fix: security, validation, and data integrity fixes across 53 files
- Auth: HS256 algorithm restriction on JWT verify, timing-safe bcrypt
for inactive/locked users, locked_until check in loadAuthData, TOTP
fixes (async bcrypt, BigInt conversion, future-code counter fix)
- Validation: Zod enums for leave_type/status, numeric transforms on
foreign keys, VAT 0% coercion fix (Number(v)||21 → v!=null checks)
- Permissions: requirePermission on attendance PUT, attendance_users
and project_logs access checks, trips users filtered by trips.record
- Prisma queries: fixed roles.is:{OR} pattern (doesn't work on to-one
relations), attendance_users now filters by attendance.record only
- Transactions: wrapped deleteOrder, createOrder, updateUser, deleteUser,
duplicateOffer, bulkCreateAttendance, createLeave, scope-templates,
leave-requests, company-settings, profile updates
- Frontend: mountedRef reset in useListData, blob URL cleanup on unmount,
null checks on date fields, AdminDatePicker min/max for HH:mm
- Security headers: COOP, CORP, CSP frame-ancestors/form-action/base-uri
- Other: exchange-rate cache TTL, invoice-alert midnight comparison fix,
numbering.service releaseSequence no-op, nas-offers filename sanitize,
Content-Disposition header injection fix, mojibake Czech strings
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -38,12 +38,7 @@ export default async function profileRoutes(
|
||||
|
||||
const data: Record<string, unknown> = {};
|
||||
if (body.email) {
|
||||
const newEmail = String(body.email).trim();
|
||||
const existing = await prisma.users.findFirst({
|
||||
where: { email: newEmail, id: { not: userId } },
|
||||
});
|
||||
if (existing) return error(reply, "E-mail již existuje", 409);
|
||||
data.email = newEmail;
|
||||
data.email = String(body.email).trim();
|
||||
}
|
||||
if (body.first_name) data.first_name = String(body.first_name);
|
||||
if (body.last_name) data.last_name = String(body.last_name);
|
||||
@@ -65,7 +60,23 @@ export default async function profileRoutes(
|
||||
data.password_changed_at = new Date();
|
||||
}
|
||||
|
||||
await prisma.users.update({ where: { id: userId }, data });
|
||||
// Wrap email uniqueness check and update in a transaction to prevent race condition
|
||||
try {
|
||||
await prisma.$transaction(async (tx) => {
|
||||
if (data.email) {
|
||||
const existing = await tx.users.findFirst({
|
||||
where: { email: String(data.email), id: { not: userId } },
|
||||
});
|
||||
if (existing) throw new Error("EMAIL_EXISTS");
|
||||
}
|
||||
await tx.users.update({ where: { id: userId }, data });
|
||||
});
|
||||
} catch (e) {
|
||||
if (e instanceof Error && e.message === "EMAIL_EXISTS") {
|
||||
return error(reply, "E-mail již existuje", 409);
|
||||
}
|
||||
throw e;
|
||||
}
|
||||
|
||||
await logAudit({
|
||||
request,
|
||||
|
||||
Reference in New Issue
Block a user