standard_id 0.2.9 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2452ed8123165d861c0336f59c980b08aad25936f3a1aaee39a2b13f370148b8
-  data.tar.gz: a1390102deff80b924ac9d6ce5f53e260a0daaf0001524486f909c9d64c422d9
+  metadata.gz: 9878cd708e3ea39bc8cad97946dd6509c2423a815ade09c726d80c591f72cf7f
+  data.tar.gz: 4ee3cf785da092a4efd199dee423d214c0b99936928cd381e8167650474c9c7b
 SHA512:
-  metadata.gz: 598e2740f693cc6e1f58c77f02897fe2f39c6bd2c2748c7f40bd729bafe1f15bc80fccc6755daeabe0a1ca2a08c0bb547b5f308f0596a233dc6e7ca81939c68f
-  data.tar.gz: eae44ac9c2cb4d0226547519b8d67ff042b4e3395efd0ffb91cb41ba7b9d8789c2f1a6afbfc4e2f75dcb32aad27ec9414ccbe30906b28d83f5bac842c42fa482
+  metadata.gz: 68cdd5a479a507d7647055b06534744f458546ac81a0a1bf71b0464739316ade506a50303a811fefac56142f223d1d913af4a41fd53243a1678ec64a50f48d5e
+  data.tar.gz: bb8137fb52314263901a3ed6640ef9b327f1397424b68776af4edd4b37be9d0da26e7974d5728252981823b9dd48fc4aec4825f960aec3a3769a20a7cef3ead4

data/README.md

@@ -516,27 +516,71 @@ StandardId::Events.subscribe(/social/) do |event|
 end
 ```
 
-#### Class-based (complex logic)
+### Audit Logging
+
+For production audit trails, use the [standard_audit](https://github.com/rarebit-one/standard_audit) gem. StandardId and StandardAudit have zero direct references to each other — the host application wires them together.
+
+#### Setup
+
+Add both gems to your Gemfile:
 
 ```ruby
-# app/subscribers/audit_subscriber.rb
-class AuditSubscriber < StandardId::Events::Subscribers::Base
-  subscribe_to StandardId::Events::SECURITY_EVENTS
+gem "standard_id"
+gem "standard_audit"
+```
 
-  def call(event)
-    AuditLog.create!(
-      event_type: event.short_name,
-      account_id: event[:account]&.id,
-      ip_address: event[:ip_address],
-      metadata: event.payload
-    )
-  end
+Run the StandardAudit install generator:
+
+```bash
+rails generate standard_audit:install
+rails db:migrate
+```
+
+#### Wiring StandardId events to StandardAudit
+
+Configure StandardAudit to subscribe to StandardId's event namespace and map its payload conventions:
+
+```ruby
+# config/initializers/standard_audit.rb
+StandardAudit.configure do |config|
+  config.subscribe_to /\Astandard_id\./
+
+  # StandardId uses :account and :current_account rather than :actor/:target.
+  # Map them so StandardAudit extracts the right records.
+  config.actor_extractor = ->(payload) {
+    payload[:current_account] || payload[:account]
+  }
+
+  config.target_extractor = ->(payload) {
+    # Only set a target when the actor (current_account) differs from the
+    # account being acted upon — e.g. an admin locking another user.
+    if payload[:current_account]
+      target = payload[:account] || payload[:client_application]
+      target unless target == payload[:current_account]
+    end
+  }
 end
+```
 
-# config/initializers/standard_id_events.rb
-AuditSubscriber.attach
+That's it. Every StandardId authentication event will now be persisted as an audit log entry. No changes are needed inside StandardId itself.
+
+#### Querying audit logs
+
+```ruby
+# All auth events for a user
+StandardAudit::AuditLog.for_actor(user).reverse_chronological
+
+# Failed logins this week
+StandardAudit::AuditLog
+  .by_event_type("standard_id.authentication.attempt.failed")
+  .this_week
+
+# All activity from an IP address
+StandardAudit::AuditLog.from_ip("192.168.1.1")
 ```
 
+See the [StandardAudit README](https://github.com/rarebit-one/standard_audit) for the full query interface, async processing, GDPR compliance, and multi-tenancy support.
