standard_id 0.1.2 → 0.1.4

data/lib/standard_config/config.rb

@@ -23,9 +23,10 @@ module StandardConfig
     # If set, Authorization endpoints can redirect to this path with a redirect_uri param
     attr_accessor :login_url
 
-    # Social login provider credentials
+    # Social login provider credentials and hooks
     attr_accessor :google_client_id, :google_client_secret
     attr_accessor :apple_client_id, :apple_client_secret, :apple_private_key, :apple_key_id, :apple_team_id
+    attr_accessor :social_account_attributes, :social_callback
 
     # Passwordless authentication callbacks
     # These should be callable objects (procs/lambdas) that accept (recipient, code) parameters
@@ -54,6 +55,8 @@ module StandardConfig
       @apple_private_key = nil
       @apple_key_id = nil
       @apple_team_id = nil
+      @social_account_attributes = nil
+      @social_callback = nil
       @passwordless_email_sender = nil
       @passwordless_sms_sender = nil
       @allowed_post_logout_redirect_uris = []

data/lib/standard_id/api/authentication_guard.rb

@@ -15,6 +15,42 @@ module StandardId
 
         api_session
       end
+
+      def require_scopes!(session_manager, *required_scopes)
+        api_session = require_session!(session_manager)
+
+        expected_scopes = normalize_scopes(required_scopes)
+        return api_session if expected_scopes.empty?
+
+        token_scopes = extract_session_scopes(api_session)
+        unless (token_scopes & expected_scopes).any?
+          raise StandardId::InvalidScopeError,
+            "Access token missing required scope. Requires one of: #{expected_scopes.join(', ')}"
+        end
+
+        api_session
+      end
+
+      private
+
+      def extract_session_scopes(api_session)
+        api_session&.scopes || []
+      end
+
+      def normalize_scopes(required_scopes)
+        return [] if required_scopes.nil?
+
+        case required_scopes
+        when String
+          [required_scopes]
+        when Symbol
+          [required_scopes.to_s]
+        when Array
+          required_scopes.flat_map { |value| normalize_scopes(value) }.uniq
+        else
+          raise ArgumentError, "Scopes must be provided as a String, Symbol, or Array"
+        end
+      end
     end
   end
 end

data/lib/standard_id/config/schema.rb

@@ -35,6 +35,8 @@ StandardConfig.schema.draw do
     field :token_lifetimes, type: :hash, default: -> { {} }
     field :client_id, type: :string, default: nil
     field :client_secret, type: :string, default: nil
+    field :scope_claims, type: :hash, default: -> { {} }
+    field :claim_resolvers, type: :hash, default: -> { {} }
   end
 
   scope :social do
@@ -45,5 +47,9 @@ StandardConfig.schema.draw do
     field :apple_private_key, type: :string, default: nil
     field :apple_key_id, type: :string, default: nil
     field :apple_team_id, type: :string, default: nil
+    field :apple_mobile_client_id, type: :string, default: nil
+    field :social_account_attributes, type: :any, default: nil
+    field :allowed_redirect_url_prefixes, type: :array, default: []
+    field :social_callback, type: :any, default: nil
   end
 end

data/lib/standard_id/http_client.rb

@@ -0,0 +1,22 @@
+require "net/http"
+require "uri"
+
+module StandardId
+  class HttpClient
+    class << self
+      def post_form(endpoint, params)
+        uri = URI(endpoint)
+        Net::HTTP.post_form(uri, params)
+      end
+
+      def get_with_bearer(endpoint, access_token)
+        uri = URI(endpoint)
+        request = Net::HTTP::Get.new(uri)
+        request["Authorization"] = "Bearer #{access_token}"
+        Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
+          http.request(request)
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/jwt_service.rb

@@ -3,9 +3,14 @@ require "jwt"
 module StandardId
   class JwtService
     ALGORITHM = "HS256"
-    Session = Struct.new(:account_id, :client_id, :scopes, :grant_type, keyword_init: true) do
-      def active?
-        true
+    RESERVED_JWT_KEYS = %i[sub client_id scope grant_type exp iat aud iss nbf jti]
+    BASE_SESSION_FIELDS = %i[account_id client_id scopes grant_type]
+
+    def self.session_class
+      Struct.new(*(BASE_SESSION_FIELDS + claim_resolver_keys), keyword_init: true) do
+        def active?
+          true
+        end
       end
     end
 
@@ -33,11 +38,12 @@ module StandardId
         Array(payload[:scope]).compact
       end
 
