fix(csp): mover CSP para proxy.ts para leitura em runtime

Content-Security-Policy estava em next.config.ts (build time),
então S3_ENDPOINT nunca era incluído no connect-src ao buildar
via Docker no CI. Movido para proxy.ts que avalia em runtime.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

CHANGELOG.md

@@ -7,6 +7,30 @@ e este projeto adere ao [Versionamento Semântico](https://semver.org/lang/pt-BR
 
 ## [Unreleased]
 
+## [2.3.5] - 2026-04-07
+
+### Corrigido
+
+- CSP: movido `Content-Security-Policy` do `next.config.ts` (build time) para `proxy.ts` (runtime), corrigindo bloqueio de upload de anexos quando `S3_ENDPOINT` não estava disponível durante o build do Docker
+
+## [2.3.4] - 2026-04-05
+
+### Corrigido
+
+- Anexos: corrigido upload que falhava com `NetworkError` — CSP `connect-src` bloqueava fetch para o Storage
+
+## [2.3.3] - 2026-04-05
+
+### Corrigido
+
+- Tokens: corrigido `/api/auth/device/verify` que rejeitava tokens criados via Settings (revertido de JWT para hash lookup)
+
+### Alterado
+
+- Tokens: prefixo renomeado de `os_` para `opm_` (OpenMonetis); tokens existentes precisam ser recriados
+- Tokens: removidas rotas JWT não utilizadas (`/api/auth/device/token` e `/api/auth/device/refresh`)
+- Tokens: `api-token.ts` simplificado para conter apenas `hashToken` e `extractBearerToken`
+
 ## [2.3.2] - 2026-04-04
 
 ### Segurança

README.md

@@ -8,7 +8,7 @@
 
 > **⚠️ Não há versão online hospedada.** Você precisa clonar o repositório e rodar localmente ou no seu próprio servidor.
 
-[![Version](https://img.shields.io/badge/version-2.1.2-blue?style=flat-square)](CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-2.3.4-blue?style=flat-square)](CHANGELOG.md)
 [![Next.js](https://img.shields.io/badge/Next.js-black?style=flat-square&logo=next.js)](https://nextjs.org/)
 [![TypeScript](https://img.shields.io/badge/TypeScript-blue?style=flat-square&logo=typescript)](https://www.typescriptlang.org/)
 [![PostgreSQL](https://img.shields.io/badge/PostgreSQL-blue?style=flat-square&logo=postgresql)](https://www.postgresql.org/)

next.config.ts

@@ -42,18 +42,6 @@ const nextConfig: NextConfig = {
 						key: "X-Frame-Options",
 						value: "DENY",
 					},
-					{
-						key: "Content-Security-Policy",
-						value: [
-							"default-src 'self'",
-							"script-src 'self' 'unsafe-inline' https://umami.felipecoutinho.com",
-							"style-src 'self' 'unsafe-inline'",
-							"img-src 'self' https://lh3.googleusercontent.com data: blob:",
-							"font-src 'self'",
-							"connect-src 'self' https://umami.felipecoutinho.com",
-							"frame-ancestors 'none'",
-						].join("; "),
-					},
 					{
 						key: "Referrer-Policy",
 						value: "strict-origin-when-cross-origin",

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "openmonetis",
-	"version": "2.3.2",
+	"version": "2.3.5",
 	"private": true,
 	"packageManager": "pnpm@10.33.0",
 	"scripts": {
@@ -72,6 +72,7 @@
 		"cmdk": "^1.1.1",
 		"date-fns": "^4.1.0",
 		"drizzle-orm": "0.45.2",
+		"exceljs": "^4.4.0",
 		"jspdf": "^4.2.1",
 		"jspdf-autotable": "^5.0.7",
 		"next": "16.2.2",
@@ -87,7 +88,6 @@
 		"sonner": "2.0.7",
 		"tailwind-merge": "3.5.0",
 		"vaul": "1.1.2",
-		"xlsx": "^0.18.5",
 		"zod": "4.3.6"
 	},
 	"devDependencies": {

