Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization
Billetterie: - Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration) - Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction - Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set - Disable checkout when event ended (server 400 + template hide) - Webhook deduplication via cache (24h TTL on stripe event.id) - Email validation (filter_var) in OrderController guest flow - JSON cart validation (structure check before processing) - Invitation expiration after 7 days (isExpired method + landing page message) - Stripe Checkout fallback when JS fails to load (noscript + redirect) Config externalization: - Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml - Replace all hardcoded contact@e-cosplay.fr across 13 files - MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin UX & Accessibility: - ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End) - aria-label on cart +/- buttons and editor toolbar buttons - tabindex=0 on editor toolbar buttons for keyboard access - data-confirm handler in app.js (was only in admin.js) - Cart error feedback on checkout failure - Billet designer save feedback (loading/success/error states) - Stock polling every 30s with rupture/low stock badges - Back to event link on payment page Security: - HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed - Stripe polling timeout (15s max) with fallback redirect - Rate limiting on public order access (20/5min) - .catch() on all fetch() calls (sortable, billet-designer) Tests (92% PHP, 100% JS lines): - PCOV added to dev Dockerfile - Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key - Rate limiter disabled in test env - Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js - New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4) - New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest - New tests: Stripe webhook payment_failed (6) + charge.refunded (6) - New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration - JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9) - ESLint + PHP CS Fixer: 0 errors - SonarQube exclusions aligned with vitest coverage config Infra: - Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am - MeilisearchService: getAllDocumentIds(), listIndexes() Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Serreau Jovann
@@ -29,7 +29,7 @@ class MessengerFailureSubscriberTest extends TestCase
|
||||
$em->expects(self::once())->method('flush');
|
||||
$mailer->expects(self::once())->method('send');
|
||||
|
||||
$subscriber = new MessengerFailureSubscriber($em, $mailer);
|
||||
$subscriber = new MessengerFailureSubscriber($em, $mailer, 'test@example.com');
|
||||
|
||||
$message = new \stdClass();
|
||||
$envelope = new Envelope($message);
|
||||
@@ -49,7 +49,7 @@ class MessengerFailureSubscriberTest extends TestCase
|
||||
$em->expects(self::once())->method('flush');
|
||||
$mailer->expects(self::once())->method('send');
|
||||
|
||||
$subscriber = new MessengerFailureSubscriber($em, $mailer);
|
||||
$subscriber = new MessengerFailureSubscriber($em, $mailer, 'test@example.com');
|
||||
|
||||
$message = new \stdClass();
|
||||
$envelope = new Envelope($message, [new RedeliveryStamp(3)]);
|
||||
@@ -69,7 +69,7 @@ class MessengerFailureSubscriberTest extends TestCase
|
||||
$em->expects(self::once())->method('flush');
|
||||
$mailer->expects(self::once())->method('send');
|
||||
|
||||
$subscriber = new MessengerFailureSubscriber($em, $mailer);
|
||||
$subscriber = new MessengerFailureSubscriber($em, $mailer, 'test@example.com');
|
||||
|
||||
$message = new class {
|
||||
public function __serialize(): array
|
||||
@@ -94,7 +94,7 @@ class MessengerFailureSubscriberTest extends TestCase
|
||||
$em->expects(self::once())->method('flush');
|
||||
$mailer->method('send')->willThrowException(new \RuntimeException('mail failed'));
|
||||
|
||||
$subscriber = new MessengerFailureSubscriber($em, $mailer);
|
||||
$subscriber = new MessengerFailureSubscriber($em, $mailer, 'test@example.com');
|
||||
|
||||
$message = new \stdClass();
|
||||
$envelope = new Envelope($message);
|
||||
|
||||
@@ -8,6 +8,9 @@ use Symfony\Component\HttpFoundation\Request;
|
||||
use Symfony\Component\HttpKernel\Event\RequestEvent;
|
||||
use Symfony\Component\HttpKernel\HttpKernelInterface;
|
||||
use Symfony\Component\HttpKernel\KernelEvents;
|
||||
use Symfony\Component\RateLimiter\LimiterInterface;
|
||||
use Symfony\Component\RateLimiter\RateLimit;
