descope 1.0.5 → 1.0.7

data/lib/descope/api/v1/auth/enchantedlink.rb

@@ -67,7 +67,9 @@ module Descope
           def enchanted_link_get_session(pending_ref = nil)
             # @see https://docs.descope.com/api/openapi/enchantedlink/operation/GetEnchantedLinkSession/
             res = post(GET_SESSION_ENCHANTEDLINK_AUTH_PATH, { pendingRef: pending_ref })
-            generate_jwt_response(response_body: res, refresh_cookie: res['refreshJwt'])
+            cookies = res.fetch(COOKIE_DATA_NAME, nil) || res.fetch('cookies', {})
+            refresh_cookie = cookies.fetch(REFRESH_SESSION_COOKIE_NAME, nil) || res.fetch('refreshJwt', nil)
+            generate_jwt_response(response_body: res, refresh_cookie:)
           end
 
           private

data/lib/descope/api/v1/auth/magiclink.rb

@@ -42,7 +42,9 @@ module Descope
           def magiclink_verify_token(token = nil)
             validate_token_not_empty(token)
             res = post(VERIFY_MAGICLINK_AUTH_PATH, { token: })
-            generate_jwt_response(response_body: res)
+            cookies = res.fetch(COOKIE_DATA_NAME, nil) || res.fetch('cookies', {})
+            refresh_cookie = cookies.fetch(REFRESH_SESSION_COOKIE_NAME, nil) || res.fetch('refreshJwt', nil)
+            generate_jwt_response(response_body: res, refresh_cookie:)
           end
 
           def magiclink_update_user_email(login_id: nil, email: nil, uri: nil, add_to_login_ids: nil, on_merge_use_existing: nil, provider_id: nil, template_id: nil, template_options: nil, refresh_token: nil)

data/lib/descope/api/v1/auth/otp.rb

@@ -10,10 +10,11 @@ module Descope
           include Descope::Mixins::Common::EndpointsV1
           include Descope::Mixins::Common::EndpointsV2
 
-          def otp_sign_in(method: nil, login_id: nil, login_options: nil, refresh_token: nil,  provider_id: nil,
+          def otp_sign_in(method: nil, login_id: nil, login_options: nil, refresh_token: nil, provider_id: nil,
                           template_id: nil, sso_app_id: nil)
-            # Sign in (log in) an existing user with the unique login_id you provide. (See 'sign_up' function for an explanation of the
-            # login_id field.) Provide the DeliveryMethod required for this user. If the login_id value cannot be used for the
+            # Sign in (log in) an existing user with the unique login_id you provide.
+            # The login_id field is used to identify the user. It can be an email address or a phone number.
+            # Provide the DeliveryMethod required for this user. If the login_id value cannot be used for the
             # DeliverMethod selected (for example, 'login_id = 4567qq445km' and 'DeliveryMethod = email')
             validate_login_id(login_id)
             uri = otp_compose_signin_url(method)
@@ -23,12 +24,15 @@ module Descope
           end
 
           def otp_sign_up(method: nil, login_id: nil, user: {}, provider_id: nil, template_id: nil)
-            #  Sign up (create) a new user using their email or phone number. Choose a delivery method for OTP
-            #  verification, for example email, SMS, or WhatsApp.
+            #  Sign up (create) a new user using their email or phone number.
+            #  The login_id field is used to identify the user. It can be an email address or a phone number.
+            #  Choose a delivery method for OTP verification, for example email, SMS, or Voice.
             #  (optional) Include additional user metadata that you wish to preserve.
-            user ||= {}
+            validate_login_id(login_id)
 
