standard_id 0.1.2 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d8da5350b060ff2f0494489d5cc6718cc08b2dbca835a9c28927e228b712e39d
-  data.tar.gz: 96ac14f364fd07b8d6750d31bd015b7bc2717d692206a203b3fe8161a6a1008f
+  metadata.gz: 69b5bf55ec553e3b3708be74454f71c489125cfbf940f08b72e0225f3999a785
+  data.tar.gz: '0908e70df1d46b755d5b00db7b2d1607e6982b10d04f07e47315063934dbe3a2'
 SHA512:
-  metadata.gz: 195c91598a768df91279b0c6bda4d8b312f73a94d4c52c68b2864fd75453f2c474059c4f7d740e0d8c0b4086471ea193c9ded4bb7b492f3c098c950f941f6140
-  data.tar.gz: 80d64202a7b69456e241952b79f0a65ea9a88ed8b242ff31015e11854d141bd32ccbeaccc2f60ccddf78d188dbbec74e48f839c9181a2b4cdce01917001e4125
+  metadata.gz: dc37d401a1ec647be6750b5ec05f23b633e752704c00e69e8e721230070c574ebf5c52b0f3d515808c4aa59c12172b815f2c6cb20ff0b7c38775e5d7e721ae6f
+  data.tar.gz: 1987f39eeb1b7fe3924de437ad6de02d05650a84964c3cbb20ac9733dec5a75c5d7a4a288ae543443cd34c16d8eefb00569d85a38679d4693531ff9ae9815418

data/README.md

@@ -133,6 +133,27 @@ end
 
 `default_token_lifetime` is applied to every OAuth grant unless you override it in `oauth.token_lifetimes`. Keys map to OAuth grant types (for example `:password`, `:client_credentials`, `:refresh_token`) and should return durations in seconds. Non-token endpoint flows such as the implicit flow can be customized with their symbol key (e.g. `:implicit`). Refresh tokens can be tuned separately through `oauth.refresh_token_lifetime`.
 
+### Custom Token Claims
+
+You can add additional JWT claims for any token issued through the OAuth token endpoint by mapping scopes to claim names and providing callbacks to resolve each claim. Scopes listed in `oauth.scope_claims` are evaluated against the requested token scopes; when a scope matches, every claim listed for that scope is resolved via the callable defined in `oauth.claim_resolvers`.
+
+```ruby
+StandardId.configure do |config|
+  config.oauth.scope_claims = {
+    profile: %i[email display_name]
+  }
+
+  config.oauth.claim_resolvers = {
+    email: ->(account:) { account.email },
+    display_name: ->(account:, client:) {
+      "#{account.name} for #{client.client_id}"
+    }
+  }
+end
+```
+
+Resolvers receive keyword arguments with the context containing `client`, `account`, and `request`, so you can reference only what you need. This lets you, for example, pull organization info off the client application or decorate claims with account attributes.
+
 ### Social Login Setup
 
 ```ruby
@@ -142,13 +163,35 @@ StandardId.configure do |config|
   config.social.google_client_secret = ENV["GOOGLE_CLIENT_SECRET"]
 
   # Apple Sign In
+  config.social.apple_mobile_client_id = ENV["APPLE_MOBILE_CLIENT_ID"]
   config.social.apple_client_id = ENV["APPLE_CLIENT_ID"]
   config.social.apple_private_key = ENV["APPLE_PRIVATE_KEY"]
   config.social.apple_key_id = ENV["APPLE_KEY_ID"]
   config.social.apple_team_id = ENV["APPLE_TEAM_ID"]
+  config.social.allowed_redirect_url_prefixes = ["sidekicklabs://"]
+
+  # Optional: adjust which attributes are persisted during social signup
+  config.social.social_account_attributes = ->(social_info:, provider:) {
+    {
+      email: social_info[:email],
+      name: social_info[:name] || social_info[:given_name]
+    }
+  }
+
+  # Optional: run a callback whenever a social login completes
+  config.social.social_callback = ->(social_info:, provider:, tokens:, account:) {
+    AuditLog.social_login(
+      provider: provider,
+      email: social_info[:email],
+      tokens: tokens,
+      account_id: account.id,
+    )
+  }
 end
 ```
 
+`social_info` is an indifferent-access hash containing at least `email`, `name`, and `provider_id`.
