Commit Graph

1608 Commits

Author SHA1 Message Date
Ahmed Bouhuolia
ed48a2cbdb chore: format webapp files 2026-05-31 23:35:10 +02:00
Ahmed Bouhuolia
ef9c93cbf9 ci: add Prettier format check GitHub Action
Adds a format-check workflow that runs `pnpm run format:check` (Lerna fans
out to all packages with the script) on pushes to main/develop and all PRs.
Also adds the missing `format:check` script to the server package so Lerna
picks it up alongside the existing webapp script.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 23:33:30 +02:00
Ahmed Bouhuolia
9feebb2b1a Merge branch 'develop' into refactor/typescript-preferences-containers 2026-05-31 22:03:20 +02:00
Ahmed Bouhuolia
de28aea086 refactor(typescript): add proper types to Preferences container files
Remove @ts-nocheck directives and add TypeScript interfaces for
Preferences container components (Users, Roles, Accountant, Branches,
Currencies). Replace duplicated withUserPreferences HOC with existing
withDialogActions. Install @types/flat for the flat module.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-31 21:58:11 +02:00
Ahmed Bouhuolia
b6970fefc2 refactor: convert containers default exports to named exports
## Summary
Converted 905 default exports in src/containers to named exports for improved tree-shaking, better IDE refactoring support, and consistency with modern TypeScript practices.

## Changes
- Converted `export default function X` to `export function X` (916 files)
- Converted `export default compose(...)(X)` to `export const X = compose(...)(XInner)` with HOC wrapping
- Updated 373 import sites from default to named imports
- Fixed 136 React.lazy() imports to use .then() pattern for compatibility with named exports
- Updated re-export patterns in index files
- Fixed edge cases (alert arrays, connector HOCs, type definitions)

## Implementation
- Created codemod script: codemod-containers-exports.js (905 files converted)
- Created import updater: codemod-update-default-imports.js (373 imports fixed)
- Created lazy import fixer: codemod-fix-lazy-imports.js (136 lazy imports fixed)
- Manual fixes for 30 edge-case files (arrays, HOC factories, type definitions)

## Testing
- TypeScript type check: 0 codemod-related errors
- All lazy imports updated with .then() pattern
- All import sites updated to use named imports
- Zero remaining default exports in containers directory

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 20:08:39 +02:00
Ahmed Bouhuolia
7a70195ac0 feat(sdk): add table accept header to report fetchers and refactor audit log hooks
- Add `accept: application/json+table` header to all SDK report table
  fetcher functions for proper table response negotiation
- Refactor audit log query hooks to use SDK fetch functions instead of
  manual API calls with qs.stringify
- Modernize useInfiniteQuery to object syntax with initialPageParam
- Replace deprecated keepPreviousData option with placeholderData import
- Uncomment AuditLogHeader, AuditLogLoadingBar, and AuditLogBody components

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-31 18:52:44 +02:00
Ahmed Bouhuolia
7e787cf288 wip 2026-05-30 21:43:13 +02:00
Ahmed Bouhuolia
757480d258 wip 2026-05-30 19:37:03 +02:00
Ahmed Bouhuolia
326daaf4b4 wip 2026-05-30 00:40:35 +02:00
Ahmed Bouhuolia
def0fb62b6 Merge branch 'develop' into feat/query-hooks-refactor-kebab-case 2026-05-29 18:00:40 +02:00
Ahmed Bouhuolia
18c98f9c34 Merge pull request #1102 from bigcapitalhq/fix/server-typescript-type-errors
fix(server): resolve all TypeScript errors without unsafe type casts
2026-05-29 17:56:13 +02:00
Ahmed Bouhuolia
edf12fb87a fix(server): resolve all TypeScript errors without unsafe type casts
Fix 20+ pre-existing TypeScript errors in the server package using
proper type-safe solutions — no `as any`, `as unknown`, or `any` types.

Key changes:
- Replace R.curry with regular curried arrow functions for proper inference
- Add return types to abstract methods (DynamicFilterRoleAbstractor)
- Add field declarations to empty models (ItemWarehouseQuantity)
- Add index signature to IMetadata for dynamic extra columns
- Use explicit field construction instead of pick()+cast patterns
- Convert moment format strings to Date objects where Date type expected
- Make interface properties optional where payloads don't include them
- Use native Array.reduce with proper typing instead of lodash chain

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 17:52:46 +02:00
Ahmed Bouhuolia
3d687d51e1 wip 2026-05-29 13:32:59 +02:00
Ahmed Bouhuolia
d7d1783eee wip 2026-05-27 23:28:17 +02:00
Ahmed Bouhuolia
4a84d5996e wip 2026-05-27 17:37:39 +02:00
Ahmed Bouhuolia
f7d9ac765b Merge branch 'develop' into feat/query-hooks-refactor-kebab-case 2026-05-22 17:12:01 +02:00
Ahmed Bouhuolia
fa98b06a09 refactor(webapp): standardize withX HOC types with shared MapState generic and props interfaces
- Extract shared `MapState<MappedProps, OwnProps>` generic into `containers/hoc.types.ts`,
  replacing 57 per-file local type duplicates
- Add exported `WithXProps` interfaces to all state HOCs that lacked them, replacing
  `MapState<Record<string, unknown>, Props>` with the properly typed generic
- Add exported `WithXActionsProps` interfaces to all action HOCs, annotating
  `mapDispatchToProps` return types and ensuring consistent exports
- Fix TS errors in `withAlertStoreConnect`, `withDrawers`, `withAuthentication`,
  `withCurrentOrganization`, and `withOrganization` (missing args and missing casts)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 15:25:45 +02:00
Ahmed Bouhuolia
bae7222230 Merge pull request #1100 from bigcapitalhq/refactor/store-kebab-case-rename
refactor(webapp): rename store files and folders to kebab-case
2026-05-20 21:58:34 +02:00
Ahmed Bouhuolia
d44ced73ad wip 2026-05-20 21:47:41 +02:00
Ahmed Bouhuolia
5edc3e4723 wip 2026-05-20 21:30:39 +02:00
Ahmed Bouhuolia
f77baaa84f wip 2026-05-20 20:57:29 +02:00
Ahmed Bouhuolia
a1a2f86e86 refactor(webapp/store): update all import paths to match kebab-case renames
Update ~112 files across packages/webapp/src to use the new
kebab-case folder and file names introduced in the previous commit.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 00:48:46 +02:00
Ahmed Bouhuolia
3d529833d5 refactor(webapp/store): rename store files/folders to kebab-case and .ts extension
- Rename 19 PascalCase/camelCase folders to kebab-case
  (e.g. CashflowAccounts → cashflow-accounts, financialStatement → financial-statement)
- Rename all .tsx store files to .ts (no JSX in any store file)
- Rename camelCase/PascalCase file base names to kebab-case
  (e.g. paymentMades.reducer.tsx → payment-mades.reducer.ts)
- Rename 9 root-level store files to kebab-case
  (createStore.tsx → create-store.ts, reducers.tsx → reducers.ts, etc.)
- Update all ~112 import paths across packages/webapp/src to match new paths

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 00:46:06 +02:00
Ahmed Bouhuolia
445bc8a582 Merge pull request #1078 from bigcapitalhq/feat/ee-workspaces-multi-org-pr
feat(ee): add multi-organization workspaces feature
2026-05-19 21:03:31 +02:00
Ahmed Bouhuolia
a8431da447 wip 2026-05-19 20:59:21 +02:00
Ahmed Bouhuolia
dede2b03ce wip 2026-05-19 20:58:04 +02:00
Ahmed Bouhuolia
e9b5974182 wip 2026-05-18 23:52:45 +02:00
Ahmed Bouhuolia
73578ab902 wip 2026-05-18 16:08:33 +02:00
Ahmed Bouhuolia
c69515f618 wip 2026-05-18 13:29:16 +02:00
Ahmed Bouhuolia
b1766a9c6f Merge branch 'develop' into feat/ee-workspaces-multi-org-pr 2026-05-18 13:25:35 +02:00
Ahmed Bouhuolia
7f3fbdc57d Merge pull request #1095 from bigcapitalhq/fix/plaid-webhook-signature-verification
fix(server): verify Plaid webhook signatures (GHSA-g56w-g54f-whq5)
2026-05-17 23:04:30 +02:00
Ahmed Bouhuolia
1a4f2e5b5d wip 2026-05-17 21:12:31 +02:00
Ahmed Bouhuolia
19d8aec2aa Merge remote-tracking branch 'refs/remotes/origin/feat/financial-audit-trail' into feat/financial-audit-trail 2026-05-17 20:46:03 +02:00
Ahmed Bouhuolia
8c8e5138df wip 2026-05-17 20:38:56 +02:00
Ahmed Bouhuolia
d74e02c21a Merge branch 'develop' into feat/financial-audit-trail 2026-05-17 19:55:15 +02:00
Ahmed Bouhuolia
00feae58a7 wip 2026-05-17 19:50:00 +02:00
Ahmed Bouhuolia
c23bc76afa fix(server): prevent SQL injection via sortOrder in DynamicListing (GHSA-hcp2-qqg6-jjpm)
Validate sortOrder against an allowlist at the DTO layer, normalize the
direction centrally in DynamicFilterSortBy.buildQuery, and re-sanitize
inside every orderByRaw modifier so attacker-controlled SQL cannot reach
the ORDER BY clause.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 21:35:22 +02:00
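The three layers the commit describes (allowlist at the DTO, central normalization, re-sanitization inside each raw ORDER BY builder), as an added example in TypeScript that is not Bigcapital's own code. `InvalidSortOrderError`, `buildOrderByRaw`, the column allowlist and the MySQL-style backtick quoting are assumptions made here for illustration; the vulnerable builder is included only to show what string interpolation lets through.

```typescript
// Added example, not project code: layered handling of a client-supplied sort
// direction so that attacker-controlled text can never reach ORDER BY as SQL.

const SORT_DIRECTIONS = ['asc', 'desc'] as const;
export type SortDirection = (typeof SORT_DIRECTIONS)[number];

// Hypothetical error type; the project would map it to a 400 validation error.
export class InvalidSortOrderError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'InvalidSortOrderError';
  }
}

// Layer 1 (DTO): only allowlisted values pass, case-insensitively. An absent or
// empty value means "use the default"; anything else is a validation error.
export function validateSortOrderDto(raw: unknown): SortDirection | undefined {
  if (raw === undefined || raw === null || raw === '') return undefined;
  if (typeof raw !== 'string') throw new InvalidSortOrderError('sortOrder must be a string');
  const v = raw.trim().toLowerCase();
  if (!(SORT_DIRECTIONS as readonly string[]).includes(v)) {
    throw new InvalidSortOrderError(`sortOrder must be one of: ${SORT_DIRECTIONS.join(', ')}`);
  }
  return v as SortDirection;
}

// Layer 2 (central normalizer, in the role of DynamicFilterSortBy.buildQuery):
// collapse whatever arrives into a member of the allowlist, defaulting rather
// than throwing, so every downstream consumer sees only 'asc' or 'desc'.
export function normalizeSortOrder(raw: unknown, fallback: SortDirection = 'asc'): SortDirection {
  if (typeof raw !== 'string') return fallback;
  const v = raw.trim().toLowerCase();
  return v === 'asc' || v === 'desc' ? v : fallback;
}

// Layer 3 (inside each raw ORDER BY modifier): re-sanitize at the point where
// SQL text is assembled. Only a quoted identifier from a column allowlist and a
// direction from the allowlist are spliced in; the caller's string never is.
export function buildOrderByRaw(
  column: string,
  sortOrder: unknown,
  allowedColumns: ReadonlySet<string>,
): string {
  if (!allowedColumns.has(column)) {
    throw new InvalidSortOrderError(`unknown sort column: ${column}`);
  }
  const dir = normalizeSortOrder(sortOrder); // do not trust that upstream already did this
  const ident = '`' + column.replace(/`/g, '``') + '`'; // MySQL-style identifier quoting (assumed dialect)
  return `ORDER BY ${ident} ${dir.toUpperCase()}`;
}

// The vulnerable shape the fix replaces: direct interpolation into raw SQL.
export function buildOrderByRawUnsafe(column: string, sortOrder: string): string {
  return `ORDER BY ${column} ${sortOrder}`;
}

export const ALLOWED_COLUMNS: ReadonlySet<string> = new Set(['id', 'amount', 'created_at']);

// Constructed attacker input: a valid direction followed by an injected expression.
export const INJECTED_SORT_ORDER = 'asc, (SELECT SLEEP(5))';
```

Run `buildOrderByRawUnsafe('amount', INJECTED_SORT_ORDER)` and the injected subquery lands in the clause verbatim; the same input through `buildOrderByRaw` yields `ORDER BY \`amount\` ASC`, and through `validateSortOrderDto` it is rejected before any query is built.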
Ahmed Bouhuolia
ace15dbdeb fix(server): use CSPRNG for attachment S3 keys (GHSA-gj48-p5ff-g67f)
The multer-s3 storage factory used `Date.now().toString()` as the S3 key
for every upload, yielding a 13-digit ms-epoch key. The keyspace for any
time window equals the millisecond count of that window, so an attacker
holding a registered account can enumerate keys for known upload moments
(e.g. ~10 minutes for a 10-second window with a 10-proxy rotation), then
download files via `GET /attachments/:id/presigned-url`. Two uploads in
the same millisecond also collide and silently overwrite each other.

Replace the key callback with `${organizationId}/${randomUUID()}`:

  * `randomUUID()` from `node:crypto` is a v4 UUID with 122 bits of
    entropy, making brute-force enumeration infeasible.
  * The `<organizationId>/` prefix (read from the `nestjs-cls` store
    populated by `ClsModule` middleware in `App.module.ts`) limits the
    blast radius of any hypothetical bucket-listing leak to a single
    tenant.

Add a tenant migration applying `unique` to `documents.key` so any future
key collision surfaces as a DB error instead of a silent S3 overwrite.

Legacy 13-digit numeric keys remain accessible via their stored values;
only new uploads use the new format.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 19:38:39 +02:00
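The legacy key shape beside the CSPRNG-backed one, as an added TypeScript example that is not Bigcapital's own code. It shows the key format the commit describes (`<organizationId>/<v4 UUID>`), a strict validator for it, a same-tenant prefix check, and an in-memory stand-in for the `documents.key` unique constraint so the collision case is visible; `KeyRegistry`, `keyBelongsToTenant` and the identifier rule on `organizationId` are assumptions made here.

```typescript
import { randomUUID } from 'node:crypto';

// Added example, not project code: S3 object key generation before and after.

// Legacy key: the upload time in milliseconds, 13 digits today. Sequential,
// guessable for a known upload window, and two uploads in one ms collide.
export function legacyKey(nowMs: number = Date.now()): string {
  return nowMs.toString();
}

// New key: tenant prefix plus a v4 UUID (122 random bits from the OS CSPRNG).
// The prefix is restricted to a plain identifier so that '/' or '..' cannot be
// smuggled into the object path (assumed rule for this example).
export function secureKey(organizationId: string): string {
  if (!/^[A-Za-z0-9_-]+$/.test(organizationId)) {
    throw new Error('organizationId must be a plain identifier');
  }
  return `${organizationId}/${randomUUID()}`;
}

// Strict format checks: the UUID must carry the v4 version nibble and an
// RFC 4122 variant nibble, so a hand-made "random-looking" key is rejected.
export const SECURE_KEY_RE =
  /^[A-Za-z0-9_-]+\/[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;
export const LEGACY_KEY_RE = /^\d{13}$/;

export function isSecureKey(key: string): boolean {
  return SECURE_KEY_RE.test(key);
}

export function isLegacyKey(key: string): boolean {
  return LEGACY_KEY_RE.test(key);
}

// A new-format key can be served only under its own tenant prefix. Legacy keys
// have no prefix, so their ownership must come from the documents row instead.
export function keyBelongsToTenant(key: string, organizationId: string): boolean {
  return isSecureKey(key) && key.startsWith(`${organizationId}/`);
}

// In-memory stand-in for the UNIQUE constraint on documents.key: a duplicate
// insert is an error, not a silent overwrite.
export class KeyRegistry {
  private readonly keys = new Set<string>();

  insert(key: string): void {
    if (this.keys.has(key)) throw new Error(`duplicate key: ${key}`);
    this.keys.add(key);
  }

  get size(): number {
    return this.keys.size;
  }
}

// Two uploads at the same millisecond versus 10,000 UUID-backed uploads.
export function demonstrateCollision(): { legacyCollides: boolean; secureCollides: boolean } {
  const sameMs = 1_780_000_000_000; // constructed fixed timestamp
  const legacy = new KeyRegistry();
  legacy.insert(legacyKey(sameMs));
  let legacyCollides = false;
  try { legacy.insert(legacyKey(sameMs)); } catch { legacyCollides = true; }

  const secure = new KeyRegistry();
  let secureCollides = false;
  for (let i = 0; i < 10_000; i++) {
    try { secure.insert(secureKey('42')); } catch { secureCollides = true; }
  }
  return { legacyCollides, secureCollides };
}
```

The version and variant nibbles in `SECURE_KEY_RE` matter: a validator that only checks "36 hex-and-dash characters" would accept keys that were never produced by the CSPRNG path.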
Ahmed Bouhuolia
78fb158b98 fix(server): verify Plaid webhook signatures (GHSA-g56w-g54f-whq5)
POST /api/banking/plaid/webhooks was @PublicRoute() and processed the
body without verifying Plaid's Plaid-Verification JWT, letting any
unauthenticated client replay or fabricate webhook events for a tenant
by guessing a plaidItemId.

Add PlaidWebhookVerificationService that verifies the Plaid-Verification
ES256 JWS using a JWK fetched from plaidClient.webhookVerificationKeyGet
(cached per kid via lru-cache for 24h), enforces a 5-minute iat replay
window through jose.jwtVerify({ maxTokenAge }), and timing-safe compares
the body's SHA-256 against the request_body_sha256 claim. The webhook
controller now consumes the raw body and the plaid-verification header,
runs verification before setupPlaidTenant, and returns 400 Bad Request
on any failure - so no tenant context is ever set for an unsigned or
tampered request.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 12:19:30 +02:00
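The verification sequence the commit describes (kid lookup, ES256 JWS check, `iat` replay window, constant-time body-hash comparison, and a rejection path that sets no tenant context), as an added TypeScript example that is not Bigcapital's code. The real service uses `jose` and fetches the JWK from `plaidClient.webhookVerificationKeyGet`; here `node:crypto` stands in so the check runs offline, `keyByKid` models the per-kid cache, and `signPlaidWebhook` is a test-only signer playing Plaid's role. Function names, the constructed webhook body and the fixed clock are assumptions.

```typescript
import {
  createHash, generateKeyPairSync, sign, timingSafeEqual, verify, KeyObject,
} from 'node:crypto';

// Added example, not project code: Plaid-Verification JWS check with node:crypto.

const b64u = (b: Buffer | string): string =>
  (typeof b === 'string' ? Buffer.from(b, 'utf8') : b).toString('base64url');
const fromB64u = (s: string): Buffer => Buffer.from(s, 'base64url');

export type VerifyResult = { ok: true; iat: number } | { ok: false; reason: string };

export function verifyPlaidWebhook(
  rawBody: Buffer,                                  // the raw request body, not a re-serialized object
  plaidVerification: string | undefined,            // value of the Plaid-Verification header
  keyByKid: (kid: string) => KeyObject | undefined, // cached public key lookup
  nowSec: number,
  maxTokenAgeSec = 5 * 60,
): VerifyResult {
  if (!plaidVerification) return { ok: false, reason: 'missing Plaid-Verification header' };
  const parts = plaidVerification.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed JWS' };
  const [h, p, s] = parts;

  let header: { alg?: unknown; kid?: unknown };
  let claims: { iat?: unknown; request_body_sha256?: unknown };
  try {
    header = JSON.parse(fromB64u(h).toString('utf8'));
    claims = JSON.parse(fromB64u(p).toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed JWS' };
  }

  // Pin the algorithm: the token header must never choose the verifier.
  if (header.alg !== 'ES256') return { ok: false, reason: 'unexpected alg' };
  const kid = header.kid;
  if (typeof kid !== 'string') return { ok: false, reason: 'missing kid' };
  const key = keyByKid(kid);
  if (!key) return { ok: false, reason: 'unknown kid' };

  // JWS ES256 signatures are raw r||s (IEEE P1363), not DER.
  const sigOk = verify('sha256', Buffer.from(`${h}.${p}`), { key, dsaEncoding: 'ieee-p1363' }, fromB64u(s));
  if (!sigOk) return { ok: false, reason: 'bad signature' };

  // Replay window: reject tokens older than maxTokenAge, or dated in the future.
  const iat = claims.iat;
  if (typeof iat !== 'number') return { ok: false, reason: 'missing iat' };
  if (nowSec - iat > maxTokenAgeSec || iat > nowSec + 60) {
    return { ok: false, reason: 'token outside replay window' };
  }

  // Bind the signature to the body actually received; compare in constant time.
  const actual = Buffer.from(createHash('sha256').update(rawBody).digest('hex'), 'utf8');
  const claimedHex = typeof claims.request_body_sha256 === 'string' ? claims.request_body_sha256 : '';
  const claimed = Buffer.from(claimedHex, 'utf8');
  if (actual.length !== claimed.length || !timingSafeEqual(actual, claimed)) {
    return { ok: false, reason: 'body hash mismatch' };
  }
  return { ok: true, iat };
}

// Test-only signer standing in for Plaid: emits the same compact JWS shape.
export function signPlaidWebhook(rawBody: Buffer, kid: string, privateKey: KeyObject, iatSec: number): string {
  const h = b64u(JSON.stringify({ alg: 'ES256', typ: 'JWT', kid }));
  const p = b64u(JSON.stringify({
    iat: iatSec,
    request_body_sha256: createHash('sha256').update(rawBody).digest('hex'),
  }));
  const sig = sign('sha256', Buffer.from(`${h}.${p}`), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${h}.${p}.${b64u(sig)}`;
}

// Exercises the cases the fix is about: a valid delivery, an unsigned request,
// a tampered body under a valid signature, a replay after the window, and an
// alg:none downgrade attempt.
export function runScenario(): Record<string, VerifyResult> {
  const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const keys = new Map<string, KeyObject>([['kid-1', publicKey]]);
  const keyByKid = (kid: string): KeyObject | undefined => keys.get(kid);
  const now = 1_780_000_000; // constructed fixed clock, in seconds
  const body = Buffer.from(JSON.stringify({ webhook_type: 'TRANSACTIONS', item_id: 'item-123' })); // constructed
  const tampered = Buffer.from(JSON.stringify({ webhook_type: 'TRANSACTIONS', item_id: 'item-456' }));
  const token = signPlaidWebhook(body, 'kid-1', privateKey, now - 30);
  const noneToken = `${b64u(JSON.stringify({ alg: 'none', kid: 'kid-1' }))}.${token.split('.')[1]}.`;
  return {
    valid: verifyPlaidWebhook(body, token, keyByKid, now),
    unsigned: verifyPlaidWebhook(body, undefined, keyByKid, now),
    tampered: verifyPlaidWebhook(tampered, token, keyByKid, now),
    replayed: verifyPlaidWebhook(body, token, keyByKid, now + 10 * 60),
    algNone: verifyPlaidWebhook(body, noneToken, keyByKid, now),
  };
}
```

Only the `ok: true` branch should ever lead to `setupPlaidTenant`; every `ok: false` reason maps to the same 400 so that the response does not distinguish a bad signature from an unknown kid or a stale token.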
Ahmed Bouhuolia
7efac090a9 fix(server): prevent cross-tenant access via organization-id header
A CLS middleware in App.module.ts copied the request
`organization-id` header straight into `cls.organizationId`, which the
TenancyDB factory used to pick the per-tenant database. The JWT path
never set `organizationId` from the authenticated user, and
TenancyGlobalGuard only checked that the header was present — so any
authenticated user could read or write another tenant's database by
sending their own JWT plus the victim's `organization-id`.

Make the JWT-resolved tenant the source of truth and validate the
header at the edge:

- AuthSigninService.verifyPayload now loads the user's tenant and sets
  `cls.organizationId` from `tenant.organizationId`, mirroring the
  API-key path in AuthApiKeyAuthorizeService.
- TenancyGlobalGuard rejects with `Organization mismatch.` when the
  request header disagrees with the CLS value set by the auth guard.
- App.module.ts no longer seeds `cls.organizationId` from the
  attacker-controlled request header.

GHSA-2g96-86rw-qmvg

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-15 20:43:14 +02:00
Ahmed Bouhuolia
a9d2316fc2 Merge pull request #1093 from bigcapitalhq/fix/attachment-tenant-isolation
fix(server): prevent cross-tenant attachment access (IDOR)
2026-05-15 14:54:19 +02:00
Ahmed Bouhuolia
e18e61000d fix(server): prevent cross-tenant attachment access (IDOR)
Add tenant-scoped document lookup with throwIfNotFound() before S3
operations in GetAttachment, DeleteAttachment, and
GetAttachmentPresignedUrl services. This prevents users from reading,
deleting, or generating presigned URLs for attachments belonging to
other tenants.

Also adds RequirePermission decorators to the three attachment
endpoints and introduces Attachment ability subject with View and
Delete actions.

GHSA-rc4v-wq22-v6cf

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-15 14:47:18 +02:00
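The two tenant-isolation fixes above (the `organization-id` header commit and the attachment IDOR commit) share one idea: the tenant comes from the authenticated principal, and every lookup is scoped to that tenant before any S3 operation runs. This added TypeScript example, which is not Bigcapital's code, shows both against constructed in-memory tables. `resolveTenantFromJwt`, `enforceOrganizationHeader`, `findDocumentOrThrow`, the error classes, the sample rows and the presigned-URL shape are assumptions standing in for AuthSigninService, TenancyGlobalGuard and the attachment services.

```typescript
// Added example, not project code: tenant from the JWT, header must agree,
// document lookup scoped to the tenant before any storage call.

export class UnauthorizedError extends Error {}
export class OrganizationMismatchError extends Error {}
export class NotFoundError extends Error {}

interface User { id: number; tenantId: number }
interface Tenant { id: number; organizationId: string }
interface Document { id: number; tenantId: number; key: string }

// Constructed sample data: two tenants, one user and one document each.
const USERS: User[] = [{ id: 1, tenantId: 10 }, { id: 2, tenantId: 20 }];
const TENANTS: Tenant[] = [
  { id: 10, organizationId: 'org-a' },
  { id: 20, organizationId: 'org-b' },
];
const DOCUMENTS: Document[] = [
  { id: 100, tenantId: 10, key: 'org-a/6c2d1c5e-0b4a-4b43-9d9d-2f1e1a4e7c11' },
  { id: 200, tenantId: 20, key: 'org-b/0a7e3f9b-8c2d-4e6f-8a1b-5d4c3b2a1f00' },
];

// What the auth guard stores in CLS for the rest of the request.
export interface RequestContext { organizationId: string; tenantId: number }

// Auth guard: the tenant is loaded from the user record behind the JWT subject.
// No request header is consulted here.
export function resolveTenantFromJwt(jwtSub: number): RequestContext {
  const user = USERS.find((u) => u.id === jwtSub);
  if (!user) throw new UnauthorizedError('unknown user');
  const tenant = TENANTS.find((t) => t.id === user.tenantId);
  if (!tenant) throw new UnauthorizedError('user has no tenant');
  return { organizationId: tenant.organizationId, tenantId: tenant.id };
}

// The vulnerable shape: the header alone selects the tenant database.
export function resolveTenantFromHeaderUnsafe(headers: Record<string, string | undefined>): RequestContext {
  const organizationId = headers['organization-id'];
  const tenant = TENANTS.find((t) => t.organizationId === organizationId);
  if (!tenant) throw new UnauthorizedError('organization-id header missing or unknown');
  return { organizationId: tenant.organizationId, tenantId: tenant.id };
}

// Tenancy guard: clients may still send the header, but it must agree with the
// CLS value the auth guard set; otherwise the request is rejected.
export function enforceOrganizationHeader(
  ctx: RequestContext,
  headers: Record<string, string | undefined>,
): RequestContext {
  const header = headers['organization-id'];
  if (header !== undefined && header !== ctx.organizationId) {
    throw new OrganizationMismatchError('Organization mismatch.');
  }
  return ctx;
}

// Tenant-scoped lookup with throwIfNotFound semantics: a document id that
// belongs to another tenant is indistinguishable from one that does not exist.
export function findDocumentOrThrow(ctx: RequestContext, documentId: number): Document {
  const doc = DOCUMENTS.find((d) => d.id === documentId && d.tenantId === ctx.tenantId);
  if (!doc) throw new NotFoundError(`document ${documentId} not found`);
  return doc;
}

// The GetAttachmentPresignedUrl flow after the fix: guard, scoped lookup, then
// and only then the storage call (represented by a hypothetical URL string).
export function presignedUrlFor(
  jwtSub: number,
  headers: Record<string, string | undefined>,
  documentId: number,
): string {
  const ctx = enforceOrganizationHeader(resolveTenantFromJwt(jwtSub), headers);
  const doc = findDocumentOrThrow(ctx, documentId);
  return `https://bucket.example/${doc.key}?X-Amz-Signature=stub`; // hypothetical
}
```

Before the fix, user 1 sending `organization-id: org-b` with their own JWT would reach org-b's database via the unsafe resolver; after it, the same request fails with `Organization mismatch.`, and even with a correct header a request for document 200 returns not found because the lookup is filtered by `tenantId`.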
Ahmed Bouhuolia
c53bf60406 wip 2026-05-12 18:25:52 +02:00
Ahmed Bouhuolia
f8afa00f29 Merge pull request #1089 from c-premus/fix/dynamic-filter-pagination 2026-05-12 10:53:54 +02:00
rebekah-create
3cbc4842b9 fix(server): correct "Liabilties" typo to "Liabilities" in balance sheet
The balance sheet rendered "Current Liabilties" in the Liabilities
section because of a typo in the i18n key, the schema reference, the
swagger example responses, and the generated SDK fixtures. Fixed all
five locations so PDF/HTML/JSON renders all read "Current Liabilities".

- packages/server/src/i18n/en/balance_sheet.json: rename key and value
- packages/server/src/modules/FinancialStatements/modules/BalanceSheet/
  BalanceSheetSchema.ts: update i18n key reference
- packages/server/src/modules/FinancialStatements/modules/BalanceSheet/
  BalanceSheet.swagger.ts: fix three example response strings
- shared/sdk-ts/openapi.json + schema.ts: regenerate to match
2026-05-12 00:10:44 -04:00
Chris
46012a1b1c Fix pagination params silently ignored on collection GET endpoints
Hoist `page` and `pageSize` declarations from the per-module DTOs into
the shared DynamicFilterQueryDto base class. Without these declarations,
the global ValidationPipe (whitelist: true) strips the params from the
request before the service layer sees them, so list services fall back
to their default page=1, pageSize=12 regardless of what the client sent.

Affects 10 collection GET endpoints whose query DTOs are empty subclasses
of DynamicFilterQueryDto: expenses, bills, credit-notes, manual-journals,
payments-received, sale-invoices, sale-estimates, sale-receipts,
vendor-credits, item-categories.

The 3 already-working DTOs (Customers, Vendors, Items) keep their local
page/pageSize declarations as redundant overrides — no behavior change.

Closes #1088
2026-04-29 11:51:49 +00:00
Ahmed Bouhuolia
6ef1a6a651 wip 2026-04-17 01:10:27 +02:00
Ahmed Bouhuolia
91f3c28737 wip 2026-04-15 22:09:25 +02:00
Ahmed Bouhuolia
a1430db37e wip 2026-04-15 00:35:17 +02:00
Ahmed Bouhuolia
70ff1fc179 wip 2026-04-14 21:36:40 +02:00