shakha 0.1.6 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 111afb5f4917b2fb01033e9b93c37fabc0b099a886c7cce7eb80d4485e69e9a1
-  data.tar.gz: '008356dd3f1538432a84ff2e83c2b6d32e3ec5962ed252c79c8dc3229677c16d'
+  metadata.gz: 366829b83286435b8a3ff8a9b74cdfe319e072768efabbbfa0777d3ce7a9bb6b
+  data.tar.gz: 5aafc4d8d1db8bf6287c40ffea5dbb614903e288ddfeb35ae4d1c1e0b0ecff34
 SHA512:
-  metadata.gz: 369843a745888523d8d3392e1111804d7113247005654de91c2fc75436a5a799ea505ad20858dbc057f9e81f5f3179dcaec77cd084923f3a1ae0121bcdb45960
-  data.tar.gz: 8bb91783e33cbac949565f21abded2d958b652b95f62b62f3d51eaabeaaf979224163376c98e58d25ecae57fbd41556f4a0db7c2415316e24e3778700e06af1e
+  metadata.gz: 6a7982ee421c97e9f66eb5eceb29dddd2159806d37d37bb759e84c80686390f395703adfd8b881c7a0d5eafa3c5e2bc969844ad6375ce4a04572b5e4758b5f75
+  data.tar.gz: f41c800d89c409fbcea81ab122d7f9e59028777b15643ec006ff0b6e0cddb7adcc621c463cdc538b088e171f9f4eb460cf5197b48b361700a041373c5899b2f7

data/README.md

@@ -42,6 +42,8 @@ class CreateShakhaTables < ActiveRecord::Migration[7.1]
       t.references :client, null: false, foreign_key: { to_table: :shakha_clients }
       t.string :token, null: false
       t.string :jti, null: false
+      t.string :ip_address
+      t.string :user_agent
       t.timestamps
       t.index :token, unique: true
       t.index :jti, unique: true

data/app/assets/stylesheets/shakha.css

@@ -1,193 +1,580 @@
-@layer shakha.base {
+/* Shakha Design System — Zero JS, CSS-only */
+
+@layer shakha.tokens {
   :root {
-    --shakha-bg: oklch(98% 0.002 250);
-    --shakha-surface: oklch(100% 0 0);
-    --shakha-border: oklch(87% 0.01 250);
-    --shakha-text: oklch(20% 0.03 250);
-    --shakha-text-muted: oklch(50% 0.02 250);
-    --shakha-primary: oklch(55% 0.2 250);
-    --shakha-primary-hover: oklch(50% 0.22 250);
-    --shakha-error: oklch(60% 0.2 25);
-    --shakha-radius: 8px;
-    --shakha-shadow: 0 1px 3px oklch(0% 0 0 / 0.05), 0 1px 2px oklch(0% 0 0 / 0.1);
-  }
-
-  * {
+    /* Colors — OKLCH for perceptual uniformity */
+    --sh-bg: oklch(98% 0.002 250);
+    --sh-surface: oklch(100% 0 0);
+    --sh-surface-elevated: oklch(100% 0 0);
+    --sh-border: oklch(87% 0.01 250);
+    --sh-text: oklch(20% 0.03 250);
+    --sh-text-secondary: oklch(45% 0.02 250);
+    --sh-text-tertiary: oklch(60% 0.01 250);
+    --sh-primary: oklch(55% 0.18 250);
+    --sh-primary-hover: oklch(50% 0.2 250);
+    --sh-primary-subtle: oklch(95% 0.03 250);
+    --sh-error: oklch(55% 0.18 25);
+    --sh-error-subtle: oklch(95% 0.03 25);
+    --sh-success: oklch(55% 0.15 145);
+    --sh-success-subtle: oklch(95% 0.03 145);
+
+    /* Spacing — modular scale */
+    --sh-space-1: 0.25rem;
+    --sh-space-2: 0.5rem;
+    --sh-space-3: 0.75rem;
+    --sh-space-4: 1rem;
+    --sh-space-5: 1.25rem;
+    --sh-space-6: 1.5rem;
+    --sh-space-8: 2rem;
+    --sh-space-10: 2.5rem;
+    --sh-space-12: 3rem;
+    --sh-space-16: 4rem;
+
+    /* Typography */
+    --sh-font-sans: system-ui, -apple-system, "Segoe UI", Roboto, "Helvetica Neue", sans-serif;
+    --sh-font-mono: "SF Mono", "Fira Code", "Cascadia Code", monospace;
+    --sh-text-xs: 0.75rem;
+    --sh-text-sm: 0.875rem;
+    --sh-text-base: 1rem;
+    --sh-text-lg: 1.125rem;
+    --sh-text-xl: 1.25rem;
+    --sh-text-2xl: 1.5rem;
+    --sh-text-3xl: 1.875rem;
+
+    /* Effects */
+    --sh-radius-sm: 6px;
+    --sh-radius-md: 10px;
+    --sh-radius-lg: 14px;
+    --sh-radius-xl: 20px;
+    --sh-shadow-sm: 0 1px 2px oklch(0% 0 0 / 0.04);
+    --sh-shadow-md: 0 4px 12px oklch(0% 0 0 / 0.06), 0 1px 3px oklch(0% 0 0 / 0.04);
+    --sh-shadow-lg: 0 12px 40px oklch(0% 0 0 / 0.08), 0 4px 12px oklch(0% 0 0 / 0.04);
+    --sh-shadow-glow: 0 0 40px oklch(55% 0.18 250 / 0.15);
+
+    /* Transitions */
+    --sh-transition-fast: 150ms cubic-bezier(0.4, 0, 0.2, 1);
+    --sh-transition-base: 250ms cubic-bezier(0.4, 0, 0.2, 1);
+    --sh-transition-slow: 400ms cubic-bezier(0.4, 0, 0.2, 1);
+  }
+
+  @media (prefers-color-scheme: dark) {
+    :root {
+      --sh-bg: oklch(18% 0.02 250);
+      --sh-surface: oklch(22% 0.025 250);
+      --sh-surface-elevated: oklch(26% 0.03 250);
+      --sh-border: oklch(35% 0.04 250);
+      --sh-text: oklch(95% 0.01 250);
+      --sh-text-secondary: oklch(75% 0.015 250);
+      --sh-text-tertiary: oklch(55% 0.02 250);
+      --sh-primary: oklch(65% 0.18 250);
+      --sh-primary-hover: oklch(70% 0.2 250);
+      --sh-primary-subtle: oklch(30% 0.06 250);
+      --sh-error: oklch(65% 0.18 25);
+      --sh-error-subtle: oklch(30% 0.05 25);
+      --sh-success: oklch(65% 0.15 145);
+      --sh-success-subtle: oklch(30% 0.04 145);
+      --sh-shadow-sm: 0 1px 2px oklch(0% 0 0 / 0.2);
+      --sh-shadow-md: 0 4px 12px oklch(0% 0 0 / 0.3), 0 1px 3px oklch(0% 0 0 / 0.2);
+      --sh-shadow-lg: 0 12px 40px oklch(0% 0 0 / 0.4), 0 4px 12px oklch(0% 0 0 / 0.2);
+      --sh-shadow-glow: 0 0 60px oklch(65% 0.18 250 / 0.2);
+    }
+  }
+}
+
+@layer shakha.reset {
+  *, *::before, *::after {
     margin: 0;
     padding: 0;
     box-sizing: border-box;
   }
 
