fix(segurança): corrigir 10 vulnerabilidades do relatório de segurança

- tokens: remover aceite de expiresAt NULL e forçar TTL de 1 ano - tokens: corrigir refresh que invalidava access token anterior - xlsx: desabilitar parsing de fórmulas (CVE-2024-44294) - csp: expandir Content-Security-Policy com origens explícitas - headers: adicionar Referrer-Policy e X-Permitted-Cross-Domain-Policies - api: retornar 401 JSON em vez de redirect 302 em rotas autenticadas - health: remover version disclosure do /api/health - robots.txt: simplificar para não expor rotas internas - sitemap: corrigir URL com protocolo duplicado - criar security.txt (RFC 9116) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-09 11:01:45 +00:00 · 2026-04-04 02:47:05 +00:00
parent fd4d90a53e
commit 10afef9fec
17 changed files with 113 additions and 52 deletions
--- a/src/app/api/attachments/[attachmentId]/presign/route.ts
+++ b/src/app/api/attachments/[attachmentId]/presign/route.ts
@@ -1,7 +1,7 @@
 import { and, eq } from "drizzle-orm";
 import { NextResponse } from "next/server";
 import { attachments } from "@/db/schema";
-import { getUserId } from "@/shared/lib/auth/server";
+import { getOptionalUserSession } from "@/shared/lib/auth/server";
 import { db } from "@/shared/lib/db";
 import { createPresignedGetUrl } from "@/shared/lib/storage/presign";

@@ -13,7 +13,19 @@ export async function GET(
 	_request: Request,
 	{ params }: { params: Promise<{ attachmentId: string }> },
 ) {
-	const [userId, { attachmentId }] = await Promise.all([getUserId(), params]);
+	const [session, { attachmentId }] = await Promise.all([
+		getOptionalUserSession(),
+		params,
+	]);
+
+	if (!session?.user) {
+		return NextResponse.json(
+			{ error: "Não autenticado" },
+			{ status: 401, headers: PRIVATE_RESPONSE_HEADERS },
+		);
+	}
+
+	const userId = session.user.id;

 	const [row] = await db
 		.select({ fileKey: attachments.fileKey })
--- a/src/app/api/auth/device/refresh/route.ts
+++ b/src/app/api/auth/device/refresh/route.ts
@@ -3,7 +3,6 @@ import { NextResponse } from "next/server";
 import { apiTokens } from "@/db/schema";
 import {
 	extractBearerToken,
-	hashToken,
 	refreshAccessToken,
 	verifyJwt,
 } from "@/shared/lib/auth/api-token";
@@ -59,11 +58,11 @@ export async function POST(request: Request) {
 			);
 		}

-		// Atualizar hash do token e último uso
+		// Atualizar último uso e expiração (sem sobrescrever tokenHash,
+		// pois o JWT é auto-verificável por assinatura)
 		await db
 			.update(apiTokens)
 			.set({
-				tokenHash: hashToken(result.accessToken),
 				lastUsedAt: new Date(),
 				lastUsedIp:
 					request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ||
--- a/src/app/api/auth/device/verify/route.ts
+++ b/src/app/api/auth/device/verify/route.ts
@@ -1,7 +1,7 @@
 import { and, eq, gt, isNull } from "drizzle-orm";
 import { NextResponse } from "next/server";
 import { apiTokens } from "@/db/schema";
-import { extractBearerToken, hashToken } from "@/shared/lib/auth/api-token";
+import { extractBearerToken, verifyJwt } from "@/shared/lib/auth/api-token";
 import { db } from "@/shared/lib/db";

 export async function POST(request: Request) {
@@ -17,21 +17,21 @@ export async function POST(request: Request) {
 			);
 		}

-		// Validar token os_xxx via hash lookup
-		if (!token.startsWith("os_")) {
+		// Verificar JWT (assinatura + expiração)
+		const payload = verifyJwt(token);
+
+		if (!payload || payload.type !== "api_access") {
 			return NextResponse.json(
-				{ valid: false, error: "Formato de token inválido" },
+				{ valid: false, error: "Token inválido ou expirado" },
 				{ status: 401 },
 			);
 		}

-		// Hash do token para buscar no DB
-		const tokenHash = hashToken(token);
-
-		// Buscar token no banco
+		// Buscar token no banco por tokenId para checar revogação
 		const tokenRecord = await db.query.apiTokens.findFirst({
 			where: and(
-				eq(apiTokens.tokenHash, tokenHash),
+				eq(apiTokens.id, payload.tokenId),
+				eq(apiTokens.userId, payload.sub),
 				isNull(apiTokens.revokedAt),
 				gt(apiTokens.expiresAt, new Date()),
 			),
@@ -39,7 +39,7 @@ export async function POST(request: Request) {

 		if (!tokenRecord) {
 			return NextResponse.json(
-				{ valid: false, error: "Token inválido ou revogado" },
+				{ valid: false, error: "Token revogado ou não encontrado" },
 				{ status: 401 },
 			);
 		}
--- a/src/app/api/health/route.ts
+++ b/src/app/api/health/route.ts
@@ -1,5 +1,4 @@
 import { NextResponse } from "next/server";
-import { version as APP_VERSION } from "@/package.json";
 import { db } from "@/shared/lib/db";

