11e61c9c39
Security hardening:
- Api/Middleware/SecurityHeadersMiddleware MOI: remove server fingerprint (Server, X-Powered-By, ...), add X-Content-Type-Options:nosniff, X-Frame-Options:DENY, Referrer-Policy:strict-origin-when-cross-origin, Permissions-Policy (disable geolocation/mic/cam/payment), X-Permitted-Cross-Domain-Policies:none, CSP (default-src 'self' + img data: + style inline for Tailwind + frame-ancestors 'none'). Skip CSP tren /swagger (dung inline script).
- Program.cs wire UseMiddleware SecurityHeadersMiddleware first in pipeline
- Infrastructure/DependencyInjection Identity options:
- Password.RequiredLength config-driven (Identity:Password:RequiredLength, default 8 dev, override 12+ prod)
- Lockout: DefaultLockoutTimeSpan (15min), MaxFailedAccessAttempts (5), AllowedForNewUsers=true — all config-driven
- LoginCommandHandler: IsLockedOutAsync check truoc → throw voi deadline message, AccessFailedAsync khi sai password, ResetAccessFailedCountAsync khi login thanh cong
Users management:
- Application/Users/UserFeatures.cs: 8 CQRS (ListUsersQuery paging+search, GetUserQuery, CreateUserCommand + Validator, UpdateUserCommand voi self-disable protection, AssignRolesCommand voi self-demote protection (khong tu go Admin), ResetPasswordCommand (invalidate refresh token + unlock), UnlockUserCommand)
- UserDto: Id, Email, FullName, IsActive, IsLocked (computed tu LockoutEnd), CreatedAt, Roles
- Api/Controllers/UsersController: 7 endpoint (Users.Read/Create/Update policies):
- GET / (list paged), GET /{id}, POST /, PUT /{id}, PUT /{id}/roles, POST /{id}/reset-password, POST /{id}/unlock
- using alias ValidationException = Application.Common.Exceptions.ValidationException (fix ambiguity voi FluentValidation)
Frontend fe-admin:
- types/users.ts MOI: User type + AVAILABLE_ROLES 12 role (match BE AppRoles.cs) + RoleLabel Vietnamese
- pages/system/UsersPage.tsx MOI:
- DataTable columns: Email (mono), FullName, Roles (badge chips voi Vietnamese label), IsActive (CheckCircle/XCircle), IsLocked (KeyRound red), CreatedAt
- Actions per row (PermissionGuard Users.Update wrap): Gan role (Shield icon → Dialog grid 12 checkbox), Reset password (KeyRound → Dialog voi warning user se bi logout), Unlock (Unlock icon, chi hien khi isLocked), Toggle active (XCircle/CheckCircle)
- Create user dialog: email + fullName + password (min 8) + grid 12 role checkbox
- Route /system/users vao App.tsx
E2E verified:
- Security headers present tren moi response (check qua curl -I)
- POST /api/users voi roles: [Drafter] → 201 + id
- GET /api/users → paged voi 2 user (admin + new test.drafter)
- TS check fe-admin → pass
- dotnet build → 0 errors
Docs:
- docs/STATUS.md: Phase 5.1 xong, cumulative BE 3700 LOC, 42 endpoints, 17 FE pages
- docs/HANDOFF.md: phase table update row Phase 5.1, last updated timestamp
- docs/changelog/migration-todos.md: tick 6 items Phase 5.1 + 4 items remaining (IDOR, deps scan, admin warning, Roles CRUD)
- docs/changelog/sessions/2026-04-21-1630-phase5-1-security-users.md: session log
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
EOF
106 lines
5.8 KiB
Markdown
106 lines
5.8 KiB
Markdown
# STATUS — Snapshot hiện tại
|
|
|
|
> **Update rule:** trước khi bắt đầu 1 task → ghi row vào `🔥 In Progress`. Xong → chuyển sang `✅ Recently Done`.