src/app/api/auth/device/refresh/route.ts

@@ -1,86 +0,0 @@
-import { and, eq, gt, isNull } from "drizzle-orm";
-import { NextResponse } from "next/server";
-import { apiTokens } from "@/db/schema";
-import {
-	extractBearerToken,
-	refreshAccessToken,
-	verifyJwt,
-} from "@/shared/lib/auth/api-token";
-import { db } from "@/shared/lib/db";
-
-export async function POST(request: Request) {
-	try {
-		// Extrair refresh token do header
-		const authHeader = request.headers.get("Authorization");
-		const token = extractBearerToken(authHeader);
-
-		if (!token) {
-			return NextResponse.json(
-				{ error: "Refresh token não fornecido" },
-				{ status: 401 },
-			);
-		}
-
-		// Validar refresh token
-		const payload = verifyJwt(token);
-
-		if (!payload || payload.type !== "api_refresh") {
-			return NextResponse.json(
-				{ error: "Refresh token inválido ou expirado" },
-				{ status: 401 },
-			);
-		}
-
-		// Verificar se token não foi revogado
-		const tokenRecord = await db.query.apiTokens.findFirst({
-			where: and(
-				eq(apiTokens.id, payload.tokenId),
-				eq(apiTokens.userId, payload.sub),
-				isNull(apiTokens.revokedAt),
-				gt(apiTokens.expiresAt, new Date()),
-			),
-		});
-
-		if (!tokenRecord) {
-			return NextResponse.json(
-				{ error: "Token revogado ou não encontrado" },
-				{ status: 401 },
-			);
-		}
-
-		// Gerar novo access token
-		const result = refreshAccessToken(token);
-
-		if (!result) {
-			return NextResponse.json(
-				{ error: "Não foi possível renovar o token" },
-				{ status: 401 },
-			);
-		}
-
-		// Atualizar último uso e expiração (sem sobrescrever tokenHash,
-		// pois o JWT é auto-verificável por assinatura)
-		await db
-			.update(apiTokens)
-			.set({
-				lastUsedAt: new Date(),
-				lastUsedIp:
-					request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ||
-					request.headers.get("x-real-ip") ||
-					null,
-				expiresAt: result.expiresAt,
-			})
-			.where(eq(apiTokens.id, payload.tokenId));
-
-		return NextResponse.json({
-			accessToken: result.accessToken,
-			expiresAt: result.expiresAt.toISOString(),
-		});
-	} catch (error) {
-		console.error("[API] Error refreshing device token:", error);
-		return NextResponse.json(
-			{ error: "Erro ao renovar token" },
-			{ status: 500 },
-		);
-	}
-}

src/app/api/auth/device/token/route.ts

@@ -1,74 +0,0 @@
-import { headers } from "next/headers";
-import { connection, NextResponse } from "next/server";
-import { z } from "zod";
-import { apiTokens } from "@/db/schema";
-import {
-	generateTokenPair,
-	getTokenPrefix,
-	hashToken,
-} from "@/shared/lib/auth/api-token";
-import { auth } from "@/shared/lib/auth/config";
-import { db } from "@/shared/lib/db";
-
-const createTokenSchema = z.object({
-	name: z.string().min(1, "Nome é obrigatório").max(100, "Nome muito longo"),
-	deviceId: z.string().optional(),
-});
-
-export async function POST(request: Request) {
-	await connection();
-
-	// Verificar autenticação via sessão web
-	const requestHeaders = new Headers(await headers());
-	const session = await auth.api.getSession({ headers: requestHeaders });
-
-	if (!session?.user) {
-		return NextResponse.json({ error: "Não autenticado" }, { status: 401 });
-	}
-
-	try {
-		// Validar body
-		const body = await request.json();
-		const { name, deviceId } = createTokenSchema.parse(body);
-
-		// Gerar par de tokens
-		const { accessToken, refreshToken, tokenId, expiresAt } = generateTokenPair(
-			session.user.id,
-			deviceId,
-		);
-
-		// Salvar hash do token no banco
-		await db.insert(apiTokens).values({
-			id: tokenId,
-			userId: session.user.id,
-			name,
-			tokenHash: hashToken(accessToken),
-			tokenPrefix: getTokenPrefix(accessToken),
-			expiresAt,
-		});
-
-		// Retornar tokens (mostrados apenas uma vez)
-		return NextResponse.json(
-			{
-				accessToken,
-				refreshToken,
-				tokenId,
-				name,
-				expiresAt: expiresAt.toISOString(),
-				message:
-					"Token criado com sucesso. Guarde-o em local seguro, ele não será mostrado novamente.",
-			},
-			{ status: 201 },
-		);
-	} catch (error) {
-		if (error instanceof z.ZodError) {
-			return NextResponse.json(
-				{ error: error.issues[0]?.message ?? "Dados inválidos" },
-				{ status: 400 },
-			);
-		}
-
-		console.error("[API] Error creating device token:", error);
-		return NextResponse.json({ error: "Erro ao criar token" }, { status: 500 });
-	}
-}

