standard_id 0.10.0 → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ad192cf3b1bad92d1ec8322e203804401d8c10e54ebfcde4340f7840fa624bd
-  data.tar.gz: 0eb0cc7c613bd3fdd981818c6d4fd359f809003da34d6e15f5e2fea9fd0eab74
+  metadata.gz: ebaef83f7c6b587f981d1eddf7b56638760d59e667b1c23f5cbb75d26e98db34
+  data.tar.gz: d1476d41140b17b43c745b92d63b64c1e2651be30c9e6714cf22971a04f99e26
 SHA512:
-  metadata.gz: 478082fd5a80a66ded10834c7bd1db32912a222086f5fc8db521a90acceb1459418492581d89ca90d5a7d8fb438b3c74845372fe551d52eb892c297136acc002
-  data.tar.gz: bca63014a4ca013f152bb5bd9112f3649d0e7848d22b7d1114e9bd2715e2847369610e735b83f20bda3aad3fca45936d0f7452438f2a8144d24ddba7b3cb2c07
+  metadata.gz: a163de182358974e8e5168194dc9af3e5f084a0de5c5dde0b663048918dbd22bbf326b0708fb5cc5c0ba0c5d92953baaf7b8ea4fd319225170164e762e663091
+  data.tar.gz: '068d45f4edce5e084b3f35e038dc0c4dbb377efa16dcb6dc4c29c1f0a15f0a5c319f110684d6ecb820cbb11a3e5fa4ef61198e4c5385e15513b9fc1f69d059bd'

data/app/controllers/concerns/standard_id/lifecycle_hooks.rb

@@ -4,20 +4,46 @@ module StandardId
 
     private
 
+    # Invoke the before_sign_in hook if configured.
+    # Called after credential verification, BEFORE session creation.
+    #
+    # @param account [Object] the authenticated account
+    # @param context [Hash] context about the sign-in
+    #   - :mechanism [String] "password", "passwordless", or "social"
+    #   - :provider [String, nil] e.g. "google", "apple", or nil
+    #   - :first_sign_in [Boolean] whether this is the account's first browser session
+    # @return [void]
+    # @raise [StandardId::AuthenticationDenied] when hook returns { error: "..." }
+    def invoke_before_sign_in(account, context)
+      hook = StandardId.config.before_sign_in
+      return unless hook.respond_to?(:call)
+
+      context = context.merge(first_sign_in: first_sign_in?(account, session_created: false))
+      result = hook.call(account, request, context)
+
+      if result.is_a?(Hash) && result[:error].present?
+        raise StandardId::AuthenticationDenied, result[:error]
+      end
+    end
+
     # Invoke the after_sign_in hook if configured.
     #
     # @param account [Object] the authenticated account
     # @param context [Hash] context about the sign-in
-    #   - :connection [String] "email", "password", or "social"
+    #   - :mechanism [String] "password", "passwordless", or "social"
     #   - :provider [String, nil] e.g. "google", "apple", or nil
     #   - :first_sign_in [Boolean] whether this is the account's first browser session
+    #   - :session [StandardId::Session] the session that was just created
     # @return [String, nil] redirect path override, or nil for default
     # @raise [StandardId::AuthenticationDenied] to reject the sign-in
     def invoke_after_sign_in(account, context)
       hook = StandardId.config.after_sign_in
       return nil unless hook.respond_to?(:call)
 
-      context = context.merge(first_sign_in: first_sign_in?(account))
+      context = context.merge(
+        first_sign_in: first_sign_in?(account, session_created: true),
+        session: session_manager.current_session
+      )
       hook.call(account, request, context)
     end
 
@@ -36,9 +62,12 @@ module StandardId
     end
 
     # Determine if this is the account's first browser session.
-    # A count of 1 means the session just created is the only one.
-    def first_sign_in?(account)
-      account.sessions.where(type: "StandardId::BrowserSession").active.count <= 1
+    # When called before session creation (before_sign_in), count == 0 means first.
+    # When called after session creation (after_sign_in), count <= 1 means first
+    # (the just-created session is the only one).
+    def first_sign_in?(account, session_created: true)
+      active_count = account.sessions.where(type: "StandardId::BrowserSession").active.count
+      session_created ? active_count <= 1 : active_count == 0
     end
 
     # Handle AuthenticationDenied by revoking the session and redirecting to login.
@@ -48,7 +77,7 @@ module StandardId
     # @param account [Object, nil] the account to clean up if newly created
     # @param newly_created [Boolean] whether the account was created during this request
     def handle_authentication_denied(error, account: nil, newly_created: false)
-      session_manager.revoke_current_session!
+      session_manager.revoke_current_session! if session_manager.current_session.present?
       destroy_newly_created_account(account) if newly_created
       message = error.message
       # When raised without arguments, StandardError#message returns the class name

data/app/controllers/concerns/standard_id/web_authentication.rb

@@ -59,7 +59,7 @@ module StandardId
       session.delete(:return_to_after_authenticating) || "/"
     end
 
-    def sign_in_account(login_params)
+    def sign_in_account(login_params, &before_session)
       login = login_params[:email] || login_params[:login] # support both :email and :login keys
       password = login_params[:password]
       remember_me = ActiveModel::Type::Boolean.new.cast(login_params[:remember_me])
@@ -94,6 +94,10 @@ module StandardId
           credential_id: password_credential.id
         )
 
