Prepara versao dev 1.0

2025-12-08 21:47:38 -03:00
parent 512287698e
commit 190fde20c3
85 changed files with 7755 additions and 2317 deletions
--- a/backend/internal/api/handlers/agency.go
+++ b/backend/internal/api/handlers/agency.go
@@ -0,0 +1,192 @@
+package handlers
+
+import (
+	"encoding/json"
+	"errors"
+	"log"
+	"net/http"
+	"strings"
+	"time"
+
+	"aggios-app/backend/internal/config"
+	"aggios-app/backend/internal/domain"
+	"aggios-app/backend/internal/service"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
+)
+
+// AgencyRegistrationHandler handles agency management endpoints
+type AgencyRegistrationHandler struct {
+	agencyService *service.AgencyService
+	cfg           *config.Config
+}
+
+// NewAgencyRegistrationHandler creates a new agency registration handler
+func NewAgencyRegistrationHandler(agencyService *service.AgencyService, cfg *config.Config) *AgencyRegistrationHandler {
+	return &AgencyRegistrationHandler{
+		agencyService: agencyService,
+		cfg:           cfg,
+	}
+}
+
+// RegisterAgency handles agency registration (SUPERADMIN only)
+func (h *AgencyRegistrationHandler) RegisterAgency(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	var req domain.RegisterAgencyRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		log.Printf("❌ Error decoding request: %v", err)
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	log.Printf("📥 Registering agency: %s (subdomain: %s)", req.AgencyName, req.Subdomain)
+
+	tenant, admin, err := h.agencyService.RegisterAgency(req)
+	if err != nil {
+		log.Printf("❌ Error registering agency: %v", err)
+		switch err {
+		case service.ErrSubdomainTaken:
+			http.Error(w, err.Error(), http.StatusConflict)
+		case service.ErrEmailAlreadyExists:
+			http.Error(w, err.Error(), http.StatusConflict)
+		case service.ErrWeakPassword:
+			http.Error(w, err.Error(), http.StatusBadRequest)
+		default:
+			http.Error(w, "Internal server error", http.StatusInternalServerError)
+		}
+		return
+	}
+
+	log.Printf("✅ Agency created: %s (ID: %s)", tenant.Name, tenant.ID)
+
+	// Generate JWT token for the new admin
+	claims := jwt.MapClaims{
+		"user_id":   admin.ID.String(),
+		"email":     admin.Email,
+		"role":      admin.Role,
+		"tenant_id": tenant.ID.String(),
+		"exp":       time.Now().Add(time.Hour * 24 * 7).Unix(), // 7 days
+		"iat":       time.Now().Unix(),
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	tokenString, err := token.SignedString([]byte(h.cfg.JWT.Secret))
+	if err != nil {
+		http.Error(w, "Failed to generate token", http.StatusInternalServerError)
+		return
+	}
+
+	protocol := "http://"
+	if h.cfg.App.Environment == "production" {
+		protocol = "https://"
+	}
+
+	response := map[string]interface{}{
+		"token":      tokenString,
+		"id":         admin.ID,
+		"email":      admin.Email,
+		"name":       admin.Name,
+		"role":       admin.Role,
+		"tenantId":   tenant.ID,
+		"company":    tenant.Name,
+		"subdomain":  tenant.Subdomain,
+		"message":    "Agency registered successfully",
+		"access_url": protocol + tenant.Domain,
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(response)
+}
+
+// RegisterClient handles client registration (ADMIN_AGENCIA only)
+func (h *AgencyRegistrationHandler) RegisterClient(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// TODO: Get tenant_id from authenticated user context
+	// For now, this would need the auth middleware to set it
+
+	var req domain.RegisterClientRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	// Get tenantID from context (set by middleware)
+	tenantIDStr := r.Header.Get("X-Tenant-ID")
+	if tenantIDStr == "" {
+		http.Error(w, "Tenant not found", http.StatusBadRequest)
+		return
+	}
+
+	// Parse tenant ID
+	// tenantID, _ := uuid.Parse(tenantIDStr)
+
+	// client, err := h.agencyService.RegisterClient(req, tenantID)
+	// ... handle response
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(map[string]string{
