standard_id 0.1.7 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2878f305d6dfe83c5a1c0851cde68602cbd17899b1a676981afd8166f56995e0
-  data.tar.gz: 4c1802cc0bb54045165eb42289d75dda85db9a8838d61a6c1b4e7a7ff50e7828
+  metadata.gz: acbf22ea3a73945fedbcc5d26da84954f4b4e04de00cf2bac51eb59374231a09
+  data.tar.gz: 063d9c263aa7ca6910602a1a570676ee96348a88b1265a2c2ac5d8c11dacf076
 SHA512:
-  metadata.gz: 8073e2e1f0208261525be8218960ef6481e8a5558f281a56baf2316b4750f9557b37365831b9aa530706e2d52d6c088e3cc3e9c23c4a4ef722d641f2041ea357
-  data.tar.gz: a803c19a19f5fbcc3acae0511f629c6d4b1520d67a54cfa16d062fcc60333083d28cd5149a6658bfb16e37ae3a2ff1d7cdf06d657d16130010a08c67b8c851ff
+  metadata.gz: 8a3e58978c5525de51c16ad46e563567a93790a7ad5a99aeea1d43d3068c01df9120ccc5d0a5694a5e3531fe916906bcc811f2a2dcbce25ec42228ca7ddfa4e5
+  data.tar.gz: 2f3d4beee53b0fa961ed8648eb433a65e751f63c8f20fa10153e10c16bfce50440a5714bbd9b8a8cc4fefe98ff806804c6f49e6e3a79362b10e9780a55d49fce

data/README.md

@@ -413,16 +413,58 @@ This outputs JSON-structured logs for all authentication events:
 
 ### Available Events
 
-| Category | Events |
-|----------|--------|
-| **Authentication** | `authentication.attempt.started`, `authentication.attempt.succeeded`, `authentication.attempt.failed`, `authentication.password.validated`, `authentication.password.failed`, `authentication.otp.validated`, `authentication.otp.failed` |
-| **Session** | `session.creating`, `session.created`, `session.validating`, `session.validated`, `session.expired`, `session.revoked`, `session.refreshed` |
-| **Account** | `account.creating`, `account.created`, `account.verified`, `account.status_changed`, `account.activated`, `account.deactivated`, `account.locked`, `account.unlocked` |
-| **Identifier** | `identifier.created`, `identifier.verification.started`, `identifier.verification.succeeded`, `identifier.verification.failed`, `identifier.linked` |
-| **OAuth** | `oauth.authorization.requested`, `oauth.authorization.granted`, `oauth.authorization.denied`, `oauth.token.issuing`, `oauth.token.issued`, `oauth.token.refreshed`, `oauth.code.consumed` |
-| **Passwordless** | `passwordless.code.requested`, `passwordless.code.generated`, `passwordless.code.sent`, `passwordless.code.verified`, `passwordless.code.failed`, `passwordless.account.created` |
-| **Social** | `social.auth.started`, `social.auth.callback_received`, `social.user_info.fetched`, `social.account.created`, `social.account.linked`, `social.auth.completed` |
-| **Credential** | `credential.password.created`, `credential.password.reset_initiated`, `credential.password.reset_completed`, `credential.password.changed`, `credential.client_secret.created`, `credential.client_secret.rotated` |
+Every StandardId event automatically carries tracing metadata (`event_id`, `timestamp`, and request-scoped fields like `request_id`, `ip_address`, `user_agent`, `current_account` when available). The table below lists the domain-specific payload fields and when each event fires.
+
+| Category | Event | Payload fields | When emitted |
+|----------|-------|----------------|--------------|
+| Authentication | `authentication.attempt.started` | `account_lookup`, `auth_method` | Before credential validation begins |
+|  | `authentication.attempt.succeeded` | `account`, `auth_method`, `session_type` | After authentication succeeds |
+|  | `authentication.attempt.failed` | `account_lookup`, `auth_method`, `error_code`, `error_message` | After authentication fails |
+|  | `authentication.password.failed` | `account_lookup`, `error_code`, `error_message` | After password verification fails |
+|  | `authentication.otp.failed` | `identifier`, `channel`, `error_code`, `error_message` | After OTP verification fails |
+| Session | `session.creating` | `account`, `session_type`, `ip_address`, `user_agent` | Before a session record is created |
+|  | `session.created` | `session`, `account`, `session_type`, `token_issued`, `ip_address`, `user_agent` | After session persistence completes |
+|  | `session.validating` | `session` | Before validating an existing session |
+|  | `session.validated` | `session`, `account` | After a session passes validation |
+|  | `session.expired` | `session`, `account`, `expired_at` | When validation fails because the session expired |
+|  | `session.revoked` | `session`, `account`, `reason` | After a session is explicitly revoked |
+|  | `session.refreshed` | `session`, `account`, `old_expires_at`, `new_expires_at` | After a refresh operation extends a session |
+| Account | `account.creating` | `account_params`, `auth_method` | Before an account record is created |
+|  | `account.created` | `account`, `auth_method`, `source` (signup/passwordless/social) | After an account record is created |
+|  | `account.verified` | `account`, `verified_via` (email/phone) | When an account is marked verified |
+|  | `account.status_changed` | `account`, `old_status`, `new_status`, `changed_by` | When account status transitions (Issue #16) |
+|  | `account.locked` | `account`, `lock_reason`, `locked_by` | When an account is administratively locked (Issue #17) |
+|  | `account.unlocked` | `account`, `unlocked_by` | When an account lock is lifted (Issue #17) |
+| Identifier | `identifier.created` | `identifier`, `account` | After an identifier record is created |
+|  | `identifier.verification.started` | `identifier`, `channel` (email/sms), `code_sent` | After a verification code is issued |
+|  | `identifier.verification.succeeded` | `identifier`, `account`, `verified_at` | After identifier verification succeeds |
+|  | `identifier.verification.failed` | `identifier`, `error_code`, `attempts` | After identifier verification fails |
+|  | `identifier.linked` | `identifier`, `account`, `source` (social/manual) | When an identifier is associated to an account |
+| OAuth | `oauth.authorization.requested` | `client_id`, `account`, `scope`, `redirect_uri` | Before issuing an authorization code |
