@easyflow/javascript-sdk 2.1.8 → 2.1.10

package/libs/security.mjs

@@ -1,217 +0,0 @@
-/**
- * Módulo de Segurança do Easyflow SDK
- * Implementa todas as proteções de segurança necessárias para distribuição via CDN
- */
-import { throwsError } from './exception-handler.mjs'
-import { NetworkError, SecurityError } from './errors.mjs'
-import { Validator } from './validator.mjs'
-import { Sanitizer } from './sanitizer.mjs'
-import { mergeHeaders } from './utils.mjs'
-import { makeFingerprint } from './fingerprint.mjs'
-
-// Configurações de segurança
-// Buscar configurações de um arquivo de configuração externo ou variáveis de ambiente
-const SECURITY_CONFIG = {
-    ALLOWED_ORIGINS: [
-        'https://easyflow.digital',
-        'https://pay.easyflow.digital',
-        'https://app.easyflow.digital',
-        'https://localhost:443',
-        'https://127.0.0.1:443',
-    ],
-    ALLOWED_DOMAINS: [
-        'easyflow.digital',
-        'pay.easyflow.digital',
-        'app.easyflow.digital',
-    ],
-    MAX_REQUESTS_PER_MINUTE: 30,
-    REQUEST_TIMEOUT: 30000,
-    DEBUG_PROTECTION: false,
-    PRODUCTION_MODE: true,
-    // Allow iframe usage for low-code platforms
-    ALLOW_IFRAME: true,
-}
-
-/**
- * Verificador de Ambiente Seguro
- */
-class EnvironmentValidator {
-    static validate() {
-        this.checkHTTPS()
-        this.checkIframe()
-        this.checkCryptoAPI()
-        this.checkTrustedTypes()
-        this.checkOrigin()
-    }
-
-    static checkHTTPS() {
-        if (
-            location.protocol !== 'https:' &&
-            location.hostname !== 'localhost' &&
-            location.hostname !== '127.0.0.1'
-        ) {
-            throwsError(new SecurityError('HTTPS required for security'))
-        }
-    }
-
-    static checkIframe() {
-        if (!SECURITY_CONFIG.ALLOW_IFRAME && window.top !== window.self) {
-            throwsError(new SecurityError('Cannot run in iframe for security'))
-        }
-    }
-
-    static checkCryptoAPI() {
-        if (!window.crypto || !window.crypto.subtle) {
-            throwsError(new SecurityError('Web Crypto API required'))
-        }
-    }
-
-    static checkTrustedTypes() {
-        if (!window.trustedTypes) {
-            console.warn('Trusted Types not supported - security reduced')
-        }
-    }
-
-    static checkOrigin() {
-        const currentOrigin = window.location.origin
-        if (!SECURITY_CONFIG.ALLOWED_ORIGINS.includes(currentOrigin)) {
-            console.warn(`Origin ${currentOrigin} not in allowed list`)
-        }
-    }
-}
-
-/**
- * Rate Limiter Avançado
- */
-class RateLimiter {
-    constructor() {
-        this.requests = new Map()
-        this.maxRequests = SECURITY_CONFIG.MAX_REQUESTS_PER_MINUTE
-        this.timeWindow = 60000
-    }
-
-    async checkLimit(identifier) {
-        const now = Date.now()
-        const userRequests = this.requests.get(identifier) || []
-        const validRequests = userRequests.filter(
-            (time) => now - time < this.timeWindow
-        )
-        if (validRequests.length >= this.maxRequests) {
-            const delay = this.calculateBackoff(validRequests.length)
-            await new Promise((resolve) => setTimeout(resolve, delay))
-            throwsError(new SecurityError('Rate limit exceeded'))
-        }
-        validRequests.push(now)
-        this.requests.set(identifier, validRequests)
-    }
-
-    calculateBackoff(requestCount) {
-        return Math.min(
-            1000 * Math.pow(2, requestCount - this.maxRequests),
-            30000
-        )
-    }
-}
-
-/**
- * Proteção contra Replay Attacks
- */
-class ReplayProtection {
-    static generateNonce() {
