fix: securisation du flow de dépot rapide d'offre

.talismanrc

@@ -22,7 +22,7 @@ fileignoreconfig:
 - filename: .infra/files/configs/mailpit/auth
   checksum: 0c02db6c367747bfd696e8c93ed78c456fe311452e7a4ee1d7d5acc88f3b2189
 - filename: .infra/files/configs/mongodb/seed.gpg
-  checksum: 3cb836a5c356c64ac6634c8aeb03b9737950a66ed61d9ae8f6b1528ad7b17434
+  checksum: e09bc952da0dbeb33331dc317980e6537dc4d37674ca08748246d4d093b82294
 - filename: .infra/vault/vault.yml
   checksum: 1a62fbc5e3e877b5241d59c61fda05a61b6c8bb4fb7f5662f2f1bc44c288782b
 - filename: server/.env.test

server/src/http/routes/auth/login.controller.ts

@@ -15,34 +15,23 @@ import { Server } from "../../server"
 
 export default (server: Server) => {
   server.post(
-    "/login/confirmation-email",
+    "/login/:userId/resend-confirmation-email",
     {
-      schema: zRoutes.post["/login/confirmation-email"],
-      preHandler: [],
+      schema: zRoutes.post["/login/:userId/resend-confirmation-email"],
+      onRequest: server.auth(zRoutes.post["/login/:userId/resend-confirmation-email"]),
     },
     async (req, res) => {
-      try {
-        const { email } = req.body
-        const formatedEmail = email.toLowerCase()
-        const user = await getUser({ email: formatedEmail })
-
-        if (!user) {
-          return res.status(400).send({ error: true, reason: "UNKNOWN" })
-        }
-
-        const { is_email_checked } = user
-
-        if (is_email_checked) {
-          return res.status(400).send({ error: true, reason: "VERIFIED" })
-        }
-        await sendUserConfirmationEmail(user)
-        return res.status(200).send({})
-      } catch (error) {
-        return res.status(400).send({
-          errorMessage: "l'adresse mail n'est pas valide.",
-          details: error,
-        })
+      const { userId } = req.params
+      const user = await getUser({ _id: userId })
+      if (!user) {
+        return res.status(400).send({ error: true, reason: "UNKNOWN" })
+      }
+      const { is_email_checked } = user
+      if (is_email_checked) {
+        return res.status(400).send({ error: true, reason: "VERIFIED" })
       }
+      await sendUserConfirmationEmail(user)
+      return res.status(200).send({})
     }
   )
 

server/src/http/routes/etablissementRecruteur.controller.ts

@@ -165,6 +165,7 @@ export default (server: Server) => {
             if (result.errorCode === BusinessErrorCodes.ALREADY_EXISTS) throw Boom.forbidden(result.message)
             else throw Boom.badRequest(result.message)
           }
+          await startSession(req.body.email, res)
           return res.status(200).send(result)
         }
         case CFA: {

server/src/http/routes/formulaire.controller.ts

@@ -31,6 +31,7 @@ export default (server: Server) => {
     "/formulaire/:establishment_id",
     {
       schema: zRoutes.get["/formulaire/:establishment_id"],
+      onRequest: [server.auth(zRoutes.get["/formulaire/:establishment_id"])],
     },
     async (req, res) => {
       const result = await getFormulaire({ establishment_id: req.params.establishment_id })
@@ -149,7 +150,7 @@ export default (server: Server) => {
     "/formulaire/:establishment_id/offre",
     {
       schema: zRoutes.post["/formulaire/:establishment_id/offre"],
-      // preHandler: [server.auth(zRoutes.post["/formulaire/:establishment_id/offre"])],
+      onRequest: [server.auth(zRoutes.post["/formulaire/:establishment_id/offre"])],
       bodyLimit: 5 * 1024 ** 2, // 5MB
     },
     async (req, res) => {
@@ -195,6 +196,7 @@ export default (server: Server) => {
     "/formulaire/offre/:jobId/delegation",
     {
       schema: zRoutes.post["/formulaire/offre/:jobId/delegation"],
+      onRequest: [server.auth(zRoutes.post["/formulaire/offre/:jobId/delegation"])],
     },
     async (req, res) => {
       const { etablissementCatalogueIds } = req.body

server/src/http/routes/user.controller.ts

@@ -1,6 +1,8 @@
 import Boom from "boom"
 import { IJob, getUserStatus, zRoutes } from "shared/index"
 
