npm - @dudousxd/adonis-authkit-server - Versions diffs - 0.7.0 → 0.8.0 - Mend

@dudousxd/adonis-authkit-server 0.7.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/build/index.d.ts +14 -2
package/build/index.js +9 -1
package/build/src/define_config.d.ts +25 -0
package/build/src/define_config.js +7 -0
package/build/src/host/admin_api/admin_api_guard.d.ts +8 -0
package/build/src/host/admin_api/admin_api_guard.js +41 -0
package/build/src/host/admin_api/admin_users_service.d.ts +59 -0
package/build/src/host/admin_api/admin_users_service.js +112 -0
package/build/src/host/admin_api/api_clients_controller.d.ts +48 -0
package/build/src/host/admin_api/api_clients_controller.js +104 -0
package/build/src/host/admin_api/api_misc_controller.d.ts +17 -0
package/build/src/host/admin_api/api_misc_controller.js +37 -0
package/build/src/host/admin_api/api_users_controller.d.ts +78 -0
package/build/src/host/admin_api/api_users_controller.js +135 -0
package/build/src/host/admin_api/dto.d.ts +57 -0
package/build/src/host/admin_api/dto.js +62 -0
package/build/src/host/admin_api/token_verify_service.d.ts +34 -0
package/build/src/host/admin_api/token_verify_service.js +74 -0
package/build/src/host/controllers/admin/admin_users_controller.js +7 -58
package/build/src/host/register_auth_host.d.ts +7 -0
package/build/src/host/register_auth_host.js +39 -0
package/package.json +1 -1

package/build/index.d.ts CHANGED Viewed

@@ -5,8 +5,8 @@ export { withCredentials } from './src/mixins/with_credentials.js';
 export { withMfa } from './src/mixins/with_mfa.js';
 export { OidcService } from './src/provider/oidc_service.js';
 export { registerOidcRoutes } from './src/register_routes.js';
-export type { AuthServerConfigInput, ResolvedServerConfig, DynamicRegistrationConfigInput, ResolvedDynamicRegistrationConfig, AdminConfigInput, ResolvedAdminConfig, } from './src/define_config.js';
-export { resolveAdmin, resolveWebauthn, resolveDynamicRegistration } from './src/define_config.js';
+export type { AuthServerConfigInput, ResolvedServerConfig, DynamicRegistrationConfigInput, ResolvedDynamicRegistrationConfig, AdminConfigInput, ResolvedAdminConfig, AdminApiConfigInput, ResolvedAdminApiConfig, } from './src/define_config.js';
+export { resolveAdmin, resolveAdminApi, resolveWebauthn, resolveDynamicRegistration } from './src/define_config.js';
 export type { WebauthnConfigInput, ResolvedWebauthnConfig } from './src/define_config.js';
 export { resolvePasswordless } from './src/define_config.js';
 export type { PasswordlessConfigInput, ResolvedPasswordlessConfig, } from './src/define_config.js';
@@ -42,6 +42,18 @@ export type { NotificationsConfigInput, ResolvedNotificationsConfig, } from './s
 export type { RateLimitConfigInput, RateLimitBucket, ResolvedRateLimitConfig, } from './src/define_config.js';
 export { createAuthThrottles } from './src/host/rate_limit.js';
 export type { AuthThrottles, ThrottleMiddleware } from './src/host/rate_limit.js';
+/**
+ * Admin services compartilhados pelo console (B6/HTML), pela Admin REST API (R6)
+ * e pelo driver `embedded` do @dudousxd/adonis-authkit-sdk (in-process).
+ */
+export { AdminUsersService } from './src/host/admin_api/admin_users_service.js';
+export type { AdminActor, CreateUserInput as AdminCreateUserInput, CreateUserResult as AdminCreateUserResult, } from './src/host/admin_api/admin_users_service.js';
+export { AdminClientsService } from './src/host/admin_clients_service.js';
+export type { AdminClient, ClientInput as AdminClientInput, CreatedClient, TokenEndpointAuthMethod, } from './src/host/admin_clients_service.js';
+export { AdminSessionsService } from './src/host/admin_sessions_service.js';
+export type { AdminSession, AdminGrant, RevokeResult, } from './src/host/admin_sessions_service.js';
+export { TokenVerifyService } from './src/host/admin_api/token_verify_service.js';
+export type { VerifyResult } from './src/host/admin_api/token_verify_service.js';
 /**
  * Configure hook + stubsRoot resolvidos pelo `node ace configure @dudousxd/adonis-authkit-server`.
  * O comando do AdonisJS importa o entrypoint principal e procura por estes exports.

package/build/index.js CHANGED Viewed

@@ -5,7 +5,7 @@ export { withCredentials } from './src/mixins/with_credentials.js';
 export { withMfa } from './src/mixins/with_mfa.js';
 export { OidcService } from './src/provider/oidc_service.js';
 export { registerOidcRoutes } from './src/register_routes.js';
-export { resolveAdmin, resolveWebauthn, resolveDynamicRegistration } from './src/define_config.js';
+export { resolveAdmin, resolveAdminApi, resolveWebauthn, resolveDynamicRegistration } from './src/define_config.js';
 export { resolvePasswordless } from './src/define_config.js';
 export { resolveTrustedDevices, isTrustedDeviceValid, buildTrustedDevicePayload, TRUSTED_DEVICE_COOKIE, } from './src/host/trusted_device.js';
 export { lucidAccountStore } from './src/accounts/lucid_account_store.js';
@@ -24,6 +24,14 @@ export { resolveMessages, translate, DEFAULT_MESSAGES, PT_BR_MESSAGES, BUILTIN_M
 export { registerAuthHost } from './src/host/register_auth_host.js';
 export { resolveRateLimit, resolveNotifications } from './src/define_config.js';
 export { createAuthThrottles } from './src/host/rate_limit.js';
+/**
+ * Admin services compartilhados pelo console (B6/HTML), pela Admin REST API (R6)
+ * e pelo driver `embedded` do @dudousxd/adonis-authkit-sdk (in-process).
+ */
+export { AdminUsersService } from './src/host/admin_api/admin_users_service.js';
+export { AdminClientsService } from './src/host/admin_clients_service.js';
+export { AdminSessionsService } from './src/host/admin_sessions_service.js';
+export { TokenVerifyService } from './src/host/admin_api/token_verify_service.js';
 /**
  * Configure hook + stubsRoot resolvidos pelo `node ace configure @dudousxd/adonis-authkit-server`.
  * O comando do AdonisJS importa o entrypoint principal e procura por estes exports.

