standard_id 0.8.1 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a6e84ca4e7d4d01aa3957ed1371ef774fc1203b9006da7591b99e20fadb343b4
-  data.tar.gz: cc74bfcf5f471d4bf7b76d621497598fac95fa0f833b256a74c3a4374456850b
+  metadata.gz: 7ad192cf3b1bad92d1ec8322e203804401d8c10e54ebfcde4340f7840fa624bd
+  data.tar.gz: 0eb0cc7c613bd3fdd981818c6d4fd359f809003da34d6e15f5e2fea9fd0eab74
 SHA512:
-  metadata.gz: 21932b0dd06f986340284587ccfae60cfea9b0e5075cdc670ff297e23412c0440d0e434e3974f98f65b9071fb15a118c3c36920e08b8887e9857fa612318e857
-  data.tar.gz: 7acf89c15d302da9e25da25de4c786441df085f65950a02e8b6fec71b4a90cf3f72c3167929371018869cc4787e6476d5df78036e3b2dde4833525d5c260045f
+  metadata.gz: 478082fd5a80a66ded10834c7bd1db32912a222086f5fc8db521a90acceb1459418492581d89ca90d5a7d8fb438b3c74845372fe551d52eb892c297136acc002
+  data.tar.gz: bca63014a4ca013f152bb5bd9112f3649d0e7848d22b7d1114e9bd2715e2847369610e735b83f20bda3aad3fca45936d0f7452438f2a8144d24ddba7b3cb2c07

data/app/controllers/concerns/standard_id/inertia_rendering.rb

@@ -57,7 +57,8 @@ module StandardId
         password_reset: web.password_reset,
         email_verification: web.email_verification,
         phone_verification: web.phone_verification,
-        sessions_management: web.sessions_management
+        sessions_management: web.sessions_management,
+        passwordless_registration: web.passwordless_registration
       }
     end
   end

data/app/controllers/concerns/standard_id/rate_limit_handling.rb

@@ -0,0 +1,27 @@
+module StandardId
+  module RateLimitHandling
+    extend ActiveSupport::Concern
+
+    RATE_LIMIT_STORE = StandardId::RateLimitStore.new
+
+    included do
+      rescue_from ActionController::TooManyRequests, with: :handle_rate_limited
+    end
+
+    private
+
+    def handle_rate_limited(_exception)
+      response.set_header("Retry-After", 15.minutes.to_i.to_s)
+
+      if self.class.ancestors.include?(ActionController::API)
+        render json: {
+          error: "rate_limit_exceeded",
+          error_description: "Too many requests. Please try again later."
+        }, status: :too_many_requests
+      else
+        flash[:alert] = "Too many requests. Please try again later."
+        redirect_to request.referer || main_app.root_path, status: :see_other
+      end
+    end
+  end
+end

data/app/controllers/standard_id/api/base_controller.rb

@@ -1,9 +1,11 @@
 module StandardId
   module Api
     class BaseController < ActionController::API
+      include ActionController::RateLimiting
       include StandardId::ControllerPolicy
       include StandardId::ApiAuthentication
       include StandardId::SetCurrentRequestDetails
+      include StandardId::RateLimitHandling
 
       before_action -> { Current.scope = :api if defined?(::Current) }
       before_action :validate_content_type!

data/app/controllers/standard_id/api/oauth/tokens_controller.rb

@@ -6,6 +6,12 @@ module StandardId
 
         skip_before_action :validate_content_type!
 
+        # RAR-51/RAR-60: Rate limit token requests by IP (30 per 15 minutes)
+        rate_limit to: StandardId.config.rate_limits.api_token_per_ip,
+                   within: 15.minutes,
+                   only: :create,
+                   store: StandardId::RateLimitHandling::RATE_LIMIT_STORE
+
         FLOW_STRATEGIES = {
           "client_credentials" => StandardId::Oauth::ClientCredentialsFlow,
           "authorization_code" => StandardId::Oauth::AuthorizationCodeFlow,

data/app/controllers/standard_id/api/passwordless_controller.rb

@@ -5,6 +5,21 @@ module StandardId
 
       include StandardId::PasswordlessStrategy
 
+      # RAR-60: Rate limit OTP initiation by IP (10 per hour)
+      rate_limit to: StandardId.config.rate_limits.api_passwordless_start_per_ip,
+                 within: 1.hour,
+                 name: "passwordless-ip",
+                 only: :start,
+                 store: StandardId::RateLimitHandling::RATE_LIMIT_STORE
+
+      # RAR-60: Rate limit OTP initiation by target (5 per 15 minutes)
+      rate_limit to: StandardId.config.rate_limits.api_passwordless_start_per_target,
+                 within: 15.minutes,
+                 by: -> { "api-passwordless:#{(params[:username] || params[:email] || params[:phone_number]).to_s.strip.downcase}" },
+                 name: "passwordless-target",
+                 only: :start,
+                 store: StandardId::RateLimitHandling::RATE_LIMIT_STORE
+
       def start
         raise StandardId::InvalidRequestError, "username, email, or phone_number parameter is required" if start_params[:username].blank?
 

