BOHA
cd6d3daf43
v1.6.5: fix attendance unique constraint, schema sync, seed script
...
- Change attendance idx_attendance_user_date from unique to index (allow multiple shifts per day)
- Reset migrations to single baseline init migration
- Add seed script with admin user (admin/admin)
- Update CLAUDE.md with migration workflow documentation
- Various frontend fixes (queries, pages, hooks)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-17 16:21:34 +02:00
BOHA
d7c7fbad88
fix: security, validation, and data integrity fixes across 53 files
...
- Auth: HS256 algorithm restriction on JWT verify, timing-safe bcrypt
for inactive/locked users, locked_until check in loadAuthData, TOTP
fixes (async bcrypt, BigInt conversion, future-code counter fix)
- Validation: Zod enums for leave_type/status, numeric transforms on
foreign keys, VAT 0% coercion fix (Number(v)||21 → v!=null checks)
- Permissions: requirePermission on attendance PUT, attendance_users
and project_logs access checks, trips users filtered by trips.record
- Prisma queries: fixed roles.is:{OR} pattern (doesn't work on to-one
relations), attendance_users now filters by attendance.record only
- Transactions: wrapped deleteOrder, createOrder, updateUser, deleteUser,
duplicateOffer, bulkCreateAttendance, createLeave, scope-templates,
leave-requests, company-settings, profile updates
- Frontend: mountedRef reset in useListData, blob URL cleanup on unmount,
null checks on date fields, AdminDatePicker min/max for HH:mm
- Security headers: COOP, CORP, CSP frame-ancestors/form-action/base-uri
- Other: exchange-rate cache TTL, invoice-alert midnight comparison fix,
numbering.service releaseSequence no-op, nas-offers filename sanitize,
Content-Disposition header injection fix, mojibake Czech strings
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-28 08:40:38 +02:00
BOHA
4f4b12f039
security: fix all Medium findings from FLAWS_REPORT audit
...
- Auth: TOTP replay protection with counter tracking, constant-time
backup code comparison, atomic lockout increment, per-token logout
- Invoices/PDFs: net-based VAT calculation, dangerous URL scheme
stripping in cleanQuillHtml, orders-pdf error handling
- Orders: reject item changes on status transition, cascading
delete cleanup, take:1 with orderBy
- Projects: atomic rename collision handling, MIME/extension
validation, empty customer name rejection
- Attendance: Czech public holiday awareness in frontend fund
calculation, leave_hours 0 handling, invalid date NaN guard,
bounded per-month queries in workfund
- Users/Admin: profile audit logging + password validation, session
revocation guard, session ID validation, dashboard DB aggregation,
soft-deleted record protection in scope templates
- Frontend: FormField label linkage, Pagination ARIA, error
handling in OrderConfirmationModal, 401 propagation, GPS emoji
hidden from screen readers, table sort state fix, geolocation
race/abort cleanup, Leaflet popup DOM safety, Vehicles toggleActive
minimal body, CompanySettings ref mutation fix, OfferDetail unlock
abort, AttendanceBalances combined fetches
- Utils: env validation, Puppeteer concurrency mutex, invoice alert
cron cleanup on shutdown, body limit alignment, TOTP error logging,
trustProxy from env, symlink rejection, rate cache Map usage
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-24 08:24:14 +02:00
BOHA
528e55991b
security: fix all Critical and High findings from FLAWS_REPORT audit
...
- Auth: pessimistic locking on login tokens and refresh token rotation,
backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
HTML, ref mutation fixes, accessibility attributes
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-24 00:58:35 +02:00
BOHA
3c167cf5c4
style: run prettier on entire codebase
2026-03-24 19:59:14 +01:00
BOHA
d2b22e9399
feat: add Zod validation schemas for all domain routes
...
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-23 08:57:38 +01:00
BOHA
4608494a3f
initial commit
...
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-23 08:46:51 +01:00