descope 1.0.7 → 1.1.0

data/spec/integration/lib.descope/api/v1/auth/enchantedlink_spec.rb

@@ -3,31 +3,25 @@
 require 'spec_helper'
 
 def poll_for_session(descope_client, pending_ref)
-  max_tries = 15
-  i = 0
-  done = false
-  while !done && i < max_tries
+  @client.logger.info('Waiting for session to be created...')
+  
+  SpecUtils.wait_for_condition(max_wait: 60, interval: 3, description: 'enchanted link session') do
     begin
-      i += 1
-      @client.logger.info('waiting 4 seconds for session to be created...')
-      sleep(4)
-      print '.'
       @client.logger.info("Getting session for pending_ref: #{pending_ref}...")
       jwt_response = descope_client.enchanted_link_get_session(pending_ref)
-      done = true
+      
+      if jwt_response
+        @client.logger.info("jwt_response: #{jwt_response}")
+        refresh_token = jwt_response[Descope::Mixins::Common::REFRESH_SESSION_TOKEN_NAME]['jwt']
+        @client.logger.info("refresh_token: #{refresh_token}")
+        return refresh_token
+      end
+      
+      false
     rescue Descope::AuthException, Descope::Unauthorized => e
-      @client.logger.info("Failed pending session, err: #{e}")
-     nil
+      @client.logger.info("Waiting for session, err: #{e}")
+      false
     end
-
-    next unless jwt_response
-
-    @client.logger.info("jwt_response: #{jwt_response}")
-    refresh_token = jwt_response[Descope::Mixins::Common::REFRESH_SESSION_TOKEN_NAME]['jwt']
-
-    @client.logger.info("refresh_token: #{refresh_token}")
-    done = true
-    return refresh_token
   end
 end
 
@@ -62,7 +56,11 @@ describe Descope::Api::V1::Auth::EnchantedLink do
     all_users['users'].each do |user|
       if user['middleName'] == "#{SpecUtils.build_prefix}Ruby-SDK-User" 
         @client.logger.info("Deleting ruby spec test user #{user['loginIds'][0]}")
-        @client.delete_user(user['loginIds'][0])
+        begin
+          @client.delete_user(user['loginIds'][0])
+        rescue Descope::NotFound => e
+          @client.logger.info("User already deleted: #{e.message}")
+        end
       end
     end
   end

data/spec/integration/lib.descope/api/v1/auth/magiclink_spec.rb

@@ -13,7 +13,11 @@ describe Descope::Api::V1::Auth::MagicLink do
     all_users['users'].each do |user|
       if user['middleName'] == "#{SpecUtils.build_prefix}Ruby-SDK-User" 
         @client.logger.info("Deleting ruby spec test user #{user['loginIds'][0]}")
-        @client.delete_user(user['loginIds'][0])
+        begin
+          @client.delete_user(user['loginIds'][0])
+        rescue Descope::NotFound => e
+          @client.logger.info("User already deleted: #{e.message}")
+        end
       end
     end
   end

data/spec/integration/lib.descope/api/v1/auth/otp_spec.rb

@@ -21,7 +21,11 @@ describe Descope::Api::V1::Auth::OTP do
     all_users['users'].each do |user|
       if user['middleName'] == "#{SpecUtils.build_prefix}Ruby-SDK-User" 
         @client.logger.info("Deleting ruby spec test user #{user['loginIds'][0]}")
-        @client.delete_user(user['loginIds'][0])
+        begin
+          @client.delete_user(user['loginIds'][0])
+        rescue Descope::NotFound => e
+          @client.logger.info("User already deleted: #{e.message}")
+        end
       end
     end
   end

data/spec/integration/lib.descope/api/v1/auth/session_spec.rb

@@ -5,6 +5,20 @@ require 'spec_helper'
 describe Descope::Api::V1::Session do
   before(:all) do
     @client = DescopeClient.new(Configuration.config)
+    
+    # Cleanup any existing test users before starting
+    @client.logger.info('Cleaning up any existing test users before starting...')
+    all_users = @client.search_all_users
+    all_users['users'].each do |user|
+      if user['middleName'] == "#{SpecUtils.build_prefix}Ruby-SDK-User" 
+        @client.logger.info("Deleting existing ruby spec test user #{user['loginIds'][0]}")
+        begin
+          @client.delete_user(user['loginIds'][0])
+        rescue Descope::NotFound => e
+          @client.logger.info("User already deleted: #{e.message}")
+        end
+      end
+    end
   end
 
