standard_id 0.1.7 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2878f305d6dfe83c5a1c0851cde68602cbd17899b1a676981afd8166f56995e0
-  data.tar.gz: 4c1802cc0bb54045165eb42289d75dda85db9a8838d61a6c1b4e7a7ff50e7828
+  metadata.gz: 313792f07d188ad560c11e667abdcb3b7fbfb8d15738d892152beae42b287d65
+  data.tar.gz: 4b1811518c974b8e467987fce6abc153ad05f46dd876a1cfe2f40c88c768516c
 SHA512:
-  metadata.gz: 8073e2e1f0208261525be8218960ef6481e8a5558f281a56baf2316b4750f9557b37365831b9aa530706e2d52d6c088e3cc3e9c23c4a4ef722d641f2041ea357
-  data.tar.gz: a803c19a19f5fbcc3acae0511f629c6d4b1520d67a54cfa16d062fcc60333083d28cd5149a6658bfb16e37ae3a2ff1d7cdf06d657d16130010a08c67b8c851ff
+  metadata.gz: 2a59a7565ac2a591fef01ff9aa90edc505e8383f3b9b3d2ac5e4ae82a3d777a9902934bd63683d1adff0211fa0dbc0687e0fd3c6c64428b3e0833c512b8bf9c5
+  data.tar.gz: 6313c08cd9f375e737563324e2c20a16e9ed3f5f4e25fca793f19c2bd18ad4dff06cba49437b914a5776f164d95d95d33cc880d1b332b74cdaf493e661400e2b

data/README.md

@@ -413,16 +413,58 @@ This outputs JSON-structured logs for all authentication events:
 
 ### Available Events
 
-| Category | Events |
-|----------|--------|
-| **Authentication** | `authentication.attempt.started`, `authentication.attempt.succeeded`, `authentication.attempt.failed`, `authentication.password.validated`, `authentication.password.failed`, `authentication.otp.validated`, `authentication.otp.failed` |
-| **Session** | `session.creating`, `session.created`, `session.validating`, `session.validated`, `session.expired`, `session.revoked`, `session.refreshed` |
-| **Account** | `account.creating`, `account.created`, `account.verified`, `account.status_changed`, `account.activated`, `account.deactivated`, `account.locked`, `account.unlocked` |
-| **Identifier** | `identifier.created`, `identifier.verification.started`, `identifier.verification.succeeded`, `identifier.verification.failed`, `identifier.linked` |
-| **OAuth** | `oauth.authorization.requested`, `oauth.authorization.granted`, `oauth.authorization.denied`, `oauth.token.issuing`, `oauth.token.issued`, `oauth.token.refreshed`, `oauth.code.consumed` |
-| **Passwordless** | `passwordless.code.requested`, `passwordless.code.generated`, `passwordless.code.sent`, `passwordless.code.verified`, `passwordless.code.failed`, `passwordless.account.created` |
-| **Social** | `social.auth.started`, `social.auth.callback_received`, `social.user_info.fetched`, `social.account.created`, `social.account.linked`, `social.auth.completed` |
-| **Credential** | `credential.password.created`, `credential.password.reset_initiated`, `credential.password.reset_completed`, `credential.password.changed`, `credential.client_secret.created`, `credential.client_secret.rotated` |
+Every StandardId event automatically carries tracing metadata (`event_id`, `timestamp`, and request-scoped fields like `request_id`, `ip_address`, `user_agent`, `current_account` when available). The table below lists the domain-specific payload fields and when each event fires.
