auth0 5.17.0 → 5.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 001f09f32948583c13fb7a3bf421d34a469ba5cd4b0b8ce080a5febaf2e8369b
-  data.tar.gz: 671271047cdaa71aa6cbf6595d35623b9cfdc79e59aa2a5f9f6e8af59e1d6e52
+  metadata.gz: b8ae1bb70a0b39ac31708c2fdf869efddacfff7f068db020ea65c4a5039b4ff8
+  data.tar.gz: ca7b78cb1d13e258c4881575a672b5ed2ea9d41d66c408839deedb7ae993c632
 SHA512:
-  metadata.gz: 5d95a176bd531635ac2502eb147384da9ac0417020dc17e6e0592ba508ece19c70cd1e7037718ffcfdb4b1bcedb3dd6c2866746923328fe5777c075e542aabb0
-  data.tar.gz: 9e693a863adeabb6940f06832ecfd67c30fbcfb6106108f228c3e3959b1bb0892601cca649a5d3a009ec645b24750f5a467a3942be4202c9c30d353102fb4722
+  metadata.gz: f7f19b4eef6c03108c991ed6db9bdfe6c8c1237685ff2d3651e594c9fde0ac499785fc1b2db2e702c3dfc0b49d386966b482d42f69e7179ab04eb5914fcbd877
+  data.tar.gz: f6b3d618c83c9a0fed4edc11b5046a9170921ad2762bb4c5479558540f20f64367e3fa62bb8a3cd2769da7f22be338cddbfff29c57f9b94862b9c096acef5e65

data/.version

@@ -1 +1 @@
-v5.17.0
+v5.19.0

data/CHANGELOG.md

@@ -1,5 +1,36 @@
 # Change Log
 
+## [v5.19.0](https://github.com/auth0/ruby-auth0/tree/v5.19.0) (2026-05-08)
+[Full Changelog](https://github.com/auth0/ruby-auth0/compare/v5.18.1...v5.19.0)
+
+**Added**
+- Make Auth0::Client#get_token public [\#725](https://github.com/auth0/ruby-auth0/pull/725) ([ttstarck](https://github.com/ttstarck))
+
+**Fixed**
+- Ship only runtime files in packaged gem to eliminate scanner false positives [\#721](https://github.com/auth0/ruby-auth0/pull/721) ([tmertens](https://github.com/tmertens))
+
+## [v5.18.1](https://github.com/auth0/ruby-auth0/tree/v5.18.1) (2026-03-13)
+[Full Changelog](https://github.com/auth0/ruby-auth0/compare/v5.18.0...v5.18.1)
+
+**Changed**
+- chore(deps): bump zache from 0.15.0 to 0.15.2 [\#691](https://github.com/auth0/ruby-auth0/pull/691) ([dependabot[bot]](https://github.com/apps/dependabot))
+- chore(deps): bump jwt from 2.9.3 to 2.10.2 [\#682](https://github.com/auth0/ruby-auth0/pull/682) ([dependabot[bot]](https://github.com/apps/dependabot))
+- chore(deps): bump addressable from 2.8.7 to 2.8.8 [\#686](https://github.com/auth0/ruby-auth0/pull/686) ([dependabot[bot]](https://github.com/apps/dependabot))
+- chore(deps): bump zache from 0.13.2 to 0.15.0 [\#649](https://github.com/auth0/ruby-auth0/pull/649) ([dependabot[bot]](https://github.com/apps/dependabot))
+
+**Fixed**
+- fix deleting array content when passing an array as payload [\#697](https://github.com/auth0/ruby-auth0/pull/697) ([carlastabile](https://github.com/carlastabile))
+
+**Security**
+- fix(deps): upgrade dev dependencies to resolve Snyk security vulnerab… [\#704](https://github.com/auth0/ruby-auth0/pull/704) ([arpit-jn](https://github.com/arpit-jn))
+
+## [v5.18.0](https://github.com/auth0/ruby-auth0/tree/v5.18.0) (2024-11-25)
+[Full Changelog](https://github.com/auth0/ruby-auth0/compare/v5.17.0...v5.18.0)
+
+**Added**
+- Add Refresh Token endpoints for the Auth0 Management API #614 [\#623](https://github.com/auth0/ruby-auth0/pull/623) ([arpit-jn](https://github.com/arpit-jn))
+- Add Management API calls for session API endpoints #613 [\#616](https://github.com/auth0/ruby-auth0/pull/616) ([arpit-jn](https://github.com/arpit-jn))
+
 ## [v5.17.0](https://github.com/auth0/ruby-auth0/tree/v5.17.0) (2024-05-24)
 [Full Changelog](https://github.com/auth0/ruby-auth0/compare/v5.16.0...v5.17.0)
 

