standard_id 0.1.6 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7a8069c98c5ede27fc1f485806e5a9b150d4f43294d177f59fe89008e11bd289
-  data.tar.gz: e88dae408bce4db81c42c780985d9e4a833b4864636a2d10b5ff979407dc9562
+  metadata.gz: 313792f07d188ad560c11e667abdcb3b7fbfb8d15738d892152beae42b287d65
+  data.tar.gz: 4b1811518c974b8e467987fce6abc153ad05f46dd876a1cfe2f40c88c768516c
 SHA512:
-  metadata.gz: 19f08dcd3da104952f2313669bc7bceb18ef0ce866ff234a0beb966e64d83294cefc76886c2f5e74080b935271444afeae0057deadcbac7bcfda40f6dd0441b4
-  data.tar.gz: 2531fba6a76ea0dd4800cebe0444a86cdea8ab516c64888b40b7d60aa681a957af2f3f4fb9622aebc6cf6f25b44a3caf0b3d03f16dcc673ce2f0a30c79599211
+  metadata.gz: 2a59a7565ac2a591fef01ff9aa90edc505e8383f3b9b3d2ac5e4ae82a3d777a9902934bd63683d1adff0211fa0dbc0687e0fd3c6c64428b3e0833c512b8bf9c5
+  data.tar.gz: 6313c08cd9f375e737563324e2c20a16e9ed3f5f4e25fca793f19c2bd18ad4dff06cba49437b914a5776f164d95d95d33cc880d1b332b74cdaf493e661400e2b

data/README.md

@@ -123,9 +123,11 @@ StandardId.configure do |config|
   # config.use_inertia = true
   # config.inertia_component_namespace = "auth"
 
-  # Passwordless delivery callbacks
-  # config.passwordless_email_sender = ->(email, code) { UserMailer.send_code(email, code).deliver_now }
-  # config.passwordless_sms_sender   = ->(phone, code) { SmsService.send_code(phone, code) }
+  # Session lifetimes
+  # config.session.browser_session_lifetime = 86400      # 24 hours (web sessions)
+  # config.session.browser_session_remember_me_lifetime = 2_592_000 # 30 days (remember me cookies)
+  # config.session.device_session_lifetime = 2_592_000   # 30 days (API device sessions)
+  # config.session.service_session_lifetime = 7_776_000  # 90 days (service-to-service sessions)
 
   # Subset configuration
   # config.password.minimum_length = 12
@@ -186,21 +188,24 @@ StandardId.configure do |config|
       name: social_info[:name] || social_info[:given_name]
     }
   }
-
-  # Optional: run a callback whenever a social login completes
-  config.social.social_callback = ->(social_info:, provider:, tokens:, account:) {
-    AuditLog.social_login(
-      provider: provider,
-      email: social_info[:email],
-      tokens: tokens,
-      account_id: account.id,
-    )
-  }
 end
 ```
 
 `social_info` is an indifferent-access hash containing at least `email`, `name`, and `provider_id`.
 
+To handle social login completion (e.g., for analytics or audit logging), subscribe to the `SOCIAL_AUTH_COMPLETED` event:
+
+```ruby
+# config/initializers/standard_id_events.rb
+StandardId::Events.subscribe(StandardId::Events::SOCIAL_AUTH_COMPLETED) do |event|
+  Analytics.track_social_login(
+    provider: event[:provider],
+    account_id: event[:account].id,
+    tokens: event[:tokens]
+  )
+end
+```
+
 ### Inertia.js Integration
 
 StandardId supports [Inertia.js](https://inertiajs.com/) for modern React, Vue, or Svelte frontends. When enabled, web controllers render Inertia components instead of ERB views.
@@ -355,22 +360,403 @@ end
 
 This will redirect unauthenticated users to the login page using `inertia_location` for Inertia requests, ensuring proper SPA navigation.
 
-### Passwordless Authentication
+### Passwordless Code Delivery
+
+Subscribe to the `PASSWORDLESS_CODE_GENERATED` event to deliver OTP codes:
+
+```ruby
+# config/initializers/standard_id_events.rb
+StandardId::Events.subscribe(StandardId::Events::PASSWORDLESS_CODE_GENERATED) do |event|
+  case event[:channel]
+  when "email"
+    UserMailer.send_code(event[:identifier], event[:code_challenge].code).deliver_now
+  when "sms"
+    SmsService.send_code(event[:identifier], event[:code_challenge].code)
+  end
+end
+```
+
+Event payload includes:
+- `channel` - `"email"` or `"sms"`
+- `identifier` - The email address or phone number
+- `code_challenge` - The code challenge object with `.code` method
+- `expires_at` - When the code expires
+
+> **Note**: If you're using the deprecated `passwordless_email_sender` or `passwordless_sms_sender` callbacks, see the [Migration Guide](docs/MIGRATION_GUIDE.md) for upgrade instructions.
