standard_id 0.1.0

data/app/models/standard_id/authorization_code.rb

@@ -0,0 +1,86 @@
+module StandardId
+  class AuthorizationCode < ApplicationRecord
+    self.table_name = "standard_id_authorization_codes"
+
+    belongs_to :account, class_name: StandardId.config.account_class_name, optional: true
+
+    # Validations
+    validates :code_hash, presence: true, uniqueness: true
+    validates :client_id, presence: true
+    validates :redirect_uri, presence: true
+    validates :issued_at, presence: true
+    validates :expires_at, presence: true
+
+    scope :unexpired, -> { where("expires_at > ?", Time.current) }
+    scope :unused, -> { where(consumed_at: nil) }
+
+    before_validation :set_issued_and_expiry, on: :create
+
+    def self.issue!(plaintext_code:, client_id:, redirect_uri:, scope: nil, audience: nil, account: nil, code_challenge: nil, code_challenge_method: nil, metadata: {})
+      create!(
+        account: account,
+        code_hash: hash_for(plaintext_code),
+        client_id: client_id,
+        redirect_uri: redirect_uri,
+        scope: scope,
+        audience: audience,
+        code_challenge: code_challenge,
+        code_challenge_method: code_challenge_method,
+        issued_at: Time.current,
+        expires_at: Time.current + default_ttl,
+        metadata: metadata || {}
+      )
+    end
+
+    def self.lookup(plaintext_code)
+      find_by(code_hash: hash_for(plaintext_code))
+    end
+
+    def self.hash_for(plaintext_code)
+      Digest::SHA256.hexdigest("#{plaintext_code}:#{Rails.configuration.secret_key_base}")
+    end
+
+    def self.default_ttl
+      10.minutes
+    end
+
+    def valid_for_client?(client_id)
+      self.client_id == client_id && consumed_at.nil? && !expired?
+    end
+
+    def expired?
+      expires_at <= Time.current
+    end
+
+    def pkce_valid?(code_verifier)
+      return true if code_challenge.blank?
+
+      return false if code_verifier.blank?
+
+      case (code_challenge_method || "plain").downcase
+      when "s256"
+        expected = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier)).delete("=")
+        ActiveSupport::SecurityUtils.secure_compare(expected, code_challenge)
+      when "plain"
+        ActiveSupport::SecurityUtils.secure_compare(code_verifier, code_challenge)
+      else
+        false
+      end
+    end
+
+    def mark_as_used!
+      with_lock do
+        raise StandardId::InvalidGrantError, "Authorization code already used" if consumed_at.present?
+        raise StandardId::InvalidGrantError, "Authorization code expired" if expired?
+        update!(consumed_at: Time.current)
+      end
+    end
+
+    private
+
+    def set_issued_and_expiry
+      self.issued_at ||= Time.current
+      self.expires_at ||= issued_at + self.class.default_ttl
+    end
+  end
+end

data/app/models/standard_id/browser_session.rb

@@ -0,0 +1,27 @@
+module StandardId
+  class BrowserSession < Session
+    validates :user_agent, presence: true
+
+    def browser_info
+      return {} if user_agent.blank?
+
+      # Simple user agent parsing - in production you might want to use a gem like browser
+      case user_agent
+      when /Edge/i
+        { browser: "Edge", type: "browser" }
+      when /Chrome/i
+        { browser: "Chrome", type: "browser" }
+      when /Firefox/i
+        { browser: "Firefox", type: "browser" }
+      when /Safari/i
+        { browser: "Safari", type: "browser" }
+      else
+        { browser: "Unknown", type: "browser" }
+      end
+    end
+
+    def display_name
+      "#{browser_info[:browser]} Browser Session"
+    end
+  end
+end

