690401:1326 fix secutities uuid

2026-04-01 13:26:19 +07:00
parent 83b04773f7
commit 1d868d10b3
17 changed files with 105 additions and 185 deletions
@@ -12,5 +12,5 @@ services:
  # Override สำหรับ Database (Local Dev)
  mariadb:
    environment:
-      - MYSQL_ROOT_PASSWORD=Center#2025
+      - MYSQL_ROOT_PASSWORD=Center2025
      - MYSQL_PASSWORD=Center2025
@@ -1,105 +0,0 @@
-- Migration: Align Schema with Documentation
-- Version: 1733800000000
-- Date: 2025-12-10
-- Description: Add missing fields and fix column lengths to match schema v1.5.1
-- ==========================================================
-- Phase 1: Organizations Table Updates
-- ==========================================================
-- Add role_id column to organizations
-ALTER TABLE organizations
-ADD COLUMN role_id INT NULL COMMENT 'Reference to organization_roles table';
-
-- Add foreign key constraint
-ALTER TABLE organizations
-ADD CONSTRAINT fk_organizations_role FOREIGN KEY (role_id) REFERENCES organization_roles(id) ON DELETE
-SET NULL;
-
-- Modify organization_name length from 200 to 255
-ALTER TABLE organizations
-MODIFY COLUMN organization_name VARCHAR(255) NOT NULL COMMENT 'Organization name';
-
-- ==========================================================
-- Phase 2: Users Table Updates (Security Fields)
-- ==========================================================
-- Add failed_attempts for login tracking
-ALTER TABLE users
-ADD COLUMN failed_attempts INT DEFAULT 0 COMMENT 'Number of failed login attempts';
-
-- Add locked_until for account lockout mechanism
-ALTER TABLE users
-ADD COLUMN locked_until DATETIME NULL COMMENT 'Account locked until this timestamp';
-
-- Add last_login_at for audit trail
-ALTER TABLE users
-ADD COLUMN last_login_at TIMESTAMP NULL COMMENT 'Last successful login timestamp';
-
-- ==========================================================
-- Phase 3: Roles Table Updates
-- ==========================================================
-- Modify role_name length from 50 to 100
-ALTER TABLE roles
-MODIFY COLUMN role_name VARCHAR(100) NOT NULL COMMENT 'Role name';
-
-- ==========================================================
-- Verification Queries
-- ==========================================================
-- Verify organizations table structure
-SELECT COLUMN_NAME,
-  DATA_TYPE,
-  CHARACTER_MAXIMUM_LENGTH,
-  IS_NULLABLE,
-  COLUMN_COMMENT
-FROM INFORMATION_SCHEMA.COLUMNS
-WHERE TABLE_SCHEMA = DATABASE()
-  AND TABLE_NAME = 'organizations'
-ORDER BY ORDINAL_POSITION;
-
-- Verify users table has new security fields
-SELECT COLUMN_NAME,
-  DATA_TYPE,
-  COLUMN_DEFAULT,
-  IS_NULLABLE,
-  COLUMN_COMMENT
-FROM INFORMATION_SCHEMA.COLUMNS
-WHERE TABLE_SCHEMA = DATABASE()
-  AND TABLE_NAME = 'users'
-  AND COLUMN_NAME IN (
-    'failed_attempts',
-    'locked_until',
-    'last_login_at'
-  )
-ORDER BY ORDINAL_POSITION;
-
-- Verify roles table role_name length
-SELECT COLUMN_NAME,
-  DATA_TYPE,
-  CHARACTER_MAXIMUM_LENGTH
-FROM INFORMATION_SCHEMA.COLUMNS
-WHERE TABLE_SCHEMA = DATABASE()
-  AND TABLE_NAME = 'roles'
-  AND COLUMN_NAME = 'role_name';
-
-- ==========================================================
-- Rollback Script (Use if needed)
-- ==========================================================
-/*
- -- Rollback Phase 3: Roles
- ALTER TABLE roles
- MODIFY COLUMN role_name VARCHAR(50) NOT NULL;
- 
- -- Rollback Phase 2: Users
- ALTER TABLE users
- DROP COLUMN last_login_at,
- DROP COLUMN locked_until,
- DROP COLUMN failed_attempts;
- 
- -- Rollback Phase 1: Organizations
- ALTER TABLE organizations
- MODIFY COLUMN organization_name VARCHAR(200) NOT NULL;
- 
- ALTER TABLE organizations
- DROP FOREIGN KEY fk_organizations_role;
- 
- ALTER TABLE organizations
- DROP COLUMN role_id;
- */
@@ -57,7 +57,7 @@ import { MigrationModule } from './modules/migration/migration.module';
    // 1. Setup Config Module พร้อม Validation
    ConfigModule.forRoot({
      isGlobal: true,
-      envFilePath: '.env',
+      envFilePath: ['.env', '.env.local'],
      load: [redisConfig],
      validationSchema: envValidationSchema,
      validationOptions: {
@@ -4,8 +4,8 @@ export const databaseConfig: TypeOrmModuleOptions = {
  type: 'mysql',
  host: process.env.DB_HOST || 'localhost',
  port: Number(process.env.DB_PORT || '3306'),
-  username: process.env.DB_USERNAME || 'root',
-  password: process.env.DB_PASSWORD || 'Center#2025',
+  username: process.env.DB_USERNAME || 'admin',
+  password: process.env.DB_PASSWORD || 'Center2025',
  database: process.env.DB_DATABASE || 'lcbp3_dev',
  charset: 'utf8mb4',
  entities: [__dirname + '/../**/*.entity{.ts,.js}'],
@@ -97,7 +97,7 @@ export async function seedUsers(dataSource: DataSource) {
  ];

