cdp-edge 2.0.1 → 2.0.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cdp-edge",
-  "version": "2.0.1",
+  "version": "2.0.2",
   "description": "CDP Edge - Quantum Tracking - Sistema multi-agente para tracking digital Cloudflare Native (Workers + D1)",
   "main": "dist/index.js",
   "type": "module",
@@ -23,7 +23,7 @@
     "build": "node build.js",
     "dev": "node build.js --watch",
     "test": "node test.js",
-    "test:unit": "node tests/unit/*.test.js",
+    "test:unit": "node tests/unit/normalization.test.js && node tests/unit/hashing.test.js && node tests/unit/deduplication.test.js && node tests/unit/payload-validation.test.js && node tests/unit/new-features.test.js",
     "test:unit:normalize": "node tests/unit/normalization.test.js",
     "test:unit:hash": "node tests/unit/hashing.test.js",
     "test:unit:dedup": "node tests/unit/deduplication.test.js",

package/server-edge-tracker/worker.js

@@ -151,7 +151,7 @@ async function sendMetaCapi(env, eventName, payload, request, ctx) {
     if (!res.ok) {
       const errorCode = data.error?.code || String(res.status);
       const errorMessage = data.error?.message || data.error?.error_user_msg || 'Unknown error';
-      console.error('Meta CAPI error:', JSON.stringify(data));
+      console.error('Meta CAPI error:', res.status, data.error?.message || data.error?.error_user_msg || 'unknown');
 
       // Log de falha para Feedback Loop
       if (env.DB) {
@@ -802,7 +802,7 @@ async function sendTikTokApi(env, eventName, payload, request, ctx) {
 
     const data = await res.json();
     if (!res.ok || data.code !== 0) {
-      console.error('TikTok Events API error:', JSON.stringify(data));
+      console.error('TikTok Events API error:', res.status, data.message || data.code || 'unknown');
 
       // Log de falha para Feedback Loop
       if (env.DB && ctx) {
@@ -907,8 +907,9 @@ async function sendPinterestCapi(env, eventName, payload, request, ctx) {
     );
     const data = await res.json();
     if (!res.ok) {
-      console.error('Pinterest CAPI error:', JSON.stringify(data));
-      if (env.DB && ctx) ctx.waitUntil(logApiFailure(env.DB, 'pinterest', eventName, String(res.status), JSON.stringify(data), body.data[0].event_id, JSON.stringify(body)));
+      const pinterestErrMsg = data.message || data.code || String(res.status);
+      console.error('Pinterest CAPI error:', res.status, pinterestErrMsg);
+      if (env.DB && ctx) ctx.waitUntil(logApiFailure(env.DB, 'pinterest', eventName, String(res.status), pinterestErrMsg, body.data[0].event_id, JSON.stringify(body)));
     }
     return data;
   } catch (err) {
@@ -1306,7 +1307,7 @@ async function _sendWARequest(env, body) {
       body: JSON.stringify(body),
     });
     const data = await res.json();
-    if (!res.ok) console.error('WhatsApp Meta API error:', JSON.stringify(data));
+    if (!res.ok) console.error('WhatsApp Meta API error:', res.status, data.error?.message || 'unknown');
     return { ok: res.ok, status: res.status, data };
   } catch (err) {
     console.error('WhatsApp Meta API failed:', err.message);
@@ -1452,7 +1453,7 @@ async function processWhatsAppWebhook(env, body, request, ctx) {
               'UPDATE whatsapp_contacts SET capi_sent = 1 WHERE wamid = ?'
             ).bind(wamid).run();
           } else if (!res.ok) {
-            console.error('[CTWA] Meta CAPI error:', JSON.stringify(data));
+            console.error('[CTWA] Meta CAPI error:', res.status, data.error?.message || 'unknown');
             if (env.DB) {
               await logApiFailure(env.DB, 'meta', 'Contact', data.error?.code || res.status,
                 data.error?.message || 'CTWA CAPI error', eventId, JSON.stringify(requestBody));
@@ -1931,7 +1932,7 @@ async function runIntelligenceAgent(env, runType) {
 