data/app/models/standard_id/client_application.rb

@@ -0,0 +1,143 @@
+module StandardId
+  class ClientApplication < ApplicationRecord
+    self.table_name = "standard_id_client_applications"
+    belongs_to :owner, polymorphic: true
+
+    has_many :client_secret_credentials, dependent: :destroy
+    has_many :authorization_codes, foreign_key: :client_id, primary_key: :client_id, dependent: :destroy
+
+    accepts_nested_attributes_for :client_secret_credentials, allow_destroy: false
+
+    # Validations
+    validates :name, presence: true, length: { maximum: 255 }
+    validates :description, length: { maximum: 1000 }
+    validates :redirect_uris, presence: true
+    validates :client_type, inclusion: { in: %w[confidential public] }
+    validates :grant_types, presence: true
+    validates :response_types, presence: true
+    validates :scopes, presence: true
+    validates :code_challenge_methods, presence: true, if: :require_pkce?
+
+    # Lifecycle validations
+    validates :access_token_lifetime, :refresh_token_lifetime, :authorization_code_lifetime,
+              presence: true, numericality: { greater_than: 0 }
+
+    # Scopes
+    scope :active, -> { where(active: true) }
+    scope :confidential, -> { where(client_type: "confidential") }
+    scope :public_clients, -> { where(client_type: "public") }
+    scope :for_owner, ->(owner) { where(owner: owner) }
+
+    # Callbacks
+    before_create :generate_client_id
+    before_update :set_deactivated_at, if: :will_save_change_to_active?
+
+    def deactivate!
+      update!(active: false, deactivated_at: Time.current)
+    end
+
+    def activate!
+      update!(active: true, deactivated_at: nil)
+    end
+
+    def active?
+      active && deactivated_at.nil?
+    end
+
+    # OAuth configuration helpers
+    def redirect_uris_array
+      redirect_uris.to_s.split(/\s+/).map(&:strip).reject(&:blank?)
+    end
+
+    def scopes_array
+      scopes.to_s.split(/\s+/).map(&:strip).reject(&:blank?)
+    end
+
+    def grant_types_array
+      grant_types.to_s.split(/\s+/).map(&:strip).reject(&:blank?)
+    end
+
+    def response_types_array
+      response_types.to_s.split(/\s+/).map(&:strip).reject(&:blank?)
+    end
+
+    def code_challenge_methods_array
+      code_challenge_methods.to_s.split(/\s+/).map(&:strip).reject(&:blank?)
+    end
+
+    def supports_grant_type?(grant_type)
+      grant_types_array.include?(grant_type.to_s)
+    end
+
+    def supports_response_type?(response_type)
+      response_types_array.include?(response_type.to_s)
+    end
+
+    def supports_pkce_method?(method)
+      return false unless require_pkce?
+      code_challenge_methods_array.include?(method.to_s)
+    end
+
+    def valid_redirect_uri?(uri)
+      redirect_uris_array.include?(uri.to_s)
+    end
+
+    def confidential?
+      client_type == "confidential"
+    end
+
+    def public?
+      client_type == "public"
+    end
+
+    # Generate a new client secret credential
+    def create_client_secret!(name: "Default Secret", **options)
+      client_secret_credentials.create!({
+        name: name,
+        client_id: client_id
+      }.merge(options))
+    end
+
+    # Get the primary (first active) client secret
+    def primary_client_secret
+      client_secret_credentials.active.first
+    end
+
+    # Client secret rotation support
+    def rotate_client_secret!(new_secret_name: "Rotated Secret #{Time.current.strftime('%Y%m%d')}", client_secret: SecureRandom.hex(32))
+      transaction do
+        # Create new secret
+        new_secret = create_client_secret!(name: new_secret_name, client_secret: client_secret)
+
+        # Deactivate old secrets (but don't delete for audit trail)
+        client_secret_credentials.where.not(id: new_secret.id).update_all(
+          active: false,
+          revoked_at: Time.current
+        )
+
+        new_secret
+      end
+    end
+
+    # Check if client can authenticate with given secret
+    def authenticate_client_secret(secret)
+      client_secret_credentials.active.find { |cred| cred.authenticate_client_secret(secret) }
+    end
+
+    private
+
+    def generate_client_id
+      self.client_id ||= SecureRandom.hex(16)
+    end
+
+    def set_deactivated_at
+      if will_save_change_to_active?
+        if active?
+          self.deactivated_at = nil
+        else
+          self.deactivated_at = Time.current if deactivated_at.nil?
+        end
+      end
+    end
+  end
+end

