feat: EC-CUBE 4.3系 B2Bパスキー認証プラグイン初期実装

.env.tpl

@@ -0,0 +1,7 @@
+# 1Password テンプレートファイル
+# 使用方法: op inject -i .env.tpl -o .env
+
+# EcAuth クライアント設定
+ECAUTH_BASE_URL=op://EcAuth/eccube4-ecauth-plugin/base_url
+ECAUTH_CLIENT_ID=op://EcAuth/eccube4-ecauth-plugin/client_id
+ECAUTH_CLIENT_SECRET=op://EcAuth/eccube4-ecauth-plugin/client_secret

.github/workflows/ci.yml

@@ -0,0 +1,62 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  phpstan:
+    name: PHPStan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.3'
+          tools: composer
+
+      - name: Install dependencies
+        run: composer install --no-progress --prefer-dist
+
+      - name: Run PHPStan
+        run: vendor/bin/phpstan analyse --no-progress
+
+  rector:
+    name: Rector
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.3'
+          tools: composer
+
+      - name: Install dependencies
+        run: composer install --no-progress --prefer-dist
+
+      - name: Run Rector (dry-run)
+        run: vendor/bin/rector process --dry-run
+
+  cs-fixer:
+    name: PHP CS Fixer
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.3'
+          tools: composer
+
+      - name: Install dependencies
+        run: composer install --no-progress --prefer-dist
+
+      - name: Run PHP CS Fixer (dry-run)
+        run: vendor/bin/php-cs-fixer fix --dry-run --diff

.github/workflows/deploy.yml

@@ -0,0 +1,43 @@
+name: Packaging for EC-CUBE Plugin
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  deploy:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Packaging
+        working-directory: ../
+        run: |
+          rm -rf $GITHUB_WORKSPACE/.github
+          rm -rf $GITHUB_WORKSPACE/tests
+          rm -rf $GITHUB_WORKSPACE/node_modules
+          rm -f $GITHUB_WORKSPACE/Dockerfile
+          rm -f $GITHUB_WORKSPACE/docker-compose.yml
+          rm -f $GITHUB_WORKSPACE/docker-compose.override.yml
+          rm -f $GITHUB_WORKSPACE/docker-entrypoint.sh
+          rm -f $GITHUB_WORKSPACE/package.json
+          rm -f $GITHUB_WORKSPACE/package-lock.json
+          rm -f $GITHUB_WORKSPACE/yarn.lock
+          rm -f $GITHUB_WORKSPACE/playwright.config.ts
+          rm -f $GITHUB_WORKSPACE/phpstan.neon.dist
+          rm -f $GITHUB_WORKSPACE/rector.php
+          rm -f $GITHUB_WORKSPACE/.php-cs-fixer.dist.php
+          rm -f $GITHUB_WORKSPACE/.env.tpl
+          rm -f $GITHUB_WORKSPACE/CLAUDE.md
+          find $GITHUB_WORKSPACE -name "dummy" -delete
+          find $GITHUB_WORKSPACE -name ".git*" -and ! -name ".gitkeep" -print0 | xargs -0 rm -rf
+          chmod -R o+w $GITHUB_WORKSPACE
+          cd $GITHUB_WORKSPACE
+          tar cvzf ../${{ github.event.repository.name }}-${{ github.event.release.tag_name }}.tar.gz ./*
+
+      - name: Upload binaries to release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: ${{ runner.workspace }}/${{ github.event.repository.name }}-${{ github.event.release.tag_name }}.tar.gz

.github/workflows/playwright.yml

@@ -0,0 +1,66 @@
+name: Playwright E2E Tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  e2e:
+    name: E2E Tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Install Playwright browsers
+        run: npx playwright install --with-deps chromium
+
+      - name: Create .env file
+        run: |
+          cat <<'EOF' > .env
+          ECAUTH_BASE_URL=${{ secrets.ECAUTH_BASE_URL }}
+          ECAUTH_CLIENT_ID=${{ secrets.ECAUTH_CLIENT_ID }}
+          ECAUTH_CLIENT_SECRET=${{ secrets.ECAUTH_CLIENT_SECRET }}
+          EOF
+
+      - name: Start Docker environment
+        run: docker compose up -d --build --wait
+
+      - name: Wait for EC-CUBE to be ready
+        run: |
+          for i in $(seq 1 30); do
+            if curl -sk https://localhost:4430/admin/login > /dev/null 2>&1; then
+              echo "EC-CUBE is ready"
+              break
+            fi
+            echo "Waiting for EC-CUBE... ($i/30)"
+            sleep 5
+          done
+
+      - name: Run Playwright tests
+        run: npx playwright test --reporter=list
+        env:
+          BASE_URL: https://localhost:4430
+
+      - name: Upload test results
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: playwright-report
+          path: |
+            test-results/
+            playwright-report/
+          retention-days: 7
+
+      - name: Stop Docker environment
+        if: always()
+        run: docker compose down

.php-cs-fixer.dist.php

@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+$finder = PhpCsFixer\Finder::create()
+    ->in([
+        __DIR__.'/Controller',
+        __DIR__.'/Entity',
+        __DIR__.'/Form',
+        __DIR__.'/Repository',
+        __DIR__.'/Service',
+    ])
+    ->append([
+        __DIR__.'/EcAuthLoginEvent.php',
+        __DIR__.'/EcAuthLoginNav.php',
+        __DIR__.'/PluginManager.php',
+    ])
+    ->name('*.php');
+
+return (new PhpCsFixer\Config())
+    ->setRiskyAllowed(true)
+    ->setRules([
+        '@PSR12' => true,
+        'array_syntax' => ['syntax' => 'short'],
+        'no_unused_imports' => true,
+        'ordered_imports' => ['sort_algorithm' => 'alpha'],
+        'single_quote' => true,
+        'trailing_comma_in_multiline' => ['elements' => ['arrays', 'arguments', 'parameters']],
+        'blank_line_before_statement' => [
+            'statements' => ['return'],
+        ],
+    ])
+    ->setFinder($finder);