+
+## Event System
+
+StandardId emits events throughout the authentication lifecycle using `ActiveSupport::Notifications`. This enables decoupled handling of cross-cutting concerns like logging, analytics, audit trails, and webhooks.
+
+### Enabling Event Logging
+
+Enable the built-in structured logging subscriber:
 
 ```ruby
 StandardId.configure do |config|
-  # Email delivery
-  config.passwordless_email_sender = ->(email, code) {
-    UserMailer.send_code(email, code).deliver_now
-  }
+  config.events.enable_logging = true
+end
+```
 
-  # SMS delivery
-  config.passwordless_sms_sender = ->(phone, code) {
-    SmsService.send_code(phone, code)
-  }
+This outputs JSON-structured logs for all authentication events:
+
+```json
+{
+  "subject": "standard_id.authentication.attempt.succeeded",
+  "severity": "info",
+  "duration": 50.25,
+  "account_id": 123,
+  "auth_method": "password",
+  "ip_address": "192.168.1.1"
+}
+```
+
+### Available Events
+
+Every StandardId event automatically carries tracing metadata (`event_id`, `timestamp`, and request-scoped fields like `request_id`, `ip_address`, `user_agent`, `current_account` when available). The table below lists the domain-specific payload fields and when each event fires.
+
+| Category | Event | Payload fields | When emitted |
+|----------|-------|----------------|--------------|
+| Authentication | `authentication.attempt.started` | `account_lookup`, `auth_method` | Before credential validation begins |
+|  | `authentication.attempt.succeeded` | `account`, `auth_method`, `session_type` | After authentication succeeds |
+|  | `authentication.attempt.failed` | `account_lookup`, `auth_method`, `error_code`, `error_message` | After authentication fails |
+|  | `authentication.password.failed` | `account_lookup`, `error_code`, `error_message` | After password verification fails |
+|  | `authentication.otp.failed` | `identifier`, `channel`, `error_code`, `error_message` | After OTP verification fails |
+| Session | `session.creating` | `account`, `session_type`, `ip_address`, `user_agent` | Before a session record is created |
+|  | `session.created` | `session`, `account`, `session_type`, `token_issued`, `ip_address`, `user_agent` | After session persistence completes |
+|  | `session.validating` | `session` | Before validating an existing session |
+|  | `session.validated` | `session`, `account` | After a session passes validation |
+|  | `session.expired` | `session`, `account`, `expired_at` | When validation fails because the session expired |
+|  | `session.revoked` | `session`, `account`, `reason` | After a session is explicitly revoked |
+|  | `session.refreshed` | `session`, `account`, `old_expires_at`, `new_expires_at` | After a refresh operation extends a session |
+| Account | `account.creating` | `account_params`, `auth_method` | Before an account record is created |
+|  | `account.created` | `account`, `auth_method`, `source` (signup/passwordless/social) | After an account record is created |
+|  | `account.verified` | `account`, `verified_via` (email/phone) | When an account is marked verified |
+|  | `account.status_changed` | `account`, `old_status`, `new_status`, `changed_by` | When account status transitions (Issue #16) |
+|  | `account.locked` | `account`, `lock_reason`, `locked_by` | When an account is administratively locked (Issue #17) |
+|  | `account.unlocked` | `account`, `unlocked_by` | When an account lock is lifted (Issue #17) |
+| Identifier | `identifier.created` | `identifier`, `account` | After an identifier record is created |
+|  | `identifier.verification.started` | `identifier`, `channel` (email/sms), `code_sent` | After a verification code is issued |
+|  | `identifier.verification.succeeded` | `identifier`, `account`, `verified_at` | After identifier verification succeeds |
+|  | `identifier.verification.failed` | `identifier`, `error_code`, `attempts` | After identifier verification fails |
+|  | `identifier.linked` | `identifier`, `account`, `source` (social/manual) | When an identifier is associated to an account |
+| OAuth | `oauth.authorization.requested` | `client_id`, `account`, `scope`, `redirect_uri` | Before issuing an authorization code |
+|  | `oauth.authorization.granted` | `authorization_code`, `client_id`, `account`, `scope` | After an authorization code is created |
