standard_id 0.6.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e7f12cdcd431146c994f1ae5b1bf0919357fc7abf8e3668d13363e22eb421fe0
-  data.tar.gz: 2017963a39eb1430206fdc8ebf8354c12fc9fa46b755a7706452cb06ac6352b1
+  metadata.gz: f8e7433ee5b0ef4a2da21afc993c2106cac0d69d03af4fb842f5ab2d8cf2e71b
+  data.tar.gz: 7a4eb0f649f83157a77a1200d249eb79391de044470caad81c2bbbd2cc0906b1
 SHA512:
-  metadata.gz: 61b5e5a16dca753e8128300fb88b37e931252f05e73cfccc5fbc7467e4c58eca7435bc004877eca56c59305310de40c56b0491856cc173cddd5c815bf72b42c9
-  data.tar.gz: 1af3914e27993f6a51bb15fc821f40c8bd2095744e0187b107a2273ca70ab006e4c9a5522c3001db6f7f1240345e744fc7805ba5970410f2f263382bbb8c36cd
+  metadata.gz: fd06a2fa4d70147dadaa175cfd371861a0d723ec38b79cf4991c5d7dab0fb29667f08378654ec17a382673575af501b53d7bd84a1dc750766985e58326639abb
+  data.tar.gz: 6686d5ced7aad0df56e585b454e614bb1ddb941a97c7843c97907dfa3ad05682e699a610ee25c31242b2dc8347827991c8e5f41b3a226e2a0c3c314d7bd5ff47

data/app/controllers/standard_id/api/oauth/revocations_controller.rb

@@ -0,0 +1,48 @@
+module StandardId
+  module Api
+    module Oauth
+      class RevocationsController < BaseController
+        public_controller
+
+        skip_before_action :validate_content_type!
+
+        # POST /oauth/revoke
+        # RFC 7009 - OAuth 2.0 Token Revocation
+        #
+        # Accepts a token and optional token_type_hint parameter.
+        # Always responds with 200 OK regardless of whether the token
+        # was valid or revocation was successful (per RFC 7009 Section 2.1).
+        def create
+          token = params[:token]
+          head :ok and return if token.blank?
+
+          payload = StandardId::JwtService.decode(token)
+          head :ok and return unless payload&.dig(:sub)
+
+          account_id = payload[:sub]
+
+          sessions = StandardId::DeviceSession
+            .where(account_id: account_id)
+            .active
+
+          # token_type_hint is accepted but ignored — we always attempt
+          # revocation via sub claim regardless of token type (RFC 7009 §2.1)
+          revoked_sessions = sessions.to_a
+          if revoked_sessions.any?
+            ActiveRecord::Base.transaction do
+              revoked_sessions.each { |session| session.revoke!(reason: "token_revocation") }
+            end
+
+            StandardId::Events.publish(
+              StandardId::Events::OAUTH_TOKEN_REVOKED,
+              account_id: account_id,
+              sessions_revoked: revoked_sessions.size
+            )
+          end
+
+          head :ok
+        end
+      end
+    end
+  end
+end

data/app/controllers/standard_id/api/sessions_controller.rb

@@ -0,0 +1,42 @@
+module StandardId
+  module Api
+    class SessionsController < BaseController
+      authenticated_controller
+
+      skip_before_action :validate_content_type!
+      before_action :verify_access_token!
+
+      def index
+        sessions = current_account.sessions.active.order(created_at: :desc)
+
+        render json: sessions.map { |session| serialize_session(session) }
+      end
+
+      def destroy
+        session = current_account.sessions.find_by(id: params[:id])
+
+        unless session
+          render json: { error: "not_found", error_description: "Session not found" }, status: :not_found
+          return
+        end
+
+        session.revoke!(reason: "api_revocation")
+        head :no_content
+      end
+
+      private
+
+      def serialize_session(session)
+        {
+          id: session.id,
+          type: session.type&.demodulize,
+          created_at: session.created_at.iso8601,
+          last_refreshed_at: session.respond_to?(:last_refreshed_at) ? session.last_refreshed_at&.iso8601 : nil,
+          ip_address: session.respond_to?(:ip_address) ? session.ip_address : nil,
+          # user_agent is the API-facing name for the device_agent model attribute
+          user_agent: session.respond_to?(:device_agent) ? session.device_agent : nil
+        }.compact
+      end
+    end
+  end
+end

data/app/controllers/standard_id/api/well_known/openid_configuration_controller.rb

@@ -0,0 +1,42 @@
+module StandardId
+  module Api
+    module WellKnown
+      class OpenidConfigurationController < ActionController::API
+        include StandardId::ControllerPolicy
+        public_controller
+
+        def show
+          issuer = StandardId.config.issuer
+
+          unless issuer.present?
+            render json: { error: "Issuer not configured" }, status: :not_found
+            return
+          end
+
+          response.headers["Cache-Control"] = "public, max-age=3600"
+          render json: discovery_document(issuer)
+        end
+
+        private
+
+        def discovery_document(issuer)
+          base = issuer.chomp("/")
+
+          {
+            issuer: issuer,
+            authorization_endpoint: "#{base}/authorize",
+            token_endpoint: "#{base}/oauth/token",
+            revocation_endpoint: "#{base}/oauth/revoke",
+            userinfo_endpoint: "#{base}/userinfo",
+            jwks_uri: "#{base}/.well-known/jwks.json",
+            response_types_supported: %w[code],
+            grant_types_supported: %w[authorization_code refresh_token client_credentials],
+            subject_types_supported: %w[public],
+            id_token_signing_alg_values_supported: [StandardId.config.oauth.signing_algorithm.to_s.upcase],
+            token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post]
+          }
+        end
+      end
+    end
+  end
+end

