standard_id 0.1.2 → 0.1.4

data/lib/standard_id/social_providers/google.rb

@@ -0,0 +1,168 @@
+require_relative "response_builder"
+
+module StandardId
+  module SocialProviders
+    class Google
+      include ResponseBuilder
+
+      AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth".freeze
+      TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token".freeze
+      USERINFO_ENDPOINT = "https://www.googleapis.com/oauth2/v2/userinfo".freeze
+      TOKEN_INFO_ENDPOINT = "https://oauth2.googleapis.com/tokeninfo".freeze
+      DEFAULT_SCOPE = "openid email profile".freeze
+
+      class << self
+        def authorization_url(state:, redirect_uri:, scope: DEFAULT_SCOPE, prompt: nil)
+          query = {
+            client_id: credentials[:client_id],
+            redirect_uri: redirect_uri,
+            response_type: "code",
+            scope: scope,
+            state: state
+          }
+
+          query[:prompt] = prompt if prompt.present?
+
+          "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query)}"
+        end
+
+        def get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil)
+          if id_token.present?
+            build_response(
+              verify_id_token(id_token: id_token),
+              tokens: { id_token: id_token }
+            )
+          elsif access_token.present?
+            build_response(
+              fetch_user_info(access_token: access_token),
+              tokens: { access_token: access_token }
+            )
+          elsif code.present?
+            exchange_code_for_user_info(code: code, redirect_uri: redirect_uri)
+          else
+            raise StandardId::InvalidRequestError, "Either code, id_token, or access_token must be provided"
+          end
+        end
+
+        def exchange_code_for_user_info(code:, redirect_uri:)
+          raise StandardId::InvalidRequestError, "Missing authorization code" if code.blank?
+
+          token_response = HttpClient.post_form(TOKEN_ENDPOINT, {
+            client_id: credentials[:client_id],
+            client_secret: credentials[:client_secret],
+            code: code,
+            grant_type: "authorization_code",
+            redirect_uri: redirect_uri
+          }.compact)
+
+          unless token_response.is_a?(Net::HTTPSuccess)
+            raise StandardId::InvalidRequestError, "Failed to exchange Google authorization code"
+          end
+
+          parsed_token = JSON.parse(token_response.body)
+          access_token = parsed_token["access_token"]
+          raise StandardId::InvalidRequestError, "Google response missing access token" if access_token.blank?
+
+          tokens = extract_token_payload(parsed_token)
+          user_info = fetch_user_info(access_token: access_token)
+
+          build_response(user_info, tokens: tokens)
+        rescue StandardError => e
+          raise e if e.is_a?(StandardId::OAuthError)
+          raise StandardId::OAuthError, e.message, cause: e
+        end
+
+        def verify_id_token(id_token:)
+          raise StandardId::InvalidRequestError, "Missing id_token" if id_token.blank?
+
+          response = HttpClient.post_form(TOKEN_INFO_ENDPOINT, id_token: id_token)
+
+          unless response.is_a?(Net::HTTPSuccess)
+            raise StandardId::InvalidRequestError, "Invalid or expired id_token"
+          end
+
+          token_info = JSON.parse(response.body)
+
+          unless token_info["aud"] == credentials[:client_id]
+            raise StandardId::InvalidRequestError, "ID token audience mismatch. Expected: #{credentials[:client_id]}, got: #{token_info['aud']}"
+          end
+
+          unless ["accounts.google.com", "https://accounts.google.com"].include?(token_info["iss"])
+            raise StandardId::InvalidRequestError, "ID token issuer invalid. Expected Google, got: #{token_info['iss']}"
+          end
+
+          {
+            "sub" => token_info["sub"],
+            "email" => token_info["email"],
+            "email_verified" => token_info["email_verified"],
+            "name" => token_info["name"],
+            "given_name" => token_info["given_name"],
+            "family_name" => token_info["family_name"],
+            "picture" => token_info["picture"],
+            "locale" => token_info["locale"]
+          }.compact
+        rescue StandardError => e
+          raise e if e.is_a?(StandardId::OAuthError)
+          raise StandardId::OAuthError, e.message, cause: e
+        end
+
+        def fetch_user_info(access_token:)
+          raise StandardId::InvalidRequestError, "Missing access token" if access_token.blank?
+
+          verify_token(access_token)
+          user_response = HttpClient.get_with_bearer(USERINFO_ENDPOINT, access_token)
+
+          unless user_response.is_a?(Net::HTTPSuccess)
+            raise StandardId::InvalidRequestError, "Failed to fetch Google user info"
+          end
+
+          JSON.parse(user_response.body)
+        rescue StandardError => e
+          raise e if e.is_a?(StandardId::OAuthError)
+          raise StandardId::OAuthError, e.message, cause: e
+        end
+
+        private
+
+        def credentials
+          @credentials ||= begin
+            if StandardId.config.google_client_id.blank? || StandardId.config.google_client_secret.blank?
+              raise StandardId::InvalidRequestError, "Google provider is not configured"
+            end
+
+            {
+              client_id: StandardId.config.google_client_id,
+              client_secret: StandardId.config.google_client_secret
+            }
+          end
+        end
+
+        def verify_token(access_token)
+          token_info_uri = "https://www.googleapis.com/oauth2/v3/tokeninfo"
+
+          response = HttpClient.post_form(token_info_uri, access_token: access_token)
+
+          unless response.is_a?(Net::HTTPSuccess)
+            raise StandardId::InvalidRequestError, "Invalid or expired access token"
+          end
+
+          token_info = JSON.parse(response.body)
+
+          unless token_info["aud"] == credentials[:client_id]
+            raise StandardId::InvalidRequestError, "Access token audience mismatch. Expected: #{credentials[:client_id]}, got: #{token_info['aud']}"
+          end
+
+          token_info
+        end
+
+        def extract_token_payload(parsed_token)
+          {
+            access_token: parsed_token["access_token"],
+            refresh_token: parsed_token["refresh_token"],
+            id_token: parsed_token["id_token"]
+          }.compact
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/social_providers/response_builder.rb

