npm - @dudousxd/adonis-authkit-server - Versions diffs - 0.5.0 → 0.6.0 - Mend

@dudousxd/adonis-authkit-server 0.5.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (46) hide show

package/README.md +23 -2
package/build/host/views/account/apps.edge +58 -0
package/build/host/views/account/security.edge +53 -0
package/build/host/views/account/tokens.edge +1 -0
package/build/host/views/admin/users.edge +62 -2
package/build/host/views/login.edge +55 -0
package/build/host/views/mfa-challenge.edge +12 -0
package/build/index.d.ts +8 -2
package/build/index.js +4 -1
package/build/src/accounts/account_store.d.ts +80 -2
package/build/src/accounts/account_store.js +12 -0
package/build/src/accounts/lucid_account_store.js +8 -0
package/build/src/accounts/lucid_store/core.d.ts +2 -2
package/build/src/accounts/lucid_store/core.js +33 -0
package/build/src/accounts/lucid_store/mfa.js +4 -1
package/build/src/accounts/lucid_store/status_profile.d.ts +21 -0
package/build/src/accounts/lucid_store/status_profile.js +66 -0
package/build/src/audit/audit_sink.d.ts +1 -1
package/build/src/define_config.d.ts +53 -0
package/build/src/define_config.js +14 -1
package/build/src/doctor/checks.js +32 -32
package/build/src/events/dispatcher.d.ts +45 -0
package/build/src/events/dispatcher.js +92 -0
package/build/src/host/admin_sessions_service.d.ts +8 -0
package/build/src/host/admin_sessions_service.js +19 -0
package/build/src/host/controllers/account_apps_controller.d.ts +15 -0
package/build/src/host/controllers/account_apps_controller.js +61 -0
package/build/src/host/controllers/account_security_controller.d.ts +9 -0
package/build/src/host/controllers/account_security_controller.js +52 -2
package/build/src/host/controllers/account_session_controller.js +3 -1
package/build/src/host/controllers/admin/admin_users_controller.d.ts +13 -0
package/build/src/host/controllers/admin/admin_users_controller.js +133 -0
package/build/src/host/controllers/interaction_controller.d.ts +32 -0
package/build/src/host/controllers/interaction_controller.js +169 -6
package/build/src/host/default_mailer.d.ts +8 -0
package/build/src/host/default_mailer.js +28 -0
package/build/src/host/i18n.d.ts +90 -0
package/build/src/host/i18n.js +98 -0
package/build/src/host/login_attempt.d.ts +1 -0
package/build/src/host/login_attempt.js +11 -0
package/build/src/host/register_auth_host.js +18 -1
package/build/src/host/trusted_device.d.ts +61 -0
package/build/src/host/trusted_device.js +65 -0
package/build/src/host/validators.d.ts +35 -0
package/build/src/host/validators.js +14 -0
package/package.json +1 -1

package/build/src/host/controllers/account_apps_controller.js ADDED Viewed

@@ -0,0 +1,61 @@
+import '../augmentations.js';
+import { ACCOUNT_SESSION_KEY } from '../middleware/account_auth.js';
+import { AdminSessionsService } from '../admin_sessions_service.js';
+/**
+ * Self-service de consentimento ("apps com acesso") no console de conta. Lista os
+ * Grants da própria conta agrupados por client (resolvendo o nome do client da
+ * config estática ou do payload do adapter) e permite revogar o acesso de um
+ * client (destrói os grants + AT/RT daquele client). Degrada graciosamente quando
+ * o adapter OIDC não enumera (`list`), espelhando o console admin.
+ */
+export default class AccountAppsController {
+    /** GET /account/apps — lista os apps com acesso (grants) da conta logada. */
+    async index(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const render = cfg.render;
+        const accountId = ctx.session.get(ACCOUNT_SESSION_KEY);
+        const sessions = new AdminSessionsService(service);
+        const supported = sessions.canList;
+        const grantList = supported ? await sessions.listGrants(accountId) : [];
+        // Resolve o nome amigável do client: clientId é o fallback (config estática não
+        // carrega um display name).
+        const nameOf = (clientId) => clientId ?? '';
+        const revoked = ctx.session.flashMessages.get('appRevoked');
+        return render(ctx, 'account/apps', {
+            csrfToken: ctx.request.csrfToken,
+            supported,
+            revoked: revoked ?? null,
+            apps: grantList
+                .filter((g) => !!g.clientId)
+                .map((g) => ({
+                clientId: g.clientId,
+                name: nameOf(g.clientId),
+                accessTokens: g.accessTokens,
+                refreshTokens: g.refreshTokens,
+            })),
+        });
+    }
+    /** POST /account/apps/:clientId/revoke — revoga o acesso de um client. */
+    async revoke(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const accountId = ctx.session.get(ACCOUNT_SESSION_KEY);
+        const clientId = ctx.request.param('clientId');
+        const sessions = new AdminSessionsService(service);
+        const result = await sessions.revokeClientGrants(accountId, clientId);
+        await cfg.audit?.record({
+            type: 'grant.revoked_by_user',
+            accountId,
+            clientId,
+            ip: ctx.request.ip?.() ?? null,
+            metadata: {
+                grants: result.grants,
+                accessTokens: result.accessTokens,
+                refreshTokens: result.refreshTokens,
+            },
+        });
+        ctx.session.flash('appRevoked', cfg.messages['account.apps.revoked'] ?? 'account.apps.revoked');
+        return ctx.response.redirect('/account/apps');
+    }
+}

