@luanpdd/kit-mcp 1.30.2 → 1.32.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -21
- package/README.md +168 -168
- package/gates/agent-no-recursive-dispatch.md +84 -82
- package/kit/COMANDOS.md +138 -138
- package/kit/COMPATIBILITY.md +5 -0
- package/kit/README.md +76 -76
- package/kit/agents/advisor-researcher.md +107 -106
- package/kit/agents/ai-mutation-tester.md +1 -0
- package/kit/agents/assumptions-analyzer.md +108 -107
- package/kit/agents/audit-log-implementer.md +314 -313
- package/kit/agents/auditor-consistencia-isolamento.md +414 -413
- package/kit/agents/b2b-saas-architect.md +157 -156
- package/kit/agents/burn-rate-forecaster.md +1 -0
- package/kit/agents/cascading-failures-auditor.md +299 -298
- package/kit/agents/codebase-mapper.md +769 -768
- package/kit/agents/crm-pipeline-implementer.md +257 -256
- package/kit/agents/debugger.md +814 -813
- package/kit/agents/detector-tenant-quente.md +338 -337
- package/kit/agents/evolution-go-integrator.md +201 -200
- package/kit/agents/example-reviewer.md +22 -21
- package/kit/agents/executor.md +565 -564
- package/kit/agents/golden-signals-instrumenter.md +1 -0
- package/kit/agents/incident-investigator.md +1 -0
- package/kit/agents/integration-checker.md +201 -200
- package/kit/agents/invite-flow-implementer.md +190 -189
- package/kit/agents/legacy-characterizer.md +369 -368
- package/kit/agents/lgpd-compliance-auditor.md +296 -295
- package/kit/agents/load-shedding-instrumenter.md +1 -0
- package/kit/agents/multi-tenant-isolation-auditor.md +254 -253
- package/kit/agents/multi-tenant-rls-writer.md +341 -340
- package/kit/agents/nyquist-auditor.md +179 -178
- package/kit/agents/observability-coverage-auditor.md +316 -315
- package/kit/agents/observability-instrumenter.md +1 -0
- package/kit/agents/omm-auditor.md +1 -0
- package/kit/agents/org-onboarding-implementer.md +224 -223
- package/kit/agents/payload-capture-instrumenter.md +274 -273
- package/kit/agents/phase-researcher.md +697 -696
- package/kit/agents/plan-checker.md +273 -272
- package/kit/agents/planner.md +923 -922
- package/kit/agents/postmortem-writer.md +1 -0
- package/kit/agents/project-researcher.md +653 -652
- package/kit/agents/prr-conductor.md +1 -0
- package/kit/agents/refactor-safety-auditor.md +405 -404
- package/kit/agents/release-pipeline-auditor.md +1 -0
- package/kit/agents/research-synthesizer.md +246 -245
- package/kit/agents/roadmapper.md +678 -677
- package/kit/agents/schema-checker.md +1 -0
- package/kit/agents/seam-finder.md +360 -359
- package/kit/agents/shotgun-surgery-detector.md +350 -349
- package/kit/agents/slo-engineer.md +1 -0
- package/kit/agents/storytelling-analyst.md +1 -0
- package/kit/agents/supabase-architect.md +1 -0
- package/kit/agents/supabase-auth-bootstrapper.md +16 -1
- package/kit/agents/supabase-auth-hook-writer.md +418 -0
- package/kit/agents/supabase-branching-architect.md +563 -562
- package/kit/agents/supabase-cicd-pipeline-implementer.md +778 -777
- package/kit/agents/supabase-column-privileges-writer.md +400 -399
- package/kit/agents/supabase-edge-fn-tester.md +2 -1
- package/kit/agents/supabase-edge-fn-writer.md +2 -1
- package/kit/agents/supabase-mfa-implementer.md +439 -0
- package/kit/agents/supabase-migration-writer.md +386 -385
- package/kit/agents/supabase-oauth-server-implementer.md +507 -0
- package/kit/agents/supabase-rbac-implementer.md +393 -392
- package/kit/agents/supabase-realtime-implementer.md +364 -363
- package/kit/agents/supabase-rls-hardener.md +522 -521
- package/kit/agents/supabase-rls-writer.md +324 -323
- package/kit/agents/supabase-roles-implementer.md +356 -355
- package/kit/agents/supabase-social-auth-implementer.md +451 -0
- package/kit/agents/supabase-sso-saml-architect.md +549 -0
- package/kit/agents/supabase-storage-implementer.md +1 -0
- package/kit/agents/super-admin-implementer.md +282 -281
- package/kit/agents/toil-auditor.md +1 -0
- package/kit/agents/ui-auditor.md +438 -437
- package/kit/agents/ui-checker.md +303 -302
- package/kit/agents/ui-researcher.md +356 -355
- package/kit/agents/user-profiler.md +176 -175
- package/kit/agents/validador-evolucao-schema.md +336 -335
- package/kit/agents/verifier.md +729 -728
- package/kit/commands/adicionar-backlog.md +75 -75
- package/kit/commands/adicionar-fase.md +42 -42
- package/kit/commands/adicionar-tarefa.md +45 -45
- package/kit/commands/adicionar-testes.md +41 -41
- package/kit/commands/ajuda.md +21 -21
- package/kit/commands/atualizar.md +37 -37
- package/kit/commands/auditar-cascading.md +111 -111
- package/kit/commands/auditar-marco.md +179 -179
- package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
- package/kit/commands/auditar-refactor.md +219 -219
- package/kit/commands/auditar-release.md +109 -109
- package/kit/commands/auditar-uat.md +23 -23
- package/kit/commands/autonomo.md +40 -40
- package/kit/commands/branch-pr.md +24 -24
- package/kit/commands/burn-rate-status.md +408 -408
- package/kit/commands/capturar-payloads.md +193 -193
- package/kit/commands/caracterizar.md +212 -212
- package/kit/commands/concluir-marco.md +247 -247
- package/kit/commands/configuracoes.md +36 -36
- package/kit/commands/dados-distribuidos.md +188 -188
- package/kit/commands/definir-perfil.md +10 -10
- package/kit/commands/depurar.md +190 -190
- package/kit/commands/detectar-duplicacao.md +197 -197
- package/kit/commands/discutir-fase.md +131 -131
- package/kit/commands/encontrar-seams.md +136 -136
- package/kit/commands/entrar-discord.md +17 -17
- package/kit/commands/estatisticas.md +18 -18
- package/kit/commands/example-greeting.md +33 -33
- package/kit/commands/executar-fase.md +58 -58
- package/kit/commands/expresso.md +56 -56
- package/kit/commands/fase-ui.md +34 -34
- package/kit/commands/fazer.md +57 -57
- package/kit/commands/fio.md +125 -125
- package/kit/commands/fluxos-trabalho.md +64 -64
- package/kit/commands/forense.md +176 -176
- package/kit/commands/gerenciador.md +38 -38
- package/kit/commands/inserir-fase.md +31 -31
- package/kit/commands/legacy.md +263 -263
- package/kit/commands/limpeza.md +17 -17
- package/kit/commands/listar-hipoteses-fase.md +45 -45
- package/kit/commands/listar-workspaces.md +18 -18
- package/kit/commands/load-shedding.md +117 -117
- package/kit/commands/mapear-codebase.md +70 -70
- package/kit/commands/multi-tenant.md +163 -163
- package/kit/commands/nota.md +33 -33
- package/kit/commands/novo-marco.md +43 -43
- package/kit/commands/novo-projeto.md +41 -41
- package/kit/commands/novo-workspace.md +43 -43
- package/kit/commands/pausar-trabalho.md +37 -37
- package/kit/commands/perfil-usuario.md +45 -45
- package/kit/commands/pesquisar-fase.md +195 -195
- package/kit/commands/planejar-fase.md +67 -67
- package/kit/commands/planejar-lacunas.md +33 -33
- package/kit/commands/plantar-ideia.md +25 -25
- package/kit/commands/progresso.md +24 -24
- package/kit/commands/proximo.md +30 -30
- package/kit/commands/publicar.md +490 -490
