feat: implement arenaBR free agents register

Author: Bulletdev

.brakeman.ignore

@@ -1,5 +1,15 @@
 {
   "ignored_warnings": [
+    {
+      "warning_type": "Mass Assignment",
+      "warning_code": 105,
+      "fingerprint": "f2fd7351c85e531b66f6444ab8a89071e039b96befcdd5a6f897d3f55bb2d9dd",
+      "check_name": "PermitAttributes",
+      "message": "Potentially dangerous key allowed for mass assignment",
+      "file": "app/modules/players/controllers/players_controller.rb",
+      "line": 368,
+      "note": "':role' is a player in-game position (top/jungle/mid/adc/support), not a user access role. riot_puuid and riot_summoner_id were intentionally removed from this permit list."
+    },
     {
       "warning_type": "Mass Assignment",
       "warning_code": 105,

app/controllers/api/v1/organizations_controller.rb

@@ -63,14 +63,13 @@ def set_organization
       end
 
       def require_admin_or_owner
-        allowed_roles = %w[admin owner]
-        unless allowed_roles.include?(@current_user.role)
-          return render_error(
-            message: 'Only admins and owners can update organization settings',
-            code: 'FORBIDDEN',
-            status: :forbidden
-          )
-        end
+        return if %w[admin owner].include?(@current_user.role)
+
+        render_error(
+          message: 'Only admins and owners can update organization settings',
+          code: 'FORBIDDEN',
+          status: :forbidden
+        )
       end
 
       def org_params

app/controllers/concerns/authenticatable.rb

@@ -27,11 +27,15 @@ def authenticate_request! # rubocop:disable Metrics/AbcSize, Metrics/MethodLengt
 
       if @jwt_payload[:entity_type] == 'player'
         # ── Player token ──────────────────────────────────────────────────────
-        @current_player       = Player.unscoped.find(@jwt_payload[:player_id])
-        @current_organization = Organization.find(@jwt_payload[:organization_id])
+        # Free agents (auto-cadastro via ArenaBR) têm organization_id: nil
+        @current_player = Player.unscoped.find(@jwt_payload[:player_id])
 
-        Current.organization_id = @current_organization.id
-        Rails.logger.info("[AUTH] Player token: player_id=#{@current_player.id} org=#{@current_organization.id}")
+        org_id = @jwt_payload[:organization_id]
+        @current_organization = org_id.present? ? Organization.find(org_id) : nil
+
+        Current.organization_id = @current_organization&.id
+        org_label = @current_organization&.id || 'free_agent'
+        Rails.logger.info("[AUTH] Player token: player_id=#{@current_player.id} org=#{org_label}")
         return
       end
 

app/modules/admin/controllers/status_incidents_controller.rb

@@ -111,6 +111,9 @@ def require_admin_access
       end
 
       def set_incident
+        # StatusIncidents are platform-wide (not org-scoped) — intentionally unscoped.
+        # This endpoint requires admin or owner role (see require_admin_access before_action).
+        # nosemgrep: ruby.rails.security.brakeman.check-unscoped-find
         @incident = StatusIncident.find(params[:id])
       end
 

app/modules/authentication/controllers/auth_controller.rb

@@ -26,7 +26,7 @@ module Controllers
     #
     class AuthController < Api::V1::BaseController
       skip_before_action :authenticate_request!,
-                         only: %i[register login player_login forgot_password reset_password refresh]
+                         only: %i[register login player_login player_register forgot_password reset_password refresh]
 
       # Registers a new user and organization
       #
@@ -170,6 +170,11 @@ def player_login # rubocop:disable Metrics/CyclomaticComplexity, Metrics/Perceiv
         tokens = JwtService.generate_player_tokens(player)
         player.update_last_login!
 
+        Rails.logger.info(
+          "[AUTH] player_login: id=#{player.id} email=#{player_email} " \
+          "org=#{player.organization_id || 'free_agent'} ip=#{request.remote_ip}"
+        )
+
         render_success(
           {
             player: {
@@ -212,6 +217,124 @@ def player_login # rubocop:disable Metrics/CyclomaticComplexity, Metrics/Perceiv
         render_error(message: 'Credenciais inválidas', code: 'INVALID_CREDENTIALS', status: :unauthorized)
       end
 
