feat: Gestion des sessions utilisateur

Permet aux utilisateurs de visualiser et gérer leurs sessions actives sur différents appareils, avec la possibilité de révoquer des sessions à distance en cas de suspicion d'activité non autorisée. Fonctionnalités : - Liste des sessions actives avec métadonnées (appareil, navigateur, localisation) - Identification de la session courante - Révocation individuelle d'une session - Révocation de toutes les autres sessions - Déconnexion avec nettoyage des cookies sur les deux chemins (legacy et actuel) Sécurité : - Cache frontend scopé par utilisateur pour éviter les fuites entre comptes - Validation que le refresh token appartient à l'utilisateur JWT authentifié - TTL des sessions Redis aligné sur l'expiration du refresh token - Événements d'audit pour traçabilité (SessionInvalidee, ToutesSessionsInvalidees) @see Story 1.6 - Gestion des sessions
2026-02-03 10:10:40 +01:00
parent affad287f9
commit b823479658
40 changed files with 4222 additions and 42 deletions
--- a/backend/tests/Unit/Administration/Infrastructure/Api/Controller/SessionsControllerTest.php
+++ b/backend/tests/Unit/Administration/Infrastructure/Api/Controller/SessionsControllerTest.php
@@ -0,0 +1,371 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Administration\Infrastructure\Api\Controller;
+
+use App\Administration\Domain\Event\ToutesSessionsInvalidees;
+use App\Administration\Domain\Exception\SessionNotFoundException;
+use App\Administration\Domain\Model\RefreshToken\DeviceFingerprint;
+use App\Administration\Domain\Model\RefreshToken\RefreshToken;
+use App\Administration\Domain\Model\RefreshToken\RefreshTokenId;
+use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
+use App\Administration\Domain\Model\Session\DeviceInfo;
+use App\Administration\Domain\Model\Session\Location;
+use App\Administration\Domain\Model\Session\Session;
+use App\Administration\Domain\Model\User\UserId;
+use App\Administration\Domain\Repository\RefreshTokenRepository;
+use App\Administration\Domain\Repository\SessionRepository;
+use App\Administration\Infrastructure\Api\Controller\SessionsController;
+use App\Administration\Infrastructure\Security\SecurityUser;
+use App\Shared\Domain\Clock;
+use App\Shared\Domain\Tenant\TenantId;
+use DateTimeImmutable;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use stdClass;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\Messenger\Envelope;
+use Symfony\Component\Messenger\MessageBusInterface;
+
+final class SessionsControllerTest extends TestCase
+{
+    private Security&MockObject $security;
+    private SessionRepository&MockObject $sessionRepository;
+    private RefreshTokenRepository&MockObject $refreshTokenRepository;
+    private MessageBusInterface&MockObject $eventBus;
+    private Clock&MockObject $clock;
+    private SessionsController $controller;
+
+    private const string USER_ID = '550e8400-e29b-41d4-a716-446655440000';
+    private const string TENANT_ID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890';
+    private const string OTHER_TENANT_ID = 'b2c3d4e5-f6a7-8901-bcde-f12345678901';
+
+    protected function setUp(): void
+    {
+        $this->security = $this->createMock(Security::class);
+        $this->sessionRepository = $this->createMock(SessionRepository::class);
+        $this->refreshTokenRepository = $this->createMock(RefreshTokenRepository::class);
+        $this->eventBus = $this->createMock(MessageBusInterface::class);
+        $this->clock = $this->createMock(Clock::class);
+
+        $this->controller = new SessionsController(
+            $this->security,
+            $this->sessionRepository,
+            $this->refreshTokenRepository,
+            $this->eventBus,
+            $this->clock,
+        );
+    }
+
+    #[Test]
+    public function revokeReturnsNotFoundWhenFamilyIdIsMalformed(): void
+    {
+        $this->mockAuthenticatedUser();
+
+        // Assert: SessionRepository::getByFamilyId() should NEVER be called
+        // because we fail before any business logic (InvalidArgumentException on UUID parse)