- package/kit/commands/rapido.md +35 -35
- package/kit/commands/reaplicar-patches.md +124 -124
- package/kit/commands/refactor-seguro.md +321 -321
- package/kit/commands/relatorio-sessao.md +19 -19
- package/kit/commands/remover-fase.md +31 -31
- package/kit/commands/remover-workspace.md +26 -26
- package/kit/commands/resumo-marco.md +50 -50
- package/kit/commands/retomar-trabalho.md +40 -40
- package/kit/commands/revisar-backlog.md +60 -60
- package/kit/commands/revisar-ui.md +32 -32
- package/kit/commands/revisar.md +37 -37
- package/kit/commands/saude.md +21 -21
- package/kit/commands/setup-notion.md +93 -93
- package/kit/commands/storytelling.md +179 -179
- package/kit/commands/supabase.md +21 -1
- package/kit/commands/sync-main.md +68 -68
- package/kit/commands/validar-fase.md +35 -35
- package/kit/commands/verificar-tarefas.md +44 -44
- package/kit/commands/verificar-trabalho.md +64 -64
- package/kit/file-manifest.json +100 -84
- package/kit/framework/bin/lib/commands.cjs +959 -959
- package/kit/framework/bin/lib/config.cjs +442 -442
- package/kit/framework/bin/lib/core.cjs +1230 -1230
- package/kit/framework/bin/lib/frontmatter.cjs +336 -336
- package/kit/framework/bin/lib/init.cjs +1442 -1442
- package/kit/framework/bin/lib/milestone.cjs +252 -252
- package/kit/framework/bin/lib/model-profiles.cjs +68 -68
- package/kit/framework/bin/lib/phase.cjs +888 -888
- package/kit/framework/bin/lib/profile-output.cjs +952 -952
- package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
- package/kit/framework/bin/lib/roadmap.cjs +329 -329
- package/kit/framework/bin/lib/security.cjs +382 -382
- package/kit/framework/bin/lib/state.cjs +1031 -1031
- package/kit/framework/bin/lib/template.cjs +222 -222
- package/kit/framework/bin/lib/uat.cjs +282 -282
- package/kit/framework/bin/lib/verify.cjs +888 -888
- package/kit/framework/bin/lib/workstream.cjs +491 -491
- package/kit/framework/bin/tools.cjs +918 -918
- package/kit/framework/commands/workstreams.md +63 -63
- package/kit/framework/references/checkpoints.md +778 -778
- package/kit/framework/references/continuation-format.md +249 -249
- package/kit/framework/references/decimal-phase-calculation.md +64 -64
- package/kit/framework/references/git-integration.md +295 -295
- package/kit/framework/references/git-planning-commit.md +38 -38
- package/kit/framework/references/model-profile-resolution.md +36 -36
- package/kit/framework/references/model-profiles.md +139 -139
- package/kit/framework/references/phase-argument-parsing.md +61 -61
- package/kit/framework/references/planning-config.md +202 -202
- package/kit/framework/references/questioning.md +162 -162
- package/kit/framework/references/tdd.md +263 -263
- package/kit/framework/references/ui-brand.md +160 -160
- package/kit/framework/references/user-profiling.md +657 -657
- package/kit/framework/references/verification-patterns.md +612 -612
- package/kit/framework/references/workstream-flag.md +58 -58
- package/kit/framework/templates/DEBUG.md +164 -164
- package/kit/framework/templates/UAT.md +265 -265
- package/kit/framework/templates/UI-SPEC.md +100 -100
- package/kit/framework/templates/VALIDATION.md +76 -76
- package/kit/framework/templates/claude-md.md +122 -122
- package/kit/framework/templates/codebase/architecture.md +185 -185
- package/kit/framework/templates/codebase/concerns.md +205 -205
- package/kit/framework/templates/codebase/conventions.md +204 -204
- package/kit/framework/templates/codebase/integrations.md +192 -192
- package/kit/framework/templates/codebase/stack.md +158 -158
- package/kit/framework/templates/codebase/structure.md +199 -199
- package/kit/framework/templates/codebase/testing.md +301 -301
- package/kit/framework/templates/config.json +44 -44
- package/kit/framework/templates/context.md +352 -352
- package/kit/framework/templates/continue-here.md +78 -78
- package/kit/framework/templates/copilot-instructions.md +7 -7
- package/kit/framework/templates/debug-subagent-prompt.md +91 -91
- package/kit/framework/templates/dev-preferences.md +20 -20
- package/kit/framework/templates/discovery.md +146 -146
- package/kit/framework/templates/discussion-log.md +63 -63
- package/kit/framework/templates/milestone-archive.md +123 -123
- package/kit/framework/templates/milestone.md +115 -115
- package/kit/framework/templates/phase-prompt.md +610 -610
- package/kit/framework/templates/planner-subagent-prompt.md +117 -117
- package/kit/framework/templates/project.md +186 -186
- package/kit/framework/templates/requirements.md +231 -231
- package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
- package/kit/framework/templates/research-project/FEATURES.md +147 -147
- package/kit/framework/templates/research-project/PITFALLS.md +200 -200
- package/kit/framework/templates/research-project/STACK.md +120 -120
- package/kit/framework/templates/research-project/SUMMARY.md +170 -170
- package/kit/framework/templates/research.md +419 -419
- package/kit/framework/templates/retrospective.md +54 -54
- package/kit/framework/templates/roadmap.md +202 -202
- package/kit/framework/templates/state.md +176 -176
- package/kit/framework/templates/summary-complex.md +59 -59
- package/kit/framework/templates/summary-minimal.md +41 -41
- package/kit/framework/templates/summary-standard.md +48 -48
- package/kit/framework/templates/summary.md +209 -209
- package/kit/framework/templates/user-profile.md +146 -146
- package/kit/framework/templates/user-setup.md +256 -256
- package/kit/framework/templates/verification-report.md +258 -258
- package/kit/framework/workflows/add-phase.md +112 -112
- package/kit/framework/workflows/add-tests.md +351 -351
- package/kit/framework/workflows/add-todo.md +158 -158
- package/kit/framework/workflows/audit-milestone.md +340 -340
- package/kit/framework/workflows/audit-uat.md +109 -109
- package/kit/framework/workflows/autonomous.md +891 -891
- package/kit/framework/workflows/check-todos.md +177 -177
- package/kit/framework/workflows/cleanup.md +152 -152
- package/kit/framework/workflows/complete-milestone.md +696 -696
- package/kit/framework/workflows/diagnose-issues.md +231 -231
- package/kit/framework/workflows/discovery-phase.md +289 -289
- package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
- package/kit/framework/workflows/discuss-phase.md +784 -784
- package/kit/framework/workflows/do.md +104 -104
- package/kit/framework/workflows/execute-phase.md +838 -838
- package/kit/framework/workflows/execute-plan.md +510 -510
- package/kit/framework/workflows/fast.md +102 -102
- package/kit/framework/workflows/forensics.md +265 -265
- package/kit/framework/workflows/health.md +181 -181
- package/kit/framework/workflows/help.md +619 -619
- package/kit/framework/workflows/insert-phase.md +130 -130
- package/kit/framework/workflows/list-phase-assumptions.md +178 -178
- package/kit/framework/workflows/list-workspaces.md +56 -56
- package/kit/framework/workflows/manager.md +362 -362
- package/kit/framework/workflows/map-codebase.md +377 -377