src/app/api/auth/device/verify/route.ts

@@ -1,7 +1,7 @@
 import { and, eq, gt, isNull } from "drizzle-orm";
 import { NextResponse } from "next/server";
 import { apiTokens } from "@/db/schema";
-import { extractBearerToken, verifyJwt } from "@/shared/lib/auth/api-token";
+import { extractBearerToken, hashToken } from "@/shared/lib/auth/api-token";
 import { db } from "@/shared/lib/db";
 
 export async function POST(request: Request) {
@@ -17,21 +17,20 @@ export async function POST(request: Request) {
 			);
 		}
 
-		// Verificar JWT (assinatura + expiração)
-		const payload = verifyJwt(token);
-
-		if (!payload || payload.type !== "api_access") {
+		// Validar token opm_xxx via hash
+		if (!token.startsWith("opm_")) {
 			return NextResponse.json(
-				{ valid: false, error: "Token inválido ou expirado" },
+				{ valid: false, error: "Formato de token inválido" },
 				{ status: 401 },
 			);
 		}
 
-		// Buscar token no banco por tokenId para checar revogação
+		const tokenHash = hashToken(token);
+
+		// Buscar token no banco
 		const tokenRecord = await db.query.apiTokens.findFirst({
 			where: and(
-				eq(apiTokens.id, payload.tokenId),
-				eq(apiTokens.userId, payload.sub),
+				eq(apiTokens.tokenHash, tokenHash),
 				isNull(apiTokens.revokedAt),
 				gt(apiTokens.expiresAt, new Date()),
 			),
@@ -39,7 +38,7 @@ export async function POST(request: Request) {
 
 		if (!tokenRecord) {
 			return NextResponse.json(
-				{ valid: false, error: "Token revogado ou não encontrado" },
+				{ valid: false, error: "Token inválido ou revogado" },
 				{ status: 401 },
 			);
 		}

src/app/api/inbox/batch/route.ts

@@ -48,8 +48,8 @@ export async function POST(request: Request) {
 			);
 		}
 
-		// Validar token os_xxx via hash
-		if (!token.startsWith("os_")) {
+		// Validar token opm_xxx via hash
+		if (!token.startsWith("opm_")) {
 			return NextResponse.json(
 				{ error: "Formato de token inválido" },
 				{ status: 401 },

src/app/api/inbox/route.ts

@@ -41,8 +41,8 @@ export async function POST(request: Request) {
 			);
 		}
 
-		// Validar token os_xxx via hash
-		if (!token.startsWith("os_")) {
+		// Validar token opm_xxx via hash
+		if (!token.startsWith("opm_")) {
 			return NextResponse.json(
 				{ error: "Formato de token inválido" },
 				{ status: 401 },

src/features/reports/components/category-report-export.tsx

@@ -33,7 +33,7 @@ interface CategoryReportExportProps {
 	filters: FilterState;
 }
 
-const loadXlsx = () => import("xlsx");
+const loadExcelJS = () => import("exceljs");
 
 const loadPdfDeps = async () => {
 	const [{ default: jsPDF }, { default: autoTable }] = await Promise.all([
@@ -134,7 +134,7 @@ export function CategoryReportExport({
 	const exportToExcel = async () => {
 		try {
 			setIsExporting(true);
-			const XLSX = await loadXlsx();
+			const ExcelJS = await loadExcelJS();
 
