standard_id 0.3.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9878cd708e3ea39bc8cad97946dd6509c2423a815ade09c726d80c591f72cf7f
-  data.tar.gz: 4ee3cf785da092a4efd199dee423d214c0b99936928cd381e8167650474c9c7b
+  metadata.gz: a164420e3b36d754be94711721ead8cb4d29efed42fd6e75b0060e1c8c7c3bce
+  data.tar.gz: cded0bf7e847cc77ed0f6aa7c69647435c847d62ae02c2af1466778a507f88f4
 SHA512:
-  metadata.gz: 68cdd5a479a507d7647055b06534744f458546ac81a0a1bf71b0464739316ade506a50303a811fefac56142f223d1d913af4a41fd53243a1678ec64a50f48d5e
-  data.tar.gz: bb8137fb52314263901a3ed6640ef9b327f1397424b68776af4edd4b37be9d0da26e7974d5728252981823b9dd48fc4aec4825f960aec3a3769a20a7cef3ead4
+  metadata.gz: 0b9b506d8014bd8d8cd380b1f5300a87d2d6825e073e8b959c67cbfeac3eb577abe671c9dac330833c8d27ee010b87786f533ac4e247459d691dd956d5053faf
+  data.tar.gz: ec1a9973e61d08fff4579099dbcac25ad8355d140994c51c2621559d4aed39486d2fdd891b451ade775799f792c3db19916d555d3a50f3bc84d07ed77c1f0a52

data/README.md

@@ -787,8 +787,7 @@ class ApplicationController < ActionController::Base
   private
 
   def handle_account_locked(error)
-    # error.account     - The locked account
-    # error.lock_reason - Why the account was locked
+    # error.lock_reason - Why the account was locked (avoid exposing to end users)
     # error.locked_at   - When the account was locked
     redirect_to login_path, alert: "Your account has been locked. Please contact support."
   end

data/app/controllers/concerns/standard_id/audience_verification.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+module StandardId
+  # Per-controller audience verification for API endpoints.
+  #
+  # While StandardId validates that the JWT `aud` claim is in the global
+  # `allowed_audiences` list, this concern provides additional defense-in-depth
+  # by restricting which audiences are accepted by each controller.
+  #
+  # Requires StandardId::ApiAuthentication to be included before this concern
+  # (provides `verify_access_token!` and `current_session`). An error is raised
+  # at include time if ApiAuthentication is missing.
+  #
+  # The caller is responsible for registering `before_action :verify_access_token!`
+  # (typically via ApiAuthentication or a base controller). This concern only adds
+  # the `verify_audience!` callback, which must run after token verification so
+  # that `current_session` is populated. This is consistent with how
+  # `require_scopes!` works in ApiAuthentication.
+  #
+  # @example Single audience
+  #   class AdminController < Api::BaseController
+  #     include StandardId::AudienceVerification
+  #     verify_audience "admin"
+  #   end
+  #
+  # @example Multiple audiences
+  #   class SharedController < Api::BaseController
+  #     include StandardId::AudienceVerification
+  #     verify_audience "admin", "mobile"
+  #   end
+  module AudienceVerification
+    extend ActiveSupport::Concern
+
+    included do
+      unless ancestors.include?(StandardId::ApiAuthentication)
+        raise "#{name || 'Controller'} must include StandardId::ApiAuthentication before StandardId::AudienceVerification"
+      end
+
+      before_action :verify_audience!
+
+      rescue_from StandardId::InvalidAudienceError, with: :handle_invalid_audience
+
+      # Underscore prefix follows Rails class_attribute convention to avoid
+      # collisions with application method names.
+      class_attribute :_required_audiences, instance_writer: false, default: []
+    end
+
+    class_methods do
+      # Declare the allowed audiences for this controller.
+      # The token's `aud` claim must include at least one of these values.
+      #
+      # @param audiences [Array<String>] allowed JWT `aud` claim values
+      def verify_audience(*audiences)
+        self._required_audiences = audiences.flatten.map(&:to_s)
+      end
+    end
+
+    private
+
+    # Verifies the token's `aud` claim contains at least one of the required audiences.
+    # Supports both string and array `aud` claims.
+    #
+    # @raise [StandardId::InvalidAudienceError] when no audience matches
+    def verify_audience!
+      return if _required_audiences.empty?
+
+      # If authentication hasn't run (or token is invalid), let the auth
+      # layer handle 401 — don't mask it with a 403.
+      return unless current_session
+
+      token_audiences = Array(current_session.aud)
+      return if (token_audiences & _required_audiences).any?
+
+      raise StandardId::InvalidAudienceError.new(
+        required: _required_audiences,
+        actual: token_audiences
+      )
+    end
+
+    # Returns 403 Forbidden per RFC 6750 §3.1 (insufficient_scope).
+    # Includes WWW-Authenticate header per spec, consistent with the gem's
+    # 401 handling in Api::BaseController#render_bearer_unauthorized!.
+    #
+    # The header uses a static description rather than interpolating
+    # error.message (which contains raw aud values from the JWT) to
+    # avoid header injection via crafted audience strings.
+    #
+    # Override in your controller for custom error formatting.
+    def handle_invalid_audience(error)
+      response.set_header(
+        "WWW-Authenticate",
+        'Bearer error="insufficient_scope", error_description="The access token audience is not permitted for this resource"'
+      )
+      render json: { error: "insufficient_scope", error_description: error.message }, status: :forbidden
+    end
+  end
+end

