@dudousxd/adonis-authkit-server 0.6.0 → 0.8.0

package/build/src/host/controllers/account_security_controller.js

@@ -3,6 +3,7 @@ import { ACCOUNT_SESSION_KEY } from '../middleware/account_auth.js';
 import { supportsAccountSecurity, supportsProfile } from '../../accounts/account_store.js';
 import { changePasswordValidator, changeEmailValidator, updateProfileValidator } from '../validators.js';
 import { sendEmailChangeConfirmationEmail } from '../default_mailer.js';
+import { storeAvatar, isDriveAvailable, AvatarUploadError } from '../avatar_storage.js';
 import { translate } from '../i18n.js';
 import { TRUSTED_DEVICE_COOKIE } from '../trusted_device.js';
 /**
@@ -23,6 +24,8 @@ export default class AccountSecurityController {
             csrfToken: ctx.request.csrfToken,
             supported: supportsAccountSecurity(cfg.accountStore),
             profileSupported: supportsProfile(cfg.accountStore),
+            // Só mostramos o input de arquivo se o drive do app estiver disponível.
+            avatarUploadSupported: await isDriveAvailable(),
             email: account?.email ?? '',
             name: account?.name ?? '',
             avatarUrl: account?.avatarUrl ?? '',
@@ -64,16 +67,45 @@ export default class AccountSecurityController {
             return ctx.response.redirect('/account/security');
         }
         const { name, avatarUrl } = await ctx.request.validateUsing(updateProfileValidator);
+        // Upload de avatar via o drive do app (opt-in pela presença do arquivo).
+        // Se um arquivo for enviado e o drive estiver disponível, a URL resultante
+        // tem prioridade sobre o input de URL; senão caímos no avatarUrl (texto).
+        let resolvedAvatarUrl = avatarUrl ?? null;
+        let via = 'url';
+        const file = ctx.request.file('avatar', {
+            size: `${cfg.uploads.avatars.maxSizeMb}mb`,
+            extnames: ['jpg', 'jpeg', 'png', 'webp'],
+        });
+        if (file) {
+            try {
+                const uploadedUrl = await storeAvatar(ctx, cfg.uploads, file, userId, {
+                    extname: translate(cfg.messages, 'account.profile.avatar_invalid_type'),
+                    size: translate(cfg.messages, 'account.profile.avatar_too_large'),
+                });
+                if (uploadedUrl) {
+                    resolvedAvatarUrl = uploadedUrl;
+                    via = 'upload';
+                }
+            }
+            catch (error) {
+                if (error instanceof AvatarUploadError) {
+                    ctx.session.flash('securityError', error.message);
+                    return ctx.response.redirect('/account/security');
+                }
+                throw error;
+            }
+        }
         // Campos ausentes no form viram string vazia (limpa o valor); enviamos null
         // para limpar, ou o valor trimado.
         await store.updateProfile(userId, {
             name: name ?? null,
-            avatarUrl: avatarUrl ?? null,
+            avatarUrl: resolvedAvatarUrl,
         });
         await cfg.audit?.record({
             type: 'profile.updated',
             accountId: userId,
             ip: ctx.request.ip?.() ?? null,
+            metadata: { via },
         });
         ctx.session.flash('profileUpdated', translate(cfg.messages, 'account.profile.updated'));
         return ctx.response.redirect('/account/security');