+
+| Category | Event | Payload fields | When emitted |
+|----------|-------|----------------|--------------|
+| Authentication | `authentication.attempt.started` | `account_lookup`, `auth_method` | Before credential validation begins |
+|  | `authentication.attempt.succeeded` | `account`, `auth_method`, `session_type` | After authentication succeeds |
+|  | `authentication.attempt.failed` | `account_lookup`, `auth_method`, `error_code`, `error_message` | After authentication fails |
+|  | `authentication.password.failed` | `account_lookup`, `error_code`, `error_message` | After password verification fails |
+|  | `authentication.otp.failed` | `identifier`, `channel`, `error_code`, `error_message` | After OTP verification fails |
+| Session | `session.creating` | `account`, `session_type`, `ip_address`, `user_agent` | Before a session record is created |
+|  | `session.created` | `session`, `account`, `session_type`, `token_issued`, `ip_address`, `user_agent` | After session persistence completes |
+|  | `session.validating` | `session` | Before validating an existing session |
+|  | `session.validated` | `session`, `account` | After a session passes validation |
+|  | `session.expired` | `session`, `account`, `expired_at` | When validation fails because the session expired |
+|  | `session.revoked` | `session`, `account`, `reason` | After a session is explicitly revoked |
+|  | `session.refreshed` | `session`, `account`, `old_expires_at`, `new_expires_at` | After a refresh operation extends a session |
+| Account | `account.creating` | `account_params`, `auth_method` | Before an account record is created |
+|  | `account.created` | `account`, `auth_method`, `source` (signup/passwordless/social) | After an account record is created |
+|  | `account.verified` | `account`, `verified_via` (email/phone) | When an account is marked verified |
+|  | `account.status_changed` | `account`, `old_status`, `new_status`, `changed_by` | When account status transitions (Issue #16) |
+|  | `account.locked` | `account`, `lock_reason`, `locked_by` | When an account is administratively locked (Issue #17) |
+|  | `account.unlocked` | `account`, `unlocked_by` | When an account lock is lifted (Issue #17) |
+| Identifier | `identifier.created` | `identifier`, `account` | After an identifier record is created |
+|  | `identifier.verification.started` | `identifier`, `channel` (email/sms), `code_sent` | After a verification code is issued |
+|  | `identifier.verification.succeeded` | `identifier`, `account`, `verified_at` | After identifier verification succeeds |
+|  | `identifier.verification.failed` | `identifier`, `error_code`, `attempts` | After identifier verification fails |
+|  | `identifier.linked` | `identifier`, `account`, `source` (social/manual) | When an identifier is associated to an account |
+| OAuth | `oauth.authorization.requested` | `client_id`, `account`, `scope`, `redirect_uri` | Before issuing an authorization code |
+|  | `oauth.authorization.granted` | `authorization_code`, `client_id`, `account`, `scope` | After an authorization code is created |
+|  | `oauth.authorization.denied` | `client_id`, `account`, `reason` | When a user denies authorization |
+|  | `oauth.token.issuing` | `grant_type`, `client_id`, `account`, `scope` | Before generating access/refresh tokens |
+|  | `oauth.token.issued` | `access_token_id`, `grant_type`, `client_id`, `account`, `expires_in` | After tokens are generated |
+|  | `oauth.token.refreshed` | `old_token_id`, `new_token_id`, `client_id`, `account` | After a refresh token is redeemed |
+|  | `oauth.code.consumed` | `authorization_code`, `client_id`, `account` | After an authorization code is exchanged |
+| Passwordless | `passwordless.code.requested` | `identifier`, `channel` (email/sms) | Before generating an OTP |
+|  | `passwordless.code.generated` | `code_challenge`, `identifier`, `channel`, `expires_at` | After an OTP is created |
+|  | `passwordless.code.sent` | `identifier`, `channel`, `delivery_status` | After an OTP is delivered |
+|  | `passwordless.code.verified` | `code_challenge`, `account`, `channel` | After OTP verification succeeds |
+|  | `passwordless.code.failed` | `identifier`, `channel`, `attempts` | After OTP verification fails |
+|  | `passwordless.account.created` | `account`, `channel`, `identifier` | When an account is created via passwordless flow |
+| Social | `social.auth.started` | `provider`, `redirect_uri`, `state` | Before redirecting to a social provider |
+|  | `social.auth.callback_received` | `provider`, `code`, `state` | After the provider redirects back |
+|  | `social.user_info.fetched` | `provider`, `social_info`, `email` | After fetching user info from the provider |
+|  | `social.account.created` | `account`, `provider`, `social_info` | When a social login creates a new account |
+|  | `social.account.linked` | `account`, `provider`, `identifier` | When a social identity links to an existing account |
+|  | `social.auth.completed` | `account`, `provider`, `tokens` | After social login completes |
+| Credential | `credential.password.created` | `credential`, `account` | After a password credential is created |
