fix(mimoquage): refresh phone, skip missing-info modal, restore banner (#3253)

Author: LucasCharrier

packages/app/src/app/avis-cse/layout.tsx

@@ -1,7 +1,7 @@
 import { redirect } from "next/navigation";
 import { CseOpinionLayout } from "~/modules/cseOpinion";
-import { extractSiren } from "~/modules/my-space";
 import { auth } from "~/server/auth";
+import { getEffectiveSiren } from "~/server/auth/companyAccess";
 import { api } from "~/trpc/server";
 
 export default async function CseOpinionRootLayout({
@@ -15,12 +15,11 @@ export default async function CseOpinionRootLayout({
 		redirect("/login");
 	}
 
-	const siret = session.user.siret;
-	if (!siret) {
+	const siren = getEffectiveSiren(session);
+	if (!siren) {
 		redirect("/");
 	}
 
-	const siren = extractSiren(siret);
 	const [company, declarationData] = await Promise.all([
 		api.company.get({ siren }),
 		api.declaration.getOrCreate(),

packages/app/src/app/declaration-remuneration/layout.tsx

@@ -3,8 +3,8 @@ import {
 	DeclarationLayout,
 	MissingSiret,
 } from "~/modules/declaration-remuneration";
-import { extractSiren } from "~/modules/domain";
 import { auth } from "~/server/auth";
+import { getEffectiveSiren } from "~/server/auth/companyAccess";
 import { api } from "~/trpc/server";
 
 export default async function DeclarationRootLayout({
@@ -18,12 +18,11 @@ export default async function DeclarationRootLayout({
 		redirect("/login");
 	}
 
-	const siret = session.user.siret;
-	if (!siret) {
+	const siren = getEffectiveSiren(session);
+	if (!siren) {
 		return <MissingSiret />;
 	}
 
-	const siren = extractSiren(siret);
 	const [company, declarationData] = await Promise.all([
 		api.company.get({ siren }),
 		api.declaration.getOrCreate(),

packages/app/src/app/mon-espace/page.tsx

@@ -2,7 +2,8 @@ import { redirect } from "next/navigation";
 
 import { MonEspacePage } from "~/modules/my-space";
 import { auth } from "~/server/auth";
-import { HydrateClient } from "~/trpc/server";
+import { getEffectiveSiren } from "~/server/auth/companyAccess";
+import { api, HydrateClient } from "~/trpc/server";
 
 export default async function Page() {
 	const session = await auth();
@@ -11,18 +12,24 @@ export default async function Page() {
 		redirect("/login");
 	}
 
-	// When an admin is impersonating a company, use the impersonated SIREN
-	// (padded to SIRET length so MonEspacePage can extract it the same way).
-	const effectiveSiret =
-		session.user.isAdmin && session.user.impersonation
-			? session.user.impersonation.siren
-			: (session.user.siret ?? null);
+	// When an admin is impersonating a company, use the impersonated SIREN.
+	// MonEspacePage expects a SIRET-length string for symmetric handling;
+	// passing the SIREN (9 chars) is fine since it only reads the first 9.
+	const effectiveSiret = getEffectiveSiren(session);
+
+	// The JWT only captures `phone` at sign-in, so `session.user.phone` goes
+	// stale as soon as the user saves a phone through the missing-info modal
+	// and re-triggers it on every render. Reading from the profile table on
+	// each page load keeps the missing-info gate honest. Fall back to `null`
+	// when the profile row is missing so the page still renders (the modal
+	// will prompt for a phone number just like before).
+	const profile = await api.profile.get().catch(() => null);
 
 	return (
 		<HydrateClient>
 			<MonEspacePage
 				siret={effectiveSiret}
-				userPhone={session.user.phone ?? null}
+				userPhone={profile?.phone ?? null}
 			/>
 		</HydrateClient>
 	);

packages/app/src/modules/my-space/DeclarationLink.tsx

@@ -1,5 +1,6 @@
 "use client";
 
+import { useIsImpersonating } from "~/modules/auth";
 import { hasRequiredDeclarationInfo } from "~/modules/domain";
 
 import { DECLARATION_PROCESS_PANEL_ID } from "./DeclarationProcessPanel";
@@ -16,7 +17,9 @@ type Props = {
 
 /** Link that opens the missing info modal if phone or CSE is missing, or navigates/opens panel directly. */
 export function DeclarationLink({ type, userPhone, hasCse, children }: Props) {
-	const hasMissingInfo = !hasRequiredDeclarationInfo(userPhone, hasCse);
+	const isImpersonating = useIsImpersonating();
+	const hasMissingInfo =
+		!isImpersonating && !hasRequiredDeclarationInfo(userPhone, hasCse);
 
