fix: 2026-06-09 full-codebase audit hardening
Validation: shared NaN-guarded Zod coercion helpers in schemas/common.ts replace the raw number|string transform idiom across every schema (the root-cause NaN bug class); emailOrEmpty + lenient isoDateString/timeString. Security: roles privilege-escalation closed; refresh-token family revocation on reuse; TOTP uses config params; read endpoints permission-guarded; received-invoices gross VAT on all paths; orders-pdf custom-items authz. Concurrency: $queryRaw SELECT...FOR UPDATE locks in ascending-id order (warehouse confirm/cancel, attendance lockUserRow); uniqueness checks moved into create transactions (TOCTOU -> 409); deterministic id tiebreak on second-precision timestamp ordering (plan resolveCell/resolveGrid, warehouse FIFO). Frontend: Rules-of-Hooks fixed across ~14 pages + PlanCellModal; UTC-date persisted fields; dashboard invalidation gaps; stale-closure confirm bugs. Tooling/tests: ESLint flat config (react-hooks/rules-of-hooks = error) + Prettier; tsconfig.test.json so tsc -b type-checks the tests; removed 3 dead deps; npm audit fix (8 -> 3). Suite 195 -> 247 (happy-path auth, FIFO oldest-first, flakiness fixes), isolated on app_test via .env.test with a hard-throw setup guard. Gates: tsc 0 | build 0 | vitest 247/247 | eslint 0 errors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -253,7 +253,7 @@ export default async function planRoutes(app: FastifyInstance) {
|
||||
authData: request.authData,
|
||||
action: "create",
|
||||
entityType: "work_plan_entry",
|
||||
entityId: (result.data as any).id,
|
||||
entityId: result.data.id,
|
||||
newValues: result.data,
|
||||
description: result.description,
|
||||
});
|
||||
@@ -307,7 +307,8 @@ export default async function planRoutes(app: FastifyInstance) {
|
||||
action: "update",
|
||||
entityType: "work_plan_entry",
|
||||
entityId: id,
|
||||
oldValues: (result.oldData as any) ?? undefined,
|
||||
oldValues:
|
||||
(result.oldData as Record<string, unknown> | null) ?? undefined,
|
||||
newValues: result.data as Record<string, unknown>,
|
||||
description: result.description,
|
||||
});
|
||||
@@ -331,7 +332,8 @@ export default async function planRoutes(app: FastifyInstance) {
|
||||
action: "delete",
|
||||
entityType: "work_plan_entry",
|
||||
entityId: id,
|
||||
oldValues: (result.oldData as any) ?? undefined,
|
||||
oldValues:
|
||||
(result.oldData as Record<string, unknown> | null) ?? undefined,
|
||||
description: result.description,
|
||||
});
|
||||
return success(reply, { ok: true }, 200, "Plán smazán");
|
||||
@@ -358,7 +360,7 @@ export default async function planRoutes(app: FastifyInstance) {
|
||||
authData: request.authData,
|
||||
action: "create",
|
||||
entityType: "work_plan_override",
|
||||
entityId: (result.data as any).id,
|
||||
entityId: result.data.id,
|
||||
newValues: result.data,
|
||||
description: result.description,
|
||||
});
|
||||
@@ -389,7 +391,8 @@ export default async function planRoutes(app: FastifyInstance) {
|
||||
action: "update",
|
||||
entityType: "work_plan_override",
|
||||
entityId: id,
|
||||
oldValues: (result.oldData as any) ?? undefined,
|
||||
oldValues:
|
||||
(result.oldData as Record<string, unknown> | null) ?? undefined,
|
||||
newValues: result.data,
|
||||
description: result.description,
|
||||
});
|
||||
@@ -413,7 +416,8 @@ export default async function planRoutes(app: FastifyInstance) {
|
||||
action: "delete",
|
||||
entityType: "work_plan_override",
|
||||
entityId: id,
|
||||
oldValues: (result.oldData as any) ?? undefined,
|
||||
oldValues:
|
||||
(result.oldData as Record<string, unknown> | null) ?? undefined,
|
||||
description: result.description,
|
||||
});
|
||||
return success(reply, { ok: true }, 200, "Přepsání smazáno");
|
||||
|
||||
Reference in New Issue
Block a user