standard_id 0.2.0 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 313792f07d188ad560c11e667abdcb3b7fbfb8d15738d892152beae42b287d65
-  data.tar.gz: 4b1811518c974b8e467987fce6abc153ad05f46dd876a1cfe2f40c88c768516c
+  metadata.gz: ff3da0872b1957015180ea523a6ece07c7e5182415627edefd1b7cb204123555
+  data.tar.gz: 1b18e14597e237f2a6082df2210174f97b05f4febd02a729cad2509ffaf9dd60
 SHA512:
-  metadata.gz: 2a59a7565ac2a591fef01ff9aa90edc505e8383f3b9b3d2ac5e4ae82a3d777a9902934bd63683d1adff0211fa0dbc0687e0fd3c6c64428b3e0833c512b8bf9c5
-  data.tar.gz: 6313c08cd9f375e737563324e2c20a16e9ed3f5f4e25fca793f19c2bd18ad4dff06cba49437b914a5776f164d95d95d33cc880d1b332b74cdaf493e661400e2b
+  metadata.gz: 258469a8242bd871aef309f677077daca3c5e36cb6c62c748d698dc420b5997738adefe404da90928e2e98514d775f2fc1caf7f71ee1f40d3fa1228ac5346dc8
+  data.tar.gz: 41e96e5bf1aec93e33f36f3a97b81ba26609d2c854e3cc4887186c6cd4717dd8fb2fe73eaf0ac57c03a0097fc47381494bec33497cff8880e3a55ba822fc75ac

data/README.md

@@ -101,6 +101,26 @@ class ApiController < ActionController::API
 end
 ```
 
+### 5. Action Cable Authentication
+
+- Include in Your Connection Class
+```ruby
+module ApplicationCable
+  class Connection < ActionCable::Connection::Base
+    include StandardId::CableAuthentication
+  end
+end
+```
+
+- Access Current Account in Channels
+```ruby
+class ChatChannel < ApplicationCable::Channel
+  def subscribed
+    stream_for current_account
+  end
+end
+```
+
 ## Configuration
 
 ### Basic Configuration

data/app/channels/concerns/standard_id/cable_authentication.rb

@@ -0,0 +1,33 @@
+module StandardId
+  module CableAuthentication
+    extend ActiveSupport::Concern
+
+    included do
+      identified_by :current_account
+    end
+
+    def connect
+      self.current_account = find_verified_account
+    end
+
+    private
+
+    def find_verified_account
+      if verified_account = find_account_from_session_token
+        verified_account
+      else
+        reject_unauthorized_connection
+      end
+    end
+
+    def find_account_from_session_token
+      session_token = cookies.encrypted[:session_token] || request.session[:session_token]
+      return nil if session_token.blank?
+
+      browser_session = StandardId::BrowserSession.eager_load(:account).by_token(session_token).first
+      return nil unless browser_session&.active?
+
+      browser_session.account
+    end
+  end
+end

data/app/controllers/concerns/standard_id/social_authentication.rb

@@ -16,12 +16,13 @@ module StandardId
       raise StandardId::InvalidRequestError, e.message
     end
 
-    def get_user_info_from_provider(redirect_uri: nil, flow: :web)
+    def get_user_info_from_provider(redirect_uri: nil, nonce: nil, flow: :web)
       provider_params = {
         code: params[:code],
         id_token: params[:id_token],
         access_token: params[:access_token],
-        redirect_uri: redirect_uri
+        redirect_uri:,
+        nonce:
       }
 
       resolved_params = provider.resolve_params(provider_params, context: { flow: flow })
@@ -100,8 +101,8 @@ module StandardId
       end
     end
 
-    def run_social_callback(provider:, social_info:, provider_tokens:, account:)
-      emit_social_auth_completed(provider, social_info, provider_tokens, account)
+    def run_social_callback(provider:, social_info:, provider_tokens:, account:, original_request_params: {})
+      emit_social_auth_completed(provider, social_info, provider_tokens, account, original_request_params)
     end
 
     def emit_social_user_info_fetched(provider, social_info, email)
@@ -131,13 +132,14 @@ module StandardId
       )
     end
 
-    def emit_social_auth_completed(provider, social_info, provider_tokens, account)
+    def emit_social_auth_completed(provider, social_info, provider_tokens, account, original_request_params)
       StandardId::Events.publish(
         StandardId::Events::SOCIAL_AUTH_COMPLETED,
         account: account,
         provider: provider,
         social_info: social_info,
-        tokens: provider_tokens
+        tokens: provider_tokens,
+        original_request_params: original_request_params
       )
     end
 

data/app/controllers/concerns/standard_id/web/social_login_params.rb

@@ -0,0 +1,87 @@
+module StandardId
+  module Web
+    module SocialLoginParams
+      extend ActiveSupport::Concern
+
+      OAUTH_PENDING_REQUESTS_COOKIE = "oauth_pending_requests".freeze
+      REQUEST_EXPIRY = 10.minutes
+
+      private
+
+      def store_oauth_request(state:, nonce: nil, params:)
+        pending_requests = load_pending_requests || {}
+
+        cleanup_expired_requests!(pending_requests)
+
+        pending_requests[state] = {
+          "params" => params,
+          "nonce" => nonce,
+          "expires_at" => REQUEST_EXPIRY.from_now.to_i
+        }
+
+        save_pending_requests(pending_requests)
+      end
+
+      def consume_oauth_request(state)
+        return nil if state.blank?
