standard_id 0.25.0 → 0.26.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +11 -1
- data/app/controllers/concerns/standard_id/rate_limit_handling.rb +8 -1
- data/app/controllers/standard_id/web/base_controller.rb +1 -0
- data/app/helpers/standard_id/application_helper.rb +6 -0
- data/app/views/standard_id/web/login_verify/show.html.erb +1 -1
- data/lib/standard_id/config/schema.rb +16 -2
- data/lib/standard_id/oauth/discovery_document.rb +8 -1
- data/lib/standard_id/passwordless/verification_service.rb +12 -1
- data/lib/standard_id/version.rb +1 -1
- data/lib/standard_id/web/session_manager.rb +6 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6b1486a551a57501f794685296e6d40c7c356917168fce7a515c7d869c887c1c
|
|
4
|
+
data.tar.gz: 9520bd31e28f591e0e5b65e95e4b8861c7fedc233471914740304984da666f6c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a2122cccd43faf84a5a332788f10f02a6a91928dfcc9452e080fb27704951da83dcaaffc02e0e91d7b1668b9f5696c0142b7744924908a5e03ac74c539bada1e
|
|
7
|
+
data.tar.gz: b287c31906e30d58e977ce778a9daa77010a346eaa355a343b0952ec82865ece850e6686b622af9f228e5f69010efd2d9e8914fbb56bd6fe7c4b497976ebb2a6
|
data/README.md
CHANGED
|
@@ -450,7 +450,17 @@ end
|
|
|
450
450
|
|
|
451
451
|
**Realm isolation.** `realm:` is a free-form string that partitions challenges by purpose. A code issued for realm `"widget_contact_verification"` cannot be used to verify against realm `"authentication"` (or any other realm) — even for the same `target`. Choose a stable string per flow.
|
|
452
452
|
|
|
453
|
-
**Bypass code (E2E testing).** When `StandardId.config.passwordless.bypass_code` is set (and
|
|
453
|
+
**Bypass code (E2E testing).** When `StandardId.config.passwordless.bypass_code` is set (and the deploy is not production), `Otp.verify` accepts the bypass code for **any realm**. This replaces per-app bypass ENV checks and works consistently across `Otp.verify` and the built-in passwordless login flow. Never set `bypass_code` in production — it will raise if you try.
|
|
454
|
+
|
|
455
|
+
By default "production" means `Rails.env.production?`. Apps that distinguish a physical deploy environment from `RAILS_ENV` (e.g. a staging box that still runs `RAILS_ENV=production`) can override the decision with a callable:
|
|
456
|
+
|
|
457
|
+
```ruby
|
|
458
|
+
# Allow the bypass code on a physically-staging box, still refused on real prod.
|
|
459
|
+
c.passwordless.production_env_detector = -> { AppEnv.production? }
|
|
460
|
+
c.passwordless.bypass_code = ENV["STANDARD_ID_BYPASS_CODE"] unless AppEnv.production?
|
|
461
|
+
```
|
|
462
|
+
|
|
463
|
+
`production_env_detector` takes no arguments and returns a boolean; when `nil` (the default) the gem falls back to `Rails.env.production?`, so existing consumers are unaffected.
|
|
454
464
|
|
|
455
465
|
**Back-compat.** The existing passwordless authentication flow continues to work unchanged. `Otp.issue`/`Otp.verify` are a new addition — you can migrate direct `CodeChallenge.create!` calls at your own pace.
|
|
456
466
|
|
|
@@ -20,7 +20,14 @@ module StandardId
|
|
|
20
20
|
}, status: :too_many_requests
|
|
21
21
|
else
|
|
22
22
|
flash[:alert] = "Too many requests. Please try again later."
