@dudousxd/adonis-authkit-server 0.2.0 → 0.4.0

package/build/commands/commands.json

@@ -25,6 +25,34 @@
       "args": [],
       "options": {},
       "filePath": "eject.js"
+    },
+    {
+      "commandName": "authkit:doctor",
+      "description": "Valida a configuração do AuthKit no host e imprime achados (✅/⚠️/❌). Sai com código !=0 se houver erros.",
+      "namespace": "authkit",
+      "aliases": [],
+      "flags": [],
+      "args": [],
+      "options": { "startApp": true },
+      "filePath": "doctor.js"
+    },
+    {
+      "commandName": "authkit:rotate-keys",
+      "description": "Rotaciona as chaves de assinatura JWKS managed: gera uma nova chave (novo kid), mantém as N anteriores no JWKS para validar tokens antigos.",
+      "namespace": "authkit",
+      "aliases": [],
+      "flags": [
+        {
+          "name": "keep",
+          "flagName": "keep",
+          "required": false,
+          "type": "number",
+          "description": "Quantas chaves manter no JWKS (default 2)."
+        }
+      ],
+      "args": [],
+      "options": { "startApp": true },
+      "filePath": "rotate_keys.js"
     }
   ]
 }

package/build/commands/doctor.d.ts

@@ -0,0 +1,10 @@
+import { BaseCommand } from '@adonisjs/core/ace';
+import type { CommandOptions } from '@adonisjs/core/types/ace';
+export default class AuthkitDoctor extends BaseCommand {
+    static commandName: string;
+    static description: string;
+    static help: string[];
+    static options: CommandOptions;
+    run(): Promise<void>;
+    private print;
+}

package/build/commands/doctor.js

@@ -0,0 +1,66 @@
+var __rewriteRelativeImportExtension = (this && this.__rewriteRelativeImportExtension) || function (path, preserveJsx) {
+    if (typeof path === "string" && /^\.\.?\//.test(path)) {
+        return path.replace(/\.(tsx)$|((?:\.d)?)((?:\.[^./]+?)?)\.([cm]?)ts$/i, function (m, tsx, d, ext, cm) {
+            return tsx ? preserveJsx ? ".jsx" : ".js" : d && (!ext || !cm) ? m : (d + ext + "." + cm.toLowerCase() + "js");
+        });
+    }
+    return path;
+};
+import { BaseCommand } from '@adonisjs/core/ace';
+import { runAllChecks, hasErrors } from '../src/doctor/checks.js';
+/** Tenta importar um peer; true se importável. */
+async function canImport(specifier) {
+    try {
+        await import(__rewriteRelativeImportExtension(specifier));
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export default class AuthkitDoctor extends BaseCommand {
+    static commandName = 'authkit:doctor';
+    static description = 'Valida a configuração do AuthKit no host e imprime achados (✅/⚠️/❌). Sai com código !=0 se houver erros.';
+    static help = [
+        'Roda uma bateria de checagens sobre a config `authkit` do host:',
+        'issuer/mountPath, clients, accountStore + capacidades, session, shield,',
+        'ally (social), rate-limit, admin, webauthn e jwks.',
+    ];
+    static options = { startApp: true };
+    async run() {
+        const config = await this.app.container.make('config');
+        const authkitConfig = config.get('authkit', null) ?? null;
+        const sessionConfig = config.get('session', null) ?? null;
+        const input = {
+            authkitConfig,
+            sessionConfig,
+            peers: {
+                session: await canImport('@adonisjs/session'),
+                shield: await canImport('@adonisjs/shield'),
+                ally: await canImport('@adonisjs/ally'),
+                limiter: await canImport('@adonisjs/limiter'),
+            },
+        };
+        const findings = runAllChecks(input);
+        this.print(findings);
+        if (hasErrors(findings)) {
+            this.exitCode = 1;
+        }
+    }
+    print(findings) {
+        const icon = (l) => (l === 'ok' ? '✅' : l === 'warn' ? '⚠️ ' : '❌');
+        this.logger.info('AuthKit doctor — checagem da configuração do host\n');
+        for (const f of findings) {
+            const line = `${icon(f.level)} ${f.message}`;
+            if (f.level === 'error')
+                this.logger.logError(line);
+            else if (f.level === 'warn')
+                this.logger.warning(line);
+            else
+                this.logger.success(line);
+        }
+        const errors = findings.filter((f) => f.level === 'error').length;
+        const warns = findings.filter((f) => f.level === 'warn').length;
+        this.logger.info(`\nResumo: ${errors} erro(s), ${warns} aviso(s).`);
+    }
+}

