npm - cdp-edge - Versions diffs - 1.2.0 → 1.3.0 - Mend

cdp-edge 1.2.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (142) hide show

package/extracted-skill/tracking-events-generator/agents/security-enterprise-agent.md CHANGED Viewed

@@ -43,7 +43,7 @@ Browser (Cliente)          Worker (Server-Side)           APIs (Meta/Google/TikT
 ### 1.1 Token Bucket Algorithm
-```javascript
+```typescript
 // Rate limiting com token bucket
 const RATE_LIMIT_CONFIG = {
   // Limites por IP
@@ -127,7 +127,7 @@ const rateLimiters = {
 ### 1.2 Rate Limiting Middleware
-```javascript
+```typescript
 // Middleware de rate limiting
 export async function applyRateLimiting(request, env) {
   const ip = request.headers.get('CF-Connecting-IP') || 'unknown';
@@ -260,7 +260,7 @@ export async function applyRateLimiting(request, env) {
 ### 1.3 Response Headers de Rate Limiting
-```javascript
+```typescript
 // Headers de resposta com informações de rate limiting
 export function getRateLimitHeaders(checkResult) {
   const headers = {
@@ -285,7 +285,7 @@ export function getRateLimitHeaders(checkResult) {
 ### 2.1 Blacklist e Whitelist de IPs
-```javascript
+```typescript
 // Configuração de IP blocking
 const IP_BLOCKING_CONFIG = {
   // Blacklist: IPs explicitamente bloqueados
@@ -396,13 +396,13 @@ CREATE INDEX IF NOT EXISTS idx_ip_violations_blocked ON ip_violations(blocked);
 ### 2.3 IP Blocking Middleware
-```javascript
+```typescript
 // Middleware de IP blocking
 export async function checkIPBlocking(request, env) {
   const ip = request.headers.get('CF-Connecting-IP') || 'unknown';
   // 1. Verificar whitelist (primeiro - bypass rate limiting)
-  const isWhitelisted = await checkIPWhitelist(ip);
+  const isWhitelisted = await checkIPWhitelist(ip, env);
   if (isWhitelisted) {
     return {
       allowed: true,
@@ -412,7 +412,7 @@ export async function checkIPBlocking(request, env) {
   }
   // 2. Verificar blacklist manual
-  const isManuallyBlocked = await checkIPBlacklist(ip);
+  const isManuallyBlocked = await checkIPBlacklist(ip, env);
   if (isManuallyBlocked) {
     await logSecurityEvent({
       type: 'IP_BLACKLISTED',
@@ -430,7 +430,7 @@ export async function checkIPBlocking(request, env) {
   }
   // 3. Verificar geoblocking
-  const isGeoBlocked = await checkGeoBlocking(request);
+  const isGeoBlocked = await checkGeoBlocking(request, env);
   if (isGeoBlocked) {
     await logSecurityEvent({
       type: 'IP_GEO_BLOCKED',
@@ -447,7 +447,7 @@ export async function checkIPBlocking(request, env) {
   }
   // 4. Verificar bloqueio automático (comportamento malicioso)
-  const isAutoBlocked = await checkAutoIPBlocking(ip);
+  const isAutoBlocked = await checkAutoIPBlocking(ip, env);
   if (isAutoBlocked) {
     await logSecurityEvent({
       type: 'IP_AUTO_BLOCKED',
@@ -470,13 +470,13 @@ export async function checkIPBlocking(request, env) {
 }
 // Verificar se IP está na whitelist
-async function checkIPWhitelist(ip) {
+async function checkIPWhitelist(ip, env) {
   if (!IP_BLOCKING_CONFIG.whitelist.enabled) {
     return false;
   }
   // 1. Verificar whitelist manual (IP exato)
-  const manualWhitelist = await DB.prepare(`
+  const manualWhitelist = await env.DB.prepare(`
     SELECT ip, cidr_range
     FROM ip_whitelist
     WHERE ip = ?
