standard_id 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: f9b8808e874cdc6e89dca4b7ed1bb9636ae510d3947d48eb6f82933d40a6d9d1
+  data.tar.gz: 9fbd9e342e280da87695e011d5d6f031530eee53ced1c9ef93dbba4af072c141
+SHA512:
+  metadata.gz: 1a6264b3b7f1dcf8e0f3f00861eb265d535bc8254352e6dd6c95c64dd59756db7ddf96cace31200ac0a9bb557710316a2306cdf1c52e75b5d13644530c0749e4
+  data.tar.gz: 5c6f5126077d8e8ca4598cf9668001b5517004ad8b444cb1fb04301979790cb2da2ed44b7f8ebeb7d75bbbd50f0ddc0fb758c40a4bbeeb9a453d975b1a66825a

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) Jaryl Sim
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,28 @@
+# StandardId
+Short description and motivation.
+
+## Usage
+How to use my plugin.
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem "standard_id"
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install standard_id
+```
+
+## Contributing
+Contribution directions go here.
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,8 @@
+require "bundler/setup"
+
+APP_RAKEFILE = File.expand_path("spec/dummy/Rakefile", __dir__)
+load "rails/tasks/engine.rake"
+
+load "rails/tasks/statistics.rake"
+
+require "bundler/gem_tasks"

data/app/assets/stylesheets/standard_id/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/controllers/concerns/standard_id/api_authentication.rb

@@ -0,0 +1,29 @@
+module StandardId
+  module ApiAuthentication
+    extend ActiveSupport::Concern
+
+    delegate :current_session, :current_account, :revoke_current_session!, to: :session_manager
+
+    private
+
+    def authenticated?
+      current_account.present?
+    end
+
+    def verify_access_token!
+      authentication_guard.require_session!(session_manager)
+    end
+
+    def session_manager
+      @session_manager ||= StandardId::Api::SessionManager.new(token_manager, request:)
+    end
+
+    def token_manager
+      @token_manager ||= StandardId::Api::TokenManager.new(request)
+    end
+
+    def authentication_guard
+      @authentication_guard ||= StandardId::Api::AuthenticationGuard.new
+    end
+  end
+end

data/app/controllers/concerns/standard_id/web_authentication.rb

@@ -0,0 +1,51 @@
+module StandardId
+  module WebAuthentication
+    extend ActiveSupport::Concern
+
+    included do
+      helper_method :current_account, :authenticated?
+    end
+
+    delegate :current_session, :current_account, :revoke_current_session!, to: :session_manager
+
+    private
+
+    def authenticated?
+      current_account.present?
+    end
+
+    def require_browser_session!
+      authentication_guard.require_session!(session_manager, session: session, request: request)
+    end
+
+    def after_authentication_url
+      # TODO: add configurable value
+      session.delete(:return_to_after_authenticating) || "/"
+    end
+
+    def sign_in_account(login_params)
+      login = login_params[:email] || login_params[:login] # support both :email and :login keys
+      password = login_params[:password]
+      remember_me = ActiveModel::Type::Boolean.new.cast(login_params[:remember_me])
+
+      StandardId::PasswordCredential.find_by(login:).tap do |password_credential|
+        return nil unless password_credential&.authenticate(password)
+
+        session_manager.sign_in_account(password_credential.account)
+        session_manager.set_remember_cookie(password_credential) if remember_me
+      end
+    end
+
+    def session_manager
+      @session_manager ||= StandardId::Web::SessionManager.new(token_manager, request: request, session: session, cookies: cookies)
+    end
+
+    def token_manager
+      @token_manager ||= StandardId::Web::TokenManager.new(request)
+    end
+
+    def authentication_guard
+      @authentication_guard ||= StandardId::Web::AuthenticationGuard.new
+    end
+  end
+end

