standard_id 0.16.0 → 0.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9e4d6c462fcdc585b2eefb2c5224e92c7b2a9fe276c2a41ccbfd6bf7b1fee162
-  data.tar.gz: 91dde301a0e98b0ec60f704ff5beb03706f5f1dbf36ebdfddfc3e21cf322f5ea
+  metadata.gz: a4eb189901d171ba934268cf6cc834e292b7a007f7124a69c61b073cdc518cf7
+  data.tar.gz: 13e8b7939cfc95e67430d7bd02fecf8705cf2f5c436b719d9cb2a807647a042a
 SHA512:
-  metadata.gz: f01caba2626cf9e4c8f4950aeeece214277492d74701f6359268da79cdf4234853f86a5490d33ab250dfe2cdda04e73c9c86a2896dc7ff76e3ab36e529da3cce
-  data.tar.gz: 519d061ab666d5d7a197819545bc9dcd5c304946074b80eaf89dca57898e7c24d6ccbde1b94155095e2ca382340b9179a62c2d2791331345d572ab826b88c8c7
+  metadata.gz: 8405e9b87e4d67d7632329d5d1a9a0165d1fe5828eeb0e4c82052ee96e61f37edbac90f908f914328acef1a891f245216c9855adef8d1afd9506bd83b809ada2
+  data.tar.gz: f5118fc1300f5f83d21f388778cbf25d4edd41a13c83e9a8fd75274f777e9465ad861439cdbbf8ae761ecaff2fbfef255bddfac96eb187e69e834848a8e340ba

data/app/controllers/concerns/standard_id/set_current_request_details.rb

@@ -4,6 +4,7 @@ module StandardId
 
     included do
       before_action :set_current_request_details
+      after_action  :clear_rails_event_context
     end
 
     private
@@ -14,6 +15,38 @@ module StandardId
       ::Current.request_id = request.request_id if ::Current.respond_to?(:request_id=)
       ::Current.ip_address = StandardId::Utils::IpNormalizer.normalize(request.remote_ip) if ::Current.respond_to?(:ip_address=)
       ::Current.user_agent = request.user_agent if ::Current.respond_to?(:user_agent=)
+
+      set_rails_event_context
+    end
+
+    # Mirror request details into the Rails 8.1+ structured event reporter so
+    # that `Rails.event.notify` calls made during this request automatically
+    # carry request_id / ip_address / user_agent. Feature-detected: on older
+    # Rails versions this is a no-op. Reads straight from `::Current` — setters
+    # and getters on `ActiveSupport::CurrentAttributes` are paired, so the
+    # `respond_to?(:foo=)` checks above also guarantee the getter exists.
+    def set_rails_event_context
+      return unless defined?(::Current) && rails_event_available?
+
+      Rails.event.set_context(
+        request_id: (::Current.request_id if ::Current.respond_to?(:request_id)),
+        ip_address: (::Current.ip_address if ::Current.respond_to?(:ip_address)),
+        user_agent: (::Current.user_agent if ::Current.respond_to?(:user_agent))
+      )
+    end
+
+    # Rails 8.1 clears fiber-local state between requests via middleware, but
+    # thread-pooled servers (Puma, Falcon) can reuse the same fiber across
+    # requests. An explicit clear ensures a denied-upstream value cannot leak
+    # into the next request handled by the same worker.
+    def clear_rails_event_context
+      return unless rails_event_available?
+
+      Rails.event.clear_context
+    end
+
+    def rails_event_available?
+      Rails.respond_to?(:event) && Rails.event.respond_to?(:set_context)
     end
   end
 end

data/app/controllers/standard_id/api/sessions_controller.rb

@@ -26,15 +26,19 @@ module StandardId
 
       private
 
+      # All Session subclasses live on the same STI table and therefore
+      # always respond to these columns — the prior `respond_to?` guards
+      # were defensive overhead that allocated per record. Direct access
+      # is both cheaper and clearer.
       def serialize_session(session)
         {
           id: session.id,
           type: session.type&.demodulize,
           created_at: session.created_at.iso8601,
-          last_refreshed_at: session.respond_to?(:last_refreshed_at) ? session.last_refreshed_at&.iso8601 : nil,
-          ip_address: session.respond_to?(:ip_address) ? session.ip_address : nil,
+          last_refreshed_at: session.last_refreshed_at&.iso8601,
+          ip_address: session.ip_address,
           # user_agent is the API-facing name for the device_agent model attribute
-          user_agent: session.respond_to?(:device_agent) ? session.device_agent : nil
+          user_agent: session.device_agent
         }.compact
       end
     end

