Merge remote-tracking branch 'origin/master'

2026-02-18 13:51:18 +03:00
parent eff80a3211
commit 369db87091
5 changed files with 251 additions and 63 deletions
--- a/svc/queries/statement_header.go
+++ b/svc/queries/statement_header.go
@@ -26,51 +26,74 @@ func GetStatements(params models.StatementParams) ([]models.StatementHeader, err
 	}

 	query := fmt.Sprintf(`
+
 ;WITH Opening AS (
    SELECT 
-        b.CurrAccCode AS Cari_Kod,
+        b.CurrAccCode     AS Cari_Kod,
        b.DocCurrencyCode AS Para_Birimi,
        SUM(c.Debit - c.Credit) AS Devir_Bakiyesi
+
    FROM trCurrAccBook b
+
    LEFT JOIN trCurrAccBookCurrency c
      ON c.CurrAccBookID = b.CurrAccBookID
     AND c.CurrencyCode  = b.DocCurrencyCode
+
    WHERE b.CurrAccCode LIKE '%%' + @Carikod + '%%'
      AND b.DocumentDate < @startdate
+
      AND EXISTS (
            SELECT 1
            FROM CurrAccBookATAttributesFilter f2
            WHERE f2.CurrAccBookID = b.CurrAccBookID
              AND f2.ATAtt01 IN (%s)
      )
-    GROUP BY b.CurrAccCode, b.DocCurrencyCode
+
+    GROUP BY 
+        b.CurrAccCode, 
+        b.DocCurrencyCode
 ),
+
 Movements AS (
    SELECT 
        b.CurrAccCode        AS Cari_Kod,
        d.CurrAccDescription AS Cari_Isim,
+
        CONVERT(varchar(10), b.DocumentDate, 23) AS Belge_Tarihi, 
        CONVERT(varchar(10), b.DueDate, 23)      AS Vade_Tarihi, 
+
        b.RefNumber          AS Belge_No,
        b.BaseApplicationCode AS Islem_Tipi,
        b.LineDescription    AS Aciklama,
+
        b.DocCurrencyCode    AS Para_Birimi,
+
        c.Debit              AS Borc,
        c.Credit             AS Alacak,
+
        SUM(c.Debit - c.Credit)
-            OVER (PARTITION BY b.CurrAccCode, c.CurrencyCode 
-                  ORDER BY b.DocumentDate, b.CurrAccBookID) AS Hareket_Bakiyesi,
+            OVER (
+              PARTITION BY b.CurrAccCode, c.CurrencyCode 
+              ORDER BY b.DocumentDate, b.CurrAccBookID
+            ) AS Hareket_Bakiyesi,
+
        f.ATAtt01 AS Parislemtipi
+
    FROM trCurrAccBook b
+
    LEFT JOIN cdCurrAccDesc d
        ON b.CurrAccCode = d.CurrAccCode 
+
    LEFT JOIN trCurrAccBookCurrency c
        ON b.CurrAccBookID = c.CurrAccBookID
       AND b.DocCurrencyCode = c.CurrencyCode
+
    LEFT JOIN CurrAccBookATAttributesFilter f
        ON b.CurrAccBookID = f.CurrAccBookID
+
    WHERE b.CurrAccCode LIKE '%%' + @Carikod + '%%'
      AND b.DocumentDate BETWEEN @startdate AND @enddate
+
      AND EXISTS (
            SELECT 1 
            FROM CurrAccBookATAttributesFilter f2
@@ -78,6 +101,7 @@ Movements AS (
              AND f2.ATAtt01 IN (%s)
      )
 )
+
 SELECT 
    m.Cari_Kod,
    m.Cari_Isim,
@@ -87,54 +111,66 @@ SELECT
    m.Islem_Tipi,
    m.Aciklama,
    m.Para_Birimi,
+
    m.Borc,
    m.Alacak,
+
    ISNULL(o.Devir_Bakiyesi,0) + m.Hareket_Bakiyesi AS Bakiye,
+
    m.Parislemtipi AS Parislemler
+
 FROM Movements m
+
 LEFT JOIN Opening o
  ON o.Cari_Kod = m.Cari_Kod
 AND o.Para_Birimi = m.Para_Birimi

