fix(segurança): corrigir 10 vulnerabilidades do relatório de segurança

- tokens: remover aceite de expiresAt NULL e forçar TTL de 1 ano - tokens: corrigir refresh que invalidava access token anterior - xlsx: desabilitar parsing de fórmulas (CVE-2024-44294) - csp: expandir Content-Security-Policy com origens explícitas - headers: adicionar Referrer-Policy e X-Permitted-Cross-Domain-Policies - api: retornar 401 JSON em vez de redirect 302 em rotas autenticadas - health: remover version disclosure do /api/health - robots.txt: simplificar para não expor rotas internas - sitemap: corrigir URL com protocolo duplicado - criar security.txt (RFC 9116) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-10 03:11:46 +00:00 · 2026-04-04 02:47:05 +00:00
parent fd4d90a53e
commit 10afef9fec
17 changed files with 113 additions and 52 deletions
--- a/src/app/api/attachments/[attachmentId]/presign/route.ts
+++ b/src/app/api/attachments/[attachmentId]/presign/route.ts
@@ -1,7 +1,7 @@
 import { and, eq } from "drizzle-orm";
 import { NextResponse } from "next/server";
 import { attachments } from "@/db/schema";
-import { getUserId } from "@/shared/lib/auth/server";
+import { getOptionalUserSession } from "@/shared/lib/auth/server";
 import { db } from "@/shared/lib/db";
 import { createPresignedGetUrl } from "@/shared/lib/storage/presign";

@@ -13,7 +13,19 @@ export async function GET(
 	_request: Request,
 	{ params }: { params: Promise<{ attachmentId: string }> },
 ) {
-	const [userId, { attachmentId }] = await Promise.all([getUserId(), params]);
+	const [session, { attachmentId }] = await Promise.all([
+		getOptionalUserSession(),
+		params,
+	]);
+
+	if (!session?.user) {
+		return NextResponse.json(
+			{ error: "Não autenticado" },
+			{ status: 401, headers: PRIVATE_RESPONSE_HEADERS },
+		);
+	}
+
+	const userId = session.user.id;

 	const [row] = await db
 		.select({ fileKey: attachments.fileKey })