clearCookie was missing httpOnly, secure, sameSite — browser ignored
the Set-Cookie header because the options didn't match the original
cookie attributes. Cookie persisted after logout, allowing F5 to
re-authenticate via silent refresh.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
On logout, finds all refresh tokens matching the same user + IP +
user-agent (same browser session) and deletes them all. This cleans
up zombie tokens from previous logins and token rotations that
were showing as stale sessions on the dashboard.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Deletes current token AND tokens replaced by it
- Cleans up all expired tokens on logout
- Prevents stale sessions from showing on dashboard after re-login
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
loadAuthData() didn't include totp_enabled or require_2fa in the
AuthData response. The frontend always saw undefined → false.
Now includes both fields from the database.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The TOTP verification endpoint always created refresh tokens with
remember_me=false and 1-hour expiry, regardless of what the user
selected at login.
Fix:
- Frontend now sends remember_me in the TOTP verify request body
- Backend reads remember_me and uses it for token expiry (30 days)
and cookie maxAge
Users with 2FA who checked "remember me" will now stay logged in
for 30 days instead of being kicked out after 1 hour.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Added billing_text column to invoices table (VARCHAR 500)
- Prisma migration: 20260323_add_billing_text
- Form field on invoice create page with placeholder
- PDF uses billing_text, falls back to default translation
- Stored on create and editable on draft invoices
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Changed from offers-editor-section + offers-items-table to
admin-card + admin-card-body + admin-table-responsive, matching
the offer detail page structure.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. Item reordering: replaced placeholder with @dnd-kit drag-and-drop.
Each item row has a drag handle for reordering via vertical drag.
Uses SortableContext with verticalListSortingStrategy.
2. Scope template insertion: fixed template loading to use already-fetched
data instead of re-fetching from non-existent endpoint. Templates with
sections are now stored fully and inserted directly on selection.
Also copies template description to scope_description.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
API now only returns data sections the user has permission to see:
- my_shift: attendance.record
- attendance: attendance.admin
- offers: offers.view
- projects: projects.view
- invoices: invoices.view
- orders: orders.view
- leave_pending: attendance.approve
- recent_activity: settings.audit
Frontend hides KPI cards, activity feed, and attendance sections
for users without the matching permissions.
Regular employees now only see their shift status, quick actions,
profile, and sessions — not company KPIs or admin data.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Added white-space: nowrap to .admin-btn (prevents text wrapping)
- Modal footer buttons get min-width: 100px for consistent sizing
- Spinner in buttons doesn't add extra vertical space
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fixed offers, orders, attendance, scope-templates schemas — quantity,
unit_price, position, hours, minutes now use z.union([z.number(), z.string()])
with transform instead of bare z.number().
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Component used admin-pagination-btn/pages/dots but CSS has
admin-pagination-page/controls/ellipsis. Fixed to match existing CSS.
Added record count display.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Times in the database are stored as local time (CET). JavaScript's
Date constructor treated them as UTC, then toLocaleTimeString added
+1 hour for CET timezone.
Fix: extract hours/minutes directly from the datetime string via regex
instead of going through Date object. No timezone conversion applied.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Added GET /api/admin/received-invoices/suppliers endpoint (distinct names)
- Upload and edit forms use HTML datalist for browser-native autocomplete
- Suggestions loaded once on page mount
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Vehicle list (GET) now requires only authentication, not trips.vehicles
permission. Users with trips.view can see available cars in the trip
modal. Create/update/delete still require trips.vehicles.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- mailer.ts: nodemailer transport via local sendmail
- leave-notification.ts: HTML email matching PHP template
- Sends notification to LEAVE_NOTIFY_EMAIL on new leave request
- Non-blocking: errors logged but don't fail the request
- Added LEAVE_NOTIFY_EMAIL and APP_URL env vars
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
PHP uses base64(nonce+ciphertext+tag), TS was using hex:hex:hex.
decrypt() now auto-detects the format. encrypt() now outputs
PHP-compatible base64 format for cross-compatibility.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Connects the existing UI button to GET/POST /api/admin/totp/required
endpoints. Fetches current state on load, toggles on click.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Two separate useState calls (sort + order) caused React to skip
re-renders when clicking the same column — setSort returned the same
value so React bailed out, and the nested setOrder was lost.
Single state object guarantees a new reference on every click,
so React always re-renders and useListData always refetches.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Root cause: useListData set loading=true on every refetch, and all 4
admin list pages (offers, orders, invoices, projects) applied
pointerEvents:'none' while loading — blocking all clicks including
sort column headers.
Fix: removed setLoading(true) from refetch (matching PHP behavior)
and removed pointerEvents from all list page cards. Opacity fade
kept as visual feedback.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When no trips exist for a vehicle, the last-km endpoint now returns
the vehicle's initial_km instead of 0, matching the PHP behavior:
COALESCE(MAX(end_km), vehicle.initial_km, 0)
Also fixed ordering from id DESC to end_km DESC for correctness.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Generates QR code in SVG format using the SPAYD payment standard,
matching the PHP implementation. Contains: IBAN, amount, currency,
variable symbol, constant symbol, and invoice reference.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace the file management placeholder with the actual ProjectFileManager
component, providing projectId, projectNumber, hasPermission, and hasNasFolder
props from the existing page state.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
TypeScript port of PHP NasFileManager with symlink rejection,
path traversal protection, MIME validation via file-type, and
blocked extension checking.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Dark table headers (#333), proper column widths, uppercase labels
- User header bar with gray background and total hours
- Records from userData.records (not filtered from global records)
- Fund row with covered/total and status badge
- Leave summary with vacation remaining
- Print wrapper table for repeating header
- Matching CSS: borders, fonts, spacing, badges
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
