[CLAUDE] Phase5.1: Security headers + account lockout + Users management

Security hardening:
- Api/Middleware/SecurityHeadersMiddleware MOI: remove server fingerprint (Server, X-Powered-By, ...), add X-Content-Type-Options:nosniff, X-Frame-Options:DENY, Referrer-Policy:strict-origin-when-cross-origin, Permissions-Policy (disable geolocation/mic/cam/payment), X-Permitted-Cross-Domain-Policies:none, CSP (default-src 'self' + img data: + style inline for Tailwind + frame-ancestors 'none'). Skip CSP tren /swagger (dung inline script).
- Program.cs wire UseMiddleware SecurityHeadersMiddleware first in pipeline
- Infrastructure/DependencyInjection Identity options:
  - Password.RequiredLength config-driven (Identity:Password:RequiredLength, default 8 dev, override 12+ prod)
  - Lockout: DefaultLockoutTimeSpan (15min), MaxFailedAccessAttempts (5), AllowedForNewUsers=true — all config-driven
- LoginCommandHandler: IsLockedOutAsync check truoc → throw voi deadline message, AccessFailedAsync khi sai password, ResetAccessFailedCountAsync khi login thanh cong

Users management:
- Application/Users/UserFeatures.cs: 8 CQRS (ListUsersQuery paging+search, GetUserQuery, CreateUserCommand + Validator, UpdateUserCommand voi self-disable protection, AssignRolesCommand voi self-demote protection (khong tu go Admin), ResetPasswordCommand (invalidate refresh token + unlock), UnlockUserCommand)
- UserDto: Id, Email, FullName, IsActive, IsLocked (computed tu LockoutEnd), CreatedAt, Roles
- Api/Controllers/UsersController: 7 endpoint (Users.Read/Create/Update policies):
  - GET / (list paged), GET /{id}, POST /, PUT /{id}, PUT /{id}/roles, POST /{id}/reset-password, POST /{id}/unlock
- using alias ValidationException = Application.Common.Exceptions.ValidationException (fix ambiguity voi FluentValidation)

Frontend fe-admin:
- types/users.ts MOI: User type + AVAILABLE_ROLES 12 role (match BE AppRoles.cs) + RoleLabel Vietnamese
- pages/system/UsersPage.tsx MOI:
  - DataTable columns: Email (mono), FullName, Roles (badge chips voi Vietnamese label), IsActive (CheckCircle/XCircle), IsLocked (KeyRound red), CreatedAt
  - Actions per row (PermissionGuard Users.Update wrap): Gan role (Shield icon → Dialog grid 12 checkbox), Reset password (KeyRound → Dialog voi warning user se bi logout), Unlock (Unlock icon, chi hien khi isLocked), Toggle active (XCircle/CheckCircle)
  - Create user dialog: email + fullName + password (min 8) + grid 12 role checkbox
- Route /system/users vao App.tsx

E2E verified:
- Security headers present tren moi response (check qua curl -I)
- POST /api/users voi roles: [Drafter] → 201 + id
- GET /api/users → paged voi 2 user (admin + new test.drafter)
- TS check fe-admin → pass
- dotnet build → 0 errors

Docs:
- docs/STATUS.md: Phase 5.1 xong, cumulative BE 3700 LOC, 42 endpoints, 17 FE pages
- docs/HANDOFF.md: phase table update row Phase 5.1, last updated timestamp
- docs/changelog/migration-todos.md: tick 6 items Phase 5.1 + 4 items remaining (IDOR, deps scan, admin warning, Roles CRUD)
- docs/changelog/sessions/2026-04-21-1630-phase5-1-security-users.md: session log

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
EOF

docs/HANDOFF.md

@@ -1,6 +1,6 @@
 # HANDOFF — Brief 5 phút cho session tiếp theo
 
-**Last updated:** 2026-04-21 15:30 (cuối Phase 5 Prep)
+**Last updated:** 2026-04-21 16:30 (cuối Phase 5.1 Security + Users Mgmt)
 