+        $this->sessionRepository
+            ->expects($this->never())
+            ->method('getByFamilyId');
+
+        $this->expectException(NotFoundHttpException::class);
+        $this->expectExceptionMessage('Session not found');
+
+        $request = Request::create('/api/me/sessions/not-a-uuid', 'DELETE');
+        $this->controller->revoke('not-a-uuid', $request);
+    }
+
+    #[Test]
+    public function revokeReturnsNotFoundWhenSessionDoesNotExist(): void
+    {
+        $this->mockAuthenticatedUser();
+
+        $familyId = TokenFamilyId::generate();
+
+        $this->sessionRepository
+            ->expects($this->once())
+            ->method('getByFamilyId')
+            ->with($this->callback(static fn (TokenFamilyId $id) => $id->equals($familyId)))
+            ->willThrowException(new SessionNotFoundException($familyId));
+
+        $this->expectException(NotFoundHttpException::class);
+        $this->expectExceptionMessage('Session not found');
+
+        $request = Request::create('/api/me/sessions/' . $familyId, 'DELETE');
+        $this->controller->revoke((string) $familyId, $request);
+    }
+
+    #[Test]
+    public function listReturnsSessionsForCurrentUserAndTenant(): void
+    {
+        $this->mockAuthenticatedUser();
+
+        $familyId = TokenFamilyId::generate();
+        $userId = UserId::fromString(self::USER_ID);
+        $tenantId = TenantId::fromString(self::TENANT_ID);
+        $now = new DateTimeImmutable('2024-01-15 10:00:00');
+
+        $session = Session::create(
+            familyId: $familyId,
+            userId: $userId,
+            tenantId: $tenantId,
+            deviceInfo: DeviceInfo::reconstitute('Desktop', 'Chrome 120', 'Windows 10', 'Mozilla/5.0'),
+            location: Location::fromIp('192.168.1.1', 'France', 'Paris'),
+            createdAt: $now,
+        );
+
+        $this->sessionRepository
+            ->expects($this->once())
+            ->method('findAllByUserId')
+            ->with($this->callback(static fn (UserId $id) => $id->equals($userId)))
+            ->willReturn([$session]);
+
+        $request = Request::create('/api/me/sessions', 'GET');
+        $response = $this->controller->list($request);
+
+        $data = json_decode($response->getContent(), true);
+
+        self::assertSame(200, $response->getStatusCode());
+        self::assertCount(1, $data['sessions']);
+        self::assertSame((string) $familyId, $data['sessions'][0]['family_id']);
+        self::assertSame('Desktop', $data['sessions'][0]['device']);
+        self::assertSame('Chrome 120', $data['sessions'][0]['browser']);
+        self::assertSame('Windows 10', $data['sessions'][0]['os']);
+        self::assertSame('France, Paris', $data['sessions'][0]['location']);
+        self::assertFalse($data['sessions'][0]['is_current']);
+    }
+
+    #[Test]
+    public function listFilterOutSessionsFromOtherTenants(): void
+    {
+        $this->mockAuthenticatedUser();
+
+        $userId = UserId::fromString(self::USER_ID);
+        $currentTenantId = TenantId::fromString(self::TENANT_ID);
+        $otherTenantId = TenantId::fromString(self::OTHER_TENANT_ID);
+        $now = new DateTimeImmutable('2024-01-15 10:00:00');
+
+        $sessionSameTenant = Session::create(
+            familyId: TokenFamilyId::generate(),
+            userId: $userId,
+            tenantId: $currentTenantId,
+            deviceInfo: DeviceInfo::reconstitute('Desktop', 'Chrome 120', 'Windows 10', 'Mozilla/5.0'),
+            location: Location::unknown(),
+            createdAt: $now,
+        );
+
+        $sessionOtherTenant = Session::create(
+            familyId: TokenFamilyId::generate(),
+            userId: $userId,
+            tenantId: $otherTenantId,
+            deviceInfo: DeviceInfo::reconstitute('Mobile', 'Safari 17', 'iOS 17', 'iPhone'),
+            location: Location::unknown(),
+            createdAt: $now,
+        );
+
+        $this->sessionRepository
+            ->method('findAllByUserId')
+            ->willReturn([$sessionSameTenant, $sessionOtherTenant]);
+
