vietreport-admin/solution-erp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[CLAUDE] Phase5.1: Security headers + account lockout + Users management

Browse Source 
Security hardening:
- Api/Middleware/SecurityHeadersMiddleware MOI: remove server fingerprint (Server, X-Powered-By, ...), add X-Content-Type-Options:nosniff, X-Frame-Options:DENY, Referrer-Policy:strict-origin-when-cross-origin, Permissions-Policy (disable geolocation/mic/cam/payment), X-Permitted-Cross-Domain-Policies:none, CSP (default-src 'self' + img data: + style inline for Tailwind + frame-ancestors 'none'). Skip CSP tren /swagger (dung inline script).
- Program.cs wire UseMiddleware SecurityHeadersMiddleware first in pipeline
- Infrastructure/DependencyInjection Identity options:
  - Password.RequiredLength config-driven (Identity:Password:RequiredLength, default 8 dev, override 12+ prod)
  - Lockout: DefaultLockoutTimeSpan (15min), MaxFailedAccessAttempts (5), AllowedForNewUsers=true — all config-driven
- LoginCommandHandler: IsLockedOutAsync check truoc → throw voi deadline message, AccessFailedAsync khi sai password, ResetAccessFailedCountAsync khi login thanh cong

Users management:
- Application/Users/UserFeatures.cs: 8 CQRS (ListUsersQuery paging+search, GetUserQuery, CreateUserCommand + Validator, UpdateUserCommand voi self-disable protection, AssignRolesCommand voi self-demote protection (khong tu go Admin), ResetPasswordCommand (invalidate refresh token + unlock), UnlockUserCommand)
- UserDto: Id, Email, FullName, IsActive, IsLocked (computed tu LockoutEnd), CreatedAt, Roles
- Api/Controllers/UsersController: 7 endpoint (Users.Read/Create/Update policies):
  - GET / (list paged), GET /{id}, POST /, PUT /{id}, PUT /{id}/roles, POST /{id}/reset-password, POST /{id}/unlock
- using alias ValidationException = Application.Common.Exceptions.ValidationException (fix ambiguity voi FluentValidation)

Frontend fe-admin:
- types/users.ts MOI: User type + AVAILABLE_ROLES 12 role (match BE AppRoles.cs) + RoleLabel Vietnamese
- pages/system/UsersPage.tsx MOI:
  - DataTable columns: Email (mono), FullName, Roles (badge chips voi Vietnamese label), IsActive (CheckCircle/XCircle), IsLocked (KeyRound red), CreatedAt
  - Actions per row (PermissionGuard Users.Update wrap): Gan role (Shield icon → Dialog grid 12 checkbox), Reset password (KeyRound → Dialog voi warning user se bi logout), Unlock (Unlock icon, chi hien khi isLocked), Toggle active (XCircle/CheckCircle)
  - Create user dialog: email + fullName + password (min 8) + grid 12 role checkbox
- Route /system/users vao App.tsx

E2E verified:
- Security headers present tren moi response (check qua curl -I)
- POST /api/users voi roles: [Drafter] → 201 + id
- GET /api/users → paged voi 2 user (admin + new test.drafter)
- TS check fe-admin → pass
- dotnet build → 0 errors

Docs:
- docs/STATUS.md: Phase 5.1 xong, cumulative BE 3700 LOC, 42 endpoints, 17 FE pages
- docs/HANDOFF.md: phase table update row Phase 5.1, last updated timestamp
- docs/changelog/migration-todos.md: tick 6 items Phase 5.1 + 4 items remaining (IDOR, deps scan, admin warning, Roles CRUD)
- docs/changelog/sessions/2026-04-21-1630-phase5-1-security-users.md: session log

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
EOF
This commit is contained in:
pqhuy1987
2026-04-21 13:06:46 +07:00
parent 46a2cab788
commit 11e61c9c39
13 changed files with 909 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/HANDOFF.md
View File

@ -1,6 +1,6 @@
# HANDOFF — Brief 5 phút cho session tiếp theo # HANDOFF — Brief 5 phút cho session tiếp theo
**Last updated:** 2026-04-21 15:30 (cuối Phase 5 Prep) **Last updated:** 2026-04-21 16:30 (cuối Phase 5.1 Security + Users Mgmt)
## Ở đâu rồi? ## Ở đâu rồi?
@ -15,9 +15,9 @@
| 3 Workflow iteration 2 (SLA + notify + attachment) | 📝 Optional | | 3 Workflow iteration 2 (SLA + notify + attachment) | 📝 Optional |
| 4 Report MVP (Dashboard + Excel) | ✅ Done | | 4 Report MVP (Dashboard + Excel) | ✅ Done |
| 4 Report iteration 2 | 📝 Optional | | 4 Report iteration 2 | 📝 Optional |
| **5 Prep (infra + scripts + guides + refresh token)** | ✅ Done | | 5 Prep (infra + scripts + guides + refresh token) | ✅ Done |
| **5.1 Security + Users Mgmt (headers, lockout, Users CRUD)** | ✅ Done (IDOR + deps scan còn) |
| 5 Deploy production (cần Gitea URL) | 📋 Next | | 5 Deploy production (cần Gitea URL) | 📋 Next |
| 5.1 Security hardening (headers, lockout, IDOR) | 📋 Queue |
## Run nhanh ## Run nhanh