package/build/commands/rotate_keys.d.ts

@@ -0,0 +1,10 @@
+import { BaseCommand } from '@adonisjs/core/ace';
+import type { CommandOptions } from '@adonisjs/core/types/ace';
+export default class AuthkitRotateKeys extends BaseCommand {
+    static commandName: string;
+    static description: string;
+    static help: string[];
+    static options: CommandOptions;
+    keep?: number;
+    run(): Promise<void>;
+}

package/build/commands/rotate_keys.js

@@ -0,0 +1,53 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { BaseCommand, flags } from '@adonisjs/core/ace';
+import { rotateKeystore } from '../src/keys/keystore.js';
+export default class AuthkitRotateKeys extends BaseCommand {
+    static commandName = 'authkit:rotate-keys';
+    static description = 'Rotaciona as chaves de assinatura JWKS managed: gera uma nova chave (novo kid), mantém as N anteriores no JWKS para validar tokens antigos.';
+    static help = [
+        'Requer `jwks: { source: "managed", store: "<arquivo>" }` na config authkit.',
+        'A chave nova vira a de assinatura corrente; as `--keep` mais recentes são',
+        'preservadas no JWKS público para que tokens emitidos antes ainda validem.',
+    ];
+    static options = { startApp: true };
+    async run() {
+        const config = await this.app.container.make('config');
+        const authkitConfig = config.get('authkit', null);
+        if (!authkitConfig?.jwks) {
+            this.logger.logError("❌ config('authkit').jwks ausente.");
+            this.exitCode = 1;
+            return;
+        }
+        const { source, store, algorithm } = authkitConfig.jwks;
+        if (source !== 'managed') {
+            this.logger.logError('❌ Rotação só se aplica a jwks.source = "managed".');
+            this.exitCode = 1;
+            return;
+        }
+        if (!store) {
+            this.logger.logError('❌ jwks.store não configurado. A rotação exige um keystore persistido em arquivo ' +
+                '(ex.: jwks: { source: "managed", store: "tmp/authkit_jwks.json" }). ' +
+                'Sem store, o modo managed gera uma chave efêmera por boot e rotacionar não tem efeito.');
+            this.exitCode = 1;
+            return;
+        }
+        const storePath = this.app.makePath(store);
+        const alg = algorithm ?? 'RS256';
+        const keep = this.keep ?? 2;
+        const { newKid, retiredKids, store: result } = await rotateKeystore(storePath, alg, keep);
+        this.logger.success(`✅ Nova chave de assinatura gerada: kid=${newKid} (alg=${alg}).`);
+        this.logger.info(`JWKS agora serve ${result.keys.length} chave(s) (kids: ${result.keys.map((k) => k.kid).join(', ')}).`);
+        if (retiredKids.length) {
+            this.logger.warning(`⚠️  Chaves aposentadas (tokens assinados por elas deixarão de validar): ${retiredKids.join(', ')}`);
+        }
+        this.logger.info('Reinicie o processo (ou recarregue a config) para passar a assinar com a nova chave.');
+    }
+}
+__decorate([
+    flags.number({ description: 'Quantas chaves manter no JWKS (default 2).' })
+], AuthkitRotateKeys.prototype, "keep", void 0);

package/build/host/views/account/email-confirmed.edge

@@ -0,0 +1,15 @@
+<!doctype html>
+<html lang="pt-br"><head><meta charset="utf-8"><title>{{ t('account.email_confirmed.page_title') }}</title>
+<script src="https://cdn.tailwindcss.com"></script></head>
+<body class="min-h-screen flex items-center justify-center bg-gray-100 p-4">
+  <div class="w-full max-w-sm rounded-2xl bg-white p-8 text-center shadow-xl ring-1 ring-black/5">
+    <div class="text-xs font-semibold uppercase tracking-widest text-gray-400">{{ t('common.brand_eyebrow') }}</div>
+    @if(ok)
+      <h1 class="mt-2 text-xl font-semibold text-emerald-700">{{ t('account.email_confirmed.ok_title') }}</h1>
+      <p class="mt-2 text-sm text-gray-600">{{ t('account.email_confirmed.ok_body') }}</p>
+    @else
+      <h1 class="mt-2 text-xl font-semibold text-red-700">{{ t('account.email_confirmed.invalid_title') }}</h1>
+      <p class="mt-2 text-sm text-gray-600">{{ t('account.email_confirmed.invalid_body') }}</p>
+    @end
+  </div>
+</body></html>

