standard_id 0.8.0 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 112cdb26b4fc96d4be1830bde78fada616b87a79f6d7adff9657df72d8942a57
-  data.tar.gz: 4efeaf6a5f3f5bfdaf3747bebc0f5f9c3ccf22b02642c69e7b59c8a3d4aec74a
+  metadata.gz: 3c621a201633467c0738625eacb1f0c59c0b8ee5b670903cb09b1a1a4f6bfd01
+  data.tar.gz: 2b4b97e69b5b8dba07f1df919fd3d3b5ef4dda4fa6b72ae54c317cfb96bb1320
 SHA512:
-  metadata.gz: eea26565c62749d409acbdf38a282f63edf16ed907872d9673fea58057ede62ea679adb1765cd1e55855a48ca67cdabc5baeb7fa52277529828366c560462e7e
-  data.tar.gz: c250360c48f34dc9d52b6f1391e7816735dd1d3e9be63d7d80a0e8ae9b87d7ee178f8c78867eead4b7c792ac62b6a753ea90be73caf9e1f60e4c94415c57f1fd
+  metadata.gz: 22613e053bfa27512b39c38af4be699686ed8ef83b296efbbd17b131e60f12923fc6efdb8b572833849807c3928fb8cecbaee4d72e1e6da60e0b37b606555a3b
+  data.tar.gz: 36e22ae1dca29a4350350c079eb7f1b4166c341f3d435bcdd666d7603b8f479de0dbee957b75fd807a42f7deeaf272d69badf6fe61d978151dcebb1f48c92401

data/app/controllers/concerns/standard_id/social_authentication.rb

@@ -6,6 +6,8 @@ module StandardId
       prepend_before_action :prepare_provider
     end
 
+    VALID_LINK_STRATEGIES = %i[strict trust_provider].freeze
+
     private
 
     attr_reader :provider
@@ -39,13 +41,16 @@ module StandardId
       identifier = StandardId::EmailIdentifier.find_by(value: email)
 
       if identifier.present?
+        validate_social_link!(identifier, provider)
+        identifier.update!(provider: provider.provider_name) if identifier.provider.nil?
         emit_social_account_linked(identifier.account, provider, identifier)
         identifier.account
       else
         account = build_account_from_social(social_info)
         identifier = StandardId::EmailIdentifier.create!(
           account: account,
-          value: email
+          value: email,
+          provider: provider.provider_name
         )
         identifier.verify! if identifier.respond_to?(:verify!) && [true, "true"].include?(social_info[:email_verified])
         emit_social_account_created(account, provider, social_info)
@@ -53,6 +58,32 @@ module StandardId
       end
     end
 
+    def validate_social_link!(identifier, provider)
+      strategy = StandardId.config.social.link_strategy
+
+      unless VALID_LINK_STRATEGIES.include?(strategy)
+        raise ArgumentError, "Invalid social.link_strategy: #{strategy.inspect}. " \
+          "Must be one of: #{VALID_LINK_STRATEGIES.map(&:inspect).join(', ')}"
+      end
+
+      return if strategy == :trust_provider
+      # nil provider means the identifier predates provider tracking — allow
+      # through since we can't retroactively determine its origin.
+      return if identifier.provider.nil?
+      return if identifier.provider == provider.provider_name
+      return if account_has_social_identifier_from?(identifier.account, provider)
+
+      emit_social_link_blocked(identifier, provider)
+      raise StandardId::SocialLinkError.new(
+        email: identifier.value,
+        provider_name: provider.provider_name
+      )
+    end
+
+    def account_has_social_identifier_from?(account, provider)
+      account.identifiers.where(type: StandardId::EmailIdentifier.sti_name, provider: provider.provider_name).exists?
+    end
+
     def build_account_from_social(social_info)
       emit_account_creating_from_social(social_info)
       attrs = resolve_account_attributes(social_info)
@@ -123,6 +154,16 @@ module StandardId
       )
     end
 
+    def emit_social_link_blocked(identifier, provider)
+      StandardId::Events.publish(
+        StandardId::Events::SOCIAL_LINK_BLOCKED,
+        email: identifier.value,
+        provider: provider,
+        identifier: identifier,
+        account: identifier.account
+      )
+    end
+
     def emit_social_account_linked(account, provider, identifier)
       StandardId::Events.publish(
         StandardId::Events::SOCIAL_ACCOUNT_LINKED,

data/app/controllers/concerns/standard_id/web_authentication.rb

@@ -107,7 +107,13 @@ module StandardId
     end
 
     def session_manager
-      @session_manager ||= StandardId::Web::SessionManager.new(token_manager, request: request, session: session, cookies: cookies)
+      @session_manager ||= StandardId::Web::SessionManager.new(
+        token_manager,
+        request: request,
+        session: session,
+        cookies: cookies,
+        reset_session: -> { reset_session }
+      )
     end
 