+|  | `oauth.authorization.denied` | `client_id`, `account`, `reason` | When a user denies authorization |
+|  | `oauth.token.issuing` | `grant_type`, `client_id`, `account`, `scope` | Before generating access/refresh tokens |
+|  | `oauth.token.issued` | `access_token_id`, `grant_type`, `client_id`, `account`, `expires_in` | After tokens are generated |
+|  | `oauth.token.refreshed` | `old_token_id`, `new_token_id`, `client_id`, `account` | After a refresh token is redeemed |
+|  | `oauth.code.consumed` | `authorization_code`, `client_id`, `account` | After an authorization code is exchanged |
+| Passwordless | `passwordless.code.requested` | `identifier`, `channel` (email/sms) | Before generating an OTP |
+|  | `passwordless.code.generated` | `code_challenge`, `identifier`, `channel`, `expires_at` | After an OTP is created |
+|  | `passwordless.code.sent` | `identifier`, `channel`, `delivery_status` | After an OTP is delivered |
+|  | `passwordless.code.verified` | `code_challenge`, `account`, `channel` | After OTP verification succeeds |
+|  | `passwordless.code.failed` | `identifier`, `channel`, `attempts` | After OTP verification fails |
+|  | `passwordless.account.created` | `account`, `channel`, `identifier` | When an account is created via passwordless flow |
+| Social | `social.auth.started` | `provider`, `redirect_uri`, `state` | Before redirecting to a social provider |
+|  | `social.auth.callback_received` | `provider`, `code`, `state` | After the provider redirects back |
+|  | `social.user_info.fetched` | `provider`, `social_info`, `email` | After fetching user info from the provider |
+|  | `social.account.created` | `account`, `provider`, `social_info` | When a social login creates a new account |
+|  | `social.account.linked` | `account`, `provider`, `identifier` | When a social identity links to an existing account |
+|  | `social.auth.completed` | `account`, `provider`, `tokens` | After social login completes |
+| Credential | `credential.password.created` | `credential`, `account` | After a password credential is created |
+|  | `credential.password.reset_initiated` | `credential`, `account`, `reset_token_expires_at` | After a password reset is initiated |
+|  | `credential.password.reset_completed` | `credential`, `account` | After a password reset is confirmed |
+|  | `credential.password.changed` | `credential`, `account`, `changed_by` | After a password is updated |
+|  | `credential.client_secret.created` | `credential`, `client_id` | After a client secret is created |
+|  | `credential.client_secret.rotated` | `credential`, `client_id`, `old_secret_revoked_at` | After a client secret rotation |
+
+### Subscribing to Events
+
+#### Block-based (simple)
+
+```ruby
+# config/initializers/standard_id_events.rb
+StandardId::Events.subscribe(StandardId::Events::AUTHENTICATION_SUCCEEDED) do |event|
+  Analytics.track_login(
+    account_id: event[:account].id,
+    method: event[:auth_method],
+    ip: event[:ip_address]
+  )
+end
+
+# Subscribe to multiple events at once
+StandardId::Events.subscribe(
+  StandardId::Events::SESSION_CREATING,
+  StandardId::Events::SESSION_VALIDATING,
+  StandardId::Events::OAUTH_TOKEN_ISSUING
+) do |event|
+  # Handle all three events with the same block
+  check_rate_limit(event[:account], event[:ip_address])
+end
+
+# Subscribe to events with pattern matching
+StandardId::Events.subscribe(/social/) do |event|
+  Rails.logger.info("Social event: #{event.name}")
+end
+```
+
+#### Class-based (complex logic)
+
+```ruby
+# app/subscribers/audit_subscriber.rb
+class AuditSubscriber < StandardId::Events::Subscribers::Base
+  subscribe_to StandardId::Events::SECURITY_EVENTS
+
+  def call(event)
+    AuditLog.create!(
+      event_type: event.short_name,
+      account_id: event[:account]&.id,
+      ip_address: event[:ip_address],
+      metadata: event.payload
+    )
+  end
+end
+
+# config/initializers/standard_id_events.rb
+AuditSubscriber.attach
+```
+
+## Account Status (Activation/Deactivation)
+
+StandardId provides an optional `AccountStatus` concern for managing account activation and deactivation. This uses Rails enum with the event system to enforce status checks and handle side effects without modifying core authentication logic.
