@dudousxd/adonis-authkit-server 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Davi de Carvalho
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,137 @@
+# @dudousxd/adonis-authkit-server
+
+Authorization Server OpenID Connect para AdonisJS — um wrapper idiomático em volta do
+[`oidc-provider`](https://github.com/panva/node-oidc-provider).
+
+## Instalação
+
+```bash
+node ace add @dudousxd/adonis-authkit-server
+# ou: pnpm add @dudousxd/adonis-authkit-server && node ace configure @dudousxd/adonis-authkit-server
+```
+
+O `configure` publica `config/authkit_server.ts`, o model `app/models/auth_user.ts`,
+o controller de interactions (`app/controllers/auth_interaction_controller.ts`) e
+registra o provider.
+
+## Montar as rotas OIDC
+
+```ts
+// start/routes.ts
+import router from '@adonisjs/core/services/router'
+import { registerOidcRoutes } from '@dudousxd/adonis-authkit-server'
+
+registerOidcRoutes(router) // monta em /oidc por padrão
+```
+
+Defina `AUTHKIT_ISSUER` apontando para `<host>/oidc` (o issuer deve terminar no mount path).
+
+## Rotas de interaction (login/consentimento)
+
+O `oidc-provider` redireciona o usuário não autenticado para `interactions.url`
+(`/auth/interaction/:uid`). Essas telas são **suas** (o `configure` ejeta
+`app/controllers/auth_interaction_controller.ts`). Registre as rotas que apontam para ele:
+
+```ts
+// start/routes.ts
+import AuthInteractionController from '#controllers/auth_interaction_controller'
+
+router.get('/auth/interaction/:uid', [AuthInteractionController, 'show'])
+router.post('/auth/interaction/:uid/login', [AuthInteractionController, 'login'])
+router.post('/auth/interaction/:uid/consent', [AuthInteractionController, 'consent'])
+```
+
+Sem essas rotas o fluxo de autorização cai num 404 ao chegar na tela de login.
+
+## UI de login/consent (configurável)
+
+O `configure` ejeta as telas de interaction a partir de um preset escolhido:
+
+```bash
+node ace configure @dudousxd/adonis-authkit-server --ui=edge
+# valores: edge | react | headless — se omitir, o configure pergunta
+```
+
+Cada preset publica:
+
+- **`headless`** — apenas o controller (`app/controllers/auth_interaction_controller.ts`).
+  `show` devolve JSON (`{ uid, prompt, params }`) e `login`/`consent` respondem JSON/erro.
+  Você constrói o front como quiser.
+- **`edge`** — controller + views Edge (`resources/views/authkit/login.edge` e
+  `consent.edge`). `show` renderiza a view de acordo com o prompt.
+- **`react`** — controller + páginas Inertia/React (`inertia/pages/authkit/login.tsx` e
+  `consent.tsx`). `show` faz `inertia.render`. Exige `@adonisjs/inertia` + Vite + React no
+  app — o `configure` valida essa stack antes de publicar o preset.
+
+Em todos os presets o controller ejetado é **casca**: a lógica vive em
+`service.interactions` (resolvido via `containerResolver.make('authkit.server')`), que expõe
+`details(ctx)`, `login(ctx, { email, password })` e `consent(ctx)`. Você edita só a parte de
+render/redirect.
+
+Quem decide se as credenciais valem é o `verifyCredentials` do `config/authkit_server.ts`
+— é o que o `service.interactions.login` chama. O default consulta o `AuthUser` por e-mail e
+usa `verifyPassword`; sobrescreva para plugar sua própria base de usuários.
+
+As 3 rotas que o consumidor registra são as mesmas da seção anterior:
+
+```ts
+import AuthInteractionController from '#controllers/auth_interaction_controller'
+
+router.get('/auth/interaction/:uid', [AuthInteractionController, 'show'])
+router.post('/auth/interaction/:uid/login', [AuthInteractionController, 'login'])
+router.post('/auth/interaction/:uid/consent', [AuthInteractionController, 'consent'])
+```
+
+## Persistência
+
+Escolha o backend no `config/authkit_server.ts`:
+- `adapters.redis({ connection })` — requer `@adonisjs/redis` configurado.
+- `adapters.database({ connection? })` — Lucid; rode a migração `authkit_oidc_payloads`.
+
+## Observabilidade
+
+A lib agrega métricas de auth (logins, tokens, refresh, grants revogados, duração/erros
+de resolve) e as expõe de forma opt-in.
+
+### Configuração
+
+No `config/authkit_server.ts`, use a chave `observability`:
+
+```ts
+observability: {
+  metrics: true,    // habilita a coleta/agregação de métricas
+  jsonRoutes: true, // libera a rota JSON de snapshot
+  dashboard: true,  // libera o dashboard HTML embutido
+}
+```
+
+### Rotas
+
+Passe as flags em `registerOidcRoutes` no `start/routes.ts`:
+
+```ts
+import { registerOidcRoutes } from '@dudousxd/adonis-authkit-server'
+
+registerOidcRoutes(router, { metrics: true, dashboard: true })
+```
+
+- `GET /authkit/metrics` — snapshot agregado em JSON (`{ counters, histograms, updatedAt }`).
+- `GET /authkit/dashboard` — dashboard HTML embutido (auto-refresh a cada 5s, sem
+  dependência do Edge do consumidor).
+
+### OpenTelemetry
+
+As métricas são emitidas via OpenTelemetry **quando** `@opentelemetry/api` e `@adonisjs/otel`
+estão instalados. Sem esses pacotes a emissão é no-op — a agregação em memória (e as rotas
+JSON/HTML) continua funcionando normalmente.
+
+### Grafana
+
+O arquivo `assets/grafana/authkit-dashboard.json` pode ser importado diretamente no Grafana
+(Dashboards → Import). Ele usa nomes de métrica no padrão OTel→Prometheus (pontos viram
+underscores e counters ganham `_total`), portanto requer um exporter Prometheus no pipeline
+OTel para que as séries existam.
+
+## Notas
+- Access tokens são opacos; ID tokens são JWT (assinados pelo JWKS gerido).
+- PKCE (S256) é obrigatório; refresh tokens são rotacionados.

