Class: StandardId::Web::Auth::Callback::ProvidersController

Inherits:

BaseController

• Object
• ApplicationController
• BaseController
• StandardId::Web::Auth::Callback::ProvidersController

Includes:

LifecycleHooks, SocialAuthentication, SocialLoginParams, StandardId::WebAuthentication

Defined in:

app/controllers/standard_id/web/auth/callback/providers_controller.rb

Constant Summary

Constants included from LifecycleHooks

LifecycleHooks::DEFAULT_PROFILE_RESOLVER, LifecycleHooks::DEFAULT_SCOPE_RESOLVER

Constants included from SocialLoginParams

SocialLoginParams::OAUTH_PENDING_REQUESTS_COOKIE, SocialLoginParams::REQUEST_EXPIRY

Constants included from SocialAuthentication

SocialAuthentication::VALID_LINK_STRATEGIES

Constants included from RateLimitHandling

RateLimitHandling::RATE_LIMIT_STORE

Instance Method Summary

• #callback ⇒ Object
• #mobile_callback ⇒ Object

Methods included from StandardId::WebAuthentication

#current_account, #current_scope_names, #current_session, #revoke_current_session!

Methods included from ControllerPolicy

all_controllers, authenticated_controllers, public_controllers, register, registry_snapshot, reset_registry!

Instance Method Details

#callback ⇒ Object

# File 'app/controllers/standard_id/web/auth/callback/providers_controller.rb', line 19

def callback
  if params[:error].present?
    handle_callback_error
    return
  end

  state_data = nil

  begin
    extract_state_and_nonce => { state_data:, nonce: }
    caller_redirect_uri = state_data&.dig("redirect_uri").presence
    redirect_uri = callback_url_for
    provider_response = get_user_info_from_provider(redirect_uri:, nonce:)
    social_info = provider_response[:user_info]
    provider_tokens = provider_response[:tokens]
    begin
      account = find_or_create_account_from_social(social_info)
    rescue ActiveRecord::RecordNotUnique
      # Race condition: concurrent request created the account first — retry to find it
      account = find_or_create_account_from_social(social_info)
    end
    newly_created = account.previously_new_record?

    invoke_before_sign_in(account, { mechanism: "social", provider: provider.provider_name })
    session_manager.sign_in_account(account, scope_name: state_data&.dig("scope"))

    provider_name = provider.provider_name
    invoke_after_account_created(account, { mechanism: "social", provider: provider_name }) if newly_created

    run_social_callback(
      provider: provider_name,
      social_info: social_info,
      provider_tokens: provider_tokens,
      account: account,
      original_request_params: state_data
    )

    context = {
      mechanism: "social",
      provider: provider_name,
      redirect_uri: caller_redirect_uri
    }
    redirect_override = invoke_after_sign_in(account, context)

    # When the hook defers (returns nil), the originator-supplied URL becomes the
    # destination. Validate it before redirect_to — without this, an attacker who
    # tricks a victim into clicking /login?connection=google&redirect_uri=<evil>
    # can steer the post-auth landing page. redirect_override is host-internal so
    # we trust it; only the fallthrough needs validation.
    destination = redirect_override || (safe_destination?(caller_redirect_uri) ? caller_redirect_uri : safe_post_signin_default)
    redirect_options = { notice: "Successfully signed in with #{provider_name.humanize}" }
    redirect_options[:allow_other_host] = true if allow_other_host_redirect?(destination)
    redirect_to destination, redirect_options
  rescue StandardId::AuthenticationDenied => e
    handle_authentication_denied(e, account: account, newly_created: newly_created)
  rescue StandardId::SocialLinkError => e
    # Policy/link error — SOCIAL_LINK_BLOCKED has already been emitted
    # by validate_social_link!, so do not also emit SOCIAL_AUTH_FAILED
    # (which is reserved for infrastructure-level failures).
    redirect_to StandardId::WebEngine.routes.url_helpers.login_path(redirect_uri: state_data&.dig("redirect_uri")), alert: "Authentication failed: #{e.message}"
  rescue StandardId::OAuthError => e
    emit_social_auth_failed(e, account: account)
    redirect_to StandardId::WebEngine.routes.url_helpers.login_path(redirect_uri: state_data&.dig("redirect_uri")), alert: "Authentication failed: #{e.message}"
  end
end

#mobile_callback ⇒ Object

# File 'app/controllers/standard_id/web/auth/callback/providers_controller.rb', line 85

def mobile_callback
  unless provider.supports_mobile_callback?
    raise StandardId::InvalidRequestError, "Provider #{provider.provider_name} does not support mobile callback"
  end

  extract_state_and_nonce => { state_data: }
  destination = state_data["redirect_uri"]

  unless allow_other_host_redirect?(destination)
    raise StandardId::InvalidRequestError, "Redirect URI is not allowed"
  end

  relay_params = mobile_relay_params
  @mobile_redirect_url = build_mobile_redirect(destination, relay_params)
  render :mobile_callback, layout: false
rescue StandardId::InvalidRequestError => e
  render plain: e.message, status: :unprocessable_entity
end