feat: implement secure multi-tenancy, RBAC, and premium dark mode
All checks were successful
Build and Deploy / build-and-push (push) Successful in 1m54s
All checks were successful
Build and Deploy / build-and-push (push) Successful in 1m54s
- Enforced tenant isolation and Role-Based Access Control across all API routes - Implemented secure profile avatar upload using multer and UUIDs - Redesigned UI with a premium "Onyx & Gold" Charcoal dark mode - Added Funnel Stage and Origin filters to Dashboard and User Detail pages - Replaced "Referral" with "Indicação" across the platform and database - Optimized Dockerfile and local environment setup for reliable deployments - Fixed frontend syntax errors and improved KPI/Chart visualizations
This commit is contained in:
Cauê Faleiros
151
backend/index.js
151
backend/index.js
@@ -1,3 +1,4 @@
|
||||
require('dotenv').config();
|
||||
const express = require('express');
|
||||
const cors = require('cors');
|
||||
const path = require('path');
|
||||
@@ -5,6 +6,9 @@ const bcrypt = require('bcryptjs');
|
||||
const jwt = require('jsonwebtoken');
|
||||
const crypto = require('crypto');
|
||||
const nodemailer = require('nodemailer');
|
||||
const multer = require('multer');
|
||||
const { v4: uuidv4 } = require('uuid');
|
||||
const fs = require('fs');
|
||||
const pool = require('./db');
|
||||
|
||||
const app = express();
|
||||
@@ -37,9 +41,68 @@ app.use((req, res, next) => {
|
||||
next();
|
||||
});
|
||||
|
||||
// --- Configuração Multer (Upload Seguro) ---
|
||||
const uploadDir = path.join(__dirname, 'uploads');
|
||||
if (!fs.existsSync(uploadDir)) {
|
||||
fs.mkdirSync(uploadDir, { recursive: true });
|
||||
}
|
||||
|
||||
const storage = multer.diskStorage({
|
||||
destination: (req, file, cb) => {
|
||||
cb(null, uploadDir);
|
||||
},
|
||||
filename: (req, file, cb) => {
|
||||
const ext = path.extname(file.originalname).toLowerCase();
|
||||
cb(null, `${uuidv4()}${ext}`);
|
||||
}
|
||||
});
|
||||
|
||||
const upload = multer({
|
||||
storage: storage,
|
||||
limits: { fileSize: 2 * 1024 * 1024 }, // 2MB
|
||||
fileFilter: (req, file, cb) => {
|
||||
const allowedTypes = ['image/jpeg', 'image/png', 'image/webp'];
|
||||
if (allowedTypes.includes(file.mimetype)) {
|
||||
cb(null, true);
|
||||
} else {
|
||||
cb(new Error('Tipo de arquivo inválido. Apenas JPG, PNG e WEBP são permitidos.'));
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
app.use('/uploads', express.static(uploadDir, {
|
||||
setHeaders: (res) => {
|
||||
res.set('X-Content-Type-Options', 'nosniff');
|
||||
}
|
||||
}));
|
||||
|
||||
// --- API Router ---
|
||||
const apiRouter = express.Router();
|
||||
|
||||
// Middleware de autenticação
|
||||
const authenticateToken = (req, res, next) => {
|
||||
// Ignorar rotas de auth
|
||||
if (req.path.startsWith('/auth/')) return next();
|
||||
|
||||
const authHeader = req.headers['authorization'];
|
||||
const token = authHeader && authHeader.split(' ')[1];
|
||||
|
||||
if (!token) return res.status(401).json({ error: 'Token não fornecido.' });
|
||||
|
||||
jwt.verify(token, JWT_SECRET, (err, user) => {
|
||||
if (err) return res.status(403).json({ error: 'Token inválido ou expirado.' });
|
||||
req.user = user;
|
||||
next();
|
||||
});
|
||||
};
|
||||
|
||||
const requireRole = (roles) => (req, res, next) => {
|
||||
if (!roles.includes(req.user.role)) return res.status(403).json({ error: 'Acesso negado. Esta ação requer as seguintes permissões: ' + roles.join(', ') });
|
||||
next();
|
||||
};
|
||||
|
||||
