2026-03-19 20:37:16 +01:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
namespace App\Tests\Controller;
|
|
|
|
|
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
use App\Entity\Billet;
|
|
|
|
|
use App\Entity\BilletBuyer;
|
|
|
|
|
use App\Entity\BilletBuyerItem;
|
|
|
|
|
use App\Entity\BilletOrder;
|
|
|
|
|
use App\Entity\Category;
|
2026-03-20 08:45:48 +01:00
|
|
|
use App\Entity\Payout;
|
|
|
|
|
use App\Entity\User;
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
use App\Service\AuditService;
|
|
|
|
|
use App\Service\BilletOrderService;
|
2026-03-20 08:45:48 +01:00
|
|
|
use App\Service\MailerService;
|
|
|
|
|
use App\Service\PayoutPdfService;
|
2026-03-19 20:37:16 +01:00
|
|
|
use App\Service\StripeService;
|
2026-03-20 08:45:48 +01:00
|
|
|
use Doctrine\ORM\EntityManagerInterface;
|
2026-03-19 20:37:16 +01:00
|
|
|
use Stripe\Event;
|
|
|
|
|
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
|
|
|
|
|
|
|
|
|
|
class StripeWebhookControllerTest extends WebTestCase
|
|
|
|
|
{
|
|
|
|
|
public function testWebhookWithValidSignature(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn(new Event());
|
2026-03-19 20:37:16 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], [
|
2026-03-19 20:37:16 +01:00
|
|
|
'HTTP_STRIPE_SIGNATURE' => 'valid',
|
|
|
|
|
], '{}');
|
|
|
|
|
|
|
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
self::assertSame('OK', $client->getResponse()->getContent());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testWebhookWithInvalidSignature(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn(null);
|
2026-03-19 20:37:16 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], [
|
2026-03-19 20:37:16 +01:00
|
|
|
'HTTP_STRIPE_SIGNATURE' => 'invalid',
|
|
|
|
|
], '{}');
|
|
|
|
|
|
|
|
|
|
self::assertResponseStatusCodeSame(400);
|
|
|
|
|
}
|
2026-03-20 08:45:48 +01:00
|
|
|
|
|
|
|
|
public function testAccountCreatedSetsStartedStatus(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$user = $this->createOrgaUser($em, 'acct_created');
|
|
|
|
|
|
|
|
|
|
$event = new Event();
|
|
|
|
|
$event->type = 'v2.core.account.created';
|
|
|
|
|
|
|
|
|
|
$this->mockStripe($client, $event);
|
|
|
|
|
|
|
|
|
|
$payload = json_encode(['related_object' => ['id' => 'acct_created']]);
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], $payload);
|
2026-03-20 08:45:48 +01:00
|
|
|
|
|
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
|
|
|
|
|
$freshEm = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
$updated = $freshEm->getRepository(User::class)->findOneBy(['stripeAccountId' => 'acct_created']);
|
|
|
|
|
self::assertSame('started', $updated->getStripeStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testAccountClosedDisablesFlags(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$user = $this->createOrgaUser($em, 'acct_closed');
|
|
|
|
|
$user->setStripeChargesEnabled(true);
|
|
|
|
|
$user->setStripePayoutsEnabled(true);
|
|
|
|
|
$em->flush();
|
|
|
|
|
|
|
|
|
|
$event = new Event();
|
|
|
|
|
$event->type = 'v2.core.account.closed';
|
|
|
|
|
|
|
|
|
|
$this->mockStripe($client, $event);
|
|
|
|
|
|
|
|
|
|
$payload = json_encode(['related_object' => ['id' => 'acct_closed']]);
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], $payload);
|
2026-03-20 08:45:48 +01:00
|
|
|
|
|
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
|
|
|
|
|
$freshEm = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
$updated = $freshEm->getRepository(User::class)->findOneBy(['stripeAccountId' => 'acct_closed']);
