chore: bump version to 1.3.0

- Added `moderator` role to `User` type for improved role assignment flexibility.
- Introduced `updateAdmin` method in user and content services to handle partial admin-specific updates.
- Enhanced `Content` type with `categoryId` and `iconUrl` to support richer categorization.

.gitea/workflows/backend-tests.yml

@@ -1,36 +0,0 @@
-name: Backend Tests
-
-on:
-  push:
-    paths:
-      - 'backend/**'
-  pull_request:
-    paths:
-      - 'backend/**'
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-        with:
-          version: 9
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-      - name: Get pnpm store directory
-        id: pnpm-cache
-        shell: bash
-        run: |
-          echo "STORE_PATH=$(pnpm store path --silent)" >> "${GITEA_OUTPUT:-$GITHUB_OUTPUT}"
-      - uses: actions/cache@v4
-        with:
-          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile --prefer-offline
-      - name: Run Backend Tests
-        run: pnpm -F @memegoat/backend test

.gitea/workflows/ci.yml

@@ -1,13 +1,18 @@
-name: Deploy to Production
+# Pipeline CI/CD pour Gitea Actions (Forgejo)
+# Compatible avec GitHub Actions pour la portabilité
+name: CI/CD Pipeline
 
 on:
   push:
     branches:
-      - main
+      - '**'
+    tags:
+      - 'v*'
+  pull_request:
 
 jobs:
   validate:
-    name: Validate Build & Lint
+    name: Valider ${{ matrix.component }}
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -16,23 +21,23 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Install pnpm
+      - name: Installer pnpm
         uses: pnpm/action-setup@v4
         with:
           version: 9
 
-      - name: Setup Node.js
+      - name: Configurer Node.js
         uses: actions/setup-node@v4
         with:
           node-version: 20
 
-      - name: Get pnpm store directory
+      - name: Obtenir le chemin du store pnpm
         id: pnpm-cache
         shell: bash
         run: |
           echo "STORE_PATH=$(pnpm store path --silent)" >> "${GITEA_OUTPUT:-$GITHUB_OUTPUT}"
 
-      - name: Setup pnpm cache
+      - name: Configurer le cache pnpm
         uses: actions/cache@v4
         with:
           path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
@@ -40,28 +45,45 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-pnpm-store-
 
-      - name: Install dependencies
+      - name: Installer les dépendances
         run: pnpm install --frozen-lockfile --prefer-offline
 
       - name: Lint ${{ matrix.component }}
         run: pnpm -F @memegoat/${{ matrix.component }} lint
 
+      - name: Tester ${{ matrix.component }}
+        if: matrix.component == 'backend' || matrix.component == 'frontend'
+        run: |
+          if pnpm -F @memegoat/${{ matrix.component }} run | grep -q "test"; then
+            pnpm -F @memegoat/${{ matrix.component }} test
+          else
+            echo "Pas de script de test trouvé pour ${{ matrix.component }}, passage."
+          fi
+
       - name: Build ${{ matrix.component }}
         run: pnpm -F @memegoat/${{ matrix.component }} build
         env:
           NEXT_PUBLIC_API_URL: ${{ secrets.NEXT_PUBLIC_API_URL }}
 
   deploy:
-    name: Deploy to Production
+    name: Déploiement en Production
     needs: validate
+    # Déclenchement uniquement sur push sur main ou tag de version
+    # Gitea supporte le contexte 'github' pour la compatibilité
+    if: gitea.event_name == 'push' && (gitea.ref == 'refs/heads/main' || startsWith(gitea.ref, 'refs/tags/v'))
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Deploy with Docker Compose
+      - name: Vérifier l'environnement Docker
         run: |
-          docker compose -f docker-compose.prod.yml up -d --build
+          docker version
+          docker compose version
+
+      - name: Déployer avec Docker Compose
+        run: |
+          docker compose -f docker-compose.prod.yml up -d --build --remove-orphans
         env:
           BACKEND_PORT: ${{ secrets.BACKEND_PORT }}
           FRONTEND_PORT: ${{ secrets.FRONTEND_PORT }}

.gitea/workflows/lint.yml

@@ -1,43 +0,0 @@
-name: Lint
-
-on:
-  push:
-    paths:
-      - 'frontend/**'
-      - 'backend/**'
-      - 'documentation/**'
-  pull_request:
-    paths:
-      - 'frontend/**'
-      - 'backend/**'
-      - 'documentation/**'
-
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        component: [backend, frontend, documentation]
-    steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-        with:
-          version: 9
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-      - name: Get pnpm store directory
-        id: pnpm-cache
-        shell: bash
-        run: |
-          echo "STORE_PATH=$(pnpm store path --silent)" >> "${GITEA_OUTPUT:-$GITHUB_OUTPUT}"
-      - uses: actions/cache@v4
-        with:
-          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile --prefer-offline
-      - name: Lint ${{ matrix.component }}
-        run: pnpm -F @memegoat/${{ matrix.component }} lint

.output.txt

@@ -1,225 +0,0 @@
-{
-  "name": "@memegoat/source",
-  "version": "0.0.1",
-  "description": "",
-  "scripts": {
-    "build": "pnpm run build:back && pnpm run build:front && pnpm run build:docs",
-    "build:front": "pnpm run -F @memegoat/frontend build",
-    "build:back": "pnpm run -F @memegoat/backend build",
-    "build:docs": "pnpm run -F @memegoat/documentation build",
-    "lint": "pnpm run lint:back && pnpm run lint:front && pnpm run lint:docs",
-    "lint:back": "pnpm run -F @memegoat/backend lint",
-    "lint:front": "pnpm run -F @memegoat/frontend lint",
-    "lint:docs": "pnpm run -F @memegoat/documentation lint",
-    "test": "pnpm run test:back && pnpm run test:front",
-    "test:back": "pnpm run -F @memegoat/backend test",
-    "test:front": "pnpm run -F @memegoat/frontend test",
-    "format": "pnpm run format:back && pnpm run format:front && pnpm run format:docs",
-    "format:back": "pnpm run -F @memegoat/backend format",
-    "format:front": "pnpm run -F @memegoat/frontend format",
-    "format:docs": "pnpm run -F @memegoat/documentation format",
-    "upgrade": "pnpm dlx taze minor"
-  },
-  "keywords": [],
-  "author": {
-    "name": "Mathis HERRIOT",
-    "email": "mherriot.pro@proton.me",
-    "role": "Author"
-  },
-  "license": "AGPL-3.0-only",
-  "devDependencies": {
-    "@biomejs/biome": "2.3.11"
-  }
-}
-{
-        "name": "@memegoat/backend",
-        "version": "0.0.1",
-        "description": "",
-        "author": "",
-        "private": true,
-        "license": "UNLICENSED",
-        "files": [
-                "dist",
-                ".migrations",
-                "drizzle.config.ts"
-        ],
-        "scripts": {
-                "build": "nest build",
-                "lint": "biome check",
-                "lint:write": "biome check --write",
-                "format": "biome format --write",
-                "start": "nest start",
-                "start:dev": "nest start --watch",
-                "start:debug": "nest start --debug --watch",
-                "start:prod": "node dist/main",
-                "test": "jest",
-                "test:watch": "jest --watch",
-                "test:cov": "jest --coverage",
-                "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
-                "test:e2e": "jest --config ./test/jest-e2e.json",
-                "db:generate": "drizzle-kit generate",
-                "db:migrate": "drizzle-kit migrate",
-                "db:studio": "drizzle-kit studio"
-        },
-        "dependencies": {
-                "@nestjs-modules/mailer": "^2.0.2",
-                "@nestjs/cache-manager": "^3.1.0",
-                "@nestjs/common": "^11.0.1",
-                "@nestjs/config": "^4.0.2",
-                "@nestjs/core": "^11.0.1",
-                "@nestjs/mapped-types": "^2.1.0",
-                "@nestjs/platform-express": "^11.0.1",
-                "@nestjs/schedule": "^6.1.0",
-                "@nestjs/throttler": "^6.5.0",
-                "@noble/post-quantum": "^0.5.4",
-                "@node-rs/argon2": "^2.0.2",
-                "@sentry/nestjs": "^10.32.1",
-                "@sentry/profiling-node": "^10.32.1",
-                "cache-manager": "^7.2.7",
-                "cache-manager-redis-yet": "^5.1.5",
-                "clamscan": "^2.4.0",
-                "class-transformer": "^0.5.1",
-                "class-validator": "^0.14.3",
-                "dotenv": "^17.2.3",
-                "drizzle-orm": "^0.45.1",
-                "fluent-ffmpeg": "^2.1.3",
-                "helmet": "^8.1.0",
-                "iron-session": "^8.0.4",
-                "jose": "^6.1.3",
-                "minio": "^8.0.6",
-                "nodemailer": "^7.0.12",
-                "otplib": "^12.0.1",
-                "pg": "^8.16.3",
-                "qrcode": "^1.5.4",
-                "reflect-metadata": "^0.2.2",
-                "rxjs": "^7.8.1",
-                "sharp": "^0.34.5",
-                "uuid": "^13.0.0",
-                "zod": "^4.3.5",
-                "drizzle-kit": "^0.31.8"
-        },
-        "devDependencies": {
-                "@nestjs/cli": "^11.0.0",
-                "globals": "^16.0.0",
-                "jest": "^30.0.0",
-                "source-map-support": "^0.5.21",
-                "supertest": "^7.0.0",
-                "ts-jest": "^29.2.5",
-                "ts-loader": "^9.5.2",
-                "ts-node": "^10.9.2",
-                "tsconfig-paths": "^4.2.0",
-                "tsx": "^4.21.0",
-                "typescript": "^5.7.3",
-                "typescript-eslint": "^8.20.0",
-                "@nestjs/schematics": "^11.0.0",
-                "@nestjs/testing": "^11.0.1",
-                "@types/express": "^5.0.0",
-                "@types/fluent-ffmpeg": "^2.1.28",
-                "@types/jest": "^30.0.0",
-                "@types/multer": "^2.0.0",
-                "@types/node": "^22.10.7",
-                "@types/nodemailer": "^7.0.4",
-                "@types/pg": "^8.16.0",
-                "@types/qrcode": "^1.5.6",
-                "@types/sharp": "^0.32.0",
-                "@types/supertest": "^6.0.2",
-                "@types/uuid": "^11.0.0",
-                "drizzle-kit": "^0.31.8"
-        },
-        "jest": {
-                "moduleFileExtensions": [
-                        "js",
-                        "json",
-                        "ts"
-                ],
-                "rootDir": "src",
-                "testRegex": ".*\\.spec\\.ts$",
-                "collectCoverageFrom": [
-                        "**/*.(t|j)s"
-                ],
-                "coverageDirectory": "../coverage",
-                "testEnvironment": "node",
-                "transformIgnorePatterns": [
-                        "node_modules/(?!(.pnpm/)?(jose|@noble|uuid)/)"
-                ],
-                "transform": {
-                        "^.+\\.(t|j)sx?$": "ts-jest"
-                },
-                "moduleNameMapper": {
-                        "^@noble/post-quantum/(.*)$": "<rootDir>/../node_modules/@noble/post-quantum/$1",
-                        "^@noble/hashes/(.*)$": "<rootDir>/../node_modules/@noble/hashes/$1"
-                }
-        }
-}
-{
-        "name": "@memegoat/frontend",
-        "version": "0.0.1",
-        "private": true,
-        "scripts": {
-                "dev": "next dev",
-                "build": "next build",
-                "start": "next start",
-                "lint": "biome check",
-                "format": "biome format --write"
-        },
-        "dependencies": {
-                "@hookform/resolvers": "^5.2.2",
-                "@radix-ui/react-accordion": "^1.2.12",
-                "@radix-ui/react-alert-dialog": "^1.1.15",
-                "@radix-ui/react-aspect-ratio": "^1.1.8",
-                "@radix-ui/react-avatar": "^1.1.11",
-                "@radix-ui/react-checkbox": "^1.3.3",
-                "@radix-ui/react-collapsible": "^1.1.12",
-                "@radix-ui/react-context-menu": "^2.2.16",
-                "@radix-ui/react-dialog": "^1.1.15",
-                "@radix-ui/react-dropdown-menu": "^2.1.16",
-                "@radix-ui/react-hover-card": "^1.1.15",
-                "@radix-ui/react-label": "^2.1.8",
-                "@radix-ui/react-menubar": "^1.1.16",
-                "@radix-ui/react-navigation-menu": "^1.2.14",
-                "@radix-ui/react-popover": "^1.1.15",
-                "@radix-ui/react-progress": "^1.1.8",
-                "@radix-ui/react-radio-group": "^1.3.8",
-                "@radix-ui/react-scroll-area": "^1.2.10",
-                "@radix-ui/react-select": "^2.2.6",
-                "@radix-ui/react-separator": "^1.1.8",
-                "@radix-ui/react-slider": "^1.3.6",
-                "@radix-ui/react-slot": "^1.2.4",
-                "@radix-ui/react-switch": "^1.2.6",
-                "@radix-ui/react-tabs": "^1.1.13",
-                "@radix-ui/react-toggle": "^1.1.10",
-                "@radix-ui/react-toggle-group": "^1.1.11",
-                "@radix-ui/react-tooltip": "^1.2.8",
-                "axios": "^1.13.2",
-                "class-variance-authority": "^0.7.1",
-                "clsx": "^2.1.1",
-                "cmdk": "^1.1.1",
-                "date-fns": "^4.1.0",
-                "embla-carousel-react": "^8.6.0",
-                "input-otp": "^1.4.2",
-                "lucide-react": "^0.562.0",
-                "next": "16.1.1",
-                "next-themes": "^0.4.6",
-                "react": "19.2.3",
-                "react-day-picker": "^9.13.0",
-                "react-dom": "19.2.3",
-                "react-hook-form": "^7.71.1",
-                "react-resizable-panels": "^4.4.1",
-                "recharts": "2.15.4",
-                "sonner": "^2.0.7",
-                "tailwind-merge": "^3.4.0",
-                "vaul": "^1.1.2",
-                "zod": "^4.3.5"
-        },
-        "devDependencies": {
-                "@biomejs/biome": "2.3.11",
-                "@tailwindcss/postcss": "^4",
-                "@types/node": "^20",
-                "@types/react": "^19",
-                "@types/react-dom": "^19",
-                "babel-plugin-react-compiler": "1.0.0",
-                "tailwindcss": "^4",
-                "tw-animate-css": "^1.4.0",
-                "typescript": "^5"
-        }
-}

ROADMAP.md

@@ -47,4 +47,4 @@ Ce document définit les objectifs, les critères techniques et les fonctionnali
 - [ ] Tests d'intégration et E2E
 - [x] Gestion centralisée des erreurs (Filters NestJS)
 - [ ] Monitoring et centralisation des logs (ex: Sentry, ELK/Loki)
-- [ ] Performance : Cache (Redis) pour les tendances et recherches fréquentes
+- [x] Performance : Cache (Redis) pour les tendances et recherches fréquentes

backend/biome.json

@@ -24,7 +24,8 @@
 		"rules": {
 			"recommended": true,
 			"suspicious": {
-				"noUnknownAtRules": "off"
+				"noUnknownAtRules": "off",
+				"noExplicitAny": "off"
 			},
 			"style": {
 				"useImportType": "off"

backend/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@memegoat/backend",
-	"version": "0.0.0",
+	"version": "1.3.0",
 	"description": "",
 	"author": "",
 	"private": true,
@@ -13,7 +13,7 @@
 	"scripts": {
 		"build": "nest build",
 		"lint": "biome check",
-		"lint:write": "biome check --write",
+		"lint:write": "biome check --write --unsafe",
 		"format": "biome format --write",
 		"start": "nest start",
 		"start:dev": "nest start --watch",
@@ -107,7 +107,7 @@
 		"coverageDirectory": "../coverage",
 		"testEnvironment": "node",
 		"transformIgnorePatterns": [
-			"node_modules/(?!(.pnpm/)?(jose|@noble|uuid)/)"
+			"node_modules/(?!(.pnpm/)?(jose|@noble|uuid))"
 		],
 		"transform": {
 			"^.+\\.(t|j)sx?$": "ts-jest"

backend/src/admin/admin.controller.spec.ts

@@ -0,0 +1,62 @@
+jest.mock("uuid", () => ({
+	v4: jest.fn(() => "mocked-uuid"),
+}));
+
+jest.mock("@noble/post-quantum/ml-kem.js", () => ({
+	ml_kem768: {
+		keygen: jest.fn(),
+		encapsulate: jest.fn(),
+		decapsulate: jest.fn(),
+	},
+}));
+
+jest.mock("jose", () => ({
+	SignJWT: jest.fn().mockReturnValue({
+		setProtectedHeader: jest.fn().mockReturnThis(),
+		setIssuedAt: jest.fn().mockReturnThis(),
+		setExpirationTime: jest.fn().mockReturnThis(),
+		sign: jest.fn().mockResolvedValue("mocked-jwt"),
+	}),
+	jwtVerify: jest.fn(),
+}));
+
+import { Test, TestingModule } from "@nestjs/testing";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { RolesGuard } from "../auth/guards/roles.guard";
+import { AdminController } from "./admin.controller";
+import { AdminService } from "./admin.service";
+
+describe("AdminController", () => {
+	let controller: AdminController;
+	let service: AdminService;
+
+	const mockAdminService = {
+		getStats: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			controllers: [AdminController],
+			providers: [{ provide: AdminService, useValue: mockAdminService }],
+		})
+			.overrideGuard(AuthGuard)
+			.useValue({ canActivate: () => true })
+			.overrideGuard(RolesGuard)
+			.useValue({ canActivate: () => true })
+			.compile();
+
+		controller = module.get<AdminController>(AdminController);
+		service = module.get<AdminService>(AdminService);
+	});
+
+	it("should be defined", () => {
+		expect(controller).toBeDefined();
+	});
+
+	describe("getStats", () => {
+		it("should call service.getStats", async () => {
+			await controller.getStats();
+			expect(service.getStats).toHaveBeenCalled();
+		});
+	});
+});

backend/src/admin/admin.service.spec.ts

@@ -0,0 +1,58 @@
+import { Test, TestingModule } from "@nestjs/testing";
+import { CategoriesRepository } from "../categories/repositories/categories.repository";
+import { ContentsRepository } from "../contents/repositories/contents.repository";
+import { UsersRepository } from "../users/repositories/users.repository";
+import { AdminService } from "./admin.service";
+
+describe("AdminService", () => {
+	let service: AdminService;
+	let _usersRepository: UsersRepository;
+	let _contentsRepository: ContentsRepository;
+	let _categoriesRepository: CategoriesRepository;
+
+	const mockUsersRepository = {
+		countAll: jest.fn(),
+	};
+
+	const mockContentsRepository = {
+		count: jest.fn(),
+	};
+
+	const mockCategoriesRepository = {
+		countAll: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				AdminService,
+				{ provide: UsersRepository, useValue: mockUsersRepository },
+				{ provide: ContentsRepository, useValue: mockContentsRepository },
+				{ provide: CategoriesRepository, useValue: mockCategoriesRepository },
+			],
+		}).compile();
+
+		service = module.get<AdminService>(AdminService);
+		_usersRepository = module.get<UsersRepository>(UsersRepository);
+		_contentsRepository = module.get<ContentsRepository>(ContentsRepository);
+		_categoriesRepository =
+			module.get<CategoriesRepository>(CategoriesRepository);
+	});
+
+	it("should return stats", async () => {
+		mockUsersRepository.countAll.mockResolvedValue(10);
+		mockContentsRepository.count.mockResolvedValue(20);
+		mockCategoriesRepository.countAll.mockResolvedValue(5);
+
+		const result = await service.getStats();
+
+		expect(result).toEqual({
+			users: 10,
+			contents: 20,
+			categories: 5,
+		});
+		expect(mockUsersRepository.countAll).toHaveBeenCalled();
+		expect(mockContentsRepository.count).toHaveBeenCalledWith({});
+		expect(mockCategoriesRepository.countAll).toHaveBeenCalled();
+	});
+});

backend/src/api-keys/api-keys.controller.spec.ts

@@ -0,0 +1,95 @@
+jest.mock("uuid", () => ({
+	v4: jest.fn(() => "mocked-uuid"),
+}));
+
+jest.mock("@noble/post-quantum/ml-kem.js", () => ({
+	ml_kem768: {
+		keygen: jest.fn(),
+		encapsulate: jest.fn(),
+		decapsulate: jest.fn(),
+	},
+}));
+
+jest.mock("jose", () => ({
+	SignJWT: jest.fn().mockReturnValue({
+		setProtectedHeader: jest.fn().mockReturnThis(),
+		setIssuedAt: jest.fn().mockReturnThis(),
+		setExpirationTime: jest.fn().mockReturnThis(),
+		sign: jest.fn().mockResolvedValue("mocked-jwt"),
+	}),
+	jwtVerify: jest.fn(),
+}));
+
+import { Test, TestingModule } from "@nestjs/testing";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { AuthenticatedRequest } from "../common/interfaces/request.interface";
+import { ApiKeysController } from "./api-keys.controller";
+import { ApiKeysService } from "./api-keys.service";
+
+describe("ApiKeysController", () => {
+	let controller: ApiKeysController;
+	let service: ApiKeysService;
+
+	const mockApiKeysService = {
+		create: jest.fn(),
+		findAll: jest.fn(),
+		revoke: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			controllers: [ApiKeysController],
+			providers: [{ provide: ApiKeysService, useValue: mockApiKeysService }],
+		})
+			.overrideGuard(AuthGuard)
+			.useValue({ canActivate: () => true })
+			.compile();
+
+		controller = module.get<ApiKeysController>(ApiKeysController);
+		service = module.get<ApiKeysService>(ApiKeysService);
+	});
+
+	it("should be defined", () => {
+		expect(controller).toBeDefined();
+	});
+
+	describe("create", () => {
+		it("should call service.create", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			const dto = { name: "Key Name", expiresAt: "2026-01-20T12:00:00Z" };
+			await controller.create(req, dto);
+			expect(service.create).toHaveBeenCalledWith(
+				"user-uuid",
+				"Key Name",
+				new Date(dto.expiresAt),
+			);
+		});
+
+		it("should call service.create without expiresAt", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			const dto = { name: "Key Name" };
+			await controller.create(req, dto);
+			expect(service.create).toHaveBeenCalledWith(
+				"user-uuid",
+				"Key Name",
+				undefined,
+			);
+		});
+	});
+
+	describe("findAll", () => {
+		it("should call service.findAll", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.findAll(req);
+			expect(service.findAll).toHaveBeenCalledWith("user-uuid");
+		});
+	});
+
+	describe("revoke", () => {
+		it("should call service.revoke", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.revoke(req, "key-id");
+			expect(service.revoke).toHaveBeenCalledWith("user-uuid", "key-id");
+		});
+	});
+});

