npm - create-fluxstack - Versions diffs - 1.12.1 → 1.14.0 - Mend

create-fluxstack 1.12.1 → 1.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (116) hide show

package/LLMD/INDEX.md +8 -1
package/LLMD/agent.md +867 -0
package/LLMD/config/environment-vars.md +30 -0
package/LLMD/patterns/anti-patterns.md +100 -0
package/LLMD/reference/routing.md +39 -39
package/LLMD/resources/live-auth.md +465 -0
package/LLMD/resources/live-components.md +168 -26
package/LLMD/resources/live-logging.md +220 -0
package/LLMD/resources/live-upload.md +59 -8
package/LLMD/resources/rest-auth.md +290 -0
package/README.md +520 -340
package/app/client/index.html +2 -2
package/app/client/public/favicon.svg +46 -0
package/app/client/src/App.tsx +13 -1
package/app/client/src/assets/fluxstack-static.svg +46 -0
package/app/client/src/assets/fluxstack.svg +183 -0
package/app/client/src/components/AppLayout.tsx +139 -9
package/app/client/src/components/BackButton.tsx +13 -13
package/app/client/src/components/DemoPage.tsx +4 -4
package/app/client/src/live/AuthDemo.tsx +334 -0
package/app/client/src/live/ChatDemo.tsx +2 -2
package/app/client/src/live/CounterDemo.tsx +12 -12
package/app/client/src/live/FormDemo.tsx +2 -2
package/app/client/src/live/LiveDebuggerPanel.tsx +779 -0
package/app/client/src/live/RoomChatDemo.tsx +24 -16
package/app/client/src/main.tsx +13 -13
package/app/client/src/pages/ApiTestPage.tsx +6 -6
package/app/client/src/pages/HomePage.tsx +80 -52
package/app/server/auth/AuthManager.ts +213 -0
package/app/server/auth/DevAuthProvider.ts +66 -0
package/app/server/auth/HashManager.ts +123 -0
package/app/server/auth/JWTAuthProvider.example.ts +101 -0
package/app/server/auth/RateLimiter.ts +106 -0
package/app/server/auth/contracts.ts +192 -0
package/app/server/auth/guards/SessionGuard.ts +167 -0
package/app/server/auth/guards/TokenGuard.ts +202 -0
package/app/server/auth/index.ts +174 -0
package/app/server/auth/middleware.ts +163 -0
package/app/server/auth/providers/InMemoryProvider.ts +162 -0
package/app/server/auth/sessions/SessionManager.ts +164 -0
package/app/server/cache/CacheManager.ts +81 -0
package/app/server/cache/MemoryDriver.ts +112 -0
package/app/server/cache/contracts.ts +49 -0
package/app/server/cache/index.ts +42 -0
package/app/server/index.ts +14 -0
package/app/server/live/LiveAdminPanel.ts +174 -0
package/app/server/live/LiveChat.ts +78 -77
package/app/server/live/LiveCounter.ts +1 -0
package/app/server/live/LiveForm.ts +1 -0
package/app/server/live/LiveLocalCounter.ts +38 -32
package/app/server/live/LiveProtectedChat.ts +151 -0
package/app/server/live/LiveRoomChat.ts +1 -0
package/app/server/live/LiveUpload.ts +1 -0
package/app/server/live/register-components.ts +19 -19
package/app/server/routes/auth.routes.ts +278 -0
package/app/server/routes/index.ts +2 -0
package/config/index.ts +8 -0
package/config/system/auth.config.ts +49 -0
package/config/system/runtime.config.ts +4 -0
package/config/system/session.config.ts +33 -0
package/core/build/optimizer.ts +235 -235