package/build/src/define_config.d.ts CHANGED Viewed

@@ -278,6 +278,23 @@ export interface ResolvedAdminConfig {
     roles: string[];
 }
 export declare function resolveAdmin(input?: AdminConfigInput): ResolvedAdminConfig;
+/**
+ * Admin REST API (R6) — superfície de gestão machine-to-machine, consumida por um
+ * futuro SDK. Default: DESLIGADA. A autenticação é por API key (Bearer), checada
+ * em tempo constante contra `apiKeys`. Independente do console admin (B6): pode
+ * ligar uma sem a outra.
+ */
+export interface AdminApiConfigInput {
+    /** Liga a Admin REST API (`/api/authkit/v1`). Default: false. */
+    enabled: boolean;
+    /** API keys aceitas no header `Authorization: Bearer <key>`. */
+    apiKeys?: string[];
+}
+export interface ResolvedAdminApiConfig {
+    enabled: boolean;
+    apiKeys: string[];
+}
+export declare function resolveAdminApi(input?: AdminApiConfigInput): ResolvedAdminApiConfig;
 /**
  * Parâmetros do Relying Party (RP) das cerimônias WebAuthn / passkeys. Quando
  * omitidos, são derivados do `issuer`: `rpId` = hostname (sem porta), `origin` =
@@ -387,6 +404,12 @@ export interface AuthServerConfigInput {
      * (a montagem das rotas acontece antes do config resolver).
      */
     admin?: AdminConfigInput;
+    /**
+     * Admin REST API (R6). Default: desligada. Quando ligada, o host também deve
+     * passar `adminApi: true` em {@link AuthHostOptions} no registro de rotas (a
+     * montagem das rotas acontece antes do config resolver). Autenticação por API key.
+     */
+    adminApi?: AdminApiConfigInput;
 }
 export interface ResolvedServerConfig {
     issuer: string;
@@ -442,6 +465,8 @@ export interface ResolvedServerConfig {
     passwordless: ResolvedPasswordlessConfig;
     /** Console admin resolvido (sempre presente; default desligado). */
     admin: ResolvedAdminConfig;
+    /** Admin REST API resolvida (sempre presente; default desligada). */
+    adminApi: ResolvedAdminApiConfig;
     /** Catálogo de mensagens ativo (locale resolvido), pronto para os renderers. */
     messages: AuthMessages;
     /** Locale ativo (default 'pt-BR'). */

package/build/src/define_config.js CHANGED Viewed

@@ -92,6 +92,12 @@ export function resolveAdmin(input) {
         roles: input?.roles && input.roles.length > 0 ? input.roles : ['ADMIN'],
     };
 }
+export function resolveAdminApi(input) {
+    return {
+        enabled: input?.enabled ?? false,
+        apiKeys: input?.apiKeys ?? [],
+    };
+}
 /**
  * Resolve os parâmetros do RP de WebAuthn a partir do `issuer` quando omitidos.
  * `rpName` cai no `fallbackName` (branding/mfaIssuer) quando ausente.
@@ -189,6 +195,7 @@ export function defineConfig(config) {
             trustedDevices: resolveTrustedDevices(config.trustedDevices),
             passwordless: resolvePasswordless(config.passwordless),
             admin: resolveAdmin(config.admin),
+            adminApi: resolveAdminApi(config.adminApi),
             messages: resolveMessages(config.i18n),
             locale: config.i18n?.locale ?? 'pt-BR',
         };

package/build/src/host/admin_api/admin_api_guard.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/**
+ * Guard da Admin REST API (R6). Espelha o `adminGuard` do console (B6):
+ *   0. `config.adminApi.enabled` desligado → 404 (não vaza a existência da API);
+ *   1. `Authorization: Bearer <key>` ausente/inválido → 401 JSON.
+ * Sem nenhuma API key configurada, qualquer request é 401 (fail-safe). As respostas
+ * de erro seguem o envelope `{ error: { code, message } }`.
+ */
+export declare const adminApiGuard: (ctx: any, next: () => Promise<void>) => Promise<any>;

package/build/src/host/admin_api/admin_api_guard.js ADDED Viewed

@@ -0,0 +1,41 @@
+import { timingSafeEqual } from 'node:crypto';
+/**
+ * Compara o Bearer recebido contra a lista de API keys em tempo constante. Cada
+ * comparação só roda quando os comprimentos batem (o `timingSafeEqual` lança em
+ * tamanhos diferentes); o curto-circuito por comprimento NÃO vaza a key (só o seu
+ * tamanho), aceitável para um segredo de alta entropia gerado pelo operador.
+ */
+function keyMatches(header, keys) {
+    if (!header || !header.startsWith('Bearer '))
+        return false;
+    const provided = Buffer.from(header.slice(7));
+    let matched = false;
+    for (const key of keys) {
+        const expected = Buffer.from(key);
+        if (provided.length === expected.length && timingSafeEqual(provided, expected)) {
+            matched = true;
+        }
+    }
+    return matched;
+}
+/**
+ * Guard da Admin REST API (R6). Espelha o `adminGuard` do console (B6):
+ *   0. `config.adminApi.enabled` desligado → 404 (não vaza a existência da API);
+ *   1. `Authorization: Bearer <key>` ausente/inválido → 401 JSON.
+ * Sem nenhuma API key configurada, qualquer request é 401 (fail-safe). As respostas
+ * de erro seguem o envelope `{ error: { code, message } }`.
+ */
+export const adminApiGuard = async (ctx, next) => {
+    const service = await ctx.containerResolver.make('authkit.server');
+    const cfg = service.config;
+    if (!cfg.adminApi.enabled) {
+        return ctx.response.notFound();
+    }
+    const keys = cfg.adminApi.apiKeys;
+    if (keys.length === 0 || !keyMatches(ctx.request.header('authorization'), keys)) {
+        return ctx.response.unauthorized({
+            error: { code: 'unauthorized', message: 'API key ausente ou inválida.' },
+        });
+    }
+    return next();
+};

