@dudousxd/adonis-authkit-server 0.5.0 → 0.6.0

package/README.md

@@ -1,7 +1,28 @@
 # @dudousxd/adonis-authkit-server
 
-Authorization Server OpenID Connect para AdonisJS — um wrapper idiomático em volta do
-[`oidc-provider`](https://github.com/panva/node-oidc-provider).
+OpenID Connect / OAuth2 Authorization Server (Identity Provider) for AdonisJS — an idiomatic
+wrapper around [`oidc-provider`](https://github.com/panva/node-oidc-provider).
+
+## Features
+
+- **OIDC / OAuth2 AS** — authorization code + PKCE, refresh tokens (rotated), token exchange,
+  discovery, JWKS (managed + rotatable), revocation, introspection.
+- **MFA** — TOTP, WebAuthn passkeys, recovery codes, trusted-device skip.
+- **Passwordless** — magic-link email login and passkey-first login.
+- **Protocol extensions** — Device Flow (RFC 8628), DPoP (RFC 9449), PAR (RFC 9126), step-up
+  auth via `acr_values`, Dynamic Client Registration (RFC 7591/7592).
+- **Admin console** — user CRUD (+ disable), client CRUD, sessions, audit log (opt-in,
+  role-gated).
+- **Account console** — self-service apps/consent, security (password/email/sessions),
+  profile.
+- **Tokens & federation** — Personal Access Tokens, admin impersonation, back-channel logout,
+  RP-initiated logout.
+- **Hardening** — progressive account lockout, per-IP rate-limiting, audit logging with an
+  events/webhook fan-out, new-login email alerts.
+- **Operability** — i18n (English default, pt-BR built in), OpenTelemetry metrics, the
+  `authkit:doctor` and `authkit:rotate-keys` commands.
+
+> The remaining sections are in Portuguese pending a full translation pass.
 
 ## Instalação
 

package/build/host/views/account/apps.edge

@@ -0,0 +1,58 @@
+<!doctype html>
+<html lang="pt-br"><head><meta charset="utf-8"><title>{{ t('account.apps.page_title') }}</title>
+<script src="https://cdn.tailwindcss.com"></script></head>
+<body class="min-h-screen bg-gray-100 p-4">
+  <div class="mx-auto max-w-2xl">
+    <div class="flex items-center justify-between py-6">
+      <div>
+        <div class="text-xs font-semibold uppercase tracking-widest text-gray-400">{{ t('common.brand_eyebrow') }}</div>
+        <h1 class="text-xl font-semibold text-gray-900">{{ t('account.apps.title') }}</h1>
+        <p class="mt-1 text-sm text-gray-500">{{ t('account.apps.intro') }}</p>
+      </div>
+      <form method="POST" action="/account/logout">
+        <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+        <button type="submit" class="text-sm text-gray-500 hover:underline">{{ t('account.apps.logout') }}</button>
+      </form>
+    </div>
+
+    <nav class="mb-6 flex gap-4 text-sm font-medium">
+      <a href="/account/tokens" class="text-gray-500 hover:underline">{{ t('account.tokens.title') }}</a>
+      <a href="/account/security" class="text-gray-500 hover:underline">{{ t('account.security.title') }}</a>
+      <a href="/account/apps" class="text-gray-900 underline">{{ t('account.apps.title') }}</a>
+    </nav>
+
+    @if(revoked)
+      <div class="mb-6 rounded-lg border border-emerald-300 bg-emerald-50 p-4">
+        <p class="text-sm font-medium text-emerald-900">{{ revoked }}</p>
+      </div>
+    @end
+
+    @if(!supported)
+      <div class="rounded-xl bg-white p-6 text-sm text-gray-500 shadow-sm ring-1 ring-black/5">
+        {{ t('account.apps.not_supported') }}
+      </div>
+    @else
+      <div class="overflow-hidden rounded-xl bg-white shadow-sm ring-1 ring-black/5">
+        @if(apps.length === 0)
+          <p class="p-6 text-sm text-gray-500">{{ t('account.apps.empty') }}</p>
+        @else
+          @each(app in apps)
+            <div class="flex items-center justify-between border-b border-gray-100 p-4 last:border-0">
+              <div>
+                <p class="text-sm font-medium text-gray-900">{{ app.name }}</p>
+                <p class="text-xs text-gray-500">{{ t('account.apps.tokens', { accessTokens: app.accessTokens, refreshTokens: app.refreshTokens }) }}</p>
+              </div>
+              <form method="POST" action="/account/apps/{{ app.clientId }}/revoke"
+                onsubmit="return confirm('{{ t('account.apps.revoke_confirm') }}')">
+                <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+                <button type="submit" class="rounded-lg border border-red-300 px-3 py-1.5 text-sm font-semibold text-red-700 hover:bg-red-50">
+                  {{ t('account.apps.revoke') }}
+                </button>
+              </form>
+            </div>
+          @end
+        @end
+      </div>
+    @end
+  </div>
+</body></html>

