f3fb3fd565
Backend production infra:
- Packages: Serilog.Sinks.File, HealthChecks.EntityFrameworkCore (RateLimiting built-in .NET 10)
- appsettings.Production.json MOI: placeholder __SET_VIA_SECRETS__, AllowedOrigins, Serilog File sink rolling daily retention 30d, RateLimit config
- appsettings.json + Development.json: them Serilog WriteTo Console
- Program.cs REWRITE:
- Serilog ReadFrom.Configuration (prod file / dev console)
- Rate limiter: policy auth-login 5/min/IP (AuthController.Login) + GlobalLimiter 300/min/IP
- Health checks: /health/live liveness (empty predicate) + /health/ready DB probe (AddDbContextCheck)
- HSTS production 1 year
- CORS origins from config AllowedOrigins (default dev 2 localhost)
- AuthController.Login gắn [EnableRateLimiting("auth-login")]
Deploy scripts:
- scripts/deploy-iis.ps1: stop pool → backup current → clean+extract artifact → start pool → health check loop 30s timeout → rollback instruction if fail
- scripts/backup-sql.ps1: BACKUP DATABASE voi INIT+COMPRESSION+CHECKSUM + retention 30d auto cleanup
- .gitea/workflows/deploy.yml MOI: 4 job build BE (Windows) + build 2 FE (Ubuntu, pin .nvmrc 20) + deploy-iis qua WinRM PSSession (secrets IIS_HOST/USER/PASSWORD/JWT_SECRET/DB_CONNECTION)
Docs guides MOI (4 file):
- deployment-iis.md: prereqs (IIS features, Hosting Bundle, SQL, WinRM) + setup lan dau (app pool, 3 site, HTTPS win-acme, user-secrets) + deploy hang ngay (CI/CD + manual) + rollback + monitoring + troubleshooting + SPA web.config sample
- cicd.md: pipeline overview 4 job, secrets setup, runner Windows+Ubuntu, branch strategy, build optimizations, common CI/CD issues
- security-checklist.md: OWASP top 10 2021 mapping voi status + pre go-live checklist + incident response
- runbook.md: daily ops (health/logs), restart/rollback, DB backup/restore/migration revert, user management (reset password, unlock, disable), monitoring (CPU/disk/connection pool), deployment checklist, common gotcha
Frontend refresh token (ca 2 app fe-admin + fe-user):
- lib/api.ts REWRITE: them REFRESH_KEY, axios response interceptor 401 → POST /auth/refresh → retry request goc. Queue pattern cho nhieu request song song chi 1 refresh call chay. Skip retry /auth/login + /auth/refresh tranh infinite loop. _retry flag tren original config.
- contexts/AuthContext.tsx: luu+xoa REFRESH_KEY trong login/logout
E2E verified:
- GET /health/live → 200 Healthy
- GET /health/ready → 200 Healthy (DB probe)
- Rate limit flood 7 POST /auth/login → #1-5 HTTP 400 (cred sai) + #6-7 HTTP 429 Too Many Requests ✅
- TS check fe-admin + fe-user → pass
- dotnet build → 0 errors
Docs updates:
- docs/STATUS.md: Phase 5 prep done, next Phase 5 deploy production + Phase 5.1 security hardening, cumulative stats 8 commits
- docs/HANDOFF.md: phase table them Phase 5 prep row, file tree update voi guides + scripts + workflows, git state commit 8
- docs/changelog/migration-todos.md: tick Phase 5 prep items (12 items done) + Phase 5 deploy items remaining + Phase 5.1 security hardening list
- docs/changelog/sessions/2026-04-21-1530-phase5-prep.md: session log chi tiet
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
5.3 KiB
5.3 KiB
STATUS — Snapshot hiện tại
Update rule: trước khi bắt đầu 1 task → ghi row vào
🔥 In Progress. Xong → chuyển sang✅ Recently Done.
