r-dev
b342d0e50a
- Remove orphaned PUBLIC_ACCESS rule for deleted /api/test route - Remove JWT login firewall (app is session-based only) - Set APP_SECRET placeholder (real value must be in .env.local) - Remove JWT env vars from .env - Add session regeneration on login (prevent session fixation) - Remove Document.path from API serialization groups (prevent path leak) - Restrict health check details to ROLE_ADMIN (anonymes get status only) - Add path traversal guard in DocumentStorageService - Convert CreateProfileCommand password to interactive hidden prompt - Restrict Profile Get endpoint to ROLE_ADMIN - Change api firewall to stateless: false (matches session-based auth) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
260 lines
6.6 KiB
PHP
260 lines
6.6 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Entity;
|
|
|
|
use ApiPlatform\Metadata\ApiResource;
|
|
use ApiPlatform\Metadata\Delete;
|
|
use ApiPlatform\Metadata\Get;
|
|
use ApiPlatform\Metadata\GetCollection;
|
|
use ApiPlatform\Metadata\Patch;
|
|
use ApiPlatform\Metadata\Post;
|
|
use ApiPlatform\Metadata\Put;
|
|
use App\Repository\ProfileRepository;
|
|
use App\State\ProfilePasswordHasher;
|
|
use DateTimeImmutable;
|
|
use Doctrine\ORM\Mapping as ORM;
|
|
use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
|
|
use Symfony\Component\Security\Core\User\UserInterface;
|
|
use Symfony\Component\Serializer\Attribute\Groups;
|
|
use Symfony\Component\Validator\Constraints as Assert;
|
|
|
|
#[ORM\Entity(repositoryClass: ProfileRepository::class)]
|
|
#[ORM\Table(name: 'profiles')]
|
|
#[ORM\UniqueConstraint(name: 'UNIQ_email', columns: ['email'])]
|
|
#[ORM\HasLifecycleCallbacks]
|
|
#[ApiResource(
|
|
description: 'Profils utilisateurs. Chaque profil possède un rôle (Admin, Gestionnaire, Viewer, User), un email unique et un mot de passe. Gère l\'authentification par session.',
|
|
operations: [
|
|
new Get(security: "is_granted('ROLE_ADMIN')"),
|
|
new GetCollection(security: "is_granted('ROLE_ADMIN')"),
|
|
new Post(
|
|
security: "is_granted('ROLE_ADMIN')",
|
|
denormalizationContext: ['groups' => ['profile:write', 'profile:admin:write']],
|
|
processor: ProfilePasswordHasher::class,
|
|
),
|
|
new Put(
|
|
security: "is_granted('ROLE_ADMIN')",
|
|
denormalizationContext: ['groups' => ['profile:write', 'profile:admin:write']],
|
|
processor: ProfilePasswordHasher::class,
|
|
),
|
|
new Patch(
|
|
security: "is_granted('ROLE_ADMIN')",
|
|
denormalizationContext: ['groups' => ['profile:write', 'profile:admin:write']],
|
|
processor: ProfilePasswordHasher::class,
|
|
),
|
|
new Delete(security: "is_granted('ROLE_ADMIN')"),
|
|
],
|
|
normalizationContext: ['groups' => ['profile:read']],
|
|
denormalizationContext: ['groups' => ['profile:write']]
|
|
)]
|
|
class Profile implements UserInterface, PasswordAuthenticatedUserInterface
|
|
{
|
|
#[ORM\Id]
|
|
#[ORM\Column(type: 'string', length: 36)]
|
|
#[Groups(['profile:read'])]
|
|
private ?string $id = null;
|
|
|
|
#[ORM\Column(type: 'string', length: 180, unique: true, nullable: true)]
|
|
#[Assert\Email]
|
|
#[Groups(['profile:read', 'profile:write'])]
|
|
private ?string $email = null;
|
|
|
|
#[ORM\Column(type: 'string', length: 100, name: 'firstname')]
|
|
#[Assert\NotBlank]
|
|
#[Groups(['profile:read', 'profile:write'])]
|
|
private string $firstName;
|
|
|
|
#[ORM\Column(type: 'string', length: 100, name: 'lastname')]
|
|
#[Assert\NotBlank]
|
|
#[Groups(['profile:read', 'profile:write'])]
|
|
private string $lastName;
|
|
|
|
#[ORM\Column(type: 'boolean', options: ['default' => true], name: 'isactive')]
|
|
#[Groups(['profile:read', 'profile:write'])]
|
|
private bool $isActive = true;
|
|
|
|
/**
|
|
* @var list<string> The user roles
|
|
*/
|
|
#[ORM\Column(type: 'json', options: ['default' => '["ROLE_USER"]'])]
|
|
#[Groups(['profile:read', 'profile:admin:write'])]
|
|
private array $roles = ['ROLE_USER'];
|
|
|
|
/**
|
|
* @var null|string The hashed password
|
|
*/
|
|
#[ORM\Column(type: 'string', nullable: true)]
|
|
private ?string $password = null;
|
|
|
|
/**
|
|
* Non-persisted field used for password hashing via ProfilePasswordHasher.
