standard_id 0.14.4 → 0.16.0

data/app/controllers/standard_id/web/reset_password/start_controller.rb

@@ -14,7 +14,10 @@ module StandardId
         end
 
         def create
-          form = StandardId::Web::ResetPasswordStartForm.new(email: params[:email])
+          form = StandardId::Web::ResetPasswordStartForm.new(
+            email: params[:email],
+            reset_url_template: build_reset_url_template
+          )
 
           if form.submit
             flash[:notice] = "If an account with that email exists, we've sent password reset instructions."
@@ -24,6 +27,29 @@ module StandardId
             render :show, status: :unprocessable_content
           end
         end
+
+        private
+
+        # Build a password-reset URL template containing a literal "{token}"
+        # placeholder. The async delivery job substitutes the placeholder with
+        # the generated token once the account lookup completes. We build this
+        # here (rather than in the job) so the URL reflects the request's
+        # scheme/host/port — the job has no access to the HTTP request.
+        #
+        # The route helper may be absent if the host app mounts the engine
+        # without the `:password_reset` mechanism, or raise UrlGenerationError
+        # if required params are missing; fall back to a request-derived URL
+        # in those cases. Any other exception should surface normally.
+        def build_reset_url_template
+          base = begin
+            reset_password_confirm_url
+          rescue NameError, NoMethodError, ActionController::UrlGenerationError
+            nil
+          end
+          base ||= "#{request.base_url}/reset_password/confirm"
+          separator = base.include?("?") ? "&" : "?"
+          "#{base}#{separator}token={token}"
+        end
       end
     end
   end

data/app/controllers/standard_id/web/verify_email/start_controller.rb

@@ -32,7 +32,7 @@ module StandardId
             realm: "verification",
             channel: "email",
             target: email,
-            code: generate_otp_code,
+            code: StandardId::Passwordless.generate_otp_code,
             expires_at: 10.minutes.from_now,
             ip_address: StandardId::Utils::IpNormalizer.normalize(request.remote_ip),
             user_agent: request.user_agent
@@ -42,12 +42,6 @@ module StandardId
 
           redirect_to standard_id_web.login_path, notice: "Verification code sent to your email", status: :see_other
         end
-
-        private
-
-        def generate_otp_code
-          (SecureRandom.random_number(900_000) + 100_000).to_s
-        end
       end
     end
   end

data/app/controllers/standard_id/web/verify_phone/start_controller.rb

@@ -32,7 +32,7 @@ module StandardId
             realm: "verification",
             channel: "sms",
             target: phone,
-            code: generate_otp_code,
+            code: StandardId::Passwordless.generate_otp_code,
             expires_at: 10.minutes.from_now,
             ip_address: StandardId::Utils::IpNormalizer.normalize(request.remote_ip),
             user_agent: request.user_agent
@@ -42,12 +42,6 @@ module StandardId
 
           redirect_to standard_id_web.login_path, notice: "Verification code sent via SMS", status: :see_other
         end
-
-        private
-
-        def generate_otp_code
-          (SecureRandom.random_number(900_000) + 100_000).to_s
-        end
       end
     end
   end

data/app/forms/standard_id/web/reset_password_start_form.rb

@@ -6,32 +6,33 @@ module StandardId
 
       attribute :email, :string
 
-      attr_reader :password_credential, :token
-
       validates :email, presence: { message: "Please enter your email address" }, format: { with: URI::MailTo::EMAIL_REGEXP }
 
-      def submit
-        return false unless valid?
-
-        if token.present?
-          # TODO: send reset link via email
-        end
-
-        true
+      # Constructor accepts the reset URL template so the form is decoupled
+      # from routing. The controller builds a URL from `reset_password_confirm_url`
+      # (or a request-derived fallback) and appends a literal `?token={token}` (or
+      # `&token={token}`) marker via string concatenation. The delivery job
+      # substitutes that placeholder with the actual token after account lookup.
+      def initialize(attributes = {})
+        @reset_url_template = attributes.delete(:reset_url_template) if attributes.is_a?(Hash)
+        super
       end
 
-      def password_credential
-        @password_credential ||= identifier&.account&.credentials&.where(credentialable_type: "StandardId::PasswordCredential")&.sole&.credentialable
-      end
+      attr_reader :reset_url_template
 
-      def token
-        @token ||= password_credential&.generate_token_for(:password_reset)
-      end
+      def submit
+        return false unless valid?
 
