Fixes every CRITICAL/HIGH finding from the 2026-06-09 full-codebase audit
(REVIEW_FINDINGS.md); each fix went through independent spec + code-quality
review. Plan and per-task log: docs/superpowers/plans/2026-06-10-audit-high-fix-pass.md
- attendance: schemas accept the combined local datetimes the forms/service
use (new dateTimeString helpers in schemas/common.ts), breaks persist on
create, AttendanceCreate submit rebuilt — every submit 400'd since 519edce
- 2fa: backup codes wired to /totp/backup-verify (+ remember-me parity),
enrollment QR generated locally via qrcode (CSP-blocked external service
also leaked the secret), dashboard shows per-user enrollment, not policy
- invoices/orders: per-line VAT survives re-saves (numberOr 0-respecting
coercion in formatters.ts), billing_text persists on update, issued-order
status transitions update UI gates
- trips: real pagination on all 3 pages, GET /trips/stats server aggregate
(shared buildTripsWhere + legacy distance coalesce), vehicle_id applies on
PUT with both-vehicle odometer recompute, print rebuilt (sync window.open,
escaped template, server totals)
- orders api: attachment_data PDF blob excluded from all non-binary reads
- warehouse: unit field is a Select over UnitEnum, receipt attachments
downloadable via new authenticated GET route
- downloads: shared RFC 5987 contentDisposition helper — Czech filenames no
longer 500 (warehouse, received-invoices, orders endpoints)
- misc: block-env hook actually blocks (exit 2 + stderr), project create
works with empty dates, NaN filter guards on trips endpoints
- deps: remove unused concurrently (clears both critical advisories), pin
@hono/node-server >=1.19.13 via overrides (clears the 3 moderates without
the Prisma 6 downgrade), drop deprecated @types stubs
Gates: tsc -b clean - vitest 30 files / 342 tests (31 new) - eslint 0 errors
- build OK
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
48 lines
1.5 KiB
TypeScript
48 lines
1.5 KiB
TypeScript
import { z } from "zod";
|
||
|
||
export const LoginSchema = z.object({
|
||
username: z.string().min(1, "Uživatelské jméno je povinné").max(255),
|
||
password: z.string().min(1, "Heslo je povinné").max(200),
|
||
remember_me: z.boolean().optional().default(false),
|
||
});
|
||
|
||
export const TotpVerifySchema = z.object({
|
||
login_token: z.string().min(1, "Token je povinný"),
|
||
totp_code: z
|
||
.string()
|
||
.length(6, "Kód musí mít 6 číslic")
|
||
.regex(/^\d{6}$/, "Kód musí mít 6 číslic"),
|
||
remember_me: z.boolean().optional().default(false),
|
||
});
|
||
|
||
export const TotpBackupSchema = z.object({
|
||
login_token: z.string().min(1, "Token je povinný"),
|
||
backup_code: z
|
||
.string()
|
||
.min(1, "Záložní kód je povinný")
|
||
// Cap length so a request with bodyLimit=10KB can't trigger N×bcrypt on
|
||
// a multi-KB string. Real backup codes are 8-16 chars; 64 is generous.
|
||
.max(64, "Záložní kód je příliš dlouhý"),
|
||
remember_me: z.boolean().optional().default(false),
|
||
});
|
||
|
||
export const TotpEnableSchema = z.object({
|
||
secret: z.string().min(1).max(255),
|
||
code: z.string().min(1).max(64),
|
||
password: z.string().max(200).optional(),
|
||
current_code: z.string().max(64).optional(),
|
||
});
|
||
|
||
export const TotpDisableSchema = z.object({
|
||
code: z.string().min(1).max(64),
|
||
password: z.string().max(200).optional(),
|
||
});
|
||
|
||
export const TotpRequiredSchema = z.object({
|
||
required: z.boolean(),
|
||
});
|
||
|
||
export type LoginInput = z.infer<typeof LoginSchema>;
|
||
export type TotpVerifyInput = z.infer<typeof TotpVerifySchema>;
|
||
export type TotpBackupInput = z.infer<typeof TotpBackupSchema>;
|