auth0 5.11.0 → 5.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 226246c8ebc3b3a01dfb4729ea30e1f5e348a4fef155287ae7a8d4a050022392
-  data.tar.gz: c720dba1ef6fb9661a981fd5a4603e212d3e9803cd1706bdd0a3b2f961551c3d
+  metadata.gz: cb764cc8daf156b3d3736bff8c65c69c32db6d15757f2e450ea85eb0dca300c0
+  data.tar.gz: b0cfc02df42818062bc5cb609daaffd04806f9ea92f771caf58575b9faa781c8
 SHA512:
-  metadata.gz: ec7dbd4a49e195981a2b13362e3e0ba7867194cc54a4aad4898edc82f57957415805645f2b8f99ccf6c9d3bca3dab729585c99a6aad44cae32fed094899d9795
-  data.tar.gz: 41221c45b0c22f5fb8ae2a31230f77aa49d60b6b1cfd59443d5e172aa8ed8704c9fb59f2c2af83a7213a7ab3ee678a330ba4b5b93bcfc24fa24985a2731a8903
+  metadata.gz: 68c6502714f8c631aa92a0b29d387e662cf06b9ec4e18f4d12e3260a7068a5e754b1f29bc60a76b2defa54763919ee9b6e31ffb5181d1c0d38c584bf4d0186a3
+  data.tar.gz: 26a2e83b7aa49807d45cda688d857d8dc93177bdd4a47b92b0e952561a2dbda2a056a15c537b71a787d22ddebb5ebb4fddb9f7e83fb26ce7e769b1c23a49c221

data/.circleci/config.yml

@@ -1,12 +1,12 @@
 version: 2.1
 orbs:
-  ship: auth0/ship@dev:alpha
+  ship: auth0/ship@0
   codecov: codecov/codecov@3
 
 matrix_ruby_versions: &matrix_ruby_versions
   matrix:
     parameters:
-      ruby_version: ["2.7", "3.0", "3.1", "3.2"]
+      ruby_version: ["3.0", "3.1", "3.2"]
 # Default version of ruby to use for lint and publishing
 default_ruby_version: &default_ruby_version "3.2"
 
@@ -41,7 +41,8 @@ jobs:
             - vendor/bundle
       # Must define DOMAIN, CLIENT_ID, CLIENT_SECRET and MASTER_JWT env
       - run: bundle exec rake test
-      - codecov/upload
+      - codecov/upload:
+        file: /home/circleci/project/coverage/coverage.xml
 
 workflows:
   tests:

data/.semgrepignore

@@ -0,0 +1,6 @@
+.bundle/
+.circleci/
+.devcontainer/
+.github/
+examples/
+spec/

data/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Change Log
 
+## [v5.13.0](https://github.com/auth0/ruby-auth0/tree/v5.13.0) (2023-04-24)
+[Full Changelog](https://github.com/auth0/ruby-auth0/compare/v5.12.0...v5.13.0)
+
+**Added**
+- [SDK-4142] Add support for /oauth/par [\#470](https://github.com/auth0/ruby-auth0/pull/470) ([stevehobbsdev](https://github.com/stevehobbsdev))
+
+**Deprecated**
+- Drop support for 2.7 in CI build [\#467](https://github.com/auth0/ruby-auth0/pull/467) ([stevehobbsdev](https://github.com/stevehobbsdev))
+
+## [v5.12.0](https://github.com/auth0/ruby-auth0/tree/v5.12.0) (2023-03-13)
+[Full Changelog](https://github.com/auth0/ruby-auth0/compare/v5.11.0...v5.12.0)
+
+**Added**
+- [SDK-4014] User Authentication Method management API support [\#450](https://github.com/auth0/ruby-auth0/pull/450) ([stevehobbsdev](https://github.com/stevehobbsdev))
+
+**Fixed**
+- Remove broken FAQ link from README [\#441](https://github.com/auth0/ruby-auth0/pull/441) ([joxxoxo](https://github.com/joxxoxo))
+
 ## [v5.11.0](https://github.com/auth0/ruby-auth0/tree/v5.11.0) (2023-01-27)
 [Full Changelog](https://github.com/auth0/ruby-auth0/compare/v5.10.0...v5.11.0)
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    auth0 (5.11.0)
+    auth0 (5.13.0)
       addressable (~> 2.8)
       jwt (~> 2.5)
       rest-client (~> 2.1)
@@ -11,29 +11,29 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (7.0.4.2)
-      actionview (= 7.0.4.2)
-      activesupport (= 7.0.4.2)
+    actionpack (7.0.4.3)
+      actionview (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
       rack (~> 2.0, >= 2.2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.4.2)
-      activesupport (= 7.0.4.2)
+    actionview (7.0.4.3)
+      activesupport (= 7.0.4.3)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activesupport (7.0.4.2)
+    activesupport (7.0.4.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
-    addressable (2.8.1)
+    addressable (2.8.4)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
     builder (3.2.4)
-    concurrent-ruby (1.2.0)
+    concurrent-ruby (1.2.2)
     coveralls (0.7.1)
       multi_json (~> 1.3)
       rest-client
@@ -65,31 +65,31 @@ GEM
     i18n (1.12.0)
       concurrent-ruby (~> 1.0)
     io-console (0.6.0)
-    irb (1.6.2)
+    irb (1.6.4)
       reline (>= 0.3.0)
     json (2.6.3)
-    jwt (2.6.0)
-    loofah (2.19.1)
+    jwt (2.7.0)
+    loofah (2.20.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     method_source (1.0.0)
     mime-types (3.4.1)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2022.0105)
-    minitest (5.17.0)
+    mime-types-data (3.2023.0218.1)
+    minitest (5.18.0)
     multi_json (1.15.0)
     netrc (0.11.0)
-    nokogiri (1.14.0-x86_64-linux)
+    nokogiri (1.14.3-x86_64-linux)
       racc (~> 1.4)
-    parallel (1.22.1)
-    parser (3.2.0.0)
+    parallel (1.23.0)
+    parser (3.2.2.1)
       ast (~> 2.4.1)
     pp (0.4.0)
       prettyprint
     prettyprint (0.1.1)
     public_suffix (5.0.1)
     racc (1.6.2)
-    rack (2.2.6.2)
+    rack (2.2.6.4)
     rack-test (0.8.3)
       rack (>= 1.0, < 3)
     rails-dom-testing (2.0.3)
@@ -97,17 +97,17 @@ GEM
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.5.0)
       loofah (~> 2.19, >= 2.19.1)
-    railties (7.0.4.2)
-      actionpack (= 7.0.4.2)
-      activesupport (= 7.0.4.2)
+    railties (7.0.4.3)
+      actionpack (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
       method_source
       rake (>= 12.2)
       thor (~> 1.0)
       zeitwerk (~> 2.5)
     rainbow (3.1.1)
     rake (13.0.6)
-    regexp_parser (2.6.2)
-    reline (0.3.2)
+    regexp_parser (2.8.0)
+    reline (0.3.3)
       io-console (~> 0.5)
     rest-client (2.1.0)
       http-accept (>= 1.7.0, < 2.0)
@@ -120,32 +120,32 @@ GEM
       rspec-core (~> 3.12.0)
       rspec-expectations (~> 3.12.0)
       rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.0)
+    rspec-core (3.12.2)
       rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.2)
+    rspec-expectations (3.12.3)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.3)
+    rspec-mocks (3.12.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
     rspec-support (3.12.0)
-    rubocop (1.44.1)
+    rubocop (1.50.2)
       json (~> 2.3)
       parallel (~> 1.10)
       parser (>= 3.2.0.0)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.24.1, < 2.0)
+      rubocop-ast (>= 1.28.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.24.1)
-      parser (>= 3.1.1.0)
-    rubocop-rails (2.17.4)
+    rubocop-ast (1.28.0)
+      parser (>= 3.2.1.0)
+    rubocop-rails (2.19.1)
       activesupport (>= 4.2.0)
       rack (>= 1.1)
       rubocop (>= 1.33.0, < 2.0)
-    ruby-progressbar (1.11.0)
+    ruby-progressbar (1.13.0)
     simplecov (0.22.0)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
@@ -162,7 +162,7 @@ GEM
     timecop (0.9.6)
     tins (1.32.1)
       sync
-    tzinfo (2.0.5)
+    tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unf (0.1.4)
       unf_ext
@@ -174,7 +174,7 @@ GEM
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
     zache (0.12.0)
-    zeitwerk (2.6.6)
+    zeitwerk (2.6.7)
 