+
 UNION ALL

-- Devir satırı
-SELECT  
-    @Carikod                    AS Cari_Kod,
-    MAX(d.CurrAccDescription)   AS Cari_Isim,
-    CONVERT(varchar(10), @startdate, 23) AS Belge_Tarihi, 
-    CONVERT(varchar(10), @startdate, 23) AS Vade_Tarihi, 
-    'Baslangic_devir'           AS Belge_No,
-    'Devir'                     AS Islem_Tipi,
-    'Devir Bakiyesi'            AS Aciklama,
-    b.DocCurrencyCode           AS Para_Birimi,
-    SUM(c.Debit)                AS Borc,
-    SUM(c.Credit)               AS Alacak,
-    SUM(c.Debit) - SUM(c.Credit) AS Bakiye,
-    (
-      SELECT STRING_AGG(x.ATAtt01, ',')
-      FROM (
-        SELECT DISTINCT f2.ATAtt01
-        FROM CurrAccBookATAttributesFilter f2
-        INNER JOIN trCurrAccBook bb
-          ON f2.CurrAccBookID = bb.CurrAccBookID
-        WHERE bb.CurrAccCode LIKE '%%' + @Carikod + '%%'
-          AND bb.DocumentDate < @startdate
-          AND f2.ATAtt01 IN (%s)
-      ) x
-    ) AS Parislemler
-FROM trCurrAccBook b
-LEFT JOIN cdCurrAccDesc d
-    ON b.CurrAccCode = d.CurrAccCode 
-LEFT JOIN trCurrAccBookCurrency c
-    ON b.CurrAccBookID = c.CurrAccBookID
-   AND b.DocCurrencyCode = c.CurrencyCode
-WHERE b.CurrAccCode LIKE '%%' + @Carikod + '%%'
-  AND b.DocumentDate < @startdate
-GROUP BY b.DocCurrencyCode

-ORDER BY Para_Birimi, Belge_Tarihi;
-`, parislemFilter, parislemFilter, parislemFilter)
+/* ✅ Devir satırı sadece Opening’den */
+SELECT  
+    o.Cari_Kod,
+    d.CurrAccDescription,
+
+    CONVERT(varchar(10), @startdate, 23),
+    CONVERT(varchar(10), @startdate, 23),
+
+    'Baslangic_devir',
+    'Devir',
+    'Devir Bakiyesi',
+
+    o.Para_Birimi,
+
+    CASE 
+        WHEN o.Devir_Bakiyesi >= 0 THEN o.Devir_Bakiyesi 
+        ELSE 0 
+    END,
+
+    CASE 
+        WHEN o.Devir_Bakiyesi < 0 THEN ABS(o.Devir_Bakiyesi) 
+        ELSE 0 
+    END,
+
+    o.Devir_Bakiyesi,
+
+    '%s'
+
+FROM Opening o
+
+LEFT JOIN cdCurrAccDesc d
+  ON d.CurrAccCode = o.Cari_Kod
+
+
+ORDER BY 
+    Para_Birimi, 
+    Belge_Tarihi;
+`,
+		parislemFilter,
+		parislemFilter,
+		parislemFilter,
+	)

 	rows, err := db.MssqlDB.Query(query,
 		sql.Named("startdate", params.StartDate),
--- a/svc/queries/statements_detail.go
+++ b/svc/queries/statements_detail.go
@@ -31,9 +31,17 @@ SELECT
    COALESCE(MAX(KisaKarDesc.AttributeDescription), '')   AS Icerik,
    a.ItemCode       AS Urun_Kodu,
    a.ColorCode      AS Urun_Rengi,
-    SUM(a.Qty1)      AS Toplam_Adet,
-    SUM(ABS(a.Doc_Price)) AS Toplam_Fiyat,
-    CAST(SUM(a.Qty1 * ABS(a.Doc_Price)) AS numeric(18,2)) AS Toplam_Tutar
+    SUM(a.Qty1) AS Toplam_Adet,
+
+CAST(
+    SUM(a.Qty1 * ABS(a.Doc_Price)) 
+    / NULLIF(SUM(a.Qty1),0)
+AS numeric(18,4)) AS Doviz_Fiyat,
+
+CAST(
+    SUM(a.Qty1 * ABS(a.Doc_Price)) 
+AS numeric(18,2)) AS Toplam_Tutar
+
 FROM AllInvoicesWithAttributes a
 LEFT JOIN prItemAttribute AnaGrup
    ON a.ItemCode = AnaGrup.ItemCode AND AnaGrup.AttributeTypeCode = 1
--- a/svc/routes/login.go
+++ b/svc/routes/login.go
@@ -3,6 +3,7 @@ package routes
 import (
 	"bssapp-backend/auth"
 	"bssapp-backend/internal/auditlog"
+	"bssapp-backend/internal/security"
 	"bssapp-backend/models"
 	"bssapp-backend/queries"
 	"bssapp-backend/repository"
@@ -208,6 +209,22 @@ func writeLoginResponse(w http.ResponseWriter, db *sql.DB, user *models.MkUser)
 		return
 	}