package/build/host/views/account/security.edge

@@ -17,6 +17,41 @@
       </form>
     </div>
 
+    <nav class="mb-6 flex gap-4 text-sm font-medium">
+      <a href="/account/tokens" class="text-gray-500 hover:underline">{{ t('account.tokens.title') }}</a>
+      <a href="/account/security" class="text-gray-900 underline">{{ t('account.security.title') }}</a>
+      <a href="/account/apps" class="text-gray-500 hover:underline">{{ t('account.apps.title') }}</a>
+    </nav>
+
+    @if(profileUpdated)
+      <div class="mb-6 rounded-lg border border-emerald-300 bg-emerald-50 p-4">
+        <p class="text-sm font-medium text-emerald-900">{{ profileUpdated }}</p>
+      </div>
+    @end
+
+    @if(profileSupported)
+      <div class="mb-6 rounded-xl bg-white p-6 shadow-sm ring-1 ring-black/5">
+        <h2 class="mb-1 text-sm font-semibold text-gray-900">{{ t('account.profile.section') }}</h2>
+        <p class="mb-4 text-xs text-gray-500">{{ t('account.profile.intro') }}</p>
+        <form method="POST" action="/account/security/profile" class="space-y-4">
+          <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+          <div>
+            <label class="mb-1 block text-sm font-medium text-gray-700">{{ t('account.profile.name_label') }}</label>
+            <input name="name" type="text" value="{{ name }}" maxlength="255"
+              class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
+          </div>
+          <div>
+            <label class="mb-1 block text-sm font-medium text-gray-700">{{ t('account.profile.avatar_label') }}</label>
+            <input name="avatarUrl" type="url" value="{{ avatarUrl }}"
+              class="w-full rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
+          </div>
+          <button type="submit" class="rounded-lg bg-gray-900 px-4 py-2 text-sm font-semibold text-white">
+            {{ t('account.profile.submit') }}
+          </button>
+        </form>
+      </div>
+    @end
+
     @if(!supported)
       <div class="rounded-xl bg-white p-6 text-sm text-gray-500 shadow-sm ring-1 ring-black/5">
         {{ t('account.security.not_supported') }}
@@ -79,5 +114,23 @@
         </form>
       </div>
     @end
+
+    @if(trustedDevicesEnabled)
+      @if(trustedDevicesRevoked)
+        <div class="mt-6 rounded-lg border border-emerald-300 bg-emerald-50 p-4">
+          <p class="text-sm font-medium text-emerald-900">{{ trustedDevicesRevoked }}</p>
+        </div>
+      @end
+      <div class="mt-6 rounded-xl bg-white p-6 shadow-sm ring-1 ring-black/5">
+        <h2 class="mb-1 text-sm font-semibold text-gray-900">{{ t('account.security.trusted_devices_section') }}</h2>
+        <p class="mb-4 text-xs text-gray-500">{{ t('account.security.trusted_devices_intro') }}</p>
+        <form method="POST" action="/account/security/trusted-devices/revoke">
+          <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+          <button type="submit" class="rounded-lg border border-gray-300 px-4 py-2 text-sm font-semibold text-gray-700 hover:bg-gray-50">
+            {{ t('account.security.trusted_devices_revoke') }}
+          </button>
+        </form>
+      </div>
+    @end
   </div>
 </body></html>

package/build/host/views/account/tokens.edge

@@ -10,6 +10,7 @@
       </div>
       <div class="flex items-center gap-4">
         <a href="/account/security" class="text-sm text-gray-500 hover:underline">{{ t('account.tokens.security') }}</a>
+        <a href="/account/apps" class="text-sm text-gray-500 hover:underline">{{ t('account.apps.title') }}</a>
         <form method="POST" action="/account/logout">
           <input type="hidden" name="_csrf" value="{{ csrfToken }}">
           <button type="submit" class="text-sm text-gray-500 hover:underline">{{ t('account.tokens.logout') }}</button>

package/build/host/views/admin/users.edge

@@ -21,6 +21,35 @@
       <a href="/admin/audit" class="text-gray-500 hover:underline">{{ t('admin.nav.audit') }}</a>
     </nav>
 