-      Session.new(
+      session_class.new(
+        **payload.slice(*claim_resolver_keys),
         account_id: payload[:sub],
         client_id: payload[:client_id],
         scopes: scopes,
-        grant_type: payload[:grant_type]
+        grant_type: payload[:grant_type],
       )
     end
 
@@ -46,5 +52,13 @@ module StandardId
     def self.secret_key
       Rails.application.secret_key_base
     end
+
+    def self.claim_resolver_keys
+      resolvers = StandardId.config.oauth.claim_resolvers
+      keys = Hash.try_convert(resolvers)&.keys
+      keys.compact.map(&:to_sym).uniq.excluding(*RESERVED_JWT_KEYS)
+    rescue StandardError
+      []
+    end
   end
 end

data/lib/standard_id/oauth/authorization_code_flow.rb

@@ -48,6 +48,14 @@ module StandardId
       def find_authorization_code(code)
         StandardId::AuthorizationCode.lookup(code)
       end
+
+      def token_client
+        @credential&.client_application
+      end
+
+      def token_account
+        @authorization_code&.account
+      end
     end
   end
 end

data/lib/standard_id/oauth/client_credentials_flow.rb

@@ -29,6 +29,14 @@ module StandardId
       def audience
         params[:audience]
       end
+
+      def token_client
+        @credential&.client_application
+      end
+
+      def token_account
+        nil
+      end
     end
   end
 end

data/lib/standard_id/oauth/password_flow.rb

@@ -61,6 +61,10 @@ module StandardId
       def default_scope
         "read"
       end
+
+      def token_account
+        @account
+      end
     end
   end
 end

data/lib/standard_id/oauth/passwordless_otp_flow.rb

@@ -79,6 +79,10 @@ module StandardId
       def default_scope
         "read"
       end
+
+      def token_account
+        account
+      end
     end
   end
 end

data/lib/standard_id/oauth/social_flow.rb

@@ -0,0 +1,61 @@
+module StandardId
+  module Oauth
+    class SocialFlow < TokenGrantFlow
+      attr_reader :account, :connection, :original_params
+
+      def initialize(params, request, account:, connection:, original_params: {})
+        super(params, request)
+        @account = account
+        @connection = connection
+        @original_params = original_params
+      end
+
+      def authenticate!
+        raise StandardId::InvalidGrantError, "Account is required for social flow" if @account.blank?
+      end
+
+      private
+
+      def subject_id
+        @account.id
+      end
+
+      def client_id
+        @original_params["client_id"]
+      end
+
+      def token_scope
+        @original_params["scope"]
+      end
+
+      def grant_type
+        "social"
+      end
+
+      def audience
+        @original_params["audience"]
+      end
+
+      def supports_refresh_token?
+        true
+      end
+
+      def token_lifetime_key
+        :social
+      end
+
+      def token_account
+        @account
+      end
+
+      def token_client
+        nil
+      end
+
+      def build_jwt_payload(expires_in)
+        base_payload = super(expires_in)
+        base_payload.merge(provider: @connection).compact
+      end
+    end
+  end
+end

data/lib/standard_id/oauth/subflows/social_login_grant.rb

@@ -10,7 +10,7 @@ module StandardId
 
         def social_provider_url
           @social_provider_url ||= case params[:connection]
-          when "google-oauth2"
+          when "google"
             build_google_oauth_url
           when "apple"
             build_apple_oauth_url
@@ -20,28 +20,18 @@ module StandardId
         end
 
         def build_google_oauth_url
-          google_params = {
-            client_id: StandardId.config.google_client_id,
+          StandardId::SocialProviders::Google.authorization_url(
+            state: encode_state_with_original_params,
             redirect_uri: "#{params[:base_url]}/api/oauth/callback/google",
-            response_type: "code",
-            scope: "openid email profile",
-            state: encode_state_with_original_params
-          }
-
-          "https://accounts.google.com/o/oauth2/v2/auth?" + URI.encode_www_form(google_params)
+            scope: "openid email profile"
+          )
         end
 
         def build_apple_oauth_url
-          apple_params = {
-            client_id: StandardId.config.apple_client_id,
-            redirect_uri: "#{params[:base_url]}/api/oauth/callback/apple",
-            response_type: "code",
-            scope: "name email",
-            response_mode: "form_post",
-            state: encode_state_with_original_params
-          }
-
-          "https://appleid.apple.com/auth/authorize?" + URI.encode_www_form(apple_params)
+          StandardId::SocialProviders::Apple.authorization_url(
+            state: encode_state_with_original_params,
+            redirect_uri: "#{params[:base_url]}/api/oauth/callback/apple"
+          )
         end
 
