From 4ae19622d66119bd30869df988393c6d0185904b Mon Sep 17 00:00:00 2001
From: Ricardo Carneiro
Date: Mon, 5 Jan 2026 22:40:10 -0300
Subject: [PATCH] =?UTF-8?q?fix:=20ajustes=20de=20bot=C3=A3o=20de=20ajuda?=
 =?UTF-8?q?=20e=20login?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .claude/settings.local.json | 3 ++-
 .../ViewComponents/SupportFabViewComponent.cs | 10 ++++++++-
 src/BCards.Web/Program.cs | 22 ++++++++++++++-----
 3 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/.claude/settings.local.json b/.claude/settings.local.json
index 33a6464..85c3599 100644
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -34,7 +34,8 @@
 "Bash(netstat:*)",
 "Bash(ss:*)",
 "Bash(lsof:*)",
- "Bash(dotnet run:*)"
+ "Bash(dotnet run:*)",
+ "Bash(dotnet user-secrets:*)"
 ]
 },
 "enableAllProjectMcpServers": false
diff --git a/src/BCards.Web/Areas/Support/ViewComponents/SupportFabViewComponent.cs b/src/BCards.Web/Areas/Support/ViewComponents/SupportFabViewComponent.cs
index 3ab2db7..6293397 100644
--- a/src/BCards.Web/Areas/Support/ViewComponents/SupportFabViewComponent.cs
+++ b/src/BCards.Web/Areas/Support/ViewComponents/SupportFabViewComponent.cs
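Review bot: The new allow-list entry `"Bash(dotnet user-secrets:*)"` also auto-approves `dotnet user-secrets list`, which prints the development secret values, so an unattended run can pull those values into the assistant's context and the saved transcript. If the goal is only to let the agent initialize or set secrets, a narrower prefix in the same form as the existing entries, for example `"Bash(dotnet user-secrets set:*)"` (constructed, following the page's pattern), keeps reads behind a prompt. Separately, a `settings.local.json` is normally a per-developer file; whether it belongs in the repository at all is worth confirming.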
@@ -20,10 +20,18 @@ public class SupportFabViewComponent : ViewComponent
 try
 {
 var userId = UserClaimsPrincipal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
+
+ // Não mostrar botão de ajuda para usuários não autenticados
+ if (string.IsNullOrEmpty(userId))
+ {
+ _logger.LogDebug("SupportFab não exibido - usuário não autenticado");
+ return Content(string.Empty);
+ }
+
 var options = await _supportService.GetAvailableOptionsAsync(userId);
 _logger.LogDebug("SupportFab invocado para usuário {UserId} - Opções: Rating={CanRate}, Form={CanUseContactForm}, Telegram={CanAccessTelegram}",
- userId ?? "anônimo", options.CanRate, options.CanUseContactForm, options.CanAccessTelegram);
+ userId, options.CanRate, options.CanUseContactForm, options.CanAccessTelegram);
 return View(options);
 }
diff --git a/src/BCards.Web/Program.cs b/src/BCards.Web/Program.cs
index 6200460..22c7a54 100644
--- a/src/BCards.Web/Program.cs
+++ b/src/BCards.Web/Program.cs
@@ -309,8 +309,18 @@ authBuilder.AddCookie(options =>
 options.SlidingExpiration = true;
 options.Cookie.HttpOnly = true;
 options.Cookie.IsEssential = true;
- options.Cookie.SameSite = SameSiteMode.None; // Para Cloudflare
- options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+
+ // SameSite: None para produção (Cloudflare), Lax para desenvolvimento (OAuth local)
+ if (builder.Environment.IsDevelopment())
+ {
+ options.Cookie.SameSite = SameSiteMode.Lax;
+ options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; // Permite HTTP em dev
+ }
+ else
+ {
+ options.Cookie.SameSite = SameSiteMode.None; // Para Cloudflare
+ options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+ }
 });
 // Always register Google and Microsoft authentication schemes
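Review bot: The guard added after `var userId` tests for a missing NameIdentifier claim, but its comment and debug message describe the case as "user not authenticated"; an authenticated principal whose identity carries no NameIdentifier claim is hidden under the same message, which is misleading when someone is diagnosing a missing button. If authentication state is what matters, check it explicitly and keep the claim test as the second condition, `if (UserClaimsPrincipal?.Identity?.IsAuthenticated != true || string.IsNullOrEmpty(userId))`, or reword the log to say that the user id claim is absent. The enclosing method and its try/catch begin and end outside the hunk, so the catch path is not visible here.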
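Review bot: The else branch still issues the application cookie with `SameSiteMode.None`, which makes the browser attach the session cookie to cross-site requests, so CSRF protection for every state-changing endpoint rests entirely on antiforgery tokens being enforced. The `// Para Cloudflare` comment does not justify that on its own: a reverse proxy is transparent to the browser's same-site calculation, and the external-login POST-back is normally carried by the Google/Microsoft handlers' own correlation cookies rather than by this cookie, though that should be confirmed against the actual sign-in flow. Since this very hunk shows `Lax` serving the OAuth flow in development, consider `options.Cookie.SameSite = SameSiteMode.Lax;` in the production branch too, or replace the comment with the concrete cross-site flow that requires `None`. The `AddCookie` options lambda starts before the hunk.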
@@ -612,11 +622,11 @@ app.Use(async (context, next) =>
 // Content Security Policy - Protects against XSS attacks
 var csp = "default-src 'self'; " +
- "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://code.jquery.com https://cdn.jsdelivr.net/npm/bootstrap@5.3.2 https://accounts.google.com https://apis.google.com; " +
- "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/bootstrap@5.3.2; " +
+ "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://code.jquery.com https://cdn.jsdelivr.net/npm/bootstrap@5.3.2 https://accounts.google.com https://apis.google.com https://www.clarity.ms https://static.cloudflareinsights.com; " +
+ "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/bootstrap@5.3.2 https://cdnjs.cloudflare.com; " +
 "img-src 'self' data: https: blob:; " +
- "font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; " +
- "connect-src 'self' https://accounts.google.com https://apis.google.com https://login.microsoftonline.com; " +
+ "font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; " +
+ "connect-src 'self' https://accounts.google.com https://apis.google.com https://login.microsoftonline.com https://www.clarity.ms; " +
 "frame-src 'self' https://accounts.google.com https://login.microsoftonline.com; " +
 "object-src 'none'; " +
 "base-uri 'self'; " +