himari 0.5.0 → 0.7.0

data/lib/himari/services/oidc_token_endpoint.rb

@@ -1,14 +1,22 @@
+# frozen_string_literal: true
+
 require 'rack/oauth2'
 require 'digest/sha2'
 require 'openid_connect'
 require 'himari/access_token'
+require 'himari/refresh_token'
 require 'himari/id_token'
+require 'himari/storages/base'
+require 'himari/services/downstream_authorization'
+require 'himari/services/upstream_authentication'
 
 module Himari
   module Services
     class OidcTokenEndpoint
       class SigningKeyMissing < StandardError; end
 
+      Issued = Struct.new(:access, :access_token_string, :id_token_jwt, :signing_key, keyword_init: true)
+
       # @param client_provider [Himari::ProviderChain<Himari::ClientRegistration>]
       # @param signing_key_provider [Himari::ProviderChain<Himari::SigningKey>]
       # @param storage [Himari::Storages::Base]
@@ -25,70 +33,241 @@ module Himari
       def call(env)
         app(env).call(env)
       rescue Rack::OAuth2::Server::Abstract::Error => e
-        @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: returning error', req: env['himari.request_as_log'], client: client.as_log, err: e.class.inspect, err_content: e.protocol_params))
+        @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: returning error', req: env['himari.request_as_log'], err: e.class.inspect, err_content: e.protocol_params))
         e.finish
       end
 
       def app(env)
         Rack::OAuth2::Server::Token.new do |req, res|
-          code_dgst = req.code ? Digest::SHA256.hexdigest(req.code) : nil
           client = @client_provider.find(id: req.client_id)
           unless client
-            @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_client, no client registration', req: env['himari.request_as_log'], client_id: req.client_id, code_dgst: code_dgst))
+            @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_client, no client registration', req: env['himari.request_as_log'], client_id: req.client_id))
             next req.invalid_client!
           end
-          unless client.match_secret?(req.client_secret)
-            @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_client, client secret mismatch', req: env['himari.request_as_log'], client: client.as_log, code_dgst: code_dgst))
-            next req.invalid_client! 
+          # Public clients (token_endpoint_auth_method=none) present no secret; they are bound
+          # to the authorization code by PKCE and the client_id check in handle_authorization_code.
+          if client.confidential? && !client.match_secret?(req.client_secret)
+            @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_client, client secret mismatch', req: env['himari.request_as_log'], client: client.as_log))
+            next req.invalid_client!
           end
 
