standard_id 0.1.1 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c7150dd77b059e80767d262bc8a8b507399491977208404f3bd2d04209f9f45d
-  data.tar.gz: e5157110e538a9e6cf625cee184fb423747235eac74c65821fb1b62ba0201452
+  metadata.gz: d8da5350b060ff2f0494489d5cc6718cc08b2dbca835a9c28927e228b712e39d
+  data.tar.gz: 96ac14f364fd07b8d6750d31bd015b7bc2717d692206a203b3fe8161a6a1008f
 SHA512:
-  metadata.gz: 6c06a909ce1cca77763f8a9c23a01e2703a84c4b4b99435c5f63dc0a9f3ccf54c3f55c98ea9147b51a9b8ce538be6be57003a4f7c744f608c2a4fe40bf04df46
-  data.tar.gz: b6dc47dc00160c2487c8611b73c21330cd6cbec0865036e235628fb744151c4f946afd0db17f02fa0ca31f3df7261cf94adad09d8c9b2963ed32806dcaf19e63
+  metadata.gz: 195c91598a768df91279b0c6bda4d8b312f73a94d4c52c68b2864fd75453f2c474059c4f7d740e0d8c0b4086471ea193c9ded4bb7b492f3c098c950f941f6140
+  data.tar.gz: 80d64202a7b69456e241952b79f0a65ea9a88ed8b242ff31015e11854d141bd32ccbeaccc2f60ccddf78d188dbbec74e48f839c9181a2b4cdce01917001e4125

data/README.md

@@ -87,12 +87,12 @@ end
 ```ruby
 # For web controllers
 class ApplicationController < ActionController::Base
-  include StandardId::Web::WebAuthentication
+  include StandardId::WebAuthentication
 end
 
 # For API controllers
 class ApiController < ActionController::API
-  include StandardId::Api::ApiAuthentication
+  include StandardId::ApiAuthentication
 end
 ```
 
@@ -123,9 +123,16 @@ StandardId.configure do |config|
   # config.password.require_special_chars = true
   # config.passwordless.code_ttl = 600
   # config.oauth.default_token_lifetime = 3600
+  # config.oauth.refresh_token_lifetime = 2_592_000
+  # config.oauth.token_lifetimes = {
+  #   password: 8.hours.to_i,
+  #   implicit: 15.minutes.to_i
+  # }
 end
 ```
 
+`default_token_lifetime` is applied to every OAuth grant unless you override it in `oauth.token_lifetimes`. Keys map to OAuth grant types (for example `:password`, `:client_credentials`, `:refresh_token`) and should return durations in seconds. Non-token endpoint flows such as the implicit flow can be customized with their symbol key (e.g. `:implicit`). Refresh tokens can be tuned separately through `oauth.refresh_token_lifetime`.
+
 ### Social Login Setup
 
