[CLAUDE] Phase5 prep: production infra + deploy scripts + 4 guides + FE refresh token

Backend production infra: - Packages: Serilog.Sinks.File, HealthChecks.EntityFrameworkCore (RateLimiting built-in .NET 10) - appsettings.Production.json MOI: placeholder __SET_VIA_SECRETS__, AllowedOrigins, Serilog File sink rolling daily retention 30d, RateLimit config - appsettings.json + Development.json: them Serilog WriteTo Console - Program.cs REWRITE: - Serilog ReadFrom.Configuration (prod file / dev console) - Rate limiter: policy auth-login 5/min/IP (AuthController.Login) + GlobalLimiter 300/min/IP - Health checks: /health/live liveness (empty predicate) + /health/ready DB probe (AddDbContextCheck) - HSTS production 1 year - CORS origins from config AllowedOrigins (default dev 2 localhost) - AuthController.Login gắn [EnableRateLimiting("auth-login")] Deploy scripts: - scripts/deploy-iis.ps1: stop pool → backup current → clean+extract artifact → start pool → health check loop 30s timeout → rollback instruction if fail - scripts/backup-sql.ps1: BACKUP DATABASE voi INIT+COMPRESSION+CHECKSUM + retention 30d auto cleanup - .gitea/workflows/deploy.yml MOI: 4 job build BE (Windows) + build 2 FE (Ubuntu, pin .nvmrc 20) + deploy-iis qua WinRM PSSession (secrets IIS_HOST/USER/PASSWORD/JWT_SECRET/DB_CONNECTION) Docs guides MOI (4 file): - deployment-iis.md: prereqs (IIS features, Hosting Bundle, SQL, WinRM) + setup lan dau (app pool, 3 site, HTTPS win-acme, user-secrets) + deploy hang ngay (CI/CD + manual) + rollback + monitoring + troubleshooting + SPA web.config sample - cicd.md: pipeline overview 4 job, secrets setup, runner Windows+Ubuntu, branch strategy, build optimizations, common CI/CD issues - security-checklist.md: OWASP top 10 2021 mapping voi status + pre go-live checklist + incident response - runbook.md: daily ops (health/logs), restart/rollback, DB backup/restore/migration revert, user management (reset password, unlock, disable), monitoring (CPU/disk/connection pool), deployment checklist, common gotcha Frontend refresh token (ca 2 app fe-admin + fe-user): - lib/api.ts REWRITE: them REFRESH_KEY, axios response interceptor 401 → POST /auth/refresh → retry request goc. Queue pattern cho nhieu request song song chi 1 refresh call chay. Skip retry /auth/login + /auth/refresh tranh infinite loop. _retry flag tren original config. - contexts/AuthContext.tsx: luu+xoa REFRESH_KEY trong login/logout E2E verified: - GET /health/live → 200 Healthy - GET /health/ready → 200 Healthy (DB probe) - Rate limit flood 7 POST /auth/login → #1-5 HTTP 400 (cred sai) + #6-7 HTTP 429 Too Many Requests ✅ - TS check fe-admin + fe-user → pass - dotnet build → 0 errors Docs updates: - docs/STATUS.md: Phase 5 prep done, next Phase 5 deploy production + Phase 5.1 security hardening, cumulative stats 8 commits - docs/HANDOFF.md: phase table them Phase 5 prep row, file tree update voi guides + scripts + workflows, git state commit 8 - docs/changelog/migration-todos.md: tick Phase 5 prep items (12 items done) + Phase 5 deploy items remaining + Phase 5.1 security hardening list - docs/changelog/sessions/2026-04-21-1530-phase5-prep.md: session log chi tiet Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 12:57:12 +07:00
parent fe7ad8e4a3
commit f3fb3fd565
19 changed files with 1382 additions and 91 deletions
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@ -0,0 +1,118 @@
+# Gitea Actions CI/CD — build + deploy SOLUTION_ERP lên IIS Windows Server.
+# Trigger: push vào branch main, hoặc manual.
+#
+# Chạy trên Windows self-hosted runner (vì cần IIS + Word COM cho .doc convert optional).
+# Secrets cần set trong Gitea repo settings:
+#   - IIS_HOST          (hostname hoặc IP)
+#   - IIS_USER          (Windows user có admin + WinRM)
+#   - IIS_PASSWORD
+#   - JWT_SECRET        (64+ chars random — dùng trong appsettings.Production.json)
+#   - DB_CONNECTION     (connection string production)
+
+name: Deploy SOLUTION_ERP
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  build-backend:
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup .NET 10
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '10.0.x'
+
+      - name: Restore + Build BE
+        run: |
+          dotnet restore SolutionErp.slnx
+          dotnet build SolutionErp.slnx --no-restore --configuration Release
+
+      - name: Publish Api
+        run: >
+          dotnet publish src/Backend/SolutionErp.Api/SolutionErp.Api.csproj
+          --no-build --configuration Release
+          --output artifacts/api
+          --runtime win-x64 --self-contained false
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: backend-api
+          path: artifacts/api/
+
+  build-fe-admin:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: 'fe-admin/.nvmrc'   # pin 20.x (gotcha NamGroup)
+          cache: 'npm'
+          cache-dependency-path: 'fe-admin/package-lock.json'
+      - run: npm ci
+        working-directory: fe-admin
+      - run: npm run build
+        working-directory: fe-admin
+      - uses: actions/upload-artifact@v4
+        with:
+          name: fe-admin-dist
+          path: fe-admin/dist/
+
+  build-fe-user:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: 'fe-user/.nvmrc'
+          cache: 'npm'
+          cache-dependency-path: 'fe-user/package-lock.json'
+      - run: npm ci
+        working-directory: fe-user
+      - run: npm run build
+        working-directory: fe-user
+      - uses: actions/upload-artifact@v4
+        with:
+          name: fe-user-dist
+          path: fe-user/dist/
+
+  deploy-iis:
+    needs: [build-backend, build-fe-admin, build-fe-user]
+    runs-on: windows-latest
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          path: artifacts/
+
+      - name: Zip artifacts
+        shell: pwsh
+        run: |
+          Compress-Archive -Path artifacts/backend-api/* -DestinationPath api.zip -Force
+          Compress-Archive -Path artifacts/fe-admin-dist/* -DestinationPath fe-admin.zip -Force
+          Compress-Archive -Path artifacts/fe-user-dist/* -DestinationPath fe-user.zip -Force
+
+      - name: Copy + deploy via WinRM
+        shell: pwsh
+        env:
+          IIS_HOST: ${{ secrets.IIS_HOST }}
+          IIS_USER: ${{ secrets.IIS_USER }}
+          IIS_PASSWORD: ${{ secrets.IIS_PASSWORD }}
+        run: |
+          $secure = ConvertTo-SecureString $env:IIS_PASSWORD -AsPlainText -Force
+          $cred = New-Object PSCredential($env:IIS_USER, $secure)
+          $session = New-PSSession -ComputerName $env:IIS_HOST -Credential $cred
+
+          Copy-Item -Path api.zip, fe-admin.zip, fe-user.zip -Destination "C:\Deploy\" -ToSession $session
+
+          Invoke-Command -Session $session -ScriptBlock {
+              & C:\Deploy\scripts\deploy-iis.ps1 -Artifact "C:\Deploy\api.zip" -Site "SolutionErpApi"
+              Expand-Archive "C:\Deploy\fe-admin.zip" "C:\inetpub\solution-erp\fe-admin" -Force
+              Expand-Archive "C:\Deploy\fe-user.zip"  "C:\inetpub\solution-erp\fe-user" -Force
+          }
+
+          Remove-PSSession $session