-      private
+        # Enqueue the full lookup + token generation + mailer delivery pipeline
+        # so the controller response time does not depend on whether an account
+        # exists for the submitted email. This closes the user-enumeration
+        # timing side channel.
+        StandardId::PasswordResetDeliveryJob.perform_later(
+          email: email.to_s,
+          reset_url_template: reset_url_template.to_s
+        )
 
-      def identifier
-        @identifier ||= StandardId::EmailIdentifier.find_by(value: email.to_s.strip.downcase)
+        true
       end
     end
   end

data/app/jobs/standard_id/cleanup_expired_authorization_codes_job.rb

@@ -0,0 +1,51 @@
+module StandardId
+  class CleanupExpiredAuthorizationCodesJob < ApplicationJob
+    queue_as :default
+
+    # Delete OAuth authorization codes that are either expired or consumed
+    # beyond the respective grace periods.
+    #
+    # Authorization codes are single-use and short-lived (OAuth 2.1 recommends
+    # a lifetime under 10 minutes). Two grace windows apply:
+    #
+    # - `grace_period_seconds` (default 7 days): how long expired-but-unused
+    #   codes are retained after `expires_at`. Matches the sessions/refresh-
+    #   token cleanup windows so operators only have to reason about one
+    #   default.
+    # - `consumed_grace_period_seconds` (default 1 day): how long consumed
+    #   codes are retained after `consumed_at`. Used codes are useless after
+    #   redemption, so they're pruned faster — keeping them briefly only
+    #   helps with replay-attack forensics in the immediate aftermath of a
+    #   redemption.
+    #
+    # Accepts integer seconds for reliable ActiveJob serialization across all
+    # queue adapters.
+    def perform(grace_period_seconds: 7.days.to_i, consumed_grace_period_seconds: 1.day.to_i)
+      expired_cutoff = grace_period_seconds.seconds.ago
+      consumed_cutoff = consumed_grace_period_seconds.seconds.ago
+
+      # The two windows govern disjoint sets of rows:
+      #   - Unconsumed codes: ruled by `expires_at < expired_cutoff`.
+      #   - Consumed codes:   ruled by `consumed_at < consumed_cutoff`.
+      #
+      # A naive `expires_at < :expired_cutoff OR consumed_at < :consumed_cutoff`
+      # would let the expired arm delete a consumed-12-hours-ago row whose
+      # `expires_at` sits 8 days in the past — defeating the consumed grace
+      # window's whole purpose. Scoping the expired clause to `consumed_at IS
+      # NULL` keeps consumed rows under the consumed window exclusively.
+      deleted = StandardId::AuthorizationCode
+        .where(
+          "(expires_at < :expired_cutoff AND consumed_at IS NULL) " \
+            "OR consumed_at < :consumed_cutoff",
+          expired_cutoff: expired_cutoff,
+          consumed_cutoff: consumed_cutoff
+        )
+        .delete_all
+
+      Rails.logger.info(
+        "[StandardId] Cleaned up #{deleted} authorization codes " \
+        "(expired before #{expired_cutoff}, consumed before #{consumed_cutoff})"
+      )
+    end
+  end
+end

