standard_id 0.1.6 → 0.1.7

data/app/controllers/standard_id/api/oauth/callback/providers_controller.rb

@@ -6,37 +6,24 @@ module StandardId
 
         skip_before_action :validate_content_type!
 
-        def google
-          expect_and_permit!([], [:id_token, :code])
-          handle_social_callback("google")
-        end
-
-        def apple
-          expect_and_permit!([], [:id_token, :code, :state, :flow])
-          handle_social_callback("apple")
-        end
-
-        private
-
-        def handle_social_callback(connection)
+        def callback
           original_params = decode_state_params
-          flow = resolve_flow_for(connection)
-          provider_response = get_user_info_from_provider(connection, flow: flow)
+          provider_response = get_user_info_from_provider(flow: resolve_flow_for(provider.provider_name))
           social_info = provider_response[:user_info]
           provider_tokens = provider_response[:tokens]
-          account = find_or_create_account_from_social(social_info, connection)
+          account = find_or_create_account_from_social(social_info)
 
           flow = StandardId::Oauth::SocialFlow.new(
             params,
             request,
             account: account,
-            connection: connection,
+            connection: provider.provider_name,
             original_params: original_params
           )
 
           token_response = flow.execute
           run_social_callback(
-            provider: connection,
+            provider: provider.provider_name,
             social_info: social_info,
             provider_tokens: provider_tokens,
             account: account,
@@ -44,6 +31,8 @@ module StandardId
           render json: token_response, status: :ok
         end
 
+        private
+
         def decode_state_params
           encoded_state = params[:state]
 

data/app/controllers/standard_id/web/auth/callback/providers_controller.rb

@@ -8,35 +8,10 @@ module StandardId
 
           # Social callbacks must be accessible without an existing browser session
           # because they create/sign-in the session upon successful callback.
-          skip_before_action :require_browser_session!, only: [:google, :apple, :apple_mobile]
-          skip_before_action :verify_authenticity_token, only: [:apple, :apple_mobile]
+          skip_before_action :require_browser_session!, only: [:callback, :mobile_callback]
+          skip_before_action :verify_authenticity_token, only: [:callback, :mobile_callback], if: :skip_csrf_verification?
 
-          def google
-            handle_social_callback("google")
-          end
-
-          def apple
-            handle_social_callback("apple")
-          end
-
-          def apple_mobile
-            state_data = decode_state_params
-            destination = state_data["redirect_uri"]
-
-            unless allow_other_host_redirect?(destination)
-              raise StandardId::InvalidRequestError, "Redirect URI is not allowed"
-            end
-
-            relay_params = mobile_relay_params
-            @mobile_redirect_url = build_mobile_redirect(destination, relay_params)
-            render :apple_mobile, layout: false
-          rescue StandardId::InvalidRequestError => e
-            render plain: e.message, status: :unprocessable_entity
-          end
-
-          private
-
-          def handle_social_callback(connection)
+          def callback
             if params[:error].present?
               handle_callback_error
               return
@@ -46,22 +21,22 @@ module StandardId
 
             begin
               state_data = decode_state_params
-              redirect_uri = connection == "apple" ? apple_callback_url : google_callback_url
-              provider_response = get_user_info_from_provider(connection, redirect_uri: redirect_uri)
+              redirect_uri = callback_url_for
+              provider_response = get_user_info_from_provider(redirect_uri: redirect_uri)
               social_info = provider_response[:user_info]
               provider_tokens = provider_response[:tokens]
-              account = find_or_create_account_from_social(social_info, connection)
+              account = find_or_create_account_from_social(social_info)
               session_manager.sign_in_account(account)
 
               run_social_callback(
-                provider: connection,
+                provider: provider.provider_name,
                 social_info: social_info,
                 provider_tokens: provider_tokens,
                 account: account,
               )
 
               destination = state_data["redirect_uri"]
-              redirect_options = { notice: "Successfully signed in with #{connection.humanize}" }
+              redirect_options = { notice: "Successfully signed in with #{provider.provider_name.humanize}" }
               redirect_options[:allow_other_host] = true if allow_other_host_redirect?(destination)
               redirect_to destination, redirect_options
             rescue StandardId::OAuthError => e
@@ -69,12 +44,33 @@ module StandardId
             end
           end
 