package/build/src/host/admin_api/admin_users_service.d.ts ADDED Viewed

@@ -0,0 +1,59 @@
+import type { HttpContext } from '@adonisjs/core/http';
+import type { ResolvedServerConfig } from '../../define_config.js';
+import type { AuthAccount } from '../../accounts/account_store.js';
+/** Quem disparou a operação (para auditoria). `admin-api` quando via REST API. */
+export interface AdminActor {
+    actorId: string | null;
+    ip: string | null;
+    /** Marca metadata da auditoria — 'admin-api' nas escritas via REST. */
+    source?: 'admin-api';
+}
+export interface CreateUserInput {
+    email: string;
+    name?: string | null;
+    password?: string | null;
+    /** Quando true (e sem password), cria com senha aleatória e envia convite/reset. */
+    invite?: boolean;
+}
+export type CreateUserResult = {
+    ok: true;
+    account: AuthAccount;
+    invited: boolean;
+} | {
+    ok: false;
+    reason: 'email_taken';
+};
+/**
+ * Lógica de gestão de usuários compartilhada entre o console admin (B6, HTML) e a
+ * Admin REST API (R6, JSON). Encapsula o fluxo "create + invite", reset de senha,
+ * troca de status e atualização de perfil/roles — todos auditando com o `actor`
+ * informado (`admin-api` nas chamadas REST).
+ */
+export declare class AdminUsersService {
+    private cfg;
+    constructor(cfg: ResolvedServerConfig);
+    /**
+     * Cria uma conta. Com `password`: já nasce com a senha. Sem `password` (ou
+     * `invite: true`): cria com senha aleatória forte e dispara o e-mail de reset
+     * (o usuário define a própria). Audita `user.created`.
+     */
+    create(ctx: HttpContext, input: CreateUserInput, actor: AdminActor): Promise<CreateUserResult>;
+    /** Emite token de reset + envia e-mail. Retorna a conta (ou null se inexistente). */
+    resetPassword(ctx: HttpContext, accountId: string, actor: AdminActor): Promise<AuthAccount | null>;
+    /**
+     * Habilita/desabilita uma conta. Retorna false quando o store não suporta a
+     * capacidade (o caller responde 409). Audita `user.disabled`/`user.enabled`.
+     */
+    setStatus(accountId: string, disable: boolean, actor: AdminActor): Promise<boolean>;
+    /** Substitui as roles globais de uma conta (normaliza nada — recebe array pronto). */
+    setGlobalRoles(accountId: string, roles: string[]): Promise<void>;
+    /** Atualiza nome/avatar (capacidade opcional). Retorna a conta ou null. */
+    updateProfile(accountId: string, patch: {
+        name?: string | null;
+        avatarUrl?: string | null;
+    }): Promise<AuthAccount | null>;
+    /** Indica se a conta está desabilitada (false quando a capacidade não existe). */
+    isDisabled(accountId: string): Promise<boolean>;
+    /** Emite o token de reset e dispara o e-mail (hook do config tem prioridade). */
+    private sendResetEmail;
+}

package/build/src/host/admin_api/admin_users_service.js ADDED Viewed

@@ -0,0 +1,112 @@
+import { randomBytes } from 'node:crypto';
+import { supportsAccountStatus, supportsProfile } from '../../accounts/account_store.js';
+import { sendPasswordResetEmail } from '../default_mailer.js';
+/**
+ * Lógica de gestão de usuários compartilhada entre o console admin (B6, HTML) e a
+ * Admin REST API (R6, JSON). Encapsula o fluxo "create + invite", reset de senha,
+ * troca de status e atualização de perfil/roles — todos auditando com o `actor`
+ * informado (`admin-api` nas chamadas REST).
+ */
+export class AdminUsersService {
+    cfg;
+    constructor(cfg) {
+        this.cfg = cfg;
+    }
+    /**
+     * Cria uma conta. Com `password`: já nasce com a senha. Sem `password` (ou
+     * `invite: true`): cria com senha aleatória forte e dispara o e-mail de reset
+     * (o usuário define a própria). Audita `user.created`.
+     */
+    async create(ctx, input, actor) {
+        const store = this.cfg.accountStore;
+        const existing = await store.findByEmail(input.email);
+        if (existing)
+            return { ok: false, reason: 'email_taken' };
+        const hasPassword = !!input.password;
+        const initialPassword = input.password ?? randomBytes(24).toString('hex');
+        const account = await store.create({
+            email: input.email,
+            password: initialPassword,
+            fullName: input.name ?? null,
+        });
+        await this.cfg.audit?.record({
+            type: 'user.created',
+            accountId: account.id,
+            email: input.email,
+            actorId: actor.actorId,
+            ip: actor.ip,
+            metadata: { invited: !hasPassword, ...(actor.source ? { actor: actor.source } : {}) },
+        });
+        if (!hasPassword) {
+            await this.sendResetEmail(ctx, account.email);
+        }
+        return { ok: true, account, invited: !hasPassword };
+    }
+    /** Emite token de reset + envia e-mail. Retorna a conta (ou null se inexistente). */
+    async resetPassword(ctx, accountId, actor) {
+        const account = await this.cfg.accountStore.findById(accountId);
+        if (!account)
+            return null;
+        await this.sendResetEmail(ctx, account.email);
+        await this.cfg.audit?.record({
+            type: 'user.password_reset_sent',
+            accountId,
+            email: account.email,
+            actorId: actor.actorId,
+            ip: actor.ip,
+            ...(actor.source ? { metadata: { actor: actor.source } } : {}),
+        });
+        return account;
+    }
+    /**
+     * Habilita/desabilita uma conta. Retorna false quando o store não suporta a
+     * capacidade (o caller responde 409). Audita `user.disabled`/`user.enabled`.
+     */
+    async setStatus(accountId, disable, actor) {
+        const store = this.cfg.accountStore;
+        if (!supportsAccountStatus(store))
+            return false;
+        if (disable)
+            await store.disableAccount(accountId);
+        else
+            await store.enableAccount(accountId);
+        await this.cfg.audit?.record({
+            type: disable ? 'user.disabled' : 'user.enabled',
+            accountId,
+            actorId: actor.actorId,
+            ip: actor.ip,
+            ...(actor.source ? { metadata: { actor: actor.source } } : {}),
+        });
+        return true;
+    }
+    /** Substitui as roles globais de uma conta (normaliza nada — recebe array pronto). */
+    async setGlobalRoles(accountId, roles) {
+        await this.cfg.accountStore.setGlobalRoles(accountId, roles);
+    }
+    /** Atualiza nome/avatar (capacidade opcional). Retorna a conta ou null. */
+    async updateProfile(accountId, patch) {
+        const store = this.cfg.accountStore;
+        if (!supportsProfile(store))
+            return null;
+        return store.updateProfile(accountId, patch);
+    }
+    /** Indica se a conta está desabilitada (false quando a capacidade não existe). */
+    async isDisabled(accountId) {
+        const store = this.cfg.accountStore;
+        return supportsAccountStatus(store) ? store.isDisabled(accountId) : false;
+    }
+    /** Emite o token de reset e dispara o e-mail (hook do config tem prioridade). */
+    async sendResetEmail(ctx, email) {
+        const issued = await this.cfg.accountStore.issuePasswordResetToken(email);
+        if (!issued)
+            return;
+        const origin = `${ctx.request.protocol()}://${ctx.request.host()}`;
+        const resetUrl = `${origin}/auth/reset-password?token=${encodeURIComponent(issued.token)}`;
+        if (this.cfg.mail?.onPasswordReset) {
+            await this.cfg.mail.onPasswordReset({ email, resetUrl, token: issued.token });
+        }
+        else {
+            await sendPasswordResetEmail(ctx, { email, resetUrl });
+        }
+    }
+}

