Backend
-------
- New endpoint GET /analytics/pois/nearby?lat&lng&radius&limit (public,
no guard). Mirrors the neighborhoods/:district/score shape.
- Prisma $queryRawUnsafe with PostGIS ST_DWithin on POI.location::geography
and ST_Distance for the ordered-by-distance result. Default radius 2km,
max 10km; default limit 30, max 100.
- Response maps POIType enum → frontend POICategory so the existing pill
filter in NeighborhoodPOIMap works out of the box:
SCHOOL/UNIVERSITY → school
HOSPITAL/CLINIC/PHARMACY → hospital
METRO_STATION/BUS_STOP → transit
MALL/MARKET/SUPERMARKET/BANK/ATM → shopping
RESTAURANT/CAFE → restaurant
PARK → park
else → shopping (fallback, still filterable)
- New files: application/queries/get-nearby-pois/{query,handler}.ts +
presentation/dto/get-nearby-pois.dto.ts. Registered in analytics.module.ts.
Frontend
--------
- analytics-api.ts: exports NearbyPOI, NearbyPOIsResponse, NearbyPOICategory
and analyticsApi.getNearbyPOIs(lat, lng, radius?, limit?).
- listing-detail-client.tsx: the "Vị trí trên bản đồ" card no longer
renders <ListingMap> for a single pin — it now renders
<NeighborhoodPOIMap> with the property's coords as center, the nearby
POIs as markers, and the existing category-filter pills. A small
"Tìm thấy N điểm quan tâm trong bán kính 2 km" summary sits below.
- The neighborhood score radar card remains below, untouched.
- The spec fixture + mocks extended for the new analyticsApi dependency.
No schema change, no migration. Phase C of 4.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The Property table already stores usableAreaM2, floor, totalFloors,
metroDistanceM and nearbyPOIs but the listing detail endpoint was
dropping them. Add them to ListingDetailData + the Prisma read query,
mirror the additions on the frontend ListingDetail type, and render
them on the detail page:
- Quick-specs bar now shows "Tầng X / Y" (floor/totalFloors) with a
sensible fallback to `floors`, plus "Cách metro" when populated.
- Details card adds rows: "Diện tích sử dụng", "Tầng / Tổng tầng"
(merges floor + totalFloors), "Cách metro gần nhất" (formatted m/km).
- New "transit" icon for the metro stat.
Purely additive surfacing — no schema change, no migration. Listings
missing these fields still render as before.
Test fixture in listing-detail-client.spec.tsx extended with the new
nullable fields so the type stays compatible.
Phase A of 4 (Listings detail enhancement plan).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mapbox theming
--------------
- New hook `lib/mapbox-style.ts` returning streets-v12 (light) or
dark-v11 (dark) from the app's useTheme().
- Six map components now initialise with the themed style and
`map.setStyle(...)` on theme change: project-map, park-map,
listing-map, district-heatmap (plus re-adding its heatmap source
after style.load), neighborhood-poi-map, valuation/comparables-map.
- Marker / popup DOM styles swapped from hard-coded white/#666/#green
to shadcn CSS tokens (--card, --card-foreground, --muted-foreground,
--primary, --border). Global Mapbox popup + control + attribution
skins added in app/globals.css.
- POI filter pills on neighborhood-poi-map were hard-coded `bg-white`
which rendered same-colour text on white in dark mode — switched to
`bg-card`/`bg-card/60` for proper contrast.
- Extend the MockMap in comparables-map.spec.tsx with setStyle/on
so the new theme-sync effect doesn't blow up in tests.
Detail client normaliser (du-an-server)
---------------------------------------
- Project media from the backend is a `string[]` (raw URLs) or richer
`{url,...}` objects. Handle both shapes and drop entries without
a URL so we never feed "" to <Image src>.
- Amenities are `string[]` in the DB but the frontend type expects
`{id,name,icon,category}`; normalise strings into objects so the
AmenitiesTab has stable keys and a displayable name.