data/app/models/standard_id/refresh_token.rb

@@ -48,34 +48,30 @@ module StandardId
 
     private
 
-    # Find the root of this token's family and return all descendants.
-    # Backward traversal uses a visited set for cycle detection in case
-    # of corrupted data. Forward traversal collects all descendants.
+    # Collect every token in this token's family (all ancestors + all
+    # descendants reachable via previous_token_id) in a single recursive
+    # CTE. Previously we walked the chain in Ruby with one query per
+    # generation — fine for small families, O(depth) under reuse-detection
+    # storms. The CTE is one round trip.
+    #
+    # `UNION` (not `UNION ALL`) deduplicates against the full accumulator
+    # at each step — so a row already emitted earlier in the traversal is
+    # skipped, preventing infinite loops on cyclic data. Supported by
+    # PostgreSQL, SQLite 3.8+, and MySQL 8+.
     def family_tokens
-      root = self
-      visited = Set.new([root.id])
-      while root.previous_token.present?
-        break if visited.include?(root.previous_token_id)
-        visited.add(root.previous_token_id)
-        root = root.previous_token
-      end
-
-      self.class.where(id: collect_family_ids(root.id))
-    end
-
-    def collect_family_ids(root_id)
-      ids = [root_id]
-      current_ids = [root_id]
-
-      loop do
-        next_ids = self.class.where(previous_token_id: current_ids).pluck(:id)
-        break if next_ids.empty?
-
-        ids.concat(next_ids)
-        current_ids = next_ids
-      end
-
-      ids
+      table = self.class.quoted_table_name
+      sql = <<~SQL.squish
+        WITH RECURSIVE family AS (
+          SELECT id, previous_token_id FROM #{table} WHERE id = :id
+          UNION
+          SELECT rt.id, rt.previous_token_id
+          FROM #{table} rt
+          JOIN family f ON rt.id = f.previous_token_id OR rt.previous_token_id = f.id
+        )
+        SELECT id FROM family
+      SQL
+      family_ids = self.class.connection.select_values(self.class.sanitize_sql([sql, { id: id }]))
+      self.class.where(id: family_ids)
     end
   end
 end

data/app/models/standard_id/session.rb

@@ -53,7 +53,14 @@ module StandardId
     end
 
     def generate_token_digest
-      self.token_digest = BCrypt::Password.create(token)
+      configured_cost = StandardId.config.session.token_digest_cost
+      self.token_digest =
+        if configured_cost.nil?
+          BCrypt::Password.create(token)
+        else
+          cost = configured_cost.clamp(BCrypt::Engine::MIN_COST, BCrypt::Engine::MAX_COST)
+          BCrypt::Password.create(token, cost: cost)
+        end
     end
 
     def generate_lookup_hash

data/lib/standard_id/api/authentication_guard.rb

@@ -8,14 +8,14 @@ module StandardId
         if api_session.blank?
           raise StandardId::NotAuthenticatedError, "Invalid or missing access token"
         elsif api_session.respond_to?(:expired?) && api_session.expired?
-          emit_session_expired(api_session)
+          emit_session_expired(api_session, session_manager: session_manager)
           raise StandardId::ExpiredSessionError, "Session has expired"
         elsif api_session.respond_to?(:revoked?) && api_session.revoked?
           session_manager.clear_session!
           raise StandardId::RevokedSessionError, "Session has been revoked"
         end
 
-        emit_session_validated(api_session)
+        emit_session_validated(api_session, session_manager: session_manager)
         api_session
       end
 
@@ -62,34 +62,42 @@ module StandardId
         )
       end
 
-      def emit_session_validated(api_session)
-        account = if api_session.respond_to?(:account)
-                    api_session.account
-        elsif api_session.respond_to?(:account_id)
-                    StandardId.account_class.find_by(id: api_session.account_id)
-        end
-
+      def emit_session_validated(api_session, session_manager: nil)
         StandardId::Events.publish(
           StandardId::Events::SESSION_VALIDATED,
           session: api_session,
-          account: account
+          account: resolve_account(api_session, session_manager)
         )
       end
 
-      def emit_session_expired(api_session)
-        account = if api_session.respond_to?(:account)
-                    api_session.account
-        elsif api_session.respond_to?(:account_id)
-                    StandardId.account_class.find_by(id: api_session.account_id)
-        end
-
+      def emit_session_expired(api_session, session_manager: nil)
         StandardId::Events.publish(
           StandardId::Events::SESSION_EXPIRED,
           session: api_session,
-          account: account,
+          account: resolve_account(api_session, session_manager),
           expired_at: api_session.respond_to?(:expires_at) ? api_session.expires_at : nil
         )
       end
+
+      # Prefer the session_manager's memoized #current_account (resolved once
+      # per request). Fall back to a direct lookup only when a session_manager
+      # isn't available (e.g. older call sites) or the session lacks an
+      # account_id — the cost is kept to a single query per request instead
+      # of one per event.
+      #
+      # NOTE on the fallback: callers that pass no session_manager still pay
+      # the pre-optimization cost — either one AR association load per event
+      # (via `api_session.account`) or one `find_by` query. The in-gem call
+      # site in `require_session!` always passes the session_manager, so the
+      # optimization fires for it. The fallback exists for any external
+      # caller that invokes emit_session_* directly without a session_manager.
+      def resolve_account(api_session, session_manager)
+        return session_manager.current_account if session_manager&.respond_to?(:current_account)
+        return api_session.account if api_session.respond_to?(:account)
+        return unless api_session.respond_to?(:account_id)
+
+        StandardId.account_class.find_by(id: api_session.account_id)
+      end
     end
   end
 end

