@omnizap-system/omnizap 2.6.1 → 2.6.3

package/scripts/security-web-surface-check.mjs

@@ -0,0 +1,218 @@
+#!/usr/bin/env node
+
+import { nowIso as __timeNowIso } from '#time';
+
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import process from 'node:process';
+
+const rawBaseUrl = String(process.env.SECURITY_WEB_SURFACE_BASE_URL || 'https://omnizap.shop').trim() || 'https://omnizap.shop';
+const reportPath = String(process.env.SECURITY_WEB_SURFACE_REPORT_PATH || './temp/security-web-surface-report.json').trim();
+const requestTimeoutMs = Math.max(1_000, Number(process.env.SECURITY_WEB_SURFACE_TIMEOUT_MS || 10_000));
+
+const toBaseOrigin = (value) => {
+  const raw = String(value || '').trim();
+  if (!raw) return 'https://omnizap.shop';
+  try {
+    const parsed = new URL(raw);
+    return parsed.origin;
+  } catch {
+    try {
+      const parsed = new URL(`https://${raw}`);
+      return parsed.origin;
+    } catch {
+      return 'https://omnizap.shop';
+    }
+  }
+};
+
+const baseOrigin = toBaseOrigin(rawBaseUrl);
+
+const PASS = 'PASS';
+const FAIL = 'FAIL';
+
+const STATIC_REQUIRED_HEADERS = ['content-security-policy', 'permissions-policy', 'strict-transport-security', 'x-content-type-options', 'x-frame-options'];
+
+const API_REQUIRED_HEADERS = ['content-security-policy', 'cross-origin-opener-policy', 'cross-origin-resource-policy', 'permissions-policy', 'strict-transport-security', 'x-content-type-options', 'x-frame-options'];
+
+const checks = [
+  {
+    id: 1,
+    name: 'Root static page has security headers',
+    path: '/',
+    expectedStatuses: [200],
+    requiredHeaders: STATIC_REQUIRED_HEADERS,
+  },
+  {
+    id: 2,
+    name: 'Legal page has security headers',
+    path: '/notice-and-takedown/',
+    expectedStatuses: [200],
+    requiredHeaders: STATIC_REQUIRED_HEADERS,
+  },
+  {
+    id: 3,
+    name: 'Dotenv path is not exposed',
+    path: '/.env',
+    forbiddenStatuses: [200],
+    bodyLeakPatterns: [/DB_PASSWORD|MYSQL_PASSWORD|GITHUB_TOKEN|SECRET|PRIVATE_KEY/i],
+  },
+  {
+    id: 4,
+    name: 'Unknown path does not soft-fallback with 200',
+    path: '/__security_probe_nonexistent_omnizap__.txt',
+    expectedStatuses: [404],
+  },
+  {
+    id: 5,
+    name: 'Whitespace path fuzz does not return 200',
+    path: '/assets%20/',
+    forbiddenStatuses: [200],
+  },
+  {
+    id: 6,
+    name: 'API bootstrap keeps hardened headers',
+    path: '/api/home-bootstrap',
+    expectedStatuses: [200],
+    requiredHeaders: API_REQUIRED_HEADERS,
+  },
+];
+
+const request = async (targetPath) => {
+  const normalizedPath = String(targetPath || '/').startsWith('/') ? String(targetPath || '/') : `/${String(targetPath || '/')}`;
+  const url = `${baseOrigin}${normalizedPath}`;
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), requestTimeoutMs);
+
+  try {
+    const response = await fetch(url, {
+      method: 'GET',
+      redirect: 'manual',
+      signal: controller.signal,
+    });
+    const text = await response.text();
+    return {
+      ok: true,
+      url,
+      status: response.status,
+      headers: Object.fromEntries(response.headers.entries()),
+      body: text,
+    };
+  } catch (error) {
+    return {
+      ok: false,
+      url,
+      status: null,
+      headers: {},
+      body: '',
+      error: error?.message || String(error),
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+};
+
+const summarize = (items) =>
+  items.reduce(
+    (acc, item) => {
+      acc[item.status] = (acc[item.status] || 0) + 1;
+      return acc;
+    },
+    { PASS: 0, FAIL: 0 },
+  );
+
+const runCheck = async (check) => {
+  const response = await request(check.path);
+  const reasons = [];
+
+  if (!response.ok) {
+    reasons.push(`network_error:${response.error || 'unknown'}`);
+  }
+
+  if (Array.isArray(check.expectedStatuses) && check.expectedStatuses.length > 0) {
+    if (!check.expectedStatuses.includes(response.status)) {
+      reasons.push(`unexpected_status:${response.status}`);
+    }
+  }
+
+  if (Array.isArray(check.forbiddenStatuses) && check.forbiddenStatuses.length > 0) {
+    if (check.forbiddenStatuses.includes(response.status)) {
+      reasons.push(`forbidden_status:${response.status}`);
+    }
+  }
+
+  const missingHeaders = [];
+  for (const headerName of check.requiredHeaders || []) {
+    const resolved = response.headers?.[headerName];
+    if (!resolved) missingHeaders.push(headerName);
+  }
+
+  if (missingHeaders.length > 0) {
+    reasons.push(`missing_headers:${missingHeaders.join(',')}`);
+  }
+
+  const leakPatternHit = (check.bodyLeakPatterns || []).find((pattern) => pattern.test(String(response.body || '')));
+  if (leakPatternHit) {
+    reasons.push(`body_leak_pattern:${String(leakPatternHit)}`);
+  }
+
+  return {
+    id: check.id,
+    name: check.name,
+    path: check.path,
+    status: reasons.length > 0 ? FAIL : PASS,
+    reasons,
+    evidence: {
+      url: response.url,
+      status: response.status,
+      headers: response.headers,
+      body_preview: String(response.body || '').slice(0, 240),
+    },
+  };
+};
+
+const writeReport = async (payload) => {
+  const absolutePath = path.resolve(process.cwd(), reportPath);
+  await fs.mkdir(path.dirname(absolutePath), { recursive: true });
+  await fs.writeFile(absolutePath, `${JSON.stringify(payload, null, 2)}\n`, 'utf8');
+  return absolutePath;
+};
+
+const main = async () => {
+  const startedAt = __timeNowIso();
+  const results = [];
+
+  for (const check of checks) {
+    const result = await runCheck(check);
+    results.push(result);
+    console.log(`[security-web-surface] ${String(result.id).padStart(2, '0')} ${result.name}: ${result.status}`);
+  }
+
+  const summary = summarize(results);
+  const endedAt = __timeNowIso();
+  const report = {
+    meta: {
+      base_origin: baseOrigin,
+      started_at: startedAt,
+      ended_at: endedAt,
+      timeout_ms: requestTimeoutMs,
+    },
+    summary,
+    results,
+  };
+
+  const reportAbsolutePath = await writeReport(report);
+  console.log('[security-web-surface] ---');
+  console.log(`[security-web-surface] base_origin=${baseOrigin}`);
+  console.log(`[security-web-surface] summary=${JSON.stringify(summary)}`);
+  console.log(`[security-web-surface] report_path=${reportAbsolutePath}`);
+
+  if ((summary.FAIL || 0) > 0) {
+    process.exitCode = 1;
+  }
+};
+
+main().catch((error) => {
+  console.error(`[security-web-surface] fatal_error=${error?.message || error}`);
+  process.exit(1);
+});

