standard_id 0.3.2 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0f0a6bc5ee9c7ea15e8f9ea7bee06f7cb080da52fade31a85bb0d0ead5207552
-  data.tar.gz: 8dffbedfccd7f2434fbf77befe544ebb0c2dc55e4bbbbfb105c11254543e8103
+  metadata.gz: 6f6c0f3655d0ae20c828fa745d3c600bcf9b0b11521c1c498eb601d35e24e3e2
+  data.tar.gz: 1f3cca500ec2bf46a4e92b9d8d4a14c7c5fff2d898567a616094b47fd7af5312
 SHA512:
-  metadata.gz: dd96b17327a9468bd2128dea33826450009949e73b6579e36f7c422cd5f9e8aa36a1201de4019e523f79f709539a2cc2e4f8c92dabb15fdef0505488fb3c9cb1
-  data.tar.gz: 74e0c84b638ecb2ab7dbc7f7303617e8b2614fc62f9c8218f33da27136f267f41f6ca676afdff2197395eff5410b538fc186f3c9c9f1c7148cd43bc653b22b57
+  metadata.gz: d9cb2f2cafa4ddfb0af5839168db2566769b968689a3386c5519b0dc0e06bf0a5cd1a1434df57885549000c85e5eabb2b2608b276338f969625833d09de0c118
+  data.tar.gz: 4a382d6268709dfe42bac61e60f969153e5054831345250ada9c08436f0681fe5a4b58454ffbf3c00f506ec40308f031e28ac65acd52c8484f7c1adbd0c88738

data/app/controllers/concerns/standard_id/controller_policy.rb

@@ -0,0 +1,99 @@
+require "monitor"
+require "set"
+
+module StandardId
+  module ControllerPolicy
+    extend ActiveSupport::Concern
+
+    included do
+      class_attribute :_standard_id_auth_policy, instance_writer: false
+    end
+
+    class_methods do
+      # Declares this controller as public (no host-app auth required).
+      def public_controller
+        self._standard_id_auth_policy = :public
+        ControllerPolicy.register(self, :public)
+      end
+
+      # Declares this controller as authenticated (requires host-app
+      # authentication but not authorization).
+      def authenticated_controller
+        self._standard_id_auth_policy = :authenticated
+        ControllerPolicy.register(self, :authenticated)
+      end
+
+      # Auto-register subclasses that inherit a policy declaration.
+      # This ensures controllers like VerifyEmail::ConfirmController
+      # (which inherits from VerifyEmail::BaseController) appear in
+      # the registry and receive AuthorizationBypass skips.
+      def inherited(subclass)
+        super
+        policy = subclass._standard_id_auth_policy
+        ControllerPolicy.register(subclass, policy) if policy
+      end
+    end
+
+    # Monitor instead of Mutex: registry is called from within synchronized
+    # blocks (e.g. register, public_controllers), so we need reentrant locking.
+    LOCK = Monitor.new
+    private_constant :LOCK
+
+    class << self
+      def public_controllers
+        LOCK.synchronize { registry[:public].dup }
+      end
+
+      def authenticated_controllers
+        LOCK.synchronize { registry[:authenticated].dup }
+      end
+
+      def all_controllers
+        LOCK.synchronize { registry[:public] + registry[:authenticated] }
+      end
+
+      # Registers a controller under the given policy. Raises if the
+      # controller is already registered under the opposite policy.
+      # Re-registering under the same policy is a safe no-op (Set semantics).
+      def register(controller, policy)
+        LOCK.synchronize do
+          other = policy == :public ? :authenticated : :public
+          if registry[other].include?(controller)
+            raise ArgumentError, "#{controller} is already registered as #{other}"
+          end
+
+          registry[policy] << controller
+        end
+
+        # If AuthorizationBypass has already been applied, apply skips to this
+        # newly registered controller immediately. This handles dev-mode lazy
+        # loading where controllers register after the initial apply_skips! call.
+        AuthorizationBypass.apply_to_controller(controller, policy) if AuthorizationBypass.applied?
+      end
+
+      # Returns a point-in-time copy of the registry, safe to iterate
+      # without holding the lock.
+      def registry_snapshot
+        LOCK.synchronize do
+          (@registry ||= { public: Set.new, authenticated: Set.new })
+            .transform_values(&:dup)
+        end
+      end
+
+      private
+
+      def registry
+        LOCK.synchronize { @registry ||= { public: Set.new, authenticated: Set.new } }
+      end
+
+      public
+
+      # @api private — intended for test isolation only.
+      def reset_registry!
+        LOCK.synchronize do
+          @registry = { public: Set.new, authenticated: Set.new }
+        end
+      end
+    end
+  end
+end