+
 ### Passwordless Authentication
 
 ```ruby
@@ -201,7 +244,7 @@ redirect_to "/api/authorize?" + {
   response_type: "code",
   client_id: "your_client_id",
   redirect_uri: "https://your-app.com/callback",
-  connection: "google-oauth2"
+  connection: "google"
 }.to_query
 
 # Apple login

data/app/controllers/concerns/standard_id/api_authentication.rb

@@ -14,6 +14,10 @@ module StandardId
       authentication_guard.require_session!(session_manager)
     end
 
+    def require_scopes!(*required_scopes)
+      authentication_guard.require_scopes!(session_manager, *required_scopes)
+    end
+
     def session_manager
       @session_manager ||= StandardId::Api::SessionManager.new(token_manager, request:)
     end

data/app/controllers/concerns/standard_id/social_authentication.rb

@@ -0,0 +1,105 @@
+module StandardId
+  module SocialAuthentication
+    extend ActiveSupport::Concern
+
+    private
+
+    def get_user_info_from_provider(connection, redirect_uri: nil, flow: :web)
+      case connection
+      when "google"
+        StandardId::SocialProviders::Google.get_user_info(
+          code: params[:code],
+          id_token: params[:id_token],
+          access_token: params[:access_token],
+          redirect_uri: redirect_uri
+        )
+      when "apple"
+        StandardId::SocialProviders::Apple.get_user_info(
+        code: params[:code],
+          id_token: params[:id_token],
+          redirect_uri: redirect_uri,
+          client_id: apple_client_id_for_flow(flow)
+        )
+      else
+        raise StandardId::InvalidRequestError, "Unsupported provider: #{connection}"
+      end
+    end
+
+    def apple_client_id_for_flow(flow)
+      flow == :web ? StandardId.config.apple_client_id : StandardId.config.apple_mobile_client_id
+    end
+
+    def find_or_create_account_from_social(raw_social_info, provider)
+      social_info = raw_social_info.to_h.with_indifferent_access
+      email = social_info[:email]
+      raise StandardId::InvalidRequestError, "No email provided by #{provider}" if email.blank?
+
+      identifier = StandardId::EmailIdentifier.find_by(value: email)
+
+      if identifier.present?
+        identifier.account
+      else
+        account = build_account_from_social(social_info, provider)
+        identifier = StandardId::EmailIdentifier.create!(
+          account: account,
+          value: email
+        )
+        identifier.verify! if identifier.respond_to?(:verify!)
+        account
+      end
+    end
+
+    def build_account_from_social(social_info, provider)
+      attrs = resolve_account_attributes(social_info, provider)
+      StandardId.account_class.create!(attrs)
+    end
+
+    def resolve_account_attributes(social_info, provider)
+      resolver = StandardId.config.social_account_attributes
+      attrs = if resolver.respond_to?(:call)
+                resolver.call(social_info: social_info, provider: provider)
+      else
+                {
+                  email: social_info[:email],
+                  name: social_info[:name].presence || social_info[:given_name].presence || social_info[:email]
+                }
+      end
+
+      unless attrs.is_a?(Hash)
+        raise StandardId::InvalidRequestError, "Social account attribute resolver must return a hash"
+      end
+
+      attrs.symbolize_keys
+    end
+
+    def allow_other_host_redirect?(redirect_uri)
+      return false if redirect_uri.blank?
+
+      allowed = Array(StandardId.config.allowed_redirect_url_prefixes)
+      return false if allowed.blank?