+    @if(error)
+      <div class="mb-4 rounded-lg border border-red-300 bg-red-50 p-3"><p class="text-sm font-medium text-red-900">{{ error }}</p></div>
+    @end
+    @if(created)
+      <div class="mb-4 rounded-lg border border-emerald-300 bg-emerald-50 p-3"><p class="text-sm font-medium text-emerald-900">{{ created }}</p></div>
+    @end
+    @if(resetSent)
+      <div class="mb-4 rounded-lg border border-blue-300 bg-blue-50 p-3"><p class="text-sm font-medium text-blue-900">{{ resetSent }}</p></div>
+    @end
+    @if(statusChanged)
+      <div class="mb-4 rounded-lg border border-amber-300 bg-amber-50 p-3"><p class="text-sm font-medium text-amber-900">{{ statusChanged }}</p></div>
+    @end
+
+    <div class="mb-6 rounded-xl bg-white p-4 shadow-sm ring-1 ring-black/5">
+      <h2 class="mb-3 text-sm font-semibold text-gray-900">{{ t('admin.users.create_section') }}</h2>
+      <form method="POST" action="/admin/users" class="grid gap-2 sm:grid-cols-4">
+        <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+        <input name="email" type="email" required placeholder="{{ t('admin.users.create_email_placeholder') }}"
+          class="rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
+        <input name="name" type="text" placeholder="{{ t('admin.users.create_name_placeholder') }}"
+          class="rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
+        <input name="password" type="password" minlength="8" placeholder="{{ t('admin.users.create_password_placeholder') }}"
+          class="rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
+        <button type="submit" class="rounded-lg bg-gray-900 px-4 text-sm font-semibold text-white">
+          {{ t('admin.users.create_submit') }}
+        </button>
+      </form>
+    </div>
+
     <form method="GET" action="/admin/users" class="mb-6 flex gap-2">
       <input name="search" value="{{ search }}" placeholder="{{ t('admin.users.search_placeholder') }}"
         class="flex-1 rounded-lg border border-gray-300 px-3 py-2 text-sm outline-none focus:border-gray-900" />
@@ -37,12 +66,43 @@
           <div class="border-b border-gray-100 p-4 last:border-0">
             <div class="flex items-center justify-between">
               <div>
-                <p class="text-sm font-medium text-gray-900">{{ user.email }}</p>
+                <p class="text-sm font-medium text-gray-900">
+                  {{ user.email }}
+                  @if(user.disabled)
+                    <span class="ml-2 rounded bg-red-100 px-2 py-0.5 text-xs font-semibold text-red-700">{{ t('admin.users.disabled_badge') }}</span>
+                  @end
+                </p>
                 @if(user.name)
                   <p class="text-xs text-gray-500">{{ user.name }}</p>
                 @end
               </div>
-              <a href="/admin/users/{{ user.id }}/sessions" class="text-sm text-gray-500 hover:underline">{{ t('admin.users.sessions') }}</a>
+              <div class="flex items-center gap-3 text-sm">
+                <a href="/admin/users/{{ user.id }}/sessions" class="text-gray-500 hover:underline">{{ t('admin.users.sessions') }}</a>
+                <form method="POST" action="/admin/users/{{ user.id }}/reset-password" class="inline">
+                  <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+                  <input type="hidden" name="search" value="{{ search }}">
+                  <input type="hidden" name="page" value="{{ page }}">
+                  <button type="submit" class="text-gray-500 hover:underline">{{ t('admin.users.reset_password') }}</button>
+                </form>
+                @if(statusSupported)
+                  @if(user.disabled)
+                    <form method="POST" action="/admin/users/{{ user.id }}/enable" class="inline">
+                      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+                      <input type="hidden" name="search" value="{{ search }}">
+                      <input type="hidden" name="page" value="{{ page }}">
+                      <button type="submit" class="text-emerald-700 hover:underline">{{ t('admin.users.enable') }}</button>
+                    </form>
+                  @else
+                    <form method="POST" action="/admin/users/{{ user.id }}/disable" class="inline"
+                      onsubmit="return confirm('{{ t('admin.users.disable_confirm') }}')">
+                      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+                      <input type="hidden" name="search" value="{{ search }}">
+                      <input type="hidden" name="page" value="{{ page }}">
+                      <button type="submit" class="text-red-700 hover:underline">{{ t('admin.users.disable') }}</button>
+                    </form>
+                  @end
+                @end
+              </div>
             </div>
             <form method="POST" action="/admin/users/{{ user.id }}/roles" class="mt-3 flex gap-2">
               <input type="hidden" name="_csrf" value="{{ csrfToken }}">