data/lib/standard_id/config/callable_validator.rb

@@ -18,8 +18,8 @@ module StandardId
     #   runtime.
     #
     # Scope: only validates top-level StandardId.config fields plus the hash
-    # entries under `oauth.claim_resolvers`. Does NOT modify the StandardConfig
-    # DSL (the gem's schema doesn't need to know about this).
+    # entries under `oauth.claim_resolvers`. Does NOT modify the schema
+    # (the gem's schema doesn't need to know about this).
     module CallableValidator
       # Each entry: field_path => { signature: "(a, b, c)", arity: Integer, kind: :positional | :keyword, keywords: [..] }
       # Field path is the method chain on StandardId.config, e.g. "after_sign_in"

data/lib/standard_id/config/schema.rb

@@ -1,9 +1,9 @@
 # Schema definitions for StandardId
 # This file defines the configuration schema structure
 
-require "standard_config"
+require "standard_id/config_schema"
 
-StandardConfig.schema.draw do
+StandardId::ConfigSchema.define do
   scope :base do
     field :account_class_name, type: :string, default: "User"
     field :cache_store, type: :any, default: nil
@@ -147,7 +147,7 @@ StandardConfig.schema.draw do
     #
     # Note: the scope is named `reset_password` rather than `password_reset` to
     # avoid a name collision with the `web.password_reset` boolean feature flag
-    # — StandardConfig resolves unique field names globally.
+    # — StandardId::ConfigSchema resolves unique field names globally.
     field :delivery, type: :symbol, default: :custom
     field :mailer_from, type: :string, default: "noreply@example.com"
     field :mailer_subject, type: :string, default: "Reset your password"
@@ -159,6 +159,20 @@ StandardConfig.schema.draw do
     field :device_session_lifetime, type: :integer, default: 2592000 # 30 days in seconds
     field :service_session_lifetime, type: :integer, default: 7776000 # 90 days in seconds
 
+    # BCrypt cost factor for the session token digest. Default `nil` means
+    # use bcrypt-ruby's built-in default (cost 12 in production, MIN_COST
+    # in the test env). Since session tokens are 256-bit random
+    # (`SecureRandom.urlsafe_base64(32)`), any cost >= 10 is well beyond
+    # realistic brute-force, and dropping from 12 to 10 saves ~200ms of
+    # CPU per session creation. Host apps with many logins-per-second can
+    # set this to `10`; apps that value hash work over login latency can
+    # leave it alone or raise it.
+    #
+    # When set, value is clamped to BCrypt::Engine::MIN_COST..MAX_COST.
+    # Applies only to newly-created sessions; existing token_digests keep
+    # their original cost.
+    field :token_digest_cost, type: :integer, default: nil
+
     # Callable that resolves the session class to create for a given auth flow.
     # Receives keyword arguments (request:, account:, flow:) and must return one of:
     #   StandardId::BrowserSession, StandardId::DeviceSession, StandardId::ServiceSession,