data/app/jobs/standard_id/cleanup_expired_code_challenges_job.rb

@@ -0,0 +1,45 @@
+module StandardId
+  class CleanupExpiredCodeChallengesJob < ApplicationJob
+    queue_as :default
+
+    # Delete code challenges (OTP records) that are either expired or used
+    # beyond the respective grace periods.
+    #
+    # Code challenges back passwordless/OTP flows: rows are short-lived and
+    # single-use. Two grace windows apply:
+    #
+    # - `grace_period_seconds` (default 7 days): how long expired-but-unused
+    #   challenges are retained after `expires_at`. Matches the sessions/
+    #   refresh-token cleanup windows for operational consistency.
+    # - `used_grace_period_seconds` (default 1 day): how long used challenges
+    #   are retained after `used_at`. A used OTP is useless after redemption,
+    #   so prune faster — the short tail only helps with replay-attack
+    #   forensics immediately after use.
+    #
+    # Accepts integer seconds for reliable ActiveJob serialization across all
+    # queue adapters.
+    def perform(grace_period_seconds: 7.days.to_i, used_grace_period_seconds: 1.day.to_i)
+      expired_cutoff = grace_period_seconds.seconds.ago
+      used_cutoff = used_grace_period_seconds.seconds.ago
+
+      # See CleanupExpiredAuthorizationCodesJob for the rationale — the two
+      # windows govern disjoint sets of rows and a naive OR lets the expired
+      # arm prune recently-used challenges out from under the used grace
+      # window. Unused challenges follow `expires_at`; used challenges follow
+      # `used_at`.
+      deleted = StandardId::CodeChallenge
+        .where(
+          "(expires_at < :expired_cutoff AND used_at IS NULL) " \
+            "OR used_at < :used_cutoff",
+          expired_cutoff: expired_cutoff,
+          used_cutoff: used_cutoff
+        )
+        .delete_all
+
+      Rails.logger.info(
+        "[StandardId] Cleaned up #{deleted} code challenges " \
+        "(expired before #{expired_cutoff}, used before #{used_cutoff})"
+      )
+    end
+  end
+end

data/app/jobs/standard_id/password_reset_delivery_job.rb

@@ -0,0 +1,42 @@
+module StandardId
+  # Handles the full password-reset email delivery pipeline asynchronously.
+  #
+  # Running this work in a job (rather than inline in the request) eliminates
+  # the timing side-channel that would otherwise leak whether an account
+  # exists for a given email: every request enqueues the same job, so the
+  # synchronous request path is constant-time regardless of account state.
+  class PasswordResetDeliveryJob < ApplicationJob
+    queue_as :default
+
+    # @param email [String] the raw email submitted by the user
+    # @param reset_url_template [String] URL with a literal "{token}" placeholder
+    #   that the job will substitute with the generated reset token
+    def perform(email:, reset_url_template:)
+      normalized = email.to_s.strip.downcase
+      return if normalized.blank?
+
+      identifier = StandardId::EmailIdentifier.find_by(value: normalized)
+      return if identifier.nil?
+
+      password_credential = identifier.account
+        &.credentials
+        &.where(credentialable_type: "StandardId::PasswordCredential")
+        &.first
+        &.credentialable
+      return if password_credential.nil?
+
+      token = password_credential.generate_token_for(:password_reset)
+      return if token.blank?
+
+      reset_url = reset_url_template.to_s.sub("{token}", token)
+
+      StandardId::Events.publish(
+        StandardId::Events::CREDENTIAL_PASSWORD_RESET_INITIATED,
+        account: identifier.account,
+        identifier: normalized,
+        token: token,
+        reset_url: reset_url
+      )
+    end
+  end
+end

data/app/mailers/standard_id/password_reset_mailer.rb

@@ -0,0 +1,16 @@
+module StandardId
+  class PasswordResetMailer < ApplicationMailer
+    layout false
+
+    def reset_email
+      @reset_url = params[:reset_url]
+      @email = params[:email]
+
+      mail(
+        to: @email,
+        from: StandardId.config.reset_password.mailer_from,
+        subject: StandardId.config.reset_password.mailer_subject
+      )
+    end
+  end
+end

data/app/models/concerns/standard_id/account_associations.rb

@@ -12,6 +12,31 @@ module StandardId
       accepts_nested_attributes_for :identifiers
     end
 
