standard_id 0.1.5 → 0.1.7

data/app/models/standard_id/identifier.rb

@@ -11,6 +11,7 @@ module StandardId
     validates :value, presence: true, uniqueness: { scope: [:account_id, :type] }
 
     after_commit :mark_account_verified!, on: :update, if: :just_verified?
+    after_commit :emit_identifier_created_event, on: :create
 
     def verified?
       verified_at.present?
@@ -18,6 +19,7 @@ module StandardId
 
     def verify!
       update!(verified_at: Time.current)
+      emit_verification_succeeded
     end
 
     def unverify!
@@ -37,6 +39,32 @@ module StandardId
       return unless account.has_attribute?(:verified_at)
 
       account.update!(verified: true, verified_at: Time.current)
+      emit_account_verified
+    end
+
+    def emit_identifier_created_event
+      StandardId::Events.publish(
+        StandardId::Events::IDENTIFIER_CREATED,
+        identifier: self,
+        account: account
+      )
+    end
+
+    def emit_verification_succeeded
+      StandardId::Events.publish(
+        StandardId::Events::IDENTIFIER_VERIFICATION_SUCCEEDED,
+        identifier: self,
+        account: account,
+        verified_at: verified_at
+      )
+    end
+
+    def emit_account_verified
+      StandardId::Events.publish(
+        StandardId::Events::ACCOUNT_VERIFIED,
+        account: account,
+        verified_via: type.demodulize.underscore.gsub("_identifier", "")
+      )
     end
   end
 end

data/app/models/standard_id/service_session.rb

@@ -21,7 +21,7 @@ module StandardId
     end
 
     def self.default_expiry
-      90.days.from_now # TODO: make this configurable
+      StandardId.config.session.service_session_lifetime.seconds.from_now
     end
 
     def refresh!

data/app/models/standard_id/session.rb

@@ -19,7 +19,7 @@ module StandardId
     attr_reader :token
 
     before_validation :generate_token, :generate_token_digest, :generate_lookup_hash, on: :create
-
+    after_commit :emit_session_revoked_event, on: :update, if: :just_revoked?
 
     def active?
       !revoked? && !expired?
@@ -33,7 +33,8 @@ module StandardId
       revoked_at.present?
     end
 
-    def revoke!
+    def revoke!(reason: nil)
+      @reason = reason
       update!(revoked_at: Time.current)
     end
 
@@ -50,5 +51,18 @@ module StandardId
     def generate_lookup_hash
       self.lookup_hash = Digest::SHA256.hexdigest("#{token}:#{Rails.configuration.secret_key_base}")
     end
+
+    def just_revoked?
+      saved_change_to_revoked_at? && revoked?
+    end
+
+    def emit_session_revoked_event
+      StandardId::Events.publish(
+        StandardId::Events::SESSION_REVOKED,
+        session: self,
+        account:,
+        reason: @reason
+      )
+    end
   end
 end

data/app/views/standard_id/web/auth/callback/providers/{apple_mobile.html.erb → mobile_callback.html.erb}

@@ -2,7 +2,7 @@
 <html>
   <head>
     <meta charset="utf-8" />
-    <title>Continuing Sign in with Apple…</title>
+    <title>Continuing Sign in with <% @provider.provider_name.humanize %> …</title>
     <style>
       body {
         font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;

data/config/routes/api.rb

@@ -16,8 +16,7 @@ StandardId::ApiEngine.routes.draw do
       resource :token, only: [:create]
 
       namespace :callback do
-        post :google, to: "providers#google"
-        post :apple, to: "providers#apple"
+        post ":provider", to: "providers#callback", as: :provider
       end
     end
   end

data/config/routes/web.rb

@@ -7,10 +7,11 @@ StandardId::WebEngine.routes.draw do
 
     # Social authentication callbacks (web flow)
     namespace :auth do
+      post "callback_mobile/:provider", to: "callback/providers#mobile_callback", as: :callback_mobile
+
       namespace :callback do
-        get :google, to: "providers#google"
-        post :apple, to: "providers#apple"
-        post :apple_mobile, to: "providers#apple_mobile"
+        get ":provider", to: "providers#callback", as: :provider
+        post ":provider", to: "providers#callback"
       end
     end
 