@@ -497,8 +497,8 @@ async function checkIPWhitelist(ip) {
 }
 // Verificar se IP está na blacklist
-async function checkIPBlacklist(ip) {
-  const blocked = await DB.prepare(`
+async function checkIPBlacklist(ip, env) {
+  const blocked = await env.DB.prepare(`
     SELECT block_reason, blocked_at, unblocked_at, blocking_type, violation_count
     FROM ip_blacklist
     WHERE ip = ? AND unblocked_at IS NULL
@@ -508,7 +508,7 @@ async function checkIPBlacklist(ip) {
 }
 // Verificar geoblocking
-async function checkGeoBlocking(request) {
+async function checkGeoBlocking(request, env) {
   if (!IP_BLOCKING_CONFIG.blacklist.geo_blocking.enabled) {
     return null;
   }
@@ -527,7 +527,7 @@ async function checkGeoBlocking(request) {
 }
 // Verificar bloqueio automático por comportamento
-async function checkAutoIPBlocking(ip) {
+async function checkAutoIPBlocking(ip, env) {
   if (!IP_BLOCKING_CONFIG.blacklist.automatic.enabled) {
     return null;
   }
@@ -535,7 +535,7 @@ async function checkAutoIPBlocking(ip) {
   const config = IP_BLOCKING_CONFIG.blacklist.automatic;
   // 1. Verificar falhas por hora
-  const failuresPerHour = await DB.prepare(`
+  const failuresPerHour = await env.DB.prepare(`
     SELECT COUNT(*) as failures
     FROM ip_violations
     WHERE ip = ?
@@ -544,7 +544,7 @@ async function checkAutoIPBlocking(ip) {
   if (failuresPerHour.failures >= config.threshold_failures_per_hour) {
     // Bloquear IP automaticamente
-    await blockIPAutomatically(ip, 'EXCEEDED_FAILURES_PER_HOUR', failuresPerHour.failures);
+    await blockIPAutomatically(ip, 'EXCEEDED_FAILURES_PER_HOUR', failuresPerHour.failures, env);
     return {
       blocked: true,
       reason: 'EXCEEDED_FAILURES_PER_HOUR',
@@ -554,7 +554,7 @@ async function checkAutoIPBlocking(ip) {
   }
   // 2. Verificar falhas por dia
-  const failuresPerDay = await DB.prepare(`
+  const failuresPerDay = await env.DB.prepare(`
     SELECT COUNT(*) as failures
     FROM ip_violations
     WHERE ip = ?
@@ -562,7 +562,7 @@ async function checkAutoIPBlocking(ip) {
   `).bind(ip).get();
   if (failuresPerDay.failures >= config.threshold_failures_per_day) {
-    await blockIPAutomatically(ip, 'EXCEEDED_FAILURES_PER_DAY', failuresPerDay.failures);
+    await blockIPAutomatically(ip, 'EXCEEDED_FAILURES_PER_DAY', failuresPerDay.failures, env);
     return {
       blocked: true,
       reason: 'EXCEEDED_FAILURES_PER_DAY',
@@ -572,7 +572,7 @@ async function checkAutoIPBlocking(ip) {
   }
   // 3. Verificar erros 429 por hora
-  const rateLimitErrorsPerHour = await DB.prepare(`
+  const rateLimitErrorsPerHour = await env.DB.prepare(`
     SELECT COUNT(*) as errors
     FROM ip_violations
     WHERE ip = ?