+    # Returns the account's StandardId::EmailIdentifier, if any.
+    #
+    # Uses the in-memory collection when identifiers is already loaded to
+    # avoid issuing an extra query (N+1 safety). Falls back to a scoped
+    # query otherwise.
+    #
+    # @return [StandardId::EmailIdentifier, nil]
+    def email_identifier
+      typed_identifier(StandardId::EmailIdentifier)
+    end
+
+    # Returns the account's StandardId::PhoneNumberIdentifier, if any.
+    #
+    # @return [StandardId::PhoneNumberIdentifier, nil]
+    def phone_number_identifier
+      typed_identifier(StandardId::PhoneNumberIdentifier)
+    end
+
+    # Returns the account's StandardId::UsernameIdentifier, if any.
+    #
+    # @return [StandardId::UsernameIdentifier, nil]
+    def username_identifier
+      typed_identifier(StandardId::UsernameIdentifier)
+    end
+
     class_methods do
       def find_or_create_by_verified_email!(email, **account_attributes)
         raise ArgumentError, "email is required" if email.blank?
@@ -54,5 +79,23 @@ module StandardId
         identifier.account
       end
     end
+
+    private
+
+    # Fetch the first identifier of the given STI subclass.
+    #
+    # When the identifiers association is already loaded, filters in memory
+    # to avoid triggering an additional query. Otherwise issues a scoped
+    # query that returns at most one row.
+    #
+    # @param klass [Class] subclass of StandardId::Identifier
+    # @return [StandardId::Identifier, nil]
+    def typed_identifier(klass)
+      if association(:identifiers).loaded?
+        identifiers.detect { |i| i.is_a?(klass) }
+      else
+        identifiers.where(type: klass.sti_name).first
+      end
+    end
   end
 end

data/app/models/standard_id/authorization_code.rb

@@ -18,9 +18,22 @@ module StandardId
 
     def self.issue!(plaintext_code:, client_id:, redirect_uri:, scope: nil, audience: nil, account: nil, code_challenge: nil, code_challenge_method: nil, nonce: nil, metadata: {})
       # Fail fast: reject unsupported PKCE methods at issuance rather than
-      # storing a code that will always fail at redemption time.
+      # storing a code that will always fail at redemption time. When the
+      # client record has PKCE required, defer to the client's configured
+      # `code_challenge_methods`. In all other cases (client lookup missing,
+      # or client opted out of PKCE but still sent a challenge) fall back
+      # to an S256-only belt-and-suspenders check so we never silently
+      # accept a weaker method.
       if code_challenge.present?
-        unless code_challenge_method.to_s.downcase == "s256"
+        client = StandardId::ClientApplication.find_by(client_id: client_id)
+        method_supported =
+          if client&.require_pkce?
+            client.supports_pkce_method?(code_challenge_method)
+          else
+            code_challenge_method.to_s.downcase == "s256"
+          end
+
+        unless method_supported
           raise StandardId::InvalidRequestError, "Unsupported code_challenge_method: only S256 is allowed"
         end
       end

data/app/models/standard_id/client_application.rb

@@ -12,6 +12,7 @@ module StandardId
     validates :name, presence: true, length: { maximum: 255 }
     validates :description, length: { maximum: 1000 }
     validates :redirect_uris, presence: true
+    validate :redirect_uris_must_be_absolute_without_query_or_fragment
     validates :client_type, inclusion: { in: %w[confidential public] }
     validates :grant_types, presence: true
     validates :response_types, presence: true
@@ -22,6 +23,11 @@ module StandardId
     validates :access_token_lifetime, :refresh_token_lifetime, :authorization_code_lifetime,
               presence: true, numericality: { greater_than: 0 }
 
