standard_id 0.8.0 → 0.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 112cdb26b4fc96d4be1830bde78fada616b87a79f6d7adff9657df72d8942a57
-  data.tar.gz: 4efeaf6a5f3f5bfdaf3747bebc0f5f9c3ccf22b02642c69e7b59c8a3d4aec74a
+  metadata.gz: a6e84ca4e7d4d01aa3957ed1371ef774fc1203b9006da7591b99e20fadb343b4
+  data.tar.gz: cc74bfcf5f471d4bf7b76d621497598fac95fa0f833b256a74c3a4374456850b
 SHA512:
-  metadata.gz: eea26565c62749d409acbdf38a282f63edf16ed907872d9673fea58057ede62ea679adb1765cd1e55855a48ca67cdabc5baeb7fa52277529828366c560462e7e
-  data.tar.gz: c250360c48f34dc9d52b6f1391e7816735dd1d3e9be63d7d80a0e8ae9b87d7ee178f8c78867eead4b7c792ac62b6a753ea90be73caf9e1f60e4c94415c57f1fd
+  metadata.gz: 21932b0dd06f986340284587ccfae60cfea9b0e5075cdc670ff297e23412c0440d0e434e3974f98f65b9071fb15a118c3c36920e08b8887e9857fa612318e857
+  data.tar.gz: 7acf89c15d302da9e25da25de4c786441df085f65950a02e8b6fec71b4a90cf3f72c3167929371018869cc4787e6476d5df78036e3b2dde4833525d5c260045f

data/app/controllers/concerns/standard_id/social_authentication.rb

@@ -6,6 +6,8 @@ module StandardId
       prepend_before_action :prepare_provider
     end
 
+    VALID_LINK_STRATEGIES = %i[strict trust_provider].freeze
+
     private
 
     attr_reader :provider
@@ -39,13 +41,16 @@ module StandardId
       identifier = StandardId::EmailIdentifier.find_by(value: email)
 
       if identifier.present?
+        validate_social_link!(identifier, provider)
+        identifier.update!(provider: provider.provider_name) if identifier.provider.nil?
         emit_social_account_linked(identifier.account, provider, identifier)
         identifier.account
       else
         account = build_account_from_social(social_info)
         identifier = StandardId::EmailIdentifier.create!(
           account: account,
-          value: email
+          value: email,
+          provider: provider.provider_name
         )
         identifier.verify! if identifier.respond_to?(:verify!) && [true, "true"].include?(social_info[:email_verified])
         emit_social_account_created(account, provider, social_info)
@@ -53,6 +58,32 @@ module StandardId
       end
     end
 
+    def validate_social_link!(identifier, provider)
+      strategy = StandardId.config.social.link_strategy
+
+      unless VALID_LINK_STRATEGIES.include?(strategy)
+        raise ArgumentError, "Invalid social.link_strategy: #{strategy.inspect}. " \
+          "Must be one of: #{VALID_LINK_STRATEGIES.map(&:inspect).join(', ')}"
+      end
+
+      return if strategy == :trust_provider
+      # nil provider means the identifier predates provider tracking — allow
+      # through since we can't retroactively determine its origin.
+      return if identifier.provider.nil?
+      return if identifier.provider == provider.provider_name
+      return if account_has_social_identifier_from?(identifier.account, provider)
+
+      emit_social_link_blocked(identifier, provider)
+      raise StandardId::SocialLinkError.new(
+        email: identifier.value,
+        provider_name: provider.provider_name
+      )
+    end
+
+    def account_has_social_identifier_from?(account, provider)
+      account.identifiers.where(type: StandardId::EmailIdentifier.sti_name, provider: provider.provider_name).exists?
+    end
+
     def build_account_from_social(social_info)
       emit_account_creating_from_social(social_info)
       attrs = resolve_account_attributes(social_info)
@@ -123,6 +154,16 @@ module StandardId
       )
     end
 