package/build/src/host/controllers/account_security_controller.d.ts CHANGED Viewed

@@ -9,6 +9,15 @@ import type { HttpContext } from '@adonisjs/core/http';
  */
 export default class AccountSecurityController {
     index(ctx: HttpContext): Promise<any>;
+    /**
+     * POST /account/security/trusted-devices/revoke
+     * Limpa o cookie de dispositivo confiável DESTE navegador (o MFA volta a ser
+     * exigido aqui). Revogação global por-dispositivo não existe sem estado
+     * server-side; re-enrolar o MFA invalida a confiança em TODOS os dispositivos.
+     */
+    revokeTrustedDevices(ctx: HttpContext): Promise<void>;
+    /** POST /account/security/profile — atualiza nome + avatar do próprio perfil. */
+    updateProfile(ctx: HttpContext): Promise<void>;
     changePassword(ctx: HttpContext): Promise<void>;
     changeEmail(ctx: HttpContext): Promise<void>;
     /** GET /account/email/confirm?token=... — consome o token e aplica o novo e-mail. */

package/build/src/host/controllers/account_security_controller.js CHANGED Viewed

@@ -1,9 +1,10 @@
 import '../augmentations.js';
 import { ACCOUNT_SESSION_KEY } from '../middleware/account_auth.js';
-import { supportsAccountSecurity } from '../../accounts/account_store.js';
-import { changePasswordValidator, changeEmailValidator } from '../validators.js';
+import { supportsAccountSecurity, supportsProfile } from '../../accounts/account_store.js';
+import { changePasswordValidator, changeEmailValidator, updateProfileValidator } from '../validators.js';
 import { sendEmailChangeConfirmationEmail } from '../default_mailer.js';
 import { translate } from '../i18n.js';
+import { TRUSTED_DEVICE_COOKIE } from '../trusted_device.js';
 /**
  * Self-service de segurança da conta (console de conta): trocar a senha e o
  * e-mail. A troca de senha exige a senha ATUAL (verifyCredentials). A troca de
@@ -21,13 +22,62 @@ export default class AccountSecurityController {
         return render(ctx, 'account/security', {
             csrfToken: ctx.request.csrfToken,
             supported: supportsAccountSecurity(cfg.accountStore),
+            profileSupported: supportsProfile(cfg.accountStore),
             email: account?.email ?? '',
+            name: account?.name ?? '',
+            avatarUrl: account?.avatarUrl ?? '',
             passwordChanged: ctx.session.flashMessages.get('passwordChanged') ?? null,
             emailChangeRequested: ctx.session.flashMessages.get('emailChangeRequested') ?? null,
             emailChanged: ctx.session.flashMessages.get('emailChanged') ?? null,
+            profileUpdated: ctx.session.flashMessages.get('profileUpdated') ?? null,
             error: ctx.session.flashMessages.get('securityError') ?? null,
+            trustedDevicesEnabled: cfg.trustedDevices.enabled,
+            trustedDevicesRevoked: ctx.session.flashMessages.get('trustedDevicesRevoked') ?? null,
         });
     }
+    /**
+     * POST /account/security/trusted-devices/revoke
+     * Limpa o cookie de dispositivo confiável DESTE navegador (o MFA volta a ser
+     * exigido aqui). Revogação global por-dispositivo não existe sem estado
+     * server-side; re-enrolar o MFA invalida a confiança em TODOS os dispositivos.
+     */
+    async revokeTrustedDevices(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        ctx.response.clearCookie(TRUSTED_DEVICE_COOKIE);
+        const userId = ctx.session.get(ACCOUNT_SESSION_KEY);
+        await cfg.audit?.record({
+            type: 'trusted_device.revoked',
+            accountId: userId,
+            ip: ctx.request.ip?.() ?? null,
+        });
+        ctx.session.flash('trustedDevicesRevoked', translate(cfg.messages, 'account.security.trusted_devices_revoked'));
+        return ctx.response.redirect('/account/security');
+    }
+    /** POST /account/security/profile — atualiza nome + avatar do próprio perfil. */
+    async updateProfile(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const store = cfg.accountStore;
+        const userId = ctx.session.get(ACCOUNT_SESSION_KEY);
+        if (!supportsProfile(store)) {
+            return ctx.response.redirect('/account/security');
+        }
+        const { name, avatarUrl } = await ctx.request.validateUsing(updateProfileValidator);
+        // Campos ausentes no form viram string vazia (limpa o valor); enviamos null
+        // para limpar, ou o valor trimado.
+        await store.updateProfile(userId, {
+            name: name ?? null,
+            avatarUrl: avatarUrl ?? null,
+        });
+        await cfg.audit?.record({
+            type: 'profile.updated',
+            accountId: userId,
+            ip: ctx.request.ip?.() ?? null,
+        });
+        ctx.session.flash('profileUpdated', translate(cfg.messages, 'account.profile.updated'));
+        return ctx.response.redirect('/account/security');
+    }
     async changePassword(ctx) {
         const service = await ctx.containerResolver.make('authkit.server');
         const cfg = service.config;