package/server/controllers/admin/adminPanelHandlers.js

@@ -1,7 +1,8 @@
 import { now as __timeNow, nowIso as __timeNowIso, toUnixMs as __timeNowMs } from '#time';
 import { randomUUID, randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';
-import { URLSearchParams } from 'node:url';
+import { URL, URLSearchParams } from 'node:url';
 
+import { setAdminOverviewSnapshot } from '../../../app/observability/metrics.js';
 import { parseAdminModeratorUpsertPayload, parseAdminSessionPasswordPayload } from '../../auth/validation/authSchemas.js';
 
 export const createStickerCatalogAdminHandlers = ({ executeQuery, tables, logger, sendJson, readJsonBody, parseCookies, getCookieValuesFromRequest, appendSetCookie, buildCookieString, sanitizeText, normalizeGoogleSubject, normalizeEmail, normalizeJid, toIsoOrNull, toWhatsAppPhoneDigits, mapGoogleSessionResponseData, resolveGoogleWebSessionFromRequest, revokeGoogleWebSessionsByIdentity, getMarketplaceGlobalStatsCached, getSystemSummaryCached, getFeatureFlagsSnapshot, refreshFeatureFlags, listAdminBans, createAdminBanRecord, revokeAdminBanRecord, normalizeVisitPath, stickerWebPath, findStickerPackByPackKey, stickerPackService, buildManagedPackResponseData, sendManagedMutationStatus, sendManagedPackMutationStatus, deleteManagedPackWithCleanup, mapStickerPackWebManageError, cleanupOrphanStickerAssets, invalidateStickerCatalogDerivedCaches }) => {
@@ -16,6 +17,229 @@ export const createStickerCatalogAdminHandlers = ({ executeQuery, tables, logger
   const ADMIN_PANEL_SESSION_TTL_MS = Math.max(10 * 60 * 1000, Number(process.env.ADM_PANEL_SESSION_TTL_MS) || 12 * 60 * 60 * 1000);
   const ADMIN_MODERATOR_PASSWORD_MIN_LENGTH = Math.max(6, Number(process.env.ADM_MODERATOR_PASSWORD_MIN_LENGTH) || 8);
   const ADMIN_PANEL_SESSION_COOKIE_NAME = 'omnizap_admin_panel_session';
+  const SYSTEM_ADMIN_GRAFANA_TIME_FROM = sanitizeText(process.env.SYSTEM_ADMIN_GRAFANA_TIME_FROM || 'now-6h', 40, { allowEmpty: true }) || 'now-6h';
+  const SYSTEM_ADMIN_GRAFANA_TIME_TO = sanitizeText(process.env.SYSTEM_ADMIN_GRAFANA_TIME_TO || 'now', 40, { allowEmpty: true }) || 'now';
+  const SYSTEM_ADMIN_GRAFANA_REFRESH = sanitizeText(process.env.SYSTEM_ADMIN_GRAFANA_REFRESH || '10s', 20, { allowEmpty: true }) || '10s';
+  const SYSTEM_ADMIN_GRAFANA_STATUS_TIMEOUT_MS = Math.max(800, Number(process.env.SYSTEM_ADMIN_GRAFANA_STATUS_TIMEOUT_MS) || 2500);
+  const SYSTEM_ADMIN_GRAFANA_STATUS_CACHE_TTL_MS = Math.max(5000, Number(process.env.SYSTEM_ADMIN_GRAFANA_STATUS_CACHE_TTL_MS) || 15000);
+
+  const normalizeGrafanaBaseUrl = (value) => {
+    const raw = String(value || '').trim();
+    if (!raw) return '';
+    try {
+      const parsed = new URL(raw);
+      if (!['http:', 'https:'].includes(parsed.protocol)) return '';
+      const normalizedPathname = String(parsed.pathname || '/').replace(/\/+$/, '');
+      parsed.search = '';
+      parsed.hash = '';
+      return `${parsed.origin}${normalizedPathname === '/' ? '' : normalizedPathname}`;
+    } catch {
+      return '';
+    }
+  };
+
+  const normalizeGrafanaUid = (value) =>
+    String(value || '')
+      .trim()
+      .replace(/[^a-zA-Z0-9_-]/g, '')
+      .slice(0, 120);
+
+  const slugifyGrafanaDashboard = (value) => {
+    const raw = String(value || '')
+      .trim()
+      .toLowerCase();