+	refreshPlain, refreshHash, err := security.GenerateRefreshToken()
+	if err != nil {
+		http.Error(w, "Refresh token üretilemedi", http.StatusInternalServerError)
+		return
+	}
+
+	refreshExp := time.Now().Add(14 * 24 * time.Hour)
+	rtRepo := repository.NewRefreshTokenRepository(db)
+	if err := rtRepo.IssueRefreshToken(user.ID, refreshHash, refreshExp); err != nil {
+		log.Printf("refresh token store failed user=%d err=%v", user.ID, err)
+		http.Error(w, "Session başlatılamadı", http.StatusInternalServerError)
+		return
+	}
+
+	setRefreshCookie(w, refreshPlain, refreshExp)
+
 	_ = json.NewEncoder(w).Encode(map[string]any{
 		"token": token,
 		"user": map[string]any{
--- a/ui/dist/spa/index.html
+++ b/ui/dist/spa/index.html
@@ -1 +1 @@
-<!DOCTYPE html><html><head><title>Baggi SS</title><meta charset=utf-8><meta name=description content="A Quasar Project"><meta name=format-detection content="telephone=no"><meta name=msapplication-tap-highlight content=no><meta name=viewport content="user-scalable=no,initial-scale=1,maximum-scale=1,minimum-scale=1,width=device-width"><link rel=icon type=image/png sizes=128x128 href=/icons/favicon-128x128.png><link rel=icon type=image/png sizes=96x96 href=/icons/favicon-96x96.png><link rel=icon type=image/png sizes=32x32 href=/icons/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=/icons/favicon-16x16.png><link rel=icon type=image/ico href=/favicon.ico><script defer src=/js/vendor.9ea1812a.js></script><script defer src=/js/app.bcfe0c60.js></script><link href=/css/vendor.724dcfab.css rel=stylesheet><link href=/css/app.53116624.css rel=stylesheet></head><body><div id=q-app></div></body></html>
+<!DOCTYPE html><html><head><title>Baggi SS</title><meta charset=utf-8><meta name=description content="A Quasar Project"><meta name=format-detection content="telephone=no"><meta name=msapplication-tap-highlight content=no><meta name=viewport content="user-scalable=no,initial-scale=1,maximum-scale=1,minimum-scale=1,width=device-width"><link rel=icon type=image/png sizes=128x128 href=/icons/favicon-128x128.png><link rel=icon type=image/png sizes=96x96 href=/icons/favicon-96x96.png><link rel=icon type=image/png sizes=32x32 href=/icons/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=/icons/favicon-16x16.png><link rel=icon type=image/ico href=/favicon.ico><script defer src=/js/vendor.9ea1812a.js></script><script defer src=/js/app.d0936c73.js></script><link href=/css/vendor.724dcfab.css rel=stylesheet><link href=/css/app.53116624.css rel=stylesheet></head><body><div id=q-app></div></body></html>
--- a/ui/src/services/api.js
+++ b/ui/src/services/api.js
@@ -3,6 +3,7 @@ import qs from 'qs'
 import { useAuthStore } from 'stores/authStore'

 export const API_BASE_URL = '/api'
+const AUTH_REFRESH_PATH = '/auth/refresh'

 const api = axios.create({
  baseURL: API_BASE_URL,
@@ -12,17 +13,69 @@ const api = axios.create({
  withCredentials: true
 })

+function isPublicPath(url) {
+  return (
+    url.startsWith('/auth/login') ||
+    url.startsWith(AUTH_REFRESH_PATH) ||
+    url.startsWith('/password/forgot') ||
+    url.startsWith('/password/reset')
+  )
+}
+
+function extractToken(payload) {
+  return (
+    payload?.token ||
+    payload?.access_token ||
+    payload?.data?.token ||
+    payload?.data?.access_token ||
+    ''
+  )
+}
+
+function isHtmlLike(value) {
+  const text = String(value || '').trim().toLowerCase()
+  return text.startsWith('<!doctype html') || text.startsWith('<html')
+}
+
+function sanitizeApiErrorDetail(detail, status) {
+  const normalized = String(detail || '').trim()
+
+  if (!normalized) {
+    if (status === 504) {
+      return 'Gateway timeout: origin server did not respond in time.'
+    }
+    return ''
+  }
+
+  if (isHtmlLike(normalized)) {
+    if (status === 504) {
+      return 'Gateway timeout: origin server did not respond in time.'
+    }
+    if (status >= 500) {
+      return `Upstream server error (${status}).`
+    }
+    return `Unexpected HTML error response (${status || '-'})`
+  }
+
+  const compact = normalized.replace(/\s+/g, ' ').trim()
+  if (compact.length > 320) {
+    return `${compact.slice(0, 320)}...`
+  }
+
+  return compact
+}
+
+function redirectToLogin() {
+  if (typeof window === 'undefined') return
+  if (window.location.hash === '#/login') return
+  window.location.hash = '/login'
+}
+
 api.interceptors.request.use((config) => {
  const auth = useAuthStore()
  const url = config.url || ''

