standard_id 0.1.0

data/app/controllers/standard_id/web/account_controller.rb

@@ -0,0 +1,32 @@
+module StandardId
+  module Web
+    class AccountController < BaseController
+      def show
+        @account = current_account
+        @sessions = current_account.sessions.active.order(created_at: :desc)
+      end
+
+      def edit
+        @account = current_account
+      end
+
+      def update
+        @account = current_account
+
+        if @account.update(account_params)
+          redirect_to account_path, notice: "Account updated successfully"
+        else
+          flash.now[:alert] = @account.errors.full_messages.join(", ")
+          render :edit, status: :unprocessable_content
+        end
+      end
+
+      private
+
+      def account_params
+        # Add account fields as they're defined in the Account model
+        params.require(:account).permit()
+      end
+    end
+  end
+end

data/app/controllers/standard_id/web/auth/callback/providers_controller.rb

@@ -0,0 +1,126 @@
+module StandardId
+  module Web
+    module Auth
+      module Callback
+        class ProvidersController < StandardId::Web::BaseController
+          include StandardId::WebAuthentication
+
+          # Social callbacks must be accessible without an existing browser session
+          # because they create/sign-in the session upon successful callback.
+          skip_before_action :require_browser_session!, only: [:google, :apple]
+
+          def google
+            handle_social_callback("google-oauth2")
+          end
+
+          def apple
+            handle_social_callback("apple")
+          end
+
+          private
+
+          def handle_social_callback(provider)
+            # This handles the callback from social providers in web context
+            # After successful social auth, we need to:
+            # 1. Extract user info from the callback
+            # 2. Create/find account
+            # 3. Sign in the user with web session
+            # 4. Redirect to original destination
+
+            if params[:error].present?
+              handle_callback_error
+              return
+            end
+
+            begin
+              user_info = extract_user_info(provider)
+              account = find_or_create_account_from_social(user_info, provider)
+              session_manager.sign_in_account(account)
+
+              redirect_to decode_redirect_uri, notice: "Successfully signed in with #{provider.humanize}"
+            rescue StandardId::OAuthError => e
+              redirect_to login_path, alert: "Authentication failed: #{e.message}"
+            end
+          end
+
+          def extract_user_info(provider)
+            case provider
+            when "google-oauth2"
+              extract_google_user_info
+            when "apple"
+              extract_apple_user_info
+            else
+              raise StandardId::InvalidRequestError, "Unsupported connection/provider: #{provider}"
+            end
+          end
+
+          def extract_google_user_info
+            # Exchange code for Google user info
+            # This would integrate with Google OAuth API
+            {
+              email: params[:email] || "user@example.com", # Placeholder
+              name: params[:name] || "Google User",
+              provider: "google-oauth2",
+              provider_id: params[:sub] || "google_123"
+            }
+          end
+
+          def extract_apple_user_info
+            # Extract user info from Apple Sign In callback
+            # This would decode the Apple ID token
+            {
+              email: params[:email] || "user@privaterelay.appleid.com", # Placeholder
+              name: params[:name] || "Apple User",
+              provider: "apple",
+              provider_id: params[:sub] || "apple_123"
+            }
+          end
+
+          def find_or_create_account_from_social(user_info, provider)
+            # Find existing account by email or create new one
+            identifier = StandardId::EmailIdentifier.find_by(value: user_info[:email])
+
+            if identifier
+              identifier.account
+            else
+              # Create new account with social login
+              account = ::Account.create!(
+                email: user_info[:email],
+                name: user_info[:name].presence || "User"
+              )
+              StandardId::EmailIdentifier.create!(
+                account: account,
+                value: user_info[:email]
+              )
+              account
+            end
+          end
+
+          def decode_redirect_uri
+            return "/" unless params[:state].present?
+
+            begin
+              state_data = JSON.parse(Base64.urlsafe_decode64(params[:state]))
+              state_data["redirect_uri"] || "/"
+            rescue JSON::ParserError, ArgumentError
+              "/"
+            end
+          end
+
+          def handle_callback_error
+            error_message = case params[:error]
+            when "access_denied"
+                            "Authentication was cancelled"
+            when "invalid_request"
+                            "Invalid authentication request"
+            else
+                            "Authentication failed"
+            end
+
+            redirect_to login_path, alert: error_message
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/standard_id/web/base_controller.rb