package/build/host/views/account/security.edge

@@ -0,0 +1,83 @@
+<!doctype html>
+<html lang="pt-br"><head><meta charset="utf-8"><title>{{ t('account.security.page_title') }}</title>
+<script src="https://cdn.tailwindcss.com"></script></head>
+<body class="min-h-screen bg-gray-100 p-4">
+  <div class="mx-auto max-w-2xl">
+    <div class="flex items-center justify-between py-6">
+      <div>
+        <div class="text-xs font-semibold uppercase tracking-widest text-gray-400">{{ t('common.brand_eyebrow') }}</div>
+        <h1 class="text-xl font-semibold text-gray-900">{{ t('account.security.title') }}</h1>
+        @if(email)
+          <p class="mt-1 text-sm text-gray-500">{{ t('account.security.current_email', { email: email }) }}</p>
+        @end
+      </div>
+      <form method="POST" action="/account/logout">
+        <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+        <button type="submit" class="text-sm text-gray-500 hover:underline">{{ t('account.security.logout') }}</button>
+      </form>
+    </div>
+
+    @if(!supported)
+      <div class="rounded-xl bg-white p-6 text-sm text-gray-500 shadow-sm ring-1 ring-black/5">
+        {{ t('account.security.not_supported') }}
+      </div>
+    @else
+      @if(error)
+        <div class="mb-6 rounded-lg border border-red-300 bg-red-50 p-4">
+          <p class="text-sm font-medium text-red-900">{{ error }}</p>
+        </div>
+      @end
+      @if(passwordChanged)
+        <div class="mb-6 rounded-lg border border-emerald-300 bg-emerald-50 p-4">
+          <p class="text-sm font-medium text-emerald-900">{{ passwordChanged }}</p>
+        </div>
+      @end
+      @if(emailChangeRequested)
+        <div class="mb-6 rounded-lg border border-blue-300 bg-blue-50 p-4">
+          <p class="text-sm font-medium text-blue-900">{{ emailChangeRequested }}</p>
+        </div>
+      @end
+
+      <div class="mb-6 rounded-xl bg-white p-6 shadow-sm ring-1 ring-black/5">
+        <h2 class="mb-4 text-sm font-semibold text-gray-900">{{ t('account.security.password_section') }}</h2>
+        <form method="POST" action="/account/security/password" class="space-y-4">
+          <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+          <div>
+            <label class="mb-1 block text-sm font-medium text-gray-700">{{ t('account.security.current_password_label') }}</label>
+            <input name="currentPassword" type="password" required
+              class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
+          </div>
+          <div>
+            <label class="mb-1 block text-sm font-medium text-gray-700">{{ t('account.security.new_password_label') }}</label>
+            <input name="newPassword" type="password" required minlength="8"
+              class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
+          </div>
+          <button type="submit" class="rounded-lg bg-gray-900 px-4 py-2 text-sm font-semibold text-white">
+            {{ t('account.security.change_password_submit') }}
+          </button>
+        </form>
+      </div>
+
+      <div class="rounded-xl bg-white p-6 shadow-sm ring-1 ring-black/5">
+        <h2 class="mb-1 text-sm font-semibold text-gray-900">{{ t('account.security.email_section') }}</h2>
+        <p class="mb-4 text-xs text-gray-500">{{ t('account.security.email_intro') }}</p>
+        <form method="POST" action="/account/security/email" class="space-y-4">
+          <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+          <div>
+            <label class="mb-1 block text-sm font-medium text-gray-700">{{ t('account.security.new_email_label') }}</label>
+            <input name="newEmail" type="email" required
+              class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
+          </div>
+          <div>
+            <label class="mb-1 block text-sm font-medium text-gray-700">{{ t('account.security.email_password_label') }}</label>
+            <input name="currentPassword" type="password" required
+              class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
+          </div>
+          <button type="submit" class="rounded-lg bg-gray-900 px-4 py-2 text-sm font-semibold text-white">
+            {{ t('account.security.change_email_submit') }}
+          </button>
+        </form>
+      </div>
+    @end
+  </div>
+</body></html>