|
|
|
|
|
self::assertSame('closed', $updated->getStripeStatus());
|
|
|
|
|
self::assertFalse($updated->isStripeChargesEnabled());
|
|
|
|
|
self::assertFalse($updated->isStripePayoutsEnabled());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testAccountUpdatedSetsStatus(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$this->createOrgaUser($em, 'acct_upd');
|
|
|
|
|
|
|
|
|
|
$event = new Event();
|
|
|
|
|
$event->type = 'v2.core.account.updated';
|
|
|
|
|
|
|
|
|
|
$this->mockStripe($client, $event);
|
|
|
|
|
|
|
|
|
|
$payload = json_encode(['related_object' => ['id' => 'acct_upd']]);
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], $payload);
|
2026-03-20 08:45:48 +01:00
|
|
|
|
|
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
|
|
|
|
|
$freshEm = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
$updated = $freshEm->getRepository(User::class)->findOneBy(['stripeAccountId' => 'acct_upd']);
|
|
|
|
|
self::assertSame('updated', $updated->getStripeStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testAccountStatusUnknownUser(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
|
|
|
|
|
$event = new Event();
|
|
|
|
|
$event->type = 'v2.core.account.created';
|
|
|
|
|
|
|
|
|
|
$this->mockStripe($client, $event);
|
|
|
|
|
|
|
|
|
|
$payload = json_encode(['related_object' => ['id' => 'acct_nonexistent']]);
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], $payload);
|
2026-03-20 08:45:48 +01:00
|
|
|
|
|
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testAccountStatusNoRelatedObject(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
|
|
|
|
|
$event = new Event();
|
|
|
|
|
$event->type = 'v2.core.account.created';
|
|
|
|
|
|
|
|
|
|
$this->mockStripe($client, $event);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
2026-03-20 08:45:48 +01:00
|
|
|
|
|
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testMerchantCapabilityCardPaymentsActive(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$this->createOrgaUser($em, 'acct_merchant');
|
|
|
|
|
|
|
|
|
|
$event = new Event();
|
|
|
|
|
$event->type = 'v2.core.account[configuration.merchant].capability_status_updated';
|
|
|
|
|
|
|
|
|
|
$this->mockStripe($client, $event);
|
|
|
|
|
|
|
|
|
|
$payload = json_encode([
|
|
|
|
|
'related_object' => ['id' => 'acct_merchant'],
|
|
|
|
|
'changes' => ['after' => ['configuration' => [
|
|
|
|
|
'merchant' => ['capabilities' => [
|
|
|
|
|
'card_payments' => ['status' => 'active'],
|
|
|
|
|
]],
|
|
|
|
|
]]],
|
|
|
|
|
]);
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], $payload);
|
2026-03-20 08:45:48 +01:00
|
|
|
|
|
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
|
|
|
|
|
$freshEm = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
$updated = $freshEm->getRepository(User::class)->findOneBy(['stripeAccountId' => 'acct_merchant']);
|
|
|
|
|
self::assertTrue($updated->isStripeChargesEnabled());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testRecipientCapabilityPayoutsActive(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$this->createOrgaUser($em, 'acct_recipient');
|
|
|
|
|
|
|
|
|
|
$event = new Event();
|
|
|
|
|
$event->type = 'v2.core.account[configuration.recipient].capability_status_updated';
|
|
|
|
|
|
|
|
|
|
$this->mockStripe($client, $event);
|
|
|
|
|
|
|
|
|
|
$payload = json_encode([
|
|
|
|
|
'related_object' => ['id' => 'acct_recipient'],
|
|
|
|
|
'changes' => ['after' => ['configuration' => [
|
|
|
|
|
'recipient' => ['capabilities' => [
|
|
|
|
|
