standard_id 0.19.0 → 0.20.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3d3af31455bcc5b445cb7398d0d4bc2d4fac8ee7e246bcdc437796419af80284
-  data.tar.gz: 167ef5777acbc1de9bf7ecbb9d9e30f95597094566b6268f48c56d1d462c8d37
+  metadata.gz: 664c61bf0dc0dbcf758fe4d114fad3776d0327777b64dde60f6d9d9f11db14cc
+  data.tar.gz: c87f620480f13c64051a0d915b37e2fd295f224f0a41fe0c4820bb8131321c70
 SHA512:
-  metadata.gz: 68bf2f44b3791c46a08500da1c2c91e0878c4b7b009a810fc761d450aeffdc5c007bf2ecef3e2b1a1193ad09313aac528489925215ec7cb23bdbbdef8df4d3c3
-  data.tar.gz: d5116af139011d0cc8d5955489f751bf3dc8592e5e5474b55ce62178add8d828041e952f272a79a52adf7e20238dac02cadd22a8faa28b49277d789320b5897f
+  metadata.gz: 4531519bbd926a39fda0180809a305f1e7de319cb278d1b75b178616548b586d9b767db3eb9e58e661045bc513efbc6785b5a63fa858b91fd74a832170f96c50
+  data.tar.gz: b7625be363e4f848fdd7c61f51c287ed8153e2671b64e52e0acef48de4e0ff95668529e5099f7408d4713321406728c8a6d1225418bc4ba03444bd0c12916430

data/app/controllers/concerns/standard_id/lifecycle_hooks.rb

@@ -100,6 +100,12 @@ module StandardId
     #   - :profile_type [String, nil] first configured profile type for the scope (back-compat)
     #   - :profile_types [Array<String>, nil] all configured profile types for the scope
     #   - :after_sign_in_path [String, nil] default redirect path for the scope
+    #   - :redirect_uri [String, nil] caller-supplied destination (from the form
+    #     param for password/signup, from the OAuth state cookie for social).
+    #     Hooks that always return a default path should return nil when this is
+    #     present so the originator's URL wins — otherwise upstream OAuth/SSO
+    #     flows that send users to /login?redirect_uri=... will land on the
+    #     hook's default page instead of completing the handshake.
     # @return [String, nil] redirect path override, or nil for default
     # @raise [StandardId::AuthenticationDenied] to reject the sign-in
     def invoke_after_sign_in(account, context)
@@ -118,6 +124,12 @@ module StandardId
         return result if result.present?
       end
 
+      # When the caller supplied a :redirect_uri and the hook returned nil, treat that
+      # as the documented "defer to originator" signal — do NOT shadow it with the
+      # scope's after_sign_in_path (which would silently break OAuth/SSO handshakes
+      # for any host that configures a scope default).
+      return nil if context[:redirect_uri].present?
+
       # When no hook override, use the scope's after_sign_in_path if present
       scope_config&.after_sign_in_path
     end

data/app/controllers/standard_id/web/auth/callback/providers_controller.rb

@@ -26,6 +26,7 @@ module StandardId
 
             begin
               extract_state_and_nonce => { state_data:, nonce: }
+              caller_redirect_uri = state_data&.dig("redirect_uri").presence
               redirect_uri = callback_url_for
               provider_response = get_user_info_from_provider(redirect_uri:, nonce:)
               social_info = provider_response[:user_info]
@@ -52,10 +53,19 @@ module StandardId
                 original_request_params: state_data
               )
 
-              context = { mechanism: "social", provider: provider_name }
+              context = {
+                mechanism: "social",
+                provider: provider_name,
+                redirect_uri: caller_redirect_uri
+              }
               redirect_override = invoke_after_sign_in(account, context)
 
