From 4ecbb23a2ad4f3cbdda95861262a9c436222f080 Mon Sep 17 00:00:00 2001
From: Serreau Jovann <jovann@siteconseil.fr>
Date: Thu, 19 Mar 2026 10:48:54 +0100
Subject: [PATCH] Fix PHPStan errors and PHP CS Fixer import order

- Fix OAuthController: add missing second parameter to redirect()
- Fix KeycloakAuthenticator: get email from toArray() instead of getEmail()
- Fix KeycloakAuthenticator: type-hint session for getFlashBag() access
- Fix import order in KeycloakAuthenticatorTest

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/Controller/OAuthController.php           | 2 +-
 src/Security/KeycloakAuthenticator.php       | 8 +++++---
 tests/Security/KeycloakAuthenticatorTest.php | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/Controller/OAuthController.php b/src/Controller/OAuthController.php
index 35d4acb..68acbda 100644
--- a/src/Controller/OAuthController.php
+++ b/src/Controller/OAuthController.php
@@ -12,7 +12,7 @@ class OAuthController extends AbstractController
     #[Route('/connection/sso/login', name: 'app_oauth_keycloak')]
     public function connect(ClientRegistry $clientRegistry): RedirectResponse
     {
-        return $clientRegistry->getClient('keycloak')->redirect(['openid', 'email', 'profile']);
+        return $clientRegistry->getClient('keycloak')->redirect(['openid', 'email', 'profile'], []);
     }
 
     #[Route('/connection/sso/logout', name: 'app_oauth_keycloak_logout')]
diff --git a/src/Security/KeycloakAuthenticator.php b/src/Security/KeycloakAuthenticator.php
index 7a0224c..e18cacf 100644
--- a/src/Security/KeycloakAuthenticator.php
+++ b/src/Security/KeycloakAuthenticator.php
@@ -42,9 +42,9 @@ class KeycloakAuthenticator extends OAuth2Authenticator
         return new SelfValidatingPassport(
             new UserBadge($accessToken->getToken(), function () use ($accessToken, $client) {
                 $keycloakUser = $client->fetchUserFromToken($accessToken);
-                $keycloakId = $keycloakUser->getId();
-                $email = $keycloakUser->getEmail();
                 $data = $keycloakUser->toArray();
+                $keycloakId = $keycloakUser->getId();
+                $email = $data['email'] ?? '';
                 $roles = $this->mapGroupsToRoles($data['groups'] ?? []);
 
                 $user = $this->em->getRepository(User::class)->findOneBy(['keycloakId' => $keycloakId]);
@@ -110,7 +110,9 @@ class KeycloakAuthenticator extends OAuth2Authenticator
 
     public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
     {
-        $request->getSession()->getFlashBag()->add('error', 'Echec de la connexion SSO E-Cosplay.');
+        /** @var \Symfony\Component\HttpFoundation\Session\Session $session */
+        $session = $request->getSession();
+        $session->getFlashBag()->add('error', 'Echec de la connexion SSO E-Cosplay.');
 
         return new RedirectResponse($this->router->generate('app_login'));
     }
diff --git a/tests/Security/KeycloakAuthenticatorTest.php b/tests/Security/KeycloakAuthenticatorTest.php
index c293008..f765b29 100644
--- a/tests/Security/KeycloakAuthenticatorTest.php
+++ b/tests/Security/KeycloakAuthenticatorTest.php
@@ -9,8 +9,8 @@ use Doctrine\ORM\EntityRepository;
 use KnpU\OAuth2ClientBundle\Client\ClientRegistry;
 use KnpU\OAuth2ClientBundle\Client\OAuth2ClientInterface;
 use League\OAuth2\Client\Token\AccessToken;
-use Stevenmaguire\OAuth2\Client\Provider\KeycloakResourceOwner;
 use PHPUnit\Framework\TestCase;
+use Stevenmaguire\OAuth2\Client\Provider\KeycloakResourceOwner;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Session\Flash\FlashBag;
 use Symfony\Component\HttpFoundation\Session\Session;