[CLAUDE] Phase5 prep: production infra + deploy scripts + 4 guides + FE refresh token

Backend production infra: - Packages: Serilog.Sinks.File, HealthChecks.EntityFrameworkCore (RateLimiting built-in .NET 10) - appsettings.Production.json MOI: placeholder __SET_VIA_SECRETS__, AllowedOrigins, Serilog File sink rolling daily retention 30d, RateLimit config - appsettings.json + Development.json: them Serilog WriteTo Console - Program.cs REWRITE: - Serilog ReadFrom.Configuration (prod file / dev console) - Rate limiter: policy auth-login 5/min/IP (AuthController.Login) + GlobalLimiter 300/min/IP - Health checks: /health/live liveness (empty predicate) + /health/ready DB probe (AddDbContextCheck) - HSTS production 1 year - CORS origins from config AllowedOrigins (default dev 2 localhost) - AuthController.Login gắn [EnableRateLimiting("auth-login")] Deploy scripts: - scripts/deploy-iis.ps1: stop pool → backup current → clean+extract artifact → start pool → health check loop 30s timeout → rollback instruction if fail - scripts/backup-sql.ps1: BACKUP DATABASE voi INIT+COMPRESSION+CHECKSUM + retention 30d auto cleanup - .gitea/workflows/deploy.yml MOI: 4 job build BE (Windows) + build 2 FE (Ubuntu, pin .nvmrc 20) + deploy-iis qua WinRM PSSession (secrets IIS_HOST/USER/PASSWORD/JWT_SECRET/DB_CONNECTION) Docs guides MOI (4 file): - deployment-iis.md: prereqs (IIS features, Hosting Bundle, SQL, WinRM) + setup lan dau (app pool, 3 site, HTTPS win-acme, user-secrets) + deploy hang ngay (CI/CD + manual) + rollback + monitoring + troubleshooting + SPA web.config sample - cicd.md: pipeline overview 4 job, secrets setup, runner Windows+Ubuntu, branch strategy, build optimizations, common CI/CD issues - security-checklist.md: OWASP top 10 2021 mapping voi status + pre go-live checklist + incident response - runbook.md: daily ops (health/logs), restart/rollback, DB backup/restore/migration revert, user management (reset password, unlock, disable), monitoring (CPU/disk/connection pool), deployment checklist, common gotcha Frontend refresh token (ca 2 app fe-admin + fe-user): - lib/api.ts REWRITE: them REFRESH_KEY, axios response interceptor 401 → POST /auth/refresh → retry request goc. Queue pattern cho nhieu request song song chi 1 refresh call chay. Skip retry /auth/login + /auth/refresh tranh infinite loop. _retry flag tren original config. - contexts/AuthContext.tsx: luu+xoa REFRESH_KEY trong login/logout E2E verified: - GET /health/live → 200 Healthy - GET /health/ready → 200 Healthy (DB probe) - Rate limit flood 7 POST /auth/login → #1-5 HTTP 400 (cred sai) + #6-7 HTTP 429 Too Many Requests ✅ - TS check fe-admin + fe-user → pass - dotnet build → 0 errors Docs updates: - docs/STATUS.md: Phase 5 prep done, next Phase 5 deploy production + Phase 5.1 security hardening, cumulative stats 8 commits - docs/HANDOFF.md: phase table them Phase 5 prep row, file tree update voi guides + scripts + workflows, git state commit 8 - docs/changelog/migration-todos.md: tick Phase 5 prep items (12 items done) + Phase 5 deploy items remaining + Phase 5.1 security hardening list - docs/changelog/sessions/2026-04-21-1530-phase5-prep.md: session log chi tiet Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 12:57:12 +07:00
parent fe7ad8e4a3
commit f3fb3fd565
19 changed files with 1382 additions and 91 deletions
--- a/fe-user/src/contexts/AuthContext.tsx
+++ b/fe-user/src/contexts/AuthContext.tsx
@ -1,5 +1,5 @@
 import { createContext, useContext, useEffect, useState, type ReactNode } from 'react'
-import { api, TOKEN_KEY, USER_KEY } from '@/lib/api'
+import { api, TOKEN_KEY, REFRESH_KEY, USER_KEY } from '@/lib/api'
 import type { AuthResponse, LoginPayload, UserInfo } from '@/types/auth'
 import type { MenuNode } from '@/types/menu'

