@kaikybrofc/omnizap-system 2.3.1 → 2.3.2

package/server/routes/indexRouter.js

@@ -0,0 +1,203 @@
+import path from 'node:path';
+
+import { maybeHandleMetricsRequest } from './metrics/metricsRouter.js';
+import { maybeHandleHealthRequest, shouldHandleHealthPath } from './health/healthRouter.js';
+import { buildUserApiPaths, getUserRouterConfig, maybeHandleUserRequest, shouldHandleUserPath } from './user/userRouter.js';
+import { getSystemAdminRouterConfig, maybeHandleSystemAdminRequest, shouldHandleSystemAdminPath } from './admin/systemAdminRouter.js';
+import { getStickerSiteRouterConfig, maybeHandleStickerSiteRequest, shouldHandleStickerSitePath } from './stickerCatalog/stickerSiteRouter.js';
+import { getStickerDataRouterConfig, maybeHandleStickerDataRequest, shouldHandleStickerDataPath } from './stickerCatalog/stickerDataRouter.js';
+import { getStickerApiRouterConfig, maybeHandleStickerApiRequest, shouldHandleStickerApiPath } from './stickerCatalog/stickerApiRouter.js';
+
+const startsWithPath = (pathname, prefix) => {
+  if (!pathname || !prefix) return false;
+  if (pathname === prefix) return true;
+  return pathname.startsWith(`${prefix}/`);
+};
+
+const normalizeBasePath = (value, fallback) => {
+  const raw = String(value || '').trim() || fallback;
+  const withLeadingSlash = raw.startsWith('/') ? raw : `/${raw}`;
+  const withoutTrailingSlash = withLeadingSlash.length > 1 && withLeadingSlash.endsWith('/') ? withLeadingSlash.slice(0, -1) : withLeadingSlash;
+  return withoutTrailingSlash || fallback;
+};
+
+const sendNotFound = (req, res) => {
+  if (res.writableEnded) return true;
+  res.statusCode = 404;
+  res.setHeader('Content-Type', 'application/json; charset=utf-8');
+  if (req.method === 'HEAD') {
+    res.end();
+    return true;
+  }
+  res.end(JSON.stringify({ error: 'Not Found' }));
+  return true;
+};
+
+let indexRouteConfigsPromise = null;
+
+const loadUserConfigSafe = async () => {
+  try {
+    return await getUserRouterConfig();
+  } catch {
+    return {
+      webPath: '/user',
+      apiBasePath: '/api/sticker-packs',
+    };
+  }
+};
+
+const loadSystemAdminConfigSafe = async () => {
+  try {
+    return await getSystemAdminRouterConfig();
+  } catch {
+    return {
+      webPath: '/user/systemadm',
+      legacyWebPath: '/stickers/admin',
+      apiAdminBasePath: '/api/sticker-packs/admin',
+      apiAdminSessionPath: '/api/sticker-packs/admin/session',
+    };
+  }
+};
+
+const loadStickerSiteConfigSafe = async () => {
+  try {
+    return await getStickerSiteRouterConfig();
+  } catch {
+    return {
+      enabled: true,
+      webPath: '/stickers',
+      apiBasePath: '/api/sticker-packs',
+      orphanApiPath: '/api/sticker-packs/orphan-stickers',
+      dataPublicPath: '/data',
+      dataPublicDir: path.resolve(process.cwd(), 'data'),
+    };
+  }
+};
+
+const loadStickerDataConfigSafe = async () => {
+  try {
+    return await getStickerDataRouterConfig();
+  } catch {
+    return {
+      dataPublicPath: '/data',
+      dataPublicDir: path.resolve(process.cwd(), 'data'),
+    };
+  }
+};
+
+const loadStickerApiConfigSafe = async () => {
+  try {
+    return await getStickerApiRouterConfig();
+  } catch {
+    return {
+      apiBasePath: '/api/sticker-packs',
+      marketplaceStatsPath: '/api/marketplace/stats',
+    };
+  }
+};
+
+export const getIndexRouteConfigs = async () => {
+  if (!indexRouteConfigsPromise) {
+    indexRouteConfigsPromise = Promise.all([
+      loadUserConfigSafe(),
+      loadSystemAdminConfigSafe(),
+      loadStickerSiteConfigSafe(),
