security:
    providers:
        app_account_provider:
            entity:
                class: App\Entity\Account
                property: email

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            lazy: true
            provider: app_account_provider
            user_checker: App\Security\UserChecker

            # --- AJOUT DE LA CONFIGURATION 2FA ---
            two_factor:
                auth_form_path: 2fa_login    # Route d'affichage du formulaire
                check_path: 2fa_login_check # Route de soumission du code
            # -------------------------------------

            form_login:
                login_path: app_home
                check_path: app_home
                enable_csrf: true
                csrf_token_id: authenticate

            entry_point: App\Security\AuthenticationEntryPoint

            custom_authenticator:
                - App\Security\LoginFormAuthenticator
                - App\Security\KeycloakAuthenticator

            logout:
                path: app_logout # Assurez-vous d'utiliser 'path'
                target: app_home

    password_hashers:
        App\Entity\Account: 'auto'

    role_hierarchy:
        ROLE_ROOT: [ROLE_ADMIN,ROLE_CLIENT_MAIN]
        ROLE_CLIENT_MAIN: [ROLE_ADMIN]


    access_control:
        # Permettre l'accès aux pages 2FA même si on n'est pas encore pleinement "ROLE_ADMIN"
        - { path: ^/2fa, roles: PUBLIC_ACCESS }

        - { path: ^/crm, roles: [ROLE_ADMIN] }
        - { path: ^/, roles: PUBLIC_ACCESS }