-              destination = redirect_override || state_data["redirect_uri"]
+              # When the hook defers (returns nil), the originator-supplied URL becomes the
+              # destination. Validate it before redirect_to — without this, an attacker who
+              # tricks a victim into clicking /login?connection=google&redirect_uri=<evil>
+              # can steer the post-auth landing page. redirect_override is host-internal so
+              # we trust it; only the fallthrough needs validation.
+              destination = redirect_override || (safe_destination?(caller_redirect_uri) ? caller_redirect_uri : safe_post_signin_default)
               redirect_options = { notice: "Successfully signed in with #{provider_name.humanize}" }
               redirect_options[:allow_other_host] = true if allow_other_host_redirect?(destination)
               redirect_to destination, redirect_options
@@ -124,7 +134,17 @@ module StandardId
                             "Authentication failed"
             end
 
-            redirect_to StandardId::WebEngine.routes.url_helpers.login_path, alert: error_message
+            # Preserve redirect_uri across the bounce-back-to-/login so the user can retry
+            # the OAuth handshake and complete it back to the originator. Symmetric with
+            # the SocialLinkError / OAuthError rescue paths above.
+            redirect_uri = begin
+              extract_state_and_nonce => { state_data: }
+              state_data&.dig("redirect_uri").presence
+            rescue StandardId::InvalidRequestError
+              nil
+            end
+
+            redirect_to StandardId::WebEngine.routes.url_helpers.login_path(redirect_uri: redirect_uri), alert: error_message
           end
 
           def mobile_relay_params

data/app/controllers/standard_id/web/base_controller.rb

@@ -14,6 +14,51 @@ module StandardId
 
       before_action -> { Current.scope = :web if defined?(::Current) }
       before_action :require_browser_session!
+
+      private
+
+      # Read a top-level query/form param expected to be a scalar String, returning
+      # nil for absent/blank values OR if Rails parsed it as an Array/Hash (e.g. from
+      # `?redirect_uri[]=a&redirect_uri[]=b`). Without this guard, `redirect_to` is
+      # called with a non-String and raises ArgumentError → 500 for any caller that
+      # sends a malformed redirect_uri.
+      def string_param(key)
+        value = params[key]
+        value.is_a?(String) ? value.presence : nil
+      end
+
+      # Whether `destination` is safe to redirect a signed-in user to.
+      # - Same-origin paths ("/foo") pass; protocol-relative ("//evil") does not.
+      # - Same-origin absolute URLs ("https://this-host/...") pass — `store_location_for_redirect`
+      #   stashes `request.url` in session, so callers wrapping `after_authentication_url`
+      #   need same-origin URLs accepted.
+      # - Cross-host URLs pass only when the host has explicitly allow-listed the prefix
+      #   via `StandardId.config.allowed_redirect_url_prefixes`.
+      # - Anything else (blank, absolute URL not in the allow-list, protocol-relative,
+      #   opaque scheme) is rejected; callers should fall back to `safe_post_signin_default`.
+      def safe_destination?(destination)
+        return false if destination.blank?
+        return true if destination.start_with?("/") && !destination.start_with?("//")
+        return true if same_origin_url?(destination)
+
+        Array(StandardId.config.allowed_redirect_url_prefixes).any? do |entry|
+          case entry
+          when Regexp then entry.match?(destination)
+          else destination.start_with?(entry.to_s)
+          end
+        end
+      end
+
+      def same_origin_url?(destination)
+        return false unless destination.start_with?("http://", "https://")
+        URI.parse(destination).origin == URI.parse(request.base_url).origin
+      rescue URI::Error, ArgumentError
+        false
+      end
+
+      def safe_post_signin_default
+        "/"
+      end
     end
   end
 end

data/app/controllers/standard_id/web/login_controller.rb

@@ -31,7 +31,7 @@ module StandardId
       before_action :redirect_if_social_login, only: [:create]
 
       def show
-        @redirect_uri = params[:redirect_uri] || after_authentication_url
+        @redirect_uri = string_param(:redirect_uri) || after_authentication_url
         @connection = params[:connection]
 
         render_with_inertia props: auth_page_props(passwordless_enabled: passwordless_enabled?)
@@ -59,9 +59,12 @@ module StandardId
         }
 
