Roukmoute/Classeo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Connexion utilisateur avec sécurité renforcée

Browse Source 
Implémente la Story 1.4 du système d'authentification avec plusieurs
couches de protection contre les attaques par force brute.

Sécurité backend :
- Authentification JWT avec access token (15min) + refresh token (7j)
- Rotation automatique des refresh tokens avec détection de replay
- Rate limiting progressif par IP (délai Fibonacci après échecs)
- Intégration Cloudflare Turnstile CAPTCHA après 5 tentatives
- Alerte email à l'utilisateur après blocage temporaire
- Isolation multi-tenant (un utilisateur ne peut se connecter que sur
  son établissement)

Frontend :
- Page de connexion avec feedback visuel des délais et erreurs
- Composant TurnstileCaptcha réutilisable
- Gestion d'état auth avec stockage sécurisé des tokens
- Tests E2E Playwright pour login, tenant isolation, et activation

Infrastructure :
- Configuration Symfony Security avec json_login + jwt
- Cache pools séparés (filesystem en test, Redis en prod)
- NullLoginRateLimiter pour environnement de test (évite blocage CI)
- Génération des clés JWT en CI après démarrage du backend
This commit is contained in:
Mathias STRASSER
2026-02-01 10:25:25 +01:00
parent 6889c67a44
commit b9d9f48305
93 changed files with 6850 additions and 155 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
backend/.env
View File

@@ -66,9 +66,20 @@ TENANT_BASE_DOMAIN=classeo.local
###> app ###
# Frontend URL for emails and links
APP_URL=http://localhost:5173
APP_URL=http://localhost:5174
###< app ###
###> nelmio/cors-bundle ###
CORS_ALLOW_ORIGIN='^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?$'
CORS_ALLOW_ORIGIN='^https?://(localhost|127\.0\.0\.1|[\w-]+\.classeo\.local)(:[0-9]+)?$'
###< nelmio/cors-bundle ###
###> cloudflare/turnstile ###
# Cloudflare Turnstile CAPTCHA (anti-bot protection)
# Get keys from: https://dash.cloudflare.com/?to=/:account/turnstile
# Cloudflare Turnstile - use test keys for local dev
# Test secret that always passes: 1x0000000000000000000000000000000AA
# Real key for production: set in .env.local
TURNSTILE_SECRET_KEY=1x0000000000000000000000000000000AA
# Fail open on API errors: true=allow through (dev), false=block (prod)
TURNSTILE_FAIL_OPEN=true
###< cloudflare/turnstile ###

2
backend/.php-cs-fixer.dist.php
View File

@@ -16,6 +16,8 @@ $finder = (new PhpCsFixer\Finder())
->notPath('src/Shared/Domain/EntityId.php')
// Classes that need to be mocked in tests (cannot be final)
->notPath('src/Shared/Infrastructure/Tenant/TenantResolver.php')
// Domain TenantId needs to be extended by Infrastructure alias during migration
->notPath('src/Shared/Domain/Tenant/TenantId.php')
;
return (new PhpCsFixer\Config())

2
backend/composer.json
View File

@@ -25,11 +25,13 @@
"symfony/dotenv": "^8.0",
"symfony/flex": "^2",
"symfony/framework-bundle": "^8.0",
"symfony/http-client": "8.0.*",
"symfony/mailer": "8.0.*",
"symfony/messenger": "^8.0",
"symfony/monolog-bundle": "^4.0",
"symfony/property-access": "^8.0",
"symfony/property-info": "^8.0",
"symfony/rate-limiter": "8.0.*",
"symfony/runtime": "^8.0",
"symfony/security-bundle": "^8.0",
"symfony/serializer": "^8.0",

392
backend/composer.lock generated
View File

@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "e5abd2128a53127e2298b296ed587025",
"content-hash": "07fe67e8d6e7bdfbca22ab4e7c6a65c2",
"packages": [
{
"name": "api-platform/core",
@@ -3831,6 +3831,180 @@
],
"time": "2026-01-27T09:06:10+00:00"
},
{
"name": "symfony/http-client",
"version": "v8.0.5",
"source": {
"type": "git",
"url": "https://github.com/symfony/http-client.git",
"reference": "f9fdd372473e66469c6d32a4ed12efcffdea38c4"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/http-client/zipball/f9fdd372473e66469c6d32a4ed12efcffdea38c4",
"reference": "f9fdd372473e66469c6d32a4ed12efcffdea38c4",
"shasum": ""
},
"require": {
"php": ">=8.4",
"psr/log": "^1|^2|^3",
"symfony/http-client-contracts": "~3.4.4|^3.5.2",
"symfony/service-contracts": "^2.5|^3"
},
"conflict": {
"amphp/amp": "<3",
"php-http/discovery": "<1.15"
},
"provide": {
"php-http/async-client-implementation": "*",
"php-http/client-implementation": "*",
"psr/http-client-implementation": "1.0",
"symfony/http-client-implementation": "3.0"
},
"require-dev": {
"amphp/http-client": "^5.3.2",
"amphp/http-tunnel": "^2.0",
"guzzlehttp/promises": "^1.4|^2.0",
"nyholm/psr7": "^1.0",
"php-http/httplug": "^1.0|^2.0",
"psr/http-client": "^1.0",
"symfony/cache": "^7.4|^8.0",
"symfony/dependency-injection": "^7.4|^8.0",
"symfony/http-kernel": "^7.4|^8.0",
"symfony/messenger": "^7.4|^8.0",
"symfony/process": "^7.4|^8.0",
"symfony/rate-limiter": "^7.4|^8.0",
"symfony/stopwatch": "^7.4|^8.0"
},
"type": "library",
"autoload": {
"psr-4": {
"Symfony\\Component\\HttpClient\\": ""
},
"exclude-from-classmap": [
"/Tests/"
]
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Nicolas Grekas",
"email": "p@tchwork.com"
},
{
"name": "Symfony Community",
"homepage": "https://symfony.com/contributors"
}
],
"description": "Provides powerful methods to fetch HTTP resources synchronously or asynchronously",
"homepage": "https://symfony.com",
"keywords": [
"http"
],
"support": {
"source": "https://github.com/symfony/http-client/tree/v8.0.5"
},
"funding": [
{
"url": "https://symfony.com/sponsor",
"type": "custom"
},
{
"url": "https://github.com/fabpot",
"type": "github"
},
{
"url": "https://github.com/nicolas-grekas",
"type": "github"
},
{
"url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
"type": "tidelift"
}
],
"time": "2026-01-27T16:18:07+00:00"
},
{
"name": "symfony/http-client-contracts",
"version": "v3.6.0",
"source": {
"type": "git",
"url": "https://github.com/symfony/http-client-contracts.git",
"reference": "75d7043853a42837e68111812f4d964b01e5101c"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/http-client-contracts/zipball/75d7043853a42837e68111812f4d964b01e5101c",
"reference": "75d7043853a42837e68111812f4d964b01e5101c",
"shasum": ""
},
"require": {
"php": ">=8.1"
},
"type": "library",
"extra": {
"thanks": {
"url": "https://github.com/symfony/contracts",
"name": "symfony/contracts"
},
"branch-alias": {
"dev-main": "3.6-dev"
}
},
"autoload": {
"psr-4": {
"Symfony\\Contracts\\HttpClient\\": ""
},
"exclude-from-classmap": [
"/Test/"
]
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Nicolas Grekas",
"email": "p@tchwork.com"
},
{
"name": "Symfony Community",
"homepage": "https://symfony.com/contributors"
}
],
"description": "Generic abstractions related to HTTP clients",
"homepage": "https://symfony.com",
"keywords": [
"abstractions",
"contracts",
"decoupling",
"interfaces",
"interoperability",
"standards"
],
"support": {
"source": "https://github.com/symfony/http-client-contracts/tree/v3.6.0"
},
"funding": [
{
"url": "https://symfony.com/sponsor",
"type": "custom"
},
{
"url": "https://github.com/fabpot",
"type": "github"
},
{
"url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
"type": "tidelift"
}
],
"time": "2025-04-29T11:18:49+00:00"
},
{
"name": "symfony/http-foundation",
"version": "v8.0.5",
@@ -4427,6 +4601,77 @@
],
"time": "2025-12-08T08:00:13+00:00"
},
{
"name": "symfony/options-resolver",
"version": "v8.0.0",
"source": {
"type": "git",
"url": "https://github.com/symfony/options-resolver.git",
"reference": "d2b592535ffa6600c265a3893a7f7fd2bad82dd7"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/options-resolver/zipball/d2b592535ffa6600c265a3893a7f7fd2bad82dd7",
"reference": "d2b592535ffa6600c265a3893a7f7fd2bad82dd7",
"shasum": ""
},
"require": {
"php": ">=8.4",
"symfony/deprecation-contracts": "^2.5|^3"
},
"type": "library",
"autoload": {
"psr-4": {
"Symfony\\Component\\OptionsResolver\\": ""
},
"exclude-from-classmap": [
"/Tests/"
]
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Fabien Potencier",
"email": "fabien@symfony.com"
},
{
"name": "Symfony Community",
"homepage": "https://symfony.com/contributors"
}
],
"description": "Provides an improved replacement for the array_replace PHP function",
"homepage": "https://symfony.com",
"keywords": [
"config",
"configuration",
"options"
],
"support": {
"source": "https://github.com/symfony/options-resolver/tree/v8.0.0"
},
"funding": [
{
"url": "https://symfony.com/sponsor",
"type": "custom"
},
{
"url": "https://github.com/fabpot",
"type": "github"
},
{
"url": "https://github.com/nicolas-grekas",
"type": "github"
},
{
"url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
"type": "tidelift"
}
],
"time": "2025-11-12T15:55:31+00:00"
},
{
"name": "symfony/password-hasher",
"version": "v8.0.4",
@@ -5169,6 +5414,80 @@
],
"time": "2026-01-27T16:18:07+00:00"
},
{
"name": "symfony/rate-limiter",
"version": "v8.0.5",
"source": {
"type": "git",
"url": "https://github.com/symfony/rate-limiter.git",
"reference": "7ae921420913ea0d6e4763e229b839b1d9a99288"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/rate-limiter/zipball/7ae921420913ea0d6e4763e229b839b1d9a99288",
"reference": "7ae921420913ea0d6e4763e229b839b1d9a99288",
"shasum": ""
},
"require": {
"php": ">=8.4",
"symfony/options-resolver": "^7.4|^8.0"
},
"require-dev": {
"psr/cache": "^1.0|^2.0|^3.0",
"symfony/lock": "^7.4|^8.0"
},
"type": "library",
"autoload": {
"psr-4": {
"Symfony\\Component\\RateLimiter\\": ""
},
"exclude-from-classmap": [
"/Tests/"
]
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Wouter de Jong",
"email": "wouter@wouterj.nl"
},
{
"name": "Symfony Community",
"homepage": "https://symfony.com/contributors"
}
],
"description": "Provides a Token Bucket implementation to rate limit input and output in your application",
"homepage": "https://symfony.com",
"keywords": [
"limiter",
"rate-limiter"
],
"support": {
"source": "https://github.com/symfony/rate-limiter/tree/v8.0.5"
},
"funding": [
{
"url": "https://symfony.com/sponsor",
"type": "custom"
},
{
"url": "https://github.com/fabpot",
"type": "github"
},
{
"url": "https://github.com/nicolas-grekas",
"type": "github"
},
{
"url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
"type": "tidelift"
}
],
"time": "2026-01-27T16:18:07+00:00"
},
{
"name": "symfony/routing",
"version": "v8.0.4",
@@ -10550,77 +10869,6 @@
],
"time": "2025-12-02T07:14:37+00:00"
},
{
"name": "symfony/options-resolver",
"version": "v8.0.0",
"source": {
"type": "git",
"url": "https://github.com/symfony/options-resolver.git",
"reference": "d2b592535ffa6600c265a3893a7f7fd2bad82dd7"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/options-resolver/zipball/d2b592535ffa6600c265a3893a7f7fd2bad82dd7",
"reference": "d2b592535ffa6600c265a3893a7f7fd2bad82dd7",
"shasum": ""
},
"require": {
"php": ">=8.4",
"symfony/deprecation-contracts": "^2.5|^3"
},
"type": "library",
"autoload": {
"psr-4": {
"Symfony\\Component\\OptionsResolver\\": ""
},
"exclude-from-classmap": [
"/Tests/"
]
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Fabien Potencier",
"email": "fabien@symfony.com"
},
{
"name": "Symfony Community",
"homepage": "https://symfony.com/contributors"
}
],
"description": "Provides an improved replacement for the array_replace PHP function",
"homepage": "https://symfony.com",
"keywords": [
"config",
"configuration",
"options"
],
"support": {
"source": "https://github.com/symfony/options-resolver/tree/v8.0.0"
},
"funding": [
{
"url": "https://symfony.com/sponsor",
"type": "custom"
},
{
"url": "https://github.com/fabpot",
"type": "github"
},
{
"url": "https://github.com/nicolas-grekas",
"type": "github"
},
{
"url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
"type": "tidelift"
}
],
"time": "2025-11-12T15:55:31+00:00"
},
{
"name": "symfony/phpunit-bridge",
"version": "v8.0.3",

18
backend/config/packages/cache.yaml
View File

@@ -14,6 +14,16 @@ framework:
adapter: cache.adapter.filesystem
default_lifetime: 0 # Pas d'expiration
# Pool dédié aux refresh tokens (7 jours TTL max)
refresh_tokens.cache:
adapter: cache.adapter.filesystem
default_lifetime: 604800 # 7 jours
# Pool dédié au rate limiting (15 min TTL)
cache.rate_limiter:
adapter: cache.adapter.filesystem
default_lifetime: 900 # 15 minutes
when@prod:
framework:
cache:
@@ -30,3 +40,11 @@ when@prod:
adapter: cache.adapter.redis
provider: '%env(REDIS_URL)%'
default_lifetime: 0 # Pas d'expiration
refresh_tokens.cache:
adapter: cache.adapter.redis
provider: '%env(REDIS_URL)%'
default_lifetime: 604800 # 7 jours
cache.rate_limiter:
adapter: cache.adapter.redis
provider: '%env(REDIS_URL)%'
default_lifetime: 900 # 15 minutes

4
backend/config/packages/lexik_jwt_authentication.yaml
View File

@@ -2,7 +2,9 @@ lexik_jwt_authentication:
secret_key: '%env(resolve:JWT_SECRET_KEY)%'
public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
pass_phrase: '%env(JWT_PASSPHRASE)%'
token_ttl: 3600
token_ttl: 1800 # 30 minutes (Story 1.4 requirement)
# Use 'username' claim for user identification (email, set by Lexik from getUserIdentifier())
# This allows loadUserByIdentifier() to receive the email correctly
user_id_claim: username
clock_skew: 0

6
backend/config/packages/monolog.yaml
View File

@@ -55,3 +55,9 @@ when@prod:
channels: [deprecation]
path: php://stderr
formatter: monolog.formatter.json
audit:
type: stream
channels: [audit]
path: "%kernel.logs_dir%/audit.log"
level: info
formatter: monolog.formatter.json

3
backend/config/packages/nelmio_cors.yaml
View File

@@ -2,9 +2,10 @@ nelmio_cors:
defaults:
origin_regex: true
allow_origin: ['%env(CORS_ALLOW_ORIGIN)%']
allow_credentials: true
allow_methods: ['GET', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE']
allow_headers: ['Content-Type', 'Authorization']
expose_headers: ['Link']
expose_headers: ['Link', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-RateLimit-Reset']
max_age: 3600
paths:
'^/': null

18
backend/config/packages/rate_limiter.yaml Normal file
View File

@@ -0,0 +1,18 @@
# Rate Limiter Configuration
# Story 1.4 - AC3: Lockout après 5 échecs répétés
framework:
rate_limiter:
# Limite les tentatives de login par email
login_attempts:
policy: fixed_window
limit: 5
interval: '15 minutes'
cache_pool: cache.rate_limiter
# Limite les tentatives de login par IP (protection contre brute force distribué)
login_by_ip:
policy: sliding_window
limit: 20
interval: '15 minutes'
cache_pool: cache.rate_limiter

26
backend/config/packages/security.yaml
View File

@@ -8,28 +8,36 @@ security:
# https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
providers:
# used to reload user from session & other features (e.g. switch_user)
# Configure user provider when User entity is created
users_in_memory:
memory:
users:
admin: { password: 'admin', roles: ['ROLE_ADMIN'] }
# User provider for API authentication (Story 1.4)
app_user_provider:
id: App\Administration\Infrastructure\Security\DatabaseUserProvider
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
api_login:
pattern: ^/api/login$
stateless: true
json_login:
check_path: /api/login
username_path: email
password_path: password
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: App\Administration\Infrastructure\Security\LoginFailureHandler
provider: app_user_provider
api_public:
pattern: ^/api/(activation-tokens|activate|login|docs)(/|$)
pattern: ^/api/(activation-tokens|activate|token/(refresh|logout)|docs)(/|$)
stateless: true
security: false
api:
pattern: ^/api
stateless: true
jwt: ~
provider: app_user_provider
main:
lazy: true
provider: users_in_memory
provider: app_user_provider
# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
@@ -38,6 +46,8 @@ security:
- { path: ^/api/login, roles: PUBLIC_ACCESS }
- { path: ^/api/activation-tokens, roles: PUBLIC_ACCESS }
- { path: ^/api/activate, roles: PUBLIC_ACCESS }
- { path: ^/api/token/refresh, roles: PUBLIC_ACCESS }
- { path: ^/api/token/logout, roles: PUBLIC_ACCESS }
- { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
when@test:

5
backend/config/routes/security.yaml
View File

@@ -1,3 +1,8 @@
_security_logout:
resource: security.route_loader.logout
type: service
# Login route - handled by json_login authenticator
api_login:
path: /api/login
methods: [POST]

65
backend/config/services.yaml
View File

@@ -17,6 +17,8 @@ services:
Psr\Cache\CacheItemPoolInterface $activationTokensCache: '@activation_tokens.cache'
# Bind users cache pool (no TTL - persistent data)
Psr\Cache\CacheItemPoolInterface $usersCache: '@users.cache'
# Bind refresh tokens cache pool (7-day TTL)
Psr\Cache\CacheItemPoolInterface $refreshTokensCache: '@refresh_tokens.cache'
# Bind named message buses
Symfony\Component\Messenger\MessageBusInterface $eventBus: '@event.bus'
Symfony\Component\Messenger\MessageBusInterface $commandBus: '@command.bus'
@@ -76,3 +78,66 @@ services:
App\Administration\Infrastructure\Messaging\SendActivationConfirmationHandler:
arguments:
$appUrl: '%app.url%'
# Audit log handler (uses dedicated audit channel)
App\Administration\Infrastructure\Messaging\AuditLoginEventsHandler:
arguments:
$auditLogger: '@monolog.logger.audit'
$appSecret: '%env(APP_SECRET)%'
# JWT Authentication
App\Administration\Infrastructure\Security\JwtPayloadEnricher:
tags:
- { name: kernel.event_listener, event: lexik_jwt_authentication.on_jwt_created, method: onJWTCreated }
App\Administration\Infrastructure\Security\DatabaseUserProvider:
arguments:
$userRepository: '@App\Administration\Domain\Repository\UserRepository'
# Refresh Token Repository
App\Administration\Domain\Repository\RefreshTokenRepository:
alias: App\Administration\Infrastructure\Persistence\Redis\RedisRefreshTokenRepository
# Login handlers
App\Administration\Infrastructure\Security\LoginSuccessHandler:
tags:
- { name: kernel.event_listener, event: lexik_jwt_authentication.on_authentication_success, method: onAuthenticationSuccess }
App\Administration\Infrastructure\Security\LoginFailureHandler:
tags:
- { name: security.authentication_failure_handler, firewall: api_login }
# Rate Limiter (délai Fibonacci + CAPTCHA + blocage IP)
App\Shared\Infrastructure\RateLimit\LoginRateLimiter:
arguments:
$cache: '@cache.rate_limiter'
App\Shared\Infrastructure\RateLimit\LoginRateLimiterInterface:
alias: App\Shared\Infrastructure\RateLimit\LoginRateLimiter
# Rate Limit Listener (vérifie le rate limit AVANT authentification)
App\Shared\Infrastructure\RateLimit\LoginRateLimitListener:
arguments:
$rateLimiterCache: '@cache.rate_limiter'
# Turnstile CAPTCHA Validator
# failOpen: true en dev (ne pas bloquer si API down), false en prod (sécurité)
App\Shared\Infrastructure\Captcha\TurnstileValidator:
arguments:
$secretKey: '%env(TURNSTILE_SECRET_KEY)%'
$failOpen: '%env(bool:default::TURNSTILE_FAIL_OPEN)%'
App\Shared\Infrastructure\Captcha\TurnstileValidatorInterface:
alias: App\Shared\Infrastructure\Captcha\TurnstileValidator
# =============================================================================
# Test environment overrides
# =============================================================================
when@test:
services:
# Use null rate limiter in test environment to avoid IP blocking during E2E tests
App\Shared\Infrastructure\RateLimit\LoginRateLimiterInterface:
alias: App\Shared\Infrastructure\RateLimit\NullLoginRateLimiter
App\Shared\Infrastructure\RateLimit\NullLoginRateLimiter:
autowire: true

2
backend/src/Administration/Application/Command/ActivateAccount/ActivateAccountResult.php
View File

@@ -4,7 +4,7 @@ declare(strict_types=1);
namespace App\Administration\Application\Command\ActivateAccount;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Domain\Tenant\TenantId;
/**
* Result of the ActivateAccountCommand execution.