19
docs/STATUS.md
View File

@ -2,9 +2,9 @@
> **Update rule:** trước khi bắt đầu 1 task → ghi row vào `🔥 In Progress`. Xong → chuyển sang `✅ Recently Done`. > **Update rule:** trước khi bắt đầu 1 task → ghi row vào `🔥 In Progress`. Xong → chuyển sang `✅ Recently Done`.
**Last updated:** 2026-04-21 15:30 **Last updated:** 2026-04-21 16:30
## 📍 Phase hiện tại: **Phase 5 Prep xong** (infra + scripts + docs) — chờ Gitea URL để deploy thật ## 📍 Phase hiện tại: **Phase 5.1 Security + Users Mgmt xong** — chờ Gitea URL để deploy Phase 5 prod
## 🔥 In Progress ## 🔥 In Progress
@ -14,7 +14,8 @@ _(không có)_
| Ngày | Ai | Task | Commit | | Ngày | Ai | Task | Commit |
|---|---|---|---| |---|---|---|---|
| 2026-04-21 | Claude | **Phase 5 Prep** — BE rate limit (5/min login, 300/min global) + health check (/live + /ready DB probe) + Serilog file rolling 30d + HSTS prod. Scripts: deploy-iis.ps1 + backup-sql.ps1 + .gitea/workflows/deploy.yml. Docs guides (4): deployment-iis, cicd, security-checklist, runbook. FE refresh token auto interceptor (cả 2 app) với queue pattern | (sắp commit) | | 2026-04-21 | Claude | **Phase 5.1 Security + Users Mgmt** — Security headers middleware (CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy) + Identity account lockout (5 fail → 15min) + LoginHandler check IsLockedOut + AccessFailedAsync. BE Users CQRS 8 feature + UsersController 7 endpoint. FE admin `/system/users` — list + create + gán role + reset password + unlock + toggle active | (sắp commit) |
| 2026-04-21 | Claude | **Phase 5 Prep** — BE rate limit + health check + Serilog file + HSTS + scripts deploy-iis/backup-sql + .gitea/workflows/deploy.yml + 4 guides + FE refresh token queue pattern | `46a2cab` |
| 2026-04-21 | Claude | **Phase 4 Report MVP + Docs Consolidation** — Dashboard KPI + Excel export + rules.md + architecture.md + schema-diagram.md + gotchas update 26 pitfalls | `fe7ad8e` | | 2026-04-21 | Claude | **Phase 4 Report MVP + Docs Consolidation** — Dashboard KPI + Excel export + rules.md + architecture.md + schema-diagram.md + gotchas update 26 pitfalls | `fe7ad8e` |
| 2026-04-21 | Claude | **Phase 3 Workflow MVP** — 9 phase state machine + gen mã HĐ RG-001 | `7e957a7` | | 2026-04-21 | Claude | **Phase 3 Workflow MVP** — 9 phase state machine + gen mã HĐ RG-001 | `7e957a7` |
| 2026-04-21 | Claude | **Phase 2 Form Engine MVP** | `5113e4c` | | 2026-04-21 | Claude | **Phase 2 Form Engine MVP** | `5113e4c` |
@ -46,14 +47,16 @@ Session logs: [P0](changelog/sessions/2026-04-21-1045-phase0-scaffold.md) · [P1
- [ ] Smoke test end-to-end prod - [ ] Smoke test end-to-end prod
- [ ] UAT 1 tuần 2-3 user thật - [ ] UAT 1 tuần 2-3 user thật
### Phase 5.1 Security hardening ### Phase 5.1 Security — xong gần hết
Xem [`guides/security-checklist.md`](guides/security-checklist.md). TODO: - [x] Security headers middleware (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, CSP)
- [ ] Security headers middleware (X-Content-Type-Options, X-Frame-Options, CSP) - [x] Identity account lockout (5 fail → 15min, config-driven)
- [ ] Identity Account lockout (5 fail → 15min lock) - [x] Password policy config-driven (default 8 dev, override prod `Identity:Password:RequiredLength`)
- [ ] Password policy min 12 chars production - [x] LoginHandler check lockout + AccessFailedAsync + reset on success
- [x] BE Users management + FE admin UsersPage (tạo user test permission non-admin)
- [ ] IDOR check ContractsController (user không xem HĐ không liên quan) - [ ] IDOR check ContractsController (user không xem HĐ không liên quan)
- [ ] Dependencies scan CI (`dotnet list package --vulnerable` + `npm audit`) - [ ] Dependencies scan CI (`dotnet list package --vulnerable` + `npm audit`)
- [ ] Admin mặc định warning log force đổi password
### Polish iterations ### Polish iterations

14
docs/changelog/migration-todos.md
View File

@ -211,14 +211,18 @@
- [ ] UAT production 1 tuần với 2-3 user thật - [ ] UAT production 1 tuần với 2-3 user thật
- [ ] Go-live checklist: backup, rollback plan, on-call contact - [ ] Go-live checklist: backup, rollback plan, on-call contact
### Phase 5.1 Security hardening ### Phase 5.1 Security hardening + Users Mgmt
- [ ] Security headers middleware (X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy) - [x] Security headers middleware (X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy, Permissions-Policy)
- [ ] Identity account lockout (5 fail → 15min lock) — config trong `DependencyInjection.cs` - [x] Identity account lockout (5 fail → 15min, config-driven)
- [ ] Password policy min 12 chars production - [x] Password policy config-driven (default 8 dev, override `Identity:Password:RequiredLength` prod)
- [x] LoginCommand: check IsLockedOutAsync + AccessFailedAsync + reset on success
- [x] BE Users management: CQRS 8 feature + UsersController 7 endpoint (Users.Read/Create/Update policies)
- [x] FE admin `/system/users`: list + create + assign roles + reset password + unlock + toggle active
- [ ] IDOR check ContractsController — user Drafter chỉ xem HĐ mình tạo hoặc có role giữ phase - [ ] IDOR check ContractsController — user Drafter chỉ xem HĐ mình tạo hoặc có role giữ phase
- [ ] Dependencies scan vào CI (`dotnet list package --vulnerable --include-transitive`, `npm audit --audit-level=high`) - [ ] Dependencies scan vào CI (`dotnet list package --vulnerable --include-transitive`, `npm audit --audit-level=high`)
- [ ] Admin mặc định: đổi password prod hoặc disable sau setup user thật - [ ] Admin mặc định: warning log force đổi password
- [ ] BE Roles CRUD (Create/Rename/Delete custom role) + FE `/system/roles`
## Post-launch (Phase 6+ — future) ## Post-launch (Phase 6+ — future)

118
docs/changelog/sessions/2026-04-21-1630-phase5-1-security-users.md Normal file
View File