+
+        pending_requests = load_pending_requests
+        return nil if pending_requests.nil?
+
+        cleanup_expired_requests!(pending_requests)
+
+        request_data = pending_requests[state]
+        return nil if request_data.nil?
+
+        # Remove this specific request from pending requests
+        pending_requests.delete(state)
+
+        # Update the cookie with remaining requests
+        if pending_requests.empty?
+          cookies.delete(OAUTH_PENDING_REQUESTS_COOKIE)
+        else
+          save_pending_requests(pending_requests)
+        end
+
+        request_data.slice("params", "nonce")
+      rescue JSON::ParserError => e
+        StandardId.logger.error({
+          subject: "standard_id.consume_oauth_request.error",
+          error: e.message
+        })
+        nil
+      end
+
+      def load_pending_requests
+        cookie_value = cookies.encrypted[OAUTH_PENDING_REQUESTS_COOKIE]
+        return nil if cookie_value.nil?
+
+        JSON.parse(cookie_value)
+      rescue JSON::ParserError
+        nil
+      end
+
+      def save_pending_requests(pending_requests)
+        cookie_options = {
+          value: pending_requests.to_json,
+          expires: REQUEST_EXPIRY.from_now,
+          httponly: true
+        }
+
+        if request.ssl?
+          cookie_options[:secure] = true
+          cookie_options[:same_site] = :none
+        else
+          cookie_options[:same_site] = :lax
+        end
+
+        cookies.encrypted[OAUTH_PENDING_REQUESTS_COOKIE] = cookie_options
+      end
+
+      def cleanup_expired_requests!(pending_requests)
+        current_time = Time.now.to_i
+        pending_requests.delete_if { |_state, data| data["expires_at"] && data["expires_at"] < current_time }
+      end
+    end
+  end
+end

data/app/controllers/concerns/standard_id/web_authentication.rb

@@ -36,6 +36,16 @@ module StandardId
     # Redirect to login page, handling both Inertia and standard requests
     def redirect_to_login
       login_path = StandardId.config.login_url.presence || "/login"
+
+      # Add redirect_uri parameter to preserve the original destination
+      if request.get?
+        uri = URI.parse(login_path)
+        params = Rack::Utils.parse_nested_query(uri.query)
+        params["redirect_uri"] = request.fullpath
+        uri.query = params.to_query.presence
+        login_path = uri.to_s
+      end
+
       redirect_with_inertia login_path
     end
 

data/app/controllers/standard_id/api/oauth/callback/providers_controller.rb

@@ -7,7 +7,6 @@ module StandardId
         skip_before_action :validate_content_type!
 
         def callback
-          original_params = decode_state_params
           provider_response = get_user_info_from_provider(flow: resolve_flow_for(provider.provider_name))
           social_info = provider_response[:user_info]
           provider_tokens = provider_response[:tokens]
@@ -16,35 +15,22 @@ module StandardId
           flow = StandardId::Oauth::SocialFlow.new(
             params,
             request,
-            account: account,
-            connection: provider.provider_name,
-            original_params: original_params
+            account:,
+            connection: provider.provider_name
           )
 
           token_response = flow.execute
           run_social_callback(
             provider: provider.provider_name,
-            social_info: social_info,
-            provider_tokens: provider_tokens,
-            account: account,
+            social_info:,
+            provider_tokens:,
+            account:
           )
           render json: token_response, status: :ok
         end
 
         private
 
-        def decode_state_params
-          encoded_state = params[:state]
-
-          return {} if encoded_state.blank?
