From e269fb108f0470a36f38cd7d31d2845bdc141c2b Mon Sep 17 00:00:00 2001
From: DevEnv nis2-agile <dev@certisource.it>
Date: Sun, 31 May 2026 16:16:53 +0200
Subject: [PATCH] [SEC] Redatta chiave API mktg esposta in pagine pubbliche (F1
 security audit)

La chiave di produzione nis2_mktg_... (scope admin:licenses) era in chiaro in
mktg-api-doc.html e integrazioniext.html, servite pubblicamente -> chiunque poteva
ottenere una chiave di gestione licenze B2B. Sostituita con placeholder
nis2_mktg_xxxxx in entrambe le pagine (6 occorrenze totali).

NOTA: la chiave reale va ANCORA RUOTATA nel DB (api_keys) in coordinamento con
mktg-agile, poiche' resta nella history git e potenzialmente nota. Questo commit
elimina solo l'esposizione web continua.

Trovato da audit sicurezza multi-agente (F1, priorita' top).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 public/integrazioniext.html | 8 ++++----
 public/mktg-api-doc.html    | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/public/integrazioniext.html b/public/integrazioniext.html
index 8387f71..b255858 100644
--- a/public/integrazioniext.html
+++ b/public/integrazioniext.html
@@ -558,14 +558,14 @@ curl "https://nis2.agile.software/api/invites/validate?token=inv_a1b2c3..."
 
     <div class="section-title">Per mktg-agile / E-commerce — Quick Start</div>
     <div class="callout">
-        Chiave API già attiva per mktg-agile: <code style="color:#4ade80">nis2_mktg_8c8bd38e78fccb9faa749d8601051f42</code>
+        Chiave API già attiva per mktg-agile: <code style="color:#4ade80">nis2_mktg_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</code>
         · Scope: <code>admin:licenses</code> · Scade: 2028-03-07
         · Doc completa: <a href="/mktg-api-doc.html" style="color:var(--primary)">mktg-api-doc.html</a>
         · Pannello web: <a href="/licenseExt.html" style="color:var(--primary)">licenseExt.html</a>
     </div>
     <div class="code-block"><span class="cmt"># 1. Crea licenza (mktg-agile → NIS2)</span>
 curl -X POST https://nis2.agile.software/api/invites/create \
-  -H <span class="str">"X-API-Key: nis2_mktg_8c8bd38e78fccb9faa749d8601051f42"</span> \
+  -H <span class="str">"X-API-Key: nis2_mktg_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"</span> \
   -H <span class="str">"Content-Type: application/json"</span> \
   -d <span class="str">'{"plan":"professional","duration_months":12,"max_users_per_org":10,
       "label":"Ordine MKT-001","channel":"ecommerce","price_eur":990}'</span>
@@ -574,11 +574,11 @@ curl -X POST https://nis2.agile.software/api/invites/create \
 <span class="cmt"># → consegna invite_url al cliente nel messaggio di conferma ordine</span>
 
 <span class="cmt"># 2. Verifica stato licenza in qualsiasi momento</span>
-curl -H <span class="str">"X-API-Key: nis2_mktg_8c8bd38e78fccb9faa749d8601051f42"</span> \
+curl -H <span class="str">"X-API-Key: nis2_mktg_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"</span> \
   "https://nis2.agile.software/api/invites/42"
 
 <span class="cmt"># 3. Lista licenze attive per canale ecommerce</span>
-curl -H <span class="str">"X-API-Key: nis2_mktg_8c8bd38e78fccb9faa749d8601051f42"</span> \
+curl -H <span class="str">"X-API-Key: nis2_mktg_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"</span> \
   "https://nis2.agile.software/api/invites/list?channel=ecommerce&amp;status=pending"</div>
 
     <div class="callout">
diff --git a/public/mktg-api-doc.html b/public/mktg-api-doc.html
index c425a4b..74769c9 100644
--- a/public/mktg-api-doc.html
+++ b/public/mktg-api-doc.html
@@ -110,7 +110,7 @@ table.resp code { background: rgba(255,255,255,.06); padding: .1rem .3rem; borde
     <div style="display:grid;grid-template-columns:repeat(auto-fill,minmax(240px,1fr));gap:1rem;margin-bottom:1.25rem">
         <div style="background:rgba(0,0,0,.25);border-radius:8px;padding:1rem">
             <div style="font-size:.7rem;color:var(--text-secondary);margin-bottom:.4rem">CHIAVE API (già attiva)</div>
-            <code style="font-size:.75rem;color:#4ade80;word-break:break-all">nis2_mktg_8c8bd38e78fccb9faa749d8601051f42</code>
+            <code style="font-size:.75rem;color:#4ade80;word-break:break-all">nis2_mktg_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</code>
             <div style="font-size:.68rem;color:var(--text-secondary);margin-top:.3rem">Scope: admin:licenses · Scade: 2028-03-07</div>
         </div>
         <div style="background:rgba(0,0,0,.25);border-radius:8px;padding:1rem">
@@ -146,7 +146,7 @@ table.resp code { background: rgba(255,255,255,.06); padding: .1rem .3rem; borde
 
     <pre style="margin-top:1rem;margin-bottom:0;font-size:.78rem"><span class="cm"># Crea licenza in 1 chiamata:</span>
 curl -X POST https://nis2.agile.software/api/invites/create \
-  -H <span class="sv">"X-API-Key: nis2_mktg_8c8bd38e78fccb9faa749d8601051f42"</span> \
+  -H <span class="sv">"X-API-Key: nis2_mktg_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"</span> \
   -H <span class="sv">"Content-Type: application/json"</span> \
   -d <span class="sv">'{"plan":"professional","duration_months":12,"label":"Ordine #123","channel":"ecommerce","max_users_per_org":10,"price_eur":990}'</span>