[CLAUDE] Phase1: foundation - BE Clean Arch + Identity + JWT + 2 FE React + login E2E

Backend (.NET 10):
- Domain: BaseEntity/AuditableEntity, ContractType/Phase/ApprovalDecision enums, User/Role (Identity<Guid>), AppRoles (12 const)
- Application: IApplicationDbContext/ICurrentUser/IDateTime/IJwtTokenService, custom exceptions, ValidationBehavior (MediatR pipeline), Auth CQRS (Login/Refresh/Me), DependencyInjection
- Infrastructure: ApplicationDbContext (IdentityDbContext), AuditingInterceptor (auto audit + soft delete), DbInitializer (seed 12 role + admin), DesignTimeDbContextFactory, JwtTokenService, DateTimeService, DI
- Api: CurrentUserService, GlobalExceptionMiddleware (ProblemDetails), AuthController, Program.cs rewrite (Serilog + JWT + CORS + Swagger), appsettings + launchSettings (port 5443)
- Migration Init applied to SolutionErp_Dev LocalDB

Frontend (React 19 + Vite 8 + Tailwind 4):
- fe-admin (:8082 blue) + fe-user (:8080 emerald) - shared structure, khac menu + brand color
- Tailwind 4 via @tailwindcss/vite plugin, theme brand colors
- AuthContext (localStorage token), ProtectedRoute, Layout (sidebar + header)
- UI kit: Button/Input/Label (CVA + Tailwind)
- LoginPage voi toast error, DashboardPage/InboxPage placeholder
- Axios interceptor: auto Bearer + 401 redirect
- TanStack Query client, React Router 7, Sonner toast

Package downgrades (do .NET 10 / TS 6 compat):
- MediatR 14 -> 12.4.1 (v14 breaking changes)
- Swashbuckle 10 -> 6.9.0 (v10 khong tuong thich OpenApi 2)
- Removed Microsoft.AspNetCore.OpenApi (conflict voi Swashbuckle)

E2E verified: POST /api/auth/login qua Vite proxy ca 2 FE -> JWT + user info

Credentials seed: admin@solutionerp.local / Admin@123456

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/Backend/SolutionErp.Application/Auth/Commands/Login/LoginCommand.cs

@@ -0,0 +1,55 @@
+using FluentValidation;
+using MediatR;
+using Microsoft.AspNetCore.Identity;
+using SolutionErp.Application.Auth.Dtos;
+using SolutionErp.Application.Common.Exceptions;
+using SolutionErp.Application.Common.Interfaces;
+using SolutionErp.Domain.Identity;
+
+namespace SolutionErp.Application.Auth.Commands.Login;
+
+public record LoginCommand(string Email, string Password) : IRequest<AuthResponseDto>;
+
+public class LoginCommandValidator : AbstractValidator<LoginCommand>
+{
+    public LoginCommandValidator()
+    {
+        RuleFor(x => x.Email).NotEmpty().EmailAddress();
+        RuleFor(x => x.Password).NotEmpty().MinimumLength(6);
+    }
+}
+
+public class LoginCommandHandler : IRequestHandler<LoginCommand, AuthResponseDto>
+{
+    private readonly UserManager<User> _userManager;
+    private readonly IJwtTokenService _jwtTokenService;
+
+    public LoginCommandHandler(UserManager<User> userManager, IJwtTokenService jwtTokenService)
+    {
+        _userManager = userManager;
+        _jwtTokenService = jwtTokenService;
+    }
+
+    public async Task<AuthResponseDto> Handle(LoginCommand request, CancellationToken cancellationToken)
+    {
+        var user = await _userManager.FindByEmailAsync(request.Email);
+        if (user is null || !user.IsActive)
+            throw new UnauthorizedException("Email hoặc mật khẩu không đúng.");
+
+        if (!await _userManager.CheckPasswordAsync(user, request.Password))
+            throw new UnauthorizedException("Email hoặc mật khẩu không đúng.");
+
+        var roles = await _userManager.GetRolesAsync(user);
+        var tokens = await _jwtTokenService.GenerateTokensAsync(user, roles);
+
+        user.RefreshToken = tokens.RefreshToken;
+        user.RefreshTokenExpiresAt = tokens.RefreshTokenExpiresAt;
+        await _userManager.UpdateAsync(user);
+
+        return new AuthResponseDto(
+            tokens.AccessToken,
+            tokens.RefreshToken,
+            tokens.RefreshTokenExpiresAt,
+            new UserInfoDto(user.Id, user.Email!, user.FullName, roles.ToList()));
+    }
+}

