security: fix all Critical and High findings from FLAWS_REPORT audit

- Auth: pessimistic locking on login tokens and refresh token rotation,
  backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
  unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
  and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
  refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
  permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
  restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
  HTML, ref mutation fixes, accessibility attributes

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
BOHA
2026-04-24 00:58:35 +02:00
parent 122eee175e
commit 528e55991b
57 changed files with 2355 additions and 1010 deletions

View File

@@ -1,4 +1,5 @@
import { FastifyInstance } from "fastify";
import prisma from "../../config/database";
import { requirePermission } from "../../middleware/auth";
import { logAudit } from "../../services/audit";
import { success, error, parseId } from "../../utils/response";
@@ -59,15 +60,18 @@ export default async function usersRoutes(
if ("error" in parsed) return error(reply, parsed.error, 400);
const body = parsed.data;
const result = await createUser({
username: body.username,
email: body.email,
password: body.password,
first_name: body.first_name,
last_name: body.last_name,
role_id: body.role_id,
is_active: body.is_active,
});
const result = await createUser(
{
username: body.username,
email: body.email,
password: body.password,
first_name: body.first_name,
last_name: body.last_name,
role_id: body.role_id,
is_active: body.is_active,
},
request.authData?.roleName ?? undefined,
);
if ("error" in result) return error(reply, result.error!, result.status!);
@@ -106,9 +110,20 @@ export default async function usersRoutes(
? Number(parsed.data.role_id)
: (parsed.data.role_id as number | null | undefined),
};
const result = await updateUser(id, userData);
const result = await updateUser(
id,
userData,
request.authData?.roleName ?? undefined,
);
if ("error" in result) return error(reply, result.error!, result.status!);
if (parsed.data.password) {
await prisma.refresh_tokens.updateMany({
where: { user_id: id, replaced_at: null },
data: { replaced_at: new Date() },
});
}
await logAudit({
request,
authData: request.authData,