     def token_manager

data/app/forms/standard_id/web/reset_password_confirm_form.rb

@@ -3,6 +3,7 @@ module StandardId
     class ResetPasswordConfirmForm
       include ActiveModel::Model
       include ActiveModel::Attributes
+      include StandardId::PasswordStrength
 
       attribute :password, :string
       attribute :password_confirmation, :string
@@ -11,7 +12,6 @@ module StandardId
 
       validates :password,
         presence: { message: "cannot be blank" },
-        length: { minimum: 8, too_short: "must be at least 8 characters long" },
         confirmation: { message: "confirmation doesn't match" }
 
       def initialize(password_credential, params = {})

data/app/forms/standard_id/web/signup_form.rb

@@ -3,6 +3,7 @@ module StandardId
     class SignupForm
       include ActiveModel::Model
       include ActiveModel::Attributes
+      include StandardId::PasswordStrength
 
       attribute :email, :string
       attribute :password, :string
@@ -11,7 +12,7 @@ module StandardId
       attr_reader :account
 
       validates :email, presence: true, format: { with: URI::MailTo::EMAIL_REGEXP }
-      validates :password, presence: true, length: { minimum: 8 }, confirmation: true
+      validates :password, presence: true, confirmation: true
 
       def submit
         return false unless valid?

data/app/jobs/standard_id/cleanup_expired_refresh_tokens_job.rb

@@ -0,0 +1,16 @@
+module StandardId
+  class CleanupExpiredRefreshTokensJob < ApplicationJob
+    queue_as :default
+
+    # Delete refresh tokens that expired or were revoked more than
+    # `grace_period_seconds` ago.
+    # Accepts integer seconds for reliable ActiveJob serialization across all queue adapters.
+    def perform(grace_period_seconds: 7.days.to_i)
+      cutoff = grace_period_seconds.seconds.ago
+      deleted = StandardId::RefreshToken
+        .where("expires_at < :cutoff OR revoked_at < :cutoff", cutoff: cutoff)
+        .delete_all
+      Rails.logger.info("[StandardId] Cleaned up #{deleted} expired/revoked refresh tokens older than #{cutoff}")
+    end
+  end
+end

data/app/models/concerns/standard_id/account_associations.rb

@@ -6,6 +6,7 @@ module StandardId
       has_many :identifiers, class_name: "StandardId::Identifier", dependent: :restrict_with_exception
       has_many :credentials, class_name: "StandardId::Credential", through: :identifiers, source: :credentials, dependent: :restrict_with_exception
       has_many :sessions, class_name: "StandardId::Session", dependent: :restrict_with_exception
+      has_many :refresh_tokens, class_name: "StandardId::RefreshToken", dependent: :restrict_with_exception
       has_many :client_applications, class_name: "StandardId::ClientApplication", as: :owner, dependent: :restrict_with_exception
 
       accepts_nested_attributes_for :identifiers

data/app/models/concerns/standard_id/password_strength.rb

@@ -0,0 +1,31 @@
+module StandardId
+  module PasswordStrength
+    extend ActiveSupport::Concern
+
+    included do
+      validate :password_meets_strength_requirements, if: -> { password.present? }
+    end
+
+    private
+
+    def password_meets_strength_requirements
+      config = StandardId.config.password
+
+      if password.length < config.minimum_length
+        errors.add(:password, "must be at least #{config.minimum_length} characters long")
+      end
+
+      if config.require_uppercase && password !~ /[A-Z]/
+        errors.add(:password, "must include at least one uppercase letter")
+      end
+
+      if config.require_numbers && password !~ /\d/
+        errors.add(:password, "must include at least one number")
+      end
+
+      if config.require_special_chars && password !~ /[^a-zA-Z0-9]/
+        errors.add(:password, "must include at least one special character")
+      end
+    end
+  end
+end

data/app/models/standard_id/authorization_code.rb

@@ -17,6 +17,20 @@ module StandardId
     before_validation :set_issued_and_expiry, on: :create
 
     def self.issue!(plaintext_code:, client_id:, redirect_uri:, scope: nil, audience: nil, account: nil, code_challenge: nil, code_challenge_method: nil, nonce: nil, metadata: {})
+      # Fail fast: reject unsupported PKCE methods at issuance rather than
+      # storing a code that will always fail at redemption time.
+      if code_challenge.present?
+        unless code_challenge_method.to_s.downcase == "s256"
+          raise StandardId::InvalidRequestError, "Unsupported code_challenge_method: only S256 is allowed"
+        end
+      end
+
+      # Hash the code_challenge for defense-in-depth (RAR-58).
+      # The stored value is SHA256(S256_challenge), where S256_challenge is
+      # base64url(SHA256(verifier)). This is intentionally a double-hash:
+      # S256 derives the challenge from the verifier, and we hash again for storage.
+      hashed_challenge = code_challenge.present? ? Digest::SHA256.hexdigest(code_challenge) : nil
+
       create!(
         account: account,
         code_hash: hash_for(plaintext_code),
@@ -24,7 +38,7 @@ module StandardId
         redirect_uri: redirect_uri,
         scope: scope,
         audience: audience,
-        code_challenge: code_challenge,
+        code_challenge: hashed_challenge,
         code_challenge_method: code_challenge_method,
         nonce: nonce,
         issued_at: Time.current,
@@ -58,15 +72,20 @@ module StandardId
 
       return false if code_verifier.blank?
 