           case req.grant_type
           when :authorization_code
-            authz = @storage.find_authorization(req.code)
-            unless authz
-              @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, no grant code found', req: env['himari.request_as_log'], client: client.as_log))
-              next req.invalid_grant! 
-            end
-            unless authz.valid_redirect_uri?(req.redirect_uri)
-              @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, redirect_uri mismatch', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log))
-              next req.invalid_grant! 
-            end
-            if authz.expiry <= Time.now.to_i
-              @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, expired grant', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log))
-              next req.invalid_grant! 
-            end
-
-            if authz.pkce?
-              if req.verify_code_verifier!(authz.code_challenge, authz.code_challenge_method)
-                # do nothing
-              else
-                # :nocov:
-                @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, invalid pkce', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log))
-                next req.invalid_grant!
-                # :nocov:
-              end
-            elsif client.require_pkce
-              @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, pkce is mandatory', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log))
-              next req.invalid_grant!
-            end
-
-            token = AccessToken.from_authz(authz)
-            @storage.put_token(token)
-            res.access_token = token.to_bearer
-
-            if authz.openid
-              signing_key = @signing_key_provider.find(group: client.preferred_key_group, active: true)
-              raise SigningKeyMissing unless signing_key
-              res.id_token = IdToken.from_authz(authz, signing_key: signing_key, access_token: token.format.to_s, issuer: @issuer).to_jwt
-            end
-
-            @storage.delete_authorization(authz)
-            @logger&.info(Himari::LogLine.new('OidcTokenEndpoint: issued', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log, token: token.as_log, signing_key_kid: signing_key&.id))
+            handle_authorization_code(env, req, res, client)
+          when :refresh_token
+            handle_refresh_token(env, req, res, client)
           else
             req.unsupported_response_type!
           end
         end
       end
+
+      private def handle_authorization_code(env, req, res, client)
+        authz = @storage.find_authorization(req.code)
+        unless authz
+          @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, no grant code found', req: env['himari.request_as_log'], client: client.as_log))
+          return req.invalid_grant!
+        end
+        unless authz.client_id == client.id
+          @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, grant client_id mismatch', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log))
+          return req.invalid_grant!
+        end
+        unless authz.valid_redirect_uri?(req.redirect_uri)
+          @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, redirect_uri mismatch', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log))
+          return req.invalid_grant!
+        end
+        if authz.expiry <= Time.now.to_i
+          @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, expired grant', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log))
+          return req.invalid_grant!
+        end
+
+        if authz.pkce?
+          if req.verify_code_verifier!(authz.code_challenge, authz.code_challenge_method)
+            # do nothing
+          else
+            # :nocov:
+            @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, invalid pkce', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log))
+            return req.invalid_grant!
+            # :nocov:
+          end
+        elsif client.require_pkce
+          @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, pkce is mandatory', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log))
+          return req.invalid_grant!
+        end
+
+        issued = issue_access_and_id(
+          client: client,
+          claims: authz.claims,
+          scopes: authz.scopes,
+          lifetime: authz.lifetime,
+          openid: authz.openid,
+          session_handle: authz.session_handle,
+          nonce: authz.nonce,
+          mint_jwt_access_token: authz.mint_jwt_access_token,
+        )
+
+        refresh = nil
+        if authz.offline_access && authz.session_handle && authz.lifetime&.refresh_token
+          refresh = RefreshToken.make(client_id: client.id, claims: authz.claims, session_handle: authz.session_handle, openid: authz.openid, scopes: authz.scopes, lifetime: authz.lifetime.refresh_token)
+          @storage.put_refresh_token(refresh)
+        end
+
+        bearer = issued.access.to_bearer(token_string: issued.access_token_string)
+        bearer.refresh_token = refresh.format.to_s if refresh
+        res.access_token = bearer
+        res.id_token = issued.id_token_jwt if issued.id_token_jwt
+
+        @storage.delete_authorization(authz)
+        @logger&.info(Himari::LogLine.new('OidcTokenEndpoint: issued', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log, token: issued.access.as_log, refresh_token: refresh&.as_log, signing_key_kid: issued.signing_key&.id))
+      end
+
+      private def handle_refresh_token(env, req, res, client)
+        given_token_str = req.refresh_token
+        unless given_token_str
+          return reject_refresh!(env, req, client, 'no refresh_token given')
+        end
+
+        begin
+          parsed = Himari::RefreshToken.parse(given_token_str)
+        rescue Himari::TokenString::InvalidFormat => e
+          return reject_refresh!(env, req, client, 'invalid refresh_token format', err: e.class.inspect)
+        end
+
+        refresh = @storage.find_refresh_token(parsed.handle)
+        unless refresh
+          return reject_refresh!(env, req, client, 'unknown refresh_token')
+        end
+
+        begin
+          refresh.verify!(secret: parsed.secret)
+        rescue Himari::TokenString::Error => e
+          return reject_refresh!(env, req, client, 'refresh_token verify failed', refresh: refresh, err: e.class.inspect)
+        end
+
+        unless refresh.client_id == client.id
+          return reject_refresh!(env, req, client, 'refresh_token client_id mismatch', refresh: refresh)