data/lib/standard_id/config_schema.rb

@@ -0,0 +1,211 @@
+require "active_support/ordered_options"
+require "concurrent/map"
+
+module StandardId
+  # Lightweight configuration schema backed by ActiveSupport::OrderedOptions.
+  # Replaces the vendored `StandardConfig` DSL/manager. Fields are declared
+  # per scope; the resulting top-level config exposes each scope as a nested
+  # OrderedOptions and routes any field whose name is unique across scopes
+  # to the owning scope (so host apps can read base-scope fields like
+  # `config.account_class_name` without the `base.` prefix).
+  class ConfigSchema
+    Field = Struct.new(:name, :type, :default) do
+      def default_value
+        return default.call if default.respond_to?(:call)
+        return default.dup if default.is_a?(Array) || default.is_a?(Hash)
+        default
+      end
+    end
+
+    class << self
+      def instance = (@instance ||= new)
+      def define(&block) = instance.define(&block)
+      def add_field(**kwargs) = instance.add_field(**kwargs)
+      def build = instance.apply(Config.new)
+    end
+
+    def initialize = @scopes = Concurrent::Map.new
+    def scopes = @scopes
+    def scope?(name) = @scopes.key?(name.to_sym)
+    def field?(scope_name, field_name) = !!@scopes[scope_name.to_sym]&.key?(field_name.to_sym)
+    def field_for(scope_name, field_name) = @scopes[scope_name.to_sym]&.[](field_name.to_sym)
+
+    def define(&block)
+      DSL.new(self).instance_eval(&block) if block
+      self
+    end
+
+    def add_field(scope:, name:, type: :string, default: nil)
+      fields = ensure_scope(scope)
+      fields.compute_if_absent(name.to_sym) { Field.new(name.to_sym, type, default) }
+    end
+
+    # Register a scope without adding a field. Allows `define { scope :foo }` so
+    # provider gems can later `add_field(scope: :foo, ...)` against an existing scope.
+    def ensure_scope(name)
+      @scopes.compute_if_absent(name.to_sym) { Concurrent::Map.new }
+    end
+
+    # Scopes that declare a field with the given name (used for top-level routing).
+    def scopes_with_field(field_name)
+      sym = field_name.to_sym
+      @scopes.each_pair.with_object([]) { |(s, fs), acc| acc << s if fs.key?(sym) }
+    end
+
+    # Populate the given Config with scope sub-options + defaults. Re-apply is safe;
+    # values already set in a Scope are preserved (so provider gems can register
+    # fields after host apps have set base values).
+    def apply(config)
+      config.__schema__ = self
+      @scopes.each_pair do |scope_name, fields|
+        opts = (config.key?(scope_name) && config[scope_name].is_a?(Scope)) ? config[scope_name] : Scope.new(self, scope_name)
+        fields.each_value { |f| opts.write_default(f.name, f.default_value) }
+        config.write_raw(scope_name, opts)
+      end
+      config
+    end
+
+    def cast(value, type)
+      return value if value.nil?
+      case type
+      when :any     then value
+      when :symbol  then value.is_a?(Symbol) ? value : value.to_sym
+      when :string  then value.to_s
+      when :integer then value.to_i
+      when :float   then value.to_f
+      when :array   then Array(value)
+      when :hash    then value.is_a?(Hash) ? value : {}
+      when :boolean
+        case value
+        when true, false then value
+        when "true", "1", 1 then true
+        when "false", "0", 0 then false
+        else !!value
+        end
+      else value
+      end
+    end
+
+    # DSL: `define { scope :base do field :foo, type: :string, default: "x" end }`.
+    # Anonymous-class form keeps both levels in one place; #scope yields a sub-DSL
+    # that closes over the parent schema + scope name.
+    class DSL
+      def initialize(schema, scope_name = nil)
+        @schema = schema
+        @scope_name = scope_name
+      end
+
+      def scope(name, &block)
+        @schema.ensure_scope(name)
+        DSL.new(@schema, name.to_sym).instance_eval(&block) if block
+      end
+
+      def field(name, type: :string, default: nil, **)
+        @schema.add_field(scope: @scope_name, name: name, type: type, default: default)
+      end
+    end
+
+    # Per-scope OrderedOptions. Validates writes, casts and dups Array/Hash values
+    # on read. When `resolver` is set (via `Config#register`), reads delegate to
+    # the resolver-returned hash for dynamic / multi-tenant configuration.
+    class Scope < ActiveSupport::OrderedOptions
+      RAW_SET = ActiveSupport::OrderedOptions.instance_method(:[]=)
+      private_constant :RAW_SET
+
+      attr_accessor :resolver
+
+      def initialize(schema, scope_name)
+        super()
+        @schema = schema
+        @scope_name = scope_name
+      end
+
+      def []=(key, value)
+        validate!(key)
+        super(key.to_sym, value)
+      end
+
+      def [](key)
+        sym = key.to_sym
+        validate!(sym) unless key?(sym) || resolver
+        raw = if resolver
+                hash = resolver.call || {}
+                if hash.respond_to?(:key?) && hash.respond_to?(:[])
+                  hash.key?(sym) ? hash[sym] : hash[sym.to_s]
+                end
+        elsif key?(sym)
+                super(sym)
+        else
+                @schema.field_for(@scope_name, sym)&.default_value
+        end
+        cast_read(sym, raw)
+      end
+
+      def write_default(key, value)
+        return if key?(key.to_sym)
+        RAW_SET.bind_call(self, key.to_sym, value)
+      end
+
+      private
+
+      def validate!(key)
+        return if @schema.field?(@scope_name, key)
+        raise StandardId::ConfigurationError,
+          "Unknown field '#{key}' for scope '#{@scope_name}'. Valid fields: #{@schema.scopes[@scope_name]&.keys}"
+      end
+
+      def cast_read(key, value)
+        field = @schema.field_for(@scope_name, key)
+        return value unless field
+        casted = @schema.cast(value, field.type)
+        casted.is_a?(Array) || casted.is_a?(Hash) ? casted.dup : casted
+      end
+    end
+
+    # Top-level config: routes unqualified field reads/writes to the owning scope
+    # when the name is unique across scopes.
+    class Config < ActiveSupport::OrderedOptions
+      RAW_SET = ActiveSupport::OrderedOptions.instance_method(:[]=)
+      private_constant :RAW_SET
+
+      attr_accessor :__schema__
+
+      def register(scope_name, resolver)
+        sym = scope_name.to_sym
+        unless __schema__&.scope?(sym)
+          raise ArgumentError, "Unknown configuration scope: #{sym}. Valid scopes: #{__schema__&.scopes&.keys}"
+        end
+        self[sym].resolver = resolver
+        self
+      end
+
+      def registered?(scope_name) = !!self[scope_name.to_sym]&.resolver
+
+      def [](key)
+        sym = key.to_sym
+        return super if key?(sym) || __schema__.nil? || __schema__.scope?(sym)
+        target = unique_scope_for(sym)
+        target ? self[target][sym] : super
+      end
+
+      def []=(key, value)
+        sym = key.to_sym
+        if __schema__ && !__schema__.scope?(sym) && !key?(sym) && (target = unique_scope_for(sym))
+          self[target][sym] = value
+        else
+          super(sym, value)
+        end
+      end
+
+      # Bypass routing — used by the schema applier.
+      def write_raw(key, value) = RAW_SET.bind_call(self, key.to_sym, value)
+
+      private
+
+      def unique_scope_for(name)
+        matches = __schema__.scopes_with_field(name)
+        matches.size == 1 ? matches.first : nil
+      end
+    end
+  end
+end

