Compare commits
2 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
907ee574e6 | ||
|
|
b51ea2505e |
4
package-lock.json
generated
4
package-lock.json
generated
@@ -1,12 +1,12 @@
|
||||
{
|
||||
"name": "app-ts",
|
||||
"version": "2.4.32",
|
||||
"version": "2.4.34",
|
||||
"lockfileVersion": 3,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "app-ts",
|
||||
"version": "2.4.32",
|
||||
"version": "2.4.34",
|
||||
"license": "ISC",
|
||||
"dependencies": {
|
||||
"@anthropic-ai/sdk": "^0.102.0",
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "app-ts",
|
||||
"version": "2.4.32",
|
||||
"version": "2.4.34",
|
||||
"description": "",
|
||||
"main": "dist/server.js",
|
||||
"scripts": {
|
||||
|
||||
@@ -0,0 +1,14 @@
|
||||
-- AlterTable
|
||||
ALTER TABLE `audit_logs` MODIFY `created_at` DATETIME(0) NULL DEFAULT CURRENT_TIMESTAMP(0);
|
||||
|
||||
|
||||
-- Stock invariants enforced by the database itself: a future cumulative-
|
||||
-- decrement bug (the C2 class — duplicate issue lines driving a batch
|
||||
-- negative and silently vanishing from stock totals) becomes a loud error
|
||||
-- instead of hidden corruption. All databases verified clean of negative
|
||||
-- rows before this migration (2026-06-12).
|
||||
ALTER TABLE `sklad_batches`
|
||||
ADD CONSTRAINT `chk_sklad_batches_quantity_nonneg` CHECK (`quantity` >= 0);
|
||||
|
||||
ALTER TABLE `sklad_item_locations`
|
||||
ADD CONSTRAINT `chk_sklad_item_locations_quantity_nonneg` CHECK (`quantity` >= 0);
|
||||
@@ -65,7 +65,9 @@ model audit_logs {
|
||||
new_values String? @db.LongText
|
||||
user_agent String? @db.Text
|
||||
session_id String? @db.VarChar(128)
|
||||
created_at DateTime? @default(now()) @db.Timestamp(0)
|
||||
// DATETIME, not TIMESTAMP — TIMESTAMP dies in 2038 and converts through
|
||||
// the session timezone (2026-06-12 hardening migration).
|
||||
created_at DateTime? @default(now()) @db.DateTime(0)
|
||||
|
||||
@@index([action], map: "idx_audit_logs_action")
|
||||
@@index([created_at], map: "idx_audit_logs_created")
|
||||
|
||||
@@ -391,12 +391,12 @@ async function main() {
|
||||
console.log(` Admin role now has all ${allPerms.length} permissions`);
|
||||
|
||||
// 4. Ensure admin user exists
|
||||
let adminUser = await prisma.users.findFirst({
|
||||
const adminUser = await prisma.users.findFirst({
|
||||
where: { username: "admin" },
|
||||
});
|
||||
if (!adminUser) {
|
||||
const hash = bcrypt.hashSync("admin", 10);
|
||||
adminUser = await prisma.users.create({
|
||||
await prisma.users.create({
|
||||
data: {
|
||||
username: "admin",
|
||||
email: "admin@boha.local",
|
||||
|
||||
@@ -59,7 +59,7 @@ async function main() {
|
||||
// fails we KEEP file_data and report the row as failed.
|
||||
const expectedSize = rec.file_data.length;
|
||||
const readBack = nasFinancialsManager.readReceivedInvoice(result.filePath);
|
||||
let writtenSize = -1;
|
||||
let writtenSize: number;
|
||||
if (readBack) {
|
||||
writtenSize = readBack.data.length;
|
||||
} else {
|
||||
|
||||
136
src/__tests__/db-constraints.test.ts
Normal file
136
src/__tests__/db-constraints.test.ts
Normal file
@@ -0,0 +1,136 @@
|
||||
import { describe, it, expect, beforeAll, afterAll } from "vitest";
|
||||
import prisma from "../config/database";
|
||||
|
||||
/**
|
||||
* Pins the 2026-06-12 DB hardening migration:
|
||||
* 1. CHECK (quantity >= 0) on sklad_batches + sklad_item_locations — the DB
|
||||
* itself rejects negative stock, so a future C2-class bug (cumulative
|
||||
* decrements driving a batch negative) becomes a loud error instead of
|
||||
* silently hidden corruption.
