standard_id 0.1.3 → 0.1.4

data/lib/standard_id/oauth/social_flow.rb

@@ -0,0 +1,61 @@
+module StandardId
+  module Oauth
+    class SocialFlow < TokenGrantFlow
+      attr_reader :account, :connection, :original_params
+
+      def initialize(params, request, account:, connection:, original_params: {})
+        super(params, request)
+        @account = account
+        @connection = connection
+        @original_params = original_params
+      end
+
+      def authenticate!
+        raise StandardId::InvalidGrantError, "Account is required for social flow" if @account.blank?
+      end
+
+      private
+
+      def subject_id
+        @account.id
+      end
+
+      def client_id
+        @original_params["client_id"]
+      end
+
+      def token_scope
+        @original_params["scope"]
+      end
+
+      def grant_type
+        "social"
+      end
+
+      def audience
+        @original_params["audience"]
+      end
+
+      def supports_refresh_token?
+        true
+      end
+
+      def token_lifetime_key
+        :social
+      end
+
+      def token_account
+        @account
+      end
+
+      def token_client
+        nil
+      end
+
+      def build_jwt_payload(expires_in)
+        base_payload = super(expires_in)
+        base_payload.merge(provider: @connection).compact
+      end
+    end
+  end
+end

data/lib/standard_id/oauth/subflows/social_login_grant.rb

@@ -10,7 +10,7 @@ module StandardId
 
         def social_provider_url
           @social_provider_url ||= case params[:connection]
-          when "google-oauth2"
+          when "google"
             build_google_oauth_url
           when "apple"
             build_apple_oauth_url
@@ -20,28 +20,18 @@ module StandardId
         end
 
         def build_google_oauth_url
-          google_params = {
-            client_id: StandardId.config.google_client_id,
+          StandardId::SocialProviders::Google.authorization_url(
+            state: encode_state_with_original_params,
             redirect_uri: "#{params[:base_url]}/api/oauth/callback/google",
-            response_type: "code",
-            scope: "openid email profile",
-            state: encode_state_with_original_params
-          }
-
-          "https://accounts.google.com/o/oauth2/v2/auth?" + URI.encode_www_form(google_params)
+            scope: "openid email profile"
+          )
         end
 
         def build_apple_oauth_url
-          apple_params = {
-            client_id: StandardId.config.apple_client_id,
-            redirect_uri: "#{params[:base_url]}/api/oauth/callback/apple",
-            response_type: "code",
-            scope: "name email",
-            response_mode: "form_post",
-            state: encode_state_with_original_params
-          }
-
-          "https://appleid.apple.com/auth/authorize?" + URI.encode_www_form(apple_params)
+          StandardId::SocialProviders::Apple.authorization_url(
+            state: encode_state_with_original_params,
+            redirect_uri: "#{params[:base_url]}/api/oauth/callback/apple"
+          )
         end
 
         def encode_state_with_original_params

data/lib/standard_id/oauth/token_grant_flow.rb

@@ -155,22 +155,9 @@ module StandardId
         }
       end
 
-      def callable_parameters(resolver)
-        parameters = if resolver.respond_to?(:parameters)
-          resolver.parameters
-        elsif resolver.respond_to?(:method) && resolver.respond_to?(:call)
-          resolver.method(:call).parameters
-        else
-          []
-        end
-
-        accepts_all = parameters.any? { |type, _| type == :keyrest }
-
-        accepts_all ?  claim_resolvers_context.keys : parameters.map { |_, name| name.to_sym }
-      end
-
       def resolve_claim_value(resolver)
-        resolver&.call(**claim_resolvers_context.slice(*callable_parameters(resolver)))
+        filtered_context = StandardId::Utils::CallableParameterFilter.filter(resolver, claim_resolvers_context)
+        resolver.call(**filtered_context)
       end
     end
   end