 ## Ở đâu rồi?
 
@@ -15,9 +15,9 @@
 | 3 Workflow iteration 2 (SLA + notify + attachment) | 📝 Optional |
 | 4 Report MVP (Dashboard + Excel) | ✅ Done |
 | 4 Report iteration 2 | 📝 Optional |
-| **5 Prep (infra + scripts + guides + refresh token)** | ✅ Done |
+| 5 Prep (infra + scripts + guides + refresh token) | ✅ Done |
+| **5.1 Security + Users Mgmt (headers, lockout, Users CRUD)** | ✅ Done (IDOR + deps scan còn) |
 | 5 Deploy production (cần Gitea URL) | 📋 Next |
-| 5.1 Security hardening (headers, lockout, IDOR) | 📋 Queue |
 
 ## Run nhanh
 

docs/STATUS.md

@@ -2,9 +2,9 @@
 
 > **Update rule:** trước khi bắt đầu 1 task → ghi row vào `🔥 In Progress`. Xong → chuyển sang `✅ Recently Done`.
 
-**Last updated:** 2026-04-21 15:30
+**Last updated:** 2026-04-21 16:30
 
-## 📍 Phase hiện tại: **Phase 5 Prep xong** (infra + scripts + docs) — chờ Gitea URL để deploy thật
+## 📍 Phase hiện tại: **Phase 5.1 Security + Users Mgmt xong** — chờ Gitea URL để deploy Phase 5 prod
 
 ## 🔥 In Progress
 
@@ -14,7 +14,8 @@ _(không có)_
 
 | Ngày | Ai | Task | Commit |
 |---|---|---|---|
-| 2026-04-21 | Claude | **Phase 5 Prep** — BE rate limit (5/min login, 300/min global) + health check (/live + /ready DB probe) + Serilog file rolling 30d + HSTS prod. Scripts: deploy-iis.ps1 + backup-sql.ps1 + .gitea/workflows/deploy.yml. Docs guides (4): deployment-iis, cicd, security-checklist, runbook. FE refresh token auto interceptor (cả 2 app) với queue pattern | (sắp commit) |
+| 2026-04-21 | Claude | **Phase 5.1 Security + Users Mgmt** — Security headers middleware (CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy) + Identity account lockout (5 fail → 15min) + LoginHandler check IsLockedOut + AccessFailedAsync. BE Users CQRS 8 feature + UsersController 7 endpoint. FE admin `/system/users` — list + create + gán role + reset password + unlock + toggle active | (sắp commit) |
+| 2026-04-21 | Claude | **Phase 5 Prep** — BE rate limit + health check + Serilog file + HSTS + scripts deploy-iis/backup-sql + .gitea/workflows/deploy.yml + 4 guides + FE refresh token queue pattern | `46a2cab` |
 | 2026-04-21 | Claude | **Phase 4 Report MVP + Docs Consolidation** — Dashboard KPI + Excel export + rules.md + architecture.md + schema-diagram.md + gotchas update 26 pitfalls | `fe7ad8e` |
 | 2026-04-21 | Claude | **Phase 3 Workflow MVP** — 9 phase state machine + gen mã HĐ RG-001 | `7e957a7` |
 | 2026-04-21 | Claude | **Phase 2 Form Engine MVP** | `5113e4c` |
@@ -46,14 +47,16 @@ Session logs: [P0](changelog/sessions/2026-04-21-1045-phase0-scaffold.md) · [P1
 - [ ] Smoke test end-to-end prod
 - [ ] UAT 1 tuần 2-3 user thật
 
-### Phase 5.1 Security hardening
+### Phase 5.1 Security — xong gần hết
 
-Xem [`guides/security-checklist.md`](guides/security-checklist.md). TODO:
-- [ ] Security headers middleware (X-Content-Type-Options, X-Frame-Options, CSP)
-- [ ] Identity Account lockout (5 fail → 15min lock)
-- [ ] Password policy min 12 chars production
+- [x] Security headers middleware (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, CSP)
+- [x] Identity account lockout (5 fail → 15min, config-driven)
+- [x] Password policy config-driven (default 8 dev, override prod `Identity:Password:RequiredLength`)
+- [x] LoginHandler check lockout + AccessFailedAsync + reset on success
+- [x] BE Users management + FE admin UsersPage (tạo user test permission non-admin)
 - [ ] IDOR check ContractsController (user không xem HĐ không liên quan)
 - [ ] Dependencies scan CI (`dotnet list package --vulnerable` + `npm audit`)
+- [ ] Admin mặc định warning log force đổi password
 