   after(:all) do
@@ -13,7 +27,11 @@ describe Descope::Api::V1::Session do
     all_users['users'].each do |user|
       if user['middleName'] == "#{SpecUtils.build_prefix}Ruby-SDK-User" 
         @client.logger.info("Deleting ruby spec test user #{user['loginIds'][0]}")
-        @client.delete_user(user['loginIds'][0])
+        begin
+          @client.delete_user(user['loginIds'][0])
+        rescue Descope::NotFound => e
+          @client.logger.info("User already deleted: #{e.message}")
+        end
       end
     end
   end
@@ -21,9 +39,10 @@ describe Descope::Api::V1::Session do
   context 'test session methods' do
     it 'should refresh session with refresh token' do
       @password = SpecUtils.generate_password
-      user = build(:user)
+      # Add timestamp to ensure unique login_id across multiple test runs
+      user = build(:user, login_id: "session_test_#{Time.now.to_i}_#{SecureRandom.hex(4)}")
 
-      @client.logger.info('1. Sign up with password')
+      @client.logger.info("1. Sign up with password for user: #{user[:login_id]}")
       res = @client.password_sign_up(login_id: user[:login_id], password: @password, user:)
       @client.logger.info("sign up with password res: #{res}")
       original_refresh_token = res[REFRESH_SESSION_TOKEN_NAME]['jwt']
@@ -32,8 +51,8 @@ describe Descope::Api::V1::Session do
       login_res = @client.password_sign_in(login_id: user[:login_id], password: @password)
       @client.logger.info("sign_in res: #{login_res}")
 
-      @client.logger.info('3. sleep 1 second before calling refresh_session')
-      sleep(1)
+      @client.logger.info('3. Wait briefly to ensure token timestamps differ')
+      sleep(2)  # Wait 2 seconds to ensure new token will have different 'iat' timestamp
 
       @client.logger.info('4. Refresh session')
       refresh_session_res = @client.refresh_session(refresh_token: login_res[REFRESH_SESSION_TOKEN_NAME]['jwt'])

data/spec/integration/lib.descope/api/v1/auth/totp_spec.rb

@@ -14,7 +14,11 @@ describe Descope::Api::V1::Auth::TOTP do
     all_users['users'].each do |user|
       if user['middleName'] == "#{SpecUtils.build_prefix}Ruby-SDK-User" 
         @client.logger.info("Deleting ruby spec test user #{user['loginIds'][0]}")
-        @client.delete_user(user['loginIds'][0])
+        begin
+          @client.delete_user(user['loginIds'][0])
+        rescue Descope::NotFound => e
+          @client.logger.info("User already deleted: #{e.message}")
+        end
       end
     end
   end

data/spec/integration/lib.descope/api/v1/management/access_key_spec.rb

@@ -30,8 +30,16 @@ describe Descope::Api::V1::Management::AccessKey do
       @tenant_id = @client.create_tenant(name: 'some-new-tenant')['id']
       @client.logger.info('creating access key')
       @access_key = @client.create_access_key(name: @key_name, key_tenants: [{ tenant_id: @tenant_id }])
-      @client.logger.info("waiting for access key #{@access_key['key']['id']} to be active 60 seconds")
-      sleep 60
+      @client.logger.info("waiting for access key #{@access_key['key']['id']} to be active")
+      SpecUtils.wait_for_condition(max_wait: 65, interval: 3, description: 'access key to be active') do
+        begin
+          key = @client.load_access_key(@access_key['key']['id'])
+          key['key']['status'] == 'active'
+        rescue StandardError => e
+          @client.logger.info("Waiting for key activation: #{e.message}")
+          false
+        end
+      end
     end
 
     it 'should create the access key and load it' do

data/spec/integration/lib.descope/api/v1/management/authz_spec.rb

@@ -12,7 +12,12 @@ describe Descope::Api::V1::Management::Authz do
 
   context 'authz ops' do
     before(:all) do
-      @client.authz_delete_schema
+      # Instead of deleting the entire schema, we'll work with it
+      # This allows parallel test execution
+      # Only delete schema if we're running in isolation
+      if ENV['AUTHZ_FULL_TEST'] == 'true'
+        @client.authz_delete_schema
+      end
     end
 
     it 'should create a new schema' do
@@ -160,13 +165,17 @@ describe Descope::Api::V1::Management::Authz do
     end
 
