security: fix all Medium findings from FLAWS_REPORT audit

- Auth: TOTP replay protection with counter tracking, constant-time backup code comparison, atomic lockout increment, per-token logout - Invoices/PDFs: net-based VAT calculation, dangerous URL scheme stripping in cleanQuillHtml, orders-pdf error handling - Orders: reject item changes on status transition, cascading delete cleanup, take:1 with orderBy - Projects: atomic rename collision handling, MIME/extension validation, empty customer name rejection - Attendance: Czech public holiday awareness in frontend fund calculation, leave_hours 0 handling, invalid date NaN guard, bounded per-month queries in workfund - Users/Admin: profile audit logging + password validation, session revocation guard, session ID validation, dashboard DB aggregation, soft-deleted record protection in scope templates - Frontend: FormField label linkage, Pagination ARIA, error handling in OrderConfirmationModal, 401 propagation, GPS emoji hidden from screen readers, table sort state fix, geolocation race/abort cleanup, Leaflet popup DOM safety, Vehicles toggleActive minimal body, CompanySettings ref mutation fix, OfferDetail unlock abort, AttendanceBalances combined fetches - Utils: env validation, Puppeteer concurrency mutex, invoice alert cron cleanup on shutdown, body limit alignment, TOTP error logging, trustProxy from env, symlink rejection, rate cache Map usage Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-24 08:24:14 +02:00
parent 528e55991b
commit 4f4b12f039
33 changed files with 442 additions and 211 deletions
--- a/src/admin/pages/Attendance.tsx
+++ b/src/admin/pages/Attendance.tsx
@@ -126,9 +126,12 @@ export default function Attendance() {
    action: string | null;
  }>({ show: false, action: null });
  const geoAbortRef = useRef<AbortController | null>(null);
+  const mountedRef = useRef(true);
+  const latestActionRef = useRef<string | null>(null);

  useEffect(() => {
    return () => {
+      mountedRef.current = false;
      if (geoAbortRef.current) geoAbortRef.current.abort();
    };
  }, []);
@@ -179,6 +182,7 @@ export default function Attendance() {

  const handlePunch = (action: string) => {
    setSubmitting(true);
+    latestActionRef.current = action;

    if (!navigator.geolocation) {
      alert.warning("GPS není dostupná");
@@ -188,6 +192,7 @@ export default function Attendance() {

    navigator.geolocation.getCurrentPosition(
      (position) => {
+        if (!mountedRef.current) return;
        const { latitude, longitude, accuracy } = position.coords;
        submitPunch(action, { latitude, longitude, accuracy, address: "" });

@@ -203,6 +208,8 @@ export default function Attendance() {
        )
          .then((r) => r.json())
          .then((geoData) => {
+            if (!mountedRef.current) return;
+            if (latestActionRef.current !== action) return;
            if (geoData.display_name) {
              apiFetch(`${API_BASE}/attendance/update-address`, {
                method: "POST",
@@ -219,6 +226,7 @@ export default function Attendance() {
          .catch(() => {});
      },
      (geoError) => {
+        if (!mountedRef.current) return;
        let errorMsg = "Nepodařilo se získat polohu";
        if (geoError.code === geoError.PERMISSION_DENIED) {
          errorMsg = "Přístup k poloze byl zamítnut";
--- a/src/admin/pages/AttendanceBalances.tsx
+++ b/src/admin/pages/AttendanceBalances.tsx
@@ -224,9 +224,10 @@ export default function AttendanceBalances() {
  }, [year]);

  useEffect(() => {
-    fetchData();
-    fetchFundData();
-    fetchProjectData();
+    const loadAll = async () => {
+      await Promise.all([fetchData(), fetchFundData(), fetchProjectData()]);
+    };
+    loadAll();
  }, [fetchData, fetchFundData, fetchProjectData]);

  useModalLock(showEditModal);
--- a/src/admin/pages/AttendanceHistory.tsx
+++ b/src/admin/pages/AttendanceHistory.tsx
@@ -69,6 +69,73 @@ const formatBreakRange = (record: AttendanceRecord): string => {
  return "—";
 };