+
+### Setup
+
+1. Add a migration for the status column. For PostgreSQL (recommended), use a native enum type:
+
+```ruby
+# PostgreSQL with native enum (recommended)
+class AddStatusToUsers < ActiveRecord::Migration[8.0]
+  def up
+    create_enum :account_status, %w[active inactive]
+
+    add_column :users, :status, :enum, enum_type: :account_status, default: "active", null: false
+    add_column :users, :activated_at, :datetime
+    add_column :users, :deactivated_at, :datetime
+  end
+
+  def down
+    remove_column :users, :status
+    remove_column :users, :activated_at
+    remove_column :users, :deactivated_at
+
+    drop_enum :account_status
+  end
+end
+```
+
+For other databases (MySQL, SQLite), use a string column:
+
+```ruby
+# String column (MySQL, SQLite)
+class AddStatusToUsers < ActiveRecord::Migration[8.0]
+  def change
+    add_column :users, :status, :string, default: "active", null: false
+    add_column :users, :activated_at, :datetime
+    add_column :users, :deactivated_at, :datetime
+    add_index :users, :status
+  end
+end
+```
+
+2. Include the concern in your account model:
+
+```ruby
+class User < ApplicationRecord
+  include StandardId::AccountStatus
+  # ...
+end
+```
+
+The concern works with both PostgreSQL enum and string columns - Rails enum handles both transparently.
+
+### Usage
+
+```ruby
+# Deactivate an account
+user.deactivate!
+# => Emits ACCOUNT_DEACTIVATED event
+# => All active sessions are automatically revoked
+
+# Reactivate an account
+user.activate!
+# => Emits ACCOUNT_ACTIVATED event
+# => User can log in again
+
+# Check status
+user.active?    # => true/false
+user.inactive?  # => true/false
+
+# Query scopes
+User.active     # => Users with status 'active'
+User.inactive   # => Users with status 'inactive'
+```
+
+### Handling AccountDeactivatedError
+
+When an inactive account attempts to authenticate, `StandardId::AccountDeactivatedError` is raised. You need to handle this error in your application controller:
+
+```ruby
+# app/controllers/application_controller.rb
+class ApplicationController < ActionController::Base
+  include StandardId::WebAuthentication
+
+  rescue_from StandardId::AccountDeactivatedError, with: :handle_account_deactivated
+
+  private
+
+  def handle_account_deactivated
+    # For web requests, redirect with a message
+    redirect_to login_path, alert: "Your account has been deactivated. Please contact support."
+  end
+end
+```
+
+For API controllers:
+
+```ruby
+# app/controllers/api/base_controller.rb
+class Api::BaseController < ActionController::API
+  include StandardId::ApiAuthentication
+
+  rescue_from StandardId::AccountDeactivatedError, with: :handle_account_deactivated
+
+  private
+
+  def handle_account_deactivated
+    render json: {
+      error: "account_deactivated",
+      message: "Your account has been deactivated"
+    }, status: :forbidden
+  end
 end
 ```
 
+## Account Locking (Administrative Security)
+
+StandardId provides an optional `AccountLocking` concern for administrative account locking. This is distinct from account deactivation - locking is for security enforcement by administrators, while deactivation is for lifecycle management.
+
+### Key Differences from Account Deactivation
+
+| Feature | Account Status | Account Locking |
+|---------|---------------|-----------------|
+| **Purpose** | Lifecycle management | Security enforcement |
+| **Who Controls** | System/User | Admin/Staff only |
+| **User Reversible** | Yes (future) | No |
+| **Use Cases** | Inactivity, user choice | Policy violation, security incident, fraud |
+
+An account can be in any combination:
+- Active + Unlocked ✅ (normal operation)
+- Active + Locked ⚠️ (admin locked for security)
+- Inactive + Unlocked ⚠️ (deactivated but not locked)
+- Inactive + Locked 🚫 (both restrictions apply)
+
+### Setup
+
+1. Add a migration for the locking columns:
+
+```ruby
+class AddLockingToUsers < ActiveRecord::Migration[8.0]
+  def change
+    add_column :users, :locked, :boolean, default: false, null: false
+    add_column :users, :locked_at, :datetime
+    add_column :users, :lock_reason, :string
+    add_column :users, :locked_by_id, :integer
+    add_column :users, :locked_by_type, :string
+    add_column :users, :unlocked_at, :datetime
+    add_column :users, :unlocked_by_id, :integer
+    add_column :users, :unlocked_by_type, :string
+
+    add_index :users, :locked
+    add_index :users, [:locked_by_type, :locked_by_id]
+  end
+end
+```
+
+2. Include the concern in your account model:
+
+```ruby
+class User < ApplicationRecord
+  include StandardId::AccountLocking  # For admin locking
+  include StandardId::AccountStatus   # Optional: for activation/deactivation
+  # ...
