More robust

2026-03-27 20:14:11 +01:00
parent 75ec966435
commit 68c547ddcb
25 changed files with 474 additions and 224 deletions
--- a/app/Controllers/AssetController.php
+++ b/app/Controllers/AssetController.php
@@ -18,8 +18,6 @@ class AssetController extends BaseController
            return;
        }

-        $this->f3->expire(86400); // 24 h côté navigateur
-
        echo Web::instance()->minify(
            $file,
            self::ALLOWED[$file],
--- a/app/Controllers/AuthController.php
+++ b/app/Controllers/AuthController.php
@@ -4,15 +4,19 @@ declare(strict_types=1);

 class AuthController extends BaseController
 {
+    public function beforeRoute(): void
+    {
+        $this->disableCache();
+    }
+
    public function show(): void
    {
        if ($this->currentUser() !== null) {
-            $this->f3->reroute($this->f3->alias('dashboard'));
+            $this->f3->reroute('@dashboard');
            return;
        }

-        $this->f3->expire(0);
-        $this->render('auth/login.html', ['pageTitle' => 'Connexion']);
+        $this->renderSession('auth/login.html', ['pageTitle' => 'Connexion'], true);
    }

    public function login(): void
@@ -26,22 +30,24 @@ class AuthController extends BaseController
        if ($user === null || !password_verify($password, $user['password_hash'])) {
            usleep(1_500_000); // 1,5 s — ralentit le brute-force
            $this->flash('error', 'Identifiants invalides.');
-            $this->f3->reroute($this->f3->alias('login'));
+            $this->f3->reroute('@login');
            return;
        }

        session_regenerate_id(true);
        $this->f3->set('SESSION.user_id', $user['id']);
+        $this->refreshCsrfToken();
        $this->flash('success', 'Connexion réussie.');
-        $this->f3->reroute($this->f3->alias('dashboard'));
+        $this->f3->reroute('@dashboard');
    }

    public function logout(): void
    {
        $this->verifyCsrf();
        $this->f3->clear('SESSION.user_id');
+        $this->f3->clear('SESSION.csrf_token');
        session_regenerate_id(true);
        $this->flash('success', 'Déconnexion effectuée.');
-        $this->f3->reroute($this->f3->alias('home'));
+        $this->f3->reroute('@login');
    }
 }
--- a/app/Controllers/BaseController.php
+++ b/app/Controllers/BaseController.php
@@ -13,13 +13,31 @@ abstract class BaseController
        $this->db = $this->f3->get('DB');
    }

-    protected function render(string $view, array $data = []): void
+    protected function renderPublic(string $view, array $data = []): void
    {
+        $user = $this->currentUser();
+
        $this->f3->mset($data + [
-            'view'        => $view,
+            'view' => $view,
+            'currentUser' => $user,
+            'flash' => array_key_exists('flash', $data) && is_array($data['flash']) ? $data['flash'] : null,
+            'csrfToken' => $user !== null ? $this->csrfToken() : null,
+        ]);
+
+        echo Template::instance()->render('layout.html');
+    }
+
+    protected function renderSession(string $view, array $data = [], bool $withCsrf = false): void
+    {
+        $flash = array_key_exists('flash', $data) && is_array($data['flash'])
+            ? $data['flash']
+            : $this->pullFlash();
+
+        $this->f3->mset($data + [
+            'view' => $view,
            'currentUser' => $this->currentUser(),
-            'flash'       => $this->pullFlash(),
-            'csrfToken'   => $this->csrfToken(),
+            'flash' => $flash,
+            'csrfToken' => $withCsrf ? $this->csrfToken() : null,
        ]);

        echo Template::instance()->render('layout.html');
@@ -38,12 +56,16 @@ abstract class BaseController
        }

        $this->flash('error', 'Connecte-toi pour continuer.');
-        $this->f3->reroute($this->f3->alias('login'));
+        $this->f3->reroute('@login');
+    }
+
+    protected function disableCache(): void
+    {
+        $this->f3->expire(0);
    }

    protected function csrfToken(): string
    {
-        // Génère un token CSRF et le stocke en session au premier appel.
        $token = (string) ($this->f3->get('SESSION.csrf_token') ?? '');
        if ($token === '') {
            $token = bin2hex(random_bytes(32));
@@ -53,10 +75,17 @@ abstract class BaseController
        return $token;
    }

+    protected function refreshCsrfToken(): string
+    {
+        $token = bin2hex(random_bytes(32));
+        $this->f3->set('SESSION.csrf_token', $token);
+        return $token;
+    }
+
    protected function verifyCsrf(): void
    {
        $submitted = (string) ($this->f3->get('POST.csrf_token') ?? '');
-        $expected  = (string) ($this->f3->get('SESSION.csrf_token') ?? '');
+        $expected = (string) ($this->f3->get('SESSION.csrf_token') ?? '');

        if ($submitted !== '' && $expected !== '' && hash_equals($expected, $submitted)) {
            return;
--- a/app/Controllers/DashboardController.php
+++ b/app/Controllers/DashboardController.php
@@ -4,19 +4,22 @@ declare(strict_types=1);

 class DashboardController extends BaseController
 {
-    public function index(): void
+    public function beforeRoute(): void
    {
        $this->requireAuth();
-        $this->f3->expire(0);
+        $this->disableCache();
+    }

