Files
app/src/__tests__/warehouse-fk-400.test.ts
BOHA e11765bf0e fix: resolve all 28 findings from the 2026-06-12 full audit (TDD-pinned)
Critical (data integrity):
- warehouse inventory confirm: throw (not return) inside $transaction so a
  failed deficit line rolls back the surplus corrective receipt — retries
  no longer accumulate phantom stock
- warehouse issue confirm: validate batches against the COMBINED quantity
  of all lines (duplicate FIFO-resolved lines drove batches negative)
- attendance delete: restore vacation_used/sick_used for the deleted day
  (in-transaction, clamped at 0)

High:
- auth refresh: terminated sessions (replaced_at only) get a plain 401 —
  the theft branch (family revocation) now fires only on replaced_by_hash
- POST /users strips role_id for non-admin callers (mirrors PUT guard)
- issued-order transition flushes unsaved edits via the full save payload
  when dirty; server contract (items+status in one PUT) pinned
- received-invoices list: usePaginatedQuery + pager (rows 26+ unreachable)
- received-invoice dates: nullableIsoDateString + NaN guard before NAS save
  (Czech-format dates corrupted month/year, orphaned NAS files)
- leave approval skips Czech public holidays and books each calendar year's
  hours against its own balance (mirrors createLeave)

Medium/Low (classes):
- 52 Zod caps aligned to DB column widths across 7 schemas (over-cap input
  500ed at Prisma instead of a Czech 400)
- FK pre-validation: projects update + warehouse receipts/issues return
  Czech 400s instead of P2003 500s
- invoice PDF degrades gracefully when the CNB rate is unavailable
  (recap omitted instead of 500 + lost NAS archival)
- date boundaries: local-day filters (warehouse lists/reports, audit-log),
  @db.Date coercion on invoice dates
- plan updateEntry re-checks the per-cell cap (self-excluding)
- {id} tiebreaks on customers/received-invoices/warehouse-items sorts;
  /items honors the client sort param
- htmlToPdf relaunches once when the shared browser died mid-render
- offer number release parses the year from the document number (cross-year
  finalize+delete left permanent sequence gaps)
- trips/vehicles km fields integer-coerced; AI budget regated to
  settings.company|settings.system; Settings System tab no longer clobbers
  Firma numbering patterns; draft invoices hide the dead PDF button;
  dashboard quick-trip invalidates ["vehicles"]; TOTP secret cap 64;
  audit-log + invoice month buckets day-shift fixes

Docs: corrected the stale "Chromium has no CSS margin-box footers" claim
(html-to-pdf.ts + CLAUDE.md — margin boxes render since Chrome 131); audit
report M3 withdrawn accordingly.

~65 new pinning tests; every finding reproduced RED against the real test
DB before its fix. Suite: 58 files / 634 tests green.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-12 23:00:19 +02:00