+      # Registers a new player (ArenaBR self-registration)
+      #
+      # Creates a Player without an organization — the player enters as a Free Agent.
+      # Uses the separate player_password auth path, completely isolated from User auth.
+      #
+      # Security:
+      # - organization_id is NEVER accepted from params (prevents privilege escalation)
+      # - player_access_enabled is always set server-side
+      # - password minimum 8 chars enforced at model level
+      # - summoner_name is the only game identity accepted (no riot_puuid injection)
+      # - rate-limited by rack-attack (player-register/ip: 5/hour)
+      #
+      # POST /api/v1/auth/player-register
+      #
+      # @param player_email [String] Email for player login
+      # @param password [String] Password (min 8 chars)
+      # @param password_confirmation [String] Must match password
+      # @param summoner_name [String] Riot summoner name (e.g. "GameName#TAG")
+      # @param discord_user_id [String] Discord username (optional)
+      #
+      def player_register # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+        player_email  = params[:player_email]&.downcase&.strip
+        summoner_name = params[:summoner_name]&.strip
+        password      = params[:password]
+        password_conf = params[:password_confirmation]
+        discord       = params[:discord_user_id]&.strip
+
+        # ── Validate required fields ─────────────────────────────────────────
+        missing = []
+        missing << 'player_email'  if player_email.blank?
+        missing << 'password'      if password.blank?
+        missing << 'summoner_name' if summoner_name.blank?
+
+        if missing.any?
+          return render_error(
+            message: "Campos obrigatórios faltando: #{missing.join(', ')}",
+            code: 'MISSING_FIELDS',
+            status: :bad_request
+          )
+        end
+
+        # ── Password confirmation ─────────────────────────────────────────────
+        if password != password_conf
+          return render_error(
+            message: 'Senhas não coincidem',
+            code: 'PASSWORD_MISMATCH',
+            status: :unprocessable_entity
+          )
+        end
+
+        # ── Duplicate email check ─────────────────────────────────────────────
+        if Player.exists?(player_email: player_email)
+          return render_error(
+            message: 'Já existe uma conta de jogador com este email',
+            code: 'DUPLICATE_EMAIL',
+            status: :unprocessable_entity
+          )
+        end
+
+        # ── Duplicate summoner name check ──────────────────────────────────────
+        if Player.exists?(['LOWER(summoner_name) = ?', summoner_name.downcase])
+          return render_error(
+            message: 'Summoner name já cadastrado na plataforma',
+            code: 'DUPLICATE_SUMMONER',
+            status: :unprocessable_entity
+          )
+        end
+
+        # ── Create player — SECURITY: organization_id always nil (free agent) ──
+        player = Player.new(
+          player_email: player_email,
+          player_password: password,
+          summoner_name: summoner_name,
+          discord_user_id: discord.presence,
+          player_access_enabled: true,
+          status: 'active',
+          role: 'top' # placeholder — player updates via profile
+          # organization_id intentionally omitted (nil) — free agent
+        )
+
+        unless player.save
+          return render_error(
+            message: 'Erro ao criar conta',
+            code: 'VALIDATION_ERROR',
+            status: :unprocessable_entity,
+            details: player.errors.as_json
+          )
+        end
+
+        Rails.logger.info("[AUTH] Player registered: id=#{player.id} email=#{player_email} summoner=#{summoner_name}")
+
+        tokens = JwtService.generate_player_tokens(player)
+
+        render_created(
+          {
+            player: {
+              id: player.id,
+              summoner_name: player.summoner_name,
+              player_email: player.player_email,
+              discord_user_id: player.discord_user_id,
+              role: player.role,
+              status: player.status,
+              organization_id: nil,
+              organization_name: nil,
+              is_free_agent: true,
+              solo_queue_tier: nil,
+              solo_queue_rank: nil,
+              solo_queue_lp: nil,
+              current_rank: nil
+            }
+          }.merge(tokens),
+          message: 'Conta criada! Você está no pool de Free Agents do ArenaBR Season 1.'
+        )
+      rescue StandardError => e
+        Rails.logger.error("Player register error: #{e.class} - #{e.message}")
+        render_error(message: 'Erro interno ao criar conta', code: 'INTERNAL_ERROR', status: :internal_server_error)
+      end
+
       # Refreshes an access token using a refresh token
       #
       # Validates the refresh token and generates a new access token.

app/modules/matchmaking/services/match_suggestion_service.rb

@@ -32,6 +32,18 @@ def available_now
                       .map { |w| build_suggestion(w, score_window(w)[:score]) }
   end
 
+  TIER_SCORE = {
+    'CHALLENGER' => 9, 'GRANDMASTER' => 8, 'MASTER' => 7,
+    'DIAMOND' => 6, 'EMERALD' => 5, 'PLATINUM' => 4,
+    'GOLD' => 3, 'SILVER' => 2, 'BRONZE' => 1, 'IRON' => 0
+  }.freeze
+
+  TIER_LABEL = {
+    9 => 'Challenger', 8 => 'Grandmaster', 7 => 'Master',
+    6 => 'Diamond', 5 => 'Emerald', 4 => 'Platinum',
+    3 => 'Gold', 2 => 'Silver', 1 => 'Bronze', 0 => 'Iron'
+  }.freeze
+
   private
 
   def find_candidate_windows
@@ -95,18 +107,6 @@ def build_suggestion(window, score)
     }
   end
 