data/lib/standard_id/social_providers/apple.rb

@@ -0,0 +1,184 @@
+require "uri"
+require "net/http"
+require "json"
+require "jwt"
+require_relative "response_builder"
+
+module StandardId
+  module SocialProviders
+    class Apple
+      include ResponseBuilder
+
+      ISSUER = "https://appleid.apple.com".freeze
+      AUTH_ENDPOINT = "#{ISSUER}/auth/authorize".freeze
+      TOKEN_ENDPOINT = "#{ISSUER}/auth/token".freeze
+      JWKS_URI = "#{ISSUER}/auth/keys".freeze
+      DEFAULT_SCOPE = "name email".freeze
+      DEFAULT_RESPONSE_MODE = "form_post".freeze
+
+      class << self
+        def authorization_url(state:, redirect_uri:, scope: DEFAULT_SCOPE, response_mode: DEFAULT_RESPONSE_MODE)
+          ensure_basic_credentials!
+
+          query = {
+            client_id: StandardId.config.apple_client_id,
+            redirect_uri: redirect_uri,
+            response_type: "code",
+            scope: scope,
+            response_mode: response_mode,
+            state: state
+          }
+
+          "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query)}"
+        end
+
+        def get_user_info(code: nil, id_token: nil, redirect_uri: nil, client_id: StandardId.config.apple_client_id)
+          if id_token.present?
+            build_response(
+              verify_id_token(id_token: id_token, client_id: client_id),
+              tokens: { id_token: id_token }
+            )
+          elsif code.present?
+            exchange_code_for_user_info(code: code, redirect_uri: redirect_uri, client_id: client_id)
+          else
+            raise StandardId::InvalidRequestError, "Either code or id_token must be provided"
+          end
+        end
+
+        def exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id)
+          ensure_full_credentials!(client_id: client_id)
+          raise StandardId::InvalidRequestError, "Missing authorization code" if code.blank?
+
+          token_response = HttpClient.post_form(TOKEN_ENDPOINT, {
+            client_id: client_id,
+            client_secret: generate_client_secret(client_id: client_id),
+            code: code,
+            grant_type: "authorization_code",
+            redirect_uri: redirect_uri
+          })
+
+          unless token_response.is_a?(Net::HTTPSuccess)
+            error_body = JSON.parse(token_response.body) rescue {}
+            raise StandardId::InvalidRequestError, "Failed to exchange Apple authorization code: #{error_body['error']}"
+          end
+
+          parsed_token = JSON.parse(token_response.body)
+          id_token = parsed_token["id_token"]
+          raise StandardId::InvalidRequestError, "Apple response missing id_token" if id_token.blank?
+
+          tokens = extract_token_payload(parsed_token)
+          user_info = verify_id_token(id_token: id_token, client_id: client_id)
+
+          build_response(user_info, tokens: tokens)
+        rescue StandardError => e
+          raise e if e.is_a?(StandardId::OAuthError)
+          raise StandardId::OAuthError, e.message, cause: e
+        end
+
+        def verify_id_token(id_token:, client_id: StandardId.config.apple_client_id)
+          raise StandardId::InvalidRequestError, "Missing id_token" if id_token.blank?
+          if client_id.blank?
+            raise StandardId::InvalidRequestError, "Apple client_id is not configured"
+          end
+
+          decoded_token = JWT.decode(id_token, nil, false)
+          header = decoded_token[1]
+
+          jwk = fetch_jwk(kid: header["kid"])
+
+          verified_payload, = JWT.decode(
+            id_token,
+            jwk.public_key,
+            true,
+            algorithm: "RS256",
+            iss: ISSUER,
+            verify_iss: true,
+            aud: client_id,
+            verify_aud: true
+          )
+
+          {
+            "sub" => verified_payload["sub"],
+            "email" => verified_payload["email"],
+            "email_verified" => verified_payload["email_verified"],
+            "is_private_email" => verified_payload["is_private_email"]
+          }.compact
+        rescue JWT::InvalidAudError => e
+          raise StandardId::InvalidRequestError, "Invalid Apple ID token audience: #{e.message}"
+        rescue JWT::DecodeError => e
+          raise StandardId::InvalidRequestError, "Invalid Apple ID token: #{e.message}"
+        rescue StandardError => e
+          raise e if e.is_a?(StandardId::OAuthError)
+          raise StandardId::OAuthError, e.message, cause: e
+        end
+
+        private
+
+        def ensure_basic_credentials!(client_id: StandardId.config.apple_client_id)
+          if client_id.blank?
+            raise StandardId::InvalidRequestError, "Apple OAuth is not configured"
+          end
+        end
+
+        def ensure_full_credentials!(client_id: nil)
+          ensure_basic_credentials!(client_id: client_id)
+
+          required = [
+            StandardId.config.apple_private_key,
+            StandardId.config.apple_key_id,
+            StandardId.config.apple_team_id
+          ]
+
+          if required.any?(&:blank?)
+            raise StandardId::InvalidRequestError, "Apple OAuth credentials are incomplete"
+          end
+        end
+
+        def generate_client_secret(client_id: StandardId.config.apple_client_id)
+          header = {
+            alg: "ES256",
+            kid: StandardId.config.apple_key_id
+          }
+
+          payload = {
+            iss: StandardId.config.apple_team_id,
+            iat: Time.current.to_i,
+            exp: Time.current.to_i + 3600,
+            aud: ISSUER,
+            sub: client_id
+          }
+
+          private_key = OpenSSL::PKey::EC.new(StandardId.config.apple_private_key)
+          JWT.encode(payload, private_key, "ES256", header)
+        end
+
+        def fetch_jwk(kid:)
+          uri = URI(JWKS_URI)
+          jwks_response = Net::HTTP.get_response(uri)
+
+          unless jwks_response.is_a?(Net::HTTPSuccess)
+            raise StandardId::InvalidRequestError, "Failed to fetch Apple JWKS"
+          end
+
+          jwks_data = JSON.parse(jwks_response.body)
+          jwk_data = jwks_data["keys"].find { |key| key["kid"] == kid }
+
+          raise StandardId::InvalidRequestError, "JWK with kid '#{kid}' not found in Apple's JWKS" unless jwk_data
+
+          JWT::JWK.import(jwk_data)
+        rescue StandardError => e
+          raise e if e.is_a?(StandardId::OAuthError)
+          raise StandardId::OAuthError, "Failed to fetch JWK: #{e.message}"
+        end
+
+        def extract_token_payload(parsed_token)
+          {
+            access_token: parsed_token["access_token"],
+            refresh_token: parsed_token["refresh_token"],
+            id_token: parsed_token["id_token"]
+          }.compact
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/social_providers/google.rb