-
-          begin
-            JSON.parse(Base64.urlsafe_decode64(encoded_state))
-          rescue JSON::ParserError, ArgumentError
-            raise StandardId::InvalidRequestError, "Invalid state parameter"
-          end
-        end
-
         def resolve_flow_for(connection)
           return :mobile unless connection == "apple"
 

data/app/controllers/standard_id/web/auth/callback/providers_controller.rb

@@ -5,6 +5,7 @@ module StandardId
         class ProvidersController < StandardId::Web::BaseController
           include StandardId::WebAuthentication
           include StandardId::SocialAuthentication
+          include StandardId::Web::SocialLoginParams
 
           # Social callbacks must be accessible without an existing browser session
           # because they create/sign-in the session upon successful callback.
@@ -20,9 +21,9 @@ module StandardId
             state_data = nil
 
             begin
-              state_data = decode_state_params
+              extract_state_and_nonce => { state_data:, nonce: }
               redirect_uri = callback_url_for
-              provider_response = get_user_info_from_provider(redirect_uri: redirect_uri)
+              provider_response = get_user_info_from_provider(redirect_uri:, nonce:)
               social_info = provider_response[:user_info]
               provider_tokens = provider_response[:tokens]
               account = find_or_create_account_from_social(social_info)
@@ -33,6 +34,7 @@ module StandardId
                 social_info: social_info,
                 provider_tokens: provider_tokens,
                 account: account,
+                original_request_params: state_data
               )
 
               destination = state_data["redirect_uri"]
@@ -49,7 +51,7 @@ module StandardId
               raise StandardId::InvalidRequestError, "Provider #{provider.provider_name} does not support mobile callback"
             end
 
-            state_data = decode_state_params
+            extract_state_and_nonce => { state_data: }
             destination = state_data["redirect_uri"]
 
             unless allow_other_host_redirect?(destination)
@@ -73,15 +75,17 @@ module StandardId
             provider.skip_csrf?
           end
 
-          def decode_state_params
-            encoded_state = params[:state]
-            raise StandardId::InvalidRequestError, "Missing state parameter" if encoded_state.blank?
+          def extract_state_and_nonce
+            state_token = params[:state]
+            raise StandardId::InvalidRequestError, "Missing state parameter" if state_token.blank?
 
-            state = JSON.parse(Base64.urlsafe_decode64(encoded_state))
-            state["redirect_uri"] ||= after_authentication_url
-            state
-          rescue JSON::ParserError, ArgumentError
-            raise StandardId::InvalidRequestError, "Invalid state parameter"
+            oauth_state = consume_oauth_request(state_token)
+            raise StandardId::InvalidRequestError, "Invalid or expired state parameter" if oauth_state.nil?
+
+            {
+              state_data: oauth_state["params"],
+              nonce: oauth_state["nonce"]
+            }
           end
 
           def handle_callback_error

data/app/controllers/standard_id/web/login_controller.rb

@@ -2,6 +2,8 @@ module StandardId
   module Web
     class LoginController < BaseController
       include StandardId::InertiaRendering
+      include StandardId::Web::SocialLoginParams
+
 
       layout "public"
 
@@ -33,26 +35,53 @@ module StandardId
       end
 
       def redirect_if_social_login
-        redirect_with_inertia social_login_url, allow_other_host: true if params[:connection].present?
-      end
+        return unless params[:connection].present?
+
+        provider = StandardId::ProviderRegistry.get(params[:connection].to_s)
+
+        state = generate_oauth_token
+        nonce = provider_supports_nonce?(provider) ? generate_oauth_token : nil
 
-      def social_login_url
-        connection = params[:connection]
-        provider = StandardId::ProviderRegistry.get(connection)
+        store_oauth_request(
+          state:,
+          nonce:,
+          params: extract_social_login_params
+        )
+
+        callback_url = "#{request.base_url}#{provider.callback_path}"
+        extra_params = extract_oauth_params(provider)
 
-        provider.authorization_url(
-          state: encode_state,
-          redirect_uri: "#{request.base_url}#{provider.callback_path}"
+        # Add nonce to OAuth params if provider supports it
+        extra_params[:nonce] = nonce if nonce.present?
+
+        url = provider.authorization_url(
+          state:,
+          redirect_uri: callback_url,
+          **extra_params.compact
         )
+
+        redirect_with_inertia url, allow_other_host: true
       rescue StandardId::ProviderRegistry::ProviderNotFoundError => e
         raise StandardId::InvalidRequestError, e.message
       end
 
-      def encode_state
-        Base64.urlsafe_encode64({
-          redirect_uri: params[:redirect_uri] || after_authentication_url,
-          timestamp: Time.current.to_i
-        }.compact.to_json)
+      def extract_social_login_params
+        request.parameters.except("controller", "action", "format", "authenticity_token", "commit", "login").to_h.deep_dup
+      end
+
+      def extract_oauth_params(provider)
+        supported_params = provider.try(:supported_authorization_params)
+        return {} if supported_params.blank?
