standard_id 0.1.0

data/lib/standard_id/oauth/implicit_authorization_flow.rb

@@ -0,0 +1,79 @@
+module StandardId
+  module Oauth
+    class ImplicitAuthorizationFlow < AuthorizationFlow
+      expect_params :client_id
+      permit_params :audience, :scope, :state, :redirect_uri, :nonce, :connection, :prompt, :organization, :invitation
+
+      private
+
+      def generate_authorization_response
+        access_token = generate_access_token
+
+        id_token = generate_id_token if include_id_token?
+
+        fragment_params = {
+          access_token: access_token,
+          token_type: "Bearer",
+          expires_in: token_expiry.to_i,
+          scope: scope,
+          state: state
+        }
+
+        fragment_params[:id_token] = id_token if id_token
+
+        {
+          redirect_to: build_fragment_uri(redirect_uri, fragment_params),
+          status: :found
+        }
+      end
+
+      def generate_access_token
+        expires_in = token_expiry
+        payload = build_access_token_payload(expires_in)
+        StandardId::JwtService.encode(payload, expires_in: expires_in)
+      end
+
+      def generate_id_token
+        return nil unless include_id_token?
+
+        expires_in = token_expiry
+        payload = build_id_token_payload(expires_in)
+        StandardId::JwtService.encode(payload, expires_in: expires_in)
+      end
+
+      def include_id_token?
+        params[:response_type]&.include?("id_token")
+      end
+
+      def build_access_token_payload(expires_in)
+        {
+          sub: subject_id,
+          client_id: params[:client_id],
+          scope: scope,
+          aud: audience,
+          iat: Time.current.to_i,
+          exp: (Time.current + expires_in).to_i
+        }.compact
+      end
+
+      def build_id_token_payload(expires_in)
+        {
+          sub: subject_id,
+          aud: params[:client_id],
+          iss: StandardId.config.issuer,
+          iat: Time.current.to_i,
+          exp: (Time.current + expires_in).to_i,
+          nonce: params[:nonce]
+        }.compact
+      end
+
+      def token_expiry
+        1.hour
+      end
+
+      def subject_id
+        current_account.id
+      end
+    end
+  end
+end

data/lib/standard_id/oauth/password_flow.rb

@@ -0,0 +1,70 @@
+module StandardId
+  module Oauth
+    class PasswordFlow < TokenGrantFlow
+      expect_params :username, :password, :client_id
+      permit_params :client_secret, :audience, :scope, :realm
+
+      def authenticate!
+        validate_client_secret!(params[:client_id], params[:client_secret]) if params[:client_secret].present?
+
+        @account = authenticate_account(params[:username], params[:password])
+        raise StandardId::InvalidGrantError, "Invalid username or password" if @account.blank?
+
+        validate_requested_scope!
+      end
+
+      private
+
+      def subject_id
+        @account.id
+      end
+
+      def client_id
+        params[:client_id]
+      end
+
+      def token_scope
+        params[:scope] || default_scope
+      end
+
+      def grant_type
+        "password"
+      end
+
+      def audience
+        params[:audience]
+      end
+
+      def supports_refresh_token?
+        true
+      end
+
+      def token_expiry
+        8.hours # Longer expiry for user sessions
+      end
+
+      def authenticate_account(username, password)
+        StandardId::PasswordCredential
+          .includes(credential: :account)
+          .find_by(login: username)
+          &.authenticate(password)
+          &.account
+      end
+
+      def validate_requested_scope!
+        return unless params[:scope].present?
+
+        scope_tokens = params[:scope].split(/\s+/)
+        invalid_tokens = scope_tokens.reject { |token| token.match?(/\A[a-zA-Z0-9_:-]+\z/) }
+
+        if invalid_tokens.any?
+          raise StandardId::InvalidScopeError, "Invalid scope tokens: #{invalid_tokens.join(', ')}"
+        end
+      end
+
+      def default_scope
+        "read"
+      end
+    end
+  end
+end

