e-ticket

Author	SHA1	Message	Date
Serreau Jovann	2e01f1f4c0	Add sandbox/live environments to API doc, update TASK_CHECKUP for JWT auth API doc: - Add sandbox (/api/sandbox) and live (/api/live) environments with badges - Auth (/api/auth/login) is shared between environments - Endpoint paths show both prefixes: /api/sandbox\|/api/live/... - Auth endpoints show path without prefix TASK_CHECKUP: - Replace API key auth with JWT auth (ETicket-Email + ETicket-JWT headers) - All routes use {env} prefix (sandbox/live) - /mon-compte API tab redirects to /api/doc - Sandbox: read-only mode (POST/PATCH/DELETE return result without DB modification) - Mark documentation tasks as done Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-23 18:58:17 +01:00
Serreau Jovann	6b009a4511	Add social sharing buttons and QR code for events Public event page: - Share buttons: X (Twitter), Facebook, Instagram (copy link), TikTok (copy link), copy link - Buttons use url_encode for share URLs with event title + URL - Instagram/TikTok copy to clipboard (no direct share URL support) - Consistent brutal design with aria-labels Organizer dashboard: - Share X, Facebook, copy link buttons per event in events list - QR code download button per event - Route /mon-compte/evenement/{id}/qrcode: generates 400px PNG QR code via Endroid - QR code points to public event URL, downloaded as qrcode-{slug}.png JS module: - assets/modules/share.js: initShare() handles data-share-copy buttons - Copies URL to clipboard, shows checkmark for 1.5s then restores icon - 4 tests (no buttons, copy, checkmark restore, multiple buttons) Social icons already displayed via _social_icons.html.twig component Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-23 15:11:53 +01:00
Serreau Jovann	04927ec988	Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization Billetterie: - Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration) - Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction - Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set - Disable checkout when event ended (server 400 + template hide) - Webhook deduplication via cache (24h TTL on stripe event.id) - Email validation (filter_var) in OrderController guest flow - JSON cart validation (structure check before processing) - Invitation expiration after 7 days (isExpired method + landing page message) - Stripe Checkout fallback when JS fails to load (noscript + redirect) Config externalization: - Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml - Replace all hardcoded contact@e-cosplay.fr across 13 files - MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin UX & Accessibility: - ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End) - aria-label on cart +/- buttons and editor toolbar buttons - tabindex=0 on editor toolbar buttons for keyboard access - data-confirm handler in app.js (was only in admin.js) - Cart error feedback on checkout failure - Billet designer save feedback (loading/success/error states) - Stock polling every 30s with rupture/low stock badges - Back to event link on payment page Security: - HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed - Stripe polling timeout (15s max) with fallback redirect - Rate limiting on public order access (20/5min) - .catch() on all fetch() calls (sortable, billet-designer) Tests (92% PHP, 100% JS lines): - PCOV added to dev Dockerfile - Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key - Rate limiter disabled in test env - Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js - New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4) - New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest - New tests: Stripe webhook payment_failed (6) + charge.refunded (6) - New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration - JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9) - ESLint + PHP CS Fixer: 0 errors - SonarQube exclusions aligned with vitest coverage config Infra: - Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am - MeilisearchService: getAllDocumentIds(), listIndexes() Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-23 11:14:06 +01:00
Serreau Jovann	61200adc74	Add stock management, order notifications, webhooks, expiration cron, and billet type validation - Decrement billet quantity after purchase in BilletOrderService::generateOrderTickets - Block purchase when stock is exhausted (quantity <= 0) in OrderController::buildOrderItems - Add organizer email notification on new order (order_notification_orga template) - Add organizer email notification on cancel/refund (order_cancelled_orga template) - Add ExpirePendingOrdersCommand (app:orders:expire-pending) cron every 5min via Ansible - Cancels pending orders older than 30 minutes, restores stock, invalidates tickets - Includes BilletBuyerRepository::findExpiredPending query method - 3 unit tests covering: no expired orders, stock restoration, unlimited billets - Add payment_intent.payment_failed webhook: cancels order, logs audit, emails buyer - Add charge.refunded webhook: sets order to refunded, invalidates tickets, notifies orga and buyer - Validate billet type (billet/reservation_brocante/vote) against organizer offer - getAllowedBilletTypes: gratuit=billet only, basic/sur-mesure=all types - Server-side validation in hydrateBilletFromRequest, UI filtering in templates - Update TASK_CHECKUP.md: all Billetterie & Commandes items now complete Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-23 00:12:30 +01:00