+		"message": "Client registration endpoint - implementation pending",
+	})
+}
+
+// HandleAgency supports GET (details) and DELETE operations for a specific agency
+func (h *AgencyRegistrationHandler) HandleAgency(w http.ResponseWriter, r *http.Request) {
+	if r.URL.Path == "/api/admin/agencies/" {
+		http.Error(w, "Agency ID required", http.StatusBadRequest)
+		return
+	}
+
+	agencyID := strings.TrimPrefix(r.URL.Path, "/api/admin/agencies/")
+	if agencyID == "" || agencyID == r.URL.Path {
+		http.NotFound(w, r)
+		return
+	}
+
+	id, err := uuid.Parse(agencyID)
+	if err != nil {
+		http.Error(w, "Invalid agency ID", http.StatusBadRequest)
+		return
+	}
+
+	switch r.Method {
+	case http.MethodGet:
+		details, err := h.agencyService.GetAgencyDetails(id)
+		if err != nil {
+			if errors.Is(err, service.ErrTenantNotFound) {
+				http.Error(w, "Agency not found", http.StatusNotFound)
+				return
+			}
+			http.Error(w, "Internal server error", http.StatusInternalServerError)
+			return
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(details)
+
+	case http.MethodDelete:
+		if err := h.agencyService.DeleteAgency(id); err != nil {
+			if errors.Is(err, service.ErrTenantNotFound) {
+				http.Error(w, "Agency not found", http.StatusNotFound)
+				return
+			}
+			http.Error(w, "Internal server error", http.StatusInternalServerError)
+			return
+		}
+
+		w.WriteHeader(http.StatusNoContent)
+
+	default:
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+	}
+}
--- a/backend/internal/api/handlers/agency_profile.go
+++ b/backend/internal/api/handlers/agency_profile.go
@@ -0,0 +1,179 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"aggios-app/backend/internal/repository"
+
+	"github.com/google/uuid"
+)
+
+type AgencyHandler struct {
+	tenantRepo *repository.TenantRepository
+}
+
+func NewAgencyHandler(tenantRepo *repository.TenantRepository) *AgencyHandler {
+	return &AgencyHandler{
+		tenantRepo: tenantRepo,
+	}
+}
+
+type AgencyProfileResponse struct {
+	ID          string `json:"id"`
+	Name        string `json:"name"`
+	CNPJ        string `json:"cnpj"`
+	Email       string `json:"email"`
+	Phone       string `json:"phone"`
+	Website     string `json:"website"`
+	Address     string `json:"address"`
+	City        string `json:"city"`
+	State       string `json:"state"`
+	Zip         string `json:"zip"`
+	RazaoSocial string `json:"razao_social"`
+	Description string `json:"description"`
+	Industry    string `json:"industry"`
+}
+
+type UpdateAgencyProfileRequest struct {
+	Name        string `json:"name"`
+	CNPJ        string `json:"cnpj"`
+	Email       string `json:"email"`
+	Phone       string `json:"phone"`
+	Website     string `json:"website"`
+	Address     string `json:"address"`
+	City        string `json:"city"`
+	State       string `json:"state"`
+	Zip         string `json:"zip"`
+	RazaoSocial string `json:"razao_social"`
+	Description string `json:"description"`
+	Industry    string `json:"industry"`
+}
+
+// GetProfile returns the current agency profile
+func (h *AgencyHandler) GetProfile(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// Get tenant from context (set by middleware)
+	tenantID := r.Context().Value("tenantID")
+	if tenantID == nil {
+		http.Error(w, "Tenant not found", http.StatusUnauthorized)
+		return
+	}
+
+	// Parse tenant ID
+	tid, err := uuid.Parse(tenantID.(string))
+	if err != nil {
+		http.Error(w, "Invalid tenant ID", http.StatusBadRequest)
+		return
+	}
+
+	// Get tenant from database
+	tenant, err := h.tenantRepo.FindByID(tid)
+	if err != nil {
+		http.Error(w, "Error fetching profile", http.StatusInternalServerError)
+		return
+	}
+	if tenant == nil {
+		http.Error(w, "Tenant not found", http.StatusNotFound)
+		return
+	}
+
+	response := AgencyProfileResponse{
+		ID:          tenant.ID.String(),
+		Name:        tenant.Name,
+		CNPJ:        tenant.CNPJ,
+		Email:       tenant.Email,
+		Phone:       tenant.Phone,