package/build/assets/grafana/authkit-dashboard.json

@@ -0,0 +1,118 @@
+{
+  "title": "AuthKit",
+  "uid": "authkit",
+  "schemaVersion": 39,
+  "version": 1,
+  "editable": true,
+  "graphTooltip": 0,
+  "time": { "from": "now-6h", "to": "now" },
+  "refresh": "30s",
+  "tags": ["authkit", "oidc", "auth"],
+  "templating": {
+    "list": [
+      {
+        "name": "datasource",
+        "label": "Datasource",
+        "type": "datasource",
+        "query": "prometheus",
+        "current": {},
+        "hide": 0,
+        "refresh": 1
+      }
+    ]
+  },
+  "panels": [
+    {
+      "id": 1,
+      "title": "Login (sucesso vs falha)",
+      "type": "timeseries",
+      "datasource": { "type": "prometheus", "uid": "${datasource}" },
+      "gridPos": { "h": 8, "w": 12, "x": 0, "y": 0 },
+      "fieldConfig": { "defaults": { "unit": "ops" }, "overrides": [] },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": { "type": "prometheus", "uid": "${datasource}" },
+          "expr": "rate(authkit_login_success_total[5m])",
+          "legendFormat": "success"
+        },
+        {
+          "refId": "B",
+          "datasource": { "type": "prometheus", "uid": "${datasource}" },
+          "expr": "rate(authkit_login_failure_total[5m])",
+          "legendFormat": "failure"
+        }
+      ]
+    },
+    {
+      "id": 2,
+      "title": "Tokens emitidos vs refresh rotacionados",
+      "type": "timeseries",
+      "datasource": { "type": "prometheus", "uid": "${datasource}" },
+      "gridPos": { "h": 8, "w": 12, "x": 12, "y": 0 },
+      "fieldConfig": { "defaults": { "unit": "ops" }, "overrides": [] },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": { "type": "prometheus", "uid": "${datasource}" },
+          "expr": "rate(authkit_token_issued_total[5m])",
+          "legendFormat": "issued"
+        },
+        {
+          "refId": "B",
+          "datasource": { "type": "prometheus", "uid": "${datasource}" },
+          "expr": "rate(authkit_refresh_rotated_total[5m])",
+          "legendFormat": "refresh rotated"
+        }
+      ]
+    },
+    {
+      "id": 3,
+      "title": "Grants revogados (total)",
+      "type": "stat",
+      "datasource": { "type": "prometheus", "uid": "${datasource}" },
+      "gridPos": { "h": 8, "w": 8, "x": 0, "y": 8 },
+      "fieldConfig": { "defaults": { "unit": "short" }, "overrides": [] },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": { "type": "prometheus", "uid": "${datasource}" },
+          "expr": "sum(authkit_grant_revoked_total)",
+          "legendFormat": "revoked"
+        }
+      ]
+    },
+    {
+      "id": 4,
+      "title": "Resolve duration (p95)",
+      "type": "timeseries",
+      "datasource": { "type": "prometheus", "uid": "${datasource}" },
+      "gridPos": { "h": 8, "w": 8, "x": 8, "y": 8 },
+      "fieldConfig": { "defaults": { "unit": "s" }, "overrides": [] },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": { "type": "prometheus", "uid": "${datasource}" },
+          "expr": "histogram_quantile(0.95, rate(authkit_resolve_duration_bucket[5m]))",
+          "legendFormat": "p95"
+        }
+      ]
+    },
+    {
+      "id": 5,
+      "title": "Erros de resolve (total)",
+      "type": "stat",
+      "datasource": { "type": "prometheus", "uid": "${datasource}" },
+      "gridPos": { "h": 8, "w": 8, "x": 16, "y": 8 },
+      "fieldConfig": { "defaults": { "unit": "short" }, "overrides": [] },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": { "type": "prometheus", "uid": "${datasource}" },
+          "expr": "sum(authkit_resolve_errors_total)",
+          "legendFormat": "errors"
+        }
+      ]
+    }
+  ]
+}