Serreau Jovann	f03b33ac5a	Mark invitation Stripe block as not needed (invitations are free, no payment) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 22:50:18 +01:00
Serreau Jovann	517e31f2f7	Auto-login after invitation registration, redirect to /mon-compte Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 22:49:41 +01:00
Serreau Jovann	ef06066794	Show clear error and redirect to login on duplicate email registration Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 22:34:18 +01:00
Serreau Jovann	36db3fc25d	Notify admin when organizer accepts or refuses invitation Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 22:33:04 +01:00
Serreau Jovann	80b48b9dbf	Add financial dashboard for organizer in payouts tab - 6 KPIs: encaissé, en attente, remboursé, com E-Ticket, com Stripe, net perçu - Calculated from all orders linked to organizer's events - Displayed above export buttons and payouts table Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 22:23:59 +01:00
Serreau Jovann	141871af1f	Mark payouts tab as already done in TASK_CHECKUP Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 22:19:22 +01:00
Serreau Jovann	608b746989	Add monthly export CSV + PDF for admin and organizers - ExportService: monthly stats query, CSV generation, PDF generation via dompdf - Admin: /admin/export/{year}/{month} (CSV) + /admin/export/{year}/{month}/pdf - Orga: /mon-compte/export/{year}/{month} (CSV) + /mon-compte/export/{year}/{month}/pdf - Admin CSV: commande, date, événement, orga, acheteur, billets, total HT, com E-Ticket, com Stripe - Orga CSV: + net perçu column - PDF A4 landscape: KPIs + orders table with commissions breakdown - Buttons in admin dashboard and orga payouts tab (current + previous month) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 22:16:55 +01:00
Serreau Jovann	47916f5f30	Add admin dashboard stats: CA, commissions E-Ticket/Stripe, orders, billets, orgas Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 22:09:16 +01:00
Serreau Jovann	94ebe09181	Enforce sub-account permissions on events and tickets routes - SubAccountPermissionSubscriber: checks events/tickets permissions for sub-accounts - Blocks access with redirect + flash error if permission missing - Hide events/subaccounts/payouts tabs for sub-accounts without permission - 5 tests: non-sub-account, blocked events, allowed events, blocked tickets Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 22:05:16 +01:00
Serreau Jovann	6db0566f69	Add admin orders page with search, status filter, KPIs - /admin/commandes: paginated list of all orders - Search by order number, name, email - Filter by status (pending, paid, cancelled, refunded) - 4 KPIs: paid count, CA total HT, refunded count, cancelled count - Table: order number, buyer, event, billets, total, date, status badges - Navigation link 'Commandes' in admin header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 21:25:32 +01:00
Serreau Jovann	372bf46136	Add organizer suspension: toggle, badge, block access, audit log - User.isSuspended (nullable bool, null = not suspended) - Admin: toggle suspend/reactivate button on organizers list - SuspendedUserSubscriber: redirects suspended users to homepage with error - Audit log: organizer_suspended / organizer_reactivated - Badge 'Suspendu' (red) replaces offer badge when suspended Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 20:53:46 +01:00
Serreau Jovann	64d0a6fd29	Mark admin edit offer/commission as done, add sub-account permissions verification task Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 20:49:23 +01:00
Serreau Jovann	66ac2379ec	Add audit trail: AuditLog entity, AuditService, admin logs page - AuditLog entity: action, entityType, entityId, data (JSON), performedBy, ipAddress - AuditService: logs actions with current user and IP - Audit on: order_created, order_paid, order_cancelled, order_refunded - Admin /admin/logs: paginated table with action badges, details, user, IP - Navigation link 'Logs' in admin header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 20:48:10 +01:00
Serreau Jovann	6ae9b1c7ff	Add brocantes and vote to Basic offer, add billet type verification task Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 20:39:39 +01:00