+    # Security: public clients cannot opt out of PKCE. Public clients run in
+    # environments where a client secret cannot be kept confidential, so PKCE
+    # is the only protection against authorization code interception.
+    validate :public_clients_must_require_pkce
+
     # Scopes
     scope :active, -> { where(active: true) }
     scope :confidential, -> { where(client_type: "confidential") }
@@ -75,11 +81,50 @@ module StandardId
 
     def supports_pkce_method?(method)
       return false unless require_pkce?
-      code_challenge_methods_array.include?(method.to_s)
+      normalized = method.to_s.downcase
+      code_challenge_methods_array.any? { |m| m.downcase == normalized }
+    end
+
+    # Validates a redirect_uri presented in an OAuth request against this
+    # client's registered URIs.
+    #
+    # OAuth 2.0 (RFC 6749 §3.1.2) requires the authorization server to compare
+    # the registered redirect URI and the request redirect URI using simple
+    # string comparison, with the exception that the authorization server may
+    # redirect with additional query parameters. We implement a stricter
+    # scheme+host+port+path match: the *request* URI may add query or fragment
+    # segments, but the scheme, host, port, and path must exactly match a
+    # registered URI. This prevents a class of "query-string piggyback" attacks
+    # where a registered callback at /cb is abused with a crafted query string
+    # (or, worse, a different path segment like /cb/evil).
+    #
+    # Subdomain wildcards are NOT supported — host must match exactly.
+    def valid_redirect_uri?(uri)
+      requested = self.class.parse_redirect_uri(uri)
+      return false unless requested
+
+      redirect_uris_array.any? do |registered_uri|
+        registered = self.class.parse_redirect_uri(registered_uri)
+        next false unless registered
+
+        registered.scheme == requested.scheme &&
+          registered.host == requested.host &&
+          registered.port == requested.port &&
+          registered.path == requested.path
+      end
     end
 
-    def valid_redirect_uri?(uri)
-      redirect_uris_array.include?(uri.to_s)
+    # Parse a redirect URI string into a URI object suitable for comparison.
+    # Returns nil for unparseable, relative, or scheme-less URIs.
+    def self.parse_redirect_uri(value)
+      return nil if value.to_s.strip.empty?
+
+      parsed = URI.parse(value.to_s.strip)
+      return nil if parsed.scheme.blank? || parsed.host.blank?
+
+      parsed
+    rescue URI::InvalidURIError
+      nil
     end
 
     def confidential?
@@ -127,6 +172,36 @@ module StandardId
 
     private
 
+    # Registered redirect URIs must be absolute (include scheme + host) and
+    # must NOT carry a query string or fragment. Allowing either would turn
+    # the whitelist into a prefix match and enable "query-param piggyback"
+    # attacks where a registered callback is reused with attacker-controlled
+    # parameters.
+    def redirect_uris_must_be_absolute_without_query_or_fragment
+      redirect_uris_array.each do |value|
+        parsed = self.class.parse_redirect_uri(value)
+        if parsed.nil?
+          errors.add(:redirect_uris, "contains an invalid URI (#{value.inspect}). Redirect URIs must be absolute (scheme + host)")
+          next
+        end
+
+        if parsed.query.present?
+          errors.add(:redirect_uris, "must not contain a query string (#{value.inspect}). Register the base URI only; OAuth adds query params at runtime")
+        end
+
+        if parsed.fragment.present?
+          errors.add(:redirect_uris, "must not contain a fragment (#{value.inspect})")
+        end
+      end
+    end
+
+    def public_clients_must_require_pkce
+      return unless client_type == "public"
+      return if require_pkce?
+
+      errors.add(:require_pkce, "public clients must have require_pkce enabled")
+    end
+
     def generate_client_id
       self.client_id ||= SecureRandom.hex(16)
     end

data/app/models/standard_id/code_challenge.rb

@@ -2,10 +2,15 @@ module StandardId
   class CodeChallenge < ApplicationRecord
     self.table_name = "standard_id_code_challenges"
 
