BOHA
d1c5234a03
fix: allow logo endpoint without auth for <img> tag loading
...
Logo images are loaded via <img src> which doesn't carry auth cookies
reliably during login transitions. Changed from requireAuth to
optionalAuth — logos are not sensitive data.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-28 11:52:24 +02:00
BOHA
d7c7fbad88
fix: security, validation, and data integrity fixes across 53 files
...
- Auth: HS256 algorithm restriction on JWT verify, timing-safe bcrypt
for inactive/locked users, locked_until check in loadAuthData, TOTP
fixes (async bcrypt, BigInt conversion, future-code counter fix)
- Validation: Zod enums for leave_type/status, numeric transforms on
foreign keys, VAT 0% coercion fix (Number(v)||21 → v!=null checks)
- Permissions: requirePermission on attendance PUT, attendance_users
and project_logs access checks, trips users filtered by trips.record
- Prisma queries: fixed roles.is:{OR} pattern (doesn't work on to-one
relations), attendance_users now filters by attendance.record only
- Transactions: wrapped deleteOrder, createOrder, updateUser, deleteUser,
duplicateOffer, bulkCreateAttendance, createLeave, scope-templates,
leave-requests, company-settings, profile updates
- Frontend: mountedRef reset in useListData, blob URL cleanup on unmount,
null checks on date fields, AdminDatePicker min/max for HH:mm
- Security headers: COOP, CORP, CSP frame-ancestors/form-action/base-uri
- Other: exchange-rate cache TTL, invoice-alert midnight comparison fix,
numbering.service releaseSequence no-op, nas-offers filename sanitize,
Content-Disposition header injection fix, mojibake Czech strings
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-28 08:40:38 +02:00
BOHA
aa6c1b5094
refactor: fix all Low findings from FLAWS_REPORT audit
...
- Auth: TOTP params from config, JWT error logging, audit log failure
logging, replaced_by_hash validation on token rotation
- Invoices: remove dead VAT code, consistent PDF permissions,
WebP magic-byte detection, deduped exchange-rate fetches
- Orders/Offers: multipart limit from config, use paginated() helper,
payment method from DB in PDF
- Projects: verify project exists before creating note
- Attendance: action_type enum validation, consistent local-time
shift_date construction, holiday attendance in work fund,
trips.view permission on last-km query
- Users: paginated() helper usage, remove duplicate dashboard keys,
parallel currency conversion, single hashToken implementation
- Frontend: memoized customInput, reliable print onload, modal prop
standardization (isOpen), ConfirmModal type icons, id===0 key
fallback, Login useCallback, CompanySettings ConfirmModal,
Attendance timeout cleanup, Dashboard memoization, beforeunload
dirty-state warnings on Invoice/Offer/Order detail
- Schema: invoice_alert_log timestamp, config/env comment on
Date.prototype.toJSON override
- Utils: exchange-rate inflight dedup
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-24 08:45:37 +02:00
BOHA
528e55991b
security: fix all Critical and High findings from FLAWS_REPORT audit
...
- Auth: pessimistic locking on login tokens and refresh token rotation,
backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
HTML, ref mutation fixes, accessibility attributes
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-24 00:58:35 +02:00
BOHA
9c49015968
1.3.0
2026-03-27 10:25:40 +01:00
BOHA
6b31b2f74b
feat: system settings, dynamic logos, template numbering, permission consolidation
...
- System settings page with tabs: Security, System, Firma
- Configurable attendance rules (break thresholds, rounding) from DB
- Configurable document numbering with template patterns ({YYYY}/{PREFIX}/{NNN})
- Dynamic logo upload (light/dark variants) served from DB instead of static files
- Email settings (SMTP from/name, alert/leave emails) configurable in UI
- Currency and VAT rate lists configurable, used across all modules
- Permissions simplified: offers.settings + settings.roles + settings.security → settings.manage
- Leaflet bundled locally, removed unpkg.com from CSP
- Silent catch blocks fixed with proper logging
- console.log replaced with app.log.info in server.ts
- Schema renamed: company-settings.schema → settings.schema
- App info section: version, Node.js, uptime, memory, DB status, NAS status
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-27 10:15:47 +01:00
BOHA
106606f3fa
fix: code review — XSS, type safety, validation improvements
...
Critical:
- InvoiceDetail: sanitize notes HTML with DOMPurify
- OrderDetail: use proper DOMPurify import instead of window fallback
Important:
- AttendanceBalances: add fund_to_date to interface, remove as-any casts
- All schemas: replace z.any() with z.preprocess for boolean fields
- Routes: simplify boolean coercion (Zod handles it now)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-24 20:13:20 +01:00
BOHA
3c167cf5c4
style: run prettier on entire codebase
2026-03-24 19:59:14 +01:00
BOHA
c0b8a94210
fix: resolve TypeScript compilation errors from service extraction
...
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-23 09:11:04 +01:00
BOHA
d2b22e9399
feat: add Zod validation schemas for all domain routes
...
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-23 08:57:38 +01:00
BOHA
4608494a3f
initial commit
...
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-23 08:46:51 +01:00