-          def google_callback_url
-            auth_callback_google_url
+          def mobile_callback
+            unless provider.supports_mobile_callback?
+              raise StandardId::InvalidRequestError, "Provider #{provider.provider_name} does not support mobile callback"
+            end
+
+            state_data = decode_state_params
+            destination = state_data["redirect_uri"]
+
+            unless allow_other_host_redirect?(destination)
+              raise StandardId::InvalidRequestError, "Redirect URI is not allowed"
+            end
+
+            relay_params = mobile_relay_params
+            @mobile_redirect_url = build_mobile_redirect(destination, relay_params)
+            render :mobile_callback, layout: false
+          rescue StandardId::InvalidRequestError => e
+            render plain: e.message, status: :unprocessable_entity
+          end
+
+          private
+
+          def callback_url_for
+            "#{request.base_url}#{provider.callback_path}"
           end
 
-          def apple_callback_url
-            auth_callback_apple_url
+          def skip_csrf_verification?
+            provider.skip_csrf?
           end
 
           def decode_state_params

data/app/controllers/standard_id/web/base_controller.rb

@@ -2,6 +2,7 @@ module StandardId
   module Web
     class BaseController < ApplicationController
       include StandardId::WebAuthentication
+      include StandardId::SetCurrentRequestDetails
 
       include StandardId::WebEngine.routes.url_helpers
       helper StandardId::WebEngine.routes.url_helpers

data/app/controllers/standard_id/web/login_controller.rb

@@ -37,28 +37,15 @@ module StandardId
       end
 
       def social_login_url
-        case params[:connection]
-        when "google"
-          google_authorization_url
-        when "apple"
-          apple_authorization_url
-        else
-          raise StandardId::InvalidRequestError, "Unsupported social connection: #{connection}"
-        end
-      end
-
-      def google_authorization_url
-        StandardId::SocialProviders::Google.authorization_url(
-          state: encode_state,
-          redirect_uri: auth_callback_google_url
-        )
-      end
+        connection = params[:connection]
+        provider = StandardId::ProviderRegistry.get(connection)
 
-      def apple_authorization_url
-        StandardId::SocialProviders::Apple.authorization_url(
+        provider.authorization_url(
           state: encode_state,
-          redirect_uri: auth_callback_apple_url
+          redirect_uri: "#{request.base_url}#{provider.callback_path}"
         )
+      rescue StandardId::ProviderRegistry::ProviderNotFoundError => e
+        raise StandardId::InvalidRequestError, e.message
       end
 
       def encode_state

data/app/controllers/standard_id/web/signup_controller.rb

@@ -61,12 +61,9 @@ module StandardId
       end
 
       def callback_url
-        case params[:connection]
-        when "google"
-          auth_callback_google_url
-        when "apple"
-          auth_callback_apple_url
-        end
+        connection = params[:connection]
+        provider = StandardId::ProviderRegistry.get(connection)
+        "#{request.base_url}#{provider.callback_path}"
       end
 
       def encode_state

data/app/forms/standard_id/web/signup_form.rb

@@ -16,15 +16,21 @@ module StandardId
       def submit
         return false unless valid?
 
+        emit_account_creating
+
         ActiveRecord::Base.transaction do
           @account = Account.create!(account_params)
-          StandardId::PasswordCredential.create!(
+
+          password_credential = StandardId::PasswordCredential.create!(
             password_credential_params.merge(
               credential_attributes: {
                 identifier_attributes: email_identifier_params.merge(account: @account)
               }
             )
           )
+
+          emit_account_created
+          emit_credential_created(password_credential)
         end
 
         true
@@ -38,6 +44,31 @@ module StandardId
 
       private
 
+      def emit_account_creating
+        StandardId::Events.publish(
+          StandardId::Events::ACCOUNT_CREATING,
+          account_params: account_params,
+          auth_method: "password"
+        )
+      end
+
+      def emit_account_created
+        StandardId::Events.publish(
+          StandardId::Events::ACCOUNT_CREATED,
+          account: @account,
+          auth_method: "password",
+          source: "signup"
+        )
+      end
+
+      def emit_credential_created(password_credential)
+        StandardId::Events.publish(
+          StandardId::Events::CREDENTIAL_PASSWORD_CREATED,
+          credential: password_credential,
+          account: @account
+        )
+      end
+
       def account_params
         { name: (email.to_s.split("@").first.presence || "User"), email: }
       end

data/app/models/standard_id/browser_session.rb

@@ -2,6 +2,14 @@ module StandardId
   class BrowserSession < Session
     validates :user_agent, presence: true
 