-      case (code_challenge_method || "plain").downcase
-      when "s256"
-        expected = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier)).delete("=")
-        ActiveSupport::SecurityUtils.secure_compare(expected, code_challenge)
-      when "plain"
-        ActiveSupport::SecurityUtils.secure_compare(code_verifier, code_challenge)
-      else
-        false
-      end
+      # Only S256 is supported (OAuth 2.1). The "plain" method is rejected
+      # because it transmits the verifier in cleartext, defeating PKCE's purpose.
+      return false unless (code_challenge_method || "").downcase == "s256"
+
+      s256_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier)).delete("=")
+
+      # New format: stored value is SHA256(S256_challenge)
+      hashed_expected = Digest::SHA256.hexdigest(s256_challenge)
+      return true if ActiveSupport::SecurityUtils.secure_compare(hashed_expected, code_challenge)
+
+      # Legacy fallback: codes issued before RAR-58 store the raw S256 challenge.
+      # This handles in-flight codes during deployment (max 10-minute TTL).
+      # Safe to remove after one deployment cycle.
+      ActiveSupport::SecurityUtils.secure_compare(s256_challenge, code_challenge)
     end
 
     def mark_as_used!

data/app/models/standard_id/password_credential.rb

@@ -1,6 +1,7 @@
 module StandardId
   class PasswordCredential < ApplicationRecord
     include StandardId::Credentiable
+    include StandardId::PasswordStrength
 
     has_secure_password
 
@@ -13,7 +14,7 @@ module StandardId
     end
 
     validates :login, presence: true, uniqueness: true
-    validates :password, length: { minimum: 8 }, confirmation: true, if: :validate_password?
+    validates :password, confirmation: true, if: :validate_password?
 
     private
 

data/app/models/standard_id/refresh_token.rb

@@ -0,0 +1,81 @@
+module StandardId
+  class RefreshToken < ApplicationRecord
+    self.table_name = "standard_id_refresh_tokens"
+
+    belongs_to :account, class_name: StandardId.config.account_class_name
+    belongs_to :session, class_name: "StandardId::Session", optional: true
+    belongs_to :previous_token, class_name: "StandardId::RefreshToken", optional: true
+
+    scope :active, -> { where(revoked_at: nil).where("expires_at > ?", Time.current) }
+    scope :expired, -> { where("expires_at <= ?", Time.current) }
+    scope :revoked, -> { where.not(revoked_at: nil) }
+
+    validates :token_digest, presence: true, uniqueness: true
+    validates :expires_at, presence: true
+
+    def self.digest_for(jti)
+      Digest::SHA256.hexdigest(jti)
+    end
+
+    def self.find_by_jti(jti)
+      find_by(token_digest: digest_for(jti))
+    end
+
+    def active?
+      !revoked? && !expired?
+    end
+
+    def expired?
+      expires_at <= Time.current
+    end
+
+    def revoked?
+      revoked_at.present?
+    end
+
+    def revoke!
+      rows = self.class.where(id: id, revoked_at: nil).update_all(revoked_at: Time.current)
+      reload if rows > 0
+    end
+
+    # Revoke this token and all tokens in the same family chain.
+    # A "family" is all tokens linked via previous_token_id.
+    # Only revokes tokens that aren't already revoked, preserving historical
+    # revoked_at timestamps for audit purposes.
+    def revoke_family!
+      family_tokens.where(revoked_at: nil).update_all(revoked_at: Time.current)
+    end
+
+    private
+
+    # Find the root of this token's family and return all descendants.
+    # Backward traversal uses a visited set for cycle detection in case
+    # of corrupted data. Forward traversal collects all descendants.
+    def family_tokens
+      root = self
+      visited = Set.new([root.id])
+      while root.previous_token.present?
+        break if visited.include?(root.previous_token_id)
+        visited.add(root.previous_token_id)
+        root = root.previous_token
+      end
+
+      self.class.where(id: collect_family_ids(root.id))
+    end
+
+    def collect_family_ids(root_id)
+      ids = [root_id]
+      current_ids = [root_id]
+
+      loop do
+        next_ids = self.class.where(previous_token_id: current_ids).pluck(:id)
+        break if next_ids.empty?
+
+        ids.concat(next_ids)
+        current_ids = next_ids
+      end
+
+      ids
+    end
+  end
+end

