feat: Connexion utilisateur avec sécurité renforcée
Implémente la Story 1.4 du système d'authentification avec plusieurs couches de protection contre les attaques par force brute. Sécurité backend : - Authentification JWT avec access token (15min) + refresh token (7j) - Rotation automatique des refresh tokens avec détection de replay - Rate limiting progressif par IP (délai Fibonacci après échecs) - Intégration Cloudflare Turnstile CAPTCHA après 5 tentatives - Alerte email à l'utilisateur après blocage temporaire - Isolation multi-tenant (un utilisateur ne peut se connecter que sur son établissement) Frontend : - Page de connexion avec feedback visuel des délais et erreurs - Composant TurnstileCaptcha réutilisable - Gestion d'état auth avec stockage sécurisé des tokens - Tests E2E Playwright pour login, tenant isolation, et activation Infrastructure : - Configuration Symfony Security avec json_login + jwt - Cache pools séparés (filesystem en test, Redis en prod) - NullLoginRateLimiter pour environnement de test (évite blocage CI) - Génération des clés JWT en CI après démarrage du backend
This commit is contained in:
@@ -14,6 +14,16 @@ framework:
|
||||
adapter: cache.adapter.filesystem
|
||||
default_lifetime: 0 # Pas d'expiration
|
||||
|
||||
# Pool dédié aux refresh tokens (7 jours TTL max)
|
||||
refresh_tokens.cache:
|
||||
adapter: cache.adapter.filesystem
|
||||
default_lifetime: 604800 # 7 jours
|
||||
|
||||
# Pool dédié au rate limiting (15 min TTL)
|
||||
cache.rate_limiter:
|
||||
adapter: cache.adapter.filesystem
|
||||
default_lifetime: 900 # 15 minutes
|
||||
|
||||
when@prod:
|
||||
framework:
|
||||
cache:
|
||||
@@ -30,3 +40,11 @@ when@prod:
|
||||
adapter: cache.adapter.redis
|
||||
provider: '%env(REDIS_URL)%'
|
||||
default_lifetime: 0 # Pas d'expiration
|
||||
refresh_tokens.cache:
|
||||
adapter: cache.adapter.redis
|
||||
provider: '%env(REDIS_URL)%'
|
||||
default_lifetime: 604800 # 7 jours
|
||||
cache.rate_limiter:
|
||||
adapter: cache.adapter.redis
|
||||
provider: '%env(REDIS_URL)%'
|
||||
default_lifetime: 900 # 15 minutes
|
||||
|
||||
@@ -2,7 +2,9 @@ lexik_jwt_authentication:
|
||||
secret_key: '%env(resolve:JWT_SECRET_KEY)%'
|
||||
public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
|
||||
pass_phrase: '%env(JWT_PASSPHRASE)%'
|
||||
token_ttl: 3600
|
||||
token_ttl: 1800 # 30 minutes (Story 1.4 requirement)
|
||||
# Use 'username' claim for user identification (email, set by Lexik from getUserIdentifier())
|
||||
# This allows loadUserByIdentifier() to receive the email correctly
|
||||
user_id_claim: username
|
||||
clock_skew: 0
|
||||
|
||||
|
||||
@@ -55,3 +55,9 @@ when@prod:
|
||||
channels: [deprecation]
|
||||
path: php://stderr
|
||||
formatter: monolog.formatter.json
|
||||
audit:
|
||||
type: stream
|
||||
channels: [audit]
|
||||
path: "%kernel.logs_dir%/audit.log"
|
||||
level: info
|
||||
formatter: monolog.formatter.json
|
||||
|
||||
@@ -2,9 +2,10 @@ nelmio_cors:
|
||||
defaults:
|
||||
origin_regex: true
|
||||
allow_origin: ['%env(CORS_ALLOW_ORIGIN)%']
|
||||
allow_credentials: true
|
||||
allow_methods: ['GET', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE']
|
||||
allow_headers: ['Content-Type', 'Authorization']
|
||||
expose_headers: ['Link']
|
||||
expose_headers: ['Link', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-RateLimit-Reset']