+        end
+
+        session = refresh.session_handle && @storage.find_session(refresh.session_handle)
+        unless session
+          return reject_refresh!(env, req, client, 'refresh_token has no session', refresh: refresh)
+        end
+
+        unless session.refreshable?
+          return reject_refresh!(env, req, client, 'session is not refreshable (no refresh_info)', refresh: refresh, session: session.as_log)
+        end
+
+        unless session.active?
+          return reject_refresh!(env, req, client, 'session expired', refresh: refresh, session: session.as_log)
+        end
+
+        rack_request = Rack::Request.new(env)
+
+        begin
+          authn = Himari::Services::UpstreamAuthentication.revalidate_from_request(session: session, request: rack_request).perform
+        rescue Himari::Services::UpstreamAuthentication::UnauthorizedError => e
+          return reject_refresh!(env, req, client, 'refresh upstream authn denied', refresh: refresh, session: session.as_log, result: e.as_log)
+        end
+
+        updated_session = authn.session_data
+
+        begin
+          downstream = Himari::Services::DownstreamAuthorization.from_request(session: updated_session, client: client, request: rack_request, grant_type: :refresh_token, requested_scopes: refresh.scopes).perform
+        rescue Himari::Services::DownstreamAuthorization::ForbiddenError => e
+          return reject_refresh!(env, req, client, 'refresh downstream authz denied', refresh: refresh, session: updated_session.as_log, result: e.as_log)
+        end
+
+        # Refresh lifetime is recomputed by the authz rules on every refresh; if it is no
+        # longer configured the session is no longer refreshable. Fail closed.
+        unless downstream.lifetime&.refresh_token
+          return reject_refresh!(env, req, client, 'refresh_token lifetime no longer configured', refresh: refresh, session: updated_session.as_log)
+        end
+
+        # Rotate the token in place; verify! above recorded which secret the client presented,
+        # which rotate keeps valid as the previous one. The token's original expiry is
+        # preserved (absolute cap); the lifetime guard above only gates whether refresh is
+        # still permitted by the rules, not how long the rotated token lives.
+        rotated = refresh.rotate(claims: downstream.claims, openid: refresh.openid)
+
+        # Compare-and-swap on the version we read. A concurrent refresh that already rotated
+        # this token bumps the version, so the loser's write conflicts. Reject the loser
+        # without revoking — the winner's rotation (same handle) must survive.
+        begin
+          @storage.put_refresh_token(rotated, if_version: refresh.version)
+        rescue Himari::Storages::Base::Conflict
+          return reject_refresh!(env, req, client, 'refresh_token version conflict (concurrent use)', refresh: refresh, revoke: false)
+        end
+
+        @storage.put_session(updated_session, overwrite: true)
+
+        # OIDC core §12.2: refreshed ID Token MAY be returned, with no nonce on refresh.
+        issued = issue_access_and_id(
+          client: client,
+          claims: downstream.claims,
+          scopes: downstream.scopes,
+          lifetime: downstream.lifetime,
+          openid: refresh.openid,
+          session_handle: updated_session.handle,
+          nonce: nil,
+          mint_jwt_access_token: downstream.mint_jwt_access_token,
+        )
+
+        bearer = issued.access.to_bearer(token_string: issued.access_token_string)
+        bearer.refresh_token = rotated.format.to_s
+        res.access_token = bearer
+        res.id_token = issued.id_token_jwt if issued.id_token_jwt
+
+        @logger&.info(Himari::LogLine.new('OidcTokenEndpoint: refreshed', req: env['himari.request_as_log'], client: client.as_log, session: updated_session.as_log, token: issued.access.as_log, refresh_token: rotated.as_log, prev_version: refresh.version, secret_slot: refresh.verification&.via, signing_key_kid: issued.signing_key&.id))
+      end
+
+      # Reject a refresh request with invalid_grant. By default this revokes the presented
+      # refresh token when one was looked up, keeping refresh failures fail-closed against
+      # replay. revoke: false is used only for the concurrent-conflict path, where the
+      # winning request has already rotated this same handle and must not be revoked.
+      private def reject_refresh!(env, req, client, reason, refresh: nil, revoke: true, **fields)
+        log = {req: env['himari.request_as_log'], client: client.as_log}
+        log[:refresh] = refresh.as_log if refresh
+        @logger&.warn(Himari::LogLine.new("OidcTokenEndpoint: invalid_grant, #{reason}", **log, **fields))
+        @storage.delete_refresh_token(refresh) if refresh && revoke
+        req.invalid_grant!
+      end
+
+      # Mint an access token (and, for OIDC, an id_token JWT). Refresh tokens are handled
+      # separately by each grant path: the authorization_code path mints a fresh one, while
+      # the refresh path rotates the presented token in place.
+      private def issue_access_and_id(client:, claims:, scopes:, lifetime:, openid:, session_handle:, nonce:, mint_jwt_access_token:)
+        access = AccessToken.make(client_id: client.id, claims: claims, scopes: scopes, session_handle: session_handle, lifetime: lifetime.access_token)
+        @storage.put_token(access)
+
+        # Both the ID Token and a JWT access token are signed by the same key; resolve it once.
+        signing_key = nil
+        if openid || mint_jwt_access_token
+          signing_key = @signing_key_provider.find(group: client.preferred_key_group, active: true)
+          raise SigningKeyMissing unless signing_key
+        end
+
+        access_token_string = if mint_jwt_access_token
+          access.to_jwt(signing_key: signing_key, issuer: @issuer)
+        else
+          access.format.to_s
+        end
+
+        id_token_jwt = nil
+        if openid
+          id_token_jwt = IdToken.new(
+            claims: claims,
+            client_id: client.id,
+            nonce: nonce,
+            signing_key: signing_key,
+            issuer: @issuer,
+            # at_hash binds the ID Token to the access token actually delivered (JWT or opaque).
+            access_token: access_token_string,
+            lifetime: lifetime.id_token,
+          ).to_jwt
+        end
+
+        Issued.new(access: access, access_token_string: access_token_string, id_token_jwt: id_token_jwt, signing_key: signing_key)
+      end
     end
   end
 end

