descope 1.0.4

data/lib/descope/api/v1/auth/enchantedlink.rb

@@ -0,0 +1,156 @@
+# frozen_string_literal: true
+
+module Descope
+  module Api
+    module V1
+      module Auth
+        # Holds all the password API calls
+        module EnchantedLink
+          include Descope::Mixins::Validation
+          include Descope::Mixins::Common::EndpointsV1
+          include Descope::Mixins::Common::EndpointsV2
+
+          def enchanted_link_sign_in(login_id: nil, uri: nil, login_options: nil, refresh_token: nil)
+            # Sign-in existing user by sending an enchanted link via email.
+            # @see https://docs.descope.com/api/openapi/enchantedlink/operation/SignInEnchantedLinkEmail/
+            validate_login_id(login_id)
+            validate_refresh_token_provided(login_options, refresh_token)
+            body = enchanted_link_compose_signin_body(login_id, uri, login_options)
+            uri = enchanted_link_compose_signin_url
+            post(uri, body, nil, refresh_token)
+          end
+
+          def enchanted_link_sign_up(login_id: nil, uri: nil, user: {})
+            # Sign-up new end user by sending an enchanted link via email
+            # @see https://docs.descope.com/api/openapi/enchantedlink/operation/SignUpEnchantedLink/
+
+            unless adjust_and_verify_delivery_method(Descope::Mixins::Common::DeliveryMethod::EMAIL, login_id, user)
+              raise Descope::ArgumentException.new(
+                'Invalid delivery method',
+                code: 400
+              )
+            end
+
+            body = enchanted_link_compose_signup_body(login_id, uri, user)
+            uri = enchanted_link_compose_signup_url
+            post(uri, body)
+          end
+
+          def enchanted_link_sign_up_or_in(login_id: nil, uri: nil, login_options: nil)
+            # @see https://docs.descope.com/api/openapi/enchantedlink/operation/SignUpOrInEnchantedLinkEmail/
+            body = enchanted_link_compose_signin_body(login_id, uri, login_options)
+            uri = enchanted_link_compose_sign_up_or_in_url
+            post(uri, body)
+          end
+
+          def enchanted_link_update_user_email(login_id: nil, email: nil, uri: nil, add_to_login_ids: nil, on_merge_use_existing: nil, provider_id: nil, template_id: nil, template_options: nil, refresh_token: nil)
+            validate_login_id(login_id)
+            validate_token_not_empty(refresh_token)
+            validate_email(email)
+
+            body = enchanted_link_compose_update_user_email_body(
+              login_id, email, add_to_login_ids, on_merge_use_existing
+            )
+            body[:redirectUrl] = uri
+            body[:providerId] = provider_id if provider_id
+            body[:templateId] = template_id if template_id
+            body[:templateOptions] = template_options if template_options
+            uri = UPDATE_USER_EMAIL_ENCHANTEDLINK_PATH
+            post(uri, body, {}, refresh_token)
+          end
+
+          def enchanted_link_verify_token(token = nil)
+            validate_token_not_empty(token)
+            post(VERIFY_ENCHANTEDLINK_AUTH_PATH, { token: })
+          end
+
+          def enchanted_link_get_session(pending_ref = nil)
+            # @see https://docs.descope.com/api/openapi/enchantedlink/operation/GetEnchantedLinkSession/
+            res = post(GET_SESSION_ENCHANTEDLINK_AUTH_PATH, { pendingRef: pending_ref })
+            generate_jwt_response(response_body: res, refresh_cookie: res['refreshJwt'])
+          end
+
+          private
+
+          def enchanted_link_compose_signin_body(login_id, uri, login_options)
+            login_options ||= {}
+            unless login_options.is_a?(Hash)
+              raise Descope::ArgumentException.new(
+                'Unable to read login_option, not a Hash',