@@ -0,0 +1,168 @@
+require_relative "response_builder"
+
+module StandardId
+  module SocialProviders
+    class Google
+      include ResponseBuilder
+
+      AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth".freeze
+      TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token".freeze
+      USERINFO_ENDPOINT = "https://www.googleapis.com/oauth2/v2/userinfo".freeze
+      TOKEN_INFO_ENDPOINT = "https://oauth2.googleapis.com/tokeninfo".freeze
+      DEFAULT_SCOPE = "openid email profile".freeze
+
+      class << self
+        def authorization_url(state:, redirect_uri:, scope: DEFAULT_SCOPE, prompt: nil)
+          query = {
+            client_id: credentials[:client_id],
+            redirect_uri: redirect_uri,
+            response_type: "code",
+            scope: scope,
+            state: state
+          }
+
+          query[:prompt] = prompt if prompt.present?
+
+          "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query)}"
+        end
+
+        def get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil)
+          if id_token.present?
+            build_response(
+              verify_id_token(id_token: id_token),
+              tokens: { id_token: id_token }
+            )
+          elsif access_token.present?
+            build_response(
+              fetch_user_info(access_token: access_token),
+              tokens: { access_token: access_token }
+            )
+          elsif code.present?
+            exchange_code_for_user_info(code: code, redirect_uri: redirect_uri)
+          else
+            raise StandardId::InvalidRequestError, "Either code, id_token, or access_token must be provided"
+          end
+        end
+
+        def exchange_code_for_user_info(code:, redirect_uri:)
+          raise StandardId::InvalidRequestError, "Missing authorization code" if code.blank?
+
+          token_response = HttpClient.post_form(TOKEN_ENDPOINT, {
+            client_id: credentials[:client_id],
+            client_secret: credentials[:client_secret],
+            code: code,
+            grant_type: "authorization_code",
+            redirect_uri: redirect_uri
+          }.compact)
+
+          unless token_response.is_a?(Net::HTTPSuccess)
+            raise StandardId::InvalidRequestError, "Failed to exchange Google authorization code"
+          end
+
+          parsed_token = JSON.parse(token_response.body)
+          access_token = parsed_token["access_token"]
+          raise StandardId::InvalidRequestError, "Google response missing access token" if access_token.blank?
+
+          tokens = extract_token_payload(parsed_token)
+          user_info = fetch_user_info(access_token: access_token)
+
+          build_response(user_info, tokens: tokens)
+        rescue StandardError => e
+          raise e if e.is_a?(StandardId::OAuthError)
+          raise StandardId::OAuthError, e.message, cause: e
+        end
+
+        def verify_id_token(id_token:)
+          raise StandardId::InvalidRequestError, "Missing id_token" if id_token.blank?
+
+          response = HttpClient.post_form(TOKEN_INFO_ENDPOINT, id_token: id_token)
+
+          unless response.is_a?(Net::HTTPSuccess)
+            raise StandardId::InvalidRequestError, "Invalid or expired id_token"
+          end
+
+          token_info = JSON.parse(response.body)
+
+          unless token_info["aud"] == credentials[:client_id]
+            raise StandardId::InvalidRequestError, "ID token audience mismatch. Expected: #{credentials[:client_id]}, got: #{token_info['aud']}"
+          end
+
+          unless ["accounts.google.com", "https://accounts.google.com"].include?(token_info["iss"])
+            raise StandardId::InvalidRequestError, "ID token issuer invalid. Expected Google, got: #{token_info['iss']}"
+          end
+
+          {
+            "sub" => token_info["sub"],
+            "email" => token_info["email"],
+            "email_verified" => token_info["email_verified"],
+            "name" => token_info["name"],
+            "given_name" => token_info["given_name"],
+            "family_name" => token_info["family_name"],
+            "picture" => token_info["picture"],
+            "locale" => token_info["locale"]
+          }.compact
+        rescue StandardError => e
+          raise e if e.is_a?(StandardId::OAuthError)
+          raise StandardId::OAuthError, e.message, cause: e
+        end
+
+        def fetch_user_info(access_token:)
+          raise StandardId::InvalidRequestError, "Missing access token" if access_token.blank?
+
+          verify_token(access_token)
+          user_response = HttpClient.get_with_bearer(USERINFO_ENDPOINT, access_token)
+
+          unless user_response.is_a?(Net::HTTPSuccess)
+            raise StandardId::InvalidRequestError, "Failed to fetch Google user info"
+          end
+
+          JSON.parse(user_response.body)
+        rescue StandardError => e
+          raise e if e.is_a?(StandardId::OAuthError)
+          raise StandardId::OAuthError, e.message, cause: e
+        end
+
+        private
+
+        def credentials
+          @credentials ||= begin
+            if StandardId.config.google_client_id.blank? || StandardId.config.google_client_secret.blank?
+              raise StandardId::InvalidRequestError, "Google provider is not configured"
+            end
+
+            {
+              client_id: StandardId.config.google_client_id,
+              client_secret: StandardId.config.google_client_secret
+            }
+          end
+        end
+
+        def verify_token(access_token)
+          token_info_uri = "https://www.googleapis.com/oauth2/v3/tokeninfo"
+
+          response = HttpClient.post_form(token_info_uri, access_token: access_token)
+
+          unless response.is_a?(Net::HTTPSuccess)
+            raise StandardId::InvalidRequestError, "Invalid or expired access token"
+          end
+
+          token_info = JSON.parse(response.body)
+
+          unless token_info["aud"] == credentials[:client_id]
+            raise StandardId::InvalidRequestError, "Access token audience mismatch. Expected: #{credentials[:client_id]}, got: #{token_info['aud']}"
+          end
+
+          token_info
+        end
+
+        def extract_token_payload(parsed_token)
+          {
+            access_token: parsed_token["access_token"],
+            refresh_token: parsed_token["refresh_token"],
+            id_token: parsed_token["id_token"]
+          }.compact
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/social_providers/response_builder.rb