package/core/client/LiveComponentsProvider.tsx +76 -5
package/core/client/components/Live.tsx +17 -10
package/core/client/components/LiveDebugger.tsx +1324 -0
package/core/client/hooks/AdaptiveChunkSizer.ts +215 -215
package/core/client/hooks/useLiveComponent.ts +58 -5
package/core/client/hooks/useLiveDebugger.ts +392 -0
package/core/client/index.ts +16 -1
package/core/framework/server.ts +36 -4
package/core/plugins/built-in/index.ts +134 -134
package/core/plugins/built-in/live-components/commands/create-live-component.ts +19 -8
package/core/plugins/built-in/monitoring/index.ts +10 -3
package/core/plugins/built-in/vite/index.ts +151 -20
package/core/plugins/config.ts +5 -4
package/core/plugins/discovery.ts +11 -2
package/core/plugins/manager.ts +11 -5
package/core/plugins/module-resolver.ts +1 -1
package/core/plugins/registry.ts +53 -25
package/core/server/index.ts +15 -15
package/core/server/live/ComponentRegistry.ts +134 -50
package/core/server/live/FileUploadManager.ts +188 -24
package/core/server/live/LiveComponentPerformanceMonitor.ts +9 -8
package/core/server/live/LiveDebugger.ts +462 -0
package/core/server/live/LiveLogger.ts +144 -0
package/core/server/live/LiveRoomManager.ts +22 -5
package/core/server/live/StateSignature.ts +704 -643
package/core/server/live/WebSocketConnectionManager.ts +11 -10
package/core/server/live/auth/LiveAuthContext.ts +71 -0
package/core/server/live/auth/LiveAuthManager.ts +304 -0
package/core/server/live/auth/index.ts +19 -0
package/core/server/live/auth/types.ts +179 -0
package/core/server/live/auto-generated-components.ts +8 -2
package/core/server/live/index.ts +16 -0
package/core/server/live/websocket-plugin.ts +323 -22
package/core/server/plugins/static-files-plugin.ts +179 -69
package/core/templates/create-project.ts +0 -3
package/core/types/build.ts +219 -219
package/core/types/plugin.ts +107 -107
package/core/types/types.ts +278 -22
package/core/utils/index.ts +17 -17
package/core/utils/logger/index.ts +5 -2
package/core/utils/logger/startup-banner.ts +82 -82
package/core/utils/version.ts +6 -6
package/package.json +1 -8
package/plugins/crypto-auth/index.ts +6 -0
package/plugins/crypto-auth/server/CryptoAuthLiveProvider.ts +58 -0
package/plugins/crypto-auth/server/index.ts +24 -21
package/rest-tests/README.md +57 -0
package/rest-tests/auth-token.http +113 -0
package/rest-tests/auth.http +112 -0
package/rest-tests/rooms-token.http +69 -0
package/rest-tests/users-token.http +62 -0
package/.dockerignore +0 -81
package/Dockerfile +0 -70
package/LIVE_COMPONENTS_REVIEW.md +0 -781
package/app/client/src/assets/react.svg +0 -1

package/app/server/auth/guards/TokenGuard.ts ADDED Viewed

@@ -0,0 +1,202 @@
+/**
+ * FluxStack Auth - Token Guard
+ *
+ * Guard baseado em Bearer token (header Authorization).
+ * Para APIs consumidas por mobile apps, CLIs, integrações.
+ *
+ * Fluxo:
+ * 1. Client envia: Authorization: Bearer <token>
+ * 2. Guard busca user pelo token no provider
+ * 3. Se válido, user está autenticado
+ *
+ * Tokens são armazenados no cache com referência ao userId.
