standard_id 0.1.5 → 0.1.7

data/app/controllers/concerns/standard_id/social_authentication.rb

@@ -2,64 +2,70 @@ module StandardId
   module SocialAuthentication
     extend ActiveSupport::Concern
 
+    included do
+      prepend_before_action :prepare_provider
+    end
+
     private
 
-    def get_user_info_from_provider(connection, redirect_uri: nil, flow: :web)
-      case connection
-      when "google"
-        StandardId::SocialProviders::Google.get_user_info(
-          code: params[:code],
-          id_token: params[:id_token],
-          access_token: params[:access_token],
-          redirect_uri: redirect_uri
-        )
-      when "apple"
-        StandardId::SocialProviders::Apple.get_user_info(
-        code: params[:code],
-          id_token: params[:id_token],
-          redirect_uri: redirect_uri,
-          client_id: apple_client_id_for_flow(flow)
-        )
-      else
-        raise StandardId::InvalidRequestError, "Unsupported provider: #{connection}"
-      end
+    attr_reader :provider
+
+    def prepare_provider
+      @provider = StandardId::ProviderRegistry.get(params[:provider])
+    rescue StandardId::ProviderRegistry::ProviderNotFoundError => e
+      raise StandardId::InvalidRequestError, e.message
     end
 
-    def apple_client_id_for_flow(flow)
-      flow == :web ? StandardId.config.apple_client_id : StandardId.config.apple_mobile_client_id
+    def get_user_info_from_provider(redirect_uri: nil, flow: :web)
+      provider_params = {
+        code: params[:code],
+        id_token: params[:id_token],
+        access_token: params[:access_token],
+        redirect_uri: redirect_uri
+      }
+
+      resolved_params = provider.resolve_params(provider_params, context: { flow: flow })
+      provider.get_user_info(**resolved_params.compact)
     end
 
-    def find_or_create_account_from_social(raw_social_info, provider)
+    def find_or_create_account_from_social(raw_social_info)
       social_info = raw_social_info.to_h.with_indifferent_access
       email = social_info[:email]
-      raise StandardId::InvalidRequestError, "No email provided by #{provider}" if email.blank?
+      raise StandardId::InvalidRequestError, "No email provided by #{provider.provider_name}" if email.blank?
+
+      emit_social_user_info_fetched(provider, social_info, email)
 
       identifier = StandardId::EmailIdentifier.find_by(value: email)
 
       if identifier.present?
+        emit_social_account_linked(identifier.account, provider, identifier)
         identifier.account
       else
-        account = build_account_from_social(social_info, provider)
+        account = build_account_from_social(social_info)
         identifier = StandardId::EmailIdentifier.create!(
           account: account,
           value: email
         )
         identifier.verify! if identifier.respond_to?(:verify!)
+        emit_social_account_created(account, provider, social_info)
         account
       end
     end
 
-    def build_account_from_social(social_info, provider)
-      attrs = resolve_account_attributes(social_info, provider)
-      StandardId.account_class.create!(attrs)
+    def build_account_from_social(social_info)
+      emit_account_creating_from_social(social_info)
+      attrs = resolve_account_attributes(social_info)
+      account = StandardId.account_class.create!(attrs)
+      emit_account_created_from_social(account)
+      account
     end
 
-    def resolve_account_attributes(social_info, provider)
+    def resolve_account_attributes(social_info)
       resolver = StandardId.config.social_account_attributes
       attrs = if resolver.respond_to?(:call)
                 payload = {
                   social_info: social_info,
-                  provider: provider
+                  provider: provider.provider_name
                 }
 
                 filtered_payload = StandardId::Utils::CallableParameterFilter.filter(resolver, payload)
@@ -95,18 +101,61 @@ module StandardId
     end
 
     def run_social_callback(provider:, social_info:, provider_tokens:, account:)
-      callback = StandardId.config.social_callback
-      return if callback.blank?
+      emit_social_auth_completed(provider, social_info, provider_tokens, account)
+    end
 
