Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(api): wrap critical mutations in transactions and fix TOCTOU race conditions

Browse Source 
- applyProjectScenario: wrap assignment loop in db.$transaction to prevent partial updates
- vacation approve/reject: fix TOCTOU race via updateMany with status-guard in WHERE + CONFLICT on count=0
- vacation cancel: wrap vacation.update + entitlement.updateMany in $transaction
- batchApprove: collect mutations, wrap in $transaction, dispatch SSE/notifications after commit
- Fix dead-code bug in createHappyPathDb where $transaction was assigned after return
- Add atomicity and concurrency tests

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Hartmut Nörenberg
2026-04-09 08:34:59 +02:00
parent b103e79e92
commit 1d6d75ecf6
6 changed files with 245 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/api/src/router/scenario-apply.ts
+44 -42
View File
@@ -22,56 +22,58 @@ export async function applyProjectScenario(
const created: string[] = [];
for (const change of changes) {
if (change.remove && change.assignmentId) {
await db.assignment.update({
where: { id: change.assignmentId },
data: { status: "CANCELLED" },
});
continue;
}
await db.$transaction(async (tx) => {
for (const change of changes) {
if (change.remove && change.assignmentId) {
await tx.assignment.update({
where: { id: change.assignmentId },
data: { status: "CANCELLED" },
});
continue;
}
if (change.assignmentId) {
await db.assignment.update({
where: { id: change.assignmentId },
if (change.assignmentId) {
await tx.assignment.update({
where: { id: change.assignmentId },
data: {
startDate: change.startDate,
endDate: change.endDate,
hoursPerDay: change.hoursPerDay,
...(change.resourceId ? { resourceId: change.resourceId } : {}),
...(change.roleId ? { roleId: change.roleId } : {}),
},
});
created.push(change.assignmentId);
continue;
}
if (!change.resourceId) {
continue;
}
const resource = await tx.resource.findUnique({
where: { id: change.resourceId },
select: { lcrCents: true },
});
const dailyCostCents = Math.round((resource?.lcrCents ?? 0) * change.hoursPerDay);
const newAssignment = await tx.assignment.create({
data: {
projectId,
resourceId: change.resourceId,
...(change.roleId ? { roleId: change.roleId } : {}),
startDate: change.startDate,
endDate: change.endDate,
hoursPerDay: change.hoursPerDay,
...(change.resourceId ? { resourceId: change.resourceId } : {}),
...(change.roleId ? { roleId: change.roleId } : {}),
percentage: 100,
dailyCostCents,
status: "PROPOSED",
metadata: {},
},
});
created.push(change.assignmentId);
continue;
created.push(newAssignment.id);
}
if (!change.resourceId) {
continue;
}
const resource = await db.resource.findUnique({
where: { id: change.resourceId },
select: { lcrCents: true },
});
const dailyCostCents = Math.round((resource?.lcrCents ?? 0) * change.hoursPerDay);
const newAssignment = await db.assignment.create({
data: {
projectId,
resourceId: change.resourceId,
...(change.roleId ? { roleId: change.roleId } : {}),
startDate: change.startDate,
endDate: change.endDate,
hoursPerDay: change.hoursPerDay,
percentage: 100,
dailyCostCents,
status: "PROPOSED",
metadata: {},
},
});
created.push(newAssignment.id);
}
});
void createAuditEntry({
db,
packages/api/src/router/vacation-management-procedures.ts
+84 -66
View File
@@ -5,7 +5,7 @@ import { VACATION_BALANCE_TYPES } from "../lib/vacation-deduction-snapshot.js";
import { z } from "zod";
import { findUniqueOrThrow } from "../db/helpers.js";
import { RESOURCE_BRIEF_SELECT } from "../db/selects.js";