@@ -0,0 +1,14 @@
+module StandardId
+  module Web
+    class BaseController < ApplicationController
+      include StandardId::WebAuthentication
+
+      include StandardId::WebEngine.routes.url_helpers
+      helper StandardId::WebEngine.routes.url_helpers
+
+      layout -> { StandardId.config.web_layout.presence || "application" }
+
+      before_action :require_browser_session!
+    end
+  end
+end

data/app/controllers/standard_id/web/login_controller.rb

@@ -0,0 +1,69 @@
+module StandardId
+  module Web
+    class LoginController < BaseController
+      layout "public"
+
+      skip_before_action :require_browser_session!, only: [:show, :create]
+
+      before_action :redirect_if_authenticated, only: [:show]
+      before_action :redirect_if_social_login, only: [:create]
+
+      def show
+        @redirect_uri = params[:redirect_uri] || after_authentication_url
+        @connection = params[:connection]
+      end
+
+      def create
+        if sign_in_account(login_params)
+          redirect_to params[:redirect_uri] || after_authentication_url, status: :see_other, notice: "Successfully signed in"
+        else
+          flash.now[:alert] = "Invalid email or password"
+          render :show, status: :unprocessable_content
+        end
+      end
+
+      private
+
+      def redirect_if_authenticated
+        redirect_to after_authentication_url, status: :see_other, notice: "You are already signed in" if authenticated?
+      end
+
+      def redirect_if_social_login
+        redirect_to social_login_url, allow_other_host: true if params[:connection].present?
+      end
+
+      def social_login_url
+        uri = URI.parse("/api/authorize")
+        query = {
+          response_type: "code",
+          client_id: StandardId.config.default_client_id,
+          redirect_uri: callback_url,
+          connection: params[:connection],
+          state: encode_state
+        }.to_query
+        uri.query = query
+        uri.to_s
+      end
+
+      def callback_url
+        case params[:connection]
+        when "google-oauth2"
+          auth_callback_google_path
+        when "apple"
+          auth_callback_apple_path
+        end
+      end
+
+      def encode_state
+        Base64.urlsafe_encode64({
+          redirect_uri: params[:redirect_uri] || after_authentication_url,
+          timestamp: Time.current.to_i
+        }.to_json)
+      end
+
+      def login_params
+        params.require(:login).permit(:email, :password, :remember_me)
+      end
+    end
+  end
+end

data/app/controllers/standard_id/web/logout_controller.rb

@@ -0,0 +1,20 @@
+module StandardId
+  module Web
+    class LogoutController < BaseController
+      skip_before_action :require_browser_session!, only: [:create]
+
+      before_action :redirect_if_not_authenticated
+
+      def create
+        revoke_current_session!
+        redirect_to params[:redirect_uri] || root_path, notice: "Successfully signed out"
+      end
+
+      private
+
+      def redirect_if_not_authenticated
+        redirect_to params[:redirect_uri] || root_path unless authenticated?
+      end
+    end
+  end
+end

data/app/controllers/standard_id/web/reset_password/confirm_controller.rb

@@ -0,0 +1,46 @@
+module StandardId
+  module Web
+    module ResetPassword
+      class ConfirmController < BaseController
+        layout "public"
+
+        skip_before_action :require_browser_session!, only: [:show, :update]
+
+        before_action :prepare_password_credential, only: [:show, :update]
+        before_action :redirect_if_token_invalid, only: [:show, :update]
+
+        def show
+        end
+
+        def update
+          form = StandardId::Web::ResetPasswordConfirmForm.new(@password_credential, reset_password_confirm_form_params)
+
+          if form.submit
+            flash[:notice] = "Your password has been successfully reset. Please sign in with your new password."
+            redirect_to login_path, status: :see_other
+          else
+            flash.now[:alert] = form.errors.full_messages.to_sentence
+            render :show, status: :unprocessable_content
+          end
+        end
+
+        private
+
+        def prepare_password_credential
+          @password_credential = StandardId::PasswordCredential.find_by_token_for(:password_reset, params[:token])
+        end
+
+        def reset_password_confirm_form_params
+          params.permit(:password, :password_confirmation)
+        end
+
+        def redirect_if_token_invalid
+          return if @password_credential.present?
+
+          flash[:alert] = "Invalid or expired password reset link"
+          redirect_to login_path, status: :see_other
+        end
+      end
+    end
+  end
+end

data/app/controllers/standard_id/web/reset_password/start_controller.rb

@@ -0,0 +1,27 @@
+module StandardId
+  module Web
+    module ResetPassword
+      class StartController < BaseController
+        layout "public"
+
+        skip_before_action :require_browser_session!, only: [:show, :create]
+
+        def show
+          # Display the password reset request form
+        end
+
+        def create
+          form = StandardId::Web::ResetPasswordStartForm.new(email: params[:email])
+
+          if form.submit
+            flash[:notice] = "If an account with that email exists, we've sent password reset instructions."
+            redirect_to login_path, status: :see_other
+          else
+            flash.now[:alert] = form.errors[:email].first || "Please enter your email address"
+            render :show, status: :unprocessable_content
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/standard_id/web/sessions_controller.rb