package/build/host/views/login.edge

@@ -86,6 +86,61 @@
           <a href="/auth/forgot-password" class="hover:underline">{{ t('login.forgot_password') }}</a>
         </div>
       </form>
+
+      {{-- Passwordless: confirmação de magic link enviado (anti-enumeração). --}}
+      @if(magicLinkSent)
+        <p class="mt-4 rounded-lg bg-green-50 px-3 py-2 text-sm text-green-700">{{ t('login.magic_link_sent') }}</p>
+      @end
+
+      {{-- Passwordless: "me envie um link de login" (mesma sessão/e-mail; não pede senha). --}}
+      @if(magicLinkAvailable && !magicLinkSent)
+        <form method="POST" action="/auth/interaction/{{ uid }}/magic" class="mt-4">
+          <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+          <button type="submit"
+            class="w-full rounded-lg border border-gray-300 py-2.5 text-sm font-semibold text-gray-700 transition hover:bg-gray-50">
+            {{ t('login.magic_link_button') }}
+          </button>
+        </form>
+      @end
+
+      {{-- Passwordless: "entrar com passkey" ANTES da senha. Reusa as cerimônias
+           de passkey do MFA (begin/finish) liberadas no estágio de senha. --}}
+      @if(passkeyFirstAvailable)
+        <form id="passkey-form" method="POST" action="/auth/interaction/{{ uid }}/passkey/verify" class="mt-4">
+          <input type="hidden" name="_csrf" value="{{ csrfToken }}">
+          <input type="hidden" name="response" id="passkey-response">
+        </form>
+        <button type="button" id="passkey-button"
+          class="mt-4 w-full rounded-lg border border-gray-300 py-2.5 text-sm font-semibold text-gray-700 transition hover:bg-gray-50">
+          {{ t('login.passkey_button') }}
+        </button>
+        <p id="passkey-error" class="mt-3 hidden text-sm text-red-600">{{ t('mfa_challenge.passkey_error') }}</p>
+        <script type="module">
+          import { startAuthentication } from 'https://cdn.jsdelivr.net/npm/@simplewebauthn/browser@13/dist/bundle/index.js'
+          const btn = document.getElementById('passkey-button')
+          const errEl = document.getElementById('passkey-error')
+          const csrf = document.querySelector('#passkey-form input[name="_csrf"]').value
+          btn?.addEventListener('click', async () => {
+            errEl.classList.add('hidden')
+            btn.disabled = true
+            try {
+              const res = await fetch('/auth/interaction/{{ uid }}/passkey/options', {
+                method: 'POST',
+                headers: { 'content-type': 'application/json', 'x-csrf-token': csrf },
+                body: JSON.stringify({}),
+              })
+              if (!res.ok) throw new Error('options')
+              const optionsJSON = await res.json()
+              const assertion = await startAuthentication({ optionsJSON })
+              document.getElementById('passkey-response').value = JSON.stringify(assertion)
+              document.getElementById('passkey-form').submit()
+            } catch (e) {
+              errEl.classList.remove('hidden')
+              btn.disabled = false
+            }
+          })
+        </script>
+      @end
     </div>
   @end
 </body></html>

package/build/host/views/mfa-challenge.edge

@@ -24,6 +24,13 @@
             class="w-full rounded-lg border border-gray-300 px-3 py-2 text-center text-lg tracking-[0.4em] outline-none transition focus:border-gray-900 focus:ring-2 focus:ring-gray-900" />
         </div>
 
+        @if(trustedDevicesEnabled)
+          <label class="mt-4 flex items-center gap-2 text-sm text-gray-600">
+            <input type="checkbox" name="trustDevice" value="on" class="h-4 w-4 rounded border-gray-300">
+            {{ t('mfa_challenge.trust_device', { days: trustedDeviceDays }) }}
+          </label>
+        @end
+
         <button type="submit"
           class="mt-6 w-full rounded-lg bg-gray-900 py-2.5 text-sm font-semibold text-white transition hover:opacity-90">
           {{ t('mfa_challenge.submit') }}
@@ -37,6 +44,7 @@
       <form id="passkey-form" method="POST" action="/auth/interaction/{{ uid }}/passkey/verify" class="mt-4">
         <input type="hidden" name="_csrf" value="{{ csrfToken }}">
         <input type="hidden" name="response" id="passkey-response">
+        <input type="hidden" name="trustDevice" id="passkey-trust" value="">
       </form>
       <button type="button" id="passkey-button"
         class="mt-4 w-full rounded-lg border border-gray-300 py-2.5 text-sm font-semibold text-gray-700 transition hover:bg-gray-50">
@@ -83,6 +91,10 @@
           const assertion = await startAuthentication({ optionsJSON })
           // 3) Submete a assertion como POST de página inteira (segue o 303).
           document.getElementById('passkey-response').value = JSON.stringify(assertion)
+          // Carrega a escolha de "confiar neste dispositivo" para o form da passkey.
+          const trustChk = document.querySelector('input[name="trustDevice"][type="checkbox"]')
+          const trustHidden = document.getElementById('passkey-trust')
+          if (trustHidden) trustHidden.value = trustChk && trustChk.checked ? 'on' : ''
           document.getElementById('passkey-form').submit()
         } catch (e) {
           errEl.classList.remove('hidden')