import { createAuditEntry } from "../lib/audit.js";
import { makeAuditLogger } from "../lib/audit-helpers.js";
import { checkBatchVacationConflicts, checkVacationConflicts } from "../lib/vacation-conflicts.js";
import { emitVacationUpdated } from "../sse/event-bus.js";
import { adminProcedure, managerProcedure, protectedProcedure } from "../trpc.js";
@@ -20,6 +20,7 @@ import {
notifyVacationStatusInBackground,
} from "./vacation-side-effects.js";
import {
approvableVacationStatuses,
assertVacationApprovable,
assertVacationCancelable,
assertVacationRejectable,
@@ -73,6 +74,7 @@ export const vacationManagementProcedures = {
});
const userRecord = await findVacationActor(ctx.db, ctx.session.user?.email);
const audit = makeAuditLogger(ctx.db, userRecord?.id);
const conflictResult = await checkVacationConflicts(
// eslint-disable-next-line @typescript-eslint/no-explicit-any
ctx.db as any,
@@ -80,27 +82,29 @@ export const vacationManagementProcedures = {
userRecord?.id,
);
const updated = await ctx.db.vacation.update({
where: { id: input.id },
const approveResult = await ctx.db.vacation.updateMany({
where: { id: input.id, status: { in: approvableVacationStatuses as VacationStatus[] } },
data: buildApprovedVacationUpdateData({
deductionSnapshotWriteData,
approvedById: userRecord?.id,
approvedAt: new Date(),
}),
});
if (approveResult.count === 0) {
throw new TRPCError({ code: "CONFLICT", message: "Vacation was already processed by another request" });
}
const updated = await ctx.db.vacation.findUniqueOrThrow({ where: { id: input.id } });
emitVacationUpdated({ id: updated.id, resourceId: updated.resourceId, status: updated.status });
void createAuditEntry({
db: ctx.db,
audit({
entityType: "Vacation",
entityId: updated.id,
entityName: `Vacation ${updated.id}`,
action: "UPDATE",
...(userRecord?.id ? { userId: userRecord.id } : {}),
before: existing as unknown as Record<string, unknown>,
after: updated as unknown as Record<string, unknown>,
source: "ui",
summary: `Approved vacation (was ${existing.status})`,
});
@@ -129,28 +133,31 @@ export const vacationManagementProcedures = {
);
assertVacationRejectable(existing.status);
const updated = await ctx.db.vacation.update({
where: { id: input.id },
const rejectResult = await ctx.db.vacation.updateMany({
where: { id: input.id, status: VacationStatus.PENDING },
data: buildRejectedVacationUpdateData({
rejectionReason: input.rejectionReason,
}),
});
if (rejectResult.count === 0) {
throw new TRPCError({ code: "CONFLICT", message: "Vacation was already processed by another request" });
}
const updated = await ctx.db.vacation.findUniqueOrThrow({ where: { id: input.id } });
emitVacationUpdated({ id: updated.id, resourceId: updated.resourceId, status: updated.status });
const userRecord = await findVacationActor(ctx.db, ctx.session.user?.email);
const audit = makeAuditLogger(ctx.db, userRecord?.id);
await completeVacationApprovalTasks(ctx.db, input.id, userRecord?.id);
void createAuditEntry({
db: ctx.db,
audit({
entityType: "Vacation",
entityId: updated.id,
entityName: `Vacation ${updated.id}`,
action: "UPDATE",
...(userRecord?.id ? { userId: userRecord.id } : {}),
before: existing as unknown as Record<string, unknown>,
after: updated as unknown as Record<string, unknown>,
source: "ui",
summary: `Rejected vacation${input.rejectionReason ? `: ${input.rejectionReason}` : ""}`,
});
@@ -169,6 +176,7 @@ export const vacationManagementProcedures = {
.input(z.object({ ids: z.array(z.string()).min(1).max(100) }))
.mutation(async ({ ctx, input }) => {