data/config/routes/api.rb

@@ -4,6 +4,8 @@ StandardId::ApiEngine.routes.draw do
 
     resource :userinfo, only: [:show], controller: :userinfo
 
+    resources :sessions, only: [:index, :destroy]
+
     resource :passwordless, only: [], controller: :passwordless do
       post :start
     end
@@ -14,6 +16,7 @@ StandardId::ApiEngine.routes.draw do
 
     namespace :oauth do
       resource :token, only: [:create]
+      resource :revoke, only: [:create], controller: :revocations
 
       namespace :callback do
         post ":provider", to: "providers#callback", as: :provider
@@ -22,6 +25,7 @@ StandardId::ApiEngine.routes.draw do
 
     scope ".well-known", module: :well_known do
       get "jwks.json", to: "jwks#show", as: :jwks
+      get "openid-configuration", to: "openid_configuration#show", as: :openid_configuration
     end
   end
 end

data/lib/standard_id/config/schema.rb

@@ -33,6 +33,7 @@ StandardConfig.schema.draw do
     field :code_ttl, type: :integer, default: 600 # 10 minutes in seconds
     field :max_attempts, type: :integer, default: 3
     field :retry_delay, type: :integer, default: 30 # 30 seconds
+    field :bypass_code, type: :string, default: nil
   end
 
   scope :password do

data/lib/standard_id/events/definitions.rb

@@ -39,6 +39,7 @@ module StandardId
       OAUTH_TOKEN_ISSUED = "oauth.token.issued"
       OAUTH_TOKEN_REFRESHED = "oauth.token.refreshed"
       OAUTH_CODE_CONSUMED = "oauth.code.consumed"
+      OAUTH_TOKEN_REVOKED = "oauth.token.revoked"
 
       PASSWORDLESS_CODE_REQUESTED = "passwordless.code.requested"
       PASSWORDLESS_CODE_GENERATED = "passwordless.code.generated"
@@ -108,7 +109,8 @@ module StandardId
         OAUTH_TOKEN_ISSUING,
         OAUTH_TOKEN_ISSUED,
         OAUTH_TOKEN_REFRESHED,
-        OAUTH_CODE_CONSUMED
+        OAUTH_CODE_CONSUMED,
+        OAUTH_TOKEN_REVOKED
       ].freeze
 
       PASSWORDLESS_EVENTS = [
@@ -164,6 +166,7 @@ module StandardId
         OAUTH_AUTHORIZATION_DENIED,
         OAUTH_TOKEN_ISSUED,
         OAUTH_TOKEN_REFRESHED,
+        OAUTH_TOKEN_REVOKED,
         # Passwordless
         PASSWORDLESS_CODE_FAILED,
         PASSWORDLESS_ACCOUNT_CREATED,

data/lib/standard_id/passwordless/verification_service.rb

@@ -83,6 +83,9 @@ module StandardId
           return failure("Code is required")
         end
 
+        bypass_result = try_bypass
+        return bypass_result if bypass_result
+
         challenge = find_active_challenge
         code_matches = challenge.present? && secure_compare(challenge.code, @code)
         attempts = record_failed_attempt(challenge, code_matches)
@@ -127,6 +130,20 @@ module StandardId
 
       private
 
+      # When a bypass_code is configured and the submitted code matches,
+      # skip the CodeChallenge lookup entirely. This allows E2E testing
+      # tools (e.g. Playwright) to verify OTPs without a real challenge.
+      def try_bypass
+        bypass_code = StandardId.config.passwordless.bypass_code
+        return unless bypass_code.present?
+        return unless secure_compare(bypass_code, @code)
+
+        strategy = strategy_for(@channel)
+        account = strategy.find_or_create_account(@target)
+
+        success(account: account, challenge: nil)
+      end
+
       def resolve_target_and_channel!(email, phone)
         if email.present?
           @target = email.to_s.strip

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.6.0"
+  VERSION = "0.7.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.0
 platform: ruby
 authors:
 - Jaryl Sim
@@ -122,11 +122,14 @@ files:
 - app/controllers/standard_id/api/base_controller.rb
 - app/controllers/standard_id/api/oauth/base_controller.rb
 - app/controllers/standard_id/api/oauth/callback/providers_controller.rb
+- app/controllers/standard_id/api/oauth/revocations_controller.rb
 - app/controllers/standard_id/api/oauth/tokens_controller.rb
 - app/controllers/standard_id/api/oidc/logout_controller.rb
 - app/controllers/standard_id/api/passwordless_controller.rb
+- app/controllers/standard_id/api/sessions_controller.rb
 - app/controllers/standard_id/api/userinfo_controller.rb
 - app/controllers/standard_id/api/well_known/jwks_controller.rb
+- app/controllers/standard_id/api/well_known/openid_configuration_controller.rb
 - app/controllers/standard_id/web/account_controller.rb
 - app/controllers/standard_id/web/auth/callback/providers_controller.rb
 - app/controllers/standard_id/web/base_controller.rb