-  TIER_SCORE = {
-    'CHALLENGER' => 9, 'GRANDMASTER' => 8, 'MASTER' => 7,
-    'DIAMOND' => 6, 'EMERALD' => 5, 'PLATINUM' => 4,
-    'GOLD' => 3, 'SILVER' => 2, 'BRONZE' => 1, 'IRON' => 0
-  }.freeze
-
-  TIER_LABEL = {
-    9 => 'Challenger', 8 => 'Grandmaster', 7 => 'Master',
-    6 => 'Diamond', 5 => 'Emerald', 4 => 'Platinum',
-    3 => 'Gold', 2 => 'Silver', 1 => 'Bronze', 0 => 'Iron'
-  }.freeze
-
   # Returns confirmed W/L from cross-org validated reports only
   def compute_record(org)
     confirmed = ScrimResultReport.confirmed.where(organization: org)

app/modules/players/controllers/players_controller.rb

@@ -372,7 +372,8 @@ def player_params
           :solo_queue_wins, :solo_queue_losses,
           :flex_queue_tier, :flex_queue_rank, :flex_queue_lp,
           :peak_tier, :peak_rank, :peak_season,
-          :riot_puuid, :riot_summoner_id,
+          # riot_puuid and riot_summoner_id are intentionally excluded —
+          # these fields must only be updated via the Riot sync service, never by user input.
           :twitter_handle, :twitch_channel, :instagram_handle,
           :notes
         )

app/modules/players/models/player.rb

@@ -38,7 +38,8 @@ class Player < ApplicationRecord
   include Searchable
 
   # Associations
-  belongs_to :organization
+  # optional: true — self-registered free agents (ArenaBR) can exist without an org
+  belongs_to :organization, optional: true
   has_many :player_match_stats, dependent: :destroy
   has_many :matches, through: :player_match_stats
   has_many :champion_pools, dependent: :destroy

app/modules/scrims/services/scrim_result_validation_service.rb

@@ -37,9 +37,7 @@ def call
       outcome = compare_with_opponent(report)
       { status: outcome, report: report }
     end
-  rescue ArgumentError => e
-    { status: :error, message: e.message }
-  rescue ActiveRecord::RecordInvalid => e
+  rescue ArgumentError, ActiveRecord::RecordInvalid => e
     { status: :error, message: e.message }
   end
 

config/brakeman.ignore

@@ -1,17 +1,13 @@
 {
   "ignored_warnings": [
     {
-      "fingerprint": "2df0aabf76fb1d7111cc2955d44606976db16719d3b2350db8c3b09fb5cbe613",
-      "note": "False positive — :role is an in-game position (top/jungle/mid/adc/support), NOT a user authorization/admin role. The Player model has no privileged role attribute. Reviewed 2026-02-28."
+      "fingerprint": "f2fd7351c85e531b66f6444ab8a89071e039b96befcdd5a6f897d3f55bb2d9dd",
+      "note": "False positive — :role is a League of Legends in-game position (top/jungle/mid/adc/support), NOT a user authorization role. riot_puuid and riot_summoner_id were intentionally removed from this permit list. Reviewed 2026-04-09."
     },
     {
       "fingerprint": "4e9eb66fae6365a1347b7ceb5de9c3834f80bfac2416c80526b09fc6a66eb4fa",
       "note": "False positive — the SQL interpolation only inserts PostgreSQL numbered bind-parameter placeholders ($1, $2, ...). The actual type_names values are passed separately as exec_query bind parameters, never concatenated into the SQL string. No user input reaches this code path. Reviewed 2026-02-28."
     },
-    {
-      "fingerprint": "7bdf978768b5058d8c79ec541e68cb8643bbf19ab5ab52d60e6bd420a91bc416",
-      "note": "False positive — safe_ids values come from Meilisearch hit IDs (internal database PKs) and are individually escaped via ActiveRecord::Base.connection.quote() before interpolation. User search query is sent only to Meilisearch, never interpolated into SQL. Reviewed 2026-02-28."
-    },
     {
       "fingerprint": "82553a8da70acefb77b22bab7fb95616b808a9604a23dff455508e0ad77e3107",
       "note": "False positive — the SQL interpolation only inserts PostgreSQL numbered bind-parameter placeholders ($1, $2, ...). The actual type_names values are passed separately as exec_query bind parameters. No user input reaches this code path. Reviewed 2026-04-05."
@@ -31,10 +27,6 @@
     {
       "fingerprint": "a53e36aea1309fb0af3b08b9d5403838087ed98264a2a158a98adde5f6d496d3",
       "note": "False positive — :role is a League of Legends champion role (adc/jungle/mid/support/top), NOT a user authorization role. SavedBuild model has no admin/banned/account_id or privilege-escalation fields. Reviewed 2026-02-28."
-    },
-    {
-      "fingerprint": "c98c465cbb4e6f99aae70dcf4cef99d859236873e06d64cc46a02a1f51f508a5",
-      "note": "False positive — identical pattern to pg_type_cache. Only PostgreSQL numbered placeholders ($1, $2, ...) are interpolated; actual type name values are bound separately via exec_query params. type_names defaults to a hard-coded whitelist of pg type strings, never accepts raw user input. Reviewed 2026-02-28."
     }
   ]
 }