+      loadStickerDataConfigSafe(),
+      loadStickerApiConfigSafe(),
+    ]).then(([userConfig, systemAdminConfig, stickerSiteConfig, stickerDataConfig, stickerApiConfig]) => ({
+      userConfig,
+      systemAdminConfig,
+      stickerConfig: {
+        ...stickerSiteConfig,
+        ...stickerDataConfig,
+        ...stickerApiConfig,
+      },
+    }));
+  }
+
+  return indexRouteConfigsPromise;
+};
+
+const shouldHandleSystemAdminStep = (pathname, systemAdminConfig) => shouldHandleSystemAdminPath(pathname, systemAdminConfig);
+
+const shouldHandleUserStep = (pathname, userConfig) => shouldHandleUserPath(pathname, userConfig);
+
+const shouldHandleMetricsStep = (pathname, metricsPath) => startsWithPath(pathname, normalizeBasePath(metricsPath, '/metrics'));
+
+export const routeRequest = async (req, res, { pathname, url, metricsPath = '/metrics', configs = null } = {}) => {
+  const resolvedConfigs = configs || (await getIndexRouteConfigs());
+  const userConfig = resolvedConfigs?.userConfig || null;
+  const systemAdminConfig = resolvedConfigs?.systemAdminConfig || null;
+  const stickerConfig = resolvedConfigs?.stickerConfig || null;
+
+  // 1) Metrics
+  if (shouldHandleMetricsStep(pathname, metricsPath)) {
+    const handled = await maybeHandleMetricsRequest(req, res, { pathname, metricsPath });
+    if (handled) return true;
+    return sendNotFound(req, res);
+  }
+
+  // 2) Health checks
+  if (shouldHandleHealthPath(pathname)) {
+    const handled = await maybeHandleHealthRequest(req, res, { pathname });
+    if (handled) return true;
+    return sendNotFound(req, res);
+  }
+
+  // 3) User
+  const systemAdminCandidate = shouldHandleSystemAdminStep(pathname, systemAdminConfig);
+  if (shouldHandleUserStep(pathname, userConfig)) {
+    const handled = await maybeHandleUserRequest(req, res, { pathname, url });
+    if (handled) return true;
+
+    // Permite /user/systemadm continuar para o router de admin.
+    if (!systemAdminCandidate) return sendNotFound(req, res);
+  }
+
+  // 4) System admin + legacy /stickers/admin
+  if (systemAdminCandidate) {
+    const handled = await maybeHandleSystemAdminRequest(req, res, { pathname, url });
+    if (handled) return true;
+    return sendNotFound(req, res);
+  }
+
+  // 5) Sticker catalog apenas nos prefixes permitidos
+  if (shouldHandleStickerSitePath(pathname, stickerConfig)) {
+    const handled = await maybeHandleStickerSiteRequest(req, res, { pathname, url });
+    if (handled) return true;
+    return sendNotFound(req, res);
+  }
+
+  if (shouldHandleStickerDataPath(pathname, stickerConfig)) {
+    const handled = await maybeHandleStickerDataRequest(req, res, {
+      pathname,
+      config: {
+        dataPublicPath: stickerConfig?.dataPublicPath,
+        dataPublicDir: stickerConfig?.dataPublicDir,
+      },
+    });
+    if (handled) return true;
+    return sendNotFound(req, res);
+  }
+
+  if (shouldHandleStickerApiPath(pathname, stickerConfig)) {
+    const handled = await maybeHandleStickerApiRequest(req, res, {
+      pathname,
+      url,
+      config: {
+        apiBasePath: stickerConfig?.apiBasePath,
+        marketplaceStatsPath: stickerConfig?.marketplaceStatsPath,
+      },
+    });
+    if (handled) return true;
+    return sendNotFound(req, res);
+  }
+
+  // 6) 404 global
+  return sendNotFound(req, res);
+};
+
+export const getUserApiPathsFromConfig = (userConfig = null) => {
+  const apiBasePath = userConfig?.apiBasePath || '/api/sticker-packs';
+  return buildUserApiPaths(apiBasePath);
+};