+|  | `credential.password.reset_initiated` | `credential`, `account`, `reset_token_expires_at` | After a password reset is initiated |
+|  | `credential.password.reset_completed` | `credential`, `account` | After a password reset is confirmed |
+|  | `credential.password.changed` | `credential`, `account`, `changed_by` | After a password is updated |
+|  | `credential.client_secret.created` | `credential`, `client_id` | After a client secret is created |
+|  | `credential.client_secret.rotated` | `credential`, `client_id`, `old_secret_revoked_at` | After a client secret rotation |
 
 ### Subscribing to Events
 
@@ -459,9 +501,7 @@ end
 ```ruby
 # app/subscribers/audit_subscriber.rb
 class AuditSubscriber < StandardId::Events::Subscribers::Base
-  subscribe_to StandardId::Events::AUTHENTICATION_SUCCEEDED
-  subscribe_to StandardId::Events::AUTHENTICATION_FAILED
-  subscribe_to StandardId::Events::SESSION_REVOKED
+  subscribe_to StandardId::Events::SECURITY_EVENTS
 
   def call(event)
     AuditLog.create!(

data/lib/standard_config/manager.rb

@@ -1,11 +1,13 @@
 require "ostruct"
+require "concurrent/map"
 require "standard_config/config_provider"
 
 module StandardConfig
   class Manager
     def initialize(schema)
       @schema = schema
-      @providers = {}
+      @providers = Concurrent::Map.new
+      @static_configs = Concurrent::Map.new
     end
 
     # Register a configuration provider for a scope
@@ -36,8 +38,10 @@ module StandardConfig
         scopes = @schema.scopes_with_field(field)
         if scopes.size == 1
           s = scopes.first
-          register(s, -> { create_static_config_for_scope(s) }) unless @providers.key?(s)
-          @providers[s].public_send(method_name, *args)
+          provider = @providers.compute_if_absent(s) do
+            ConfigProvider.new(s, -> { create_static_config_for_scope(s) }, @schema)
+          end
+          provider.public_send(method_name, *args)
           return args.first
         end
       end
@@ -46,19 +50,21 @@ module StandardConfig
       scopes = @schema.scopes_with_field(scope_name)
       if scopes.size == 1
         s = scopes.first
-        register(s, -> { create_static_config_for_scope(s) }) unless @providers.key?(s)
-        return @providers[s].get_field(scope_name)
+        provider = @providers.compute_if_absent(s) do
+          ConfigProvider.new(s, -> { create_static_config_for_scope(s) }, @schema)
+        end
+        return provider.get_field(scope_name)
       end
 
       # Handle scope access
-      if @providers.key?(scope_name)
-        return @providers[scope_name]
-      end
+      provider = @providers[scope_name]
+      return provider if provider
 
       # Create static provider for valid scopes on first access
       if @schema.valid_scope?(scope_name)
-        register(scope_name, -> { create_static_config_for_scope(scope_name) })
-        return @providers[scope_name]
+        return @providers.compute_if_absent(scope_name) do
+          ConfigProvider.new(scope_name, -> { create_static_config_for_scope(scope_name) }, @schema)
+        end
       end
 
       super
@@ -75,10 +81,11 @@ module StandardConfig
     private
 
     def create_static_config_for_scope(scope_name)
-      @static_configs ||= {}
-      @static_configs[scope_name] ||= OpenStruct.new.tap do |config|
-        @schema.scopes[scope_name].fields.each do |field_name, field_def|
-          config.send("#{field_name}=", field_def.default_value)
+      @static_configs.compute_if_absent(scope_name) do
+        OpenStruct.new.tap do |config|
+          @schema.scopes[scope_name].fields.each do |field_name, field_def|
+            config.send("#{field_name}=", field_def.default_value)
+          end
         end
       end
     end

data/lib/standard_config/schema.rb

@@ -1,7 +1,9 @@
+require "concurrent/map"
+
 module StandardConfig
   class Schema
     def initialize
-      @scopes = {}
+      @scopes = Concurrent::Map.new
     end
 
     # DSL entry
@@ -16,7 +18,7 @@ module StandardConfig
 
     def scope(name, &block)
       name_sym = name.to_sym
-      builder = scopes[name_sym] ||= ScopeBuilder.new(name_sym)
+      builder = scopes.compute_if_absent(name_sym) { ScopeBuilder.new(name_sym) }
       builder.instance_eval(&block) if block_given?
       builder
     end
@@ -73,7 +75,7 @@ module StandardConfig
 
       def initialize(name)
         @name = name.to_sym
-        @fields = {}
+        @fields = Concurrent::Map.new
       end
 
       def field(name, type: :string, default: nil, readonly: false)

data/lib/standard_config.rb

@@ -3,14 +3,21 @@ require "standard_config/config_provider"
 require "standard_config/manager"
 require "standard_config/schema"
 
+require "concurrent/delay"
+
 module StandardConfig
+  SCHEMA = Concurrent::Delay.new { Schema.new }
+  MANAGER = Concurrent::Delay.new { Manager.new(SCHEMA.value) }
+
   class << self
     def schema
-      @schema ||= Schema.new
+      SCHEMA.value
     end
 
     def configure(&block)
-      config.register(:base, block) unless config.registered?(:base) if block_given? && block.arity == 0
+      if block_given? && block.arity.zero? && !config.registered?(:base)
+        config.register(:base, block)
+      end
 
       yield config if block_given?