backend/src/api-keys/repositories/api-keys.repository.spec.ts

@@ -0,0 +1,83 @@
+import { Test, TestingModule } from "@nestjs/testing";
+import { DatabaseService } from "../../database/database.service";
+import { ApiKeysRepository } from "./api-keys.repository";
+
+describe("ApiKeysRepository", () => {
+	let repository: ApiKeysRepository;
+	let _databaseService: DatabaseService;
+
+	const mockDb = {
+		insert: jest.fn().mockReturnThis(),
+		values: jest.fn().mockReturnThis(),
+		select: jest.fn().mockReturnThis(),
+		from: jest.fn().mockReturnThis(),
+		where: jest.fn().mockReturnThis(),
+		update: jest.fn().mockReturnThis(),
+		set: jest.fn().mockReturnThis(),
+		returning: jest.fn().mockReturnThis(),
+		limit: jest.fn().mockReturnThis(),
+		execute: jest.fn(),
+	};
+
+	const wrapWithThen = (obj: unknown) => {
+		// biome-ignore lint/suspicious/noThenProperty: Necessary to mock Drizzle's awaitable query builder
+		Object.defineProperty(obj, "then", {
+			value: function (onFulfilled: (arg0: unknown) => void) {
+				const result = (this as Record<string, unknown>).execute();
+				return Promise.resolve(result).then(onFulfilled);
+			},
+			configurable: true,
+		});
+		return obj;
+	};
+	wrapWithThen(mockDb);
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				ApiKeysRepository,
+				{ provide: DatabaseService, useValue: { db: mockDb } },
+			],
+		}).compile();
+
+		repository = module.get<ApiKeysRepository>(ApiKeysRepository);
+		_databaseService = module.get<DatabaseService>(DatabaseService);
+	});
+
+	it("should create an api key", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		await repository.create({
+			userId: "u1",
+			name: "n",
+			prefix: "p",
+			keyHash: "h",
+		});
+		expect(mockDb.insert).toHaveBeenCalled();
+	});
+
+	it("should find all keys for user", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		const result = await repository.findAll("u1");
+		expect(result).toHaveLength(1);
+	});
+
+	it("should revoke a key", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([
+			{ id: "1", isActive: false },
+		]);
+		const result = await repository.revoke("u1", "k1");
+		expect(result[0].isActive).toBe(false);
+	});
+
+	it("should find active by hash", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		const result = await repository.findActiveByKeyHash("h");
+		expect(result.id).toBe("1");
+	});
+
+	it("should update last used", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		await repository.updateLastUsed("1");
+		expect(mockDb.update).toHaveBeenCalled();
+	});
+});

backend/src/auth/auth.controller.spec.ts

@@ -0,0 +1,190 @@
+jest.mock("uuid", () => ({
+	v4: jest.fn(() => "mocked-uuid"),
+}));
+
+jest.mock("@noble/post-quantum/ml-kem.js", () => ({
+	ml_kem768: {
+		keygen: jest.fn(),
+		encapsulate: jest.fn(),
+		decapsulate: jest.fn(),
+	},
+}));
+
+jest.mock("jose", () => ({
+	SignJWT: jest.fn().mockReturnValue({
+		setProtectedHeader: jest.fn().mockReturnThis(),
+		setIssuedAt: jest.fn().mockReturnThis(),
+		setExpirationTime: jest.fn().mockReturnThis(),
+		sign: jest.fn().mockResolvedValue("mocked-jwt"),
+	}),
+	jwtVerify: jest.fn(),
+}));
+
+import { ConfigService } from "@nestjs/config";
+import { Test, TestingModule } from "@nestjs/testing";
+import { AuthController } from "./auth.controller";
+import { AuthService } from "./auth.service";
+import { BootstrapService } from "./bootstrap.service";
+
+jest.mock("iron-session", () => ({
+	getIronSession: jest.fn().mockResolvedValue({
+		save: jest.fn(),
+		destroy: jest.fn(),
+	}),
+}));
+
+describe("AuthController", () => {
+	let controller: AuthController;
+	let authService: AuthService;
+	let _configService: ConfigService;
+
+	const mockAuthService = {
+		register: jest.fn(),
+		login: jest.fn(),
+		verifyTwoFactorLogin: jest.fn(),
+		refresh: jest.fn(),
+	};
+
+	const mockBootstrapService = {
+		consumeToken: jest.fn(),
+	};
+
+	const mockConfigService = {
+		get: jest
+			.fn()
+			.mockReturnValue("complex_password_at_least_32_characters_long"),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			controllers: [AuthController],
+			providers: [
+				{ provide: AuthService, useValue: mockAuthService },
+				{ provide: BootstrapService, useValue: mockBootstrapService },
+				{ provide: ConfigService, useValue: mockConfigService },
+			],
+		}).compile();
+
+		controller = module.get<AuthController>(AuthController);
+		authService = module.get<AuthService>(AuthService);
+		_configService = module.get<ConfigService>(ConfigService);
+	});
+
+	it("should be defined", () => {
+		expect(controller).toBeDefined();
+	});
+
+	describe("register", () => {
+		it("should call authService.register", async () => {
+			const dto = {
+				email: "test@example.com",
+				password: "password",
+				username: "test",
+			};
+			await controller.register(dto as any);
+			expect(authService.register).toHaveBeenCalledWith(dto);
+		});
+	});
+
+	describe("login", () => {
+		it("should call authService.login and setup session if success", async () => {
+			const dto = { email: "test@example.com", password: "password" };
+			const req = { ip: "127.0.0.1" } as any;
+			const res = { json: jest.fn() } as any;
+			const loginResult = {
+				access_token: "at",
+				refresh_token: "rt",
+				userId: "1",
+				message: "ok",
+			};
+			mockAuthService.login.mockResolvedValue(loginResult);
+
+			await controller.login(dto as any, "ua", req, res);
+
+			expect(authService.login).toHaveBeenCalledWith(dto, "ua", "127.0.0.1");
+			expect(res.json).toHaveBeenCalledWith({ message: "ok", userId: "1" });
+		});
+
+		it("should return result if no access_token", async () => {
+			const dto = { email: "test@example.com", password: "password" };
+			const req = { ip: "127.0.0.1" } as any;
+			const res = { json: jest.fn() } as any;
+			const loginResult = { message: "2fa_required", userId: "1" };
+			mockAuthService.login.mockResolvedValue(loginResult);
+
+			await controller.login(dto as any, "ua", req, res);
+
+			expect(res.json).toHaveBeenCalledWith(loginResult);
+		});
+	});
+
+	describe("verifyTwoFactor", () => {
+		it("should call authService.verifyTwoFactorLogin and setup session", async () => {
+			const dto = { userId: "1", token: "123456" };
+			const req = { ip: "127.0.0.1" } as any;
+			const res = { json: jest.fn() } as any;
+			const verifyResult = {
+				access_token: "at",
+				refresh_token: "rt",
+				message: "ok",
+			};
+			mockAuthService.verifyTwoFactorLogin.mockResolvedValue(verifyResult);
+
+			await controller.verifyTwoFactor(dto, "ua", req, res);
+
+			expect(authService.verifyTwoFactorLogin).toHaveBeenCalledWith(
+				"1",
+				"123456",
+				"ua",
+				"127.0.0.1",
+			);
+			expect(res.json).toHaveBeenCalledWith({ message: "ok" });
+		});
+	});
+
+	describe("refresh", () => {
+		it("should refresh token if session has refresh token", async () => {
+			const { getIronSession } = require("iron-session");
+			const session = { refreshToken: "rt", save: jest.fn() };
+			getIronSession.mockResolvedValue(session);
+			const req = {} as any;
+			const res = { json: jest.fn() } as any;
+			mockAuthService.refresh.mockResolvedValue({
+				access_token: "at2",
+				refresh_token: "rt2",
+			});
+
+			await controller.refresh(req, res);
+
+			expect(authService.refresh).toHaveBeenCalledWith("rt");
+			expect(res.json).toHaveBeenCalledWith({ message: "Token refreshed" });
+		});
+
+		it("should return 401 if no refresh token", async () => {
+			const { getIronSession } = require("iron-session");
+			const session = { save: jest.fn() };
+			getIronSession.mockResolvedValue(session);
+			const req = {} as any;
+			const res = { status: jest.fn().mockReturnThis(), json: jest.fn() } as any;
+
+			await controller.refresh(req, res);
+
+			expect(res.status).toHaveBeenCalledWith(401);
+		});
+	});
+
+	describe("logout", () => {
+		it("should destroy session", async () => {
+			const { getIronSession } = require("iron-session");
+			const session = { destroy: jest.fn() };
+			getIronSession.mockResolvedValue(session);
+			const req = {} as any;
+			const res = { json: jest.fn() } as any;
+
+			await controller.logout(req, res);
+
+			expect(session.destroy).toHaveBeenCalled();
+			expect(res.json).toHaveBeenCalledWith({ message: "User logged out" });
+		});
+	});
+});

backend/src/auth/auth.controller.ts

@@ -1,9 +1,19 @@
-import { Body, Controller, Headers, Post, Req, Res } from "@nestjs/common";
+import {
+	Body,
+	Controller,
+	Get,
+	Headers,
+	Post,
+	Query,
+	Req,
+	Res,
+} from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
 import { Throttle } from "@nestjs/throttler";
 import type { Request, Response } from "express";
 import { getIronSession } from "iron-session";
 import { AuthService } from "./auth.service";
+import { BootstrapService } from "./bootstrap.service";
 import { LoginDto } from "./dto/login.dto";
 import { RegisterDto } from "./dto/register.dto";
 import { Verify2faDto } from "./dto/verify-2fa.dto";
@@ -13,6 +23,7 @@ import { getSessionOptions, SessionData } from "./session.config";
 export class AuthController {
 	constructor(
 		private readonly authService: AuthService,
+		private readonly bootstrapService: BootstrapService,
 		private readonly configService: ConfigService,
 	) {}
 
@@ -120,4 +131,12 @@ export class AuthController {
 		session.destroy();
 		return res.json({ message: "User logged out" });
 	}
+
+	@Get("bootstrap-admin")
+	async bootstrapAdmin(
+		@Query("token") token: string,
+		@Query("username") username: string,
+	) {
+		return this.bootstrapService.consumeToken(token, username);
+	}
 }

backend/src/auth/auth.module.ts

@@ -3,6 +3,7 @@ import { SessionsModule } from "../sessions/sessions.module";
 import { UsersModule } from "../users/users.module";
 import { AuthController } from "./auth.controller";
 import { AuthService } from "./auth.service";
+import { BootstrapService } from "./bootstrap.service";
 import { AuthGuard } from "./guards/auth.guard";
 import { OptionalAuthGuard } from "./guards/optional-auth.guard";
 import { RolesGuard } from "./guards/roles.guard";
@@ -15,6 +16,7 @@ import { RbacRepository } from "./repositories/rbac.repository";
 	providers: [
 		AuthService,
 		RbacService,
+		BootstrapService,
 		RbacRepository,
 		AuthGuard,
 		OptionalAuthGuard,

backend/src/auth/bootstrap.service.spec.ts

@@ -0,0 +1,114 @@
+import { UnauthorizedException } from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import { Test, TestingModule } from "@nestjs/testing";
+import { UsersService } from "../users/users.service";
+import { BootstrapService } from "./bootstrap.service";
+import { RbacService } from "./rbac.service";
+
+describe("BootstrapService", () => {
+	let service: BootstrapService;
+	let rbacService: RbacService;
+	let _usersService: UsersService;
+
+	const mockRbacService = {
+		countAdmins: jest.fn(),
+		assignRoleToUser: jest.fn(),
+	};
+
+	const mockUsersService = {
+		findPublicProfile: jest.fn(),
+	};
+
+	const mockConfigService = {
+		get: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		jest.clearAllMocks();
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				BootstrapService,
+				{ provide: RbacService, useValue: mockRbacService },
+				{ provide: UsersService, useValue: mockUsersService },
+				{ provide: ConfigService, useValue: mockConfigService },
+			],
+		}).compile();
+
+		service = module.get<BootstrapService>(BootstrapService);
+		rbacService = module.get<RbacService>(RbacService);
+		_usersService = module.get<UsersService>(UsersService);
+	});
+
+	it("should be defined", () => {
+		expect(service).toBeDefined();
+	});
+
+	describe("onApplicationBootstrap", () => {
+		it("should generate a token if no admin exists", async () => {
+			mockRbacService.countAdmins.mockResolvedValue(0);
+			const generateTokenSpy = jest.spyOn(
+				service as any,
+				"generateBootstrapToken",
+			);
+
+			await service.onApplicationBootstrap();
+
+			expect(rbacService.countAdmins).toHaveBeenCalled();
+			expect(generateTokenSpy).toHaveBeenCalled();
+		});
+
+		it("should not generate a token if admin exists", async () => {
+			mockRbacService.countAdmins.mockResolvedValue(1);
+			const generateTokenSpy = jest.spyOn(
+				service as any,
+				"generateBootstrapToken",
+			);
+
+			await service.onApplicationBootstrap();
+
+			expect(rbacService.countAdmins).toHaveBeenCalled();
+			expect(generateTokenSpy).not.toHaveBeenCalled();
+		});
+	});
+
+	describe("consumeToken", () => {
+		it("should throw UnauthorizedException if token is invalid", async () => {
+			mockRbacService.countAdmins.mockResolvedValue(0);
+			await service.onApplicationBootstrap();
+
+			await expect(service.consumeToken("wrong-token", "user1")).rejects.toThrow(
+				UnauthorizedException,
+			);
+		});
+
+		it("should throw UnauthorizedException if user not found", async () => {
+			mockRbacService.countAdmins.mockResolvedValue(0);
+			await service.onApplicationBootstrap();
+			const token = (service as any).bootstrapToken;
+
+			mockUsersService.findPublicProfile.mockResolvedValue(null);
+
+			await expect(service.consumeToken(token, "user1")).rejects.toThrow(
+				UnauthorizedException,
+			);
+		});
+
+		it("should assign admin role and invalidate token on success", async () => {
+			mockRbacService.countAdmins.mockResolvedValue(0);
+			await service.onApplicationBootstrap();
+			const token = (service as any).bootstrapToken;
+
+			const mockUser = { uuid: "user-uuid", username: "user1" };
+			mockUsersService.findPublicProfile.mockResolvedValue(mockUser);
+
+			const result = await service.consumeToken(token, "user1");
+
+			expect(rbacService.assignRoleToUser).toHaveBeenCalledWith(
+				"user-uuid",
+				"admin",
+			);
+			expect((service as any).bootstrapToken).toBeNull();
+			expect(result.message).toContain("user1 is now an administrator");
+		});
+	});
+});

backend/src/auth/bootstrap.service.ts

@@ -0,0 +1,67 @@
+import * as crypto from "node:crypto";
+import {
+	Injectable,
+	Logger,
+	OnApplicationBootstrap,
+	UnauthorizedException,
+} from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import { UsersService } from "../users/users.service";
+import { RbacService } from "./rbac.service";
+
+@Injectable()
+export class BootstrapService implements OnApplicationBootstrap {
+	private readonly logger = new Logger(BootstrapService.name);
+	private bootstrapToken: string | null = null;
+
+	constructor(
+		private readonly rbacService: RbacService,
+		private readonly usersService: UsersService,
+		private readonly configService: ConfigService,
+	) {}
+
+	async onApplicationBootstrap() {
+		const adminCount = await this.rbacService.countAdmins();
+		if (adminCount === 0) {
+			this.generateBootstrapToken();
+		}
+	}
+
+	private generateBootstrapToken() {
+		this.bootstrapToken = crypto.randomBytes(32).toString("hex");
+		const domain = this.configService.get("DOMAIN_NAME") || "localhost";
+		const protocol = domain.includes("localhost") ? "http" : "https";
+		const url = `${protocol}://${domain}/auth/bootstrap-admin`;
+
+		this.logger.warn("SECURITY ALERT: No administrator found in database.");
+		this.logger.warn(
+			"To create the first administrator, use the following endpoint:",
+		);
+		this.logger.warn(
+			`Endpoint: GET ${url}?token=${this.bootstrapToken}&username=votre_nom_utilisateur`,
+		);
+		this.logger.warn(
+			'Exemple: curl -X GET "http://localhost/auth/bootstrap-admin?token=...&username=..."',
+		);
+		this.logger.warn("This token is one-time use only.");
+	}
+
+	async consumeToken(token: string, username: string) {
+		if (!this.bootstrapToken || token !== this.bootstrapToken) {
+			throw new UnauthorizedException("Invalid or expired bootstrap token");
+		}
+
+		const user = await this.usersService.findPublicProfile(username);
+		if (!user) {
+			throw new UnauthorizedException(`User ${username} not found`);
+		}
+
+		await this.rbacService.assignRoleToUser(user.uuid, "admin");
+		this.bootstrapToken = null; // One-time use
+
+		this.logger.log(
+			`User ${username} has been promoted to administrator via bootstrap token.`,
+		);
+		return { message: `User ${username} is now an administrator` };
+	}
+}

backend/src/auth/guards/auth.guard.spec.ts

@@ -0,0 +1,89 @@
+import { ExecutionContext, UnauthorizedException } from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import { Test, TestingModule } from "@nestjs/testing";
+import { getIronSession } from "iron-session";
+import { JwtService } from "../../crypto/services/jwt.service";
+import { AuthGuard } from "./auth.guard";
+
+jest.mock("jose", () => ({}));
+jest.mock("iron-session", () => ({
+	getIronSession: jest.fn(),
+}));
+
+describe("AuthGuard", () => {
+	let guard: AuthGuard;
+	let _jwtService: JwtService;
+	let _configService: ConfigService;
+
+	const mockJwtService = {
+		verifyJwt: jest.fn(),
+	};
+
+	const mockConfigService = {
+		get: jest.fn().mockReturnValue("session-password"),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				AuthGuard,
+				{ provide: JwtService, useValue: mockJwtService },
+				{ provide: ConfigService, useValue: mockConfigService },
+			],
+		}).compile();
+
+		guard = module.get<AuthGuard>(AuthGuard);
+		_jwtService = module.get<JwtService>(JwtService);
+		_configService = module.get<ConfigService>(ConfigService);
+	});
+
+	it("should return true for valid token", async () => {
+		const request = { user: null };
+		const context = {
+			switchToHttp: () => ({
+				getRequest: () => request,
+				getResponse: () => ({}),
+			}),
+		} as unknown as ExecutionContext;
+
+		(getIronSession as jest.Mock).mockResolvedValue({
+			accessToken: "valid-token",
+		});
+		mockJwtService.verifyJwt.mockResolvedValue({ sub: "user1" });
+
+		const result = await guard.canActivate(context);
+		expect(result).toBe(true);
+		expect(request.user).toEqual({ sub: "user1" });
+	});
+
+	it("should throw UnauthorizedException if no token", async () => {
+		const context = {
+			switchToHttp: () => ({
+				getRequest: () => ({}),
+				getResponse: () => ({}),
+			}),
+		} as ExecutionContext;
+
+		(getIronSession as jest.Mock).mockResolvedValue({});
+
+		await expect(guard.canActivate(context)).rejects.toThrow(
+			UnauthorizedException,
+		);
+	});
+
+	it("should throw UnauthorizedException if token invalid", async () => {
+		const context = {
+			switchToHttp: () => ({
+				getRequest: () => ({}),
+				getResponse: () => ({}),
+			}),
+		} as ExecutionContext;
+
+		(getIronSession as jest.Mock).mockResolvedValue({ accessToken: "invalid" });
+		mockJwtService.verifyJwt.mockRejectedValue(new Error("invalid"));
+
+		await expect(guard.canActivate(context)).rejects.toThrow(
+			UnauthorizedException,
+		);
+	});
+});

backend/src/auth/guards/optional-auth.guard.spec.ts

@@ -0,0 +1,84 @@
+import { ExecutionContext } from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import { Test, TestingModule } from "@nestjs/testing";
+import { getIronSession } from "iron-session";
+import { JwtService } from "../../crypto/services/jwt.service";
+import { OptionalAuthGuard } from "./optional-auth.guard";
+
+jest.mock("jose", () => ({}));
+jest.mock("iron-session", () => ({
+	getIronSession: jest.fn(),
+}));
+
+describe("OptionalAuthGuard", () => {
+	let guard: OptionalAuthGuard;
+	let _jwtService: JwtService;
+
+	const mockJwtService = {
+		verifyJwt: jest.fn(),
+	};
+
+	const mockConfigService = {
+		get: jest.fn().mockReturnValue("session-password"),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				OptionalAuthGuard,
+				{ provide: JwtService, useValue: mockJwtService },
+				{ provide: ConfigService, useValue: mockConfigService },
+			],
+		}).compile();
+
+		guard = module.get<OptionalAuthGuard>(OptionalAuthGuard);
+		_jwtService = module.get<JwtService>(JwtService);
+	});
+
+	it("should return true and set user for valid token", async () => {
+		const request = { user: null };
+		const context = {
+			switchToHttp: () => ({
+				getRequest: () => request,
+				getResponse: () => ({}),
+			}),
+		} as unknown as ExecutionContext;
+
+		(getIronSession as jest.Mock).mockResolvedValue({ accessToken: "valid" });
+		mockJwtService.verifyJwt.mockResolvedValue({ sub: "u1" });
+
+		const result = await guard.canActivate(context);
+		expect(result).toBe(true);
+		expect(request.user).toEqual({ sub: "u1" });
+	});
+
+	it("should return true if no token", async () => {
+		const context = {
+			switchToHttp: () => ({
+				getRequest: () => ({}),
+				getResponse: () => ({}),
+			}),
+		} as ExecutionContext;
+
+		(getIronSession as jest.Mock).mockResolvedValue({});
+
+		const result = await guard.canActivate(context);
+		expect(result).toBe(true);
+	});
+
+	it("should return true even if token invalid", async () => {
+		const context = {
+			switchToHttp: () => ({
+				getRequest: () => ({ user: null }),
+				getResponse: () => ({}),
+			}),
+		} as ExecutionContext;
+
+		(getIronSession as jest.Mock).mockResolvedValue({ accessToken: "invalid" });
+		mockJwtService.verifyJwt.mockRejectedValue(new Error("invalid"));
+
+		const result = await guard.canActivate(context);
+		expect(result).toBe(true);
+		expect(context.switchToHttp().getRequest().user).toBeNull();
+	});
+});

backend/src/auth/guards/roles.guard.spec.ts

@@ -0,0 +1,90 @@
+import { ExecutionContext } from "@nestjs/common";
+import { Reflector } from "@nestjs/core";
+import { Test, TestingModule } from "@nestjs/testing";
+import { RbacService } from "../rbac.service";
+import { RolesGuard } from "./roles.guard";
+
+describe("RolesGuard", () => {
+	let guard: RolesGuard;
+	let _reflector: Reflector;
+	let _rbacService: RbacService;
+
+	const mockReflector = {
+		getAllAndOverride: jest.fn(),
+	};
+
+	const mockRbacService = {
+		getUserRoles: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				RolesGuard,
+				{ provide: Reflector, useValue: mockReflector },
+				{ provide: RbacService, useValue: mockRbacService },
+			],
+		}).compile();
+
+		guard = module.get<RolesGuard>(RolesGuard);
+		_reflector = module.get<Reflector>(Reflector);
+		_rbacService = module.get<RbacService>(RbacService);
+	});
+
+	it("should return true if no roles required", async () => {
+		mockReflector.getAllAndOverride.mockReturnValue(null);
+		const context = {
+			getHandler: () => ({}),
+			getClass: () => ({}),
+		} as ExecutionContext;
+
+		const result = await guard.canActivate(context);
+		expect(result).toBe(true);
+	});
+
+	it("should return false if no user in request", async () => {
+		mockReflector.getAllAndOverride.mockReturnValue(["admin"]);
+		const context = {
+			getHandler: () => ({}),
+			getClass: () => ({}),
+			switchToHttp: () => ({
+				getRequest: () => ({ user: null }),
+			}),
+		} as ExecutionContext;
+
+		const result = await guard.canActivate(context);
+		expect(result).toBe(false);
+	});
+
+	it("should return true if user has required role", async () => {
+		mockReflector.getAllAndOverride.mockReturnValue(["admin"]);
+		const context = {
+			getHandler: () => ({}),
+			getClass: () => ({}),
+			switchToHttp: () => ({
+				getRequest: () => ({ user: { sub: "u1" } }),
+			}),
+		} as ExecutionContext;
+
+		mockRbacService.getUserRoles.mockResolvedValue(["admin", "user"]);
+
+		const result = await guard.canActivate(context);
+		expect(result).toBe(true);
+	});
+
+	it("should return false if user doesn't have required role", async () => {
+		mockReflector.getAllAndOverride.mockReturnValue(["admin"]);
+		const context = {
+			getHandler: () => ({}),
+			getClass: () => ({}),
+			switchToHttp: () => ({
+				getRequest: () => ({ user: { sub: "u1" } }),
+			}),
+		} as ExecutionContext;
+
+		mockRbacService.getUserRoles.mockResolvedValue(["user"]);
+
+		const result = await guard.canActivate(context);
+		expect(result).toBe(false);
+	});
+});

backend/src/auth/rbac.service.spec.ts

@@ -9,6 +9,8 @@ describe("RbacService", () => {
 	const mockRbacRepository = {
 		findRolesByUserId: jest.fn(),
 		findPermissionsByUserId: jest.fn(),
+		countRoles: jest.fn(),
+		createRole: jest.fn(),
 	};
 
 	beforeEach(async () => {
@@ -58,4 +60,35 @@ describe("RbacService", () => {
 			expect(repository.findPermissionsByUserId).toHaveBeenCalledWith(userId);
 		});
 	});
+
+	describe("seedRoles", () => {
+		it("should be called on application bootstrap", async () => {
+			const seedRolesSpy = jest.spyOn(service, "seedRoles");
+			await service.onApplicationBootstrap();
+			expect(seedRolesSpy).toHaveBeenCalled();
+		});
+
+		it("should seed roles if none exist", async () => {
+			mockRbacRepository.countRoles.mockResolvedValue(0);
+
+			await service.seedRoles();
+
+			expect(repository.countRoles).toHaveBeenCalled();
+			expect(repository.createRole).toHaveBeenCalledTimes(3);
+			expect(repository.createRole).toHaveBeenCalledWith(
+				"Administrator",
+				"admin",
+				"Full system access",
+			);
+		});
+
+		it("should not seed roles if some already exist", async () => {
+			mockRbacRepository.countRoles.mockResolvedValue(3);
+
+			await service.seedRoles();
+
+			expect(repository.countRoles).toHaveBeenCalled();
+			expect(repository.createRole).not.toHaveBeenCalled();
+		});
+	});
 });

backend/src/auth/rbac.service.ts

@@ -1,10 +1,53 @@
-import { Injectable } from "@nestjs/common";
+import { Injectable, Logger, OnApplicationBootstrap } from "@nestjs/common";
 import { RbacRepository } from "./repositories/rbac.repository";
 
