# GoodGo Platform — QA Tracker

**Last updated:** 2026-04-22
**Source:** GOO-2 Lead Orchestrator Audit

---

## Baseline QA Status (from the 2026-04-12 audit)

| Metric | Result |
|--------|--------|
| Lint (ESLint) | PASS — 0 errors |
| TypeScript | 7 errors (missing vitest types in web test files) |
| Unit tests | 232 files, 1454 tests — ALL PASS |
| Build | ALL 3 packages build successfully |
| E2E | Not re-run since the audit |

---

## Blocker Findings (Step 1 audit — QA required after fix)

| ID | Description | Task | QA status | Impact |
|----|-------------|------|-----------|--------|
| BLOCKER-1 | Double CSRF middleware — login/register broken in prod | GOO-3 ✅ | Needs verification | Critical |
| BLOCKER-2 | UsageRecord race condition — quota bypass | GOO-4 | Awaiting fix | Critical |
| BLOCKER-3 | exchange-token has no rate limit | GOO-5 | Awaiting fix | Critical |
| GAP-03 | MoMo IPN URL points to the frontend | GOO-6 | Awaiting fix | Critical |
| A-19 | MCP search returns 0 results (status case mismatch) | GOO-9 | Awaiting fix | Critical |

---

## Security Findings (QA required after fix)

| ID | Description | Task | QA status |
|----|-------------|------|-----------|
| HIGH-1 | JWT validation does not check banned users | GOO-7 | Awaiting fix |
| HIGH-2 | AI API key stored in plaintext | GOO-8 | Awaiting fix |
| HIGH-4 | `$queryRawUnsafe` used in project search | GOO-14 | Awaiting fix |
| MED-9 | Soft-deleted users can still log in | GOO-15 | Awaiting fix |

---

## Test Plan — Sprint 1 Verification

### API Tests (curl)

- [ ] POST /auth/login without CSRF token → 200 (not 403)
- [ ] POST /auth/register without CSRF token → 200
- [ ] POST /payments/callback/vnpay without CSRF → 200
- [ ] POST /payments/callback/momo → verify the IPN reaches the backend
- [ ] POST /auth/exchange-token 6x in 60s → 429 on the 6th request
- [ ] Login with banned user (isActive=false) → 401
- [ ] Login with soft-deleted user (deletedAt set) → 401
- [ ] 5 concurrent listing creates → quota not exceeded
- [ ] MCP property-search tool → returns ACTIVE listings

### UI Tests (Playwright)

- [ ] Login page loads without CSRF error
- [ ] Registration flow completes
- [ ] Search returns results (Vietnamese diacritics — Sprint 2)
- [ ] Admin dashboard loads for admin user, redirects for non-admin

---

## Test Plan — Sprint 2 Verification

- [ ] Phone OTP login: request → receive → verify → authenticated
- [ ] legalStatus dropdown shows enum values (not free text)
- [ ] Search "chung cu quan 7" matches "chung cư quận 7"
- [ ] District dropdown shows "Thủ Đức" (not Quận 2/9)

---

## Bug Tracking

| Bug ID | Description | Related task | Severity | Status |
|--------|-------------|--------------|----------|--------|
| (none yet) | — | — | — | — |

---

## Notes

- QA will run a full regression once Sprint 1 is complete
- E2E tests need a Playwright config update for the new auth flows (Sprint 2)
- Performance benchmarks will run after Sprint 4 (revenue stats, dashboard queries)
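Added example, not part of this tracker or the GoodGo codebase: a small Python harness for two of the Sprint 1 API checks above, the exchange-token rate limit (429 on the 6th call) and the concurrent listing-create probe for the BLOCKER-2 quota race. The HTTP transport is injected as a callable; the endpoint paths, request bodies, the 402 quota status and the `FakeServer` stand-in are assumptions constructed for the example.

```python
import threading
import time
from typing import Callable, Optional

Send = Callable[[str, str, dict], int]  # transport: (method, path, json_body) -> HTTP status

def first_429_index(send: Send, path: str = "/auth/exchange-token", attempts: int = 6) -> Optional[int]:
    """Send `attempts` requests back to back; 1-based index of the first 429, or None."""
    for i in range(1, attempts + 1):
        if send("POST", path, {"token": "placeholder"}) == 429:  # body is an assumption
            return i
    return None

def concurrent_successes(send: Send, path: str = "/listings", workers: int = 5) -> int:
    """Release `workers` POSTs at once and count 2xx responses (quota race probe)."""
    barrier, lock, statuses = threading.Barrier(workers), threading.Lock(), []
    def worker() -> None:
        barrier.wait()  # all threads leave together to maximise overlap
        status = send("POST", path, {"title": "qa-listing"})
        with lock:
            statuses.append(status)
    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads: t.start()
    for t in threads: t.join()
    return sum(1 for s in statuses if 200 <= s < 300)

class FakeServer:
    """Constructed stand-in: fixed-window limiter plus a quota; atomic=False has the race."""
    def __init__(self, rate_limit: int = 5, quota: int = 3, atomic: bool = True):
        self.rate_limit, self.quota, self.atomic = rate_limit, quota, atomic
        self.hits, self.used, self.lock = 0, 0, threading.Lock()
    def __call__(self, method: str, path: str, body: dict) -> int:
        if path == "/auth/exchange-token":
            self.hits += 1
            return 429 if self.hits > self.rate_limit else 200
        if self.atomic:
            with self.lock:  # check and increment under one lock: quota holds
                if self.used >= self.quota: return 402
                self.used += 1
        else:
            if self.used >= self.quota: return 402
            time.sleep(0.01)  # check-then-increment window: concurrent callers all pass
            self.used += 1
        return 201
```

Any callable with the `Send` signature works as the transport, for instance a thin wrapper around `urllib.request` that returns the response status; with `FakeServer(atomic=False)` the probe reports more than 3 successes, which is the BLOCKER-2 symptom the check is meant to catch.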