data/README.md

@@ -7,11 +7,23 @@ Ruby API client for the [Auth0](https://auth0.com) platform.
 [![codecov](https://codecov.io/gh/auth0/ruby-auth0/branch/master/graph/badge.svg)](https://codecov.io/gh/auth0/ruby-auth0)
 [![Yard Docs](http://img.shields.io/badge/yard-docs-blue.svg)](http://www.rubydoc.info/github/auth0/ruby-auth0/master/frames)
 [![MIT licensed](https://img.shields.io/dub/l/vibe-d.svg?style=flat)](https://github.com/auth0/ruby-auth0/blob/master/LICENSE)
+[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/auth0/ruby-auth0)
 
 <div>
 📚 <a href="#documentation">Documentation</a> - 🚀 <a href="#getting-started">Getting started</a> - 💻 <a href="#api-reference">API reference</a> - 💬 <a href="#feedback">Feedback</a>
 </div>
 
+> [!NOTE]
+> **[v6.0.0.beta.0](https://github.com/auth0/ruby-auth0/releases/tag/v6.0.0.beta.0) is now available!** This release features a completely rewritten Management API client, auto-generated from the Auth0 OpenAPI spec using [Fern](https://buildwithfern.com/), with strongly-typed responses, built-in pagination, and automatic token management.
+>
+> ```bash
+> gem install auth0 --pre
+> ```
+>
+> We'd love your feedback - please [open an issue](https://github.com/auth0/ruby-auth0/issues/new) if you encounter any problems.
+>
+> 📖 [Migration Guide](https://github.com/auth0/ruby-auth0/blob/v6/v6_MIGRATION_GUIDE.md) ・ [Changelog](https://github.com/auth0/ruby-auth0/blob/v6/CHANGELOG.md) ・ [API Reference](https://github.com/auth0/ruby-auth0/blob/v6/reference.md)
+
 ## Documentation
 
 - [API documentation](https://www.rubydoc.info/gems/auth0) - documentation auto-generated from the code comments that explains all the available features
@@ -127,4 +139,4 @@ Please do not report security vulnerabilities on the public GitHub issue tracker
 </p>
 <p align="center">
   This project is licensed under the MIT license. See the <a href="https://github.com/auth0/ruby-auth0/blob/master/LICENSE"> LICENSE</a> file for more info.
-</p>
+</p>

data/auth0.gemspec

@@ -11,9 +11,7 @@ Gem::Specification.new do |s|
   s.summary     = 'Auth0 API Client'
   s.description = 'Ruby toolkit for Auth0 API https://auth0.com.'
 
-  s.files         = `git ls-files`.split("\n")
-  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
-  s.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
+  s.files         = Dir['lib/**/*.rb'] + %w[LICENSE README.md CHANGELOG.md auth0.gemspec .version]
   s.require_paths = ['lib']
 
   s.add_runtime_dependency 'rest-client', '~> 2.1'
@@ -26,7 +24,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'rake', '~> 13.0'
   s.add_development_dependency 'fuubar', '~> 2.0'
   s.add_development_dependency 'guard-rspec', '~> 4.5' unless ENV['CIRCLECI']
-  s.add_development_dependency 'dotenv-rails', '~> 2.0'
+  s.add_development_dependency 'dotenv', '~> 3.0'
   s.add_development_dependency 'rspec', '~> 3.11'
   s.add_development_dependency 'simplecov', '~> 0.9'
   s.add_development_dependency 'faker', '~> 2.0'