         def encode_state_with_original_params

data/lib/standard_id/oauth/token_grant_flow.rb

@@ -52,13 +52,15 @@ module StandardId
       end
 
       def build_jwt_payload(expires_in)
-        {
+        base_payload = {
           sub: subject_id,
           client_id: client_id,
           scope: token_scope,
           grant_type: grant_type,
           aud: audience
         }.compact
+
+        base_payload.merge(claims_from_scope_mapping)
       end
 
       def token_expiry
@@ -106,6 +108,57 @@ module StandardId
       def audience
         params[:audience]
       end
+
+      def claims_from_scope_mapping
+        scope_claims = StandardId.config.oauth.scope_claims.with_indifferent_access
+        resolvers = StandardId.config.oauth.claim_resolvers.with_indifferent_access
+        return {} if scope_claims.empty? || resolvers.empty?
+
+        claims = {}
+        current_scopes.each do |scope|
+          Array(scope_claims[scope]).each do |claim_key|
+            next if claims.key?(claim_key)
+
+            value = resolve_claim_value(resolvers[claim_key])
+            claims[claim_key] = value unless value.nil?
+          end
+        end
+
+        claims.compact.symbolize_keys
+      end
+
+      def current_scopes
+        Array.wrap(token_scope)
+          .flat_map { |value| value.to_s.split(/\s+/) }
+          .reject(&:blank?)
+          .uniq
+      end
+
+      def token_account
+        return nil if subject_id.blank?
+
+        account_class = StandardId.account_class
+        return nil unless account_class.respond_to?(:find_by)
+
+        account_class.find_by(id: subject_id)
+      end
+
+      def token_client
+        StandardId::ClientApplication.find_by(client_id: client_id)
+      end
+
+      def claim_resolvers_context
+        @claim_resolvers_context ||= {
+          client: token_client,
+          account: token_account,
+          request: request
+        }
+      end
+
+      def resolve_claim_value(resolver)
+        filtered_context = StandardId::Utils::CallableParameterFilter.filter(resolver, claim_resolvers_context)
+        resolver.call(**filtered_context)
+      end
     end
   end
 end

