@dudousxd/adonis-authkit-server 0.1.0

package/build/src/host/register_auth_host.js

@@ -0,0 +1,133 @@
+import { resolveRateLimit } from '../define_config.js';
+import { createAuthThrottles } from './rate_limit.js';
+import { ACCOUNT_SESSION_KEY } from './middleware/account_auth.js';
+/**
+ * Guard inline do console de conta. Usamos uma closure (forma confiável do
+ * `.use()` do AdonisJS) em vez de `() => import(middleware)` — a forma lazy de
+ * classe NÃO era aplicada em runtime num grupo, deixando /account/tokens e
+ * /account/mfa acessíveis sem sessão.
+ */
+const accountGuard = async (ctx, next) => {
+    if (!ctx.session?.get(ACCOUNT_SESSION_KEY)) {
+        return ctx.response.redirect('/account/login');
+    }
+    return next();
+};
+/**
+ * Guard do console admin (B6). Como o `accountGuard`, é uma closure inline (forma
+ * confiável do `.use()` num grupo). Exige:
+ *   1. sessão de conta ativa (senão → /account/login);
+ *   2. a conta logada com pelo menos UMA das `config.admin.roles` nas roles globais
+ *      (senão → /account/tokens, evitando vazar a existência do /admin).
+ * As roles permitidas são resolvidas em runtime do `authkit.server` (config lazy).
+ */
+export const adminGuard = async (ctx, next) => {
+    const accountId = ctx.session?.get(ACCOUNT_SESSION_KEY);
+    if (!accountId) {
+        return ctx.response.redirect('/account/login');
+    }
+    const service = await ctx.containerResolver.make('authkit.server');
+    const cfg = service.config;
+    const allowed = cfg.admin.roles;
+    const account = await cfg.accountStore.findById(accountId);
+    const roles = account?.globalRoles ?? [];
+    const isAdmin = roles.some((r) => allowed.includes(r));
+    if (!isAdmin) {
+        return ctx.response.redirect('/account/tokens');
+    }
+    return next();
+};
+const C = {
+    oidc: () => import('../controllers/oidc_callback_controller.js'),
+    interaction: () => import('./controllers/interaction_controller.js'),
+    registration: () => import('./controllers/registration_controller.js'),
+    social: () => import('./controllers/social_controller.js'),
+    patIntrospection: () => import('./controllers/pat_introspection_controller.js'),
+    accountSession: () => import('./controllers/account_session_controller.js'),
+    accountTokens: () => import('./controllers/account_tokens_controller.js'),
+    accountMfa: () => import('./controllers/account_mfa_controller.js'),
+    adminDashboard: () => import('./controllers/admin/admin_dashboard_controller.js'),
+    adminUsers: () => import('./controllers/admin/admin_users_controller.js'),
+    adminClients: () => import('./controllers/admin/admin_clients_controller.js'),
+    adminAudit: () => import('./controllers/admin/admin_audit_controller.js'),
+};
+/**
+ * Monta todas as rotas do host-kit do Authorization Server numa chamada.
+ * Substitui registerOidcRoutes + o hand-wiring do start/routes.ts do host.
+ */
+export function registerAuthHost(router, opts) {
+    const mount = opts.mountPath;
+    // Throttles opt-in (anti-brute-force). `undefined` quando rate-limit desligado.
+    const throttles = createAuthThrottles(resolveRateLimit(opts.rateLimit));
+    // Helpers: aplicam o middleware de throttle quando presente; senão no-op.
+    const withLogin = (route) => {
+        if (throttles)
+            route.use([throttles.login]);
+    };
+    const withIntrospection = (route) => {
+        if (throttles)
+            route.use([throttles.introspection]);
+    };
+    // Provider OIDC (wildcard + root) — o que registerOidcRoutes fazia.
+    router.any(`${mount}/*`, [C.oidc]).as('authkit.oidc.wildcard');
+    router.any(mount, [C.oidc]).as('authkit.oidc.root');
+    // Interaction (login multi-step + consent + signup).
