standard_id 0.16.0 → 0.16.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9e4d6c462fcdc585b2eefb2c5224e92c7b2a9fe276c2a41ccbfd6bf7b1fee162
-  data.tar.gz: 91dde301a0e98b0ec60f704ff5beb03706f5f1dbf36ebdfddfc3e21cf322f5ea
+  metadata.gz: 1cc415579c94e298230fc9d647869d7c2ea2b422b1130eac38bd05bba262956a
+  data.tar.gz: 653d1cd02170d5ba6933973635cb50d62729be158b0037812da8b2f832fb0c0e
 SHA512:
-  metadata.gz: f01caba2626cf9e4c8f4950aeeece214277492d74701f6359268da79cdf4234853f86a5490d33ab250dfe2cdda04e73c9c86a2896dc7ff76e3ab36e529da3cce
-  data.tar.gz: 519d061ab666d5d7a197819545bc9dcd5c304946074b80eaf89dca57898e7c24d6ccbde1b94155095e2ca382340b9179a62c2d2791331345d572ab826b88c8c7
+  metadata.gz: 16fa94e1dde5fa46e92999ef2fb24b5bb683ff5f5ab3e6549e91f8c738e4cdd42d8e872ab0d13705659ec6ab2bb4c4e184f4947c1d95bf5e00afbc3b9dfe0328
+  data.tar.gz: b730ef767275f8d71aa9b93a8c8fca55a1935c84e1e4e6eaf022ec935d2d152d7b72e99576b5075e3dffba8269b07be66abf43f4fd96e1f7728858d64244f7e2

data/app/controllers/concerns/standard_id/set_current_request_details.rb

@@ -4,6 +4,7 @@ module StandardId
 
     included do
       before_action :set_current_request_details
+      after_action  :clear_rails_event_context
     end
 
     private
@@ -14,6 +15,38 @@ module StandardId
       ::Current.request_id = request.request_id if ::Current.respond_to?(:request_id=)
       ::Current.ip_address = StandardId::Utils::IpNormalizer.normalize(request.remote_ip) if ::Current.respond_to?(:ip_address=)
       ::Current.user_agent = request.user_agent if ::Current.respond_to?(:user_agent=)
+
+      set_rails_event_context
+    end
+
+    # Mirror request details into the Rails 8.1+ structured event reporter so
+    # that `Rails.event.notify` calls made during this request automatically
+    # carry request_id / ip_address / user_agent. Feature-detected: on older
+    # Rails versions this is a no-op. Reads straight from `::Current` — setters
+    # and getters on `ActiveSupport::CurrentAttributes` are paired, so the
+    # `respond_to?(:foo=)` checks above also guarantee the getter exists.
+    def set_rails_event_context
+      return unless defined?(::Current) && rails_event_available?
+
+      Rails.event.set_context(
+        request_id: (::Current.request_id if ::Current.respond_to?(:request_id)),
+        ip_address: (::Current.ip_address if ::Current.respond_to?(:ip_address)),
+        user_agent: (::Current.user_agent if ::Current.respond_to?(:user_agent))
+      )
+    end
+
+    # Rails 8.1 clears fiber-local state between requests via middleware, but
+    # thread-pooled servers (Puma, Falcon) can reuse the same fiber across
+    # requests. An explicit clear ensures a denied-upstream value cannot leak
+    # into the next request handled by the same worker.
+    def clear_rails_event_context
+      return unless rails_event_available?
+
+      Rails.event.clear_context
+    end
+
+    def rails_event_available?
+      Rails.respond_to?(:event) && Rails.event.respond_to?(:set_context)
     end
   end
 end