+function getEasterSunday(year: number): string {
+  const a = year % 19;
+  const b = Math.floor(year / 100);
+  const c = year % 100;
+  const d = Math.floor(b / 4);
+  const e = b % 4;
+  const f = Math.floor((b + 8) / 25);
+  const g = Math.floor((b - f + 1) / 3);
+  const h = (19 * a + b - d - g + 15) % 30;
+  const i = Math.floor(c / 4);
+  const k = c % 4;
+  const l = (32 + 2 * e + 2 * i - h - k) % 7;
+  const m = Math.floor((a + 11 * h + 22 * l) / 451);
+  const month = Math.floor((h + l - 7 * m + 114) / 31);
+  const day = ((h + l - 7 * m + 114) % 31) + 1;
+  return `${year}-${String(month).padStart(2, "0")}-${String(day).padStart(2, "0")}`;
+}
+
+function getCzechHolidays(year: number): string[] {
+  const y = String(year);
+  const holidays = [
+    `${y}-01-01`,
+    `${y}-05-01`,
+    `${y}-05-08`,
+    `${y}-07-05`,
+    `${y}-07-06`,
+    `${y}-09-28`,
+    `${y}-10-28`,
+    `${y}-11-17`,
+    `${y}-12-24`,
+    `${y}-12-25`,
+    `${y}-12-26`,
+  ];
+  const easterSunday = getEasterSunday(year);
+  const easterDate = new Date(easterSunday);
+  const goodFriday = new Date(easterDate);
+  goodFriday.setDate(goodFriday.getDate() - 2);
+  const easterMonday = new Date(easterDate);
+  easterMonday.setDate(easterMonday.getDate() + 1);
+  const pad = (n: number) => String(n).padStart(2, "0");
+  holidays.push(
+    `${goodFriday.getFullYear()}-${pad(goodFriday.getMonth() + 1)}-${pad(goodFriday.getDate())}`,
+  );
+  holidays.push(
+    `${easterMonday.getFullYear()}-${pad(easterMonday.getMonth() + 1)}-${pad(easterMonday.getDate())}`,
+  );
+  holidays.sort();
+  return holidays;
+}
+
+function getBusinessDaysInMonth(year: number, month: number): number {
+  const holidays = getCzechHolidays(year);
+  let count = 0;
+  const daysInMonth = new Date(year, month + 1, 0).getDate();
+  for (let day = 1; day <= daysInMonth; day++) {
+    const date = new Date(year, month, day);
+    const dow = date.getDay();
+    if (dow !== 0 && dow !== 6) {
+      const dateStr = `${year}-${String(month + 1).padStart(2, "0")}-${String(day).padStart(2, "0")}`;
+      if (!holidays.includes(dateStr)) {
+        count++;
+      }
+    }
+  }
+  return count;
+}
+
 const renderProjectCell = (record: AttendanceRecord) => {
  if (record.project_logs && record.project_logs.length > 0) {
    return (
@@ -185,7 +252,8 @@ export default function AttendanceHistory() {
      if (leaveType === "work") {
        totalMinutes += calculateWorkMinutes(record);
      } else {
-        const hours = Number(record.leave_hours) || 8;
+        const hours =
+          record.leave_hours != null ? Number(record.leave_hours) : 8;
        if (leaveType === "vacation") vacationHours += hours;
        else if (leaveType === "sick") sickHours += hours;
        else if (leaveType === "holiday") holidayHours += hours;
@@ -193,21 +261,9 @@ export default function AttendanceHistory() {
      }
    }

-    // Exclude holidays from business days (matching PHP CzechHolidays logic)
    const yr = parseInt(yearStr, 10);
    const mo = parseInt(monthStr, 10) - 1;
-    const holidayDays = records.filter(
-      (r) => (r.leave_type || "work") === "holiday",
-    ).length;
-    let businessDays = 0;
-    const cur = new Date(yr, mo, 1);
-    while (cur.getMonth() === mo) {
-      const dow = cur.getDay();
-      if (dow !== 0 && dow !== 6) businessDays++;
-      cur.setDate(cur.getDate() + 1);
-    }
-    // Subtract holidays from business days (holidays are non-working days, not part of the fund)
-    businessDays = Math.max(0, businessDays - holidayDays);
+    const businessDays = getBusinessDaysInMonth(yr, mo);
    const fund = businessDays * 8;
    const worked = Math.round((totalMinutes / 60) * 100) / 100;
    // Covered = worked + vacation + sick (NOT holiday/unpaid — holiday is excluded from fund, unpaid is voluntary)
--- a/src/admin/pages/AttendanceLocation.tsx
+++ b/src/admin/pages/AttendanceLocation.tsx
@@ -134,9 +134,17 @@ export default function AttendanceLocation() {
          fillOpacity: 0.8,
        }).addTo(map);

