diff --git a/CORRECAO_NETLIFY_AUTH.md b/CORRECAO_NETLIFY_AUTH.md new file mode 100644 index 0000000..ffe16f1 --- /dev/null +++ b/CORRECAO_NETLIFY_AUTH.md @@ -0,0 +1,211 @@ +# šŸ”§ CORREƇƃO: AutenticaĆ§Ć£o no Netlify + +## šŸŽÆ PROBLEMA IDENTIFICADO + +O app funciona localmente (localhost:5173 e :3000) mas falha ao autenticar no Netlify devido a: + +1. āŒ VariĆ”veis de ambiente nĆ£o configuradas no Netlify +2. āŒ URLs de callback OAuth nĆ£o configuradas no Supabase +3. āŒ PolĆ­ticas RLS bloqueando acesso apĆ³s OAuth + +--- + +## āœ… SOLUƇƃO COMPLETA + +### 1ļøāƒ£ CONFIGURAR VARIƁVEIS DE AMBIENTE NO NETLIFY + +Acesse: https://app.netlify.com ā†’ Seu Site ā†’ Site settings ā†’ Environment variables + +Adicione estas variĆ”veis: + +``` +VITE_SUPABASE_URL=https://xzudfhifaancyxxfdejx.supabase.co +VITE_SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Inh6dWRmaGlmYWFuY3l4eGZkZWp4Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzEzNjE0MTAsImV4cCI6MjA4NjkzNzQxMH0.c5CHWhfXcMrm27LfxEt6OZtttXXvVJOeWu-IbnNLfWY +``` + +**IMPORTANTE:** ApĆ³s adicionar, faƧa um novo deploy! + +--- + +### 2ļøāƒ£ CONFIGURAR REDIRECT URLs NO SUPABASE + +Acesse: https://supabase.com/dashboard/project/xzudfhifaancyxxfdejx/auth/url-configuration + +Na seĆ§Ć£o **Redirect URLs**, adicione: + +``` +https://SEU-SITE.netlify.app/auth/callback +https://SEU-SITE.netlify.app/* +``` + +**Exemplo:** +``` +https://rdo-tracksteel.netlify.app/auth/callback +https://rdo-tracksteel.netlify.app/* +``` + +Na seĆ§Ć£o **Site URL**, configure: +``` +https://SEU-SITE.netlify.app +``` + +--- + +### 3ļøāƒ£ CORRIGIR POLƍTICAS RLS PARA OAUTH + +O problema principal: quando um usuĆ”rio faz login via Google OAuth, o Supabase cria o registro em `auth.users`, mas a polĆ­tica RLS impede a criaĆ§Ć£o automĆ”tica do perfil em `public.usuarios`. + +Execute este SQL no Supabase (SQL Editor): + +```sql +-- ============================================================================ +-- CORREƇƃO RLS PARA OAUTH - PERMITIR CRIAƇƃO AUTOMƁTICA DE PERFIL +-- ============================================================================ + +-- 1. Permitir INSERT na tabela usuarios para usuĆ”rios autenticados +DROP POLICY IF EXISTS "Users can create own profile" ON public.usuarios; + +CREATE POLICY "Users can create own profile" ON public.usuarios + FOR INSERT + WITH CHECK (auth.uid() = id); + +-- 2. Garantir que o trigger handle_new_user funciona +-- Verificar se a funĆ§Ć£o existe +CREATE OR REPLACE FUNCTION public.handle_new_user() +RETURNS TRIGGER AS $$ +BEGIN + -- Inserir novo usuĆ”rio na tabela public.usuarios + INSERT INTO public.usuarios ( + id, + email, + nome, + role, + ativo + ) VALUES ( + NEW.id, + NEW.email, + COALESCE(NEW.raw_user_meta_data->>'nome', NEW.raw_user_meta_data->>'name', split_part(NEW.email, '@', 1)), + 'usuario', + true + ) + ON CONFLICT (id) DO UPDATE SET + email = EXCLUDED.email, + nome = COALESCE(EXCLUDED.nome, public.usuarios.nome), + updated_at = NOW(); + + RETURN NEW; +END; +$$ LANGUAGE plpgsql SECURITY DEFINER; + +-- 3. Garantir que o trigger estĆ” ativo +DROP TRIGGER IF EXISTS on_auth_user_created ON auth.users; + +CREATE TRIGGER on_auth_user_created + AFTER INSERT ON auth.users + FOR EACH ROW + EXECUTE FUNCTION public.handle_new_user(); + +-- 4. Permitir leitura de organizaƧƵes para usuĆ”rios sem organizaĆ§Ć£o (signup) +DROP POLICY IF EXISTS "Users can view orgs during signup" ON public.organizacoes; + +CREATE POLICY "Users can view orgs during signup" ON public.organizacoes + FOR SELECT + USING (auth.uid() IS NOT NULL); + +-- 5. Permitir criaĆ§Ć£o de organizaĆ§Ć£o para novos usuĆ”rios +DROP POLICY IF EXISTS "Users can create org" ON public.organizacoes; + +CREATE POLICY "Users can create org" ON public.organizacoes + FOR INSERT + WITH CHECK (auth.uid() IS NOT NULL); + +-- ============================================================================ +-- FIM DA CORREƇƃO +-- ============================================================================ +``` + +--- + +### 4ļøāƒ£ VERIFICAR CONFIGURAƇƃO