+ */
+import type {
+  Guard,
+  Authenticatable,
+  UserProvider,
+  RequestContext,
+} from '../contracts'
+import type { CacheDriver } from '@server/cache/contracts'
+interface StoredToken {
+  userId: string | number
+  createdAt: number
+  expiresAt: number | null
+}
+export class TokenGuard implements Guard {
+  readonly name: string
+  private provider: UserProvider
+  private cache: CacheDriver
+  private request: RequestContext | null = null
+  private tokenTtl: number
+  /** Cache do usuário para a request atual */
+  private resolvedUser: Authenticatable | null | undefined = undefined
+  constructor(
+    name: string,
+    provider: UserProvider,
+    cache: CacheDriver,
+    tokenTtlSeconds: number = 86400 // 24h default
+  ) {
+    this.name = name
+    this.provider = provider
+    this.cache = cache
+    this.tokenTtl = tokenTtlSeconds
+  }
+  setRequest(context: RequestContext): void {
+    this.request = context
+    this.resolvedUser = undefined
+  }
+  async user(): Promise<Authenticatable | null> {
+    if (this.resolvedUser !== undefined) {
+      return this.resolvedUser
+    }
+    this.resolvedUser = null
+    if (!this.request) return null
+    // 1. Extrair token do header Authorization
+    const token = this.getBearerToken()
+    if (!token) return null
+    // 2. Buscar token no cache
+    const tokenData = await this.cache.get<StoredToken>(`auth_token:${this.hashToken(token)}`)
+    if (!tokenData) return null
+    // 3. Verificar expiração
+    if (tokenData.expiresAt && Date.now() > tokenData.expiresAt) {
+      await this.cache.delete(`auth_token:${this.hashToken(token)}`)
+      return null
+    }
+    // 4. Buscar usuário
+    const user = await this.provider.retrieveById(tokenData.userId)
+    if (user) {
+      this.resolvedUser = user
+    }
+    return this.resolvedUser
+  }
+  async id(): Promise<string | number | null> {
+    const user = await this.user()
+    return user?.getAuthId() ?? null
+  }
+  async check(): Promise<boolean> {
+    return (await this.user()) !== null
+  }
+  async guest(): Promise<boolean> {
+    return (await this.user()) === null
+  }
+  async attempt(credentials: Record<string, unknown>): Promise<Authenticatable | null> {
+    // 1. Buscar user
+    const user = await this.provider.retrieveByCredentials(credentials)
+    if (!user) return null
+    // 2. Validar password
+    const valid = await this.provider.validateCredentials(user, credentials)
+    if (!valid) return null
+    // 3. Gerar e armazenar token
+    await this.login(user)
+    return user
+  }
+  async login(user: Authenticatable): Promise<void> {
+    // Gerar token
+    const token = this.generateToken()
+    const hashedToken = this.hashToken(token)
+    // Armazenar no cache
+    const tokenData: StoredToken = {
+      userId: user.getAuthId(),
+      createdAt: Date.now(),
+      expiresAt: this.tokenTtl > 0 ? Date.now() + (this.tokenTtl * 1000) : null,
+    }
+    await this.cache.set(`auth_token:${hashedToken}`, tokenData, this.tokenTtl || undefined)
+    // Armazenar lista de tokens do user (para revogação em massa)
+    const userTokensKey = `user_tokens:${user.getAuthId()}`
+    const existingTokens = await this.cache.get<string[]>(userTokensKey) ?? []
+    existingTokens.push(hashedToken)
+    await this.cache.set(userTokensKey, existingTokens)
+    // Cache do user
+    this.resolvedUser = user
+    // Salvar token plain-text temporariamente para a response poder retorná-lo
+    ;(this as any)._lastGeneratedToken = token
+  }
+  async logout(): Promise<void> {
+    if (!this.request) return
+    const token = this.getBearerToken()
+    if (token) {
+      await this.cache.delete(`auth_token:${this.hashToken(token)}`)
+    }
+    this.resolvedUser = null
+  }
+  async validate(credentials: Record<string, unknown>): Promise<boolean> {
+    const user = await this.provider.retrieveByCredentials(credentials)
+    if (!user) return false
+    return this.provider.validateCredentials(user, credentials)
+  }
+  /**
+   * Revoga todos os tokens de um usuário.
