ealmeida/DashDescomplicar
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
20c16ab1e0f87d49b45b597b2bc192d107582d72
DashDescomplicar/api/routes/wp-monitor.ts
Emanuel Almeida 20c16ab1e0 security: fix 3 critical vulnerabilities + dependency audit 
CRITICAL FIXES:
- Remove hardcoded DB password from api/db.ts (was: 9qPRdCGGqM4o)
- Remove hardcoded API key from api/routes/wp-monitor.ts
- Add mandatory env var validation for DB_USER, DB_PASS, DB_NAME
- Add mandatory env var validation for WP_MONITOR_API_KEY
- Add connection timeouts to MySQL pool (10s/15s/30s)

VERIFIED:
- .env never committed to Git (credentials not exposed in repo)
- .gitignore working correctly

DEPENDENCIES:
- Fix qs vulnerability (GHSA-w7fw-mjwx-w883)
- npm audit: 1 low → 0 vulnerabilities

Related: AUDIT-REPORT.md vulnerabilities 1.1, 1.2, 1.3
Next: Implement rate limiting, CORS restrictions, input validation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-14 03:38:09 +00:00

150 lines
4.1 KiB
TypeScript
Executable File
Raw Blame History

/**
* WordPress Monitor API Route
* Receives data from Descomplicar Monitor WordPress plugin
* POST /api/wp-monitor - Receive site data
* GET /api/wp-monitor - List monitored sites
* GET /api/wp-monitor?test - Connection test
* @author Descomplicar® | @link descomplicar.pt | @copyright 2026
*/
import { Router } from 'express'
import type { Request, Response } from 'express'
import db from '../db.js'
const router = Router()
// Validação obrigatória da API key
const API_KEY = process.env.WP_MONITOR_API_KEY
if (!API_KEY) {
throw new Error('WP_MONITOR_API_KEY environment variable is required')
}
// Middleware to validate API key
function validateApiKey(req: Request, res: Response, next: Function) {
const apiKey = req.headers['x-api-key'] || req.query.key
if (apiKey !== API_KEY) {
return res.status(401).json({ error: 'Unauthorized', message: 'Invalid API Key' })
}
next()
}
// Test endpoint
router.get('/', validateApiKey, async (req: Request, res: Response) => {
// Test connection
if (req.query.test !== undefined) {
return res.json({ success: true, message: 'Connection OK', timestamp: new Date().toISOString() })
}
// List all WordPress sites
try {
const [sites] = await db.query(`
SELECT name, status, details, last_check
FROM tbl_eal_monitoring
WHERE category = 'site'
ORDER BY name ASC
`)
const result = (sites as any[]).map(site => ({
name: site.name,
status: site.status,
last_check: site.last_check,
data: typeof site.details === 'string' ? JSON.parse(site.details) : site.details
}))
res.json({
success: true,
sites: result,
total: result.length,
timestamp: new Date().toISOString()
})
} catch (error) {
console.error('WP Monitor GET error:', error)
res.status(500).json({ error: 'Database error', message: (error as Error).message })
}
})
// Receive data from WordPress plugin
router.post('/', validateApiKey, async (req: Request, res: Response) => {
const data = req.body
if (!data || !data.site_url) {
return res.status(400).json({ error: 'Bad Request', message: 'Invalid JSON or missing site_url' })
}
try {
const siteUrl = data.site_url.replace(/\/$/, '')
const siteName = data.site_name || new URL(siteUrl).hostname
// Determine status based on data
const status = determineStatus(data)
const jsonData = JSON.stringify(data)
// Check if site exists
const [existing] = await db.query(
'SELECT id FROM tbl_eal_monitoring WHERE category = ? AND name = ?',
['site', siteName]
)
if ((existing as any[]).length > 0) {
// Update existing
await db.query(
'UPDATE tbl_eal_monitoring SET details = ?, status = ?, last_check = NOW() WHERE category = ? AND name = ?',
[jsonData, status, 'site', siteName]
)
} else {
// Insert new
await db.query(
'INSERT INTO tbl_eal_monitoring (name, category, status, details, last_check) VALUES (?, ?, ?, ?, NOW())',
[siteName, 'site', status, jsonData]
)
}
console.log(`[WP-Monitor] Received data from: ${siteUrl} - Status: ${status}`)
res.json({
success: true,
message: 'Data received',
site: siteName,
status,
timestamp: new Date().toISOString()
})
} catch (error) {
console.error('WP Monitor POST error:', error)
res.status(500).json({ error: 'Database error', message: (error as Error).message })
}
})
/**
* Determine status based on WordPress data
*/
function determineStatus(data: any): string {
// Critical conditions
if (data.health?.status === 'critical') {
return 'failed'
}
let warnings = 0
// Many pending updates
if (data.updates?.counts?.total > 5) warnings++
// Core update pending
if (data.updates?.core?.length > 0) warnings++
// Debug mode in production
if (data.system?.debug_mode === true) warnings++
// Health issues
if (data.health?.issues?.length > 0) {
warnings += data.health.issues.length
}
// Large database (>500MB)
if (data.database?.size_mb > 500) warnings++
if (warnings >= 3) return 'warning'
return 'ok'
}
export default router
Reference in New Issue View Git Blame Copy Permalink