feat: améliorer le flux OAuth et l'UX du Dashboard après consentement

- Ajouter contrainte unique sur usage_point_id (PDL) avec gestion race condition
- Améliorer l'affichage des erreurs de consentement (PDL déjà existant)
- Ajouter écran de chargement global après retour du consentement
- Afficher overlay de synchronisation automatique sur les nouveaux PDL
- Supprimer le filtre "Afficher les PDL désactivés" (toujours visibles)
- Ajouter bouton Supprimer sur les PDL désactivés (mode compact)
- Corriger double exécution useEffect avec useRef guard
- Persister états de chargement/erreur via sessionStorage entre remontages

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: Clément VALENTIN

apps/api/src/main.py

@@ -214,48 +214,42 @@ async def health_check() -> HealthCheckResponse:
 # Consent callback endpoint
 @app.get("/consent", tags=["OAuth"])
 async def consent_callback(
+    request: Request,
     code: str = Query(..., description="Authorization code from Enedis"),
-    state: str = Query(..., description="State parameter containing user_id"),
+    state: str = Query(None, description="State parameter (ignored - user identified via JWT)"),
     usage_point_id: str = Query(None, description="Usage point ID from Enedis"),
     db: AsyncSession = Depends(get_db),
 ) -> RedirectResponse:
-    """Handle consent redirect from Enedis and redirect to frontend dashboard"""
+    """Handle consent redirect from Enedis and redirect to frontend dashboard.
+
+    The user is identified via their JWT token (from cookie or localStorage).
+    The PDL(s) from Enedis are automatically added to the authenticated user's account.
+    """
     # Frontend URL from settings
     frontend_url = f"{settings.FRONTEND_URL}/dashboard"
 
     logger.info("=" * 60)
     logger.debug("[CONSENT] ===== DEBUT CALLBACK ENEDIS =====")
-    logger.debug(f"[CONSENT] Code reçu: {code[:20]}...")
+    logger.debug(f"[CONSENT] Code reçu: {code[:20]}..." if code else "[CONSENT] Pas de code")
     logger.debug(f"[CONSENT] State reçu: {state}")
     logger.debug(f"[CONSENT] Usage Point ID reçu: {usage_point_id}")
     logger.debug(f"[CONSENT] Frontend URL: {frontend_url}")
-    logger.debug(f"[CONSENT] Redirect URI configuré: {settings.ENEDIS_REDIRECT_URI}")
     logger.info("=" * 60)
 
     try:
-        # Parse state - Enedis may return it with format "user_id:usage_point_id" or just "user_id"
-        # Extract only the user_id part (before the colon if present)
-        if ":" in state:
-            user_id = state.split(":")[0].strip()
-        else:
-            user_id = state.strip()
-
-        # Log for debugging
-        logger.debug(f"[CONSENT] User ID extrait du state: {user_id}")
+        # Get the authenticated user from JWT token
+        from .middleware.auth import get_current_user_optional
 
-        # Verify user exists
-        result = await db.execute(select(User).where(User.id == user_id))
-        user = result.scalar_one_or_none()
+        user = await get_current_user_optional(request, db)
 
         if not user:
-            # Log all users for debugging
-            all_users = await db.execute(select(User))
-            user_ids = [u.id for u in all_users.scalars().all()]
-            logger.error(f"[CONSENT] User not found with ID: {user_id}")
-            logger.debug(f"[CONSENT] Available users: {user_ids}")
-            # Redirect to frontend dashboard with error
-            error_msg = f"user_not_found (looking for: {user_id[:8]}...)"
-            return RedirectResponse(url=f"{frontend_url}?consent_error={error_msg}")
+            logger.error("[CONSENT] ✗ Utilisateur non authentifié - redirection vers login")
+            # Redirect to login with return URL
+            return_url = f"/oauth/callback?code={code}&usage_point_id={usage_point_id}" if usage_point_id else f"/oauth/callback?code={code}"
+            return RedirectResponse(url=f"{settings.FRONTEND_URL}/login?redirect={return_url}")
+
+        user_id = user.id
+        logger.info(f"[CONSENT] ✓ Utilisateur authentifié: {user.email} (ID: {user_id})")
 
