refactor: fix all Low findings from FLAWS_REPORT audit

- Auth: TOTP params from config, JWT error logging, audit log failure logging, replaced_by_hash validation on token rotation - Invoices: remove dead VAT code, consistent PDF permissions, WebP magic-byte detection, deduped exchange-rate fetches - Orders/Offers: multipart limit from config, use paginated() helper, payment method from DB in PDF - Projects: verify project exists before creating note - Attendance: action_type enum validation, consistent local-time shift_date construction, holiday attendance in work fund, trips.view permission on last-km query - Users: paginated() helper usage, remove duplicate dashboard keys, parallel currency conversion, single hashToken implementation - Frontend: memoized customInput, reliable print onload, modal prop standardization (isOpen), ConfirmModal type icons, id===0 key fallback, Login useCallback, CompanySettings ConfirmModal, Attendance timeout cleanup, Dashboard memoization, beforeunload dirty-state warnings on Invoice/Offer/Order detail - Schema: invoice_alert_log timestamp, config/env comment on Date.prototype.toJSON override - Utils: exchange-rate inflight dedup Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-24 08:45:37 +02:00
parent 4f4b12f039
commit aa6c1b5094
35 changed files with 466 additions and 206 deletions
--- a/src/routes/admin/company-settings.ts
+++ b/src/routes/admin/company-settings.ts
@@ -77,8 +77,12 @@ export default async function companySettingsRoutes(
    else if (
      buf[0] === 0x52 &&
      buf[1] === 0x49 &&
+      buf[2] === 0x46 &&
+      buf[3] === 0x46 &&
      buf[8] === 0x57 &&
-      buf[9] === 0x45
+      buf[9] === 0x45 &&
+      buf[10] === 0x42 &&
+      buf[11] === 0x50
    )
      mime = "image/webp";

--- a/src/routes/admin/dashboard.ts
+++ b/src/routes/admin/dashboard.ts
@@ -200,23 +200,25 @@ export default async function dashboardRoutes(
          (revenueByCurrency[currency] || 0) + amount;
      }

+      const revenueConversions = await Promise.all(
+        Object.entries(revenueByCurrency).map(async ([currency, amount]) => ({
+          amount: Math.round(amount * 100) / 100,
+          currency,
+          czk: await toCzk(Math.round(amount * 100) / 100, currency),
+        })),
+      );
+
      result.invoices = {
-        revenue_this_month: Object.entries(revenueByCurrency).map(
-          ([currency, amount]) => ({
-            amount: Math.round(amount * 100) / 100,
-            currency,
-          }),
-        ),
+        revenue_this_month: revenueConversions.map(({ amount, currency }) => ({
+          amount,
+          currency,
+        })),
        unpaid_count: unpaidCount,
-        revenue_czk: await (async () => {
-          let total = 0;
-          for (const [cur, amount] of Object.entries(revenueByCurrency)) {
-            total += await toCzk(Math.round(amount * 100) / 100, cur);
-          }
-          return Math.round(total * 100) / 100;
-        })(),
+        revenue_czk:
+          Math.round(
+            revenueConversions.reduce((sum, r) => sum + r.czk, 0) * 100,
+          ) / 100,
      };
-      result.unpaid_invoices = unpaidCount;
    }

    // Orders — only for orders.view
@@ -232,7 +234,6 @@ export default async function dashboardRoutes(
        where: { status: "pending" },
      });
      result.leave_pending = { count };
-      result.pending_leave_requests = count;
    }

    // Recent activity — only for settings.audit (admin)
--- a/src/routes/admin/invoices-pdf.ts
+++ b/src/routes/admin/invoices-pdf.ts
@@ -267,7 +267,7 @@ export default async function invoicesPdfRoutes(
 ): Promise<void> {
  fastify.get<{ Params: { id: string } }>(
    "/:id",
-    { preHandler: requirePermission("invoices.export") },
+    { preHandler: requirePermission("invoices.view") },
    async (request, reply) => {
      const id = parseId(request.params.id, reply);
      if (id === null) return;
--- a/src/routes/admin/orders-pdf.ts
+++ b/src/routes/admin/orders-pdf.ts
@@ -383,7 +383,9 @@ export default async function ordersPdfRoutes(
          })
          .join("");

-        const paymentMethod = lang === "cs" ? "převodem" : "Bank transfer";
+        const paymentMethod =
+          String((order as Record<string, unknown>).payment_method || "") ||
+          (lang === "cs" ? "převodem" : "Bank transfer");

        let vatDetailHtml = "";
        if (applyVat) {
--- a/src/routes/admin/orders.ts
+++ b/src/routes/admin/orders.ts
@@ -1,9 +1,10 @@
 import { FastifyInstance } from "fastify";
 import { requirePermission } from "../../middleware/auth";
 import { logAudit } from "../../services/audit";
-import { success, error, parseId } from "../../utils/response";
+import { success, error, parseId, paginated } from "../../utils/response";
 import { parsePagination, buildPaginationMeta } from "../../utils/pagination";
 import { parseBody } from "../../schemas/common";
+import { config } from "../../config/env";
 import {
  CreateOrderFromQuotationSchema,
  CreateOrderSchema,
@@ -25,7 +26,9 @@ import multipart from "@fastify/multipart";
 export default async function ordersRoutes(
  fastify: FastifyInstance,
 ): Promise<void> {
-  await fastify.register(multipart, { limits: { fileSize: 10 * 1024 * 1024 } });
+  await fastify.register(multipart, {
+    limits: { fileSize: config.nas.maxUploadSize },
+  });

