npm - @dudousxd/adonis-authkit-server - Versions diffs - 0.1.0 - Mend

@dudousxd/adonis-authkit-server 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (174) hide show

package/LICENSE +21 -0
package/README.md +137 -0
package/build/assets/grafana/authkit-dashboard.json +118 -0
package/build/commands/commands.json +30 -0
package/build/commands/configure.d.ts +2 -0
package/build/commands/configure.js +42 -0
package/build/commands/eject.d.ts +11 -0
package/build/commands/eject.js +96 -0
package/build/commands/main.d.ts +12 -0
package/build/commands/main.js +38 -0
package/build/commands/ui_preset.d.ts +4 -0
package/build/commands/ui_preset.js +32 -0
package/build/database/migrations/make_authkit_oidc_table.d.ts +6 -0
package/build/database/migrations/make_authkit_oidc_table.js +19 -0
package/build/host/views/account/login.edge +29 -0
package/build/host/views/account/mfa.edge +151 -0
package/build/host/views/account/tokens.edge +70 -0
package/build/host/views/admin/audit.edge +72 -0
package/build/host/views/admin/clients.edge +51 -0
package/build/host/views/admin/dashboard.edge +58 -0
package/build/host/views/admin/users.edge +76 -0
package/build/host/views/consent.edge +19 -0
package/build/host/views/forgot.edge +30 -0
package/build/host/views/login.edge +91 -0
package/build/host/views/mfa-challenge.edge +88 -0
package/build/host/views/reset.edge +29 -0
package/build/host/views/signup.edge +44 -0
package/build/host/views/verify-email.edge +16 -0
package/build/index.d.ts +42 -0
package/build/index.js +28 -0
package/build/providers/authkit_server_provider.d.ts +19 -0
package/build/providers/authkit_server_provider.js +81 -0
package/build/src/accounts/account_store.d.ts +136 -0
package/build/src/accounts/account_store.js +1 -0
package/build/src/accounts/lucid_account_store.d.ts +75 -0
package/build/src/accounts/lucid_account_store.js +396 -0
package/build/src/adapters/adapter_contract.d.ts +18 -0
package/build/src/adapters/adapter_contract.js +1 -0
package/build/src/adapters/database_adapter.d.ts +15 -0
package/build/src/adapters/database_adapter.js +63 -0
package/build/src/adapters/factory.d.ts +30 -0
package/build/src/adapters/factory.js +43 -0
package/build/src/adapters/redis_adapter.d.ts +16 -0
package/build/src/adapters/redis_adapter.js +95 -0
package/build/src/audit/audit_sink.d.ts +54 -0
package/build/src/audit/audit_sink.js +1 -0
package/build/src/audit/lucid_audit_sink.d.ts +10 -0
package/build/src/audit/lucid_audit_sink.js +60 -0
package/build/src/controllers/oidc_callback_controller.d.ts +22 -0
package/build/src/controllers/oidc_callback_controller.js +33 -0
package/build/src/define_config.d.ts +261 -0
package/build/src/define_config.js +115 -0
package/build/src/host/account_lockout.d.ts +86 -0
package/build/src/host/account_lockout.js +185 -0
package/build/src/host/augmentations.d.ts +1 -0
package/build/src/host/augmentations.js +1 -0
package/build/src/host/branding.d.ts +17 -0
package/build/src/host/branding.js +8 -0
package/build/src/host/controllers/account_mfa_controller.d.ts +30 -0
package/build/src/host/controllers/account_mfa_controller.js +157 -0
package/build/src/host/controllers/account_session_controller.d.ts +7 -0
package/build/src/host/controllers/account_session_controller.js +50 -0
package/build/src/host/controllers/account_tokens_controller.d.ts +7 -0
package/build/src/host/controllers/account_tokens_controller.js +55 -0
package/build/src/host/controllers/admin/admin_audit_controller.d.ts +10 -0
package/build/src/host/controllers/admin/admin_audit_controller.js +56 -0
package/build/src/host/controllers/admin/admin_clients_controller.d.ts +10 -0
package/build/src/host/controllers/admin/admin_clients_controller.js +24 -0
package/build/src/host/controllers/admin/admin_dashboard_controller.d.ts +10 -0
package/build/src/host/controllers/admin/admin_dashboard_controller.js +27 -0
package/build/src/host/controllers/admin/admin_users_controller.d.ts +11 -0
package/build/src/host/controllers/admin/admin_users_controller.js +53 -0
package/build/src/host/controllers/interaction_controller.d.ts +44 -0
package/build/src/host/controllers/interaction_controller.js +304 -0
package/build/src/host/controllers/pat_introspection_controller.d.ts +22 -0
package/build/src/host/controllers/pat_introspection_controller.js +46 -0
package/build/src/host/controllers/registration_controller.d.ts +18 -0
package/build/src/host/controllers/registration_controller.js +169 -0
package/build/src/host/controllers/social_controller.d.ts +8 -0
package/build/src/host/controllers/social_controller.js +82 -0
package/build/src/host/default_mailer.d.ts +39 -0
package/build/src/host/default_mailer.js +141 -0