package/build/commands/commands.json

@@ -0,0 +1,30 @@
+{
+  "version": 1,
+  "commands": [
+    {
+      "commandName": "authkit:eject",
+      "description": "Ejeta views Edge ou um controller do host-kit do @dudousxd/adonis-authkit-server para customização local",
+      "namespace": "authkit",
+      "aliases": [],
+      "flags": [
+        {
+          "name": "views",
+          "flagName": "views",
+          "required": false,
+          "type": "boolean",
+          "description": "Copia as views Edge da lib para resources/views/authkit/"
+        },
+        {
+          "name": "controller",
+          "flagName": "controller",
+          "required": false,
+          "type": "string",
+          "description": "Copia um controller do host-kit (ex.: interaction) para app/controllers/authkit/"
+        }
+      ],
+      "args": [],
+      "options": {},
+      "filePath": "eject.js"
+    }
+  ]
+}

package/build/commands/configure.d.ts

@@ -0,0 +1,2 @@
+import type Configure from '@adonisjs/core/commands/configure';
+export declare function configure(command: Configure): Promise<void>;

package/build/commands/configure.js

@@ -0,0 +1,42 @@
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { stubsRoot } from '../stubs/main.js';
+import { resolveUiPreset, uiStubPaths } from './ui_preset.js';
+function assertPresetPrereqs(preset, appRoot) {
+    if (preset !== 'react')
+        return;
+    const pkgPath = join(appRoot, 'package.json');
+    const pkg = existsSync(pkgPath) ? JSON.parse(readFileSync(pkgPath, 'utf8')) : {};
+    const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+    const hasInertia = !!deps['@adonisjs/inertia'];
+    const hasReact = !!deps['react'];
+    const hasVite = existsSync(join(appRoot, 'vite.config.ts')) || existsSync(join(appRoot, 'vite.config.js'));
+    if (!hasInertia || !hasReact || !hasVite) {
+        throw new Error('authkit --ui=react requer @adonisjs/inertia + react + Vite no app. ' +
+            'Rode `node ace add @adonisjs/inertia` (com React) antes, ou use --ui=edge|headless.');
+    }
+}
+export async function configure(command) {
+    const flag = command.parsedFlags?.ui;
+    const chosen = flag ?? (await command.prompt.choice('UI das telas de login/consent', ['edge', 'react', 'headless']));
+    const preset = resolveUiPreset(chosen);
+    assertPresetPrereqs(preset, command.app.makePath());
+    const codemods = await command.createCodemods();
+    await codemods.makeUsingStub(stubsRoot, 'config/authkit.stub', {});
+    await codemods.makeUsingStub(stubsRoot, 'models/auth_user.stub', {});
+    for (const path of uiStubPaths(preset)) {
+        await codemods.makeUsingStub(stubsRoot, path, {});
+    }
+    await codemods.updateRcFile((rcFile) => {
+        rcFile.addProvider('@dudousxd/adonis-authkit-server/authkit_server_provider');
+    });
+    await codemods.defineEnvValidations({
+        leadingComment: 'Variáveis do @dudousxd/adonis-authkit-server (Authorization Server OIDC)',
+        variables: {
+            AUTHKIT_ISSUER: `Env.schema.string({ format: 'url', tld: false })`,
+        },
+    });
+    await codemods.defineEnvVariables({
+        AUTHKIT_ISSUER: 'http://localhost:3333/oidc',
+    });
+}