|
|
23
|
-
|
|
23
|
+
# Bounce back to the rate-limited form's own GET action. Previously this
|
|
24
|
+
# used `request.referer || main_app.root_path`, which raised (→ 500) for
|
|
25
|
+
# two real cases: a host app that doesn't define a root route (e.g. an
|
|
26
|
+
# API/control-plane that only mounts the engine — `main_app.root_path`
|
|
27
|
+
# then doesn't exist), and a cross-origin `Referer` (Rails refuses the
|
|
28
|
+
# redirect as unsafe). `request.path` is always a valid, same-origin GET
|
|
29
|
+
# for every rate-limited action here, so it degrades gracefully.
|
|
30
|
+
redirect_to request.path, status: :see_other
|
|
24
31
|
end
|
|
25
32
|
end
|
|
26
33
|
end
|
|
@@ -1,4 +1,10 @@
|
|
|
1
1
|
module StandardId
|
|
2
2
|
module ApplicationHelper
|
|
3
|
+
# The configured OTP code length, clamped to the engine's supported range
|
|
4
|
+
# (4..10). Views use this so the verification-code input's `maxlength`
|
|
5
|
+
# stays in sync with the length of codes the generator actually produces.
|
|
6
|
+
def otp_code_length
|
|
7
|
+
StandardId::Passwordless.otp_code_length
|
|
8
|
+
end
|
|
3
9
|
end
|
|
4
10
|
end
|
|
@@ -22,7 +22,7 @@
|
|
|
22
22
|
<div>
|
|
23
23
|
<%= form.label :code, "Verification code", class: "block text-sm/6 font-medium text-gray-900 dark:text-white" %>
|
|
24
24
|
<div class="mt-2">
|
|
25
|
-
<%= form.text_field :code, required: true, autofocus: true, autocomplete: "one-time-code", inputmode: "numeric", maxlength:
|
|
25
|
+
<%= form.text_field :code, required: true, autofocus: true, autocomplete: "one-time-code", inputmode: "numeric", maxlength: otp_code_length, class: "block w-full rounded-md bg-white px-3 py-1.5 text-base text-gray-900 outline outline-1 -outline-offset-1 outline-gray-300 placeholder:text-gray-400 focus:outline focus:outline-2 focus:-outline-offset-2 focus:outline-indigo-600 sm:text-sm/6 dark:bg-white/5 dark:text-white dark:outline-white/10 dark:placeholder:text-gray-500 dark:focus:outline-indigo-500" %>
