boha_admin/app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 26 Wiki Activity
Files
aa6c1b5094ade5ade345ac4b164437ef81179d58
app/src/routes/admin/invoices.ts
BOHA 528e55991b security: fix all Critical and High findings from FLAWS_REPORT audit 
- Auth: pessimistic locking on login tokens and refresh token rotation,
  backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
  unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
  and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
  refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
  permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
  restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
  HTML, ref mutation fixes, accessibility attributes

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-24 00:58:35 +02:00

239 lines
7.5 KiB
TypeScript
Raw Blame History

import { FastifyInstance } from "fastify";
import prisma from "../../config/database";
import { requirePermission } from "../../middleware/auth";
import { logAudit } from "../../services/audit";
import { success, error, parseId } from "../../utils/response";
import { parsePagination, buildPaginationMeta } from "../../utils/pagination";
import { parseBody } from "../../schemas/common";
import {
CreateInvoiceSchema,
UpdateInvoiceSchema,
} from "../../schemas/invoices.schema";
import {
markOverdueInvoices,
listInvoices,
getNextInvoiceNumberFormatted,
getNextInvoiceNumberPreview,
getInvoiceStats,
getOrderDataForInvoice,
getInvoice,
createInvoice,
updateInvoice,
deleteInvoice,
} from "../../services/invoices.service";
import { nasFinancialsManager } from "../../services/nas-financials-manager";
export default async function invoicesRoutes(
fastify: FastifyInstance,
): Promise<void> {
// Auto-update overdue invoices on GET requests only (matches PHP behavior)
fastify.addHook("onRequest", async (request) => {
if (request.method !== "GET") return;
await markOverdueInvoices();
});
// GET /api/admin/invoices
fastify.get(
"/",
{ preHandler: requirePermission("invoices.view") },
async (request, reply) => {
const query = request.query as Record<string, unknown>;
const { page, limit, skip, order, search } = parsePagination(query);
const result = await listInvoices({
page,
limit,
skip,
sort: String(query.sort || ""),
order,
search,
status: query.status ? String(query.status) : undefined,
customer_id: query.customer_id ? Number(query.customer_id) : undefined,
month: query.month ? Number(query.month) : undefined,
year: query.year ? Number(query.year) : undefined,
});
return reply.send({
success: true,
data: result.data,
pagination: buildPaginationMeta(result.total, page, limit),
});
},
);
// GET /api/admin/invoices/next-number
fastify.get(
"/next-number",
{ preHandler: requirePermission("invoices.create") },
async (_request, reply) => {
const result = await getNextInvoiceNumberPreview();
return success(reply, result);
},
);
// GET /api/admin/invoices/stats
fastify.get(
"/stats",
{ preHandler: requirePermission("invoices.view") },
async (request, reply) => {
const query = request.query as Record<string, unknown>;
const month = query.month ? Number(query.month) : undefined;
const year = query.year ? Number(query.year) : undefined;
const stats = await getInvoiceStats(month, year);
return success(reply, stats);
},
);
// GET /api/admin/invoices/order-data/:id
fastify.get<{ Params: { id: string } }>(
"/order-data/:id",
{ preHandler: requirePermission("invoices.create") },
async (request, reply) => {
const orderId = parseId(request.params.id, reply);
if (orderId === null) return;
const result = await getOrderDataForInvoice(orderId);
if (!result) return error(reply, "Objednávka nenalezena", 404);
return success(reply, result);
},
);
// GET /api/admin/invoices/:id
fastify.get<{ Params: { id: string } }>(
"/:id",
{ preHandler: requirePermission("invoices.view") },
async (request, reply) => {
const id = parseId(request.params.id, reply);
if (id === null) return;
const invoice = await getInvoice(id);
if (!invoice) return error(reply, "Faktura nenalezena", 404);
return success(reply, invoice);
},
);
// POST /api/admin/invoices
fastify.post(
"/",
{ preHandler: requirePermission("invoices.create") },
async (request, reply) => {
const parsed = parseBody(CreateInvoiceSchema, request.body);
if ("error" in parsed) return error(reply, parsed.error, 400);
const body = parsed.data;
const invoice = await createInvoice(body);
await logAudit({
request,
authData: request.authData,
action: "create",
entityType: "invoice",
entityId: invoice.id,
description: `Vytvořena faktura ${invoice.invoice_number}`,
});
// Return both invoice_id and id for frontend compatibility
return success(
reply,
{
id: invoice.id,
invoice_id: invoice.id,
invoice_number: invoice.invoice_number,
},
201,
"Faktura byla vystavena",
);
},
);
// PUT /api/admin/invoices/:id
fastify.put<{ Params: { id: string } }>(
"/:id",
{ preHandler: requirePermission("invoices.edit") },
async (request, reply) => {
const id = parseId(request.params.id, reply);
if (id === null) return;
const parsed = parseBody(UpdateInvoiceSchema, request.body);
if ("error" in parsed) return error(reply, parsed.error, 400);
const body = parsed.data;
const result = await updateInvoice(id, body);
if ("error" in result) {
if (result.error === "not_found")
return error(reply, "Faktura nenalezena", 404);
if (result.error === "invalid_transition")
return error(
reply,
`Neplatný přechod stavu z "${result.currentStatus}" na "${result.newStatus}"`,
400,
);
return error(reply, "Neznámá chyba", 500);
}
await logAudit({
request,
authData: request.authData,
action: "update",
entityType: "invoice",
entityId: id,
description: `Upravena faktura ${result.invoice_number}`,
});
return success(reply, { id }, 200, "Faktura byla aktualizována");
},
);
// DELETE /api/admin/invoices/:id
fastify.delete<{ Params: { id: string } }>(
"/:id",
{ preHandler: requirePermission("invoices.delete") },
async (request, reply) => {
const id = parseId(request.params.id, reply);
if (id === null) return;
const existing = await deleteInvoice(id);
if (!existing) return error(reply, "Faktura nenalezena", 404);
// Delete PDF from NAS
if (existing.invoice_number) {
await nasFinancialsManager.cleanIssuedInvoice(existing.invoice_number);
}
await logAudit({
request,
authData: request.authData,
action: "delete",
entityType: "invoice",
entityId: id,
description: `Smazána faktura ${existing.invoice_number}`,
});
return success(reply, null, 200, "Faktura smazána");
},
);
// GET /api/admin/invoices/:id/file — serve PDF from NAS
fastify.get<{ Params: { id: string } }>(
"/:id/file",
{ preHandler: requirePermission("invoices.view") },
async (request, reply) => {
const id = parseId(request.params.id, reply);
if (id === null) return;
const invoice = await prisma.invoices.findUnique({
where: { id },
select: { invoice_number: true, issue_date: true },
});
if (!invoice?.invoice_number || !invoice.issue_date)
return error(reply, "Faktura nenalezena", 404);
const d = new Date(invoice.issue_date);
const relPath = `Vydané/${d.getFullYear()}/${String(d.getMonth() + 1).padStart(2, "0")}/${invoice.invoice_number}.pdf`;
const file = nasFinancialsManager.readIssuedInvoice(relPath);
if (!file) return error(reply, "PDF soubor nenalezen", 404);
return reply
.type("application/pdf")
.header(
"Content-Disposition",
`inline; filename="${invoice.invoice_number}.pdf"`,
)
.send(file.data);
},
);
}
Reference in New Issue View Git Blame Copy Permalink