+|  | `oauth.authorization.granted` | `authorization_code`, `client_id`, `account`, `scope` | After an authorization code is created |
+|  | `oauth.authorization.denied` | `client_id`, `account`, `reason` | When a user denies authorization |
+|  | `oauth.token.issuing` | `grant_type`, `client_id`, `account`, `scope` | Before generating access/refresh tokens |
+|  | `oauth.token.issued` | `access_token_id`, `grant_type`, `client_id`, `account`, `expires_in` | After tokens are generated |
+|  | `oauth.token.refreshed` | `old_token_id`, `new_token_id`, `client_id`, `account` | After a refresh token is redeemed |
+|  | `oauth.code.consumed` | `authorization_code`, `client_id`, `account` | After an authorization code is exchanged |
+| Passwordless | `passwordless.code.requested` | `identifier`, `channel` (email/sms) | Before generating an OTP |
+|  | `passwordless.code.generated` | `code_challenge`, `identifier`, `channel`, `expires_at` | After an OTP is created |
+|  | `passwordless.code.sent` | `identifier`, `channel`, `delivery_status` | After an OTP is delivered |
+|  | `passwordless.code.verified` | `code_challenge`, `account`, `channel` | After OTP verification succeeds |
+|  | `passwordless.code.failed` | `identifier`, `channel`, `attempts` | After OTP verification fails |
+|  | `passwordless.account.created` | `account`, `channel`, `identifier` | When an account is created via passwordless flow |
+| Social | `social.auth.started` | `provider`, `redirect_uri`, `state` | Before redirecting to a social provider |
+|  | `social.auth.callback_received` | `provider`, `code`, `state` | After the provider redirects back |
+|  | `social.user_info.fetched` | `provider`, `social_info`, `email` | After fetching user info from the provider |
+|  | `social.account.created` | `account`, `provider`, `social_info` | When a social login creates a new account |
+|  | `social.account.linked` | `account`, `provider`, `identifier` | When a social identity links to an existing account |
+|  | `social.auth.completed` | `account`, `provider`, `tokens` | After social login completes |
+| Credential | `credential.password.created` | `credential`, `account` | After a password credential is created |
+|  | `credential.password.reset_initiated` | `credential`, `account`, `reset_token_expires_at` | After a password reset is initiated |
+|  | `credential.password.reset_completed` | `credential`, `account` | After a password reset is confirmed |
+|  | `credential.password.changed` | `credential`, `account`, `changed_by` | After a password is updated |
+|  | `credential.client_secret.created` | `credential`, `client_id` | After a client secret is created |
+|  | `credential.client_secret.rotated` | `credential`, `client_id`, `old_secret_revoked_at` | After a client secret rotation |
 
 ### Subscribing to Events
 
@@ -459,9 +501,7 @@ end
 ```ruby
 # app/subscribers/audit_subscriber.rb
 class AuditSubscriber < StandardId::Events::Subscribers::Base
-  subscribe_to StandardId::Events::AUTHENTICATION_SUCCEEDED
-  subscribe_to StandardId::Events::AUTHENTICATION_FAILED
-  subscribe_to StandardId::Events::SESSION_REVOKED
+  subscribe_to StandardId::Events::SECURITY_EVENTS
 
   def call(event)
     AuditLog.create!(

data/app/controllers/concerns/standard_id/social_authentication.rb

@@ -16,12 +16,13 @@ module StandardId
       raise StandardId::InvalidRequestError, e.message
     end
 
-    def get_user_info_from_provider(redirect_uri: nil, flow: :web)
+    def get_user_info_from_provider(redirect_uri: nil, nonce: nil, flow: :web)
       provider_params = {
         code: params[:code],
         id_token: params[:id_token],
         access_token: params[:access_token],
-        redirect_uri: redirect_uri
+        redirect_uri:,
+        nonce:
       }
 
       resolved_params = provider.resolve_params(provider_params, context: { flow: flow })
@@ -100,8 +101,8 @@ module StandardId
       end
     end
 
-    def run_social_callback(provider:, social_info:, provider_tokens:, account:)
-      emit_social_auth_completed(provider, social_info, provider_tokens, account)
+    def run_social_callback(provider:, social_info:, provider_tokens:, account:, original_request_params: {})
+      emit_social_auth_completed(provider, social_info, provider_tokens, account, original_request_params)
     end
 
     def emit_social_user_info_fetched(provider, social_info, email)
@@ -131,13 +132,14 @@ module StandardId
       )
     end
 
-    def emit_social_auth_completed(provider, social_info, provider_tokens, account)
+    def emit_social_auth_completed(provider, social_info, provider_tokens, account, original_request_params)
       StandardId::Events.publish(
         StandardId::Events::SOCIAL_AUTH_COMPLETED,
         account: account,
         provider: provider,
         social_info: social_info,
-        tokens: provider_tokens
+        tokens: provider_tokens,
+        original_request_params: original_request_params
       )
     end
 

data/app/controllers/concerns/standard_id/web/social_login_params.rb

@@ -0,0 +1,87 @@
+module StandardId
+  module Web
+    module SocialLoginParams
+      extend ActiveSupport::Concern
+
+      OAUTH_PENDING_REQUESTS_COOKIE = "oauth_pending_requests".freeze
+      REQUEST_EXPIRY = 10.minutes
+
+      private
+
+      def store_oauth_request(state:, nonce: nil, params:)
+        pending_requests = load_pending_requests || {}
+
+        cleanup_expired_requests!(pending_requests)
+
+        pending_requests[state] = {
+          "params" => params,
+          "nonce" => nonce,
+          "expires_at" => REQUEST_EXPIRY.from_now.to_i
+        }
+
+        save_pending_requests(pending_requests)
+      end
+
+      def consume_oauth_request(state)
+        return nil if state.blank?
+
+        pending_requests = load_pending_requests
+        return nil if pending_requests.nil?
