descope 1.0.5 → 1.0.7

data/lib/descope/mixins/http.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
-require "addressable/uri"
+require 'descope/mixins/common'
+require 'addressable/uri'
 require 'retryable'
 require_relative '../exception'
 
@@ -7,6 +8,7 @@ module Descope
   module Mixins
     # HTTP-related methods
     module HTTP
+      include Descope::Mixins::Common
       attr_accessor :headers, :base_uri, :timeout, :retry_count
 
       DEFAULT_RETRIES = 3
@@ -44,13 +46,61 @@ module Descope
         }
       end
 
-      def safe_parse_json(body)
+      def safe_parse_json(body, cookies: {}, headers: {})
         @logger.debug "response => #{JSON.parse(body.to_s)}"
-        JSON.parse(body.to_s)
+        res = JSON.parse(body.to_s)
+
+        # Handle DS and DSR cookies in response.
+        # First check RestClient's cookies (works for same-domain cookies)
+        extracted_cookies = {}
+        if cookies.key?(SESSION_COOKIE_NAME)
+          extracted_cookies[SESSION_COOKIE_NAME] = cookies[SESSION_COOKIE_NAME]
+        end
+        if cookies.key?(REFRESH_SESSION_COOKIE_NAME)
+          extracted_cookies[REFRESH_SESSION_COOKIE_NAME] = cookies[REFRESH_SESSION_COOKIE_NAME]
+        end
+
+        # If no cookies found via RestClient, parse Set-Cookie headers directly
+        # This handles custom domain cookies that RestClient filters out
+        if extracted_cookies.empty? && headers.respond_to?(:[])
+          set_cookie_headers = headers['set-cookie'] || headers['Set-Cookie'] || []
+          set_cookie_headers = [set_cookie_headers] unless set_cookie_headers.is_a?(Array)
+          
+          set_cookie_headers.each do |cookie_header|
+            next unless cookie_header.is_a?(String)
+            
+            # Parse DS cookie (session token)
+            if cookie_header.include?("#{SESSION_COOKIE_NAME}=")
+              cookie_value = parse_cookie_value(cookie_header, SESSION_COOKIE_NAME)
+              extracted_cookies[SESSION_COOKIE_NAME] = cookie_value if cookie_value
+            end
+            
+            # Parse DSR cookie (refresh token)
+            if cookie_header.include?("#{REFRESH_SESSION_COOKIE_NAME}=")
+              cookie_value = parse_cookie_value(cookie_header, REFRESH_SESSION_COOKIE_NAME)
+              extracted_cookies[REFRESH_SESSION_COOKIE_NAME] = cookie_value if cookie_value
+            end
+          end
+        end
+
+        # Add extracted cookies to response if any were found
+        unless extracted_cookies.empty?
+          res['cookies'] = extracted_cookies
+        end
+
+        res
       rescue JSON::ParserError
         body
       end
 
+      def parse_cookie_value(cookie_header, cookie_name)
+        # Extract cookie value from Set-Cookie header
+        # Format: "cookieName=cookieValue; attribute1=value1; attribute2=value2"
+        # Only match valid cookie value characters (RFC 6265: exclude whitespace, semicolon, comma)
+        match = cookie_header.match(/#{Regexp.escape(cookie_name)}=([^;]+)/)
+        match ? match[1].strip : nil
+      end
+
       def encode_uri(uri)
         encoded_uri = base_uri ? Addressable::URI.parse(uri).normalize : Addressable::URI.escape(uri)
         @logger.debug "will call #{url(encoded_uri)}"
@@ -94,11 +144,12 @@ module Descope
                    call(method, encode_uri(uri), timeout, @headers, body.to_json)
                  end
 
-        raise Descope::Unsupported.new("No response from server", code: 400) unless result && result.respond_to?(:code)
+        raise Descope::Unsupported.new('No response from server', code: 400) unless result.respond_to?(:code)
 