data/app/controllers/standard_id/web/base_controller.rb

@@ -5,6 +5,7 @@ module StandardId
       include StandardId::WebAuthentication
       include StandardId::SetCurrentRequestDetails
       include StandardId::WebMechanismGate
+      include StandardId::RateLimitHandling
 
       include StandardId::WebEngine.routes.url_helpers
       helper StandardId::WebEngine.routes.url_helpers

data/app/controllers/standard_id/web/login_controller.rb

@@ -10,6 +10,21 @@ module StandardId
 
       layout "public"
 
+      # RAR-51: Rate limit login attempts by IP (20 per 15 minutes)
+      rate_limit to: StandardId.config.rate_limits.password_login_per_ip,
+                 within: 15.minutes,
+                 name: "login-ip",
+                 only: :create,
+                 store: StandardId::RateLimitHandling::RATE_LIMIT_STORE
+
+      # RAR-51: Rate limit login attempts by email target (5 per 15 minutes)
+      rate_limit to: StandardId.config.rate_limits.password_login_per_email,
+                 within: 15.minutes,
+                 by: -> { "login-email:#{params.dig(:login, :email).to_s.strip.downcase}" },
+                 name: "login-email",
+                 only: :create,
+                 store: StandardId::RateLimitHandling::RATE_LIMIT_STORE
+
       skip_before_action :require_browser_session!, only: [:show, :create]
 
       before_action :redirect_if_authenticated, only: [:show]

data/app/controllers/standard_id/web/login_verify_controller.rb

@@ -9,6 +9,13 @@ module StandardId
 
       layout "public"
 
+      # RAR-60: Rate limit OTP verification attempts by IP (20 per 15 minutes)
+      rate_limit to: StandardId.config.rate_limits.otp_verify_per_ip,
+                 within: 15.minutes,
+                 name: "otp-verify-ip",
+                 only: :update,
+                 store: StandardId::RateLimitHandling::RATE_LIMIT_STORE
+
       skip_before_action :require_browser_session!, only: [:show, :update]
       before_action :redirect_if_authenticated, only: [:show]
       before_action :require_otp_payload!
@@ -26,11 +33,12 @@ module StandardId
           return
         end
 
-        result = StandardId::Passwordless::VerificationService.verify(
-          connection: @otp_data[:connection],
+        result = StandardId::Passwordless.verify(
           username: @otp_data[:username],
           code: code,
-          request: request
+          connection: @otp_data[:connection],
+          request: request,
+          allow_registration: passwordless_registration_enabled?
         )
 
         unless result.success?
@@ -45,7 +53,10 @@ module StandardId
         session_manager.sign_in_account(account)
         emit_authentication_succeeded(account)
 
-        invoke_after_account_created(account, { mechanism: "passwordless", provider: nil }) if newly_created
+        if newly_created
+          emit_passwordless_account_created(account)
+          invoke_after_account_created(account, { mechanism: "passwordless", provider: nil })
+        end
 
         context = { connection: @otp_data[:connection], provider: nil }
         redirect_override = invoke_after_sign_in(account, context)
@@ -81,6 +92,19 @@ module StandardId
         end
       end
 