-  body {
-    font-family: system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-    background: var(--shakha-bg);
-    color: var(--shakha-text);
-    line-height: 1.5;
+  html {
     -webkit-font-smoothing: antialiased;
+    -moz-osx-font-smoothing: grayscale;
+    text-rendering: optimizeLegibility;
+  }
+
+  body {
+    font-family: var(--sh-font-sans);
+    font-size: var(--sh-text-base);
+    line-height: 1.6;
+    background: var(--sh-bg);
+    color: var(--sh-text);
+    min-height: 100vh;
   }
 
   a {
-    color: var(--shakha-primary);
+    color: var(--sh-primary);
     text-decoration: none;
+    transition: color var(--sh-transition-fast);
   }
 
   a:hover {
-    text-decoration: underline;
+    color: var(--sh-primary-hover);
+  }
+
+  a:focus-visible {
+    outline: 2px solid var(--sh-primary);
+    outline-offset: 2px;
+    border-radius: var(--sh-radius-sm);
+  }
+
+  img, svg {
+    display: block;
+    max-width: 100%;
+  }
+
+  button {
+    font-family: inherit;
+    cursor: pointer;
+    border: none;
+    background: none;
+  }
+
+  button:focus-visible {
+    outline: 2px solid var(--sh-primary);
+    outline-offset: 2px;
   }
 }
 
 @layer shakha.layout {
-  .shakha-container {
+  .sh-layout {
     min-height: 100vh;
-    display: flex;
-    align-items: center;
-    justify-content: center;
-    padding: 1.5rem;
+    display: grid;
+    place-items: center;
+    padding: var(--sh-space-6);
+    position: relative;
+    overflow: hidden;
+  }
+
+  .sh-layout::before {
+    content: "";
+    position: absolute;
+    inset: 0;
+    background:
+      radial-gradient(ellipse 80% 50% at 20% 40%, oklch(55% 0.15 250 / 0.08), transparent 50%),
+      radial-gradient(ellipse 60% 40% at 80% 60%, oklch(65% 0.12 280 / 0.06), transparent 50%);
+    pointer-events: none;
+    z-index: 0;
   }
 
-  .shakha-card {
+  .sh-card {
+    position: relative;
+    z-index: 1;
     width: 100%;
-    max-width: 400px;
-    background: var(--shakha-surface);
-    border: 1px solid var(--shakha-border);
-    border-radius: calc(var(--shakha-radius) + 4px);
-    box-shadow: var(--shakha-shadow);
+    max-width: 420px;
+    background: var(--sh-surface);
+    border: 1px solid var(--sh-border);
+    border-radius: var(--sh-radius-xl);
+    box-shadow: var(--sh-shadow-lg);
     overflow: hidden;
+    transition: transform var(--sh-transition-base), box-shadow var(--sh-transition-base);
   }
 
-  .shakha-card-center {
-    display: flex;
-    flex-direction: column;
-    align-items: center;
-    justify-content: center;
-    min-height: 200px;
-    padding: 2rem;
+  .sh-card:hover {
+    box-shadow: var(--sh-shadow-lg), var(--sh-shadow-glow);
   }
 