Resolves three classes of runtime warnings on /du-an/<slug>:
"Image is missing required 'src' property", "ReactDOM.preload ...
empty href", and "Each child in a list should have a unique 'key'
prop" (AmenitiesTab).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Project status was declared on the frontend as
UPCOMING/SELLING/HANDOVER/COMPLETED but the Prisma enum
ProjectDevelopmentStatus is PLANNING/UNDER_CONSTRUCTION/HANDOVER/
COMPLETED — CREATE failed with "status must be one of …". Aligned the
TypeScript union + PROJECT_STATUS_LABELS/COLORS, filter options on
/projects list, and both new + edit forms. Updated the
normalizeProjectDetail fallback and the du-an test spec to match.
Listings DELETE was blocked by FK references (Inquiry, SavedListing,
PriceHistory, Order, Transaction have no onDelete: Cascade in schema).
Wrapped the Prisma listing delete in a $transaction that removes the
child rows first, then the listing itself, so CRUD from the dashboard
actually lands instead of returning "Referenced record does not exist".
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- api-client: on 401 (non-auth endpoints), call /auth/refresh once and
retry the original request. Coalesce concurrent refreshes via a shared
in-flight promise so burst traffic only fires one refresh. Skip retry
for /auth/* to avoid loops. Surfaced by the /listings/new wizard
where an expired access_token cookie made the first submit throw
"Unauthorized" even though goodgo_authenticated=1 was still set.
- listing-detail-client: breadcrumb was `Trang ch\u1ee7` / `T\u00ecm
ki\u1ebfm` written as JSX text, not a string literal — rendered the
raw escape sequence. Replaced with "Trang chủ" / "Tìm kiếm".
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Split `isResidentialProjectsEnabledServer` out of the `'use client'`
hook file into `lib/feature-flags/residential-projects.ts` so Server
Components can import it without Next.js treating it as a client ref.
- Detail endpoint preserves `media` via new `shapeProjectDetail`
instead of stripping it in `shapeProject`.
- `fetchProjectBySlug` now normalizes the response: fills missing
arrays (media, blocks, amenities, priceRanges, priceHistory,
neighborhoodScores, pois, documents) with `[]`, remaps
`developer.logo` → `logoUrl`, defaults `totalProjects` to 0.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Five compounding problems caused hundreds of "Console ApiError:
Unauthorized" entries on every load of /dashboard (and friends) while
unauthenticated or while the auth cookie was stale:
1. QueryClient had `throwOnError: true` as a blanket default, so every
401 from any react-query hook propagated to the nearest error
boundary instead of staying in the query's `error` state. That
also invited React to re-render and re-fire the boundary multiple
times per failing query.
2. React Query retried all failures 3 times with exponential backoff,
so a single 401 became four requests. 401 isn't fixable by retry,
so this is just noise.
3. Dashboard layout rendered `<NotificationBell />` unconditionally,
which polled /notifications/unread-count on mount even when no user
was signed in → 401 on every mount.
4. Dashboard + Admin layouts had no redirect-to-login guard, so
protected queries (market-report, heatmap, admin/dashboard, …) all
mounted and fired against the API before the user ever saw the
login screen.
5. Admin layout waited on `user` but had no way to distinguish "store
still initialising" from "user genuinely absent" — so an expired
cookie left the page stuck on a spinner while the same 401 storm
played out in the background.
Fixes
- query-client.ts: `throwOnError` and `retry` are now predicates. Only
5xx / network errors bubble to boundaries and are retried; 4xx
(auth, validation, not-found) stay in query error state so the
component can render an empty/auth placeholder.
- auth-store.ts: new `isInitialized` flag set in a finally block at
the end of `initialize()`. Downstream guards use it to distinguish
"still booting" from "definitely logged out".
- (dashboard)/layout.tsx: redirects to /login?next=<path> once
initialised and unauthenticated, and renders a lightweight loading
screen in the meantime so child queries never mount.
- (admin)/layout.tsx: same guard. Non-ADMIN logged-in users still
bounce to /dashboard.
- notification-bell.tsx: short-circuits `fetchUnreadCount` when
`isAuthenticated` is false.
Verified in dev: visiting /vi/dashboard unauthenticated now redirects
to /login?redirect=/dashboard with zero console errors and no
/analytics/… calls to the backend.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the last gap from the tec-2725 branch: the valuation form's v2
extended-features section and POST endpoint can now submit real
predictions through to the Python ensemble model.