package/build/src/host/admin_api/api_clients_controller.d.ts ADDED Viewed

@@ -0,0 +1,48 @@
+import '../augmentations.js';
+import type { HttpContext } from '@adonisjs/core/http';
+/**
+ * Recurso de clients OIDC da Admin REST API (R6). Reaproveita o
+ * {@link AdminClientsService} (mesmo que o console B6). O secret é retornado UMA vez
+ * em create/regenerate. Audita create/update/delete.
+ */
+export default class ApiClientsController {
+    index(ctx: HttpContext): Promise<{
+        data: {
+            clientId: string;
+            confidential: boolean;
+            grants: string[];
+            redirectUris: string[];
+            postLogoutRedirectUris: string[];
+            tokenEndpointAuthMethod: string;
+        }[];
+        canList: boolean;
+    }>;
+    show(ctx: HttpContext): Promise<void | {
+        clientId: string;
+        confidential: boolean;
+        grants: string[];
+        redirectUris: string[];
+        postLogoutRedirectUris: string[];
+        tokenEndpointAuthMethod: string;
+    }>;
+    store(ctx: HttpContext): Promise<{
+        clientId: string;
+        clientSecret: string | null;
+    }>;
+    update(ctx: HttpContext): Promise<void | {
+        clientId: string;
+        confidential: boolean;
+        grants: string[];
+        redirectUris: string[];
+        postLogoutRedirectUris: string[];
+        tokenEndpointAuthMethod: string;
+    }>;
+    regenerateSecret(ctx: HttpContext): Promise<void | {
+        clientId: any;
+        clientSecret: string;
+    }>;
+    destroy(ctx: HttpContext): Promise<{
+        clientId: any;
+        deleted: boolean;
+    }>;
+}

package/build/src/host/admin_api/api_clients_controller.js ADDED Viewed

@@ -0,0 +1,104 @@
+import '../augmentations.js';
+import { AdminClientsService } from '../admin_clients_service.js';
+import { clientDto, createdClientDto, apiError } from './dto.js';
+/** Resolve o serviço (== OidcService) + o AdminClientsService. */
+async function clientsService(ctx) {
+    const service = await ctx.containerResolver.make('authkit.server');
+    return { service, svc: new AdminClientsService(service) };
+}
+function asArray(value) {
+    if (Array.isArray(value))
+        return value.map((v) => String(v)).filter(Boolean);
+    if (typeof value === 'string' && value.trim())
+        return [value.trim()];
+    return [];
+}
+function readInput(ctx) {
+    return {
+        clientId: ctx.request.input('clientId')?.trim() || undefined,
+        redirectUris: asArray(ctx.request.input('redirectUris')),
+        postLogoutRedirectUris: asArray(ctx.request.input('postLogoutRedirectUris')),
+        grantTypes: asArray(ctx.request.input('grantTypes')),
+        tokenEndpointAuthMethod: ctx.request.input('tokenEndpointAuthMethod', 'client_secret_basic'),
+    };
+}
+/**
+ * Recurso de clients OIDC da Admin REST API (R6). Reaproveita o
+ * {@link AdminClientsService} (mesmo que o console B6). O secret é retornado UMA vez
+ * em create/regenerate. Audita create/update/delete.
+ */
+export default class ApiClientsController {
+    async index(ctx) {
+        const { svc } = await clientsService(ctx);
+        if (!svc.canList) {
+            return { data: [], canList: false };
+        }
+        const clients = await svc.list();
+        return { data: clients.map(clientDto), canList: true };
+    }
+    async show(ctx) {
+        const { svc } = await clientsService(ctx);
+        const client = await svc.find(ctx.request.param('id'));
+        if (!client)
+            return ctx.response.notFound(apiError('not_found', 'Client não encontrado.'));
+        return clientDto(client);
+    }
+    async store(ctx) {
+        const { service, svc } = await clientsService(ctx);
+        const input = readInput(ctx);
+        const created = await svc.create(input);
+        await service.config.audit?.record({
+            type: 'client.created',
+            clientId: created.clientId,
+            ip: ctx.request.ip?.() ?? null,
+            metadata: { actor: 'admin-api' },
+        });
+        ctx.response.status(201);
+        return createdClientDto(created);
+    }
+    async update(ctx) {
+        const { service, svc } = await clientsService(ctx);
+        const id = ctx.request.param('id');
+        const existing = await svc.find(id);
+        if (!existing)
+            return ctx.response.notFound(apiError('not_found', 'Client não encontrado.'));
+        await svc.update(id, readInput(ctx));
+        await service.config.audit?.record({
+            type: 'client.updated',
+            clientId: id,
+            ip: ctx.request.ip?.() ?? null,
+            metadata: { actor: 'admin-api' },
+        });
+        const updated = await svc.find(id);
+        return clientDto(updated);
+    }
+    async regenerateSecret(ctx) {
+        const { service, svc } = await clientsService(ctx);
+        const id = ctx.request.param('id');
+        try {
+            const secret = await svc.regenerateSecret(id);
+            await service.config.audit?.record({
+                type: 'client.updated',
+                clientId: id,
+                ip: ctx.request.ip?.() ?? null,
+                metadata: { actor: 'admin-api', action: 'regenerate_secret' },
+            });
+            return { clientId: id, clientSecret: secret };
+        }
+        catch (e) {
+            return ctx.response.conflict(apiError('cannot_regenerate', e.message));
+        }
+    }
+    async destroy(ctx) {
+        const { service, svc } = await clientsService(ctx);
+        const id = ctx.request.param('id');
+        await svc.delete(id);
+        await service.config.audit?.record({
+            type: 'client.deleted',
+            clientId: id,
+            ip: ctx.request.ip?.() ?? null,
+            metadata: { actor: 'admin-api' },
+        });
+        return { clientId: id, deleted: true };
+    }
+}

package/build/src/host/admin_api/api_misc_controller.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import '../augmentations.js';
+import type { HttpContext } from '@adonisjs/core/http';
+/**
+ * Endpoints utilitários da Admin REST API: log de auditoria (`GET /audit`) e
+ * introspecção genérica de token (`POST /tokens/verify`).
+ */
+export default class ApiMiscController {
+    /** GET /audit — listagem paginada (501 JSON quando o sink não consulta). */
+    audit(ctx: HttpContext): Promise<void | {
+        data: any;
+        total: any;
+        page: number;
+        limit: number;
+    }>;
+    /** POST /tokens/verify — { token } → resultado de introspecção (PAT ou opaque AT). */
+    verify(ctx: HttpContext): Promise<void | import("./token_verify_service.js").VerifyResult>;
+}

package/build/src/host/admin_api/api_misc_controller.js ADDED Viewed

@@ -0,0 +1,37 @@
+import '../augmentations.js';
+import { TokenVerifyService } from './token_verify_service.js';
+import { auditDto, apiError } from './dto.js';
+/**
+ * Endpoints utilitários da Admin REST API: log de auditoria (`GET /audit`) e
+ * introspecção genérica de token (`POST /tokens/verify`).
+ */
+export default class ApiMiscController {
+    /** GET /audit — listagem paginada (501 JSON quando o sink não consulta). */
+    async audit(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const sink = cfg.audit;
+        if (!sink || typeof sink.list !== 'function') {
+            return ctx.response
+                .status(501)
+                .send(apiError('not_implemented', 'O sink de auditoria configurado não suporta consulta.'));
+        }
+        const page = Math.max(1, Number.parseInt(ctx.request.input('page', '1'), 10) || 1);
+        const limit = Math.max(1, Math.min(100, Number.parseInt(ctx.request.input('limit', '20'), 10) || 20));
+        const type = ctx.request.input('type')?.trim() || undefined;
+        const subject = ctx.request.input('subject')?.trim() || undefined;
+        const result = await sink.list({ page, limit, type, subject });
+        return { data: result.data.map(auditDto), total: result.total, page, limit };
+    }
+    /** POST /tokens/verify — { token } → resultado de introspecção (PAT ou opaque AT). */
+    async verify(ctx) {
+        const service = await ctx.containerResolver.make('authkit.server');
+        const cfg = service.config;
+        const token = ctx.request.input('token');
+        if (!token || typeof token !== 'string') {
+            return ctx.response.badRequest(apiError('invalid_request', 'O campo token é obrigatório.'));
+        }
+        const verifier = new TokenVerifyService(cfg, service.provider);
+        return verifier.verify(token);
+    }
+}