+    def emit_social_link_blocked(identifier, provider)
+      StandardId::Events.publish(
+        StandardId::Events::SOCIAL_LINK_BLOCKED,
+        email: identifier.value,
+        provider: provider,
+        identifier: identifier,
+        account: identifier.account
+      )
+    end
+
     def emit_social_account_linked(account, provider, identifier)
       StandardId::Events.publish(
         StandardId::Events::SOCIAL_ACCOUNT_LINKED,

data/app/controllers/concerns/standard_id/web_authentication.rb

@@ -107,7 +107,13 @@ module StandardId
     end
 
     def session_manager
-      @session_manager ||= StandardId::Web::SessionManager.new(token_manager, request: request, session: session, cookies: cookies)
+      @session_manager ||= StandardId::Web::SessionManager.new(
+        token_manager,
+        request: request,
+        session: session,
+        cookies: cookies,
+        reset_session: -> { reset_session }
+      )
     end
 
     def token_manager

data/app/jobs/standard_id/cleanup_expired_refresh_tokens_job.rb

@@ -0,0 +1,16 @@
+module StandardId
+  class CleanupExpiredRefreshTokensJob < ApplicationJob
+    queue_as :default
+
+    # Delete refresh tokens that expired or were revoked more than
+    # `grace_period_seconds` ago.
+    # Accepts integer seconds for reliable ActiveJob serialization across all queue adapters.
+    def perform(grace_period_seconds: 7.days.to_i)
+      cutoff = grace_period_seconds.seconds.ago
+      deleted = StandardId::RefreshToken
+        .where("expires_at < :cutoff OR revoked_at < :cutoff", cutoff: cutoff)
+        .delete_all
+      Rails.logger.info("[StandardId] Cleaned up #{deleted} expired/revoked refresh tokens older than #{cutoff}")
+    end
+  end
+end

data/app/models/concerns/standard_id/account_associations.rb

@@ -6,6 +6,7 @@ module StandardId
       has_many :identifiers, class_name: "StandardId::Identifier", dependent: :restrict_with_exception
       has_many :credentials, class_name: "StandardId::Credential", through: :identifiers, source: :credentials, dependent: :restrict_with_exception
       has_many :sessions, class_name: "StandardId::Session", dependent: :restrict_with_exception
+      has_many :refresh_tokens, class_name: "StandardId::RefreshToken", dependent: :restrict_with_exception
       has_many :client_applications, class_name: "StandardId::ClientApplication", as: :owner, dependent: :restrict_with_exception
 
       accepts_nested_attributes_for :identifiers

data/app/models/standard_id/refresh_token.rb

@@ -0,0 +1,86 @@
+module StandardId
+  class RefreshToken < ApplicationRecord
+    self.table_name = "standard_id_refresh_tokens"
+
+    belongs_to :account, class_name: StandardId.config.account_class_name
+    belongs_to :session, class_name: "StandardId::Session", optional: true
+    belongs_to :previous_token, class_name: "StandardId::RefreshToken", optional: true
+
+    scope :active, -> { where(revoked_at: nil).where("expires_at > ?", Time.current) }
+    scope :expired, -> { where("expires_at <= ?", Time.current) }
+    scope :revoked, -> { where.not(revoked_at: nil) }
+
+    validates :token_digest, presence: true, uniqueness: true
+    validates :expires_at, presence: true
+
+    def self.digest_for(jti)
+      Digest::SHA256.hexdigest(jti)
+    end
+
+    def self.find_by_jti(jti)
+      find_by(token_digest: digest_for(jti))
+    end
+
+    def active?
+      !revoked? && !expired?
+    end
+
+    def expired?
+      expires_at <= Time.current
+    end
+
+    def revoked?
+      revoked_at.present?
+    end
+
+    def revoke!
+      update!(revoked_at: Time.current) unless revoked?
+    end
+
+    # Revoke this token and all tokens in the same family chain.
+    # A "family" is all tokens linked via previous_token_id.
+    # Only revokes tokens that aren't already revoked, preserving historical
+    # revoked_at timestamps for audit purposes.
+    def revoke_family!
+      family_tokens.where(revoked_at: nil).update_all(revoked_at: Time.current)
+    end
+
+    # Max depth guard to prevent unbounded traversal in case of
+    # corrupted data or extremely long-lived token chains.
+    MAX_FAMILY_DEPTH = 50
+
+    private
+
+    # Find the root of this token's family and return all descendants.
+    # Uses iterative queries (one per generation) bounded by MAX_FAMILY_DEPTH.
+    # For typical token chain lengths (<10) this is fine; a recursive CTE
+    # would collapse to a single query if performance becomes a concern.
+    def family_tokens
+      root = self
+      depth = 0
+      while root.previous_token.present? && depth < MAX_FAMILY_DEPTH
+        root = root.previous_token
+        depth += 1
+      end
+
+      self.class.where(id: collect_family_ids(root.id))
+    end
+
+    def collect_family_ids(root_id)
+      ids = [root_id]
+      current_ids = [root_id]
+      depth = 0
+
+      while depth < MAX_FAMILY_DEPTH
+        next_ids = self.class.where(previous_token_id: current_ids).pluck(:id)
+        break if next_ids.empty?
+
+        ids.concat(next_ids)
+        current_ids = next_ids
+        depth += 1
+      end
+
+      ids
+    end
+  end
+end