data/app/controllers/standard_id/api/authorization_controller.rb

@@ -1,6 +1,8 @@
 module StandardId
   module Api
     class AuthorizationController < BaseController
+      public_controller
+
       include ActionController::Cookies
 
       skip_before_action :validate_content_type!

data/app/controllers/standard_id/api/base_controller.rb

@@ -1,6 +1,7 @@
 module StandardId
   module Api
     class BaseController < ActionController::API
+      include StandardId::ControllerPolicy
       include StandardId::ApiAuthentication
       include StandardId::SetCurrentRequestDetails
 

data/app/controllers/standard_id/api/oauth/callback/providers_controller.rb

@@ -2,6 +2,8 @@ module StandardId
   module Api::Oauth
     module Callback
       class ProvidersController < BaseController
+        public_controller
+
         include StandardId::SocialAuthentication
 
         skip_before_action :validate_content_type!

data/app/controllers/standard_id/api/oauth/tokens_controller.rb

@@ -2,6 +2,8 @@ module StandardId
   module Api
     module Oauth
       class TokensController < BaseController
+        public_controller
+
         skip_before_action :validate_content_type!
 
         FLOW_STRATEGIES = {

data/app/controllers/standard_id/api/oidc/logout_controller.rb

@@ -2,6 +2,8 @@ module StandardId
   module Api
     module Oidc
       class LogoutController < ::StandardId::Api::BaseController
+        public_controller
+
         include ActionController::Cookies
 
         skip_before_action :validate_content_type!

data/app/controllers/standard_id/api/passwordless_controller.rb

@@ -1,6 +1,8 @@
 module StandardId
   module Api
     class PasswordlessController < BaseController
+      public_controller
+
       include StandardId::PasswordlessStrategy
 
       def start

data/app/controllers/standard_id/api/userinfo_controller.rb

@@ -1,6 +1,8 @@
 module StandardId
   module Api
     class UserinfoController < BaseController
+      authenticated_controller
+
       skip_before_action :validate_content_type!
 
       def show

data/app/controllers/standard_id/api/well_known/jwks_controller.rb

@@ -3,7 +3,13 @@
 module StandardId
   module Api
     module WellKnown
+      # Inherits from ActionController::API (not Api::BaseController) to avoid
+      # content-type validation and no-store cache headers — JWKS is a public,
+      # cacheable endpoint. Includes ControllerPolicy directly as a result.
       class JwksController < ActionController::API
+        include StandardId::ControllerPolicy
+        public_controller
+
         def show
           jwks = StandardId::JwtService.jwks
 

data/app/controllers/standard_id/web/account_controller.rb

@@ -1,6 +1,8 @@
 module StandardId
   module Web
     class AccountController < BaseController
+      authenticated_controller
+
       def show
         @account = current_account
         @sessions = current_account.sessions.active.order(created_at: :desc)

data/app/controllers/standard_id/web/auth/callback/providers_controller.rb

@@ -3,6 +3,8 @@ module StandardId
     module Auth
       module Callback
         class ProvidersController < StandardId::Web::BaseController
+          public_controller
+
           include StandardId::WebAuthentication
           include StandardId::SocialAuthentication
           include StandardId::Web::SocialLoginParams

