Merge branch 'develop' into 80-scripts-sql

Author: pierrick-fonquerne

src/backend/src/FantasyRealm.Api/Controllers/EmployeeManagementController.cs

@@ -120,6 +120,33 @@ public async Task<IActionResult> UpdateStatus(int id, [FromBody] UpdateUserStatu
             return Ok(result.Value);
         }
 
+        /// <summary>
+        /// Resets an employee's password with a generated temporary password.
+        /// Sets the MustChangePassword flag and sends the new credentials by email.
+        /// </summary>
+        /// <param name="id">The employee identifier.</param>
+        /// <param name="cancellationToken">Cancellation token.</param>
+        /// <returns>No content on success.</returns>
+        /// <response code="204">Password reset successfully.</response>
+        /// <response code="403">Target user is not an employee.</response>
+        /// <response code="404">Employee not found.</response>
+        [HttpPost("{id:int}/reset-password")]
+        [ProducesResponseType(StatusCodes.Status204NoContent)]
+        [ProducesResponseType(StatusCodes.Status403Forbidden)]
+        [ProducesResponseType(StatusCodes.Status404NotFound)]
+        public async Task<IActionResult> ResetPassword(int id, CancellationToken cancellationToken)
+        {
+            if (!TryGetUserId(out var adminId))
+                return Unauthorized(new { message = "Utilisateur non identifié." });
+
+            var result = await employeeManagementService.ResetPasswordAsync(id, adminId, cancellationToken);
+
+            if (result.IsFailure)
+                return StatusCode(result.ErrorCode ?? 400, new { message = result.Error });
+
+            return NoContent();
+        }
+
         /// <summary>
         /// Permanently deletes an employee account.
         /// Sends a notification email before deletion.

src/backend/src/FantasyRealm.Application/Interfaces/IEmployeeManagementService.cs

@@ -67,6 +67,18 @@ Task<Result<EmployeeManagementResponse>> ReactivateAsync(
             int adminId,
             CancellationToken cancellationToken);
 
+        /// <summary>
+        /// Resets an employee's password with a generated temporary password.
+        /// Sets the MustChangePassword flag and sends the new credentials by email.
+        /// </summary>
+        /// <param name="employeeId">The employee identifier.</param>
+        /// <param name="adminId">The administrator performing the action.</param>
+        /// <param name="cancellationToken">Cancellation token.</param>
+        Task<Result<Unit>> ResetPasswordAsync(
+            int employeeId,
+            int adminId,
+            CancellationToken cancellationToken);
+
         /// <summary>
         /// Permanently deletes an employee account.
         /// Sends a notification email before deletion.

src/backend/src/FantasyRealm.Application/Services/EmployeeManagementService.cs

@@ -14,6 +14,7 @@ namespace FantasyRealm.Application.Services
     public sealed class EmployeeManagementService(
         IUserRepository userRepository,
         IPasswordHasher passwordHasher,
+        IPasswordGenerator passwordGenerator,
         IEmailService emailService,
         IActivityLogService activityLogService,
         ILogger<EmployeeManagementService> logger) : IEmployeeManagementService
@@ -182,6 +183,44 @@ await emailService.SendAccountReactivatedEmailAsync(
             return Result<EmployeeManagementResponse>.Success(UserMapper.ToEmployeeResponse(updated));
         }
 
+        /// <inheritdoc />
+        public async Task<Result<Unit>> ResetPasswordAsync(
+            int employeeId,
+            int adminId,
+            CancellationToken cancellationToken)
+        {
+            var employee = await userRepository.GetByIdWithRoleAsync(employeeId, cancellationToken);
+
+            if (employee is null)
+                return Result<Unit>.Failure("Employé introuvable.", 404);
+
+            if (employee.Role.Label != EmployeeRoleLabel)
+                return Result<Unit>.Failure("Seuls les mots de passe des comptes employés peuvent être réinitialisés depuis cet espace.", 403);
+
+            var temporaryPassword = passwordGenerator.GenerateSecurePassword();
+            employee.PasswordHash = passwordHasher.Hash(temporaryPassword);
+            employee.MustChangePassword = true;
+
+            await userRepository.UpdateAsync(employee, cancellationToken);
+
+            logger.LogInformation("Employee {EmployeeId} password reset by admin {AdminId}", employeeId, adminId);
+
+            try { await activityLogService.LogAsync(ActivityAction.EmployeePasswordReset, "User", employeeId, employee.Pseudo, null, cancellationToken); }
+            catch (Exception ex) { logger.LogWarning(ex, "Failed to log activity for employee password reset {EmployeeId}", employeeId); }
+
+            try
+            {
+                await emailService.SendTemporaryPasswordEmailAsync(
+                    employee.Email, employee.Pseudo, temporaryPassword, cancellationToken);
+            }
+            catch (Exception ex)
+            {
+                logger.LogWarning(ex, "Failed to send temporary password email for employee {EmployeeId}", employeeId);
+            }
+
+            return Result<Unit>.Success(Unit.Value);
+        }
+
         /// <inheritdoc />
         public async Task<Result<Unit>> DeleteAsync(
             int employeeId,

