shakha 0.1.0 → 0.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dab553b64eb62de5d3a4225c5a4aa4fb470f8c6cf4aeea518f549dd664b7e67a
-  data.tar.gz: 0206f67ee329e747bad7da7cd3082c6be17811e19ef97ec67843d61bf50922de
+  metadata.gz: 7ff145da09437c51afcef947199c0225b2fb557a6e0559e1792e07d7af646250
+  data.tar.gz: d95b3e5a110d49b7defde447935240d27e0faf2a76e3874b4b05dba7f174336e
 SHA512:
-  metadata.gz: 1704c398b0c6cdfa415a08f0662574eab25acb72b28ac9d8e8b83658750793111aeb9f24248ba22641ebc566500d6fbef2e63b250a895f43d6c7eb451c877d07
-  data.tar.gz: 9eab6f79cb46672c4df6dfc26507e91518616ac67ae7119bd07bfe7a177e7488f97918c09280eafcf8192953014d264bbc5beacc9c6bd5ced23fbb2e885f1e26
+  metadata.gz: f61b03a6afdb461afde6274f2892b54f1f7979369023a1421b5037f99b333351c5c7bca5194c7f76db22d9f516594c4c737d96f501f82b8663c2ad5fafa472d1
+  data.tar.gz: 344441bf4fcfc2dc8061bb25fab5dfbe64485919405658cbbd16c376ffcdddc685682e0256d7e2fe2401c29e22a8122a157439e111748ccb8d6e0b8c266dc9a4

data/README.md

@@ -1,22 +1,72 @@
 # Shakha
 
-Minimal auth broker for Google OAuth with PKCE and pairwise subjects.
+Headless Google OAuth broker for Rails — PKCE, pairwise subjects, zero JavaScript.
 
-## Installation
+Same Google account, different IDs per application. Built DHH-style: database sessions, Turbo native, single "Continue with Google" button.
 
-Add to your Gemfile:
+## Installation
 
 ```ruby
 gem "shakha"
 ```
 
-Run the installer:
+Run the migration:
 
 ```bash
-rails generate shakha:install
+bin/rails generate migration CreateShakhaTables
+```
+
+```ruby
+class CreateShakhaTables < ActiveRecord::Migration[7.1]
+  def change
+    create_table :shakha_clients do |t|
+      t.string :name, null: false
+      t.string :origin, null: false
+      t.timestamps
+      t.index :origin, unique: true
+    end
+
+    create_table :shakha_users do |t|
+      t.references :client, null: false, foreign_key: { to_table: :shakha_clients }
+      t.string :pairwise_sub, null: false
+      t.string :email
+      t.string :name
+      t.string :picture
+      t.timestamps
+      t.index :pairwise_sub, unique: true
+      t.index :email
+    end
+
+    create_table :shakha_sessions do |t|
+      t.references :user, foreign_key: { to_table: :shakha_users }
+      t.references :client, null: false, foreign_key: { to_table: :shakha_clients }
+      t.string :token, null: false
+      t.string :jti, null: false
+      t.timestamps
+      t.index :token, unique: true
+      t.index :jti, unique: true
+      t.index :created_at
+    end
+  end
+end
+```
+
+## Configuration
+
+Create `config/initializers/shakha.rb`:
+
+```ruby
+Shakha.setup do |config|
+  config.app_origin = ENV.fetch("SHAKHA_APP_ORIGIN", "http://localhost:3000")
+  config.service_url = ENV["SHAKHA_SERVICE_URL"]        # omit for embedded mode
+  config.service_secret = ENV["SHAKHA_SERVICE_SECRET"]
+  config.google_client_id = ENV["GOOGLE_CLIENT_ID"]
+  config.google_client_secret = ENV["GOOGLE_CLIENT_SECRET"]
+  config.session_lifetime = 30.days
+end
 ```
 
-Set environment variables:
+Environment variables:
 
 ```bash
 export SHAKHA_APP_ORIGIN="https://yourapp.com"
@@ -25,60 +75,67 @@ export GOOGLE_CLIENT_ID="your-google-client-id"
 export GOOGLE_CLIENT_SECRET="your-google-client-secret"
 ```
 