+
+        cleanup_expired_requests!(pending_requests)
+
+        request_data = pending_requests[state]
+        return nil if request_data.nil?
+
+        # Remove this specific request from pending requests
+        pending_requests.delete(state)
+
+        # Update the cookie with remaining requests
+        if pending_requests.empty?
+          cookies.delete(OAUTH_PENDING_REQUESTS_COOKIE)
+        else
+          save_pending_requests(pending_requests)
+        end
+
+        request_data.slice("params", "nonce")
+      rescue JSON::ParserError => e
+        StandardId.logger.error({
+          subject: "standard_id.consume_oauth_request.error",
+          error: e.message
+        })
+        nil
+      end
+
+      def load_pending_requests
+        cookie_value = cookies.encrypted[OAUTH_PENDING_REQUESTS_COOKIE]
+        return nil if cookie_value.nil?
+
+        JSON.parse(cookie_value)
+      rescue JSON::ParserError
+        nil
+      end
+
+      def save_pending_requests(pending_requests)
+        cookie_options = {
+          value: pending_requests.to_json,
+          expires: REQUEST_EXPIRY.from_now,
+          httponly: true
+        }
+
+        if request.ssl?
+          cookie_options[:secure] = true
+          cookie_options[:same_site] = :none
+        else
+          cookie_options[:same_site] = :lax
+        end
+
+        cookies.encrypted[OAUTH_PENDING_REQUESTS_COOKIE] = cookie_options
+      end
+
+      def cleanup_expired_requests!(pending_requests)
+        current_time = Time.now.to_i
+        pending_requests.delete_if { |_state, data| data["expires_at"] && data["expires_at"] < current_time }
+      end
+    end
+  end
+end

data/app/controllers/concerns/standard_id/web_authentication.rb

@@ -36,6 +36,16 @@ module StandardId
     # Redirect to login page, handling both Inertia and standard requests
     def redirect_to_login
       login_path = StandardId.config.login_url.presence || "/login"
+
+      # Add redirect_uri parameter to preserve the original destination
+      if request.get?
+        uri = URI.parse(login_path)
+        params = Rack::Utils.parse_nested_query(uri.query)
+        params["redirect_uri"] = request.fullpath
+        uri.query = params.to_query.presence
+        login_path = uri.to_s
+      end
+
       redirect_with_inertia login_path
     end
 

data/app/controllers/standard_id/api/oauth/callback/providers_controller.rb

@@ -7,7 +7,6 @@ module StandardId
         skip_before_action :validate_content_type!
 
         def callback
-          original_params = decode_state_params
           provider_response = get_user_info_from_provider(flow: resolve_flow_for(provider.provider_name))
           social_info = provider_response[:user_info]
           provider_tokens = provider_response[:tokens]
@@ -16,35 +15,22 @@ module StandardId
           flow = StandardId::Oauth::SocialFlow.new(
             params,
             request,
-            account: account,
-            connection: provider.provider_name,
-            original_params: original_params
+            account:,
+            connection: provider.provider_name
           )
 
           token_response = flow.execute
           run_social_callback(
             provider: provider.provider_name,
-            social_info: social_info,
-            provider_tokens: provider_tokens,
-            account: account,
+            social_info:,
+            provider_tokens:,
+            account:
           )
           render json: token_response, status: :ok
         end
 
         private
 
-        def decode_state_params
-          encoded_state = params[:state]
-
-          return {} if encoded_state.blank?
-
-          begin
-            JSON.parse(Base64.urlsafe_decode64(encoded_state))
-          rescue JSON::ParserError, ArgumentError
-            raise StandardId::InvalidRequestError, "Invalid state parameter"
-          end
-        end
-
         def resolve_flow_for(connection)
           return :mobile unless connection == "apple"
 

data/app/controllers/standard_id/web/auth/callback/providers_controller.rb

@@ -5,6 +5,7 @@ module StandardId
         class ProvidersController < StandardId::Web::BaseController
           include StandardId::WebAuthentication
           include StandardId::SocialAuthentication
+          include StandardId::Web::SocialLoginParams
 
           # Social callbacks must be accessible without an existing browser session
           # because they create/sign-in the session upon successful callback.
@@ -20,9 +21,9 @@ module StandardId
             state_data = nil
 
             begin
-              state_data = decode_state_params
+              extract_state_and_nonce => { state_data:, nonce: }
               redirect_uri = callback_url_for
-              provider_response = get_user_info_from_provider(redirect_uri: redirect_uri)
+              provider_response = get_user_info_from_provider(redirect_uri:, nonce:)
               social_info = provider_response[:user_info]
               provider_tokens = provider_response[:tokens]
               account = find_or_create_account_from_social(social_info)
@@ -33,6 +34,7 @@ module StandardId
                 social_info: social_info,
                 provider_tokens: provider_tokens,
                 account: account,
+                original_request_params: state_data
               )
 
               destination = state_data["redirect_uri"]
@@ -49,7 +51,7 @@ module StandardId
               raise StandardId::InvalidRequestError, "Provider #{provider.provider_name} does not support mobile callback"
             end
 
-            state_data = decode_state_params
+            extract_state_and_nonce => { state_data: }
             destination = state_data["redirect_uri"]
 
             unless allow_other_host_redirect?(destination)
@@ -73,15 +75,17 @@ module StandardId
             provider.skip_csrf?
           end
 
-          def decode_state_params
-            encoded_state = params[:state]
-            raise StandardId::InvalidRequestError, "Missing state parameter" if encoded_state.blank?
+          def extract_state_and_nonce
+            state_token = params[:state]
+            raise StandardId::InvalidRequestError, "Missing state parameter" if state_token.blank?
 
-            state = JSON.parse(Base64.urlsafe_decode64(encoded_state))
-            state["redirect_uri"] ||= after_authentication_url
-            state
-          rescue JSON::ParserError, ArgumentError
-            raise StandardId::InvalidRequestError, "Invalid state parameter"
+            oauth_state = consume_oauth_request(state_token)
+            raise StandardId::InvalidRequestError, "Invalid or expired state parameter" if oauth_state.nil?