@@ -0,0 +1,18 @@
+require "active_support/concern"
+
+module StandardId
+  module SocialProviders
+    module ResponseBuilder
+      extend ActiveSupport::Concern
+
+      class_methods do
+        def build_response(user_info, tokens: {})
+          {
+            user_info: user_info,
+            tokens: tokens.compact
+          }.with_indifferent_access
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/utils/callable_parameter_filter.rb

@@ -0,0 +1,36 @@
+module StandardId
+  module Utils
+    class CallableParameterFilter
+      class << self
+        def filter(callable, context)
+          return {} unless callable.respond_to?(:call) && context.present?
+
+          payload = context.to_h.symbolize_keys
+          accepted_keys = accepted_parameters(callable)
+          return payload if accepted_keys.nil?
+
+          payload.slice(*accepted_keys)
+        end
+
+        private
+
+        def accepted_parameters(callable)
+          parameters = parameter_list(callable)
+          return nil if parameters.any? { |type, _| type == :keyrest }
+
+          parameters.map { |_, name| name&.to_sym }.compact
+        end
+
+        def parameter_list(callable)
+          if callable.respond_to?(:parameters)
+            callable.parameters
+          elsif callable.respond_to?(:method)
+            callable.method(:call).parameters
+          else
+            []
+          end
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.1.2"
+  VERSION = "0.1.4"
 end

data/lib/standard_id.rb

@@ -4,6 +4,7 @@ require "standard_id/web_engine"
 require "standard_id/api_engine"
 require "standard_id/config/schema"
 require "standard_id/errors"
+require "standard_id/http_client"
 require "standard_id/jwt_service"
 require "standard_id/web/session_manager"
 require "standard_id/web/token_manager"
@@ -18,6 +19,7 @@ require "standard_id/oauth/client_credentials_flow"
 require "standard_id/oauth/authorization_code_flow"
 require "standard_id/oauth/password_flow"
 require "standard_id/oauth/refresh_token_flow"
+require "standard_id/oauth/social_flow"
 require "standard_id/oauth/authorization_flow"
 require "standard_id/oauth/authorization_code_authorization_flow"
 require "standard_id/oauth/implicit_authorization_flow"
@@ -28,6 +30,9 @@ require "standard_id/oauth/passwordless_otp_flow"
 require "standard_id/passwordless/base_strategy"
 require "standard_id/passwordless/email_strategy"
 require "standard_id/passwordless/sms_strategy"
+require "standard_id/utils/callable_parameter_filter"
+require "standard_id/social_providers/google"
+require "standard_id/social_providers/apple"
 
