pos-system

Author	SHA1	Message	Date
Ho Ngoc Hai	36a0a9c256	feat: Add functional tests for MktZaloService, new contract and load tests, and audit documentation, while removing a legacy infrastructure project and updating service configurations.	2026-03-25 15:00:05 +07:00
Ho Ngoc Hai	97b54ebd39	fix(security): fix 5 P1 backend issues — BACK-C-01/03/04, BACK-W-02 BACK-W-02: Replace string-interpolated SET LOCAL SQL with parameterized set_config() calls in TenantMiddleware across 5 services (order, wallet, inventory, catalog, fnb-engine). Eliminates SQL injection pattern; set_config(key, $1, true) is local-to-transaction, same semantics as SET LOCAL. BACK-C-01: Remove AllowAnyOrigin() from all 26 services. Switch to WithOrigins() reading AllowedOrigins config array, with dev-only fallback to localhost. In production, set AllowedOrigins=["https://goodgo.vn", "https://admin.goodgo.vn"] via environment config. BACK-C-03: Standardize OrdersController GET /orders/{id} 404 response from {Message:...} to {success:false, error:{code,message}} per API contract. BACK-C-04: Add complete ProblemDetails exception mappings to _template_dot_net: ValidationException -> 400, DomainException -> 422, with TODO comments for service-specific types (EntityNotFoundException -> 404, etc.). BACK-C-02: wallet-service and booking-service already have full IRequestManager idempotency implementation — no changes needed. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-23 09:48:22 +07:00
Ho Ngoc Hai	25f68781ad	fix(security): fix 5 P0 security blockers — SEC-C-01 through SEC-C-05 SEC-C-01: Replace Neon PostgreSQL credentials (npg_Ssfy6HKO0cXI) with local dev connection strings in all 19 appsettings.json files. Production credentials must be injected via ConnectionStrings__DefaultConnection env var. Add appsettings.Production.json and appsettings.Staging.json to .gitignore. SEC-C-02: Add services/goodgo-mcp-server/.env to root .gitignore. Create .env.example with safe placeholder values documenting required variables. SEC-C-03: Wrap AddDeveloperSigningCredential() in env check — development only. Non-development environments must provide X.509 certificate via IdentityServer:SigningCertificatePath and IdentityServer:SigningCertificatePassword. SEC-C-04: Remove 4 unauthenticated debug endpoints from StaffController: GET debug/all, POST debug/seed, POST debug/update-userid, POST debug/update-merchant. These endpoints allowed privilege escalation and data exfiltration without auth. SEC-C-05: Removed endpoints containing SQL injection via string interpolation (lines 307, 367 in StaffController). Also removed [AllowAnonymous] from GET lookup endpoint — inherits class-level [Authorize]. BREAKING: debug/* endpoints are permanently removed. BFF lookup endpoint now requires authentication. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-23 09:47:07 +07:00
Ho Ngoc Hai	efabe49157	refactor(P2): standardize API responses + fix migrations + cleanup DI Wave 3 — 3 parallel agents fixing P2 code quality issues: Response format standardization (30 controllers across 8 services): - Wrapped all raw DTO returns with { success: true, data: result } - Standardized error responses with { success: false, error: { code, message } } - Services: chat, social, membership, ads-manager, ads-serving, ads-billing, ads-tracking, ads-analytics - booking-service already compliant (skipped) Migration fixes: - ads-billing: Fixed InvoiceId1 spurious FK (explicit HasMany navigation) - Removed unused IRequestManager DI from: ads-analytics, ads-serving, booking, mkt-facebook (classes preserved for future use) Unused dependencies: - No Redis/Dapper DI registrations found (only NuGet refs, kept as-is) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 20:34:10 +07:00
