Neither /login nor the public season-code guess form (POST /) had
any throttling, making both an unlimited brute-force/enumeration
oracle. Adds symfony/rate-limiter and enables login_throttling on
the main firewall, plus a dedicated per-IP rate limiter on the
season-code form.
* Migrate frontend to TypeScript with Deno-based tooling (#206)
Compiles assets/*.ts via sensiolabs/typescript-bundle (standalone SWC
binary) and adds Deno for formatting, linting, type-checking, and
tests, keeping the project's no-Node/npm approach intact. Wires all
four into CI, the Justfile, and the pre-commit hook.
* fix: build TypeScript assets before running PHPUnit in CI
The tests job ran bin/console sass:build but never typescript:build,
so var/typescript/ didn't exist and any page rendering the importmap
(e.g. backoffice/base.html.twig) errored during tests.
* test: add regression test for backoffice navbar-toggler dead target
Guards against the navbar-toggler button pointing at a collapse
target (#navbarSupportedContent) that isn't rendered for the current
user — the bug hit on the login page before #210 restructured the
nav to always render at least one item (the Releases link) regardless
of auth state.
* fix: stop hand-enumerating TS files for deno check
deno check assets/*.ts assets/controllers/*.ts assets/controllers/bo/*.ts
was duplicated in CI and the Justfile, and silently misses any new
controller subdirectory (fmt/lint/test already recurse assets/ via
deno.json). Add a top-level exclude for assets/vendor/ (respected by
all deno subcommands, unlike the per-task include/exclude blocks) so
deno check assets/ can recurse safely instead.
* fix: GitHubReleasesService date parsing and falsy release name
- Move the release-mapping array_map inside the try block so a
malformed published_at (or any other parse failure) degrades to the
same empty-list fallback as an HTTP failure, instead of throwing
uncaught out of the cache callback.
- Stop treating a release literally named "0" as unnamed — the old
`?:` fallback is falsy for that string and silently substituted the
tag name instead.
- Render release dates in UTC explicitly; Twig's date filter otherwise
silently converts to the app's default timezone (Europe/Amsterdam),
which could show the wrong calendar day for releases near midnight.
* docs: add scope-creep-as-a-service rule to CLAUDE.md
Per user instruction: when a review turns up a real bug outside the
current task's scope, fix it in the same MR (with a regression test)
rather than just reporting it, unless it needs a human design call.
* test: expand coverage, dedupe data-driven tests, extract shared WebTestCase base
- Add #[CoversClass] to Base64Test and FilenameSanitizerTest
- Merge near-duplicate test methods into #[DataProvider] cases across
ResetPasswordControllerTest, SettingsControllerTest, ClaimSeasonCommandTest,
FilenameSanitizerTest, Base64Test, and SeasonRepositoryTest
- Add integration tests for previously untested controllers: public
QuizController (quiz-taking flow), LoginController, RegistrationController,
EliminationController, and PrepareEliminationController
- Add unit tests for Elimination and BankQuestion entity logic
- Extract shared WebTestCase setup/helpers (client, entityManager, login,
entity lookups, CSRF token scraping) into AbstractControllerWebTestCase,
removing duplicated boilerplate from all 14 WebTestCase files
* test: address PR review feedback
- Scope AbstractControllerWebTestCase::getCandidate/getQuizByName by
season code (both Candidate and Quiz are only unique per season, not
system-wide) and add a CandidateRepository regression test guarding
against same-named candidates in different seasons
- Add missing entityManager->clear() before verifying DB state after a
POST in PrepareEliminationControllerTest and QuestionBankControllerTest
- Add non-owner denial tests for BackofficeController::exportQuiz and
QuizQuestionController::edit/reorder, which had IsGranted checks with
no test coverage
* ci: publish PHPUnit coverage to GitHub code coverage
- Generate a Cobertura report alongside the existing JUnit report and
upload it with actions/upload-code-coverage so coverage shows up on
PRs and the default branch via GitHub's code coverage feature
- Add a step to copy both reports out of the php container before
publishing them, since var/ is a Docker volume (see the Dockerfile's
VOLUME /app/var/) and isn't bind-mounted to the runner — this also
fixes the existing JUnit report publishing step, which was silently
looking at a path that never had contets on the runner
* ci: fix coverage report paths and tolerate Code Quality not yet enabled
- Write PHPUnit's JUnit and Cobertura reports to reports/ instead of
var/, since var/ is a Docker volume (Dockerfile's VOLUME /app/var/)
that isn't bind-mounted to the runner - reports written there never
reached the host, which is also why the prior junit.xml publish step
had nothing to read. reports/ is a plain path under the project's
bind mount, so no extra copy-out step is needed
- Set fail-on-error: false on the coverage upload step: it 404s until
"Code Quality" is turned on for the repo under Settings > Code
security > Code quality, a one-time manual step