admin/goodgo-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
269 Commits 1 Branch 0 Tags
43f9e23b28ca7373f324ccd010938a95f9221e7a
Commit Graph

11 Commits

Author SHA1 Message Date
Ho Ngoc Hai
43f9e23b28 feat(auth): add OTP verification for email changes on profile update 
Email changes via PATCH /api/v1/auth/profile now require OTP verification
instead of updating immediately. A 6-digit code is sent to the new email
address and must be confirmed via POST /api/v1/auth/profile/verify-email
within 10 minutes. Also fixes pre-existing web valuation test failures
(formatPrice output format, removed comparables section, missing
QueryClientProvider wrapper).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-16 04:23:06 +07:00
Ho Ngoc Hai
8f8e20f4c0 feat(auth): implement KYC upload with presigned URLs and multi-step form 
Backend:
- GenerateKycUploadUrls command — presigned MinIO URLs (5-min expiry),
  MIME validation (JPEG/PNG/WebP), unique object keys per user
- SubmitKyc command — stores document type, number, and image URLs in
  kycData JSON field, updates kycStatus to PENDING
- POST /auth/kyc/upload-urls and POST /auth/kyc/submit endpoints

Frontend:
- 3-step KYC form: document info → image upload → review
- Direct client-to-MinIO upload via presigned URLs with progress tracking
- Status-aware UI (NONE/PENDING/VERIFIED/REJECTED)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-16 02:37:10 +07:00
Ho Ngoc Hai
74c52198b3 feat(auth): add PATCH /auth/profile endpoint for user profile updates 
Implement user profile update with fullName, avatarUrl, and email fields.
Email changes include uniqueness validation and Email VO verification.
Follows existing DDD/CQRS patterns with cache invalidation.
19 unit tests covering handler logic and DTO validation.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-15 22:34:40 +07:00
Ho Ngoc Hai
1fbe2f4e73 feat: add MFA/TOTP auth, PII encryption, agents/leads/inquiries modules, and comprehensive tests 
- Add TOTP-based MFA with setup, verify, disable, backup codes, and challenge flow
- Add PII field encryption middleware with AES-256-GCM and deterministic search hashes
- Add agents, inquiries, and leads domain modules with entities, events, value objects
- Add web dashboard pages for inquiries and leads with detail dialogs
- Add 30+ component tests (valuation, charts, listings, search, providers, UI)
- Add Prisma migrations for encryption hash columns and MFA TOTP support
- Fix all ESLint errors (unused imports, duplicate imports, lint auto-fixes)
- Update dependencies and lock file
- Clean up obsolete exploration/QA docs, add audit documentation

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-11 23:43:20 +07:00
Ho Ngoc Hai
e03c4699d0 feat(api): implement GDPR-compliant user data deletion 
- Add deletedAt/deletionScheduledAt fields to User model with indexes
- Implement 5 CQRS command handlers:
  - RequestUserDeletion: 30-day soft-delete grace period
  - CancelUserDeletion: restore within grace period
  - ForceDeleteUser: admin immediate deletion with PII anonymization
  - ProcessScheduledDeletions: cron-ready batch processor
  - ExportUserData: GDPR Article 20 data portability
- Cascade strategy: anonymize PII, expire listings, cancel subscriptions,
  delete reviews/inquiries/searches/notifications, preserve payments for audit
- Add UserDataController with DELETE /users/me, POST /users/me/cancel-deletion,
  GET /users/me/export, DELETE /users/:id/force (admin)
- 22 unit tests covering all handlers (160 files, 853 tests passing)
- Migration: 20260410000000_add_user_soft_delete_fields

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-10 05:43:54 +07:00
Ho Ngoc Hai
36e0f49e9e feat(auth): add handler specs and improve auth infrastructure 
Add unit tests for get-profile, get-agent-by-user-id, and verify-kyc handlers.
Improve OAuth service, local strategy, and repository implementations with
proper ConfigService injection and error handling.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-09 09:42:16 +07:00
Ho Ngoc Hai
23bb380d34 feat(auth): implement Google and Zalo OAuth backend strategies 
Add complete OAuth2 authentication flow for Google and Zalo providers:
- OAuthService: handles account linking (by email/phone), new user
  creation for OAuth-only accounts, and JWT token generation
- GoogleOAuthStrategy: passport-google-oauth20 integration
- ZaloOAuthStrategy: custom OAuth2 implementation using Zalo's API
  (authorization URL generation, code exchange, user info fetch)
- OAuthController: redirect and callback endpoints for both providers
  with httpOnly cookie-based token management
- Unit tests for OAuthService (7 tests), GoogleOAuthStrategy (4 tests),
  and ZaloOAuthStrategy (7 tests)
- OAuth env vars added to .env.example and env-validation warnings

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-08 14:14:02 +07:00
Ho Ngoc Hai
2502aa69b7 fix: production readiness — resolve build, lint, and code quality issues 
- Fix Next.js build failure: remove duplicate route at (dashboard)/listings/[id]
  that conflicted with (public)/listings/[id] (same URL path in two route groups)
- Fix 772 ESLint errors: auto-fix import ordering (import-x/order), remove unused
  imports/variables, convert empty interfaces to type aliases, replace require()
  with ESM imports, fix consistent-type-imports violations
- Add CLAUDE.md for developer onboarding documentation
- All checks pass: 0 lint errors, typecheck clean, 230 tests passing, build success

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-08 07:15:06 +07:00
Ho Ngoc Hai
be0deddeed fix(security): harden auth — rate limiting, admin audit logging, JWT aud/iss 
- Add @Throttle (5 req/hour per IP) on register, login, refresh endpoints
- Add audit logging in RolesGuard for failed admin access attempts (userId, role, IP, action)
- Add audience ('goodgo-api') and issuer ('goodgo-platform') claims to JWT tokens
- Validate aud/iss in JwtStrategy to prevent cross-service token reuse

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-08 06:17:02 +07:00
Ho Ngoc Hai
402b5b6810 fix(auth): remove hardcoded JWT fallback secret — fail fast on missing env var 
The auth module fell back to a publicly-known secret string when JWT_SECRET
was unset, creating a critical authentication bypass risk. Both jwt.strategy.ts
and auth.module.ts now throw at startup if JWT_SECRET is missing.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-08 04:01:21 +07:00
Ho Ngoc Hai
391c040100 feat(auth): implement Auth module with register, login, JWT, guards, and CQRS 
- Add RefreshToken and OAuthAccount models to Prisma schema
- Implement clean architecture: domain (entities, VOs, events, repo interfaces),
  infrastructure (Prisma repos, Passport strategies, token service),
  application (CQRS command/query handlers), presentation (controller, guards, DTOs)
- Endpoints: POST /auth/register, /auth/login, /auth/refresh, GET /auth/profile,
  GET /auth/profile/agent, PATCH /auth/kyc
- JWT access + refresh token rotation with family-based revocation
- Role-based guards (BUYER, SELLER, AGENT, ADMIN)
- 16 unit tests (value objects, entity) + integration test suite
- All 80 tests passing, clean TypeScript build

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-08 00:24:42 +07:00