package/build/src/host/admin_api/api_users_controller.d.ts ADDED Viewed

@@ -0,0 +1,78 @@
+import '../augmentations.js';
+import type { HttpContext } from '@adonisjs/core/http';
+/**
+ * Recurso de usuários da Admin REST API (R6). JSON puro (camelCase), erros no
+ * envelope `{ error: { code, message } }`. Toda escrita audita com `actor: 'admin-api'`.
+ */
+export default class ApiUsersController {
+    #private;
+    /** GET /users — listagem paginada com busca por e-mail. */
+    index(ctx: HttpContext): Promise<{
+        data: any[];
+        total: any;
+        page: number;
+        limit: number;
+    }>;
+    /** GET /users/:id */
+    show(ctx: HttpContext): Promise<void | {
+        id: string;
+        email: string;
+        name: string | null;
+        avatarUrl: string | null;
+        globalRoles: string[];
+        disabled: boolean;
+    }>;
+    /** POST /users — { email, name?, password? | invite?:true }. */
+    store(ctx: HttpContext): Promise<void | {
+        invited: boolean;
+        id: string;
+        email: string;
+        name: string | null;
+        avatarUrl: string | null;
+        globalRoles: string[];
+        disabled: boolean;
+    }>;
+    /** PATCH /users/:id — { globalRoles?, name?, avatarUrl? }. */
+    update(ctx: HttpContext): Promise<void | {
+        id: string;
+        email: string;
+        name: string | null;
+        avatarUrl: string | null;
+        globalRoles: string[];
+        disabled: boolean;
+    }>;
+    /** POST /users/:id/disable */
+    disable(ctx: HttpContext): Promise<void | {
+        id: any;
+        disabled: boolean;
+    }>;
+    /** POST /users/:id/enable */
+    enable(ctx: HttpContext): Promise<void | {
+        id: any;
+        disabled: boolean;
+    }>;
+    /** POST /users/:id/reset-password — envia o e-mail de reset. */
+    resetPassword(ctx: HttpContext): Promise<void | {
+        id: any;
+        sent: boolean;
+    }>;
+    /** GET /users/:id/sessions — sessões + grants ativos. */
+    sessions(ctx: HttpContext): Promise<{
+        canList: boolean;
+        sessions: {
+            id: string;
+            accountId: string;
+            loginTs: number | null;
+            amr: string[];
+        }[];
+        grants: {
+            id: string;
+            accountId: string;
+            clientId: string | null;
+            accessTokens: number;
+            refreshTokens: number;
+        }[];
+    }>;
+    /** POST /users/:id/revoke-sessions — revoga todas as sessões/grants. */
+    revokeSessions(ctx: HttpContext): Promise<import("../admin_sessions_service.js").RevokeResult>;
+}

package/build/src/host/admin_api/api_users_controller.js ADDED Viewed

@@ -0,0 +1,135 @@
+import '../augmentations.js';
+import { AdminUsersService } from './admin_users_service.js';
+import { AdminSessionsService } from '../admin_sessions_service.js';
+import { userDto, sessionDto, grantDto, apiError } from './dto.js';
+const PAGE_SIZE = 20;
+/** Lê a config + monta o actor `admin-api` para auditoria. */
+async function ctxBits(ctx) {
+    const service = await ctx.containerResolver.make('authkit.server');
+    const cfg = service.config;
+    const actor = { actorId: null, ip: ctx.request.ip?.() ?? null, source: 'admin-api' };
+    return { service, cfg, actor };
+}
+/**
+ * Recurso de usuários da Admin REST API (R6). JSON puro (camelCase), erros no
+ * envelope `{ error: { code, message } }`. Toda escrita audita com `actor: 'admin-api'`.
+ */
+export default class ApiUsersController {
+    /** GET /users — listagem paginada com busca por e-mail. */
+    async index(ctx) {
+        const { cfg } = await ctxBits(ctx);
+        const search = ctx.request.input('search', '').trim();
+        const page = Math.max(1, Number.parseInt(ctx.request.input('page', '1'), 10) || 1);
+        const limit = Math.max(1, Math.min(100, Number.parseInt(ctx.request.input('limit', String(PAGE_SIZE)), 10) || PAGE_SIZE));
+        const result = await cfg.accountStore.listAccounts({ search, page, limit });
+        const users = new AdminUsersService(cfg);
+        const data = await Promise.all(result.data.map(async (u) => userDto(u, await users.isDisabled(u.id))));
+        return { data, total: result.total, page, limit };
+    }
+    /** GET /users/:id */
+    async show(ctx) {
+        const { cfg } = await ctxBits(ctx);
+        const id = ctx.request.param('id');
+        const account = await cfg.accountStore.findById(id);
+        if (!account)
+            return ctx.response.notFound(apiError('not_found', 'Usuário não encontrado.'));
+        const disabled = await new AdminUsersService(cfg).isDisabled(id);
+        return userDto(account, disabled);
+    }
+    /** POST /users — { email, name?, password? | invite?:true }. */
+    async store(ctx) {
+        const { cfg, actor } = await ctxBits(ctx);
+        const email = ctx.request.input('email', '').trim();
+        const name = ctx.request.input('name') ?? null;
+        const password = ctx.request.input('password') ?? null;
+        const invite = ctx.request.input('invite') === true || ctx.request.input('invite') === 'true';
+        if (!email)
+            return ctx.response.badRequest(apiError('invalid_request', 'O campo email é obrigatório.'));
+        const users = new AdminUsersService(cfg);
+        const result = await users.create(ctx, { email, name, password, invite }, actor);
+        if (!result.ok) {
+            return ctx.response.conflict(apiError('email_taken', 'Já existe uma conta com este e-mail.'));
+        }
+        ctx.response.status(201);
+        return { ...userDto(result.account), invited: result.invited };
+    }
+    /** PATCH /users/:id — { globalRoles?, name?, avatarUrl? }. */
+    async update(ctx) {
+        const { cfg } = await ctxBits(ctx);
+        const id = ctx.request.param('id');
+        const account = await cfg.accountStore.findById(id);
+        if (!account)
+            return ctx.response.notFound(apiError('not_found', 'Usuário não encontrado.'));
+        const users = new AdminUsersService(cfg);
+        const roles = ctx.request.input('globalRoles');
+        if (Array.isArray(roles)) {
+            const normalized = Array.from(new Set(roles.map((r) => String(r).trim()).filter(Boolean)));
+            await users.setGlobalRoles(id, normalized);
+        }
+        const name = ctx.request.input('name');
+        const avatarUrl = ctx.request.input('avatarUrl');
+        if (name !== undefined || avatarUrl !== undefined) {
+            const patch = {};
+            if (name !== undefined)
+                patch.name = name;
+            if (avatarUrl !== undefined)
+                patch.avatarUrl = avatarUrl;
+            await users.updateProfile(id, patch);
+        }
+        const updated = await cfg.accountStore.findById(id);
+        return userDto(updated, await users.isDisabled(id));
+    }
+    /** POST /users/:id/disable */
+    async disable(ctx) {
+        return this.#setStatus(ctx, true);
+    }
+    /** POST /users/:id/enable */
+    async enable(ctx) {
+        return this.#setStatus(ctx, false);
+    }
+    async #setStatus(ctx, disable) {
+        const { cfg, actor } = await ctxBits(ctx);
+        const id = ctx.request.param('id');
+        const applied = await new AdminUsersService(cfg).setStatus(id, disable, actor);
+        if (!applied) {
+            return ctx.response.conflict(apiError('capability_unsupported', 'O store de contas não suporta habilitar/desabilitar.'));
+        }
+        return { id, disabled: disable };
+    }
+    /** POST /users/:id/reset-password — envia o e-mail de reset. */
+    async resetPassword(ctx) {
+        const { cfg, actor } = await ctxBits(ctx);
+        const id = ctx.request.param('id');
+        const account = await new AdminUsersService(cfg).resetPassword(ctx, id, actor);
+        if (!account)
+            return ctx.response.notFound(apiError('not_found', 'Usuário não encontrado.'));
+        return { id, sent: true };
+    }
+    /** GET /users/:id/sessions — sessões + grants ativos. */
+    async sessions(ctx) {
+        const { service } = await ctxBits(ctx);
+        const id = ctx.request.param('id');
+        const admin = new AdminSessionsService(service);
+        const sessions = await admin.listSessions(id);
+        const grants = await admin.listGrants(id);
+        return {
+            canList: admin.canList,
+            sessions: sessions.map(sessionDto),
+            grants: grants.map(grantDto),
+        };
+    }
+    /** POST /users/:id/revoke-sessions — revoga todas as sessões/grants. */
+    async revokeSessions(ctx) {
+        const { service, cfg, actor } = await ctxBits(ctx);
+        const id = ctx.request.param('id');
+        const result = await new AdminSessionsService(service).revokeAll(id);
+        await cfg.audit?.record({
+            type: 'session.revoked_all',
+            accountId: id,
+            actorId: actor.actorId,
+            ip: actor.ip,
+            metadata: { actor: actor.source, ...result },
+        });
+        return result;
+    }
+}