+end
+```
+
+### Usage
+
+```ruby
+# Lock an account (revokes all active sessions immediately)
+user.lock!(reason: "Suspicious activity detected", locked_by: current_admin)
+# => Emits ACCOUNT_LOCKED event
+# => All active sessions (browser, device, service) are revoked
+
+# Unlock an account (user must log in again)
+user.unlock!(unlocked_by: current_admin)
+# => Emits ACCOUNT_UNLOCKED event
+# => User can log in again
+
+# Check lock status
+user.locked?    # => true/false
+user.unlocked?  # => true/false
+
+# Query scopes
+User.locked     # => Users with locked = true
+User.unlocked   # => Users with locked = false
+
+# Combine with AccountStatus scopes
+User.unlocked.active  # => Users who can log in
+```
+
+### Handling AccountLockedError
+
+When a locked account attempts to authenticate, `StandardId::AccountLockedError` is raised. The error includes metadata about the lock:
+
+```ruby
+# app/controllers/application_controller.rb
+class ApplicationController < ActionController::Base
+  include StandardId::WebAuthentication
+
+  rescue_from StandardId::AccountLockedError, with: :handle_account_locked
+
+  private
+
+  def handle_account_locked(error)
+    # error.account     - The locked account
+    # error.lock_reason - Why the account was locked
+    # error.locked_at   - When the account was locked
+    redirect_to login_path, alert: "Your account has been locked. Please contact support."
+  end
+end
+```
+
+For API controllers:
+
+```ruby
+# app/controllers/api/base_controller.rb
+class Api::BaseController < ActionController::API
+  include StandardId::ApiAuthentication
+
+  rescue_from StandardId::AccountLockedError, with: :handle_account_locked
+
+  private
+
+  def handle_account_locked(error)
+    render json: {
+      error: "account_locked",
+      message: "Your account has been locked. Please contact support.",
+      locked_at: error.locked_at&.iso8601
+      # Note: Consider not exposing lock_reason to end users for security
+    }, status: :forbidden
+  end
+end
+```
+
+### Event Subscriptions
+
+Both `AccountStatus` and `AccountLocking` subscribe to the same events (`OAUTH_TOKEN_ISSUING`, `SESSION_CREATING`, `SESSION_VALIDATING`). The lock check runs alongside the status check - authentication fails if either condition prevents access.
+
 ## Usage Examples
 
 ### Web Authentication

data/app/controllers/concerns/standard_id/set_current_request_details.rb

@@ -0,0 +1,19 @@
+module StandardId
+  module SetCurrentRequestDetails
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :set_current_request_details
+    end
+
+    private
+
+    def set_current_request_details
+      return unless defined?(::Current)
+
+      ::Current.request_id = request.request_id if ::Current.respond_to?(:request_id=)
+      ::Current.ip_address = request.remote_ip if ::Current.respond_to?(:ip_address=)
+      ::Current.user_agent = request.user_agent if ::Current.respond_to?(:user_agent=)
+    end
+  end
+end

data/app/controllers/concerns/standard_id/social_authentication.rb

@@ -2,64 +2,70 @@ module StandardId
   module SocialAuthentication
     extend ActiveSupport::Concern
 
+    included do
+      prepend_before_action :prepare_provider
+    end
+
     private
 
-    def get_user_info_from_provider(connection, redirect_uri: nil, flow: :web)
-      case connection
-      when "google"
-        StandardId::SocialProviders::Google.get_user_info(
-          code: params[:code],
-          id_token: params[:id_token],
-          access_token: params[:access_token],
-          redirect_uri: redirect_uri
-        )
-      when "apple"
-        StandardId::SocialProviders::Apple.get_user_info(
-        code: params[:code],
-          id_token: params[:id_token],
-          redirect_uri: redirect_uri,
-          client_id: apple_client_id_for_flow(flow)
-        )
-      else
-        raise StandardId::InvalidRequestError, "Unsupported provider: #{connection}"
-      end
+    attr_reader :provider
+
+    def prepare_provider
+      @provider = StandardId::ProviderRegistry.get(params[:provider])
+    rescue StandardId::ProviderRegistry::ProviderNotFoundError => e
+      raise StandardId::InvalidRequestError, e.message
     end
 
-    def apple_client_id_for_flow(flow)
-      flow == :web ? StandardId.config.apple_client_id : StandardId.config.apple_mobile_client_id
+    def get_user_info_from_provider(redirect_uri: nil, flow: :web)
+      provider_params = {
+        code: params[:code],
+        id_token: params[:id_token],
+        access_token: params[:access_token],
+        redirect_uri: redirect_uri
+      }
+
+      resolved_params = provider.resolve_params(provider_params, context: { flow: flow })
+      provider.get_user_info(**resolved_params.compact)
     end
 
-    def find_or_create_account_from_social(raw_social_info, provider)
+    def find_or_create_account_from_social(raw_social_info)
       social_info = raw_social_info.to_h.with_indifferent_access
       email = social_info[:email]
-      raise StandardId::InvalidRequestError, "No email provided by #{provider}" if email.blank?