+                code: 400
+              )
+            end
+
+            body = {
+              loginId: login_id,
+              redirectUrl: uri,
+              loginOptions: {}
+            }
+
+            body[:loginOptions][:stepup] = login_options.fetch(:stepup, false)
+            body[:loginOptions][:mfa] = login_options.fetch(:mfa, false)
+            body[:loginOptions][:customClaims] = login_options.fetch(:custom_claims, {})
+            body[:loginOptions][:ssoAppId] = login_options.fetch(:sso_app_id, nil)
+
+            body
+          end
+
+          def enchanted_link_compose_signin_url
+            compose_url(SIGN_IN_AUTH_ENCHANTEDLINK_PATH, Descope::Mixins::Common::DeliveryMethod::EMAIL)
+          end
+
+          def enchanted_link_compose_signup_url
+            compose_url(SIGN_UP_AUTH_ENCHANTEDLINK_PATH, Descope::Mixins::Common::DeliveryMethod::EMAIL)
+          end
+
+          def enchanted_link_compose_sign_up_or_in_url
+            compose_url(SIGN_UP_OR_IN_AUTH_ENCHANTEDLINK_PATH, Descope::Mixins::Common::DeliveryMethod::EMAIL)
+          end
+
+          def enchanted_link_compose_signup_body(login_id, uri, user)
+            body = {
+              loginId: login_id,
+              redirectUrl: uri
+            }
+
+            unless user.nil? || user.empty?
+              body[:user] = enchantedlink_user_compose_update_body(**user) unless user.empty?
+
+              method_str, val = get_login_id_by_method(method: Descope::Mixins::Common::DeliveryMethod::EMAIL, user:)
+              body[method_str.to_sym] = val
+            end
+
+            body
+          end
+
+          def enchanted_link_compose_update_user_email_body(login_id, email, add_to_login_ids, on_merge_use_existing)
+            body = {
+              loginId: login_id,
+              email:
+            }
+
+            body[:addToLoginIds] = add_to_login_ids if add_to_login_ids
+            body[:onMergeUseExisting] = on_merge_use_existing if on_merge_use_existing
+
+            body
+          end
+
+
+          private
+          def enchantedlink_user_compose_update_body(login_id: nil, name: nil, phone: nil, email: nil, given_name: nil, middle_name: nil, family_name: nil)
+            user = {}
+            user[:loginId] = login_id if login_id
+            user[:name] = name if name
+            user[:phone] = phone if phone
+            user[:email] = email if email
+            user[:givenName] = given_name if given_name
+            user[:middleName] = middle_name if middle_name
+            user[:familyName] = family_name if family_name
+
+            user
+          end
+        end
+      end
+    end
+  end
+end

data/lib/descope/api/v1/auth/magiclink.rb

@@ -0,0 +1,170 @@
+# frozen_string_literal: true
+
+module Descope
+  module Api
+    module V1
+      module Auth
+        # Holds all the password API calls
+        module MagicLink
+          include Descope::Mixins::Validation
+          include Descope::Mixins::Common::EndpointsV1
+          include Descope::Mixins::Common::EndpointsV2
+
+          def magiclink_sign_up(method: nil, login_id: nil, uri: nil, user: {}, provider_id: nil, template_id: nil)
+            # Sign-up new end user by sending a magic link via email
+            # @see https://docs.descope.com/api/openapi/magiclink/operation/SignUpMagicLinkEmail/
+            validate_login_id(login_id)
+
+            body = magiclink_compose_signup_body(login_id, uri, user, method)
+            body[:providerId] = provider_id if provider_id
+            body[:templateId] = template_id if template_id
+            uri = magiclink_compose_signup_url(method)
+            res = post(uri, body)
+            extract_masked_address(res, method)
+          end
+