data/app/controllers/standard_id/api/authorization_controller.rb

@@ -0,0 +1,73 @@
+module StandardId
+  module Api
+    class AuthorizationController < BaseController
+      include ActionController::Cookies
+
+      skip_before_action :validate_content_type!
+
+      before_action :redirect_to_login, if: :requires_authentication?
+
+      FLOW_STRATEGIES = {
+        "code" => StandardId::Oauth::AuthorizationCodeAuthorizationFlow,
+        "token" => StandardId::Oauth::ImplicitAuthorizationFlow,
+        "token id_token" => StandardId::Oauth::ImplicitAuthorizationFlow
+      }.freeze
+
+      def show
+        response_data = flow_strategy_class.new(flow_strategy_params, request, current_account: current_account).execute
+
+        if response_data[:redirect_to]
+          redirect_to response_data[:redirect_to], status: response_data[:status] || :found, allow_other_host: true
+        else
+          render json: response_data, status: :ok
+        end
+      end
+
+      private
+
+      def response_type
+        @response_type ||= params[:response_type]
+      end
+
+      def flow_strategy_class
+        @flow_strategy_class ||= begin
+          if response_type.blank?
+            raise StandardId::InvalidRequestError, "The response_type parameter is required"
+          end
+
+          klass = FLOW_STRATEGIES[response_type]
+          unless klass
+            raise StandardId::UnsupportedResponseTypeError, "Unsupported response_type: #{response_type}"
+          end
+          klass
+        end
+      end
+
+      def flow_strategy_params
+        @flow_strategy_params ||= expect_and_permit!(flow_strategy_class.expected_params, flow_strategy_class.permitted_params)
+      end
+
+      def requires_authentication?
+        response_type&.include?("token")
+      end
+
+      def redirect_to_login
+        return if current_account.present?
+
+        base_login_url = StandardId.config.login_url.presence || "/login"
+        separator = base_login_url.include?("?") ? "&" : "?"
+        login_url = "#{base_login_url}#{separator}redirect_uri=#{CGI.escape(request.url)}"
+
+        redirect_to login_url, allow_other_host: true, status: :found
+      end
+
+      def current_account
+        @current_account ||= begin
+          token_manager = StandardId::Web::TokenManager.new(request)
+          session_manager = StandardId::Web::SessionManager.new(token_manager, request: request, session: session, cookies: cookies)
+          session_manager.current_account
+        end
+      end
+    end
+  end
+end

data/app/controllers/standard_id/api/base_controller.rb

@@ -0,0 +1,61 @@
+module StandardId
+  module Api
+    class BaseController < ActionController::API
+      include StandardId::ApiAuthentication
+
+      before_action :validate_content_type!
+
+      after_action :set_no_store_headers
+
+      rescue_from StandardId::NotAuthenticatedError, with: :handle_not_authenticated
+      rescue_from StandardId::InvalidSessionError, with: :handle_invalid_session
+      rescue_from StandardId::OAuthError, with: :handle_oauth_error
+
+      protected
+
+      def validate_content_type!
+        return if request.media_type&.match?(%r{\Aapplication\/(.+\+)?json\z})
+        raise StandardId::InvalidRequestError, "Content-Type must be application/json or application/*+json"
+      end
+
+      def set_no_store_headers
+        response.headers["Cache-Control"] = "no-store"
+        response.headers["Pragma"] = "no-cache"
+      end
+
+      def expect_and_permit!(expected_keys, permitted_keys)
+        params.expect(expected_keys)
+        params.permit(*permitted_keys)
+      rescue ActionController::ParameterMissing => e
+        raise StandardId::InvalidRequestError, "The #{e.param} parameter is required"
+      end
+
+      def handle_not_authenticated(error)
+        render_bearer_unauthorized!(error_description: error.message.presence || default_invalid_token_message)
+      end
+
+      def handle_invalid_session(error)
+        render_bearer_unauthorized!(error_description: default_invalid_token_message)
+      end
+
+      def handle_oauth_error(error)
+        render json: {
+          error: error.oauth_error_code,
+          error_description: error.message
+        }, status: error.http_status
+      end
+
+      def render_bearer_unauthorized!(error_description: default_invalid_token_message, error_code: "invalid_token")
+        response.set_header(
+          "WWW-Authenticate",
+          %Q(Bearer realm="StandardId", error="#{error_code}", error_description="#{error_description}")
+        )
+        render json: { error: error_code, error_description: error_description }, status: :unauthorized
+      end
+
+      def default_invalid_token_message
+        "The access token is invalid or has expired"
+      end
+    end
+  end
+end