data/lib/auth0/api/v2/refresh_tokens.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Auth0
+  module Api
+    module V2
+      # Methods to use the Refresh Token endpoints
+      module RefreshTokens
+        # Retrieve refresh token information.
+        # @see https://auth0.com/docs/api/management/v2/refresh-tokens/get-refresh-token
+        # @param id [string] The id of the refresh token to retrieve
+        def refresh_token(id)
+          raise Auth0::InvalidParameter, 'Must supply a valid id' if id.to_s.empty?
+
+          get "#{resource_path}/#{id}"
+        end
+
+        # Delete a refresh token by its ID.
+        # @see https://auth0.com/docs/api/management/v2/refresh-tokens/delete-refresh-token
+        # @param id [string] The id of the refresh token to delete
+        def delete_refresh_token(id)
+          raise Auth0::InvalidParameter, 'Must supply a valid id' if id.to_s.empty?
+
+          delete "#{resource_path}/#{id}"
+        end
+
+        private
+
+        def resource_path
+          @resource_path ||= '/api/v2/refresh-tokens'
+        end
+      end
+    end
+  end
+end

data/lib/auth0/api/v2/sessions.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Auth0
+  module Api
+    module V2
+      # Methods to use the Session endpoints
+      module Sessions
+        # Retrieve session information by id
+        # @see https://auth0.com/docs/api/management/v2/sessions/get-session
+        # @param id [string] The id of the session to retrieve.
+        def session(session_id)
+          raise Auth0::InvalidParameter, 'Must supply a valid session_id' if session_id.to_s.empty?
+
+          get "#{sessions_path}/#{session_id}"
+        end
+
+        # Deletes a session by id
+        # @see https://auth0.com/docs/api/management/v2/sessions/delete-session
+        # @param id [string] The id of the session to delete.
+        def delete_session(session_id)
+          raise Auth0::InvalidParameter, 'Must supply a valid session_id' if session_id.to_s.empty?
+
+          delete "#{sessions_path}/#{session_id}"
+        end
+
+        # Revokes a session by ID and all associated refresh tokens
+        # @see https://auth0.com/docs/api/management/v2/sessions/revoke-session
+        # @param id [string] The ID of the session to revoke
+        def revoke_session(session_id)
+          raise Auth0::InvalidParameter, 'Must supply a valid session_id' if session_id.to_s.empty?
+
+          post "#{sessions_path}/#{session_id}/revoke"
+        end
+
+        private
+
+        def sessions_path
+          @sessions_path ||= '/api/v2/sessions'
+        end
+      end
+    end
+  end
+end

data/lib/auth0/api/v2/users.rb

@@ -1,7 +1,7 @@
 module Auth0
   module Api
     module V2
-      # Methods to use the users endpoints
+      # Methods to use the users' endpoints
       module Users
         include Auth0::Mixins::Validation
 
@@ -94,10 +94,10 @@ module Auth0
         # Some considerations:
         # The properties of the new object will replace the old ones.
         # The metadata fields are an exception to this rule (user_metadata and app_metadata). These properties are
-        # merged instead of being replaced but be careful, the merge only occurs on the first level.
+        # merged instead of being replaced, but be careful, the merge only occurs on the first level.
         # If you are updating email_verified, phone_verified, username or password you need to specify the connection
         # property too.
-        # If your are updating email or phone_number you need to specify the connection and the client_id properties.
+        # If you are updating email or phone_number you need to specify the connection and the client_id properties.
         # @see https://auth0.com/docs/api/v2#!/Users/patch_users_by_id
         # @param user_id [string] The user_id of the user to update.
         # @param body [hash] The optional parameters to update.
@@ -137,7 +137,7 @@ module Auth0
         # update:current_user_identities scope. In this case only the link_with param is required in the body,
         # containing the JWT obtained upon the secondary account's authentication.
         # 2. With an API V2 generated token with update:users scope. In this case you need to send provider and user_id
-        # in the body. Optionally you can also send the connection_id param which is suitable for identifying a
+        # in the body. Optionally, you can also send the connection_id param, which is suitable for identifying a
         # particular database connection for the 'auth0' provider.
         # @see https://auth0.com/docs/api/v2#!/Users/post_identities
         # @param user_id [string] The user_id of the primary identity where you are linking the secondary account to.
@@ -465,13 +465,45 @@ module Auth0
           get "#{users_path}/#{user_id}/sessions"
         end
 