+        $request = Request::create('/api/me/sessions', 'GET');
+        $response = $this->controller->list($request);
+
+        $data = json_decode($response->getContent(), true);
+
+        // Should only return the session from the current tenant
+        self::assertCount(1, $data['sessions']);
+        self::assertSame('Desktop', $data['sessions'][0]['device']);
+    }
+
+    #[Test]
+    public function listMarksCurrentSessionCorrectly(): void
+    {
+        $this->mockAuthenticatedUser();
+
+        $currentFamilyId = TokenFamilyId::generate();
+        $otherFamilyId = TokenFamilyId::generate();
+        $userId = UserId::fromString(self::USER_ID);
+        $tenantId = TenantId::fromString(self::TENANT_ID);
+        $now = new DateTimeImmutable('2024-01-15 10:00:00');
+
+        $currentSession = Session::create(
+            familyId: $currentFamilyId,
+            userId: $userId,
+            tenantId: $tenantId,
+            deviceInfo: DeviceInfo::reconstitute('Desktop', 'Chrome 120', 'Windows 10', 'UA1'),
+            location: Location::unknown(),
+            createdAt: $now,
+        );
+
+        $otherSession = Session::create(
+            familyId: $otherFamilyId,
+            userId: $userId,
+            tenantId: $tenantId,
+            deviceInfo: DeviceInfo::reconstitute('Mobile', 'Safari 17', 'iOS 17', 'UA2'),
+            location: Location::unknown(),
+            createdAt: $now,
+        );
+
+        $this->sessionRepository
+            ->method('findAllByUserId')
+            ->willReturn([$currentSession, $otherSession]);
+
+        // Create a real RefreshToken to identify the current session
+        $refreshToken = RefreshToken::reconstitute(
+            id: RefreshTokenId::generate(),
+            familyId: $currentFamilyId,
+            userId: $userId,
+            tenantId: $tenantId,
+            deviceFingerprint: DeviceFingerprint::fromString('test-fingerprint'),
+            issuedAt: $now,
+            expiresAt: $now->modify('+1 day'),
+            rotatedFrom: null,
+            isRotated: false,
+        );
+
+        $this->refreshTokenRepository
+            ->method('find')
+            ->willReturn($refreshToken);
+
+        // Create request with refresh token cookie
+        $tokenValue = $refreshToken->toTokenString();
+        $request = Request::create('/api/me/sessions', 'GET');
+        $request->cookies->set('refresh_token', $tokenValue);
+
+        $response = $this->controller->list($request);
+        $data = json_decode($response->getContent(), true);
+
+        // Current session should be first (sorted) and marked as current
+        self::assertCount(2, $data['sessions']);
+        self::assertTrue($data['sessions'][0]['is_current']);
+        self::assertSame((string) $currentFamilyId, $data['sessions'][0]['family_id']);
+        self::assertFalse($data['sessions'][1]['is_current']);
+    }
+
+    #[Test]
+    public function revokeAllDeletesAllSessionsExceptCurrent(): void
+    {
+        $this->mockAuthenticatedUser();
+
+        $currentFamilyId = TokenFamilyId::generate();
+        $deletedFamilyId1 = TokenFamilyId::generate();
+        $deletedFamilyId2 = TokenFamilyId::generate();
+        $userId = UserId::fromString(self::USER_ID);
+        $tenantId = TenantId::fromString(self::TENANT_ID);
+        $now = new DateTimeImmutable('2024-01-15 10:00:00');
+
+        $this->clock->method('now')->willReturn($now);
+
+        // Create a real RefreshToken for current session identification
+        $refreshToken = RefreshToken::reconstitute(
+            id: RefreshTokenId::generate(),
+            familyId: $currentFamilyId,
+            userId: $userId,
+            tenantId: $tenantId,
+            deviceFingerprint: DeviceFingerprint::fromString('test-fingerprint'),
+            issuedAt: $now,
+            expiresAt: $now->modify('+1 day'),
+            rotatedFrom: null,
+            isRotated: false,
+        );
+        $this->refreshTokenRepository->method('find')->willReturn($refreshToken);
+
+        // Mock deleteAllExcept