     it 'should create a relation between a resource and user' do
+      # Use unique resource name to avoid conflicts between parallel tests
+      unique_resource = "#{SpecUtils.build_prefix}some-doc"
+      unique_user = "#{SpecUtils.build_prefix}user1"
+      
       @client.authz_create_relations(
         [
           {
-            "resource": 'some-doc',
+            "resource": unique_resource,
             "relationDefinition": 'owner',
             "namespace": 'note',
-            "target": 'user1'
+            "target": unique_user
           }
         ]
       )
@@ -176,14 +185,26 @@ describe Descope::Api::V1::Management::Authz do
       relations = @client.authz_has_relations?(
         [
           {
-            "resource": 'some-doc',
+            "resource": unique_resource,
             "relationDefinition": 'viewer',
             "namespace": 'note',
-            "target": 'user1'
+            "target": unique_user
           }
         ]
       )
       expect(relations['relationQueries'][0]['hasRelation']).to be_truthy
+      
+      # Clean up the test relations
+      @client.authz_delete_relations(
+        [
+          {
+            "resource": unique_resource,
+            "relationDefinition": 'owner',
+            "namespace": 'note',
+            "target": unique_user
+          }
+        ]
+      )
     end
   end
 end

data/spec/integration/lib.descope/api/v1/management/permissions_spec.rb

@@ -7,16 +7,34 @@ describe Descope::Api::V1::Management::Permission do
     raise 'DESCOPE_MANAGEMENT_KEY is not set' if ENV['DESCOPE_MANAGEMENT_KEY'].nil?
 
     @client = DescopeClient.new(Configuration.config)
+    @test_description = "#{SpecUtils.build_prefix} Ruby SDK"
+    
+    # Cleanup any leftover permissions from previous failed runs
     @client.load_all_permissions['permissions'].each do |perm|
-      if perm['description'] == "#{SpecUtils.build_prefix} Ruby SDK"
+      if perm['description'] == @test_description
         puts "Deleting permission: #{perm['name']}"
         @client.delete_permission(perm['name'])
       end
     end
   end
+  
+  after(:all) do
+    # Safety cleanup to ensure no test permissions are left behind
+    @client.logger.info('Cleaning up test permissions...')
+    begin
+      @client.load_all_permissions['permissions'].each do |perm|
+        if perm['description'] == @test_description
+          @client.logger.info("Deleting leftover permission: #{perm['name']}")
+          @client.delete_permission(perm['name'])
+        end
+      end
+    rescue StandardError => e
+      @client.logger.info("Error during permission cleanup: #{e.message}")
+    end
+  end
 
   it 'should create update and delete a permission' do
-    @client.create_permission(name: 'test_permission', description: "#{SpecUtils.build_prefix} Ruby SDK")
+    @client.create_permission(name: 'test_permission', description: @test_description)
     all_permissions = @client.load_all_permissions['permissions']
     expect(all_permissions.any? { |perm| perm['name'] == 'test_permission' }).to eq(true)
     @client.update_permission(name: 'test_permission', new_name: 'test_permission_2')

data/spec/integration/lib.descope/api/v1/management/project_spec.rb

@@ -8,15 +8,29 @@ describe Descope::Api::V1::Management::Project do
 
     @client = DescopeClient.new(Configuration.config)
     @export_output = @client.export_project
+    @original_project_name = nil
   end
 
   context 'Test project methods' do
+    before(:all) do
+      # Get the current project name before we modify it
+      # Store it so we can restore it later
+      begin
+        @original_project_name = @client.export_project['project']['name']
+      rescue StandardError
+        @original_project_name = 'Ruby-SDK-Prod'
+      end
+    end
+
     after(:all) do
-      @client.rename_project('Ruby-SDK-Prod')
+      # Restore the original project name
+      @client.rename_project(@original_project_name) if @original_project_name
     end
 
     it 'should rename a project' do
-      @client.rename_project('TEST-Ruby-SDK-Prod')
+      # Use a unique name based on build prefix to avoid conflicts
+      unique_name = "#{SpecUtils.build_prefix}TEST-Ruby-SDK-Prod"
+      @client.rename_project(unique_name)
     end
 
     it 'should export a project' do

data/spec/integration/lib.descope/api/v1/management/roles_spec.rb

@@ -7,74 +7,144 @@ describe Descope::Api::V1::Management::Role do
     raise 'DESCOPE_MANAGEMENT_KEY is not set' if ENV['DESCOPE_MANAGEMENT_KEY'].nil?
 
