Merge pull request #18 from HelloAsso/log-file-per-env

Improve stream creation and logging

Author: rockynox

.env.example

@@ -1,3 +1,6 @@
+# Environnement : correspond au nom de la branche git ("main", "develop", etc.)
+APP_ENV=develop
+
 DBURL=localhost
 DBPORT=3306
 DBNAME=twitch

.github/workflows/php-prod.yml

@@ -60,6 +60,7 @@ jobs:
         envkey_MANDRILL_API: ${{ secrets.PROD_MANDRILL_API }}
         envkey_API_KEY: ${{ secrets.PROD_API_KEY }}
         envkey_APP_VERSION: ${{ github.sha }}
+        envkey_APP_ENV: ${{ github.ref_name }}
         file_name: .env
 
     - name: Tar
@@ -74,6 +75,6 @@ jobs:
       run : |
         sshpass -p ${{ secrets.PROD_SSH_PASSWORD }} ssh -o StrictHostKeyChecking=no ${{ secrets.PROD_SSH_USER }}@${{ secrets.PROD_SSH_HOST }} "cd /home/socialgo/www && tar xzvf artifact.tar.gz -C twitch-widget && rm artifact.tar.gz"
 
-    - name: Launch sql migrations
-      run : |
-        sshpass -p ${{ secrets.PROD_SSH_PASSWORD }} ssh -o StrictHostKeyChecking=no ${{ secrets.PROD_SSH_USER }}@${{ secrets.PROD_SSH_HOST }} "cd /home/socialgo/www/twitch-widget && php migrations/run.php"     
+#    - name: Launch sql migrations
+#      run : |
+#        sshpass -p ${{ secrets.PROD_SSH_PASSWORD }} ssh -o StrictHostKeyChecking=no ${{ secrets.PROD_SSH_USER }}@${{ secrets.PROD_SSH_HOST }} "cd /home/socialgo/www/twitch-widget && php migrations/run.php"

.github/workflows/php-sandbox.yml

@@ -3,6 +3,7 @@ name: Build & deploy sandbox
 on:
   push:
     branches: [ "develop" ]
+  workflow_dispatch:
 
 permissions:
   contents: read
@@ -60,6 +61,7 @@ jobs:
         envkey_MANDRILL_API: ${{ secrets.SANDBOX_MANDRILL_API }}
         envkey_API_KEY: ${{ secrets.SANDBOX_API_KEY }}
         envkey_APP_VERSION: ${{ github.sha }}
+        envkey_APP_ENV: ${{ github.ref_name }}
         file_name: .env
 
     - name: Tar
@@ -74,7 +76,7 @@ jobs:
       run : |
         sshpass -p ${{ secrets.SANDBOX_SSH_PASSWORD }} ssh -o StrictHostKeyChecking=no ${{ secrets.SANDBOX_SSH_USER }}@${{ secrets.SANDBOX_SSH_HOST }} "cd /home/socialgo/www && tar xzvf artifact.tar.gz -C twitch-widget-sandbox && rm artifact.tar.gz"
 
-    - name: Launch sql migrations
-      run : |
-        sshpass -p ${{ secrets.SANDBOX_SSH_PASSWORD }} ssh -o StrictHostKeyChecking=no ${{ secrets.SANDBOX_SSH_USER }}@${{ secrets.SANDBOX_SSH_HOST }} "cd /home/socialgo/www/twitch-widget-sandbox && php migrations/run.php" 
+#    - name: Launch sql migrations
+#      run : |
+#        sshpass -p ${{ secrets.SANDBOX_SSH_PASSWORD }} ssh -o StrictHostKeyChecking=no ${{ secrets.SANDBOX_SSH_USER }}@${{ secrets.SANDBOX_SSH_HOST }} "cd /home/socialgo/www/twitch-widget-sandbox && php migrations/run.php"
 

.gitignore

@@ -5,4 +5,6 @@ public/node_modules/
 log.txt
 *.log
 
+.idea
+
 node_modules/

cron.php

@@ -18,7 +18,13 @@
 ]);
 
