fix: 2026-06-09 full-codebase audit hardening

Validation: shared NaN-guarded Zod coercion helpers in schemas/common.ts replace
the raw number|string transform idiom across every schema (the root-cause NaN bug
class); emailOrEmpty + lenient isoDateString/timeString.

Security: roles privilege-escalation closed; refresh-token family revocation on
reuse; TOTP uses config params; read endpoints permission-guarded; received-invoices
gross VAT on all paths; orders-pdf custom-items authz.

Concurrency: $queryRaw SELECT...FOR UPDATE locks in ascending-id order (warehouse
confirm/cancel, attendance lockUserRow); uniqueness checks moved into create
transactions (TOCTOU -> 409); deterministic id tiebreak on second-precision
timestamp ordering (plan resolveCell/resolveGrid, warehouse FIFO).

Frontend: Rules-of-Hooks fixed across ~14 pages + PlanCellModal; UTC-date persisted
fields; dashboard invalidation gaps; stale-closure confirm bugs.

Tooling/tests: ESLint flat config (react-hooks/rules-of-hooks = error) + Prettier;
tsconfig.test.json so tsc -b type-checks the tests; removed 3 dead deps; npm audit
fix (8 -> 3). Suite 195 -> 247 (happy-path auth, FIFO oldest-first, flakiness fixes),
isolated on app_test via .env.test with a hard-throw setup guard.

Gates: tsc 0 | build 0 | vitest 247/247 | eslint 0 errors.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
BOHA
2026-06-09 06:45:26 +02:00
parent c454d1a3fc
commit 519edce373
179 changed files with 7179 additions and 2844 deletions

View File

@@ -94,15 +94,8 @@ export default function WarehouseReceiptDetail() {
error,
} = useQuery(warehouseReceiptDetailOptions(id));
if (!hasPermission("warehouse.view")) return <Forbidden />;
const canOperate = hasPermission("warehouse.operate");
const confirmMutation = useApiMutation<void, void>({
url: () =>
receipt
? `/api/admin/warehouse/receipts/${receipt.id}/confirm`
: "/api/admin/warehouse/receipts/0/confirm",
const confirmMutation = useApiMutation<number, void>({
url: (receiptId) => `/api/admin/warehouse/receipts/${receiptId}/confirm`,
method: () => "POST",
invalidate: ["warehouse"],
onSuccess: () => {
@@ -110,11 +103,8 @@ export default function WarehouseReceiptDetail() {
},
});
const cancelMutation = useApiMutation<void, void>({
url: () =>
receipt
? `/api/admin/warehouse/receipts/${receipt.id}/cancel`
: "/api/admin/warehouse/receipts/0/cancel",
const cancelMutation = useApiMutation<number, void>({
url: (receiptId) => `/api/admin/warehouse/receipts/${receiptId}/cancel`,
method: () => "POST",
invalidate: ["warehouse"],
onSuccess: () => {
@@ -124,13 +114,11 @@ export default function WarehouseReceiptDetail() {
});
const deleteAttachmentMutation = useApiMutation<
{ attachmentId: number },
{ receiptId: number; attachmentId: number },
void
>({
url: ({ attachmentId }) =>
receipt
? `/api/admin/warehouse/receipts/${receipt.id}/attachments/${attachmentId}`
: `/api/admin/warehouse/receipts/0/attachments/0`,
url: ({ receiptId, attachmentId }) =>
`/api/admin/warehouse/receipts/${receiptId}/attachments/${attachmentId}`,
method: () => "DELETE",
invalidate: ["warehouse"],
onSuccess: () => {
@@ -138,10 +126,15 @@ export default function WarehouseReceiptDetail() {
},
});
// All hooks above this line — permission gate is the last thing before render.
if (!hasPermission("warehouse.view")) return <Forbidden />;
const canOperate = hasPermission("warehouse.operate");
const handleConfirm = async () => {
if (!receipt) return;
try {
await confirmMutation.mutateAsync(undefined);
await confirmMutation.mutateAsync(receipt.id);
} catch (e) {
alert.error(e instanceof Error ? e.message : "Chyba připojení");
}
@@ -150,7 +143,7 @@ export default function WarehouseReceiptDetail() {
const handleCancel = async () => {
if (!receipt) return;
try {
await cancelMutation.mutateAsync(undefined);
await cancelMutation.mutateAsync(receipt.id);
} catch (e) {
alert.error(e instanceof Error ? e.message : "Chyba připojení");
}
@@ -159,7 +152,10 @@ export default function WarehouseReceiptDetail() {
const handleDeleteAttachment = async (attachmentId: number) => {
if (!receipt) return;
try {
await deleteAttachmentMutation.mutateAsync({ attachmentId });
await deleteAttachmentMutation.mutateAsync({
receiptId: receipt.id,
attachmentId,
});
} catch (e) {
alert.error(e instanceof Error ? e.message : "Chyba připojení");
}