wu-framework 1.0.5 → 1.1.0

package/src/core/wu-event-bus.js

@@ -1,46 +1,156 @@
 /**
- * 📡 WU-EVENT-BUS: ADVANCED PUB/SUB SYSTEM
+ * 📡 WU-EVENT-BUS: SECURE PUB/SUB SYSTEM
  *
  * Sistema de eventos para comunicación entre microfrontends
- * - Pub/Sub pattern
+ * - Pub/Sub pattern con validación de origen
  * - Event namespaces
  * - Wildcards
  * - Event replay
- * - Performance optimizado
+ * - Verificación de apps autorizadas
  */
 
 export class WuEventBus {
   constructor() {
-    this.listeners = new Map(); // eventName -> Set<callback>
-    this.history = []; // Event history para replay
+    this.listeners = new Map();
+    this.history = [];
+
+    // 🔐 SEGURIDAD: Registro de apps autorizadas con tokens
+    this.authorizedApps = new Map(); // appName -> { token, permissions }
+    this.trustedEvents = new Set(['wu:*', 'system:*']); // Eventos del sistema
+
     this.config = {
       maxHistory: 100,
       enableReplay: true,
       enableWildcards: true,
-      logEvents: false
+      logEvents: false,
+      // 🔐 Opciones de seguridad
+      strictMode: false, // Si true, rechaza eventos de apps no autorizadas
+      validateOrigin: true // Valida que appName sea una app registrada
     };
 
     this.stats = {
       emitted: 0,
-      subscriptions: 0
+      subscriptions: 0,
+      rejected: 0 // Eventos rechazados por seguridad
     };
+  }
 
-    console.log('[WuEventBus] 📡 Advanced event bus initialized');
+  /**
+   * 🔐 REGISTER APP: Registrar app autorizada para emitir eventos
+   * @param {string} appName - Nombre de la app
+   * @param {Object} options - { permissions: ['event:*'], token }
+   * @returns {string} Token de autorización
+   */
+  registerApp(appName, options = {}) {
+    const token = options.token || this._generateToken();
+
+    this.authorizedApps.set(appName, {
+      token,
+      permissions: options.permissions || ['*'], // Por defecto puede emitir todo
+      registeredAt: Date.now()
+    });
+
+    return token;
   }
 
   /**
-   * 📢 EMIT: Emitir evento
+   * 🔓 UNREGISTER APP: Desregistrar app
+   * @param {string} appName
+   */
+  unregisterApp(appName) {
+    this.authorizedApps.delete(appName);
+  }
+
+  /**
+   * 🔐 VALIDATE ORIGIN: Verificar que el emisor está autorizado
+   * @param {string} eventName
+   * @param {string} appName
+   * @param {string} token
+   * @returns {boolean}
+   */
+  _validateOrigin(eventName, appName, token) {
+    // Eventos del sistema siempre permitidos
+    if (this._isSystemEvent(eventName)) {
+      return true;
+    }
+
+    // Si no está en modo estricto, permitir todo
+    if (!this.config.strictMode) {
+      return true;
+    }
+
+    // Verificar que la app esté registrada
+    const appInfo = this.authorizedApps.get(appName);
+    if (!appInfo) {
+      return false;
+    }
+
+    // Verificar token si se proporciona
+    if (token && appInfo.token !== token) {
+      return false;
+    }
+
+    // Verificar permisos
+    return this._hasPermission(appInfo.permissions, eventName);
+  }
+
+  /**
+   * 🔐 HAS PERMISSION: Verificar si la app tiene permiso para el evento
+   */
+  _hasPermission(permissions, eventName) {
+    if (permissions.includes('*')) return true;
+
+    return permissions.some(pattern => {
+      if (pattern === eventName) return true;
+      if (pattern.includes('*')) {
+        return this.matchesWildcard(eventName, pattern);
+      }
+      return false;
+    });
+  }
+
+  /**
+   * 🔐 IS SYSTEM EVENT: Verificar si es un evento del sistema
+   */
+  _isSystemEvent(eventName) {
+    return eventName.startsWith('wu:') ||
+           eventName.startsWith('system:') ||
+           eventName.startsWith('app:');
+  }
+
+  /**
+   * 🔐 GENERATE TOKEN: Generar token único
+   */
+  _generateToken() {
+    return `wu_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+  }
+
+  /**
+   * 📢 EMIT: Emitir evento con validación de origen
    * @param {string} eventName - Nombre del evento
    * @param {*} data - Datos del evento
-   * @param {Object} options - Opciones { appName, timestamp, meta }
+   * @param {Object} options - { appName, timestamp, meta, token }
    */
   emit(eventName, data, options = {}) {
+    const appName = options.appName || 'unknown';
+
+    // 🔐 Validar origen si está habilitado
+    if (this.config.validateOrigin && this.config.strictMode) {
+      if (!this._validateOrigin(eventName, appName, options.token)) {
+        this.stats.rejected++;
+        console.warn(`[WuEventBus] 🚫 Event rejected: ${eventName} from ${appName} (unauthorized)`);
+        return false;
+      }
+    }
+
     const event = {
       name: eventName,
       data,
       timestamp: options.timestamp || Date.now(),
-      appName: options.appName || 'unknown',
-      meta: options.meta || {}
+      appName,
+      meta: options.meta || {},
+      // 🔐 Marcar si el origen fue verificado
+      verified: this.authorizedApps.has(appName)
     };
 
