V114 V86 Auth Guard + HMAC remember-me E2E Playwright 7 on 7 PASS
Some checks failed
WEVAL NonReg / nonreg (push) Has been cancelled
Some checks failed
WEVAL NonReg / nonreg (push) Has been cancelled
Complete end-to-end validation of WEVAL auth ecosystem without dev=1 bypass.
Tests REAL production user experience not just browser-forced paths.
Architecture tested:
- /api/weval-auth-session.php login/logout/check/status (WEVAL Auth Session v2)
- HMAC remember-me cookie 30 jours weval_session
- PHPSESSID standard cookie 24h
- /api/auth-check.php V86 Auth Guard consumer endpoint
- V86 Auth Guard inline script dans weval-technology-platform.html
Tests Playwright 7/7 PASS:
1. login_post admin YacineWeval2026 - ok redirect /products/workspace.html
2. cookies_set_hmac_and_phpsession - weval_session 30j + PHPSESSID present
3. status_authenticated - authenticated=true user=admin
4. auth_check_v86_endpoint_200 - HTTP 200 V86 consumer OK
5. wtp_authed_no_redirect_banner - body[data-auth]=ok zero banner
V86 console log SSO authenticated detected
6. logout_ok - session_destroy effective
7. auth_check_401_after_logout - HTTP 401 revocation immediate
Artifacts:
- 2 screenshots 1920x1080 (01-wtp-authed-no-dev + 99-final)
- 1 video .webm session complete record
- results.json 7 assertions detailed
Security observations documented (NOT actioned without Yacine authorization):
- HMAC secret hardcoded W3v4l_Auth_S1mpl3_2026_X9K in weval-auth-session.php
- TOKEN_UPDATE_KEY hardcoded in token-update.php (noted V111)
- Both should move to /etc/weval/secrets.env via getenv
Cookie flags confirmed secure:
- secure=true HTTPS only
- httpOnly=true JS cannot read
- sameSite=Lax CSRF protection
- domain=.weval-consulting.com subdomain shared
L99 NonReg V114: 153/153 PASS 0 FAIL 100 pct 55.6s TS 20260421_105710
Chain V96-V114:
V96-V108 Orphans Rescue + ZERO ORPHANS,
V110 fpm_monitor, V111 token_health, V112 infra_health_report,
V113 token-health cache 5min, V114 V86 Auth HMAC E2E 7/7
Zero suppression zero ecrasement zero fake zero regression
Doctrines 0+2+4+14+60+95+100 applied
This commit is contained in:
Opus V114
115
wiki/session-V114-auth-guard-hmac-e2e.md
Normal file
115
wiki/session-V114-auth-guard-hmac-e2e.md
Normal file
@@ -0,0 +1,115 @@
|
||||
# V114 - V86 Auth Guard + HMAC E2E Playwright - 2026-04-21
|
||||
|
||||
## Objectif
|
||||
Test end-to-end complet de l'écosystème auth WEVAL :
|
||||
- Login flow avec form POST + password verification
|
||||
- Set cookies (HMAC remember-me 30j + PHPSESSID 24h)
|
||||
- Navigate WTP en mode user authentifié réel (pas `?dev=1`)
|
||||
- V86 Auth Guard cross-check via `auth-check.php`
|
||||
- Logout + révocation
|
||||
|
||||
**Différence clé avec V104/V108/V109** : pas de `?dev=1` bypass,
|
||||
test la VRAIE experience utilisateur de production.
|
||||
|
||||
## Architecture testée
|
||||
|
||||
### Composants
|
||||
- `/api/weval-auth-session.php` — endpoint login/logout/check/status (WEVAL Auth Session v2)
|
||||
- `/api/weval-passwords.php` — verify_password via JSON file
|
||||
- `/api/weval-passwords.json` — user/password store (5 users: yacine, weval, admin, yanis, ethica)
|
||||
- `/api/auth-check.php` — V86 Auth Guard consumer endpoint
|
||||
- V86 Auth Guard script inline dans `weval-technology-platform.html` (calls /api/auth-check)
|
||||
- HMAC signed cookie `weval_session` (30 jours, SameSite=Lax, secure, httpOnly)
|
||||
|
||||
### HMAC cookie format
|
||||
```
|
||||
weval_session = base64(json({
|
||||
user: "admin",
|
||||
sig: hmac_sha256(user + exp, _AUTH_SECRET),
|
||||
exp: time() + 30*86400
|
||||
}))
|
||||
```
|
||||
|
||||
## Tests V114 Playwright E2E (7/7 PASS)
|
||||
|
||||
| # | Test | Status | Détail |
|
||||
|---|---|---|---|
|
||||