+    router.get('/auth/interaction/:uid', [C.interaction, 'show']);
+    router.post('/auth/interaction/:uid/identifier', [C.interaction, 'identifier']);
+    withLogin(router.post('/auth/interaction/:uid/login', [C.interaction, 'login']));
+    withLogin(router.post('/auth/interaction/:uid/mfa', [C.interaction, 'mfaVerify']));
+    // Passkey como 2º fator alternativo no login (begin/finish; challenge na sessão).
+    router.post('/auth/interaction/:uid/passkey/options', [C.interaction, 'passkeyOptions']);
+    withLogin(router.post('/auth/interaction/:uid/passkey/verify', [C.interaction, 'passkeyVerify']));
+    router.post('/auth/interaction/:uid/consent', [C.interaction, 'consent']);
+    router.get('/auth/interaction/:uid/switch', [C.interaction, 'switchIdentifier']);
+    router.get('/auth/interaction/:uid/signup', [C.registration, 'showSignup']);
+    withLogin(router.post('/auth/interaction/:uid/signup', [C.registration, 'signup']));
+    // Recuperação de senha (standalone).
+    router.get('/auth/forgot-password', [C.registration, 'showForgot']);
+    withLogin(router.post('/auth/forgot-password', [C.registration, 'forgot']));
+    router.get('/auth/reset-password', [C.registration, 'showReset']);
+    withLogin(router.post('/auth/reset-password', [C.registration, 'reset']));
+    // Verificação de e-mail (standalone, GET-only — consome o token do link).
+    router.get('/auth/verify-email', [C.registration, 'verifyEmail']);
+    // Login social (opt-in).
+    if (opts.social) {
+        router.get('/auth/:provider/redirect/:uid', [C.social, 'redirect']);
+        router.get('/auth/:provider/callback', [C.social, 'callback']);
+    }
+    // PAT introspection (server-to-server).
+    withIntrospection(router.post('/authkit/pat/introspect', [C.patIntrospection, 'handle']));
+    // Console de conta (login de sessão do IdP + gerência de PAT).
+    router.get('/account/login', [C.accountSession, 'show']);
+    router.post('/account/login', [C.accountSession, 'login']);
+    router.post('/account/logout', [C.accountSession, 'logout']);
+    // Rotas de tokens protegidas por AccountAuthMiddleware (redireciona para /account/login se não autenticado).
+    router
+        .group(() => {
+        router.get('/account/tokens', [C.accountTokens, 'index']);
+        router.post('/account/tokens', [C.accountTokens, 'store']);
+        router.post('/account/tokens/:id/revoke', [C.accountTokens, 'destroy']);
+        // MFA / TOTP (enrollment, confirmação, disable).
+        router.get('/account/mfa', [C.accountMfa, 'index']);
+        router.post('/account/mfa/enroll', [C.accountMfa, 'enroll']);
+        router.post('/account/mfa/confirm', [C.accountMfa, 'confirm']);
+        router.post('/account/mfa/disable', [C.accountMfa, 'disable']);
+        // MFA / WebAuthn (passkeys): registro (begin/finish) + remoção.
+        router.post('/account/mfa/passkeys/options', [C.accountMfa, 'passkeyRegisterOptions']);
+        router.post('/account/mfa/passkeys/verify', [C.accountMfa, 'passkeyRegisterVerify']);
+        router.post('/account/mfa/passkeys/:id/remove', [C.accountMfa, 'passkeyRemove']);
+    })
+        .use([accountGuard]);
+    // Console admin (opt-in — B6). Protegido pelo adminGuard (sessão + role global).
+    if (opts.admin) {
+        router
+            .group(() => {
+            router.get('/admin', [C.adminDashboard, 'index']);
+            router.get('/admin/users', [C.adminUsers, 'index']);
+            router.post('/admin/users/:id/roles', [C.adminUsers, 'updateRoles']);
+            router.get('/admin/clients', [C.adminClients, 'index']);
+            router.get('/admin/audit', [C.adminAudit, 'index']);
+        })
+            .use([adminGuard]);
+    }
+}