package/build/commands/eject.d.ts

@@ -0,0 +1,11 @@
+import { BaseCommand } from '@adonisjs/core/ace';
+import type { CommandOptions } from '@adonisjs/core/types/ace';
+export default class AuthkitEject extends BaseCommand {
+    static commandName: string;
+    static description: string;
+    static help: string[];
+    static options: CommandOptions;
+    views: boolean;
+    controller?: string;
+    run(): Promise<void>;
+}

package/build/commands/eject.js

@@ -0,0 +1,96 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { BaseCommand, flags } from '@adonisjs/core/ace';
+const KNOWN_CONTROLLERS = [
+    'interaction',
+    'registration',
+    'social',
+    'account_session',
+    'account_tokens',
+    'pat_introspection',
+];
+export default class AuthkitEject extends BaseCommand {
+    static commandName = 'authkit:eject';
+    static description = 'Ejeta views Edge ou um controller do host-kit do @dudousxd/adonis-authkit-server para customização local';
+    static help = [
+        'Use --views para copiar as views Edge da lib para resources/views/authkit/.',
+        'Depois de ejetar as views, o app as servirá pelo ViewPath padrão',
+        '(sem o disco authkit::) — renomeie as chamadas view() nos controllers.',
+        '',
+        'Use --controller=<nome> para copiar um controller do host-kit para',
+        'app/controllers/authkit/<nome>_controller.ts e customizá-lo livremente.',
+        '',
+        `Controllers disponíveis: ${KNOWN_CONTROLLERS.join(', ')}`,
+    ];
+    static options = {};
+    async run() {
+        const fs = await import('node:fs');
+        const { fileURLToPath } = await import('node:url');
+        /**
+         * Resolve o diretório dentro de `host/` — prefere o build compilado,
+         * cai de volta para o src quando rodando no contexto de dev da lib.
+         */
+        const pickDir = (rel) => {
+            const built = new URL(`../build/host/${rel}`, import.meta.url);
+            const src = new URL(`../src/host/${rel}`, import.meta.url);
+            return fs.existsSync(fileURLToPath(built)) ? built : src;
+        };
+        if (this.views) {
+            const fromPath = fileURLToPath(pickDir('views'));
+            if (!fs.existsSync(fromPath)) {
+                this.logger.error('Diretório de views não encontrado. Execute `pnpm build` no pacote primeiro.');
+                this.exitCode = 1;
+                return;
+            }
+            const toPath = this.app.makePath('resources/views/authkit');
+            fs.mkdirSync(toPath, { recursive: true });
+            fs.cpSync(fromPath, toPath, { recursive: true });
+            this.logger.success(`Views Edge ejetadas → ${toPath}`);
+            this.logger.info('Lembre-se de ajustar as chamadas view() nos controllers para usar o caminho local ao invés do disco authkit::.');
+        }
+        if (this.controller) {
+            const knownList = KNOWN_CONTROLLERS;
+            if (!knownList.includes(this.controller)) {
+                this.logger.error(`Controller desconhecido: "${this.controller}". Disponíveis: ${KNOWN_CONTROLLERS.join(', ')}`);
+                this.exitCode = 1;
+                return;
+            }
+            const file = `${this.controller}_controller`;
+            const fromDirPath = fileURLToPath(pickDir('controllers'));
+            // Prefere .js (build) com fallback para .ts (src)
+            const jsPath = `${fromDirPath}/${file}.js`;
+            const tsPath = `${fromDirPath}/${file}.ts`;
+            const fromFilePath = fs.existsSync(jsPath) ? jsPath : tsPath;
+            const ext = fs.existsSync(jsPath) ? 'js' : 'ts';
+            if (!fs.existsSync(fromFilePath)) {
+                this.logger.error(`Arquivo do controller não encontrado: ${fromFilePath}. Execute \`pnpm build\` no pacote primeiro.`);
+                this.exitCode = 1;
+                return;
+            }
+            const toDirPath = this.app.makePath('app/controllers/authkit');
+            fs.mkdirSync(toDirPath, { recursive: true });
+            const toFilePath = `${toDirPath}/${file}.${ext}`;
+            fs.copyFileSync(fromFilePath, toFilePath);
+            this.logger.success(`Controller "${this.controller}" ejetado → ${toFilePath}`);
+            this.logger.info(`Atualize as rotas do host para apontar para app/controllers/authkit/${file}.`);
+        }
+        if (!this.views && !this.controller) {
+            this.logger.info('Nenhuma opção especificada. Use --views ou --controller=<nome>.');
+            this.logger.info(`Controllers disponíveis: ${KNOWN_CONTROLLERS.join(', ')}`);
+        }
+    }
+}
+__decorate([
+    flags.boolean({
+        description: 'Copia as views Edge da lib para resources/views/authkit/',
+    })
+], AuthkitEject.prototype, "views", void 0);
+__decorate([
+    flags.string({
+        description: `Copia um controller do host-kit (ex.: interaction) para app/controllers/authkit/`,
+    })
+], AuthkitEject.prototype, "controller", void 0);