|
||||
* 2. audit_logs.created_at is DATETIME, not TIMESTAMP — no 2038 cap.
|
||||
*/
|
||||
|
||||
const N = "db_constraints_";
|
||||
|
||||
let itemId: number;
|
||||
let locationId: number;
|
||||
let receiptId: number;
|
||||
let lineAId: number;
|
||||
let lineBId: number;
|
||||
|
||||
async function cleanup() {
|
||||
await prisma.sklad_batches.deleteMany({
|
||||
where: { item: { name: { contains: N } } },
|
||||
});
|
||||
await prisma.sklad_item_locations.deleteMany({
|
||||
where: { item: { name: { contains: N } } },
|
||||
});
|
||||
await prisma.sklad_receipt_lines.deleteMany({
|
||||
where: { item: { name: { contains: N } } },
|
||||
});
|
||||
await prisma.sklad_receipts.deleteMany({ where: { notes: { contains: N } } });
|
||||
await prisma.sklad_items.deleteMany({ where: { name: { contains: N } } });
|
||||
await prisma.sklad_locations.deleteMany({
|
||||
where: { name: { contains: N } },
|
||||
});
|
||||
await prisma.audit_logs.deleteMany({
|
||||
where: { description: { contains: N } },
|
||||
});
|
||||
}
|
||||
|
||||
beforeAll(async () => {
|
||||
await cleanup();
|
||||
const item = await prisma.sklad_items.create({
|
||||
data: { name: `${N}item`, unit: "ks" },
|
||||
});
|
||||
itemId = item.id;
|
||||
const location = await prisma.sklad_locations.create({
|
||||
data: { code: `DBC${Date.now() % 100000}`, name: `${N}loc` },
|
||||
});
|
||||
locationId = location.id;
|
||||
const receipt = await prisma.sklad_receipts.create({
|
||||
data: { notes: `${N}receipt`, status: "CONFIRMED" },
|
||||
});
|
||||
receiptId = receipt.id;
|
||||
const lineA = await prisma.sklad_receipt_lines.create({
|
||||
data: {
|
||||
receipt_id: receiptId,
|
||||
item_id: itemId,
|
||||
quantity: 5,
|
||||
unit_price: 1,
|
||||
},
|
||||
});
|
||||
lineAId = lineA.id;
|
||||
const lineB = await prisma.sklad_receipt_lines.create({
|
||||
data: {
|
||||
receipt_id: receiptId,
|
||||
item_id: itemId,
|
||||
quantity: 5,
|
||||
unit_price: 1,
|
||||
},
|
||||
});
|
||||
lineBId = lineB.id;
|
||||
});
|
||||
|
||||
afterAll(async () => {
|
||||
await cleanup();
|
||||
await prisma.$disconnect();
|
||||
});
|
||||
|
||||
describe("stock CHECK constraints", () => {
|
||||
it("rejects inserting a negative batch quantity", async () => {
|
||||
await expect(
|
||||
prisma.sklad_batches.create({
|
||||
data: {
|
||||
item_id: itemId,
|
||||
receipt_line_id: lineAId,
|
||||
quantity: -1,
|
||||
original_qty: 5,
|
||||
unit_price: 1,
|
||||
is_consumed: false,
|
||||
},
|
||||
}),
|
||||
).rejects.toThrow();
|
||||
});
|
||||
|
||||
it("rejects updating a batch quantity below zero", async () => {
|
||||
const batch = await prisma.sklad_batches.create({
|
||||
data: {
|
||||
item_id: itemId,
|
||||
receipt_line_id: lineBId,
|
||||
quantity: 5,
|
||||
original_qty: 5,
|
||||
unit_price: 1,
|
||||
is_consumed: false,
|
||||
},
|
||||
});
|
||||
await expect(
|
||||
prisma.$executeRaw`UPDATE sklad_batches SET quantity = -2 WHERE id = ${batch.id}`,
