standard_id 0.3.0 → 0.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9878cd708e3ea39bc8cad97946dd6509c2423a815ade09c726d80c591f72cf7f
-  data.tar.gz: 4ee3cf785da092a4efd199dee423d214c0b99936928cd381e8167650474c9c7b
+  metadata.gz: 0f0a6bc5ee9c7ea15e8f9ea7bee06f7cb080da52fade31a85bb0d0ead5207552
+  data.tar.gz: 8dffbedfccd7f2434fbf77befe544ebb0c2dc55e4bbbbfb105c11254543e8103
 SHA512:
-  metadata.gz: 68cdd5a479a507d7647055b06534744f458546ac81a0a1bf71b0464739316ade506a50303a811fefac56142f223d1d913af4a41fd53243a1678ec64a50f48d5e
-  data.tar.gz: bb8137fb52314263901a3ed6640ef9b327f1397424b68776af4edd4b37be9d0da26e7974d5728252981823b9dd48fc4aec4825f960aec3a3769a20a7cef3ead4
+  metadata.gz: dd96b17327a9468bd2128dea33826450009949e73b6579e36f7c422cd5f9e8aa36a1201de4019e523f79f709539a2cc2e4f8c92dabb15fdef0505488fb3c9cb1
+  data.tar.gz: 74e0c84b638ecb2ab7dbc7f7303617e8b2614fc62f9c8218f33da27136f267f41f6ca676afdff2197395eff5410b538fc186f3c9c9f1c7148cd43bc653b22b57

data/README.md

@@ -787,8 +787,7 @@ class ApplicationController < ActionController::Base
   private
 
   def handle_account_locked(error)
-    # error.account     - The locked account
-    # error.lock_reason - Why the account was locked
+    # error.lock_reason - Why the account was locked (avoid exposing to end users)
     # error.locked_at   - When the account was locked
     redirect_to login_path, alert: "Your account has been locked. Please contact support."
   end

data/app/controllers/concerns/standard_id/api_authentication.rb

@@ -2,6 +2,12 @@ module StandardId
   module ApiAuthentication
     extend ActiveSupport::Concern
 
+    included do
+      if StandardId.config.alias_current_user
+        define_method(:current_user) { current_account }
+      end
+    end
+
     delegate :current_session, :current_account, :revoke_current_session!, to: :session_manager
 