+      def passwordless_registration_enabled?
+        StandardId.config.web.passwordless_registration
+      end
+
+      def emit_passwordless_account_created(account)
+        StandardId::Events.publish(
+          StandardId::Events::PASSWORDLESS_ACCOUNT_CREATED,
+          account: account,
+          channel: @otp_data[:connection],
+          identifier: @otp_data[:username]
+        )
+      end
+
       def emit_authentication_succeeded(account)
         StandardId::Events.publish(
           StandardId::Events::AUTHENTICATION_SUCCEEDED,

data/app/controllers/standard_id/web/verify_email/start_controller.rb

@@ -2,6 +2,21 @@ module StandardId
   module Web
     module VerifyEmail
       class StartController < BaseController
+        # RAR-56: Rate limit verification code generation by IP (10 per hour)
+        rate_limit to: StandardId.config.rate_limits.verification_start_per_ip,
+                   within: 1.hour,
+                   name: "verify-email-ip",
+                   only: :create,
+                   store: StandardId::RateLimitHandling::RATE_LIMIT_STORE
+
+        # RAR-56: Rate limit verification code generation by email target (3 per 15 minutes)
+        rate_limit to: StandardId.config.rate_limits.verification_start_per_target,
+                   within: 15.minutes,
+                   by: -> { "verify-email:#{params[:email].to_s.strip.downcase}" },
+                   name: "verify-email-target",
+                   only: :create,
+                   store: StandardId::RateLimitHandling::RATE_LIMIT_STORE
+
         def show
           render plain: "verify email start", status: :ok
         end

data/app/controllers/standard_id/web/verify_phone/start_controller.rb

@@ -2,6 +2,21 @@ module StandardId
   module Web
     module VerifyPhone
       class StartController < BaseController
+        # RAR-56: Rate limit verification code generation by IP (10 per hour)
+        rate_limit to: StandardId.config.rate_limits.verification_start_per_ip,
+                   within: 1.hour,
+                   name: "verify-phone-ip",
+                   only: :create,
+                   store: StandardId::RateLimitHandling::RATE_LIMIT_STORE
+
+        # RAR-56: Rate limit verification code generation by phone target (3 per 15 minutes)
+        rate_limit to: StandardId.config.rate_limits.verification_start_per_target,
+                   within: 15.minutes,
+                   by: -> { "verify-phone:#{params[:phone_number].to_s.strip}" },
+                   name: "verify-phone-target",
+                   only: :create,
+                   store: StandardId::RateLimitHandling::RATE_LIMIT_STORE
+
         def show
           render plain: "verify phone start", status: :ok
         end

data/app/forms/standard_id/web/reset_password_confirm_form.rb

@@ -3,6 +3,7 @@ module StandardId
     class ResetPasswordConfirmForm
       include ActiveModel::Model
       include ActiveModel::Attributes
+      include StandardId::PasswordStrength
 
       attribute :password, :string
       attribute :password_confirmation, :string
@@ -11,7 +12,6 @@ module StandardId
 
       validates :password,
         presence: { message: "cannot be blank" },
-        length: { minimum: 8, too_short: "must be at least 8 characters long" },
         confirmation: { message: "confirmation doesn't match" }
 
       def initialize(password_credential, params = {})

data/app/forms/standard_id/web/signup_form.rb

@@ -3,6 +3,7 @@ module StandardId
     class SignupForm
       include ActiveModel::Model
       include ActiveModel::Attributes
+      include StandardId::PasswordStrength
 
       attribute :email, :string
       attribute :password, :string
@@ -11,7 +12,7 @@ module StandardId
       attr_reader :account
 
       validates :email, presence: true, format: { with: URI::MailTo::EMAIL_REGEXP }
-      validates :password, presence: true, length: { minimum: 8 }, confirmation: true
+      validates :password, presence: true, confirmation: true
 
       def submit
         return false unless valid?

data/app/mailers/standard_id/passwordless_mailer.rb

@@ -0,0 +1,16 @@
+module StandardId
+  class PasswordlessMailer < ApplicationMailer
+    layout false
+
+    def otp_email
+      @otp_code = params[:otp_code]
+      @email = params[:email]
+
+      mail(
+        to: @email,
+        from: StandardId.config.passwordless.mailer_from,
+        subject: StandardId.config.passwordless.mailer_subject
+      )
+    end
+  end
+end

data/app/models/concerns/standard_id/password_strength.rb

@@ -0,0 +1,31 @@
+module StandardId
+  module PasswordStrength
+    extend ActiveSupport::Concern
+
+    included do
+      validate :password_meets_strength_requirements, if: -> { password.present? }
+    end
+
+    private
+
+    def password_meets_strength_requirements
+      config = StandardId.config.password
+
+      if password.length < config.minimum_length
+        errors.add(:password, "must be at least #{config.minimum_length} characters long")
+      end
+
+      if config.require_uppercase && password !~ /[A-Z]/
+        errors.add(:password, "must include at least one uppercase letter")
+      end
+
+      if config.require_numbers && password !~ /\d/
+        errors.add(:password, "must include at least one number")
+      end
+
+      if config.require_special_chars && password !~ /[^a-zA-Z0-9]/
+        errors.add(:password, "must include at least one special character")
+      end
+    end
+  end
+end