src/backend/src/FantasyRealm.Domain/Enums/ActivityAction.cs

@@ -19,6 +19,7 @@ public enum ActivityAction
         EmployeeSuspended,
         EmployeeReactivated,
         EmployeeDeleted,
+        EmployeePasswordReset,
         PasswordChanged
     }
 }

src/backend/tests/FantasyRealm.Tests.Unit/Services/EmployeeManagementServiceTests.cs

@@ -17,6 +17,7 @@ public class EmployeeManagementServiceTests
     {
         private readonly Mock<IUserRepository> _userRepoMock = new();
         private readonly Mock<IPasswordHasher> _passwordHasherMock = new();
+        private readonly Mock<IPasswordGenerator> _passwordGeneratorMock = new();
         private readonly Mock<IEmailService> _emailServiceMock = new();
         private readonly Mock<IActivityLogService> _activityLogServiceMock = new();
         private readonly Mock<ILogger<EmployeeManagementService>> _loggerMock = new();
@@ -29,6 +30,7 @@ public EmployeeManagementServiceTests()
             _sut = new EmployeeManagementService(
                 _userRepoMock.Object,
                 _passwordHasherMock.Object,
+                _passwordGeneratorMock.Object,
                 _emailServiceMock.Object,
                 _activityLogServiceMock.Object,
                 _loggerMock.Object);
@@ -318,6 +320,86 @@ public async Task ReactivateAsync_WhenNotEmployeeRole_ReturnsFailure403()
             result.ErrorCode.Should().Be(403);
         }
 
+        // -- ResetPasswordAsync ---------------------------------------------------
+
+        [Fact]
+        public async Task ResetPasswordAsync_WhenFound_SetsHashAndMustChangePassword()
+        {
+            var employee = ActiveEmployee();
+            _userRepoMock
+                .Setup(r => r.GetByIdWithRoleAsync(10, It.IsAny<CancellationToken>()))
+                .ReturnsAsync(employee);
+            _passwordGeneratorMock
+                .Setup(g => g.GenerateSecurePassword(It.IsAny<int>()))
+                .Returns("TempP@ss2025!xyz");
+            _passwordHasherMock
+                .Setup(h => h.Hash("TempP@ss2025!xyz"))
+                .Returns("hashed_temp");
+            _userRepoMock
+                .Setup(r => r.UpdateAsync(employee, It.IsAny<CancellationToken>()))
+                .ReturnsAsync(employee);
+
+            var result = await _sut.ResetPasswordAsync(10, AdminId, CancellationToken.None);
+
+            result.IsSuccess.Should().BeTrue();
+            employee.PasswordHash.Should().Be("hashed_temp");
+            employee.MustChangePassword.Should().BeTrue();
+            _userRepoMock.Verify(r => r.UpdateAsync(employee, It.IsAny<CancellationToken>()), Times.Once);
+        }
+
+        [Fact]
+        public async Task ResetPasswordAsync_WhenFound_SendsTemporaryPasswordEmail()
+        {
+            var employee = ActiveEmployee();
+            _userRepoMock
+                .Setup(r => r.GetByIdWithRoleAsync(10, It.IsAny<CancellationToken>()))
+                .ReturnsAsync(employee);
+            _passwordGeneratorMock
+                .Setup(g => g.GenerateSecurePassword(It.IsAny<int>()))
+                .Returns("TempP@ss2025!xyz");
+            _passwordHasherMock
+                .Setup(h => h.Hash(It.IsAny<string>()))
+                .Returns("hashed_temp");
+            _userRepoMock
+                .Setup(r => r.UpdateAsync(employee, It.IsAny<CancellationToken>()))
+                .ReturnsAsync(employee);
+
+            await _sut.ResetPasswordAsync(10, AdminId, CancellationToken.None);
+
+            _emailServiceMock.Verify(
+                e => e.SendTemporaryPasswordEmailAsync(
+                    "legolas@example.com", "Legolas", "TempP@ss2025!xyz",
+                    It.IsAny<CancellationToken>()),
+                Times.Once);
+        }
+
+        [Fact]
+        public async Task ResetPasswordAsync_WhenNotFound_ReturnsFailure404()
+        {
+            _userRepoMock
+                .Setup(r => r.GetByIdWithRoleAsync(999, It.IsAny<CancellationToken>()))
+                .ReturnsAsync((User?)null);
+
+            var result = await _sut.ResetPasswordAsync(999, AdminId, CancellationToken.None);
+
+            result.IsFailure.Should().BeTrue();
+            result.ErrorCode.Should().Be(404);
+        }
+
+        [Fact]
+        public async Task ResetPasswordAsync_WhenNotEmployeeRole_ReturnsFailure403()
+        {
+            var user = RegularUser();
+            _userRepoMock
+                .Setup(r => r.GetByIdWithRoleAsync(20, It.IsAny<CancellationToken>()))
+                .ReturnsAsync(user);
+
+            var result = await _sut.ResetPasswordAsync(20, AdminId, CancellationToken.None);
+
+            result.IsFailure.Should().BeTrue();
+            result.ErrorCode.Should().Be(403);
+        }
+
         // -- DeleteAsync ---------------------------------------------------------
 