'stripe_balance' => ['payouts' => ['status' => 'active']],
|
|
|
|
|
]],
|
|
|
|
|
]]],
|
|
|
|
|
]);
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], $payload);
|
2026-03-20 08:45:48 +01:00
|
|
|
|
|
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
|
|
|
|
|
$freshEm = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
$updated = $freshEm->getRepository(User::class)->findOneBy(['stripeAccountId' => 'acct_recipient']);
|
|
|
|
|
self::assertTrue($updated->isStripePayoutsEnabled());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testCapabilityBothActiveSetStatusActive(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$user = $this->createOrgaUser($em, 'acct_both');
|
|
|
|
|
$user->setStripeChargesEnabled(true);
|
|
|
|
|
$em->flush();
|
|
|
|
|
|
|
|
|
|
$event = new Event();
|
|
|
|
|
$event->type = 'v2.core.account[configuration.merchant].capability_status_updated';
|
|
|
|
|
|
|
|
|
|
$this->mockStripe($client, $event);
|
|
|
|
|
|
|
|
|
|
$payload = json_encode([
|
|
|
|
|
'related_object' => ['id' => 'acct_both'],
|
|
|
|
|
'changes' => ['after' => ['configuration' => [
|
|
|
|
|
'merchant' => ['capabilities' => [
|
|
|
|
|
'stripe_balance' => ['payouts' => ['status' => 'active']],
|
|
|
|
|
]],
|
|
|
|
|
]]],
|
|
|
|
|
]);
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], $payload);
|
2026-03-20 08:45:48 +01:00
|
|
|
|
|
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
|
|
|
|
|
$freshEm = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
$updated = $freshEm->getRepository(User::class)->findOneBy(['stripeAccountId' => 'acct_both']);
|
|
|
|
|
self::assertSame('active', $updated->getStripeStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testCapabilityUnknownUser(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
|
|
|
|
|
$event = new Event();
|
|
|
|
|
$event->type = 'v2.core.account[configuration.merchant].capability_status_updated';
|
|
|
|
|
|
|
|
|
|
$this->mockStripe($client, $event);
|
|
|
|
|
|
|
|
|
|
$payload = json_encode([
|
|
|
|
|
'related_object' => ['id' => 'acct_ghost'],
|
|
|
|
|
'changes' => ['after' => ['configuration' => []]],
|
|
|
|
|
]);
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], $payload);
|
2026-03-20 08:45:48 +01:00
|
|
|
|
|
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testPayoutCreatedSavesAndSendsEmail(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$user = $this->createOrgaUser($em, 'acct_payout');
|
|
|
|
|
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'payout.created',
|
|
|
|
|
'account' => 'acct_payout',
|
|
|
|
|
'data' => ['object' => [
|
|
|
|
|
'id' => 'po_test_wh_'.uniqid(),
|
|
|
|
|
'status' => 'pending',
|
|
|
|
|
'amount' => 5000,
|
|
|
|
|
'currency' => 'eur',
|
|
|
|
|
'destination' => 'ba_xxx',
|
|
|
|
|
]],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
2026-03-20 08:45:48 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
|
|
|
|
$mailer = $this->createMock(MailerService::class);
|
|
|
|
|
$mailer->expects(self::once())->method('sendEmail');
|
|
|
|
|
static::getContainer()->set(MailerService::class, $mailer);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
2026-03-20 08:45:48 +01:00
|
|
|
|
|
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testPayoutPaidSendsEmailWithPdf(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$user = $this->createOrgaUser($em, 'acct_paid');
|
|
|
|
|
|
|
|
|
|
$payoutId = 'po_paid_'.uniqid();
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'payout.paid',
|
|
|
|
|
'account' => 'acct_paid',
|
|
|
|
|
'data' => ['object' => [
|