package/build/src/host/email_templates.d.ts +35 -0
package/build/src/host/email_templates.js +66 -0
package/build/src/host/i18n.d.ts +178 -0
package/build/src/host/i18n.js +208 -0
package/build/src/host/middleware/account_auth.d.ts +7 -0
package/build/src/host/middleware/account_auth.js +11 -0
package/build/src/host/rate_limit.d.ts +32 -0
package/build/src/host/rate_limit.js +87 -0
package/build/src/host/register_auth_host.d.ts +41 -0
package/build/src/host/register_auth_host.js +133 -0
package/build/src/host/renderers/edge_renderer.d.ts +3 -0
package/build/src/host/renderers/edge_renderer.js +29 -0
package/build/src/host/renderers/inertia_renderer.d.ts +5 -0
package/build/src/host/renderers/inertia_renderer.js +26 -0
package/build/src/host/validators.d.ts +39 -0
package/build/src/host/validators.js +13 -0
package/build/src/keys/jwks_manager.d.ts +6 -0
package/build/src/keys/jwks_manager.js +11 -0
package/build/src/mixins/with_audit_log.d.ts +19 -0
package/build/src/mixins/with_audit_log.js +41 -0
package/build/src/mixins/with_auth_user.d.ts +18 -0
package/build/src/mixins/with_auth_user.js +39 -0
package/build/src/mixins/with_credentials.d.ts +20 -0
package/build/src/mixins/with_credentials.js +29 -0
package/build/src/mixins/with_mfa.d.ts +31 -0
package/build/src/mixins/with_mfa.js +39 -0
package/build/src/mixins/with_personal_access_token.d.ts +19 -0
package/build/src/mixins/with_personal_access_token.js +44 -0
package/build/src/mixins/with_provider_identity.d.ts +20 -0
package/build/src/mixins/with_provider_identity.js +32 -0
package/build/src/mixins/with_webauthn_credential.d.ts +37 -0
package/build/src/mixins/with_webauthn_credential.js +49 -0
package/build/src/observability/metrics_controller.d.ts +5 -0
package/build/src/observability/metrics_controller.js +24 -0
package/build/src/observability/metrics_service.d.ts +2 -0
package/build/src/observability/metrics_service.js +7 -0
package/build/src/observability/otel_recorder.d.ts +10 -0
package/build/src/observability/otel_recorder.js +59 -0
package/build/src/observability/wire_provider_events.d.ts +12 -0
package/build/src/observability/wire_provider_events.js +19 -0
package/build/src/pat/lucid_pat_store.d.ts +6 -0
package/build/src/pat/lucid_pat_store.js +62 -0
package/build/src/pat/pat_store.d.ts +31 -0
package/build/src/pat/pat_store.js +1 -0
package/build/src/pat/pat_tokens.d.ts +4 -0
package/build/src/pat/pat_tokens.js +9 -0
package/build/src/provider/build_provider.d.ts +8 -0
package/build/src/provider/build_provider.js +101 -0
package/build/src/provider/interaction_actions.d.ts +21 -0
package/build/src/provider/interaction_actions.js +32 -0
package/build/src/provider/oidc_service.d.ts +17 -0
package/build/src/provider/oidc_service.js +84 -0
package/build/src/provider/token_exchange.d.ts +15 -0
package/build/src/provider/token_exchange.js +72 -0
package/build/src/register_routes.d.ts +16 -0
package/build/src/register_routes.js +21 -0
package/build/stubs/config/authkit.stub +29 -0
package/build/stubs/main.d.ts +1 -0
package/build/stubs/main.js +2 -0
package/build/stubs/models/auth_user.stub +13 -0
package/build/stubs/ui/edge/views/consent.edge +13 -0
package/build/stubs/ui/edge/views/login.edge +19 -0
package/build/stubs/ui/react/components/auth_shell.tsx +67 -0
package/build/stubs/ui/react/pages/account/login.tsx +56 -0
package/build/stubs/ui/react/pages/account/mfa.tsx +132 -0
package/build/stubs/ui/react/pages/account/tokens.tsx +88 -0
package/build/stubs/ui/react/pages/consent.tsx +39 -0
package/build/stubs/ui/react/pages/forgot.tsx +44 -0
package/build/stubs/ui/react/pages/login.tsx +171 -0
package/build/stubs/ui/react/pages/mfa-challenge.tsx +72 -0
package/build/stubs/ui/react/pages/reset.tsx +58 -0
package/build/stubs/ui/react/pages/signup.tsx +78 -0
package/build/stubs/ui/react/pages/verify-email.tsx +24 -0
package/build/types.d.ts +7 -0
package/build/types.js +1 -0
package/package.json +108 -0
package/stubs/config/authkit.stub +29 -0
package/stubs/main.ts +2 -0
package/stubs/models/auth_user.stub +13 -0
package/stubs/ui/edge/views/consent.edge +13 -0
package/stubs/ui/edge/views/login.edge +19 -0
package/stubs/ui/react/components/auth_shell.tsx +67 -0
package/stubs/ui/react/pages/account/login.tsx +56 -0
package/stubs/ui/react/pages/account/mfa.tsx +132 -0
package/stubs/ui/react/pages/account/tokens.tsx +88 -0
package/stubs/ui/react/pages/consent.tsx +39 -0
package/stubs/ui/react/pages/forgot.tsx +44 -0
package/stubs/ui/react/pages/login.tsx +171 -0
package/stubs/ui/react/pages/mfa-challenge.tsx +72 -0
package/stubs/ui/react/pages/reset.tsx +58 -0
package/stubs/ui/react/pages/signup.tsx +78 -0
package/stubs/ui/react/pages/verify-email.tsx +24 -0

