security: fix all Medium findings from FLAWS_REPORT audit
- Auth: TOTP replay protection with counter tracking, constant-time backup code comparison, atomic lockout increment, per-token logout - Invoices/PDFs: net-based VAT calculation, dangerous URL scheme stripping in cleanQuillHtml, orders-pdf error handling - Orders: reject item changes on status transition, cascading delete cleanup, take:1 with orderBy - Projects: atomic rename collision handling, MIME/extension validation, empty customer name rejection - Attendance: Czech public holiday awareness in frontend fund calculation, leave_hours 0 handling, invalid date NaN guard, bounded per-month queries in workfund - Users/Admin: profile audit logging + password validation, session revocation guard, session ID validation, dashboard DB aggregation, soft-deleted record protection in scope templates - Frontend: FormField label linkage, Pagination ARIA, error handling in OrderConfirmationModal, 401 propagation, GPS emoji hidden from screen readers, table sort state fix, geolocation race/abort cleanup, Leaflet popup DOM safety, Vehicles toggleActive minimal body, CompanySettings ref mutation fix, OfferDetail unlock abort, AttendanceBalances combined fetches - Utils: env validation, Puppeteer concurrency mutex, invoice alert cron cleanup on shutdown, body limit alignment, TOTP error logging, trustProxy from env, symlink rejection, rate cache Map usage Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -334,6 +334,7 @@ export default function OfferDetail() {
|
||||
full_name: string;
|
||||
} | null>(null);
|
||||
const heartbeatRef = useRef<ReturnType<typeof setInterval> | null>(null);
|
||||
const unlockAbortRef = useRef<AbortController | null>(null);
|
||||
|
||||
useModalLock(showOrderModal);
|
||||
|
||||
@@ -451,10 +452,14 @@ export default function OfferDetail() {
|
||||
|
||||
return () => {
|
||||
if (heartbeatRef.current) clearInterval(heartbeatRef.current);
|
||||
if (unlockAbortRef.current) unlockAbortRef.current.abort();
|
||||
// Release lock on unmount
|
||||
apiFetch(`${API_BASE}/offers/${id}/unlock`, { method: "POST" }).catch(
|
||||
() => {},
|
||||
);
|
||||
const controller = new AbortController();
|
||||
unlockAbortRef.current = controller;
|
||||
apiFetch(`${API_BASE}/offers/${id}/unlock`, {
|
||||
method: "POST",
|
||||
signal: controller.signal,
|
||||
}).catch(() => {});
|
||||
};
|
||||
}, [isEdit, id, isLockedByOther, isInvalidated]);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user