# CTO Fix Tracker — Post-Audit Action Plan

> Generated: 2026-03-13 | Source: Per-service code audit (24 SERVICE_DOCS.md)

> Status: ALL WAVES COMPLETE ✅

---

## Executive Summary

The audit of 24 microservices found **6 cross-cutting problem classes** and **many service-specific bugs**.

Fixes are prioritized by impact: Security > Runtime Bugs > Code Quality > Tech Debt.

---

## P0 — CRITICAL (Security & Runtime Failures)

### P0-1: Missing Authentication/Authorization

**Impact**: All endpoints are public; anyone can call the API.

**Affected**: 18/24 services (only IAM + merchant have complete auth)

| Service | Status | Fix |
|---------|--------|-----|
| catalog-service-net | No [Authorize] | Add auth middleware + attributes |
| order-service-net | No [Authorize] | Add auth middleware + attributes |
| booking-service-net | Public endpoints (only admin has auth) | Add [Authorize] to public controllers |
| fnb-engine-net | No [Authorize] | Add auth middleware + attributes |
| inventory-service-net | No [Authorize] | Add auth middleware + attributes |
| social-service-net | No JWT middleware in pipeline | Add UseAuthentication/UseAuthorization |
| mining-service-net | No [Authorize] | Add auth middleware + attributes |
| chat-service-net | Has [Authorize] ✅ | OK |
| membership-service-net | No [Authorize] | Add auth middleware + attributes |
| wallet-service-net | Has [Authorize] ✅ | OK |
| storage-service-net | Has [Authorize] ✅ | OK |
| ads-manager-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| ads-serving-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| ads-billing-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| ads-tracking-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| ads-analytics-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| promotion-service-net | No [Authorize] | Add auth middleware + attributes |
| mission-service-net | No [Authorize] | Add auth middleware + attributes |
| mkt-facebook-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| mkt-whatsapp-service-net | No [Authorize] | Add auth middleware + attributes |
| mkt-x-service-net | No [Authorize] | Add auth middleware + attributes |
| mkt-zalo-service-net | No [Authorize] | Add auth middleware + attributes |

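The two fixes in the table ("add auth middleware" and "add [Authorize] attributes") are only half of the story: a service that relies on per-controller attributes stays vulnerable to the next controller someone adds without one. The following is an added example (not code from any of the audited services) of the deny-by-default wiring a fixed service should end up with: JWT bearer authentication, a fallback authorization policy so every endpoint requires an authenticated user unless it opts out with `[AllowAnonymous]`, and the middleware in the order ASP.NET Core requires. The configuration keys `Jwt:Authority` / `Jwt:Audience`, the `AdminOnly` policy, and `ProductsController` are assumptions for illustration; the packages `Microsoft.AspNetCore.Authentication.JwtBearer` and the health-check middleware are assumed to be referenced.

```csharp
// Added example: deny-by-default JWT auth wiring for an ASP.NET Core service.
// Not taken from the audited repositories; config keys, policy name and the
// controller are hypothetical.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddHealthChecks();

// 1. Authentication: accept only JWTs issued by the configured authority
//    (in this platform that would be the IAM service) for this service's audience.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = builder.Configuration["Jwt:Authority"];   // assumed key
        options.Audience = builder.Configuration["Jwt:Audience"];     // assumed key
        options.RequireHttpsMetadata = !builder.Environment.IsDevelopment();
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromSeconds(30), // default is 5 minutes; tighten it
        };
    });

// 2. Authorization: the FallbackPolicy applies to every endpoint that carries no
//    explicit [Authorize]/[AllowAnonymous], so a controller added without an
//    attribute is still protected instead of silently public.
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
    options.AddPolicy("AdminOnly", policy => policy.RequireRole("admin"));
});

var app = builder.Build();

// 3. Middleware order matters: UseAuthentication must run before UseAuthorization,
//    and both must be in the pipeline before endpoints execute. Several audited
//    services had neither call, so nothing could ever enforce a policy.
app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();
// Health probes are the one deliberate public endpoint; opt out explicitly.
app.MapHealthChecks("/health").AllowAnonymous();

app.Run();

// Hypothetical controller. No [Authorize] is needed for List(): the fallback
// policy already requires an authenticated caller. Delete() narrows further to
// the admin role, and the only public action says so in code.
[ApiController]
[Route("api/[controller]")]
public sealed class ProductsController : ControllerBase
{
    [HttpGet]
    public IActionResult List() =>
        Ok(new { success = true, data = Array.Empty<object>() });

    [HttpDelete("{id:guid}")]
    [Authorize(Policy = "AdminOnly")]
    public IActionResult Delete(Guid id) => NoContent();

    [HttpGet("public-catalog")]
    [AllowAnonymous]
    public IActionResult PublicCatalog() =>
        Ok(new { success = true, data = Array.Empty<object>() });
}
```

Two checks worth running after applying this to a service: an unauthenticated `GET /api/products` must return 401 (not 200 and not 500), and a token for the wrong audience must also be rejected. Note that the fallback policy also covers non-controller endpoints such as Swagger UI, so anything that is meant to stay public has to opt out with `AllowAnonymous` explicitly.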
### P0-2: Template Artifacts (Runtime Failures)

**Impact**: Services connect to the wrong database or fail to build the Docker image

| Service | Issue | Fix |
|---------|-------|-----|
| mission-service-net | DB name `myservice_db` instead of `mission_service` | Fix appsettings connection string |
| mkt-facebook-service-net | Dockerfile references `MyService.API` | Rename to FacebookService.API |
| mkt-whatsapp-service-net | DbContext file named `MyServiceContext.cs`, DB `myservice_db` | Rename file + fix connection string |
| promotion-service-net | docker-compose uses template naming | Fix service naming |

### P0-3: Critical Handler Bugs

| Service | Bug | Impact |
|---------|-----|--------|
| ads-tracking-service-net | `TrackPixelEventCommandHandler` creates a PixelEvent but NEVER persists it | All tracking data lost |
| ads-tracking-service-net | `RecordConversionCommand` has a handler but NO controller exposes it | Dead code |
| booking-service-net | `UpdateResourceCommand` accepts Name/Capacity but only applies IsActive | Silent data loss |
| ads-manager-service-net | `ListPendingAdsQuery` filters on "Pending" but the enum value is "pending_review" | Always returns empty |
| mining-service-net | `BanMinerCommand` calls Suspend() instead of Ban(); `ResetMinerStreakCommand` is a no-op | Admin actions broken |
| order-service-net | Dapper queries reference DB columns that do not exist | Runtime SQL errors |
| mkt-x-service-net | Only ISampleRepository registered in DI; 8 other repositories missing registration | Runtime DI failures |

---

## P1 — HIGH (Data Integrity & Correctness)

### P1-1: Missing FluentValidation Validators

**Impact**: Invalid data enters the system without validation

| Service | Commands without validators |
|---------|---------------------------|
| ads-manager-service-net | ALL 10 commands |
| ads-serving-service-net | ALL queries (no commands exist) |
| ads-billing-service-net | ALL 3 commands |
| ads-tracking-service-net | 2/3 commands |
| ads-analytics-service-net | ALL commands |
| mining-service-net | ALL commands |
| mission-service-net | ALL 4 commands |
| promotion-service-net | ALL 12 commands |
| social-service-net | ALL 8 commands |

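Writing the validators is the visible part of this fix; the part that actually stops bad data is the pipeline step that runs them before any handler executes. A validator class that is registered but never invoked changes nothing. The following is an added example (not code from any of the audited services) of a FluentValidation validator together with the MediatR pipeline behavior and DI registration that enforce it. `CreateCampaignCommand` and its fields are hypothetical; the `FluentValidation.DependencyInjectionExtensions` and MediatR 12+ packages are assumed.

```csharp
// Added example: a FluentValidation validator plus the MediatR behavior that
// makes it actually run. Not taken from the audited repositories; the command
// and its fields are hypothetical.
using FluentValidation;
using MediatR;
using Microsoft.Extensions.DependencyInjection;

public sealed record CreateCampaignCommand(
    string Name, decimal DailyBudget, DateTime StartsAt, DateTime EndsAt) : IRequest<Guid>;

// Validators are discovered by assembly scan (see AddCommandValidation below),
// so adding one next to a command is enough to get it enforced.
public sealed class CreateCampaignCommandValidator : AbstractValidator<CreateCampaignCommand>
{
    public CreateCampaignCommandValidator()
    {
        RuleFor(c => c.Name).NotEmpty().MaximumLength(200);
        RuleFor(c => c.DailyBudget).GreaterThan(0).LessThanOrEqualTo(1_000_000m);
        RuleFor(c => c.StartsAt)
            .LessThan(c => c.EndsAt)
            .WithMessage("StartsAt must be before EndsAt.");
    }
}

// Runs every registered validator for the request type and short-circuits the
// pipeline with a ValidationException before the handler (and the database) is
// ever reached. Requests with no validators pass straight through.
public sealed class ValidationBehavior<TRequest, TResponse> : IPipelineBehavior<TRequest, TResponse>
    where TRequest : notnull
{
    private readonly IEnumerable<IValidator<TRequest>> _validators;

    public ValidationBehavior(IEnumerable<IValidator<TRequest>> validators)
        => _validators = validators;

    public async Task<TResponse> Handle(
        TRequest request, RequestHandlerDelegate<TResponse> next, CancellationToken ct)
    {
        if (_validators.Any())
        {
            var context = new ValidationContext<TRequest>(request);
            var results = await Task.WhenAll(_validators.Select(v => v.ValidateAsync(context, ct)));
            var failures = results.SelectMany(r => r.Errors).ToList();
            if (failures.Count > 0)
                throw new ValidationException(failures);
        }
        return await next();
    }
}

public static class CommandValidationRegistration
{
    // Call from Program.cs: builder.Services.AddCommandValidation();
    public static IServiceCollection AddCommandValidation(this IServiceCollection services)
    {
        services.AddValidatorsFromAssemblyContaining<CreateCampaignCommandValidator>();
        services.AddMediatR(cfg =>
        {
            cfg.RegisterServicesFromAssemblyContaining<CreateCampaignCommandValidator>();
            // Open generic: one registration covers every command and query type.
            cfg.AddOpenBehavior(typeof(ValidationBehavior<,>));
        });
        return services;
    }
}
```

The `ValidationException` still has to be translated into a 400 response (an exception filter or `UseExceptionHandler` mapping) so that invalid input does not surface as a 500. A cheap regression check for the per-service "ALL commands" rows above is a unit test that resolves every `IRequest<>` type in the assembly and asserts that a matching `IValidator<>` is registered.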
### P1-2: Missing Command/Query Handlers

| Service | Missing Handler |
|---------|----------------|
| promotion-service-net | ExchangeVoucherCommand, PurchaseVoucherCommand (no handlers) |
| promotion-service-net | SearchVouchersQuery, GetCampaignStatisticsQuery, GetCampaignVouchersQuery (no handlers) |
| mission-service-net | GetUserMissionProgressQuery (no handler) |
| mkt-facebook-service-net | GetConversationsQuery, GetCustomersQuery (no handlers) |
| mkt-whatsapp-service-net | GetConversationsQuery (no handler; controller queries the repository directly) |
| ads-manager-service-net | Audience query handlers missing |

### P1-3: Repository Pattern Violations

| Service | Issue |
|---------|-------|
| catalog-service-net | Category handlers use DbContext directly, bypassing the repository |
| booking-service-net | 3 repository interfaces live in Infrastructure instead of Domain |
| ads-billing-service-net | No repository pattern at all, direct DbContext |
| ads-analytics-service-net | No repository pattern |
| ads-serving-service-net | No repository pattern |

---

## P2 — MEDIUM (Code Quality & Conventions)

### P2-1: Response Format Inconsistency

Standard: `{ success: bool, data: T }` — many services return raw DTOs

| Service | Issue |
|---------|-------|
| chat-service-net | Returns raw DTOs |
| membership-service-net | Mixed (Members raw, StampCards wrapped) |
| social-service-net | Returns raw DTOs |
| ads-* services | Return raw DTOs |
| booking-service-net | Returns raw DTOs |

### P2-2: Domain Events Defined but No Handlers

| Service | Unused Events |
|---------|--------------|
| membership-service-net | MembershipLevelChangedDomainEvent (never raised) |
| social-service-net | UserUnblockedDomainEvent (never raised) |
| ads-manager-service-net | All events dispatched but no handlers |
| promotion-service-net | VoucherRedeemedDomainEvent (never consumed) |
| booking-service-net | Events defined but unused |

### P2-3: Missing EF Migrations

| Service | Issue |
|---------|-------|
| mkt-facebook-service-net | No migrations exist |
| ads-billing-service-net | Spurious InvoiceId1 FK column |
| ads-analytics-service-net | ClientRequest table missing from migration |

### P2-4: Unused Dependencies (Tech Debt)

Redis, Dapper, Polly registered but unused in: booking, social, mining, mission, promotion, ads-* services

---

## Fix Execution Plan

### Wave 1 — P0 Security + Template (Parallel Agents)

- Agent 1: Fix auth for core services (catalog, order, booking, fnb-engine, inventory)
- Agent 2: Fix auth for social services (social, mining, membership, mission)
- Agent 3: Fix auth for ads services (ads-manager, ads-serving, ads-billing, ads-tracking, ads-analytics)
- Agent 4: Fix auth for mkt services (mkt-facebook, mkt-whatsapp, mkt-x, mkt-zalo, promotion)
- Agent 5: Fix template artifacts (mission, mkt-facebook, mkt-whatsapp, promotion)
- Agent 6: Fix critical handler bugs (ads-tracking, booking, ads-manager, mining, mkt-x)

### Wave 2 — P1 Validators + Missing Handlers

- Agents 7-12: Add FluentValidation per service group
- Agents 13-15: Implement missing handlers

### Wave 3 — P2 Code Quality

- Response format standardization
- Migration fixes
- Cleanup unused dependencies

---

## Progress Tracking

| Wave | Task | Status | Commit |
|------|------|--------|--------|
| 1 | Auth: core services (catalog, order, booking, fnb, inventory) | ✅ DONE | f8606e0 |
| 1 | Auth: social services (social, mining, membership, mission) | ✅ DONE | f8606e0 |
| 1 | Auth: ads services (5 services) | ✅ DONE | f8606e0 |
| 1 | Auth: mkt services + promotion | ✅ DONE | f8606e0 |
| 1 | Template artifacts (mission, mkt-facebook, mkt-whatsapp, promotion) | ✅ DONE | f8606e0 |
| 1 | Critical handler bugs (7 bugs across 5 services) | ✅ DONE | f8606e0 |
| 2 | Validators: ads services (16 validators) | ✅ DONE | 59b2cec |
| 2 | Validators: social+mining+mission+promotion (41 validators) | ✅ DONE | 59b2cec |
| 2 | Missing handlers (10 handlers across 4 services) | ✅ DONE | 59b2cec |
| 3 | Response format standardization (30 controllers, 8 services) | ✅ DONE | efabe49 |
| 3 | Migration fixes (InvoiceId1 FK, idempotency cleanup) | ✅ DONE | efabe49 |
| 3 | Cleanup unused dependencies (no DI registrations found) | ✅ N/A | — |