 	// When info is missing, open missing-info modal (for both types)
 	if (hasMissingInfo) {

packages/app/src/modules/my-space/MissingInfoModal.tsx

@@ -2,6 +2,7 @@
 
 import { useCallback, useEffect, useMemo, useRef, useState } from "react";
 
+import { useIsImpersonating } from "~/modules/auth";
 import { getDsfrModal } from "~/modules/shared";
 import { PhoneField } from "~/modules/shared/PhoneField";
 import { useDsfrDialogOpen } from "~/modules/shared/useDsfrDialogOpen";
@@ -33,6 +34,7 @@ function getDescription(needsPhone: boolean, needsCse: boolean): string {
 type OpenerType = "remuneration" | "representation";
 
 export function MissingInfoModal({ siren, userPhone, hasCse }: Props) {
+	const isImpersonating = useIsImpersonating();
 	const dialogRef = useRef<HTMLDialogElement>(null);
 	const openerTypeRef = useRef<OpenerType>("remuneration");
 	const needsPhone = !userPhone;
@@ -124,6 +126,12 @@ export function MissingInfoModal({ siren, userPhone, hasCse }: Props) {
 	const isPending =
 		updatePhoneMutation.isPending || updateHasCseMutation.isPending;
 
+	// Admin impersonation is read-only: every write would be blocked server-side
+	// (issue #3230), so prompting for missing info is pure noise.
+	if (isImpersonating) {
+		return null;
+	}
+
 	return (
 		<dialog
 			aria-labelledby={MODAL_TITLE_ID}

packages/app/src/modules/my-space/__tests__/DeclarationLink.test.tsx

@@ -1,9 +1,17 @@
 import { render, screen } from "@testing-library/react";
-import { describe, expect, it } from "vitest";
+import { useSession } from "next-auth/react";
+import { afterEach, describe, expect, it, vi } from "vitest";
 
+import { mockImpersonatingSession } from "~/test/impersonationMock";
 import { DeclarationLink } from "../DeclarationLink";
 
+const mockedUseSession = vi.mocked(useSession);
+
 describe("DeclarationLink", () => {
+	afterEach(() => {
+		mockedUseSession.mockReset();
+	});
+
 	it("renders remuneration as a button opening the process panel when info is present", () => {
 		render(
 			<DeclarationLink hasCse={true} type="remuneration" userPhone="0122334455">
@@ -63,4 +71,20 @@ describe("DeclarationLink", () => {
 		const button = screen.getByRole("button", { name: "Représentation" });
 		expect(button).toBeInTheDocument();
 	});
+
+	it("bypasses missing info modal during admin impersonation", () => {
+		mockImpersonatingSession(mockedUseSession);
+
+		render(
+			<DeclarationLink hasCse={null} type="remuneration" userPhone={null}>
+				Rémunération
+			</DeclarationLink>,
+		);
+
+		const button = screen.getByRole("button", { name: "Rémunération" });
+		expect(button).toHaveAttribute(
+			"aria-controls",
+			"declaration-process-panel",
+		);
+	});
 });

packages/app/src/modules/my-space/__tests__/MissingInfoModal.test.tsx

@@ -1,5 +1,10 @@
 import { render, screen } from "@testing-library/react";
-import { describe, expect, it, vi } from "vitest";
+import { useSession } from "next-auth/react";
+import { afterEach, describe, expect, it, vi } from "vitest";
+
+import { mockImpersonatingSession } from "~/test/impersonationMock";
+
+const mockedUseSession = vi.mocked(useSession);
 
 vi.mock("~/trpc/react", () => ({
 	api: {
@@ -148,4 +153,19 @@ describe("MissingInfoModal", () => {
 			screen.getByRole("button", { name: "Enregistrer", hidden: true }),
 		).not.toBeDisabled();
 	});
+
+	describe("admin impersonation", () => {
+		afterEach(() => {
+			mockedUseSession.mockReset();
+		});
+
+		it("does not render the modal when impersonating", () => {
+			mockImpersonatingSession(mockedUseSession);
+
+			const { container } = render(
+				<MissingInfoModal hasCse={null} siren="532847196" userPhone={null} />,
+			);
+			expect(container.querySelector("#missing-info-modal")).toBeNull();
+		});
+	});
 });

packages/app/src/server/api/routers/__tests__/declaration.test.ts

@@ -722,26 +722,41 @@ describe("declarationRouter", () => {
 			);
 		});
 