data/app/controllers/standard_id/web/base_controller.rb

@@ -1,6 +1,7 @@
 module StandardId
   module Web
     class BaseController < ApplicationController
+      include StandardId::ControllerPolicy
       include StandardId::WebAuthentication
       include StandardId::SetCurrentRequestDetails
 

data/app/controllers/standard_id/web/login_controller.rb

@@ -1,6 +1,8 @@
 module StandardId
   module Web
     class LoginController < BaseController
+      public_controller
+
       include StandardId::InertiaRendering
       include StandardId::Web::SocialLoginParams
       include StandardId::PasswordlessStrategy

data/app/controllers/standard_id/web/login_verify_controller.rb

@@ -1,10 +1,9 @@
 module StandardId
   module Web
     class LoginVerifyController < BaseController
-      include StandardId::InertiaRendering
-      include StandardId::PasswordlessStrategy
+      public_controller
 
-      class OtpVerificationFailed < StandardError; end
+      include StandardId::InertiaRendering
 
       layout "public"
 
@@ -27,42 +26,21 @@ module StandardId
           return
         end
 
-        # Record failed attempts outside the main transaction so they persist
-        challenge = find_active_challenge
-        attempts = record_attempt(challenge, code)
-
-        if challenge.blank? || !ActiveSupport::SecurityUtils.secure_compare(challenge.code, code)
-          emit_otp_validation_failed(attempts) if challenge.present?
+        result = StandardId::Passwordless::VerificationService.verify(
+          connection: @otp_data[:connection],
+          username: @otp_data[:username],
+          code: code,
+          request: request
+        )
 
-          flash.now[:alert] = "Invalid or expired verification code"
+        unless result.success?
+          flash.now[:alert] = result.error
           render_with_inertia action: :show, props: verify_page_props, status: :unprocessable_content
           return
         end
 
-        strategy = strategy_for(@otp_data[:connection])
-
-        begin
-          ActiveRecord::Base.transaction do
-            # Re-fetch with lock inside transaction to prevent concurrent use
-            locked_challenge = StandardId::CodeChallenge.lock.find(challenge.id)
-            raise OtpVerificationFailed unless locked_challenge.active?
-
-            account = strategy.find_or_create_account(@otp_data[:username])
-            locked_challenge.use!
-
-            emit_otp_validated(account, locked_challenge)
-            session_manager.sign_in_account(account)
-            emit_authentication_succeeded(account)
-          end
-        rescue OtpVerificationFailed
-          flash.now[:alert] = "Invalid or expired verification code"
-          render_with_inertia action: :show, props: verify_page_props, status: :unprocessable_content
-          return
-        rescue ActiveRecord::RecordInvalid => e
-          flash.now[:alert] = "Unable to complete sign in: #{e.record.errors.full_messages.to_sentence}"
-          render_with_inertia action: :show, props: verify_page_props, status: :unprocessable_content
-          return
-        end
+        session_manager.sign_in_account(result.account)
+        emit_authentication_succeeded(result.account)
 
         session.delete(:standard_id_otp_payload)
 