Ho Ngoc Hai	f8606e0447	fix(P0): security hardening + critical bug fixes across 22 services Wave 1 — 6 parallel agents fixing P0 issues from code audit: Auth (18 services secured): - Added JWT Bearer auth + [Authorize] to all unprotected controllers - Webhook endpoints (Facebook/WhatsApp/Zalo/X) stay [AllowAnonymous] - Health checks remain public for Docker/K8s probes - Services: catalog, order, booking, fnb-engine, inventory, social, ads-manager, ads-serving, ads-billing, ads-tracking, ads-analytics, mkt-facebook, mkt-whatsapp, mkt-x, mkt-zalo, promotion Template artifacts (4 services): - mission-service: myservice_db → mission_service - mkt-facebook: Dockerfile MyService.API → FacebookService.API - mkt-whatsapp: MyServiceContext.cs → WhatsAppServiceContext.cs - promotion: UserSecretsId fixed Critical handler bugs (7 fixes): - ads-tracking: TrackPixelEventHandler now persists to DB - ads-tracking: RecordConversion endpoint exposed via controller - booking: UpdateResource now applies Name + Capacity changes - ads-manager: ListPendingAds uses correct enum (pending_review) - mining: BanMiner calls Ban() not Suspend() - mining: ResetMinerStreak now actually resets streak - mkt-x: 8 missing repository DI registrations added Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 20:18:09 +07:00
Ho Ngoc Hai	f3779c4ebe	docs: add SERVICE_DOCS.md for all 24 microservices from per-service code audit Each SERVICE_DOCS.md documents: Overview, API Endpoints, Commands, Queries, Domain Model, Database Schema, Integration Events, Dependencies, Configuration. Generated by 23 parallel audit agents reading actual source code. Key corrections from audit: - inventory-service: 12 commands/6 queries (was listed as scaffold) - promotion-service: 12 commands/10 queries (was listed as 0) - mission-service: 4 commands/7 queries (was listed as 0) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 17:54:53 +07:00
Ho Ngoc Hai	751f90c365	feat: Log EF Core migration errors instead of crashing the application at startup across all services.	2026-02-28 01:03:43 +07:00
Ho Ngoc Hai	be86e48de6	feat: automatically apply EF Core database migrations on service startup across all services	2026-02-28 00:51:35 +07:00
Ho Ngoc Hai	f521cc0a91	chore: Remove the web-client application, add a local database initialization script, and update service Dockerfiles.	2026-02-28 00:41:17 +07:00
Cursor Agent	0f828dafb0	test: replace sample tests with service-specific order and ads suites Co-authored-by: Velik <hongochai10@users.noreply.github.com>	2026-02-23 12:47:21 +00:00
Cursor Agent	1e131adbf3	feat: implement ads serving statistics and event pipeline Co-authored-by: Velik <hongochai10@users.noreply.github.com>	2026-02-23 12:35:08 +00:00
Ho Ngoc Hai	48c757282a	feat: introduce comprehensive billing, analytics, manager, and tracking features with new controllers, commands, queries, DTOs, and infrastructure configurations.	2026-01-18 01:26:29 +07:00
Ho Ngoc Hai	4c9e12e99c	feat: Implement a new Inventory Service API, add admin budget and frequency controllers to Ads Serving, and introduce product and category controllers to Catalog Service.	2026-01-18 01:21:09 +07:00
Ho Ngoc Hai	b1931be440	feat: Implement initial entity configurations for ads billing, analytics, and serving, add catalog product and category commands/queries, and refine booking service infrastructure.	2026-01-18 01:15:51 +07:00
Ho Ngoc Hai	c9fdb56cb8	feat: Remove sample aggregates, introduce BillingAccount aggregate, and refactor CatalogServiceContext to CatalogContext.	2026-01-18 00:36:53 +07:00
Ho Ngoc Hai	6263ab4932	feat: Implement core ad serving functionality with auction, pacing, and frequency capping, and initialize catalog service infrastructure, while removing the sample aggregate.	2026-01-18 00:33:04 +07:00
Ho Ngoc Hai	811ddd1e19	feat: Add functional tests for OrderService and update InventoryService command and idempotency logic.	2026-01-18 00:19:46 +07:00
Ho Ngoc Hai	255e53025d	chore: Update service application ports and switch database connection strings to Neon DB.	2026-01-17 23:26:26 +07:00
Ho Ngoc Hai	29a70f5b64	feat: Introduce `Entity.cs` and `ValueObject.cs` in AdsManagerService domain, add sample command/query handlers, and update build properties across services.	2026-01-17 22:51:35 +07:00

19 Commits