6 Commits

Author	SHA1	Message	Date
Ho Ngoc Hai	33a5ff407b	feat(auth): add DEVELOPER + PARK_OPERATOR roles with owner scoping (B2B accounts) ... Two new B2B roles for CĐT (project developers) and KCN operators, provisioned by admin. Each account owns a subset of ProjectDevelopment / IndustrialPark records and can CRUD them from the dashboard; admin retains full access. Phase 1 — Schema - Extend UserRole enum with DEVELOPER + PARK_OPERATOR (before ADMIN) - ProjectDevelopment.ownerId FK (User, ON DELETE SET NULL) + index - IndustrialPark.ownerId FK + index - Migration 20260420030000 Phase 2a — Backend authorization - CreateProjectCommand + CreateIndustrialParkCommand accept ownerId; controllers auto-set it to the caller's user id when role=DEVELOPER / PARK_OPERATOR - Update + Delete commands gain (requesterUserId, requesterRole) and enforce ADMIN-or-owner via ForbiddenException; reassigning ownerId is admin-only - Search params gain optional ownerId filter wired through Prisma repos - New endpoints: GET /projects/mine/list, GET /industrial/parks/mine/list - user-rate-limit guard: add DEVELOPER + PARK_OPERATOR entries (300/window) Phase 2b — Admin provision - ProvisionDeveloperCommand/Handler: create user (role=DEVELOPER), pre-validate target projects have no existing owner, batch-assign ownerId - ProvisionParkOperatorCommand/Handler: same for PARK_OPERATOR + IndustrialPark - POST /admin/accounts/developers, POST /admin/accounts/park-operators (admin-only) - DTOs with phone/password/fullName/email + optional {project,park}Ids[] Phase 2c — Project stats for developer dashboard - GetProjectStatsQuery + handler: aggregates linkedListingCount, activeListingCount, totalInquiries, unreadInquiries, savedByUsers via Property → Listing → Inquiry chain - GET /projects/:id/stats — admin sees all, DEVELOPER only their own (403 otherwise) Phase 3 — Frontend - Dashboard layout role-aware: DEVELOPER sees "Dự án của tôi" + CRM + Profile (hides listings/analytics/subscription); PARK_OPERATOR sees "KCN của tôi" equivalent - /projects dashboard page switches to duAnApi.searchMine() when role=DEVELOPER - /industrial-parks page switches to industrialApi.searchMine() when role=PARK_OPERATOR - Admin nav gains "Tài khoản CĐT" + "Tài khoản KCN" entries - New pages /admin/accounts/developers + /admin/accounts/park-operators with checkbox-based multi-select for linking entities - adminApi.provisionDeveloper + provisionParkOperator + types - duAnApi.searchMine + getStats; industrialApi.searchMine - Login demo accounts list includes CĐT Vingroup + KCN VSIP Phase 4 — Seed (prisma/seed-b2b-accounts.ts) - DEVELOPER "CĐT Vingroup" (+84912000001) owns 4 projects - DEVELOPER "CĐT Masterise Homes" (+84912000003) owns 2 projects - PARK_OPERATOR "Vận hành KCN VSIP" (+84912000002) owns 2 seeded KCN - Password Velik@2026 for all Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-20 22:12:16 +07:00
Ho Ngoc Hai	ab26eb4c05	feat(admin): AI settings page — configure Anthropic API key + URL + model ... Foundation for Phase E (AI advisor / AI valuation on listing detail). An admin sets the Anthropic Claude credentials once in the new "/admin/settings/ai" page; downstream features read them via SystemSettingsService. Database -------- - New Prisma model SystemSetting { key @id, value Text, valueType, isSecret, updatedAt, updatedBy }. db:push applied cleanly. Backend ------- - SystemSettingsService — canonical getter/setter for ai.api_url / ai.api_key / ai.model. maskApiKey() returns the last 4 chars prefixed with "sk-ant-...". Exposes unmasked getAiSettings() for server-side consumers (AI advisor handlers). - GET /admin/settings/ai — returns { apiUrl, apiKeyMasked, model, hasApiKey, updatedAt }. Never emits the raw key. - PATCH /admin/settings/ai — body accepts partial { apiUrl, apiKey, model }. apiKey sentinel "__UNCHANGED__" preserves the stored value; empty string clears it; any other value overwrites. - CQRS: get-ai-settings query + update-ai-settings command. Registered in admin.module.ts; service exported via modules/admin/index.ts so Phase E can inject it. Frontend -------- - adminApi.getAiSettings() / updateAiSettings() added to lib/admin-api.ts with shared AiSettings + UpdateAiSettingsPayload types. - New Lucide-only nav entry "Cài đặt AI" (Sparkles) in admin layout. - /admin/settings/ai/page.tsx — Card with API URL input, masked API key input with Eye/EyeOff toggle, "Xoá key" button, model Select (claude-opus-4-5 / sonnet-4-5 / haiku-4-5 + custom input), save button with inline success/error banners, "last updated" timestamp. - i18n keys adminNav.settings + adminNav.aiSettings in vi.json/en.json. Constraints ----------- - No new packages. Runtime imports for NestJS-DI classes preserved. - Key NOT encrypted at rest (MVP); documented in service comment as future hardening. - Page inherits existing admin auth guard via (admin) layout. Verification ------------ - API typecheck clean. - Web typecheck clean in touched files. - API suite: 1975 / 1975 pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 16:09:44 +07:00
