agenciapsilmno/database-novo/migrations/20260521000002_asaas_gateway_rls.sql
Leonardo de3898878a asaas: Tier 1 Fase A foundation — migrations + service + edge function stubs
DESIGN_ASAAS_GATEWAY.md documenta arquitetura. Schema novo: 2
migrations (tables + RLS) cobrindo asaas_customers + asaas_payments
+ asaas_webhook_events. Client service asaasGatewayService.js no
features/financeiro. 3 Edge Function stubs (create-payment-record,
cancel-payment, sync-payment) — webhook financial_records é Fase B.

Bloqueadores Fase B (implementacao real): user precisa criar conta
Asaas, gerar API keys, configurar webhook, setar ENV vars no
Supabase. Decisao modelo de negocio (A/B/C) tambem pendente.
Stops marcados claramente no DESIGN.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 04:20:52 -03:00


-- ============================================================================
-- Asaas Gateway — RLS policies
-- ----------------------------------------------------------------------------
-- Owner-scoped: cada terapeuta vê só os customers/payments do seu tenant.
-- INSERT/UPDATE bloqueado client-side — só Edge Functions (service role)
-- podem escrever. Browser só lê (pra exibir QR code, status, etc).
--
-- API keys em payment_settings: já tem RLS (não duplica).
-- ============================================================================
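BEGIN;
-- ──────────────────────────────────────────────────────────────────────────
-- asaas_customers
-- ──────────────────────────────────────────────────────────────────────────
ALTER TABLE public.asaas_customers ENABLE ROW LEVEL SECURITY;
-- Read: an authenticated user sees only the rows of tenants they belong to.
-- NOTE(review): is_tenant_member() is defined outside this migration —
-- confirm it is SECURITY DEFINER with a pinned search_path, since the whole
-- tenant isolation of this table rests on it.
CREATE POLICY asaas_customers_member_select
ON public.asaas_customers FOR SELECT TO authenticated
USING (public.is_tenant_member(tenant_id));
-- Writes: only Edge Functions write, via service_role (which bypasses RLS).
-- The deny policies are declared RESTRICTIVE on purpose: a PERMISSIVE
-- `false` policy is OR-ed with any other permissive policy, so a later
-- migration adding a client-side INSERT/UPDATE/DELETE policy would silently
-- re-open the table. RESTRICTIVE is AND-ed, so the deny keeps holding until
-- this policy is explicitly dropped.
CREATE POLICY asaas_customers_no_client_write
ON public.asaas_customers AS RESTRICTIVE FOR INSERT TO authenticated
WITH CHECK (false);
CREATE POLICY asaas_customers_no_client_update
ON public.asaas_customers AS RESTRICTIVE FOR UPDATE TO authenticated
USING (false);
CREATE POLICY asaas_customers_no_client_delete
ON public.asaas_customers AS RESTRICTIVE FOR DELETE TO authenticated
USING (false);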
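-- ──────────────────────────────────────────────────────────────────────────
-- asaas_payments
-- ──────────────────────────────────────────────────────────────────────────
ALTER TABLE public.asaas_payments ENABLE ROW LEVEL SECURITY;
-- Read: the browser only needs to display payment status / QR code for the
-- caller's own tenant(s); is_tenant_member() scopes the rows.
-- NOTE(review): is_tenant_member() lives outside this migration — confirm it
-- is SECURITY DEFINER with a pinned search_path.
CREATE POLICY asaas_payments_member_select
ON public.asaas_payments FOR SELECT TO authenticated
USING (public.is_tenant_member(tenant_id));
-- Writes: Edge Functions only (service_role bypasses RLS). Declared
-- RESTRICTIVE so the deny is AND-ed with any permissive policy a future
-- migration might add, instead of being OR-ed away by it.
CREATE POLICY asaas_payments_no_client_write
ON public.asaas_payments AS RESTRICTIVE FOR INSERT TO authenticated
WITH CHECK (false);
CREATE POLICY asaas_payments_no_client_update
ON public.asaas_payments AS RESTRICTIVE FOR UPDATE TO authenticated
USING (false);
CREATE POLICY asaas_payments_no_client_delete
ON public.asaas_payments AS RESTRICTIVE FOR DELETE TO authenticated
USING (false);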
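-- ──────────────────────────────────────────────────────────────────────────
-- asaas_webhook_events
-- ──────────────────────────────────────────────────────────────────────────
-- Audit table — saas_admin reads it for debugging. Tenant members do not
-- get any SELECT policy, so they see nothing.
ALTER TABLE public.asaas_webhook_events ENABLE ROW LEVEL SECURITY;
-- NOTE(review): is_saas_admin() is defined outside this migration — confirm
-- it is SECURITY DEFINER with a pinned search_path; it is the only gate on
-- raw webhook payloads here.
CREATE POLICY asaas_webhook_events_saas_admin_select
ON public.asaas_webhook_events FOR SELECT TO authenticated
USING (public.is_saas_admin());
-- Audit rows are append-only from the client's point of view: no INSERT,
-- UPDATE or DELETE for any browser role; only service_role (bypasses RLS)
-- writes them. RESTRICTIVE so the deny survives later permissive policies.
CREATE POLICY asaas_webhook_events_no_client_write
ON public.asaas_webhook_events AS RESTRICTIVE FOR INSERT TO authenticated
WITH CHECK (false);
CREATE POLICY asaas_webhook_events_no_update
ON public.asaas_webhook_events AS RESTRICTIVE FOR UPDATE TO authenticated
USING (false);
CREATE POLICY asaas_webhook_events_no_delete
ON public.asaas_webhook_events AS RESTRICTIVE FOR DELETE TO authenticated
USING (false);
COMMIT;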