descope 1.0.6 → 1.1.0

data/spec/lib.descope/api/v1/management/user_spec.rb

@@ -9,55 +9,69 @@ describe Descope::Api::V1::Management::User do
     @instance = dummy_instance
   end
 
-  context '.create_user' do
+  context '.create_user_and_test_user' do
     it 'is expected to respond to a user create method' do
       expect(@instance).to respond_to(:create_user)
+      expect(@instance).to respond_to(:create_test_user)
     end
 
+    user_tenants_args = [
+      {
+        tenant_id: 'tenant1'
+      },
+      {
+        tenant_id: 'tenant2',
+        role_names: %w[role1 role2]
+      }
+    ]
+
+    params = {
+      loginId: 'name@mail.com',
+      email: 'name@mail.com',
+      phone: '+1-212-669-2542',
+      name: 'name',
+      givenName: 'name',
+      familyName: 'Ruby SDK',
+      userTenants: associated_tenants_to_hash_array(user_tenants_args),
+      test: false,
+      picture: 'https://www.example.com/picture.png',
+      customAttributes: { 'attr1' => 'value1', 'attr2' => 'value2' },
+      additionalIdentifiers: %w[id-1 id-2],
+      password: 's3cr3t',
+      ssoAppIds: %w[app1 app2],
+      invite: false
+    }
+
+    args = {
+      login_id: 'name@mail.com',
+      email: 'name@mail.com',
+      phone: '+1-212-669-2542',
+      name: 'name',
+      given_name: 'name',
+      family_name: 'Ruby SDK',
+      user_tenants: user_tenants_args,
+      picture: 'https://www.example.com/picture.png',
+      custom_attributes: { 'attr1' => 'value1', 'attr2' => 'value2' },
+      additional_identifiers: %w[id-1 id-2],
+      password: 's3cr3t',
+      sso_app_ids: %w[app1 app2]
+    }
+
     it 'is expected to create a user with user data' do
-      user_tenants_args = [
-        {
-          tenant_id: 'tenant1'
-        },
-        {
-          tenant_id: 'tenant2',
-          role_names: %w[role1 role2]
-        }
-      ]
-      expect(@instance).to receive(:post).with(
-        USER_CREATE_PATH, {
-          loginId: 'name@mail.com',
-          email: 'name@mail.com',
-          phone: '+1-212-669-2542',
-          name: 'name',
-          givenName: 'name',
-          familyName: 'Ruby SDK',
-          userTenants: associated_tenants_to_hash_array(user_tenants_args),
-          test: false,
-          picture: 'https://www.example.com/picture.png',
-          customAttributes: { 'attr1' => 'value1', 'attr2' => 'value2' },
-          additionalIdentifiers: %w[id-1 id-2],
-          password: 's3cr3t',
-          ssoAppIds: %w[app1 app2],
-          invite: false
-        }
-      )
+      expect(@instance).to receive(:post).with(USER_CREATE_PATH, params)
 
       expect do
-        @instance.create_user(
-          login_id: 'name@mail.com',
-          email: 'name@mail.com',
-          phone: '+1-212-669-2542',
-          name: 'name',
-          given_name: 'name',
-          family_name: 'Ruby SDK',
-          user_tenants: user_tenants_args,
-          picture: 'https://www.example.com/picture.png',
-          custom_attributes: { 'attr1' => 'value1', 'attr2' => 'value2' },
-          additional_identifiers: %w[id-1 id-2],
-          password: 's3cr3t',
-          sso_app_ids: %w[app1 app2]
-        )
+        @instance.create_user(**args)
+      end.not_to raise_error
+    end
+
+    it 'is expected to create a test user with user data' do
+      params[:test] = true
+      expect(@instance).to receive(:post).with(TEST_USER_CREATE_PATH, params)
+
+      expect do
+        args[:test] = true
+        @instance.create_test_user(**args)
       end.not_to raise_error
     end
   end
@@ -108,14 +122,16 @@ describe Descope::Api::V1::Management::User do
           loginId: 'name@mail.com',
           email: 'name@mail.com',
           test: false,
-          invite: true
+          invite: true,
+          templateId: "tid",
         }
       )
 
       expect do
         @instance.invite_user(
           login_id: 'name@mail.com',
-          email: 'name@mail.com'
+          email: 'name@mail.com',
+          template_id: "tid",
         )
       end.not_to raise_error
     end
@@ -223,6 +239,8 @@ describe Descope::Api::V1::Management::User do
     it 'is expected to respond to a search_all method' do
       expect(@instance).to respond_to(:search_all_users)
 