     // Agregar a historial
@@ -71,13 +181,11 @@ export class WuEventBus {
     }
 
     this.stats.emitted++;
+    return true;
   }
 
   /**
    * 👂 ON: Suscribirse a evento
-   * @param {string} eventName - Nombre del evento (puede usar wildcards: 'app.*', '*.update')
-   * @param {Function} callback - Callback a ejecutar
-   * @returns {Function} Función para desuscribirse
    */
   on(eventName, callback) {
     if (!this.listeners.has(eventName)) {
@@ -87,48 +195,36 @@ export class WuEventBus {
     this.listeners.get(eventName).add(callback);
     this.stats.subscriptions++;
 
-    // Retornar función de desuscripción
     return () => this.off(eventName, callback);
   }
 
   /**
    * 🔇 OFF: Desuscribirse de evento
-   * @param {string} eventName - Nombre del evento
-   * @param {Function} callback - Callback a remover
    */
   off(eventName, callback) {
     const listeners = this.listeners.get(eventName);
     if (listeners) {
       listeners.delete(callback);
-
-      // Limpiar si no quedan listeners
       if (listeners.size === 0) {
         this.listeners.delete(eventName);
       }
-
       this.stats.subscriptions--;
     }
   }
 
   /**
    * 🎯 ONCE: Suscribirse una sola vez
-   * @param {string} eventName - Nombre del evento
-   * @param {Function} callback - Callback a ejecutar
-   * @returns {Function} Función para desuscribirse
    */
   once(eventName, callback) {
     const wrappedCallback = (event) => {
       callback(event);
       this.off(eventName, wrappedCallback);
     };
-
     return this.on(eventName, wrappedCallback);
   }
 
   /**
-   * 🌟 WILDCARD LISTENERS: Notificar listeners con wildcards
-   * @param {string} eventName - Nombre del evento emitido
-   * @param {Object} event - Objeto del evento
+   * 🌟 WILDCARD LISTENERS
    */
   notifyWildcardListeners(eventName, event) {
     for (const [pattern, listeners] of this.listeners) {
@@ -145,41 +241,29 @@ export class WuEventBus {
   }
 
   /**
-   * 🎯 MATCHES WILDCARD: Verificar si evento coincide con patrón wildcard
-   * @param {string} eventName - Nombre del evento
-   * @param {string} pattern - Patrón con wildcards
-   * @returns {boolean}
+   * 🎯 MATCHES WILDCARD
    */
   matchesWildcard(eventName, pattern) {
-    // Si no hay wildcard, ya se procesó en listeners exactos
     if (!pattern.includes('*')) return false;
-
-    // Convertir pattern a regex
     const regexPattern = pattern
       .replace(/\./g, '\\.')
       .replace(/\*/g, '.*');
-
     const regex = new RegExp(`^${regexPattern}$`);
     return regex.test(eventName);
   }
 
   /**
-   * 📝 ADD TO HISTORY: Agregar evento al historial
-   * @param {Object} event - Evento
+   * 📝 ADD TO HISTORY
    */
   addToHistory(event) {
     this.history.push(event);
-
-    // Mantener tamaño máximo
     if (this.history.length > this.config.maxHistory) {
       this.history.shift();
     }
   }
 
   /**
-   * 🔄 REPLAY: Reproducir eventos del historial
-   * @param {string} eventNameOrPattern - Nombre o patrón de eventos a reproducir
-   * @param {Function} callback - Callback para cada evento
+   * 🔄 REPLAY
    */
   replay(eventNameOrPattern, callback) {
     const events = this.history.filter(event => {
@@ -189,8 +273,6 @@ export class WuEventBus {
       return event.name === eventNameOrPattern;
     });
 