package/build/src/host/controllers/account_session_controller.js CHANGED Viewed

@@ -28,7 +28,9 @@ export default class AccountSessionController {
                     ? translate(cfg.messages, 'errors.account_locked', {
                         seconds: result.retryAfterSec ?? 0,
                     })
-                    : translate(cfg.messages, 'errors.invalid_credentials'),
+                    : result.disabled
+                        ? translate(cfg.messages, 'errors.account_disabled')
+                        : translate(cfg.messages, 'errors.invalid_credentials'),
             });
         }
         const acc = result.account;

package/build/src/host/controllers/admin/admin_users_controller.d.ts CHANGED Viewed

@@ -6,6 +6,19 @@ import type { HttpContext } from '@adonisjs/core/http';
  * vírgula no formulário e normalizadas aqui.
  */
 export default class AdminUsersController {
+    #private;
     index(ctx: HttpContext): Promise<any>;
+    /**
+     * POST /admin/users — cria uma conta. Se `password` for informado, a conta já
+     * nasce com senha. Senão, emite um token de reset e envia o e-mail (o usuário
+     * define a própria senha) — fluxo "create + invite". Audita `user.created`.
+     */
+    store(ctx: HttpContext): Promise<void>;
+    /** POST /admin/users/:id/reset-password — emite token de reset + envia e-mail. */
+    resetPassword(ctx: HttpContext): Promise<void>;
+    /** POST /admin/users/:id/disable — desabilita a conta (bloqueia login). */
+    disable(ctx: HttpContext): Promise<void>;
+    /** POST /admin/users/:id/enable — reabilita a conta. */
+    enable(ctx: HttpContext): Promise<void>;
     updateRoles(ctx: HttpContext): Promise<void>;
 }

package/build/src/host/controllers/admin/admin_users_controller.js CHANGED Viewed

