Validation: shared NaN-guarded Zod coercion helpers in schemas/common.ts replace the raw number|string transform idiom across every schema (the root-cause NaN bug class); emailOrEmpty + lenient isoDateString/timeString. Security: roles privilege-escalation closed; refresh-token family revocation on reuse; TOTP uses config params; read endpoints permission-guarded; received-invoices gross VAT on all paths; orders-pdf custom-items authz. Concurrency: $queryRaw SELECT...FOR UPDATE locks in ascending-id order (warehouse confirm/cancel, attendance lockUserRow); uniqueness checks moved into create transactions (TOCTOU -> 409); deterministic id tiebreak on second-precision timestamp ordering (plan resolveCell/resolveGrid, warehouse FIFO). Frontend: Rules-of-Hooks fixed across ~14 pages + PlanCellModal; UTC-date persisted fields; dashboard invalidation gaps; stale-closure confirm bugs. Tooling/tests: ESLint flat config (react-hooks/rules-of-hooks = error) + Prettier; tsconfig.test.json so tsc -b type-checks the tests; removed 3 dead deps; npm audit fix (8 -> 3). Suite 195 -> 247 (happy-path auth, FIFO oldest-first, flakiness fixes), isolated on app_test via .env.test with a hard-throw setup guard. Gates: tsc 0 | build 0 | vitest 247/247 | eslint 0 errors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
45 lines
1.6 KiB
TypeScript
45 lines
1.6 KiB
TypeScript
import Fastify from "fastify";
|
|
import cookie from "@fastify/cookie";
|
|
import rateLimit from "@fastify/rate-limit";
|
|
import authRoutes from "../routes/admin/auth";
|
|
import totpRoutes from "../routes/admin/totp";
|
|
|
|
export async function buildApp() {
|
|
const app = Fastify({ logger: false });
|
|
await app.register(cookie);
|
|
await app.register(rateLimit, { max: 1000, timeWindow: "1 minute" });
|
|
await app.register(authRoutes, { prefix: "/api/admin" });
|
|
await app.register(totpRoutes, { prefix: "/api/admin/totp" });
|
|
return app;
|
|
}
|
|
|
|
/**
|
|
* Minimal structural shape of the only thing extractCookie needs from a
|
|
* response — its `set-cookie` header. Matches Fastify's `LightMyRequestResponse`
|
|
* (from `app.inject`) and a plain supertest response without coupling to either.
|
|
*/
|
|
interface ResponseWithCookies {
|
|
headers: Record<string, string | string[] | number | undefined>;
|
|
}
|
|
|
|
export function extractCookie(
|
|
response: ResponseWithCookies,
|
|
name: string,
|
|
): string | undefined {
|
|
const cookies = response.headers["set-cookie"];
|
|
if (!cookies) return undefined;
|
|
const arr = Array.isArray(cookies) ? cookies : [cookies];
|
|
for (const c of arr) {
|
|
if (typeof c !== "string") continue;
|
|
if (c.startsWith(`${name}=`)) {
|
|
// The value is everything from the first "=" up to the first ";".
|
|
// Split ONLY on the first "=" so a base64/JWT value containing "=" (e.g.
|
|
// padding) is not truncated — `split("=")[1]` would drop everything after
|
|
// the second "=".
|
|
const pair = c.split(";")[0];
|
|
return pair.slice(pair.indexOf("=") + 1);
|
|
}
|
|
}
|
|
return undefined;
|
|
}
|