|
||||
).rejects.toThrow();
|
||||
const fresh = await prisma.sklad_batches.findUnique({
|
||||
where: { id: batch.id },
|
||||
});
|
||||
expect(Number(fresh?.quantity)).toBe(5);
|
||||
});
|
||||
|
||||
it("rejects a negative item_location quantity", async () => {
|
||||
await expect(
|
||||
prisma.sklad_item_locations.create({
|
||||
data: { item_id: itemId, location_id: locationId, quantity: -1 },
|
||||
}),
|
||||
).rejects.toThrow();
|
||||
});
|
||||
});
|
||||
|
||||
describe("audit_logs.created_at has no 2038 cap", () => {
|
||||
it("accepts a far-future timestamp (DATETIME, not TIMESTAMP)", async () => {
|
||||
const row = await prisma.audit_logs.create({
|
||||
data: {
|
||||
action: "test",
|
||||
description: `${N}future`,
|
||||
created_at: new Date(Date.UTC(2098, 0, 15, 12, 0, 0)),
|
||||
},
|
||||
});
|
||||
expect(row.created_at?.getUTCFullYear()).toBe(2098);
|
||||
});
|
||||
});
|
||||
@@ -1090,26 +1090,6 @@ async function authPost(path: string, token: string, body: unknown) {
|
||||
});
|
||||
}
|
||||
|
||||
async function authPatch(path: string, token: string, body: unknown) {
|
||||
return app.inject({
|
||||
method: "PATCH",
|
||||
url: path,
|
||||
headers: {
|
||||
Authorization: `Bearer ${token}`,
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
payload: body as object,
|
||||
});
|
||||
}
|
||||
|
||||
async function authDelete(path: string, token: string) {
|
||||
return app.inject({
|
||||
method: "DELETE",
|
||||
url: path,
|
||||
headers: { Authorization: `Bearer ${token}` },
|
||||
});
|
||||
}
|
||||
|
||||
beforeAll(async () => {
|
||||
app = await buildApp();
|
||||
|
||||
|
||||
@@ -148,7 +148,7 @@ const TrashIcon = (
|
||||
);
|
||||
|
||||
export default function PlanCellModal(props: Props) {
|
||||
const { open, mode, onClose } = props;
|
||||
const { open, mode } = props;
|
||||
if (!open || mode.kind === "closed") return null;
|
||||
if (mode.kind === "view") return <ViewModal {...props} />;
|
||||
if (mode.kind === "day-in-range")
|
||||
|
||||
@@ -234,7 +234,6 @@ function computeUserTotals(
|
||||
}
|
||||
|
||||
const holidayDates = holidaysInMonth(yr, mo + 1);
|
||||
const holidayCount = holidayDates.length;
|
||||
|
||||
for (const uid of Object.keys(totals)) {
|
||||
const t = totals[uid];
|
||||
@@ -476,14 +475,12 @@ function buildUserSectionHtml(
|
||||
// Sum of vacation/sick/unpaid hours (in hours, not minutes). The
|
||||
// "holiday" leave_type is auto-computed from Czech holidays further down
|
||||
// and no longer selectable in the UI, so it's deliberately omitted here.
|
||||
let vacationHours = 0,
|
||||
sickHours = 0;
|
||||
let vacationHours = 0;
|
||||
for (const r of userRecords) {
|
||||
const lt = r.leave_type || "work";
|
||||
if (lt === "work") continue;
|
||||
const h = Number(r.leave_hours) || 8;
|
||||
if (lt === "vacation") vacationHours += h;
|
||||
else if (lt === "sick") sickHours += h;
|
||||
}
|
||||
|
||||
// Odpracováno: floor(worked / 8) × 8.