 $logger = new Logger('cron');
-$logger->pushHandler(new StreamHandler(__DIR__ . '/logs/cron.log', Logger::DEBUG));
+$env = $_SERVER['APP_ENV'] ?? 'production';
+$logDir = __DIR__ . '/logs/' . $env;
+if (!is_dir($logDir)) {
+    mkdir($logDir, 0755, true);
+}
+$logFile = $logDir . '/cron.log';
+$logger->pushHandler(new StreamHandler($logFile, Logger::DEBUG));
 
 $accessTokenRepository = new AccessTokenRepository($pdo, $_SERVER['DBPREFIX']);
 $authorizationCodeRepository = new AuthorizationCodeRepository($pdo, $_SERVER['DBPREFIX']);
@@ -35,15 +41,35 @@
     $logger
 );
 
-$tokens = $accessTokenRepository->getAccessTokensToRefresh();
+try {
+    $tokens = $accessTokenRepository->getAccessTokensToRefresh();
 
-echo count($tokens) . " token(s) à rafraîchir\n";
-foreach ($tokens as $token) {
-    try {
-        $apiWrapper->refreshToken($token->refresh_token, $token->organization_slug);
-        echo "Token rafraîchi pour " . ($token->organization_slug ?? 'global') . "\n";
-    } catch (Exception $e) {
-        echo "Erreur pour " . ($token->organization_slug ?? 'global') . " : " . $e->getMessage() . "\n";
-        $logger->error('Erreur refresh token pour ' . $token->organization_slug, ['exception' => $e]);
+    $logger->info('Cron démarré. IP du serveur : ' . gethostbyname(gethostname()) . '. API_AUTH_URL : ' . $_SERVER['API_AUTH_URL']);
+    echo count($tokens) . " token(s) à rafraîchir\n";
+    foreach ($tokens as $token) {
+        try {
+            $apiWrapper->refreshToken($token->refresh_token, $token->organization_slug);
+            echo "Token rafraîchi pour " . ($token->organization_slug ?? 'global') . "\n";
+            $logger->info('Token rafraîchi avec succès pour ' . ($token->organization_slug ?? 'global'));
+        } catch (Exception $e) {
+            $isNetworkError = str_contains($e->getMessage(), 'cURL error 7') || str_contains($e->getMessage(), 'Connection refused');
+            echo "Erreur pour " . ($token->organization_slug ?? 'global') . " : " . $e->getMessage() . "\n";
+            if ($isNetworkError) {
+                $logger->critical('Impossible de joindre l\'API (' . $_SERVER['API_AUTH_URL'] . '). Vérifiez que le serveur distant est accessible depuis cette machine.', [
+                    'server_ip' => gethostbyname(gethostname()),
+                    'organization_slug' => $token->organization_slug,
+                ]);
+            } else {
+                $logger->error('Erreur refresh token pour ' . $token->organization_slug, ['exception' => $e]);
+            }
+        }
     }
+} catch (Throwable $e) {
+    $logger->critical('Le cron a planté de manière inattendue.', [
+        'exception' => $e->getMessage(),
+        'file' => $e->getFile(),
+        'line' => $e->getLine(),
+    ]);
+    echo "Erreur critique : " . $e->getMessage() . "\n";
+    exit(1);
 }

migrations/09-allow-null-org-slug-auth-code.sql

@@ -0,0 +1,2 @@
+ALTER TABLE {prefix}authorization_code MODIFY COLUMN organization_slug VARCHAR(255) NULL;
+

