[FEATURE] Ajouter une validation de l'email dans les liens de l'email d'avertissement de connexion après un an d'inactivité (PIX-16127)

pix-service-auto-merge · web-flow · commit 9d542b100ea7 · 2025-02-24T16:28:20.000+01:00
#11420
diff --git a/api/db/seeds/data/team-acces/build-users.js b/api/db/seeds/data/team-acces/build-users.js
@@ -48,6 +48,15 @@ function _buildUsers(databaseBuilder) {
     email: 'chrono.post@example.net',
     createdAt: new Date('2000-12-31'),
   });
+
+  // user with an old last logged-at date (>1 year) and no email confirmation date
+  const userWithOldLastLoggedAt = databaseBuilder.factory.buildUser.withRawPassword({
+    firstName: 'Old',
+    lastName: 'Connexion',
+    email: 'old-connexion@example.net',
+    emailConfirmedAt: null,
+  });
+  databaseBuilder.factory.buildUserLogin({ userId: userWithOldLastLoggedAt.id, lastLoggedAt: new Date('1970-01-01') });
 }
 
 export function buildUsers(databaseBuilder) {
diff --git a/api/src/identity-access-management/domain/emails/create-warning-connection.email.js b/api/src/identity-access-management/domain/emails/create-warning-connection.email.js
@@ -10,12 +10,20 @@ import { mailer } from '../../../shared/mail/infrastructure/services/mailer.js';
  * @param {string} params.locale - The locale for the email.
  * @param {string} params.email - The recipient's email address.
  * @param {string} params.firstName - The recipient's first name.
+ * @param {string} params.validationToken - The token for email validation.
  * @returns {Email} The email object.
  */
-export function createWarningConnectionEmail({ locale, email, firstName }) {
+export function createWarningConnectionEmail({ locale, email, firstName, validationToken }) {
   locale = locale || LOCALE.FRENCH_FRANCE;
   const lang = new Intl.Locale(locale).language;
-  const factory = new EmailFactory({ app: 'pix-app', locale });
+  let localeSupport;
+  if (locale.toLowerCase() === LOCALE.FRENCH_FRANCE) {
+    localeSupport = LOCALE.FRENCH_FRANCE;
+  } else {
+    localeSupport = lang;
+  }
+
+  const factory = new EmailFactory({ app: 'pix-app', locale: localeSupport });
 
   const { i18n, defaultVariables } = factory;
   const pixAppUrl = urlBuilder.getPixAppBaseUrl(locale);
@@ -28,7 +36,11 @@ export function createWarningConnectionEmail({ locale, email, firstName }) {
     variables: {
       homeName: defaultVariables.homeName,
       homeUrl: defaultVariables.homeUrl,
-      helpDeskUrl: defaultVariables.helpdeskUrl,
+      helpDeskUrl: urlBuilder.getEmailValidationUrl({
+        locale: localeSupport,
+        redirectUrl: defaultVariables.helpdeskUrl,
+        token: validationToken,
+      }),
       displayNationalLogo: defaultVariables.displayNationalLogo,
       contactUs: i18n.__('common.email.contactUs'),
       doNotAnswer: i18n.__('common.email.doNotAnswer'),
@@ -39,7 +51,11 @@ export function createWarningConnectionEmail({ locale, email, firstName }) {
       disclaimer: i18n.__('warning-connection-email.params.disclaimer'),
       warningMessage: i18n.__('warning-connection-email.params.warningMessage'),
       resetMyPassword: i18n.__('warning-connection-email.params.resetMyPassword'),
-      resetUrl,
+      resetUrl: urlBuilder.getEmailValidationUrl({
+        locale: localeSupport,
+        redirectUrl: resetUrl,
+        token: validationToken,
+      }),
       supportContact: i18n.__('warning-connection-email.params.supportContact'),
       thanks: i18n.__('warning-connection-email.params.thanks'),
       signing: i18n.__('warning-connection-email.params.signing'),
diff --git a/api/src/identity-access-management/domain/usecases/authenticate-user.js b/api/src/identity-access-management/domain/usecases/authenticate-user.js
@@ -17,6 +17,7 @@ const authenticateUser = async function ({
   userLoginRepository,
   adminMemberRepository,
   emailRepository,
+  emailValidationDemandRepository,
   audience,
 }) {
   try {
@@ -49,11 +50,15 @@ const authenticateUser = async function ({
 