+          def magiclink_sign_in(method: nil, login_id: nil, uri: nil, login_options: nil, refresh_token: nil)
+            validate_login_id(login_id)
+            validate_refresh_token_provided(login_options, refresh_token)
+            body = magiclink_compose_signin_body(login_id, uri, login_options)
+            uri = magiclink_compose_signin_url(method)
+            res = post(uri, body, {}, refresh_token)
+            extract_masked_address(res, method)
+          end
+
+          def magiclink_sign_up_or_in(method: nil, login_id: nil, uri: nil, login_options: nil)
+            body = magiclink_compose_signin_body(login_id, uri, login_options)
+            uri = magiclink_compose_sign_up_or_in_url(method)
+            res = post(uri, body)
+            extract_masked_address(res, method)
+          end
+
+          def magiclink_verify_token(token = nil)
+            validate_token_not_empty(token)
+            res = post(VERIFY_MAGICLINK_AUTH_PATH, { token: })
+            generate_jwt_response(response_body: res)
+          end
+
+          def magiclink_update_user_email(login_id: nil, email: nil, uri: nil, add_to_login_ids: nil, on_merge_use_existing: nil, provider_id: nil, template_id: nil, template_options: nil, refresh_token: nil)
+            validate_login_id(login_id)
+            validate_token_not_empty(refresh_token)
+            validate_email(email)
+
+            body = magiclink_compose_update_user_email_body(login_id, email, uri, add_to_login_ids, on_merge_use_existing)
+            body[:providerId] = provider_id if provider_id
+            body[:templateId] = template_id if template_id
+            body[:templateOptions] = template_options if template_options
+            uri = UPDATE_USER_EMAIL_MAGICLINK_PATH
+            res = post(uri, body, {}, refresh_token)
+            extract_masked_address(res, Descope::Mixins::Common::DeliveryMethod::EMAIL)
+          end
+
+          def magiclink_update_user_phone(login_id: nil, phone: nil, uri: nil, add_to_login_ids: nil, on_merge_use_existing: nil, provider_id: nil, template_id: nil, template_options: nil, method: nil, refresh_token: nil)
+            validate_login_id(login_id)
+            validate_token_not_empty(refresh_token)
+            validate_phone(method, phone)
+
+            body = magiclink_compose_update_user_phone_body(login_id, phone, uri, add_to_login_ids, on_merge_use_existing)
+            body[:providerId] = provider_id if provider_id
+            body[:templateId] = template_id if template_id
+            body[:templateOptions] = template_options if template_options
+            uri = UPDATE_USER_PHONE_MAGICLINK_PATH
+            res = post(uri, body, {}, refresh_token)
+            extract_masked_address(res, Descope::Mixins::Common::DeliveryMethod::SMS)
+          end
+
+          private
+
+          def magiclink_compose_signin_url(method = nil)
+            method = Descope::Mixins::Common::DeliveryMethod::EMAIL if method.nil?
+            compose_url(SIGN_IN_AUTH_MAGICLINK_PATH, method)
+          end
+
+          def magiclink_compose_signup_url(method = nil)
+            method = Descope::Mixins::Common::DeliveryMethod::EMAIL if method.nil?
+            compose_url(SIGN_UP_AUTH_MAGICLINK_PATH, method)
+          end
+
+          def magiclink_compose_sign_up_or_in_url(method = nil)
+            method = Descope::Mixins::Common::DeliveryMethod::EMAIL if method.nil?
+            compose_url(SIGN_UP_OR_IN_AUTH_MAGICLINK_PATH, method)
+          end
+
+          def magiclink_compose_signup_body(login_id, uri, user = nil, method = nil)
+            body = {
+              loginId: login_id,
+              redirectUrl: uri
+            }
+
+            unless user.nil?
+              body[:user] = magiclink_user_compose_update_body(**user) unless user.empty?