Serreau Jovann	d4941c6c23	Redesign /tarifs page: 3 offers (free/basic 20EUR/mo/custom), commissions table, examples - Free: 0 EUR, 1 event, billets standards - Basic: 20 EUR/mois, events illimites, PDF, invitations - Sur-mesure: sur devis, design personnalise, brocantes, vote - Commission examples table: 1, 2, 5, 10, 15, 20 EUR - Stripe fees + E-Ticket fees breakdown - Includes section with 6 feature cards - Neo-brutalist design matching the rest of the app Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 20:36:26 +01:00
Serreau Jovann	e5a63b1a33	Add search bar on homepage hero section, redirects to /evenements Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 20:33:47 +01:00
Serreau Jovann	44845b6313	Add city and date filters on /evenements page - City filter: LIKE search on event.city - Date filter: events starting on selected date - Combines with Meilisearch text search - Labels on filter inputs, clear button when any filter active Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 20:32:51 +01:00
Serreau Jovann	830e3359d9	Fix billet preview iframe overflow on mobile, mark responsive check done - Preview iframe: overflow-x-auto container instead of fixed overflow - All public pages verified for 320px: flex-wrap, responsive breakpoints OK Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 20:29:40 +01:00
Serreau Jovann	1db878dfd4	Add og:url, Twitter Card meta, og:type event on detail page - base.html.twig: add og:url (dynamic), twitter:card, twitter:title, twitter:description - event_detail: og:type = event - All public pages already have title + description blocks that propagate to OG Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 20:24:18 +01:00
Serreau Jovann	281835ee0d	Add CA global, commission E-Ticket and Stripe to admin dashboard task Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 20:15:10 +01:00
Serreau Jovann	0e79c65966	Optimize N+1 queries: batch billets, soldCounts, paid orders with items - AccountController: single query for all billets by categories, single GROUP BY query for sold counts, eager-load items on paid orders - HomeController: single query for all buyable billets of active categories Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 20:13:31 +01:00
Serreau Jovann	0772e618da	Mark Meilisearch cache invalidation as done (already handled by EventIndexService) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 20:09:11 +01:00
Serreau Jovann	25033c29a0	Add automatic CSRF protection on all POST forms - CsrfProtectionSubscriber: auto-injects hidden _csrf_token in HTML responses, auto-verifies on POST requests - Excludes: webhooks, JSON APIs, login (has its own CSRF) - 9 tests covering all cases (GET, excluded, JSON, no token, invalid, valid, inject, non-HTML) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 20:08:02 +01:00
Serreau Jovann	36456e8dfe	Add rate limiting on login, order, invitation, contact routes - Login: 5 attempts / 15 min (Symfony login_throttling) - Order create: 10 / 5 min (sliding window) - Invitation respond/register: 5 / 15 min - Contact form: 3 / 10 min - RateLimiterSubscriber with route-to-limiter mapping - Returns 429 when rate limited Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 20:01:01 +01:00
Serreau Jovann	207e985821	Add Messenger monitor command, uploads backup, hourly cron - MonitorMessengerCommand: checks failed messages, emails admin with details - Backup script: add /public/uploads tar.gz alongside DB dump - Ansible: cron every hour for messenger monitor - TASK_CHECKUP: mark infrastructure tasks done Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 19:55:35 +01:00
Serreau Jovann	30eceeccf9	Add database backup cron every 30 minutes via Ansible - backup.sh.j2: pg_dump via Docker, gzip, 7 days retention - deploy.yml: create backup dir, deploy script, configure cron - TASK_CHECKUP: mark backup as done Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 19:52:52 +01:00
Serreau Jovann	b7b56ed35a	Add dynamic events to sitemap (online + not secret), update TASK_CHECKUP - Sitemap: list all online non-secret events with images - Fix event/orga page counts in sitemap index - TASK_CHECKUP: mark sitemap done, remove health check, captcha, E2E tests, simplify crons to backups only Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 19:51:34 +01:00
Serreau Jovann	8e0177463b	Remove captcha task from TASK_CHECKUP Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 19:49:21 +01:00
Serreau Jovann	063b02dfe9	Simplify API section: scanner only (login, events, scan) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 19:48:11 +01:00
Serreau Jovann	7dc6d4b01f	Add API section to TASK_CHECKUP: login, events, scan, stats Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 19:47:43 +01:00
Serreau Jovann	244717a0d0	Add task: block invitations if Stripe not validated Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 19:46:37 +01:00
Serreau Jovann	80aa2a19d6	Remove Billets & Scan section from TASK_CHECKUP (deferred) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 19:45:46 +01:00
Serreau Jovann	048999c26c	Add TASK_CHECKUP.md with all pending tasks and improvements Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-22 19:44:44 +01:00

37 Commits