package/build/commands/main.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Lê os metadados dos commands a partir do arquivo commands.json.
+ * O Ace usa esta função para listar os comandos disponíveis do pacote.
+ */
+export declare function getMetaData(): Promise<any[] | undefined>;
+/**
+ * Importa a classe do comando pelo `commandName`.
+ * O Ace chama esta função quando precisa executar um comando do pacote.
+ */
+export declare function getCommand(metaData: {
+    commandName: string;
+}): Promise<any>;

package/build/commands/main.js

@@ -0,0 +1,38 @@
+var __rewriteRelativeImportExtension = (this && this.__rewriteRelativeImportExtension) || function (path, preserveJsx) {
+    if (typeof path === "string" && /^\.\.?\//.test(path)) {
+        return path.replace(/\.(tsx)$|((?:\.d)?)((?:\.[^./]+?)?)\.([cm]?)ts$/i, function (m, tsx, d, ext, cm) {
+            return tsx ? preserveJsx ? ".jsx" : ".js" : d && (!ext || !cm) ? m : (d + ext + "." + cm.toLowerCase() + "js");
+        });
+    }
+    return path;
+};
+import { readFile } from 'node:fs/promises';
+/**
+ * Cache in-memory após primeira leitura
+ */
+let commandsMetaData;
+/**
+ * Lê os metadados dos commands a partir do arquivo commands.json.
+ * O Ace usa esta função para listar os comandos disponíveis do pacote.
+ */
+export async function getMetaData() {
+    if (commandsMetaData) {
+        return commandsMetaData;
+    }
+    const commandsIndex = await readFile(new URL('./commands.json', import.meta.url), 'utf-8');
+    commandsMetaData = JSON.parse(commandsIndex).commands;
+    return commandsMetaData;
+}
+/**
+ * Importa a classe do comando pelo `commandName`.
+ * O Ace chama esta função quando precisa executar um comando do pacote.
+ */
+export async function getCommand(metaData) {
+    const commands = await getMetaData();
+    const command = commands.find(({ commandName }) => metaData.commandName === commandName);
+    if (!command) {
+        return null;
+    }
+    const { default: commandConstructor } = await import(__rewriteRelativeImportExtension(new URL(command.filePath, import.meta.url).href));
+    return commandConstructor;
+}

package/build/commands/ui_preset.d.ts

@@ -0,0 +1,4 @@
+export type UiPreset = 'headless' | 'edge' | 'react';
+export declare function resolveUiPreset(value: string | undefined): UiPreset;
+/** Caminhos de stub (relativos ao stubsRoot) que o preset publica. */
+export declare function uiStubPaths(preset: UiPreset): string[];