 
@@ -18,7 +25,7 @@ module StandardConfig
     end
 
     def config
-      @manager ||= Manager.new(schema)
+      MANAGER.value
     end
 
     private

data/lib/standard_id/events/definitions.rb

@@ -139,6 +139,47 @@ module StandardId
         CREDENTIAL_CLIENT_SECRET_REVOKED
       ].freeze
 
+      SECURITY_EVENTS = [
+        # Authentication
+        AUTHENTICATION_SUCCEEDED,
+        AUTHENTICATION_FAILED,
+        PASSWORD_VALIDATION_FAILED,
+        OTP_VALIDATION_FAILED,
+        # Session
+        SESSION_CREATED,
+        SESSION_REVOKED,
+        SESSION_EXPIRED,
+        # Account
+        ACCOUNT_CREATED,
+        ACCOUNT_VERIFIED,
+        ACCOUNT_STATUS_CHANGED,
+        ACCOUNT_ACTIVATED,
+        ACCOUNT_DEACTIVATED,
+        ACCOUNT_LOCKED,
+        ACCOUNT_UNLOCKED,
+        # Identifier
+        IDENTIFIER_VERIFICATION_FAILED,
+        # OAuth
+        OAUTH_AUTHORIZATION_GRANTED,
+        OAUTH_AUTHORIZATION_DENIED,
+        OAUTH_TOKEN_ISSUED,
+        OAUTH_TOKEN_REFRESHED,
+        # Passwordless
+        PASSWORDLESS_CODE_FAILED,
+        PASSWORDLESS_ACCOUNT_CREATED,
+        # Credential
+        CREDENTIAL_PASSWORD_CREATED,
+        CREDENTIAL_PASSWORD_RESET_INITIATED,
+        CREDENTIAL_PASSWORD_RESET_COMPLETED,
+        CREDENTIAL_PASSWORD_CHANGED,
+        CREDENTIAL_CLIENT_SECRET_CREATED,
+        CREDENTIAL_CLIENT_SECRET_ROTATED,
+        CREDENTIAL_CLIENT_SECRET_REVOKED,
+        # Social
+        SOCIAL_ACCOUNT_CREATED,
+        SOCIAL_ACCOUNT_LINKED
+      ].freeze
+
       ALL_EVENTS = (
         AUTHENTICATION_EVENTS +
         SESSION_EVENTS +

data/lib/standard_id/events.rb

@@ -128,6 +128,7 @@ module StandardId
           enriched[:request_id] = ::Current.request_id if ::Current.request_id.present?
           enriched[:ip_address] ||= ::Current.ip_address if ::Current.respond_to?(:ip_address) && ::Current.ip_address.present?
           enriched[:user_agent] ||= ::Current.user_agent if ::Current.respond_to?(:user_agent) && ::Current.user_agent.present?
+          enriched[:current_account] ||= ::Current.account if ::Current.respond_to?(:account) && ::Current.account.present?
         end
 
         enriched.merge(payload)

data/lib/standard_id/jwt_service.rb

@@ -1,4 +1,5 @@
 require "jwt"
+require "concurrent/delay"
 
 module StandardId
   class JwtService
@@ -6,7 +7,7 @@ module StandardId
     RESERVED_JWT_KEYS = %i[sub client_id scope grant_type exp iat aud iss nbf jti]
     BASE_SESSION_FIELDS = %i[account_id client_id scopes grant_type]
 
-    def self.session_class
+    SESSION_CLASS = Concurrent::Delay.new do
       Struct.new(*(BASE_SESSION_FIELDS + claim_resolver_keys), keyword_init: true) do
         def active?