+        # Retrieve details for a user's refresh tokens.
+        # @see https://auth0.com/docs/api/management/v2/users/get-refresh-tokens-for-user
+        #
+        # @param use_id [String] The user ID
+        # @param options [hash] A hash of options for getting permissions
+        #   * :take [Integer] Number of results per page. Defaults to 50.
+        #   * :from [String] Optional token ID from which to start selection (exclusive).
+        #   * :include_totals [boolean] Return results inside an object that contains the total result count (true)
+        #     or as a direct array of results (false, default)
+        #
+        # @return [json] Returns refresh tokens for the given user_id.
+        def user_refresh_tokens(user_id, options = {})
+          raise Auth0::MissingUserId, 'Must supply a valid user_id' if user_id.to_s.empty?
+
+          request_params = {
+            take: options.fetch(:take, nil),
+            from: options.fetch(:from, nil),
+            include_totals: options.fetch(:include_totals, nil)
+          }
+
+          get "#{users_path}/#{user_id}/refresh-tokens", request_params
+        end
+
+        # Delete all refresh tokens for a user.
+        #
+        # @param user_id [String] ID of the user to get remove refresh tokens for
+        # @see https://auth0.com/docs/api/management/v2/users/delete-refresh-tokens-for-user
+        def delete_user_refresh_tokens(user_id)
+          raise Auth0::MissingUserId, 'Must supply a valid user_id' if user_id.to_s.empty?
+
+          delete "#{users_path}/#{user_id}/refresh-tokens"
+        end
+
         private
 
         # Users API path
         def users_path
           @users_path ||= '/api/v2/users'
         end
-
       end
     end
   end

data/lib/auth0/api/v2.rb

@@ -11,6 +11,7 @@ require 'auth0/api/v2/emails'
 require 'auth0/api/v2/jobs'
 require 'auth0/api/v2/prompts'
 require 'auth0/api/v2/organizations'
+require 'auth0/api/v2/refresh_tokens'
 require 'auth0/api/v2/rules'
 require 'auth0/api/v2/roles'
 require 'auth0/api/v2/stats'
@@ -24,6 +25,7 @@ require 'auth0/api/v2/log_streams'
 require 'auth0/api/v2/resource_servers'
 require 'auth0/api/v2/guardian'
 require 'auth0/api/v2/attack_protection'
+require 'auth0/api/v2/sessions'
 
 module Auth0
   module Api
@@ -45,6 +47,7 @@ module Auth0
       include Auth0::Api::V2::LogStreams
       include Auth0::Api::V2::Prompts
       include Auth0::Api::V2::Organizations
+      include Auth0::Api::V2::RefreshTokens
       include Auth0::Api::V2::Rules
       include Auth0::Api::V2::Roles
       include Auth0::Api::V2::Stats
@@ -55,6 +58,7 @@ module Auth0
       include Auth0::Api::V2::Tenants
       include Auth0::Api::V2::Tickets
       include Auth0::Api::V2::AttackProtection
+      include Auth0::Api::V2::Sessions
     end
   end
 end

data/lib/auth0/mixins/httpproxy.rb

@@ -1,6 +1,8 @@
-require "addressable/uri"
-require "retryable"
-require_relative "../exception.rb"
+# frozen_string_literal: true
+
+require 'addressable/uri'
+require 'retryable'
+require_relative '../exception'
 
