From ed58a402b0e779401916059b5ce123823886b721 Mon Sep 17 00:00:00 2001
From: Matthieu <mtholot19@gmail.com>
Date: Tue, 17 Mar 2026 15:23:29 +0100
Subject: [PATCH] fix(auth) : use dedicated plainPassword field for password
 hashing

- Add non-persisted plainPassword field to User entity (write-only via API)
- Remove direct write access to password field
- Update UserPasswordHasherProcessor to hash from plainPassword
- Update frontend DTO and UserDrawer component

Ticket: T-009

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 frontend/components/user/UserDrawer.vue   |  8 +++++---
 frontend/services/dto/user-data.ts        |  2 +-
 src/Entity/User.php                       | 21 +++++++++++++++++++--
 src/State/UserPasswordHasherProcessor.php |  5 +++--
 4 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/frontend/components/user/UserDrawer.vue b/frontend/components/user/UserDrawer.vue
index bd4ac85..57fc736 100644
--- a/frontend/components/user/UserDrawer.vue
+++ b/frontend/components/user/UserDrawer.vue
@@ -1,5 +1,5 @@
 <template>
-    <AppDrawer v-model="isOpen" :title="isEditing ? 'Modifier un utilisateur' : 'Ajouter un utilisateur'">
+    <AppDrawer v-model="isOpen" :title="isEditing ? $t('users.editUser') : $t('users.addUser')">
         <form class="flex flex-col gap-2" @submit.prevent="handleSubmit">
             <MalioInputText
                 v-model="form.username"
@@ -90,6 +90,8 @@ import { useProjectService } from '~/services/projects'
 import type { Client } from '~/services/dto/client'
 import type { Project } from '~/services/dto/project'
 
+const { t } = useI18n()
+
 const props = defineProps<{
     modelValue: boolean
     item: UserData | null
@@ -114,7 +116,7 @@ const clients = ref<Client[]>([])
 const allProjects = ref<Project[]>([])
 
 const clientOptions = computed(() => [
-    { label: 'Aucun client', value: null as number | null },
+    { label: t('common.noClient'), value: null as number | null },
     ...clients.value.map((c) => ({ label: c.name, value: c.id as number | null })),
 ])
 
@@ -190,7 +192,7 @@ async function handleSubmit() {
             allowedProjects: form.allowedProjectIds.map((id) => `/api/projects/${id}`),
         }
         if (form.password) {
-            payload.password = form.password
+            payload.plainPassword = form.password
         }
 
         if (isEditing.value && props.item) {
diff --git a/frontend/services/dto/user-data.ts b/frontend/services/dto/user-data.ts
index b609a59..987af19 100644
--- a/frontend/services/dto/user-data.ts
+++ b/frontend/services/dto/user-data.ts
@@ -12,7 +12,7 @@ export type UserData = {
 
 export type UserWrite = {
     username: string
-    password?: string
+    plainPassword?: string
     roles: string[]
     client?: string | null
     allowedProjects?: string[]
diff --git a/src/Entity/User.php b/src/Entity/User.php
index 00d4009..c85b9cf 100644
--- a/src/Entity/User.php
+++ b/src/Entity/User.php
@@ -61,9 +61,11 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     private array $roles = [];
 
     #[ORM\Column]
-    #[Groups(['user:write'])]
     private ?string $password = null;
 
+    #[Groups(['user:write'])]
+    private ?string $plainPassword = null;
+
     #[ORM\Column(type: Types::DATETIME_IMMUTABLE)]
     private ?DateTimeImmutable $createdAt = null;
 
@@ -224,5 +226,20 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
         return '/api/users/'.$this->id.'/avatar';
     }
 
-    public function eraseCredentials(): void {}
+    public function getPlainPassword(): ?string
+    {
+        return $this->plainPassword;
+    }
+
+    public function setPlainPassword(?string $plainPassword): static
+    {
+        $this->plainPassword = $plainPassword;
+
+        return $this;
+    }
+
+    public function eraseCredentials(): void
+    {
+        $this->plainPassword = null;
+    }
 }
diff --git a/src/State/UserPasswordHasherProcessor.php b/src/State/UserPasswordHasherProcessor.php
index 06ef694..88e9d1c 100644
--- a/src/State/UserPasswordHasherProcessor.php
+++ b/src/State/UserPasswordHasherProcessor.php
@@ -29,10 +29,11 @@ final readonly class UserPasswordHasherProcessor implements ProcessorInterface
      */
     public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): mixed
     {
-        $plainPassword = $data->getPassword();
+        $plainPassword = $data->getPlainPassword();
 
-        if (null !== $plainPassword && !str_starts_with($plainPassword, '$')) {
+        if (null !== $plainPassword && '' !== $plainPassword) {
             $data->setPassword($this->passwordHasher->hashPassword($data, $plainPassword));
+            $data->setPlainPassword(null);
         }
 
         return $this->persistProcessor->process($data, $operation, $uriVariables, $context);