-## Configuration
-
-See `config/initializers/shakha.rb` for all options.
+Google Cloud Console redirect URI: `https://yourapp.com/auth/shakha/callback`
 
 ## Usage
 
 ### Sign In
 
-Redirect users to sign in:
-
 ```erb
 <%= link_to "Sign in with Google", shakha.new_auth_path %>
 ```
 
-### Current User
-
-In controllers:
+### Protect Routes
 
 ```ruby
 class ApplicationController < ActionController::Base
   include Shakha::ControllerHelpers
+  before_action :authenticate!
 end
 ```
 
+### Current User
+
 ```ruby
 current_user        # Shakha::User or nil
-current_session    # Shakha::Session or nil
-signed_in?         # boolean
-authenticate!      # redirect to login if not signed in
+current_session     # Shakha::Session or nil
+signed_in?          # boolean
+authenticate!       # redirects to login if not signed in
 ```
 
-### Protect Routes
+### Sign Out
 
-```ruby
-class PostsController < ApplicationController
-  before_action :authenticate!
-end
+```erb
+<%= link_to "Sign out", shakha.session_path, data: { turbo_method: :delete } %>
 ```
 
 ### JWT Verification (API Mode)
 
 ```ruby
 payload = Shakha.verify_token(id_token)
-user_id = payload[:sub]
+user_id = payload[:pairwise_sub]
 ```
 
 ## Architecture
 
 - **PKCE** — S256 code challenges on every flow
-- **Pairwise subjects** — domain-scoped user identifiers
-- **ES256 JWTs** — signed with JWKS endpoint
+- **Pairwise subjects** — domain-scoped user identifiers (HMAC-SHA256)
+- **ES256 JWTs** — signed with JWKS endpoint at `.well-known/jwks.json`
+- **OpenID Connect** — `.well-known/openid-configuration` endpoint
 - **Database sessions** — DHH-style, no Redis
-- **Turbo native** — zero JS needed
+- **Turbo native** — zero JavaScript needed
+- **Embedded or standalone** — runs as Rails engine or headless service
+
+## Modes
+
+### Embedded (default)
+
+Mount in your Rails app. Routes served at `/auth/shakha`. Uses the app's own `shakha_clients` table with a single client auto-created on first request.
+
+### Service (multi-tenant)
+
+Set `SHAKHA_SERVICE_URL` and register each app's origin in `shakha_clients`. Each app gets different pairwise subjects for the same Google user.
 
 ## License
 
-MIT
+MIT

data/app/controllers/shakha/application_controller.rb

@@ -9,7 +9,7 @@ module Shakha
 
     layout -> { false if request.format == :json }
 
-    rescue_from ActiveSupport::ActionController::InvalidAuthenticityToken, with: :invalid_csrf_token
+    rescue_from ActionController::InvalidAuthenticityToken, with: :invalid_csrf_token
 
     private
 

data/app/controllers/shakha/auth_controller.rb

@@ -11,24 +11,25 @@ module Shakha
 
     def new
       @client = find_or_create_client
-      @return_to = params[:return_to] || "/"
+      @return_to = sanitize_return_to(params[:return_to])
     end
 
     def authorize
+      params[:return_to] = sanitize_return_to(params[:return_to])
       pkce = create_pkce_bundle
       @client = find_or_create_client
 
       google_auth_url = build_google_auth_url(pkce)
 
-      redirect_to google_auth_url
+      redirect_to google_auth_url, allow_other_host: true
     end
 
     def callback
-      verifier = verify_pkce!(params[:code])
-
-      exchange_code_for_tokens(params[:code], verifier)
+      pkce_result = verify_pkce!(params[:code], params[:state])
+      exchange_code_for_tokens(params[:code], pkce_result[:verifier], pkce_result[:return_to])
     rescue PKCEError, GoogleOAuthError => e
-      redirect_to shakha.error_path(message: e.message)
+      Rails.logger.warn("[Shakha] Auth error: #{e.class}: #{e.message}")
+      redirect_to "/auth/shakha/error?message=#{URI.encode_www_form_component(user_facing_error(e))}"
     end
 
     def token
@@ -55,17 +56,58 @@ module Shakha
 
     private
 
-    def find_or_create_client