 module Auth0
   module Mixins
@@ -8,6 +10,7 @@ module Auth0
     # for now, if you want to feel free to use your own http client
     module HTTPProxy
       attr_accessor :headers, :base_uri, :timeout, :retry_count
+
       DEFAULT_RETRIES = 3
       MAX_ALLOWED_RETRIES = 10
       MAX_REQUEST_RETRY_JITTER = 250
@@ -16,10 +19,10 @@ module Auth0
       BASE_DELAY = 100
 
       # proxying requests from instance methods to HTTP class methods
-      %i(get post post_file post_form put patch delete delete_with_body).each do |method|
+      %i[get post post_file post_form put patch delete delete_with_body].each do |method|
         define_method(method) do |uri, body = {}, extra_headers = {}|
-          body = body.delete_if { |_, v| v.nil? }
-          token = get_token()
+          body = safe_merge_body(body, extra_headers)
+          token = get_token
           authorization_header(token) unless token.nil?
           request_with_retry(method, uri, body, extra_headers)
         end
@@ -27,8 +30,8 @@ module Auth0
 
       def retry_options
         sleep_timer = lambda do |attempt|
-          wait = BASE_DELAY * (2**attempt-1) # Exponential delay with each subsequent request attempt.
-          wait += rand(wait+1..wait+MAX_REQUEST_RETRY_JITTER) # Add jitter to the delay window.
+          wait = BASE_DELAY * (2**attempt - 1) # Exponential delay with each subsequent request attempt.
+          wait += rand(wait + 1..wait + MAX_REQUEST_RETRY_JITTER) # Add jitter to the delay window.
           wait = [MAX_REQUEST_RETRY_DELAY, wait].min # Cap delay at MAX_REQUEST_RETRY_DELAY.
           wait = [MIN_REQUEST_RETRY_DELAY, wait].max # Ensure delay is no less than MIN_REQUEST_RETRY_DELAY.
           wait / 1000.to_f.round(2) # convert ms to seconds
@@ -55,6 +58,7 @@ module Auth0
 
       def add_headers(h = {})
         raise ArgumentError, 'Headers must be an object which responds to #to_hash' unless h.respond_to?(:to_hash)
+
         @headers ||= {}
         @headers.merge!(h.to_hash)
       end
@@ -72,28 +76,29 @@ module Auth0
       end
 
       def request(method, uri, body = {}, extra_headers = {})
-        result = if method == :get
-          @headers ||= {}
-          get_headers = @headers.merge({params: body}).merge(extra_headers)
-          call(:get, encode_uri(uri), timeout, get_headers)
-        elsif method == :delete
-          @headers ||= {}
-          delete_headers = @headers.merge({ params: body })
-          call(:delete, encode_uri(uri), timeout, delete_headers)
-        elsif method == :delete_with_body
-          call(:delete, encode_uri(uri), timeout, headers, body.to_json)
-        elsif method == :post_file
-          body.merge!(multipart: true)
-          # Ignore the default Content-Type headers and let the HTTP client define them
-          post_file_headers = headers.except('Content-Type') if headers != nil
-          # Actual call with the altered headers
-          call(:post, encode_uri(uri), timeout, post_file_headers, body)
-        elsif method == :post_form
-          form_post_headers = headers.except('Content-Type') if headers != nil
-          call(:post, encode_uri(uri), timeout, form_post_headers, body.compact)
-        else
-          call(method, encode_uri(uri), timeout, headers, body.to_json)
-        end
+        result = case method
+                 when :get
+                   @headers ||= {}
+                   get_headers = @headers.merge({ params: body }).merge(extra_headers)
+                   call(:get, encode_uri(uri), timeout, get_headers)
+                 when :delete
+                   @headers ||= {}
+                   delete_headers = @headers.merge({ params: body })
+                   call(:delete, encode_uri(uri), timeout, delete_headers)
+                 when :delete_with_body
+                   call(:delete, encode_uri(uri), timeout, headers, body.to_json)
+                 when :post_file
+                   body.merge!(multipart: true)
+                   # Ignore the default Content-Type headers and let the HTTP client define them
+                   post_file_headers = headers.except('Content-Type') unless headers.nil?
+                   # Actual call with the altered headers
+                   call(:post, encode_uri(uri), timeout, post_file_headers, body)
+                 when :post_form
+                   form_post_headers = headers.except('Content-Type') unless headers.nil?
+                   call(:post, encode_uri(uri), timeout, form_post_headers, body.compact)
+                 else
+                   call(method, encode_uri(uri), timeout, headers, body.to_json)
+                 end
 