+      tenant_role_ids = { 'tenant1' => ['roleA', 'roleB'] }
+      tenant_role_names = { 'tenant1' => ['roleName1', 'roleName2'] }
       expect(@instance).to receive(:post).with(
         USERS_SEARCH_PATH, {
           loginId: 'someone@example.com',
@@ -234,7 +252,13 @@ describe Descope::Api::V1::Management::User do
           ssoOnly: false,
           text: 'some text',
           testUsersOnly: false,
-          withTestUser: false
+          withTestUser: false,
+          tenantRoleIds: {
+            'tenant1' => { values: ['roleA', 'roleB'] }
+          },
+          tenantRoleNames: {
+            'tenant1' => { values: ['roleName1', 'roleName2'] }
+          }
         }
       )
 
@@ -248,7 +272,9 @@ describe Descope::Api::V1::Management::User do
           page: 1,
           sso_app_ids: [],
           test_users_only: false,
-          with_test_user: false
+          with_test_user: false,
+          tenant_role_ids: tenant_role_ids,
+          tenant_role_names: tenant_role_names
         )
       end.not_to raise_error
     end
@@ -704,4 +730,66 @@ describe Descope::Api::V1::Management::User do
       end.not_to raise_error
     end
   end
+
+  context '.patch_user' do
+    it 'is expected to respond to a patch user method' do
+      expect(@instance).to respond_to(:patch_user)
+    end
+
+    it 'is expected to respond to a user patch method' do
+      expect(@instance).to receive(:patch).with(
+        USER_PATCH_PATH, {
+          loginId: 'name@mail.com',
+          email: 'name@mail.com',
+          givenName: 'mister',
+          name: 'something else',
+          test: false,
+          invite: false
+        }
+      )
+
+      expect do
+        @instance.patch_user(
+          login_id: 'name@mail.com',
+          email: 'name@mail.com',
+          given_name: 'mister',
+          name: 'something else'
+        )
+      end.not_to raise_error
+    end
+  end
+
+  context '.search_all_test_users' do
+    it 'is expected to respond to a search_all_test_users method' do
+      expect(@instance).to respond_to(:search_all_test_users)
+
+      tenant_role_ids = { 'tenant1' => ['roleA', 'roleB'] }
+      tenant_role_names = { 'tenant1' => ['roleName1', 'roleName2'] }
+      expect(@instance).to receive(:post).with(
+        TEST_USERS_SEARCH_PATH, {
+          tenantIds: %w[t1 t2],
+          roleNames: %w[r1 r2],
+          limit: 0,
+          page: 0,
+          testUsersOnly: true,
+          withTestUser: true,
+          tenantRoleIds: {
+            'tenant1' => { values: ['roleA', 'roleB'] }
+          },
+          tenantRoleNames: {
+            'tenant1' => { values: ['roleName1', 'roleName2'] }
+          }
+        }
+      )
+
+      expect do
+        @instance.search_all_test_users(
+          tenant_ids: %w[t1 t2],
+          role_names: %w[r1 r2],
+          tenant_role_ids: tenant_role_ids,
+          tenant_role_names: tenant_role_names
+        )
+      end.not_to raise_error
+    end
+  end
 end