data/lib/himari/services/oidc_userinfo_endpoint.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'himari/access_token'
 require 'himari/token_string'
 require 'himari/log_line'
@@ -6,9 +8,12 @@ module Himari
   module Services
     class OidcUserinfoEndpoint
       # @param storage [Himari::Storages::Base]
+      # @param signing_key_provider [Himari::ProviderChain<Himari::SigningKey>] verifies RFC 9068
+      #   JWT access tokens; opaque tokens do not need it
       # @param logger [Logger]
-      def initialize(storage:, logger: nil)
+      def initialize(storage:, signing_key_provider: nil, logger: nil)
         @storage = storage
+        @signing_key_provider = signing_key_provider
         @logger = logger
       end
 
@@ -17,14 +22,15 @@ module Himari
       end
 
       def call(env)
-        Handler.new(storage: @storage, env: env, logger: @logger).response
+        Handler.new(storage: @storage, signing_key_provider: @signing_key_provider, env: env, logger: @logger).response
       end
 
       class Handler
         class InvalidToken < StandardError; end
 
-        def initialize(storage:, env:, logger:)
+        def initialize(storage:, env:, logger:, signing_key_provider: nil)
           @storage = storage
+          @signing_key_provider = signing_key_provider
           @env = env
           @logger = logger
         end
@@ -34,11 +40,13 @@ module Himari
           return [404, {'Content-Type' => 'application/json'}, ['{"error": "not_found"}']] unless %w(GET POST).include?(@env['REQUEST_METHOD'])
 
           raise InvalidToken unless given_token
-          given_parsed_token = Himari::AccessToken.parse(given_token)
+
+          given_parsed_token = Himari::AccessToken.parse(given_token, signing_key_provider: @signing_key_provider)
 
           token = @storage.find_token(given_parsed_token.handle)
           raise InvalidToken unless token
-          token.verify_expiry!()
+
+          token.verify_expiry!
           token.verify_secret!(given_parsed_token.secret)
 