+
+              method_str, val = get_login_id_by_method(method:, user:)
+              body[method_str.to_sym] = val
+            end
+
+            body
+          end
+
+          # rubocop:disable Metrics/MethodLength
+          def magiclink_compose_signin_body(login_id, uri, login_options)
+            login_options ||= {}
+            unless login_options.is_a?(Hash)
+              raise Descope::ArgumentException.new(
+                'Unable to read login_option, not a Hash',
+                code: 400
+              )
+            end
+
+            body = {
+              loginId: login_id,
+              redirectUrl: uri,
+              loginOptions: {}
+            }
+
+            body[:loginOptions][:stepup] = login_options.fetch(:stepup, false)
+            body[:loginOptions][:mfa] = login_options.fetch(:mfa, false)
+            body[:loginOptions][:customClaims] = login_options.fetch(:custom_claims, {})
+            body[:loginOptions][:ssoAppId] = login_options.fetch(:sso_app_id, nil)
+
+            body
+          end
+
+          def magiclink_compose_update_user_email_body(login_id, email, uri, add_to_login_ids, on_merge_use_existing)
+            {
+              loginId: login_id,
+              email:,
+              redirectUrl: uri,
+              addToLoginIDs: add_to_login_ids,
+              onMergeUseExisting: on_merge_use_existing
+            }
+          end
+
+          def magiclink_compose_update_user_phone_body(login_id, phone, uri, add_to_login_ids, on_merge_use_existing)
+            {
+              loginId: login_id,
+              phone:,
+              redirectUrl: uri,
+              addToLoginIDs: add_to_login_ids,
+              onMergeUseExisting: on_merge_use_existing
+            }
+          end
+
+          private
+          def magiclink_user_compose_update_body(login_id: nil, name: nil, phone: nil, email: nil, given_name: nil, middle_name: nil, family_name: nil)
+            user = {}
+            user[:loginId] = login_id if login_id
+            user[:name] = name if name
+            user[:phone] = phone if phone
+            user[:email] = email if email
+            user[:givenName] = given_name if given_name
+            user[:middleName] = middle_name if middle_name
+            user[:familyName] = family_name if family_name
+
+            user
+          end
+        end
+      end
+    end
+  end
+end

data/lib/descope/api/v1/auth/oauth.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+require 'cgi'
+
+module Descope
+  module Api
+    module V1
+      module Auth
+        # Holds all the password API calls
+        module OAuth
+          include Descope::Mixins::Validation
+          include Descope::Mixins::Common::EndpointsV1
+          include Descope::Mixins::Common::EndpointsV2
+
+          def oauth_start(provider: nil, return_url: nil, prompt: nil, login_options: nil, refresh_token: nil, template_options: nil)
+            body = compose_start_params(login_options:, template_options:)
+            url = "#{OAUTH_START_PATH}?provider=#{provider}"
+            url += "&redirectUrl=#{CGI.escape(return_url)}" if return_url
+            url += "&prompt=#{CGI.escape(prompt)}" if prompt
+            post(url, body, {}, refresh_token)
+          end
+
+          def oauth_exchange_token(code = nil)
+            exchange_token(OAUTH_EXCHANGE_TOKEN_PATH, code)
+          end
+
+          def oauth_create_redirect_url_for_sign_in_request(stepup: false, custom_claims: {}, mfa: false,
+                                                            sso_app_id: nil)
+            request_params = {
+              stepup:,
+              customClaims: custom_claims,
+              mfa:,
+              ssoAppId: sso_app_id
+            }
+            post(OAUTH_CREATE_REDIRECT_URL_FOR_SIGN_IN_REQUEST_PATH, request_params)
+          end
+
+          def oauth_create_redirect_url_for_sign_up_request(stepup: false, custom_claims: {}, mfa: false,
+                                                            sso_app_id: nil)
+            request_params = {
+              stepup:,
+              customClaims: custom_claims,
+              mfa:,
+              ssoAppId: sso_app_id
+            }
+            post(OAUTH_CREATE_REDIRECT_URL_FOR_SIGN_UP_REQUEST_PATH, request_params)
+          end
+
+          private
+
+          def compose_start_params(login_options: nil, template_options: nil)
+            login_options ||= {}
+
+            unless login_options.is_a?(Hash)
+              raise Descope::ArgumentException.new(
+                'Unable to read login_options, not a Hash',
+                code: 400
+              )
+            end
+
+            body = {}
+            body[:stepup] = login_options.fetch(:stepup, false)
+            body[:mfa] = login_options.fetch(:mfa, false)
+            body[:customClaims] = login_options.fetch(:custom_claims, {})
+            body[:ssoAppId] = login_options.fetch(:sso_app_id, nil) if login_options.key?(:sso_app_id)
+            body[:templateOptions] = template_options unless template_options.nil?