CLAUDE.md

@@ -0,0 +1,103 @@
+# CLAUDE.md
+
+このファイルは Claude Code (claude.ai/code) がこのリポジトリで作業する際のガイダンスを提供します。
+
+## プロジェクト概要
+
+EC-CUBE 4.3系管理画面向け EcAuth B2Bパスキー認証プラグイン（EcAuthLogin43）。
+EcAuth Identity Provider と連携し、管理画面にパスキー（WebAuthn/FIDO2）認証を追加する。
+
+## 開発コマンド
+
+### Docker 環境
+
+```bash
+# 起動
+docker compose up -d --build
+
+# ログ確認
+docker compose logs ec-cube
+
+# 停止
+docker compose down
+```
+
+### 静的解析
+
+```bash
+# PHPStan
+composer phpstan
+
+# Rector (dry-run)
+composer rector
+
+# PHP CS Fixer (dry-run)
+composer cs-check
+```
+
+### E2E テスト
+
+```bash
+yarn install
+npx playwright test
+```
+
+## ディレクトリ構成
+
+```
+ec-cube4-ecauth/
+├── composer.json                    # type: eccube-plugin, code: EcAuthLogin43
+├── PluginManager.php                # enable() でデフォルト Config 作成
+├── EcAuthLoginEvent.php             # TemplateEvent サブスクライバ
+├── EcAuthLoginNav.php               # 管理画面ナビゲーション
+├── Controller/
+│   ├── Admin/
+│   │   ├── ConfigController.php     # プラグイン設定画面
+│   │   └── PasskeyController.php    # パスキー管理画面
+│   ├── EcAuthCallbackController.php # 認証コールバック（認証不要）
+│   └── PasskeyAuthController.php    # パスキー認証/登録 API 中継
+├── Entity/
+│   ├── Config.php                   # plg_ecauth_login43_config
+│   └── MemberTrait.php              # dtb_member に ecauth_subject 追加
+├── Form/Type/Admin/
+│   └── ConfigType.php
+├── Repository/
+│   └── ConfigRepository.php
+├── Service/
+│   ├── EcAuthApiClient.php          # EcAuth API HTTP クライアント
+│   └── PasskeyAuthService.php       # パスキー認証ビジネスロジック
+├── Resource/
+│   ├── config/services.yaml
+│   ├── locale/messages.ja.yaml
+│   ├── template/admin/
+│   │   ├── config.twig
+│   │   ├── passkey_list.twig
+│   │   └── login_passkey.twig
+│   └── assets/js/
+│       └── webauthn.js
+├── tests/specs/                     # Playwright E2E テスト
+├── Dockerfile
+├── docker-compose.yml
+├── docker-compose.override.yml
+└── docker-entrypoint.sh
+```
+
+## EcAuth API エンドポイント（本プラグインが呼び出す）
+
+| エンドポイント | 認証方式 | 用途 |
+|----------------|----------|------|
+| `POST /b2b/passkey/authenticate/options` | client_id | チャレンジ取得 |
+| `POST /b2b/passkey/authenticate/verify` | client_id | 署名検証→認可コード |
+| `POST /b2b/passkey/register/options` | client_id + client_secret | 登録オプション |
+| `POST /b2b/passkey/register/verify` | client_id + client_secret | 登録完了 |
+| `GET /b2b/passkey/list` | Bearer Token | 一覧取得 |
+| `DELETE /b2b/passkey/{credentialId}` | Bearer Token | 削除 |
+| `POST /token` | client_id + client_secret | トークン交換 |
+
+## セキュリティ注意事項
+
+- client_secret はサーバーサイドのみ。JS に渡さない
+- CSRF トークンはフォームと AJAX 両方で送信
+- state パラメータは hash_equals() で検証、使い捨て削除
+- WebAuthn は HTTPS 必須。HTTP 時はボタン非表示
+- デプロイ先 URL を issue/PR/README に含めないこと

Controller/Admin/ConfigController.php

@@ -0,0 +1,48 @@
+<?php
+
+namespace Plugin\EcAuthLogin43\Controller\Admin;
+
+use Eccube\Controller\AbstractController;
+use Plugin\EcAuthLogin43\Form\Type\Admin\ConfigType;
+use Plugin\EcAuthLogin43\Repository\ConfigRepository;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Routing\Annotation\Route;
+
+class ConfigController extends AbstractController
+{
+    /**
+     * @var ConfigRepository
+     */
+    protected $configRepository;
+
+    public function __construct(ConfigRepository $configRepository)
+    {
+        $this->configRepository = $configRepository;
+    }
+
+    /**
+     * @Route("/%eccube_admin_route%/ecauth_login43/config", name="ecauth_login43_admin_config")
+     * @Template("@EcAuthLogin43/admin/config.twig")
+     */
+    public function index(Request $request)
+    {
+        $Config = $this->configRepository->get();
+        $form = $this->createForm(ConfigType::class, $Config);
+        $form->handleRequest($request);
+
+        if ($form->isSubmitted() && $form->isValid()) {
+            $Config = $form->getData();
+            $this->entityManager->persist($Config);
+            $this->entityManager->flush();
+
+            $this->addSuccess('ecauth_login43.admin.config.save.success', 'admin');
+
+            return $this->redirectToRoute('ecauth_login43_admin_config');
+        }
+
+        return [
+            'form' => $form->createView(),
+        ];
+    }
+}