           @logger&.info(Himari::LogLine.new('OidcUserinfoEndpoint: returning', req: @env['himari.request_as_log'], token: token.as_log))
@@ -63,8 +71,6 @@ module Himari
             method, token = ah&.split(/\s+/, 2) # https://www.rfc-editor.org/rfc/rfc9110#name-credentials
             if method&.downcase == 'bearer' && token && !token.empty?
               token
-            else
-              nil
             end
           end
         end

data/lib/himari/services/upstream_authentication.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'himari/log_line'
 require 'himari/decisions/authentication'
 require 'himari/decisions/claims'
@@ -29,20 +31,26 @@ module Himari
           {
             session: session_data&.as_log,
             decision: {
-              claims: claims_result&.as_log&.reject{ |k,_v| %i(allowed explicit_deny).include?(k) },
+              claims: claims_result&.as_log&.reject { |k, _v| %i(allowed explicit_deny).include?(k) },
               authentication: authn_result&.as_log,
             },
           }
         end
       end
 
-      # @param auth [Hash] Omniauth Auth Hash
+      # @param auth [Hash, nil] Omniauth Auth Hash (nil on revalidation)
+      # @param session [Himari::SessionData, nil] Existing session to revalidate (nil on initial login)
+      # @param grant_type [Symbol] :initial for omniauth callback, :refresh_token for revalidation
       # @param claims_rules [Array<Himari::Rule>] Claims Rules
       # @param authn_rules [Array<Himari::Rule>] Authentication Rules
       # @param logger [Logger]
-      def initialize(auth:, request: nil, claims_rules: [], authn_rules: [], logger: nil)
+      def initialize(auth: nil, session: nil, grant_type: :initial, request: nil, claims_rules: [], authn_rules: [], logger: nil)
+        raise ArgumentError, "auth or session is required" if auth.nil? && session.nil?
+
         @request = request
         @auth = auth
+        @session = session
+        @grant_type = grant_type
         @claims_rules = claims_rules
         @authn_rules = authn_rules
         @logger = logger
@@ -52,6 +60,22 @@ module Himari
       def self.from_request(request)
         new(
           auth: request.env.fetch('omniauth.auth'),
+          grant_type: :initial,
+          request: request,
+          claims_rules: Himari::ProviderChain.new(request.env[Himari::Middlewares::ClaimsRule::RACK_KEY] || []).collect,
+          authn_rules: Himari::ProviderChain.new(request.env[Himari::Middlewares::AuthenticationRule::RACK_KEY] || []).collect,
+          logger: request.env['rack.logger'],
+        )
+      end
+
+      # Re-run claims/authn rules against an existing session, e.g. on refresh_token grant.
+      #
+      # @param session [Himari::SessionData] existing session loaded from storage
+      # @param request [Rack::Request]
+      def self.revalidate_from_request(session:, request:)
+        new(
+          session: session,
+          grant_type: :refresh_token,
           request: request,
           claims_rules: Himari::ProviderChain.new(request.env[Himari::Middlewares::ClaimsRule::RACK_KEY] || []).collect,
           authn_rules: Himari::ProviderChain.new(request.env[Himari::Middlewares::AuthenticationRule::RACK_KEY] || []).collect,
@@ -60,27 +84,37 @@ module Himari
       end
 
       def provider
-        @auth&.fetch(:provider)
+        (@auth && @auth[:provider]) || @session&.user_data&.dig(:provider)
       end
 
-      def perform
-        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: perform', objid: self.object_id.to_s(16), uid: @auth[:uid], provider: @auth[:provider]))
-        claims_result = make_claims()
-        session_data = claims_result.decision.output
+      def uid_for_log
+        (@auth && @auth[:uid]) || @session&.claims&.dig(:sub)
+      end
 
-        authn_result = check_authn(claims_result, session_data)
+      def perform
+        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: perform', objid: object_id.to_s(16), uid: uid_for_log, provider: provider, grant_type: @grant_type))
+        claims_result = make_claims
+        base = derive_base_session(claims_result)
 