package/server/routes/metrics/metricsRouter.js

@@ -0,0 +1,13 @@
+import { sendMetricsResponse } from '../../controllers/metricsController.js';
+
+const startsWithPath = (pathname, prefix) => {
+  if (!pathname || !prefix) return false;
+  if (pathname === prefix) return true;
+  return pathname.startsWith(`${prefix}/`);
+};
+
+export const maybeHandleMetricsRequest = async (_req, res, { pathname, metricsPath }) => {
+  if (!startsWithPath(pathname, metricsPath)) return false;
+  await sendMetricsResponse(res);
+  return true;
+};

package/server/routes/stickerCatalog/catalogHandlers/catalogAdminHttp.js

@@ -11,6 +11,31 @@ export const handleCatalogAdminRoutes = async ({ req, res, url, segments, handle
     return true;
   }
 
+  if (segments.length === 3 && segments[1] === 'users' && segments[2] === 'force-logout') {
+    await handlers.handleAdminForceLogoutRequest(req, res);
+    return true;
+  }
+
+  if (segments.length === 2 && segments[1] === 'feature-flags') {
+    await handlers.handleAdminFeatureFlagsRequest(req, res);
+    return true;
+  }
+
+  if (segments.length === 2 && segments[1] === 'ops') {
+    await handlers.handleAdminOpsActionRequest(req, res);
+    return true;
+  }
+
+  if (segments.length === 2 && segments[1] === 'search') {
+    await handlers.handleAdminSearchRequest(req, res, url);
+    return true;
+  }
+
+  if (segments.length === 2 && segments[1] === 'export') {
+    await handlers.handleAdminExportRequest(req, res, url);
+    return true;
+  }
+
   if (segments.length === 2 && segments[1] === 'moderators') {
     await handlers.handleAdminModeratorsRequest(req, res);
     return true;
@@ -27,6 +52,10 @@ export const handleCatalogAdminRoutes = async ({ req, res, url, segments, handle
   }
 
   if (segments.length === 3 && segments[1] === 'packs') {
+    if (req.method === 'DELETE') {
+      await handlers.handleAdminPackDeleteRequest(req, res, segments[2]);
+      return true;
+    }
     await handlers.handleAdminPackDetailsRequest(req, res, segments[2]);
     return true;
   }
@@ -36,11 +65,21 @@ export const handleCatalogAdminRoutes = async ({ req, res, url, segments, handle
     return true;
   }
 
+  if (segments.length === 5 && segments[1] === 'packs' && segments[3] === 'stickers') {
+    await handlers.handleAdminPackStickerDeleteRequest(req, res, segments[2], segments[4]);
+    return true;
+  }
+
   if (segments.length === 6 && segments[1] === 'packs' && segments[3] === 'stickers' && segments[5] === 'delete') {
     await handlers.handleAdminPackStickerDeleteRequest(req, res, segments[2], segments[4]);
     return true;
   }
 
+  if (segments.length === 3 && segments[1] === 'stickers') {
+    await handlers.handleAdminGlobalStickerDeleteRequest(req, res, segments[2]);
+    return true;
+  }
+
   if (segments.length === 4 && segments[1] === 'stickers' && segments[3] === 'delete') {
     await handlers.handleAdminGlobalStickerDeleteRequest(req, res, segments[2]);
     return true;
@@ -56,6 +95,11 @@ export const handleCatalogAdminRoutes = async ({ req, res, url, segments, handle
     return true;
   }
 
+  if (segments.length === 3 && segments[1] === 'bans') {
+    await handlers.handleAdminBanRevokeRequest(req, res, segments[2]);
+    return true;
+  }
+
   sendJson(req, res, 404, { error: 'Rota admin nao encontrada.' });
   return true;
 };