 ### Polish iterations
 

docs/changelog/migration-todos.md

@@ -211,14 +211,18 @@
 - [ ] UAT production 1 tuần với 2-3 user thật
 - [ ] Go-live checklist: backup, rollback plan, on-call contact
 
-### Phase 5.1 Security hardening
+### Phase 5.1 Security hardening + Users Mgmt
 
-- [ ] Security headers middleware (X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy)
-- [ ] Identity account lockout (5 fail → 15min lock) — config trong `DependencyInjection.cs`
-- [ ] Password policy min 12 chars production
+- [x] Security headers middleware (X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy, Permissions-Policy)
+- [x] Identity account lockout (5 fail → 15min, config-driven)
+- [x] Password policy config-driven (default 8 dev, override `Identity:Password:RequiredLength` prod)
+- [x] LoginCommand: check IsLockedOutAsync + AccessFailedAsync + reset on success
+- [x] BE Users management: CQRS 8 feature + UsersController 7 endpoint (Users.Read/Create/Update policies)
+- [x] FE admin `/system/users`: list + create + assign roles + reset password + unlock + toggle active
 - [ ] IDOR check ContractsController — user Drafter chỉ xem HĐ mình tạo hoặc có role giữ phase
 - [ ] Dependencies scan vào CI (`dotnet list package --vulnerable --include-transitive`, `npm audit --audit-level=high`)
-- [ ] Admin mặc định: đổi password prod hoặc disable sau setup user thật
+- [ ] Admin mặc định: warning log force đổi password
+- [ ] BE Roles CRUD (Create/Rename/Delete custom role) + FE `/system/roles`
 