data/lib/standard_id/oauth/passwordless_otp_flow.rb

@@ -0,0 +1,87 @@
+module StandardId
+  module Oauth
+    class PasswordlessOtpFlow < TokenGrantFlow
+      expect_params :username, :otp, :connection, :client_id
+      permit_params :client_secret, :audience, :scope
+
+      def authenticate!
+        validate_client_secret!(params[:client_id], params[:client_secret]) if params[:client_secret].present?
+
+        raise StandardId::InvalidGrantError, "Invalid or expired verification code" if passwordless_challenge.blank?
+        raise StandardId::InvalidGrantError, "Unable to authenticate user" if account.blank?
+
+        validate_requested_scope!
+
+        passwordless_challenge.use!
+      end
+
+      private
+
+      def subject_id
+        account.id
+      end
+
+      def client_id
+        params[:client_id]
+      end
+
+      def token_scope
+        params[:scope] || default_scope
+      end
+
+      def grant_type
+        "passwordless_otp"
+      end
+
+      def audience
+        params[:audience]
+      end
+
+      def supports_refresh_token?
+        true
+      end
+
+      def token_expiry
+        1.hour
+      end
+
+      def passwordless_challenge
+        @passwordless_challenge ||= StandardId::PasswordlessChallenge.active.find_by(
+          connection_type: params[:connection],
+          username: params[:username],
+          code: params[:otp]
+        )
+      end
+
+      def account
+        @account ||= strategy_for(params[:connection]).find_or_create_account(params[:username])
+      end
+
+      def strategy_for(connection)
+        case connection
+        when "email"
+          StandardId::Passwordless::EmailStrategy.new(request)
+        when "sms"
+          StandardId::Passwordless::SmsStrategy.new(request)
+        else
+          raise StandardId::InvalidRequestError, "Unsupported connection type: #{connection}"
+        end
+      end
+
+      def validate_requested_scope!
+        return unless params[:scope].present?
+
+        scope_tokens = params[:scope].split(/\s+/)
+        invalid_tokens = scope_tokens.reject { |token| token.match?(/\A[a-zA-Z0-9_:-]+\z/) }
+
+        if invalid_tokens.any?
+          raise StandardId::InvalidScopeError, "Invalid scope tokens: #{invalid_tokens.join(", ")}"
+        end
+      end
+
+      def default_scope
+        "read"
+      end
+    end
+  end
+end

data/lib/standard_id/oauth/refresh_token_flow.rb

@@ -0,0 +1,61 @@
+module StandardId
+  module Oauth
+    class RefreshTokenFlow < TokenGrantFlow
+      expect_params :refresh_token, :client_id
+      permit_params :client_secret, :scope, :audience
+
+      def authenticate!
+        validate_client_secret!(params[:client_id], params[:client_secret]) if params[:client_secret].present?
+
+        @refresh_payload = StandardId::JwtService.decode(params[:refresh_token])
+        raise StandardId::InvalidGrantError, "Invalid or expired refresh_token" if @refresh_payload.blank?
+
+        if @refresh_payload[:client_id] != params[:client_id]
+          raise StandardId::InvalidGrantError, "Refresh token was not issued to this client"
+        end
+
+        validate_scope_narrowing!
+      end
+
+      private
+
+      def subject_id
+        @refresh_payload[:sub]
+      end
+
+      def client_id
+        @refresh_payload[:client_id]
+      end
+
+      def token_scope
+        requested = params[:scope].presence
+        return requested if requested.present?
+        @refresh_payload[:scope]
+      end
+
+      def grant_type
+        "refresh_token"
+      end
+
+      def supports_refresh_token?
+        true
+      end
+
+      def validate_scope_narrowing!
+        return unless params[:scope].present?
+
+        original_scopes = Array(@refresh_payload[:scope].to_s.split(/\s+/)).reject(&:blank?)
+        requested_scopes = Array(params[:scope].to_s.split(/\s+/)).reject(&:blank?)
+
+        unless (requested_scopes - original_scopes).empty?
+          raise StandardId::InvalidScopeError, "Requested scope exceeds originally granted scope"
+        end
+
+        invalid_tokens = requested_scopes.reject { |t| t.match?(/\A[a-zA-Z0-9_:-]+\z/) }
+        if invalid_tokens.any?
+          raise StandardId::InvalidScopeError, "Invalid scope tokens: #{invalid_tokens.join(', ')}"
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/oauth/subflows/base.rb

@@ -0,0 +1,19 @@
+module StandardId
+  module Oauth
+    module Subflows
+      class Base
+        def initialize(**params)
+          @params = params
+        end
+
+        def call
+          raise NotImplementedError, "Subclasses must implement #call"
+        end
+
+        private
+
+        attr_reader :params
+      end
+    end
+  end
+end

