v1.4: Segurança multi-tenant, file serving via API e UX humanizada

- Validação cross-tenant no login e rotas protegidas - File serving via /api/files/{bucket}/{path} (eliminação DNS) - Mensagens de erro humanizadas inline (sem pop-ups) - Middleware tenant detection via headers customizados - Upload de logos retorna URLs via API - README atualizado com changelog v1.4 completo
2025-12-13 15:05:51 -03:00
parent 04c954c3d9
commit 2f1cf2bb2a
42 changed files with 2215 additions and 872 deletions
--- a/backend/internal/api/handlers/agency_logo.go
+++ b/backend/internal/api/handlers/agency_logo.go
@@ -9,6 +9,7 @@ import (
 	"log"
 	"net/http"
 	"path/filepath"
+	"strings"
 	"time"

 	"aggios-app/backend/internal/api/middleware"
@@ -172,20 +173,28 @@ func (h *AgencyHandler) UploadLogo(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	// Generate public URL
-	logoURL := fmt.Sprintf("http://localhost:9000/%s/%s", bucketName, filename)
+	// Generate public URL through API (not direct MinIO access)
+	// This is more secure and doesn't require DNS configuration
+	logoURL := fmt.Sprintf("http://api.localhost/api/files/%s/%s", bucketName, filename)
 	
 	log.Printf("Logo uploaded successfully: %s", logoURL)

 	// Delete old logo file from MinIO if exists
 	if currentLogoURL != "" && currentLogoURL != "https://via.placeholder.com/150" {
 		// Extract object key from URL
-		// Example: http://localhost:9000/aggios-logos/tenants/uuid/logo-123.png -> tenants/uuid/logo-123.png
+		// Example: http://api.localhost/api/files/aggios-logos/tenants/uuid/logo-123.png -> tenants/uuid/logo-123.png
 		oldFilename := ""
 		if len(currentLogoURL) > 0 {
-			// Split by bucket name
-			if idx := len("http://localhost:9000/aggios-logos/"); idx < len(currentLogoURL) {
-				oldFilename = currentLogoURL[idx:]
+			// Split by /api/files/{bucket}/ to get the file path
+			apiPrefix := fmt.Sprintf("http://api.localhost/api/files/%s/", bucketName)
+			if strings.HasPrefix(currentLogoURL, apiPrefix) {
+				oldFilename = strings.TrimPrefix(currentLogoURL, apiPrefix)
+			} else {
+				// Fallback for old MinIO URLs
+				baseURL := fmt.Sprintf("%s/%s/", h.config.Minio.PublicURL, bucketName)
+				if len(currentLogoURL) > len(baseURL) {
+					oldFilename = currentLogoURL[len(baseURL):]
+				}
 			}
 		}
 		
@@ -202,6 +211,8 @@ func (h *AgencyHandler) UploadLogo(w http.ResponseWriter, r *http.Request) {

 	// Update tenant record in database
 	var err2 error
+	log.Printf("Updating database: tenant_id=%s, logo_type=%s, logo_url=%s", tenantID, logoType, logoURL)
+	
 	if logoType == "horizontal" {
 		_, err2 = h.tenantRepo.DB().Exec("UPDATE tenants SET logo_horizontal_url = $1, updated_at = NOW() WHERE id = $2", logoURL, tenantID)
 	} else {
@@ -209,10 +220,12 @@ func (h *AgencyHandler) UploadLogo(w http.ResponseWriter, r *http.Request) {
 	}

 	if err2 != nil {
-		log.Printf("Failed to update logo: %v", err2)
-		http.Error(w, "Failed to update database", http.StatusInternalServerError)
+		log.Printf("ERROR: Failed to update logo in database: %v", err2)
+		http.Error(w, fmt.Sprintf("Failed to update database: %v", err2), http.StatusInternalServerError)
 		return
 	}
+	
+	log.Printf("SUCCESS: Logo saved to database successfully!")

 	// Return success response
 	response := map[string]string{
--- a/backend/internal/api/handlers/agency_profile.go
+++ b/backend/internal/api/handlers/agency_profile.go
@@ -6,6 +6,7 @@ import (
 	"net/http"

 	"aggios-app/backend/internal/api/middleware"
+	"aggios-app/backend/internal/config"
 	"aggios-app/backend/internal/repository"

 	"github.com/google/uuid"
@@ -13,11 +14,13 @@ import (

 type AgencyHandler struct {
 	tenantRepo *repository.TenantRepository
+	config     *config.Config
 }

-func NewAgencyHandler(tenantRepo *repository.TenantRepository) *AgencyHandler {
+func NewAgencyHandler(tenantRepo *repository.TenantRepository, cfg *config.Config) *AgencyHandler {
 	return &AgencyHandler{
 		tenantRepo: tenantRepo,
+		config:     cfg,
 	}
 }

