Backend (IAM Service):
- New GetRolePermissionsQuery + Handler: reads permissions from role_claims
- New UpdateRolePermissionsCommand + Handler: validates permission names
against StaffPermissions enum, replaces role_claims, blocks system roles
- New endpoints: GET/PUT /api/v1/roles/{id}/permissions
- GetRolesQuery: batch-fetch permissions per role via role_claims join
- RoleResponse: add Permissions field to API response
- Seeded role_claims for Admin (7), Merchant (7), MerchantAdmin (6),
MerchantStaff (2), SuperAdmin (All), Support (2)
Frontend (Blazor WASM):
- IamApiService: add Permissions to RoleDto, UpdateRolePermissionsAsync()
- RolePermissions.razor: replace hardcoded GetPermissionsForRole() with
API-driven permission toggles from role_claims data
- Editable toggles for non-system roles, disabled for system roles
- Save/Cancel buttons appear when permissions modified
- 7 permission types matching StaffPermissions enum
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Added Access Requests, Access Reviews, Privileged Access Management, Audit Log, and Compliance APIs to enhance access management and governance capabilities.
- Updated the DbContext to include new entities for AuditLog and ComplianceReport, improving data handling for compliance and auditing.
- Enhanced Dependency Injection to support new repositories for the added functionalities, streamlining service operations.
- Introduced new AccessReview and PrivilegedAccess entities in the DbContext to enhance access management capabilities.
- Updated Dependency Injection to include AccessReviewRepository and PrivilegedAccessRepository, improving service functionality for access reviews and privileged access management.
- Introduced new Access Request and Access Request Approver entities in the DbContext to support access management features.
- Updated Dependency Injection to include the AccessRequestRepository, enhancing the service's capabilities for handling access requests.
- Added example curl command for token retrieval using the test account, improving developer experience for testing authentication flows.
- Added new sections for Organization & Group APIs, User Profile APIs, and Identity Verification APIs in both English and Vietnamese documentation, reflecting the features introduced in Phase 2.
- Revised the implementation roadmap to indicate the completion of Identity Management features, enhancing clarity on the current capabilities of the IAM Service.
- Updated the Dependency Injection and DbContext to include new repositories and database tables for the added functionalities.
- Added endpoints for sending and confirming email verification, enhancing user account security.
- Integrated two-factor authentication (2FA) with TOTP support, including enabling, verifying, and disabling 2FA.
- Implemented social login functionality for Google and Facebook, allowing users to authenticate using their existing accounts.
- Updated dependency injection to include services for email, 2FA, and social login.
- Enhanced documentation to reflect new features and usage examples for email verification and 2FA.
- Replaced OpenIddict references with Duende IdentityServer in the project, including updates to the API project and infrastructure.
- Refactored authentication and authorization logic in AuthController, LogoutCommandHandler, and related services to align with Duende IdentityServer's structure.
- Updated dependency injection configuration to register Duende IdentityServer components and JWT Bearer authentication.
- Enhanced functional tests to accommodate changes in authentication flow and ensure compatibility with the new identity server.
- Removed obsolete OpenIddict components and related code to streamline the project.
- Added custom exceptions: DuplicateResourceException, EntityNotFoundException, AuthenticationFailedException, and BusinessRuleException to improve error handling in the application.
- Updated Program.cs to map these exceptions to appropriate HTTP status codes and problem details for better client feedback.
- Refactored RegisterUserCommandHandler to throw DuplicateResourceException when a user with the same email already exists.
- Enhanced testing setup in CustomWebApplicationFactory to ensure proper handling of these exceptions during functional tests.
- Updated API documentation to include new user management features such as password change and logout functionalities.
- Added detailed descriptions and examples for OAuth2 token endpoint, supporting password, refresh token, and client credentials grants.
- Introduced new endpoints for user management, including retrieving, updating, and deleting users.
- Enhanced Swagger annotations for better clarity and usability of the API documentation.
- Implemented response models for password change and logout operations to standardize API responses.
- Added new sections on API Design, Caching Patterns, and Testing Patterns to the Vietnamese documentation.
- Updated sidebar configurations for improved navigation and accessibility.
- Removed outdated onboarding guides to streamline content and focus on relevant resources.