 @Injectable()
-export class RbacService {
+export class RbacService implements OnApplicationBootstrap {
+	private readonly logger = new Logger(RbacService.name);
+
 	constructor(private readonly rbacRepository: RbacRepository) {}
 
+	async onApplicationBootstrap() {
+		this.logger.log("RbacService initialized, checking roles...");
+		await this.seedRoles();
+	}
+
+	async seedRoles() {
+		try {
+			const count = await this.rbacRepository.countRoles();
+			if (count === 0) {
+				this.logger.log("No roles found, seeding default roles...");
+				const defaultRoles = [
+					{
+						name: "Administrator",
+						slug: "admin",
+						description: "Full system access",
+					},
+					{
+						name: "Moderator",
+						slug: "moderator",
+						description: "Access to moderation tools",
+					},
+					{ name: "User", slug: "user", description: "Standard user access" },
+				];
+
+				for (const role of defaultRoles) {
+					await this.rbacRepository.createRole(
+						role.name,
+						role.slug,
+						role.description,
+					);
+					this.logger.log(`Created role: ${role.slug}`);
+				}
+				this.logger.log("Default roles seeded successfully.");
+			} else {
+				this.logger.log(`${count} roles already exist, skipping seeding.`);
+			}
+		} catch (error) {
+			this.logger.error("Error during roles seeding:", error);
+		}
+	}
+
 	async getUserRoles(userId: string) {
 		return this.rbacRepository.findRolesByUserId(userId);
 	}
@@ -12,4 +55,12 @@ export class RbacService {
 	async getUserPermissions(userId: string) {
 		return this.rbacRepository.findPermissionsByUserId(userId);
 	}
+
+	async countAdmins() {
+		return this.rbacRepository.countAdmins();
+	}
+
+	async assignRoleToUser(userId: string, roleSlug: string) {
+		return this.rbacRepository.assignRole(userId, roleSlug);
+	}
 }

backend/src/auth/repositories/rbac.repository.ts

@@ -39,4 +39,52 @@ export class RbacRepository {
 
 		return Array.from(new Set(result.map((p) => p.slug)));
 	}
+
+	async countRoles(): Promise<number> {
+		const result = await this.databaseService.db
+			.select({ count: roles.id })
+			.from(roles);
+		return result.length;
+	}
+
+	async countAdmins(): Promise<number> {
+		const result = await this.databaseService.db
+			.select({ count: usersToRoles.userId })
+			.from(usersToRoles)
+			.innerJoin(roles, eq(usersToRoles.roleId, roles.id))
+			.where(eq(roles.slug, "admin"));
+		return result.length;
+	}
+
+	async createRole(name: string, slug: string, description?: string) {
+		return this.databaseService.db
+			.insert(roles)
+			.values({
+				name,
+				slug,
+				description,
+			})
+			.returning();
+	}
+
+	async assignRole(userId: string, roleSlug: string) {
+		const role = await this.databaseService.db
+			.select()
+			.from(roles)
+			.where(eq(roles.slug, roleSlug))
+			.limit(1);
+
+		if (!role[0]) {
+			throw new Error(`Role with slug ${roleSlug} not found`);
+		}
+
+		return this.databaseService.db
+			.insert(usersToRoles)
+			.values({
+				userId,
+				roleId: role[0].id,
+			})
+			.onConflictDoNothing()
+			.returning();
+	}
 }

backend/src/categories/categories.controller.spec.ts

@@ -0,0 +1,105 @@
+jest.mock("uuid", () => ({
+	v4: jest.fn(() => "mocked-uuid"),
+}));
+
+jest.mock("@noble/post-quantum/ml-kem.js", () => ({
+	ml_kem768: {
+		keygen: jest.fn(),
+		encapsulate: jest.fn(),
+		decapsulate: jest.fn(),
+	},
+}));
+
+jest.mock("jose", () => ({
+	SignJWT: jest.fn().mockReturnValue({
+		setProtectedHeader: jest.fn().mockReturnThis(),
+		setIssuedAt: jest.fn().mockReturnThis(),
+		setExpirationTime: jest.fn().mockReturnThis(),
+		sign: jest.fn().mockResolvedValue("mocked-jwt"),
+	}),
+	jwtVerify: jest.fn(),
+}));
+
+import { CACHE_MANAGER } from "@nestjs/cache-manager";
+import { Test, TestingModule } from "@nestjs/testing";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { RolesGuard } from "../auth/guards/roles.guard";
+import { CategoriesController } from "./categories.controller";
+import { CategoriesService } from "./categories.service";
+
+describe("CategoriesController", () => {
+	let controller: CategoriesController;
+	let service: CategoriesService;
+
+	const mockCategoriesService = {
+		findAll: jest.fn(),
+		findOne: jest.fn(),
+		create: jest.fn(),
+		update: jest.fn(),
+		remove: jest.fn(),
+	};
+
+	const mockCacheManager = {
+		get: jest.fn(),
+		set: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			controllers: [CategoriesController],
+			providers: [
+				{ provide: CategoriesService, useValue: mockCategoriesService },
+				{ provide: CACHE_MANAGER, useValue: mockCacheManager },
+			],
+		})
+			.overrideGuard(AuthGuard)
+			.useValue({ canActivate: () => true })
+			.overrideGuard(RolesGuard)
+			.useValue({ canActivate: () => true })
+			.compile();
+
+		controller = module.get<CategoriesController>(CategoriesController);
+		service = module.get<CategoriesService>(CategoriesService);
+	});
+
+	it("should be defined", () => {
+		expect(controller).toBeDefined();
+	});
+
+	describe("findAll", () => {
+		it("should call service.findAll", async () => {
+			await controller.findAll();
+			expect(service.findAll).toHaveBeenCalled();
+		});
+	});
+
+	describe("findOne", () => {
+		it("should call service.findOne", async () => {
+			await controller.findOne("1");
+			expect(service.findOne).toHaveBeenCalledWith("1");
+		});
+	});
+
+	describe("create", () => {
+		it("should call service.create", async () => {
+			const dto = { name: "Cat", slug: "cat" };
+			await controller.create(dto);
+			expect(service.create).toHaveBeenCalledWith(dto);
+		});
+	});
+
+	describe("update", () => {
+		it("should call service.update", async () => {
+			const dto = { name: "New Name" };
+			await controller.update("1", dto);
+			expect(service.update).toHaveBeenCalledWith("1", dto);
+		});
+	});
+
+	describe("remove", () => {
+		it("should call service.remove", async () => {
+			await controller.remove("1");
+			expect(service.remove).toHaveBeenCalledWith("1");
+		});
+	});
+});

backend/src/categories/repositories/categories.repository.spec.ts

@@ -0,0 +1,82 @@
+import { Test, TestingModule } from "@nestjs/testing";
+import { DatabaseService } from "../../database/database.service";
+import { CategoriesRepository } from "./categories.repository";
+
+describe("CategoriesRepository", () => {
+	let repository: CategoriesRepository;
+
+	const mockDb = {
+		select: jest.fn().mockReturnThis(),
+		from: jest.fn().mockReturnThis(),
+		orderBy: jest.fn().mockReturnThis(),
+		where: jest.fn().mockReturnThis(),
+		limit: jest.fn().mockReturnThis(),
+		insert: jest.fn().mockReturnThis(),
+		values: jest.fn().mockReturnThis(),
+		update: jest.fn().mockReturnThis(),
+		set: jest.fn().mockReturnThis(),
+		delete: jest.fn().mockReturnThis(),
+		returning: jest.fn().mockReturnThis(),
+		execute: jest.fn(),
+	};
+
+	const wrapWithThen = (obj: unknown) => {
+		// biome-ignore lint/suspicious/noThenProperty: Necessary to mock Drizzle's awaitable query builder
+		Object.defineProperty(obj, "then", {
+			value: function (onFulfilled: (arg0: unknown) => void) {
+				const result = (this as Record<string, unknown>).execute();
+				return Promise.resolve(result).then(onFulfilled);
+			},
+			configurable: true,
+		});
+		return obj;
+	};
+	wrapWithThen(mockDb);
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				CategoriesRepository,
+				{ provide: DatabaseService, useValue: { db: mockDb } },
+			],
+		}).compile();
+
+		repository = module.get<CategoriesRepository>(CategoriesRepository);
+	});
+
+	it("should find all", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		const result = await repository.findAll();
+		expect(result).toHaveLength(1);
+	});
+
+	it("should count all", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ count: 5 }]);
+		const result = await repository.countAll();
+		expect(result).toBe(5);
+	});
+
+	it("should find one", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		const result = await repository.findOne("1");
+		expect(result.id).toBe("1");
+	});
+
+	it("should create", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		await repository.create({ name: "C", slug: "s" });
+		expect(mockDb.insert).toHaveBeenCalled();
+	});
+
+	it("should update", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		await repository.update("1", { name: "N", updatedAt: new Date() });
+		expect(mockDb.update).toHaveBeenCalled();
+	});
+
+	it("should remove", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		await repository.remove("1");
+		expect(mockDb.delete).toHaveBeenCalled();
+	});
+});

backend/src/contents/contents.controller.spec.ts

@@ -0,0 +1,230 @@
+jest.mock("uuid", () => ({
+	v4: jest.fn(() => "mocked-uuid"),
+}));
+
+jest.mock("@noble/post-quantum/ml-kem.js", () => ({
+	ml_kem768: {
+		keygen: jest.fn(),
+		encapsulate: jest.fn(),
+		decapsulate: jest.fn(),
+	},
+}));
+
+jest.mock("jose", () => ({
+	SignJWT: jest.fn().mockReturnValue({
+		setProtectedHeader: jest.fn().mockReturnThis(),
+		setIssuedAt: jest.fn().mockReturnThis(),
+		setExpirationTime: jest.fn().mockReturnThis(),
+		sign: jest.fn().mockResolvedValue("mocked-jwt"),
+	}),
+	jwtVerify: jest.fn(),
+}));
+
+import { CACHE_MANAGER } from "@nestjs/cache-manager";
+import { Test, TestingModule } from "@nestjs/testing";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { OptionalAuthGuard } from "../auth/guards/optional-auth.guard";
+import { RolesGuard } from "../auth/guards/roles.guard";
+import { AuthenticatedRequest } from "../common/interfaces/request.interface";
+import { ContentsController } from "./contents.controller";
+import { ContentsService } from "./contents.service";
+
+describe("ContentsController", () => {
+	let controller: ContentsController;
+	let service: ContentsService;
+
+	const mockContentsService = {
+		create: jest.fn(),
+		getUploadUrl: jest.fn(),
+		uploadAndProcess: jest.fn(),
+		findAll: jest.fn(),
+		findOne: jest.fn(),
+		incrementViews: jest.fn(),
+		incrementUsage: jest.fn(),
+		remove: jest.fn(),
+		removeAdmin: jest.fn(),
+		generateBotHtml: jest.fn(),
+	};
+
+	const mockCacheManager = {
+		get: jest.fn(),
+		set: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			controllers: [ContentsController],
+			providers: [
+				{ provide: ContentsService, useValue: mockContentsService },
+				{ provide: CACHE_MANAGER, useValue: mockCacheManager },
+			],
+		})
+			.overrideGuard(AuthGuard)
+			.useValue({ canActivate: () => true })
+			.overrideGuard(RolesGuard)
+			.useValue({ canActivate: () => true })
+			.overrideGuard(OptionalAuthGuard)
+			.useValue({ canActivate: () => true })
+			.compile();
+
+		controller = module.get<ContentsController>(ContentsController);
+		service = module.get<ContentsService>(ContentsService);
+	});
+
+	it("should be defined", () => {
+		expect(controller).toBeDefined();
+	});
+
+	describe("create", () => {
+		it("should call service.create", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			const dto = { title: "Title", type: "image" as any };
+			await controller.create(req, dto as any);
+			expect(service.create).toHaveBeenCalledWith("user-uuid", dto);
+		});
+	});
+
+	describe("getUploadUrl", () => {
+		it("should call service.getUploadUrl", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.getUploadUrl(req, "test.jpg");
+			expect(service.getUploadUrl).toHaveBeenCalledWith("user-uuid", "test.jpg");
+		});
+	});
+
+	describe("upload", () => {
+		it("should call service.uploadAndProcess", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			const file = {} as Express.Multer.File;
+			const dto = { title: "Title" };
+			await controller.upload(req, file, dto as any);
+			expect(service.uploadAndProcess).toHaveBeenCalledWith(
+				"user-uuid",
+				file,
+				dto,
+			);
+		});
+	});
+
+	describe("explore", () => {
+		it("should call service.findAll", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.explore(
+				req,
+				10,
+				0,
+				"trend",
+				"tag",
+				"cat",
+				"auth",
+				"query",
+				false,
+				undefined,
+			);
+			expect(service.findAll).toHaveBeenCalledWith({
+				limit: 10,
+				offset: 0,
+				sortBy: "trend",
+				tag: "tag",
+				category: "cat",
+				author: "auth",
+				query: "query",
+				favoritesOnly: false,
+				userId: "user-uuid",
+			});
+		});
+	});
+
+	describe("trends", () => {
+		it("should call service.findAll with trend sort", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.trends(req, 10, 0);
+			expect(service.findAll).toHaveBeenCalledWith({
+				limit: 10,
+				offset: 0,
+				sortBy: "trend",
+				userId: "user-uuid",
+			});
+		});
+	});
+
+	describe("recent", () => {
+		it("should call service.findAll with recent sort", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.recent(req, 10, 0);
+			expect(service.findAll).toHaveBeenCalledWith({
+				limit: 10,
+				offset: 0,
+				sortBy: "recent",
+				userId: "user-uuid",
+			});
+		});
+	});
+
+	describe("findOne", () => {
+		it("should return json for normal user", async () => {
+			const req = { user: { sub: "user-uuid" }, headers: {} } as any;
+			const res = { json: jest.fn(), send: jest.fn() } as any;
+			const content = { id: "1" };
+			mockContentsService.findOne.mockResolvedValue(content);
+
+			await controller.findOne("1", req, res);
+
+			expect(res.json).toHaveBeenCalledWith(content);
+		});
+
+		it("should return html for bot", async () => {
+			const req = {
+				user: { sub: "user-uuid" },
+				headers: { "user-agent": "Googlebot" },
+			} as any;
+			const res = { json: jest.fn(), send: jest.fn() } as any;
+			const content = { id: "1" };
+			mockContentsService.findOne.mockResolvedValue(content);
+			mockContentsService.generateBotHtml.mockReturnValue("<html></html>");
+
+			await controller.findOne("1", req, res);
+
+			expect(res.send).toHaveBeenCalledWith("<html></html>");
+		});
+
+		it("should throw NotFoundException if not found", async () => {
+			const req = { user: { sub: "user-uuid" }, headers: {} } as any;
+			const res = { json: jest.fn(), send: jest.fn() } as any;
+			mockContentsService.findOne.mockResolvedValue(null);
+
+			await expect(controller.findOne("1", req, res)).rejects.toThrow(
+				"Contenu non trouvé",
+			);
+		});
+	});
+
+	describe("incrementViews", () => {
+		it("should call service.incrementViews", async () => {
+			await controller.incrementViews("1");
+			expect(service.incrementViews).toHaveBeenCalledWith("1");
+		});
+	});
+
+	describe("incrementUsage", () => {
+		it("should call service.incrementUsage", async () => {
+			await controller.incrementUsage("1");
+			expect(service.incrementUsage).toHaveBeenCalledWith("1");
+		});
+	});
+
+	describe("remove", () => {
+		it("should call service.remove", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.remove("1", req);
+			expect(service.remove).toHaveBeenCalledWith("1", "user-uuid");
+		});
+	});
+
+	describe("removeAdmin", () => {
+		it("should call service.removeAdmin", async () => {
+			await controller.removeAdmin("1");
+			expect(service.removeAdmin).toHaveBeenCalledWith("1");
+		});
+	});
+});

backend/src/contents/contents.controller.ts

@@ -10,6 +10,7 @@ import {
 	Param,
 	ParseBoolPipe,
 	ParseIntPipe,
+	Patch,
 	Post,
 	Query,
 	Req,
@@ -185,4 +186,11 @@ export class ContentsController {
 	removeAdmin(@Param("id") id: string) {
 		return this.contentsService.removeAdmin(id);
 	}
+
+	@Patch(":id/admin")
+	@UseGuards(AuthGuard, RolesGuard)
+	@Roles("admin")
+	updateAdmin(@Param("id") id: string, @Body() updateContentDto: any) {
+		return this.contentsService.updateAdmin(id, updateContentDto);
+	}
 }

backend/src/contents/contents.service.spec.ts

@@ -23,6 +23,7 @@ describe("ContentsService", () => {
 		incrementViews: jest.fn(),
 		incrementUsage: jest.fn(),
 		softDelete: jest.fn(),
+		softDeleteAdmin: jest.fn(),
 		findOne: jest.fn(),
 		findBySlug: jest.fn(),
 	};
@@ -147,4 +148,81 @@ describe("ContentsService", () => {
 			expect(result[0].views).toBe(1);
 		});
 	});
+
+	describe("incrementUsage", () => {
+		it("should increment usage", async () => {
+			mockContentsRepository.incrementUsage.mockResolvedValue([
+				{ id: "1", usageCount: 1 },
+			]);
+			await service.incrementUsage("1");
+			expect(mockContentsRepository.incrementUsage).toHaveBeenCalledWith("1");
+		});
+	});
+
+	describe("remove", () => {
+		it("should soft delete content", async () => {
+			mockContentsRepository.softDelete.mockResolvedValue({ id: "1" });
+			await service.remove("1", "u1");
+			expect(mockContentsRepository.softDelete).toHaveBeenCalledWith("1", "u1");
+		});
+	});
+
+	describe("removeAdmin", () => {
+		it("should soft delete content without checking owner", async () => {
+			mockContentsRepository.softDeleteAdmin.mockResolvedValue({ id: "1" });
+			await service.removeAdmin("1");
+			expect(mockContentsRepository.softDeleteAdmin).toHaveBeenCalledWith("1");
+		});
+	});
+
+	describe("findOne", () => {
+		it("should return content by id", async () => {
+			mockContentsRepository.findOne.mockResolvedValue({
+				id: "1",
+				storageKey: "k",
+				author: { avatarUrl: "a" },
+			});
+			mockS3Service.getPublicUrl.mockReturnValue("url");
+			const result = await service.findOne("1");
+			expect(result.id).toBe("1");
+			expect(result.url).toBe("url");
+		});
+
+		it("should return content by slug", async () => {
+			mockContentsRepository.findOne.mockResolvedValue({
+				id: "1",
+				slug: "s",
+				storageKey: "k",
+			});
+			const result = await service.findOne("s");
+			expect(result.slug).toBe("s");
+		});
+	});
+
+	describe("generateBotHtml", () => {
+		it("should generate html with og tags", () => {
+			const content = { title: "Title", storageKey: "k" };
+			mockS3Service.getPublicUrl.mockReturnValue("url");
+			const html = service.generateBotHtml(content as any);
+			expect(html).toContain("<title>Title</title>");
+			expect(html).toContain('content="Title"');
+			expect(html).toContain('content="url"');
+		});
+	});
+
+	describe("ensureUniqueSlug", () => {
+		it("should return original slug if unique", async () => {
+			mockContentsRepository.findBySlug.mockResolvedValue(null);
+			const slug = (service as any).ensureUniqueSlug("My Title");
+			await expect(slug).resolves.toBe("my-title");
+		});
+
+		it("should append counter if not unique", async () => {
+			mockContentsRepository.findBySlug
+				.mockResolvedValueOnce({ id: "1" })
+				.mockResolvedValueOnce(null);
+			const slug = await (service as any).ensureUniqueSlug("My Title");
+			expect(slug).toBe("my-title-1");
+		});
+	});
 });

backend/src/contents/contents.service.ts

@@ -184,6 +184,16 @@ export class ContentsService {
 		return deleted;
 	}
 
+	async updateAdmin(id: string, data: any) {
+		this.logger.log(`Updating content ${id} by admin`);
+		const updated = await this.contentsRepository.update(id, data);
+
+		if (updated) {
+			await this.clearContentsCache();
+		}
+		return updated;
+	}
+
 	async findOne(idOrSlug: string, userId?: string) {
 		const content = await this.contentsRepository.findOne(idOrSlug, userId);
 		if (!content) return null;