@ -0,0 +1,118 @@
# Session 2026-04-21 16:30 — Phase 5.1 Security + Users Management
**Dev:** Claude (Opus 4.7)
**Duration:** ~1h
**Base commit:** `46a2cab`
## Làm được
### Chunk T — Phase 5.1 Security hardening
- `Api/Middleware/SecurityHeadersMiddleware.cs` MỚI:
- Remove server fingerprint: `Server`, `X-Powered-By`, `X-AspNet-Version`, `X-AspNetMvc-Version`
- Security headers: `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, `Referrer-Policy: strict-origin-when-cross-origin`, `X-Permitted-Cross-Domain-Policies: none`, `Permissions-Policy` (disable geolocation/mic/cam/payment)
- CSP: `default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'` — skip ở `/swagger` (dùng inline script/style)
- `Program.cs` wire `app.UseMiddleware<SecurityHeadersMiddleware>()` đầu pipeline
- `Infrastructure/DependencyInjection.cs` Identity options:
- Password `RequiredLength` đọc config (`Identity:Password:RequiredLength`) — default 8 dev, override 12+ prod
- Lockout: `DefaultLockoutTimeSpan` (default 15 phút), `MaxFailedAccessAttempts` (default 5), `AllowedForNewUsers = true`
- Override qua `appsettings.Production.json` Identity section
- `LoginCommand` handler update:
- Check `IsLockedOutAsync` trước khi verify password → throw với deadline message
- `AccessFailedAsync` khi sai password (tăng counter, auto-lock)
- `ResetAccessFailedCountAsync` khi login thành công
### Chunk U — BE Users management (8 features)
- `Application/Users/UserFeatures.cs`:
- `UserDto` (Id, Email, FullName, IsActive, IsLocked, CreatedAt, Roles)
- `ListUsersQuery` với paging + search (email / fullName)
- `GetUserQuery`
- `CreateUserCommand` + Validator + Handler (check email unique, CreateAsync + AddToRoleAsync)
- `UpdateUserCommand` (FullName + IsActive, với self-disable protection)
- `AssignRolesCommand` (replace full set, diff add/remove, self-demote protection — không tự gỡ Admin)
- `ResetPasswordCommand` (admin flow — Remove + Add password, invalidate refresh token, unlock)
- `UnlockUserCommand`
- `Api/Controllers/UsersController.cs` — 7 endpoint với policy `Users.Read` / `Users.Create` / `Users.Update`
### Chunk V — FE admin Users page
- `types/users.ts`: User type + `AVAILABLE_ROLES` (12 role từ BE AppRoles.cs) + `RoleLabel` tiếng Việt
- `pages/system/UsersPage.tsx`:
- DataTable list users với Email / Họ tên / Roles (badge chips) / Active / Locked / Created
- Nút **Gán role** (icon Shield) → Dialog checkbox 12 role → PUT `/roles`
- Nút **Reset password** (icon KeyRound) → Dialog với warning "user sẽ bị logout"
- Nút **Unlock** (hiện khi isLocked=true)
- Nút **Toggle Active** (XCircle / CheckCircle)
- Dialog **Thêm user mới**: email / fullName / password / grid roles checkbox → POST `/users`
- `<PermissionGuard menuKey="Users" action="Create|Update">` wrap các button
- Route `/system/users` vào App.tsx
## E2E verified
```bash
# Security headers
GET /api/users (với Bearer)200
Response headers:
X-Content-Type-Options: nosniff ✅
X-Frame-Options: DENY ✅
Referrer-Policy: strict-origin-when-cross-origin ✅
Permissions-Policy: geolocation=(), microphone=(), camera=(), payment=()
Content-Security-Policy: default-src 'self'; ... ✅
# Users CRUD
POST /api/users {email: test.drafter@..., roles: ["Drafter"]}201 + id
GET /api/users → Paged[1 admin only initially, now 2]
# TS check fe-admin → pass
```
## Bug gặp + fix
| Bug | Fix |
|---|---|
| `ValidationException` ambiguous FluentValidation vs Custom | `using ValidationException = ...Custom.ValidationException;` alias |
| Edit tool "File not read" tiếp tục bị hit sau system-reminder | Read lại → Edit — pattern đã quen |
## Tác động lên STATUS/HANDOFF/migration-todos/gotchas
- `migration-todos.md` Phase 5.1: tick 5 items done (security headers, account lockout, password policy, — còn IDOR check + dependencies scan)
- `gotchas.md`: không thêm mới (các issue lần này không có bẫy mới)
- `STATUS.md`: cumulative BE LOC 3300 → 3700 (+UserFeatures + SecurityHeaders)
- `HANDOFF.md`: thêm Phase 5.1 status row, FE pages 16 → 17 (+UsersPage)
## Handoff cho session tiếp theo
### Phase 5.1 còn
- [ ] IDOR check ContractsController: user Drafter chỉ thấy HĐ mình tạo hoặc có role giữ phase hiện tại (cần add helper `IsInvolvedInContract(userId, contractId)`)
- [ ] Dependencies scan CI: `dotnet list package --vulnerable --include-transitive` + `npm audit --audit-level=high`
- [ ] Admin mặc định: thêm warning log lần đầu start nếu admin password = `Admin@123456` (force đổi)
### Roles CRUD (quick win còn lại)
- [ ] BE: `CreateRoleCommand`, `UpdateRoleCommand` (rename + description), `DeleteRoleCommand` (block nếu còn user/permission)
- [ ] FE: `/system/roles` page
### Phase 3 iter 2 (big — optional)
- SlaExpiryJob BackgroundService
- Email/in-app notification
- Upload attachment endpoint + FE
### Blocker
- ⏳ Gitea URL — user sẽ cấp
## Thông số cumulative
| | Phase 5 prep | **Phase 5.1 Security + Users** |
|---|---:|---:|
| BE LOC | ~3300 | **~3700** (+UserFeatures ~250 + SecurityHeaders ~40 + LoginHandler update) |
| DB tables | 19 | 19 |
| API endpoints | ~35 | **~42** (+7 users) |
| FE pages | 16 | **17** (+UsersPage) |
| Middleware | 2 | **3** (+SecurityHeaders) |
| Commits | 9 | **10** (sắp) |

2
fe-admin/src/App.tsx
View File

@ -13,6 +13,7 @@ import { FormsPage } from '@/pages/forms/FormsPage'
import { ContractsListPage } from '@/pages/contracts/ContractsListPage' import { ContractsListPage } from '@/pages/contracts/ContractsListPage'
import { ContractDetailPage } from '@/pages/contracts/ContractDetailPage' import { ContractDetailPage } from '@/pages/contracts/ContractDetailPage'
import { ReportsPage } from '@/pages/ReportsPage' import { ReportsPage } from '@/pages/ReportsPage'
import { UsersPage } from '@/pages/system/UsersPage'
function App() { function App() {
return ( return (
@ -31,6 +32,7 @@ function App() {
<Route path="/master/suppliers" element={<SuppliersPage />} /> <Route path="/master/suppliers" element={<SuppliersPage />} />
<Route path="/master/projects" element={<ProjectsPage />} /> <Route path="/master/projects" element={<ProjectsPage />} />
<Route path="/master/departments" element={<DepartmentsPage />} /> <Route path="/master/departments" element={<DepartmentsPage />} />
<Route path="/system/users" element={<UsersPage />} />
<Route path="/system/permissions" element={<PermissionsPage />} /> <Route path="/system/permissions" element={<PermissionsPage />} />
<Route path="/forms" element={<FormsPage />} /> <Route path="/forms" element={<FormsPage />} />
<Route path="/contracts" element={<ContractsListPage />} /> <Route path="/contracts" element={<ContractsListPage />} />