|
|
|
|
**Last updated:** 2026-04-21 16:30
|
|
|
|
## 📍 Phase hiện tại: **Phase 5.1 Security + Users Mgmt xong** — chờ Gitea URL để deploy Phase 5 prod
|
|
|
|
## 🔥 In Progress
|
|
|
|
_(không có)_
|
|
|
|
## ✅ Recently Done (newest on top)
|
|
|
|
| Ngày | Ai | Task | Commit |
|
|
|---|---|---|---|
|
|
| 2026-04-21 | Claude | **Phase 5.1 Security + Users Mgmt** — Security headers middleware (CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy) + Identity account lockout (5 fail → 15min) + LoginHandler check IsLockedOut + AccessFailedAsync. BE Users CQRS 8 feature + UsersController 7 endpoint. FE admin `/system/users` — list + create + gán role + reset password + unlock + toggle active | (sắp commit) |
|
|
| 2026-04-21 | Claude | **Phase 5 Prep** — BE rate limit + health check + Serilog file + HSTS + scripts deploy-iis/backup-sql + .gitea/workflows/deploy.yml + 4 guides + FE refresh token queue pattern | `46a2cab` |
|
|
| 2026-04-21 | Claude | **Phase 4 Report MVP + Docs Consolidation** — Dashboard KPI + Excel export + rules.md + architecture.md + schema-diagram.md + gotchas update 26 pitfalls | `fe7ad8e` |
|
|
| 2026-04-21 | Claude | **Phase 3 Workflow MVP** — 9 phase state machine + gen mã HĐ RG-001 | `7e957a7` |
|
|
| 2026-04-21 | Claude | **Phase 2 Form Engine MVP** | `5113e4c` |
|
|
| 2026-04-21 | Claude | **Phase 1.2** — CRUD Master + Permission Matrix | `54d6c9b` |
|
|
| 2026-04-21 | Claude | **Docs addition** | `49a5f57` |
|
|
| 2026-04-21 | Claude | **Phase 1 foundation** | `702411f` |
|
|
| 2026-04-21 | Claude | **Phase 0** | `25dad7f` |
|
|
|
|
Session logs: [P0](changelog/sessions/2026-04-21-1045-phase0-scaffold.md) · [P1f](changelog/sessions/2026-04-21-1100-phase1-foundation.md) · [P1.2](changelog/sessions/2026-04-21-1130-phase1-cruds-permission.md) · [P2](changelog/sessions/2026-04-21-1200-phase2-form-engine.md) · [P3](changelog/sessions/2026-04-21-1330-phase3-workflow.md) · [P4](changelog/sessions/2026-04-21-1430-phase4-report.md) · [P5prep](changelog/sessions/2026-04-21-1530-phase5-prep.md)
|
|
|
|
**Docs entry points:**
|
|
- [`rules.md`](rules.md) · [`architecture.md`](architecture.md) · [`HANDOFF.md`](HANDOFF.md)
|
|
- [`workflow-contract.md`](workflow-contract.md) · [`forms-spec.md`](forms-spec.md)
|
|
- [`database/database-guide.md`](database/database-guide.md) · [`database/schema-diagram.md`](database/schema-diagram.md)
|
|
- [`flows/`](flows/) (7 file) · [`guides/`](guides/) (4 file) · [`gotchas.md`](gotchas.md)
|
|
- [`changelog/migration-todos.md`](changelog/migration-todos.md) · [`changelog/sessions/`](changelog/sessions/) (7 file)
|
|
|
|
## 🎯 Next up
|
|
|
|
### Phase 5 còn lại (cần Gitea URL)
|
|
|
|
- [ ] Setup Gitea remote + push all commits
|
|
- [ ] Enable Gitea Actions runner (Windows + Ubuntu)
|
|
- [ ] Set 5 secrets trong Gitea (IIS_HOST/USER/PASSWORD/JWT_SECRET/DB_CONNECTION)
|
|
- [ ] Test CI/CD workflow lần đầu trên staging
|
|
- [ ] Windows Server setup IIS theo [`guides/deployment-iis.md`](guides/deployment-iis.md)