backend/src/contents/repositories/contents.repository.ts

@@ -404,6 +404,15 @@ export class ContentsRepository {
 		return deleted;
 	}
 
+	async update(id: string, data: Partial<typeof contents.$inferInsert>) {
+		const [updated] = await this.databaseService.db
+			.update(contents)
+			.set({ ...data, updatedAt: new Date() })
+			.where(eq(contents.id, id))
+			.returning();
+		return updated;
+	}
+
 	async findBySlug(slug: string) {
 		const [result] = await this.databaseService.db
 			.select()

backend/src/database/database.service.spec.ts

@@ -0,0 +1,67 @@
+import { ConfigService } from "@nestjs/config";
+import { Test, TestingModule } from "@nestjs/testing";
+import { DatabaseService } from "./database.service";
+
+jest.mock("pg", () => {
+	const mPool = {
+		connect: jest.fn(),
+		query: jest.fn(),
+		end: jest.fn(),
+		on: jest.fn(),
+	};
+	return { Pool: jest.fn(() => mPool) };
+});
+
+jest.mock("drizzle-orm/node-postgres", () => ({
+	drizzle: jest.fn().mockReturnValue({}),
+}));
+
+describe("DatabaseService", () => {
+	let service: DatabaseService;
+	let _configService: ConfigService;
+
+	const mockConfigService = {
+		get: jest.fn((key) => {
+			const config = {
+				POSTGRES_PASSWORD: "p",
+				POSTGRES_USER: "u",
+				POSTGRES_HOST: "h",
+				POSTGRES_PORT: "5432",
+				POSTGRES_DB: "db",
+				NODE_ENV: "development",
+			};
+			return config[key];
+		}),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				DatabaseService,
+				{ provide: ConfigService, useValue: mockConfigService },
+			],
+		}).compile();
+
+		service = module.get<DatabaseService>(DatabaseService);
+		_configService = module.get<ConfigService>(ConfigService);
+	});
+
+	it("should be defined", () => {
+		expect(service).toBeDefined();
+	});
+
+	describe("onModuleInit", () => {
+		it("should skip migrations in development", async () => {
+			await service.onModuleInit();
+			expect(mockConfigService.get).toHaveBeenCalledWith("NODE_ENV");
+		});
+	});
+
+	describe("onModuleDestroy", () => {
+		it("should close pool", async () => {
+			const pool = (service as any).pool;
+			await service.onModuleDestroy();
+			expect(pool.end).toHaveBeenCalled();
+		});
+	});
+});

backend/src/favorites/favorites.controller.spec.ts

@@ -0,0 +1,82 @@
+jest.mock("uuid", () => ({
+	v4: jest.fn(() => "mocked-uuid"),
+}));
+
+jest.mock("@noble/post-quantum/ml-kem.js", () => ({
+	ml_kem768: {
+		keygen: jest.fn(),
+		encapsulate: jest.fn(),
+		decapsulate: jest.fn(),
+	},
+}));
+
+jest.mock("jose", () => ({
+	SignJWT: jest.fn().mockReturnValue({
+		setProtectedHeader: jest.fn().mockReturnThis(),
+		setIssuedAt: jest.fn().mockReturnThis(),
+		setExpirationTime: jest.fn().mockReturnThis(),
+		sign: jest.fn().mockResolvedValue("mocked-jwt"),
+	}),
+	jwtVerify: jest.fn(),
+}));
+
+import { Test, TestingModule } from "@nestjs/testing";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { AuthenticatedRequest } from "../common/interfaces/request.interface";
+import { FavoritesController } from "./favorites.controller";
+import { FavoritesService } from "./favorites.service";
+
+describe("FavoritesController", () => {
+	let controller: FavoritesController;
+	let service: FavoritesService;
+
+	const mockFavoritesService = {
+		addFavorite: jest.fn(),
+		removeFavorite: jest.fn(),
+		getUserFavorites: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			controllers: [FavoritesController],
+			providers: [{ provide: FavoritesService, useValue: mockFavoritesService }],
+		})
+			.overrideGuard(AuthGuard)
+			.useValue({ canActivate: () => true })
+			.compile();
+
+		controller = module.get<FavoritesController>(FavoritesController);
+		service = module.get<FavoritesService>(FavoritesService);
+	});
+
+	it("should be defined", () => {
+		expect(controller).toBeDefined();
+	});
+
+	describe("add", () => {
+		it("should call service.addFavorite", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.add(req, "content-1");
+			expect(service.addFavorite).toHaveBeenCalledWith("user-uuid", "content-1");
+		});
+	});
+
+	describe("remove", () => {
+		it("should call service.removeFavorite", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.remove(req, "content-1");
+			expect(service.removeFavorite).toHaveBeenCalledWith(
+				"user-uuid",
+				"content-1",
+			);
+		});
+	});
+
+	describe("list", () => {
+		it("should call service.getUserFavorites", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.list(req, 10, 0);
+			expect(service.getUserFavorites).toHaveBeenCalledWith("user-uuid", 10, 0);
+		});
+	});
+});

backend/src/favorites/repositories/favorites.repository.spec.ts

@@ -0,0 +1,72 @@
+import { Test, TestingModule } from "@nestjs/testing";
+import { DatabaseService } from "../../database/database.service";
+import { FavoritesRepository } from "./favorites.repository";
+
+describe("FavoritesRepository", () => {
+	let repository: FavoritesRepository;
+
+	const mockDb = {
+		select: jest.fn().mockReturnThis(),
+		from: jest.fn().mockReturnThis(),
+		innerJoin: jest.fn().mockReturnThis(),
+		where: jest.fn().mockReturnThis(),
+		limit: jest.fn().mockReturnThis(),
+		offset: jest.fn().mockReturnThis(),
+		insert: jest.fn().mockReturnThis(),
+		values: jest.fn().mockReturnThis(),
+		delete: jest.fn().mockReturnThis(),
+		returning: jest.fn().mockReturnThis(),
+		execute: jest.fn(),
+	};
+
+	const wrapWithThen = (obj: unknown) => {
+		// biome-ignore lint/suspicious/noThenProperty: Necessary to mock Drizzle's awaitable query builder
+		Object.defineProperty(obj, "then", {
+			value: function (onFulfilled: (arg0: unknown) => void) {
+				const result = (this as Record<string, unknown>).execute();
+				return Promise.resolve(result).then(onFulfilled);
+			},
+			configurable: true,
+		});
+		return obj;
+	};
+	wrapWithThen(mockDb);
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				FavoritesRepository,
+				{ provide: DatabaseService, useValue: { db: mockDb } },
+			],
+		}).compile();
+
+		repository = module.get<FavoritesRepository>(FavoritesRepository);
+	});
+
+	it("should find content by id", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		const result = await repository.findContentById("1");
+		expect(result.id).toBe("1");
+	});
+
+	it("should add favorite", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([
+			{ userId: "u", contentId: "c" },
+		]);
+		await repository.add("u", "c");
+		expect(mockDb.insert).toHaveBeenCalled();
+	});
+
+	it("should remove favorite", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		await repository.remove("u", "c");
+		expect(mockDb.delete).toHaveBeenCalled();
+	});
+
+	it("should find by user id", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ content: { id: "c1" } }]);
+		const result = await repository.findByUserId("u1", 10, 0);
+		expect(result).toHaveLength(1);
+		expect(result[0].id).toBe("c1");
+	});
+});

backend/src/health.controller.spec.ts

@@ -1,3 +1,4 @@
+import { CACHE_MANAGER } from "@nestjs/cache-manager";
 import { Test, TestingModule } from "@nestjs/testing";
 import { DatabaseService } from "./database/database.service";
 import { HealthController } from "./health.controller";
@@ -9,6 +10,10 @@ describe("HealthController", () => {
 		execute: jest.fn().mockResolvedValue([]),
 	};
 
+	const mockCacheManager = {
+		set: jest.fn().mockResolvedValue(undefined),
+	};
+
 	beforeEach(async () => {
 		const module: TestingModule = await Test.createTestingModule({
 			controllers: [HealthController],
@@ -19,24 +24,42 @@ describe("HealthController", () => {
 						db: mockDb,
 					},
 				},
+				{
+					provide: CACHE_MANAGER,
+					useValue: mockCacheManager,
+				},
 			],
 		}).compile();
 
 		controller = module.get<HealthController>(HealthController);
 	});
 
-	it("should return ok if database is connected", async () => {
+	it("should return ok if database and redis are connected", async () => {
 		mockDb.execute.mockResolvedValue([]);
+		mockCacheManager.set.mockResolvedValue(undefined);
 		const result = await controller.check();
 		expect(result.status).toBe("ok");
 		expect(result.database).toBe("connected");
+		expect(result.redis).toBe("connected");
 	});
 
 	it("should return error if database is disconnected", async () => {
 		mockDb.execute.mockRejectedValue(new Error("DB Error"));
+		mockCacheManager.set.mockResolvedValue(undefined);
 		const result = await controller.check();
 		expect(result.status).toBe("error");
 		expect(result.database).toBe("disconnected");
-		expect(result.message).toBe("DB Error");
+		expect(result.databaseError).toBe("DB Error");
+		expect(result.redis).toBe("connected");
+	});
+
+	it("should return error if redis is disconnected", async () => {
+		mockDb.execute.mockResolvedValue([]);
+		mockCacheManager.set.mockRejectedValue(new Error("Redis Error"));
+		const result = await controller.check();
+		expect(result.status).toBe("error");
+		expect(result.database).toBe("connected");
+		expect(result.redis).toBe("disconnected");
+		expect(result.redisError).toBe("Redis Error");
 	});
 });

backend/src/health.controller.ts

@@ -1,28 +1,44 @@
-import { Controller, Get } from "@nestjs/common";
+import { CACHE_MANAGER } from "@nestjs/cache-manager";
+import { Controller, Get, Inject } from "@nestjs/common";
+import type { Cache } from "cache-manager";
 import { sql } from "drizzle-orm";
 import { DatabaseService } from "./database/database.service";
 
 @Controller("health")
 export class HealthController {
-	constructor(private readonly databaseService: DatabaseService) {}
+	constructor(
+		private readonly databaseService: DatabaseService,
+		@Inject(CACHE_MANAGER) private cacheManager: Cache,
+	) {}
 
 	@Get()
 	async check() {
+		const health: any = {
+			status: "ok",
+			timestamp: new Date().toISOString(),
+		};
+
 		try {
 			// Check database connection
 			await this.databaseService.db.execute(sql`SELECT 1`);
-			return {
-				status: "ok",
-				database: "connected",
-				timestamp: new Date().toISOString(),
-			};
+			health.database = "connected";
 		} catch (error) {
-			return {
-				status: "error",
-				database: "disconnected",
-				message: error.message,
-				timestamp: new Date().toISOString(),
-			};
+			health.status = "error";
+			health.database = "disconnected";
+			health.databaseError = error.message;
 		}
+
+		try {
+			// Check Redis connection via cache-manager
+			// We try to set a temporary key to verify the connection
+			await this.cacheManager.set("health-check", "ok", 1000);
+			health.redis = "connected";
+		} catch (error) {
+			health.status = "error";
+			health.redis = "disconnected";
+			health.redisError = error.message;
+		}
+
+		return health;
 	}
 }

backend/src/media/media.controller.spec.ts

@@ -49,6 +49,11 @@ describe("MediaController", () => {
 			expect(stream.pipe).toHaveBeenCalledWith(res);
 		});
 
+		it("should throw NotFoundException if path is missing", async () => {
+			const res = {} as unknown as Response;
+			await expect(controller.getFile("", res)).rejects.toThrow(NotFoundException);
+		});
+
 		it("should throw NotFoundException if file is not found", async () => {
 			mockS3Service.getFileInfo.mockRejectedValue(new Error("Not found"));
 			const res = {} as unknown as Response;

backend/src/media/media.controller.ts

@@ -1,21 +1,36 @@
-import { Controller, Get, NotFoundException, Param, Res } from "@nestjs/common";
+import {
+	Controller,
+	Get,
+	Logger,
+	NotFoundException,
+	Query,
+	Res,
+} from "@nestjs/common";
 import type { Response } from "express";
 import type { BucketItemStat } from "minio";
 import { S3Service } from "../s3/s3.service";
 
 @Controller("media")
 export class MediaController {
+	private readonly logger = new Logger(MediaController.name);
+
 	constructor(private readonly s3Service: S3Service) {}
 
-	@Get("*key")
-	async getFile(@Param("key") key: string, @Res() res: Response) {
-		try {
-			const stats = (await this.s3Service.getFileInfo(key)) as BucketItemStat;
-			const stream = await this.s3Service.getFile(key);
+	@Get()
+	async getFile(@Query("path") path: string, @Res() res: Response) {
+		if (!path) {
+			this.logger.warn("Tentative d'accès à un média sans paramètre 'path'");
+			throw new NotFoundException("Paramètre 'path' manquant");
+		}
 
-			const contentType =
+		try {
+			this.logger.log(`Récupération du fichier : ${path}`);
+			const stats = (await this.s3Service.getFileInfo(path)) as BucketItemStat;
+			const stream = await this.s3Service.getFile(path);
+
+			const contentType: string =
 				stats.metaData?.["content-type"] ||
-				stats.metadata?.["content-type"] ||
+				stats.metaData?.["Content-Type"] ||
 				"application/octet-stream";
 
 			res.setHeader("Content-Type", contentType);
@@ -23,7 +38,10 @@ export class MediaController {
 			res.setHeader("Cache-Control", "public, max-age=31536000, immutable");
 
 			stream.pipe(res);
-		} catch (_error) {
+		} catch (error) {
+			this.logger.error(
+				`Erreur lors de la récupération du fichier ${path} : ${error.message}`,
+			);
 			throw new NotFoundException("Fichier non trouvé");
 		}
 	}

backend/src/media/media.service.spec.ts

@@ -96,4 +96,37 @@ describe("MediaService", () => {
 			expect(result.buffer).toEqual(Buffer.from("processed-video"));
 		});
 	});
+
+	describe("scanFile", () => {
+		it("should return false if clamav not initialized", async () => {
+			const result = await service.scanFile(Buffer.from(""), "test.txt");
+			expect(result.isInfected).toBe(false);
+		});
+
+		it("should handle virus detection", async () => {
+			// Mock private property to simulate initialized clamscan
+			(service as any).isClamAvInitialized = true;
+			(service as any).clamscan = {
+				scanStream: jest.fn().mockResolvedValue({
+					isInfected: true,
+					viruses: ["Eicar-Test-Signature"],
+				}),
+			};
+
+			const result = await service.scanFile(Buffer.from(""), "test.txt");
+			expect(result.isInfected).toBe(true);
+			expect(result.virusName).toBe("Eicar-Test-Signature");
+		});
+
+		it("should handle scan error", async () => {
+			(service as any).isClamAvInitialized = true;
+			(service as any).clamscan = {
+				scanStream: jest.fn().mockRejectedValue(new Error("Scan failed")),
+			};
+
+			await expect(
+				service.scanFile(Buffer.from(""), "test.txt"),
+			).rejects.toThrow();
+		});
+	});
 });

backend/src/reports/reports.controller.spec.ts

@@ -0,0 +1,82 @@
+jest.mock("uuid", () => ({
+	v4: jest.fn(() => "mocked-uuid"),
+}));
+
+jest.mock("@noble/post-quantum/ml-kem.js", () => ({
+	ml_kem768: {
+		keygen: jest.fn(),
+		encapsulate: jest.fn(),
+		decapsulate: jest.fn(),
+	},
+}));
+
+jest.mock("jose", () => ({
+	SignJWT: jest.fn().mockReturnValue({
+		setProtectedHeader: jest.fn().mockReturnThis(),
+		setIssuedAt: jest.fn().mockReturnThis(),
+		setExpirationTime: jest.fn().mockReturnThis(),
+		sign: jest.fn().mockResolvedValue("mocked-jwt"),
+	}),
+	jwtVerify: jest.fn(),
+}));
+
+import { Test, TestingModule } from "@nestjs/testing";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { RolesGuard } from "../auth/guards/roles.guard";
+import { AuthenticatedRequest } from "../common/interfaces/request.interface";
+import { ReportsController } from "./reports.controller";
+import { ReportsService } from "./reports.service";
+
+describe("ReportsController", () => {
+	let controller: ReportsController;
+	let service: ReportsService;
+
+	const mockReportsService = {
+		create: jest.fn(),
+		findAll: jest.fn(),
+		updateStatus: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			controllers: [ReportsController],
+			providers: [{ provide: ReportsService, useValue: mockReportsService }],
+		})
+			.overrideGuard(AuthGuard)
+			.useValue({ canActivate: () => true })
+			.overrideGuard(RolesGuard)
+			.useValue({ canActivate: () => true })
+			.compile();
+
+		controller = module.get<ReportsController>(ReportsController);
+		service = module.get<ReportsService>(ReportsService);
+	});
+
+	it("should be defined", () => {
+		expect(controller).toBeDefined();
+	});
+
+	describe("create", () => {
+		it("should call service.create", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			const dto = { contentId: "1", reason: "spam" };
+			await controller.create(req, dto as any);
+			expect(service.create).toHaveBeenCalledWith("user-uuid", dto);
+		});
+	});
+
+	describe("findAll", () => {
+		it("should call service.findAll", async () => {
+			await controller.findAll(10, 0);
+			expect(service.findAll).toHaveBeenCalledWith(10, 0);
+		});
+	});
+
+	describe("updateStatus", () => {
+		it("should call service.updateStatus", async () => {
+			const dto = { status: "resolved" as any };
+			await controller.updateStatus("1", dto);
+			expect(service.updateStatus).toHaveBeenCalledWith("1", "resolved");
+		});
+	});
+});

backend/src/reports/repositories/reports.repository.spec.ts

@@ -0,0 +1,73 @@
+import { Test, TestingModule } from "@nestjs/testing";
+import { DatabaseService } from "../../database/database.service";
+import { ReportsRepository } from "./reports.repository";
+
+describe("ReportsRepository", () => {
+	let repository: ReportsRepository;
+
+	const mockDb = {
+		select: jest.fn().mockReturnThis(),
+		from: jest.fn().mockReturnThis(),
+		orderBy: jest.fn().mockReturnThis(),
+		where: jest.fn().mockReturnThis(),
+		limit: jest.fn().mockReturnThis(),
+		offset: jest.fn().mockReturnThis(),
+		insert: jest.fn().mockReturnThis(),
+		values: jest.fn().mockReturnThis(),
+		update: jest.fn().mockReturnThis(),
+		set: jest.fn().mockReturnThis(),
+		delete: jest.fn().mockReturnThis(),
+		returning: jest.fn().mockReturnThis(),
+		execute: jest.fn(),
+	};
+
+	const wrapWithThen = (obj: unknown) => {
+		// biome-ignore lint/suspicious/noThenProperty: Necessary to mock Drizzle's awaitable query builder
+		Object.defineProperty(obj, "then", {
+			value: function (onFulfilled: (arg0: unknown) => void) {
+				const result = (this as Record<string, unknown>).execute();
+				return Promise.resolve(result).then(onFulfilled);
+			},
+			configurable: true,
+		});
+		return obj;
+	};
+	wrapWithThen(mockDb);
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				ReportsRepository,
+				{ provide: DatabaseService, useValue: { db: mockDb } },
+			],
+		}).compile();
+
+		repository = module.get<ReportsRepository>(ReportsRepository);
+	});
+
+	it("should create report", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		const result = await repository.create({ reporterId: "u", reason: "spam" });
+		expect(result.id).toBe("1");
+	});
+
+	it("should find all", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		const result = await repository.findAll(10, 0);
+		expect(result).toHaveLength(1);
+	});
+
+	it("should update status", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([
+			{ id: "1", status: "resolved" },
+		]);
+		const result = await repository.updateStatus("1", "resolved");
+		expect(result[0].status).toBe("resolved");
+	});
+
+	it("should purge obsolete", async () => {
+		(mockDb.execute as jest.Mock).mockResolvedValue([{ id: "1" }]);
+		await repository.purgeObsolete(new Date());
+		expect(mockDb.delete).toHaveBeenCalled();
+	});
+});

backend/src/s3/s3.service.spec.ts

@@ -8,7 +8,6 @@ jest.mock("minio");
 describe("S3Service", () => {
 	let service: S3Service;
 	let configService: ConfigService;
-	// biome-ignore lint/suspicious/noExplicitAny: Fine for testing purposes
 	let minioClient: any;
 
 	beforeEach(async () => {
@@ -192,7 +191,7 @@ describe("S3Service", () => {
 				return null;
 			});
 			const url = service.getPublicUrl("test.webp");
-			expect(url).toBe("https://api.test.com/media/test.webp");
+			expect(url).toBe("https://api.test.com/media?path=test.webp");
 		});
 
 		it("should use DOMAIN_NAME and PORT for localhost", () => {
@@ -205,7 +204,7 @@ describe("S3Service", () => {
 				},
 			);
 			const url = service.getPublicUrl("test.webp");
-			expect(url).toBe("http://localhost:3000/media/test.webp");
+			expect(url).toBe("http://localhost:3000/media?path=test.webp");
 		});
 
 		it("should use api.DOMAIN_NAME for production", () => {
@@ -217,7 +216,7 @@ describe("S3Service", () => {
 				},
 			);
 			const url = service.getPublicUrl("test.webp");
-			expect(url).toBe("https://api.memegoat.fr/media/test.webp");
+			expect(url).toBe("https://api.memegoat.fr/media?path=test.webp");
 		});
 	});
 });

backend/src/s3/s3.service.ts

@@ -173,6 +173,6 @@ export class S3Service implements OnModuleInit, IStorageService {
 			baseUrl = `https://api.${domain}`;
 		}
 
