- Auth: pessimistic locking on login tokens and refresh token rotation, backup code attempt counter, rate limiting verification - Schema: unique constraints on business numbers, FK relations, unsigned/signed alignment, attendance duplicate prevention - Invoices/PDFs: DOMPurify sanitization, bounded queries in stats and alerts, VAT rounding, Puppeteer error handling - Orders/Offers: transactional parent+child creation, Zod NaN refinement, status enums, uniqueness checks - Projects/Files: path traversal protection, streamed uploads, permission guards, query param validation - Attendance/HR: duplicate checks, ownership validation, GPS restrictions, trip distance validation - Frontend: modal lock reference counting, XSS escaping in print HTML, ref mutation fixes, accessibility attributes Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
284 lines
7.5 KiB
TypeScript
284 lines
7.5 KiB
TypeScript
import prisma from "../config/database";
|
|
import bcrypt from "bcryptjs";
|
|
import { config } from "../config/env";
|
|
|
|
const ALLOWED_SORT_FIELDS = [
|
|
"id",
|
|
"username",
|
|
"email",
|
|
"first_name",
|
|
"last_name",
|
|
"created_at",
|
|
];
|
|
|
|
const USER_SELECT = {
|
|
id: true,
|
|
username: true,
|
|
email: true,
|
|
first_name: true,
|
|
last_name: true,
|
|
role_id: true,
|
|
is_active: true,
|
|
last_login: true,
|
|
totp_enabled: true,
|
|
created_at: true,
|
|
updated_at: true,
|
|
roles: { select: { id: true, name: true, display_name: true } },
|
|
} as const;
|
|
|
|
export interface ListUsersParams {
|
|
page: number;
|
|
limit: number;
|
|
skip: number;
|
|
sort: string;
|
|
order: "asc" | "desc";
|
|
search: string;
|
|
}
|
|
|
|
export interface CreateUserData {
|
|
username: string;
|
|
email: string;
|
|
password: string;
|
|
first_name: string;
|
|
last_name: string;
|
|
role_id?: number | null;
|
|
is_active?: boolean;
|
|
}
|
|
|
|
export interface UpdateUserData {
|
|
username?: string;
|
|
email?: string;
|
|
password?: string;
|
|
first_name?: string;
|
|
last_name?: string;
|
|
role_id?: number | null;
|
|
is_active?: boolean | number | string;
|
|
}
|
|
|
|
export async function listUsers(params: ListUsersParams) {
|
|
const { page, limit, skip, sort, order, search } = params;
|
|
const sortField = ALLOWED_SORT_FIELDS.includes(sort) ? sort : "id";
|
|
|
|
const where = search
|
|
? {
|
|
OR: [
|
|
{ username: { contains: search } },
|
|
{ email: { contains: search } },
|
|
{ first_name: { contains: search } },
|
|
{ last_name: { contains: search } },
|
|
],
|
|
}
|
|
: {};
|
|
|
|
const [users, total] = await Promise.all([
|
|
prisma.users.findMany({
|
|
where,
|
|
skip,
|
|
take: limit,
|
|
orderBy: { [sortField]: order },
|
|
select: USER_SELECT,
|
|
}),
|
|
prisma.users.count({ where }),
|
|
]);
|
|
|
|
return { users, total, page, limit };
|
|
}
|
|
|
|
export async function getUser(id: number) {
|
|
return prisma.users.findUnique({
|
|
where: { id },
|
|
select: USER_SELECT,
|
|
});
|
|
}
|
|
|
|
export async function createUser(
|
|
data: CreateUserData,
|
|
callerRoleName?: string,
|
|
) {
|
|
const username = data.username.trim();
|
|
const email = data.email.trim();
|
|
const firstName = data.first_name.trim();
|
|
const lastName = data.last_name.trim();
|
|
|
|
if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
|
|
return { error: "Neplatný formát e-mailu", status: 400 } as const;
|
|
}
|
|
|
|
const existingUsername = await prisma.users.findFirst({
|
|
where: { username },
|
|
});
|
|
if (existingUsername) {
|
|
return { error: "Uživatelské jméno již existuje", status: 409 } as const;
|
|
}
|
|
|
|
const existingEmail = await prisma.users.findFirst({ where: { email } });
|
|
if (existingEmail) {
|
|
return { error: "E-mail již existuje", status: 409 } as const;
|
|
}
|
|
|
|
if (data.role_id) {
|
|
const targetRole = await prisma.roles.findUnique({
|
|
where: { id: Number(data.role_id) },
|
|
});
|
|
if (targetRole?.name === "admin" && callerRoleName !== "admin") {
|
|
return { error: "Nelze přiřadit roli admin", status: 403 } as const;
|
|
}
|
|
}
|
|
|
|
const passwordHash = await bcrypt.hash(
|
|
data.password,
|
|
config.security.bcryptCost,
|
|
);
|
|
|
|
const user = await prisma.users.create({
|
|
data: {
|
|
username,
|
|
email,
|
|
password_hash: passwordHash,
|
|
first_name: firstName,
|
|
last_name: lastName,
|
|