 PLATFORMS
   x86_64-linux
@@ -202,4 +202,4 @@ DEPENDENCIES
   webmock
 
 BUNDLED WITH
-   2.3.26
+   2.4.10

data/README.md

@@ -16,7 +16,6 @@ Ruby API client for the [Auth0](https://auth0.com) platform.
 
 - [API documentation](https://www.rubydoc.info/gems/auth0) - documentation auto-generated from the code comments that explains all the available features
 - [Examples](https://github.com/auth0/ruby-auth0/blob/master/EXAMPLES.md) - examples that demonstrate the different ways in which this SDK can be used
-[FAQ](https://github.com/auth0/ruby-auth0/blob/master/FAQ.md) - frequently asked questions about the SDK
 - [Docs Site](https://auth0.com/docs) - explore our Docs site and learn more about Auth0
 
 ## Getting Started

data/examples/ruby-api/Gemfile.lock

@@ -8,7 +8,7 @@ GEM
     nio4r (2.5.8)
     puma (5.6.5)
       nio4r (~> 2.0)
-    rack (2.2.6.2)
+    rack (2.2.6.4)
     rack-protection (2.2.3)
       rack
     ruby2_keywords (0.0.5)

data/lib/auth0/api/authentication_endpoints.rb

@@ -323,6 +323,21 @@ module Auth0
         URI::HTTPS.build(host: @domain, path: '/authorize', query: to_query(request_params))
       end
 
+      # Return an authorization URL for PAR requests
+      # @see https://www.rfc-editor.org/rfc/rfc9126.html
+      # @param request_uri [string] The request_uri as obtained by calling `pushed_authorization_request`
+      # @param additional_parameters Any additional parameters to send
+      def par_authorization_url(request_uri)
+        raise Auth0::InvalidParameter, 'Must supply a valid request_uri' if request_uri.to_s.empty?
+
+        request_params = {
+          client_id: @client_id,
+          request_uri: request_uri,
+        }
+
+        URI::HTTPS.build(host: @domain, path: '/authorize', query: to_query(request_params))
+      end
+
       # Returns an Auth0 logout URL with a return URL.
       # @see https://auth0.com/docs/api/authentication#logout
       # @see https://auth0.com/docs/logout
@@ -344,6 +359,28 @@ module Auth0
         )
       end
 
