From f5f831dfb0e8dbad6bad454c1d117308c710bb31 Mon Sep 17 00:00:00 2001
From: Alpinux <cedric.abonnel@gmail.com>
Date: Mon, 4 May 2026 00:46:05 +0200
Subject: [PATCH] OTP : configuration via kc_action, login redirige vers profil
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- auth/otp_setup.php : déclenche CONFIGURE_TOTP via kc_action Keycloak
- Tuile OTP pointe vers otp_setup.php (plus de lien externe vers la console)
- Bouton Activer en btn-primary, Reconfigurer en btn-outline
- login.php : redirige vers /profile.php si déjà connecté

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 web/auth/login.php     |  2 +-
 web/auth/otp_setup.php | 25 +++++++++++++++++++++++++
 web/profile.php        |  6 ++----
 3 files changed, 28 insertions(+), 5 deletions(-)
 create mode 100644 web/auth/otp_setup.php

diff --git a/web/auth/login.php b/web/auth/login.php
index 5275c9b..4e5c524 100644
--- a/web/auth/login.php
+++ b/web/auth/login.php
@@ -6,7 +6,7 @@ require_once __DIR__ . '/../inc/oidc.php';
 session_start_safe();
 
 if (current_user()) {
-    header('Location: /dashboard.php');
+    header('Location: /profile.php');
     exit;
 }
 
diff --git a/web/auth/otp_setup.php b/web/auth/otp_setup.php
new file mode 100644
index 0000000..5a8680e
--- /dev/null
+++ b/web/auth/otp_setup.php
@@ -0,0 +1,25 @@
+<?php
+require_once __DIR__ . '/../inc/config.php';
+require_once __DIR__ . '/../inc/auth.php';
+
+session_start_safe();
+require_login();
+
+$state = bin2hex(random_bytes(16));
+$nonce = bin2hex(random_bytes(16));
+$_SESSION['oidc_state'] = $state;
+$_SESSION['oidc_nonce'] = $nonce;
+$_SESSION['next_url']   = '/profile.php';
+
+$url = ALPID_AUTH_URL . '?' . http_build_query([
+    'client_id'     => ALPID_CLIENT_ID,
+    'response_type' => 'code',
+    'scope'         => 'openid profile email',
+    'redirect_uri'  => CALLBACK_URL,
+    'state'         => $state,
+    'nonce'         => $nonce,
+    'kc_action'     => 'CONFIGURE_TOTP',
+]);
+
+header('Location: ' . $url);
+exit;
diff --git a/web/profile.php b/web/profile.php
index 445fe96..774c260 100644
--- a/web/profile.php
+++ b/web/profile.php
@@ -128,8 +128,7 @@ $gps      = ($membership && is_file($gps_file))
     ? (json_decode(file_get_contents($gps_file), true)[$membership['id']] ?? null)
     : null;
 
-$otp         = kc_get_otp_credential($user['sub']);
-$otp_setup_url = ALPID_BASE . '/realms/' . ALPID_REALM . '/account/#/security/signingin';
+$otp = kc_get_otp_credential($user['sub']);
 
 $is_adherent = $user['is_adherent']
     || ($membership && $membership['status']===1 && $membership['date_fin_ts']>time());
@@ -350,8 +349,7 @@ require __DIR__ . '/views/layout.php';
           <?= $otp ? 'Activée' : 'Désactivée' ?>
         </div>
       </div>
-      <a href="<?= htmlspecialchars($otp_setup_url) ?>" target="_blank" rel="noopener"
-         class="btn-outline btn-sm tile-action">
+      <a href="/auth/otp_setup.php" class="btn-<?= $otp ? 'outline' : 'primary' ?> btn-sm tile-action">
         <?= $otp ? 'Reconfigurer' : 'Activer' ?>
       </a>
     </div>