Güvenlik Doğrulaması,Login Logları

supabase/migrations/20251230_add_master_otp.sql

@@ -0,0 +1,12 @@
+-- Enable pgcrypto extension for hashing
+CREATE EXTENSION IF NOT EXISTS "pgcrypto";
+
+-- Add master_code_hash column to profiles
+ALTER TABLE public.profiles ADD COLUMN IF NOT EXISTS master_code_hash TEXT;
+
+-- Set a default master code for Kenan Karaer (or all admins)
+-- The hash below is for '123456' using bcrypt
+-- You can generate new hashes using: select crypt('YOUR_CODE', gen_salt('bf'));
+UPDATE public.profiles
+SET master_code_hash = crypt('271210220792', gen_salt('bf'))
+WHERE role = 'admin';

supabase/migrations/20251230_create_auth_codes.sql

@@ -0,0 +1,19 @@
+-- Create a table to store OTP codes
+CREATE TABLE IF NOT EXISTS public.auth_codes (
+    id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
+    user_id UUID REFERENCES auth.users(id) ON DELETE CASCADE NOT NULL,
+    code TEXT NOT NULL,
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT timezone('utc'::text, now()) NOT NULL,
+    expires_at TIMESTAMP WITH TIME ZONE NOT NULL
+);
+
+-- Enable Row Level Security
+ALTER TABLE public.auth_codes ENABLE ROW LEVEL SECURITY;
+
+-- Allow users to see only their own codes
+CREATE POLICY "Users can see their own codes" ON public.auth_codes
+    FOR SELECT USING (auth.uid() = user_id);
+
+-- Allow server-side operations (Service Role will bypass RLS, but good to have)
+CREATE POLICY "Users can insert their own codes" ON public.auth_codes
+    FOR INSERT WITH CHECK (auth.uid() = user_id);

supabase/migrations/20251230_create_security_tables.sql

@@ -0,0 +1,34 @@
+-- Create auth_logs table
+CREATE TABLE IF NOT EXISTS public.auth_logs (
+    id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
+    user_id UUID REFERENCES auth.users(id) ON DELETE SET NULL,
+    event_type TEXT NOT NULL, -- 'login', '2fa_verify', '2fa_fail', 'logout', 'otp_sent'
+    ip_address TEXT,
+    user_agent TEXT,
+    details JSONB DEFAULT '{}'::jsonb,
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT timezone('utc'::text, now()) NOT NULL
+);
+
+-- Associate auth_logs with profiles if needed, but auth.users is safer for raw auth logs.
+-- Enable RLS for auth_logs (Admins can view all, users can view own?)
+ALTER TABLE public.auth_logs ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "Admins can view all logs" ON public.auth_logs
+    FOR SELECT USING (
+        EXISTS (
+            SELECT 1 FROM public.profiles
+            WHERE profiles.id = auth.uid() AND profiles.role = 'admin'
+        )
+    );
+
+-- Create rate_limits table (simplified for IP based blocking)
+CREATE TABLE IF NOT EXISTS public.rate_limits (
+    id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
+    ip_address TEXT NOT NULL,
+    action TEXT NOT NULL, -- 'login_attempt', 'otp_verify'
+    count INTEGER DEFAULT 1,
+    last_attempt TIMESTAMP WITH TIME ZONE DEFAULT timezone('utc'::text, now()) NOT NULL,
+    blocked_until TIMESTAMP WITH TIME ZONE
+);
+
+CREATE INDEX idx_rate_limits_ip_action ON public.rate_limits(ip_address, action);

supabase/migrations/20251230_fix_auth_logs_policy.sql

@@ -0,0 +1,21 @@
+-- Allow anonymous and authenticated users to insert logs
+-- This ensures logging works even if Admin Client (Service Role) fails
+create policy "Enable insert for all users"
+on public.auth_logs
+for insert
+with check (true);
+
+create policy "Enable insert for all users"
+on public.rate_limits
+for insert
+with check (true);
+
+create policy "Enable update for all users"
+on public.rate_limits
+for update
+using (true);
+
+create policy "Enable select for all users"
+on public.rate_limits
+for select
+using (true);