 			// Build data array
 			const headers = [
@@ -179,20 +179,32 @@ export function CategoryReportExport({
 			totalsRow.push(formatCurrency(data.grandTotal));
 			rows.push(totalsRow);
 
-			// Create worksheet
-			const ws = XLSX.utils.aoa_to_sheet([headers, ...rows]);
+			// Create workbook and worksheet
+			const workbook = new ExcelJS.Workbook();
+			const ws = workbook.addWorksheet("Relatório de Categorias");
+
+			ws.addRows([headers, ...rows]);
 
 			// Set column widths
-			ws["!cols"] = [
-				{ wch: 20 }, // Category
-				...data.periods.map(() => ({ wch: 15 })), // Periods
-				{ wch: 15 }, // Total
-			];
+			ws.getColumn(1).width = 20;
+			for (let i = 0; i < data.periods.length; i++) {
+				ws.getColumn(i + 2).width = 15;
+			}
+			ws.getColumn(data.periods.length + 2).width = 15;
 
-			// Create workbook and download
-			const wb = XLSX.utils.book_new();
-			XLSX.utils.book_append_sheet(wb, ws, "Relatório de Categorias");
-			XLSX.writeFile(wb, getFileName("xlsx"));
+			// Download
+			const buffer = await workbook.xlsx.writeBuffer();
+			const blob = new Blob([buffer], {
+				type: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+			});
+			const url = URL.createObjectURL(blob);
+			const link = document.createElement("a");
+			link.href = url;
+			link.download = getFileName("xlsx");
+			document.body.appendChild(link);
+			link.click();
+			document.body.removeChild(link);
+			URL.revokeObjectURL(url);
 
 			toast.success("Relatório exportado em Excel com sucesso!");
 		} catch (error) {

src/features/settings/actions.ts

@@ -610,7 +610,7 @@ const revokeApiTokenSchema = z.object({
 });
 
 function generateSecureToken(): string {
-	const prefix = "os";
+	const prefix = "opm";
 	const randomPart = randomBytes(32).toString("base64url");
 	return `${prefix}_${randomPart}`;
 }

src/features/transactions/components/import/upload-zone.tsx

@@ -45,10 +45,10 @@ export function UploadZone({ onParsed }: UploadZoneProps) {
 			reader.readAsText(file, "windows-1252");
 		} else {
 			const reader = new FileReader();
-			reader.onload = (e) => {
+			reader.onload = async (e) => {
 				try {
 					const buffer = e.target?.result as ArrayBuffer;
-					const statement = parseXls(buffer);
+					const statement = await parseXls(buffer);
 					onParsed(statement);
 				} catch (err) {
 					setError(
@@ -62,8 +62,8 @@ export function UploadZone({ onParsed }: UploadZoneProps) {
 		}
 	};
 
-	const handleDownloadTemplate = () => {
-		const bytes = generateXlsTemplate();
+	const handleDownloadTemplate = async () => {
+		const bytes = await generateXlsTemplate();
 		const blob = new Blob([bytes], {
 			type: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
 		});

src/features/transactions/components/transactions-export.tsx

@@ -32,7 +32,7 @@ interface LancamentosExportProps {
 	exportContext?: TransactionsExportContext;
 }
 
-const loadXlsx = () => import("xlsx");
+const loadExcelJS = () => import("exceljs");
 
 const loadPdfDeps = async () => {
 	const [{ default: jsPDF }, { default: autoTable }] = await Promise.all([
@@ -158,7 +158,7 @@ export function TransactionsExport({
 		try {
 			setIsExporting(true);
 			const transactions = await loadTransactions();
-			const XLSX = await loadXlsx();
+			const ExcelJS = await loadExcelJS();
 
 			const headers = [
 				"Data",
@@ -188,23 +188,28 @@ export function TransactionsExport({
 				rows.push(row);
 			});
 
-			const ws = XLSX.utils.aoa_to_sheet([headers, ...rows]);
+			const workbook = new ExcelJS.Workbook();
+			const ws = workbook.addWorksheet("Lançamentos");
 