     @client = DescopeClient.new(Configuration.config)
-    @client.logger.info('Staring cleanup before tests...')
-    @client.logger.info('Deleting all permissions for Ruby SDK...')
+    @test_prefix = SpecUtils.build_prefix
+    @client.logger.info("Starting cleanup before tests with prefix: #{@test_prefix}...")
+    
+    # Define resource names with unique prefix for parallel execution
+    @permission_viewer = "#{@test_prefix}viewer"
+    @permission_editor = "#{@test_prefix}editor"
+    @permission_admin = "#{@test_prefix}admin"
+    @role_viewer = "#{@test_prefix}Ruby-SDK-test-viewer"
+    @role_editor = "#{@test_prefix}Ruby-SDK-test-editor"
+    @role_admin = "#{@test_prefix}Ruby-SDK-test-admin"
+    @tenant_name = "#{@test_prefix}Ruby-SDK-test"
+    @description = "#{@test_prefix}Ruby SDK"
+    
+    # Cleanup any leftover resources from previous failed runs
+    @client.logger.info('Deleting all permissions for this test run...')
     @client.load_all_permissions['permissions'].each do |perm|
-      if perm['description'] =~ /Ruby SDK/
+      if perm['description'] == @description
         @client.logger.info("Deleting permission: #{perm['name']}")
         @client.delete_permission(perm['name'])
       end
     end
 
-    @client.logger.info('Deleting all roles for Ruby SDK...')
+    @client.logger.info('Deleting all roles for this test run...')
     @client.load_all_roles['roles'].each do |role|
-      puts "got role: #{role}"
-      if role['description'] == 'Ruby SDK'
+      if role['description'] == @description
         @client.logger.info("Deleting role: #{role['name']}")
         @client.delete_role(name: role['name'], tenant_id: role['tenantId'])
       end
     end
 
-    @client.logger.info('Deleting all tenants for Ruby SDK...')
-    @client.search_all_tenants(names: ['Ruby-SDK-test'])['tenants'].each do |tenant|
+    @client.logger.info('Deleting all tenants for this test run...')
+    @client.search_all_tenants(names: [@tenant_name])['tenants'].each do |tenant|
       @client.logger.info("Deleting tenant: #{tenant['name']}")
       @client.delete_tenant(tenant['id'])
     end
     @client.logger.info('Cleanup completed. Starting tests...')
   end
+  
+  after(:all) do
+    # Cleanup after tests to ensure no resources are left behind
+    @client.logger.info('Cleaning up test resources...')
+    
+    begin
+      @client.delete_permission(@permission_viewer) if defined?(@permission_viewer)
+    rescue StandardError => e
+      @client.logger.info("Permission #{@permission_viewer} already deleted or doesn't exist: #{e.message}")
+    end
+    
+    begin
+      @client.delete_permission(@permission_editor) if defined?(@permission_editor)
+    rescue StandardError => e
+      @client.logger.info("Permission #{@permission_editor} already deleted or doesn't exist: #{e.message}")
+    end
+    
+    begin
+      @client.delete_permission(@permission_admin) if defined?(@permission_admin)
+    rescue StandardError => e
+      @client.logger.info("Permission #{@permission_admin} already deleted or doesn't exist: #{e.message}")
+    end
+    
+    # Delete any roles with our test description
+    begin
+      @client.load_all_roles['roles'].each do |role|
+        if role['description'] == @description
+          @client.delete_role(name: role['name'], tenant_id: role['tenantId'])
+        end
+      end
+    rescue StandardError => e
+      @client.logger.info("Error cleaning up roles: #{e.message}")
+    end
+    
+    # Delete tenant
+    begin
+      @client.search_all_tenants(names: [@tenant_name])['tenants'].each do |tenant|
+        @client.delete_tenant(tenant['id'])
+      end
+    rescue StandardError => e
+      @client.logger.info("Error cleaning up tenant: #{e.message}")
+    end
+    
+    @client.logger.info('Cleanup completed.')
+  end
 
   it 'should create update and delete a role' do
     @client.logger.info('Testing role creation, update, deletion and search...')
 
     # Create permissions
     @client.logger.info('creating viewer permission for role')
-    @client.create_permission(name: 'viewer', description: 'Viewer Permission Ruby SDK')
+    @client.create_permission(name: @permission_viewer, description: @description)
 
     @client.logger.info('creating editor permission for role')
-    @client.create_permission(name: 'editor', description: 'Editor Permission Ruby SDK')
+    @client.create_permission(name: @permission_editor, description: @description)
 
     @client.logger.info('creating admin permission for role')
-    @client.create_permission(name: 'admin', description: 'Admin Permission Ruby SDK')
+    @client.create_permission(name: @permission_admin, description: @description)
 