--- a/backend/internal/api/handlers/auth.go
+++ b/backend/internal/api/handlers/auth.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"strings"

+	"aggios-app/backend/internal/api/middleware"
 	"aggios-app/backend/internal/domain"
 	"aggios-app/backend/internal/service"
 )
@@ -96,6 +97,23 @@ func (h *AuthHandler) Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	// VALIDAÇÃO DE SEGURANÇA: Verificar se o tenant do usuário corresponde ao subdomain acessado
+	tenantIDFromContext := ""
+	if ctxTenantID := r.Context().Value(middleware.TenantIDKey); ctxTenantID != nil {
+		tenantIDFromContext, _ = ctxTenantID.(string)
+	}
+
+	// Se foi detectado um tenant no contexto (não é superadmin ou site institucional)
+	if tenantIDFromContext != "" && response.User.TenantID != nil {
+		userTenantID := response.User.TenantID.String()
+		if userTenantID != tenantIDFromContext {
+			log.Printf("❌ LOGIN BLOCKED: User from tenant %s tried to login in tenant %s subdomain",  userTenantID, tenantIDFromContext)
+			http.Error(w, "Forbidden: Invalid credentials for this tenant", http.StatusForbidden)
+			return
+		}
+		log.Printf("✅ TENANT LOGIN VALIDATION PASSED: %s", userTenantID)
+	}
+
 	log.Printf("✅ Login successful for %s, role=%s", response.User.Email, response.User.Role)
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(response)
--- a/backend/internal/api/handlers/files.go
+++ b/backend/internal/api/handlers/files.go
@@ -0,0 +1,87 @@
+package handlers
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"strings"
+
+	"aggios-app/backend/internal/config"
+
+	"github.com/gorilla/mux"
+	"github.com/minio/minio-go/v7"
+	"github.com/minio/minio-go/v7/pkg/credentials"
+)
+
+type FilesHandler struct {
+	config *config.Config
+}
+
+func NewFilesHandler(cfg *config.Config) *FilesHandler {
+	return &FilesHandler{
+		config: cfg,
+	}
+}
+
+// ServeFile serves files from MinIO through the API
+func (h *FilesHandler) ServeFile(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	bucket := vars["bucket"]
+	
+	// Get the file path (everything after /api/files/{bucket}/)
+	prefix := fmt.Sprintf("/api/files/%s/", bucket)
+	filePath := strings.TrimPrefix(r.URL.Path, prefix)
+	
+	if filePath == "" {
+		http.Error(w, "File path is required", http.StatusBadRequest)
+		return
+	}
+
+	log.Printf("📁 Serving file: bucket=%s, path=%s", bucket, filePath)
+
+	// Initialize MinIO client
+	minioClient, err := minio.New("aggios-minio:9000", &minio.Options{
+		Creds:  credentials.NewStaticV4("minioadmin", "M1n10_S3cur3_P@ss_2025!", ""),
+		Secure: false,
+	})
+	if err != nil {
+		log.Printf("Failed to create MinIO client: %v", err)
+		http.Error(w, "Storage service unavailable", http.StatusInternalServerError)
+		return
+	}
+
+	// Get object from MinIO
+	ctx := context.Background()
+	object, err := minioClient.GetObject(ctx, bucket, filePath, minio.GetObjectOptions{})
+	if err != nil {
+		log.Printf("Failed to get object: %v", err)
+		http.Error(w, "File not found", http.StatusNotFound)
+		return
+	}
+	defer object.Close()
+
+	// Get object info for content type and size
+	objInfo, err := object.Stat()
+	if err != nil {
+		log.Printf("Failed to stat object: %v", err)
+		http.Error(w, "File not found", http.StatusNotFound)
+		return
+	}
+
+	// Set appropriate headers
+	w.Header().Set("Content-Type", objInfo.ContentType)
+	w.Header().Set("Content-Length", fmt.Sprintf("%d", objInfo.Size))
+	w.Header().Set("Cache-Control", "public, max-age=31536000") // Cache for 1 year
+	w.Header().Set("Access-Control-Allow-Origin", "*")
+
+	// Copy file content to response
+	_, err = io.Copy(w, object)
+	if err != nil {
+		log.Printf("Failed to copy object content: %v", err)
+		return
+	}
+
+	log.Printf("✅ File served successfully: %s", filePath)
+}
--- a/backend/internal/api/handlers/tenant.go
+++ b/backend/internal/api/handlers/tenant.go
@@ -67,3 +67,39 @@ func (h *TenantHandler) CheckExists(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json; charset=utf-8")
 	json.NewEncoder(w).Encode(map[string]string{"status": "ok"})
 }
+
+// GetPublicConfig returns public branding info for a tenant by subdomain
+func (h *TenantHandler) GetPublicConfig(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	subdomain := r.URL.Query().Get("subdomain")
+	if subdomain == "" {
+		http.Error(w, "subdomain is required", http.StatusBadRequest)
+		return
+	}
+
+	tenant, err := h.tenantService.GetBySubdomain(subdomain)
+	if err != nil {
+		if err == service.ErrTenantNotFound {
+			http.NotFound(w, r)
+			return
+		}
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
+		return
+	}
+
+	// Return only public info
+	response := map[string]string{
+		"name":                tenant.Name,
+		"primary_color":       tenant.PrimaryColor,
+		"secondary_color":     tenant.SecondaryColor,
+		"logo_url":            tenant.LogoURL,
+		"logo_horizontal_url": tenant.LogoHorizontalURL,
+	}
+
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	json.NewEncoder(w).Encode(response)
+}
--- a/backend/internal/api/middleware/auth.go
+++ b/backend/internal/api/middleware/auth.go
@@ -2,6 +2,7 @@ package middleware