160
backend/src/Administration/Application/Service/RefreshTokenManager.php Normal file
View File

@@ -0,0 +1,160 @@
<?php
declare(strict_types=1);
namespace App\Administration\Application\Service;
use App\Administration\Domain\Exception\TokenAlreadyRotatedException;
use App\Administration\Domain\Exception\TokenReplayDetectedException;
use App\Administration\Domain\Model\RefreshToken\DeviceFingerprint;
use App\Administration\Domain\Model\RefreshToken\RefreshToken;
use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\RefreshTokenRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use InvalidArgumentException;
/**
* Gère le cycle de vie des refresh tokens.
*
* Responsabilités :
* - Création de tokens pour nouvelles sessions
* - Rotation des tokens avec détection de replay
* - Invalidation de familles de tokens compromises
*
* @see Story 1.4 - Connexion utilisateur
*/
final readonly class RefreshTokenManager
{
private const int WEB_TTL_SECONDS = 86400; // 1 jour pour web
private const int MOBILE_TTL_SECONDS = 604800; // 7 jours pour mobile
public function __construct(
private RefreshTokenRepository $repository,
private Clock $clock,
) {
}
/**
* Crée un nouveau refresh token pour une session.
*/
public function create(
UserId $userId,
TenantId $tenantId,
DeviceFingerprint $deviceFingerprint,
bool $isMobile = false,
): RefreshToken {
$ttl = $isMobile ? self::MOBILE_TTL_SECONDS : self::WEB_TTL_SECONDS;
// Ajouter un jitter de ±10% pour éviter les expirations simultanées
$jitter = (int) ($ttl * 0.1 * (random_int(-100, 100) / 100));
$ttl += $jitter;
$token = RefreshToken::create(
userId: $userId,
tenantId: $tenantId,
deviceFingerprint: $deviceFingerprint,
issuedAt: $this->clock->now(),
ttlSeconds: $ttl,
);
$this->repository->save($token);
return $token;
}
/**
* Valide et rafraîchit un token.
*
* @throws TokenReplayDetectedException si un replay attack est détecté
* @throws TokenAlreadyRotatedException si le token a déjà été rotaté mais est en grace period
* @throws InvalidArgumentException si le token est invalide ou expiré
*
* @return RefreshToken le nouveau token après rotation
*/
public function refresh(
string $tokenString,
DeviceFingerprint $deviceFingerprint,
): RefreshToken {
$tokenId = RefreshToken::extractIdFromTokenString($tokenString);
$token = $this->repository->find($tokenId);
$now = $this->clock->now();
if ($token === null) {
throw new InvalidArgumentException('Token not found');
}
// Vérifier l'expiration
if ($token->isExpired($now)) {
$this->repository->delete($tokenId);
throw new InvalidArgumentException('Token expired');
}
// Vérifier le device fingerprint
if (!$token->matchesDevice($deviceFingerprint)) {
// Potentielle tentative de vol de token - invalider toute la famille
$this->repository->invalidateFamily($token->familyId);
throw new TokenReplayDetectedException($token->familyId);
}
// Détecter les replay attacks
if ($token->isRotated) {
// Token déjà utilisé !
if ($token->isInGracePeriod($now)) {
// Dans la grace period - probablement une race condition légitime
// On laisse passer mais on ne génère pas de nouveau token
// Le client devrait utiliser le token le plus récent
// Exception dédiée pour ne PAS supprimer le cookie lors d'une race condition légitime
throw new TokenAlreadyRotatedException();
}
// Replay attack confirmé - invalider toute la famille
$this->repository->invalidateFamily($token->familyId);
throw new TokenReplayDetectedException($token->familyId);
}
// Rotation du token (préserve le TTL original)
[$newToken, $rotatedOldToken] = $token->rotate($now);
// Sauvegarder le nouveau token EN PREMIER
// Important: sauvegarder le nouveau token EN PREMIER pour que l'index famille garde le bon TTL
$this->repository->save($newToken);
// Mettre à jour l'ancien token comme rotaté (pour grace period)
$this->repository->save($rotatedOldToken);
return $newToken;
}
/**
* Révoque un token (déconnexion).
*/
public function revoke(string $tokenString): void
{
try {
$tokenId = RefreshToken::extractIdFromTokenString($tokenString);
$token = $this->repository->find($tokenId);
if ($token !== null) {
// Invalider toute la famille pour une déconnexion complète
$this->repository->invalidateFamily($token->familyId);
}
} catch (InvalidArgumentException) {
// Token invalide, rien à faire
}
}
/**
* Invalide toute une famille de tokens.
*
* Utilisé quand un utilisateur est suspendu/archivé pour révoquer toutes ses sessions.
*/
public function invalidateFamily(TokenFamilyId $familyId): void
{
$this->repository->invalidateFamily($familyId);
}
}

2
backend/src/Administration/Domain/Event/ActivationTokenGenerated.php
View File

@@ -6,7 +6,7 @@ namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\ActivationToken\ActivationTokenId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;

2
backend/src/Administration/Domain/Event/CompteActive.php
View File

@@ -5,7 +5,7 @@ declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Shared\Domain\DomainEvent;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;

43
backend/src/Administration/Domain/Event/CompteBloqueTemporairement.php Normal file
View File

@@ -0,0 +1,43 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Shared\Domain\DomainEvent;
use DateTimeImmutable;
use Ramsey\Uuid\Uuid;
use Ramsey\Uuid\UuidInterface;
/**
* Événement émis quand un compte est bloqué temporairement suite à trop de tentatives.
*
* Cet événement déclenche l'envoi d'un email d'alerte à l'utilisateur.
*
* @see Story 1.4 - AC3: Lockout après 5 échecs, email d'alerte
*/
final readonly class CompteBloqueTemporairement implements DomainEvent
{
public function __construct(
public string $email,
public string $ipAddress,
public string $userAgent,
public int $blockedForSeconds,
public int $failedAttempts,
public DateTimeImmutable $occurredOn,
) {
}
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
public function aggregateId(): UuidInterface
{
return Uuid::uuid5(
Uuid::NAMESPACE_DNS,
'account_lockout:' . $this->email,
);
}
}

2
backend/src/Administration/Domain/Event/CompteCreated.php
View File

@@ -6,7 +6,7 @@ namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\DomainEvent;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Ramsey\Uuid\UuidInterface;

44
backend/src/Administration/Domain/Event/ConnexionEchouee.php Normal file
View File

@@ -0,0 +1,44 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Shared\Domain\DomainEvent;
use DateTimeImmutable;
use Ramsey\Uuid\Uuid;
use Ramsey\Uuid\UuidInterface;
/**
* Événement émis lors d'une tentative de connexion échouée.
*
* Note: L'email est enregistré pour le tracking mais ne révèle pas
* si le compte existe (même message d'erreur dans tous les cas).
*
* @see Story 1.4 - AC2: Gestion erreurs d'authentification
*/
final readonly class ConnexionEchouee implements DomainEvent
{
public function __construct(
public string $email,
public string $ipAddress,
public string $userAgent,
public string $reason, // 'invalid_credentials', 'account_locked', 'rate_limited'
public DateTimeImmutable $occurredOn,
) {
}
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
public function aggregateId(): UuidInterface
{
// Pas d'aggregate associé, utiliser un UUID basé sur l'email
return Uuid::uuid5(
Uuid::NAMESPACE_DNS,
'login_attempt:' . $this->email,
);
}
}

39
backend/src/Administration/Domain/Event/ConnexionReussie.php Normal file
View File

@@ -0,0 +1,39 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Shared\Domain\DomainEvent;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Ramsey\Uuid\Uuid;
use Ramsey\Uuid\UuidInterface;
/**
* Événement émis lors d'une connexion réussie.
*
* @see Story 1.4 - Connexion utilisateur
*/
final readonly class ConnexionReussie implements DomainEvent
{
public function __construct(
public string $userId,
public string $email,
public TenantId $tenantId,
public string $ipAddress,
public string $userAgent,
public DateTimeImmutable $occurredOn,
) {
}
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
public function aggregateId(): UuidInterface
{
return Uuid::fromString($this->userId);
}
}

41
backend/src/Administration/Domain/Event/TokenReplayDetecte.php Normal file
View File

@@ -0,0 +1,41 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Event;
use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
use App\Shared\Domain\DomainEvent;
use DateTimeImmutable;
use Ramsey\Uuid\UuidInterface;
/**
* Événement émis lors de la détection d'une tentative de replay attack.
*
* Indique qu'un token déjà utilisé a été présenté, ce qui suggère
* un vol de token. Toute la famille de tokens a été invalidée.
*
* Cet événement doit déclencher une alerte sécurité.
*
* @see Story 1.4 - Connexion utilisateur (sécurité refresh tokens)
*/
final readonly class TokenReplayDetecte implements DomainEvent
{
public function __construct(
public TokenFamilyId $familyId,
public string $ipAddress,
public string $userAgent,
public DateTimeImmutable $occurredOn,
) {
}
public function occurredOn(): DateTimeImmutable
{
return $this->occurredOn;
}
public function aggregateId(): UuidInterface
{
return $this->familyId->value;
}
}

23
backend/src/Administration/Domain/Exception/TokenAlreadyRotatedException.php Normal file
View File

@@ -0,0 +1,23 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use RuntimeException;
/**
* Exception thrown when a refresh token has already been rotated but is still in grace period.
*
* This is a benign condition during multi-tab race conditions - the client should use
* the newer token. The cookie should NOT be cleared in this case.
*
* @see Story 1.4 - Connexion utilisateur
*/
final class TokenAlreadyRotatedException extends RuntimeException
{
public function __construct()
{
parent::__construct('Token already rotated, use new token');
}
}

33
backend/src/Administration/Domain/Exception/TokenReplayDetectedException.php Normal file
View File

@@ -0,0 +1,33 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Exception;
use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
use RuntimeException;
use function sprintf;
/**
* Exception levée quand un replay attack sur un refresh token est détecté.
*
* Cette exception indique qu'un token déjà utilisé a été présenté à nouveau,
* suggérant que le token a été volé et utilisé par un attaquant.
*
* Quand cette exception est levée :
* - Toute la famille de tokens est invalidée
* - L'utilisateur doit se reconnecter
* - Un audit log doit être créé
* - Une alerte de sécurité peut être envoyée
*/
final class TokenReplayDetectedException extends RuntimeException
{
public function __construct(
public readonly TokenFamilyId $familyId,
) {
parent::__construct(
sprintf('Token replay attack detected for family %s. All tokens in family have been invalidated.', $familyId),
);
}
}

2
backend/src/Administration/Domain/Model/ActivationToken/ActivationToken.php
View File

@@ -9,7 +9,7 @@ use App\Administration\Domain\Event\ActivationTokenUsed;
use App\Administration\Domain\Exception\ActivationTokenAlreadyUsedException;
use App\Administration\Domain\Exception\ActivationTokenExpiredException;
use App\Shared\Domain\AggregateRoot;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Ramsey\Uuid\Uuid;

53
backend/src/Administration/Domain/Model/RefreshToken/DeviceFingerprint.php Normal file
View File

@@ -0,0 +1,53 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Model\RefreshToken;
/**
* Empreinte du device pour validation de l'origine du refresh token.
*
* Calculée comme SHA-256(User-Agent) pour identifier le device/navigateur.
*
* Note: L'IP n'est intentionnellement PAS incluse car les utilisateurs
* mobiles ou VPN changent fréquemment d'IP, ce qui invaliderait leur
* session de façon inattendue.
*/
final readonly class DeviceFingerprint
{
private function __construct(
public string $value,
) {
}
/**
* Crée une empreinte à partir des informations de la requête.
*
* @param string $userAgent User-Agent du navigateur
* @param string $_ipAddress Non utilisé (conservé pour compatibilité API)
*/
public static function fromRequest(string $userAgent, string $_ipAddress = ''): self
{
$fingerprint = hash('sha256', $userAgent);
return new self($fingerprint);
}
/**
* Reconstitue une empreinte depuis le stockage.
*/
public static function fromString(string $fingerprint): self
{
return new self($fingerprint);
}
public function equals(self $other): bool
{
return hash_equals($this->value, $other->value);
}
public function __toString(): string
{
return $this->value;
}
}

217
backend/src/Administration/Domain/Model/RefreshToken/RefreshToken.php Normal file
View File

@@ -0,0 +1,217 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Model\RefreshToken;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use InvalidArgumentException;
/**
* Représente un refresh token pour le renouvellement silencieux des sessions.
*
* Stratégie de sécurité :
* - Rotation : chaque utilisation génère un nouveau token et invalide l'ancien
* - Family tracking : tous les tokens d'une session partagent un family_id
* - Replay detection : si un token déjà utilisé est présenté, toute la famille est invalidée
* - Device binding : le token est lié à un device fingerprint
* - Grace period : 30s de tolérance pour les race conditions multi-onglets
*
* Note sur les méthodes statiques :
* Cette classe utilise des factory methods statiques (create(), reconstitute()) conformément
* aux patterns DDD standards pour la création d'Aggregates. Bien que le projet suive les
* principes Elegant Objects "No Static", les factory methods pour les Aggregates sont une
* exception documentée car elles encapsulent la logique d'instanciation et rendent le
* constructeur privé, préservant ainsi l'invariant du domain.
*
* @see Story 1.4 - Connexion utilisateur
*/
final readonly class RefreshToken
{
/**
* TTL par défaut : 7 jours (604800 secondes).
*
* Ce TTL est utilisé si aucun TTL n'est spécifié à la création du token.
* RefreshTokenManager utilise 1 jour (86400s) pour les sessions web afin
* de limiter l'exposition en cas de vol de cookie sur navigateur.
*/
private const int DEFAULT_TTL_SECONDS = 604800;
/**
* Période de grâce après rotation pour gérer les race conditions multi-onglets.
* Si deux onglets rafraîchissent simultanément, le second recevra une erreur
* bénigne au lieu d'invalider toute la famille de tokens.
*/
private const int GRACE_PERIOD_SECONDS = 30;
private function __construct(
public RefreshTokenId $id,
public TokenFamilyId $familyId,
public UserId $userId,
public TenantId $tenantId,
public DeviceFingerprint $deviceFingerprint,
public DateTimeImmutable $issuedAt,
public DateTimeImmutable $expiresAt,
public ?RefreshTokenId $rotatedFrom,
public bool $isRotated,
public ?DateTimeImmutable $rotatedAt = null,
) {
}
/**
* Crée un nouveau refresh token pour une nouvelle session.
*/
public static function create(
UserId $userId,
TenantId $tenantId,
DeviceFingerprint $deviceFingerprint,
DateTimeImmutable $issuedAt,
int $ttlSeconds = self::DEFAULT_TTL_SECONDS,
): self {
return new self(
id: RefreshTokenId::generate(),
familyId: TokenFamilyId::generate(),
userId: $userId,
tenantId: $tenantId,
deviceFingerprint: $deviceFingerprint,
issuedAt: $issuedAt,
expiresAt: $issuedAt->modify("+{$ttlSeconds} seconds"),
rotatedFrom: null,
isRotated: false,
rotatedAt: null,
);
}
/**
* Effectue une rotation du token (génère un nouveau token, marque l'ancien comme rotaté).
*
* Le nouveau token conserve le même TTL que l'original pour respecter la politique de session
* (web = 1 jour, mobile = 7 jours). L'ancien token est marqué avec rotatedAt pour la grace period.
*
* @return array{0: self, 1: self} Le nouveau token et l'ancien token marqué comme rotaté
*/
public function rotate(DateTimeImmutable $at): array
{
// Préserver le TTL original pour respecter la politique de session (web = 1 jour, mobile = 7 jours)
$originalTtlSeconds = $this->expiresAt->getTimestamp() - $this->issuedAt->getTimestamp();
$newToken = new self(
id: RefreshTokenId::generate(),
familyId: $this->familyId, // Même famille
userId: $this->userId,
tenantId: $this->tenantId,
deviceFingerprint: $this->deviceFingerprint,
issuedAt: $at,
expiresAt: $at->modify("+{$originalTtlSeconds} seconds"),
rotatedFrom: $this->id, // Traçabilité
isRotated: false,
rotatedAt: null,
);
$rotatedOldToken = new self(
id: $this->id,
familyId: $this->familyId,
userId: $this->userId,
tenantId: $this->tenantId,
deviceFingerprint: $this->deviceFingerprint,
issuedAt: $this->issuedAt,
expiresAt: $this->expiresAt,
rotatedFrom: $this->rotatedFrom,
isRotated: true,
rotatedAt: $at, // Pour la grace period
);
return [$newToken, $rotatedOldToken];
}
/**
* Vérifie si le token est expiré.
*/
public function isExpired(DateTimeImmutable $at): bool
{
return $at > $this->expiresAt;
}
/**
* Vérifie si le token est dans la période de grâce après rotation.
*
* La grace period permet de gérer les race conditions quand plusieurs onglets
* tentent de rafraîchir le token simultanément. Elle est basée sur le moment
* de la rotation, pas sur l'émission initiale du token.
*/
public function isInGracePeriod(DateTimeImmutable $at): bool
{
if (!$this->isRotated || $this->rotatedAt === null) {
return false;
}
$gracePeriodEnd = $this->rotatedAt->modify('+' . self::GRACE_PERIOD_SECONDS . ' seconds');
return $at <= $gracePeriodEnd;
}
/**
* Vérifie si l'empreinte du device correspond.
*/
public function matchesDevice(DeviceFingerprint $fingerprint): bool
{
return $this->deviceFingerprint->equals($fingerprint);
}
/**
* Génère le token string à stocker dans le cookie.
*
* Le format est opaque pour le client : base64(id)
*/
public function toTokenString(): string
{
return base64_encode((string) $this->id);
}
/**
* Extrait l'ID depuis un token string.
*/
public static function extractIdFromTokenString(string $tokenString): RefreshTokenId
{
$decoded = base64_decode($tokenString, true);
if ($decoded === false) {
throw new InvalidArgumentException('Invalid token format');
}
return RefreshTokenId::fromString($decoded);
}
/**
* Reconstitue un RefreshToken depuis le stockage.
*
* @internal Pour usage par l'Infrastructure uniquement
*/
public static function reconstitute(
RefreshTokenId $id,
TokenFamilyId $familyId,
UserId $userId,
TenantId $tenantId,
DeviceFingerprint $deviceFingerprint,
DateTimeImmutable $issuedAt,
DateTimeImmutable $expiresAt,
?RefreshTokenId $rotatedFrom,
bool $isRotated,
?DateTimeImmutable $rotatedAt = null,
): self {
return new self(
id: $id,
familyId: $familyId,
userId: $userId,
tenantId: $tenantId,
deviceFingerprint: $deviceFingerprint,
issuedAt: $issuedAt,
expiresAt: $expiresAt,
rotatedFrom: $rotatedFrom,
isRotated: $isRotated,
rotatedAt: $rotatedAt,
);
}
}

14
backend/src/Administration/Domain/Model/RefreshToken/RefreshTokenId.php Normal file
View File

@@ -0,0 +1,14 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Model\RefreshToken;
use App\Shared\Domain\EntityId;
/**
* Identifiant unique d'un refresh token (JTI claim).
*/
final readonly class RefreshTokenId extends EntityId
{
}

17
backend/src/Administration/Domain/Model/RefreshToken/TokenFamilyId.php Normal file
View File

@@ -0,0 +1,17 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Model\RefreshToken;
use App\Shared\Domain\EntityId;
/**
* Identifiant de la famille de tokens.
*
* Tous les tokens issus d'une même connexion partagent le même family_id.
* Utilisé pour détecter et invalider les replay attacks.
*/
final readonly class TokenFamilyId extends EntityId
{
}

6
backend/src/Administration/Domain/Model/User/Email.php
View File

@@ -16,11 +16,12 @@ use const FILTER_VALIDATE_EMAIL;
*/
final readonly class Email
{
/** @var non-empty-string */
public string $value;
public function __construct(string $value)
{
if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
if (filter_var($value, FILTER_VALIDATE_EMAIL) === false || $value === '') {
throw EmailInvalideException::pourAdresse($value);
}
@@ -32,6 +33,9 @@ final readonly class Email
return strtolower($this->value) === strtolower($other->value);
}
/**
* @return non-empty-string
*/
public function __toString(): string
{
return $this->value;

2
backend/src/Administration/Domain/Model/User/User.php
View File

@@ -10,7 +10,7 @@ use App\Administration\Domain\Exception\CompteNonActivableException;
use App\Administration\Domain\Model\ConsentementParental\ConsentementParental;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Shared\Domain\AggregateRoot;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
/**

42
backend/src/Administration/Domain/Repository/RefreshTokenRepository.php Normal file
View File

@@ -0,0 +1,42 @@
<?php
declare(strict_types=1);
namespace App\Administration\Domain\Repository;
use App\Administration\Domain\Model\RefreshToken\RefreshToken;
use App\Administration\Domain\Model\RefreshToken\RefreshTokenId;
use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
/**
* Repository pour la gestion des refresh tokens.
*
* Implémentation attendue : Redis avec TTL automatique.
*/
interface RefreshTokenRepository
{
/**
* Sauvegarde un refresh token.
*/
public function save(RefreshToken $token): void;
/**
* Récupère un refresh token par son ID.
*/
public function find(RefreshTokenId $id): ?RefreshToken;
/**
* Récupère un refresh token par sa valeur (le token string).
*/
public function findByToken(string $tokenValue): ?RefreshToken;
/**
* Supprime un refresh token.
*/
public function delete(RefreshTokenId $id): void;
/**
* Invalide tous les tokens d'une famille (en cas de replay attack détectée).
*/
public function invalidateFamily(TokenFamilyId $familyId): void;
}

7
backend/src/Administration/Domain/Repository/UserRepository.php
View File

@@ -7,6 +7,7 @@ namespace App\Administration\Domain\Repository;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\Tenant\TenantId;
interface UserRepository
{
@@ -17,5 +18,9 @@ interface UserRepository
*/
public function get(UserId $id): User;
public function findByEmail(Email $email): ?User;
/**
* Finds a user by email within a specific tenant.
* Returns null if user doesn't exist in that tenant.
*/
public function findByEmail(Email $email, TenantId $tenantId): ?User;
}

67
backend/src/Administration/Infrastructure/Api/Controller/LogoutController.php Normal file
View File

@@ -0,0 +1,67 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Controller;
use App\Administration\Domain\Model\RefreshToken\RefreshToken;
use App\Administration\Domain\Repository\RefreshTokenRepository;
use DateTimeImmutable;
use InvalidArgumentException;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;
/**
* Endpoint de déconnexion.
*
* Invalide le refresh token et supprime le cookie.
*
* @see Story 1.4 - Connexion utilisateur
*/
final readonly class LogoutController
{
public function __construct(
private RefreshTokenRepository $refreshTokenRepository,
) {
}
#[Route('/api/token/logout', name: 'api_logout', methods: ['POST'])]
public function __invoke(Request $request): Response
{
$refreshTokenValue = $request->cookies->get('refresh_token');
// Invalider toute la famille de tokens pour une déconnexion complète
if ($refreshTokenValue !== null) {
try {
$tokenId = RefreshToken::extractIdFromTokenString($refreshTokenValue);
$refreshToken = $this->refreshTokenRepository->find($tokenId);
if ($refreshToken !== null) {
// Invalider toute la famille (déconnecte tous les devices)
$this->refreshTokenRepository->invalidateFamily($refreshToken->familyId);
}
} catch (InvalidArgumentException) {
// Token malformé, ignorer
}
}
// Créer la réponse avec suppression du cookie
$response = new JsonResponse(['message' => 'Déconnexion réussie'], Response::HTTP_OK);
// Supprimer le cookie refresh_token (même path que celui utilisé lors du login)
$response->headers->setCookie(
Cookie::create('refresh_token')
->withValue('')
->withExpires(new DateTimeImmutable('-1 hour'))
->withPath('/api/token')
->withHttpOnly(true)
->withSecure(true)
->withSameSite('strict'),
);
return $response;
}
}

