Implement polymorphic reviews system supporting any target type (agent,
property, etc.) with DDD/CQRS architecture following existing patterns.
Endpoints:
- POST /api/reviews — create review (authenticated)
- GET /api/reviews?targetType=&targetId= — list reviews by target
- GET /api/reviews/stats?targetType=&targetId= — aggregate rating stats
- GET /api/reviews/me — list authenticated user's reviews
- DELETE /api/reviews/:id — delete own review
Business rules: 1-5 rating validation, self-review prevention, one
review per user per target. Includes 15 unit tests for all handlers.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Fix heredoc quoting in deploy workflow to allow IMAGE_TAG and
REGISTRY_URL variable expansion. Add Next.js API health check route.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Update Grafana datasource and Prometheus configs for monitoring
integration. Improve E2E CI workflow with Prisma generate, browser
caching, and trace artifact collection.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
New test coverage for infrastructure and presentation layers across
multiple modules including Momo/ZaloPay payment services, Typesense
search repository, listing indexer, and notification handlers.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Update cache service with better error handling and analytics
query handlers to use consistent caching patterns.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Separate root route from health check endpoint. The /health endpoint
now returns timestamp for monitoring integration.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Login and register test files had incomplete mock stores missing
user, isAuthenticated, handleOAuthCallback, and other AuthState
properties, causing TypeScript errors.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Install @tanstack/react-query with exponential backoff retry config
- Create QueryClientProvider and custom hooks for listings, analytics,
payments, and subscription API calls
- Migrate 5 dashboard pages from useState/useEffect to React Query hooks
- Add dark mode CSS variables and ThemeProvider with localStorage persistence
- Add theme toggle button in dashboard header (sun/moon icon)
- Enhance error boundaries with auto-retry, retry count, and loading state
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Remove hardcoded minioadmin/minioadmin_secret fallback from docker-compose.yml,
require MINIO_ACCESS_KEY/MINIO_SECRET_KEY env vars (fail-fast with :? syntax)
- Align docker-compose.yml env var names with .env.example (MINIO_ACCESS_KEY/SECRET_KEY)
- Update CI e2e workflow to use GitHub vars with non-default fallbacks
- Update .env.test to use non-default test credentials
- Add @aws-sdk/s3-request-presigner and getPresignedUploadUrl() method to
MinioMediaStorageService for properly signed client-side uploads
- Remove hardcoded credentials from dev-environment docs
Co-Authored-By: Paperclip <noreply@paperclip.ing>
validateEnv() previously skipped validation entirely when NODE_ENV !== 'production',
allowing the app to start without JWT_SECRET and JWT_REFRESH_SECRET in dev/staging.
Split required vars into ALWAYS_REQUIRED (JWT secrets) and REQUIRED_IN_PRODUCTION
(infrastructure) so security-critical secrets are validated in every environment.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The Review table was missing an index on userId, causing full table scans
when querying reviews by user. All other FK columns across 22 models were
verified to have proper indexes already (including Listing.sellerId which
was added in a prior migration).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Implement auto-tagging (amenities, location features, condition/legal),
content quality scoring with moderation integration, and FastAPI endpoints
for single and batch text analysis. Uses underthesea for Vietnamese
tokenization/POS when available, with regex fallback.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Extract metric names into constants with goodgo_ prefix for business metrics
- Add MetricsService for type-safe metric recording
- Add HttpMetricsInterceptor for automatic request duration/count tracking
- Register interceptor globally via APP_INTERCEPTOR
- Include linter auto-fixes for test files
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Implement four new dashboard pages with full UI:
- /dashboard/profile: view/edit profile, agent details, KYC status
- /dashboard/kyc: multi-step KYC document submission flow
- /dashboard/subscription: plan comparison, quota usage, billing history
- /dashboard/payments: transaction history with filters and pagination
Also adds API client modules (profile-api, subscription-api, payment-api)
and updates dashboard navigation with new page links.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add vitest config and test script to web app
- Auth validation tests: phone format, password rules, registration flow
- Listing validation tests: all schema steps, constants, merged schema
- Utils tests: cn() class merging with Tailwind conflict resolution
- 36 tests across 3 test files
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add DuplicateDetector domain service that flags potential duplicate listings
using PostGIS ST_DWithin geo-proximity (100m radius) combined with trigram-based
title similarity (>70% threshold). Detection runs during CreateListing but never
blocks creation — warnings are returned in the response for seller/admin review.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Apply QuotaGuard + @RequireQuota to listing creation and analytics endpoints
- Add QuotaExceeded domain event emitted when quota is exceeded
- Create ListingCreatedUsageHandler to auto-meter usage on listing creation
- Create QuotaExceededListener to send email notifications on quota exceeded
- Add maxAnalyticsQueries and maxMediaUploads fields to Plan model
- Add quota.exceeded email notification template
- Define quota limits per plan tier in seed data
- Add 15 unit tests covering guard, event handler, listener, and event
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add complete OAuth2 authentication flow for Google and Zalo providers:
- OAuthService: handles account linking (by email/phone), new user