@@ -1,4 +1,9 @@
 import '../../augmentations.js';
+import { randomBytes } from 'node:crypto';
+import { supportsAccountStatus } from '../../../accounts/account_store.js';
+import { ACCOUNT_SESSION_KEY } from '../../middleware/account_auth.js';
+import { adminCreateUserValidator } from '../../validators.js';
+import { sendPasswordResetEmail } from '../../default_mailer.js';
 const PAGE_SIZE = 20;
 /**
  * Gestão de usuários do IdP: listagem paginada com busca por e-mail e edição das
@@ -14,21 +19,149 @@ export default class AdminUsersController {
         const page = Math.max(1, Number.parseInt(ctx.request.input('page', '1'), 10) || 1);
         const result = await cfg.accountStore.listAccounts({ search, page, limit: PAGE_SIZE });
         const totalPages = Math.max(1, Math.ceil(result.total / PAGE_SIZE));
+        const store = cfg.accountStore;
+        const statusSupported = supportsAccountStatus(store);
+        // Resolve o estado de disabled por conta (só quando suportado).
+        const disabledMap = new Map();
+        if (statusSupported) {
+            for (const u of result.data) {
+                disabledMap.set(u.id, await store.isDisabled(u.id));
+            }
+        }
         return render(ctx, 'admin/users', {
             csrfToken: ctx.request.csrfToken,
             search,
             page,
             totalPages,
             total: result.total,
+            statusSupported,
+            created: ctx.session.flashMessages.get('userCreated') ?? null,
+            resetSent: ctx.session.flashMessages.get('resetSent') ?? null,
+            statusChanged: ctx.session.flashMessages.get('statusChanged') ?? null,
+            error: ctx.session.flashMessages.get('usersError') ?? null,
             users: result.data.map((u) => ({
                 id: u.id,
                 email: u.email,
                 name: u.name ?? '',
                 roles: u.globalRoles ?? [],
                 rolesText: (u.globalRoles ?? []).join(', '),
+                disabled: disabledMap.get(u.id) ?? false,
             })),
         });
     }
+    /**
+     * POST /admin/users — cria uma conta. Se `password` for informado, a conta já
+     * nasce com senha. Senão, emite um token de reset e envia o e-mail (o usuário
+     * define a própria senha) — fluxo "create + invite". Audita `user.created`.
+     */
+    async store(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const store = cfg.accountStore;
+        const actorId = ctx.session.get(ACCOUNT_SESSION_KEY) ?? null;
+        const ip = ctx.request.ip?.() ?? null;
+        const { email, name, password } = await ctx.request.validateUsing(adminCreateUserValidator);
+        const existing = await store.findByEmail(email);
+        if (existing) {
+            ctx.session.flash('usersError', cfg.messages['errors.email_taken'] ?? 'errors.email_taken');
+            return ctx.response.redirect('/admin/users');
+        }
+        // Sem senha informada: cria com uma senha aleatória forte (descartável) e
+        // dispara o fluxo de reset para o usuário definir a sua.
+        const initialPassword = password ?? randomBytes(24).toString('hex');
+        const account = await store.create({ email, password: initialPassword, fullName: name ?? null });
+        await cfg.audit?.record({
+            type: 'user.created',
+            accountId: account.id,
+            email,
+            actorId,
+            ip,
+            metadata: { invited: !password },
+        });
+        if (!password) {
+            await this.#sendResetEmail(ctx, cfg, email);
+        }
+        ctx.session.flash('userCreated', cfg.messages['admin.users.created'] ?? 'admin.users.created');
+        return ctx.response.redirect('/admin/users');
+    }
+    /** POST /admin/users/:id/reset-password — emite token de reset + envia e-mail. */
+    async resetPassword(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const store = cfg.accountStore;
+        const actorId = ctx.session.get(ACCOUNT_SESSION_KEY) ?? null;
+        const ip = ctx.request.ip?.() ?? null;
+        const accountId = ctx.request.param('id');
+        const account = await store.findById(accountId);
+        if (account) {
+            await this.#sendResetEmail(ctx, cfg, account.email);
+            await cfg.audit?.record({
+                type: 'user.password_reset_sent',
+                accountId,
+                email: account.email,
+                actorId,
+                ip,
+            });
+        }
+        ctx.session.flash('resetSent', cfg.messages['admin.users.reset_sent'] ?? 'admin.users.reset_sent');
+        return this.#redirectBack(ctx);
+    }
+    /** POST /admin/users/:id/disable — desabilita a conta (bloqueia login). */
+    async disable(ctx) {
+        return this.#toggleStatus(ctx, true);
+    }
+    /** POST /admin/users/:id/enable — reabilita a conta. */
+    async enable(ctx) {
+        return this.#toggleStatus(ctx, false);
+    }
+    async #toggleStatus(ctx, disable) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const store = cfg.accountStore;
+        const actorId = ctx.session.get(ACCOUNT_SESSION_KEY) ?? null;
+        const ip = ctx.request.ip?.() ?? null;
+        const accountId = ctx.request.param('id');
+        if (supportsAccountStatus(store)) {
+            if (disable)
+                await store.disableAccount(accountId);
+            else
+                await store.enableAccount(accountId);
+            await cfg.audit?.record({
+                type: disable ? 'user.disabled' : 'user.enabled',
+                accountId,
+                actorId,
+                ip,
+            });
+            ctx.session.flash('statusChanged', cfg.messages[disable ? 'admin.users.disabled' : 'admin.users.enabled'] ??
+                (disable ? 'admin.users.disabled' : 'admin.users.enabled'));
+        }
+        return this.#redirectBack(ctx);
+    }
+    /** Emite o token de reset e dispara o e-mail (hook do config tem prioridade). */
+    async #sendResetEmail(ctx, cfg, email) {
+        const issued = await cfg.accountStore.issuePasswordResetToken(email);
+        if (!issued)
+            return;
+        const origin = `${ctx.request.protocol()}://${ctx.request.host()}`;
+        const resetUrl = `${origin}/auth/reset-password?token=${encodeURIComponent(issued.token)}`;
+        if (cfg.mail?.onPasswordReset) {
+            await cfg.mail.onPasswordReset({ email, resetUrl, token: issued.token });
+        }
+        else {
+            await sendPasswordResetEmail(ctx, { email, resetUrl });
+        }
+    }
+    #redirectBack(ctx) {
+        const search = ctx.request.input('search', '').trim();
+        const page = Math.max(1, Number.parseInt(ctx.request.input('page', '1'), 10) || 1);
+        const qs = new URLSearchParams();
+        if (search)
+            qs.set('search', search);
+        if (page > 1)
+            qs.set('page', String(page));
+        const query = qs.toString();
+        return ctx.response.redirect(`/admin/users${query ? `?${query}` : ''}`);
+    }
     async updateRoles(ctx) {
         const service = await ctx.containerResolver.make('authkit.server');
         const cfg = service.config;