+        authn_result = check_authn(claims_result, base)
+        final_refresh_info = authn_result.decision&.refresh_info || claims_result.decision&.refresh_info
+        session_data = base.with(refresh_info: final_refresh_info)
 
         result = Result.new(claims_result, authn_result, session_data)
-        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: result', objid: self.object_id.to_s(16), uid: @auth[:uid], provider: @auth[:provider], result: result.as_log))
+        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: result', objid: object_id.to_s(16), uid: uid_for_log, provider: provider, grant_type: @grant_type, result: result.as_log))
         result
       end
 
       def make_claims
-        context = Himari::Decisions::Claims::Context.new(request: @request, auth: @auth).freeze
+        context = Himari::Decisions::Claims::Context.new(request: @request, auth: @auth, provider: provider, grant_type: @grant_type, refresh_info: @session&.refresh_info).freeze
         result = Himari::RuleProcessor.new(context, Himari::Decisions::Claims.new).run(@claims_rules)
 
-        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: claims', objid: self.object_id.to_s(16), uid: @auth[:uid], provider: @auth[:provider], claims_result: result.as_log))
+        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: claims', objid: object_id.to_s(16), uid: uid_for_log, provider: provider, grant_type: @grant_type, claims_result: result.as_log))
+
+        if result.explicit_deny
+          @logger&.warn(Himari::LogLine.new('UpstreamAuthentication: claims explicit deny', objid: object_id.to_s(16), uid: uid_for_log, provider: provider, grant_type: @grant_type, claims_result: result.as_log))
+          raise UnauthorizedError.new(Result.new(result, nil, nil))
+        end
 
         begin
           claims = result.decision&.output&.claims
@@ -92,13 +126,27 @@ module Himari
         result
       end
 
+      def derive_base_session(claims_result)
+        decision = claims_result.decision
+        if @session
+          # revalidation: keep existing handle/secret/expiry, refresh claims/user_data
+          @session.with(claims: decision.claims, user_data: decision.user_data)
+        else
+          decision.output
+        end
+      end
+
       def check_authn(claims_result, session_data)
-        context = Himari::Decisions::Authentication::Context.new(provider: provider, claims: session_data.claims, user_data: session_data.user_data, request: @request).freeze
+        context = Himari::Decisions::Authentication::Context.new(provider: provider, claims: session_data.claims, user_data: session_data.user_data, request: @request, grant_type: @grant_type, refresh_info: @session&.refresh_info).freeze
+        # Don't preseed decision.refresh_info from session; otherwise a no-op authn rule would clobber whatever
+        # the claims rule wrote (via Claims#refresh_info=). Authn rules that want to preserve session.refresh_info
+        # must read context.refresh_info and assign it explicitly.
         result = Himari::RuleProcessor.new(context, Himari::Decisions::Authentication.new).run(@authn_rules)
 
-        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: authentication', objid: self.object_id.to_s(16), uid: @auth[:uid], provider: @auth[:provider],  authn_result: result.as_log))
+        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: authentication', objid: object_id.to_s(16), uid: uid_for_log, provider: provider, grant_type: @grant_type, authn_result: result.as_log))
 
         raise UnauthorizedError.new(Result.new(claims_result, result, nil)) unless result.allowed
+
         result
       end
     end

data/lib/himari/session_data.rb

@@ -1,17 +1,22 @@
+# frozen_string_literal: true
+
 require 'himari/token_string'
 
 module Himari
   class SessionData
     include Himari::TokenString
 
-    def initialize(claims: {}, user_data: {}, handle:, secret: nil, secret_hash: nil, expiry: nil)
+    def initialize(claims: {}, user_data: {}, refresh_info: nil, handle:, secret: nil, secret_hash: nil, expiry: nil)
       @claims = claims
       @user_data = user_data
+      @refresh_info = refresh_info
 