data/lib/standard_id/oauth/subflows/social_login_grant.rb

@@ -0,0 +1,66 @@
+module StandardId
+  module Oauth
+    module Subflows
+      class SocialLoginGrant < Base
+        def call
+          { redirect_to: social_provider_url, status: :found }
+        end
+
+        private
+
+        def social_provider_url
+          @social_provider_url ||= case params[:connection]
+          when "google-oauth2"
+            build_google_oauth_url
+          when "apple"
+            build_apple_oauth_url
+          else
+            raise StandardId::InvalidRequestError, "Unsupported connection: #{params[:connection]}"
+          end
+        end
+
+        def build_google_oauth_url
+          google_params = {
+            client_id: StandardId.config.google_client_id,
+            redirect_uri: "#{params[:base_url]}/api/oauth/callback/google",
+            response_type: "code",
+            scope: "openid email profile",
+            state: encode_state_with_original_params
+          }
+
+          "https://accounts.google.com/o/oauth2/v2/auth?" + URI.encode_www_form(google_params)
+        end
+
+        def build_apple_oauth_url
+          apple_params = {
+            client_id: StandardId.config.apple_client_id,
+            redirect_uri: "#{params[:base_url]}/api/oauth/callback/apple",
+            response_type: "code",
+            scope: "name email",
+            response_mode: "form_post",
+            state: encode_state_with_original_params
+          }
+
+          "https://appleid.apple.com/auth/authorize?" + URI.encode_www_form(apple_params)
+        end
+
+        def encode_state_with_original_params
+          original_params = {
+            client_id: params[:client_id],
+            redirect_uri: params[:redirect_uri],
+            scope: params[:scope],
+            audience: params[:audience],
+            state: params[:state],
+            code_challenge: params[:code_challenge],
+            code_challenge_method: params[:code_challenge_method]
+          }.compact
+
+          # Remove code_challenge_method if code_challenge is not present
+          original_params.delete(:code_challenge_method) if original_params[:code_challenge].blank?
+
+          Base64.urlsafe_encode64(JSON.generate(original_params))
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/oauth/subflows/traditional_code_grant.rb

@@ -0,0 +1,52 @@
+module StandardId
+  module Oauth
+    module Subflows
+      class TraditionalCodeGrant < Base
+        def call
+          store_authorization_code
+
+          redirect_params = {
+            code: authorization_code,
+            state: params[:state]
+          }.compact
+
+          redirect_url = build_redirect_uri(params[:redirect_uri], redirect_params)
+
+          { redirect_to: redirect_url, status: :found }
+        end
+
+        private
+
+        def authorization_code
+          @authorization_code ||= SecureRandom.urlsafe_base64(32)
+        end
+
+        def store_authorization_code
+          StandardId::AuthorizationCode.issue!(
+            plaintext_code: authorization_code,
+            client_id: params[:client_id],
+            redirect_uri: params[:redirect_uri],
+            scope: params[:scope],
+            audience: params[:audience],
+            account: params[:current_account],
+            code_challenge: params[:code_challenge],
+            code_challenge_method: params[:code_challenge_method],
+            metadata: { state: params[:state] }.compact
+          )
+        end
+
+        def build_redirect_uri(base_uri, params_hash)
+          uri = URI.parse(base_uri)
+          query_params = URI.decode_www_form(uri.query || "")
+
+          params_hash.each do |key, value|
+            query_params << [key.to_s, value.to_s] if value.present?
+          end
+
+          uri.query = URI.encode_www_form(query_params)
+          uri.to_s
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/oauth/token_grant_flow.rb

@@ -0,0 +1,107 @@
+module StandardId
+  module Oauth
+    class TokenGrantFlow < BaseRequestFlow
+      attr_reader :params, :request
+
+      def initialize(params, request, current_account: nil)
+        @params = params
+        @request = request
+        @current_account = current_account
+      end
+
+      class << self
+        def extra_permitted_keys
+          [:grant_type]
+        end
+      end
+
+      def execute
+        authenticate!
+        generate_token_response
+      end
+
+      private
+
+      def authenticate!
+        raise NotImplementedError, "Subclasses must implement authenticate!"
+      end
+
+      def validate_client_secret!(client_id, client_secret)
+        client_secret_credential = StandardId::ClientSecretCredential.active.find_by(client_id: client_id)
+        unless client_secret_credential&.authenticate_client_secret(client_secret)
+          raise StandardId::InvalidClientError, "Client authentication failed"
+        end
+        client_secret_credential
+      end
+
+      def generate_token_response
+        expires_in = token_expiry
+        payload = build_jwt_payload(expires_in)
+        access_token = StandardId::JwtService.encode(payload, expires_in: expires_in)
+
+        response = {
+          access_token: access_token,
+          token_type: "Bearer",
+          expires_in: expires_in.to_i
+        }
+
+        response[:scope] = token_scope if token_scope.present?
+        response[:refresh_token] = generate_refresh_token if supports_refresh_token?
+
+        response.compact
+      end
+
+      def build_jwt_payload(expires_in)
+        {
+          sub: subject_id,
+          client_id: client_id,
+          scope: token_scope,
+          grant_type: grant_type,
+          aud: audience
+        }.compact
+      end
+
+      def token_expiry
+        1.hour
+      end
+
+      def supports_refresh_token?
+        false
+      end
+
+      def generate_refresh_token
+        payload = {
+          sub: subject_id,
+          client_id: client_id,
+          scope: token_scope,
+          grant_type: "refresh_token"
+        }
+        StandardId::JwtService.encode(payload, expires_in: refresh_token_expiry)
+      end
+
+      def refresh_token_expiry
+        30.days
+      end
+
+      def subject_id
+        raise NotImplementedError
+      end
+
+      def client_id
+        raise NotImplementedError
+      end
+
+      def token_scope
+        raise NotImplementedError
+      end
+
+      def grant_type
+        raise NotImplementedError
+      end
+
+      def audience
+        params[:audience]
+      end
+    end
+  end
+end