@@ -581,7 +581,7 @@ async function checkAutoIPBlocking(ip) {
   `).bind(ip).get();
   if (rateLimitErrorsPerHour.errors >= config.threshold_429_per_hour) {
-    await blockIPAutomatically(ip, 'EXCEEDED_RATE_LIMITS_PER_HOUR', rateLimitErrorsPerHour.errors);
+    await blockIPAutomatically(ip, 'EXCEEDED_RATE_LIMITS_PER_HOUR', rateLimitErrorsPerHour.errors, env);
     return {
       blocked: true,
       reason: 'EXCEEDED_RATE_LIMITS_PER_HOUR',
@@ -594,10 +594,10 @@ async function checkAutoIPBlocking(ip) {
 }
 // Bloquear IP automaticamente
-async function blockIPAutomatically(ip, reason, count) {
+async function blockIPAutomatically(ip, reason, count, env) {
   const now = new Date().toISOString();
-  await DB.prepare(`
+  await env.DB.prepare(`
     INSERT OR REPLACE INTO ip_blacklist
     (ip, block_reason, blocked_at, blocking_type, violation_count, last_violation_type, last_violation_at)
     VALUES (?, ?, ?, ?, ?, ?, ?)
@@ -621,7 +621,7 @@ async function blockIPAutomatically(ip, reason, count) {
 ### 3.1 Schema Validation (Joi)
-```javascript
+```typescript
 // Joi schema validation (via npm package)
 import Joi from 'joi';
@@ -740,7 +740,7 @@ export async function validateEvent(eventData, eventName) {
 ### 3.2 Sanitização de Dados (Anti-XSS, Anti-Injection)
-```javascript
+```typescript
 // Sanitização de strings (anti-XSS)
 export function sanitizeString(input) {
   if (!input || typeof input !== 'string') {
@@ -925,9 +925,108 @@ export function sanitizePayload(eventData, eventName) {
 }
 ```
-### 3.3 Middleware de Validação e Sanitização
+### 3.3 CSRF Protection (Anti-Cross-Site Request Forgery)
+CSRF é relevante nos **endpoints de webhook** (Hotmart, Kiwify, Ticto) onde um atacante pode forjar requisições. A proteção é HMAC-SHA256 por assinatura — cada plataforma assina o payload com um secret compartilhado.
+```typescript
+/**
+ * Verificação CSRF via HMAC-SHA256 para webhooks de plataformas de pagamento.
+ * Cada plataforma tem seu próprio header e algoritmo.
+ *
+ * @param {Request} request
+ * @param {Object} env
+ * @param {string} gateway - 'hotmart' | 'kiwify' | 'ticto' | 'stripe'
+ * @returns {Promise<boolean>} true se assinatura válida
+ */
+export async function validateWebhookSignature(request, env, gateway) {
+  const body = await request.text(); // Ler como texto para HMAC exato
+  switch (gateway) {
+    case 'hotmart': {
+      // Hotmart: header X-Hotmart-Hottok (token fixo, não HMAC)
+      const token = request.headers.get('X-Hotmart-Hottok');
+      return token === env.WEBHOOK_SECRET_HOTMART;
+    }
+    case 'kiwify': {
+      // Kiwify: query param ?signature=HMAC_SHA256(body, secret)
+      const url = new URL(request.url);
+      const receivedSig = url.searchParams.get('signature') || '';
+      const expectedSig = await hmacSHA256(body, env.WEBHOOK_SECRET_KIWIFY);
+      return timingSafeEqual(receivedSig, expectedSig);
+    }
+    case 'ticto': {
+      // Ticto: header X-Ticto-Signature = HMAC_SHA256(body, secret)
+      const receivedSig = request.headers.get('X-Ticto-Signature') || '';
+      const expectedSig = await hmacSHA256(body, env.WEBHOOK_SECRET_TICTO);
+      return timingSafeEqual(receivedSig, expectedSig);
+    }
+    case 'stripe': {
+      // Stripe: header Stripe-Signature = t={ts},v1={HMAC}
+      const sigHeader = request.headers.get('Stripe-Signature') || '';
+      const parts = Object.fromEntries(sigHeader.split(',').map(p => p.split('=')));
+      const signedPayload = `${parts.t}.${body}`;
+      const expectedSig = await hmacSHA256(signedPayload, env.STRIPE_WEBHOOK_SECRET);
+      return timingSafeEqual(parts.v1, expectedSig);
+    }
+    default:
+      return false; // Gateway desconhecido = rejeitar
+  }
+}
+// HMAC-SHA256 usando WebCrypto (disponível em Cloudflare Workers)
+async function hmacSHA256(message, secret) {
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    'raw', encoder.encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false, ['sign']
+  );
+  const sig = await crypto.subtle.sign('HMAC', key, encoder.encode(message));
+  return Array.from(new Uint8Array(sig)).map(b => b.toString(16).padStart(2, '0')).join('');
+}
+// Comparação em tempo constante — previne timing attacks
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) {
+    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return diff === 0;
+}
+/**
+ * Uso no handler de webhook:
+ *
+ * const isValid = await validateWebhookSignature(request, env, 'hotmart');
+ * if (!isValid) return new Response('Unauthorized', { status: 401 });
+ *
+ * REGRA: Validar assinatura ANTES de parsear o body JSON.