- package/kit/framework/workflows/milestone-summary.md +223 -223
- package/kit/framework/workflows/new-milestone.md +486 -486
- package/kit/framework/workflows/new-project.md +1159 -1159
- package/kit/framework/workflows/new-workspace.md +237 -237
- package/kit/framework/workflows/next.md +97 -97
- package/kit/framework/workflows/node-repair.md +92 -92
- package/kit/framework/workflows/note.md +156 -156
- package/kit/framework/workflows/pause-work.md +176 -176
- package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
- package/kit/framework/workflows/plan-phase.md +765 -765
- package/kit/framework/workflows/plant-seed.md +169 -169
- package/kit/framework/workflows/pr-branch.md +129 -129
- package/kit/framework/workflows/profile-user.md +450 -450
- package/kit/framework/workflows/progress.md +507 -507
- package/kit/framework/workflows/quick.md +757 -757
- package/kit/framework/workflows/remove-phase.md +155 -155
- package/kit/framework/workflows/remove-workspace.md +90 -90
- package/kit/framework/workflows/research-phase.md +82 -82
- package/kit/framework/workflows/resume-project.md +326 -326
- package/kit/framework/workflows/review.md +228 -228
- package/kit/framework/workflows/session-report.md +146 -146
- package/kit/framework/workflows/settings.md +283 -283
- package/kit/framework/workflows/ship.md +228 -228
- package/kit/framework/workflows/stats.md +60 -60
- package/kit/framework/workflows/transition.md +671 -671
- package/kit/framework/workflows/ui-phase.md +302 -302
- package/kit/framework/workflows/ui-review.md +165 -165
- package/kit/framework/workflows/update.md +323 -323
- package/kit/framework/workflows/validate-phase.md +174 -174
- package/kit/framework/workflows/verify-phase.md +252 -252
- package/kit/framework/workflows/verify-work.md +637 -637
- package/kit/hooks/check-update.js +118 -118
- package/kit/hooks/context-monitor.js +163 -163
- package/kit/hooks/kit-attribution-reminder.cjs +29 -50
- package/kit/hooks/kit-router.cjs +137 -0
- package/kit/hooks/prompt-guard.js +103 -103
- package/kit/hooks/statusline.js +125 -125
- package/kit/hooks/workflow-guard.js +101 -101
- package/kit/settings.json +45 -45
- package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
- package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
- package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
- package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
- package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
- package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
- package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
- package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
- package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
- package/kit/skills/example-skill/SKILL.md +42 -42
- package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
- package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
- package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
- package/kit/skills/legacy-extract-class/SKILL.md +203 -203
- package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
- package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
- package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
- package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
- package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
- package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
- package/kit/skills/member-invite-flow/SKILL.md +305 -305
- package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
- package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
- package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
- package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
- package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
- package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
- package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
- package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
- package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
- package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
- package/kit/skills/supabase-auth-hardening/SKILL.md +674 -0
- package/kit/skills/supabase-auth-hooks/SKILL.md +875 -0
- package/kit/skills/supabase-auth-methods/SKILL.md +486 -0
- package/kit/skills/supabase-auth-sessions/SKILL.md +579 -0
- package/kit/skills/supabase-auth-ssr/SKILL.md +60 -14
- package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
- package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
- package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
- package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
- package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
- package/kit/skills/supabase-edge-functions/SKILL.md +1 -1
- package/kit/skills/supabase-edge-functions-auth/SKILL.md +1 -1
- package/kit/skills/supabase-edge-functions-limits/SKILL.md +1 -1
- package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +1 -1
- package/kit/skills/supabase-edge-functions-testing/SKILL.md +1 -1
- package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +1 -1
- package/kit/skills/supabase-enterprise-sso-saml/SKILL.md +545 -0
- package/kit/skills/supabase-jwt-signing-keys/SKILL.md +399 -0
- package/kit/skills/supabase-mfa/SKILL.md +488 -0
- package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
- package/kit/skills/supabase-migrations/SKILL.md +297 -297
- package/kit/skills/supabase-oauth-server/SKILL.md +537 -0
- package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
- package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
- package/kit/skills/supabase-realtime/SKILL.md +460 -460
- package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
- package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
- package/kit/skills/supabase-social-oauth/SKILL.md +480 -0
- package/kit/skills/supabase-third-party-auth/SKILL.md +450 -0
- package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
- package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
- package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
- package/package.json +1 -1
- package/src/core/kit.js +216 -216
- package/src/core/reflect.js +247 -247
- package/src/core/reverse-sync.js +372 -372
- package/src/core/sync.js +437 -418
- package/src/core/watch.js +121 -121
- package/src/mcp-server/index.js +794 -746
|
@@ -0,0 +1,480 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: supabase-social-oauth
|
|
3
|
+
description: Use ao implementar login social com OAuth no Supabase — signInWithOAuth, PKCE callback, signInWithIdToken, Google One Tap e providers customizados.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Supabase — Social Login / OAuth
|
|
7
|
+
|
|
8
|
+
## Quando usar
|
|
9
|
+
|
|
10
|
+
LLM carrega esta skill quando implementar **login social com providers OAuth** no Supabase — qualquer fluxo de terceiro que redireciona o usuário para autenticação externa.
