@dudousxd/adonis-authkit-server 0.1.0

package/build/src/host/controllers/admin/admin_dashboard_controller.js

@@ -0,0 +1,27 @@
+import '../../augmentations.js';
+/**
+ * Dashboard do console admin: contagens-resumo (usuários, clients estáticos) e
+ * os eventos de auditoria mais recentes. Degrada graciosamente quando o sink de
+ * auditoria não suporta consulta (`list` ausente).
+ */
+export default class AdminDashboardController {
+    async index(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const render = cfg.render;
+        // Total de usuários (página vazia só para ler o `total`).
+        const usersPage = await cfg.accountStore.listAccounts({ page: 1, limit: 1 });
+        const clientsCount = cfg.clients.length;
+        // Eventos recentes (best-effort: só se o sink suportar consulta).
+        const auditSupported = typeof cfg.audit?.list === 'function';
+        const recent = auditSupported ? await cfg.audit.list({ page: 1, limit: 5 }) : null;
+        return render(ctx, 'admin/dashboard', {
+            csrfToken: ctx.request.csrfToken,
+            usersTotal: usersPage.total,
+            clientsCount,
+            auditSupported,
+            auditTotal: recent?.total ?? 0,
+            recentEvents: recent?.data ?? [],
+        });
+    }
+}

package/build/src/host/controllers/admin/admin_users_controller.d.ts

@@ -0,0 +1,11 @@
+import '../../augmentations.js';
+import type { HttpContext } from '@adonisjs/core/http';
+/**
+ * Gestão de usuários do IdP: listagem paginada com busca por e-mail e edição das
+ * roles globais de uma conta. As roles são informadas como texto separado por
+ * vírgula no formulário e normalizadas aqui.
+ */
+export default class AdminUsersController {
+    index(ctx: HttpContext): Promise<any>;
+    updateRoles(ctx: HttpContext): Promise<void>;
+}

package/build/src/host/controllers/admin/admin_users_controller.js

@@ -0,0 +1,53 @@
+import '../../augmentations.js';
+const PAGE_SIZE = 20;
+/**
+ * Gestão de usuários do IdP: listagem paginada com busca por e-mail e edição das
+ * roles globais de uma conta. As roles são informadas como texto separado por
+ * vírgula no formulário e normalizadas aqui.
+ */
+export default class AdminUsersController {
+    async index(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const render = cfg.render;
+        const search = ctx.request.input('search', '').trim();
+        const page = Math.max(1, Number.parseInt(ctx.request.input('page', '1'), 10) || 1);
+        const result = await cfg.accountStore.listAccounts({ search, page, limit: PAGE_SIZE });
+        const totalPages = Math.max(1, Math.ceil(result.total / PAGE_SIZE));
+        return render(ctx, 'admin/users', {
+            csrfToken: ctx.request.csrfToken,
+            search,
+            page,
+            totalPages,
+            total: result.total,
+            users: result.data.map((u) => ({
+                id: u.id,
+                email: u.email,
+                name: u.name ?? '',
+                roles: u.globalRoles ?? [],
+                rolesText: (u.globalRoles ?? []).join(', '),
+            })),
+        });
+    }
+    async updateRoles(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const accountId = ctx.request.param('id');
+        const raw = ctx.request.input('roles', '') ?? '';
+        // Normaliza: split por vírgula, trim, remove vazios e duplicatas.
+        const roles = Array.from(new Set(raw
+            .split(',')
+            .map((r) => r.trim())
+            .filter((r) => r.length > 0)));
+        await cfg.accountStore.setGlobalRoles(accountId, roles);
+        const search = ctx.request.input('search', '').trim();
+        const page = Math.max(1, Number.parseInt(ctx.request.input('page', '1'), 10) || 1);
+        const qs = new URLSearchParams();
+        if (search)
+            qs.set('search', search);
+        if (page > 1)
+            qs.set('page', String(page));
+        const query = qs.toString();
+        return ctx.response.redirect(`/admin/users${query ? `?${query}` : ''}`);
+    }
+}