data/app/models/standard_id/session.rb

@@ -5,6 +5,9 @@ module StandardId
     self.table_name = "standard_id_sessions"
 
     belongs_to :account, class_name: StandardId.config.account_class_name
+    has_many :refresh_tokens, class_name: "StandardId::RefreshToken", dependent: :nullify
+
+    before_destroy :revoke_active_refresh_tokens, prepend: true
 
     scope :active, -> { where(revoked_at: nil).where("expires_at > ?", Time.current) }
     scope :expired, -> { where("expires_at <= ?", Time.current) }
@@ -35,7 +38,12 @@ module StandardId
 
     def revoke!(reason: nil)
       @reason = reason
-      update!(revoked_at: Time.current)
+      transaction do
+        update!(revoked_at: Time.current)
+        # Cascade revocation to refresh tokens. Uses update_all for efficiency;
+        # intentionally skips updated_at since revocation is tracked via revoked_at.
+        refresh_tokens.active.update_all(revoked_at: Time.current)
+      end
     end
 
     private
@@ -52,6 +60,12 @@ module StandardId
       self.lookup_hash = Digest::SHA256.hexdigest("#{token}:#{Rails.configuration.secret_key_base}")
     end
 
+    # Revoke any still-active refresh tokens before the session row is deleted,
+    # so tokens don't become orphaned but usable.
+    def revoke_active_refresh_tokens
+      refresh_tokens.active.update_all(revoked_at: Time.current)
+    end
+
     def just_revoked?
       saved_change_to_revoked_at? && revoked?
     end

data/db/migrate/20260311000000_add_provider_to_standard_id_identifiers.rb

@@ -0,0 +1,15 @@
+# Adds provider tracking to identifiers for social login link validation.
+#
+# After running this migration, existing identifiers will have provider=NULL.
+# The strict link strategy treats NULL provider as "pre-migration" and allows
+# linking, so existing users are not blocked. However, this means pre-migration
+# accounts are not fully protected by the strict strategy until their provider
+# is populated — either by logging in again via social, or by running a
+# backfill (e.g. UPDATE standard_id_identifiers SET provider = 'email'
+# WHERE provider IS NULL AND type = 'StandardId::EmailIdentifier').
+class AddProviderToStandardIdIdentifiers < ActiveRecord::Migration[8.0]
+  def change
+    add_column :standard_id_identifiers, :provider, :string
+    add_index :standard_id_identifiers, [:account_id, :provider]
+  end
+end

data/db/migrate/20260311100000_create_standard_id_refresh_tokens.rb

@@ -0,0 +1,20 @@
+class CreateStandardIdRefreshTokens < ActiveRecord::Migration[8.0]
+  def change
+    create_table :standard_id_refresh_tokens, id: primary_key_type do |t|
+      t.references :account, type: primary_key_type, null: false, foreign_key: true, index: true
+      t.references :session, type: primary_key_type, null: true, foreign_key: { to_table: :standard_id_sessions }, index: true
+
+      t.string :token_digest, null: false, index: { unique: true }
+      t.datetime :expires_at, null: false
+      t.datetime :revoked_at
+
+      t.references :previous_token, type: primary_key_type, null: true, foreign_key: { to_table: :standard_id_refresh_tokens }, index: true
+
+      t.timestamps
+
+      t.index [:account_id, :revoked_at], name: "idx_on_account_id_revoked_at_refresh_tokens"
+      t.index [:session_id, :revoked_at], name: "idx_on_session_id_revoked_at_refresh_tokens"
+      t.index [:expires_at, :revoked_at], name: "idx_on_expires_at_revoked_at_refresh_tokens"
+    end
+  end
+end

data/db/migrate/20260311100001_add_nullify_to_refresh_token_previous_token_fk.rb

@@ -0,0 +1,7 @@
+class AddNullifyToRefreshTokenPreviousTokenFk < ActiveRecord::Migration[8.0]
+  def change
+    remove_foreign_key :standard_id_refresh_tokens, column: :previous_token_id
+    add_foreign_key :standard_id_refresh_tokens, :standard_id_refresh_tokens,
+      column: :previous_token_id, on_delete: :nullify
+  end
+end

data/lib/generators/standard_id/install/templates/standard_id.rb

@@ -114,6 +114,7 @@ StandardId.configure do |c|
   # c.social.apple_team_id        = ENV["APPLE_TEAM_ID"]
   # c.social.allowed_redirect_url_prefixes = ["sidekicklabs://"]
   # c.social.available_scopes = ["profile", "email", "offline_access"]
+  # c.social.link_strategy = :strict # :strict (default) or :trust_provider
   # c.social.social_account_attributes = ->(social_info:, provider:) {
   #   {
   #     email: social_info[:email],