-			ws["!cols"] = [
-				{ wch: 12 }, // Data
-				{ wch: 42 }, // Nome
-				{ wch: 15 }, // Tipo
-				{ wch: 15 }, // Condição
-				{ wch: 20 }, // Pagamento
-				{ wch: 15 }, // Valor
-				{ wch: 20 }, // Category
-				{ wch: 20 }, // Conta/Cartão
-				{ wch: 20 }, // Payer
-			];
+			ws.addRows([headers, ...rows]);
 
-			const wb = XLSX.utils.book_new();
-			XLSX.utils.book_append_sheet(wb, ws, "Lançamentos");
-			XLSX.writeFile(wb, getFileName("xlsx"));
+			const colWidths = [12, 42, 15, 15, 20, 15, 20, 20, 20];
+			colWidths.forEach((w, i) => {
+				ws.getColumn(i + 1).width = w;
+			});
+
+			const buffer = await workbook.xlsx.writeBuffer();
+			const blob = new Blob([buffer], {
+				type: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+			});
+			const url = URL.createObjectURL(blob);
+			const link = document.createElement("a");
+			link.href = url;
+			link.download = getFileName("xlsx");
+			document.body.appendChild(link);
+			link.click();
+			document.body.removeChild(link);
+			URL.revokeObjectURL(url);
 
 			toast.success("Lançamentos exportados em Excel com sucesso!");
 		} catch (error) {

src/proxy.ts

@@ -21,6 +21,38 @@ const PROTECTED_ROUTES = [
 // Rotas públicas (não requerem autenticação)
 const PUBLIC_AUTH_ROUTES = ["/login", "/signup"];
 
+function buildCsp(): string {
+	const isDev = process.env.NODE_ENV === "development";
+
+	const s3Origin = (() => {
+		try {
+			return process.env.S3_ENDPOINT
+				? new URL(process.env.S3_ENDPOINT).origin
+				: "";
+		} catch {
+			return "";
+		}
+	})();
+
+	const connectExtras = ["https://umami.felipecoutinho.com", s3Origin]
+		.filter(Boolean)
+		.join(" ");
+
+	const imgExtras = ["https://lh3.googleusercontent.com", s3Origin]
+		.filter(Boolean)
+		.join(" ");
+
+	return [
+		"default-src 'self'",
+		`script-src 'self' 'unsafe-inline'${isDev ? " 'unsafe-eval'" : ""} https://umami.felipecoutinho.com`,
+		"style-src 'self' 'unsafe-inline'",
+		`img-src 'self' ${imgExtras} data: blob:`,
+		"font-src 'self'",
+		`connect-src 'self' ${connectExtras}`,
+		"frame-ancestors 'none'",
+	].join("; ");
+}
+
 export default async function proxy(request: NextRequest) {
 	const { pathname } = request.nextUrl;
 
@@ -63,7 +95,9 @@ export default async function proxy(request: NextRequest) {
 		return NextResponse.redirect(new URL("/login", request.url));
 	}
 
-	return NextResponse.next();
+	const response = NextResponse.next();
+	response.headers.set("Content-Security-Policy", buildCsp());
+	return response;
 }
 
 export const config = {

src/shared/lib/auth/api-token.ts

@@ -1,149 +1,5 @@
 import crypto from "node:crypto";
 
