standard_id 0.3.1 → 0.4.0

data/lib/standard_id/testing/factories/identifiers.rb

@@ -0,0 +1,37 @@
+FactoryBot.define do
+  factory :standard_id_email_identifier, class: "StandardId::EmailIdentifier" do
+    sequence(:value) { |n| "user#{n}@example.com" }
+
+    trait :verified do
+      verified_at { Time.current }
+    end
+
+    trait :unverified do
+      verified_at { nil }
+    end
+  end
+
+  factory :standard_id_phone_number_identifier, class: "StandardId::PhoneNumberIdentifier" do
+    sequence(:value) { |n| "+1555#{(n % 10_000_000).to_s.rjust(7, '0')}" }
+
+    trait :verified do
+      verified_at { Time.current }
+    end
+
+    trait :unverified do
+      verified_at { nil }
+    end
+  end
+
+  factory :standard_id_username_identifier, class: "StandardId::UsernameIdentifier" do
+    sequence(:value) { |n| "user_#{n}" }
+
+    trait :verified do
+      verified_at { Time.current }
+    end
+
+    trait :unverified do
+      verified_at { nil }
+    end
+  end
+end

data/lib/standard_id/testing/factories/oauth.rb

@@ -0,0 +1,89 @@
+FactoryBot.define do
+  # ClientApplication requires a polymorphic `owner` association.
+  # The host app must define an `:account` factory for this association to resolve.
+  factory :standard_id_client_application, class: "StandardId::ClientApplication" do
+    association :owner, factory: :account
+    sequence(:name) { |n| "Test App #{n}" }
+    redirect_uris { "https://example.com/callback" }
+    scopes { "openid profile email" }
+    grant_types { "authorization_code refresh_token" }
+    response_types { "code" }
+    client_type { "confidential" }
+    require_pkce { true }
+    code_challenge_methods { "S256" }
+    access_token_lifetime { 3600 }
+    refresh_token_lifetime { 2_592_000 }
+    authorization_code_lifetime { 600 }
+    active { true }
+
+    trait :public_client do
+      client_type { "public" }
+    end
+
+    trait :inactive do
+      active { false }
+      deactivated_at { Time.current }
+    end
+
+    # Replaces the default grant_types value. To combine with other grant types,
+    # set grant_types explicitly: grant_types { "authorization_code client_credentials" }
+    trait :with_client_credentials do
+      grant_types { "client_credentials" }
+    end
+  end
+
+  factory :standard_id_code_challenge, class: "StandardId::CodeChallenge" do
+    realm { "authentication" }
+    channel { "email" }
+    sequence(:target) { |n| "user#{n}@example.com" }
+    code { SecureRandom.random_number(10**6).to_s.rjust(6, "0") }
+    expires_at { 10.minutes.from_now }
+
+    trait :expired do
+      expires_at { 5.minutes.ago }
+    end
+
+    trait :used do
+      used_at { Time.current }
+    end
+
+    trait :for_verification do
+      realm { "verification" }
+    end
+
+    trait :for_sms do
+      channel { "sms" }
+      sequence(:target) { |n| "+1555#{(n % 10_000_000).to_s.rjust(7, '0')}" }
+    end
+  end
+
+  # AuthorizationCode has `belongs_to :account, optional: true`.
+  # client_id is a plain string (no FK to ClientApplication) — intentionally
+  # unlinked so tests can create authorization codes without a full OAuth setup.
+  factory :standard_id_authorization_code, class: "StandardId::AuthorizationCode" do
+    transient do
+      plaintext_code { SecureRandom.hex(20) }
+    end
+
+    association :account, factory: :account
+    code_hash { StandardId::AuthorizationCode.hash_for(plaintext_code) }
+    client_id { SecureRandom.hex(16) }
+    redirect_uri { "https://example.com/callback" }
+    scope { "openid profile" }
+    issued_at { Time.current }
+    expires_at { 10.minutes.from_now }
+
+    trait :expired do
+      expires_at { 5.minutes.ago }
+    end
+
+    trait :consumed do
+      consumed_at { Time.current }
+    end
+
+    trait :with_pkce do
+      code_challenge { SecureRandom.hex(32) }
+      code_challenge_method { "S256" }
+    end
+  end
+end