+    def self.expiry
+      StandardId.config.session.browser_session_lifetime.seconds.from_now
+    end
+
+    def self.remember_me_expiry
+      StandardId.config.session.browser_session_remember_me_lifetime.seconds.from_now
+    end
+
     def browser_info
       return {} if user_agent.blank?
 

data/app/models/standard_id/client_secret_credential.rb

@@ -18,6 +18,7 @@ module StandardId
 
     def revoke!
       update!(active: false, revoked_at: Time.current)
+      emit_revoked_event
     end
 
     def active?
@@ -57,6 +58,16 @@ module StandardId
       self.client_secret ||= SecureRandom.hex(32)
     end
 
+    def emit_revoked_event
+      StandardId::Events.publish(
+        StandardId::Events::CREDENTIAL_CLIENT_SECRET_REVOKED,
+        credential: self,
+        client_application: client_application,
+        client_id: client_id,
+        revoked_at: revoked_at
+      )
+    end
+
     # Note: We intentionally do not enforce subset validation for per-secret overrides here.
     # If needed later, we can introduce a configuration flag to enable enforcement.
   end

data/app/models/standard_id/device_session.rb

@@ -3,6 +3,10 @@ module StandardId
     validates :device_id, presence: true
     validates :device_agent, presence: true
 
+    def self.expiry
+      StandardId.config.session.device_session_lifetime.seconds.from_now
+    end
+
     def device_info
       return {} if device_agent.blank?
 

data/app/models/standard_id/identifier.rb

@@ -11,6 +11,7 @@ module StandardId
     validates :value, presence: true, uniqueness: { scope: [:account_id, :type] }
 
     after_commit :mark_account_verified!, on: :update, if: :just_verified?
+    after_commit :emit_identifier_created_event, on: :create
 
     def verified?
       verified_at.present?
@@ -18,6 +19,7 @@ module StandardId
 
     def verify!
       update!(verified_at: Time.current)
+      emit_verification_succeeded
     end
 
     def unverify!
@@ -37,6 +39,32 @@ module StandardId
       return unless account.has_attribute?(:verified_at)
 
       account.update!(verified: true, verified_at: Time.current)
+      emit_account_verified
+    end
+
+    def emit_identifier_created_event
+      StandardId::Events.publish(
+        StandardId::Events::IDENTIFIER_CREATED,
+        identifier: self,
+        account: account
+      )
+    end
+
+    def emit_verification_succeeded
+      StandardId::Events.publish(
+        StandardId::Events::IDENTIFIER_VERIFICATION_SUCCEEDED,
+        identifier: self,
+        account: account,
+        verified_at: verified_at
+      )
+    end
+
+    def emit_account_verified
+      StandardId::Events.publish(
+        StandardId::Events::ACCOUNT_VERIFIED,
+        account: account,
+        verified_via: type.demodulize.underscore.gsub("_identifier", "")
+      )
     end
   end
 end

data/app/models/standard_id/service_session.rb

@@ -21,7 +21,7 @@ module StandardId
     end
 
     def self.default_expiry
-      90.days.from_now # TODO: make this configurable
+      StandardId.config.session.service_session_lifetime.seconds.from_now
     end
 
     def refresh!

data/app/models/standard_id/session.rb

@@ -19,7 +19,7 @@ module StandardId
     attr_reader :token
 
     before_validation :generate_token, :generate_token_digest, :generate_lookup_hash, on: :create
-
+    after_commit :emit_session_revoked_event, on: :update, if: :just_revoked?
 
     def active?
       !revoked? && !expired?
@@ -33,7 +33,8 @@ module StandardId
       revoked_at.present?
     end
 
-    def revoke!
+    def revoke!(reason: nil)
+      @reason = reason
       update!(revoked_at: Time.current)
     end
 
@@ -50,5 +51,18 @@ module StandardId
     def generate_lookup_hash
       self.lookup_hash = Digest::SHA256.hexdigest("#{token}:#{Rails.configuration.secret_key_base}")
     end
+
+    def just_revoked?
+      saved_change_to_revoked_at? && revoked?
+    end
+
+    def emit_session_revoked_event
+      StandardId::Events.publish(
+        StandardId::Events::SESSION_REVOKED,
+        session: self,
+        account:,
+        reason: @reason
+      )
+    end
   end
 end

data/app/views/standard_id/web/auth/callback/providers/{apple_mobile.html.erb → mobile_callback.html.erb}