package/build/src/host/controllers/interaction_controller.d.ts

@@ -0,0 +1,44 @@
+import '../augmentations.js';
+import type { HttpContext } from '@adonisjs/core/http';
+export default class AuthInteractionController {
+    show(ctx: HttpContext): Promise<any>;
+    /**
+     * POST /auth/interaction/:uid/identifier
+     * Step 1: receive email, store in session, redirect to step 2.
+     * ENUMERATION-SAFE: always advances regardless of whether the email exists.
+     */
+    identifier(ctx: HttpContext): Promise<void>;
+    /**
+     * POST /auth/interaction/:uid/login
+     * Step 2: password submit. Reads email from session (never from form).
+     */
+    login(ctx: HttpContext): Promise<any>;
+    /**
+     * POST /auth/interaction/:uid/mfa
+     * 2º fator: lê o accountId pendente da sessão e aceita um código TOTP (`code`)
+     * OU um recovery code (`recoveryCode`). Em caso de sucesso finaliza a interaction.
+     */
+    mfaVerify(ctx: HttpContext): Promise<any>;
+    /** true se o store suporta passkeys E a conta tem ao menos uma registrada. */
+    private hasPasskeys;
+    /**
+     * POST /auth/interaction/:uid/passkey/options
+     * Gera as opções de autenticação por passkey para o accountId pendente do MFA,
+     * guarda o challenge na sessão e devolve as opções JSON para o browser.
+     */
+    passkeyOptions(ctx: HttpContext): Promise<any>;
+    /**
+     * POST /auth/interaction/:uid/passkey/verify
+     * Verifica a resposta de autenticação por passkey contra o challenge guardado;
+     * em caso de sucesso FINALIZA a interaction (303 de volta ao client — alternativa
+     * ao código TOTP). É um POST de página inteira (form), não fetch: o browser
+     * submete o JSON da assertion no campo `response` e segue o redirect normalmente.
+     */
+    passkeyVerify(ctx: HttpContext): Promise<any>;
+    /**
+     * GET /auth/interaction/:uid/switch
+     * Clears the stored email and redirects back to step 1.
+     */
+    switchIdentifier(ctx: HttpContext): Promise<void>;
+    consent(ctx: HttpContext): Promise<void>;
+}

