standard_id 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 70f439b35a454065b4a2e45dfedc85b7316b26b0140d6f005930fc909ac78efd
-  data.tar.gz: bbf731529fdb2c0cb979e6fecfa711e83daaa1fddfd111263d44618b38bd8fa4
+  metadata.gz: 69b5bf55ec553e3b3708be74454f71c489125cfbf940f08b72e0225f3999a785
+  data.tar.gz: '0908e70df1d46b755d5b00db7b2d1607e6982b10d04f07e47315063934dbe3a2'
 SHA512:
-  metadata.gz: f1d1c0de85827c32f47680adad39da9457528b24376079c154aced6bd46fe40fbe72918df27a9290f54ef6df58e862b251dad7568d16d1abe5dd45c2b477bd45
-  data.tar.gz: 8d3a5b5c14e42b1850969b6268728ff47c0b78eb5e482f94b0ad4e2b752e98addc52267588adac384d82d01a207047b1e15b25bc9640c56282d5f67c0f297bd0
+  metadata.gz: dc37d401a1ec647be6750b5ec05f23b633e752704c00e69e8e721230070c574ebf5c52b0f3d515808c4aa59c12172b815f2c6cb20ff0b7c38775e5d7e721ae6f
+  data.tar.gz: 1987f39eeb1b7fe3924de437ad6de02d05650a84964c3cbb20ac9733dec5a75c5d7a4a288ae543443cd34c16d8eefb00569d85a38679d4693531ff9ae9815418

data/README.md

@@ -163,13 +163,35 @@ StandardId.configure do |config|
   config.social.google_client_secret = ENV["GOOGLE_CLIENT_SECRET"]
 
   # Apple Sign In
+  config.social.apple_mobile_client_id = ENV["APPLE_MOBILE_CLIENT_ID"]
   config.social.apple_client_id = ENV["APPLE_CLIENT_ID"]
   config.social.apple_private_key = ENV["APPLE_PRIVATE_KEY"]
   config.social.apple_key_id = ENV["APPLE_KEY_ID"]
   config.social.apple_team_id = ENV["APPLE_TEAM_ID"]
+  config.social.allowed_redirect_url_prefixes = ["sidekicklabs://"]
+
+  # Optional: adjust which attributes are persisted during social signup
+  config.social.social_account_attributes = ->(social_info:, provider:) {
+    {
+      email: social_info[:email],
+      name: social_info[:name] || social_info[:given_name]
+    }
+  }
+
+  # Optional: run a callback whenever a social login completes
+  config.social.social_callback = ->(social_info:, provider:, tokens:, account:) {
+    AuditLog.social_login(
+      provider: provider,
+      email: social_info[:email],
+      tokens: tokens,
+      account_id: account.id,
+    )
+  }
 end
 ```
 
+`social_info` is an indifferent-access hash containing at least `email`, `name`, and `provider_id`.
+
 ### Passwordless Authentication
 
 ```ruby
@@ -222,7 +244,7 @@ redirect_to "/api/authorize?" + {
   response_type: "code",
   client_id: "your_client_id",
   redirect_uri: "https://your-app.com/callback",
-  connection: "google-oauth2"
+  connection: "google"
 }.to_query
 