     private

data/app/controllers/concerns/standard_id/audience_verification.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+module StandardId
+  # Per-controller audience verification for API endpoints.
+  #
+  # While StandardId validates that the JWT `aud` claim is in the global
+  # `allowed_audiences` list, this concern provides additional defense-in-depth
+  # by restricting which audiences are accepted by each controller.
+  #
+  # Requires StandardId::ApiAuthentication to be included before this concern
+  # (provides `verify_access_token!` and `current_session`). An error is raised
+  # at include time if ApiAuthentication is missing.
+  #
+  # The caller is responsible for registering `before_action :verify_access_token!`
+  # (typically via ApiAuthentication or a base controller). This concern only adds
+  # the `verify_audience!` callback, which must run after token verification so
+  # that `current_session` is populated. This is consistent with how
+  # `require_scopes!` works in ApiAuthentication.
+  #
+  # @example Single audience
+  #   class AdminController < Api::BaseController
+  #     include StandardId::AudienceVerification
+  #     verify_audience "admin"
+  #   end
+  #
+  # @example Multiple audiences
+  #   class SharedController < Api::BaseController
+  #     include StandardId::AudienceVerification
+  #     verify_audience "admin", "mobile"
+  #   end
+  module AudienceVerification
+    extend ActiveSupport::Concern
+
+    included do
+      unless ancestors.include?(StandardId::ApiAuthentication)
+        raise "#{name || 'Controller'} must include StandardId::ApiAuthentication before StandardId::AudienceVerification"
+      end
+
+      before_action :verify_audience!
+
+      rescue_from StandardId::InvalidAudienceError, with: :handle_invalid_audience
+
+      # Underscore prefix follows Rails class_attribute convention to avoid
+      # collisions with application method names.
+      class_attribute :_required_audiences, instance_writer: false, default: []
+    end
+
+    class_methods do
+      # Declare the allowed audiences for this controller.
+      # The token's `aud` claim must include at least one of these values.
+      #
+      # @param audiences [Array<String>] allowed JWT `aud` claim values
+      def verify_audience(*audiences)
+        self._required_audiences = audiences.flatten.map(&:to_s)
+      end
+    end
+
+    private
+
+    # Verifies the token's `aud` claim contains at least one of the required audiences.
+    # Supports both string and array `aud` claims.
+    #
+    # @raise [StandardId::InvalidAudienceError] when no audience matches
+    def verify_audience!
+      return if _required_audiences.empty?
+
+      # If authentication hasn't run (or token is invalid), let the auth
+      # layer handle 401 — don't mask it with a 403.
+      return unless current_session
+
+      token_audiences = Array(current_session.aud)
+      return if (token_audiences & _required_audiences).any?
+
+      raise StandardId::InvalidAudienceError.new(
+        required: _required_audiences,
+        actual: token_audiences
+      )
+    end
+
+    # Returns 403 Forbidden per RFC 6750 §3.1 (insufficient_scope).
+    # Includes WWW-Authenticate header per spec, consistent with the gem's
+    # 401 handling in Api::BaseController#render_bearer_unauthorized!.
+    #
+    # The header uses a static description rather than interpolating
+    # error.message (which contains raw aud values from the JWT) to
+    # avoid header injection via crafted audience strings.
+    #
+    # Override in your controller for custom error formatting.
+    def handle_invalid_audience(error)
+      response.set_header(
+        "WWW-Authenticate",
+        'Bearer error="insufficient_scope", error_description="The access token audience is not permitted for this resource"'
+      )
+      render json: { error: "insufficient_scope", error_description: error.message }, status: :forbidden
+    end
+  end
+end

data/app/controllers/concerns/standard_id/sentry_context.rb

@@ -0,0 +1,36 @@
+module StandardId
+  # Sets Sentry user context from the current authenticated account.
+  #
+  # This is a standalone concern that host apps can include in their
+  # ApplicationController to automatically set Sentry user context
+  # for each request. It eliminates the need for apps to write
+  # their own SentryContext boilerplate.
+  #
+  # Safe to include even when the Sentry gem is not installed -- the
+  # callback is a no-op if `Sentry` is not defined.
+  #
+  # @example
+  #   class ApplicationController < ActionController::Base
+  #     include StandardId::WebAuthentication
+  #     include StandardId::SentryContext
+  #   end
+  module SentryContext
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :set_standard_id_sentry_context
+    end
+
+    private
+
+    def set_standard_id_sentry_context
+      return unless defined?(Sentry)
+      return unless respond_to?(:current_account, true) && current_account.present?
+
+      context = { id: current_account.id }
+      context[:session_id] = current_session.id if respond_to?(:current_session, true) && current_session.present?
+
+      Sentry.set_user(context)
+    end
+  end
+end

data/app/controllers/concerns/standard_id/set_current_request_details.rb

@@ -12,7 +12,7 @@ module StandardId
       return unless defined?(::Current)
 
       ::Current.request_id = request.request_id if ::Current.respond_to?(:request_id=)
-      ::Current.ip_address = request.remote_ip if ::Current.respond_to?(:ip_address=)
+      ::Current.ip_address = StandardId::Utils::IpNormalizer.normalize(request.remote_ip) if ::Current.respond_to?(:ip_address=)
       ::Current.user_agent = request.user_agent if ::Current.respond_to?(:user_agent=)
     end
   end

data/app/controllers/concerns/standard_id/social_authentication.rb

@@ -47,7 +47,7 @@ module StandardId
           account: account,
           value: email
         )
-        identifier.verify! if identifier.respond_to?(:verify!)
+        identifier.verify! if identifier.respond_to?(:verify!) && [true, "true"].include?(social_info[:email_verified])
         emit_social_account_created(account, provider, social_info)
         account
       end