package/build/src/host/admin_api/dto.d.ts ADDED Viewed

@@ -0,0 +1,57 @@
+import type { AuthAccount } from '../../accounts/account_store.js';
+import type { AdminClient, CreatedClient } from '../admin_clients_service.js';
+import type { AdminSession, AdminGrant } from '../admin_sessions_service.js';
+import type { StoredAuditEvent } from '../../audit/audit_sink.js';
+/** Projeta uma conta para a forma JSON (camelCase) da Admin REST API. */
+export declare function userDto(account: AuthAccount, disabled?: boolean): {
+    id: string;
+    email: string;
+    name: string | null;
+    avatarUrl: string | null;
+    globalRoles: string[];
+    disabled: boolean;
+};
+export declare function clientDto(client: AdminClient): {
+    clientId: string;
+    confidential: boolean;
+    grants: string[];
+    redirectUris: string[];
+    postLogoutRedirectUris: string[];
+    tokenEndpointAuthMethod: string;
+};
+/** Inclui o secret (mostrado UMA vez) em create/regenerate. */
+export declare function createdClientDto(created: CreatedClient): {
+    clientId: string;
+    clientSecret: string | null;
+};
+export declare function sessionDto(session: AdminSession): {
+    id: string;
+    accountId: string;
+    loginTs: number | null;
+    amr: string[];
+};
+export declare function grantDto(grant: AdminGrant): {
+    id: string;
+    accountId: string;
+    clientId: string | null;
+    accessTokens: number;
+    refreshTokens: number;
+};
+export declare function auditDto(event: StoredAuditEvent): {
+    id: string;
+    type: import("../../audit/audit_sink.js").AuditEventType;
+    accountId: string | null;
+    email: string | null;
+    clientId: string | null;
+    actorId: string | null;
+    ip: string | null;
+    metadata: Record<string, unknown> | null;
+    createdAt: string | null;
+};
+/** Envelope de erro padrão da Admin REST API. */
+export declare function apiError(code: string, message: string): {
+    error: {
+        code: string;
+        message: string;
+    };
+};

package/build/src/host/admin_api/dto.js ADDED Viewed

@@ -0,0 +1,62 @@
+/** Projeta uma conta para a forma JSON (camelCase) da Admin REST API. */
+export function userDto(account, disabled = false) {
+    return {
+        id: account.id,
+        email: account.email,
+        name: account.name ?? null,
+        avatarUrl: account.avatarUrl ?? null,
+        globalRoles: account.globalRoles ?? [],
+        disabled,
+    };
+}
+export function clientDto(client) {
+    return {
+        clientId: client.clientId,
+        confidential: client.confidential,
+        grants: client.grants,
+        redirectUris: client.redirectUris,
+        postLogoutRedirectUris: client.postLogoutRedirectUris,
+        tokenEndpointAuthMethod: client.tokenEndpointAuthMethod,
+    };
+}
+/** Inclui o secret (mostrado UMA vez) em create/regenerate. */
+export function createdClientDto(created) {
+    return {
+        clientId: created.clientId,
+        clientSecret: created.clientSecret ?? null,
+    };
+}
+export function sessionDto(session) {
+    return {
+        id: session.id,
+        accountId: session.accountId,
+        loginTs: session.loginTs ?? null,
+        amr: session.amr ?? [],
+    };
+}
+export function grantDto(grant) {
+    return {
+        id: grant.id,
+        accountId: grant.accountId,
+        clientId: grant.clientId ?? null,
+        accessTokens: grant.accessTokens,
+        refreshTokens: grant.refreshTokens,
+    };
+}
+export function auditDto(event) {
+    return {
+        id: event.id,
+        type: event.type,
+        accountId: event.accountId ?? null,
+        email: event.email ?? null,
+        clientId: event.clientId ?? null,
+        actorId: event.actorId ?? null,
+        ip: event.ip ?? null,
+        metadata: event.metadata ?? null,
+        createdAt: event.createdAt instanceof Date ? event.createdAt.toISOString() : event.createdAt,
+    };
+}
+/** Envelope de erro padrão da Admin REST API. */
+export function apiError(code, message) {
+    return { error: { code, message } };
+}