-            raise AuthException unless adjust_and_verify_delivery_method(method, login_id, user)
+            unless adjust_and_verify_delivery_method(method, login_id, user)
+              raise Descope::AuthException.new('Could not verify delivery method', code: 400)
+            end
 
             uri = otp_compose_signup_url(method)
             body = otp_compose_signup_body(method, login_id, user, provider_id, template_id)
@@ -38,9 +42,11 @@ module Descope
 
           def otp_sign_up_or_in(method: nil, login_id: nil, login_options: nil, provider_id: nil, template_id: nil,
                                 sso_app_id: nil)
-            #  Sign_up_or_in lets you handle both sign up and sign in with a single call. Sign-up_or_in will first
-            #  determine if login_id is a new or existing end user. If login_id is new, a new end user user will be
-            #  created and then authenticated using the OTP DeliveryMethod specified.
+            #  Sign_up_or_in lets you handle both sign up and sign in with a single call.
+            #  The login_id field is used to identify the user. It can be an email address or a phone number.
+            #  Sign-up_or_in will first determine if login_id is a new or existing end user.
+            #  If login_id is new, a new end user user will be created and then authenticated using the
+            #  OTP DeliveryMethod specified.
             #  If login_id exists, the end user will be authenticated using the OTP DeliveryMethod specified.
             validate_login_id(login_id)
             uri = otp_compose_sign_up_or_in_url(method)
@@ -57,7 +63,9 @@ module Descope
               code:
             }
             res = post(uri, request_params)
-            generate_jwt_response(response_body: res, refresh_cookie: res.fetch('refreshJwt', {}))
+            cookies = res.fetch(COOKIE_DATA_NAME, nil) || res.fetch('cookies', {})
+            refresh_cookie = cookies.fetch(REFRESH_SESSION_COOKIE_NAME, nil) || res.fetch('refreshJwt', nil)
+            generate_jwt_response(response_body: res, refresh_cookie:)
           end
 
           def otp_update_user_email(login_id: nil, email: nil, refresh_token: nil, add_to_login_ids: false,
@@ -81,9 +89,10 @@ module Descope
             method: nil, login_id: nil, phone: nil, refresh_token: nil, add_to_login_ids: false,
             on_merge_use_existing: false, provider_id: nil, template_id: nil
           )
-            # Update the phone number of an existing end user, after verifying the authenticity of the end user using OTP.
+            # Update the phone number of an existing end user, after verifying the authenticity of the end user using OTP
             validate_login_id(login_id)
             validate_phone(method, phone)
+
             uri = otp_compose_update_phone_url(method)
             request_params = {
               loginId: login_id,
@@ -127,7 +136,7 @@ module Descope
           # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
           def otp_compose_signup_body(method, login_id, user, provider_id, template_id)
             body = {
-              loginId: login_id,
+              loginId: login_id
             }
 
             unless user.nil?
@@ -167,7 +176,8 @@ module Descope
           end
 
           private
-          def otp_user_compose_update_body(login_id: nil, name: nil, phone: nil, email: nil, given_name: nil, middle_name: nil, family_name: nil)
+          def otp_user_compose_update_body(login_id: nil, name: nil, phone: nil, email: nil, given_name: nil,
+                                           middle_name: nil, family_name: nil)
             user = {}
             user[:loginId] = login_id if login_id
             user[:name] = name if name
@@ -176,7 +186,6 @@ module Descope
             user[:givenName] = given_name if given_name
             user[:middleName] = middle_name if middle_name
             user[:familyName] = family_name if family_name
-
             user
           end
         end

data/lib/descope/api/v1/auth/password.rb

@@ -22,7 +22,9 @@ module Descope
 
             request_params[:user] = password_user_compose_update_body(**user) unless user.nil?
             res = post(SIGN_UP_PASSWORD_PATH, request_params)
-            generate_jwt_response(response_body: res)
+            cookies = res.fetch(COOKIE_DATA_NAME, nil) || res.fetch('cookies', {})
+            refresh_cookie = cookies.fetch(REFRESH_SESSION_COOKIE_NAME, nil) || res.fetch('refreshJwt', nil)
+            generate_jwt_response(response_body: res, refresh_cookie:)
           end
 
           def password_sign_in(login_id: nil, password: nil, sso_app_id: nil)
@@ -38,7 +40,9 @@ module Descope
               ssoAppId: sso_app_id
             }
             res = post(SIGN_IN_PASSWORD_PATH, request_params)
-            generate_jwt_response(response_body: res)
+            cookies = res.fetch(COOKIE_DATA_NAME, nil) || res.fetch('cookies', {})
+            refresh_cookie = cookies.fetch(REFRESH_SESSION_COOKIE_NAME, nil) || res.fetch('refreshJwt', nil)
+            generate_jwt_response(response_body: res, refresh_cookie:)
           end
 