189
backend/src/Administration/Infrastructure/Api/Processor/RefreshTokenProcessor.php Normal file
View File

@@ -0,0 +1,189 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Processor;
use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Administration\Application\Service\RefreshTokenManager;
use App\Administration\Domain\Event\TokenReplayDetecte;
use App\Administration\Domain\Exception\TokenAlreadyRotatedException;
use App\Administration\Domain\Exception\TokenReplayDetectedException;
use App\Administration\Domain\Model\RefreshToken\DeviceFingerprint;
use App\Administration\Domain\Repository\UserRepository;
use App\Administration\Infrastructure\Api\Resource\RefreshTokenInput;
use App\Administration\Infrastructure\Api\Resource\RefreshTokenOutput;
use App\Administration\Infrastructure\Security\SecurityUserFactory;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantNotFoundException;
use App\Shared\Infrastructure\Tenant\TenantResolver;
use DateTimeImmutable;
use InvalidArgumentException;
use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\ConflictHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Messenger\MessageBusInterface;
/**
* Processor pour le rafraîchissement de token.
*
* Flow :
* 1. Lire le refresh token depuis le cookie HttpOnly
* 2. Valider le token et le device fingerprint
* 3. Détecter les replay attacks
* 4. Générer un nouveau JWT et faire la rotation du refresh token
* 5. Mettre à jour le cookie
*
* @implements ProcessorInterface<RefreshTokenInput, RefreshTokenOutput>
*
* @see Story 1.4 - T6: Endpoint Refresh Token
*/
final readonly class RefreshTokenProcessor implements ProcessorInterface
{
public function __construct(
private RefreshTokenManager $refreshTokenManager,
private JWTTokenManagerInterface $jwtManager,
private UserRepository $userRepository,
private RequestStack $requestStack,
private SecurityUserFactory $securityUserFactory,
private TenantResolver $tenantResolver,
private MessageBusInterface $eventBus,
private Clock $clock,
) {
}
/**
* @param RefreshTokenInput $data
*/
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): RefreshTokenOutput
{
$request = $this->requestStack->getCurrentRequest();
if ($request === null) {
throw new UnauthorizedHttpException('Bearer', 'Request not available');
}
// Lire le refresh token depuis le cookie
$refreshTokenString = $request->cookies->get('refresh_token');
if ($refreshTokenString === null) {
throw new UnauthorizedHttpException('Bearer', 'Refresh token not found');
}
// Créer le device fingerprint pour validation
$ipAddress = $request->getClientIp() ?? 'unknown';
$userAgent = $request->headers->get('User-Agent', 'unknown');
$fingerprint = DeviceFingerprint::fromRequest($userAgent, $ipAddress);
try {
// Valider et faire la rotation du refresh token
$newRefreshToken = $this->refreshTokenManager->refresh($refreshTokenString, $fingerprint);
// Sécurité: vérifier que le tenant du refresh token correspond au tenant de la requête
// Empêche l'utilisation d'un token d'un tenant pour accéder à un autre
$currentTenantId = $this->resolveCurrentTenant($request->getHost());
if ($currentTenantId !== null && (string) $newRefreshToken->tenantId !== (string) $currentTenantId) {
$this->clearRefreshTokenCookie();
throw new AccessDeniedHttpException('Invalid token for this tenant');
}
// Charger l'utilisateur pour générer le JWT
$user = $this->userRepository->get($newRefreshToken->userId);
// Vérifier que l'utilisateur peut toujours se connecter (pas suspendu/archivé)
if (!$user->peutSeConnecter()) {
// Invalider toute la famille et supprimer le cookie
$this->refreshTokenManager->invalidateFamily($newRefreshToken->familyId);
$this->clearRefreshTokenCookie();
throw new AccessDeniedHttpException('Account is no longer active');
}
$securityUser = $this->securityUserFactory->fromDomainUser($user);
// Générer le nouveau JWT
$jwt = $this->jwtManager->create($securityUser);
// Stocker le cookie dans les attributs de requête pour le listener
// Le RefreshTokenCookieListener l'ajoutera à la réponse
$cookie = Cookie::create('refresh_token')
->withValue($newRefreshToken->toTokenString())
->withExpires($newRefreshToken->expiresAt)
->withPath('/api/token')
->withSecure(true)
->withHttpOnly(true)
->withSameSite('strict');
$request->attributes->set('_refresh_token_cookie', $cookie);
return new RefreshTokenOutput(token: $jwt);
} catch (TokenReplayDetectedException $e) {
// Replay attack détecté - la famille a été invalidée
// Dispatcher l'événement de sécurité pour alertes/audit
$this->eventBus->dispatch(new TokenReplayDetecte(
familyId: $e->familyId,
ipAddress: $ipAddress,
userAgent: $userAgent,
occurredOn: $this->clock->now(),
));
// Supprimer le cookie côté client
$this->clearRefreshTokenCookie();
throw new AccessDeniedHttpException(
'Session compromise detected. All sessions have been invalidated. Please log in again.',
);
} catch (TokenAlreadyRotatedException) {
// Token déjà rotaté mais en grace period - race condition légitime
// NE PAS supprimer le cookie ! Le client a probablement déjà le nouveau token
// d'une requête concurrente. Retourner 409 Conflict pour que le client réessaie.
throw new ConflictHttpException('Token already rotated, retry with current cookie');
} catch (InvalidArgumentException $e) {
// Token invalide ou expiré
$this->clearRefreshTokenCookie();
throw new UnauthorizedHttpException('Bearer', $e->getMessage());
}
}
private function clearRefreshTokenCookie(): void
{
$request = $this->requestStack->getCurrentRequest();
if ($request !== null) {
$cookie = Cookie::create('refresh_token')
->withValue('')
->withExpires(new DateTimeImmutable('-1 day'))
->withPath('/api/token')
->withSecure(true)
->withHttpOnly(true)
->withSameSite('strict');
$request->attributes->set('_refresh_token_cookie', $cookie);
}
}
/**
* Resolves the current tenant from the request host.
*
* Returns null for localhost (dev environment uses default tenant).
*/
private function resolveCurrentTenant(string $host): ?\App\Shared\Domain\Tenant\TenantId
{
// Skip validation for localhost (dev environment)
if ($host === 'localhost' || $host === '127.0.0.1') {
return null;
}
try {
return $this->tenantResolver->resolve($host)->tenantId;
} catch (TenantNotFoundException) {
return null;
}
}
}

32
backend/src/Administration/Infrastructure/Api/Resource/RefreshTokenInput.php Normal file
View File

@@ -0,0 +1,32 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Resource;
use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Post;
use App\Administration\Infrastructure\Api\Processor\RefreshTokenProcessor;
/**
* Resource API Platform pour le rafraîchissement de token.
*
* Le refresh token est lu depuis le cookie HttpOnly, pas du body.
*
* @see Story 1.4 - T6: Endpoint Refresh Token
*/
#[ApiResource(
operations: [
new Post(
uriTemplate: '/token/refresh',
processor: RefreshTokenProcessor::class,
output: RefreshTokenOutput::class,
name: 'refresh_token',
description: 'Utilise le refresh token (cookie HttpOnly) pour obtenir un nouveau JWT. Le refresh token est automatiquement rotaté.',
),
],
)]
final class RefreshTokenInput
{
// Pas de propriétés - le refresh token vient du cookie
}

16
backend/src/Administration/Infrastructure/Api/Resource/RefreshTokenOutput.php Normal file
View File

@@ -0,0 +1,16 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Api\Resource;
/**
* Output pour le rafraîchissement de token.
*/
final readonly class RefreshTokenOutput
{
public function __construct(
public string $token,
) {
}
}

86
backend/src/Administration/Infrastructure/Console/CreateTestActivationTokenCommand.php
View File

@@ -11,7 +11,8 @@ use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Repository\ActivationTokenRepository;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Infrastructure\Tenant\TenantNotFoundException;
use App\Shared\Infrastructure\Tenant\TenantRegistry;
use function sprintf;
@@ -31,6 +32,7 @@ final class CreateTestActivationTokenCommand extends Command
public function __construct(
private readonly ActivationTokenRepository $activationTokenRepository,
private readonly UserRepository $userRepository,
private readonly TenantRegistry $tenantRegistry,
private readonly Clock $clock,
) {
parent::__construct();
@@ -43,21 +45,65 @@ final class CreateTestActivationTokenCommand extends Command
->addOption('role', null, InputOption::VALUE_OPTIONAL, 'User role (PARENT, ELEVE, PROF, ADMIN)', 'PARENT')
->addOption('school', null, InputOption::VALUE_OPTIONAL, 'School name', 'École de Test')
->addOption('minor', null, InputOption::VALUE_NONE, 'Create a minor user (requires parental consent)')
->addOption('base-url', null, InputOption::VALUE_OPTIONAL, 'Frontend base URL', 'http://localhost:5173');
->addOption('tenant', null, InputOption::VALUE_OPTIONAL, 'Tenant subdomain (ecole-alpha, ecole-beta)', 'ecole-alpha')
->addOption('base-url', null, InputOption::VALUE_OPTIONAL, 'Frontend base URL', 'http://localhost:5174');
}
protected function execute(InputInterface $input, OutputInterface $output): int
{
$io = new SymfonyStyle($input, $output);
/** @var string $email */
$email = $input->getOption('email');
/** @var string $roleOption */
$roleOption = $input->getOption('role');
$roleInput = strtoupper($roleOption);
/** @var string $schoolName */
$schoolName = $input->getOption('school');
$isMinor = $input->getOption('minor');
// Interactive mode only if:
// 1. Input is interactive (not -n flag, has TTY)
// 2. Using all default values (no explicit options provided)
$usingDefaults = $input->getOption('email') === 'test@example.com'
&& $input->getOption('role') === 'PARENT'
&& $input->getOption('tenant') === 'ecole-alpha';
if ($input->isInteractive() && $usingDefaults) {
$io->title('Création d\'un token d\'activation de test');
/** @var string $tenantSubdomain */
$tenantSubdomain = $io->choice(
'Tenant (établissement)',
['ecole-alpha', 'ecole-beta'],
'ecole-alpha'
);
/** @var string $roleChoice */
$roleChoice = $io->choice(
'Rôle',
['PARENT', 'ELEVE', 'PROF', 'ADMIN'],
'PARENT'
);
$defaultEmail = match ($roleChoice) {
'PARENT' => 'parent@test.com',
'ELEVE' => 'eleve@test.com',
'PROF' => 'prof@test.com',
'ADMIN' => 'admin@test.com',
default => 'test@example.com',
};
/** @var string $email */
$email = $io->ask('Email', $defaultEmail);
$roleInput = strtoupper($roleChoice);
/** @var string $schoolName */
$schoolName = $io->ask('Nom de l\'école', 'École de Test');
$isMinor = $io->confirm('Utilisateur mineur (nécessite consentement parental) ?', false);
} else {
/** @var string $email */
$email = $input->getOption('email');
/** @var string $roleOption */
$roleOption = $input->getOption('role');
$roleInput = strtoupper($roleOption);
/** @var string $schoolName */
$schoolName = $input->getOption('school');
$isMinor = $input->getOption('minor');
/** @var string $tenantSubdomain */
$tenantSubdomain = $input->getOption('tenant');
}
/** @var string $baseUrlOption */
$baseUrlOption = $input->getOption('base-url');
$baseUrl = rtrim($baseUrlOption, '/');
@@ -77,8 +123,25 @@ final class CreateTestActivationTokenCommand extends Command
return Command::FAILURE;
}
// Resolve tenant from subdomain
try {
$tenantConfig = $this->tenantRegistry->getBySubdomain($tenantSubdomain);
$tenantId = $tenantConfig->tenantId;
} catch (TenantNotFoundException) {
$availableTenants = array_map(
static fn ($config) => $config->subdomain,
$this->tenantRegistry->getAllConfigs()
);
$io->error(sprintf(
'Tenant "%s" not found. Available tenants: %s',
$tenantSubdomain,
implode(', ', $availableTenants)
));
return Command::FAILURE;
}
$now = $this->clock->now();
$tenantId = TenantId::fromString('550e8400-e29b-41d4-a716-446655440001');
// Create user
$dateNaissance = $isMinor
@@ -118,6 +181,7 @@ final class CreateTestActivationTokenCommand extends Command
['User ID', (string) $user->id],
['Email', $email],
['Role', $role->value],
['Tenant', $tenantSubdomain],
['School', $schoolName],
['Minor', $isMinor ? 'Yes (requires parental consent)' : 'No'],
['Token', $token->tokenValue],

164
backend/src/Administration/Infrastructure/Console/CreateTestUserCommand.php Normal file
View File

@@ -0,0 +1,164 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Console;
use App\Administration\Application\Port\PasswordHasher;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantNotFoundException;
use App\Shared\Infrastructure\Tenant\TenantRegistry;
use function sprintf;
use Symfony\Component\Console\Attribute\AsCommand;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Input\InputOption;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Style\SymfonyStyle;
/**
* Creates an already-activated test user for E2E login tests.
*
* Unlike the activation token command, this creates a user that can
* immediately log in with the provided password.
*/
#[AsCommand(
name: 'app:dev:create-test-user',
description: 'Creates an already-activated test user for E2E login tests',
)]
final class CreateTestUserCommand extends Command
{
public function __construct(
private readonly UserRepository $userRepository,
private readonly PasswordHasher $passwordHasher,
private readonly TenantRegistry $tenantRegistry,
private readonly Clock $clock,
) {
parent::__construct();
}
protected function configure(): void
{
$this
->addOption('email', null, InputOption::VALUE_OPTIONAL, 'Email address', 'e2e-login@example.com')
->addOption('password', null, InputOption::VALUE_OPTIONAL, 'Password (plain text)', 'TestPassword123')
->addOption('role', null, InputOption::VALUE_OPTIONAL, 'User role (PARENT, ELEVE, PROF, ADMIN)', 'PARENT')
->addOption('school', null, InputOption::VALUE_OPTIONAL, 'School name', 'École de Test')
->addOption('tenant', null, InputOption::VALUE_OPTIONAL, 'Tenant subdomain (ecole-alpha, ecole-beta)', 'ecole-alpha');
}
protected function execute(InputInterface $input, OutputInterface $output): int
{
$io = new SymfonyStyle($input, $output);
/** @var string $email */
$email = $input->getOption('email');
/** @var string $password */
$password = $input->getOption('password');
/** @var string $roleOption */
$roleOption = $input->getOption('role');
$roleInput = strtoupper($roleOption);
/** @var string $schoolName */
$schoolName = $input->getOption('school');
/** @var string $tenantSubdomain */
$tenantSubdomain = $input->getOption('tenant');
// Convert short role name to full Symfony role format
$roleName = str_starts_with($roleInput, 'ROLE_') ? $roleInput : 'ROLE_' . $roleInput;
$role = Role::tryFrom($roleName);
if ($role === null) {
$validRoles = array_map(static fn (Role $r) => str_replace('ROLE_', '', $r->value), Role::cases());
$io->error(sprintf(
'Invalid role "%s". Valid roles: %s',
$roleInput,
implode(', ', $validRoles)
));
return Command::FAILURE;
}
// Resolve tenant from subdomain
try {
$tenantConfig = $this->tenantRegistry->getBySubdomain($tenantSubdomain);
$tenantId = $tenantConfig->tenantId;
} catch (TenantNotFoundException) {
$availableTenants = array_map(
static fn ($config) => $config->subdomain,
$this->tenantRegistry->getAllConfigs()
);
$io->error(sprintf(
'Tenant "%s" not found. Available tenants: %s',
$tenantSubdomain,
implode(', ', $availableTenants)
));
return Command::FAILURE;
}
$now = $this->clock->now();
// Check if user already exists
$existingUser = $this->userRepository->findByEmail(new Email($email), $tenantId);
if ($existingUser !== null) {
$io->warning(sprintf('User with email "%s" already exists. Returning existing user.', $email));
$io->table(
['Property', 'Value'],
[
['User ID', (string) $existingUser->id],
['Email', $email],
['Password', $password],
['Role', $existingUser->role->value],
['Status', $existingUser->statut->value],
]
);
return Command::SUCCESS;
}
// Create activated user using reconstitute to bypass domain validation
$hashedPassword = $this->passwordHasher->hash($password);
$user = User::reconstitute(
id: UserId::generate(),
email: new Email($email),
role: $role,
tenantId: $tenantId,
schoolName: $schoolName,
statut: StatutCompte::ACTIF,
dateNaissance: null,
createdAt: $now,
hashedPassword: $hashedPassword,
activatedAt: $now,
consentementParental: null,
);
$this->userRepository->save($user);
$io->success('Test user created successfully!');
$io->table(
['Property', 'Value'],
[
['User ID', (string) $user->id],
['Email', $email],
['Password', $password],
['Role', $role->value],
['Tenant', $tenantSubdomain],
['School', $schoolName],
['Status', StatutCompte::ACTIF->value],
]
);
return Command::SUCCESS;
}
}

76
backend/src/Administration/Infrastructure/Messaging/AuditLoginEventsHandler.php Normal file
View File

@@ -0,0 +1,76 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Messaging;
use App\Administration\Domain\Event\ConnexionEchouee;
use App\Administration\Domain\Event\ConnexionReussie;
use Psr\Log\LoggerInterface;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
/**
* Enregistre les événements de connexion dans l'audit log.
*
* Important: Les IP sont hashées pour respecter NFR-S3 (pas de PII dans les logs).
*
* @see Story 1.4 - T5.5: Tracer dans audit log
* @see AC3: Événement tracé dans audit log
*/
final readonly class AuditLoginEventsHandler
{
public function __construct(
private LoggerInterface $auditLogger,
private string $appSecret,
) {
}
#[AsMessageHandler]
public function handleConnexionReussie(ConnexionReussie $event): void
{
$this->auditLogger->info('login.success', [
'user_id' => $event->userId,
'tenant_id' => (string) $event->tenantId,
'ip_hash' => $this->hashIp($event->ipAddress),
'user_agent_hash' => $this->hashUserAgent($event->userAgent),
'occurred_on' => $event->occurredOn->format('c'),
]);
}
#[AsMessageHandler]
public function handleConnexionEchouee(ConnexionEchouee $event): void
{
$this->auditLogger->warning('login.failure', [
'email_hash' => $this->hashEmail($event->email),
'reason' => $event->reason,
'ip_hash' => $this->hashIp($event->ipAddress),
'user_agent_hash' => $this->hashUserAgent($event->userAgent),
'occurred_on' => $event->occurredOn->format('c'),
]);
}
/**
* Hash l'IP pour éviter de stocker des PII.
* Le hash permet toujours de corréler les événements d'une même IP.
*/
private function hashIp(string $ip): string
{
return hash('sha256', $ip . $this->appSecret);
}
/**
* Hash l'email pour éviter de stocker des PII.
*/
private function hashEmail(string $email): string
{
return hash('sha256', strtolower($email) . $this->appSecret);
}
/**
* Hash le User-Agent (généralement pas PII mais peut être très long).
*/
private function hashUserAgent(string $userAgent): string
{
return hash('sha256', $userAgent);
}
}

58
backend/src/Administration/Infrastructure/Messaging/SendLockoutAlertHandler.php Normal file
View File

@@ -0,0 +1,58 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Messaging;
use App\Administration\Domain\Event\CompteBloqueTemporairement;
use Symfony\Component\Mailer\MailerInterface;
use Symfony\Component\Messenger\Attribute\AsMessageHandler;
use Symfony\Component\Mime\Email;
use Twig\Environment;
/**
* Envoie un email d'alerte quand un compte est bloqué temporairement.
*
* @see Story 1.4 - T4: Email alerte lockout
*/
#[AsMessageHandler]
final readonly class SendLockoutAlertHandler
{
public function __construct(
private MailerInterface $mailer,
private Environment $twig,
private string $fromEmail = 'noreply@classeo.fr',
) {
}
public function __invoke(CompteBloqueTemporairement $event): void
{
$blockedForMinutes = (int) ceil($event->blockedForSeconds / 60);
$htmlContent = $this->twig->render('email/lockout_alert.html.twig', [
'email' => $event->email,
'ipAddress' => $event->ipAddress,
'failedAttempts' => $event->failedAttempts,
'blockedForMinutes' => $blockedForMinutes,
'occurredOn' => $event->occurredOn,
]);
$textContent = $this->twig->render('email/lockout_alert.txt.twig', [
'email' => $event->email,
'ipAddress' => $event->ipAddress,
'failedAttempts' => $event->failedAttempts,
'blockedForMinutes' => $blockedForMinutes,
'occurredOn' => $event->occurredOn,
]);
$email = (new Email())
->from($this->fromEmail)
->to($event->email)
->subject('🔒 Alerte de sécurité - Tentatives de connexion suspectes')
->html($htmlContent)
->text($textContent)
->priority(Email::PRIORITY_HIGH);
$this->mailer->send($email);
}
}

20
backend/src/Administration/Infrastructure/Persistence/Cache/CacheUserRepository.php
View File

@@ -12,7 +12,7 @@ use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Psr\Cache\CacheItemPoolInterface;
@@ -40,8 +40,9 @@ final readonly class CacheUserRepository implements UserRepository
$item->set($this->serialize($user));
$this->usersCache->save($item);
// Save email index for lookup
$emailItem = $this->usersCache->getItem(self::EMAIL_INDEX_PREFIX . $this->normalizeEmail($user->email));
// Save email index for lookup (scoped to tenant)
$emailKey = $this->emailIndexKey($user->email, $user->tenantId);
$emailItem = $this->usersCache->getItem($emailKey);
$emailItem->set((string) $user->id);
$this->usersCache->save($emailItem);
}
@@ -60,9 +61,10 @@ final readonly class CacheUserRepository implements UserRepository
return $this->deserialize($data);
}
public function findByEmail(Email $email): ?User
public function findByEmail(Email $email, TenantId $tenantId): ?User
{
$emailItem = $this->usersCache->getItem(self::EMAIL_INDEX_PREFIX . $this->normalizeEmail($email));
$emailKey = $this->emailIndexKey($email, $tenantId);
$emailItem = $this->usersCache->getItem($emailKey);
if (!$emailItem->isHit()) {
return null;
@@ -159,4 +161,12 @@ final readonly class CacheUserRepository implements UserRepository
{
return strtolower(str_replace(['@', '.'], ['_at_', '_dot_'], (string) $email));
}
/**
* Creates a cache key for email lookup scoped to a tenant.
*/
private function emailIndexKey(Email $email, TenantId $tenantId): string
{
return self::EMAIL_INDEX_PREFIX . $tenantId . ':' . $this->normalizeEmail($email);
}
}

