Fixes every CRITICAL/HIGH finding from the 2026-06-09 full-codebase audit
(REVIEW_FINDINGS.md); each fix went through independent spec + code-quality
review. Plan and per-task log: docs/superpowers/plans/2026-06-10-audit-high-fix-pass.md
- attendance: schemas accept the combined local datetimes the forms/service
use (new dateTimeString helpers in schemas/common.ts), breaks persist on
create, AttendanceCreate submit rebuilt — every submit 400'd since 519edce
- 2fa: backup codes wired to /totp/backup-verify (+ remember-me parity),
enrollment QR generated locally via qrcode (CSP-blocked external service
also leaked the secret), dashboard shows per-user enrollment, not policy
- invoices/orders: per-line VAT survives re-saves (numberOr 0-respecting
coercion in formatters.ts), billing_text persists on update, issued-order
status transitions update UI gates
- trips: real pagination on all 3 pages, GET /trips/stats server aggregate
(shared buildTripsWhere + legacy distance coalesce), vehicle_id applies on
PUT with both-vehicle odometer recompute, print rebuilt (sync window.open,
escaped template, server totals)
- orders api: attachment_data PDF blob excluded from all non-binary reads
- warehouse: unit field is a Select over UnitEnum, receipt attachments
downloadable via new authenticated GET route
- downloads: shared RFC 5987 contentDisposition helper — Czech filenames no
longer 500 (warehouse, received-invoices, orders endpoints)
- misc: block-env hook actually blocks (exit 2 + stderr), project create
works with empty dates, NaN filter guards on trips endpoints
- deps: remove unused concurrently (clears both critical advisories), pin
@hono/node-server >=1.19.13 via overrides (clears the 3 moderates without
the Prisma 6 downgrade), drop deprecated @types stubs
Gates: tsc -b clean - vitest 30 files / 342 tests (31 new) - eslint 0 errors
- build OK
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
362 lines
12 KiB
TypeScript
362 lines
12 KiB
TypeScript
import { FastifyInstance } from "fastify";
|
|
import { requirePermission } from "../../middleware/auth";
|
|
import { logAudit } from "../../services/audit";
|
|
import { success, error, parseId, paginated } from "../../utils/response";
|
|
import { parsePagination, buildPaginationMeta } from "../../utils/pagination";
|
|
import { contentDisposition } from "../../utils/content-disposition";
|
|
import { parseBody } from "../../schemas/common";
|
|
import { config } from "../../config/env";
|
|
import {
|
|
CreateOrderFromQuotationSchema,
|
|
CreateOrderSchema,
|
|
UpdateOrderSchema,
|
|
} from "../../schemas/orders.schema";
|
|
import {
|
|
listOrders,
|
|
getOrderTotals,
|
|
getOrder,
|
|
getOrderAttachment,
|
|
createOrderFromQuotation,
|
|
createOrder,
|
|
updateOrder,
|
|
deleteOrder,
|
|
getNextOrderNumber,
|
|
} from "../../services/orders.service";
|
|
|
|
import multipart from "@fastify/multipart";
|
|
|
|
export default async function ordersRoutes(
|
|
fastify: FastifyInstance,
|
|
): Promise<void> {
|
|
await fastify.register(multipart, {
|
|
limits: { fileSize: config.nas.maxUploadSize },
|
|
});
|
|
|
|
// GET /api/admin/orders/next-number
|
|
fastify.get(
|
|
"/next-number",
|
|
{ preHandler: requirePermission("orders.create") },
|
|
async (_request, reply) => {
|
|
const number = await getNextOrderNumber();
|
|
return success(reply, { number, next_number: number });
|
|
},
|
|
);
|
|
|
|
fastify.get(
|
|
"/",
|
|
{ preHandler: requirePermission("orders.view") },
|
|
async (request, reply) => {
|
|
const query = request.query as Record<string, unknown>;
|
|
const { page, limit, skip, sort, order, search } = parsePagination(query);
|
|
|
|
const result = await listOrders({
|
|
page,
|
|
limit,
|
|
skip,
|
|
sort,
|
|
order,
|
|
search,
|
|
status: query.status ? String(query.status) : undefined,
|
|
customer_id: query.customer_id ? Number(query.customer_id) : undefined,
|
|
month: query.month ? Number(query.month) : undefined,
|
|
year: query.year ? Number(query.year) : undefined,
|
|
});
|
|
|
|
return paginated(
|
|
reply,
|
|
result.data,
|
|
buildPaginationMeta(result.total, result.page, result.limit),
|
|
);
|
|
},
|
|
);
|
|
|
|
// GET /api/admin/orders/stats — per-currency total (incl. VAT) summed over the
|
|
// WHOLE filtered set (not one page). Must be registered BEFORE "/:id" so the
|
|
// literal "stats" path isn't captured as an order id.