data/app/controllers/concerns/standard_id/web_authentication.rb

@@ -5,6 +5,11 @@ module StandardId
     included do
       include StandardId::InertiaSupport
       helper_method :current_account, :authenticated?
+
+      if StandardId.config.alias_current_user
+        define_method(:current_user) { current_account }
+        helper_method :current_user
+      end
     end
 
     delegate :current_session, :current_account, :revoke_current_session!, to: :session_manager
@@ -66,7 +71,13 @@ module StandardId
       )
 
       StandardId::PasswordCredential.find_by(login:).tap do |password_credential|
-        unless password_credential&.authenticate(password)
+        authenticated = password_credential&.authenticate(password)
+
+        # Perform a dummy bcrypt comparison when the credential doesn't exist
+        # to prevent user enumeration via response timing differences.
+        BCrypt::Password.new(dummy_password_digest).is_password?(password) unless password_credential
+
+        unless authenticated
           StandardId::Events.publish(
             StandardId::Events::AUTHENTICATION_FAILED,
             account_lookup: login,
@@ -103,6 +114,10 @@ module StandardId
       @token_manager ||= StandardId::Web::TokenManager.new(request)
     end
 
+    def dummy_password_digest
+      @dummy_password_digest ||= BCrypt::Password.create("").freeze
+    end
+
     def authentication_guard
       @authentication_guard ||= StandardId::Web::AuthenticationGuard.new
     end

data/app/controllers/standard_id/web/verify_email/start_controller.rb

@@ -19,7 +19,7 @@ module StandardId
             target: email,
             code: generate_otp_code,
             expires_at: 10.minutes.from_now,
-            ip_address: request.remote_ip,
+            ip_address: StandardId::Utils::IpNormalizer.normalize(request.remote_ip),
             user_agent: request.user_agent
           )
 

data/app/controllers/standard_id/web/verify_phone/start_controller.rb

@@ -19,7 +19,7 @@ module StandardId
             target: phone,
             code: generate_otp_code,
             expires_at: 10.minutes.from_now,
-            ip_address: request.remote_ip,
+            ip_address: StandardId::Utils::IpNormalizer.normalize(request.remote_ip),
             user_agent: request.user_agent
           )
 

data/app/forms/standard_id/web/signup_form.rb

@@ -37,8 +37,8 @@ module StandardId
       rescue ActiveRecord::RecordInvalid => e
         errors.add(:base, e.record.errors.full_messages.join(", "))
         false
-      rescue ActiveRecord::RecordNotUnique => e
-        errors.add(:base, e.message)
+      rescue ActiveRecord::RecordNotUnique
+        errors.add(:base, "Unable to complete registration. If you already have an account, please sign in.")
         false
       end
 

data/app/jobs/standard_id/cleanup_expired_sessions_job.rb

@@ -0,0 +1,15 @@
+module StandardId
+  class CleanupExpiredSessionsJob < ApplicationJob
+    queue_as :default
+
+    # Delete sessions that expired more than `grace_period_seconds` ago.
+    # A grace period avoids deleting sessions that just expired and might
+    # still be referenced in in-flight requests.
+    # Accepts integer seconds for reliable ActiveJob serialization across all queue adapters.
+    def perform(grace_period_seconds: 7.days.to_i)
+      cutoff = grace_period_seconds.seconds.ago
+      deleted = StandardId::Session.where("expires_at < ?", cutoff).delete_all
+      Rails.logger.info("[StandardId] Cleaned up #{deleted} expired sessions older than #{cutoff}")
+    end
+  end
+end

data/lib/standard_id/api/session_manager.rb

@@ -12,9 +12,7 @@ module StandardId
 
       def current_account
         return unless current_session
-        @current_account ||= StandardId.account_class
-          .find_by(id: current_session.account_id)
-          &.tap { |a| a.strict_loading!(false) }
+        @current_account ||= load_current_account
       end
 
       def revoke_current_session!
@@ -28,6 +26,12 @@ module StandardId
 
       private
 
+      def load_current_account
+        scope = StandardId.account_class
+        scope = StandardId.config.account_scope.call(scope) if StandardId.config.account_scope
+        scope.find_by(id: current_session.account_id)&.tap { |a| a.strict_loading!(false) }
+      end
+
       def load_current_session
         return @current_session if @current_session.present?
 

