Class: StandardId::Api::TokenManager

Inherits:
Object
Defined in:
lib/standard_id/api/token_manager.rb



Constructor Details

#initialize(request) ⇒ TokenManager

Returns a new instance of TokenManager.



# File 'lib/standard_id/api/token_manager.rb', line 6

# Builds a token manager bound to a single request.
#
# Everything else in this class reads +@request+ (its headers, remote IP) and
# passes it to the session type resolver, so one instance is tied to one
# incoming request.
#
# @param request [Object] the request object to read the bearer token and
#   client address from (assumed to respond to +headers+ and +remote_ip+ —
#   confirm against callers)
# @return [TokenManager]
def initialize(request)
  @request = request
end

Instance Attribute Details

#request ⇒ Object (readonly)

Returns the value of attribute request.



# File 'lib/standard_id/api/token_manager.rb', line 4

# Read-only accessor for the request this manager was built around
# (documented as a readonly attribute, i.e. a generated reader with no writer).
#
# @return [Object] the request object passed to #initialize
def request
  @request
end

Instance Method Details

#bearer_token ⇒ Object



# File 'lib/standard_id/api/token_manager.rb', line 50

# Extracts the bearer token from the request's +Authorization+ header.
#
# The result is memoized on the instance, and deliberately so for a +nil+
# result too: the "already assigned?" check is used instead of +||=+ so that a
# missing or unusable header is parsed once per request rather than on every
# call. What counts as a valid token is decided entirely by
# StandardId::BearerTokenExtraction.
#
# @return [Object, nil] whatever StandardId::BearerTokenExtraction.extract
#   returns for the header value (presumably the token string, or +nil+ when
#   none is present — confirm against BearerTokenExtraction)
def bearer_token
  return @bearer_token if instance_variable_defined?(:@bearer_token)

  authorization = @request.headers["Authorization"]
  @bearer_token = StandardId::BearerTokenExtraction.extract(authorization)
end

#create_device_session(account, device_id: nil, device_agent: nil) ⇒ Object



# File 'lib/standard_id/api/token_manager.rb', line 10

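# Creates a device session for +account+ from the current request.
#
# The concrete session class is chosen by StandardId::SessionTypeResolver for
# the +:api_device_auth+ flow (it is given both the request and the account),
# and the creation itself is delegated to +create_session_for+, which is
# defined elsewhere in this file.
#
# @param account [Object] the account the session is created for
# @param device_id [String, nil] optional device identifier (type assumed — confirm)
# @param device_agent [String, nil] optional device agent string (type assumed — confirm)
# @return [Object] whatever +create_session_for+ returns
# @raise the error StandardId::SessionTypeResolver.resolve! raises when no
#   session type can be resolved (the bang name suggests it raises — confirm)
def create_device_session(account, device_id: nil, device_agent: nil)
  # The resolver decides which session model applies to this account/request.
  session_class = StandardId::SessionTypeResolver.resolve!(
    request: @request,
    account: account,
    flow: :api_device_auth
  )

  create_session_for(
    session_class,
    account: account,
    device_id: device_id,
    device_agent: device_agent
  )
end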

#create_service_session(account, service_name:, service_version:, owner:, metadata: {}) ⇒ Object



# File 'lib/standard_id/api/token_manager.rb', line 25

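# Creates a StandardId::ServiceSession for +account+ from the current request.
#
# The session type resolver is consulted for the +:api_service_auth+ flow, but
# this method only accepts StandardId::ServiceSession itself: the comparison is
# a strict +==+ on the class, so a subclass or any other session type is
# rejected with a ConfigurationError instead of silently creating a session
# that cannot carry the service-specific fields. The session's IP address is
# read from +@request.remote_ip+ and normalized before it is stored.
#
# NOTE(review): how trustworthy +remote_ip+ is (e.g. whether forwarded-for
# headers are honoured) is decided by the application's request/proxy
# configuration, which is not visible here — confirm before relying on the
# stored address for auditing.
#
# @param account [Object] the account that owns the session
# @param service_name [String] name of the calling service (type assumed — confirm)
# @param service_version [String] version of the calling service (type assumed — confirm)
# @param owner [Object] the owner recorded on the session
# @param metadata [Hash, nil] free-form metadata; +nil+ is stored as an empty Hash
# @return [StandardId::ServiceSession] the session returned by +create!+
# @raise [StandardId::ConfigurationError] when the resolver returns a class
#   other than StandardId::ServiceSession
# @raise the error StandardId::ServiceSession.create! raises when the record
#   cannot be created (bang method — confirm)
def create_service_session(account, service_name:, service_version:, owner:, metadata: {})
  session_class = StandardId::SessionTypeResolver.resolve!(
    request: @request,
    account: account,
    flow: :api_service_auth
  )

  # Strict class identity on purpose: the fields below only exist on
  # ServiceSession, so any other resolver answer is a configuration error.
  unless session_class == StandardId::ServiceSession
    raise StandardId::ConfigurationError,
      "session_type_resolver returned #{session_class.name} for flow :api_service_auth, " \
      "but service-session creation requires StandardId::ServiceSession " \
      "(service_name / service_version / owner are not applicable to other session types)."
  end

  StandardId::ServiceSession.create!(
    account: account,
    owner: owner,
    ip_address: StandardId::Utils::IpNormalizer.normalize(@request.remote_ip),
    service_name: service_name,
    service_version: service_version,
    metadata: metadata || {},
    expires_at: StandardId::ServiceSession.default_expiry
  )
end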

#generate_lookup_hash(token) ⇒ Object



# File 'lib/standard_id/api/token_manager.rb', line 75

# Derives a lookup hash for +token+ so the raw token never has to be stored
# or queried directly.
#
# The digest is SHA-256 over the string +"<token>:<secret_key_base>"+, so the
# stored value cannot be recomputed from a token alone without the
# application's secret. Note that this is a plain digest of a concatenation,
# not an HMAC; changing the construction would invalidate every previously
# stored hash, so it must stay as it is unless the stored values are migrated.
#
# @param token [String] the raw token (formatted with +%s+, so anything that
#   responds to +to_s+ is accepted)
# @return [String] 64-character lowercase hex digest
def generate_lookup_hash(token)
  secret = Rails.application.secret_key_base
  Digest::SHA256.hexdigest(format("%s:%s", token, secret))
end

#verify_jwt_token(token: bearer_token) ⇒ Object

Verifies the bearer JWT and returns a decoded session.

When `StandardId.config.oauth.allowed_audiences` is non-empty, the token's `aud` claim is enforced against that list at decode time. A mismatch raises `StandardId::InvalidAudienceError`, which is caught and treated as an invalid token (returns nil) so the downstream 401 path in `Api::BaseController` handles it identically to signature/expiry failures.

When the config is empty (default), no audience enforcement is applied here — behavior is unchanged vs pre-threading releases. The per-controller `AudienceVerification` concern still applies on top for tighter endpoint-specific restrictions.



# File 'lib/standard_id/api/token_manager.rb', line 69

# Decodes the bearer JWT into a session, enforcing the configured audiences.
#
# +token+ defaults to the memoized #bearer_token. The allowed-audience list is
# obtained from +configured_allowed_audiences+ (defined elsewhere in this file)
# and handed straight to StandardId::JwtService.decode_session.
#
# Only StandardId::InvalidAudienceError is swallowed here and mapped to +nil+,
# so the caller treats an audience mismatch like any other invalid token; any
# other error raised by decode_session propagates to the caller unchanged.
#
# @param token [String, nil] the raw JWT; defaults to #bearer_token
# @return [Object, nil] the decoded session, or +nil+ on an audience mismatch
def verify_jwt_token(token: bearer_token)
  audiences = configured_allowed_audiences
  StandardId::JwtService.decode_session(token, allowed_audiences: audiences)
rescue StandardId::InvalidAudienceError
  nil
end