+    # Well-known realms used by the engine itself. Host apps may create
+    # challenges in any realm (see StandardId::Otp) — realm is a free-form
+    # string that partitions challenges by purpose (e.g. "authentication",
+    # "verification", "custom_widget"). Only presence is validated so
+    # consumers can define their own realms without the engine knowing.
     REALMS = %w[authentication verification].freeze
     CHANNELS = %w[email sms].freeze
 
-    validates :realm, presence: true, inclusion: { in: REALMS }
+    validates :realm, presence: true
     validates :channel, presence: true, inclusion: { in: CHANNELS }
     validates :target, presence: true
     validates :code, presence: true

data/app/views/standard_id/password_reset_mailer/reset_email.html.erb

@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif; background-color: #f5f5f5; margin: 0; padding: 0; }
+    .container { max-width: 480px; margin: 40px auto; background-color: #ffffff; border-radius: 8px; padding: 40px; }
+    .button { display: inline-block; padding: 12px 24px; background-color: #111111; color: #ffffff !important; text-decoration: none; border-radius: 6px; font-weight: 600; }
+    .footer { margin-top: 32px; font-size: 13px; color: #888888; text-align: center; }
+    .fallback { margin-top: 16px; font-size: 13px; color: #555555; word-break: break-all; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <p>Hi,</p>
+    <p>We received a request to reset the password for the account associated with this email address. Click the button below to choose a new password:</p>
+    <p style="text-align: center; margin: 24px 0;">
+      <a class="button" href="<%= @reset_url %>">Reset your password</a>
+    </p>
+    <p class="fallback">If the button doesn't work, paste this link into your browser: <%= @reset_url %></p>
+    <p>If you did not request a password reset, you can safely ignore this email.</p>
+    <div class="footer">
+      <p>This is an automated message. Please do not reply.</p>
+    </div>
+  </div>
+</body>
+</html>

data/app/views/standard_id/password_reset_mailer/reset_email.text.erb

@@ -0,0 +1,12 @@
+Hi,
+
+We received a request to reset the password for the account associated with this email address.
+
+Use the link below to choose a new password:
+
+<%= @reset_url %>
+
+If you did not request a password reset, you can safely ignore this email.
+
+--
+This is an automated message. Please do not reply.

data/db/migrate/20260416180511_add_partial_indexes_for_active_session_and_challenge_lookups.rb