         @logger.info("API Request: [#{method}] #{uri} - Response Code: #{result.code}")
+
         case result.code
-        when 200...226 then safe_parse_json(result.body)
+        when 200...226 then safe_parse_json(result.body, cookies: result.cookies, headers: result.headers)
         when 400       then raise Descope::BadRequest.new(result.body, code: result.code, headers: result.headers)
         when 401       then raise Descope::Unauthorized.new(result.body, code: result.code, headers: result.headers)
         when 403       then raise Descope::AccessDenied.new(result.body, code: result.code, headers: result.headers)
@@ -113,10 +164,10 @@ module Descope
 
       def call(method, url, timeout, headers, body = nil)
         RestClient::Request.execute(
-          method:,
-          url:,
-          timeout:,
-          headers:,
+          method: method,
+          url: url,
+          timeout: timeout,
+          headers: headers,
           payload: body
         )
       rescue RestClient::Exception => e

data/lib/descope/mixins/initializer.rb

@@ -13,10 +13,11 @@ module Descope
         @base_uri = base_url(options)
         @headers = client_headers
         @project_id = options[:project_id] || ENV['DESCOPE_PROJECT_ID'] || ''
+        @headers['x-descope-project-id'] = @project_id
         @public_key = options[:public_key] || ENV['DESCOPE_PUBLIC_KEY']
         @mlock = Mutex.new
         log_level = options[:log_level] || ENV['DESCOPE_LOG_LEVEL'] || 'info'
-        @logger ||= Descope::Mixins::Logging.logger_for(self.class.name, log_level)
+        @logger ||= Descope::Mixins::Logging.logger_for(self.class.name, log_level, @project_id)
 
         @logger.debug("Initializing Descope API with project_id: #{@project_id} and base_uri: #{@base_uri}")
 

data/lib/descope/mixins/logging.rb

@@ -7,21 +7,29 @@ module Descope
 
       def logger
         # This is the magical bit that gets mixed into the other modules
-        @logger ||= Logging.logger_for(self.class.name, 'info')
+        @logger ||= Logging.logger_for(self.class.name, 'info', @project_id)
       end
 
       # Use a hash class-ivar to cache a unique Logger per class:
       @loggers = {}
 
       class << self
-        def logger_for(classname, level)
-          @loggers[classname] ||= configure_logger_for(classname, level)
+        def logger_for(classname, level, project_id = nil)
+          key = "#{classname}-#{project_id}"
+          @loggers[key] ||= configure_logger_for(classname, level, project_id)
         end
 
-        def configure_logger_for(classname, level = 'info')
+        def configure_logger_for(classname, level = 'info', project_id = nil)
           logger = Logger.new(STDOUT)
           logger.level = Object.const_get("Logger::#{level.upcase}")
           logger.progname = classname
+
+          # Adding Custom Formatter for Project ID
+          logger.formatter = proc do |severity, datetime, progname, msg|
+            project_info = project_id ? "PRID: #{project_id}" : ""
+            "[#{datetime}] #{severity} #{project_info} #{progname}: #{msg}\n"
+          end
+
           logger
         end
       end

data/lib/descope/mixins/validation.rb

@@ -1,9 +1,12 @@
 # frozen_string_literal: true
 
+require 'descope/mixins/common'
+
 module Descope
   module Mixins
     # Module to provide validation for specific data structures.
     module Validation
+      include Descope::Mixins::Common
       def validate_tenants(key_tenants)
         raise ArgumentError, 'key_tenants should be an Array of hashes' unless key_tenants.is_a? Array
 
@@ -46,11 +49,18 @@ module Descope
       end
 
       def validate_phone(method, phone)
+        phone_number_is_invalid = !phone.match?(PHONE_REGEX) unless phone.nil?
+
         raise AuthException.new('Phone number cannot be empty', code: 400) unless phone.is_a?(String) && !phone.empty?
-        raise AuthException.new('Invalid phone number', code: 400) unless phone.match?(PHONE_REGEX)
-        raise AuthException.new('Invalid delivery method', code: 400) unless [
-          DeliveryMethod::WHATSAPP, DeliveryMethod::SMS
-        ].include?(method)
+        raise AuthException.new("Invalid pattern for phone number: #{phone}", code: 400) if phone_number_is_invalid
+
+        valid_methods = DeliveryMethod.constants.map { |constant| DeliveryMethod.const_get(constant) }
+
+        # rubocop:disable Style/LineLength
+        unless valid_methods.include?(method)
+          valid_methods_names = valid_methods.map { |m| "DeliveryMethod::#{DeliveryMethod.constants[valid_methods.index(m)]}" }.join(', ')
+          raise AuthException.new("Delivery method should be one of the following: #{valid_methods_names}", code: 400)
+        end
       end
 
