f55807fa7d
wip
2026-06-20 15:13:23 -07:00
769597d769
refactor finance.
2026-05-29 23:56:29 -07:00
95fa37ebdf
fix(expense): open category read to all authed users; statement lookups via FirstOrDefaultAsync
...
Final-review findings:
- ExpenseCategoriesController was finance-only at the class level, but the member
self-service reimbursement form reads the category list to populate its dropdown,
so members got 403 and could not submit. Open GET to any authenticated user;
keep group/subcategory writes finance-only (mirrors MinistriesController).
Verified live with a member-role account: reads 200, writes 403, self-submit 200.
- MonthlyStatementService Update/Finalize now use FirstOrDefaultAsync for
convention consistency with the rest of the service layer.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com >
2026-05-29 19:14:18 -07:00
e1f99158aa
fix(expense): resolve current user id from 'sub' JWT claim
...
Live verification revealed the JWT carries the user id in the 'sub' claim
(NameClaimType=sub, MapInboundClaims=false), so ClaimTypes.NameIdentifier is
null at runtime. This caused ExpensesController.GetMine/GetById to throw
NullReferenceException (500) on the '!.Value', and made the services fall back
to 'system' — silently defeating the self-ownership guard. Resolve via
NameIdentifier (unit tests) then 'sub' (real tokens). Adds a regression test.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com >
2026-05-29 19:08:21 -07:00
9933c180b7
feat(expense): add controllers + register services
...
Adds ExpenseCategoriesController, ExpensesController, MonthlyStatementsController
and registers IExpenseCategoryService, IExpenseService, IMonthlyStatementService in DI.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-29 18:37:25 -07:00
86d9879a6d
feat(expense): add MonthlyStatementService with server-side recompute + tests
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-29 18:34:39 -07:00
d9289008f6
feat(expense): add ExpenseService with state machine + receipt storage + tests
...
TDD: wrote 8 tests first (red), then implemented IExpenseService + ExpenseService
covering CRUD, Draft→PendingApproval→Approved→Paid state machine, soft-delete,
per-owner access guards, and receipt blob round-trip via IFileStorage.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-29 18:28:38 -07:00
015f689d9b
feat(expense): add ExpenseCategoryService + tests
...
TDD cycle: wrote 3 xUnit tests first (red), then implemented
IExpenseCategoryService + ExpenseCategoryService (green).
2026-05-29 18:24:07 -07:00
15cdfe6f92
feat(expense): add expense, category, and monthly-statement DTOs
2026-05-29 18:21:52 -07:00
e7bf07c2ad
feat(storage): add IFileStorage + local-disk implementation
...
Adds IFileStorage abstraction and LocalDiskFileStorage for receipt file storage with path-traversal protection, and registers it in DI. Includes 3 TDD-verified xUnit tests.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-29 18:18:28 -07:00
ac65c68e18
feat(expense): add AddExpenseModule EF migration
...
Creates Ministries, ExpenseCategoryGroups, ExpenseSubCategories,
Expenses (with filtered Status index, MinistryId/ExpenseDate indexes,
Restrict FKs + SetNull on Member), and MonthlyStatements (unique
Year+Month index) tables. No existing tables modified.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-29 18:15:16 -07:00
cf929557fe
feat(expense): add Expense + MonthlyStatement entities and EF config
2026-05-29 18:11:56 -07:00
b3eb9d297a
feat(expense): add expense category entities + seed (11 groups / 38 subs)
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-29 18:08:12 -07:00
f6f06d841c
feat(ministry): add Ministry entity, seed (10), and read endpoint
2026-05-29 18:03:28 -07:00
a573179714
feat(giving): match giver member name in single-giving search (spec §4.2)
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-28 17:24:47 -07:00
b5a15dd9f2
feat(giving): add offering-sessions controller
2026-05-28 16:54:24 -07:00
86041c0d05
fix(giving): map duplicate-date race to 409 + return zelle/paypal refs in session detail
2026-05-28 16:53:24 -07:00
e04776460d
feat(giving): offering-session batch service with server-side totals + locking
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-28 16:47:19 -07:00
586551aec0
feat(giving): add givings controller
2026-05-28 16:43:06 -07:00
2b6f29e775
feat(giving): single-entry giving service with paging + lock guard
...