           def password_replace(login_id: nil, old_password: nil, new_password: nil)

data/lib/descope/api/v1/auth/totp.rb

@@ -17,7 +17,9 @@ module Descope
             uri = VERIFY_TOTP_PATH
             body = totp_compose_signin_body(login_id, code, login_options)
             res = post(uri, body, {}, nil)
-            generate_jwt_response(response_body: res, refresh_cookie: res.fetch('refreshJwt', {}))
+            cookies = res.fetch(COOKIE_DATA_NAME, nil) || res.fetch('cookies', {})
+            refresh_cookie = cookies.fetch(REFRESH_SESSION_COOKIE_NAME, nil) || res.fetch('refreshJwt', nil)
+            generate_jwt_response(response_body: res, refresh_cookie:)
           end
 
           def totp_sign_up(login_id: nil, user: nil, sso_app_id: nil)

data/lib/descope/api/v1/auth.rb

@@ -34,7 +34,6 @@ module Descope
           end
 
           jwt_response = generate_auth_info(response_body, refresh_cookie, true, audience)
-          @logger.debug "jwt_response: #{jwt_response}"
           jwt_response['user'] = response_body.key?('user') ? response_body['user'] : {}
           jwt_response['firstSeen'] = response_body.key?('firstSeen') ? response_body['firstSeen'] : true
 
@@ -51,10 +50,10 @@ module Descope
           #     Return value (Hash): returns the session token from the server together with the expiry and key id
           #                          (sessionToken:Hash, keyId:str, expiration:int)
           unless (access_key.is_a?(String) || access_key.nil?) && !access_key.to_s.empty?
-            raise Descope::AuthException, 'Access key should be a string!'
+            raise AuthException.new('Access key should be a string!', code: 400)
           end
 
-          res = post(EXCHANGE_AUTH_ACCESS_KEY_PATH, { loginOptions: login_options, audience: }, {}, access_key)
+          res = post(EXCHANGE_AUTH_ACCESS_KEY_PATH, { loginOptions: login_options, audience: audience }, {}, access_key)
           generate_auth_info(res, nil, false, audience)
         end
 
@@ -62,6 +61,8 @@ module Descope
           validate_refresh_token_not_nil(refresh_token)
           res = post(SELECT_TENANT_PATH, { tenantId: tenant_id }, {}, refresh_token)
           @logger.debug "select_tenant response: #{res}"
+          cookies = res.fetch('cookies')
+          generate_jwt_response(response_body: res, refresh_cookie: cookies.fetch(REFRESH_SESSION_COOKIE_NAME, nil))
           generate_jwt_response(
             response_body: res,
             refresh_cookie: res['refreshJwt']
@@ -71,7 +72,7 @@ module Descope
         def validate_permissions(jwt_response: nil, permissions: nil)
           # Validate that a jwt_response has been granted the specified permissions.
           # For a multi-tenant environment use validate_tenant_permissions function
-          validate_tenant_permissions(jwt_response:, permissions:)
+          validate_tenant_permissions(jwt_response: jwt_response, permissions: permissions)
         end
 
         # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize, Metrics/MethodLength
@@ -122,7 +123,7 @@ module Descope
         def validate_roles(jwt_response: nil, roles: nil)
           # Validate that a jwt_response has been granted the specified roles.
           # For a multi-tenant environment use validate_tenant_roles function
-          validate_tenant_roles(jwt_response:, tenant: '', roles:)
+          validate_tenant_roles(jwt_response: jwt_response, tenant: '', roles: roles)
         end
 
         def validate_tenant_roles(jwt_response: nil, tenant: nil, roles: nil)
@@ -231,24 +232,58 @@ module Descope
         private
 
         def generate_auth_info(response_body, refresh_token, user_jwt, audience = nil)
-          @logger.debug "generating auth info: #{response_body}, #{refresh_token}, #{user_jwt}, #{audience}"
+          @logger.debug "generating auth info: response_body: #{response_body}, refresh_token: #{refresh_token}, user_jwt: #{user_jwt}, audience: #{audience}"
           jwt_response = {}
 
