standard_id 0.1.1 → 0.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c7150dd77b059e80767d262bc8a8b507399491977208404f3bd2d04209f9f45d
-  data.tar.gz: e5157110e538a9e6cf625cee184fb423747235eac74c65821fb1b62ba0201452
+  metadata.gz: 70f439b35a454065b4a2e45dfedc85b7316b26b0140d6f005930fc909ac78efd
+  data.tar.gz: bbf731529fdb2c0cb979e6fecfa711e83daaa1fddfd111263d44618b38bd8fa4
 SHA512:
-  metadata.gz: 6c06a909ce1cca77763f8a9c23a01e2703a84c4b4b99435c5f63dc0a9f3ccf54c3f55c98ea9147b51a9b8ce538be6be57003a4f7c744f608c2a4fe40bf04df46
-  data.tar.gz: b6dc47dc00160c2487c8611b73c21330cd6cbec0865036e235628fb744151c4f946afd0db17f02fa0ca31f3df7261cf94adad09d8c9b2963ed32806dcaf19e63
+  metadata.gz: f1d1c0de85827c32f47680adad39da9457528b24376079c154aced6bd46fe40fbe72918df27a9290f54ef6df58e862b251dad7568d16d1abe5dd45c2b477bd45
+  data.tar.gz: 8d3a5b5c14e42b1850969b6268728ff47c0b78eb5e482f94b0ad4e2b752e98addc52267588adac384d82d01a207047b1e15b25bc9640c56282d5f67c0f297bd0

data/README.md

@@ -87,12 +87,12 @@ end
 ```ruby
 # For web controllers
 class ApplicationController < ActionController::Base
-  include StandardId::Web::WebAuthentication
+  include StandardId::WebAuthentication
 end
 
 # For API controllers
 class ApiController < ActionController::API
-  include StandardId::Api::ApiAuthentication
+  include StandardId::ApiAuthentication
 end
 ```
 
@@ -123,9 +123,37 @@ StandardId.configure do |config|
   # config.password.require_special_chars = true
   # config.passwordless.code_ttl = 600
   # config.oauth.default_token_lifetime = 3600
+  # config.oauth.refresh_token_lifetime = 2_592_000
+  # config.oauth.token_lifetimes = {
+  #   password: 8.hours.to_i,
+  #   implicit: 15.minutes.to_i
+  # }
 end
 ```
 
+`default_token_lifetime` is applied to every OAuth grant unless you override it in `oauth.token_lifetimes`. Keys map to OAuth grant types (for example `:password`, `:client_credentials`, `:refresh_token`) and should return durations in seconds. Non-token endpoint flows such as the implicit flow can be customized with their symbol key (e.g. `:implicit`). Refresh tokens can be tuned separately through `oauth.refresh_token_lifetime`.
+
+### Custom Token Claims
+
+You can add additional JWT claims for any token issued through the OAuth token endpoint by mapping scopes to claim names and providing callbacks to resolve each claim. Scopes listed in `oauth.scope_claims` are evaluated against the requested token scopes; when a scope matches, every claim listed for that scope is resolved via the callable defined in `oauth.claim_resolvers`.
+
+```ruby
+StandardId.configure do |config|
+  config.oauth.scope_claims = {
+    profile: %i[email display_name]
+  }
+
+  config.oauth.claim_resolvers = {
+    email: ->(account:) { account.email },
+    display_name: ->(account:, client:) {
+      "#{account.name} for #{client.client_id}"
+    }
+  }
+end
+```
+
+Resolvers receive keyword arguments with the context containing `client`, `account`, and `request`, so you can reference only what you need. This lets you, for example, pull organization info off the client application or decorate claims with account attributes.