16
backend/src/Administration/Infrastructure/Persistence/InMemory/InMemoryUserRepository.php
View File

@@ -9,6 +9,7 @@ use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Domain\Tenant\TenantId;
use Override;
final class InMemoryUserRepository implements UserRepository
@@ -16,14 +17,14 @@ final class InMemoryUserRepository implements UserRepository
/** @var array<string, User> Indexed by ID */
private array $byId = [];
/** @var array<string, User> Indexed by email (lowercase) */
private array $byEmail = [];
/** @var array<string, User> Indexed by tenant:email (lowercase) */
private array $byTenantEmail = [];
#[Override]
public function save(User $user): void
{
$this->byId[(string) $user->id] = $user;
$this->byEmail[strtolower((string) $user->email)] = $user;
$this->byTenantEmail[$this->emailKey($user->email, $user->tenantId)] = $user;
}
#[Override]
@@ -39,8 +40,13 @@ final class InMemoryUserRepository implements UserRepository
}
#[Override]
public function findByEmail(Email $email): ?User
public function findByEmail(Email $email, TenantId $tenantId): ?User
{
return $this->byEmail[strtolower((string) $email)] ?? null;
return $this->byTenantEmail[$this->emailKey($email, $tenantId)] ?? null;
}
private function emailKey(Email $email, TenantId $tenantId): string
{
return $tenantId . ':' . strtolower((string) $email);
}
}

2
backend/src/Administration/Infrastructure/Persistence/Redis/RedisActivationTokenRepository.php
View File

@@ -8,7 +8,7 @@ use App\Administration\Domain\Exception\ActivationTokenNotFoundException;
use App\Administration\Domain\Model\ActivationToken\ActivationToken;
use App\Administration\Domain\Model\ActivationToken\ActivationTokenId;
use App\Administration\Domain\Repository\ActivationTokenRepository;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use Psr\Cache\CacheItemPoolInterface;

169
backend/src/Administration/Infrastructure/Persistence/Redis/RedisRefreshTokenRepository.php Normal file
View File

@@ -0,0 +1,169 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Persistence\Redis;
use App\Administration\Domain\Model\RefreshToken\DeviceFingerprint;
use App\Administration\Domain\Model\RefreshToken\RefreshToken;
use App\Administration\Domain\Model\RefreshToken\RefreshTokenId;
use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\RefreshTokenRepository;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use DateTimeInterface;
use Psr\Cache\CacheItemPoolInterface;
/**
* Implémentation Redis du repository de refresh tokens.
*
* Structure de stockage :
* - Token individuel : refresh:{token_id} → données JSON du token
* - Index famille : refresh_family:{family_id} → set des token_ids de la famille
*
* @see Story 1.4 - Connexion utilisateur
*/
final readonly class RedisRefreshTokenRepository implements RefreshTokenRepository
{
private const string TOKEN_PREFIX = 'refresh:';
private const string FAMILY_PREFIX = 'refresh_family:';
public function __construct(
private CacheItemPoolInterface $refreshTokensCache,
) {
}
public function save(RefreshToken $token): void
{
// Sauvegarder le token
$tokenItem = $this->refreshTokensCache->getItem(self::TOKEN_PREFIX . $token->id);
$tokenItem->set($this->serialize($token));
// Calculer le TTL restant
$now = new DateTimeImmutable();
$ttl = $token->expiresAt->getTimestamp() - $now->getTimestamp();
if ($ttl > 0) {
$tokenItem->expiresAfter($ttl);
}
$this->refreshTokensCache->save($tokenItem);
// Ajouter à l'index famille
// Ne jamais réduire le TTL de l'index famille
// L'index doit survivre aussi longtemps que le token le plus récent de la famille
$familyItem = $this->refreshTokensCache->getItem(self::FAMILY_PREFIX . $token->familyId);
/** @var list<string> $familyTokenIds */
$familyTokenIds = $familyItem->isHit() ? $familyItem->get() : [];
$familyTokenIds[] = (string) $token->id;
$familyItem->set(array_unique($familyTokenIds));
// Seulement étendre le TTL, jamais le réduire
// Pour les tokens rotated (ancien), on ne change pas le TTL de l'index
if (!$token->isRotated && $ttl > 0) {
$familyItem->expiresAfter($ttl);
} elseif (!$familyItem->isHit()) {
// Nouveau index - définir le TTL initial
$familyItem->expiresAfter($ttl > 0 ? $ttl : 604800);
}
// Si c'est un token rotaté et l'index existe déjà, on garde le TTL existant
$this->refreshTokensCache->save($familyItem);
}
public function find(RefreshTokenId $id): ?RefreshToken
{
$item = $this->refreshTokensCache->getItem(self::TOKEN_PREFIX . $id);
if (!$item->isHit()) {
return null;
}
/** @var array{id: string, family_id: string, user_id: string, tenant_id: string, device_fingerprint: string, issued_at: string, expires_at: string, rotated_from: string|null, is_rotated: bool, rotated_at?: string|null} $data */
$data = $item->get();
return $this->deserialize($data);
}
public function findByToken(string $tokenValue): ?RefreshToken
{
return $this->find(RefreshTokenId::fromString($tokenValue));
}
public function delete(RefreshTokenId $id): void
{
$this->refreshTokensCache->deleteItem(self::TOKEN_PREFIX . $id);
}
public function invalidateFamily(TokenFamilyId $familyId): void
{
$familyItem = $this->refreshTokensCache->getItem(self::FAMILY_PREFIX . $familyId);
if (!$familyItem->isHit()) {
return;
}
/** @var list<string> $tokenIds */
$tokenIds = $familyItem->get();
// Supprimer tous les tokens de la famille
foreach ($tokenIds as $tokenId) {
$this->refreshTokensCache->deleteItem(self::TOKEN_PREFIX . $tokenId);
}
// Supprimer l'index famille
$this->refreshTokensCache->deleteItem(self::FAMILY_PREFIX . $familyId);
}
/**
* @return array<string, mixed>
*/
private function serialize(RefreshToken $token): array
{
return [
'id' => (string) $token->id,
'family_id' => (string) $token->familyId,
'user_id' => (string) $token->userId,
'tenant_id' => (string) $token->tenantId,
'device_fingerprint' => (string) $token->deviceFingerprint,
'issued_at' => $token->issuedAt->format(DateTimeInterface::ATOM),
'expires_at' => $token->expiresAt->format(DateTimeInterface::ATOM),
'rotated_from' => $token->rotatedFrom !== null ? (string) $token->rotatedFrom : null,
'is_rotated' => $token->isRotated,
'rotated_at' => $token->rotatedAt?->format(DateTimeInterface::ATOM),
];
}
/**
* @param array{
* id: string,
* family_id: string,
* user_id: string,
* tenant_id: string,
* device_fingerprint: string,
* issued_at: string,
* expires_at: string,
* rotated_from: string|null,
* is_rotated: bool,
* rotated_at?: string|null
* } $data
*/
private function deserialize(array $data): RefreshToken
{
$rotatedAt = $data['rotated_at'] ?? null;
return RefreshToken::reconstitute(
id: RefreshTokenId::fromString($data['id']),
familyId: TokenFamilyId::fromString($data['family_id']),
userId: UserId::fromString($data['user_id']),
tenantId: TenantId::fromString($data['tenant_id']),
deviceFingerprint: DeviceFingerprint::fromString($data['device_fingerprint']),
issuedAt: new DateTimeImmutable($data['issued_at']),
expiresAt: new DateTimeImmutable($data['expires_at']),
rotatedFrom: $data['rotated_from'] !== null ? RefreshTokenId::fromString($data['rotated_from']) : null,
isRotated: $data['is_rotated'],
rotatedAt: $rotatedAt !== null ? new DateTimeImmutable($rotatedAt) : null,
);
}
}

113
backend/src/Administration/Infrastructure/Security/DatabaseUserProvider.php Normal file
View File

@@ -0,0 +1,113 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Security;
use App\Administration\Domain\Exception\EmailInvalideException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Repository\UserRepository;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Infrastructure\Tenant\TenantNotFoundException;
use App\Shared\Infrastructure\Tenant\TenantResolver;
use InvalidArgumentException;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Exception\UserNotFoundException as SymfonyUserNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
/**
* Charge les utilisateurs depuis le domaine pour l'authentification Symfony.
*
* Ce provider fait le pont entre Symfony Security et notre Domain Layer.
* Il ne révèle jamais si un utilisateur existe ou non pour des raisons de sécurité.
* Les utilisateurs sont isolés par tenant (établissement).
*
* @implements UserProviderInterface<SecurityUser>
*
* @see Story 1.4 - Connexion utilisateur (AC2: pas de révélation d'existence du compte)
*/
final readonly class DatabaseUserProvider implements UserProviderInterface
{
public function __construct(
private UserRepository $userRepository,
private TenantResolver $tenantResolver,
private RequestStack $requestStack,
private SecurityUserFactory $securityUserFactory,
) {
}
public function loadUserByIdentifier(string $identifier): UserInterface
{
$tenantId = $this->getCurrentTenantId();
try {
$email = new Email($identifier);
} catch (EmailInvalideException) {
// Malformed email = treat as user not found (security: generic error)
throw new SymfonyUserNotFoundException();
}
$user = $this->userRepository->findByEmail($email, $tenantId);
// Message générique pour ne pas révéler l'existence du compte
if ($user === null) {
throw new SymfonyUserNotFoundException();
}
// Ne pas permettre la connexion si le compte n'est pas actif
if (!$user->peutSeConnecter()) {
throw new SymfonyUserNotFoundException();
}
return $this->securityUserFactory->fromDomainUser($user);
}
public function refreshUser(UserInterface $user): UserInterface
{
if (!$user instanceof SecurityUser) {
throw new InvalidArgumentException('Expected instance of ' . SecurityUser::class);
}
return $this->loadUserByIdentifier($user->email());
}
public function supportsClass(string $class): bool
{
return $class === SecurityUser::class;
}
/**
* Resolves the current tenant from the request host.
*
* @throws SymfonyUserNotFoundException if tenant cannot be resolved (security: generic error)
*/
private function getCurrentTenantId(): TenantId
{
$request = $this->requestStack->getCurrentRequest();
if ($request === null) {
throw new SymfonyUserNotFoundException();
}
$host = $request->getHost();
// Dev/test fallback: localhost uses ecole-alpha tenant
if ($host === 'localhost' || $host === '127.0.0.1') {
try {
return $this->tenantResolver->resolve('ecole-alpha.classeo.local')->tenantId;
} catch (TenantNotFoundException) {
throw new SymfonyUserNotFoundException();
}
}
try {
$tenantConfig = $this->tenantResolver->resolve($host);
return $tenantConfig->tenantId;
} catch (TenantNotFoundException) {
// Don't reveal tenant doesn't exist - use same error as invalid credentials
throw new SymfonyUserNotFoundException();
}
}
}

39
backend/src/Administration/Infrastructure/Security/JwtPayloadEnricher.php Normal file
View File

@@ -0,0 +1,39 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Security;
use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTCreatedEvent;
/**
* Enrichit le payload JWT avec les claims métier.
*
* Claims ajoutés:
* - sub: Email de l'utilisateur (identifiant Symfony Security)
* - user_id: UUID de l'utilisateur (pour les consommateurs d'API)
* - tenant_id: UUID du tenant pour l'isolation multi-tenant
* - roles: Liste des rôles Symfony pour l'autorisation
*
* @see Story 1.4 - Connexion utilisateur
*/
final readonly class JwtPayloadEnricher
{
public function onJWTCreated(JWTCreatedEvent $event): void
{
$user = $event->getUser();
if (!$user instanceof SecurityUser) {
return;
}
$payload = $event->getData();
// Claims métier pour l'isolation multi-tenant et l'autorisation
$payload['user_id'] = $user->userId();
$payload['tenant_id'] = $user->tenantId();
$payload['roles'] = $user->getRoles();
$event->setData($payload);
}
}

128
backend/src/Administration/Infrastructure/Security/LoginFailureHandler.php Normal file
View File

@@ -0,0 +1,128 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Security;
use App\Administration\Domain\Event\CompteBloqueTemporairement;
use App\Administration\Domain\Event\ConnexionEchouee;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\RateLimit\LoginRateLimiterInterface;
use App\Shared\Infrastructure\RateLimit\LoginRateLimitResult;
use function is_array;
use function is_string;
use function sprintf;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
/**
* Gère les échecs de login : rate limiting Fibonacci, audit, messages user-friendly.
*
* Important: Ne jamais révéler si l'email existe ou non (AC2).
*
* @see Story 1.4 - T5: Endpoint Login Backend
*/
final readonly class LoginFailureHandler implements AuthenticationFailureHandlerInterface
{
public function __construct(
private LoginRateLimiterInterface $rateLimiter,
private MessageBusInterface $eventBus,
private Clock $clock,
) {
}
public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
{
$content = json_decode($request->getContent(), true);
$email = is_array($content) && isset($content['email']) && is_string($content['email'])
? $content['email']
: 'unknown';
$ipAddress = $request->getClientIp() ?? 'unknown';
$userAgent = $request->headers->get('User-Agent', 'unknown');
// Enregistrer l'échec et obtenir le nouvel état
$result = $this->rateLimiter->recordFailure($request, $email);
// Émettre l'événement d'échec
$this->eventBus->dispatch(new ConnexionEchouee(
email: $email,
ipAddress: $ipAddress,
userAgent: $userAgent,
reason: 'invalid_credentials',
occurredOn: $this->clock->now(),
));
// Si l'IP vient d'être bloquée
if ($result->ipBlocked) {
$this->eventBus->dispatch(new CompteBloqueTemporairement(
email: $email,
ipAddress: $ipAddress,
userAgent: $userAgent,
blockedForSeconds: $result->retryAfter ?? LoginRateLimiterInterface::IP_BLOCK_DURATION,
failedAttempts: $result->attempts,
occurredOn: $this->clock->now(),
));
return $this->createBlockedResponse($result);
}
// Réponse standard d'échec avec infos sur le délai et CAPTCHA
return $this->createFailureResponse($result);
}
private function createBlockedResponse(LoginRateLimitResult $result): JsonResponse
{
$response = new JsonResponse([
'type' => '/errors/ip-blocked',
'title' => 'Accès temporairement bloqué',
'status' => Response::HTTP_TOO_MANY_REQUESTS,
'detail' => sprintf(
'Trop de tentatives de connexion. Réessayez dans %s.',
$result->getFormattedDelay(),
),
'retryAfter' => $result->retryAfter,
], Response::HTTP_TOO_MANY_REQUESTS);
foreach ($result->toHeaders() as $name => $value) {
$response->headers->set($name, $value);
}
return $response;
}
private function createFailureResponse(LoginRateLimitResult $result): JsonResponse
{
$data = [
'type' => '/errors/authentication-failed',
'title' => 'Identifiants incorrects',
'status' => Response::HTTP_UNAUTHORIZED,
'detail' => 'L\'adresse email ou le mot de passe est incorrect.',
'attempts' => $result->attempts,
];
// Ajouter le délai si applicable
if ($result->delaySeconds > 0) {
$data['delay'] = $result->delaySeconds;
$data['delayFormatted'] = $result->getFormattedDelay();
}
// Indiquer si CAPTCHA requis pour la prochaine tentative
if ($result->requiresCaptcha) {
$data['captchaRequired'] = true;
}
$response = new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
foreach ($result->toHeaders() as $name => $value) {
$response->headers->set($name, $value);
}
return $response;
}
}

89
backend/src/Administration/Infrastructure/Security/LoginSuccessHandler.php Normal file
View File

@@ -0,0 +1,89 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Security;
use App\Administration\Application\Service\RefreshTokenManager;
use App\Administration\Domain\Event\ConnexionReussie;
use App\Administration\Domain\Model\RefreshToken\DeviceFingerprint;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use App\Shared\Infrastructure\RateLimit\LoginRateLimiterInterface;
use Lexik\Bundle\JWTAuthenticationBundle\Event\AuthenticationSuccessEvent;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Messenger\MessageBusInterface;
/**
* Gère les actions post-login réussi : refresh token, reset rate limit, audit.
*
* @see Story 1.4 - T5: Endpoint Login Backend
*/
final readonly class LoginSuccessHandler
{
public function __construct(
private RefreshTokenManager $refreshTokenManager,
private LoginRateLimiterInterface $rateLimiter,
private MessageBusInterface $eventBus,
private Clock $clock,
private RequestStack $requestStack,
) {
}
public function onAuthenticationSuccess(AuthenticationSuccessEvent $event): void
{
$user = $event->getUser();
$response = $event->getResponse();
$request = $this->requestStack->getCurrentRequest();
if (!$user instanceof SecurityUser || $request === null) {
return;
}
$email = $user->email();
$userId = UserId::fromString($user->userId());
$tenantId = TenantId::fromString($user->tenantId());
$ipAddress = $request->getClientIp() ?? 'unknown';
$userAgent = $request->headers->get('User-Agent', 'unknown');
// Créer le device fingerprint
$fingerprint = DeviceFingerprint::fromRequest($userAgent, $ipAddress);
// Détecter si c'est un mobile (pour le TTL du refresh token)
$isMobile = str_contains(strtolower($userAgent), 'mobile');
// Créer le refresh token
$refreshToken = $this->refreshTokenManager->create(
$userId,
$tenantId,
$fingerprint,
$isMobile,
);
// Ajouter le refresh token en cookie HttpOnly
$cookie = Cookie::create('refresh_token')
->withValue($refreshToken->toTokenString())
->withExpires($refreshToken->expiresAt)
->withPath('/api/token')
->withSecure(true)
->withHttpOnly(true)
->withSameSite('strict');
$response->headers->setCookie($cookie);
// Reset le rate limiter pour cet email
$this->rateLimiter->reset($email);
// Émettre l'événement de connexion réussie
$this->eventBus->dispatch(new ConnexionReussie(
userId: $user->userId(),
email: $email,
tenantId: $tenantId,
ipAddress: $ipAddress,
userAgent: $userAgent,
occurredOn: $this->clock->now(),
));
}
}

34
backend/src/Administration/Infrastructure/Security/RefreshTokenCookieListener.php Normal file
View File

@@ -0,0 +1,34 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Security;
use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
/**
* Ajoute le cookie refresh_token à la réponse HTTP.
*
* Ce listener est nécessaire car dans API Platform 4.x, la réponse n'est pas
* disponible dans le context du processor. Le processor stocke le cookie dans
* les attributs de la requête, et ce listener l'ajoute à la réponse.
*
* @see Story 1.4 - T6: Endpoint Refresh Token
*/
#[AsEventListener(event: KernelEvents::RESPONSE, priority: 0)]
final readonly class RefreshTokenCookieListener
{
public function __invoke(ResponseEvent $event): void
{
$request = $event->getRequest();
$cookie = $request->attributes->get('_refresh_token_cookie');
if ($cookie instanceof Cookie) {
$event->getResponse()->headers->setCookie($cookie);
$request->attributes->remove('_refresh_token_cookie');
}
}
}

79
backend/src/Administration/Infrastructure/Security/SecurityUser.php Normal file
View File

@@ -0,0 +1,79 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Security;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\Tenant\TenantId;
use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
use Symfony\Component\Security\Core\User\UserInterface;
/**
* Adapter entre le Domain User et Symfony Security.
*
* Ce DTO est utilisé par le système d'authentification Symfony.
* Il ne contient pas de logique métier - c'est un simple transporteur de données.
*
* @see Story 1.4 - Connexion utilisateur
*/
final readonly class SecurityUser implements UserInterface, PasswordAuthenticatedUserInterface
{
/** @var non-empty-string */
private string $email;
/**
* @param non-empty-string $email
* @param list<string> $roles Les rôles Symfony (ROLE_*)
*/
public function __construct(
private UserId $userId,
string $email,
private string $hashedPassword,
private TenantId $tenantId,
private array $roles,
) {
$this->email = $email;
}
public function getUserIdentifier(): string
{
return $this->email;
}
public function userId(): string
{
return (string) $this->userId;
}
public function getPassword(): string
{
return $this->hashedPassword;
}
/**
* @return list<string>
*/
public function getRoles(): array
{
return $this->roles;
}
public function tenantId(): string
{
return (string) $this->tenantId;
}
/**
* @return non-empty-string
*/
public function email(): string
{
return $this->email;
}
public function eraseCredentials(): void
{
// Rien à effacer, les données sont immutables
}
}

34
backend/src/Administration/Infrastructure/Security/SecurityUserFactory.php Normal file
View File

@@ -0,0 +1,34 @@
<?php
declare(strict_types=1);
namespace App\Administration\Infrastructure\Security;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User as DomainUser;
/**
* Factory pour créer des SecurityUser depuis des Domain Users.
*
* Respecte le principe "No Static" d'Elegant Objects.
*
* @see Story 1.4 - Connexion utilisateur
*/
final readonly class SecurityUserFactory
{
public function fromDomainUser(DomainUser $domainUser): SecurityUser
{
return new SecurityUser(
userId: $domainUser->id,
email: (string) $domainUser->email,
hashedPassword: $domainUser->hashedPassword ?? '',
tenantId: $domainUser->tenantId,
roles: [$this->mapRoleToSymfony($domainUser->role)],
);
}
private function mapRoleToSymfony(Role $role): string
{
return $role->value;
}
}

20
backend/src/Shared/Domain/Tenant/TenantId.php Normal file
View File

@@ -0,0 +1,20 @@
<?php
declare(strict_types=1);
namespace App\Shared\Domain\Tenant;
use App\Shared\Domain\EntityId;
/**
* Identifiant unique d'un tenant (établissement scolaire).
*
* Value Object du Domain - représente l'identité d'un tenant dans le système multi-tenant.
* Chaque tenant isole ses données (utilisateurs, notes, etc.) des autres.
*
* Note: Cette classe n'est pas `final` pour permettre l'alias Infrastructure
* durant la période de migration. L'alias sera supprimé dans une version future.
*/
readonly class TenantId extends EntityId
{
}

27
backend/src/Shared/Infrastructure/Captcha/TurnstileResult.php Normal file
View File

@@ -0,0 +1,27 @@
<?php
declare(strict_types=1);
namespace App\Shared\Infrastructure\Captcha;
/**
* Résultat de la validation Turnstile.
*/
final readonly class TurnstileResult
{
private function __construct(
public bool $isValid,
public ?string $errorMessage,
) {
}
public static function valid(): self
{
return new self(isValid: true, errorMessage: null);
}
public static function invalid(string $errorMessage): self
{
return new self(isValid: false, errorMessage: $errorMessage);
}
}

115
backend/src/Shared/Infrastructure/Captcha/TurnstileValidator.php Normal file
View File