src/Backend/SolutionErp.Application/Auth/Commands/Refresh/RefreshTokenCommand.cs

@@ -0,0 +1,56 @@
+using FluentValidation;
+using MediatR;
+using Microsoft.AspNetCore.Identity;
+using SolutionErp.Application.Auth.Dtos;
+using SolutionErp.Application.Common.Exceptions;
+using SolutionErp.Application.Common.Interfaces;
+using SolutionErp.Domain.Identity;
+
+namespace SolutionErp.Application.Auth.Commands.Refresh;
+
+public record RefreshTokenCommand(string RefreshToken) : IRequest<AuthResponseDto>;
+
+public class RefreshTokenCommandValidator : AbstractValidator<RefreshTokenCommand>
+{
+    public RefreshTokenCommandValidator()
+    {
+        RuleFor(x => x.RefreshToken).NotEmpty();
+    }
+}
+
+public class RefreshTokenCommandHandler : IRequestHandler<RefreshTokenCommand, AuthResponseDto>
+{
+    private readonly UserManager<User> _userManager;
+    private readonly IJwtTokenService _jwtTokenService;
+    private readonly IDateTime _dateTime;
+
+    public RefreshTokenCommandHandler(
+        UserManager<User> userManager,
+        IJwtTokenService jwtTokenService,
+        IDateTime dateTime)
+    {
+        _userManager = userManager;
+        _jwtTokenService = jwtTokenService;
+        _dateTime = dateTime;
+    }
+
+    public async Task<AuthResponseDto> Handle(RefreshTokenCommand request, CancellationToken cancellationToken)
+    {
+        var user = _userManager.Users.FirstOrDefault(u => u.RefreshToken == request.RefreshToken);
+        if (user is null || user.RefreshTokenExpiresAt is null || user.RefreshTokenExpiresAt < _dateTime.UtcNow)
+            throw new UnauthorizedException("Refresh token không hợp lệ hoặc đã hết hạn.");
+
+        var roles = await _userManager.GetRolesAsync(user);
+        var tokens = await _jwtTokenService.GenerateTokensAsync(user, roles);
+
+        user.RefreshToken = tokens.RefreshToken;
+        user.RefreshTokenExpiresAt = tokens.RefreshTokenExpiresAt;
+        await _userManager.UpdateAsync(user);
+
+        return new AuthResponseDto(
+            tokens.AccessToken,
+            tokens.RefreshToken,
+            tokens.RefreshTokenExpiresAt,
+            new UserInfoDto(user.Id, user.Email!, user.FullName, roles.ToList()));
+    }
+}

src/Backend/SolutionErp.Application/Auth/Dtos/AuthResponseDto.cs

@@ -0,0 +1,13 @@
+namespace SolutionErp.Application.Auth.Dtos;
+
+public record AuthResponseDto(
+    string AccessToken,
+    string RefreshToken,
+    DateTime RefreshTokenExpiresAt,
+    UserInfoDto User);
+
+public record UserInfoDto(
+    Guid Id,
+    string Email,
+    string FullName,
+    IReadOnlyList<string> Roles);

src/Backend/SolutionErp.Application/Auth/Queries/Me/GetMeQuery.cs

@@ -0,0 +1,34 @@
+using MediatR;
+using Microsoft.AspNetCore.Identity;
+using SolutionErp.Application.Auth.Dtos;
+using SolutionErp.Application.Common.Exceptions;
+using SolutionErp.Application.Common.Interfaces;
+using SolutionErp.Domain.Identity;
+
+namespace SolutionErp.Application.Auth.Queries.Me;
+
+public record GetMeQuery : IRequest<UserInfoDto>;
+
+public class GetMeQueryHandler : IRequestHandler<GetMeQuery, UserInfoDto>
+{
+    private readonly ICurrentUser _currentUser;
+    private readonly UserManager<User> _userManager;
+
+    public GetMeQueryHandler(ICurrentUser currentUser, UserManager<User> userManager)
+    {
+        _currentUser = currentUser;
+        _userManager = userManager;
+    }
+
+    public async Task<UserInfoDto> Handle(GetMeQuery request, CancellationToken cancellationToken)
+    {
+        if (!_currentUser.IsAuthenticated || _currentUser.UserId is null)
+            throw new UnauthorizedException();
+
+        var user = await _userManager.FindByIdAsync(_currentUser.UserId.Value.ToString())
+            ?? throw new UnauthorizedException();
+
+        var roles = await _userManager.GetRolesAsync(user);
+        return new UserInfoDto(user.Id, user.Email!, user.FullName, roles.ToList());
+    }
+}