fix: security, validation, and data integrity fixes across 53 files

- Auth: HS256 algorithm restriction on JWT verify, timing-safe bcrypt for inactive/locked users, locked_until check in loadAuthData, TOTP fixes (async bcrypt, BigInt conversion, future-code counter fix) - Validation: Zod enums for leave_type/status, numeric transforms on foreign keys, VAT 0% coercion fix (Number(v)||21 → v!=null checks) - Permissions: requirePermission on attendance PUT, attendance_users and project_logs access checks, trips users filtered by trips.record - Prisma queries: fixed roles.is:{OR} pattern (doesn't work on to-one relations), attendance_users now filters by attendance.record only - Transactions: wrapped deleteOrder, createOrder, updateUser, deleteUser, duplicateOffer, bulkCreateAttendance, createLeave, scope-templates, leave-requests, company-settings, profile updates - Frontend: mountedRef reset in useListData, blob URL cleanup on unmount, null checks on date fields, AdminDatePicker min/max for HH:mm - Security headers: COOP, CORP, CSP frame-ancestors/form-action/base-uri - Other: exchange-rate cache TTL, invoice-alert midnight comparison fix, numbering.service releaseSequence no-op, nas-offers filename sanitize, Content-Disposition header injection fix, mojibake Czech strings Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-28 08:40:38 +02:00
parent 7f07032bf2
commit d7c7fbad88
52 changed files with 927 additions and 573 deletions
--- a/src/admin/context/AlertContext.tsx
+++ b/src/admin/context/AlertContext.tsx
@@ -57,7 +57,10 @@ export function AlertProvider({ children }: { children: ReactNode }) {
        { id, message, type: type as Alert["type"] },
      ]);
      if (duration > 0) {
-        const timeoutId = setTimeout(() => removeAlert(id), duration);
+        const timeoutId = setTimeout(() => {
+          timeoutsRef.current.delete(timeoutId);
+          removeAlert(id);
+        }, duration);
        timeoutsRef.current.add(timeoutId);
      }
      return id;
--- a/src/admin/context/AuthContext.tsx
+++ b/src/admin/context/AuthContext.tsx
@@ -268,6 +268,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
            login_token: loginToken,
            totp_code: code,
            remember_me: remember,
+            isBackup,
          }),
        });
        const data = await response.json();