Backend
- New DTO apps/api/src/modules/analytics/presentation/dto/predict-valuation.dto.ts
with all v1 fields + 8 v2 fields (useV2 toggle, distanceToHospital/Park/
Mall in km, floodZoneRisk enum NONE|LOW|MEDIUM|HIGH, hasElevator/
Parking/Pool booleans).
- New CQRS handler apps/api/src/modules/analytics/application/queries/
predict-valuation/ that routes to AVM_SERVICE.estimateValue() with the
full request body.
- Extend AVMParams (domain) with the same v2 fields + inline v1 fields
(district, city, bedrooms, bathrooms, floors, frontage, roadWidth,
hasLegalPaper, projectId, imageUrl, description, deepAnalysis).
- HttpAVMService.estimateViaAi now branches on `useV2`: v2 calls the new
aiClient.predictV2() → POST /avm/v2/predict on the Python service,
mapping floodZoneRisk enum → 0..1 float and computing
building_age_years from yearBuilt. v1 path gets all the inline
descriptors wired through so non-propertyId calls no longer lose
context.
- AiServiceClient gets AiPredictV2Request / AiPredictV2Response types
mirroring libs/ai-services/app/models/avm_v2.py::AVMv2PredictRequest
(which already accepts all 7 numeric/boolean v2 fields — no Python
change needed).
- Register PredictValuationHandler in AnalyticsModule.
- New route POST /analytics/valuation on AnalyticsController:
JwtAuthGuard + QuotaGuard + EndpointRateLimitGuard (10/min),
@RequireQuota('analytics_queries'), full Swagger doc. Total endpoint
count 179 → 180.
Frontend
- Extend ValuationRequest with useV2, 3 distance-km fields,
floodZoneRisk, hasElevator/Parking/Pool + export FloodZoneRisk type
and FLOOD_RISK_OPTIONS.
- valuationApi.predict() body mapping now includes v2 fields and renames
'areaM2' → 'area' to match the backend DTO contract.
- valuationFormSchema gains matching optional Zod fields + exports
FLOOD_RISK_OPTIONS for the form.
- valuation-form.tsx gets:
* Image upload hardening: MIME+size validation (JPG/PNG ≤5MB) before
preview, role="progressbar" + aria-labels on the progress bar,
role="alert" + data-testid="image-upload-error" on errors. Matches
the upload-progress part of the task/tec-2725 commit 4ee0129 that
was previously parked as blocked.
* New Sparkles-branded "Mô hình v2 (Ensemble)" toggle alongside the
existing Bot-branded "Phân tích chuyên sâu" toggle.
* Collapsible "Đặc trưng mở rộng (AVM v2)" section with distance
inputs, flood-risk select, and three amenity checkboxes.
* handleFormSubmit passes all v2 fields through to onSubmit.
Python service unchanged — AVMv2PredictRequest already has every field
we send (distance_to_hospital_km, flood_zone_risk as float,
has_elevator/parking/pool, etc.).
Typecheck clean for the valuation surface. Pre-existing errors in
metadata.spec.ts and transfer-wizard-client.tsx are unrelated and left
for a follow-up.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Flip NEXT_PUBLIC_FEATURE_RESIDENTIAL_PROJECTS default from false to
true so /du-an and /du-an/[slug] render without requiring an env var
or ?residential_projects=1 query override. Kill-switch preserved —
set the env var to "0"/"false" to disable.