-  .shakha-card-error {
+  .sh-card__header {
+    padding: var(--sh-space-8) var(--sh-space-8) var(--sh-space-4);
     text-align: center;
-    padding: 2rem;
   }
 
-  .shakha-header {
-    padding: 1.5rem 1.5rem 0;
-    text-align: center;
+  .sh-card__body {
+    padding: var(--sh-space-4) var(--sh-space-8) var(--sh-space-8);
   }
 
-  .shakha-header h1 {
-    font-size: 1.25rem;
-    font-weight: 600;
-    color: var(--shakha-text);
+  .sh-card__footer {
+    padding: var(--sh-space-4) var(--sh-space-8);
+    background: var(--sh-primary-subtle);
+    border-top: 1px solid var(--sh-border);
+    text-align: center;
   }
 
-  .shakha-body {
-    padding: 1.5rem;
+  @media (prefers-color-scheme: dark) {
+    .sh-card__footer {
+      background: oklch(25% 0.04 250);
+    }
   }
 }
 
 @layer shakha.components {
-  .shakha-button {
+  /* Logo / Brand */
+  .sh-brand {
     display: flex;
     align-items: center;
     justify-content: center;
-    gap: 0.75rem;
+    gap: var(--sh-space-3);
+    margin-bottom: var(--sh-space-6);
+  }
+
+  .sh-brand__icon {
+    width: 40px;
+    height: 40px;
+    background: linear-gradient(135deg, var(--sh-primary), oklch(65% 0.15 280));
+    border-radius: var(--sh-radius-md);
+    display: grid;
+    place-items: center;
+    color: white;
+    font-weight: 700;
+    font-size: var(--sh-text-lg);
+    box-shadow: 0 4px 12px oklch(55% 0.18 250 / 0.3);
+  }
+
+  .sh-brand__name {
+    font-size: var(--sh-text-xl);
+    font-weight: 700;
+    color: var(--sh-text);
+    letter-spacing: -0.02em;
+  }
+
+  .sh-brand__subtitle {
+    font-size: var(--sh-text-sm);
+    color: var(--sh-text-tertiary);
+    margin-top: var(--sh-space-1);
+  }
+
+  /* Headings */
+  .sh-heading {
+    font-size: var(--sh-text-2xl);
+    font-weight: 700;
+    color: var(--sh-text);
+    letter-spacing: -0.02em;
+    line-height: 1.2;
+    margin-bottom: var(--sh-space-2);
+  }
+
+  .sh-heading--center {
+    text-align: center;
+  }
+
+  .sh-subheading {
+    font-size: var(--sh-text-sm);
+    color: var(--sh-text-secondary);
+    text-align: center;
+    margin-bottom: var(--sh-space-6);
+  }
+
+  /* Buttons */
+  .sh-btn {
+    display: inline-flex;
+    align-items: center;
+    justify-content: center;
+    gap: var(--sh-space-3);
     width: 100%;
-    padding: 0.75rem 1rem;
-    border-radius: var(--shakha-radius);
-    font-size: 0.9375rem;
-    font-weight: 500;
+    padding: var(--sh-space-4) var(--sh-space-6);
+    border-radius: var(--sh-radius-md);
+    font-size: var(--sh-text-base);
+    font-weight: 600;
     text-decoration: none;
-    cursor: pointer;
-    transition: background 0.15s ease, border-color 0.15s ease;
+    transition: all var(--sh-transition-fast);
+    position: relative;
+    overflow: hidden;
   }
 
-  .shakha-button-google {
-    background: var(--shakha-surface);
-    border: 1px solid var(--shakha-border);
-    color: var(--shakha-text);
+  .sh-btn::after {
+    content: "";
+    position: absolute;
+    inset: 0;
+    background: linear-gradient(90deg, transparent, oklch(100% 0 0 / 0.1), transparent);
+    transform: translateX(-100%);
+    transition: transform var(--sh-transition-slow);
   }
 
-  .shakha-button-google:hover {
-    background: var(--shakha-bg);
-    text-decoration: none;
+  .sh-btn:hover::after {
+    transform: translateX(100%);
   }
 
-  .shakha-button-primary {
-    background: var(--shakha-primary);
-    border: 1px solid var(--shakha-primary);
+  .sh-btn--primary {
+    background: var(--sh-primary);
     color: white;
+    border: 1px solid transparent;
+    box-shadow: 0 1px 3px oklch(0% 0 0 / 0.1);
   }
 
-  .shakha-button-primary:hover {
-    background: var(--shakha-primary-hover);
+  .sh-btn--primary:hover {
+    background: var(--sh-primary-hover);
+    transform: translateY(-1px);
+    box-shadow: 0 4px 12px oklch(55% 0.18 250 / 0.25);
     text-decoration: none;
   }
 
-  .shakha-google-icon {
-    width: 18px;
-    height: 18px;
+  .sh-btn--google {
+    background: var(--sh-surface);
+    color: var(--sh-text);
+    border: 1px solid var(--sh-border);
+  }
+
+  .sh-btn--google:hover {
+    background: var(--sh-surface-elevated);
+    border-color: var(--sh-primary);
+    transform: translateY(-1px);
+    box-shadow: var(--sh-shadow-md);
+    text-decoration: none;
+  }
+
+  .sh-btn--danger {
+    background: var(--sh-error);
+    color: white;
+    border: 1px solid transparent;
+  }
+
+  .sh-btn--danger:hover {
+    background: oklch(50% 0.2 25);
+    transform: translateY(-1px);
+  }
+
+  .sh-btn--ghost {
+    background: transparent;
+    color: var(--sh-text-secondary);
+    border: 1px solid var(--sh-border);
+  }
+
+  .sh-btn--ghost:hover {
+    background: var(--sh-primary-subtle);
+    color: var(--sh-primary);
+  }
+
+  .sh-btn__icon {
+    width: 20px;
+    height: 20px;
     flex-shrink: 0;
   }
 