data/lib/standard_id/engine.rb

@@ -59,8 +59,18 @@ module StandardId
     # We warn (not raise) to avoid breaking apps that intentionally short-
     # circuit boot (e.g., `assets:precompile` rake tasks with no secrets
     # available). A hard failure would be hostile to those workflows.
+    #
+    # IMPORTANT: we must NOT call `app.secret_key_base` directly. Rails 8.1's
+    # getter runs the "generate + persist" path on first read, which in turn
+    # invokes the setter — and the setter raises when the resolved value is
+    # blank (which is exactly the case this check is meant to warn about).
+    # So calling the getter here would turn a soft warning into a hard boot
+    # failure under parallel workers (e.g. parallel_rspec's `parallel:create`)
+    # that don't share a generated key between processes. Instead we read
+    # the same underlying sources Rails resolves from (ENV, then credentials)
+    # without triggering the write path.
     def self.verify_host_cookie_encryption!(app)
-      secret = app.respond_to?(:secret_key_base) ? app.secret_key_base : nil
+      secret = host_secret_key_base(app)
 
       if secret.blank?
         Rails.logger.warn(
@@ -73,6 +83,27 @@ module StandardId
       end
     end
 
+    # Probe secret_key_base sources without touching the memoizing setter.
+    # Mirrors Rails' own resolution order (ENV -> credentials), stopping on
+    # the first present value. Returns nil when neither is set — the caller
+    # logs a warning in that case.
+    def self.host_secret_key_base(app)
+      return ENV["SECRET_KEY_BASE"] if ENV["SECRET_KEY_BASE"].present?
+
+      credentials = app.respond_to?(:credentials) ? app.credentials : nil
+      return nil unless credentials&.respond_to?(:secret_key_base)
+
+      credentials.secret_key_base
+    rescue StandardError
+      # A broken credentials file or missing master key raises during read.
+      # That's the host app's problem to surface elsewhere — here we just
+      # want the cookie-encryption warning to fire, so we treat "could not
+      # probe" as "not configured" and let Rails error loudly on its own
+      # path if the app genuinely needs the secret.
+      nil
+    end
+    private_class_method :host_secret_key_base
+
     # Logs a production-only warning when no global audience allow-list is
     # configured. With `allowed_audiences` empty, the API token manager
     # skips decode-time aud enforcement, leaving cross-audience JWT replay

data/lib/standard_id/provider_registry.rb

@@ -34,7 +34,6 @@ module StandardId
         )
       end
 
-
       # Get all registered providers
       # @return [Hash] Provider name => class mapping
       def all
@@ -50,16 +49,15 @@ module StandardId
 
       private
 
-      # Register provider's config schema fields with StandardConfig
+      # Register provider's config schema fields with the StandardId schema.
+      # Thread-safe and idempotent — adding the same field twice is a no-op.
       # @param provider_class [Class] Provider implementation class
       def register_config_schema(provider_class)
         schema = provider_class.config_schema
         return if schema.nil? || schema.empty?
 
-        StandardConfig.schema.scope(:social) do
-          schema.each do |field_name, options|
-            field field_name, **options
-          end
+        schema.each do |field_name, options|
+          StandardId::ConfigSchema.add_field(scope: :social, name: field_name, **options)
         end
       end
 

data/lib/standard_id/providers/base.rb

@@ -106,7 +106,7 @@ module StandardId
 
         # Define configuration schema fields for this provider.
         #
-        # Returns a hash of field definitions compatible with StandardConfig schema DSL.
+        # Returns a hash of field definitions compatible with the StandardId::ConfigSchema DSL.
         # These fields will be registered under the :social configuration scope.
         #
         # @return [Hash] Field definitions with types and defaults

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.16.0"
+  VERSION = "0.17.0"
 end

data/lib/standard_id.rb

@@ -3,6 +3,7 @@ require "standard_id/current_attributes"
 require "standard_id/engine"
 require "standard_id/web_engine"
 require "standard_id/api_engine"
+require "standard_id/config_schema"
 require "standard_id/config/schema"
 require "standard_id/scope_config"
 require "standard_id/errors"
@@ -59,20 +60,23 @@ require "standard_id/providers/base"
 require "standard_id/provider_registry"
 
 module StandardId
+  CONFIG = Concurrent::Delay.new { ConfigSchema.build }
+
   class << self
     CACHE_STORE = Concurrent::Delay.new { config.cache_store || Rails.cache }
     LOGGER = Concurrent::Delay.new { config.logger || Rails.logger }
 
     def configure(&block)
-      StandardConfig.configure(&block)
+      yield config if block_given?
+      config
     end
 