data/app/models/standard_id/session.rb

@@ -5,6 +5,9 @@ module StandardId
     self.table_name = "standard_id_sessions"
 
     belongs_to :account, class_name: StandardId.config.account_class_name
+    has_many :refresh_tokens, class_name: "StandardId::RefreshToken", dependent: :nullify
+
+    before_destroy :revoke_active_refresh_tokens
 
     scope :active, -> { where(revoked_at: nil).where("expires_at > ?", Time.current) }
     scope :expired, -> { where("expires_at <= ?", Time.current) }
@@ -36,6 +39,9 @@ module StandardId
     def revoke!(reason: nil)
       @reason = reason
       update!(revoked_at: Time.current)
+      # Cascade revocation to refresh tokens. Uses update_all for efficiency;
+      # intentionally skips updated_at since revocation is tracked via revoked_at.
+      refresh_tokens.active.update_all(revoked_at: Time.current)
     end
 
     private
@@ -52,6 +58,12 @@ module StandardId
       self.lookup_hash = Digest::SHA256.hexdigest("#{token}:#{Rails.configuration.secret_key_base}")
     end
 
+    # Revoke any still-active refresh tokens before the session row is deleted,
+    # so tokens don't become orphaned but usable.
+    def revoke_active_refresh_tokens
+      refresh_tokens.active.update_all(revoked_at: Time.current)
+    end
+
     def just_revoked?
       saved_change_to_revoked_at? && revoked?
     end

data/db/migrate/20260311000000_add_provider_to_standard_id_identifiers.rb

@@ -0,0 +1,15 @@
+# Adds provider tracking to identifiers for social login link validation.
+#
+# After running this migration, existing identifiers will have provider=NULL.
+# The strict link strategy treats NULL provider as "pre-migration" and allows
+# linking, so existing users are not blocked. However, this means pre-migration
+# accounts are not fully protected by the strict strategy until their provider
+# is populated — either by logging in again via social, or by running a
+# backfill (e.g. UPDATE standard_id_identifiers SET provider = 'email'
+# WHERE provider IS NULL AND type = 'StandardId::EmailIdentifier').
+class AddProviderToStandardIdIdentifiers < ActiveRecord::Migration[8.0]
+  def change
+    add_column :standard_id_identifiers, :provider, :string
+    add_index :standard_id_identifiers, [:account_id, :provider]
+  end
+end

data/db/migrate/20260311000000_create_standard_id_refresh_tokens.rb

@@ -0,0 +1,20 @@
+class CreateStandardIdRefreshTokens < ActiveRecord::Migration[8.0]
+  def change
+    create_table :standard_id_refresh_tokens, id: primary_key_type do |t|
+      t.references :account, type: primary_key_type, null: false, foreign_key: true, index: true
+      t.references :session, type: primary_key_type, null: true, foreign_key: { to_table: :standard_id_sessions }, index: true
+
+      t.string :token_digest, null: false, index: { unique: true }
+      t.datetime :expires_at, null: false
+      t.datetime :revoked_at
+
+      t.references :previous_token, type: primary_key_type, null: true, foreign_key: { to_table: :standard_id_refresh_tokens }, index: true
+
+      t.timestamps
+
+      t.index [:account_id, :revoked_at], name: "idx_on_account_id_revoked_at_refresh_tokens"
+      t.index [:session_id, :revoked_at], name: "idx_on_session_id_revoked_at_refresh_tokens"
+      t.index [:expires_at, :revoked_at], name: "idx_on_expires_at_revoked_at_refresh_tokens"
+    end
+  end
+end

