fix: 2026-06-09 full-codebase audit hardening

Validation: shared NaN-guarded Zod coercion helpers in schemas/common.ts replace
the raw number|string transform idiom across every schema (the root-cause NaN bug
class); emailOrEmpty + lenient isoDateString/timeString.

Security: roles privilege-escalation closed; refresh-token family revocation on
reuse; TOTP uses config params; read endpoints permission-guarded; received-invoices
gross VAT on all paths; orders-pdf custom-items authz.

Concurrency: $queryRaw SELECT...FOR UPDATE locks in ascending-id order (warehouse
confirm/cancel, attendance lockUserRow); uniqueness checks moved into create
transactions (TOCTOU -> 409); deterministic id tiebreak on second-precision
timestamp ordering (plan resolveCell/resolveGrid, warehouse FIFO).

Frontend: Rules-of-Hooks fixed across ~14 pages + PlanCellModal; UTC-date persisted
fields; dashboard invalidation gaps; stale-closure confirm bugs.

Tooling/tests: ESLint flat config (react-hooks/rules-of-hooks = error) + Prettier;
tsconfig.test.json so tsc -b type-checks the tests; removed 3 dead deps; npm audit
fix (8 -> 3). Suite 195 -> 247 (happy-path auth, FIFO oldest-first, flakiness fixes),
isolated on app_test via .env.test with a hard-throw setup guard.

Gates: tsc 0 | build 0 | vitest 247/247 | eslint 0 errors.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
BOHA
2026-06-09 06:45:26 +02:00
parent c454d1a3fc
commit 519edce373
179 changed files with 7179 additions and 2844 deletions

View File

@@ -1,6 +1,7 @@
import { FastifyInstance } from "fastify";
import prisma from "../../config/database";
import { requirePermission } from "../../middleware/auth";
import { logAudit } from "../../services/audit";
import { success, error, parseId } from "../../utils/response";
import { parseBody } from "../../schemas/common";
import {
@@ -70,23 +71,41 @@ export default async function scopeTemplatesRoutes(
};
if (body.id) {
const itemId = Number(body.id);
const existingItem = await prisma.item_templates.findFirst({
where: { id: Number(body.id), is_deleted: false },
where: { id: itemId, is_deleted: false },
});
if (!existingItem) return error(reply, "Šablona nenalezena", 404);
await prisma.item_templates.updateMany({
where: { id: Number(body.id), is_deleted: false },
where: { id: itemId, is_deleted: false },
data: { ...itemData, modified_at: new Date() },
});
return success(
reply,
{ id: Number(body.id) },
200,
"Položka byla uložena",
);
await logAudit({
request,
authData: request.authData,
action: "update",
entityId: itemId,
description: `Upravena šablona položky '${itemData.name ?? itemId}'`,
oldValues: {
name: existingItem.name,
description: existingItem.description,
default_price: existingItem.default_price,
category: existingItem.category,
},
newValues: itemData,
});
return success(reply, { id: itemId }, 200, "Položka byla uložena");
}
const item = await prisma.item_templates.create({ data: itemData });
await logAudit({
request,
authData: request.authData,
action: "create",
entityId: item.id,
description: `Vytvořena šablona položky '${itemData.name ?? item.id}'`,
newValues: itemData,
});
return success(reply, { id: item.id }, 201, "Položka byla vytvořena");
}
@@ -120,6 +139,20 @@ export default async function scopeTemplatesRoutes(
return created;
});
await logAudit({
request,
authData: request.authData,
action: "create",
entityId: template.id,
description: `Vytvořena šablona rozsahu '${template.name ?? template.id}'`,
newValues: {
name: template.name,
title: template.title,
description: template.description,
sections: Array.isArray(body.sections) ? body.sections.length : 0,
},
});
return success(reply, { id: template.id }, 201, "Šablona byla vytvořena");
},
);
@@ -133,10 +166,23 @@ export default async function scopeTemplatesRoutes(
if (String(query.action) === "item" && query.id) {
const id = Number(query.id);
if (!Number.isInteger(id) || id <= 0)
return error(reply, "Neplatné ID", 400);
const existingItem = await prisma.item_templates.findFirst({
where: { id, is_deleted: false },
});
if (!existingItem) return error(reply, "Šablona nenalezena", 404);
await prisma.item_templates.update({
where: { id },
data: { is_deleted: true, modified_at: new Date() },
});
await logAudit({
request,
authData: request.authData,
action: "delete",
entityId: id,
description: `Smazána šablona položky '${existingItem.name ?? id}'`,
});
return success(reply, null, 200, "Šablona smazána");
}
@@ -210,6 +256,27 @@ export default async function scopeTemplatesRoutes(
});
}
await logAudit({
request,
authData: request.authData,
action: "update",
entityId: id,
description: `Upravena šablona rozsahu '${existing.name ?? id}'`,
oldValues: {
name: existing.name,
title: existing.title,
description: existing.description,
},
newValues: {
name: body.name,
title: body.title,
description: body.description,
sections: Array.isArray(body.sections)
? body.sections.length
: undefined,
},
});
return success(reply, { id }, 200, "Šablona byla uložena");
},
);
@@ -220,10 +287,21 @@ export default async function scopeTemplatesRoutes(
async (request, reply) => {
const id = parseId(request.params.id, reply);
if (id === null) return;
const existing = await prisma.scope_templates.findFirst({
where: { id, is_deleted: false },
});
if (!existing) return error(reply, "Šablona nenalezena", 404);
await prisma.scope_templates.update({
where: { id },
data: { is_deleted: true, modified_at: new Date() },
});
await logAudit({
request,
authData: request.authData,
action: "delete",
entityId: id,
description: `Smazána šablona rozsahu '${existing.name ?? id}'`,
});
return success(reply, null, 200, "Šablona smazána");
},
);