package/build/src/host/controllers/admin/admin_users_controller.js

@@ -1,9 +1,8 @@
 import '../../augmentations.js';
-import { randomBytes } from 'node:crypto';
 import { supportsAccountStatus } from '../../../accounts/account_store.js';
 import { ACCOUNT_SESSION_KEY } from '../../middleware/account_auth.js';
 import { adminCreateUserValidator } from '../../validators.js';
-import { sendPasswordResetEmail } from '../../default_mailer.js';
+import { AdminUsersService } from '../../admin_api/admin_users_service.js';
 const PAGE_SIZE = 20;
 /**
  * Gestão de usuários do IdP: listagem paginada com busca por e-mail e edição das
@@ -57,30 +56,15 @@ export default class AdminUsersController {
     async store(ctx) {
         const service = await ctx.containerResolver.make('authkit.server');
         const cfg = service.config;
-        const store = cfg.accountStore;
         const actorId = ctx.session.get(ACCOUNT_SESSION_KEY) ?? null;
         const ip = ctx.request.ip?.() ?? null;
         const { email, name, password } = await ctx.request.validateUsing(adminCreateUserValidator);
-        const existing = await store.findByEmail(email);
-        if (existing) {
+        const users = new AdminUsersService(cfg);
+        const result = await users.create(ctx, { email, name, password }, { actorId, ip });
+        if (!result.ok) {
             ctx.session.flash('usersError', cfg.messages['errors.email_taken'] ?? 'errors.email_taken');
             return ctx.response.redirect('/admin/users');
         }
-        // Sem senha informada: cria com uma senha aleatória forte (descartável) e
-        // dispara o fluxo de reset para o usuário definir a sua.
-        const initialPassword = password ?? randomBytes(24).toString('hex');
-        const account = await store.create({ email, password: initialPassword, fullName: name ?? null });
-        await cfg.audit?.record({
-            type: 'user.created',
-            accountId: account.id,
-            email,
-            actorId,
-            ip,
-            metadata: { invited: !password },
-        });
-        if (!password) {
-            await this.#sendResetEmail(ctx, cfg, email);
-        }
         ctx.session.flash('userCreated', cfg.messages['admin.users.created'] ?? 'admin.users.created');
         return ctx.response.redirect('/admin/users');
     }
@@ -88,21 +72,10 @@ export default class AdminUsersController {
     async resetPassword(ctx) {
         const service = await ctx.containerResolver.make('authkit.server');
         const cfg = service.config;
-        const store = cfg.accountStore;
         const actorId = ctx.session.get(ACCOUNT_SESSION_KEY) ?? null;
         const ip = ctx.request.ip?.() ?? null;
         const accountId = ctx.request.param('id');
-        const account = await store.findById(accountId);
-        if (account) {
-            await this.#sendResetEmail(ctx, cfg, account.email);
-            await cfg.audit?.record({
-                type: 'user.password_reset_sent',
-                accountId,
-                email: account.email,
-                actorId,
-                ip,
-            });
-        }
+        await new AdminUsersService(cfg).resetPassword(ctx, accountId, { actorId, ip });
         ctx.session.flash('resetSent', cfg.messages['admin.users.reset_sent'] ?? 'admin.users.reset_sent');
         return this.#redirectBack(ctx);
     }
@@ -117,40 +90,16 @@ export default class AdminUsersController {
     async #toggleStatus(ctx, disable) {
         const service = await ctx.containerResolver.make('authkit.server');
         const cfg = service.config;
-        const store = cfg.accountStore;
         const actorId = ctx.session.get(ACCOUNT_SESSION_KEY) ?? null;
         const ip = ctx.request.ip?.() ?? null;
         const accountId = ctx.request.param('id');
-        if (supportsAccountStatus(store)) {
-            if (disable)
-                await store.disableAccount(accountId);
-            else
-                await store.enableAccount(accountId);
-            await cfg.audit?.record({
-                type: disable ? 'user.disabled' : 'user.enabled',
-                accountId,
-                actorId,
-                ip,
-            });
+        const applied = await new AdminUsersService(cfg).setStatus(accountId, disable, { actorId, ip });
+        if (applied) {
             ctx.session.flash('statusChanged', cfg.messages[disable ? 'admin.users.disabled' : 'admin.users.enabled'] ??
                 (disable ? 'admin.users.disabled' : 'admin.users.enabled'));
         }
         return this.#redirectBack(ctx);
     }
-    /** Emite o token de reset e dispara o e-mail (hook do config tem prioridade). */
-    async #sendResetEmail(ctx, cfg, email) {
-        const issued = await cfg.accountStore.issuePasswordResetToken(email);
-        if (!issued)
-            return;
-        const origin = `${ctx.request.protocol()}://${ctx.request.host()}`;
-        const resetUrl = `${origin}/auth/reset-password?token=${encodeURIComponent(issued.token)}`;
-        if (cfg.mail?.onPasswordReset) {
-            await cfg.mail.onPasswordReset({ email, resetUrl, token: issued.token });
-        }
-        else {
-            await sendPasswordResetEmail(ctx, { email, resetUrl });
-        }
-    }
     #redirectBack(ctx) {
         const search = ctx.request.input('search', '').trim();
         const page = Math.max(1, Number.parseInt(ctx.request.input('page', '1'), 10) || 1);