creation for OAuth-only accounts, and JWT token generation
- GoogleOAuthStrategy: passport-google-oauth20 integration
- ZaloOAuthStrategy: custom OAuth2 implementation using Zalo's API
(authorization URL generation, code exchange, user info fetch)
- OAuthController: redirect and callback endpoints for both providers
with httpOnly cookie-based token management
- Unit tests for OAuthService (7 tests), GoogleOAuthStrategy (4 tests),
and ZaloOAuthStrategy (7 tests)
- OAuth env vars added to .env.example and env-validation warnings
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add segment-level loading.tsx for dashboard, search, admin, and auth routes
- Add segment-level error.tsx with Vietnamese error messages for all route groups
- Add skip-to-content navigation link in root layout
- Add id="main-content" to all layout main elements
- Add aria-label to nav elements and mobile menu buttons
- Improve dashboard nav responsiveness (icon-only on mobile)
- Hide user name on small screens in dashboard layout
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add resource limits (memory/CPU) and reservations for all services
- Add security hardening: read_only, no-new-privileges, tmpfs for temp dirs
- Add missing prod services: loki, promtail, pg-backup from dev compose
- Fix API healthcheck to include catch() for proper exit codes
- Add json-file logging driver with rotation limits across all services
- Remove exposed PostgreSQL port in prod (internal only)
- Add shm_size for PostgreSQL shared memory
- Add non-root user (appuser) to AI services Dockerfile
- Add --chown=node:node to COPY directives in API/Web Dockerfiles
- Harden .dockerignore: exclude IDE files, OS files, docker-compose files
- Fix Redis URL to include password authentication
- Add JWT_REFRESH_SECRET to API environment
- Add Grafana dependency on Loki for log datasource
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Register SanitizeInputMiddleware for all routes to prevent stored XSS
- Register CsrfMiddleware for all routes (sets cookie on GET, validates on state-changing methods)
- Remove unsafe-inline from CSP scriptSrc directive
- AppModule now implements NestModule with configure() method
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Vietnamese text throughout the frontend was missing accent marks (diacritics),
using plain ASCII instead of proper Unicode characters. Fixed all user-visible
text across dashboard, analytics, listings, search, and chart components.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Convert Lead.status from String to LeadStatus enum (NEW, CONTACTED, QUALIFIED, NEGOTIATING, CONVERTED, LOST) with safe data migration
- Add FK constraint Transaction.buyerId -> User.id to prevent orphaned transactions
- Add compound index on Inquiry(listingId, userId) for duplicate inquiry checks
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Replace innerHTML/setHTML with DOM API (createElement/textContent/setDOMContent)
to prevent XSS via user-controlled listing titles, URLs, and prices
- Add Content-Security-Policy header to next.config.js with proper directives
for Mapbox, API, images, workers, and frame-ancestors
- Add X-CSRF-Token header to media upload fetch call, matching apiClient behavior
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add 'JWT' scheme name to @ApiBearerAuth() in payments & subscriptions
controllers so Swagger UI correctly links to the JWT security definition
- Add postgresqlExtensions preview feature to Prisma schema for v7 compat
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add non-null assertions for array indexing in prisma/seed.ts and
scripts/seed-districts.ts to satisfy strict TypeScript checks.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Whitelist OAuth error codes; never render raw URL params (XSS fix)
- Add error state UI with retry button for API failures on homepage and search
- Use <article> for property cards with ARIA labels and semantic list markup
- Replace raw <img> with Next.js <Image> across all listing/gallery/KYC pages
- Add security headers (X-Content-Type-Options, X-Frame-Options, etc.) in next.config.js
- Gate console.error behind NODE_ENV check in global error boundary
- Mapbox confirmed npm-bundled (SRI N/A)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Backend:
- Auth controller sets httpOnly secure cookies (access_token, refresh_token, goodgo_authenticated) on login/register/refresh
- JWT strategy reads token from cookie first, falls back to Authorization header
- Added POST /auth/logout to clear auth cookies
- Added POST /auth/exchange-token for OAuth callback token-to-cookie exchange
- Refresh endpoint reads refresh_token from cookie (body fallback for backwards compat)
- CSRF middleware excludes auth endpoints (login, register, refresh, exchange-token, logout)
Frontend:
- Removed all localStorage token storage (goodgo_tokens key)
- Removed authGet/authPost/authPatch helpers from api-client (tokens sent via cookies)
- All API calls use credentials:'include' for cookie-based auth
- Updated auth-store: no more token state, uses isAuthenticated flag from cookie
- Updated admin-api, listings-api to remove explicit token parameters
- Updated all pages (admin dashboard, users, KYC, moderation, listings) to remove token passing
- OAuth callbacks use exchange-token endpoint to convert URL tokens to cookies
- Auth provider simplified (no client-side cookie management needed)
Security improvements:
- JWT no longer accessible via JavaScript (XSS-safe)
- Refresh token scoped to /auth path only
- Server-side goodgo_authenticated cookie with SameSite=Lax
- Access token cookie with SameSite=Strict
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add dedicated idempotencyKey column with unique constraint (userId, provider, idempotencyKey) to prevent duplicate payments at DB level
- Add @Min(1) @Max(100B) validators on amountVND in CreatePaymentDto to reject invalid amounts at API boundary
- Replace read-check-write callback handler with atomic updateIfStatus to eliminate race condition on concurrent callbacks
- Add magic byte verification in FileValidationPipe to validate file content matches declared MIME type server-side
Co-Authored-By: Paperclip <noreply@paperclip.ing>