+            body
+          end
+        end
+      end
+    end
+  end
+end

data/lib/descope/api/v1/auth/otp.rb

@@ -0,0 +1,186 @@
+# frozen_string_literal: true
+
+module Descope
+  module Api
+    module V1
+      module Auth
+        # Holds all the password API calls
+        module OTP
+          include Descope::Mixins::Validation
+          include Descope::Mixins::Common::EndpointsV1
+          include Descope::Mixins::Common::EndpointsV2
+
+          def otp_sign_in(method: nil, login_id: nil, login_options: nil, refresh_token: nil,  provider_id: nil,
+                          template_id: nil, sso_app_id: nil)
+            # Sign in (log in) an existing user with the unique login_id you provide. (See 'sign_up' function for an explanation of the
+            # login_id field.) Provide the DeliveryMethod required for this user. If the login_id value cannot be used for the
+            # DeliverMethod selected (for example, 'login_id = 4567qq445km' and 'DeliveryMethod = email')
+            validate_login_id(login_id)
+            uri = otp_compose_signin_url(method)
+            body = otp_compose_signin_body(login_id, login_options, provider_id, template_id, sso_app_id)
+            res = post(uri, body, {}, refresh_token)
+            extract_masked_address(res, method)
+          end
+
+          def otp_sign_up(method: nil, login_id: nil, user: {}, provider_id: nil, template_id: nil)
+            #  Sign up (create) a new user using their email or phone number. Choose a delivery method for OTP
+            #  verification, for example email, SMS, or WhatsApp.
+            #  (optional) Include additional user metadata that you wish to preserve.
+            user ||= {}
+
+            raise AuthException unless adjust_and_verify_delivery_method(method, login_id, user)
+
+            uri = otp_compose_signup_url(method)
+            body = otp_compose_signup_body(method, login_id, user, provider_id, template_id)
+            res = post(uri, body)
+            extract_masked_address(res, method)
+          end
+
+          def otp_sign_up_or_in(method: nil, login_id: nil, login_options: nil, provider_id: nil, template_id: nil,
+                                sso_app_id: nil)
+            #  Sign_up_or_in lets you handle both sign up and sign in with a single call. Sign-up_or_in will first
+            #  determine if login_id is a new or existing end user. If login_id is new, a new end user user will be
+            #  created and then authenticated using the OTP DeliveryMethod specified.
+            #  If login_id exists, the end user will be authenticated using the OTP DeliveryMethod specified.
+            validate_login_id(login_id)
+            uri = otp_compose_sign_up_or_in_url(method)
+            body = otp_compose_signin_body(login_id, login_options, provider_id, template_id, sso_app_id)
+            res = post(uri, body)
+            extract_masked_address(res, method)
+          end
+
+          def otp_verify_code(method: nil, login_id: nil, code: nil)
+            validate_login_id(login_id)
+            uri = otp_compose_verify_code_url(method)
+            request_params = {
+              loginId: login_id,
+              code:
+            }
+            res = post(uri, request_params)
+            generate_jwt_response(response_body: res, refresh_cookie: res.fetch('refreshJwt', {}))
+          end
+
+          def otp_update_user_email(login_id: nil, email: nil, refresh_token: nil, add_to_login_ids: false,
+                                    on_merge_use_existing: false, provider_id: nil, template_id: nil)
+            # Update the email address of an end user, after verifying the authenticity of the end user using OTP.