data/app/controllers/standard_id/api/oauth/base_controller.rb

@@ -0,0 +1,22 @@
+module StandardId
+  module Api
+    module Oauth
+      class BaseController < StandardId::Api::BaseController
+        rescue_from StandardId::OAuthError, with: :handle_oauth_error
+
+        private
+
+        def handle_oauth_error(exception)
+          error_code = exception.respond_to?(:oauth_error_code) ? exception.oauth_error_code : :invalid_request
+          status = exception.respond_to?(:http_status) ? exception.http_status : :bad_request
+          description = exception.message.presence || "An error occurred processing the request"
+
+          render json: {
+            error: error_code.to_s,
+            error_description: description
+          }, status: status
+        end
+      end
+    end
+  end
+end

data/app/controllers/standard_id/api/oauth/tokens_controller.rb

@@ -0,0 +1,44 @@
+module StandardId
+  module Api
+    module Oauth
+      class TokensController < BaseController
+        FLOW_STRATEGIES = {
+          "client_credentials" => StandardId::Oauth::ClientCredentialsFlow,
+          "authorization_code" => StandardId::Oauth::AuthorizationCodeFlow,
+          "password" => StandardId::Oauth::PasswordFlow,
+          "refresh_token" => StandardId::Oauth::RefreshTokenFlow,
+          "passwordless_otp" => StandardId::Oauth::PasswordlessOtpFlow
+        }.freeze
+
+        def create
+          response_data = flow_strategy_class.new(flow_strategy_params, request).execute
+          render json: response_data, status: :ok
+        end
+
+        private
+
+        def grant_type
+          @grant_type ||= params[:grant_type]
+        end
+
+        def flow_strategy_class
+          @flow_strategy_class ||= begin
+            if grant_type.blank?
+              raise StandardId::InvalidRequestError, "The grant_type parameter is required"
+            end
+
+            klass = FLOW_STRATEGIES[grant_type]
+            unless klass
+              raise StandardId::UnsupportedGrantTypeError, "Unsupported grant_type: #{grant_type}"
+            end
+            klass
+          end
+        end
+
+        def flow_strategy_params
+          @flow_strategy_params ||= expect_and_permit!(flow_strategy_class.expected_params, flow_strategy_class.permitted_params)
+        end
+      end
+    end
+  end
+end

data/app/controllers/standard_id/api/oidc/logout_controller.rb

@@ -0,0 +1,50 @@
+module StandardId
+  module Api
+    module Oidc
+      class LogoutController < ::StandardId::Api::BaseController
+        include ActionController::Cookies
+
+        skip_before_action :validate_content_type!
+
+        def show
+          session_manager.revoke_current_session!
+
+          if redirect_uri_with_state.present?
+            redirect_to redirect_uri_with_state, allow_other_host: true, status: :found
+          else
+            render json: { message: "You have been logged out" }, status: :ok
+          end
+        end
+
+        private
+
+        def token_manager
+          @token_manager ||= StandardId::Web::TokenManager.new(request)
+        end
+
+        def session_manager
+          @session_manager ||= StandardId::Web::SessionManager.new(token_manager, request:, session:, cookies:)
+        end
+
+        def redirect_uri_with_state
+          return unless (uri = params[:post_logout_redirect_uri].presence)
+          return unless Array(StandardId.config.allowed_post_logout_redirect_uris).compact.include?(uri)
+
+          if (state = params[:state].presence)
+            begin
+              parsed = URI.parse(uri)
+              params = Rack::Utils.parse_nested_query(parsed.query)
+              params["state"] = state
+              parsed.query = Rack::Utils.build_query(params)
+              parsed.to_s
+            rescue URI::InvalidURIError
+              "#{uri}#{uri.include?('?') ? '&' : '?'}state=#{CGI.escape(state)}"
+            end
+          else
+            uri
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/standard_id/api/passwordless_controller.rb