apiRouter.use(authenticateToken);
|
||||
|
||||
// --- Auth Routes ---
|
||||
|
||||
// Register
|
||||
@@ -190,9 +253,11 @@ apiRouter.post('/auth/reset-password', async (req, res) => {
|
||||
apiRouter.get('/users', async (req, res) => {
|
||||
try {
|
||||
const { tenantId } = req.query;
|
||||
const effectiveTenantId = req.user.role === 'super_admin' ? tenantId : req.user.tenant_id;
|
||||
|
||||
let q = 'SELECT * FROM users';
|
||||
const params = [];
|
||||
if (tenantId && tenantId !== 'all') { q += ' WHERE tenant_id = ?'; params.push(tenantId); }
|
||||
if (effectiveTenantId && effectiveTenantId !== 'all') { q += ' WHERE tenant_id = ?'; params.push(effectiveTenantId); }
|
||||
const [rows] = await pool.query(q, params);
|
||||
res.json(rows);
|
||||
} catch (error) { res.status(500).json({ error: error.message }); }
|
||||
@@ -202,15 +267,17 @@ apiRouter.get('/users/:id', async (req, res) => {
|
||||
try {
|
||||
const [rows] = await pool.query('SELECT * FROM users WHERE id = ?', [req.params.id]);
|
||||
if (rows.length === 0) return res.status(404).json({ error: 'Not found' });
|
||||
if (req.user.role !== 'super_admin' && rows[0].tenant_id !== req.user.tenant_id) {
|
||||
return res.status(403).json({ error: 'Acesso negado.' });
|
||||
}
|
||||
res.json(rows[0]);
|
||||
} catch (error) { res.status(500).json({ error: error.message }); }
|
||||
});
|
||||
|
||||
// Convidar Novo Membro (Admin criando usuário)
|
||||
apiRouter.post('/users', async (req, res) => {
|
||||
apiRouter.post('/users', requireRole(['admin', 'owner', 'super_admin']), async (req, res) => {
|
||||
const { name, email, role, team_id, tenant_id } = req.body;
|
||||
console.log('--- User Creation Request ---');
|
||||
console.log('Body:', req.body);
|
||||
const effectiveTenantId = req.user.role === 'super_admin' ? tenant_id : req.user.tenant_id;
|
||||
try {
|
||||
// 1. Verificar se e-mail já existe
|
||||
const [existing] = await pool.query('SELECT id FROM users WHERE email = ?', [email]);
|
||||
@@ -222,7 +289,7 @@ apiRouter.post('/users', async (req, res) => {
|
||||
// 2. Criar Usuário
|
||||
await pool.query(
|
||||
'INSERT INTO users (id, tenant_id, team_id, name, email, password_hash, role, status) VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
|
||||
[uid, tenant_id, team_id || null, name, email, placeholderHash, role || 'agent', 'active']
|
||||
[uid, effectiveTenantId, team_id || null, name, email, placeholderHash, role || 'agent', 'active']
|
||||
);
|
||||
|
||||
// 3. Gerar Token de Setup de Senha (reusando lógica de reset)
|
||||
@@ -262,9 +329,15 @@ apiRouter.post('/users', async (req, res) => {
|
||||
}
|
||||
});
|
||||
|
||||
apiRouter.put('/users/:id', async (req, res) => {
|
||||
apiRouter.put('/users/:id', requireRole(['admin', 'owner', 'manager', 'super_admin']), async (req, res) => {
|
||||
const { name, bio, role, team_id, status } = req.body;
|
||||
try {
|
||||
const [existing] = await pool.query('SELECT tenant_id FROM users WHERE id = ?', [req.params.id]);
|
||||
if (existing.length === 0) return res.status(404).json({ error: 'Not found' });
|
||||
if (req.user.role !== 'super_admin' && existing[0].tenant_id !== req.user.tenant_id) {
|
||||
return res.status(403).json({ error: 'Acesso negado.' });
|
||||
}
|
||||
|
||||
await pool.query(
|
||||
'UPDATE users SET name = ?, bio = ?, role = ?, team_id = ?, status = ? WHERE id = ?',
|
||||
[name, bio, role, team_id || null, status, req.params.id]
|
||||
@@ -276,8 +349,14 @@ apiRouter.put('/users/:id', async (req, res) => {
|
||||
}
|
||||
});