-  .shakha-privacy {
-    margin-top: 1rem;
-    font-size: 0.75rem;
-    color: var(--shakha-text-muted);
+  /* Error states */
+  .sh-error {
     text-align: center;
+    padding: var(--sh-space-8);
   }
 
-  .shakha-privacy a {
-    color: var(--shakha-text-muted);
-    text-decoration: underline;
+  .sh-error__icon {
+    width: 64px;
+    height: 64px;
+    margin: 0 auto var(--sh-space-6);
+    background: var(--sh-error-subtle);
+    border-radius: var(--sh-radius-lg);
+    display: grid;
+    place-items: center;
+    color: var(--sh-error);
+    animation: sh-pulse 2s ease-in-out infinite;
+  }
+
+  @keyframes sh-pulse {
+    0%, 100% { transform: scale(1); opacity: 1; }
+    50% { transform: scale(1.05); opacity: 0.8; }
+  }
+
+  .sh-error__title {
+    font-size: var(--sh-text-xl);
+    font-weight: 700;
+    color: var(--sh-text);
+    margin-bottom: var(--sh-space-2);
+  }
+
+  .sh-error__message {
+    font-size: var(--sh-text-base);
+    color: var(--sh-text-secondary);
+    margin-bottom: var(--sh-space-6);
+    line-height: 1.6;
+  }
+
+  /* Success states */
+  .sh-success {
+    text-align: center;
+    padding: var(--sh-space-8);
+  }
+
+  .sh-success__icon {
+    width: 64px;
+    height: 64px;
+    margin: 0 auto var(--sh-space-6);
+    background: var(--sh-success-subtle);
+    border-radius: var(--sh-radius-lg);
+    display: grid;
+    place-items: center;
+    color: var(--sh-success);
   }
-}
 
-@layer shakha.states {
-  .shakha-loading {
+  /* Session list */
+  .sh-sessions {
+    padding: var(--sh-space-6);
+  }
+
+  .sh-sessions__header {
     display: flex;
-    flex-direction: column;
     align-items: center;
-    gap: 1rem;
+    justify-content: space-between;
+    margin-bottom: var(--sh-space-6);
+    padding-bottom: var(--sh-space-4);
+    border-bottom: 1px solid var(--sh-border);
   }
 
-  .shakha-loading p {
-    color: var(--shakha-text-muted);
-    font-size: 0.875rem;
+  .sh-sessions__title {
+    font-size: var(--sh-text-lg);
+    font-weight: 700;
+    color: var(--sh-text);
   }
 
-  .shakha-spinner {
-    width: 32px;
-    height: 32px;
-    border: 3px solid var(--shakha-border);
-    border-top-color: var(--shakha-primary);
-    border-radius: 50%;
-    animation: shakha-spin 0.8s linear infinite;
+  .sh-sessions__count {
+    font-size: var(--sh-text-sm);
+    color: var(--sh-text-tertiary);
+    background: var(--sh-primary-subtle);
+    padding: var(--sh-space-1) var(--sh-space-3);
+    border-radius: var(--sh-radius-sm);
   }
 
-  @keyframes shakha-spin {
-    to {
-      transform: rotate(360deg);
-    }
+  .sh-session {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    padding: var(--sh-space-4) var(--sh-space-4);
+    border-radius: var(--sh-radius-md);
+    border: 1px solid var(--sh-border);
+    margin-bottom: var(--sh-space-3);
+    transition: all var(--sh-transition-fast);
+  }
+
+  .sh-session:hover {
+    background: var(--sh-primary-subtle);
+    border-color: var(--sh-primary);
+    transform: translateX(2px);
+  }
+
+  .sh-session--current {
+    border-color: var(--sh-primary);
+    background: var(--sh-primary-subtle);
+    box-shadow: 0 0 0 1px var(--sh-primary);
+  }
+
+  .sh-session__info {
+    flex: 1;
+  }
+
+  .sh-session__device {
+    font-weight: 600;
+    color: var(--sh-text);
+    font-size: var(--sh-text-sm);
+  }
+
+  .sh-session__meta {
+    font-size: var(--sh-text-xs);
+    color: var(--sh-text-tertiary);
+    margin-top: var(--sh-space-1);
+  }
+
+  .sh-session__badge {
+    font-size: var(--sh-text-xs);
+    font-weight: 600;
+    padding: var(--sh-space-1) var(--sh-space-2);
+    border-radius: var(--sh-radius-sm);
+    background: var(--sh-primary);
+    color: white;
+    margin-right: var(--sh-space-3);
+  }
+
+  .sh-session__actions {
+    display: flex;
+    gap: var(--sh-space-2);
+  }
+
+  .sh-session__btn {
+    padding: var(--sh-space-2) var(--sh-space-3);
+    border-radius: var(--sh-radius-sm);
+    font-size: var(--sh-text-xs);
+    font-weight: 600;
+    border: 1px solid var(--sh-border);
+    background: var(--sh-surface);
+    color: var(--sh-text-secondary);
+    transition: all var(--sh-transition-fast);
+  }
+
+  .sh-session__btn:hover {
+    background: var(--sh-error);
+    color: white;
+    border-color: var(--sh-error);
   }
 