       def verify_provider(oauth_provider)
@@ -64,7 +74,9 @@ module Descope
       end
 
       def validate_redirect_url(return_url)
-        raise AuthException.new('Return_url cannot be empty', code: 400) unless return_url.is_a?(String) && !return_url.empty?
+        return if return_url.is_a?(String) && !return_url.empty?
+
+        raise AuthException.new('Return_url cannot be empty', code: 400)
       end
 
       def validate_code(code)
@@ -72,7 +84,10 @@ module Descope
       end
 
       def validate_scim_group_id(group_id)
-        raise AuthException.new('SCIM Group ID cannot be empty', code: 400) unless group_id.is_a?(String) && !group_id.empty?
+        return if group_id.is_a?(String) && !group_id.empty?
+
+        raise AuthException.new('SCIM Group ID cannot be empty', code: 400)
+
       end
     end
   end

data/lib/descope/version.rb

@@ -2,6 +2,6 @@
 
 # Current version of gem
 module Descope
-  VERSION = '1.0.5'
+  VERSION = '1.0.7'
   SDK_VERSION = '1.0.0'
 end

data/spec/descope/api/v1/auth_spec.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Descope::Api::V1::Auth do
+  let(:client) { Class.new { include Descope::Api::V1::Auth }.new }
+  let(:valid_token) { 'valid_token' }
+  let(:refresh_token) { 'refresh_token' }
+
+  describe 'token extraction with empty strings' do
+    it 'handles empty string tokens correctly' do
+      response_body = {
+        'sessionJwt' => '',
+        'refreshJwt' => '',
+        'cookies' => {
+          'DS' => valid_token,
+          'DSR' => refresh_token
+        }
+      }
+
+      allow(client).to receive(:validate_token).and_return({ 'sub' => 'user123', 'iss' => 'test_project_id' })
+
+      result = client.generate_jwt_response(response_body: response_body)
+
+      expect(result).to have_key('sessionToken')
+      expect(result).to have_key('refreshSessionToken')
+    end
+  end
+end

data/spec/descope/api/v1/auth_token_extraction_spec.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Descope::Api::V1::Auth do
+  let(:client) { Descope::Client.new(project_id: 'test_project_id', management_key: 'test_key') }
+  let(:valid_session_token) { 'valid.session.token' }
+  let(:valid_refresh_token) { 'valid.refresh.token' }
+
+  describe '#generate_auth_info (private method)' do
+    context 'session token extraction' do
+      it 'extracts session token from sessionJwt field' do
+        response_body = {
+          'sessionJwt' => valid_session_token,
+          'refreshJwt' => valid_refresh_token,
+          'cookies' => {}
+        }
+
+        allow(client).to receive(:validate_token).and_return({ 'sub' => 'user123', 'iss' => 'test_project_id' })
+
+        result = client.send(:generate_auth_info, response_body, nil, true, nil)
+
+        expect(result).to have_key('sessionToken')
+      end
+
+      it 'extracts session token from cookies with DS name' do
+        response_body = {
+          'sessionJwt' => '',
+          'refreshJwt' => valid_refresh_token,
+          'cookies' => {
+            'DS' => valid_session_token
+          }
+        }
+
+        allow(client).to receive(:validate_token).and_return({ 'sub' => 'user123', 'iss' => 'test_project_id' })
+
+        result = client.send(:generate_auth_info, response_body, nil, true, nil)
+
+        expect(result).to have_key('sessionToken')
+      end
+
+      it 'extracts session token from cookies with SESSION_COOKIE_NAME' do
+        stub_const('Descope::Api::V1::Auth::SESSION_COOKIE_NAME', 'CustomSession')
+        
+        response_body = {
+          'sessionJwt' => '',
+          'refreshJwt' => valid_refresh_token,
+          'cookies' => {
+            'CustomSession' => valid_session_token
+          }
+        }
+
+        allow(client).to receive(:validate_token).and_return({ 'sub' => 'user123', 'iss' => 'test_project_id' })
+
+        result = client.send(:generate_auth_info, response_body, nil, true, nil)
+
+        expect(result).to have_key('sessionToken')
+      end
+    end
+
+    context 'refresh token extraction' do
+      it 'extracts refresh token from refreshJwt field' do
+        response_body = {
+          'sessionJwt' => valid_session_token,
+          'refreshJwt' => valid_refresh_token,
+          'cookies' => {}
+        }
+
+        allow(client).to receive(:validate_token).and_return({ 'sub' => 'user123', 'iss' => 'test_project_id' })
+
+        result = client.send(:generate_auth_info, response_body, nil, true, nil)
+
+        expect(result).to have_key('refreshSessionToken')
+      end
+
+      it 'extracts refresh token from cookies when refreshJwt is empty' do
+        stub_const('Descope::Api::V1::Auth::REFRESH_SESSION_COOKIE_NAME', 'DSR')
+        
+        response_body = {
+          'sessionJwt' => valid_session_token,
+          'refreshJwt' => '',
+          'cookies' => {
+            'DSR' => valid_refresh_token
+          }
+        }
+
+        allow(client).to receive(:validate_token).and_return({ 'sub' => 'user123', 'iss' => 'test_project_id' })
+
+        result = client.send(:generate_auth_info, response_body, nil, true, nil)
+
+        expect(result).to have_key('refreshSessionToken')
+      end
+
+      it 'falls back to parameter refresh token when cookie has empty string' do
+        response_body = {
+          'sessionJwt' => valid_session_token,
+          'refreshJwt' => '',
+          'cookies' => {
+            'DSR' => ''
+          }
+        }
+
+        allow(client).to receive(:validate_token).and_return({ 'sub' => 'user123', 'iss' => 'test_project_id' })
+
+        result = client.send(:generate_auth_info, response_body, valid_refresh_token, true, nil)
+
+        expect(result).to have_key('refreshSessionToken')
+        expect(client).to have_received(:validate_token).with(valid_refresh_token, nil)
+      end
+
+      it 'raises error when no refresh token is available' do
+        response_body = {
+          'sessionJwt' => valid_session_token,
+          'refreshJwt' => '',
+          'cookies' => {}
+        }
+
+        allow(client).to receive(:validate_token).and_return({ 'sub' => 'user123', 'iss' => 'test_project_id' })
+
+        expect {
+          client.send(:generate_auth_info, response_body, nil, true, nil)
+        }.to raise_error(Descope::AuthException, /Could not find refresh token/)
+      end
+    end
+  end
+end