package/build/src/host/renderers/edge_renderer.d.ts

@@ -0,0 +1,3 @@
+import type { HttpContext } from '@adonisjs/core/http';
+/** Renderer do seam para hosts Edge. As views são donas-da-lib (disco `authkit::`). */
+export declare function edgeRenderer(): (ctx: HttpContext, view: string, props: Record<string, unknown>) => Promise<any>;

package/build/src/host/renderers/edge_renderer.js

@@ -0,0 +1,29 @@
+import { DEFAULT_MESSAGES, translate } from '../i18n.js';
+/**
+ * Resolve o catálogo de mensagens ativo a partir do `authkit.server` (config
+ * resolvida com o locale do host). Defensivo: se o container/serviço não estiver
+ * disponível (ex.: teste unitário do renderer com ctx mockado), cai no default
+ * pt-BR embutido — as views continuam renderizando.
+ */
+async function resolveMessagesFromCtx(ctx) {
+    try {
+        const service = await ctx.containerResolver?.make?.('authkit.server');
+        const messages = service?.config?.messages;
+        if (messages)
+            return messages;
+    }
+    catch {
+        // sem container/serviço — usa o default
+    }
+    return { ...DEFAULT_MESSAGES };
+}
+/** Renderer do seam para hosts Edge. As views são donas-da-lib (disco `authkit::`). */
+export function edgeRenderer() {
+    return async (ctx, view, props) => {
+        const messages = await resolveMessagesFromCtx(ctx);
+        // Helper `t` exposto às views: `{{ t('login.title') }}` ou
+        // `{{ t('login.greeting', { name: account.fullName }) }}`.
+        const t = (key, params) => translate(messages, key, params);
+        return ctx.view.render(`authkit::${view}`, { ...props, t, messages });
+    };
+}

package/build/src/host/renderers/inertia_renderer.d.ts

@@ -0,0 +1,5 @@
+import type { HttpContext } from '@adonisjs/core/http';
+/** Renderer do seam para hosts Inertia/React. As páginas vivem no host em `inertia/pages/<prefix>/*`. */
+export declare function inertiaRenderer(opts: {
+    prefix: string;
+}): (ctx: HttpContext, view: string, props: Record<string, unknown>) => Promise<any>;

package/build/src/host/renderers/inertia_renderer.js

@@ -0,0 +1,26 @@
+import { DEFAULT_MESSAGES } from '../i18n.js';
+/**
+ * Resolve o catálogo de mensagens ativo a partir do `authkit.server`. Defensivo:
+ * sem container/serviço (ex.: teste unitário com ctx mockado), cai no default
+ * pt-BR embutido.
+ */
+async function resolveMessagesFromCtx(ctx) {
+    try {
+        const service = await ctx.containerResolver?.make?.('authkit.server');
+        const messages = service?.config?.messages;
+        if (messages)
+            return messages;
+    }
+    catch {
+        // sem container/serviço — usa o default
+    }
+    return { ...DEFAULT_MESSAGES };
+}
+/** Renderer do seam para hosts Inertia/React. As páginas vivem no host em `inertia/pages/<prefix>/*`. */
+export function inertiaRenderer(opts) {
+    return async (ctx, view, props) => {
+        // `messages` vai como shared prop para as páginas React traduzirem.
+        const messages = await resolveMessagesFromCtx(ctx);
+        return ctx.inertia.render(`${opts.prefix}/${view}`, { ...props, messages });
+    };
+}

package/build/src/host/validators.d.ts

@@ -0,0 +1,39 @@
+export declare const signupValidator: import("@vinejs/vine").VineValidator<import("@vinejs/vine").VineObject<{
+    email: import("@vinejs/vine").VineString;
+    fullName: import("@vinejs/vine").VineString;
+    password: import("@vinejs/vine").VineString;
+}, {
+    email: string;
+    password: string;
+    fullName: string;
+}, {
+    email: string;
+    password: string;
+    fullName: string;
+}, {
+    email: string;
+    password: string;
+    fullName: string;
+}>, Record<string, any> | undefined>;
+export declare const forgotPasswordValidator: import("@vinejs/vine").VineValidator<import("@vinejs/vine").VineObject<{
+    email: import("@vinejs/vine").VineString;
+}, {
+    email: string;
+}, {
+    email: string;
+}, {
+    email: string;
+}>, Record<string, any> | undefined>;
+export declare const resetPasswordValidator: import("@vinejs/vine").VineValidator<import("@vinejs/vine").VineObject<{
+    token: import("@vinejs/vine").VineString;
+    password: import("@vinejs/vine").VineString;
+}, {
+    password: string;
+    token: string;
+}, {
+    password: string;
+    token: string;
+}, {
+    password: string;
+    token: string;
+}>, Record<string, any> | undefined>;