-  .shakha-error-icon {
-    margin-bottom: 1rem;
+  /* Empty state */
+  .sh-empty {
+    text-align: center;
+    padding: var(--sh-space-12);
+    color: var(--sh-text-tertiary);
   }
 
-  .shakha-error-icon svg {
+  .sh-empty__icon {
     width: 48px;
     height: 48px;
-    color: var(--shakha-error);
+    margin: 0 auto var(--sh-space-4);
+    opacity: 0.5;
   }
 
-  .shakha-card-error h1 {
-    font-size: 1.25rem;
-    font-weight: 600;
-    margin-bottom: 0.5rem;
+  /* Links */
+  .sh-link {
+    color: var(--sh-primary);
+    font-size: var(--sh-text-sm);
+    font-weight: 500;
+    transition: all var(--sh-transition-fast);
+  }
+
+  .sh-link:hover {
+    text-decoration: underline;
+  }
+
+  .sh-link--subtle {
+    color: var(--sh-text-tertiary);
+  }
+
+  .sh-link--subtle:hover {
+    color: var(--sh-text-secondary);
+  }
+
+  /* Divider */
+  .sh-divider {
+    display: flex;
+    align-items: center;
+    gap: var(--sh-space-4);
+    margin: var(--sh-space-6) 0;
+    color: var(--sh-text-tertiary);
+    font-size: var(--sh-text-xs);
+    text-transform: uppercase;
+    letter-spacing: 0.05em;
+  }
+
+  .sh-divider::before,
+  .sh-divider::after {
+    content: "";
+    flex: 1;
+    height: 1px;
+    background: var(--sh-border);
   }
 
-  .shakha-error-message {
-    color: var(--shakha-text-muted);
-    margin-bottom: 1.5rem;
+  /* Animations */
+  @keyframes sh-fade-in {
+    from { opacity: 0; transform: translateY(10px); }
+    to { opacity: 1; transform: translateY(0); }
   }
-}
+
+  @keyframes sh-slide-up {
+    from { opacity: 0; transform: translateY(20px); }
+    to { opacity: 1; transform: translateY(0); }
+  }
+
+  .sh-animate-fade {
+    animation: sh-fade-in var(--sh-transition-slow) both;
+  }
+
+  .sh-animate-slide {
+    animation: sh-slide-up var(--sh-transition-slow) both;
+    animation-delay: 100ms;
+  }
+}
+
+@layer shakha.utilities {
+  .sh-text-center { text-align: center; }
+  .sh-mt-2 { margin-top: var(--sh-space-2); }
+  .sh-mt-4 { margin-top: var(--sh-space-4); }
+  .sh-mt-6 { margin-top: var(--sh-space-6); }
+  .sh-mb-2 { margin-bottom: var(--sh-space-2); }
+  .sh-mb-4 { margin-bottom: var(--sh-space-4); }
+  .sh-mb-6 { margin-bottom: var(--sh-space-6); }
+}

data/app/controllers/shakha/auth_controller.rb

@@ -26,8 +26,8 @@ module Shakha
     end
 
     def callback
-      pkce_result = verify_pkce!(params[:code], params[:state])
-      exchange_code_for_tokens(params[:code], pkce_result[:verifier], pkce_result[:return_to])
+      pkce_result = verify_pkce!(params[:state])
+      exchange_code_for_tokens(params[:code], pkce_result[:verifier], pkce_result[:return_to], pkce_result[:nonce])
     rescue PKCEError, GoogleOAuthError => e
       ActiveSupport::Notifications.instrument("shakha.sign_in_failed", {
         reason: e.class.name,
@@ -65,14 +65,25 @@ module Shakha
       return "/" if raw.blank?
 
       uri = URI.parse(raw)
-      return "/" if uri.host.present? && ![app_origin_host, client_origin_host].include?(uri.host)
+      app_host = URI.parse(Shakha.config.app_origin).host
+
+      # Must have a path
       return "/" unless uri.path.present? && uri.path.start_with?("/")
 
-      uri.path
+      # If external host, must be in allowed origins
+      if uri.host.present? && uri.host != app_host && !allowed_origin?(uri.origin)
+        return "/"
+      end
+
+      raw
     rescue URI::InvalidURIError
       "/"
     end
 
+    def allowed_origin?(origin)
+      Shakha.config.allowed_redirect_origins&.include?(origin) || false
+    end
+
     def app_origin_host
       URI.parse(Shakha.config.app_origin).host
     end
@@ -125,6 +136,7 @@ module Shakha
         code_challenge: pkce[:challenge],
         code_challenge_method: "S256",
         state: pkce[:state],
+        nonce: pkce[:nonce],
         access_type: "offline",
         prompt: "consent"
       }
@@ -134,7 +146,7 @@ module Shakha
       end.to_s
     end
 