         if result
-          context = { mechanism: "password", provider: nil }
+          redirect_uri = string_param(:redirect_uri)
+          context = { mechanism: "password", provider: nil, redirect_uri: redirect_uri }
           redirect_override = invoke_after_sign_in(current_account, context)
-          destination = redirect_override || params[:redirect_uri] || after_authentication_url
+          fallback = after_authentication_url
+          fallback = safe_post_signin_default unless safe_destination?(fallback)
+          destination = redirect_override || (safe_destination?(redirect_uri) ? redirect_uri : nil) || fallback
           redirect_to destination, status: :see_other, notice: "Successfully signed in"
         else
           flash.now[:alert] = "Invalid email or password"
@@ -95,7 +98,11 @@ module StandardId
           expires_in: code_ttl.seconds
         )
         session[:standard_id_otp_payload] = signed_payload
-        session[:return_to_after_authenticating] = params[:redirect_uri] if params[:redirect_uri].present?
+        # Use string_param to reject Array/Hash-shaped values — login_verify_controller
+        # consumes this via after_authentication_url and passes it to redirect_to;
+        # storing a non-String here would crash that flow with ArgumentError.
+        redirect_uri = string_param(:redirect_uri)
+        session[:return_to_after_authenticating] = redirect_uri if redirect_uri
 
         redirect_to login_verify_path, status: :see_other
       end

data/app/controllers/standard_id/web/login_verify_controller.rb

@@ -60,12 +60,24 @@ module StandardId
           invoke_after_account_created(account, { mechanism: "passwordless", provider: nil })
         end
 
-        context = { mechanism: "passwordless", provider: nil }
+        # Peek (don't pop) session[:return_to_after_authenticating] — after_authentication_url
+        # consumes it below when redirect_override is nil, so deleting it here would lose the
+        # destination for hosts whose after_sign_in hook defers to the originator's redirect_uri.
+        context = {
+          mechanism: "passwordless",
+          provider: nil,
+          redirect_uri: session[:return_to_after_authenticating]
+        }
         redirect_override = invoke_after_sign_in(account, context)
 
         session.delete(:standard_id_otp_payload)
 
-        destination = redirect_override || after_authentication_url
+        # after_authentication_url returns whatever was stashed in
+        # session[:return_to_after_authenticating] — which could be an attacker-controlled
+        # URL set by handle_passwordless_login from params[:redirect_uri]. string_param
+        # blocks Array/Hash but not "https://evil.com/phish". Validate before redirect.
+        fallback = after_authentication_url
+        destination = redirect_override || (safe_destination?(fallback) ? fallback : safe_post_signin_default)
         redirect_to destination, status: :see_other, notice: "Successfully signed in"
       rescue StandardId::AuthenticationDenied => e
         session.delete(:standard_id_otp_payload)

data/app/controllers/standard_id/web/logout_controller.rb

@@ -14,13 +14,18 @@ module StandardId
 
       def create
         revoke_current_session!
-        redirect_to params[:redirect_uri] || root_path, notice: "Successfully signed out"
+        redirect_to logout_destination, notice: "Successfully signed out"
       end
 
       private
 
       def redirect_if_not_authenticated
-        redirect_to params[:redirect_uri] || root_path unless authenticated?
+        redirect_to logout_destination unless authenticated?
+      end
+
+      def logout_destination
+        redirect_uri = string_param(:redirect_uri)
+        safe_destination?(redirect_uri) ? redirect_uri : root_path
       end
     end
   end

data/app/controllers/standard_id/web/signup_controller.rb

@@ -15,7 +15,7 @@ module StandardId
       before_action :redirect_if_social_login, only: [:create]
 
       def show
-        @redirect_uri = params[:redirect_uri] || after_authentication_url
+        @redirect_uri = string_param(:redirect_uri) || after_authentication_url
         @connection = params[:connection] # For social login detection
 
         render_with_inertia props: auth_page_props
@@ -43,12 +43,15 @@ module StandardId
           session_manager.sign_in_account(form.account, scope_name: request.path_parameters[:scope])
           invoke_after_account_created(form.account, { mechanism: "signup", provider: nil })
 