           true
@@ -14,6 +15,10 @@ module StandardId
       end
     end
 
+    def self.session_class
+      SESSION_CLASS.value
+    end
+
     def self.encode(payload, expires_in: 1.hour)
       payload[:exp] = expires_in.from_now.to_i
       payload[:iat] = Time.current.to_i

data/lib/standard_id/provider_registry.rb

@@ -1,17 +1,23 @@
+require "concurrent/map"
+
 module StandardId
   class ProviderRegistry
     class ProviderNotFoundError < StandardError; end
     class InvalidProviderError < StandardError; end
 
-    @providers = {}
+    @providers = Concurrent::Map.new
 
     class << self
+      def providers
+        @providers
+      end
+
       # Register a provider
       # @param name [Symbol, String] Provider identifier
       # @param provider_class [Class] Provider implementation class
       def register(name, provider_class)
         validate_provider!(provider_class)
-        @providers[name.to_s] = provider_class
+        providers[name.to_s] = provider_class
         register_config_schema(provider_class)
         provider_class.setup if provider_class.respond_to?(:setup)
         provider_class
@@ -22,9 +28,9 @@ module StandardId
       # @return [Class] Provider class
       # @raise [ProviderNotFoundError] if provider not found
       def get(name)
-        @providers[name.to_s] || raise(
+        providers[name.to_s] || raise(
           ProviderNotFoundError,
-          "Unknown provider: #{name}. Available providers: #{@providers.keys.join(', ')}"
+          "Unknown provider: #{name}. Available providers: #{providers.keys.join(', ')}"
         )
       end
 
@@ -32,14 +38,14 @@ module StandardId
       # Get all registered providers
       # @return [Hash] Provider name => class mapping
       def all
-        @providers.dup
+        providers.each_pair.to_h
       end
 
       # Check if provider is registered
       # @param name [Symbol, String] Provider identifier
       # @return [Boolean]
       def registered?(name)
-        @providers.key?(name.to_s)
+        providers.key?(name.to_s)
       end
 
       private

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.1.7"
+  VERSION = "0.2.0"
 end

data/lib/standard_id.rb

@@ -40,13 +40,16 @@ require "standard_id/passwordless/email_strategy"
 require "standard_id/passwordless/sms_strategy"
 require "standard_id/utils/callable_parameter_filter"
 
+require "concurrent/delay"
+
 require "standard_id/providers/base"
 require "standard_id/provider_registry"
-require "standard_id/providers/google"
-require "standard_id/providers/apple"
 
 module StandardId
   class << self
+    CACHE_STORE = Concurrent::Delay.new { config.cache_store || Rails.cache }
+    LOGGER = Concurrent::Delay.new { config.logger || Rails.logger }
+
     def configure(&block)
       StandardConfig.configure(&block)
     end
@@ -60,11 +63,11 @@ module StandardId
     end
 
     def cache_store
-      @cache_store ||= config.cache_store || Rails.cache
+      CACHE_STORE.value
     end
 
     def logger
-      @logger ||= config.logger || Rails.logger
+      LOGGER.value
     end
 
     def account_class

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.1.7
+  version: 0.2.0
 platform: ruby
 authors:
 - Jaryl Sim
@@ -182,9 +182,7 @@ files:
 - lib/standard_id/passwordless/email_strategy.rb
 - lib/standard_id/passwordless/sms_strategy.rb
 - lib/standard_id/provider_registry.rb
-- lib/standard_id/providers/apple.rb
 - lib/standard_id/providers/base.rb
-- lib/standard_id/providers/google.rb
 - lib/standard_id/utils/callable_parameter_filter.rb
 - lib/standard_id/version.rb
 - lib/standard_id/web/authentication_guard.rb

data/lib/standard_id/providers/apple.rb

@@ -1,223 +0,0 @@
-require "uri"
-require "net/http"
-require "json"
-require "jwt"
-require_relative "base"
-
-module StandardId
-  module Providers
-    class Apple < Base
-      ISSUER = "https://appleid.apple.com".freeze
-      AUTH_ENDPOINT = "#{ISSUER}/auth/authorize".freeze
-      TOKEN_ENDPOINT = "#{ISSUER}/auth/token".freeze
-      JWKS_URI = "#{ISSUER}/auth/keys".freeze
-      DEFAULT_SCOPE = "name email".freeze
-      DEFAULT_RESPONSE_MODE = "form_post".freeze
-
-      class << self
-        def provider_name
-          "apple"
-        end
-
-        def authorization_url(state:, redirect_uri:, **options)
-          scope = options[:scope] || DEFAULT_SCOPE
-          response_mode = options[:response_mode] || DEFAULT_RESPONSE_MODE
-
-          ensure_basic_credentials!