+        $this->sessionRepository
+            ->expects($this->once())
+            ->method('deleteAllExcept')
+            ->with(
+                $this->callback(static fn (UserId $id) => $id->equals($userId)),
+                $this->callback(static fn (TokenFamilyId $id) => $id->equals($currentFamilyId)),
+            )
+            ->willReturn([$deletedFamilyId1, $deletedFamilyId2]);
+
+        // Expect invalidateFamily to be called for each deleted session
+        $this->refreshTokenRepository
+            ->expects($this->exactly(2))
+            ->method('invalidateFamily');
+
+        // Expect event to be dispatched
+        $this->eventBus
+            ->expects($this->once())
+            ->method('dispatch')
+            ->with($this->isInstanceOf(ToutesSessionsInvalidees::class))
+            ->willReturn(new Envelope(new stdClass()));
+
+        $tokenValue = $refreshToken->toTokenString();
+        $request = Request::create('/api/me/sessions', 'DELETE');
+        $request->cookies->set('refresh_token', $tokenValue);
+        $request->headers->set('User-Agent', 'Test Browser');
+
+        $response = $this->controller->revokeAll($request);
+        $data = json_decode($response->getContent(), true);
+
+        self::assertSame(200, $response->getStatusCode());
+        self::assertSame('All other sessions revoked', $data['message']);
+        self::assertSame(2, $data['revoked_count']);
+    }
+
+    #[Test]
+    public function revokeAllDoesNotDispatchEventWhenNoSessionsRevoked(): void
+    {
+        $this->mockAuthenticatedUser();
+
+        $currentFamilyId = TokenFamilyId::generate();
+        $userId = UserId::fromString(self::USER_ID);
+        $tenantId = TenantId::fromString(self::TENANT_ID);
+        $now = new DateTimeImmutable('2024-01-15 10:00:00');
+
+        $this->clock->method('now')->willReturn($now);
+
+        // Create a real RefreshToken
+        $refreshToken = RefreshToken::reconstitute(
+            id: RefreshTokenId::generate(),
+            familyId: $currentFamilyId,
+            userId: $userId,
+            tenantId: $tenantId,
+            deviceFingerprint: DeviceFingerprint::fromString('test-fingerprint'),
+            issuedAt: $now,
+            expiresAt: $now->modify('+1 day'),
+            rotatedFrom: null,
+            isRotated: false,
+        );
+        $this->refreshTokenRepository->method('find')->willReturn($refreshToken);
+
+        // No sessions to delete
+        $this->sessionRepository
+            ->method('deleteAllExcept')
+            ->willReturn([]);
+
+        // Event should NOT be dispatched
+        $this->eventBus
+            ->expects($this->never())
+            ->method('dispatch');
+
+        $tokenValue = $refreshToken->toTokenString();
+        $request = Request::create('/api/me/sessions', 'DELETE');
+        $request->cookies->set('refresh_token', $tokenValue);
+
+        $response = $this->controller->revokeAll($request);
+        $data = json_decode($response->getContent(), true);
+
+        self::assertSame(200, $response->getStatusCode());
+        self::assertSame(0, $data['revoked_count']);
+    }
+
+    private function mockAuthenticatedUser(): void
+    {
+        $securityUser = new SecurityUser(
+            UserId::fromString(self::USER_ID),
+            'test@example.com',
+            'hashed_password',
+            TenantId::fromString(self::TENANT_ID),
+            ['ROLE_USER'],
+        );
+
+        $this->security->method('getUser')->willReturn($securityUser);
+    }
+}
--- a/backend/tests/Unit/Administration/Infrastructure/Persistence/Redis/RedisSessionRepositoryTest.php
+++ b/backend/tests/Unit/Administration/Infrastructure/Persistence/Redis/RedisSessionRepositoryTest.php
@@ -0,0 +1,241 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Administration\Infrastructure\Persistence\Redis;
+
+use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
+use App\Administration\Domain\Model\Session\DeviceInfo;
+use App\Administration\Domain\Model\Session\Location;
+use App\Administration\Domain\Model\Session\Session;