package/build/host/views/mfa-challenge.edge ADDED Viewed

@@ -0,0 +1,88 @@
+<!doctype html>
+<html lang="pt-br"><head><meta charset="utf-8"><title>{{ t('mfa_challenge.page_title') }} — {{ brand && brand.appName ? brand.appName : t('common.app_fallback') }}</title>
+<script src="https://cdn.tailwindcss.com"></script></head>
+<body class="min-h-screen flex items-center justify-center bg-gray-50">
+  <div class="w-full max-w-sm bg-white p-8 rounded-2xl shadow-xl ring-1 ring-black/5">
+    <form method="POST" action="/auth/interaction/{{ uid }}/mfa">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+      <h1 class="text-xl font-semibold text-gray-900">{{ t('mfa_challenge.title') }}</h1>
+      <p class="mt-1 text-sm text-gray-500">
+        {{ t('mfa_challenge.intro') }}
+      </p>
+      @if(error)
+        <p class="mt-4 text-sm text-red-600">{{ error }}</p>
+      @end
+      <div class="mt-6">
+        <label for="code" class="mb-1 block text-sm font-medium text-gray-700">{{ t('mfa_challenge.code_label') }}</label>
+        <input id="code" name="code" inputmode="numeric" autocomplete="one-time-code"
+          pattern="[0-9]*" maxlength="6" autofocus
+          class="w-full rounded-lg border border-gray-300 px-3 py-2 text-center text-lg tracking-[0.4em] outline-none transition focus:border-gray-900 focus:ring-2 focus:ring-gray-900" />
+      </div>
+      <button type="submit"
+        class="mt-6 w-full rounded-lg bg-gray-900 py-2.5 text-sm font-semibold text-white transition hover:opacity-90">
+        {{ t('mfa_challenge.submit') }}
+      </button>
+    </form>
+    @if(passkeyAvailable)
+      {{-- Passkey como alternativa ao código TOTP. O form é submetido por página
+           inteira (não fetch) para que o 303 de volta ao client navegue o browser. --}}
+      <form id="passkey-form" method="POST" action="/auth/interaction/{{ uid }}/passkey/verify" class="mt-4">
+        <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+        <input type="hidden" name="response" id="passkey-response">
+      </form>
+      <button type="button" id="passkey-button"
+        class="mt-4 w-full rounded-lg border border-gray-300 py-2.5 text-sm font-semibold text-gray-700 transition hover:bg-gray-50">
+        {{ t('mfa_challenge.passkey_button') }}
+      </button>
+      <p id="passkey-error" class="mt-3 hidden text-sm text-red-600">{{ t('mfa_challenge.passkey_error') }}</p>
+    @end
+    <details class="mt-6 text-sm text-gray-600">
+      <summary class="cursor-pointer hover:underline">{{ t('mfa_challenge.recovery_summary') }}</summary>
+      <form method="POST" action="/auth/interaction/{{ uid }}/mfa" class="mt-3">
+        <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+        <input name="recoveryCode" placeholder="xxxxx-xxxxx"
+          class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
+        <button type="submit"
+          class="mt-3 w-full rounded-lg border border-gray-300 py-2.5 text-sm font-semibold text-gray-700 transition hover:bg-gray-50">
+          {{ t('mfa_challenge.recovery_submit') }}
+        </button>
+      </form>
+    </details>
+  </div>
+  @if(passkeyAvailable)
+    <script type="module">
+      import { startAuthentication } from 'https://cdn.jsdelivr.net/npm/@simplewebauthn/browser@13/dist/bundle/index.js'
+      const btn = document.getElementById('passkey-button')
+      const errEl = document.getElementById('passkey-error')
+      const csrf = document.querySelector('#passkey-form input[name="_csrf"]').value
+      btn?.addEventListener('click', async () => {
+        errEl.classList.add('hidden')
+        btn.disabled = true
+        try {
+          // 1) Busca as opções de autenticação (challenge guardado na sessão server-side).
+          const res = await fetch('/auth/interaction/{{ uid }}/passkey/options', {
+            method: 'POST',
+            headers: { 'content-type': 'application/json', 'x-csrf-token': csrf },
+            body: JSON.stringify({}),
+          })
+          if (!res.ok) throw new Error('options')
+          const optionsJSON = await res.json()
+          // 2) Cerimônia no authenticator.
+          const assertion = await startAuthentication({ optionsJSON })
+          // 3) Submete a assertion como POST de página inteira (segue o 303).
+          document.getElementById('passkey-response').value = JSON.stringify(assertion)
+          document.getElementById('passkey-form').submit()
+        } catch (e) {
+          errEl.classList.remove('hidden')
+          btn.disabled = false
+        }
+      })
+    </script>
+  @end
+</body></html>