  const salt = await bcrypt.genSalt();
-  const password = await bcrypt.hash('password123', salt); // Default password
+  const password = await bcrypt.hash('Center2025', salt); // Default password (ADR-019 aligned)

  for (const u of usersData) {
    let user = await userRepo.findOneBy({ username: u.username });
@@ -8,15 +8,16 @@ import { Can } from '@/components/common/can';
 export const dynamic = 'force-dynamic';

 interface CorrespondencesPageProps {
-  searchParams?: {
+  searchParams: Promise<{
    type?: string;
-  };
+  }>;
 }

-export default function CorrespondencesPage({
+export default async function CorrespondencesPage({
  searchParams,
 }: CorrespondencesPageProps) {
-  const isRfaView = searchParams?.type?.toUpperCase() === 'RFA';
+  const params = await searchParams;
+  const isRfaView = params?.type?.toUpperCase() === 'RFA';
  const heading = isRfaView ? 'RFAs (Request for Approval)' : 'Correspondences';
  const description = isRfaView
    ? 'Unified list view for RFA documents'
@@ -7,6 +7,7 @@ import QueryProvider from '@/providers/query-provider';
 import SessionProvider from '@/providers/session-provider'; // ✅ Import เข้ามา
 import ThemeProvider from '@/providers/theme-provider';
 import { Toaster } from '@/components/ui/sonner';
+import { headers } from 'next/headers';

 const inter = Inter({ subsets: ['latin'] });

@@ -19,13 +20,15 @@ interface RootLayoutProps {
  children: React.ReactNode;
 }

-export default function RootLayout({ children }: RootLayoutProps) {
+export default async function RootLayout({ children }: RootLayoutProps) {
+  const nonce = (await headers()).get('x-nonce') || '';
+
  return (
    <html lang="en" suppressHydrationWarning>
      <head />
      <body className={cn('min-h-screen bg-background font-sans antialiased', inter.className)}>
-        <SessionProvider>
-          <ThemeProvider>
+        <SessionProvider nonce={nonce}>
+          <ThemeProvider nonce={nonce}>
            <QueryProvider>
              {children}
              <Toaster />
@@ -2,7 +2,7 @@
 'use client';

 import { useAuthStore } from '@/lib/stores/auth-store';
-import { ReactNode } from 'react';
+import { ReactNode, useEffect, useState } from 'react';

 interface CanProps {
  permission?: string;
@@ -18,6 +18,15 @@ interface CanProps {

 export function Can({ permission, role, children, fallback = null }: CanProps) {
  const { hasPermission, hasRole } = useAuthStore();
+  const [mounted, setMounted] = useState(false);
+
+  useEffect(() => {
+    setMounted(true);
+  }, []);
+
+  if (!mounted) {
+    return <>{fallback}</>;
+  }

  let allowed = true;

@@ -162,13 +162,13 @@ export const {
          }

          return {
-            id: backendData.user.user_id.toString(),
-            publicId: backendData.user.publicId, // ✅ Added (ADR-019 Waived for session)
+            id: backendData.user.publicId, // ✅ Use publicId for session identity (ADR-019)
+            publicId: backendData.user.publicId,
            name: `${backendData.user.firstName ?? ''} ${backendData.user.lastName ?? ''}`.trim(),
            email: backendData.user.email,
            username: backendData.user.username,
-            firstName: backendData.user.firstName, // ✅ Added
-            lastName: backendData.user.lastName, // ✅ Added
+            firstName: backendData.user.firstName,
+            lastName: backendData.user.lastName,
            role: backendData.user.role || 'User',
            organizationId: backendData.user.primaryOrganizationId,
            accessToken: backendData.access_token,
@@ -3,8 +3,8 @@ import { create } from 'zustand';
 import { persist } from 'zustand/middleware';