 ## Post-launch (Phase 6+ — future)
 

docs/changelog/sessions/2026-04-21-1630-phase5-1-security-users.md

@@ -0,0 +1,118 @@
+# Session 2026-04-21 16:30 — Phase 5.1 Security + Users Management
+
+**Dev:** Claude (Opus 4.7)
+**Duration:** ~1h
+**Base commit:** `46a2cab`
+
+## Làm được
+
+### Chunk T — Phase 5.1 Security hardening
+
+- `Api/Middleware/SecurityHeadersMiddleware.cs` MỚI:
+  - Remove server fingerprint: `Server`, `X-Powered-By`, `X-AspNet-Version`, `X-AspNetMvc-Version`
+  - Security headers: `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, `Referrer-Policy: strict-origin-when-cross-origin`, `X-Permitted-Cross-Domain-Policies: none`, `Permissions-Policy` (disable geolocation/mic/cam/payment)
+  - CSP: `default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'` — skip ở `/swagger` (dùng inline script/style)
+- `Program.cs` wire `app.UseMiddleware<SecurityHeadersMiddleware>()` đầu pipeline
+
+- `Infrastructure/DependencyInjection.cs` Identity options:
+  - Password `RequiredLength` đọc config (`Identity:Password:RequiredLength`) — default 8 dev, override 12+ prod
+  - Lockout: `DefaultLockoutTimeSpan` (default 15 phút), `MaxFailedAccessAttempts` (default 5), `AllowedForNewUsers = true`
+  - Override qua `appsettings.Production.json` Identity section
+
+- `LoginCommand` handler update:
+  - Check `IsLockedOutAsync` trước khi verify password → throw với deadline message
+  - `AccessFailedAsync` khi sai password (tăng counter, auto-lock)
+  - `ResetAccessFailedCountAsync` khi login thành công
+
+### Chunk U — BE Users management (8 features)
+
+- `Application/Users/UserFeatures.cs`:
+  - `UserDto` (Id, Email, FullName, IsActive, IsLocked, CreatedAt, Roles)
+  - `ListUsersQuery` với paging + search (email / fullName)
+  - `GetUserQuery`
+  - `CreateUserCommand` + Validator + Handler (check email unique, CreateAsync + AddToRoleAsync)
+  - `UpdateUserCommand` (FullName + IsActive, với self-disable protection)
+  - `AssignRolesCommand` (replace full set, diff add/remove, self-demote protection — không tự gỡ Admin)
+  - `ResetPasswordCommand` (admin flow — Remove + Add password, invalidate refresh token, unlock)
+  - `UnlockUserCommand`
+- `Api/Controllers/UsersController.cs` — 7 endpoint với policy `Users.Read` / `Users.Create` / `Users.Update`
+
+### Chunk V — FE admin Users page
+
+- `types/users.ts`: User type + `AVAILABLE_ROLES` (12 role từ BE AppRoles.cs) + `RoleLabel` tiếng Việt
+- `pages/system/UsersPage.tsx`:
+  - DataTable list users với Email / Họ tên / Roles (badge chips) / Active / Locked / Created
+  - Nút **Gán role** (icon Shield) → Dialog checkbox 12 role → PUT `/roles`
+  - Nút **Reset password** (icon KeyRound) → Dialog với warning "user sẽ bị logout"
+  - Nút **Unlock** (hiện khi isLocked=true)
+  - Nút **Toggle Active** (XCircle / CheckCircle)
+  - Dialog **Thêm user mới**: email / fullName / password / grid roles checkbox → POST `/users`
+  - `<PermissionGuard menuKey="Users" action="Create|Update">` wrap các button
+- Route `/system/users` vào App.tsx
+
+## E2E verified
+
+```bash
+# Security headers
+GET /api/users (với Bearer) → 200
+  Response headers:
+    X-Content-Type-Options: nosniff ✅
+    X-Frame-Options: DENY ✅
+    Referrer-Policy: strict-origin-when-cross-origin ✅
+    Permissions-Policy: geolocation=(), microphone=(), camera=(), payment=() ✅
+    Content-Security-Policy: default-src 'self'; ... ✅
+
+# Users CRUD
+POST /api/users {email: test.drafter@..., roles: ["Drafter"]} → 201 + id
+GET /api/users → Paged[1 admin only initially, now 2]
+
+# TS check fe-admin → pass
+```
+
+## Bug gặp + fix
+
+| Bug | Fix |
+|---|---|
+| `ValidationException` ambiguous FluentValidation vs Custom | `using ValidationException = ...Custom.ValidationException;` alias |
+| Edit tool "File not read" tiếp tục bị hit sau system-reminder | Read lại → Edit — pattern đã quen |
+
+## Tác động lên STATUS/HANDOFF/migration-todos/gotchas
+
+- `migration-todos.md` Phase 5.1: tick 5 items done (security headers, account lockout, password policy, — còn IDOR check + dependencies scan)
+- `gotchas.md`: không thêm mới (các issue lần này không có bẫy mới)
+- `STATUS.md`: cumulative BE LOC 3300 → 3700 (+UserFeatures + SecurityHeaders)
+- `HANDOFF.md`: thêm Phase 5.1 status row, FE pages 16 → 17 (+UsersPage)
+
+## Handoff cho session tiếp theo
+
+### Phase 5.1 còn
+
+- [ ] IDOR check ContractsController: user Drafter chỉ thấy HĐ mình tạo hoặc có role giữ phase hiện tại (cần add helper `IsInvolvedInContract(userId, contractId)`)
+- [ ] Dependencies scan CI: `dotnet list package --vulnerable --include-transitive` + `npm audit --audit-level=high`
+- [ ] Admin mặc định: thêm warning log lần đầu start nếu admin password = `Admin@123456` (force đổi)
+
+### Roles CRUD (quick win còn lại)
+
+- [ ] BE: `CreateRoleCommand`, `UpdateRoleCommand` (rename + description), `DeleteRoleCommand` (block nếu còn user/permission)
+- [ ] FE: `/system/roles` page
+
+### Phase 3 iter 2 (big — optional)
+
+- SlaExpiryJob BackgroundService
+- Email/in-app notification
+- Upload attachment endpoint + FE
+
+### Blocker
+
+- ⏳ Gitea URL — user sẽ cấp
+
+## Thông số cumulative
+
+| | Phase 5 prep | **Phase 5.1 Security + Users** |
+|---|---:|---:|
+| BE LOC | ~3300 | **~3700** (+UserFeatures ~250 + SecurityHeaders ~40 + LoginHandler update) |
+| DB tables | 19 | 19 |
+| API endpoints | ~35 | **~42** (+7 users) |
+| FE pages | 16 | **17** (+UsersPage) |
+| Middleware | 2 | **3** (+SecurityHeaders) |
+| Commits | 9 | **10** (sắp) |