data/spec/lib.descope/api/v1/session_spec.rb

@@ -31,12 +31,32 @@ describe Descope::Api::V1::Session do
     end
 
     it 'is expected to post refresh session' do
-      jwt_response = { 'fake': 'response' }
-      allow(@instance).to receive(:generate_jwt_response).and_return(jwt_response)
-
-      expect(@instance).to receive(:post).with(REFRESH_TOKEN_PATH, {}, {}, 'refresh_token')
-      allow(@instance).to receive(:validate_token).with('refresh_token', nil).and_return({})
-      expect { @instance.refresh_session(refresh_token: 'refresh_token') }.not_to raise_error
+      jwt_response = {
+        'sessionJwt' => 'fake_session_jwt',
+        'refreshJwt' => 'fake_refresh_jwt',
+        'cookies' => {
+          'refresh_token' => 'fake_refresh_cookie'
+        }
+      }
+      refresh_token = 'refresh_token'
+      audience = nil
+
+      allow(@instance).to receive(:validate_refresh_token_not_nil).with(refresh_token).and_return(true)
+      allow(@instance).to receive(:validate_token).with(refresh_token, audience).and_return(true)
+      allow(@instance).to receive(:post).with(REFRESH_TOKEN_PATH, {}, {}, refresh_token).and_return(jwt_response)
+      refresh_cookie = jwt_response['cookies'][REFRESH_SESSION_COOKIE_NAME] || jwt_response['refreshJwt']
+
+      allow(@instance).to receive(:generate_jwt_response).with(
+        response_body: jwt_response,
+        refresh_cookie:,
+        audience:
+      ).and_return(jwt_response)
+
+      expect { @instance.refresh_session(refresh_token:, audience:) }.not_to raise_error
+
+      # Optionally verify the response if needed
+      result = @instance.refresh_session(refresh_token:, audience:)
+      expect(result).to eq(jwt_response)
     end
   end
 
@@ -114,4 +134,97 @@ describe Descope::Api::V1::Session do
       expect { @instance.validate_and_refresh_session(session_token: 'session_token', refresh_token: 'refresh_token') }.to_not raise_error
     end
   end
+
+  context 'cookie domain fix for refresh_session' do
+    let(:refresh_token) { 'test_refresh_token' }
+    let(:session_jwt) { 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.signature' }
+    let(:refresh_jwt) { 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.refresh_sig' }
+
+    context 'when using cookie-only tokens with custom domain' do
+      let(:cookie_only_response) do
+        {
+          'userId' => 'test123',
+          'cookieExpiration' => 1640704758,
+          'cookieDomain' => 'dev.lulukuku.com',
+          'cookies' => {
+            'DS' => session_jwt,
+            'DSR' => refresh_jwt
+          }
+        }
+      end
+
+      it 'extracts tokens from cookies when not in response body' do
+        allow(@instance).to receive(:validate_refresh_token_not_nil).and_return(true)
+        allow(@instance).to receive(:validate_token).and_return({})
+        allow(@instance).to receive(:post).and_return(cookie_only_response)
+        allow(@instance).to receive(:generate_jwt_response).and_return(cookie_only_response)
+
+        expect { @instance.refresh_session(refresh_token: refresh_token) }.not_to raise_error
+        
+        result = @instance.refresh_session(refresh_token: refresh_token)
+        expect(result).to eq(cookie_only_response)
+      end
+
+      it 'passes correct refresh_cookie to generate_jwt_response' do
+        allow(@instance).to receive(:validate_refresh_token_not_nil).and_return(true)
+        allow(@instance).to receive(:validate_token).and_return({})
+        allow(@instance).to receive(:post).and_return(cookie_only_response)
+
+        # Verify that refresh_cookie is extracted correctly from cookies
+        expected_refresh_cookie = refresh_jwt
+        expect(@instance).to receive(:generate_jwt_response).with(
+          response_body: cookie_only_response,
+          refresh_cookie: expected_refresh_cookie,
+          audience: nil
+        ).and_return(cookie_only_response)
+
+        @instance.refresh_session(refresh_token: refresh_token)
+      end
+    end
+
+    context 'when using mixed configuration (some tokens in body, some in cookies)' do
+      let(:mixed_response) do
+        {
+          'sessionJwt' => session_jwt,  # Session token in response body
+          'userId' => 'test123',
+          'cookies' => {
+            'DSR' => refresh_jwt        # Refresh token in cookies only
+          }
+        }
+      end
+
+      it 'handles mixed token locations correctly' do
+        allow(@instance).to receive(:validate_refresh_token_not_nil).and_return(true)
+        allow(@instance).to receive(:validate_token).and_return({})
+        allow(@instance).to receive(:post).and_return(mixed_response)
+        allow(@instance).to receive(:generate_jwt_response).and_return(mixed_response)
+
+        expect { @instance.refresh_session(refresh_token: refresh_token) }.not_to raise_error
+      end
+    end
+
+    context 'backward compatibility with traditional response body tokens' do
+      let(:traditional_response) do
+        {
+          'sessionJwt' => session_jwt,
+          'refreshJwt' => refresh_jwt,
+          'userId' => 'test123'
+        }
+      end
+
+      it 'continues to work with response body tokens' do
+        allow(@instance).to receive(:validate_refresh_token_not_nil).and_return(true)
+        allow(@instance).to receive(:validate_token).and_return({})
+        allow(@instance).to receive(:post).and_return(traditional_response)
+        
+        expect(@instance).to receive(:generate_jwt_response).with(
+          response_body: traditional_response,
+          refresh_cookie: refresh_jwt,  # Should use refreshJwt from response body
+          audience: nil
+        ).and_return(traditional_response)
+
+        @instance.refresh_session(refresh_token: refresh_token)
+      end
+    end
+  end
 end