data/lib/standard_id/api/token_manager.rb

@@ -10,7 +10,7 @@ module StandardId
       def create_device_session(account, device_id: nil, device_agent: nil)
         StandardId::DeviceSession.create!(
           account:,
-          ip_address: @request.remote_ip,
+          ip_address: StandardId::Utils::IpNormalizer.normalize(@request.remote_ip),
           device_id: device_id || SecureRandom.uuid,
           device_agent: device_agent || @request.user_agent,
           expires_at: StandardId::DeviceSession.expiry
@@ -21,7 +21,7 @@ module StandardId
         StandardId::ServiceSession.create!(
           account:,
           owner:,
-          ip_address: @request.remote_ip,
+          ip_address: StandardId::Utils::IpNormalizer.normalize(@request.remote_ip),
           service_name:,
           service_version:,
           metadata: metadata || {},
@@ -30,12 +30,9 @@ module StandardId
       end
 
       def bearer_token
-        return @bearer_token if @bearer_token.present?
+        return @bearer_token if defined?(@bearer_token)
 
-        auth_header = @request.headers["Authorization"]
-        return unless auth_header&.start_with?("Bearer ")
-
-        @bearer_token = auth_header.split(" ", 2).last
+        @bearer_token = StandardId::BearerTokenExtraction.extract(@request.headers["Authorization"])
       end
 
       def verify_jwt_token(token: bearer_token)

data/lib/standard_id/bearer_token_extraction.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module StandardId
+  # Bearer token extraction utility.
+  #
+  # This module serves two roles:
+  #
+  # 1. **Class method** (`BearerTokenExtraction.extract`) — pure extraction
+  #    logic used by TokenManager in lib/. Lives in lib/ so there is no
+  #    cross-layer dependency on app/ autoloading.
+  #
+  # 2. **Controller mixin** (`include StandardId::BearerTokenExtraction`) —
+  #    provides `extract_bearer_token` as a private instance method.
+  #    Conventionally, controller concerns live under app/controllers/concerns/,
+  #    but this module is co-located with the utility to keep the extraction
+  #    logic in a single file and avoid the same-constant-name conflict
+  #    between lib/ and app/ autoloading.
+  #
+  # Does not use ActiveSupport::Concern because it has no `included` or
+  # `class_methods` blocks — it is a plain Ruby module.
+  #
+  # Controllers that include StandardId::ApiAuthentication do NOT need this —
+  # token extraction is handled internally by the TokenManager.
+  #
+  # @example As a controller concern
+  #   class McpController < ActionController::API
+  #     include StandardId::BearerTokenExtraction
+  #
+  #     def authenticate!
+  #       token = extract_bearer_token
+  #       # validate token...
+  #     end
+  #   end
+  #
+  # @example Direct class method (used by TokenManager)
+  #   StandardId::BearerTokenExtraction.extract(auth_header)
+  module BearerTokenExtraction
+    # Extracts the Bearer token from a raw Authorization header value.
+    #
+    # Note: prior to the introduction of this module, TokenManager#bearer_token
+    # returned "" for a bare "Bearer " header. This now returns nil via .presence,
+    # which is the correct behavior — downstream JWT parsing receives nil instead
+    # of attempting to decode an empty string.
+    #
+    # @param auth_header [String, nil] the raw Authorization header value
+    # @return [String, nil] the bearer token, or nil if not present/empty
+    def self.extract(auth_header)
+      return unless auth_header&.start_with?("Bearer ")
+
+      auth_header.split(" ", 2).last.presence
+    end
+
+    private
+
+    # Extracts the token from an "Authorization: Bearer <token>" header.
+    # Result is memoized for the lifetime of the controller instance.
+    #
+    # @return [String, nil] the bearer token, or nil if not present
+    def extract_bearer_token
+      return @_bearer_token if defined?(@_bearer_token)
+
+      @_bearer_token = StandardId::BearerTokenExtraction.extract(request.headers["Authorization"])
+    end
+  end
+end