data/lib/standard_id/testing/factories/sessions.rb

@@ -0,0 +1,112 @@
+FactoryBot.define do
+  # BrowserSession requires an `account` association (belongs_to :account).
+  # The host app must define an `:account` factory for this association to resolve.
+  factory :standard_id_browser_session, class: "StandardId::BrowserSession" do
+    association :account, factory: :account
+    user_agent { "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0" }
+    sequence(:ip_address) { |n| "192.168.1.#{(n % 254) + 1}" }
+    expires_at { StandardId::BrowserSession.expiry }
+
+    trait :active do
+      revoked_at { nil }
+    end
+
+    trait :expired do
+      expires_at { 2.days.ago }
+      revoked_at { nil }
+    end
+
+    trait :revoked do
+      revoked_at { 1.day.ago }
+    end
+
+    trait :chrome do
+      user_agent { "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0" }
+    end
+
+    trait :firefox do
+      user_agent { "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/121.0" }
+    end
+
+    trait :safari do
+      user_agent { "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Safari/17.2" }
+    end
+
+    trait :edge do
+      user_agent { "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Edg/120.0" }
+    end
+  end
+
+  # DeviceSession requires an `account` association (belongs_to :account).
+  # The host app must define an `:account` factory for this association to resolve.
+  factory :standard_id_device_session, class: "StandardId::DeviceSession" do
+    association :account, factory: :account
+    device_agent { "App/1.0 (iPhone; iOS 17.2)" }
+    sequence(:device_id) { |n| "device_#{n}" }
+    sequence(:ip_address) { |n| "10.0.0.#{(n % 254) + 1}" }
+    expires_at { StandardId::DeviceSession.expiry }
+    last_refreshed_at { 30.minutes.ago }
+
+    trait :active do
+      revoked_at { nil }
+      last_refreshed_at { 30.minutes.ago }
+    end
+
+    trait :expired do
+      expires_at { 15.days.ago }
+      revoked_at { nil }
+    end
+
+    trait :revoked do
+      expires_at { 30.days.from_now }
+      revoked_at { 5.days.ago }
+    end
+
+    trait :stale do
+      expires_at { 30.days.from_now }
+      revoked_at { nil }
+      last_refreshed_at { 2.hours.ago }
+    end
+
+    trait :iphone do
+      device_agent { "App/1.0 (iPhone; iOS 17.2)" }
+    end
+
+    trait :android do
+      device_agent { "App/1.0 (Android; Samsung Galaxy S24)" }
+    end
+
+    trait :ipad do
+      device_agent { "App/1.0 (iPad; iPadOS 17.2)" }
+    end
+  end
+
+  # NOTE: ServiceSession inherits `belongs_to :account` from Session and adds
+  # `belongs_to :owner` (polymorphic). Both are required.
+  # By default, account and owner are distinct :account instances. Override one
+  # or both if your test needs them to be the same object.
+  # The host app must define an `:account` factory for these associations to resolve.
+  factory :standard_id_service_session, class: "StandardId::ServiceSession" do
+    association :account, factory: :account
+    association :owner, factory: :account
+    service_name { "test-service" }
+    service_version { "1.0.0" }
+    ip_address { "10.0.0.1" }
+    user_agent { "ServiceClient/1.0" }
+    expires_at { StandardId::ServiceSession.default_expiry }
+
+    trait :active do
+      revoked_at { nil }
+    end
+
+    trait :expired do
+      expires_at { 30.days.ago }
+      revoked_at { nil }
+    end
+
+    trait :revoked do
+      expires_at { 90.days.from_now }
+      revoked_at { 1.day.ago }
+    end
+  end
+end

data/lib/standard_id/testing/factory_bot.rb

@@ -0,0 +1,7 @@
+require "factory_bot"
+
+# Factories are loaded alphabetically via glob. FactoryBot resolves associations
+# lazily, so load order does not affect correctness. If adding a factory file
+# with an explicit dependency on another, use require_relative instead.
+factory_paths = Dir[File.join(__dir__, "factories", "*.rb")]
+factory_paths.each { |f| require f }