package/build/src/host/controllers/interaction_controller.js

@@ -0,0 +1,304 @@
+import '../augmentations.js';
+import { brandFor, isFirstParty } from '../branding.js';
+import { translate } from '../i18n.js';
+import { createAccountLockout } from '../account_lockout.js';
+const SESSION_KEY = 'authkit_login_email';
+/** accountId aguardando o 2º fator depois da senha verificada. */
+const MFA_PENDING_KEY = 'authkit_mfa_pending';
+/** Desafio WebAuthn pendente (autenticação) guardado entre begin/finish no login. */
+const PASSKEY_AUTH_CHALLENGE_KEY = 'authkit_passkey_auth_challenge';
+export default class AuthInteractionController {
+    async show(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const render = cfg.render;
+        const details = await service.interactions.details(ctx);
+        const brand = brandFor(cfg.branding, details.params.client_id, details.params.audience);
+        if (details.prompt.name === 'consent' && isFirstParty(cfg.branding, details.params.client_id)) {
+            // Clients first-party: auto-concede o consent (pula a tela de consent).
+            // interactions.consent monta o Grant + interactionFinished e escreve o
+            // redirect de volta para o client — opera via provider.interactionDetails,
+            // independente do metodo HTTP, entao funciona no GET show().
+            return await service.interactions.consent(ctx);
+        }
+        if (details.prompt.name !== 'login') {
+            // Consent or other prompts — unchanged
+            return render(ctx, 'consent', {
+                uid: details.uid,
+                params: details.params,
+                csrfToken: ctx.request.csrfToken,
+                brand,
+            });
+        }
+        const email = ctx.session.get(SESSION_KEY);
+        if (!email) {
+            // Step 1: identifier (email only)
+            return render(ctx, 'login', {
+                uid: details.uid,
+                csrfToken: ctx.request.csrfToken,
+                step: 'identifier',
+                brand,
+            });
+        }
+        // Step 2: password — look up user for personalisation (enumeration-safe: always show step 2)
+        const acc = await cfg.accountStore.findByEmail(email);
+        const account = acc ? { fullName: acc.name ?? null, globalRoles: acc.globalRoles ?? [] } : null;
+        return render(ctx, 'login', {
+            uid: details.uid,
+            csrfToken: ctx.request.csrfToken,
+            step: 'password',
+            email,
+            account,
+            brand,
+        });
+    }
+    /**
+     * POST /auth/interaction/:uid/identifier
+     * Step 1: receive email, store in session, redirect to step 2.
+     * ENUMERATION-SAFE: always advances regardless of whether the email exists.
+     */
+    async identifier(ctx) {
+        const { email } = ctx.request.only(['email']);
+        ctx.session.put(SESSION_KEY, email);
+        return ctx.response.redirect(`/auth/interaction/${ctx.request.param('uid')}`);
+    }
+    /**
+     * POST /auth/interaction/:uid/login
+     * Step 2: password submit. Reads email from session (never from form).
+     */
+    async login(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const render = cfg.render;
+        const details = await service.interactions.details(ctx);
+        const brand = brandFor(cfg.branding, details.params.client_id, details.params.audience);
+        const email = ctx.session.get(SESSION_KEY);
+        if (!email) {
+            // Session expired or tampered — send back to step 1
+            return ctx.response.redirect(`/auth/interaction/${ctx.request.param('uid')}`);
+        }
+        const { password } = ctx.request.only(['password']);
+        const ip = ctx.request.ip?.() ?? null;
+        const clientId = details.params.client_id ?? null;
+        const lockout = createAccountLockout(cfg.lockout);
+        // Bloqueio progressivo (keyed por email da sessão): se travada, não verifica a senha.
+        const lock = await lockout.isLocked(email);
+        if (lock.locked) {
+            const found = await cfg.accountStore.findByEmail(email);
+            const account = found
+                ? { fullName: found.name ?? null, globalRoles: found.globalRoles ?? [] }
+                : null;
+            return render(ctx, 'login', {
+                uid: ctx.request.param('uid'),
+                csrfToken: ctx.request.csrfToken,
+                step: 'password',
+                email,
+                account,
+                error: translate(cfg.messages, 'errors.account_locked', {
+                    seconds: lock.retryAfterSec ?? 0,
+                }),
+                brand,
+            });
+        }
+        // Verificamos as credenciais ANTES de finalizar a interaction, porque com MFA
+        // ligado precisamos exigir o 2º fator e NÃO podemos chamar interactionFinished
+        // ainda. (`service.interactions.login` verifica E finaliza num passo só — por
+        // isso fazemos a verificação aqui via accountStore e finalizamos depois.)
+        const acc = await cfg.accountStore.verifyCredentials(email, password);
+        if (!acc) {
+            await cfg.audit?.record({ type: 'login.failure', email, ip, clientId });
+            await lockout.recordFailure(email, { sink: cfg.audit, ip });
+            // Re-render password step with error (keep email in session)
+            const found = await cfg.accountStore.findByEmail(email);
+            const account = found
+                ? { fullName: found.name ?? null, globalRoles: found.globalRoles ?? [] }
+                : null;
+            return render(ctx, 'login', {
+                uid: ctx.request.param('uid'),
+                csrfToken: ctx.request.csrfToken,
+                step: 'password',
+                email,
+                account,
+                error: translate(cfg.messages, 'errors.invalid_credentials'),
+                brand,
+            });
+        }
+        // Senha correta: limpa o contador de falhas (o lockout protege a etapa de senha).
+        await lockout.clearFailures(email);
+        // MFA gate: se a conta tem TOTP ativo, NÃO finaliza a interaction agora —
+        // guarda o accountId pendente na sessão e renderiza o desafio do 2º fator.
+        const mfa = (await cfg.accountStore.getMfaState?.(acc.id)) ?? { enabled: false };
+        if (mfa.enabled) {
+            ctx.session.put(MFA_PENDING_KEY, acc.id);
+            // Passkey disponível como alternativa ao TOTP se o store suporta E a conta
+            // tem ao menos uma credencial registrada.
+            const passkeyAvailable = await this.hasPasskeys(cfg, acc.id);
+            return render(ctx, 'mfa-challenge', {
+                uid: ctx.request.param('uid'),
+                csrfToken: ctx.request.csrfToken,
+                brand,
+                passkeyAvailable,
+            });
+        }