 module StandardId
   class << self

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.4
 platform: ruby
 authors:
 - Jaryl Sim
@@ -65,14 +65,15 @@ files:
 - Rakefile
 - app/assets/stylesheets/standard_id/application.css
 - app/controllers/concerns/standard_id/api_authentication.rb
+- app/controllers/concerns/standard_id/social_authentication.rb
 - app/controllers/concerns/standard_id/web_authentication.rb
 - app/controllers/standard_id/api/authorization_controller.rb
 - app/controllers/standard_id/api/base_controller.rb
 - app/controllers/standard_id/api/oauth/base_controller.rb
+- app/controllers/standard_id/api/oauth/callback/providers_controller.rb
 - app/controllers/standard_id/api/oauth/tokens_controller.rb
 - app/controllers/standard_id/api/oidc/logout_controller.rb
 - app/controllers/standard_id/api/passwordless_controller.rb
-- app/controllers/standard_id/api/providers_controller.rb
 - app/controllers/standard_id/api/userinfo_controller.rb
 - app/controllers/standard_id/web/account_controller.rb
 - app/controllers/standard_id/web/auth/callback/providers_controller.rb
@@ -114,6 +115,7 @@ files:
 - app/models/standard_id/username_identifier.rb
 - app/views/standard_id/web/account/edit.html.erb
 - app/views/standard_id/web/account/show.html.erb
+- app/views/standard_id/web/auth/callback/providers/apple_mobile.html.erb
 - app/views/standard_id/web/login/show.html.erb
 - app/views/standard_id/web/reset_password/confirm/show.html.erb
 - app/views/standard_id/web/reset_password/start/show.html.erb
@@ -146,6 +148,7 @@ files:
 - lib/standard_id/config/schema.rb
 - lib/standard_id/engine.rb
 - lib/standard_id/errors.rb
+- lib/standard_id/http_client.rb
 - lib/standard_id/jwt_service.rb
 - lib/standard_id/oauth/authorization_code_authorization_flow.rb
 - lib/standard_id/oauth/authorization_code_flow.rb
@@ -156,6 +159,7 @@ files:
 - lib/standard_id/oauth/password_flow.rb
 - lib/standard_id/oauth/passwordless_otp_flow.rb
 - lib/standard_id/oauth/refresh_token_flow.rb
+- lib/standard_id/oauth/social_flow.rb
 - lib/standard_id/oauth/subflows/base.rb
 - lib/standard_id/oauth/subflows/social_login_grant.rb
 - lib/standard_id/oauth/subflows/traditional_code_grant.rb
@@ -164,6 +168,10 @@ files:
 - lib/standard_id/passwordless/base_strategy.rb
 - lib/standard_id/passwordless/email_strategy.rb
 - lib/standard_id/passwordless/sms_strategy.rb
+- lib/standard_id/social_providers/apple.rb
+- lib/standard_id/social_providers/google.rb
+- lib/standard_id/social_providers/response_builder.rb
+- lib/standard_id/utils/callable_parameter_filter.rb
 - lib/standard_id/version.rb
 - lib/standard_id/web/authentication_guard.rb
 - lib/standard_id/web/session_manager.rb