public/index.php

@@ -37,14 +37,24 @@
 $container = new Container();
 $container->set('logger.api', function () {
     $level = $_SERVER['LOGLEVEL'] ?? Logger::DEBUG;
-    $logger = new Logger('api'); // le nom est ici !
-    $logger->pushHandler(new RotatingFileHandler(__DIR__ . '/../logs/api.log', 7, $level));
+    $env = $_SERVER['APP_ENV'] ?? 'production';
+    $logDir = __DIR__ . '/../logs/' . $env;
+    if (!is_dir($logDir)) {
+        mkdir($logDir, 0755, true);
+    }
+    $logger = new Logger('api');
+    $logger->pushHandler(new RotatingFileHandler($logDir . '/api.log', 7, $level));
     return $logger;
 });
 $container->set(Logger::class, function () {
     $level = $_SERVER['LOGLEVEL'] ?? Logger::DEBUG;
+    $env = $_SERVER['APP_ENV'] ?? 'production';
+    $logDir = __DIR__ . '/../logs/' . $env;
+    if (!is_dir($logDir)) {
+        mkdir($logDir, 0755, true);
+    }
     $logger = new Logger('app');
-    $logger->pushHandler(new RotatingFileHandler(__DIR__ . '/../logs/app.log', 7, $level)); 
+    $logger->pushHandler(new RotatingFileHandler($logDir . '/app.log', 7, $level));
     return $logger;
 });
 
@@ -169,6 +179,16 @@
 } else {
     $errorMiddleware = $app->addErrorMiddleware(false, true, true, $container->get(Logger::class));
 }
+
+// Ne pas logger les erreurs 404 (bots, scanners, etc.)
+$errorMiddleware->setErrorHandler(
+    \Slim\Exception\HttpNotFoundException::class,
+    function (\Psr\Http\Message\ServerRequestInterface $request, \Throwable $exception, bool $displayErrorDetails) use ($app) {
+        $response = $app->getResponseFactory()->createResponse();
+        return $response->withStatus(404);
+    },
+    true // handleSubclasses
+);
 $app->get('/', [HomeController::class, 'index'])->setName('app_index');
 $app->get('/forgot_password', [HomeController::class, 'forgotPassword'])->setName('app_forgot_password');
 $app->get('/reset_password/{token}', [HomeController::class, 'resetPassword'])->setName('app_reset_password');
@@ -186,6 +206,8 @@
 $app->get('/admin/event/{id}/edit', [AdminController::class, 'editEvent'])->add(new AuthMiddleware())->setName('app_event_edit');
 $app->post('/admin/event/{id}/edit', [AdminController::class, 'editEventPost'])->add(new AuthMiddleware())->setName('app_event_edit_post');
 $app->post('/admin/stream', [AdminController::class, 'newStream'])->add(new AuthMiddleware())->setName('app_stream_new');
+$app->get('/admin/stream/init-auth', [AdminController::class, 'initStreamAuth'])->add(new AuthMiddleware())->setName('app_stream_init_auth');
+$app->get('/admin/stream/auth-callback', [AdminController::class, 'streamAuthCallback'])->setName('app_stream_auth_callback');
 $app->post('/admin/stream/{id}/delete', [AdminController::class, 'deleteStream'])->add(new AuthMiddleware())->setName('app_stream_delete');
 $app->get('/admin/stream/{id}/edit', [AdminController::class, 'editStream'])->add(new AuthMiddleware())->setName('app_stream_edit');
 $app->post('/admin/stream/{id}/edit', [AdminController::class, 'editStreamPost'])->add(new AuthMiddleware())->setName('app_stream_edit_post');

src/Controllers/AdminController.php

@@ -2,11 +2,18 @@
 
 namespace App\Controllers;
 
+use App\Models\AccessToken;
+use App\Repositories\AccessTokenRepository;
+use App\Repositories\AuthorizationCodeRepository;
 use App\Repositories\EventRepository;
 use App\Repositories\FileManager;
 use App\Repositories\StreamRepository;
 use App\Repositories\UserRepository;
 use App\Repositories\WidgetRepository;
+use App\Services\ApiWrapper;
+use DateInterval;
+use DateTime;
+use Exception;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Slim\Flash\Messages;
@@ -23,6 +30,9 @@ public function __construct(
         private UserRepository $userRepository,
         private WidgetRepository $widgetRepository,
         private Messages $messages,
+        private ApiWrapper $apiWrapper,
+        private AccessTokenRepository $accessTokenRepository,
+        private AuthorizationCodeRepository $authorizationCodeRepository,
     ) {}
 
     public function index(Request $request, Response $response): Response
@@ -40,6 +50,7 @@ public function index(Request $request, Response $response): Response
             "streams" => $streams,
             "events" => $events,
             "messages" => $this->messages->getMessages(),
+            "currentUser" => $user,
         ];
 