-function getJwtSecret(): string {
-	const secret = process.env.BETTER_AUTH_SECRET;
-	if (!secret) {
-		throw new Error(
-			"BETTER_AUTH_SECRET is required. Set it in your .env file.",
-		);
-	}
-	return secret;
-}
-const ACCESS_TOKEN_EXPIRY = 7 * 24 * 60 * 60; // 7 days in seconds
-const REFRESH_TOKEN_EXPIRY = 90 * 24 * 60 * 60; // 90 days in seconds
-
-// ============================================================================
-// TYPES
-// ============================================================================
-
-export interface JwtPayload {
-	sub: string; // userId
-	type: "api_access" | "api_refresh";
-	tokenId: string;
-	deviceId?: string;
-	iat: number;
-	exp: number;
-}
-
-export interface TokenPair {
-	accessToken: string;
-	refreshToken: string;
-	tokenId: string;
-	expiresAt: Date;
-}
-
-// ============================================================================
-// JWT UTILITIES
-// ============================================================================
-
-/**
- * Base64URL encode a string
- */
-function base64UrlEncode(str: string): string {
-	return Buffer.from(str)
-		.toString("base64")
-		.replace(/\+/g, "-")
-		.replace(/\//g, "_")
-		.replace(/=/g, "");
-}
-
-/**
- * Base64URL decode a string
- */
-function base64UrlDecode(str: string): string {
-	str = str.replace(/-/g, "+").replace(/_/g, "/");
-	const pad = str.length % 4;
-	if (pad) {
-		str += "=".repeat(4 - pad);
-	}
-	return Buffer.from(str, "base64").toString();
-}
-
-/**
- * Create HMAC-SHA256 signature
- */
-function createSignature(data: string): string {
-	return crypto
-		.createHmac("sha256", getJwtSecret())
-		.update(data)
-		.digest("base64")
-		.replace(/\+/g, "-")
-		.replace(/\//g, "_")
-		.replace(/=/g, "");
-}
-
-/**
- * Create a JWT token
- */
-export function createJwt(
-	payload: Omit<JwtPayload, "iat" | "exp">,
-	expiresIn: number,
-): string {
-	const header = { alg: "HS256", typ: "JWT" };
-	const now = Math.floor(Date.now() / 1000);
-
-	const fullPayload: JwtPayload = {
-		...payload,
-		iat: now,
-		exp: now + expiresIn,
-	};
-
-	const headerEncoded = base64UrlEncode(JSON.stringify(header));
-	const payloadEncoded = base64UrlEncode(JSON.stringify(fullPayload));
-	const signature = createSignature(`${headerEncoded}.${payloadEncoded}`);
-
-	return `${headerEncoded}.${payloadEncoded}.${signature}`;
-}
-
-/**
- * Verify and decode a JWT token
- * @returns The decoded payload or null if invalid
- */
-export function verifyJwt(token: string): JwtPayload | null {
-	try {
-		const parts = token.split(".");
-		if (parts.length !== 3) return null;
-
-		const [headerEncoded, payloadEncoded, signature] = parts;
-		const expectedSignature = createSignature(
-			`${headerEncoded}.${payloadEncoded}`,
-		);
-
-		// Constant-time comparison to prevent timing attacks
-		if (
-			!crypto.timingSafeEqual(
-				Buffer.from(signature),
-				Buffer.from(expectedSignature),
-			)
-		) {
-			return null;
-		}
-
-		const payload: JwtPayload = JSON.parse(base64UrlDecode(payloadEncoded));
-
-		// Check expiration
-		const now = Math.floor(Date.now() / 1000);
-		if (payload.exp < now) {
-			return null;
-		}
-
-		return payload;
-	} catch {
-		return null;
-	}
-}
-
-// ============================================================================
-// TOKEN GENERATION
-// ============================================================================
-
-/**
- * Generate a random token ID
- */
-export function generateTokenId(): string {
-	return crypto.randomUUID();
-}
-
 /**
  * Hash a token using SHA-256
  */
@@ -151,74 +7,6 @@ export function hashToken(token: string): string {
 	return crypto.createHash("sha256").update(token).digest("hex");
 }
 
