Class: StandardId::Engine

Inherits:
Rails::Engine
  • Object
Defined in:
lib/standard_id/engine.rb

Class Method Summary

Class Method Details

.verify_host_cookie_encryption!(app) ⇒ Object

Defensive check: StandardId's Web::SessionManager stores session tokens in `cookies.encrypted` in addition to `session`. If the host app is somehow missing a secret_key_base, encrypted cookies fall back to plaintext and session tokens leak to the client. Rails 8 apps always have a secret_key_base, but this check catches misconfigured test harnesses, custom boot sequences, and host apps that blank it out.

We warn (not raise) to avoid breaking apps that intentionally short-circuit boot (e.g., `assets:precompile` rake tasks with no secrets available). A hard failure would be hostile to those workflows.



# File 'lib/standard_id/engine.rb', line 62

def self.verify_host_cookie_encryption!(app)
  secret = app.respond_to?(:secret_key_base) ? app.secret_key_base : nil

  if secret.blank?
    Rails.logger.warn(
      "[StandardId] Host application has no secret_key_base configured. " \
      "Encrypted cookies will not be available and session tokens stored in " \
      "cookies.encrypted will be persisted in plaintext. Configure " \
      "Rails.application.credentials.secret_key_base (or ENV['SECRET_KEY_BASE']) " \
      "before running in production."
    )
  end
end

.warn_if_allowed_audiences_empty_in_production! ⇒ Object

Logs a production-only warning when no global audience allow-list is configured. With `allowed_audiences` empty, the API token manager skips decode-time aud enforcement, leaving cross-audience JWT replay mitigation dependent on per-controller `AudienceVerification` inclusion. Extracted to a module method so specs can exercise it directly without booting a second Rails app.



# File 'lib/standard_id/engine.rb', line 82

def self.warn_if_allowed_audiences_empty_in_production!
  return unless Rails.env.production?
  return if StandardId.config.oauth.allowed_audiences.present?

  Rails.logger.warn(
    "StandardId: config.oauth.allowed_audiences is empty in production — " \
    "JWT audience is not enforced globally. Set this to your expected " \
    "audiences (e.g., ['web', 'api']) to close cross-audience replay vectors."
  )
end
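The interaction the warning above describes, as an added illustration that is not StandardId's own code: a global allow-list gate that is skipped when `allowed_audiences` is empty, and a per-controller gate standing in for what `AudienceVerification` inclusion provides. The module name, the `expected:` parameter and the sample claims are assumptions; claims are taken to come from an already signature-verified JWT.

```ruby
# Added illustration, not code from the StandardId engine.
# Shows why an empty allowed_audiences list leaves cross-audience
# replay protection resting entirely on per-controller opt-in.
module AudienceCheck
  # RFC 7519 allows `aud` to be a single string or an array; normalise both.
  def self.audiences(claims)
    Array(claims["aud"]).map(&:to_s)
  end

  # Global decode-time gate. Mirrors the documented behaviour: an empty
  # allow-list means enforcement is skipped, so any audience passes here.
  def self.global_ok?(claims, allowed_audiences)
    return true if allowed_audiences.nil? || allowed_audiences.empty?

    auds = audiences(claims)
    !auds.empty? && auds.any? { |a| allowed_audiences.include?(a) }
  end

  # Per-controller gate (hypothetical stand-in for AudienceVerification):
  # the token must name the audience this endpoint serves. A controller
  # that did not opt in (expected == nil) performs no check at all.
  def self.controller_ok?(claims, expected)
    return true if expected.nil?

    audiences(claims).include?(expected.to_s)
  end

  # A request is accepted only if both gates pass.
  def self.accept?(claims, allowed_audiences:, expected: nil)
    global_ok?(claims, allowed_audiences) && controller_ok?(claims, expected)
  end
end

# Constructed sample claims: a token minted for a mobile client that is
# then presented to an API endpoint.
MOBILE_TOKEN = { "sub" => "user-1", "aud" => "mobile" }.freeze
```

With `allowed_audiences` empty and a controller that never included the per-controller check, `MOBILE_TOKEN` is accepted at the API endpoint; setting the allow-list to `%w[web api]` rejects it at decode time regardless of what each controller does.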