AcadeNice/corentin_wakdo
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: authentification back-office P2 (login/logout/reset, throttle, audit) #11

Merged
Corentin merged 4 commits from feat/p2-auth into dev 2026-06-15 20:18:59 +02:00
Conversation 0 Commits 4 Files changed 37 +3648 -1
Corentin commented 2026-06-15 20:16:25 +02:00
Owner
Copy link

Authentification back-office (P2), implemente mlt.md section 12.

Perimetre : login (12.1), logout (12.2), reinitialisation mot de passe (12.3),
SessionGuard (RG-6 / RG-T02, cable en P3), throttle par compte + par IP, audit_log.

Securite : sessions PHP + argon2id, regeneration d'ID a la connexion, jeton CSRF
synchroniseur, backoff degressif anti brute-force, anti-enumeration d'email (timing +
profil d'ecritures identique), fail-closed sur erreur base.

Qualite : 98 tests (unit DB-free + integration DB auto-skippee), PHPStan L6 vert,
E2E valide contre la base reelle. Revue adversariale passee, 6 findings corriges.

Doc : docs/api/conventions.md (conventions de nommage + listing des endpoints).

Base volontaire : dev.

Authentification back-office (P2), implemente mlt.md section 12. Perimetre : login (12.1), logout (12.2), reinitialisation mot de passe (12.3), SessionGuard (RG-6 / RG-T02, cable en P3), throttle par compte + par IP, audit_log. Securite : sessions PHP + argon2id, regeneration d'ID a la connexion, jeton CSRF synchroniseur, backoff degressif anti brute-force, anti-enumeration d'email (timing + profil d'ecritures identique), fail-closed sur erreur base. Qualite : 98 tests (unit DB-free + integration DB auto-skippee), PHPStan L6 vert, E2E valide contre la base reelle. Revue adversariale passee, 6 findings corriges. Doc : docs/api/conventions.md (conventions de nommage + listing des endpoints). Base volontaire : dev.
Corentin added 4 commits 2026-06-15 20:16:25 +02:00 
Cable ARGON2_*, ACCOUNT_LOCKOUT_*, IP_THROTTLE_*, STAFF_PIN_MIN_LENGTH et
PASSWORD_RESET_TTL dans le bloc environment de wakdo-app pour que la couche auth
lise ses parametres de cout et de throttling (deja presents dans .env.example).
Request::formBody() decode un POST urlencode (le login back-office est un
formulaire, pas du JSON) ; Request::clientIp() resout l'IP client reelle derriere
Traefik (dernier hop X-Forwarded-For valide, repli REMOTE_ADDR). Database::transaction()
enveloppe un jeu d'ecritures dans un begin/commit atomique avec rollback sur exception
(RG-T08) ; DatabaseInterface extrait le seam d'acces aux donnees pour rendre les services
testables avec un double. Response gagne des accesseurs en lecture (body/header/headers)
pour les tests de controleur. Tout est additif et retro-compatible.
Implemente mlt.md section 12 : AUTHENTICATE_USER (12.1), LOGOUT_USER (12.2),
RESET_PASSWORD (12.3). Sessions PHP + argon2id, regeneration d'ID a la connexion,
idle 4h / absolu 10h via SessionGuard (cable en P3), jeton CSRF synchroniseur, backoff
degressif anti brute-force par compte et par IP source (login_throttle), audit_log
append-only (login_success/failed, password_reset), defenses anti-enumeration d'email
(timing + profil d'ecritures identique), fail-closed sur erreur base. Vues login/forgot/reset
rendues serveur. Routes posees sur le vhost admin (pas de prefixe /admin : docroot =
public/admin). PHPUnit sans Composer (unit + integration DB auto-skippee sans base) et
PHPStan L6 restent verts.
docs(api): conventions de nommage et listing des endpoints
Some checks failed
CI / secret-scan (push) Successful in 8s
Details
CI / php-lint (push) Successful in 22s
Details
CI / static-tests (push) Successful in 31s
Details
CI / secret-scan (pull_request) Successful in 8s
Details
CI / php-lint (pull_request) Successful in 18s
Details
CI / static-tests (pull_request) Successful in 25s
Details
CI / auto-merge (push) Has been skipped
Details
CI / auto-merge (pull_request) Failing after 5s
Details
08a95eb4e9 
Documente les conventions de l'API Wakdo (chemins minuscule + snake_case, ressources
au pluriel, enveloppe data/error, codes d'erreur SCREAMING_SNAKE, champs snake_case alignes
sur le dictionnaire) et le listing des endpoints (en service P2 + projection P3-P5). Acte la
divergence connue avec le repli JSON kiosk legacy et le point de mapping data.js.
Corentin added the
auto-merge
 label 2026-06-15 20:16:26 +02:00
Corentin merged commit 1b0b20c12d into dev 2026-06-15 20:18:59 +02:00
Corentin deleted branch feat/p2-auth 2026-06-15 20:18:59 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
auto-merge

Fusion automatique sur CI verte

No labels
auto-merge
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: AcadeNice/corentin_wakdo#11
No description provided.
Delete branch "feat/p2-auth"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?