data/app/models/standard_id/authorization_code.rb

@@ -17,6 +17,20 @@ module StandardId
     before_validation :set_issued_and_expiry, on: :create
 
     def self.issue!(plaintext_code:, client_id:, redirect_uri:, scope: nil, audience: nil, account: nil, code_challenge: nil, code_challenge_method: nil, nonce: nil, metadata: {})
+      # Fail fast: reject unsupported PKCE methods at issuance rather than
+      # storing a code that will always fail at redemption time.
+      if code_challenge.present?
+        unless code_challenge_method.to_s.downcase == "s256"
+          raise StandardId::InvalidRequestError, "Unsupported code_challenge_method: only S256 is allowed"
+        end
+      end
+
+      # Hash the code_challenge for defense-in-depth (RAR-58).
+      # The stored value is SHA256(S256_challenge), where S256_challenge is
+      # base64url(SHA256(verifier)). This is intentionally a double-hash:
+      # S256 derives the challenge from the verifier, and we hash again for storage.
+      hashed_challenge = code_challenge.present? ? Digest::SHA256.hexdigest(code_challenge) : nil
+
       create!(
         account: account,
         code_hash: hash_for(plaintext_code),
@@ -24,7 +38,7 @@ module StandardId
         redirect_uri: redirect_uri,
         scope: scope,
         audience: audience,
-        code_challenge: code_challenge,
+        code_challenge: hashed_challenge,
         code_challenge_method: code_challenge_method,
         nonce: nonce,
         issued_at: Time.current,
@@ -58,15 +72,20 @@ module StandardId
 
       return false if code_verifier.blank?
 
-      case (code_challenge_method || "plain").downcase
-      when "s256"
-        expected = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier)).delete("=")
-        ActiveSupport::SecurityUtils.secure_compare(expected, code_challenge)
-      when "plain"
-        ActiveSupport::SecurityUtils.secure_compare(code_verifier, code_challenge)
-      else
-        false
-      end
+      # Only S256 is supported (OAuth 2.1). The "plain" method is rejected
+      # because it transmits the verifier in cleartext, defeating PKCE's purpose.
+      return false unless (code_challenge_method || "").downcase == "s256"
+
+      s256_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier)).delete("=")
+
+      # New format: stored value is SHA256(S256_challenge)
+      hashed_expected = Digest::SHA256.hexdigest(s256_challenge)
+      return true if ActiveSupport::SecurityUtils.secure_compare(hashed_expected, code_challenge)
+
+      # Legacy fallback: codes issued before RAR-58 store the raw S256 challenge.
+      # This handles in-flight codes during deployment (max 10-minute TTL).
+      # Safe to remove after one deployment cycle.
+      ActiveSupport::SecurityUtils.secure_compare(s256_challenge, code_challenge)
     end
 
     def mark_as_used!

data/app/models/standard_id/password_credential.rb

@@ -1,6 +1,7 @@
 module StandardId
   class PasswordCredential < ApplicationRecord
     include StandardId::Credentiable
+    include StandardId::PasswordStrength
 
     has_secure_password
 
@@ -13,7 +14,7 @@ module StandardId
     end
 
     validates :login, presence: true, uniqueness: true
-    validates :password, length: { minimum: 8 }, confirmation: true, if: :validate_password?
+    validates :password, confirmation: true, if: :validate_password?
 
     private
 

data/app/models/standard_id/refresh_token.rb

@@ -34,7 +34,8 @@ module StandardId
     end
 
     def revoke!
-      update!(revoked_at: Time.current) unless revoked?
+      rows = self.class.where(id: id, revoked_at: nil).update_all(revoked_at: Time.current)
+      reload if rows > 0
     end
 
     # Revoke this token and all tokens in the same family chain.
@@ -45,22 +46,18 @@ module StandardId
       family_tokens.where(revoked_at: nil).update_all(revoked_at: Time.current)
     end
 
-    # Max depth guard to prevent unbounded traversal in case of
-    # corrupted data or extremely long-lived token chains.
-    MAX_FAMILY_DEPTH = 50
-
     private
 