package/build/src/host/i18n.d.ts

@@ -133,6 +133,10 @@ export declare const DEFAULT_MESSAGES: {
     'account.profile.intro': string;
     'account.profile.name_label': string;
     'account.profile.avatar_label': string;
+    'account.profile.avatar_upload_label': string;
+    'account.profile.avatar_upload_hint': string;
+    'account.profile.avatar_invalid_type': string;
+    'account.profile.avatar_too_large': string;
     'account.profile.submit': string;
     'account.profile.updated': string;
     'account.profile.not_supported': string;
@@ -432,6 +436,10 @@ export declare const PT_BR_MESSAGES: {
     'account.profile.intro': string;
     'account.profile.name_label': string;
     'account.profile.avatar_label': string;
+    'account.profile.avatar_upload_label': string;
+    'account.profile.avatar_upload_hint': string;
+    'account.profile.avatar_invalid_type': string;
+    'account.profile.avatar_too_large': string;
     'account.profile.submit': string;
     'account.profile.updated': string;
     'account.profile.not_supported': string;

package/build/src/host/i18n.js

@@ -135,6 +135,10 @@ export const DEFAULT_MESSAGES = {
     'account.profile.intro': 'Update your display name and avatar.',
     'account.profile.name_label': 'Name',
     'account.profile.avatar_label': 'Avatar URL',
+    'account.profile.avatar_upload_label': 'Upload avatar',
+    'account.profile.avatar_upload_hint': 'JPG, PNG or WebP, up to 5MB.',
+    'account.profile.avatar_invalid_type': 'Invalid image type. Use JPG, PNG or WebP.',
+    'account.profile.avatar_too_large': 'Image is too large.',
     'account.profile.submit': 'Save profile',
     'account.profile.updated': 'Profile updated successfully.',
     'account.profile.not_supported': 'Profile editing is not available in this installation.',
@@ -463,6 +467,10 @@ export const PT_BR_MESSAGES = {
     'account.profile.intro': 'Atualize seu nome de exibição e avatar.',
     'account.profile.name_label': 'Nome',
     'account.profile.avatar_label': 'URL do avatar',
+    'account.profile.avatar_upload_label': 'Enviar avatar',
+    'account.profile.avatar_upload_hint': 'JPG, PNG ou WebP, até 5MB.',
+    'account.profile.avatar_invalid_type': 'Tipo de imagem inválido. Use JPG, PNG ou WebP.',
+    'account.profile.avatar_too_large': 'A imagem é muito grande.',
     'account.profile.submit': 'Salvar perfil',
     'account.profile.updated': 'Perfil atualizado com sucesso.',
     'account.profile.not_supported': 'A edição de perfil não está disponível nesta instalação.',

package/build/src/host/register_auth_host.d.ts

@@ -46,6 +46,13 @@ export interface AuthHostOptions {
      * Espelhe o `admin.enabled` de config/authkit.ts.
      */
     admin?: boolean;
+    /**
+     * Admin REST API opt-in (R6); quando `true`, monta o grupo `/api/authkit/v1/*`
+     * atrás do `adminApiGuard` (API key). Necessário aqui (e não só no config) porque
+     * a decisão de montar as rotas é tomada em tempo de registro, antes do config
+     * (lazy) resolver. Espelhe o `adminApi.enabled` de config/authkit.ts.
+     */
+    adminApi?: boolean;
 }
 /**
  * Monta todas as rotas do host-kit do Authorization Server numa chamada.