-    console.log(`[WuEventBus] 🔄 Replaying ${events.length} events for ${eventNameOrPattern}`);
-
     events.forEach(event => {
       try {
         callback(event);
@@ -201,13 +283,11 @@ export class WuEventBus {
   }
 
   /**
-   * 🧹 CLEAR HISTORY: Limpiar historial de eventos
-   * @param {string} eventNameOrPattern - Patrón de eventos a limpiar (opcional)
+   * 🧹 CLEAR HISTORY
    */
   clearHistory(eventNameOrPattern) {
     if (!eventNameOrPattern) {
       this.history = [];
-      console.log('[WuEventBus] 🧹 Event history cleared');
       return;
     }
 
@@ -220,14 +300,14 @@ export class WuEventBus {
   }
 
   /**
-   * 📊 GET STATS: Obtener estadísticas
-   * @returns {Object}
+   * 📊 GET STATS
    */
   getStats() {
     return {
       ...this.stats,
       activeListeners: this.listeners.size,
       historySize: this.history.length,
+      authorizedApps: this.authorizedApps.size,
       listenersByEvent: Array.from(this.listeners.entries()).map(([event, listeners]) => ({
         event,
         listeners: listeners.size
@@ -236,22 +316,31 @@ export class WuEventBus {
   }
 
   /**
-   * ⚙️ CONFIGURE: Configurar event bus
-   * @param {Object} config - Nueva configuración
+   * ⚙️ CONFIGURE
    */
   configure(config) {
-    this.config = {
-      ...this.config,
-      ...config
-    };
+    this.config = { ...this.config, ...config };
+  }
+
+  /**
+   * 🔐 ENABLE STRICT MODE: Activar modo estricto de seguridad
+   */
+  enableStrictMode() {
+    this.config.strictMode = true;
+  }
+
+  /**
+   * 🔓 DISABLE STRICT MODE
+   */
+  disableStrictMode() {
+    this.config.strictMode = false;
   }
 
   /**
-   * 🗑️ REMOVE ALL: Remover todos los listeners
+   * 🗑️ REMOVE ALL
    */
   removeAll() {
     this.listeners.clear();
     this.stats.subscriptions = 0;
-    console.log('[WuEventBus] 🗑️ All listeners removed');
   }
 }

package/src/core/wu-manifest.js

@@ -1,6 +1,6 @@
 /**
- * 📋 WU-MANIFEST: SISTEMA DE MANIFIESTOS SIMPLIFICADO
- * Maneja wu.json sin complicaciones innecesarias
+ * 📋 WU-MANIFEST: SECURE MANIFEST SYSTEM
+ * Validación estricta de wu.json para seguridad
  */
 
 export class WuManifest {
@@ -8,10 +8,33 @@ export class WuManifest {
     this.cache = new Map();
     this.schemas = new Map();
 
-    // Definir schema básico
-    this.defineSchema();
+    // 🔐 Configuración de seguridad
+    this.security = {
+      maxManifestSize: 100 * 1024, // 100KB máximo
+      maxNameLength: 50,
+      maxEntryLength: 200,
+      maxExports: 100,
+      maxImports: 50,
+      maxRoutes: 100,
+      // Patrones peligrosos en paths
+      dangerousPatterns: [
+        /\.\./,           // Path traversal
+        /^\/etc\//,       // System paths
+        /^\/proc\//,
+        /^file:\/\//,     // File protocol
+        /javascript:/i,   // JS injection
+        /data:/i,         // Data URLs
+        /<script/i,       // Script tags
+        /on\w+\s*=/i      // Event handlers
+      ],
+      // Dominios bloqueados
+      blockedDomains: [
+        'evil.com',
+        'malware.com'
+      ]
+    };
 
-    console.log('[WuManifest] 📋 Manifest system initialized');
+    this.defineSchema();
   }
 
   /**
@@ -67,7 +90,19 @@ export class WuManifest {
       }
 
       const manifestText = await response.text();
-      const manifest = JSON.parse(manifestText);
+
+      // 🔐 Validar tamaño del manifest
+      if (manifestText.length > this.security.maxManifestSize) {
+        throw new Error(`Manifest too large (${manifestText.length} bytes, max ${this.security.maxManifestSize})`);
+      }
+
+      // 🔐 Intentar parsear JSON de forma segura
+      let manifest;
+      try {
+        manifest = JSON.parse(manifestText);
+      } catch (parseError) {
+        throw new Error(`Invalid JSON in manifest: ${parseError.message}`);
+      }
 
       // Validar manifest
       const validatedManifest = this.validate(manifest);
@@ -133,13 +168,64 @@ export class WuManifest {
   }
 