 ```ruby
@@ -274,7 +281,7 @@ StandardId creates the following tables:
 
 ```ruby
 # Create OAuth client
-client = StandardId::Client.create!(
+client = StandardId::ClientApplication.create!(
   owner: current_account,
   name: "My Application",
   redirect_uris: "https://app.com/callback",

data/app/models/standard_id/client_application.rb

@@ -94,7 +94,8 @@ module StandardId
     def create_client_secret!(name: "Default Secret", **options)
       client_secret_credentials.create!({
         name: name,
-        client_id: client_id
+        client_id: client_id,
+        scopes: scopes
       }.merge(options))
     end
 

data/lib/generators/standard_id/install/templates/standard_id.rb

@@ -16,6 +16,11 @@ StandardId.configure do |c|
   # c.password.minimum_length = 8
   # c.password.require_special_chars = true
   # c.oauth.default_token_lifetime = 3600 # 1 hour
+  # c.oauth.refresh_token_lifetime = 2_592_000 # 30 days
+  # c.oauth.token_lifetimes = {
+  #   password: 8.hours,
+  #   client_credentials: 24.hours
+  # }
 
   # Social login credentials (if enabled in your app)
   # c.social.google_client_id     = ENV["GOOGLE_CLIENT_ID"]

data/lib/standard_id/config/schema.rb

@@ -32,6 +32,7 @@ StandardConfig.schema.draw do
   scope :oauth do
     field :default_token_lifetime, type: :integer, default: 3600 # 1 hour in seconds
     field :refresh_token_lifetime, type: :integer, default: 2592000 # 30 days in seconds
+    field :token_lifetimes, type: :hash, default: -> { {} }
     field :client_id, type: :string, default: nil
     field :client_secret, type: :string, default: nil
   end

data/lib/standard_id/oauth/client_credentials_flow.rb

@@ -11,7 +11,7 @@ module StandardId
       private
 
       def subject_id
-        @credential.account_id
+        @credential.client_id
       end
 
       def client_id
@@ -29,10 +29,6 @@ module StandardId
       def audience
         params[:audience]
       end
-
-      def token_expiry
-        1.hour
-      end
     end
   end
 end

data/lib/standard_id/oauth/implicit_authorization_flow.rb

@@ -68,7 +68,7 @@ module StandardId
       end
 
       def token_expiry
-        1.hour
+        TokenLifetimeResolver.access_token_for(:implicit)
       end
 
       def subject_id

data/lib/standard_id/oauth/password_flow.rb

@@ -39,10 +39,6 @@ module StandardId
         true
       end
 
-      def token_expiry
-        8.hours # Longer expiry for user sessions
-      end
-
       def authenticate_account(username, password)
         StandardId::PasswordCredential
           .includes(credential: :account)

data/lib/standard_id/oauth/passwordless_otp_flow.rb

@@ -41,10 +41,6 @@ module StandardId
         true
       end
 
-      def token_expiry
-        1.hour
-      end
-
       def code_challenge
         @code_challenge ||= StandardId::CodeChallenge.active.find_by(
           realm: "authentication",

data/lib/standard_id/oauth/token_grant_flow.rb

@@ -62,7 +62,7 @@ module StandardId
       end
 
       def token_expiry
-        1.hour
+        TokenLifetimeResolver.access_token_for(token_lifetime_key)
       end
 
       def supports_refresh_token?
@@ -80,7 +80,11 @@ module StandardId
       end
 
       def refresh_token_expiry
-        30.days
+        TokenLifetimeResolver.refresh_token_lifetime
+      end
+
+      def token_lifetime_key
+        grant_type&.to_sym
       end
 
       def subject_id

data/lib/standard_id/oauth/token_lifetime_resolver.rb

@@ -0,0 +1,50 @@
+module StandardId
+  module Oauth
+    class TokenLifetimeResolver
+      class << self
+        DEFAULT_ACCESS_TOKEN_LIFETIME = 1.hour.to_i
+        DEFAULT_REFRESH_TOKEN_LIFETIME = 30.days.to_i
+
+        def access_token_for(flow_key)
+          configured = lookup_token_lifetime(flow_key)
+          positive_seconds(configured, default_access_token_lifetime)
+        end
+
+        def refresh_token_lifetime
+          positive_seconds(oauth_config.refresh_token_lifetime, DEFAULT_REFRESH_TOKEN_LIFETIME)
+        end
+
+        private
+
+        def default_access_token_lifetime
+          positive_seconds(oauth_config.default_token_lifetime, DEFAULT_ACCESS_TOKEN_LIFETIME)
+        end
+
+        def lookup_token_lifetime(flow_key)
+          config = oauth_config
+          return nil unless config.respond_to?(:token_lifetimes)
+
+          lifetimes = config.token_lifetimes || {}
+          lifetimes[flow_key.to_sym] || lifetimes[flow_key.to_s] if flow_key
+        end
+
+        def positive_seconds(value, fallback_value)
+          normalized_value = case value
+          when ActiveSupport::Duration
+            value.to_i
+          when Numeric, String
+            value.to_i
+          else
+            0
+          end
+
+          (normalized_value.positive? ? normalized_value : fallback_value).seconds
+        end
+
+        def oauth_config
+          StandardId.config.oauth
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.1.1"
+  VERSION = "0.1.2"
 end

data/lib/standard_id.rb

@@ -12,6 +12,7 @@ require "standard_id/api/session_manager"
 require "standard_id/api/token_manager"
 require "standard_id/api/authentication_guard"
 require "standard_id/oauth/base_request_flow"
+require "standard_id/oauth/token_lifetime_resolver"
 require "standard_id/oauth/token_grant_flow"
 require "standard_id/oauth/client_credentials_flow"
 require "standard_id/oauth/authorization_code_flow"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - Jaryl Sim
@@ -160,6 +160,7 @@ files:
 - lib/standard_id/oauth/subflows/social_login_grant.rb
 - lib/standard_id/oauth/subflows/traditional_code_grant.rb
 - lib/standard_id/oauth/token_grant_flow.rb
+- lib/standard_id/oauth/token_lifetime_resolver.rb
 - lib/standard_id/passwordless/base_strategy.rb
 - lib/standard_id/passwordless/email_strategy.rb
 - lib/standard_id/passwordless/sms_strategy.rb