package/build/src/host/validators.js

@@ -0,0 +1,13 @@
+import vine from '@vinejs/vine';
+export const signupValidator = vine.compile(vine.object({
+    email: vine.string().trim().email().normalizeEmail(),
+    fullName: vine.string().trim().minLength(2).maxLength(255),
+    password: vine.string().minLength(8).maxLength(255),
+}));
+export const forgotPasswordValidator = vine.compile(vine.object({
+    email: vine.string().trim().email().normalizeEmail(),
+}));
+export const resetPasswordValidator = vine.compile(vine.object({
+    token: vine.string().trim().minLength(1),
+    password: vine.string().minLength(8).maxLength(255),
+}));

package/build/src/keys/jwks_manager.d.ts

@@ -0,0 +1,6 @@
+export type SigningAlg = 'RS256' | 'ES256' | 'PS256' | 'EdDSA';
+export interface ManagedJwks {
+    keys: Record<string, any>[];
+}
+/** Gera um JWKS privado (1 chave) pronto para `oidc-provider`. */
+export declare function generateJwks(alg: SigningAlg): Promise<ManagedJwks>;

package/build/src/keys/jwks_manager.js

@@ -0,0 +1,11 @@
+import { generateKeyPair, exportJWK } from 'jose';
+import { randomUUID } from 'node:crypto';
+/** Gera um JWKS privado (1 chave) pronto para `oidc-provider`. */
+export async function generateJwks(alg) {
+    const { privateKey } = await generateKeyPair(alg, { extractable: true });
+    const jwk = (await exportJWK(privateKey));
+    jwk.use = 'sig';
+    jwk.alg = alg;
+    jwk.kid = randomUUID();
+    return { keys: [jwk] };
+}

package/build/src/mixins/with_audit_log.d.ts

@@ -0,0 +1,19 @@
+import { BaseModel } from '@adonisjs/lucid/orm';
+import type { NormalizeConstructor } from '@adonisjs/core/types/helpers';
+import { DateTime } from 'luxon';
+import type { AuditEventType } from '../audit/audit_sink.js';
+/** Instância composta pelo mixin {@link withAuditLog}. */
+export interface AuditLogRow {
+    type: AuditEventType;
+    accountId: string | null;
+    email: string | null;
+    clientId: string | null;
+    actorId: string | null;
+    ip: string | null;
+    metadata: Record<string, unknown> | null;
+    createdAt: DateTime;
+}
+export type AuditLogClass<Model extends NormalizeConstructor<typeof BaseModel>> = Model & {
+    new (...args: any[]): AuditLogRow;
+};
+export declare function withAuditLog(): <Model extends NormalizeConstructor<typeof BaseModel>>(superclass: Model) => AuditLogClass<Model>;

package/build/src/mixins/with_audit_log.js

@@ -0,0 +1,41 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { column } from '@adonisjs/lucid/orm';
+export function withAuditLog() {
+    return (superclass) => {
+        class AuditLogMixin extends superclass {
+        }
+        __decorate([
+            column()
+        ], AuditLogMixin.prototype, "type", void 0);
+        __decorate([
+            column()
+        ], AuditLogMixin.prototype, "accountId", void 0);
+        __decorate([
+            column()
+        ], AuditLogMixin.prototype, "email", void 0);
+        __decorate([
+            column()
+        ], AuditLogMixin.prototype, "clientId", void 0);
+        __decorate([
+            column()
+        ], AuditLogMixin.prototype, "actorId", void 0);
+        __decorate([
+            column()
+        ], AuditLogMixin.prototype, "ip", void 0);
+        __decorate([
+            column({
+                prepare: (value) => value ? JSON.stringify(value) : null,
+                consume: (value) => (value ? JSON.parse(value) : null),
+            })
+        ], AuditLogMixin.prototype, "metadata", void 0);
+        __decorate([
+            column.dateTime({ autoCreate: true })
+        ], AuditLogMixin.prototype, "createdAt", void 0);
+        return AuditLogMixin;
+    };
+}