-
-          query = {
-            client_id: StandardId.config.apple_client_id,
-            redirect_uri: redirect_uri,
-            response_type: "code",
-            scope: scope,
-            response_mode: response_mode,
-            state: state
-          }
-
-          "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query)}"
-        end
-
-        def get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, **options)
-          client_id = options[:client_id] || StandardId.config.apple_client_id
-
-          if id_token.present?
-            build_response(
-              verify_id_token(id_token: id_token, client_id: client_id),
-              tokens: { id_token: id_token }
-            )
-          elsif code.present?
-            exchange_code_for_user_info(code: code, redirect_uri: redirect_uri, client_id: client_id)
-          else
-            raise StandardId::InvalidRequestError, "Either code or id_token must be provided"
-          end
-        end
-
-        def config_schema
-          {
-            apple_client_id: { type: :string, default: nil },
-            apple_mobile_client_id: { type: :string, default: nil },
-            apple_private_key: { type: :string, default: nil },
-            apple_key_id: { type: :string, default: nil },
-            apple_team_id: { type: :string, default: nil }
-          }
-        end
-
-        def default_scope
-          DEFAULT_SCOPE
-        end
-
-        def skip_csrf?
-          true
-        end
-
-        def supports_mobile_callback?
-          true
-        end
-
-        def resolve_params(params, context: {})
-          flow = context[:flow] || :web
-          client_id = flow == :mobile ? StandardId.config.apple_mobile_client_id : StandardId.config.apple_client_id
-
-          params.merge(client_id: client_id)
-        end
-
-        def exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id)
-          ensure_full_credentials!(client_id: client_id)
-          raise StandardId::InvalidRequestError, "Missing authorization code" if code.blank?
-
-          token_response = HttpClient.post_form(TOKEN_ENDPOINT, {
-            client_id: client_id,
-            client_secret: generate_client_secret(client_id: client_id),
-            code: code,
-            grant_type: "authorization_code",
-            redirect_uri: redirect_uri
-          })
-
-          unless token_response.is_a?(Net::HTTPSuccess)
-            error_body = JSON.parse(token_response.body) rescue {}
-            raise StandardId::InvalidRequestError, "Failed to exchange Apple authorization code: #{error_body['error']}"
-          end
-
-          parsed_token = JSON.parse(token_response.body)
-          id_token = parsed_token["id_token"]
-          raise StandardId::InvalidRequestError, "Apple response missing id_token" if id_token.blank?
-
-          tokens = extract_token_payload(parsed_token)
-          user_info = verify_id_token(id_token: id_token, client_id: client_id)
-
-          build_response(user_info, tokens: tokens)
-        rescue StandardError => e
-          raise e if e.is_a?(StandardId::OAuthError)
-          raise StandardId::OAuthError, e.message, cause: e
-        end
-
-        def verify_id_token(id_token:, client_id: StandardId.config.apple_client_id)
-          raise StandardId::InvalidRequestError, "Missing id_token" if id_token.blank?
-          if client_id.blank?
-            raise StandardId::InvalidRequestError, "Apple client_id is not configured"
-          end
-
-          decoded_token = JWT.decode(id_token, nil, false)
-          header = decoded_token[1]
-
-          jwk = fetch_jwk(kid: header["kid"])
-
-          verified_payload, = JWT.decode(
-            id_token,
-            jwk.public_key,
-            true,
-            algorithm: "RS256",
-            iss: ISSUER,
-            verify_iss: true,
-            aud: client_id,
-            verify_aud: true
-          )
-
-          {
-            "sub" => verified_payload["sub"],
-            "email" => verified_payload["email"],
-            "email_verified" => verified_payload["email_verified"],
-            "is_private_email" => verified_payload["is_private_email"]
-          }.compact
-        rescue JWT::InvalidAudError => e
-          raise StandardId::InvalidRequestError, "Invalid Apple ID token audience: #{e.message}"
-        rescue JWT::DecodeError => e
-          raise StandardId::InvalidRequestError, "Invalid Apple ID token: #{e.message}"
-        rescue StandardError => e
-          raise e if e.is_a?(StandardId::OAuthError)
-          raise StandardId::OAuthError, e.message, cause: e
-        end
-
-        private
-
-        def ensure_basic_credentials!(client_id: StandardId.config.apple_client_id)
-          if client_id.blank?
