feat: Securisation du Backend

Back-End/Common/migrations/0001_initial.py

@@ -1,4 +1,4 @@
-# Generated by Django 5.1.3 on 2025-11-30 11:02
+# Generated by Django 5.1.3 on 2026-03-14 13:23
 
 import django.db.models.deletion
 from django.db import migrations, models

Back-End/Common/tests.py

@@ -1,3 +1,145 @@
-from django.test import TestCase
+"""
+Tests unitaires pour le module Common.
+Vérifie que les endpoints Domain et Category requièrent une authentification JWT.
+"""
 
-# Create your tests here.
+import json
+
+from django.test import TestCase, override_settings
+from django.urls import reverse
+from rest_framework import status
+from rest_framework.test import APIClient
+from rest_framework_simplejwt.tokens import RefreshToken
+
+from Auth.models import Profile
+
+
+def create_user(email="common_test@example.com", password="testpassword123"):
+    return Profile.objects.create_user(username=email, email=email, password=password)
+
+
+def get_jwt_token(user):
+    refresh = RefreshToken.for_user(user)
+    return str(refresh.access_token)
+
+
+TEST_REST_FRAMEWORK = {
+    'DEFAULT_AUTHENTICATION_CLASSES': (
+        'rest_framework_simplejwt.authentication.JWTAuthentication',
+    ),
+    'DEFAULT_PERMISSION_CLASSES': (
+        'rest_framework.permissions.IsAuthenticated',
+    ),
+}
+
+TEST_CACHES = {'default': {'BACKEND': 'django.core.cache.backends.locmem.LocMemCache'}}
+
+
+# ---------------------------------------------------------------------------
+# Domain
+# ---------------------------------------------------------------------------
+
+@override_settings(
+    CACHES=TEST_CACHES,
+    SESSION_ENGINE='django.contrib.sessions.backends.db',
+    REST_FRAMEWORK=TEST_REST_FRAMEWORK,
+)
+class DomainEndpointAuthTest(TestCase):
+    """Tests d'authentification sur les endpoints Domain."""
+
+    def setUp(self):
+        self.client = APIClient()
+        self.list_url = reverse("Common:domain_list_create")
+        self.user = create_user()
+
+    def test_get_domains_sans_auth_retourne_401(self):
+        """GET /Common/domains sans token doit retourner 401."""
+        response = self.client.get(self.list_url)
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+    def test_post_domain_sans_auth_retourne_401(self):
+        """POST /Common/domains sans token doit retourner 401."""
+        response = self.client.post(
+            self.list_url,
+            data=json.dumps({"name": "Musique"}),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+    def test_get_domains_avec_auth_retourne_200(self):
+        """GET /Common/domains avec token valide doit retourner 200."""
+        token = get_jwt_token(self.user)
+        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
+        response = self.client.get(self.list_url)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+    def test_put_domain_sans_auth_retourne_401(self):
+        """PUT /Common/domains/{id} sans token doit retourner 401."""
+        url = reverse("Common:domain_detail", kwargs={"id": 1})
+        response = self.client.put(
+            url,
+            data=json.dumps({"name": "Danse"}),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+    def test_delete_domain_sans_auth_retourne_401(self):
+        """DELETE /Common/domains/{id} sans token doit retourner 401."""
+        url = reverse("Common:domain_detail", kwargs={"id": 1})
+        response = self.client.delete(url)
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+
+# ---------------------------------------------------------------------------
+# Category
+# ---------------------------------------------------------------------------
+
+@override_settings(
+    CACHES=TEST_CACHES,
+    SESSION_ENGINE='django.contrib.sessions.backends.db',
+    REST_FRAMEWORK=TEST_REST_FRAMEWORK,
+)
+class CategoryEndpointAuthTest(TestCase):
+    """Tests d'authentification sur les endpoints Category."""
+
+    def setUp(self):
+        self.client = APIClient()
+        self.list_url = reverse("Common:category_list_create")
+        self.user = create_user(email="category_test@example.com")
+
+    def test_get_categories_sans_auth_retourne_401(self):
+        """GET /Common/categories sans token doit retourner 401."""
+        response = self.client.get(self.list_url)
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+    def test_post_category_sans_auth_retourne_401(self):
+        """POST /Common/categories sans token doit retourner 401."""
+        response = self.client.post(
+            self.list_url,
+            data=json.dumps({"name": "Jazz"}),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+    def test_get_categories_avec_auth_retourne_200(self):
+        """GET /Common/categories avec token valide doit retourner 200."""
+        token = get_jwt_token(self.user)
+        self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
+        response = self.client.get(self.list_url)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+    def test_put_category_sans_auth_retourne_401(self):
+        """PUT /Common/categories/{id} sans token doit retourner 401."""
+        url = reverse("Common:category_detail", kwargs={"id": 1})
+        response = self.client.put(
+            url,
+            data=json.dumps({"name": "Classique"}),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+    def test_delete_category_sans_auth_retourne_401(self):
+        """DELETE /Common/categories/{id} sans token doit retourner 401."""
+        url = reverse("Common:category_detail", kwargs={"id": 1})
+        response = self.client.delete(url)
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)

Back-End/Common/views.py

@@ -4,18 +4,21 @@ from django.utils.decorators import method_decorator
 from rest_framework.parsers import JSONParser
 from rest_framework.views import APIView
 from rest_framework import status
+from rest_framework.permissions import IsAuthenticated
 from .models import (
-    Domain, 
+    Domain,
     Category
 )
 from .serializers import (
-    DomainSerializer, 
+    DomainSerializer,
     CategorySerializer
 )
 
 @method_decorator(csrf_protect, name='dispatch')
 @method_decorator(ensure_csrf_cookie, name='dispatch')
 class DomainListCreateView(APIView):
+    permission_classes = [IsAuthenticated]
+
     def get(self, request):
         domains = Domain.objects.all()
         serializer = DomainSerializer(domains, many=True)
@@ -32,6 +35,8 @@ class DomainListCreateView(APIView):
 @method_decorator(csrf_protect, name='dispatch')
 @method_decorator(ensure_csrf_cookie, name='dispatch')
 class DomainDetailView(APIView):
+    permission_classes = [IsAuthenticated]
+
     def get(self, request, id):
         try:
             domain = Domain.objects.get(id=id)
@@ -65,6 +70,8 @@ class DomainDetailView(APIView):
 @method_decorator(csrf_protect, name='dispatch')
 @method_decorator(ensure_csrf_cookie, name='dispatch')
 class CategoryListCreateView(APIView):
+    permission_classes = [IsAuthenticated]
+
     def get(self, request):
         categories = Category.objects.all()
         serializer = CategorySerializer(categories, many=True)
@@ -81,6 +88,8 @@ class CategoryListCreateView(APIView):
 @method_decorator(csrf_protect, name='dispatch')
 @method_decorator(ensure_csrf_cookie, name='dispatch')
 class CategoryDetailView(APIView):
+    permission_classes = [IsAuthenticated]
+
     def get(self, request, id):
         try:
             category = Category.objects.get(id=id)