data/spec/lib.descope/mixins/http_spec.rb

@@ -0,0 +1,229 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Descope::Mixins::HTTP do
+  before(:all) do
+    dummy_instance = DummyClass.new
+    dummy_instance.extend(Descope::Mixins::HTTP)
+    @instance = dummy_instance
+  end
+
+  describe '#parse_cookie_value' do
+    it 'extracts cookie value from Set-Cookie header' do
+      cookie_header = 'DS=jwt_token_value; Path=/; Domain=example.com; HttpOnly; Secure'
+      result = @instance.parse_cookie_value(cookie_header, 'DS')
+      expect(result).to eq('jwt_token_value')
+    end
+
+    it 'extracts cookie value with complex JWT token' do
+      jwt_token = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2FwaS5kZXNjb3BlLmNvbS9QMmFiY2RlMTIzNDUifQ.signature'
+      cookie_header = "DSR=#{jwt_token}; Path=/; Domain=dev.example.com; HttpOnly; Secure; Max-Age=2592000"
+      result = @instance.parse_cookie_value(cookie_header, 'DSR')
+      expect(result).to eq(jwt_token)
+    end
+
+    it 'returns nil when cookie name is not found' do
+      cookie_header = 'OTHER=value; Path=/; Domain=example.com'
+      result = @instance.parse_cookie_value(cookie_header, 'DS')
+      expect(result).to be_nil
+    end
+
+    it 'handles cookie value with special characters' do
+      cookie_header = 'DS=token.with-special_chars123; Path=/; Domain=example.com'
+      result = @instance.parse_cookie_value(cookie_header, 'DS')
+      expect(result).to eq('token.with-special_chars123')
+    end
+
+    it 'handles cookie header with spaces around value' do
+      cookie_header = 'DS= spaced_token ; Path=/; Domain=example.com'
+      result = @instance.parse_cookie_value(cookie_header, 'DS')
+      expect(result).to eq('spaced_token')
+    end
+  end
+
+  describe '#safe_parse_json with cookie handling' do
+    let(:mock_body) do
+      {
+        'userId' => 'test123',
+        'cookieExpiration' => 1640704758,
+        'cookieDomain' => 'dev.example.com'
+      }.to_json
+    end
+
+    context 'when RestClient cookies are available (same domain)' do
+      it 'uses RestClient cookies when available' do
+        mock_cookies = {
+          'DS' => 'session_token_from_restclient',
+          'DSR' => 'refresh_token_from_restclient'
+        }
+
+        result = @instance.safe_parse_json(mock_body, cookies: mock_cookies, headers: {})
+        
+        expect(result['cookies']).to eq(mock_cookies)
+        expect(result['cookies']['DS']).to eq('session_token_from_restclient')
+        expect(result['cookies']['DSR']).to eq('refresh_token_from_restclient')
+      end
+
+      it 'handles only refresh token in RestClient cookies' do
+        mock_cookies = { 'DSR' => 'refresh_token_only' }
+
+        result = @instance.safe_parse_json(mock_body, cookies: mock_cookies, headers: {})
+        
+        expect(result['cookies']).to eq(mock_cookies)
+        expect(result['cookies']['DSR']).to eq('refresh_token_only')
+        expect(result['cookies']['DS']).to be_nil
+      end
+    end
+
+    context 'when RestClient cookies are empty (custom domain)' do
+      let(:set_cookie_headers) do
+        [
+          'DS=session_jwt_token; Path=/; Domain=dev.example.com; HttpOnly; Secure; SameSite=None',
+          'DSR=refresh_jwt_token; Path=/; Domain=dev.example.com; HttpOnly; Secure; SameSite=None; Max-Age=2592000'
+        ]
+      end
+
+      it 'parses cookies from Set-Cookie headers when RestClient cookies are empty' do
+        mock_headers = { 'set-cookie' => set_cookie_headers }
+
+        result = @instance.safe_parse_json(mock_body, cookies: {}, headers: mock_headers)
+        
+        expect(result['cookies']).to_not be_nil
+        expect(result['cookies']['DS']).to eq('session_jwt_token')
+        expect(result['cookies']['DSR']).to eq('refresh_jwt_token')
+      end
+
+      it 'parses cookies from Set-Cookie headers with symbol key (real RestClient behavior)' do
+        # RestClient returns headers with symbol keys like :set_cookie, not string keys
+        mock_headers = { set_cookie: set_cookie_headers }
+
+        result = @instance.safe_parse_json(mock_body, cookies: {}, headers: mock_headers)
+
+        expect(result['cookies']).to_not be_nil
+        expect(result['cookies']['DS']).to eq('session_jwt_token')
+        expect(result['cookies']['DSR']).to eq('refresh_jwt_token')
+      end
+
+      it 'parses cookies from Set-Cookie header when headers is a string' do
+        mock_headers = { 'Set-Cookie' => set_cookie_headers.first }
+
+        result = @instance.safe_parse_json(mock_body, cookies: {}, headers: mock_headers)
+        
+        expect(result['cookies']).to_not be_nil
+        expect(result['cookies']['DS']).to eq('session_jwt_token')