package/build/index.d.ts

@@ -8,10 +8,14 @@ export { registerOidcRoutes } from './src/register_routes.js';
 export type { AuthServerConfigInput, ResolvedServerConfig, DynamicRegistrationConfigInput, ResolvedDynamicRegistrationConfig, AdminConfigInput, ResolvedAdminConfig, } from './src/define_config.js';
 export { resolveAdmin, resolveWebauthn, resolveDynamicRegistration } from './src/define_config.js';
 export type { WebauthnConfigInput, ResolvedWebauthnConfig } from './src/define_config.js';
+export { resolvePasswordless } from './src/define_config.js';
+export type { PasswordlessConfigInput, ResolvedPasswordlessConfig, } from './src/define_config.js';
+export { resolveTrustedDevices, isTrustedDeviceValid, buildTrustedDevicePayload, TRUSTED_DEVICE_COOKIE, } from './src/host/trusted_device.js';
+export type { TrustedDevicesConfigInput, ResolvedTrustedDevicesConfig, TrustedDevicePayload, } from './src/host/trusted_device.js';
 export { lucidAccountStore } from './src/accounts/lucid_account_store.js';
 export type { LucidAccountStoreOptions, AccountSecretEncrypter, } from './src/accounts/lucid_account_store.js';
-export type { AccountStore, CoreAccountStore, AdminCapability, MfaCapability, WebauthnCapability, ProviderIdentityCapability, AccountSecurityCapability, AuthAccount, CreateAccountInput, LinkProviderIdentityInput, ListAccountsParams, Paginated, PasskeySummary, } from './src/accounts/account_store.js';
-export { supportsMfa, supportsPasskeys, supportsProviderIdentity, supportsAccountSecurity, } from './src/accounts/account_store.js';
+export type { AccountStore, CoreAccountStore, AdminCapability, MfaCapability, WebauthnCapability, ProviderIdentityCapability, AccountSecurityCapability, MagicLinkCapability, AuthAccount, CreateAccountInput, LinkProviderIdentityInput, ListAccountsParams, Paginated, PasskeySummary, } from './src/accounts/account_store.js';
+export { supportsMfa, supportsPasskeys, supportsProviderIdentity, supportsAccountSecurity, supportsMagicLink, } from './src/accounts/account_store.js';
 export { withProviderIdentity } from './src/mixins/with_provider_identity.js';
 export type { ProviderIdentityRow, ProviderIdentityClass, } from './src/mixins/with_provider_identity.js';
 export { withWebauthnCredential } from './src/mixins/with_webauthn_credential.js';
@@ -22,6 +26,8 @@ export { withPersonalAccessToken } from './src/mixins/with_personal_access_token
 export { lucidAuditSink } from './src/audit/lucid_audit_sink.js';
 export type { AuditSink, AuditEvent, AuditEventType, StoredAuditEvent, ListAuditParams, AuditPage, } from './src/audit/audit_sink.js';
 export { withAuditLog } from './src/mixins/with_audit_log.js';
+export { composeAuditSink, resolveEvents, buildWebhookBody, signWebhookBody, } from './src/events/dispatcher.js';
+export type { EventsConfigInput, ResolvedEventsConfig } from './src/events/dispatcher.js';
 export { inertiaRenderer } from './src/host/renderers/inertia_renderer.js';
 export { edgeRenderer } from './src/host/renderers/edge_renderer.js';
 export { brandFor, isFirstParty } from './src/host/branding.js';

package/build/index.js

@@ -6,14 +6,17 @@ export { withMfa } from './src/mixins/with_mfa.js';
 export { OidcService } from './src/provider/oidc_service.js';
 export { registerOidcRoutes } from './src/register_routes.js';
 export { resolveAdmin, resolveWebauthn, resolveDynamicRegistration } from './src/define_config.js';
+export { resolvePasswordless } from './src/define_config.js';
+export { resolveTrustedDevices, isTrustedDeviceValid, buildTrustedDevicePayload, TRUSTED_DEVICE_COOKIE, } from './src/host/trusted_device.js';
 export { lucidAccountStore } from './src/accounts/lucid_account_store.js';
-export { supportsMfa, supportsPasskeys, supportsProviderIdentity, supportsAccountSecurity, } from './src/accounts/account_store.js';
+export { supportsMfa, supportsPasskeys, supportsProviderIdentity, supportsAccountSecurity, supportsMagicLink, } from './src/accounts/account_store.js';
 export { withProviderIdentity } from './src/mixins/with_provider_identity.js';
 export { withWebauthnCredential } from './src/mixins/with_webauthn_credential.js';
 export { lucidPatStore } from './src/pat/lucid_pat_store.js';
 export { withPersonalAccessToken } from './src/mixins/with_personal_access_token.js';
 export { lucidAuditSink } from './src/audit/lucid_audit_sink.js';
 export { withAuditLog } from './src/mixins/with_audit_log.js';
+export { composeAuditSink, resolveEvents, buildWebhookBody, signWebhookBody, } from './src/events/dispatcher.js';
 export { inertiaRenderer } from './src/host/renderers/inertia_renderer.js';
 export { edgeRenderer } from './src/host/renderers/edge_renderer.js';
 export { brandFor, isFirstParty } from './src/host/branding.js';