@@ -2,7 +2,7 @@
 <html>
   <head>
     <meta charset="utf-8" />
-    <title>Continuing Sign in with Apple…</title>
+    <title>Continuing Sign in with <% @provider.provider_name.humanize %> …</title>
     <style>
       body {
         font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;

data/config/routes/api.rb

@@ -16,8 +16,7 @@ StandardId::ApiEngine.routes.draw do
       resource :token, only: [:create]
 
       namespace :callback do
-        post :google, to: "providers#google"
-        post :apple, to: "providers#apple"
+        post ":provider", to: "providers#callback", as: :provider
       end
     end
   end

data/config/routes/web.rb

@@ -7,10 +7,11 @@ StandardId::WebEngine.routes.draw do
 
     # Social authentication callbacks (web flow)
     namespace :auth do
+      post "callback_mobile/:provider", to: "callback/providers#mobile_callback", as: :callback_mobile
+
       namespace :callback do
-        get :google, to: "providers#google"
-        post :apple, to: "providers#apple"
-        post :apple_mobile, to: "providers#apple_mobile"
+        get ":provider", to: "providers#callback", as: :provider
+        post ":provider", to: "providers#callback"
       end
     end
 

data/lib/generators/standard_id/install/templates/standard_id.rb

@@ -15,6 +15,13 @@ StandardId.configure do |c|
   # c.use_inertia = true
   # c.inertia_component_namespace = "auth" # Component path prefix (e.g., "auth/login/show")
 
+  # Session lifetimes (in seconds)
+  # c.session.browser_session_lifetime = 86400      # 24 hours (web sessions)
+  # c.session.browser_session_remember_me_lifetime = 2_592_000 # 30 days (remember me cookies)
+  # c.session.device_session_lifetime = 2_592_000   # 30 days (API device sessions)
+  # c.session.service_session_lifetime = 7_776_000  # 90 days (service-to-service sessions)
+
+  # Passwordless authentication delivery (DEPRECATED - use event subscriptions instead)
   # c.passwordless_email_sender = ->(email, code) { PasswordlessMailer.with(code: code, to: email).deliver_later }
   # c.passwordless_sms_sender   = ->(phone, code) { SmsProvider.send_code(phone: phone, code: code) }
 
@@ -40,6 +47,10 @@ StandardId.configure do |c|
   #   }
   # }
 
+  # Events
+  # Enable or disable logging emitted via the internal event system
+  # c.events.enable_logging = false
+
   # Social login credentials (if enabled in your app)
   # c.social.google_client_id     = ENV["GOOGLE_CLIENT_ID"]
   # c.social.google_client_secret = ENV["GOOGLE_CLIENT_SECRET"]
@@ -55,14 +66,6 @@ StandardId.configure do |c|
   #     name: social_info[:name] || social_info[:given_name]
   #   }
   # }
-  # c.social.social_callback = ->(social_info:, provider:, tokens:, account:) {
-  #   Analytics.track_social_login(
-  #     provider: provider,
-  #     email: social_info[:email],
-  #     tokens: tokens,
-  #     account_id: account.id
-  #   )
-  # }
 
   # OIDC Logout allow list
   # c.allowed_post_logout_redirect_uris = [

data/lib/standard_config/config.rb

@@ -23,13 +23,10 @@ module StandardConfig
     # If set, Authorization endpoints can redirect to this path with a redirect_uri param
     attr_accessor :login_url
 
-    # Social login provider credentials and hooks
-    attr_accessor :google_client_id, :google_client_secret
-    attr_accessor :apple_client_id, :apple_client_secret, :apple_private_key, :apple_key_id, :apple_team_id
-    attr_accessor :social_account_attributes, :social_callback
+    # Social login hooks
+    attr_accessor :social_account_attributes
 
-    # Passwordless authentication callbacks
-    # These should be callable objects (procs/lambdas) that accept (recipient, code) parameters
+    # Passwordless authentication delivery callbacks (deprecated - use events instead)
     attr_accessor :passwordless_email_sender, :passwordless_sms_sender
 
