Files
app/src/__tests__/schema-nan.test.ts
BOHA e11765bf0e fix: resolve all 28 findings from the 2026-06-12 full audit (TDD-pinned)
Critical (data integrity):
- warehouse inventory confirm: throw (not return) inside $transaction so a
  failed deficit line rolls back the surplus corrective receipt — retries
  no longer accumulate phantom stock
- warehouse issue confirm: validate batches against the COMBINED quantity
  of all lines (duplicate FIFO-resolved lines drove batches negative)
- attendance delete: restore vacation_used/sick_used for the deleted day
  (in-transaction, clamped at 0)

High:
- auth refresh: terminated sessions (replaced_at only) get a plain 401 —
  the theft branch (family revocation) now fires only on replaced_by_hash
- POST /users strips role_id for non-admin callers (mirrors PUT guard)
- issued-order transition flushes unsaved edits via the full save payload
  when dirty; server contract (items+status in one PUT) pinned
- received-invoices list: usePaginatedQuery + pager (rows 26+ unreachable)
- received-invoice dates: nullableIsoDateString + NaN guard before NAS save
  (Czech-format dates corrupted month/year, orphaned NAS files)
- leave approval skips Czech public holidays and books each calendar year's
  hours against its own balance (mirrors createLeave)

Medium/Low (classes):
- 52 Zod caps aligned to DB column widths across 7 schemas (over-cap input
  500ed at Prisma instead of a Czech 400)
- FK pre-validation: projects update + warehouse receipts/issues return
  Czech 400s instead of P2003 500s
- invoice PDF degrades gracefully when the CNB rate is unavailable
  (recap omitted instead of 500 + lost NAS archival)
- date boundaries: local-day filters (warehouse lists/reports, audit-log),
  @db.Date coercion on invoice dates
- plan updateEntry re-checks the per-cell cap (self-excluding)
- {id} tiebreaks on customers/received-invoices/warehouse-items sorts;
  /items honors the client sort param
- htmlToPdf relaunches once when the shared browser died mid-render
- offer number release parses the year from the document number (cross-year
  finalize+delete left permanent sequence gaps)
- trips/vehicles km fields integer-coerced; AI budget regated to
  settings.company|settings.system; Settings System tab no longer clobbers
  Firma numbering patterns; draft invoices hide the dead PDF button;
  dashboard quick-trip invalidates ["vehicles"]; TOTP secret cap 64;
  audit-log + invoice month buckets day-shift fixes

Docs: corrected the stale "Chromium has no CSS margin-box footers" claim
(html-to-pdf.ts + CLAUDE.md — margin boxes render since Chrome 131); audit
report M3 withdrawn accordingly.

~65 new pinning tests; every finding reproduced RED against the real test
DB before its fix. Suite: 58 files / 634 tests green.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-12 23:00:19 +02:00