         [Fact]

src/frontend/src/components/admin/ActivityLogFilters.tsx

@@ -6,6 +6,7 @@ const ACTION_OPTIONS: { value: ActivityAction; label: string }[] = [
   { value: 'EmployeeSuspended', label: 'Employé suspendu' },
   { value: 'EmployeeReactivated', label: 'Employé réactivé' },
   { value: 'EmployeeDeleted', label: 'Employé supprimé' },
+  { value: 'EmployeePasswordReset', label: 'Mot de passe employé réinitialisé' },
   { value: 'UserSuspended', label: 'Utilisateur suspendu' },
   { value: 'UserReactivated', label: 'Utilisateur réactivé' },
   { value: 'UserDeleted', label: 'Utilisateur supprimé' },

src/frontend/src/components/admin/ActivityLogTable.tsx

@@ -6,6 +6,7 @@ const ACTION_LABELS: Record<string, string> = {
   EmployeeSuspended: 'Employé suspendu',
   EmployeeReactivated: 'Employé réactivé',
   EmployeeDeleted: 'Employé supprimé',
+  EmployeePasswordReset: 'Mot de passe réinitialisé',
   UserSuspended: 'Utilisateur suspendu',
   UserReactivated: 'Utilisateur réactivé',
   UserDeleted: 'Utilisateur supprimé',
@@ -24,6 +25,7 @@ const ACTION_COLORS: Record<string, string> = {
   EmployeeSuspended: 'bg-orange-500/20 text-orange-400',
   EmployeeReactivated: 'bg-green-500/20 text-green-400',
   EmployeeDeleted: 'bg-red-500/20 text-red-400',
+  EmployeePasswordReset: 'bg-blue-500/20 text-blue-400',
   UserSuspended: 'bg-orange-500/20 text-orange-400',
   UserReactivated: 'bg-green-500/20 text-green-400',
   UserDeleted: 'bg-red-500/20 text-red-400',

src/frontend/src/components/admin/EmployeeCard.tsx

@@ -7,6 +7,7 @@ interface EmployeeCardProps {
   employee: EmployeeManagement;
   onSuspend: (id: number) => void;
   onReactivate: (id: number) => void;
+  onResetPassword: (id: number) => void;
   onDelete: (id: number) => void;
   isProcessing: boolean;
 }
@@ -15,6 +16,7 @@ export const EmployeeCard = memo(function EmployeeCard({
   employee,
   onSuspend,
   onReactivate,
+  onResetPassword,
   onDelete,
   isProcessing,
 }: EmployeeCardProps) {
@@ -55,6 +57,9 @@ export const EmployeeCard = memo(function EmployeeCard({
             aria-label={`Réactiver le compte de ${employee.pseudo}`}
             className="flex-1"
           >
+            <svg className="w-3.5 h-3.5 mr-1 inline-block" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 13l4 4L19 7" />
+            </svg>
             Réactiver
           </Button>
         ) : (
@@ -66,9 +71,25 @@ export const EmployeeCard = memo(function EmployeeCard({
             aria-label={`Suspendre le compte de ${employee.pseudo}`}
             className="flex-1"
           >
+            <svg className="w-3.5 h-3.5 mr-1 inline-block" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M18.364 18.364A9 9 0 005.636 5.636m12.728 12.728A9 9 0 015.636 5.636m12.728 12.728L5.636 5.636" />
+            </svg>
             Suspendre
           </Button>
         )}
+        <Button
+          variant="secondary"
+          size="sm"
+          onClick={() => onResetPassword(employee.id)}
+          isLoading={isProcessing}
+          aria-label={`Réinitialiser le mot de passe de ${employee.pseudo}`}
+          className="flex-1"
+        >
+          <svg className="w-3.5 h-3.5 mr-1 inline-block" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M15 7a2 2 0 012 2m4 0a6 6 0 01-7.743 5.743L11 17H9v2H7v2H4a1 1 0 01-1-1v-2.586a1 1 0 01.293-.707l5.964-5.964A6 6 0 1121 9z" />
+          </svg>
+          Mot de passe
+        </Button>
         <Button
           variant="danger"
           size="sm"
@@ -77,6 +98,9 @@ export const EmployeeCard = memo(function EmployeeCard({
           aria-label={`Supprimer le compte de ${employee.pseudo}`}
           className="flex-1"
         >
+          <svg className="w-3.5 h-3.5 mr-1 inline-block" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16" />
+          </svg>
           Supprimer
         </Button>
       </div>