+      # Make a request to the PAR endpoint and receive a `request_uri` to send to the '/authorize' endpoint.
+      # @see https://auth0.com/docs/api/authentication#authorization-code-grant
+      # @param redirect_uri [string] URL to redirect after authorization
+      # @param options [hash] Can contain response_type, connection, state, organization, invitation, and additional_parameters.
+      # @return [url] Authorization URL.
+      def pushed_authorization_request(parameters = {})
+        request_params = {
+          client_id: @client_id,
+          response_type: parameters.fetch(:response_type, 'code'),
+          connection: parameters.fetch(:connection, nil),
+          redirect_uri: parameters.fetch(:redirect_uri, nil),
+          state: parameters.fetch(:state, nil),
+          scope: parameters.fetch(:scope, nil),
+          organization: parameters.fetch(:organization, nil),
+          invitation: parameters.fetch(:invitation, nil)
+        }.merge(parameters.fetch(:additional_parameters, {}))
+
+        populate_client_assertion_or_secret(request_params)
+        
+        request_with_retry(:post_form, '/oauth/par', request_params, {})
+      end
+
       # Return a SAMLP URL.
       # The SAML Request AssertionConsumerServiceURL will be used to POST back
       # the assertion and it must match with the application callback URL.

data/lib/auth0/api/v2/users.rb

@@ -329,6 +329,122 @@ module Auth0
           get "#{users_path}/#{user_id}/organizations"
         end
 
+        # Get the available authentication methods for a user.
+        #
+        # @param user_id [string] The user ID of the authentication methods to get
+        # @param options [hash] A hash of options for getting permissions
+        #   * :per_page [integer] The amount of permissions per page. (optional)
+        #   * :page [integer]  The page number. Zero based. (optional)
+        #   * :include_totals [boolean] True if a query summary must be included in the result. (optional)
+        # @return [json] The user's authentication methods
+        # @see https://auth0.com/docs/api/management/v2#!/Users/get_authentication_methods
+        def user_authentication_methods(user_id, options = {})
+          raise Auth0::MissingUserId, 'Must supply a valid user_id' if user_id.to_s.empty?
+
+          request_params = {
+            per_page: options.fetch(:per_page, nil),
+            page: options.fetch(:page, nil),
+            include_totals: options.fetch(:include_totals, nil)
+          }
+
+          get "#{users_path}/#{user_id}/authentication-methods", request_params
+        end
+        alias get_user_authentication_methods user_authentication_methods
+
+        # Get a specific authentication method for a user.
+        #
+        # @param user_id [string] The user ID of the authentication methods to get
+        # @param authentication_method_id [string] The ID of the authentication method
+        # @return [json] The user authentication method
+        # @see https://auth0.com/docs/api/management/v2#!/Users/get_authentication_methods_by_authentication_method_id
+        def user_authentication_method(user_id, authentication_method_id)
+          raise Auth0::MissingUserId, 'Must supply a valid user_id' if user_id.to_s.empty?
+          raise Auth0::MissingParameter, 'Must supply a valid authentication_method_id' if authentication_method_id.to_s.empty?
+
+          get "#{users_path}/#{user_id}/authentication-methods/#{authentication_method_id}"
+        end
+        alias get_user_authentication_method user_authentication_method
+
+        # Create an authentication method for a user
+        #
+        # @param user_id [string] The user ID of the authentication methods to get
+        # @param body [hash] The post body content
+        #   * :type [string] "phone" or "email" or "totp" or "webauthn-roaming"
+        #   * :name [string] A human-readable label to identify the authentication method (optional)
+        #   * :totp_secret [string] Base32 encoded secret for TOTP generation (optional)
+        #   * :phone_number [string] Applies to phone authentication methods only. The destination phone number used to send verification codes via text and voice (optional)
+        #   * :email [string] Applies to email authentication methods only. The email address used to send verification messages (optional)
+        #   * :preferred_authentication_method [string] Preferred phone authentication method (optional)
+        #   * :key_id [string] Applies to email webauthn authenticators only. The id of the credential (optional)
+        #   * :public_key [string] Applies to email webauthn authenticators only. The public key (optional)
+        #   * :relying_party_identifier [string] Applies to email webauthn authenticators only. The relying party identifier (optional)
+        # @see https://auth0.com/docs/api/management/v2#!/Users/post_authentication_methods
+        def post_user_authentication_method(user_id, body)
+          raise Auth0::MissingUserId, 'Must supply a valid user_id' if user_id.to_s.empty?
+          raise Auth0::MissingParameter, 'Must supply a body' if body.to_s.empty?
+
+          post "#{users_path}/#{user_id}/authentication-methods", body
+        end
+        alias create_user_authentication_method post_user_authentication_method
+
+        # Updates all authentication methods by replacing them with the given ones
+        #
+        # @param user_id [string] The user ID of the authentication methods to get
+        # @param body [hash array] The mehods to update
+        #   * :type [string] "phone" or "email" or "totp" or "webauthn-roaming"
+        #   * :name [string] A human-readable label to identify the authentication method (optional)
+        #   * :totp_secret [string] Base32 encoded secret for TOTP generation (optional)
+        #   * :phone_number [string] Applies to phone authentication methods only. The destination phone number used to send verification codes via text and voice (optional)
+        #   * :email [string] Applies to email authentication methods only. The email address used to send verification messages (optional)
+        #   * :preferred_authentication_method [string] Preferred phone authentication method (optional)
+        # @see https://auth0.com/docs/api/management/v2#!/Users/put_authentication_methods
+        def put_all_user_authentication_methods(user_id, body)
+          raise Auth0::MissingUserId, 'Must supply a valid user_id' if user_id.to_s.empty?
+          raise Auth0::MissingParameter, 'Must supply a body' if body.to_s.empty?
+
+          put "#{users_path}/#{user_id}/authentication-methods", body
+        end
+        alias update_all_user_authentication_methods put_all_user_authentication_methods
+
+        # Updates a user authentication method
+        #
+        # @param user_id [string] The user ID of the authentication methods to get
+        # @param body [hash array] The mehods to update
+        #   * :name [string] A human-readable label to identify the authentication method (optional)
+        #   * :preferred_authentication_method [string] Preferred phone authentication method (optional)
+        # @see https://auth0.com/docs/api/management/v2#!/Users/put_authentication_methods
+        def patch_user_authentication_method(user_id, authentication_method_id, body)
+          raise Auth0::MissingUserId, 'Must supply a valid user_id' if user_id.to_s.empty?
+          raise Auth0::MissingParameter, 'Must supply an authentication_method_id' if authentication_method_id.to_s.empty?
+          raise Auth0::MissingParameter, 'Must supply a body' if body.to_s.empty?
+
+          patch "#{users_path}/#{user_id}/authentication-methods/#{authentication_method_id}", body
+        end
+        alias update_user_authentication_method patch_user_authentication_method
+
+        # Deletes all of the user's authentication methods
+        #
+        # @param user_id [string] The user ID
+        # @see https://auth0.com/docs/api/management/v2#!/Users/delete_authentication_methods
+        def delete_user_authentication_methods(user_id)
+          raise Auth0::MissingUserId, 'Must supply a valid user_id' if user_id.to_s.empty?
+
+          delete "#{users_path}/#{user_id}/authentication-methods"          
+        end
+ 
+        
+        # Deletes the user's authentication method specified by authentication_method_id
+        #
+        # @param user_id [string] The user ID
+        # @param authentication_method_id [string] The ID of the authentication method
+        # @see https://auth0.com/docs/api/management/v2#!/Users/delete_authentication_methods_by_authentication_method_id
+        def delete_user_authentication_method(user_id, authentication_method_id)
+          raise Auth0::MissingUserId, 'Must supply a valid user_id' if user_id.to_s.empty?
+          raise Auth0::MissingParameter, 'Must supply an authentication_method_id' if authentication_method_id.to_s.empty?
+
+          delete "#{users_path}/#{user_id}/authentication-methods/#{authentication_method_id}"
+        end
+
         private
 
