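# Symfony security configuration: three user entities, each with its own
# provider, and three application firewalls (etl, intranet, main) plus `dev`.
security:
    password_hashers:
        App\Entity\Account: 'auto'
        App\Entity\Customer: 'auto'
        App\Entity\Prestaire: 'auto'

    providers:
        # Account users, looked up by e-mail.
        app_account_provider:
            entity:
                class: App\Entity\Account
                property: email
        # Customer-specific provider.
        reserve_account_provider:
            entity:
                class: App\Entity\Customer
                property: email
        # Prestaire-specific provider (the entity loaded is App\Entity\Prestaire).
        etl_account_provider:
            entity:
                class: App\Entity\Prestaire
                property: email

    firewalls:
        # Profiler, debug toolbar and static assets bypass the security system.
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        etl:
            pattern: ^/(etl)
            lazy: true
            # Users of this firewall are loaded from App\Entity\Prestaire.
            provider: etl_account_provider
            user_checker: App\Security\UserChecker
            entry_point: App\Security\EtlAuthenticator
            form_login:
                login_path: etl_home
                check_path: etl_home
                enable_csrf: true
                csrf_token_id: authenticate
            custom_authenticator:
                - App\Security\EtlAuthenticator
            logout:
                # NOTE(review): `elt_logout` / `elt_home` differ from the `etl_home`
                # route used by form_login above; looks like a transposition typo.
                # Confirm both route names exist, otherwise logout cannot work.
                path: elt_logout
                target: elt_home

        intranet:
            pattern: ^/(intranet|crm|2fa)
            lazy: true
            # Users of this firewall are loaded from App\Entity\Account (admin).
            provider: app_account_provider
            user_checker: App\Security\UserChecker
            two_factor:
                auth_form_path: 2fa_login
                check_path: 2fa_login_check
                default_target_path: /
            entry_point: App\Security\LoginFormAuthenticator
            form_login:
                login_path: app_home
                check_path: app_home
                enable_csrf: true
                csrf_token_id: authenticate
            custom_authenticator:
                - App\Security\LoginFormAuthenticator
                - App\Security\KeycloakAuthenticator
            logout:
                path: app_logout
                target: app_home

        # --- MAIN FIREWALL (catch-all; customer accounts) ---
        # Every path not claimed by the firewalls above lands here. ^/crm is
        # handled by `intranet`, not by this firewall.
        main:
            pattern: ^/
            # Users of this firewall are loaded from App\Entity\Customer.
            provider: reserve_account_provider
            # Authenticator used as the entry point.
            entry_point: App\Security\CustomerAuthenticator
            custom_authenticator:
                - App\Security\CustomerAuthenticator
                - App\Security\FlowAuthenticator
            # Lets the user checker verify that the account is activated.
            user_checker: App\Security\UserChecker
            logout:
                path: reservation_logout
                # Redirects to the customer login after logout.
                target: reservation_login
            remember_me:
                secret: '%kernel.secret%'
                lifetime: 604800  # 7 days, in seconds

    role_hierarchy:
        # NOTE(review): ROLE_CLIENT_MAIN inherits ROLE_ADMIN and therefore
        # satisfies the ^/crm rule below; confirm that this is intended.
        ROLE_ROOT: [ROLE_ADMIN, ROLE_CLIENT_MAIN, ROLE_CUSTOMER]
        ROLE_CLIENT_MAIN: [ROLE_ADMIN, ROLE_CUSTOMER]

    # Only the first rule whose path matches is applied, so order matters.
    access_control:
        # The 2FA form and check path are reachable only while a two-factor
        # login is in progress (was PUBLIC_ACCESS, which exposed them to
        # anonymous requests). Any other route under /2fa that must be usable
        # after full login needs its own rule above this one.
        - { path: ^/2fa, roles: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        # Customer area (no firewall pattern names this path; it falls under `main`).
        - { path: ^/gestion-contrat, roles: [ROLE_CUSTOMER] }
        # CRM (this path is matched by the `intranet` firewall).
        - { path: ^/crm, roles: [ROLE_ADMIN] }
        # NOTE(review): ^/intranet and ^/etl have no rule of their own and fall
        # through to PUBLIC_ACCESS here; confirm their controllers enforce roles
        # themselves, or add explicit rules above this line.
        - { path: ^/, roles: PUBLIC_ACCESS }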