-		it("refuses getOrCreate when no declaration exists (would create a draft)", async () => {
-			// Simulate the "no existing row" branch — where getOrCreate would
-			// normally insert a new draft. The impersonation guard fires right
-			// before the insert, so the admin never creates a draft in the
-			// user's name.
-			const txSelect = vi.fn().mockImplementation(() => ({
-				from: vi.fn().mockReturnValue({
-					where: vi.fn().mockReturnValue({
-						limit: vi.fn().mockResolvedValue([]),
+		it("returns a placeholder declaration in mimoquage when none exists (no insert)", async () => {
+			// When an admin mimoques a company that has not started a
+			// declaration, getOrCreate must return a transient empty row so the
+			// read-only UI can render. No INSERT is performed (issue #3230).
+			const emptySelect = () =>
+				vi.fn().mockImplementation(() => ({
+					from: vi.fn().mockReturnValue({
+						where: vi.fn().mockReturnValue({
+							limit: vi.fn().mockResolvedValue([]),
+						}),
 					}),
-				}),
-			}));
-			const tx = { select: txSelect, insert: vi.fn(), delete: vi.fn() };
+				}));
+			const insertSpy = vi.fn();
+			const tx = {
+				select: emptySelect(),
+				insert: insertSpy,
+				delete: vi.fn(),
+			};
 			mockTransaction.mockImplementation(async (fn: (tx: unknown) => unknown) =>
 				fn(tx),
 			);
-			const mockDb = { transaction: mockTransaction } as unknown;
+			const mockDb = {
+				transaction: mockTransaction,
+				select: emptySelect(),
+			} as unknown;
 			const caller = await createCaller(mockDb, null, impersonation);
 
-			await expect(caller.getOrCreate()).rejects.toThrow("Mode mimoquage");
+			const result = await caller.getOrCreate();
+			expect(result.declaration.id).toBe("");
+			expect(result.declaration.siren).toBe(impersonation.siren);
+			expect(result.declaration.status).toBe("draft");
+			expect(result.declaration.currentStep).toBe(0);
+			expect(result.jobCategories).toEqual([]);
+			expect(result.employeeCategories).toEqual([]);
+			expect(insertSpy).not.toHaveBeenCalled();
 		});
 
 		it("allows getOrCreate when an existing declaration is returned", async () => {

packages/app/src/server/api/routers/declaration.ts

@@ -24,6 +24,7 @@ import {
 } from "~/server/db/schema";
 import {
 	buildEmployeeCategoryValues,
+	buildPlaceholderDeclaration,
 	deleteJobAndEmployeeCategories,
 	fetchAllCategories,
 	fetchPreviousYearJobCategories,
@@ -56,7 +57,20 @@ export const declarationRouter = createTRPCRouter({
 
 			// Admins impersonating a company can view an existing declaration in
 			// read-only mode, but must not silently create a new draft in the
-			// user's name (issue #3230).
+			// user's name (issue #3230). When no row exists yet, return a
+			// transient placeholder so the read-only UI can still render — it
+			// is never persisted.
+			if (ctx.session.user.isAdmin && ctx.session.user.impersonation) {
+				return {
+					declaration: buildPlaceholderDeclaration({
+						siren,
+						year,
+						declarantId: ctx.session.user.id,
+					}),
+					jobCategories: [],
+					employeeCategories: [],
+				};
+			}
 			assertNotImpersonating(ctx.session);
 
 			const newDeclaration = await tx

packages/app/src/server/api/routers/declarationHelpers.ts

@@ -1,11 +1,50 @@
-import { and, desc, eq, lt } from "drizzle-orm";
+import { and, desc, eq, getTableColumns, lt } from "drizzle-orm";
 
 import {
 	declarations,
 	employeeCategories,
 	jobCategories,
 } from "~/server/db/schema";
 
+type DeclarationRow = typeof declarations.$inferSelect;
+
+/**
+ * Build a transient, zero-value declaration row used to satisfy the read-only
+ * UI when an admin impersonates a company that has not started a declaration
+ * yet (issue #3230). The row is never persisted — it only exists in memory
+ * to let layouts and step pages render their empty state without
+ * short-circuiting on a missing record.
+ *
+ * All columns default to `null`; the identifying / non-null-in-schema fields
+ * (id, siren, year, declarantId, currentStep, status, timestamps) are
+ * overridden explicitly so TypeScript enforces the shape.
+ */
+export function buildPlaceholderDeclaration({
+	siren,
+	year,
+	declarantId,
+}: {
+	siren: string;
+	year: number;
+	declarantId: string;
+}): DeclarationRow {
+	const allNull = Object.fromEntries(
+		Object.keys(getTableColumns(declarations)).map((key) => [key, null]),
+	);
+	const now = new Date();
+	return {
+		...allNull,
+		id: "",
+		siren,
+		year,
+		declarantId,
+		currentStep: 0,
+		status: "draft",
+		createdAt: now,
+		updatedAt: now,
+	} as DeclarationRow;
+}
+
 export type Tx = Parameters<
 	Parameters<import("~/server/db").DB["transaction"]>[0]
 >[0];