     def register(scope_name, resolver_proc)
-      StandardConfig.config.register(scope_name, resolver_proc)
+      config.register(scope_name, resolver_proc)
     end
 
     def config
-      StandardConfig.config
+      CONFIG.value
     end
 
     def cache_store

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.16.0
+  version: 0.17.0
 platform: ruby
 authors:
 - Jaryl Sim
@@ -13,14 +13,14 @@ dependencies:
   name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '8.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '8.0'
 - !ruby/object:Gem::Dependency
@@ -215,11 +215,6 @@ files:
 - db/migrate/20260416180511_add_partial_indexes_for_active_session_and_challenge_lookups.rb
 - lib/generators/standard_id/install/install_generator.rb
 - lib/generators/standard_id/install/templates/standard_id.rb
-- lib/standard_config.rb
-- lib/standard_config/config.rb
-- lib/standard_config/config_provider.rb
-- lib/standard_config/manager.rb
-- lib/standard_config/schema.rb
 - lib/standard_id.rb
 - lib/standard_id/account_locking.rb
 - lib/standard_id/account_status.rb
@@ -232,6 +227,7 @@ files:
 - lib/standard_id/config/callable_validator.rb
 - lib/standard_id/config/schema.rb
 - lib/standard_id/config/scope_claims_validator.rb
+- lib/standard_id/config_schema.rb
 - lib/standard_id/current_attributes.rb
 - lib/standard_id/engine.rb
 - lib/standard_id/errors.rb
@@ -305,7 +301,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '3.2'
+      version: '4.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="

data/lib/standard_config/config.rb

@@ -1,73 +0,0 @@
-module StandardConfig
-  # Manages configuration for the StandardId engine
-  #
-  # Usage:
-  #   StandardId.configure do |config|
-  #     config.account_class_name = "User"
-  #     config.cache_store = ActiveSupport::Cache::MemoryStore.new
-  #     config.logger = Rails.logger
-  #     config.allowed_post_logout_redirect_uris = ["https://example.com/logout"]
-  #   end
-  class Config
-    # The name of the Account model class as a String, e.g. "User" or "Account"
-    attr_accessor :account_class_name
-
-    # Optional cache store and logger, used by StandardId.cache_store and StandardId.logger
-    attr_accessor :cache_store, :logger
-
-    # OAuth issuer identifier for ID tokens
-    attr_accessor :issuer
-
-    # Optional login URL for redirecting unauthenticated browser requests
-    # Example: "/login" or a full URL like "https://app.example.com/login"
-    # If set, Authorization endpoints can redirect to this path with a redirect_uri param
-    attr_accessor :login_url
-
-    # Social login hooks
-    attr_accessor :social_account_attributes
-
-    # Passwordless authentication delivery callbacks (deprecated - use events instead)
-    attr_accessor :passwordless_email_sender, :passwordless_sms_sender
-
-    # Allowed post-logout redirect URIs for OIDC logout endpoint
-    # If empty or nil, no redirects are allowed and the endpoint will return a JSON message
-    # If provided, the post_logout_redirect_uri must exactly match one of the values in this list
-    attr_accessor :allowed_post_logout_redirect_uris
-
-    # Layout name to use for StandardId Web controllers.
-    # If nil, controllers should default to "application" (host app or dummy app).
-    # Examples: "application", "standard_id/web/application", "my_custom_layout"
-    attr_accessor :web_layout
-
-    # Enable Inertia.js rendering for StandardId Web controllers
-    # When true and inertia_rails gem is available, controllers will render Inertia components
-    attr_accessor :use_inertia
-
-    # Namespace prefix for Inertia component paths
-    # Example: "Auth" will generate component paths like "Auth/Login/show"
-    attr_accessor :inertia_component_namespace
-
-    def initialize
-      @account_class_name = nil
-      @cache_store = nil
-      @logger = nil
-      @issuer = nil
-      @login_url = nil
-      @apple_key_id = nil
-      @apple_team_id = nil
-      @social_account_attributes = nil
-      @passwordless_email_sender = nil
-      @passwordless_sms_sender = nil
-      @allowed_post_logout_redirect_uris = []
-      @web_layout = nil
-      @use_inertia = nil
-      @inertia_component_namespace = nil
-    end
-
-    def account_class
-      account_class_name.constantize
-    rescue NameError
-      raise NameError, "Could not find account class: #{account_class_name}. Please set a valid class name using `StandardId.configure { |c| c.account_class_name = 'YourAccountClass' }`"
-    end
-  end
-end