|
|
fastify.get(
|
|
"/stats",
|
|
{ preHandler: requirePermission("orders.view") },
|
|
async (request, reply) => {
|
|
const query = request.query as Record<string, unknown>;
|
|
const result = await getOrderTotals({
|
|
search: query.search ? String(query.search) : undefined,
|
|
status: query.status ? String(query.status) : undefined,
|
|
customer_id: query.customer_id ? Number(query.customer_id) : undefined,
|
|
month: query.month ? Number(query.month) : undefined,
|
|
year: query.year ? Number(query.year) : undefined,
|
|
});
|
|
return success(reply, { totals: result.totals });
|
|
},
|
|
);
|
|
|
|
fastify.get<{ Params: { id: string } }>(
|
|
"/:id",
|
|
{ preHandler: requirePermission("orders.view") },
|
|
async (request, reply) => {
|
|
const id = parseId(request.params.id, reply);
|
|
if (id === null) return;
|
|
const order = await getOrder(id);
|
|
if (!order) return error(reply, "Objednávka nenalezena", 404);
|
|
return success(reply, order);
|
|
},
|
|
);
|
|
|
|
// GET /api/admin/orders/:id/attachment
|
|
fastify.get<{ Params: { id: string } }>(
|
|
"/:id/attachment",
|
|
{ preHandler: requirePermission("orders.view") },
|
|
async (request, reply) => {
|
|
const id = parseId(request.params.id, reply);
|
|
if (id === null) return;
|
|
const attachment = await getOrderAttachment(id);
|
|
if (!attachment) return error(reply, "Příloha nenalezena", 404);
|
|
|
|
return reply
|
|
.type("application/pdf")
|
|
.header(
|
|
"Content-Disposition",
|
|
contentDisposition("inline", attachment.filename),
|
|
)
|
|
.send(attachment.data);
|
|
},
|
|
);
|
|
|
|
// POST /api/admin/orders — handles both JSON (manual) and multipart (from quotation)
|
|
fastify.post(
|
|
"/",
|
|
{ preHandler: requirePermission("orders.create") },
|
|
async (request, reply) => {
|
|
const isMultipart =
|
|
request.headers["content-type"]?.includes("multipart");
|
|
|
|
if (isMultipart) {
|
|
const fields: Record<string, string> = {};
|
|
let attachmentBuffer: Buffer | null = null;
|
|
let attachmentName: string | null = null;
|
|
|
|
const parts = request.parts();
|
|
for await (const part of parts) {
|
|
if (part.type === "field") {
|
|
fields[part.fieldname] = String(part.value);
|
|
} else if (part.type === "file" && part.fieldname === "attachment") {
|
|
attachmentBuffer = await part.toBuffer();
|
|
attachmentName = part.filename;
|
|
}
|
|
}
|
|
|
|
// From-quotation flow (multipart with attachment)
|
|
if (fields.quotationId) {
|
|
// Validate via the same schema as the JSON path — `intIdFromForm`
|
|
// is NaN-safe and rejects ≤0 / non-integer (raw parseInt would
|
|
// silently yield NaN).
|
|
const fromQuotParsed = parseBody(CreateOrderFromQuotationSchema, {
|
|
quotationId: fields.quotationId,
|
|
customerOrderNumber: fields.customerOrderNumber,
|
|
});
|
|
if ("error" in fromQuotParsed)
|
|
return error(reply, fromQuotParsed.error, 400);
|
|
const quotationId = fromQuotParsed.data.quotationId;
|
|
const customerOrderNumber = fromQuotParsed.data.customerOrderNumber;
|
|
const result = await createOrderFromQuotation({
|
|
quotationId,
|
|
customerOrderNumber,
|
|
attachmentBuffer,
|
|
attachmentName,
|
|
});
|
|
if ("error" in result)
|
|
return error(reply, result.error!, result.status!);
|
|
await logAudit({
|
|
request,
|
|
authData: request.authData,
|
|
action: "create",
|
|
entityType: "order",
|
|
entityId: result.data.order_id,
|
|
description: `Vytvořena objednávka ${result.data.order_number} z nabídky #${result.data.quotationId}`,
|
|
});
|
|
return success(
|
|
reply,
|
|
{
|
|
order_id: result.data.order_id,
|
|
id: result.data.id,
|
|
order_number: result.data.order_number,
|
|
},
|
|
201,
|
|
"Objednávka byla vytvořena",
|
|
);
|
|
}
|
|
|
|
// Manual order (multipart, with optional PO attachment)
|
|
const rawManual: Record<string, unknown> = { ...fields };
|
|
if (typeof fields.items === "string" && fields.items.length > 0) {
|
|
try {
|
|
rawManual.items = JSON.parse(fields.items);
|
|
} catch {
|
|
return error(reply, "Neplatná data položek", 400);
|
|
}
|
|
}
|
|
const manualParsed = parseBody(CreateOrderSchema, rawManual);
|
|
if ("error" in manualParsed)
|
|
return error(reply, manualParsed.error, 400);
|
|
|
|
const result = await createOrder(
|
|
manualParsed.data,
|
|
attachmentBuffer,
|
|
attachmentName,
|
|
);
|
|
if ("error" in result)
|
|
return error(reply, result.error!, result.status!);