         case result.code
         when 200...226 then safe_parse_json(result.body)
@@ -101,7 +106,8 @@ module Auth0
         when 401       then raise Auth0::Unauthorized.new(result.body, code: result.code, headers: result.headers)
         when 403       then raise Auth0::AccessDenied.new(result.body, code: result.code, headers: result.headers)
         when 404       then raise Auth0::NotFound.new(result.body, code: result.code, headers: result.headers)
-        when 429       then raise Auth0::RateLimitEncountered.new(result.body, code: result.code, headers: result.headers)
+        when 429       then raise Auth0::RateLimitEncountered.new(result.body, code: result.code,
+                                                                               headers: result.headers)
         when 500       then raise Auth0::ServerError.new(result.body, code: result.code, headers: result.headers)
         else           raise Auth0::Unsupported.new(result.body, code: result.code, headers: result.headers)
         end
@@ -118,11 +124,19 @@ module Auth0
       rescue RestClient::Exception => e
         case e
         when RestClient::RequestTimeout
-          raise Auth0::RequestTimeout.new(e.message)
+          raise Auth0::RequestTimeout, e.message
         else
-          return e.response
+          e.response
         end
       end
+
+      private
+      
+      def safe_merge_body(body, extra = {})
+        return body unless body.is_a?(Hash)
+        merged = extra.any? ? body.merge(extra) : body
+        merged.compact
+      end
     end
   end
 end

data/lib/auth0/mixins/token_management.rb

@@ -1,22 +1,14 @@
 module Auth0
   module Mixins
     module TokenManagement
-      
-      private
-
-      def initialize_token(options)
-        @token = options[:access_token] || options[:token]
-        # default expiry to an hour if a token was given but no expires_at
-        @token_expires_at = @token ? options[:token_expires_at] || Time.now.to_i + 3600 : nil 
-
-        @audience = options[:api_identifier] || "https://#{@domain}/api/v2/"
-        get_token() if @token.nil?
-      end
 
+      # Get the Client's api token (or generate a new one if it has expired).
+      #
+      # @note This method may perform a network request to refresh an expired token. It is not thread-safe.
+      # @return [String] the api token
       def get_token
-        # pp @token_expires_at
         has_expired = @token && @token_expires_at ? @token_expires_at < (Time.now.to_i + 10) : false
-        
+
         if (@token.nil? || has_expired) && @client_id && (@client_secret || @client_assertion_signing_key)
           response = api_token(audience: @audience)
           @token = response.token
@@ -27,6 +19,17 @@ module Auth0
           @token
         end
       end
+
+      private
+
+      def initialize_token(options)
+        @token = options[:access_token] || options[:token]
+        # default expiry to an hour if a token was given but no expires_at
+        @token_expires_at = @token ? options[:token_expires_at] || Time.now.to_i + 3600 : nil
+
+        @audience = options[:api_identifier] || "https://#{@domain}/api/v2/"
+        get_token() if @token.nil?
+      end
     end
   end
-end
+end

data/lib/auth0/version.rb

@@ -1,4 +1,4 @@
 # current version of gem
 module Auth0
-  VERSION = '5.17.0'.freeze
+  VERSION = '5.19.0'.freeze
 end