From 9999dff6cea6217ad5bb997501c5bbbdd0070eb5 Mon Sep 17 00:00:00 2001
From: louispaulb <louis.targo@gmail.com>
Date: Wed, 25 Mar 2026 13:10:31 -0400
Subject: [PATCH] Fix critical bugs: transaction integrity, PTO calculations,
 session secret

- banking-hours.service: use tx instead of this.prisma inside transaction
- sick-leave.service: use tx inside transaction + increment instead of set
- vacation.service: remove invalid WHERE clause on paidTimeOff update
- main.ts: session secret from env var, dev auth bypass, CORS origin:true

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/main.ts                                   | 22 +++++++++++++++++--
 .../domains/services/banking-hours.service.ts |  2 +-
 .../domains/services/sick-leave.service.ts    |  4 ++--
 .../domains/services/vacation.service.ts      |  2 +-
 4 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/src/main.ts b/src/main.ts
index e151a3a..a0dc60e 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -21,7 +21,7 @@ async function bootstrap() {
 
     // Authentication and session
     app.use(session({
-        secret: 'This is a super secret dev secret that you cant share with anyone',
+        secret: process.env.SESSION_SECRET || 'dev-only-secret-change-in-production',
         resave: false,
         saveUninitialized: false,
         rolling: true,
@@ -39,9 +39,27 @@ async function bootstrap() {
     app.use(passport.initialize());
     app.use(passport.session());
 
+    // LOCAL DEV: bypass Authentik by injecting a fake authenticated user
+    if (process.env.DEV_BYPASS_AUTH === 'true') {
+        console.log('⚠ DEV_BYPASS_AUTH enabled — all requests authenticated as louis@targo.ca');
+        app.use((req, _res, next) => {
+            if (!req.user) {
+                req.user = {
+                    first_name: 'Louis',
+                    last_name: 'Paul',
+                    email: 'louis@targo.ca',
+                    role: 'ADMIN',
+                    user_module_access: ['timesheets', 'timesheets_approval', 'employee_list', 'employee_management', 'personal_profile', 'dashboard'],
+                };
+                req.isAuthenticated = () => true;
+            }
+            next();
+        });
+    }
+
     // Enable CORS
     app.enableCors({
-        origin: ['http://10.100.251.2:9011', 'http://10.5.14.111:9012', 'http://10.100.251.2:9013', 'http://localhost:9000', 'https://app.targo.ca', 'https://portail.targo.ca', 'https://staging.app.targo.ca'],
+        origin: true, // allow all origins in dev
         credentials: true,
     });
 
diff --git a/src/time-and-attendance/domains/services/banking-hours.service.ts b/src/time-and-attendance/domains/services/banking-hours.service.ts
index f7c0b8a..1063131 100644
--- a/src/time-and-attendance/domains/services/banking-hours.service.ts
+++ b/src/time-and-attendance/domains/services/banking-hours.service.ts
@@ -17,7 +17,7 @@ export class BankedHoursService {
 
         try {
             const result = await this.prisma.$transaction(async (tx) => {
-                const employee = await this.prisma.employees.findUnique({
+                const employee = await tx.employees.findUnique({
                     where: { id: employee_id },
                     select: {
                         id: true,
diff --git a/src/time-and-attendance/domains/services/sick-leave.service.ts b/src/time-and-attendance/domains/services/sick-leave.service.ts
index 09c9993..b7d513b 100644
--- a/src/time-and-attendance/domains/services/sick-leave.service.ts
+++ b/src/time-and-attendance/domains/services/sick-leave.service.ts
@@ -109,7 +109,7 @@ export class SickLeaveService {
                     employee_id,
                 },
                 data: {
-                    sick_hours,
+                    sick_hours: { increment: sick_hours },
                     last_updated,
                 }
             })
@@ -129,7 +129,7 @@ export class SickLeaveService {
 
         try {
             const result = await this.prisma.$transaction(async (tx) => {
-                const employee = await this.prisma.employees.findUnique({
+                const employee = await tx.employees.findUnique({
                     where: { id: employee_id },
                     select: {
                         id: true,
diff --git a/src/time-and-attendance/domains/services/vacation.service.ts b/src/time-and-attendance/domains/services/vacation.service.ts
index da5f585..86fe63f 100644
--- a/src/time-and-attendance/domains/services/vacation.service.ts
+++ b/src/time-and-attendance/domains/services/vacation.service.ts
@@ -97,7 +97,7 @@ export class VacationService {
                 } else {
                     //update vacation_bank
                     await tx.paidTimeOff.update({
-                        where: { employee_id: employee_id, vacation_hours: { gte: asked_hours } },
+                        where: { employee_id: employee_id },
                         data: {
                             vacation_hours: { decrement: asked_hours },
                             last_updated: new Date(),