|
|
26
26
|
</div>
|
|
27
27
|
</div>
|
|
28
28
|
|
|
@@ -102,13 +102,27 @@ StandardId::ConfigSchema.define do
|
|
|
102
102
|
field :max_attempts_per_challenge, type: :integer, default: nil
|
|
103
103
|
|
|
104
104
|
field :retry_delay, type: :integer, default: 30 # 30 seconds
|
|
105
|
-
# Bypass code for E2E testing —
|
|
106
|
-
# When set and
|
|
105
|
+
# Bypass code for E2E testing — refused on production deploys (raises).
|
|
106
|
+
# When set and the deploy is *not* production, this code is accepted by
|
|
107
107
|
# both the built-in passwordless login and by StandardId::Otp.verify
|
|
108
108
|
# for *any* realm. Use a long, non-guessable value and unset it
|
|
109
109
|
# outside test environments.
|
|
110
|
+
#
|
|
111
|
+
# "Production" is decided by production_env_detector below (default
|
|
112
|
+
# Rails.env.production?), so host apps that distinguish a physical deploy
|
|
113
|
+
# environment from RAILS_ENV can still gate this correctly.
|
|
110
114
|
field :bypass_code, type: :string, default: nil
|
|
111
115
|
|
|
116
|
+
# Optional callable deciding whether the current deploy is "production"
|
|
117
|
+
# for the purpose of the bypass-code guard. Takes no args, returns a
|
|
118
|
+
# boolean. When nil (default), falls back to Rails.env.production? — so
|
|
119
|
+
# existing consumers are unchanged. Host apps that distinguish a physical
|
|
120
|
+
# deploy environment from RAILS_ENV (e.g. APP_ENVIRONMENT, which stays
|
|
121
|
+
# RAILS_ENV=production on a physically-staging box) can supply
|
|
122
|
+
# `-> { AppEnv.production? }` to allow a bypass code on staging while it
|
|
123
|
+
# stays refused on real production.
|
|
124
|
+
field :production_env_detector, type: :any, default: nil
|
|
125
|
+
|
|
112
126
|
# Custom username validator for passwordless flows.
|
|
113
127
|
# When set, called before OTP generation to validate the recipient address.
|
|
114
128
|
# Must be a callable (lambda/proc) that receives (username, connection_type)
|
|
@@ -34,7 +34,6 @@ module StandardId
|
|
|
34
34
|
token_endpoint: "#{base}/oauth/token",
|
|
35
35
|
revocation_endpoint: "#{base}/oauth/revoke",
|
|
36
36
|
userinfo_endpoint: "#{base}/userinfo",
|
|
37
|
-
jwks_uri: "#{base}/.well-known/jwks.json",
|
|
38
37
|
response_types_supported: %w[code],
|
|
39
38
|
grant_types_supported: %w[authorization_code refresh_token client_credentials],
|
|
40
39
|
subject_types_supported: %w[public],
|
|
@@ -47,6 +46,14 @@ module StandardId
|
|
|
47
46
|
code_challenge_methods_supported: %w[S256]
|
|
48
47
|
}
|
|
49
48
|
|
|
49
|
+
# Only advertise jwks_uri when signing is asymmetric. With symmetric
|
|
50
|
+
# (HS256/384/512) signing there are no public keys to publish, so the
|
|
51
|
+
# jwks endpoint deliberately returns 404 — advertising it would point
|
|
52
|
+
# clients at a dead URL. HS-signed tokens are verified with the shared
|
|
53
|
+
# secret, not JWKS. (RFC 8414 makes jwks_uri optional; an OIDC client
|
|
54
|
+
# using HS256 id_tokens verifies them with the client_secret.)
|
|
55
|
+
doc[:jwks_uri] = "#{base}/.well-known/jwks.json" if StandardId::JwtService.asymmetric?
|
|
56
|
+
|
|
50
57
|
doc[:registration_endpoint] = "#{base}/oauth/register" if registration_enabled
|
|
51
58
|
|
|
52
59
|
doc
|
|
@@ -204,7 +204,7 @@ module StandardId
|
|
|
204
204
|
bypass_code = StandardId.config.passwordless.bypass_code
|
|
205
205
|
return unless bypass_code.present?
|
|
206
206
|
|
|
207
|
-
if
|
|
207
|
+
if bypass_production_deploy?
|
|
208
208
|
raise "STANDARD_ID_BYPASS_CODE must not be set in production"
|
|
209
209
|
end
|
|
210
210
|
|
|
@@ -246,6 +246,17 @@ module StandardId
|
|
|
246
246
|
end
|
|
247
247
|
end
|
|
248
248
|
|
|
249
|
+
# Whether the bypass code is forbidden because this is a production
|
|
250
|
+
# deploy. Defers to config.passwordless.production_env_detector when set
|
|
251
|
+
# (host apps that distinguish a physical deploy env from RAILS_ENV), else
|
|
252
|
+
# falls back to Rails.env.production?.
|
|
253
|
+
def bypass_production_deploy?
|
|
254
|
+
detector = StandardId.config.passwordless.production_env_detector
|
|
255
|
+
return !!detector.call if detector
|
|
256
|
+
|
|
257
|
+
defined?(Rails) && Rails.env.production?
|
|
258
|
+
end
|
|
259
|
+
|
|
249
260
|
def resolve_target_and_channel!(email, phone)
|
|
250
261
|
if email.present?
|
|
251
262
|
@target = email.to_s.strip
|
data/lib/standard_id/version.rb
CHANGED
|
@@ -63,7 +63,12 @@ module StandardId
|
|
|
63
63
|
# TODO: make token key names configurable
|
|
64
64
|
session.delete(:session_token)
|
|
65
65
|
session.delete(:standard_id_scopes)
|
|
66
|
-
cookies.encrypted[:session_token] = nil
|
|
66
|
+
# Delete the cookie outright. Assigning `cookies.encrypted[:session_token] = nil`
|
|
67
|
+
# writes a fresh encrypted blob through the jar's default options (no httponly)
|
|
68
|
+
# on every unauthenticated request, leaving a confusing non-HttpOnly
|
|
69
|
+
# `session_token` cookie that carries no real token. `cookies.delete` removes it
|
|
70
|
+
# cleanly — the token-bearing write (write_session_cookie) keeps httponly: true.
|
|
71
|
+
cookies.delete(:session_token)
|
|
67
72
|
cookies.delete(:remember_token)
|
|
68
73
|
|
|
69
74
|
Current.session = nil
|