-          context = { mechanism: "password", provider: nil }
+          redirect_uri = string_param(:redirect_uri)
+          context = { mechanism: "password", provider: nil, redirect_uri: redirect_uri }
           redirect_override = invoke_after_sign_in(form.account, context)
-          destination = redirect_override || params[:redirect_uri] || after_authentication_url
+          fallback = after_authentication_url
+          fallback = safe_post_signin_default unless safe_destination?(fallback)
+          destination = redirect_override || (safe_destination?(redirect_uri) ? redirect_uri : nil) || fallback
           redirect_to destination, notice: "Account created successfully"
         else
-          @redirect_uri = params[:redirect_uri] || after_authentication_url
+          @redirect_uri = string_param(:redirect_uri) || after_authentication_url
           @connection = params[:connection]
           flash.now[:alert] = form.errors.full_messages.join(", ")
           render_with_inertia action: :show, props: auth_page_props(errors: form.errors.to_hash), status: :unprocessable_content
@@ -79,7 +82,7 @@ module StandardId
 
       def encode_state
         Base64.urlsafe_encode64({
-          redirect_uri: params[:redirect_uri] || after_authentication_url,
+          redirect_uri: string_param(:redirect_uri) || after_authentication_url,
           timestamp: Time.current.to_i
         }.to_json)
       end

data/lib/standard_id/errors.rb

@@ -58,6 +58,46 @@ module StandardId
     def oauth_error_code = :invalid_grant
   end
 
+  # Raised at mint time when an account has no profile of the type bound
+  # to the requested audience via `c.oauth.audience_profile_types`.
+  #
+  # Subclass of `InvalidGrantError` so existing OAuth error handling
+  # (which renders OAuthError as RFC 6749 error responses) treats this
+  # as `invalid_grant`. The audience and expected profile types are
+  # surfaced via readers for audit logging only — operators MUST NOT
+  # interpolate them into client-facing error responses, since the
+  # configured profile-type taxonomy is internal-only information.
+  class NoBoundProfileError < InvalidGrantError
+    attr_reader :audience, :expected_profile_types
+
+    def initialize(audience:, expected_profile_types:)
+      @audience = audience
+      @expected_profile_types = Array(expected_profile_types)
+      super("No profile of type [#{@expected_profile_types.join(', ')}] " \
+            "for audience '#{audience}'")
+    end
+  end
+
+  # Raised at mint time when an account has more than one active profile
+  # of the type bound to the requested audience. Selecting one silently
+  # would be non-deterministic and unauditable, so we fail closed and let
+  # the host app resolve the ambiguity (deactivate duplicates, or pass an
+  # explicit `profile_id` once that grant parameter is supported).
+  #
+  # Same audit-only/PII rules as `NoBoundProfileError`: do NOT surface
+  # profile_ids in client-facing responses.
+  class AmbiguousProfileError < InvalidGrantError
+    attr_reader :audience, :expected_profile_types, :profile_ids
+
+    def initialize(audience:, expected_profile_types:, profile_ids:)
+      @audience = audience
+      @expected_profile_types = Array(expected_profile_types)
+      @profile_ids = Array(profile_ids)
+      super("Multiple active profiles of type [#{@expected_profile_types.join(', ')}] " \
+            "for audience '#{audience}' (#{@profile_ids.length} profile(s))")
+    end
+  end
+
   class InvalidScopeError < OAuthError
     def oauth_error_code = :invalid_scope
   end

data/lib/standard_id/oauth/audience_profile_resolver.rb

@@ -59,6 +59,48 @@ module StandardId
           profile_types_for(audience).any?
         end
 