package/build/host/views/account/tokens.edge

@@ -8,10 +8,13 @@
         <div class="text-xs font-semibold uppercase tracking-widest text-gray-400">{{ t('common.brand_eyebrow') }}</div>
         <h1 class="text-xl font-semibold text-gray-900">{{ t('account.tokens.title') }}</h1>
       </div>
-      <form method="POST" action="/account/logout">
-        <input type="hidden" name="_csrf" value="{{ csrfToken }}">
-        <button type="submit" class="text-sm text-gray-500 hover:underline">{{ t('account.tokens.logout') }}</button>
-      </form>
+      <div class="flex items-center gap-4">
+        <a href="/account/security" class="text-sm text-gray-500 hover:underline">{{ t('account.tokens.security') }}</a>
+        <form method="POST" action="/account/logout">
+          <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+          <button type="submit" class="text-sm text-gray-500 hover:underline">{{ t('account.tokens.logout') }}</button>
+        </form>
+      </div>
     </div>
 
     @if(createdToken)

package/build/host/views/admin/client_form.edge

@@ -0,0 +1,83 @@
+<!doctype html>
+<html lang="pt-br"><head><meta charset="utf-8"><title>{{ mode === 'edit' ? t('admin.clients.edit_title') : t('admin.clients.new_title') }}</title>
+<script src="https://cdn.tailwindcss.com"></script></head>
+<body class="min-h-screen bg-gray-100 p-4">
+  <div class="mx-auto max-w-2xl">
+    <div class="flex items-center justify-between py-6">
+      <div>
+        <div class="text-xs font-semibold uppercase tracking-widest text-gray-400">{{ t('common.brand_eyebrow') }}</div>
+        <h1 class="text-xl font-semibold text-gray-900">{{ mode === 'edit' ? t('admin.clients.edit_title') : t('admin.clients.new_title') }}</h1>
+      </div>
+      <a href="/admin/clients" class="text-sm text-gray-500 hover:underline">{{ t('admin.clients.back') }}</a>
+    </div>
+
+    <form
+      method="POST"
+      action="{{ mode === 'edit' ? `/admin/clients/${client.clientId}/edit` : '/admin/clients' }}"
+      class="space-y-5 rounded-xl bg-white p-6 shadow-sm ring-1 ring-black/5"
+    >
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+
+      <div>
+        <label class="block text-sm font-medium text-gray-700">{{ t('admin.clients.field_client_id') }}</label>
+        @if(mode === 'edit')
+          <input type="text" value="{{ client.clientId }}" disabled
+            class="mt-1 w-full rounded-lg border border-gray-200 bg-gray-50 px-3 py-2 font-mono text-sm text-gray-500" />
+        @else
+          <input type="text" name="client_id" value="{{ client.clientId }}" placeholder="{{ t('admin.clients.field_client_id_placeholder') }}"
+            class="mt-1 w-full rounded-lg border border-gray-300 px-3 py-2 font-mono text-sm outline-none focus:border-gray-900" />
+          <p class="mt-1 text-xs text-gray-400">{{ t('admin.clients.field_client_id_help') }}</p>
+        @end
+      </div>
+
+      <div>
+        <label class="block text-sm font-medium text-gray-700">{{ t('admin.clients.field_redirect_uris') }}</label>
+        <textarea name="redirect_uris" rows="3" placeholder="https://app.exemplo.com/callback"