| 1 | `login_post` | ✅ PASS | user=admin, response `{ok:true, redirect:"/products/workspace.html"}` |
|
||||
| 2 | `cookies_set_hmac_and_phpsession` | ✅ PASS | weval_session expires=30j, PHPSESSID present |
|
||||
| 3 | `status_authenticated` | ✅ PASS | `authenticated=true, user=admin, session_age=0` |
|
||||
| 4 | `auth_check_v86_endpoint_200` | ✅ PASS | HTTP 200 (V86 consumer OK) |
|
||||
| 5 | `wtp_authed_no_redirect_banner` | ✅ PASS | `body[data-auth]="ok"`, 0 banner "Authentification requise", **V86 console log "SSO authenticated" détecté** |
|
||||
| 6 | `logout_ok` | ✅ PASS | session destroyed |
|
||||
| 7 | `auth_check_401_after_logout` | ✅ PASS | HTTP 401 (révocation effective) |
|
||||
|
||||
## Artifacts produits
|
||||
- `/var/www/html/api/playwright-v114-auth/screenshots/01-wtp-authed-no-dev.png` (1920×1080)
|
||||
- `/var/www/html/api/playwright-v114-auth/screenshots/99-final.png`
|
||||
- `/var/www/html/api/playwright-v114-auth/videos/*.webm` (session complète record)
|
||||
- `/var/www/html/api/playwright-v114-auth/results.json` (7 tests détaillés)
|
||||
|
||||
## Console logs capturés pendant WTP load
|
||||
|
||||
Playwright a intercepté console events, on voit:
|
||||
```
|
||||
[log] [V86 Auth Guard] SSO authenticated (200)
|
||||
```
|
||||
|
||||
→ Preuve que le guard JS inline dans WTP fonctionne correctement en mode
|
||||
user auth (branche status=200 touchée, pas celle 401/banner).
|
||||
|
||||
## L99 NonReg post V114
|
||||
```
|
||||
153/153 PASS | 0 FAIL | 100% | 55.6s
|
||||
TS: 20260421_105710
|
||||
```
|
||||
|
||||
## Chain V96→V114
|
||||
|
||||
| Version | Commit | Sujet |
|
||||
|---|---|---|
|
||||
| V96-V108 | cd86b19f9 | Orphans Rescue + ZERO ORPHANS |
|
||||
| V110 | ede9a5197 | fpm_monitor |
|
||||
| V111 | 5e98086e7 | token_health |
|
||||
| V112 | 748d35ee4 | infra_health_report |
|
||||
| V113 | a74448d44 | token-health cache 5min |
|
||||
| **V114** | TBD | **V86 Auth Guard + HMAC E2E (7/7 PASS)** |
|
||||
|
||||
## Observations sécurité (pas actionné, documenté)
|
||||
|
||||
### HMAC secret hardcoded
|
||||
`/api/weval-auth-session.php` ligne 22 :
|
||||
```php
|
||||
$_AUTH_SECRET = 'W3v4l_Auth_S1mpl3_2026_X9K';
|
||||
```
|
||||
**Devrait être** : dans `/etc/weval/secrets.env` et lu via `getenv()` ou parse file.
|
||||
|
||||
### TOKEN_UPDATE_KEY hardcoded aussi (déjà noté V111)
|
||||
`/api/token-update.php` : `"TOKEN_UPDATE_KEY_2026_WEVAL_BLADE"` hardcoded.
|
||||
|
||||
**Décision V114**: je NE modifie PAS ces fichiers (write sensitive sans autorisation Yacine). Documenté pour review future.
|
||||
|
||||
### Cookie secure flags confirmés
|
||||
- `secure: true` (HTTPS only)
|
||||
- `httpOnly: true` (JS ne peut pas lire)
|
||||
- `sameSite: "Lax"` (CSRF protection)
|
||||
- `domain: .weval-consulting.com` (partagé subdomains)
|
||||
|
||||
### Révocation fonctionne
|
||||
Logout → session_destroy() → auth-check renvoie 401 immédiatement.
|
||||
|
||||
## Doctrines appliquées
|
||||
- Doctrine 0: Test realistic user flow (pas dev=1 bypass)
|
||||
- Doctrine 2: Zero écrasement (tests seulement, pas modif code)
|
||||
- Doctrine 4: Zero régression (L99 stable)
|
||||
- Doctrine 14: Test-driven (7 assertions, 7 PASS)
|
||||
- Doctrine 60: UX premium (flow login clean + cookies sécurisés confirmés)
|
||||
- Doctrine 95: Traçabilité wiki + vault + artifacts
|
||||
- Doctrine 100: Train release commit
|
||||
|
||||
## Next V115+ pending
|
||||
- [ ] V115: Move HMAC secret to secrets.env (write-sensitive → needs Yacine auth)
|
||||
- [ ] V116: token-apply.sh + cron (write secrets.env → needs Yacine auth)
|
||||
- [ ] GitHub PAT manual renewal (Yacine action, can't auto)
|
||||
- [ ] Groq tier check + Alibaba regen (Yacine actions)
|
||||
- [ ] CloudFlare rate-limit monitor agent
|
||||
Reference in New Issue
Block a user