data/lib/generators/standard_id/install/templates/standard_id.rb

@@ -7,6 +7,21 @@ StandardId.configure do |c|
   # c.cache_store = Rails.cache
   # c.logger = Rails.logger
   # c.web_layout = "application"
+
+  # Inertia.js support (requires inertia_rails gem)
+  # When enabled, StandardId web controllers will render Inertia components
+  # instead of ERB views. You must create the corresponding components in your
+  # frontend (e.g., pages/auth/login/show.tsx)
+  # c.use_inertia = true
+  # c.inertia_component_namespace = "auth" # Component path prefix (e.g., "auth/login/show")
+
+  # Session lifetimes (in seconds)
+  # c.session.browser_session_lifetime = 86400      # 24 hours (web sessions)
+  # c.session.browser_session_remember_me_lifetime = 2_592_000 # 30 days (remember me cookies)
+  # c.session.device_session_lifetime = 2_592_000   # 30 days (API device sessions)
+  # c.session.service_session_lifetime = 7_776_000  # 90 days (service-to-service sessions)
+
+  # Passwordless authentication delivery (DEPRECATED - use event subscriptions instead)
   # c.passwordless_email_sender = ->(email, code) { PasswordlessMailer.with(code: code, to: email).deliver_later }
   # c.passwordless_sms_sender   = ->(phone, code) { SmsProvider.send_code(phone: phone, code: code) }
 
@@ -32,6 +47,10 @@ StandardId.configure do |c|
   #   }
   # }
 
+  # Events
+  # Enable or disable logging emitted via the internal event system
+  # c.events.enable_logging = false
+
   # Social login credentials (if enabled in your app)
   # c.social.google_client_id     = ENV["GOOGLE_CLIENT_ID"]
   # c.social.google_client_secret = ENV["GOOGLE_CLIENT_SECRET"]
@@ -47,14 +66,6 @@ StandardId.configure do |c|
   #     name: social_info[:name] || social_info[:given_name]
   #   }
   # }
-  # c.social.social_callback = ->(social_info:, provider:, tokens:, account:) {
-  #   Analytics.track_social_login(
-  #     provider: provider,
-  #     email: social_info[:email],
-  #     tokens: tokens,
-  #     account_id: account.id
-  #   )
-  # }
 
   # OIDC Logout allow list
   # c.allowed_post_logout_redirect_uris = [

data/lib/standard_config/config.rb

@@ -23,13 +23,10 @@ module StandardConfig
     # If set, Authorization endpoints can redirect to this path with a redirect_uri param
     attr_accessor :login_url
 
-    # Social login provider credentials and hooks
-    attr_accessor :google_client_id, :google_client_secret
-    attr_accessor :apple_client_id, :apple_client_secret, :apple_private_key, :apple_key_id, :apple_team_id
-    attr_accessor :social_account_attributes, :social_callback
+    # Social login hooks
+    attr_accessor :social_account_attributes
 
-    # Passwordless authentication callbacks
-    # These should be callable objects (procs/lambdas) that accept (recipient, code) parameters
+    # Passwordless authentication delivery callbacks (deprecated - use events instead)
     attr_accessor :passwordless_email_sender, :passwordless_sms_sender
 
     # Allowed post-logout redirect URIs for OIDC logout endpoint
@@ -42,25 +39,29 @@ module StandardConfig
     # Examples: "application", "standard_id/web/application", "my_custom_layout"
     attr_accessor :web_layout
 
