standard_id-apple 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 63120ccfea7a05fb35a42c90548f441a7d719aa3d5a46e0bb9d72ec97e1e5129
-  data.tar.gz: '0857aa7e1bbafae5621ce60aa2c3364b01931a836b8e0adc121b50bcfacf42af'
+  metadata.gz: 12a977e4ff2079df4c467f77c117bd3ea4564de05381b29514f7c1bbdec87380
+  data.tar.gz: c071fe2549d4dae82f12d98e435214a615e68fa892fd85ff2a0dda88290c1a9b
 SHA512:
-  metadata.gz: da5566c05904516299901bc7cbafb42e97c59c6bfb516959c8a2e77b55afd34f976e07c503ac94781681b972349c82519f4053d97004c7dea6967738ded0fe4a
-  data.tar.gz: 95da64b4f2c8deee61e18867133aa36d7ddea30985c276c266dcba0e8448712de8807c1040f224783621cb7319a998264c982ed0b96cb1e3b52a91447bfd1e0f
+  metadata.gz: c94b517719fa7da262ec4c189e4c3d791eef9e3e352afc4181844f0d353729bf167523932d9aab1c1eae88825001d9e87a7cf0c808b14182a6c081190ab956a3
+  data.tar.gz: b92eb9d4c48fefc7c59e1636f28e8a5483e13e58bdc83753716ca6e4956d334b8880e2a685a4288949b13c5048b433b788db0c874df9d2fd25809ae6b287e847

data/.ruby-version

@@ -1 +1 @@
-3.4.4
+4.0.1

data/CHANGELOG.md

@@ -1,5 +1,32 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
 ## [Unreleased]
 
+## [0.2.0] - 2026-04-21
+
+### Added
+
+- Auto-register provider with StandardId via `Rails::Railtie` on `config.after_initialize`, so apps that bundle the gem no longer need an explicit initializer (#30)
+
+## [0.1.2] - 2026-01-13
+
+### Added
+
+- Support nonce and passing custom parameters to Apple Sign In (#2)
+
+## [0.1.1] - 2025-12-24
+
+### Changed
+
+- Standardized config access patterns
+
 ## [0.1.0] - 2025-12-20
 
-- Initial release
+### Added
+
+- Initial release of Apple Sign In provider plugin for StandardId

data/CLAUDE.md

@@ -0,0 +1,26 @@
+# CLAUDE.md
+
+## Worktree-Only Workflow (Enforced)
+
+**All file modifications are blocked in the main checkout.** A PreToolUse hook (`enforce-worktree.sh`) rejects Edit, Write, and NotebookEdit operations targeting files outside a worktree. There are no opt-outs. Do not use Bash to write files in the main checkout either (e.g., `echo >`, `sed -i`, `tee`, `cp`) — the hook cannot intercept shell commands, so this rule is instruction-enforced.
+
+Before writing any code, create a worktree:
+
+```bash
+DEFAULT_BRANCH=$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's@refs/remotes/origin/@@')
+DEFAULT_BRANCH=${DEFAULT_BRANCH:-main}
+git fetch origin "$DEFAULT_BRANCH"
+git worktree add .worktrees/<name> -b <branch-name> "origin/$DEFAULT_BRANCH"
+```
+
+Then work inside `.worktrees/<name>/` for the rest of the session.
+
+**Naming:** Use the Linear issue identifier if available (e.g., `.worktrees/<identifier>`), a task slug (e.g., `.worktrees/fix-auth-timeout`), or today's date (e.g., `.worktrees/2026-04-01`) as fallback.
+
+**The hook allows modifications only when:**
+
+1. The file is inside a git worktree (detected via `git rev-parse --git-dir` returning a path under `.git/worktrees/`)
+2. Running in a CI/automated context where the checkout is already isolated
+**Why this matters:** Working directly on the main checkout causes cross-contamination between sessions — uncommitted changes, wrong branches, and dirty state leak into unrelated work. Worktrees eliminate this entirely.
+
+See the `/worktree` and `/start` skills for full conventions and flags.

data/lib/standard_id/apple/providers/apple.rb

@@ -12,40 +12,47 @@ module StandardId
       JWKS_URI = "#{ISSUER}/auth/keys".freeze
       DEFAULT_SCOPE = "name email".freeze
       DEFAULT_RESPONSE_MODE = "form_post".freeze
+      AUTHORIZATION_PARAM_DEFAULTS = {
+        scope: DEFAULT_SCOPE,
+        response_mode: DEFAULT_RESPONSE_MODE
+      }.freeze
 
       class << self
         def provider_name
           "apple"
         end
 
-        def authorization_url(state:, redirect_uri:, **options)
-          scope = options[:scope] || DEFAULT_SCOPE
-          response_mode = options[:response_mode] || DEFAULT_RESPONSE_MODE
+        def supported_authorization_params
+          [:nonce, :scope, :response_mode]
+        end
 
+        def authorization_url(state:, redirect_uri:, **options)
           ensure_basic_credentials!
 