|
||||
@@ -492,7 +489,6 @@ function buildUserSectionHtml(
|
||||
|
||||
// Free Svátek: 8h per holiday date the user did not work.
|
||||
const holidayDates = holidaysInMonth(yr, mo);
|
||||
const holidayCount = holidayDates.length;
|
||||
const workedDates = new Set(
|
||||
userRecords
|
||||
.filter((r) => (r.leave_type || "work") === "work")
|
||||
|
||||
@@ -92,7 +92,7 @@ async function performMutation<TIn, TOut>(opts: {
|
||||
return result.data as TOut;
|
||||
}
|
||||
|
||||
export interface ApiMutationOptions<TIn, TOut> {
|
||||
export interface ApiMutationOptions<TIn> {
|
||||
url: string | ((input: TIn) => string);
|
||||
method: HttpMethod | ((input: TIn) => HttpMethod);
|
||||
/** Query-key prefixes to invalidate on success. Broad per CLAUDE.md. */
|
||||
@@ -122,7 +122,7 @@ export interface ApiMutationOptions<TIn, TOut> {
|
||||
* as `ApiError` (with `.status` attached) so callers can branch on HTTP code.
|
||||
*/
|
||||
export function useApiMutation<TIn, TOut>(
|
||||
opts: ApiMutationOptions<TIn, TOut> &
|
||||
opts: ApiMutationOptions<TIn> &
|
||||
Omit<UseMutationOptions<TOut, ApiError, TIn>, "mutationFn">,
|
||||
) {
|
||||
const { url, method, invalidate, envelope, onSuccess, ...rest } = opts;
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
import { queryOptions } from "@tanstack/react-query";
|
||||
import apiFetch from "../../utils/api";
|
||||
import { jsonQuery } from "../apiAdapter";
|
||||
|
||||
export interface PlanUser {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import { useState, useMemo, useRef } from "react";
|
||||
import { useQuery, useQueryClient } from "@tanstack/react-query";
|
||||
import { useQuery } from "@tanstack/react-query";
|
||||
import Box from "@mui/material/Box";
|
||||
import Typography from "@mui/material/Typography";
|
||||
import { useAuth } from "../context/AuthContext";
|
||||
@@ -9,7 +9,6 @@ import { iconBadgeSx } from "../theme";
|
||||
import {
|
||||
attendanceHistoryOptions,
|
||||
type AttendanceRecord,
|
||||
type ProjectLogEntry,
|
||||
} from "../lib/queries/attendance";
|
||||
import {
|
||||
formatDate,
|
||||
@@ -201,7 +200,6 @@ const renderProjectCell = (record: AttendanceRecord) => {
|
||||
|
||||
export default function AttendanceHistory() {
|
||||
const { user, hasPermission } = useAuth();
|
||||
const queryClient = useQueryClient();
|
||||
const { data: companySettings } = useQuery(companySettingsOptions());
|
||||
const companyName = companySettings?.company_name || "";
|
||||
const printRef = useRef<HTMLDivElement>(null);
|
||||
|
||||
@@ -26,10 +26,7 @@ const LocationMap = styled("div")(({ theme }) => ({
|
||||
}));
|
||||
|
||||
import { formatDate, formatTime } from "../utils/attendanceHelpers";
|
||||
import {
|
||||
attendanceLocationOptions,
|
||||
type LocationRecord,
|
||||
} from "../lib/queries/attendance";
|
||||
import { attendanceLocationOptions } from "../lib/queries/attendance";
|
||||
import { Button, Card, LoadingState, PageEnter, PageHeader } from "../ui";
|
||||
|
||||
const BackIcon = (
|
||||
|
||||
@@ -3,10 +3,7 @@ import { useQuery, useQueryClient } from "@tanstack/react-query";
|
||||
import { useAlert } from "../context/AlertContext";
|
||||
import { useAuth } from "../context/AuthContext";
|
||||
import Forbidden from "../components/Forbidden";
|
||||
import {
|
||||
companySettingsOptions,
|
||||