|
|
11
|
+
|
|
12
|
+
Trigger phrases:
|
|
13
|
+
|
|
14
|
+
- "login with Google", "signInWithOAuth", "OAuth Supabase"
|
|
15
|
+
- "OAuth callback Supabase", "exchangeCodeForSession", "callback route"
|
|
16
|
+
- "signInWithIdToken", "ID token Supabase"
|
|
17
|
+
- "Google One Tap", "FedCM", "use_fedcm_for_prompt"
|
|
18
|
+
- "Sign in with Apple", "Apple login Supabase"
|
|
19
|
+
- "GitHub login", "Facebook login", "LinkedIn login"
|
|
20
|
+
- "custom OAuth provider", "OIDC provider Supabase"
|
|
21
|
+
- "provider_token", "provider_refresh_token"
|
|
22
|
+
- "nonce OAuth", "nonce Google Apple"
|
|
23
|
+
|
|
24
|
+
## Regras absolutas
|
|
25
|
+
|
|
26
|
+
1. **SSR sempre usa PKCE.** `signInWithOAuth` em contexto server-side ou Next.js App Router exige `flowType: 'pkce'` no client e rota `/auth/callback` com `exchangeCodeForSession(code)`.
|
|
27
|
+
2. **`redirectTo` deve estar na allowlist** de Redirect URLs no Dashboard (`Authentication > URL Configuration`). Requisição com `redirectTo` fora da allowlist é rejeitada silenciosamente e redireciona para URL padrão.
|
|
28
|
+
3. **Nunca armazenar `provider_token`/`provider_refresh_token` em tabela pública** sem cifragem — são tokens de acesso do provider (Google, GitHub etc.) com escopo potencialmente amplo.
|
|
29
|
+
4. **Nome do Apple só vem no primeiro sign-in.** Salvar imediatamente via `updateUser({ data: { full_name } })`. Requisições subsequentes retornam campo vazio.
|
|
30
|
+
5. **Secret key da Apple rotaciona a cada 6 meses.** Configurar alarme de expiração; após expirar, todos os logins com Apple falham.
|
|
31
|
+
6. **`@supabase/ssr` sempre, `@supabase/auth-helpers-nextjs` nunca.** O pacote `auth-helpers-nextjs` está deprecated.
|
|
32
|
+
7. **Validar sessão no servidor com `getClaims()`**, nunca com `getSession()`.
|
|
33
|
+
|
|
34
|
+
## `signInWithOAuth` — fluxo PKCE (SSR / Next.js)
|
|
35
|
+
|
|
36
|
+
### Estrutura necessária
|
|
37
|
+
|
|
38
|
+
Dois arquivos obrigatórios:
|
|
39
|
+
|
|
40
|
+
1. **Função de login** (Client Component) — inicia o fluxo OAuth
|
|
41
|
+
2. **Route handler `/auth/callback`** — finaliza o fluxo trocando o `code` por uma sessão
|
|
42
|
+
|
|
43
|
+
### 1. Função de login (Client Component)
|
|
44
|
+
|
|
45
|
+
```ts
|
|
46
|
+
// components/LoginComGoogle.tsx
|
|
47
|
+
'use client'
|
|
48
|
+
import { createBrowserClient } from '@supabase/ssr'
|
|
49
|
+
|
|
50
|
+
function LoginComGoogle() {
|
|
51
|
+
const supabase = createBrowserClient(
|
|
52
|
+
process.env.NEXT_PUBLIC_SUPABASE_URL!,
|
|
53
|
+
process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY! // sb_publishable_...