-      origin = URI.parse(request.origin).origin
+    def sanitize_return_to(raw)
+      return "/" if raw.blank?
+
+      uri = URI.parse(raw)
+      return "/" if uri.host.present? && ![app_origin_host, client_origin_host].include?(uri.host)
+      return "/" unless uri.path.present? && uri.path.start_with?("/")
+
+      uri.path
+    rescue URI::InvalidURIError
+      "/"
+    end
+
+    def app_origin_host
+      URI.parse(Shakha.config.app_origin).host
+    end
+
+    def client_origin_host
+      URI.parse(Shakha.config.service_base_url).host
+    rescue URI::InvalidURIError
+      nil
+    end
 
-      Shakha::Client.find_or_create_by!(origin: origin) do |client|
-        client.name = URI.parse(request.origin).host
+    def user_facing_error(exception)
+      case exception
+      when PKCEError
+        "Authentication failed. Please try again."
+      when GoogleOAuthError
+        "Unable to sign in with Google. Please try again later."
+      else
+        "An unexpected error occurred. Please try again."
       end
     end
 
+    def find_or_create_client
+      origin = request.origin || Shakha.config.app_origin
+      origin_uri = URI.parse(origin).origin
+
+      if Shakha.config.embedded?
+        Shakha::Client.find_or_create_by!(origin: origin_uri) do |client|
+          client.name = URI.parse(origin).host
+        end
+      else
+        Shakha::Client.find_by!(origin: origin_uri)
+      end
+    rescue ActiveRecord::RecordNotFound
+      raise ConfigurationError, "Unknown client origin: #{origin_uri}. Register this origin in shakha_clients first."
+    end
+
     def build_google_auth_url(pkce)
       client_id = Shakha.config.google_client_id || ENV["GOOGLE_CLIENT_ID"]
-      redirect_uri = "#{Shakha.config.service_base_url}/auth/shakha/callback"
+      base_url = Shakha.config.service_base_url || "http://localhost:3000"
+      redirect_uri = "#{base_url}/auth/shakha/callback"
 
       scopes = ["openid", "email", "profile"].join(" ")
       scopes += " https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile" if params[:request_pii]
@@ -87,10 +129,11 @@ module Shakha
       end.to_s
     end
 
-    def exchange_code_for_tokens(code, verifier)
+    def exchange_code_for_tokens(code, verifier, return_to = "/")
       client_id = Shakha.config.google_client_id || ENV["GOOGLE_CLIENT_ID"]
       client_secret = Shakha.config.google_client_secret || ENV["GOOGLE_CLIENT_SECRET"]
-      redirect_uri = "#{Shakha.config.service_base_url}/auth/shakha/callback"
+      base_url = Shakha.config.service_base_url || "http://localhost:3000"
+      redirect_uri = "#{base_url}/auth/shakha/callback"
 
       response = http_post(
         "https://oauth2.googleapis.com/token",
@@ -112,12 +155,13 @@ module Shakha
 
       payload = decode_id_token(id_token)
       google_sub = payload["sub"]
-      pairwise_sub = Shakha.derive_pairwise_sub(google_sub)
 
       client = find_or_create_client
-      user = Shakha::User.find_or_initialize_by(pairwise_sub: pairwise_sub)
+      pairwise_sub = Shakha.derive_pairwise_sub(google_sub, client.client_id)
 
-      if params[:request_pii] && payload["email"]
+      user = Shakha::User.find_or_initialize_by(pairwise_sub: pairwise_sub, client: client)
+
+      if payload["email"]
         user.assign_attributes(
           email: payload["email"],
           name: payload["name"],
@@ -140,9 +184,7 @@ module Shakha
         expires: Shakha.config.session_lifetime.from_now
       }
 
-      return_to = pkce_state&.dig(:return_to) || "/"
-
-      redirect_to return_to
+      redirect_to sanitize_return_to(return_to)
     end
 
     def exchange_code_for_id_token(code, verifier)

data/app/controllers/shakha/session_controller.rb

@@ -27,7 +27,11 @@ module Shakha
     def destroy