data/spec/descope/api/v1/session_refresh_spec.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Descope::Api::V1::Session do
+  let(:client) { Descope::Client.new(project_id: 'test_project_id', management_key: 'test_key') }
+  let(:valid_token) { 'valid.jwt.token' }
+  let(:refresh_token) { 'refresh.jwt.token' }
+
+  describe '#refresh_session' do
+    context 'when refresh token is in cookie' do
+      it 'uses the cookie refresh token' do
+        response_body = {
+          'sessionJwt' => '',
+          'refreshJwt' => '',
+          'cookieData' => {
+            'DSR' => refresh_token
+          },
+          'cookies' => {
+            'DS' => valid_token
+          }
+        }
+
+        allow(client).to receive(:post).and_return(response_body)
+        allow(client).to receive(:validate_token).and_return({ 'sub' => 'user123' })
+
+        result = client.refresh_session(refresh_token: refresh_token)
+
+        expect(result).to be_a(Hash)
+        expect(client).to have_received(:validate_token).with(refresh_token, nil)
+      end
+    end
+
+    context 'when refresh token is in response body' do
+      it 'uses the refreshJwt from response body' do
+        response_body = {
+          'sessionJwt' => '',
+          'refreshJwt' => refresh_token,
+          'cookieData' => {},
+          'cookies' => {
+            'DS' => valid_token
+          }
+        }
+
+        allow(client).to receive(:post).and_return(response_body)
+        allow(client).to receive(:validate_token).and_return({ 'sub' => 'user123' })
+
+        result = client.refresh_session(refresh_token: 'old_refresh_token')
+
+        expect(result).to be_a(Hash)
+      end
+    end
+
+    context 'when refresh token is only in parameter' do
+      it 'falls back to the parameter refresh token' do
+        response_body = {
+          'sessionJwt' => '',
+          'refreshJwt' => '',
+          'cookieData' => {},
+          'cookies' => {
+            'DS' => valid_token
+          }
+        }
+
+        allow(client).to receive(:post).and_return(response_body)
+        allow(client).to receive(:validate_token).and_return({ 'sub' => 'user123' })
+
+        result = client.refresh_session(refresh_token: refresh_token)
+
+        expect(result).to be_a(Hash)
+        expect(client).to have_received(:validate_token).with(refresh_token, nil).at_least(:once)
+      end
+    end
+
+    context 'when refresh token values are empty strings' do
+      it 'falls back to parameter refresh token when cookie and body have empty strings' do
+        response_body = {
+          'sessionJwt' => '',
+          'refreshJwt' => '',
+          'cookieData' => {
+            'DSR' => ''
+          },
+          'cookies' => {
+            'DS' => valid_token
+          }
+        }
+
+        allow(client).to receive(:post).and_return(response_body)
+        allow(client).to receive(:validate_token).and_return({ 'sub' => 'user123' })
+
+        result = client.refresh_session(refresh_token: refresh_token)
+
+        expect(result).to be_a(Hash)
+        expect(client).to have_received(:validate_token).with(refresh_token, nil).at_least(:once)
+      end
+    end
+  end
+end