The homepage now advertises Dự án as a core feature; having the page
404 by default contradicted that positioning.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Add useResidentialProjectsFlag hook with NEXT_PUBLIC_FEATURE_RESIDENTIAL_PROJECTS env + URL/localStorage override (mirrors AVM v2 pattern)
- Gate /du-an index (client) and /du-an/[slug] detail (server) routes via notFound() when flag disabled
- Add component tests for index page including disabled-flag notFound branch
Co-Authored-By: Paperclip <noreply@paperclip.ing>
R5.4 ships the upgraded AVM UI behind the `avm_v2` A/B flag. When the
flag is on, the dashboard exposes:
- Tab switch between single valuation and multi-property compare
- Waterfall drivers chart (ValueDriversChart) alongside the existing
horizontal bar breakdown
- Mapbox comparables map with similarity-coloured markers and an
optional highlighted subject pin
- Confidence interval + range bar and PDF export remain available
- Valuation history chart surface unchanged (still lazy-loaded)
Flag plumbing (useAvmV2Flag):
- NEXT_PUBLIC_FEATURE_AVM_V2=1 enables by default
- `?avm_v2=1|0` URL param forces + persists to localStorage
- safe localStorage handling (no throw when storage is blocked)
Tests: comparables-map, value-drivers-chart, use-avm-v2-flag specs
added. Pre-existing "Yếu tố chính" assertion in valuation-results.spec
updated to match the current copy ("Yếu tố ảnh hưởng giá") so the
valuation suite is green (7 files, 52 tests).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add unit tests for FeatureListingHandler (6 tests) and ActivateFeaturedListingHandler (6 tests)
- Add unit tests for NeighborhoodScoreServiceImpl (5 tests) and GetNeighborhoodScoreHandler (2 tests)
- Add PriceHistoryChart component with recharts LineChart for listing detail page
- Wire up price history API client and integrate chart into listing detail view
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add NeighborhoodRadarChart to listing detail view, fetching scores
from the analytics API based on the listing's district and city.
Displays a 6-axis radar chart (education, healthcare, transport,
shopping, environment, safety) with overall score and color-coded
badges.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add interactive Mapbox map to /khu-cong-nghiep landing page with park markers and popups
- Build compare page at /khu-cong-nghiep/so-sanh with recharts RadarChart and detailed comparison table
- Build listing search page at /khu-cong-nghiep/cho-thue with filters for property type, lease type, area, and price
- Add IndustrialListing types, API client functions, and React Query hooks
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add three new frontend page sections:
- Industrial parks (khu-cong-nghiep): listing, detail, filter bar
- Transfer listings (chuyen-nhuong): search, category tabs, detail
- AI reports dashboard: list, create, viewer with TOC
Includes components, API clients, hooks, server helpers, i18n keys,
navigation links in public and dashboard layouts, and lint fixes.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add batch valuation (POST /analytics/valuation/batch, max 50 properties),
valuation comparison (POST /analytics/valuation/compare, 2-5 properties),
and history endpoint (GET /analytics/valuation/history/:propertyId) with
confidence explanation helper. Frontend: enhanced valuation form with project
autocomplete and deep analysis toggle, results with confidence badges and
price range visualization, comparables table, history chart, market context
card, and PDF export.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Implements the frontend notification client for TEC-2217:
1. notifications-api.ts — API client for list, unread-count,
markAsRead, markAllAsRead endpoints
2. notifications-store.ts — Zustand store for notification state
(recent list, unread count, dropdown open state)
3. use-socket-notifications.ts — Socket.IO hook that connects with
httpOnly cookie auth, listens for notification:new events,
auto-reconnects, and syncs unread count on (re)connect
4. notification-bell.tsx — Bell icon with unread badge + dropdown
showing 10 most recent notifications with time-ago formatting,
mark-as-read on click, mark-all-as-read, and "Xem tất cả" link
5. notifications-provider.tsx — Provider wired into locale layout
(inside AuthProvider) to initialize Socket.IO connection
6. Dashboard header — NotificationBell placed before LanguageSwitcher
Added socket.io-client dependency.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Change MinIO healthcheck from `mc ready local` to curl-based probe
(`curl -sf http://localhost:9000/minio/health/live`) in both
docker-compose.yml and docker-compose.prod.yml, matching the
approach already used in docker-compose.ci.yml
- Add descriptive placeholder for REDIS_PASSWORD in .env.example
(was empty, now has CHANGE_ME_IN_PRODUCTION reminder)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add proper Vietnamese diacritics to all valuation components
(form, results, history) and their test assertions
- Fix valuation API client to use /analytics/valuation endpoint
- Return empty history gracefully (no server endpoint yet)
Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>
- Set SameSite=lax for auth & CSRF cookies in development (cross-port)
- Set refresh_token cookie path to / (was /auth, preventing cross-port send)
- Await params in Next.js 15 async server components (layout, listings, agents)
- Add CSRF token to web-vitals POST requests
- Fix: 401 Unauthorized on all authenticated API calls from web app
- Fix: CSRF token missing on POST requests from different port
- Fix: params.locale sync access warning in generateMetadata
Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>
- Rewrite prisma/seed.ts to populate all 27 models with realistic
Vietnamese real estate data (8 users with login, 10 properties,
10 listings, orders, payments, reviews, notifications, etc.)