|
||||
|
||||
apiRouter.delete('/users/:id', async (req, res) => {
|
||||
apiRouter.delete('/users/:id', requireRole(['admin', 'owner', 'super_admin']), async (req, res) => {
|
||||
try {
|
||||
const [existing] = await pool.query('SELECT tenant_id FROM users WHERE id = ?', [req.params.id]);
|
||||
if (existing.length === 0) return res.status(404).json({ error: 'Not found' });
|
||||
if (req.user.role !== 'super_admin' && existing[0].tenant_id !== req.user.tenant_id) {
|
||||
return res.status(403).json({ error: 'Acesso negado.' });
|
||||
}
|
||||
|
||||
await pool.query('DELETE FROM users WHERE id = ?', [req.params.id]);
|
||||
res.json({ message: 'User deleted successfully.' });
|
||||
} catch (error) {
|
||||
@@ -286,16 +365,41 @@ apiRouter.delete('/users/:id', async (req, res) => {
|
||||
}
|
||||
});
|
||||
|
||||
// Upload de Avatar
|
||||
apiRouter.post('/users/:id/avatar', upload.single('avatar'), async (req, res) => {
|
||||
try {
|
||||
if (!req.file) return res.status(400).json({ error: 'Nenhum arquivo enviado.' });
|
||||
|
||||
// Validar se o usuário está alterando o próprio avatar (ou super_admin)
|
||||
if (req.user.id !== req.params.id && req.user.role !== 'super_admin') {
|
||||
return res.status(403).json({ error: 'Acesso negado.' });
|
||||
}
|
||||
|
||||
const avatarUrl = `/uploads/${req.file.filename}`;
|
||||
await pool.query('UPDATE users SET avatar_url = ? WHERE id = ?', [avatarUrl, req.params.id]);
|
||||
|
||||
res.json({ avatarUrl });
|
||||
} catch (error) {
|
||||
console.error('Avatar upload error:', error);
|
||||
res.status(500).json({ error: error.message });
|
||||
}
|
||||
});
|
||||
|
||||
|
||||
// --- Attendance Routes ---
|
||||
apiRouter.get('/attendances', async (req, res) => {
|
||||
try {
|
||||
const { tenantId, userId, teamId, startDate, endDate } = req.query;
|
||||
const { tenantId, userId, teamId, startDate, endDate, funnelStage, origin } = req.query;
|
||||
const effectiveTenantId = req.user.role === 'super_admin' ? tenantId : req.user.tenant_id;
|
||||
|
||||
let q = 'SELECT a.*, u.team_id FROM attendances a JOIN users u ON a.user_id = u.id WHERE a.tenant_id = ?';
|
||||
const params = [tenantId];
|
||||
const params = [effectiveTenantId];
|
||||
if (startDate && endDate) { q += ' AND a.created_at BETWEEN ? AND ?'; params.push(new Date(startDate), new Date(endDate)); }
|
||||
if (userId && userId !== 'all') { q += ' AND a.user_id = ?'; params.push(userId); }
|
||||
if (teamId && teamId !== 'all') { q += ' AND u.team_id = ?'; params.push(teamId); }
|
||||
if (funnelStage && funnelStage !== 'all') { q += ' AND a.funnel_stage = ?'; params.push(funnelStage); }
|
||||
if (origin && origin !== 'all') { q += ' AND a.origin = ?'; params.push(origin); }
|
||||
|
||||
q += ' ORDER BY a.created_at DESC';
|
||||
const [rows] = await pool.query(q, params);
|
||||
const processed = rows.map(r => ({
|
||||
@@ -312,6 +416,11 @@ apiRouter.get('/attendances/:id', async (req, res) => {
|
||||
try {
|
||||
const [rows] = await pool.query('SELECT * FROM attendances WHERE id = ?', [req.params.id]);
|
||||
if (rows.length === 0) return res.status(404).json({ error: 'Not found' });
|
||||
|
||||
if (req.user.role !== 'super_admin' && rows[0].tenant_id !== req.user.tenant_id) {
|
||||
return res.status(403).json({ error: 'Acesso negado.' });
|
||||
}
|
||||
|
||||
const r = rows[0];
|
||||
res.json({
|
||||
...r,
|
||||
@@ -323,7 +432,7 @@ apiRouter.get('/attendances/:id', async (req, res) => {
|
||||
});
|
||||
|
||||
// --- Tenant Routes ---
|
||||