data/app/controllers/standard_id/api/sessions_controller.rb

@@ -26,15 +26,19 @@ module StandardId
 
       private
 
+      # All Session subclasses live on the same STI table and therefore
+      # always respond to these columns — the prior `respond_to?` guards
+      # were defensive overhead that allocated per record. Direct access
+      # is both cheaper and clearer.
       def serialize_session(session)
         {
           id: session.id,
           type: session.type&.demodulize,
           created_at: session.created_at.iso8601,
-          last_refreshed_at: session.respond_to?(:last_refreshed_at) ? session.last_refreshed_at&.iso8601 : nil,
-          ip_address: session.respond_to?(:ip_address) ? session.ip_address : nil,
+          last_refreshed_at: session.last_refreshed_at&.iso8601,
+          ip_address: session.ip_address,
           # user_agent is the API-facing name for the device_agent model attribute
-          user_agent: session.respond_to?(:device_agent) ? session.device_agent : nil
+          user_agent: session.device_agent
         }.compact
       end
     end

data/app/models/standard_id/refresh_token.rb

@@ -48,34 +48,30 @@ module StandardId
 
     private
 
-    # Find the root of this token's family and return all descendants.
-    # Backward traversal uses a visited set for cycle detection in case
-    # of corrupted data. Forward traversal collects all descendants.
+    # Collect every token in this token's family (all ancestors + all
+    # descendants reachable via previous_token_id) in a single recursive
+    # CTE. Previously we walked the chain in Ruby with one query per
+    # generation — fine for small families, O(depth) under reuse-detection
+    # storms. The CTE is one round trip.
+    #
+    # `UNION` (not `UNION ALL`) deduplicates against the full accumulator
+    # at each step — so a row already emitted earlier in the traversal is
+    # skipped, preventing infinite loops on cyclic data. Supported by
+    # PostgreSQL, SQLite 3.8+, and MySQL 8+.
     def family_tokens
-      root = self
-      visited = Set.new([root.id])
-      while root.previous_token.present?
-        break if visited.include?(root.previous_token_id)
-        visited.add(root.previous_token_id)
-        root = root.previous_token
-      end
-
-      self.class.where(id: collect_family_ids(root.id))
-    end
-
-    def collect_family_ids(root_id)
-      ids = [root_id]
-      current_ids = [root_id]
-
-      loop do
-        next_ids = self.class.where(previous_token_id: current_ids).pluck(:id)
-        break if next_ids.empty?
-
-        ids.concat(next_ids)
-        current_ids = next_ids
-      end
-
-      ids
+      table = self.class.quoted_table_name
+      sql = <<~SQL.squish
+        WITH RECURSIVE family AS (
+          SELECT id, previous_token_id FROM #{table} WHERE id = :id
+          UNION
+          SELECT rt.id, rt.previous_token_id
+          FROM #{table} rt
+          JOIN family f ON rt.id = f.previous_token_id OR rt.previous_token_id = f.id
+        )
+        SELECT id FROM family
+      SQL
+      family_ids = self.class.connection.select_values(self.class.sanitize_sql([sql, { id: id }]))
+      self.class.where(id: family_ids)
     end
   end
 end

data/app/models/standard_id/session.rb

@@ -53,7 +53,14 @@ module StandardId
     end
 
     def generate_token_digest
-      self.token_digest = BCrypt::Password.create(token)
+      configured_cost = StandardId.config.session.token_digest_cost
+      self.token_digest =
+        if configured_cost.nil?
+          BCrypt::Password.create(token)
+        else
+          cost = configured_cost.clamp(BCrypt::Engine::MIN_COST, BCrypt::Engine::MAX_COST)
+          BCrypt::Password.create(token, cost: cost)
+        end
     end
 
     def generate_lookup_hash

data/lib/standard_id/api/authentication_guard.rb

@@ -8,14 +8,14 @@ module StandardId
         if api_session.blank?
           raise StandardId::NotAuthenticatedError, "Invalid or missing access token"
         elsif api_session.respond_to?(:expired?) && api_session.expired?
-          emit_session_expired(api_session)
+          emit_session_expired(api_session, session_manager: session_manager)
           raise StandardId::ExpiredSessionError, "Session has expired"
         elsif api_session.respond_to?(:revoked?) && api_session.revoked?
           session_manager.clear_session!
           raise StandardId::RevokedSessionError, "Session has been revoked"
         end
 