       current_session&.destroy
       cookies.delete(:shakha_session_token)
-      render json: { status: "signed_out" }
+
+      respond_to do |format|
+        format.html { redirect_to params[:return_to].presence || "/" }
+        format.json { render json: { status: "signed_out" } }
+      end
     end
   end
 end

data/app/models/shakha/user.rb

@@ -4,10 +4,11 @@ module Shakha
   class User < ::ApplicationRecord
     self.table_name = "shakha_users"
 
+    belongs_to :client, class_name: "Shakha::Client"
     has_many :sessions, class_name: "Shakha::Session", dependent: :destroy
 
-    validates :pairwise_sub, presence: true, uniqueness: true
-    validates :email, uniqueness: true, allow_blank: true
+    validates :pairwise_sub, presence: true
+    validates :email, uniqueness: { scope: :client_id }, allow_blank: true
 
     def can_access?(resource)
       true

data/app/views/shakha/auth/error.html.erb

@@ -0,0 +1,18 @@
+<% content_for :title, "Authentication Error" %>
+
+<div class="shakha-container">
+  <div class="shakha-card shakha-card-error">
+    <div class="shakha-error-icon">
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+        <circle cx="12" cy="12" r="10"/>
+        <line x1="12" y1="8" x2="12" y2="12"/>
+        <line x1="12" y1="16" x2="12.01" y2="16"/>
+      </svg>
+    </div>
+
+    <h1>Authentication Failed</h1>
+    <p class="shakha-error-message"><%= params[:message] || "An error occurred" %></p>
+
+    <%= link_to "Try Again", "/auth/shakha", class: "shakha-button shakha-button-primary" %>
+  </div>
+</div>

data/{generators → lib/generators}/shakha/install_generator.rb

@@ -1,8 +1,4 @@
 # frozen_string_literal: true
-# This generator creates a migration for the Shakha tables
-
-require "rails/generators/active_record/migration"
-require "rails/generators/active_record/migration/migration_generator"
 
 module Shakha
   class InstallGenerator < Rails::Generators::Base
@@ -17,21 +13,13 @@ module Shakha
     def create_migration
       return if options[:skip_migration]
 
-      migration_template(
-        "migration.rb.erb",
-        "db/migrate/create_shakha_tables.rb",
-        migration_version: migration_version
-      )
+      sleep 1
+      migration_number = Time.now.strftime("%Y%m%d%H%M%S")
+      template "migration.rb.erb", "db/migrate/#{migration_number}_create_shakha_tables.rb"
     end
 
     def add_routes
       route 'mount Shakha::Engine => "/auth/shakha", as: :shakha'
     end
-
-    private
-
-    def migration_version
-      ">= 7.1" ? "[7.1]" : ""
-    end
   end
 end

data/{generators → lib/generators}/shakha/templates/initializer.rb.erb

@@ -20,7 +20,7 @@ Shakha.setup do |config|
   config.google_client_id = ENV["GOOGLE_CLIENT_ID"]
   config.google_client_secret = ENV["GOOGLE_CLIENT_SECRET"]
   config.issuer = ENV.fetch("SHAKHA_ISSUER", "https://shakha.dev")
-  config.session_lifetime = ENV.fetch("SHAKHA_SESSION_LIFETIME", "30.days")
+  config.session_lifetime = 30.days
 
   # JWT signing keys (required for service mode)
   config.signing_key = ENV["SHAKHA_SIGNING_KEY"]

data/{generators → lib/generators}/shakha/templates/migration.rb.erb

@@ -2,7 +2,7 @@
 
 class CreateShakhaTables < ActiveRecord::Migration[7.1]
   def change
-    create_table :shakha_clients, id: :uuid do |t|
+    create_table :shakha_clients do |t|
       t.string :name, null: false
       t.string :origin, null: false
       t.string :client_id
@@ -14,12 +14,12 @@ class CreateShakhaTables < ActiveRecord::Migration[7.1]
     add_index :shakha_clients, :origin, unique: true
     add_index :shakha_clients, :client_id, unique: true
 
-    create_table :shakha_users, id: :uuid do |t|
+    create_table :shakha_users do |t|
       t.string :pairwise_sub, null: false
       t.string :email