         # Just create PDL - token will be managed globally via Client Credentials
         logger.debug("[CONSENT] ===== TRAITEMENT DU PDL =====")
@@ -283,61 +277,76 @@ async def consent_callback(
                 logger.warning(f"[CONSENT] ⚠ PDL ignoré (pas d'ID): {up}")
                 continue
 
-            # Check if PDL already exists
+            # Check if PDL already exists (globally)
             from .models import PDL
 
-            result = await db.execute(select(PDL).where(PDL.user_id == user_id, PDL.usage_point_id == usage_point_id))
-            existing_pdl = result.scalar_one_or_none()
+            result = await db.execute(select(PDL).where(PDL.usage_point_id == usage_point_id))
+            existing_pdl = result.scalars().first()
 
-            if not existing_pdl:
-                # Create new PDL
+            if existing_pdl:
+                # PDL already exists - reject via consent flow
+                # Admin must use the manual "Add PDL (admin)" button instead
+                logger.warning(f"[CONSENT] ⚠ PDL {usage_point_id} existe déjà (user_id: {existing_pdl.user_id}) - refusé")
+                return RedirectResponse(
+                    url=f"{frontend_url}?consent_error=pdl_already_exists&pdl={usage_point_id}"
+                )
+
+            # Create new PDL with race condition handling
+            try:
                 new_pdl = PDL(user_id=user_id, usage_point_id=usage_point_id)
                 db.add(new_pdl)
-                await db.flush()  # Flush to get the ID
+                await db.flush()  # Flush to get the ID - will raise IntegrityError if duplicate
                 created_count += 1
                 logger.info(f"[CONSENT] ✓ PDL créé: {usage_point_id}")
-
-                # Try to fetch contract info automatically
-                try:
-                    from .adapters import enedis_adapter
-                    from .routers.enedis import get_valid_token
-
-                    access_token = await get_valid_token(usage_point_id, user, db)
-                    if access_token:
-                        contract_data = await enedis_adapter.get_contract(usage_point_id, access_token)
-
-                        if (
-                            contract_data
-                            and "customer" in contract_data
-                            and "usage_points" in contract_data["customer"]
-                        ):
-                            usage_points = contract_data["customer"]["usage_points"]
-                            if usage_points and len(usage_points) > 0:
-                                usage_point = usage_points[0]
-
-                                if "contracts" in usage_point:
-                                    contract = usage_point["contracts"]
-
-                                    if "subscribed_power" in contract:
-                                        power_str = str(contract["subscribed_power"])
-                                        new_pdl.subscribed_power = int(
-                                            power_str.replace("kVA", "").replace(" ", "").strip()
-                                        )
-                                        print(
-                                            f"[CONSENT] ✓ Puissance souscrite récupérée: {new_pdl.subscribed_power} kVA"
-                                        )
-
-                                    if "offpeak_hours" in contract:
-                                        offpeak = contract["offpeak_hours"]
-                                        if isinstance(offpeak, str):
-                                            new_pdl.offpeak_hours = {"default": offpeak}
-                                        elif isinstance(offpeak, dict):
-                                            new_pdl.offpeak_hours = offpeak
-                                        logger.info(f"[CONSENT] ✓ Heures creuses récupérées: {new_pdl.offpeak_hours}")
-                except Exception as e:
-                    logger.warning(f"[CONSENT] ⚠ Impossible de récupérer les infos du contrat: {e}")
-            else:
-                logger.debug(f"[CONSENT] PDL existe déjà: {usage_point_id}")
+            except Exception as e:
+                # Handle race condition: another request created the PDL between our check and insert
+                if "UNIQUE constraint failed" in str(e) or "duplicate key" in str(e).lower():
+                    logger.warning(f"[CONSENT] ⚠ PDL {usage_point_id} créé par requête concurrente - abandon silencieux")
+                    # Don't redirect with error - let the first request handle it
+                    # Just return empty response to avoid double redirect
+                    from fastapi.responses import Response
+                    return Response(status_code=204)  # No Content - browser will ignore
+                raise  # Re-raise other exceptions
+
+            # Try to fetch contract info automatically
+            try:
+                from .adapters import enedis_adapter
+                from .routers.enedis import get_valid_token
+
+                access_token = await get_valid_token(usage_point_id, user, db)
+                if access_token:
+                    contract_data = await enedis_adapter.get_contract(usage_point_id, access_token)
+
+                    if (
+                        contract_data
+                        and "customer" in contract_data
+                        and "usage_points" in contract_data["customer"]
+                    ):
+                        usage_points_data = contract_data["customer"]["usage_points"]
+                        if usage_points_data and len(usage_points_data) > 0:
+                            usage_point_data = usage_points_data[0]
+
+                            if "contracts" in usage_point_data:
+                                contract = usage_point_data["contracts"]
+
+                                if "subscribed_power" in contract:
+                                    power_str = str(contract["subscribed_power"])
+                                    new_pdl.subscribed_power = int(
+                                        power_str.replace("kVA", "").replace(" ", "").strip()
+                                    )
+                                    logger.info(
+                                        f"[CONSENT] ✓ Puissance souscrite récupérée: {new_pdl.subscribed_power} kVA"
+                                    )
+
+                                if "offpeak_hours" in contract:
+                                    offpeak = contract["offpeak_hours"]
+                                    if isinstance(offpeak, str):
+                                        new_pdl.offpeak_hours = {"default": offpeak}
+                                    elif isinstance(offpeak, dict):
+                                        new_pdl.offpeak_hours = offpeak
+                                    logger.info(f"[CONSENT] ✓ Heures creuses récupérées: {new_pdl.offpeak_hours}")
+            except Exception as e:
+                logger.warning(f"[CONSENT] ⚠ Impossible de récupérer les infos du contrat: {e}")
 
