@dudousxd/adonis-authkit-server 0.4.0 → 0.6.0

package/build/src/host/controllers/account_apps_controller.js

@@ -0,0 +1,61 @@
+import '../augmentations.js';
+import { ACCOUNT_SESSION_KEY } from '../middleware/account_auth.js';
+import { AdminSessionsService } from '../admin_sessions_service.js';
+/**
+ * Self-service de consentimento ("apps com acesso") no console de conta. Lista os
+ * Grants da própria conta agrupados por client (resolvendo o nome do client da
+ * config estática ou do payload do adapter) e permite revogar o acesso de um
+ * client (destrói os grants + AT/RT daquele client). Degrada graciosamente quando
+ * o adapter OIDC não enumera (`list`), espelhando o console admin.
+ */
+export default class AccountAppsController {
+    /** GET /account/apps — lista os apps com acesso (grants) da conta logada. */
+    async index(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const render = cfg.render;
+        const accountId = ctx.session.get(ACCOUNT_SESSION_KEY);
+        const sessions = new AdminSessionsService(service);
+        const supported = sessions.canList;
+        const grantList = supported ? await sessions.listGrants(accountId) : [];
+        // Resolve o nome amigável do client: clientId é o fallback (config estática não
+        // carrega um display name).
+        const nameOf = (clientId) => clientId ?? '';
+        const revoked = ctx.session.flashMessages.get('appRevoked');
+        return render(ctx, 'account/apps', {
+            csrfToken: ctx.request.csrfToken,
+            supported,
+            revoked: revoked ?? null,
+            apps: grantList
+                .filter((g) => !!g.clientId)
+                .map((g) => ({
+                clientId: g.clientId,
+                name: nameOf(g.clientId),
+                accessTokens: g.accessTokens,
+                refreshTokens: g.refreshTokens,
+            })),
+        });
+    }
+    /** POST /account/apps/:clientId/revoke — revoga o acesso de um client. */
+    async revoke(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const accountId = ctx.session.get(ACCOUNT_SESSION_KEY);
+        const clientId = ctx.request.param('clientId');
+        const sessions = new AdminSessionsService(service);
+        const result = await sessions.revokeClientGrants(accountId, clientId);
+        await cfg.audit?.record({
+            type: 'grant.revoked_by_user',
+            accountId,
+            clientId,
+            ip: ctx.request.ip?.() ?? null,
+            metadata: {
+                grants: result.grants,
+                accessTokens: result.accessTokens,
+                refreshTokens: result.refreshTokens,
+            },
+        });
+        ctx.session.flash('appRevoked', cfg.messages['account.apps.revoked'] ?? 'account.apps.revoked');
+        return ctx.response.redirect('/account/apps');
+    }
+}

package/build/src/host/controllers/account_mfa_controller.js

@@ -39,7 +39,9 @@ export default class AccountMfaController {
         const userId = ctx.session.get(ACCOUNT_SESSION_KEY);
         const generated = await cfg.accountStore.generatePasskeyRegistrationOptions?.(userId);
         if (!generated) {
-            return ctx.response.notFound({ message: 'Passkeys indisponíveis' });
+            return ctx.response.notFound({
+                message: translate(cfg.messages, 'errors.passkeys_unavailable'),
+            });
         }
         ctx.session.put(PASSKEY_REG_CHALLENGE_KEY, generated.challenge);
         return generated.options;
@@ -54,7 +56,9 @@ export default class AccountMfaController {
         const userId = ctx.session.get(ACCOUNT_SESSION_KEY);
         const challenge = ctx.session.get(PASSKEY_REG_CHALLENGE_KEY);
         if (!challenge) {
-            return ctx.response.badRequest({ message: 'Desafio expirado' });
+            return ctx.response.badRequest({
+                message: translate(cfg.messages, 'errors.challenge_expired'),
+            });
         }
         const body = ctx.request.input('response', ctx.request.body());
         const ok = (await cfg.accountStore.verifyPasskeyRegistration?.(userId, body, challenge)) ?? false;