+        # Strict variant of `.call` for mint-time enforcement: returns the
+        # uniquely matching active profile, or raises a typed error so the
+        # token grant flow can fail closed.
+        #
+        # Resolution rules (deterministic, no silent fallbacks):
+        #   - 0 matching active profiles → raises `NoBoundProfileError`
+        #     (NB: an inactive-only match is still 0 active matches and
+        #     fails closed — inactive profiles cannot mint tokens)
+        #   - exactly 1 matching active profile → returns it
+        #   - >1 matching active profile → raises `AmbiguousProfileError`
+        #
+        # The legacy `.call` API preserves its "first active else first match"
+        # behavior, since it is wired into the decode-time concern and host
+        # apps may have grown to depend on its tolerance. Migrating that path
+        # to strict mode is a separate change.
+        #
+        # @raise [StandardId::NoBoundProfileError]
+        # @raise [StandardId::AmbiguousProfileError]
+        def resolve!(account:, audience:)
+          types = profile_types_for(audience)
+          raise ArgumentError, "audience #{audience.inspect} has no profile binding" if types.empty?
+
+          # Custom resolver path: trust the host app's result. It's expected
+          # to enforce its own determinism — if it returns nil we still fail
+          # closed; if it returns a profile we use it as-is.
+          resolver = StandardId.config.oauth.audience_profile_resolver
+          if resolver.respond_to?(:call)
+            filtered = StandardId::Utils::CallableParameterFilter.filter(
+              resolver,
+              { account: account, audience: audience, profile_types: types }
+            )
+            resolved = resolver.call(**filtered)
+            return resolved if resolved
+            raise StandardId::NoBoundProfileError.new(
+              audience: audience,
+              expected_profile_types: types
+            )
+          end
+
+          strict_default_lookup(account, audience, types)
+        end
+
         private
 
         def default_lookup(account, types)
@@ -78,6 +120,44 @@ module StandardId
           active || matches.first
         end
 
+        # Strict default lookup — counterpart to `default_lookup` for mint.
+        #
+        # "Active" semantics:
+        #   - if a profile responds to `active?`, only `active? == true`
+        #     counts toward the match set
+        #   - if it does not, treat it as active (back-compat: not all host
+        #     apps have an activity predicate)
+        def strict_default_lookup(account, audience, types)
+          unless account.respond_to?(:profiles)
+            raise StandardId::NoBoundProfileError.new(
+              audience: audience,
+              expected_profile_types: types
+            )
+          end
+
+          candidates = account.profiles
+          candidates = candidates.to_a unless candidates.is_a?(Array)
+
+          matches = candidates.select { |p| types.include?(profile_type_for(p)) }
+          active_matches = matches.select { |p| !p.respond_to?(:active?) || p.active? }
+
+          case active_matches.length
+          when 0
+            raise StandardId::NoBoundProfileError.new(
+              audience: audience,
+              expected_profile_types: types
+            )
+          when 1
+            active_matches.first
+          else
+            raise StandardId::AmbiguousProfileError.new(
+              audience: audience,
+              expected_profile_types: types,
+              profile_ids: active_matches.map { |p| p.respond_to?(:id) ? p.id : nil }.compact
+            )
+          end
+        end
+
         def profile_type_for(profile)
           if profile.respond_to?(:profileable_type)
             profile.profileable_type.to_s

data/lib/standard_id/oauth/token_grant_flow.rb

@@ -36,9 +36,13 @@ module StandardId
 
       def generate_token_response
         validate_audience!
+        enforce_audience_profile_binding!
         emit_token_issuing
         expires_in = token_expiry
         payload = build_jwt_payload(expires_in)
+        # Pre-generate jti so we can include it in the OAUTH_TOKEN_ISSUED
+        # event payload without re-decoding the encoded JWT.
+        @issued_jti = payload[:jti] ||= SecureRandom.uuid
         access_token = StandardId::JwtService.encode(payload, expires_in: expires_in)
 