         # Users API path

data/lib/auth0/mixins/httpproxy.rb

@@ -16,7 +16,7 @@ module Auth0
       BASE_DELAY = 100
 
       # proxying requests from instance methods to HTTP class methods
-      %i(get post post_file put patch delete delete_with_body).each do |method|
+      %i(get post post_file post_form put patch delete delete_with_body).each do |method|
         define_method(method) do |uri, body = {}, extra_headers = {}|
           body = body.delete_if { |_, v| v.nil? }
           token = get_token()
@@ -85,9 +85,12 @@ module Auth0
         elsif method == :post_file
           body.merge!(multipart: true)
           # Ignore the default Content-Type headers and let the HTTP client define them
-          post_file_headers = headers.slice(*headers.keys - ['Content-Type'])
+          post_file_headers = headers.except('Content-Type') if headers != nil
           # Actual call with the altered headers
           call(:post, encode_uri(uri), timeout, post_file_headers, body)
+        elsif method == :post_form
+          form_post_headers = headers.except('Content-Type') if headers != nil
+          call(:post, encode_uri(uri), timeout, form_post_headers, body.compact)
         else
           call(method, encode_uri(uri), timeout, headers, body.to_json)
         end

data/lib/auth0/version.rb

@@ -1,4 +1,4 @@
 # current version of gem
 module Auth0
-  VERSION = '5.11.0'.freeze
+  VERSION = '5.13.0'.freeze
 end

data/spec/lib/auth0/api/authentication_endpoints_spec.rb

@@ -6,6 +6,7 @@ describe Auth0::Api::AuthenticationEndpoints do
   let(:client_secret) { 'test-client-secret' }
   let(:api_identifier) { 'test-audience' }
   let(:domain) { 'samples.auth0.com' }
+  let(:request_uri) { 'urn:ietf:params:oauth:request_uri:the.request.uri' }
 
   let(:client_secret_config) { { 
     domain: domain,
@@ -237,7 +238,7 @@ describe Auth0::Api::AuthenticationEndpoints do
       end
     end
 
-    context 'exchange_sms_otp_for_tokens', focus: true do
+    context 'exchange_sms_otp_for_tokens' do
       it 'requests the tokens using an OTP from SMS' do
         expect(RestClient::Request).to receive(:execute) do |arg|
           expect(arg).to match(
@@ -335,7 +336,7 @@ describe Auth0::Api::AuthenticationEndpoints do
       end
     end
 