|
||||
max_age: 3600
|
||||
paths:
|
||||
'^/': null
|
||||
|
||||
18
backend/config/packages/rate_limiter.yaml
Normal file
18
backend/config/packages/rate_limiter.yaml
Normal file
@@ -0,0 +1,18 @@
|
||||
# Rate Limiter Configuration
|
||||
# Story 1.4 - AC3: Lockout après 5 échecs répétés
|
||||
|
||||
framework:
|
||||
rate_limiter:
|
||||
# Limite les tentatives de login par email
|
||||
login_attempts:
|
||||
policy: fixed_window
|
||||
limit: 5
|
||||
interval: '15 minutes'
|
||||
cache_pool: cache.rate_limiter
|
||||
|
||||
# Limite les tentatives de login par IP (protection contre brute force distribué)
|
||||
login_by_ip:
|
||||
policy: sliding_window
|
||||
limit: 20
|
||||
interval: '15 minutes'
|
||||
cache_pool: cache.rate_limiter
|
||||
@@ -8,28 +8,36 @@ security:
|
||||
|
||||
# https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
|
||||
providers:
|
||||
# used to reload user from session & other features (e.g. switch_user)
|
||||
# Configure user provider when User entity is created
|
||||
users_in_memory:
|
||||
memory:
|
||||
users:
|
||||
admin: { password: 'admin', roles: ['ROLE_ADMIN'] }
|
||||
# User provider for API authentication (Story 1.4)
|
||||
app_user_provider:
|
||||
id: App\Administration\Infrastructure\Security\DatabaseUserProvider
|
||||
|
||||
firewalls:
|
||||
dev:
|
||||
pattern: ^/(_(profiler|wdt)|css|images|js)/
|
||||
security: false
|
||||
api_login:
|
||||
pattern: ^/api/login$
|
||||
stateless: true
|
||||
json_login:
|
||||
check_path: /api/login
|
||||
username_path: email
|
||||
password_path: password
|
||||
success_handler: lexik_jwt_authentication.handler.authentication_success
|
||||
failure_handler: App\Administration\Infrastructure\Security\LoginFailureHandler
|
||||
provider: app_user_provider
|
||||
api_public:
|
||||
pattern: ^/api/(activation-tokens|activate|login|docs)(/|$)
|
||||
pattern: ^/api/(activation-tokens|activate|token/(refresh|logout)|docs)(/|$)
|
||||
stateless: true
|
||||
security: false
|
||||
api:
|
||||
pattern: ^/api
|
||||
stateless: true
|
||||
jwt: ~
|
||||
provider: app_user_provider
|
||||
main:
|
||||
lazy: true
|
||||
provider: users_in_memory
|
||||
provider: app_user_provider
|
||||
|
||||
# Easy way to control access for large sections of your site
|
||||
# Note: Only the *first* access control that matches will be used
|
||||
@@ -38,6 +46,8 @@ security:
|
||||
- { path: ^/api/login, roles: PUBLIC_ACCESS }
|
||||
- { path: ^/api/activation-tokens, roles: PUBLIC_ACCESS }
|
||||
- { path: ^/api/activate, roles: PUBLIC_ACCESS }
|
||||
- { path: ^/api/token/refresh, roles: PUBLIC_ACCESS }
|
||||
- { path: ^/api/token/logout, roles: PUBLIC_ACCESS }
|
||||
- { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
|
||||
|
||||
when@test:
|
||||
|
||||
@@ -1,3 +1,8 @@
|
||||
_security_logout:
|
||||
resource: security.route_loader.logout
|
||||
type: service
|
||||
|
||||
# Login route - handled by json_login authenticator
|
||||
api_login:
|
||||
path: /api/login
|
||||
methods: [POST]
|
||||
|
||||
@@ -17,6 +17,8 @@ services:
|
||||
Psr\Cache\CacheItemPoolInterface $activationTokensCache: '@activation_tokens.cache'
|
||||
# Bind users cache pool (no TTL - persistent data)
|
||||
Psr\Cache\CacheItemPoolInterface $usersCache: '@users.cache'
|
||||
# Bind refresh tokens cache pool (7-day TTL)
|
