fix: audit fix pass #1 — all 19 verified HIGH findings + critical dep cleanup
Fixes every CRITICAL/HIGH finding from the 2026-06-09 full-codebase audit
(REVIEW_FINDINGS.md); each fix went through independent spec + code-quality
review. Plan and per-task log: docs/superpowers/plans/2026-06-10-audit-high-fix-pass.md
- attendance: schemas accept the combined local datetimes the forms/service
use (new dateTimeString helpers in schemas/common.ts), breaks persist on
create, AttendanceCreate submit rebuilt — every submit 400'd since 519edce
- 2fa: backup codes wired to /totp/backup-verify (+ remember-me parity),
enrollment QR generated locally via qrcode (CSP-blocked external service
also leaked the secret), dashboard shows per-user enrollment, not policy
- invoices/orders: per-line VAT survives re-saves (numberOr 0-respecting
coercion in formatters.ts), billing_text persists on update, issued-order
status transitions update UI gates
- trips: real pagination on all 3 pages, GET /trips/stats server aggregate
(shared buildTripsWhere + legacy distance coalesce), vehicle_id applies on
PUT with both-vehicle odometer recompute, print rebuilt (sync window.open,
escaped template, server totals)
- orders api: attachment_data PDF blob excluded from all non-binary reads
- warehouse: unit field is a Select over UnitEnum, receipt attachments
downloadable via new authenticated GET route
- downloads: shared RFC 5987 contentDisposition helper — Czech filenames no
longer 500 (warehouse, received-invoices, orders endpoints)
- misc: block-env hook actually blocks (exit 2 + stderr), project create
works with empty dates, NaN filter guards on trips endpoints
- deps: remove unused concurrently (clears both critical advisories), pin
@hono/node-server >=1.19.13 via overrides (clears the 3 moderates without
the Prisma 6 downgrade), drop deprecated @types stubs
Gates: tsc -b clean - vitest 30 files / 342 tests (31 new) - eslint 0 errors
- build OK
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -264,7 +264,8 @@ export default async function totpRoutes(
|
||||
async (request, reply) => {
|
||||
const parsed = parseBody(TotpBackupSchema, request.body);
|
||||
if ("error" in parsed) return error(reply, parsed.error, 400);
|
||||
const { login_token, backup_code: code } = parsed.data;
|
||||
const { login_token, backup_code: code, remember_me } = parsed.data;
|
||||
const rememberMe = remember_me ?? false;
|
||||
|
||||
const tokenHash = crypto
|
||||
.createHash("sha256")
|
||||
@@ -393,14 +394,18 @@ export default async function totpRoutes(
|
||||
.update(refreshTokenRaw)
|
||||
.digest("hex");
|
||||
|
||||
// Mirror /login/totp: honor remember_me so a backup-code login keeps
|
||||
// the same session longevity the user asked for at the password step.
|
||||
const refreshExpiresIn = rememberMe
|
||||
? config.jwt.refreshTokenRememberExpiry
|
||||
: config.jwt.refreshTokenSessionExpiry;
|
||||
|
||||
await prisma.refresh_tokens.create({
|
||||
data: {
|
||||
user_id: user.id,
|
||||
token_hash: refreshTokenHash,
|
||||
expires_at: new Date(
|
||||
Date.now() + config.jwt.refreshTokenSessionExpiry * 1000,
|
||||
),
|
||||
remember_me: false,
|
||||
expires_at: new Date(Date.now() + refreshExpiresIn * 1000),
|
||||
remember_me: rememberMe,
|
||||
ip_address: request.ip,
|
||||
user_agent: request.headers["user-agent"] ?? null,
|
||||
},
|
||||
@@ -411,7 +416,7 @@ export default async function totpRoutes(
|
||||
secure: config.isProduction,
|
||||
sameSite: "strict",
|
||||
path: "/api/admin",
|
||||
maxAge: config.jwt.refreshTokenSessionExpiry,
|
||||
maxAge: refreshExpiresIn,
|
||||
});
|
||||
|
||||
await logAudit({
|
||||
|
||||
Reference in New Issue
Block a user