@@ -0,0 +1,115 @@
<?php
declare(strict_types=1);
namespace App\Shared\Infrastructure\Captcha;
use Psr\Log\LoggerInterface;
use Symfony\Contracts\HttpClient\HttpClientInterface;
use Throwable;
/**
* Valide les tokens Cloudflare Turnstile.
*
* @see https://developers.cloudflare.com/turnstile/get-started/server-side-validation/
* @see Story 1.4 - T8: CAPTCHA anti-bot
*/
final readonly class TurnstileValidator implements TurnstileValidatorInterface
{
private const string VERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';
private const float TIMEOUT_SECONDS = 5.0;
/**
* @param bool $failOpen Si true, les erreurs API laissent passer (dev). Si false, elles bloquent (prod).
*/
public function __construct(
private HttpClientInterface $httpClient,
private LoggerInterface $logger,
private string $secretKey,
private bool $failOpen = false,
) {
}
/**
* Valide un token Turnstile.
*
* @param string $token Le token fourni par le widget Turnstile
* @param string|null $remoteIp L'IP du client (optionnel, mais recommandé)
*/
public function validate(string $token, ?string $remoteIp = null): TurnstileResult
{
if ($token === '') {
return TurnstileResult::invalid('Token vide');
}
try {
$formData = [
'secret' => $this->secretKey,
'response' => $token,
];
if ($remoteIp !== null) {
$formData['remoteip'] = $remoteIp;
}
$response = $this->httpClient->request('POST', self::VERIFY_URL, [
'body' => $formData,
'timeout' => self::TIMEOUT_SECONDS,
]);
$data = $response->toArray();
if ($data['success'] === true) {
return TurnstileResult::valid();
}
// Erreurs possibles : https://developers.cloudflare.com/turnstile/get-started/server-side-validation/#error-codes
$errorCodes = $data['error-codes'] ?? [];
$errorMessage = $this->translateErrorCodes($errorCodes);
$this->logger->warning('Turnstile validation failed', [
'error_codes' => $errorCodes,
]);
return TurnstileResult::invalid($errorMessage);
} catch (Throwable $e) {
$this->logger->error('Turnstile API error', [
'exception' => $e->getMessage(),
'fail_open' => $this->failOpen,
]);
// Comportement configurable en cas d'erreur API
// - failOpen=true (dev): laisse passer pour ne pas bloquer le développement
// - failOpen=false (prod): bloque pour maintenir la sécurité
if ($this->failOpen) {
return TurnstileResult::valid();
}
return TurnstileResult::invalid('Service de vérification temporairement indisponible');
}
}
/**
* @param array<string> $errorCodes
*/
private function translateErrorCodes(array $errorCodes): string
{
$translations = [
'missing-input-secret' => 'Configuration serveur invalide',
'invalid-input-secret' => 'Configuration serveur invalide',
'missing-input-response' => 'Token manquant',
'invalid-input-response' => 'Token invalide ou expiré',
'bad-request' => 'Requête invalide',
'timeout-or-duplicate' => 'Token expiré ou déjà utilisé',
'internal-error' => 'Erreur serveur Cloudflare',
];
foreach ($errorCodes as $code) {
if (isset($translations[$code])) {
return $translations[$code];
}
}
return 'Vérification échouée';
}
}

19
backend/src/Shared/Infrastructure/Captcha/TurnstileValidatorInterface.php Normal file
View File

@@ -0,0 +1,19 @@
<?php
declare(strict_types=1);
namespace App\Shared\Infrastructure\Captcha;
/**
* Interface pour la validation des tokens CAPTCHA.
*/
interface TurnstileValidatorInterface
{
/**
* Valide un token CAPTCHA.
*
* @param string $token Le token fourni par le widget CAPTCHA
* @param string|null $remoteIp L'IP du client (optionnel)
*/
public function validate(string $token, ?string $remoteIp = null): TurnstileResult;
}

43
backend/src/Shared/Infrastructure/Console/ResetRateLimitCommand.php Normal file
View File

@@ -0,0 +1,43 @@
<?php
declare(strict_types=1);
namespace App\Shared\Infrastructure\Console;
use Psr\Cache\CacheItemPoolInterface;
use Symfony\Component\Console\Attribute\AsCommand;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Style\SymfonyStyle;
/**
* Réinitialise le cache du rate limiter pour les tests.
*
* Cette commande est uniquement destinée aux environnements de développement et de test.
* Elle vide tous les compteurs de tentatives de login et les blocages IP.
*/
#[AsCommand(
name: 'app:dev:reset-rate-limit',
description: 'Reset the login rate limiter cache (dev/test only)',
)]
final class ResetRateLimitCommand extends Command
{
public function __construct(
private readonly CacheItemPoolInterface $rateLimiterCache,
) {
parent::__construct();
}
protected function execute(InputInterface $input, OutputInterface $output): int
{
$io = new SymfonyStyle($input, $output);
// Clear the entire rate limiter cache pool
$this->rateLimiterCache->clear();
$io->success('Rate limiter cache has been cleared.');
return Command::SUCCESS;
}
}

222
backend/src/Shared/Infrastructure/RateLimit/LoginRateLimitListener.php Normal file
View File

@@ -0,0 +1,222 @@
<?php
declare(strict_types=1);
namespace App\Shared\Infrastructure\RateLimit;
use App\Shared\Infrastructure\Captcha\TurnstileValidatorInterface;
use function is_array;
use function is_int;
use function is_string;
use Psr\Cache\CacheItemPoolInterface;
use function sprintf;
use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
/**
* Vérifie le rate limit AVANT l'authentification.
*
* Ce listener intercepte les requêtes de login et :
* - Bloque immédiatement si l'IP est bloquée
* - Exige un CAPTCHA après 5 échecs et le valide via Cloudflare Turnstile
* - Bloque l'IP si le CAPTCHA échoue 3 fois
*
* @see Story 1.4 - AC3: Protection contre brute force
*/
#[AsEventListener(event: KernelEvents::REQUEST, priority: 10)]
final readonly class LoginRateLimitListener
{
private const int MAX_CAPTCHA_FAILURES = 3;
private const int CAPTCHA_FAILURES_TTL = 900; // 15 minutes
public function __construct(
private LoginRateLimiterInterface $rateLimiter,
private TurnstileValidatorInterface $turnstileValidator,
private CacheItemPoolInterface $rateLimiterCache,
) {
}
public function __invoke(RequestEvent $event): void
{
$request = $event->getRequest();
// Seulement pour la route de login
if ($request->getPathInfo() !== '/api/login' || $request->getMethod() !== 'POST') {
return;
}
// Extraire l'email du body JSON (avec guards contre JSON invalide)
$content = json_decode($request->getContent(), true);
if (!is_array($content)) {
return; // JSON invalide, laisser le validator gérer
}
$email = isset($content['email']) && is_string($content['email']) ? $content['email'] : null;
if ($email === null) {
return; // Laisser le validator gérer
}
// Vérifier l'état du rate limit
$result = $this->rateLimiter->check($request, $email);
// IP bloquée → 429 immédiat
if ($result->ipBlocked) {
$event->setResponse($this->createBlockedResponse($result));
return;
}
// Délai Fibonacci en cours (enforcement serveur) → 429
if (!$result->isAllowed && $result->retryAfter !== null && $result->retryAfter > 0) {
$event->setResponse($this->createDelayedResponse($result));
return;
}
// CAPTCHA requis (après 5 échecs)
if ($result->requiresCaptcha) {
$captchaToken = isset($content['captcha_token']) && is_string($content['captcha_token'])
? $content['captcha_token']
: null;
// Pas de token fourni → demander le CAPTCHA
if ($captchaToken === null || $captchaToken === '') {
$event->setResponse($this->createCaptchaRequiredResponse($result));
return;
}
// Valider le token via Cloudflare Turnstile
$ip = $request->getClientIp();
$turnstileResult = $this->turnstileValidator->validate($captchaToken, $ip);
if (!$turnstileResult->isValid) {
// CAPTCHA invalide → incrémenter les échecs CAPTCHA par IP
// Après 3 échecs CAPTCHA, bloquer l'IP
$captchaFailures = $this->recordCaptchaFailure($ip ?? 'unknown');
if ($captchaFailures >= self::MAX_CAPTCHA_FAILURES) {
$this->rateLimiter->blockIp($ip ?? 'unknown');
$event->setResponse($this->createBlockedResponse(
LoginRateLimitResult::blocked(LoginRateLimiterInterface::IP_BLOCK_DURATION)
));
return;
}
$event->setResponse($this->createCaptchaInvalidResponse(
$turnstileResult->errorMessage ?? 'Vérification échouée',
$captchaFailures,
));
return;
}
// CAPTCHA valide → réinitialiser les échecs CAPTCHA pour cette IP
$this->resetCaptchaFailures($ip ?? 'unknown');
}
// Tout est OK, continuer vers l'authentification
}
private function recordCaptchaFailure(string $ip): int
{
$key = 'captcha_failures_' . md5($ip);
$item = $this->rateLimiterCache->getItem($key);
$cached = $item->get();
$failures = $item->isHit() && is_int($cached) ? $cached + 1 : 1;
$item->set($failures);
$item->expiresAfter(self::CAPTCHA_FAILURES_TTL);
$this->rateLimiterCache->save($item);
return $failures;
}
private function resetCaptchaFailures(string $ip): void
{
$key = 'captcha_failures_' . md5($ip);
$this->rateLimiterCache->deleteItem($key);
}
private function createBlockedResponse(LoginRateLimitResult $result): JsonResponse
{
$response = new JsonResponse([
'type' => '/errors/ip-blocked',
'title' => 'Accès temporairement bloqué',
'status' => Response::HTTP_TOO_MANY_REQUESTS,
'detail' => sprintf(
'Trop de tentatives de connexion. Réessayez dans %s.',
$result->getFormattedDelay(),
),
'retryAfter' => $result->retryAfter,
], Response::HTTP_TOO_MANY_REQUESTS);
foreach ($result->toHeaders() as $name => $value) {
$response->headers->set($name, $value);
}
return $response;
}
private function createDelayedResponse(LoginRateLimitResult $result): JsonResponse
{
$response = new JsonResponse([
'type' => '/errors/rate-limited',
'title' => 'Veuillez patienter',
'status' => Response::HTTP_TOO_MANY_REQUESTS,
'detail' => sprintf(
'Veuillez patienter %s avant de réessayer.',
$result->getFormattedDelay(),
),
'retryAfter' => $result->retryAfter,
'attempts' => $result->attempts,
], Response::HTTP_TOO_MANY_REQUESTS);
foreach ($result->toHeaders() as $name => $value) {
$response->headers->set($name, $value);
}
return $response;
}
private function createCaptchaRequiredResponse(LoginRateLimitResult $result): JsonResponse
{
$response = new JsonResponse([
'type' => '/errors/captcha-required',
'title' => 'Vérification requise',
'status' => Response::HTTP_PRECONDITION_REQUIRED,
'detail' => 'Veuillez compléter la vérification de sécurité pour continuer.',
'attempts' => $result->attempts,
], Response::HTTP_PRECONDITION_REQUIRED);
foreach ($result->toHeaders() as $name => $value) {
$response->headers->set($name, $value);
}
return $response;
}
private function createCaptchaInvalidResponse(string $errorMessage, int $failures): JsonResponse
{
return new JsonResponse([
'type' => '/errors/captcha-invalid',
'title' => 'Vérification échouée',
'status' => Response::HTTP_BAD_REQUEST,
'detail' => $errorMessage,
'captchaFailures' => $failures,
'maxFailures' => self::MAX_CAPTCHA_FAILURES,
], Response::HTTP_BAD_REQUEST);
}
}

167
backend/src/Shared/Infrastructure/RateLimit/LoginRateLimitResult.php Normal file
View File

@@ -0,0 +1,167 @@
<?php
declare(strict_types=1);
namespace App\Shared\Infrastructure\RateLimit;
use function sprintf;
/**
* Résultat de la vérification du rate limit pour le login.
*
* Stratégie de protection :
* - Délai progressif Fibonacci après chaque échec (1s, 1s, 2s, 3s, 5s, 8s, 13s...)
* - CAPTCHA requis après 5 échecs
* - Blocage IP après échec CAPTCHA répété
*/
final readonly class LoginRateLimitResult
{
private function __construct(
public bool $isAllowed,
public int $attempts,
public int $delaySeconds,
public bool $requiresCaptcha,
public bool $ipBlocked,
public ?int $retryAfter,
) {
}
/**
* Tentative autorisée (éventuellement avec délai).
*/
public static function allowed(int $attempts, int $delaySeconds, bool $requiresCaptcha): self
{
return new self(
isAllowed: true,
attempts: $attempts,
delaySeconds: $delaySeconds,
requiresCaptcha: $requiresCaptcha,
ipBlocked: false,
retryAfter: $delaySeconds > 0 ? $delaySeconds : null,
);
}
/**
* IP bloquée (trop de tentatives ou échec CAPTCHA).
*/
public static function blocked(int $retryAfter): self
{
return new self(
isAllowed: false,
attempts: 0,
delaySeconds: $retryAfter,
requiresCaptcha: false,
ipBlocked: true,
retryAfter: $retryAfter,
);
}
/**
* Tentative refusée temporairement (délai Fibonacci en cours).
*/
public static function delayed(int $attempts, int $retryAfter): self
{
return new self(
isAllowed: false,
attempts: $attempts,
delaySeconds: $retryAfter,
requiresCaptcha: $attempts >= 5, // CAPTCHA_THRESHOLD
ipBlocked: false,
retryAfter: $retryAfter,
);
}
/**
* Calcule le délai Fibonacci pour un nombre de tentatives donné.
*
* Suite: 1, 1, 2, 3, 5, 8, 13, 21, 34, 55, 89... (max 89s)
*
* Mapping:
* - 1 tentative = pas de délai
* - 2 tentatives = 1s (F0)
* - 3 tentatives = 1s (F1)
* - 4 tentatives = 2s (F2)
* - 5 tentatives = 3s (F3)
* - etc.
*/
public static function fibonacciDelay(int $attempts): int
{
if ($attempts <= 1) {
return 0; // Première tentative sans délai
}
// Index dans la suite Fibonacci: attempts - 2
// Cap à F(10) = 89 secondes (index 10 dans la suite 1,1,2,3,5,8,13,21,34,55,89)
$n = min($attempts - 2, 10);
return self::fibonacci($n);
}
/**
* Calcule le n-ième nombre de Fibonacci.
*
* F(0)=1, F(1)=1, F(2)=2, F(3)=3, F(4)=5, F(5)=8, F(6)=13, F(7)=21, F(8)=34, F(9)=55, F(10)=89
*/
private static function fibonacci(int $n): int
{
if ($n <= 1) {
return 1;
}
$prev = 1;
$curr = 1;
for ($i = 2; $i <= $n; ++$i) {
$next = $prev + $curr;
$prev = $curr;
$curr = $next;
}
return $curr;
}
/**
* Génère les headers pour la réponse HTTP.
*
* @return array<string, string>
*/
public function toHeaders(): array
{
$headers = [
'X-Login-Attempts' => (string) $this->attempts,
];
if ($this->delaySeconds > 0) {
$headers['X-Login-Delay'] = (string) $this->delaySeconds;
$headers['Retry-After'] = (string) $this->delaySeconds;
}
if ($this->requiresCaptcha) {
$headers['X-Captcha-Required'] = 'true';
}
if ($this->ipBlocked) {
$headers['X-IP-Blocked'] = 'true';
}
return $headers;
}
/**
* Retourne le temps d'attente formaté pour l'utilisateur.
*/
public function getFormattedDelay(): string
{
if ($this->delaySeconds <= 0) {
return '';
}
if ($this->delaySeconds < 60) {
return sprintf('%d seconde%s', $this->delaySeconds, $this->delaySeconds > 1 ? 's' : '');
}
$minutes = (int) ceil($this->delaySeconds / 60);
return sprintf('%d minute%s', $minutes, $minutes > 1 ? 's' : '');
}
}

206
backend/src/Shared/Infrastructure/RateLimit/LoginRateLimiter.php Normal file
View File

@@ -0,0 +1,206 @@
<?php
declare(strict_types=1);
namespace App\Shared\Infrastructure\RateLimit;
use function is_int;
use Psr\Cache\CacheItemPoolInterface;
use Symfony\Component\HttpFoundation\Request;
/**
* Service de rate limiting pour les tentatives de login.
*
* Stratégie de protection multi-niveaux :
* - Délai progressif Fibonacci par email (1s, 1s, 2s, 3s, 5s, 8s, 13s, 21s, 34s, 55s, 89s max)
* - CAPTCHA requis après 5 échecs sur le même email
* - Blocage IP 15 min si trop de tentatives globales (20) ou échec CAPTCHA répété
*
* @see Story 1.4 - AC3: Protection contre brute force
*/
final readonly class LoginRateLimiter implements LoginRateLimiterInterface
{
private const string EMAIL_ATTEMPTS_PREFIX = 'login_attempts:';
private const string EMAIL_DELAY_PREFIX = 'login_delay:';
private const string IP_ATTEMPTS_PREFIX = 'login_ip:';
private const string IP_BLOCKED_PREFIX = 'login_ip_blocked:';
private const int EMAIL_ATTEMPTS_TTL = 900; // 15 minutes
private const int IP_ATTEMPTS_LIMIT = 20;
public function __construct(
private CacheItemPoolInterface $cache,
) {
}
public function check(Request $request, string $email): LoginRateLimitResult
{
$ip = $request->getClientIp() ?? 'unknown';
// Vérifier si l'IP est bloquée
if ($this->isIpBlocked($ip)) {
$blockedItem = $this->cache->getItem($this->ipBlockedKey($ip));
$blockedUntil = $blockedItem->get();
$retryAfter = is_int($blockedUntil) ? max(0, $blockedUntil - time()) : 0;
return LoginRateLimitResult::blocked($retryAfter);
}
// Vérifier si l'email est en période de délai (enforcement Fibonacci)
$delayedUntil = $this->getDelayedUntil($email);
if ($delayedUntil > time()) {
$retryAfter = $delayedUntil - time();
$attempts = $this->getAttempts($email);
return LoginRateLimitResult::delayed($attempts, $retryAfter);
}
// Récupérer le nombre de tentatives pour cet email
$attempts = $this->getAttempts($email);
$delaySeconds = LoginRateLimitResult::fibonacciDelay($attempts);
$requiresCaptcha = $attempts >= self::CAPTCHA_THRESHOLD;
return LoginRateLimitResult::allowed($attempts, $delaySeconds, $requiresCaptcha);
}
public function recordFailure(Request $request, string $email): LoginRateLimitResult
{
$ip = $request->getClientIp() ?? 'unknown';
// Incrémenter les tentatives pour l'email
$emailAttempts = $this->incrementAttempts($email);
// Incrémenter les tentatives pour l'IP
$ipAttempts = $this->incrementIpAttempts($ip);
// Bloquer l'IP si trop de tentatives globales
if ($ipAttempts >= self::IP_ATTEMPTS_LIMIT) {
$this->blockIp($ip);
return LoginRateLimitResult::blocked(self::IP_BLOCK_DURATION);
}
$delaySeconds = LoginRateLimitResult::fibonacciDelay($emailAttempts);
$requiresCaptcha = $emailAttempts >= self::CAPTCHA_THRESHOLD;
// Enregistrer le timestamp de prochaine tentative autorisée
// Cela permet d'enforcer le délai côté serveur
if ($delaySeconds > 0) {
$this->setDelayedUntil($email, time() + $delaySeconds);
}
return LoginRateLimitResult::allowed($emailAttempts, $delaySeconds, $requiresCaptcha);
}
public function reset(string $email): void
{
$key = self::EMAIL_ATTEMPTS_PREFIX . $this->normalizeEmail($email);
$this->cache->deleteItem($key);
}
public function blockIp(string $ip): void
{
$item = $this->cache->getItem($this->ipBlockedKey($ip));
$item->set(time() + self::IP_BLOCK_DURATION);
$item->expiresAfter(self::IP_BLOCK_DURATION);
$this->cache->save($item);
}
public function isIpBlocked(string $ip): bool
{
$item = $this->cache->getItem($this->ipBlockedKey($ip));
if (!$item->isHit()) {
return false;
}
$blockedUntil = $item->get();
return $blockedUntil > time();
}
private function getAttempts(string $email): int
{
$key = self::EMAIL_ATTEMPTS_PREFIX . $this->normalizeEmail($email);
$item = $this->cache->getItem($key);
if (!$item->isHit()) {
return 0;
}
$cached = $item->get();
return is_int($cached) ? $cached : 0;
}
private function incrementAttempts(string $email): int
{
$key = self::EMAIL_ATTEMPTS_PREFIX . $this->normalizeEmail($email);
$item = $this->cache->getItem($key);
$cached = $item->get();
$attempts = $item->isHit() && is_int($cached) ? $cached : 0;
++$attempts;
$item->set($attempts);
$item->expiresAfter(self::EMAIL_ATTEMPTS_TTL);
$this->cache->save($item);
return $attempts;
}
private function incrementIpAttempts(string $ip): int
{
$key = self::IP_ATTEMPTS_PREFIX . $this->hashIp($ip);
$item = $this->cache->getItem($key);
$cached = $item->get();
$attempts = $item->isHit() && is_int($cached) ? $cached : 0;
++$attempts;
$item->set($attempts);
$item->expiresAfter(self::EMAIL_ATTEMPTS_TTL);
$this->cache->save($item);
return $attempts;
}
private function ipBlockedKey(string $ip): string
{
return self::IP_BLOCKED_PREFIX . $this->hashIp($ip);
}
private function getDelayedUntil(string $email): int
{
$key = self::EMAIL_DELAY_PREFIX . $this->normalizeEmail($email);
$item = $this->cache->getItem($key);
if (!$item->isHit()) {
return 0;
}
$cached = $item->get();
return is_int($cached) ? $cached : 0;
}
private function setDelayedUntil(string $email, int $timestamp): void
{
$key = self::EMAIL_DELAY_PREFIX . $this->normalizeEmail($email);
$item = $this->cache->getItem($key);
$item->set($timestamp);
// TTL = délai + marge de sécurité
$item->expiresAfter(max(0, $timestamp - time()) + 10);
$this->cache->save($item);
}
private function normalizeEmail(string $email): string
{
return strtolower(trim($email));
}
private function hashIp(string $ip): string
{
return hash('sha256', $ip);
}
}

48
backend/src/Shared/Infrastructure/RateLimit/LoginRateLimiterInterface.php Normal file
View File

