- Fix SESSION_HANDLER_DSN: use Redis db index (/1) instead of /sessions
which caused "dbindex must be a number" error
- Remove LibreTranslate service and volume from docker-compose prod
- Remove gitignore rules for translation files (en, es, de, it)
so all languages are tracked in git
- Apply PHP CS Fixer style fixes
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- ApiSandboxController: reduce scan() returns from 4 to 3 via ternary
- ApiDocController: add MIME_JSON constant, extract buildInsomniaRequest()
and buildInsomniaBody() to reduce cognitive complexity
- Store sessions in Redis to fix SSO disconnect with 2 PHP replicas
(round-robin load balancing caused session loss on filesystem storage)
- Configure session cookie: 24h lifetime, secure auto, samesite lax
- Replace Caddy analytics proxies (/stats/*, /assets/perf.js, /sperf)
with direct URLs to tools-security.esy-web.dev and cloudflareinsights.com
- Update JS tests for new direct analytics URLs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- refresh: merge empty headers check into verifyJwt call (ternary with INVALID_JWT fallback)
- ssoValidate: merge user null + not organizer into single condition, use null coalescing for findOneBy chain
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Desktop: yellow "Inscription" button next to login icon (hidden on mobile)
- Mobile menu: yellow "Inscription" block after "Connexion" link
- Registration was already functional at /inscription, just missing from navbar
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
ApiAuthTrait:
- authenticateRequest(): verify JWT from headers, return User or JsonResponse error
- success()/error(): standard JSON response helpers
ApiSandboxController (/api/sandbox):
- GET /events: returns fixture events
- GET /events/{id}: returns single fixture event
- GET /events/{id}/categories: returns fixture categories by event
- GET /categories/{id}/billets: returns fixture billets by category
- GET /billets/{id}: returns fixture billet detail
- POST /scan: returns fixture scan result by reference
- All routes authenticated via JWT, data from data/sandbox/fixtures.json
ApiLiveController (/api/live):
- GET /events: real events from DB, filtered by authenticated organizer
- GET /events/{id}: real event detail with ownership check
- GET /events/{id}/categories: real categories with isActive computed
- GET /categories/{id}/billets: real billets with sold count from BilletOrder
- GET /billets/{id}: full billet detail with image URL, category, event
- POST /scan: real ticket scan with state machine:
- invalid → refused (reason: invalid)
- expired → refused (reason: expired)
- already scanned + hasDefinedExit → refused (reason: exit_definitive)
- valid → accepted (sets firstScannedAt if first scan)
- unlimited entry/exit if !hasDefinedExit
- All routes check event/billet ownership against authenticated user
- Image URLs use request hostname (dynamic)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Flow:
1. GET /api/auth/login/sso → redirect to Keycloak login page
2. User authenticates on Keycloak
3. Keycloak redirects to GET /api/auth/login/sso/validate?code=xxx&state=xxx
4. Validate exchanges OAuth code for Keycloak token, finds user, returns JWT
- Finds user by keycloakId first, then by email fallback
- Only ROLE_ORGANIZER can get a JWT
- Response includes token + expiresAt + email
- API doc updated with both SSO routes
- SSO validate marked @codeCoverageIgnore (requires live Keycloak)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Only login skips auth headers (isLogin), refresh and all other routes include them
- afterResponseScript applies to both login and refresh (isAuthRoute)
- Refresh in Insomnia now works: sends expired token → gets new token → auto-stored
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- verifyJwt now returns {userId, expired} instead of just userId
- Expired token with valid signature can be refreshed (new 24h token)
- POST /api/auth/refresh: send expired token in ETicket-JWT header → get new token
- Returns 400 if token is still valid (no need to refresh)
- Returns 401 if signature invalid or user not found
- API doc: refresh endpoint documented with statuses
- Insomnia: both login and refresh auto-store jwt_token via afterResponseScript
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Login body uses {{ _.email }} and {{ _.password }} from environment
- afterResponseScript: auto-extracts token from response and sets jwt_token env var
- All other requests use {{ _.jwt_token }} automatically
- Flow: set email+password in env → send login → jwt_token is set → all routes work
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Insomnia export (/api/doc/insomnia.json):
- Generates Insomnia v4 export format with all API routes
- Workspace with environment variables (base_url, env, email, password, jwt_token)
- Folders per section (Auth, Events, Categories, Billets, Scanner)
- Each request with correct method, URL with Insomnia template vars, headers, body
- Auth routes use base_url directly, others use base_url/api/{env}/...