+          class="mt-1 w-full rounded-lg border border-gray-300 px-3 py-2 font-mono text-sm outline-none focus:border-gray-900">{{ client.redirectUris.join('\n') }}</textarea>
+        <p class="mt-1 text-xs text-gray-400">{{ t('admin.clients.field_redirect_uris_help') }}</p>
+      </div>
+
+      <div>
+        <label class="block text-sm font-medium text-gray-700">{{ t('admin.clients.field_post_logout_uris') }}</label>
+        <textarea name="post_logout_redirect_uris" rows="2"
+          class="mt-1 w-full rounded-lg border border-gray-300 px-3 py-2 font-mono text-sm outline-none focus:border-gray-900">{{ client.postLogoutRedirectUris.join('\n') }}</textarea>
+        <p class="mt-1 text-xs text-gray-400">{{ t('admin.clients.field_post_logout_uris_help') }}</p>
+      </div>
+
+      <div>
+        <span class="block text-sm font-medium text-gray-700">{{ t('admin.clients.field_grant_types') }}</span>
+        <div class="mt-2 space-y-1">
+          <label class="flex items-center gap-2 text-sm text-gray-700">
+            <input type="checkbox" name="grant_types" value="authorization_code" {{ client.grants.includes('authorization_code') ? 'checked' : '' }}>
+            authorization_code
+          </label>
+          <label class="flex items-center gap-2 text-sm text-gray-700">
+            <input type="checkbox" name="grant_types" value="refresh_token" {{ client.grants.includes('refresh_token') ? 'checked' : '' }}>
+            refresh_token
+          </label>
+          <label class="flex items-center gap-2 text-sm text-gray-700">
+            <input type="checkbox" name="grant_types" value="client_credentials" {{ client.grants.includes('client_credentials') ? 'checked' : '' }}>
+            client_credentials
+          </label>
+        </div>
+      </div>
+
+      <div>
+        <label class="block text-sm font-medium text-gray-700">{{ t('admin.clients.field_auth_method') }}</label>
+        <select name="token_endpoint_auth_method"
+          class="mt-1 w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900">
+          <option value="client_secret_basic" {{ client.tokenEndpointAuthMethod === 'client_secret_basic' ? 'selected' : '' }}>client_secret_basic</option>
+          <option value="client_secret_post" {{ client.tokenEndpointAuthMethod === 'client_secret_post' ? 'selected' : '' }}>client_secret_post</option>
+          <option value="none" {{ client.tokenEndpointAuthMethod === 'none' ? 'selected' : '' }}>none ({{ t('admin.clients.public') }})</option>
+        </select>
+      </div>
+
+      <div class="flex items-center justify-end gap-2 pt-2">
+        <a href="/admin/clients" class="rounded-lg border border-gray-300 px-4 py-2 text-sm text-gray-700 hover:bg-gray-50">{{ t('admin.clients.cancel') }}</a>
+        <button type="submit" class="rounded-lg bg-gray-900 px-4 py-2 text-sm font-semibold text-white hover:bg-gray-800">
+          {{ mode === 'edit' ? t('admin.clients.save') : t('admin.clients.create') }}
+        </button>
+      </div>
+    </form>
+  </div>
+</body></html>

