Correções de segurança

app/Controllers/SettingsController.php

@@ -36,6 +36,7 @@ class SettingsController
     {
         header('Content-Type: application/json');
 
+        try {
             $telegramService = new TelegramService();
 
             // Use sendOrderNotification to test with the configured template
@@ -45,14 +46,22 @@ class SettingsController
                 'type' => 'Teste'
             ], 999);
 
+            if ($response === false) {
+                throw new \Exception("Falha ao conectar com a API do Telegram (curl retornou false). Verifique o Token e o Chat ID.");
+            }
+
             $result = json_decode($response, true);
 
             if ($result && isset($result['ok']) && $result['ok']) {
                 echo json_encode(['success' => true, 'message' => 'Mensagem enviada com sucesso!']);
             } else {
-            $error = $result['description'] ?? 'Erro desconhecido ao contatar API do Telegram.';
+                $error = $result['description'] ?? 'Erro desconhecido ao contatar API do Telegram. Resposta bruta: ' . $response;
                 echo json_encode(['success' => false, 'message' => 'Falha ao enviar: ' . $error]);
             }
+        } catch (\Throwable $e) {
+            error_log("Erro no teste do Telegram: " . $e->getMessage());
+            echo json_encode(['success' => false, 'message' => 'Erro interno: ' . $e->getMessage()]);
+        }
         exit;
     }
 }

app/Middleware/AdminMiddleware.php

@@ -9,6 +9,7 @@ class AdminMiddleware
     public function handle()
     {
         if (!isset($_SESSION['user_role']) || $_SESSION['user_role'] !== 'admin') {
+            error_log("AdminMiddleware Redirecting: Session Role: " . ($_SESSION['user_role'] ?? 'NOT SET') . " | Session ID: " . session_id());
             View::redirect('/login');
             return false;
         }

app/routes.php

@@ -9,47 +9,92 @@ $router->get('/login', [AuthController::class, 'login']);
 $router->post('/login', [AuthController::class, 'authenticate']);
 $router->get('/logout', [AuthController::class, 'logout']);
 
+// Admin Routes
 // Admin Routes
 $router->get('/admin/dashboard', [\App\Controllers\AdminDashboardController::class, 'index']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->get('/admin/search', [\App\Controllers\SearchController::class, 'search']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->get('/admin/logs', [\App\Controllers\LogController::class, 'index']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
 
 // Admin Profile
 $router->get('/admin/profile', [\App\Controllers\AdminProfileController::class, 'index']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->post('/admin/profile/update', [\App\Controllers\AdminProfileController::class, 'update']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->post('/admin/profile/password', [\App\Controllers\AdminProfileController::class, 'updatePassword']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
 
 // Clients CRUD
 $router->get('/admin/clients', [\App\Controllers\ClientController::class, 'index']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->get('/admin/clients/create', [\App\Controllers\ClientController::class, 'create']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->post('/admin/clients/store', [\App\Controllers\ClientController::class, 'store']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->get('/admin/clients/edit/{id}', [\App\Controllers\ClientController::class, 'edit']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->post('/admin/clients/update/{id}', [\App\Controllers\ClientController::class, 'update']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->get('/admin/clients/delete/{id}', [\App\Controllers\ClientController::class, 'delete']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
 
 // Servers CRUD
 $router->get('/admin/servers', [\App\Controllers\ServerController::class, 'index']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->get('/admin/servers/create', [\App\Controllers\ServerController::class, 'create']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->post('/admin/servers/store', [\App\Controllers\ServerController::class, 'store']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->get('/admin/servers/edit/{id}', [\App\Controllers\ServerController::class, 'edit']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->post('/admin/servers/update/{id}', [\App\Controllers\ServerController::class, 'update']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->get('/admin/servers/delete/{id}', [\App\Controllers\ServerController::class, 'delete']);
-$router->get('/admin/servers/delete/{id}', [\App\Controllers\ServerController::class, 'delete']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->get('/admin/servers/reset-machine/{id}', [\App\Controllers\ServerController::class, 'resetMachineId']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
 