const userRecord = await findVacationActor(ctx.db, ctx.session.user?.email);
const audit = makeAuditLogger(ctx.db, userRecord?.id);
const vacations = await ctx.db.vacation.findMany({
where: { id: { in: input.ids }, status: VacationStatus.PENDING },
@@ -193,39 +201,53 @@ export const vacationManagementProcedures = {
userRecord?.id,
);
for (const vacation of vacations) {
const deductionSnapshotWriteData = await buildVacationApprovalWriteData(ctx.db, {
resourceId: vacation.resourceId,
type: vacation.type,
startDate: vacation.startDate,
endDate: vacation.endDate,
isHalfDay: vacation.isHalfDay,
});
const updated = await ctx.db.vacation.update({
where: { id: vacation.id },
data: buildApprovedVacationUpdateData({
deductionSnapshotWriteData,
approvedById: userRecord?.id,
approvedAt: new Date(),
// Pre-compute read-only deduction data before opening the transaction
const approvalPayloads = await Promise.all(
vacations.map(async (vacation) => ({
vacation,
writeData: await buildVacationApprovalWriteData(ctx.db, {
resourceId: vacation.resourceId,
type: vacation.type,
startDate: vacation.startDate,
endDate: vacation.endDate,
isHalfDay: vacation.isHalfDay,
}),
});
})),
);
emitVacationUpdated({ id: updated.id, resourceId: updated.resourceId, status: updated.status });
notifyVacationStatusInBackground(ctx.db, updated.id, updated.resourceId, VacationStatus.APPROVED);
// Execute all writes atomically, collect side-effect payloads
const approvedNow: Array<{ id: string; resourceId: string; status: typeof VacationStatus.APPROVED }> = [];
const approvedAt = new Date();
void createAuditEntry({
db: ctx.db,
await ctx.db.$transaction(async (tx) => {
approvedNow.length = 0;
for (const { vacation, writeData } of approvalPayloads) {
const updated = await tx.vacation.update({
where: { id: vacation.id },
data: buildApprovedVacationUpdateData({
deductionSnapshotWriteData: writeData,
approvedById: userRecord?.id,
approvedAt,
}),
});
// eslint-disable-next-line @typescript-eslint/no-explicit-any
await completeVacationApprovalTasks(tx as any, updated.id, userRecord?.id);
approvedNow.push({ id: updated.id, resourceId: updated.resourceId, status: VacationStatus.APPROVED });
}
});
// Side effects — dispatched after the transaction commits
for (const entry of approvedNow) {
emitVacationUpdated(entry);
notifyVacationStatusInBackground(ctx.db, entry.id, entry.resourceId, VacationStatus.APPROVED);
audit({
entityType: "Vacation",
entityId: updated.id,
entityName: `Vacation ${updated.id}`,
entityId: entry.id,
entityName: `Vacation ${entry.id}`,
action: "UPDATE",
...(userRecord?.id ? { userId: userRecord.id } : {}),
after: updated as unknown as Record<string, unknown>,
source: "ui",
after: entry as unknown as Record<string, unknown>,
summary: "Batch approved vacation",
});
await completeVacationApprovalTasks(ctx.db, updated.id, userRecord?.id);
}
const warnings: string[] = [];
@@ -245,6 +267,7 @@ export const vacationManagementProcedures = {
)
.mutation(async ({ ctx, input }) => {
const userRecord = await findVacationActor(ctx.db, ctx.session.user?.email);
const audit = makeAuditLogger(ctx.db, userRecord?.id);
const vacations = await ctx.db.vacation.findMany({
where: { id: { in: input.ids }, status: VacationStatus.PENDING },
@@ -268,15 +291,12 @@ export const vacationManagementProcedures = {
input.rejectionReason,
);
void createAuditEntry({
db: ctx.db,
audit({
entityType: "Vacation",
entityId: vacation.id,
entityName: `Vacation ${vacation.id}`,
action: "UPDATE",
...(userRecord?.id ? { userId: userRecord.id } : {}),