+
 ## Account Status (Activation/Deactivation)
 
 StandardId provides an optional `AccountStatus` concern for managing account activation and deactivation. This uses Rails enum with the event system to enforce status checks and handle side effects without modifying core authentication logic.

data/app/controllers/concerns/standard_id/passwordless_strategy.rb

@@ -0,0 +1,18 @@
+module StandardId
+  module PasswordlessStrategy
+    extend ActiveSupport::Concern
+
+    STRATEGY_MAP = {
+      "email" => StandardId::Passwordless::EmailStrategy,
+      "sms"   => StandardId::Passwordless::SmsStrategy
+    }.freeze
+
+    private
+
+    def strategy_for(connection)
+      klass = STRATEGY_MAP[connection]
+      raise StandardId::InvalidRequestError, "Unsupported connection type: #{connection}" unless klass
+      klass.new(request)
+    end
+  end
+end

data/app/controllers/standard_id/api/passwordless_controller.rb

@@ -1,10 +1,7 @@
 module StandardId
   module Api
     class PasswordlessController < BaseController
-      STRATEGY_MAP = {
-        "email" => StandardId::Passwordless::EmailStrategy,
-        "sms"   => StandardId::Passwordless::SmsStrategy
-      }.freeze
+      include StandardId::PasswordlessStrategy
 
       def start
         raise StandardId::InvalidRequestError, "username, email, or phone_number parameter is required" if start_params[:username].blank?
@@ -16,12 +13,6 @@ module StandardId
 
       private
 
-      def strategy_for(connection)
-        klass = STRATEGY_MAP[connection]
-        raise StandardId::InvalidRequestError, "Unsupported connection type: #{connection}" unless klass
-        klass.new(request)
-      end
-
       def start_params
         return @start_params if @start_params.present?
 

data/app/controllers/standard_id/web/login_controller.rb

@@ -3,7 +3,7 @@ module StandardId
     class LoginController < BaseController
       include StandardId::InertiaRendering
       include StandardId::Web::SocialLoginParams
-
+      include StandardId::PasswordlessStrategy
 
       layout "public"
 
@@ -16,19 +16,62 @@ module StandardId
         @redirect_uri = params[:redirect_uri] || after_authentication_url
         @connection = params[:connection]
 
-        render_with_inertia props: auth_page_props
+        render_with_inertia props: auth_page_props(passwordless_enabled: passwordless_enabled?)
       end
 
       def create
+        if passwordless_enabled?
+          handle_passwordless_login
+        else
+          handle_password_login
+        end
+      end
+
+      private
+
+      def passwordless_enabled?
+        StandardId.config.passwordless.enabled
+      end
+
+      def handle_password_login
         if sign_in_account(login_params)
           redirect_to params[:redirect_uri] || after_authentication_url, status: :see_other, notice: "Successfully signed in"
         else
           flash.now[:alert] = "Invalid email or password"
-          render_with_inertia action: :show, props: auth_page_props, status: :unprocessable_content
+          render_with_inertia action: :show, props: auth_page_props(passwordless_enabled: passwordless_enabled?), status: :unprocessable_content
         end
       end
 
-      private
+      def handle_passwordless_login
+        email = login_params[:email].to_s.strip.downcase
+        connection = StandardId.config.passwordless.connection
+
+        if email.blank?
+          flash.now[:alert] = "Please enter your email address"
+          render_with_inertia action: :show, props: auth_page_props(passwordless_enabled: passwordless_enabled?), status: :unprocessable_content
+          return
+        end
+
+        strategy = strategy_for(connection)
+
+        begin
+          strategy.start!(username: email, connection: connection)
+        rescue StandardId::InvalidRequestError => e
+          flash.now[:alert] = e.message
+          render_with_inertia action: :show, props: auth_page_props(passwordless_enabled: passwordless_enabled?), status: :unprocessable_content
+          return
+        end
+
+        code_ttl = StandardId.config.passwordless.code_ttl
+        signed_payload = Rails.application.message_verifier(:otp).generate(
+          { username: email, connection: connection },
+          expires_in: code_ttl.seconds
+        )
+        session[:standard_id_otp_payload] = signed_payload
+        session[:return_to_after_authenticating] = params[:redirect_uri] if params[:redirect_uri].present?