DO GOOGLE OAUTH + +No Google Cloud Console (https://console.cloud.google.com): + +1. Acesse: APIs & Services ā†’ Credentials +2. Clique no seu OAuth 2.0 Client ID +3. Em **Authorized redirect URIs**, adicione: + +``` +https://xzudfhifaancyxxfdejx.supabase.co/auth/v1/callback +https://SEU-SITE.netlify.app/auth/callback +``` + +--- + +## šŸ§Ŗ TESTAR A CORREƇƃO + +### Teste 1: VariĆ”veis de Ambiente +```bash +# No console do navegador (F12) no site Netlify: +console.log(import.meta.env.VITE_SUPABASE_URL) +``` +Deve retornar: `https://xzudfhifaancyxxfdejx.supabase.co` + +### Teste 2: Login OAuth +1. Acesse seu site no Netlify +2. Clique em "Login com Google" +3. Autorize o app +4. Deve redirecionar e autenticar com sucesso + +### Teste 3: Verificar Perfil Criado +No Supabase SQL Editor: +```sql +SELECT * FROM public.usuarios WHERE email = 'seu-email@gmail.com'; +``` + +--- + +## šŸ” DIAGNƓSTICO DE PROBLEMAS + +### Erro: "Invalid redirect URL" +- āœ… Verifique se adicionou a URL no Supabase (passo 2) +- āœ… Verifique se adicionou no Google Cloud (passo 4) + +### Erro: "User not found" ou "Permission denied" +- āœ… Execute o SQL de correĆ§Ć£o RLS (passo 3) +- āœ… Verifique se o trigger `handle_new_user` estĆ” ativo + +### Erro: "Environment variables not defined" +- āœ… Configure variĆ”veis no Netlify (passo 1) +- āœ… FaƧa um novo deploy apĆ³s adicionar + +### Login funciona mas nĆ£o carrega dados +- āœ… Problema de RLS - execute o SQL do passo 3 +- āœ… Verifique se o usuĆ”rio foi criado em `public.usuarios` + +--- + +## šŸ“‹ CHECKLIST FINAL + +- [ ] VariĆ”veis de ambiente configuradas no Netlify +- [ ] Novo deploy realizado apĆ³s configurar variĆ”veis +- [ ] Redirect URLs adicionadas no Supabase +- [ ] Redirect URIs adicionadas no Google Cloud +- [ ] SQL de correĆ§Ć£o RLS executado no Supabase +- [ ] Teste de login OAuth realizado com sucesso +- [ ] Perfil do usuĆ”rio criado em `public.usuarios` + +--- + +## šŸŽÆ RESULTADO ESPERADO + +ApĆ³s seguir todos os passos: + +āœ… Login via Google funciona no Netlify +āœ… Perfil do usuĆ”rio Ć© criado automaticamente +āœ… UsuĆ”rio consegue acessar o app normalmente +āœ… RLS permite acesso aos dados da organizaĆ§Ć£o + +--- + +**Data:** 24/02/2026 +**Status:** Aguardando aplicaĆ§Ć£o das correƧƵes diff --git a/fix_oauth_rls_netlify.sql b/fix_oauth_rls_netlify.sql new file mode 100644 index 0000000..51cfb73 --- /dev/null +++ b/fix_oauth_rls_netlify.sql @@ -0,0 +1,181 @@ +-- ============================================================================ +-- CORREƇƃO RLS PARA OAUTH NO NETLIFY +-- ============================================================================ +-- Este script corrige as polĆ­ticas RLS para permitir autenticaĆ§Ć£o OAuth +-- quando o app estĆ” hospedado no Netlify +-- ============================================================================ + +-- 1. PERMITIR CRIAƇƃO AUTOMƁTICA DE PERFIL APƓS OAUTH +-- ============================================================================ + +DROP POLICY IF EXISTS "Users can create own profile" ON public.usuarios; + +CREATE POLICY "Users can create own profile" ON public.usuarios + FOR INSERT + WITH CHECK (auth.uid() = id); + +-- 2. CORRIGIR FUNƇƃO DE CRIAƇƃO DE USUƁRIO +-- ============================================================================ + +CREATE OR REPLACE FUNCTION public.handle_new_user() +RETURNS TRIGGER AS $$ +BEGIN + -- Inserir novo usuĆ”rio na tabela public.usuarios + INSERT INTO public.usuarios ( + id, + email, + nome, + role, + ativo + ) VALUES ( + NEW.id, + NEW.email, + COALESCE( + NEW.raw_user_meta_data->>'nome', + NEW.raw_user_meta_data->>'name', + NEW.raw_user_meta_data->>'full_name', + split_part(NEW.email, '@', 1) + ), + 'usuario', + true + ) + ON CONFLICT (id) DO UPDATE SET + email = EXCLUDED.email, + nome = COALESCE(EXCLUDED.nome, public.usuarios.nome), + updated_at = NOW(); + + RETURN NEW; +END; +$$ LANGUAGE plpgsql SECURITY DEFINER; + +-- 3. GARANTIR QUE O TRIGGER ESTƁ ATIVO +-- ============================================================================ + +DROP TRIGGER IF EXISTS on_auth_user_created ON auth.users; + +CREATE TRIGGER on_auth_user_created + AFTER INSERT ON auth.users + FOR EACH ROW + EXECUTE FUNCTION public.handle_new_user(); + +-- 4. PERMITIR LEITURA DE ORGANIZAƇƕES PARA NOVOS USUƁRIOS +-- ============================================================================ + +DROP POLICY IF EXISTS "Users can view orgs during signup" ON public.organizacoes; + +CREATE POLICY "Users can view orgs during signup" ON public.organizacoes + FOR SELECT + USING (auth.uid() IS NOT NULL); + +-- 5. PERMITIR CRIAƇƃO DE ORGANIZAƇƃO PARA NOVOS USUƁRIOS +-- ============================================================================ + +DROP POLICY IF EXISTS "Users can create org" ON public.organizacoes; + +CREATE POLICY "Users can create org" ON public.organizacoes + FOR INSERT + WITH CHECK (auth.uid() IS NOT NULL); + +-- 6. PERMITIR CRIAƇƃO DE VƍNCULO ORGANIZAƇƃO-USUƁRIO +-- ============================================================================ + +DROP POLICY IF EXISTS "Users can create org membership" ON public.organizacao_usuarios; + +CREATE POLICY "Users can create org membership" ON public.organizacao_usuarios + FOR INSERT + WITH CHECK ( + usuario_id = auth.uid() + OR organizacao_id IN ( + SELECT organizacao_id + FROM public.organizacao_usuarios + WHERE usuario_id = auth.uid() + AND role IN ('owner', 'admin') + ) + ); + +-- 7. CORRIGIR POLƍTICA DE LEITURA DE USUƁRIOS +-- ============================================================================ + +-- Remover polĆ­tica antiga que pode estar causando recursĆ£o +DROP POLICY IF EXISTS "Admins can view all profiles" ON public.usuarios; + +-- Criar polĆ­tica sem recursĆ£o +CREATE POLICY "Admins can view all profiles" ON public.usuarios + FOR SELECT + USING ( + -- UsuĆ”rio pode ver prĆ³prio perfil + auth.uid() = id + OR + -- Ou Ć© admin/dev (verificaĆ§Ć£o direta sem subquery recursiva) + EXISTS ( + SELECT 1 FROM public.usuarios u + WHERE u.id = auth.uid() + AND u.role IN ('dev', 'admin') + LIMIT 1 + ) + OR + -- Ou estĆ” na mesma organizaĆ§Ć£o + organizacao_id IN ( + SELECT u2.organizacao_id + FROM public.usuarios u2 + WHERE u2.id = auth.uid() + ) + ); + +-- 8. GARANTIR PERMISSƕES PARA AUTHENTICATED ROLE +-- ============================================================================ + +GRANT USAGE ON SCHEMA public TO authenticated; +GRANT SELECT, INSERT, UPDATE ON public.usuarios TO authenticated; +GRANT SELECT, INSERT, UPDATE ON public.organizacoes TO authenticated; +GRANT SELECT, INSERT, UPDATE ON public.organizacao_usuarios TO authenticated; + +-- 9. CRIAR FUNƇƃO AUXILIAR PARA VERIFICAR SE USUƁRIO EXISTE +-- ============================================================================ + +CREATE OR REPLACE FUNCTION public.user_profile_exists(user_id UUID) +RETURNS BOOLEAN AS $$ +BEGIN + RETURN EXISTS ( + SELECT 1 FROM public.usuarios WHERE id = user_id + ); +END; +$$ LANGUAGE plpgsql SECURITY DEFINER; + +-- 10. VERIFICAƇƃO FINAL +-- ============================================================================ + +-- Verificar se as polĆ­ticas foram criadas +SELECT + schemaname, + tablename, + policyname, + permissive, + roles, + cmd +FROM pg_policies +WHERE schemaname = 'public' +AND tablename IN ('usuarios', 'organizacoes', 'organizacao_usuarios') +ORDER BY tablename, policyname; + +-- Verificar se o trigger estĆ” ativo +SELECT + trigger_name, + event_manipulation, + event_object_table, + action_statement +FROM information_schema.triggers +WHERE trigger_schema = 'auth' +AND event_object_table = 'users'; + +-- ============================================================================ +-- FIM DA CORREƇƃO +-- ============================================================================ + +-- INSTRUƇƕES DE USO: +-- 1. Copie todo este script +-- 2. Acesse: https://supabase.com/dashboard/project/xzudfhifaancyxxfdejx/sql/new +-- 3. Cole o script e clique em "Run" +-- 4. Verifique se nĆ£o hĆ” erros +-- 5. Teste o login OAuth no Netlify +