fix: 2026-06-09 full-codebase audit hardening
Validation: shared NaN-guarded Zod coercion helpers in schemas/common.ts replace the raw number|string transform idiom across every schema (the root-cause NaN bug class); emailOrEmpty + lenient isoDateString/timeString. Security: roles privilege-escalation closed; refresh-token family revocation on reuse; TOTP uses config params; read endpoints permission-guarded; received-invoices gross VAT on all paths; orders-pdf custom-items authz. Concurrency: $queryRaw SELECT...FOR UPDATE locks in ascending-id order (warehouse confirm/cancel, attendance lockUserRow); uniqueness checks moved into create transactions (TOCTOU -> 409); deterministic id tiebreak on second-precision timestamp ordering (plan resolveCell/resolveGrid, warehouse FIFO). Frontend: Rules-of-Hooks fixed across ~14 pages + PlanCellModal; UTC-date persisted fields; dashboard invalidation gaps; stale-closure confirm bugs. Tooling/tests: ESLint flat config (react-hooks/rules-of-hooks = error) + Prettier; tsconfig.test.json so tsc -b type-checks the tests; removed 3 dead deps; npm audit fix (8 -> 3). Suite 195 -> 247 (happy-path auth, FIFO oldest-first, flakiness fixes), isolated on app_test via .env.test with a hard-throw setup guard. Gates: tsc 0 | build 0 | vitest 247/247 | eslint 0 errors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -7,7 +7,7 @@ import {
|
||||
import prisma from "../../config/database";
|
||||
import { requireAuth, requirePermission } from "../../middleware/auth";
|
||||
import { logAudit } from "../../services/audit";
|
||||
import { success, error, parseId } from "../../utils/response";
|
||||
import { success, error, parseId, paginated } from "../../utils/response";
|
||||
import { parsePagination, buildPaginationMeta } from "../../utils/pagination";
|
||||
import { parseBody } from "../../schemas/common";
|
||||
import {
|
||||
@@ -30,7 +30,12 @@ export default async function leaveRequestsRoutes(
|
||||
|
||||
const where: Record<string, unknown> = {};
|
||||
if (!isAdmin || query.mine === "1") where.user_id = authData.userId;
|
||||
else if (query.user_id) where.user_id = Number(query.user_id);
|
||||
else if (query.user_id) {
|
||||
const filterUserId = Number(query.user_id);
|
||||
if (!Number.isFinite(filterUserId))
|
||||
return error(reply, "Neplatné ID uživatele", 400);
|
||||
where.user_id = filterUserId;
|
||||
}
|
||||
if (query.status) {
|
||||
const statuses = String(query.status).split(",");
|
||||
where.status = statuses.length === 1 ? statuses[0] : { in: statuses };
|
||||
@@ -54,11 +59,7 @@ export default async function leaveRequestsRoutes(
|
||||
prisma.leave_requests.count({ where }),
|
||||
]);
|
||||
|
||||
return reply.send({
|
||||
success: true,
|
||||
data: requests,
|
||||
pagination: buildPaginationMeta(total, page, limit),
|
||||
});
|
||||
return paginated(reply, requests, buildPaginationMeta(total, page, limit));
|
||||
});
|
||||
|
||||
fastify.post("/", { preHandler: requireAuth }, async (request, reply) => {
|
||||
@@ -304,6 +305,9 @@ export default async function leaveRequestsRoutes(
|
||||
data: {
|
||||
status: "approved" as leave_requests_status,
|
||||
reviewer_id: authData.userId,
|
||||
reviewer_note: body.reviewer_note
|
||||
? String(body.reviewer_note)
|
||||
: null,
|
||||
reviewed_at: new Date(),
|
||||
},
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user