@@ -0,0 +1,38 @@
+module StandardId
+  module Api
+    class PasswordlessController < BaseController
+      STRATEGY_MAP = {
+        "email" => StandardId::Passwordless::EmailStrategy,
+        "sms"   => StandardId::Passwordless::SmsStrategy
+      }.freeze
+
+      def start
+        raise StandardId::InvalidRequestError, "username, email, or phone_number parameter is required" if start_params[:username].blank?
+
+        strategy_for(start_params[:connection]).start!(start_params)
+
+        render json: { message: "Code sent successfully" }, status: :ok
+      end
+
+      private
+
+      def strategy_for(connection)
+        klass = STRATEGY_MAP[connection]
+        raise StandardId::InvalidRequestError, "Unsupported connection type: #{connection}" unless klass
+        klass.new(request)
+      end
+
+      def start_params
+        return @start_params if @start_params.present?
+
+        params.expect(:connection)
+        permitted = params.permit(:connection, :username, :email, :phone_number)
+
+        @start_params = {
+          connection: permitted[:connection],
+          username: permitted[:username] || permitted[:email] || permitted[:phone_number]
+        }
+      end
+    end
+  end
+end

data/app/controllers/standard_id/api/providers_controller.rb

@@ -0,0 +1,175 @@
+module StandardId
+  module Api
+    class ProvidersController < BaseController
+      skip_before_action :validate_content_type!
+
+      def google
+        expect_and_permit!([:state, :code], [:state, :code])
+        handle_social_callback("google-oauth2")
+      end
+
+      def apple
+        expect_and_permit!([:state, :code], [:state, :code])
+        handle_social_callback("apple")
+      end
+
+      private
+
+      def handle_social_callback(provider)
+        original_params = decode_state_params
+        user_info = exchange_social_code_for_user_info(provider, params[:code])
+        account = find_or_create_account_from_social(user_info, provider)
+
+        authorization_code = generate_authorization_code
+        store_authorization_code(authorization_code, original_params, account, provider)
+
+        redirect_params = {
+          code: authorization_code,
+          state: original_params["state"]
+        }.compact
+
+        redirect_url = build_redirect_uri(original_params["redirect_uri"], redirect_params)
+        redirect_to redirect_url, allow_other_host: true, status: :found
+      end
+
+      def decode_state_params
+        encoded_state = params[:state]
+        raise StandardId::InvalidRequestError, "Missing state parameter" if encoded_state.blank?
+
+        begin
+          JSON.parse(Base64.urlsafe_decode64(encoded_state))
+        rescue JSON::ParserError, ArgumentError
+          raise StandardId::InvalidRequestError, "Invalid state parameter"
+        end
+      end
+
+      def exchange_social_code_for_user_info(provider, code)
+        case provider
+        when "google-oauth2"
+          exchange_google_code(code)
+        when "apple"
+          exchange_apple_code(code)
+        else
+          raise StandardId::InvalidRequestError, "Unsupported provider: #{provider}"
+        end
+      end
+
+      def exchange_google_code(code)
+        token_response = HTTParty.post("https://oauth2.googleapis.com/token", {
+          body: {
+            client_id: StandardId.config.google_client_id,
+            client_secret: StandardId.config.google_client_secret,
+            code: code,
+            grant_type: "authorization_code",
+            redirect_uri: "#{request.base_url}/api/oauth/callback/google"
+          },
+          headers: { "Content-Type" => "application/x-www-form-urlencoded" }
+        })
+
+        raise StandardId::InvalidRequestError, "Failed to exchange Google code" unless token_response.success?
+
+        access_token = token_response.parsed_response["access_token"]
+
+        user_response = HTTParty.get("https://www.googleapis.com/oauth2/v2/userinfo", {
+          headers: { "Authorization" => "Bearer #{access_token}" }
+        })
+
+        raise StandardId::InvalidRequestError, "Failed to get Google user info" unless user_response.success?
+
+        user_response.parsed_response
