SEC-C-01 extended gap: 3 base appsettings.json files still referenced external
infrastructure (167.114.174.113) with Velik@2026 credentials and real SMTP
password — missed by the Wave 1 security fix which targeted DB credentials only.
Changes:
- iam-service-net/appsettings.json: Redis localhost (removed Velik@2026),
SMTP localhost:1025 (removed Mailgun credentials)
- membership-service-net/appsettings.json: Redis localhost (removed Velik@2026)
- storage-service-net/appsettings.json: MinIO→localhost:9000 minioadmin/minioadmin,
Redis→localhost (removed Velik@2026)
All production credentials (Redis, MinIO, SMTP) must be injected via
environment variables. Base appsettings.json targets docker-compose local stack.
CTO review finding: Redis__Password, MinIO:SecretKey, Email:SmtpPassword
must never appear in committed config files.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
SEC-C-01 gap: Security engineer's Wave 1 fix replaced Neon credentials in
appsettings.json (19 files) but missed 4 appsettings.Development.json files
that still pointed to cloud infrastructure with production credentials.
Changes per service:
- iam-service-net: DB→localhost, Redis→localhost (removed Velik@2026),
Email SMTP→localhost:1025 (removed Mailgun password)
- membership-service-net: DB→localhost, Redis→localhost
- promotion-service-net: DB→localhost
- storage-service-net: DB→localhost, MinIO→localhost:9000 (removed Velik@2026),
Redis→localhost
All four files now point exclusively to local Docker Compose services
(postgres-local:5432, redis-local:6379, minio-local:9000).
Production/staging credentials must be injected via environment variables.
CTO review finding: appsettings.Development.json must not contain cloud
credentials. Local dev should always use docker-compose services.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
BACK-W-02: Replace string-interpolated SET LOCAL SQL with parameterized
set_config() calls in TenantMiddleware across 5 services (order, wallet,
inventory, catalog, fnb-engine). Eliminates SQL injection pattern;
set_config(key, $1, true) is local-to-transaction, same semantics as SET LOCAL.
BACK-C-01: Remove AllowAnyOrigin() from all 26 services. Switch to
WithOrigins() reading AllowedOrigins config array, with dev-only fallback
to localhost. In production, set AllowedOrigins=["https://goodgo.vn",
"https://admin.goodgo.vn"] via environment config.
BACK-C-03: Standardize OrdersController GET /orders/{id} 404 response
from {Message:...} to {success:false, error:{code,message}} per API contract.
BACK-C-04: Add complete ProblemDetails exception mappings to _template_dot_net:
ValidationException -> 400, DomainException -> 422, with TODO comments
for service-specific types (EntityNotFoundException -> 404, etc.).
BACK-C-02: wallet-service and booking-service already have full
IRequestManager idempotency implementation — no changes needed.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
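The BACK-W-02 change above, as an added example that is not the project's own TenantMiddleware: the string-interpolated SET LOCAL the commit removes sits beside the parameterized set_config() form, using Npgsql directly. The header name, the GUC key app.tenant_id and the way the transaction is handed downstream are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Npgsql;

public sealed class TenantMiddleware
{
    private readonly RequestDelegate _next;
    public TenantMiddleware(RequestDelegate next) => _next = next;

    // BEFORE (the pattern BACK-W-02 eliminates): the tenant id is interpolated into
    // the statement text. SET LOCAL cannot take a bind parameter, so any value that
    // contains a quote can terminate the literal and append further SQL.
    public static string BuildUnsafeSetLocal(string tenantId) =>
        $"SET LOCAL app.tenant_id = '{tenantId}'";

    // AFTER: set_config() is an ordinary function, so the value travels as the bind
    // parameter $1 and is never parsed as SQL. is_local=true scopes the setting to
    // the current transaction, which is the same lifetime SET LOCAL gives it.
    public static async Task ApplyTenantAsync(NpgsqlConnection conn, NpgsqlTransaction tx, string tenantId)
    {
        await using var cmd = new NpgsqlCommand(
            "SELECT set_config('app.tenant_id', $1, true)", conn, tx);
        cmd.Parameters.Add(new NpgsqlParameter { Value = tenantId }); // positional parameter
        await cmd.ExecuteNonQueryAsync();
    }

    // NpgsqlDataSource is resolved per request from DI (assumption about registration).
    public async Task InvokeAsync(HttpContext ctx, NpgsqlDataSource dataSource)
    {
        // Header name is an assumption. Validate the shape before any SQL runs so a
        // malformed id is rejected at the edge rather than reaching the database.
        var tenantId = ctx.Request.Headers["X-Tenant-Id"].ToString();
        if (!Guid.TryParse(tenantId, out _))
        {
            ctx.Response.StatusCode = StatusCodes.Status400BadRequest;
            return;
        }

        await using var conn = await dataSource.OpenConnectionAsync();
        await using var tx = await conn.BeginTransactionAsync();
        await ApplyTenantAsync(conn, tx, tenantId);
        ctx.Items["DbTransaction"] = tx; // downstream handlers reuse this transaction (assumption)
        await _next(ctx);
        await tx.CommitAsync();
    }
}
```

Because the setting is transaction-local, every query that relies on app.tenant_id (for example row-level security policies) must run inside the same transaction that called set_config().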
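The BACK-C-01 CORS change above, as an added example rather than any service's actual Program.cs: AllowAnyOrigin() beside the WithOrigins() form that reads the AllowedOrigins array, with the dev-only localhost fallback. The localhost port and the fail-closed check when the array is empty outside Development are this example's assumptions, not stated in the commit.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// BEFORE (removed by BACK-C-01): every origin on the internet may call the API
// from a browser, so any site a user visits can drive authenticated requests
// through that user's session context.
// builder.Services.AddCors(o => o.AddDefaultPolicy(p =>
//     p.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod()));

// AFTER: explicit allow-list bound from configuration. From environment variables
// the array binds as AllowedOrigins__0=https://goodgo.vn and
// AllowedOrigins__1=https://admin.goodgo.vn (double underscore = array index).
string[] allowedOrigins =
    builder.Configuration.GetSection("AllowedOrigins").Get<string[]>() ?? Array.Empty<string>();

if (allowedOrigins.Length == 0)
{
    // Assumption: outside Development an empty list is a deployment error, so fail
    // closed at startup instead of silently running with no allowed origins.
    if (!builder.Environment.IsDevelopment())
        throw new InvalidOperationException("AllowedOrigins must be configured outside Development.");
    allowedOrigins = new[] { "http://localhost:3000" }; // dev-only fallback; port is an assumption
}

builder.Services.AddCors(options => options.AddDefaultPolicy(policy =>
    policy.WithOrigins(allowedOrigins)
          .AllowAnyHeader()
          .AllowAnyMethod()));

var app = builder.Build();
app.UseCors();
app.MapGet("/health", () => "ok");
app.Run();
```

WithOrigins() matches the scheme, host and port exactly, so an entry such as "https://goodgo.vn" does not admit "http://goodgo.vn" or a subdomain; each permitted origin must be listed.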
SEC-C-01: Replace Neon PostgreSQL credentials (npg_Ssfy6HKO0cXI) with local
dev connection strings in all 19 appsettings.json files. Production credentials
must be injected via ConnectionStrings__DefaultConnection env var. Add
appsettings.Production.json and appsettings.Staging.json to .gitignore.
SEC-C-02: Add services/goodgo-mcp-server/.env to root .gitignore. Create
.env.example with safe placeholder values documenting required variables.
SEC-C-03: Wrap AddDeveloperSigningCredential() in env check — development only.
Non-development environments must provide X.509 certificate via
IdentityServer:SigningCertificatePath and IdentityServer:SigningCertificatePassword.
SEC-C-04: Remove 4 unauthenticated debug endpoints from StaffController:
GET debug/all, POST debug/seed, POST debug/update-userid, POST debug/update-merchant.
These endpoints allowed privilege escalation and data exfiltration without auth.
SEC-C-05: Removed endpoints containing SQL injection via string interpolation
(lines 307, 367 in StaffController). Also removed [AllowAnonymous] from
GET lookup endpoint — inherits class-level [Authorize].
BREAKING: debug/* endpoints are permanently removed. BFF lookup endpoint now
requires authentication.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
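The SEC-C-03 signing-credential change above, as an added example that is not the IAM service's own startup code: AddDeveloperSigningCredential() is reachable only in Development, and every other environment must load an X.509 certificate from the IdentityServer:SigningCertificatePath and IdentityServer:SigningCertificatePassword settings named in the commit. The startup checks on the path and private key are this example's additions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);
var idsv = builder.Services.AddIdentityServer();

if (builder.Environment.IsDevelopment())
{
    // Development only: a temporary key material file on disk. Tokens it signs
    // must never be accepted by anything outside the local docker-compose stack.
    idsv.AddDeveloperSigningCredential();
}
else
{
    var section = builder.Configuration.GetSection("IdentityServer");
    var path = section["SigningCertificatePath"];
    var password = section["SigningCertificatePassword"]; // injected via env var, never committed

    // Fail closed at startup: a missing certificate must not fall back to the dev key.
    if (string.IsNullOrEmpty(path) || !File.Exists(path))
        throw new InvalidOperationException(
            "IdentityServer:SigningCertificatePath must point to an existing PFX outside Development.");

    var cert = new X509Certificate2(path, password);
    if (!cert.HasPrivateKey)
        throw new InvalidOperationException("Signing certificate has no private key.");

    idsv.AddSigningCredential(cert);
}

var app = builder.Build();
app.UseIdentityServer();
app.Run();
```

Environment variable binding uses a double underscore for the colon, so the two settings are supplied as IdentityServer__SigningCertificatePath and IdentityServer__SigningCertificatePassword.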
- Modified connection strings in appsettings.json for membership and storage services to use the new database host and credentials.
- Updated Redis configuration with new host, port, and authentication details.
- Changed JWT secret key to enhance security and updated issuer and audience settings for consistency across services.
- Expanded the API documentation to include detailed sections on file management endpoints, including upload, retrieval, sharing, and deletion.
- Added a comprehensive overview of pre-signed URLs and access levels, clarifying the differences between public, private, and shared file access.
- Introduced a new architecture section detailing the download URL generation flow and security considerations for pre-signed URLs.
- Enhanced the README with examples and explanations to improve developer understanding of file access and management processes.
- Updated the GenerateObjectKey method to include a prefix based on the file access level (public, private, shared).
- Improved documentation for the method to clarify the path structure and its implications for file accessibility.
- Adjusted the UploadFileCommandHandler to utilize the new object key generation logic, ensuring proper file organization in storage.
- Introduced a new endpoint to retrieve CDN URLs for public files, falling back to pre-signed URLs when necessary.
- Enhanced caching for file metadata retrieval in GetFileQueryHandler to improve performance.
- Updated file handling commands to invalidate relevant caches upon file operations.
- Added configuration settings for CDN in appsettings.json to manage CDN behavior.
- Implemented new data models for CDN URL responses and integrated them into the API response structure.
- Added multipart upload methods to the IStorageProvider interface and implemented them in the MinioStorageProvider and AliyunOssStorageProvider classes.
- Integrated Redis caching for user quota management in ConfirmUploadCommandHandler and DeleteFileCommandHandler to ensure updated quota values.
- Enhanced GetUserQuotaQueryHandler to utilize cache-aside pattern for improved performance.
- Updated Dependency Injection to register Redis cache service and configured related settings.
- Introduced database schema changes to support multipart uploads and their parts.
- Introduced a new section detailing the Multipart Upload architecture for files larger than 100MB, including a comparison of upload methods.
- Documented the Multipart Upload flow with a sequence diagram illustrating the process from initiation to completion.
- Listed the relevant API endpoints for Multipart Upload, including initiation, part uploads, completion, and progress checking.
- Added a database schema section for tracking multipart uploads and their parts, enhancing clarity on data management.
- Updated the README and ARCHITECTURE documentation to emphasize the Logical Folder structure, clarifying that folders are a logical concept in the database rather than dependent on bucket structure.
- Highlighted the benefits of using UUID-based keys and a flat bucket structure, including improved performance, security, and scalability.
- Provided detailed examples of database schema, workflows, and performance comparisons to illustrate the advantages of the new approach over traditional methods.
- Enhanced explanations of folder management processes, including creation, renaming, and file uploads, to improve developer understanding and implementation.
- Updated the architecture documentation to emphasize the Logical Folder structure and its alignment with Data Sovereignty principles.
- Introduced a clear distinction between logical and physical storage, highlighting the benefits of using UUID-based keys and a flat bucket structure.
- Provided detailed examples of database schema, workflows, and performance comparisons to illustrate the advantages of the new approach over traditional bucket-based methods.
- Enhanced explanations of folder creation, renaming, and file management processes to improve developer understanding and implementation.
- Enhanced the architecture documentation to recommend direct upload over legacy proxy upload for improved performance and scalability.
- Added detailed comparisons of upload patterns, including throughput, memory usage, and latency.
- Updated API endpoint documentation to reflect new direct upload methods and their benefits.
- Included examples for direct upload flow and bucket directory structure to aid developers in implementation.
- Expanded the README documentation to include detailed instructions for Docker network configuration and JWT token issuer setup for inter-service communication.
- Added troubleshooting tips for common issues related to JWT issuer mismatch and container networking.
- Updated caching information and clarified available methods for the IIamServiceClient.
- Added curl installation in the IAM service Dockerfile for improved functionality.
- Removed the deprecated docker-compose.yml for the Storage Service, consolidating service definitions.
- Ensured consistency in the build and publish commands for the Storage Service Dockerfile.
- Changed the IAM service base URL from "http://iam-service:5001" to "http://iam-service-net:8080" in both the local docker-compose.yml and the IamServiceClient class to ensure consistency across configurations.
- Added phone number field to the registration example in the API documentation.
- Included detailed response structure for registration and email verification endpoints.
- Updated email confirmation example to use email instead of userId for clarity.
- Enhanced two-factor authentication response to include manual entry key and recovery codes.
- Added JWT Bearer authentication configuration in `Program.cs` for IAM service integration.
- Updated Swagger setup to include JWT Bearer security definition and requirements.
- Introduced a new Swagger UI client for testing with resource owner password grant type in `Config.cs`.
- Included necessary package reference for `Microsoft.AspNetCore.Authentication.JwtBearer` in the project file.
- Added Swagger support in `Program.cs` to enhance API documentation and enable annotations.
- Updated project file to generate XML documentation for Swagger and included the `Swashbuckle.AspNetCore.Annotations` package.
- Modified `FilesController` and `QuotaController` to support API versioning and updated route attributes accordingly.
- Changed the default bucket name in `appsettings.Development.json` from "storage" to "goodgo" and updated MinIO endpoint and credentials for improved access.
- Modified the service initialization in `Program.cs` to include the environment name, enhancing configuration flexibility.
- Added a missing namespace in `CustomWebApplicationFactory.cs` for better test setup.
- Removed obsolete unit test files for `CreateSampleCommandHandler` and `SampleAggregate`, streamlining the test suite.
- Updated `appsettings.Development.json` to change the database connection string for the storage service.
- Added `Microsoft.EntityFrameworkCore.Design` package reference to the project file for design-time features.
- Removed obsolete command and handler files related to sample management, including `ChangeSampleStatusCommand`, `CreateSampleCommand`, `UpdateSampleCommand`, and their respective handlers.
- Cleaned up the `SamplesController` and related query and validation files to streamline the codebase.
- Introduced a new social-service in the Docker Compose configuration for local development, including build context, environment variables, and health checks.
- Updated architecture documentation to reflect the new storage service structure and its components, including user storage quotas and file management.
- Enhanced README files to provide clearer instructions on service setup, configuration, and API endpoints for file storage management.
- Implemented caching mechanisms in the IAM service client for improved performance and reduced latency in user information retrieval.
- Updated appsettings for development to include caching settings for IAM service interactions.
- Added endpoints for sending and confirming email verification, enhancing user account security.
- Integrated two-factor authentication (2FA) with TOTP support, including enabling, verifying, and disabling 2FA.
- Implemented social login functionality for Google and Facebook, allowing users to authenticate using their existing accounts.
- Updated dependency injection to include services for email, 2FA, and social login.
- Enhanced documentation to reflect new features and usage examples for email verification and 2FA.