-    context 'exchange_email_otp_for_tokens', focus: true do
+    context 'exchange_email_otp_for_tokens' do
       it 'requests the tokens using email OTP' do
         expect(RestClient::Request).to receive(:execute) do |arg|
           expect(arg).to match(
@@ -628,5 +629,94 @@ describe Auth0::Api::AuthenticationEndpoints do
         client_assertion_instance.send :start_passwordless_sms_flow, '123456789'
       end
     end
+
+    context 'par_authorization_url' do
+      it 'throws an exception if request_uri is nil' do
+        expect { client_secret_instance.send :par_authorization_url, nil}.to raise_error Auth0::InvalidParameter
+      end
+
+      it 'throws an exception if request_uri is empty' do
+        expect { client_secret_instance.send :par_authorization_url, ''}.to raise_error Auth0::InvalidParameter
+      end
+      
+      it 'builds a URL containing the request_uri' do
+        url = client_secret_instance.send :par_authorization_url, request_uri
+        expect(CGI.unescape(url.to_s)).to eq("https://samples.auth0.com/authorize?client_id=#{client_id}&request_uri=#{request_uri}")
+      end
+    end
+
+    context 'pushed_authorization_request' do
+      it 'sends the request as a form post' do
+        expect(RestClient::Request).to receive(:execute) do |arg|
+          expect(arg[:url]).to eq('https://samples.auth0.com/oauth/par')
+          expect(arg[:method]).to eq(:post)
+          
+          expect(arg[:payload]).to eq({
+            client_id: client_id,
+            client_secret: client_secret,
+            response_type: 'code',
+          })
+
+          StubResponse.new({}, true, 200)
+        end
+
+        client_secret_instance.send :pushed_authorization_request
+      end
+
+      it 'allows the RestClient to handle the correct header defaults' do
+        expect(RestClient::Request).to receive(:execute) do |arg|
+          expect(arg[:headers]).not_to have_key('Content-Type')
+
+          StubResponse.new({}, true, 200)
+        end
+
+        client_secret_instance.headers['Content-Type'] = 'application/x-www-form-urlencoded'
+        client_secret_instance.send :pushed_authorization_request
+      end
+
+      it 'sends the request as a form post with all known overrides' do
+        expect(RestClient::Request).to receive(:execute) do |arg|
+          expect(arg[:url]).to eq('https://samples.auth0.com/oauth/par')
+          expect(arg[:method]).to eq(:post)
+          
+          expect(arg[:payload]).to eq({
+            client_id: client_id,
+            client_secret: client_secret,
+            connection: 'google-oauth2',
+            organization: 'org_id',
+            invitation: 'http://invite.url',
+            redirect_uri: 'http://localhost:3000',
+            response_type: 'id_token',
+            scope: 'openid',
+            state: 'random_value'
+          })
+
+          StubResponse.new({}, true, 200)
+        end
+
+        client_secret_instance.send(:pushed_authorization_request,
+          response_type: 'id_token',
+          redirect_uri: 'http://localhost:3000',
+          organization: 'org_id',
+          invitation: 'http://invite.url',
+          scope: 'openid',
+          state: 'random_value',
+          connection: 'google-oauth2')
+      end
+
+      it 'sends the request as a form post using client assertion' do
+        expect(RestClient::Request).to receive(:execute) do |arg|
+          expect(arg[:url]).to eq('https://samples.auth0.com/oauth/par')
+          expect(arg[:method]).to eq(:post)
+          expect(arg[:payload][:client_secret]).to be_nil
+          expect(arg[:payload][:client_assertion]).not_to be_nil
+          expect(arg[:payload][:client_assertion_type]).to eq Auth0::ClientAssertion::CLIENT_ASSERTION_TYPE
+  
+          StubResponse.new({}, true, 200)
+        end
+  
+        client_assertion_instance.send :pushed_authorization_request
+      end
+    end
   end
 end