-		return `${baseUrl}/media/${storageKey}`;
+		return `${baseUrl}/media?path=${storageKey}`;
 	}
 }

backend/src/tags/tags.controller.spec.ts

@@ -0,0 +1,69 @@
+jest.mock("uuid", () => ({
+	v4: jest.fn(() => "mocked-uuid"),
+}));
+
+jest.mock("@noble/post-quantum/ml-kem.js", () => ({
+	ml_kem768: {
+		keygen: jest.fn(),
+		encapsulate: jest.fn(),
+		decapsulate: jest.fn(),
+	},
+}));
+
+jest.mock("jose", () => ({
+	SignJWT: jest.fn().mockReturnValue({
+		setProtectedHeader: jest.fn().mockReturnThis(),
+		setIssuedAt: jest.fn().mockReturnThis(),
+		setExpirationTime: jest.fn().mockReturnThis(),
+		sign: jest.fn().mockResolvedValue("mocked-jwt"),
+	}),
+	jwtVerify: jest.fn(),
+}));
+
+import { CACHE_MANAGER } from "@nestjs/cache-manager";
+import { Test, TestingModule } from "@nestjs/testing";
+import { TagsController } from "./tags.controller";
+import { TagsService } from "./tags.service";
+
+describe("TagsController", () => {
+	let controller: TagsController;
+	let service: TagsService;
+
+	const mockTagsService = {
+		findAll: jest.fn(),
+	};
+
+	const mockCacheManager = {
+		get: jest.fn(),
+		set: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			controllers: [TagsController],
+			providers: [
+				{ provide: TagsService, useValue: mockTagsService },
+				{ provide: CACHE_MANAGER, useValue: mockCacheManager },
+			],
+		}).compile();
+
+		controller = module.get<TagsController>(TagsController);
+		service = module.get<TagsService>(TagsService);
+	});
+
+	it("should be defined", () => {
+		expect(controller).toBeDefined();
+	});
+
+	describe("findAll", () => {
+		it("should call service.findAll", async () => {
+			await controller.findAll(10, 0, "test", "popular");
+			expect(service.findAll).toHaveBeenCalledWith({
+				limit: 10,
+				offset: 0,
+				query: "test",
+				sortBy: "popular",
+			});
+		});
+	});
+});

backend/src/users/dto/update-user.dto.ts

@@ -14,4 +14,12 @@ export class UpdateUserDto {
 	@IsOptional()
 	@IsString()
 	avatarUrl?: string;
+
+	@IsOptional()
+	@IsString()
+	status?: "active" | "verification" | "suspended" | "pending" | "deleted";
+
+	@IsOptional()
+	@IsString()
+	role?: string;
 }

backend/src/users/repositories/users.repository.spec.ts

@@ -0,0 +1,150 @@
+import { Test, TestingModule } from "@nestjs/testing";
+import { DatabaseService } from "../../database/database.service";
+import { UsersRepository } from "./users.repository";
+
+describe("UsersRepository", () => {
+	let repository: UsersRepository;
+	let _databaseService: DatabaseService;
+
+	const mockDb = {
+		insert: jest.fn().mockReturnThis(),
+		values: jest.fn().mockReturnThis(),
+		returning: jest.fn().mockResolvedValue([{ uuid: "u1" }]),
+		select: jest.fn().mockReturnThis(),
+		from: jest.fn().mockReturnThis(),
+		where: jest.fn().mockReturnThis(),
+		limit: jest.fn().mockReturnThis(),
+		offset: jest.fn().mockReturnThis(),
+		update: jest.fn().mockReturnThis(),
+		set: jest.fn().mockReturnThis(),
+		delete: jest.fn().mockReturnThis(),
+		transaction: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [
+				UsersRepository,
+				{
+					provide: DatabaseService,
+					useValue: { db: mockDb },
+				},
+			],
+		}).compile();
+
+		repository = module.get<UsersRepository>(UsersRepository);
+		_databaseService = module.get<DatabaseService>(DatabaseService);
+		jest.clearAllMocks();
+	});
+
+	it("should be defined", () => {
+		expect(repository).toBeDefined();
+	});
+
+	describe("create", () => {
+		it("should insert a user", async () => {
+			const data = {
+				username: "u",
+				email: "e",
+				passwordHash: "p",
+				emailHash: "eh",
+			};
+			await repository.create(data);
+			expect(mockDb.insert).toHaveBeenCalled();
+			expect(mockDb.values).toHaveBeenCalledWith(data);
+		});
+	});
+
+	describe("findByEmailHash", () => {
+		it("should select user by email hash", async () => {
+			mockDb.limit.mockResolvedValueOnce([{ uuid: "u1" }]);
+			const result = await repository.findByEmailHash("hash");
+			expect(result.uuid).toBe("u1");
+			expect(mockDb.select).toHaveBeenCalled();
+			expect(mockDb.where).toHaveBeenCalled();
+		});
+	});
+
+	describe("findOneWithPrivateData", () => {
+		it("should select user with private data", async () => {
+			mockDb.limit.mockResolvedValueOnce([{ uuid: "u1" }]);
+			const result = await repository.findOneWithPrivateData("u1");
+			expect(result.uuid).toBe("u1");
+		});
+	});
+
+	describe("countAll", () => {
+		it("should return count", async () => {
+			mockDb.from.mockResolvedValueOnce([{ count: 5 }]);
+			const result = await repository.countAll();
+			expect(result).toBe(5);
+		});
+	});
+
+	describe("findAll", () => {
+		it("should select users with limit and offset", async () => {
+			mockDb.offset.mockResolvedValueOnce([{ uuid: "u1" }]);
+			const result = await repository.findAll(10, 0);
+			expect(result[0].uuid).toBe("u1");
+			expect(mockDb.limit).toHaveBeenCalledWith(10);
+			expect(mockDb.offset).toHaveBeenCalledWith(0);
+		});
+	});
+
+	describe("findByUsername", () => {
+		it("should find by username", async () => {
+			mockDb.limit.mockResolvedValueOnce([{ uuid: "u1" }]);
+			const result = await repository.findByUsername("u");
+			expect(result.uuid).toBe("u1");
+		});
+	});
+
+	describe("update", () => {
+		it("should update user", async () => {
+			mockDb.returning.mockResolvedValueOnce([{ uuid: "u1" }]);
+			await repository.update("u1", { displayName: "New" });
+			expect(mockDb.update).toHaveBeenCalled();
+			expect(mockDb.set).toHaveBeenCalled();
+		});
+	});
+
+	describe("getTwoFactorSecret", () => {
+		it("should return secret", async () => {
+			mockDb.limit.mockResolvedValueOnce([{ secret: "s" }]);
+			const result = await repository.getTwoFactorSecret("u1");
+			expect(result).toBe("s");
+		});
+	});
+
+	describe("getUserContents", () => {
+		it("should return contents", async () => {
+			mockDb.where.mockResolvedValueOnce([{ id: "c1" }]);
+			const result = await repository.getUserContents("u1");
+			expect(result[0].id).toBe("c1");
+		});
+	});
+
+	describe("softDeleteUserAndContents", () => {
+		it("should run transaction", async () => {
+			const mockTx = {
+				update: jest.fn().mockReturnThis(),
+				set: jest.fn().mockReturnThis(),
+				where: jest.fn().mockReturnThis(),
+				returning: jest.fn().mockResolvedValue([{ uuid: "u1" }]),
+			};
+			mockDb.transaction.mockImplementation(async (cb) => cb(mockTx));
+
+			const result = await repository.softDeleteUserAndContents("u1");
+			expect(result[0].uuid).toBe("u1");
+			expect(mockTx.update).toHaveBeenCalledTimes(2);
+		});
+	});
+
+	describe("purgeDeleted", () => {
+		it("should delete old deleted users", async () => {
+			mockDb.returning.mockResolvedValueOnce([{ uuid: "u1" }]);
+			const _result = await repository.purgeDeleted(new Date());
+			expect(mockDb.delete).toHaveBeenCalled();
+		});
+	});
+});

backend/src/users/repositories/users.repository.ts

@@ -64,7 +64,7 @@ export class UsersRepository {
 	}
 
 	async findAll(limit: number, offset: number) {
-		return await this.databaseService.db
+		const result = await this.databaseService.db
 			.select({
 				uuid: users.uuid,
 				username: users.username,
@@ -77,6 +77,8 @@ export class UsersRepository {
 			.from(users)
 			.limit(limit)
 			.offset(offset);
+
+		return result;
 	}
 
 	async findByUsername(username: string) {

backend/src/users/users.controller.spec.ts

@@ -0,0 +1,192 @@
+jest.mock("uuid", () => ({
+	v4: jest.fn(() => "mocked-uuid"),
+}));
+
+jest.mock("@noble/post-quantum/ml-kem.js", () => ({
+	ml_kem768: {
+		keygen: jest.fn(),
+		encapsulate: jest.fn(),
+		decapsulate: jest.fn(),
+	},
+}));
+
+jest.mock("jose", () => ({
+	SignJWT: jest.fn().mockReturnValue({
+		setProtectedHeader: jest.fn().mockReturnThis(),
+		setIssuedAt: jest.fn().mockReturnThis(),
+		setExpirationTime: jest.fn().mockReturnThis(),
+		sign: jest.fn().mockResolvedValue("mocked-jwt"),
+	}),
+	jwtVerify: jest.fn(),
+}));
+
+import { CACHE_MANAGER } from "@nestjs/cache-manager";
+import { Test, TestingModule } from "@nestjs/testing";
+import { AuthService } from "../auth/auth.service";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { RolesGuard } from "../auth/guards/roles.guard";
+import { AuthenticatedRequest } from "../common/interfaces/request.interface";
+import { UsersController } from "./users.controller";
+import { UsersService } from "./users.service";
+
+describe("UsersController", () => {
+	let controller: UsersController;
+	let usersService: UsersService;
+	let authService: AuthService;
+
+	const mockUsersService = {
+		findAll: jest.fn(),
+		findPublicProfile: jest.fn(),
+		findOneWithPrivateData: jest.fn(),
+		exportUserData: jest.fn(),
+		update: jest.fn(),
+		updateAvatar: jest.fn(),
+		updateConsent: jest.fn(),
+		remove: jest.fn(),
+	};
+
+	const mockAuthService = {
+		generateTwoFactorSecret: jest.fn(),
+		enableTwoFactor: jest.fn(),
+		disableTwoFactor: jest.fn(),
+	};
+
+	const mockCacheManager = {
+		get: jest.fn(),
+		set: jest.fn(),
+	};
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			controllers: [UsersController],
+			providers: [
+				{ provide: UsersService, useValue: mockUsersService },
+				{ provide: AuthService, useValue: mockAuthService },
+				{ provide: CACHE_MANAGER, useValue: mockCacheManager },
+			],
+		})
+			.overrideGuard(AuthGuard)
+			.useValue({ canActivate: () => true })
+			.overrideGuard(RolesGuard)
+			.useValue({ canActivate: () => true })
+			.compile();
+
+		controller = module.get<UsersController>(UsersController);
+		usersService = module.get<UsersService>(UsersService);
+		authService = module.get<AuthService>(AuthService);
+	});
+
+	it("should be defined", () => {
+		expect(controller).toBeDefined();
+	});
+
+	describe("findAll", () => {
+		it("should call usersService.findAll", async () => {
+			await controller.findAll(10, 0);
+			expect(usersService.findAll).toHaveBeenCalledWith(10, 0);
+		});
+	});
+
+	describe("findPublicProfile", () => {
+		it("should call usersService.findPublicProfile", async () => {
+			await controller.findPublicProfile("testuser");
+			expect(usersService.findPublicProfile).toHaveBeenCalledWith("testuser");
+		});
+	});
+
+	describe("findMe", () => {
+		it("should call usersService.findOneWithPrivateData", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.findMe(req);
+			expect(usersService.findOneWithPrivateData).toHaveBeenCalledWith(
+				"user-uuid",
+			);
+		});
+	});
+
+	describe("exportMe", () => {
+		it("should call usersService.exportUserData", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.exportMe(req);
+			expect(usersService.exportUserData).toHaveBeenCalledWith("user-uuid");
+		});
+	});
+
+	describe("updateMe", () => {
+		it("should call usersService.update", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			const dto = { displayName: "New Name" };
+			await controller.updateMe(req, dto);
+			expect(usersService.update).toHaveBeenCalledWith("user-uuid", dto);
+		});
+	});
+
+	describe("updateAvatar", () => {
+		it("should call usersService.updateAvatar", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			const file = {} as Express.Multer.File;
+			await controller.updateAvatar(req, file);
+			expect(usersService.updateAvatar).toHaveBeenCalledWith("user-uuid", file);
+		});
+	});
+
+	describe("updateConsent", () => {
+		it("should call usersService.updateConsent", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			const dto = { termsVersion: "1.0", privacyVersion: "1.0" };
+			await controller.updateConsent(req, dto);
+			expect(usersService.updateConsent).toHaveBeenCalledWith(
+				"user-uuid",
+				"1.0",
+				"1.0",
+			);
+		});
+	});
+
+	describe("removeMe", () => {
+		it("should call usersService.remove", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.removeMe(req);
+			expect(usersService.remove).toHaveBeenCalledWith("user-uuid");
+		});
+	});
+
+	describe("removeAdmin", () => {
+		it("should call usersService.remove", async () => {
+			await controller.removeAdmin("target-uuid");
+			expect(usersService.remove).toHaveBeenCalledWith("target-uuid");
+		});
+	});
+
+	describe("setup2fa", () => {
+		it("should call authService.generateTwoFactorSecret", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.setup2fa(req);
+			expect(authService.generateTwoFactorSecret).toHaveBeenCalledWith(
+				"user-uuid",
+			);
+		});
+	});
+
+	describe("enable2fa", () => {
+		it("should call authService.enableTwoFactor", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.enable2fa(req, "token123");
+			expect(authService.enableTwoFactor).toHaveBeenCalledWith(
+				"user-uuid",
+				"token123",
+			);
+		});
+	});
+
+	describe("disable2fa", () => {
+		it("should call authService.disableTwoFactor", async () => {
+			const req = { user: { sub: "user-uuid" } } as AuthenticatedRequest;
+			await controller.disable2fa(req, "token123");
+			expect(authService.disableTwoFactor).toHaveBeenCalledWith(
+				"user-uuid",
+				"token123",
+			);
+		});
+	});
+});

backend/src/users/users.controller.ts

@@ -112,6 +112,16 @@ export class UsersController {
 		return this.usersService.remove(uuid);
 	}
 
+	@Patch("admin/:uuid")
+	@UseGuards(AuthGuard, RolesGuard)
+	@Roles("admin")
+	updateAdmin(
+		@Param("uuid") uuid: string,
+		@Body() updateUserDto: UpdateUserDto,
+	) {
+		return this.usersService.update(uuid, updateUserDto);
+	}
+
 	// Double Authentification (2FA)
 	@Post("me/2fa/setup")
 	@UseGuards(AuthGuard)

backend/src/users/users.service.spec.ts

@@ -128,4 +128,112 @@ describe("UsersService", () => {
 			expect(result[0].displayName).toBe("New");
 		});
 	});
+
+	describe("clearUserCache", () => {
+		it("should delete cache", async () => {
+			await service.clearUserCache("u1");
+			expect(mockCacheManager.del).toHaveBeenCalledWith("users/profile/u1");
+		});
+	});
+
+	describe("findByEmailHash", () => {
+		it("should call repository.findByEmailHash", async () => {
+			mockUsersRepository.findByEmailHash.mockResolvedValue({ uuid: "u1" });
+			const result = await service.findByEmailHash("hash");
+			expect(result.uuid).toBe("u1");
+			expect(mockUsersRepository.findByEmailHash).toHaveBeenCalledWith("hash");
+		});
+	});
+
+	describe("findOneWithPrivateData", () => {
+		it("should return user with roles", async () => {
+			mockUsersRepository.findOneWithPrivateData.mockResolvedValue({ uuid: "u1" });
+			mockRbacService.getUserRoles.mockResolvedValue(["admin"]);
+			const result = await service.findOneWithPrivateData("u1");
+			expect(result.roles).toEqual(["admin"]);
+		});
+	});
+
+	describe("findAll", () => {
+		it("should return all users", async () => {
+			mockUsersRepository.findAll.mockResolvedValue([{ uuid: "u1" }]);
+			mockUsersRepository.countAll.mockResolvedValue(1);
+
+			const result = await service.findAll(10, 0);
+
+			expect(result.totalCount).toBe(1);
+			expect(result.data[0].uuid).toBe("u1");
+		});
+	});
+
+	describe("findPublicProfile", () => {
+		it("should return public profile", async () => {
+			mockUsersRepository.findByUsername.mockResolvedValue({
+				uuid: "u1",
+				username: "u1",
+			});
+			const result = await service.findPublicProfile("u1");
+			expect(result.username).toBe("u1");
+		});
+	});
+
+	describe("updateConsent", () => {
+		it("should update consent", async () => {
+			await service.updateConsent("u1", "v1", "v2");
+			expect(mockUsersRepository.update).toHaveBeenCalledWith("u1", {
+				termsVersion: "v1",
+				privacyVersion: "v2",
+				gdprAcceptedAt: expect.any(Date),
+			});
+		});
+	});
+
+	describe("setTwoFactorSecret", () => {
+		it("should set 2fa secret", async () => {
+			await service.setTwoFactorSecret("u1", "secret");
+			expect(mockUsersRepository.update).toHaveBeenCalledWith("u1", {
+				twoFactorSecret: "secret",
+			});
+		});
+	});
+
+	describe("toggleTwoFactor", () => {
+		it("should toggle 2fa", async () => {
+			await service.toggleTwoFactor("u1", true);
+			expect(mockUsersRepository.update).toHaveBeenCalledWith("u1", {
+				isTwoFactorEnabled: true,
+			});
+		});
+	});
+
+	describe("getTwoFactorSecret", () => {
+		it("should return 2fa secret", async () => {
+			mockUsersRepository.getTwoFactorSecret.mockResolvedValue("secret");
+			const result = await service.getTwoFactorSecret("u1");
+			expect(result).toBe("secret");
+		});
+	});
+
+	describe("exportUserData", () => {
+		it("should return all user data", async () => {
+			mockUsersRepository.findOneWithPrivateData.mockResolvedValue({ uuid: "u1" });
+			mockUsersRepository.getUserContents.mockResolvedValue([]);
+			mockUsersRepository.getUserFavorites.mockResolvedValue([]);
+
+			const result = await service.exportUserData("u1");
+
+			expect(result.profile).toBeDefined();
+			expect(result.contents).toBeDefined();
+			expect(result.favorites).toBeDefined();
+		});
+	});
+
+	describe("remove", () => {
+		it("should soft delete user", async () => {
+			await service.remove("u1");
+			expect(mockUsersRepository.softDeleteUserAndContents).toHaveBeenCalledWith(
+				"u1",
+			);
+		});
+	});
 });

backend/src/users/users.service.ts

@@ -100,7 +100,14 @@ export class UsersService {
 
 	async update(uuid: string, data: UpdateUserDto) {
 		this.logger.log(`Updating user profile for ${uuid}`);
-		const result = await this.usersRepository.update(uuid, data);
+
+		const { role, ...userData } = data;
+
+		const result = await this.usersRepository.update(uuid, userData);
+
+		if (role) {
+			await this.rbacService.assignRoleToUser(uuid, role);
+		}
 
 		if (result[0]) {
 			await this.clearUserCache(result[0].username);

docker-compose.prod.yml

@@ -9,6 +9,8 @@ services:
       POSTGRES_DB: ${POSTGRES_DB:-app}
     networks:
       - nw_memegoat
+    ports:
+      - "127.0.0.1:5432:5432"    # not exposed to WAN, LAN only for administration checkup
     volumes:
       - postgres_data:/var/lib/postgresql/data
     healthcheck:
@@ -35,6 +37,7 @@ services:
     restart: always
     networks:
       - nw_memegoat
+      - nw_caddy
     #ports:
     #  - "9000:9000"
     #  - "9001:9001"

documentation/content/docs/api-reference.mdx

@@ -18,15 +18,21 @@ Cette page documente tous les points de terminaison disponibles sur l'API Memego
     Inscrit un nouvel utilisateur.
 
     **Corps de la requête (JSON) :**
-    - `username` (string) : Nom d'utilisateur unique.
+    - `username` (string, max: 32) : Nom d'utilisateur unique.
     - `email` (string) : Adresse email valide.
-    - `password` (string) : Mot de passe (min. 8 caractères).
+    - `password` (string, min: 8) : Mot de passe.
+    - `displayName` (string, optional, max: 32) : Nom d'affichage.
+
+    **Réponses :**
+    - `201 Created` : Utilisateur créé.
+    - `400 Bad Request` : Validation échouée ou utilisateur déjà existant.
 
     ```json
     {
       "username": "goat_user",
       "email": "user@memegoat.fr",
-      "password": "strong-password"
+      "password": "strong-password",
+      "displayName": "Le Bouc"
     }
     ```
   </Accordion>
@@ -38,23 +44,25 @@ Cette page documente tous les points de terminaison disponibles sur l'API Memego
     - `email` (string)
     - `password` (string)
 
-    **Réponse (Succès) :**
-    ```json
-    {
-      "message": "User logged in successfully",
-      "userId": "uuid-v4"
-    }
-    ```
-    *Note: L'access_token et le refresh_token sont stockés dans un cookie HttpOnly chiffré.*
+    **Réponses :**
+    - `200 OK` : Connexion réussie.
+      ```json
+      {
+        "message": "User logged in successfully",
+        "userId": "uuid-v4"
+      }
+      ```
+    - `200 OK` (2FA requise) :
+      ```json
+      {
+        "message": "2FA required",
+        "requires2FA": true,
+        "userId": "uuid-v4"
+      }
+      ```
+    - `401 Unauthorized` : Identifiants invalides.
 