package/build/src/mixins/with_auth_user.d.ts

@@ -0,0 +1,18 @@
+import { BaseModel } from '@adonisjs/lucid/orm';
+import type { NormalizeConstructor } from '@adonisjs/core/types/helpers';
+/**
+ * Instância composta pelo mixin {@link withAuthUser}.
+ */
+export interface AuthUserRow {
+    email: string;
+    password: string;
+    globalRoles: string[];
+    verifyPassword(plain: string): Promise<boolean>;
+}
+/**
+ * Classe resultante da composição com o mixin {@link withAuthUser}.
+ */
+export type AuthUserClass<Model extends NormalizeConstructor<typeof BaseModel>> = Model & {
+    new (...args: any[]): AuthUserRow;
+};
+export declare function withAuthUser(): <Model extends NormalizeConstructor<typeof BaseModel>>(superclass: Model) => AuthUserClass<Model>;

package/build/src/mixins/with_auth_user.js

@@ -0,0 +1,39 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { column, beforeSave } from '@adonisjs/lucid/orm';
+import { Scrypt } from '@adonisjs/core/hash/drivers/scrypt';
+const hasher = new Scrypt({});
+export function withAuthUser() {
+    return (superclass) => {
+        class AuthUserMixin extends superclass {
+            static async hashAuthUserPassword(user) {
+                if (user.$dirty.password) {
+                    user.password = await hasher.make(user.password);
+                }
+            }
+            async verifyPassword(plain) {
+                return hasher.verify(this.password, plain);
+            }
+        }
+        __decorate([
+            column()
+        ], AuthUserMixin.prototype, "email", void 0);
+        __decorate([
+            column({ serializeAs: null })
+        ], AuthUserMixin.prototype, "password", void 0);
+        __decorate([
+            column({
+                prepare: (value) => JSON.stringify(value ?? []),
+                consume: (value) => (value ? JSON.parse(value) : []),
+            })
+        ], AuthUserMixin.prototype, "globalRoles", void 0);
+        __decorate([
+            beforeSave()
+        ], AuthUserMixin, "hashAuthUserPassword", null);
+        return AuthUserMixin;
+    };
+}

package/build/src/mixins/with_credentials.d.ts

@@ -0,0 +1,20 @@
+import { BaseModel } from '@adonisjs/lucid/orm';
+import type { NormalizeConstructor } from '@adonisjs/core/types/helpers';
+import { DateTime } from 'luxon';
+/**
+ * Instância composta pelo mixin {@link withCredentials}.
+ */
+export interface CredentialsRow {
+    emailVerifiedAt: DateTime | null;
+    emailVerificationToken: string | null;
+    passwordResetToken: string | null;
+    passwordResetExpiresAt: DateTime | null;
+    readonly isEmailVerified: boolean;
+}
+/**
+ * Classe resultante da composição com o mixin {@link withCredentials}.
+ */
+export type CredentialsClass<Model extends NormalizeConstructor<typeof BaseModel>> = Model & {
+    new (...args: any[]): CredentialsRow;
+};
+export declare function withCredentials(): <Model extends NormalizeConstructor<typeof BaseModel>>(superclass: Model) => CredentialsClass<Model>;

package/build/src/mixins/with_credentials.js

@@ -0,0 +1,29 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { column } from '@adonisjs/lucid/orm';
+export function withCredentials() {
+    return (superclass) => {
+        class CredentialsMixin extends superclass {
+            get isEmailVerified() {
+                return this.emailVerifiedAt !== null;
+            }
+        }
+        __decorate([
+            column.dateTime()
+        ], CredentialsMixin.prototype, "emailVerifiedAt", void 0);
+        __decorate([
+            column({ serializeAs: null })
+        ], CredentialsMixin.prototype, "emailVerificationToken", void 0);
+        __decorate([
+            column({ serializeAs: null })
+        ], CredentialsMixin.prototype, "passwordResetToken", void 0);
+        __decorate([
+            column.dateTime({ serializeAs: null })
+        ], CredentialsMixin.prototype, "passwordResetExpiresAt", void 0);
+        return CredentialsMixin;
+    };
+}

