forlogic-core 2.3.5 → 2.3.7

package/.note/memory/security/lib-hardening-roadmap.md

@@ -0,0 +1,45 @@
+---
+name: Lib hardening roadmap
+description: Roadmap de hardening do forlogic-core dividido em blocos por impacto (zero-impact → opt-in → breaking)
+type: feature
+---
+
+Plano completo em `.lovable/plan.md`. Status:
+
+**Bloco 1 (patch, zero impact — IMPLEMENTADO)**
+- Headers de dev reforçados: COOP, CORP, bloqueio de TRACE/CONNECT, Vary sempre.
+- SupabaseSingleton bloqueia `apikey` em query string.
+- `errorService` usa `sanitizeErrorMessage` + `generateId('short')`.
+- `lib/utils/generateId.ts`, `lib/utils/sanitizeError.ts`.
+- `lib/validation/schemas.ts` reexportado pelo barrel.
+- `scripts/check-rls.ts` + `npm run check:rls`.
+
+**Bloco 2 (minor, opt-in — IMPLEMENTADO)**
+- Subpath `forlogic-core/edge`: requireUserJWT, requireOwnership, safeJsonParse, jsonError, rateLimit, withCors, corsPreflight, stripTechHeaders, HttpError. Standalone (sem deps de React/Supabase SDK).
+- Subpath `forlogic-core/storage`: detectMimeFromMagicBytes, validateMagicBytes, sanitizeAndRandomizeFilename, getSignedUrl, RECOMMENDED_PRIVATE_BUCKETS, SAFE_IMAGE_MIME, SAFE_DOCUMENT_MIME.
+- Subpath `forlogic-core/validation`: schemas zod (também no barrel).
+- `lib/templates/migrations/`: 01-user-owned-table.sql, 02-user-roles.sql, README.
+- `CoreProviders` ganha prop opcional `securityMode?: 'legacy' | 'strict'` (default `legacy`) + helper `getSecurityMode()`.
+- `package.json#exports` e `rollup.config.js` configurados para os 3 novos subpaths (standaloneBuilds).
+
+**Bloco 3 (major v2.0.0 — breaking, próxima fase)**
+- JWT fora de localStorage.
+- `apikey` fora da URL no Realtime.
+- CORS default restritivo (sem `*.lovable.app`).
+- SameSite=Strict em cookies.
+- Lint rule banindo `Date.now()` como ID.
+- `securityMode='strict'` vira default; flag removida em v3.
+
+## Uso pelos consumidores
+
+```ts
+// Edge Function (Deno)
+import { requireUserJWT, jsonError, rateLimit } from 'npm:forlogic-core/edge';
+
+// Browser
+import { validateMagicBytes, SAFE_IMAGE_MIME, sanitizeAndRandomizeFilename } from 'forlogic-core/storage';
+import { emailSchema, userIdSchema } from 'forlogic-core/validation';
+
+// App root
+<CoreProviders securityMode="strict">...</CoreProviders>
+```

package/dist/components/modules/ModulesContent.d.ts

@@ -17,5 +17,7 @@ export interface ModulesContentProps {
     alias?: string;
     /** Identificador do módulo de origem (de onde o menu foi aberto). Usado em analytics. */
     sourceModule?: string;
+    /** Exibe o grupo "Admin" no menu. Restrito a usuários SysAdmin. */
+    showAdminGroup?: boolean;
 }
-export declare function ModulesContent({ onModuleClick, contractedModules, onModuleInterest, nonContractedUrl, educaUrl, saberGestaoUrl, wikiUrl, alias, sourceModule, }: ModulesContentProps): import("react/jsx-runtime").JSX.Element;
+export declare function ModulesContent({ onModuleClick, contractedModules, onModuleInterest, nonContractedUrl, educaUrl, saberGestaoUrl, wikiUrl, alias, sourceModule, showAdminGroup, }: ModulesContentProps): import("react/jsx-runtime").JSX.Element;