+    const slug = raw
+      .replace(/[^a-z0-9]+/g, '-')
+      .replace(/^-+|-+$/g, '')
+      .slice(0, 90);
+    return slug || 'dashboard';
+  };
+
+  const parseGrafanaDashboardDefinitions = () => {
+    const raw = String(process.env.SYSTEM_ADMIN_GRAFANA_DASHBOARDS || '')
+      .split(',')
+      .map((item) => String(item || '').trim())
+      .filter(Boolean);
+
+    const parsed = raw
+      .map((entry) => {
+        const [uidPart, ...titleParts] = entry.split('|');
+        const uid = normalizeGrafanaUid(uidPart);
+        const title = sanitizeText(titleParts.join('|') || '', 90, { allowEmpty: true }) || '';
+        return uid ? { uid, title } : null;
+      })
+      .filter(Boolean);
+
+    if (parsed.length) return parsed;
+
+    return [
+      { uid: 'omnizap-system-admin', title: 'System Admin' },
+      { uid: 'omnizap-overview', title: 'Overview' },
+      { uid: 'omnizap-mysql', title: 'MySQL' },
+    ];
+  };
+
+  const buildAdminGrafanaObservabilityLinks = () => {
+    const baseUrl = normalizeGrafanaBaseUrl(process.env.SYSTEM_ADMIN_GRAFANA_URL || process.env.GRAFANA_PUBLIC_URL || '');
+    if (!baseUrl) {
+      return {
+        enabled: false,
+        base_url: null,
+        dashboards: [],
+      };
+    }
+
+    const base = new URL(`${baseUrl}/`);
+    const definitions = parseGrafanaDashboardDefinitions();
+
+    const dashboards = definitions
+      .map((entry, index) => {
+        const uid = normalizeGrafanaUid(entry?.uid || '');
+        if (!uid) return null;
+        const title = sanitizeText(entry?.title || '', 90, { allowEmpty: true }) || `Dashboard ${index + 1}`;
+        const slug = slugifyGrafanaDashboard(title || uid);
+        const viewUrl = new URL(`d/${encodeURIComponent(uid)}/${encodeURIComponent(slug)}`, base);
+        viewUrl.searchParams.set('orgId', '1');
+        viewUrl.searchParams.set('from', SYSTEM_ADMIN_GRAFANA_TIME_FROM);
+        viewUrl.searchParams.set('to', SYSTEM_ADMIN_GRAFANA_TIME_TO);
+        viewUrl.searchParams.set('refresh', SYSTEM_ADMIN_GRAFANA_REFRESH);
+
+        const embedUrl = new URL(String(viewUrl));
+        embedUrl.searchParams.set('kiosk', 'tv');
+
+        return {
+          uid,
+          title,
+          view_url: viewUrl.toString(),
+          embed_url: embedUrl.toString(),
+        };
+      })
+      .filter(Boolean);
+
+    return {
+      enabled: dashboards.length > 0,
+      base_url: baseUrl,
+      dashboards,
+    };
+  };
+  const grafanaObservabilityLinks = buildAdminGrafanaObservabilityLinks();
+  let grafanaRuntimeSnapshotCache = {
+    expires_at_ms: 0,
+    payload: null,
+  };
+
+  const resolveGrafanaHealthEndpointUrl = () => {
+    const candidates = [process.env.GRAFANA_PROXY_TARGET_URL, process.env.GRAFANA_INTERNAL_URL, process.env.SYSTEM_ADMIN_GRAFANA_URL, process.env.GRAFANA_PUBLIC_URL];
+    for (const candidate of candidates) {
+      const baseUrl = normalizeGrafanaBaseUrl(candidate);
+      if (!baseUrl) continue;
+      try {
+        return new URL('api/health', `${baseUrl}/`).toString();
+      } catch {
+        // noop
+      }
+    }
+    return '';
+  };
+
+  const getGrafanaRuntimeSnapshot = async () => {
+    const nowMs = __timeNowMs();
+    if (grafanaRuntimeSnapshotCache.payload && nowMs < grafanaRuntimeSnapshotCache.expires_at_ms) {