+
+        redirect_to login_verify_path, status: :see_other
+      end
 
       def redirect_if_authenticated
         redirect_to after_authentication_url, status: :see_other, notice: "You are already signed in" if authenticated?

data/app/controllers/standard_id/web/login_verify_controller.rb

@@ -0,0 +1,170 @@
+module StandardId
+  module Web
+    class LoginVerifyController < BaseController
+      include StandardId::InertiaRendering
+      include StandardId::PasswordlessStrategy
+
+      class OtpVerificationFailed < StandardError; end
+
+      layout "public"
+
+      skip_before_action :require_browser_session!, only: [:show, :update]
+
+      before_action :ensure_passwordless_enabled!
+      before_action :redirect_if_authenticated, only: [:show]
+      before_action :require_otp_payload!
+
+      def show
+        render_with_inertia props: verify_page_props
+      end
+
+      def update
+        code = params[:code].to_s.strip
+
+        if code.blank?
+          flash.now[:alert] = "Please enter the verification code"
+          render_with_inertia action: :show, props: verify_page_props, status: :unprocessable_content
+          return
+        end
+
+        # Record failed attempts outside the main transaction so they persist
+        challenge = find_active_challenge
+        attempts = record_attempt(challenge, code)
+
+        if challenge.blank? || !ActiveSupport::SecurityUtils.secure_compare(challenge.code, code)
+          emit_otp_validation_failed(attempts) if challenge.present?
+
+          flash.now[:alert] = "Invalid or expired verification code"
+          render_with_inertia action: :show, props: verify_page_props, status: :unprocessable_content
+          return
+        end
+
+        strategy = strategy_for(@otp_data[:connection])
+
+        begin
+          ActiveRecord::Base.transaction do
+            # Re-fetch with lock inside transaction to prevent concurrent use
+            locked_challenge = StandardId::CodeChallenge.lock.find(challenge.id)
+            raise OtpVerificationFailed unless locked_challenge.active?
+
+            account = strategy.find_or_create_account(@otp_data[:username])
+            locked_challenge.use!
+
+            emit_otp_validated(account, locked_challenge)
+            session_manager.sign_in_account(account)
+            emit_authentication_succeeded(account)
+          end
+        rescue OtpVerificationFailed
+          flash.now[:alert] = "Invalid or expired verification code"
+          render_with_inertia action: :show, props: verify_page_props, status: :unprocessable_content
+          return
+        rescue ActiveRecord::RecordInvalid => e
+          flash.now[:alert] = "Unable to complete sign in: #{e.record.errors.full_messages.to_sentence}"
+          render_with_inertia action: :show, props: verify_page_props, status: :unprocessable_content
+          return
+        end
+
+        session.delete(:standard_id_otp_payload)
+
+        redirect_to after_authentication_url, status: :see_other, notice: "Successfully signed in"
+      end
+
+      private
+
+      def ensure_passwordless_enabled!
+        return if StandardId.config.passwordless.enabled
+
+        session.delete(:standard_id_otp_payload)
+        redirect_to login_path, alert: "Passwordless login is not available"
+      end
+
+      def redirect_if_authenticated
+        redirect_to after_authentication_url, status: :see_other if authenticated?
+      end
+
+      def require_otp_payload!
+        signed_payload = session[:standard_id_otp_payload]
+
+        if signed_payload.blank?