|
|
await logAudit({
|
|
request,
|
|
authData: request.authData,
|
|
action: "create",
|
|
entityType: "order",
|
|
entityId: result.id,
|
|
description: `Vytvořena objednávka ${result.order_number}`,
|
|
});
|
|
if (result.project_id) {
|
|
await logAudit({
|
|
request,
|
|
authData: request.authData,
|
|
action: "create",
|
|
entityType: "project",
|
|
entityId: result.project_id,
|
|
description: `Vytvořen projekt k objednávce ${result.order_number}`,
|
|
});
|
|
}
|
|
return success(
|
|
reply,
|
|
{ id: result.id },
|
|
201,
|
|
"Objednávka byla vytvořena",
|
|
);
|
|
}
|
|
|
|
// === JSON body — either from-quotation (no attachment) or manual order ===
|
|
const rawBody = request.body as Record<string, unknown>;
|
|
|
|
// From-quotation flow via JSON (no attachment)
|
|
if (rawBody.quotationId) {
|
|
const fromQuotParsed = parseBody(
|
|
CreateOrderFromQuotationSchema,
|
|
rawBody,
|
|
);
|
|
if ("error" in fromQuotParsed)
|
|
return error(reply, fromQuotParsed.error, 400);
|
|
const quotationId = fromQuotParsed.data.quotationId;
|
|
const customerOrderNumber = fromQuotParsed.data.customerOrderNumber;
|
|
|
|
if (!quotationId || isNaN(quotationId)) {
|
|
return error(reply, "Chybí ID nabídky", 400);
|
|
}
|
|
|
|
const result = await createOrderFromQuotation({
|
|
quotationId,
|
|
customerOrderNumber,
|
|
});
|
|
if ("error" in result)
|
|
return error(reply, result.error!, result.status!);
|
|
|
|
await logAudit({
|
|
request,
|
|
authData: request.authData,
|
|
action: "create",
|
|
entityType: "order",
|
|
entityId: result.data.order_id,
|
|
description: `Vytvořena objednávka ${result.data.order_number} z nabídky #${result.data.quotationId}`,
|
|
});
|
|
return success(
|
|
reply,
|
|
{
|
|
order_id: result.data.order_id,
|
|
id: result.data.id,
|
|
order_number: result.data.order_number,
|
|
},
|
|
201,
|
|
"Objednávka byla vytvořena",
|
|
);
|
|
}
|
|
|
|
// Manual order creation
|
|
const manualParsed = parseBody(CreateOrderSchema, rawBody);
|
|
if ("error" in manualParsed) return error(reply, manualParsed.error, 400);
|
|
const body = manualParsed.data;
|
|
|
|
const result = await createOrder(body);
|
|
if ("error" in result) return error(reply, result.error!, result.status!);
|
|
|
|
await logAudit({
|
|
request,
|
|
authData: request.authData,
|
|
action: "create",
|
|
entityType: "order",
|
|
entityId: result.id,
|
|
description: `Vytvořena objednávka ${result.order_number}`,
|
|
});
|
|
if (result.project_id) {
|
|
await logAudit({
|
|
request,
|
|
authData: request.authData,
|
|
action: "create",
|
|
entityType: "project",
|
|
entityId: result.project_id,
|
|
description: `Vytvořen projekt k objednávce ${result.order_number}`,
|
|
});
|
|
}
|
|
return success(
|
|
reply,
|
|
{ id: result.id },
|
|
201,
|
|
"Objednávka byla vytvořena",
|
|
);
|
|
},
|
|
);
|
|
|
|
fastify.put<{ Params: { id: string } }>(
|
|
"/:id",
|
|
{ preHandler: requirePermission("orders.edit") },
|
|
async (request, reply) => {
|
|
const id = parseId(request.params.id, reply);
|
|
if (id === null) return;
|
|
const parsed = parseBody(UpdateOrderSchema, request.body);
|
|
if ("error" in parsed) return error(reply, parsed.error, 400);
|
|
|
|
const result = await updateOrder(id, parsed.data);
|
|
if ("error" in result) return error(reply, result.error!, result.status!);
|
|
|
|
await logAudit({
|
|
request,
|
|
authData: request.authData,
|
|
action: "update",
|
|
entityType: "order",
|
|
entityId: id,
|
|
description: `Upravena objednávka ${result.data.order_number}`,
|
|
});
|
|
return success(reply, { id }, 200, "Objednávka byla uložena");
|
|
},
|
|
);
|
|
|
|
fastify.delete<{ Params: { id: string } }>(
|
|
"/:id",
|
|
{ preHandler: requirePermission("orders.delete") },
|
|
async (request, reply) => {
|
|
const id = parseId(request.params.id, reply);
|
|
if (id === null) return;
|
|
|
|
const body = request.body as Record<string, unknown> | undefined;
|
|
const deleteFiles = !!body?.delete_files;
|
|
const result = await deleteOrder(id, deleteFiles);
|
|
if ("error" in result) return error(reply, result.error!, result.status!);
|
|
|
|
await logAudit({
|
|
request,
|
|
authData: request.authData,
|
|
action: "delete",
|
|
entityType: "order",
|
|
entityId: id,
|
|
description: `Smazána objednávka ${result.data.order_number}`,
|
|
});
|
|
return success(reply, null, 200, "Objednávka smazána");
|
|
},
|
|
);
|
|
}
|