package/server/routes/stickerCatalog/stickerApiRouter.js

@@ -0,0 +1,84 @@
+import { requireAdminAuth } from '../../middleware/requireAdminAuth.js';
+import { createAdminApiRateLimit } from '../../middleware/rateLimit.js';
+
+let stickerCatalogControllerPromise = null;
+
+const loadStickerCatalogController = async () => {
+  if (!stickerCatalogControllerPromise) {
+    stickerCatalogControllerPromise = import('../../controllers/stickerCatalogController.js');
+  }
+  return stickerCatalogControllerPromise;
+};
+
+const normalizeBasePath = (value, fallback) => {
+  const raw = String(value || '').trim() || fallback;
+  const withLeadingSlash = raw.startsWith('/') ? raw : `/${raw}`;
+  const withoutTrailingSlash = withLeadingSlash.length > 1 && withLeadingSlash.endsWith('/') ? withLeadingSlash.slice(0, -1) : withLeadingSlash;
+  return withoutTrailingSlash || fallback;
+};
+
+const startsWithPath = (pathname, prefix) => {
+  if (!pathname || !prefix) return false;
+  if (pathname === prefix) return true;
+  return pathname.startsWith(`${prefix}/`);
+};
+
+const DEFAULT_STICKER_API_BASE_PATH = '/api/sticker-packs';
+const DEFAULT_MARKETPLACE_STATS_PATH = '/api/marketplace/stats';
+const ALLOWED_METHODS = new Set(['GET', 'HEAD', 'POST', 'PATCH', 'DELETE']);
+const adminApiRateLimit = createAdminApiRateLimit();
+
+const sendMethodNotAllowed = (req, res) => {
+  if (res.writableEnded) return;
+  res.statusCode = 405;
+  res.setHeader('Content-Type', 'application/json; charset=utf-8');
+  if (req.method === 'HEAD') {
+    res.end();
+    return;
+  }
+  res.end(JSON.stringify({ error: 'Method Not Allowed' }));
+};
+
+export const getStickerApiRouterConfig = async () => {
+  const controller = await loadStickerCatalogController();
+  const legacyConfig = (typeof controller?.getStickerCatalogConfig === 'function' ? controller.getStickerCatalogConfig() : null) || {};
+  return {
+    apiBasePath: normalizeBasePath(legacyConfig.apiBasePath, DEFAULT_STICKER_API_BASE_PATH),
+    marketplaceStatsPath: DEFAULT_MARKETPLACE_STATS_PATH,
+  };
+};
+
+export const shouldHandleStickerApiPath = (pathname, stickerConfig = null) => {
+  const apiBasePath = normalizeBasePath(stickerConfig?.apiBasePath, DEFAULT_STICKER_API_BASE_PATH);
+  const marketplaceStatsPath = normalizeBasePath(stickerConfig?.marketplaceStatsPath, DEFAULT_MARKETPLACE_STATS_PATH);
+  return startsWithPath(pathname, apiBasePath) || startsWithPath(pathname, marketplaceStatsPath);
+};
+
+export const maybeHandleStickerApiRequest = async (req, res, { pathname, url, config = null }) => {
+  const resolvedConfig = config || (await getStickerApiRouterConfig());
+  if (!shouldHandleStickerApiPath(pathname, resolvedConfig)) return false;
+
+  const method = String(req.method || '').toUpperCase();
+  if (!ALLOWED_METHODS.has(method)) {
+    sendMethodNotAllowed(req, res);
+    return true;
+  }
+
+  const apiBasePath = normalizeBasePath(resolvedConfig.apiBasePath, DEFAULT_STICKER_API_BASE_PATH);
+  const adminBasePath = `${apiBasePath}/admin`;
+  const adminSessionPath = `${adminBasePath}/session`;
+
+  if (startsWithPath(pathname, adminBasePath)) {
+    const allowedByRateLimit = adminApiRateLimit(req, res);
+    if (!allowedByRateLimit) return true;
+  }
+
+  if (startsWithPath(pathname, adminBasePath) && pathname !== adminSessionPath) {
+    const allowed = requireAdminAuth(req, res);
+    if (!allowed) return true;
+  }
+
+  const controller = await loadStickerCatalogController();
+  if (typeof controller?.maybeHandleStickerCatalogRequest !== 'function') return false;
+  return controller.maybeHandleStickerCatalogRequest(req, res, { pathname, url });
+};