|
|
*/
|
|
#[Groups(['profile:write'])]
|
|
private ?string $plainPassword = null;
|
|
|
|
#[ORM\Column(type: 'datetime_immutable', name: 'createdat')]
|
|
#[Groups(['profile:read'])]
|
|
private DateTimeImmutable $createdAt;
|
|
|
|
#[ORM\Column(type: 'datetime_immutable', name: 'updatedat')]
|
|
#[Groups(['profile:read'])]
|
|
private DateTimeImmutable $updatedAt;
|
|
|
|
public function __construct()
|
|
{
|
|
$this->id = 'cl'.bin2hex(random_bytes(12));
|
|
$this->createdAt = new DateTimeImmutable();
|
|
$this->updatedAt = new DateTimeImmutable();
|
|
}
|
|
|
|
public function getId(): ?string
|
|
{
|
|
return $this->id;
|
|
}
|
|
|
|
public function getEmail(): ?string
|
|
{
|
|
return $this->email;
|
|
}
|
|
|
|
public function setEmail(?string $email): static
|
|
{
|
|
$this->email = $email;
|
|
|
|
return $this;
|
|
}
|
|
|
|
public function getFirstName(): string
|
|
{
|
|
return $this->firstName;
|
|
}
|
|
|
|
public function setFirstName(string $firstName): static
|
|
{
|
|
$this->firstName = $firstName;
|
|
|
|
return $this;
|
|
}
|
|
|
|
public function getLastName(): string
|
|
{
|
|
return $this->lastName;
|
|
}
|
|
|
|
public function setLastName(string $lastName): static
|
|
{
|
|
$this->lastName = $lastName;
|
|
|
|
return $this;
|
|
}
|
|
|
|
public function isActive(): bool
|
|
{
|
|
return $this->isActive;
|
|
}
|
|
|
|
public function setIsActive(bool $isActive): static
|
|
{
|
|
$this->isActive = $isActive;
|
|
|
|
return $this;
|
|
}
|
|
|
|
/**
|
|
* @see UserInterface
|
|
*/
|
|
public function getUserIdentifier(): string
|
|
{
|
|
return (string) $this->email;
|
|
}
|
|
|
|
/**
|
|
* @see UserInterface
|
|
*
|
|
* @return list<string>
|
|
*/
|
|
public function getRoles(): array
|
|
{
|
|
$roles = $this->roles;
|
|
$roles[] = 'ROLE_USER';
|
|
|
|
return array_values(array_unique($roles));
|
|
}
|
|
|
|
/**
|
|
* @param list<string> $roles
|
|
*/
|
|
public function setRoles(array $roles): static
|
|
{
|
|
$this->roles = $roles;
|
|
|
|
return $this;
|
|
}
|
|
|
|
/**
|
|
* @see PasswordAuthenticatedUserInterface
|
|
*/
|
|
public function getPassword(): ?string
|
|
{
|
|
return $this->password;
|
|
}
|
|
|
|
public function setPassword(?string $password): static
|
|
{
|
|
$this->password = $password;
|
|
|
|
return $this;
|
|
}
|
|
|
|
public function getPlainPassword(): ?string
|
|
{
|
|
return $this->plainPassword;
|
|
}
|
|
|
|
public function setPlainPassword(?string $plainPassword): static
|
|
{
|
|
$this->plainPassword = $plainPassword;
|
|
|
|
return $this;
|
|
}
|
|
|
|
#[Groups(['profile:read'])]
|
|
public function getHasPassword(): bool
|
|
{
|
|
return null !== $this->password && '' !== $this->password;
|
|
}
|
|
|
|
/**
|
|
* @see UserInterface
|
|
*/
|
|
public function eraseCredentials(): void
|
|
{
|
|
$this->plainPassword = null;
|
|
}
|
|
|
|
public function getCreatedAt(): DateTimeImmutable
|
|
{
|
|
return $this->createdAt;
|
|
}
|
|
|
|
public function getUpdatedAt(): DateTimeImmutable
|
|
{
|
|
return $this->updatedAt;
|
|
}
|
|
|
|
#[ORM\PrePersist]
|
|
public function setCreatedAtValue(): void
|
|
{
|
|
$this->createdAt = new DateTimeImmutable();
|
|
$this->updatedAt = new DateTimeImmutable();
|
|
}
|
|
|
|
#[ORM\PreUpdate]
|
|
public function setUpdatedAtValue(): void
|
|
{
|
|
$this->updatedAt = new DateTimeImmutable();
|
|
}
|
|
}
|