-      payload = {
+    def emit_social_user_info_fetched(provider, social_info, email)
+      StandardId::Events.publish(
+        StandardId::Events::SOCIAL_USER_INFO_FETCHED,
         provider: provider,
         social_info: social_info,
-        tokens: provider_tokens.presence,
-        account: account
-      }
+        email: email
+      )
+    end
+
+    def emit_social_account_created(account, provider, social_info)
+      StandardId::Events.publish(
+        StandardId::Events::SOCIAL_ACCOUNT_CREATED,
+        account: account,
+        provider: provider,
+        social_info: social_info
+      )
+    end
+
+    def emit_social_account_linked(account, provider, identifier)
+      StandardId::Events.publish(
+        StandardId::Events::SOCIAL_ACCOUNT_LINKED,
+        account: account,
+        provider: provider,
+        identifier: identifier
+      )
+    end
+
+    def emit_social_auth_completed(provider, social_info, provider_tokens, account)
+      StandardId::Events.publish(
+        StandardId::Events::SOCIAL_AUTH_COMPLETED,
+        account: account,
+        provider: provider,
+        social_info: social_info,
+        tokens: provider_tokens
+      )
+    end
+
+    def emit_account_creating_from_social(social_info)
+      StandardId::Events.publish(
+        StandardId::Events::ACCOUNT_CREATING,
+        account_params: resolve_account_attributes(social_info),
+        auth_method: "social:#{provider.provider_name}"
+      )
+    end
 
-      filtered_payload = StandardId::Utils::CallableParameterFilter.filter(callback, payload)
-      callback.call(**filtered_payload.symbolize_keys)
+    def emit_account_created_from_social(account)
+      StandardId::Events.publish(
+        StandardId::Events::ACCOUNT_CREATED,
+        account: account,
+        auth_method: "social:#{provider.provider_name}",
+        source: "social"
+      )
     end
   end
 end

data/app/controllers/concerns/standard_id/web_authentication.rb

@@ -3,6 +3,7 @@ module StandardId
     extend ActiveSupport::Concern
 
     included do
+      include StandardId::InertiaSupport
       helper_method :current_account, :authenticated?
     end
 
@@ -18,6 +19,26 @@ module StandardId
       authentication_guard.require_session!(session_manager, session: session, request: request)
     end
 
+    # Require authentication with redirect to login page instead of raising an error.
+    # Use this for pages that should redirect unauthenticated users to login.
+    def authenticate_account!
+      return if authenticated?
+
+      store_location_for_redirect
+      redirect_to_login
+    end
+
+    # Store the current URL to redirect back after authentication
+    def store_location_for_redirect
+      session[:return_to_after_authenticating] = request.url if request.get?
+    end
+
+    # Redirect to login page, handling both Inertia and standard requests
+    def redirect_to_login
+      login_path = StandardId.config.login_url.presence || "/login"
+      redirect_with_inertia login_path
+    end
+
     def after_authentication_url
       # TODO: add configurable value
       session.delete(:return_to_after_authenticating) || "/"
@@ -28,11 +49,39 @@ module StandardId
       password = login_params[:password]
       remember_me = ActiveModel::Type::Boolean.new.cast(login_params[:remember_me])
 
+      StandardId::Events.publish(
+        StandardId::Events::AUTHENTICATION_ATTEMPT_STARTED,
+        account_lookup: login,
+        auth_method: "password"
+      )
+
       StandardId::PasswordCredential.find_by(login:).tap do |password_credential|
-        return nil unless password_credential&.authenticate(password)
+        unless password_credential&.authenticate(password)
+          StandardId::Events.publish(
+            StandardId::Events::AUTHENTICATION_FAILED,
+            account_lookup: login,
+            auth_method: "password",
+            error_code: "invalid_credentials",
+            error_message: "Invalid login or password"
+          )
+          return nil
+        end
+
+        StandardId::Events.publish(
+          StandardId::Events::PASSWORD_VALIDATED,
+          account: password_credential.account,
+          credential_id: password_credential.id
+        )
 
         session_manager.sign_in_account(password_credential.account)
         session_manager.set_remember_cookie(password_credential) if remember_me
+
+        StandardId::Events.publish(
+          StandardId::Events::AUTHENTICATION_SUCCEEDED,
+          account: password_credential.account,
+          auth_method: "password",
+          session_type: "browser"
+        )
       end
     end
 

data/app/controllers/standard_id/api/base_controller.rb

@@ -2,6 +2,7 @@ module StandardId
   module Api
     class BaseController < ActionController::API
       include StandardId::ApiAuthentication
+      include StandardId::SetCurrentRequestDetails
 
       before_action :validate_content_type!
 

data/app/controllers/standard_id/api/oauth/callback/providers_controller.rb

@@ -6,37 +6,24 @@ module StandardId
 
         skip_before_action :validate_content_type!
 