289 lines
9.6 KiB
TypeScript

import { describe, it, expect } from "vitest";
import { CreateOrderSchema } from "../schemas/orders.schema";
import { CreateQuotationSchema } from "../schemas/offers.schema";
import { CreateTripSchema, UpdateTripSchema } from "../schemas/trips.schema";
import { CreateReceivedInvoiceSchema } from "../schemas/received-invoices.schema";
import {
ReceiptItemSchema,
CreateSupplierSchema,
} from "../schemas/warehouse.schema";
import { UpdateCompanySettingsSchema } from "../schemas/settings.schema";
// These schemas now build on the shared form-coercion helpers in
// `src/schemas/common.ts` (numberFromForm / numberInRange / intIdFromForm / …).
// HTTP bodies arrive as strings (multipart) or numbers (JSON), so the helpers
// must BOTH (a) coerce a valid numeric STRING → number and (b) reject a NaN
// string. The original suite only asserted (b); these tests pin (a) as well.
describe("Zod form coercion + NaN rejection", () => {
describe("CreateOrderSchema", () => {
it("rejects NaN string in quantity", () => {
const result = CreateOrderSchema.safeParse({
customer_id: 1,
items: [{ quantity: "not-a-number" }],
});
expect(result.success).toBe(false);
});
it("rejects NaN string in unit_price", () => {
const result = CreateOrderSchema.safeParse({
customer_id: 1,
items: [{ unit_price: "abc" }],
});
expect(result.success).toBe(false);
});
it("accepts valid numbers", () => {
const result = CreateOrderSchema.safeParse({
customer_id: 1,
items: [{ quantity: 2, unit_price: 100 }],
});
expect(result.success).toBe(true);
});
it("coerces a valid numeric STRING quantity/unit_price to a number", () => {
const result = CreateOrderSchema.safeParse({
customer_id: 1,
items: [{ quantity: "2", unit_price: "100.5" }],
});
expect(result.success).toBe(true);
if (result.success) {
const item = result.data.items![0];
expect(item.quantity).toBe(2);
expect(typeof item.quantity).toBe("number");
expect(item.unit_price).toBe(100.5);
expect(typeof item.unit_price).toBe("number");
}
});
});
describe("CreateQuotationSchema", () => {
it("rejects NaN string in item quantity", () => {
const result = CreateQuotationSchema.safeParse({
customer_id: 1,
items: [{ quantity: "bad" }],
});
expect(result.success).toBe(false);
});
it("coerces a valid numeric STRING item quantity/unit_price", () => {
const result = CreateQuotationSchema.safeParse({
customer_id: 1,
items: [{ quantity: "3", unit_price: "250" }],
});
expect(result.success).toBe(true);
if (result.success) {
const item = result.data.items![0];
expect(item.quantity).toBe(3);
expect(item.unit_price).toBe(250);
}
});
});
// The remaining schemas were the ones flagged as accepting NaN before the
// shared helpers landed. Assert both the coercion and the rejection paths.
describe("CreateTripSchema", () => {
it("coerces numeric STRING vehicle_id / start_km / end_km to numbers", () => {
// km fields are Int columns — integer strings coerce, decimals are
// rejected (see trips-vehicles-km-int.test.ts for the rejection pins).
const result = CreateTripSchema.safeParse({
vehicle_id: "5",
trip_date: "2026-01-15",
start_km: "100",
end_km: "150",
route_from: "Praha",
route_to: "Brno",
});
expect(result.success).toBe(true);
if (result.success) {
expect(result.data.vehicle_id).toBe(5);
expect(result.data.start_km).toBe(100);
expect(result.data.end_km).toBe(150);
expect(typeof result.data.start_km).toBe("number");
}
});
it("rejects a NaN string in start_km", () => {
const result = CreateTripSchema.safeParse({
vehicle_id: 5,
trip_date: "2026-01-15",
start_km: "not-a-number",
end_km: 150,
route_from: "Praha",
route_to: "Brno",
});
expect(result.success).toBe(false);
});
it("rejects a NaN / non-positive string in vehicle_id (FK)", () => {
const result = CreateTripSchema.safeParse({
vehicle_id: "abc",
trip_date: "2026-01-15",
start_km: 100,
end_km: 150,
route_from: "Praha",
route_to: "Brno",
});
expect(result.success).toBe(false);
});
});
describe("CreateReceivedInvoiceSchema", () => {
it("coerces numeric STRING month / year / amount to numbers", () => {
const result = CreateReceivedInvoiceSchema.safeParse({
supplier_name: "ACME s.r.o.",
month: "6",
year: "2026",
amount: "1210.50",
});