-  const isPublic =
-    url.startsWith('/auth/login') ||
-    url.startsWith('/auth/refresh') ||
-    url.startsWith('/password/forgot') ||
-    url.startsWith('/password/reset')
-
-  if (!isPublic && auth?.token) {
+  if (!isPublicPath(url) && auth?.token) {
    config.headers ||= {}
    config.headers.Authorization = `Bearer ${auth.token}`
  }
@@ -31,33 +84,106 @@ api.interceptors.request.use((config) => {
 })

 let isLoggingOut = false
+let refreshPromise = null
+
+async function refreshAccessToken() {
+  if (refreshPromise) {
+    return refreshPromise
+  }
+
+  refreshPromise = (async () => {
+    const auth = useAuthStore()
+    const response = await api.post(
+      AUTH_REFRESH_PATH,
+      {},
+      {
+        skipAuthRefresh: true,
+        skipAutoLogout: true
+      }
+    )
+
+    const rawToken = extractToken(response?.data)
+    const token = typeof rawToken === 'string' ? rawToken.trim() : ''
+    const isJwt = token.split('.').length === 3
+
+    if (!token || !isJwt) {
+      throw new Error('Invalid refresh token response')
+    }
+
+    auth.setSession({
+      token,
+      user: auth.user || null
+    })
+
+    return token
+  })().finally(() => {
+    refreshPromise = null
+  })
+
+  return refreshPromise
+}
+
+function clearSessionAndRedirect() {
+  if (isLoggingOut) return
+
+  isLoggingOut = true
+  try {
+    useAuthStore().clearSession()
+  } finally {
+    isLoggingOut = false
+    redirectToLogin()
+  }
+}

 api.interceptors.response.use(
  r => r,
  async (error) => {
+    const requestConfig = error?.config || {}
    const status = error?.response?.status
-    const requestUrl = String(error?.config?.url || '')
+    const requestUrl = String(requestConfig.url || '')
    const hasBlob = typeof Blob !== 'undefined' && error?.response?.data instanceof Blob
    const isPasswordChangeRequest =
      requestUrl.startsWith('/password/change') ||
      requestUrl.startsWith('/me/password')
+    const isPublicRequest = isPublicPath(requestUrl)

    if ((status >= 500 || hasBlob) && error) {
-      const method = String(error?.config?.method || 'GET').toUpperCase()
-      const detail = await extractApiErrorDetail(error)
+      const method = String(requestConfig.method || 'GET').toUpperCase()
+      const detail = sanitizeApiErrorDetail(
+        await extractApiErrorDetail(error),
+        status
+      )
      error.parsedMessage = detail
      console.error(`API ${status || '-'} ${method} ${requestUrl}: ${detail}`)
    }

+    const shouldTryRefresh =
+      status === 401 &&
+      !requestConfig._retry &&
+      !requestConfig.skipAuthRefresh &&
+      !isPasswordChangeRequest &&
+      !isPublicRequest
+
+    if (shouldTryRefresh) {
+      requestConfig._retry = true
+      try {
+        const newToken = await refreshAccessToken()
+        requestConfig.headers ||= {}
+        requestConfig.headers.Authorization = `Bearer ${newToken}`
+        return api(requestConfig)
+      } catch {
+        // fall through to logout
+      }
+    }
+
    // Password change endpoints may return 401 for business reasons
    // (for example current password mismatch). Keep session in that case.
-    if (status === 401 && !isPasswordChangeRequest && !isLoggingOut) {
-      isLoggingOut = true
-      try {
-        useAuthStore().clearSession()
-      } finally {
-        isLoggingOut = false
-      }
+    if (
+      status === 401 &&
+      !isPasswordChangeRequest &&
+      !requestConfig.skipAutoLogout
+    ) {
+      clearSessionAndRedirect()
    }

    return Promise.reject(error)
@@ -114,6 +240,7 @@ async function parseBlobErrorMessage(data) {
 }

 export async function extractApiErrorDetail(err) {
+  const status = err?.response?.status
  let detail =
    err?.parsedMessage ||
    err?.response?.data?.detail ||
@@ -129,7 +256,7 @@ export async function extractApiErrorDetail(err) {
    detail = err?.message || 'Request failed'
  }

-  return detail
+  return sanitizeApiErrorDetail(detail, status)
 }

 export const download = async (u, p = {}, c = {}) => {