data/lib/standard_id/testing/request_helpers.rb

@@ -0,0 +1,60 @@
+module StandardId
+  module Testing
+    # Integration test helpers for signing in accounts and making authenticated requests.
+    #
+    # Usage in rails_helper.rb:
+    #
+    #   require "standard_id/testing"
+    #
+    #   RSpec.configure do |config|
+    #     config.include StandardId::Testing::RequestHelpers, type: :request
+    #   end
+    #
+    module RequestHelpers
+      # Create a browser session record for integration tests.
+      #
+      # For a simpler approach, use stub_web_authentication from AuthenticationHelpers instead.
+      #
+      # @param account [Object] the account to sign in
+      # @param user_agent [String] the user agent string (default: "RSpec")
+      # @return [StandardId::BrowserSession] the created session
+      #
+      def create_browser_session(account, user_agent: "RSpec")
+        StandardId::BrowserSession.create!(
+          account: account,
+          ip_address: "127.0.0.1",
+          user_agent: user_agent,
+          expires_at: StandardId::BrowserSession.expiry
+        )
+      end
+
+      # Build a JWT token for API/service authentication.
+      #
+      # @param account [Object, nil] account (uses account.id as sub claim)
+      # @param sub [String, nil] explicit subject claim (overrides account.id)
+      # @param client_id [String] OAuth client ID
+      # @param scope [String] space-separated scopes
+      # @param grant_type [String] OAuth grant type
+      # @param extra [Hash] additional JWT claims
+      # @return [String] encoded JWT token
+      #
+      def build_jwt(account: nil, sub: nil, client_id: "test-client",
+                    scope: "openid", grant_type: "authorization_code", extra: {})
+        sub ||= account&.id
+        raise ArgumentError, "account or sub must be provided" if sub.nil?
+
+        claims = { sub: sub, client_id: client_id, scope: scope, grant_type: grant_type }.merge(extra)
+        StandardId::JwtService.encode(claims)
+      end
+
+      # Returns an Authorization header hash for Bearer token authentication.
+      #
+      # @param token [String] the JWT token
+      # @return [Hash] header hash
+      #
+      def bearer_auth_header(token)
+        { "Authorization" => "Bearer #{token}" }
+      end
+    end
+  end
+end

data/lib/standard_id/testing.rb

@@ -0,0 +1,26 @@
+require "standard_id/testing/authentication_helpers"
+require "standard_id/testing/request_helpers"
+
+module StandardId
+  module Testing
+    # Load StandardId's FactoryBot factory definitions.
+    #
+    # Requires the `factory_bot` (or `factory_bot_rails`) gem in the host app's
+    # Gemfile under the :test group.
+    #
+    # Recommended usage in rails_helper.rb:
+    #
+    #   require "standard_id/testing"
+    #   StandardId::Testing.setup_factory_bot!
+    #
+    def self.setup_factory_bot!
+      require "standard_id/testing/factory_bot"
+    rescue LoadError => e
+      raise unless e.message.include?("factory_bot")
+
+      raise LoadError,
+        "StandardId::Testing.setup_factory_bot! requires the `factory_bot` gem. " \
+        "Add `gem 'factory_bot_rails'` (or `gem 'factory_bot'`) to your Gemfile's :test group."
+    end
+  end
+end

data/lib/standard_id/utils/ip_normalizer.rb

@@ -0,0 +1,16 @@
+module StandardId
+  module Utils
+    class IpNormalizer
+      IPV6_LOCALHOST = "::1"
+      IPV4_LOCALHOST = "127.0.0.1"
+
+      class << self
+        def normalize(ip)
+          return ip unless ip == IPV6_LOCALHOST
+
+          IPV4_LOCALHOST
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.3.1"
+  VERSION = "0.4.0"
 end

data/lib/standard_id/web/session_manager.rb

@@ -15,7 +15,7 @@ module StandardId
       end
 
       def current_account
-        Current.account ||= current_session&.account&.tap { |a| a.strict_loading!(false) }
+        Current.account ||= load_current_account
       end
 
