diff --git a/app.js b/app.js
index 4cc3454..0ab5a09 100644
--- a/app.js
+++ b/app.js
@@ -8,11 +8,13 @@ const csv = require("csv-parser");
 const fastCsv = require("fast-csv");
 const axios = require("axios");
 const cors = require("cors");
+const session = require("express-session"); // adiciona session
 const { geocodeWithGoogle } = require("./service/geocodeService");
 const { fetchJson } = require("./service/fetchService");
 const { BASE_BACKOFF_MS, MAX_RETRIES, REQUEST_DELAY_MS, sleep } = require("./service/retryService");
 const { API_URL, HEADERS } = require("./config/apiConfig");
 const { normalizePartnerSigla } = require("./service/normalizeService");
+const authRoutes = require("./routes/authRoutes.js");
 function createApp() {
 const upload = multer({ dest: "uploads/" });
@@ -21,6 +23,19 @@ function createApp() {
 app.use(express.static(path.join(__dirname, "public")));
 app.use(express.json());
+ // session deve ser configurada antes de usar req.session nas rotas/middleware
+ app.use(
+ session({
+ secret: process.env.SESSION_SECRET || "change-me",
+ resave: false,
+ saveUninitialized: false,
+ cookie: {
+ // ajuste conforme produção (secure: true se rodando em HTTPS)
+ maxAge: 24 * 60 * 60 * 1000,
+ },
+ })
+ );
+
 async function getMinDistance(lat, lon) {
 // tenta várias vezes com backoff exponencial; trata 429 usando Retry-After se disponível
 let attempt = 0;
diff --git a/routes/authRoutes.js b/routes/authRoutes.js
index c2a503e..a30669f 100644
--- a/routes/authRoutes.js
+++ b/routes/authRoutes.js
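Review bot: The `|| "change-me"` fallback on the `secret` line of the session setup in app.js means a deployment that forgets `SESSION_SECRET` signs its session cookies with a string published in the repository, so the signature no longer protects anything. I would fail at startup instead: `const sessionSecret = process.env.SESSION_SECRET;` followed by `if (!sessionSecret) throw new Error("SESSION_SECRET is not set");`. The `cookie` block leaves `secure` as a comment and sets no `sameSite`; `sameSite: "lax"` and `secure: process.env.NODE_ENV === "production"` would make the intent explicit (behind a TLS-terminating proxy `secure` also needs `trust proxy`). No `store` is configured, so the OAuth tokens written by routes/authRoutes.js would sit in express-session's default in-memory store, which its documentation says is not meant for production. `createApp` continues outside this hunk.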
@@ -1,35 +1,32 @@
-import express from "express";
-import {getAuthUrl, getTokenFomCode} from "../service/authService.js";
+const express = require("express");
+const { getAuthUrl, getTokenFromCode } = require("../service/authService");
 const router = express.Router();
 // Rota para iniciar o fluxo de autenticação
-
 router.get("/login", (req, res) => {
- const authUrl = getAuthUrl();
- return res.redirect(authUrl);
+ const authUrl = getAuthUrl();
+ return res.redirect(authUrl);
 });
-
 // Rota de callback após autenticação
-
 router.get("/auth/callback", async (req, res) => {
- const code = req.query.code;
+ const code = req.query.code;
- if (!code) {
- return res.status(400).send("Código de autenticação não fornecido.");
- }
+ if (!code) {
+ return res.status(400).send("Código de autenticação não fornecido.");
+ }
- try {
- const tokens = await getTokenFomCode(code);
- // Armazena os tokens na sessão do usuário
- req.session.tokens = tokens;
- return res.redirect("/public/index.html");
- } catch (error) {
- console.error("Erro ao obter tokens:", error);
- return res.status(500).send("Erro ao processar a autenticação.");
- }
+ try {
+ const tokens = await getTokenFromCode(code);
+ // Armazena os tokens na sessão do usuário
+ if (!req.session) req.session = {};
+ req.session.tokens = tokens;
+ return res.redirect("/public/index.html");
+ } catch (error) {
+ console.error("Erro ao obter tokens:", error);
+ return res.status(500).send("Erro ao processar a autenticação.");
+ }
+});
-})
-
-export default router;
\ No newline at end of file
+module.exports = router;
\ No newline at end of file
diff --git a/service/authService.js b/service/authService.js
index bea1f47..d982372 100644
--- a/service/authService.js
+++ b/service/authService.js
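Review bot: The `/auth/callback` handler exchanges whatever `code` arrives without checking a `state` value, so it cannot tell a callback started by this browser's `/login` from one carrying somebody else's authorization code (login CSRF); whether `getAuthUrl()` sends a `state` is not visible in this diff. The added `if (!req.session) req.session = {};` also hides a missing session middleware: the tokens would land on a throwaway object and the user would still be redirected as if signed in. I would drop that guard, have `/login` store a random value in the session and pass it to the authorization URL, compare it in the callback, and regenerate the session before storing the tokens so a pre-login session id is not carried over. The `oauthState` name in the sketch below is only a suggestion.

```javascript
router.get("/auth/callback", async (req, res) => {
  const { code, state } = req.query;
  // … unchanged: 400 response when code is missing …

  // Accept only callbacks that match the value stored by /login for this session.
  const expectedState = req.session.oauthState;
  delete req.session.oauthState;
  if (!expectedState || state !== expectedState) {
    return res.status(400).send("Estado de autenticação inválido.");
  }

  try {
    const tokens = await getTokenFromCode(code);
    // Issue a fresh session id at login so an id set before login is not reused.
    req.session.regenerate((err) => {
      if (err) {
        console.error("Erro ao regenerar a sessão:", err);
        return res.status(500).send("Erro ao processar a autenticação.");
      }
      req.session.tokens = tokens;
      return res.redirect("/public/index.html");
    });
  } catch (error) {
    // … unchanged: error logging and 500 response …
  }
});
```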
@@ -1,6 +1,5 @@
-import axios from "axios";
-import dotenv from "dotenv";
-dotenv.config();
+const axios = require("axios");
+require("dotenv").config();
 const tenantId = process.env.OAUTH_TENANT_ID;
 const clientId = process.env.OAUTH_CLIENT_ID;
@@ -8,7 +7,7 @@ const clientSecret = process.env.OAUTH_CLIENT_SECRET;
 const redirectUri = process.env.OAUTH_REDIRECT_URI;
 // Função que gera o link de login para o usuário
-export function getAuthUrl() {
+function getAuthUrl() {
 const params = new URLSearchParams({
 client_id: clientId,
 response_type: "code",
@@ -22,7 +21,7 @@ export function getAuthUrl() {
 }
 // Troca o "authorization code" por tokens
-export async function getTokenFromCode(authCode) {
+async function getTokenFromCode(authCode) {
 const url = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
 const params = new URLSearchParams({
@@ -34,6 +33,10 @@ export async function getTokenFromCode(authCode) {
 client_secret: clientSecret,
 });
- const response = await axios.post(url, params);
+ const response = await axios.post(url, params.toString(), {
+ headers: { "Content-Type": "application/x-www-form-urlencoded" },
+ });
 return response.data;
 }
+
+module.exports = { getAuthUrl, getTokenFromCode };
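Review bot: A failed `axios.post` in the last hunk rejects with the Axios error object, which carries the request config and with it the form body holding `client_secret` and the authorization code; the callback route in routes/authRoutes.js passes that object straight to `console.error`. I would catch the error inside `getTokenFromCode` and rethrow one that holds only the HTTP status and the provider's error code, and add a `timeout` so a stalled token endpoint cannot hold the request open. The start of `getTokenFromCode` lies outside this hunk.

```javascript
  // … unchanged: url and params construction …
  try {
    const response = await axios.post(url, params.toString(), {
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      timeout: 10000,
    });
    return response.data;
  } catch (err) {
    // Keep the request body (client_secret, authorization code) out of what callers log.
    const status = err.response?.status ?? "no response";
    const reason = err.response?.data?.error ?? err.code ?? "unknown";
    throw new Error(`Token request failed (${status}): ${reason}`);
  }
```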