package/dist/components/modules/ModulesDialog.d.ts

@@ -1,3 +1,3 @@
 import { ModulesDialogProps } from "./types";
-export declare function ModulesDialog({ open, onOpenChange, onModuleClick, contractedModules, onModuleInterest, educaUrl, saberGestaoUrl, wikiUrl, sourceModule, }: ModulesDialogProps): import("react/jsx-runtime").JSX.Element;
+export declare function ModulesDialog({ open, onOpenChange, onModuleClick, contractedModules, onModuleInterest, educaUrl, saberGestaoUrl, wikiUrl, sourceModule, showAdminGroup, }: ModulesDialogProps): import("react/jsx-runtime").JSX.Element;
 export default ModulesDialog;

package/dist/components/modules/types.d.ts

@@ -12,6 +12,8 @@ export interface Module {
     softwareAlias?: string;
     /** Steps do onboarding para módulos não contratados */
     onboardingSteps?: OnboardingStep[];
+    /** Quando true, o módulo é sempre tratado como contratado (não passa pelo filtro de contractedModules). */
+    alwaysContracted?: boolean;
 }
 export interface ModuleGroup {
     id: string;
@@ -38,4 +40,6 @@ export interface ModulesDialogProps {
     allModulesUrl?: string;
     /** Identificador do módulo de origem (de onde o menu foi aberto). Usado em analytics. */
     sourceModule?: string;
+    /** Quando true, inclui o card "Admin" ao final da aba Qualiex. Restrito a SysAdmin. Quando omitido, o ModulesDialog deriva de `user.isSysAdmin`. */
+    showAdminGroup?: boolean;
 }

package/dist/edge/index.d.ts

@@ -0,0 +1,98 @@
+/**
+ * forlogic-core/edge — helpers para Edge Functions (Deno) que consomem a stack.
+ *
+ * Uso típico em uma Edge Function:
+ * ```ts
+ * import { requireUserJWT, safeJsonParse, jsonError, rateLimit } from 'npm:forlogic-core/edge';
+ * import { z } from 'npm:zod';
+ *
+ * const bodySchema = z.object({ message: z.string().max(500) });
+ *
+ * Deno.serve(async (req) => {
+ *   try {
+ *     const user = await requireUserJWT(req);
+ *     const limited = await rateLimit(`msg:${user.sub}`, { max: 10, windowSec: 60 });
+ *     if (limited) return jsonError('Too many requests', 429);
+ *     const body = await safeJsonParse(req, bodySchema);
+ *     // ... lógica
+ *     return Response.json({ ok: true });
+ *   } catch (err) {
+ *     return jsonError(err);
+ *   }
+ * });
+ * ```
+ *
+ * Todos os helpers são tree-shakable e não dependem de Supabase SDK,
+ * mantendo o cold-start mínimo nas Edge Functions.
+ */
+export interface JwtPayload {
+    sub: string;
+    exp?: number;
+    iat?: number;
+    email?: string;
+    role?: string;
