@easyflow/javascript-sdk 2.1.7

package/libs/security.mjs

@@ -0,0 +1,217 @@
+/**
+ * Módulo de Segurança do Easyflow SDK
+ * Implementa todas as proteções de segurança necessárias para distribuição via CDN
+ */
+import { throwsError } from './exception-handler.mjs'
+import { NetworkError, SecurityError } from './errors.mjs'
+import { Validator } from './validator.mjs'
+import { Sanitizer } from './sanitizer.mjs'
+import { mergeHeaders } from './utils.mjs'
+import { makeFingerprint } from './fingerprint.mjs'
+
+// Configurações de segurança
+// Buscar configurações de um arquivo de configuração externo ou variáveis de ambiente
+const SECURITY_CONFIG = {
+    ALLOWED_ORIGINS: [
+        'https://easyflow.digital',
+        'https://pay.easyflow.digital',
+        'https://app.easyflow.digital',
+        'https://localhost:443',
+        'https://127.0.0.1:443',
+    ],
+    ALLOWED_DOMAINS: [
+        'easyflow.digital',
+        'pay.easyflow.digital',
+        'app.easyflow.digital',
+    ],
+    MAX_REQUESTS_PER_MINUTE: 30,
+    REQUEST_TIMEOUT: 30000,
+    DEBUG_PROTECTION: false,
+    PRODUCTION_MODE: true,
+    // Allow iframe usage for low-code platforms
+    ALLOW_IFRAME: true,
+}
+
+/**
+ * Verificador de Ambiente Seguro
+ */
+class EnvironmentValidator {
+    static validate() {
+        this.checkHTTPS()
+        this.checkIframe()
+        this.checkCryptoAPI()
+        this.checkTrustedTypes()
+        this.checkOrigin()
+    }
+
+    static checkHTTPS() {
+        if (
+            location.protocol !== 'https:' &&
+            location.hostname !== 'localhost' &&
+            location.hostname !== '127.0.0.1'
+        ) {
+            throwsError(new SecurityError('HTTPS required for security'))
+        }
+    }
+
+    static checkIframe() {
+        if (!SECURITY_CONFIG.ALLOW_IFRAME && window.top !== window.self) {
+            throwsError(new SecurityError('Cannot run in iframe for security'))
+        }
+    }
+
+    static checkCryptoAPI() {
+        if (!window.crypto || !window.crypto.subtle) {
+            throwsError(new SecurityError('Web Crypto API required'))
+        }
+    }
+
+    static checkTrustedTypes() {
+        if (!window.trustedTypes) {
+            console.warn('Trusted Types not supported - security reduced')
+        }
+    }
+
+    static checkOrigin() {
+        const currentOrigin = window.location.origin
+        if (!SECURITY_CONFIG.ALLOWED_ORIGINS.includes(currentOrigin)) {
+            console.warn(`Origin ${currentOrigin} not in allowed list`)
+        }
+    }
+}
+
+/**
+ * Rate Limiter Avançado
+ */
+class RateLimiter {
+    constructor() {
+        this.requests = new Map()
+        this.maxRequests = SECURITY_CONFIG.MAX_REQUESTS_PER_MINUTE
+        this.timeWindow = 60000
+    }
+
+    async checkLimit(identifier) {
+        const now = Date.now()
+        const userRequests = this.requests.get(identifier) || []
+        const validRequests = userRequests.filter(
+            (time) => now - time < this.timeWindow
+        )
+        if (validRequests.length >= this.maxRequests) {
+            const delay = this.calculateBackoff(validRequests.length)
+            await new Promise((resolve) => setTimeout(resolve, delay))
+            throwsError(new SecurityError('Rate limit exceeded'))
+        }
+        validRequests.push(now)
+        this.requests.set(identifier, validRequests)
+    }
+
+    calculateBackoff(requestCount) {
+        return Math.min(
+            1000 * Math.pow(2, requestCount - this.maxRequests),
+            30000
+        )
+    }
+}
+
+/**
+ * Proteção contra Replay Attacks
+ */
+class ReplayProtection {
+    static generateNonce() {