|
|
54
|
+
)
|
|
55
|
+
|
|
56
|
+
const handleLogin = async () => {
|
|
57
|
+
await supabase.auth.signInWithOAuth({
|
|
58
|
+
provider: 'google',
|
|
59
|
+
options: {
|
|
60
|
+
redirectTo: `${location.origin}/auth/callback`,
|
|
61
|
+
// Parâmetros extras para o provider:
|
|
62
|
+
queryParams: {
|
|
63
|
+
access_type: 'offline', // necessário para refresh token do Google
|
|
64
|
+
prompt: 'consent', // força exibição da tela de consentimento
|
|
65
|
+
},
|
|
66
|
+
scopes: 'email profile', // escopos OAuth solicitados
|
|
67
|
+
},
|
|
68
|
+
})
|
|
69
|
+
}
|
|
70
|
+
|
|
71
|
+
return <button onClick={handleLogin}>Entrar com Google</button>
|
|
72
|
+
}
|
|
73
|
+
```
|
|
74
|
+
|
|
75
|
+
### 2. Route handler `/auth/callback`
|
|
76
|
+
|
|
77
|
+
```ts
|
|
78
|
+
// app/auth/callback/route.ts
|
|
79
|
+
import { NextResponse, type NextRequest } from 'next/server'
|
|
80
|
+
import { createServerClient } from '@supabase/ssr'
|
|
81
|
+
import { cookies } from 'next/headers'
|
|
82
|
+
|
|
83
|
+
export async function GET(request: NextRequest) {
|
|
84
|
+
const { searchParams, origin } = new URL(request.url)
|
|
85
|
+
const code = searchParams.get('code')
|
|
86
|
+
const next = searchParams.get('next') ?? '/'
|
|
87
|
+
|
|
88
|
+
if (code) {
|
|
89
|
+
const cookieStore = await cookies()
|
|
90
|
+
const supabase = createServerClient(
|
|
91
|
+
process.env.NEXT_PUBLIC_SUPABASE_URL!,
|
|
92
|
+
process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY!,
|
|
93
|
+
{
|
|
94
|
+
cookies: {
|
|
95
|
+
getAll() { return cookieStore.getAll() },
|
|
96
|
+
setAll(cookiesToSet) {
|
|
97
|
+
cookiesToSet.forEach(({ name, value, options }) =>
|
|
98
|
+
cookieStore.set(name, value, options)
|
|
99
|
+
)
|
|
100
|
+
},
|
|
101
|
+
},
|
|
102
|
+
}
|
|
103
|
+
)
|
|
104
|
+
|
|
105
|
+
const { error } = await supabase.auth.exchangeCodeForSession(code)
|
|
106
|
+
|
|
107
|
+
if (!error) {
|
|
108
|
+
// Tratar proxy reverso em produção (Vercel, Nginx, etc.)
|
|
109
|
+
const forwardedHost = request.headers.get('x-forwarded-host')
|
|
110
|
+
const isLocalEnv = process.env.NODE_ENV === 'development'
|
|
111
|
+
|
|
112
|
+
if (isLocalEnv) {
|
|
113
|
+
return NextResponse.redirect(`${origin}${next}`)
|
|
114
|
+
} else if (forwardedHost) {
|
|
115
|
+
return NextResponse.redirect(`https://${forwardedHost}${next}`)
|
|
116
|
+
} else {
|
|
117
|
+
return NextResponse.redirect(`${origin}${next}`)
|
|
118
|
+
}
|
|
119
|
+
}
|
|
120
|
+
}
|
|
121
|
+
|
|
122
|
+
return NextResponse.redirect(`${origin}/auth/error`)
|
|
123
|
+
}
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
## Configuração de providers no Dashboard
|
|
127
|
+
|
|
128
|
+
### URL de callback obrigatória
|
|
129
|
+
|
|
130
|
+
Registre no console do provider (Google Cloud, GitHub Apps etc.) a seguinte URL de callback:
|
|
131
|
+
|
|
132
|
+
```
|
|
133
|
+
# Produção
|
|
134
|
+
https://<seu-project-ref>.supabase.co/auth/v1/callback
|
|
135
|
+
|
|
136
|
+
# Desenvolvimento local
|
|
137
|
+
http://localhost:54321/auth/v1/callback
|
|
138
|
+
```
|
|
139
|
+
|
|
140
|
+
### Google
|
|
141
|
+
|
|
142
|
+
1. [Google Cloud Console](https://console.cloud.google.com/) > APIs & Services > Credentials
|
|
143
|
+
2. Criar OAuth 2.0 Client ID (Web application)
|
|
144
|
+
3. Authorized redirect URIs: adicionar URL de callback do Supabase
|
|
145
|
+
4. Dashboard Supabase: `Authentication > Sign in / Sign up > Google` — inserir Client ID e Client Secret
|
|
146
|
+
|
|
147
|
+
```ts
|
|
148
|
+
// Escopos comuns do Google
|
|
149
|
+
scopes: 'email profile' // padrão
|
|
150
|
+
scopes: 'email profile openid' // + token de identidade
|
|
151
|
+
scopes: 'email profile https://www.googleapis.com/auth/calendar.readonly' // + Google Calendar
|
|
152
|
+
```
|
|
153
|
+
|
|
154
|
+
### GitHub
|
|
155
|
+
|
|
156
|
+
1. GitHub > Settings > Developer Settings > OAuth Apps > New OAuth App
|
|
157
|
+
2. Authorization callback URL: URL de callback do Supabase
|
|
158
|
+
3. Dashboard Supabase: `Authentication > Sign in / Sign up > GitHub` — inserir Client ID e Client Secret
|
|
159
|
+
|
|
160
|
+
```ts
|
|
161
|
+
await supabase.auth.signInWithOAuth({
|
|
162
|
+
provider: 'github',
|
|
163
|
+
options: {
|
|
164
|
+
redirectTo: `${location.origin}/auth/callback`,
|
|
165
|
+
scopes: 'read:user user:email', // escopos mínimos para login
|
|
166
|
+
},
|
|
167
|
+
})
|
|
168
|
+
```
|
|
169
|
+
|
|
170
|
+
### Facebook
|
|
171
|
+
|
|
172
|
+
1. [Meta for Developers](https://developers.facebook.com/) > Create App > Consumer
|
|
173
|
+
2. Facebook Login > Settings > Valid OAuth Redirect URIs: URL de callback do Supabase
|
|
174
|
+
3. Dashboard Supabase: `Authentication > Sign in / Sign up > Facebook`
|
|
175
|
+
|
|
176
|
+
### Apple
|
|
177
|
+
|
|
178
|
+
```ts
|
|
179
|
+
await supabase.auth.signInWithOAuth({
|
|
180
|
+
provider: 'apple',
|
|
181
|
+
options: {
|
|
182
|
+
redirectTo: `${location.origin}/auth/callback`,
|
|
183
|
+
},
|
|
184
|
+
})
|
|
185
|
+
```
|
|
186
|
+
|
|
187
|
+
**Caveats críticos do Apple:**
|
|
188
|
+
|
|
189
|
+
- **Rotação da secret key a cada 6 meses** — configure um alarme/reminder. A secret key é um JWT gerado com a chave privada do Apple Developer. Após expirar, TODOS os logins com Apple falham.