+    # Enable Inertia.js rendering for StandardId Web controllers
+    # When true and inertia_rails gem is available, controllers will render Inertia components
+    attr_accessor :use_inertia
+
+    # Namespace prefix for Inertia component paths
+    # Example: "Auth" will generate component paths like "Auth/Login/show"
+    attr_accessor :inertia_component_namespace
+
     def initialize
       @account_class_name = nil
       @cache_store = nil
       @logger = nil
       @issuer = nil
       @login_url = nil
-      @google_client_id = nil
-      @google_client_secret = nil
-      @apple_client_id = nil
-      @apple_client_secret = nil
-      @apple_private_key = nil
       @apple_key_id = nil
       @apple_team_id = nil
       @social_account_attributes = nil
-      @social_callback = nil
       @passwordless_email_sender = nil
       @passwordless_sms_sender = nil
       @allowed_post_logout_redirect_uris = []
       @web_layout = nil
+      @use_inertia = nil
+      @inertia_component_namespace = nil
     end
 
     def account_class

data/lib/standard_config/config_provider.rb

@@ -9,9 +9,9 @@ module StandardConfig
     end
 
     def method_missing(method_name, *args)
-      if method_name.to_s.end_with?('=')
+      if method_name.to_s.end_with?("=")
         # Setter - only works for static configs (OpenStruct objects)
-        field_name = method_name.to_s.chomp('=').to_sym
+        field_name = method_name.to_s.chomp("=").to_sym
         validate_field!(field_name)
 
         config_object = @resolver_proc.call
@@ -42,11 +42,11 @@ module StandardConfig
       config_object = @resolver_proc.call
       raw_value = if config_object.respond_to?(field_name)
                     config_object.send(field_name)
-                  elsif config_object.respond_to?(:[])
+      elsif config_object.respond_to?(:[])
                     config_object[field_name] || config_object[field_name.to_s]
-                  else
+      else
                     nil
-                  end
+      end
 
       # Cast the value according to schema
       field_def = @schema&.field_definition(@scope_name, field_name)
@@ -64,7 +64,7 @@ module StandardConfig
     end
 
     def respond_to_missing?(method_name, include_private = false)
-      field_name = method_name.to_s.end_with?('=') ? method_name.to_s.chomp('=').to_sym : method_name.to_sym
+      field_name = method_name.to_s.end_with?("=") ? method_name.to_s.chomp("=").to_sym : method_name.to_sym
       @schema&.valid_field?(@scope_name, field_name) || super
     end
 

data/lib/standard_config/schema.rb

@@ -55,8 +55,8 @@ module StandardConfig
       when :boolean
         case value
         when true, false then value
-        when 'true', '1', 1 then true
-        when 'false', '0', 0 then false
+        when "true", "1", 1 then true
+        when "false", "0", 0 then false
         else !!value
         end
       when :array

data/lib/standard_id/account_locking.rb

@@ -0,0 +1,86 @@
+module StandardId
+  module AccountLocking
+    extend ActiveSupport::Concern
+
+    included do
+      belongs_to :locked_by, polymorphic: true, optional: true
+      belongs_to :unlocked_by, polymorphic: true, optional: true
+
+      scope :locked, -> { where(locked: true) }
+      scope :unlocked, -> { where(locked: false) }
+
+      after_commit :emit_account_locked_event, on: :update, if: :just_locked?
+      after_commit :emit_account_unlocked_event, on: :update, if: :just_unlocked?
+
+      # Subscribe to events to enforce lock status
+      # Lock check runs BEFORE status check (more restrictive first)
+      StandardId::Events.subscribe(
+        StandardId::Events::OAUTH_TOKEN_ISSUING,
+        StandardId::Events::SESSION_CREATING,
+        StandardId::Events::SESSION_VALIDATING
+      ) do |event|
+        account = event[:account]
+        if account&.locked?
+          raise StandardId::AccountLockedError.new(account)
+        end
+      end
+    end
+
+    def locked?
+      locked == true
+    end
+
+    def unlocked?
+      !locked?
+    end
+
+    def lock!(reason:, locked_by: nil)
+      return true if locked?
+
+      update!(
+        locked: true,
+        locked_at: Time.current,
+        lock_reason: reason,
+        locked_by: locked_by
+      )
+    end
+
+    def unlock!(unlocked_by: nil)
+      return true if unlocked?
+
+      update!(
+        locked: false,
+        unlocked_at: Time.current,
+        unlocked_by: unlocked_by,
+        lock_reason: nil
+      )
+    end
+
+    private
+
+    def just_locked?
+      locked_previously_changed? && locked?
+    end
+
+    def just_unlocked?
+      locked_previously_changed? && unlocked?
+    end
+
+    def emit_account_locked_event
+      StandardId::Events.publish(
+        StandardId::Events::ACCOUNT_LOCKED,
+        account: self,
+        reason: lock_reason,
+        locked_by:
+      )
+    end
+
+    def emit_account_unlocked_event
+      StandardId::Events.publish(
+        StandardId::Events::ACCOUNT_UNLOCKED,
+        account: self,
+        unlocked_by:
+      )
+    end
+  end
+end