+   */
+  async revokeAllTokens(userId: string | number): Promise<void> {
+    const userTokensKey = `user_tokens:${userId}`
+    const tokens = await this.cache.get<string[]>(userTokensKey) ?? []
+    for (const hashedToken of tokens) {
+      await this.cache.delete(`auth_token:${hashedToken}`)
+    }
+    await this.cache.delete(userTokensKey)
+  }
+  /** Retorna o último token gerado (para a response após login) */
+  getLastGeneratedToken(): string | null {
+    return (this as any)._lastGeneratedToken ?? null
+  }
+  /** Extrai Bearer token do header Authorization */
+  private getBearerToken(): string | null {
+    if (!this.request) return null
+    const authHeader = this.request.headers['authorization'] ?? this.request.headers['Authorization']
+    if (!authHeader?.startsWith('Bearer ')) return null
+    return authHeader.slice(7)
+  }
+  /** Gera um token criptograficamente seguro */
+  private generateToken(): string {
+    const bytes = new Uint8Array(32)
+    crypto.getRandomValues(bytes)
+    return Array.from(bytes)
+      .map(b => b.toString(16).padStart(2, '0'))
+      .join('')
+  }
+  /** Hash do token para armazenamento (nunca guardar plain-text) */
+  private hashToken(token: string): string {
+    const hasher = new Bun.CryptoHasher('sha256')
+    hasher.update(token)
+    return hasher.digest('hex')
+  }
+}

package/app/server/auth/index.ts ADDED Viewed

@@ -0,0 +1,174 @@
+/**
+ * FluxStack Auth System
+ *
+ * Sistema de autenticação modular inspirado no Laravel.
+ * Guard + Provider pattern com session e token support.
+ *
+ * ```ts
+ * import { auth, guest, initAuth, getAuthManager } from '@server/auth'
+ *
+ * // Inicializar (no boot da app)
+ * initAuth()
+ *
+ * // Proteger rotas
+ * app.use(auth()).get('/me', ({ user }) => user.toJSON())
+ * app.use(guest()).post('/login', loginHandler)
+ *
+ * // Usar auth manager diretamente
+ * const manager = getAuthManager()
+ * const guard = manager.guard('session')
+ * const user = await guard.attempt({ email, password })
+ * ```
+ */
+// Contracts
+export type {
+  Authenticatable,
+  Guard,
+  UserProvider,
+  RequestContext,
+  CookieOptions,
+  GuardConfig,
+  GuardFactory,
+} from './contracts'
+// Auth Manager
+export { AuthManager } from './AuthManager'
+export type { AuthManagerConfig, ProviderConfig } from './AuthManager'
+// Hash
+export { HashManager, Hash, getHashManager, setHashManager } from './HashManager'
+export type { HashAlgorithm, HashOptions } from './HashManager'
+// Rate Limiter
+export { RateLimiter } from './RateLimiter'
+// Guards
+export { SessionGuard } from './guards/SessionGuard'
+export { TokenGuard } from './guards/TokenGuard'
+// Providers
+export { InMemoryUserProvider, InMemoryUser } from './providers/InMemoryProvider'
+// Sessions
+export { SessionManager } from './sessions/SessionManager'
+export type { SessionData, SessionConfig } from './sessions/SessionManager'
+// Middleware
+export { auth, guest, authOptional } from './middleware'
+// ===== Boot =====
+import { AuthManager } from './AuthManager'
+import { HashManager, setHashManager } from './HashManager'
+import { RateLimiter } from './RateLimiter'
+import { SessionManager } from './sessions/SessionManager'
+import { InMemoryUserProvider } from './providers/InMemoryProvider'
+import { setAuthManagerForMiddleware, buildRequestContext } from './middleware'
+import { cacheManager } from '@server/cache'
+import { authConfig } from '@config/system/auth.config'
+import { sessionConfig } from '@config/system/session.config'
+let authManagerInstance: AuthManager | null = null
+let rateLimiterInstance: RateLimiter | null = null
+let sessionManagerInstance: SessionManager | null = null
+/**
+ * Inicializa o sistema de auth.
+ * Deve ser chamado uma vez no boot da aplicação.