         $template = $user->role == "ADMIN" ? 'stream/index-admin.html.twig' : 'stream/index.html.twig';
@@ -238,4 +249,139 @@ public function editStreamPost(Request $request, Response $response, array $args
 
         return $response->withHeader('Location', $url)->withStatus(302);
     }
+
+    /**
+     * Génère l'URL d'autorisation OAuth HelloAsso pour connecter une association dans le cadre de la création d'un stream.
+     * Retourne un JSON { "url": "..." } pour que le front puisse ouvrir la mire dans un nouvel onglet.
+     *
+     * @param Request $request
+     * @param Response $response
+     * @return Response
+     */
+    public function initStreamAuth(Request $request, Response $response): Response
+    {
+        $streamCallbackUrl = $_SERVER['WEBSITE_DOMAIN'] . '/admin/stream/auth-callback';
+        $authorizationUrl = $this->apiWrapper->generateAuthorizationUrl(null, $streamCallbackUrl);
+
+        $response->getBody()->write(json_encode(['url' => $authorizationUrl]));
+        return $response->withHeader('Content-Type', 'application/json');
+    }
+
+    /**
+     * Callback OAuth pour la connexion d'une association lors de la création d'un stream.
+     * Échange le code d'autorisation, stocke les tokens et récupère la liste des formulaires de don.
+     * Retourne une page HTML qui transmet les données à la fenêtre parente via postMessage.
+     *
+     * @param Request $request
+     * @param Response $response
+     * @return Response
+     */
+    public function streamAuthCallback(Request $request, Response $response): Response
+    {
+        $error = $request->getQueryParams()['error'] ?? null;
+        $errorDescription = $request->getQueryParams()['error_description'] ?? null;
+
+        if ($error) {
+            $response->getBody()->write($this->buildCallbackPage(null, [], $errorDescription));
+            return $response;
+        }
+
+        $state = $request->getQueryParams()['state'] ?? null;
+        $code = $request->getQueryParams()['code'] ?? null;
+
+        if (!$state || !$code) {
+            $response->getBody()->write($this->buildCallbackPage(null, [], 'Paramètres manquants dans la réponse.'));
+            return $response;
+        }
+
+        try {
+            $authorizationCodeData = $this->authorizationCodeRepository->selectById($state);
+            if (!$authorizationCodeData) {
+                throw new Exception("State invalide ou expiré.");
+            }
+
+            $tokenData = $this->apiWrapper->exchangeAuthorizationCode(
+                $code,
+                $authorizationCodeData->redirect_uri,
+                $authorizationCodeData->code_verifier
+            );
+
+            $organizationSlug = $tokenData['organization_slug'];
+
+            // Stocker / mettre à jour les tokens
+            $existingToken = $this->accessTokenRepository->selectBySlug($organizationSlug);
+
+            $token = new AccessToken();
+            $token->access_token = $tokenData['access_token'];
+            $token->refresh_token = $tokenData['refresh_token'];
+            $token->organization_slug = $organizationSlug;
+            $token->access_token_expires_at = (new DateTime())->add(new DateInterval('PT28M'));
+            $token->refresh_token_expires_at = (new DateTime())->add(new DateInterval('P28D'));
+
+            if ($existingToken === null) {
+                $this->accessTokenRepository->insert($token);
+            } else {
+                $this->accessTokenRepository->update($token);
+            }
+
+            // Récupérer les formulaires de don
+            $forms = $this->apiWrapper->getDonationForms($organizationSlug);
+        } catch (Exception $e) {
+            $response->getBody()->write($this->buildCallbackPage(null, [], $e->getMessage()));
+            return $response;
+        }
+
+        $response->getBody()->write($this->buildCallbackPage($organizationSlug, $forms));
+        return $response;
+    }
+
+    /**
+     * Construit la page HTML de callback OAuth qui communique les données à la fenêtre parente via postMessage.
+     */
+    private function buildCallbackPage(?string $organizationSlug, array $forms, ?string $error = null): string
+    {
+        $organizationSlugJson = json_encode($organizationSlug);
+        $formsJson = json_encode($forms);
+        $errorJson = json_encode($error);
+
+        return <<<HTML
+<!DOCTYPE html>
+<html lang="fr">
+<head>
+    <meta charset="UTF-8">
+    <title>Connexion HelloAsso</title>
+    <style>
+        body { font-family: sans-serif; display: flex; align-items: center; justify-content: center; height: 100vh; margin: 0; background: #1a1a2e; color: #eee; }
+        .card { background: #16213e; padding: 2rem; border-radius: 12px; text-align: center; max-width: 400px; }
+        .success { color: #4ade80; font-size: 2rem; }
+        .error { color: #f87171; }
+    </style>
+</head>
+<body>
+<div class="card">
+    <div id="msg"><p>Connexion en cours, veuillez patienter...</p></div>
+</div>
+<script>
+    var organizationSlug = {$organizationSlugJson};
+    var forms = {$formsJson};
+    var error = {$errorJson};
+
+    if (error) {
+        document.getElementById('msg').innerHTML = '<p class="error">❌ Erreur : ' + error + '</p><p>Vous pouvez fermer cet onglet.</p>';
+    } else if (window.opener && !window.opener.closed) {
+        window.opener.postMessage({
+            type: 'ha_stream_auth_success',
+            organizationSlug: organizationSlug,
+            forms: forms
+        }, window.location.origin);
+        document.getElementById('msg').innerHTML = '<p class="success">✅</p><p>Association connectée ! Fermeture en cours...</p>';
+        setTimeout(function() { window.close(); }, 1500);
+    } else {
+        document.getElementById('msg').innerHTML = '<p class="success">✅ Association connectée !</p><p>Vous pouvez fermer cet onglet et retourner à la page d\'administration.</p>';
+    }
+</script>
+</body>
+</html>
+HTML;
+    }
 }