+    [key: string]: unknown;
+}
+export interface RateLimitOptions {
+    /** Máximo de requests permitidos dentro da janela. */
+    max: number;
+    /** Janela em segundos. */
+    windowSec: number;
+}
+export declare class HttpError extends Error {
+    status: number;
+    constructor(status: number, message: string);
+}
+/**
+ * Resposta JSON de erro segura: nunca vaza stack/detalhes técnicos para o caller.
+ * Aceita `Error`, `HttpError` ou (status, message).
+ */
+export declare function jsonError(err: unknown, status?: number): Response;
+/**
+ * Extrai e valida o JWT do header `Authorization: Bearer ...`.
+ * Apenas decodifica o payload e checa `exp` — assume que o gateway (Supabase)
+ * já validou a assinatura. Para validação criptográfica adicional, combine com `verifyJwt`.
+ */
+export declare function requireUserJWT(req: Request): Promise<JwtPayload>;
+/**
+ * Garante que o usuário autenticado é dono do recurso.
+ * Use depois de `requireUserJWT`.
+ */
+export declare function requireOwnership(userId: string, resourceOwnerId: string | null | undefined): void;
+interface ZodLike<T> {
+    parse(input: unknown): T;
+}
+/**
+ * Faz parse do body como JSON e valida com um schema zod (opcional).
+ * Limita o tamanho do payload para evitar DoS.
+ */
+export declare function safeJsonParse<T = unknown>(req: Request, schema?: ZodLike<T>, opts?: {
+    maxBytes?: number;
+}): Promise<T>;
+/**
+ * Remove headers técnicos antes de retornar a resposta ao caller.
+ * Use sempre que repassar uma `Response` vinda de Supabase REST/RPC.
+ */
+export declare function stripTechHeaders(res: Response): Response;
+/**
+ * Rate limiter in-memory (por instância Deno). Para limites cross-instance,
+ * persista em Supabase ou Upstash; este helper cobre 90% dos casos.
+ *
+ * Retorna `true` se a request DEVE ser bloqueada.
+ */
+export declare function rateLimit(key: string, opts: RateLimitOptions): boolean;
+export interface CorsOptions {
+    /** Lista explícita de origens permitidas (sem wildcard com credentials). */
+    allowedOrigins: string[];
+    allowedMethods?: string[];
+    allowedHeaders?: string[];
+    credentials?: boolean;
+}
+/**
+ * Aplica CORS seguro a uma resposta. Sempre define `Vary: Origin`.
+ * Nunca usa `*` quando `credentials=true`.
+ */
+export declare function withCors(req: Request, res: Response, opts: CorsOptions): Response;
+/** Resposta padrão para preflight OPTIONS. */
+export declare function corsPreflight(req: Request, opts: CorsOptions): Response | null;
+export {};