Last updated: 2026-04-21 15:30
📍 Phase hiện tại: Phase 5 Prep xong (infra + scripts + docs) — chờ Gitea URL để deploy thật
🔥 In Progress
(không có)
✅ Recently Done (newest on top)
| Ngày | Ai | Task | Commit |
|---|---|---|---|
| 2026-04-21 | Claude | Phase 5 Prep — BE rate limit (5/min login, 300/min global) + health check (/live + /ready DB probe) + Serilog file rolling 30d + HSTS prod. Scripts: deploy-iis.ps1 + backup-sql.ps1 + .gitea/workflows/deploy.yml. Docs guides (4): deployment-iis, cicd, security-checklist, runbook. FE refresh token auto interceptor (cả 2 app) với queue pattern | (sắp commit) |
| 2026-04-21 | Claude | Phase 4 Report MVP + Docs Consolidation — Dashboard KPI + Excel export + rules.md + architecture.md + schema-diagram.md + gotchas update 26 pitfalls | fe7ad8e |
| 2026-04-21 | Claude | Phase 3 Workflow MVP — 9 phase state machine + gen mã HĐ RG-001 | 7e957a7 |
| 2026-04-21 | Claude | Phase 2 Form Engine MVP | 5113e4c |
| 2026-04-21 | Claude | Phase 1.2 — CRUD Master + Permission Matrix | 54d6c9b |
| 2026-04-21 | Claude | Docs addition | 49a5f57 |
| 2026-04-21 | Claude | Phase 1 foundation | 702411f |
| 2026-04-21 | Claude | Phase 0 | 25dad7f |
Session logs: P0 · P1f · P1.2 · P2 · P3 · P4 · P5prep
Docs entry points:
rules.md·architecture.md·HANDOFF.mdworkflow-contract.md·forms-spec.mddatabase/database-guide.md·database/schema-diagram.mdflows/(7 file) ·guides/(4 file) ·gotchas.mdchangelog/migration-todos.md·changelog/sessions/(7 file)
🎯 Next up
Phase 5 còn lại (cần Gitea URL)
- Setup Gitea remote + push all commits
- Enable Gitea Actions runner (Windows + Ubuntu)
- Set 5 secrets trong Gitea (IIS_HOST/USER/PASSWORD/JWT_SECRET/DB_CONNECTION)
- Test CI/CD workflow lần đầu trên staging
- Windows Server setup IIS theo
guides/deployment-iis.md - HTTPS cert (win-acme Let's Encrypt)
- SQL Server prod + Task Scheduler backup
- Smoke test end-to-end prod
- UAT 1 tuần 2-3 user thật
Phase 5.1 Security hardening
Xem guides/security-checklist.md. TODO:
- Security headers middleware (X-Content-Type-Options, X-Frame-Options, CSP)
- Identity Account lockout (5 fail → 15min lock)
- Password policy min 12 chars production
- IDOR check ContractsController (user không xem HĐ không liên quan)
- Dependencies scan CI (
dotnet list package --vulnerable+npm audit)
Polish iterations
Phase 2 iter 2: convert .doc, field spec JSON + form builder, {{#loop}}, PDF convert Phase 3 iter 2: SLA job auto-approve, email/in-app notify, attachment upload, RowVersion Phase 4 iter 2: SLA overdue report, PDF HĐ export, dashboard user-specific
Quick wins
- FE Users management + Roles CRUD (test permission non-admin)
- Filter Inbox theo phase FE
- Test refresh token flow manual (logout/login flow)
📊 Thông số cumulative
| P0 | P1f | P1.2 | P2 | P3 | P4 | P5 prep | |
|---|---|---|---|---|---|---|---|
| BE LOC | 0 | ~400 | ~1500 | ~1900 | ~2700 | ~3100 | ~3300 |
| DB tables | 0 | 7 | 12 | 14 | 19 | 19 | 19 |
| API endpoints | 0 | 4 | 20 | 23 | 31 | 33 | 35 (+health) |
| Migrations | 0 | 1 | 3 | 4 | 5 | 5 | 5 |
| FE pages | 0 | 2 | 6 | 7 | 14 | 16 | 16 |
| Scripts PS | 0 | 0 | 0 | 1 (convert-doc) | 1 | 1 | 3 (+deploy-iis, backup-sql) |
| CI/CD workflow | 0 | 0 | 0 | 0 | 0 | 0 | 1 |
| Docs | 10 | 13 | 14 | 24 | 26 | 30 | 35 (+4 guides + session log) |
| Commits | 1 | 2 | 3 | 5 | 6 | 7 | 8 (sắp) |
🚨 Blockers / risks
- ⏳ Gitea remote URL — ĐANG CẦN để push + setup CI/CD
- ⚠️ Phase 5.1 security hardening chưa làm (headers, account lockout, IDOR check)
- ⚠️ 3 file .doc chưa convert (Phase 2 carryover)
- ⚠️ SLA không tự auto-approve (Phase 3.2)
- ⚠️ Email/in-app notification chưa có
- ⚠️ FE Users management chưa có — khó test permission non-admin
- ⚠️ Rate limit global 300/min/IP — OK cho dev, cần tăng cho prod nếu nhiều user
Credentials + URLs
admin@solutionerp.local / Admin@123456
- API: http://localhost:5443 — Swagger
/swagger(dev only) — Health/health/live+/health/ready - Admin FE: http://localhost:8082 —
/dashboard,/contracts,/reports,/master/*,/forms,/system/permissions - User FE: http://localhost:8080 —
/inbox,/contracts/new,/my-contracts