+
+      allowed.any? do |entry|
+        case entry
+        when Regexp
+          entry.match?(redirect_uri)
+        else
+          redirect_uri.start_with?(entry.to_s)
+        end
+      end
+    end
+
+    def run_social_callback(provider:, social_info:, provider_tokens:, account:)
+      callback = StandardId.config.social_callback
+
+      payload = {
+        provider: provider,
+        social_info: social_info,
+        tokens: provider_tokens.presence,
+        account: account
+      }
+
+      filtered_payload = StandardId::Utils::CallableParameterFilter.filter(callback, payload)
+      callback.call(**filtered_payload.symbolize_keys)
+    end
+  end
+end

data/app/controllers/standard_id/api/oauth/callback/providers_controller.rb

@@ -0,0 +1,68 @@
+module StandardId
+  module Api::Oauth
+    module Callback
+      class ProvidersController < BaseController
+        include StandardId::SocialAuthentication
+
+        skip_before_action :validate_content_type!
+
+        def google
+          expect_and_permit!([], [:id_token, :code])
+          handle_social_callback("google")
+        end
+
+        def apple
+          expect_and_permit!([], [:id_token, :code, :state, :flow])
+          handle_social_callback("apple")
+        end
+
+        private
+
+        def handle_social_callback(connection)
+          original_params = decode_state_params
+          flow = resolve_flow_for(connection)
+          provider_response = get_user_info_from_provider(connection, flow: flow)
+          social_info = provider_response[:user_info]
+          provider_tokens = provider_response[:tokens]
+          account = find_or_create_account_from_social(social_info, connection)
+
+          flow = StandardId::Oauth::SocialFlow.new(
+            params,
+            request,
+            account: account,
+            connection: connection,
+            original_params: original_params
+          )
+
+          token_response = flow.execute
+          run_social_callback(
+            provider: connection,
+            social_info: social_info,
+            provider_tokens: provider_tokens,
+            account: account,
+          )
+          render json: token_response, status: :ok
+        end
+
+        def decode_state_params
+          encoded_state = params[:state]
+
+          return {} if encoded_state.blank?
+
+          begin
+            JSON.parse(Base64.urlsafe_decode64(encoded_state))
+          rescue JSON::ParserError, ArgumentError
+            raise StandardId::InvalidRequestError, "Invalid state parameter"
+          end
+        end
+
+        def resolve_flow_for(connection)
+          return :mobile unless connection == "apple"
+
+          flow_param = params[:flow].to_s.downcase
+          flow_param == "web" ? :web : :mobile
+        end
+      end
+    end
+  end
+end

data/app/controllers/standard_id/web/auth/callback/providers_controller.rb

@@ -4,107 +4,88 @@ module StandardId
       module Callback
         class ProvidersController < StandardId::Web::BaseController
           include StandardId::WebAuthentication
+          include StandardId::SocialAuthentication
 
           # Social callbacks must be accessible without an existing browser session
           # because they create/sign-in the session upon successful callback.
-          skip_before_action :require_browser_session!, only: [:google, :apple]
+          skip_before_action :require_browser_session!, only: [:google, :apple, :apple_mobile]
+          skip_before_action :verify_authenticity_token, only: [:apple, :apple_mobile]
 
           def google
-            handle_social_callback("google-oauth2")
+            handle_social_callback("google")
           end
 
           def apple
             handle_social_callback("apple")
           end
 
-          private
+          def apple_mobile
+            state_data = decode_state_params
+            destination = state_data["redirect_uri"]
+
+            unless allow_other_host_redirect?(destination)
+              raise StandardId::InvalidRequestError, "Redirect URI is not allowed"
+            end
 
-          def handle_social_callback(provider)
-            # This handles the callback from social providers in web context
-            # After successful social auth, we need to:
-            # 1. Extract user info from the callback
-            # 2. Create/find account
-            # 3. Sign in the user with web session
-            # 4. Redirect to original destination
+            relay_params = mobile_relay_params
+            @mobile_redirect_url = build_mobile_redirect(destination, relay_params)
+            render :apple_mobile, layout: false
+          rescue StandardId::InvalidRequestError => e
+            render plain: e.message, status: :unprocessable_entity
+          end
 
+          private
+
+          def handle_social_callback(connection)
             if params[:error].present?