+            validate_login_id(login_id)
+            validate_email(email)
+            request_params = {
+              loginId: login_id,
+              email:,
+              addToLoginIDs: add_to_login_ids,
+              onMergeUseExisting: on_merge_use_existing
+            }
+            request_params[:providerId] = provider_id if provider_id
+            request_params[:templateId] = template_id if template_id
+            res = post(UPDATE_USER_EMAIL_OTP_PATH, request_params, {}, refresh_token)
+            extract_masked_address(res, DeliveryMethod::EMAIL)
+          end
+
+          def otp_update_user_phone(
+            method: nil, login_id: nil, phone: nil, refresh_token: nil, add_to_login_ids: false,
+            on_merge_use_existing: false, provider_id: nil, template_id: nil
+          )
+            # Update the phone number of an existing end user, after verifying the authenticity of the end user using OTP.
+            validate_login_id(login_id)
+            validate_phone(method, phone)
+            uri = otp_compose_update_phone_url(method)
+            request_params = {
+              loginId: login_id,
+              phone:,
+              addToLoginIDs: add_to_login_ids,
+              onMergeUseExisting: on_merge_use_existing
+            }
+            request_params[:providerId] = provider_id if provider_id
+            request_params[:templateId] = template_id if template_id
+            res = post(uri, request_params, {}, refresh_token)
+            extract_masked_address(res, method)
+          end
+
+          private
+
+          def otp_compose_signin_url(method = nil)
+            method = Descope::Mixins::Common::DeliveryMethod::EMAIL if method.nil?
+            compose_url(SIGN_IN_AUTH_OTP_PATH, method)
+          end
+
+          def otp_compose_signup_url(method = nil)
+            method = Descope::Mixins::Common::DeliveryMethod::EMAIL if method.nil?
+            compose_url(SIGN_UP_AUTH_OTP_PATH, method)
+          end
+
+          def otp_compose_sign_up_or_in_url(method = nil)
+            method = Descope::Mixins::Common::DeliveryMethod::EMAIL if method.nil?
+            compose_url(SIGN_UP_OR_IN_AUTH_OTP_PATH, method)
+          end
+
+          def otp_compose_verify_code_url(method = nil)
+            method = Descope::Mixins::Common::DeliveryMethod::EMAIL if method.nil?
+            compose_url(VERIFY_CODE_AUTH_PATH, method)
+          end
+
+          def otp_compose_update_phone_url(method = nil)
+            method = Descope::Mixins::Common::DeliveryMethod::SMS if method.nil?
+            compose_url(UPDATE_USER_PHONE_OTP_PATH, method)
+          end
+
+          # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+          def otp_compose_signup_body(method, login_id, user, provider_id, template_id)
+            body = {
+              loginId: login_id,
+            }
+
+            unless user.nil?
+              body[:user] = otp_user_compose_update_body(**user) unless user.empty?
+              method_str, val = get_login_id_by_method(method:, user:)
+              body[method_str.to_sym] = val
+            end
+
+            body[:provider_id] = provider_id if provider_id
+            body[:template_id] = template_id if template_id
+
+            body
+          end
+
+          def otp_compose_signin_body(login_id, login_options, provider_id, template_id, sso_app_id)
+            login_options ||= {}
+            unless login_options.is_a?(Hash)
+              raise Descope::ArgumentException.new(
+                'Unable to read login_option, not a Hash',
+                code: 400
+              )
+            end
+
+            body = {
+              loginId: login_id,
+              loginOptions: {}
+            }
+            body[:providerId] = provider_id if provider_id
+            body[:templateId] = template_id if template_id
+            body[:ssoAppId] = sso_app_id if sso_app_id
+            body[:loginOptions][:stepup] = login_options.fetch(:stepup, false)
+            body[:loginOptions][:mfa] = login_options.fetch(:mfa, false)
+            body[:loginOptions][:customClaims] = login_options.fetch(:custom_claims, {})
+            body[:loginOptions][:ssoAppId] = login_options.fetch(:sso_app_id, nil)
+
+            body
+          end
+
+          private
+          def otp_user_compose_update_body(login_id: nil, name: nil, phone: nil, email: nil, given_name: nil, middle_name: nil, family_name: nil)
+            user = {}
+            user[:loginId] = login_id if login_id
+            user[:name] = name if name
+            user[:phone] = phone if phone
+            user[:email] = email if email
+            user[:givenName] = given_name if given_name
+            user[:middleName] = middle_name if middle_name
+            user[:familyName] = family_name if family_name
+
+            user
+          end
+        end
+      end
+    end
+  end
+end

data/lib/descope/api/v1/auth/password.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+module Descope
+  module Api
+    module V1
+      module Auth
+        # Holds all the password API calls
+        module Password
+          include Descope::Mixins::Validation
+          include Descope::Mixins::Common::EndpointsV1
+          include Descope::Mixins::Common::EndpointsV2
+
+          def password_sign_up(login_id: nil, password: nil, user: nil)
+            # Sign up (create) a new user using a login ID and password.