+        return crypto
+            .getRandomValues(new Uint8Array(16))
+            .reduce((acc, val) => acc + val.toString(16).padStart(2, '0'), '')
+    }
+}
+
+function fingerprint() {
+    return makeFingerprint() ?? Math.random().toString(10).substring(10)
+}
+
+function getSecurityHeaders(fingerprintId = fingerprint()) {
+    return {
+        'Content-Security-Policy':
+            "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';",
+        'X-Frame-Options': 'DENY',
+        'X-Content-Type-Options': 'nosniff',
+        'Referrer-Policy': 'strict-origin-when-cross-origin',
+        'X-XSS-Protection': '1; mode=block',
+        'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
+        'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
+        'X-Download-Options': 'noopen',
+        'X-Permitted-Cross-Domain-Policies': 'none',
+        'x-fingerprint-id': fingerprintId,
+        'X-Nonce': ReplayProtection.generateNonce(),
+        'X-Timestamp': Date.now().toString(),
+        'X-Client-Version': '2.1.3',
+        'X-Client-Platform': 'web',
+    }
+}
+
+function makeEmptyRequestOptions() {
+    return {
+        method: 'POST',
+        headers: {},
+        body: null,
+        mode: 'cors',
+        cache: 'no-cache',
+        credentials: 'same-origin',
+        redirect: 'error',
+        referrerPolicy: 'no-referrer',
+    }
+}
+
+class SecureFetch {
+    static async request(url, options = makeEmptyRequestOptions()) {
+        const controller = new AbortController()
+        const timeoutId = setTimeout(
+            () => controller.abort(),
+            SECURITY_CONFIG.REQUEST_TIMEOUT
+        )
+        try {
+            const headersSanitized = Sanitizer.sanitizeHeaders(options.headers)
+            const secureHeaders = mergeHeaders(
+                getSecurityHeaders(headersSanitized['x-fingerprint-id']),
+                headersSanitized
+            )
+            console.log('url', url)
+            const secureUrl = Validator.validateUrl(url)
+            const params = {
+                ...options,
+                headers: secureHeaders,
+                signal: controller.signal,
+            }
+            console.log('ALL params before fetch', params)
+            const response = await fetch(secureUrl, params)
+            clearTimeout(timeoutId)
+            if (!response.ok) {
+                throwsError(
+                    new NetworkError(
+                        `HTTP ${response.status}: ${response.statusText}`
+                    )
+                )
+            }
+            return response
+        } catch (error) {
+            console.log('Error in SecureFetch:', error)
+            clearTimeout(timeoutId)
+            throwsError(error)
+        }
+    }
+}
+
+if (typeof window !== 'undefined') {
+    try {
+        EnvironmentValidator.validate()
+    } catch (error) {
+        console.error('Security initialization failed:', error.message)
+    }
+}
+
+export {
+    EnvironmentValidator,
+    RateLimiter,
+    ReplayProtection,
+    SecureFetch,
+    SECURITY_CONFIG,
+}

package/libs/types.mjs

@@ -0,0 +1,141 @@
+/**
+ * @typedef {Object} EasyflowConfig
+ * @property {string} [baseUrl] - Base URL for the API (default: 'https://pay.easyflow.digital')
+ * @property {string} businessId - Business identifier
+ * @property {Object} [headers] - Default headers to include in all requests
+ * @property {number} [timeout] - Request timeout in milliseconds
+ */
+
+/**
+ * @typedef {Object} Address
+ * @property {string} zipCode - ZIP/Postal code
+ * @property {string} street - Street name
+ * @property {string} complement - Address complement (apartment, suite, etc.)
