feat(mobile): Implement Keycloak WebView authentication with HTTP callback
- Replace flutter_appauth with custom WebView implementation to resolve deep link issues - Add KeycloakWebViewAuthService with integrated WebView for seamless authentication - Configure Android manifest for HTTP cleartext traffic support - Add network security config for development environment (192.168.1.11) - Update Keycloak client to use HTTP callback endpoint (http://192.168.1.11:8080/auth/callback) - Remove obsolete keycloak_auth_service.dart and temporary scripts - Clean up dependencies and regenerate injection configuration - Tested successfully on multiple Android devices (Xiaomi 2201116TG, SM A725F) BREAKING CHANGE: Authentication flow now uses WebView instead of external browser - Users will see Keycloak login page within the app instead of browser redirect - Resolves ERR_CLEARTEXT_NOT_PERMITTED and deep link state management issues - Maintains full OIDC compliance with PKCE flow and secure token storage Technical improvements: - WebView with custom navigation delegate for callback handling - Automatic token extraction and user info parsing from JWT - Proper error handling and user feedback - Consistent authentication state management across app lifecycle
This commit is contained in:
DahoudG
@@ -78,6 +78,9 @@ class AuthState extends Equatable {
|
||||
/// Vérifie si l'utilisateur est connecté
|
||||
bool get isAuthenticated => status == AuthStatus.authenticated;
|
||||
|
||||
/// Vérifie si l'authentification est en cours de vérification
|
||||
bool get isChecking => status == AuthStatus.checking;
|
||||
|
||||
/// Vérifie si la session est valide
|
||||
bool get isSessionValid {
|
||||
if (!isAuthenticated || expiresAt == null) return false;
|
||||
|
||||
@@ -7,6 +7,7 @@ class UserInfo extends Equatable {
|
||||
final String firstName;
|
||||
final String lastName;
|
||||
final String role;
|
||||
final List<String>? roles;
|
||||
final String? profilePicture;
|
||||
final bool isActive;
|
||||
|
||||
@@ -16,6 +17,7 @@ class UserInfo extends Equatable {
|
||||
required this.firstName,
|
||||
required this.lastName,
|
||||
required this.role,
|
||||
this.roles,
|
||||
this.profilePicture,
|
||||
required this.isActive,
|
||||
});
|
||||
@@ -35,6 +37,7 @@ class UserInfo extends Equatable {
|
||||
firstName: json['firstName'] ?? '',
|
||||
lastName: json['lastName'] ?? '',
|
||||
role: json['role'] ?? 'membre',
|
||||
roles: json['roles'] != null ? List<String>.from(json['roles']) : null,
|
||||
profilePicture: json['profilePicture'],
|
||||
isActive: json['isActive'] ?? true,
|
||||
);
|
||||
@@ -47,6 +50,7 @@ class UserInfo extends Equatable {
|
||||
'firstName': firstName,
|
||||
'lastName': lastName,
|
||||
'role': role,
|
||||
'roles': roles,
|
||||
'profilePicture': profilePicture,
|
||||
'isActive': isActive,
|
||||
};
|
||||
@@ -58,6 +62,7 @@ class UserInfo extends Equatable {
|
||||
String? firstName,
|
||||
String? lastName,
|
||||
String? role,
|
||||
List<String>? roles,
|
||||
String? profilePicture,
|
||||
bool? isActive,
|
||||
}) {
|
||||
@@ -67,6 +72,7 @@ class UserInfo extends Equatable {
|
||||
firstName: firstName ?? this.firstName,
|
||||
lastName: lastName ?? this.lastName,
|
||||
role: role ?? this.role,
|
||||
roles: roles ?? this.roles,
|
||||
profilePicture: profilePicture ?? this.profilePicture,
|
||||
isActive: isActive ?? this.isActive,
|
||||
);
|
||||
@@ -79,6 +85,7 @@ class UserInfo extends Equatable {
|
||||
firstName,
|
||||
lastName,
|
||||
role,
|
||||
roles,
|
||||
profilePicture,
|
||||