package/build/host/views/reset.edge ADDED Viewed

@@ -0,0 +1,29 @@
+<!doctype html>
+<html lang="pt-br"><head><meta charset="utf-8"><title>{{ t('reset.page_title') }}</title>
+<script src="https://cdn.tailwindcss.com"></script></head>
+<body class="min-h-screen flex items-center justify-center bg-gray-50">
+  <div class="w-full max-w-sm bg-white p-8 rounded-2xl shadow-xl ring-1 ring-black/5">
+    @if(done)
+      <h1 class="text-xl font-semibold text-gray-900">{{ t('reset.done_title') }}</h1>
+      <p class="mt-2 text-sm text-gray-600">{{ t('reset.done_body') }}</p>
+    @else
+      <form method="POST" action="/auth/reset-password">
+        <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+        <input type="hidden" name="token" value="{{ token }}">
+        <h1 class="text-xl font-semibold text-gray-900">{{ t('reset.title') }}</h1>
+        <p class="mt-1 text-sm text-gray-500">{{ t('reset.intro') }}</p>
+        <div class="mt-6">
+          <label for="password" class="mb-1 block text-sm font-medium text-gray-700">{{ t('reset.password_label') }}</label>
+          <input id="password" name="password" type="password" required minlength="8"
+            class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none transition focus:border-gray-900 focus:ring-2 focus:ring-gray-900" />
+        </div>
+        <button type="submit"
+          class="mt-6 w-full rounded-lg bg-gray-900 py-2.5 text-sm font-semibold text-white transition hover:opacity-90">
+          {{ t('reset.submit') }}
+        </button>
+      </form>
+    @end
+  </div>
+</body></html>

package/build/host/views/signup.edge ADDED Viewed

@@ -0,0 +1,44 @@
+<!doctype html>
+<html lang="pt-br"><head><meta charset="utf-8"><title>{{ t('signup.page_title') }} — {{ brand && brand.appName ? brand.appName : t('common.app_fallback') }}</title>
+<script src="https://cdn.tailwindcss.com"></script></head>
+<body class="min-h-screen flex items-center justify-center bg-gray-50">
+  <div class="w-full max-w-sm bg-white p-8 rounded-2xl shadow-xl ring-1 ring-black/5">
+    <form method="POST" action="/auth/interaction/{{ uid }}/signup">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+      <h1 class="text-xl font-semibold text-gray-900">{{ t('signup.title') }}</h1>
+      <p class="mt-1 text-sm text-gray-500">{{ t('signup.intro') }}</p>
+      @if(error)
+        <p class="mt-4 text-sm text-red-600">{{ error }}</p>
+      @end
+      <div class="mt-6">
+        <label for="fullName" class="mb-1 block text-sm font-medium text-gray-700">{{ t('signup.name_label') }}</label>
+        <input id="fullName" name="fullName" type="text" required
+          class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none transition focus:border-gray-900 focus:ring-2 focus:ring-gray-900" />
+      </div>
+      <div class="mt-4">
+        <label for="email" class="mb-1 block text-sm font-medium text-gray-700">{{ t('signup.email_label') }}</label>
+        <input id="email" name="email" type="email" required
+          class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none transition focus:border-gray-900 focus:ring-2 focus:ring-gray-900" />
+      </div>
+      <div class="mt-4">
+        <label for="password" class="mb-1 block text-sm font-medium text-gray-700">{{ t('signup.password_label') }}</label>
+        <input id="password" name="password" type="password" required minlength="8"
+          class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none transition focus:border-gray-900 focus:ring-2 focus:ring-gray-900" />
+      </div>
+      <button type="submit"
+        class="mt-6 w-full rounded-lg bg-gray-900 py-2.5 text-sm font-semibold text-white transition hover:opacity-90">
+        {{ t('signup.submit') }}
+      </button>
+      <a href="/auth/interaction/{{ uid }}"
+        class="mt-4 block text-center text-sm text-gray-600 hover:underline">
+        {{ t('signup.have_account') }}
+      </a>
+    </form>
+  </div>
+</body></html>

package/build/host/views/verify-email.edge ADDED Viewed

@@ -0,0 +1,16 @@
+<!doctype html>
+<html lang="pt-br"><head><meta charset="utf-8"><title>{{ t('verify_email.page_title') }}</title>
+<script src="https://cdn.tailwindcss.com"></script></head>
+<body class="min-h-screen flex items-center justify-center bg-gray-50">
+  <div class="w-full max-w-sm bg-white p-8 rounded-2xl shadow-xl ring-1 ring-black/5">
+    @if(verified)
+      <h1 class="text-xl font-semibold text-gray-900">{{ t('verify_email.verified_title') }}</h1>
+      <p class="mt-2 text-sm text-gray-600">{{ t('verify_email.verified_body') }}</p>
+    @else
+      <h1 class="text-xl font-semibold text-gray-900">{{ t('verify_email.invalid_title') }}</h1>
+      <p class="mt-2 text-sm text-gray-600">
+        {{ t('verify_email.invalid_body') }}
+      </p>
+    @end
+  </div>
+</body></html>

