admin/pos-system
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
666 Commits 1 Branch 0 Tags
97b54ebd3929cd74dd48f0b45a87ec4c3cacdaf7
Commit Graph

10 Commits

Author SHA1 Message Date
Ho Ngoc Hai
97b54ebd39 fix(security): fix 5 P1 backend issues — BACK-C-01/03/04, BACK-W-02 
BACK-W-02: Replace string-interpolated SET LOCAL SQL with parameterized
set_config() calls in TenantMiddleware across 5 services (order, wallet,
inventory, catalog, fnb-engine). Eliminates SQL injection pattern;
set_config(key, $1, true) is local-to-transaction, same semantics as SET LOCAL.

BACK-C-01: Remove AllowAnyOrigin() from all 26 services. Switch to
WithOrigins() reading AllowedOrigins config array, with dev-only fallback
to localhost. In production, set AllowedOrigins=["https://goodgo.vn",
"https://admin.goodgo.vn"] via environment config.

BACK-C-03: Standardize OrdersController GET /orders/{id} 404 response
from {Message:...} to {success:false, error:{code,message}} per API contract.

BACK-C-04: Add complete ProblemDetails exception mappings to _template_dot_net:
ValidationException -> 400, DomainException -> 422, with TODO comments
for service-specific types (EntityNotFoundException -> 404, etc.).

BACK-C-02: wallet-service and booking-service already have full
IRequestManager idempotency implementation — no changes needed.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-03-23 09:48:22 +07:00
Ho Ngoc Hai
653322b26c fix: resolve 12 critical/high issues from code review across backend, frontend, and infra 
Backend (7 fixes):
- wallet-service: remove conflicting EF Ignore() calls for mapped backing fields
- fnb-engine: remove KitchenTicket short constructor that set productId=orderItemId
- fnb-engine: replace fire-and-forget Task.Run with direct await for inventory deduction
- TenantMiddleware: implement PostgreSQL RLS SET LOCAL in 4 services (wallet, fnb, inventory, catalog)
- order-service: fix SQL injection pattern in TenantMiddleware with Guid.ToString("D")
- order-service: add ValidateShopAccess() authorization check in SignalR PosHub
- 4 services: register IDbConnection (NpgsqlConnection) in DI for RLS middleware

Frontend (3 fixes):
- PosDataService: return Success=false (not true) when PayOrder response parsing fails
- QrPayment: add _disposed guard to prevent timer race condition after component disposal
- BFF OrderController: add [Authorize] attribute to require JWT for all endpoints

Infrastructure (3 fixes):
- docker-compose: upgrade PostgreSQL 15-alpine to 16-alpine per project spec
- init-databases.sh: add 4 missing marketing service databases (mkt_*)
- Traefik routes: add wallet, catalog, booking routers and /api/v1/stock path

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-06 16:22:08 +07:00
Ho Ngoc Hai
6061164873 feat: add multi-tenant row-level security across 5 services and 96 FnB engine unit tests 
Security (P0-5):
- Implement ITenantProvider + HttpContextTenantProvider per service (order, fnb, inventory, catalog, wallet)
- Add EF Core global query filters for tenant isolation (shop_id/user_id based)
- Add TenantMiddleware setting PostgreSQL session variables for RLS
- Create PostgreSQL RLS policies script (scripts/db/rls-policies.sql)
- Adapter pattern bridges API-layer to Infrastructure-layer (Clean Architecture)
- Bypass mechanisms for admin roles, service-to-service calls, and migrations

Testing (P1-12):
- Add 96 unit tests for fnb-engine (up from 3)
- 57 domain entity tests: Table(18), KitchenTicket(12), Session(8), Reservation(13), Recipe(6)
- 39 command handler tests: CRUD operations, status transitions, validation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-06 13:40:34 +07:00
Ho Ngoc Hai
751f90c365 feat: Log EF Core migration errors instead of crashing the application at startup across all services. 2026-02-28 01:03:43 +07:00
Ho Ngoc Hai
be86e48de6 feat: automatically apply EF Core database migrations on service startup across all services 2026-02-28 00:51:35 +07:00
Cursor Agent
4751929a3e fix: switch JWT Bearer auth from symmetric key to OIDC discovery in 5 microservices 
Replace manual SymmetricSecurityKey validation with Authority-based OIDC
discovery so tokens are validated against RSA keys published by the IAM
IdentityServer's discovery endpoint.

Services updated:
- CatalogService.API
- OrderService.API
- InventoryService.API
- FnbEngine.API
- BookingService.API

Co-authored-by: Velik <hongochai10@users.noreply.github.com>
 2026-02-26 22:51:57 +00:00
Cursor Agent
c789f964a8 Add JWT Bearer authentication registration to 5 microservice Program.cs files 
Add AddAuthentication(JwtBearerDefaults.AuthenticationScheme) and
AddJwtBearer() service registration before CORS configuration in:
- CatalogService.API
- OrderService.API
- InventoryService.API
- FnbEngine.API
- BookingService.API

Also add Microsoft.AspNetCore.Authentication.JwtBearer v10.0.1 NuGet
package reference to each service's .csproj file.

This fixes the runtime error caused by UseAuthentication() being called
without a registered authentication scheme.

Co-authored-by: Velik <hongochai10@users.noreply.github.com>
 2026-02-26 22:51:57 +00:00
Cursor Agent
2fcf73b33f Add UseAuthentication and UseAuthorization middleware after UseRouting in 5 microservices 
Added app.UseAuthentication() and app.UseAuthorization() after
app.UseRouting() in the middleware pipeline for:
- CatalogService.API
- OrderService.API
- InventoryService.API
- FnbEngine.API
- BookingService.API

Co-authored-by: Velik <hongochai10@users.noreply.github.com>
 2026-02-26 22:51:57 +00:00
Ho Ngoc Hai
811ddd1e19 feat: Add functional tests for OrderService and update InventoryService command and idempotency logic. 2026-01-18 00:19:46 +07:00
Ho Ngoc Hai
19c0acfe0f feat: Add new unit tests, domain exceptions, documentation, and various build artifacts across multiple services. 2026-01-17 23:04:15 +07:00