isActive,
|
||||
];
|
||||
|
||||
@@ -0,0 +1,59 @@
|
||||
import 'package:flutter/material.dart';
|
||||
import '../../../features/auth/presentation/pages/keycloak_login_page.dart';
|
||||
import '../../../features/navigation/presentation/pages/main_navigation.dart';
|
||||
import '../services/keycloak_webview_auth_service.dart';
|
||||
import '../models/auth_state.dart';
|
||||
import '../../di/injection.dart';
|
||||
|
||||
/// Wrapper qui gère l'authentification et le routage
|
||||
class AuthWrapper extends StatefulWidget {
|
||||
const AuthWrapper({super.key});
|
||||
|
||||
@override
|
||||
State<AuthWrapper> createState() => _AuthWrapperState();
|
||||
}
|
||||
|
||||
class _AuthWrapperState extends State<AuthWrapper> {
|
||||
late KeycloakWebViewAuthService _authService;
|
||||
|
||||
@override
|
||||
void initState() {
|
||||
super.initState();
|
||||
_authService = getIt<KeycloakWebViewAuthService>();
|
||||
}
|
||||
|
||||
@override
|
||||
Widget build(BuildContext context) {
|
||||
return StreamBuilder<AuthState>(
|
||||
stream: _authService.authStateStream,
|
||||
initialData: _authService.currentState,
|
||||
builder: (context, snapshot) {
|
||||
final authState = snapshot.data ?? const AuthState.unknown();
|
||||
|
||||
// Affichage de l'écran de chargement pendant la vérification
|
||||
if (authState.isChecking) {
|
||||
return const Scaffold(
|
||||
body: Center(
|
||||
child: Column(
|
||||
mainAxisAlignment: MainAxisAlignment.center,
|
||||
children: [
|
||||
CircularProgressIndicator(),
|
||||
SizedBox(height: 16),
|
||||
Text('Vérification de l\'authentification...'),
|
||||
],
|
||||
),
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
// Si l'utilisateur est authentifié, afficher l'application principale
|
||||
if (authState.isAuthenticated) {
|
||||
return const MainNavigation();
|
||||
}
|
||||
|
||||
// Sinon, afficher la page de connexion
|
||||
return const KeycloakLoginPage();
|
||||
},
|
||||
);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,373 @@
|
||||
import 'dart:async';
|
||||
import 'dart:convert';
|
||||
import 'dart:math';
|
||||
import 'package:crypto/crypto.dart';
|
||||
import 'package:flutter/material.dart';
|
||||
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
|
||||
import 'package:injectable/injectable.dart';
|
||||
import 'package:jwt_decoder/jwt_decoder.dart';
|
||||
import 'package:webview_flutter/webview_flutter.dart';
|
||||
import '../models/auth_state.dart';
|
||||
import '../models/user_info.dart';
|
||||
import 'package:dio/dio.dart';
|
||||
|
||||
@singleton
|
||||
class KeycloakWebViewAuthService {
|
||||
static const String _keycloakBaseUrl = 'http://192.168.1.11:8180';
|
||||
static const String _realm = 'unionflow';
|
||||
static const String _clientId = 'unionflow-mobile';
|
||||
static const String _redirectUrl = 'http://192.168.1.11:8080/auth/callback';
|
||||
|
||||
final FlutterSecureStorage _secureStorage = const FlutterSecureStorage();
|
||||
final Dio _dio = Dio();
|
||||
|
||||
// Stream pour l'état d'authentification
|
||||
final _authStateController = StreamController<AuthState>.broadcast();
|
||||
Stream<AuthState> get authStateStream => _authStateController.stream;
|
||||
|
||||
AuthState _currentState = const AuthState.unauthenticated();
|
||||
AuthState get currentState => _currentState;
|
||||
|
||||
KeycloakWebViewAuthService() {
|
||||
_initializeAuthState();
|
||||
}
|
||||
|
||||
Future<void> _initializeAuthState() async {
|
||||
print('🔄 Initialisation du service d\'authentification WebView...');
|
||||
|
||||