 import (
 	"context"
+	"log"
 	"net/http"
 	"strings"

@@ -59,13 +60,40 @@ func Auth(cfg *config.Config) func(http.Handler) http.Handler {
 		}

 		// tenant_id pode ser nil para SuperAdmin
-		var tenantID string
+		var tenantIDFromJWT string
 		if tenantIDClaim, ok := claims["tenant_id"]; ok && tenantIDClaim != nil {
-			tenantID, _ = tenantIDClaim.(string)
+			tenantIDFromJWT, _ = tenantIDClaim.(string)
 		}

-		ctx := context.WithValue(r.Context(), UserIDKey, userID)
-		ctx = context.WithValue(ctx, TenantIDKey, tenantID)
+		// VALIDAÇÃO DE SEGURANÇA: Verificar se o tenant_id do JWT corresponde ao subdomínio acessado
+		// Pegar o tenant_id do contexto (detectado pelo TenantDetector middleware ANTES deste)
+		tenantIDFromContext := ""
+		if ctxTenantID := r.Context().Value(TenantIDKey); ctxTenantID != nil {
+			tenantIDFromContext, _ = ctxTenantID.(string)
+		}
+
+		log.Printf("🔐 AUTH VALIDATION: JWT tenant=%s | Context tenant=%s | Path=%s", 
+			tenantIDFromJWT, tenantIDFromContext, r.RequestURI)
+
+		// Se o usuário não é SuperAdmin (tem tenant_id) e está acessando uma agência (subdomain detectado)
+		if tenantIDFromJWT != "" && tenantIDFromContext != "" {
+			// Validar se o tenant_id do JWT corresponde ao tenant detectado
+			if tenantIDFromJWT != tenantIDFromContext {
+				log.Printf("❌ CROSS-TENANT ACCESS BLOCKED: User from tenant %s tried to access tenant %s", 
+					tenantIDFromJWT, tenantIDFromContext)
+				http.Error(w, "Forbidden: You don't have access to this tenant", http.StatusForbidden)
+				return
+			}
+			log.Printf("✅ TENANT VALIDATION PASSED: %s", tenantIDFromJWT)
+		}
+
+		// Preservar TODOS os valores do contexto anterior (incluindo o tenantID do TenantDetector)
+		ctx := r.Context()
+		ctx = context.WithValue(ctx, UserIDKey, userID)
+		// Só sobrescrever o TenantIDKey se vier do JWT (para não perder o do TenantDetector)
+		if tenantIDFromJWT != "" {
+			ctx = context.WithValue(ctx, TenantIDKey, tenantIDFromJWT)
+		}
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
 }
--- a/backend/internal/api/middleware/tenant.go
+++ b/backend/internal/api/middleware/tenant.go
@@ -16,15 +16,25 @@ func TenantDetector(tenantRepo *repository.TenantRepository) func(http.Handler)
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// Get host from X-Forwarded-Host header (set by Next.js proxy) or Host header
-			host := r.Header.Get("X-Forwarded-Host")
-			if host == "" {
-				host = r.Header.Get("X-Original-Host")
-			}
-			if host == "" {
-				host = r.Host
-			}
+			// Priority order: X-Tenant-Subdomain (set by Next.js middleware) > X-Forwarded-Host > X-Original-Host > Host
+			tenantSubdomain := r.Header.Get("X-Tenant-Subdomain")
 			
-			log.Printf("TenantDetector: host = %s (from headers), path = %s", host, r.RequestURI)
+			var host string
+			if tenantSubdomain != "" {
+				// Use direct subdomain from Next.js middleware
+				host = tenantSubdomain
+				log.Printf("TenantDetector: using X-Tenant-Subdomain = %s", tenantSubdomain)
+			} else {
+				// Fallback to extracting from host headers
+				host = r.Header.Get("X-Forwarded-Host")
+				if host == "" {
+					host = r.Header.Get("X-Original-Host")
+				}
+				if host == "" {
+					host = r.Host
+				}
+				log.Printf("TenantDetector: host = %s (from headers), path = %s", host, r.RequestURI)
+			}
 			