@@ -0,0 +1,48 @@
<?php
declare(strict_types=1);
namespace App\Shared\Infrastructure\RateLimit;
use Symfony\Component\HttpFoundation\Request;
/**
* Interface pour le rate limiting des tentatives de login.
*
* Stratégie de protection multi-niveaux :
* - Délai progressif Fibonacci par email (1s, 1s, 2s, 3s, 5s, 8s...)
* - CAPTCHA requis après 5 échecs
* - Blocage IP après trop de tentatives globales ou échec CAPTCHA
*/
interface LoginRateLimiterInterface
{
public const int CAPTCHA_THRESHOLD = 5;
public const int IP_BLOCK_DURATION = 900; // 15 minutes
/**
* Vérifie l'état du rate limit pour une tentative de login.
*
* Retourne le nombre de tentatives, le délai à appliquer, et si CAPTCHA est requis.
*/
public function check(Request $request, string $email): LoginRateLimitResult;
/**
* Enregistre un échec de login (incrémente le compteur, calcule le nouveau délai).
*/
public function recordFailure(Request $request, string $email): LoginRateLimitResult;
/**
* Réinitialise le compteur pour un email (après login réussi).
*/
public function reset(string $email): void;
/**
* Bloque une IP (après échec CAPTCHA répété).
*/
public function blockIp(string $ip): void;
/**
* Vérifie si une IP est bloquée.
*/
public function isIpBlocked(string $ip): bool;
}

41
backend/src/Shared/Infrastructure/RateLimit/NullLoginRateLimiter.php Normal file
View File

@@ -0,0 +1,41 @@
<?php
declare(strict_types=1);
namespace App\Shared\Infrastructure\RateLimit;
use Symfony\Component\HttpFoundation\Request;
/**
* Implémentation "null" du rate limiter pour les environnements de test.
*
* Cette implémentation ne fait rien - elle permet de bypasser le rate limiting
* pour les tests E2E où l'IP est partagée entre tous les tests.
*/
final readonly class NullLoginRateLimiter implements LoginRateLimiterInterface
{
public function check(Request $request, string $email): LoginRateLimitResult
{
return LoginRateLimitResult::allowed(attempts: 0, delaySeconds: 0, requiresCaptcha: false);
}
public function recordFailure(Request $request, string $email): LoginRateLimitResult
{
return LoginRateLimitResult::allowed(attempts: 1, delaySeconds: 0, requiresCaptcha: false);
}
public function reset(string $email): void
{
// No-op
}
public function blockIp(string $ip): void
{
// No-op
}
public function isIpBlocked(string $ip): bool
{
return false;
}
}

10
backend/src/Shared/Infrastructure/Tenant/TenantId.php
View File

@@ -4,8 +4,14 @@ declare(strict_types=1);
namespace App\Shared\Infrastructure\Tenant;
use App\Shared\Domain\EntityId;
use App\Shared\Domain\Tenant\TenantId as DomainTenantId;
final readonly class TenantId extends EntityId
/**
* Infrastructure alias for Domain TenantId.
*
* @deprecated Use App\Shared\Domain\Tenant\TenantId instead in Domain layer code.
* This alias exists for backwards compatibility in Infrastructure layer.
*/
final readonly class TenantId extends DomainTenantId
{
}

150
backend/templates/email/lockout_alert.html.twig Normal file
View File

@@ -0,0 +1,150 @@
<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Alerte de sécurité - Classeo</title>
<style>
body {
font-family: 'Inter', -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
line-height: 1.6;
color: #1e293b;
background-color: #f8fafc;
margin: 0;
padding: 20px;
}
.container {
max-width: 560px;
margin: 0 auto;
background: #ffffff;
border-radius: 12px;
box-shadow: 0 1px 3px rgba(0, 0, 0, 0.08);
overflow: hidden;
}
.header {
background: linear-gradient(135deg, #ef4444 0%, #dc2626 100%);
padding: 24px 32px;
text-align: center;
}
.header h1 {
color: #ffffff;
font-size: 20px;
font-weight: 600;
margin: 0;
}
.content {
padding: 32px;
}
.alert-icon {
text-align: center;
margin-bottom: 24px;
}
.alert-icon span {
display: inline-block;
width: 48px;
height: 48px;
background: #fef2f2;
border-radius: 50%;
line-height: 48px;
font-size: 24px;
}
.message {
margin-bottom: 24px;
}
.info-box {
background: #f8fafc;
border: 1px solid #e2e8f0;
border-radius: 8px;
padding: 16px;
margin: 24px 0;
}
.info-box table {
width: 100%;
border-collapse: collapse;
}
.info-box td {
padding: 6px 0;
font-size: 14px;
}
.info-box td:first-child {
color: #64748b;
width: 120px;
}
.warning {
background: #fffbeb;
border-left: 4px solid #f59e0b;
padding: 12px 16px;
margin: 24px 0;
font-size: 14px;
color: #92400e;
}
.footer {
background: #f8fafc;
padding: 20px 32px;
text-align: center;
font-size: 13px;
color: #64748b;
border-top: 1px solid #e2e8f0;
}
.logo {
font-weight: 700;
color: #0ea5e9;
}
</style>
</head>
<body>
<div class="container">
<div class="header">
<h1>🔒 Alerte de sécurité</h1>
</div>
<div class="content">
<div class="alert-icon">
<span>⚠️</span>
</div>
<div class="message">
<p>Bonjour,</p>
<p>
Nous avons détecté <strong>{{ failedAttempts }} tentatives de connexion échouées</strong>
sur votre compte Classeo. Par mesure de sécurité, votre compte a été
<strong>temporairement bloqué</strong>.
</p>
</div>
<div class="info-box">
<table>
<tr>
<td>Date :</td>
<td>{{ occurredOn|date('d/m/Y à H:i') }}</td>
</tr>
<tr>
<td>Adresse IP :</td>
<td>{{ ipAddress }}</td>
</tr>
<tr>
<td>Durée du blocage :</td>
<td>{{ blockedForMinutes }} minutes</td>
</tr>
</table>
</div>
<div class="warning">
<strong>Si vous n'êtes pas à l'origine de ces tentatives</strong>, nous vous recommandons de
changer votre mot de passe dès que possible après le déblocage de votre compte.
</div>
<p>
Vous pourrez vous reconnecter dans <strong>{{ blockedForMinutes }} minutes</strong>.
</p>
<p style="color: #64748b; font-size: 14px;">
Si vous avez des questions, contactez l'administration de votre établissement.
</p>
</div>
<div class="footer">
<p><span class="logo">📚 Classeo</span> — L'application qui rend serein</p>
<p>Cet email a été envoyé automatiquement suite à une alerte de sécurité.</p>
</div>
</div>
</body>
</html>

23
backend/templates/email/lockout_alert.txt.twig Normal file
View File

@@ -0,0 +1,23 @@
ALERTE DE SÉCURITÉ - Classeo
=============================
Bonjour,
Nous avons détecté {{ failedAttempts }} tentatives de connexion échouées sur votre compte Classeo. Par mesure de sécurité, votre compte a été temporairement bloqué.
Détails :
---------
Date : {{ occurredOn|date('d/m/Y à H:i') }}
Adresse IP : {{ ipAddress }}
Durée du blocage : {{ blockedForMinutes }} minutes
⚠️ IMPORTANT
Si vous n'êtes pas à l'origine de ces tentatives, nous vous recommandons de changer votre mot de passe dès que possible après le déblocage de votre compte.
Vous pourrez vous reconnecter dans {{ blockedForMinutes }} minutes.
Si vous avez des questions, contactez l'administration de votre établissement.
---
📚 Classeo — L'application qui rend serein
Cet email a été envoyé automatiquement suite à une alerte de sécurité.

2
backend/tests/Unit/Administration/Application/Command/ActivateAccount/ActivateAccountHandlerTest.php
View File

@@ -14,7 +14,7 @@ use App\Administration\Domain\Exception\ActivationTokenNotFoundException;
use App\Administration\Domain\Model\ActivationToken\ActivationToken;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryActivationTokenRepository;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use Override;
use PHPUnit\Framework\Attributes\Test;

221
backend/tests/Unit/Administration/Application/Service/RefreshTokenManagerTest.php Normal file
View File

@@ -0,0 +1,221 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Service;
use App\Administration\Application\Service\RefreshTokenManager;
use App\Administration\Domain\Exception\TokenAlreadyRotatedException;
use App\Administration\Domain\Exception\TokenReplayDetectedException;
use App\Administration\Domain\Model\RefreshToken\DeviceFingerprint;
use App\Administration\Domain\Model\RefreshToken\RefreshToken;
use App\Administration\Domain\Model\RefreshToken\RefreshTokenId;
use App\Administration\Domain\Model\RefreshToken\TokenFamilyId;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\RefreshTokenRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use InvalidArgumentException;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class RefreshTokenManagerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private RefreshTokenRepository $repository;
private Clock $clock;
private RefreshTokenManager $manager;
protected function setUp(): void
{
$this->repository = $this->createMock(RefreshTokenRepository::class);
$this->clock = new class implements Clock {
public DateTimeImmutable $now;
public function __construct()
{
$this->now = new DateTimeImmutable('2026-01-31 10:00:00');
}
public function now(): DateTimeImmutable
{
return $this->now;
}
};
$this->manager = new RefreshTokenManager($this->repository, $this->clock);
}
#[Test]
public function createGeneratesAndSavesNewToken(): void
{
$userId = UserId::generate();
$tenantId = TenantId::fromString(self::TENANT_ID);
$fingerprint = DeviceFingerprint::fromRequest('Mozilla/5.0', '192.168.1.1');
$this->repository->expects(self::once())
->method('save')
->with(self::isInstanceOf(RefreshToken::class));
$token = $this->manager->create($userId, $tenantId, $fingerprint);
self::assertSame($userId, $token->userId);
self::assertSame($tenantId, $token->tenantId);
}
#[Test]
public function refreshThrowsForTokenNotFound(): void
{
$this->repository->method('find')->willReturn(null);
$this->expectException(InvalidArgumentException::class);
$this->expectExceptionMessage('Token not found');
// Use a valid UUID format for the token ID
$validUuid = '550e8400-e29b-41d4-a716-446655440099';
$this->manager->refresh(
base64_encode($validUuid),
DeviceFingerprint::fromRequest('Mozilla/5.0', '192.168.1.1'),
);
}
#[Test]
public function refreshRotatesTokenAndReturnsNew(): void
{
$existingToken = $this->createExistingToken(isRotated: false);
$tokenString = $existingToken->toTokenString();
$fingerprint = $existingToken->deviceFingerprint;
$this->repository->method('find')
->willReturn($existingToken);
$this->repository->expects(self::exactly(2))
->method('save');
$newToken = $this->manager->refresh($tokenString, $fingerprint);
self::assertNotEquals($existingToken->id, $newToken->id);
self::assertEquals($existingToken->familyId, $newToken->familyId);
}
#[Test]
public function refreshThrowsForExpiredToken(): void
{
$expiredToken = RefreshToken::create(
UserId::generate(),
TenantId::fromString(self::TENANT_ID),
DeviceFingerprint::fromRequest('Mozilla/5.0', '192.168.1.1'),
new DateTimeImmutable('2026-01-01 10:00:00'), // Issued long ago
3600, // 1 hour TTL - expired
);
$this->repository->method('find')->willReturn($expiredToken);
$this->repository->expects(self::once())->method('delete');
$this->expectException(InvalidArgumentException::class);
$this->expectExceptionMessage('expired');
$this->manager->refresh(
$expiredToken->toTokenString(),
$expiredToken->deviceFingerprint,
);
}
#[Test]
public function refreshThrowsAndInvalidatesFamilyForWrongDevice(): void
{
$existingToken = $this->createExistingToken();
$differentFingerprint = DeviceFingerprint::fromRequest('Chrome/110', '10.0.0.1');
$this->repository->method('find')->willReturn($existingToken);
$this->repository->expects(self::once())
->method('invalidateFamily')
->with($existingToken->familyId);
$this->expectException(TokenReplayDetectedException::class);
$this->manager->refresh($existingToken->toTokenString(), $differentFingerprint);
}
#[Test]
public function refreshThrowsAndInvalidatesFamilyForReplayAttack(): void
{
// Token rotaté il y a plus de 30 secondes (hors grace period)
$rotatedToken = $this->createExistingToken(
isRotated: true,
issuedAt: new DateTimeImmutable('2026-01-31 09:00:00'),
rotatedAt: new DateTimeImmutable('2026-01-31 09:30:00'), // Rotaté 30 min avant "now"
);
$this->repository->method('find')->willReturn($rotatedToken);
$this->repository->expects(self::once())
->method('invalidateFamily')
->with($rotatedToken->familyId);
$this->expectException(TokenReplayDetectedException::class);
$this->manager->refresh(
$rotatedToken->toTokenString(),
$rotatedToken->deviceFingerprint,
);
}
#[Test]
public function refreshThrowsTokenAlreadyRotatedForGracePeriod(): void
{
// Token rotaté il y a 10 secondes (dans la grace period de 30s)
$rotatedToken = $this->createExistingToken(
isRotated: true,
issuedAt: new DateTimeImmutable('2026-01-31 09:00:00'),
rotatedAt: new DateTimeImmutable('2026-01-31 09:59:50'), // Rotaté 10s avant "now" (10:00:00)
);
$this->repository->method('find')->willReturn($rotatedToken);
// Ne doit PAS invalider la famille
$this->repository->expects(self::never())->method('invalidateFamily');
$this->expectException(TokenAlreadyRotatedException::class);
$this->manager->refresh(
$rotatedToken->toTokenString(),
$rotatedToken->deviceFingerprint,
);
}
#[Test]
public function revokeInvalidatesTokenFamily(): void
{
$existingToken = $this->createExistingToken();
$this->repository->method('find')->willReturn($existingToken);
$this->repository->expects(self::once())
->method('invalidateFamily')
->with($existingToken->familyId);
$this->manager->revoke($existingToken->toTokenString());
}
private function createExistingToken(
bool $isRotated = false,
?DateTimeImmutable $issuedAt = null,
?DateTimeImmutable $rotatedAt = null,
): RefreshToken {
$issuedAt ??= new DateTimeImmutable('2026-01-31 09:00:00');
return RefreshToken::reconstitute(
id: RefreshTokenId::generate(),
familyId: TokenFamilyId::generate(),
userId: UserId::generate(),
tenantId: TenantId::fromString(self::TENANT_ID),
deviceFingerprint: DeviceFingerprint::fromRequest('Mozilla/5.0', '192.168.1.1'),
issuedAt: $issuedAt,
expiresAt: $issuedAt->modify('+7 days'),
rotatedFrom: null,
isRotated: $isRotated,
rotatedAt: $rotatedAt,
);
}
}

2
backend/tests/Unit/Administration/Domain/Model/ActivationToken/ActivationTokenTest.php
View File

@@ -10,7 +10,7 @@ use App\Administration\Domain\Exception\ActivationTokenAlreadyUsedException;
use App\Administration\Domain\Exception\ActivationTokenExpiredException;
use App\Administration\Domain\Model\ActivationToken\ActivationToken;
use App\Administration\Domain\Model\ActivationToken\ActivationTokenId;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;

175
backend/tests/Unit/Administration/Domain/Model/RefreshToken/RefreshTokenTest.php Normal file
View File

@@ -0,0 +1,175 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Domain\Model\RefreshToken;
use App\Administration\Domain\Model\RefreshToken\DeviceFingerprint;
use App\Administration\Domain\Model\RefreshToken\RefreshToken;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class RefreshTokenTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
#[Test]
public function createGeneratesTokenWithCorrectData(): void
{
$userId = UserId::generate();
$tenantId = TenantId::fromString(self::TENANT_ID);
$fingerprint = DeviceFingerprint::fromRequest('Mozilla/5.0', '192.168.1.1');
$issuedAt = new DateTimeImmutable('2026-01-31 10:00:00');
$token = RefreshToken::create($userId, $tenantId, $fingerprint, $issuedAt);
self::assertSame($userId, $token->userId);
self::assertSame($tenantId, $token->tenantId);
self::assertTrue($token->deviceFingerprint->equals($fingerprint));
self::assertEquals($issuedAt, $token->issuedAt);
self::assertNull($token->rotatedFrom);
self::assertFalse($token->isRotated);
}
#[Test]
public function createSetsExpirationBasedOnTtl(): void
{
$issuedAt = new DateTimeImmutable('2026-01-31 10:00:00');
$ttl = 86400; // 1 day
$token = RefreshToken::create(
UserId::generate(),
TenantId::fromString(self::TENANT_ID),
DeviceFingerprint::fromRequest('Mozilla/5.0', '192.168.1.1'),
$issuedAt,
$ttl,
);
$expectedExpiry = $issuedAt->modify('+86400 seconds');
self::assertEquals($expectedExpiry, $token->expiresAt);
}
#[Test]
public function rotateCreatesNewTokenWithSameFamily(): void
{
$token = $this->createToken();
$rotateAt = new DateTimeImmutable('2026-01-31 11:00:00');
[$newToken, $oldToken] = $token->rotate($rotateAt);
// Nouveau token
self::assertNotSame($token->id, $newToken->id);
self::assertSame($token->familyId, $newToken->familyId);
self::assertSame($token->userId, $newToken->userId);
self::assertSame($token->id, $newToken->rotatedFrom);
self::assertFalse($newToken->isRotated);
// Ancien token marqué comme rotaté
self::assertSame($token->id, $oldToken->id);
self::assertTrue($oldToken->isRotated);
}
#[Test]
public function isExpiredReturnsTrueWhenPastExpiration(): void
{
$issuedAt = new DateTimeImmutable('2026-01-31 10:00:00');
$token = RefreshToken::create(
UserId::generate(),
TenantId::fromString(self::TENANT_ID),
DeviceFingerprint::fromRequest('Mozilla/5.0', '192.168.1.1'),
$issuedAt,
3600, // 1 hour
);
self::assertFalse($token->isExpired(new DateTimeImmutable('2026-01-31 10:30:00')));
self::assertTrue($token->isExpired(new DateTimeImmutable('2026-01-31 11:30:00')));
}
#[Test]
public function isInGracePeriodReturnsTrueWithin30SecondsOfRotation(): void
{
$token = $this->createToken();
$rotateAt = new DateTimeImmutable('2026-01-31 11:00:00');
[$_, $oldToken] = $token->rotate($rotateAt);
// Dans la grace period (30s après rotation)
self::assertTrue($oldToken->isInGracePeriod(new DateTimeImmutable('2026-01-31 11:00:15')));
self::assertTrue($oldToken->isInGracePeriod(new DateTimeImmutable('2026-01-31 11:00:30')));
// Après la grace period
self::assertFalse($oldToken->isInGracePeriod(new DateTimeImmutable('2026-01-31 11:00:31')));
self::assertFalse($oldToken->isInGracePeriod(new DateTimeImmutable('2026-01-31 11:01:00')));
}
#[Test]
public function rotatePreservesOriginalTtl(): void
{
$issuedAt = new DateTimeImmutable('2026-01-31 10:00:00');
$originalTtl = 86400; // 1 day (web session)
$token = RefreshToken::create(
UserId::generate(),
TenantId::fromString(self::TENANT_ID),
DeviceFingerprint::fromRequest('Mozilla/5.0', '192.168.1.1'),
$issuedAt,
$originalTtl,
);
$rotateAt = new DateTimeImmutable('2026-01-31 14:00:00');
[$newToken, $oldToken] = $token->rotate($rotateAt);
// Le nouveau token doit avoir le même TTL que l'original
$expectedExpiry = $rotateAt->modify("+{$originalTtl} seconds");
self::assertEquals($expectedExpiry, $newToken->expiresAt);
// L'ancien token garde son expiration originale
self::assertEquals($issuedAt->modify("+{$originalTtl} seconds"), $oldToken->expiresAt);
// L'ancien token a rotatedAt défini
self::assertEquals($rotateAt, $oldToken->rotatedAt);
self::assertNull($newToken->rotatedAt);
}
#[Test]
public function matchesDeviceReturnsTrueForSameFingerprint(): void
{
$fingerprint = DeviceFingerprint::fromRequest('Mozilla/5.0', '192.168.1.1');
$token = RefreshToken::create(
UserId::generate(),
TenantId::fromString(self::TENANT_ID),
$fingerprint,
new DateTimeImmutable(),
);
$sameFingerprint = DeviceFingerprint::fromRequest('Mozilla/5.0', '192.168.1.1');
$differentFingerprint = DeviceFingerprint::fromRequest('Chrome/110', '10.0.0.1');
self::assertTrue($token->matchesDevice($sameFingerprint));
self::assertFalse($token->matchesDevice($differentFingerprint));
}
#[Test]
public function toTokenStringAndExtractIdRoundTrips(): void
{
$token = $this->createToken();
$tokenString = $token->toTokenString();
$extractedId = RefreshToken::extractIdFromTokenString($tokenString);
self::assertEquals($token->id, $extractedId);
}
private function createToken(): RefreshToken
{
return RefreshToken::create(
UserId::generate(),
TenantId::fromString(self::TENANT_ID),
DeviceFingerprint::fromRequest('Mozilla/5.0', '192.168.1.1'),
new DateTimeImmutable('2026-01-31 10:00:00'),
);
}
}

2
backend/tests/Unit/Administration/Domain/Model/User/UserTest.php
View File

@@ -14,7 +14,7 @@ use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;

4
backend/tests/Unit/Administration/Infrastructure/Api/Processor/ActivateAccountProcessorTest.php
View File

@@ -16,7 +16,7 @@ use App\Administration\Infrastructure\Api\Processor\ActivateAccountProcessor;
use App\Administration\Infrastructure\Api\Resource\ActivateAccountInput;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryActivationTokenRepository;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
@@ -163,7 +163,7 @@ final class ActivateAccountProcessorTest extends TestCase
return null;
}
public function findByEmail(\App\Administration\Domain\Model\User\Email $email): ?\App\Administration\Domain\Model\User\User
public function findByEmail(\App\Administration\Domain\Model\User\Email $email, TenantId $tenantId): ?\App\Administration\Domain\Model\User\User
{
return null;
}

103
backend/tests/Unit/Administration/Infrastructure/Persistence/Cache/CacheUserRepositoryTest.php
View File

