security: fix all Medium findings from FLAWS_REPORT audit

- Auth: TOTP replay protection with counter tracking, constant-time backup code comparison, atomic lockout increment, per-token logout - Invoices/PDFs: net-based VAT calculation, dangerous URL scheme stripping in cleanQuillHtml, orders-pdf error handling - Orders: reject item changes on status transition, cascading delete cleanup, take:1 with orderBy - Projects: atomic rename collision handling, MIME/extension validation, empty customer name rejection - Attendance: Czech public holiday awareness in frontend fund calculation, leave_hours 0 handling, invalid date NaN guard, bounded per-month queries in workfund - Users/Admin: profile audit logging + password validation, session revocation guard, session ID validation, dashboard DB aggregation, soft-deleted record protection in scope templates - Frontend: FormField label linkage, Pagination ARIA, error handling in OrderConfirmationModal, 401 propagation, GPS emoji hidden from screen readers, table sort state fix, geolocation race/abort cleanup, Leaflet popup DOM safety, Vehicles toggleActive minimal body, CompanySettings ref mutation fix, OfferDetail unlock abort, AttendanceBalances combined fetches - Utils: env validation, Puppeteer concurrency mutex, invoice alert cron cleanup on shutdown, body limit alignment, TOTP error logging, trustProxy from env, symlink rejection, rate cache Map usage Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-24 08:24:14 +02:00
parent 528e55991b
commit 4f4b12f039
33 changed files with 442 additions and 211 deletions
--- a/src/admin/pages/CompanySettings.tsx
+++ b/src/admin/pages/CompanySettings.tsx
@@ -85,7 +85,6 @@ export default function CompanySettings({
    vat_id: "",
  });
  const [customFields, setCustomFields] = useState<CustomField[]>([]);
-  const customFieldKeyCounter = useRef(0);
  const [fieldOrder, setFieldOrder] = useState<string[]>([
    ...DEFAULT_FIELD_ORDER,
  ]);
@@ -197,9 +196,17 @@ export default function CompanySettings({
        const cf =
          Array.isArray(d.custom_fields) && d.custom_fields.length > 0
            ? d.custom_fields.map(
-                (f: { name: string; value: string; showLabel?: boolean }) => ({
+                (
+                  f: {
+                    name: string;
+                    value: string;
+                    showLabel?: boolean;
+                    _key?: string;
+                  },
+                  i: number,
+                ) => ({
                  ...f,
-                  _key: `cf-${++customFieldKeyCounter.current}`,
+                  _key: f._key || `cf-${Date.now()}-${i}`,
                }),
              )
            : [];
@@ -716,7 +723,7 @@ export default function CompanySettings({
                        name: "",
                        value: "",
                        showLabel: true,
-                        _key: `cf-${++customFieldKeyCounter.current}`,
+                        _key: `cf-${Date.now()}`,
                      },
                    ])
                  }