-            raise StandardId::InvalidRequestError, "Apple OAuth is not configured"
-          end
-        end
-
-        def ensure_full_credentials!(client_id: nil)
-          ensure_basic_credentials!(client_id: client_id)
-
-          required = [
-            StandardId.config.apple_private_key,
-            StandardId.config.apple_key_id,
-            StandardId.config.apple_team_id
-          ]
-
-          if required.any?(&:blank?)
-            raise StandardId::InvalidRequestError, "Apple OAuth credentials are incomplete"
-          end
-        end
-
-        def generate_client_secret(client_id: StandardId.config.apple_client_id)
-          header = {
-            alg: "ES256",
-            kid: StandardId.config.apple_key_id
-          }
-
-          payload = {
-            iss: StandardId.config.apple_team_id,
-            iat: Time.current.to_i,
-            exp: Time.current.to_i + 3600,
-            aud: ISSUER,
-            sub: client_id
-          }
-
-          private_key = OpenSSL::PKey::EC.new(StandardId.config.apple_private_key)
-          JWT.encode(payload, private_key, "ES256", header)
-        end
-
-        def fetch_jwk(kid:)
-          uri = URI(JWKS_URI)
-          jwks_response = Net::HTTP.get_response(uri)
-
-          unless jwks_response.is_a?(Net::HTTPSuccess)
-            raise StandardId::InvalidRequestError, "Failed to fetch Apple JWKS"
-          end
-
-          jwks_data = JSON.parse(jwks_response.body)
-          jwk_data = jwks_data["keys"].find { |key| key["kid"] == kid }
-
-          raise StandardId::InvalidRequestError, "JWK with kid '#{kid}' not found in Apple's JWKS" unless jwk_data
-
-          JWT::JWK.import(jwk_data)
-        rescue StandardError => e
-          raise e if e.is_a?(StandardId::OAuthError)
-          raise StandardId::OAuthError, "Failed to fetch JWK: #{e.message}"
-        end
-
-        def extract_token_payload(parsed_token)
-          {
-            access_token: parsed_token["access_token"],
-            refresh_token: parsed_token["refresh_token"],
-            id_token: parsed_token["id_token"]
-          }.compact
-        end
-      end
-    end
-  end
-end
-
-# Auto-register with the provider registry
-StandardId::ProviderRegistry.register(:apple, StandardId::Providers::Apple)

data/lib/standard_id/providers/google.rb

@@ -1,187 +0,0 @@
-require_relative "base"
-
-module StandardId
-  module Providers
-    class Google < Base
-      AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth".freeze
-      TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token".freeze
-      USERINFO_ENDPOINT = "https://www.googleapis.com/oauth2/v2/userinfo".freeze
-      TOKEN_INFO_ENDPOINT = "https://oauth2.googleapis.com/tokeninfo".freeze
-      DEFAULT_SCOPE = "openid email profile".freeze
-
-      class << self
-        def provider_name
-          "google"
-        end
-
-        def authorization_url(state:, redirect_uri:, **options)
-          scope = options[:scope] || DEFAULT_SCOPE
-          prompt = options[:prompt]
-
-          query = {
-            client_id: credentials[:client_id],
-            redirect_uri: redirect_uri,
-            response_type: "code",
-            scope: scope,
-            state: state
-          }
-
-          query[:prompt] = prompt if prompt.present?
-
-          "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query)}"
-        end
-
-        def get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, **options)
-          if id_token.present?
-            build_response(
-              verify_id_token(id_token: id_token),
-              tokens: { id_token: id_token }
-            )
-          elsif access_token.present?
-            build_response(
-              fetch_user_info(access_token: access_token),
-              tokens: { access_token: access_token }
-            )
-          elsif code.present?
-            exchange_code_for_user_info(code: code, redirect_uri: redirect_uri)
-          else
-            raise StandardId::InvalidRequestError, "Either code, id_token, or access_token must be provided"
-          end
-        end
-
-        def config_schema
-          {
-            google_client_id: { type: :string, default: nil },
-            google_client_secret: { type: :string, default: nil }
-          }
-        end
-
-        def default_scope
-          DEFAULT_SCOPE
-        end
-
-        def exchange_code_for_user_info(code:, redirect_uri:)
-          raise StandardId::InvalidRequestError, "Missing authorization code" if code.blank?