@ -51,6 +51,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
  async function login(payload: LoginPayload) {
    const res = await api.post<AuthResponse>('/auth/login', payload)
    localStorage.setItem(TOKEN_KEY, res.data.accessToken)
+    localStorage.setItem(REFRESH_KEY, res.data.refreshToken)
    localStorage.setItem(USER_KEY, JSON.stringify(res.data.user))
    setUser(res.data.user)
    await loadMenu()
@ -58,6 +59,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {

  function logout() {
    localStorage.removeItem(TOKEN_KEY)
+    localStorage.removeItem(REFRESH_KEY)
    localStorage.removeItem(USER_KEY)
    localStorage.removeItem(MENU_KEY)
    setUser(null)
--- a/fe-user/src/lib/api.ts
+++ b/fe-user/src/lib/api.ts
@ -1,6 +1,7 @@
-import axios from 'axios'
+import axios, { AxiosError, type InternalAxiosRequestConfig } from 'axios'

 export const TOKEN_KEY = 'solution-erp-user-token'
+export const REFRESH_KEY = 'solution-erp-user-refresh'
 export const USER_KEY = 'solution-erp-user-user'

 export const api = axios.create({
@ -10,22 +11,85 @@ export const api = axios.create({

 api.interceptors.request.use(config => {
  const token = localStorage.getItem(TOKEN_KEY)
-  if (token) {
-    config.headers.Authorization = `Bearer ${token}`
-  }
+  if (token) config.headers.Authorization = `Bearer ${token}`
  return config
 })

+type QueueItem = {
+  resolve: (value: unknown) => void
+  reject: (reason?: unknown) => void
+  config: InternalAxiosRequestConfig
+}
+
+let isRefreshing = false
+let queue: QueueItem[] = []
+
+function processQueue(error: unknown, token: string | null) {
+  queue.forEach(({ resolve, reject, config }) => {
+    if (error || !token) {
+      reject(error)
+    } else {
+      config.headers.Authorization = `Bearer ${token}`
+      resolve(api(config))
+    }
+  })
+  queue = []
+}
+
+function redirectLogin() {
+  localStorage.removeItem(TOKEN_KEY)
+  localStorage.removeItem(REFRESH_KEY)
+  localStorage.removeItem(USER_KEY)
+  if (!window.location.pathname.startsWith('/login')) {
+    window.location.href = '/login'
+  }
+}
+
 api.interceptors.response.use(
  response => response,
-  error => {
-    if (error.response?.status === 401) {
-      localStorage.removeItem(TOKEN_KEY)
-      localStorage.removeItem(USER_KEY)
-      if (!window.location.pathname.startsWith('/login')) {
-        window.location.href = '/login'
-      }
+  async (error: AxiosError) => {
+    const original = error.config as InternalAxiosRequestConfig & { _retry?: boolean }
+
+    if (error.response?.status !== 401 || !original || original._retry) {
+      return Promise.reject(error)
+    }
+
+    if (original.url?.includes('/auth/login') || original.url?.includes('/auth/refresh')) {
+      redirectLogin()
+      return Promise.reject(error)
+    }
+
+    original._retry = true
+    const refreshToken = localStorage.getItem(REFRESH_KEY)
+    if (!refreshToken) {
+      redirectLogin()
+      return Promise.reject(error)
+    }
+
+    if (isRefreshing) {
+      return new Promise((resolve, reject) => {
+        queue.push({ resolve, reject, config: original })
+      })
+    }
+
+    isRefreshing = true
+    try {
+      const res = await axios.post<{ accessToken: string; refreshToken: string }>(
+        '/api/auth/refresh',
+        { refreshToken },
+      )
+      const newToken = res.data.accessToken
+      localStorage.setItem(TOKEN_KEY, newToken)
+      localStorage.setItem(REFRESH_KEY, res.data.refreshToken)
+      processQueue(null, newToken)
+      original.headers.Authorization = `Bearer ${newToken}`
+      return api(original)
+    } catch (refreshErr) {
+      processQueue(refreshErr, null)
+      redirectLogin()
+      return Promise.reject(refreshErr)
+    } finally {
+      isRefreshing = false
    }
-    return Promise.reject(error)
  },
 )