package/server/routes/stickerCatalog/stickerDataRouter.js

@@ -0,0 +1,140 @@
+import fs from 'node:fs/promises';
+import path from 'node:path';
+
+import { safeJoin } from '../../utils/safePath.js';
+
+let stickerCatalogControllerPromise = null;
+
+const loadStickerCatalogController = async () => {
+  if (!stickerCatalogControllerPromise) {
+    stickerCatalogControllerPromise = import('../../controllers/stickerCatalogController.js');
+  }
+  return stickerCatalogControllerPromise;
+};
+
+const normalizeBasePath = (value, fallback) => {
+  const raw = String(value || '').trim() || fallback;
+  const withLeadingSlash = raw.startsWith('/') ? raw : `/${raw}`;
+  const withoutTrailingSlash = withLeadingSlash.length > 1 && withLeadingSlash.endsWith('/') ? withLeadingSlash.slice(0, -1) : withLeadingSlash;
+  return withoutTrailingSlash || fallback;
+};
+
+const startsWithPath = (pathname, prefix) => {
+  if (!pathname || !prefix) return false;
+  if (pathname === prefix) return true;
+  return pathname.startsWith(`${prefix}/`);
+};
+
+const DEFAULT_DATA_PUBLIC_PATH = '/data';
+const DEFAULT_DATA_PUBLIC_DIR = path.resolve(process.cwd(), 'data');
+const ALLOWED_EXTENSIONS = new Set(['.webp', '.png', '.jpg', '.jpeg', '.gif', '.avif', '.bmp']);
+
+const sendJson = (req, res, statusCode, payload) => {
+  if (res.writableEnded) return;
+  res.statusCode = statusCode;
+  res.setHeader('Content-Type', 'application/json; charset=utf-8');
+  if (req.method === 'HEAD') {
+    res.end();
+    return;
+  }
+  res.end(JSON.stringify(payload));
+};
+
+const resolveContentType = (extension) => {
+  if (extension === '.png') return 'image/png';
+  if (extension === '.jpg' || extension === '.jpeg') return 'image/jpeg';
+  if (extension === '.gif') return 'image/gif';
+  if (extension === '.avif') return 'image/avif';
+  if (extension === '.bmp') return 'image/bmp';
+  return 'image/webp';
+};
+
+const decodeRelativePath = (pathname, dataPublicPath) => {
+  const rawSuffix = pathname.slice(dataPublicPath.length).replace(/^\/+/, '');
+  if (!rawSuffix) return '';
+
+  const decodedSegments = rawSuffix
+    .split('/')
+    .filter(Boolean)
+    .map((segment) => decodeURIComponent(segment));
+
+  return decodedSegments.join('/');
+};
+
+export const getStickerDataRouterConfig = async () => {
+  const controller = await loadStickerCatalogController();
+  const legacyConfig = (typeof controller?.getStickerCatalogConfig === 'function' ? controller.getStickerCatalogConfig() : null) || {};
+  return {
+    dataPublicPath: normalizeBasePath(legacyConfig.dataPublicPath, DEFAULT_DATA_PUBLIC_PATH),
+    dataPublicDir: path.resolve(legacyConfig.dataPublicDir || DEFAULT_DATA_PUBLIC_DIR),
+  };
+};
+
+export const shouldHandleStickerDataPath = (pathname, stickerConfig = null) => {
+  const dataPublicPath = normalizeBasePath(stickerConfig?.dataPublicPath, DEFAULT_DATA_PUBLIC_PATH);
+  return startsWithPath(pathname, dataPublicPath);
+};
+
+export const maybeHandleStickerDataRequest = async (req, res, { pathname, config = null }) => {
+  const resolvedConfig = config || (await getStickerDataRouterConfig());
+  const dataPublicPath = normalizeBasePath(resolvedConfig.dataPublicPath, DEFAULT_DATA_PUBLIC_PATH);
+
+  if (!shouldHandleStickerDataPath(pathname, resolvedConfig)) return false;
+
+  if (!['GET', 'HEAD'].includes(req.method || '')) {
+    sendJson(req, res, 405, { error: 'Method Not Allowed' });
+    return true;
+  }
+
+  let relativePath = '';
+  try {
+    relativePath = decodeRelativePath(pathname, dataPublicPath);
+  } catch {
+    sendJson(req, res, 400, { error: 'Invalid path encoding' });
+    return true;
+  }
+
+  if (!relativePath) {
+    sendJson(req, res, 400, { error: 'Invalid path' });
+    return true;
+  }
+
+  const absolutePath = safeJoin(resolvedConfig.dataPublicDir, relativePath);
+  if (!absolutePath) {
+    sendJson(req, res, 400, { error: 'Invalid path' });
+    return true;
+  }
+
+  const extension = path.extname(absolutePath).toLowerCase();
+  if (!ALLOWED_EXTENSIONS.has(extension)) {
+    sendJson(req, res, 403, { error: 'Forbidden file type' });
+    return true;
+  }
+
+  try {
+    const fileStat = await fs.stat(absolutePath);
+    if (!fileStat.isFile()) {
+      sendJson(req, res, 404, { error: 'Not Found' });
+      return true;
+    }
+
+    const fileBuffer = req.method === 'HEAD' ? null : await fs.readFile(absolutePath);
+    res.statusCode = 200;
+    res.setHeader('Content-Type', resolveContentType(extension));
+    res.setHeader('Cache-Control', 'public, max-age=300');
+    if (req.method === 'HEAD') {
+      res.end();
+      return true;
+    }
+    res.end(fileBuffer);
+    return true;
+  } catch (error) {
+    if (error?.code === 'ENOENT') {
+      sendJson(req, res, 404, { error: 'Not Found' });
+      return true;
+    }
+
+    sendJson(req, res, 500, { error: 'Read error' });
+    return true;
+  }
+};

