90434acbde6ff8c70dc140b0efe52e1c184188e4
SEC-W-11: Remove hardcoded OAuth2 client_id/client_secret from Blazor WASM.
- Create BffAuthController (POST /api/bff/auth/login|logout, GET /api/bff/auth/session)
- BFF exchanges credentials with IS4 using server-side config (IdentityServer:ClientId/Secret)
- Add IdentityServer config block to appsettings.json / appsettings.Development.json
SEC-W-12: Migrate password grant — token exchange now happens server-side in BFF, not WASM.
- AuthService.LoginAsync() POSTs to /api/bff/auth/login (no IS4 call from WASM)
SEC-W-01: JWT in localStorage — migrate to httpOnly SameSite=Strict BFF session cookie.
- BffAuthController sets cookie on login, clears on logout
- AuthStateService no longer stores raw token (Token property removed)
- AuthService only stores non-sensitive metadata (email, role) in localStorage
- TryRestoreSessionAsync now calls GET /api/bff/auth/session instead of localStorage
- AuthForwardingHandler reads token from bff_session cookie (legacy header fallback kept)
FRONT-W-01: Token refresh not implemented — add TokenExpiry tracking + proactive refresh timer.
- AuthStateService: add TokenExpiry, OnTokenExpiring event, IDisposable Timer
- Login() schedules a Timer that fires OnTokenExpiring 2 min before expiry
FRONT-W-02: DefaultRequestHeaders race condition — use per-request HttpRequestMessage.
- PosDataService: remove AttachToken() (mutated shared DefaultRequestHeaders)
- All HTTP helpers (PostAsync, PutAsync, PostAndGetAsync, GetListFromApiAsync, GetObjectFromApiAsync) now use HttpRequestMessage per-request
- Auth handled automatically by browser cookie (same-origin, httpOnly BFF cookie)
FRONT-C-04: No route guard on AdminLayout — add auth redirect.
- AdminLayout.OnAfterRenderAsync: after TryRestoreSessionAsync, redirect to /auth/login if still unauthenticated (with returnUrl param)
FRONT-C-05: shopId not validated against user permissions — add BFF verification.
- AdminLayout: call PosData.GetShopByIdAsync(shopId) after detecting shop context
- Redirect to /admin if BFF returns null (403/404 = no access, prevents IDOR)
- Populate _shopName/_shopCategory from verified backend data (not just URL)
SEC-W-13: No CDN SRI for Lucide icons — add integrity hash + crossorigin attribute.
- index.html: add integrity="sha256-NBFpKCDLjUdUP2lJaqJf1gOjWPRJgEb0HFCKWjNCIQ4=" crossorigin="anonymous" to lucide@0.468.0 script tag
Co-Authored-By: Paperclip <noreply@paperclip.ing>
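The commit above moves token handling out of the WASM bundle into a backend-for-frontend. What follows is an added illustration of that pattern, not code from the GoodGo repository: a minimal login/session/logout controller that exchanges credentials server-side and stores the access token in an httpOnly, Secure, SameSite=Strict cookie, plus a server-side DelegatingHandler that attaches the token per request instead of mutating a shared HttpClient.DefaultRequestHeaders. The route, cookie name (bff_session) and config keys (IdentityServer:ClientId/ClientSecret) follow the commit message; the IdentityServer token endpoint path (/connect/token), the IdentityServer:Authority and IdentityServer:Scope keys, the LoginRequest shape and the response payload are assumptions, and an ASP.NET Core project with implicit usings enabled is assumed.

```csharp
// Added example, not GoodGo's code: a minimal BFF auth controller and token-forwarding
// handler for the pattern the commit describes. Route, cookie and config names follow
// the commit message; the IS4 token endpoint path, DTO shape and config keys for
// Authority/Scope are assumptions.
using System.Net.Http.Headers;
using System.Text.Json;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

public sealed record LoginRequest(string Email, string Password);

[ApiController]
[Route("api/bff/auth")]
public sealed class BffAuthController : ControllerBase
{
    private const string CookieName = "bff_session";
    private readonly IHttpClientFactory _http;
    private readonly IConfiguration _config;

    public BffAuthController(IHttpClientFactory http, IConfiguration config)
    {
        _http = http;
        _config = config;
    }

    [HttpPost("login"), AllowAnonymous]
    public async Task<IActionResult> Login([FromBody] LoginRequest req, CancellationToken ct)
    {
        // client_id/client_secret are read from server-side config; they never ship in the WASM bundle.
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["client_id"] = _config["IdentityServer:ClientId"]!,
            ["client_secret"] = _config["IdentityServer:ClientSecret"]!,
            ["username"] = req.Email,
            ["password"] = req.Password,
            ["scope"] = _config["IdentityServer:Scope"] ?? "openid profile",
        };
        var tokenEndpoint = _config["IdentityServer:Authority"]!.TrimEnd('/') + "/connect/token"; // assumed IS4 path
        using var resp = await _http.CreateClient().PostAsync(tokenEndpoint, new FormUrlEncodedContent(form), ct);
        if (!resp.IsSuccessStatusCode)
            return Unauthorized(); // generic failure; do not relay the IdP error body to the browser

        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync(ct));
        var token = doc.RootElement.GetProperty("access_token").GetString()!;
        var expiresAt = DateTimeOffset.UtcNow.AddSeconds(doc.RootElement.GetProperty("expires_in").GetInt32());

        Response.Cookies.Append(CookieName, token, new CookieOptions
        {
            HttpOnly = true,                // script cannot read it, so XSS cannot exfiltrate the token
            Secure = true,                  // HTTPS only
            SameSite = SameSiteMode.Strict, // not attached to cross-site requests
            Path = "/",
            Expires = expiresAt,
        });
        // Only non-sensitive metadata goes back to the client; the raw token stays in the cookie.
        return Ok(new { req.Email, ExpiresAtUtc = expiresAt });
    }

    [HttpGet("session"), AllowAnonymous]
    public IActionResult Session()
    {
        // Presence check used to restore UI state; not an authorization decision.
        // Downstream APIs validate the forwarded token's signature and expiry.
        return Request.Cookies.ContainsKey(CookieName) ? Ok(new { Authenticated = true }) : Unauthorized();
    }

    [HttpPost("logout")]
    public IActionResult Logout()
    {
        // Delete with the same attributes used to set the cookie, or the browser may keep it.
        Response.Cookies.Delete(CookieName, new CookieOptions { Path = "/", Secure = true, SameSite = SameSiteMode.Strict });
        return NoContent();
    }
}

// Server-side DelegatingHandler: copies the session cookie into a per-request
// Authorization header for calls to downstream APIs, instead of mutating a shared
// HttpClient.DefaultRequestHeaders (the race condition FRONT-W-02 describes).
public sealed class AuthForwardingHandler : DelegatingHandler
{
    private readonly IHttpContextAccessor _accessor;
    public AuthForwardingHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var token = _accessor.HttpContext?.Request.Cookies["bff_session"];
        if (!string.IsNullOrEmpty(token))
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return base.SendAsync(request, ct);
    }
}
```

Two caveats worth keeping in mind with this shape. SameSite=Strict stops the browser from attaching the cookie to cross-site requests, which removes the classic CSRF vector, but it does nothing against script already running on the origin: an XSS payload can still drive same-origin requests that carry the cookie, which is why the SRI change (SEC-W-13) and a content security policy still matter. And the password grant is only acceptable here because the credentials never leave the first-party origin and the client secret stays on the server; the BFF should rate-limit /api/bff/auth/login, since it is now the public face of the token endpoint.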
GoodGo Platform
Monorepo platform with microservices architecture for the merchant/customer ecosystem — POS, F&B, retail, spa, karaoke, and more.
Domain: goodgo.vn | Staging: api.staging.goodgo.vn
Tech Stack
| Layer | Technologies |
|---|---|
| Backend | .NET 10.0 (C# 14), MediatR/CQRS, EF Core 10, FluentValidation, Serilog, Dapper, Polly |
| Web | Blazor WASM + MudBlazor 8.15 (Material Design) |
| Mobile | .NET MAUI (cross-platform), SwiftUI (iOS) |
| Database | PostgreSQL 16 (local) / Neon PostgreSQL (cloud), Redis 7 |
| Messaging | RabbitMQ 3 (AMQP) |
| Storage | MinIO (S3-compatible) |
| Gateway | Traefik v3 |
| Infra | Docker Compose (local), Kubernetes RKE2 (staging/prod) |
| CI/CD | GitHub Actions, Docker Hub |
| Observability | Prometheus + Grafana + Loki + Promtail |
| Auth | Duende IdentityServer, JWT Bearer, OAuth2 |
| Monorepo | pnpm 8 workspaces, Turborepo |
Project Structure
```
services/      # 26 .NET microservices (Clean Architecture + CQRS)
apps/          # Frontend applications
packages/      # Shared Node.js packages (@goodgo/*)
deployments/   # Environment configs (local, staging, production)
infra/         # Infrastructure (Traefik, databases, observability)
scripts/       # Automation scripts (dev, db, deploy, build)
```
Services
Core Platform
- iam-service-net — Identity & Access Management (JWT, RBAC, MFA, Sessions)
- merchant-service-net — Merchant & Shop management
- catalog-service-net — Product catalog
- order-service-net — Order processing
- inventory-service-net — Inventory management
- wallet-service-net — Wallet & payments
- fnb-engine-net — F&B engine
- booking-service-net — Booking & reservations
Engagement
- promotion-service-net — Promotions & discounts
- membership-service-net — Membership & loyalty
- chat-service-net — Chat & messaging (SignalR + Redis)
- social-service-net — Social features
- mission-service-net — Gamification missions
Advertising
- ads-manager-service-net — Campaign management
- ads-serving-service-net — Ad delivery
- ads-billing-service-net — Ad billing
- ads-tracking-service-net — Event tracking
- ads-analytics-service-net — Analytics
Marketing Integrations
- mkt-facebook-service-net — Facebook
- mkt-whatsapp-service-net — WhatsApp
- mkt-x-service-net — X (Twitter)
- mkt-zalo-service-net — Zalo
Utilities
- storage-service-net — File storage (MinIO)
- mining-service-net — Data mining
Frontend Apps
| App | Stack | Description |
|---|---|---|
| web-client-tpos-net | Blazor WASM + MudBlazor | POS system (multi-vertical: karaoke, restaurant, cafe, spa, retail) |
| web-client-base-net | Blazor WASM + MudBlazor | Enterprise portal |
| app-client-base-net | .NET MAUI | Cross-platform mobile app |
| app-client-base-swift | SwiftUI | iOS app |
| web-docs | VitePress | Documentation site |
Quick Start
Prerequisites
- Docker & Docker Compose
- .NET 10.0 SDK
- Node.js 25+
- pnpm 8+
Run Locally
```bash
# Start infrastructure (PostgreSQL, Redis, RabbitMQ, MinIO, Traefik) + all services
cd deployments/local
docker compose up -d

# Run database migrations (per service)
./scripts/db/migrate.sh

# Start a specific service for development
./scripts/dev/start-service.sh iam-service-net
```
Architecture
Each .NET service follows Clean Architecture + CQRS:
```
ServiceName/
  src/
    ServiceName.API/              # Controllers + MediatR Commands/Queries
    ServiceName.Domain/           # Entities, aggregates, domain events (no dependencies)
    ServiceName.Infrastructure/   # EF Core, repositories, migrations
  tests/
    ServiceName.UnitTests/        # xUnit + FluentAssertions
    ServiceName.FunctionalTests/  # WebApplicationFactory integration tests
```
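As an added example of how the layers above fit together (this is illustrative code, not taken from any GoodGo service), here is one command flowing through the stack: a Domain entity with no framework references, a repository abstraction that Infrastructure implements, a MediatR command, handler and FluentValidation validator in the API layer, and a pipeline behavior that rejects invalid commands before any handler runs. The Shop entity, IShopRepository and CreateShopCommand names are assumptions chosen to fit the merchant-service domain.

```csharp
// Added example, not GoodGo's code: one command through the Clean Architecture + CQRS
// layout above. Shop, IShopRepository and CreateShopCommand are illustrative names.
using FluentValidation;
using FluentValidation.Results;
using MediatR;

// Domain layer: plain entity, no framework dependencies.
public sealed class Shop
{
    public Guid Id { get; } = Guid.NewGuid();
    public Guid MerchantId { get; }
    public string Name { get; }
    public Shop(Guid merchantId, string name) { MerchantId = merchantId; Name = name; }
}

// Abstraction the Infrastructure layer implements (EF Core); the API layer depends only on this.
public interface IShopRepository
{
    Task AddAsync(Shop shop, CancellationToken ct);
}

// API layer: command + validator + handler. The handler can trust its input because
// ValidationBehavior below runs for every request before any handler is reached.
public sealed record CreateShopCommand(Guid MerchantId, string Name) : IRequest<Guid>;

public sealed class CreateShopValidator : AbstractValidator<CreateShopCommand>
{
    public CreateShopValidator()
    {
        RuleFor(c => c.MerchantId).NotEmpty();
        RuleFor(c => c.Name).NotEmpty().MaximumLength(120);
    }
}

public sealed class CreateShopHandler : IRequestHandler<CreateShopCommand, Guid>
{
    private readonly IShopRepository _repo;
    public CreateShopHandler(IShopRepository repo) => _repo = repo;

    public async Task<Guid> Handle(CreateShopCommand cmd, CancellationToken ct)
    {
        var shop = new Shop(cmd.MerchantId, cmd.Name);
        await _repo.AddAsync(shop, ct);
        return shop.Id;
    }
}

// Cross-cutting behavior: collects every registered validator for the request type and
// short-circuits with a ValidationException if any rule fails, so a handler whose author
// forgot to validate still never sees unvalidated input.
public sealed class ValidationBehavior<TRequest, TResponse> : IPipelineBehavior<TRequest, TResponse>
    where TRequest : notnull
{
    private readonly IEnumerable<IValidator<TRequest>> _validators;
    public ValidationBehavior(IEnumerable<IValidator<TRequest>> validators) => _validators = validators;

    public async Task<TResponse> Handle(TRequest request, RequestHandlerDelegate<TResponse> next, CancellationToken ct)
    {
        var context = new ValidationContext<TRequest>(request);
        var failures = new List<ValidationFailure>();
        foreach (var validator in _validators)
            failures.AddRange((await validator.ValidateAsync(context, ct)).Errors);
        if (failures.Count > 0)
            throw new ValidationException(failures);
        return await next();
    }
}

// Registration in the API project's Program.cs:
//   builder.Services.AddMediatR(cfg => cfg.RegisterServicesFromAssemblyContaining<CreateShopCommand>());
//   builder.Services.AddValidatorsFromAssemblyContaining<CreateShopValidator>();
//   builder.Services.AddTransient(typeof(IPipelineBehavior<,>), typeof(ValidationBehavior<,>));
```

The security point of the behavior is that validation becomes a property of the pipeline rather than of each handler: adding a new command without a validator is visible in review (no AbstractValidator<T> for it), and a handler can never be invoked with a request that skipped its rules. Authorization checks (for example, that the caller owns MerchantId) belong in a sibling behavior or in the handler, not in the validator, which should only judge the shape of the input.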
Documentation
- ROADMAP.md — Development roadmap and phase tracking
- CLAUDE.md — Full architecture reference and agent configuration
Maintainer
Built by VelikHo (@hongochai10)
- Email: hongochai10@icloud.com
- GitHub: https://github.com/hongochai10