data/lib/generators/standard_id/install/templates/standard_id.rb

@@ -114,6 +114,7 @@ StandardId.configure do |c|
   # c.social.apple_team_id        = ENV["APPLE_TEAM_ID"]
   # c.social.allowed_redirect_url_prefixes = ["sidekicklabs://"]
   # c.social.available_scopes = ["profile", "email", "offline_access"]
+  # c.social.link_strategy = :strict # :strict (default) or :trust_provider
   # c.social.social_account_attributes = ->(social_info:, provider:) {
   #   {
   #     email: social_info[:email],

data/lib/standard_id/config/schema.rb

@@ -96,6 +96,7 @@ StandardConfig.schema.draw do
     field :social_account_attributes, type: :any, default: nil
     field :allowed_redirect_url_prefixes, type: :array, default: []
     field :available_scopes, type: :array, default: -> { [] }
+    field :link_strategy, type: :symbol, default: :strict
   end
 
   scope :web do

data/lib/standard_id/engine.rb

@@ -2,6 +2,20 @@ module StandardId
   class Engine < ::Rails::Engine
     isolate_namespace StandardId
 
+    initializer "standard_id.filter_parameters" do |app|
+      app.config.filter_parameters += %i[
+        code_verifier
+        code_challenge
+        client_secret
+        id_token
+        refresh_token
+        access_token
+        state
+        nonce
+        authorization_code
+      ]
+    end
+
     config.after_initialize do
       if StandardId.config.events.enable_logging
         StandardId::Events::Subscribers::LoggingSubscriber.attach

data/lib/standard_id/errors.rb

@@ -73,6 +73,24 @@ module StandardId
   # Lifecycle hook errors
   class AuthenticationDenied < StandardError; end
 
+  # Social login errors
+  # NOTE: email and provider_name are exposed as reader attributes for host
+  # apps to build custom error responses. If you report exceptions to an
+  # error tracker (Sentry, etc.), be aware these attributes contain PII.
+  class SocialLinkError < OAuthError
+    attr_reader :email, :provider_name
+
+    def initialize(email:, provider_name:)
+      @email = email
+      @provider_name = provider_name
+      super("This email is already associated with an account. Please sign in first to link this provider.")
+    end
+
+    # Uses standard OAuth :access_denied code since account_link_required is non-standard
+    def oauth_error_code = :access_denied
+    def http_status = :forbidden
+  end
+
   # Audience verification errors
   class InvalidAudienceError < StandardError
     attr_reader :required, :actual

data/lib/standard_id/events/definitions.rb

@@ -40,6 +40,7 @@ module StandardId
       OAUTH_TOKEN_REFRESHED = "oauth.token.refreshed"
       OAUTH_CODE_CONSUMED = "oauth.code.consumed"
       OAUTH_TOKEN_REVOKED = "oauth.token.revoked"
+      OAUTH_REFRESH_TOKEN_REUSE_DETECTED = "oauth.refresh_token.reuse_detected"
 
       PASSWORDLESS_CODE_REQUESTED = "passwordless.code.requested"
       PASSWORDLESS_CODE_GENERATED = "passwordless.code.generated"
@@ -53,6 +54,7 @@ module StandardId
       SOCIAL_USER_INFO_FETCHED = "social.user_info.fetched"
       SOCIAL_ACCOUNT_CREATED = "social.account.created"
       SOCIAL_ACCOUNT_LINKED = "social.account.linked"
+      SOCIAL_LINK_BLOCKED = "social.link.blocked"
       SOCIAL_AUTH_COMPLETED = "social.auth.completed"
 
       CREDENTIAL_PASSWORD_CREATED = "credential.password.created"
@@ -110,7 +112,8 @@ module StandardId
         OAUTH_TOKEN_ISSUED,
         OAUTH_TOKEN_REFRESHED,
         OAUTH_CODE_CONSUMED,
-        OAUTH_TOKEN_REVOKED
+        OAUTH_TOKEN_REVOKED,
+        OAUTH_REFRESH_TOKEN_REUSE_DETECTED
       ].freeze
 
       PASSWORDLESS_EVENTS = [
@@ -128,6 +131,7 @@ module StandardId
         SOCIAL_USER_INFO_FETCHED,
         SOCIAL_ACCOUNT_CREATED,
         SOCIAL_ACCOUNT_LINKED,
+        SOCIAL_LINK_BLOCKED,
         SOCIAL_AUTH_COMPLETED
       ].freeze
 