           # validate the session token if sessionJwt is not empty
           st_jwt = response_body.fetch('sessionJwt', '')
           unless st_jwt.empty?
-            @logger.debug "validating session token with refresh_token: #{refresh_token}" if st_jwt
-            jwt_response[SESSION_TOKEN_NAME] = validate_token(st_jwt, audience) if st_jwt
+            @logger.debug 'found sessionJwt in response body, adding to jwt_response'
+            jwt_response[SESSION_TOKEN_NAME] = validate_token(st_jwt, audience)
+          end
+
+          # Check for session token in cookies if not found in response body
+          cookies = response_body.fetch('cookies', {})
+          if jwt_response[SESSION_TOKEN_NAME].nil?
+            cookies.each do |cookie_name, cookie_value|
+              if cookie_name == SESSION_COOKIE_NAME
+                @logger.debug "found session token in cookies with name #{cookie_name}, adding to jwt_response"
+                jwt_response[SESSION_TOKEN_NAME] = validate_token(cookie_value, audience)
+                break
+              end
+            end
           end
 
           # validate refresh token if refresh_token was passed or if refreshJwt is not empty
           rt_jwt = response_body.fetch('refreshJwt', '')
 
-          if !refresh_token.nil? || !refresh_token.to_s.empty?
-            @logger.debug "validating refresh token: #{refresh_token}" if refresh_token
-            jwt_response[REFRESH_SESSION_TOKEN_NAME] = validate_token(refresh_token, audience)
-          elsif !rt_jwt.empty?
+          if !rt_jwt.empty?
+            @logger.debug 'found refreshJwt in response body, adding to jwt_response'
+            @logger.debug 'validating refreshJwt token...'
             jwt_response[REFRESH_SESSION_TOKEN_NAME] = validate_token(rt_jwt, audience)
+          else
+            # Check cookies for refresh token
+            refresh_cookie_found = false
+            cookies.each do |cookie_name, cookie_value|
+              if cookie_name == REFRESH_SESSION_COOKIE_NAME && !cookie_value.to_s.empty?
+                @logger.debug "found refresh token in cookies with name #{cookie_name}, adding to jwt_response"
+                jwt_response[REFRESH_SESSION_TOKEN_NAME] = validate_token(cookie_value, audience)
+                refresh_cookie_found = true
+                break
+              end
+            end
+            
+            # If not found in cookies, check if refresh_token parameter was passed
+            if !refresh_cookie_found && refresh_token && !refresh_token.to_s.empty?
+              @logger.debug 'refresh token not found in cookies, but refresh_token was passed, adding to jwt_response'
+              @logger.debug 'validating passed-in refresh token...'
+              jwt_response[REFRESH_SESSION_TOKEN_NAME] = validate_token(refresh_token, audience)
+            end
+          end
+
+          if jwt_response[REFRESH_SESSION_TOKEN_NAME].nil?
+            @logger.debug "Error: Could not find refreshJwt in response body: #{response_body} / cookies: #{cookies} / passed in refresh_token ->#{refresh_token}<-"
+            raise Descope::AuthException.new('Could not find refreshJwt in response body / cookies / passed in refresh_token', code: 500)
           end
 
           jwt_response = adjust_properties(jwt_response, user_jwt)
@@ -407,6 +442,7 @@ module Descope
           login_id = {
             DeliveryMethod::WHATSAPP => ['whatsapp', user.fetch(:phone, '')],
             DeliveryMethod::SMS => ['phone', user.fetch(:phone, '')],
+            DeliveryMethod::VOICE => ['phone', user.fetch(:phone, '')],
             DeliveryMethod::EMAIL => ['email', user.fetch(:email, '')]
           }[method]
 
@@ -416,34 +452,30 @@ module Descope
         end
 
         def adjust_and_verify_delivery_method(method, login_id, user)
-          return false if login_id.nil?
+          @logger.debug("adjust_and_verify_delivery_method:  method: #{method}, login_id: #{login_id}, user: #{user}")
+          raise AuthException.new("Could not verify delivery method for method: #{method}", code: 400) if method.nil?
+          raise AuthException.new('Could not verify delivery method without login_id', code: 400) if login_id.nil?
 