package/server/routes/stickerCatalog/stickerSiteRouter.js

@@ -0,0 +1,43 @@
+let stickerCatalogControllerPromise = null;
+
+const loadStickerCatalogController = async () => {
+  if (!stickerCatalogControllerPromise) {
+    stickerCatalogControllerPromise = import('../../controllers/stickerCatalogController.js');
+  }
+  return stickerCatalogControllerPromise;
+};
+
+const normalizeBasePath = (value, fallback) => {
+  const raw = String(value || '').trim() || fallback;
+  const withLeadingSlash = raw.startsWith('/') ? raw : `/${raw}`;
+  const withoutTrailingSlash = withLeadingSlash.length > 1 && withLeadingSlash.endsWith('/') ? withLeadingSlash.slice(0, -1) : withLeadingSlash;
+  return withoutTrailingSlash || fallback;
+};
+
+const startsWithPath = (pathname, prefix) => {
+  if (!pathname || !prefix) return false;
+  if (pathname === prefix) return true;
+  return pathname.startsWith(`${prefix}/`);
+};
+
+const DEFAULT_STICKER_WEB_PATH = '/stickers';
+
+export const getStickerSiteRouterConfig = async () => {
+  const controller = await loadStickerCatalogController();
+  const legacyConfig = (typeof controller?.getStickerCatalogConfig === 'function' ? controller.getStickerCatalogConfig() : null) || {};
+  return {
+    ...legacyConfig,
+    webPath: normalizeBasePath(legacyConfig.webPath, DEFAULT_STICKER_WEB_PATH),
+  };
+};
+
+export const shouldHandleStickerSitePath = (pathname, stickerConfig = null) => {
+  const resolvedWebPath = normalizeBasePath(stickerConfig?.webPath, DEFAULT_STICKER_WEB_PATH);
+  return pathname === '/sitemap.xml' || startsWithPath(pathname, resolvedWebPath);
+};
+
+export const maybeHandleStickerSiteRequest = async (req, res, { pathname, url }) => {
+  const controller = await loadStickerCatalogController();
+  if (typeof controller?.maybeHandleStickerCatalogRequest !== 'function') return false;
+  return controller.maybeHandleStickerCatalogRequest(req, res, { pathname, url });
+};