|
|
|
|
'id' => $payoutId,
|
|
|
|
|
'status' => 'paid',
|
|
|
|
|
'amount' => 10000,
|
|
|
|
|
'currency' => 'eur',
|
|
|
|
|
'destination' => 'ba_yyy',
|
|
|
|
|
'arrival_date' => time() + 86400,
|
|
|
|
|
]],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
2026-03-20 08:45:48 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
|
|
|
|
$mailer = $this->createMock(MailerService::class);
|
|
|
|
|
$mailer->expects(self::once())->method('sendEmail');
|
|
|
|
|
static::getContainer()->set(MailerService::class, $mailer);
|
|
|
|
|
|
|
|
|
|
$pdfService = $this->createMock(PayoutPdfService::class);
|
|
|
|
|
$pdfService->expects(self::once())->method('generateToFile')->willReturn('/tmp/fake.pdf');
|
|
|
|
|
static::getContainer()->set(PayoutPdfService::class, $pdfService);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
2026-03-20 08:45:48 +01:00
|
|
|
|
|
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
|
|
|
|
|
$freshEm = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
$payout = $freshEm->getRepository(Payout::class)->findOneBy(['stripePayoutId' => $payoutId]);
|
|
|
|
|
self::assertNotNull($payout);
|
|
|
|
|
self::assertSame('paid', $payout->getStatus());
|
|
|
|
|
self::assertSame(10000, $payout->getAmount());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testPayoutUpdatedExistingPayout(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$user = $this->createOrgaUser($em, 'acct_upd_po');
|
|
|
|
|
|
|
|
|
|
$payout = new Payout();
|
|
|
|
|
$payout->setOrganizer($user);
|
|
|
|
|
$payout->setStripePayoutId('po_existing_'.uniqid());
|
|
|
|
|
$payout->setStatus('pending');
|
|
|
|
|
$payout->setAmount(3000);
|
|
|
|
|
$payout->setCurrency('eur');
|
|
|
|
|
$payout->setStripeAccountId('acct_upd_po');
|
|
|
|
|
$em->persist($payout);
|
|
|
|
|
$em->flush();
|
|
|
|
|
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'payout.updated',
|
|
|
|
|
'account' => 'acct_upd_po',
|
|
|
|
|
'data' => ['object' => [
|
|
|
|
|
'id' => $payout->getStripePayoutId(),
|
|
|
|
|
'status' => 'in_transit',
|
|
|
|
|
'amount' => 3000,
|
|
|
|
|
'currency' => 'eur',
|
|
|
|
|
'destination' => 'ba_zzz',
|
|
|
|
|
]],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
2026-03-20 08:45:48 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
|
|
|
|
$mailer = $this->createMock(MailerService::class);
|
|
|
|
|
$mailer->expects(self::once())->method('sendEmail');
|
|
|
|
|
static::getContainer()->set(MailerService::class, $mailer);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
2026-03-20 08:45:48 +01:00
|
|
|
|
|
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
|
|
|
|
|
$freshEm = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
$updated = $freshEm->getRepository(Payout::class)->findOneBy(['stripePayoutId' => $payout->getStripePayoutId()]);
|
|
|
|
|
self::assertSame('in_transit', $updated->getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testPayoutNoPayoutId(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'payout.created',
|
|
|
|
|
'data' => ['object' => []],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
2026-03-20 08:45:48 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
2026-03-20 08:45:48 +01:00
|
|
|
|
|
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testPayoutNoUser(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'payout.created',
|
|
|
|
|
'account' => 'acct_nouser',
|
|
|
|
|
'data' => ['object' => [
|
|
|
|
|
'id' => 'po_nouser_'.uniqid(),
|
|
|
|
|
'status' => 'pending',
|
|
|
|
|
'amount' => 1000,
|
|
|
|
|