package/build/src/host/controllers/account_security_controller.d.ts

@@ -9,6 +9,15 @@ import type { HttpContext } from '@adonisjs/core/http';
  */
 export default class AccountSecurityController {
     index(ctx: HttpContext): Promise<any>;
+    /**
+     * POST /account/security/trusted-devices/revoke
+     * Limpa o cookie de dispositivo confiável DESTE navegador (o MFA volta a ser
+     * exigido aqui). Revogação global por-dispositivo não existe sem estado
+     * server-side; re-enrolar o MFA invalida a confiança em TODOS os dispositivos.
+     */
+    revokeTrustedDevices(ctx: HttpContext): Promise<void>;
+    /** POST /account/security/profile — atualiza nome + avatar do próprio perfil. */
+    updateProfile(ctx: HttpContext): Promise<void>;
     changePassword(ctx: HttpContext): Promise<void>;
     changeEmail(ctx: HttpContext): Promise<void>;
     /** GET /account/email/confirm?token=... — consome o token e aplica o novo e-mail. */

package/build/src/host/controllers/account_security_controller.js

@@ -1,9 +1,10 @@
 import '../augmentations.js';
 import { ACCOUNT_SESSION_KEY } from '../middleware/account_auth.js';
-import { supportsAccountSecurity } from '../../accounts/account_store.js';
-import { changePasswordValidator, changeEmailValidator } from '../validators.js';
+import { supportsAccountSecurity, supportsProfile } from '../../accounts/account_store.js';
+import { changePasswordValidator, changeEmailValidator, updateProfileValidator } from '../validators.js';
 import { sendEmailChangeConfirmationEmail } from '../default_mailer.js';
 import { translate } from '../i18n.js';
+import { TRUSTED_DEVICE_COOKIE } from '../trusted_device.js';
 /**
  * Self-service de segurança da conta (console de conta): trocar a senha e o
  * e-mail. A troca de senha exige a senha ATUAL (verifyCredentials). A troca de
@@ -21,13 +22,62 @@ export default class AccountSecurityController {
         return render(ctx, 'account/security', {
             csrfToken: ctx.request.csrfToken,
             supported: supportsAccountSecurity(cfg.accountStore),
+            profileSupported: supportsProfile(cfg.accountStore),
             email: account?.email ?? '',
+            name: account?.name ?? '',
+            avatarUrl: account?.avatarUrl ?? '',
             passwordChanged: ctx.session.flashMessages.get('passwordChanged') ?? null,
             emailChangeRequested: ctx.session.flashMessages.get('emailChangeRequested') ?? null,
             emailChanged: ctx.session.flashMessages.get('emailChanged') ?? null,
+            profileUpdated: ctx.session.flashMessages.get('profileUpdated') ?? null,
             error: ctx.session.flashMessages.get('securityError') ?? null,
+            trustedDevicesEnabled: cfg.trustedDevices.enabled,
+            trustedDevicesRevoked: ctx.session.flashMessages.get('trustedDevicesRevoked') ?? null,
         });
     }
+    /**
+     * POST /account/security/trusted-devices/revoke
+     * Limpa o cookie de dispositivo confiável DESTE navegador (o MFA volta a ser
+     * exigido aqui). Revogação global por-dispositivo não existe sem estado
+     * server-side; re-enrolar o MFA invalida a confiança em TODOS os dispositivos.
+     */
+    async revokeTrustedDevices(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        ctx.response.clearCookie(TRUSTED_DEVICE_COOKIE);
+        const userId = ctx.session.get(ACCOUNT_SESSION_KEY);
+        await cfg.audit?.record({
+            type: 'trusted_device.revoked',
+            accountId: userId,
+            ip: ctx.request.ip?.() ?? null,
+        });
+        ctx.session.flash('trustedDevicesRevoked', translate(cfg.messages, 'account.security.trusted_devices_revoked'));
+        return ctx.response.redirect('/account/security');
+    }
+    /** POST /account/security/profile — atualiza nome + avatar do próprio perfil. */
+    async updateProfile(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const store = cfg.accountStore;
+        const userId = ctx.session.get(ACCOUNT_SESSION_KEY);
+        if (!supportsProfile(store)) {
+            return ctx.response.redirect('/account/security');
+        }
+        const { name, avatarUrl } = await ctx.request.validateUsing(updateProfileValidator);
+        // Campos ausentes no form viram string vazia (limpa o valor); enviamos null
+        // para limpar, ou o valor trimado.
+        await store.updateProfile(userId, {
+            name: name ?? null,
+            avatarUrl: avatarUrl ?? null,
+        });
+        await cfg.audit?.record({
+            type: 'profile.updated',
+            accountId: userId,
+            ip: ctx.request.ip?.() ?? null,
+        });
+        ctx.session.flash('profileUpdated', translate(cfg.messages, 'account.profile.updated'));
+        return ctx.response.redirect('/account/security');
+    }
     async changePassword(ctx) {
         const service = await ctx.containerResolver.make('authkit.server');
         const cfg = service.config;