+ */
+export function initAuth(): {
+  authManager: AuthManager
+  rateLimiter: RateLimiter
+  sessionManager: SessionManager
+} {
+  // 1. Configurar Hash
+  const hashManager = new HashManager({
+    algorithm: authConfig.passwords.hashAlgorithm as 'bcrypt' | 'argon2id',
+    bcryptRounds: authConfig.passwords.bcryptRounds,
+  })
+  setHashManager(hashManager)
+  // 2. Criar Session Manager
+  const cache = cacheManager.driver()
+  sessionManagerInstance = new SessionManager(cache, {
+    lifetime: sessionConfig.lifetime,
+    cookieName: sessionConfig.cookieName,
+    httpOnly: sessionConfig.httpOnly,
+    secure: sessionConfig.secure,
+    sameSite: sessionConfig.sameSite as 'strict' | 'lax' | 'none',
+    path: sessionConfig.path,
+    domain: sessionConfig.domain || undefined,
+  })
+  // 3. Criar Rate Limiter
+  rateLimiterInstance = new RateLimiter(cache)
+  // 4. Criar Auth Manager
+  authManagerInstance = new AuthManager(
+    {
+      defaults: {
+        guard: authConfig.defaults.guard ?? 'session',
+        provider: authConfig.defaults.provider ?? 'memory',
+      },
+      guards: {
+        session: {
+          driver: 'session',
+          provider: 'memory',
+        },
+        token: {
+          driver: 'token',
+          provider: 'memory',
+          tokenTtl: authConfig.token.ttl,
+        },
+      },
+      providers: {
+        memory: {
+          driver: 'memory',
+        },
+      },
+    },
+    sessionManagerInstance
+  )
+  // 5. Registrar InMemoryProvider como default
+  const inMemoryProvider = new InMemoryUserProvider()
+  authManagerInstance.registerProvider('memory', inMemoryProvider)
+  // 6. Conectar middleware
+  setAuthManagerForMiddleware(authManagerInstance)
+  console.log(`🔐 Auth system initialized (guard: ${authConfig.defaults.guard}, hash: ${authConfig.passwords.hashAlgorithm})`)
+  return {
+    authManager: authManagerInstance,
+    rateLimiter: rateLimiterInstance,
+    sessionManager: sessionManagerInstance,
+  }
+}
+/** Retorna o AuthManager (deve ser chamado após initAuth) */
+export function getAuthManager(): AuthManager {
+  if (!authManagerInstance) {
+    throw new Error('Auth not initialized. Call initAuth() first.')
+  }
+  return authManagerInstance
+}
+/** Retorna o RateLimiter (deve ser chamado após initAuth) */
+export function getRateLimiter(): RateLimiter {
+  if (!rateLimiterInstance) {
+    throw new Error('Auth not initialized. Call initAuth() first.')
+  }
+  return rateLimiterInstance
+}
+/** Retorna o SessionManager (deve ser chamado após initAuth) */
+export function getSessionManager(): SessionManager {
+  if (!sessionManagerInstance) {
+    throw new Error('Auth not initialized. Call initAuth() first.')
+  }
+  return sessionManagerInstance
+}
+export { buildRequestContext }

package/app/server/auth/middleware.ts ADDED Viewed

@@ -0,0 +1,163 @@
+/**
+ * FluxStack Auth - Elysia Middleware
+ *
+ * Middlewares prontos para proteger rotas:
+ *
+ * ```ts
+ * // Rota protegida (requer login)
+ * app.use(auth()).get('/me', ({ user }) => user.toJSON())
+ *
+ * // Rota de guest (requer NÃO estar logado)
+ * app.use(guest()).post('/login', loginHandler)
+ *
+ * // Guard específico
+ * app.use(auth('api')).get('/api/data', handler)
+ * ```
+ */
+import { Elysia } from 'elysia'
+import type { AuthManager } from './AuthManager'
+import type { Authenticatable, RequestContext } from './contracts'
+/** Referência ao AuthManager (setado no boot) */
+let authManagerRef: AuthManager | null = null
+export function setAuthManagerForMiddleware(manager: AuthManager): void {
+  authManagerRef = manager
+}
+/**
+ * Extrai RequestContext do context do Elysia.