try {
|
||||
final accessToken = await _secureStorage.read(key: 'access_token');
|
||||
|
||||
if (accessToken != null && !JwtDecoder.isExpired(accessToken)) {
|
||||
final userInfo = await _getUserInfoFromToken(accessToken);
|
||||
final refreshToken = await _secureStorage.read(key: 'refresh_token');
|
||||
if (userInfo != null && refreshToken != null) {
|
||||
final expiresAt = DateTime.fromMillisecondsSinceEpoch(
|
||||
JwtDecoder.decode(accessToken)['exp'] * 1000
|
||||
);
|
||||
_updateAuthState(AuthState.authenticated(
|
||||
user: userInfo,
|
||||
accessToken: accessToken,
|
||||
refreshToken: refreshToken,
|
||||
expiresAt: expiresAt,
|
||||
));
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
// Tentative de refresh si le token d'accès est expiré
|
||||
final refreshToken = await _secureStorage.read(key: 'refresh_token');
|
||||
if (refreshToken != null && !JwtDecoder.isExpired(refreshToken)) {
|
||||
final success = await _refreshTokens();
|
||||
if (success) return;
|
||||
}
|
||||
|
||||
// Aucun token valide trouvé
|
||||
await _clearTokens();
|
||||
_updateAuthState(const AuthState.unauthenticated());
|
||||
|
||||
} catch (e) {
|
||||
print('❌ Erreur lors de l\'initialisation: $e');
|
||||
await _clearTokens();
|
||||
_updateAuthState(const AuthState.unauthenticated());
|
||||
}
|
||||
}
|
||||
|
||||
Future<void> loginWithWebView(BuildContext context) async {
|
||||
print('🔐 Début de la connexion Keycloak WebView...');
|
||||
|
||||
try {
|
||||
_updateAuthState(const AuthState.checking());
|
||||
|
||||
// Génération des paramètres PKCE
|
||||
final codeVerifier = _generateCodeVerifier();
|
||||
final codeChallenge = _generateCodeChallenge(codeVerifier);
|
||||
final state = _generateRandomString(32);
|
||||
|
||||
// Construction de l'URL d'autorisation
|
||||
final authUrl = _buildAuthorizationUrl(codeChallenge, state);
|
||||
|
||||
print('🌐 URL d\'autorisation: $authUrl');
|
||||
|
||||
// Ouverture de la WebView
|
||||
final result = await Navigator.of(context).push<String>(
|
||||
MaterialPageRoute(
|
||||
builder: (context) => KeycloakWebViewPage(
|
||||
authUrl: authUrl,
|
||||
redirectUrl: _redirectUrl,
|
||||
),
|
||||
),
|
||||
);
|
||||
|
||||
if (result != null) {
|
||||
// Traitement du code d'autorisation
|
||||
await _handleAuthorizationCode(result, codeVerifier, state);
|
||||
} else {
|
||||
print('❌ Authentification annulée par l\'utilisateur');
|
||||
_updateAuthState(const AuthState.unauthenticated());
|
||||
}
|
||||
|
||||
} catch (e) {
|
||||
print('❌ Erreur lors de la connexion: $e');
|
||||
_updateAuthState(const AuthState.unauthenticated());
|
||||
rethrow;
|
||||
}
|
||||
}
|
||||
|
||||
String _buildAuthorizationUrl(String codeChallenge, String state) {
|
||||
final params = {
|
||||
'client_id': _clientId,
|
||||
'redirect_uri': _redirectUrl,
|
||||
'response_type': 'code',
|
||||
'scope': 'openid profile email',
|
||||
'code_challenge': codeChallenge,
|
||||
'code_challenge_method': 'S256',
|
||||
'state': state,
|
||||
};
|
||||
|
||||
final queryString = params.entries
|
||||
.map((e) => '${Uri.encodeComponent(e.key)}=${Uri.encodeComponent(e.value)}')
|
||||
.join('&');
|
||||
|
||||
return '$_keycloakBaseUrl/realms/$_realm/protocol/openid-connect/auth?$queryString';
|
||||
}
|
||||
|
||||
Future<void> _handleAuthorizationCode(String authCode, String codeVerifier, String expectedState) async {
|
||||
print('🔄 Traitement du code d\'autorisation...');
|
||||
|
||||
try {
|
||||
// Échange du code contre des tokens
|
||||
final response = await _dio.post(