+
 ### Social Login Setup
 
 ```ruby
@@ -274,7 +302,7 @@ StandardId creates the following tables:
 
 ```ruby
 # Create OAuth client
-client = StandardId::Client.create!(
+client = StandardId::ClientApplication.create!(
   owner: current_account,
   name: "My Application",
   redirect_uris: "https://app.com/callback",

data/app/controllers/concerns/standard_id/api_authentication.rb

@@ -14,6 +14,10 @@ module StandardId
       authentication_guard.require_session!(session_manager)
     end
 
+    def require_scopes!(*required_scopes)
+      authentication_guard.require_scopes!(session_manager, *required_scopes)
+    end
+
     def session_manager
       @session_manager ||= StandardId::Api::SessionManager.new(token_manager, request:)
     end

data/app/models/standard_id/client_application.rb

@@ -94,7 +94,8 @@ module StandardId
     def create_client_secret!(name: "Default Secret", **options)
       client_secret_credentials.create!({
         name: name,
-        client_id: client_id
+        client_id: client_id,
+        scopes: scopes
       }.merge(options))
     end
 

data/lib/generators/standard_id/install/templates/standard_id.rb

@@ -16,6 +16,20 @@ StandardId.configure do |c|
   # c.password.minimum_length = 8
   # c.password.require_special_chars = true
   # c.oauth.default_token_lifetime = 3600 # 1 hour
+  # c.oauth.refresh_token_lifetime = 2_592_000 # 30 days
+  # c.oauth.token_lifetimes = {
+  #   password: 8.hours,
+  #   client_credentials: 24.hours
+  # }
+  # c.oauth.scope_claims = {
+  #   profile: %i[email display_name]
+  # }
+  # c.oauth.claim_resolvers = {
+  #   email: ->(account:) { account.email },
+  #   display_name: ->(account:, client:) {
+  #     "#{account.name} for #{client.client_id}"
+  #   }
+  # }
 
   # Social login credentials (if enabled in your app)
   # c.social.google_client_id     = ENV["GOOGLE_CLIENT_ID"]

data/lib/standard_id/api/authentication_guard.rb

@@ -15,6 +15,42 @@ module StandardId
 
         api_session
       end
+
+      def require_scopes!(session_manager, *required_scopes)
+        api_session = require_session!(session_manager)
+
+        expected_scopes = normalize_scopes(required_scopes)
+        return api_session if expected_scopes.empty?
+
+        token_scopes = extract_session_scopes(api_session)
+        unless (token_scopes & expected_scopes).any?
+          raise StandardId::InvalidScopeError,
+            "Access token missing required scope. Requires one of: #{expected_scopes.join(', ')}"
+        end
+
+        api_session
+      end
+
+      private
+
+      def extract_session_scopes(api_session)
+        api_session&.scopes || []
+      end
+
+      def normalize_scopes(required_scopes)
+        return [] if required_scopes.nil?
+
+        case required_scopes
+        when String
+          [required_scopes]
+        when Symbol
+          [required_scopes.to_s]
+        when Array
+          required_scopes.flat_map { |value| normalize_scopes(value) }.uniq
+        else
+          raise ArgumentError, "Scopes must be provided as a String, Symbol, or Array"
+        end
+      end
     end
   end
 end

data/lib/standard_id/config/schema.rb

@@ -32,8 +32,11 @@ StandardConfig.schema.draw do
   scope :oauth do
     field :default_token_lifetime, type: :integer, default: 3600 # 1 hour in seconds
     field :refresh_token_lifetime, type: :integer, default: 2592000 # 30 days in seconds
+    field :token_lifetimes, type: :hash, default: -> { {} }
     field :client_id, type: :string, default: nil
     field :client_secret, type: :string, default: nil
+    field :scope_claims, type: :hash, default: -> { {} }
+    field :claim_resolvers, type: :hash, default: -> { {} }
   end
 
   scope :social do

data/lib/standard_id/jwt_service.rb

@@ -3,9 +3,14 @@ require "jwt"
 module StandardId
   class JwtService
     ALGORITHM = "HS256"
-    Session = Struct.new(:account_id, :client_id, :scopes, :grant_type, keyword_init: true) do
-      def active?
-        true
+    RESERVED_JWT_KEYS = %i[sub client_id scope grant_type exp iat aud iss nbf jti]
+    BASE_SESSION_FIELDS = %i[account_id client_id scopes grant_type]
+
+    def self.session_class
+      Struct.new(*(BASE_SESSION_FIELDS + claim_resolver_keys), keyword_init: true) do
+        def active?
