fix: 2026-06-09 full-codebase audit hardening
Validation: shared NaN-guarded Zod coercion helpers in schemas/common.ts replace the raw number|string transform idiom across every schema (the root-cause NaN bug class); emailOrEmpty + lenient isoDateString/timeString. Security: roles privilege-escalation closed; refresh-token family revocation on reuse; TOTP uses config params; read endpoints permission-guarded; received-invoices gross VAT on all paths; orders-pdf custom-items authz. Concurrency: $queryRaw SELECT...FOR UPDATE locks in ascending-id order (warehouse confirm/cancel, attendance lockUserRow); uniqueness checks moved into create transactions (TOCTOU -> 409); deterministic id tiebreak on second-precision timestamp ordering (plan resolveCell/resolveGrid, warehouse FIFO). Frontend: Rules-of-Hooks fixed across ~14 pages + PlanCellModal; UTC-date persisted fields; dashboard invalidation gaps; stale-closure confirm bugs. Tooling/tests: ESLint flat config (react-hooks/rules-of-hooks = error) + Prettier; tsconfig.test.json so tsc -b type-checks the tests; removed 3 dead deps; npm audit fix (8 -> 3). Suite 195 -> 247 (happy-path auth, FIFO oldest-first, flakiness fixes), isolated on app_test via .env.test with a hard-throw setup guard. Gates: tsc 0 | build 0 | vitest 247/247 | eslint 0 errors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -122,7 +122,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
|
||||
}
|
||||
},
|
||||
[],
|
||||
); // eslint-disable-line react-hooks/exhaustive-deps
|
||||
);
|
||||
|
||||
const silentRefresh = useCallback(async (): Promise<boolean> => {
|
||||
// Deduplicate concurrent refresh calls — token rotation means only one call can succeed
|
||||
@@ -315,6 +315,14 @@ export function AuthProvider({ children }: { children: ReactNode }) {
|
||||
}
|
||||
}, [getAccessTokenFn]);
|
||||
|
||||
// NOTE: this is a SECOND 401-refresh-and-retry path that parallels
|
||||
// `apiFetch` in src/admin/utils/api.ts (which most pages use via the query
|
||||
// helpers). The two diverge: `apiRequest` ignores AbortSignals and does NOT
|
||||
// set the session-expired flag, whereas `apiFetch` dedupes concurrent
|
||||
// refreshes, honors abort, and surfaces the 499 session-expired sentinel.
|
||||
// Consolidating onto `apiFetch` is a tracked follow-up but is deferred here
|
||||
// because it touches the core auth/refresh flow (high regression risk). If
|
||||
// you change refresh/retry semantics in one, mirror it in the other.
|
||||
const apiRequest = useCallback(
|
||||
async (endpoint: string, options: RequestInit = {}) => {
|
||||
let token = getAccessTokenFn();
|
||||
|
||||
Reference in New Issue
Block a user