+
+        params.permit(*supported_params).to_h.compact.symbolize_keys
+      end
+
+      def generate_oauth_token
+        SecureRandom.urlsafe_base64(32)
+      end
+
+      def provider_supports_nonce?(provider)
+        provider.supported_authorization_params.include?(:nonce)
       end
 
       def login_params

data/lib/standard_id/oauth/social_flow.rb

@@ -3,11 +3,10 @@ module StandardId
     class SocialFlow < TokenGrantFlow
       attr_reader :account, :connection, :original_params
 
-      def initialize(params, request, account:, connection:, original_params: {})
+      def initialize(params, request, account:, connection:)
         super(params, request)
         @account = account
         @connection = connection
-        @original_params = original_params
       end
 
       def authenticate!
@@ -21,21 +20,17 @@ module StandardId
       end
 
       def client_id
-        @original_params["client_id"]
+        nil
       end
 
       def token_scope
-        @original_params["scope"]
+        nil
       end
 
       def grant_type
         "social"
       end
 
-      def audience
-        @original_params["audience"]
-      end
-
       def supports_refresh_token?
         true
       end

data/lib/standard_id/providers/base.rb

@@ -209,6 +209,22 @@ module StandardId
           false
         end
 
+        # Returns list of supported authorization parameters for this provider.
+        #
+        # Include :nonce in this list for OIDC providers to enable nonce validation.
+        # Nonce provides replay attack protection for ID tokens.
+        #
+        # @return [Array<Symbol>] List of supported parameters
+        #
+        # @example
+        #   def supported_authorization_params
+        #     [:scope, :prompt, :nonce]
+        #   end
+        #
+        def supported_authorization_params
+          []
+        end
+
         # Optional setup hook called when provider is registered.
         #
         # Override this method to perform initialization tasks like:

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.2.0"
+  VERSION = "0.2.2"
 end

data/lib/standard_id/web/session_manager.rb

@@ -21,7 +21,10 @@ module StandardId
       def sign_in_account(account)
         emit_session_creating(account, "browser")
         token_manager.create_browser_session(account).tap do |browser_session|
+          # Store in both session and encrypted cookie for backward compatibility
+          # Action Cable will use the encrypted cookie
           session[:session_token] = browser_session.token
+          cookies.encrypted[:session_token] = browser_session.token
           Current.session = browser_session
           emit_session_created(browser_session, account, "browser")
         end
@@ -39,6 +42,7 @@ module StandardId
       def clear_session!
         # TODO: make token key names configurable
         session.delete(:session_token)
+        cookies.encrypted[:session_token] = nil
         cookies.delete(:remember_token)
 
         Current.session = nil
@@ -65,7 +69,9 @@ module StandardId
       end
 
       def load_session_from_session_token
-        StandardId::BrowserSession.eager_load(:account).by_token(session[:session_token]).first
+        # Try encrypted cookie first (for Action Cable), then fall back to session (for backward compatibility)
+        session_token = cookies.encrypted[:session_token] || session[:session_token]
+        StandardId::BrowserSession.eager_load(:account).by_token(session_token).first
       end
 
       def load_session_from_remember_token
@@ -73,7 +79,9 @@ module StandardId
         return if password_credential.blank?
 
         token_manager.create_browser_session(password_credential.account, remember_me: true).tap do |browser_session|
+          # Store in both session and encrypted cookie for backward compatibility
           session[:session_token] = browser_session.token
+          cookies.encrypted[:session_token] = browser_session.token
           cookies[:remember_token] = token_manager.create_remember_token(password_credential)
         end
       end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.2
 platform: ruby
 authors:
 - Jaryl Sim
@@ -64,11 +64,13 @@ files:
 - README.md
 - Rakefile
 - app/assets/stylesheets/standard_id/application.css
+- app/channels/concerns/standard_id/cable_authentication.rb
 - app/controllers/concerns/standard_id/api_authentication.rb
 - app/controllers/concerns/standard_id/inertia_rendering.rb
 - app/controllers/concerns/standard_id/inertia_support.rb
 - app/controllers/concerns/standard_id/set_current_request_details.rb
 - app/controllers/concerns/standard_id/social_authentication.rb
+- app/controllers/concerns/standard_id/web/social_login_params.rb
 - app/controllers/concerns/standard_id/web_authentication.rb
 - app/controllers/standard_id/api/authorization_controller.rb
 - app/controllers/standard_id/api/base_controller.rb