       @handle = handle
       @secret = secret
       @secret_hash = secret_hash
+      @secret_hash_prev = nil
       @expiry = expiry
+      @verification = nil
     end
 
     def self.magic_header
@@ -22,13 +27,36 @@ module Himari
       3600
     end
 
-    attr_reader :claims, :user_data
+    attr_reader :claims, :user_data, :refresh_info
+
+    def refreshable?
+      !@refresh_info.nil?
+    end
+
+    def active?(now: Time.now)
+      @expiry.nil? || @expiry > now.to_i
+    end
+
+    # Return a copy with selected fields replaced. Reads @secret directly to
+    # sidestep TokenString#secret raising SecretMissing for storage-loaded sessions.
+    def with(claims: @claims, user_data: @user_data, refresh_info: @refresh_info, expiry: @expiry)
+      self.class.new(
+        handle: @handle,
+        secret: @secret,
+        secret_hash: @secret_hash,
+        expiry: expiry,
+        claims: claims,
+        user_data: user_data,
+        refresh_info: refresh_info,
+      )
+    end
 
     def as_log
       {
         handle: handle,
         claims: claims,
         expiry: expiry,
+        refreshable: refreshable?,
       }
     end
 
@@ -40,6 +68,7 @@ module Himari
 
         claims: claims,
         user_data: user_data,
+        refresh_info: refresh_info,
       }
     end
   end

data/lib/himari/signing_key.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'digest/sha2'
 require 'base64'
 module Himari
@@ -15,7 +17,6 @@ module Himari
 
     attr_reader :id, :pkey, :group
 
-
     def active?
       !@inactive
     end
@@ -30,7 +31,7 @@ module Himari
       end
 
       result &&= if !active.nil?
-        active == self.active?
+        active == active?
       else
         true
       end
@@ -55,9 +56,9 @@ module Himari
         'RS256'
       when OpenSSL::PKey::EC
         case ec_crv
-        when 'P-256'; 'ES256'
-        when 'P-384'; 'ES384'
-        when 'P-521'; 'ES512'
+        when 'P-256' then 'ES256'
+        when 'P-384' then 'ES384'
+        when 'P-521' then 'ES512'
         else
           raise AlgUnknown
         end
@@ -68,9 +69,9 @@ module Himari
 
     def hash_function
       case alg
-      when 'ES256', 'RS256'; Digest::SHA256
-      when 'ES384'; Digest::SHA384
-      when 'ES512'; Digest::SHA512
+      when 'ES256', 'RS256' then Digest::SHA256
+      when 'ES384' then Digest::SHA384
+      when 'ES512' then Digest::SHA512
       else
         raise AlgUnknown
       end
@@ -78,6 +79,7 @@ module Himari
 
     def ec_crv
       raise OperationInvalid, "this key is not EC" unless pkey.is_a?(OpenSSL::PKey::EC)
+
       # https://www.rfc-editor.org/rfc/rfc8422.html#appendix-A
       case pkey.group.curve_name
       when 'prime256v1', 'secp256r1'
@@ -97,10 +99,11 @@ module Himari
       when OpenSSL::PKey::EC # https://www.rfc-editor.org/rfc/rfc7518#section-6.2
         # https://www.secg.org/sec1-v2.pdf - 2.3.3. Elliptic-Curve-Point-to-Octet-String Conversion
         xy = pkey.public_key.to_octet_string(:uncompressed) # 0x04 || X || Y
-        len = pkey.group.degree/8
-        raise unless xy[0] == "\x04".b && xy.size == ((len*2)+1)
-        x = xy[1,len]
-        y = xy[1+len,len]
+        len = pkey.group.degree / 8
+        raise unless xy[0] == "\x04".b && xy.size == ((len * 2) + 1)
+
+        x = xy[1, len]
+        y = xy[1 + len, len]
 
         {
           kid: id,
@@ -117,8 +120,8 @@ module Himari
           kty: 'RSA',
           use: "sig",
           alg: alg,
-          n: Base64.urlsafe_encode64(pkey.n.to_s(2)).gsub(/=+/,''),
-          e: Base64.urlsafe_encode64(pkey.e.to_s(2)).gsub(/=+/,''),
+          n: Base64.urlsafe_encode64(pkey.n.to_s(2)).gsub(/=+/, ''),
+          e: Base64.urlsafe_encode64(pkey.e.to_s(2)).gsub(/=+/, ''),
         }
       else
         raise AlgUnknown