-    **Réponse (2FA requise) :**
-    ```json
-    {
-      "message": "2FA required",
-      "requires2FA": true,
-      "userId": "uuid-v4"
-    }
-    ```
+    *Note: L'access_token et le refresh_token sont stockés dans un cookie HttpOnly chiffré.*
   </Accordion>
 
   <Accordion title="POST /auth/verify-2fa">
@@ -63,15 +71,41 @@ Cette page documente tous les points de terminaison disponibles sur l'API Memego
     **Corps de la requête :**
     - `userId` (uuid) : ID de l'utilisateur.
     - `token` (string) : Code TOTP à 6 chiffres.
+
+    **Réponses :**
+    - `200 OK` : Vérification réussie, session établie.
+    - `401 Unauthorized` : Token invalide ou utilisateur non autorisé.
   </Accordion>
 
   <Accordion title="POST /auth/refresh">
     Obtient un nouvel `access_token` à partir du `refresh_token` stocké dans la session.
     Met à jour automatiquement le cookie de session.
+
+    **Réponses :**
+    - `200 OK` : Token rafraîchi.
+    - `401 Unauthorized` : Refresh token absent ou invalide.
   </Accordion>
 
   <Accordion title="POST /auth/logout">
-    Invalide la session actuelle.
+    Invalide la session actuelle en détruisant le cookie de session.
+
+    **Réponses :**
+    - `200 OK` : Déconnexion réussie.
+  </Accordion>
+
+  <Accordion title="GET /auth/bootstrap-admin">
+    Élève les privilèges d'un utilisateur au rang d'administrateur. 
+    <Callout type="warn">
+      Cette route n'est active que si aucun administrateur n'existe en base de données. Le token est affiché dans les logs de la console au démarrage.
+    </Callout>
+
+    **Query Params :**
+    - `token` (string) : Token à usage unique généré par le système.
+    - `username` (string) : Nom de l'utilisateur à promouvoir.
+
+    **Réponses :**
+    - `200 OK` : Utilisateur promu.
+    - `401 Unauthorized` : Token invalide ou utilisateur non trouvé.
   </Accordion>
 </Accordions>
 
@@ -80,16 +114,62 @@ Cette page documente tous les points de terminaison disponibles sur l'API Memego
 <Accordions>
   <Accordion title="GET /users/me">
     Récupère les informations détaillées de l'utilisateur connecté. Requiert l'authentification.
+
+    **Réponses :**
+    - `200 OK` : Retourne l'objet utilisateur complet (incluant données privées).
+    - `401 Unauthorized` : Session invalide.
+  </Accordion>
+
+  <Accordion title="GET /users/public/:username">
+    Récupère le profil public d'un utilisateur par son nom d'utilisateur. Mise en cache pendant 1 minute.
+
+    **Réponses :**
+    - `200 OK` : Profil public (id, username, displayName, bio, avatarUrl, createdAt).
+    - `404 Not Found` : Utilisateur non trouvé.
   </Accordion>
 
   <Accordion title="GET /users/me/export">
     Extrait l'intégralité des données de l'utilisateur au format JSON (Conformité RGPD).
-    Contient le profil, les contenus et les favoris.
+    Contient le profil, les contenus créés et les favoris.
+
+    **Réponses :**
+    - `200 OK` : Archive JSON des données.
+    - `401 Unauthorized` : Non authentifié.
   </Accordion>
 
   <Accordion title="PATCH /users/me">
     Met à jour les informations du profil.
-    - `displayName` (string)
+
+    **Corps de la requête :**
+    - `displayName` (string, optional, max: 32)
+    - `bio` (string, optional, max: 255)
+    - `avatarUrl` (string, optional) : URL directe de l'avatar.
+
+    **Réponses :**
+    - `200 OK` : Profil mis à jour.
+    - `400 Bad Request` : Validation échouée.
+  </Accordion>
+
+  <Accordion title="POST /users/me/avatar">
+    Met à jour l'avatar de l'utilisateur via upload de fichier.
+
+    **Type :** `multipart/form-data`
+    **Champ :** `file` (Image: png, jpeg, webp)
+
+    **Réponses :**
+    - `201 Created` : Avatar téléchargé et mis à jour.
+    - `400 Bad Request` : Fichier invalide ou trop volumineux.
+  </Accordion>
+
+  <Accordion title="PATCH /users/me/consent">
+    Met à jour les consentements légaux de l'utilisateur (CGU/RGPD).
+
+    **Corps de la requête :**
+    - `termsVersion` (string, max: 16)
+    - `privacyVersion` (string, max: 16)
+
+    **Réponses :**
+    - `200 OK` : Consentements enregistrés.
   </Accordion>
 
   <Accordion title="DELETE /users/me">
@@ -97,95 +177,388 @@ Cette page documente tous les points de terminaison disponibles sur l'API Memego
     <Callout type="warn">
       Les données sont définitivement purgées après un délai légal de 30 jours.
     </Callout>
+
+    **Réponses :**
+    - `200 OK` : Suppression planifiée.
   </Accordion>
 
-  <Accordion title="Gestion 2FA">
-    - `POST /users/me/2fa/setup` : Génère un secret et QR Code.
-    - `POST /users/me/2fa/enable` : Active après vérification du jeton.
-    - `POST /users/me/2fa/disable` : Désactive avec jeton.
+  <Accordion title="POST /users/me/2fa/setup">
+    Génère un secret et un QR Code pour la configuration de la 2FA.
+
+    **Réponses :**
+    - `201 Created` :
+      ```json
+      {
+        "secret": "JBSWY3DPEHPK3PXP",
+        "qrCodeDataUrl": "data:image/png;base64,..."
+      }
+      ```
   </Accordion>
 
-  <Accordion title="Administration (GET /users/admin)">
-    Liste tous les utilisateurs. Réservé aux administrateurs.
-    **Params :** `limit`, `offset`.
+  <Accordion title="POST /users/me/2fa/enable">
+    Active la 2FA après vérification du jeton TOTP.
+
+    **Corps de la requête :**
+    - `token` (string) : Code TOTP généré par l'app.
+
+    **Réponses :**
+    - `200 OK` : 2FA activée.
+    - `400 Bad Request` : Token invalide ou 2FA non initiée.
+  </Accordion>
+
+  <Accordion title="POST /users/me/2fa/disable">
+    Désactive la 2FA en utilisant un jeton TOTP valide.
+
+    **Corps de la requête :**
+    - `token` (string) : Code TOTP.
+
+    **Réponses :**
+    - `200 OK` : 2FA désactivée.
+  </Accordion>
+
+  <Accordion title="GET /users/admin">
+    Liste tous les utilisateurs. **Réservé aux administrateurs.**
+
+    **Query Params :**
+    - `limit` (number) : Défaut 10.
+    - `offset` (number) : Défaut 0.
+
+    **Réponses :**
+    - `200 OK` : Liste paginée des utilisateurs.
+    - `403 Forbidden` : Droits insuffisants.
+  </Accordion>
+
+  <Accordion title="DELETE /users/:uuid">
+    Supprime définitivement un utilisateur par son UUID. **Réservé aux administrateurs.**
+
+    **Réponses :**
+    - `200 OK` : Utilisateur supprimé.
   </Accordion>
 </Accordions>
 
 ### 🖼️ Contenus (`/contents`)
 
 <Accordions>
-  <Accordion title="GET /contents/explore | /trends | /recent">
-    Recherche et filtre les contenus. Ces endpoints sont mis en cache (Redis + Navigateur).
+  <Accordion title="GET /contents/explore">
+    Recherche et filtre les contenus. Cet endpoint est mis en cache pendant 1 minute.
     
     **Query Params :**
-    - `sort` : `trend` | `recent` (uniquement sur `/explore`)
-    - `tag` (string)
-    - `category` (slug ou id)
-    - `author` (username)
-    - `query` (titre)
-    - `favoritesOnly` (bool)
+    - `limit` (number) : Défaut 10.
+    - `offset` (number) : Défaut 0.
+    - `sort` : `trend` | `recent`
+    - `tag` (string) : Filtrer par tag (nom).
+    - `category` (slug ou uuid) : Filtrer par catégorie.
+    - `author` (username) : Filtrer par auteur.
+    - `query` (string) : Recherche textuelle dans le titre.
+    - `favoritesOnly` (boolean) : Ne montrer que les favoris de l'utilisateur (nécessite auth).
+    - `userId` (uuid) : Filtrer par ID utilisateur.
+
+    **Réponses :**
+    - `200 OK` : Liste paginée des contenus.
+  </Accordion>
+
+  <Accordion title="GET /contents/trends">
+    Récupère les contenus les plus populaires du moment. Cache de 5 minutes.
+
+    **Query Params :** `limit`, `offset`.
+
+    **Réponses :**
+    - `200 OK` : Liste des tendances.
+  </Accordion>
+
+  <Accordion title="GET /contents/recent">
+    Récupère les contenus les plus récents. Cache de 1 minute.
+
+    **Query Params :** `limit`, `offset`.
+
+    **Réponses :**
+    - `200 OK` : Liste des contenus récents.
   </Accordion>
 
   <Accordion title="GET /contents/:idOrSlug">
-    Récupère un contenu par son ID ou son Slug.
+    Récupère un contenu par son ID ou son Slug. Cache de 1 heure.
     
     **Détection de Bots (SEO) :**
-    Si l'User-Agent correspond à un robot d'indexation (Googlebot, Twitterbot, etc.), l'API retourne un rendu HTML minimal contenant les méta-tags **OpenGraph** et **Twitter Cards** pour un partage optimal. Pour les autres clients, les données sont retournées en JSON.
+    Si l'User-Agent correspond à un robot d'indexation (Googlebot, Twitterbot, etc.), l'API retourne un rendu HTML minimal contenant les méta-tags **OpenGraph** et **Twitter Cards**.
+
+    **Réponses :**
+    - `200 OK` : Objet Contenu ou Rendu HTML (Bots).
+    - `404 Not Found` : Contenu inexistant.
+  </Accordion>
+
+  <Accordion title="POST /contents">
+    Crée une entrée de contenu à partir d'une ressource déjà uploadée ou externe.
+
+    **Corps de la requête :**
+    - `type` : `meme` | `gif`
+    - `title` (string, max: 255)
+    - `storageKey` (string, max: 512) : Clé du fichier sur S3.
+    - `mimeType` (string, max: 128)
+    - `fileSize` (number)
+    - `categoryId` (uuid, optional)
+    - `tags` (string[], optional)
+
+    **Réponses :**
+    - `201 Created` : Contenu référencé.
+    - `401 Unauthorized` : Non authentifié.
   </Accordion>
 
   <Accordion title="POST /contents/upload">
-    Upload un fichier avec traitement automatique.
-    **Type :** `multipart/form-data`
+    Upload un fichier et crée le contenu associé en une seule étape.
 
+    **Type :** `multipart/form-data`
     **Champs :**
     - `file` (binary) : png, jpeg, webp, webm, gif.
     - `type` : `meme` | `gif`
-    - `title` : string
-    - `categoryId`? : uuid
-    - `tags`? : string[]
+    - `title` (string)
+    - `categoryId` (uuid, optional)
+    - `tags` (string[], optional)
+
+    **Réponses :**
+    - `201 Created` : Upload réussi et contenu créé.
+    - `400 Bad Request` : Fichier non supporté ou données invalides.
   </Accordion>
 
-  <Accordion title="POST /contents/:id/view | /use">
-    Incrémente les statistiques de vue ou d'utilisation.
+  <Accordion title="POST /contents/upload-url">
+    Génère une URL présignée pour un upload direct vers S3.
+
+    **Query Param :**
+    - `fileName` (string) : Nom du fichier avec extension.
+
+    **Réponses :**
+    - `201 Created` : Retourne l'URL présignée et les champs requis.
+  </Accordion>
+
+  <Accordion title="POST /contents/:id/view">
+    Incrémente le compteur de vues d'un contenu.
+
+    **Réponses :**
+    - `201 Created` : Compteur incrémenté.
+  </Accordion>
+
+  <Accordion title="POST /contents/:id/use">
+    Incrémente le compteur d'utilisation (clic sur "Utiliser").
+
+    **Réponses :**
+    - `201 Created` : Compteur incrémenté.
   </Accordion>
 
   <Accordion title="DELETE /contents/:id">
     Supprime un contenu (Soft Delete). Doit être l'auteur.
+
+    **Réponses :**
+    - `200 OK` : Contenu supprimé.
+    - `403 Forbidden` : Tentative de supprimer le contenu d'autrui.
+  </Accordion>
+
+  <Accordion title="DELETE /contents/:id/admin">
+    Supprime définitivement un contenu. **Réservé aux administrateurs.**
+
+    **Réponses :**
+    - `200 OK` : Contenu supprimé définitivement.
   </Accordion>
 </Accordions>
 
-### 📂 Catégories, ⭐ Favoris, 🚩 Signalements
+### 📂 Catégories (`/categories`)
 
 <Accordions>
-  <Accordion title="Catégories (/categories)">
-    - `GET /categories` : Liste toutes les catégories.
-    - `POST /categories` : Création (Admin uniquement).
+  <Accordion title="GET /categories">
+    Liste toutes les catégories de mèmes disponibles. Cache de 1 heure.
+
+    **Réponses :**
+    - `200 OK` : Liste d'objets catégorie.
   </Accordion>
 
-  <Accordion title="Favoris (/favorites)">
-    - `GET /favorites` : Liste les favoris de l'utilisateur.
-    - `POST /favorites/:contentId` : Ajoute un favori.
-    - `DELETE /favorites/:contentId` : Retire un favori.
+  <Accordion title="GET /categories/:id">
+    Récupère les détails d'une catégorie spécifique.
+
+    **Réponses :**
+    - `200 OK` : Objet catégorie.
+    - `404 Not Found` : Catégorie non trouvée.
   </Accordion>
 
-  <Accordion title="Signalements (/reports)">
-    - `POST /reports` : Signale un contenu ou un tag.
-    - `GET /reports` : Liste (Modérateurs).
-    - `PATCH /reports/:id/status` : Gère le workflow.
+  <Accordion title="POST /categories">
+    Crée une nouvelle catégorie. **Admin uniquement.**
+
+    **Corps de la requête :**
+    - `name` (string, max: 64)
+    - `description` (string, optional, max: 255)
+    - `iconUrl` (string, optional, max: 512)
+
+    **Réponses :**
+    - `201 Created` : Catégorie créée.
+  </Accordion>
+
+  <Accordion title="PATCH /categories/:id">
+    Met à jour une catégorie existante. **Admin uniquement.**
+
+    **Corps de la requête :** (Tous optionnels) `name`, `description`, `iconUrl`.
+
+    **Réponses :**
+    - `200 OK` : Catégorie mise à jour.
+  </Accordion>
+
+  <Accordion title="DELETE /categories/:id">
+    Supprime une catégorie. **Admin uniquement.**
+
+    **Réponses :**
+    - `200 OK` : Catégorie supprimée.
   </Accordion>
 </Accordions>
 
-### 🔑 Clés API & 🏷️ Tags
+### ⭐ Favoris (`/favorites`)
 
 <Accordions>
-  <Accordion title="Clés API (/api-keys)">
-    - `POST /api-keys` : Génère une clé `{ name, expiresAt? }`.
-    - `GET /api-keys` : Liste les clés actives.
-    - `DELETE /api-keys/:id` : Révoque une clé.
+  <Accordion title="GET /favorites">
+    Liste les favoris de l'utilisateur connecté.
+
+    **Query Params :**
+    - `limit` (number) : Défaut 10.
+    - `offset` (number) : Défaut 0.
+
+    **Réponses :**
+    - `200 OK` : Liste paginée des favoris.
+    - `401 Unauthorized` : Non authentifié.
   </Accordion>
 
-  <Accordion title="Tags (/tags)">
-    - `GET /tags` : Recherche de tags populaires ou récents.
-    **Params :** `query`, `sort`, `limit`.
+  <Accordion title="POST /favorites/:contentId">
+    Ajoute un contenu aux favoris de l'utilisateur.
+
+    **Réponses :**
+    - `201 Created` : Favori ajouté.
+  </Accordion>
+
+  <Accordion title="DELETE /favorites/:contentId">
+    Retire un contenu des favoris de l'utilisateur.
+
+    **Réponses :**
+    - `200 OK` : Favori supprimé.
+  </Accordion>
+</Accordions>
+
+### 🚩 Signalements (`/reports`)
+
+<Accordions>
+  <Accordion title="POST /reports">
+    Signale un contenu ou un tag pour modération.
+
+    **Corps de la requête :**
+    - `contentId` (uuid, optional) : ID du contenu à signaler.
+    - `tagId` (uuid, optional) : ID du tag à signaler.
+    - `reason` : `inappropriate` | `spam` | `copyright` | `other`
+    - `description` (string, optional, max: 1000)
+
+    **Réponses :**
+    - `201 Created` : Signalement enregistré.
+  </Accordion>
+
+  <Accordion title="GET /reports">
+    Liste les signalements. **Réservé aux administrateurs et modérateurs.**
+
+    **Query Params :**
+    - `limit` (number) : Défaut 10.
+    - `offset` (number) : Défaut 0.
+
+    **Réponses :**
+    - `200 OK` : Liste des signalements.
+  </Accordion>
+
+  <Accordion title="PATCH /reports/:id/status">
+    Met à jour le statut d'un signalement. **Réservé aux administrateurs et modérateurs.**
+
+    **Corps de la requête :**
+    - `status` : `pending` | `reviewed` | `resolved` | `dismissed`
+
+    **Réponses :**
+    - `200 OK` : Statut mis à jour.
+  </Accordion>
+</Accordions>
+
+### 🔑 Clés API (`/api-keys`)
+
+<Accordions>
+  <Accordion title="POST /api-keys">
+    Génère une nouvelle clé API pour l'utilisateur.
+
+    **Corps de la requête :**
+    - `name` (string, max: 128) : Nom descriptif de la clé.
+    - `expiresAt` (date-string, optional) : Date d'expiration.
+
+    **Réponses :**
+    - `201 Created` : Clé générée. Retourne le token (à conserver précieusement, ne sera plus affiché).
+  </Accordion>
+
+  <Accordion title="GET /api-keys">
+    Liste toutes les clés API actives de l'utilisateur.
+
+    **Réponses :**
+    - `200 OK` : Liste des métadonnées des clés (nom, date de création, expiration).
+  </Accordion>
+
+  <Accordion title="DELETE /api-keys/:id">
+    Révoque une clé API spécifique.
+
+    **Réponses :**
+    - `200 OK` : Clé révoquée.
+  </Accordion>
+</Accordions>
+
+### 🏷️ Tags (`/tags`)
+
+<Accordions>
+  <Accordion title="GET /tags">
+    Liste les tags populaires ou recherchés. Cache de 5 minutes.
+
+    **Query Params :**
+    - `limit` (number) : Défaut 10.
+    - `offset` (number) : Défaut 0.
+    - `query` (string, optional) : Recherche par nom.
+    - `sort` : `popular` | `recent`
+
+    **Réponses :**
+    - `200 OK` : Liste paginée des tags.
+  </Accordion>
+</Accordions>
+
+### 🛠️ Système (`/health`)
+
+<Accordions>
+  <Accordion title="GET /health">
+    Vérifie l'état de santé de l'API et de ses dépendances (DB, Redis).
+
+    **Réponses :**
+    - `200 OK` : Système opérationnel.
+      ```json
+      {
+        "status": "ok",
+        "timestamp": "2024-01-21T10:00:00.000Z",
+        "database": "connected",
+        "redis": "connected"
+      }
+      ```
+    - `503 Service Unavailable` : Problème sur l'un des composants.
+  </Accordion>
+</Accordions>
+
+### 📁 Médias (`/media`)
+
+<Accordions>
+  <Accordion title="GET /media">
+    Sert un fichier média stocké sur S3 avec une gestion optimisée du cache.
+
+    **Query Params :**
+    - `path` (string) : Chemin relatif du fichier sur le bucket.
+
+    **Réponses :**
+    - `200 OK` : Flux binaire du fichier. Headers `Content-Type` et `Cache-Control` inclus.
+    - `404 Not Found` : Fichier introuvable.
+  </Accordion>
+</Accordions>
+
+### 📊 Administration (`/admin`)
+
+<Accordions>
+  <Accordion title="GET /admin/stats">
+    Récupère les statistiques globales d'utilisation de la plateforme (**Admin uniquement**).
   </Accordion>
 </Accordions>

documentation/content/docs/api.mdx

@@ -20,6 +20,13 @@ Le système utilise plusieurs méthodes d'authentification sécurisées pour ré
   <Card title="Double Authentification" description="Support TOTP natif avec secret chiffré PGP pour une sécurité maximale." />
 </Cards>
 
-### Webhooks / Services Externes
+### Stockage & Médias (S3)
 
-Liste des intégrations tierces.
+Memegoat utilise une architecture de stockage d'objets compatible S3 (MinIO). Les interactions se font de deux manières :
+
+1.  **Proxification Backend** : Pour l'accès public via `/media?path=...`.
+2.  **URLs Présignées** : Pour l'upload sécurisé direct depuis le client (via `/contents/upload-url`).
+
+### Notifications (Mail)
+
+Le système intègre un service d'envoi d'emails (SMTP) pour les notifications critiques et la gestion des comptes.

documentation/content/docs/database.mdx

@@ -35,10 +35,13 @@ erDiagram
         string username
         string email
         string display_name
+        string avatar_url
+        string bio
         string status
     }
     CONTENT {
         string title
+        string slug
         string type
         string storage_key
     }
@@ -82,6 +85,8 @@ erDiagram
         bytea email
         varchar email_hash
         varchar display_name
+        varchar avatar_url
+        varchar bio
         varchar password_hash
         user_status status
         bytea two_factor_secret
@@ -100,6 +105,7 @@ erDiagram
         uuid category_id FK
         content_type type
         varchar title
+        varchar slug
         varchar storage_key
         varchar mime_type
         integer file_size
@@ -233,6 +239,8 @@ erDiagram
         varchar email_hash "UNIQUE, INDEXED"
         varchar username "UNIQUE, NOT NULL"
         varchar password_hash "NOT NULL"
+        varchar avatar_url "NULLABLE"
+        varchar bio "NULLABLE"
         bytea two_factor_secret "ENCRYPTED"
         boolean is_two_factor_enabled "DEFAULT false"
         timestamp gdpr_accepted_at "NULLABLE"
@@ -241,6 +249,7 @@ erDiagram
     contents {
         uuid id "DEFAULT gen_random_uuid()"
         uuid user_id "REFERENCES users(uuid)"
+        varchar slug "UNIQUE, NOT NULL"
         varchar storage_key "UNIQUE, NOT NULL"
         integer file_size "NOT NULL"
         timestamp deleted_at "SOFT DELETE"

documentation/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@memegoat/documentation",
-	"version": "0.0.1",
+	"version": "0.1.0",
 	"private": true,
 	"scripts": {
 		"build": "next build",

frontend/next.config.ts

@@ -3,6 +3,18 @@ import type { NextConfig } from "next";
 const nextConfig: NextConfig = {
 	/* config options here */
 	reactCompiler: true,
+	images: {
+		remotePatterns: [
+			{
+				protocol: "https",
+				hostname: "memegoat.fr",
+			},
+			{
+				protocol: "https",
+				hostname: "api.memegoat.fr",
+			},
+		],
+	},
 	output: "standalone",
 };
 

frontend/package.json

@@ -1,12 +1,13 @@
 {
 	"name": "@memegoat/frontend",
-	"version": "0.0.0",
+	"version": "1.3.0",
 	"private": true,
 	"scripts": {
 		"dev": "next dev",
 		"build": "next build",
 		"start": "next start",
 		"lint": "biome check",
+		"lint:write": "biome check --write",
 		"format": "biome format --write"
 	},
 	"dependencies": {

frontend/src/app/(dashboard)/admin/categories/category-dialog.tsx

@@ -0,0 +1,149 @@
+"use client";
+
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { Button } from "@/components/ui/button";
+import {
+	Dialog,
+	DialogContent,
+	DialogFooter,
+	DialogHeader,
+	DialogTitle,
+} from "@/components/ui/dialog";
+import {
+	Form,
+	FormControl,
+	FormField,
+	FormItem,
+	FormLabel,
+	FormMessage,
+} from "@/components/ui/form";
+import { Input } from "@/components/ui/input";
+import { Textarea } from "@/components/ui/textarea";
+import { CategoryService } from "@/services/category.service";
+import type { Category } from "@/types/content";
+
+interface CategoryDialogProps {
+	category?: Category | null;
+	open: boolean;
+	onOpenChange: (open: boolean) => void;
+	onSuccess: () => void;
+}
+
+export function CategoryDialog({
+	category,
+	open,
+	onOpenChange,
+	onSuccess,
+}: CategoryDialogProps) {
+	const [loading, setLoading] = useState(false);
+
+	const form = useForm<Partial<Category>>({
+		defaultValues: {
+			name: "",
+			description: "",
+			iconUrl: "",
+		},
+	});
+
+	useEffect(() => {
+		if (category) {
+			form.reset({
+				name: category.name,
+				description: category.description || "",
+				iconUrl: category.iconUrl || "",
+			});
+		} else {
+			form.reset({
+				name: "",
+				description: "",
+				iconUrl: "",
+			});
+		}
+	}, [category, form]);
+
+	const onSubmit = async (values: Partial<Category>) => {
+		setLoading(true);
+		try {
+			if (category) {
+				await CategoryService.update(category.id, values);
+			} else {
+				await CategoryService.create(values);
+			}
+			onSuccess();
+			onOpenChange(false);
+		} catch (error) {
+			console.error(error);
+		} finally {
+			setLoading(false);
+		}
+	};
+
+	return (
+		<Dialog open={open} onOpenChange={onOpenChange}>
+			<DialogContent>
+				<DialogHeader>
+					<DialogTitle>
+						{category ? "Modifier la catégorie" : "Créer une catégorie"}
+					</DialogTitle>
+				</DialogHeader>
+				<Form {...form}>
+					<form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
+						<FormField
+							control={form.control}
+							name="name"
+							rules={{ required: "Le nom est requis" }}
+							render={({ field }) => (
+								<FormItem>
+									<FormLabel>Nom</FormLabel>
+									<FormControl>
+										<Input {...field} placeholder="Nom de la catégorie" />
+									</FormControl>
+									<FormMessage />
+								</FormItem>
+							)}
+						/>
+						<FormField
+							control={form.control}
+							name="description"
+							render={({ field }) => (
+								<FormItem>
+									<FormLabel>Description</FormLabel>
+									<FormControl>
+										<Textarea {...field} placeholder="Description (optionnel)" />
+									</FormControl>
+									<FormMessage />
+								</FormItem>
+							)}
+						/>
+						<FormField
+							control={form.control}
+							name="iconUrl"
+							render={({ field }) => (
+								<FormItem>
+									<FormLabel>URL de l'icône</FormLabel>
+									<FormControl>
+										<Input {...field} placeholder="https://..." />
+									</FormControl>
+									<FormMessage />
+								</FormItem>
+							)}
+						/>
+						<DialogFooter>
+							<Button
+								type="button"
+								variant="outline"
+								onClick={() => onOpenChange(false)}
+							>
+								Annuler
+							</Button>
+							<Button type="submit" disabled={loading}>
+								{loading ? "Enregistrement..." : "Enregistrer"}
+							</Button>
+						</DialogFooter>
+					</form>
+				</Form>
+			</DialogContent>
+		</Dialog>
+	);
+}

frontend/src/app/(dashboard)/admin/categories/page.tsx

@@ -1,6 +1,9 @@
 "use client";
 