-    def exchange_code_for_tokens(code, verifier, return_to = "/")
+    def exchange_code_for_tokens(code, verifier, return_to = "/", expected_nonce = nil)
       client_id = Shakha.config.google_client_id || ENV["GOOGLE_CLIENT_ID"]
       client_secret = Shakha.config.google_client_secret || ENV["GOOGLE_CLIENT_SECRET"]
       base_url = Shakha.config.service_base_url || "http://localhost:3000"
@@ -161,6 +173,11 @@ module Shakha
       payload = decode_id_token(id_token)
       google_sub = payload["sub"]
 
+      # Verify nonce (OIDC replay protection)
+      if expected_nonce && payload["nonce"] != expected_nonce
+        raise GoogleOAuthError, "Nonce mismatch"
+      end
+
       client = find_or_create_client
       pairwise_sub = Shakha.derive_pairwise_sub(google_sub, client.client_id)
 
@@ -178,7 +195,6 @@ module Shakha
       session_record = Shakha::Session.create!(
         user: user,
         client: client,
-        jti: SecureRandom.uuid,
         ip_address: request.remote_ip,
         user_agent: request.user_agent
       )
@@ -227,12 +243,24 @@ module Shakha
       uri = URI.parse(url)
       http = Net::HTTP.new(uri.host, uri.port)
       http.use_ssl = uri.scheme == "https"
+      http.open_timeout = 5
+      http.read_timeout = 10
 
       request = Net::HTTP::Post.new(uri.request_uri)
       request["Content-Type"] = "application/x-www-form-urlencoded"
       request.body = URI.encode_www_form(body)
 
-      http.request(request)
+      response = http.request(request)
+
+      unless response.is_a?(Net::HTTPSuccess)
+        Rails.logger.error("[Shakha] Google API error: HTTP #{response.code} — #{response.body.truncate(500)}")
+        raise GoogleOAuthError, "Google returned HTTP #{response.code}"
+      end
+
+      response
+    rescue Net::OpenTimeout, Net::ReadTimeout, Errno::ECONNREFUSED, SocketError => e
+      Rails.logger.error("[Shakha] Network error contacting Google: #{e.message}")
+      raise GoogleOAuthError, "Unable to reach Google authentication service"
     end
   end
 end

data/app/controllers/shakha/session_controller.rb

@@ -54,6 +54,13 @@ module Shakha
       end
     end
 
+    def list
+      return redirect_to "/auth/shakha" unless signed_in?
+
+      @sessions = current_user.sessions.active.order(created_at: :desc)
+      @current_token = current_session&.token
+    end
+
     def revoke
       return render json: { error: "Authentication required" }, status: :unauthorized unless signed_in?
 

data/app/views/shakha/auth/error.html.erb

@@ -1,18 +1,30 @@
 <% content_for :title, "Authentication Error" %>
 
-<div class="shakha-container">
-  <div class="shakha-card shakha-card-error">
-    <div class="shakha-error-icon">
-      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
-        <circle cx="12" cy="12" r="10"/>
-        <line x1="12" y1="8" x2="12" y2="12"/>
-        <line x1="12" y1="16" x2="12.01" y2="16"/>
-      </svg>
-    </div>
+<div class="sh-layout sh-animate-fade">
+  <div class="sh-card sh-animate-slide">
+    <div class="sh-error">
+      <div class="sh-error__icon">
+        <svg width="28" height="28" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+          <circle cx="12" cy="12" r="10"/>
+          <line x1="12" y1="8" x2="12" y2="12"/>
+          <line x1="12" y1="16" x2="12.01" y2="16"/>
+        </svg>
+      </div>
+
+      <h1 class="sh-error__title">Something went wrong</h1>
+      <p class="sh-error__message"><%= @message || "We couldn't sign you in. Please try again." %></p>
 
-    <h1>Authentication Failed</h1>
-    <p class="shakha-error-message"><%= params[:message] || "An error occurred" %></p>
+      <%= link_to "/auth/shakha", class: "sh-btn sh-btn--primary" do %>
+        <svg class="sh-btn__icon" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+          <polyline points="1 4 1 10 7 10"/>
+          <path d="M3.51 15a9 9 0 1 0 2.13-9.36L1 10"/>
+        </svg>
+        Try Again
+      <% end %>
 
-    <%= link_to "Try Again", "/auth/shakha", class: "shakha-button shakha-button-primary" %>
+      <p class="sh-mt-4">
+        <a href="mailto:support@shakha.dev" class="sh-link sh-link--subtle">Contact Support</a>
+      </p>
+    </div>
   </div>
 </div>

data/app/views/shakha/auth/new.html.erb

@@ -1,16 +1,25 @@
-<% content_for :title, "Sign In" %>
+<% content_for :title, "Sign in — #{@client&.name || 'Shakha'}" %>
 
-<div class="shakha-container">
-  <div class="shakha-card">
-    <div class="shakha-header">
-      <h1>Sign in to <%= @client&.name || "your app" %></h1>
+<div class="sh-layout sh-animate-fade">
+  <div class="sh-card sh-animate-slide">
+    <div class="sh-card__header">
+      <div class="sh-brand">
+        <div class="sh-brand__icon">S</div>
+        <div>
+          <div class="sh-brand__name"><%= @client&.name || "Shakha" %></div>
+          <div class="sh-brand__subtitle">Secure authentication</div>
+        </div>
+      </div>
+
+      <h1 class="sh-heading sh-heading--center">Welcome back</h1>
+      <p class="sh-subheading">Sign in to continue to <%= @client&.name || "your app" %></p>
     </div>
 