 export interface User {
-  id: string; // Internal stringified INT (for stability)
-  publicId?: string; // ADR-019: Public UUIDv7
+  id: string; // publicId (ADR-019)
+  publicId: string;
  username: string;
  email: string;
  firstName: string;
@@ -78,18 +78,6 @@ const nextConfig = {
            key: 'X-Content-Type-Options',
            value: 'nosniff',
          },
-          {
-            key: 'Content-Security-Policy',
-            value: [
-              "default-src 'self'",
-              "script-src 'self' 'unsafe-eval'", // จำเป็นสำหรับ Workflow DSL Engine (new Function())
-              "style-src 'self' 'unsafe-inline'",
-              "img-src 'self' data: https:",
-              "font-src 'self'",
-              "connect-src 'self' ws: wss:",
-              "frame-src 'self'",
-            ].join('; '),
-          },
        ],
      },
    ];
@@ -4,9 +4,15 @@
 import { SessionProvider as NextAuthSessionProvider } from 'next-auth/react';
 import { AuthSync } from '@/components/auth/auth-sync';

-export default function SessionProvider({ children }: { children: React.ReactNode }) {
+export default function SessionProvider({
+  children,
+  nonce,
+}: {
+  children: React.ReactNode;
+  nonce?: string;
+}) {
  return (
-    <NextAuthSessionProvider>
+    <NextAuthSessionProvider nonce={nonce}>
      <AuthSync />
      {children}
    </NextAuthSessionProvider>
@@ -4,8 +4,10 @@ import { ThemeProvider as NextThemesProvider } from 'next-themes';

 export default function ThemeProvider({
  children,
+  nonce,
 }: {
  children: React.ReactNode;
+  nonce?: string;
 }) {
  return (
    <NextThemesProvider
@@ -13,6 +15,7 @@ export default function ThemeProvider({
      defaultTheme="dark"
      enableSystem={false}
      themes={['light', 'dark']}
+      nonce={nonce}
    >
      {children}
    </NextThemesProvider>
@@ -43,7 +43,47 @@ export default auth((req) => {
    }
  }

-  return NextResponse.next(); // แก้ไขจาก null
+  // 5. Generate CSP with Nonce (Security Rule Tier 1)
+  // ใช้ Nonce Strategy เพื่ออนุญาต Inline Script เฉพาะที่ระบุตัวตนได้ ป้องกัน XSS
+  const nonce = Buffer.from(crypto.randomUUID()).toString('base64');
+  
+  let connectSrcApi = 'http://localhost:3001';
+  if (process.env.NEXT_PUBLIC_API_URL) {
+    try {
+      connectSrcApi = new URL(process.env.NEXT_PUBLIC_API_URL).origin;
+    } catch {
+      connectSrcApi = process.env.NEXT_PUBLIC_API_URL;
+    }
+  }
+
+  const cspHeader = `
+    default-src 'self';
+    script-src 'self' 'nonce-${nonce}' 'strict-dynamic' 'unsafe-eval';
+    style-src 'self' 'unsafe-inline';
+    img-src 'self' blob: data: https:;
+    font-src 'self' data:;
+    connect-src 'self' ws: wss: ${connectSrcApi};
+    object-src 'none';
+    base-uri 'self';
+    form-action 'self';
+    frame-ancestors 'none';
+    upgrade-insecure-requests;
+  `
+    .replace(/\s{2,}/g, ' ')
+    .trim();
+
+  const requestHeaders = new Headers(req.headers);
+  requestHeaders.set('x-nonce', nonce);
+  requestHeaders.set('Content-Security-Policy', cspHeader);
+
+  const response = NextResponse.next({
+    request: {
+      headers: requestHeaders,
+    },
+  });
+  response.headers.set('Content-Security-Policy', cspHeader);
+
+  return response;
 });

 // กำหนดว่า Middleware นี้จะทำงานกับ Route ไหนบ้าง
@@ -4,11 +4,11 @@ import _NextAuth, { DefaultSession } from 'next-auth';
 declare module 'next-auth' {
  interface Session {
    user: {
-      id: string;
-      publicId: string; // ✅ Added (ADR-019 Waived for session)
-      username: string; // ✅ Added
-      firstName: string; // ✅ Added
-      lastName: string; // ✅ Added
+      id: string; // publicId (ADR-019)
+      publicId: string;
+      username: string;
+      firstName: string;
+      lastName: string;
      role: string;
      organizationId?: number;
    } & DefaultSession['user'];
@@ -18,11 +18,11 @@ declare module 'next-auth' {
  }

  interface User {
-    id: string;
-    publicId: string; // ✅ Added
-    username: string; // ✅ Added
-    firstName: string; // ✅ Added
-    lastName: string; // ✅ Added
+    id: string; // publicId (ADR-019)
+    publicId: string;
+    username: string;
+    firstName: string;
+    lastName: string;
    role: string;
    organizationId?: number;
    accessToken?: string;
@@ -32,8 +32,8 @@ declare module 'next-auth' {