+      return grafanaRuntimeSnapshotCache.payload;
+    }
+
+    const dashboardsTotal = Array.isArray(grafanaObservabilityLinks?.dashboards) ? grafanaObservabilityLinks.dashboards.length : 0;
+    const baseSnapshot = {
+      enabled: Boolean(grafanaObservabilityLinks?.enabled),
+      available: false,
+      status: 'unavailable',
+      response_ms: null,
+      checked_at: __timeNowIso(),
+      http_status: null,
+      version: null,
+      database: null,
+      commit: null,
+      dashboards_total: dashboardsTotal,
+      error: null,
+    };
+
+    const healthEndpointUrl = resolveGrafanaHealthEndpointUrl();
+    if (!healthEndpointUrl) {
+      grafanaRuntimeSnapshotCache = {
+        expires_at_ms: nowMs + SYSTEM_ADMIN_GRAFANA_STATUS_CACHE_TTL_MS,
+        payload: baseSnapshot,
+      };
+      return baseSnapshot;
+    }
+
+    const controller = typeof AbortController === 'function' ? new AbortController() : null;
+    const timeoutId =
+      controller && Number.isFinite(SYSTEM_ADMIN_GRAFANA_STATUS_TIMEOUT_MS)
+        ? setTimeout(() => {
+            controller.abort();
+          }, SYSTEM_ADMIN_GRAFANA_STATUS_TIMEOUT_MS)
+        : null;
+    const startedAtMs = __timeNowMs();
+
+    try {
+      const response = await globalThis.fetch(healthEndpointUrl, {
+        method: 'GET',
+        headers: {
+          Accept: 'application/json',
+        },
+        signal: controller?.signal,
+      });
+      const responseMs = Math.max(0, __timeNowMs() - startedAtMs);
+      let payload = null;
+      try {
+        payload = await response.json();
+      } catch {
+        payload = null;
+      }
+
+      const version = sanitizeText(payload?.version || '', 40, { allowEmpty: true }) || null;
+      const commit = sanitizeText(payload?.commit || '', 80, { allowEmpty: true }) || null;
+      const database = sanitizeText(payload?.database || '', 30, { allowEmpty: true }) || null;
+      const normalizedDatabase = String(database || '')
+        .trim()
+        .toLowerCase();
+      const status = !response.ok ? 'offline' : normalizedDatabase === 'ok' ? 'online' : normalizedDatabase ? 'degraded' : 'online';
+
+      const snapshot = {
+        ...baseSnapshot,
+        available: response.ok,
+        status,
+        response_ms: responseMs,
+        checked_at: __timeNowIso(),
+        http_status: Number(response.status || 0) || null,
+        version,
+        database,
+        commit,
+      };
+      grafanaRuntimeSnapshotCache = {
+        expires_at_ms: __timeNowMs() + SYSTEM_ADMIN_GRAFANA_STATUS_CACHE_TTL_MS,
+        payload: snapshot,
+      };
+      return snapshot;
+    } catch (error) {
+      const responseMs = Math.max(0, __timeNowMs() - startedAtMs);
+      const isAbort = error?.name === 'AbortError';
+      const snapshot = {
+        ...baseSnapshot,
+        status: 'offline',
+        response_ms: responseMs,
+        checked_at: __timeNowIso(),
+        error: sanitizeText(isAbort ? 'timeout' : error?.message || 'fetch_failed', 80, { allowEmpty: true }) || 'fetch_failed',
+      };
+      grafanaRuntimeSnapshotCache = {
+        expires_at_ms: __timeNowMs() + SYSTEM_ADMIN_GRAFANA_STATUS_CACHE_TTL_MS,
+        payload: snapshot,
+      };
+      return snapshot;
+    } finally {
+      if (timeoutId) clearTimeout(timeoutId);
+    }
+  };
 