       t.string :name
       t.string :picture
-      t.references :client, type: :uuid, null: false
+      t.references :client, null: false
 
       t.timestamps
     end
@@ -27,11 +27,11 @@ class CreateShakhaTables < ActiveRecord::Migration[7.1]
     add_index :shakha_users, :pairwise_sub, unique: true
     add_index :shakha_users, :email
 
-    create_table :shakha_sessions, id: :uuid do |t|
+    create_table :shakha_sessions do |t|
       t.string :token, null: false
       t.string :jti, null: false
-      t.references :user, type: :uuid, null: false
-      t.references :client, type: :uuid, null: false
+      t.references :user, null: false
+      t.references :client, null: false
       t.string :ip_address
       t.string :user_agent
 

data/lib/shakha/config.rb

@@ -8,7 +8,10 @@ module Shakha
                   :google_client_id,
                   :google_client_secret,
                   :issuer,
-                  :session_lifetime
+                  :session_lifetime,
+                  :signing_key,
+                  :verification_key,
+                  :key_id
 
     def initialize
       @session_lifetime = 30.days

data/lib/shakha/config_validator.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Shakha
+  module ConfigValidator
+    class << self
+      def validate!(config)
+        missing = []
+        missing << "SHAKHA_APP_ORIGIN" unless config.app_origin.present?
+        missing << "GOOGLE_CLIENT_ID" unless config.google_client_id.present?
+        missing << "GOOGLE_CLIENT_SECRET" unless config.google_client_secret.present?
+        missing << "SHAKHA_SERVICE_SECRET" unless config.service_secret.present?
+
+        unless missing.empty?
+          message = "Shakha: missing required configuration: #{missing.join(', ')}"
+          if Rails.env.production?
+            raise ConfigurationError, message
+          else
+            Rails.logger.warn(message)
+          end
+        end
+
+        true
+      end
+    end
+  end
+end

data/lib/shakha/engine.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "ostruct"
-
 module Shakha
   class Engine < ::Rails::Engine
     isolate_namespace Shakha
@@ -9,85 +7,24 @@ module Shakha
     config.app_middleware.use Shakha::Middleware
 
     config.after_initialize do
-      if Shakha.config.app_origin.blank?
-        raise ConfigurationError, "Shakha.app_origin must be set"
-      end
-    end
-
-    class EngineRouter
-      def self.draw
-        Drawer.new
-      end
-
-      class Drawer
-        def initialize
-          @routes = []
-        end
-
-        def resources(*args, &block)
-          resource_options = args.last.is_a?(Hash) ? args.pop : {}
-          resource_name = args.first
-
-          @routes << { type: :resources, name: resource_name, options: resource_options, block: block }
-        end
-
-        def resource(*args, &block)
-          resource_options = args.last.is_a?(Hash) ? args.pop : {}
-          resource_name = args.first
-
-          @routes << { type: :resource, name: resource_name, options: resource_options, block: block }
-        end
-
-        def get(path, to:, as: nil)
-          @routes << { type: :get, path: path, to: to, as: as }
-        end
-
-        def post(path, to:, as: nil)
-          @routes << { type: :post, path: path, to: to, as: as }
-        end
-
-        def match(path, to:, via:, as: nil)
-          @routes << { type: :match, path: path, to: to, via: via, as: as }
-        end
-
-        def routes
-          @routes
-        end
-      end
+      Shakha::ConfigValidator.validate!(Shakha.config)
     end
 
-    initializer "shakha.routes" do |app|
-      Shakha::EngineRouter.draw do
-        get "/auth/shakha", to: "auth#new", as: :new_auth
-        get "/auth/shakha/authorize", to: "auth#authorize", as: :authorize