Ho Ngoc Hai	ad8577e2bd	fix(web): stop flooding console with 401 ApiError during initial load ... Five compounding problems caused hundreds of "Console ApiError: Unauthorized" entries on every load of /dashboard (and friends) while unauthenticated or while the auth cookie was stale: 1. QueryClient had `throwOnError: true` as a blanket default, so every 401 from any react-query hook propagated to the nearest error boundary instead of staying in the query's `error` state. That also invited React to re-render and re-fire the boundary multiple times per failing query. 2. React Query retried all failures 3 times with exponential backoff, so a single 401 became four requests. 401 isn't fixable by retry, so this is just noise. 3. Dashboard layout rendered `<NotificationBell />` unconditionally, which polled /notifications/unread-count on mount even when no user was signed in → 401 on every mount. 4. Dashboard + Admin layouts had no redirect-to-login guard, so protected queries (market-report, heatmap, admin/dashboard, …) all mounted and fired against the API before the user ever saw the login screen. 5. Admin layout waited on `user` but had no way to distinguish "store still initialising" from "user genuinely absent" — so an expired cookie left the page stuck on a spinner while the same 401 storm played out in the background. Fixes - query-client.ts: `throwOnError` and `retry` are now predicates. Only 5xx / network errors bubble to boundaries and are retried; 4xx (auth, validation, not-found) stay in query error state so the component can render an empty/auth placeholder. - auth-store.ts: new `isInitialized` flag set in a finally block at the end of `initialize()`. Downstream guards use it to distinguish "still booting" from "definitely logged out". - (dashboard)/layout.tsx: redirects to /login?next=<path> once initialised and unauthenticated, and renders a lightweight loading screen in the meantime so child queries never mount. - (admin)/layout.tsx: same guard. Non-ADMIN logged-in users still bounce to /dashboard. - notification-bell.tsx: short-circuits `fetchUnreadCount` when `isAuthenticated` is false. Verified in dev: visiting /vi/dashboard unauthenticated now redirects to /login?redirect=/dashboard with zero console errors and no /analytics/… calls to the backend. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-19 09:41:35 +07:00
Ho Ngoc Hai	55a01c5738	feat(web): centralise Vietnamese price formatting across all pages ... Create a single `currency.ts` utility with `formatPrice`, `formatVND`, `formatPricePerM2`, and `parseVND` to replace 9+ duplicated inline formatters. This fixes inconsistent decimal handling (1.5M was truncated to "1 triệu") and standardises price/m² display. Integrated across property cards, listing detail, dashboard, analytics, payments, pricing, and admin moderation pages with 19 new unit tests. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-10 23:33:31 +07:00
Ho Ngoc Hai	68b65cb848	test(web): increase frontend test coverage to ~70% page coverage ... - Fix vitest config to include [locale] directory tests (was excluded) - Fix register.spec.tsx: use getByRole('heading') to avoid duplicate text match - Fix search.spec.tsx: add QueryClientProvider wrapper and mock saved searches hook - Add 12 new page test files covering dashboard, admin, public, and OAuth pages: - dashboard (main, profile, payments, subscription, KYC) - admin (dashboard, users) - public (landing, pricing) - analytics - OAuth callbacks (Google, Zalo) - 29 test files, 174 tests, 16/23 pages covered (69.6%) Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-10 23:14:16 +07:00
Ho Ngoc Hai	7195064f12	feat(web): add i18n locale routes and language switcher component ... Add locale-prefixed routes for admin, auth, dashboard, and public pages. Add error, loading, and not-found pages for locale context. Add language switcher UI component for Vietnamese/English toggle. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-09 09:44:18 +07:00