Add secure OAuth2-based mobile authentication

- Replace API keys with OAuth2 tokens for mobile apps - Add device tracking and management for mobile sessions - Implement 30-day token expiration with refresh tokens - Add MFA/2FA support for mobile login - Create dedicated auth endpoints (signup/login/refresh) - Skip CSRF protection for API endpoints - Return plaintext tokens (not hashed) in responses - Track devices with unique IDs and metadata - Enable seamless native mobile experience without OAuth redirects This provides enterprise-grade security for the iOS/Android apps while maintaining a completely native authentication flow. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-05 13:35:21 +02:00 · 2025-06-18 08:20:22 -05:00 · 2025-06-18 08:20:22 -05:00 · 9336719242
commit 9336719242
parent cba0bdf0e2
15 changed files with 761 additions and 6 deletions
--- a/db/migrate/20250618104425_add_source_to_api_keys.rb
+++ b/db/migrate/20250618104425_add_source_to_api_keys.rb
@ -0,0 +1,6 @@
+class AddSourceToApiKeys < ActiveRecord::Migration[7.2]
+  def change
+    add_column :api_keys, :source, :string, default: "web"
+    add_index :api_keys, [:user_id, :source]
+  end
+end
--- a/db/migrate/20250618110104_create_mobile_devices.rb
+++ b/db/migrate/20250618110104_create_mobile_devices.rb
@ -0,0 +1,17 @@
+class CreateMobileDevices < ActiveRecord::Migration[7.2]
+  def change
+    create_table :mobile_devices, id: :uuid do |t|
+      t.references :user, null: false, foreign_key: true, type: :uuid
+      t.string :device_id
+      t.string :device_name
+      t.string :device_type
+      t.string :os_version
+      t.string :app_version
+      t.datetime :last_seen_at
+
+      t.timestamps
+    end
+    add_index :mobile_devices, :device_id, unique: true
+    add_index :mobile_devices, [:user_id, :device_id], unique: true
+  end
+end
--- a/db/migrate/20250618110736_add_owner_to_oauth_applications.rb
+++ b/db/migrate/20250618110736_add_owner_to_oauth_applications.rb
@ -0,0 +1,7 @@
+class AddOwnerToOauthApplications < ActiveRecord::Migration[7.2]
+  def change
+    add_column :oauth_applications, :owner_id, :uuid
+    add_column :oauth_applications, :owner_type, :string
+    add_index :oauth_applications, [:owner_id, :owner_type]
+  end
+end
--- a/db/migrate/20250618120703_add_oauth_application_to_mobile_devices.rb
+++ b/db/migrate/20250618120703_add_oauth_application_to_mobile_devices.rb
@ -0,0 +1,6 @@
+class AddOauthApplicationToMobileDevices < ActiveRecord::Migration[7.2]
+  def change
+    add_column :mobile_devices, :oauth_application_id, :integer
+    add_index :mobile_devices, :oauth_application_id
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema[7.2].define(version: 2025_06_13_152743) do
+ActiveRecord::Schema[7.2].define(version: 2025_06_18_110736) do
  # These are extensions that must be enabled in order to support this database
  enable_extension "pgcrypto"
  enable_extension "plpgsql"
@ -98,8 +98,10 @@ ActiveRecord::Schema[7.2].define(version: 2025_06_13_152743) do
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
    t.string "display_key", null: false
+    t.string "source", default: "web"
    t.index ["display_key"], name: "index_api_keys_on_display_key", unique: true
    t.index ["revoked_at"], name: "index_api_keys_on_revoked_at"
+    t.index ["user_id", "source"], name: "index_api_keys_on_user_id_and_source"
    t.index ["user_id"], name: "index_api_keys_on_user_id"
  end

@ -429,6 +431,21 @@ ActiveRecord::Schema[7.2].define(version: 2025_06_13_152743) do
    t.index ["chat_id"], name: "index_messages_on_chat_id"
  end

+  create_table "mobile_devices", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+    t.uuid "user_id", null: false
+    t.string "device_id"
+    t.string "device_name"
+    t.string "device_type"
+    t.string "os_version"
+    t.string "app_version"
+    t.datetime "last_seen_at"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["device_id"], name: "index_mobile_devices_on_device_id", unique: true
+    t.index ["user_id", "device_id"], name: "index_mobile_devices_on_user_id_and_device_id", unique: true
+    t.index ["user_id"], name: "index_mobile_devices_on_user_id"
+  end
+
  create_table "oauth_access_grants", force: :cascade do |t|
    t.string "resource_owner_id", null: false
    t.bigint "application_id", null: false
@ -468,6 +485,9 @@ ActiveRecord::Schema[7.2].define(version: 2025_06_13_152743) do
    t.boolean "confidential", default: true, null: false
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
+    t.uuid "owner_id"
+    t.string "owner_type"
+    t.index ["owner_id", "owner_type"], name: "index_oauth_applications_on_owner_id_and_owner_type"
    t.index ["uid"], name: "index_oauth_applications_on_uid", unique: true
  end

@ -802,6 +822,7 @@ ActiveRecord::Schema[7.2].define(version: 2025_06_13_152743) do
  add_foreign_key "invitations", "users", column: "inviter_id"
  add_foreign_key "merchants", "families"
  add_foreign_key "messages", "chats"
+  add_foreign_key "mobile_devices", "users"
  add_foreign_key "oauth_access_grants", "oauth_applications", column: "application_id"
  add_foreign_key "oauth_access_tokens", "oauth_applications", column: "application_id"
  add_foreign_key "plaid_accounts", "plaid_items"