data/app/models/standard_id/client_secret_credential.rb

@@ -0,0 +1,63 @@
+require "securerandom"
+
+module StandardId
+  class ClientSecretCredential < ApplicationRecord
+    include StandardId::Credentiable
+
+    belongs_to :client_application, class_name: "StandardId::ClientApplication"
+    has_secure_password :client_secret
+
+    before_validation :set_client_id_from_client, on: :create
+    before_validation :ensure_client_secret, on: :create
+
+    validates :name, presence: true
+    validates :client_id, presence: true
+    validates :active, inclusion: { in: [true, false] }
+
+    scope :active, -> { where(active: true, revoked_at: nil) }
+
+    def revoke!
+      update!(active: false, revoked_at: Time.current)
+    end
+
+    def active?
+      active && revoked_at.nil?
+    end
+
+    def scopes_array
+      (scopes || "").split(" ").map(&:strip).reject(&:blank?)
+    end
+
+    def default_redirect_uri
+      redirect_uris&.split(" ")&.first
+    end
+
+    # Effective configuration with per-secret override fallback
+    def effective_scopes_array
+      return scopes_array if scopes.present?
+      client_application.scopes_array
+    end
+
+    def effective_redirect_uris_array
+      return redirect_uris.to_s.split(/\s+/).map(&:strip).reject(&:blank?) if redirect_uris.present?
+      client_application.redirect_uris_array
+    end
+
+    def effective_default_redirect_uri
+      effective_redirect_uris_array.first
+    end
+
+    private
+
+    def set_client_id_from_client
+      self.client_id = client_application&.client_id if client_id.blank?
+    end
+
+    def ensure_client_secret
+      self.client_secret ||= SecureRandom.hex(32)
+    end
+
+    # Note: We intentionally do not enforce subset validation for per-secret overrides here.
+    # If needed later, we can introduce a configuration flag to enable enforcement.
+  end
+end

data/app/models/standard_id/credential.rb

@@ -0,0 +1,16 @@
+module StandardId
+  class Credential < ApplicationRecord
+    belongs_to :identifier, class_name: "StandardId::Identifier"
+
+    accepts_nested_attributes_for :identifier
+
+    delegate :account, to: :identifier
+
+    delegated_type :credentialable, types: %w[PasswordCredential ClientSecretCredential]
+
+    # Internal alias for future flexibility with multiple subject types
+    def subject
+      account
+    end
+  end
+end

data/app/models/standard_id/device_session.rb

@@ -0,0 +1,38 @@
+module StandardId
+  class DeviceSession < Session
+    validates :device_id, presence: true
+    validates :device_agent, presence: true
+
+    def device_info
+      return {} if device_agent.blank?
+
+      # Simple device agent parsing
+      case device_agent
+      when /iOS/i
+        { platform: "iOS", type: "mobile" }
+      when /Android/i
+        { platform: "Android", type: "mobile" }
+      when /Windows/i
+        { platform: "Windows", type: "desktop" }
+      when /Mac/i
+        { platform: "macOS", type: "desktop" }
+      when /Linux/i
+        { platform: "Linux", type: "desktop" }
+      else
+        { platform: "Unknown", type: "unknown" }
+      end
+    end
+
+    def display_name
+      "#{device_info[:platform]} Device Session"
+    end
+
+    def refresh!
+      update!(last_refreshed_at: Time.current)
+    end
+
+    def stale?
+      last_refreshed_at.nil? || last_refreshed_at < 1.hour.ago
+    end
+  end
+end

data/app/models/standard_id/email_identifier.rb

@@ -0,0 +1,5 @@
+module StandardId
+  class EmailIdentifier < Identifier
+    validates :value, format: { with: URI::MailTo::EMAIL_REGEXP }
+  end
+end