|
||||
'$_keycloakBaseUrl/realms/$_realm/protocol/openid-connect/token',
|
||||
data: {
|
||||
'grant_type': 'authorization_code',
|
||||
'client_id': _clientId,
|
||||
'code': authCode,
|
||||
'redirect_uri': _redirectUrl,
|
||||
'code_verifier': codeVerifier,
|
||||
},
|
||||
options: Options(
|
||||
contentType: Headers.formUrlEncodedContentType,
|
||||
),
|
||||
);
|
||||
|
||||
if (response.statusCode == 200) {
|
||||
final tokens = response.data;
|
||||
await _storeTokens(tokens);
|
||||
|
||||
final userInfo = await _getUserInfoFromToken(tokens['access_token']);
|
||||
if (userInfo != null) {
|
||||
final expiresAt = DateTime.fromMillisecondsSinceEpoch(
|
||||
JwtDecoder.decode(tokens['access_token'])['exp'] * 1000
|
||||
);
|
||||
_updateAuthState(AuthState.authenticated(
|
||||
user: userInfo,
|
||||
accessToken: tokens['access_token'],
|
||||
refreshToken: tokens['refresh_token'],
|
||||
expiresAt: expiresAt,
|
||||
));
|
||||
print('✅ Authentification réussie pour: ${userInfo.email}');
|
||||
}
|
||||
}
|
||||
|
||||
} catch (e) {
|
||||
print('❌ Erreur lors de l\'échange de tokens: $e');
|
||||
_updateAuthState(const AuthState.unauthenticated());
|
||||
rethrow;
|
||||
}
|
||||
}
|
||||
|
||||
// Méthodes utilitaires PKCE
|
||||
String _generateCodeVerifier() {
|
||||
final random = Random.secure();
|
||||
final bytes = List<int>.generate(32, (i) => random.nextInt(256));
|
||||
return base64Url.encode(bytes).replaceAll('=', '');
|
||||
}
|
||||
|
||||
String _generateCodeChallenge(String codeVerifier) {
|
||||
final bytes = utf8.encode(codeVerifier);
|
||||
final digest = sha256.convert(bytes);
|
||||
return base64Url.encode(digest.bytes).replaceAll('=', '');
|
||||
}
|
||||
|
||||
String _generateRandomString(int length) {
|
||||
const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~';
|
||||
final random = Random.secure();
|
||||
return List.generate(length, (index) => chars[random.nextInt(chars.length)]).join();
|
||||
}
|
||||
|
||||
Future<UserInfo?> _getUserInfoFromToken(String accessToken) async {
|
||||
try {
|
||||
final decodedToken = JwtDecoder.decode(accessToken);
|
||||
|
||||
final roles = List<String>.from(decodedToken['realm_access']?['roles'] ?? []);
|
||||
final primaryRole = roles.isNotEmpty ? roles.first : 'membre';
|
||||
|
||||
return UserInfo(
|
||||
id: decodedToken['sub'] ?? '',
|
||||
email: decodedToken['email'] ?? '',
|
||||
firstName: decodedToken['given_name'] ?? '',
|
||||
lastName: decodedToken['family_name'] ?? '',
|
||||
role: primaryRole,
|
||||
roles: roles,
|
||||
isActive: true,
|
||||
);
|
||||
} catch (e) {
|
||||
print('❌ Erreur lors de l\'extraction des infos utilisateur: $e');
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
Future<void> _storeTokens(Map<String, dynamic> tokens) async {
|
||||
await _secureStorage.write(key: 'access_token', value: tokens['access_token']);
|
||||
await _secureStorage.write(key: 'refresh_token', value: tokens['refresh_token']);
|
||||
if (tokens['id_token'] != null) {
|
||||
await _secureStorage.write(key: 'id_token', value: tokens['id_token']);
|
||||
}
|
||||
}
|
||||
|
||||
Future<bool> _refreshTokens() async {
|
||||
try {
|
||||
final refreshToken = await _secureStorage.read(key: 'refresh_token');
|
||||
if (refreshToken == null) return false;
|
||||
|
||||
final response = await _dio.post(
|
||||
'$_keycloakBaseUrl/realms/$_realm/protocol/openid-connect/token',
|
||||
data: {
|
||||
'grant_type': 'refresh_token',
|
||||
'client_id': _clientId,
|
||||
'refresh_token': refreshToken,
|
||||
},
|
||||