package/build/index.d.ts ADDED Viewed

@@ -0,0 +1,42 @@
+export { defineConfig, adapters, toSeconds } from './src/define_config.js';
+export { generatePatToken, hashPatToken } from './src/pat/pat_tokens.js';
+export { withAuthUser } from './src/mixins/with_auth_user.js';
+export { withCredentials } from './src/mixins/with_credentials.js';
+export { withMfa } from './src/mixins/with_mfa.js';
+export { OidcService } from './src/provider/oidc_service.js';
+export { registerOidcRoutes } from './src/register_routes.js';
+export type { AuthServerConfigInput, ResolvedServerConfig, DynamicRegistrationConfigInput, ResolvedDynamicRegistrationConfig, AdminConfigInput, ResolvedAdminConfig, } from './src/define_config.js';
+export { resolveAdmin, resolveWebauthn } from './src/define_config.js';
+export type { WebauthnConfigInput, ResolvedWebauthnConfig } from './src/define_config.js';
+export { lucidAccountStore } from './src/accounts/lucid_account_store.js';
+export type { LucidAccountStoreOptions, AccountSecretEncrypter, } from './src/accounts/lucid_account_store.js';
+export type { AccountStore, AuthAccount, CreateAccountInput, LinkProviderIdentityInput, ListAccountsParams, Paginated, PasskeySummary, } from './src/accounts/account_store.js';
+export { withProviderIdentity } from './src/mixins/with_provider_identity.js';
+export type { ProviderIdentityRow, ProviderIdentityClass, } from './src/mixins/with_provider_identity.js';
+export { withWebauthnCredential } from './src/mixins/with_webauthn_credential.js';
+export type { WebauthnCredentialRow, WebauthnCredentialClass, } from './src/mixins/with_webauthn_credential.js';
+export { lucidPatStore } from './src/pat/lucid_pat_store.js';
+export type { PatStore, PatRecord, IssuePatInput } from './src/pat/pat_store.js';
+export { withPersonalAccessToken } from './src/mixins/with_personal_access_token.js';
+export { lucidAuditSink } from './src/audit/lucid_audit_sink.js';
+export type { AuditSink, AuditEvent, AuditEventType, StoredAuditEvent, ListAuditParams, AuditPage, } from './src/audit/audit_sink.js';
+export { withAuditLog } from './src/mixins/with_audit_log.js';
+export { inertiaRenderer } from './src/host/renderers/inertia_renderer.js';
+export { edgeRenderer } from './src/host/renderers/edge_renderer.js';
+export { brandFor, isFirstParty } from './src/host/branding.js';
+export type { BrandingConfig, ClientBrand } from './src/host/branding.js';
+export { resolveMessages, translate, DEFAULT_MESSAGES, DEFAULT_LOCALE } from './src/host/i18n.js';
+export type { I18nConfig, AuthMessages } from './src/host/i18n.js';
+export type { AuthHostRenderer, AuthSocialConfig } from './src/define_config.js';
+export { registerAuthHost } from './src/host/register_auth_host.js';
+export type { AuthHostOptions } from './src/host/register_auth_host.js';
+export { resolveRateLimit } from './src/define_config.js';
+export type { RateLimitConfigInput, RateLimitBucket, ResolvedRateLimitConfig, } from './src/define_config.js';
+export { createAuthThrottles } from './src/host/rate_limit.js';
+export type { AuthThrottles, ThrottleMiddleware } from './src/host/rate_limit.js';
+/**
+ * Configure hook + stubsRoot resolvidos pelo `node ace configure @dudousxd/adonis-authkit-server`.
+ * O comando do AdonisJS importa o entrypoint principal e procura por estes exports.
+ */
+export { configure } from './commands/configure.js';
+export { stubsRoot } from './stubs/main.js';

package/build/index.js ADDED Viewed

@@ -0,0 +1,28 @@
+export { defineConfig, adapters, toSeconds } from './src/define_config.js';
+export { generatePatToken, hashPatToken } from './src/pat/pat_tokens.js';
+export { withAuthUser } from './src/mixins/with_auth_user.js';
+export { withCredentials } from './src/mixins/with_credentials.js';
+export { withMfa } from './src/mixins/with_mfa.js';
+export { OidcService } from './src/provider/oidc_service.js';
+export { registerOidcRoutes } from './src/register_routes.js';
+export { resolveAdmin, resolveWebauthn } from './src/define_config.js';
+export { lucidAccountStore } from './src/accounts/lucid_account_store.js';
+export { withProviderIdentity } from './src/mixins/with_provider_identity.js';
+export { withWebauthnCredential } from './src/mixins/with_webauthn_credential.js';
+export { lucidPatStore } from './src/pat/lucid_pat_store.js';
+export { withPersonalAccessToken } from './src/mixins/with_personal_access_token.js';
+export { lucidAuditSink } from './src/audit/lucid_audit_sink.js';
+export { withAuditLog } from './src/mixins/with_audit_log.js';
+export { inertiaRenderer } from './src/host/renderers/inertia_renderer.js';
+export { edgeRenderer } from './src/host/renderers/edge_renderer.js';
+export { brandFor, isFirstParty } from './src/host/branding.js';
+export { resolveMessages, translate, DEFAULT_MESSAGES, DEFAULT_LOCALE } from './src/host/i18n.js';
+export { registerAuthHost } from './src/host/register_auth_host.js';
+export { resolveRateLimit } from './src/define_config.js';
+export { createAuthThrottles } from './src/host/rate_limit.js';
+/**
+ * Configure hook + stubsRoot resolvidos pelo `node ace configure @dudousxd/adonis-authkit-server`.
+ * O comando do AdonisJS importa o entrypoint principal e procura por estes exports.
+ */
+export { configure } from './commands/configure.js';
+export { stubsRoot } from './stubs/main.js';