data/spec/factories/user.rb

@@ -10,7 +10,7 @@ FactoryBot.define do
     phone { "+1#{Faker::Number.number(digits: 10)}" }
     name { Faker::Name.name }
     given_name { Faker::Name.first_name }
-    middle_name { 'Ruby SDK User' }
+    middle_name { "#{SpecUtils.build_prefix}Ruby-SDK-User" }
     family_name { Faker::Name.last_name }
   end
 end

data/spec/integration/lib.descope/api/v1/auth/enchantedlink_spec.rb

@@ -60,7 +60,7 @@ describe Descope::Api::V1::Auth::EnchantedLink do
     @client.logger.info('Cleaning up test users...')
     all_users = @client.search_all_users
     all_users['users'].each do |user|
-      if user['middleName'] == 'Ruby SDK User'
+      if user['middleName'] == "#{SpecUtils.build_prefix}Ruby-SDK-User" 
         @client.logger.info("Deleting ruby spec test user #{user['loginIds'][0]}")
         @client.delete_user(user['loginIds'][0])
       end

data/spec/integration/lib.descope/api/v1/auth/magiclink_spec.rb

@@ -11,7 +11,7 @@ describe Descope::Api::V1::Auth::MagicLink do
     @client.logger.info('Cleaning up test users...')
     all_users = @client.search_all_users
     all_users['users'].each do |user|
-      if user['middleName'] == 'Ruby SDK User'
+      if user['middleName'] == "#{SpecUtils.build_prefix}Ruby-SDK-User" 
         @client.logger.info("Deleting ruby spec test user #{user['loginIds'][0]}")
         @client.delete_user(user['loginIds'][0])
       end

data/spec/integration/lib.descope/api/v1/auth/otp_spec.rb

@@ -5,34 +5,99 @@ require 'spec_helper'
 describe Descope::Api::V1::Auth::OTP do
   before(:all) do
     @client = DescopeClient.new(Configuration.config)
+
+    dummy_instance = DummyClass.new
+    dummy_instance.extend(Descope::Api::V1::Session)
+    dummy_instance.extend(Descope::Api::V1::Auth::OTP)
+    @instance = dummy_instance
+    @user = build(:user)
+    @test_user = @client.create_test_user(**@user)['user']
+    @client.create_test_user(**@user)
   end
 
   after(:all) do
     @client.logger.info('Cleaning up test users...')
     all_users = @client.search_all_users
     all_users['users'].each do |user|
-      if user['middleName'] == 'Ruby SDK User'
+      if user['middleName'] == "#{SpecUtils.build_prefix}Ruby-SDK-User" 
         @client.logger.info("Deleting ruby spec test user #{user['loginIds'][0]}")
         @client.delete_user(user['loginIds'][0])
       end
     end
   end
 