+
+            {
+              state_data: oauth_state["params"],
+              nonce: oauth_state["nonce"]
+            }
           end
 
           def handle_callback_error

data/app/controllers/standard_id/web/login_controller.rb

@@ -2,6 +2,8 @@ module StandardId
   module Web
     class LoginController < BaseController
       include StandardId::InertiaRendering
+      include StandardId::Web::SocialLoginParams
+
 
       layout "public"
 
@@ -33,26 +35,53 @@ module StandardId
       end
 
       def redirect_if_social_login
-        redirect_with_inertia social_login_url, allow_other_host: true if params[:connection].present?
-      end
+        return unless params[:connection].present?
+
+        provider = StandardId::ProviderRegistry.get(params[:connection].to_s)
+
+        state = generate_oauth_token
+        nonce = provider_supports_nonce?(provider) ? generate_oauth_token : nil
 
-      def social_login_url
-        connection = params[:connection]
-        provider = StandardId::ProviderRegistry.get(connection)
+        store_oauth_request(
+          state:,
+          nonce:,
+          params: extract_social_login_params
+        )
+
+        callback_url = "#{request.base_url}#{provider.callback_path}"
+        extra_params = extract_oauth_params(provider)
 
-        provider.authorization_url(
-          state: encode_state,
-          redirect_uri: "#{request.base_url}#{provider.callback_path}"
+        # Add nonce to OAuth params if provider supports it
+        extra_params[:nonce] = nonce if nonce.present?
+
+        url = provider.authorization_url(
+          state:,
+          redirect_uri: callback_url,
+          **extra_params.compact
         )
+
+        redirect_with_inertia url, allow_other_host: true
       rescue StandardId::ProviderRegistry::ProviderNotFoundError => e
         raise StandardId::InvalidRequestError, e.message
       end
 
-      def encode_state
-        Base64.urlsafe_encode64({
-          redirect_uri: params[:redirect_uri] || after_authentication_url,
-          timestamp: Time.current.to_i
-        }.compact.to_json)
+      def extract_social_login_params
+        request.parameters.except("controller", "action", "format", "authenticity_token", "commit", "login").to_h.deep_dup
+      end
+
+      def extract_oauth_params(provider)
+        supported_params = provider.try(:supported_authorization_params)
+        return {} if supported_params.blank?
+
+        params.permit(*supported_params).to_h.compact.symbolize_keys
+      end
+
+      def generate_oauth_token
+        SecureRandom.urlsafe_base64(32)
+      end
+
+      def provider_supports_nonce?(provider)
+        provider.supported_authorization_params.include?(:nonce)
       end
 
       def login_params

data/lib/standard_config/manager.rb

@@ -1,11 +1,13 @@
 require "ostruct"
+require "concurrent/map"
 require "standard_config/config_provider"
 
 module StandardConfig
   class Manager
     def initialize(schema)
       @schema = schema
-      @providers = {}
+      @providers = Concurrent::Map.new
+      @static_configs = Concurrent::Map.new
     end
 
     # Register a configuration provider for a scope
@@ -36,8 +38,10 @@ module StandardConfig
         scopes = @schema.scopes_with_field(field)
         if scopes.size == 1
           s = scopes.first
-          register(s, -> { create_static_config_for_scope(s) }) unless @providers.key?(s)
-          @providers[s].public_send(method_name, *args)
+          provider = @providers.compute_if_absent(s) do
+            ConfigProvider.new(s, -> { create_static_config_for_scope(s) }, @schema)
+          end
+          provider.public_send(method_name, *args)
           return args.first
         end
       end
@@ -46,19 +50,21 @@ module StandardConfig
       scopes = @schema.scopes_with_field(scope_name)
       if scopes.size == 1
         s = scopes.first
-        register(s, -> { create_static_config_for_scope(s) }) unless @providers.key?(s)
-        return @providers[s].get_field(scope_name)
+        provider = @providers.compute_if_absent(s) do
+          ConfigProvider.new(s, -> { create_static_config_for_scope(s) }, @schema)
+        end
+        return provider.get_field(scope_name)
       end
 
       # Handle scope access
-      if @providers.key?(scope_name)
-        return @providers[scope_name]
-      end
+      provider = @providers[scope_name]
+      return provider if provider
 
       # Create static provider for valid scopes on first access
       if @schema.valid_scope?(scope_name)
-        register(scope_name, -> { create_static_config_for_scope(scope_name) })
-        return @providers[scope_name]
+        return @providers.compute_if_absent(scope_name) do
+          ConfigProvider.new(scope_name, -> { create_static_config_for_scope(scope_name) }, @schema)
+        end
       end
 
       super
@@ -75,10 +81,11 @@ module StandardConfig
     private
 
     def create_static_config_for_scope(scope_name)
-      @static_configs ||= {}
-      @static_configs[scope_name] ||= OpenStruct.new.tap do |config|
-        @schema.scopes[scope_name].fields.each do |field_name, field_def|
-          config.send("#{field_name}=", field_def.default_value)
+      @static_configs.compute_if_absent(scope_name) do
+        OpenStruct.new.tap do |config|
+          @schema.scopes[scope_name].fields.each do |field_name, field_def|
+            config.send("#{field_name}=", field_def.default_value)
+          end
         end
       end
     end

data/lib/standard_config/schema.rb

@@ -1,7 +1,9 @@
+require "concurrent/map"
+
 module StandardConfig
   class Schema
     def initialize
-      @scopes = {}
+      @scopes = Concurrent::Map.new
     end
 
     # DSL entry
@@ -16,7 +18,7 @@ module StandardConfig
 
     def scope(name, &block)
       name_sym = name.to_sym
-      builder = scopes[name_sym] ||= ScopeBuilder.new(name_sym)
+      builder = scopes.compute_if_absent(name_sym) { ScopeBuilder.new(name_sym) }
       builder.instance_eval(&block) if block_given?
       builder
     end
@@ -73,7 +75,7 @@ module StandardConfig
 
       def initialize(name)
         @name = name.to_sym
-        @fields = {}
+        @fields = Concurrent::Map.new
       end
 
       def field(name, type: :string, default: nil, readonly: false)

data/lib/standard_config.rb

@@ -3,14 +3,21 @@ require "standard_config/config_provider"
 require "standard_config/manager"
 require "standard_config/schema"
 
+require "concurrent/delay"
+
 module StandardConfig
+  SCHEMA = Concurrent::Delay.new { Schema.new }
+  MANAGER = Concurrent::Delay.new { Manager.new(SCHEMA.value) }
+
   class << self
     def schema
-      @schema ||= Schema.new
+      SCHEMA.value
     end
 
     def configure(&block)
-      config.register(:base, block) unless config.registered?(:base) if block_given? && block.arity == 0
+      if block_given? && block.arity.zero? && !config.registered?(:base)
+        config.register(:base, block)
+      end
 
       yield config if block_given?