+            # (optional) Include additional user metadata that you wish to save.
+            validate_login_id(login_id)
+            validate_password(password)
+            request_params = {
+              loginId: login_id,
+              password:
+            }
+
+            request_params[:user] = password_user_compose_update_body(**user) unless user.nil?
+            res = post(SIGN_UP_PASSWORD_PATH, request_params)
+            generate_jwt_response(response_body: res)
+          end
+
+          def password_sign_in(login_id: nil, password: nil, sso_app_id: nil)
+            # Sign-In an existing user utilizing password authentication. This endpoint will return the user's JWT..
+            # Return dict in the format
+            #  {"jwts": [], "user": "", "firstSeen": "", "error": ""}
+            # Includes all the jwts tokens (session token, refresh token), token claims, and user information
+            validate_login_id(login_id)
+            validate_password(password)
+            request_params = {
+              loginId: login_id,
+              password:,
+              ssoAppId: sso_app_id
+            }
+            res = post(SIGN_IN_PASSWORD_PATH, request_params)
+            generate_jwt_response(response_body: res)
+          end
+
+          def password_replace(login_id: nil, old_password: nil, new_password: nil)
+            # Replace an existing user's password with a new password.
+            validate_login_id(login_id)
+            validate_password(old_password)
+            validate_password(new_password)
+            request_params = {
+              loginId: login_id,
+              oldPassword: old_password,
+              newPassword: new_password
+            }
+            post(REPLACE_PASSWORD_PATH, request_params)
+          end
+
+          def password_update(login_id: nil, new_password: nil, refresh_token: nil)
+            # Update an existing user's password with a new password.
+            validate_login_id(login_id)
+            validate_password(new_password)
+            validate_refresh_token_not_nil(refresh_token)
+            request_params = {
+              loginId: login_id,
+              newPassword: new_password
+            }
+            post(UPDATE_PASSWORD_PATH, request_params, {}, refresh_token)
+          end
+
+          def get_password_policy(refresh_token = nil)
+            # Get the configured password policy for the project.
+            get(PASSWORD_POLICY_PATH, {}, {}, refresh_token)
+          end
+
+          def password_reset(login_id: nil, redirect_url: nil, provider_id: nil, template_id: nil)
+            #  Sends a password reset prompt to the user with the given
+            #  login_id according to the password settings defined in the Descope console.
+            # NOTE: The user must be verified according to the configured password reset method.
+            validate_login_id(login_id)
+            post(SEND_RESET_PASSWORD_PATH,
+                 loginId: login_id, redirectUrl: redirect_url, providerId: provider_id, templateId: template_id)
+          end
+
+          private
+          def password_user_compose_update_body(login_id: nil, name: nil, phone: nil, email: nil, given_name: nil, middle_name: nil, family_name: nil)
+            user = {}
+            user[:loginId] = login_id if login_id
+            user[:name] = name if name
+            user[:phone] = phone if phone
+            user[:email] = email if email
+            user[:givenName] = given_name if given_name
+            user[:middleName] = middle_name if middle_name
+            user[:familyName] = family_name if family_name
+
+            user
+          end
+        end
+      end
+    end
+  end
+end