|
|
190
|
+
- **Nome completo só vem no PRIMEIRO sign-in** — salve imediatamente:
|
|
191
|
+
|
|
192
|
+
```ts
|
|
193
|
+
// No callback após exchangeCodeForSession, verifique se é o primeiro login
|
|
194
|
+
const { data: { claims } } = await supabase.auth.getClaims()
|
|
195
|
+
const { data: { user } } = await supabase.auth.getUser()
|
|
196
|
+
|
|
197
|
+
// Apple retorna full_name apenas no primeiro login (identities[0].identity_data)
|
|
198
|
+
const identity = user?.identities?.find(i => i.provider === 'apple')
|
|
199
|
+
if (identity?.identity_data?.full_name) {
|
|
200
|
+
await supabase.auth.updateUser({
|
|
201
|
+
data: { full_name: identity.identity_data.full_name },
|
|
202
|
+
})
|
|
203
|
+
}
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
### LinkedIn (OIDC)
|
|
207
|
+
|
|
208
|
+
LinkedIn usa o provider `linkedin_oidc` (não `linkedin`):
|
|
209
|
+
|
|
210
|
+
```ts
|
|
211
|
+
await supabase.auth.signInWithOAuth({
|
|
212
|
+
provider: 'linkedin_oidc', // ATENÇÃO: não 'linkedin'
|
|
213
|
+
options: {
|
|
214
|
+
redirectTo: `${location.origin}/auth/callback`,
|
|
215
|
+
scopes: 'openid profile email',
|
|
216
|
+
},
|
|
217
|
+
})
|
|
218
|
+
```
|
|
219
|
+
|
|
220
|
+
## `signInWithIdToken` — login nativo com Google / Apple
|
|
221
|
+
|
|
222
|
+
Quando o app já possui um ID token do provider (ex: Google Sign-In nativo em iOS/Android, ou após Google One Tap), use `signInWithIdToken` diretamente — sem redirecionamento.
|
|
223
|
+
|
|
224
|
+
```ts
|
|
225
|
+
// Google ID token (obtido do SDK do Google)
|
|
226
|
+
const { data, error } = await supabase.auth.signInWithIdToken({
|
|
227
|
+
provider: 'google',
|
|
228
|
+
token: idTokenDoGoogle, // JWT emitido pelo Google
|
|
229
|
+
nonce: nonceRaw, // IMPORTANTE: valor cru (antes do hash)
|
|
230
|
+
})
|
|
231
|
+
|
|
232
|
+
// Apple ID token (obtido do Sign in with Apple SDK)
|
|
233
|
+
const { data, error } = await supabase.auth.signInWithIdToken({
|
|
234
|
+
provider: 'apple',
|
|
235
|
+
token: idTokenDaApple,
|
|
236
|
+
nonce: nonceRaw,
|
|
237
|
+
})
|
|
238
|
+
```
|
|
239
|
+
|
|
240
|
+
### Geração de nonce (obrigatória para Google/Apple)
|
|
241
|
+
|
|
242
|
+
O nonce previne ataques de replay. Enviar o hash SHA-256 para o provider, e o valor cru para o Supabase:
|
|
243
|
+
|
|
244
|
+
```ts
|
|
245
|
+
// Gerar nonce criptograficamente seguro
|
|
246
|
+
function generateNonce(): { raw: string; hashed: string } {
|
|
247
|
+
const array = new Uint8Array(32)
|
|
248
|
+
crypto.getRandomValues(array)
|
|
249
|
+
const raw = btoa(String.fromCharCode(...array))
|
|
250
|
+
|
|
251
|
+
// Hash SHA-256 para o provider (Google/Apple recebe o hash)
|
|
252
|
+
const encoder = new TextEncoder()
|
|
253
|
+
const data = encoder.encode(raw)
|
|
254
|
+
return crypto.subtle.digest('SHA-256', data).then(hash => {
|
|
255
|
+
const hashed = btoa(String.fromCharCode(...new Uint8Array(hash)))
|
|
256
|
+
return { raw, hashed }
|
|
257
|
+
}) as any
|
|
258
|
+
}
|
|
259
|
+
|
|
260
|
+
// Uso
|
|
261
|
+
const { raw: nonceRaw, hashed: nonceHashed } = await generateNonce()
|
|
262
|
+
|
|
263
|
+
// Passe nonceHashed para o SDK do Google/Apple
|
|
264
|
+
// Passe nonceRaw para o Supabase no signInWithIdToken
|
|
265
|
+
```
|
|
266
|
+
|
|
267
|
+
## Google One Tap (FedCM)
|
|
268
|
+
|
|
269
|
+
```ts
|
|
270
|
+
// Exemplo completo com Google One Tap + FedCM
|
|
271
|
+
import { createBrowserClient } from '@supabase/ssr'
|
|
272
|
+
|
|
273
|
+
const supabase = createBrowserClient(
|
|
274
|
+
process.env.NEXT_PUBLIC_SUPABASE_URL!,
|
|
275
|
+
process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY!
|
|
276
|
+
)
|
|
277
|
+
|
|
278
|
+
// Inicializar Google Identity Services
|
|
279
|
+
function initializeGoogleOneTap() {
|
|
280
|
+
const { raw: nonceRaw, hashed: nonceHashed } = /* generateNonce() */ {}
|
|
281
|
+
|
|
282
|
+
window.google.accounts.id.initialize({
|
|
283
|
+
client_id: process.env.NEXT_PUBLIC_GOOGLE_CLIENT_ID!,
|
|
284
|
+
nonce: nonceHashed, // hash SHA-256 para o Google
|
|
285
|
+
use_fedcm_for_prompt: true, // habilita FedCM (Privacy Sandbox)
|
|
286
|
+
callback: async ({ credential }) => {
|
|
287
|
+
// credential = ID token do Google
|
|
288
|
+
const { data, error } = await supabase.auth.signInWithIdToken({
|
|
289
|
+
provider: 'google',
|
|
290
|
+
token: credential,
|
|
291
|
+
nonce: nonceRaw, // valor cru para o Supabase
|
|
292
|
+
})
|
|
293
|
+
|
|
294
|
+
if (!error) {
|
|
295
|
+
// Login bem-sucedido — redirecionar ou atualizar UI
|
|
296
|
+
window.location.href = '/dashboard'
|
|
297
|
+
}
|
|
298
|
+
},
|
|
299
|
+
})