-        return crypto
-            .getRandomValues(new Uint8Array(16))
-            .reduce((acc, val) => acc + val.toString(16).padStart(2, '0'), '')
-    }
-}
-
-function fingerprint() {
-    return makeFingerprint() ?? Math.random().toString(10).substring(10)
-}
-
-function getSecurityHeaders(fingerprintId = fingerprint()) {
-    return {
-        'Content-Security-Policy':
-            "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';",
-        'X-Frame-Options': 'DENY',
-        'X-Content-Type-Options': 'nosniff',
-        'Referrer-Policy': 'strict-origin-when-cross-origin',
-        'X-XSS-Protection': '1; mode=block',
-        'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
-        'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
-        'X-Download-Options': 'noopen',
-        'X-Permitted-Cross-Domain-Policies': 'none',
-        'x-fingerprint-id': fingerprintId,
-        'X-Nonce': ReplayProtection.generateNonce(),
-        'X-Timestamp': Date.now().toString(),
-        'X-Client-Version': '2.1.3',
-        'X-Client-Platform': 'web',
-    }
-}
-
-function makeEmptyRequestOptions() {
-    return {
-        method: 'POST',
-        headers: {},
-        body: null,
-        mode: 'cors',
-        cache: 'no-cache',
-        credentials: 'same-origin',
-        redirect: 'error',
-        referrerPolicy: 'no-referrer',
-    }
-}
-
-class SecureFetch {
-    static async request(url, options = makeEmptyRequestOptions()) {
-        const controller = new AbortController()
-        const timeoutId = setTimeout(
-            () => controller.abort(),
-            SECURITY_CONFIG.REQUEST_TIMEOUT
-        )
-        try {
-            const headersSanitized = Sanitizer.sanitizeHeaders(options.headers)
-            const secureHeaders = mergeHeaders(
-                getSecurityHeaders(headersSanitized['x-fingerprint-id']),
-                headersSanitized
-            )
-            console.log('url', url)
-            const secureUrl = Validator.validateUrl(url)
-            const params = {
-                ...options,
-                headers: secureHeaders,
-                signal: controller.signal,
-            }
-            console.log('ALL params before fetch', params)
-            const response = await fetch(secureUrl, params)
-            clearTimeout(timeoutId)
-            if (!response.ok) {
-                throwsError(
-                    new NetworkError(
-                        `HTTP ${response.status}: ${response.statusText}`
-                    )
-                )
-            }
-            return response
-        } catch (error) {
-            console.log('Error in SecureFetch:', error)
-            clearTimeout(timeoutId)
-            throwsError(error)
-        }
-    }
-}
-
-if (typeof window !== 'undefined') {
-    try {
-        EnvironmentValidator.validate()
-    } catch (error) {
-        console.error('Security initialization failed:', error.message)
-    }
-}
-
-export {
-    EnvironmentValidator,
-    RateLimiter,
-    ReplayProtection,
-    SecureFetch,
-    SECURITY_CONFIG,
-}

package/libs/types.mjs

@@ -1,141 +0,0 @@
-/**
- * @typedef {Object} EasyflowConfig
- * @property {string} [baseUrl] - Base URL for the API (default: 'https://pay.easyflow.digital')
- * @property {string} businessId - Business identifier
- * @property {Object} [headers] - Default headers to include in all requests
- * @property {number} [timeout] - Request timeout in milliseconds
- */
-
-/**
- * @typedef {Object} Address
- * @property {string} zipCode - ZIP/Postal code
- * @property {string} street - Street name
- * @property {string} complement - Address complement (apartment, suite, etc.)