 
@@ -18,7 +25,7 @@ module StandardConfig
     end
 
     def config
-      @manager ||= Manager.new(schema)
+      MANAGER.value
     end
 
     private

data/lib/standard_id/events/definitions.rb

@@ -139,6 +139,47 @@ module StandardId
         CREDENTIAL_CLIENT_SECRET_REVOKED
       ].freeze
 
+      SECURITY_EVENTS = [
+        # Authentication
+        AUTHENTICATION_SUCCEEDED,
+        AUTHENTICATION_FAILED,
+        PASSWORD_VALIDATION_FAILED,
+        OTP_VALIDATION_FAILED,
+        # Session
+        SESSION_CREATED,
+        SESSION_REVOKED,
+        SESSION_EXPIRED,
+        # Account
+        ACCOUNT_CREATED,
+        ACCOUNT_VERIFIED,
+        ACCOUNT_STATUS_CHANGED,
+        ACCOUNT_ACTIVATED,
+        ACCOUNT_DEACTIVATED,
+        ACCOUNT_LOCKED,
+        ACCOUNT_UNLOCKED,
+        # Identifier
+        IDENTIFIER_VERIFICATION_FAILED,
+        # OAuth
+        OAUTH_AUTHORIZATION_GRANTED,
+        OAUTH_AUTHORIZATION_DENIED,
+        OAUTH_TOKEN_ISSUED,
+        OAUTH_TOKEN_REFRESHED,
+        # Passwordless
+        PASSWORDLESS_CODE_FAILED,
+        PASSWORDLESS_ACCOUNT_CREATED,
+        # Credential
+        CREDENTIAL_PASSWORD_CREATED,
+        CREDENTIAL_PASSWORD_RESET_INITIATED,
+        CREDENTIAL_PASSWORD_RESET_COMPLETED,
+        CREDENTIAL_PASSWORD_CHANGED,
+        CREDENTIAL_CLIENT_SECRET_CREATED,
+        CREDENTIAL_CLIENT_SECRET_ROTATED,
+        CREDENTIAL_CLIENT_SECRET_REVOKED,
+        # Social
+        SOCIAL_ACCOUNT_CREATED,
+        SOCIAL_ACCOUNT_LINKED
+      ].freeze
+
       ALL_EVENTS = (
         AUTHENTICATION_EVENTS +
         SESSION_EVENTS +

data/lib/standard_id/events.rb

@@ -128,6 +128,7 @@ module StandardId
           enriched[:request_id] = ::Current.request_id if ::Current.request_id.present?
           enriched[:ip_address] ||= ::Current.ip_address if ::Current.respond_to?(:ip_address) && ::Current.ip_address.present?
           enriched[:user_agent] ||= ::Current.user_agent if ::Current.respond_to?(:user_agent) && ::Current.user_agent.present?
+          enriched[:current_account] ||= ::Current.account if ::Current.respond_to?(:account) && ::Current.account.present?
         end
 
         enriched.merge(payload)

data/lib/standard_id/jwt_service.rb

@@ -1,4 +1,5 @@
 require "jwt"
+require "concurrent/delay"
 
 module StandardId
   class JwtService
@@ -6,7 +7,7 @@ module StandardId
     RESERVED_JWT_KEYS = %i[sub client_id scope grant_type exp iat aud iss nbf jti]
     BASE_SESSION_FIELDS = %i[account_id client_id scopes grant_type]
 
-    def self.session_class
+    SESSION_CLASS = Concurrent::Delay.new do
       Struct.new(*(BASE_SESSION_FIELDS + claim_resolver_keys), keyword_init: true) do
         def active?
           true
@@ -14,6 +15,10 @@ module StandardId
       end
     end
 
+    def self.session_class
+      SESSION_CLASS.value
+    end
+
     def self.encode(payload, expires_in: 1.hour)
       payload[:exp] = expires_in.from_now.to_i
       payload[:iat] = Time.current.to_i

data/lib/standard_id/oauth/social_flow.rb

@@ -3,11 +3,10 @@ module StandardId
     class SocialFlow < TokenGrantFlow
       attr_reader :account, :connection, :original_params
 
-      def initialize(params, request, account:, connection:, original_params: {})
+      def initialize(params, request, account:, connection:)
         super(params, request)
         @account = account
         @connection = connection
-        @original_params = original_params
       end
 
       def authenticate!