 # Apple login

data/app/controllers/concerns/standard_id/social_authentication.rb

@@ -0,0 +1,105 @@
+module StandardId
+  module SocialAuthentication
+    extend ActiveSupport::Concern
+
+    private
+
+    def get_user_info_from_provider(connection, redirect_uri: nil, flow: :web)
+      case connection
+      when "google"
+        StandardId::SocialProviders::Google.get_user_info(
+          code: params[:code],
+          id_token: params[:id_token],
+          access_token: params[:access_token],
+          redirect_uri: redirect_uri
+        )
+      when "apple"
+        StandardId::SocialProviders::Apple.get_user_info(
+        code: params[:code],
+          id_token: params[:id_token],
+          redirect_uri: redirect_uri,
+          client_id: apple_client_id_for_flow(flow)
+        )
+      else
+        raise StandardId::InvalidRequestError, "Unsupported provider: #{connection}"
+      end
+    end
+
+    def apple_client_id_for_flow(flow)
+      flow == :web ? StandardId.config.apple_client_id : StandardId.config.apple_mobile_client_id
+    end
+
+    def find_or_create_account_from_social(raw_social_info, provider)
+      social_info = raw_social_info.to_h.with_indifferent_access
+      email = social_info[:email]
+      raise StandardId::InvalidRequestError, "No email provided by #{provider}" if email.blank?
+
+      identifier = StandardId::EmailIdentifier.find_by(value: email)
+
+      if identifier.present?
+        identifier.account
+      else
+        account = build_account_from_social(social_info, provider)
+        identifier = StandardId::EmailIdentifier.create!(
+          account: account,
+          value: email
+        )
+        identifier.verify! if identifier.respond_to?(:verify!)
+        account
+      end
+    end
+
+    def build_account_from_social(social_info, provider)
+      attrs = resolve_account_attributes(social_info, provider)
+      StandardId.account_class.create!(attrs)
+    end
+
+    def resolve_account_attributes(social_info, provider)
+      resolver = StandardId.config.social_account_attributes
+      attrs = if resolver.respond_to?(:call)
+                resolver.call(social_info: social_info, provider: provider)
+      else
+                {
+                  email: social_info[:email],
+                  name: social_info[:name].presence || social_info[:given_name].presence || social_info[:email]
+                }
+      end
+
+      unless attrs.is_a?(Hash)
+        raise StandardId::InvalidRequestError, "Social account attribute resolver must return a hash"
+      end
+
+      attrs.symbolize_keys
+    end
+
+    def allow_other_host_redirect?(redirect_uri)
+      return false if redirect_uri.blank?
+
+      allowed = Array(StandardId.config.allowed_redirect_url_prefixes)
+      return false if allowed.blank?
+
+      allowed.any? do |entry|
+        case entry
+        when Regexp
+          entry.match?(redirect_uri)
+        else
+          redirect_uri.start_with?(entry.to_s)
+        end
+      end
+    end
+
+    def run_social_callback(provider:, social_info:, provider_tokens:, account:)
+      callback = StandardId.config.social_callback
+
+      payload = {
+        provider: provider,
+        social_info: social_info,
+        tokens: provider_tokens.presence,
+        account: account
+      }
+
+      filtered_payload = StandardId::Utils::CallableParameterFilter.filter(callback, payload)
+      callback.call(**filtered_payload.symbolize_keys)
+    end
+  end
+end

data/app/controllers/standard_id/api/oauth/callback/providers_controller.rb

@@ -0,0 +1,68 @@
+module StandardId
+  module Api::Oauth
+    module Callback
+      class ProvidersController < BaseController
+        include StandardId::SocialAuthentication
+
+        skip_before_action :validate_content_type!
+
+        def google
+          expect_and_permit!([], [:id_token, :code])
+          handle_social_callback("google")
+        end
+
+        def apple
+          expect_and_permit!([], [:id_token, :code, :state, :flow])
+          handle_social_callback("apple")
+        end
+
+        private
+
+        def handle_social_callback(connection)
+          original_params = decode_state_params
+          flow = resolve_flow_for(connection)
+          provider_response = get_user_info_from_provider(connection, flow: flow)
+          social_info = provider_response[:user_info]
+          provider_tokens = provider_response[:tokens]
+          account = find_or_create_account_from_social(social_info, connection)
+
+          flow = StandardId::Oauth::SocialFlow.new(
+            params,
+            request,
+            account: account,
+            connection: connection,
+            original_params: original_params
+          )
+
+          token_response = flow.execute
+          run_social_callback(
+            provider: connection,
+            social_info: social_info,
+            provider_tokens: provider_tokens,
+            account: account,
+          )
+          render json: token_response, status: :ok
+        end
+
+        def decode_state_params
+          encoded_state = params[:state]
+
+          return {} if encoded_state.blank?
+
+          begin
+            JSON.parse(Base64.urlsafe_decode64(encoded_state))
+          rescue JSON::ParserError, ArgumentError
+            raise StandardId::InvalidRequestError, "Invalid state parameter"
+          end
+        end
+
+        def resolve_flow_for(connection)
+          return :mobile unless connection == "apple"
+
+          flow_param = params[:flow].to_s.downcase
+          flow_param == "web" ? :web : :mobile
+        end
+      end
+    end
+  end
+end

data/app/controllers/standard_id/web/auth/callback/providers_controller.rb

@@ -4,107 +4,88 @@ module StandardId
       module Callback
         class ProvidersController < StandardId::Web::BaseController
           include StandardId::WebAuthentication
+          include StandardId::SocialAuthentication
 
