11e61c9c39
Security hardening:
- Api/Middleware/SecurityHeadersMiddleware MOI: remove server fingerprint (Server, X-Powered-By, ...), add X-Content-Type-Options:nosniff, X-Frame-Options:DENY, Referrer-Policy:strict-origin-when-cross-origin, Permissions-Policy (disable geolocation/mic/cam/payment), X-Permitted-Cross-Domain-Policies:none, CSP (default-src 'self' + img data: + style inline for Tailwind + frame-ancestors 'none'). Skip CSP tren /swagger (dung inline script).
- Program.cs wire UseMiddleware SecurityHeadersMiddleware first in pipeline
- Infrastructure/DependencyInjection Identity options:
- Password.RequiredLength config-driven (Identity:Password:RequiredLength, default 8 dev, override 12+ prod)
- Lockout: DefaultLockoutTimeSpan (15min), MaxFailedAccessAttempts (5), AllowedForNewUsers=true — all config-driven
- LoginCommandHandler: IsLockedOutAsync check truoc → throw voi deadline message, AccessFailedAsync khi sai password, ResetAccessFailedCountAsync khi login thanh cong
Users management:
- Application/Users/UserFeatures.cs: 8 CQRS (ListUsersQuery paging+search, GetUserQuery, CreateUserCommand + Validator, UpdateUserCommand voi self-disable protection, AssignRolesCommand voi self-demote protection (khong tu go Admin), ResetPasswordCommand (invalidate refresh token + unlock), UnlockUserCommand)
- UserDto: Id, Email, FullName, IsActive, IsLocked (computed tu LockoutEnd), CreatedAt, Roles
- Api/Controllers/UsersController: 7 endpoint (Users.Read/Create/Update policies):
- GET / (list paged), GET /{id}, POST /, PUT /{id}, PUT /{id}/roles, POST /{id}/reset-password, POST /{id}/unlock
- using alias ValidationException = Application.Common.Exceptions.ValidationException (fix ambiguity voi FluentValidation)
Frontend fe-admin:
- types/users.ts MOI: User type + AVAILABLE_ROLES 12 role (match BE AppRoles.cs) + RoleLabel Vietnamese
- pages/system/UsersPage.tsx MOI:
- DataTable columns: Email (mono), FullName, Roles (badge chips voi Vietnamese label), IsActive (CheckCircle/XCircle), IsLocked (KeyRound red), CreatedAt
- Actions per row (PermissionGuard Users.Update wrap): Gan role (Shield icon → Dialog grid 12 checkbox), Reset password (KeyRound → Dialog voi warning user se bi logout), Unlock (Unlock icon, chi hien khi isLocked), Toggle active (XCircle/CheckCircle)
- Create user dialog: email + fullName + password (min 8) + grid 12 role checkbox
- Route /system/users vao App.tsx
E2E verified:
- Security headers present tren moi response (check qua curl -I)
- POST /api/users voi roles: [Drafter] → 201 + id
- GET /api/users → paged voi 2 user (admin + new test.drafter)
- TS check fe-admin → pass
- dotnet build → 0 errors
Docs:
- docs/STATUS.md: Phase 5.1 xong, cumulative BE 3700 LOC, 42 endpoints, 17 FE pages
- docs/HANDOFF.md: phase table update row Phase 5.1, last updated timestamp
- docs/changelog/migration-todos.md: tick 6 items Phase 5.1 + 4 items remaining (IDOR, deps scan, admin warning, Roles CRUD)
- docs/changelog/sessions/2026-04-21-1630-phase5-1-security-users.md: session log
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
EOF
SOLUTION_ERP
Hệ thống quản lý Hợp đồng Nhà cung cấp / Thầu phụ / Tổ đội cho Công ty TNHH Xây dựng Solutions.
📘 AI context:
CLAUDE.md(pointer) →docs/CLAUDE.md(full)
Quick start (dev)
Yêu cầu: .NET 10 SDK, Node 20+, SQL Server (local hoặc qua Docker).
# 1. DB — chạy SQL Server qua Docker (nếu chưa có local)
docker compose up -d
# 2. Backend — migration + run Api (port 5443)
dotnet ef database update --project src/Backend/SolutionErp.Infrastructure --startup-project src/Backend/SolutionErp.Api
dotnet run --project src/Backend/SolutionErp.Api
# 3. Frontend admin (port 8082) — terminal mới
cd fe-admin
npm install
npm run dev
# 4. Frontend user (port 8080) — terminal mới
cd fe-user
npm install
npm run dev
Admin mặc định (sẽ seed sau Phase 1): admin@solutionerp.local / Admin@123456
Architecture
fe-admin (:8082) fe-user (:8080)
│ │
└────── /api proxy ──────┘
▼
SolutionErp.Api (:5443)
│
┌──────────────┼──────────────┐
▼ ▼ ▼
Application Domain Infrastructure ── SQL Server
Tech stack
- Backend: .NET 10 + Clean Architecture + CQRS (MediatR) + FluentValidation + AutoMapper + EF Core + ASP.NET Identity + JWT
- Frontend: React 18 + Vite + TypeScript + Tailwind + shadcn/ui + TanStack Query
- DB: SQL Server 2022
- Deploy: Windows Server + IIS
Roadmap
| Phase | Tuần | Focus |
|---|---|---|
| 0 Draft | T1 | Scaffold, parse FORM + QUY_TRINH |
| 1 Alpha Core | T2-4 | Auth, Permission, CRUD master |
| 2 Form Engine | T5-6 | Render template docx/xlsx |
| 3 Workflow | T7-9 | State machine 9 phase |
| 4 Report + Polish | T10-11 | Dashboard + Excel export |
| 5 Production | T12-13 | CI/CD IIS, UAT, go-live |
Chi tiết ở docs/changelog/migration-todos.md.
License
Proprietary — Công ty TNHH Xây dựng Solutions.