Files
app/src/services/users.service.ts
BOHA 528e55991b security: fix all Critical and High findings from FLAWS_REPORT audit
- Auth: pessimistic locking on login tokens and refresh token rotation,
  backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
  unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
  and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
  refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
  permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
  restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
  HTML, ref mutation fixes, accessibility attributes

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-24 00:58:35 +02:00

284 lines
7.5 KiB
TypeScript

import prisma from "../config/database";
import bcrypt from "bcryptjs";
import { config } from "../config/env";
const ALLOWED_SORT_FIELDS = [
"id",
"username",
"email",
"first_name",
"last_name",
"created_at",
];
const USER_SELECT = {
id: true,
username: true,
email: true,
first_name: true,
last_name: true,
role_id: true,
is_active: true,
last_login: true,
totp_enabled: true,
created_at: true,
updated_at: true,
roles: { select: { id: true, name: true, display_name: true } },
} as const;
export interface ListUsersParams {
page: number;
limit: number;
skip: number;
sort: string;
order: "asc" | "desc";
search: string;
}
export interface CreateUserData {
username: string;
email: string;
password: string;
first_name: string;
last_name: string;
role_id?: number | null;
is_active?: boolean;
}
export interface UpdateUserData {
username?: string;
email?: string;
password?: string;
first_name?: string;
last_name?: string;
role_id?: number | null;
is_active?: boolean | number | string;
}
export async function listUsers(params: ListUsersParams) {
const { page, limit, skip, sort, order, search } = params;
const sortField = ALLOWED_SORT_FIELDS.includes(sort) ? sort : "id";
const where = search
? {
OR: [
{ username: { contains: search } },
{ email: { contains: search } },
{ first_name: { contains: search } },
{ last_name: { contains: search } },
],
}
: {};
const [users, total] = await Promise.all([
prisma.users.findMany({
where,
skip,
take: limit,
orderBy: { [sortField]: order },
select: USER_SELECT,
}),
prisma.users.count({ where }),
]);
return { users, total, page, limit };
}
export async function getUser(id: number) {
return prisma.users.findUnique({
where: { id },
select: USER_SELECT,
});
}
export async function createUser(
data: CreateUserData,
callerRoleName?: string,
) {
const username = data.username.trim();
const email = data.email.trim();
const firstName = data.first_name.trim();
const lastName = data.last_name.trim();
if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
return { error: "Neplatný formát e-mailu", status: 400 } as const;
}
const existingUsername = await prisma.users.findFirst({
where: { username },
});
if (existingUsername) {
return { error: "Uživatelské jméno již existuje", status: 409 } as const;
}
const existingEmail = await prisma.users.findFirst({ where: { email } });
if (existingEmail) {
return { error: "E-mail již existuje", status: 409 } as const;
}
if (data.role_id) {
const targetRole = await prisma.roles.findUnique({
where: { id: Number(data.role_id) },
});
if (targetRole?.name === "admin" && callerRoleName !== "admin") {
return { error: "Nelze přiřadit roli admin", status: 403 } as const;
}
}
const passwordHash = await bcrypt.hash(
data.password,
config.security.bcryptCost,
);
const user = await prisma.users.create({
data: {
username,
email,
password_hash: passwordHash,
first_name: firstName,
last_name: lastName,
role_id: data.role_id ? Number(data.role_id) : null,
is_active: data.is_active !== false,
},
});
return { user } as const;
}
export async function updateUser(
id: number,
body: UpdateUserData,
callerRoleName?: string,
) {
const existing = await prisma.users.findUnique({ where: { id } });
if (!existing) {
return { error: "Uživatel nenalezen", status: 404 } as const;
}
if (body.role_id !== undefined) {
if (body.role_id) {
const targetRole = await prisma.roles.findUnique({
where: { id: Number(body.role_id) },
});
if (targetRole?.name === "admin" && callerRoleName !== "admin") {
return { error: "Nelze přiřadit roli admin", status: 403 } as const;
}
}
if (
existing.role_id !== null &&
Number(body.role_id) !== existing.role_id
) {
const currentRole = await prisma.roles.findUnique({
where: { id: existing.role_id },
});
if (currentRole?.name === "admin") {
const adminRole = await prisma.roles.findFirst({
where: { name: "admin" },
});
if (adminRole) {
const activeAdminCount = await prisma.users.count({
where: { role_id: adminRole.id, is_active: true },
});
if (activeAdminCount <= 1) {
return {
error: "Nelze odebrat roli poslednímu aktivnímu administrátorovi",
status: 400,
} as const;
}
}
}
}
}
if (body.is_active !== undefined && !body.is_active) {
if (existing.role_id !== null && existing.is_active) {
const adminRole = await prisma.roles.findFirst({
where: { name: "admin" },
});
if (adminRole && existing.role_id === adminRole.id) {
const activeAdminCount = await prisma.users.count({
where: { role_id: adminRole.id, is_active: true },
});
if (activeAdminCount <= 1) {
return {
error: "Nelze deaktivovat posledního aktivního administrátora",
status: 400,
} as const;
}
}
}
}
const data: Record<string, unknown> = {};
if (body.username !== undefined) {
const newUsername = String(body.username).trim();
if (newUsername !== existing.username) {
const existingUsername = await prisma.users.findFirst({
where: { username: newUsername },
});
if (existingUsername) {
return {
error: "Uživatelské jméno již existuje",
status: 409,
} as const;
}
}
data.username = newUsername;
}
if (body.email !== undefined) {
const newEmail = String(body.email).trim();
if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(newEmail)) {
return { error: "Neplatný formát e-mailu", status: 400 } as const;
}
const existingEmail = await prisma.users.findFirst({
where: { email: newEmail, id: { not: id } },
});
if (existingEmail) {
return { error: "E-mail již existuje", status: 409 } as const;
}
data.email = newEmail;
}
if (body.first_name !== undefined) data.first_name = String(body.first_name);
if (body.last_name !== undefined) data.last_name = String(body.last_name);
if (body.role_id !== undefined)
data.role_id = body.role_id ? Number(body.role_id) : null;
if (body.is_active !== undefined)
data.is_active =
body.is_active === true || body.is_active === 1 || body.is_active === "1";
if (body.password) {
const newPassword = String(body.password);
if (newPassword.length < 8) {
return { error: "Heslo musí mít alespoň 8 znaků", status: 400 } as const;
}
data.password_hash = await bcrypt.hash(
newPassword,
config.security.bcryptCost,
);
data.password_changed_at = new Date();
}
await prisma.users.update({ where: { id }, data });
return { id, username: existing.username } as const;
}
export async function deleteUser(id: number, currentUserId?: number) {
if (id === currentUserId) {
return { error: "Nelze smazat vlastní účet", status: 400 } as const;
}
const existing = await prisma.users.findUnique({ where: { id } });
if (!existing) {
return { error: "Uživatel nenalezen", status: 404 } as const;
}
await prisma.refresh_tokens.deleteMany({ where: { user_id: id } });
await prisma.users.delete({ where: { id } });
return { id, username: existing.username } as const;
}