327
fe-admin/src/pages/system/UsersPage.tsx Normal file
View File

@ -0,0 +1,327 @@
import { useState, type FormEvent } from 'react'
import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
import { KeyRound, Plus, Shield, Unlock, Users, CheckCircle2, XCircle } from 'lucide-react'
import { toast } from 'sonner'
import { PageHeader } from '@/components/PageHeader'
import { DataTable, Pagination, type Column } from '@/components/DataTable'
import { PermissionGuard } from '@/components/PermissionGuard'
import { Button } from '@/components/ui/Button'
import { Input } from '@/components/ui/Input'
import { Label } from '@/components/ui/Label'
import { Dialog } from '@/components/ui/Dialog'
import { api } from '@/lib/api'
import { getErrorMessage } from '@/lib/apiError'
import { MenuKeys } from '@/lib/menuKeys'
import type { Paged } from '@/types/master'
import { AVAILABLE_ROLES, RoleLabel, type User } from '@/types/users'
const fmtDate = (s: string) => new Date(s).toLocaleDateString('vi-VN')
export function UsersPage() {
const qc = useQueryClient()
const [page, setPage] = useState(1)
const [search, setSearch] = useState('')
const [createOpen, setCreateOpen] = useState(false)
const [createForm, setCreateForm] = useState({ email: '', fullName: '', password: '', roles: [] as string[] })
const [rolesModal, setRolesModal] = useState<User | null>(null)
const [roleSelection, setRoleSelection] = useState<string[]>([])
const [resetModal, setResetModal] = useState<User | null>(null)
const [newPassword, setNewPassword] = useState('')
const list = useQuery({
queryKey: ['users', { page, search }],
queryFn: async () =>
(await api.get<Paged<User>>('/users', { params: { page, pageSize: 20, search: search || undefined } })).data,
})
const createMut = useMutation({
mutationFn: async () => {
await api.post('/users', createForm)
},
onSuccess: () => {
qc.invalidateQueries({ queryKey: ['users'] })
toast.success('Đã tạo user')
setCreateOpen(false)
setCreateForm({ email: '', fullName: '', password: '', roles: [] })
},
onError: err => toast.error(getErrorMessage(err)),
})
const rolesMut = useMutation({
mutationFn: async () => {
if (!rolesModal) return
await api.put(`/users/${rolesModal.id}/roles`, { roles: roleSelection })
},
onSuccess: () => {
qc.invalidateQueries({ queryKey: ['users'] })
toast.success('Đã cập nhật role')
setRolesModal(null)
},
onError: err => toast.error(getErrorMessage(err)),
})
const resetMut = useMutation({
mutationFn: async () => {
if (!resetModal) return
await api.post(`/users/${resetModal.id}/reset-password`, { newPassword })
},
onSuccess: () => {
toast.success(`Đã reset password. User phải login lại.`)
setResetModal(null)
setNewPassword('')
},
onError: err => toast.error(getErrorMessage(err)),
})
const unlockMut = useMutation({
mutationFn: (id: string) => api.post(`/users/${id}/unlock`),
onSuccess: () => {
qc.invalidateQueries({ queryKey: ['users'] })
toast.success('Đã mở khóa')
},
onError: err => toast.error(getErrorMessage(err)),
})
const toggleActiveMut = useMutation({
mutationFn: (u: User) => api.put(`/users/${u.id}`, { id: u.id, fullName: u.fullName, isActive: !u.isActive }),
onSuccess: () => {
qc.invalidateQueries({ queryKey: ['users'] })
toast.success('Đã cập nhật trạng thái')
},
onError: err => toast.error(getErrorMessage(err)),
})
function openRoles(u: User) {
setRolesModal(u)
setRoleSelection([...u.roles])
}
function toggleRole(r: string) {
setRoleSelection(sel => (sel.includes(r) ? sel.filter(x => x !== r) : [...sel, r]))
}
function toggleCreateRole(r: string) {
setCreateForm(f => ({
...f,
roles: f.roles.includes(r) ? f.roles.filter(x => x !== r) : [...f.roles, r],
}))
}
const columns: Column<User>[] = [
{ key: 'email', header: 'Email', render: u => <span className="font-mono text-xs">{u.email}</span> },
{ key: 'fullName', header: 'Họ tên', render: u => u.fullName },
{
key: 'roles',
header: 'Vai trò',
render: u => (
<div className="flex flex-wrap gap-1">
{u.roles.length === 0 && <span className="text-xs text-slate-400"></span>}
{u.roles.map(r => (
<span key={r} className="rounded bg-brand-50 px-1.5 py-0.5 text-xs text-brand-700">
{RoleLabel[r] ?? r}
</span>
))}
</div>
),
},
{
key: 'isActive',
header: 'Active',
width: 'w-24',
align: 'center',
render: u =>
u.isActive ? (
<CheckCircle2 className="mx-auto h-4 w-4 text-emerald-600" />
) : (
<XCircle className="mx-auto h-4 w-4 text-slate-400" />
),
},
{
key: 'isLocked',
header: 'Locked',
width: 'w-24',
align: 'center',
render: u =>
u.isLocked ? (
<span className="inline-flex items-center gap-1 text-xs text-red-600">
<KeyRound className="h-3.5 w-3.5" />
Locked
</span>
) : (
<span className="text-xs text-slate-400"></span>
),
},
{ key: 'createdAt', header: 'Ngày tạo', width: 'w-28', render: u => fmtDate(u.createdAt) },
{
key: 'actions',
header: '',
align: 'right',
width: 'w-52',
render: u => (
<div className="flex justify-end gap-1">
<PermissionGuard menuKey={MenuKeys.Users} action="Update">
<Button size="sm" variant="ghost" onClick={() => openRoles(u)} title="Gán role">
<Shield className="h-3.5 w-3.5" />
</Button>
<Button size="sm" variant="ghost" onClick={() => { setResetModal(u); setNewPassword('') }} title="Reset password">
<KeyRound className="h-3.5 w-3.5" />
</Button>
{u.isLocked && (
