ealmeida/DashDescomplicar
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f1756829af86cff784bbe668749c8e2fd6c07636
DashDescomplicar/api/routes/diagnostic.ts
Emanuel Almeida f1756829af security: implement 6 high-severity vulnerability fixes 
HIGH-SEVERITY FIXES (Fase 2):

1. Rate Limiting (Vulnerabilidade 2.1)
   - express-rate-limit: 100 req/15min (prod), 1000 req/15min (dev)
   - Applied to all /api/* routes
   - Standard headers for retry-after

2. CORS Restrictions (Vulnerabilidade 2.2)
   - Whitelist: dashboard.descomplicar.pt, desk.descomplicar.pt
   - Localhost only in development
   - CORS blocking logs

3. Input Validation with Zod (Vulnerabilidade 2.4)
   - Generic validateRequest() middleware
   - Schemas: WordPress Monitor, server metrics, dashboard, financial
   - Applied to api/routes/wp-monitor.ts POST endpoint
   - Detailed field-level error messages

4. Backend Authentication OIDC (Vulnerabilidade 2.5 - OPTIONAL)
   - Enabled via OIDC_ENABLED=true
   - Bearer token validation on all APIs
   - Backward compatible (disabled by default)

5. SSH Key-Based Auth Migration (Vulnerabilidade 2.6)
   - Script: /media/ealmeida/Dados/Dev/ClaudeDev/migrate-ssh-keys.sh
   - Generates ed25519 key, copies to 6 servers
   - Instructions to remove passwords from .env
   - .env.example updated with SSH_PRIVATE_KEY_PATH

6. Improved Error Handling (Vulnerabilidade 2.5)
   - Unique error IDs (UUID) for tracking
   - Structured JSON logs in production
   - Stack traces blocked in production
   - Generic messages to client

FILES CHANGED:
- api/server.ts - Complete refactor with all security improvements
- api/middleware/validation.ts - NEW: Zod middleware and schemas
- api/routes/wp-monitor.ts - Added Zod validation on POST
- .env.example - Complete security documentation
- CHANGELOG.md - Full documentation of 9 fixes (3 critical + 6 high)
- package.json + package-lock.json - New dependencies

DEPENDENCIES ADDED:
- express-rate-limit@7.x
- zod@3.x
- express-openid-connect@2.x

AUDIT STATUS:
- npm audit: 0 vulnerabilities
- Hook Regra #47: PASSED

PROGRESS:
- Phase 1 (Critical): 3/3  COMPLETE
- Phase 2 (High): 6/6  COMPLETE
- Phase 3 (Medium): 0/6 - Next
- Phase 4 (Low): 0/5 - Next

Related: AUDIT-REPORT.md vulnerabilities 2.1, 2.2, 2.4, 2.5, 2.6

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-14 04:09:50 +00:00

77 lines
2.6 KiB
TypeScript
Executable File
Raw Blame History

/**
* Diagnostic API Route
* @author Descomplicar® | @link descomplicar.pt | @copyright 2026
*/
import { Router } from 'express'
import type { Request, Response } from 'express'
import * as dashboardService from '../services/dashboard.js'
import * as calendarService from '../services/calendar.js'
import db from '../db.js'
const router = Router()
router.get('/', async (_req: Request, res: Response) => {
const tests = []
// Test database connection
try {
await db.query('SELECT 1')
tests.push({ name: 'DB Connection', status: 'OK' })
} catch (error: any) {
tests.push({ name: 'DB Connection', status: 'FAILED', error: error.message })
}
// Test each dashboard service function
const functions = [
{ name: 'getUrgenteTasks', fn: dashboardService.getUrgenteTasks },
{ name: 'getAltaTasks', fn: dashboardService.getAltaTasks },
{ name: 'getVencidasTasks', fn: dashboardService.getVencidasTasks },
{ name: 'getEmTestesTasks', fn: dashboardService.getEmTestesTasks },
{ name: 'getEstaSemana', fn: dashboardService.getEstaSemana },
{ name: 'getMondayMood', fn: dashboardService.getMondayMood },
{ name: 'getTickets', fn: dashboardService.getTickets },
{ name: 'getContactarLeads', fn: dashboardService.getContactarLeads },
{ name: 'getFollowupLeads', fn: dashboardService.getFollowupLeads },
{ name: 'getPropostaLeads', fn: dashboardService.getPropostaLeads },
{ name: 'getProjectos', fn: dashboardService.getProjectos },
{ name: 'getTimesheet', fn: dashboardService.getTimesheet },
{ name: 'getBilling360', fn: dashboardService.getBilling360 },
{ name: 'getPipeline', fn: dashboardService.getPipeline }
]
for (const { name, fn } of functions) {
try {
await fn()
tests.push({ name, status: 'OK' })
} catch (error: any) {
tests.push({ name, status: 'FAILED', error: error.message })
}
}
// Test calendar functions
try {
await calendarService.getTodayEvents()
tests.push({ name: 'getTodayEvents', status: 'OK' })
} catch (error: any) {
tests.push({ name: 'getTodayEvents', status: 'FAILED', error: error.message })
}
try {
await calendarService.getWeekEvents()
tests.push({ name: 'getWeekEvents', status: 'OK' })
} catch (error: any) {
tests.push({ name: 'getWeekEvents', status: 'FAILED', error: error.message })
}
const failed = tests.filter(t => t.status === 'FAILED')
const summary = {
total: tests.length,
passed: tests.filter(t => t.status === 'OK').length,
failed: failed.length
}
res.json({ summary, tests, failed })
})
export default router
Reference in New Issue View Git Blame Copy Permalink