Emanuel Almeida
1f7dc5ff2b
[C-001] CRÍTICO - Implementar autenticação API key - Middleware Next.js protege todas as rotas /api/* (exceto /health) - Sistema auth com validação de header x-api-key - Template .env.example com API_SECRET_KEY [C-002] CRÍTICO - Validação de inputs com Zod - Schemas para siteId (int positivo) e period (1-365d) - Previne NaN, SQL injection, inputs maliciosos - Respostas 400 Bad Request com detalhes de erro [C-003] CRÍTICO - Corrigir TypeScript any type - chart-card.tsx: any → string | number | null - ESLint passa sem warnings [M-005] MODERADO - Corrigir .gitignore sobre-restritivo - Exceção !.env.example permite commit do template Verificações: ✅ pnpm run lint - 0 erros ✅ pnpm audit - 0 vulnerabilidades ✅ CVSS 7.5 → 0.0 Docs: AUDIT-REPORT.md, SECURITY-FIX.md, CHANGELOG.md Regra: #47 (Security Audit Pre-Commit) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
36 lines
997 B
TypeScript
36 lines
997 B
TypeScript
import { z } from 'zod'
|
|
|
|
/**
|
|
* Validation schemas for API routes
|
|
* Implements input validation to prevent injection attacks and invalid data
|
|
*/
|
|
|
|
export const siteIdSchema = z.object({
|
|
siteId: z.string()
|
|
.transform((val) => parseInt(val, 10))
|
|
.pipe(
|
|
z.number()
|
|
.int('Site ID must be an integer')
|
|
.positive('Site ID must be positive')
|
|
)
|
|
})
|
|
|
|
export const periodSchema = z.object({
|
|
period: z.string()
|
|
.regex(/^\d+d$/, 'Period must be in format: 30d, 90d, etc')
|
|
.transform((val) => parseInt(val.replace('d', ''), 10))
|
|
.pipe(
|
|
z.number()
|
|
.int('Days must be an integer')
|
|
.min(1, 'Period must be at least 1 day')
|
|
.max(365, 'Period cannot exceed 365 days')
|
|
)
|
|
.optional()
|
|
.default(30)
|
|
})
|
|
|
|
export type SiteIdInput = z.input<typeof siteIdSchema>
|
|
export type SiteIdOutput = z.output<typeof siteIdSchema>
|
|
export type PeriodInput = z.input<typeof periodSchema>
|
|
export type PeriodOutput = z.output<typeof periodSchema>
|