fix: security, validation, and data integrity fixes across 53 files
- Auth: HS256 algorithm restriction on JWT verify, timing-safe bcrypt
for inactive/locked users, locked_until check in loadAuthData, TOTP
fixes (async bcrypt, BigInt conversion, future-code counter fix)
- Validation: Zod enums for leave_type/status, numeric transforms on
foreign keys, VAT 0% coercion fix (Number(v)||21 → v!=null checks)
- Permissions: requirePermission on attendance PUT, attendance_users
and project_logs access checks, trips users filtered by trips.record
- Prisma queries: fixed roles.is:{OR} pattern (doesn't work on to-one
relations), attendance_users now filters by attendance.record only
- Transactions: wrapped deleteOrder, createOrder, updateUser, deleteUser,
duplicateOffer, bulkCreateAttendance, createLeave, scope-templates,
leave-requests, company-settings, profile updates
- Frontend: mountedRef reset in useListData, blob URL cleanup on unmount,
null checks on date fields, AdminDatePicker min/max for HH:mm
- Security headers: COOP, CORP, CSP frame-ancestors/form-action/base-uri
- Other: exchange-rate cache TTL, invoice-alert midnight comparison fix,
numbering.service releaseSequence no-op, nas-offers filename sanitize,
Content-Disposition header injection fix, mojibake Czech strings
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -51,6 +51,9 @@ async function loadAuthData(userId: number): Promise<AuthData | null> {
|
||||
|
||||
if (!user || !user.is_active) return null;
|
||||
|
||||
if (user.locked_until && new Date(user.locked_until) > new Date())
|
||||
return null;
|
||||
|
||||
const isAdmin = user.roles?.name === "admin";
|
||||
const permissions = isAdmin
|
||||
? (await prisma.permissions.findMany({ select: { name: true } })).map(
|
||||
@@ -111,6 +114,7 @@ export async function login(
|
||||
}
|
||||
|
||||
if (!user.is_active) {
|
||||
await bcrypt.compare(password, DUMMY_HASH); // timing-safe
|
||||
request.log.warn(`Login failed for deactivated user: ${username}`);
|
||||
return {
|
||||
type: "error",
|
||||
@@ -120,6 +124,7 @@ export async function login(
|
||||
}
|
||||
|
||||
if (user.locked_until && new Date(user.locked_until) > new Date()) {
|
||||
await bcrypt.compare(password, DUMMY_HASH); // timing-safe
|
||||
request.log.warn(`Login failed for locked user: ${username}`);
|
||||
return {
|
||||
type: "error",
|
||||
@@ -319,7 +324,7 @@ export async function refreshAccessToken(
|
||||
accessToken,
|
||||
refreshToken: newRefreshTokenRaw,
|
||||
user: authData,
|
||||
rememberMe: storedToken.remember_me ?? false,
|
||||
rememberMe: rememberMe,
|
||||
};
|
||||
});
|
||||
}
|
||||
@@ -341,10 +346,9 @@ export async function verifyAccessToken(
|
||||
token: string,
|
||||
): Promise<AuthData | null> {
|
||||
try {
|
||||
const payload = jwt.verify(
|
||||
token,
|
||||
config.jwt.secret,
|
||||
) as unknown as JwtPayload;
|
||||
const payload = jwt.verify(token, config.jwt.secret, {
|
||||
algorithms: ["HS256"],
|
||||
}) as unknown as JwtPayload;
|
||||
return loadAuthData(payload.sub);
|
||||
} catch (err) {
|
||||
console.error("JWT verification error:", err);
|
||||
|
||||
Reference in New Issue
Block a user