           # Social callbacks must be accessible without an existing browser session
           # because they create/sign-in the session upon successful callback.
-          skip_before_action :require_browser_session!, only: [:google, :apple]
+          skip_before_action :require_browser_session!, only: [:google, :apple, :apple_mobile]
+          skip_before_action :verify_authenticity_token, only: [:apple, :apple_mobile]
 
           def google
-            handle_social_callback("google-oauth2")
+            handle_social_callback("google")
           end
 
           def apple
             handle_social_callback("apple")
           end
 
-          private
+          def apple_mobile
+            state_data = decode_state_params
+            destination = state_data["redirect_uri"]
+
+            unless allow_other_host_redirect?(destination)
+              raise StandardId::InvalidRequestError, "Redirect URI is not allowed"
+            end
 
-          def handle_social_callback(provider)
-            # This handles the callback from social providers in web context
-            # After successful social auth, we need to:
-            # 1. Extract user info from the callback
-            # 2. Create/find account
-            # 3. Sign in the user with web session
-            # 4. Redirect to original destination
+            relay_params = mobile_relay_params
+            @mobile_redirect_url = build_mobile_redirect(destination, relay_params)
+            render :apple_mobile, layout: false
+          rescue StandardId::InvalidRequestError => e
+            render plain: e.message, status: :unprocessable_entity
+          end
 
+          private
+
+          def handle_social_callback(connection)
             if params[:error].present?
               handle_callback_error
               return
             end
 
+            state_data = nil
+
             begin
-              user_info = extract_user_info(provider)
-              account = find_or_create_account_from_social(user_info, provider)
+              state_data = decode_state_params
+              redirect_uri = connection == "apple" ? apple_callback_url : google_callback_url
+              provider_response = get_user_info_from_provider(connection, redirect_uri: redirect_uri)
+              social_info = provider_response[:user_info]
+              provider_tokens = provider_response[:tokens]
+              account = find_or_create_account_from_social(social_info, connection)
               session_manager.sign_in_account(account)
 
-              redirect_to decode_redirect_uri, notice: "Successfully signed in with #{provider.humanize}"
-            rescue StandardId::OAuthError => e
-              redirect_to login_path, alert: "Authentication failed: #{e.message}"
-            end
-          end
+              run_social_callback(
+                provider: connection,
+                social_info: social_info,
+                provider_tokens: provider_tokens,
+                account: account,
+              )
 
-          def extract_user_info(provider)
-            case provider
-            when "google-oauth2"
-              extract_google_user_info
-            when "apple"
-              extract_apple_user_info
-            else
-              raise StandardId::InvalidRequestError, "Unsupported connection/provider: #{provider}"
+              destination = state_data["redirect_uri"]
+              redirect_options = { notice: "Successfully signed in with #{connection.humanize}" }
+              redirect_options[:allow_other_host] = true if allow_other_host_redirect?(destination)
+              redirect_to destination, redirect_options
+            rescue StandardId::OAuthError => e
+              redirect_to StandardId::WebEngine.routes.url_helpers.login_path(redirect_uri: state_data&.dig("redirect_uri")), alert: "Authentication failed: #{e.message}"
             end
           end
 
-          def extract_google_user_info
-            # Exchange code for Google user info
-            # This would integrate with Google OAuth API
-            {
-              email: params[:email] || "user@example.com", # Placeholder
-              name: params[:name] || "Google User",
-              provider: "google-oauth2",
-              provider_id: params[:sub] || "google_123"
-            }
+          def google_callback_url
+            auth_callback_google_url
           end
 