package/build/providers/authkit_server_provider.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import type { ApplicationService } from '@adonisjs/core/types';
+import type { MetricsRecorder } from '@dudousxd/adonis-authkit-core';
+import { OidcService } from '../src/provider/oidc_service.js';
+import type { AccountStore } from '../src/accounts/account_store.js';
+import type { PatStore } from '../src/pat/pat_store.js';
+declare module '@adonisjs/core/types' {
+    interface ContainerBindings {
+        'authkit.server': OidcService;
+        'authkit.metrics': MetricsRecorder;
+        'authkit.accountStore': AccountStore;
+        'authkit.patStore': PatStore;
+    }
+}
+export default class AuthkitServerProvider {
+    protected app: ApplicationService;
+    constructor(app: ApplicationService);
+    boot(): Promise<void>;
+    register(): void;
+}

package/build/providers/authkit_server_provider.js ADDED Viewed

@@ -0,0 +1,81 @@
+import { existsSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { configProvider } from '@adonisjs/core';
+import { RuntimeException } from '@adonisjs/core/exceptions';
+import { OidcService } from '../src/provider/oidc_service.js';
+export default class AuthkitServerProvider {
+    app;
+    constructor(app) {
+        this.app = app;
+    }
+    async boot() {
+        // Registra o disco "authkit" no edge.js para que os templates sejam referenciados
+        // como `authkit::login`, `authkit::account/tokens`, etc.
+        // Resolve o diretório das views tanto em produção (provider compilado em
+        // `build/providers/`, views copiadas para `build/host/views`) quanto em dev
+        // (rodando de `providers/` via ts-exec; views em `build/host/views` após build
+        // ou em `src/host/views` sem build).
+        const candidates = [
+            new URL('../host/views', import.meta.url), // prod: build/providers → build/host/views
+            new URL('../build/host/views', import.meta.url), // dev: providers → build/host/views
+            new URL('../src/host/views', import.meta.url), // dev sem build: providers → src/host/views
+        ];
+        const viewsUrl = candidates.find((u) => existsSync(fileURLToPath(u)));
+        if (!viewsUrl)
+            return; // nenhum dir de views resolvível
+        try {
+            const edge = await import('edge.js');
+            const edgeInstance = edge.default ?? edge;
+            edgeInstance.mount('authkit', viewsUrl);
+        }
+        catch {
+            // edge.js ausente (host headless/Inertia-only que não usa edgeRenderer) — ignora.
+        }
+    }
+    register() {
+        this.app.container.singleton('authkit.server', async () => {
+            const configProviderValue = this.app.config.get('authkit');
+            const config = (await configProvider.resolve(this.app, configProviderValue));
+            if (!config) {
+                throw new RuntimeException('Config inválido em "config/authkit.ts". Use o método defineConfig de @dudousxd/adonis-authkit-server.');
+            }
+            // `app.appKey` pode ser uma string crua ou um `Secret` do AdonisJS (config/app.ts
+            // expõe `export const appKey = new Secret(env.get('APP_KEY'))`). O oidc-provider
+            // assina cookies via keygrip e exige uma string — então liberamos o Secret aqui.
+            // Sem isso, a chave chegaria como objeto/undefined e o fluxo de authorize quebraria
+            // (keygrip: "key argument must be of type string ...").
+            const rawAppKey = this.app.config.get('app.appKey');
+            const appKey = rawAppKey && typeof rawAppKey.release === 'function'
+                ? rawAppKey.release()
+                : rawAppKey;
+            if (!appKey || typeof appKey !== 'string') {
+                throw new RuntimeException('APP_KEY ausente: defina `export const appKey = new Secret(env.get(\'APP_KEY\'))` em config/app.ts. ' +
+                    'O @dudousxd/adonis-authkit-server precisa dele para assinar os cookies do oidc-provider.');
+            }
+            const metrics = await this.app.container.make('authkit.metrics');
+            return new OidcService(config, appKey, metrics);
+        });
+        this.app.container.singleton('authkit.metrics', async () => {
+            const value = this.app.config.get('authkit');
+            const config = (await configProvider.resolve(this.app, value));
+            const { createMetricsRecorder } = await import('../src/observability/metrics_service.js');
+            return createMetricsRecorder(config?.observability ?? {}, 'authkit-server');
+        });
+        this.app.container.singleton('authkit.accountStore', async () => {
+            const value = this.app.config.get('authkit');
+            const config = (await configProvider.resolve(this.app, value));
+            if (!config?.accountStore) {
+                throw new RuntimeException('accountStore não configurado em "config/authkit.ts". Use defineConfig de @dudousxd/adonis-authkit-server.');
+            }
+            return config.accountStore;
+        });
+        this.app.container.singleton('authkit.patStore', async () => {
+            const value = this.app.config.get('authkit');
+            const config = (await configProvider.resolve(this.app, value));
+            if (!config?.patStore) {
+                throw new RuntimeException('patStore não configurado em "config/authkit.ts" — necessário para fluxos de PAT.');
+            }
+            return config.patStore;
+        });
+    }
+}

