refactor: fix all Low findings from FLAWS_REPORT audit
- Auth: TOTP params from config, JWT error logging, audit log failure logging, replaced_by_hash validation on token rotation - Invoices: remove dead VAT code, consistent PDF permissions, WebP magic-byte detection, deduped exchange-rate fetches - Orders/Offers: multipart limit from config, use paginated() helper, payment method from DB in PDF - Projects: verify project exists before creating note - Attendance: action_type enum validation, consistent local-time shift_date construction, holiday attendance in work fund, trips.view permission on last-km query - Users: paginated() helper usage, remove duplicate dashboard keys, parallel currency conversion, single hashToken implementation - Frontend: memoized customInput, reliable print onload, modal prop standardization (isOpen), ConfirmModal type icons, id===0 key fallback, Login useCallback, CompanySettings ConfirmModal, Attendance timeout cleanup, Dashboard memoization, beforeunload dirty-state warnings on Invoice/Offer/Order detail - Schema: invoice_alert_log timestamp, config/env comment on Date.prototype.toJSON override - Utils: exchange-rate inflight dedup Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -5,6 +5,8 @@ dotenv.config();
|
||||
process.env.TZ = process.env.TZ || "Europe/Prague";
|
||||
|
||||
// Override Date.toJSON so JSON.stringify outputs local time (Europe/Prague).
|
||||
// This is intentional and required for PHP migration compatibility: the legacy
|
||||
// PHP API returned local Czech times, and the frontend relies on this format.
|
||||
// Prisma stores UTC in MySQL DATETIME columns. When reading, it creates
|
||||
// JS Date objects with correct UTC internals. The default toJSON() calls
|
||||
// toISOString() which returns UTC — this override uses local getters instead,
|
||||
@@ -50,6 +52,13 @@ export const config = {
|
||||
|
||||
totp: {
|
||||
encryptionKey: required("TOTP_ENCRYPTION_KEY"),
|
||||
algorithm: (process.env.TOTP_ALGORITHM || "SHA1") as "SHA1",
|
||||
digits: parseInt(process.env.TOTP_DIGITS || "6", 10),
|
||||
period: parseInt(process.env.TOTP_PERIOD || "30", 10),
|
||||
loginTokenExpiryMinutes: parseInt(
|
||||
process.env.LOGIN_TOKEN_EXPIRY_MINUTES || "5",
|
||||
10,
|
||||
),
|
||||
},
|
||||
|
||||
nas: {
|
||||
|
||||
Reference in New Issue
Block a user