data/app/controllers/concerns/standard_id/social_authentication.rb

@@ -47,7 +47,7 @@ module StandardId
           account: account,
           value: email
         )
-        identifier.verify! if identifier.respond_to?(:verify!)
+        identifier.verify! if identifier.respond_to?(:verify!) && [true, "true"].include?(social_info[:email_verified])
         emit_social_account_created(account, provider, social_info)
         account
       end

data/app/controllers/concerns/standard_id/web_authentication.rb

@@ -66,7 +66,13 @@ module StandardId
       )
 
       StandardId::PasswordCredential.find_by(login:).tap do |password_credential|
-        unless password_credential&.authenticate(password)
+        authenticated = password_credential&.authenticate(password)
+
+        # Perform a dummy bcrypt comparison when the credential doesn't exist
+        # to prevent user enumeration via response timing differences.
+        BCrypt::Password.new(dummy_password_digest).is_password?(password) unless password_credential
+
+        unless authenticated
           StandardId::Events.publish(
             StandardId::Events::AUTHENTICATION_FAILED,
             account_lookup: login,
@@ -103,6 +109,10 @@ module StandardId
       @token_manager ||= StandardId::Web::TokenManager.new(request)
     end
 
+    def dummy_password_digest
+      @dummy_password_digest ||= BCrypt::Password.create("").freeze
+    end
+
     def authentication_guard
       @authentication_guard ||= StandardId::Web::AuthenticationGuard.new
     end

data/app/forms/standard_id/web/signup_form.rb

@@ -37,8 +37,8 @@ module StandardId
       rescue ActiveRecord::RecordInvalid => e
         errors.add(:base, e.record.errors.full_messages.join(", "))
         false
-      rescue ActiveRecord::RecordNotUnique => e
-        errors.add(:base, e.message)
+      rescue ActiveRecord::RecordNotUnique
+        errors.add(:base, "Unable to complete registration. If you already have an account, please sign in.")
         false
       end
 

data/app/jobs/standard_id/cleanup_expired_sessions_job.rb

@@ -0,0 +1,15 @@
+module StandardId
+  class CleanupExpiredSessionsJob < ApplicationJob
+    queue_as :default
+
+    # Delete sessions that expired more than `grace_period_seconds` ago.
+    # A grace period avoids deleting sessions that just expired and might
+    # still be referenced in in-flight requests.
+    # Accepts integer seconds for reliable ActiveJob serialization across all queue adapters.
+    def perform(grace_period_seconds: 7.days.to_i)
+      cutoff = grace_period_seconds.seconds.ago
+      deleted = StandardId::Session.where("expires_at < ?", cutoff).delete_all
+      Rails.logger.info("[StandardId] Cleaned up #{deleted} expired sessions older than #{cutoff}")
+    end
+  end
+end

data/lib/standard_id/api/token_manager.rb

@@ -30,12 +30,9 @@ module StandardId
       end
 
       def bearer_token
-        return @bearer_token if @bearer_token.present?
+        return @bearer_token if defined?(@bearer_token)
 
-        auth_header = @request.headers["Authorization"]
-        return unless auth_header&.start_with?("Bearer ")
-
-        @bearer_token = auth_header.split(" ", 2).last
+        @bearer_token = StandardId::BearerTokenExtraction.extract(@request.headers["Authorization"])
       end
 
       def verify_jwt_token(token: bearer_token)