+          true
+        end
       end
     end
 
@@ -33,11 +38,12 @@ module StandardId
         Array(payload[:scope]).compact
       end
 
-      Session.new(
+      session_class.new(
+        **payload.slice(*claim_resolver_keys),
         account_id: payload[:sub],
         client_id: payload[:client_id],
         scopes: scopes,
-        grant_type: payload[:grant_type]
+        grant_type: payload[:grant_type],
       )
     end
 
@@ -46,5 +52,13 @@ module StandardId
     def self.secret_key
       Rails.application.secret_key_base
     end
+
+    def self.claim_resolver_keys
+      resolvers = StandardId.config.oauth.claim_resolvers
+      keys = Hash.try_convert(resolvers)&.keys
+      keys.compact.map(&:to_sym).uniq.excluding(*RESERVED_JWT_KEYS)
+    rescue StandardError
+      []
+    end
   end
 end

data/lib/standard_id/oauth/authorization_code_flow.rb

@@ -48,6 +48,14 @@ module StandardId
       def find_authorization_code(code)
         StandardId::AuthorizationCode.lookup(code)
       end
+
+      def token_client
+        @credential&.client_application
+      end
+
+      def token_account
+        @authorization_code&.account
+      end
     end
   end
 end

data/lib/standard_id/oauth/client_credentials_flow.rb

@@ -11,7 +11,7 @@ module StandardId
       private
 
       def subject_id
-        @credential.account_id
+        @credential.client_id
       end
 
       def client_id
@@ -30,8 +30,12 @@ module StandardId
         params[:audience]
       end
 
-      def token_expiry
-        1.hour
+      def token_client
+        @credential&.client_application
+      end
+
+      def token_account
+        nil
       end
     end
   end

data/lib/standard_id/oauth/implicit_authorization_flow.rb

@@ -68,7 +68,7 @@ module StandardId
       end
 
       def token_expiry
-        1.hour
+        TokenLifetimeResolver.access_token_for(:implicit)
       end
 
       def subject_id

data/lib/standard_id/oauth/password_flow.rb

@@ -39,10 +39,6 @@ module StandardId
         true
       end
 
-      def token_expiry
-        8.hours # Longer expiry for user sessions
-      end
-
       def authenticate_account(username, password)
         StandardId::PasswordCredential
           .includes(credential: :account)
@@ -65,6 +61,10 @@ module StandardId
       def default_scope
         "read"
       end
+
+      def token_account
+        @account
+      end
     end
   end
 end

data/lib/standard_id/oauth/passwordless_otp_flow.rb

@@ -41,10 +41,6 @@ module StandardId
         true
       end
 
-      def token_expiry
-        1.hour
-      end
-
       def code_challenge
         @code_challenge ||= StandardId::CodeChallenge.active.find_by(
           realm: "authentication",
@@ -83,6 +79,10 @@ module StandardId
       def default_scope
         "read"
       end
+
+      def token_account
+        account
+      end
     end
   end
 end

data/lib/standard_id/oauth/token_grant_flow.rb

@@ -52,17 +52,19 @@ module StandardId
       end
 
       def build_jwt_payload(expires_in)
-        {
+        base_payload = {
           sub: subject_id,
           client_id: client_id,
           scope: token_scope,
           grant_type: grant_type,
           aud: audience
         }.compact
+
+        base_payload.merge(claims_from_scope_mapping)
       end
 
       def token_expiry
-        1.hour
+        TokenLifetimeResolver.access_token_for(token_lifetime_key)
       end
 
       def supports_refresh_token?
@@ -80,7 +82,11 @@ module StandardId
       end
 
       def refresh_token_expiry
-        30.days
+        TokenLifetimeResolver.refresh_token_lifetime
+      end
+
+      def token_lifetime_key
+        grant_type&.to_sym
       end
 
       def subject_id
@@ -102,6 +108,70 @@ module StandardId
       def audience
         params[:audience]
       end
+
+      def claims_from_scope_mapping
+        scope_claims = StandardId.config.oauth.scope_claims.with_indifferent_access
+        resolvers = StandardId.config.oauth.claim_resolvers.with_indifferent_access
+        return {} if scope_claims.empty? || resolvers.empty?
+
+        claims = {}
+        current_scopes.each do |scope|
+          Array(scope_claims[scope]).each do |claim_key|
+            next if claims.key?(claim_key)
+
+            value = resolve_claim_value(resolvers[claim_key])
+            claims[claim_key] = value unless value.nil?