     # Find the root of this token's family and return all descendants.
-    # Uses iterative queries (one per generation) bounded by MAX_FAMILY_DEPTH.
-    # For typical token chain lengths (<10) this is fine; a recursive CTE
-    # would collapse to a single query if performance becomes a concern.
+    # Backward traversal uses a visited set for cycle detection in case
+    # of corrupted data. Forward traversal collects all descendants.
     def family_tokens
       root = self
-      depth = 0
-      while root.previous_token.present? && depth < MAX_FAMILY_DEPTH
+      visited = Set.new([root.id])
+      while root.previous_token.present?
+        break if visited.include?(root.previous_token_id)
+        visited.add(root.previous_token_id)
         root = root.previous_token
-        depth += 1
       end
 
       self.class.where(id: collect_family_ids(root.id))
@@ -69,15 +66,13 @@ module StandardId
     def collect_family_ids(root_id)
       ids = [root_id]
       current_ids = [root_id]
-      depth = 0
 
-      while depth < MAX_FAMILY_DEPTH
+      loop do
         next_ids = self.class.where(previous_token_id: current_ids).pluck(:id)
         break if next_ids.empty?
 
         ids.concat(next_ids)
         current_ids = next_ids
-        depth += 1
       end
 
       ids

data/app/models/standard_id/session.rb

@@ -7,7 +7,7 @@ module StandardId
     belongs_to :account, class_name: StandardId.config.account_class_name
     has_many :refresh_tokens, class_name: "StandardId::RefreshToken", dependent: :nullify
 
-    before_destroy :revoke_active_refresh_tokens
+    before_destroy :revoke_active_refresh_tokens, prepend: true
 
     scope :active, -> { where(revoked_at: nil).where("expires_at > ?", Time.current) }
     scope :expired, -> { where("expires_at <= ?", Time.current) }
@@ -38,10 +38,12 @@ module StandardId
 
     def revoke!(reason: nil)
       @reason = reason
-      update!(revoked_at: Time.current)
-      # Cascade revocation to refresh tokens. Uses update_all for efficiency;
-      # intentionally skips updated_at since revocation is tracked via revoked_at.
-      refresh_tokens.active.update_all(revoked_at: Time.current)
+      transaction do
+        update!(revoked_at: Time.current)
+        # Cascade revocation to refresh tokens. Uses update_all for efficiency;
+        # intentionally skips updated_at since revocation is tracked via revoked_at.
+        refresh_tokens.active.update_all(revoked_at: Time.current)
+      end
     end
 
     private

data/app/views/standard_id/passwordless_mailer/otp_email.html.erb

@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif; background-color: #f5f5f5; margin: 0; padding: 0; }
+    .container { max-width: 480px; margin: 40px auto; background-color: #ffffff; border-radius: 8px; padding: 40px; }
+    .code { font-size: 32px; font-weight: bold; letter-spacing: 8px; text-align: center; padding: 20px; background-color: #f0f0f0; border-radius: 6px; margin: 24px 0; font-family: monospace; }
+    .footer { margin-top: 32px; font-size: 13px; color: #888888; text-align: center; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <p>Hi,</p>
+    <p>Use the following code to sign in:</p>
+    <div class="code"><%= @otp_code %></div>
+    <p>This code will expire in <%= StandardId.config.passwordless.code_ttl / 60 %> minutes.</p>
+    <p>If you did not request this code, you can safely ignore this email.</p>
+    <div class="footer">
+      <p>This is an automated message. Please do not reply.</p>
+    </div>
+  </div>
+</body>
+</html>

data/app/views/standard_id/passwordless_mailer/otp_email.text.erb

@@ -0,0 +1,12 @@
+Hi,
+
+Use the following code to sign in:
+
+  <%= @otp_code %>
+
+This code will expire in <%= StandardId.config.passwordless.code_ttl / 60 %> minutes.
+
+If you did not request this code, you can safely ignore this email.
+
+--
+This is an automated message. Please do not reply.

data/db/migrate/20260311100001_add_nullify_to_refresh_token_previous_token_fk.rb

@@ -0,0 +1,7 @@
+class AddNullifyToRefreshTokenPreviousTokenFk < ActiveRecord::Migration[8.0]
+  def change
+    remove_foreign_key :standard_id_refresh_tokens, column: :previous_token_id
+    add_foreign_key :standard_id_refresh_tokens, :standard_id_refresh_tokens,
+      column: :previous_token_id, on_delete: :nullify
+  end
+end

data/lib/generators/standard_id/install/templates/standard_id.rb

@@ -54,6 +54,11 @@ StandardId.configure do |c|
   #   }
   # }
   # c.oauth.allowed_audiences = %w[web mobile admin] # Empty = no validation
+  #
+  # Custom claims added to every access token (independent of scopes).
+  # Receives keyword arguments: account:, client:, request:, audience:
+  # Must return a Hash. Reserved JWT keys (sub, exp, iat, etc.) are excluded.
+  # c.oauth.custom_claims = ->(account:, **) { { channel_id: account.channel_id } }
 
