Code Review — Segurança, Arquitetura e Boas Práticas#1
Open
MirandaSls wants to merge 1 commit into
Open
Conversation
There was a problem hiding this comment.
Pull request overview
Adds a standalone CODE_REVIEW.md document to the repository to record a structured code review of RevoAPP, covering security, architecture/patterns, HTTP semantics/bugs, and general code quality findings.
Changes:
- Introduces
CODE_REVIEW.mdwith 23 review points grouped by category. - Includes suggested remediations and example snippets (bcrypt/JWT/env config/pagination/etc.).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+65
to
+68
| **Sugestão:** Usar variável de ambiente: | ||
|
|
||
| ```ts | ||
| const productionURL = process.env.BASE_URL ?? "http://localhost:3333" |
Comment on lines
+81
to
+89
| export function authenticate(req, res, next) { | ||
| const token = req.headers.authorization?.split(" ")[1] | ||
| if (!token) return res.status(401).json({ message: "Não autenticado" }) | ||
| try { | ||
| const payload = jwt.verify(token, process.env.JWT_SECRET) | ||
| req.userId = payload.sub | ||
| next() | ||
| } catch { | ||
| res.status(401).json({ message: "Token inválido" }) |
|
|
||
| ### [9] Ausência de tratamento de erros (try/catch) — todas as rotas | ||
|
|
||
| **Problema:** Nenhuma rota possui `try/catch`. Se o banco de dados cair ou o Prisma lançar uma exceção inesperada, o Express não captura a promise rejeitada e o servidor derruba com `UnhandledPromiseRejection`. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Sobre esta revisão
Code review do projeto RevoAPP cobrindo 23 pontos organizados em 4 categorias: segurança crítica, arquitetura e padrões de projeto, bugs e semântica HTTP, e code smells de qualidade.
O arquivo CODE_REVIEW.md contém todos os comentários detalhados.
Resumo dos problemas encontrados
🔴 Segurança Crítica (5)
user.ts:86— sem hash (bcrypt/argon2)@ts-ignoremascarando bug de segurança —user.ts:130— comparação de senha quebrada em runtimeuser.ts:69—console.log(body)expõe email e senhauser.ts:7eevent.ts:11— deve vir de variável de ambiente🟠 Arquitetura e Padrões de Projeto (6)
productionURLduplicada em dois arquivostry/catchnas rotas, crash em exceptions do bancozod)🟡 Bugs e HTTP Semântico (6)
GET /event/retorna302(redirect) em vez de200forEachatribuído a variável —event.ts:329—goalIdsempreundefinedconstreatribuída —Login/index.js:24—TypeErrorem runtimeLogin/index.js:13— frágil e quebrávelDate()semnew—createEvent/index.js:14— ignora o argumento, usa data atual🔵 Code Smells e Qualidade (6)
sponsership,recevied,accepte_route,exixstfindMany— pode retornar milhares de registrosconsole.logde debug em produção —user.ts:454,event.ts:345indicadores.tsé código morto — funcionalidade idêntica aGET /user/, sem implementação realPadrões de projeto sugeridos
PrismaClient