'currency' => 'eur',
|
|
|
|
|
]],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
2026-03-20 08:45:48 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
2026-03-20 08:45:48 +01:00
|
|
|
|
|
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
}
|
|
|
|
|
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
// === payment_intent.payment_failed ===
|
|
|
|
|
|
|
|
|
|
public function testPaymentFailedCancelsOrder(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$user = $this->createOrgaUser($em, 'acct_pf_'.uniqid());
|
|
|
|
|
$order = $this->createTestOrder($em, $user);
|
|
|
|
|
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'payment_intent.payment_failed',
|
|
|
|
|
'data' => ['object' => [
|
|
|
|
|
'metadata' => ['order_id' => (string) $order->getId()],
|
|
|
|
|
'last_payment_error' => ['message' => 'Your card was declined.'],
|
|
|
|
|
]],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
|
|
|
|
$mailer = $this->createMock(MailerService::class);
|
|
|
|
|
$mailer->expects(self::once())->method('sendEmail');
|
|
|
|
|
static::getContainer()->set(MailerService::class, $mailer);
|
|
|
|
|
|
|
|
|
|
$audit = $this->createMock(AuditService::class);
|
|
|
|
|
$audit->expects(self::once())->method('log')->with('payment_failed', 'BilletBuyer', $order->getId(), $this->anything());
|
|
|
|
|
static::getContainer()->set(AuditService::class, $audit);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
|
|
|
|
|
$freshEm = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
$updated = $freshEm->getRepository(BilletBuyer::class)->find($order->getId());
|
|
|
|
|
self::assertSame(BilletBuyer::STATUS_CANCELLED, $updated->getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testPaymentFailedNoOrderId(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'payment_intent.payment_failed',
|
|
|
|
|
'data' => ['object' => ['metadata' => []]],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testPaymentFailedOrderNotFound(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'payment_intent.payment_failed',
|
|
|
|
|
'data' => ['object' => [
|
|
|
|
|
'metadata' => ['order_id' => '999999'],
|
|
|
|
|
]],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testPaymentFailedOrderAlreadyPaid(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$user = $this->createOrgaUser($em, 'acct_pf_paid_'.uniqid());
|
|
|
|
|
$order = $this->createTestOrder($em, $user);
|
|
|
|
|
$order->setStatus(BilletBuyer::STATUS_PAID);
|
|
|
|
|
$em->flush();
|
|
|
|
|
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'payment_intent.payment_failed',
|
|
|
|
|
'data' => ['object' => [
|
|
|
|
|
'metadata' => ['order_id' => (string) $order->getId()],
|
|
|
|
|
]],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
|
|
|
|
|
$freshEm = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
$updated = $freshEm->getRepository(BilletBuyer::class)->find($order->getId());
|
|
|
|
|
self::assertSame(BilletBuyer::STATUS_PAID, $updated->getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testPaymentFailedDefaultErrorMessage(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$user = $this->createOrgaUser($em, 'acct_pf_def_'.uniqid());
|
|
|
|
|
$order = $this->createTestOrder($em, $user);
|
|
|
|
|
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'payment_intent.payment_failed',
|
|
|
|
|
'data' => ['object' => [
|
|
|
|
|
'metadata' => ['order_id' => (string) $order->getId()],
|
|
|
|
|
]],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
|
|
|
|
$mailer = $this->createMock(MailerService::class);
|
|
|
|