|
||||
use Symfony\Component\RateLimiter\RateLimiterFactoryInterface;
|
||||
|
||||
class RateLimiterSubscriberTest extends TestCase
|
||||
{
|
||||
@@ -62,4 +65,70 @@ class RateLimiterSubscriberTest extends TestCase
|
||||
|
||||
self::assertNull($event->getResponse());
|
||||
}
|
||||
|
||||
public function testIgnoresTestEnvironment(): void
|
||||
{
|
||||
$subscriber = new RateLimiterSubscriber([], 'test');
|
||||
|
||||
$request = new Request();
|
||||
$request->attributes->set('_route', 'app_order_create');
|
||||
|
||||
$kernel = $this->createMock(HttpKernelInterface::class);
|
||||
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
|
||||
|
||||
$subscriber->onKernelRequest($event);
|
||||
|
||||
self::assertNull($event->getResponse());
|
||||
}
|
||||
|
||||
public function testAllowsRequestWhenLimiterAccepts(): void
|
||||
{
|
||||
$rateLimit = $this->createMock(RateLimit::class);
|
||||
$rateLimit->method('isAccepted')->willReturn(true);
|
||||
|
||||
$limiter = $this->createMock(LimiterInterface::class);
|
||||
$limiter->method('consume')->willReturn($rateLimit);
|
||||
|
||||
$factory = $this->createMock(RateLimiterFactoryInterface::class);
|
||||
$factory->method('create')->willReturn($limiter);
|
||||
|
||||
$subscriber = new RateLimiterSubscriber(['order_create' => $factory], 'prod');
|
||||
|
||||
$request = new Request();
|
||||
$request->attributes->set('_route', 'app_order_create');
|
||||
|
||||
$kernel = $this->createMock(HttpKernelInterface::class);
|
||||
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
|
||||
|
||||
$subscriber->onKernelRequest($event);
|
||||
|
||||
self::assertNull($event->getResponse());
|
||||
}
|
||||
|
||||
public function testReturns429WhenLimiterRejects(): void
|
||||
{
|
||||
$rateLimit = $this->createMock(RateLimit::class);
|
||||
$rateLimit->method('isAccepted')->willReturn(false);
|
||||
|
||||
$limiter = $this->createMock(LimiterInterface::class);
|
||||
$limiter->method('consume')->willReturn($rateLimit);
|
||||
|
||||
$factory = $this->createMock(RateLimiterFactoryInterface::class);
|
||||
$factory->method('create')->willReturn($limiter);
|
||||
|
||||
$subscriber = new RateLimiterSubscriber(['order_create' => $factory], 'prod');
|
||||
|
||||
$request = new Request();
|
||||
$request->attributes->set('_route', 'app_order_create');
|
||||
|
||||
$kernel = $this->createMock(HttpKernelInterface::class);
|
||||
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
|
||||
|
||||
$subscriber->onKernelRequest($event);
|
||||
|
||||
$response = $event->getResponse();
|
||||
self::assertNotNull($response);
|
||||
self::assertSame(429, $response->getStatusCode());
|
||||
self::assertSame('Trop de requetes. Reessayez plus tard.', $response->getContent());
|
||||
}
|
||||
}
|
||||
|
||||
@@ -7,7 +7,6 @@ use App\EventSubscriber\SubAccountPermissionSubscriber;
|
||||
use PHPUnit\Framework\TestCase;
|
||||
use Symfony\Bundle\SecurityBundle\Security;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
use Symfony\Component\HttpFoundation\Session\Flash\FlashBag;
|
||||
use Symfony\Component\HttpFoundation\Session\Session;
|
||||
use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
|
||||
use Symfony\Component\HttpKernel\Event\RequestEvent;
|
||||
|
||||
155
tests/EventSubscriber/SuspendedUserSubscriberTest.php
Normal file
155
tests/EventSubscriber/SuspendedUserSubscriberTest.php
Normal file
@@ -0,0 +1,155 @@
|
||||
<?php
|
||||
|
||||
namespace App\Tests\EventSubscriber;
|
||||
|
||||
use App\Entity\User;
|
||||
use App\EventSubscriber\SuspendedUserSubscriber;
|
||||
use PHPUnit\Framework\TestCase;
|
||||
use Symfony\Bundle\SecurityBundle\Security;
|
||||
use Symfony\Component\HttpFoundation\RedirectResponse;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
use Symfony\Component\HttpFoundation\Session\Flash\FlashBagInterface;
|
||||
use Symfony\Component\HttpFoundation\Session\Session;
|
||||
use Symfony\Component\HttpKernel\Event\RequestEvent;
|
||||
use Symfony\Component\HttpKernel\HttpKernelInterface;
|
||||
use Symfony\Component\HttpKernel\KernelEvents;
|
||||
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
|
||||
|
||||
class SuspendedUserSubscriberTest extends TestCase
|
||||
{
|
||||
private Security $security;
|
||||
private UrlGeneratorInterface $urlGenerator;
|
||||
private SuspendedUserSubscriber $subscriber;
|
||||
|
||||
protected function setUp(): void
|
||||
{
|
||||
$this->security = $this->createMock(Security::class);