+ * @property {string} neighborhood - Neighborhood/district
+ * @property {string} city - City name
+ * @property {string} state - State/province
+ * @property {string} number - Street number
+ */
+
+/**
+ * @typedef {Object} LegalDocument
+ * @property {'CPF'|'CNPJ'} type - Document type (CPF for individuals, CNPJ for companies)
+ * @property {string} number - Document number
+ */
+
+/**
+ * @typedef {Object} Phone
+ * @property {string} areaCode - Country area code (e.g., '+55' for Brazil)
+ * @property {string} ddd - Area code (e.g., '11' for São Paulo)
+ * @property {string} number - Phone number
+ * @property {boolean} isMobile - Whether the phone number is mobile
+ */
+
+/**
+ * @typedef {Object} Business
+ * @property {string} id - Business identifier
+ * @property {string} name - Business name
+ * @property {string} [document] - Business document (CNPJ)
+ */
+
+/**
+ * @typedef {Object} Customer
+ * @property {string} id - Customer unique identifier
+ * @property {Business} business - Business information
+ * @property {string} name - Customer full name
+ * @property {string} email - Customer email address
+ * @property {Address} [address] - Customer billing address
+ * @property {Address} [deliveryAddress] - Customer delivery address
+ * @property {LegalDocument} document - Customer legal document
+ * @property {Phone} phone - Customer phone information
+ */
+
+/**
+ * @typedef {Object} CreditCardAnon
+ * @property {string} nickname - Card nickname for identification
+ * @property {string} last4Numbers - Last 4 digits of the card
+ * @property {Object} holder - Partial credit card holder information
+ * @property {string} expiresAtMonth - Expiration month (MM format)
+ * @property {string} expiresAtYear - Expiration year (YYYY format)
+ * @property {string} brand - Card brand (Visa, Mastercard, etc.)
+ */
+
+/**
+ * @typedef {Object} PaginatedResult
+ * @template T
+ * @property {T[]} docs - Array of documents/items
+ * @property {number} totalDocs - Total number of documents
+ * @property {number} totalPages - Total number of pages
+ * @property {number} currentPage - Current page number
+ * @property {number} nextPage - Next page number
+ * @property {boolean} hasNext - Whether there is a next page
+ * @property {number} limit - Number of items per page
+ */
+
+/**
+ * @typedef {Object} PaymentMethod
+ * @property {string} method - Payment method type
+ * @property {number} amount - Amount in cents
+ * @property {Object} [creditCard] - Credit card data
+ * @property {Object} [pix] - PIX payment data
+ * @property {Object} [bankBillet] - Bank billet data
+ */
+
+/**
+ * @typedef {Object} OrderData
+ * @property {Object} customer - Customer information
+ * @property {Array<PaymentMethod>} payments - Payment methods
+ * @property {Object} [metadata] - Additional metadata
+ */
+
+/**
+ * @typedef {Object} Customer
+ * @property {string} name - Customer name
+ * @property {string} email - Customer email
+ * @property {string} document - Customer document (CPF/CNPJ)
+ */
+
+/**
+ * @typedef {Object} CreditCardData
+ * @property {string} number - Card number
+ * @property {string} holderName - Card holder name
+ * @property {string} expirationMonth - Expiration month
+ * @property {string} expirationYear - Expiration year
+ * @property {string} cvv - Security code
+ */
+
+/**
+ * @typedef {Object} PixData
+ * @property {string} [qrCode] - PIX QR code (base64 image)
+ * @property {string} [copyAndPasteCode] - PIX copy and paste code
+ */
+
+/**
+ * @typedef {Object} BankBilletData
+ * @property {string} [link] - Bank billet link
+ * @property {string} [line] - Bank billet line (linha digitável)
+ * @property {string} [barCode] - Bank billet barcode
+ */
+
+/**
+ * @typedef {Object} ApiResponse
+ * @property {Object} [data] - Response data
+ * @property {string} [error] - Error message
+ * @property {number} [status] - HTTP status code
+ */
+
+/**
+ * @typedef {Object} OfferData
+ * @property {string} id - Offer ID
+ * @property {Array<Object>} items - Offer items
+ * @property {Object} [metadata] - Additional metadata
+ */
+
+/**
+ * @typedef {Object} OrderResponse
+ * @property {string} orderId - Order ID
+ * @property {string} status - Order status
+ * @property {Array<PaymentMethod>} payments - Payment methods
+ * @property {Object} customer - Customer information
+ * @property {Object} [metadata] - Additional metadata
+ */