fred/Agents-Orchestrator
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d7d2421fc2aba5f0d8c94c82fb5e7617f33dacfd
Agents-Orchestrator/server.js
Frederico Castro d7d2421fc2 Proteção XSS, assinatura de webhook, limite de execuções e data no histórico 
- Utilitário centralizado Utils.escapeHtml() substituindo duplicações locais
- Escaping completo em todos os componentes (agents, tasks, schedules, pipelines, webhooks, terminal, history, tags)
- Verificação HMAC-SHA256 para webhooks usando raw body
- Limite de 5000 registros no store de execuções (maxSize)
- Data de execução visível no histórico com ícone de calendário
- Remoção de mutex desnecessário no flush síncrono do db.js
- Novos stores preparatórios (secrets, notifications, agentVersions)
2026-02-26 18:26:27 -03:00

137 lines
4.4 KiB
JavaScript
Raw Blame History

import express from 'express';
import { createServer } from 'http';
import { WebSocketServer } from 'ws';
import { fileURLToPath } from 'url';
import { dirname, join } from 'path';
import { v4 as uuidv4 } from 'uuid';
import crypto from 'crypto';
import apiRouter, { setWsBroadcast, setWsBroadcastTo, hookRouter } from './src/routes/api.js';
import * as manager from './src/agents/manager.js';
import { setGlobalBroadcast } from './src/agents/manager.js';
import { cancelAllExecutions } from './src/agents/executor.js';
import { flushAllStores } from './src/store/db.js';
const __dirname = dirname(fileURLToPath(import.meta.url));
const PORT = process.env.PORT || 3000;
const AUTH_TOKEN = process.env.AUTH_TOKEN || '';
const ALLOWED_ORIGIN = process.env.ALLOWED_ORIGIN || '';
const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET || '';
function verifyWebhookSignature(req, res, next) {
if (!WEBHOOK_SECRET) return next();
const sig = req.headers['x-hub-signature-256'];
if (!sig) return res.status(401).json({ error: 'Assinatura ausente' });
const hmac = crypto.createHmac('sha256', WEBHOOK_SECRET);
hmac.update(req.rawBody || '');
const expected = 'sha256=' + hmac.digest('hex');
try {
if (!crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expected))) {
return res.status(401).json({ error: 'Assinatura inválida' });
}
} catch {
return res.status(401).json({ error: 'Assinatura inválida' });
}
next();
}
const app = express();
const httpServer = createServer(app);
const wss = new WebSocketServer({ server: httpServer });
app.use((req, res, next) => {
const origin = ALLOWED_ORIGIN || req.headers.origin || '*';
res.setHeader('Access-Control-Allow-Origin', origin);
res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Client-Id');
if (req.method === 'OPTIONS') return res.sendStatus(204);
next();
});
if (AUTH_TOKEN) {
app.use('/api', (req, res, next) => {
const header = req.headers.authorization || '';
const token = header.startsWith('Bearer ') ? header.slice(7) : req.query.token;
if (token !== AUTH_TOKEN) {
return res.status(401).json({ error: 'Token de autenticação inválido' });
}
next();
});
}
app.use(express.json({
verify: (req, res, buf) => { req.rawBody = buf; },
}));
app.use('/hook', verifyWebhookSignature, hookRouter);
app.use(express.static(join(__dirname, 'public')));
app.use('/api', apiRouter);
const connectedClients = new Map();
wss.on('connection', (ws, req) => {
const clientId = new URL(req.url, 'http://localhost').searchParams.get('clientId') || uuidv4();
if (AUTH_TOKEN) {
const token = new URL(req.url, 'http://localhost').searchParams.get('token');
if (token !== AUTH_TOKEN) {
ws.close(4001, 'Token inválido');
return;
}
}
ws.clientId = clientId;
connectedClients.set(clientId, ws);
ws.on('close', () => connectedClients.delete(clientId));
ws.on('error', () => connectedClients.delete(clientId));
ws.send(JSON.stringify({ type: 'connected', clientId }));
});
function broadcast(message) {
const payload = JSON.stringify(message);
for (const [, client] of connectedClients) {
if (client.readyState === 1) client.send(payload);
}
}
function broadcastTo(clientId, message) {
const payload = JSON.stringify(message);
const client = connectedClients.get(clientId);
if (client && client.readyState === 1) client.send(payload);
else broadcast(message);
}
setWsBroadcast(broadcast);
setWsBroadcastTo(broadcastTo);
setGlobalBroadcast(broadcast);
function gracefulShutdown(signal) {
console.log(`\nSinal ${signal} recebido. Encerrando servidor...`);
cancelAllExecutions();
console.log('Execuções ativas canceladas.');
flushAllStores();
console.log('Dados persistidos.');
httpServer.close(() => {
console.log('Servidor HTTP encerrado.');
process.exit(0);
});
setTimeout(() => {
console.error('Forçando encerramento após timeout.');
process.exit(1);
}, 10000);
}
process.on('SIGTERM', () => gracefulShutdown('SIGTERM'));
process.on('SIGINT', () => gracefulShutdown('SIGINT'));
manager.restoreSchedules();
httpServer.listen(PORT, () => {
console.log(`Painel administrativo disponível em http://localhost:${PORT}`);
console.log(`WebSocket server ativo na mesma porta.`);
if (AUTH_TOKEN) console.log('Autenticação por token ativada.');
});
Reference in New Issue View Git Blame Copy Permalink