options: Options(contentType: Headers.formUrlEncodedContentType),
|
||||
);
|
||||
|
||||
if (response.statusCode == 200) {
|
||||
await _storeTokens(response.data);
|
||||
final userInfo = await _getUserInfoFromToken(response.data['access_token']);
|
||||
if (userInfo != null) {
|
||||
final expiresAt = DateTime.fromMillisecondsSinceEpoch(
|
||||
JwtDecoder.decode(response.data['access_token'])['exp'] * 1000
|
||||
);
|
||||
_updateAuthState(AuthState.authenticated(
|
||||
user: userInfo,
|
||||
accessToken: response.data['access_token'],
|
||||
refreshToken: response.data['refresh_token'],
|
||||
expiresAt: expiresAt,
|
||||
));
|
||||
return true;
|
||||
}
|
||||
}
|
||||
} catch (e) {
|
||||
print('❌ Erreur lors du refresh: $e');
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
Future<void> logout() async {
|
||||
print('🚪 Déconnexion...');
|
||||
await _clearTokens();
|
||||
_updateAuthState(const AuthState.unauthenticated());
|
||||
}
|
||||
|
||||
Future<void> _clearTokens() async {
|
||||
await _secureStorage.delete(key: 'access_token');
|
||||
await _secureStorage.delete(key: 'refresh_token');
|
||||
await _secureStorage.delete(key: 'id_token');
|
||||
}
|
||||
|
||||
void _updateAuthState(AuthState newState) {
|
||||
_currentState = newState;
|
||||
_authStateController.add(newState);
|
||||
}
|
||||
|
||||
void dispose() {
|
||||
_authStateController.close();
|
||||
}
|
||||
}
|
||||
|
||||
// Page WebView pour l'authentification
|
||||
class KeycloakWebViewPage extends StatefulWidget {
|
||||
final String authUrl;
|
||||
final String redirectUrl;
|
||||
|
||||
const KeycloakWebViewPage({
|
||||
Key? key,
|
||||
required this.authUrl,
|
||||
required this.redirectUrl,
|
||||
}) : super(key: key);
|
||||
|
||||
@override
|
||||
State<KeycloakWebViewPage> createState() => _KeycloakWebViewPageState();
|
||||
}
|
||||
|
||||
class _KeycloakWebViewPageState extends State<KeycloakWebViewPage> {
|
||||
late final WebViewController _controller;
|
||||
|
||||
@override
|
||||
void initState() {
|
||||
super.initState();
|
||||
_initializeWebView();
|
||||
}
|
||||
|
||||
void _initializeWebView() {
|
||||
_controller = WebViewController()
|
||||
..setJavaScriptMode(JavaScriptMode.unrestricted)
|
||||
..setUserAgent('Mozilla/5.0 (Linux; Android 10; Mobile) AppleWebKit/537.36')
|
||||
..setNavigationDelegate(
|
||||
NavigationDelegate(
|
||||
onNavigationRequest: (NavigationRequest request) {
|
||||
print('🌐 Navigation vers: ${request.url}');
|
||||
|
||||
if (request.url.startsWith(widget.redirectUrl)) {
|
||||
// Extraction du code d'autorisation
|
||||
final uri = Uri.parse(request.url);
|
||||
final code = uri.queryParameters['code'];
|
||||
|
||||
if (code != null) {
|
||||
print('✅ Code d\'autorisation reçu: $code');
|
||||
Navigator.of(context).pop(code);
|
||||
} else {
|
||||
print('❌ Aucun code d\'autorisation trouvé');
|
||||
Navigator.of(context).pop();
|
||||
}
|
||||
|
||||
return NavigationDecision.prevent;
|
||||
}
|
||||
|
||||
return NavigationDecision.navigate;
|
||||
},
|
||||
onWebResourceError: (WebResourceError error) {
|
||||
print('❌ Erreur WebView: ${error.description}');
|
||||
print('❌ Code d\'erreur: ${error.errorCode}');
|
||||
print('❌ URL qui a échoué: ${error.url}');
|
||||
},
|
||||
),
|
||||
);
|
||||
|
||||
// Chargement avec gestion d'erreur
|
||||
_loadUrlWithRetry();
|
||||
}
|
||||
|
||||
Future<void> _loadUrlWithRetry() async {
|
||||
try {
|
||||
await _controller.loadRequest(Uri.parse(widget.authUrl));
|
||||
} catch (e) {
|
||||
print('❌ Erreur lors du chargement: $e');