data/app/models/standard_id/identifier.rb

@@ -0,0 +1,25 @@
+module StandardId
+  class Identifier < ApplicationRecord
+    belongs_to :account, class_name: StandardId.config.account_class_name
+
+    has_many :credentials, class_name: "StandardId::Credential", dependent: :restrict_with_exception
+
+    scope :verified, -> { where.not(verified_at: nil) }
+    scope :unverified, -> { where(verified_at: nil) }
+
+    # Shared validations
+    validates :value, presence: true, uniqueness: { scope: [:account_id, :type] }
+
+    def verified?
+      verified_at.present?
+    end
+
+    def verify!
+      update!(verified_at: Time.current)
+    end
+
+    def unverify!
+      update!(verified_at: nil)
+    end
+  end
+end

data/app/models/standard_id/password_credential.rb

@@ -0,0 +1,24 @@
+module StandardId
+  class PasswordCredential < ApplicationRecord
+    include StandardId::Credentiable
+
+    has_secure_password
+
+    generates_token_for :remember_me, expires_in: 30.days do
+      password_digest
+    end
+
+    generates_token_for :password_reset, expires_in: 20.minutes do
+      password_digest
+    end
+
+    validates :login, presence: true, uniqueness: true
+    validates :password, length: { minimum: 8 }, confirmation: true, if: :validate_password?
+
+    private
+
+    def validate_password?
+      password.present? || password_confirmation.present?
+    end
+  end
+end

data/app/models/standard_id/passwordless_challenge.rb

@@ -0,0 +1,30 @@
+module StandardId
+  class PasswordlessChallenge < ApplicationRecord
+    self.table_name = "standard_id_passwordless_challenges"
+
+    validates :connection_type, presence: true, inclusion: { in: %w[email sms] }
+    validates :username, presence: true
+    validates :code, presence: true, uniqueness: { scope: [:connection_type, :username, :expires_at] }
+    validates :expires_at, presence: true
+
+    scope :active, -> { where(used_at: nil).where("expires_at > ?", Time.current) }
+    scope :expired, -> { where("expires_at <= ?", Time.current) }
+    scope :used, -> { where.not(used_at: nil) }
+
+    def expired?
+      expires_at <= Time.current
+    end
+
+    def used?
+      used_at.present?
+    end
+
+    def active?
+      !expired? && !used?
+    end
+
+    def use!
+      update!(used_at: Time.current)
+    end
+  end
+end

data/app/models/standard_id/phone_number_identifier.rb

@@ -0,0 +1,5 @@
+module StandardId
+  class PhoneNumberIdentifier < Identifier
+    validates :value, format: { with: /\A\+?[1-9]\d{1,14}\z/ }
+  end
+end

data/app/models/standard_id/service_session.rb

@@ -0,0 +1,44 @@
+module StandardId
+  class ServiceSession < Session
+    belongs_to :owner, polymorphic: true, optional: true
+
+    validates :service_name, presence: true
+    validates :service_version, presence: true
+    validates :owner, presence: true
+
+    before_validation :set_default_expiry, on: :create
+
+    def display_name
+      "#{service_name} Service Session (v#{service_version})"
+    end
+
+    def service_info
+      {
+        name: service_name,
+        version: service_version,
+        type: "service"
+      }
+    end
+
+    def self.default_expiry
+      90.days.from_now # TODO: make this configurable
+    end
+
+    def refresh!
+      # No-op for service sessions - they don't get refreshed
+      # Services should create new sessions when needed
+    end
+
+    def stale?
+      # Service sessions are never considered stale
+      # They're valid until they expire or are revoked
+      false
+    end
+
+    private
+
+    def set_default_expiry
+      self.expires_at ||= self.class.default_expiry
+    end
+  end
+end