apiRouter.get('/tenants', async (req, res) => {
|
||||
apiRouter.get('/tenants', requireRole(['super_admin']), async (req, res) => {
|
||||
try {
|
||||
const q = 'SELECT t.*, (SELECT COUNT(*) FROM users u WHERE u.tenant_id = t.id) as user_count, (SELECT COUNT(*) FROM attendances a WHERE a.tenant_id = t.id) as attendance_count FROM tenants t';
|
||||
const [rows] = await pool.query(q);
|
||||
@@ -335,20 +444,22 @@ apiRouter.get('/tenants', async (req, res) => {
|
||||
apiRouter.get('/teams', async (req, res) => {
|
||||
try {
|
||||
const { tenantId } = req.query;
|
||||
const [rows] = await pool.query('SELECT * FROM teams WHERE tenant_id = ?', [tenantId]);
|
||||
const effectiveTenantId = req.user.role === 'super_admin' ? tenantId : req.user.tenant_id;
|
||||
const [rows] = await pool.query('SELECT * FROM teams WHERE tenant_id = ?', [effectiveTenantId]);
|
||||
res.json(rows);
|
||||
} catch (error) {
|
||||
res.status(500).json({ error: error.message });
|
||||
}
|
||||
});
|
||||
|
||||
apiRouter.post('/teams', async (req, res) => {
|
||||
apiRouter.post('/teams', requireRole(['admin', 'manager', 'owner', 'super_admin']), async (req, res) => {
|
||||
const { name, description, tenantId } = req.body;
|
||||
const effectiveTenantId = req.user.role === 'super_admin' ? tenantId : req.user.tenant_id;
|
||||
try {
|
||||
const tid = `team_${crypto.randomUUID().split('-')[0]}`;
|
||||
await pool.query(
|
||||
'INSERT INTO teams (id, tenant_id, name, description) VALUES (?, ?, ?, ?)',
|
||||
[tid, tenantId, name, description || null]
|
||||
[tid, effectiveTenantId, name, description || null]
|
||||
);
|
||||
res.status(201).json({ id: tid, message: 'Time criado com sucesso.' });
|
||||
} catch (error) {
|
||||
@@ -357,9 +468,15 @@ apiRouter.post('/teams', async (req, res) => {
|
||||
}
|
||||
});
|
||||
|
||||
apiRouter.put('/teams/:id', async (req, res) => {
|
||||
apiRouter.put('/teams/:id', requireRole(['admin', 'manager', 'owner', 'super_admin']), async (req, res) => {
|
||||
const { name, description } = req.body;
|
||||
try {
|
||||
const [existing] = await pool.query('SELECT tenant_id FROM teams WHERE id = ?', [req.params.id]);
|
||||
if (existing.length === 0) return res.status(404).json({ error: 'Not found' });
|
||||
if (req.user.role !== 'super_admin' && existing[0].tenant_id !== req.user.tenant_id) {
|
||||
return res.status(403).json({ error: 'Acesso negado.' });
|
||||
}
|
||||
|
||||
await pool.query(
|
||||
'UPDATE teams SET name = ?, description = ? WHERE id = ?',
|
||||
[name, description || null, req.params.id]
|
||||
@@ -373,7 +490,7 @@ apiRouter.put('/teams/:id', async (req, res) => {
|
||||
|
||||
|
||||
|
||||
apiRouter.post('/tenants', async (req, res) => {
|
||||
apiRouter.post('/tenants', requireRole(['super_admin']), async (req, res) => {
|
||||
const { name, slug, admin_email, status } = req.body;
|
||||
const connection = await pool.getConnection();
|
||||
try {
|
||||
@@ -392,11 +509,11 @@ app.use('/api', apiRouter);
|
||||
|
||||
// Serve static files
|
||||
if (process.env.NODE_ENV === 'production') {
|
||||
app.use(express.static(path.join(__dirname, '../dist')));
|
||||
app.use(express.static(path.join(__dirname, 'dist')));
|
||||
app.get('*', (req, res) => {
|
||||
// Avoid hijacking API requests
|
||||
if (req.url.startsWith('/api')) return res.status(404).json({ error: 'API route not found' });
|
||||
res.sendFile(path.join(__dirname, '../dist/index.html'));
|
||||
res.sendFile(path.join(__dirname, 'dist/index.html'));
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user