type CompanySettingsData,
|
||||
} from "../lib/queries/settings";
|
||||
import { companySettingsOptions } from "../lib/queries/settings";
|
||||
import { bankAccountsOptions, type BankAccount } from "../lib/queries/common";
|
||||
import Box from "@mui/material/Box";
|
||||
import Typography from "@mui/material/Typography";
|
||||
@@ -23,7 +20,6 @@ import {
|
||||
TextField,
|
||||
Select,
|
||||
CheckboxField,
|
||||
StatusChip,
|
||||
FileUpload,
|
||||
LoadingState,
|
||||
type DataColumn,
|
||||
|
||||
@@ -1,14 +1,7 @@
|
||||
import { useState, useEffect, useMemo, useRef } from "react";
|
||||
import DOMPurify from "dompurify";
|
||||
import { useQuery } from "@tanstack/react-query";
|
||||
import {
|
||||
orderDetailOptions,
|
||||
type OrderData,
|
||||
type OrderItem,
|
||||
type OrderSection,
|
||||
type OrderInvoice,
|
||||
type OrderProject,
|
||||
} from "../lib/queries/orders";
|
||||
import { orderDetailOptions, type OrderItem } from "../lib/queries/orders";
|
||||
import { useApiMutation } from "../lib/queries/mutations";
|
||||
import { useAlert } from "../context/AlertContext";
|
||||
import { useAuth } from "../context/AuthContext";
|
||||
|
||||
@@ -11,7 +11,6 @@ import MenuItem from "@mui/material/MenuItem";
|
||||
|
||||
import {
|
||||
projectDetailOptions,
|
||||
type ProjectData,
|
||||
type ProjectNote,
|
||||
} from "../lib/queries/projects";
|
||||
import { userListOptions, type User as ApiUser } from "../lib/queries/users";
|
||||
|
||||
@@ -199,7 +199,7 @@ export default function Trips() {
|
||||
TripForm,
|
||||
{ message?: string; error?: string }
|
||||
>({
|
||||
url: (formData) =>
|
||||
url: () =>
|
||||
editingTrip ? `${API_BASE}/trips/${editingTrip.id}` : `${API_BASE}/trips`,
|
||||
method: () => (editingTrip ? "PUT" : "POST"),
|
||||
invalidate: ["trips", "vehicles"],
|
||||
|
||||
@@ -23,7 +23,7 @@ interface InventoryItem {
|
||||
}
|
||||
|
||||
function parseDecimal(raw: string): number {
|
||||
const cleaned = raw.replace(/[eE+\-]/g, "");
|
||||
const cleaned = raw.replace(/[eE+-]/g, "");
|
||||
const n = Number(cleaned);
|
||||
return Number.isFinite(n) ? n : 0;
|
||||
}
|
||||
|
||||
@@ -65,7 +65,7 @@ interface BatchesResponse {
|
||||
}
|
||||
|
||||
function parseDecimal(raw: string): number {
|
||||
const cleaned = raw.replace(/[eE+\-]/g, "");
|
||||
const cleaned = raw.replace(/[eE+-]/g, "");
|
||||
const n = Number(cleaned);
|
||||
return Number.isFinite(n) ? n : 0;
|
||||
}
|
||||
|
||||
@@ -50,7 +50,7 @@ interface MovementItem {
|
||||
}
|
||||
|
||||
function parseDecimal(raw: string): number {
|
||||
const cleaned = raw.replace(/[eE+\-]/g, "");
|
||||
const cleaned = raw.replace(/[eE+-]/g, "");
|
||||
const n = Number(cleaned);
|
||||
return Number.isFinite(n) ? n : 0;
|
||||
}
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
import { FastifyRequest, FastifyReply } from "fastify";
|
||||
import { verifyAccessToken } from "../services/auth";
|
||||
import { error } from "../utils/response";
|
||||
import { AuthData } from "../types";
|
||||
|
||||
export async function requireAuth(
|
||||
request: FastifyRequest,
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import { FastifyInstance } from "fastify";
|
||||
import prisma from "../../config/database";
|
||||
import { requireAuth, requirePermission } from "../../middleware/auth";
|
||||
import { requirePermission } from "../../middleware/auth";