-          def extract_apple_user_info
-            # Extract user info from Apple Sign In callback
-            # This would decode the Apple ID token
-            {
-              email: params[:email] || "user@privaterelay.appleid.com", # Placeholder
-              name: params[:name] || "Apple User",
-              provider: "apple",
-              provider_id: params[:sub] || "apple_123"
-            }
+          def apple_callback_url
+            auth_callback_apple_url
           end
 
-          def find_or_create_account_from_social(user_info, provider)
-            # Find existing account by email or create new one
-            identifier = StandardId::EmailIdentifier.find_by(value: user_info[:email])
+          def decode_state_params
+            encoded_state = params[:state]
+            raise StandardId::InvalidRequestError, "Missing state parameter" if encoded_state.blank?
 
-            if identifier
-              identifier.account
-            else
-              # Create new account with social login
-              account = ::Account.create!(
-                email: user_info[:email],
-                name: user_info[:name].presence || "User"
-              )
-              StandardId::EmailIdentifier.create!(
-                account: account,
-                value: user_info[:email]
-              )
-              account
-            end
-          end
-
-          def decode_redirect_uri
-            return "/" unless params[:state].present?
-
-            begin
-              state_data = JSON.parse(Base64.urlsafe_decode64(params[:state]))
-              state_data["redirect_uri"] || "/"
-            rescue JSON::ParserError, ArgumentError
-              "/"
-            end
+            state = JSON.parse(Base64.urlsafe_decode64(encoded_state))
+            state["redirect_uri"] ||= after_authentication_url
+            state
+          rescue JSON::ParserError, ArgumentError
+            raise StandardId::InvalidRequestError, "Invalid state parameter"
           end
 
           def handle_callback_error
@@ -117,7 +98,21 @@ module StandardId
                             "Authentication failed"
             end
 
-            redirect_to login_path, alert: error_message
+            redirect_to StandardId::WebEngine.routes.url_helpers.login_path, alert: error_message
+          end
+
+          def mobile_relay_params
+            params.permit(:code, :state, :user, :userIdentifier, :id_token, :identity_token, :nonce).to_h.compact
+          end
+
+          def build_mobile_redirect(destination, extra_params)
+            uri = URI.parse(destination)
+            existing = Rack::Utils.parse_nested_query(uri.query)
+            merged = existing.merge(extra_params)
+            uri.query = merged.to_query.presence
+            uri.to_s
+          rescue URI::InvalidURIError
+            destination
           end
         end
       end

data/app/controllers/standard_id/web/login_controller.rb

@@ -33,32 +33,35 @@ module StandardId
       end
 
       def social_login_url
-        uri = URI.parse("/api/authorize")
-        query = {
-          response_type: "code",
-          client_id: StandardId.config.default_client_id,
-          redirect_uri: callback_url,
-          connection: params[:connection],
-          state: encode_state
-        }.to_query
-        uri.query = query
-        uri.to_s
-      end
-
-      def callback_url
         case params[:connection]
-        when "google-oauth2"
-          auth_callback_google_path
+        when "google"
+          google_authorization_url
         when "apple"
-          auth_callback_apple_path
+          apple_authorization_url
+        else
+          raise StandardId::InvalidRequestError, "Unsupported social connection: #{connection}"
         end
       end
 
+      def google_authorization_url
+        StandardId::SocialProviders::Google.authorization_url(
+          state: encode_state,
+          redirect_uri: auth_callback_google_url
+        )
+      end
+
+      def apple_authorization_url
+        StandardId::SocialProviders::Apple.authorization_url(
+          state: encode_state,
+          redirect_uri: auth_callback_apple_url
+        )
+      end
+
       def encode_state
         Base64.urlsafe_encode64({
           redirect_uri: params[:redirect_uri] || after_authentication_url,
           timestamp: Time.current.to_i
-        }.to_json)
+        }.compact.to_json)
       end
 
       def login_params

data/app/controllers/standard_id/web/signup_controller.rb

@@ -56,7 +56,7 @@ module StandardId
 
       def callback_url
         case params[:connection]
-        when "google-oauth2"
+        when "google"
           auth_callback_google_url
         when "apple"
           auth_callback_apple_url