+        // Sem MFA: finaliza a interaction (escreve o 303 de volta para o client).
+        await service.interactions.completeLogin(ctx, acc.id);
+        await cfg.audit?.record({ type: 'login.success', accountId: acc.id, email, ip, clientId });
+        // Clean up the session key after a successful login.
+        ctx.session.forget(SESSION_KEY);
+    }
+    /**
+     * POST /auth/interaction/:uid/mfa
+     * 2º fator: lê o accountId pendente da sessão e aceita um código TOTP (`code`)
+     * OU um recovery code (`recoveryCode`). Em caso de sucesso finaliza a interaction.
+     */
+    async mfaVerify(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const render = cfg.render;
+        const details = await service.interactions.details(ctx);
+        const brand = brandFor(cfg.branding, details.params.client_id, details.params.audience);
+        const accountId = ctx.session.get(MFA_PENDING_KEY);
+        const ip = ctx.request.ip?.() ?? null;
+        const clientId = details.params.client_id ?? null;
+        if (!accountId) {
+            // Sessão expirou/foi adulterada — volta ao início do login.
+            return ctx.response.redirect(`/auth/interaction/${ctx.request.param('uid')}`);
+        }
+        const { code, recoveryCode } = ctx.request.only(['code', 'recoveryCode']);
+        let ok = false;
+        let usedRecovery = false;
+        if (recoveryCode) {
+            ok = (await cfg.accountStore.consumeRecoveryCode?.(accountId, recoveryCode)) ?? false;
+            usedRecovery = ok;
+        }
+        else if (code) {
+            ok = (await cfg.accountStore.verifyTotp?.(accountId, code)) ?? false;
+        }
+        if (!ok) {
+            await cfg.audit?.record({
+                type: 'login.failure',
+                accountId,
+                ip,
+                clientId,
+                metadata: { stage: 'mfa' },
+            });
+            return render(ctx, 'mfa-challenge', {
+                uid: ctx.request.param('uid'),
+                csrfToken: ctx.request.csrfToken,
+                error: translate(cfg.messages, 'errors.invalid_code'),
+                brand,
+                passkeyAvailable: await this.hasPasskeys(cfg, accountId),
+            });
+        }
+        // Sucesso no 2º fator: finaliza a interaction para o accountId pendente.
+        ctx.session.forget(MFA_PENDING_KEY);
+        ctx.session.forget(SESSION_KEY);
+        await cfg.audit?.record({
+            type: 'login.success',
+            accountId,
+            ip,
+            clientId,
+            metadata: { mfa: usedRecovery ? 'recovery' : 'totp' },
+        });
+        await service.interactions.completeLogin(ctx, accountId);
+    }
+    /** true se o store suporta passkeys E a conta tem ao menos uma registrada. */
+    async hasPasskeys(cfg, accountId) {
+        if (typeof cfg.accountStore.listPasskeys !== 'function')
+            return false;
+        const list = await cfg.accountStore.listPasskeys(accountId);
+        return Array.isArray(list) && list.length > 0;
+    }
+    /**
+     * POST /auth/interaction/:uid/passkey/options
+     * Gera as opções de autenticação por passkey para o accountId pendente do MFA,
+     * guarda o challenge na sessão e devolve as opções JSON para o browser.
+     */
+    async passkeyOptions(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const accountId = ctx.session.get(MFA_PENDING_KEY);
+        if (!accountId) {
+            return ctx.response.badRequest({ message: 'Sessão expirada' });
+        }
+        const generated = await cfg.accountStore.generatePasskeyAuthenticationOptions?.(accountId);
+        if (!generated) {
+            return ctx.response.notFound({ message: 'Nenhuma passkey registrada' });
+        }
+        ctx.session.put(PASSKEY_AUTH_CHALLENGE_KEY, generated.challenge);
+        return generated.options;
+    }
+    /**
+     * POST /auth/interaction/:uid/passkey/verify
+     * Verifica a resposta de autenticação por passkey contra o challenge guardado;
+     * em caso de sucesso FINALIZA a interaction (303 de volta ao client — alternativa
+     * ao código TOTP). É um POST de página inteira (form), não fetch: o browser
+     * submete o JSON da assertion no campo `response` e segue o redirect normalmente.
+     */
+    async passkeyVerify(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const render = cfg.render;
+        const details = await service.interactions.details(ctx);
+        const brand = brandFor(cfg.branding, details.params.client_id, details.params.audience);
+        const accountId = ctx.session.get(MFA_PENDING_KEY);
+        const challenge = ctx.session.get(PASSKEY_AUTH_CHALLENGE_KEY);
+        const ip = ctx.request.ip?.() ?? null;
+        const clientId = details.params.client_id ?? null;
+        if (!accountId || !challenge) {
+            // Sessão expirou/foi adulterada — volta ao início do login.
+            return ctx.response.redirect(`/auth/interaction/${ctx.request.param('uid')}`);
+        }
+        // A assertion vem serializada como JSON no campo `response` do form.
+        const raw = ctx.request.input('response');
+        let parsed = null;
+        try {
+            parsed = raw ? JSON.parse(raw) : null;
+        }
+        catch {
+            parsed = null;
+        }
+        const ok = parsed
+            ? ((await cfg.accountStore.verifyPasskeyAuthentication?.(accountId, parsed, challenge)) ?? false)
+            : false;
+        ctx.session.forget(PASSKEY_AUTH_CHALLENGE_KEY);
+        if (!ok) {
+            await cfg.audit?.record({
+                type: 'login.failure',
+                accountId,
+                ip,
+                clientId,
+                metadata: { stage: 'mfa', method: 'webauthn' },
+            });
+            return render(ctx, 'mfa-challenge', {
+                uid: ctx.request.param('uid'),
+                csrfToken: ctx.request.csrfToken,
+                error: translate(cfg.messages, 'mfa_challenge.passkey_error'),
+                brand,
+                passkeyAvailable: await this.hasPasskeys(cfg, accountId),
+            });
+        }
+        ctx.session.forget(MFA_PENDING_KEY);
+        ctx.session.forget(SESSION_KEY);
+        await cfg.audit?.record({
+            type: 'login.success',
+            accountId,
+            ip,
+            clientId,
+            metadata: { mfa: 'webauthn' },
+        });
+        await service.interactions.completeLogin(ctx, accountId);
+    }
+    /**
+     * GET /auth/interaction/:uid/switch
+     * Clears the stored email and redirects back to step 1.
+     */
+    async switchIdentifier(ctx) {
+        ctx.session.forget(SESSION_KEY);
+        return ctx.response.redirect(`/auth/interaction/${ctx.request.param('uid')}`);
+    }
+    async consent(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        await service.interactions.consent(ctx);
+    }
+}