@@ -0,0 +1,26 @@
+module StandardId
+  module Web
+    class SessionsController < BaseController
+      def index
+        @sessions = current_account.sessions.active.order(created_at: :desc)
+        @current_session = current_session
+      end
+
+      def destroy
+        session = current_account.sessions.find(params[:id])
+
+        if session == current_session
+          # If revoking current session, sign out and redirect
+          revoke_current_session!
+          redirect_to "/", notice: "Session revoked. You have been signed out."
+        else
+          # Revoke other session
+          session.revoke!
+          redirect_to sessions_path, notice: "Session revoked successfully"
+        end
+      rescue ActiveRecord::RecordNotFound
+        redirect_to sessions_path, alert: "Session not found"
+      end
+    end
+  end
+end

data/app/controllers/standard_id/web/signup_controller.rb

@@ -0,0 +1,83 @@
+module StandardId
+  module Web
+    class SignupController < BaseController
+      layout "public"
+
+      skip_before_action :require_browser_session!, only: [:show, :create]
+
+      before_action :redirect_if_authenticated, only: [:show]
+      before_action :redirect_if_social_login, only: [:create]
+
+      def show
+        @redirect_uri = params[:redirect_uri] || after_authentication_url
+        @connection = params[:connection] # For social login detection
+      end
+
+      def create
+        handle_password_signup
+      end
+
+      private
+
+      def redirect_if_authenticated
+        redirect_to after_authentication_url if authenticated?
+      end
+
+      def redirect_if_social_login
+        redirect_to social_signup_url, allow_other_host: true if params[:connection].present?
+      end
+
+      def handle_password_signup
+        form = StandardId::Web::SignupForm.new(signup_params)
+
+        if form.submit
+          session_manager.sign_in_account(form.account)
+          redirect_to params[:redirect_uri] || after_authentication_url,
+                      notice: "Account created successfully"
+        else
+          flash.now[:alert] = form.errors.full_messages.join(", ")
+          render :show, status: :unprocessable_content
+        end
+      end
+
+      def social_signup_url
+        # Same as login - social providers handle signup/login automatically
+        uri = URI.parse("/api/authorize")
+        query = {
+          response_type: "code",
+          client_id: StandardId.config.default_client_id,
+          redirect_uri: callback_url,
+          connection: params[:connection],
+          state: encode_state
+        }.to_query
+        uri.query = query
+        uri.to_s
+      end
+
+      def callback_url
+        case params[:connection]
+        when "google-oauth2"
+          auth_callback_google_url
+        when "apple"
+          auth_callback_apple_url
+        end
+      end
+
+      def encode_state
+        Base64.urlsafe_encode64({
+          redirect_uri: params[:redirect_uri] || after_authentication_url,
+          timestamp: Time.current.to_i
+        }.to_json)
+      end
+
+      def account_params
+        # Add any additional account fields as needed
+        {}
+      end
+
+      def signup_params
+        params.require(:signup).permit(:email, :password, :password_confirmation)
+      end
+    end
+  end
+end

data/app/forms/standard_id/web/reset_password_confirm_form.rb

@@ -0,0 +1,37 @@
+module StandardId
+  module Web
+    class ResetPasswordConfirmForm
+      include ActiveModel::Model
+      include ActiveModel::Attributes
+
+      attribute :password, :string
+      attribute :password_confirmation, :string
+
+      attr_reader :password_credential
+
+      validates :password,
+        presence: { message: "cannot be blank" },
+        length: { minimum: 8, too_short: "must be at least 8 characters long" },
+        confirmation: { message: "confirmation doesn't match" }
+
+      def initialize(password_credential, params = {})
+        @password_credential = password_credential
+        super(params)
+      end
+
+      def submit
+        return false unless valid?
+
+        ActiveRecord::Base.transaction do
+          @password_credential.update!(password: password, password_confirmation: password_confirmation)
+          @password_credential.account.sessions.destroy_all
+        end
+
+        true
+      rescue ActiveRecord::RecordInvalid => e
+        errors.add(:base, e.record.errors.full_messages.join(", "))
+        false
+      end
+    end
+  end
+end