-        get "/auth/shakha/callback", to: "auth#callback", as: :callback
-        post "/auth/shakha/token", to: "auth#token", as: :token
-        get "/auth/shakha/error", to: "auth#error", as: :error
+    # Engine routes - these should be relative paths
+    routes do
+      root to: "auth#new"
 
-        get "/auth/shakha/session", to: "session#show", as: :session
-        post "/auth/shakha/session/check", to: "session#check", as: :check_session
-        delete "/auth/shakha/session", to: "session#destroy", as: :destroy_session
+      get "authorize" => "auth#authorize"
+      get "callback" => "auth#callback"
+      post "token" => "auth#token"
+      get "error" => "auth#error"
 
-        get "/.well-known/jwks.json", to: "jwks#show"
-        get "/.well-known/openid-configuration", to: "openid#configuration"
-      end
+      get "session" => "session#show"
+      post "session/check" => "session#check"
+      delete "session" => "session#destroy"
 
-      Shakha::EngineRouter.routes.each do |route|
-        case route[:type]
-        when :get
-          app.routes.append do
-            get route[:path], to: route[:to], as: route[:as]
-          end
-        when :post
-          app.routes.append do
-            post route[:path], to: route[:to], as: route[:as]
-          end
-        when :match
-          app.routes.append do
-            match route[:path], to: route[:to], as: route[:as], via: route[:via]
-          end
-        end
-      end
+      get ".well-known/jwks.json" => "jwks#show"
+      get ".well-known/openid-configuration" => "openid#configuration"
     end
   end
 end

data/lib/shakha/error_handler.rb

@@ -24,11 +24,12 @@ module Shakha
     end
 
     def bad_request(exception)
-      render json: { error: exception.message }, status: :bad_request
+      render json: { error: "Bad request" }, status: :bad_request
     end
 
     def bad_gateway(exception)
-      render json: { error: exception.message }, status: :bad_gateway
+      Rails.logger.error("[Shakha] Google OAuth error: #{exception.message}")
+      render json: { error: "Authentication service unavailable" }, status: :bad_gateway
     end
   end
 end

data/lib/shakha/pkce.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "json"
 require "active_support/concern"
 
 module Shakha
@@ -8,6 +9,8 @@ module Shakha
 
     CODE_VERIFIER_LENGTH = 64
     CODE_CHALLENGE_METHOD = "S256"
+    PKCE_COOKIE_NAME = "shakha_pkce"
+    PKCE_COOKIE_EXPIRY_SECONDS = 600
 
     class << self
       def generate_code_verifier
@@ -30,31 +33,56 @@ module Shakha
       verifier = PKCEMixin.generate_code_verifier
       challenge = PKCEMixin.generate_code_challenge(verifier)
       state = SecureRandom.urlsafe_base64(32)
+      return_to = params[:return_to] || "/"
 
-      session[:shakha_pkce] = {
+      pkce_record = {
         verifier: verifier,
-        state: state,
-        return_to: params[:return_to] || request.referer || "/"
+        return_to: return_to
+      }
+
+      cookies[PKCE_COOKIE_NAME] = {
+        value: pkce_record.merge(state: state).to_json,
+        httponly: true,
+        secure: Rails.env.production?,
+        same_site: :lax,
+        expires: Time.now.utc + PKCE_COOKIE_EXPIRY_SECONDS
       }
 
       { challenge: challenge, state: state }
     end
 
-    def verify_pkce!(code_verifier)
-      stored = session[:shakha_pkce]
+    def verify_pkce!(code_verifier, state_param)
+      pkce_json = cookies[PKCE_COOKIE_NAME]
+
+      raise PKCEError, "No PKCE session found" unless pkce_json
+
+      pkce_data = JSON.parse(pkce_json).with_indifferent_access
+
+      raise PKCEError, "No PKCE session found" unless pkce_data
 
-      raise PKCEError, "No PKCE session found" unless stored