package/build/src/host/controllers/interaction_controller.d.ts CHANGED Viewed

@@ -32,6 +32,38 @@ export default class AuthInteractionController {
     private stepUpExtra;
     /** true se o store suporta passkeys E a conta tem ao menos uma registrada. */
     private hasPasskeys;
+    /**
+     * Lê o cookie de dispositivo confiável (encriptado, appKey-backed) e valida que
+     * pertence a `accountId`, não expirou e é posterior ao último (re)enrollment de
+     * MFA. Step-up NÃO chama isto (força sempre o MFA). Best-effort: qualquer erro de
+     * leitura → não confiável.
+     */
+    private checkTrustedDevice;
+    /**
+     * Se o checkbox "confiar neste dispositivo" foi marcado E o mecanismo está ligado,
+     * grava o cookie encriptado de confiança para a conta (skip MFA por N dias).
+     */
+    private maybeTrustDevice;
+    /**
+     * accountId para uma cerimônia de passkey no login. Prioriza o accountId pendente
+     * do MFA (passkey como 2º fator). Quando ausente e o passkey-first está ligado,
+     * resolve a conta pelo e-mail guardado na sessão (passkey ANTES da senha) — só se
+     * a conta existe E tem ao menos uma passkey.
+     */
+    private resolvePasskeyAccountId;
+    /**
+     * POST /auth/interaction/:uid/magic
+     * Magic link: lê o e-mail da sessão (passwordless.magicLink ligado), emite um
+     * token de uso único e dispara o e-mail. SEMPRE renderiza "link enviado",
+     * independentemente de a conta existir (anti-enumeração). Throttled como o login.
+     */
+    magicLinkRequest(ctx: HttpContext): Promise<any>;
+    /**
+     * GET /auth/interaction/:uid/magic?token=...
+     * Consome o magic link. Em sucesso finaliza o login (amr `['email']`). Token
+     * inválido/expirado volta ao início do login.
+     */
+    magicLinkConsume(ctx: HttpContext): Promise<void>;
     /**
      * POST /auth/interaction/:uid/passkey/options
      * Gera as opções de autenticação por passkey para o accountId pendente do MFA,