 // Orders CRUD
 $router->get('/admin/orders', [\App\Controllers\OrderController::class, 'index']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->get('/admin/orders/create', [\App\Controllers\OrderController::class, 'create']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->post('/admin/orders/store', [\App\Controllers\OrderController::class, 'store']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
 $router->get('/admin/orders/view/{id}', [\App\Controllers\OrderController::class, 'view']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
 
 // Settings
 $router->get('/admin/settings', [\App\Controllers\SettingsController::class, 'index']);
-$router->post('/admin/settings/update', [\App\Controllers\SettingsController::class, 'update']);
-$router->post('/admin/settings/test-telegram', [\App\Controllers\SettingsController::class, 'testTelegram']);
-
 $router->addMiddleware(\App\Middleware\AdminMiddleware::class);
 
+$router->post('/admin/settings/update', [\App\Controllers\SettingsController::class, 'update']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
+$router->post('/admin/settings/test-telegram', [\App\Controllers\SettingsController::class, 'testTelegram']);
+$router->addMiddleware(\App\Middleware\AdminMiddleware::class);
+
+
 // API Routes
 $router->post('/api/auth/login', [\App\Controllers\ApiAuthController::class, 'login']);
 
@@ -58,10 +103,19 @@ $router->addMiddleware(\App\Middleware\ApiMiddleware::class);
 
 // Client Routes
 $router->get('/client/dashboard', [\App\Controllers\ClientDashboardController::class, 'index']);
-$router->get('/client/servers', [\App\Controllers\ClientDashboardController::class, 'servers']);
-$router->get('/client/orders', [\App\Controllers\ClientDashboardController::class, 'orders']);
-$router->get('/client/orders/view/{id}', [\App\Controllers\ClientDashboardController::class, 'viewOrder']);
-$router->get('/client/profile', [\App\Controllers\ClientDashboardController::class, 'profile']);
-$router->post('/client/profile/password', [\App\Controllers\ClientDashboardController::class, 'updatePassword']);
-
+$router->addMiddleware(\App\Middleware\ClientMiddleware::class);
+
+$router->get('/client/servers', [\App\Controllers\ClientDashboardController::class, 'servers']);
+$router->addMiddleware(\App\Middleware\ClientMiddleware::class);
+
+$router->get('/client/orders', [\App\Controllers\ClientDashboardController::class, 'orders']);
+$router->addMiddleware(\App\Middleware\ClientMiddleware::class);
+
+$router->get('/client/orders/view/{id}', [\App\Controllers\ClientDashboardController::class, 'viewOrder']);
+$router->addMiddleware(\App\Middleware\ClientMiddleware::class);
+
+$router->get('/client/profile', [\App\Controllers\ClientDashboardController::class, 'profile']);
+$router->addMiddleware(\App\Middleware\ClientMiddleware::class);
+
+$router->post('/client/profile/password', [\App\Controllers\ClientDashboardController::class, 'updatePassword']);
 $router->addMiddleware(\App\Middleware\ClientMiddleware::class);

resources/views/admin/settings/index.php

@@ -118,7 +118,14 @@
                         'X-Requested-With': 'XMLHttpRequest'
                     }
                 })
-                    .then(response => response.json())
+                    .then(async response => {
+                        const text = await response.text();
+                        try {
+                            return JSON.parse(text);
+                        } catch (e) {
+                            throw new Error(`Resposta inválida do servidor (${response.status}): ${text.substring(0, 100)}...`);
+                        }
+                    })
                     .then(data => {
                         this.$dispatch('notify', {
                             type: data.success ? 'success' : 'error',
@@ -127,10 +134,11 @@
                         });
                     })
                     .catch(error => {
+                        console.error('Erro no teste:', error);
                         this.$dispatch('notify', {
                             type: 'error',
                             title: 'Erro',
-                            message: 'Falha na requisição.'
+                            message: 'Erro: ' + error.message
                         });
                     })
                     .finally(() => {