data/app/forms/standard_id/web/reset_password_start_form.rb

@@ -0,0 +1,38 @@
+module StandardId
+  module Web
+    class ResetPasswordStartForm
+      include ActiveModel::Model
+      include ActiveModel::Attributes
+
+      attribute :email, :string
+
+      attr_reader :password_credential, :token
+
+      validates :email, presence: { message: "Please enter your email address" }, format: { with: URI::MailTo::EMAIL_REGEXP }
+
+      def submit
+        return false unless valid?
+
+        if token.present?
+          # TODO: send reset link via email
+        end
+
+        true
+      end
+
+      def password_credential
+        @password_credential ||= identifier&.account&.credentials&.where(credentialable_type: "StandardId::PasswordCredential")&.sole&.credentialable
+      end
+
+      def token
+        @token ||= password_credential&.generate_token_for(:password_reset)
+      end
+
+      private
+
+      def identifier
+        @identifier ||= StandardId::EmailIdentifier.find_by(value: email.to_s.strip.downcase)
+      end
+    end
+  end
+end

data/app/forms/standard_id/web/signup_form.rb

@@ -0,0 +1,65 @@
+module StandardId
+  module Web
+    class SignupForm
+      include ActiveModel::Model
+      include ActiveModel::Attributes
+
+      attribute :email, :string
+      attribute :password, :string
+      attribute :password_confirmation, :string
+
+      attr_reader :account
+
+      validates :email, presence: true, format: { with: URI::MailTo::EMAIL_REGEXP }
+      validates :password, presence: true, length: { minimum: 8 }, confirmation: true
+
+      def submit
+        return false unless valid?
+
+        ActiveRecord::Base.transaction do
+          @account = Account.create!(account_params)
+          StandardId::PasswordCredential.create!(
+            password_credential_params.merge(
+              credential_attributes: {
+                identifier_attributes: email_identifier_params.merge(account: @account)
+              }
+            )
+          )
+        end
+
+        true
+      rescue ActiveRecord::RecordInvalid => e
+        errors.add(:base, e.record.errors.full_messages.join(", "))
+        false
+      rescue ActiveRecord::RecordNotUnique => e
+        errors.add(:base, e.message)
+        false
+      end
+
+      private
+
+      def account_params
+        # Placeholder for account fields. Add/permit additional attributes as needed.
+        {
+          name: (email.to_s.split("@").first.presence || "User"),
+          email: email
+        }
+      end
+
+      def email_identifier_params
+        {
+          value: email,
+          verified_at: Time.current,
+          type: "StandardId::EmailIdentifier"
+        }
+      end
+
+      def password_credential_params
+        {
+          login: email,
+          password: password
+        }
+      end
+    end
+  end
+end

data/app/helpers/standard_id/application_helper.rb

@@ -0,0 +1,4 @@
+module StandardId
+  module ApplicationHelper
+  end
+end

data/app/jobs/standard_id/application_job.rb

@@ -0,0 +1,4 @@
+module StandardId
+  class ApplicationJob < ActiveJob::Base
+  end
+end

data/app/mailers/standard_id/application_mailer.rb

@@ -0,0 +1,6 @@
+module StandardId
+  class ApplicationMailer < ActionMailer::Base
+    default from: "from@example.com"
+    layout "mailer"
+  end
+end

data/app/models/concerns/standard_id/account_associations.rb

@@ -0,0 +1,14 @@
+module StandardId
+  module AccountAssociations
+    extend ActiveSupport::Concern
+
+    included do
+      has_many :identifiers, class_name: "StandardId::Identifier", dependent: :restrict_with_exception
+      has_many :credentials, class_name: "StandardId::Credential", through: :identifiers, source: :credentials, dependent: :restrict_with_exception
+      has_many :sessions, class_name: "StandardId::Session", dependent: :restrict_with_exception
+      has_many :client_applications, class_name: "StandardId::ClientApplication", as: :owner, dependent: :restrict_with_exception
+
+      accepts_nested_attributes_for :identifiers
+    end
+  end
+end

data/app/models/concerns/standard_id/credentiable.rb

@@ -0,0 +1,12 @@
+module StandardId
+  module Credentiable
+    extend ActiveSupport::Concern
+
+    included do
+      has_one :credential, as: :credentialable, touch: true
+      accepts_nested_attributes_for :credential
+
+      delegate :account, to: :credential
+    end
+  end
+end

data/app/models/standard_id/application_record.rb

@@ -0,0 +1,5 @@
+module StandardId
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end