     const userLogin = await userLoginRepository.findByUserId(foundUser.id);
     if (foundUser.email && userLogin?.shouldSendConnectionWarning()) {
+      const validationToken = !foundUser.emailConfirmedAt
+        ? await emailValidationDemandRepository.save(foundUser.id)
+        : null;
       await emailRepository.sendEmailAsync(
         createWarningConnectionEmail({
           locale: foundUser.locale,
           email: foundUser.email,
           firstName: foundUser.firstName,
+          validationToken,
         }),
       );
     }
diff --git a/api/src/shared/infrastructure/utils/url-builder.js b/api/src/shared/infrastructure/utils/url-builder.js
@@ -50,7 +50,8 @@ function getEmailValidationUrl({ locale, redirectUrl, token } = {}) {
   const baseUrl = getPixAppBaseUrl(locale);
 
   const params = new URLSearchParams();
-  if (token) params.append('token', token);
+  if (!token) return redirectUrl;
+  params.append('token', token);
   if (redirectUrl) params.append('redirect_url', redirectUrl);
 
   return `${baseUrl}/api/users/validate-email?${params.toString()}`;
diff --git a/api/tests/identity-access-management/unit/domain/emails/create-warning-connection.email.test.js b/api/tests/identity-access-management/unit/domain/emails/create-warning-connection.email.test.js
@@ -9,6 +9,7 @@ describe('Unit | Identity Access Management | Domain | Email | create-warning-co
       email: 'test@example.com',
       locale: 'fr',
       firstName: 'John',
+      validationToken: 'token',
     };
 
     const email = createWarningConnectionEmail(emailParams);
@@ -40,56 +41,100 @@ describe('Unit | Identity Access Management | Domain | Email | create-warning-co
   });
 
   describe('when the locale is en', function () {
-    it('provides the correct reset password URL', function () {
+    it('provides the correct urls', function () {
       // given
       const emailParams = {
         email: 'toto@example.net',
         locale: 'en',
         firstName: 'John',
+        validationToken: 'token',
       };
 
       // when
       const email = createWarningConnectionEmail(emailParams);
 
       // then
-      const resetUrl = email.variables.resetUrl;
-      expect(resetUrl).to.equal('https://test.app.pix.org/mot-de-passe-oublie?lang=en');
+      const { helpDeskUrl, resetUrl } = email.variables;
+      const expectedSupportUrl =
+        'https://test.app.pix.org/api/users/validate-email?token=token&redirect_url=https%3A%2F%2Fpix.org%2Fen%2Fsupport';
+
+      const expectedResetUrl =
+        'https://test.app.pix.org/api/users/validate-email?token=token&redirect_url=https%3A%2F%2Ftest.app.pix.org%2Fmot-de-passe-oublie%3Flang%3Den';
+      expect(resetUrl).to.equal(expectedResetUrl);
+      expect(helpDeskUrl).to.equal(expectedSupportUrl);
     });
   });
 
   describe('when the locale is fr-fr', function () {
-    it('provides the correct reset password URL', function () {
+    it('provides the correct urls', function () {
       // given
       const emailParams = {
         email: 'toto@example.net',
         locale: 'fr-fr',
         firstName: 'John',
+        validationToken: 'token',
       };
 
       // when
       const email = createWarningConnectionEmail(emailParams);
 
       // then
-      const resetUrl = email.variables.resetUrl;
-      expect(resetUrl).to.equal('https://test.app.pix.fr/mot-de-passe-oublie?lang=fr');
+      const { helpDeskUrl, resetUrl } = email.variables;
+      const expectedSupportUrl =
+        'https://test.app.pix.fr/api/users/validate-email?token=token&redirect_url=https%3A%2F%2Fpix.fr%2Fsupport';
+      const expectedResetUrl =
+        'https://test.app.pix.fr/api/users/validate-email?token=token&redirect_url=https%3A%2F%2Ftest.app.pix.fr%2Fmot-de-passe-oublie%3Flang%3Dfr';
+      expect(resetUrl).to.equal(expectedResetUrl);
+      expect(helpDeskUrl).to.equal(expectedSupportUrl);
+    });
+  });
+
+  describe('when the locale is fr', function () {
+    it('provides the correct urls', function () {
+      // given
+      const emailParams = {
+        email: 'toto@example.net',
+        locale: 'fr',
+        firstName: 'John',
+        validationToken: 'token',
+      };
+
+      // when
+      const email = createWarningConnectionEmail(emailParams);
+
+      // then
+      const { helpDeskUrl, resetUrl } = email.variables;
+      const expectedSupportUrl =
+        'https://test.app.pix.org/api/users/validate-email?token=token&redirect_url=https%3A%2F%2Fpix.org%2Ffr%2Fsupport';
+      const expectedResetUrl =
+        'https://test.app.pix.org/api/users/validate-email?token=token&redirect_url=https%3A%2F%2Ftest.app.pix.org%2Fmot-de-passe-oublie%3Flang%3Dfr';
+      expect(resetUrl).to.equal(expectedResetUrl);
+      expect(helpDeskUrl).to.equal(expectedSupportUrl);
     });
   });
 
   describe('when the locale is nl-BE', function () {
-    it('provides the correct reset password URL', function () {
+    it('provides the correct urls', function () {
       // given
       const emailParams = {
         email: 'toto@example.net',
         locale: 'nl-BE',
         firstName: 'John',
+        validationToken: 'token',
       };
 