@@ -0,0 +1,117 @@
+class AddPartialIndexesForActiveSessionAndChallengeLookups < ActiveRecord::Migration[8.0]
+  # Run indexes CONCURRENTLY on Postgres so we don't take a long write lock on
+  # busy tables. SQLite (dummy app, some host setups) ignores algorithm:; we
+  # only pass :concurrently when the adapter is Postgres.
+  #
+  # StrongMigrations note: every change here is additive and non-destructive
+  # except for the GIN drop in step 3. We guard that drop with an `if_exists`
+  # check so StrongMigrations/host apps that never ran the creating migration
+  # (e.g. SQLite dummies) don't error. StrongMigrations considers partial-
+  # index-add and remove_index safe when concurrently + if_exists are used, so
+  # no ignore comment is needed.
+  #
+  # Split into def up / def down because `remove_index :table, name: "..."`
+  # (name-only, no column list) is not auto-reversible via def change — Rails
+  # raises ActiveRecord::IrreversibleMigration on rollback. The explicit down
+  # path re-adds the GIN index using the same column + opclass the creating
+  # migration used (t.index :metadata, using: :gin).
+  disable_ddl_transaction!
+
+  def up
+    pg = connection.adapter_name.downcase.include?("postgres")
+    concurrent = pg ? { algorithm: :concurrently } : {}
+
+    # ── D3: Partial indexes on hot "active session" lookups ────────────────
+    # The existing [:expires_at, :revoked_at] indexes include revoked rows.
+    # Most of our hot paths (SessionManager#find_active, cleanup jobs, the
+    # revocation controller) only care about revoked_at IS NULL rows, and a
+    # partial index on expires_at WHERE revoked_at IS NULL is both smaller
+    # and lets Postgres short-circuit the revoked_at check in the plan.
+    add_index :standard_id_sessions,
+      :expires_at,
+      where: "revoked_at IS NULL",
+      name: "index_standard_id_sessions_on_expires_at_where_active",
+      if_not_exists: true,
+      **concurrent
+
+    add_index :standard_id_refresh_tokens,
+      :expires_at,
+      where: "revoked_at IS NULL",
+      name: "index_standard_id_refresh_tokens_on_expires_at_where_active",
+      if_not_exists: true,
+      **concurrent
+
+    # ── D4: code_challenges index rework ───────────────────────────────────
+    # The hot-path consumer is Passwordless::VerificationService#find_active_challenge:
+    #
+    #   CodeChallenge.active
+    #     .where(realm:, channel:, target:)
+    #     .order(created_at: :desc).first
+    #
+    # where `active` = used_at IS NULL AND expires_at > NOW(). We can't put
+    # `expires_at > NOW()` into a partial index predicate (NOW() isn't
+    # immutable), but `used_at IS NULL` is safe and eliminates consumed OTPs.
+    #
+    # The existing [:realm, :channel, :target, :created_at] index works but
+    # covers every row, including long-since-consumed ones. A partial variant
+    # stays tiny (only live challenges) and matches the exact query shape.
+    add_index :standard_id_code_challenges,
+      [:realm, :channel, :target, :created_at],
+      where: "used_at IS NULL",
+      name: "index_code_challenges_on_active_target_created_at",
+      if_not_exists: true,
+      **concurrent
+
+    # Drop the GIN metadata index on Postgres: metadata is only written to
+    # (record_failed_attempt bumps `attempts`), never queried with containment
+    # (@>, ?, ?|, ?&) operators, so the GIN index is pure write overhead.
+    # SQLite never had a GIN index to drop.
+    if pg
+      remove_index :standard_id_code_challenges,
+        name: "index_standard_id_code_challenges_on_metadata",
+        if_exists: true,
+        **concurrent
+    end
+
+    # ── D5: skipped intentionally ──────────────────────────────────────────
+    # standard_id_credentials already has a composite
+    # (credentialable_type, credentialable_id) index via `t.references
+    # :credentialable, polymorphic: true, index: true`. A search of the
+    # codebase shows no queries filtering by credentialable_id alone (callers
+    # always know the credentialable_type because Credential uses
+    # delegated_type). Adding a single-column credentialable_id index would
+    # only add write overhead with no matching read pattern, so we skip it.
+  end
+
+  def down
+    pg = connection.adapter_name.downcase.include?("postgres")
+    concurrent = pg ? { algorithm: :concurrently } : {}
+
+    # Re-create the GIN metadata index first (mirrors the creating migration:
+    # `t.index :metadata, using: :gin` on standard_id_code_challenges).
+    # SQLite never had a GIN index, so this is Postgres-only.
+    if pg
+      add_index :standard_id_code_challenges,
+        :metadata,
+        using: :gin,
+        name: "index_standard_id_code_challenges_on_metadata",
+        if_not_exists: true,
+        **concurrent
+    end
+
+    remove_index :standard_id_code_challenges,
+      name: "index_code_challenges_on_active_target_created_at",
+      if_exists: true,
+      **concurrent
+
+    remove_index :standard_id_refresh_tokens,
+      name: "index_standard_id_refresh_tokens_on_expires_at_where_active",
+      if_exists: true,
+      **concurrent
+
+    remove_index :standard_id_sessions,
+      name: "index_standard_id_sessions_on_expires_at_where_active",
+      if_exists: true,
+      **concurrent
+  end
+end