|
|
300
|
+
|
|
301
|
+
window.google.accounts.id.prompt() // exibe o prompt do One Tap
|
|
302
|
+
}
|
|
303
|
+
```
|
|
304
|
+
|
|
305
|
+
**Pré-requisito:** adicionar domínio nas origens JavaScript autorizadas no Google Cloud Console.
|
|
306
|
+
|
|
307
|
+
## Provider Tokens (acesso a APIs do provider)
|
|
308
|
+
|
|
309
|
+
```ts
|
|
310
|
+
// provider_token e provider_refresh_token ficam na sessão, NÃO no banco
|
|
311
|
+
const { data: { session } } = await supabase.auth.getSession()
|
|
312
|
+
|
|
313
|
+
const providerToken = session?.provider_token // access token do Google/GitHub
|
|
314
|
+
const providerRefreshToken = session?.provider_refresh_token // refresh token (se solicitado)
|
|
315
|
+
|
|
316
|
+
// Usar provider_token para chamar API do Google diretamente
|
|
317
|
+
const response = await fetch('https://www.googleapis.com/drive/v3/files', {
|
|
318
|
+
headers: { Authorization: `Bearer ${providerToken}` },
|
|
319
|
+
})
|
|
320
|
+
```
|
|
321
|
+
|
|
322
|
+
**Aviso importante:** `provider_token`/`provider_refresh_token` são armazenados na sessão local (cookie), mas **não são persistidos no banco de dados** pelo Supabase. Se precisar do refresh token após o usuário fechar o browser:
|
|
323
|
+
|
|
324
|
+
1. Salve `provider_refresh_token` em tabela protegida (com RLS e campo cifrado)
|
|
325
|
+
2. Para Google: passe `queryParams: { access_type: 'offline', prompt: 'consent' }` no `signInWithOAuth` para garantir que o refresh token seja emitido
|
|
326
|
+
|
|
327
|
+
```ts
|
|
328
|
+
// Salvar provider_refresh_token no banco (se necessário)
|
|
329
|
+
if (session?.provider_refresh_token) {
|
|
330
|
+
await supabase.from('oauth_tokens').upsert({
|
|
331
|
+
user_id: session.user.id,
|
|
332
|
+
provider: 'google',
|
|
333
|
+
refresh_token: session.provider_refresh_token, // considerar cifrar este valor
|
|
334
|
+
updated_at: new Date().toISOString(),
|
|
335
|
+
})
|
|
336
|
+
}
|
|
337
|
+
```
|
|
338
|
+
|
|
339
|
+
## Custom OAuth / OIDC Providers
|
|
340
|
+
|
|
341
|
+
Para providers não suportados nativamente (Okta, Auth0 como IdP, Keycloak etc.):
|
|
342
|
+
|
|
343
|
+
```ts
|
|
344
|
+
// Providers customizados usam prefixo 'custom:'
|
|
345
|
+
await supabase.auth.signInWithOAuth({
|
|
346
|
+
provider: 'custom:meu-provider',
|
|
347
|
+
options: { redirectTo: `${location.origin}/auth/callback` },
|
|
348
|
+
})
|
|
349
|
+
```
|
|
350
|
+
|
|
351
|
+
**Configuração via Management API (server-side com service_role):**
|
|
352
|
+
|
|
353
|
+
```ts
|
|
354
|
+
import { createClient } from '@supabase/supabase-js'
|
|
355
|
+
|
|
356
|
+
const adminClient = createClient(
|
|
357
|
+
process.env.NEXT_PUBLIC_SUPABASE_URL!,
|
|
358
|
+
process.env.SUPABASE_SECRET_KEY! // sb_secret_... apenas no servidor
|
|
359
|
+
)
|
|
360
|
+
|
|
361
|
+
// Criar provider OAuth2 customizado
|
|
362
|
+
await adminClient.auth.admin.customProviders.createProvider({
|
|
363
|
+
type: 'oauth2',
|
|
364
|
+
provider_id: 'meu-provider', // será 'custom:meu-provider' no signInWithOAuth
|
|
365
|
+
authorization_endpoint: 'https://auth.meuidentityprovider.com/oauth/authorize',
|
|
366
|
+
token_endpoint: 'https://auth.meuidentityprovider.com/oauth/token',
|
|
367
|
+
client_id: process.env.CUSTOM_OAUTH_CLIENT_ID!,
|
|
368
|
+
client_secret: process.env.CUSTOM_OAUTH_CLIENT_SECRET!,
|
|
369
|
+
// PKCE habilitado por padrão em custom providers
|
|
370
|
+
})
|
|
371
|
+
|
|
372
|
+
// Criar provider OIDC (OpenID Connect)
|
|
373
|
+
await adminClient.auth.admin.customProviders.createProvider({
|
|
374
|
+
type: 'oidc',
|
|
375
|
+
provider_id: 'meu-oidc',
|
|
376
|
+
issuer_url: 'https://accounts.meuidentityprovider.com',
|
|
377
|
+
client_id: process.env.OIDC_CLIENT_ID!,
|
|
378
|
+
client_secret: process.env.OIDC_CLIENT_SECRET!,
|
|
379
|
+
})
|
|
380
|
+
```
|
|
381
|
+
|
|
382
|
+
## Anti-patterns
|
|
383
|
+
|
|
384
|
+
### 1. Implicit flow no servidor (SSR)
|
|
385
|
+
|
|
386
|
+
**Errado:**
|
|
387
|
+
```ts
|
|
388
|
+
// Server Component ou Route Handler
|
|
389
|
+
await supabase.auth.signInWithOAuth({
|
|
390
|
+
provider: 'google',
|
|
391
|
+
options: { redirectTo: '/dashboard' }, // sem rota /auth/callback
|
|
392
|
+
})
|
|
393
|
+
// O código de autorização retorna como fragment (#access_token=...) — servidor nunca o vê
|
|
394
|
+
```
|
|
395
|
+
|
|
396
|
+
**Por quê:** em fluxo implícito, tokens chegam no URL fragment (`#`). Navegadores não enviam fragmentos ao servidor — é uma feature de segurança do HTTP. O servidor nunca processa o token.