   /**
-   * Validar manifest contra schema
+   * 🔐 SANITIZE STRING: Limpiar string de caracteres peligrosos
+   */
+  _sanitizeString(str) {
+    if (typeof str !== 'string') return '';
+    return str
+      .replace(/[<>'"]/g, '') // Remove HTML chars
+      .replace(/[\x00-\x1F\x7F]/g, '') // Remove control chars
+      .trim();
+  }
+
+  /**
+   * 🔐 CHECK DANGEROUS PATTERNS: Verificar patrones peligrosos
+   */
+  _hasDangerousPatterns(str) {
+    if (typeof str !== 'string') return false;
+    return this.security.dangerousPatterns.some(pattern => pattern.test(str));
+  }
+
+  /**
+   * 🔐 VALIDATE URL: Verificar que URL es segura
+   */
+  _isUrlSafe(url) {
+    if (typeof url !== 'string') return false;
+
+    // Verificar patrones peligrosos
+    if (this._hasDangerousPatterns(url)) {
+      return false;
+    }
+
+    // Verificar dominios bloqueados
+    try {
+      const urlObj = new URL(url, 'http://localhost');
+      if (this.security.blockedDomains.some(d => urlObj.hostname.includes(d))) {
+        return false;
+      }
+    } catch {
+      // Si no es URL válida, verificar como path
+      if (this._hasDangerousPatterns(url)) {
+        return false;
+      }
+    }
+
+    return true;
+  }
+
+  /**
+   * Validar manifest contra schema con validación de seguridad
    * @param {Object} manifest - Manifest a validar
    * @returns {Object} Manifest validado
    */
   validate(manifest) {
     const schema = this.schemas.get('wu.json');
 
+    // 🔐 Verificar que manifest es un objeto
+    if (!manifest || typeof manifest !== 'object' || Array.isArray(manifest)) {
+      throw new Error('Manifest must be a valid object');
+    }
+
     // Verificar campos requeridos
     for (const field of schema.required) {
       if (!manifest[field]) {
@@ -147,23 +233,68 @@ export class WuManifest {
       }
     }
 
+    // 🔐 Validar nombre
+    if (typeof manifest.name !== 'string') {
+      throw new Error('name must be a string');
+    }
+    if (manifest.name.length > this.security.maxNameLength) {
+      throw new Error(`name too long (max ${this.security.maxNameLength} chars)`);
+    }
+    if (this._hasDangerousPatterns(manifest.name)) {
+      throw new Error('name contains dangerous patterns');
+    }
+
+    // 🔐 Validar entry
+    if (typeof manifest.entry !== 'string') {
+      throw new Error('entry must be a string');
+    }
+    if (manifest.entry.length > this.security.maxEntryLength) {
+      throw new Error(`entry too long (max ${this.security.maxEntryLength} chars)`);
+    }
+    if (!this._isUrlSafe(manifest.entry)) {
+      throw new Error('entry contains dangerous patterns');
+    }
+
     // Verificar tipos en sección wu
     if (manifest.wu) {
       const wu = manifest.wu;
-      const wuSchema = schema.wu;
 
       if (wu.exports && typeof wu.exports !== 'object') {
         throw new Error('wu.exports must be an object');
       }
 
+      // 🔐 Validar límites de exports
+      if (wu.exports && Object.keys(wu.exports).length > this.security.maxExports) {
+        throw new Error(`Too many exports (max ${this.security.maxExports})`);
+      }
+
+      // 🔐 Validar cada export path
+      if (wu.exports) {
+        for (const [key, path] of Object.entries(wu.exports)) {
+          if (!this._isUrlSafe(path)) {
+            throw new Error(`Dangerous export path: ${key}`);
+          }
+        }
+      }
+
       if (wu.imports && !Array.isArray(wu.imports)) {
         throw new Error('wu.imports must be an array');
       }
 
+      // 🔐 Validar límites de imports
+      if (wu.imports && wu.imports.length > this.security.maxImports) {
+        throw new Error(`Too many imports (max ${this.security.maxImports})`);
+      }
+
       if (wu.routes && !Array.isArray(wu.routes)) {
         throw new Error('wu.routes must be an array');
       }
 
+      // 🔐 Validar límites de routes
+      if (wu.routes && wu.routes.length > this.security.maxRoutes) {
+        throw new Error(`Too many routes (max ${this.security.maxRoutes})`);
+      }
+
       if (wu.permissions && !Array.isArray(wu.permissions)) {
         throw new Error('wu.permissions must be an array');
       }