-    <div class="shakha-body">
+    <div class="sh-card__body">
       <%= link_to shakha.authorize_path(request_pii: 1),
-                  class: "shakha-button shakha-button-google",
+                  class: "sh-btn sh-btn--google",
                   data: { turbo: false } do %>
-        <svg class="shakha-google-icon" viewBox="0 0 18 18" aria-hidden="true">
+        <svg class="sh-btn__icon" viewBox="0 0 18 18" aria-hidden="true">
           <path fill="#4285F4" d="M17.64 9.2c0-.637-.057-1.251-.164-1.84H9v3.481h4.844c-.209 1.125-.843 2.078-1.796 2.717v2.258h2.908c1.702-1.567 2.684-3.875 2.684-6.615z"/>
           <path fill="#34A853" d="M9 18c2.43 0 4.467-.806 5.956-2.184l-2.908-2.258c-.806.54-1.837.86-3.048.86-2.344 0-4.328-1.584-5.036-3.711H.957v2.332A8.997 8.997 0 0 0 9 18z"/>
           <path fill="#FBBC05" d="M3.964 10.71A5.41 5.41 0 0 1 3.682 9c0-.593.102-1.17.282-1.71V4.958H.957A8.996 8.996 0 0 0 0 9c0 1.452.348 2.827.957 4.042l3.007-2.332z"/>
@@ -19,11 +28,19 @@
         Continue with Google
       <% end %>
 
-      <p class="shakha-privacy">
+      <div class="sh-divider">or</div>
+
+      <p class="sh-text-center" style="color: var(--sh-text-tertiary); font-size: var(--sh-text-sm);">
         By signing in, you agree to our
-        <%= link_to "Terms of Service", "#" %> and
-        <%= link_to "Privacy Policy", "#" %>.
+        <a href="#">Terms</a> and
+        <a href="#">Privacy Policy</a>.
       </p>
     </div>
+
+    <div class="sh-card__footer">
+      <span style="color: var(--sh-text-tertiary); font-size: var(--sh-text-sm);">
+        Secured by <strong style="color: var(--sh-text-secondary);">Shakha</strong>
+      </span>
+    </div>
   </div>
-</div>
+</div>

data/app/views/shakha/auth/sessions.html.erb

@@ -0,0 +1,66 @@
+<% content_for :title, "Active Sessions" %>
+
+<div class="sh-layout sh-animate-fade">
+  <div class="sh-card sh-animate-slide" style="max-width: 560px;">
+    <div class="sh-card__header">
+      <div class="sh-brand">
+        <div class="sh-brand__icon">S</div>
+        <div>
+          <div class="sh-brand__name">Active Sessions</div>
+          <div class="sh-brand__subtitle">Manage your signed-in devices</div>
+        </div>
+      </div>
+    </div>
+
+    <div class="sh-sessions">
+      <div class="sh-sessions__header">
+        <span class="sh-sessions__title">Devices</span>
+        <span class="sh-sessions__count"><%= @sessions&.size || 0 %> active</span>
+      </div>
+
+      <% if @sessions&.any? %>
+        <% @sessions.each do |session| %>
+          <div class="sh-session <%= 'sh-session--current' if session.token == @current_token %>">
+            <div class="sh-session__info">
+              <div style="display: flex; align-items: center; gap: var(--sh-space-2);">
+                <% if session.token == @current_token %>
+                  <span class="sh-session__badge">Current</span>
+                <% end %>
+                <span class="sh-session__device">Web Browser</span>
+              </div>
+              <div class="sh-session__meta">
+                <%= session.ip_address || "Unknown IP" %> ·
+                <%= session.created_at.strftime("%b %d, %Y at %I:%M %p") %>
+              </div>
+            </div>
+
+            <% if session.token != @current_token %>
+              <%= button_to revoke_session_path(session.id),
+                  method: :delete,
+                  class: "sh-session__btn",
+                  data: { turbo: false, confirm: "Revoke this session?" } do %>
+                Revoke
+              <% end %>
+            <% end %>
+          </div>
+        <% end %>
+      <% else %>
+        <div class="sh-empty">
+          <div class="sh-empty__icon">
+            <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5">
+              <rect x="3" y="11" width="18" height="11" rx="2" ry="2"/>
+              <path d="M7 11V7a5 5 0 0 1 10 0v4"/>
+            </svg>
+          </div>
+          <p>No active sessions found.</p>
+        </div>
+      <% end %>
+    </div>
+
+    <div class="sh-card__footer">
+      <%= link_to "/", class: "sh-link" do %>
+        ← Back to app
+      <% end %>
+    </div>
+  </div>
+</div>

data/app/views/shakha/layouts/shakha.html.erb

@@ -1,12 +1,15 @@
 <!DOCTYPE html>
-<html>
+<html lang="en">
 <head>
-  <title><%= yield :title %></title>
+  <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title><%= yield(:title).presence || "Shakha" %></title>
   <%= stylesheet_link_tag "shakha", "data-turbo-track": "reload" %>
   <%= csrf_meta_tags %>
+  <meta name="theme-color" content="#0f0f23" media="(prefers-color-scheme: dark)">
+  <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 </head>
 <body>
   <%= yield %>
 </body>
-</html>
+</html>

