add rls policies

Author: Bulletdev

internal/database/migrations/000007_add_rls_policies.down.sql

@@ -0,0 +1,35 @@
+-- Drop policies and disable RLS for 'categories'
+DROP POLICY IF EXISTS "Allow modification for authenticated users" ON categories;
+DROP POLICY IF EXISTS "Allow public select access" ON categories;
+ALTER TABLE categories DISABLE ROW LEVEL SECURITY;
+
+-- Drop policies and disable RLS for 'products'
+DROP POLICY IF EXISTS "Allow modification for authenticated users" ON products;
+DROP POLICY IF EXISTS "Allow public select access" ON products;
+ALTER TABLE products DISABLE ROW LEVEL SECURITY;
+
+-- Drop policies and disable RLS for 'order_items'
+DROP POLICY IF EXISTS "Allow select based on order owner" ON order_items;
+ALTER TABLE order_items DISABLE ROW LEVEL SECURITY;
+
+-- Drop policies and disable RLS for 'orders'
+DROP POLICY IF EXISTS "Allow insert for authenticated users" ON orders;
+DROP POLICY IF EXISTS "Allow select access to owner" ON orders;
+ALTER TABLE orders DISABLE ROW LEVEL SECURITY;
+
+-- Drop policies and disable RLS for 'cart_items'
+DROP POLICY IF EXISTS "Allow access based on cart owner" ON cart_items;
+ALTER TABLE cart_items DISABLE ROW LEVEL SECURITY;
+
+-- Drop policies and disable RLS for 'carts'
+DROP POLICY IF EXISTS "Allow full access to owner" ON carts;
+ALTER TABLE carts DISABLE ROW LEVEL SECURITY;
+
+-- Drop policies and disable RLS for 'addresses'
+DROP POLICY IF EXISTS "Allow full access to owner" ON addresses;
+ALTER TABLE addresses DISABLE ROW LEVEL SECURITY;
+
+-- Drop policies and disable RLS for 'users'
+DROP POLICY IF EXISTS "Allow individual update access" ON users;
+DROP POLICY IF EXISTS "Allow individual select access" ON users;
+ALTER TABLE users DISABLE ROW LEVEL SECURITY;

internal/database/migrations/000007_add_rls_policies.up.sql

@@ -0,0 +1,80 @@
+-- Enable Row Level Security for all relevant tables
+ALTER TABLE users ENABLE ROW LEVEL SECURITY;
+ALTER TABLE addresses ENABLE ROW LEVEL SECURITY;
+ALTER TABLE carts ENABLE ROW LEVEL SECURITY;
+ALTER TABLE cart_items ENABLE ROW LEVEL SECURITY;
+ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
+ALTER TABLE order_items ENABLE ROW LEVEL SECURITY;
+ALTER TABLE products ENABLE ROW LEVEL SECURITY;
+ALTER TABLE categories ENABLE ROW LEVEL SECURITY;
+
+-- Force RLS for table owners (recommended by Supabase)
+ALTER TABLE users FORCE ROW LEVEL SECURITY;
+ALTER TABLE addresses FORCE ROW LEVEL SECURITY;
+ALTER TABLE carts FORCE ROW LEVEL SECURITY;
+ALTER TABLE cart_items FORCE ROW LEVEL SECURITY;
+ALTER TABLE orders FORCE ROW LEVEL SECURITY;
+ALTER TABLE order_items FORCE ROW LEVEL SECURITY;
+ALTER TABLE products FORCE ROW LEVEL SECURITY;
+ALTER TABLE categories FORCE ROW LEVEL SECURITY;
+
+
+-- Policies for 'users' table
+-- Users can select their own data
+CREATE POLICY "Allow individual select access" ON users FOR SELECT
+    USING (auth.uid() = id);
+-- Users can update their own data
+CREATE POLICY "Allow individual update access" ON users FOR UPDATE
+    USING (auth.uid() = id)
+    WITH CHECK (auth.uid() = id);
+
+-- Policies for 'addresses' table
+-- Users can manage their own addresses fully
+CREATE POLICY "Allow full access to owner" ON addresses FOR ALL
+    USING (auth.uid() = user_id)
+    WITH CHECK (auth.uid() = user_id);
+
+-- Policies for 'carts' table
+-- Users can manage their own cart fully
+CREATE POLICY "Allow full access to owner" ON carts FOR ALL
+    USING (auth.uid() = user_id)
+    WITH CHECK (auth.uid() = user_id);
+
+-- Policies for 'cart_items' table
+-- Users can manage items only if they own the corresponding cart
+CREATE POLICY "Allow access based on cart owner" ON cart_items FOR ALL
+    USING ( EXISTS (SELECT 1 FROM carts WHERE carts.id = cart_items.cart_id AND carts.user_id = auth.uid()) )
+    WITH CHECK ( EXISTS (SELECT 1 FROM carts WHERE carts.id = cart_items.cart_id AND carts.user_id = auth.uid()) );
+
+-- Policies for 'orders' table
+-- Users can select their own orders
+CREATE POLICY "Allow select access to owner" ON orders FOR SELECT
+    USING (auth.uid() = user_id);
+-- Users can insert orders (user_id check ensures they insert for themselves)
+CREATE POLICY "Allow insert for authenticated users" ON orders FOR INSERT
+    WITH CHECK (auth.uid() = user_id);
+-- (No UPDATE/DELETE policies initially - managed by API logic)
+
+-- Policies for 'order_items' table
+-- Users can select items belonging to their own orders
+CREATE POLICY "Allow select based on order owner" ON order_items FOR SELECT
+    USING ( EXISTS (SELECT 1 FROM orders WHERE orders.id = order_items.order_id AND orders.user_id = auth.uid()) );
+-- (No INSERT/UPDATE/DELETE policies initially)
+
+-- Policies for 'products' table
+-- Allow public read access to products
+CREATE POLICY "Allow public select access" ON products FOR SELECT
+    USING (true);
+-- Allow authenticated users to manage products (can be restricted to admin later)
+CREATE POLICY "Allow modification for authenticated users" ON products FOR ALL
+    USING (auth.role() = 'authenticated') -- Allow reading existing rows if authenticated
+    WITH CHECK (auth.role() = 'authenticated'); -- Check applies to INSERT/UPDATE
+
+-- Policies for 'categories' table
+-- Allow public read access to categories
+CREATE POLICY "Allow public select access" ON categories FOR SELECT
+    USING (true);
+-- Allow authenticated users to manage categories (can be restricted to admin later)
+CREATE POLICY "Allow modification for authenticated users" ON categories FOR ALL
+    USING (auth.role() = 'authenticated') -- Allow reading existing rows if authenticated
+    WITH CHECK (auth.role() = 'authenticated'); -- Check applies to INSERT/UPDATE