|
$mailer->expects(self::once())->method('sendEmail');
|
|
|
|
|
static::getContainer()->set(MailerService::class, $mailer);
|
|
|
|
|
|
|
|
|
|
$audit = $this->createMock(AuditService::class);
|
|
|
|
|
$audit->expects(self::once())->method('log')->with(
|
|
|
|
|
'payment_failed',
|
|
|
|
|
'BilletBuyer',
|
|
|
|
|
$order->getId(),
|
|
|
|
|
$this->callback(fn (array $d) => 'Paiement refuse' === $d['error'])
|
|
|
|
|
);
|
|
|
|
|
static::getContainer()->set(AuditService::class, $audit);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testPaymentFailedNoEmail(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$user = $this->createOrgaUser($em, 'acct_pf_nomail_'.uniqid());
|
|
|
|
|
$order = $this->createTestOrder($em, $user);
|
|
|
|
|
$order->setEmail(null);
|
|
|
|
|
$em->flush();
|
|
|
|
|
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'payment_intent.payment_failed',
|
|
|
|
|
'data' => ['object' => [
|
|
|
|
|
'metadata' => ['order_id' => (string) $order->getId()],
|
|
|
|
|
]],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
|
|
|
|
$mailer = $this->createMock(MailerService::class);
|
|
|
|
|
$mailer->expects(self::never())->method('sendEmail');
|
|
|
|
|
static::getContainer()->set(MailerService::class, $mailer);
|
|
|
|
|
|
|
|
|
|
$audit = $this->createMock(AuditService::class);
|
|
|
|
|
static::getContainer()->set(AuditService::class, $audit);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// === charge.refunded ===
|
|
|
|
|
|
|
|
|
|
public function testChargeRefundedUpdatesOrder(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$user = $this->createOrgaUser($em, 'acct_cr_'.uniqid());
|
|
|
|
|
$order = $this->createTestOrder($em, $user);
|
|
|
|
|
$order->setStatus(BilletBuyer::STATUS_PAID);
|
|
|
|
|
$order->setStripeSessionId('pi_refund_test_'.uniqid());
|
|
|
|
|
$em->flush();
|
|
|
|
|
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'charge.refunded',
|
|
|
|
|
'data' => ['object' => [
|
|
|
|
|
'payment_intent' => $order->getStripeSessionId(),
|
|
|
|
|
]],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
|
|
|
|
$mailer = $this->createMock(MailerService::class);
|
|
|
|
|
$mailer->expects(self::atLeastOnce())->method('sendEmail');
|
|
|
|
|
static::getContainer()->set(MailerService::class, $mailer);
|
|
|
|
|
|
|
|
|
|
$audit = $this->createMock(AuditService::class);
|
|
|
|
|
$audit->expects(self::once())->method('log')->with('order_refunded_webhook', 'BilletBuyer', $order->getId(), $this->anything());
|
|
|
|
|
static::getContainer()->set(AuditService::class, $audit);
|
|
|
|
|
|
|
|
|
|
$billetOrderService = $this->createMock(BilletOrderService::class);
|
|
|
|
|
$billetOrderService->expects(self::once())->method('notifyOrganizerCancelled')->with($this->anything(), 'remboursee');
|
|
|
|
|
static::getContainer()->set(BilletOrderService::class, $billetOrderService);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
|
|
|
|
|
$freshEm = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
$updated = $freshEm->getRepository(BilletBuyer::class)->find($order->getId());
|
|
|
|
|
self::assertSame(BilletBuyer::STATUS_REFUNDED, $updated->getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testChargeRefundedInvalidatesTickets(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$user = $this->createOrgaUser($em, 'acct_cr_tk_'.uniqid());
|
|
|
|
|
$order = $this->createTestOrder($em, $user);
|
|
|
|
|
$order->setStatus(BilletBuyer::STATUS_PAID);
|
|
|
|
|
$piId = 'pi_ticket_refund_'.uniqid();
|
|
|
|
|
$order->setStripeSessionId($piId);
