From a5144443a48e6df15521136710bf3450876d3d0e Mon Sep 17 00:00:00 2001
From: matthieu <matthieu@yuno.malio.fr>
Date: Sun, 15 Mar 2026 22:02:27 +0100
Subject: [PATCH] =?UTF-8?q?fix(avatar)=20:=20address=20review=20findings?=
 =?UTF-8?q?=20=E2=80=94=20security=20and=20UX=20fixes?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Use getMimeType() instead of getClientMimeType() to prevent MIME spoofing
- Change IsGranted to IS_AUTHENTICATED_FULLY so ROLE_CLIENT can access avatars
- Remove Groups from avatarFileName (only avatarUrl needed by frontend)
- Disable aggressive caching to prevent stale avatar images
- Add error handling to avatar upload in profile page
- Use i18n for "Mon profil" button text

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 frontend/components/ui/AppTopNav.vue    |  2 +-
 frontend/pages/profile.vue              |  8 ++++++--
 src/Controller/UserAvatarController.php | 10 +++++-----
 src/Entity/User.php                     |  1 -
 4 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/frontend/components/ui/AppTopNav.vue b/frontend/components/ui/AppTopNav.vue
index 5b05a03..bb6776f 100644
--- a/frontend/components/ui/AppTopNav.vue
+++ b/frontend/components/ui/AppTopNav.vue
@@ -19,7 +19,7 @@
               class="block w-full px-3 py-2 text-left hover:bg-neutral-100"
               @click="navigateTo('/profile')"
             >
-              Mon profil
+              {{ $t('profile.title') }}
             </button>
             <button
               type="button"
diff --git a/frontend/pages/profile.vue b/frontend/pages/profile.vue
index 625e5c5..1022dc1 100644
--- a/frontend/pages/profile.vue
+++ b/frontend/pages/profile.vue
@@ -67,8 +67,12 @@ async function onCrop(blob: Blob) {
     selectedFile.value = null
     if (!auth.user) return
 
-    await upload(auth.user.id, blob)
-    await auth.refreshUser()
+    try {
+        await upload(auth.user.id, blob)
+        await auth.refreshUser()
+    } catch {
+        // Upload error — $fetch will throw on non-2xx
+    }
 }
 
 async function onRemove() {
diff --git a/src/Controller/UserAvatarController.php b/src/Controller/UserAvatarController.php
index 675ba76..dac0724 100644
--- a/src/Controller/UserAvatarController.php
+++ b/src/Controller/UserAvatarController.php
@@ -30,7 +30,7 @@ class UserAvatarController extends AbstractController
     ) {}
 
     #[Route('/api/users/{id}/avatar', name: 'user_avatar_upload', methods: ['POST'], priority: 1)]
-    #[IsGranted('ROLE_USER')]
+    #[IsGranted('IS_AUTHENTICATED_FULLY')]
     public function upload(int $id, Request $request): JsonResponse
     {
         $user = $this->findUserOrFail($id);
@@ -46,7 +46,7 @@ class UserAvatarController extends AbstractController
             throw new BadRequestHttpException('File size exceeds 5 MB limit.');
         }
 
-        $mimeType = $file->getClientMimeType();
+        $mimeType = $file->getMimeType();
 
         if (!in_array($mimeType, self::ALLOWED_MIME_TYPES, true)) {
             throw new BadRequestHttpException('Invalid file type. Allowed: JPEG, PNG, WebP, GIF.');
@@ -71,7 +71,7 @@ class UserAvatarController extends AbstractController
     }
 
     #[Route('/api/users/{id}/avatar', name: 'user_avatar_serve', methods: ['GET'], priority: 1)]
-    #[IsGranted('ROLE_USER')]
+    #[IsGranted('IS_AUTHENTICATED_FULLY')]
     public function serve(int $id): BinaryFileResponse
     {
         $user = $this->findUserOrFail($id);
@@ -91,13 +91,13 @@ class UserAvatarController extends AbstractController
         $extension = pathinfo($user->getAvatarFileName(), PATHINFO_EXTENSION);
         $mimeMap   = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'webp' => 'image/webp', 'gif' => 'image/gif'];
         $response->headers->set('Content-Type', $mimeMap[$extension] ?? 'application/octet-stream');
-        $response->headers->set('Cache-Control', 'public, max-age=86400');
+        $response->headers->set('Cache-Control', 'no-cache, must-revalidate');
 
         return $response;
     }
 
     #[Route('/api/users/{id}/avatar', name: 'user_avatar_delete', methods: ['DELETE'], priority: 1)]
-    #[IsGranted('ROLE_USER')]
+    #[IsGranted('IS_AUTHENTICATED_FULLY')]
     public function delete(int $id): Response
     {
         $user = $this->findUserOrFail($id);
diff --git a/src/Entity/User.php b/src/Entity/User.php
index 3f921e4..00d4009 100644
--- a/src/Entity/User.php
+++ b/src/Entity/User.php
@@ -71,7 +71,6 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     private ?string $apiToken = null;
 
     #[ORM\Column(length: 255, nullable: true)]
-    #[Groups(['me:read', 'user:list'])]
     private ?string $avatarFileName = null;
 
     #[ORM\ManyToOne(targetEntity: Client::class)]