From a4b8dd3f77dfe575580f33db3949ae3727e19267 Mon Sep 17 00:00:00 2001
From: killer-cf
Date: Mon, 12 Jan 2026 13:31:04 -0300
Subject: [PATCH] fix: improve login flow by ensuring proper type handling for redirect and prevent loopback IP blocking in security checks
---
 apps/web/src/routes/(public)/login/+page.svelte | 3 ++-
 packages/backend/convex/security.ts | 12 +++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/apps/web/src/routes/(public)/login/+page.svelte b/apps/web/src/routes/(public)/login/+page.svelte
index 94daa52..7d093ed 100644
--- a/apps/web/src/routes/(public)/login/+page.svelte
+++ b/apps/web/src/routes/(public)/login/+page.svelte
@@ -69,6 +69,7 @@
 }
 const gpsPromise = coletarGPS();
+
 const result = await authClient.signIn.email(
 { email: matricula.trim(), password: senha },
 {
@@ -163,7 +164,7 @@
 }
 })();
- await goto(resolve(redirectAfterLogin as string), { replaceState: true });
+ await goto(resolve(redirectAfterLogin as any) as any, { replaceState: true });
 } else {
 erroLogin = result.error?.message || 'Erro ao fazer login';
 }
diff --git a/packages/backend/convex/security.ts b/packages/backend/convex/security.ts
index 1c98ebb..792227f 100644
--- a/packages/backend/convex/security.ts
+++ b/packages/backend/convex/security.ts
@@ -447,6 +447,7 @@ export const enforceRequest = mutation({
 const ip = args.ip.trim();
 const path = args.path.trim() || '/';
 const pathKey = path.replace(/^\/+/, '');
+ const isLoopback = ip === '::1' || ip === '127.0.0.1' || ip.startsWith('127.');
 // 1) Blacklist enforcement (somente IP)
 const registroIp = await ctx.db
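Review bot: The double `as any` in the `goto(resolve(...))` call of the `+page.svelte` hunk at -163 switches off the type check on both the argument to `resolve` and the argument to `goto`, so nothing on this line establishes that `redirectAfterLogin` is an in-app path. Where that value is assigned is outside the hunk; if it can be influenced by the URL or other user input, a post-login redirect is a place where it should be narrowed at runtime rather than cast. I would guard it before the call, e.g. `const destino = typeof redirectAfterLogin === 'string' && /^\/(?![\/\\])/.test(redirectAfterLogin) ? redirectAfterLogin : '/';` (the `'/'` fallback is a placeholder for the app's default route), and keep at most one narrowly scoped cast on `destino`. The enclosing handler starts and ends outside the hunk.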
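Review bot: `isLoopback` is computed unconditionally, but the comment added in the next hunk (security.ts -455) says the exemption is meant for local development; as written, the `!isLoopback` clause there switches the IP blacklist off for loopback addresses in every deployment. `ip` comes from `args.ip`, a value supplied by whoever calls the mutation, and how the caller derives it is not visible here, so any path that lets a client-influenced string reach this argument turns the exemption into a way around the blacklist. `ip.startsWith('127.')` is also a string test rather than an address test: it accepts non-addresses such as `127.x` (constructed example) and makes the `ip === '127.0.0.1'` clause redundant. I would gate the exemption on an explicit development flag and match a full dotted quad, e.g. `const isLoopback = process.env.ALLOW_LOOPBACK_BYPASS === 'true' && (ip === '::1' || /^127(\.\d{1,3}){3}$/.test(ip));`, where `ALLOW_LOOPBACK_BYPASS` is a placeholder name for a variable set only in local environments. The body of `enforceRequest` continues outside the hunk.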
@@ -455,7 +456,16 @@ export const enforceRequest = mutation({
 .order('desc')
 .first();
- if (registroIp && registroIp.categoria === 'ip' && registroIp.blacklist === true) {
+ // NOTE: em desenvolvimento local, evitar bloquear loopback por blacklist,
+ // senão o login e a sessão (Better Auth) ficam impossíveis.
+ // Também priorizamos whitelist caso exista um registro marcado como ambos.
+ if (
+ registroIp &&
+ registroIp.categoria === 'ip' &&
+ registroIp.blacklist === true &&
+ registroIp.whitelist !== true &&
+ !isLoopback
+ ) {
 const ativo = !registroIp.bloqueadoAte || registroIp.bloqueadoAte > agora;
 if (ativo) {
 return {
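Review bot: The added `registroIp.whitelist !== true` clause makes a record flagged as both blacklist and whitelist resolve to "allow", and it does so before `bloqueadoAte` is evaluated, so such a record skips the block regardless of its expiry. For an enforcement path the safer default is usually to fail closed on contradictory data, or to reject the contradictory record where it is written; whether whitelist entries are handled later in `enforceRequest` is not visible in this hunk. If whitelist precedence is intended, I would state it in production terms instead of under the local-development NOTE, e.g. `// Whitelist takes precedence: a record flagged as both does not block (applies in production too).`, and add a test with a record carrying both flags. The function body continues past the end of the hunk.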