+		Website:     tenant.Website,
+		Address:     tenant.Address,
+		City:        tenant.City,
+		State:       tenant.State,
+		Zip:         tenant.Zip,
+		RazaoSocial: tenant.RazaoSocial,
+		Description: tenant.Description,
+		Industry:    tenant.Industry,
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(response)
+}
+
+// UpdateProfile updates the current agency profile
+func (h *AgencyHandler) UpdateProfile(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPut && r.Method != http.MethodPatch {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// Get tenant from context
+	tenantID := r.Context().Value("tenantID")
+	if tenantID == nil {
+		http.Error(w, "Tenant not found", http.StatusUnauthorized)
+		return
+	}
+
+	var req UpdateAgencyProfileRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	// Parse tenant ID
+	tid, err := uuid.Parse(tenantID.(string))
+	if err != nil {
+		http.Error(w, "Invalid tenant ID", http.StatusBadRequest)
+		return
+	}
+
+	// Prepare updates
+	updates := map[string]interface{}{
+		"name":         req.Name,
+		"cnpj":         req.CNPJ,
+		"razao_social": req.RazaoSocial,
+		"email":        req.Email,
+		"phone":        req.Phone,
+		"website":      req.Website,
+		"address":      req.Address,
+		"city":         req.City,
+		"state":        req.State,
+		"zip":          req.Zip,
+		"description":  req.Description,
+		"industry":     req.Industry,
+	}
+
+	// Update in database
+	if err := h.tenantRepo.UpdateProfile(tid, updates); err != nil {
+		http.Error(w, "Error updating profile", http.StatusInternalServerError)
+		return
+	}
+
+	// Fetch updated data
+	tenant, err := h.tenantRepo.FindByID(tid)
+	if err != nil {
+		http.Error(w, "Error fetching updated profile", http.StatusInternalServerError)
+		return
+	}
+
+	response := AgencyProfileResponse{
+		ID:          tenant.ID.String(),
+		Name:        tenant.Name,
+		CNPJ:        tenant.CNPJ,
+		Email:       tenant.Email,
+		Phone:       tenant.Phone,
+		Website:     tenant.Website,
+		Address:     tenant.Address,
+		City:        tenant.City,
+		State:       tenant.State,
+		Zip:         tenant.Zip,
+		RazaoSocial: tenant.RazaoSocial,
+		Description: tenant.Description,
+		Industry:    tenant.Industry,
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(response)
+}
--- a/backend/internal/api/handlers/auth.go
+++ b/backend/internal/api/handlers/auth.go
@@ -0,0 +1,139 @@
+package handlers
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"strings"
+
+	"aggios-app/backend/internal/domain"
+	"aggios-app/backend/internal/service"
+)
+
+// AuthHandler handles authentication endpoints
+type AuthHandler struct {
+	authService *service.AuthService
+}
+
+// NewAuthHandler creates a new auth handler
+func NewAuthHandler(authService *service.AuthService) *AuthHandler {
+	return &AuthHandler{
+		authService: authService,
+	}
+}
+
+// Register handles user registration
+func (h *AuthHandler) Register(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	var req domain.CreateUserRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	user, err := h.authService.Register(req)
+	if err != nil {
+		switch err {
+		case service.ErrEmailAlreadyExists:
+			http.Error(w, err.Error(), http.StatusConflict)
+		case service.ErrWeakPassword:
+			http.Error(w, err.Error(), http.StatusBadRequest)
+		default:
+			http.Error(w, "Internal server error", http.StatusInternalServerError)
+		}
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(user)
+}
+
+// Login handles user login
+func (h *AuthHandler) Login(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	bodyBytes, err := io.ReadAll(r.Body)
+	if err != nil {
+		http.Error(w, "Failed to read request body", http.StatusBadRequest)
+		return
+	}
+	defer r.Body.Close()
+
+	// Trim whitespace to avoid decode errors caused by BOM or stray chars
+	sanitized := strings.TrimSpace(string(bodyBytes))
+	var req domain.LoginRequest