   # JWT Signing Configuration (Asymmetric Algorithms)
   # By default, JWTs are signed with HS256 using Rails.application.secret_key_base.

data/lib/standard_id/config/schema.rb

@@ -50,13 +50,27 @@ StandardConfig.schema.draw do
     field :max_attempts, type: :integer, default: 3
     field :retry_delay, type: :integer, default: 30 # 30 seconds
     field :bypass_code, type: :string, default: nil # E2E testing only — NEVER set in production
+
+    # Custom account factory for passwordless registration.
+    # When set, replaces the default find_or_create_account! logic in strategies.
+    # Must be a callable (lambda/proc) that receives (identifier:, params:, request:)
+    # and returns an Account (or account-like) record.
+    # When nil (default), uses the built-in strategy behavior.
+    field :account_factory, type: :any, default: nil
+
+    # OTP email delivery mode:
+    #   :custom   — (default) host app handles delivery via event subscriber
+    #   :built_in — engine sends OTP emails automatically using PasswordlessMailer
+    field :delivery, type: :symbol, default: :custom
+    field :mailer_from, type: :string, default: "noreply@example.com"
+    field :mailer_subject, type: :string, default: "Your sign-in code"
   end
 
   scope :password do
     field :minimum_length, type: :integer, default: 8
-    field :require_special_chars, type: :boolean, default: false
-    field :require_uppercase, type: :boolean, default: false
-    field :require_numbers, type: :boolean, default: false
+    field :require_special_chars, type: :boolean, default: true
+    field :require_uppercase, type: :boolean, default: true
+    field :require_numbers, type: :boolean, default: true
   end
 
   scope :session do
@@ -90,6 +104,12 @@ StandardConfig.schema.draw do
     # Asymmetric (RSA): :rs256, :rs384, :rs512
     # Asymmetric (ECDSA): :es256, :es384, :es512
     field :signing_algorithm, type: :symbol, default: :hs256
+
+    # Custom claims callable for encoding additional claims into JWT access tokens.
+    # Receives keyword arguments: account:, client:, request:, audience:
+    # Must return a Hash of custom claims to merge into the JWT payload.
+    # Example: ->(account:, **) { { channel_id: account.channel_id } }
+    field :custom_claims, type: :any, default: nil
   end
 
   scope :social do
@@ -108,5 +128,25 @@ StandardConfig.schema.draw do
     field :email_verification, type: :boolean, default: true
     field :phone_verification, type: :boolean, default: true
     field :sessions_management, type: :boolean, default: true
+    field :passwordless_registration, type: :boolean, default: false
+  end
+
+  # Rate limiting defaults (used by Rails 8 built-in rate_limit DSL)
+  scope :rate_limits do
+    # RAR-51: Password login
+    field :password_login_per_ip, type: :integer, default: 20        # per 15 minutes
+    field :password_login_per_email, type: :integer, default: 5      # per 15 minutes
+
+    # RAR-60: OTP verification
+    field :otp_verify_per_ip, type: :integer, default: 20            # per 15 minutes
+
+    # RAR-56: Email/phone verification code generation
+    field :verification_start_per_target, type: :integer, default: 3 # per 15 minutes
+    field :verification_start_per_ip, type: :integer, default: 10    # per hour
+
+    # API equivalents
+    field :api_passwordless_start_per_ip, type: :integer, default: 10    # per hour
+    field :api_passwordless_start_per_target, type: :integer, default: 5 # per 15 minutes
+    field :api_token_per_ip, type: :integer, default: 30                 # per 15 minutes
   end
 end

data/lib/standard_id/engine.rb

@@ -23,6 +23,7 @@ module StandardId
 
       StandardId::Events::Subscribers::AccountStatusSubscriber.attach
       StandardId::Events::Subscribers::AccountLockingSubscriber.attach
+      StandardId::Events::Subscribers::PasswordlessDeliverySubscriber.attach
 
       if StandardId.config.issuer.blank?
         Rails.logger.warn("[StandardId] No issuer configured. JWT tokens will not include or verify the 'iss' claim. " \