         await db.commit()
         logger.info("[CONSENT] ✓ Commit effectué en base de données")

apps/api/src/middleware/auth.py

@@ -87,3 +87,49 @@ async def get_current_user(
 
     logger.error("[AUTH] Authentication failed")
     raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid authentication credentials")
+
+
+async def get_current_user_optional(
+    request: Request,
+    db: AsyncSession,
+) -> Optional[User]:
+    """Get current user if authenticated, return None otherwise (no exception raised).
+
+    Used for endpoints that can work with or without authentication.
+    Also checks for token in query params or cookies for OAuth callbacks.
+    """
+    # Try to get token from Authorization header
+    auth_header = request.headers.get("Authorization")
+    token = None
+
+    if auth_header and auth_header.startswith("Bearer "):
+        token = auth_header[7:]
+
+    # Try to get token from query params (for OAuth callbacks)
+    if not token:
+        token = request.query_params.get("access_token")
+
+    # Try to get token from cookies
+    if not token:
+        token = request.cookies.get("access_token")
+
+    if not token:
+        return None
+
+    # Try JWT token
+    payload = decode_access_token(token)
+    if payload:
+        user_id = payload.get("sub")
+        if user_id:
+            result = await db.execute(select(User).where(User.id == user_id))
+            user = result.scalar_one_or_none()
+            if user and user.is_active:
+                return user
+
+    # Try API key (client_secret)
+    result = await db.execute(select(User).where(User.client_secret == token))
+    user = result.scalar_one_or_none()
+    if user and user.is_active:
+        return user
+
+    return None

apps/api/src/models/pdl.py

@@ -9,7 +9,7 @@ class PDL(Base, TimestampMixin):
     __tablename__ = "pdls"
 