+      raise StandardId::InvalidRequestError, "No email provided by #{provider.provider_name}" if email.blank?
+
+      emit_social_user_info_fetched(provider, social_info, email)
 
       identifier = StandardId::EmailIdentifier.find_by(value: email)
 
       if identifier.present?
+        emit_social_account_linked(identifier.account, provider, identifier)
         identifier.account
       else
-        account = build_account_from_social(social_info, provider)
+        account = build_account_from_social(social_info)
         identifier = StandardId::EmailIdentifier.create!(
           account: account,
           value: email
         )
         identifier.verify! if identifier.respond_to?(:verify!)
+        emit_social_account_created(account, provider, social_info)
         account
       end
     end
 
-    def build_account_from_social(social_info, provider)
-      attrs = resolve_account_attributes(social_info, provider)
-      StandardId.account_class.create!(attrs)
+    def build_account_from_social(social_info)
+      emit_account_creating_from_social(social_info)
+      attrs = resolve_account_attributes(social_info)
+      account = StandardId.account_class.create!(attrs)
+      emit_account_created_from_social(account)
+      account
     end
 
-    def resolve_account_attributes(social_info, provider)
+    def resolve_account_attributes(social_info)
       resolver = StandardId.config.social_account_attributes
       attrs = if resolver.respond_to?(:call)
                 payload = {
                   social_info: social_info,
-                  provider: provider
+                  provider: provider.provider_name
                 }
 
                 filtered_payload = StandardId::Utils::CallableParameterFilter.filter(resolver, payload)
@@ -95,18 +101,61 @@ module StandardId
     end
 
     def run_social_callback(provider:, social_info:, provider_tokens:, account:)
-      callback = StandardId.config.social_callback
-      return if callback.blank?
+      emit_social_auth_completed(provider, social_info, provider_tokens, account)
+    end
 
-      payload = {
+    def emit_social_user_info_fetched(provider, social_info, email)
+      StandardId::Events.publish(
+        StandardId::Events::SOCIAL_USER_INFO_FETCHED,
         provider: provider,
         social_info: social_info,
-        tokens: provider_tokens.presence,
-        account: account
-      }
+        email: email
+      )
+    end
+
+    def emit_social_account_created(account, provider, social_info)
+      StandardId::Events.publish(
+        StandardId::Events::SOCIAL_ACCOUNT_CREATED,
+        account: account,
+        provider: provider,
+        social_info: social_info
+      )
+    end
+
+    def emit_social_account_linked(account, provider, identifier)
+      StandardId::Events.publish(
+        StandardId::Events::SOCIAL_ACCOUNT_LINKED,
+        account: account,
+        provider: provider,
+        identifier: identifier
+      )
+    end
+
+    def emit_social_auth_completed(provider, social_info, provider_tokens, account)
+      StandardId::Events.publish(
+        StandardId::Events::SOCIAL_AUTH_COMPLETED,
+        account: account,
+        provider: provider,
+        social_info: social_info,
+        tokens: provider_tokens
+      )
+    end
+
+    def emit_account_creating_from_social(social_info)
+      StandardId::Events.publish(
+        StandardId::Events::ACCOUNT_CREATING,
+        account_params: resolve_account_attributes(social_info),
+        auth_method: "social:#{provider.provider_name}"
+      )
+    end
 
-      filtered_payload = StandardId::Utils::CallableParameterFilter.filter(callback, payload)
-      callback.call(**filtered_payload.symbolize_keys)
+    def emit_account_created_from_social(account)
+      StandardId::Events.publish(
+        StandardId::Events::ACCOUNT_CREATED,
+        account: account,
+        auth_method: "social:#{provider.provider_name}",
+        source: "social"
+      )
     end
   end
 end