Emanuel Almeida
f1756829af
HIGH-SEVERITY FIXES (Fase 2): 1. Rate Limiting (Vulnerabilidade 2.1) - express-rate-limit: 100 req/15min (prod), 1000 req/15min (dev) - Applied to all /api/* routes - Standard headers for retry-after 2. CORS Restrictions (Vulnerabilidade 2.2) - Whitelist: dashboard.descomplicar.pt, desk.descomplicar.pt - Localhost only in development - CORS blocking logs 3. Input Validation with Zod (Vulnerabilidade 2.4) - Generic validateRequest() middleware - Schemas: WordPress Monitor, server metrics, dashboard, financial - Applied to api/routes/wp-monitor.ts POST endpoint - Detailed field-level error messages 4. Backend Authentication OIDC (Vulnerabilidade 2.5 - OPTIONAL) - Enabled via OIDC_ENABLED=true - Bearer token validation on all APIs - Backward compatible (disabled by default) 5. SSH Key-Based Auth Migration (Vulnerabilidade 2.6) - Script: /media/ealmeida/Dados/Dev/ClaudeDev/migrate-ssh-keys.sh - Generates ed25519 key, copies to 6 servers - Instructions to remove passwords from .env - .env.example updated with SSH_PRIVATE_KEY_PATH 6. Improved Error Handling (Vulnerabilidade 2.5) - Unique error IDs (UUID) for tracking - Structured JSON logs in production - Stack traces blocked in production - Generic messages to client FILES CHANGED: - api/server.ts - Complete refactor with all security improvements - api/middleware/validation.ts - NEW: Zod middleware and schemas - api/routes/wp-monitor.ts - Added Zod validation on POST - .env.example - Complete security documentation - CHANGELOG.md - Full documentation of 9 fixes (3 critical + 6 high) - package.json + package-lock.json - New dependencies DEPENDENCIES ADDED: - express-rate-limit@7.x - zod@3.x - express-openid-connect@2.x AUDIT STATUS: - npm audit: 0 vulnerabilities - Hook Regra #47: PASSED PROGRESS: - Phase 1 (Critical): 3/3 ✅ COMPLETE - Phase 2 (High): 6/6 ✅ COMPLETE - Phase 3 (Medium): 0/6 - Next - Phase 4 (Low): 0/5 - Next Related: AUDIT-REPORT.md vulnerabilities 2.1, 2.2, 2.4, 2.5, 2.6 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Dashboard Descomplicar API
API Node.js/Express com queries diretas à BD Desk CRM.
Estrutura
api/
├── server.ts # Express server
├── db.ts # MySQL connection pool
├── services/
│ ├── calendar.ts # Google Calendar API
│ ├── dashboard.ts # Dashboard queries
│ └── monitoring.ts # Monitoring queries
└── routes/
├── dashboard.ts # GET /api/dashboard
└── monitor.ts # GET /api/monitor
Endpoints
GET /api/dashboard
Retorna dados do dashboard principal:
- Tarefas (urgente, alta, vencidas, testes, semana)
- Tickets abertos
- Leads (contactar, followup, proposta)
- Projectos activos
- Timesheet semanal
- Billing 360
- Pipeline de vendas
- Eventos Google Calendar (hoje + semana)
GET /api/monitor
Retorna status de monitorização:
- Servidores (CPU, RAM, Disco)
- Serviços web
- Sites WordPress
- Containers Docker
GET /api/health
Health check endpoint
Setup
- Instalar dependências:
npm install
- Configurar .env:
cp .env.example .env
# Editar .env com credenciais correctas
- Desenvolvimento:
npm run dev # Vite + API (ambos)
npm run dev:api # API apenas
npm run dev:ui # Vite apenas
- Produção:
npm run build
npm start
Queries Migradas do PHP
Todas as queries do index.php e monitor.php foram migradas para TypeScript:
- ✅ Tasks (urgente, alta, vencidas, testes, semana, monday mood)
- ✅ Tickets
- ✅ Leads (contactar, followup, proposta)
- ✅ Projectos
- ✅ Timesheet semanal
- ✅ Billing 360
- ✅ Pipeline (leads, estimates, proposals)
- ✅ Google Calendar (eventos pessoais + profissionais)
- ✅ Monitorização (tbl_eal_monitoring)
BD Necessárias
ealmeida_desk24(BD principal Perfex CRM)- Tabelas Perfex:
tbltasks,tblleads,tblprojects,tbltickets, etc. - Tabelas custom:
billing_360_clients,billing_360_invoices,tbl_eal_monitoring
Google Calendar API
Credenciais OAuth2 configuradas em services/calendar.ts:
- Client ID
- Client Secret
- Refresh Token
Calendários:
primary- Eventos pessoaisemanuel@descomplicar.pt- Eventos profissionais