|
|
|
|
|
|
|
|
|
|
$ticket = new BilletOrder();
|
|
|
|
|
$ticket->setBilletBuyer($order);
|
|
|
|
|
$ticket->setBilletName('Entree');
|
|
|
|
|
$ticket->setUnitPriceHT(1500);
|
|
|
|
|
$ticket->setState(BilletOrder::STATE_VALID);
|
|
|
|
|
$em->persist($ticket);
|
|
|
|
|
$em->flush();
|
|
|
|
|
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'charge.refunded',
|
|
|
|
|
'data' => ['object' => ['payment_intent' => $piId]],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
|
|
|
|
$mailer = $this->createMock(MailerService::class);
|
|
|
|
|
static::getContainer()->set(MailerService::class, $mailer);
|
|
|
|
|
|
|
|
|
|
$audit = $this->createMock(AuditService::class);
|
|
|
|
|
static::getContainer()->set(AuditService::class, $audit);
|
|
|
|
|
|
|
|
|
|
$billetOrderService = $this->createMock(BilletOrderService::class);
|
|
|
|
|
static::getContainer()->set(BilletOrderService::class, $billetOrderService);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
|
|
|
|
|
$freshEm = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
$updatedTicket = $freshEm->getRepository(BilletOrder::class)->find($ticket->getId());
|
|
|
|
|
self::assertSame(BilletOrder::STATE_INVALID, $updatedTicket->getState());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testChargeRefundedNoPaymentIntent(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'charge.refunded',
|
|
|
|
|
'data' => ['object' => []],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testChargeRefundedOrderNotFound(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'charge.refunded',
|
|
|
|
|
'data' => ['object' => ['payment_intent' => 'pi_nonexistent_'.uniqid()]],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testChargeRefundedAlreadyRefunded(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$user = $this->createOrgaUser($em, 'acct_cr_dup_'.uniqid());
|
|
|
|
|
$order = $this->createTestOrder($em, $user);
|
|
|
|
|
$piId = 'pi_already_refunded_'.uniqid();
|
|
|
|
|
$order->setStatus(BilletBuyer::STATUS_REFUNDED);
|
|
|
|
|
$order->setStripeSessionId($piId);
|
|
|
|
|
$em->flush();
|
|
|
|
|
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'charge.refunded',
|
|
|
|
|
'data' => ['object' => ['payment_intent' => $piId]],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
|
|
|
|
|
$freshEm = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
$updated = $freshEm->getRepository(BilletBuyer::class)->find($order->getId());
|
|
|
|
|
self::assertSame(BilletBuyer::STATUS_REFUNDED, $updated->getStatus());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function testChargeRefundedNoEmail(): void
|
|
|
|
|
{
|
|
|
|
|
$client = static::createClient();
|
|
|
|
|
$em = static::getContainer()->get(EntityManagerInterface::class);
|
|
|
|
|
|
|
|
|
|
$user = $this->createOrgaUser($em, 'acct_cr_nomail_'.uniqid());
|
|
|
|
|
$order = $this->createTestOrder($em, $user);
|
|
|
|
|
$order->setStatus(BilletBuyer::STATUS_PAID);
|
|
|
|
|
$piId = 'pi_nomail_'.uniqid();
|
|
|
|
|
$order->setStripeSessionId($piId);
|
|
|
|
|
$order->setEmail(null);
|
|
|
|
|
$em->flush();
|
|
|
|
|
|
|
|
|
|
$event = Event::constructFrom([
|
|
|
|
|
'type' => 'charge.refunded',
|
|
|
|
|
'data' => ['object' => ['payment_intent' => $piId]],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
|
|
|
|
|
$mailer = $this->createMock(MailerService::class);
|
|
|
|
|
$mailer->expects(self::never())->method('sendEmail');
|
|
|
|
|
static::getContainer()->set(MailerService::class, $mailer);
|
|
|
|
|
|
|
|
|
|
$audit = $this->createMock(AuditService::class);