package/dist/edge/index.esm.js

@@ -0,0 +1,124 @@
+class HttpError extends Error {
+  constructor(status, message) {
+    super(message);
+    this.status = status;
+    this.name = "HttpError";
+  }
+}
+function jsonError(err, status = 500) {
+  if (err instanceof HttpError) {
+    return Response.json({ error: err.message }, { status: err.status });
+  }
+  if (typeof err === "string") {
+    return Response.json({ error: err }, { status });
+  }
+  const message = err instanceof Error ? err.message : "Internal error";
+  const isProd = globalThis.Deno?.env?.get?.("DENO_DEPLOYMENT_ID");
+  return Response.json(
+    { error: isProd ? "Internal error" : message },
+    { status }
+  );
+}
+function decodeJwt(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) throw new HttpError(401, "Malformed token");
+  try {
+    const payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    const padded = payload + "=".repeat((4 - payload.length % 4) % 4);
+    return JSON.parse(atob(padded));
+  } catch {
+    throw new HttpError(401, "Invalid token");
+  }
+}
+async function requireUserJWT(req) {
+  const auth = req.headers.get("authorization") ?? req.headers.get("Authorization");
+  if (!auth?.startsWith("Bearer ")) throw new HttpError(401, "Missing bearer token");
+  const token = auth.slice(7).trim();
+  if (!token) throw new HttpError(401, "Empty token");
+  const payload = decodeJwt(token);
+  if (!payload.sub) throw new HttpError(401, "Token missing sub");
+  if (payload.exp && payload.exp * 1e3 < Date.now()) {
+    throw new HttpError(401, "Token expired");
+  }
+  return payload;
+}
+function requireOwnership(userId, resourceOwnerId) {
+  if (!resourceOwnerId || userId !== resourceOwnerId) {
+    throw new HttpError(403, "Forbidden");
+  }
+}
+async function safeJsonParse(req, schema, opts = {}) {
+  const maxBytes = opts.maxBytes ?? 1e6;
+  const contentLength = Number(req.headers.get("content-length") ?? 0);
+  if (contentLength > maxBytes) throw new HttpError(413, "Payload too large");
+  let raw;
+  try {
+    raw = await req.text();
+  } catch {
+    throw new HttpError(400, "Invalid body");
+  }
+  if (raw.length > maxBytes) throw new HttpError(413, "Payload too large");
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new HttpError(400, "Invalid JSON");
+  }
+  if (schema) {
+    try {
+      return schema.parse(parsed);
+    } catch (err) {
+      throw new HttpError(400, err instanceof Error ? err.message : "Validation failed");
+    }
+  }
+  return parsed;
+}
+const TECH_HEADERS = [
+  "x-postgres-error",
+  "x-postgres-hint",
+  "x-pg-error",
+  "x-supabase-internal",
+  "x-debug",
+  "server",
+  "x-powered-by"
+];
+function stripTechHeaders(res) {
+  const headers = new Headers(res.headers);
+  for (const h of TECH_HEADERS) headers.delete(h);
+  return new Response(res.body, { status: res.status, statusText: res.statusText, headers });
+}
+const buckets = /* @__PURE__ */ new Map();
+function rateLimit(key, opts) {
+  const now = Date.now();
+  const bucket = buckets.get(key);
+  if (!bucket || bucket.resetAt < now) {
+    buckets.set(key, { count: 1, resetAt: now + opts.windowSec * 1e3 });
+    return false;
+  }
+  bucket.count++;
+  return bucket.count > opts.max;
+}
+function withCors(req, res, opts) {
+  const origin = req.headers.get("origin");
+  const headers = new Headers(res.headers);
+  headers.set("Vary", "Origin");
+  if (origin && opts.allowedOrigins.includes(origin)) {
+    headers.set("Access-Control-Allow-Origin", origin);
+    if (opts.credentials) headers.set("Access-Control-Allow-Credentials", "true");
+    headers.set(
+      "Access-Control-Allow-Methods",
+      (opts.allowedMethods ?? ["GET", "POST", "PUT", "DELETE", "OPTIONS"]).join(", ")
+    );
+    headers.set(
+      "Access-Control-Allow-Headers",
+      (opts.allowedHeaders ?? ["authorization", "content-type", "apikey"]).join(", ")
+    );
+  }
+  return new Response(res.body, { status: res.status, statusText: res.statusText, headers });
+}
+function corsPreflight(req, opts) {
+  if (req.method !== "OPTIONS") return null;
+  return withCors(req, new Response(null, { status: 204 }), opts);
+}
+
+export { HttpError, corsPreflight, jsonError, rateLimit, requireOwnership, requireUserJWT, safeJsonParse, stripTechHeaders, withCors };

