security: fix all Critical and High findings from FLAWS_REPORT audit

- Auth: pessimistic locking on login tokens and refresh token rotation, backup code attempt counter, rate limiting verification - Schema: unique constraints on business numbers, FK relations, unsigned/signed alignment, attendance duplicate prevention - Invoices/PDFs: DOMPurify sanitization, bounded queries in stats and alerts, VAT rounding, Puppeteer error handling - Orders/Offers: transactional parent+child creation, Zod NaN refinement, status enums, uniqueness checks - Projects/Files: path traversal protection, streamed uploads, permission guards, query param validation - Attendance/HR: duplicate checks, ownership validation, GPS restrictions, trip distance validation - Frontend: modal lock reference counting, XSS escaping in print HTML, ref mutation fixes, accessibility attributes Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-24 00:58:35 +02:00
parent 122eee175e
commit 528e55991b
57 changed files with 2355 additions and 1010 deletions
--- a/src/routes/admin/trips.ts
+++ b/src/routes/admin/trips.ts
@@ -206,6 +206,10 @@ export default async function tripsRoutes(
    const body = parsed.data;
    const authData = request.authData!;

+    if (body.end_km < body.start_km) {
+      return error(reply, "Konečný stav km nesmí být menší než počáteční", 400);
+    }
+
    const trip = await prisma.trips.create({
      data: {
        vehicle_id: Number(body.vehicle_id),
@@ -247,6 +251,18 @@ export default async function tripsRoutes(
      const body = parsed.data;
      const authData = request.authData!;

+      if (
+        body.end_km != null &&
+        body.start_km != null &&
+        body.end_km < body.start_km
+      ) {
+        return error(
+          reply,
+          "Konečný stav km nesmí být menší než počáteční",
+          400,
+        );
+      }
+
      const existing = await prisma.trips.findUnique({ where: { id } });
      if (!existing) return error(reply, "Jízda nenalezena", 404);