<Button size="sm" variant="ghost" onClick={() => unlockMut.mutate(u.id)} title="Mở khóa">
<Unlock className="h-3.5 w-3.5 text-amber-600" />
</Button>
)}
<Button size="sm" variant="ghost" onClick={() => toggleActiveMut.mutate(u)} title={u.isActive ? 'Vô hiệu hóa' : 'Kích hoạt'}>
{u.isActive ? <XCircle className="h-3.5 w-3.5 text-red-500" /> : <CheckCircle2 className="h-3.5 w-3.5 text-emerald-600" />}
</Button>
</PermissionGuard>
</div>
),
},
]
return (
<div className="p-6">
<PageHeader
title={
<span className="flex items-center gap-2">
<Users className="h-5 w-5" />
Người dùng
</span>
}
description="Tạo user + gán role để test quyền với non-admin."
actions={
<PermissionGuard menuKey={MenuKeys.Users} action="Create">
<Button onClick={() => setCreateOpen(true)}>
<Plus className="h-4 w-4" />
Thêm user
</Button>
</PermissionGuard>
}
/>
<div className="mb-3 flex gap-2">
<Input
placeholder="Tìm email hoặc tên…"
value={search}
onChange={e => { setSearch(e.target.value); setPage(1) }}
className="max-w-sm"
/>
</div>
<DataTable columns={columns} rows={list.data?.items ?? []} getRowKey={u => u.id} isLoading={list.isLoading} />
<Pagination page={page} pageSize={20} total={list.data?.total ?? 0} onChange={setPage} />
{/* Create user */}
<Dialog
open={createOpen}
onClose={() => setCreateOpen(false)}
title="Thêm user mới"
size="md"
footer={
<>
<Button variant="outline" onClick={() => setCreateOpen(false)}>Hủy</Button>
<Button onClick={(e: FormEvent) => { e.preventDefault(); createMut.mutate() }} disabled={createMut.isPending}>
{createMut.isPending ? 'Đang tạo…' : 'Tạo'}
</Button>
</>
}
>
<form className="space-y-4" onSubmit={e => { e.preventDefault(); createMut.mutate() }}>
<div className="space-y-1.5">
<Label>Email *</Label>
<Input type="email" value={createForm.email} onChange={e => setCreateForm(f => ({ ...f, email: e.target.value }))} required />
</div>
<div className="space-y-1.5">
<Label>Họ tên *</Label>
<Input value={createForm.fullName} onChange={e => setCreateForm(f => ({ ...f, fullName: e.target.value }))} required />
</div>
<div className="space-y-1.5">
<Label>Password *</Label>
<Input type="password" value={createForm.password} onChange={e => setCreateForm(f => ({ ...f, password: e.target.value }))} required minLength={8} />
<div className="text-xs text-slate-500">Tối thiểu 8 tự + chữ hoa + thường + số + tự đc biệt</div>
</div>
<div className="space-y-1.5">
<Label>Roles</Label>
<div className="grid grid-cols-2 gap-2">
{AVAILABLE_ROLES.map(r => (
<label key={r} className="flex cursor-pointer items-center gap-2 rounded border border-slate-200 px-2 py-1 text-xs hover:bg-slate-50">
<input
type="checkbox"
className="accent-brand-600"
checked={createForm.roles.includes(r)}
onChange={() => toggleCreateRole(r)}
/>
{RoleLabel[r]}
</label>
))}
</div>
</div>
</form>
</Dialog>
{/* Assign roles */}
<Dialog
open={!!rolesModal}
onClose={() => setRolesModal(null)}
title={`Gán role cho ${rolesModal?.fullName}`}
size="md"
footer={
<>
<Button variant="outline" onClick={() => setRolesModal(null)}>Hủy</Button>
<Button onClick={() => rolesMut.mutate()} disabled={rolesMut.isPending}>
{rolesMut.isPending ? 'Đang lưu…' : 'Lưu'}
</Button>
</>
}
>
<div className="grid grid-cols-2 gap-2">
{AVAILABLE_ROLES.map(r => (
<label key={r} className="flex cursor-pointer items-center gap-2 rounded border border-slate-200 px-2 py-1 text-xs hover:bg-slate-50">
<input
type="checkbox"
className="accent-brand-600"
checked={roleSelection.includes(r)}
onChange={() => toggleRole(r)}
/>
{RoleLabel[r]}
</label>
))}
</div>
</Dialog>
{/* Reset password */}
<Dialog
open={!!resetModal}
onClose={() => setResetModal(null)}
title={`Reset password: ${resetModal?.email}`}
size="sm"
footer={
<>
<Button variant="outline" onClick={() => setResetModal(null)}>Hủy</Button>
<Button
variant="danger"
onClick={() => resetMut.mutate()}
disabled={resetMut.isPending || newPassword.length < 8}
>
{resetMut.isPending ? 'Đang reset…' : 'Reset'}
</Button>
</>
}
>
<div className="space-y-3">
<div className="rounded bg-amber-50 px-3 py-2 text-xs text-amber-800">
User sẽ bị logout khỏi mọi session + phải login lại với password mới.
</div>
<div className="space-y-1.5">
<Label>Password mới</Label>
<Input type="password" value={newPassword} onChange={e => setNewPassword(e.target.value)} minLength={8} />
</div>
</div>
</Dialog>
</div>
)
}

47
fe-admin/src/types/users.ts Normal file
View File

@ -0,0 +1,47 @@
export type User = {
id: string
email: string
fullName: string
isActive: boolean
isLocked: boolean
createdAt: string
roles: string[]
}
export type CreateUserInput = {
email: string
fullName: string
password: string
roles: string[]
}
// 12 role seed trong BE (AppRoles.cs)
export const AVAILABLE_ROLES = [
'Admin',
'Drafter',
'DeptManager',
'ProjectManager',
'Procurement',
'CostControl',
'Finance',
'Accounting',
'Equipment',
'Director',
'AuthorizedSigner',
'HrAdmin',
] as const
export const RoleLabel: Record<string, string> = {
Admin: 'Quản trị',
Drafter: 'Người soạn',
DeptManager: 'Trưởng phòng ban',
ProjectManager: 'Giám đốc dự án',
Procurement: 'Cung ứng',
CostControl: 'Kiểm soát chi phí',
Finance: 'Tài chính',
Accounting: 'Kế toán',
Equipment: 'Thiết bị',
Director: 'Ban Giám đốc',
AuthorizedSigner: 'Người ủy quyền ký',
HrAdmin: 'Nhân sự / Đóng dấu',
}