data/lib/standard_id/config/schema.rb

@@ -54,9 +54,9 @@ StandardConfig.schema.draw do
 
   scope :password do
     field :minimum_length, type: :integer, default: 8
-    field :require_special_chars, type: :boolean, default: false
-    field :require_uppercase, type: :boolean, default: false
-    field :require_numbers, type: :boolean, default: false
+    field :require_special_chars, type: :boolean, default: true
+    field :require_uppercase, type: :boolean, default: true
+    field :require_numbers, type: :boolean, default: true
   end
 
   scope :session do
@@ -96,6 +96,7 @@ StandardConfig.schema.draw do
     field :social_account_attributes, type: :any, default: nil
     field :allowed_redirect_url_prefixes, type: :array, default: []
     field :available_scopes, type: :array, default: -> { [] }
+    field :link_strategy, type: :symbol, default: :strict
   end
 
   scope :web do

data/lib/standard_id/engine.rb

@@ -2,6 +2,20 @@ module StandardId
   class Engine < ::Rails::Engine
     isolate_namespace StandardId
 
+    initializer "standard_id.filter_parameters" do |app|
+      app.config.filter_parameters += %i[
+        code_verifier
+        code_challenge
+        client_secret
+        id_token
+        refresh_token
+        access_token
+        state
+        nonce
+        authorization_code
+      ]
+    end
+
     config.after_initialize do
       if StandardId.config.events.enable_logging
         StandardId::Events::Subscribers::LoggingSubscriber.attach

data/lib/standard_id/errors.rb

@@ -73,6 +73,24 @@ module StandardId
   # Lifecycle hook errors
   class AuthenticationDenied < StandardError; end
 
+  # Social login errors
+  # NOTE: email and provider_name are exposed as reader attributes for host
+  # apps to build custom error responses. If you report exceptions to an
+  # error tracker (Sentry, etc.), be aware these attributes contain PII.
+  class SocialLinkError < OAuthError
+    attr_reader :email, :provider_name
+
+    def initialize(email:, provider_name:)
+      @email = email
+      @provider_name = provider_name
+      super("This email is already associated with an account. Please sign in first to link this provider.")
+    end
+
+    # Uses standard OAuth :access_denied code since account_link_required is non-standard
+    def oauth_error_code = :access_denied
+    def http_status = :forbidden
+  end
+
   # Audience verification errors
   class InvalidAudienceError < StandardError
     attr_reader :required, :actual

data/lib/standard_id/events/definitions.rb

@@ -40,6 +40,7 @@ module StandardId
       OAUTH_TOKEN_REFRESHED = "oauth.token.refreshed"
       OAUTH_CODE_CONSUMED = "oauth.code.consumed"
       OAUTH_TOKEN_REVOKED = "oauth.token.revoked"
+      OAUTH_REFRESH_TOKEN_REUSE_DETECTED = "oauth.refresh_token.reuse_detected"
 
       PASSWORDLESS_CODE_REQUESTED = "passwordless.code.requested"
       PASSWORDLESS_CODE_GENERATED = "passwordless.code.generated"
@@ -53,6 +54,7 @@ module StandardId
       SOCIAL_USER_INFO_FETCHED = "social.user_info.fetched"
       SOCIAL_ACCOUNT_CREATED = "social.account.created"
       SOCIAL_ACCOUNT_LINKED = "social.account.linked"
+      SOCIAL_LINK_BLOCKED = "social.link.blocked"
       SOCIAL_AUTH_COMPLETED = "social.auth.completed"
 
       CREDENTIAL_PASSWORD_CREATED = "credential.password.created"
@@ -110,7 +112,8 @@ module StandardId
         OAUTH_TOKEN_ISSUED,
         OAUTH_TOKEN_REFRESHED,
         OAUTH_CODE_CONSUMED,
-        OAUTH_TOKEN_REVOKED
+        OAUTH_TOKEN_REVOKED,
+        OAUTH_REFRESH_TOKEN_REUSE_DETECTED
       ].freeze
 
       PASSWORDLESS_EVENTS = [
@@ -128,6 +131,7 @@ module StandardId
         SOCIAL_USER_INFO_FETCHED,
         SOCIAL_ACCOUNT_CREATED,
         SOCIAL_ACCOUNT_LINKED,
+        SOCIAL_LINK_BLOCKED,
         SOCIAL_AUTH_COMPLETED
       ].freeze
 