@@ -98,56 +76,6 @@ module StandardId
         end
       end
 
-      def find_active_challenge
-        StandardId::CodeChallenge.active.find_by(
-          realm: "authentication",
-          channel: @otp_data[:connection],
-          target: @otp_data[:username]
-        )
-      end
-
-      def record_attempt(challenge, code)
-        return 0 if challenge.blank?
-        return 0 if ActiveSupport::SecurityUtils.secure_compare(challenge.code, code)
-
-        attempts = (challenge.metadata["attempts"] || 0) + 1
-        challenge.update!(metadata: challenge.metadata.merge("attempts" => attempts))
-
-        max_attempts = StandardId.config.passwordless.max_attempts
-        challenge.use! if attempts >= max_attempts
-
-        attempts
-      end
-
-      def emit_otp_validated(account, challenge)
-        StandardId::Events.publish(
-          StandardId::Events::OTP_VALIDATED,
-          account: account,
-          channel: @otp_data[:connection]
-        )
-        StandardId::Events.publish(
-          StandardId::Events::PASSWORDLESS_CODE_VERIFIED,
-          code_challenge: challenge,
-          account: account,
-          channel: @otp_data[:connection]
-        )
-      end
-
-      def emit_otp_validation_failed(attempts)
-        StandardId::Events.publish(
-          StandardId::Events::OTP_VALIDATION_FAILED,
-          identifier: @otp_data[:username],
-          channel: @otp_data[:connection],
-          attempts: attempts
-        )
-        StandardId::Events.publish(
-          StandardId::Events::PASSWORDLESS_CODE_FAILED,
-          identifier: @otp_data[:username],
-          channel: @otp_data[:connection],
-          attempts: attempts
-        )
-      end
-
       def emit_authentication_succeeded(account)
         StandardId::Events.publish(
           StandardId::Events::AUTHENTICATION_SUCCEEDED,

data/app/controllers/standard_id/web/logout_controller.rb

@@ -1,6 +1,13 @@
 module StandardId
   module Web
     class LogoutController < BaseController
+      # Classified as authenticated (not public) because logout requires
+      # host-app authentication. The controller handles unauthenticated
+      # users gracefully via redirect_if_not_authenticated rather than
+      # raising, and skips require_browser_session! to allow session
+      # revocation even with an expired browser session.
+      authenticated_controller
+
       skip_before_action :require_browser_session!, only: [:create]
 
       before_action :redirect_if_not_authenticated

data/app/controllers/standard_id/web/reset_password/confirm_controller.rb

@@ -2,6 +2,8 @@ module StandardId
   module Web
     module ResetPassword
       class ConfirmController < BaseController
+        public_controller
+
         layout "public"
 
         skip_before_action :require_browser_session!, only: [:show, :update]

data/app/controllers/standard_id/web/reset_password/start_controller.rb

@@ -2,6 +2,8 @@ module StandardId
   module Web
     module ResetPassword
       class StartController < BaseController
+        public_controller
+
         layout "public"
 
         skip_before_action :require_browser_session!, only: [:show, :create]

data/app/controllers/standard_id/web/sessions_controller.rb

@@ -1,6 +1,8 @@
 module StandardId
   module Web
     class SessionsController < BaseController
+      authenticated_controller
+
       def index
         @sessions = current_account.sessions.active.order(created_at: :desc)
         @current_session = current_session

data/app/controllers/standard_id/web/signup_controller.rb

@@ -1,6 +1,8 @@
 module StandardId
   module Web
     class SignupController < BaseController
+      public_controller
+
       include StandardId::InertiaRendering
 
       layout "public"

data/app/controllers/standard_id/web/verify_email/base_controller.rb

@@ -2,6 +2,8 @@ module StandardId
   module Web
     module VerifyEmail
       class BaseController < StandardId::Web::BaseController
+        public_controller
+
         skip_before_action :require_browser_session!
       end
     end

data/app/controllers/standard_id/web/verify_phone/base_controller.rb

@@ -2,6 +2,8 @@ module StandardId
   module Web
     module VerifyPhone
       class BaseController < StandardId::Web::BaseController
+        public_controller
+
         skip_before_action :require_browser_session!
       end
     end