 /**
@@ -20,7 +19,6 @@ export async function GET() {
 			{
 				status: "ok",
 				name: "OpenMonetis",
-				version: APP_VERSION,
 				timestamp: new Date().toISOString(),
 			},
 			{ status: 200 },
@@ -33,7 +31,6 @@ export async function GET() {
 			{
 				status: "error",
 				name: "OpenMonetis",
-				version: APP_VERSION,
 				timestamp: new Date().toISOString(),
 				message: "Database connection failed",
 			},
--- a/src/app/api/inbox/batch/route.ts
+++ b/src/app/api/inbox/batch/route.ts
@@ -1,4 +1,4 @@
-import { and, eq, gt, isNull, or } from "drizzle-orm";
+import { and, eq, gt, isNull } from "drizzle-orm";
 import { NextResponse } from "next/server";
 import { z } from "zod";
 import { apiTokens, inboxItems } from "@/db/schema";
@@ -63,7 +63,7 @@ export async function POST(request: Request) {
 			where: and(
 				eq(apiTokens.tokenHash, tokenHash),
 				isNull(apiTokens.revokedAt),
-				or(isNull(apiTokens.expiresAt), gt(apiTokens.expiresAt, new Date())),
+				gt(apiTokens.expiresAt, new Date()),
 			),
 		});

--- a/src/app/api/inbox/route.ts
+++ b/src/app/api/inbox/route.ts
@@ -1,4 +1,4 @@
-import { and, eq, gt, isNull, or } from "drizzle-orm";
+import { and, eq, gt, isNull } from "drizzle-orm";
 import { NextResponse } from "next/server";
 import { z } from "zod";
 import { apiTokens, inboxItems } from "@/db/schema";
@@ -56,7 +56,7 @@ export async function POST(request: Request) {
 			where: and(
 				eq(apiTokens.tokenHash, tokenHash),
 				isNull(apiTokens.revokedAt),
-				or(isNull(apiTokens.expiresAt), gt(apiTokens.expiresAt, new Date())),
+				gt(apiTokens.expiresAt, new Date()),
 			),
 		});

--- a/src/app/api/insights/saved/route.ts
+++ b/src/app/api/insights/saved/route.ts
@@ -3,7 +3,7 @@ import {
 	fetchSavedInsights,
 	savedInsightsPeriodSchema,
 } from "@/features/insights/queries";
-import { getUserId } from "@/shared/lib/auth/server";
+import { getOptionalUserSession } from "@/shared/lib/auth/server";

 const PRIVATE_RESPONSE_HEADERS = {
 	"Cache-Control": "private, no-store",
@@ -25,8 +25,18 @@ export async function GET(request: Request) {
 		);
 	}

-	const userId = await getUserId();
-	const insights = await fetchSavedInsights(userId, validatedPeriod.data);
+	const session = await getOptionalUserSession();
+	if (!session?.user) {
+		return NextResponse.json(
+			{ error: "Não autenticado" },
+			{ status: 401, headers: PRIVATE_RESPONSE_HEADERS },
+		);
+	}
+
+	const insights = await fetchSavedInsights(
+		session.user.id,
+		validatedPeriod.data,
+	);

 	return NextResponse.json(insights, {
 		headers: PRIVATE_RESPONSE_HEADERS,
--- a/src/app/api/transactions/[transactionId]/attachments/route.ts
+++ b/src/app/api/transactions/[transactionId]/attachments/route.ts
@@ -1,6 +1,6 @@
 import { NextResponse } from "next/server";
 import { fetchTransactionAttachments } from "@/features/transactions/attachment-queries";
-import { getUserId } from "@/shared/lib/auth/server";
+import { getOptionalUserSession } from "@/shared/lib/auth/server";

 const PRIVATE_RESPONSE_HEADERS = {
 	"Cache-Control": "private, no-store",
@@ -10,7 +10,19 @@ export async function GET(
 	_request: Request,
 	{ params }: { params: Promise<{ transactionId: string }> },
 ) {
-	const [userId, { transactionId }] = await Promise.all([getUserId(), params]);
+	const [session, { transactionId }] = await Promise.all([
+		getOptionalUserSession(),
+		params,
+	]);
+
+	if (!session?.user) {
+		return NextResponse.json(
+			{ error: "Não autenticado" },
+			{ status: 401, headers: PRIVATE_RESPONSE_HEADERS },
+		);
+	}
+
+	const userId = session.user.id;
 	const attachments = await fetchTransactionAttachments(userId, transactionId);

 	return NextResponse.json(attachments, {
--- a/src/app/api/transactions/installments/[seriesId]/anticipations/route.ts
+++ b/src/app/api/transactions/installments/[seriesId]/anticipations/route.ts
@@ -1,6 +1,6 @@
 import { NextResponse } from "next/server";
 import { fetchInstallmentAnticipations } from "@/features/transactions/anticipation-queries";
-import { getUserId } from "@/shared/lib/auth/server";
+import { getOptionalUserSession } from "@/shared/lib/auth/server";

 const PRIVATE_RESPONSE_HEADERS = {
 	"Cache-Control": "private, no-store",
@@ -11,7 +11,19 @@ export async function GET(
 	{ params }: { params: Promise<{ seriesId: string }> },
 ) {
 	try {
-		const [userId, { seriesId }] = await Promise.all([getUserId(), params]);
+		const [session, { seriesId }] = await Promise.all([
+			getOptionalUserSession(),
+			params,
+		]);
+
+		if (!session?.user) {
+			return NextResponse.json(
+				{ error: "Não autenticado" },
+				{ status: 401, headers: PRIVATE_RESPONSE_HEADERS },
+			);
+		}
+
+		const userId = session.user.id;
 		const anticipations = await fetchInstallmentAnticipations(userId, seriesId);

 		return NextResponse.json(anticipations, {