data/spec/lib/auth0/api/v2/users_spec.rb

@@ -583,4 +583,222 @@ describe Auth0::Api::V2::Users do
       end.not_to raise_error
     end
   end
+
+  context '.get_user_authentication_methods' do
+    it 'is expected to respond to user_authentication_methods method' do
+      expect(@instance).to respond_to(:user_authentication_methods)
+    end
+    
+    it 'is expected to respond to get_user_authentication_methods method' do
+      expect(@instance).to respond_to(:get_user_authentication_methods)
+    end
+
+    it 'is expected to raise an exception when the user ID is empty' do
+      expect { @instance.user_authentication_methods(nil) }.to raise_exception(Auth0::MissingUserId)
+    end
+
+    it 'is expected to get user authentication methods' do
+      expect(@instance).to receive(:get).with(
+        '/api/v2/users/USER_ID/authentication-methods', {
+        per_page: nil,
+        page: nil,
+        include_totals: nil
+        }
+      )
+
+      expect do
+        @instance.user_authentication_methods('USER_ID')
+      end.not_to raise_error
+    end
+
+    it 'is expected to get user authentication methods with paging' do
+      expect(@instance).to receive(:get).with(
+        '/api/v2/users/USER_ID/authentication-methods', {
+        per_page: 1,
+        page: 2,
+        include_totals: true
+        }
+      )
+
+      expect do
+        @instance.user_authentication_methods('USER_ID', per_page: 1, page: 2, include_totals: true)
+      end.not_to raise_error
+    end
+  end
+
+  context '.get_user_authentication_method' do
+    it 'is expected to respond to get_user_authentication_method' do
+      expect(@instance).to respond_to :user_authentication_method
+    end
+    
+    it 'is expected to respond to get_user_authentication_method' do
+      expect(@instance).to respond_to :get_user_authentication_method
+    end
+
+    it 'is expected to raise an exception for a missing user ID' do
+      expect { @instance.user_authentication_method(nil, nil) }.to raise_exception(Auth0::MissingUserId)
+    end
+
+    it 'is expected to raise an exception for a missing authentication method ID' do
+      expect { @instance.user_authentication_method('USER_ID', nil) }.to raise_exception(Auth0::MissingParameter)
+    end
+
+    it 'is expected to GET a user authentication method' do
+      expect(@instance).to receive(:get).with(
+        '/api/v2/users/USER_ID/authentication-methods/AUTH_METHOD_ID'
+      )
+
+      expect do
+        @instance.user_authentication_method('USER_ID', 'AUTH_METHOD_ID')
+      end.not_to raise_error
+
+    end
+  end
+
+  context '.create_user_authentication_method' do
+    it 'is expected to respond to create_user_authentication_method' do
+      expect(@instance).to respond_to :create_user_authentication_method
+    end
+
+    it 'is expected to respond to post_user_authentication_method' do
+      expect(@instance).to respond_to :post_user_authentication_method
+    end
+
+    it 'is expected to raise an exception for a missing user ID' do
+      expect { @instance.create_user_authentication_method(nil, nil) }.to raise_exception(Auth0::MissingUserId)
+    end
+
+    it 'is expected to raise an exception for a missing body' do
+      expect { @instance.create_user_authentication_method('USER_ID', nil) }.to raise_exception(Auth0::MissingParameter)
+    end
+
+    it 'is expected to send the body to the endpoint' do
+      body = {
+        type: 'phone'
+      }
+
+      expect(@instance).to receive(:post).with(
+        '/api/v2/users/USER_ID/authentication-methods',
+        body
+      )
+
+      expect do
+        @instance.create_user_authentication_method 'USER_ID', body
+      end.not_to raise_error
+    end
+  end
+
+  context '.put_all_user_authentication_methods' do
+    it 'is expected to respond to put_all_user_authentication_methods' do
+      expect(@instance).to respond_to(:put_all_user_authentication_methods)
+    end
+
+    it 'is expected to respond to update_all_user_authentication_methods' do
+      expect(@instance).to respond_to(:update_all_user_authentication_methods)
+    end
+
+    it 'is expected to raise an exception for a missing user ID' do
+      expect { @instance.put_all_user_authentication_methods(nil, nil) }.to raise_exception(Auth0::MissingUserId)
+    end
+
+    it 'is expected to raise an exception for a missing body' do
+      expect { @instance.put_all_user_authentication_methods('USER_ID', nil) }.to raise_exception(Auth0::MissingParameter)
+    end
+
+    it 'is expected to send the body to the endpoint' do
+      body = {
+        type: 'phone'
+      }
+      
+      expect(@instance).to receive(:put).with(
+        '/api/v2/users/USER_ID/authentication-methods',
+        [body]
+      )
+
+      expect do
+        @instance.put_all_user_authentication_methods 'USER_ID', [body]
+      end.to_not raise_error
+    end
+  end
+
+  context '.patch_user_authentication_method' do
+    it 'is expected to respond to patch_user_authentication_method' do
+      expect(@instance).to respond_to(:patch_user_authentication_method)
+    end
+
+    it 'is expected to respond to update_user_authentication_method' do
+      expect(@instance).to respond_to(:update_user_authentication_method)
+    end
+
+    it 'is expected to raise an exception for a missing user ID' do
+      expect { @instance.patch_user_authentication_method(nil, nil, nil) }.to raise_exception(Auth0::MissingUserId)
+    end
+
+    it 'is expected to raise an exception for a missing authentication_method_id' do
+      expect { @instance.patch_user_authentication_method('USER_ID', nil, nil) }.to raise_exception(Auth0::MissingParameter)
+    end
+
+    it 'is expected to raise an exception for a missing body' do
+      expect { @instance.patch_user_authentication_method('USER_ID', 'AUTH_METHOD_ID', nil) }.to raise_exception(Auth0::MissingParameter)
+    end
+
+    it 'is expected to send the body to the endpoint' do
+      body = {
+        name: 'auth method name'
+      }
+
+      expect(@instance).to receive(:patch).with(
+        '/api/v2/users/USER_ID/authentication-methods/AUTH_METHOD_ID',
+        body
+      )
+
+      expect do
+        @instance.patch_user_authentication_method 'USER_ID', 'AUTH_METHOD_ID', body
+      end.to_not raise_error
+    end
+  end
+  
+  context '.delete_user_authentication_methods' do
+    it 'is expected to respond to delete_user_authentication_methods' do
+      expect(@instance).to respond_to(:delete_user_authentication_methods)
+    end
+
+    it 'is expected to raise an exception for a missing user ID' do
+      expect { @instance.delete_user_authentication_methods(nil) }.to raise_exception(Auth0::MissingUserId)
+    end
+
+    it 'is expected to call the endpoint' do
+      expect(@instance).to receive(:delete).with(
+        '/api/v2/users/USER_ID/authentication-methods'
+      )
+
+      expect do
+        @instance.delete_user_authentication_methods 'USER_ID'
+      end.to_not raise_error
+    end
+  end
+
+  context '.delete_user_authentication_method' do
+    it 'is expected to respond to delete_user_authentication_method' do
+      expect(@instance).to respond_to(:delete_user_authentication_method)
+    end
+
+    it 'is expected to raise an exception for a missing user ID' do
+      expect { @instance.delete_user_authentication_method(nil, nil) }.to raise_exception(Auth0::MissingUserId)
+    end
+
+    it 'is expected to raise an exception for a missing authentication_method_id' do
+      expect { @instance.delete_user_authentication_method('USER_ID', nil) }.to raise_exception(Auth0::MissingParameter)
+    end
+
+    it 'is expected to call the endpoint' do
+      expect(@instance).to receive(:delete).with(
+        '/api/v2/users/USER_ID/authentication-methods/AUTH_METHOD_ID'
+      )
+
+      expect do
+        @instance.delete_user_authentication_method 'USER_ID', 'AUTH_METHOD_ID'
+      end.to_not raise_error
+    end
+  end
 end