+        # Allow callers to run before_sign_in hooks after credential verification
+        # but before session creation. The block may raise AuthenticationDenied.
+        before_session&.call(password_credential.account)
+
         session_manager.sign_in_account(password_credential.account)
         session_manager.set_remember_cookie(password_credential) if remember_me
 

data/app/controllers/standard_id/web/auth/callback/providers_controller.rb

@@ -37,6 +37,8 @@ module StandardId
                 account = find_or_create_account_from_social(social_info)
               end
               newly_created = account.previously_new_record?
+
+              invoke_before_sign_in(account, { mechanism: "social", provider: provider.provider_name })
               session_manager.sign_in_account(account)
 
               provider_name = provider.provider_name
@@ -50,7 +52,7 @@ module StandardId
                 original_request_params: state_data
               )
 
-              context = { connection: "social", provider: provider_name }
+              context = { mechanism: "social", provider: provider_name }
               redirect_override = invoke_after_sign_in(account, context)
 
               destination = redirect_override || state_data["redirect_uri"]

data/app/controllers/standard_id/web/login_controller.rb

@@ -54,8 +54,12 @@ module StandardId
       def handle_password_login
         return head(:not_found) unless StandardId.config.web.password_login
 
-        if sign_in_account(login_params)
-          context = { connection: "password", provider: nil }
+        result = sign_in_account(login_params) { |account|
+          invoke_before_sign_in(account, { mechanism: "password", provider: nil })
+        }
+
+        if result
+          context = { mechanism: "password", provider: nil }
           redirect_override = invoke_after_sign_in(current_account, context)
           destination = redirect_override || params[:redirect_uri] || after_authentication_url
           redirect_to destination, status: :see_other, notice: "Successfully signed in"

data/app/controllers/standard_id/web/login_verify_controller.rb

@@ -50,6 +50,8 @@ module StandardId
         account = result.account
         newly_created = account.previously_new_record?
 
+        invoke_before_sign_in(account, { mechanism: "passwordless", provider: nil })
+
         session_manager.sign_in_account(account)
         emit_authentication_succeeded(account)
 
@@ -58,7 +60,7 @@ module StandardId
           invoke_after_account_created(account, { mechanism: "passwordless", provider: nil })
         end
 
-        context = { connection: @otp_data[:connection], provider: nil }
+        context = { mechanism: "passwordless", provider: nil }
         redirect_override = invoke_after_sign_in(account, context)
 
         session.delete(:standard_id_otp_payload)

data/app/controllers/standard_id/web/signup_controller.rb

@@ -39,10 +39,11 @@ module StandardId
         form = StandardId::Web::SignupForm.new(signup_params)
 
         if form.submit
+          invoke_before_sign_in(form.account, { mechanism: "password", provider: nil })
           session_manager.sign_in_account(form.account)
           invoke_after_account_created(form.account, { mechanism: "signup", provider: nil })
 
-          context = { connection: "password", provider: nil }
+          context = { mechanism: "password", provider: nil }
           redirect_override = invoke_after_sign_in(form.account, context)
           destination = redirect_override || params[:redirect_uri] || after_authentication_url
           redirect_to destination, notice: "Account created successfully"

data/config/brakeman.ignore

@@ -17,11 +17,11 @@
       "note": "Auth engine intentionally redirects to params[:redirect_uri] when user is not authenticated"
     },
     {
-      "fingerprint": "68be03a57d3ef2cfb68582fc78ac2eb6b96aaa0a9897a9a975c24b889fdbb2aa",
+      "fingerprint": "1fe5fcac2c90d0480ef08f002ad04041eec2b95caabbc4e8b5d6cccc23c9283f",
       "note": "after_sign_in hook redirect is controlled by the host app configuration, not user input"
     },
     {
-      "fingerprint": "277cf277d1c94f46d0abaeba9c51312d1d17e6f62c2e8d457dda47a6aad422aa",
+      "fingerprint": "413b5740add2c365198a540734a9e8c12b1c0483f521e2db145a80f3d582a4cc",
       "note": "after_sign_in hook redirect is controlled by the host app configuration, not user input"
     }
   ],

data/lib/standard_id/config/schema.rb

@@ -24,17 +24,26 @@ StandardConfig.schema.draw do
 
     # Post-authentication lifecycle hooks (synchronous, WebEngine only)
     #
+    # after_account_created: Called after a new account is created via any mechanism.
+    #   Receives: (account, request, context)
+    #   Context: { mechanism: "passwordless"/"social"/"signup", provider: nil/"google"/"apple" }
+    field :after_account_created, type: :any, default: nil
+
+    # before_sign_in: Called after credential verification, BEFORE session creation.
+    #   Receives: (account, request, context)
+    #   Context: { mechanism: "password"/"passwordless"/"social", provider: nil/"google"/"apple",
+    #              first_sign_in: bool }
+    #   Return: nil or truthy to proceed with sign-in.
+    #   Return { error: "message" } Hash to reject sign-in (error message is passed to the error flow).
+    field :before_sign_in, type: :any, default: nil
+
     # after_sign_in: Called after successful sign-in, before redirect.
     #   Receives: (account, request, context)
-    #   Context: { first_sign_in: bool, connection: "email"/"password"/"social", provider: nil/"google"/"apple" }
+    #   Context: { first_sign_in: bool, mechanism: "password"/"passwordless"/"social",
+    #              provider: nil/"google"/"apple", session: StandardId::Session }
     #   Return: nil (default redirect) or a path string (override redirect)
     #   Raise StandardId::AuthenticationDenied.new("message") to reject sign-in.
     field :after_sign_in, type: :any, default: nil
-
-    # after_account_created: Called after a new account is created via any mechanism.
-    #   Receives: (account, request, context)
-    #   Context: { mechanism: "passwordless"/"social"/"signup", provider: nil/"google"/"apple" }
-    field :after_account_created, type: :any, default: nil
   end
 
   scope :events do

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.10.0"
+  VERSION = "0.11.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.11.0
 platform: ruby
 authors:
 - Jaryl Sim