package/build/src/accounts/account_store.d.ts

@@ -126,6 +126,43 @@ export interface AccountSecurityCapability {
         ok: false;
     }>;
 }
+/**
+ * Status da conta (habilitar/desabilitar) — usado pelo console admin para
+ * suspender uma conta sem apagá-la. É uma CAPACIDADE opcional: stores sem suporte
+ * omitem os métodos e a UI esconde os botões de disable/enable. Quando suportada,
+ * os fluxos de login (interaction OIDC + console de conta) DEVEM rejeitar contas
+ * desabilitadas (ver `attemptPasswordLogin`).
+ *
+ * O store default (Lucid) implementa via uma coluna `disabled_at` (timestamp
+ * nullable) NO model — quando a coluna existe (probe em `$columnsDefinitions`); se
+ * o model não a tiver, a capacidade fica genuinamente ausente (nenhum método é
+ * montado) e a UI esconde os botões. Hosts adicionam a coluna por migração própria
+ * (mesmo padrão documentado das demais colunas opcionais).
+ */
+export interface AccountStatusCapability {
+    /** Desabilita a conta (impede login). No-op se a conta não existe. */
+    disableAccount(accountId: string): Promise<void>;
+    /** Reabilita a conta. No-op se a conta não existe. */
+    enableAccount(accountId: string): Promise<void>;
+    /** Indica se a conta está desabilitada (false se a conta não existe). */
+    isDisabled(accountId: string): Promise<boolean>;
+}
+/**
+ * Edição do perfil próprio (console de conta): nome e avatar. CAPACIDADE opcional;
+ * stores sem suporte omitem o método e a UI esconde a seção. O store default
+ * (Lucid) grava nas colunas `full_name`/`avatar_url` do model — apenas as que
+ * existirem (probe em `$columnsDefinitions`).
+ */
+export interface ProfileCapability {
+    /**
+     * Atualiza o perfil da conta. Campos `undefined` são deixados como estão;
+     * `null` limpa o valor. Retorna a conta atualizada ou null se inexistente.
+     */
+    updateProfile(accountId: string, patch: {
+        name?: string | null;
+        avatarUrl?: string | null;
+    }): Promise<AuthAccount | null>;
+}
 /**
  * Account linking por identidade de provider (Google, GitHub, …).
  * `(provider, providerUserId)` é a chave estável vinda do provider OAuth — não
@@ -144,9 +181,16 @@ export interface ProviderIdentityCapability {
  * flow trata a ausência como "MFA desligado".
  */
 export interface MfaCapability {
-    /** Estado do MFA da conta (se o desafio TOTP deve ser exigido no login). */
+    /**
+     * Estado do MFA da conta (se o desafio TOTP deve ser exigido no login).
+     * `enabledAt` (epoch ms) é o instante em que o MFA foi (re)enrolado, usado pelo
+     * mecanismo de "trusted devices": um cookie de confiança emitido ANTES desse
+     * instante é considerado inválido (re-enrolar MFA revoga a confiança). Pode ser
+     * `null`/ausente quando o MFA não está ativo ou o store não rastreia o instante.
+     */
     getMfaState(accountId: string): Promise<{
         enabled: boolean;
+        enabledAt?: number | null;
     }>;
     /**
      * Inicia o enrollment TOTP: gera um segredo PENDENTE (mfaEnabledAt continua
@@ -218,6 +262,34 @@ export interface WebauthnCapability {
     /** Remove uma passkey (por credential id) da conta. */
     removePasskey(accountId: string, credentialId: string): Promise<void>;
 }
+/**
+ * Login sem senha por "magic link" — um token de uso único e curta duração
+ * enviado por e-mail. CAPACIDADE opcional: stores sem suporte omitem os métodos e
+ * a UI esconde o botão "me envie um link".
+ *
+ * O store default (Lucid) reaproveita as colunas de reset de senha
+ * (`passwordResetToken` / `passwordResetExpiresAt`) codificando o token com o
+ * prefixo `ml:` — assim NÃO exige migração nova (mesmo padrão do `ec:` da troca de
+ * e-mail). O tradeoff é que um magic link e um reset de senha pendentes não
+ * coexistem (mesma coluna); na prática são fluxos distintos no tempo. Consumir um
+ * magic link NÃO altera a senha.
+ */
+export interface MagicLinkCapability {
+    /**
+     * Emite um magic link para o e-mail. Retorna o token + a conta, ou null se a
+     * conta não existe (o controller SEMPRE renderiza "link enviado" para não vazar
+     * a existência de contas).
+     */
+    issueMagicLinkToken(email: string): Promise<{
+        token: string;
+        account: AuthAccount;
+    } | null>;
+    /**
+     * Consome (single-use) um magic link. Retorna a conta autenticada ou null se o
+     * token é inválido/expirado. NÃO altera a senha.
+     */
+    consumeMagicLinkToken(token: string): Promise<AuthAccount | null>;
+}
 /**
  * Store de contas usado pela config. É o núcleo SEMPRE presente
  * ({@link CoreAccountStore}) + as capacidades opcionais (MFA, WebAuthn, account
@@ -227,7 +299,7 @@ export interface WebauthnCapability {
  * presentes-mas-lançando). Use os type guards {@link supportsMfa},
  * {@link supportsPasskeys}, {@link supportsProviderIdentity} para estreitar.
  */
-export type AccountStore = CoreAccountStore & Partial<MfaCapability & WebauthnCapability & ProviderIdentityCapability & AccountSecurityCapability>;
+export type AccountStore = CoreAccountStore & Partial<MfaCapability & WebauthnCapability & ProviderIdentityCapability & AccountSecurityCapability & AccountStatusCapability & ProfileCapability & MagicLinkCapability>;
 /** Type guard: o store implementa a capacidade de MFA / TOTP. */
 export declare function supportsMfa(store: AccountStore): store is AccountStore & MfaCapability;
 /** Type guard: o store implementa a capacidade de passkeys / WebAuthn. */
@@ -236,3 +308,9 @@ export declare function supportsPasskeys(store: AccountStore): store is AccountS
 export declare function supportsProviderIdentity(store: AccountStore): store is AccountStore & ProviderIdentityCapability;
 /** Type guard: o store implementa o self-service de segurança (senha/e-mail). */
 export declare function supportsAccountSecurity(store: AccountStore): store is AccountStore & AccountSecurityCapability;
+/** Type guard: o store implementa habilitar/desabilitar conta. */
+export declare function supportsAccountStatus(store: AccountStore): store is AccountStore & AccountStatusCapability;
+/** Type guard: o store implementa a edição de perfil (nome/avatar). */
+export declare function supportsProfile(store: AccountStore): store is AccountStore & ProfileCapability;
+/** Type guard: o store implementa login por magic link (passwordless). */
+export declare function supportsMagicLink(store: AccountStore): store is AccountStore & MagicLinkCapability;