data/app/views/standard_id/web/auth/callback/providers/apple_mobile.html.erb

@@ -0,0 +1,50 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <title>Continuing Sign in with Apple…</title>
+    <style>
+      body {
+        font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+        margin: 0;
+        padding: 2rem;
+        text-align: center;
+        color: #111;
+        background: #f8f8f8;
+      }
+
+      .card {
+        margin: 0 auto;
+        max-width: 420px;
+        padding: 2rem;
+        background: #fff;
+        border-radius: 12px;
+        box-shadow: 0 10px 30px rgba(0, 0, 0, 0.08);
+      }
+
+      h1 {
+        font-size: 1.3rem;
+        margin-bottom: 0.5rem;
+      }
+
+      p {
+        margin: 0;
+        color: #555;
+      }
+    </style>
+    <script>
+      document.addEventListener("DOMContentLoaded", function () {
+        var target = "<%= j @mobile_redirect_url %>";
+        if (target) {
+          window.location.replace(target);
+        }
+      });
+    </script>
+  </head>
+  <body>
+    <div class="card">
+      <h1>Returning to your app…</h1>
+      <p>You can close this window if it doesn't redirect automatically.</p>
+    </div>
+  </body>
+</html>

data/app/views/standard_id/web/login/show.html.erb

@@ -68,8 +68,8 @@
 
           <div class="mt-6 grid grid-cols-2 gap-4">
             <% if StandardId.config.google_client_id.present? %>
-              <%= form_with url: login_path, method: :post, local: true do |form| %>
-                <%= form.hidden_field :connection, value: "google-oauth2" %>
+              <%= form_with url: login_path, method: :post, local: true, data: { turbo: false } do |form| %>
+                <%= form.hidden_field :connection, value: "google" %>
                 <%= form.hidden_field :redirect_uri, value: @redirect_uri %>
                 <button type="submit" class="flex w-full items-center justify-center gap-3 rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:ring-transparent dark:bg-white/10 dark:text-white dark:shadow-none dark:ring-white/5 dark:hover:bg-white/20">
                   <svg viewBox="0 0 24 24" aria-hidden="true" class="h-5 w-5">
@@ -84,7 +84,7 @@
             <% end %>
 
             <% if StandardId.config.apple_client_id.present? %>
-              <%= form_with url: login_path, method: :post, local: true do |form| %>
+              <%= form_with url: login_path, method: :post, local: true, data: { turbo: false } do |form| %>
                 <%= form.hidden_field :connection, value: "apple" %>
                 <%= form.hidden_field :redirect_uri, value: @redirect_uri %>
                 <button type="submit" class="flex w-full items-center justify-center gap-3 rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:ring-transparent dark:bg-white/10 dark:text-white dark:shadow-none dark:ring-white/5 dark:hover:bg-white/20">

data/app/views/standard_id/web/signup/show.html.erb

@@ -57,7 +57,7 @@
           <div class="mt-6 grid grid-cols-2 gap-4">
             <% if StandardId.config.google_client_id.present? %>
               <%= form_with url: signup_path, method: :post, local: true do |form| %>
-                <%= form.hidden_field :connection, value: "google-oauth2" %>
+                <%= form.hidden_field :connection, value: "google" %>
                 <%= form.hidden_field :redirect_uri, value: @redirect_uri %>
                 <button type="submit" class="flex w-full items-center justify-center gap-3 rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:ring-transparent dark:bg-white/10 dark:text-white dark:shadow-none dark:ring-white/5 dark:hover:bg-white/20">
                   <svg viewBox="0 0 24 24" aria-hidden="true" class="h-5 w-5">

data/config/routes/api.rb

@@ -16,7 +16,7 @@ StandardId::ApiEngine.routes.draw do
       resource :token, only: [:create]
 
       namespace :callback do
-        get :google, to: "providers#google"
+        post :google, to: "providers#google"
         post :apple, to: "providers#apple"
       end
     end