package/build/src/host/register_auth_host.js

@@ -1,6 +1,7 @@
 import { resolveRateLimit } from '../define_config.js';
 import { createAuthThrottles } from './rate_limit.js';
 import { ACCOUNT_SESSION_KEY } from './middleware/account_auth.js';
+import { adminApiGuard } from './admin_api/admin_api_guard.js';
 /**
  * Guard inline do console de conta. Usamos uma closure (forma confiável do
  * `.use()` do AdonisJS) em vez de `() => import(middleware)` — a forma lazy de
@@ -60,6 +61,9 @@ const C = {
     adminSessions: () => import('./controllers/admin/admin_sessions_controller.js'),
     adminClients: () => import('./controllers/admin/admin_clients_controller.js'),
     adminAudit: () => import('./controllers/admin/admin_audit_controller.js'),
+    apiUsers: () => import('./admin_api/api_users_controller.js'),
+    apiClients: () => import('./admin_api/api_clients_controller.js'),
+    apiMisc: () => import('./admin_api/api_misc_controller.js'),
 };
 /**
  * Monta todas as rotas do host-kit do Authorization Server numa chamada.
@@ -174,4 +178,39 @@ export function registerAuthHost(router, opts) {
         })
             .use([adminGuard]);
     }
+    // Admin REST API (opt-in — R6). Superfície machine-to-machine atrás do
+    // adminApiGuard (API key). Todas as rotas levam o throttle de introspecção.
+    if (opts.adminApi) {
+        // Aplica o throttle de introspecção a uma rota qualquer (GET ou escrita).
+        const withApiThrottle = (route) => {
+            if (throttles)
+                route.use([throttles.introspection]);
+            return route;
+        };
+        router
+            .group(() => {
+            // Usuários.
+            withApiThrottle(router.get('/users', [C.apiUsers, 'index']));
+            withApiThrottle(router.post('/users', [C.apiUsers, 'store']));
+            withApiThrottle(router.get('/users/:id', [C.apiUsers, 'show']));
+            withApiThrottle(router.patch('/users/:id', [C.apiUsers, 'update']));
+            withApiThrottle(router.post('/users/:id/disable', [C.apiUsers, 'disable']));
+            withApiThrottle(router.post('/users/:id/enable', [C.apiUsers, 'enable']));
+            withApiThrottle(router.post('/users/:id/reset-password', [C.apiUsers, 'resetPassword']));
+            withApiThrottle(router.get('/users/:id/sessions', [C.apiUsers, 'sessions']));
+            withApiThrottle(router.post('/users/:id/revoke-sessions', [C.apiUsers, 'revokeSessions']));
+            // Clients OIDC.
+            withApiThrottle(router.get('/clients', [C.apiClients, 'index']));
+            withApiThrottle(router.post('/clients', [C.apiClients, 'store']));
+            withApiThrottle(router.get('/clients/:id', [C.apiClients, 'show']));
+            withApiThrottle(router.patch('/clients/:id', [C.apiClients, 'update']));
+            withApiThrottle(router.post('/clients/:id/regenerate-secret', [C.apiClients, 'regenerateSecret']));
+            withApiThrottle(router.delete('/clients/:id', [C.apiClients, 'destroy']));
+            // Auditoria + verificação de token.
+            withApiThrottle(router.get('/audit', [C.apiMisc, 'audit']));
+            withApiThrottle(router.post('/tokens/verify', [C.apiMisc, 'verify']));
+        })
+            .prefix('/api/authkit/v1')
+            .use([adminApiGuard]);
+    }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dudousxd/adonis-authkit-server",
-  "version": "0.6.0",
+  "version": "0.8.0",
   "description": "AdonisJS OIDC/OAuth2 provider (Identity Provider) toolkit: ejectable auth server with sessions, rate-limiting, MFA/TOTP, audit log, federated logout and OpenTelemetry metrics.",
   "license": "MIT",
   "author": "dudousxd",
@@ -54,6 +54,7 @@
   "peerDependencies": {
     "@adonisjs/ally": "6.3.0",
     "@adonisjs/core": "7.3.3",
+    "@adonisjs/drive": "4.0.0",
     "@adonisjs/lucid": "22.4.2",
     "@adonisjs/session": "8.1.0",
     "@adonisjs/shield": "9.0.0",
@@ -65,6 +66,9 @@
     },
     "@adonisjs/ally": {
       "optional": true
+    },
+    "@adonisjs/drive": {
+      "optional": true
     }
   },
   "dependencies": {
@@ -81,6 +85,7 @@
   "devDependencies": {
     "@adonisjs/ally": "6.3.0",
     "@adonisjs/core": "7.3.3",
+    "@adonisjs/drive": "4.0.0",
     "@adonisjs/lucid": "22.4.2",
     "@adonisjs/session": "8.1.0",
     "@adonisjs/shield": "9.0.0",