-        marker.bindPopup(
-          `<strong>${loc.label}</strong><br>${loc.time}<br>Přesnost: ${Math.round(loc.accuracy)}m`,
+        const popupEl = document.createElement("div");
+        const strong = document.createElement("strong");
+        strong.textContent = loc.label;
+        popupEl.appendChild(strong);
+        popupEl.appendChild(document.createElement("br"));
+        popupEl.appendChild(document.createTextNode(loc.time));
+        popupEl.appendChild(document.createElement("br"));
+        popupEl.appendChild(
+          document.createTextNode(`Přesnost: ${Math.round(loc.accuracy)}m`),
        );
+        marker.bindPopup(popupEl);

        if (loc.accuracy > 0) {
          L.circle([loc.lat, loc.lng], {
--- a/src/admin/pages/CompanySettings.tsx
+++ b/src/admin/pages/CompanySettings.tsx
@@ -85,7 +85,6 @@ export default function CompanySettings({
    vat_id: "",
  });
  const [customFields, setCustomFields] = useState<CustomField[]>([]);
-  const customFieldKeyCounter = useRef(0);
  const [fieldOrder, setFieldOrder] = useState<string[]>([
    ...DEFAULT_FIELD_ORDER,
  ]);
@@ -197,9 +196,17 @@ export default function CompanySettings({
        const cf =
          Array.isArray(d.custom_fields) && d.custom_fields.length > 0
            ? d.custom_fields.map(
-                (f: { name: string; value: string; showLabel?: boolean }) => ({
+                (
+                  f: {
+                    name: string;
+                    value: string;
+                    showLabel?: boolean;
+                    _key?: string;
+                  },
+                  i: number,
+                ) => ({
                  ...f,
-                  _key: `cf-${++customFieldKeyCounter.current}`,
+                  _key: f._key || `cf-${Date.now()}-${i}`,
                }),
              )
            : [];
@@ -716,7 +723,7 @@ export default function CompanySettings({
                        name: "",
                        value: "",
                        showLabel: true,
-                        _key: `cf-${++customFieldKeyCounter.current}`,
+                        _key: `cf-${Date.now()}`,
                      },
                    ])
                  }
--- a/src/admin/pages/OfferDetail.tsx
+++ b/src/admin/pages/OfferDetail.tsx
@@ -334,6 +334,7 @@ export default function OfferDetail() {
    full_name: string;
  } | null>(null);
  const heartbeatRef = useRef<ReturnType<typeof setInterval> | null>(null);
+  const unlockAbortRef = useRef<AbortController | null>(null);

  useModalLock(showOrderModal);

@@ -451,10 +452,14 @@ export default function OfferDetail() {

    return () => {
      if (heartbeatRef.current) clearInterval(heartbeatRef.current);
+      if (unlockAbortRef.current) unlockAbortRef.current.abort();
      // Release lock on unmount
-      apiFetch(`${API_BASE}/offers/${id}/unlock`, { method: "POST" }).catch(
-        () => {},
-      );
+      const controller = new AbortController();
+      unlockAbortRef.current = controller;
+      apiFetch(`${API_BASE}/offers/${id}/unlock`, {
+        method: "POST",
+        signal: controller.signal,
+      }).catch(() => {});
    };
  }, [isEdit, id, isLockedByOther, isInvalidated]);

--- a/src/admin/pages/Vehicles.tsx
+++ b/src/admin/pages/Vehicles.tsx
@@ -173,14 +173,7 @@ export default function Vehicles() {
      const response = await apiFetch(`${API_BASE}/vehicles/${vehicle.id}`, {
        method: "PUT",
        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({
-          spz: vehicle.spz,
-          name: vehicle.name,
-          brand: vehicle.brand || "",
-          model: vehicle.model || "",
-          initial_km: vehicle.initial_km,
-          is_active: !vehicle.is_active,
-        }),
+        body: JSON.stringify({ is_active: !vehicle.is_active }),
      });

      const result = await response.json();