fix: resolve all 28 findings from the 2026-06-12 full audit (TDD-pinned)
Critical (data integrity):
- warehouse inventory confirm: throw (not return) inside $transaction so a
failed deficit line rolls back the surplus corrective receipt — retries
no longer accumulate phantom stock
- warehouse issue confirm: validate batches against the COMBINED quantity
of all lines (duplicate FIFO-resolved lines drove batches negative)
- attendance delete: restore vacation_used/sick_used for the deleted day
(in-transaction, clamped at 0)
High:
- auth refresh: terminated sessions (replaced_at only) get a plain 401 —
the theft branch (family revocation) now fires only on replaced_by_hash
- POST /users strips role_id for non-admin callers (mirrors PUT guard)
- issued-order transition flushes unsaved edits via the full save payload
when dirty; server contract (items+status in one PUT) pinned
- received-invoices list: usePaginatedQuery + pager (rows 26+ unreachable)
- received-invoice dates: nullableIsoDateString + NaN guard before NAS save
(Czech-format dates corrupted month/year, orphaned NAS files)
- leave approval skips Czech public holidays and books each calendar year's
hours against its own balance (mirrors createLeave)
Medium/Low (classes):
- 52 Zod caps aligned to DB column widths across 7 schemas (over-cap input
500ed at Prisma instead of a Czech 400)
- FK pre-validation: projects update + warehouse receipts/issues return
Czech 400s instead of P2003 500s
- invoice PDF degrades gracefully when the CNB rate is unavailable
(recap omitted instead of 500 + lost NAS archival)
- date boundaries: local-day filters (warehouse lists/reports, audit-log),
@db.Date coercion on invoice dates
- plan updateEntry re-checks the per-cell cap (self-excluding)
- {id} tiebreaks on customers/received-invoices/warehouse-items sorts;
/items honors the client sort param
- htmlToPdf relaunches once when the shared browser died mid-render
- offer number release parses the year from the document number (cross-year
finalize+delete left permanent sequence gaps)
- trips/vehicles km fields integer-coerced; AI budget regated to
settings.company|settings.system; Settings System tab no longer clobbers
Firma numbering patterns; draft invoices hide the dead PDF button;
dashboard quick-trip invalidates ["vehicles"]; TOTP secret cap 64;
audit-log + invoice month buckets day-shift fixes
Docs: corrected the stale "Chromium has no CSS margin-box footers" claim
(html-to-pdf.ts + CLAUDE.md — margin boxes render since Chrome 131); audit
report M3 withdrawn accordingly.
~65 new pinning tests; every finding reproduced RED against the real test
DB before its fix. Suite: 58 files / 634 tests green.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -270,17 +270,17 @@ export async function refreshAccessToken(
|
||||
`;
|
||||
const storedToken = tokens[0] ?? null;
|
||||
|
||||
// Detected reuse: a token that exists but has ALREADY been rotated
|
||||
// (replaced_at / replaced_by_hash set) is being presented again. This is
|
||||
// the classic refresh-token-theft signature — either the legitimate
|
||||
// client or an attacker is replaying a consumed token. Breach
|
||||
// containment: revoke the WHOLE token family for that user so both the
|
||||
// stolen and the still-valid descendant tokens are invalidated, forcing
|
||||
// a fresh login.
|
||||
if (
|
||||
storedToken &&
|
||||
(storedToken.replaced_at || storedToken.replaced_by_hash)
|
||||
) {
|
||||
// Detected reuse: a token that has ALREADY been rotated (replaced_by_hash
|
||||
// points at its descendant) is being presented again. This is the classic
|
||||
// refresh-token-theft signature — either the legitimate client or an
|
||||
// attacker is replaying a consumed token. Breach containment: revoke the
|
||||
// WHOLE token family for that user so both the stolen and the still-valid
|
||||
// descendant tokens are invalidated, forcing a fresh login.
|
||||
// A token with ONLY replaced_at set was manually TERMINATED (sessions
|
||||
// DELETE / password change set replaced_at without a descendant) — that
|
||||
// is an expected dead token, NOT theft: reject it below as plain invalid
|
||||
// without nuking the user's other sessions.
|
||||
if (storedToken && storedToken.replaced_by_hash) {
|
||||
const reuseUserId = Number(storedToken.user_id);
|
||||
await tx.refresh_tokens.deleteMany({ where: { user_id: reuseUserId } });
|
||||
request.log.warn(
|
||||
@@ -289,7 +289,11 @@ export async function refreshAccessToken(
|
||||
return { type: "error", message: "Neplatný refresh token", status: 401 };
|
||||
}
|
||||
|
||||
if (!storedToken || new Date(storedToken.expires_at) < new Date()) {
|
||||
if (
|
||||
!storedToken ||
|
||||
storedToken.replaced_at ||
|
||||
new Date(storedToken.expires_at) < new Date()
|
||||
) {
|
||||
return { type: "error", message: "Neplatný refresh token", status: 401 };
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user