         response = {
@@ -212,6 +216,51 @@ module StandardId
         end
       end
 
+      # Fail closed when the requested audience has a profile-type binding
+      # configured (`c.oauth.audience_profile_types`) but the account holds
+      # no matching active profile.
+      #
+      # Before this check existed, mints silently succeeded with `gid` (or
+      # any other profile-derived claim) resolving to `nil`. Downstream
+      # services then received a syntactically-valid bearer that pointed at
+      # nothing — a classic "fail open" foot-gun. Now: the mint raises
+      # `InvalidGrantError` (via `NoBoundProfileError` / `AmbiguousProfileError`),
+      # which the OAuth error handler renders as RFC 6749 `invalid_grant`.
+      #
+      # The resolved profile is stashed in `@resolved_profile` for two
+      # downstream uses:
+      #   1. Inclusion in the OAUTH_TOKEN_ISSUED audit event payload
+      #      (so operators can correlate mints to profiles).
+      #   2. Use by host-app claim resolvers via `claim_resolvers_context`,
+      #      eliminating a redundant DB lookup (and the race window in
+      #      which the profile might be deactivated between lookup and use).
+      #
+      # No-op when audience is unset or no binding is configured for any of
+      # the requested audiences — preserves existing behavior for endpoints
+      # that haven't opted into the audience→profile binding feature.
+      def enforce_audience_profile_binding!
+        requested = Array(audience).reject(&:blank?)
+        return if requested.empty?
+
+        bound = requested.select { |a| StandardId::Oauth::AudienceProfileResolver.configured_for?(a) }
+        return if bound.empty?
+
+        # Multiple bound audiences in one token would imply the holder is
+        # cleared for multiple distinct profile-type contexts simultaneously
+        # — there's no coherent answer for which profile to bind. Reject
+        # rather than silently picking one. Host apps that need cross-
+        # audience tokens should issue separate tokens per audience.
+        if bound.length > 1
+          raise StandardId::InvalidGrantError,
+            "Cannot bind a single token to multiple profile-bound audiences: #{bound.join(', ')}"
+        end
+
+        @resolved_profile = StandardId::Oauth::AudienceProfileResolver.resolve!(
+          account: token_account,
+          audience: bound.first
+        )
+      end
+
       def claims_from_custom_claims
         callable = StandardId.config.oauth.custom_claims
         return {} unless callable.respond_to?(:call)
@@ -253,12 +302,13 @@ module StandardId
       end
 
       def token_account
-        return nil if subject_id.blank?
+        return @token_account if defined?(@token_account)
+        return (@token_account = nil) if subject_id.blank?
 
         account_class = StandardId.account_class
-        return nil unless account_class.respond_to?(:find_by)
+        return (@token_account = nil) unless account_class.respond_to?(:find_by)
 
-        account_class.find_by(id: subject_id)
+        @token_account = account_class.find_by(id: subject_id)
       end
 
       def token_client
@@ -270,7 +320,13 @@ module StandardId
           client: token_client,
           account: token_account,
           request: request,
-          audience: audience
+          audience: audience,
+          # Pre-resolved profile (when the requested audience has a binding).
+          # Host-app claim resolvers that previously looked up the profile by
+          # account+type can now accept this directly via keyword filtering,
+          # avoiding both an extra query and the race in which the profile
+          # is deactivated between resolver lookup and use.
+          profile: @resolved_profile
         }
       end
 
@@ -295,7 +351,16 @@ module StandardId
           grant_type: grant_type,
           client_id: client_id,
           account: token_account,
-          expires_in: expires_in
+          expires_in: expires_in,
+          # Audit enrichment — without these, downstream subscribers
+          # (SIEM, audit log, anomaly detection) cannot meaningfully
+          # correlate a successful mint to the entity it authorizes,
+          # the resource server it targets, the specific token (jti)
+          # for revocation, or the scopes the client requested.
+          profile_id: @resolved_profile&.id,
+          audience: audience,
+          jti: @issued_jti,
+          requested_scopes: current_scopes
         )
       end
     end

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.19.0"
+  VERSION = "0.20.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.19.0
+  version: 0.20.1
 platform: ruby
 authors:
 - Jaryl Sim