data/lib/standard_id/bearer_token_extraction.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module StandardId
+  # Bearer token extraction utility.
+  #
+  # This module serves two roles:
+  #
+  # 1. **Class method** (`BearerTokenExtraction.extract`) — pure extraction
+  #    logic used by TokenManager in lib/. Lives in lib/ so there is no
+  #    cross-layer dependency on app/ autoloading.
+  #
+  # 2. **Controller mixin** (`include StandardId::BearerTokenExtraction`) —
+  #    provides `extract_bearer_token` as a private instance method.
+  #    Conventionally, controller concerns live under app/controllers/concerns/,
+  #    but this module is co-located with the utility to keep the extraction
+  #    logic in a single file and avoid the same-constant-name conflict
+  #    between lib/ and app/ autoloading.
+  #
+  # Does not use ActiveSupport::Concern because it has no `included` or
+  # `class_methods` blocks — it is a plain Ruby module.
+  #
+  # Controllers that include StandardId::ApiAuthentication do NOT need this —
+  # token extraction is handled internally by the TokenManager.
+  #
+  # @example As a controller concern
+  #   class McpController < ActionController::API
+  #     include StandardId::BearerTokenExtraction
+  #
+  #     def authenticate!
+  #       token = extract_bearer_token
+  #       # validate token...
+  #     end
+  #   end
+  #
+  # @example Direct class method (used by TokenManager)
+  #   StandardId::BearerTokenExtraction.extract(auth_header)
+  module BearerTokenExtraction
+    # Extracts the Bearer token from a raw Authorization header value.
+    #
+    # Note: prior to the introduction of this module, TokenManager#bearer_token
+    # returned "" for a bare "Bearer " header. This now returns nil via .presence,
+    # which is the correct behavior — downstream JWT parsing receives nil instead
+    # of attempting to decode an empty string.
+    #
+    # @param auth_header [String, nil] the raw Authorization header value
+    # @return [String, nil] the bearer token, or nil if not present/empty
+    def self.extract(auth_header)
+      return unless auth_header&.start_with?("Bearer ")
+
+      auth_header.split(" ", 2).last.presence
+    end
+
+    private
+
+    # Extracts the token from an "Authorization: Bearer <token>" header.
+    # Result is memoized for the lifetime of the controller instance.
+    #
+    # @return [String, nil] the bearer token, or nil if not present
+    def extract_bearer_token
+      return @_bearer_token if defined?(@_bearer_token)
+
+      @_bearer_token = StandardId::BearerTokenExtraction.extract(request.headers["Authorization"])
+    end
+  end
+end

data/lib/standard_id/engine.rb

@@ -9,6 +9,11 @@ module StandardId
 
       StandardId::Events::Subscribers::AccountStatusSubscriber.attach
       StandardId::Events::Subscribers::AccountLockingSubscriber.attach
+
+      if StandardId.config.issuer.blank?
+        Rails.logger.warn("[StandardId] No issuer configured. JWT tokens will not include or verify the 'iss' claim. " \
+                          "Set StandardId.config.issuer in your initializer for production use.")
+      end
     end
   end
 end

data/lib/standard_id/errors.rb

@@ -1,22 +1,27 @@
 module StandardId
+  # Session errors
   class NotAuthenticatedError < StandardError; end
 
   class InvalidSessionError < StandardError; end
   class ExpiredSessionError < InvalidSessionError; end
   class RevokedSessionError < InvalidSessionError; end
+
+  # Account errors
   class AccountDeactivatedError < StandardError; end
 
   class AccountLockedError < StandardError
-    attr_reader :account, :lock_reason, :locked_at
+    # lock_reason and locked_at are available for logging and admin use.
+    # Avoid surfacing lock_reason in user-facing responses.
+    attr_reader :lock_reason, :locked_at
 
     def initialize(account)
-      @account = account
       @lock_reason = account.lock_reason
       @locked_at = account.locked_at
-      super("Account has been locked#{lock_reason ? ": #{lock_reason}" : ""}")
+      super("Account has been locked")
     end
   end
 
+  # OAuth errors
   class OAuthError < StandardError
     def oauth_error_code
       :invalid_request
@@ -64,4 +69,15 @@ module StandardId
   class UnsupportedResponseTypeError < OAuthError
     def oauth_error_code = :unsupported_response_type
   end
+
+  # Audience verification errors
+  class InvalidAudienceError < StandardError
+    attr_reader :required, :actual
+
+    def initialize(required:, actual:)
+      @required = required
+      @actual = actual
+      super("Token audience [#{actual.join(', ')}] does not match required audiences: #{required.join(', ')}")
+    end
+  end
 end

data/lib/standard_id/http_client.rb

@@ -3,19 +3,30 @@ require "uri"
 
 module StandardId
   class HttpClient
+    OPEN_TIMEOUT = 5
+    READ_TIMEOUT = 10
+
     class << self
       def post_form(endpoint, params)
         uri = URI(endpoint)
-        Net::HTTP.post_form(uri, params)
+        request = Net::HTTP::Post.new(uri)
+        request.set_form_data(params)
+        start_connection(uri) { |http| http.request(request) }
       end
 
       def get_with_bearer(endpoint, access_token)
         uri = URI(endpoint)
         request = Net::HTTP::Get.new(uri)
         request["Authorization"] = "Bearer #{access_token}"
-        Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
-          http.request(request)
-        end
+        start_connection(uri) { |http| http.request(request) }
+      end
+
+      private
+
+      def start_connection(uri, &block)
+        Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https",
+                                             open_timeout: OPEN_TIMEOUT,
+                                             read_timeout: READ_TIMEOUT, &block)
       end
     end
   end

data/lib/standard_id/oauth/password_flow.rb

@@ -76,6 +76,10 @@ module StandardId
           .includes(credential: :account)
           .find_by(login: username)
 