data/lib/standard_id/config/schema.rb

@@ -14,8 +14,10 @@ StandardConfig.schema.draw do
     field :issuer, type: :string, default: nil
     field :login_url, type: :string, default: nil
     field :allowed_post_logout_redirect_uris, type: :array, default: []
+    field :account_scope, type: :any, default: nil
     field :use_inertia, type: :boolean, default: false
     field :inertia_component_namespace, type: :string, default: "standard_id"
+    field :alias_current_user, type: :boolean, default: false
   end
 
   scope :events do

data/lib/standard_id/engine.rb

@@ -9,6 +9,11 @@ module StandardId
 
       StandardId::Events::Subscribers::AccountStatusSubscriber.attach
       StandardId::Events::Subscribers::AccountLockingSubscriber.attach
+
+      if StandardId.config.issuer.blank?
+        Rails.logger.warn("[StandardId] No issuer configured. JWT tokens will not include or verify the 'iss' claim. " \
+                          "Set StandardId.config.issuer in your initializer for production use.")
+      end
     end
   end
 end

data/lib/standard_id/errors.rb

@@ -1,22 +1,27 @@
 module StandardId
+  # Session errors
   class NotAuthenticatedError < StandardError; end
 
   class InvalidSessionError < StandardError; end
   class ExpiredSessionError < InvalidSessionError; end
   class RevokedSessionError < InvalidSessionError; end
+
+  # Account errors
   class AccountDeactivatedError < StandardError; end
 
   class AccountLockedError < StandardError
-    attr_reader :account, :lock_reason, :locked_at
+    # lock_reason and locked_at are available for logging and admin use.
+    # Avoid surfacing lock_reason in user-facing responses.
+    attr_reader :lock_reason, :locked_at
 
     def initialize(account)
-      @account = account
       @lock_reason = account.lock_reason
       @locked_at = account.locked_at
-      super("Account has been locked#{lock_reason ? ": #{lock_reason}" : ""}")
+      super("Account has been locked")
     end
   end
 
+  # OAuth errors
   class OAuthError < StandardError
     def oauth_error_code
       :invalid_request
@@ -64,4 +69,15 @@ module StandardId
   class UnsupportedResponseTypeError < OAuthError
     def oauth_error_code = :unsupported_response_type
   end
+
+  # Audience verification errors
+  class InvalidAudienceError < StandardError
+    attr_reader :required, :actual
+
+    def initialize(required:, actual:)
+      @required = required
+      @actual = actual
+      super("Token audience [#{actual.join(', ')}] does not match required audiences: #{required.join(', ')}")
+    end
+  end
 end

data/lib/standard_id/http_client.rb

@@ -3,19 +3,30 @@ require "uri"
 
 module StandardId
   class HttpClient
+    OPEN_TIMEOUT = 5
+    READ_TIMEOUT = 10
+
     class << self
       def post_form(endpoint, params)
         uri = URI(endpoint)
-        Net::HTTP.post_form(uri, params)
+        request = Net::HTTP::Post.new(uri)
+        request.set_form_data(params)
+        start_connection(uri) { |http| http.request(request) }
       end
 
       def get_with_bearer(endpoint, access_token)
         uri = URI(endpoint)
         request = Net::HTTP::Get.new(uri)
         request["Authorization"] = "Bearer #{access_token}"
-        Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
-          http.request(request)
-        end
+        start_connection(uri) { |http| http.request(request) }
+      end
+
+      private
+
+      def start_connection(uri, &block)
+        Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https",
+                                             open_timeout: OPEN_TIMEOUT,
+                                             read_timeout: READ_TIMEOUT, &block)
       end
     end
   end

data/lib/standard_id/oauth/password_flow.rb

@@ -76,6 +76,10 @@ module StandardId
           .includes(credential: :account)
           .find_by(login: username)
 