package/build/src/host/admin_api/token_verify_service.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import type { ResolvedServerConfig } from '../../define_config.js';
+/** Resultado de introspecção genérica (PAT ou opaque access token). */
+export type VerifyResult = {
+    active: false;
+} | {
+    active: true;
+    /** 'pat' (Personal Access Token) ou 'access_token' (opaque AT do provider). */
+    tokenType: 'pat' | 'access_token';
+    sub: string;
+    email?: string | null;
+    name?: string | null;
+    roles?: string[];
+    scopes?: string[];
+    audience?: string | string[] | null;
+    clientId?: string | null;
+    exp?: number | null;
+};
+/**
+ * Introspecção genérica de token usada pela Admin REST API (`POST /tokens/verify`).
+ * Roteia por prefixo: tokens `pat_...` vão pelo {@link PatStore} (mesma rota do
+ * `/authkit/pat/introspect`); os demais são tratados como opaque access tokens e
+ * resolvidos pelo `AccessToken.find` do oidc-provider. Sempre best-effort: token
+ * desconhecido/expirado → `{ active: false }`.
+ */
+export declare class TokenVerifyService {
+    #private;
+    private cfg;
+    /** Provider do oidc-provider (service.provider) — para opaque AT. */
+    private provider;
+    constructor(cfg: ResolvedServerConfig,
+    /** Provider do oidc-provider (service.provider) — para opaque AT. */
+    provider: any);
+    verify(token: string): Promise<VerifyResult>;
+}

package/build/src/host/admin_api/token_verify_service.js ADDED Viewed

@@ -0,0 +1,74 @@
+/**
+ * Introspecção genérica de token usada pela Admin REST API (`POST /tokens/verify`).
+ * Roteia por prefixo: tokens `pat_...` vão pelo {@link PatStore} (mesma rota do
+ * `/authkit/pat/introspect`); os demais são tratados como opaque access tokens e
+ * resolvidos pelo `AccessToken.find` do oidc-provider. Sempre best-effort: token
+ * desconhecido/expirado → `{ active: false }`.
+ */
+export class TokenVerifyService {
+    cfg;
+    provider;
+    constructor(cfg,
+    /** Provider do oidc-provider (service.provider) — para opaque AT. */
+    provider) {
+        this.cfg = cfg;
+        this.provider = provider;
+    }
+    async verify(token) {
+        if (!token || typeof token !== 'string')
+            return { active: false };
+        if (token.startsWith('pat_'))
+            return this.#verifyPat(token);
+        return this.#verifyAccessToken(token);
+    }
+    async #verifyPat(token) {
+        if (!this.cfg.patStore)
+            return { active: false };
+        const meta = await this.cfg.patStore.findActiveByToken(token);
+        if (!meta)
+            return { active: false };
+        const account = await this.cfg.accountStore.findById(meta.accountId);
+        if (!account)
+            return { active: false };
+        return {
+            active: true,
+            tokenType: 'pat',
+            sub: account.id,
+            email: account.email,
+            name: account.name ?? null,
+            roles: account.globalRoles ?? [],
+            scopes: meta.scopes,
+            audience: meta.audience,
+            exp: meta.exp,
+        };
+    }
+    async #verifyAccessToken(token) {
+        let at;
+        try {
+            at = await this.provider?.AccessToken?.find(token);
+        }
+        catch {
+            return { active: false };
+        }
+        if (!at)
+            return { active: false };
+        // O oidc-provider expira artefatos sozinho; isExpired/exp como guarda extra.
+        if (typeof at.isExpired === 'boolean' && at.isExpired)
+            return { active: false };
+        const sub = at.accountId ?? '';
+        const account = sub ? await this.cfg.accountStore.findById(sub) : null;
+        const scopes = typeof at.scope === 'string' ? at.scope.split(' ').filter(Boolean) : [];
+        return {
+            active: true,
+            tokenType: 'access_token',
+            sub,
+            email: account?.email ?? null,
+            name: account?.name ?? null,
+            roles: account?.globalRoles ?? [],
+            scopes,
+            audience: at.aud ?? null,
+            clientId: at.clientId ?? null,
+            exp: typeof at.exp === 'number' ? at.exp : null,
+        };
+    }
+}

package/build/src/host/controllers/admin/admin_users_controller.js CHANGED Viewed

@@ -1,9 +1,8 @@
 import '../../augmentations.js';
-import { randomBytes } from 'node:crypto';
 import { supportsAccountStatus } from '../../../accounts/account_store.js';
 import { ACCOUNT_SESSION_KEY } from '../../middleware/account_auth.js';
 import { adminCreateUserValidator } from '../../validators.js';
-import { sendPasswordResetEmail } from '../../default_mailer.js';
+import { AdminUsersService } from '../../admin_api/admin_users_service.js';
 const PAGE_SIZE = 20;
 /**
  * Gestão de usuários do IdP: listagem paginada com busca por e-mail e edição das
@@ -57,30 +56,15 @@ export default class AdminUsersController {
     async store(ctx) {
         const service = await ctx.containerResolver.make('authkit.server');
         const cfg = service.config;
-        const store = cfg.accountStore;
         const actorId = ctx.session.get(ACCOUNT_SESSION_KEY) ?? null;
         const ip = ctx.request.ip?.() ?? null;
         const { email, name, password } = await ctx.request.validateUsing(adminCreateUserValidator);
-        const existing = await store.findByEmail(email);
-        if (existing) {
+        const users = new AdminUsersService(cfg);
+        const result = await users.create(ctx, { email, name, password }, { actorId, ip });
+        if (!result.ok) {
             ctx.session.flash('usersError', cfg.messages['errors.email_taken'] ?? 'errors.email_taken');
             return ctx.response.redirect('/admin/users');
         }
-        // Sem senha informada: cria com uma senha aleatória forte (descartável) e
-        // dispara o fluxo de reset para o usuário definir a sua.
-        const initialPassword = password ?? randomBytes(24).toString('hex');
-        const account = await store.create({ email, password: initialPassword, fullName: name ?? null });
-        await cfg.audit?.record({
-            type: 'user.created',
-            accountId: account.id,
-            email,
-            actorId,
-            ip,
-            metadata: { invited: !password },
-        });
-        if (!password) {
-            await this.#sendResetEmail(ctx, cfg, email);
-        }
         ctx.session.flash('userCreated', cfg.messages['admin.users.created'] ?? 'admin.users.created');
         return ctx.response.redirect('/admin/users');
     }
@@ -88,21 +72,10 @@ export default class AdminUsersController {
     async resetPassword(ctx) {
         const service = await ctx.containerResolver.make('authkit.server');
         const cfg = service.config;
-        const store = cfg.accountStore;
         const actorId = ctx.session.get(ACCOUNT_SESSION_KEY) ?? null;
         const ip = ctx.request.ip?.() ?? null;
         const accountId = ctx.request.param('id');
-        const account = await store.findById(accountId);
-        if (account) {
-            await this.#sendResetEmail(ctx, cfg, account.email);
-            await cfg.audit?.record({
-                type: 'user.password_reset_sent',
-                accountId,
-                email: account.email,
-                actorId,
-                ip,
-            });
-        }
+        await new AdminUsersService(cfg).resetPassword(ctx, accountId, { actorId, ip });
         ctx.session.flash('resetSent', cfg.messages['admin.users.reset_sent'] ?? 'admin.users.reset_sent');
         return this.#redirectBack(ctx);
     }
@@ -117,40 +90,16 @@ export default class AdminUsersController {
     async #toggleStatus(ctx, disable) {
         const service = await ctx.containerResolver.make('authkit.server');
         const cfg = service.config;
-        const store = cfg.accountStore;
         const actorId = ctx.session.get(ACCOUNT_SESSION_KEY) ?? null;
         const ip = ctx.request.ip?.() ?? null;
         const accountId = ctx.request.param('id');
-        if (supportsAccountStatus(store)) {
-            if (disable)
-                await store.disableAccount(accountId);
-            else
-                await store.enableAccount(accountId);
-            await cfg.audit?.record({
-                type: disable ? 'user.disabled' : 'user.enabled',
-                accountId,
-                actorId,
-                ip,
-            });
+        const applied = await new AdminUsersService(cfg).setStatus(accountId, disable, { actorId, ip });
+        if (applied) {
             ctx.session.flash('statusChanged', cfg.messages[disable ? 'admin.users.disabled' : 'admin.users.enabled'] ??
                 (disable ? 'admin.users.disabled' : 'admin.users.enabled'));
         }
         return this.#redirectBack(ctx);
     }
-    /** Emite o token de reset e dispara o e-mail (hook do config tem prioridade). */
-    async #sendResetEmail(ctx, cfg, email) {
-        const issued = await cfg.accountStore.issuePasswordResetToken(email);
-        if (!issued)
-            return;
-        const origin = `${ctx.request.protocol()}://${ctx.request.host()}`;
-        const resetUrl = `${origin}/auth/reset-password?token=${encodeURIComponent(issued.token)}`;
-        if (cfg.mail?.onPasswordReset) {
-            await cfg.mail.onPasswordReset({ email, resetUrl, token: issued.token });
-        }
-        else {
-            await sendPasswordResetEmail(ctx, { email, resetUrl });
-        }
-    }
     #redirectBack(ctx) {
         const search = ctx.request.input('search', '').trim();
         const page = Math.max(1, Number.parseInt(ctx.request.input('page', '1'), 10) || 1);