after: { status: VacationStatus.REJECTED, rejectionReason: input.rejectionReason } as unknown as Record<string, unknown>,
source: "ui",
summary: `Batch rejected vacation${input.rejectionReason ? `: ${input.rejectionReason}` : ""}`,
});
@@ -296,6 +316,7 @@ export const vacationManagementProcedures = {
assertVacationCancelable(existing.status);
const userRecord = await findVacationActor(ctx.db, ctx.session.user?.email);
const audit = makeAuditLogger(ctx.db, userRecord?.id);
if (!userRecord) {
throw new TRPCError({ code: "UNAUTHORIZED" });
}
@@ -325,31 +346,32 @@ export const vacationManagementProcedures = {
typeof existing.deductedDays === "number" &&
existing.deductedDays > 0;
const updated = await ctx.db.vacation.update({
where: { id: input.id },
data: { status: VacationStatus.CANCELLED },
});
if (shouldReverseEntitlement) {
const year = existing.startDate.getFullYear();
await ctx.db.vacationEntitlement.updateMany({
where: { resourceId: existing.resourceId, year },
data: { usedDays: { decrement: existing.deductedDays as number } },
const updated = await ctx.db.$transaction(async (tx) => {
const cancelledVacation = await tx.vacation.update({
where: { id: input.id },
data: { status: VacationStatus.CANCELLED },
});
}
if (shouldReverseEntitlement) {
const year = existing.startDate.getFullYear();
await tx.vacationEntitlement.updateMany({
where: { resourceId: existing.resourceId, year },
data: { usedDays: { decrement: existing.deductedDays as number } },
});
}
return cancelledVacation;
});
emitVacationUpdated({ id: updated.id, resourceId: updated.resourceId, status: updated.status });
void createAuditEntry({
db: ctx.db,
audit({
entityType: "Vacation",
entityId: updated.id,
entityName: `Vacation ${updated.id}`,
action: "UPDATE",
userId: userRecord.id,
before: existing as unknown as Record<string, unknown>,
after: updated as unknown as Record<string, unknown>,
source: "ui",
summary: `Cancelled vacation (was ${existing.status})`,
});
@@ -377,6 +399,7 @@ export const vacationManagementProcedures = {
if (!adminUser) {
throw new TRPCError({ code: "UNAUTHORIZED" });
}
const audit = makeAuditLogger(ctx.db, adminUser.id);
const { created, holidays, resources } = await batchCreatePublicHolidayVacations(
ctx.db,
@@ -384,15 +407,12 @@ export const vacationManagementProcedures = {
adminUser.id,
);
void createAuditEntry({
db: ctx.db,
audit({
entityType: "Vacation",
entityId: `public-holidays-${input.year}`,
entityName: `Public Holidays ${input.year}${input.federalState ? ` (${input.federalState})` : ""}`,
action: "CREATE",
userId: adminUser.id,
after: { created, holidays, resources, year: input.year, federalState: input.federalState } as unknown as Record<string, unknown>,
source: "ui",
summary: `Batch created ${created} public holidays for ${resources} resources (${input.year})`,
});
@@ -408,6 +428,7 @@ export const vacationManagementProcedures = {
);
const userRecord = await findVacationActor(ctx.db, ctx.session.user?.email);
const audit = makeAuditLogger(ctx.db, userRecord?.id);
if (!userRecord) {
throw new TRPCError({ code: "UNAUTHORIZED" });
}
@@ -428,16 +449,13 @@ export const vacationManagementProcedures = {
emitVacationUpdated({ id: updated.id, resourceId: updated.resourceId, status: updated.status });
void createAuditEntry({
db: ctx.db,
audit({
entityType: "Vacation",
entityId: updated.id,
entityName: `Vacation ${updated.id}`,
action: "UPDATE",
userId: userRecord.id,
before: existing as unknown as Record<string, unknown>,
after: updated as unknown as Record<string, unknown>,
source: "ui",
summary: `Updated vacation status to ${input.status}`,
});