+          redirect_to login_path, alert: "Please start the login process"
+          return
+        end
+
+        begin
+          @otp_data = Rails.application.message_verifier(:otp).verify(signed_payload).symbolize_keys
+        rescue ActiveSupport::MessageVerifier::InvalidSignature
+          session.delete(:standard_id_otp_payload)
+          redirect_to login_path, alert: "Your verification session has expired. Please try again."
+        end
+      end
+
+      def find_active_challenge
+        StandardId::CodeChallenge.active.find_by(
+          realm: "authentication",
+          channel: @otp_data[:connection],
+          target: @otp_data[:username]
+        )
+      end
+
+      def record_attempt(challenge, code)
+        return 0 if challenge.blank?
+        return 0 if ActiveSupport::SecurityUtils.secure_compare(challenge.code, code)
+
+        attempts = (challenge.metadata["attempts"] || 0) + 1
+        challenge.update!(metadata: challenge.metadata.merge("attempts" => attempts))
+
+        max_attempts = StandardId.config.passwordless.max_attempts
+        challenge.use! if attempts >= max_attempts
+
+        attempts
+      end
+
+      def emit_otp_validated(account, challenge)
+        StandardId::Events.publish(
+          StandardId::Events::OTP_VALIDATED,
+          account: account,
+          channel: @otp_data[:connection]
+        )
+        StandardId::Events.publish(
+          StandardId::Events::PASSWORDLESS_CODE_VERIFIED,
+          code_challenge: challenge,
+          account: account,
+          channel: @otp_data[:connection]
+        )
+      end
+
+      def emit_otp_validation_failed(attempts)
+        StandardId::Events.publish(
+          StandardId::Events::OTP_VALIDATION_FAILED,
+          identifier: @otp_data[:username],
+          channel: @otp_data[:connection],
+          attempts: attempts
+        )
+        StandardId::Events.publish(
+          StandardId::Events::PASSWORDLESS_CODE_FAILED,
+          identifier: @otp_data[:username],
+          channel: @otp_data[:connection],
+          attempts: attempts
+        )
+      end
+
+      def emit_authentication_succeeded(account)
+        StandardId::Events.publish(
+          StandardId::Events::AUTHENTICATION_SUCCEEDED,
+          account: account,
+          auth_method: "passwordless_otp",
+          session_type: "browser"
+        )
+      end
+
+      def verify_page_props
+        {
+          flash: {
+            notice: flash[:notice],
+            alert: flash[:alert]
+          }.compact
+        }
+      end
+    end
+  end
+end

data/app/views/standard_id/web/login_verify/show.html.erb

@@ -0,0 +1,35 @@
+<%# ERB fallback for non-Inertia rendering. Flash is read directly here;
+    Inertia clients receive structured flash via verify_page_props instead. %>
+<% content_for :title, "Verify Code" %>
+
+<div class="flex min-h-full flex-col justify-center py-12 sm:px-6 lg:px-8">
+  <div class="sm:mx-auto sm:w-full sm:max-w-md">
+    <h2 class="mt-6 text-center text-2xl/9 font-bold tracking-tight text-gray-900 dark:text-white">Enter verification code</h2>
+    <p class="mt-2 text-center text-sm text-gray-500 dark:text-gray-400">We sent you a verification code.</p>
+  </div>
+
+  <div class="mt-10 sm:mx-auto sm:w-full sm:max-w-[480px]">
+    <div class="bg-white px-6 py-12 shadow sm:rounded-lg sm:px-12 dark:bg-gray-800/50 dark:shadow-none dark:outline dark:outline-1 dark:-outline-offset-1 dark:outline-white/10">
+
+      <% if flash[:alert].present? %>
+        <div class="mb-4 rounded-md bg-red-50 p-4 text-sm text-red-700 dark:bg-red-900/20 dark:text-red-300"><%= flash[:alert] %></div>
