Gava/agenciapsilmno
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

freemium F3a: blacklist de e-mails e slugs

Browse Source 
- tabela blacklist (kind email|slug, value normalizado, RLS saas_admin)
- is_email_blacklisted (exato + '@dominio.com') / is_slug_blacklisted
- trigger BEFORE INSERT em auth.users bloqueia cadastro DE VERDADE (EMAIL_BLOCKED)
- slug_disponivel passa a retornar motivo 'bloqueado'
- testado em ROLLBACK: email exato/dominio/signUp/slug

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Leonardo
2026-06-13 19:30:55 -03:00
parent 5a87c29dd0
commit c189906c58
1 changed files with 104 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
database-novo/manual/freemium_f3a_blacklist.supabase_admin.sql
+104
View File
@@ -0,0 +1,104 @@
-- =============================================================================
-- Freemium F3a — Blacklist de e-mails e slugs
--
-- ⚠️ APLICAR COMO supabase_admin (cria trigger em auth.users + altera
-- slug_disponivel, que é owned por supabase_admin).
--
-- Tabela blacklist (kind email|slug). E-mail bloqueia o cadastro DE VERDADE via
-- trigger BEFORE INSERT em auth.users (não só no front); suporta domínio inteiro
-- com entrada '@dominio.com'. Slug integra no slug_disponivel (motivo 'bloqueado').
-- Gerida por saas_admin (dev) em Configurações.
-- =============================================================================
BEGIN;
CREATE TABLE IF NOT EXISTS public.blacklist (
id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
kind text NOT NULL CHECK (kind IN ('email','slug')),
value text NOT NULL,
note text,
created_by uuid,
created_at timestamptz NOT NULL DEFAULT now(),
UNIQUE (kind, value)
);
-- normaliza value (lower+trim) sempre
CREATE OR REPLACE FUNCTION public.blacklist_normalize()
RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
NEW.value := lower(trim(NEW.value));
IF NEW.value = '' THEN RAISE EXCEPTION 'valor vazio'; END IF;
RETURN NEW;
END $$;
DROP TRIGGER IF EXISTS trg_blacklist_normalize ON public.blacklist;
CREATE TRIGGER trg_blacklist_normalize BEFORE INSERT OR UPDATE ON public.blacklist
FOR EACH ROW EXECUTE FUNCTION public.blacklist_normalize();
-- RLS: só saas_admin gere
ALTER TABLE public.blacklist ENABLE ROW LEVEL SECURITY;
DROP POLICY IF EXISTS blacklist_saas_admin ON public.blacklist;
CREATE POLICY blacklist_saas_admin ON public.blacklist
FOR ALL USING (public.is_saas_admin()) WITH CHECK (public.is_saas_admin());
-- helpers ----------------------------------------------------------------------
CREATE OR REPLACE FUNCTION public.is_email_blacklisted(p_email text)
RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER SET search_path TO 'public','pg_temp'
AS $$
SELECT EXISTS (
SELECT 1 FROM public.blacklist
WHERE kind = 'email'
AND value IN (
lower(trim(p_email)),
'@' || split_part(lower(trim(p_email)), '@', 2)
)
);
$$;
ALTER FUNCTION public.is_email_blacklisted(text) OWNER TO supabase_admin;
CREATE OR REPLACE FUNCTION public.is_slug_blacklisted(p_slug text)
RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER SET search_path TO 'public','pg_temp'
AS $$
SELECT EXISTS (SELECT 1 FROM public.blacklist WHERE kind = 'slug' AND value = lower(trim(p_slug)));
$$;
ALTER FUNCTION public.is_slug_blacklisted(text) OWNER TO supabase_admin;
-- trigger de bloqueio real no cadastro -----------------------------------------
CREATE OR REPLACE FUNCTION public.enforce_email_blacklist()
RETURNS trigger LANGUAGE plpgsql SECURITY DEFINER SET search_path TO 'public','pg_temp'
AS $$
BEGIN
IF NEW.email IS NOT NULL AND public.is_email_blacklisted(NEW.email) THEN
RAISE EXCEPTION 'EMAIL_BLOCKED' USING ERRCODE = 'P0001';
END IF;
RETURN NEW;
END $$;
ALTER FUNCTION public.enforce_email_blacklist() OWNER TO supabase_admin;
DROP TRIGGER IF EXISTS trg_enforce_email_blacklist ON auth.users;
CREATE TRIGGER trg_enforce_email_blacklist BEFORE INSERT ON auth.users
FOR EACH ROW EXECUTE FUNCTION public.enforce_email_blacklist();
-- integra no slug_disponivel (motivo 'bloqueado') ------------------------------
CREATE OR REPLACE FUNCTION public.slug_disponivel(p_slug text)
RETURNS jsonb
LANGUAGE plpgsql STABLE SECURITY DEFINER SET search_path TO 'public','pg_temp'
AS $$
DECLARE
v text := lower(trim(coalesce(p_slug, '')));
v_reservados text[] := ARRAY['public','tenant','admin','www','api','app','auth','supabase','postgres','saas','suporte','support'];
BEGIN
IF length(v) < 3 THEN RETURN jsonb_build_object('ok', false, 'motivo', 'curto'); END IF;
IF length(v) > 48 THEN RETURN jsonb_build_object('ok', false, 'motivo', 'longo'); END IF;
IF v !~ '^[a-z][a-z0-9_]*$' THEN RETURN jsonb_build_object('ok', false, 'motivo', 'invalido'); END IF;
IF v = ANY(v_reservados) THEN RETURN jsonb_build_object('ok', false, 'motivo', 'reservado'); END IF;
IF public.is_slug_blacklisted(v) THEN RETURN jsonb_build_object('ok', false, 'motivo', 'bloqueado'); END IF;
IF EXISTS (SELECT 1 FROM public.tenants WHERE slug = v) THEN RETURN jsonb_build_object('ok', false, 'motivo', 'em_uso'); END IF;
RETURN jsonb_build_object('ok', true, 'motivo', 'disponivel');
END $$;
ALTER FUNCTION public.slug_disponivel(text) OWNER TO supabase_admin;
REVOKE ALL ON FUNCTION public.slug_disponivel(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.slug_disponivel(text) TO anon, authenticated, service_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON public.blacklist TO authenticated;
COMMIT;