- Download button (indigo) next to Spec JSON button
Dynamic hostname:
- Insomnia export uses request.getSchemeAndHttpHost() (not hardcoded)
- Template passes host via data-host attribute
- JS env switcher reads host from data-host or falls back to location.origin
- Base URLs update dynamically when switching sandbox/live
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Controllers:
- ApiAuthController: POST /api/auth/login with JWT generation (HS256, 24h TTL)
- Validates email + password against DB
- Returns JWT token with userId, email, roles, iat, exp
- Static verifyJwt() for use by live/sandbox controllers
- Only ROLE_ORGANIZER can authenticate
- ApiLiveController: empty shell at /api/live (routes to implement)
- ApiSandboxController: empty shell at /api/sandbox (routes to implement)
Auth is shared: one /api/auth/login for both environments using real credentials.
Sandbox fixtures (data/sandbox/fixtures.json):
- 2 events (Brocante + Convention Cosplay)
- 4 categories across events
- 6 billets with varied types (billet, reservation_brocante)
- 6 billet details with descriptions, images, categories, events
- 4 scan results (2 accepted, 2 refused with different reasons)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove: orders, orders/{id}, events/{id}/orders, events/{id}/stats,
events/{id}/tickets, events/{id}/scan-stats, events/{id}/billets,
export CSV routes
Keep only 7 routes:
- POST /api/auth/login (auth)
- GET /api/events (list)
- GET /api/events/{id} (detail)
- GET /api/events/{id}/categories (categories of event)
- GET /api/categories/{id}/billets (billets of category)
- GET /api/billets/{id} (billet detail with image)
- POST /api/scan (scan ticket: accepted/refused)
API is focused on: browse events → load categories → load billets → scan
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove POST /api/scan/verify (redundant with /api/scan)
- POST /api/scan now returns state: "accepted" or "refused" with reason
- Refused reasons: already_scanned, invalid, expired, exit_definitive, wrong_event
- Accepted response includes details object (for future additional data)
- Template: render extra section (refusal reasons table in red)
- Only 2 POST routes remain: /api/auth/login + /api/scan (all others are GET)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Returns all billet fields: name, description, priceHT, quantity, sold, type, isGeneratedBillet, hasDefinedExit, notBuyable, position
- Includes imageUrl (absolute URL to billet picture if present, null otherwise)
- Includes nested category (id, name) and event (id, title)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Security:
- Move env switcher logic to assets/modules/api-env-switcher.js (no inline script)
- Register in app.js via initApiEnvSwitcher()
- Compliant with CSP script-src (no unsafe-inline needed for this page)
API doc:
- Add CSP policy section showing all authorized origins per directive
- Table: script-src, connect-src, style-src, img-src, font-src, frame-src, form-action, object-src, worker-src
- Note: inline scripts not allowed, must use nonce or external file
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Toggle switch (Sandbox orange / Live green) in header section
- Switches update in real-time: base URL, description, all endpoint path prefixes
- Sandbox: /api/sandbox (orange), Live: /api/live (green)
- Auth endpoints (/api/auth/*) are not affected by the toggle
- No page reload needed, pure JS DOM updates
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
API doc:
- Add sandbox (/api/sandbox) and live (/api/live) environments with badges
- Auth (/api/auth/login) is shared between environments
- Endpoint paths show both prefixes: /api/sandbox|/api/live/...
- Auth endpoints show path without prefix
TASK_CHECKUP:
- Replace API key auth with JWT auth (ETicket-Email + ETicket-JWT headers)
- All routes use {env} prefix (sandbox/live)
- /mon-compte API tab redirects to /api/doc
- Sandbox: read-only mode (POST/PATCH/DELETE return result without DB modification)
- Mark documentation tasks as done
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Ansible: healthcheck via PHP container (curl from php, not libretranslate)
- Ansible: exit 0 if LibreTranslate not ready (don't block deploy)
- Ansible: ignore_errors on translation step (non-blocking)
- AccountControllerTest: add testEventQrCode (PNG response) and testEventQrCodeDeniedForOtherUser (403)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- TranslateCommand: increase waitForApi retries from 30 to 90 (3 minutes total)
- Ansible deploy: add explicit healthcheck wait step (60×5s = 5min max) before translation
- First launch downloads ~2-4GB of language models, needs more time
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Public event page:
- Share buttons: X (Twitter), Facebook, Instagram (copy link), TikTok (copy link), copy link
- Buttons use url_encode for share URLs with event title + URL
- Instagram/TikTok copy to clipboard (no direct share URL support)
- Consistent brutal design with aria-labels
Organizer dashboard:
- Share X, Facebook, copy link buttons per event in events list
- QR code download button per event
- Route /mon-compte/evenement/{id}/qrcode: generates 400px PNG QR code via Endroid
- QR code points to public event URL, downloaded as qrcode-{slug}.png
JS module:
- assets/modules/share.js: initShare() handles data-share-copy buttons
- Copies URL to clipboard, shows checkmark for 1.5s then restores icon
- 4 tests (no buttons, copy, checkmark restore, multiple buttons)
Social icons already displayed via _social_icons.html.twig component
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
