fix: 2026-06-09 full-codebase audit hardening
Validation: shared NaN-guarded Zod coercion helpers in schemas/common.ts replace the raw number|string transform idiom across every schema (the root-cause NaN bug class); emailOrEmpty + lenient isoDateString/timeString. Security: roles privilege-escalation closed; refresh-token family revocation on reuse; TOTP uses config params; read endpoints permission-guarded; received-invoices gross VAT on all paths; orders-pdf custom-items authz. Concurrency: $queryRaw SELECT...FOR UPDATE locks in ascending-id order (warehouse confirm/cancel, attendance lockUserRow); uniqueness checks moved into create transactions (TOCTOU -> 409); deterministic id tiebreak on second-precision timestamp ordering (plan resolveCell/resolveGrid, warehouse FIFO). Frontend: Rules-of-Hooks fixed across ~14 pages + PlanCellModal; UTC-date persisted fields; dashboard invalidation gaps; stale-closure confirm bugs. Tooling/tests: ESLint flat config (react-hooks/rules-of-hooks = error) + Prettier; tsconfig.test.json so tsc -b type-checks the tests; removed 3 dead deps; npm audit fix (8 -> 3). Suite 195 -> 247 (happy-path auth, FIFO oldest-first, flakiness fixes), isolated on app_test via .env.test with a hard-throw setup guard. Gates: tsc 0 | build 0 | vitest 247/247 | eslint 0 errors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -270,12 +270,26 @@ export async function refreshAccessToken(
|
||||
`;
|
||||
const storedToken = tokens[0] ?? null;
|
||||
|
||||
// Detected reuse: a token that exists but has ALREADY been rotated
|
||||
// (replaced_at / replaced_by_hash set) is being presented again. This is
|
||||
// the classic refresh-token-theft signature — either the legitimate
|
||||
// client or an attacker is replaying a consumed token. Breach
|
||||
// containment: revoke the WHOLE token family for that user so both the
|
||||
// stolen and the still-valid descendant tokens are invalidated, forcing
|
||||
// a fresh login.
|
||||
if (
|
||||
!storedToken ||
|
||||
storedToken.replaced_at ||
|
||||
storedToken.replaced_by_hash ||
|
||||
new Date(storedToken.expires_at) < new Date()
|
||||
storedToken &&
|
||||
(storedToken.replaced_at || storedToken.replaced_by_hash)
|
||||
) {
|
||||
const reuseUserId = Number(storedToken.user_id);
|
||||
await tx.refresh_tokens.deleteMany({ where: { user_id: reuseUserId } });
|
||||
request.log.warn(
|
||||
`Refresh-token reuse detected for user ${reuseUserId}; revoked all sessions`,
|
||||
);
|
||||
return { type: "error", message: "Neplatný refresh token", status: 401 };
|
||||
}
|
||||
|
||||
if (!storedToken || new Date(storedToken.expires_at) < new Date()) {
|
||||
return { type: "error", message: "Neplatný refresh token", status: 401 };
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user