstitute('Desktop', 'Chrome 120', 'Windows 10', 'Mozilla/5.0'),
location: Location::unknown(),
createdAt: $now,
);
$sessionOtherTenant = Session::create(
familyId: TokenFamilyId::generate(),
userId: $userId,
tenantId: $otherTenantId,
deviceInfo: DeviceInfo::reconstitute('Mobile', 'Safari 17', 'iOS 17', 'iPhone'),
location: Location::unknown(),
createdAt: $now,
);
$this->sessionRepository
->method('findAllByUserId')
->willReturn([$sessionSameTenant, $sessionOtherTenant]);
$request = Request::create('/api/me/sessions', 'GET');
$response = $this->controller->list($request);
$data = json_decode($response->getContent(), true);
// Should only return the session from the current tenant
self::assertCount(1, $data['sessions']);
self::assertSame('Desktop', $data['sessions'][0]['device']);
}
#[Test]
public function listMarksCurrentSessionCorrectly(): void
{
$this->mockAuthenticatedUser();
$currentFamilyId = TokenFamilyId::generate();
$otherFamilyId = TokenFamilyId::generate();
$userId = UserId::fromString(self::USER_ID);
$tenantId = TenantId::fromString(self::TENANT_ID);
$now = new DateTimeImmutable('2024-01-15 10:00:00');
$currentSession = Session::create(
familyId: $currentFamilyId,
userId: $userId,
tenantId: $tenantId,
deviceInfo: DeviceInfo::reconstitute('Desktop', 'Chrome 120', 'Windows 10', 'UA1'),
location: Location::unknown(),
createdAt: $now,
);
$otherSession = Session::create(
familyId: $otherFamilyId,
userId: $userId,
tenantId: $tenantId,
deviceInfo: DeviceInfo::reconstitute('Mobile', 'Safari 17', 'iOS 17', 'UA2'),
location: Location::unknown(),
createdAt: $now,
);
$this->sessionRepository
->method('findAllByUserId')
->willReturn([$currentSession, $otherSession]);
// Create a real RefreshToken to identify the current session
$refreshToken = RefreshToken::reconstitute(
id: RefreshTokenId::generate(),
familyId: $currentFamilyId,
userId: $userId,
tenantId: $tenantId,
deviceFingerprint: DeviceFingerprint::fromString('test-fingerprint'),
issuedAt: $now,
expiresAt: $now->modify('+1 day'),
rotatedFrom: null,
isRotated: false,
);
$this->refreshTokenRepository
->method('find')
->willReturn($refreshToken);
// Create request with refresh token cookie
$tokenValue = $refreshToken->toTokenString();
$request = Request::create('/api/me/sessions', 'GET');
$request->cookies->set('refresh_token', $tokenValue);
$response = $this->controller->list($request);
$data = json_decode($response->getContent(), true);
// Current session should be first (sorted) and marked as current
self::assertCount(2, $data['sessions']);
self::assertTrue($data['sessions'][0]['is_current']);
self::assertSame((string) $currentFamilyId, $data['sessions'][0]['family_id']);
self::assertFalse($data['sessions'][1]['is_current']);
}
#[Test]
public function revokeAllDeletesAllSessionsExceptCurrent(): void
{
$this->mockAuthenticatedUser();
$currentFamilyId = TokenFamilyId::generate();
$deletedFamilyId1 = TokenFamilyId::generate();
$deletedFamilyId2 = TokenFamilyId::generate();
$userId = UserId::fromString(self::USER_ID);
$tenantId = TenantId::fromString(self::TENANT_ID);
$now = new DateTimeImmutable('2024-01-15 10:00:00');
$this->clock->method('now')->willReturn($now);
// Create a real RefreshToken for current session identification
$refreshToken = RefreshToken::reconstitute(
id: RefreshTokenId::generate(),
familyId: $currentFamilyId,
userId: $userId,
tenantId: $tenantId,
deviceFingerprint: DeviceFingerprint::fromString('test-fingerprint'),
issuedAt: $now,
expiresAt: $now->modify('+1 day'),
rotatedFrom: null,
isRotated: false,
);
$this->refreshTokenRepository->method('find')->willReturn($refreshToken);
// Mock deleteAllExcept
$this->sessionRepository
->expects($this->once())
->method('deleteAllExcept')
->with(
$this->callback(static fn (UserId $id) => $id->equals($userId)),
$this->callback(static fn (TokenFamilyId $id) => $id->equals($currentFamilyId)),
)
->willReturn([$deletedFamilyId1, $deletedFamilyId2]);
// Expect invalidateFamily to be called for each deleted session
$this->refreshTokenRepository
->expects($this->exactly(2))
->method('invalidateFamily');
// Expect event to be dispatched
$this->eventBus
->expects($this->once())
->method('dispatch')
->with($this->isInstanceOf(ToutesSessionsInvalidees::class))
->willReturn(new Envelope(new stdClass()));
$tokenValue = $refreshToken->toTokenString();
$request = Request::create('/api/me/sessions', 'DELETE');
$request->cookies->set('refresh_token', $tokenValue);
$request->headers->set('User-Agent', 'Test Browser');
$response = $this->controller->revokeAll($request);