package/build/src/host/register_auth_host.d.ts CHANGED Viewed

@@ -46,6 +46,13 @@ export interface AuthHostOptions {
      * Espelhe o `admin.enabled` de config/authkit.ts.
      */
     admin?: boolean;
+    /**
+     * Admin REST API opt-in (R6); quando `true`, monta o grupo `/api/authkit/v1/*`
+     * atrás do `adminApiGuard` (API key). Necessário aqui (e não só no config) porque
+     * a decisão de montar as rotas é tomada em tempo de registro, antes do config
+     * (lazy) resolver. Espelhe o `adminApi.enabled` de config/authkit.ts.
+     */
+    adminApi?: boolean;
 }
 /**
  * Monta todas as rotas do host-kit do Authorization Server numa chamada.

package/build/src/host/register_auth_host.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import { resolveRateLimit } from '../define_config.js';
 import { createAuthThrottles } from './rate_limit.js';
 import { ACCOUNT_SESSION_KEY } from './middleware/account_auth.js';
+import { adminApiGuard } from './admin_api/admin_api_guard.js';
 /**
  * Guard inline do console de conta. Usamos uma closure (forma confiável do
  * `.use()` do AdonisJS) em vez de `() => import(middleware)` — a forma lazy de
@@ -60,6 +61,9 @@ const C = {
     adminSessions: () => import('./controllers/admin/admin_sessions_controller.js'),
     adminClients: () => import('./controllers/admin/admin_clients_controller.js'),
     adminAudit: () => import('./controllers/admin/admin_audit_controller.js'),
+    apiUsers: () => import('./admin_api/api_users_controller.js'),
+    apiClients: () => import('./admin_api/api_clients_controller.js'),
+    apiMisc: () => import('./admin_api/api_misc_controller.js'),
 };
 /**
  * Monta todas as rotas do host-kit do Authorization Server numa chamada.
@@ -174,4 +178,39 @@ export function registerAuthHost(router, opts) {
         })
             .use([adminGuard]);
     }
+    // Admin REST API (opt-in — R6). Superfície machine-to-machine atrás do
+    // adminApiGuard (API key). Todas as rotas levam o throttle de introspecção.
+    if (opts.adminApi) {
+        // Aplica o throttle de introspecção a uma rota qualquer (GET ou escrita).
+        const withApiThrottle = (route) => {
+            if (throttles)
+                route.use([throttles.introspection]);
+            return route;
+        };
+        router
+            .group(() => {
+            // Usuários.
+            withApiThrottle(router.get('/users', [C.apiUsers, 'index']));
+            withApiThrottle(router.post('/users', [C.apiUsers, 'store']));
+            withApiThrottle(router.get('/users/:id', [C.apiUsers, 'show']));
+            withApiThrottle(router.patch('/users/:id', [C.apiUsers, 'update']));
+            withApiThrottle(router.post('/users/:id/disable', [C.apiUsers, 'disable']));
+            withApiThrottle(router.post('/users/:id/enable', [C.apiUsers, 'enable']));
+            withApiThrottle(router.post('/users/:id/reset-password', [C.apiUsers, 'resetPassword']));
+            withApiThrottle(router.get('/users/:id/sessions', [C.apiUsers, 'sessions']));
+            withApiThrottle(router.post('/users/:id/revoke-sessions', [C.apiUsers, 'revokeSessions']));
+            // Clients OIDC.
+            withApiThrottle(router.get('/clients', [C.apiClients, 'index']));
+            withApiThrottle(router.post('/clients', [C.apiClients, 'store']));
+            withApiThrottle(router.get('/clients/:id', [C.apiClients, 'show']));
+            withApiThrottle(router.patch('/clients/:id', [C.apiClients, 'update']));
+            withApiThrottle(router.post('/clients/:id/regenerate-secret', [C.apiClients, 'regenerateSecret']));
+            withApiThrottle(router.delete('/clients/:id', [C.apiClients, 'destroy']));
+            // Auditoria + verificação de token.
+            withApiThrottle(router.get('/audit', [C.apiMisc, 'audit']));
+            withApiThrottle(router.post('/tokens/verify', [C.apiMisc, 'verify']));
+        })
+            .prefix('/api/authkit/v1')
+            .use([adminApiGuard]);
+    }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@dudousxd/adonis-authkit-server",
-  "version": "0.7.0",
+  "version": "0.8.0",
   "description": "AdonisJS OIDC/OAuth2 provider (Identity Provider) toolkit: ejectable auth server with sessions, rate-limiting, MFA/TOTP, audit log, federated logout and OpenTelemetry metrics.",
   "license": "MIT",
   "author": "dudousxd",