               handle_callback_error
               return
             end
 
+            state_data = nil
+
             begin
-              user_info = extract_user_info(provider)
-              account = find_or_create_account_from_social(user_info, provider)
+              state_data = decode_state_params
+              redirect_uri = connection == "apple" ? apple_callback_url : google_callback_url
+              provider_response = get_user_info_from_provider(connection, redirect_uri: redirect_uri)
+              social_info = provider_response[:user_info]
+              provider_tokens = provider_response[:tokens]
+              account = find_or_create_account_from_social(social_info, connection)
               session_manager.sign_in_account(account)
 
-              redirect_to decode_redirect_uri, notice: "Successfully signed in with #{provider.humanize}"
-            rescue StandardId::OAuthError => e
-              redirect_to login_path, alert: "Authentication failed: #{e.message}"
-            end
-          end
+              run_social_callback(
+                provider: connection,
+                social_info: social_info,
+                provider_tokens: provider_tokens,
+                account: account,
+              )
 
-          def extract_user_info(provider)
-            case provider
-            when "google-oauth2"
-              extract_google_user_info
-            when "apple"
-              extract_apple_user_info
-            else
-              raise StandardId::InvalidRequestError, "Unsupported connection/provider: #{provider}"
+              destination = state_data["redirect_uri"]
+              redirect_options = { notice: "Successfully signed in with #{connection.humanize}" }
+              redirect_options[:allow_other_host] = true if allow_other_host_redirect?(destination)
+              redirect_to destination, redirect_options
+            rescue StandardId::OAuthError => e
+              redirect_to StandardId::WebEngine.routes.url_helpers.login_path(redirect_uri: state_data&.dig("redirect_uri")), alert: "Authentication failed: #{e.message}"
             end
           end
 
-          def extract_google_user_info
-            # Exchange code for Google user info
-            # This would integrate with Google OAuth API
-            {
-              email: params[:email] || "user@example.com", # Placeholder
-              name: params[:name] || "Google User",
-              provider: "google-oauth2",
-              provider_id: params[:sub] || "google_123"
-            }
+          def google_callback_url
+            auth_callback_google_url
           end
 
-          def extract_apple_user_info
-            # Extract user info from Apple Sign In callback
-            # This would decode the Apple ID token
-            {
-              email: params[:email] || "user@privaterelay.appleid.com", # Placeholder
-              name: params[:name] || "Apple User",
-              provider: "apple",
-              provider_id: params[:sub] || "apple_123"
-            }
+          def apple_callback_url
+            auth_callback_apple_url
           end
 
-          def find_or_create_account_from_social(user_info, provider)
-            # Find existing account by email or create new one
-            identifier = StandardId::EmailIdentifier.find_by(value: user_info[:email])
+          def decode_state_params
+            encoded_state = params[:state]
+            raise StandardId::InvalidRequestError, "Missing state parameter" if encoded_state.blank?
 
-            if identifier
-              identifier.account
-            else
-              # Create new account with social login
-              account = ::Account.create!(
-                email: user_info[:email],
-                name: user_info[:name].presence || "User"
-              )
-              StandardId::EmailIdentifier.create!(
-                account: account,
-                value: user_info[:email]
-              )
-              account
-            end
-          end
-
-          def decode_redirect_uri
-            return "/" unless params[:state].present?
