BOHA
|
aa6c1b5094
|
refactor: fix all Low findings from FLAWS_REPORT audit
- Auth: TOTP params from config, JWT error logging, audit log failure
logging, replaced_by_hash validation on token rotation
- Invoices: remove dead VAT code, consistent PDF permissions,
WebP magic-byte detection, deduped exchange-rate fetches
- Orders/Offers: multipart limit from config, use paginated() helper,
payment method from DB in PDF
- Projects: verify project exists before creating note
- Attendance: action_type enum validation, consistent local-time
shift_date construction, holiday attendance in work fund,
trips.view permission on last-km query
- Users: paginated() helper usage, remove duplicate dashboard keys,
parallel currency conversion, single hashToken implementation
- Frontend: memoized customInput, reliable print onload, modal prop
standardization (isOpen), ConfirmModal type icons, id===0 key
fallback, Login useCallback, CompanySettings ConfirmModal,
Attendance timeout cleanup, Dashboard memoization, beforeunload
dirty-state warnings on Invoice/Offer/Order detail
- Schema: invoice_alert_log timestamp, config/env comment on
Date.prototype.toJSON override
- Utils: exchange-rate inflight dedup
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
2026-04-24 08:45:37 +02:00 |
|
BOHA
|
4f4b12f039
|
security: fix all Medium findings from FLAWS_REPORT audit
- Auth: TOTP replay protection with counter tracking, constant-time
backup code comparison, atomic lockout increment, per-token logout
- Invoices/PDFs: net-based VAT calculation, dangerous URL scheme
stripping in cleanQuillHtml, orders-pdf error handling
- Orders: reject item changes on status transition, cascading
delete cleanup, take:1 with orderBy
- Projects: atomic rename collision handling, MIME/extension
validation, empty customer name rejection
- Attendance: Czech public holiday awareness in frontend fund
calculation, leave_hours 0 handling, invalid date NaN guard,
bounded per-month queries in workfund
- Users/Admin: profile audit logging + password validation, session
revocation guard, session ID validation, dashboard DB aggregation,
soft-deleted record protection in scope templates
- Frontend: FormField label linkage, Pagination ARIA, error
handling in OrderConfirmationModal, 401 propagation, GPS emoji
hidden from screen readers, table sort state fix, geolocation
race/abort cleanup, Leaflet popup DOM safety, Vehicles toggleActive
minimal body, CompanySettings ref mutation fix, OfferDetail unlock
abort, AttendanceBalances combined fetches
- Utils: env validation, Puppeteer concurrency mutex, invoice alert
cron cleanup on shutdown, body limit alignment, TOTP error logging,
trustProxy from env, symlink rejection, rate cache Map usage
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
2026-04-24 08:24:14 +02:00 |
|