@@ -21,21 +20,17 @@ module StandardId
       end
 
       def client_id
-        @original_params["client_id"]
+        nil
       end
 
       def token_scope
-        @original_params["scope"]
+        nil
       end
 
       def grant_type
         "social"
       end
 
-      def audience
-        @original_params["audience"]
-      end
-
       def supports_refresh_token?
         true
       end

data/lib/standard_id/provider_registry.rb

@@ -1,17 +1,23 @@
+require "concurrent/map"
+
 module StandardId
   class ProviderRegistry
     class ProviderNotFoundError < StandardError; end
     class InvalidProviderError < StandardError; end
 
-    @providers = {}
+    @providers = Concurrent::Map.new
 
     class << self
+      def providers
+        @providers
+      end
+
       # Register a provider
       # @param name [Symbol, String] Provider identifier
       # @param provider_class [Class] Provider implementation class
       def register(name, provider_class)
         validate_provider!(provider_class)
-        @providers[name.to_s] = provider_class
+        providers[name.to_s] = provider_class
         register_config_schema(provider_class)
         provider_class.setup if provider_class.respond_to?(:setup)
         provider_class
@@ -22,9 +28,9 @@ module StandardId
       # @return [Class] Provider class
       # @raise [ProviderNotFoundError] if provider not found
       def get(name)
-        @providers[name.to_s] || raise(
+        providers[name.to_s] || raise(
           ProviderNotFoundError,
-          "Unknown provider: #{name}. Available providers: #{@providers.keys.join(', ')}"
+          "Unknown provider: #{name}. Available providers: #{providers.keys.join(', ')}"
         )
       end
 
@@ -32,14 +38,14 @@ module StandardId
       # Get all registered providers
       # @return [Hash] Provider name => class mapping
       def all
-        @providers.dup
+        providers.each_pair.to_h
       end
 
       # Check if provider is registered
       # @param name [Symbol, String] Provider identifier
       # @return [Boolean]
       def registered?(name)
-        @providers.key?(name.to_s)
+        providers.key?(name.to_s)
       end
 
       private

data/lib/standard_id/providers/base.rb

@@ -209,6 +209,22 @@ module StandardId
           false
         end
 
+        # Returns list of supported authorization parameters for this provider.
+        #
+        # Include :nonce in this list for OIDC providers to enable nonce validation.
+        # Nonce provides replay attack protection for ID tokens.
+        #
+        # @return [Array<Symbol>] List of supported parameters
+        #
+        # @example
+        #   def supported_authorization_params
+        #     [:scope, :prompt, :nonce]
+        #   end
+        #
+        def supported_authorization_params
+          []
+        end
+
         # Optional setup hook called when provider is registered.
         #
         # Override this method to perform initialization tasks like:

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.1.7"
+  VERSION = "0.2.1"
 end

data/lib/standard_id.rb

@@ -40,13 +40,16 @@ require "standard_id/passwordless/email_strategy"
 require "standard_id/passwordless/sms_strategy"
 require "standard_id/utils/callable_parameter_filter"
 
+require "concurrent/delay"
+
 require "standard_id/providers/base"
 require "standard_id/provider_registry"
-require "standard_id/providers/google"
-require "standard_id/providers/apple"
 
 module StandardId
   class << self
+    CACHE_STORE = Concurrent::Delay.new { config.cache_store || Rails.cache }
+    LOGGER = Concurrent::Delay.new { config.logger || Rails.logger }
+
     def configure(&block)
       StandardConfig.configure(&block)
     end
@@ -60,11 +63,11 @@ module StandardId
     end
 
     def cache_store
-      @cache_store ||= config.cache_store || Rails.cache
+      CACHE_STORE.value
     end
 
     def logger
-      @logger ||= config.logger || Rails.logger
+      LOGGER.value
     end
 
     def account_class

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.1.7
+  version: 0.2.1
 platform: ruby
 authors:
 - Jaryl Sim
@@ -69,6 +69,7 @@ files:
 - app/controllers/concerns/standard_id/inertia_support.rb
 - app/controllers/concerns/standard_id/set_current_request_details.rb
 - app/controllers/concerns/standard_id/social_authentication.rb
+- app/controllers/concerns/standard_id/web/social_login_params.rb
 - app/controllers/concerns/standard_id/web_authentication.rb
 - app/controllers/standard_id/api/authorization_controller.rb
 - app/controllers/standard_id/api/base_controller.rb
@@ -182,9 +183,7 @@ files:
 - lib/standard_id/passwordless/email_strategy.rb
 - lib/standard_id/passwordless/sms_strategy.rb
 - lib/standard_id/provider_registry.rb
-- lib/standard_id/providers/apple.rb
 - lib/standard_id/providers/base.rb
-- lib/standard_id/providers/google.rb
 - lib/standard_id/utils/callable_parameter_filter.rb
 - lib/standard_id/version.rb
 - lib/standard_id/web/authentication_guard.rb

data/lib/standard_id/providers/apple.rb

@@ -1,223 +0,0 @@
-require "uri"
-require "net/http"
-require "json"
-require "jwt"
-require_relative "base"
-
-module StandardId
-  module Providers
-    class Apple < Base
-      ISSUER = "https://appleid.apple.com".freeze
-      AUTH_ENDPOINT = "#{ISSUER}/auth/authorize".freeze
-      TOKEN_ENDPOINT = "#{ISSUER}/auth/token".freeze
-      JWKS_URI = "#{ISSUER}/auth/keys".freeze
-      DEFAULT_SCOPE = "name email".freeze
-      DEFAULT_RESPONSE_MODE = "form_post".freeze
-
-      class << self
-        def provider_name
-          "apple"
-        end
-
-        def authorization_url(state:, redirect_uri:, **options)
-          scope = options[:scope] || DEFAULT_SCOPE
-          response_mode = options[:response_mode] || DEFAULT_RESPONSE_MODE
-
-          ensure_basic_credentials!
-
-          query = {
-            client_id: StandardId.config.apple_client_id,
-            redirect_uri: redirect_uri,
-            response_type: "code",
-            scope: scope,
-            response_mode: response_mode,
-            state: state
-          }
-
-          "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query)}"
-        end
-
-        def get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, **options)
-          client_id = options[:client_id] || StandardId.config.apple_client_id
-
-          if id_token.present?
-            build_response(
-              verify_id_token(id_token: id_token, client_id: client_id),
-              tokens: { id_token: id_token }
-            )
-          elsif code.present?
-            exchange_code_for_user_info(code: code, redirect_uri: redirect_uri, client_id: client_id)
-          else
-            raise StandardId::InvalidRequestError, "Either code or id_token must be provided"
-          end
-        end
-
-        def config_schema
-          {
-            apple_client_id: { type: :string, default: nil },
-            apple_mobile_client_id: { type: :string, default: nil },
-            apple_private_key: { type: :string, default: nil },
-            apple_key_id: { type: :string, default: nil },
-            apple_team_id: { type: :string, default: nil }
-          }
-        end
-
-        def default_scope
-          DEFAULT_SCOPE
-        end
-
-        def skip_csrf?