-
-            begin
-              state_data = JSON.parse(Base64.urlsafe_decode64(params[:state]))
-              state_data["redirect_uri"] || "/"
-            rescue JSON::ParserError, ArgumentError
-              "/"
-            end
+            state = JSON.parse(Base64.urlsafe_decode64(encoded_state))
+            state["redirect_uri"] ||= after_authentication_url
+            state
+          rescue JSON::ParserError, ArgumentError
+            raise StandardId::InvalidRequestError, "Invalid state parameter"
           end
 
           def handle_callback_error
@@ -117,7 +98,21 @@ module StandardId
                             "Authentication failed"
             end
 
-            redirect_to login_path, alert: error_message
+            redirect_to StandardId::WebEngine.routes.url_helpers.login_path, alert: error_message
+          end
+
+          def mobile_relay_params
+            params.permit(:code, :state, :user, :userIdentifier, :id_token, :identity_token, :nonce).to_h.compact
+          end
+
+          def build_mobile_redirect(destination, extra_params)
+            uri = URI.parse(destination)
+            existing = Rack::Utils.parse_nested_query(uri.query)
+            merged = existing.merge(extra_params)
+            uri.query = merged.to_query.presence
+            uri.to_s
+          rescue URI::InvalidURIError
+            destination
           end
         end
       end

data/app/controllers/standard_id/web/login_controller.rb

@@ -33,32 +33,35 @@ module StandardId
       end
 
       def social_login_url
-        uri = URI.parse("/api/authorize")
-        query = {
-          response_type: "code",
-          client_id: StandardId.config.default_client_id,
-          redirect_uri: callback_url,
-          connection: params[:connection],
-          state: encode_state
-        }.to_query
-        uri.query = query
-        uri.to_s
-      end
-
-      def callback_url
         case params[:connection]
-        when "google-oauth2"
-          auth_callback_google_path
+        when "google"
+          google_authorization_url
         when "apple"
-          auth_callback_apple_path
+          apple_authorization_url
+        else
+          raise StandardId::InvalidRequestError, "Unsupported social connection: #{connection}"
         end
       end
 
+      def google_authorization_url
+        StandardId::SocialProviders::Google.authorization_url(
+          state: encode_state,
+          redirect_uri: auth_callback_google_url
+        )
+      end
+
+      def apple_authorization_url
+        StandardId::SocialProviders::Apple.authorization_url(
+          state: encode_state,
+          redirect_uri: auth_callback_apple_url
+        )
+      end
+
       def encode_state
         Base64.urlsafe_encode64({
           redirect_uri: params[:redirect_uri] || after_authentication_url,
           timestamp: Time.current.to_i
-        }.to_json)
+        }.compact.to_json)
       end
 
       def login_params

data/app/controllers/standard_id/web/signup_controller.rb

@@ -56,7 +56,7 @@ module StandardId
 
       def callback_url
         case params[:connection]
-        when "google-oauth2"
+        when "google"
           auth_callback_google_url
         when "apple"
           auth_callback_apple_url

data/app/views/standard_id/web/auth/callback/providers/apple_mobile.html.erb

@@ -0,0 +1,50 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <title>Continuing Sign in with Apple…</title>
+    <style>
+      body {
+        font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+        margin: 0;
+        padding: 2rem;
+        text-align: center;
+        color: #111;
+        background: #f8f8f8;
+      }
+
+      .card {
+        margin: 0 auto;
+        max-width: 420px;
+        padding: 2rem;
+        background: #fff;
+        border-radius: 12px;
+        box-shadow: 0 10px 30px rgba(0, 0, 0, 0.08);
+      }
+
+      h1 {
+        font-size: 1.3rem;
+        margin-bottom: 0.5rem;
+      }
+
+      p {
+        margin: 0;
+        color: #555;
+      }
+    </style>
+    <script>
+      document.addEventListener("DOMContentLoaded", function () {
+        var target = "<%= j @mobile_redirect_url %>";
+        if (target) {
+          window.location.replace(target);
+        }
+      });
+    </script>
+  </head>
+  <body>
+    <div class="card">
+      <h1>Returning to your app…</h1>
+      <p>You can close this window if it doesn't redirect automatically.</p>
+    </div>
+  </body>
+</html>

data/app/views/standard_id/web/login/show.html.erb

@@ -68,8 +68,8 @@
 
