fix: 2026-06-09 full-codebase audit hardening

Validation: shared NaN-guarded Zod coercion helpers in schemas/common.ts replace
the raw number|string transform idiom across every schema (the root-cause NaN bug
class); emailOrEmpty + lenient isoDateString/timeString.

Security: roles privilege-escalation closed; refresh-token family revocation on
reuse; TOTP uses config params; read endpoints permission-guarded; received-invoices
gross VAT on all paths; orders-pdf custom-items authz.

Concurrency: $queryRaw SELECT...FOR UPDATE locks in ascending-id order (warehouse
confirm/cancel, attendance lockUserRow); uniqueness checks moved into create
transactions (TOCTOU -> 409); deterministic id tiebreak on second-precision
timestamp ordering (plan resolveCell/resolveGrid, warehouse FIFO).

Frontend: Rules-of-Hooks fixed across ~14 pages + PlanCellModal; UTC-date persisted
fields; dashboard invalidation gaps; stale-closure confirm bugs.

Tooling/tests: ESLint flat config (react-hooks/rules-of-hooks = error) + Prettier;
tsconfig.test.json so tsc -b type-checks the tests; removed 3 dead deps; npm audit
fix (8 -> 3). Suite 195 -> 247 (happy-path auth, FIFO oldest-first, flakiness fixes),
isolated on app_test via .env.test with a hard-throw setup guard.

Gates: tsc 0 | build 0 | vitest 247/247 | eslint 0 errors.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
BOHA
2026-06-09 06:45:26 +02:00
parent c454d1a3fc
commit 519edce373
179 changed files with 7179 additions and 2844 deletions

View File

@@ -1,7 +1,8 @@
import { FastifyInstance } from "fastify";
import { z } from "zod";
import { requirePermission } from "../../middleware/auth";
import { logAudit } from "../../services/audit";
import { success, error, parseId } from "../../utils/response";
import { success, error, parseId, paginated } from "../../utils/response";
import { parsePagination, buildPaginationMeta } from "../../utils/pagination";
import { parseBody } from "../../schemas/common";
import {
@@ -20,6 +21,15 @@ import {
deleteProjectNote,
} from "../../services/projects.service";
// Body for DELETE /:id — optional delete_files flag. The body may be absent on
// a DELETE request, so default to an empty object and coerce truthy flags.
const DeleteProjectSchema = z.object({
delete_files: z
.union([z.boolean(), z.string(), z.number()])
.optional()
.transform((v) => v === true || v === 1 || v === "1" || v === "true"),
});
export default async function projectsRoutes(
fastify: FastifyInstance,
): Promise<void> {
@@ -30,6 +40,14 @@ export default async function projectsRoutes(
const query = request.query as Record<string, unknown>;
const { page, limit, skip, sort, order, search } = parsePagination(query);
const parsedCustomerId = query.customer_id
? Number(query.customer_id)
: undefined;
const customerId =
parsedCustomerId !== undefined && Number.isFinite(parsedCustomerId)
? parsedCustomerId
: undefined;
const result = await listProjects({
page,
limit,
@@ -38,14 +56,14 @@ export default async function projectsRoutes(
order,
search,
status: query.status ? String(query.status) : undefined,
customer_id: query.customer_id ? Number(query.customer_id) : undefined,
customer_id: customerId,
});
return reply.send({
success: true,
data: result.data,
pagination: buildPaginationMeta(result.total, page, limit),
});
return paginated(
reply,
result.data,
buildPaginationMeta(result.total, page, limit),
);
},
);
@@ -143,6 +161,15 @@ export default async function projectsRoutes(
return error(reply, note.error, (note as any).status ?? 400);
}
await logAudit({
request,
authData,
action: "create",
entityType: "project",
entityId: projectId,
description: `Přidána poznámka projektu`,
});
return success(reply, { note }, 201, "Poznámka byla přidána");
},
);
@@ -179,8 +206,9 @@ export default async function projectsRoutes(
const id = parseId(request.params.id, reply);
if (id === null) return;
const body = request.body as Record<string, unknown>;
const deleteFiles = !!body?.delete_files;
const parsed = parseBody(DeleteProjectSchema, request.body ?? {});
if ("error" in parsed) return error(reply, parsed.error, 400);
const deleteFiles = parsed.data.delete_files;
const result = await deleteProject(id, deleteFiles);
if ("error" in result) {
if (result.error === "not_found")