package/build/src/host/controllers/interaction_controller.js CHANGED Viewed

@@ -3,7 +3,9 @@ import { brandFor, isFirstParty } from '../branding.js';
 import { translate } from '../i18n.js';
 import { attemptPasswordLogin } from '../login_attempt.js';
 import { notifyLoginSuccess } from '../login_notify.js';
-import { supportsPasskeys } from '../../accounts/account_store.js';
+import { supportsPasskeys, supportsMagicLink } from '../../accounts/account_store.js';
+import { sendMagicLinkEmail } from '../default_mailer.js';
+import { TRUSTED_DEVICE_COOKIE, buildTrustedDevicePayload, isTrustedDeviceValid, } from '../trusted_device.js';
 const SESSION_KEY = 'authkit_login_email';
 /** accountId aguardando o 2º fator depois da senha verificada. */
 const MFA_PENDING_KEY = 'authkit_mfa_pending';
@@ -45,6 +47,10 @@ export default class AuthInteractionController {
         // Step 2: password — look up user for personalisation (enumeration-safe: always show step 2)
         const acc = await cfg.accountStore.findByEmail(email);
         const account = acc ? { fullName: acc.name ?? null, globalRoles: acc.globalRoles ?? [] } : null;
+        // Passwordless: magic link disponível se ligado E o store suporta. Passkey-first
+        // disponível se ligado, o store suporta E a conta tem ao menos uma passkey.
+        const magicLinkAvailable = cfg.passwordless.magicLink && supportsMagicLink(cfg.accountStore);
+        const passkeyFirstAvailable = cfg.passwordless.passkeyFirst && !!acc && (await this.hasPasskeys(cfg, acc.id));
         return render(ctx, 'login', {
             uid: details.uid,
             csrfToken: ctx.request.csrfToken,
@@ -52,6 +58,8 @@ export default class AuthInteractionController {
             email,
             account,
             brand,
+            magicLinkAvailable,
+            passkeyFirstAvailable,
         });
     }
     /**
@@ -102,7 +110,9 @@ export default class AuthInteractionController {
                     ? translate(cfg.messages, 'errors.account_locked', {
                         seconds: result.retryAfterSec ?? 0,
                     })
-                    : translate(cfg.messages, 'errors.invalid_credentials'),
+                    : result.disabled
+                        ? translate(cfg.messages, 'errors.account_disabled')
+                        : translate(cfg.messages, 'errors.invalid_credentials'),
                 brand,
             });
         }
@@ -126,6 +136,18 @@ export default class AuthInteractionController {
                     noEnrollment: true,
                 });
             }
+            // Trusted device: se o mecanismo está ligado, a conta JÁ tem MFA enrolado e
+            // o request NÃO é um step-up (que sempre força o MFA), um cookie de confiança
+            // válido para ESTA conta pula o 2º fator. amr fica `['pwd']` (sem acr de MFA).
+            if (cfg.trustedDevices.enabled && mfa.enabled && !mfaRequired) {
+                const trusted = await this.checkTrustedDevice(ctx, acc.id, mfa.enabledAt ?? null);
+                if (trusted) {
+                    await service.interactions.completeLogin(ctx, acc.id, { amr: ['pwd'] });
+                    await notifyLoginSuccess(ctx, cfg, { accountId: acc.id, email, ip, clientId });
+                    ctx.session.forget(SESSION_KEY);
+                    return;
+                }
+            }
             ctx.session.put(MFA_PENDING_KEY, acc.id);
             // Passkey disponível como alternativa ao TOTP se o store suporta E a conta
             // tem ao menos uma credencial registrada.
@@ -135,6 +157,8 @@ export default class AuthInteractionController {
                 csrfToken: ctx.request.csrfToken,
                 brand,
                 passkeyAvailable,
+                trustedDevicesEnabled: cfg.trustedDevices.enabled,
+                trustedDeviceDays: cfg.trustedDevices.days,
             });
         }
         // Sem MFA: finaliza a interaction (escreve o 303 de volta para o client).
@@ -185,9 +209,13 @@ export default class AuthInteractionController {
                 error: translate(cfg.messages, 'errors.invalid_code'),
                 brand,
                 passkeyAvailable: await this.hasPasskeys(cfg, accountId),
+                trustedDevicesEnabled: cfg.trustedDevices.enabled,
+                trustedDeviceDays: cfg.trustedDevices.days,
             });
         }
-        // Sucesso no 2º fator: finaliza a interaction para o accountId pendente.
+        // Sucesso no 2º fator: opcionalmente confia neste dispositivo (checkbox).
+        await this.maybeTrustDevice(ctx, cfg, accountId);