data/lib/standard_id/account_status.rb

@@ -0,0 +1,45 @@
+module StandardId
+  module AccountStatus
+    extend ActiveSupport::Concern
+
+    included do
+      enum :status, { active: "active", inactive: "inactive" }, default: :active
+
+      after_commit :emit_account_status_changed_event, on: :update, if: :status_previously_changed?
+
+      StandardId::Events.subscribe(
+        StandardId::Events::OAUTH_TOKEN_ISSUING,
+        StandardId::Events::SESSION_CREATING,
+        StandardId::Events::SESSION_VALIDATING
+      ) do |event|
+        account = event[:account]
+        if account&.inactive?
+          raise StandardId::AccountDeactivatedError, "Account is deactivated"
+        end
+      end
+    end
+
+    def activate!
+      return true if active?
+
+      update!(status: :active, activated_at: Time.current)
+    end
+
+    def deactivate!
+      return true if inactive?
+
+      update!(status: :inactive, deactivated_at: Time.current)
+    end
+
+    private
+
+    def emit_account_status_changed_event
+      event = inactive? ? StandardId::Events::ACCOUNT_DEACTIVATED : StandardId::Events::ACCOUNT_ACTIVATED
+      StandardId::Events.publish(
+        event,
+        account: self,
+        previous_status: status_previously_was
+      )
+    end
+  end
+end

data/lib/standard_id/api/authentication_guard.rb

@@ -1,18 +1,21 @@
 module StandardId
   module Api
     class AuthenticationGuard
-      def require_session!(session_manager)
+      def require_session!(session_manager, request: nil)
         api_session = session_manager.current_session
+        emit_session_validating(api_session, request)
 
         if api_session.blank?
           raise StandardId::NotAuthenticatedError, "Invalid or missing access token"
         elsif api_session.respond_to?(:expired?) && api_session.expired?
+          emit_session_expired(api_session)
           raise StandardId::ExpiredSessionError, "Session has expired"
         elsif api_session.respond_to?(:revoked?) && api_session.revoked?
           session_manager.clear_session!
           raise StandardId::RevokedSessionError, "Session has been revoked"
         end
 
+        emit_session_validated(api_session)
         api_session
       end
 
@@ -51,6 +54,42 @@ module StandardId
           raise ArgumentError, "Scopes must be provided as a String, Symbol, or Array"
         end
       end
+
+      def emit_session_validating(api_session, request)
+        StandardId::Events.publish(
+          StandardId::Events::SESSION_VALIDATING,
+          session: api_session
+        )
+      end
+
+      def emit_session_validated(api_session)
+        account = if api_session.respond_to?(:account)
+                    api_session.account
+        elsif api_session.respond_to?(:account_id)
+                    StandardId.account_class.find_by(id: api_session.account_id)
+        end
+
+        StandardId::Events.publish(
+          StandardId::Events::SESSION_VALIDATED,
+          session: api_session,
+          account: account
+        )
+      end
+
+      def emit_session_expired(api_session)
+        account = if api_session.respond_to?(:account)
+                    api_session.account
+        elsif api_session.respond_to?(:account_id)
+                    StandardId.account_class.find_by(id: api_session.account_id)
+        end
+
+        StandardId::Events.publish(
+          StandardId::Events::SESSION_EXPIRED,
+          session: api_session,
+          account: account,
+          expired_at: api_session.respond_to?(:expires_at) ? api_session.expires_at : nil
+        )
+      end
     end
   end
 end