data/lib/shakha/config.rb

@@ -12,7 +12,8 @@ module Shakha
                   :signing_key,
                   :verification_key,
                   :key_id,
-                  :rate_limiting_enabled
+                  :rate_limiting_enabled,
+                  :allowed_redirect_origins
 
     def initialize
       @session_lifetime = 30.days

data/lib/shakha/engine.rb

@@ -21,6 +21,7 @@ module Shakha
 
       get "session" => "session#show"
       get "sessions" => "session#index"
+      get "sessions/view" => "session#list"
       post "session/check" => "session#check"
       delete "session" => "session#destroy"
       delete "sessions/:id" => "session#revoke"

data/lib/shakha/jwt_handler.rb

@@ -89,7 +89,7 @@ module Shakha
         return signing_key&.public_key if signing_key
 
         public_material = Shakha.config.verification_key
-        return nil unless public_material
+        return nil unless public_materiall
 
         if public_material.start_with?("-----BEGIN")
           OpenSSL::PKey::EC.new(public_material)

data/lib/shakha/pkce.rb

@@ -14,9 +14,7 @@ module Shakha
 
     class << self
       def generate_code_verifier
-        SecureRandom.urlsafe_base64(CODE_VERIFIER_LENGTH)
-          .tr("-_", "+/")
-          .slice(0, CODE_VERIFIER_LENGTH)
+        SecureRandom.urlsafe_base64(CODE_VERIFIER_LENGTH, padding: false)
       end
 
       def generate_code_challenge(verifier)
@@ -33,14 +31,16 @@ module Shakha
       verifier = PKCEMixin.generate_code_verifier
       challenge = PKCEMixin.generate_code_challenge(verifier)
       state = SecureRandom.urlsafe_base64(32)
+      nonce = SecureRandom.urlsafe_base64(32)
       return_to = params[:return_to] || "/"
 
       pkce_record = {
         verifier: verifier,
-        return_to: return_to
+        return_to: return_to,
+        nonce: nonce
       }
 
-      cookies[PKCE_COOKIE_NAME] = {
+      cookies.encrypted[PKCE_COOKIE_NAME] = {
         value: pkce_record.merge(state: state).to_json,
         httponly: true,
         secure: Rails.env.production?,
@@ -48,11 +48,11 @@ module Shakha
         expires: Time.now.utc + PKCE_COOKIE_EXPIRY_SECONDS
       }
 
-      { challenge: challenge, state: state }
+      { challenge: challenge, state: state, nonce: nonce }
     end
 
-    def verify_pkce!(code_verifier, state_param)
-      pkce_json = cookies[PKCE_COOKIE_NAME]
+    def verify_pkce!(state_param)
+      pkce_json = cookies.encrypted[PKCE_COOKIE_NAME]
 
       raise PKCEError, "No PKCE session found" unless pkce_json
 
@@ -63,23 +63,17 @@ module Shakha
       stored_state = pkce_data[:state]
       stored_verifier = pkce_data[:verifier]
       stored_return_to = pkce_data[:return_to]
+      stored_nonce = pkce_data[:nonce]
 
       cookies.delete(PKCE_COOKIE_NAME)
 
-      raise PKCEError, "State mismatch" unless stored_state == state_param
+      raise PKCEError, "State mismatch" unless ActiveSupport::SecurityUtils.secure_compare(stored_state.to_s, state_param.to_s)
 
-      computed = PKCEMixin.generate_code_challenge(code_verifier)
-      code_challenge = params[:code_challenge]
-
-      if code_challenge.present?
-        raise PKCEError, "Invalid code verifier" unless computed == code_challenge
-      end
-
-      { verifier: stored_verifier, return_to: stored_return_to }
+      { verifier: stored_verifier, return_to: stored_return_to, nonce: stored_nonce }
     end
 
     def pkce_state
-      pkce_json = cookies[PKCE_COOKIE_NAME]
+      pkce_json = cookies.encrypted[PKCE_COOKIE_NAME]
       return nil unless pkce_json
 
       JSON.parse(pkce_json).with_indifferent_access

data/lib/shakha/rate_limiter.rb

@@ -23,16 +23,10 @@ module Shakha
       return unless Shakha.config.rate_limiting_enabled
 
       cache_key = "shakha-rate:#{key}:#{request.remote_ip}"
+      count = Rails.cache.increment(cache_key, 1, expires_in: period.seconds)
 
-      count = Rails.cache.read(cache_key).to_i + 1
-
-      if count == 1
-        Rails.cache.write(cache_key, count, expires_in: period.seconds)
-      elsif count > max
+      if count > max
         render json: { error: "Too many requests. Try again later." }, status: :too_many_requests
-        return
-      else
-        Rails.cache.write(cache_key, count, expires_in: period.seconds)
       end
     end
   end

data/lib/shakha/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Shakha
-  VERSION = "0.1.6"
+  VERSION = "0.2.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: shakha
 version: !ruby/object:Gem::Version
-  version: 0.1.6
+  version: 0.2.0
 platform: ruby
 authors:
 - Asrat
@@ -90,6 +90,7 @@ files:
 - app/views/shakha/auth/callback.html.erb
 - app/views/shakha/auth/error.html.erb
 - app/views/shakha/auth/new.html.erb
+- app/views/shakha/auth/sessions.html.erb
 - app/views/shakha/errors/show.html.erb
 - app/views/shakha/layouts/shakha.html.erb
 - lib/generators/shakha/install_generator.rb