package/build/src/accounts/account_store.js

@@ -14,3 +14,15 @@ export function supportsProviderIdentity(store) {
 export function supportsAccountSecurity(store) {
     return typeof store.changePassword === 'function';
 }
+/** Type guard: o store implementa habilitar/desabilitar conta. */
+export function supportsAccountStatus(store) {
+    return typeof store.disableAccount === 'function';
+}
+/** Type guard: o store implementa a edição de perfil (nome/avatar). */
+export function supportsProfile(store) {
+    return typeof store.updateProfile === 'function';
+}
+/** Type guard: o store implementa login por magic link (passwordless). */
+export function supportsMagicLink(store) {
+    return typeof store.issueMagicLinkToken === 'function';
+}

package/build/src/accounts/lucid_account_store.js

@@ -3,6 +3,7 @@ import { buildCore } from './lucid_store/core.js';
 import { buildMfa } from './lucid_store/mfa.js';
 import { buildProviderIdentity } from './lucid_store/provider_identity.js';
 import { buildWebauthn } from './lucid_store/webauthn.js';
+import { buildStatus, buildProfile, hasColumn } from './lucid_store/status_profile.js';
 /**
  * Implementação default do {@link AccountStore} sobre um model Lucid composto
  * de `withAuthUser()` + `withCredentials()` (+ opcionalmente `withMfa()`). O
@@ -53,6 +54,7 @@ export function lucidAccountStore(Model, options = {}) {
             email: row.email,
             globalRoles: row.globalRoles ?? [],
             name: row.fullName ?? undefined,
+            avatarUrl: row.avatarUrl ?? undefined,
         }),
     };
     // Núcleo + MFA são sempre presentes. Passkeys e provider-identity só entram
@@ -65,5 +67,11 @@ export function lucidAccountStore(Model, options = {}) {
         ...(WebauthnCredentialModel
             ? buildWebauthn(ctx, WebauthnCredentialModel, webauthn, ceremonies)
             : {}),
+        // Status (disable/enable) só quando o model tem a coluna `disabled_at`.
+        ...(hasColumn(Model, 'disabledAt') ? buildStatus(ctx) : {}),
+        // Perfil (nome/avatar) só quando o model tem ao menos uma das colunas.
+        ...(hasColumn(Model, 'fullName') || hasColumn(Model, 'avatarUrl')
+            ? buildProfile(ctx)
+            : {}),
     };
 }