207 lines
6.4 KiB
TypeScript

import { describe, it, expect, beforeAll, afterAll } from "vitest";
import Fastify from "fastify";
import cookie from "@fastify/cookie";
import rateLimit from "@fastify/rate-limit";
import jwt from "jsonwebtoken";
import prisma from "../config/database";
import { config } from "../config/env";
import { securityHeaders } from "../middleware/security";
import warehouseRoutes from "../routes/admin/warehouse";
/**
* Pinning tests for audit finding M8: warehouse receipts/issues create+update
* must pre-validate FK existence (supplier, item, location, project, explicit
* batch) and return Czech 400s — a dangling id otherwise raises P2003 at
* Prisma and surfaces as a generic 500. The document modules and trips.ts
* pre-validate this way; warehouse omitted the guard.
*/
const N = "wh_fk400_";
const MISSING_ID = 99999999;
let app: ReturnType<typeof Fastify>;
let adminToken: string;
let projectId: number;
let itemId: number;
let draftReceiptId: number;
async function cleanup() {
await prisma.sklad_issue_lines.deleteMany({
where: { issue: { notes: { contains: N } } },
});
await prisma.sklad_issues.deleteMany({ where: { notes: { contains: N } } });
await prisma.sklad_batches.deleteMany({
where: { item: { name: { contains: N } } },
});
await prisma.sklad_receipt_lines.deleteMany({
where: { item: { name: { contains: N } } },
});
await prisma.sklad_receipts.deleteMany({ where: { notes: { contains: N } } });
await prisma.sklad_items.deleteMany({ where: { name: { contains: N } } });
await prisma.projects.deleteMany({ where: { name: { startsWith: N } } });
}
beforeAll(async () => {
await cleanup();
app = Fastify({ logger: false });
await app.register(cookie);
await app.register(rateLimit, { max: 1000, timeWindow: "1 minute" });
app.addHook("onRequest", securityHeaders);
await app.register(warehouseRoutes, { prefix: "/api/admin/warehouse" });
const admin = await prisma.users.findFirst({
where: { roles: { name: "admin" } },
});
if (!admin) throw new Error("Test setup: admin user not found");
adminToken = jwt.sign(
{ sub: admin.id, username: admin.username, role: "admin" },
config.jwt.secret,
{ expiresIn: "15m" },
);
const project = await prisma.projects.create({
data: { name: `${N}project`, status: "active" },
});
projectId = project.id;
const item = await prisma.sklad_items.create({
data: { name: `${N}item`, unit: "ks" },
});
itemId = item.id;
// In-stock batch so issue tests get past availability checks.
const receipt = await prisma.sklad_receipts.create({
data: { notes: `${N}stock`, status: "CONFIRMED" },
});
const line = await prisma.sklad_receipt_lines.create({
data: {
receipt_id: receipt.id,
item_id: itemId,
quantity: 10,
unit_price: 5,
},
});
await prisma.sklad_batches.create({
data: {
item_id: itemId,
receipt_line_id: line.id,
quantity: 10,
original_qty: 10,
unit_price: 5,
received_at: new Date(2026, 0, 1, 12, 0, 0),
is_consumed: false,
},
});
// DRAFT receipt for the PUT test.
const draft = await prisma.sklad_receipts.create({
data: {
notes: `${N}draft`,
status: "DRAFT",
items: { create: [{ item_id: itemId, quantity: 1, unit_price: 5 }] },
},
});
draftReceiptId = draft.id;
});
afterAll(async () => {
if (app) await app.close();
await cleanup();
await prisma.$disconnect();
});
function post(url: string, payload: unknown) {
return app.inject({
method: "POST",
url,
headers: {
Authorization: `Bearer ${adminToken}`,
"Content-Type": "application/json",
},
payload: payload as Record<string, unknown>,
});
}
describe("warehouse FK pre-validation (audit M8)", () => {
it("POST /receipts with a nonexistent item_id returns 400, not 500", async () => {
const res = await post("/api/admin/warehouse/receipts", {
notes: `${N}r1`,
items: [{ item_id: MISSING_ID, quantity: 1, unit_price: 10 }],
});
expect(res.statusCode).toBe(400);
expect(res.json().error).toContain("nenalezen");
});
it("POST /receipts with a nonexistent supplier_id returns 400, not 500", async () => {
const res = await post("/api/admin/warehouse/receipts", {
notes: `${N}r2`,
supplier_id: MISSING_ID,
items: [{ item_id: itemId, quantity: 1, unit_price: 10 }],
});
expect(res.statusCode).toBe(400);
expect(res.json().error).toContain("nenalezen");
});
it("POST /receipts with a nonexistent location_id returns 400, not 500", async () => {
const res = await post("/api/admin/warehouse/receipts", {
notes: `${N}r3`,
items: [
{
item_id: itemId,
quantity: 1,
unit_price: 10,
location_id: MISSING_ID,
},
],
});
expect(res.statusCode).toBe(400);
expect(res.json().error).toContain("nenalezen");
});
it("PUT /receipts/:id with a nonexistent item_id returns 400, not 500", async () => {
const res = await app.inject({
method: "PUT",
url: `/api/admin/warehouse/receipts/${draftReceiptId}`,
headers: {
Authorization: `Bearer ${adminToken}`,
"Content-Type": "application/json",
},
payload: {
notes: `${N}draft`,
items: [{ item_id: MISSING_ID, quantity: 1, unit_price: 10 }],
},
});
expect(res.statusCode).toBe(400);
expect(res.json().error).toContain("nenalezen");
});
it("POST /issues with a nonexistent project_id returns 400, not 500", async () => {
const res = await post("/api/admin/warehouse/issues", {
notes: `${N}i1`,
project_id: MISSING_ID,
items: [{ item_id: itemId, quantity: 1 }],
});
expect(res.statusCode).toBe(400);
expect(res.json().error).toContain("nenalezen");
});
it("POST /issues with a nonexistent explicit batch_id returns 400, not 500", async () => {
const res = await post("/api/admin/warehouse/issues", {
notes: `${N}i2`,
project_id: projectId,
items: [{ item_id: itemId, quantity: 1, batch_id: MISSING_ID }],
});
expect(res.statusCode).toBe(400);
expect(res.json().error).toContain("nenalezen");
});
it("valid receipt create still succeeds", async () => {
const res = await post("/api/admin/warehouse/receipts", {
notes: `${N}ok`,
items: [{ item_id: itemId, quantity: 2, unit_price: 10 }],
});
expect(res.statusCode).toBe(201);
});
});