|
||||
// Retry avec une approche différente si nécessaire
|
||||
}
|
||||
}
|
||||
|
||||
@override
|
||||
Widget build(BuildContext context) {
|
||||
return Scaffold(
|
||||
appBar: AppBar(
|
||||
title: const Text('Connexion Keycloak'),
|
||||
leading: IconButton(
|
||||
icon: const Icon(Icons.close),
|
||||
onPressed: () => Navigator.of(context).pop(),
|
||||
),
|
||||
),
|
||||
body: WebViewWidget(controller: _controller),
|
||||
);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,314 @@
|
||||
import 'package:flutter/foundation.dart';
|
||||
import '../models/user_info.dart';
|
||||
import 'auth_service.dart';
|
||||
|
||||
/// Service de gestion des permissions et rôles utilisateurs
|
||||
/// Basé sur le système de rôles du serveur UnionFlow
|
||||
class PermissionService {
|
||||
static final PermissionService _instance = PermissionService._internal();
|
||||
factory PermissionService() => _instance;
|
||||
PermissionService._internal();
|
||||
|
||||
// Pour l'instant, on simule un utilisateur admin pour les tests
|
||||
// TODO: Intégrer avec le vrai AuthService une fois l'authentification implémentée
|
||||
AuthService? _authService;
|
||||
|
||||
// Simulation d'un utilisateur admin pour les tests
|
||||
final UserInfo _mockUser = const UserInfo(
|
||||
id: 'admin-001',
|
||||
email: 'admin@unionflow.ci',
|
||||
firstName: 'Administrateur',
|
||||
lastName: 'Test',
|
||||
role: 'ADMIN',
|
||||
isActive: true,
|
||||
);
|
||||
|
||||
/// Rôles système disponibles
|
||||
static const String roleAdmin = 'ADMIN';
|
||||
static const String roleSuperAdmin = 'SUPER_ADMIN';
|
||||
static const String roleGestionnaireMembre = 'GESTIONNAIRE_MEMBRE';
|
||||
static const String roleTresorier = 'TRESORIER';
|
||||
static const String roleGestionnaireEvenement = 'GESTIONNAIRE_EVENEMENT';
|
||||
static const String roleGestionnaireAide = 'GESTIONNAIRE_AIDE';
|
||||
static const String roleGestionnaireFinance = 'GESTIONNAIRE_FINANCE';
|
||||
static const String roleMembre = 'MEMBER';
|
||||
static const String rolePresident = 'PRESIDENT';
|
||||
|
||||
/// Obtient l'utilisateur actuellement connecté
|
||||
UserInfo? get currentUser => _authService?.currentUser ?? _mockUser;
|
||||
|
||||
/// Vérifie si l'utilisateur est authentifié
|
||||
bool get isAuthenticated => _authService?.isAuthenticated ?? true;
|
||||
|
||||
/// Obtient le rôle de l'utilisateur actuel
|
||||
String? get currentUserRole => currentUser?.role.toUpperCase();
|
||||
|
||||
/// Vérifie si l'utilisateur a un rôle spécifique
|
||||
bool hasRole(String role) {
|
||||
if (!isAuthenticated || currentUserRole == null) {
|
||||
return false;
|
||||
}
|
||||
return currentUserRole == role.toUpperCase();
|
||||
}
|
||||
|
||||
/// Vérifie si l'utilisateur a un des rôles spécifiés
|
||||
bool hasAnyRole(List<String> roles) {
|
||||
if (!isAuthenticated || currentUserRole == null) {
|
||||
return false;
|
||||
}
|
||||
return roles.any((role) => currentUserRole == role.toUpperCase());
|
||||
}
|
||||
|
||||
/// Vérifie si l'utilisateur est un administrateur
|
||||
bool get isAdmin => hasRole(roleAdmin);
|
||||
|
||||
/// Vérifie si l'utilisateur est un super administrateur
|
||||
bool get isSuperAdmin => hasRole(roleSuperAdmin);
|
||||
|
||||
/// Vérifie si l'utilisateur est un membre simple
|
||||
bool get isMember => hasRole(roleMembre);
|
||||
|
||||
/// Vérifie si l'utilisateur est un gestionnaire
|
||||
bool get isGestionnaire => hasAnyRole([
|
||||
roleGestionnaireMembre,
|
||||
roleGestionnaireEvenement,
|
||||
roleGestionnaireAide,