data/app/models/standard_id/session.rb

@@ -0,0 +1,54 @@
+require "bcrypt"
+
+module StandardId
+  class Session < ApplicationRecord
+    self.table_name = "standard_id_sessions"
+
+    belongs_to :account, class_name: StandardId.config.account_class_name
+
+    scope :active, -> { where(revoked_at: nil).where("expires_at > ?", Time.current) }
+    scope :expired, -> { where("expires_at <= ?", Time.current) }
+    scope :revoked, -> { where.not(revoked_at: nil) }
+
+    scope :api_compatible, -> { where(type: ["StandardId::DeviceSession", "StandardId::ServiceSession"]) }
+    scope :by_token, ->(token) {
+      lookup_hash = Digest::SHA256.hexdigest("#{token}:#{Rails.configuration.secret_key_base}")
+      where(lookup_hash:)
+    }
+
+    attr_reader :token
+
+    before_validation :generate_token, :generate_token_digest, :generate_lookup_hash, on: :create
+
+
+    def active?
+      !revoked? && !expired?
+    end
+
+    def expired?
+      expires_at <= Time.current
+    end
+
+    def revoked?
+      revoked_at.present?
+    end
+
+    def revoke!
+      update!(revoked_at: Time.current)
+    end
+
+    private
+
+    def generate_token
+      @token ||= SecureRandom.urlsafe_base64(32)
+    end
+
+    def generate_token_digest
+      self.token_digest = BCrypt::Password.create(token)
+    end
+
+    def generate_lookup_hash
+      self.lookup_hash = Digest::SHA256.hexdigest("#{token}:#{Rails.configuration.secret_key_base}")
+    end
+  end
+end

data/app/models/standard_id/username_identifier.rb

@@ -0,0 +1,5 @@
+module StandardId
+  class UsernameIdentifier < Identifier
+    validates :value, format: { with: /\A[a-zA-Z0-9_]+\z/ }
+  end
+end

data/app/views/standard_id/web/account/edit.html.erb

@@ -0,0 +1,26 @@
+<% content_for :title, "Edit Account" %>
+
+<div class="container">
+  <h1>Edit Account</h1>
+
+  <% if @account.errors.any? %>
+    <div class="alert alert-error">
+      <ul>
+        <% @account.errors.full_messages.each do |msg| %>
+          <li><%= msg %></li>
+        <% end %>
+      </ul>
+    </div>
+  <% end %>
+
+  <%= form_with model: @account, url: account_path, method: :patch, local: true do |form| %>
+    <!-- Add account fields here when available -->
+    <p>No editable fields are defined yet.</p>
+
+    <%= form.submit "Save Changes", class: "btn" %>
+  <% end %>
+
+  <div class="mt-3">
+    <%= link_to "Back", account_path, class: "btn btn-secondary" %>
+  </div>
+</div>

data/app/views/standard_id/web/account/show.html.erb

@@ -0,0 +1,31 @@
+<% content_for :title, "Account" %>
+
+<div class="container">
+  <h1>My Account</h1>
+
+  <div class="mb-3">
+    <h2>Account Information</h2>
+    <p><strong>Account ID:</strong> <%= @account.id %></p>
+    <p><strong>Created:</strong> <%= @account.created_at.strftime("%B %d, %Y") %></p>
+  </div>
+
+  <div class="mb-3">
+    <%= link_to "Edit Account", edit_account_path, class: "btn btn-secondary" %>
+  </div>
+
+  <div class="mb-3">
+    <h2>Active Sessions</h2>
+    <% if @sessions.any? %>
+      <p>You have <%= pluralize(@sessions.count, 'active session') %>.</p>
+      <%= link_to "Manage Sessions", sessions_path, class: "btn btn-secondary" %>
+    <% else %>
+      <p>No active sessions found.</p>
+    <% end %>
+  </div>
+
+  <div class="text-center mt-3">
+    <%= form_with url: logout_path, method: :post, local: true do |form| %>
+      <%= form.submit "Sign Out", class: "btn btn-secondary" %>
+    <% end %>
+  </div>
+</div>