package/build/src/host/controllers/account_session_controller.js

@@ -28,7 +28,9 @@ export default class AccountSessionController {
                     ? translate(cfg.messages, 'errors.account_locked', {
                         seconds: result.retryAfterSec ?? 0,
                     })
-                    : translate(cfg.messages, 'errors.invalid_credentials'),
+                    : result.disabled
+                        ? translate(cfg.messages, 'errors.account_disabled')
+                        : translate(cfg.messages, 'errors.invalid_credentials'),
             });
         }
         const acc = result.account;

package/build/src/host/controllers/admin/admin_users_controller.d.ts

@@ -6,6 +6,19 @@ import type { HttpContext } from '@adonisjs/core/http';
  * vírgula no formulário e normalizadas aqui.
  */
 export default class AdminUsersController {
+    #private;
     index(ctx: HttpContext): Promise<any>;
+    /**
+     * POST /admin/users — cria uma conta. Se `password` for informado, a conta já
+     * nasce com senha. Senão, emite um token de reset e envia o e-mail (o usuário
+     * define a própria senha) — fluxo "create + invite". Audita `user.created`.
+     */
+    store(ctx: HttpContext): Promise<void>;
+    /** POST /admin/users/:id/reset-password — emite token de reset + envia e-mail. */
+    resetPassword(ctx: HttpContext): Promise<void>;
+    /** POST /admin/users/:id/disable — desabilita a conta (bloqueia login). */
+    disable(ctx: HttpContext): Promise<void>;
+    /** POST /admin/users/:id/enable — reabilita a conta. */
+    enable(ctx: HttpContext): Promise<void>;
     updateRoles(ctx: HttpContext): Promise<void>;
 }