-/**
- * Get the display prefix of a token (first 8 chars after prefix)
- */
-export function getTokenPrefix(token: string): string {
-	// Remove "os_" prefix and get first 8 chars
-	const withoutPrefix = token.replace(/^os_/, "");
-	return `os_${withoutPrefix.substring(0, 8)}...`;
-}
-
-/**
- * Generate a complete token pair (access + refresh)
- */
-export function generateTokenPair(
-	userId: string,
-	deviceId?: string,
-): TokenPair {
-	const tokenId = generateTokenId();
-	const expiresAt = new Date(Date.now() + ACCESS_TOKEN_EXPIRY * 1000);
-
-	const accessToken = createJwt(
-		{ sub: userId, type: "api_access", tokenId, deviceId },
-		ACCESS_TOKEN_EXPIRY,
-	);
-
-	const refreshToken = createJwt(
-		{ sub: userId, type: "api_refresh", tokenId, deviceId },
-		REFRESH_TOKEN_EXPIRY,
-	);
-
-	return {
-		accessToken,
-		refreshToken,
-		tokenId,
-		expiresAt,
-	};
-}
-
-/**
- * Refresh an access token using a refresh token
- */
-export function refreshAccessToken(
-	refreshToken: string,
-): { accessToken: string; expiresAt: Date } | null {
-	const payload = verifyJwt(refreshToken);
-
-	if (!payload || payload.type !== "api_refresh") {
-		return null;
-	}
-
-	const expiresAt = new Date(Date.now() + ACCESS_TOKEN_EXPIRY * 1000);
-
-	const accessToken = createJwt(
-		{
-			sub: payload.sub,
-			type: "api_access",
-			tokenId: payload.tokenId,
-			deviceId: payload.deviceId,
-		},
-		ACCESS_TOKEN_EXPIRY,
-	);
-
-	return { accessToken, expiresAt };
-}
-
-// ============================================================================
-// VALIDATION HELPERS
-// ============================================================================
-
 /**
  * Extract bearer token from Authorization header
  */

src/shared/lib/import/xls-parser.ts

@@ -1,15 +1,34 @@
-import * as XLSX from "xlsx";
+import ExcelJS from "exceljs";
 import type {
 	ImportedTransaction,
 	ImportStatement,
 } from "@/shared/lib/import/types";
 
+/**
+ * Converte serial number do Excel (1900 date system) para ano/mês/dia.
+ * Excel trata 1900 como bissexto (serial 60 = 29/02/1900 inexistente).
+ */
+function excelSerialToDate(
+	serial: number,
+): { y: number; m: number; d: number } | null {
+	if (serial < 1) return null;
+	let adjusted = serial;
+	if (serial > 60) adjusted--;
+	const baseDate = new Date(1899, 11, 31);
+	const date = new Date(baseDate.getTime() + adjusted * 86400000);
+	return {
+		y: date.getFullYear(),
+		m: date.getMonth() + 1,
+		d: date.getDate(),
+	};
+}
+
 function parseDateValue(value: unknown): string | null {
 	if (value == null || value === "") return null;
 
 	// Excel date serial number
 	if (typeof value === "number") {
-		const date = XLSX.SSF.parse_date_code(value);
+		const date = excelSerialToDate(value);
 		if (!date) return null;
 		const y = date.y;
 		const m = String(date.m).padStart(2, "0");
@@ -17,6 +36,14 @@ function parseDateValue(value: unknown): string | null {
 		return `${y}-${m}-${d}`;
 	}
 
+	// ExcelJS pode retornar Date objects
+	if (value instanceof Date) {
+		const y = value.getFullYear();
+		const m = String(value.getMonth() + 1).padStart(2, "0");
+		const d = String(value.getDate()).padStart(2, "0");
+		return `${y}-${m}-${d}`;
+	}
+
 	const str = String(value).trim();
 
 	// DD/MM/YYYY
@@ -43,54 +70,37 @@ function parseAmountValue(value: unknown): number | null {
 	return Number.isNaN(num) ? null : Math.abs(num);
 }
 
-export function parseXls(buffer: ArrayBuffer): ImportStatement {
-	const workbook = XLSX.read(new Uint8Array(buffer), {
-		type: "array",
-		cellDates: false,
-		cellFormula: false,
-		cellNF: false,
-	});
+export async function parseXls(buffer: ArrayBuffer): Promise<ImportStatement> {
+	const workbook = new ExcelJS.Workbook();
+	await workbook.xlsx.load(buffer);
 
-	if (!workbook.SheetNames.length) {
+	if (workbook.worksheets.length === 0) {
 		throw new Error("Arquivo sem abas.");
 	}
 
-	const sheetName = workbook.SheetNames[0];
-	const sheet = workbook.Sheets[sheetName];
+	const sheet = workbook.worksheets[0];
 