package/build/host/views/admin/clients.edge

@@ -21,17 +21,30 @@
       <a href="/admin/audit" class="text-gray-500 hover:underline">{{ t('admin.nav.audit') }}</a>
     </nav>
 
+    @if(createdSecret)
+      <div class="mb-6 rounded-lg border border-emerald-300 bg-emerald-50 p-4 text-sm text-emerald-900">
+        <p class="font-semibold">{{ t('admin.clients.secret_once_title') }}</p>
+        <p class="mt-1">{{ t('admin.clients.secret_once_notice') }}</p>
+        <p class="mt-2 break-all font-mono text-xs">
+          <span class="text-emerald-700">client_id:</span> {{ createdSecret.clientId }}<br>
+          <span class="text-emerald-700">client_secret:</span> {{ createdSecret.clientSecret }}
+        </p>
+      </div>
+    @end
+
     @if(dynamicEnabled)
       <div class="mb-6 rounded-lg border border-amber-300 bg-amber-50 p-4 text-sm text-amber-900">
         {{ t('admin.clients.dynamic_notice') }}
       </div>
     @end
 
-    <div class="overflow-hidden rounded-xl bg-white shadow-sm ring-1 ring-black/5">
-      @if(clients.length === 0)
+    {{-- Clients estáticos (config, somente leitura). --}}
+    <h2 class="mb-2 text-sm font-semibold uppercase tracking-wide text-gray-500">{{ t('admin.clients.static_section') }}</h2>
+    <div class="mb-8 overflow-hidden rounded-xl bg-white shadow-sm ring-1 ring-black/5">
+      @if(staticClients.length === 0)
         <p class="p-6 text-sm text-gray-500">{{ t('admin.clients.empty') }}</p>
       @else
-        @each(client in clients)
+        @each(client in staticClients)
           <div class="border-b border-gray-100 p-4 last:border-0">
             <div class="flex items-center justify-between">
               <p class="text-sm font-medium text-gray-900">{{ client.clientId }}</p>
@@ -47,5 +60,57 @@
         @end
       @end
     </div>
+
+    {{-- Clients dinâmicos (adapter, com CRUD). --}}
+    <div class="mb-2 flex items-center justify-between">
+      <h2 class="text-sm font-semibold uppercase tracking-wide text-gray-500">{{ t('admin.clients.dynamic_section') }}</h2>
+      @if(dynamicSupported)
+        <a href="/admin/clients/new" class="rounded-lg bg-gray-900 px-3 py-1.5 text-sm font-semibold text-white hover:bg-gray-800">
+          {{ t('admin.clients.new') }}
+        </a>
+      @end
+    </div>
+
+    @if(!dynamicSupported)
+      <div class="rounded-xl bg-white p-6 text-sm text-gray-500 shadow-sm ring-1 ring-black/5">
+        {{ t('admin.clients.dynamic_not_supported') }}
+      </div>
+    @else
+      <div class="overflow-hidden rounded-xl bg-white shadow-sm ring-1 ring-black/5">
+        @if(dynamicClients.length === 0)
+          <p class="p-6 text-sm text-gray-500">{{ t('admin.clients.dynamic_empty') }}</p>
+        @else
+          @each(client in dynamicClients)
+            <div class="border-b border-gray-100 p-4 last:border-0">
+              <div class="flex items-center justify-between gap-2">
+                <p class="break-all text-sm font-medium text-gray-900">{{ client.clientId }}</p>
+                <span class="shrink-0 rounded-full px-2 py-0.5 text-xs {{ client.confidential ? 'bg-gray-900 text-white' : 'bg-gray-100 text-gray-600' }}">
+                  {{ client.confidential ? t('admin.clients.confidential') : t('admin.clients.public') }}
+                </span>
+              </div>
+              <p class="mt-1 text-xs text-gray-500">{{ t('admin.clients.grants', { grants: client.grants.join(', ') }) }}</p>
+              @if(client.redirectUris.length > 0)
+                <p class="text-xs text-gray-400">{{ t('admin.clients.redirect_uris', { uris: client.redirectUris.join(', ') }) }}</p>
+              @end
+              <div class="mt-3 flex flex-wrap items-center gap-2">
+                <a href="/admin/clients/{{ client.clientId }}/edit" class="rounded border border-gray-300 px-3 py-1 text-xs hover:bg-gray-50">
+                  {{ t('admin.clients.edit') }}
+                </a>
+                @if(client.confidential)
+                  <form method="POST" action="/admin/clients/{{ client.clientId }}/regenerate-secret" onsubmit="return confirm('{{ t('admin.clients.regenerate_confirm') }}')">
+                    <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+                    <button type="submit" class="rounded border border-gray-300 px-3 py-1 text-xs hover:bg-gray-50">{{ t('admin.clients.regenerate_secret') }}</button>
+                  </form>
+                @end
+                <form method="POST" action="/admin/clients/{{ client.clientId }}/delete" onsubmit="return confirm('{{ t('admin.clients.delete_confirm') }}')">
+                  <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+                  <button type="submit" class="rounded border border-red-300 px-3 py-1 text-xs text-red-700 hover:bg-red-50">{{ t('admin.clients.delete') }}</button>
+                </form>
+              </div>
+            </div>
+          @end
+        @end
+      </div>
+    @end
   </div>
 </body></html>