-  context 'test otp sign-in with test user' do
-    it 'should sign in with otp' do
-      user = build(:user)
-      test_user = @client.create_test_user(**user)['user']
-      @client.create_test_user(**user)
+  # SIGN INs
+  context 'test otp sign-in methods' do
+    it 'should sign in a new test user with otp via EMAIL' do
       res = @client.generate_otp_for_test_user(
         method: Descope::Mixins::Common::DeliveryMethod::EMAIL,
-        login_id: test_user['loginIds'][0]
+        login_id: @test_user['loginIds'][0]
       )
       @client.logger.info("res: #{res}")
       @client.otp_verify_code(
         method: Descope::Mixins::Common::DeliveryMethod::EMAIL,
-        login_id: user[:login_id],
+        login_id: @user[:login_id],
+        code: res['code']
+      )
+    end
+
+    it 'should sign in a new test user with otp via SMS' do
+      res = @client.generate_otp_for_test_user(
+        method: Descope::Mixins::Common::DeliveryMethod::SMS,
+        login_id: @test_user['loginIds'][0]
+      )
+      @client.logger.info("res: #{res}")
+      @client.otp_verify_code(
+        method: Descope::Mixins::Common::DeliveryMethod::SMS,
+        login_id: @user[:login_id],
         code: res['code']
       )
     end
   end
+
+  # SIGN UPs
+  context 'test otp sign-up methods' do
+    it 'should sign up with otp via email' do
+      email = 'someone@example.com'
+      allow_any_instance_of(Descope::Api::V1::Auth).to receive(:extract_masked_address).and_return({})
+      expect(@instance).to receive(:post).with(
+        otp_compose_signup_url, { loginId: email, email: '' }
+      )
+
+      expect do
+        @instance.otp_sign_up(method: Descope::Mixins::Common::DeliveryMethod::EMAIL, login_id: email)
+      end.not_to raise_error
+    end
+
+    it 'should sign up with otp via SMS' do
+      phone = '+12123354465'
+      allow_any_instance_of(Descope::Api::V1::Auth).to receive(:extract_masked_address).and_return({})
+      expect(@instance).to receive(:post).with(
+        otp_compose_signup_url(Descope::Mixins::Common::DeliveryMethod::SMS), { loginId: phone, phone: '' }
+      )
+
+      expect do
+        @instance.otp_sign_up(method: Descope::Mixins::Common::DeliveryMethod::SMS, login_id: phone)
+      end.not_to raise_error
+    end
+
+    it 'should sign up with otp via voice' do
+      phone = '+12123354465'
+      allow_any_instance_of(Descope::Api::V1::Auth).to receive(:extract_masked_address).and_return({})
+      expect(@instance).to receive(:post).with(
+        otp_compose_signup_url(Descope::Mixins::Common::DeliveryMethod::VOICE), { loginId: phone, phone: '' }
+      )
+
+      expect do
+        @instance.otp_sign_up(method: Descope::Mixins::Common::DeliveryMethod::VOICE, login_id: phone)
+      end.not_to raise_error
+    end
+
+    it 'should fail to signup with invalid phone number via SMS' do
+      phone = '1$234.90'
+      expect do
+        @instance.otp_sign_up(method: Descope::Mixins::Common::DeliveryMethod::SMS, login_id: phone)
+      end.to raise_error(Descope::AuthException, "Invalid pattern for phone number: #{phone}")
+    end
+  end
 end

data/spec/integration/lib.descope/api/v1/auth/session_spec.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Descope::Api::V1::Session do
+  before(:all) do
+    @client = DescopeClient.new(Configuration.config)
+  end
+
+  after(:all) do
+    @client.logger.info('Cleaning up test users...')
+    all_users = @client.search_all_users
+    all_users['users'].each do |user|
+      if user['middleName'] == "#{SpecUtils.build_prefix}Ruby-SDK-User" 
+        @client.logger.info("Deleting ruby spec test user #{user['loginIds'][0]}")
+        @client.delete_user(user['loginIds'][0])
+      end
+    end
+  end
+
+  context 'test session methods' do
+    it 'should refresh session with refresh token' do
+      @password = SpecUtils.generate_password
+      user = build(:user)
+
+      @client.logger.info('1. Sign up with password')
+      res = @client.password_sign_up(login_id: user[:login_id], password: @password, user:)
+      @client.logger.info("sign up with password res: #{res}")
+      original_refresh_token = res[REFRESH_SESSION_TOKEN_NAME]['jwt']
+
+      @client.logger.info('2. Sign in with password')
+      login_res = @client.password_sign_in(login_id: user[:login_id], password: @password)
+      @client.logger.info("sign_in res: #{login_res}")
+
+      @client.logger.info('3. sleep 1 second before calling refresh_session')
+      sleep(1)
+
+      @client.logger.info('4. Refresh session')
+      refresh_session_res = @client.refresh_session(refresh_token: login_res[REFRESH_SESSION_TOKEN_NAME]['jwt'])
+      @client.logger.info("refresh_session_res: #{refresh_session_res}")
+
+      new_refresh_token = refresh_session_res[REFRESH_SESSION_TOKEN_NAME]['jwt']
+      @client.logger.info("new_refresh_token: #{new_refresh_token}")
+
+      @client.logger.info('5. Check new refresh token is not the same as the original one')
+      expect(original_refresh_token).not_to eq(new_refresh_token)
+    end
+  end
+end