$data = json_decode($response->getContent(), true);
self::assertSame(200, $response->getStatusCode());
self::assertSame('All other sessions revoked', $data['message']);
self::assertSame(2, $data['revoked_count']);
}
#[Test]
public function revokeAllDoesNotDispatchEventWhenNoSessionsRevoked(): void
{
$this->mockAuthenticatedUser();
$currentFamilyId = TokenFamilyId::generate();
$userId = UserId::fromString(self::USER_ID);
$tenantId = TenantId::fromString(self::TENANT_ID);
$now = new DateTimeImmutable('2024-01-15 10:00:00');
$this->clock->method('now')->willReturn($now);
// Create a real RefreshToken
$refreshToken = RefreshToken::reconstitute(
id: RefreshTokenId::generate(),
familyId: $currentFamilyId,
userId: $userId,
tenantId: $tenantId,
deviceFingerprint: DeviceFingerprint::fromString('test-fingerprint'),
issuedAt: $now,
expiresAt: $now->modify('+1 day'),
rotatedFrom: null,
isRotated: false,
);
$this->refreshTokenRepository->method('find')->willReturn($refreshToken);
// No sessions to delete
$this->sessionRepository
->method('deleteAllExcept')
->willReturn([]);
// Event should NOT be dispatched
$this->eventBus
->expects($this->never())
->method('dispatch');
$tokenValue = $refreshToken->toTokenString();
$request = Request::create('/api/me/sessions', 'DELETE');
$request->cookies->set('refresh_token', $tokenValue);
$response = $this->controller->revokeAll($request);
$data = json_decode($response->getContent(), true);
self::assertSame(200, $response->getStatusCode());
self::assertSame(0, $data['revoked_count']);
}
private function mockAuthenticatedUser(): void
{
$securityUser = new SecurityUser(
UserId::fromString(self::USER_ID),
'test@example.com',
'hashed_password',
TenantId::fromString(self::TENANT_ID),
['ROLE_USER'],
);
$this->security->method('getUser')->willReturn($securityUser);
}
}

241
backend/tests/Unit/Administration/Infrastructure/Persistence/Redis/RedisSessionRepositoryTest.php Normal file
View File

@@ -0,0 +1,241 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Infrastructure\Persistence\Redis;
use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
use App\Administration\Domain\Model\Session\DeviceInfo;
use App\Administration\Domain\Model\Session\Location;
use App\Administration\Domain\Model\Session\Session;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Infrastructure\Persistence\Redis\RedisSessionRepository;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
use Symfony\Component\Cache\Adapter\ArrayAdapter;
final class RedisSessionRepositoryTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private ArrayAdapter $cache;
private RedisSessionRepository $repository;
protected function setUp(): void
{
$this->cache = new ArrayAdapter();
$this->repository = new RedisSessionRepository($this->cache);
}
#[Test]
public function savePersistsSession(): void
{
$session = $this->createSession();
$this->repository->save($session, 86400);
$retrieved = $this->repository->findByFamilyId($session->familyId);
self::assertNotNull($retrieved);
self::assertTrue($session->familyId->equals($retrieved->familyId));
}
#[Test]
public function findByFamilyIdReturnsNullWhenNotFound(): void
{
$nonExistentId = TokenFamilyId::generate();
$result = $this->repository->findByFamilyId($nonExistentId);
self::assertNull($result);
}
#[Test]
public function findAllByUserIdReturnsAllUserSessions(): void
{
$userId = UserId::generate();
$tenantId = TenantId::fromString(self::TENANT_ID);
$session1 = Session::create(
TokenFamilyId::generate(),
$userId,
$tenantId,
DeviceInfo::fromUserAgent('Chrome'),
Location::unknown(),
new DateTimeImmutable(),
);
$session2 = Session::create(
TokenFamilyId::generate(),
$userId,
$tenantId,
DeviceInfo::fromUserAgent('Firefox'),
Location::unknown(),
new DateTimeImmutable(),
);
$otherUserSession = Session::create(
TokenFamilyId::generate(),
UserId::generate(),
$tenantId,
DeviceInfo::fromUserAgent('Safari'),
Location::unknown(),
new DateTimeImmutable(),
);
$this->repository->save($session1, 86400);
$this->repository->save($session2, 86400);
$this->repository->save($otherUserSession, 86400);
$sessions = $this->repository->findAllByUserId($userId);
self::assertCount(2, $sessions);
$familyIds = array_map(
static fn (Session $s) => (string) $s->familyId,
$sessions,
);
self::assertContains((string) $session1->familyId, $familyIds);
self::assertContains((string) $session2->familyId, $familyIds);
}
#[Test]
public function deleteRemovesSession(): void
{
$session = $this->createSession();
$this->repository->save($session, 86400);
$this->repository->delete($session->familyId);
