ealmeida/DashDescomplicar
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f1756829af86cff784bbe668749c8e2fd6c07636
DashDescomplicar/api/services/calendar.ts
Emanuel Almeida f1756829af security: implement 6 high-severity vulnerability fixes 
HIGH-SEVERITY FIXES (Fase 2):

1. Rate Limiting (Vulnerabilidade 2.1)
   - express-rate-limit: 100 req/15min (prod), 1000 req/15min (dev)
   - Applied to all /api/* routes
   - Standard headers for retry-after

2. CORS Restrictions (Vulnerabilidade 2.2)
   - Whitelist: dashboard.descomplicar.pt, desk.descomplicar.pt
   - Localhost only in development
   - CORS blocking logs

3. Input Validation with Zod (Vulnerabilidade 2.4)
   - Generic validateRequest() middleware
   - Schemas: WordPress Monitor, server metrics, dashboard, financial
   - Applied to api/routes/wp-monitor.ts POST endpoint
   - Detailed field-level error messages

4. Backend Authentication OIDC (Vulnerabilidade 2.5 - OPTIONAL)
   - Enabled via OIDC_ENABLED=true
   - Bearer token validation on all APIs
   - Backward compatible (disabled by default)

5. SSH Key-Based Auth Migration (Vulnerabilidade 2.6)
   - Script: /media/ealmeida/Dados/Dev/ClaudeDev/migrate-ssh-keys.sh
   - Generates ed25519 key, copies to 6 servers
   - Instructions to remove passwords from .env
   - .env.example updated with SSH_PRIVATE_KEY_PATH

6. Improved Error Handling (Vulnerabilidade 2.5)
   - Unique error IDs (UUID) for tracking
   - Structured JSON logs in production
   - Stack traces blocked in production
   - Generic messages to client

FILES CHANGED:
- api/server.ts - Complete refactor with all security improvements
- api/middleware/validation.ts - NEW: Zod middleware and schemas
- api/routes/wp-monitor.ts - Added Zod validation on POST
- .env.example - Complete security documentation
- CHANGELOG.md - Full documentation of 9 fixes (3 critical + 6 high)
- package.json + package-lock.json - New dependencies

DEPENDENCIES ADDED:
- express-rate-limit@7.x
- zod@3.x
- express-openid-connect@2.x

AUDIT STATUS:
- npm audit: 0 vulnerabilities
- Hook Regra #47: PASSED

PROGRESS:
- Phase 1 (Critical): 3/3  COMPLETE
- Phase 2 (High): 6/6  COMPLETE
- Phase 3 (Medium): 0/6 - Next
- Phase 4 (Low): 0/5 - Next

Related: AUDIT-REPORT.md vulnerabilities 2.1, 2.2, 2.4, 2.5, 2.6

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-14 04:09:50 +00:00

107 lines
3.0 KiB
TypeScript
Executable File
Raw Blame History

/**
* Google Calendar Service
* @author Descomplicar® | @link descomplicar.pt | @copyright 2026
*/
import { google } from 'googleapis'
const oauth2Client = new google.auth.OAuth2(
'188617934470-pomrua9oj4459dk69jpv6qhvst9pd3f6.apps.googleusercontent.com',
'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',
'https://developers.google.com/oauthplayground'
)
oauth2Client.setCredentials({
refresh_token: '1//03AJOfA8x4_eyCgYIARAAGAMSNwF-L9Ir2hVygx8arVuZpZKJpqPsFpGCLo3pXJGC9rxpHnVw5Gki5cLWG7Ez64RcT0RFVItZ2fQ'
})
const calendar = google.calendar({ version: 'v3', auth: oauth2Client })
interface CalendarEvent {
titulo: string
hora: string
data?: string
tipo: 'personal' | 'work'
link: string
}
export async function getEvents(calendarId: string, timeMin: string, timeMax: string): Promise<CalendarEvent[]> {
try {
const response = await calendar.events.list({
calendarId,
timeMin,
timeMax,
singleEvents: true,
orderBy: 'startTime',
maxResults: 20
})
const events: CalendarEvent[] = []
const items = response.data.items || []
for (const event of items) {
const start = event.start?.dateTime || event.start?.date
if (!start) continue
const startDate = new Date(start)
const tipo = calendarId === 'primary' ? 'personal' : 'work'
events.push({
titulo: event.summary || 'Sem título',
hora: startDate.toLocaleTimeString('pt-PT', { hour: '2-digit', minute: '2-digit' }),
data: calendarId === 'primary'
? undefined
: startDate.toLocaleDateString('pt-PT', { weekday: 'short', day: '2-digit', month: '2-digit' }),
tipo,
link: event.htmlLink || '#'
})
}
return events
} catch (error) {
console.error(`Calendar error (${calendarId}):`, error)
return []
}
}
export async function getTodayEvents(): Promise<CalendarEvent[]> {
const today = new Date()
today.setHours(0, 0, 0, 0)
const tomorrow = new Date(today)
tomorrow.setDate(tomorrow.getDate() + 1)
const timeMin = today.toISOString()
const timeMax = tomorrow.toISOString()
const [personal, work] = await Promise.all([
getEvents('primary', timeMin, timeMax),
getEvents('emanuel@descomplicar.pt', timeMin, timeMax)
])
return [...personal, ...work].sort((a, b) => a.hora.localeCompare(b.hora))
}
export async function getWeekEvents(): Promise<CalendarEvent[]> {
const today = new Date()
today.setHours(0, 0, 0, 0)
const tomorrow = new Date(today)
tomorrow.setDate(tomorrow.getDate() + 1)
const nextSunday = new Date(today)
nextSunday.setDate(today.getDate() + (7 - today.getDay()))
nextSunday.setHours(23, 59, 59, 999)
const timeMin = tomorrow.toISOString()
const timeMax = nextSunday.toISOString()
const [personal, work] = await Promise.all([
getEvents('primary', timeMin, timeMax),
getEvents('emanuel@descomplicar.pt', timeMin, timeMax)
])
return [...personal, ...work].sort((a, b) => {
const dateA = a.data + a.hora
const dateB = b.data + b.hora
return dateA.localeCompare(dateB)
})
}
Reference in New Issue View Git Blame Copy Permalink