+import { stopSession } from "@/common/utils/session.service"
+
 import { Recruiter, UserRecruteur } from "../../common/model/index"
 import { getStaticFilePath } from "../../common/utils/getStaticFilePath"
 import config from "../../config"
@@ -170,6 +172,7 @@ export default (server: Server) => {
     "/user/status/:userId",
     {
       schema: zRoutes.get["/user/status/:userId"],
+      onRequest: [server.auth(zRoutes.get["/user/status/:userId"])],
     },
     async (req, res) => {
       const user = await UserRecruteur.findOne({ _id: req.params.userId }).lean()
@@ -282,7 +285,7 @@ export default (server: Server) => {
     "/user",
     {
       schema: zRoutes.delete["/user"],
-      preHandler: [],
+      onRequest: [server.auth(zRoutes.delete["/user"])],
     },
     async (req, res) => {
       const { userId, recruiterId } = req.query
@@ -292,7 +295,7 @@ export default (server: Server) => {
       if (recruiterId) {
         await deleteFormulaire(recruiterId)
       }
-
+      await stopSession(req, res)
       return res.status(200).send({})
     }
   )

server/src/security/authenticationService.ts

@@ -53,9 +53,11 @@ async function authCookieSession(req: FastifyRequest): Promise<UserWithType<"IUs
 
     const { email } = jwt.verify(token, config.auth.user.jwtSecret) as JwtPayload
 
-    const user = await getUserRecruteur({ email })
-
-    return user ? { type: "IUserRecruteur", value: user } : null
+    const user = await getUserRecruteur({ email: email.toLowerCase() })
+    if (!user) {
+      return null
+    }
+    return { type: "IUserRecruteur", value: user }
   } catch (error) {
     captureException(error)
     return null

shared/models/job.model.ts

@@ -88,3 +88,11 @@ export type IDelegation = z.output<typeof ZDelegation>
 export type IJob = z.output<typeof ZJob>
 export type IJobWritable = z.output<typeof ZJobWrite>
 export type IJobJson = Jsonify<z.input<typeof ZJob>>
+
+export const ZNewDelegations = z
+  .object({
+    etablissementCatalogueIds: z.array(z.string()),
+  })
+  .strict()
+
+export type INewDelegations = z.input<typeof ZNewDelegations>

shared/models/usersRecruteur.model.ts

@@ -8,14 +8,12 @@ import { ZGlobalAddress } from "./address.model"
 import { zObjectId } from "./common"
 
 const etatUtilisateurValues = Object.values(ETAT_UTILISATEUR)
+export const ZEtatUtilisateur = z.enum([etatUtilisateurValues[0], ...etatUtilisateurValues.slice(1)]).describe("Statut de l'utilisateur")
 
 export const ZUserStatusValidation = z
   .object({
     validation_type: z.enum(["AUTOMATIQUE", "MANUELLE"]).describe("Processus de validation lors de l'inscription de l'utilisateur"),
-    status: z
-      .enum([etatUtilisateurValues[0], ...etatUtilisateurValues.slice(1)])
-      .nullish()
-      .describe("Statut de l'utilisateur"),
+    status: ZEtatUtilisateur.nullish(),
     reason: z.string().nullish().describe("Raison du changement de statut"),
     user: z.string().describe("Utilisateur ayant effectué la modification | SERVEUR si le compte a été validé automatiquement"),
     date: z.date().nullish().describe("Date de l'évènement"),

shared/routes/formulaire.route.ts

@@ -10,15 +10,19 @@ export const zFormulaireRoute = {
     "/formulaire/:establishment_id": {
       method: "get",
       path: "/formulaire/:establishment_id",
-      // TODO_SECURITY_FIX gestion des permissions
-      // TODO_SECURITY_FIX session gérée par cookie server
       params: z.object({ establishment_id: z.string() }).strict(),
       response: {
         // TODO ANY TO BE FIXED
         "200": z.any(),
         // "2xx": ZRecruiter,
       },
-      securityScheme: null,
+      securityScheme: {
+        auth: "cookie-session",
+        access: "recruiter:manage",
+        ressources: {
+          recruiter: [{ establishment_id: { type: "params", key: "establishment_id" } }],
+        },
+      },
     },
     "/formulaire/offre/f/:jobId": {
       method: "get",
@@ -63,7 +67,6 @@ export const zFormulaireRoute = {
     "/formulaire/:establishment_id/offre": {
       method: "post",
       path: "/formulaire/:establishment_id/offre",
-      // TODO_SECURITY_FIX gestion des permissions
       // TODO_SECURITY_FIX limiter les champs autorisés à la modification. Utiliser un "ZRecruiterNew" (ou un autre nom du genre ZFormulaire)
       params: z.object({ establishment_id: z.string() }).strict(),
       // TODO nonstrict TO BE FIXED on the frontend
@@ -73,13 +76,17 @@ export const zFormulaireRoute = {
         // "2xx": ZRecruiter,
         "200": z.any(),
       },
-      securityScheme: null,
+      securityScheme: {
+        auth: "cookie-session",
+        access: "recruiter:add_job",
+        ressources: {
+          recruiter: [{ establishment_id: { type: "params", key: "establishment_id" } }],
+        },
+      },
     },
     "/formulaire/offre/:jobId/delegation": {
       method: "post",
       path: "/formulaire/offre/:jobId/delegation",
-      // TODO_SECURITY_FIX gestion des permissions
-      // TODO_SECURITY_FIX session gérée par cookie server
       params: z.object({ jobId: zObjectId }).strict(),
       body: z
         .object({
@@ -88,10 +95,16 @@ export const zFormulaireRoute = {
         .strict(),
       response: {
         // TODO ANY TO BE FIXED
-        "2xx": z.any(),
+        "200": z.any(),
         // "2xx": ZRecruiter,
       },
-      securityScheme: null,
+      securityScheme: {
+        auth: "cookie-session",
+        access: "job:manage",
+        ressources: {
+          job: [{ _id: { type: "params", key: "jobId" } }],
+        },
+      },
     },
   },
   put: {