+ */
+function buildRequestContext(ctx: any): RequestContext {
+  const headers: Record<string, string | undefined> = {}
+  if (ctx.headers) {
+    for (const [key, value] of Object.entries(ctx.headers)) {
+      headers[key] = value as string | undefined
+    }
+  }
+  return {
+    headers,
+    cookie: ctx.cookie ?? {},
+    setCookie: (name: string, value: string, options?: any) => {
+      if (ctx.cookie) {
+        ctx.cookie[name].set({
+          value,
+          ...options,
+        })
+      }
+    },
+    removeCookie: (name: string) => {
+      if (ctx.cookie) {
+        ctx.cookie[name].set({
+          value: '',
+          maxAge: 0,
+          path: '/',
+        })
+      }
+    },
+    ip: ctx.request?.headers?.get('x-forwarded-for')
+      ?? ctx.request?.headers?.get('x-real-ip')
+      ?? ctx.server?.requestIP?.(ctx.request)?.address
+      ?? '127.0.0.1',
+  }
+}
+/**
+ * Middleware que requer autenticação.
+ * Injeta `user` (Authenticatable) no context do Elysia.
+ *
+ * Retorna 401 se não autenticado.
+ */
+export function auth(guardName?: string) {
+  return new Elysia({ name: `auth-guard${guardName ? `-${guardName}` : ''}` })
+    .derive(async (ctx) => {
+      if (!authManagerRef) {
+        throw new Error('Auth system not initialized. Did you forget to call initAuth()?')
+      }
+      const requestContext = buildRequestContext(ctx)
+      const guard = authManagerRef.freshGuard(guardName, requestContext)
+      const user = await guard.user()
+      return {
+        user: user as Authenticatable | null,
+        auth: guard,
+      }
+    })
+    .onBeforeHandle(async (ctx) => {
+      if (!(ctx as any).user) {
+        (ctx as any).set.status = 401
+        return {
+          success: false,
+          error: 'Unauthenticated',
+          message: 'You must be logged in to access this resource.',
+        }
+      }
+    })
+    .as('scoped')
+}
+/**
+ * Middleware que requer NÃO estar autenticado.
+ * Útil para rotas de login/register.
+ *
+ * Retorna 409 se já autenticado.
+ */
+export function guest(guardName?: string) {
+  return new Elysia({ name: `guest-guard${guardName ? `-${guardName}` : ''}` })
+    .derive(async (ctx) => {
+      if (!authManagerRef) {
+        throw new Error('Auth system not initialized. Did you forget to call initAuth()?')
+      }
+      const requestContext = buildRequestContext(ctx)
+      const guard = authManagerRef.freshGuard(guardName, requestContext)
+      const user = await guard.user()
+      return {
+        user: user as Authenticatable | null,
+        auth: guard,
+      }
+    })
+    .onBeforeHandle(async (ctx) => {
+      if ((ctx as any).user) {
+        (ctx as any).set.status = 409
+        return {
+          success: false,
+          error: 'AlreadyAuthenticated',
+          message: 'You are already logged in.',
+        }
+      }
+    })
+    .as('scoped')
+}
+/**
+ * Middleware que resolve auth opcionalmente (não bloqueia).
+ * Útil para rotas que funcionam com ou sem login.
+ */
+export function authOptional(guardName?: string) {
+  return new Elysia({ name: `auth-optional${guardName ? `-${guardName}` : ''}` })
+    .derive(async (ctx) => {
+      if (!authManagerRef) {
+        return { user: null, auth: null }
+      }
+      const requestContext = buildRequestContext(ctx)
+      const guard = authManagerRef.freshGuard(guardName, requestContext)
+      const user = await guard.user()
+      return {
+        user: user as Authenticatable | null,
+        auth: guard,
+      }
+    })
+    .as('scoped')
+}
+export { buildRequestContext }

package/app/server/auth/providers/InMemoryProvider.ts ADDED Viewed

@@ -0,0 +1,162 @@
+/**
+ * FluxStack Auth - In-Memory User Provider
+ *
+ * Provider que armazena usuários em memória.
+ * Ideal para desenvolvimento, demos e testes.
