Update IAM Service with various enhancements and fixes

- Added `xmlchars` dependency to `pnpm-lock.yaml` for improved XML character handling.
- Updated IAM Service audit plan to streamline post-deployment monitoring tasks.
- Enhanced Dockerfile to prune development dependencies after build for a leaner production image.
- Introduced a new encryption key configuration in the environment example for better security practices.
- Refactored multiple service files to improve import organization and maintainability.
- Improved error handling in seed scripts to provide more detailed logging on failures.
- Updated various controllers and services to ensure consistent import statements and enhance readability.

These changes aim to improve the overall functionality, security, and maintainability of the IAM Service.
Ho Ngoc Hai
2026-01-02 16:13:36 +07:00
parent 5ce05c63e7
commit 8cc2f66df6
111 changed files with 1879 additions and 643 deletions


@@ -2,116 +2,114 @@
name: IAM Service Audit Plan
overview: "Kế hoạch kiểm tra toàn diện cho IAM Service bao gồm: logic nghiệp vụ, quy trình build, bảo mật, và triển khai môi trường dev/staging/production. Plan được chia thành 6 phases: Pre-deployment Audit, Security Fixes, Local Environment, Staging Deployment, Production Deployment, và Post-deployment."
todos:
# Phase 1: Pre-deployment Audit - Business Logic Review
- id: audit-auth-1
content: "Review Authentication Module - Registration Flow: Check email validation, password hashing with bcrypt cost 12, user profile creation in services/iam-service/src/modules/auth/auth.service.ts"
status: pending
status: completed
- id: audit-auth-2
content: "Review Authentication Module - Login Flow: Check password verification, JWT generation (access + refresh), session creation, MFA integration in services/iam-service/src/modules/auth/auth.service.ts"
status: pending
status: completed
- id: audit-auth-3
content: "Review Authentication Module - Token Refresh: Check token family tracking, refresh token rotation, replay attack detection in services/iam-service/src/modules/token/jwt.service.ts"
status: pending
status: completed
- id: audit-auth-4
content: "Review Authentication Module - Password Change: Check refresh token revocation, audit logging in services/iam-service/src/modules/auth/change-password.service.ts"
status: pending
status: completed
- id: audit-rbac-1
content: "Review RBAC Module - Permission Resolution: Check hierarchy (Direct user → Role → Group → Policy) in services/iam-service/src/modules/rbac/rbac.service.ts"
status: pending
status: completed
- id: audit-rbac-2
content: "Review RBAC Module - Role Assignment: Check expiration handling in services/iam-service/src/modules/rbac/rbac.service.ts"
status: pending
status: completed
- id: audit-rbac-3
content: "Review RBAC Module - Policy Engine: Check JSON Logic implementation in services/iam-service/src/modules/rbac/policy.engine.ts"
status: pending
status: completed
- id: audit-rbac-4
content: "Review RBAC Module - Permission Caching: Verify 5 min TTL and cache invalidation in services/iam-service/src/core/cache/cache.service.ts"
status: pending
status: completed
- id: audit-identity-1
content: "Review Identity Module - User Management: Check CRUD operations, bulk import/export in services/iam-service/src/modules/identity/user/user.service.ts"
status: pending
status: completed
- id: audit-identity-2
content: "Review Identity Module - Profile Management: Check custom fields, avatar upload/delete in services/iam-service/src/modules/identity/profile/profile.service.ts"
status: pending
status: completed
- id: audit-identity-3
content: "Review Identity Module - Verification: Check email/phone/document verification flows in services/iam-service/src/modules/identity/verification/verification.service.ts"
status: pending
status: completed
- id: audit-identity-4
content: "Review Identity Module - Organizations: Check multi-tenant support, hierarchical structure in services/iam-service/src/modules/identity/organization/organization.service.ts"
status: pending
status: completed
- id: audit-identity-5
content: "Review Identity Module - Groups: Check member management, group-based permissions in services/iam-service/src/modules/identity/group/group.service.ts"
status: pending
status: completed
- id: audit-access-1
content: "Review Access Module - Access Requests: Check workflow, approval chains, JIT access in services/iam-service/src/modules/access/request/request.service.ts"
status: pending
status: completed
- id: audit-access-2
content: "Review Access Module - Access Reviews: Check certification campaigns, automated cleanup in services/iam-service/src/modules/access/review/review.service.ts"
status: pending
status: completed
- id: audit-access-3
content: "Review Access Module - Access Analytics: Check usage tracking, risk identification in services/iam-service/src/modules/access/analytics/analytics.service.ts"
status: pending
status: completed
- id: audit-mfa-1
content: "Review MFA Module - TOTP: Check TOTP implementation using speakeasy library in services/iam-service/src/modules/mfa/mfa.service.ts"
status: pending
status: completed
- id: audit-mfa-2
content: "Review MFA Module - QR Code: Check QR code generation in services/iam-service/src/modules/mfa/mfa.service.ts"
status: pending
status: completed
- id: audit-mfa-3
content: "Review MFA Module - WebAuthn: Check WebAuthn support in services/iam-service/src/modules/mfa/mfa.service.ts"
status: pending
status: completed
- id: audit-mfa-4
content: "Review MFA Module - Multiple Devices: Check multiple devices per user support in services/iam-service/src/modules/mfa/mfa.service.ts"
status: pending
status: completed
- id: audit-mfa-5
content: "Review MFA Module - Recovery Flow: Verify MFA recovery flow exists (NOTE: Currently missing, needs review)"
status: pending
status: completed
- id: audit-social-1
content: "Review Social Authentication Module: Check Google/Facebook/GitHub OAuth flows, account linking, token refresh in services/iam-service/src/modules/social/social.service.ts"
status: pending
status: completed
- id: audit-oidc-1
content: "Review OIDC Provider Module: Check discovery endpoint, authorization code flow, token exchange, JWKS endpoint in services/iam-service/src/modules/oidc/oidc-provider.service.ts"
status: pending
status: completed
- id: audit-session-1
content: "Review Session Management Module: Check device fingerprinting, session expiration, revocation, activity tracking in services/iam-service/src/modules/session/session.service.ts"
status: pending
status: completed
- id: audit-governance-1
content: "Review Governance Module: Check compliance reporting (GDPR, SOC2, ISO27001), policy management, risk scoring in services/iam-service/src/modules/governance/"
status: pending
status: completed
- id: audit-cache-1
content: "Review Cache Service: Check multi-layer caching (L1: Memory, L2: Redis, L3: DB), cache warming, invalidation in services/iam-service/src/core/cache/cache.service.ts"
status: pending
status: completed
- id: audit-events-1
content: "Review Event Sourcing: Check audit logging for all security events, 7-year retention in services/iam-service/src/core/events/"
status: pending
# Phase 1: Pre-deployment Audit - Build & Error Checking
status: completed
- id: audit-build-1
content: "Run TypeScript typecheck: cd services/iam-service && pnpm typecheck - Verify no TypeScript errors"
status: pending
status: completed
- id: audit-build-2
content: "Run TypeScript build: cd services/iam-service && pnpm build - Verify build succeeds, check for unused variables/imports"
status: pending
status: completed
- id: audit-build-3
content: "Verify Type Safety: Check type safety for Prisma models, verify path aliases (@/*) working correctly"
status: pending
status: completed
- id: audit-lint-1
content: "Run ESLint: cd services/iam-service && pnpm lint - Verify coding standards compliance"
status: pending
status: completed
- id: audit-lint-2
content: "Check Code Quality: Verify no console.log in production code, proper error handling, no security anti-patterns"
status: pending
status: completed
- id: audit-prisma-1
content: "Generate Prisma Client: cd services/iam-service && pnpm prisma:generate - Verify generation succeeds"
status: pending
status: completed
- id: audit-prisma-2
content: "Validate Prisma Schema: Verify schema syntax valid, all relations properly defined, indexes optimized, migration files consistent"
status: pending
status: completed
- id: audit-test-1
content: "Run Unit Tests: cd services/iam-service && pnpm test:unit - Verify all unit tests pass"
status: pending
status: completed
- id: audit-test-2
content: "Run E2E Tests: cd services/iam-service && pnpm test:e2e - Verify all E2E tests pass"
status: pending
status: in_progress
- id: audit-test-3
content: "Generate Test Coverage: cd services/iam-service && pnpm test:coverage - Verify coverage >= 70% (branches, functions, lines, statements)"
status: pending
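Review bot: The audit-mfa-5 item is now `status: completed` while its content still reads "Verify MFA recovery flow exists (NOTE: Currently missing, needs review)", so the record claims a finished task whose own text says the flow is absent and unreviewed. If completion here means "reviewed and confirmed missing", the content should say so and point to the follow-up, e.g. `content: "Review MFA Module - Recovery Flow: Verified that no MFA recovery flow exists; tracked under security-backup-1"` (wording is a placeholder, keep whatever the actual finding was). The security-backup-1 item further down in this diff is still pending, which is consistent with that reading, but a plan consumer cannot tell from the item alone whether the gap was closed or merely noted. The todos sequence continues past this hunk.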
@@ -121,7 +119,6 @@ todos:
- id: audit-docker-2
content: "Verify Docker Image: Check image size <500MB, non-root user configured, health check functional"
status: pending
# Phase 2: Security Fixes - CRITICAL
- id: security-mfa-1
content: "CRITICAL: Create Encryption Service - Create services/iam-service/src/core/security/encryption.service.ts with encrypt/decrypt functions using crypto module"
status: pending
@@ -140,7 +137,6 @@ todos:
- id: security-jwt-1
content: "CRITICAL: Block Default JWT Secrets - Update services/iam-service/src/config/jwt.config.ts to throw error if default secrets are used when NODE_ENV === 'production'"
status: pending
# Phase 2: Security Fixes - MEDIUM
- id: security-input-1
content: "MEDIUM: Install DOMPurify: cd services/iam-service && pnpm add dompurify @types/dompurify"
status: pending
@@ -171,7 +167,6 @@ todos:
- id: security-lockout-4
content: "MEDIUM: Create Lockout Migration - Create Prisma migration for failedLoginAttempts and lockedUntil fields"
status: pending
# Phase 2: Security Fixes - LOW
- id: security-audit-1
content: "LOW: Run npm audit: cd services/iam-service && npm audit - Review vulnerabilities"
status: pending
@@ -187,7 +182,6 @@ todos:
- id: security-backup-1
content: "LOW: Design MFA Backup Codes - Design backup codes generation and storage strategy for MFA recovery scenarios"
status: pending
# Phase 3: Local Environment
- id: local-env-1
content: "Copy Environment File: cp deployments/local/env.local.example deployments/local/.env.local"
status: pending
@@ -257,7 +251,6 @@ todos:
- id: local-test-7
content: "Review Logs and Metrics: Check application logs and Prometheus metrics for errors"
status: pending
# Phase 4: Staging Deployment
- id: staging-k8s-1
content: "Create Staging Namespace: kubectl create namespace staging"
status: pending
@@ -300,7 +293,6 @@ todos:
- id: staging-test-5
content: "Verify Staging Health Endpoints: Test /health/live and /health/ready endpoints on staging"
status: pending
# Phase 5: Production Deployment
- id: prod-check-1
content: "Pre-production: Verify security audit passed - Review all security fixes are implemented"
status: pending
@@ -367,7 +359,6 @@ todos:
- id: prod-security-8
content: "Production Security: Verify backup strategy in place - Confirm database backup strategy is implemented"
status: pending
# Phase 6: Post-deployment
- id: post-monitor-1
content: "Monitor Error Rates: Check error rates in monitoring dashboard, verify errors are within acceptable range"
status: pending