-          true
-        end
-
-        def supports_mobile_callback?
-          true
-        end
-
-        def resolve_params(params, context: {})
-          flow = context[:flow] || :web
-          client_id = flow == :mobile ? StandardId.config.apple_mobile_client_id : StandardId.config.apple_client_id
-
-          params.merge(client_id: client_id)
-        end
-
-        def exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id)
-          ensure_full_credentials!(client_id: client_id)
-          raise StandardId::InvalidRequestError, "Missing authorization code" if code.blank?
-
-          token_response = HttpClient.post_form(TOKEN_ENDPOINT, {
-            client_id: client_id,
-            client_secret: generate_client_secret(client_id: client_id),
-            code: code,
-            grant_type: "authorization_code",
-            redirect_uri: redirect_uri
-          })
-
-          unless token_response.is_a?(Net::HTTPSuccess)
-            error_body = JSON.parse(token_response.body) rescue {}
-            raise StandardId::InvalidRequestError, "Failed to exchange Apple authorization code: #{error_body['error']}"
-          end
-
-          parsed_token = JSON.parse(token_response.body)
-          id_token = parsed_token["id_token"]
-          raise StandardId::InvalidRequestError, "Apple response missing id_token" if id_token.blank?
-
-          tokens = extract_token_payload(parsed_token)
-          user_info = verify_id_token(id_token: id_token, client_id: client_id)
-
-          build_response(user_info, tokens: tokens)
-        rescue StandardError => e
-          raise e if e.is_a?(StandardId::OAuthError)
-          raise StandardId::OAuthError, e.message, cause: e
-        end
-
-        def verify_id_token(id_token:, client_id: StandardId.config.apple_client_id)
-          raise StandardId::InvalidRequestError, "Missing id_token" if id_token.blank?
-          if client_id.blank?
-            raise StandardId::InvalidRequestError, "Apple client_id is not configured"
-          end
-
-          decoded_token = JWT.decode(id_token, nil, false)
-          header = decoded_token[1]
-
-          jwk = fetch_jwk(kid: header["kid"])
-
-          verified_payload, = JWT.decode(
-            id_token,
-            jwk.public_key,
-            true,
-            algorithm: "RS256",
-            iss: ISSUER,
-            verify_iss: true,
-            aud: client_id,
-            verify_aud: true
-          )
-
-          {
-            "sub" => verified_payload["sub"],
-            "email" => verified_payload["email"],
-            "email_verified" => verified_payload["email_verified"],
-            "is_private_email" => verified_payload["is_private_email"]
-          }.compact
-        rescue JWT::InvalidAudError => e
-          raise StandardId::InvalidRequestError, "Invalid Apple ID token audience: #{e.message}"
-        rescue JWT::DecodeError => e
-          raise StandardId::InvalidRequestError, "Invalid Apple ID token: #{e.message}"
-        rescue StandardError => e
-          raise e if e.is_a?(StandardId::OAuthError)
-          raise StandardId::OAuthError, e.message, cause: e
-        end
-
-        private
-
-        def ensure_basic_credentials!(client_id: StandardId.config.apple_client_id)
-          if client_id.blank?
-            raise StandardId::InvalidRequestError, "Apple OAuth is not configured"
-          end
-        end
-
-        def ensure_full_credentials!(client_id: nil)
-          ensure_basic_credentials!(client_id: client_id)
-
-          required = [
-            StandardId.config.apple_private_key,
-            StandardId.config.apple_key_id,
-            StandardId.config.apple_team_id
-          ]
-
-          if required.any?(&:blank?)
-            raise StandardId::InvalidRequestError, "Apple OAuth credentials are incomplete"
-          end
-        end
-
-        def generate_client_secret(client_id: StandardId.config.apple_client_id)
-          header = {
-            alg: "ES256",
-            kid: StandardId.config.apple_key_id
-          }
-
-          payload = {
-            iss: StandardId.config.apple_team_id,
-            iat: Time.current.to_i,
-            exp: Time.current.to_i + 3600,
-            aud: ISSUER,
-            sub: client_id
-          }
-
-          private_key = OpenSSL::PKey::EC.new(StandardId.config.apple_private_key)
-          JWT.encode(payload, private_key, "ES256", header)
-        end
-
-        def fetch_jwk(kid:)
-          uri = URI(JWKS_URI)
-          jwks_response = Net::HTTP.get_response(uri)
-
-          unless jwks_response.is_a?(Net::HTTPSuccess)
-            raise StandardId::InvalidRequestError, "Failed to fetch Apple JWKS"
-          end
-
-          jwks_data = JSON.parse(jwks_response.body)
-          jwk_data = jwks_data["keys"].find { |key| key["kid"] == kid }
-
-          raise StandardId::InvalidRequestError, "JWK with kid '#{kid}' not found in Apple's JWKS" unless jwk_data
-
-          JWT::JWK.import(jwk_data)
-        rescue StandardError => e
-          raise e if e.is_a?(StandardId::OAuthError)
-          raise StandardId::OAuthError, "Failed to fetch JWK: #{e.message}"
-        end
-
-        def extract_token_payload(parsed_token)
-          {
-            access_token: parsed_token["access_token"],
-            refresh_token: parsed_token["refresh_token"],
-            id_token: parsed_token["id_token"]
-          }.compact
-        end
-      end
-    end
-  end
-end
-
-# Auto-register with the provider registry
-StandardId::ProviderRegistry.register(:apple, StandardId::Providers::Apple)

data/lib/standard_id/providers/google.rb

@@ -1,187 +0,0 @@
-require_relative "base"
-
-module StandardId
-  module Providers
-    class Google < Base
-      AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth".freeze
-      TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token".freeze
-      USERINFO_ENDPOINT = "https://www.googleapis.com/oauth2/v2/userinfo".freeze
-      TOKEN_INFO_ENDPOINT = "https://oauth2.googleapis.com/tokeninfo".freeze
-      DEFAULT_SCOPE = "openid email profile".freeze
-
-      class << self
-        def provider_name
-          "google"
-        end
-
-        def authorization_url(state:, redirect_uri:, **options)
-          scope = options[:scope] || DEFAULT_SCOPE
-          prompt = options[:prompt]
-
-          query = {
-            client_id: credentials[:client_id],
-            redirect_uri: redirect_uri,
-            response_type: "code",
-            scope: scope,
-            state: state
-          }
-
-          query[:prompt] = prompt if prompt.present?