+    public function index(): void
+    {
        $page = max(1, (int) ($this->f3->get('GET.page') ?? 1));
        $result = (new Post($this->db))->paginateList($page, 24);

-        $this->render('admin/dashboard.html', [
+        $this->renderSession('admin/dashboard.html', [
            'pageTitle' => 'Tableau de bord',
            'posts' => $result['posts'],
            'pagination' => $result,
-            'paginationBase' => $this->f3->alias('dashboard'),
-        ]);
+            'paginationAlias' => 'dashboard',
+        ], true);
    }
 }
--- a/app/Controllers/MediaController.php
+++ b/app/Controllers/MediaController.php
@@ -5,21 +5,29 @@ declare(strict_types=1);
 class MediaController extends BaseController
 {
    private const UPLOAD_MAX_BYTES = 10 * 1024 * 1024; // 10 Mo
+    private const PER_PAGE = 24;
+
+    public function beforeRoute(): void
+    {
+        $this->requireAuth();
+        $this->disableCache();
+    }

    public function index(): void
    {
-        $this->requireAuth();
-        $this->f3->expire(0);
+        $page = max(1, (int) ($this->f3->get('GET.page') ?? 1));
+        $result = (new Media($this->db))->paginateLibrary($page, self::PER_PAGE);

-        $this->render('admin/media.html', [
+        $this->renderSession('admin/media.html', [
            'pageTitle' => 'Médiathèque',
-            'items' => (new Media($this->db))->all(),
-        ]);
+            'items' => $result['items'],
+            'pagination' => $result,
+            'paginationAlias' => 'media_index',
+        ], true);
    }

    public function upload(): void
    {
-        $this->requireAuth();
        $this->verifyCsrf();

        try {
@@ -27,7 +35,8 @@ class MediaController extends BaseController
            $originalName = (string) ($this->f3->get('FILES.image.name') ?? '');

            $received = Web::instance()->receive(
-                fn(array $file): bool => $file['size'] <= self::UPLOAD_MAX_BYTES,
+                fn(array $file): bool => (int) ($file['size'] ?? 0) > 0
+                    && (int) ($file['size'] ?? 0) <= self::UPLOAD_MAX_BYTES,
                overwrite: false,
                slug: true
            );
@@ -36,7 +45,7 @@ class MediaController extends BaseController
            $accepted = array_keys(array_filter($received));

            if ($accepted === []) {
-                throw new RuntimeException('Choisis une image valide à envoyer (JPG, PNG, WebP ≤ ' . (int)(self::UPLOAD_MAX_BYTES / 1024 / 1024) . ' Mo).');
+                throw new RuntimeException('Choisis une image valide à envoyer (JPG, PNG, WebP ≤ ' . (int) (self::UPLOAD_MAX_BYTES / 1024 / 1024) . ' Mo).');
            }

            foreach ($accepted as $destPath) {
@@ -48,12 +57,11 @@ class MediaController extends BaseController
            $this->flash('error', $e->getMessage());
        }

-        $this->f3->reroute($this->f3->alias('media_index'));
+        $this->f3->reroute('@media_index');
    }

    public function updateAlt(): void
    {
-        $this->requireAuth();
        $this->verifyCsrf();

        try {
@@ -64,12 +72,11 @@ class MediaController extends BaseController
            $this->flash('error', $e->getMessage());
        }

-        $this->f3->reroute($this->f3->alias('media_index'));
+        $this->f3->reroute('@media_index');
    }

    public function delete(): void
    {
-        $this->requireAuth();
        $this->verifyCsrf();

        try {
@@ -79,6 +86,6 @@ class MediaController extends BaseController
            $this->flash('error', $e->getMessage());
        }

-        $this->f3->reroute($this->f3->alias('media_index'));
+        $this->f3->reroute('@media_index');
    }
 }
--- a/app/Controllers/PostController.php
+++ b/app/Controllers/PostController.php
@@ -4,16 +4,21 @@ declare(strict_types=1);

 class PostController extends BaseController
 {
-    public function create(): void
+    private const MEDIA_PICKER_LIMIT = 60;
+
+    public function beforeRoute(): void
    {
        $this->requireAuth();
-        $this->f3->expire(0);
+        $this->disableCache();
+    }
+
+    public function create(): void
+    {
        $this->renderForm('Nouvel article', $this->f3->alias('post_store'), Post::emptyForm());
    }

    public function store(): void
    {
-        $this->requireAuth();
        $this->verifyCsrf();