||||
Psr\Cache\CacheItemPoolInterface $refreshTokensCache: '@refresh_tokens.cache'
|
||||
# Bind named message buses
|
||||
Symfony\Component\Messenger\MessageBusInterface $eventBus: '@event.bus'
|
||||
Symfony\Component\Messenger\MessageBusInterface $commandBus: '@command.bus'
|
||||
@@ -76,3 +78,66 @@ services:
|
||||
App\Administration\Infrastructure\Messaging\SendActivationConfirmationHandler:
|
||||
arguments:
|
||||
$appUrl: '%app.url%'
|
||||
|
||||
# Audit log handler (uses dedicated audit channel)
|
||||
App\Administration\Infrastructure\Messaging\AuditLoginEventsHandler:
|
||||
arguments:
|
||||
$auditLogger: '@monolog.logger.audit'
|
||||
$appSecret: '%env(APP_SECRET)%'
|
||||
|
||||
# JWT Authentication
|
||||
App\Administration\Infrastructure\Security\JwtPayloadEnricher:
|
||||
tags:
|
||||
- { name: kernel.event_listener, event: lexik_jwt_authentication.on_jwt_created, method: onJWTCreated }
|
||||
|
||||
App\Administration\Infrastructure\Security\DatabaseUserProvider:
|
||||
arguments:
|
||||
$userRepository: '@App\Administration\Domain\Repository\UserRepository'
|
||||
|
||||
# Refresh Token Repository
|
||||
App\Administration\Domain\Repository\RefreshTokenRepository:
|
||||
alias: App\Administration\Infrastructure\Persistence\Redis\RedisRefreshTokenRepository
|
||||
|
||||
# Login handlers
|
||||
App\Administration\Infrastructure\Security\LoginSuccessHandler:
|
||||
tags:
|
||||
- { name: kernel.event_listener, event: lexik_jwt_authentication.on_authentication_success, method: onAuthenticationSuccess }
|
||||
|
||||
App\Administration\Infrastructure\Security\LoginFailureHandler:
|
||||
tags:
|
||||
- { name: security.authentication_failure_handler, firewall: api_login }
|
||||
|
||||
# Rate Limiter (délai Fibonacci + CAPTCHA + blocage IP)
|
||||
App\Shared\Infrastructure\RateLimit\LoginRateLimiter:
|
||||
arguments:
|
||||
$cache: '@cache.rate_limiter'
|
||||
|
||||
App\Shared\Infrastructure\RateLimit\LoginRateLimiterInterface:
|
||||
alias: App\Shared\Infrastructure\RateLimit\LoginRateLimiter
|
||||
|
||||
# Rate Limit Listener (vérifie le rate limit AVANT authentification)
|
||||
App\Shared\Infrastructure\RateLimit\LoginRateLimitListener:
|
||||
arguments:
|
||||
$rateLimiterCache: '@cache.rate_limiter'
|
||||
|
||||
# Turnstile CAPTCHA Validator
|
||||
# failOpen: true en dev (ne pas bloquer si API down), false en prod (sécurité)
|
||||
App\Shared\Infrastructure\Captcha\TurnstileValidator:
|
||||
arguments:
|
||||
$secretKey: '%env(TURNSTILE_SECRET_KEY)%'
|
||||
$failOpen: '%env(bool:default::TURNSTILE_FAIL_OPEN)%'
|
||||
|
||||
App\Shared\Infrastructure\Captcha\TurnstileValidatorInterface:
|
||||
alias: App\Shared\Infrastructure\Captcha\TurnstileValidator
|
||||
|
||||
# =============================================================================
|
||||
# Test environment overrides
|
||||
# =============================================================================
|
||||
when@test:
|
||||
services:
|
||||
# Use null rate limiter in test environment to avoid IP blocking during E2E tests
|
||||
App\Shared\Infrastructure\RateLimit\LoginRateLimiterInterface:
|
||||
alias: App\Shared\Infrastructure\RateLimit\NullLoginRateLimiter
|
||||
|
||||
App\Shared\Infrastructure\RateLimit\NullLoginRateLimiter:
|
||||
autowire: true
|
||||
|
||||
Reference in New Issue
Block a user