   const adminPanelSessionMap = new Map();
   let adminPanelSessionPruneAt = 0;
@@ -957,7 +1181,7 @@ export const createStickerCatalogAdminHandlers = ({ executeQuery, tables, logger
   };
 
   const buildAdminOverviewPayload = async ({ adminSession = null } = {}) => {
-    const [marketplaceStats, activeSessions, knownUsers, bans, packsCountRows, stickersCountRows, recentPacks, visitSummary, systemSummaryPayload, messageFlowDaily, moderationQueue, auditLog, featureFlags] = await Promise.all([
+    const [marketplaceStats, activeSessions, knownUsers, bans, packsCountRows, stickersCountRows, recentPacks, visitSummary, systemSummaryPayload, messageFlowDaily, moderationQueue, auditLog, featureFlags, grafanaRuntimeSnapshot] = await Promise.all([
       getMarketplaceGlobalStatsCached().catch(() => null),
       listAdminActiveGoogleWebSessions({ limit: 80 }),
       listAdminKnownGoogleUsers({ limit: 120 }),
@@ -976,6 +1200,19 @@ export const createStickerCatalogAdminHandlers = ({ executeQuery, tables, logger
       buildModerationQueueSnapshot({ limit: 80 }).catch(() => []),
       listAdminAuditLog({ limit: 120 }).catch(() => []),
       listAdminFeatureFlagsDetailed({ limit: 300 }).catch(() => []),
+      getGrafanaRuntimeSnapshot().catch(() => ({
+        enabled: Boolean(grafanaObservabilityLinks?.enabled),
+        available: false,
+        status: 'offline',
+        response_ms: null,
+        checked_at: __timeNowIso(),
+        http_status: null,
+        version: null,
+        database: null,
+        commit: null,
+        dashboards_total: Array.isArray(grafanaObservabilityLinks?.dashboards) ? grafanaObservabilityLinks.dashboards.length : 0,
+        error: 'runtime_snapshot_failed',
+      })),
     ]);
 
     const systemSummary = systemSummaryPayload?.data || null;
@@ -997,7 +1234,7 @@ export const createStickerCatalogAdminHandlers = ({ executeQuery, tables, logger
       systemMeta,
     });
 
-    return {
+    const overviewPayload = {
       admin_session: mapAdminPanelSessionResponseData(adminSession),
       marketplace_stats: marketplaceStats,
       counters: {
@@ -1045,9 +1282,22 @@ export const createStickerCatalogAdminHandlers = ({ executeQuery, tables, logger
       visit_metrics: visitSummary,
       system_summary: systemSummary,
       system_meta: systemMeta,
+      observability_links: {
+        grafana: grafanaObservabilityLinks,
+      },
+      observability_runtime: {
+        grafana: grafanaRuntimeSnapshot,
+      },
       message_flow_daily: messageFlowDaily,
       updated_at: __timeNowIso(),
     };
+
+    setAdminOverviewSnapshot({
+      overview: overviewPayload,
+      source: 'admin_overview_payload',
+    });
+
+    return overviewPayload;
   };
 
   const findAdminPackContextByKey = async (rawPackKey) => {