data/lib/standard_id/api/token_manager.rb

@@ -13,7 +13,7 @@ module StandardId
           ip_address: @request.remote_ip,
           device_id: device_id || SecureRandom.uuid,
           device_agent: device_agent || @request.user_agent,
-          expires_at: 30.days.from_now # TODO: make this configurable
+          expires_at: StandardId::DeviceSession.expiry
         )
       end
 

data/lib/standard_id/config/schema.rb

@@ -14,6 +14,12 @@ StandardConfig.schema.draw do
     field :issuer, type: :string, default: nil
     field :login_url, type: :string, default: nil
     field :allowed_post_logout_redirect_uris, type: :array, default: []
+    field :use_inertia, type: :boolean, default: false
+    field :inertia_component_namespace, type: :string, default: "standard_id"
+  end
+
+  scope :events do
+    field :enable_logging, type: :boolean, default: false
   end
 
   scope :passwordless do
@@ -29,6 +35,13 @@ StandardConfig.schema.draw do
     field :require_numbers, type: :boolean, default: false
   end
 
+  scope :session do
+    field :browser_session_lifetime, type: :integer, default: 86400 # 24 hours in seconds
+    field :browser_session_remember_me_lifetime, type: :integer, default: 2592000 # 30 days in seconds
+    field :device_session_lifetime, type: :integer, default: 2592000 # 30 days in seconds
+    field :service_session_lifetime, type: :integer, default: 7776000 # 90 days in seconds
+  end
+
   scope :oauth do
     field :default_token_lifetime, type: :integer, default: 3600 # 1 hour in seconds
     field :refresh_token_lifetime, type: :integer, default: 2592000 # 30 days in seconds
@@ -40,16 +53,7 @@ StandardConfig.schema.draw do
   end
 
   scope :social do
-    field :google_client_id, type: :string, default: nil
-    field :google_client_secret, type: :string, default: nil
-    field :apple_client_id, type: :string, default: nil
-    field :apple_client_secret, type: :string, default: nil
-    field :apple_private_key, type: :string, default: nil
-    field :apple_key_id, type: :string, default: nil
-    field :apple_team_id, type: :string, default: nil
-    field :apple_mobile_client_id, type: :string, default: nil
     field :social_account_attributes, type: :any, default: nil
     field :allowed_redirect_url_prefixes, type: :array, default: []
-    field :social_callback, type: :any, default: nil
   end
 end

data/lib/standard_id/current_attributes.rb

@@ -0,0 +1,9 @@
+module StandardId
+  module CurrentAttributes
+    extend ActiveSupport::Concern
+
+    included do
+      attribute :session, :account, :request_id, :ip_address, :user_agent
+    end
+  end
+end

data/lib/standard_id/engine.rb

@@ -1,5 +1,14 @@
 module StandardId
   class Engine < ::Rails::Engine
     isolate_namespace StandardId
+
+    config.after_initialize do
+      if StandardId.config.events.enable_logging
+        StandardId::Events::Subscribers::LoggingSubscriber.attach
+      end
+
+      StandardId::Events::Subscribers::AccountStatusSubscriber.attach
+      StandardId::Events::Subscribers::AccountLockingSubscriber.attach
+    end
   end
 end

data/lib/standard_id/errors.rb

@@ -4,6 +4,18 @@ module StandardId
   class InvalidSessionError < StandardError; end
   class ExpiredSessionError < InvalidSessionError; end
   class RevokedSessionError < InvalidSessionError; end
+  class AccountDeactivatedError < StandardError; end
+
+  class AccountLockedError < StandardError
+    attr_reader :account, :lock_reason, :locked_at
+
+    def initialize(account)
+      @account = account
+      @lock_reason = account.lock_reason
+      @locked_at = account.locked_at
+      super("Account has been locked#{lock_reason ? ": #{lock_reason}" : ""}")
+    end
+  end
 
   class OAuthError < StandardError
     def oauth_error_code