+          end
+        end
+
+        claims.compact.symbolize_keys
+      end
+
+      def current_scopes
+        Array.wrap(token_scope)
+          .flat_map { |value| value.to_s.split(/\s+/) }
+          .reject(&:blank?)
+          .uniq
+      end
+
+      def token_account
+        return nil if subject_id.blank?
+
+        account_class = StandardId.account_class
+        return nil unless account_class.respond_to?(:find_by)
+
+        account_class.find_by(id: subject_id)
+      end
+
+      def token_client
+        StandardId::ClientApplication.find_by(client_id: client_id)
+      end
+
+      def claim_resolvers_context
+        @claim_resolvers_context ||= {
+          client: token_client,
+          account: token_account,
+          request: request
+        }
+      end
+
+      def callable_parameters(resolver)
+        parameters = if resolver.respond_to?(:parameters)
+          resolver.parameters
+        elsif resolver.respond_to?(:method) && resolver.respond_to?(:call)
+          resolver.method(:call).parameters
+        else
+          []
+        end
+
+        accepts_all = parameters.any? { |type, _| type == :keyrest }
+
+        accepts_all ?  claim_resolvers_context.keys : parameters.map { |_, name| name.to_sym }
+      end
+
+      def resolve_claim_value(resolver)
+        resolver&.call(**claim_resolvers_context.slice(*callable_parameters(resolver)))
+      end
     end
   end
 end

data/lib/standard_id/oauth/token_lifetime_resolver.rb

@@ -0,0 +1,50 @@
+module StandardId
+  module Oauth
+    class TokenLifetimeResolver
+      class << self
+        DEFAULT_ACCESS_TOKEN_LIFETIME = 1.hour.to_i
+        DEFAULT_REFRESH_TOKEN_LIFETIME = 30.days.to_i
+
+        def access_token_for(flow_key)
+          configured = lookup_token_lifetime(flow_key)
+          positive_seconds(configured, default_access_token_lifetime)
+        end
+
+        def refresh_token_lifetime
+          positive_seconds(oauth_config.refresh_token_lifetime, DEFAULT_REFRESH_TOKEN_LIFETIME)
+        end
+
+        private
+
+        def default_access_token_lifetime
+          positive_seconds(oauth_config.default_token_lifetime, DEFAULT_ACCESS_TOKEN_LIFETIME)
+        end
+
+        def lookup_token_lifetime(flow_key)
+          config = oauth_config
+          return nil unless config.respond_to?(:token_lifetimes)
+
+          lifetimes = config.token_lifetimes || {}
+          lifetimes[flow_key.to_sym] || lifetimes[flow_key.to_s] if flow_key
+        end
+
+        def positive_seconds(value, fallback_value)
+          normalized_value = case value
+          when ActiveSupport::Duration
+            value.to_i
+          when Numeric, String
+            value.to_i
+          else
+            0
+          end
+
+          (normalized_value.positive? ? normalized_value : fallback_value).seconds
+        end
+
+        def oauth_config
+          StandardId.config.oauth
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.1.1"
+  VERSION = "0.1.3"
 end

data/lib/standard_id.rb

@@ -12,6 +12,7 @@ require "standard_id/api/session_manager"
 require "standard_id/api/token_manager"
 require "standard_id/api/authentication_guard"
 require "standard_id/oauth/base_request_flow"
+require "standard_id/oauth/token_lifetime_resolver"
 require "standard_id/oauth/token_grant_flow"
 require "standard_id/oauth/client_credentials_flow"
 require "standard_id/oauth/authorization_code_flow"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.3
 platform: ruby
 authors:
 - Jaryl Sim
@@ -160,6 +160,7 @@ files:
 - lib/standard_id/oauth/subflows/social_login_grant.rb
 - lib/standard_id/oauth/subflows/traditional_code_grant.rb
 - lib/standard_id/oauth/token_grant_flow.rb
+- lib/standard_id/oauth/token_lifetime_resolver.rb
 - lib/standard_id/passwordless/base_strategy.rb
 - lib/standard_id/passwordless/email_strategy.rb
 - lib/standard_id/passwordless/sms_strategy.rb