           query = {
             client_id: StandardId.config.apple_client_id,
-            redirect_uri: redirect_uri,
+            redirect_uri:,
             response_type: "code",
-            scope: scope,
-            response_mode: response_mode,
-            state: state
+            state:
           }
 
-          "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query)}"
+          supported_authorization_params.each do |param|
+            query[param] = options[param] || AUTHORIZATION_PARAM_DEFAULTS[param]
+          end
+
+          "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query.compact)}"
         end
 
-        def get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, **options)
+        def get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, nonce: nil, **options)
           client_id = options[:client_id] || StandardId.config.apple_client_id
 
           if id_token.present?
             build_response(
-              verify_id_token(id_token: id_token, client_id: client_id),
+              verify_id_token(id_token: id_token, client_id: client_id, nonce: nonce),
               tokens: { id_token: id_token }
             )
           elsif code.present?
-            exchange_code_for_user_info(code: code, redirect_uri: redirect_uri, client_id: client_id)
+            exchange_code_for_user_info(code: code, redirect_uri: redirect_uri, client_id: client_id, nonce: nonce)
           elsif access_token.present?
             raise StandardId::InvalidRequestError, "Access token login flow is not supported for Apple"
           else
@@ -82,7 +89,7 @@ module StandardId
           params.merge(client_id: client_id)
         end
 
-        def exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id)
+        def exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id, nonce: nil)
           ensure_full_credentials!(client_id: client_id)
           raise StandardId::InvalidRequestError, "Missing authorization code" if code.blank?
 
@@ -108,7 +115,7 @@ module StandardId
           raise StandardId::InvalidRequestError, "Apple response missing id_token" if id_token.blank?
 
           tokens = extract_token_payload(parsed_token)
-          user_info = verify_id_token(id_token: id_token, client_id: client_id)
+          user_info = verify_id_token(id_token: id_token, client_id: client_id, nonce: nonce)
 
           build_response(user_info, tokens: tokens)
         rescue StandardError => e
@@ -117,7 +124,7 @@ module StandardId
           raise StandardId::OAuthError, e.message, cause: e
         end
 
-        def verify_id_token(id_token:, client_id: StandardId.config.apple_client_id)
+        def verify_id_token(id_token:, client_id: StandardId.config.apple_client_id, nonce: nil)
           raise StandardId::InvalidRequestError, "Missing id_token" if id_token.blank?
           raise StandardId::InvalidRequestError, "Apple client_id is not configured" if client_id.blank?
 
@@ -137,6 +144,15 @@ module StandardId
             verify_aud: true
           )
 
+          # Validate nonce if provided (web flow with server-generated nonce)
+          if nonce.present?
+            token_nonce = verified_payload["nonce"]
+            if token_nonce != nonce
+              raise StandardId::InvalidRequestError,
+                    "ID token nonce mismatch. Expected: #{nonce}, got: #{token_nonce}"
+            end
+          end
+
           {
             "sub" => verified_payload["sub"],
             "email" => verified_payload["email"],
@@ -224,5 +240,3 @@ module StandardId
     end
   end
 end
-
-StandardId::ProviderRegistry.register(:apple, StandardId::Providers::Apple)

data/lib/standard_id/apple/railtie.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module StandardId
+  module Apple
+    class Railtie < ::Rails::Railtie
+      config.after_initialize do
+        StandardId::ProviderRegistry.register(:apple, StandardId::Providers::Apple)
+
+        Rails.logger.debug("[StandardId::Apple] registered provider") if Rails.logger
+      end
+    end
+  end
+end

data/lib/standard_id/apple/version.rb

@@ -2,6 +2,6 @@
 
 module StandardId
   module Apple
-    VERSION = "0.1.1"
+    VERSION = "0.2.0"
   end
 end

data/lib/standard_id/apple.rb

@@ -2,3 +2,4 @@ require "active_support/core_ext/numeric/time"
 require "active_support/core_ext/hash/indifferent_access"
 require "standard_id"
 require "standard_id/apple/providers/apple"
+require "standard_id/apple/railtie" if defined?(Rails)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id-apple
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Jaryl Sim
@@ -69,12 +69,14 @@ files:
 - ".rubocop.yml"
 - ".ruby-version"
 - CHANGELOG.md
+- CLAUDE.md
 - CODE_OF_CONDUCT.md
 - LICENSE.txt
 - README.md
 - Rakefile
 - lib/standard_id/apple.rb
 - lib/standard_id/apple/providers/apple.rb
+- lib/standard_id/apple/railtie.rb
 - lib/standard_id/apple/version.rb
 homepage: https://github.com/rarebit-one/standard_id_apple
 licenses:
@@ -83,6 +85,7 @@ metadata:
   homepage_uri: https://github.com/rarebit-one/standard_id_apple
   source_code_uri: https://github.com/rarebit-one/standard_id_apple
   changelog_uri: https://github.com/rarebit-one/standard_id_apple/blob/main/CHANGELOG.md
+  bug_tracker_uri: https://github.com/rarebit-one/standard_id_apple/issues
 rdoc_options: []
 require_paths:
 - lib
@@ -97,7 +100,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Apple Sign In provider plugin for the StandardId engine.
 test_files: []