fix: security, validation, and data integrity fixes across 53 files

- Auth: HS256 algorithm restriction on JWT verify, timing-safe bcrypt
  for inactive/locked users, locked_until check in loadAuthData, TOTP
  fixes (async bcrypt, BigInt conversion, future-code counter fix)
- Validation: Zod enums for leave_type/status, numeric transforms on
  foreign keys, VAT 0% coercion fix (Number(v)||21 → v!=null checks)
- Permissions: requirePermission on attendance PUT, attendance_users
  and project_logs access checks, trips users filtered by trips.record
- Prisma queries: fixed roles.is:{OR} pattern (doesn't work on to-one
  relations), attendance_users now filters by attendance.record only
- Transactions: wrapped deleteOrder, createOrder, updateUser, deleteUser,
  duplicateOffer, bulkCreateAttendance, createLeave, scope-templates,
  leave-requests, company-settings, profile updates
- Frontend: mountedRef reset in useListData, blob URL cleanup on unmount,
  null checks on date fields, AdminDatePicker min/max for HH:mm
- Security headers: COOP, CORP, CSP frame-ancestors/form-action/base-uri
- Other: exchange-rate cache TTL, invoice-alert midnight comparison fix,
  numbering.service releaseSequence no-op, nas-offers filename sanitize,
  Content-Disposition header injection fix, mojibake Czech strings

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/routes/admin/auth.ts

@@ -95,7 +95,7 @@ export default async function authRoutes(
     {
       config: {
         rateLimit: {
-          max: 20,
+          max: 5,
           timeWindow: "1 minute",
         },
       },
@@ -104,10 +104,8 @@ export default async function authRoutes(
     async (request, reply) => {
       const parsed = parseBody(TotpVerifySchema, request.body);
       if ("error" in parsed) return error(reply, parsed.error, 400);
-      const { login_token, totp_code } = parsed.data;
-      const rawBody = request.body as unknown as Record<string, unknown>;
-      const rememberMe =
-        rawBody.remember_me === true || rawBody.remember_me === "true";
+      const { login_token, totp_code, remember_me } = parsed.data;
+      const rememberMe = remember_me ?? false;
 
       const tokenHash = crypto
         .createHash("sha256")
@@ -130,8 +128,6 @@ export default async function authRoutes(
         const storedTokenId = Number(storedToken.id);
         const storedUserId = Number(storedToken.user_id);
 
-        await tx.totp_login_tokens.delete({ where: { id: storedTokenId } });
-
         const user = await tx.users.findUnique({
           where: { id: storedUserId },
           include: { roles: true },
@@ -141,11 +137,15 @@ export default async function authRoutes(
           return { error: "Uživatel nenalezen", status: 401 };
         }
 
+        if (!user.is_active) {
+          return { error: "Účet je deaktivován", status: 401 };
+        }
+
         if (user.locked_until && new Date(user.locked_until) > new Date()) {
           return { error: "Účet je dočasně uzamčen", status: 429 };
         }
 
-        return { user };
+        return { user, storedTokenId };
       });
 
       if ("error" in totpResult) {
@@ -183,6 +183,11 @@ export default async function authRoutes(
         return error(reply, "TOTP kód již byl použit", 401);
       }
 
+      // TOTP verified successfully — now consume the login token
+      await prisma.totp_login_tokens.delete({
+        where: { id: totpResult.storedTokenId },
+      });
+
       // Reset failed attempts and update last login (TOTP verified = successful login)
       await prisma.users.update({
         where: { id: user.id },
@@ -234,6 +239,16 @@ export default async function authRoutes(
       });
 
       setRefreshCookie(reply, refreshTokenRaw, rememberMe);
+
+      await logAudit({
+        request,
+        authData: authData,
+        action: "login_totp",
+        entityType: "user",
+        entityId: user.id,
+        description: `TOTP přihlášení uživatele ${user.username}`,
+      });
+
       return success(reply, { access_token: accessToken, user: authData });
     },
   );
@@ -278,7 +293,7 @@ export default async function authRoutes(
   );
 
   // POST /api/admin/logout
-  fastify.post("/logout", async (request, reply) => {
+  fastify.post("/logout", { bodyLimit: 10240 }, async (request, reply) => {
     const refreshTokenRaw = request.cookies.refresh_token;
     if (refreshTokenRaw) {
       await logout(refreshTokenRaw);