-import { useEffect, useState } from "react";
+import { Edit, Plus, Trash2 } from "lucide-react";
+import Image from "next/image";
+import { useCallback, useEffect, useState } from "react";
+import { Button } from "@/components/ui/button";
 import { Skeleton } from "@/components/ui/skeleton";
 import {
 	Table,
@@ -12,24 +15,57 @@ import {
 } from "@/components/ui/table";
 import { CategoryService } from "@/services/category.service";
 import type { Category } from "@/types/content";
+import { CategoryDialog } from "./category-dialog";
 
 export default function AdminCategoriesPage() {
 	const [categories, setCategories] = useState<Category[]>([]);
 	const [loading, setLoading] = useState(true);
+	const [dialogOpen, setDialogOpen] = useState(false);
+	const [selectedCategory, setSelectedCategory] = useState<Category | null>(
+		null,
+	);
 
-	useEffect(() => {
+	const fetchCategories = useCallback(() => {
+		setLoading(true);
 		CategoryService.getAll()
 			.then(setCategories)
 			.catch((err) => console.error(err))
 			.finally(() => setLoading(false));
 	}, []);
 
+	useEffect(() => {
+		fetchCategories();
+	}, [fetchCategories]);
+
+	const handleDelete = async (id: string) => {
+		if (!confirm("Êtes-vous sûr de vouloir supprimer cette catégorie ?")) return;
+		try {
+			await CategoryService.remove(id);
+			setCategories(categories.filter((c) => c.id !== id));
+		} catch (error) {
+			console.error(error);
+		}
+	};
+
+	const handleEdit = (category: Category) => {
+		setSelectedCategory(category);
+		setDialogOpen(true);
+	};
+
+	const handleCreate = () => {
+		setSelectedCategory(null);
+		setDialogOpen(true);
+	};
+
 	return (
 		<div className="flex-1 space-y-4 p-4 pt-6 md:p-8">
 			<div className="flex items-center justify-between">
 				<h2 className="text-3xl font-bold tracking-tight">
 					Catégories ({categories.length})
 				</h2>
+				<Button onClick={handleCreate}>
+					<Plus className="mr-2 h-4 w-4" /> Ajouter une catégorie
+				</Button>
 			</div>
 			<div className="rounded-md border bg-card">
 				<Table>
@@ -38,6 +74,7 @@ export default function AdminCategoriesPage() {
 							<TableHead>Nom</TableHead>
 							<TableHead>Slug</TableHead>
 							<TableHead>Description</TableHead>
+							<TableHead className="w-[100px]"></TableHead>
 						</TableRow>
 					</TableHeader>
 					<TableBody>
@@ -54,11 +91,14 @@ export default function AdminCategoriesPage() {
 									<TableCell>
 										<Skeleton className="h-4 w-[250px]" />
 									</TableCell>
+									<TableCell>
+										<Skeleton className="h-8 w-8 rounded-full" />
+									</TableCell>
 								</TableRow>
 							))
 						) : categories.length === 0 ? (
 							<TableRow>
-								<TableCell colSpan={3} className="text-center h-24">
+								<TableCell colSpan={4} className="text-center h-24">
 									Aucune catégorie trouvée.
 								</TableCell>
 							</TableRow>
@@ -66,18 +106,55 @@ export default function AdminCategoriesPage() {
 							categories.map((category) => (
 								<TableRow key={category.id}>
 									<TableCell className="font-medium whitespace-nowrap">
-										{category.name}
+										<div className="flex items-center gap-2">
+											{category.iconUrl && (
+												<div className="relative h-6 w-6">
+													<Image
+														src={category.iconUrl}
+														alt=""
+														fill
+														className="rounded object-cover"
+													/>
+												</div>
+											)}
+											{category.name}
+										</div>
 									</TableCell>
 									<TableCell className="whitespace-nowrap">{category.slug}</TableCell>
 									<TableCell className="text-muted-foreground">
 										{category.description || "Aucune description"}
 									</TableCell>
+									<TableCell>
+										<div className="flex items-center gap-2">
+											<Button
+												variant="ghost"
+												size="icon"
+												onClick={() => handleEdit(category)}
+											>
+												<Edit className="h-4 w-4" />
+											</Button>
+											<Button
+												variant="ghost"
+												size="icon"
+												onClick={() => handleDelete(category.id)}
+												className="text-destructive hover:text-destructive hover:bg-destructive/10"
+											>
+												<Trash2 className="h-4 w-4" />
+											</Button>
+										</div>
+									</TableCell>
 								</TableRow>
 							))
 						)}
 					</TableBody>
 				</Table>
 			</div>
+			<CategoryDialog
+				open={dialogOpen}
+				onOpenChange={setDialogOpen}
+				category={selectedCategory}
+				onSuccess={fetchCategories}
+			/>
 		</div>
 	);
 }

frontend/src/app/(dashboard)/admin/contents/content-edit-dialog.tsx

@@ -0,0 +1,155 @@
+"use client";
+
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { Button } from "@/components/ui/button";
+import {
+	Dialog,
+	DialogContent,
+	DialogFooter,
+	DialogHeader,
+	DialogTitle,
+} from "@/components/ui/dialog";
+import {
+	Form,
+	FormControl,
+	FormField,
+	FormItem,
+	FormLabel,
+	FormMessage,
+} from "@/components/ui/form";
+import { Input } from "@/components/ui/input";
+import {
+	Select,
+	SelectContent,
+	SelectItem,
+	SelectTrigger,
+	SelectValue,
+} from "@/components/ui/select";
+import { CategoryService } from "@/services/category.service";
+import { ContentService } from "@/services/content.service";
+import type { Category, Content } from "@/types/content";
+
+interface ContentEditDialogProps {
+	content: Content | null;
+	open: boolean;
+	onOpenChange: (open: boolean) => void;
+	onSuccess: () => void;
+}
+
+export function ContentEditDialog({
+	content,
+	open,
+	onOpenChange,
+	onSuccess,
+}: ContentEditDialogProps) {
+	const [loading, setLoading] = useState(false);
+	const [categories, setCategories] = useState<Category[]>([]);
+
+	const form = useForm<{ title: string; categoryId: string }>({
+		defaultValues: {
+			title: "",
+			categoryId: "",
+		},
+	});
+
+	useEffect(() => {
+		CategoryService.getAll().then(setCategories).catch(console.error);
+	}, []);
+
+	useEffect(() => {
+		if (content) {
+			form.reset({
+				title: content.title,
+				categoryId: content.categoryId || "none",
+			});
+		}
+	}, [content, form]);
+
+	const onSubmit = async (values: { title: string; categoryId: string }) => {
+		if (!content) return;
+		setLoading(true);
+		try {
+			const data = {
+				...values,
+				categoryId: values.categoryId === "none" ? null : values.categoryId,
+			};
+			await ContentService.updateAdmin(content.id, data);
+			onSuccess();
+			onOpenChange(false);
+		} catch (error) {
+			console.error(error);
+		} finally {
+			setLoading(false);
+		}
+	};
+
+	return (
+		<Dialog open={open} onOpenChange={onOpenChange}>
+			<DialogContent>
+				<DialogHeader>
+					<DialogTitle>Modifier le contenu</DialogTitle>
+				</DialogHeader>
+				<Form {...form}>
+					<form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
+						<FormField
+							control={form.control}
+							name="title"
+							rules={{ required: "Le titre est requis" }}
+							render={({ field }) => (
+								<FormItem>
+									<FormLabel>Titre</FormLabel>
+									<FormControl>
+										<Input {...field} placeholder="Titre du contenu" />
+									</FormControl>
+									<FormMessage />
+								</FormItem>
+							)}
+						/>
+						<FormField
+							control={form.control}
+							name="categoryId"
+							render={({ field }) => (
+								<FormItem>
+									<FormLabel>Catégorie</FormLabel>
+									<Select
+										onValueChange={field.onChange}
+										defaultValue={field.value}
+										value={field.value}
+									>
+										<FormControl>
+											<SelectTrigger>
+												<SelectValue placeholder="Sélectionner une catégorie" />
+											</SelectTrigger>
+										</FormControl>
+										<SelectContent>
+											<SelectItem value="none">Sans catégorie</SelectItem>
+											{categories.map((cat) => (
+												<SelectItem key={cat.id} value={cat.id}>
+													{cat.name}
+												</SelectItem>
+											))}
+										</SelectContent>
+									</Select>
+									<FormMessage />
+								</FormItem>
+							)}
+						/>
+						<DialogFooter>
+							<Button
+								type="button"
+								variant="outline"
+								onClick={() => onOpenChange(false)}
+							>
+								Annuler
+							</Button>
+							<Button type="submit" disabled={loading}>
+								{loading ? "Enregistrement..." : "Enregistrer"}
+							</Button>
+						</DialogFooter>
+					</form>
+				</Form>
+			</DialogContent>
+		</Dialog>
+	);
+}

frontend/src/app/(dashboard)/admin/contents/page.tsx

@@ -2,8 +2,15 @@
 
 import { format } from "date-fns";
 import { fr } from "date-fns/locale";
-import { Download, Eye, Image as ImageIcon, Trash2, Video } from "lucide-react";
-import { useEffect, useState } from "react";
+import {
+	Download,
+	Edit,
+	Eye,
+	Image as ImageIcon,
+	Trash2,
+	Video,
+} from "lucide-react";
+import { useCallback, useEffect, useState } from "react";
 import { Badge } from "@/components/ui/badge";
 import { Button } from "@/components/ui/button";
 import { Skeleton } from "@/components/ui/skeleton";
@@ -17,13 +24,17 @@ import {
 } from "@/components/ui/table";
 import { ContentService } from "@/services/content.service";
 import type { Content } from "@/types/content";
+import { ContentEditDialog } from "./content-edit-dialog";
 
 export default function AdminContentsPage() {
 	const [contents, setContents] = useState<Content[]>([]);
 	const [loading, setLoading] = useState(true);
 	const [totalCount, setTotalCount] = useState(0);
+	const [selectedContent, setSelectedContent] = useState<Content | null>(null);
+	const [dialogOpen, setDialogOpen] = useState(false);
 
-	useEffect(() => {
+	const fetchContents = useCallback(() => {
+		setLoading(true);
 		ContentService.getExplore({ limit: 20 })
 			.then((res) => {
 				setContents(res.data);
@@ -33,6 +44,10 @@ export default function AdminContentsPage() {
 			.finally(() => setLoading(false));
 	}, []);
 
+	useEffect(() => {
+		fetchContents();
+	}, [fetchContents]);
+
 	const handleDelete = async (id: string) => {
 		if (!confirm("Êtes-vous sûr de vouloir supprimer ce contenu ?")) return;
 
@@ -45,6 +60,11 @@ export default function AdminContentsPage() {
 		}
 	};
 
+	const handleEdit = (content: Content) => {
+		setSelectedContent(content);
+		setDialogOpen(true);
+	};
+
 	return (
 		<div className="flex-1 space-y-4 p-4 pt-6 md:p-8">
 			<div className="flex items-center justify-between">
@@ -61,7 +81,7 @@ export default function AdminContentsPage() {
 							<TableHead>Auteur</TableHead>
 							<TableHead>Stats</TableHead>
 							<TableHead>Date</TableHead>
-							<TableHead className="w-[50px]"></TableHead>
+							<TableHead className="w-[100px]"></TableHead>
 						</TableRow>
 					</TableHeader>
 					<TableBody>
@@ -84,11 +104,14 @@ export default function AdminContentsPage() {
 									<TableCell>
 										<Skeleton className="h-4 w-[100px]" />
 									</TableCell>
+									<TableCell>
+										<Skeleton className="h-8 w-8 rounded-full" />
+									</TableCell>
 								</TableRow>
 							))
 						) : contents.length === 0 ? (
 							<TableRow>
-								<TableCell colSpan={5} className="text-center h-24">
+								<TableCell colSpan={6} className="text-center h-24">
 									Aucun contenu trouvé.
 								</TableCell>
 							</TableRow>
@@ -98,7 +121,7 @@ export default function AdminContentsPage() {
 									<TableCell className="font-medium">
 										<div className="flex items-center gap-3">
 											<div className="flex h-10 w-10 items-center justify-center rounded bg-muted">
-												{content.type === "image" ? (
+												{content.mimeType.startsWith("image/") ? (
 													<ImageIcon className="h-5 w-5 text-muted-foreground" />
 												) : (
 													<Video className="h-5 w-5 text-muted-foreground" />
@@ -132,14 +155,23 @@ export default function AdminContentsPage() {
 										{format(new Date(content.createdAt), "dd/MM/yyyy", { locale: fr })}
 									</TableCell>
 									<TableCell>
-										<Button
-											variant="ghost"
-											size="icon"
-											onClick={() => handleDelete(content.id)}
-											className="text-destructive hover:text-destructive hover:bg-destructive/10"
-										>
-											<Trash2 className="h-4 w-4" />
-										</Button>
+										<div className="flex items-center gap-2">
+											<Button
+												variant="ghost"
+												size="icon"
+												onClick={() => handleEdit(content)}
+											>
+												<Edit className="h-4 w-4" />
+											</Button>
+											<Button
+												variant="ghost"
+												size="icon"
+												onClick={() => handleDelete(content.id)}
+												className="text-destructive hover:text-destructive hover:bg-destructive/10"
+											>
+												<Trash2 className="h-4 w-4" />
+											</Button>
+										</div>
 									</TableCell>
 								</TableRow>
 							))
@@ -147,6 +179,12 @@ export default function AdminContentsPage() {
 					</TableBody>
 				</Table>
 			</div>
+			<ContentEditDialog
+				content={selectedContent}
+				open={dialogOpen}
+				onOpenChange={setDialogOpen}
+				onSuccess={fetchContents}
+			/>
 		</div>
 	);
 }

frontend/src/app/(dashboard)/admin/users/page.tsx

@@ -2,8 +2,8 @@
 
 import { format } from "date-fns";
 import { fr } from "date-fns/locale";
-import { Trash2 } from "lucide-react";
-import { useEffect, useState } from "react";
+import { Edit, Trash2 } from "lucide-react";
+import { useCallback, useEffect, useState } from "react";
 import { Badge } from "@/components/ui/badge";
 import { Button } from "@/components/ui/button";
 import { Skeleton } from "@/components/ui/skeleton";
@@ -17,13 +17,17 @@ import {
 } from "@/components/ui/table";
 import { UserService } from "@/services/user.service";
 import type { User } from "@/types/user";
+import { UserEditDialog } from "./user-edit-dialog";
 
 export default function AdminUsersPage() {
 	const [users, setUsers] = useState<User[]>([]);
 	const [loading, setLoading] = useState(true);
 	const [totalCount, setTotalCount] = useState(0);
+	const [selectedUser, setSelectedUser] = useState<User | null>(null);
+	const [dialogOpen, setDialogOpen] = useState(false);
 
-	useEffect(() => {
+	const fetchUsers = useCallback(() => {
+		setLoading(true);
 		UserService.getUsersAdmin()
 			.then((res) => {
 				setUsers(res.data);
@@ -35,6 +39,10 @@ export default function AdminUsersPage() {
 			.finally(() => setLoading(false));
 	}, []);
 
+	useEffect(() => {
+		fetchUsers();
+	}, [fetchUsers]);
+
 	const handleDelete = async (uuid: string) => {
 		if (
 			!confirm(
@@ -52,6 +60,11 @@ export default function AdminUsersPage() {
 		}
 	};
 
+	const handleEdit = (user: User) => {
+		setSelectedUser(user);
+		setDialogOpen(true);
+	};
+
 	return (
 		<div className="flex-1 space-y-4 p-4 pt-6 md:p-8">
 			<div className="flex items-center justify-between">
@@ -68,7 +81,7 @@ export default function AdminUsersPage() {
 							<TableHead>Rôle</TableHead>
 							<TableHead>Status</TableHead>
 							<TableHead>Date d'inscription</TableHead>
-							<TableHead className="w-[50px]"></TableHead>
+							<TableHead className="w-[100px]"></TableHead>
 						</TableRow>
 					</TableHeader>
 					<TableBody>
@@ -91,11 +104,14 @@ export default function AdminUsersPage() {
 									<TableCell>
 										<Skeleton className="h-4 w-[100px]" />
 									</TableCell>
+									<TableCell>
+										<Skeleton className="h-8 w-8 rounded-full" />
+									</TableCell>
 								</TableRow>
 							))
 						) : users.length === 0 ? (
 							<TableRow>
-								<TableCell colSpan={5} className="text-center h-24">
+								<TableCell colSpan={6} className="text-center h-24">
 									Aucun utilisateur trouvé.
 								</TableCell>
 							</TableRow>
@@ -113,7 +129,15 @@ export default function AdminUsersPage() {
 										</Badge>
 									</TableCell>
 									<TableCell>
-										<Badge variant={user.status === "active" ? "success" : "destructive"}>
+										<Badge
+											variant={
+												user.status === "active"
+													? "success"
+													: user.status === "suspended"
+														? "destructive"
+														: "secondary"
+											}
+										>
 											{user.status}
 										</Badge>
 									</TableCell>
@@ -121,14 +145,19 @@ export default function AdminUsersPage() {
 										{format(new Date(user.createdAt), "PPP", { locale: fr })}
 									</TableCell>
 									<TableCell>
-										<Button
-											variant="ghost"
-											size="icon"
-											onClick={() => handleDelete(user.uuid)}
-											className="text-destructive hover:text-destructive hover:bg-destructive/10"
-										>
-											<Trash2 className="h-4 w-4" />
-										</Button>
+										<div className="flex items-center gap-2">
+											<Button variant="ghost" size="icon" onClick={() => handleEdit(user)}>
+												<Edit className="h-4 w-4" />
+											</Button>
+											<Button
+												variant="ghost"
+												size="icon"
+												onClick={() => handleDelete(user.uuid)}
+												className="text-destructive hover:text-destructive hover:bg-destructive/10"
+											>
+												<Trash2 className="h-4 w-4" />
+											</Button>
+										</div>
 									</TableCell>
 								</TableRow>
 							))
@@ -136,6 +165,12 @@ export default function AdminUsersPage() {
 					</TableBody>
 				</Table>
 			</div>
+			<UserEditDialog
+				user={selectedUser}
+				open={dialogOpen}
+				onOpenChange={setDialogOpen}
+				onSuccess={fetchUsers}
+			/>
 		</div>
 	);
 }

frontend/src/app/(dashboard)/admin/users/user-edit-dialog.tsx

@@ -0,0 +1,153 @@
+"use client";
+
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { Button } from "@/components/ui/button";
+import {
+	Dialog,
+	DialogContent,
+	DialogFooter,
+	DialogHeader,
+	DialogTitle,
+} from "@/components/ui/dialog";
+import {
+	Form,
+	FormControl,
+	FormField,
+	FormItem,
+	FormLabel,
+	FormMessage,
+} from "@/components/ui/form";
+import {
+	Select,
+	SelectContent,
+	SelectItem,
+	SelectTrigger,
+	SelectValue,
+} from "@/components/ui/select";
+import { UserService } from "@/services/user.service";
+import type { User } from "@/types/user";
+
+interface UserEditDialogProps {
+	user: User | null;
+	open: boolean;
+	onOpenChange: (open: boolean) => void;
+	onSuccess: () => void;
+}
+
+export function UserEditDialog({
+	user,
+	open,
+	onOpenChange,
+	onSuccess,
+}: UserEditDialogProps) {
+	const [loading, setLoading] = useState(false);
+
+	const form = useForm<Partial<User>>({
+		defaultValues: {
+			role: "user",
+			status: "active",
+		},
+	});
+
+	useEffect(() => {
+		if (user) {
+			form.reset({
+				role: user.role || "user",
+				status: user.status || "active",
+			});
+		}
+	}, [user, form]);
+
+	const onSubmit = async (values: Partial<User>) => {
+		if (!user) return;
+		setLoading(true);
+		try {
+			await UserService.updateAdmin(user.uuid, values);
+			onSuccess();
+			onOpenChange(false);
+		} catch (error) {
+			console.error(error);
+		} finally {
+			setLoading(false);
+		}
+	};
+
+	return (
+		<Dialog open={open} onOpenChange={onOpenChange}>
+			<DialogContent>
+				<DialogHeader>
+					<DialogTitle>Modifier l'utilisateur @{user?.username}</DialogTitle>
+				</DialogHeader>
+				<Form {...form}>
+					<form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
+						<FormField
+							control={form.control}
+							name="role"
+							render={({ field }) => (
+								<FormItem>
+									<FormLabel>Rôle</FormLabel>
+									<Select
+										onValueChange={field.onChange}
+										defaultValue={field.value}
+										value={field.value}
+									>
+										<FormControl>
+											<SelectTrigger>
+												<SelectValue placeholder="Sélectionner un rôle" />
+											</SelectTrigger>
+										</FormControl>
+										<SelectContent>
+											<SelectItem value="user">Utilisateur</SelectItem>
+											<SelectItem value="moderator">Modérateur</SelectItem>
+											<SelectItem value="admin">Administrateur</SelectItem>
+										</SelectContent>
+									</Select>
+									<FormMessage />
+								</FormItem>
+							)}
+						/>
+						<FormField
+							control={form.control}
+							name="status"
+							render={({ field }) => (
+								<FormItem>
+									<FormLabel>Statut</FormLabel>
+									<Select
+										onValueChange={field.onChange}
+										defaultValue={field.value}
+										value={field.value}
+									>
+										<FormControl>
+											<SelectTrigger>
+												<SelectValue placeholder="Sélectionner un statut" />
+											</SelectTrigger>
+										</FormControl>
+										<SelectContent>
+											<SelectItem value="active">Actif</SelectItem>
+											<SelectItem value="suspended">Suspendu</SelectItem>
+											<SelectItem value="pending">En attente</SelectItem>
+										</SelectContent>
+									</Select>
+									<FormMessage />
+								</FormItem>
+							)}
+						/>
+						<DialogFooter>
+							<Button
+								type="button"
+								variant="outline"
+								onClick={() => onOpenChange(false)}
+							>
+								Annuler
+							</Button>
+							<Button type="submit" disabled={loading}>
+								{loading ? "Enregistrement..." : "Enregistrer"}
+							</Button>
+						</DialogFooter>
+					</form>
+				</Form>
+			</DialogContent>
+		</Dialog>
+	);
+}