+	if err := json.Unmarshal([]byte(sanitized), &req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	response, err := h.authService.Login(req)
+	if err != nil {
+		if err == service.ErrInvalidCredentials {
+			http.Error(w, err.Error(), http.StatusUnauthorized)
+		} else {
+			http.Error(w, "Internal server error", http.StatusInternalServerError)
+		}
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(response)
+}
+
+// ChangePasswordRequest represents a password change request
+type ChangePasswordRequest struct {
+	CurrentPassword string `json:"currentPassword"`
+	NewPassword     string `json:"newPassword"`
+}
+
+// ChangePassword handles password change
+func (h *AuthHandler) ChangePassword(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// Get user ID from context (set by auth middleware)
+	userID, ok := r.Context().Value("userID").(string)
+	if !ok {
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	var req ChangePasswordRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	if req.CurrentPassword == "" || req.NewPassword == "" {
+		http.Error(w, "Current password and new password are required", http.StatusBadRequest)
+		return
+	}
+
+	// Call auth service to change password
+	if err := h.authService.ChangePassword(userID, req.CurrentPassword, req.NewPassword); err != nil {
+		if err == service.ErrInvalidCredentials {
+			http.Error(w, "Current password is incorrect", http.StatusUnauthorized)
+		} else if err == service.ErrWeakPassword {
+			http.Error(w, "New password is too weak", http.StatusBadRequest)
+		} else {
+			http.Error(w, "Error changing password", http.StatusInternalServerError)
+		}
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]string{
+		"message": "Password changed successfully",
+	})
+}
--- a/backend/internal/api/handlers/company.go
+++ b/backend/internal/api/handlers/company.go
@@ -0,0 +1,90 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"aggios-app/backend/internal/api/middleware"
+	"aggios-app/backend/internal/domain"
+	"aggios-app/backend/internal/service"
+
+	"github.com/google/uuid"
+)
+
+// CompanyHandler handles company endpoints
+type CompanyHandler struct {
+	companyService *service.CompanyService
+}
+
+// NewCompanyHandler creates a new company handler
+func NewCompanyHandler(companyService *service.CompanyService) *CompanyHandler {
+	return &CompanyHandler{
+		companyService: companyService,
+	}
+}
+
+// Create handles company creation
+func (h *CompanyHandler) Create(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// Get user ID from context (set by auth middleware)
+	userIDStr, ok := r.Context().Value(middleware.UserIDKey).(string)
+	if !ok {
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	userID, err := uuid.Parse(userIDStr)
+	if err != nil {
+		http.Error(w, "Invalid user ID", http.StatusBadRequest)
+		return
+	}
+
+	var req domain.CreateCompanyRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	// TODO: Get tenantID from user context
+	// For now, this is a placeholder - you'll need to get the tenant from the authenticated user
+	tenantID := uuid.New() // Replace with actual tenant from user
+
+	company, err := h.companyService.Create(req, tenantID, userID)
+	if err != nil {
+		switch err {
+		case service.ErrCNPJAlreadyExists:
+			http.Error(w, err.Error(), http.StatusConflict)
+		default:
+			http.Error(w, "Internal server error", http.StatusInternalServerError)
+		}
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(company)
+}
+
+// List handles listing companies for a tenant
+func (h *CompanyHandler) List(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// TODO: Get tenantID from authenticated user
+	tenantID := uuid.New() // Replace with actual tenant from user
+
+	companies, err := h.companyService.ListByTenant(tenantID)
+	if err != nil {
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(companies)
+}
--- a/backend/internal/api/handlers/health.go
+++ b/backend/internal/api/handlers/health.go