@@ -167,6 +171,7 @@ module StandardId
         OAUTH_TOKEN_ISSUED,
         OAUTH_TOKEN_REFRESHED,
         OAUTH_TOKEN_REVOKED,
+        OAUTH_REFRESH_TOKEN_REUSE_DETECTED,
         # Passwordless
         PASSWORDLESS_CODE_FAILED,
         PASSWORDLESS_ACCOUNT_CREATED,
@@ -180,7 +185,8 @@ module StandardId
         CREDENTIAL_CLIENT_SECRET_REVOKED,
         # Social
         SOCIAL_ACCOUNT_CREATED,
-        SOCIAL_ACCOUNT_LINKED
+        SOCIAL_ACCOUNT_LINKED,
+        SOCIAL_LINK_BLOCKED
       ].freeze
 
       ALL_EVENTS = (

data/lib/standard_id/http_client.rb

@@ -1,4 +1,7 @@
+require "ipaddr"
 require "net/http"
+require "openssl"
+require "resolv"
 require "uri"
 
 module StandardId
@@ -6,27 +9,70 @@ module StandardId
     OPEN_TIMEOUT = 5
     READ_TIMEOUT = 10
 
+    class SsrfError < StandardError; end
+
+    BLOCKED_IP_RANGES = [
+      IPAddr.new("10.0.0.0/8"),
+      IPAddr.new("172.16.0.0/12"),
+      IPAddr.new("192.168.0.0/16"),
+      IPAddr.new("127.0.0.0/8"),
+      IPAddr.new("169.254.0.0/16"),
+      IPAddr.new("0.0.0.0/8"),
+      IPAddr.new("::1/128"),
+      IPAddr.new("fc00::/7"),
+      IPAddr.new("fe80::/10")
+    ].freeze
+
     class << self
       def post_form(endpoint, params)
-        uri = URI(endpoint)
+        uri, resolved_ip = validate_url!(endpoint)
         request = Net::HTTP::Post.new(uri)
         request.set_form_data(params)
-        start_connection(uri) { |http| http.request(request) }
+        start_connection(uri, resolved_ip:) { |http| http.request(request) }
       end
 
       def get_with_bearer(endpoint, access_token)
-        uri = URI(endpoint)
+        uri, resolved_ip = validate_url!(endpoint)
         request = Net::HTTP::Get.new(uri)
         request["Authorization"] = "Bearer #{access_token}"
-        start_connection(uri) { |http| http.request(request) }
+        start_connection(uri, resolved_ip:) { |http| http.request(request) }
       end
 
       private
 
-      def start_connection(uri, &block)
-        Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https",
-                                             open_timeout: OPEN_TIMEOUT,
-                                             read_timeout: READ_TIMEOUT, &block)
+      def validate_url!(url)
+        uri = URI.parse(url.to_s)
+        raise SsrfError, "Only http and https schemes are allowed" unless %w[http https].include?(uri.scheme)
+        raise SsrfError, "Invalid URL: missing host" if uri.host.nil? || uri.host.empty?
+
+        addresses = Resolv.getaddresses(uri.host)
+        raise SsrfError, "Could not resolve host" if addresses.empty?
+
+        addresses.each do |addr|
+          ip = IPAddr.new(addr)
+          if BLOCKED_IP_RANGES.any? { |range| range.include?(ip) }
+            raise SsrfError, "Requests to private/internal addresses are not allowed"
+          end
+        end
+
+        # Return resolved IP to pin connection and prevent DNS rebinding
+        [uri, addresses.first]
+      end
+
+      def start_connection(uri, resolved_ip: nil, &block)
+        host = resolved_ip || uri.host
+        options = {
+          use_ssl: uri.scheme == "https",
+          open_timeout: OPEN_TIMEOUT,
+          read_timeout: READ_TIMEOUT
+        }
+        options[:verify_mode] = OpenSSL::SSL::VERIFY_PEER if options[:use_ssl]
+
+        Net::HTTP.start(host, uri.port, **options) do |http|
+          # Set Host header for virtual hosting when connecting to resolved IP
+          http.instance_variable_set(:@address, uri.host) if resolved_ip
+          yield http
+        end
       end
     end
   end

data/lib/standard_id/jwt_service.rb

@@ -122,8 +122,12 @@ module StandardId
       @jwks_ref.set(nil)
     end
 
-    def self.encode(payload, expires_in: 1.hour)
-      payload[:exp] = expires_in.from_now.to_i
+    def self.encode(payload, expires_in: nil, expires_at: nil)
+      payload[:exp] = if expires_at
+        expires_at.to_i
+      else
+        (expires_in || 1.hour).from_now.to_i
+      end
       payload[:iat] = Time.current.to_i
       payload[:iss] ||= StandardId.config.issuer if StandardId.config.issuer.present?
 