   // 5. Customer Match — sync semanal D1 → Meta Custom Audience
   const cmResult = await syncMetaCustomAudience(env);
-  console.log(`[Intelligence Agent] Customer Match Meta: ${JSON.stringify(cmResult)}`);
+  console.log(`[Intelligence Agent] Customer Match Meta: sent=${cmResult?.sent ?? 0}, received=${cmResult?.num_received ?? 0}`);
 
   console.log(`[Intelligence Agent] ${runType} concluído`);
 }
@@ -2000,7 +2001,7 @@ async function syncMetaCustomAudience(env) {
     const result = await res.json();
 
     if (!res.ok) {
-      console.error('[CustomerMatch] Meta erro:', JSON.stringify(result));
+      console.error('[CustomerMatch] Meta erro:', res.status, result.error?.message || 'unknown');
       return { error: result.error?.message, sent: 0 };
     }
 
@@ -3508,6 +3509,12 @@ export default {
 
     // ── POST /track — evento do browser ───────────────────────────────────────
     if (request.method === 'POST' && url.pathname === '/track') {
+      // Reject oversized payloads before reading body (64 KB limit)
+      const contentLength = parseInt(request.headers.get('Content-Length') || '0', 10);
+      if (contentLength > 65536) {
+        return new Response(JSON.stringify({ error: 'Payload muito grande' }), { status: 413, headers });
+      }
+
       let body;
       try {
         body = await request.json();
@@ -3518,6 +3525,22 @@ export default {
         );
       }
 
+      // ── Payload validation ────────────────────────────────────────────────────
+      // Reject non-object bodies and oversized string fields to prevent injection
+      if (typeof body !== 'object' || Array.isArray(body) || body === null) {
+        return new Response(JSON.stringify({ error: 'Payload inválido' }), { status: 400, headers });
+      }
+
+      const VALID_EVENT_NAMES = new Set([
+        'PageView','ViewContent','Lead','Purchase','InitiateCheckout',
+        'AddToCart','CompleteRegistration','Contact','Schedule',
+        'StartTrial','Subscribe','SubmitApplication','Search',
+        'video_start','video_25','video_50','video_75','video_complete'
+      ]);
+      const STR_FIELDS = ['email','phone','firstName','lastName','city','state','zip','userId',
+                          'utmSource','utmMedium','utmCampaign','utmContent','utmTerm',
+                          'fbclid','ttclid','gclid','transactionId','productName','currency'];
+
       const { eventName, behavioral_data, ...payload } = body;
 
       if (!eventName) {
@@ -3527,6 +3550,28 @@ export default {
         );
       }
 
+      if (typeof eventName !== 'string' || eventName.length > 64 || !VALID_EVENT_NAMES.has(eventName)) {
+        return new Response(JSON.stringify({ error: `eventName desconhecido: ${eventName.slice(0, 64)}` }), { status: 400, headers });
+      }
+
+      // Enforce max string length on known PII/UTM fields to block injection payloads
+      for (const field of STR_FIELDS) {
+        if (payload[field] !== undefined && payload[field] !== null) {
+          if (typeof payload[field] !== 'string' || payload[field].length > 512) {
+            return new Response(JSON.stringify({ error: `Campo inválido: ${field}` }), { status: 400, headers });
+          }
+        }
+      }
+
+      // value must be a non-negative number when present
+      if (payload.value !== undefined && payload.value !== null) {
+        const v = Number(payload.value);
+        if (isNaN(v) || v < 0 || v > 9_999_999) {
+          return new Response(JSON.stringify({ error: 'value fora do intervalo permitido' }), { status: 400, headers });
+        }
+        payload.value = v;
+      }
+
       // ── Extrair dados comportamentais do browser ──────────────────────────────
       // behavioral_data vem do engagement-scoring.js (engagement_score 0-5, intention_level)
       // e do BehaviorEngine (user_score 0-100)