|
||||
import { logAudit } from "../../services/audit";
|
||||
import { success, error, parseId, paginated } from "../../utils/response";
|
||||
import { parsePagination, buildPaginationMeta } from "../../utils/pagination";
|
||||
|
||||
@@ -13,7 +13,6 @@ import {
|
||||
markOverdueInvoices,
|
||||
listInvoices,
|
||||
getInvoiceListTotals,
|
||||
getNextInvoiceNumberFormatted,
|
||||
getNextInvoiceNumberPreview,
|
||||
getInvoiceStats,
|
||||
getOrderDataForInvoice,
|
||||
|
||||
@@ -199,7 +199,7 @@ export default async function projectFilesRoutes(
|
||||
|
||||
const subPath = parsedQuery.data.path || "";
|
||||
const rawFileName = file.filename;
|
||||
const fileName = rawFileName.replace(/[\/\\:*?"<>|]/g, "_");
|
||||
const fileName = rawFileName.replace(/[/\\:*?"<>|]/g, "_");
|
||||
|
||||
const buffer = await file.toBuffer();
|
||||
const err = await fm.uploadFile(
|
||||
|
||||
@@ -2,7 +2,7 @@ import { FastifyInstance } from "fastify";
|
||||
import multipart from "@fastify/multipart";
|
||||
import prisma from "../../config/database";
|
||||
import { config } from "../../config/env";
|
||||
import { requireAuth, requirePermission } from "../../middleware/auth";
|
||||
import { requirePermission } from "../../middleware/auth";
|
||||
import { logAudit } from "../../services/audit";
|
||||
import { success, error, parseId, paginated } from "../../utils/response";
|
||||
import { contentDisposition } from "../../utils/content-disposition";
|
||||
@@ -2209,7 +2209,7 @@ export default async function warehouseRoutes(
|
||||
// Build items with auto-filled system_qty and calculated difference
|
||||
const itemsData = await Promise.all(
|
||||
body.items.map(async (item) => {
|
||||
let systemQty = 0;
|
||||
let systemQty: number;
|
||||
|
||||
if (item.location_id != null) {
|
||||
// Get stock at specific location
|
||||
@@ -2318,7 +2318,7 @@ export default async function warehouseRoutes(
|
||||
if (body.items) {
|
||||
itemsData = await Promise.all(
|
||||
body.items.map(async (item) => {
|
||||
let systemQty = 0;
|
||||
let systemQty: number;
|
||||
|
||||
if (item.location_id != null) {
|
||||
const loc = await prisma.sklad_item_locations.findUnique({
|
||||
|
||||
@@ -791,7 +791,7 @@ export async function getProjectReport(year: number) {
|
||||
|
||||
// Use detailed project logs (started_at/ended_at or hours/minutes)
|
||||
for (const log of rec.attendance_project_logs) {
|
||||
let hours = 0;
|
||||
let hours: number;
|
||||
if (log.hours != null || log.minutes != null) {
|
||||
hours = (Number(log.hours) || 0) + (Number(log.minutes) || 0) / 60;
|
||||
} else if (log.started_at && log.ended_at) {
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
import crypto from "crypto";
|
||||
import jwt from "jsonwebtoken";
|
||||
import bcrypt from "bcryptjs";
|
||||
import { FastifyRequest, FastifyReply } from "fastify";
|
||||
import { FastifyRequest } from "fastify";
|
||||
import prisma from "../config/database";
|
||||
import { config } from "../config/env";
|
||||
import { AuthData, JwtPayload } from "../types";
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
import { PaginationQuery, PaginationMeta } from "../types";
|
||||
import { PaginationMeta } from "../types";
|
||||
|
||||
/**
|
||||
* Parse common pagination/sort/search query params.
|
||||
|
||||
Reference in New Issue
Block a user