-          return false unless user.is_a?(Hash)
+          unless user.is_a?(Hash)
+            raise AuthException.new('Could not verify delivery method, user is not a Hash', code: 400)
+          end
 
           case method
           when DeliveryMethod::EMAIL
-            user[:email] ||= login_id
-            begin
-              validate_email(user[:email])
-              return true
-            rescue AuthException
-              return false
-            end
-          when DeliveryMethod::SMS
-            user[:phone] ||= login_id
-            return false unless /^#{PHONE_REGEX}$/.match(user[:phone])
-          when DeliveryMethod::WHATSAPP
-            user[:phone] ||= login_id
-            return false unless /^#{PHONE_REGEX}$/.match(user[:phone])
+            validate_email(login_id)
+            @logger.debug("email: #{login_id} is valid")
+            true
+          when DeliveryMethod::SMS, DeliveryMethod::WHATSAPP, DeliveryMethod::VOICE
+            validate_phone(method, login_id)
+            @logger.debug("phone number (login_id): #{login_id} is valid")
+            true
           else
-            return false
+            false
           end
-
-          true
         end
 
         def extract_masked_address(response, method)
-          if [DeliveryMethod::SMS, DeliveryMethod::WHATSAPP].include?(method)
+          if [DeliveryMethod::SMS, DeliveryMethod::WHATSAPP, DeliveryMethod::VOICE].include?(method)
             response['maskedPhone']
           elsif method == DeliveryMethod::EMAIL
             response['maskedEmail']
@@ -455,7 +487,7 @@ module Descope
         def exchange_token(uri, code)
           raise Descope::ArgumentException.new("Code can't be empty", code: 400) if code.nil? || code.empty?
 
-          res = post(uri, { code: })
+          res = post(uri, { code: code })
           generate_jwt_response(
             response_body: res,
             refresh_cookie: res['refreshJwt']

data/lib/descope/api/v1/management/audit.rb

@@ -58,6 +58,30 @@ module Descope
             { 'audits' => res['audits'].map { |audit| convert_audit_record(audit) } }
           end
 
+          def audit_create_event(action: nil, type: nil, data: nil, user_id: nil, actor_id: nil, tenant_id: nil)
+            # Create an audit event
+            unless %w[info warn error].include?(type)
+              raise Descope::AuthException, 'type must be either info, warn or error'
+            end
+
+            # validation
+            raise Descope::AuthException, 'data must be provided as a key, value Hash' unless data.is_a?(Hash)
+            raise Descope::AuthException, 'action must be provided' if action.nil?
+            raise Descope::AuthException, 'actor_id must be provided' if actor_id.nil?
+            raise Descope::AuthException, 'tenant_id must be provided' if tenant_id.nil?
+
+            request_params = {
+              action:,
+              tenantId: tenant_id,
+              type:,
+              actorId: actor_id,
+              data:
+            }
+            request_params[:userId] = user_id unless user_id.nil?
+
+            post(AUDIT_CREATE_EVENT, request_params)
+          end
+
           private
 
           def convert_audit_record(audit)