       // when
       const email = createWarningConnectionEmail(emailParams);
 
       // then
-      const resetUrl = email.variables.resetUrl;
-      expect(resetUrl).to.equal('https://test.app.pix.org/mot-de-passe-oublie?lang=nl');
+      const { resetUrl, helpDeskUrl } = email.variables;
+      const expectedResetUrl =
+        'https://test.app.pix.org/api/users/validate-email?token=token&redirect_url=https%3A%2F%2Ftest.app.pix.org%2Fmot-de-passe-oublie%3Flang%3Dnl';
+
+      const expectedSupportUrl =
+        'https://test.app.pix.org/api/users/validate-email?token=token&redirect_url=https%3A%2F%2Fpix.org%2Fnl-be%2Fsupport';
+      expect(resetUrl).to.equal(expectedResetUrl);
+      expect(helpDeskUrl).to.equal(expectedSupportUrl);
     });
   });
 });
diff --git a/api/tests/identity-access-management/unit/domain/usecases/authenticate-user_test.js b/api/tests/identity-access-management/unit/domain/usecases/authenticate-user_test.js
@@ -20,6 +20,7 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
   let adminMemberRepository;
   let pixAuthenticationService;
   let emailRepository;
+  let emailValidationDemandRepository;
   let clock;
 
   const userEmail = 'user@example.net';
@@ -51,7 +52,7 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
     pixAuthenticationService = {
       getUserByUsernameAndPassword: sinon.stub(),
     };
-
+    emailValidationDemandRepository = { save: sinon.stub() };
     emailRepository = { sendEmailAsync: sinon.stub() };
   });
 
@@ -387,21 +388,21 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
           userId: user.id,
           lastLoggedAt: '2020-01-01',
         });
-
+        const validationToken = 'token';
         const expectedEmail = createWarningConnectionEmail({
           email: user.email,
           firstName: user.firstName,
           locale: user.locale,
+          validationToken,
         });
 
         pixAuthenticationService.getUserByUsernameAndPassword.resolves(user);
         tokenService.createAccessTokenFromUser
           .withArgs({ userId: user.id, source, audience })
           .resolves({ accessToken, expirationDelaySeconds });
-
+        emailValidationDemandRepository.save.withArgs(user.id).resolves(validationToken);
         userLoginRepository.findByUserId.resolves(userLogins);
 
-        // when
         await authenticateUser({
           username: userEmail,
           password,
@@ -413,6 +414,7 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
           userRepository,
           userLoginRepository,
           emailRepository,
+          emailValidationDemandRepository,
           audience,
         });
 
diff --git a/api/tests/shared/unit/infrastructure/utils/url-builder_test.js b/api/tests/shared/unit/infrastructure/utils/url-builder_test.js
@@ -119,25 +119,25 @@ describe('Unit | Shared | Infrastructure | Utils | url-builder', function () {
       it('returns email validation URL with domain .fr', function () {
         // given
         const redirectUrl = 'https://app.pix.fr/connexion';
-        const expectedParams = new URLSearchParams({ redirect_url: redirectUrl });
 
         // when
         const url = urlBuilder.getEmailValidationUrl({ redirectUrl });
 
         // then
-        expect(url).to.equal(
-          `${config.domain.pixApp + config.domain.tldFr}/api/users/validate-email?${expectedParams.toString()}`,
-        );
+        expect(url).to.equal(redirectUrl);
       });
     });
 
     context('when redirect_url is not given', function () {
       it('returns email validation URL with domain .fr', function () {
+        // given
+        const token = '00000000-0000-0000-0000-000000000000';
+
         // when
-        const url = urlBuilder.getEmailValidationUrl();
+        const url = urlBuilder.getEmailValidationUrl({ token });
 
         // then
-        expect(url).to.equal(`${config.domain.pixApp + config.domain.tldFr}/api/users/validate-email?`);
+        expect(url).to.equal(`${config.domain.pixApp + config.domain.tldFr}/api/users/validate-email?token=${token}`);
       });
     });
   });