+        # Perform a dummy bcrypt comparison when the credential doesn't exist
+        # to prevent user enumeration via response timing differences.
+        BCrypt::Password.new(dummy_password_digest).is_password?(password) unless @credential
+
         @credential&.authenticate(password)&.account
       end
 
@@ -90,6 +94,10 @@ module StandardId
         end
       end
 
+      def dummy_password_digest
+        @dummy_password_digest ||= BCrypt::Password.create("").freeze
+      end
+
       def default_scope
         "read"
       end

data/lib/standard_id/oauth/token_lifetime_resolver.rb

@@ -1,17 +1,21 @@
 module StandardId
   module Oauth
     class TokenLifetimeResolver
-      class << self
-        DEFAULT_ACCESS_TOKEN_LIFETIME = 1.hour.to_i
-        DEFAULT_REFRESH_TOKEN_LIFETIME = 30.days.to_i
+      DEFAULT_ACCESS_TOKEN_LIFETIME = 1.hour.to_i
+      DEFAULT_REFRESH_TOKEN_LIFETIME = 30.days.to_i
+      MAX_ACCESS_TOKEN_LIFETIME = 24.hours.to_i
+      MAX_REFRESH_TOKEN_LIFETIME = 90.days.to_i
 
+      class << self
         def access_token_for(flow_key)
           configured = lookup_token_lifetime(flow_key)
-          positive_seconds(configured, default_access_token_lifetime)
+          lifetime = positive_seconds(configured, default_access_token_lifetime)
+          clamp_seconds(lifetime, MAX_ACCESS_TOKEN_LIFETIME)
         end
 
         def refresh_token_lifetime
-          positive_seconds(oauth_config.refresh_token_lifetime, DEFAULT_REFRESH_TOKEN_LIFETIME)
+          lifetime = positive_seconds(oauth_config.refresh_token_lifetime, DEFAULT_REFRESH_TOKEN_LIFETIME)
+          clamp_seconds(lifetime, MAX_REFRESH_TOKEN_LIFETIME)
         end
 
         private
@@ -41,6 +45,16 @@ module StandardId
           (normalized_value.positive? ? normalized_value : fallback_value).seconds
         end
 
+        def clamp_seconds(duration, max)
+          seconds = duration.to_i
+          if seconds > max
+            Rails.logger.warn { "[StandardId] Token lifetime #{seconds}s exceeds maximum #{max}s, clamping to #{max}s" }
+            max.seconds
+          else
+            duration
+          end
+        end
+
         def oauth_config
           StandardId.config.oauth
         end

data/lib/standard_id/passwordless/base_strategy.rb

@@ -35,7 +35,7 @@ module StandardId
           target: username,
           code: code,
           expires_at: StandardId.config.passwordless.code_ttl.seconds.from_now,
-          ip_address: request.remote_ip,
+          ip_address: StandardId::Utils::IpNormalizer.normalize(request.remote_ip),
           user_agent: request.user_agent
         )
         cc

data/lib/standard_id/utils/ip_normalizer.rb

@@ -0,0 +1,16 @@
+module StandardId
+  module Utils
+    class IpNormalizer
+      IPV6_LOCALHOST = "::1"
+      IPV4_LOCALHOST = "127.0.0.1"
+
+      class << self
+        def normalize(ip)
+          return ip unless ip == IPV6_LOCALHOST
+
+          IPV4_LOCALHOST
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.3.0"
+  VERSION = "0.3.2"
 end

data/lib/standard_id/web/session_manager.rb

@@ -15,7 +15,7 @@ module StandardId
       end
 
       def current_account
-        Current.account ||= current_session&.account&.tap { |a| a.strict_loading!(false) }
+        Current.account ||= load_current_account
       end
 