@@ -167,6 +171,7 @@ module StandardId
         OAUTH_TOKEN_ISSUED,
         OAUTH_TOKEN_REFRESHED,
         OAUTH_TOKEN_REVOKED,
+        OAUTH_REFRESH_TOKEN_REUSE_DETECTED,
         # Passwordless
         PASSWORDLESS_CODE_FAILED,
         PASSWORDLESS_ACCOUNT_CREATED,
@@ -180,7 +185,8 @@ module StandardId
         CREDENTIAL_CLIENT_SECRET_REVOKED,
         # Social
         SOCIAL_ACCOUNT_CREATED,
-        SOCIAL_ACCOUNT_LINKED
+        SOCIAL_ACCOUNT_LINKED,
+        SOCIAL_LINK_BLOCKED
       ].freeze
 
       ALL_EVENTS = (

data/lib/standard_id/http_client.rb

@@ -1,4 +1,7 @@
+require "ipaddr"
 require "net/http"
+require "openssl"
+require "resolv"
 require "uri"
 
 module StandardId
@@ -6,27 +9,70 @@ module StandardId
     OPEN_TIMEOUT = 5
     READ_TIMEOUT = 10
 
+    class SsrfError < StandardError; end
+
+    BLOCKED_IP_RANGES = [
+      IPAddr.new("10.0.0.0/8"),
+      IPAddr.new("172.16.0.0/12"),
+      IPAddr.new("192.168.0.0/16"),
+      IPAddr.new("127.0.0.0/8"),
+      IPAddr.new("169.254.0.0/16"),
+      IPAddr.new("0.0.0.0/8"),
+      IPAddr.new("::1/128"),
+      IPAddr.new("fc00::/7"),
+      IPAddr.new("fe80::/10")
+    ].freeze
+
     class << self
       def post_form(endpoint, params)
-        uri = URI(endpoint)
+        uri, resolved_ip = validate_url!(endpoint)
         request = Net::HTTP::Post.new(uri)
         request.set_form_data(params)
-        start_connection(uri) { |http| http.request(request) }
+        start_connection(uri, resolved_ip:) { |http| http.request(request) }
       end
 
       def get_with_bearer(endpoint, access_token)
-        uri = URI(endpoint)
+        uri, resolved_ip = validate_url!(endpoint)
         request = Net::HTTP::Get.new(uri)
         request["Authorization"] = "Bearer #{access_token}"
-        start_connection(uri) { |http| http.request(request) }
+        start_connection(uri, resolved_ip:) { |http| http.request(request) }
       end
 
       private
 
-      def start_connection(uri, &block)
-        Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https",
-                                             open_timeout: OPEN_TIMEOUT,
-                                             read_timeout: READ_TIMEOUT, &block)
+      def validate_url!(url)
+        uri = URI.parse(url.to_s)
+        raise SsrfError, "Only http and https schemes are allowed" unless %w[http https].include?(uri.scheme)
+        raise SsrfError, "Invalid URL: missing host" if uri.host.nil? || uri.host.empty?
+
+        addresses = Resolv.getaddresses(uri.host)
+        raise SsrfError, "Could not resolve host" if addresses.empty?
+
+        addresses.each do |addr|
+          ip = IPAddr.new(addr)
+          if BLOCKED_IP_RANGES.any? { |range| range.include?(ip) }
+            raise SsrfError, "Requests to private/internal addresses are not allowed"
+          end
+        end
+
+        # Return resolved IP to pin connection and prevent DNS rebinding
+        [uri, addresses.first]
+      end
+
+      def start_connection(uri, resolved_ip: nil, &block)
+        host = resolved_ip || uri.host
+        options = {
+          use_ssl: uri.scheme == "https",
+          open_timeout: OPEN_TIMEOUT,
+          read_timeout: READ_TIMEOUT
+        }
+        options[:verify_mode] = OpenSSL::SSL::VERIFY_PEER if options[:use_ssl]
+
+        Net::HTTP.start(host, uri.port, **options) do |http|
+          # Set Host header for virtual hosting when connecting to resolved IP
+          http.instance_variable_set(:@address, uri.host) if resolved_ip
+          yield http
+        end
       end
     end
   end

data/lib/standard_id/jwt_service.rb

@@ -122,8 +122,12 @@ module StandardId
       @jwks_ref.set(nil)
     end
 
-    def self.encode(payload, expires_in: 1.hour)
-      payload[:exp] = expires_in.from_now.to_i
+    def self.encode(payload, expires_in: nil, expires_at: nil)
+      payload[:exp] = if expires_at
+        expires_at.to_i
+      else
+        (expires_in || 1.hour).from_now.to_i
+      end
       payload[:iat] = Time.current.to_i
       payload[:iss] ||= StandardId.config.issuer if StandardId.config.issuer.present?
 

data/lib/standard_id/oauth/refresh_token_flow.rb

@@ -4,6 +4,26 @@ module StandardId
       expect_params :refresh_token, :client_id
       permit_params :client_secret, :scope, :audience
 