-        emit_session_validated(api_session)
+        emit_session_validated(api_session, session_manager: session_manager)
         api_session
       end
 
@@ -62,34 +62,42 @@ module StandardId
         )
       end
 
-      def emit_session_validated(api_session)
-        account = if api_session.respond_to?(:account)
-                    api_session.account
-        elsif api_session.respond_to?(:account_id)
-                    StandardId.account_class.find_by(id: api_session.account_id)
-        end
-
+      def emit_session_validated(api_session, session_manager: nil)
         StandardId::Events.publish(
           StandardId::Events::SESSION_VALIDATED,
           session: api_session,
-          account: account
+          account: resolve_account(api_session, session_manager)
         )
       end
 
-      def emit_session_expired(api_session)
-        account = if api_session.respond_to?(:account)
-                    api_session.account
-        elsif api_session.respond_to?(:account_id)
-                    StandardId.account_class.find_by(id: api_session.account_id)
-        end
-
+      def emit_session_expired(api_session, session_manager: nil)
         StandardId::Events.publish(
           StandardId::Events::SESSION_EXPIRED,
           session: api_session,
-          account: account,
+          account: resolve_account(api_session, session_manager),
           expired_at: api_session.respond_to?(:expires_at) ? api_session.expires_at : nil
         )
       end
+
+      # Prefer the session_manager's memoized #current_account (resolved once
+      # per request). Fall back to a direct lookup only when a session_manager
+      # isn't available (e.g. older call sites) or the session lacks an
+      # account_id — the cost is kept to a single query per request instead
+      # of one per event.
+      #
+      # NOTE on the fallback: callers that pass no session_manager still pay
+      # the pre-optimization cost — either one AR association load per event
+      # (via `api_session.account`) or one `find_by` query. The in-gem call
+      # site in `require_session!` always passes the session_manager, so the
+      # optimization fires for it. The fallback exists for any external
+      # caller that invokes emit_session_* directly without a session_manager.
+      def resolve_account(api_session, session_manager)
+        return session_manager.current_account if session_manager&.respond_to?(:current_account)
+        return api_session.account if api_session.respond_to?(:account)
+        return unless api_session.respond_to?(:account_id)
+
+        StandardId.account_class.find_by(id: api_session.account_id)
+      end
     end
   end
 end

data/lib/standard_id/config/schema.rb

@@ -159,6 +159,20 @@ StandardConfig.schema.draw do
     field :device_session_lifetime, type: :integer, default: 2592000 # 30 days in seconds
     field :service_session_lifetime, type: :integer, default: 7776000 # 90 days in seconds
 
+    # BCrypt cost factor for the session token digest. Default `nil` means
+    # use bcrypt-ruby's built-in default (cost 12 in production, MIN_COST
+    # in the test env). Since session tokens are 256-bit random
+    # (`SecureRandom.urlsafe_base64(32)`), any cost >= 10 is well beyond
+    # realistic brute-force, and dropping from 12 to 10 saves ~200ms of
+    # CPU per session creation. Host apps with many logins-per-second can
+    # set this to `10`; apps that value hash work over login latency can
+    # leave it alone or raise it.
+    #
+    # When set, value is clamped to BCrypt::Engine::MIN_COST..MAX_COST.
+    # Applies only to newly-created sessions; existing token_digests keep
+    # their original cost.
+    field :token_digest_cost, type: :integer, default: nil
+
     # Callable that resolves the session class to create for a given auth flow.
     # Receives keyword arguments (request:, account:, flow:) and must return one of:
     #   StandardId::BrowserSession, StandardId::DeviceSession, StandardId::ServiceSession,

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.16.0"
+  VERSION = "0.16.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.16.0
+  version: 0.16.1
 platform: ruby
 authors:
 - Jaryl Sim