+ * Re-clonar o request se precisar ler o body depois:
+ *   const clonedRequest = request.clone();
+ *   const valid = await validateWebhookSignature(clonedRequest, env, gateway);
+ *   const body = await request.json(); // original ainda disponível
+ */
+```
+### Checklist CSRF
-```javascript
+- [ ] HMAC validado para Hotmart, Kiwify, Ticto antes de processar
+- [ ] Rejeição 401 imediata se assinatura inválida
+- [ ] Uso de `timingSafeEqual` para prevenir timing attacks
+- [ ] Body lido como texto para HMAC (não como JSON — evita parsing antes da validação)
+- [ ] Secrets via `wrangler secret put WEBHOOK_SECRET_HOTMART` etc.
+---
+### 3.4 Middleware de Validação e Sanitização
+```typescript
 // Middleware de segurança completo
 export async function applySecurityMiddleware(request, env) {
   const ip = request.headers.get('CF-Connecting-IP') || 'unknown';
@@ -1049,7 +1148,7 @@ export async function applySecurityMiddleware(request, env) {
 ### 4.1 Configuração de Encryption
-```javascript
+```typescript
 // Configuração de encryption
 const ENCRYPTION_CONFIG = {
   // Algoritmos de hash (para enviar às plataformas)
@@ -1087,7 +1186,7 @@ const ENCRYPTION_CONFIG = {
 ### 4.2 Hashing Functions (SHA256 - Web Crypto API)
-```javascript
+```typescript
 // Hashing de email
 export async function hashEmail(email) {
   if (!email) return null;
@@ -1204,7 +1303,7 @@ export async function hashCEP(cep) {
 ### 4.3 Encryption Functions (AES-256-GCM)
-```javascript
+```typescript
 // Encriptação de dados sensíveis
 const encryptionKeys = new Map();
@@ -1348,7 +1447,7 @@ CREATE INDEX IF NOT EXISTS idx_audit_blocked ON audit_logs(blocked);
 ### 5.2 Tipos de Audit Log
-```javascript
+```typescript
 // Tipos de log de segurança
 const AUDIT_LOG_TYPES = {
   // Rate Limiting
@@ -1399,9 +1498,9 @@ const SEVERITY_LEVELS = {
 ### 5.3 Funções de Audit Logging
-```javascript
+```typescript
 // Log de evento de segurança
-export async function logSecurityEvent(eventData) {
+export async function logSecurityEvent(eventData, env) {
   const {
     type,
     severity,
@@ -1419,7 +1518,7 @@ export async function logSecurityEvent(eventData) {
   const timestamp = new Date().toISOString();
-  await DB.prepare(`
+  await env.DB.prepare(`
     INSERT INTO audit_logs
     (timestamp, ip, user_id, session_id, user_agent, event_name, event_id,
      log_type, severity, action, outcome, details, blocked)
@@ -1453,7 +1552,7 @@ export async function logSecurityEvent(eventData) {
 }
 // Query de audit logs
-export async function queryAuditLogs(filters = {}) {
+export async function queryAuditLogs(filters = {}, env) {
   const {
     ip,
     user_id,
@@ -1509,7 +1608,7 @@ export async function queryAuditLogs(filters = {}) {
   query += ' ORDER BY timestamp DESC LIMIT ?';
-  const results = await DB.prepare(query).bind(...params).all();
+  const results = await env.DB.prepare(query).bind(...params).all();
   return results;
 }
@@ -1521,7 +1620,7 @@ export async function queryAuditLogs(filters = {}) {