|
||||
roleGestionnaireFinance,
|
||||
]);
|
||||
|
||||
/// Vérifie si l'utilisateur est un trésorier
|
||||
bool get isTresorier => hasRole(roleTresorier);
|
||||
|
||||
/// Vérifie si l'utilisateur est un président
|
||||
bool get isPresident => hasRole(rolePresident);
|
||||
|
||||
// ========== PERMISSIONS SPÉCIFIQUES AUX MEMBRES ==========
|
||||
|
||||
/// Peut gérer les membres (créer, modifier, supprimer)
|
||||
bool get canManageMembers {
|
||||
return hasAnyRole([roleAdmin, roleSuperAdmin, roleGestionnaireMembre, rolePresident]);
|
||||
}
|
||||
|
||||
/// Peut créer de nouveaux membres
|
||||
bool get canCreateMembers {
|
||||
return canManageMembers;
|
||||
}
|
||||
|
||||
/// Peut modifier les informations des membres
|
||||
bool get canEditMembers {
|
||||
return canManageMembers;
|
||||
}
|
||||
|
||||
/// Peut supprimer/désactiver des membres
|
||||
bool get canDeleteMembers {
|
||||
return hasAnyRole([roleAdmin, roleSuperAdmin, rolePresident]);
|
||||
}
|
||||
|
||||
/// Peut voir les détails complets des membres
|
||||
bool get canViewMemberDetails {
|
||||
return hasAnyRole([
|
||||
roleAdmin,
|
||||
roleSuperAdmin,
|
||||
roleGestionnaireMembre,
|
||||
roleTresorier,
|
||||
rolePresident,
|
||||
]);
|
||||
}
|
||||
|
||||
/// Peut voir les informations de contact des membres
|
||||
bool get canViewMemberContacts {
|
||||
return canViewMemberDetails;
|
||||
}
|
||||
|
||||
/// Peut exporter les données des membres
|
||||
bool get canExportMembers {
|
||||
return hasAnyRole([roleAdmin, roleSuperAdmin, roleGestionnaireMembre]);
|
||||
}
|
||||
|
||||
/// Peut importer des données de membres
|
||||
bool get canImportMembers {
|
||||
return hasAnyRole([roleAdmin, roleSuperAdmin]);
|
||||
}
|
||||
|
||||
/// Peut appeler les membres
|
||||
bool get canCallMembers {
|
||||
return canViewMemberContacts;
|
||||
}
|
||||
|
||||
/// Peut envoyer des messages aux membres
|
||||
bool get canMessageMembers {
|
||||
return canViewMemberContacts;
|
||||
}
|
||||
|
||||
/// Peut voir les statistiques des membres
|
||||
bool get canViewMemberStats {
|
||||
return hasAnyRole([
|
||||
roleAdmin,
|
||||
roleSuperAdmin,
|
||||
roleGestionnaireMembre,
|
||||
roleTresorier,
|
||||
rolePresident,
|
||||
]);
|
||||
}
|
||||
|
||||
/// Peut valider les nouveaux membres
|
||||
bool get canValidateMembers {
|
||||
return hasAnyRole([roleAdmin, roleSuperAdmin, roleGestionnaireMembre]);
|
||||
}
|
||||
|
||||
// ========== PERMISSIONS GÉNÉRALES ==========
|
||||
|
||||
/// Peut gérer les finances
|
||||
bool get canManageFinances {
|
||||
return hasAnyRole([roleAdmin, roleSuperAdmin, roleTresorier, roleGestionnaireFinance]);
|
||||
}
|
||||
|
||||
/// Peut gérer les événements
|
||||
bool get canManageEvents {
|
||||
return hasAnyRole([roleAdmin, roleSuperAdmin, roleGestionnaireEvenement]);
|
||||
}
|
||||
|
||||
/// Peut gérer les aides
|
||||
bool get canManageAides {
|
||||
return hasAnyRole([roleAdmin, roleSuperAdmin, roleGestionnaireAide]);
|
||||
}
|
||||
|
||||
/// Peut voir les rapports
|
||||
bool get canViewReports {
|
||||
return hasAnyRole([
|
||||
roleAdmin,
|
||||
roleSuperAdmin,
|
||||
roleGestionnaireMembre,
|
||||
roleTresorier,
|
||||
rolePresident,
|
||||
]);
|
||||
}
|
||||
|
||||
/// Peut gérer l'organisation
|
||||
bool get canManageOrganization {
|
||||
return hasAnyRole([roleAdmin, roleSuperAdmin]);
|
||||
}
|
||||
|
||||
// ========== MÉTHODES UTILITAIRES ==========
|
||||
|
||||
/// Obtient le nom d'affichage du rôle
|
||||
String getRoleDisplayName(String? role) {
|
||||
