corentin_wakdo/docs/domaines/auth.md
Corentin JOGUET 32f9baacce
docs(domaines): documentation per functional domain (7 sheets) (#44)
2026-06-17 15:55:30 +02:00

Domain — Authentication & sessions

Scope

Back-office login, logout, password reset, session guard, sensitive-action PIN. No authentication on the kiosk side (public front end).

What is delivered

  • App\Auth\AuthService (login 12.1 / logout 12.2), PasswordResetService (12.3).
  • SessionManager (the only component that touches $_SESSION/cookies; in-memory test mode), SessionGuard (RG-6/RG-T02: 4 h idle, 10 h absolute, is_active), Csrf (synchronizer token).
  • PasswordHasher (argon2id + timing decoy), PinVerifier, PinThrottle, ThrottlePolicy (degressive backoff).
  • Controllers AuthController, PasswordResetController, ProfileController (self-service set-PIN), MeController (/api/me).

Business rules

  • RG-6 / RG-T02: the session is valid only if idle limit, absolute limit and active account all hold; otherwise 302 to /login.
  • RG-8 / RG-9: login throttling per account and per IP (login_throttle), degressive backoff.
  • RG-T13: sensitive-action PIN (see users, rbac, stock).
  • Anti-enumeration: neutral responses (reset, login); argon2id timing decoy.
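As an added illustration of RG-6 / RG-T02 (not the project's own SessionGuard), a standalone PHP check applying the same three conditions; the session keys, the injected clock and the shape of the user record are assumptions:

```php
<?php
// Hypothetical guard illustrating RG-6 / RG-T02; not the project's SessionGuard.
// Assumed session keys: 'user_id', 'login_at', 'last_seen_at' (Unix timestamps).
// Assumed user record: null if not found, otherwise an array with 'is_active'.
declare(strict_types=1);

const IDLE_LIMIT     = 4 * 3600;  // 4 h without a request
const ABSOLUTE_LIMIT = 10 * 3600; // 10 h since login, whatever the activity

/**
 * Returns null when the session is valid, otherwise the rejection reason.
 * $now is injected so the rule can be tested without touching the real clock.
 */
function sessionRejectionReason(array $session, ?array $user, int $now): ?string
{
    if (!isset($session['user_id'], $session['login_at'], $session['last_seen_at'])) {
        return 'no_session';
    }
    if ($now - (int) $session['login_at'] > ABSOLUTE_LIMIT) {
        return 'absolute_expired';   // sliding activity never extends this bound
    }
    if ($now - (int) $session['last_seen_at'] > IDLE_LIMIT) {
        return 'idle_expired';
    }
    // The account may have been deactivated after login: re-check on every request.
    if ($user === null || empty($user['is_active'])) {
        return 'inactive_account';
    }
    return null;
}

// Constructed sample: logged in 5 h ago, last request 30 min ago, account active.
$now     = 1700000000;
$session = ['user_id' => 7, 'login_at' => $now - 5 * 3600, 'last_seen_at' => $now - 1800];
$user    = ['id' => 7, 'is_active' => 1];

$reason = sessionRejectionReason($session, $user, $now);
if ($reason !== null) {
    // In the application this is where the session is dropped and a 302 /login is sent.
    echo "reject: {$reason}\n";
} else {
    $session['last_seen_at'] = $now; // slide the idle window on each valid request
    echo "ok\n";
}

// Same session 11 h after login: the absolute limit wins even if the user stayed active.
echo sessionRejectionReason($session, $user, $now + 6 * 3600) ?? 'ok', "\n"; // absolute_expired
```

Deactivating a user therefore takes effect on their next request, not at their next login.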

Decisions

ADR-0001 (from scratch), ADR-0004 (PIN), ADR-0005 (PIN throttle).

Tables

user, login_throttle, pin_throttle, audit_log (login + pin.failed). Details: docs/merise/mlt.md sections 12 and 22.