package/build/src/host/controllers/pat_introspection_controller.d.ts

@@ -0,0 +1,22 @@
+import type { HttpContext } from '@adonisjs/core/http';
+export default class PatIntrospectionController {
+    handle(ctx: HttpContext): Promise<void | {
+        active: boolean;
+        sub?: undefined;
+        email?: undefined;
+        name?: undefined;
+        roles?: undefined;
+        scopes?: undefined;
+        audience?: undefined;
+        exp?: undefined;
+    } | {
+        active: boolean;
+        sub: any;
+        email: any;
+        name: any;
+        roles: any;
+        scopes: any;
+        audience: any;
+        exp: any;
+    }>;
+}

package/build/src/host/controllers/pat_introspection_controller.js

@@ -0,0 +1,46 @@
+import { timingSafeEqual } from 'node:crypto';
+function bearerMatches(header, expected) {
+    if (!header || !header.startsWith('Bearer '))
+        return false;
+    const provided = header.slice(7);
+    const a = Buffer.from(provided);
+    const b = Buffer.from(expected);
+    return a.length === b.length && timingSafeEqual(a, b);
+}
+export default class PatIntrospectionController {
+    async handle(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const secret = cfg.patIntrospectionSecret;
+        if (!secret || !bearerMatches(ctx.request.header('authorization'), secret)) {
+            return ctx.response.unauthorized({ error: 'invalid_client' });
+        }
+        const token = ctx.request.input('token');
+        if (!token || typeof token !== 'string') {
+            return { active: false };
+        }
+        const meta = await cfg.patStore.findActiveByToken(token);
+        if (!meta)
+            return { active: false };
+        const account = await cfg.accountStore.findById(meta.accountId);
+        if (!account)
+            return { active: false };
+        await cfg.audit?.record({
+            type: 'pat.used',
+            accountId: account.id,
+            email: account.email,
+            ip: ctx.request.ip?.() ?? null,
+            metadata: { audience: meta.audience },
+        });
+        return {
+            active: true,
+            sub: account.id,
+            email: account.email,
+            name: account.name ?? null,
+            roles: account.globalRoles ?? [],
+            scopes: meta.scopes,
+            audience: meta.audience,
+            exp: meta.exp,
+        };
+    }
+}

package/build/src/host/controllers/registration_controller.d.ts

@@ -0,0 +1,18 @@
+import '../augmentations.js';
+import type { HttpContext } from '@adonisjs/core/http';
+export default class AuthRegistrationController {
+    /** GET /auth/interaction/:uid/signup — tela de cadastro (dentro do fluxo OIDC). */
+    showSignup(ctx: HttpContext): Promise<any>;
+    /** POST /auth/interaction/:uid/signup — cria o usuário e finaliza o login. */
+    signup(ctx: HttpContext): Promise<any>;
+    /** GET /auth/forgot-password — tela standalone. */
+    showForgot(ctx: HttpContext): Promise<any>;
+    /** POST /auth/forgot-password — gera token e (dev) loga o link. Sempre responde sucesso (não vaza emails). */
+    forgot(ctx: HttpContext): Promise<any>;
+    /** GET /auth/reset-password?token=... — tela standalone. */
+    showReset(ctx: HttpContext): Promise<any>;
+    /** POST /auth/reset-password — redefine a senha. */
+    reset(ctx: HttpContext): Promise<any>;
+    /** GET /auth/verify-email?token=... — consome o token e mostra sucesso/falha. */
+    verifyEmail(ctx: HttpContext): Promise<any>;
+}