shared/routes/index.ts

@@ -61,19 +61,27 @@ const zRoutesGet: typeof zRoutesGetP1 & typeof zRoutesGetP2 & typeof zRoutesGetP
   ...zRoutesGetP3,
 } as const
 
-const zRoutesPost = {
+const zRoutesPost1 = {
   ...zApplicationRoutes.post,
   ...zLoginRoutes.post,
   ...zTrainingLinksRoutes.post,
   ...zUnsubscribeRoute.post,
   ...zUserRecruteurRoutes.post,
   ...zV1JobsRoutes.post,
+} as const
+
+const zRoutesPost2 = {
   ...zFormulaireRoute.post,
   ...zRecruiterRoutes.post,
   ...zCampaignWebhookRoutes.post,
   ...zEtablissementRoutes.post,
   ...zAppointmentsRoute.post,
   ...zEmailsRoutes.post,
+}
+
+const zRoutesPost = {
+  ...zRoutesPost1,
+  ...zRoutesPost2,
 } as const
 
 const zRoutesPut = {

shared/routes/login.routes.ts

@@ -1,23 +1,29 @@
 import { z } from "../helpers/zodWithOpenApi"
 import { ZUserRecruteurPublic } from "../models"
+import { zObjectId } from "../models/common"
 
 import { IRoutesDef } from "./common.routes"
 
 export const zLoginRoutes = {
   post: {
-    "/login/confirmation-email": {
+    "/login/:userId/resend-confirmation-email": {
       method: "post",
-      path: "/login/confirmation-email",
-      // TODO_SECURITY_FIX faire en sorte que le lien magique ne soit pas human readable. Rename en /resend-confirmation-email
-      body: z
+      path: "/login/:userId/resend-confirmation-email",
+      params: z
         .object({
-          email: z.string().email(),
+          userId: zObjectId,
         })
         .strict(),
       response: {
         "200": z.object({}).strict(),
       },
-      securityScheme: null,
+      securityScheme: {
+        auth: "cookie-session",
+        access: "user:manage",
+        ressources: {
+          user: [{ _id: { key: "userId", type: "params" } }],
+        },
+      },
     },
     "/login/magiclink": {
       method: "post",

shared/routes/recruiters.routes.ts

@@ -156,7 +156,7 @@ export const zRecruiterRoutes = {
       ]),
       response: {
         // TODO ANY TO BE FIXED
-        "2xx": z.any(),
+        "200": z.any(),
         // "2xx": z.union([
         //   z
         //     .object({

shared/routes/user.routes.ts

@@ -1,6 +1,6 @@
 import { z } from "../helpers/zodWithOpenApi"
 import { zObjectId } from "../models/common"
-import { ZUserRecruteur, ZUserRecruteurWritable, ZUserStatusValidation } from "../models/usersRecruteur.model"
+import { ZEtatUtilisateur, ZUserRecruteur, ZUserRecruteurWritable, ZUserStatusValidation } from "../models/usersRecruteur.model"
 
 import { IRoutesDef, ZResError } from "./common.routes"
 
@@ -115,10 +115,19 @@ export const zUserRecruteurRoutes = {
         })
         .strict(),
       response: {
-        // TODO ANY TO BE FIXED
-        "200": z.any(),
+        "200": z
+          .object({
+            status_current: ZEtatUtilisateur,
+          })
+          .strict(),
+      },
+      securityScheme: {
+        auth: "cookie-session",
+        access: "user:manage",
+        ressources: {
+          user: [{ _id: { type: "params", key: "userId" } }],
+        },
       },
-      securityScheme: null,
     },
   },
   post: {
@@ -204,8 +213,6 @@ export const zUserRecruteurRoutes = {
     "/user": {
       method: "delete",
       path: "/user",
-      // TODO_SECURITY_FIX session et cookie + permissions
-      // TODO return json format
       querystring: z
         .object({
           userId: zObjectId,
@@ -215,7 +222,22 @@ export const zUserRecruteurRoutes = {
       response: {
         "200": z.object({}).strict(),
       },
-      securityScheme: null,
+      securityScheme: {
+        auth: "cookie-session",
+        access: "recruiter:manage",
+        ressources: {
+          user: [
+            {
+              _id: { type: "query", key: "userId" },
+            },
+          ],
+          recruiter: [
+            {
+              _id: { type: "query", key: "recruiterId" },
+            },
+          ],
+        },
+      },
     },
     "/admin/users/:userId": {
       method: "delete",