package/build/src/accounts/account_store.d.ts ADDED Viewed

@@ -0,0 +1,136 @@
+/** DTO público da conta — o que o provider e os controllers enxergam. Nunca um model Lucid. */
+export interface AuthAccount {
+    id: string;
+    email: string;
+    globalRoles?: string[];
+    name?: string;
+    avatarUrl?: string;
+}
+export interface CreateAccountInput {
+    email: string;
+    password: string;
+    fullName?: string | null;
+    globalRoles?: string[];
+    /** social/Google entra como true (provider já verificou o email). Default: false. */
+    emailVerified?: boolean;
+}
+/** Dados para ligar uma identidade de provider a uma conta. */
+export interface LinkProviderIdentityInput {
+    accountId: string;
+    provider: string;
+    providerUserId: string;
+    email?: string;
+}
+/** Parâmetros de listagem paginada de contas (console admin). */
+export interface ListAccountsParams {
+    /** Filtro por e-mail (substring, case-insensitive). */
+    search?: string;
+    /** Página (1-based). Default: 1. */
+    page?: number;
+    /** Itens por página. Default: 20. */
+    limit?: number;
+}
+/** Página de resultados + total absoluto (para paginação na UI). */
+export interface Paginated<T> {
+    data: T[];
+    total: number;
+}
+/**
+ * Resumo de uma passkey (credencial WebAuthn) para exibição na UI de gerência.
+ * Nunca expõe a chave pública nem o counter.
+ */
+export interface PasskeySummary {
+    /** Credential id (base64url). */
+    id: string;
+    /** Rótulo legível opcional (ex.: nome do dispositivo). */
+    label?: string;
+    /** ISO timestamp de criação. */
+    createdAt: string;
+}
+export interface AccountStore {
+    findById(id: string): Promise<AuthAccount | null>;
+    verifyCredentials(email: string, password: string): Promise<AuthAccount | null>;
+    findByEmail(email: string): Promise<AuthAccount | null>;
+    create(input: CreateAccountInput): Promise<AuthAccount>;
+    /** Acha a conta ligada a uma identidade de provider; null se desconhecida. */
+    findByProviderIdentity(provider: string, providerUserId: string): Promise<AuthAccount | null>;
+    /** Liga (upsert idempotente na chave única) uma identidade de provider a uma conta. */
+    linkProviderIdentity(data: LinkProviderIdentityInput): Promise<void>;
+    issuePasswordResetToken(email: string): Promise<{
+        token: string;
+        account: AuthAccount;
+    } | null>;
+    consumePasswordResetToken(token: string, newPassword: string): Promise<boolean>;
+    issueEmailVerificationToken(email: string): Promise<{
+        token: string;
+        account: AuthAccount;
+    } | null>;
+    consumeEmailVerificationToken(token: string): Promise<boolean>;
+    /** Lista contas paginadas, opcionalmente filtrando por e-mail. */
+    listAccounts(params: ListAccountsParams): Promise<Paginated<AuthAccount>>;
+    /** Substitui as roles globais de uma conta. */
+    setGlobalRoles(accountId: string, roles: string[]): Promise<void>;
+    /** Estado do MFA da conta (se o desafio TOTP deve ser exigido no login). */
+    getMfaState?(accountId: string): Promise<{
+        enabled: boolean;
+    }>;
+    /**
+     * Inicia o enrollment TOTP: gera um segredo PENDENTE (mfaEnabledAt continua
+     * null) e devolve o segredo + otpauth URI (keyuri). Não ativa o MFA ainda.
+     */
+    startTotpEnrollment?(accountId: string): Promise<{
+        secret: string;
+        otpauthUri: string;
+    } | null>;
+    /**
+     * Confirma o enrollment: verifica o código contra o segredo pendente; em caso
+     * de sucesso ativa o MFA, gera N recovery codes e devolve os códigos em claro
+     * (uma única vez).
+     */
+    confirmTotpEnrollment?(accountId: string, code: string): Promise<{
+        ok: boolean;
+        recoveryCodes?: string[];
+    }>;
+    /** Verifica um código TOTP contra o segredo ativo. */
+    verifyTotp?(accountId: string, code: string): Promise<boolean>;
+    /** Consome (single-use) um recovery code; true se casou e foi removido. */
+    consumeRecoveryCode?(accountId: string, code: string): Promise<boolean>;
+    /** Desliga o MFA: limpa segredo + mfaEnabledAt + recovery codes. */
+    disableMfa?(accountId: string): Promise<void>;
+    /**
+     * Inicia o registro de uma passkey: gera as opções de criação
+     * (`generateRegistrationOptions`) escopadas à conta (e excluindo credenciais já
+     * registradas). Devolve as opções JSON (o controller serializa pro browser) e o
+     * `challenge` (base64url) para guardar na sessão. null = conta inexistente.
+     */
+    generatePasskeyRegistrationOptions?(accountId: string): Promise<{
+        options: Record<string, unknown>;
+        challenge: string;
+    } | null>;
+    /**
+     * Finaliza o registro: verifica a resposta do browser
+     * (`verifyRegistrationResponse`) contra o `expectedChallenge` guardado. Em caso
+     * de sucesso persiste a credencial (id, publicKey, counter, transports) e
+     * habilita o MFA. Retorna true se registrou.
+     */
+    verifyPasskeyRegistration?(accountId: string, response: unknown, expectedChallenge: string): Promise<boolean>;
+    /**
+     * Inicia a autenticação por passkey no login: gera as opções
+     * (`generateAuthenticationOptions`) restritas às credenciais da conta. Devolve
+     * as opções JSON + o `challenge` para guardar na sessão. null = conta sem passkeys.
+     */
+    generatePasskeyAuthenticationOptions?(accountId: string): Promise<{
+        options: Record<string, unknown>;
+        challenge: string;
+    } | null>;
+    /**
+     * Verifica a resposta de autenticação por passkey
+     * (`verifyAuthenticationResponse`) contra o `expectedChallenge` guardado. Em
+     * caso de sucesso atualiza o signature counter armazenado. Retorna true se válido.
+     */
+    verifyPasskeyAuthentication?(accountId: string, response: unknown, expectedChallenge: string): Promise<boolean>;
+    /** Lista as passkeys da conta (sem expor chave pública / counter). */
+    listPasskeys?(accountId: string): Promise<PasskeySummary[]>;
+    /** Remove uma passkey (por credential id) da conta. */
+    removePasskey?(accountId: string, credentialId: string): Promise<void>;
+}