frontend/src/app/(dashboard)/layout.tsx

@@ -1,6 +1,7 @@
 import * as React from "react";
 import { AppSidebar } from "@/components/app-sidebar";
 import { MobileFilters } from "@/components/mobile-filters";
+import { ModeToggle } from "@/components/mode-toggle";
 import { SearchSidebar } from "@/components/search-sidebar";
 import {
 	SidebarInset,
@@ -27,7 +28,10 @@ export default function DashboardLayout({
 							<div className="flex-1 flex justify-center">
 								<span className="font-bold text-primary text-lg">MemeGoat</span>
 							</div>
-							<UserNavMobile />
+							<div className="flex items-center gap-2">
+								<ModeToggle />
+								<UserNavMobile />
+							</div>
 						</header>
 						<main className="flex-1 overflow-y-auto bg-zinc-50 dark:bg-zinc-950">
 							{children}

frontend/src/app/(dashboard)/settings/page.tsx

@@ -1,7 +1,16 @@
 "use client";
 
 import { zodResolver } from "@hookform/resolvers/zod";
-import { Loader2, Save, User as UserIcon } from "lucide-react";
+import {
+	Laptop,
+	Loader2,
+	Moon,
+	Palette,
+	Save,
+	Sun,
+	User as UserIcon,
+} from "lucide-react";
+import { useTheme } from "next-themes";
 import * as React from "react";
 import { useForm } from "react-hook-form";
 import { toast } from "sonner";
@@ -24,6 +33,8 @@ import {
 	FormMessage,
 } from "@/components/ui/form";
 import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+import { RadioGroup, RadioGroupItem } from "@/components/ui/radio-group";
 import { Spinner } from "@/components/ui/spinner";
 import { Textarea } from "@/components/ui/textarea";
 import { useAuth } from "@/providers/auth-provider";
@@ -37,8 +48,14 @@ const settingsSchema = z.object({
 type SettingsFormValues = z.infer<typeof settingsSchema>;
 
 export default function SettingsPage() {
+	const { theme, setTheme } = useTheme();
 	const { user, isLoading, refreshUser } = useAuth();
 	const [isSaving, setIsSaving] = React.useState(false);
+	const [mounted, setMounted] = React.useState(false);
+
+	React.useEffect(() => {
+		setMounted(true);
+	}, []);
 
 	const form = useForm<SettingsFormValues>({
 		resolver: zodResolver(settingsSchema),
@@ -185,6 +202,55 @@ export default function SettingsPage() {
 					</Form>
 				</CardContent>
 			</Card>
+			<Card className="mt-8">
+				<CardHeader>
+					<div className="flex items-center gap-2">
+						<Palette className="h-5 w-5 text-primary" />
+						<CardTitle>Apparence</CardTitle>
+					</div>
+					<CardDescription>
+						Personnalisez l'apparence de l'application selon vos préférences.
+					</CardDescription>
+				</CardHeader>
+				<CardContent>
+					<RadioGroup
+						value={mounted ? theme : "system"}
+						onValueChange={(value) => setTheme(value)}
+						className="grid grid-cols-1 sm:grid-cols-3 gap-4"
+					>
+						<div>
+							<RadioGroupItem value="light" id="light" className="peer sr-only" />
+							<Label
+								htmlFor="light"
+								className="flex flex-col items-center justify-between rounded-md border-2 border-muted bg-popover p-4 hover:bg-accent hover:text-accent-foreground peer-data-[state=checked]:border-primary [&:has([data-state=checked])]:border-primary cursor-pointer"
+							>
+								<Sun className="mb-3 h-6 w-6" />
+								<span>Clair</span>
+							</Label>
+						</div>
+						<div>
+							<RadioGroupItem value="dark" id="dark" className="peer sr-only" />
+							<Label
+								htmlFor="dark"
+								className="flex flex-col items-center justify-between rounded-md border-2 border-muted bg-popover p-4 hover:bg-accent hover:text-accent-foreground peer-data-[state=checked]:border-primary [&:has([data-state=checked])]:border-primary cursor-pointer"
+							>
+								<Moon className="mb-3 h-6 w-6" />
+								<span>Sombre</span>
+							</Label>
+						</div>
+						<div>
+							<RadioGroupItem value="system" id="system" className="peer sr-only" />
+							<Label
+								htmlFor="system"
+								className="flex flex-col items-center justify-between rounded-md border-2 border-muted bg-popover p-4 hover:bg-accent hover:text-accent-foreground peer-data-[state=checked]:border-primary [&:has([data-state=checked])]:border-primary cursor-pointer"
+							>
+								<Laptop className="mb-3 h-6 w-6" />
+								<span>Système</span>
+							</Label>
+						</div>
+					</RadioGroup>
+				</CardContent>
+			</Card>
 		</div>
 	);
 }

frontend/src/app/layout.tsx

@@ -2,6 +2,7 @@ import type { Metadata } from "next";
 import { Ubuntu_Mono, Ubuntu_Sans } from "next/font/google";
 import { Toaster } from "@/components/ui/sonner";
 import { AuthProvider } from "@/providers/auth-provider";
+import { ThemeProvider } from "@/providers/theme-provider";
 import "./globals.css";
 
 const ubuntuSans = Ubuntu_Sans({
@@ -48,6 +49,9 @@ export const metadata: Metadata = {
 		images: ["/memegoat-og.png"],
 	},
 	icons: "/memegoat-color.svg",
+	metadataBase: new URL(
+		process.env.NEXT_PUBLIC_APP_URL || "https://memegoat.fr",
+	),
 };
 
 export default function RootLayout({
@@ -60,10 +64,17 @@ export default function RootLayout({
 			<body
 				className={`${ubuntuSans.variable} ${ubuntuMono.variable} antialiased`}
 			>
-				<AuthProvider>
-					{children}
-					<Toaster />
-				</AuthProvider>
+				<ThemeProvider
+					attribute="class"
+					defaultTheme="system"
+					enableSystem
+					disableTransitionOnChange
+				>
+					<AuthProvider>
+						{children}
+						<Toaster />
+					</AuthProvider>
+				</ThemeProvider>
 			</body>
 		</html>
 	);

frontend/src/components/app-sidebar.tsx

@@ -19,6 +19,7 @@ import {
 import Link from "next/link";
 import { usePathname, useSearchParams } from "next/navigation";
 import * as React from "react";
+import { ModeToggle } from "@/components/mode-toggle";
 import { Avatar, AvatarFallback, AvatarImage } from "@/components/ui/avatar";
 import {
 	Collapsible,
@@ -286,6 +287,14 @@ export function AppSidebar() {
 							</SidebarMenuButton>
 						</SidebarMenuItem>
 					)}
+					<SidebarMenuItem>
+						<div className="flex items-center justify-between px-2 py-2">
+							<span className="text-xs font-medium text-muted-foreground group-data-[collapsible=icon]:hidden">
+								Thème
+							</span>
+							<ModeToggle />
+						</div>
+					</SidebarMenuItem>
 					<SidebarMenuItem>
 						<SidebarMenuButton asChild tooltip="Aide">
 							<Link href="/help">

frontend/src/components/content-card.tsx

@@ -93,9 +93,9 @@ export function ContentCard({ content }: ContentCardProps) {
 					<MoreHorizontal className="h-4 w-4" />
 				</Button>
 			</CardHeader>
-			<CardContent className="p-0 relative bg-zinc-100 dark:bg-zinc-900 aspect-square flex items-center justify-center">
+			<CardContent className="p-0 relative bg-zinc-200 dark:bg-zinc-900 aspect-square flex items-center justify-center">
 				<Link href={`/meme/${content.slug}`} className="w-full h-full relative">
-					{content.type === "image" ? (
+					{content.mimeType.startsWith("image/") ? (
 						<Image
 							src={content.url}
 							alt={content.title}

frontend/src/components/mode-toggle.tsx

@@ -0,0 +1,34 @@
+"use client";
+
+import { Moon, Sun } from "lucide-react";
+import { useTheme } from "next-themes";
+import { Button } from "@/components/ui/button";
+import {
+	DropdownMenu,
+	DropdownMenuContent,
+	DropdownMenuItem,
+	DropdownMenuTrigger,
+} from "@/components/ui/dropdown-menu";
+
+export function ModeToggle() {
+	const { setTheme } = useTheme();
+
+	return (
+		<DropdownMenu>
+			<DropdownMenuTrigger asChild>
+				<Button variant="ghost" size="icon" className="h-9 w-9">
+					<Sun className="h-[1.2rem] w-[1.2rem] rotate-0 scale-100 transition-all dark:-rotate-90 dark:scale-0" />
+					<Moon className="absolute h-[1.2rem] w-[1.2rem] rotate-90 scale-0 transition-all dark:rotate-0 dark:scale-100" />
+					<span className="sr-only">Changer le thème</span>
+				</Button>
+			</DropdownMenuTrigger>
+			<DropdownMenuContent align="end">
+				<DropdownMenuItem onClick={() => setTheme("light")}>Clair</DropdownMenuItem>
+				<DropdownMenuItem onClick={() => setTheme("dark")}>Sombre</DropdownMenuItem>
+				<DropdownMenuItem onClick={() => setTheme("system")}>
+					Système
+				</DropdownMenuItem>
+			</DropdownMenuContent>
+		</DropdownMenu>
+	);
+}

frontend/src/lib/api.ts

@@ -53,7 +53,10 @@ api.interceptors.response.use(
 			} catch (refreshError) {
 				// If refresh fails, we might want to redirect to login on the client
 				if (typeof window !== "undefined") {
-					window.location.href = "/login";
+					// On évite de rediriger vers login si on y est déjà pour éviter les boucles
+					if (!window.location.pathname.includes("/login")) {
+						window.location.href = "/login";
+					}
 				}
 				return Promise.reject(refreshError);
 			}

frontend/src/providers/auth-provider.tsx

@@ -26,6 +26,8 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
 	const router = useRouter();
 
 	const refreshUser = React.useCallback(async () => {
+		// Éviter de lancer plusieurs refresh en même temps
+		if (!isLoading) setIsLoading(true);
 		try {
 			const userData = await UserService.getMe();
 			setUser(userData);
@@ -34,11 +36,26 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
 		} finally {
 			setIsLoading(false);
 		}
-	}, []);
+	}, [isLoading]);
 
 	React.useEffect(() => {
-		refreshUser();
-	}, [refreshUser]);
+		let isMounted = true;
+		const initAuth = async () => {
+			try {
+				const userData = await UserService.getMe();
+				if (isMounted) setUser(userData);
+			} catch (_error) {
+				if (isMounted) setUser(null);
+			} finally {
+				if (isMounted) setIsLoading(false);
+			}
+		};
+
+		initAuth();
+		return () => {
+			isMounted = false;
+		};
+	}, []);
 
 	const login = async (email: string, password: string) => {
 		try {

frontend/src/providers/theme-provider.tsx

@@ -0,0 +1,11 @@
+"use client";
+
+import { ThemeProvider as NextThemesProvider } from "next-themes";
+import type * as React from "react";
+
+export function ThemeProvider({
+	children,
+	...props
+}: React.ComponentProps<typeof NextThemesProvider>) {
+	return <NextThemesProvider {...props}>{children}</NextThemesProvider>;
+}

frontend/src/services/category.service.ts

@@ -11,4 +11,18 @@ export const CategoryService = {
 		const { data } = await api.get<Category>(`/categories/${id}`);
 		return data;
 	},
+
+	async create(category: Partial<Category>): Promise<Category> {
+		const { data } = await api.post<Category>("/categories", category);
+		return data;
+	},
+
+	async update(id: string, category: Partial<Category>): Promise<Category> {
+		const { data } = await api.patch<Category>(`/categories/${id}`, category);
+		return data;
+	},
+
+	async remove(id: string): Promise<void> {
+		await api.delete(`/categories/${id}`);
+	},
 };

frontend/src/services/content.service.ts

@@ -65,4 +65,9 @@ export const ContentService = {
 	async removeAdmin(id: string): Promise<void> {
 		await api.delete(`/contents/${id}/admin`);
 	},
+
+	async updateAdmin(id: string, update: Partial<Content>): Promise<Content> {
+		const { data } = await api.patch<Content>(`/contents/${id}/admin`, update);
+		return data;
+	},
 };

frontend/src/services/user.service.ts

@@ -34,6 +34,11 @@ export const UserService = {
 		await api.delete(`/users/${uuid}`);
 	},
 
+	async updateAdmin(uuid: string, update: Partial<User>): Promise<User> {
+		const { data } = await api.patch<User>(`/users/admin/${uuid}`, update);
+		return data;
+	},
+
 	async updateAvatar(file: File): Promise<User> {
 		const formData = new FormData();
 		formData.append("file", file);

frontend/src/types/content.ts

@@ -7,7 +7,7 @@ export interface Content {
 	description?: string;
 	url: string;
 	thumbnailUrl?: string;
-	type: "image" | "video";
+	type: "meme" | "gif";
 	mimeType: string;
 	size: number;
 	width?: number;
@@ -18,6 +18,7 @@ export interface Content {
 	favoritesCount: number;
 	isLiked?: boolean;
 	tags: (string | Tag)[];
+	categoryId?: string | null;
 	category?: Category;
 	authorId: string;
 	author: User;
@@ -36,6 +37,7 @@ export interface Category {
 	name: string;
 	slug: string;
 	description?: string;
+	iconUrl?: string;
 }
 
 export interface PaginatedResponse<T> {

frontend/src/types/user.ts

@@ -6,7 +6,7 @@ export interface User {
 	displayName?: string;
 	avatarUrl?: string;
 	bio?: string;
-	role?: "user" | "admin";
+	role?: "user" | "admin" | "moderator";
 	status?: "active" | "verification" | "suspended" | "pending" | "deleted";
 	createdAt: string;
 }

package.json

@@ -1,18 +1,25 @@
 {
   "name": "@memegoat/source",
-  "version": "0.0.0",
+  "version": "1.3.0",
   "description": "",
   "scripts": {
     "version:get": "cmake -P version.cmake GET",
     "version:set": "cmake -P version.cmake SET",
+    "v:patch": "cmake -P version.cmake PATCH",
+    "v:minor": "cmake -P version.cmake MINOR",
+    "v:major": "cmake -P version.cmake MAJOR",
     "build": "pnpm run build:back && pnpm run build:front && pnpm run build:docs",
     "build:front": "pnpm run -F @memegoat/frontend build",
     "build:back": "pnpm run -F @memegoat/backend build",
     "build:docs": "pnpm run -F @memegoat/documentation build",
     "lint": "pnpm run lint:back && pnpm run lint:front && pnpm run lint:docs",
+    "lint:fix": "pnpm run lint:back:fix && pnpm run lint:front:fix && pnpm run lint:docs:fix",
     "lint:back": "pnpm run -F @memegoat/backend lint",
+    "lint:back:fix": "pnpm run -F @memegoat/backend lint:write",
     "lint:front": "pnpm run -F @memegoat/frontend lint",
+    "lint:front:fix": "pnpm run -F @memegoat/frontend lint:write",
     "lint:docs": "pnpm run -F @memegoat/documentation lint",
+    "lint:docs:fix": "pnpm run -F @memegoat/documentation lint:write",
     "test": "pnpm run test:back && pnpm run test:front",
     "test:back": "pnpm run -F @memegoat/backend test",
     "test:front": "pnpm run -F @memegoat/frontend test",

version.cmake

@@ -1,6 +1,6 @@
 # version.cmake - Script pour gérer la version SemVer de manière centralisée
 
-# Usage: cmake -P version.cmake [GET|SET] [new_version]
+# Usage: cmake -P version.cmake [GET|SET|PATCH|MINOR|MAJOR] [new_version]
 
 set(PACKAGE_JSON_FILES 
     "${CMAKE_CURRENT_LIST_DIR}/package.json"
@@ -15,6 +15,66 @@ function(get_current_version OUT_VAR)
     set(${OUT_VAR} ${CURRENT_VERSION} PARENT_SCOPE)
 endfunction()
 
+# Fonction pour incrémenter la version SemVer
+function(increment_version CURRENT_VERSION TYPE OUT_VAR)
+    if(CURRENT_VERSION MATCHES "^([0-9]+)\\.([0-9]+)\\.([0-9]+)")
+        set(MAJOR ${CMAKE_MATCH_1})
+        set(MINOR ${CMAKE_MATCH_2})
+        set(PATCH ${CMAKE_MATCH_3})
+    else()
+        message(FATAL_ERROR "Format de version invalide: ${CURRENT_VERSION}. Attendu: X.Y.Z")
+    endif()
+
+    if("${TYPE}" STREQUAL "MAJOR")
+        math(EXPR MAJOR "${MAJOR} + 1")
+        set(MINOR 0)
+        set(PATCH 0)
+    elseif("${TYPE}" STREQUAL "MINOR")
+        math(EXPR MINOR "${MINOR} + 1")
+        set(PATCH 0)
+    elseif("${TYPE}" STREQUAL "PATCH")
+        math(EXPR PATCH "${PATCH} + 1")
+    endif()
+
+    set(${OUT_VAR} "${MAJOR}.${MINOR}.${PATCH}" PARENT_SCOPE)
+endfunction()
+
+# Fonction pour créer un commit git pour les changements de version
+function(commit_version_changes VERSION)
+    find_package(Git QUIET)
+    if(GIT_FOUND)
+        # On n'ajoute que les fichiers package.json modifiés
+        set(ADDED_ANY FALSE)
+        foreach(JSON_FILE ${PACKAGE_JSON_FILES})
+            if(EXISTS "${JSON_FILE}")
+                execute_process(
+                    COMMAND ${GIT_EXECUTABLE} add "${JSON_FILE}"
+                    WORKING_DIRECTORY "${CMAKE_CURRENT_LIST_DIR}"
+                )
+                set(ADDED_ANY TRUE)
+            endif()
+        endforeach()
+        
+        if(ADDED_ANY)
+            # On commit uniquement les fichiers qui ont été ajoutés (staged)
+            # L'utilisation de --only ou spécifier les fichiers à nouveau assure qu'on ne prend pas d'autres changements
+            execute_process(
+                COMMAND ${GIT_EXECUTABLE} commit -m "chore: bump version to ${VERSION}" -- ${PACKAGE_JSON_FILES}
+                WORKING_DIRECTORY "${CMAKE_CURRENT_LIST_DIR}"
+                RESULT_VARIABLE COMMIT_RESULT
+            )
+            
+            if(COMMIT_RESULT EQUAL 0)
+                message(STATUS "Changements commités avec succès pour la version ${VERSION}")
+            else()
+                message(WARNING "Échec du commit des changements. Il n'y a peut-être rien à commiter ou aucun changement sur les fichiers JSON.")
+            endif()
+        endif()
+    else()
+        message(WARNING "Git non trouvé, impossible de commiter les changements.")
+    endif()
+endfunction()
+
 # Fonction pour créer un tag git
 function(create_git_tag VERSION)
     find_package(Git QUIET)
@@ -49,36 +109,45 @@ function(set_new_version NEW_VERSION)
         endif()
     endforeach()
     
-    # Demander à l'utilisateur s'il veut tagger (ou le faire par défaut si spécifié)
+    # Commiter les changements
+    commit_version_changes(${NEW_VERSION})
+    
+    # Créer le tag git
     create_git_tag(${NEW_VERSION})
 endfunction()
 
 # Logique principale
-set(ARG_OFFSET 0)
-while(ARG_OFFSET LESS CMAKE_ARGC)
-    if("${CMAKE_ARGV${ARG_OFFSET}}" STREQUAL "-P")
-        math(EXPR COMMAND_INDEX "${ARG_OFFSET} + 2")
-        math(EXPR VERSION_INDEX "${ARG_OFFSET} + 3")
-        break()
+if(CMAKE_SCRIPT_MODE_FILE STREQUAL CMAKE_CURRENT_LIST_FILE)
+    set(ARG_OFFSET 0)
+    while(ARG_OFFSET LESS CMAKE_ARGC)
+        if("${CMAKE_ARGV${ARG_OFFSET}}" STREQUAL "-P")
+            math(EXPR COMMAND_INDEX "${ARG_OFFSET} + 2")
+            math(EXPR VERSION_INDEX "${ARG_OFFSET} + 3")
+            break()
+        endif()
+        math(EXPR ARG_OFFSET "${ARG_OFFSET} + 1")
+    endwhile()
+    
+    if(NOT DEFINED COMMAND_INDEX OR COMMAND_INDEX GREATER_EQUAL CMAKE_ARGC)
+        message(FATAL_ERROR "Usage: cmake -P version.cmake [GET|SET|PATCH|MINOR|MAJOR] [new_version]")
     endif()
-    math(EXPR ARG_OFFSET "${ARG_OFFSET} + 1")
-endwhile()
-
-if(NOT DEFINED COMMAND_INDEX OR COMMAND_INDEX GREATER_EQUAL CMAKE_ARGC)
-    message(FATAL_ERROR "Usage: cmake -P version.cmake [GET|SET] [new_version]")
-endif()
-
-set(COMMAND "${CMAKE_ARGV${COMMAND_INDEX}}")
-
-if("${COMMAND}" STREQUAL "GET")
-    get_current_version(VERSION)
-    message("${VERSION}")
-elseif("${COMMAND}" STREQUAL "SET")
-    if(VERSION_INDEX GREATER_EQUAL CMAKE_ARGC)
-        message(FATAL_ERROR "Veuillez spécifier la nouvelle version: cmake -P version.cmake SET 0.0.0")
+    
+    set(COMMAND "${CMAKE_ARGV${COMMAND_INDEX}}")
+    
+    if("${COMMAND}" STREQUAL "GET")
+        get_current_version(VERSION)
+        message("${VERSION}")
+    elseif("${COMMAND}" STREQUAL "SET")
+        if(VERSION_INDEX GREATER_EQUAL CMAKE_ARGC)
+            message(FATAL_ERROR "Veuillez spécifier la nouvelle version: cmake -P version.cmake SET 0.0.0")
+        endif()
+        set(NEW_VERSION "${CMAKE_ARGV${VERSION_INDEX}}")
+        set_new_version("${NEW_VERSION}")
+    elseif("${COMMAND}" MATCHES "^(PATCH|MINOR|MAJOR)$")
+        get_current_version(CURRENT_VERSION)
+        increment_version("${CURRENT_VERSION}" "${COMMAND}" NEW_VERSION)
+        set_new_version("${NEW_VERSION}")
+    else()
+        message(FATAL_ERROR "Commande inconnue: ${COMMAND}. Utilisez GET, SET, PATCH, MINOR ou MAJOR.")
     endif()
-    set(NEW_VERSION "${CMAKE_ARGV${VERSION_INDEX}}")
-    set_new_version("${NEW_VERSION}")
-else()
-    message(FATAL_ERROR "Commande inconnue: ${COMMAND}. Utilisez GET ou SET.")
 endif()