68
src/Backend/SolutionErp.Api/Controllers/UsersController.cs Normal file
View File

@ -0,0 +1,68 @@
using MediatR;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using SolutionErp.Application.Common.Models;
using SolutionErp.Application.Users;
namespace SolutionErp.Api.Controllers;
[ApiController]
[Route("api/users")]
[Authorize(Policy = "Users.Read")]
public class UsersController(IMediator mediator) : ControllerBase
{
[HttpGet]
public async Task<ActionResult<PagedResult<UserDto>>> List(
[FromQuery] int page = 1, [FromQuery] int pageSize = 20,
[FromQuery] string? search = null, [FromQuery] bool sortDesc = true,
CancellationToken ct = default)
=> Ok(await mediator.Send(new ListUsersQuery { Page = page, PageSize = pageSize, Search = search, SortDesc = sortDesc }, ct));
[HttpGet("{id:guid}")]
public async Task<ActionResult<UserDto>> Get(Guid id, CancellationToken ct)
=> Ok(await mediator.Send(new GetUserQuery(id), ct));
[HttpPost]
[Authorize(Policy = "Users.Create")]
public async Task<ActionResult<object>> Create([FromBody] CreateUserCommand cmd, CancellationToken ct)
{
var id = await mediator.Send(cmd, ct);
return CreatedAtAction(nameof(Get), new { id }, new { id });
}
[HttpPut("{id:guid}")]
[Authorize(Policy = "Users.Update")]
public async Task<IActionResult> Update(Guid id, [FromBody] UpdateUserCommand cmd, CancellationToken ct)
{
if (id != cmd.Id) return BadRequest(new { detail = "ID không khớp" });
await mediator.Send(cmd, ct);
return NoContent();
}
[HttpPut("{id:guid}/roles")]
[Authorize(Policy = "Users.Update")]
public async Task<IActionResult> AssignRoles(Guid id, [FromBody] AssignRolesBody body, CancellationToken ct)
{
await mediator.Send(new AssignRolesCommand(id, body.Roles), ct);
return NoContent();
}
[HttpPost("{id:guid}/reset-password")]
[Authorize(Policy = "Users.Update")]
public async Task<IActionResult> ResetPassword(Guid id, [FromBody] ResetPasswordBody body, CancellationToken ct)
{
await mediator.Send(new ResetPasswordCommand(id, body.NewPassword), ct);
return NoContent();
}
[HttpPost("{id:guid}/unlock")]
[Authorize(Policy = "Users.Update")]
public async Task<IActionResult> Unlock(Guid id, CancellationToken ct)
{
await mediator.Send(new UnlockUserCommand(id), ct);
return NoContent();
}
}
public record AssignRolesBody(List<string> Roles);
public record ResetPasswordBody(string NewPassword);

42
src/Backend/SolutionErp.Api/Middleware/SecurityHeadersMiddleware.cs Normal file
View File

@ -0,0 +1,42 @@
namespace SolutionErp.Api.Middleware;
// Thêm security headers theo OWASP + Mozilla Observatory best practices.
// Xem docs/guides/security-checklist.md §A05.
public class SecurityHeadersMiddleware(RequestDelegate next)
{
public async Task InvokeAsync(HttpContext context)
{
var headers = context.Response.Headers;
// Ẩn server fingerprint
headers.Remove("Server");
headers.Remove("X-Powered-By");
headers.Remove("X-AspNet-Version");
headers.Remove("X-AspNetMvc-Version");
// Security headers
headers["X-Content-Type-Options"] = "nosniff";
headers["X-Frame-Options"] = "DENY";
headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
headers["X-Permitted-Cross-Domain-Policies"] = "none";
headers["Permissions-Policy"] = "geolocation=(), microphone=(), camera=(), payment=()";
// CSP chỉ áp dụng ở non-Swagger (Swagger dùng inline script/style)
var isSwagger = context.Request.Path.StartsWithSegments("/swagger");
if (!isSwagger)
{
headers["Content-Security-Policy"] =
"default-src 'self'; " +
"img-src 'self' data:; " +
"style-src 'self' 'unsafe-inline'; " + // Tailwind cần inline styles ở runtime
"script-src 'self'; " +
"font-src 'self' data:; " +
"connect-src 'self'; " +
"frame-ancestors 'none'; " +
"base-uri 'self'; " +
"form-action 'self'";
}
await next(context);
}
}

1
src/Backend/SolutionErp.Api/Program.cs
View File

@ -146,6 +146,7 @@ builder.Services.AddSwaggerGen(c =>
var app = builder.Build(); var app = builder.Build();
// ---------- Pipeline ---------- // ---------- Pipeline ----------
app.UseMiddleware<SecurityHeadersMiddleware>();
app.UseMiddleware<GlobalExceptionMiddleware>(); app.UseMiddleware<GlobalExceptionMiddleware>();
app.UseSerilogRequestLogging(); app.UseSerilogRequestLogging();

39
src/Backend/SolutionErp.Application/Auth/Commands/Login/LoginCommand.cs
View File