       def sign_in_account(account)
@@ -50,6 +50,19 @@ module StandardId
 
       private
 
+      def load_current_account
+        if StandardId.config.account_scope
+          account_id = current_session&.account_id
+          return unless account_id
+
+          scope = StandardId.account_class
+          scope = StandardId.config.account_scope.call(scope)
+          scope.find_by(id: account_id)&.tap { |a| a.strict_loading!(false) }
+        else
+          current_session&.account&.tap { |a| a.strict_loading!(false) }
+        end
+      end
+
       def load_current_session
         Current.session ||= load_session_from_session_token
         Current.session ||= load_session_from_remember_token

data/lib/standard_id/web/token_manager.rb

@@ -10,7 +10,7 @@ module StandardId
       def create_browser_session(account)
         StandardId::BrowserSession.create!(
           account: account,
-          ip_address: request.remote_ip,
+          ip_address: StandardId::Utils::IpNormalizer.normalize(request.remote_ip),
           user_agent: request.user_agent,
           expires_at: StandardId::BrowserSession.expiry
         )

data/lib/standard_id.rb

@@ -13,6 +13,7 @@ require "standard_id/events/subscribers/account_locking_subscriber"
 require "standard_id/account_status"
 require "standard_id/account_locking"
 require "standard_id/http_client"
+require "standard_id/bearer_token_extraction"
 require "standard_id/jwt_service"
 require "standard_id/web/session_manager"
 require "standard_id/web/token_manager"
@@ -39,6 +40,7 @@ require "standard_id/passwordless/base_strategy"
 require "standard_id/passwordless/email_strategy"
 require "standard_id/passwordless/sms_strategy"
 require "standard_id/utils/callable_parameter_filter"
+require "standard_id/utils/ip_normalizer"
 
 require "concurrent/delay"
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.2
 platform: ruby
 authors:
 - Jaryl Sim
@@ -80,9 +80,11 @@ files:
 - app/assets/stylesheets/standard_id/application.css
 - app/channels/concerns/standard_id/cable_authentication.rb
 - app/controllers/concerns/standard_id/api_authentication.rb
+- app/controllers/concerns/standard_id/audience_verification.rb
 - app/controllers/concerns/standard_id/inertia_rendering.rb
 - app/controllers/concerns/standard_id/inertia_support.rb
 - app/controllers/concerns/standard_id/passwordless_strategy.rb
+- app/controllers/concerns/standard_id/sentry_context.rb
 - app/controllers/concerns/standard_id/set_current_request_details.rb
 - app/controllers/concerns/standard_id/social_authentication.rb
 - app/controllers/concerns/standard_id/web/social_login_params.rb
@@ -117,6 +119,7 @@ files:
 - app/forms/standard_id/web/signup_form.rb
 - app/helpers/standard_id/application_helper.rb
 - app/jobs/standard_id/application_job.rb
+- app/jobs/standard_id/cleanup_expired_sessions_job.rb
 - app/mailers/standard_id/application_mailer.rb
 - app/models/concerns/standard_id/account_associations.rb
 - app/models/concerns/standard_id/credentiable.rb
@@ -171,6 +174,7 @@ files:
 - lib/standard_id/api/session_manager.rb
 - lib/standard_id/api/token_manager.rb
 - lib/standard_id/api_engine.rb
+- lib/standard_id/bearer_token_extraction.rb
 - lib/standard_id/config/schema.rb
 - lib/standard_id/current_attributes.rb
 - lib/standard_id/engine.rb
@@ -205,6 +209,7 @@ files:
 - lib/standard_id/provider_registry.rb
 - lib/standard_id/providers/base.rb
 - lib/standard_id/utils/callable_parameter_filter.rb
+- lib/standard_id/utils/ip_normalizer.rb
 - lib/standard_id/version.rb
 - lib/standard_id/web/authentication_guard.rb
 - lib/standard_id/web/session_manager.rb