+ *
+ * Para produção, implemente UserProvider com seu ORM:
+ * ```ts
+ * class DrizzleUserProvider implements UserProvider {
+ *   async retrieveById(id) {
+ *     return db.select().from(users).where(eq(users.id, id)).get()
+ *   }
+ *   // ...
+ * }
+ * ```
+ */
+import type { Authenticatable, UserProvider } from '../contracts'
+import { Hash } from '../HashManager'
+// ===== In-Memory User Model =====
+export class InMemoryUser implements Authenticatable {
+  id: number
+  name: string
+  email: string
+  passwordHash: string
+  rememberToken: string | null = null
+  createdAt: Date
+  constructor(data: {
+    id: number
+    name: string
+    email: string
+    passwordHash: string
+    createdAt?: Date
+  }) {
+    this.id = data.id
+    this.name = data.name
+    this.email = data.email
+    this.passwordHash = data.passwordHash
+    this.createdAt = data.createdAt ?? new Date()
+  }
+  getAuthId(): number {
+    return this.id
+  }
+  getAuthIdField(): string {
+    return 'id'
+  }
+  getAuthPassword(): string {
+    return this.passwordHash
+  }
+  getRememberToken(): string | null {
+    return this.rememberToken
+  }
+  setRememberToken(token: string | null): void {
+    this.rememberToken = token
+  }
+  toJSON(): Record<string, unknown> {
+    return {
+      id: this.id,
+      name: this.name,
+      email: this.email,
+      createdAt: this.createdAt.toISOString(),
+    }
+  }
+}
+// ===== Provider =====
+export class InMemoryUserProvider implements UserProvider {
+  private users: InMemoryUser[] = []
+  private nextId = 1
+  async retrieveById(id: string | number): Promise<Authenticatable | null> {
+    return this.users.find(u => u.id === Number(id)) ?? null
+  }
+  async retrieveByCredentials(credentials: Record<string, unknown>): Promise<Authenticatable | null> {
+    // Buscar por qualquer campo EXCETO password
+    const { password: _, ...searchFields } = credentials
+    return this.users.find(user => {
+      return Object.entries(searchFields).every(([key, value]) => {
+        return (user as any)[key] === value
+      })
+    }) ?? null
+  }
+  async validateCredentials(user: Authenticatable, credentials: Record<string, unknown>): Promise<boolean> {
+    const password = credentials.password as string | undefined
+    if (!password) return false
+    const valid = await Hash.check(password, user.getAuthPassword())
+    // Rehash transparente se necessário
+    if (valid && Hash.needsRehash(user.getAuthPassword())) {
+      const newHash = await Hash.make(password)
+      // Atualizar hash in-memory
+      const memUser = user as InMemoryUser
+      memUser.passwordHash = newHash
+    }
+    return valid
+  }
+  async retrieveByToken(id: string | number, token: string): Promise<Authenticatable | null> {
+    const user = this.users.find(u => u.id === Number(id))
+    if (!user) return null
+    if (user.getRememberToken() !== token) return null
+    return user
+  }
+  async updateRememberToken(user: Authenticatable, token: string | null): Promise<void> {
+    user.setRememberToken(token)
+  }
+  async createUser(data: Record<string, unknown>): Promise<Authenticatable> {
+    const name = data.name as string
+    const email = data.email as string
+    const password = data.password as string
+    if (!name || !email || !password) {
+      throw new Error('Name, email and password are required')
+    }
+    // Verificar email duplicado
+    const existing = this.users.find(u => u.email === email)
+    if (existing) {
+      throw new Error('Email already in use')
+    }
+    const passwordHash = await Hash.make(password)
+    const user = new InMemoryUser({
+      id: this.nextId++,
+      name,
+      email,
+      passwordHash,
+    })
+    this.users.push(user)
+    return user
+  }
+  /** Para testes: reset completo */
+  reset(): void {
+    this.users = []
+    this.nextId = 1
+  }
+  /** Para testes: retorna todos os usuários */
+  getAll(): InMemoryUser[] {
+    return [...this.users]
+  }
+}