data/lib/standard_id/oauth/refresh_token_flow.rb

@@ -14,11 +14,66 @@ module StandardId
           raise StandardId::InvalidGrantError, "Refresh token was not issued to this client"
         end
 
+        validate_refresh_token_record!
         validate_scope_narrowing!
       end
 
       private
 
+      def validate_refresh_token_record!
+        jti = @refresh_payload[:jti]
+        # Legacy tokens minted before jti tracking was added cannot be looked
+        # up or revoked through the RefreshToken model. This shim can be removed
+        # once all pre-jti tokens have expired (refresh_token_lifetime after deploy).
+        return if jti.blank?
+
+        @current_refresh_token_record = StandardId::RefreshToken.find_by_jti(jti)
+
+        unless @current_refresh_token_record
+          raise StandardId::InvalidGrantError, "Refresh token not found"
+        end
+
+        if @current_refresh_token_record.revoked?
+          # Reuse detected: this token was already rotated. Revoke entire family.
+          @current_refresh_token_record.revoke_family!
+          StandardId::Events.publish(
+            StandardId::Events::OAUTH_REFRESH_TOKEN_REUSE_DETECTED,
+            account_id: @refresh_payload[:sub],
+            client_id: @refresh_payload[:client_id],
+            refresh_token_id: @current_refresh_token_record.id
+          )
+          raise StandardId::InvalidGrantError, "Refresh token reuse detected"
+        end
+
+        unless @current_refresh_token_record.active?
+          raise StandardId::InvalidGrantError, "Refresh token is no longer valid"
+        end
+
+        # Atomically revoke the current token as part of rotation.
+        # Uses a conditional UPDATE to prevent TOCTOU race conditions — only one
+        # concurrent request can successfully revoke and proceed.
+        rows = StandardId::RefreshToken
+          .where(id: @current_refresh_token_record.id, revoked_at: nil)
+          .update_all(revoked_at: Time.current)
+
+        if rows == 0
+          # A concurrent request revoked the token between the revoked? check
+          # and the UPDATE. Re-load to determine whether this is a reuse scenario.
+          @current_refresh_token_record.reload
+          if @current_refresh_token_record.revoked?
+            @current_refresh_token_record.revoke_family!
+            StandardId::Events.publish(
+              StandardId::Events::OAUTH_REFRESH_TOKEN_REUSE_DETECTED,
+              account_id: @refresh_payload[:sub],
+              client_id: @refresh_payload[:client_id],
+              refresh_token_id: @current_refresh_token_record.id
+            )
+            raise StandardId::InvalidGrantError, "Refresh token reuse detected"
+          end
+          raise StandardId::InvalidGrantError, "Refresh token is no longer valid"
+        end
+      end
+
       def subject_id
         @refresh_payload[:sub]
       end
@@ -46,6 +101,17 @@ module StandardId
         @refresh_payload[:aud]
       end
 
+      def refresh_token_session_id
+        @current_refresh_token_record&.session_id
+      end
+
+      # Returns the (now-revoked) token record so it can be linked as
+      # previous_token on the newly minted refresh token, maintaining the
+      # family chain for reuse detection.
+      def previous_refresh_token_record
+        @current_refresh_token_record
+      end
+
       def validate_scope_narrowing!
         return unless params[:scope].present?
 

