BOHA
744baec2ec
feat(security): audit-log session termination (single + all-others)
...
The two session-revocation endpoints wrote no audit entry. Added a 'session' EntityType (+ Czech label 'Relace') and logAudit on both deletes, so revoking sessions is recorded in the forensic trail.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-06-06 02:40:41 +02:00
BOHA
c983747418
feat(plan): add plan category CRUD routes with audit
...
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-06-06 00:38:25 +02:00
BOHA
d410e7433e
feat(plan): extend EntityType with work_plan_entry and work_plan_override
2026-06-05 12:07:48 +02:00
BOHA
d2d1cdbb92
feat(warehouse): add receipt, issue, reservation, inventory, and report routes
...
- Receipts: CRUD + confirm/cancel + multipart attachment upload/delete
- Issues: CRUD + confirm/cancel with auto-FIFO batch selection
- Reservations: list + create + cancel
- Inventory sessions: CRUD + confirm with auto system_qty calculation
- Reports: stock-status, project-consumption, movement-log, below-minimum
- Add confirm/cancel/upload audit actions and warehouse_receipt_attachment entity type
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com >
2026-05-29 14:17:33 +02:00
BOHA
2b1de583fd
feat(warehouse): add entity types, permissions, and number sequences
2026-05-29 14:08:35 +02:00
BOHA
d7c7fbad88
fix: security, validation, and data integrity fixes across 53 files
...
- Auth: HS256 algorithm restriction on JWT verify, timing-safe bcrypt
for inactive/locked users, locked_until check in loadAuthData, TOTP
fixes (async bcrypt, BigInt conversion, future-code counter fix)
- Validation: Zod enums for leave_type/status, numeric transforms on
foreign keys, VAT 0% coercion fix (Number(v)||21 → v!=null checks)
- Permissions: requirePermission on attendance PUT, attendance_users
and project_logs access checks, trips users filtered by trips.record
- Prisma queries: fixed roles.is:{OR} pattern (doesn't work on to-one
relations), attendance_users now filters by attendance.record only
- Transactions: wrapped deleteOrder, createOrder, updateUser, deleteUser,
duplicateOffer, bulkCreateAttendance, createLeave, scope-templates,
leave-requests, company-settings, profile updates
- Frontend: mountedRef reset in useListData, blob URL cleanup on unmount,
null checks on date fields, AdminDatePicker min/max for HH:mm
- Security headers: COOP, CORP, CSP frame-ancestors/form-action/base-uri
- Other: exchange-rate cache TTL, invoice-alert midnight comparison fix,
numbering.service releaseSequence no-op, nas-offers filename sanitize,
Content-Disposition header injection fix, mojibake Czech strings
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-28 08:40:38 +02:00
BOHA
528e55991b
security: fix all Critical and High findings from FLAWS_REPORT audit
...
- Auth: pessimistic locking on login tokens and refresh token rotation,
backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
HTML, ref mutation fixes, accessibility attributes
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-24 00:58:35 +02:00
BOHA
baceb88347
feat: NAS storage for invoices/offers, code cleanup, date/time fixes
...
- NAS storage for created invoices (PDF via puppeteer), received invoices,
and offers with auto-save on create/edit
- Deterministic file paths derived from DB fields (no file_path column needed)
- Separate NAS mount points: NAS_FINANCIALS_PATH, NAS_OFFERS_PATH
- Invoice language field (cs/en) stored per invoice, replaces lang modal
- Invoices list filtered by month/year matching KPI card selection
- Centralized date helpers (src/utils/date.ts) replacing all .toISOString()
calls that returned UTC instead of local time
- Attendance project switching uses exact time (not rounded)
- Comment cleanup: removed ~100 unnecessary/Czech comments
- Removed as-any casts in orders and attendance
- Prisma migrations: add invoice language, drop received_invoices BLOB columns
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-26 10:36:39 +01:00
BOHA
3c167cf5c4
style: run prettier on entire codebase
2026-03-24 19:59:14 +01:00
BOHA
456232cd82
fix: dashboard TOTP status always showing inactive
...
loadAuthData() didn't include totp_enabled or require_2fa in the
AuthData response. The frontend always saw undefined → false.
Now includes both fields from the database.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-23 20:31:06 +01:00
BOHA
49e668ee2a
feat: add project files REST endpoints with auth and audit logging
...
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-23 10:19:11 +01:00
BOHA
4608494a3f
initial commit
...
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-23 08:46:51 +01:00