-        def google
-          expect_and_permit!([], [:id_token, :code])
-          handle_social_callback("google")
-        end
-
-        def apple
-          expect_and_permit!([], [:id_token, :code, :state, :flow])
-          handle_social_callback("apple")
-        end
-
-        private
-
-        def handle_social_callback(connection)
+        def callback
           original_params = decode_state_params
-          flow = resolve_flow_for(connection)
-          provider_response = get_user_info_from_provider(connection, flow: flow)
+          provider_response = get_user_info_from_provider(flow: resolve_flow_for(provider.provider_name))
           social_info = provider_response[:user_info]
           provider_tokens = provider_response[:tokens]
-          account = find_or_create_account_from_social(social_info, connection)
+          account = find_or_create_account_from_social(social_info)
 
           flow = StandardId::Oauth::SocialFlow.new(
             params,
             request,
             account: account,
-            connection: connection,
+            connection: provider.provider_name,
             original_params: original_params
           )
 
           token_response = flow.execute
           run_social_callback(
-            provider: connection,
+            provider: provider.provider_name,
             social_info: social_info,
             provider_tokens: provider_tokens,
             account: account,
@@ -44,6 +31,8 @@ module StandardId
           render json: token_response, status: :ok
         end
 
+        private
+
         def decode_state_params
           encoded_state = params[:state]
 

data/app/controllers/standard_id/web/auth/callback/providers_controller.rb

@@ -8,35 +8,10 @@ module StandardId
 
           # Social callbacks must be accessible without an existing browser session
           # because they create/sign-in the session upon successful callback.
-          skip_before_action :require_browser_session!, only: [:google, :apple, :apple_mobile]
-          skip_before_action :verify_authenticity_token, only: [:apple, :apple_mobile]
+          skip_before_action :require_browser_session!, only: [:callback, :mobile_callback]
+          skip_before_action :verify_authenticity_token, only: [:callback, :mobile_callback], if: :skip_csrf_verification?
 
-          def google
-            handle_social_callback("google")
-          end
-
-          def apple
-            handle_social_callback("apple")
-          end
-
-          def apple_mobile
-            state_data = decode_state_params
-            destination = state_data["redirect_uri"]
-
-            unless allow_other_host_redirect?(destination)
-              raise StandardId::InvalidRequestError, "Redirect URI is not allowed"
-            end
-
-            relay_params = mobile_relay_params
-            @mobile_redirect_url = build_mobile_redirect(destination, relay_params)
-            render :apple_mobile, layout: false
-          rescue StandardId::InvalidRequestError => e
-            render plain: e.message, status: :unprocessable_entity
-          end
-
-          private
-
-          def handle_social_callback(connection)
+          def callback
             if params[:error].present?
               handle_callback_error
               return
@@ -46,22 +21,22 @@ module StandardId
 
             begin
               state_data = decode_state_params
-              redirect_uri = connection == "apple" ? apple_callback_url : google_callback_url
-              provider_response = get_user_info_from_provider(connection, redirect_uri: redirect_uri)
+              redirect_uri = callback_url_for
+              provider_response = get_user_info_from_provider(redirect_uri: redirect_uri)
               social_info = provider_response[:user_info]
               provider_tokens = provider_response[:tokens]
-              account = find_or_create_account_from_social(social_info, connection)
+              account = find_or_create_account_from_social(social_info)
               session_manager.sign_in_account(account)
 
               run_social_callback(
-                provider: connection,
+                provider: provider.provider_name,
                 social_info: social_info,
                 provider_tokens: provider_tokens,
                 account: account,
               )
 
               destination = state_data["redirect_uri"]
-              redirect_options = { notice: "Successfully signed in with #{connection.humanize}" }
+              redirect_options = { notice: "Successfully signed in with #{provider.provider_name.humanize}" }
               redirect_options[:allow_other_host] = true if allow_other_host_redirect?(destination)
               redirect_to destination, redirect_options
             rescue StandardId::OAuthError => e
@@ -69,12 +44,33 @@ module StandardId
             end
           end
 