|
|
- [ ] HTTPS cert (win-acme Let's Encrypt)
|
|
- [ ] SQL Server prod + Task Scheduler backup
|
|
- [ ] Smoke test end-to-end prod
|
|
- [ ] UAT 1 tuần 2-3 user thật
|
|
|
|
### Phase 5.1 Security — xong gần hết
|
|
|
|
- [x] Security headers middleware (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, CSP)
|
|
- [x] Identity account lockout (5 fail → 15min, config-driven)
|
|
- [x] Password policy config-driven (default 8 dev, override prod `Identity:Password:RequiredLength`)
|
|
- [x] LoginHandler check lockout + AccessFailedAsync + reset on success
|
|
- [x] BE Users management + FE admin UsersPage (tạo user test permission non-admin)
|
|
- [ ] IDOR check ContractsController (user không xem HĐ không liên quan)
|
|
- [ ] Dependencies scan CI (`dotnet list package --vulnerable` + `npm audit`)
|
|
- [ ] Admin mặc định warning log force đổi password
|
|
|
|
### Polish iterations
|
|
|
|
**Phase 2 iter 2:** convert .doc, field spec JSON + form builder, {{#loop}}, PDF convert
|
|
**Phase 3 iter 2:** SLA job auto-approve, email/in-app notify, attachment upload, RowVersion
|
|
**Phase 4 iter 2:** SLA overdue report, PDF HĐ export, dashboard user-specific
|
|
|
|
### Quick wins
|
|
|
|
- FE Users management + Roles CRUD (test permission non-admin)
|
|
- Filter Inbox theo phase FE
|
|
- Test refresh token flow manual (logout/login flow)
|
|
|
|
## 📊 Thông số cumulative
|
|
|
|
| | P0 | P1f | P1.2 | P2 | P3 | P4 | **P5 prep** |
|
|
|---|---:|---:|---:|---:|---:|---:|---:|
|
|
| BE LOC | 0 | ~400 | ~1500 | ~1900 | ~2700 | ~3100 | **~3300** |
|
|
| DB tables | 0 | 7 | 12 | 14 | 19 | 19 | 19 |
|
|
| API endpoints | 0 | 4 | 20 | 23 | 31 | 33 | **35** (+health) |
|
|
| Migrations | 0 | 1 | 3 | 4 | 5 | 5 | 5 |
|
|
| FE pages | 0 | 2 | 6 | 7 | 14 | 16 | 16 |
|
|
| Scripts PS | 0 | 0 | 0 | 1 (convert-doc) | 1 | 1 | **3** (+deploy-iis, backup-sql) |
|
|
| CI/CD workflow | 0 | 0 | 0 | 0 | 0 | 0 | **1** |
|
|
| Docs | 10 | 13 | 14 | 24 | 26 | 30 | **35** (+4 guides + session log) |
|
|
| Commits | 1 | 2 | 3 | 5 | 6 | 7 | **8** (sắp) |
|
|
|
|
## 🚨 Blockers / risks
|
|
|
|
- ⏳ **Gitea remote URL** — ĐANG CẦN để push + setup CI/CD
|
|
- ⚠️ **Phase 5.1 security hardening** chưa làm (headers, account lockout, IDOR check)
|
|
- ⚠️ **3 file .doc chưa convert** (Phase 2 carryover)
|
|
- ⚠️ **SLA không tự auto-approve** (Phase 3.2)
|
|
- ⚠️ **Email/in-app notification** chưa có
|
|
- ⚠️ **FE Users management chưa có** — khó test permission non-admin
|
|
- ⚠️ **Rate limit global 300/min/IP** — OK cho dev, cần tăng cho prod nếu nhiều user
|
|
|
|
## Credentials + URLs
|
|
|
|
```
|
|
admin@solutionerp.local / Admin@123456
|
|
```
|
|
|
|
- API: http://localhost:5443 — Swagger `/swagger` (dev only) — Health `/health/live` + `/health/ready`
|
|
- Admin FE: http://localhost:8082 — `/dashboard`, `/contracts`, `/reports`, `/master/*`, `/forms`, `/system/permissions`
|
|
- User FE: http://localhost:8080 — `/inbox`, `/contracts/new`, `/my-contracts`
|