data/lib/descope/api/v1/management/common.rb

@@ -17,6 +17,7 @@ module Descope
 
           # user
           USER_CREATE_PATH = '/v1/mgmt/user/create'
+          TEST_USER_CREATE_PATH = '/v1/mgmt/user/create/test'
           USER_CREATE_BATCH_PATH = '/v1/mgmt/user/create/batch'
           USER_UPDATE_PATH = '/v1/mgmt/user/update'
           USER_DELETE_PATH = '/v1/mgmt/user/delete'
@@ -37,6 +38,8 @@ module Descope
           USER_SET_TEMPORARY_PASSWORD_PATH = '/v1/mgmt/user/password/set/temporary'
           USER_SET_ACTIVE_PASSWORD_PATH = '/v1/mgmt/user/password/set/active'
           USER_SET_PASSWORD_PATH = '/v1/mgmt/user/password/set'
+          USER_SEARCH_PATH = "/v2/mgmt/user/search"
+          TEST_USERS_SEARCH_PATH = "/v2/mgmt/user/search/test"
           USER_EXPIRE_PASSWORD_PATH = '/v1/mgmt/user/password/expire'
           USER_ADD_TENANT_PATH = '/v1/mgmt/user/update/tenant/add'
           USER_REMOVE_TENANT_PATH = '/v1/mgmt/user/update/tenant/remove'
@@ -44,6 +47,7 @@ module Descope
           USER_GENERATE_MAGIC_LINK_FOR_TEST_PATH = '/v1/mgmt/tests/generate/magiclink'
           USER_GENERATE_ENCHANTED_LINK_FOR_TEST_PATH = '/v1/mgmt/tests/generate/enchantedlink'
           USER_GENERATE_EMBEDDED_LINK_PATH = '/v1/mgmt/user/signin/embeddedlink'
+          USER_PATCH_PATH = '/v1/mgmt/user/patch'
 
           # access key
           ACCESS_KEY_CREATE_PATH = '/v1/mgmt/accesskey/create'
@@ -54,13 +58,24 @@ module Descope
           ACCESS_KEY_ACTIVATE_PATH = '/v1/mgmt/accesskey/activate'
           ACCESS_KEY_DELETE_PATH = '/v1/mgmt/accesskey/delete'
 
-          # sso
+          # sso application
+          SSO_APPLICATION_OIDC_CREATE_PATH = '/v1/mgmt/sso/idp/app/oidc/create'
+          SSO_APPLICATION_SAML_CREATE_PATH = '/v1/mgmt/sso/idp/app/saml/create'
+          SSO_APPLICATION_OIDC_UPDATE_PATH = '/v1/mgmt/sso/idp/app/oidc/update'
+          SSO_APPLICATION_SAML_UPDATE_PATH = '/v1/mgmt/sso/idp/app/saml/update'
+          SSO_APPLICATION_DELETE_PATH = '/v1/mgmt/sso/idp/app/delete'
+          SSO_APPLICATION_LOAD_PATH = '/v1/mgmt/sso/idp/app/load'
+          SSO_APPLICATION_LOAD_ALL_PATH = '/v1/mgmt/sso/idp/apps/load'
+
+          # sso settings
           SSO_SETTINGS_PATH = '/v2/mgmt/sso/settings'
+          SSO_METADATA_PATH = '/v1/mgmt/sso/metadata'
+          SSO_MAPPING_PATH = '/v1/mgmt/sso/mapping'
+          SSO_LOAD_SETTINGS_PATH = '/v2/mgmt/sso/settings' # v2 only
           SSO_OIDC_PATH = '/v1/mgmt/sso/oidc' # configure ssp settings via oidc
-          SSO_OIDC_CREATE_APP_PATH = '/v1/mgmt/sso/idp/app/oidc/create'
-          SSO_OIDC_UPDATE_APP_PATH = '/v1/mgmt/sso/idp/app/oidc/create'
-          SSO_SAML_PATH = '/v1/mgmt/sso/saml' # configure ssp settings via saml
-          SSO_SAML_METADATA_PATH = '/v1/mgmt/sso/saml/metadata' # configure ssp settings via saml metadata
+          SSO_CONFIGURE_OIDC_SETTINGS_PATH = '/v1/mgmt/sso/oidc'
+          SSO_CONFIGURE_SAML_SETTINGS_PATH = '/v1/mgmt/sso/saml'
+          SSO_CONFIGURE_SAML_METADATA_PATH = '/v1/mgmt/sso/saml/metadata'
 
           # SCIM
           SCIM_GROUPS_PATH = '/scim/v2/Groups'
@@ -100,6 +115,7 @@ module Descope
 
           # Audit
           AUDIT_SEARCH = '/v1/mgmt/audit/search'
+          AUDIT_CREATE_EVENT = '/v1/mgmt/audit/event'
 
           # Authz ReBAC
           AUTHZ_SCHEMA_SAVE = '/v1/mgmt/authz/schema/save'