-      raise PKCEError, "State mismatch" unless stored[:state] == params[:state]
+      stored_state = pkce_data[:state]
+      stored_verifier = pkce_data[:verifier]
+      stored_return_to = pkce_data[:return_to]
+
+      cookies.delete(PKCE_COOKIE_NAME)
+
+      raise PKCEError, "State mismatch" unless stored_state == state_param
 
       computed = PKCEMixin.generate_code_challenge(code_verifier)
-      raise PKCEError, "Invalid code verifier" unless computed == params[:code_challenge]
+      code_challenge = params[:code_challenge]
 
-      session.delete(:shakha_pkce)
-      stored[:verifier]
+      if code_challenge.present?
+        raise PKCEError, "Invalid code verifier" unless computed == code_challenge
+      end
+
+      { verifier: stored_verifier, return_to: stored_return_to }
     end
 
     def pkce_state
-      session[:shakha_pkce]
+      pkce_json = cookies[PKCE_COOKIE_NAME]
+      return nil unless pkce_json
+
+      JSON.parse(pkce_json).with_indifferent_access
     end
   end
 

data/lib/shakha/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Shakha
-  VERSION = "0.1.0"
+  VERSION = "0.1.3"
 end

data/lib/shakha.rb

@@ -2,6 +2,13 @@
 
 require "shakha/version"
 require "shakha/config"
+require "shakha/config_validator"
+require "shakha/pairwise"
+require "shakha/jwt_handler"
+require "shakha/pkce"
+require "shakha/error_handler"
+require "shakha/controller_helpers"
+require "shakha/middleware"
 require "shakha/engine"
 
 module Shakha

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: shakha
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.3
 platform: ruby
 authors:
 - Asrat
@@ -27,19 +27,49 @@ dependencies:
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '7.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '10'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '10'
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
       - !ruby/object:Gem::Version
         version: '7.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '10'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '10'
 description: |
-  Shakha handles Google OAuth + PKCE and gives your app a domain-scoped identity (pairwise_sub)
-  and a signed id_token. No client signup. No unnecessary scopes. Just identity.
+  Shakha is a headless authentication broker gem for Rails that handles Google OAuth 2.0
+  with PKCE security. It provides domain-scoped user identifiers via pairwise subjects,
+  ensuring the same Google account gets different IDs across different applications.
+
+  Built DHH-style: database sessions (no Redis), Turbo native (zero JS), and a single
+  "Continue with Google" button. Works as an embedded Rails engine or standalone service.
 email:
 - asrat@example.com
 executables: []
@@ -58,14 +88,16 @@ files:
 - app/models/shakha/session.rb
 - app/models/shakha/user.rb
 - app/views/shakha/auth/callback.html.erb
+- app/views/shakha/auth/error.html.erb
 - app/views/shakha/auth/new.html.erb
 - app/views/shakha/errors/show.html.erb
 - app/views/shakha/layouts/shakha.html.erb
-- generators/shakha/install_generator.rb
-- generators/shakha/templates/initializer.rb.erb
-- generators/shakha/templates/migration.rb.erb
+- lib/generators/shakha/install_generator.rb
+- lib/generators/shakha/templates/initializer.rb.erb
+- lib/generators/shakha/templates/migration.rb.erb
 - lib/shakha.rb
 - lib/shakha/config.rb
+- lib/shakha/config_validator.rb
 - lib/shakha/controller_helpers.rb
 - lib/shakha/engine.rb
 - lib/shakha/error_handler.rb
@@ -95,5 +127,5 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 rubygems_version: 3.6.9
 specification_version: 4
-summary: Minimal auth broker for Google OAuth with PKCE and pairwise subjects
+summary: Headless Google OAuth broker with PKCE, pairwise subjects, and zero JavaScript
 test_files: []