fix: security, validation, and data integrity fixes across 53 files

- Auth: HS256 algorithm restriction on JWT verify, timing-safe bcrypt
  for inactive/locked users, locked_until check in loadAuthData, TOTP
  fixes (async bcrypt, BigInt conversion, future-code counter fix)
- Validation: Zod enums for leave_type/status, numeric transforms on
  foreign keys, VAT 0% coercion fix (Number(v)||21 → v!=null checks)
- Permissions: requirePermission on attendance PUT, attendance_users
  and project_logs access checks, trips users filtered by trips.record
- Prisma queries: fixed roles.is:{OR} pattern (doesn't work on to-one
  relations), attendance_users now filters by attendance.record only
- Transactions: wrapped deleteOrder, createOrder, updateUser, deleteUser,
  duplicateOffer, bulkCreateAttendance, createLeave, scope-templates,
  leave-requests, company-settings, profile updates
- Frontend: mountedRef reset in useListData, blob URL cleanup on unmount,
  null checks on date fields, AdminDatePicker min/max for HH:mm
- Security headers: COOP, CORP, CSP frame-ancestors/form-action/base-uri
- Other: exchange-rate cache TTL, invoice-alert midnight comparison fix,
  numbering.service releaseSequence no-op, nas-offers filename sanitize,
  Content-Disposition header injection fix, mojibake Czech strings

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
BOHA
2026-04-28 08:40:38 +02:00
parent 7f07032bf2
commit d7c7fbad88
52 changed files with 927 additions and 573 deletions

View File

@@ -212,57 +212,77 @@ export async function updateUser(
const data: Record<string, unknown> = {};
if (body.username !== undefined) {
const newUsername = String(body.username).trim();
if (newUsername !== existing.username) {
const existingUsername = await prisma.users.findFirst({
where: { username: newUsername },
});
if (existingUsername) {
return {
error: "Uživatelské jméno již existuje",
status: 409,
} as const;
try {
await prisma.$transaction(async (tx) => {
if (body.username !== undefined) {
const newUsername = String(body.username).trim();
if (newUsername !== existing.username) {
const existingUsername = await tx.users.findFirst({
where: { username: newUsername },
});
if (existingUsername) {
throw Object.assign(new Error("Uživatelské jméno již existuje"), {
status: 409,
});
}
}
data.username = newUsername;
}
}
data.username = newUsername;
}
if (body.email !== undefined) {
const newEmail = String(body.email).trim();
if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(newEmail)) {
return { error: "Neplatný formát e-mailu", status: 400 } as const;
}
const existingEmail = await prisma.users.findFirst({
where: { email: newEmail, id: { not: id } },
if (body.email !== undefined) {
const newEmail = String(body.email).trim();
if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(newEmail)) {
throw Object.assign(new Error("Neplatný formát e-mailu"), {
status: 400,
});
}
const existingEmail = await tx.users.findFirst({
where: { email: newEmail, id: { not: id } },
});
if (existingEmail) {
throw Object.assign(new Error("E-mail již existuje"), {
status: 409,
});
}
data.email = newEmail;
}
if (body.first_name !== undefined)
data.first_name = String(body.first_name);
if (body.last_name !== undefined) data.last_name = String(body.last_name);
if (body.role_id !== undefined)
data.role_id = body.role_id ? Number(body.role_id) : null;
if (body.is_active !== undefined)
data.is_active =
body.is_active === true ||
body.is_active === 1 ||
body.is_active === "1";
if (body.password) {
const newPassword = String(body.password);
if (newPassword.length < 8) {
throw Object.assign(new Error("Heslo musí mít alespoň 8 znaků"), {
status: 400,
});
}
data.password_hash = await bcrypt.hash(
newPassword,
config.security.bcryptCost,
);
data.password_changed_at = new Date();
}
await tx.users.update({ where: { id }, data });
});
if (existingEmail) {
return { error: "E-mail již existuje", status: 409 } as const;
} catch (err) {
if (err instanceof Error && "status" in err) {
return {
error: err.message,
status: (err as Error & { status: number }).status,
} as const;
}
data.email = newEmail;
throw err;
}
if (body.first_name !== undefined) data.first_name = String(body.first_name);
if (body.last_name !== undefined) data.last_name = String(body.last_name);
if (body.role_id !== undefined)
data.role_id = body.role_id ? Number(body.role_id) : null;
if (body.is_active !== undefined)
data.is_active =
body.is_active === true || body.is_active === 1 || body.is_active === "1";
if (body.password) {
const newPassword = String(body.password);
if (newPassword.length < 8) {
return { error: "Heslo musí mít alespoň 8 znaků", status: 400 } as const;
}
data.password_hash = await bcrypt.hash(
newPassword,
config.security.bcryptCost,
);
data.password_changed_at = new Date();
}
await prisma.users.update({ where: { id }, data });
return { id, username: existing.username } as const;
}
@@ -276,8 +296,10 @@ export async function deleteUser(id: number, currentUserId?: number) {
return { error: "Uživatel nenalezen", status: 404 } as const;
}
await prisma.refresh_tokens.deleteMany({ where: { user_id: id } });
await prisma.users.delete({ where: { id } });
await prisma.$transaction(async (tx) => {
await tx.refresh_tokens.deleteMany({ where: { user_id: id } });
await tx.users.delete({ where: { id } });
});
return { id, username: existing.username } as const;
}