  // GET /api/admin/orders/next-number
  fastify.get(
@@ -54,15 +57,11 @@ export default async function ordersRoutes(
        customer_id: query.customer_id ? Number(query.customer_id) : undefined,
      });

-      return reply.send({
-        success: true,
-        data: result.data,
-        pagination: buildPaginationMeta(
-          result.total,
-          result.page,
-          result.limit,
-        ),
-      });
+      return paginated(
+        reply,
+        result.data,
+        buildPaginationMeta(result.total, result.page, result.limit),
+      );
    },
  );

--- a/src/routes/admin/projects.ts
+++ b/src/routes/admin/projects.ts
@@ -129,6 +129,9 @@ export default async function projectsRoutes(
        lastName: authData.lastName,
        content: parsed.data.content ?? undefined,
      });
+      if (note && "error" in note) {
+        return error(reply, note.error, (note as any).status ?? 400);
+      }

      return success(reply, { note }, 201, "Poznámka byla přidána");
    },
--- a/src/routes/admin/quotations.ts
+++ b/src/routes/admin/quotations.ts
@@ -1,7 +1,7 @@
 import { FastifyInstance } from "fastify";
 import { requirePermission } from "../../middleware/auth";
 import { logAudit } from "../../services/audit";
-import { success, error, parseId } from "../../utils/response";
+import { success, error, parseId, paginated } from "../../utils/response";
 import { parsePagination, buildPaginationMeta } from "../../utils/pagination";
 import { parseBody } from "../../schemas/common";
 import {
@@ -44,11 +44,11 @@ export default async function quotationsRoutes(
        customer_id: query.customer_id ? Number(query.customer_id) : undefined,
      });

-      return reply.send({
-        success: true,
-        data: result.data,
-        pagination: buildPaginationMeta(result.total, page, limit),
-      });
+      return paginated(
+        reply,
+        result.data,
+        buildPaginationMeta(result.total, page, limit),
+      );
    },
  );

--- a/src/routes/admin/sessions.ts
+++ b/src/routes/admin/sessions.ts
@@ -1,12 +1,8 @@
 import { FastifyInstance } from "fastify";
-import crypto from "crypto";
 import prisma from "../../config/database";
 import { requireAuth } from "../../middleware/auth";
 import { success, error } from "../../utils/response";
-
-function hashToken(token: string): string {
-  return crypto.createHash("sha256").update(token).digest("hex");
-}
+import { hashToken } from "../../services/auth";

 /** Parse user-agent string into browser, OS, and device icon */
 function parseUserAgent(ua: string | null): {
--- a/src/routes/admin/trips.ts
+++ b/src/routes/admin/trips.ts
@@ -175,7 +175,7 @@ export default async function tripsRoutes(
  // Matches PHP: COALESCE(MAX(end_km), vehicle.initial_km, 0)
  fastify.get<{ Params: { vehicleId: string } }>(
    "/last-km/:vehicleId",
-    { preHandler: requireAuth },
+    { preHandler: requirePermission("trips.view") },
    async (request, reply) => {
      const vehicleId = parseInt(request.params.vehicleId, 10);
      if (isNaN(vehicleId)) return error(reply, "Neplatné ID vozidla", 400);
--- a/src/routes/admin/users.ts
+++ b/src/routes/admin/users.ts
@@ -2,7 +2,7 @@ import { FastifyInstance } from "fastify";
 import prisma from "../../config/database";
 import { requirePermission } from "../../middleware/auth";
 import { logAudit } from "../../services/audit";
-import { success, error, parseId } from "../../utils/response";
+import { success, error, parseId, paginated } from "../../utils/response";
 import { parsePagination, buildPaginationMeta } from "../../utils/pagination";
 import { parseBody } from "../../schemas/common";
 import { CreateUserSchema, UpdateUserSchema } from "../../schemas/users.schema";
@@ -25,15 +25,11 @@ export default async function usersRoutes(
      const params = parsePagination(request.query as Record<string, unknown>);
      const result = await listUsers(params);

-      return reply.send({
-        success: true,
-        data: result.users,
-        pagination: buildPaginationMeta(
-          result.total,
-          result.page,
-          result.limit,
-        ),
-      });
+      return paginated(
+        reply,
+        result.users,
+        buildPaginationMeta(result.total, result.page, result.limit),
+      );
    },
  );