           <div class="mt-6 grid grid-cols-2 gap-4">
             <% if StandardId.config.google_client_id.present? %>
-              <%= form_with url: login_path, method: :post, local: true do |form| %>
-                <%= form.hidden_field :connection, value: "google-oauth2" %>
+              <%= form_with url: login_path, method: :post, local: true, data: { turbo: false } do |form| %>
+                <%= form.hidden_field :connection, value: "google" %>
                 <%= form.hidden_field :redirect_uri, value: @redirect_uri %>
                 <button type="submit" class="flex w-full items-center justify-center gap-3 rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:ring-transparent dark:bg-white/10 dark:text-white dark:shadow-none dark:ring-white/5 dark:hover:bg-white/20">
                   <svg viewBox="0 0 24 24" aria-hidden="true" class="h-5 w-5">
@@ -84,7 +84,7 @@
             <% end %>
 
             <% if StandardId.config.apple_client_id.present? %>
-              <%= form_with url: login_path, method: :post, local: true do |form| %>
+              <%= form_with url: login_path, method: :post, local: true, data: { turbo: false } do |form| %>
                 <%= form.hidden_field :connection, value: "apple" %>
                 <%= form.hidden_field :redirect_uri, value: @redirect_uri %>
                 <button type="submit" class="flex w-full items-center justify-center gap-3 rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:ring-transparent dark:bg-white/10 dark:text-white dark:shadow-none dark:ring-white/5 dark:hover:bg-white/20">

data/app/views/standard_id/web/signup/show.html.erb

@@ -57,7 +57,7 @@
           <div class="mt-6 grid grid-cols-2 gap-4">
             <% if StandardId.config.google_client_id.present? %>
               <%= form_with url: signup_path, method: :post, local: true do |form| %>
-                <%= form.hidden_field :connection, value: "google-oauth2" %>
+                <%= form.hidden_field :connection, value: "google" %>
                 <%= form.hidden_field :redirect_uri, value: @redirect_uri %>
                 <button type="submit" class="flex w-full items-center justify-center gap-3 rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:ring-transparent dark:bg-white/10 dark:text-white dark:shadow-none dark:ring-white/5 dark:hover:bg-white/20">
                   <svg viewBox="0 0 24 24" aria-hidden="true" class="h-5 w-5">

data/config/routes/api.rb

@@ -16,7 +16,7 @@ StandardId::ApiEngine.routes.draw do
       resource :token, only: [:create]
 
       namespace :callback do
-        get :google, to: "providers#google"
+        post :google, to: "providers#google"
         post :apple, to: "providers#apple"
       end
     end

data/config/routes/web.rb

@@ -10,6 +10,7 @@ StandardId::WebEngine.routes.draw do
       namespace :callback do
         get :google, to: "providers#google"
         post :apple, to: "providers#apple"
+        post :apple_mobile, to: "providers#apple_mobile"
       end
     end
 

data/lib/generators/standard_id/install/templates/standard_id.rb

@@ -20,15 +20,41 @@ StandardId.configure do |c|
   # c.oauth.token_lifetimes = {
   #   password: 8.hours,
   #   client_credentials: 24.hours
+  #   social: 24.hours
+  # }
+  # c.oauth.scope_claims = {
+  #   profile: %i[email display_name]
+  # }
+  # c.oauth.claim_resolvers = {
+  #   email: ->(account:) { account.email },
+  #   display_name: ->(account:, client:) {
+  #     "#{account.name} for #{client.client_id}"
+  #   }
   # }
 
   # Social login credentials (if enabled in your app)
   # c.social.google_client_id     = ENV["GOOGLE_CLIENT_ID"]
   # c.social.google_client_secret = ENV["GOOGLE_CLIENT_SECRET"]
+  # c.social.apple_mobile_client_id = ENV["APPLE_MOBILE_CLIENT_ID"]
   # c.social.apple_client_id      = ENV["APPLE_CLIENT_ID"]
   # c.social.apple_private_key    = ENV["APPLE_PRIVATE_KEY"]
   # c.social.apple_key_id         = ENV["APPLE_KEY_ID"]
   # c.social.apple_team_id        = ENV["APPLE_TEAM_ID"]
+  # c.social.allowed_redirect_url_prefixes = ["sidekicklabs://"]
+  # c.social.social_account_attributes = ->(social_info:, provider:) {
+  #   {
+  #     email: social_info[:email],
+  #     name: social_info[:name] || social_info[:given_name]
+  #   }
+  # }
+  # c.social.social_callback = ->(social_info:, provider:, tokens:, account:) {
+  #   Analytics.track_social_login(
+  #     provider: provider,
+  #     email: social_info[:email],
+  #     tokens: tokens,
+  #     account_id: account.id
+  #   )
+  # }
 
   # OIDC Logout allow list
   # c.allowed_post_logout_redirect_uris = [