data/lib/standard_id/social_providers/apple.rb

@@ -0,0 +1,184 @@
+require "uri"
+require "net/http"
+require "json"
+require "jwt"
+require_relative "response_builder"
+
+module StandardId
+  module SocialProviders
+    class Apple
+      include ResponseBuilder
+
+      ISSUER = "https://appleid.apple.com".freeze
+      AUTH_ENDPOINT = "#{ISSUER}/auth/authorize".freeze
+      TOKEN_ENDPOINT = "#{ISSUER}/auth/token".freeze
+      JWKS_URI = "#{ISSUER}/auth/keys".freeze
+      DEFAULT_SCOPE = "name email".freeze
+      DEFAULT_RESPONSE_MODE = "form_post".freeze
+
+      class << self
+        def authorization_url(state:, redirect_uri:, scope: DEFAULT_SCOPE, response_mode: DEFAULT_RESPONSE_MODE)
+          ensure_basic_credentials!
+
+          query = {
+            client_id: StandardId.config.apple_client_id,
+            redirect_uri: redirect_uri,
+            response_type: "code",
+            scope: scope,
+            response_mode: response_mode,
+            state: state
+          }
+
+          "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query)}"
+        end
+
+        def get_user_info(code: nil, id_token: nil, redirect_uri: nil, client_id: StandardId.config.apple_client_id)
+          if id_token.present?
+            build_response(
+              verify_id_token(id_token: id_token, client_id: client_id),
+              tokens: { id_token: id_token }
+            )
+          elsif code.present?
+            exchange_code_for_user_info(code: code, redirect_uri: redirect_uri, client_id: client_id)
+          else
+            raise StandardId::InvalidRequestError, "Either code or id_token must be provided"
+          end
+        end
+
+        def exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id)
+          ensure_full_credentials!(client_id: client_id)
+          raise StandardId::InvalidRequestError, "Missing authorization code" if code.blank?
+
+          token_response = HttpClient.post_form(TOKEN_ENDPOINT, {
+            client_id: client_id,
+            client_secret: generate_client_secret(client_id: client_id),
+            code: code,
+            grant_type: "authorization_code",
+            redirect_uri: redirect_uri
+          })
+
+          unless token_response.is_a?(Net::HTTPSuccess)
+            error_body = JSON.parse(token_response.body) rescue {}
+            raise StandardId::InvalidRequestError, "Failed to exchange Apple authorization code: #{error_body['error']}"
+          end
+
+          parsed_token = JSON.parse(token_response.body)
+          id_token = parsed_token["id_token"]
+          raise StandardId::InvalidRequestError, "Apple response missing id_token" if id_token.blank?
+
+          tokens = extract_token_payload(parsed_token)
+          user_info = verify_id_token(id_token: id_token, client_id: client_id)
+
+          build_response(user_info, tokens: tokens)
+        rescue StandardError => e
+          raise e if e.is_a?(StandardId::OAuthError)
+          raise StandardId::OAuthError, e.message, cause: e
+        end
+
+        def verify_id_token(id_token:, client_id: StandardId.config.apple_client_id)
+          raise StandardId::InvalidRequestError, "Missing id_token" if id_token.blank?
+          if client_id.blank?
+            raise StandardId::InvalidRequestError, "Apple client_id is not configured"
+          end
+
+          decoded_token = JWT.decode(id_token, nil, false)
+          header = decoded_token[1]
+
+          jwk = fetch_jwk(kid: header["kid"])
+
+          verified_payload, = JWT.decode(
+            id_token,
+            jwk.public_key,
+            true,
+            algorithm: "RS256",
+            iss: ISSUER,
+            verify_iss: true,
+            aud: client_id,
+            verify_aud: true
+          )
+
+          {
+            "sub" => verified_payload["sub"],
+            "email" => verified_payload["email"],
+            "email_verified" => verified_payload["email_verified"],
+            "is_private_email" => verified_payload["is_private_email"]
+          }.compact
+        rescue JWT::InvalidAudError => e
+          raise StandardId::InvalidRequestError, "Invalid Apple ID token audience: #{e.message}"
+        rescue JWT::DecodeError => e
+          raise StandardId::InvalidRequestError, "Invalid Apple ID token: #{e.message}"
+        rescue StandardError => e
+          raise e if e.is_a?(StandardId::OAuthError)
+          raise StandardId::OAuthError, e.message, cause: e
+        end
+
+        private
+
+        def ensure_basic_credentials!(client_id: StandardId.config.apple_client_id)
+          if client_id.blank?
+            raise StandardId::InvalidRequestError, "Apple OAuth is not configured"
+          end
+        end
+
+        def ensure_full_credentials!(client_id: nil)
+          ensure_basic_credentials!(client_id: client_id)
+
+          required = [
+            StandardId.config.apple_private_key,
+            StandardId.config.apple_key_id,
+            StandardId.config.apple_team_id
+          ]
+
+          if required.any?(&:blank?)
+            raise StandardId::InvalidRequestError, "Apple OAuth credentials are incomplete"
+          end
+        end
+
+        def generate_client_secret(client_id: StandardId.config.apple_client_id)
+          header = {
+            alg: "ES256",
+            kid: StandardId.config.apple_key_id
+          }
+
+          payload = {
+            iss: StandardId.config.apple_team_id,
+            iat: Time.current.to_i,
+            exp: Time.current.to_i + 3600,
+            aud: ISSUER,
+            sub: client_id
+          }
+
+          private_key = OpenSSL::PKey::EC.new(StandardId.config.apple_private_key)
+          JWT.encode(payload, private_key, "ES256", header)
+        end
+
+        def fetch_jwk(kid:)
+          uri = URI(JWKS_URI)
+          jwks_response = Net::HTTP.get_response(uri)
+
+          unless jwks_response.is_a?(Net::HTTPSuccess)
+            raise StandardId::InvalidRequestError, "Failed to fetch Apple JWKS"
+          end
+
+          jwks_data = JSON.parse(jwks_response.body)
+          jwk_data = jwks_data["keys"].find { |key| key["kid"] == kid }
+
+          raise StandardId::InvalidRequestError, "JWK with kid '#{kid}' not found in Apple's JWKS" unless jwk_data
+
+          JWT::JWK.import(jwk_data)
+        rescue StandardError => e
+          raise e if e.is_a?(StandardId::OAuthError)
+          raise StandardId::OAuthError, "Failed to fetch JWK: #{e.message}"
+        end
+
+        def extract_token_payload(parsed_token)
+          {
+            access_token: parsed_token["access_token"],
+            refresh_token: parsed_token["refresh_token"],
+            id_token: parsed_token["id_token"]
+          }.compact
+        end
+      end
+    end
+  end
+end