+      # authenticate! runs outside the transaction so reuse-detection
+      # revocations (revoke_family!) persist even when the error propagates.
+      # Only the normal rotation path (revoke old + create new) is wrapped
+      # in a transaction for atomicity.
+      def execute
+        authenticate!
+        response = nil
+        StandardId::RefreshToken.transaction do
+          rotate_current_refresh_token!
+          response = generate_token_response
+        end
+
+        # If rotate detected a concurrent reuse (rows==0), the transaction
+        # was rolled back via ActiveRecord::Rollback and response is nil.
+        # Handle family revocation outside the transaction so it persists.
+        handle_concurrent_reuse! unless response
+
+        response
+      end
+
       def authenticate!
         validate_client_secret!(params[:client_id], params[:client_secret]) if params[:client_secret].present?
 
@@ -14,11 +34,76 @@ module StandardId
           raise StandardId::InvalidGrantError, "Refresh token was not issued to this client"
         end
 
+        validate_refresh_token_record!
         validate_scope_narrowing!
       end
 
       private
 
+      def validate_refresh_token_record!
+        jti = @refresh_payload[:jti]
+        # Legacy tokens minted before jti tracking was added cannot be looked
+        # up or revoked through the RefreshToken model. This shim can be removed
+        # once all pre-jti tokens have expired (refresh_token_lifetime after deploy).
+        return if jti.blank?
+
+        @current_refresh_token_record = StandardId::RefreshToken.find_by_jti(jti)
+
+        unless @current_refresh_token_record
+          raise StandardId::InvalidGrantError, "Refresh token not found"
+        end
+
+        if @current_refresh_token_record.revoked?
+          # Reuse detected: this token was already rotated. Revoke entire family.
+          @current_refresh_token_record.revoke_family!
+          emit_reuse_detected_event
+          raise StandardId::InvalidGrantError, "Refresh token reuse detected"
+        end
+
+        unless @current_refresh_token_record.active?
+          raise StandardId::InvalidGrantError, "Refresh token is no longer valid"
+        end
+      end
+
+      # Atomically revoke the current token as part of rotation.
+      # Uses a conditional UPDATE to prevent TOCTOU race conditions — only one
+      # concurrent request can successfully revoke and proceed.
+      # Called inside a transaction with new-token creation so both succeed or
+      # both roll back.
+      def rotate_current_refresh_token!
+        return unless @current_refresh_token_record
+
+        rows = StandardId::RefreshToken
+          .where(id: @current_refresh_token_record.id, revoked_at: nil)
+          .update_all(revoked_at: Time.current)
+
+        return if rows > 0
+
+        # A concurrent request won the race. Roll back this transaction
+        # (no new token should be issued). Reuse handling happens outside
+        # the transaction in handle_concurrent_reuse! so revocations persist.
+        raise ActiveRecord::Rollback
+      end
+
+      def handle_concurrent_reuse!
+        @current_refresh_token_record&.reload
+        if @current_refresh_token_record&.revoked?
+          @current_refresh_token_record.revoke_family!
+          emit_reuse_detected_event
+          raise StandardId::InvalidGrantError, "Refresh token reuse detected"
+        end
+        raise StandardId::InvalidGrantError, "Refresh token is no longer valid"
+      end
+
+      def emit_reuse_detected_event
+        StandardId::Events.publish(
+          StandardId::Events::OAUTH_REFRESH_TOKEN_REUSE_DETECTED,
+          account_id: @refresh_payload[:sub],
+          client_id: @refresh_payload[:client_id],
+          refresh_token_id: @current_refresh_token_record.id
+        )
+      end
+
       def subject_id
         @refresh_payload[:sub]
       end
@@ -46,6 +131,17 @@ module StandardId
         @refresh_payload[:aud]
       end
 
+      def refresh_token_session_id
+        @current_refresh_token_record&.session_id
+      end
+
+      # Returns the (now-revoked) token record so it can be linked as
+      # previous_token on the newly minted refresh token, maintaining the
+      # family chain for reuse detection.
+      def previous_refresh_token_record
+        @current_refresh_token_record
+      end
+
       def validate_scope_narrowing!
         return unless params[:scope].present?
 