Adds GivingListItemDto, GivingDto, CreateGivingRequest, UpdateGivingRequest DTOs;
IGivingService interface; GivingService implementation with category/date filtering,
OfferingSession lock guard (Submitted/Reconciled), and DI registration in Program.cs.
Covered by 4 xUnit tests (TDD: red → green).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-28 16:38:32 -07:00
81efaedbc2
feat(giving): add giving-categories controller
2026-05-28 16:34:18 -07:00
cb15d30980
refactor(giving): drop unused accessor from category service + add deactivate-missing test
2026-05-28 16:33:27 -07:00
798dfa3fe0
feat(giving): giving-category service with CRUD + soft-disable
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-28 16:29:31 -07:00
8b52572fad
feat(giving): add EF migration for giving module
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-28 16:25:11 -07:00
577ae1aabe
refactor(giving): use AnyAsync in category seed (code-review minor)
2026-05-28 16:21:32 -07:00
e20964ae0d
feat(giving): seed default giving categories
2026-05-28 16:19:44 -07:00
999f8a80f9
feat(giving): add GivingCategory, OfferingSession, Giving entities + EF config
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-28 16:16:24 -07:00
a525c71baa
WIP
2026-05-28 15:25:31 -07:00
d79b1faa8f
fix 401 loop hell
2026-05-27 15:09:05 -07:00
e83fa4c2e9
fix: use RandomNumberGenerator for cryptographic temp password generation
...
Replaced `new Random()` with `RandomNumberGenerator.GetInt32()` and a
Fisher-Yates shuffle to ensure temp passwords are cryptographically secure.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-27 14:29:26 -07:00
8249b3fe3e
feat: add UsersController and register all services
...
Adds UsersController with CRUD endpoints (list, get, create, update,
deactivate, reset-password) restricted to super_admin role. Registers
IUserManagementService in Program.cs alongside existing services.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-27 14:10:46 -07:00
3ab0998793
feat: add UserManagementService with temp-password creation and deactivation
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-27 14:08:50 -07:00
0986233d9b
feat: add MembersController (CRUD + paged list)
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-27 14:03:23 -07:00
bfffdee2a8
feat: add MemberService with soft-delete and paged search
...
Implements IMemberService with Create/Read/Update/soft-Delete operations,
NickName/zh-name search, status and hasUser filtering, and full xUnit coverage
(11 tests). Uses separate user-lookup query for InMemory DB compatibility; detaches
entity after soft-delete so query-filter assertions work correctly in tests.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-27 14:00:59 -07:00
97743f6974
feat: add PagedResult, Member DTOs, and User DTOs
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-27 13:55:21 -07:00
34344cbf83
feat: add Member/FamilyUnit DbSets, audit interceptor registration, EF migration
...
Registers AuditSaveChangesInterceptor in DI and wires it into AppDbContext.
Adds Members and FamilyUnits DbSets with full column/index configuration and
applies the AddMemberAndFamilyUnit migration to the ChurchCRM database.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-27 13:52:58 -07:00
cd5413125d
feat: add Member and FamilyUnit entities
2026-05-27 13:49:50 -07:00
820ca6981c
feat: add AuditSaveChangesInterceptor and failing interceptor tests
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-27 13:48:03 -07:00
f703519838
fix: use DateTimeOffset instead of DateTime in audit base classes
2026-05-27 13:46:31 -07:00
5041873c2b
feat: add AuditableEntity and SoftDeleteEntity base classes
2026-05-27 13:44:10 -07:00
60405ef0aa
WIP
2026-05-27 07:49:26 -07:00
2aa095c158
Task 11: Smoke test fixes (all 5 scenarios pass)
...