+      <% end %>
+      <% if flash[:notice].present? %>
+        <div class="mb-4 rounded-md bg-green-50 p-4 text-sm text-green-700 dark:bg-green-900/20 dark:text-green-300"><%= flash[:notice] %></div>
+      <% end %>
+
+      <%= form_with url: login_verify_path, method: :patch, local: true, html: { class: "space-y-6" } do |form| %>
+        <div>
+          <%= form.label :code, "Verification code", class: "block text-sm/6 font-medium text-gray-900 dark:text-white" %>
+          <div class="mt-2">
+            <%= form.text_field :code, required: true, autofocus: true, autocomplete: "one-time-code", inputmode: "numeric", maxlength: 6, class: "block w-full rounded-md bg-white px-3 py-1.5 text-base text-gray-900 outline outline-1 -outline-offset-1 outline-gray-300 placeholder:text-gray-400 focus:outline focus:outline-2 focus:-outline-offset-2 focus:outline-indigo-600 sm:text-sm/6 dark:bg-white/5 dark:text-white dark:outline-white/10 dark:placeholder:text-gray-500 dark:focus:outline-indigo-500" %>
+          </div>
+        </div>
+
+        <div>
+          <%= form.submit "Verify", class: "flex w-full justify-center rounded-md bg-indigo-600 px-3 py-1.5 text-sm/6 font-semibold text-white shadow-sm hover:bg-indigo-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-indigo-600 dark:bg-indigo-500 dark:shadow-none dark:hover:bg-indigo-400 dark:focus-visible:outline-indigo-500" %>
+        </div>
+      <% end %>
+    </div>
+  </div>
+</div>

data/config/brakeman.ignore

@@ -0,0 +1,30 @@
+{
+  "ignored_warnings": [
+    {
+      "fingerprint": "24fc02735a2ad863d6bf1171a4a329b208e9e7c41841fa0149d8e6878d4ce299",
+      "note": "Auth engine intentionally redirects to params[:redirect_uri] after signup for OAuth/post-auth flow"
+    },
+    {
+      "fingerprint": "6b35e9906d62a9b9cd0dff9cf53924d40e74bc4f96cfccf27e67e93551113243",
+      "note": "Auth engine intentionally redirects to params[:redirect_uri] after logout for OAuth/post-auth flow"
+    },
+    {
+      "fingerprint": "8fddb7968577ac46fdda8e799f476c3eced60cc585da9c30fa61117f91e04ab9",
+      "note": "HEAD vs GET distinction is inconsequential here; redirect_to_login adding redirect_uri param on GET-only is safe"
+    },
+    {
+      "fingerprint": "bdbc72619da2ba771b1185ccf16acce801066689bf51adf116eab8c8714b39af",
+      "note": "HEAD vs GET distinction is inconsequential here; storing return URL on GET-only is safe"
+    },
+    {
+      "fingerprint": "16bd6ec7c3fa130eb80c15fc90c87f9859d89b37258807bfaffe4101366611a6",
+      "note": "Auth engine intentionally redirects to params[:redirect_uri] after login for OAuth/post-auth flow"
+    },
+    {
+      "fingerprint": "e4f96cb212c73c3165c3db6eaa6368c29d362b61264f034e80c9fa6705d72e5b",
+      "note": "Auth engine intentionally redirects to params[:redirect_uri] when user is not authenticated"
+    }
+  ],
+  "updated": "2026-02-27",
+  "brakeman_version": "8.0.2"
+}

data/config/routes/web.rb

@@ -2,6 +2,7 @@ StandardId::WebEngine.routes.draw do
   scope module: :web do
     # Authentication flows
     resource :login, only: [:show, :create], controller: :login
+    resource :login_verify, only: [:show, :update], controller: :login_verify
     resource :logout, only: [:create], controller: :logout
     resource :signup, only: [:show, :create], controller: :signup
 

data/lib/generators/standard_id/install/templates/standard_id.rb

@@ -101,6 +101,8 @@ StandardId.configure do |c|
   # Events
   # Enable or disable logging emitted via the internal event system
   # c.events.enable_logging = false
+  #
+  # For audit logging, use the standard_audit gem. See the README for wiring instructions.