@@ -18,12 +18,15 @@ use Psr\Cache\CacheItemPoolInterface;
/**
* Tests for CacheUserRepository.
*
* Key invariant: Users must not expire from cache (unlike activation tokens which have 7-day TTL).
* This was a bug where users were stored in the activation_tokens.cache pool with TTL,
* causing activated accounts to become inaccessible after 7 days.
* Key invariants:
* - Users must not expire from cache (unlike activation tokens which have 7-day TTL)
* - Email lookups are scoped by tenant ID for multi-tenant isolation
*/
final class CacheUserRepositoryTest extends TestCase
{
private const string TENANT_ALPHA_ID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890';
private const string TENANT_BETA_ID = 'b2c3d4e5-f6a7-8901-bcde-f12345678901';
#[Test]
public function userIsSavedWithoutExpiration(): void
{
@@ -48,7 +51,7 @@ final class CacheUserRepositoryTest extends TestCase
$user = User::creer(
email: new Email('test@example.com'),
role: Role::PARENT,
tenantId: TenantId::fromString('550e8400-e29b-41d4-a716-446655440001'),
tenantId: TenantId::fromString(self::TENANT_ALPHA_ID),
schoolName: 'École Test',
dateNaissance: null,
createdAt: new DateTimeImmutable(),
@@ -72,13 +75,12 @@ final class CacheUserRepositoryTest extends TestCase
// Arrange
$userId = '550e8400-e29b-41d4-a716-446655440001';
$email = 'test@example.com';
$tenantId = '550e8400-e29b-41d4-a716-446655440002';
$userData = [
'id' => $userId,
'email' => $email,
'role' => 'ROLE_PARENT',
'tenant_id' => $tenantId,
'tenant_id' => self::TENANT_ALPHA_ID,
'school_name' => 'École Test',
'statut' => 'pending',
'hashed_password' => null,
@@ -108,18 +110,18 @@ final class CacheUserRepositoryTest extends TestCase
}
#[Test]
public function userCanBeRetrievedByEmail(): void
public function userCanBeRetrievedByEmailWithinSameTenant(): void
{
// Arrange
$userId = '550e8400-e29b-41d4-a716-446655440001';
$email = 'test@example.com';
$tenantId = '550e8400-e29b-41d4-a716-446655440002';
$tenantId = TenantId::fromString(self::TENANT_ALPHA_ID);
$userData = [
'id' => $userId,
'email' => $email,
'role' => 'ROLE_PARENT',
'tenant_id' => $tenantId,
'tenant_id' => self::TENANT_ALPHA_ID,
'school_name' => 'École Test',
'statut' => 'pending',
'hashed_password' => null,
@@ -139,8 +141,10 @@ final class CacheUserRepositoryTest extends TestCase
$cachePool = $this->createMock(CacheItemPoolInterface::class);
$cachePool->method('getItem')
->willReturnCallback(static function ($key) use ($emailIndexItem, $userItem) {
if (str_starts_with($key, 'user_email:')) {
->willReturnCallback(static function ($key) use ($emailIndexItem, $userItem, $tenantId) {
// Email index key should include tenant ID
$expectedEmailKey = 'user_email:' . $tenantId . ':test_at_example_dot_com';
if ($key === $expectedEmailKey) {
return $emailIndexItem;
}
@@ -150,11 +154,86 @@ final class CacheUserRepositoryTest extends TestCase
$repository = new CacheUserRepository($cachePool);
// Act
$user = $repository->findByEmail(new Email($email));
$user = $repository->findByEmail(new Email($email), $tenantId);
// Assert
self::assertNotNull($user);
self::assertSame($userId, (string) $user->id);
self::assertSame($email, (string) $user->email);
}
#[Test]
public function userCannotBeFoundByEmailInDifferentTenant(): void
{
// Arrange: User exists in tenant Alpha
$tenantAlpha = TenantId::fromString(self::TENANT_ALPHA_ID);
$tenantBeta = TenantId::fromString(self::TENANT_BETA_ID);
$email = new Email('test@example.com');
// Cache miss for tenant Beta's email index
$missItem = $this->createMock(CacheItemInterface::class);
$missItem->method('isHit')->willReturn(false);
$cachePool = $this->createMock(CacheItemPoolInterface::class);
$cachePool->method('getItem')
->willReturnCallback(static function ($key) use ($missItem, $tenantBeta) {
// When looking up with tenant Beta, return cache miss
$betaEmailKey = 'user_email:' . $tenantBeta . ':test_at_example_dot_com';
if ($key === $betaEmailKey) {
return $missItem;
}
// For any other key, also return miss
return $missItem;
});
$repository = new CacheUserRepository($cachePool);
// Act: Try to find user in tenant Beta (where they don't exist)
$user = $repository->findByEmail($email, $tenantBeta);
// Assert: User should not be found
self::assertNull($user, 'User from tenant Alpha should not be found when searching in tenant Beta');
}
#[Test]
public function emailIndexKeyIncludesTenantId(): void
{
// Arrange: Track what cache keys are used
$savedKeys = [];
$cacheItem = $this->createMock(CacheItemInterface::class);
$cacheItem->method('set')->willReturnSelf();
$cachePool = $this->createMock(CacheItemPoolInterface::class);
$cachePool->method('getItem')
->willReturnCallback(static function ($key) use (&$savedKeys, $cacheItem) {
$savedKeys[] = $key;
return $cacheItem;
});
$cachePool->method('save')->willReturn(true);
$repository = new CacheUserRepository($cachePool);
$user = User::creer(
email: new Email('test@example.com'),
role: Role::PARENT,
tenantId: TenantId::fromString(self::TENANT_ALPHA_ID),
schoolName: 'École Test',
dateNaissance: null,
createdAt: new DateTimeImmutable(),
);
// Act
$repository->save($user);
// Assert: Email index key should include tenant ID
$emailIndexKey = 'user_email:' . self::TENANT_ALPHA_ID . ':test_at_example_dot_com';
self::assertContains(
$emailIndexKey,
$savedKeys,
'Email index cache key should include tenant ID for multi-tenant isolation'
);
}
}

223
backend/tests/Unit/Administration/Infrastructure/Security/DatabaseUserProviderTest.php Normal file
View File

@@ -0,0 +1,223 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Infrastructure\Security;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Repository\UserRepository;
use App\Administration\Infrastructure\Security\DatabaseUserProvider;
use App\Administration\Infrastructure\Security\SecurityUser;
use App\Administration\Infrastructure\Security\SecurityUserFactory;
use App\Shared\Infrastructure\Tenant\InMemoryTenantRegistry;
use App\Shared\Infrastructure\Tenant\TenantConfig;
use App\Shared\Infrastructure\Tenant\TenantId;
use App\Shared\Infrastructure\Tenant\TenantResolver;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
use stdClass;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Exception\UserNotFoundException;
final class DatabaseUserProviderTest extends TestCase
{
private const string TENANT_ALPHA_ID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890';
private const string TENANT_BETA_ID = 'b2c3d4e5-f6a7-8901-bcde-f12345678901';
#[Test]
public function loadUserByIdentifierReturnsSecurityUserForActiveAccount(): void
{
$tenantId = TenantId::fromString(self::TENANT_ALPHA_ID);
$domainUser = $this->createUser($tenantId, StatutCompte::ACTIF, hashedPassword: '$argon2id$hash');
$repository = $this->createMock(UserRepository::class);
$repository->method('findByEmail')
->with(
self::callback(static fn (Email $email) => (string) $email === 'user@example.com'),
self::callback(static fn (TenantId $id) => (string) $id === self::TENANT_ALPHA_ID)
)
->willReturn($domainUser);
$provider = $this->createProvider($repository, 'ecole-alpha.classeo.local');
$securityUser = $provider->loadUserByIdentifier('user@example.com');
self::assertInstanceOf(SecurityUser::class, $securityUser);
self::assertSame((string) $domainUser->email, $securityUser->getUserIdentifier());
self::assertSame((string) $domainUser->id, $securityUser->userId());
}
#[Test]
public function loadUserByIdentifierThrowsForNonExistentUser(): void
{
$repository = $this->createMock(UserRepository::class);
$repository->method('findByEmail')->willReturn(null);
$provider = $this->createProvider($repository, 'ecole-alpha.classeo.local');
$this->expectException(UserNotFoundException::class);
$provider->loadUserByIdentifier('nonexistent@example.com');
}
#[Test]
public function loadUserByIdentifierThrowsForInactiveAccount(): void
{
$tenantId = TenantId::fromString(self::TENANT_ALPHA_ID);
$domainUser = $this->createUser($tenantId, StatutCompte::EN_ATTENTE);
$repository = $this->createMock(UserRepository::class);
$repository->method('findByEmail')->willReturn($domainUser);
$provider = $this->createProvider($repository, 'ecole-alpha.classeo.local');
// Should throw because account is not active (AC2: no account existence revelation)
$this->expectException(UserNotFoundException::class);
$provider->loadUserByIdentifier('user@example.com');
}
#[Test]
public function loadUserByIdentifierThrowsForUnknownTenant(): void
{
$repository = $this->createMock(UserRepository::class);
// Repository should not even be called if tenant is unknown
$repository->expects(self::never())->method('findByEmail');
$provider = $this->createProvider($repository, 'unknown-tenant.classeo.local');
// Should throw generic error (don't reveal tenant doesn't exist)
$this->expectException(UserNotFoundException::class);
$provider->loadUserByIdentifier('user@example.com');
}
#[Test]
public function loadUserByIdentifierUsesCorrectTenantFromRequest(): void
{
$tenantAlphaId = TenantId::fromString(self::TENANT_ALPHA_ID);
$tenantBetaId = TenantId::fromString(self::TENANT_BETA_ID);
// User exists in Alpha but not in Beta
$domainUser = $this->createUser($tenantAlphaId, StatutCompte::ACTIF, hashedPassword: '$argon2id$hash');
$repository = $this->createMock(UserRepository::class);
$repository->method('findByEmail')
->willReturnCallback(static function (Email $email, TenantId $tenantId) use ($domainUser, $tenantAlphaId) {
// Only return user if looking in Alpha tenant
if ((string) $tenantId === (string) $tenantAlphaId) {
return $domainUser;
}
return null;
});
// Request comes from Beta tenant
$provider = $this->createProvider($repository, 'ecole-beta.classeo.local');
// Should throw because user doesn't exist in Beta tenant
$this->expectException(UserNotFoundException::class);
$provider->loadUserByIdentifier('user@example.com');
}
#[Test]
public function refreshUserReloadsUserFromRepository(): void
{
$tenantId = TenantId::fromString(self::TENANT_ALPHA_ID);
$domainUser = $this->createUser($tenantId, StatutCompte::ACTIF, hashedPassword: '$argon2id$hash');
$repository = $this->createMock(UserRepository::class);
$repository->expects(self::once())
->method('findByEmail')
->willReturn($domainUser);
$provider = $this->createProvider($repository, 'ecole-alpha.classeo.local');
$factory = new SecurityUserFactory();
$existingSecurityUser = $factory->fromDomainUser($domainUser);
$refreshedUser = $provider->refreshUser($existingSecurityUser);
self::assertInstanceOf(SecurityUser::class, $refreshedUser);
}
#[Test]
public function supportsClassReturnsTrueForSecurityUser(): void
{
$repository = $this->createMock(UserRepository::class);
$provider = $this->createProvider($repository, 'ecole-alpha.classeo.local');
self::assertTrue($provider->supportsClass(SecurityUser::class));
self::assertFalse($provider->supportsClass(stdClass::class));
}
#[Test]
public function localhostFallsBackToEcoleAlphaTenant(): void
{
$tenantAlphaId = TenantId::fromString(self::TENANT_ALPHA_ID);
$domainUser = $this->createUser($tenantAlphaId, StatutCompte::ACTIF, hashedPassword: '$argon2id$hash');
$repository = $this->createMock(UserRepository::class);
$repository->method('findByEmail')
->with(
self::callback(static fn (Email $email) => (string) $email === 'user@example.com'),
// Should use ecole-alpha tenant ID when accessed from localhost
self::callback(static fn (TenantId $id) => (string) $id === self::TENANT_ALPHA_ID)
)
->willReturn($domainUser);
// Request from localhost should use ecole-alpha tenant
$provider = $this->createProvider($repository, 'localhost');
$securityUser = $provider->loadUserByIdentifier('user@example.com');
self::assertInstanceOf(SecurityUser::class, $securityUser);
}
private function createProvider(UserRepository $repository, string $host): DatabaseUserProvider
{
$tenantRegistry = new InMemoryTenantRegistry([
new TenantConfig(
TenantId::fromString(self::TENANT_ALPHA_ID),
'ecole-alpha',
'postgresql://localhost/alpha'
),
new TenantConfig(
TenantId::fromString(self::TENANT_BETA_ID),
'ecole-beta',
'postgresql://localhost/beta'
),
]);
$tenantResolver = new TenantResolver($tenantRegistry, 'classeo.local');
$request = Request::create('https://' . $host . '/api/login');
$requestStack = new RequestStack();
$requestStack->push($request);
return new DatabaseUserProvider($repository, $tenantResolver, $requestStack, new SecurityUserFactory());
}
private function createUser(TenantId $tenantId, StatutCompte $statut, ?string $hashedPassword = null): User
{
return User::reconstitute(
id: UserId::generate(),
email: new Email('user@example.com'),
role: Role::PARENT,
tenantId: $tenantId,
schoolName: 'École Test',
statut: $statut,
dateNaissance: null,
createdAt: new DateTimeImmutable('2026-01-15 10:00:00'),
hashedPassword: $hashedPassword,
activatedAt: $statut === StatutCompte::ACTIF ? new DateTimeImmutable() : null,
consentementParental: null,
);
}
}

92
backend/tests/Unit/Administration/Infrastructure/Security/JwtPayloadEnricherTest.php Normal file
View File

@@ -0,0 +1,92 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Infrastructure\Security;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Infrastructure\Security\JwtPayloadEnricher;
use App\Administration\Infrastructure\Security\SecurityUser;
use App\Shared\Infrastructure\Tenant\TenantId;
use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTCreatedEvent;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class JwtPayloadEnricherTest extends TestCase
{
private JwtPayloadEnricher $enricher;
protected function setUp(): void
{
$this->enricher = new JwtPayloadEnricher();
}
#[Test]
public function onJWTCreatedAddsCustomClaimsToPayload(): void
{
$userId = UserId::generate();
$tenantId = TenantId::fromString('550e8400-e29b-41d4-a716-446655440002');
$securityUser = new SecurityUser(
userId: $userId,
email: 'user@example.com',
hashedPassword: 'hashed',
tenantId: $tenantId,
roles: ['ROLE_PARENT'],
);
$initialPayload = ['username' => 'user@example.com'];
$event = new JWTCreatedEvent($initialPayload, $securityUser);
$this->enricher->onJWTCreated($event);
$payload = $event->getData();
self::assertSame((string) $userId, $payload['user_id']);
self::assertSame((string) $tenantId, $payload['tenant_id']);
self::assertSame(['ROLE_PARENT'], $payload['roles']);
}
#[Test]
public function onJWTCreatedPreservesExistingPayloadData(): void
{
$securityUser = new SecurityUser(
userId: UserId::generate(),
email: 'user@example.com',
hashedPassword: 'hashed',
tenantId: TenantId::fromString('550e8400-e29b-41d4-a716-446655440002'),
roles: ['ROLE_ADMIN'],
);
$initialPayload = [
'username' => 'user@example.com',
'iat' => 1706436600,
'exp' => 1706438400,
];
$event = new JWTCreatedEvent($initialPayload, $securityUser);
$this->enricher->onJWTCreated($event);
$payload = $event->getData();
self::assertSame('user@example.com', $payload['username']);
self::assertSame(1706436600, $payload['iat']);
self::assertSame(1706438400, $payload['exp']);
}
#[Test]
public function onJWTCreatedDoesNothingForNonSecurityUser(): void
{
$nonSecurityUser = $this->createMock(\Symfony\Component\Security\Core\User\UserInterface::class);
$initialPayload = ['username' => 'other@example.com'];
$event = new JWTCreatedEvent($initialPayload, $nonSecurityUser);
$this->enricher->onJWTCreated($event);
$payload = $event->getData();
// Payload should remain unchanged
self::assertSame(['username' => 'other@example.com'], $payload);
}
}

98
backend/tests/Unit/Administration/Infrastructure/Security/SecurityUserTest.php Normal file
View File

@@ -0,0 +1,98 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Infrastructure\Security;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Infrastructure\Security\SecurityUserFactory;
use App\Shared\Infrastructure\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\DataProvider;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class SecurityUserTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private SecurityUserFactory $factory;
protected function setUp(): void
{
$this->factory = new SecurityUserFactory();
}
#[Test]
public function factoryCreatesSecurityUserWithCorrectData(): void
{
$domainUser = $this->createActivatedUser(Role::PARENT);
$securityUser = $this->factory->fromDomainUser($domainUser);
self::assertSame((string) $domainUser->email, $securityUser->getUserIdentifier());
self::assertSame((string) $domainUser->id, $securityUser->userId());
self::assertSame((string) $domainUser->email, $securityUser->email());
self::assertSame($domainUser->hashedPassword, $securityUser->getPassword());
self::assertSame((string) $domainUser->tenantId, $securityUser->tenantId());
}
#[Test]
#[DataProvider('roleProvider')]
public function factoryMapsRolesToSymfonyRoles(Role $domainRole, string $expectedSymfonyRole): void
{
$domainUser = $this->createActivatedUser($domainRole);
$securityUser = $this->factory->fromDomainUser($domainUser);
self::assertContains($expectedSymfonyRole, $securityUser->getRoles());
}
/**
* @return iterable<string, array{Role, string}>
*/
public static function roleProvider(): iterable
{
yield 'Super Admin' => [Role::SUPER_ADMIN, 'ROLE_SUPER_ADMIN'];
yield 'Admin' => [Role::ADMIN, 'ROLE_ADMIN'];
yield 'Prof' => [Role::PROF, 'ROLE_PROF'];
yield 'Vie scolaire' => [Role::VIE_SCOLAIRE, 'ROLE_VIE_SCOLAIRE'];
yield 'Secrétariat' => [Role::SECRETARIAT, 'ROLE_SECRETARIAT'];
yield 'Parent' => [Role::PARENT, 'ROLE_PARENT'];
yield 'Elève' => [Role::ELEVE, 'ROLE_ELEVE'];
}
#[Test]
public function eraseCredentialsDoesNothing(): void
{
$domainUser = $this->createActivatedUser(Role::PARENT);
$securityUser = $this->factory->fromDomainUser($domainUser);
$passwordBefore = $securityUser->getPassword();
$securityUser->eraseCredentials();
// Les credentials sont immutables, donc rien ne change
self::assertSame($passwordBefore, $securityUser->getPassword());
}
private function createActivatedUser(Role $role): User
{
return User::reconstitute(
id: UserId::generate(),
email: new Email('user@example.com'),
role: $role,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Test',
statut: StatutCompte::ACTIF,
dateNaissance: null,
createdAt: new DateTimeImmutable('2026-01-15 10:00:00'),
hashedPassword: '$argon2id$v=19$m=65536,t=4,p=1$salt$hash',
activatedAt: new DateTimeImmutable('2026-01-15 12:00:00'),
consentementParental: null,
);
}
}

218
backend/tests/Unit/Shared/Infrastructure/Captcha/TurnstileValidatorTest.php Normal file
View File

@@ -0,0 +1,218 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Shared\Infrastructure\Captcha;
use App\Shared\Infrastructure\Captcha\TurnstileValidator;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
use Psr\Log\NullLogger;
use Symfony\Component\HttpClient\MockHttpClient;
use Symfony\Component\HttpClient\Response\MockResponse;
final class TurnstileValidatorTest extends TestCase
{
private const string SECRET_KEY = 'test-secret-key';
#[Test]
public function validTokenReturnsValid(): void
{
$httpClient = new MockHttpClient([
new MockResponse(json_encode([
'success' => true,
])),
]);
$validator = new TurnstileValidator($httpClient, new NullLogger(), self::SECRET_KEY);
$result = $validator->validate('valid-token', '192.168.1.1');
self::assertTrue($result->isValid);
self::assertNull($result->errorMessage);
}
#[Test]
public function invalidTokenReturnsInvalid(): void
{
$httpClient = new MockHttpClient([
new MockResponse(json_encode([
'success' => false,
'error-codes' => ['invalid-input-response'],
])),
]);
$validator = new TurnstileValidator($httpClient, new NullLogger(), self::SECRET_KEY);
$result = $validator->validate('invalid-token', '192.168.1.1');
self::assertFalse($result->isValid);
self::assertSame('Token invalide ou expiré', $result->errorMessage);
}
#[Test]
public function expiredTokenReturnsInvalid(): void
{
$httpClient = new MockHttpClient([
new MockResponse(json_encode([
'success' => false,
'error-codes' => ['timeout-or-duplicate'],
])),
]);
$validator = new TurnstileValidator($httpClient, new NullLogger(), self::SECRET_KEY);
$result = $validator->validate('expired-token', '192.168.1.1');
self::assertFalse($result->isValid);
self::assertSame('Token expiré ou déjà utilisé', $result->errorMessage);
}
#[Test]
public function emptyTokenReturnsInvalid(): void
{
$httpClient = new MockHttpClient(); // No request should be made
$validator = new TurnstileValidator($httpClient, new NullLogger(), self::SECRET_KEY);
$result = $validator->validate('', '192.168.1.1');
self::assertFalse($result->isValid);
self::assertSame('Token vide', $result->errorMessage);
}
#[Test]
public function apiErrorReturnsValidWhenFailOpenEnabled(): void
{
// Simulate API error with fail open
$httpClient = new MockHttpClient([
new MockResponse('', ['http_code' => 500]),
]);
$validator = new TurnstileValidator($httpClient, new NullLogger(), self::SECRET_KEY, failOpen: true);
$result = $validator->validate('some-token', '192.168.1.1');
// Fail open - allow through on API errors
self::assertTrue($result->isValid);
}
#[Test]
public function apiErrorReturnsInvalidWhenFailOpenDisabled(): void
{
// Simulate API error with fail closed (production default)
$httpClient = new MockHttpClient([
new MockResponse('', ['http_code' => 500]),
]);
$validator = new TurnstileValidator($httpClient, new NullLogger(), self::SECRET_KEY, failOpen: false);
$result = $validator->validate('some-token', '192.168.1.1');
// Fail closed - block on API errors
self::assertFalse($result->isValid);
self::assertSame('Service de vérification temporairement indisponible', $result->errorMessage);
}
#[Test]
public function networkErrorReturnsValidWhenFailOpenEnabled(): void
{
// Simulate network error with fail open
$httpClient = new MockHttpClient([
new MockResponse('', ['error' => 'Network error']),
]);
$validator = new TurnstileValidator($httpClient, new NullLogger(), self::SECRET_KEY, failOpen: true);
$result = $validator->validate('some-token', '192.168.1.1');
// Fail open - allow through on network errors
self::assertTrue($result->isValid);
}
#[Test]
public function networkErrorReturnsInvalidWhenFailOpenDisabled(): void
{
// Simulate network error with fail closed
$httpClient = new MockHttpClient([
new MockResponse('', ['error' => 'Network error']),
]);
$validator = new TurnstileValidator($httpClient, new NullLogger(), self::SECRET_KEY, failOpen: false);
$result = $validator->validate('some-token', '192.168.1.1');
// Fail closed - block on network errors
self::assertFalse($result->isValid);
}
#[Test]
public function invalidSecretKeyReturnsInvalid(): void
{
$httpClient = new MockHttpClient([
new MockResponse(json_encode([
'success' => false,
'error-codes' => ['invalid-input-secret'],
])),
]);
$validator = new TurnstileValidator($httpClient, new NullLogger(), self::SECRET_KEY);
$result = $validator->validate('token', '192.168.1.1');
self::assertFalse($result->isValid);
self::assertSame('Configuration serveur invalide', $result->errorMessage);
}
#[Test]
public function missingSecretKeyReturnsInvalid(): void
{
$httpClient = new MockHttpClient([
new MockResponse(json_encode([
'success' => false,
'error-codes' => ['missing-input-secret'],
])),
]);
$validator = new TurnstileValidator($httpClient, new NullLogger(), self::SECRET_KEY);
$result = $validator->validate('token', '192.168.1.1');
self::assertFalse($result->isValid);
self::assertSame('Configuration serveur invalide', $result->errorMessage);
}
#[Test]
public function unknownErrorCodeReturnsGenericMessage(): void
{
$httpClient = new MockHttpClient([
new MockResponse(json_encode([
'success' => false,
'error-codes' => ['unknown-error-code'],
])),
]);
$validator = new TurnstileValidator($httpClient, new NullLogger(), self::SECRET_KEY);
$result = $validator->validate('token', '192.168.1.1');
self::assertFalse($result->isValid);
self::assertSame('Vérification échouée', $result->errorMessage);
}
#[Test]
public function validationWithoutIpWorks(): void
{
$httpClient = new MockHttpClient([
new MockResponse(json_encode([
'success' => true,
])),
]);
$validator = new TurnstileValidator($httpClient, new NullLogger(), self::SECRET_KEY);
$result = $validator->validate('valid-token');
self::assertTrue($result->isValid);
}
}