data/lib/standard_id/oauth/token_grant_flow.rb

@@ -74,14 +74,43 @@ module StandardId
       end
 
       def generate_refresh_token
+        jti = SecureRandom.uuid
         payload = {
           sub: subject_id,
           client_id: client_id,
           scope: token_scope,
           aud: audience,
-          grant_type: "refresh_token"
+          grant_type: "refresh_token",
+          jti: jti
         }.compact
-        StandardId::JwtService.encode(payload, expires_in: refresh_token_expiry)
+
+        expiry = refresh_token_expiry
+        # Capture expires_at once so the JWT exp and DB record are consistent
+        expires_at = expiry.from_now
+
+        # Persist the DB record first so we never hand out a signed JWT
+        # that has no backing record (e.g. if the INSERT were to fail).
+        persist_refresh_token!(jti: jti, expires_at: expires_at)
+
+        StandardId::JwtService.encode(payload, expires_at: expires_at)
+      end
+
+      def persist_refresh_token!(jti:, expires_at:)
+        StandardId::RefreshToken.create!(
+          account_id: subject_id,
+          session_id: refresh_token_session_id,
+          token_digest: StandardId::RefreshToken.digest_for(jti),
+          expires_at: expires_at,
+          previous_token: previous_refresh_token_record
+        )
+      end
+
+      def refresh_token_session_id
+        nil
+      end
+
+      def previous_refresh_token_record
+        nil
       end
 
       def refresh_token_expiry

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.8.0"
+  VERSION = "0.8.1"
 end

data/lib/standard_id/web/session_manager.rb

@@ -3,11 +3,12 @@ module StandardId
     class SessionManager
       attr_reader :token_manager, :request, :session, :cookies
 
-      def initialize(token_manager, request:, session:, cookies:)
+      def initialize(token_manager, request:, session:, cookies:, reset_session: nil)
         @token_manager = token_manager
         @request = request
         @session = session
         @cookies = cookies
+        @reset_session = reset_session
       end
 
       def current_session
@@ -20,6 +21,14 @@ module StandardId
 
       def sign_in_account(account)
         emit_session_creating(account, "browser")
+
+        # Prevent session fixation by resetting the Rails session before
+        # creating an authenticated session (Rails Security Guide §2.5).
+        # Preserve return_to URL across the reset so post-login redirect works.
+        return_to = session[:return_to_after_authenticating]
+        @reset_session&.call
+        session[:return_to_after_authenticating] = return_to if return_to
+
         token_manager.create_browser_session(account).tap do |browser_session|
           # Store in both session and encrypted cookie for backward compatibility
           # Action Cable will use the encrypted cookie
@@ -91,6 +100,9 @@ module StandardId
         password_credential = StandardId::PasswordCredential.find_by_token_for(:remember_me, cookies[:remember_token])
         return if password_credential.blank?
 
+        # Prevent session fixation on returning-user remember-me flow
+        @reset_session&.call
+
         token_manager.create_browser_session(password_credential.account, remember_me: true).tap do |browser_session|
           # Store in both session and encrypted cookie for backward compatibility
           session[:session_token] = browser_session.token

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.8.1
 platform: ruby
 authors:
 - Jaryl Sim
@@ -153,6 +153,7 @@ files:
 - app/forms/standard_id/web/signup_form.rb
 - app/helpers/standard_id/application_helper.rb
 - app/jobs/standard_id/application_job.rb
+- app/jobs/standard_id/cleanup_expired_refresh_tokens_job.rb
 - app/jobs/standard_id/cleanup_expired_sessions_job.rb
 - app/mailers/standard_id/application_mailer.rb
 - app/models/concerns/standard_id/account_associations.rb
@@ -169,6 +170,7 @@ files:
 - app/models/standard_id/identifier.rb
 - app/models/standard_id/password_credential.rb
 - app/models/standard_id/phone_number_identifier.rb
+- app/models/standard_id/refresh_token.rb
 - app/models/standard_id/service_session.rb
 - app/models/standard_id/session.rb
 - app/models/standard_id/username_identifier.rb
@@ -194,6 +196,8 @@ files:
 - db/migrate/20250901134520_create_standard_id_client_secret_credentials.rb
 - db/migrate/20250903063000_create_standard_id_authorization_codes.rb
 - db/migrate/20250907090000_create_standard_id_code_challenges.rb
+- db/migrate/20260311000000_add_provider_to_standard_id_identifiers.rb
+- db/migrate/20260311000000_create_standard_id_refresh_tokens.rb
 - lib/generators/standard_id/install/install_generator.rb
 - lib/generators/standard_id/install/templates/standard_id.rb
 - lib/standard_config.rb