+      end
+
+      it 'handles case-insensitive Set-Cookie header names' do
+        mock_headers = { 'Set-Cookie' => set_cookie_headers }
+
+        result = @instance.safe_parse_json(mock_body, cookies: {}, headers: mock_headers)
+        
+        expect(result['cookies']['DS']).to eq('session_jwt_token')
+        expect(result['cookies']['DSR']).to eq('refresh_jwt_token')
+      end
+
+      it 'handles complex JWT tokens in Set-Cookie headers' do
+        jwt_session = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2FwaS5kZXNjb3BlLmNvbSJ9.session_sig'
+        jwt_refresh = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2FwaS5kZXNjb3BlLmNvbSJ9.refresh_sig'
+        
+        complex_headers = [
+          "DS=#{jwt_session}; Path=/; Domain=custom.example.com; HttpOnly; Secure; SameSite=None",
+          "DSR=#{jwt_refresh}; Path=/; Domain=custom.example.com; HttpOnly; Secure; SameSite=None; Max-Age=2592000"
+        ]
+        mock_headers = { set_cookie: complex_headers }
+
+        result = @instance.safe_parse_json(mock_body, cookies: {}, headers: mock_headers)
+        
+        expect(result['cookies']['DS']).to eq(jwt_session)
+        expect(result['cookies']['DSR']).to eq(jwt_refresh)
+      end
+
+      it 'ignores non-Descope cookies in Set-Cookie headers' do
+        mixed_headers = [
+          'DS=session_token; Path=/; Domain=dev.example.com; HttpOnly',
+          'CLOUDFLARE_SESSION=cf_token; Path=/; Domain=.example.com; HttpOnly',
+          'DSR=refresh_token; Path=/; Domain=dev.example.com; HttpOnly'
+        ]
+        mock_headers = { set_cookie: mixed_headers }
+
+        result = @instance.safe_parse_json(mock_body, cookies: {}, headers: mock_headers)
+        
+        expect(result['cookies']['DS']).to eq('session_token')
+        expect(result['cookies']['DSR']).to eq('refresh_token')
+        expect(result['cookies']['CLOUDFLARE_SESSION']).to be_nil
+      end
+    end
+
+    context 'when no cookies are available anywhere' do
+      it 'does not add cookies key to response' do
+        result = @instance.safe_parse_json(mock_body, cookies: {}, headers: {})
+        
+        expect(result).not_to have_key('cookies')
+      end
+
+      it 'handles missing Set-Cookie headers gracefully' do
+        mock_headers = { 'content-type' => 'application/json' }
+
+        result = @instance.safe_parse_json(mock_body, cookies: {}, headers: mock_headers)
+        
+        expect(result).not_to have_key('cookies')
+        expect(result['userId']).to eq('test123')
+      end
+
+      it 'handles nil headers gracefully' do
+        result = @instance.safe_parse_json(mock_body, cookies: {}, headers: nil)
+        
+        expect(result).not_to have_key('cookies')
+        expect(result['userId']).to eq('test123')
+      end
+    end
+
+    context 'edge cases' do
+      it 'handles malformed Set-Cookie headers' do
+        malformed_headers = [
+          'MALFORMED_COOKIE_NO_EQUALS',
+          'DS=; Path=/; Domain=example.com',  # Empty value
+          '=value_without_name; Path=/',       # No name
+        ]
+        mock_headers = { set_cookie: malformed_headers }
+
+        result = @instance.safe_parse_json(mock_body, cookies: {}, headers: mock_headers)
+        
+        # Should handle gracefully and not crash
+        expect(result['userId']).to eq('test123')
+      end
+
+      it 'prefers RestClient cookies over Set-Cookie headers when both available' do
+        mock_cookies = { 'DS' => 'restclient_token' }
+        set_cookie_headers = ['DS=header_token; Path=/; Domain=example.com']
+        mock_headers = { set_cookie: set_cookie_headers }
+
+        result = @instance.safe_parse_json(mock_body, cookies: mock_cookies, headers: mock_headers)
+        
+        # Should prefer RestClient cookies
+        expect(result['cookies']['DS']).to eq('restclient_token')
+      end
+    end
+  end
+
+  describe 'integration with request method' do
+    it 'passes headers parameter to safe_parse_json' do
+      # Mock RestClient response with custom domain cookies
+      mock_response = double('response')
+      allow(mock_response).to receive(:code).and_return(200)
+      allow(mock_response).to receive(:body).and_return('{"success": true}')
+      allow(mock_response).to receive(:cookies).and_return({})
+      allow(mock_response).to receive(:headers).and_return({
+        set_cookie: ['DS=test_token; Domain=custom.example.com']
+      })
+
+      allow(@instance).to receive(:call).and_return(mock_response)
+
+      result = @instance.request(:get, '/test', {}, {})
+      
+      expect(result['cookies']).to_not be_nil
+      expect(result['cookies']['DS']).to eq('test_token')
+    end
+  end
+end