src/frontend/src/components/admin/ResetPasswordModal.tsx

@@ -0,0 +1,83 @@
+import { Modal, ModalHeader, ModalBody, ModalFooter, Button } from '../ui';
+
+interface ResetPasswordModalProps {
+  isOpen: boolean;
+  targetName: string;
+  onConfirm: () => void;
+  onClose: () => void;
+  isSubmitting: boolean;
+  result: 'idle' | 'success' | 'error';
+}
+
+export function ResetPasswordModal({
+  isOpen,
+  targetName,
+  onConfirm,
+  onClose,
+  isSubmitting,
+  result,
+}: ResetPasswordModalProps) {
+  return (
+    <Modal isOpen={isOpen} onClose={onClose} size="sm">
+      <ModalHeader onClose={onClose}>
+        Réinitialiser le mot de passe
+      </ModalHeader>
+      <ModalBody>
+        {result === 'idle' && (
+          <p className="text-cream-300">
+            Réinitialiser le mot de passe de{' '}
+            <strong className="text-cream-100">{targetName}</strong> ?
+            <br />
+            <span className="text-cream-500 text-sm mt-2 block">
+              Un mot de passe temporaire sera généré et envoyé par email.
+              L'employé devra le modifier à sa prochaine connexion.
+            </span>
+          </p>
+        )}
+        {result === 'success' && (
+          <div className="flex items-start gap-3">
+            <svg className="w-6 h-6 text-success-400 flex-shrink-0 mt-0.5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
+            </svg>
+            <p className="text-cream-300">
+              Le mot de passe de <strong className="text-cream-100">{targetName}</strong> a
+              été réinitialisé avec succès. Un email contenant le mot de passe temporaire
+              lui a été envoyé.
+            </p>
+          </div>
+        )}
+        {result === 'error' && (
+          <div className="flex items-start gap-3">
+            <svg className="w-6 h-6 text-error-400 flex-shrink-0 mt-0.5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 8v4m0 4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+            </svg>
+            <p className="text-cream-300">
+              Une erreur est survenue lors de la réinitialisation du mot de passe.
+              Veuillez réessayer.
+            </p>
+          </div>
+        )}
+      </ModalBody>
+      <ModalFooter>
+        {result === 'idle' && (
+          <>
+            <Button variant="outline" size="sm" onClick={onClose} disabled={isSubmitting}>
+              Annuler
+            </Button>
+            <Button variant="primary" size="sm" onClick={onConfirm} isLoading={isSubmitting}>
+              <svg className="w-3.5 h-3.5 mr-1 inline-block" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M15 7a2 2 0 012 2m4 0a6 6 0 01-7.743 5.743L11 17H9v2H7v2H4a1 1 0 01-1-1v-2.586a1 1 0 01.293-.707l5.964-5.964A6 6 0 1121 9z" />
+              </svg>
+              Réinitialiser
+            </Button>
+          </>
+        )}
+        {(result === 'success' || result === 'error') && (
+          <Button variant="outline" size="sm" onClick={onClose}>
+            Fermer
+          </Button>
+        )}
+      </ModalFooter>
+    </Modal>
+  );
+}

src/frontend/src/components/admin/index.ts

@@ -3,3 +3,4 @@ export { ActivityLogTable } from './ActivityLogTable';
 export { AdminDashboardStats } from './AdminDashboardStats';
 export { CreateEmployeeModal } from './CreateEmployeeModal';
 export { EmployeeCard } from './EmployeeCard';
+export { ResetPasswordModal } from './ResetPasswordModal';