@@ -0,0 +1,31 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+)
+
+// HealthHandler handles health check endpoint
+type HealthHandler struct{}
+
+// NewHealthHandler creates a new health handler
+func NewHealthHandler() *HealthHandler {
+	return &HealthHandler{}
+}
+
+// Check returns API health status
+func (h *HealthHandler) Check(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	response := map[string]interface{}{
+		"status":  "healthy",
+		"service": "aggios-api",
+		"version": "1.0.0",
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(response)
+}
--- a/backend/internal/api/handlers/tenant.go
+++ b/backend/internal/api/handlers/tenant.go
@@ -0,0 +1,42 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"aggios-app/backend/internal/domain"
+	"aggios-app/backend/internal/service"
+)
+
+// TenantHandler handles tenant/agency listing endpoints
+type TenantHandler struct {
+	tenantService *service.TenantService
+}
+
+// NewTenantHandler creates a new tenant handler
+func NewTenantHandler(tenantService *service.TenantService) *TenantHandler {
+	return &TenantHandler{
+		tenantService: tenantService,
+	}
+}
+
+// ListAll lists all agencies/tenants (SUPERADMIN only)
+func (h *TenantHandler) ListAll(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	tenants, err := h.tenantService.ListAll()
+	if err != nil {
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
+		return
+	}
+
+	if tenants == nil {
+		tenants = []*domain.Tenant{}
+	}
+
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	json.NewEncoder(w).Encode(tenants)
+}
--- a/backend/internal/api/middleware/auth.go
+++ b/backend/internal/api/middleware/auth.go
@@ -0,0 +1,53 @@
+package middleware
+
+import (
+	"context"
+	"net/http"
+	"strings"
+
+	"aggios-app/backend/internal/config"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+type contextKey string
+
+const UserIDKey contextKey = "userID"
+
+// Auth validates JWT tokens
+func Auth(cfg *config.Config) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			authHeader := r.Header.Get("Authorization")
+			if authHeader == "" {
+				http.Error(w, "Unauthorized", http.StatusUnauthorized)
+				return
+			}
+
+			bearerToken := strings.Split(authHeader, " ")
+			if len(bearerToken) != 2 || bearerToken[0] != "Bearer" {
+				http.Error(w, "Invalid token format", http.StatusUnauthorized)
+				return
+			}
+
+			token, err := jwt.Parse(bearerToken[1], func(token *jwt.Token) (interface{}, error) {
+				return []byte(cfg.JWT.Secret), nil
+			})
+
+			if err != nil || !token.Valid {
+				http.Error(w, "Invalid token", http.StatusUnauthorized)
+				return
+			}
+
+			claims, ok := token.Claims.(jwt.MapClaims)
+			if !ok {
+				http.Error(w, "Invalid token claims", http.StatusUnauthorized)
+				return
+			}
+
+			userID := claims["user_id"].(string)
+			ctx := context.WithValue(r.Context(), UserIDKey, userID)
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
--- a/backend/internal/api/middleware/cors.go
+++ b/backend/internal/api/middleware/cors.go
@@ -0,0 +1,34 @@
+package middleware
+
+import (
+	"net/http"
+
+	"aggios-app/backend/internal/config"
+)
+
+// CORS adds CORS headers to responses
+func CORS(cfg *config.Config) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			origin := r.Header.Get("Origin")
+			
+			// Allow all localhost origins for development
+			if origin != "" {
+				w.Header().Set("Access-Control-Allow-Origin", origin)
+				w.Header().Set("Access-Control-Allow-Credentials", "true")
+			}
+			
+			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
+			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, Host")
+			w.Header().Set("Access-Control-Max-Age", "3600")
+
+			// Handle preflight request
+			if r.Method == "OPTIONS" {
+				w.WriteHeader(http.StatusOK)
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
--- a/backend/internal/api/middleware/ratelimit.go
+++ b/backend/internal/api/middleware/ratelimit.go
@@ -0,0 +1,96 @@