 declare module 'next-auth/jwt' {
  interface JWT {
-    id: string;
-    username: string; // ✅ Added
+    id: string; // publicId or username depending on auth flow
+    username: string;
    role: string;
    organizationId?: number;
    accessToken?: string;
@@ -13,7 +13,7 @@
    "start:mcp": "node ./scripts/start-mcp.js",
    "dev:backend": "pnpm --filter backend start:dev",
    "dev:frontend": "pnpm --filter lcbp3-frontend dev",
-    "dev": "pnpm run --parallel /dev|start:dev/",
+    "dev": "pnpm run --parallel \"/dev|start:dev/\"",
    "prepare": "husky",
    "lint": "eslint .",
    "lint:fix": "eslint . --fix"
@@ -2,7 +2,7 @@

 **Status:** Accepted
 **Date:** 2026-03-12
-**Version:** 1.8.1
+**Version:** 1.8.2
 **Decision Makers:** Development Team, Database Architect
 **Related Documents:**

@@ -369,26 +369,6 @@ ALTER TABLE notifications
  -- Using regular INDEX instead
 ```

-### Rollback SQL
-
-```sql
-- Rollback: Remove UUID columns (Non-destructive reverse)
-ALTER TABLE users DROP INDEX idx_users_uuid, DROP COLUMN uuid;
-ALTER TABLE organizations DROP INDEX idx_organizations_uuid, DROP COLUMN uuid;
-ALTER TABLE projects DROP INDEX idx_projects_uuid, DROP COLUMN uuid;
-ALTER TABLE contracts DROP INDEX idx_contracts_uuid, DROP COLUMN uuid;
-ALTER TABLE correspondences DROP INDEX idx_correspondences_uuid, DROP COLUMN uuid;
-ALTER TABLE correspondence_revisions DROP INDEX idx_correspondence_revisions_uuid, DROP COLUMN uuid;
-ALTER TABLE circulations DROP INDEX idx_circulations_uuid, DROP COLUMN uuid;
-ALTER TABLE shop_drawings DROP INDEX idx_shop_drawings_uuid, DROP COLUMN uuid;
-ALTER TABLE shop_drawing_revisions DROP INDEX idx_shop_drawing_revisions_uuid, DROP COLUMN uuid;
-ALTER TABLE contract_drawings DROP INDEX idx_contract_drawings_uuid, DROP COLUMN uuid;
-ALTER TABLE asbuilt_drawings DROP INDEX idx_asbuilt_drawings_uuid, DROP COLUMN uuid;
-ALTER TABLE asbuilt_drawing_revisions DROP INDEX idx_asbuilt_drawing_revisions_uuid, DROP COLUMN uuid;
-ALTER TABLE attachments DROP INDEX idx_attachments_uuid, DROP COLUMN uuid;
-ALTER TABLE notifications DROP INDEX idx_notifications_uuid, DROP COLUMN uuid;
-```
-
 ---

 ## Storage Impact Analysis
@@ -530,17 +510,12 @@ type ProjectOption = {

 ---

-## Waivers & Exceptions
+## 🔄 Change Log

-### 1. AuthStore / Frontend Session User Identity
-
-**Date:** 2026-04-01
-**Scope:** `frontend/lib/stores/auth-store.ts`, `frontend/lib/auth.ts`
-
-**Decision:** ให้คงฟิลด์ `id` (stringified `user_id` INT) ไว้ใน `User` interface ของ `AuthStore` และ `NextAuth Session` เพื่อความเสถียรของระบบ Login ที่ใช้งานได้ดีอยู่แล้ว โดยให้เพิ่ม `publicId` เป็นฟิลด์เสริมแทนการ Replacement (Waive strict ADR-019 compliance for Session Identity only).
-
-**Rationale:** ป้องกันความเสี่ยงในการเปลี่ยน Logic การจัดการ Session ที่อาจส่งผลกระทบต่อระบบ Authentication โดยรวม
-
---
+| Version | Date       | Changes                                                             | Updated By  |
+| ------- | ---------- | ------------------------------------------------------------------- | ----------- |
+| 1.8.2   | 2026-04-01 | Removed Waiver: Session Identity to enforce strict `publicId` usage | Antigravity |
+| 1.8.1   | 2026-03-21 | Added Naming Convention Summary & Transition Strategy               | Claude      |
+| 1.8.0   | 2026-03-12 | Initial Decision Outcome & Technical Spec                           | Human Dev   |

 _สำหรับรายละเอียดการ Implement ดูที่ Implementation Plan ใน `05-07-hybrid-uuid-implementation-plan.md`_