+        # Perform a dummy bcrypt comparison when the credential doesn't exist
+        # to prevent user enumeration via response timing differences.
+        BCrypt::Password.new(dummy_password_digest).is_password?(password) unless @credential
+
         @credential&.authenticate(password)&.account
       end
 
@@ -90,6 +94,10 @@ module StandardId
         end
       end
 
+      def dummy_password_digest
+        @dummy_password_digest ||= BCrypt::Password.create("").freeze
+      end
+
       def default_scope
         "read"
       end

data/lib/standard_id/oauth/token_lifetime_resolver.rb

@@ -1,17 +1,21 @@
 module StandardId
   module Oauth
     class TokenLifetimeResolver
-      class << self
-        DEFAULT_ACCESS_TOKEN_LIFETIME = 1.hour.to_i
-        DEFAULT_REFRESH_TOKEN_LIFETIME = 30.days.to_i
+      DEFAULT_ACCESS_TOKEN_LIFETIME = 1.hour.to_i
+      DEFAULT_REFRESH_TOKEN_LIFETIME = 30.days.to_i
+      MAX_ACCESS_TOKEN_LIFETIME = 24.hours.to_i
+      MAX_REFRESH_TOKEN_LIFETIME = 90.days.to_i
 
+      class << self
         def access_token_for(flow_key)
           configured = lookup_token_lifetime(flow_key)
-          positive_seconds(configured, default_access_token_lifetime)
+          lifetime = positive_seconds(configured, default_access_token_lifetime)
+          clamp_seconds(lifetime, MAX_ACCESS_TOKEN_LIFETIME)
         end
 
         def refresh_token_lifetime
-          positive_seconds(oauth_config.refresh_token_lifetime, DEFAULT_REFRESH_TOKEN_LIFETIME)
+          lifetime = positive_seconds(oauth_config.refresh_token_lifetime, DEFAULT_REFRESH_TOKEN_LIFETIME)
+          clamp_seconds(lifetime, MAX_REFRESH_TOKEN_LIFETIME)
         end
 
         private
@@ -41,6 +45,16 @@ module StandardId
           (normalized_value.positive? ? normalized_value : fallback_value).seconds
         end
 
+        def clamp_seconds(duration, max)
+          seconds = duration.to_i
+          if seconds > max
+            Rails.logger.warn { "[StandardId] Token lifetime #{seconds}s exceeds maximum #{max}s, clamping to #{max}s" }
+            max.seconds
+          else
+            duration
+          end
+        end
+
         def oauth_config
           StandardId.config.oauth
         end

data/lib/standard_id/version.rb

@@ -1,3 +1,3 @@
 module StandardId
-  VERSION = "0.3.0"
+  VERSION = "0.3.1"
 end

data/lib/standard_id.rb

@@ -13,6 +13,7 @@ require "standard_id/events/subscribers/account_locking_subscriber"
 require "standard_id/account_status"
 require "standard_id/account_locking"
 require "standard_id/http_client"
+require "standard_id/bearer_token_extraction"
 require "standard_id/jwt_service"
 require "standard_id/web/session_manager"
 require "standard_id/web/token_manager"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Jaryl Sim
@@ -80,6 +80,7 @@ files:
 - app/assets/stylesheets/standard_id/application.css
 - app/channels/concerns/standard_id/cable_authentication.rb
 - app/controllers/concerns/standard_id/api_authentication.rb
+- app/controllers/concerns/standard_id/audience_verification.rb
 - app/controllers/concerns/standard_id/inertia_rendering.rb
 - app/controllers/concerns/standard_id/inertia_support.rb
 - app/controllers/concerns/standard_id/passwordless_strategy.rb
@@ -117,6 +118,7 @@ files:
 - app/forms/standard_id/web/signup_form.rb
 - app/helpers/standard_id/application_helper.rb
 - app/jobs/standard_id/application_job.rb
+- app/jobs/standard_id/cleanup_expired_sessions_job.rb
 - app/mailers/standard_id/application_mailer.rb
 - app/models/concerns/standard_id/account_associations.rb
 - app/models/concerns/standard_id/credentiable.rb
@@ -171,6 +173,7 @@ files:
 - lib/standard_id/api/session_manager.rb
 - lib/standard_id/api/token_manager.rb
 - lib/standard_id/api_engine.rb
+- lib/standard_id/bearer_token_extraction.rb
 - lib/standard_id/config/schema.rb
 - lib/standard_id/current_attributes.rb
 - lib/standard_id/engine.rb