package/build/src/host/controllers/admin/admin_users_controller.js

@@ -1,4 +1,9 @@
 import '../../augmentations.js';
+import { randomBytes } from 'node:crypto';
+import { supportsAccountStatus } from '../../../accounts/account_store.js';
+import { ACCOUNT_SESSION_KEY } from '../../middleware/account_auth.js';
+import { adminCreateUserValidator } from '../../validators.js';
+import { sendPasswordResetEmail } from '../../default_mailer.js';
 const PAGE_SIZE = 20;
 /**
  * Gestão de usuários do IdP: listagem paginada com busca por e-mail e edição das
@@ -14,21 +19,149 @@ export default class AdminUsersController {
         const page = Math.max(1, Number.parseInt(ctx.request.input('page', '1'), 10) || 1);
         const result = await cfg.accountStore.listAccounts({ search, page, limit: PAGE_SIZE });
         const totalPages = Math.max(1, Math.ceil(result.total / PAGE_SIZE));
+        const store = cfg.accountStore;
+        const statusSupported = supportsAccountStatus(store);
+        // Resolve o estado de disabled por conta (só quando suportado).
+        const disabledMap = new Map();
+        if (statusSupported) {
+            for (const u of result.data) {
+                disabledMap.set(u.id, await store.isDisabled(u.id));
+            }
+        }
         return render(ctx, 'admin/users', {
             csrfToken: ctx.request.csrfToken,
             search,
             page,
             totalPages,
             total: result.total,
+            statusSupported,
+            created: ctx.session.flashMessages.get('userCreated') ?? null,
+            resetSent: ctx.session.flashMessages.get('resetSent') ?? null,
+            statusChanged: ctx.session.flashMessages.get('statusChanged') ?? null,
+            error: ctx.session.flashMessages.get('usersError') ?? null,
             users: result.data.map((u) => ({
                 id: u.id,
                 email: u.email,
                 name: u.name ?? '',
                 roles: u.globalRoles ?? [],
                 rolesText: (u.globalRoles ?? []).join(', '),
+                disabled: disabledMap.get(u.id) ?? false,
             })),
         });
     }
+    /**
+     * POST /admin/users — cria uma conta. Se `password` for informado, a conta já
+     * nasce com senha. Senão, emite um token de reset e envia o e-mail (o usuário
+     * define a própria senha) — fluxo "create + invite". Audita `user.created`.
+     */
+    async store(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const store = cfg.accountStore;
+        const actorId = ctx.session.get(ACCOUNT_SESSION_KEY) ?? null;
+        const ip = ctx.request.ip?.() ?? null;
+        const { email, name, password } = await ctx.request.validateUsing(adminCreateUserValidator);
+        const existing = await store.findByEmail(email);
+        if (existing) {
+            ctx.session.flash('usersError', cfg.messages['errors.email_taken'] ?? 'errors.email_taken');
+            return ctx.response.redirect('/admin/users');
+        }
+        // Sem senha informada: cria com uma senha aleatória forte (descartável) e
+        // dispara o fluxo de reset para o usuário definir a sua.
+        const initialPassword = password ?? randomBytes(24).toString('hex');
+        const account = await store.create({ email, password: initialPassword, fullName: name ?? null });
+        await cfg.audit?.record({
+            type: 'user.created',
+            accountId: account.id,
+            email,
+            actorId,
+            ip,
+            metadata: { invited: !password },
+        });
+        if (!password) {
+            await this.#sendResetEmail(ctx, cfg, email);
+        }
+        ctx.session.flash('userCreated', cfg.messages['admin.users.created'] ?? 'admin.users.created');
+        return ctx.response.redirect('/admin/users');
+    }
+    /** POST /admin/users/:id/reset-password — emite token de reset + envia e-mail. */
+    async resetPassword(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const store = cfg.accountStore;
+        const actorId = ctx.session.get(ACCOUNT_SESSION_KEY) ?? null;
+        const ip = ctx.request.ip?.() ?? null;
+        const accountId = ctx.request.param('id');
+        const account = await store.findById(accountId);
+        if (account) {
+            await this.#sendResetEmail(ctx, cfg, account.email);
+            await cfg.audit?.record({
+                type: 'user.password_reset_sent',
+                accountId,
+                email: account.email,
+                actorId,
+                ip,
+            });
+        }
+        ctx.session.flash('resetSent', cfg.messages['admin.users.reset_sent'] ?? 'admin.users.reset_sent');
+        return this.#redirectBack(ctx);
+    }
+    /** POST /admin/users/:id/disable — desabilita a conta (bloqueia login). */
+    async disable(ctx) {
+        return this.#toggleStatus(ctx, true);
+    }
+    /** POST /admin/users/:id/enable — reabilita a conta. */
+    async enable(ctx) {
+        return this.#toggleStatus(ctx, false);
+    }
+    async #toggleStatus(ctx, disable) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const store = cfg.accountStore;
+        const actorId = ctx.session.get(ACCOUNT_SESSION_KEY) ?? null;
+        const ip = ctx.request.ip?.() ?? null;
+        const accountId = ctx.request.param('id');
+        if (supportsAccountStatus(store)) {
+            if (disable)
+                await store.disableAccount(accountId);
+            else
+                await store.enableAccount(accountId);
+            await cfg.audit?.record({
+                type: disable ? 'user.disabled' : 'user.enabled',
+                accountId,
+                actorId,
+                ip,
+            });
+            ctx.session.flash('statusChanged', cfg.messages[disable ? 'admin.users.disabled' : 'admin.users.enabled'] ??
+                (disable ? 'admin.users.disabled' : 'admin.users.enabled'));
+        }
+        return this.#redirectBack(ctx);
+    }
+    /** Emite o token de reset e dispara o e-mail (hook do config tem prioridade). */
+    async #sendResetEmail(ctx, cfg, email) {
+        const issued = await cfg.accountStore.issuePasswordResetToken(email);
+        if (!issued)
+            return;
+        const origin = `${ctx.request.protocol()}://${ctx.request.host()}`;
+        const resetUrl = `${origin}/auth/reset-password?token=${encodeURIComponent(issued.token)}`;
+        if (cfg.mail?.onPasswordReset) {
+            await cfg.mail.onPasswordReset({ email, resetUrl, token: issued.token });
+        }
+        else {
+            await sendPasswordResetEmail(ctx, { email, resetUrl });
+        }
+    }
+    #redirectBack(ctx) {
+        const search = ctx.request.input('search', '').trim();
+        const page = Math.max(1, Number.parseInt(ctx.request.input('page', '1'), 10) || 1);
+        const qs = new URLSearchParams();
+        if (search)
+            qs.set('search', search);
+        if (page > 1)
+            qs.set('page', String(page));
+        const query = qs.toString();
+        return ctx.response.redirect(`/admin/users${query ? `?${query}` : ''}`);
+    }
     async updateRoles(ctx) {
         const service = await ctx.containerResolver.make('authkit.server');
         const cfg = service.config;