-
-          "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query)}"
-        end
-
-        def get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, **options)
-          if id_token.present?
-            build_response(
-              verify_id_token(id_token: id_token),
-              tokens: { id_token: id_token }
-            )
-          elsif access_token.present?
-            build_response(
-              fetch_user_info(access_token: access_token),
-              tokens: { access_token: access_token }
-            )
-          elsif code.present?
-            exchange_code_for_user_info(code: code, redirect_uri: redirect_uri)
-          else
-            raise StandardId::InvalidRequestError, "Either code, id_token, or access_token must be provided"
-          end
-        end
-
-        def config_schema
-          {
-            google_client_id: { type: :string, default: nil },
-            google_client_secret: { type: :string, default: nil }
-          }
-        end
-
-        def default_scope
-          DEFAULT_SCOPE
-        end
-
-        def exchange_code_for_user_info(code:, redirect_uri:)
-          raise StandardId::InvalidRequestError, "Missing authorization code" if code.blank?
-
-          token_response = HttpClient.post_form(TOKEN_ENDPOINT, {
-            client_id: credentials[:client_id],
-            client_secret: credentials[:client_secret],
-            code: code,
-            grant_type: "authorization_code",
-            redirect_uri: redirect_uri
-          }.compact)
-
-          unless token_response.is_a?(Net::HTTPSuccess)
-            raise StandardId::InvalidRequestError, "Failed to exchange Google authorization code"
-          end
-
-          parsed_token = JSON.parse(token_response.body)
-          access_token = parsed_token["access_token"]
-          raise StandardId::InvalidRequestError, "Google response missing access token" if access_token.blank?
-
-          tokens = extract_token_payload(parsed_token)
-          user_info = fetch_user_info(access_token: access_token)
-
-          build_response(user_info, tokens: tokens)
-        rescue StandardError => e
-          raise e if e.is_a?(StandardId::OAuthError)
-          raise StandardId::OAuthError, e.message, cause: e
-        end
-
-        def verify_id_token(id_token:)
-          raise StandardId::InvalidRequestError, "Missing id_token" if id_token.blank?
-
-          response = HttpClient.post_form(TOKEN_INFO_ENDPOINT, id_token: id_token)
-
-          unless response.is_a?(Net::HTTPSuccess)
-            raise StandardId::InvalidRequestError, "Invalid or expired id_token"
-          end
-
-          token_info = JSON.parse(response.body)
-
-          unless token_info["aud"] == credentials[:client_id]
-            raise StandardId::InvalidRequestError, "ID token audience mismatch. Expected: #{credentials[:client_id]}, got: #{token_info['aud']}"
-          end
-
-          unless ["accounts.google.com", "https://accounts.google.com"].include?(token_info["iss"])
-            raise StandardId::InvalidRequestError, "ID token issuer invalid. Expected Google, got: #{token_info['iss']}"
-          end
-
-          {
-            "sub" => token_info["sub"],
-            "email" => token_info["email"],
-            "email_verified" => token_info["email_verified"],
-            "name" => token_info["name"],
-            "given_name" => token_info["given_name"],
-            "family_name" => token_info["family_name"],
-            "picture" => token_info["picture"],
-            "locale" => token_info["locale"]
-          }.compact
-        rescue StandardError => e
-          raise e if e.is_a?(StandardId::OAuthError)
-          raise StandardId::OAuthError, e.message, cause: e
-        end
-
-        def fetch_user_info(access_token:)
-          raise StandardId::InvalidRequestError, "Missing access token" if access_token.blank?
-
-          verify_token(access_token)
-          user_response = HttpClient.get_with_bearer(USERINFO_ENDPOINT, access_token)
-
-          unless user_response.is_a?(Net::HTTPSuccess)
-            raise StandardId::InvalidRequestError, "Failed to fetch Google user info"
-          end
-
-          JSON.parse(user_response.body)
-        rescue StandardError => e
-          raise e if e.is_a?(StandardId::OAuthError)
-          raise StandardId::OAuthError, e.message, cause: e
-        end
-
-        private
-
-        def credentials
-          @credentials ||= begin
-            if StandardId.config.google_client_id.blank? || StandardId.config.google_client_secret.blank?
-              raise StandardId::InvalidRequestError, "Google provider is not configured"
-            end
-
-            {
-              client_id: StandardId.config.google_client_id,
-              client_secret: StandardId.config.google_client_secret
-            }
-          end
-        end
-
-        def verify_token(access_token)
-          token_info_uri = "https://www.googleapis.com/oauth2/v3/tokeninfo"
-
-          response = HttpClient.post_form(token_info_uri, access_token: access_token)
-
-          unless response.is_a?(Net::HTTPSuccess)
-            raise StandardId::InvalidRequestError, "Invalid or expired access token"
-          end
-
-          token_info = JSON.parse(response.body)
-
-          unless token_info["aud"] == credentials[:client_id]
-            raise StandardId::InvalidRequestError, "Access token audience mismatch. Expected: #{credentials[:client_id]}, got: #{token_info['aud']}"
-          end
-
-          token_info
-        end
-
-        def extract_token_payload(parsed_token)
-          {
-            access_token: parsed_token["access_token"],
-            refresh_token: parsed_token["refresh_token"],
-            id_token: parsed_token["id_token"]
-          }.compact
-        end
-      end
-    end
-  end
-end
-
-# Auto-register with the provider registry
-StandardId::ProviderRegistry.register(:google, StandardId::Providers::Google)