     # Allowed post-logout redirect URIs for OIDC logout endpoint
@@ -56,15 +53,9 @@ module StandardConfig
       @logger = nil
       @issuer = nil
       @login_url = nil
-      @google_client_id = nil
-      @google_client_secret = nil
-      @apple_client_id = nil
-      @apple_client_secret = nil
-      @apple_private_key = nil
       @apple_key_id = nil
       @apple_team_id = nil
       @social_account_attributes = nil
-      @social_callback = nil
       @passwordless_email_sender = nil
       @passwordless_sms_sender = nil
       @allowed_post_logout_redirect_uris = []

data/lib/standard_config/config_provider.rb

@@ -9,9 +9,9 @@ module StandardConfig
     end
 
     def method_missing(method_name, *args)
-      if method_name.to_s.end_with?('=')
+      if method_name.to_s.end_with?("=")
         # Setter - only works for static configs (OpenStruct objects)
-        field_name = method_name.to_s.chomp('=').to_sym
+        field_name = method_name.to_s.chomp("=").to_sym
         validate_field!(field_name)
 
         config_object = @resolver_proc.call
@@ -42,11 +42,11 @@ module StandardConfig
       config_object = @resolver_proc.call
       raw_value = if config_object.respond_to?(field_name)
                     config_object.send(field_name)
-                  elsif config_object.respond_to?(:[])
+      elsif config_object.respond_to?(:[])
                     config_object[field_name] || config_object[field_name.to_s]
-                  else
+      else
                     nil
-                  end
+      end
 
       # Cast the value according to schema
       field_def = @schema&.field_definition(@scope_name, field_name)
@@ -64,7 +64,7 @@ module StandardConfig
     end
 
     def respond_to_missing?(method_name, include_private = false)
-      field_name = method_name.to_s.end_with?('=') ? method_name.to_s.chomp('=').to_sym : method_name.to_sym
+      field_name = method_name.to_s.end_with?("=") ? method_name.to_s.chomp("=").to_sym : method_name.to_sym
       @schema&.valid_field?(@scope_name, field_name) || super
     end
 

data/lib/standard_config/schema.rb

@@ -55,8 +55,8 @@ module StandardConfig
       when :boolean
         case value
         when true, false then value
-        when 'true', '1', 1 then true
-        when 'false', '0', 0 then false
+        when "true", "1", 1 then true
+        when "false", "0", 0 then false
         else !!value
         end
       when :array

data/lib/standard_id/account_locking.rb

@@ -0,0 +1,86 @@
+module StandardId
+  module AccountLocking
+    extend ActiveSupport::Concern
+
+    included do
+      belongs_to :locked_by, polymorphic: true, optional: true
+      belongs_to :unlocked_by, polymorphic: true, optional: true
+
+      scope :locked, -> { where(locked: true) }
+      scope :unlocked, -> { where(locked: false) }
+
+      after_commit :emit_account_locked_event, on: :update, if: :just_locked?
+      after_commit :emit_account_unlocked_event, on: :update, if: :just_unlocked?
+
+      # Subscribe to events to enforce lock status
+      # Lock check runs BEFORE status check (more restrictive first)
+      StandardId::Events.subscribe(
+        StandardId::Events::OAUTH_TOKEN_ISSUING,
+        StandardId::Events::SESSION_CREATING,
+        StandardId::Events::SESSION_VALIDATING
+      ) do |event|
+        account = event[:account]
+        if account&.locked?
+          raise StandardId::AccountLockedError.new(account)
+        end
+      end
+    end
+
+    def locked?
+      locked == true
+    end
+
+    def unlocked?
+      !locked?
+    end
+
+    def lock!(reason:, locked_by: nil)
+      return true if locked?
+
+      update!(
+        locked: true,
+        locked_at: Time.current,
+        lock_reason: reason,
+        locked_by: locked_by
+      )
+    end
+
+    def unlock!(unlocked_by: nil)
+      return true if unlocked?
+
+      update!(
+        locked: false,
+        unlocked_at: Time.current,
+        unlocked_by: unlocked_by,
+        lock_reason: nil
+      )
+    end
+
+    private
+
+    def just_locked?
+      locked_previously_changed? && locked?
+    end
+
+    def just_unlocked?
+      locked_previously_changed? && unlocked?
+    end
+
+    def emit_account_locked_event
+      StandardId::Events.publish(
+        StandardId::Events::ACCOUNT_LOCKED,
+        account: self,
+        reason: lock_reason,
+        locked_by:
+      )
+    end
+
+    def emit_account_unlocked_event
+      StandardId::Events.publish(
+        StandardId::Events::ACCOUNT_UNLOCKED,
+        account: self,
+        unlocked_by:
+      )
+    end
+  end
+end