feat: add Zod validation schemas for all domain routes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/routes/admin/users.ts

@@ -6,6 +6,8 @@ import { success, error, parseId } from '../../utils/response';
 import { parsePagination, buildPaginationMeta } from '../../utils/pagination';
 import bcrypt from 'bcryptjs';
 import { config } from '../../config/env';
+import { parseBody } from '../../schemas/common';
+import { CreateUserSchema, UpdateUserSchema } from '../../schemas/users.schema';
 
 const ALLOWED_SORT_FIELDS = ['id', 'username', 'email', 'first_name', 'last_name', 'created_at'];
 
@@ -69,25 +71,17 @@ export default async function usersRoutes(fastify: FastifyInstance): Promise<voi
 
   // POST /api/admin/users
   fastify.post('/', { preHandler: requirePermission('users.create') }, async (request, reply) => {
-    const body = request.body as Record<string, unknown>;
+    const parsed = parseBody(CreateUserSchema, request.body);
+    if ('error' in parsed) return error(reply, parsed.error, 400);
+    const body = parsed.data;
 
-    const username = body.username ? String(body.username).trim() : '';
-    const email = body.email ? String(body.email).trim() : '';
-    const password = body.password ? String(body.password) : '';
-    const firstName = body.first_name ? String(body.first_name).trim() : '';
-    const lastName = body.last_name ? String(body.last_name).trim() : '';
+    const username = body.username.trim();
+    const email = body.email.trim();
+    const password = body.password;
+    const firstName = body.first_name.trim();
+    const lastName = body.last_name.trim();
     const roleId = body.role_id;
 
-    // Required fields
-    if (!username || !email || !password || !firstName || !lastName || !roleId) {
-      return error(reply, 'Všechna pole jsou povinná', 400);
-    }
-
-    // Password length
-    if (password.length < 8) {
-      return error(reply, 'Heslo musí mít alespoň 8 znaků', 400);
-    }
-
     // Email format
     if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
       return error(reply, 'Neplatný formát e-mailu', 400);
@@ -135,7 +129,9 @@ export default async function usersRoutes(fastify: FastifyInstance): Promise<voi
   fastify.put<{ Params: { id: string } }>('/:id', { preHandler: requirePermission('users.edit') }, async (request, reply) => {
     const id = parseId(request.params.id, reply);
     if (id === null) return;
-    const body = request.body as Record<string, unknown>;
+    const parsed = parseBody(UpdateUserSchema, request.body);
+    if ('error' in parsed) return error(reply, parsed.error, 400);
+    const body = parsed.data;
 
     const existing = await prisma.users.findUnique({ where: { id } });
     if (!existing) return error(reply, 'Uživatel nenalezen', 404);