self::assertNull($this->repository->findByFamilyId($session->familyId));
}
#[Test]
public function deleteRemovesSessionFromUserIndex(): void
{
$userId = UserId::generate();
$session = Session::create(
TokenFamilyId::generate(),
$userId,
TenantId::fromString(self::TENANT_ID),
DeviceInfo::fromUserAgent('Chrome'),
Location::unknown(),
new DateTimeImmutable(),
);
$this->repository->save($session, 86400);
$this->repository->delete($session->familyId);
$sessions = $this->repository->findAllByUserId($userId);
self::assertCount(0, $sessions);
}
#[Test]
public function deleteAllExceptRemovesOtherSessions(): void
{
$userId = UserId::generate();
$tenantId = TenantId::fromString(self::TENANT_ID);
$currentFamilyId = TokenFamilyId::generate();
$currentSession = Session::create(
$currentFamilyId,
$userId,
$tenantId,
DeviceInfo::fromUserAgent('Chrome'),
Location::unknown(),
new DateTimeImmutable(),
);
$otherSession1 = Session::create(
TokenFamilyId::generate(),
$userId,
$tenantId,
DeviceInfo::fromUserAgent('Firefox'),
Location::unknown(),
new DateTimeImmutable(),
);
$otherSession2 = Session::create(
TokenFamilyId::generate(),
$userId,
$tenantId,
DeviceInfo::fromUserAgent('Safari'),
Location::unknown(),
new DateTimeImmutable(),
);
$this->repository->save($currentSession, 86400);
$this->repository->save($otherSession1, 86400);
$this->repository->save($otherSession2, 86400);
$deletedFamilyIds = $this->repository->deleteAllExcept($userId, $currentFamilyId);
self::assertCount(2, $deletedFamilyIds);
self::assertContains((string) $otherSession1->familyId, array_map(static fn ($id) => (string) $id, $deletedFamilyIds));
self::assertContains((string) $otherSession2->familyId, array_map(static fn ($id) => (string) $id, $deletedFamilyIds));
$sessions = $this->repository->findAllByUserId($userId);
self::assertCount(1, $sessions);
self::assertTrue($sessions[0]->familyId->equals($currentFamilyId));
}
#[Test]
public function updateActivityUpdatesLastActivityTimestamp(): void
{
$session = $this->createSession();
$this->repository->save($session, 86400);
$newActivityAt = new DateTimeImmutable('2026-02-01 15:30:00');
$remainingTtl = 43200; // 12 hours remaining
$this->repository->updateActivity($session->familyId, $newActivityAt, $remainingTtl);
$updated = $this->repository->findByFamilyId($session->familyId);
self::assertNotNull($updated);
self::assertEquals($newActivityAt, $updated->lastActivityAt);
}
#[Test]
public function savePreservesAllSessionData(): void
{
$familyId = TokenFamilyId::generate();
$userId = UserId::generate();
$tenantId = TenantId::fromString(self::TENANT_ID);
$deviceInfo = DeviceInfo::fromUserAgent(
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0',
);
$location = Location::fromIp('8.8.8.8', 'United States', 'Mountain View');
$createdAt = new DateTimeImmutable('2026-01-31 10:00:00');
$session = Session::create(
$familyId,
$userId,
$tenantId,
$deviceInfo,
$location,
$createdAt,
);
$this->repository->save($session, 86400);
$retrieved = $this->repository->findByFamilyId($familyId);
self::assertNotNull($retrieved);
self::assertTrue($familyId->equals($retrieved->familyId));
self::assertTrue($userId->equals($retrieved->userId));
self::assertTrue($tenantId->equals($retrieved->tenantId));
self::assertSame('Desktop', $retrieved->deviceInfo->device);
self::assertSame('Chrome 120', $retrieved->deviceInfo->browser);
self::assertSame('Windows 10', $retrieved->deviceInfo->os);
self::assertSame('United States', $retrieved->location->country);
self::assertSame('Mountain View', $retrieved->location->city);
self::assertEquals($createdAt, $retrieved->createdAt);
}
private function createSession(): Session
{
return Session::create(
TokenFamilyId::generate(),
UserId::generate(),
TenantId::fromString(self::TENANT_ID),
DeviceInfo::fromUserAgent('Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0'),
Location::fromIp('192.168.1.1', 'France', 'Paris'),
new DateTimeImmutable('2026-01-31 10:00:00'),
);
}
}

7
backend/tests/bootstrap.php
View File

@@ -6,6 +6,13 @@ use Symfony\Component\Dotenv\Dotenv;
require dirname(__DIR__) . '/vendor/autoload.php';
// PHPUnit sets $_SERVER['APP_ENV'] via phpunit.xml <server> directive.
// We must ensure this takes precedence over shell environment variables.
if (isset($_SERVER['APP_ENV'])) {
$_ENV['APP_ENV'] = $_SERVER['APP_ENV'];
putenv('APP_ENV=' . $_SERVER['APP_ENV']);
}
if (file_exists(dirname(__DIR__) . '/config/bootstrap.php')) {
require dirname(__DIR__) . '/config/bootstrap.php';
} elseif (method_exists(Dotenv::class, 'bootEnv')) {