ealmeida/DashDescomplicar
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f1756829af86cff784bbe668749c8e2fd6c07636
DashDescomplicar/api/README.md
Emanuel Almeida f1756829af security: implement 6 high-severity vulnerability fixes 
HIGH-SEVERITY FIXES (Fase 2):

1. Rate Limiting (Vulnerabilidade 2.1)
   - express-rate-limit: 100 req/15min (prod), 1000 req/15min (dev)
   - Applied to all /api/* routes
   - Standard headers for retry-after

2. CORS Restrictions (Vulnerabilidade 2.2)
   - Whitelist: dashboard.descomplicar.pt, desk.descomplicar.pt
   - Localhost only in development
   - CORS blocking logs

3. Input Validation with Zod (Vulnerabilidade 2.4)
   - Generic validateRequest() middleware
   - Schemas: WordPress Monitor, server metrics, dashboard, financial
   - Applied to api/routes/wp-monitor.ts POST endpoint
   - Detailed field-level error messages

4. Backend Authentication OIDC (Vulnerabilidade 2.5 - OPTIONAL)
   - Enabled via OIDC_ENABLED=true
   - Bearer token validation on all APIs
   - Backward compatible (disabled by default)

5. SSH Key-Based Auth Migration (Vulnerabilidade 2.6)
   - Script: /media/ealmeida/Dados/Dev/ClaudeDev/migrate-ssh-keys.sh
   - Generates ed25519 key, copies to 6 servers
   - Instructions to remove passwords from .env
   - .env.example updated with SSH_PRIVATE_KEY_PATH

6. Improved Error Handling (Vulnerabilidade 2.5)
   - Unique error IDs (UUID) for tracking
   - Structured JSON logs in production
   - Stack traces blocked in production
   - Generic messages to client

FILES CHANGED:
- api/server.ts - Complete refactor with all security improvements
- api/middleware/validation.ts - NEW: Zod middleware and schemas
- api/routes/wp-monitor.ts - Added Zod validation on POST
- .env.example - Complete security documentation
- CHANGELOG.md - Full documentation of 9 fixes (3 critical + 6 high)
- package.json + package-lock.json - New dependencies

DEPENDENCIES ADDED:
- express-rate-limit@7.x
- zod@3.x
- express-openid-connect@2.x

AUDIT STATUS:
- npm audit: 0 vulnerabilities
- Hook Regra #47: PASSED

PROGRESS:
- Phase 1 (Critical): 3/3  COMPLETE
- Phase 2 (High): 6/6  COMPLETE
- Phase 3 (Medium): 0/6 - Next
- Phase 4 (Low): 0/5 - Next

Related: AUDIT-REPORT.md vulnerabilities 2.1, 2.2, 2.4, 2.5, 2.6

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-14 04:09:50 +00:00

99 lines
2.2 KiB
Markdown
Executable File
Raw Blame History

# Dashboard Descomplicar API
API Node.js/Express com queries diretas à BD Desk CRM.
## Estrutura
```
api/
├── server.ts # Express server
├── db.ts # MySQL connection pool
├── services/
│ ├── calendar.ts # Google Calendar API
│ ├── dashboard.ts # Dashboard queries
│ └── monitoring.ts # Monitoring queries
└── routes/
├── dashboard.ts # GET /api/dashboard
└── monitor.ts # GET /api/monitor
```
## Endpoints
### GET /api/dashboard
Retorna dados do dashboard principal:
- Tarefas (urgente, alta, vencidas, testes, semana)
- Tickets abertos
- Leads (contactar, followup, proposta)
- Projectos activos
- Timesheet semanal
- Billing 360
- Pipeline de vendas
- Eventos Google Calendar (hoje + semana)
### GET /api/monitor
Retorna status de monitorização:
- Servidores (CPU, RAM, Disco)
- Serviços web
- Sites WordPress
- Containers Docker
### GET /api/health
Health check endpoint
## Setup
1. **Instalar dependências:**
```bash
npm install
```
2. **Configurar .env:**
```bash
cp .env.example .env
# Editar .env com credenciais correctas
```
3. **Desenvolvimento:**
```bash
npm run dev # Vite + API (ambos)
npm run dev:api # API apenas
npm run dev:ui # Vite apenas
```
4. **Produção:**
```bash
npm run build
npm start
```
## Queries Migradas do PHP
Todas as queries do `index.php` e `monitor.php` foram migradas para TypeScript:
- ✅ Tasks (urgente, alta, vencidas, testes, semana, monday mood)
- ✅ Tickets
- ✅ Leads (contactar, followup, proposta)
- ✅ Projectos
- ✅ Timesheet semanal
- ✅ Billing 360
- ✅ Pipeline (leads, estimates, proposals)
- ✅ Google Calendar (eventos pessoais + profissionais)
- ✅ Monitorização (tbl_eal_monitoring)
## BD Necessárias
- `ealmeida_desk24` (BD principal Perfex CRM)
- Tabelas Perfex: `tbltasks`, `tblleads`, `tblprojects`, `tbltickets`, etc.
- Tabelas custom: `billing_360_clients`, `billing_360_invoices`, `tbl_eal_monitoring`
## Google Calendar API
Credenciais OAuth2 configuradas em `services/calendar.ts`:
- Client ID
- Client Secret
- Refresh Token
Calendários:
- `primary` - Eventos pessoais
- `emanuel@descomplicar.pt` - Eventos profissionais
Reference in New Issue View Git Blame Copy Permalink