- Replace all emoji icons with Lucide React SVG icons across frontend
for consistent rendering, sizing, and accessibility
- Redesign dashboard nav: grouped sidebar with section headers,
primary/secondary split on desktop, icon-only secondary items
- Replace language switcher flag emoji with Globe icon
- Replace SVG theme toggle with Lucide Moon/Sun icons
- Fix API startup: graceful fallback for Sentry profiling, Google OAuth,
and Zalo OAuth when credentials are not configured
- Relax rate limiting in development mode (10k req/min)
- Fix listings API to include media[] array in search response
- Add optional chaining for property.media across frontend components
- Update OAuth strategy tests to match graceful fallback behavior
Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>
- Remove unused imports (waitFor, useAuthStore) in dashboard test files
- Convert import() type annotation to import type in comparison-store spec
- Add next-env.d.ts to ESLint ignores (auto-generated file)
- Fix empty object pattern in auth.fixture.ts
- Sort import order alphabetically in 5 API test files
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Implements a public-facing agent profile page with:
- Backend: new GET /agents/:agentId/profile public API endpoint with
agent info, active listings, quality score, and review stats
- Frontend: server-rendered profile page with generateMetadata for SEO,
JSON-LD structured data (RealEstateAgent schema), breadcrumbs
- Agent profile displays bio, service areas, quality score gauge,
active listing cards, reviews with star ratings, and contact CTA
- Mobile responsive layout with sticky contact sidebar on desktop
- Vietnamese UI text throughout, consistent with existing patterns
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Build a complete property comparison feature at /compare:
- Zustand store with localStorage persistence for selected listings (2-5)
- Side-by-side comparison table (price, area, price/m², amenities, location, etc.)
- Summary statistics banner (price range, area range, price/m² range)
- "Add to Compare" button on property cards and detail pages
- Floating comparison bar for quick access when listings are selected
- Bilingual i18n support (Vietnamese + English)
- 18 unit tests for store logic and comparison stats computation
- Mobile-responsive layout with horizontal scroll on comparison table
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Create a single `currency.ts` utility with `formatPrice`, `formatVND`,
`formatPricePerM2`, and `parseVND` to replace 9+ duplicated inline
formatters. This fixes inconsistent decimal handling (1.5M was truncated
to "1 triệu") and standardises price/m² display. Integrated across
property cards, listing detail, dashboard, analytics, payments, pricing,
and admin moderation pages with 19 new unit tests.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add comprehensive SEO support for property listing pages to improve
organic search visibility and social sharing.
Changes:
- Convert listing detail page from client-only to server component wrapper
with generateMetadata() for per-listing title, description, OG tags,
canonical URLs, and hreflang alternates
- Add JSON-LD structured data (Schema.org RealEstateListing) with price,
location, property specs, and breadcrumb markup
- Add Website JSON-LD with SearchAction to root layout
- Upgrade sitemap.xml to dynamically include all active listings across
both locales (vi, en) with ISR revalidation
- Improve robots.txt with pagination/sort exclusions and GPTBot block
- Create server-side fetch utility (listings-server.ts) for SSR data
- Extract client UI into ListingDetailClient component
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add global QueryErrorResetBoundary wrapping the app so TanStack Query
errors are caught with a retry UI instead of crashing. Enable
throwOnError in QueryClient defaults. Update ListingMap to use real
latitude/longitude from API when available, falling back to city-based
jitter for listings without coordinates.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- K6_ENDPOINTS_SUMMARY.md: Quick reference for all API endpoints with request/response shapes
- K6_QUICK_START.md: Practical guide with executable examples for search, auth, listing, and payment load tests
- Includes example K6 scripts, CI integration template, and troubleshooting
- Complete with load test scenarios and reporting options
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Build the valuation page at /dashboard/valuation with form input,
AI-powered price estimation results, comparable properties display,
and valuation history. Add "Dinh gia AI" button to listing detail
sidebar for quick per-listing estimates.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Install @tanstack/react-query with exponential backoff retry config
- Create QueryClientProvider and custom hooks for listings, analytics,