432
backend/tests/Unit/Shared/Infrastructure/RateLimit/LoginRateLimitListenerTest.php Normal file
View File

@@ -0,0 +1,432 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Shared\Infrastructure\RateLimit;
use App\Shared\Infrastructure\Captcha\TurnstileResult;
use App\Shared\Infrastructure\Captcha\TurnstileValidatorInterface;
use App\Shared\Infrastructure\RateLimit\LoginRateLimiterInterface;
use App\Shared\Infrastructure\RateLimit\LoginRateLimitListener;
use App\Shared\Infrastructure\RateLimit\LoginRateLimitResult;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
use Psr\Cache\CacheItemInterface;
use Psr\Cache\CacheItemPoolInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
final class LoginRateLimitListenerTest extends TestCase
{
private function createListener(
?LoginRateLimiterInterface $rateLimiter = null,
?TurnstileValidatorInterface $turnstile = null,
?CacheItemPoolInterface $cache = null,
): LoginRateLimitListener {
return new LoginRateLimitListener(
$rateLimiter ?? $this->createMock(LoginRateLimiterInterface::class),
$turnstile ?? $this->createMock(TurnstileValidatorInterface::class),
$cache ?? $this->createCacheMock(),
);
}
private function createCacheMock(int $captchaFailures = 0): CacheItemPoolInterface
{
$cacheItem = $this->createMock(CacheItemInterface::class);
$cacheItem->method('isHit')->willReturn($captchaFailures > 0);
$cacheItem->method('get')->willReturn($captchaFailures);
$cacheItem->method('set')->willReturnSelf();
$cacheItem->method('expiresAfter')->willReturnSelf();
$cache = $this->createMock(CacheItemPoolInterface::class);
$cache->method('getItem')->willReturn($cacheItem);
$cache->method('save')->willReturn(true);
$cache->method('deleteItem')->willReturn(true);
return $cache;
}
#[Test]
public function blockedIpReturns429BeforeAuthentication(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->method('check')
->willReturn(LoginRateLimitResult::blocked(retryAfter: 600));
$listener = $this->createListener(rateLimiter: $rateLimiter);
$request = Request::create(
'/api/login',
'POST',
[],
[],
[],
['CONTENT_TYPE' => 'application/json'],
json_encode(['email' => 'blocked@example.com', 'password' => 'correct'])
);
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$listener($event);
self::assertTrue($event->hasResponse());
self::assertSame(Response::HTTP_TOO_MANY_REQUESTS, $event->getResponse()->getStatusCode());
$content = json_decode($event->getResponse()->getContent(), true);
self::assertSame('/errors/ip-blocked', $content['type']);
self::assertSame(600, $content['retryAfter']);
}
#[Test]
public function allowedEmailProceedsToAuthentication(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->method('check')
->willReturn(LoginRateLimitResult::allowed(
attempts: 2,
delaySeconds: 1,
requiresCaptcha: false,
));
$listener = $this->createListener(rateLimiter: $rateLimiter);
$request = Request::create(
'/api/login',
'POST',
[],
[],
[],
['CONTENT_TYPE' => 'application/json'],
json_encode(['email' => 'user@example.com', 'password' => 'password'])
);
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$listener($event);
// No response set = request continues to authentication
self::assertFalse($event->hasResponse());
}
#[Test]
public function captchaRequiredWithoutTokenReturns428(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->method('check')
->willReturn(LoginRateLimitResult::allowed(
attempts: 6,
delaySeconds: 8,
requiresCaptcha: true,
));
$listener = $this->createListener(rateLimiter: $rateLimiter);
$request = Request::create(
'/api/login',
'POST',
[],
[],
[],
['CONTENT_TYPE' => 'application/json'],
json_encode(['email' => 'user@example.com', 'password' => 'password'])
// No captcha_token
);
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$listener($event);
self::assertTrue($event->hasResponse());
self::assertSame(Response::HTTP_PRECONDITION_REQUIRED, $event->getResponse()->getStatusCode());
$content = json_decode($event->getResponse()->getContent(), true);
self::assertSame('/errors/captcha-required', $content['type']);
}
#[Test]
public function captchaRequiredWithValidTokenProceeds(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->method('check')
->willReturn(LoginRateLimitResult::allowed(
attempts: 6,
delaySeconds: 8,
requiresCaptcha: true,
));
$turnstile = $this->createMock(TurnstileValidatorInterface::class);
$turnstile->method('validate')
->willReturn(TurnstileResult::valid());
$listener = $this->createListener(rateLimiter: $rateLimiter, turnstile: $turnstile);
$request = Request::create(
'/api/login',
'POST',
[],
[],
[],
['CONTENT_TYPE' => 'application/json'],
json_encode([
'email' => 'user@example.com',
'password' => 'password',
'captcha_token' => 'valid-token',
])
);
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$listener($event);
// Should proceed to authentication
self::assertFalse($event->hasResponse());
}
#[Test]
public function captchaRequiredWithInvalidTokenReturns400(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->method('check')
->willReturn(LoginRateLimitResult::allowed(
attempts: 6,
delaySeconds: 8,
requiresCaptcha: true,
));
$turnstile = $this->createMock(TurnstileValidatorInterface::class);
$turnstile->method('validate')
->willReturn(TurnstileResult::invalid('Token invalide'));
$listener = $this->createListener(rateLimiter: $rateLimiter, turnstile: $turnstile);
$request = Request::create(
'/api/login',
'POST',
[],
[],
[],
['CONTENT_TYPE' => 'application/json'],
json_encode([
'email' => 'user@example.com',
'password' => 'password',
'captcha_token' => 'invalid-token',
])
);
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$listener($event);
self::assertTrue($event->hasResponse());
self::assertSame(Response::HTTP_BAD_REQUEST, $event->getResponse()->getStatusCode());
$content = json_decode($event->getResponse()->getContent(), true);
self::assertSame('/errors/captcha-invalid', $content['type']);
self::assertSame('Token invalide', $content['detail']);
}
#[Test]
public function captchaFailuresPersistAcrossRequests(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->method('check')
->willReturn(LoginRateLimitResult::allowed(
attempts: 6,
delaySeconds: 8,
requiresCaptcha: true,
));
$turnstile = $this->createMock(TurnstileValidatorInterface::class);
$turnstile->method('validate')
->willReturn(TurnstileResult::invalid('Token invalide'));
// Simulate 2 previous failures (next failure = 3 = blocked)
$cache = $this->createCacheMock(captchaFailures: 2);
$listener = $this->createListener(rateLimiter: $rateLimiter, turnstile: $turnstile, cache: $cache);
$request = Request::create(
'/api/login',
'POST',
[],
[],
[],
['CONTENT_TYPE' => 'application/json'],
json_encode([
'email' => 'user@example.com',
'password' => 'password',
'captcha_token' => 'invalid-token',
])
);
$request->server->set('REMOTE_ADDR', '192.168.1.100');
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$listener($event);
// 3rd CAPTCHA failure should block the IP
self::assertTrue($event->hasResponse());
self::assertSame(Response::HTTP_TOO_MANY_REQUESTS, $event->getResponse()->getStatusCode());
$content = json_decode($event->getResponse()->getContent(), true);
self::assertSame('/errors/ip-blocked', $content['type']);
}
#[Test]
public function cacheIsSavedOnCaptchaFailure(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->method('check')
->willReturn(LoginRateLimitResult::allowed(
attempts: 6,
delaySeconds: 8,
requiresCaptcha: true,
));
$turnstile = $this->createMock(TurnstileValidatorInterface::class);
$turnstile->method('validate')
->willReturn(TurnstileResult::invalid('Token invalide'));
$cacheItem = $this->createMock(CacheItemInterface::class);
$cacheItem->method('isHit')->willReturn(false);
$cacheItem->method('get')->willReturn(0);
$cacheItem->expects(self::once())->method('set')->with(1)->willReturnSelf();
$cacheItem->expects(self::once())->method('expiresAfter')->with(900)->willReturnSelf();
$cache = $this->createMock(CacheItemPoolInterface::class);
$cache->method('getItem')->willReturn($cacheItem);
$cache->expects(self::once())->method('save')->with($cacheItem)->willReturn(true);
$listener = $this->createListener(rateLimiter: $rateLimiter, turnstile: $turnstile, cache: $cache);
$request = Request::create(
'/api/login',
'POST',
[],
[],
[],
['CONTENT_TYPE' => 'application/json'],
json_encode([
'email' => 'user@example.com',
'password' => 'password',
'captcha_token' => 'invalid-token',
])
);
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$listener($event);
}
#[Test]
public function cacheIsDeletedOnValidCaptcha(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->method('check')
->willReturn(LoginRateLimitResult::allowed(
attempts: 6,
delaySeconds: 8,
requiresCaptcha: true,
));
$turnstile = $this->createMock(TurnstileValidatorInterface::class);
$turnstile->method('validate')
->willReturn(TurnstileResult::valid());
$cache = $this->createMock(CacheItemPoolInterface::class);
$cache->expects(self::once())->method('deleteItem');
$listener = $this->createListener(rateLimiter: $rateLimiter, turnstile: $turnstile, cache: $cache);
$request = Request::create(
'/api/login',
'POST',
[],
[],
[],
['CONTENT_TYPE' => 'application/json'],
json_encode([
'email' => 'user@example.com',
'password' => 'password',
'captcha_token' => 'valid-token',
])
);
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$listener($event);
}
#[Test]
public function ignoresNonLoginRequests(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->expects(self::never())->method('check');
$listener = $this->createListener(rateLimiter: $rateLimiter);
$request = Request::create('/api/users', 'GET');
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$listener($event);
self::assertFalse($event->hasResponse());
}
#[Test]
public function ignoresLoginGetRequests(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->expects(self::never())->method('check');
$listener = $this->createListener(rateLimiter: $rateLimiter);
$request = Request::create('/api/login', 'GET');
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$listener($event);
self::assertFalse($event->hasResponse());
}
#[Test]
public function proceedsIfEmailMissingFromRequest(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->expects(self::never())->method('check');
$listener = $this->createListener(rateLimiter: $rateLimiter);
$request = Request::create(
'/api/login',
'POST',
[],
[],
[],
['CONTENT_TYPE' => 'application/json'],
json_encode(['password' => 'password']) // No email
);
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$listener($event);
// Let the validator handle missing email
self::assertFalse($event->hasResponse());
}
}

143
backend/tests/Unit/Shared/Infrastructure/RateLimit/LoginRateLimitResultTest.php Normal file
View File

@@ -0,0 +1,143 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Shared\Infrastructure\RateLimit;
use App\Shared\Infrastructure\RateLimit\LoginRateLimitResult;
use PHPUnit\Framework\Attributes\DataProvider;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class LoginRateLimitResultTest extends TestCase
{
#[Test]
#[DataProvider('fibonacciDelayProvider')]
public function fibonacciDelayCalculatesCorrectly(int $attempts, int $expectedDelay): void
{
self::assertSame($expectedDelay, LoginRateLimitResult::fibonacciDelay($attempts));
}
/**
* @return iterable<string, array{int, int}>
*/
public static function fibonacciDelayProvider(): iterable
{
yield '0 attempts = no delay' => [0, 0];
yield '1 attempt = no delay' => [1, 0];
yield '2 attempts = 1s' => [2, 1];
yield '3 attempts = 1s' => [3, 1];
yield '4 attempts = 2s' => [4, 2];
yield '5 attempts = 3s' => [5, 3];
yield '6 attempts = 5s' => [6, 5];
yield '7 attempts = 8s' => [7, 8];
yield '8 attempts = 13s' => [8, 13];
yield '9 attempts = 21s' => [9, 21];
yield '10 attempts = 34s' => [10, 34];
yield '11 attempts = 55s' => [11, 55];
yield '12 attempts = 89s (max)' => [12, 89];
yield '20 attempts = 89s (capped)' => [20, 89];
yield '100 attempts = 89s (capped)' => [100, 89];
}
#[Test]
public function allowedResultHasCorrectProperties(): void
{
$result = LoginRateLimitResult::allowed(
attempts: 3,
delaySeconds: 1,
requiresCaptcha: false,
);
self::assertTrue($result->isAllowed);
self::assertSame(3, $result->attempts);
self::assertSame(1, $result->delaySeconds);
self::assertFalse($result->requiresCaptcha);
self::assertFalse($result->ipBlocked);
self::assertSame(1, $result->retryAfter);
}
#[Test]
public function allowedWithZeroDelayHasNullRetryAfter(): void
{
$result = LoginRateLimitResult::allowed(
attempts: 1,
delaySeconds: 0,
requiresCaptcha: false,
);
self::assertNull($result->retryAfter);
}
#[Test]
public function blockedResultHasCorrectProperties(): void
{
$result = LoginRateLimitResult::blocked(retryAfter: 900);
self::assertFalse($result->isAllowed);
self::assertSame(0, $result->attempts);
self::assertSame(900, $result->delaySeconds);
self::assertFalse($result->requiresCaptcha);
self::assertTrue($result->ipBlocked);
self::assertSame(900, $result->retryAfter);
}
#[Test]
public function toHeadersIncludesAllRelevantHeaders(): void
{
$result = LoginRateLimitResult::allowed(
attempts: 6,
delaySeconds: 5,
requiresCaptcha: true,
);
$headers = $result->toHeaders();
self::assertSame('6', $headers['X-Login-Attempts']);
self::assertSame('5', $headers['X-Login-Delay']);
self::assertSame('5', $headers['Retry-After']);
self::assertSame('true', $headers['X-Captcha-Required']);
self::assertArrayNotHasKey('X-IP-Blocked', $headers);
}
#[Test]
public function toHeadersForBlockedIp(): void
{
$result = LoginRateLimitResult::blocked(retryAfter: 600);
$headers = $result->toHeaders();
self::assertSame('true', $headers['X-IP-Blocked']);
self::assertSame('600', $headers['Retry-After']);
}
#[Test]
public function getFormattedDelayFormatsSeconds(): void
{
$result = LoginRateLimitResult::allowed(attempts: 2, delaySeconds: 1, requiresCaptcha: false);
self::assertSame('1 seconde', $result->getFormattedDelay());
$result = LoginRateLimitResult::allowed(attempts: 6, delaySeconds: 5, requiresCaptcha: false);
self::assertSame('5 secondes', $result->getFormattedDelay());
$result = LoginRateLimitResult::allowed(attempts: 8, delaySeconds: 13, requiresCaptcha: false);
self::assertSame('13 secondes', $result->getFormattedDelay());
}
#[Test]
public function getFormattedDelayFormatsMinutes(): void
{
$result = LoginRateLimitResult::blocked(retryAfter: 60);
self::assertSame('1 minute', $result->getFormattedDelay());
$result = LoginRateLimitResult::blocked(retryAfter: 900);
self::assertSame('15 minutes', $result->getFormattedDelay());
}
#[Test]
public function getFormattedDelayReturnsEmptyForZero(): void
{
$result = LoginRateLimitResult::allowed(attempts: 1, delaySeconds: 0, requiresCaptcha: false);
self::assertSame('', $result->getFormattedDelay());
}
}

195
backend/tests/Unit/Shared/Infrastructure/RateLimit/LoginRateLimiterTest.php Normal file
View File

@@ -0,0 +1,195 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Shared\Infrastructure\RateLimit;
use App\Shared\Infrastructure\RateLimit\LoginRateLimiter;
use App\Shared\Infrastructure\RateLimit\LoginRateLimiterInterface;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
use Symfony\Component\Cache\Adapter\ArrayAdapter;
use Symfony\Component\HttpFoundation\Request;
final class LoginRateLimiterTest extends TestCase
{
private ArrayAdapter $cache;
private LoginRateLimiter $rateLimiter;
protected function setUp(): void
{
$this->cache = new ArrayAdapter();
$this->rateLimiter = new LoginRateLimiter($this->cache);
}
#[Test]
public function checkReturnsAllowedForFirstAttempt(): void
{
$request = $this->createRequest('192.168.1.1');
$result = $this->rateLimiter->check($request, 'test@example.com');
self::assertTrue($result->isAllowed);
self::assertFalse($result->ipBlocked);
self::assertSame(0, $result->attempts);
self::assertSame(0, $result->delaySeconds);
self::assertFalse($result->requiresCaptcha);
}
#[Test]
public function recordFailureIncrementsAttemptsAndCalculatesFibonacciDelay(): void
{
$request = $this->createRequest('192.168.1.1');
$email = 'test@example.com';
// First failure - no delay (1 attempt = 0s)
$result = $this->rateLimiter->recordFailure($request, $email);
self::assertSame(1, $result->attempts);
self::assertSame(0, $result->delaySeconds);
// Second failure - delay 1s (F0)
$result = $this->rateLimiter->recordFailure($request, $email);
self::assertSame(2, $result->attempts);
self::assertSame(1, $result->delaySeconds);
// Third failure - delay 1s (F1)
$result = $this->rateLimiter->recordFailure($request, $email);
self::assertSame(3, $result->attempts);
self::assertSame(1, $result->delaySeconds);
// Fourth failure - delay 2s (F2)
$result = $this->rateLimiter->recordFailure($request, $email);
self::assertSame(4, $result->attempts);
self::assertSame(2, $result->delaySeconds);
// Fifth failure - delay 3s (F3), CAPTCHA required
$result = $this->rateLimiter->recordFailure($request, $email);
self::assertSame(5, $result->attempts);
self::assertSame(3, $result->delaySeconds);
self::assertTrue($result->requiresCaptcha);
}
#[Test]
public function checkReturnsCorrectStateAfterFailures(): void
{
$request = $this->createRequest('192.168.1.1');
$email = 'test@example.com';
// Record 5 failures
for ($i = 0; $i < 5; ++$i) {
$this->rateLimiter->recordFailure($request, $email);
}
// Check should return the current state
$result = $this->rateLimiter->check($request, $email);
self::assertSame(5, $result->attempts);
self::assertTrue($result->requiresCaptcha);
}
#[Test]
public function blockIpPreventsSubsequentAttempts(): void
{
$ip = '192.168.1.1';
$request = $this->createRequest($ip);
$this->rateLimiter->blockIp($ip);
$result = $this->rateLimiter->check($request, 'any@email.com');
self::assertTrue($result->ipBlocked);
self::assertFalse($result->isAllowed);
self::assertGreaterThan(0, $result->retryAfter);
}
#[Test]
public function recordFailureBlocksIpAfter20Attempts(): void
{
$request = $this->createRequest('192.168.1.1');
$email = 'attacker@example.com';
// Record 19 failures - should not be blocked
for ($i = 0; $i < 19; ++$i) {
$result = $this->rateLimiter->recordFailure($request, $email);
self::assertFalse($result->ipBlocked);
}
// 20th failure - should be blocked
$result = $this->rateLimiter->recordFailure($request, $email);
self::assertTrue($result->ipBlocked);
self::assertSame(LoginRateLimiterInterface::IP_BLOCK_DURATION, $result->retryAfter);
}
#[Test]
public function resetClearsAttemptsForEmail(): void
{
$request = $this->createRequest('192.168.1.1');
$email = 'test@example.com';
// Record some failures
$this->rateLimiter->recordFailure($request, $email);
$this->rateLimiter->recordFailure($request, $email);
// Reset
$this->rateLimiter->reset($email);
// Check should show 0 attempts
$result = $this->rateLimiter->check($request, $email);
self::assertSame(0, $result->attempts);
}
#[Test]
public function isIpBlockedReturnsFalseForUnblockedIp(): void
{
self::assertFalse($this->rateLimiter->isIpBlocked('192.168.1.1'));
}
#[Test]
public function isIpBlockedReturnsTrueForBlockedIp(): void
{
$ip = '192.168.1.1';
$this->rateLimiter->blockIp($ip);
self::assertTrue($this->rateLimiter->isIpBlocked($ip));
}
#[Test]
public function differentEmailsHaveSeparateAttemptCounters(): void
{
$request = $this->createRequest('192.168.1.1');
// Record failures for email1
$this->rateLimiter->recordFailure($request, 'email1@test.com');
$this->rateLimiter->recordFailure($request, 'email1@test.com');
// Record failure for email2
$this->rateLimiter->recordFailure($request, 'email2@test.com');
// Check each email
$result1 = $this->rateLimiter->check($request, 'email1@test.com');
$result2 = $this->rateLimiter->check($request, 'email2@test.com');
self::assertSame(2, $result1->attempts);
self::assertSame(1, $result2->attempts);
}
#[Test]
public function emailNormalizationIsCaseInsensitive(): void
{
$request = $this->createRequest('192.168.1.1');
$this->rateLimiter->recordFailure($request, 'Test@Example.COM');
$this->rateLimiter->recordFailure($request, 'test@example.com');
$result = $this->rateLimiter->check($request, 'TEST@EXAMPLE.COM');
self::assertSame(2, $result->attempts);
}
private function createRequest(string $clientIp): Request
{
$request = Request::create('/api/login', 'POST');
$request->server->set('REMOTE_ADDR', $clientIp);
return $request;
}
}