package/build/src/mixins/with_mfa.d.ts

@@ -0,0 +1,31 @@
+import { BaseModel } from '@adonisjs/lucid/orm';
+import type { NormalizeConstructor } from '@adonisjs/core/types/helpers';
+import { DateTime } from 'luxon';
+/**
+ * Instância composta pelo mixin {@link withMfa}.
+ *
+ * NOTA DE SEGURANÇA: `totpSecret` é o segredo TOTP em claro. No MVP ele é
+ * armazenado as-is — encriptar em repouso (ex.: app-key / KMS) é um follow-up.
+ */
+export interface MfaRow {
+    /** Segredo TOTP (base32). null = sem enrollment. Pendente enquanto `mfaEnabledAt` for null. */
+    totpSecret: string | null;
+    /** Setado quando o enrollment é confirmado. null = MFA desligado. */
+    mfaEnabledAt: DateTime | null;
+    /** Hashes (sha256) dos recovery codes; consumidos single-use. */
+    recoveryCodes: string[] | null;
+    /** true quando o MFA está ativo (segredo confirmado). */
+    readonly isMfaEnabled: boolean;
+}
+/**
+ * Classe resultante da composição com o mixin {@link withMfa}.
+ */
+export type MfaClass<Model extends NormalizeConstructor<typeof BaseModel>> = Model & {
+    new (...args: any[]): MfaRow;
+};
+/**
+ * Mixin de MFA/TOTP. Adiciona as colunas `totp_secret`, `mfa_enabled_at` e
+ * `recovery_codes` ao model de credenciais. Mantido separado de
+ * {@link withCredentials} para clareza; componha ambos no model do host.
+ */
+export declare function withMfa(): <Model extends NormalizeConstructor<typeof BaseModel>>(superclass: Model) => MfaClass<Model>;

package/build/src/mixins/with_mfa.js

@@ -0,0 +1,39 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { column } from '@adonisjs/lucid/orm';
+/**
+ * Mixin de MFA/TOTP. Adiciona as colunas `totp_secret`, `mfa_enabled_at` e
+ * `recovery_codes` ao model de credenciais. Mantido separado de
+ * {@link withCredentials} para clareza; componha ambos no model do host.
+ */
+export function withMfa() {
+    return (superclass) => {
+        class MfaMixin extends superclass {
+            get isMfaEnabled() {
+                return this.mfaEnabledAt !== null;
+            }
+        }
+        __decorate([
+            column({ serializeAs: null })
+        ], MfaMixin.prototype, "totpSecret", void 0);
+        __decorate([
+            column.dateTime()
+        ], MfaMixin.prototype, "mfaEnabledAt", void 0);
+        __decorate([
+            column({
+                serializeAs: null,
+                prepare: (value) => (value ? JSON.stringify(value) : null),
+                consume: (value) => {
+                    if (value === null || value === undefined)
+                        return null;
+                    return Array.isArray(value) ? value : JSON.parse(value);
+                },
+            })
+        ], MfaMixin.prototype, "recoveryCodes", void 0);
+        return MfaMixin;
+    };
+}

package/build/src/mixins/with_personal_access_token.d.ts

@@ -0,0 +1,19 @@
+import { BaseModel } from '@adonisjs/lucid/orm';
+import type { NormalizeConstructor } from '@adonisjs/core/types/helpers';
+import { DateTime } from 'luxon';
+/** Instância composta pelo mixin {@link withPersonalAccessToken}. */
+export interface PersonalAccessTokenRow {
+    userId: string;
+    name: string;
+    tokenHash: string;
+    scopes: string[];
+    audience: string | null;
+    expiresAt: DateTime | null;
+    lastUsedAt: DateTime | null;
+    createdAt: DateTime;
+    updatedAt: DateTime;
+}
+export type PersonalAccessTokenClass<Model extends NormalizeConstructor<typeof BaseModel>> = Model & {
+    new (...args: any[]): PersonalAccessTokenRow;
+};
+export declare function withPersonalAccessToken(): <Model extends NormalizeConstructor<typeof BaseModel>>(superclass: Model) => PersonalAccessTokenClass<Model>;