data/spec/lib/auth0/mixins/httpproxy_spec.rb

@@ -250,25 +250,37 @@ describe Auth0::Mixins::HTTPProxy do
     end
   end
 
-  %i(post put patch).each do |http_method|
+  def expected_payload(method, overrides = {})
+    if method == :post_form
+      {
+        method: :post,
+        url: 'https://auth0.com/test',
+        timeout: nil,
+        headers: nil,
+        payload: {}
+      }.merge(overrides)
+    else 
+      {
+        method: method,
+        url: 'https://auth0.com/test',
+        timeout: nil,
+        headers: nil,
+        payload: '{}'
+      }.merge(overrides)
+    end
+  end
+
+  %i(post post_form put patch).each do |http_method|
     context ".#{http_method}" do
       it { expect(@instance).to respond_to(http_method.to_sym) }
-      it "should call send http #{http_method} method to path defined through HTTP" do
-        expect(RestClient::Request).to receive(:execute).with(method: http_method,
-                                                              url: 'https://auth0.com/test',
-                                                              timeout: nil,
-                                                              headers: nil,
-                                                              payload: '{}')
+      it "should call send http #{http_method} method to path defined through HTTP"do
+        expect(RestClient::Request).to receive(:execute).with(expected_payload(http_method))
           .and_return(StubResponse.new({}, true, 200))
         expect { @instance.send(http_method, '/test') }.not_to raise_error
       end
 
       it 'should not raise exception if data returned not in json format (should be fixed in v2)' do
-        allow(RestClient::Request).to receive(:execute).with(method: http_method,
-                                                             url: 'https://auth0.com/test',
-                                                             timeout: nil,
-                                                             headers: nil,
-                                                             payload: '{}')
+        allow(RestClient::Request).to receive(:execute).with(expected_payload(http_method))
           .and_return(StubResponse.new('Some random text here', true, 200))
         expect { @instance.send(http_method, '/test') }.not_to raise_error
         expect(@instance.send(http_method, '/test')).to eql('Some random text here')
@@ -277,11 +289,7 @@ describe Auth0::Mixins::HTTPProxy do
       it "should raise Auth0::Unauthorized on send http #{http_method} method
         to path defined through HTTP when 401 status received" do
         @exception.response = StubResponse.new({}, false, 401)
-        allow(RestClient::Request).to receive(:execute).with(method: http_method,
-                                                             url: 'https://auth0.com/test',
-                                                             timeout: nil,
-                                                             headers: nil,
-                                                             payload: '{}')
+        allow(RestClient::Request).to receive(:execute).with(expected_payload(http_method))
           .and_raise(@exception)
         expect { @instance.send(http_method, '/test') }.to raise_error(Auth0::Unauthorized)
       end
@@ -294,11 +302,7 @@ describe Auth0::Mixins::HTTPProxy do
           :x_ratelimit_reset     => 1560564149
         }
         @exception.response = StubResponse.new({}, false, 429,headers)
-        allow(RestClient::Request).to receive(:execute).with(method: http_method,
-                                                             url: 'https://auth0.com/test',
-                                                             timeout: nil,
-                                                             headers: nil,
-                                                             payload: '{}')
+        allow(RestClient::Request).to receive(:execute).with(expected_payload(http_method))
           .and_raise(@exception)
         expect { @instance.send(http_method, '/test') }.to raise_error { |error|
           expect(error).to be_a(Auth0::RateLimitEncountered)
@@ -317,11 +321,7 @@ describe Auth0::Mixins::HTTPProxy do
       it "should raise Auth0::NotFound on send http #{http_method} method
         to path defined through HTTP when 404 status received" do
         @exception.response = StubResponse.new({}, false, 404)
-        allow(RestClient::Request).to receive(:execute).with(method: http_method,
-                                                             url: 'https://auth0.com/test',
-                                                             timeout: nil,
-                                                             headers: nil,
-                                                             payload: '{}')
+        allow(RestClient::Request).to receive(:execute).with(expected_payload(http_method))
           .and_raise(@exception)
         expect { @instance.send(http_method, '/test') }.to raise_error(Auth0::NotFound)
       end
@@ -329,22 +329,14 @@ describe Auth0::Mixins::HTTPProxy do
       it "should raise Auth0::Unsupported on send http #{http_method} method
         to path defined through HTTP when 418 or other unknown status received" do
         @exception.response = StubResponse.new({}, false, 418)
-        allow(RestClient::Request).to receive(:execute).with(method: http_method,
-                                                             url: 'https://auth0.com/test',
-                                                             timeout: nil,
-                                                             headers: nil,
-                                                             payload: '{}')
+        allow(RestClient::Request).to receive(:execute).with(expected_payload(http_method))
           .and_raise(@exception)
         expect { @instance.send(http_method, '/test') }.to raise_error(Auth0::Unsupported)
       end
 
       it "should raise Auth0::RequestTimeout on send http #{http_method} method
         to path defined through HTTP when RestClient::RequestTimeout received" do
-        allow(RestClient::Request).to receive(:execute).with(method: http_method,
-                                                             url: 'https://auth0.com/test',
-                                                             timeout: nil,
-                                                             headers: nil,
-                                                             payload: '{}')
+        allow(RestClient::Request).to receive(:execute).with(expected_payload(http_method))
           .and_raise(RestClient::Exceptions::OpenTimeout.new)
         expect { @instance.send(http_method, '/test') }.to raise_error(Auth0::RequestTimeout)
       end
@@ -352,11 +344,7 @@ describe Auth0::Mixins::HTTPProxy do
       it "should raise Auth0::BadRequest on send http #{http_method} method
         to path defined through HTTP when 400 status received" do
         @exception.response = StubResponse.new({}, false, 400)
-        allow(RestClient::Request).to receive(:execute).with(method: http_method,
-                                                             url: 'https://auth0.com/test',
-                                                             timeout: nil,
-                                                             headers: nil,
-                                                             payload: '{}')
+        allow(RestClient::Request).to receive(:execute).with(expected_payload(http_method))
           .and_raise(@exception)
         expect { @instance.send(http_method, '/test') }.to raise_error(Auth0::BadRequest)
       end
@@ -364,20 +352,13 @@ describe Auth0::Mixins::HTTPProxy do
       it "should raise Auth0::ServerError on send http #{http_method} method
         to path defined through HTTP when 500 received" do
         @exception.response = StubResponse.new({}, false, 500)
-        allow(RestClient::Request).to receive(:execute).with(method: http_method, url: 'https://auth0.com/test',
-                                                             timeout: nil,
-                                                             headers: nil,
-                                                             payload: '{}')
+        allow(RestClient::Request).to receive(:execute).with(expected_payload(http_method))
           .and_raise(@exception)
         expect { @instance.send(http_method, '/test') }.to raise_error(Auth0::ServerError)
       end
 