package/build/commands/ui_preset.js

@@ -0,0 +1,32 @@
+const VALID = ['headless', 'edge', 'react'];
+export function resolveUiPreset(value) {
+    if (value === undefined)
+        return 'edge';
+    if (!VALID.includes(value)) {
+        throw new Error(`authkit: --ui inválido "${value}". Use: ${VALID.join(' | ')}`);
+    }
+    return value;
+}
+/** Caminhos de stub (relativos ao stubsRoot) que o preset publica. */
+export function uiStubPaths(preset) {
+    switch (preset) {
+        case 'headless':
+            return [];
+        case 'edge':
+            return []; // views são donas-da-lib (disco authkit::); nada a scaffoldar
+        case 'react':
+            return [
+                'ui/react/components/auth_shell.tsx',
+                'ui/react/pages/login.tsx',
+                'ui/react/pages/consent.tsx',
+                'ui/react/pages/signup.tsx',
+                'ui/react/pages/forgot.tsx',
+                'ui/react/pages/reset.tsx',
+                'ui/react/pages/verify-email.tsx',
+                'ui/react/pages/mfa-challenge.tsx',
+                'ui/react/pages/account/login.tsx',
+                'ui/react/pages/account/tokens.tsx',
+                'ui/react/pages/account/mfa.tsx',
+            ];
+    }
+}

package/build/database/migrations/make_authkit_oidc_table.d.ts

@@ -0,0 +1,6 @@
+import { BaseSchema } from '@adonisjs/lucid/schema';
+export default class extends BaseSchema {
+    protected tableName: string;
+    up(): Promise<void>;
+    down(): Promise<void>;
+}

package/build/database/migrations/make_authkit_oidc_table.js

@@ -0,0 +1,19 @@
+import { BaseSchema } from '@adonisjs/lucid/schema';
+export default class extends BaseSchema {
+    tableName = 'authkit_oidc_payloads';
+    async up() {
+        this.schema.createTable(this.tableName, (table) => {
+            table.string('id', 255).notNullable();
+            table.string('model_name', 100).notNullable();
+            table.text('payload').notNullable();
+            table.string('grant_id', 255).nullable().index();
+            table.string('user_code', 255).nullable().index();
+            table.string('uid', 255).nullable().index();
+            table.timestamp('expires_at', { useTz: true }).nullable();
+            table.primary(['model_name', 'id']);
+        });
+    }
+    async down() {
+        this.schema.dropTable(this.tableName);
+    }
+}

package/build/host/views/account/login.edge

@@ -0,0 +1,29 @@
+<!doctype html>
+<html lang="pt-br"><head><meta charset="utf-8"><title>{{ t('account.login.page_title') }}</title>
+<script src="https://cdn.tailwindcss.com"></script></head>
+<body class="min-h-screen flex items-center justify-center bg-gray-100 p-4">
+  <form method="POST" action="/account/login"
+    class="w-full max-w-sm rounded-2xl bg-white p-8 shadow-xl ring-1 ring-black/5">
+    <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+    <div class="text-xs font-semibold uppercase tracking-widest text-gray-400">{{ t('common.brand_eyebrow') }}</div>
+    <h1 class="mt-2 text-xl font-semibold text-gray-900">{{ t('account.login.title') }}</h1>
+    <p class="mt-1 text-sm text-gray-500">{{ t('account.login.intro') }}</p>
+
+    @if(error)
+      <p class="mt-4 text-sm text-red-600">{{ error }}</p>
+    @end
+
+    <label for="email" class="mt-6 mb-1 block text-sm font-medium text-gray-700">{{ t('account.login.email_label') }}</label>
+    <input id="email" name="email" type="email" required autofocus
+      class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none transition focus:border-gray-900" />
+
+    <label for="password" class="mt-4 mb-1 block text-sm font-medium text-gray-700">{{ t('account.login.password_label') }}</label>
+    <input id="password" name="password" type="password" required
+      class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none transition focus:border-gray-900" />
+
+    <button type="submit"
+      class="mt-6 w-full rounded-lg bg-gray-900 py-2.5 text-sm font-semibold text-white transition hover:opacity-90">
+      {{ t('account.login.submit') }}
+    </button>
+  </form>
+</body></html>