package/build/src/accounts/account_store.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/build/src/accounts/lucid_account_store.d.ts ADDED Viewed

@@ -0,0 +1,75 @@
+import { generateAuthenticationOptions, generateRegistrationOptions, verifyAuthenticationResponse, verifyRegistrationResponse } from '@simplewebauthn/server';
+import type { AccountStore } from './account_store.js';
+/**
+ * Encripta/decripta um valor (ex.: o segredo TOTP) em repouso. Mantém a lib
+ * desacoplada do serviço de encryption do app — qualquer implementação que
+ * faça round-trip serve (em prod, normalmente o `@adonisjs/core/services/encryption`).
+ * `decrypt` retorna `null` se o valor foi adulterado/é inválido.
+ */
+export interface AccountSecretEncrypter {
+    encrypt(value: string): string;
+    decrypt(value: string): string | null;
+}
+/** Opções do {@link lucidAccountStore}. */
+export interface LucidAccountStoreOptions {
+    /** Label de issuer mostrado no app autenticador (keyuri). Default: 'AuthKit'. */
+    mfaIssuer?: string;
+    /** Quantidade de recovery codes gerados no enrollment. Default: 8. */
+    recoveryCodeCount?: number;
+    /**
+     * Quando fornecido, o segredo TOTP é encriptado antes de persistir e
+     * decriptado na leitura. Ausente (ex.: testes) → segredo em claro.
+     */
+    encrypter?: AccountSecretEncrypter;
+    /**
+     * Model Lucid das identidades de provider (composto de `withProviderIdentity()`),
+     * usado por `findByProviderIdentity`/`linkProviderIdentity` (account linking
+     * social). Ausente → esses dois métodos lançam (hosts email-only continuam
+     * funcionando até optarem por habilitar).
+     */
+    providerIdentityModel?: any;
+    /**
+     * Model Lucid das credenciais WebAuthn / passkeys (composto de
+     * `withWebauthnCredential()`), usado pelos métodos `*Passkey*`. Ausente → esses
+     * métodos viram `undefined` na interface (hosts sem passkeys não mudam de
+     * comportamento; a UI esconde a seção de passkeys).
+     */
+    webauthnCredentialModel?: any;
+    /**
+     * Parâmetros do Relying Party (RP) usados nas cerimônias WebAuthn. Resolvidos a
+     * partir do `issuer` no `define_config` quando omitidos. Necessários sempre que
+     * `webauthnCredentialModel` é fornecido.
+     */
+    webauthn?: {
+        /** Nome do RP mostrado pelo authenticator. Default: `mfaIssuer`. */
+        rpName: string;
+        /** RP ID — normalmente o hostname (sem porta) do issuer. */
+        rpId: string;
+        /** Origin(s) esperada(s) na verificação (scheme://host[:port]). */
+        origin: string | string[];
+    };
+    /**
+     * Seam de injeção das cerimônias WebAuthn (generate/verify). Default: as funções
+     * reais do `@simplewebauthn/server`. Existe para testes (mockar a verificação SEM
+     * um authenticator real) — produção não precisa fornecer.
+     */
+    webauthnCeremonies?: Partial<WebauthnCeremonies>;
+}
+/**
+ * Funções das cerimônias WebAuthn. Espelham a assinatura do `@simplewebauthn/server`
+ * (subconjunto usado). Injetáveis via {@link LucidAccountStoreOptions.webauthnCeremonies}
+ * para testes.
+ */
+export interface WebauthnCeremonies {
+    generateRegistrationOptions: typeof generateRegistrationOptions;
+    verifyRegistrationResponse: typeof verifyRegistrationResponse;
+    generateAuthenticationOptions: typeof generateAuthenticationOptions;
+    verifyAuthenticationResponse: typeof verifyAuthenticationResponse;
+}
+/**
+ * Implementação default do {@link AccountStore} sobre um model Lucid composto
+ * de `withAuthUser()` + `withCredentials()` (+ opcionalmente `withMfa()`). O
+ * model carrega `connection`/`table` (app-específico) e, por convenção, uma
+ * coluna `fullName` (mapeada de `name`).
+ */
+export declare function lucidAccountStore(Model: any, options?: LucidAccountStoreOptions): AccountStore;