data/spec/support/client_config.rb

@@ -5,7 +5,6 @@ module Configuration
   module_function
 
   def config
-    raise 'DESCOPE_MANAGEMENT_KEY is not set' if ENV['DESCOPE_MANAGEMENT_KEY'].nil?
     raise 'DESCOPE_PROJECT_ID is not set' if ENV['DESCOPE_PROJECT_ID'].nil?
 
     {

data/spec/support/utils.rb

@@ -29,4 +29,25 @@ module SpecUtils
       value.each { |v| deep_stringify_keys(v) if v.is_a? Hash } if value.is_a? Array
     end
   end
+
+  def build_prefix
+    # Use GITHUB_RUN_NUMBER as the primary identifier, fall back to a timestamp if not available
+    prefix = ENV['GITHUB_RUN_NUMBER'] || ENV['GITHUB_RUN_ID']
+    prefix ? "build#{prefix}-" : "local-#{Time.now.to_i}-"
+  end
+
+  def wait_for_condition(max_wait: 60, interval: 2, description: 'condition')
+    start = Time.now
+    loop do
+      result = yield
+      return result if result
+
+      elapsed = Time.now - start
+      if elapsed > max_wait
+        raise "Timeout after #{max_wait}s waiting for #{description}"
+      end
+
+      sleep interval
+    end
+  end
 end