security: fix all Critical and High findings from FLAWS_REPORT audit
- Auth: pessimistic locking on login tokens and refresh token rotation, backup code attempt counter, rate limiting verification - Schema: unique constraints on business numbers, FK relations, unsigned/signed alignment, attendance duplicate prevention - Invoices/PDFs: DOMPurify sanitization, bounded queries in stats and alerts, VAT rounding, Puppeteer error handling - Orders/Offers: transactional parent+child creation, Zod NaN refinement, status enums, uniqueness checks - Projects/Files: path traversal protection, streamed uploads, permission guards, query param validation - Attendance/HR: duplicate checks, ownership validation, GPS restrictions, trip distance validation - Frontend: modal lock reference counting, XSS escaping in print HTML, ref mutation fixes, accessibility attributes Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -1,4 +1,5 @@
|
||||
import { FastifyInstance } from "fastify";
|
||||
import prisma from "../../config/database";
|
||||
import { requirePermission } from "../../middleware/auth";
|
||||
import { logAudit } from "../../services/audit";
|
||||
import { success, error, parseId } from "../../utils/response";
|
||||
@@ -59,15 +60,18 @@ export default async function usersRoutes(
|
||||
if ("error" in parsed) return error(reply, parsed.error, 400);
|
||||
const body = parsed.data;
|
||||
|
||||
const result = await createUser({
|
||||
username: body.username,
|
||||
email: body.email,
|
||||
password: body.password,
|
||||
first_name: body.first_name,
|
||||
last_name: body.last_name,
|
||||
role_id: body.role_id,
|
||||
is_active: body.is_active,
|
||||
});
|
||||
const result = await createUser(
|
||||
{
|
||||
username: body.username,
|
||||
email: body.email,
|
||||
password: body.password,
|
||||
first_name: body.first_name,
|
||||
last_name: body.last_name,
|
||||
role_id: body.role_id,
|
||||
is_active: body.is_active,
|
||||
},
|
||||
request.authData?.roleName ?? undefined,
|
||||
);
|
||||
|
||||
if ("error" in result) return error(reply, result.error!, result.status!);
|
||||
|
||||
@@ -106,9 +110,20 @@ export default async function usersRoutes(
|
||||
? Number(parsed.data.role_id)
|
||||
: (parsed.data.role_id as number | null | undefined),
|
||||
};
|
||||
const result = await updateUser(id, userData);
|
||||
const result = await updateUser(
|
||||
id,
|
||||
userData,
|
||||
request.authData?.roleName ?? undefined,
|
||||
);
|
||||
if ("error" in result) return error(reply, result.error!, result.status!);
|
||||
|
||||
if (parsed.data.password) {
|
||||
await prisma.refresh_tokens.updateMany({
|
||||
where: { user_id: id, replaced_at: null },
|
||||
data: { replaced_at: new Date() },
|
||||
});
|
||||
}
|
||||
|
||||
await logAudit({
|
||||
request,
|
||||
authData: request.authData,
|
||||
|
||||
Reference in New Issue
Block a user