+package middleware
+
+import (
+	"net/http"
+	"sync"
+	"time"
+
+	"aggios-app/backend/internal/config"
+)
+
+type rateLimiter struct {
+	mu       sync.Mutex
+	attempts map[string][]time.Time
+	maxAttempts int
+}
+
+func newRateLimiter(maxAttempts int) *rateLimiter {
+	rl := &rateLimiter{
+		attempts: make(map[string][]time.Time),
+		maxAttempts: maxAttempts,
+	}
+	
+	// Clean old entries every minute
+	go func() {
+		ticker := time.NewTicker(1 * time.Minute)
+		defer ticker.Stop()
+		for range ticker.C {
+			rl.cleanup()
+		}
+	}()
+	
+	return rl
+}
+
+func (rl *rateLimiter) cleanup() {
+	rl.mu.Lock()
+	defer rl.mu.Unlock()
+	
+	now := time.Now()
+	for ip, attempts := range rl.attempts {
+		var valid []time.Time
+		for _, t := range attempts {
+			if now.Sub(t) < time.Minute {
+				valid = append(valid, t)
+			}
+		}
+		if len(valid) == 0 {
+			delete(rl.attempts, ip)
+		} else {
+			rl.attempts[ip] = valid
+		}
+	}
+}
+
+func (rl *rateLimiter) isAllowed(ip string) bool {
+	rl.mu.Lock()
+	defer rl.mu.Unlock()
+	
+	now := time.Now()
+	attempts := rl.attempts[ip]
+	
+	// Filter attempts within the last minute
+	var validAttempts []time.Time
+	for _, t := range attempts {
+		if now.Sub(t) < time.Minute {
+			validAttempts = append(validAttempts, t)
+		}
+	}
+	
+	if len(validAttempts) >= rl.maxAttempts {
+		return false
+	}
+	
+	validAttempts = append(validAttempts, now)
+	rl.attempts[ip] = validAttempts
+	
+	return true
+}
+
+// RateLimit limits requests per IP address
+func RateLimit(cfg *config.Config) func(http.Handler) http.Handler {
+	limiter := newRateLimiter(cfg.Security.MaxAttemptsPerMin)
+	
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ip := r.RemoteAddr
+			
+			if !limiter.isAllowed(ip) {
+				http.Error(w, "Too many requests", http.StatusTooManyRequests)
+				return
+			}
+			
+			next.ServeHTTP(w, r)
+		})
+	}
+}
--- a/backend/internal/api/middleware/security.go
+++ b/backend/internal/api/middleware/security.go
@@ -0,0 +1,17 @@
+package middleware
+
+import (
+	"net/http"
+)
+
+// SecurityHeaders adds security headers to responses
+func SecurityHeaders(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("X-Frame-Options", "DENY")
+		w.Header().Set("X-XSS-Protection", "1; mode=block")
+		w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
+		
+		next.ServeHTTP(w, r)
+	})
+}
--- a/backend/internal/api/middleware/tenant.go
+++ b/backend/internal/api/middleware/tenant.go
@@ -0,0 +1,56 @@
+package middleware
+
+import (
+	"context"
+	"net/http"
+	"strings"
+
+	"aggios-app/backend/internal/repository"
+)
+
+type tenantContextKey string
+
+const TenantIDKey tenantContextKey = "tenantID"
+const SubdomainKey tenantContextKey = "subdomain"
+
+// TenantDetector detects tenant from subdomain
+func TenantDetector(tenantRepo *repository.TenantRepository) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			host := r.Host
+			
+			// Extract subdomain
+			// Examples:
+			// - agencia-xyz.localhost -> agencia-xyz
+			// - agencia-xyz.aggios.app -> agencia-xyz
+			// - dash.localhost -> dash (master admin)
+			// - localhost -> (institutional site)
+			
+			parts := strings.Split(host, ".")
+			var subdomain string
+			
+			if len(parts) >= 2 {
+				// Has subdomain
+				subdomain = parts[0]
+				
+				// Remove port if present
+				if strings.Contains(subdomain, ":") {
+					subdomain = strings.Split(subdomain, ":")[0]
+				}
+			}
+			
+			// Add subdomain to context
+			ctx := context.WithValue(r.Context(), SubdomainKey, subdomain)
+			
+			// If subdomain is not empty and not "dash" or "api", try to find tenant
+			if subdomain != "" && subdomain != "dash" && subdomain != "api" && subdomain != "localhost" {
+				tenant, err := tenantRepo.FindBySubdomain(subdomain)
+				if err == nil && tenant != nil {
+					ctx = context.WithValue(ctx, TenantIDKey, tenant.ID.String())
+				}
+			}
+			
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}