@@ -0,0 +1,18 @@
+require "active_support/concern"
+
+module StandardId
+  module SocialProviders
+    module ResponseBuilder
+      extend ActiveSupport::Concern
+
+      class_methods do
+        def build_response(user_info, tokens: {})
+          {
+            user_info: user_info,
+            tokens: tokens.compact
+          }.with_indifferent_access
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/utils/callable_parameter_filter.rb

@@ -0,0 +1,36 @@
+module StandardId
+  module Utils
+    class CallableParameterFilter
+      class << self
+        def filter(callable, context)
+          return {} unless callable.respond_to?(:call) && context.present?
+
+          payload = context.to_h.symbolize_keys
+          accepted_keys = accepted_parameters(callable)
+          return payload if accepted_keys.nil?
+
+          payload.slice(*accepted_keys)
+        end
+
+        private
+
+        def accepted_parameters(callable)
+          parameters = parameter_list(callable)
+          return nil if parameters.any? { |type, _| type == :keyrest }
+
+          parameters.map { |_, name| name&.to_sym }.compact
+        end
+
+        def parameter_list(callable)
+          if callable.respond_to?(:parameters)
+            callable.parameters
+          elsif callable.respond_to?(:method)
+            callable.method(:call).parameters
+          else
+            []
+          end
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.1.3"
+  VERSION = "0.1.4"
 end