data/lib/standard_config/config_provider.rb

@@ -1,82 +0,0 @@
-require "ostruct"
-
-module StandardConfig
-  class ConfigProvider
-    def initialize(scope_name, resolver_proc, schema = nil)
-      @scope_name = scope_name
-      @resolver_proc = resolver_proc
-      @schema = schema
-    end
-
-    def method_missing(method_name, *args)
-      if method_name.to_s.end_with?("=")
-        # Setter - only works for static configs (OpenStruct objects)
-        field_name = method_name.to_s.chomp("=").to_sym
-        validate_field!(field_name)
-
-        config_object = @resolver_proc.call
-        if config_object.respond_to?(method_name)
-          config_object.send(method_name, args.first)
-        elsif config_object.respond_to?(:[]=)
-          # Support hash-like providers
-          value = args.first
-          config_object[field_name] = value
-          # Also set string key for convenience if symbol not used by provider
-          begin
-            config_object[field_name.to_s] = value
-          rescue StandardError
-            # ignore if provider doesn't accept string keys
-          end
-        else
-          raise NoMethodError, "Configuration object doesn't support setting #{field_name}"
-        end
-      else
-        # Getter
-        get_field(method_name)
-      end
-    end
-
-    def get_field(field_name)
-      validate_field!(field_name)
-
-      config_object = @resolver_proc.call
-      raw_value = if config_object.respond_to?(field_name)
-                    config_object.send(field_name)
-      elsif config_object.respond_to?(:[])
-                    config_object[field_name] || config_object[field_name.to_s]
-      else
-                    nil
-      end
-
-      # Cast the value according to schema
-      field_def = @schema&.field_definition(@scope_name, field_name)
-      return raw_value unless field_def
-
-      casted = @schema&.cast_value(raw_value, field_def.type) || raw_value
-      # Return dup for mutable structures to prevent accidental mutation of shared defaults
-      if casted.is_a?(Array)
-        casted.dup
-      elsif casted.is_a?(Hash)
-        casted.dup
-      else
-        casted
-      end
-    end
-
-    def respond_to_missing?(method_name, include_private = false)
-      field_name = method_name.to_s.end_with?("=") ? method_name.to_s.chomp("=").to_sym : method_name.to_sym
-      @schema&.valid_field?(@scope_name, field_name) || super
-    end
-
-    private
-
-    def validate_field!(field_name)
-      return unless @schema # Skip validation if no schema provided
-
-      unless @schema.valid_field?(@scope_name, field_name)
-        valid_fields = @schema.scopes[@scope_name]&.fields&.keys || []
-        raise ArgumentError, "Unknown field '#{field_name}' for scope '#{@scope_name}'. Valid fields: #{valid_fields}"
-      end
-    end
-  end
-end

data/lib/standard_config/manager.rb

@@ -1,93 +0,0 @@
-require "ostruct"
-require "concurrent/map"
-require "standard_config/config_provider"
-
-module StandardConfig
-  class Manager
-    def initialize(schema)
-      @schema = schema
-      @providers = Concurrent::Map.new
-      @static_configs = Concurrent::Map.new
-    end
-
-    # Register a configuration provider for a scope
-    def register(scope_name, resolver_proc)
-      scope_name = scope_name.to_sym
-
-      # Validate scope exists in schema
-      unless @schema.valid_scope?(scope_name)
-        raise ArgumentError, "Unknown configuration scope: #{scope_name}. Valid scopes: #{@schema.scopes.keys}"
-      end
-
-      @providers[scope_name] = ConfigProvider.new(scope_name, resolver_proc, @schema)
-      self
-    end
-
-    def registered?(scope_name)
-      @providers.key?(scope_name.to_sym)
-    end
-
-    # Access configuration scopes via method calls
-    def method_missing(method_name, *args)
-      method_str = method_name.to_s
-      scope_name = method_str.end_with?("=") ? method_str.chomp("=").to_sym : method_name.to_sym
-
-      # Handle field setter via unique scope resolution
-      if method_str.end_with?("=")
-        field = scope_name
-        scopes = @schema.scopes_with_field(field)
-        if scopes.size == 1
-          s = scopes.first
-          provider = @providers.compute_if_absent(s) do
-            ConfigProvider.new(s, -> { create_static_config_for_scope(s) }, @schema)
-          end
-          provider.public_send(method_name, *args)
-          return args.first
-        end
-      end
-
-      # Handle field getter via unique scope resolution
-      scopes = @schema.scopes_with_field(scope_name)
-      if scopes.size == 1
-        s = scopes.first
-        provider = @providers.compute_if_absent(s) do
-          ConfigProvider.new(s, -> { create_static_config_for_scope(s) }, @schema)
-        end
-        return provider.get_field(scope_name)
-      end
-
-      # Handle scope access
-      provider = @providers[scope_name]
-      return provider if provider
-
-      # Create static provider for valid scopes on first access
-      if @schema.valid_scope?(scope_name)
-        return @providers.compute_if_absent(scope_name) do
-          ConfigProvider.new(scope_name, -> { create_static_config_for_scope(scope_name) }, @schema)
-        end
-      end
-
-      super
-    end
-
-    def respond_to_missing?(method_name, include_private = false)
-      method_str = method_name.to_s
-      scope_name = method_str.end_with?("=") ? method_str.chomp("=").to_sym : method_name.to_sym
-      @schema.valid_scope?(scope_name) ||
-        @schema.scopes_with_field(scope_name).any? ||
-        super
-    end
-
-    private
-
-    def create_static_config_for_scope(scope_name)
-      @static_configs.compute_if_absent(scope_name) do
-        OpenStruct.new.tap do |config|
-          @schema.scopes[scope_name].fields.each do |field_name, field_def|
-            config.send("#{field_name}=", field_def.default_value)
-          end
-        end
-      end
-    end
-  end
-end