       it 'should normalize path with Addressable::URI' do
-        expect(RestClient::Request).to receive(:execute).with(method: http_method,
-                                                              url: 'https://auth0.com/te%20st',
-                                                              timeout: nil,
-                                                              headers: nil,
-                                                              payload: '{}')
+        expect(RestClient::Request).to receive(:execute).with(expected_payload(http_method, url: 'https://auth0.com/te%20st'))
           .and_return(StubResponse.new({}, true, 200))
         expect { @instance.send(http_method, '/te st') }.not_to raise_error
       end
@@ -388,11 +369,7 @@ describe Auth0::Mixins::HTTPProxy do
                             'message' => "Path validation error: 'String does not match pattern ^.+\\|.+$:
                                             3241312' on property id (The user_id of the user to retrieve).",
                             'errorCode' => 'invalid_uri')
-        expect(RestClient::Request).to receive(:execute).with(method: http_method,
-                                                              url: 'https://auth0.com/test',
-                                                              timeout: nil,
-                                                              headers: nil,
-                                                              payload: '{}')
+        expect(RestClient::Request).to receive(:execute).with(expected_payload(http_method))
           .and_return(StubResponse.new(res, true, 404))
         expect { @instance.send(http_method, '/test') }.to raise_error(Auth0::NotFound, res)
       end
@@ -404,11 +381,7 @@ describe Auth0::Mixins::HTTPProxy do
           retry_instance.base_uri = "https://auth0.com"
 
           @exception.response = StubResponse.new({}, false, 429)
-          allow(RestClient::Request).to receive(:execute).with(method: http_method,
-                                                              url: 'https://auth0.com/test',
-                                                              timeout: nil,
-                                                              headers: nil,
-                                                              payload: '{}')
+          allow(RestClient::Request).to receive(:execute).with(expected_payload(http_method))
             .and_raise(@exception)
           expect(RestClient::Request).to receive(:execute).exactly(4).times
 
@@ -424,11 +397,7 @@ describe Auth0::Mixins::HTTPProxy do
           retry_instance.retry_count = 2
 
           @exception.response = StubResponse.new({}, false, 429)
-          allow(RestClient::Request).to receive(:execute).with(method: http_method,
-                                                              url: 'https://auth0.com/test',
-                                                              timeout: nil,
-                                                              headers: nil,
-                                                              payload: '{}')
+          allow(RestClient::Request).to receive(:execute).with(expected_payload(http_method))
             .and_raise(@exception)
           expect(RestClient::Request).to receive(:execute).exactly(3).times
 
@@ -445,11 +414,7 @@ describe Auth0::Mixins::HTTPProxy do
 
           @exception.response = StubResponse.new({}, false, 429)
 
-          allow(RestClient::Request).to receive(:execute).with(method: http_method,
-                                                              url: 'https://auth0.com/test',
-                                                              timeout: nil,
-                                                              headers: nil,
-                                                              payload: '{}')
+          allow(RestClient::Request).to receive(:execute).with(expected_payload(http_method))
             .and_raise(@exception)
           
           expect(RestClient::Request).to receive(:execute).exactly(1).times
@@ -467,11 +432,7 @@ describe Auth0::Mixins::HTTPProxy do
           @time_start
 
           @exception.response = StubResponse.new({}, false, 429)
-          allow(RestClient::Request).to receive(:execute).with(method: http_method,
-                                                               url: 'https://auth0.com/test',
-                                                               timeout: nil,
-                                                               headers: nil,
-                                                               payload: '{}') do
+          allow(RestClient::Request).to receive(:execute).with(expected_payload(http_method)) do
 
             time_entries.push(Time.now.to_f - @time_start.to_f)
             @time_start = Time.now.to_f # restart the clock
@@ -492,6 +453,7 @@ describe Auth0::Mixins::HTTPProxy do
       end
     end
   end
+end
 
   context "Renewing tokens" do
     let(:httpproxy_instance) {
@@ -546,7 +508,6 @@ describe Auth0::Mixins::HTTPProxy do
         end
       end
     end
-  end
 
   context "Using cached tokens" do
     let(:httpproxy_instance) {

data/spec/support/dummy_class_for_tokens.rb

@@ -15,5 +15,6 @@ class DummyClassForTokens
     @token_expires_at = config[:token_expires_at]
     @client_assertion_signing_key = config[:client_assertion_signing_key]
     @client_assertion_signing_alg = config[:client_assertion_signing_alg] || 'RS256'
+    @headers ||= {}
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: auth0
 version: !ruby/object:Gem::Version
-  version: 5.11.0
+  version: 5.13.0
 platform: ruby
 authors:
 - Auth0
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-01-27 00:00:00.000000000 Z
+date: 2023-04-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -248,6 +248,7 @@ files:
 - ".rspec"
 - ".rubocop.yml"
 - ".rubocop_todo.yml"
+- ".semgrepignore"
 - ".shiprc"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
@@ -614,7 +615,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.26
+rubygems_version: 3.4.10
 signing_key: 
 specification_version: 4
 summary: Auth0 API Client