package/dist/edge/index.js

@@ -0,0 +1,134 @@
+'use strict';
+
+class HttpError extends Error {
+  constructor(status, message) {
+    super(message);
+    this.status = status;
+    this.name = "HttpError";
+  }
+}
+function jsonError(err, status = 500) {
+  if (err instanceof HttpError) {
+    return Response.json({ error: err.message }, { status: err.status });
+  }
+  if (typeof err === "string") {
+    return Response.json({ error: err }, { status });
+  }
+  const message = err instanceof Error ? err.message : "Internal error";
+  const isProd = globalThis.Deno?.env?.get?.("DENO_DEPLOYMENT_ID");
+  return Response.json(
+    { error: isProd ? "Internal error" : message },
+    { status }
+  );
+}
+function decodeJwt(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) throw new HttpError(401, "Malformed token");
+  try {
+    const payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    const padded = payload + "=".repeat((4 - payload.length % 4) % 4);
+    return JSON.parse(atob(padded));
+  } catch {
+    throw new HttpError(401, "Invalid token");
+  }
+}
+async function requireUserJWT(req) {
+  const auth = req.headers.get("authorization") ?? req.headers.get("Authorization");
+  if (!auth?.startsWith("Bearer ")) throw new HttpError(401, "Missing bearer token");
+  const token = auth.slice(7).trim();
+  if (!token) throw new HttpError(401, "Empty token");
+  const payload = decodeJwt(token);
+  if (!payload.sub) throw new HttpError(401, "Token missing sub");
+  if (payload.exp && payload.exp * 1e3 < Date.now()) {
+    throw new HttpError(401, "Token expired");
+  }
+  return payload;
+}
+function requireOwnership(userId, resourceOwnerId) {
+  if (!resourceOwnerId || userId !== resourceOwnerId) {
+    throw new HttpError(403, "Forbidden");
+  }
+}
+async function safeJsonParse(req, schema, opts = {}) {
+  const maxBytes = opts.maxBytes ?? 1e6;
+  const contentLength = Number(req.headers.get("content-length") ?? 0);
+  if (contentLength > maxBytes) throw new HttpError(413, "Payload too large");
+  let raw;
+  try {
+    raw = await req.text();
+  } catch {
+    throw new HttpError(400, "Invalid body");
+  }
+  if (raw.length > maxBytes) throw new HttpError(413, "Payload too large");
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new HttpError(400, "Invalid JSON");
+  }
+  if (schema) {
+    try {
+      return schema.parse(parsed);
+    } catch (err) {
+      throw new HttpError(400, err instanceof Error ? err.message : "Validation failed");
+    }
+  }
+  return parsed;
+}
+const TECH_HEADERS = [
+  "x-postgres-error",
+  "x-postgres-hint",
+  "x-pg-error",
+  "x-supabase-internal",
+  "x-debug",
+  "server",
+  "x-powered-by"
+];
+function stripTechHeaders(res) {
+  const headers = new Headers(res.headers);
+  for (const h of TECH_HEADERS) headers.delete(h);
+  return new Response(res.body, { status: res.status, statusText: res.statusText, headers });
+}
+const buckets = /* @__PURE__ */ new Map();
+function rateLimit(key, opts) {
+  const now = Date.now();
+  const bucket = buckets.get(key);
+  if (!bucket || bucket.resetAt < now) {
+    buckets.set(key, { count: 1, resetAt: now + opts.windowSec * 1e3 });
+    return false;
+  }
+  bucket.count++;
+  return bucket.count > opts.max;
+}
+function withCors(req, res, opts) {
+  const origin = req.headers.get("origin");
+  const headers = new Headers(res.headers);
+  headers.set("Vary", "Origin");
+  if (origin && opts.allowedOrigins.includes(origin)) {
+    headers.set("Access-Control-Allow-Origin", origin);
+    if (opts.credentials) headers.set("Access-Control-Allow-Credentials", "true");
+    headers.set(
+      "Access-Control-Allow-Methods",
+      (opts.allowedMethods ?? ["GET", "POST", "PUT", "DELETE", "OPTIONS"]).join(", ")
+    );
+    headers.set(
+      "Access-Control-Allow-Headers",
+      (opts.allowedHeaders ?? ["authorization", "content-type", "apikey"]).join(", ")
+    );
+  }
+  return new Response(res.body, { status: res.status, statusText: res.statusText, headers });
+}
+function corsPreflight(req, opts) {
+  if (req.method !== "OPTIONS") return null;
+  return withCors(req, new Response(null, { status: 204 }), opts);
+}
+
+exports.HttpError = HttpError;
+exports.corsPreflight = corsPreflight;
+exports.jsonError = jsonError;
+exports.rateLimit = rateLimit;
+exports.requireOwnership = requireOwnership;
+exports.requireUserJWT = requireUserJWT;
+exports.safeJsonParse = safeJsonParse;
+exports.stripTechHeaders = stripTechHeaders;
+exports.withCors = withCors;