- * @property {string} neighborhood - Neighborhood/district
- * @property {string} city - City name
- * @property {string} state - State/province
- * @property {string} number - Street number
- */
-
-/**
- * @typedef {Object} LegalDocument
- * @property {'CPF'|'CNPJ'} type - Document type (CPF for individuals, CNPJ for companies)
- * @property {string} number - Document number
- */
-
-/**
- * @typedef {Object} Phone
- * @property {string} areaCode - Country area code (e.g., '+55' for Brazil)
- * @property {string} ddd - Area code (e.g., '11' for São Paulo)
- * @property {string} number - Phone number
- * @property {boolean} isMobile - Whether the phone number is mobile
- */
-
-/**
- * @typedef {Object} Business
- * @property {string} id - Business identifier
- * @property {string} name - Business name
- * @property {string} [document] - Business document (CNPJ)
- */
-
-/**
- * @typedef {Object} Customer
- * @property {string} id - Customer unique identifier
- * @property {Business} business - Business information
- * @property {string} name - Customer full name
- * @property {string} email - Customer email address
- * @property {Address} [address] - Customer billing address
- * @property {Address} [deliveryAddress] - Customer delivery address
- * @property {LegalDocument} document - Customer legal document
- * @property {Phone} phone - Customer phone information
- */
-
-/**
- * @typedef {Object} CreditCardAnon
- * @property {string} nickname - Card nickname for identification
- * @property {string} last4Numbers - Last 4 digits of the card
- * @property {Object} holder - Partial credit card holder information
- * @property {string} expiresAtMonth - Expiration month (MM format)
- * @property {string} expiresAtYear - Expiration year (YYYY format)
- * @property {string} brand - Card brand (Visa, Mastercard, etc.)
- */
-
-/**
- * @typedef {Object} PaginatedResult
- * @template T
- * @property {T[]} docs - Array of documents/items
- * @property {number} totalDocs - Total number of documents
- * @property {number} totalPages - Total number of pages
- * @property {number} currentPage - Current page number
- * @property {number} nextPage - Next page number
- * @property {boolean} hasNext - Whether there is a next page
- * @property {number} limit - Number of items per page
- */
-
-/**
- * @typedef {Object} PaymentMethod
- * @property {string} method - Payment method type
- * @property {number} amount - Amount in cents
- * @property {Object} [creditCard] - Credit card data
- * @property {Object} [pix] - PIX payment data
- * @property {Object} [bankBillet] - Bank billet data
- */
-
-/**
- * @typedef {Object} OrderData
- * @property {Object} customer - Customer information
- * @property {Array<PaymentMethod>} payments - Payment methods
- * @property {Object} [metadata] - Additional metadata
- */
-
-/**
- * @typedef {Object} Customer
- * @property {string} name - Customer name
- * @property {string} email - Customer email
- * @property {string} document - Customer document (CPF/CNPJ)
- */
-
-/**
- * @typedef {Object} CreditCardData
- * @property {string} number - Card number
- * @property {string} holderName - Card holder name
- * @property {string} expirationMonth - Expiration month
- * @property {string} expirationYear - Expiration year
- * @property {string} cvv - Security code
- */
-
-/**
- * @typedef {Object} PixData
- * @property {string} [qrCode] - PIX QR code (base64 image)
- * @property {string} [copyAndPasteCode] - PIX copy and paste code
- */
-
-/**
- * @typedef {Object} BankBilletData
- * @property {string} [link] - Bank billet link
- * @property {string} [line] - Bank billet line (linha digitável)
- * @property {string} [barCode] - Bank billet barcode
- */
-
-/**
- * @typedef {Object} ApiResponse
- * @property {Object} [data] - Response data
- * @property {string} [error] - Error message
- * @property {number} [status] - HTTP status code
- */
-
-/**
- * @typedef {Object} OfferData
- * @property {string} id - Offer ID
- * @property {Array<Object>} items - Offer items
- * @property {Object} [metadata] - Additional metadata
- */
-
-/**
- * @typedef {Object} OrderResponse
- * @property {string} orderId - Order ID
- * @property {string} status - Order status
- * @property {Array<PaymentMethod>} payments - Payment methods
- * @property {Object} customer - Customer information
- * @property {Object} [metadata] - Additional metadata
- */