TokenService.GenerateRefreshToken():
- Switched to URL-safe Base64 (RFC 4648 §5): +→-, /→_, no = padding.
- Characters are unreserved per RFC 6265, so Response.Cookies.Append
does NOT percent-encode the value. Request.Cookies reads back exact value.
AuthController:
- CookieOptions.Secure = !env.IsDevelopment()
Plain HTTP in local dev works; HTTPS-only in staging/production.
- Inject IWebHostEnvironment for environment-aware Secure flag.
TokenServiceTests:
- Updated GenerateRefreshToken test: 86-char URL-safe Base64 instead
of 64-byte standard Base64. 16/16 tests pass.
Smoke test results (http://localhost:5209 ):
1. POST /api/auth/login → 200 + rolac_rt cookie + JWT
2. POST /api/auth/refresh → 200 + new token (rotation)
3. POST /api/auth/logout → 204 + cookie cleared
4. Refresh with revoked token → 401
5. Wrong password → 401
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-26 19:28:20 -07:00
ef0098d5cc
Task 10: EF Core InitialAuth migration
...
Applied against ChurchCRM database on 192.168.68.55:49154.
Creates Identity tables (AspNetUsers, AspNetRoles, AspNetUserRoles, etc.)
+ RefreshTokens table with unique index on TokenHash.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-26 19:13:30 -07:00
8b86bd573e
Tasks 7-9: AuthController, appsettings, Program.cs
...
Task 7 – AuthController (POST /api/auth/login|refresh|logout)
- Refresh token in HttpOnly; Secure; SameSite=Strict cookie (rolac_rt)
- Cookie Path scoped to /api/auth; cleared on logout/invalid refresh
Task 8 – appsettings.json (non-secret JWT values + CORS origins)
- appsettings.Development.json carries connection string + JWT secret
(file is gitignored)
Task 9 – Program.cs wiring
- EF Core + Npgsql, ASP.NET Core Identity, JWT Bearer auth
- RoleClaimType=role matches the short JWT claim name written by TokenService
- CORS: AllowCredentials for Angular app
- Swagger UI with Bearer security definition
- Startup: MigrateAsync + DbSeeder.SeedAsync (roles + dev admin)
- DbSeeder: added SeedAsync(IServiceProvider) entry point
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-26 17:40:52 -07:00
9db8b34181
Task 6: AuthService + 9 unit tests (16/16 pass)
...
- IAuthService: LoginAsync / RefreshAsync / LogoutAsync
- AuthService: refresh-token rotation, hashed storage, LastLoginAt update
- AuthServiceTests: 5 login + 3 refresh + 1 logout tests via Moq + EF InMemory
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-26 17:38:56 -07:00
f74563bb36
Task 5: TokenService + unit tests (7/7 pass)
...
- ITokenService: GenerateAccessToken / GenerateRefreshToken / HashToken
- TokenService: JWT (HS256, 15-min), 64-byte CSPRNG refresh, SHA-256 hex hash
- Role claims use short JWT name role (v7.x JsonWebTokenHandler compatible)
- TokenServiceTests: 7 xUnit tests, payload decoded via Base64Url+System.Text.Json
to avoid Microsoft.IdentityModel 7.1.2/7.5.2 version-mismatch issues
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-26 17:34:56 -07:00
b335867b30
feat: add LoginRequest and LoginResponse DTOs
2026-05-25 19:07:36 -07:00
a66a3f7cb0
feat: add AppDbContext (Identity + RefreshTokens) and DbSeeder (13 roles + dev admin)
2026-05-25 19:05:02 -07:00
40d740d6e0
feat: add AppUser, AppRole, RefreshToken entities
2026-05-25 19:02:22 -07:00
5a789fb0c2
chore: add Identity, EF Core PostgreSQL, JWT Bearer packages
2026-05-25 19:00:30 -07:00
Chris Chen