payments, and subscription API calls
- Migrate 5 dashboard pages from useState/useEffect to React Query hooks
- Add dark mode CSS variables and ThemeProvider with localStorage persistence
- Add theme toggle button in dashboard header (sun/moon icon)
- Enhance error boundaries with auto-retry, retry count, and loading state
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Implement four new dashboard pages with full UI:
- /dashboard/profile: view/edit profile, agent details, KYC status
- /dashboard/kyc: multi-step KYC document submission flow
- /dashboard/subscription: plan comparison, quota usage, billing history
- /dashboard/payments: transaction history with filters and pagination
Also adds API client modules (profile-api, subscription-api, payment-api)
and updates dashboard navigation with new page links.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add vitest config and test script to web app
- Auth validation tests: phone format, password rules, registration flow
- Listing validation tests: all schema steps, constants, merged schema
- Utils tests: cn() class merging with Tailwind conflict resolution
- 36 tests across 3 test files
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Replace innerHTML/setHTML with DOM API (createElement/textContent/setDOMContent)
to prevent XSS via user-controlled listing titles, URLs, and prices
- Add Content-Security-Policy header to next.config.js with proper directives
for Mapbox, API, images, workers, and frame-ancestors
- Add X-CSRF-Token header to media upload fetch call, matching apiClient behavior
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Backend:
- Auth controller sets httpOnly secure cookies (access_token, refresh_token, goodgo_authenticated) on login/register/refresh
- JWT strategy reads token from cookie first, falls back to Authorization header
- Added POST /auth/logout to clear auth cookies
- Added POST /auth/exchange-token for OAuth callback token-to-cookie exchange
- Refresh endpoint reads refresh_token from cookie (body fallback for backwards compat)
- CSRF middleware excludes auth endpoints (login, register, refresh, exchange-token, logout)
Frontend:
- Removed all localStorage token storage (goodgo_tokens key)
- Removed authGet/authPost/authPatch helpers from api-client (tokens sent via cookies)
- All API calls use credentials:'include' for cookie-based auth
- Updated auth-store: no more token state, uses isAuthenticated flag from cookie
- Updated admin-api, listings-api to remove explicit token parameters
- Updated all pages (admin dashboard, users, KYC, moderation, listings) to remove token passing
- OAuth callbacks use exchange-token endpoint to convert URL tokens to cookies
- Auth provider simplified (no client-side cookie management needed)
Security improvements:
- JWT no longer accessible via JavaScript (XSS-safe)
- Refresh token scoped to /auth path only
- Server-side goodgo_authenticated cookie with SameSite=Lax
- Access token cookie with SameSite=Strict
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add CSRF middleware with double-submit cookie pattern for all
state-changing requests. Integrate cookie-parser, update CORS
headers, and add client-side CSRF token handling.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Build the complete admin panel UI at apps/web/app/(admin)/:
- Admin layout with sidebar navigation and ADMIN role guard
- Dashboard page with stats cards and revenue chart
- User management with search, filters, pagination, detail panel, ban/unban
- Listings moderation queue with approve/reject/bulk actions
- KYC review page with document viewer and approve/reject flow
- New reusable UI components: Dialog, Table
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add /auth/callback/google and /auth/callback/zalo pages that extract
tokens from query params and persist them via the auth store
- Add handleOAuthCallback method to Zustand auth store
- Update middleware to allow /auth/callback/* as public routes
- Show OAuth error messages on login page when redirected back
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Multi-step wizard for listing creation (basic info, location, details, pricing, images)
- Listing detail page with image gallery, property specs, seller/agent info, stats
- Listings index page with filters (transaction type, property type) and pagination
- Edit page with tab-based form (read-only until backend PATCH endpoint available)
- Drag & drop image upload component with preview and multi-file support
- Dashboard layout with navigation bar
- New UI primitives: textarea, select, badge, tabs
- Listings API client with typed endpoints matching backend contract
- Zod validation schemas for all form steps
- Status badges with Vietnamese labels for all listing states
- Responsive design across all pages
Co-Authored-By: Paperclip <noreply@paperclip.ing>