 
   # Social login credentials (if enabled in your app)
   # c.social.google_client_id     = ENV["GOOGLE_CLIENT_ID"]

data/lib/standard_id/api/session_manager.rb

@@ -12,7 +12,9 @@ module StandardId
 
       def current_account
         return unless current_session
-        @current_account ||= StandardId.account_class.find_by(id: current_session.account_id)
+        @current_account ||= StandardId.account_class
+          .find_by(id: current_session.account_id)
+          &.tap { |a| a.strict_loading!(false) }
       end
 
       def revoke_current_session!

data/lib/standard_id/config/schema.rb

@@ -23,6 +23,8 @@ StandardConfig.schema.draw do
   end
 
   scope :passwordless do
+    field :enabled, type: :boolean, default: false
+    field :connection, type: :string, default: "email"
     field :code_ttl, type: :integer, default: 600 # 10 minutes in seconds
     field :max_attempts, type: :integer, default: 3
     field :retry_delay, type: :integer, default: 30 # 30 seconds

data/lib/standard_id/passwordless/base_strategy.rb

@@ -34,7 +34,7 @@ module StandardId
           channel: connection_type,
           target: username,
           code: code,
-          expires_at: 10.minutes.from_now,
+          expires_at: StandardId.config.passwordless.code_ttl.seconds.from_now,
           ip_address: request.remote_ip,
           user_agent: request.user_agent
         )

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.2.9"
+  VERSION = "0.3.0"
 end

data/lib/standard_id/web/session_manager.rb

@@ -15,7 +15,7 @@ module StandardId
       end
 
       def current_account
-        Current.account ||= current_session&.account
+        Current.account ||= current_session&.account&.tap { |a| a.strict_loading!(false) }
       end
 
       def sign_in_account(account)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.2.9
+  version: 0.3.0
 platform: ruby
 authors:
 - Jaryl Sim
@@ -51,6 +51,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.7'
+- !ruby/object:Gem::Dependency
+  name: ostruct
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: StandardId is an authentication engine that provides a complete, secure-by-default
   solution for identity management, reducing boilerplate and eliminating common security
   pitfalls.
@@ -68,6 +82,7 @@ files:
 - app/controllers/concerns/standard_id/api_authentication.rb
 - app/controllers/concerns/standard_id/inertia_rendering.rb
 - app/controllers/concerns/standard_id/inertia_support.rb
+- app/controllers/concerns/standard_id/passwordless_strategy.rb
 - app/controllers/concerns/standard_id/set_current_request_details.rb
 - app/controllers/concerns/standard_id/social_authentication.rb
 - app/controllers/concerns/standard_id/web/social_login_params.rb
@@ -85,6 +100,7 @@ files:
 - app/controllers/standard_id/web/auth/callback/providers_controller.rb
 - app/controllers/standard_id/web/base_controller.rb
 - app/controllers/standard_id/web/login_controller.rb
+- app/controllers/standard_id/web/login_verify_controller.rb
 - app/controllers/standard_id/web/logout_controller.rb
 - app/controllers/standard_id/web/reset_password/confirm_controller.rb
 - app/controllers/standard_id/web/reset_password/start_controller.rb
@@ -123,10 +139,12 @@ files:
 - app/views/standard_id/web/account/show.html.erb
 - app/views/standard_id/web/auth/callback/providers/mobile_callback.html.erb
 - app/views/standard_id/web/login/show.html.erb
+- app/views/standard_id/web/login_verify/show.html.erb
 - app/views/standard_id/web/reset_password/confirm/show.html.erb
 - app/views/standard_id/web/reset_password/start/show.html.erb
 - app/views/standard_id/web/sessions/index.html.erb
 - app/views/standard_id/web/signup/show.html.erb
+- config/brakeman.ignore
 - config/initializers/generators.rb
 - config/initializers/migration_helpers.rb
 - config/routes/api.rb
@@ -214,7 +232,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 4.0.3
 specification_version: 4
 summary: A comprehensive authentication engine for Rails, built on the security primitives
   introduced in Rails 7/8.