data/config/routes/web.rb

@@ -10,6 +10,7 @@ StandardId::WebEngine.routes.draw do
       namespace :callback do
         get :google, to: "providers#google"
         post :apple, to: "providers#apple"
+        post :apple_mobile, to: "providers#apple_mobile"
       end
     end
 

data/lib/generators/standard_id/install/templates/standard_id.rb

@@ -20,6 +20,7 @@ StandardId.configure do |c|
   # c.oauth.token_lifetimes = {
   #   password: 8.hours,
   #   client_credentials: 24.hours
+  #   social: 24.hours
   # }
   # c.oauth.scope_claims = {
   #   profile: %i[email display_name]
@@ -34,10 +35,26 @@ StandardId.configure do |c|
   # Social login credentials (if enabled in your app)
   # c.social.google_client_id     = ENV["GOOGLE_CLIENT_ID"]
   # c.social.google_client_secret = ENV["GOOGLE_CLIENT_SECRET"]
+  # c.social.apple_mobile_client_id = ENV["APPLE_MOBILE_CLIENT_ID"]
   # c.social.apple_client_id      = ENV["APPLE_CLIENT_ID"]
   # c.social.apple_private_key    = ENV["APPLE_PRIVATE_KEY"]
   # c.social.apple_key_id         = ENV["APPLE_KEY_ID"]
   # c.social.apple_team_id        = ENV["APPLE_TEAM_ID"]
+  # c.social.allowed_redirect_url_prefixes = ["sidekicklabs://"]
+  # c.social.social_account_attributes = ->(social_info:, provider:) {
+  #   {
+  #     email: social_info[:email],
+  #     name: social_info[:name] || social_info[:given_name]
+  #   }
+  # }
+  # c.social.social_callback = ->(social_info:, provider:, tokens:, account:) {
+  #   Analytics.track_social_login(
+  #     provider: provider,
+  #     email: social_info[:email],
+  #     tokens: tokens,
+  #     account_id: account.id
+  #   )
+  # }
 
   # OIDC Logout allow list
   # c.allowed_post_logout_redirect_uris = [

data/lib/standard_config/config.rb

@@ -23,9 +23,10 @@ module StandardConfig
     # If set, Authorization endpoints can redirect to this path with a redirect_uri param
     attr_accessor :login_url
 
-    # Social login provider credentials
+    # Social login provider credentials and hooks
     attr_accessor :google_client_id, :google_client_secret
     attr_accessor :apple_client_id, :apple_client_secret, :apple_private_key, :apple_key_id, :apple_team_id
+    attr_accessor :social_account_attributes, :social_callback
 
     # Passwordless authentication callbacks
     # These should be callable objects (procs/lambdas) that accept (recipient, code) parameters
@@ -54,6 +55,8 @@ module StandardConfig
       @apple_private_key = nil
       @apple_key_id = nil
       @apple_team_id = nil
+      @social_account_attributes = nil
+      @social_callback = nil
       @passwordless_email_sender = nil
       @passwordless_sms_sender = nil
       @allowed_post_logout_redirect_uris = []

data/lib/standard_id/config/schema.rb

@@ -47,5 +47,9 @@ StandardConfig.schema.draw do
     field :apple_private_key, type: :string, default: nil
     field :apple_key_id, type: :string, default: nil
     field :apple_team_id, type: :string, default: nil
+    field :apple_mobile_client_id, type: :string, default: nil
+    field :social_account_attributes, type: :any, default: nil
+    field :allowed_redirect_url_prefixes, type: :array, default: []
+    field :social_callback, type: :any, default: nil
   end
 end

data/lib/standard_id/http_client.rb

@@ -0,0 +1,22 @@
+require "net/http"
+require "uri"
+
+module StandardId
+  class HttpClient
+    class << self
+      def post_form(endpoint, params)
+        uri = URI(endpoint)
+        Net::HTTP.post_form(uri, params)
+      end
+
+      def get_with_bearer(endpoint, access_token)
+        uri = URI(endpoint)
+        request = Net::HTTP::Get.new(uri)
+        request["Authorization"] = "Bearer #{access_token}"
+        Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
+          http.request(request)
+        end
+      end
+    end
+  end
+end