+        // Finaliza a interaction para o accountId pendente.
         ctx.session.forget(MFA_PENDING_KEY);
         ctx.session.forget(SESSION_KEY);
         await notifyLoginSuccess(ctx, cfg, {
@@ -230,6 +258,135 @@ export default class AuthInteractionController {
         const list = await cfg.accountStore.listPasskeys(accountId);
         return Array.isArray(list) && list.length > 0;
     }
+    /**
+     * Lê o cookie de dispositivo confiável (encriptado, appKey-backed) e valida que
+     * pertence a `accountId`, não expirou e é posterior ao último (re)enrollment de
+     * MFA. Step-up NÃO chama isto (força sempre o MFA). Best-effort: qualquer erro de
+     * leitura → não confiável.
+     */
+    async checkTrustedDevice(ctx, accountId, mfaEnabledAt) {
+        try {
+            const payload = ctx.request.encryptedCookie(TRUSTED_DEVICE_COOKIE);
+            return isTrustedDeviceValid(payload, { accountId, mfaEnabledAt });
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Se o checkbox "confiar neste dispositivo" foi marcado E o mecanismo está ligado,
+     * grava o cookie encriptado de confiança para a conta (skip MFA por N dias).
+     */
+    async maybeTrustDevice(ctx, cfg, accountId) {
+        if (!cfg.trustedDevices.enabled)
+            return;
+        const checked = ctx.request.input('trustDevice');
+        // Checkbox HTML: presente ('on'/'true'/'1') = marcado.
+        const on = checked === 'on' || checked === 'true' || checked === '1' || checked === true;
+        if (!on)
+            return;
+        const payload = buildTrustedDevicePayload(accountId, cfg.trustedDevices);
+        ctx.response.encryptedCookie(TRUSTED_DEVICE_COOKIE, payload, {
+            httpOnly: true,
+            sameSite: 'lax',
+            maxAge: cfg.trustedDevices.days * 24 * 60 * 60,
+        });
+    }
+    /**
+     * accountId para uma cerimônia de passkey no login. Prioriza o accountId pendente
+     * do MFA (passkey como 2º fator). Quando ausente e o passkey-first está ligado,
+     * resolve a conta pelo e-mail guardado na sessão (passkey ANTES da senha) — só se
+     * a conta existe E tem ao menos uma passkey.
+     */
+    async resolvePasskeyAccountId(ctx, cfg) {
+        const pending = ctx.session.get(MFA_PENDING_KEY);
+        if (pending)
+            return pending;
+        if (!cfg.passwordless?.passkeyFirst)
+            return undefined;
+        const email = ctx.session.get(SESSION_KEY);
+        if (!email)
+            return undefined;
+        const acc = await cfg.accountStore.findByEmail(email);
+        if (!acc)
+            return undefined;
+        return (await this.hasPasskeys(cfg, acc.id)) ? acc.id : undefined;
+    }
+    /**
+     * POST /auth/interaction/:uid/magic
+     * Magic link: lê o e-mail da sessão (passwordless.magicLink ligado), emite um
+     * token de uso único e dispara o e-mail. SEMPRE renderiza "link enviado",
+     * independentemente de a conta existir (anti-enumeração). Throttled como o login.
+     */
+    async magicLinkRequest(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const render = cfg.render;
+        const details = await service.interactions.details(ctx);
+        const brand = brandFor(cfg.branding, details.params.client_id, details.params.audience);
+        const email = ctx.session.get(SESSION_KEY);
+        const uid = ctx.request.param('uid');
+        if (cfg.passwordless.magicLink && supportsMagicLink(cfg.accountStore) && email) {
+            const issued = await cfg.accountStore.issueMagicLinkToken(email);
+            if (issued) {
+                await cfg.audit?.record({
+                    type: 'login.magic_link_sent',
+                    accountId: issued.account.id,
+                    email,
+                    ip: ctx.request.ip?.() ?? null,
+                    clientId: details.params.client_id ?? null,
+                });
+                const origin = `${ctx.request.protocol()}://${ctx.request.host()}`;
+                const magicUrl = `${origin}/auth/interaction/${uid}/magic?token=${encodeURIComponent(issued.token)}`;
+                if (cfg.mail?.onMagicLink) {
+                    await cfg.mail.onMagicLink({ email, magicUrl, token: issued.token });
+                }
+                else {
+                    await sendMagicLinkEmail(ctx, { email, magicUrl });
+                }
+            }
+        }
+        // Resposta uniforme (não vaza existência de conta).
+        return render(ctx, 'login', {
+            uid,
+            csrfToken: ctx.request.csrfToken,
+            step: 'password',
+            email,
