fix: security, validation, and data integrity fixes across 53 files

- Auth: HS256 algorithm restriction on JWT verify, timing-safe bcrypt for inactive/locked users, locked_until check in loadAuthData, TOTP fixes (async bcrypt, BigInt conversion, future-code counter fix) - Validation: Zod enums for leave_type/status, numeric transforms on foreign keys, VAT 0% coercion fix (Number(v)||21 → v!=null checks) - Permissions: requirePermission on attendance PUT, attendance_users and project_logs access checks, trips users filtered by trips.record - Prisma queries: fixed roles.is:{OR} pattern (doesn't work on to-one relations), attendance_users now filters by attendance.record only - Transactions: wrapped deleteOrder, createOrder, updateUser, deleteUser, duplicateOffer, bulkCreateAttendance, createLeave, scope-templates, leave-requests, company-settings, profile updates - Frontend: mountedRef reset in useListData, blob URL cleanup on unmount, null checks on date fields, AdminDatePicker min/max for HH:mm - Security headers: COOP, CORP, CSP frame-ancestors/form-action/base-uri - Other: exchange-rate cache TTL, invoice-alert midnight comparison fix, numbering.service releaseSequence no-op, nas-offers filename sanitize, Content-Disposition header injection fix, mojibake Czech strings Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-28 08:40:38 +02:00
parent 7f07032bf2
commit d7c7fbad88
52 changed files with 927 additions and 573 deletions
--- a/src/routes/admin/trips.ts
+++ b/src/routes/admin/trips.ts
@@ -38,9 +38,15 @@ export default async function tripsRoutes(
        mo = NaN;
      }
      if (!isNaN(yr) && !isNaN(mo) && mo >= 1 && mo <= 12) {
+        // Use explicit date strings to avoid toJSON timezone shift
+        const monthStart = `${yr}-${String(mo).padStart(2, "0")}-01`;
+        const nextMonth =
+          mo === 12
+            ? `${yr + 1}-01-01`
+            : `${yr}-${String(mo + 1).padStart(2, "0")}-01`;
        where.trip_date = {
-          gte: new Date(yr, mo - 1, 1),
-          lt: new Date(yr, mo, 1),
+          gte: new Date(monthStart),
+          lt: new Date(nextMonth),
        };
      }
    }
@@ -75,15 +81,8 @@ export default async function tripsRoutes(
        where: {
          is_active: true,
          roles: {
-            is: {
-              OR: [
-                { name: "admin" },
-                {
-                  role_permissions: {
-                    some: { permissions: { name: "trips.record" } },
-                  },
-                },
-              ],
+            role_permissions: {
+              some: { permissions: { name: "trips.record" } },
            },
          },
        },
@@ -120,9 +119,17 @@ export default async function tripsRoutes(
      if (filterUserId) where.user_id = filterUserId;
      if (filterVehicleId) where.vehicle_id = filterVehicleId;
      if (query.month && query.year) {
+        // Use explicit date strings to avoid toJSON timezone shift
+        const yr = Number(query.year);
+        const mo = Number(query.month);
+        const monthStart = `${yr}-${String(mo).padStart(2, "0")}-01`;
+        const nextMonth =
+          mo === 12
+            ? `${yr + 1}-01-01`
+            : `${yr}-${String(mo + 1).padStart(2, "0")}-01`;
        where.trip_date = {
-          gte: new Date(Number(query.year), Number(query.month) - 1, 1),
-          lt: new Date(Number(query.year), Number(query.month), 1),
+          gte: new Date(monthStart),
+          lt: new Date(nextMonth),
        };
      }