[CLAUDE] Phase5.1: Security headers + account lockout + Users management

Security hardening: - Api/Middleware/SecurityHeadersMiddleware MOI: remove server fingerprint (Server, X-Powered-By, ...), add X-Content-Type-Options:nosniff, X-Frame-Options:DENY, Referrer-Policy:strict-origin-when-cross-origin, Permissions-Policy (disable geolocation/mic/cam/payment), X-Permitted-Cross-Domain-Policies:none, CSP (default-src 'self' + img data: + style inline for Tailwind + frame-ancestors 'none'). Skip CSP tren /swagger (dung inline script). - Program.cs wire UseMiddleware SecurityHeadersMiddleware first in pipeline - Infrastructure/DependencyInjection Identity options: - Password.RequiredLength config-driven (Identity:Password:RequiredLength, default 8 dev, override 12+ prod) - Lockout: DefaultLockoutTimeSpan (15min), MaxFailedAccessAttempts (5), AllowedForNewUsers=true — all config-driven - LoginCommandHandler: IsLockedOutAsync check truoc → throw voi deadline message, AccessFailedAsync khi sai password, ResetAccessFailedCountAsync khi login thanh cong Users management: - Application/Users/UserFeatures.cs: 8 CQRS (ListUsersQuery paging+search, GetUserQuery, CreateUserCommand + Validator, UpdateUserCommand voi self-disable protection, AssignRolesCommand voi self-demote protection (khong tu go Admin), ResetPasswordCommand (invalidate refresh token + unlock), UnlockUserCommand) - UserDto: Id, Email, FullName, IsActive, IsLocked (computed tu LockoutEnd), CreatedAt, Roles - Api/Controllers/UsersController: 7 endpoint (Users.Read/Create/Update policies): - GET / (list paged), GET /{id}, POST /, PUT /{id}, PUT /{id}/roles, POST /{id}/reset-password, POST /{id}/unlock - using alias ValidationException = Application.Common.Exceptions.ValidationException (fix ambiguity voi FluentValidation) Frontend fe-admin: - types/users.ts MOI: User type + AVAILABLE_ROLES 12 role (match BE AppRoles.cs) + RoleLabel Vietnamese - pages/system/UsersPage.tsx MOI: - DataTable columns: Email (mono), FullName, Roles (badge chips voi Vietnamese label), IsActive (CheckCircle/XCircle), IsLocked (KeyRound red), CreatedAt - Actions per row (PermissionGuard Users.Update wrap): Gan role (Shield icon → Dialog grid 12 checkbox), Reset password (KeyRound → Dialog voi warning user se bi logout), Unlock (Unlock icon, chi hien khi isLocked), Toggle active (XCircle/CheckCircle) - Create user dialog: email + fullName + password (min 8) + grid 12 role checkbox - Route /system/users vao App.tsx E2E verified: - Security headers present tren moi response (check qua curl -I) - POST /api/users voi roles: [Drafter] → 201 + id - GET /api/users → paged voi 2 user (admin + new test.drafter) - TS check fe-admin → pass - dotnet build → 0 errors Docs: - docs/STATUS.md: Phase 5.1 xong, cumulative BE 3700 LOC, 42 endpoints, 17 FE pages - docs/HANDOFF.md: phase table update row Phase 5.1, last updated timestamp - docs/changelog/migration-todos.md: tick 6 items Phase 5.1 + 4 items remaining (IDOR, deps scan, admin warning, Roles CRUD) - docs/changelog/sessions/2026-04-21-1630-phase5-1-security-users.md: session log Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> EOF
2026-04-21 13:06:46 +07:00
parent 46a2cab788
commit 11e61c9c39
13 changed files with 909 additions and 33 deletions
--- a/src/Backend/SolutionErp.Application/Auth/Commands/Login/LoginCommand.cs
+++ b/src/Backend/SolutionErp.Application/Auth/Commands/Login/LoginCommand.cs
@ -19,32 +19,39 @@ public class LoginCommandValidator : AbstractValidator<LoginCommand>
    }
 }

-public class LoginCommandHandler : IRequestHandler<LoginCommand, AuthResponseDto>
+public class LoginCommandHandler(
+    UserManager<User> userManager,
+    IJwtTokenService jwtTokenService) : IRequestHandler<LoginCommand, AuthResponseDto>
 {
-    private readonly UserManager<User> _userManager;
-    private readonly IJwtTokenService _jwtTokenService;
-
-    public LoginCommandHandler(UserManager<User> userManager, IJwtTokenService jwtTokenService)
-    {
-        _userManager = userManager;
-        _jwtTokenService = jwtTokenService;
-    }
-
    public async Task<AuthResponseDto> Handle(LoginCommand request, CancellationToken cancellationToken)
    {
-        var user = await _userManager.FindByEmailAsync(request.Email);
+        var user = await userManager.FindByEmailAsync(request.Email);
        if (user is null || !user.IsActive)
            throw new UnauthorizedException("Email hoặc mật khẩu không đúng.");

-        if (!await _userManager.CheckPasswordAsync(user, request.Password))
-            throw new UnauthorizedException("Email hoặc mật khẩu không đúng.");
+        // Check lockout trước
+        if (await userManager.IsLockedOutAsync(user))
+        {
+            var until = user.LockoutEnd;
+            throw new UnauthorizedException($"Tài khoản bị khóa do nhập sai nhiều lần. Thử lại sau {until:HH:mm}.");
+        }

-        var roles = await _userManager.GetRolesAsync(user);
-        var tokens = await _jwtTokenService.GenerateTokensAsync(user, roles);
+        if (!await userManager.CheckPasswordAsync(user, request.Password))
+        {
+            // Tăng AccessFailedCount + auto lock khi đủ ngưỡng
+            await userManager.AccessFailedAsync(user);
+            throw new UnauthorizedException("Email hoặc mật khẩu không đúng.");
+        }
+
+        // Success → reset failed count
+        await userManager.ResetAccessFailedCountAsync(user);
+
+        var roles = await userManager.GetRolesAsync(user);
+        var tokens = await jwtTokenService.GenerateTokensAsync(user, roles);

        user.RefreshToken = tokens.RefreshToken;
        user.RefreshTokenExpiresAt = tokens.RefreshTokenExpiresAt;
-        await _userManager.UpdateAsync(user);
+        await userManager.UpdateAsync(user);

        return new AuthResponseDto(
            tokens.AccessToken,