 ### 6.1 Endpoint: `/api/security/rate-limit-status`
-```javascript
+```typescript
 export async function getRateLimitStatus(request, env) {
   const ip = request.headers.get('CF-Connecting-IP') || 'unknown';
@@ -1539,7 +1638,7 @@ export async function getRateLimitStatus(request, env) {
         refill_rate: rateLimiters.event.get('global').refillRate
       }
     },
-    recent_violations: await DB.prepare(`
+    recent_violations: await env.DB.prepare(`
       SELECT
         log_type,
         severity,
@@ -1561,14 +1660,14 @@ export async function getRateLimitStatus(request, env) {
 ### 6.2 Endpoint: `/api/security/ip-status`
-```javascript
+```typescript
 export async function getIPStatus(request, env) {
   const ip = request.headers.get('CF-Connecting-IP') || 'unknown';
   // Verificar status do IP
-  const blacklist = await checkIPBlacklist(ip);
-  const whitelist = await checkIPWhitelist(ip);
-  const geoBlock = await checkGeoBlocking(request);
+  const blacklist = await checkIPBlacklist(ip, env);
+  const whitelist = await checkIPWhitelist(ip, env);
+  const geoBlock = await checkGeoBlocking(request, env);
   const status = {
     ip,
@@ -1577,7 +1676,7 @@ export async function getIPStatus(request, env) {
     blacklist_reason: blacklist ? blacklist.block_reason : null,
     is_geo_blocked: !!geoBlock,
     geo_details: geoBlock || null,
-    recent_violations: await DB.prepare(`
+    recent_violations: await env.DB.prepare(`
       SELECT
         COUNT(*) as violations,
         MAX(violation_count) as max_violation_count
@@ -1597,7 +1696,7 @@ export async function getIPStatus(request, env) {
 ### 6.3 Endpoint: `/api/security/audit-logs`
-```javascript
+```typescript
 export async function getAuditLogs(request, env) {
   const url = new URL(request.url);
   const filters = {
@@ -1630,10 +1729,10 @@ export async function getAuditLogs(request, env) {
 ## 🎯 FORMATO DE SAÍDA
-### DELIVERABLE 1: `security-middleware.js`
+### DELIVERABLE 1: `modules/security-middleware.ts`
-```javascript
-// security-middleware.js - Middleware de segurança completo
+```typescript
+// modules/security-middleware.ts - Middleware de segurança completo
 export {
   applyRateLimiting,
   checkIPBlocking,
@@ -1666,7 +1765,7 @@ CREATE TABLE IF NOT EXISTS audit_logs (...);
 ### DELIVERABLE 3: `security-config.js`
-```javascript
+```typescript
 // security-config.js - Configuração de segurança
 export const RATE_LIMIT_CONFIG = { ... };
 export const IP_BLOCKING_CONFIG = { ... };
@@ -1699,6 +1798,16 @@ export const SEVERITY_LEVELS = { ... };
 - [ ] CIDR ranges implementados
 - [ ] Auto-unblock implementado
+### CSRF Protection (Webhooks)
+- [ ] HMAC-SHA256 validado para Hotmart
+- [ ] HMAC-SHA256 validado para Kiwify
+- [ ] HMAC-SHA256 validado para Ticto
+- [ ] HMAC-SHA256 validado para Stripe
+- [ ] `timingSafeEqual` implementado (sem timing attacks)
+- [ ] Body lido como text antes do JSON.parse para validação HMAC
+- [ ] Secrets via `wrangler secret put` (nunca hardcode)
 ### Input Validation
 - [ ] Joi schemas criados (Lead, Purchase, Contact)