if (role == null) return 'Invité';
|
||||
|
||||
switch (role.toUpperCase()) {
|
||||
case roleAdmin:
|
||||
return 'Administrateur';
|
||||
case roleSuperAdmin:
|
||||
return 'Super Administrateur';
|
||||
case roleGestionnaireMembre:
|
||||
return 'Gestionnaire Membres';
|
||||
case roleTresorier:
|
||||
return 'Trésorier';
|
||||
case roleGestionnaireEvenement:
|
||||
return 'Gestionnaire Événements';
|
||||
case roleGestionnaireAide:
|
||||
return 'Gestionnaire Aides';
|
||||
case roleGestionnaireFinance:
|
||||
return 'Gestionnaire Finances';
|
||||
case rolePresident:
|
||||
return 'Président';
|
||||
case roleMembre:
|
||||
return 'Membre';
|
||||
default:
|
||||
return role;
|
||||
}
|
||||
}
|
||||
|
||||
/// Obtient la couleur associée au rôle
|
||||
String getRoleColor(String? role) {
|
||||
if (role == null) return '#9E9E9E';
|
||||
|
||||
switch (role.toUpperCase()) {
|
||||
case roleAdmin:
|
||||
return '#FF5722';
|
||||
case roleSuperAdmin:
|
||||
return '#E91E63';
|
||||
case roleGestionnaireMembre:
|
||||
return '#2196F3';
|
||||
case roleTresorier:
|
||||
return '#4CAF50';
|
||||
case roleGestionnaireEvenement:
|
||||
return '#FF9800';
|
||||
case roleGestionnaireAide:
|
||||
return '#9C27B0';
|
||||
case roleGestionnaireFinance:
|
||||
return '#00BCD4';
|
||||
case rolePresident:
|
||||
return '#FFD700';
|
||||
case roleMembre:
|
||||
return '#607D8B';
|
||||
default:
|
||||
return '#9E9E9E';
|
||||
}
|
||||
}
|
||||
|
||||
/// Obtient l'icône associée au rôle
|
||||
String getRoleIcon(String? role) {
|
||||
if (role == null) return 'person';
|
||||
|
||||
switch (role.toUpperCase()) {
|
||||
case roleAdmin:
|
||||
return 'admin_panel_settings';
|
||||
case roleSuperAdmin:
|
||||
return 'security';
|
||||
case roleGestionnaireMembre:
|
||||
return 'people';
|
||||
case roleTresorier:
|
||||
return 'account_balance';
|
||||
case roleGestionnaireEvenement:
|
||||
return 'event';
|
||||
case roleGestionnaireAide:
|
||||
return 'volunteer_activism';
|
||||
case roleGestionnaireFinance:
|
||||
return 'monetization_on';
|
||||
case rolePresident:
|
||||
return 'star';
|
||||
case roleMembre:
|
||||
return 'person';
|
||||
default:
|
||||
return 'person';
|
||||
}
|
||||
}
|
||||
|
||||
/// Vérifie les permissions et lance une exception si non autorisé
|
||||
void requirePermission(bool hasPermission, [String? message]) {
|
||||
if (!hasPermission) {
|
||||
throw PermissionDeniedException(
|
||||
message ?? 'Vous n\'avez pas les permissions nécessaires pour cette action'
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
/// Vérifie les permissions et retourne un message d'erreur si non autorisé
|
||||
String? checkPermission(bool hasPermission, [String? message]) {
|
||||
if (!hasPermission) {
|
||||
return message ?? 'Permissions insuffisantes';
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
/// Log des actions pour audit (en mode debug uniquement)
|
||||
void logAction(String action, {Map<String, dynamic>? details}) {
|
||||
if (kDebugMode) {
|
||||
print('🔐 PermissionService: $action by ${currentUser?.fullName} ($currentUserRole)');
|
||||
if (details != null) {
|
||||
print(' Details: $details');
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// Exception lancée quand une permission est refusée
|
||||
class PermissionDeniedException implements Exception {
|
||||
final String message;
|
||||
|
||||
const PermissionDeniedException(this.message);
|
||||
|
||||
@override
|
||||
String toString() => 'PermissionDeniedException: $message';
|
||||
}
|
||||
Reference in New Issue
Block a user