ealmeida/DashDescomplicar
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
49 Commits 1 Branch 0 Tags
main
Commit Graph

6 Commits

Author SHA1 Message Date
Emanuel Almeida
36a26dac53 security: complete Fase 3 - all medium-severity vulnerabilities fixed 
MEDIUM-SEVERITY FIXES (Fase 3 complete):

1. Mock Data em Produção (Vulnerabilidade 3.2) 
   - Mock data apenas em desenvolvimento (import.meta.env.DEV)
   - Produção mostra erro claro com retry button
   - Estado de erro com UI profissional

2. Connection Pool Timeouts (Vulnerabilidade 3.3) 
   - JÁ CORRIGIDO em commit anterior (20c16ab)
   - connectTimeout: 10s, acquireTimeout: 15s, timeout: 30s

3. Tipo 'any' em Catch Blocks (Vulnerabilidade 3.4) 
   - TODOS os ficheiros corrigidos (10/10)
   - catch (error: unknown) em vez de catch (error)
   - Type guards: error instanceof Error
   - Mensagens seguras sem vazamento de stack trace
   - Ficheiros: routes/*.ts, services/*.ts, middleware/validation.ts

4. APIs Sem Autenticação Backend (Vulnerabilidade 3.5) 
   - JÁ IMPLEMENTADO em commit anterior (f175682)
   - OIDC opcional via OIDC_ENABLED=true

5. Algoritmos SSH Legacy (Vulnerabilidade 3.6) 
   - Adicionados: curve25519-sha256, curve25519-sha256@libssh.org
   - Removidos: diffie-hellman-group14-sha1 (legacy)
   - Removidos: diffie-hellman-group1-sha1 (INSEGURO)
   - Apenas SHA256+ algorithms mantidos

6. Configuração OIDC (Vulnerabilidade 3.1) 
   - JÁ IMPLEMENTADO em commit anterior (f175682)
   - OIDC completamente funcional (opcional)

FILES CHANGED:
- src/App.tsx - Error state + mock data apenas em dev
- api/routes/*.ts - Tipos unknown em todos os catch blocks
- api/services/*.ts - Tipos unknown em todos os catch blocks
- api/middleware/validation.ts - Tipo correto (error.issues)
- api/services/server-metrics.ts - Algoritmos SSH modernos

BUILD STATUS:
- TypeScript:  PASSED
- npm run build:  SUCCESS
- npm audit:  0 vulnerabilities

PROGRESS:
- Phase 1 (Critical): 3/3  COMPLETE
- Phase 2 (High): 6/6  COMPLETE
- Phase 3 (Medium): 6/6  COMPLETE
- Phase 4 (Low): 0/5 - Next

Related: AUDIT-REPORT.md vulnerabilities 3.1, 3.2, 3.3, 3.4, 3.5, 3.6

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-14 04:20:37 +00:00
Emanuel Almeida
f1756829af security: implement 6 high-severity vulnerability fixes 
HIGH-SEVERITY FIXES (Fase 2):

1. Rate Limiting (Vulnerabilidade 2.1)
   - express-rate-limit: 100 req/15min (prod), 1000 req/15min (dev)
   - Applied to all /api/* routes
   - Standard headers for retry-after

2. CORS Restrictions (Vulnerabilidade 2.2)
   - Whitelist: dashboard.descomplicar.pt, desk.descomplicar.pt
   - Localhost only in development
   - CORS blocking logs

3. Input Validation with Zod (Vulnerabilidade 2.4)
   - Generic validateRequest() middleware
   - Schemas: WordPress Monitor, server metrics, dashboard, financial
   - Applied to api/routes/wp-monitor.ts POST endpoint
   - Detailed field-level error messages

4. Backend Authentication OIDC (Vulnerabilidade 2.5 - OPTIONAL)
   - Enabled via OIDC_ENABLED=true
   - Bearer token validation on all APIs
   - Backward compatible (disabled by default)

5. SSH Key-Based Auth Migration (Vulnerabilidade 2.6)
   - Script: /media/ealmeida/Dados/Dev/ClaudeDev/migrate-ssh-keys.sh
   - Generates ed25519 key, copies to 6 servers
   - Instructions to remove passwords from .env
   - .env.example updated with SSH_PRIVATE_KEY_PATH

6. Improved Error Handling (Vulnerabilidade 2.5)
   - Unique error IDs (UUID) for tracking
   - Structured JSON logs in production
   - Stack traces blocked in production
   - Generic messages to client

FILES CHANGED:
- api/server.ts - Complete refactor with all security improvements
- api/middleware/validation.ts - NEW: Zod middleware and schemas
- api/routes/wp-monitor.ts - Added Zod validation on POST
- .env.example - Complete security documentation
- CHANGELOG.md - Full documentation of 9 fixes (3 critical + 6 high)
- package.json + package-lock.json - New dependencies

DEPENDENCIES ADDED:
- express-rate-limit@7.x
- zod@3.x
- express-openid-connect@2.x

AUDIT STATUS:
- npm audit: 0 vulnerabilities
- Hook Regra #47: PASSED

PROGRESS:
- Phase 1 (Critical): 3/3  COMPLETE
- Phase 2 (High): 6/6  COMPLETE
- Phase 3 (Medium): 0/6 - Next
- Phase 4 (Low): 0/5 - Next

Related: AUDIT-REPORT.md vulnerabilities 2.1, 2.2, 2.4, 2.5, 2.6

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-14 04:09:50 +00:00
Emanuel Almeida
a19e07d83c fix: remove HEAD-based site checker that caused false DOWN status 
The checkAllSitesAvailability() function did HEAD requests from EasyPanel
to check sites. Many WordPress sites block HEAD or return errors, causing
all sites to show as DOWN while keeping valid response times from the
CWP collector. The CWP collector (collect-sites.sh) is the single source
of truth for site status.

Removed:
- checkSiteAvailability() and checkAllSitesAvailability() from monitoring service
- POST /api/monitor/check-sites endpoint
- api/scripts/check-sites.ts cron script

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-10 17:48:41 +00:00
Emanuel Almeida
f4160b60f9 fix: Remaining TypeScript strict mode errors in routes 2026-02-04 23:19:32 +00:00
Emanuel Almeida
13608a69bf feat: WordPress Monitor API + Site Availability Checker 
- Add POST /api/wp-monitor endpoint for WP plugin data
- Add GET /api/wp-monitor for listing monitored sites
- Add checkSiteAvailability() function for HTTP health checks
- Add checkAllSitesAvailability() for batch checking
- Add /api/scripts/check-sites.ts for cron execution
- Add POST /api/monitor/check-sites for manual trigger

DeskCRM Task: #1556

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-04 23:12:32 +00:00
Emanuel Almeida
a766f3a765 feat: add Node.js/Express API with real data from Desk CRM 
-  API completa em /api com TypeScript
-  Google Calendar integration (pessoal + profissional)
-  Queries diretas à BD: tasks, leads, projectos, billing, pipeline
-  Endpoints: /api/dashboard, /api/monitor, /api/health
-  Vite proxy configurado (/api → localhost:3001)
-  App.tsx usa /api/dashboard (não mais dados mock)
-  Migração completa do PHP (index.php + monitor.php)
-  CHANGELOG.md criado para tracking
-  Scripts npm: dev (paralelo), dev:api, dev:ui, start

Dependencies:
- express, cors, mysql2, googleapis
- concurrently, tsx (dev)

Breaking: PHP backend será descontinuado
See: CHANGELOG.md, api/README.md

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-04 03:26:24 +00:00