fix(P0): security hardening + critical bug fixes across 22 services

Wave 1 — 6 parallel agents fixing P0 issues from code audit:

Auth (18 services secured):
- Added JWT Bearer auth + [Authorize] to all unprotected controllers
- Webhook endpoints (Facebook/WhatsApp/Zalo/X) stay [AllowAnonymous]
- Health checks remain public for Docker/K8s probes
- Services: catalog, order, booking, fnb-engine, inventory, social,
  ads-manager, ads-serving, ads-billing, ads-tracking, ads-analytics,
  mkt-facebook, mkt-whatsapp, mkt-x, mkt-zalo, promotion

Template artifacts (4 services):
- mission-service: myservice_db → mission_service
- mkt-facebook: Dockerfile MyService.API → FacebookService.API
- mkt-whatsapp: MyServiceContext.cs → WhatsAppServiceContext.cs
- promotion: UserSecretsId fixed

Critical handler bugs (7 fixes):
- ads-tracking: TrackPixelEventHandler now persists to DB
- ads-tracking: RecordConversion endpoint exposed via controller
- booking: UpdateResource now applies Name + Capacity changes
- ads-manager: ListPendingAds uses correct enum (pending_review)
- mining: BanMiner calls Ban() not Suspend()
- mining: ResetMinerStreak now actually resets streak
- mkt-x: 8 missing repository DI registrations added

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Ho Ngoc Hai
2026-03-13 20:18:09 +07:00
parent f3779c4ebe
commit f8606e0447
99 changed files with 741 additions and 83 deletions


@@ -2,6 +2,8 @@ using Microsoft.EntityFrameworkCore;
using Asp.Versioning;
using FluentValidation;
using Hellang.Middleware.ProblemDetails;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using SocialService.API.Application.Behaviors;
using SocialService.Infrastructure;
using Serilog;
@@ -103,6 +105,22 @@ try
});
});
// EN: Add JWT Authentication / VI: Thêm JWT Authentication
builder.Services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.Authority = builder.Configuration["Jwt:Authority"] ?? "http://iam-service-net:8080";
options.Audience = builder.Configuration["Jwt:Audience"] ?? "goodgo-api";
options.RequireHttpsMetadata = false; // EN: Development only / VI: Chỉ development
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false, // EN: IAM service validates / VI: IAM service xác thực
ValidateAudience = false,
ValidateLifetime = true
};
});
builder.Services.AddAuthorization();
// EN: Add health checks / VI: Thêm health checks
builder.Services.AddHealthChecks()
.AddNpgSql(
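Review bot: `ValidateIssuer = false` and `ValidateAudience = false` in the `TokenValidationParameters` undo most of what this hunk sets up: `options.Audience = builder.Configuration["Jwt:Audience"] ?? "goodgo-api";` is never enforced, so any token signed with the authority's keys is accepted by this service regardless of which audience it was issued for. Since this is the P0 hardening pass, consider `ValidateAudience = true` (the `Audience` already configured is then used automatically) and `ValidateIssuer = true` with a `ValidIssuer`, or expand the comment to say why the IAM service's own validation is sufficient here. Separately, `options.RequireHttpsMetadata = false; // EN: Development only` is unconditional, and the `http://iam-service-net:8080` fallback applies whenever `Jwt:Authority` is absent from configuration, not only in development; tying it to the environment, e.g. `options.RequireHttpsMetadata = !builder.Environment.IsDevelopment();`, keeps the comment accurate.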
@@ -142,6 +160,10 @@ try
app.UseCors();
app.UseRouting();
// EN: Add Authentication & Authorization middleware / VI: Thêm middleware xác thực & phân quyền
app.UseAuthentication();
app.UseAuthorization();
// EN: Map health check endpoints / VI: Map health check endpoints
app.MapHealthChecks("/health");
app.MapHealthChecks("/health/live", new()
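Review bot: `app.UseCors()` runs before `app.UseRouting()`, while the new `app.UseAuthentication();` and `app.UseAuthorization();` are placed after routing; with endpoint routing the documented ASP.NET Core order is `UseRouting`, then `UseCors`, then `UseAuthentication`/`UseAuthorization`, so the CORS middleware as positioned cannot see per-endpoint CORS metadata. Moving the `UseCors()` call to sit between `app.UseRouting();` and `app.UseAuthentication();` matches that order. Also worth making explicit on the `MapHealthChecks` calls (a `.AllowAnonymous()` or a comment): they remain public only because no fallback authorization policy is configured, which is what the commit message relies on for Docker/K8s probes.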