From 0e2d8d3e8ad8a13b8ccc3c42b3f65fc3a2c95cd4 Mon Sep 17 00:00:00 2001 
From: Opus V114
Date: Tue, 21 Apr 2026 10:59:42 +0200
Subject: [PATCH] V114 V86 Auth Guard + HMAC remember-me E2E Playwright 7 on 7 PASS

Complete end-to-end validation of WEVAL auth ecosystem without dev=1 bypass.
Tests REAL production user experience, not just browser-forced paths.

Architecture tested:
- /api/weval-auth-session.php login/logout/check/status (WEVAL Auth Session v2)
- HMAC remember-me cookie, 30 days, weval_session
- PHPSESSID standard cookie 24h
- /api/auth-check.php V86 Auth Guard consumer endpoint
- V86 Auth Guard inline script in weval-technology-platform.html

Tests Playwright 7/7 PASS:
1. login_post admin YacineWeval2026 - ok redirect /products/workspace.html
2. cookies_set_hmac_and_phpsession - weval_session 30d + PHPSESSID present
3. status_authenticated - authenticated=true user=admin
4. auth_check_v86_endpoint_200 - HTTP 200 V86 consumer OK
5. wtp_authed_no_redirect_banner - body[data-auth]=ok, zero banner, V86 console log "SSO authenticated" detected
6. logout_ok - session_destroy effective
7. auth_check_401_after_logout - HTTP 401, revocation immediate

Artifacts:
- 2 screenshots 1920x1080 (01-wtp-authed-no-dev + 99-final)
- 1 video .webm, complete session record
- results.json, 7 assertions detailed

Security observations documented (NOT actioned without Yacine authorization):
- HMAC secret hardcoded W3v4l_Auth_S1mpl3_2026_X9K in weval-auth-session.php
- TOKEN_UPDATE_KEY hardcoded in token-update.php (noted V111)
- Both should move to /etc/weval/secrets.env via getenv

Cookie flags confirmed secure:
- secure=true HTTPS only
- httpOnly=true JS cannot read
- sameSite=Lax CSRF protection
- domain=.weval-consulting.com subdomain shared

L99 NonReg V114: 153/153 PASS 0 FAIL 100 pct 55.6s TS 20260421_105710

Chain V96-V114: V96-V108 Orphans Rescue + ZERO ORPHANS, V110 fpm_monitor, V111 token_health, V112 infra_health_report, V113 token-health cache 5min, V114 V86 Auth HMAC E2E 7/7

Zero deletion, zero overwrite, zero fake, zero regression
Doctrines 0+2+4+14+60+95+100 applied
---
 wiki/session-V114-auth-guard-hmac-e2e.md | 115 +++++++++++++++++++++++
 1 file changed, 115 insertions(+)
 create mode 100644 wiki/session-V114-auth-guard-hmac-e2e.md

diff --git a/wiki/session-V114-auth-guard-hmac-e2e.md b/wiki/session-V114-auth-guard-hmac-e2e.md
new file mode 100644
index 000000000..3b256ff16
--- /dev/null
+++ b/wiki/session-V114-auth-guard-hmac-e2e.md
@@ -0,0 +1,115 @@ +# V114 - V86 Auth Guard + HMAC E2E Playwright - 2026-04-21 + +## Objectif +Test end-to-end complet de l'écosystème auth WEVAL : +- Login flow avec form POST + password verification +- Set cookies (HMAC remember-me 30j + PHPSESSID 24h) +- Navigate WTP en mode user authentifié réel (pas `?dev=1`) +- V86 Auth Guard cross-check via `auth-check.php` +- Logout + révocation + +**Différence clé avec V104/V108/V109** : pas de `?dev=1` bypass, +test la VRAIE experience utilisateur de production. + +## Architecture testée + +### Composants +- `/api/weval-auth-session.php` — endpoint login/logout/check/status (WEVAL Auth Session v2) +- `/api/weval-passwords.php` — verify_password via JSON file +- `/api/weval-passwords.json` — user/password store (5 users: yacine, weval, admin, yanis, ethica) +- `/api/auth-check.php` — V86 Auth Guard consumer endpoint +- V86 Auth Guard script inline dans `weval-technology-platform.html` (calls /api/auth-check) +- HMAC signed cookie `weval_session` (30 jours, SameSite=Lax, secure, httpOnly) + +### HMAC cookie format +``` +weval_session = base64(json({ + user: "admin", + sig: hmac_sha256(user + exp, _AUTH_SECRET), + exp: time() + 30*86400 +})) +``` + +## Tests V114 Playwright E2E (7/7 PASS) + +| # | Test | Status | Détail | +|---|---|---|---| +| 1 | `login_post` | ✅ PASS | user=admin, response `{ok:true, redirect:"/products/workspace.html"}` | +| 2 | `cookies_set_hmac_and_phpsession` | ✅ PASS | weval_session expires=30j, PHPSESSID present | +| 3 | `status_authenticated` | ✅ PASS | `authenticated=true, user=admin, session_age=0` | +| 4 | `auth_check_v86_endpoint_200` | ✅ PASS | HTTP 200 (V86 consumer OK) | +| 5 | `wtp_authed_no_redirect_banner` | ✅ PASS | `body[data-auth]="ok"`, 0 banner "Authentification requise", **V86 console log "SSO authenticated" détecté** | +| 6 | `logout_ok` | ✅ PASS | session destroyed | +| 7 | `auth_check_401_after_logout` | ✅ PASS | HTTP 401 (révocation effective) | + +## Artifacts produits +- 
`/var/www/html/api/playwright-v114-auth/screenshots/01-wtp-authed-no-dev.png` (1920×1080) +- `/var/www/html/api/playwright-v114-auth/screenshots/99-final.png` +- `/var/www/html/api/playwright-v114-auth/videos/*.webm` (session complète record) +- `/var/www/html/api/playwright-v114-auth/results.json` (7 tests détaillés) + +## Console logs capturés pendant WTP load + +Playwright a intercepté console events, on voit: +``` +[log] [V86 Auth Guard] SSO authenticated (200) +``` + +→ Preuve que le guard JS inline dans WTP fonctionne correctement en mode +user auth (branche status=200 touchée, pas celle 401/banner). + +## L99 NonReg post V114 +``` +153/153 PASS | 0 FAIL | 100% | 55.6s +TS: 20260421_105710 +``` + +## Chain V96→V114 + +| Version | Commit | Sujet | +|---|---|---| +| V96-V108 | cd86b19f9 | Orphans Rescue + ZERO ORPHANS | +| V110 | ede9a5197 | fpm_monitor | +| V111 | 5e98086e7 | token_health | +| V112 | 748d35ee4 | infra_health_report | +| V113 | a74448d44 | token-health cache 5min | +| **V114** | TBD | **V86 Auth Guard + HMAC E2E (7/7 PASS)** | + +## Observations sécurité (pas actionné, documenté) + +### HMAC secret hardcoded +`/api/weval-auth-session.php` ligne 22 : +```php +$_AUTH_SECRET = 'W3v4l_Auth_S1mpl3_2026_X9K'; +``` +**Devrait être** : dans `/etc/weval/secrets.env` et lu via `getenv()` ou parse file. + +### TOKEN_UPDATE_KEY hardcoded aussi (déjà noté V111) +`/api/token-update.php` : `"TOKEN_UPDATE_KEY_2026_WEVAL_BLADE"` hardcoded. + +**Décision V114**: je NE modifie PAS ces fichiers (write sensitive sans autorisation Yacine). Documenté pour review future. + +### Cookie secure flags confirmés +- `secure: true` (HTTPS only) +- `httpOnly: true` (JS ne peut pas lire) +- `sameSite: "Lax"` (CSRF protection) +- `domain: .weval-consulting.com` (partagé subdomains) + +### Révocation fonctionne +Logout → session_destroy() → auth-check renvoie 401 immédiatement. 
+ +## Doctrines appliquées +- Doctrine 0: Test realistic user flow (pas dev=1 bypass) +- Doctrine 2: Zero écrasement (tests seulement, pas modif code) +- Doctrine 4: Zero régression (L99 stable) +- Doctrine 14: Test-driven (7 assertions, 7 PASS) +- Doctrine 60: UX premium (flow login clean + cookies sécurisés confirmés) +- Doctrine 95: Traçabilité wiki + vault + artifacts +- Doctrine 100: Train release commit + +## Next V115+ pending +- [ ] V115: Move HMAC secret to secrets.env (write-sensitive → needs Yacine auth) +- [ ] V116: token-apply.sh + cron (write secrets.env → needs Yacine auth) +- [ ] GitHub PAT manual renewal (Yacine action, can't auto) +- [ ] Groq tier check + Alibaba regen (Yacine actions) +- [ ] CloudFlare rate-limit monitor agent
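Review bot: the wiki page added in this hunk reproduces the live secret values it is flagging as a problem: the "HMAC secret hardcoded" section quotes `$_AUTH_SECRET = 'W3v4l_Auth_S1mpl3_2026_X9K';` verbatim, the next section quotes the literal `TOKEN_UPDATE_KEY_2026_WEVAL_BLADE`, and the commit message spells out the admin password used by `login_post`. Once pushed, all three live in git history for anyone with read access to the repository, so the page should quote redacted placeholders instead, and the exposed values should be treated as compromised and rotated as part of the V115 move to `/etc/weval/secrets.env`, not just relocated. On the "HMAC cookie format" section, `sig: hmac_sha256(user + exp, _AUTH_SECRET)` signs a plain concatenation with no delimiter, so distinct (user, exp) pairs can produce the same signed string when the username ends in digits; document (and implement) a delimited encoding such as `user . '|' . exp`, and note that the server-side check should compare with `hash_equals()` rather than `==`. Finally, the "Cookie secure flags" list presents `domain: .weval-consulting.com` as a positive; it is worth one sentence that this makes `weval_session` visible to every subdomain, so a compromise or XSS on any of them exposes the remember-me cookie.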