package/server/routes/user/userRouter.js

@@ -0,0 +1,56 @@
+let userControllerPromise = null;
+
+const loadUserController = async () => {
+  if (!userControllerPromise) {
+    userControllerPromise = import('../../controllers/userController.js');
+  }
+  return userControllerPromise;
+};
+
+const normalizeBasePath = (value, fallback) => {
+  const raw = String(value || '').trim() || fallback;
+  const withLeadingSlash = raw.startsWith('/') ? raw : `/${raw}`;
+  const withoutTrailingSlash = withLeadingSlash.length > 1 && withLeadingSlash.endsWith('/') ? withLeadingSlash.slice(0, -1) : withLeadingSlash;
+  return withoutTrailingSlash || fallback;
+};
+
+const startsWithPath = (pathname, prefix) => {
+  if (!pathname || !prefix) return false;
+  if (pathname === prefix) return true;
+  return pathname.startsWith(`${prefix}/`);
+};
+
+const DEFAULT_USER_WEB_PATH = '/user';
+const DEFAULT_STICKER_API_BASE_PATH = '/api/sticker-packs';
+
+export const buildUserApiPaths = (apiBasePath) => {
+  const resolvedApiBasePath = normalizeBasePath(apiBasePath, DEFAULT_STICKER_API_BASE_PATH);
+  return new Set([`${resolvedApiBasePath}/auth/google/session`, `${resolvedApiBasePath}/me`, `${resolvedApiBasePath}/bot-contact`]);
+};
+
+export const getUserRouterConfig = async () => {
+  const controller = await loadUserController();
+  const legacyConfig = (typeof controller?.getUserRouteConfig === 'function' ? controller.getUserRouteConfig() : null) || {};
+  return {
+    webPath: normalizeBasePath(legacyConfig.webPath, DEFAULT_USER_WEB_PATH),
+    apiBasePath: normalizeBasePath(legacyConfig.apiBasePath, DEFAULT_STICKER_API_BASE_PATH),
+  };
+};
+
+export const shouldHandleUserPath = (pathname, userConfig = null) => {
+  const resolvedConfig = userConfig || {
+    webPath: DEFAULT_USER_WEB_PATH,
+    apiBasePath: DEFAULT_STICKER_API_BASE_PATH,
+  };
+
+  if (startsWithPath(pathname, resolvedConfig.webPath)) return true;
+
+  const userApiPaths = buildUserApiPaths(resolvedConfig.apiBasePath);
+  return userApiPaths.has(pathname);
+};
+
+export const maybeHandleUserRequest = async (req, res, { pathname, url }) => {
+  const controller = await loadUserController();
+  if (typeof controller?.maybeHandleUserRequest !== 'function') return false;
+  return controller.maybeHandleUserRequest(req, res, { pathname, url });
+};

package/server/utils/safePath.js

@@ -0,0 +1,26 @@
+import path from 'node:path';
+
+/**
+ * Junta um caminho relativo de forma segura dentro de um diretório base.
+ * Retorna `null` quando detectar tentativa de path traversal.
+ */
+export const safeJoin = (baseDir, unsafePath) => {
+  const baseAbsolutePath = path.resolve(String(baseDir || '.'));
+  const normalizedUnsafePath = String(unsafePath || '')
+    .replace(/\\/g, '/')
+    .replace(/^\/+/, '');
+
+  const normalizedRelativePath = path.posix.normalize(normalizedUnsafePath);
+  if (normalizedRelativePath === '..' || normalizedRelativePath.startsWith('../') || normalizedRelativePath.includes('/../')) {
+    return null;
+  }
+
+  const safeRelativePath = normalizedRelativePath === '.' ? '' : normalizedRelativePath;
+  const resolvedPath = path.resolve(baseAbsolutePath, safeRelativePath);
+
+  if (resolvedPath !== baseAbsolutePath && !resolvedPath.startsWith(`${baseAbsolutePath}${path.sep}`)) {
+    return null;
+  }
+
+  return resolvedPath;
+};

package/server/routes/metricsRoute.js

@@ -1,7 +0,0 @@
-import { sendMetricsResponse } from '../controllers/metricsController.js';
-
-export const maybeHandleMetricsRoute = async (req, res, { pathname, metricsPath }) => {
-  if (!pathname.startsWith(metricsPath)) return false;
-  await sendMetricsResponse(res);
-  return true;
-};

package/server/routes/stickerCatalogRoute.js

@@ -1,20 +0,0 @@
-let stickerCatalogControllerPromise = null;
-
-const loadStickerCatalogController = async () => {
-  if (!stickerCatalogControllerPromise) {
-    stickerCatalogControllerPromise = import('../controllers/stickerCatalogController.js');
-  }
-  return stickerCatalogControllerPromise;
-};
-
-export const getStickerCatalogRouteConfig = async () => {
-  const controller = await loadStickerCatalogController();
-  if (typeof controller.getStickerCatalogConfig !== 'function') return null;
-  return controller.getStickerCatalogConfig();
-};
-
-export const maybeHandleStickerCatalogRoute = async (req, res, { pathname, url }) => {
-  const controller = await loadStickerCatalogController();
-  if (typeof controller.maybeHandleStickerCatalogRequest !== 'function') return false;
-  return controller.maybeHandleStickerCatalogRequest(req, res, { pathname, url });
-};