data/lib/standard_config/schema.rb

@@ -1,139 +0,0 @@
-require "concurrent/map"
-
-module StandardConfig
-  class Schema
-    def initialize
-      @scopes = Concurrent::Map.new
-    end
-
-    # DSL entry
-    def draw(&block)
-      Drawer.new(self).instance_eval(&block) if block_given?
-      self
-    end
-
-    def scopes
-      @scopes
-    end
-
-    def scope(name, &block)
-      name_sym = name.to_sym
-      builder = scopes.compute_if_absent(name_sym) { ScopeBuilder.new(name_sym) }
-      builder.instance_eval(&block) if block_given?
-      builder
-    end
-
-    def valid_scope?(name)
-      scopes.key?(name.to_sym)
-    end
-
-    def valid_field?(scope_name, field_name)
-      return false unless valid_scope?(scope_name)
-      scopes[scope_name.to_sym].fields.key?(field_name.to_sym)
-    end
-
-    def field_definition(scope_name, field_name)
-      return nil unless valid_scope?(scope_name)
-      scopes[scope_name.to_sym].fields[field_name.to_sym]
-    end
-
-    # Return an array of scope names that define the given field
-    def scopes_with_field(field_name)
-      scopes.keys.select { |s| scopes[s].fields.key?(field_name.to_sym) }
-    end
-
-    def cast_value(value, type)
-      return value if value.nil?
-
-      case type
-      when :any
-        value
-      when :string
-        value.to_s
-      when :integer
-        value.to_i
-      when :float
-        value.to_f
-      when :boolean
-        case value
-        when true, false then value
-        when "true", "1", 1 then true
-        when "false", "0", 0 then false
-        else !!value
-        end
-      when :array
-        Array(value)
-      when :hash
-        value.is_a?(Hash) ? value : {}
-      else
-        value
-      end
-    end
-
-    class ScopeBuilder
-      attr_reader :name, :fields
-
-      def initialize(name)
-        @name = name.to_sym
-        @fields = Concurrent::Map.new
-      end
-
-      def field(name, type: :string, default: nil, readonly: false)
-        key = name.to_sym
-        if @fields.key?(key)
-          Kernel.warn("[StandardId::Configuration] Redefining field '#{key}' in scope '#{@name}'. Last definition wins.")
-        end
-        @fields[key] = FieldDefinition.new(name, type: type, default: default, readonly: readonly)
-      end
-    end
-
-    class FieldDefinition
-      attr_reader :name, :type, :default, :readonly
-
-      def initialize(name, type: :string, default: nil, readonly: false)
-        @name = name.to_sym
-        @type = type
-        @default = default
-        @readonly = readonly
-      end
-
-      def default_value
-        if @default.respond_to?(:call)
-          @default.call
-        elsif @default.is_a?(Array)
-          @default.dup
-        else
-          @default
-        end
-      end
-    end
-
-    # Internal DSL driver
-    class Drawer
-      def initialize(schema)
-        @schema = schema
-      end
-
-      # scope :base do ... end OR scope :passwordless do ... end
-      def scope(name, &block)
-        name_sym = name.to_sym
-        # Ensure scope exists, then evaluate the block in a scoped context
-        @schema.scope(name_sym)
-        ScopedScope.new(@schema, name_sym).instance_eval(&block) if block_given?
-      end
-    end
-
-    class ScopedScope
-      def initialize(schema, scope_name)
-        @schema = schema
-        @scope_name = scope_name
-      end
-
-      def field(name, type: :string, default: nil, readonly: false)
-        # Add field to the last declared scope by using ScopeBuilder within @schema.scope
-        # This method will be called inside Schema.scope block via Drawer
-        @schema.scopes[@scope_name].field(name, type: type, default: default, readonly: readonly)
-      end
-    end
-  end
-end

data/lib/standard_config.rb

@@ -1,45 +0,0 @@
-require "standard_config/config"
-require "standard_config/config_provider"
-require "standard_config/manager"
-require "standard_config/schema"
-
-require "concurrent/delay"
-
-module StandardConfig
-  SCHEMA = Concurrent::Delay.new { Schema.new }
-  MANAGER = Concurrent::Delay.new { Manager.new(SCHEMA.value) }
-
-  class << self
-    def schema
-      SCHEMA.value
-    end
-
-    def configure(&block)
-      if block_given? && block.arity.zero? && !config.registered?(:base)
-        config.register(:base, block)
-      end
-
-      yield config if block_given?
-
-      config
-    end
-
-    def config
-      MANAGER.value
-    end
-
-    private
-
-    def create_default_config
-      require "ostruct"
-      static_config = OpenStruct.new
-      base_scope = schema.scopes[:base]
-      if base_scope
-        base_scope.fields.each do |field_name, field_def|
-          static_config.send("#{field_name}=", field_def.default_value)
-        end
-      end
-      static_config
-    end
-  end
-end