pos-system

admin/pos-system

Fork 0

Commit Graph

Author	SHA1	Message	Date
Ho Ngoc Hai	653322b26c	fix: resolve 12 critical/high issues from code review across backend, frontend, and infra Backend (7 fixes): - wallet-service: remove conflicting EF Ignore() calls for mapped backing fields - fnb-engine: remove KitchenTicket short constructor that set productId=orderItemId - fnb-engine: replace fire-and-forget Task.Run with direct await for inventory deduction - TenantMiddleware: implement PostgreSQL RLS SET LOCAL in 4 services (wallet, fnb, inventory, catalog) - order-service: fix SQL injection pattern in TenantMiddleware with Guid.ToString("D") - order-service: add ValidateShopAccess() authorization check in SignalR PosHub - 4 services: register IDbConnection (NpgsqlConnection) in DI for RLS middleware Frontend (3 fixes): - PosDataService: return Success=false (not true) when PayOrder response parsing fails - QrPayment: add _disposed guard to prevent timer race condition after component disposal - BFF OrderController: add [Authorize] attribute to require JWT for all endpoints Infrastructure (3 fixes): - docker-compose: upgrade PostgreSQL 15-alpine to 16-alpine per project spec - init-databases.sh: add 4 missing marketing service databases (mkt_*) - Traefik routes: add wallet, catalog, booking routers and /api/v1/stock path Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-06 16:22:08 +07:00
Ho Ngoc Hai	6061164873	feat: add multi-tenant row-level security across 5 services and 96 FnB engine unit tests Security (P0-5): - Implement ITenantProvider + HttpContextTenantProvider per service (order, fnb, inventory, catalog, wallet) - Add EF Core global query filters for tenant isolation (shop_id/user_id based) - Add TenantMiddleware setting PostgreSQL session variables for RLS - Create PostgreSQL RLS policies script (scripts/db/rls-policies.sql) - Adapter pattern bridges API-layer to Infrastructure-layer (Clean Architecture) - Bypass mechanisms for admin roles, service-to-service calls, and migrations Testing (P1-12): - Add 96 unit tests for fnb-engine (up from 3) - 57 domain entity tests: Table(18), KitchenTicket(12), Session(8), Reservation(13), Recipe(6) - 39 command handler tests: CRUD operations, status transitions, validation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-06 13:40:34 +07:00

Author

SHA1

Message

Date

Ho Ngoc Hai

653322b26c

fix: resolve 12 critical/high issues from code review across backend, frontend, and infra

Backend (7 fixes):
- wallet-service: remove conflicting EF Ignore() calls for mapped backing fields
- fnb-engine: remove KitchenTicket short constructor that set productId=orderItemId
- fnb-engine: replace fire-and-forget Task.Run with direct await for inventory deduction
- TenantMiddleware: implement PostgreSQL RLS SET LOCAL in 4 services (wallet, fnb, inventory, catalog)
- order-service: fix SQL injection pattern in TenantMiddleware with Guid.ToString("D")
- order-service: add ValidateShopAccess() authorization check in SignalR PosHub
- 4 services: register IDbConnection (NpgsqlConnection) in DI for RLS middleware

Frontend (3 fixes):
- PosDataService: return Success=false (not true) when PayOrder response parsing fails
- QrPayment: add _disposed guard to prevent timer race condition after component disposal
- BFF OrderController: add [Authorize] attribute to require JWT for all endpoints

Infrastructure (3 fixes):
- docker-compose: upgrade PostgreSQL 15-alpine to 16-alpine per project spec
- init-databases.sh: add 4 missing marketing service databases (mkt_*)
- Traefik routes: add wallet, catalog, booking routers and /api/v1/stock path

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-06 16:22:08 +07:00

Ho Ngoc Hai

6061164873

feat: add multi-tenant row-level security across 5 services and 96 FnB engine unit tests

Security (P0-5):
- Implement ITenantProvider + HttpContextTenantProvider per service (order, fnb, inventory, catalog, wallet)
- Add EF Core global query filters for tenant isolation (shop_id/user_id based)
- Add TenantMiddleware setting PostgreSQL session variables for RLS
- Create PostgreSQL RLS policies script (scripts/db/rls-policies.sql)
- Adapter pattern bridges API-layer to Infrastructure-layer (Clean Architecture)
- Bypass mechanisms for admin roles, service-to-service calls, and migrations

Testing (P1-12):
- Add 96 unit tests for fnb-engine (up from 3)
- 57 domain entity tests: Table(18), KitchenTicket(12), Session(8), Reservation(13), Recipe(6)
- 39 command handler tests: CRUD operations, status transitions, validation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-06 13:40:34 +07:00

2 Commits