@ -19,32 +19,39 @@ public class LoginCommandValidator : AbstractValidator<LoginCommand>
} }
} }
public class LoginCommandHandler : IRequestHandler<LoginCommand, AuthResponseDto> public class LoginCommandHandler(
UserManager<User> userManager,
IJwtTokenService jwtTokenService) : IRequestHandler<LoginCommand, AuthResponseDto>
{ {
private readonly UserManager<User> _userManager;
private readonly IJwtTokenService _jwtTokenService;
public LoginCommandHandler(UserManager<User> userManager, IJwtTokenService jwtTokenService)
{
_userManager = userManager;
_jwtTokenService = jwtTokenService;
}
public async Task<AuthResponseDto> Handle(LoginCommand request, CancellationToken cancellationToken) public async Task<AuthResponseDto> Handle(LoginCommand request, CancellationToken cancellationToken)
{ {
var user = await _userManager.FindByEmailAsync(request.Email); var user = await userManager.FindByEmailAsync(request.Email);
if (user is null || !user.IsActive) if (user is null || !user.IsActive)
throw new UnauthorizedException("Email hoặc mật khẩu không đúng."); throw new UnauthorizedException("Email hoặc mật khẩu không đúng.");
if (!await _userManager.CheckPasswordAsync(user, request.Password)) // Check lockout trước
throw new UnauthorizedException("Email hoặc mật khẩu không đúng."); if (await userManager.IsLockedOutAsync(user))
{
var until = user.LockoutEnd;
throw new UnauthorizedException($"Tài khoản bị khóa do nhập sai nhiều lần. Thử lại sau {until:HH:mm}.");
}
var roles = await _userManager.GetRolesAsync(user); if (!await userManager.CheckPasswordAsync(user, request.Password))
var tokens = await _jwtTokenService.GenerateTokensAsync(user, roles); {
// Tăng AccessFailedCount + auto lock khi đủ ngưỡng
await userManager.AccessFailedAsync(user);
throw new UnauthorizedException("Email hoặc mật khẩu không đúng.");
}
// Success → reset failed count
await userManager.ResetAccessFailedCountAsync(user);
var roles = await userManager.GetRolesAsync(user);
var tokens = await jwtTokenService.GenerateTokensAsync(user, roles);
user.RefreshToken = tokens.RefreshToken; user.RefreshToken = tokens.RefreshToken;
user.RefreshTokenExpiresAt = tokens.RefreshTokenExpiresAt; user.RefreshTokenExpiresAt = tokens.RefreshTokenExpiresAt;
await _userManager.UpdateAsync(user); await userManager.UpdateAsync(user);
return new AuthResponseDto( return new AuthResponseDto(
tokens.AccessToken, tokens.AccessToken,

248
src/Backend/SolutionErp.Application/Users/UserFeatures.cs Normal file
View File