data/lib/standard_id.rb

@@ -4,6 +4,7 @@ require "standard_id/web_engine"
 require "standard_id/api_engine"
 require "standard_id/config/schema"
 require "standard_id/errors"
+require "standard_id/http_client"
 require "standard_id/jwt_service"
 require "standard_id/web/session_manager"
 require "standard_id/web/token_manager"
@@ -18,6 +19,7 @@ require "standard_id/oauth/client_credentials_flow"
 require "standard_id/oauth/authorization_code_flow"
 require "standard_id/oauth/password_flow"
 require "standard_id/oauth/refresh_token_flow"
+require "standard_id/oauth/social_flow"
 require "standard_id/oauth/authorization_flow"
 require "standard_id/oauth/authorization_code_authorization_flow"
 require "standard_id/oauth/implicit_authorization_flow"
@@ -28,6 +30,9 @@ require "standard_id/oauth/passwordless_otp_flow"
 require "standard_id/passwordless/base_strategy"
 require "standard_id/passwordless/email_strategy"
 require "standard_id/passwordless/sms_strategy"
+require "standard_id/utils/callable_parameter_filter"
+require "standard_id/social_providers/google"
+require "standard_id/social_providers/apple"
 
 module StandardId
   class << self

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - Jaryl Sim
@@ -65,14 +65,15 @@ files:
 - Rakefile
 - app/assets/stylesheets/standard_id/application.css
 - app/controllers/concerns/standard_id/api_authentication.rb
+- app/controllers/concerns/standard_id/social_authentication.rb
 - app/controllers/concerns/standard_id/web_authentication.rb
 - app/controllers/standard_id/api/authorization_controller.rb
 - app/controllers/standard_id/api/base_controller.rb
 - app/controllers/standard_id/api/oauth/base_controller.rb
+- app/controllers/standard_id/api/oauth/callback/providers_controller.rb
 - app/controllers/standard_id/api/oauth/tokens_controller.rb
 - app/controllers/standard_id/api/oidc/logout_controller.rb
 - app/controllers/standard_id/api/passwordless_controller.rb
-- app/controllers/standard_id/api/providers_controller.rb
 - app/controllers/standard_id/api/userinfo_controller.rb
 - app/controllers/standard_id/web/account_controller.rb
 - app/controllers/standard_id/web/auth/callback/providers_controller.rb
@@ -114,6 +115,7 @@ files:
 - app/models/standard_id/username_identifier.rb
 - app/views/standard_id/web/account/edit.html.erb
 - app/views/standard_id/web/account/show.html.erb
+- app/views/standard_id/web/auth/callback/providers/apple_mobile.html.erb
 - app/views/standard_id/web/login/show.html.erb
 - app/views/standard_id/web/reset_password/confirm/show.html.erb
 - app/views/standard_id/web/reset_password/start/show.html.erb
@@ -146,6 +148,7 @@ files:
 - lib/standard_id/config/schema.rb
 - lib/standard_id/engine.rb
 - lib/standard_id/errors.rb
+- lib/standard_id/http_client.rb
 - lib/standard_id/jwt_service.rb
 - lib/standard_id/oauth/authorization_code_authorization_flow.rb
 - lib/standard_id/oauth/authorization_code_flow.rb
@@ -156,6 +159,7 @@ files:
 - lib/standard_id/oauth/password_flow.rb
 - lib/standard_id/oauth/passwordless_otp_flow.rb
 - lib/standard_id/oauth/refresh_token_flow.rb
+- lib/standard_id/oauth/social_flow.rb
 - lib/standard_id/oauth/subflows/base.rb
 - lib/standard_id/oauth/subflows/social_login_grant.rb
 - lib/standard_id/oauth/subflows/traditional_code_grant.rb
@@ -164,6 +168,10 @@ files:
 - lib/standard_id/passwordless/base_strategy.rb
 - lib/standard_id/passwordless/email_strategy.rb
 - lib/standard_id/passwordless/sms_strategy.rb
+- lib/standard_id/social_providers/apple.rb
+- lib/standard_id/social_providers/google.rb
+- lib/standard_id/social_providers/response_builder.rb
+- lib/standard_id/utils/callable_parameter_filter.rb
 - lib/standard_id/version.rb
 - lib/standard_id/web/authentication_guard.rb
 - lib/standard_id/web/session_manager.rb