+use App\Administration\Domain\Model\User\UserId;
+use App\Administration\Infrastructure\Persistence\Redis\RedisSessionRepository;
+use App\Shared\Domain\Tenant\TenantId;
+use DateTimeImmutable;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Cache\Adapter\ArrayAdapter;
+
+final class RedisSessionRepositoryTest extends TestCase
+{
+    private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
+
+    private ArrayAdapter $cache;
+    private RedisSessionRepository $repository;
+
+    protected function setUp(): void
+    {
+        $this->cache = new ArrayAdapter();
+        $this->repository = new RedisSessionRepository($this->cache);
+    }
+
+    #[Test]
+    public function savePersistsSession(): void
+    {
+        $session = $this->createSession();
+
+        $this->repository->save($session, 86400);
+
+        $retrieved = $this->repository->findByFamilyId($session->familyId);
+        self::assertNotNull($retrieved);
+        self::assertTrue($session->familyId->equals($retrieved->familyId));
+    }
+
+    #[Test]
+    public function findByFamilyIdReturnsNullWhenNotFound(): void
+    {
+        $nonExistentId = TokenFamilyId::generate();
+
+        $result = $this->repository->findByFamilyId($nonExistentId);
+
+        self::assertNull($result);
+    }
+
+    #[Test]
+    public function findAllByUserIdReturnsAllUserSessions(): void
+    {
+        $userId = UserId::generate();
+        $tenantId = TenantId::fromString(self::TENANT_ID);
+
+        $session1 = Session::create(
+            TokenFamilyId::generate(),
+            $userId,
+            $tenantId,
+            DeviceInfo::fromUserAgent('Chrome'),
+            Location::unknown(),
+            new DateTimeImmutable(),
+        );
+        $session2 = Session::create(
+            TokenFamilyId::generate(),
+            $userId,
+            $tenantId,
+            DeviceInfo::fromUserAgent('Firefox'),
+            Location::unknown(),
+            new DateTimeImmutable(),
+        );
+        $otherUserSession = Session::create(
+            TokenFamilyId::generate(),
+            UserId::generate(),
+            $tenantId,
+            DeviceInfo::fromUserAgent('Safari'),
+            Location::unknown(),
+            new DateTimeImmutable(),
+        );
+
+        $this->repository->save($session1, 86400);
+        $this->repository->save($session2, 86400);
+        $this->repository->save($otherUserSession, 86400);
+
+        $sessions = $this->repository->findAllByUserId($userId);
+
+        self::assertCount(2, $sessions);
+
+        $familyIds = array_map(
+            static fn (Session $s) => (string) $s->familyId,
+            $sessions,
+        );
+        self::assertContains((string) $session1->familyId, $familyIds);
+        self::assertContains((string) $session2->familyId, $familyIds);
+    }
+
+    #[Test]
+    public function deleteRemovesSession(): void
+    {
+        $session = $this->createSession();
+        $this->repository->save($session, 86400);
+
+        $this->repository->delete($session->familyId);
+
+        self::assertNull($this->repository->findByFamilyId($session->familyId));
+    }
+
+    #[Test]
+    public function deleteRemovesSessionFromUserIndex(): void
+    {
+        $userId = UserId::generate();
+        $session = Session::create(
+            TokenFamilyId::generate(),
+            $userId,
+            TenantId::fromString(self::TENANT_ID),
+            DeviceInfo::fromUserAgent('Chrome'),
+            Location::unknown(),
+            new DateTimeImmutable(),
+        );
+
+        $this->repository->save($session, 86400);
+        $this->repository->delete($session->familyId);
+
+        $sessions = $this->repository->findAllByUserId($userId);
+        self::assertCount(0, $sessions);
+    }
+
+    #[Test]
+    public function deleteAllExceptRemovesOtherSessions(): void
+    {
+        $userId = UserId::generate();
+        $tenantId = TenantId::fromString(self::TENANT_ID);
+        $currentFamilyId = TokenFamilyId::generate();
+
+        $currentSession = Session::create(