src/Controllers/LoginController.php

@@ -228,6 +228,16 @@ public function validateAuthPage(Request $request, Response $response): Response
         $codeVerifier = $authorizationCodeData->code_verifier;
 
         $tokenDataGrantAuthorization = $this->apiWrapper->exchangeAuthorizationCode($code, $redirect_uri, $codeVerifier);
+
+        if ($authorizationCodeData->organization_slug !== $tokenDataGrantAuthorization['organization_slug']) {
+            $this->logger->warning('Incohérence de slug lors de l\'échange du code d\'autorisation', [
+                'slug_attendu' => $authorizationCodeData->organization_slug,
+                'slug_reçu' => $tokenDataGrantAuthorization['organization_slug'],
+            ]);
+            $response->getBody()->write('Erreur : le slug de l\'association ne correspond pas à celui attendu. L\'authentification a été annulée.');
+            return $response->withStatus(400);
+        }
+
         $existingOrganizationToken = $this->accessTokenRepository->selectBySlug($tokenDataGrantAuthorization['organization_slug']);
 
         $token = new AccessToken();

src/Repositories/FileManager.php

@@ -73,8 +73,11 @@ public function uploadPicture(UploadedFileInterface $file): string
         return $fileName;
     }
 
-    public function getPictureUrl(string $fileName): string
+    public function getPictureUrl(?string $fileName): ?string
     {
+        if ($fileName === null) {
+            return null;
+        }
         return $this->blobUrl . '/images/charity_stream/' . $fileName;
     }
 
@@ -90,8 +93,11 @@ public function uploadSound(UploadedFileInterface $file): string
         return $fileName;
     }
 
-    public function getSoundUrl(string $fileName): string
+    public function getSoundUrl(?string $fileName): ?string
     {
+        if ($fileName === null) {
+            return null;
+        }
         return $this->blobUrl . '/sounds/charity_stream/' . $fileName;
     }
 }