-
-          token_response = HttpClient.post_form(TOKEN_ENDPOINT, {
-            client_id: credentials[:client_id],
-            client_secret: credentials[:client_secret],
-            code: code,
-            grant_type: "authorization_code",
-            redirect_uri: redirect_uri
-          }.compact)
-
-          unless token_response.is_a?(Net::HTTPSuccess)
-            raise StandardId::InvalidRequestError, "Failed to exchange Google authorization code"
-          end
-
-          parsed_token = JSON.parse(token_response.body)
-          access_token = parsed_token["access_token"]
-          raise StandardId::InvalidRequestError, "Google response missing access token" if access_token.blank?
-
-          tokens = extract_token_payload(parsed_token)
-          user_info = fetch_user_info(access_token: access_token)
-
-          build_response(user_info, tokens: tokens)
-        rescue StandardError => e
-          raise e if e.is_a?(StandardId::OAuthError)
-          raise StandardId::OAuthError, e.message, cause: e
-        end
-
-        def verify_id_token(id_token:)
-          raise StandardId::InvalidRequestError, "Missing id_token" if id_token.blank?
-
-          response = HttpClient.post_form(TOKEN_INFO_ENDPOINT, id_token: id_token)
-
-          unless response.is_a?(Net::HTTPSuccess)
-            raise StandardId::InvalidRequestError, "Invalid or expired id_token"
-          end
-
-          token_info = JSON.parse(response.body)
-
-          unless token_info["aud"] == credentials[:client_id]
-            raise StandardId::InvalidRequestError, "ID token audience mismatch. Expected: #{credentials[:client_id]}, got: #{token_info['aud']}"
-          end
-
-          unless ["accounts.google.com", "https://accounts.google.com"].include?(token_info["iss"])
-            raise StandardId::InvalidRequestError, "ID token issuer invalid. Expected Google, got: #{token_info['iss']}"
-          end
-
-          {
-            "sub" => token_info["sub"],
-            "email" => token_info["email"],
-            "email_verified" => token_info["email_verified"],
-            "name" => token_info["name"],
-            "given_name" => token_info["given_name"],
-            "family_name" => token_info["family_name"],
-            "picture" => token_info["picture"],
-            "locale" => token_info["locale"]
-          }.compact
-        rescue StandardError => e
-          raise e if e.is_a?(StandardId::OAuthError)
-          raise StandardId::OAuthError, e.message, cause: e
-        end
-
-        def fetch_user_info(access_token:)
-          raise StandardId::InvalidRequestError, "Missing access token" if access_token.blank?
-
-          verify_token(access_token)
-          user_response = HttpClient.get_with_bearer(USERINFO_ENDPOINT, access_token)
-
-          unless user_response.is_a?(Net::HTTPSuccess)
-            raise StandardId::InvalidRequestError, "Failed to fetch Google user info"
-          end
-
-          JSON.parse(user_response.body)
-        rescue StandardError => e
-          raise e if e.is_a?(StandardId::OAuthError)
-          raise StandardId::OAuthError, e.message, cause: e
-        end
-
-        private
-
-        def credentials
-          @credentials ||= begin
-            if StandardId.config.google_client_id.blank? || StandardId.config.google_client_secret.blank?
-              raise StandardId::InvalidRequestError, "Google provider is not configured"
-            end
-
-            {
-              client_id: StandardId.config.google_client_id,
-              client_secret: StandardId.config.google_client_secret
-            }
-          end
-        end
-
-        def verify_token(access_token)
-          token_info_uri = "https://www.googleapis.com/oauth2/v3/tokeninfo"
-
-          response = HttpClient.post_form(token_info_uri, access_token: access_token)
-
-          unless response.is_a?(Net::HTTPSuccess)
-            raise StandardId::InvalidRequestError, "Invalid or expired access token"
-          end
-
-          token_info = JSON.parse(response.body)
-
-          unless token_info["aud"] == credentials[:client_id]
-            raise StandardId::InvalidRequestError, "Access token audience mismatch. Expected: #{credentials[:client_id]}, got: #{token_info['aud']}"
-          end
-
-          token_info
-        end
-
-        def extract_token_payload(parsed_token)
-          {
-            access_token: parsed_token["access_token"],
-            refresh_token: parsed_token["refresh_token"],
-            id_token: parsed_token["id_token"]
-          }.compact
-        end
-      end
-    end
-  end
-end
-
-# Auto-register with the provider registry
-StandardId::ProviderRegistry.register(:google, StandardId::Providers::Google)