expect(result.success).toBe(true);
if (result.success) {
expect(result.data.month).toBe(6);
expect(result.data.year).toBe(2026);
expect(result.data.amount).toBe(1210.5);
expect(typeof result.data.amount).toBe("number");
}
});
it("rejects a NaN string in amount", () => {
const result = CreateReceivedInvoiceSchema.safeParse({
supplier_name: "ACME s.r.o.",
month: 6,
year: 2026,
amount: "not-money",
});
expect(result.success).toBe(false);
});
it("rejects an out-of-range month (numberInRange 1-12)", () => {
const result = CreateReceivedInvoiceSchema.safeParse({
supplier_name: "ACME s.r.o.",
month: 13,
year: 2026,
});
expect(result.success).toBe(false);
});
it("rejects a NaN string in month", () => {
const result = CreateReceivedInvoiceSchema.safeParse({
supplier_name: "ACME s.r.o.",
month: "bad",
year: 2026,
});
expect(result.success).toBe(false);
});
});
describe("warehouse ReceiptItemSchema", () => {
it("coerces numeric STRING item_id / quantity / unit_price to numbers", () => {
const result = ReceiptItemSchema.safeParse({
item_id: "7",
quantity: "12.5",
unit_price: "99",
});
expect(result.success).toBe(true);
if (result.success) {
expect(result.data.item_id).toBe(7);
expect(result.data.quantity).toBe(12.5);
expect(result.data.unit_price).toBe(99);
expect(typeof result.data.quantity).toBe("number");
}
});
it("rejects a NaN string in quantity", () => {
const result = ReceiptItemSchema.safeParse({
item_id: 7,
quantity: "lots",
unit_price: 99,
});
expect(result.success).toBe(false);
});
it("rejects a non-positive quantity (positiveNumberFromForm)", () => {
const result = ReceiptItemSchema.safeParse({
item_id: 7,
quantity: 0,
unit_price: 99,
});
expect(result.success).toBe(false);
});
it("rejects a NaN / non-positive string in item_id (FK)", () => {
const result = ReceiptItemSchema.safeParse({
item_id: "abc",
quantity: 5,
unit_price: 99,
});
expect(result.success).toBe(false);
});
});
});
// Regression tests for the 2026-06-09 audit fix pass: the schema hardening
// must NOT reject input the app legitimately sends.
describe("schema hardening — does not reject previously-valid input", () => {
it("settings: optional email fields accept an empty string (un-filled)", () => {
const r = UpdateCompanySettingsSchema.safeParse({
invoice_alert_email: "",
leave_notify_email: "",
smtp_from: "",
});
expect(r.success).toBe(true);
});
it("settings: a valid email is accepted, a malformed one rejected", () => {
expect(
UpdateCompanySettingsSchema.safeParse({ smtp_from: "a@b.cz" }).success,
).toBe(true);
expect(
UpdateCompanySettingsSchema.safeParse({ smtp_from: "not-an-email" })
.success,
).toBe(false);
});
it("warehouse supplier: dropped legacy contact/address keys are silently stripped", () => {
// email/phone/contact_person/notes/address columns were replaced by the
// customers-model custom_fields blob (2026-06); legacy clients still
// sending them must not 400 — z.object strips unknown keys.
const parsed = CreateSupplierSchema.safeParse({
name: "Dodavatel",
email: "x@y.cz",
phone: "123",
contact_person: "Jan",
notes: "n",
address: "Ulice 1",
custom_fields: [{ name: "Kontakt", value: "Jan", showLabel: true }],
});
expect(parsed.success).toBe(true);
if (parsed.success) {
expect("email" in parsed.data).toBe(false);
expect("address" in parsed.data).toBe(false);
expect(parsed.data.custom_fields).toHaveLength(1);
}
});
it("trips: trip_date accepts a date-only AND a datetime round-trip from @db.Date", () => {
const base = {
vehicle_id: 1,
start_km: 100,
end_km: 120,
route_from: "A",
route_to: "B",
};
// Plain date-only (from the date picker).
const a = CreateTripSchema.safeParse({ ...base, trip_date: "2026-06-09" });
expect(a.success).toBe(true);
// The edit form re-submits what the API serialized for a @db.Date column
// via the Date.toJSON override ("YYYY-MM-DDT00:00:00") — must still pass and
// normalize to the date-only value.
const b = UpdateTripSchema.safeParse({ trip_date: "2026-06-09T00:00:00" });
expect(b.success).toBe(true);
if (b.success) expect(b.data.trip_date).toBe("2026-06-09");
// Genuinely malformed dates are still rejected.
expect(
CreateTripSchema.safeParse({ ...base, trip_date: "09/06/2026" }).success,
).toBe(false);
});
});