data/app/controllers/standard_id/api/providers_controller.rb

@@ -1,174 +0,0 @@
-module StandardId
-  module Api
-    class ProvidersController < BaseController
-      skip_before_action :validate_content_type!
-
-      def google
-        expect_and_permit!([:state, :code], [:state, :code])
-        handle_social_callback("google-oauth2")
-      end
-
-      def apple
-        expect_and_permit!([:state, :code], [:state, :code])
-        handle_social_callback("apple")
-      end
-
-      private
-
-      def handle_social_callback(provider)
-        original_params = decode_state_params
-        user_info = exchange_social_code_for_user_info(provider, params[:code])
-        account = find_or_create_account_from_social(user_info, provider)
-
-        authorization_code = generate_authorization_code
-        store_authorization_code(authorization_code, original_params, account, provider)
-
-        redirect_params = {
-          code: authorization_code,
-          state: original_params["state"]
-        }.compact
-
-        redirect_url = build_redirect_uri(original_params["redirect_uri"], redirect_params)
-        redirect_to redirect_url, allow_other_host: true, status: :found
-      end
-
-      def decode_state_params
-        encoded_state = params[:state]
-        raise StandardId::InvalidRequestError, "Missing state parameter" if encoded_state.blank?
-
-        begin
-          JSON.parse(Base64.urlsafe_decode64(encoded_state))
-        rescue JSON::ParserError, ArgumentError
-          raise StandardId::InvalidRequestError, "Invalid state parameter"
-        end
-      end
-
-      def exchange_social_code_for_user_info(provider, code)
-        case provider
-        when "google-oauth2"
-          exchange_google_code(code)
-        when "apple"
-          exchange_apple_code(code)
-        else
-          raise StandardId::InvalidRequestError, "Unsupported provider: #{provider}"
-        end
-      end
-
-      def exchange_google_code(code)
-        token_response = HTTParty.post("https://oauth2.googleapis.com/token", {
-          body: {
-            client_id: StandardId.config.google_client_id,
-            client_secret: StandardId.config.google_client_secret,
-            code: code,
-            grant_type: "authorization_code",
-            redirect_uri: "#{request.base_url}/api/oauth/callback/google"
-          },
-          headers: { "Content-Type" => "application/x-www-form-urlencoded" }
-        })
-
-        raise StandardId::InvalidRequestError, "Failed to exchange Google code" unless token_response.success?
-
-        access_token = token_response.parsed_response["access_token"]
-
-        user_response = HTTParty.get("https://www.googleapis.com/oauth2/v2/userinfo", {
-          headers: { "Authorization" => "Bearer #{access_token}" }
-        })
-
-        raise StandardId::InvalidRequestError, "Failed to get Google user info" unless user_response.success?
-
-        user_response.parsed_response
-      end
-
-      def exchange_apple_code(code)
-        client_secret = generate_apple_client_secret
-
-        token_response = HTTParty.post("https://appleid.apple.com/auth/token", {
-          body: {
-            client_id: StandardId.config.apple_client_id,
-            client_secret: client_secret,
-            code: code,
-            grant_type: "authorization_code",
-            redirect_uri: "#{request.base_url}/api/oauth/callback/apple"
-          },
-          headers: { "Content-Type" => "application/x-www-form-urlencoded" }
-        })
-
-        raise StandardId::InvalidRequestError, "Failed to exchange Apple code" unless token_response.success?
-
-        id_token = token_response.parsed_response["id_token"]
-        JWT.decode(id_token, nil, false)[0]
-      end
-
-      def generate_apple_client_secret
-        header = {
-          alg: "ES256",
-          kid: StandardId.config.apple_key_id
-        }
-
-        payload = {
-          iss: StandardId.config.apple_team_id,
-          iat: Time.current.to_i,
-          exp: Time.current.to_i + 3600,
-          aud: "https://appleid.apple.com",
-          sub: StandardId.config.apple_client_id
-        }
-
-        private_key = OpenSSL::PKey::EC.new(StandardId.config.apple_private_key)
-        JWT.encode(payload, private_key, "ES256", header)
-      end
-
-      def find_or_create_account_from_social(user_info, provider)
-        email = user_info["email"]
-        raise StandardId::InvalidRequestError, "No email provided by #{provider}" if email.blank?
-
-        identifier = StandardId::EmailIdentifier.find_by(value: email)
-
-        return identifier.account if identifier.present?
-
-        account = Account.create!(
-          name: (user_info["name"] || user_info["given_name"] || email),
-          email:
-        )
-
-        identifier = StandardId::EmailIdentifier.create!(
-          account:,
-          value: email
-        )
-
-        identifier.verify!
-
-        account
-      end
-
-      def generate_authorization_code
-        SecureRandom.urlsafe_base64(32)
-      end
-
-      def store_authorization_code(code, original_params, account, provider)
-        StandardId::AuthorizationCode.issue!(
-          plaintext_code: code,
-          client_id: original_params["client_id"],
-          redirect_uri: original_params["redirect_uri"],
-          scope: original_params["scope"],
-          audience: original_params["audience"],
-          account: account,
-          code_challenge: original_params["code_challenge"],
-          code_challenge_method: original_params["code_challenge_method"],
-          metadata: { state: original_params["state"], provider: provider }.compact
-        )
-      end
-
-      def build_redirect_uri(base_uri, params_hash)
-        uri = URI.parse(base_uri)
-        query_params = URI.decode_www_form(uri.query || "")
-
-        params_hash.each do |key, value|
-          query_params << [key.to_s, value.to_s] if value.present?
-        end
-
-        uri.query = URI.encode_www_form(query_params)
-        uri.to_s
-      end
-    end
-  end
-end