readme.md

@@ -24,38 +24,24 @@
 </p>
 
 # ✨ Recursos Atuais e Planejados
-<div>
-Autenticação e Gerenciamento de Usuários (Registro, Login, Dados do Usuário, Endereços)
-</div>  
-<div>
-Gerenciamento de Produtos e Categorias
-</div>
-<div>
-Carrinho de Compras
-</div>
-<div>
-Gerenciamento de Pedidos (Criação e Listagem)
-</div>
-<div>
-Armazenamento de dados com PostgreSQL (via Supabase)
-</div> 
-<div>
-Autenticação segura com JWT e Hashing de Senha (bcrypt)
-</div> 
-<div>
-Endpoints RESTful com prefixo `/api`
-</div> 
-<div>
+ 
+- Autenticação e Gerenciamento de Usuários (Registro, Login, Dados do Usuário, Endereços)
+- Gerenciamento de Produtos e Categorias
+- Carrinho de Compras
+- Gerenciamento de Pedidos (Criação e Listagem)
+- Armazenamento de dados com PostgreSQL (via Supabase)
+- Autenticação segura com JWT e Hashing de Senha (bcrypt)
+- Endpoints RESTful com prefixo `/api`
 Health check
-</div> 
-<div> 
-Testes Unitários para Handlers (Auth, User/Address, Product, Category, Cart)
-</div> 
-<div>
-*Planejado:* Testes para OrderHandler, Testes de Integração, Lógica de Frete, Paginação, Filtros, Validação Avançada, Permissões (Admin), Documentação Swagger completa.
-</div>
+- Testes Unitários para Handlers (Auth, User/Address, Product, Category, Cart)
 
-## 🚀 Exemplo de uso
+## Planejado:
+>>> Testes para OrderHandler, Testes de Integração, Lógica de Frete, Paginação, Filtros, Validação Avançada, Permissões (Admin), Documentação Swagger completa.
+
+
+##  Exemplo de uso
+
+<details>
 
 (Veja a seção Endpoints Atuais para mais detalhes)
 
@@ -126,6 +112,7 @@ curl -X POST http://localhost:4444/api/orders \\
 -H "Authorization: Bearer $TOKEN"
 ```
 
+</details>
 
 ## Documentação da API (Planejada)
 
@@ -220,6 +207,8 @@ stretchr/testify (Testes Unitários)
 
 ## 🔍 Endpoints Atuais
 
+<details>
+ 
 **Saúde**
 *   `GET /api/health`: Verifica status da aplicação.
 
@@ -323,6 +312,8 @@ stretchr/testify (Testes Unitários)
     *   **Sucesso (200):** Objeto `{"order": {...}, "items": [{...}]}`.
     *   **Erros:** `401`, `403` (não é dono), `404` (pedido não encontrado/ID inválido), `500`.
 
+</details>
+
 *(Funcionalidades de Pedidos como cancelamento e atualização de status foram implementadas no repositório mas não expostas em rotas ainda).*
 
 
@@ -333,6 +324,7 @@ Para rodar os testes unitários dos handlers:
 go test -v ./internal/handlers/...
 ```
 
-📄 Licença
+### 📄 Licença
+
+GNU-General-Public-License-v3.0
 
-BulletDEv all rights reserveds