+            account: null,
+            brand,
+            magicLinkSent: true,
+        });
+    }
+    /**
+     * GET /auth/interaction/:uid/magic?token=...
+     * Consome o magic link. Em sucesso finaliza o login (amr `['email']`). Token
+     * inválido/expirado volta ao início do login.
+     */
+    async magicLinkConsume(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const uid = ctx.request.param('uid');
+        const ip = ctx.request.ip?.() ?? null;
+        const clientId = (await service.interactions.details(ctx)).params.client_id;
+        const token = ctx.request.qs().token ?? '';
+        if (!cfg.passwordless.magicLink || !supportsMagicLink(cfg.accountStore) || !token) {
+            return ctx.response.redirect(`/auth/interaction/${uid}`);
+        }
+        const acc = await cfg.accountStore.consumeMagicLinkToken(token);
+        if (!acc) {
+            await cfg.audit?.record({ type: 'login.failure', ip, clientId, metadata: { stage: 'magic_link' } });
+            return ctx.response.redirect(`/auth/interaction/${uid}`);
+        }
+        await notifyLoginSuccess(ctx, cfg, {
+            accountId: acc.id,
+            email: acc.email,
+            ip,
+            clientId: clientId ?? null,
+            metadata: { method: 'magic_link' },
+        });
+        ctx.session.forget(SESSION_KEY);
+        await service.interactions.completeLogin(ctx, acc.id, { amr: ['email'] });
+    }
     /**
      * POST /auth/interaction/:uid/passkey/options
      * Gera as opções de autenticação por passkey para o accountId pendente do MFA,
@@ -238,7 +395,7 @@ export default class AuthInteractionController {
     async passkeyOptions(ctx) {
         const service = await ctx.containerResolver.make('authkit.server');
         const cfg = service.config;
-        const accountId = ctx.session.get(MFA_PENDING_KEY);
+        const accountId = await this.resolvePasskeyAccountId(ctx, cfg);
         if (!accountId) {
             return ctx.response.badRequest({
                 message: translate(cfg.messages, 'errors.session_expired'),
@@ -266,7 +423,7 @@ export default class AuthInteractionController {
         const render = cfg.render;
         const details = await service.interactions.details(ctx);
         const brand = brandFor(cfg.branding, details.params.client_id, details.params.audience);
-        const accountId = ctx.session.get(MFA_PENDING_KEY);
+        const accountId = await this.resolvePasskeyAccountId(ctx, cfg);
         const challenge = ctx.session.get(PASSKEY_AUTH_CHALLENGE_KEY);
         const ip = ctx.request.ip?.() ?? null;
         const clientId = details.params.client_id ?? null;
@@ -301,8 +458,12 @@ export default class AuthInteractionController {
                 error: translate(cfg.messages, 'mfa_challenge.passkey_error'),
                 brand,
                 passkeyAvailable: await this.hasPasskeys(cfg, accountId),
+                trustedDevicesEnabled: cfg.trustedDevices.enabled,
+                trustedDeviceDays: cfg.trustedDevices.days,
             });
         }
+        // Passkey OK: opcionalmente confia neste dispositivo (checkbox no challenge).
+        await this.maybeTrustDevice(ctx, cfg, accountId);
         ctx.session.forget(MFA_PENDING_KEY);
         ctx.session.forget(SESSION_KEY);
         await notifyLoginSuccess(ctx, cfg, {
@@ -311,7 +472,9 @@ export default class AuthInteractionController {
             clientId,
             metadata: { mfa: 'webauthn' },
         });
-        await service.interactions.completeLogin(ctx, accountId, this.stepUpExtra(cfg, details, 'webauthn'));
+        // Step-up carimba acr/amr quando solicitado; senão a passkey conta como o fator
+        // forte do login (amr `['webauthn']`) — vale tanto p/ MFA quanto passkey-first.
+        await service.interactions.completeLogin(ctx, accountId, this.stepUpExtra(cfg, details, 'webauthn') ?? { amr: ['webauthn'] });
     }
     /**
      * GET /auth/interaction/:uid/switch

package/build/src/host/default_mailer.d.ts CHANGED Viewed

@@ -45,6 +45,14 @@ export declare function sendNewLoginEmail(ctx: HttpContext, data: {
     ip: string;
     when: string;
 }): Promise<void>;
+/**
+ * Envia o e-mail de magic link (login passwordless) pelo mailer default do host.
+ * Best-effort: no fallback (sem mail) loga o link; nunca lança.
+ */
+export declare function sendMagicLinkEmail(ctx: HttpContext, data: {
+    email: string;
+    magicUrl: string;
+}): Promise<void>;
 /**
  * Envia o e-mail de verificação pelo mailer default do host.
  * Best-effort: no fallback (sem mail) loga o link; nunca lança.