       def sign_in_account(account)
@@ -50,6 +50,19 @@ module StandardId
 
       private
 
+      def load_current_account
+        if StandardId.config.account_scope
+          account_id = current_session&.account_id
+          return unless account_id
+
+          scope = StandardId.account_class
+          scope = StandardId.config.account_scope.call(scope)
+          scope.find_by(id: account_id)&.tap { |a| a.strict_loading!(false) }
+        else
+          current_session&.account&.tap { |a| a.strict_loading!(false) }
+        end
+      end
+
       def load_current_session
         Current.session ||= load_session_from_session_token
         Current.session ||= load_session_from_remember_token

data/lib/standard_id/web/token_manager.rb

@@ -10,7 +10,7 @@ module StandardId
       def create_browser_session(account)
         StandardId::BrowserSession.create!(
           account: account,
-          ip_address: request.remote_ip,
+          ip_address: StandardId::Utils::IpNormalizer.normalize(request.remote_ip),
           user_agent: request.user_agent,
           expires_at: StandardId::BrowserSession.expiry
         )

data/lib/standard_id.rb

@@ -39,7 +39,10 @@ require "standard_id/oauth/passwordless_otp_flow"
 require "standard_id/passwordless/base_strategy"
 require "standard_id/passwordless/email_strategy"
 require "standard_id/passwordless/sms_strategy"
+require "standard_id/passwordless/verification_service"
+require "standard_id/authorization_bypass"
 require "standard_id/utils/callable_parameter_filter"
+require "standard_id/utils/ip_normalizer"
 
 require "concurrent/delay"
 
@@ -74,5 +77,9 @@ module StandardId
     def account_class
       config.account_class_name.constantize
     end
+
+    def skip_host_authorization(framework: nil, callback: nil)
+      AuthorizationBypass.apply(framework: framework, callback: callback)
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Jaryl Sim
@@ -65,6 +65,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: concurrent-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: factory_bot
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.5'
 description: StandardId is an authentication engine that provides a complete, secure-by-default
   solution for identity management, reducing boilerplate and eliminating common security
   pitfalls.
@@ -81,9 +109,11 @@ files:
 - app/channels/concerns/standard_id/cable_authentication.rb
 - app/controllers/concerns/standard_id/api_authentication.rb
 - app/controllers/concerns/standard_id/audience_verification.rb
+- app/controllers/concerns/standard_id/controller_policy.rb
 - app/controllers/concerns/standard_id/inertia_rendering.rb
 - app/controllers/concerns/standard_id/inertia_support.rb
 - app/controllers/concerns/standard_id/passwordless_strategy.rb
+- app/controllers/concerns/standard_id/sentry_context.rb
 - app/controllers/concerns/standard_id/set_current_request_details.rb
 - app/controllers/concerns/standard_id/social_authentication.rb
 - app/controllers/concerns/standard_id/web/social_login_params.rb
@@ -173,6 +203,7 @@ files:
 - lib/standard_id/api/session_manager.rb
 - lib/standard_id/api/token_manager.rb
 - lib/standard_id/api_engine.rb
+- lib/standard_id/authorization_bypass.rb
 - lib/standard_id/bearer_token_extraction.rb
 - lib/standard_id/config/schema.rb
 - lib/standard_id/current_attributes.rb
@@ -205,9 +236,19 @@ files:
 - lib/standard_id/passwordless/base_strategy.rb
 - lib/standard_id/passwordless/email_strategy.rb
 - lib/standard_id/passwordless/sms_strategy.rb
+- lib/standard_id/passwordless/verification_service.rb
 - lib/standard_id/provider_registry.rb
 - lib/standard_id/providers/base.rb
+- lib/standard_id/testing.rb
+- lib/standard_id/testing/authentication_helpers.rb
+- lib/standard_id/testing/factories/credentials.rb
+- lib/standard_id/testing/factories/identifiers.rb
+- lib/standard_id/testing/factories/oauth.rb
+- lib/standard_id/testing/factories/sessions.rb
+- lib/standard_id/testing/factory_bot.rb
+- lib/standard_id/testing/request_helpers.rb
 - lib/standard_id/utils/callable_parameter_filter.rb
+- lib/standard_id/utils/ip_normalizer.rb
 - lib/standard_id/version.rb
 - lib/standard_id/web/authentication_guard.rb
 - lib/standard_id/web/session_manager.rb