|
|
|
|
|
static::getContainer()->set(AuditService::class, $audit);
|
|
|
|
|
|
|
|
|
|
$billetOrderService = $this->createMock(BilletOrderService::class);
|
|
|
|
|
static::getContainer()->set(BilletOrderService::class, $billetOrderService);
|
|
|
|
|
|
2026-04-01 14:07:49 +02:00
|
|
|
$client->request('POST', '/webhooks/stripe/insta', [], [], ['HTTP_STRIPE_SIGNATURE' => 'v'], '{}');
|
Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)
Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin
UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page
Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)
Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config
Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00
|
|
|
self::assertResponseIsSuccessful();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private function createTestOrder(EntityManagerInterface $em, User $user): BilletBuyer
|
|
|
|
|
{
|
|
|
|
|
$event = new \App\Entity\Event();
|
|
|
|
|
$event->setAccount($user);
|
|
|
|
|
$event->setTitle('WH Event '.uniqid());
|
|
|
|
|
$event->setStartAt(new \DateTimeImmutable('2026-08-01 10:00'));
|
|
|
|
|
$event->setEndAt(new \DateTimeImmutable('2026-08-01 18:00'));
|
|
|
|
|
$event->setAddress('1 rue');
|
|
|
|
|
$event->setZipcode('75001');
|
|
|
|
|
$event->setCity('Paris');
|
|
|
|
|
$event->setIsOnline(true);
|
|
|
|
|
$em->persist($event);
|
|
|
|
|
|
|
|
|
|
$category = new Category();
|
|
|
|
|
$category->setName('Cat');
|
|
|
|
|
$category->setEvent($event);
|
|
|
|
|
$em->persist($category);
|
|
|
|
|
|
|
|
|
|
$billet = new Billet();
|
|
|
|
|
$billet->setName('Entree');
|
|
|
|
|
$billet->setCategory($category);
|
|
|
|
|
$billet->setPriceHT(1500);
|
|
|
|
|
$em->persist($billet);
|
|
|
|
|
|
|
|
|
|
$count = $em->getRepository(BilletBuyer::class)->count([]) + 1;
|
|
|
|
|
$order = new BilletBuyer();
|
|
|
|
|
$order->setEvent($event);
|
|
|
|
|
$order->setFirstName('Jean');
|
|
|
|
|
$order->setLastName('Dupont');
|
|
|
|
|
$order->setEmail('jean-wh@test.fr');
|
|
|
|
|
$order->setOrderNumber('2026-03-23-'.$count);
|
|
|
|
|
$order->setTotalHT(1500);
|
|
|
|
|
|
|
|
|
|
$item = new BilletBuyerItem();
|
|
|
|
|
$item->setBillet($billet);
|
|
|
|
|
$item->setBilletName('Entree');
|
|
|
|
|
$item->setQuantity(1);
|
|
|
|
|
$item->setUnitPriceHT(1500);
|
|
|
|
|
$order->addItem($item);
|
|
|
|
|
|
|
|
|
|
$em->persist($order);
|
|
|
|
|
$em->flush();
|
|
|
|
|
|
|
|
|
|
return $order;
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-20 08:45:48 +01:00
|
|
|
private function createOrgaUser(EntityManagerInterface $em, string $stripeAccountId): User
|
|
|
|
|
{
|
|
|
|
|
$user = new User();
|
|
|
|
|
$user->setEmail('test-wh-'.uniqid().'@example.com');
|
|
|
|
|
$user->setFirstName('WH');
|
|
|
|
|
$user->setLastName('Test');
|
|
|
|
|
$user->setPassword('$2y$13$hashed');
|
|
|
|
|
$user->setRoles(['ROLE_ORGANIZER']);
|
|
|
|
|
$user->setStripeAccountId($stripeAccountId);
|
|
|
|
|
$em->persist($user);
|
|
|
|
|
$em->flush();
|
|
|
|
|
|
|
|
|
|
return $user;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private function mockStripe(\Symfony\Bundle\FrameworkBundle\KernelBrowser $client, Event $event): void
|
|
|
|
|
{
|
|
|
|
|
$stripeService = $this->createMock(StripeService::class);
|
2026-04-01 14:07:49 +02:00
|
|
|
$stripeService->method('verifyWebhookSignatureInsta')->willReturn($event);
|
2026-03-20 08:45:48 +01:00
|
|
|
static::getContainer()->set(StripeService::class, $stripeService);
|
|
|
|
|
}
|
2026-03-19 20:37:16 +01:00
|
|
|
}
|