     id: Mapped[str] = mapped_column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
-    usage_point_id: Mapped[str] = mapped_column(String(14), nullable=False, index=True)
+    usage_point_id: Mapped[str] = mapped_column(String(14), nullable=False, unique=True, index=True)
     user_id: Mapped[str] = mapped_column(String(36), ForeignKey("users.id"), nullable=False)
     name: Mapped[str | None] = mapped_column(String(100), nullable=True)  # Custom name for PDL
     display_order: Mapped[int | None] = mapped_column(Integer, nullable=True)  # Custom sort order

apps/api/src/routers/oauth.py

@@ -1,3 +1,4 @@
+import uuid
 from datetime import datetime, timedelta, UTC
 from fastapi import APIRouter, Depends, Query, Path
 from fastapi.responses import RedirectResponse
@@ -9,22 +10,37 @@
 from ..middleware import get_current_user
 from ..adapters import enedis_adapter
 from ..config import settings
+from ..services.cache import cache_service
 
 router = APIRouter(prefix="/oauth", tags=["OAuth"])
 
+# TTL for OAuth state mapping (10 minutes)
+OAUTH_STATE_TTL = 600
+
 
 @router.get("/authorize", response_model=APIResponse)
 async def get_authorize_url(
     current_user: User = Depends(get_current_user),
 ) -> APIResponse:
     """Get Enedis OAuth authorization URL - Consent is account-level, not per PDL"""
+    # Generate a random state for CSRF protection
+    state = str(uuid.uuid4())
+
+    # Store the mapping state -> user_id in Redis (TTL: 10 minutes)
+    if cache_service.redis_client:
+        await cache_service.redis_client.set(
+            f"oauth_state:{state}",
+            current_user.id,
+            ex=OAUTH_STATE_TTL
+        )
+
     # Build authorization URL
     params = {
         "client_id": settings.ENEDIS_CLIENT_ID,
         "response_type": "code",
         "duration": "P36M",  # 36 months
         "redirect_uri": settings.ENEDIS_REDIRECT_URI,
-        "state": current_user.id,  # Only user_id in state
+        "state": state,
     }
 
     param_str = "&".join([f"{k}={v}" for k, v in params.items()])
@@ -39,6 +55,20 @@ async def get_authorize_url(
     )
 
 
+@router.get("/verify-state", response_model=APIResponse)
+async def verify_oauth_state(
+    state: str = Query(..., description="OAuth state to verify"),
+) -> APIResponse:
+    """Verify an OAuth state and return the associated user_id (for debugging)"""
+    if not cache_service.redis_client:
+        return APIResponse(success=False, error=ErrorDetail(code="CACHE_ERROR", message="Cache not available"))
+
+    user_id = await cache_service.redis_client.get(f"oauth_state:{state}")
+    if user_id:
+        return APIResponse(success=True, data={"user_id": user_id.decode() if isinstance(user_id, bytes) else user_id, "state": state})
+    return APIResponse(success=False, error=ErrorDetail(code="STATE_NOT_FOUND", message="State not found or expired"))
+
+
 @router.get("/callback", response_model=APIResponse)
 async def oauth_callback(
     code: str = Query(..., description="Authorization code from Enedis", openapi_examples={"auth_code": {"summary": "Authorization code", "value": "abc123xyz789"}}),

apps/web/src/App.tsx

@@ -7,6 +7,7 @@ import Login from './pages/Login'
 import Signup from './pages/Signup'
 import Dashboard from './pages/Dashboard'
 import OAuthCallback from './pages/OAuthCallback'
+import ConsentRedirect from './pages/ConsentRedirect'
 import Settings from './pages/Settings'
 import VerifyEmail from './pages/VerifyEmail'
 import Admin from './pages/Admin'
@@ -324,6 +325,8 @@ function App() {
           </ProtectedRoute>
         }
       />
+      {/* Route for Enedis consent redirect - forwards to backend */}
+      <Route path="/consent" element={<ConsentRedirect />} />
       <Route path="/verify-email" element={<VerifyEmail />} />
 
       {/* Error pages */}