 			// Extract subdomain
 			// Examples:
@@ -33,17 +43,28 @@ func TenantDetector(tenantRepo *repository.TenantRepository) func(http.Handler)
 			// - dash.localhost -> dash (master admin)
 			// - localhost -> (institutional site)
 			
-			parts := strings.Split(host, ".")
 			var subdomain string
 			
-			if len(parts) >= 2 {
-				// Has subdomain
-				subdomain = parts[0]
-				
+			// If we got the subdomain directly from X-Tenant-Subdomain, use it
+			if tenantSubdomain != "" {
+				subdomain = tenantSubdomain
 				// Remove port if present
 				if strings.Contains(subdomain, ":") {
 					subdomain = strings.Split(subdomain, ":")[0]
 				}
+			} else {
+				// Extract from host
+				parts := strings.Split(host, ".")
+				
+				if len(parts) >= 2 {
+					// Has subdomain
+					subdomain = parts[0]
+					
+					// Remove port if present
+					if strings.Contains(subdomain, ":") {
+						subdomain = strings.Split(subdomain, ":")[0]
+					}
+				}
 			}
 			
 			log.Printf("TenantDetector: extracted subdomain = %s", subdomain)
--- a/backend/internal/config/config.go
+++ b/backend/internal/config/config.go
@@ -49,6 +49,7 @@ type SecurityConfig struct {
 // MinioConfig holds MinIO configuration
 type MinioConfig struct {
 	Endpoint     string
+	PublicURL    string // URL pública para acesso ao MinIO (para gerar links)
 	RootUser     string
 	RootPassword string
 	UseSSL       bool
@@ -64,9 +65,9 @@ func Load() *Config {
 	}

 	// Rate limit: more lenient in dev, strict in prod
-	maxAttempts := 30
+	maxAttempts := 1000 // Aumentado drasticamente para evitar 429 durante debug
 	if env == "production" {
-		maxAttempts = 5
+		maxAttempts = 100 // Mais restritivo em produção
 	}

 	return &Config{
@@ -102,6 +103,7 @@ func Load() *Config {
 		},
 		Minio: MinioConfig{
 			Endpoint:     getEnvOrDefault("MINIO_ENDPOINT", "minio:9000"),
+			PublicURL:    getEnvOrDefault("MINIO_PUBLIC_URL", "http://localhost:9000"),
 			RootUser:     getEnvOrDefault("MINIO_ROOT_USER", "minioadmin"),
 			RootPassword: getEnvOrDefault("MINIO_ROOT_PASSWORD", "changeme"),
 			UseSSL:       getEnvOrDefault("MINIO_USE_SSL", "false") == "true",
--- a/backend/internal/repository/tenant_repository.go
+++ b/backend/internal/repository/tenant_repository.go
@@ -188,17 +188,23 @@ func (r *TenantRepository) FindByID(id uuid.UUID) (*domain.Tenant, error) {
 // FindBySubdomain finds a tenant by subdomain
 func (r *TenantRepository) FindBySubdomain(subdomain string) (*domain.Tenant, error) {
 	query := `
-		SELECT id, name, domain, subdomain, created_at, updated_at
+		SELECT id, name, domain, subdomain, primary_color, secondary_color, logo_url, logo_horizontal_url, created_at, updated_at
 		FROM tenants
 		WHERE subdomain = $1
 	`

 	tenant := &domain.Tenant{}
+	var primaryColor, secondaryColor, logoURL, logoHorizontalURL sql.NullString
+
 	err := r.db.QueryRow(query, subdomain).Scan(
 		&tenant.ID,
 		&tenant.Name,
 		&tenant.Domain,
 		&tenant.Subdomain,
+		&primaryColor,
+		&secondaryColor,
+		&logoURL,
+		&logoHorizontalURL,
 		&tenant.CreatedAt,
 		&tenant.UpdatedAt,
 	)
@@ -207,7 +213,24 @@ func (r *TenantRepository) FindBySubdomain(subdomain string) (*domain.Tenant, er
 		return nil, nil
 	}

-	return tenant, err
+	if err != nil {
+		return nil, err
+	}
+
+	if primaryColor.Valid {
+		tenant.PrimaryColor = primaryColor.String
+	}
+	if secondaryColor.Valid {
+		tenant.SecondaryColor = secondaryColor.String
+	}
+	if logoURL.Valid {
+		tenant.LogoURL = logoURL.String
+	}
+	if logoHorizontalURL.Valid {
+		tenant.LogoHorizontalURL = logoHorizontalURL.String
+	}
+
+	return tenant, nil
 }

 // SubdomainExists checks if a subdomain is already taken