|
|
397
|
+
|
|
398
|
+
**Certo:** sempre use PKCE com rota `/auth/callback` que chama `exchangeCodeForSession(code)`.
|
|
399
|
+
|
|
400
|
+
### 2. Falta da rota `/auth/callback`
|
|
401
|
+
|
|
402
|
+
**Errado:**
|
|
403
|
+
```ts
|
|
404
|
+
// Apenas define o signInWithOAuth sem criar o route handler
|
|
405
|
+
await supabase.auth.signInWithOAuth({ provider: 'github' })
|
|
406
|
+
// Sem app/auth/callback/route.ts — usuário fica preso em loop de redirect
|
|
407
|
+
```
|
|
408
|
+
|
|
409
|
+
**Por quê:** sem a rota callback, o código de autorização nunca é trocado por sessão. O Supabase redireciona de volta ao app com `?code=...`, mas nenhum handler processa o código.
|
|
410
|
+
|
|
411
|
+
**Certo:** criar `app/auth/callback/route.ts` com `exchangeCodeForSession(code)` antes de implementar qualquer OAuth.
|
|
412
|
+
|
|
413
|
+
### 3. `redirectTo` fora da allowlist
|
|
414
|
+
|
|
415
|
+
**Errado:**
|
|
416
|
+
```ts
|
|
417
|
+
await supabase.auth.signInWithOAuth({
|
|
418
|
+
provider: 'google',
|
|
419
|
+
options: { redirectTo: 'https://meuapp.com/pagina-especial' },
|
|
420
|
+
// 'https://meuapp.com/pagina-especial' não está na allowlist
|
|
421
|
+
})
|
|
422
|
+
```
|
|
423
|
+
|
|
424
|
+
**Por quê:** o Supabase ignora silenciosamente `redirectTo` fora da allowlist e redireciona para a URL padrão do projeto. O usuário aterrissa na página errada — confuso e difícil de debugar.
|
|
425
|
+
|
|
426
|
+
**Certo:** adicionar TODAS as URLs de destino em `Authentication > URL Configuration > Redirect URLs` no Dashboard.
|
|
427
|
+
|
|
428
|
+
### 4. Assumir que Apple retorna nome sempre
|
|
429
|
+
|
|
430
|
+
**Errado:**
|
|
431
|
+
```ts
|
|
432
|
+
// No callback após login com Apple
|
|
433
|
+
const { data: { user } } = await supabase.auth.getUser()
|
|
434
|
+
const fullName = user.user_metadata.full_name // retorna undefined no segundo login
|
|
435
|
+
await db.updateUserName(user.id, fullName) // salva undefined — dado perdido
|
|
436
|
+
```
|
|
437
|
+
|
|
438
|
+
**Por quê:** Apple envia `full_name` apenas no PRIMEIRO login. Nas requisições subsequentes, o campo fica vazio.
|
|
439
|
+
|
|
440
|
+
**Certo:** salvar o nome imediatamente no primeiro login e verificar se já existe antes de sobrescrever com vazio.
|
|
441
|
+
|
|
442
|
+
### 5. Armazenar provider_token em campo público sem proteção
|
|
443
|
+
|
|
444
|
+
**Errado:**
|
|
445
|
+
```sql
|
|
446
|
+
-- Coluna pública sem RLS — qualquer usuário autenticado pode ler
|
|
447
|
+
alter table public.usuarios add column google_token text;
|
|
448
|
+
```
|
|
449
|
+
|
|
450
|
+
**Por quê:** `provider_token` é um access token OAuth com escopo potencialmente amplo (ex: acesso ao Google Drive). Vazar esse token expõe a conta Google do usuário.
|
|
451
|
+
|
|
452
|
+
**Certo:** se precisar persistir, use coluna com RLS `using (auth.uid() = user_id)` e considere cifrar o valor com `pgsodium` ou vault do Supabase.
|
|
453
|
+
|
|
454
|
+
### 6. Não tratar `x-forwarded-host` na rota callback
|
|
455
|
+
|
|
456
|
+
**Errado:**
|
|
457
|
+
```ts
|
|
458
|
+
// Na rota callback — funciona em desenvolvimento mas quebra em produção atrás de proxy
|
|
459
|
+
return NextResponse.redirect(`${origin}${next}`)
|
|
460
|
+
```
|
|
461
|
+
|
|
462
|
+
**Por quê:** em produção atrás de proxy reverso (Vercel, Nginx, Cloudflare), `origin` pode ser o IP interno do container, não o domínio público.
|
|
463
|
+
|
|
464
|
+
**Certo:** verificar `x-forwarded-host` header:
|
|
465
|
+
```ts
|
|
466
|
+
const forwardedHost = request.headers.get('x-forwarded-host')
|
|
467
|
+
const isLocalEnv = process.env.NODE_ENV === 'development'
|
|
468
|
+
const redirectBase = isLocalEnv ? origin : (forwardedHost ? `https://${forwardedHost}` : origin)
|
|
469
|
+
return NextResponse.redirect(`${redirectBase}${next}`)
|
|
470
|
+
```
|
|
471
|
+
|
|
472
|
+
## Ver também
|
|
473
|
+
|
|
474
|
+
- [supabase-auth-methods](../supabase-auth-methods/SKILL.md) — fluxos de auth de usuário final (senha, OTP, anônimo, Web3)
|
|
475
|
+
- [supabase-auth-sessions](../supabase-auth-sessions/SKILL.md) — PKCE vs implicit flow, lifetime, refresh token reuse
|
|
476
|
+
- [supabase-auth-ssr](../supabase-auth-ssr/SKILL.md) — configuração completa do cliente SSR com `@supabase/ssr`
|
|
477
|
+
- [supabase-custom-claims-rbac](../supabase-custom-claims-rbac/SKILL.md) — RBAC via Custom Access Token Auth Hook
|
|
478
|
+
- [supabase-rls-defense-in-depth](../supabase-rls-defense-in-depth/SKILL.md) — camadas de segurança complementares ao OAuth
|
|
479
|
+
- [supabase-jwt-signing-keys](../supabase-jwt-signing-keys/SKILL.md) — rotação e validação de chaves JWT
|
|
480
|
+
- [supabase-edge-functions-auth](../supabase-edge-functions-auth/SKILL.md) — validação de JWT em Edge Functions
|