-          def google_callback_url
-            auth_callback_google_url
+          def mobile_callback
+            unless provider.supports_mobile_callback?
+              raise StandardId::InvalidRequestError, "Provider #{provider.provider_name} does not support mobile callback"
+            end
+
+            state_data = decode_state_params
+            destination = state_data["redirect_uri"]
+
+            unless allow_other_host_redirect?(destination)
+              raise StandardId::InvalidRequestError, "Redirect URI is not allowed"
+            end
+
+            relay_params = mobile_relay_params
+            @mobile_redirect_url = build_mobile_redirect(destination, relay_params)
+            render :mobile_callback, layout: false
+          rescue StandardId::InvalidRequestError => e
+            render plain: e.message, status: :unprocessable_entity
+          end
+
+          private
+
+          def callback_url_for
+            "#{request.base_url}#{provider.callback_path}"
           end
 
-          def apple_callback_url
-            auth_callback_apple_url
+          def skip_csrf_verification?
+            provider.skip_csrf?
           end
 
           def decode_state_params

data/app/controllers/standard_id/web/base_controller.rb

@@ -2,6 +2,7 @@ module StandardId
   module Web
     class BaseController < ApplicationController
       include StandardId::WebAuthentication
+      include StandardId::SetCurrentRequestDetails
 
       include StandardId::WebEngine.routes.url_helpers
       helper StandardId::WebEngine.routes.url_helpers

data/app/controllers/standard_id/web/login_controller.rb

@@ -1,6 +1,8 @@
 module StandardId
   module Web
     class LoginController < BaseController
+      include StandardId::InertiaRendering
+
       layout "public"
 
       skip_before_action :require_browser_session!, only: [:show, :create]
@@ -11,6 +13,8 @@ module StandardId
       def show
         @redirect_uri = params[:redirect_uri] || after_authentication_url
         @connection = params[:connection]
+
+        render_with_inertia props: auth_page_props
       end
 
       def create
@@ -18,7 +22,7 @@ module StandardId
           redirect_to params[:redirect_uri] || after_authentication_url, status: :see_other, notice: "Successfully signed in"
         else
           flash.now[:alert] = "Invalid email or password"
-          render :show, status: :unprocessable_content
+          render_with_inertia action: :show, props: auth_page_props, status: :unprocessable_content
         end
       end
 
@@ -29,32 +33,19 @@ module StandardId
       end
 
       def redirect_if_social_login
-        redirect_to social_login_url, allow_other_host: true if params[:connection].present?
+        redirect_with_inertia social_login_url, allow_other_host: true if params[:connection].present?
       end
 
       def social_login_url
-        case params[:connection]
-        when "google"
-          google_authorization_url
-        when "apple"
-          apple_authorization_url
-        else
-          raise StandardId::InvalidRequestError, "Unsupported social connection: #{connection}"
-        end
-      end
-
-      def google_authorization_url
-        StandardId::SocialProviders::Google.authorization_url(
-          state: encode_state,
-          redirect_uri: auth_callback_google_url
-        )
-      end
+        connection = params[:connection]
+        provider = StandardId::ProviderRegistry.get(connection)
 
-      def apple_authorization_url
-        StandardId::SocialProviders::Apple.authorization_url(
+        provider.authorization_url(
           state: encode_state,
-          redirect_uri: auth_callback_apple_url
+          redirect_uri: "#{request.base_url}#{provider.callback_path}"
         )
+      rescue StandardId::ProviderRegistry::ProviderNotFoundError => e
+        raise StandardId::InvalidRequestError, e.message
       end
 
       def encode_state

data/app/controllers/standard_id/web/signup_controller.rb

@@ -1,6 +1,8 @@
 module StandardId
   module Web
     class SignupController < BaseController
+      include StandardId::InertiaRendering
+
       layout "public"
 
       skip_before_action :require_browser_session!, only: [:show, :create]
@@ -11,6 +13,8 @@ module StandardId
       def show
         @redirect_uri = params[:redirect_uri] || after_authentication_url
         @connection = params[:connection] # For social login detection
+
+        render_with_inertia props: auth_page_props
       end
 