data/lib/standard_id/oauth/token_grant_flow.rb

@@ -74,14 +74,43 @@ module StandardId
       end
 
       def generate_refresh_token
+        jti = SecureRandom.uuid
         payload = {
           sub: subject_id,
           client_id: client_id,
           scope: token_scope,
           aud: audience,
-          grant_type: "refresh_token"
+          grant_type: "refresh_token",
+          jti: jti
         }.compact
-        StandardId::JwtService.encode(payload, expires_in: refresh_token_expiry)
+
+        expiry = refresh_token_expiry
+        # Capture expires_at once so the JWT exp and DB record are consistent
+        expires_at = expiry.from_now
+
+        # Persist the DB record first so we never hand out a signed JWT
+        # that has no backing record (e.g. if the INSERT were to fail).
+        persist_refresh_token!(jti: jti, expires_at: expires_at)
+
+        StandardId::JwtService.encode(payload, expires_at: expires_at)
+      end
+
+      def persist_refresh_token!(jti:, expires_at:)
+        StandardId::RefreshToken.create!(
+          account_id: subject_id,
+          session_id: refresh_token_session_id,
+          token_digest: StandardId::RefreshToken.digest_for(jti),
+          expires_at: expires_at,
+          previous_token: previous_refresh_token_record
+        )
+      end
+
+      def refresh_token_session_id
+        nil
+      end
+
+      def previous_refresh_token_record
+        nil
       end
 
       def refresh_token_expiry

data/lib/standard_id/testing/factories/credentials.rb

@@ -1,8 +1,8 @@
 FactoryBot.define do
   factory :standard_id_password_credential, class: "StandardId::PasswordCredential" do
     sequence(:login) { |n| "user#{n}@example.com" }
-    password { "password123" }
-    password_confirmation { "password123" }
+    password { "Password1!" }
+    password_confirmation { "Password1!" }
   end
 
   factory :standard_id_credential, class: "StandardId::Credential" do

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.8.0"
+  VERSION = "0.9.0"
 end

data/lib/standard_id/web/session_manager.rb

@@ -3,11 +3,12 @@ module StandardId
     class SessionManager
       attr_reader :token_manager, :request, :session, :cookies
 
-      def initialize(token_manager, request:, session:, cookies:)
+      def initialize(token_manager, request:, session:, cookies:, reset_session: nil)
         @token_manager = token_manager
         @request = request
         @session = session
         @cookies = cookies
+        @reset_session = reset_session
       end
 
       def current_session
@@ -20,6 +21,14 @@ module StandardId
 
       def sign_in_account(account)
         emit_session_creating(account, "browser")
+
+        # Prevent session fixation by resetting the Rails session before
+        # creating an authenticated session (Rails Security Guide §2.5).
+        # Preserve return_to URL across the reset so post-login redirect works.
+        return_to = session[:return_to_after_authenticating]
+        @reset_session&.call
+        session[:return_to_after_authenticating] = return_to if return_to
+
         token_manager.create_browser_session(account).tap do |browser_session|
           # Store in both session and encrypted cookie for backward compatibility
           # Action Cable will use the encrypted cookie
@@ -91,6 +100,9 @@ module StandardId
         password_credential = StandardId::PasswordCredential.find_by_token_for(:remember_me, cookies[:remember_token])
         return if password_credential.blank?
 
+        # Prevent session fixation on returning-user remember-me flow
+        @reset_session&.call
+
         token_manager.create_browser_session(password_credential.account, remember_me: true).tap do |browser_session|
           # Store in both session and encrypted cookie for backward compatibility
           session[:session_token] = browser_session.token

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.9.0
 platform: ruby
 authors:
 - Jaryl Sim
@@ -153,10 +153,12 @@ files:
 - app/forms/standard_id/web/signup_form.rb
 - app/helpers/standard_id/application_helper.rb
 - app/jobs/standard_id/application_job.rb
+- app/jobs/standard_id/cleanup_expired_refresh_tokens_job.rb
 - app/jobs/standard_id/cleanup_expired_sessions_job.rb
 - app/mailers/standard_id/application_mailer.rb
 - app/models/concerns/standard_id/account_associations.rb
 - app/models/concerns/standard_id/credentiable.rb
+- app/models/concerns/standard_id/password_strength.rb
 - app/models/standard_id/application_record.rb
 - app/models/standard_id/authorization_code.rb
 - app/models/standard_id/browser_session.rb
@@ -169,6 +171,7 @@ files:
 - app/models/standard_id/identifier.rb
 - app/models/standard_id/password_credential.rb
 - app/models/standard_id/phone_number_identifier.rb
+- app/models/standard_id/refresh_token.rb
 - app/models/standard_id/service_session.rb
 - app/models/standard_id/session.rb
 - app/models/standard_id/username_identifier.rb
@@ -194,6 +197,9 @@ files:
 - db/migrate/20250901134520_create_standard_id_client_secret_credentials.rb
 - db/migrate/20250903063000_create_standard_id_authorization_codes.rb
 - db/migrate/20250907090000_create_standard_id_code_challenges.rb
+- db/migrate/20260311000000_add_provider_to_standard_id_identifiers.rb
+- db/migrate/20260311100000_create_standard_id_refresh_tokens.rb
+- db/migrate/20260311100001_add_nullify_to_refresh_token_previous_token_fk.rb
 - lib/generators/standard_id/install/install_generator.rb
 - lib/generators/standard_id/install/templates/standard_id.rb
 - lib/standard_config.rb