Leonardo
7c20b518d4
Repositorio estava ha ~5 sessoes sem commit. Consolida tudo desde d088a89.
Ver commit.md na raiz para descricao completa por sessao.
# Numeros
- A# auditoria abertos: 0/30
- V# verificacoes abertos: 5/52 (todos adiados com plano)
- T# testes escritos: 10/10
- Vitest: 192/192
- SQL integration: 33/33
- E2E (Playwright, novo): 5/5
- Migrations: 17 (10 novas Sessao 6)
- Areas auditadas: 7 (+documentos com 10 V#)
# Highlights Sessao 6 (hoje)
- V#34/V#41 Opcao B2: tenant_features com plano + override (RPC SECURITY DEFINER, tela /saas/tenant-features)
- A#20 rev2 self-hosted: defesa em 5 camadas (honeypot + rate limit + math captcha condicional + paranoid mode + dashboard /saas/security)
- Documentos hardening (V#43-V#49): tenant scoping em storage policies (vazamento entre clinicas eliminado), RPC validate_share_token, signatures policy granular
- SaaS Twilio Config (/saas/twilio-config): UI editavel para SID/webhook/cotacao; AUTH_TOKEN permanece em env var
- T#9 + T#10: useAgendaEvents.spec.js + Playwright E2E (descobriu bug no front que foi corrigido)
# Sessoes anteriores (1-5) consolidadas
- Sessao 1: auth/router/session, normalizeRole extraido
- Sessao 2: agenda - composables/services consolidados
- Sessao 3: pacientes - tenant_id em todas queries
- Sessao 4: security review pagina publica - 14/15 vulnerabilidades corrigidas
- Sessao 5: SaaS - P0 (A#30: 7 tabelas com RLS off corrigidas)
# .gitignore ajustado
- supabase/* + !supabase/functions/ (mantem 10 edge functions, ignora .temp/migrations gerados pelo CLI)
- database-novo/backups/ (regeneravel via db.cjs backup)
- test-results/ + playwright-report/
- .claude/settings.local.json (config local com senha de dev removida do tracking)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
224 lines
8.1 KiB
PL/PgSQL
224 lines
8.1 KiB
PL/PgSQL
-- Functions: extensions
|
|
-- Gerado automaticamente em 2026-04-17T12:23:05.222Z
|
|
-- Total: 6
|
|
|
|
CREATE FUNCTION extensions.grant_pg_cron_access() RETURNS event_trigger
|
|
LANGUAGE plpgsql
|
|
AS $$
|
|
BEGIN
|
|
IF EXISTS (
|
|
SELECT
|
|
FROM pg_event_trigger_ddl_commands() AS ev
|
|
JOIN pg_extension AS ext
|
|
ON ev.objid = ext.oid
|
|
WHERE ext.extname = 'pg_cron'
|
|
)
|
|
THEN
|
|
grant usage on schema cron to postgres with grant option;
|
|
|
|
alter default privileges in schema cron grant all on tables to postgres with grant option;
|
|
alter default privileges in schema cron grant all on functions to postgres with grant option;
|
|
alter default privileges in schema cron grant all on sequences to postgres with grant option;
|
|
|
|
alter default privileges for user supabase_admin in schema cron grant all
|
|
on sequences to postgres with grant option;
|
|
alter default privileges for user supabase_admin in schema cron grant all
|
|
on tables to postgres with grant option;
|
|
alter default privileges for user supabase_admin in schema cron grant all
|
|
on functions to postgres with grant option;
|
|
|
|
grant all privileges on all tables in schema cron to postgres with grant option;
|
|
revoke all on table cron.job from postgres;
|
|
grant select on table cron.job to postgres with grant option;
|
|
END IF;
|
|
END;
|
|
$$;
|
|
|
|
CREATE FUNCTION extensions.grant_pg_graphql_access() RETURNS event_trigger
|
|
LANGUAGE plpgsql
|
|
AS $_$
|
|
DECLARE
|
|
func_is_graphql_resolve bool;
|
|
BEGIN
|
|
func_is_graphql_resolve = (
|
|
SELECT n.proname = 'resolve'
|
|
FROM pg_event_trigger_ddl_commands() AS ev
|
|
LEFT JOIN pg_catalog.pg_proc AS n
|
|
ON ev.objid = n.oid
|
|
);
|
|
|
|
IF func_is_graphql_resolve
|
|
THEN
|
|
-- Update public wrapper to pass all arguments through to the pg_graphql resolve func
|
|
DROP FUNCTION IF EXISTS graphql_public.graphql;
|
|
create or replace function graphql_public.graphql(
|
|
"operationName" text default null,
|
|
query text default null,
|
|
variables jsonb default null,
|
|
extensions jsonb default null
|
|
)
|
|
returns jsonb
|
|
language sql
|
|
as $$
|
|
select graphql.resolve(
|
|
query := query,
|
|
variables := coalesce(variables, '{}'),
|
|
"operationName" := "operationName",
|
|
extensions := extensions
|
|
);
|
|
$$;
|
|
|
|
-- This hook executes when `graphql.resolve` is created. That is not necessarily the last
|
|
-- function in the extension so we need to grant permissions on existing entities AND
|
|
-- update default permissions to any others that are created after `graphql.resolve`
|
|
grant usage on schema graphql to postgres, anon, authenticated, service_role;