data/lib/standard_id/authorization_bypass.rb

@@ -0,0 +1,121 @@
+module StandardId
+  module AuthorizationBypass
+    FRAMEWORK_CALLBACKS = {
+      action_policy: :verify_authorized,
+      pundit: :verify_authorized,
+      cancancan: :check_authorization
+    }.freeze
+
+    MUTEX = Mutex.new
+    private_constant :MUTEX
+
+    class << self
+      # Skips the host app's authorization callback on all engine controllers,
+      # and also skips authenticate_account! on public controllers (login,
+      # signup, callbacks, etc.) since those must be accessible without a session.
+      #
+      # In production (eager_load=true), controllers are already loaded when
+      # this runs so the registry is populated. In development (eager_load=false),
+      # controllers are loaded lazily on first request; newly registered
+      # controllers receive skips immediately via apply_to_controller (called
+      # from ControllerPolicy.register). The to_prepare block handles class
+      # reloading — after Zeitwerk unloads/reloads classes, the freshly loaded
+      # controllers re-register and receive skips again.
+      def apply(framework: nil, callback: nil)
+        if framework && callback
+          raise ArgumentError, "Provide framework: or callback:, not both"
+        end
+
+        register_prepare = false
+
+        MUTEX.synchronize do
+          # Guard against duplicate to_prepare registrations if called more than
+          # once (e.g. in tests or misconfigured initializers). skip_before_action
+          # is idempotent so duplicates are harmless, but this keeps things tidy.
+          return if @callback_name
+
+          @callback_name = resolve_callback(framework, callback)
+          # @prepared is intentionally NOT cleared by reset!. This ensures
+          # at most one to_prepare block is registered per process lifetime.
+          # Trade-off: after reset! + apply (e.g. in tests switching
+          # frameworks), the to_prepare code path is not re-registered, so
+          # it can only be verified by the first test that calls apply.
+          register_prepare = !@prepared
+          @prepared = true
+        end
+
+        apply_skips!
+
+        # Re-apply after class reloading in development. In dev (eager_load=false),
+        # reset_registry! + apply_skips! is effectively a no-op because the
+        # registry is empty at this point — lazy-loaded controllers haven't
+        # registered yet. The real work for lazy-loaded controllers is done by
+        # apply_to_controller (called from ControllerPolicy.register). This
+        # block is still needed because after a Zeitwerk reload, controllers
+        # re-register and apply_to_controller fires again for each one, but the
+        # reset_registry! here clears stale references to the old class objects
+        # to prevent memory leaks in long dev sessions.
+        return unless register_prepare
+
+        Rails.application.config.to_prepare do
+          StandardId::ControllerPolicy.reset_registry!
+          StandardId::AuthorizationBypass.apply_skips!
+        end
+      end
+
+      # Whether apply has been called. Used by ControllerPolicy.register to
+      # decide if newly loaded controllers need immediate skip_before_action.
+      def applied?
+        MUTEX.synchronize { !@callback_name.nil? }
+      end
+
+      # Apply skips to a single controller. Called by ControllerPolicy.register
+      # when a controller is lazily loaded after apply has already been called.
+      def apply_to_controller(controller, policy)
+        callback = MUTEX.synchronize { @callback_name }
+        return unless callback
+
+        controller.skip_before_action callback, raise: false
+        if policy == :public
+          # authenticate_account! is defined in WebAuthentication, not on API
+          # controllers. raise: false ensures this is a safe no-op for API
+          # controllers that don't have the callback.
+          controller.skip_before_action :authenticate_account!, raise: false
+        end
+      end
+
+      # @api private — called internally by apply and the to_prepare block.
+      # Must remain public because it is invoked from a to_prepare lambda
+      # registered in apply, which executes outside this module's scope.
+      def apply_skips!
+        StandardId::ControllerPolicy.registry_snapshot.each do |policy, controllers|
+          controllers.each { |controller| apply_to_controller(controller, policy) }
+        end
+      end
+
+      # @api private — intended for test isolation only.
+      # NOTE: This clears @callback_name (so applied? returns false and apply
+      # can be called again with a different framework) but intentionally does
+      # NOT clear @prepared, so no additional to_prepare block is registered.
+      def reset!
+        MUTEX.synchronize { @callback_name = nil }
+      end
+
+      private
+
+      def resolve_callback(framework, callback)
+        if callback
+          callback.to_sym
+        elsif framework
+          FRAMEWORK_CALLBACKS.fetch(framework.to_sym) do
+            raise ArgumentError, "Unknown framework: #{framework}. " \
+              "Supported: #{FRAMEWORK_CALLBACKS.keys.join(', ')}. " \
+              "Or pass callback: :your_callback_name instead."
+          end
+        else
+          raise ArgumentError, "Provide either framework: or callback:"
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/jwt_service.rb