package/build/src/accounts/lucid_store/core.d.ts

@@ -1,4 +1,4 @@
-import type { AccountSecurityCapability, CoreAccountStore } from '../account_store.js';
+import type { AccountSecurityCapability, CoreAccountStore, MagicLinkCapability } from '../account_store.js';
 import type { LucidStoreContext } from './shared.js';
 /**
  * Núcleo SEMPRE presente do {@link CoreAccountStore} sobre um model Lucid:
@@ -6,4 +6,4 @@ import type { LucidStoreContext } from './shared.js';
  * (listagem paginada + roles globais) e o self-service de segurança
  * ({@link AccountSecurityCapability}: trocar senha/e-mail).
  */
-export declare function buildCore(ctx: LucidStoreContext): CoreAccountStore & AccountSecurityCapability;
+export declare function buildCore(ctx: LucidStoreContext): CoreAccountStore & AccountSecurityCapability & MagicLinkCapability;

package/build/src/accounts/lucid_store/core.js

@@ -2,6 +2,8 @@ import { randomBytes } from 'node:crypto';
 import { DateTime } from 'luxon';
 /** Prefixo do token de troca de e-mail (reaproveita a coluna emailVerificationToken). */
 const EMAIL_CHANGE_PREFIX = 'ec:';
+/** Prefixo do magic link (reaproveita as colunas de reset de senha). */
+const MAGIC_LINK_PREFIX = 'ml:';
 /**
  * Núcleo SEMPRE presente do {@link CoreAccountStore} sobre um model Lucid:
  * identidade, cadastro, reset de senha, verificação de e-mail, administração
@@ -46,6 +48,10 @@ export function buildCore(ctx) {
             return { token, account: toAccount(row) };
         },
         async consumePasswordResetToken(token, newPassword) {
+            // Magic links (`ml:`) NÃO são tokens de reset de senha — só o fluxo de
+            // consumeMagicLinkToken pode consumi-los (não trocam senha).
+            if (token.startsWith(MAGIC_LINK_PREFIX))
+                return false;
             const row = await Model.query().where('passwordResetToken', token).first();
             if (!row)
                 return false;
@@ -57,6 +63,33 @@ export function buildCore(ctx) {
             await row.save();
             return true;
         },
+        // ----- Magic link (login passwordless) -----
+        async issueMagicLinkToken(email) {
+            const row = await Model.query().where('email', email).first();
+            if (!row)
+                return null;
+            // Token `ml:<random>` nas colunas de reset (sem migração); o prefixo o
+            // distingue de um token de reset de senha. Curta duração (15 min).
+            const token = `${MAGIC_LINK_PREFIX}${randomBytes(32).toString('hex')}`;
+            row.passwordResetToken = token;
+            row.passwordResetExpiresAt = DateTime.now().plus({ minutes: 15 });
+            await row.save();
+            return { token, account: toAccount(row) };
+        },
+        async consumeMagicLinkToken(token) {
+            if (!token || !token.startsWith(MAGIC_LINK_PREFIX))
+                return null;
+            const row = await Model.query().where('passwordResetToken', token).first();
+            if (!row)
+                return null;
+            if (!row.passwordResetExpiresAt || row.passwordResetExpiresAt < DateTime.now())
+                return null;
+            // Single-use: limpa o token (NÃO altera a senha).
+            row.passwordResetToken = null;
+            row.passwordResetExpiresAt = null;
+            await row.save();
+            return toAccount(row);
+        },
         async issueEmailVerificationToken(email) {
             const row = await Model.query().where('email', email).first();
             if (!row)

package/build/src/accounts/lucid_store/mfa.js

@@ -11,7 +11,10 @@ export function buildMfa(ctx) {
     return {
         async getMfaState(accountId) {
             const row = await Model.find(accountId);
-            return { enabled: !!row?.mfaEnabledAt };
+            // `enabledAt` (epoch ms) habilita o trusted-device check: um cookie de
+            // confiança emitido ANTES deste instante é inválido (re-enrolar revoga).
+            const enabledAt = row?.mfaEnabledAt ? row.mfaEnabledAt.toMillis() : null;
+            return { enabled: !!row?.mfaEnabledAt, enabledAt };
         },
         async startTotpEnrollment(accountId) {
             const row = await Model.find(accountId);