data/lib/standard_id/passwordless/base_strategy.rb

@@ -0,0 +1,67 @@
+module StandardId
+  module Passwordless
+    class BaseStrategy
+      attr_reader :request
+
+      def initialize(request)
+        @request = request
+      end
+
+      def connection_type
+        raise NotImplementedError
+      end
+
+      # Start flow: validate recipient, create challenge, and trigger sender
+      # attrs: { connection:, username: }
+      def start!(attrs)
+        username = attrs[:username]
+        validate_username!(username)
+        challenge = create_challenge!(username)
+        sender_callback&.call(username, challenge.code)
+        challenge
+      end
+
+      protected
+
+      def create_challenge!(username)
+        StandardId::PasswordlessChallenge.create!(
+          connection_type: connection_type,
+          username: username,
+          code: generate_otp_code,
+          expires_at: 10.minutes.from_now,
+          ip_address: request.remote_ip,
+          user_agent: request.user_agent
+        )
+      end
+
+      def generate_otp_code
+        (SecureRandom.random_number(900_000) + 100_000).to_s
+      end
+
+      def validate_username!(_username)
+        raise NotImplementedError
+      end
+
+      def find_or_create_account!(_username)
+        raise NotImplementedError
+      end
+
+      public
+
+      # Public wrapper to reuse account lookup/creation outside OTP verification
+      def find_or_create_account(username)
+        validate_username!(username)
+        find_or_create_account!(username)
+      end
+
+      def identifier_class
+        raise NotImplementedError
+      end
+
+      def sender_callback
+        # Implement in subclasses
+        nil
+      end
+    end
+  end
+end

data/lib/standard_id/passwordless/email_strategy.rb

@@ -0,0 +1,27 @@
+module StandardId
+  module Passwordless
+    class EmailStrategy < BaseStrategy
+      def connection_type
+        "email"
+      end
+
+      private
+
+      def validate_username!(email)
+        raise StandardId::InvalidRequestError, "Invalid email format" unless email.to_s.match?(/\A[^@\s]+@[^@\s]+\z/)
+      end
+
+      def find_or_create_account!(email)
+        identifier = StandardId::EmailIdentifier.includes(:account).find_by(value: email)
+        return identifier.account if identifier.present?
+
+        identifiers_attributes = [{ type: "StandardId::EmailIdentifier", value: email, verified_at: Time.current }]
+        Account.create!(identifiers_attributes:)
+      end
+
+      def sender_callback
+        StandardId.config.passwordless_email_sender
+      end
+    end
+  end
+end

data/lib/standard_id/passwordless/sms_strategy.rb

@@ -0,0 +1,29 @@
+module StandardId
+  module Passwordless
+    class SmsStrategy < BaseStrategy
+      def connection_type
+        "sms"
+      end
+
+      private
+
+      def validate_username!(phone_number)
+        unless phone_number.to_s.match?(/\A\+?[1-9]\d{1,14}\z/)
+          raise StandardId::InvalidRequestError, "Invalid phone number format"
+        end
+      end
+
+      def find_or_create_account!(phone_number)
+        identifier = StandardId::PhoneNumberIdentifier.includes(:account).find_by(value: phone_number)
+        return identifier.account if identifier.present?
+
+        identifiers_attributes = [{ type: "StandardId::PhoneNumberIdentifier", value: phone_number, verified_at: Time.current }]
+        Account.create!(identifiers_attributes:)
+      end
+
+      def sender_callback
+        StandardId.config.passwordless_sms_sender
+      end
+    end
+  end
+end

data/lib/standard_id/version.rb

@@ -0,0 +1,3 @@
+module StandardId
+  VERSION = "0.1.0"
+end

data/lib/standard_id/web/authentication_guard.rb

@@ -0,0 +1,23 @@
+module StandardId
+  module Web
+    class AuthenticationGuard
+      def require_session!(session_manager, session:, request:)
+        session[:return_to_after_authenticating] = request.url
+
+        browser_session = session_manager.current_session
+
+        if browser_session.blank?
+          raise StandardId::NotAuthenticatedError
+        elsif browser_session.expired?
+          session_manager.clear_session!
+          raise StandardId::ExpiredSessionError
+        elsif browser_session.revoked?
+          session_manager.clear_session!
+          raise StandardId::RevokedSessionError
+        end
+
+        browser_session
+      end
+    end
+  end
+end