package/build/host/views/admin/sessions.edge

@@ -0,0 +1,89 @@
+<!doctype html>
+<html lang="pt-br"><head><meta charset="utf-8"><title>{{ t('admin.sessions.page_title') }}</title>
+<script src="https://cdn.tailwindcss.com"></script></head>
+<body class="min-h-screen bg-gray-100 p-4">
+  <div class="mx-auto max-w-4xl">
+    <div class="flex items-center justify-between py-6">
+      <div>
+        <div class="text-xs font-semibold uppercase tracking-widest text-gray-400">{{ t('common.brand_eyebrow') }}</div>
+        <h1 class="text-xl font-semibold text-gray-900">{{ t('admin.sessions.title') }}</h1>
+        @if(email)
+          <p class="mt-1 text-sm text-gray-500">{{ t('admin.sessions.account', { email: email }) }}</p>
+        @end
+      </div>
+      <form method="POST" action="/account/logout">
+        <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+        <button type="submit" class="text-sm text-gray-500 hover:underline">{{ t('admin.nav.logout') }}</button>
+      </form>
+    </div>
+
+    <nav class="mb-6 flex gap-4 text-sm font-medium">
+      <a href="/admin" class="text-gray-500 hover:underline">{{ t('admin.nav.dashboard') }}</a>
+      <a href="/admin/users" class="text-gray-900 underline">{{ t('admin.nav.users') }}</a>
+      <a href="/admin/clients" class="text-gray-500 hover:underline">{{ t('admin.nav.clients') }}</a>
+      <a href="/admin/audit" class="text-gray-500 hover:underline">{{ t('admin.nav.audit') }}</a>
+    </nav>
+
+    <a href="/admin/users" class="mb-4 inline-block text-sm text-gray-500 hover:underline">&larr; {{ t('admin.sessions.back') }}</a>
+
+    @if(!supported)
+      <div class="rounded-xl bg-white p-6 text-sm text-gray-500 shadow-sm ring-1 ring-black/5">
+        {{ t('admin.sessions.not_supported') }}
+      </div>
+    @else
+      @if(revoked)
+        <div class="mb-6 rounded-lg border border-emerald-300 bg-emerald-50 p-4">
+          <p class="text-sm font-medium text-emerald-900">
+            {{ t('admin.sessions.revoked_notice', { sessions: revoked.sessions, grants: revoked.grants, accessTokens: revoked.accessTokens, refreshTokens: revoked.refreshTokens }) }}
+          </p>
+        </div>
+      @end
+
+      <h2 class="mb-2 text-sm font-semibold text-gray-700">{{ t('admin.sessions.sessions_section') }}</h2>
+      <div class="mb-6 overflow-hidden rounded-xl bg-white shadow-sm ring-1 ring-black/5">
+        @if(sessions.length === 0)
+          <p class="p-6 text-sm text-gray-500">{{ t('admin.sessions.sessions_empty') }}</p>
+        @else
+          @each(session in sessions)
+            <div class="border-b border-gray-100 p-4 last:border-0">
+              <p class="text-sm font-medium text-gray-900">{{ session.id }}</p>
+              @if(session.loginTs)
+                <p class="text-xs text-gray-500">{{ t('admin.sessions.session_login_ts', { date: session.loginTs }) }}</p>
+              @end
+              @if(session.amr)
+                <p class="text-xs text-gray-400">{{ t('admin.sessions.session_amr', { amr: session.amr }) }}</p>
+              @end
+            </div>
+          @end
+        @end
+      </div>
+
+      <h2 class="mb-2 text-sm font-semibold text-gray-700">{{ t('admin.sessions.grants_section') }}</h2>
+      <div class="mb-6 overflow-hidden rounded-xl bg-white shadow-sm ring-1 ring-black/5">
+        @if(grants.length === 0)
+          <p class="p-6 text-sm text-gray-500">{{ t('admin.sessions.grants_empty') }}</p>
+        @else
+          @each(grant in grants)
+            <div class="border-b border-gray-100 p-4 last:border-0">
+              <p class="text-sm font-medium text-gray-900">{{ grant.id }}</p>
+              @if(grant.clientId)
+                <p class="text-xs text-gray-500">{{ t('admin.sessions.grant_client', { clientId: grant.clientId }) }}</p>
+              @end
+              <p class="text-xs text-gray-400">{{ t('admin.sessions.grant_tokens', { accessTokens: grant.accessTokens, refreshTokens: grant.refreshTokens }) }}</p>
+            </div>
+          @end
+        @end
+      </div>
+
+      @if(sessions.length > 0 || grants.length > 0)
+        <form method="POST" action="/admin/users/{{ accountId }}/revoke-sessions"
+          onsubmit="return confirm('{{ t('admin.sessions.revoke_confirm') }}')">
+          <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+          <button type="submit" class="rounded-lg bg-red-600 px-4 py-2 text-sm font-semibold text-white hover:opacity-90">
+            {{ t('admin.sessions.revoke_all') }}
+          </button>
+        </form>
+      @end
+    @end
+  </div>
+</body></html>

package/build/host/views/admin/users.edge

@@ -42,6 +42,7 @@
                   <p class="text-xs text-gray-500">{{ user.name }}</p>
                 @end
               </div>
+              <a href="/admin/users/{{ user.id }}/sessions" class="text-sm text-gray-500 hover:underline">{{ t('admin.users.sessions') }}</a>
             </div>
             <form method="POST" action="/admin/users/{{ user.id }}/roles" class="mt-3 flex gap-2">
               <input type="hidden" name="_csrf" value="{{ csrfToken }}">