role_id: data.role_id ? Number(data.role_id) : null,
|
|
is_active: data.is_active !== false,
|
|
},
|
|
});
|
|
|
|
return { user } as const;
|
|
}
|
|
|
|
export async function updateUser(
|
|
id: number,
|
|
body: UpdateUserData,
|
|
callerRoleName?: string,
|
|
) {
|
|
const existing = await prisma.users.findUnique({ where: { id } });
|
|
if (!existing) {
|
|
return { error: "Uživatel nenalezen", status: 404 } as const;
|
|
}
|
|
|
|
if (body.role_id !== undefined) {
|
|
if (body.role_id) {
|
|
const targetRole = await prisma.roles.findUnique({
|
|
where: { id: Number(body.role_id) },
|
|
});
|
|
if (targetRole?.name === "admin" && callerRoleName !== "admin") {
|
|
return { error: "Nelze přiřadit roli admin", status: 403 } as const;
|
|
}
|
|
}
|
|
|
|
if (
|
|
existing.role_id !== null &&
|
|
Number(body.role_id) !== existing.role_id
|
|
) {
|
|
const currentRole = await prisma.roles.findUnique({
|
|
where: { id: existing.role_id },
|
|
});
|
|
if (currentRole?.name === "admin") {
|
|
const adminRole = await prisma.roles.findFirst({
|
|
where: { name: "admin" },
|
|
});
|
|
if (adminRole) {
|
|
const activeAdminCount = await prisma.users.count({
|
|
where: { role_id: adminRole.id, is_active: true },
|
|
});
|
|
if (activeAdminCount <= 1) {
|
|
return {
|
|
error: "Nelze odebrat roli poslednímu aktivnímu administrátorovi",
|
|
status: 400,
|
|
} as const;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if (body.is_active !== undefined && !body.is_active) {
|
|
if (existing.role_id !== null && existing.is_active) {
|
|
const adminRole = await prisma.roles.findFirst({
|
|
where: { name: "admin" },
|
|
});
|
|
if (adminRole && existing.role_id === adminRole.id) {
|
|
const activeAdminCount = await prisma.users.count({
|
|
where: { role_id: adminRole.id, is_active: true },
|
|
});
|
|
if (activeAdminCount <= 1) {
|
|
return {
|
|
error: "Nelze deaktivovat posledního aktivního administrátora",
|
|
status: 400,
|
|
} as const;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
const data: Record<string, unknown> = {};
|
|
|
|
if (body.username !== undefined) {
|
|
const newUsername = String(body.username).trim();
|
|
if (newUsername !== existing.username) {
|
|
const existingUsername = await prisma.users.findFirst({
|
|
where: { username: newUsername },
|
|
});
|
|
if (existingUsername) {
|
|
return {
|
|
error: "Uživatelské jméno již existuje",
|
|
status: 409,
|
|
} as const;
|
|
}
|
|
}
|
|
data.username = newUsername;
|
|
}
|
|
|
|
if (body.email !== undefined) {
|
|
const newEmail = String(body.email).trim();
|
|
if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(newEmail)) {
|
|
return { error: "Neplatný formát e-mailu", status: 400 } as const;
|
|
}
|
|
const existingEmail = await prisma.users.findFirst({
|
|
where: { email: newEmail, id: { not: id } },
|
|
});
|
|
if (existingEmail) {
|
|
return { error: "E-mail již existuje", status: 409 } as const;
|
|
}
|
|
data.email = newEmail;
|
|
}
|
|
|
|
if (body.first_name !== undefined) data.first_name = String(body.first_name);
|
|
if (body.last_name !== undefined) data.last_name = String(body.last_name);
|
|
if (body.role_id !== undefined)
|
|
data.role_id = body.role_id ? Number(body.role_id) : null;
|
|
if (body.is_active !== undefined)
|
|
data.is_active =
|
|
body.is_active === true || body.is_active === 1 || body.is_active === "1";
|
|
if (body.password) {
|
|
const newPassword = String(body.password);
|
|
if (newPassword.length < 8) {
|
|
return { error: "Heslo musí mít alespoň 8 znaků", status: 400 } as const;
|
|
}
|
|
data.password_hash = await bcrypt.hash(
|
|
newPassword,
|
|
config.security.bcryptCost,
|
|
);
|
|
data.password_changed_at = new Date();
|
|
}
|
|
|
|
await prisma.users.update({ where: { id }, data });
|
|
|
|
return { id, username: existing.username } as const;
|
|
}
|
|
|
|
export async function deleteUser(id: number, currentUserId?: number) {
|
|
if (id === currentUserId) {
|
|
return { error: "Nelze smazat vlastní účet", status: 400 } as const;
|
|
}
|
|
|
|
const existing = await prisma.users.findUnique({ where: { id } });
|
|
if (!existing) {
|
|
return { error: "Uživatel nenalezen", status: 404 } as const;
|
|
}
|
|
|
|
await prisma.refresh_tokens.deleteMany({ where: { user_id: id } });
|
|
await prisma.users.delete({ where: { id } });
|
|
|
|
return { id, username: existing.username } as const;
|
|
}
|