@@ -1,5 +1,6 @@
 require "jwt"
 require "concurrent/delay"
+require "concurrent/atomic/atomic_reference"
 require "openssl"
 require "digest"
 
@@ -34,6 +35,11 @@ module StandardId
       end
     end
 
+    @signing_key_ref = Concurrent::AtomicReference.new
+    @key_id_ref = Concurrent::AtomicReference.new
+    @previous_keys_ref = Concurrent::AtomicReference.new
+    @jwks_ref = Concurrent::AtomicReference.new
+
     def self.session_class
       SESSION_CLASS.value
     end
@@ -52,7 +58,11 @@ module StandardId
 
     def self.signing_key
       if asymmetric?
-        @signing_key_cache ||= parse_private_key(StandardId.config.oauth.signing_key)
+        @signing_key_ref.get || begin
+          computed = parse_private_key(StandardId.config.oauth.signing_key)
+          @signing_key_ref.compare_and_set(nil, computed)
+          @signing_key_ref.get
+        end
       else
         Rails.application.secret_key_base
       end
@@ -74,16 +84,24 @@ module StandardId
 
       # Generate stable key ID from public key fingerprint
       # Use public_to_pem which works for both RSA and EC keys
-      @key_id ||= Digest::SHA256.hexdigest(signing_key.public_to_pem)[0..7]
+      @key_id_ref.get || begin
+        computed = Digest::SHA256.hexdigest(signing_key.public_to_pem)[0..7]
+        @key_id_ref.compare_and_set(nil, computed)
+        @key_id_ref.get
+      end
     end
 
     def self.previous_keys
       return [] unless asymmetric?
 
-      @previous_keys_cache ||= Array(StandardId.config.oauth.previous_signing_keys).filter_map do |entry|
-        parse_previous_key_entry(entry)
-      rescue StandardError
-        nil
+      @previous_keys_ref.get || begin
+        computed = Array(StandardId.config.oauth.previous_signing_keys).filter_map do |entry|
+          parse_previous_key_entry(entry)
+        rescue StandardError
+          nil
+        end
+        @previous_keys_ref.compare_and_set(nil, computed)
+        @previous_keys_ref.get
       end
     end
 
@@ -93,11 +111,15 @@ module StandardId
       [{ kid: key_id, key: verification_key, algorithm: algorithm }] + previous_keys
     end
 
+    # NOTE: Individual resets are atomic but the group is not — a concurrent
+    # reader between two .set(nil) calls may see a mix of old and new values.
+    # This is acceptable: key rotation is an infrequent operator action and
+    # the worst case is one request using a stale (but still valid) key.
     def self.reset_cached_key!
-      @key_id = nil
-      @signing_key_cache = nil
-      @previous_keys_cache = nil
-      @jwks = nil
+      @key_id_ref.set(nil)
+      @signing_key_ref.set(nil)
+      @previous_keys_ref.set(nil)
+      @jwks_ref.set(nil)
     end
 
     def self.encode(payload, expires_in: 1.hour)
@@ -168,12 +190,16 @@ module StandardId
     def self.jwks
       return nil unless asymmetric?
 
-      @jwks ||= begin
-        exported_keys = all_verification_keys.map do |entry|
-          jwk = JWT::JWK.new(entry[:key], kid: entry[:kid]).export
-          jwk.merge(alg: entry[:algorithm], use: "sig")
+      @jwks_ref.get || begin
+        computed = begin
+          exported_keys = all_verification_keys.map do |entry|
+            jwk = JWT::JWK.new(entry[:key], kid: entry[:kid]).export
+            jwk.merge(alg: entry[:algorithm], use: "sig")
+          end
+          { keys: exported_keys }
         end
-        { keys: exported_keys }
+        @jwks_ref.compare_and_set(nil, computed)
+        @jwks_ref.get
       end
     end