+      end
+
+      def exchange_apple_code(code)
+        client_secret = generate_apple_client_secret
+
+        token_response = HTTParty.post("https://appleid.apple.com/auth/token", {
+          body: {
+            client_id: StandardId.config.apple_client_id,
+            client_secret: client_secret,
+            code: code,
+            grant_type: "authorization_code",
+            redirect_uri: "#{request.base_url}/api/oauth/callback/apple"
+          },
+          headers: { "Content-Type" => "application/x-www-form-urlencoded" }
+        })
+
+        raise StandardId::InvalidRequestError, "Failed to exchange Apple code" unless token_response.success?
+
+        id_token = token_response.parsed_response["id_token"]
+        JWT.decode(id_token, nil, false)[0]
+      end
+
+      def generate_apple_client_secret
+        header = {
+          alg: "ES256",
+          kid: StandardId.config.apple_key_id
+        }
+
+        payload = {
+          iss: StandardId.config.apple_team_id,
+          iat: Time.current.to_i,
+          exp: Time.current.to_i + 3600,
+          aud: "https://appleid.apple.com",
+          sub: StandardId.config.apple_client_id
+        }
+
+        private_key = OpenSSL::PKey::EC.new(StandardId.config.apple_private_key)
+        JWT.encode(payload, private_key, "ES256", header)
+      end
+
+      def find_or_create_account_from_social(user_info, provider)
+        email = user_info["email"]
+        raise StandardId::InvalidRequestError, "No email provided by #{provider}" if email.blank?
+
+        identifier = StandardId::EmailIdentifier.find_by(value: email)
+
+        if identifier
+          identifier.account
+        else
+          account = Account.create!(
+            name: (user_info["name"] || user_info["given_name"] || email),
+            email: email
+          )
+
+          StandardId::EmailIdentifier.create!(
+            account: account,
+            value: email,
+            verified_at: Time.current
+          )
+
+          account
+        end
+      end
+
+      def generate_authorization_code
+        SecureRandom.urlsafe_base64(32)
+      end
+
+      def store_authorization_code(code, original_params, account, provider)
+        StandardId::AuthorizationCode.issue!(
+          plaintext_code: code,
+          client_id: original_params["client_id"],
+          redirect_uri: original_params["redirect_uri"],
+          scope: original_params["scope"],
+          audience: original_params["audience"],
+          account: account,
+          code_challenge: original_params["code_challenge"],
+          code_challenge_method: original_params["code_challenge_method"],
+          metadata: { state: original_params["state"], provider: provider }.compact
+        )
+      end
+
+      def build_redirect_uri(base_uri, params_hash)
+        uri = URI.parse(base_uri)
+        query_params = URI.decode_www_form(uri.query || "")
+
+        params_hash.each do |key, value|
+          query_params << [key.to_s, value.to_s] if value.present?
+        end
+
+        uri.query = URI.encode_www_form(query_params)
+        uri.to_s
+      end
+    end
+  end
+end

data/app/controllers/standard_id/api/userinfo_controller.rb

@@ -0,0 +1,36 @@
+module StandardId
+  module Api
+    class UserinfoController < BaseController
+      skip_before_action :validate_content_type!
+
+      def show
+        verify_access_token!
+        account = current_account
+        raise StandardId::NotAuthenticatedError unless account
+
+        render json: build_userinfo_response(account), status: :ok
+      end
+
+      private
+
+      def build_userinfo_response(account)
+        {
+          sub: account_sub(account),
+          name: account.name,
+          email: account.email,
+          email_verified: email_verified?(account),
+          updated_at: account.respond_to?(:updated_at) ? account.updated_at&.to_i : nil
+        }.compact
+      end
+
+      def account_sub(account)
+        account.id.to_s
+      end
+
+      def email_verified?(account)
+        identifier = StandardId::EmailIdentifier.find_by(value: account.email)
+        identifier&.verified_at.present?
+      end
+    end
+  end
+end