|
||||
$this->urlGenerator = $this->createMock(UrlGeneratorInterface::class);
|
||||
$this->subscriber = new SuspendedUserSubscriber(
|
||||
$this->security,
|
||||
$this->urlGenerator,
|
||||
'admin@example.com',
|
||||
);
|
||||
}
|
||||
|
||||
private function createEvent(string $route, int $requestType = HttpKernelInterface::MAIN_REQUEST): RequestEvent
|
||||
{
|
||||
$flashBag = $this->createMock(FlashBagInterface::class);
|
||||
$session = $this->createMock(Session::class);
|
||||
$session->method('getFlashBag')->willReturn($flashBag);
|
||||
|
||||
$request = new Request();
|
||||
$request->attributes->set('_route', $route);
|
||||
$request->setSession($session);
|
||||
|
||||
$kernel = $this->createMock(HttpKernelInterface::class);
|
||||
|
||||
return new RequestEvent($kernel, $request, $requestType);
|
||||
}
|
||||
|
||||
public function testSubscribedEvents(): void
|
||||
{
|
||||
$events = SuspendedUserSubscriber::getSubscribedEvents();
|
||||
|
||||
self::assertArrayHasKey(KernelEvents::REQUEST, $events);
|
||||
self::assertSame(['onKernelRequest', 8], $events[KernelEvents::REQUEST]);
|
||||
}
|
||||
|
||||
public function testSkipsSubRequest(): void
|
||||
{
|
||||
$this->security->expects(self::never())->method('getUser');
|
||||
|
||||
$event = $this->createEvent('app_dashboard', HttpKernelInterface::SUB_REQUEST);
|
||||
$this->subscriber->onKernelRequest($event);
|
||||
|
||||
self::assertNull($event->getResponse());
|
||||
}
|
||||
|
||||
public function testSkipsWhenNoUser(): void
|
||||
{
|
||||
$this->security->method('getUser')->willReturn(null);
|
||||
|
||||
$event = $this->createEvent('app_dashboard');
|
||||
$this->subscriber->onKernelRequest($event);
|
||||
|
||||
self::assertNull($event->getResponse());
|
||||
}
|
||||
|
||||
public function testSkipsWhenUserNotSuspended(): void
|
||||
{
|
||||
$user = new User();
|
||||
$user->setIsSuspended(false);
|
||||
$this->security->method('getUser')->willReturn($user);
|
||||
|
||||
$event = $this->createEvent('app_dashboard');
|
||||
$this->subscriber->onKernelRequest($event);
|
||||
|
||||
self::assertNull($event->getResponse());
|
||||
}
|
||||
|
||||
public function testSkipsWhenUserSuspendedNull(): void
|
||||
{
|
||||
$user = new User();
|
||||
$this->security->method('getUser')->willReturn($user);
|
||||
|
||||
$event = $this->createEvent('app_dashboard');
|
||||
$this->subscriber->onKernelRequest($event);
|
||||
|
||||
self::assertNull($event->getResponse());
|
||||
}
|
||||
|
||||
#[\PHPUnit\Framework\Attributes\DataProvider('allowedRoutesProvider')]
|
||||
public function testSkipsAllowedRoutesForSuspendedUser(string $route): void
|
||||
{
|
||||
$user = new User();
|
||||
$user->setIsSuspended(true);
|
||||
$this->security->method('getUser')->willReturn($user);
|
||||
|
||||
$event = $this->createEvent($route);
|
||||
$this->subscriber->onKernelRequest($event);
|
||||
|
||||
self::assertNull($event->getResponse());
|
||||
}
|
||||
|
||||
/**
|
||||
* @return iterable<string, array{string}>
|
||||
*/
|
||||
public static function allowedRoutesProvider(): iterable
|
||||
{
|
||||
yield 'logout' => ['app_logout'];
|
||||
yield 'home' => ['app_home'];
|
||||
yield 'login' => ['app_login'];
|
||||
}
|
||||
|
||||
public function testRedirectsSuspendedUserOnProtectedRoute(): void
|
||||
{
|
||||
$user = new User();
|
||||
$user->setIsSuspended(true);
|
||||
$this->security->method('getUser')->willReturn($user);
|
||||
|
||||
$this->urlGenerator->method('generate')
|
||||
->with('app_home')
|
||||
->willReturn('/');
|
||||
|
||||
$flashBag = $this->createMock(FlashBagInterface::class);
|
||||
$flashBag->expects(self::once())
|
||||
->method('add')
|
||||
->with('error', 'Votre compte a ete suspendu. Contactez admin@example.com.');
|
||||
|
||||
$session = $this->createMock(Session::class);
|
||||
$session->method('getFlashBag')->willReturn($flashBag);
|
||||
|
||||
$request = new Request();
|
||||
$request->attributes->set('_route', 'app_dashboard');
|
||||
$request->setSession($session);
|
||||
|
||||
$kernel = $this->createMock(HttpKernelInterface::class);
|
||||
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
|
||||
|
||||
$this->subscriber->onKernelRequest($event);
|
||||
|
||||
$response = $event->getResponse();
|
||||
self::assertInstanceOf(RedirectResponse::class, $response);
|
||||
self::assertSame('/', $response->getTargetUrl());
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user