package/build/src/mixins/with_personal_access_token.js

@@ -0,0 +1,44 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { column } from '@adonisjs/lucid/orm';
+export function withPersonalAccessToken() {
+    return (superclass) => {
+        class PatMixin extends superclass {
+        }
+        __decorate([
+            column()
+        ], PatMixin.prototype, "userId", void 0);
+        __decorate([
+            column()
+        ], PatMixin.prototype, "name", void 0);
+        __decorate([
+            column({ serializeAs: null })
+        ], PatMixin.prototype, "tokenHash", void 0);
+        __decorate([
+            column({
+                prepare: (value) => (value ? JSON.stringify(value) : null),
+                consume: (value) => (value ? JSON.parse(value) : []),
+            })
+        ], PatMixin.prototype, "scopes", void 0);
+        __decorate([
+            column()
+        ], PatMixin.prototype, "audience", void 0);
+        __decorate([
+            column.dateTime()
+        ], PatMixin.prototype, "expiresAt", void 0);
+        __decorate([
+            column.dateTime()
+        ], PatMixin.prototype, "lastUsedAt", void 0);
+        __decorate([
+            column.dateTime({ autoCreate: true })
+        ], PatMixin.prototype, "createdAt", void 0);
+        __decorate([
+            column.dateTime({ autoCreate: true, autoUpdate: true })
+        ], PatMixin.prototype, "updatedAt", void 0);
+        return PatMixin;
+    };
+}

package/build/src/mixins/with_provider_identity.d.ts

@@ -0,0 +1,20 @@
+import { BaseModel } from '@adonisjs/lucid/orm';
+import type { NormalizeConstructor } from '@adonisjs/core/types/helpers';
+import { DateTime } from 'luxon';
+/**
+ * Instância composta pelo mixin {@link withProviderIdentity}. Liga uma conta
+ * (`accountId`) a uma identidade externa `(provider, providerUserId)` — ex.:
+ * Google, GitHub. Uma conta pode ter várias identidades (account linking).
+ */
+export interface ProviderIdentityRow {
+    provider: string;
+    providerUserId: string;
+    accountId: string;
+    email: string | null;
+    createdAt: DateTime;
+    updatedAt: DateTime;
+}
+export type ProviderIdentityClass<Model extends NormalizeConstructor<typeof BaseModel>> = Model & {
+    new (...args: any[]): ProviderIdentityRow;
+};
+export declare function withProviderIdentity(): <Model extends NormalizeConstructor<typeof BaseModel>>(superclass: Model) => ProviderIdentityClass<Model>;

package/build/src/mixins/with_provider_identity.js

@@ -0,0 +1,32 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { column } from '@adonisjs/lucid/orm';
+export function withProviderIdentity() {
+    return (superclass) => {
+        class ProviderIdentityMixin extends superclass {
+        }
+        __decorate([
+            column()
+        ], ProviderIdentityMixin.prototype, "provider", void 0);
+        __decorate([
+            column()
+        ], ProviderIdentityMixin.prototype, "providerUserId", void 0);
+        __decorate([
+            column()
+        ], ProviderIdentityMixin.prototype, "accountId", void 0);
+        __decorate([
+            column()
+        ], ProviderIdentityMixin.prototype, "email", void 0);
+        __decorate([
+            column.dateTime({ autoCreate: true })
+        ], ProviderIdentityMixin.prototype, "createdAt", void 0);
+        __decorate([
+            column.dateTime({ autoCreate: true, autoUpdate: true })
+        ], ProviderIdentityMixin.prototype, "updatedAt", void 0);
+        return ProviderIdentityMixin;
+    };
+}