-	if (!sheet) {
-		throw new Error(`Aba "${sheetName}" não encontrada.`);
-	}
-
-	const range = sheet["!ref"];
-	if (!range) {
-		throw new Error("Planilha vazia (sem intervalo de células).");
-	}
-
-	const rows = XLSX.utils.sheet_to_json<unknown[]>(sheet, {
-		header: 1,
-		defval: "",
-	});
-
-	if (rows.length < 2) {
+	if (!sheet || sheet.rowCount < 2) {
 		throw new Error(
-			`Planilha vazia ou sem dados (${rows.length} linha(s) encontrada(s)).`,
+			`Planilha vazia ou sem dados (${sheet?.rowCount ?? 0} linha(s) encontrada(s)).`,
 		);
 	}
 
 	const transactions: ImportedTransaction[] = [];
 
-	for (let i = 1; i < rows.length; i++) {
-		const row = rows[i] as unknown[];
-		if (!row || row.every((cell) => cell == null || cell === "")) continue;
+	sheet.eachRow((row, rowNumber) => {
+		if (rowNumber === 1) return; // skip header
 
-		const date = parseDateValue(row[0]);
-		const description = row[1] != null ? String(row[1]).trim() : "";
-		const amount = parseAmountValue(row[2]);
-		const typeRaw = row[3] != null ? String(row[3]).toLowerCase().trim() : "";
+		// ExcelJS row.values é 1-indexed (values[0] é undefined)
+		const values = row.values as unknown[];
+		const date = parseDateValue(values[1]);
+		const description = values[2] != null ? String(values[2]).trim() : "";
+		const amount = parseAmountValue(values[3]);
+		const typeRaw =
+			values[4] != null ? String(values[4]).toLowerCase().trim() : "";
 		const transactionType = typeRaw === "receita" ? "income" : "expense";
 
-		if (!date || !description || amount === null || amount <= 0) continue;
+		if (!date || !description || amount === null || amount <= 0) return;
 
 		transactions.push({
 			externalId: null,
@@ -99,7 +109,7 @@ export function parseXls(buffer: ArrayBuffer): ImportStatement {
 			description,
 			transactionType,
 		});
-	}
+	});
 
 	if (transactions.length === 0) {
 		throw new Error("Nenhuma transação válida encontrada na planilha.");
@@ -117,31 +127,31 @@ export function parseXls(buffer: ArrayBuffer): ImportStatement {
 	};
 }
 
-export function generateXlsTemplate(): ArrayBuffer {
-	const wb = XLSX.utils.book_new();
+export async function generateXlsTemplate(): Promise<ArrayBuffer> {
+	const workbook = new ExcelJS.Workbook();
+	const ws = workbook.addWorksheet("Lançamentos");
 
-	const data = [
+	ws.addRows([
 		["Data", "Descrição", "Valor", "Tipo"],
 		["01/03/2026", "Ingressos São Januário", 160, "despesa"],
 		["01/03/2026", "Salário", 3000.0, "receita"],
 		["01/03/2026", "Posto do Vasco da Gama", 89.9, "despesa"],
-	];
+	]);
 
-	const ws = XLSX.utils.aoa_to_sheet(data);
+	ws.getColumn(1).width = 14;
+	ws.getColumn(2).width = 32;
+	ws.getColumn(3).width = 12;
+	ws.getColumn(4).width = 10;
 
-	ws["!cols"] = [{ wch: 14 }, { wch: 32 }, { wch: 12 }, { wch: 10 }];
+	// Dropdown para coluna Tipo (D2:D100)
+	for (let i = 2; i <= 100; i++) {
+		ws.getCell(`D${i}`).dataValidation = {
+			type: "list",
+			allowBlank: true,
+			formulae: ['"despesa,receita"'],
+		};
+	}
 
-	// Dropdown para coluna Tipo (D2:D1000)
-	if (!ws["!dataValidations"]) ws["!dataValidations"] = [];
-	(ws["!dataValidations"] as object[]).push({
-		type: "list",
-		sqref: "D2:D1000",
-		formula1: '"despesa,receita"',
-		showDropDown: false,
-	});
-
-	XLSX.utils.book_append_sheet(wb, ws, "Lançamentos");
-
-	const raw = XLSX.write(wb, { type: "array", bookType: "xlsx" }) as number[];
-	return new Uint8Array(raw).buffer as ArrayBuffer;
+	const buffer = await workbook.xlsx.writeBuffer();
+	return buffer as ArrayBuffer;
 }