        $input = $this->postInput();
@@ -22,18 +27,14 @@ class PostController extends BaseController
            (new Post($this->db))->create($input);
            Cache::instance()->reset('.url'); // invalide le cache des pages publiques
            $this->flash('success', 'Article créé.');
-            $this->f3->reroute($this->f3->alias('dashboard'));
+            $this->f3->reroute('@dashboard');
        } catch (RuntimeException $e) {
-            $this->f3->expire(0);
            $this->renderForm('Nouvel article', $this->f3->alias('post_store'), $input, $e->getMessage());
        }
    }

    public function edit(): void
    {
-        $this->requireAuth();
-        $this->f3->expire(0);
-
        $post = (new Post($this->db))->findForEdit((int) $this->f3->get('PARAMS.id'));
        if ($post === null) {
            $this->f3->error(404, 'Article introuvable.');
@@ -45,7 +46,6 @@ class PostController extends BaseController

    public function update(): void
    {
-        $this->requireAuth();
        $this->verifyCsrf();

        $id = (int) $this->f3->get('PARAMS.id');
@@ -60,21 +60,19 @@ class PostController extends BaseController

            Cache::instance()->reset('.url'); // invalide le cache des pages publiques
            $this->flash('success', 'Article mis à jour.');
-            $this->f3->reroute($this->f3->alias('dashboard'));
+            $this->f3->reroute('@dashboard');
        } catch (RuntimeException $e) {
-            $this->f3->expire(0);
            $this->renderForm('Modifier l\'article', $this->f3->alias('post_update', ['id' => $id]), $input, $e->getMessage());
        }
    }

    public function delete(): void
    {
-        $this->requireAuth();
        $this->verifyCsrf();
        (new Post($this->db))->delete((int) $this->f3->get('PARAMS.id'));
        Cache::instance()->reset('.url'); // invalide le cache des pages publiques
        $this->flash('success', 'Article supprimé.');
-        $this->f3->reroute($this->f3->alias('dashboard'));
+        $this->f3->reroute('@dashboard');
    }

    private function renderForm(string $pageTitle, string $formAction, array $post, ?string $error = null): void
@@ -84,27 +82,33 @@ class PostController extends BaseController
            $coverPreview = (new Media($this->db))->findById((int) $post['cover_media_id']);
        }

+        $media = new Media($this->db);
+        $mediaItems = $media->latest(self::MEDIA_PICKER_LIMIT);
+        $mediaCount = $media->countAll();
        $flash = $error !== null ? ['type' => 'error', 'message' => $error] : null;

-        $this->render('admin/post_form.html', [
-            'pageTitle'    => $pageTitle,
-            'formAction'   => $formAction,
-            'post'         => $post,
+        $this->renderSession('admin/post_form.html', [
+            'pageTitle' => $pageTitle,
+            'formAction' => $formAction,
+            'post' => $post,
            'coverPreview' => $coverPreview,
-            'mediaItems'   => (new Media($this->db))->all(),
-            'titleMax'     => Post::TITLE_MAX_LENGTH,
-            'excerptMax'   => Post::EXCERPT_MAX_LENGTH,
-            'flash'        => $flash,
-        ]);
+            'mediaItems' => $mediaItems,
+            'mediaCount' => $mediaCount,
+            'mediaPickerLimit' => self::MEDIA_PICKER_LIMIT,
+            'mediaPickerTruncated' => $mediaCount > count($mediaItems),
+            'titleMax' => Post::TITLE_MAX_LENGTH,
+            'excerptMax' => Post::EXCERPT_MAX_LENGTH,
+            'flash' => $flash,
+        ], true);
    }

    private function postInput(): array
    {
        return [
-            'title'          => trim((string) ($this->f3->get('POST.title') ?? '')),
-            'excerpt'        => trim((string) ($this->f3->get('POST.excerpt') ?? '')),
+            'title' => trim((string) ($this->f3->get('POST.title') ?? '')),
+            'excerpt' => trim((string) ($this->f3->get('POST.excerpt') ?? '')),
            'cover_media_id' => (string) ($this->f3->get('POST.cover_media_id') ?? ''),
-            'body_markdown'  => trim((string) ($this->f3->get('POST.body_markdown') ?? '')),
+            'body_markdown' => trim((string) ($this->f3->get('POST.body_markdown') ?? '')),
        ];
    }
 }
--- a/app/Controllers/SiteController.php
+++ b/app/Controllers/SiteController.php
@@ -6,30 +6,26 @@ class SiteController extends BaseController
 {
    public function home(): void
    {
-        $this->f3->expire(300); // 5 min — page publique, contenu peu volatile
-
        $page = max(1, (int) ($this->f3->get('GET.page') ?? 1));
        $result = (new Post($this->db))->paginateList($page);

-        $this->render('site/home.html', [
+        $this->renderPublic('site/home.html', [
            'pageTitle' => 'Accueil',
            'posts' => $result['posts'],
            'pagination' => $result,
-            'paginationBase' => $this->f3->alias('home'),
+            'paginationAlias' => 'home',
        ]);
    }

    public function show(): void
    {
-        $this->f3->expire(3600); // 1 h — les articles bougent rarement
-
        $post = (new Post($this->db))->findBySlug((string) $this->f3->get('PARAMS.slug'));
        if ($post === null) {
            $this->f3->error(404, 'Article introuvable.');
            return;
        }

-        $this->render('site/post.html', [
+        $this->renderPublic('site/post.html', [
            'pageTitle' => $post['title'],
            'post' => $post,
        ]);