+            $currentFamilyId,
+            $userId,
+            $tenantId,
+            DeviceInfo::fromUserAgent('Chrome'),
+            Location::unknown(),
+            new DateTimeImmutable(),
+        );
+        $otherSession1 = Session::create(
+            TokenFamilyId::generate(),
+            $userId,
+            $tenantId,
+            DeviceInfo::fromUserAgent('Firefox'),
+            Location::unknown(),
+            new DateTimeImmutable(),
+        );
+        $otherSession2 = Session::create(
+            TokenFamilyId::generate(),
+            $userId,
+            $tenantId,
+            DeviceInfo::fromUserAgent('Safari'),
+            Location::unknown(),
+            new DateTimeImmutable(),
+        );
+
+        $this->repository->save($currentSession, 86400);
+        $this->repository->save($otherSession1, 86400);
+        $this->repository->save($otherSession2, 86400);
+
+        $deletedFamilyIds = $this->repository->deleteAllExcept($userId, $currentFamilyId);
+
+        self::assertCount(2, $deletedFamilyIds);
+        self::assertContains((string) $otherSession1->familyId, array_map(static fn ($id) => (string) $id, $deletedFamilyIds));
+        self::assertContains((string) $otherSession2->familyId, array_map(static fn ($id) => (string) $id, $deletedFamilyIds));
+
+        $sessions = $this->repository->findAllByUserId($userId);
+        self::assertCount(1, $sessions);
+        self::assertTrue($sessions[0]->familyId->equals($currentFamilyId));
+    }
+
+    #[Test]
+    public function updateActivityUpdatesLastActivityTimestamp(): void
+    {
+        $session = $this->createSession();
+        $this->repository->save($session, 86400);
+
+        $newActivityAt = new DateTimeImmutable('2026-02-01 15:30:00');
+        $remainingTtl = 43200; // 12 hours remaining
+        $this->repository->updateActivity($session->familyId, $newActivityAt, $remainingTtl);
+
+        $updated = $this->repository->findByFamilyId($session->familyId);
+        self::assertNotNull($updated);
+        self::assertEquals($newActivityAt, $updated->lastActivityAt);
+    }
+
+    #[Test]
+    public function savePreservesAllSessionData(): void
+    {
+        $familyId = TokenFamilyId::generate();
+        $userId = UserId::generate();
+        $tenantId = TenantId::fromString(self::TENANT_ID);
+        $deviceInfo = DeviceInfo::fromUserAgent(
+            'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0',
+        );
+        $location = Location::fromIp('8.8.8.8', 'United States', 'Mountain View');
+        $createdAt = new DateTimeImmutable('2026-01-31 10:00:00');
+
+        $session = Session::create(
+            $familyId,
+            $userId,
+            $tenantId,
+            $deviceInfo,
+            $location,
+            $createdAt,
+        );
+
+        $this->repository->save($session, 86400);
+        $retrieved = $this->repository->findByFamilyId($familyId);
+
+        self::assertNotNull($retrieved);
+        self::assertTrue($familyId->equals($retrieved->familyId));
+        self::assertTrue($userId->equals($retrieved->userId));
+        self::assertTrue($tenantId->equals($retrieved->tenantId));
+        self::assertSame('Desktop', $retrieved->deviceInfo->device);
+        self::assertSame('Chrome 120', $retrieved->deviceInfo->browser);
+        self::assertSame('Windows 10', $retrieved->deviceInfo->os);
+        self::assertSame('United States', $retrieved->location->country);
+        self::assertSame('Mountain View', $retrieved->location->city);
+        self::assertEquals($createdAt, $retrieved->createdAt);
+    }
+
+    private function createSession(): Session
+    {
+        return Session::create(
+            TokenFamilyId::generate(),
+            UserId::generate(),
+            TenantId::fromString(self::TENANT_ID),
+            DeviceInfo::fromUserAgent('Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0'),
+            Location::fromIp('192.168.1.1', 'France', 'Paris'),
+            new DateTimeImmutable('2026-01-31 10:00:00'),
+        );
+    }
+}