security: fix all Critical and High findings from FLAWS_REPORT audit

- Auth: pessimistic locking on login tokens and refresh token rotation,
  backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
  unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
  and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
  refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
  permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
  restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
  HTML, ref mutation fixes, accessibility attributes

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/routes/admin/project-files.ts

@@ -1,6 +1,7 @@
 import fs from "fs";
 import { FastifyInstance } from "fastify";
 import multipart from "@fastify/multipart";
+import { z } from "zod";
 import prisma from "../../config/database";
 import { config } from "../../config/env";
 import { requirePermission } from "../../middleware/auth";
@@ -8,6 +9,28 @@ import { logAudit } from "../../services/audit";
 import { success, error } from "../../utils/response";
 import { NasFileManager } from "../../services/nas-file-manager";
 
+const ProjectFilesQuerySchema = z.object({
+  project_id: z.string().min(1, "project_id je povinný"),
+  path: z.string().optional(),
+  action: z.string().optional(),
+});
+
+function parseProjectFilesQuery(
+  query: unknown,
+):
+  | { data: { project_id: string; path?: string; action?: string } }
+  | { error: string } {
+  try {
+    const data = ProjectFilesQuerySchema.parse(query);
+    return { data };
+  } catch (e) {
+    if (e instanceof z.ZodError) {
+      return { error: e.issues.map((err) => err.message).join(", ") };
+    }
+    return { error: "Neplatné parametry dotazu" };
+  }
+}
+
 export default async function projectFilesRoutes(
   fastify: FastifyInstance,
 ): Promise<void> {
@@ -30,8 +53,10 @@ export default async function projectFilesRoutes(
     "/",
     { preHandler: requirePermission("projects.view") },
     async (request, reply) => {
-      const query = request.query as Record<string, string>;
-      const projectId = Number(query.project_id);
+      const parsedQuery = parseProjectFilesQuery(request.query);
+      if ("error" in parsedQuery) return error(reply, parsedQuery.error, 400);
+      const { project_id: projectIdStr, path: subPath = "" } = parsedQuery.data;
+      const projectId = Number(projectIdStr);
       const project = await getProjectForFiles(projectId);
       if (!project) return error(reply, "Projekt nebyl nalezen", 404);
 
@@ -39,9 +64,7 @@ export default async function projectFilesRoutes(
         return error(reply, "Souborový systém není nakonfigurován", 500);
       }
 
-      const subPath = query.path || "";
-
-      if (query.action === "download") {
+      if (parsedQuery.data.action === "download") {
         if (!subPath) return error(reply, "Cesta k souboru je povinná");
         if (!project.project_number)
           return error(reply, "Projekt nemá číslo projektu");
@@ -81,8 +104,9 @@ export default async function projectFilesRoutes(
     "/",
     { preHandler: requirePermission("projects.files") },
     async (request, reply) => {
-      const query = request.query as Record<string, string>;
-      const projectId = Number(query.project_id);
+      const parsedQuery = parseProjectFilesQuery(request.query);
+      if ("error" in parsedQuery) return error(reply, parsedQuery.error, 400);
+      const projectId = Number(parsedQuery.data.project_id);
       const project = await getProjectForFiles(projectId);
       if (!project) return error(reply, "Projekt nebyl nalezen", 404);
       if (!project.project_number)
@@ -105,7 +129,11 @@ export default async function projectFilesRoutes(
         fm.createProjectFolder(project.project_number, project.name || "");
       }
 
-      const err = fm.createFolder(project.project_number, path, folderName);
+      const err = await fm.createFolder(
+        project.project_number,
+        path,
+        folderName,
+      );
       if (err !== null) return error(reply, err);
 
       await logAudit({
@@ -130,8 +158,9 @@ export default async function projectFilesRoutes(
       bodyLimit: config.nas.maxUploadSize,
     },
     async (request, reply) => {
-      const query = request.query as Record<string, string>;
-      const projectId = Number(query.project_id);
+      const parsedQuery = parseProjectFilesQuery(request.query);
+      if ("error" in parsedQuery) return error(reply, parsedQuery.error, 400);
+      const projectId = Number(parsedQuery.data.project_id);
       const project = await getProjectForFiles(projectId);
       if (!project) return error(reply, "Projekt nebyl nalezen", 404);
       if (!project.project_number)
@@ -149,14 +178,13 @@ export default async function projectFilesRoutes(
       const file = await request.file();
       if (!file) return error(reply, "Nebyl nahrán žádný soubor");
 
-      const subPath = query.path || "";
-      const fileBuffer = await file.toBuffer();
+      const subPath = parsedQuery.data.path || "";
       const fileName = file.filename;
 
       const err = await fm.uploadFile(
         project.project_number,
         subPath,
-        fileBuffer,
+        file.file,
         fileName,
       );
       if (err !== null) return error(reply, err);
@@ -180,8 +208,9 @@ export default async function projectFilesRoutes(
     "/",
     { preHandler: requirePermission("projects.files") },
     async (request, reply) => {
-      const query = request.query as Record<string, string>;
-      const projectId = Number(query.project_id);
+      const parsedQuery = parseProjectFilesQuery(request.query);
+      if ("error" in parsedQuery) return error(reply, parsedQuery.error, 400);
+      const projectId = Number(parsedQuery.data.project_id);
       const project = await getProjectForFiles(projectId);
       if (!project) return error(reply, "Projekt nebyl nalezen", 404);
       if (!project.project_number)
@@ -198,7 +227,7 @@ export default async function projectFilesRoutes(
       if (!fromPath || !toPath)
         return error(reply, "Zdrojová i cílová cesta jsou povinné");
 
-      const err = fm.moveItem(project.project_number, fromPath, toPath);
+      const err = await fm.moveItem(project.project_number, fromPath, toPath);
       if (err !== null) return error(reply, err);
 
       await logAudit({
@@ -221,8 +250,9 @@ export default async function projectFilesRoutes(
     "/",
     { preHandler: requirePermission("projects.files") },
     async (request, reply) => {
-      const query = request.query as Record<string, string>;
-      const projectId = Number(query.project_id);
+      const parsedQuery = parseProjectFilesQuery(request.query);
+      if ("error" in parsedQuery) return error(reply, parsedQuery.error, 400);
+      const projectId = Number(parsedQuery.data.project_id);
       const project = await getProjectForFiles(projectId);
       if (!project) return error(reply, "Projekt nebyl nalezen", 404);
       if (!project.project_number)
@@ -232,7 +262,7 @@ export default async function projectFilesRoutes(
         return error(reply, "Souborový systém není nakonfigurován", 500);
       }
 
-      const filePath = query.path || "";
+      const filePath = parsedQuery.data.path || "";
       if (!filePath) return error(reply, "Cesta k souboru je povinná");
 
       const err = await fm.deleteItem(project.project_number, filePath);