|
|
grant select on all tables in schema graphql to postgres, anon, authenticated, service_role;
|
|
grant execute on all functions in schema graphql to postgres, anon, authenticated, service_role;
|
|
grant all on all sequences in schema graphql to postgres, anon, authenticated, service_role;
|
|
alter default privileges in schema graphql grant all on tables to postgres, anon, authenticated, service_role;
|
|
alter default privileges in schema graphql grant all on functions to postgres, anon, authenticated, service_role;
|
|
alter default privileges in schema graphql grant all on sequences to postgres, anon, authenticated, service_role;
|
|
|
|
-- Allow postgres role to allow granting usage on graphql and graphql_public schemas to custom roles
|
|
grant usage on schema graphql_public to postgres with grant option;
|
|
grant usage on schema graphql to postgres with grant option;
|
|
END IF;
|
|
|
|
END;
|
|
$_$;
|
|
|
|
CREATE FUNCTION extensions.grant_pg_net_access() RETURNS event_trigger
|
|
LANGUAGE plpgsql
|
|
AS $$
|
|
BEGIN
|
|
IF EXISTS (
|
|
SELECT 1
|
|
FROM pg_event_trigger_ddl_commands() AS ev
|
|
JOIN pg_extension AS ext
|
|
ON ev.objid = ext.oid
|
|
WHERE ext.extname = 'pg_net'
|
|
)
|
|
THEN
|
|
GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres, anon, authenticated, service_role;
|
|
|
|
ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
|
|
ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
|
|
|
|
ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
|
|
ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
|
|
|
|
REVOKE ALL ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
|
|
REVOKE ALL ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
|
|
|
|
GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
|
|
GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
|
|
END IF;
|
|
END;
|
|
$$;
|
|
|
|
CREATE FUNCTION extensions.pgrst_ddl_watch() RETURNS event_trigger
|
|
LANGUAGE plpgsql
|
|
AS $$
|
|
DECLARE
|
|
cmd record;
|
|
BEGIN
|
|
FOR cmd IN SELECT * FROM pg_event_trigger_ddl_commands()
|
|
LOOP
|
|
IF cmd.command_tag IN (
|
|
'CREATE SCHEMA', 'ALTER SCHEMA'
|
|
, 'CREATE TABLE', 'CREATE TABLE AS', 'SELECT INTO', 'ALTER TABLE'
|
|
, 'CREATE FOREIGN TABLE', 'ALTER FOREIGN TABLE'
|
|
, 'CREATE VIEW', 'ALTER VIEW'
|
|
, 'CREATE MATERIALIZED VIEW', 'ALTER MATERIALIZED VIEW'
|
|
, 'CREATE FUNCTION', 'ALTER FUNCTION'
|
|
, 'CREATE TRIGGER'
|
|
, 'CREATE TYPE', 'ALTER TYPE'
|
|
, 'CREATE RULE'
|
|
, 'COMMENT'
|
|
)
|
|
-- don't notify in case of CREATE TEMP table or other objects created on pg_temp
|
|
AND cmd.schema_name is distinct from 'pg_temp'
|
|
THEN
|
|
NOTIFY pgrst, 'reload schema';
|
|
END IF;
|
|
END LOOP;
|
|
END; $$;
|
|
|
|
CREATE FUNCTION extensions.pgrst_drop_watch() RETURNS event_trigger
|
|
LANGUAGE plpgsql
|
|
AS $$
|
|
DECLARE
|
|
obj record;
|
|
BEGIN
|
|
FOR obj IN SELECT * FROM pg_event_trigger_dropped_objects()
|
|
LOOP
|
|
IF obj.object_type IN (
|
|
'schema'
|
|
, 'table'
|
|
, 'foreign table'
|
|
, 'view'
|
|
, 'materialized view'
|
|
, 'function'
|
|
, 'trigger'
|
|
, 'type'
|
|
, 'rule'
|
|
)
|
|
AND obj.is_temporary IS false -- no pg_temp objects
|
|
THEN
|
|
NOTIFY pgrst, 'reload schema';
|
|
END IF;
|
|
END LOOP;
|
|
END; $$;
|
|
|
|
CREATE FUNCTION extensions.set_graphql_placeholder() RETURNS event_trigger
|
|
LANGUAGE plpgsql
|
|
AS $_$
|
|
DECLARE
|
|
graphql_is_dropped bool;
|
|
BEGIN
|
|
graphql_is_dropped = (
|
|
SELECT ev.schema_name = 'graphql_public'
|
|
FROM pg_event_trigger_dropped_objects() AS ev
|
|
WHERE ev.schema_name = 'graphql_public'
|
|
);
|
|
|
|
IF graphql_is_dropped
|
|
THEN
|
|
create or replace function graphql_public.graphql(
|
|
"operationName" text default null,
|
|
query text default null,
|
|
variables jsonb default null,
|
|
extensions jsonb default null
|
|
)
|
|
returns jsonb
|
|
language plpgsql
|
|
as $$
|
|
DECLARE
|
|
server_version float;
|
|
BEGIN
|
|
server_version = (SELECT (SPLIT_PART((select version()), ' ', 2))::float);
|
|
|
|
IF server_version >= 14 THEN
|
|
RETURN jsonb_build_object(
|
|
'errors', jsonb_build_array(
|
|
jsonb_build_object(
|
|
'message', 'pg_graphql extension is not enabled.'
|
|
)
|
|
)
|
|
);
|
|
ELSE
|
|
RETURN jsonb_build_object(
|
|
'errors', jsonb_build_array(
|
|
jsonb_build_object(
|
|
'message', 'pg_graphql is only available on projects running Postgres 14 onwards.'
|
|
)
|
|
)
|
|
);
|
|
END IF;
|
|
END;
|
|
$$;
|
|
END IF;
|
|
|
|
END;
|
|
$_$;
|