package/build/src/host/controllers/interaction_controller.d.ts

@@ -32,6 +32,38 @@ export default class AuthInteractionController {
     private stepUpExtra;
     /** true se o store suporta passkeys E a conta tem ao menos uma registrada. */
     private hasPasskeys;
+    /**
+     * Lê o cookie de dispositivo confiável (encriptado, appKey-backed) e valida que
+     * pertence a `accountId`, não expirou e é posterior ao último (re)enrollment de
+     * MFA. Step-up NÃO chama isto (força sempre o MFA). Best-effort: qualquer erro de
+     * leitura → não confiável.
+     */
+    private checkTrustedDevice;
+    /**
+     * Se o checkbox "confiar neste dispositivo" foi marcado E o mecanismo está ligado,
+     * grava o cookie encriptado de confiança para a conta (skip MFA por N dias).
+     */
+    private maybeTrustDevice;
+    /**
+     * accountId para uma cerimônia de passkey no login. Prioriza o accountId pendente
+     * do MFA (passkey como 2º fator). Quando ausente e o passkey-first está ligado,
+     * resolve a conta pelo e-mail guardado na sessão (passkey ANTES da senha) — só se
+     * a conta existe E tem ao menos uma passkey.
+     */
+    private resolvePasskeyAccountId;
+    /**
+     * POST /auth/interaction/:uid/magic
+     * Magic link: lê o e-mail da sessão (passwordless.magicLink ligado), emite um
+     * token de uso único e dispara o e-mail. SEMPRE renderiza "link enviado",
+     * independentemente de a conta existir (anti-enumeração). Throttled como o login.
+     */
+    magicLinkRequest(ctx: HttpContext): Promise<any>;
+    /**
+     * GET /auth/interaction/:uid/magic?token=...
+     * Consome o magic link. Em sucesso finaliza o login (amr `['email']`). Token
+     * inválido/expirado volta ao início do login.
+     */
+    magicLinkConsume(ctx: HttpContext): Promise<void>;
     /**
      * POST /auth/interaction/:uid/passkey/options
      * Gera as opções de autenticação por passkey para o accountId pendente do MFA,