       def create
@@ -24,7 +28,7 @@ module StandardId
       end
 
       def redirect_if_social_login
-        redirect_to social_signup_url, allow_other_host: true if params[:connection].present?
+        redirect_with_inertia social_signup_url, allow_other_host: true if params[:connection].present?
       end
 
       def handle_password_signup
@@ -35,8 +39,10 @@ module StandardId
           redirect_to params[:redirect_uri] || after_authentication_url,
                       notice: "Account created successfully"
         else
+          @redirect_uri = params[:redirect_uri] || after_authentication_url
+          @connection = params[:connection]
           flash.now[:alert] = form.errors.full_messages.join(", ")
-          render :show, status: :unprocessable_content
+          render_with_inertia action: :show, props: auth_page_props(errors: form.errors.to_hash), status: :unprocessable_content
         end
       end
 
@@ -55,12 +61,9 @@ module StandardId
       end
 
       def callback_url
-        case params[:connection]
-        when "google"
-          auth_callback_google_url
-        when "apple"
-          auth_callback_apple_url
-        end
+        connection = params[:connection]
+        provider = StandardId::ProviderRegistry.get(connection)
+        "#{request.base_url}#{provider.callback_path}"
       end
 
       def encode_state

data/app/forms/standard_id/web/signup_form.rb

@@ -16,15 +16,21 @@ module StandardId
       def submit
         return false unless valid?
 
+        emit_account_creating
+
         ActiveRecord::Base.transaction do
           @account = Account.create!(account_params)
-          StandardId::PasswordCredential.create!(
+
+          password_credential = StandardId::PasswordCredential.create!(
             password_credential_params.merge(
               credential_attributes: {
                 identifier_attributes: email_identifier_params.merge(account: @account)
               }
             )
           )
+
+          emit_account_created
+          emit_credential_created(password_credential)
         end
 
         true
@@ -38,6 +44,31 @@ module StandardId
 
       private
 
+      def emit_account_creating
+        StandardId::Events.publish(
+          StandardId::Events::ACCOUNT_CREATING,
+          account_params: account_params,
+          auth_method: "password"
+        )
+      end
+
+      def emit_account_created
+        StandardId::Events.publish(
+          StandardId::Events::ACCOUNT_CREATED,
+          account: @account,
+          auth_method: "password",
+          source: "signup"
+        )
+      end
+
+      def emit_credential_created(password_credential)
+        StandardId::Events.publish(
+          StandardId::Events::CREDENTIAL_PASSWORD_CREATED,
+          credential: password_credential,
+          account: @account
+        )
+      end
+
       def account_params
         { name: (email.to_s.split("@").first.presence || "User"), email: }
       end

data/app/models/standard_id/browser_session.rb

@@ -2,6 +2,14 @@ module StandardId
   class BrowserSession < Session
     validates :user_agent, presence: true
 
+    def self.expiry
+      StandardId.config.session.browser_session_lifetime.seconds.from_now
+    end
+
+    def self.remember_me_expiry
+      StandardId.config.session.browser_session_remember_me_lifetime.seconds.from_now
+    end
+
     def browser_info
       return {} if user_agent.blank?
 

data/app/models/standard_id/client_secret_credential.rb

@@ -18,6 +18,7 @@ module StandardId
 
     def revoke!
       update!(active: false, revoked_at: Time.current)
+      emit_revoked_event
     end
 
     def active?
@@ -57,6 +58,16 @@ module StandardId
       self.client_secret ||= SecureRandom.hex(32)
     end
 
+    def emit_revoked_event
+      StandardId::Events.publish(
+        StandardId::Events::CREDENTIAL_CLIENT_SECRET_REVOKED,
+        credential: self,
+        client_application: client_application,
+        client_id: client_id,
+        revoked_at: revoked_at
+      )
+    end
+
     # Note: We intentionally do not enforce subset validation for per-secret overrides here.
     # If needed later, we can introduce a configuration flag to enable enforcement.
   end

data/app/models/standard_id/device_session.rb

@@ -3,6 +3,10 @@ module StandardId
     validates :device_id, presence: true
     validates :device_agent, presence: true
 
+    def self.expiry
+      StandardId.config.session.device_session_lifetime.seconds.from_now
+    end
+
     def device_info
       return {} if device_agent.blank?