@ -0,0 +1,248 @@
using FluentValidation;
using MediatR;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using SolutionErp.Application.Common.Exceptions;
using SolutionErp.Application.Common.Interfaces;
using SolutionErp.Application.Common.Models;
using SolutionErp.Domain.Identity;
using ValidationException = SolutionErp.Application.Common.Exceptions.ValidationException;
namespace SolutionErp.Application.Users;
public record UserDto(
Guid Id,
string Email,
string FullName,
bool IsActive,
bool IsLocked,
DateTime CreatedAt,
List<string> Roles);
// ========== LIST ==========
public record ListUsersQuery : PagedRequest, IRequest<PagedResult<UserDto>>;
public class ListUsersQueryHandler(UserManager<User> userManager, IDateTime dateTime)
: IRequestHandler<ListUsersQuery, PagedResult<UserDto>>
{
public async Task<PagedResult<UserDto>> Handle(ListUsersQuery request, CancellationToken ct)
{
var query = userManager.Users.AsNoTracking();
if (!string.IsNullOrWhiteSpace(request.Search))
{
var s = request.Search.Trim();
query = query.Where(u => u.Email!.Contains(s) || u.FullName.Contains(s));
}
query = request.SortDesc
? query.OrderByDescending(u => u.CreatedAt)
: query.OrderBy(u => u.CreatedAt);
var total = await query.CountAsync(ct);
var users = await query
.Skip((request.Page - 1) * request.PageSize)
.Take(request.PageSize)
.ToListAsync(ct);
var items = new List<UserDto>(users.Count);
var now = dateTime.UtcNow;
foreach (var u in users)
{
var roles = await userManager.GetRolesAsync(u);
var isLocked = u.LockoutEnd.HasValue && u.LockoutEnd.Value.UtcDateTime > now;
items.Add(new UserDto(u.Id, u.Email!, u.FullName, u.IsActive, isLocked, u.CreatedAt, roles.ToList()));
}
return new PagedResult<UserDto>(items, total, request.Page, request.PageSize);
}
}
// ========== GET ==========
public record GetUserQuery(Guid Id) : IRequest<UserDto>;
public class GetUserQueryHandler(UserManager<User> userManager, IDateTime dateTime)
: IRequestHandler<GetUserQuery, UserDto>
{
public async Task<UserDto> Handle(GetUserQuery request, CancellationToken ct)
{
var u = await userManager.FindByIdAsync(request.Id.ToString())
?? throw new NotFoundException("User", request.Id);
var roles = await userManager.GetRolesAsync(u);
var isLocked = u.LockoutEnd.HasValue && u.LockoutEnd.Value.UtcDateTime > dateTime.UtcNow;
return new UserDto(u.Id, u.Email!, u.FullName, u.IsActive, isLocked, u.CreatedAt, roles.ToList());
}
}
// ========== CREATE ==========
public record CreateUserCommand(string Email, string FullName, string Password, List<string> Roles)
: IRequest<Guid>;
public class CreateUserCommandValidator : AbstractValidator<CreateUserCommand>
{
public CreateUserCommandValidator()
{
RuleFor(x => x.Email).NotEmpty().EmailAddress().MaximumLength(100);
RuleFor(x => x.FullName).NotEmpty().MaximumLength(200);
RuleFor(x => x.Password).NotEmpty().MinimumLength(8);
RuleFor(x => x.Roles).NotNull();
}
}
public class CreateUserCommandHandler(
UserManager<User> userManager,
RoleManager<Role> roleManager,
IDateTime dateTime) : IRequestHandler<CreateUserCommand, Guid>
{
public async Task<Guid> Handle(CreateUserCommand request, CancellationToken ct)
{
if (await userManager.FindByEmailAsync(request.Email) is not null)
throw new ConflictException($"Email '{request.Email}' đã tồn tại.");
var user = new User
{
UserName = request.Email,
Email = request.Email,
FullName = request.FullName,
EmailConfirmed = true,
IsActive = true,
CreatedAt = dateTime.UtcNow,
};
var result = await userManager.CreateAsync(user, request.Password);
if (!result.Succeeded)
throw new ValidationException(result.Errors.Select(e => new FluentValidation.Results.ValidationFailure("Password", e.Description)));
// Assign roles
foreach (var roleName in request.Roles.Distinct())
{
if (await roleManager.RoleExistsAsync(roleName))
await userManager.AddToRoleAsync(user, roleName);
}
return user.Id;
}
}
// ========== UPDATE ==========
public record UpdateUserCommand(Guid Id, string FullName, bool IsActive) : IRequest;
public class UpdateUserCommandValidator : AbstractValidator<UpdateUserCommand>
{
public UpdateUserCommandValidator()
{
RuleFor(x => x.Id).NotEmpty();
RuleFor(x => x.FullName).NotEmpty().MaximumLength(200);
}
}
public class UpdateUserCommandHandler(UserManager<User> userManager, ICurrentUser currentUser)
: IRequestHandler<UpdateUserCommand>
{
public async Task Handle(UpdateUserCommand request, CancellationToken ct)
{
var user = await userManager.FindByIdAsync(request.Id.ToString())
?? throw new NotFoundException("User", request.Id);
// Self-disable protection: admin không thể tự deactivate
if (!request.IsActive && user.Id == currentUser.UserId)
throw new ForbiddenException("Không thể tự vô hiệu hóa tài khoản của mình.");
user.FullName = request.FullName;
user.IsActive = request.IsActive;
await userManager.UpdateAsync(user);
}
}
// ========== ASSIGN ROLES (replace full set) ==========
public record AssignRolesCommand(Guid Id, List<string> Roles) : IRequest;
public class AssignRolesCommandValidator : AbstractValidator<AssignRolesCommand>
{
public AssignRolesCommandValidator()
{
RuleFor(x => x.Id).NotEmpty();
RuleFor(x => x.Roles).NotNull();
}
}
public class AssignRolesCommandHandler(
UserManager<User> userManager,
RoleManager<Role> roleManager,
ICurrentUser currentUser) : IRequestHandler<AssignRolesCommand>
{
public async Task Handle(AssignRolesCommand request, CancellationToken ct)
{
var user = await userManager.FindByIdAsync(request.Id.ToString())
?? throw new NotFoundException("User", request.Id);
var current = await userManager.GetRolesAsync(user);
var target = request.Roles.Distinct().ToList();
// Self-demote protection: admin không thể tự gỡ role Admin khỏi mình
if (user.Id == currentUser.UserId
&& current.Contains(AppRoles.Admin)
&& !target.Contains(AppRoles.Admin))
{
throw new ForbiddenException("Không thể tự gỡ role Admin khỏi mình.");
}
var toRemove = current.Except(target).ToList();
var toAdd = target.Except(current).ToList();
if (toRemove.Count > 0) await userManager.RemoveFromRolesAsync(user, toRemove);
foreach (var roleName in toAdd)
{
if (await roleManager.RoleExistsAsync(roleName))
await userManager.AddToRoleAsync(user, roleName);
}
}
}
// ========== RESET PASSWORD (admin) ==========
public record ResetPasswordCommand(Guid Id, string NewPassword) : IRequest;
public class ResetPasswordCommandValidator : AbstractValidator<ResetPasswordCommand>
{
public ResetPasswordCommandValidator()
{
RuleFor(x => x.Id).NotEmpty();
RuleFor(x => x.NewPassword).NotEmpty().MinimumLength(8);
}
}
public class ResetPasswordCommandHandler(UserManager<User> userManager)
: IRequestHandler<ResetPasswordCommand>
{
public async Task Handle(ResetPasswordCommand request, CancellationToken ct)
{
var user = await userManager.FindByIdAsync(request.Id.ToString())
?? throw new NotFoundException("User", request.Id);
// Admin flow: remove + set password (không cần token)
await userManager.RemovePasswordAsync(user);
var result = await userManager.AddPasswordAsync(user, request.NewPassword);
if (!result.Succeeded)
throw new ValidationException(result.Errors.Select(e => new FluentValidation.Results.ValidationFailure("NewPassword", e.Description)));
// Invalidate refresh token → force re-login
user.RefreshToken = null;
user.RefreshTokenExpiresAt = null;
await userManager.UpdateAsync(user);
// Unlock nếu đang lock
await userManager.ResetAccessFailedCountAsync(user);
await userManager.SetLockoutEndDateAsync(user, null);
}
}
// ========== UNLOCK ==========
public record UnlockUserCommand(Guid Id) : IRequest;
public class UnlockUserCommandHandler(UserManager<User> userManager) : IRequestHandler<UnlockUserCommand>
{
public async Task Handle(UnlockUserCommand request, CancellationToken ct)
{
var user = await userManager.FindByIdAsync(request.Id.ToString())
?? throw new NotFoundException("User", request.Id);
await userManager.SetLockoutEndDateAsync(user, null);
await userManager.ResetAccessFailedCountAsync(user);
}
}

11
src/Backend/SolutionErp.Infrastructure/DependencyInjection.cs
View File

@ -42,14 +42,23 @@ public static class DependencyInjection
services.AddScoped<IApplicationDbContext>(sp => sp.GetRequiredService<ApplicationDbContext>()); services.AddScoped<IApplicationDbContext>(sp => sp.GetRequiredService<ApplicationDbContext>());
// Password policy + lockout — override prod qua appsettings.Production.json Identity section
var minLen = configuration.GetValue<int?>("Identity:Password:RequiredLength") ?? 8;
var lockoutMinutes = configuration.GetValue<int?>("Identity:Lockout:Minutes") ?? 15;
var lockoutMaxFail = configuration.GetValue<int?>("Identity:Lockout:MaxFailedAttempts") ?? 5;
services.AddIdentityCore<User>(options => services.AddIdentityCore<User>(options =>
{ {
options.Password.RequireDigit = true; options.Password.RequireDigit = true;
options.Password.RequireLowercase = true; options.Password.RequireLowercase = true;
options.Password.RequireUppercase = true; options.Password.RequireUppercase = true;
options.Password.RequireNonAlphanumeric = true; options.Password.RequireNonAlphanumeric = true;
options.Password.RequiredLength = 8; options.Password.RequiredLength = minLen;
options.User.RequireUniqueEmail = true; options.User.RequireUniqueEmail = true;
options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(lockoutMinutes);
options.Lockout.MaxFailedAccessAttempts = lockoutMaxFail;
options.Lockout.AllowedForNewUsers = true;
}) })
.AddRoles<Role>() .AddRoles<Role>()
.AddEntityFrameworkStores<ApplicationDbContext>(); .AddEntityFrameworkStores<ApplicationDbContext>();