     # Create tenants
-    @client.logger.info('creating Ruby-SDK-test tenant')
-    tenant_id = @client.create_tenant(name: 'Ruby-SDK-test')['id']
+    @client.logger.info("creating #{@tenant_name} tenant")
+    tenant_id = @client.create_tenant(name: @tenant_name)['id']
+    @client.logger.info("Created tenant with id: #{tenant_id}")
+    
+    # Wait for tenant to be available (polling, up to 5 seconds)
+    timeout = 5.0
+    interval = 0.1
+    waited = 0.0
+    loop do
+      tenants = @client.search_all_tenants(names: [@tenant_name])['tenants']
+      break if tenants.any? { |t| t['id'] == tenant_id }
+      raise "Tenant #{@tenant_name} not available after #{timeout} seconds" if waited >= timeout
+      sleep(interval)
+      waited += interval
+    end
 
     # Create roles
-    @client.logger.info('creating Ruby-SDK-test role')
-    @client.create_role(name: 'Ruby-SDK-test-viewer', description: 'Ruby SDK', permission_names: ['viewer'])
-    @client.logger.info('creating Ruby-SDK-test-admin role')
-    @client.create_role(name: 'Ruby-SDK-test-admin', description: 'Ruby SDK', permission_names: ['admin'], tenant_id:)
+    @client.logger.info("creating #{@role_viewer} role")
+    @client.create_role(name: @role_viewer, description: @description, permission_names: [@permission_viewer])
+    @client.logger.info("creating #{@role_admin} role")
+    @client.create_role(name: @role_admin, description: @description, permission_names: [@permission_admin], tenant_id:)
 
     # check all roles matching the correct permission
     @client.logger.info('check all roles matching the correct permission (load roles)')
     roles = @client.load_all_roles['roles']
     roles.each do |role|
-      expect(role['permissionNames']).to include('viewer') if role['name'] == 'Ruby-SDK-test-viewer'
-      expect(role['permissionNames']).to include('admin') if role['name'] == 'Ruby-SDK-test-admin'
+      expect(role['permissionNames']).to include(@permission_viewer) if role['name'] == @role_viewer
+      expect(role['permissionNames']).to include(@permission_admin) if role['name'] == @role_admin
     end
 
     @client.logger.info('updating role')
     @client.update_role(
-      name: 'Ruby-SDK-test-viewer',
-      new_name: 'Ruby-SDK-test-editor',
-      description: 'Ruby SDK',
-      permission_names: ['editor']
+      name: @role_viewer,
+      new_name: @role_editor,
+      description: @description,
+      permission_names: [@permission_editor]
     )
 
     @client.logger.info('searching for roles by role names...')
-    all_roles = @client.search_roles(role_names: %w[Ruby-SDK-test-admin Ruby-SDK-test-editor])['roles']
-    expected_roles = %w[Ruby-SDK-test-editor Ruby-SDK-test-admin]
+    all_roles = @client.search_roles(role_names: [@role_admin, @role_editor])['roles']
+    expected_roles = [@role_editor, @role_admin]
     role_count = 0
     expected_roles.each do |expected_role|
       expect(all_roles.map { |role| role['name'] }).to include(expected_role)
@@ -83,8 +153,8 @@ describe Descope::Api::V1::Management::Role do
     expect(role_count).to eq(2)
 
     @client.logger.info('searching for roles with role name like...')
-    all_roles = @client.search_roles(role_name_like: 'Ruby-SDK-test')['roles']
-    expected_roles = %w[Ruby-SDK-test-editor Ruby-SDK-test-admin]
+    all_roles = @client.search_roles(role_name_like: "#{@test_prefix}Ruby-SDK-test")['roles']
+    expected_roles = [@role_editor, @role_admin]
     role_count = 0
     expected_roles.each do |expected_role|
       expect(all_roles.map { |role| role['name'] }).to include(expected_role)
@@ -94,25 +164,33 @@ describe Descope::Api::V1::Management::Role do
     expect(role_count).to eq(2)
 
     @client.logger.info('searching for roles with permission names...')
-    all_roles = @client.search_roles(permission_names: %w[admin])['roles']
-    expect(all_roles.map { |role| role['name'] }).to include('Ruby-SDK-test-admin')
+    all_roles = @client.search_roles(permission_names: [@permission_admin])['roles']
+    expect(all_roles.map { |role| role['name'] }).to include(@role_admin)
 
     @client.logger.info('searching for roles with tenant ids...')
-    all_roles = @client.search_roles(role_name_like: 'Ruby-SDK-test', tenant_ids: [tenant_id])['roles']
-    expect(all_roles.map { |role| role['name'] }).to include('Ruby-SDK-test-admin')
+    all_roles = @client.search_roles(role_name_like: "#{@test_prefix}Ruby-SDK-test", tenant_ids: [tenant_id])['roles']
+    expect(all_roles.map { |role| role['name'] }).to include(@role_admin)
 
     @client.logger.info('deleting permission')
 
-    @client.delete_permission('editor')
-    @client.delete_permission('admin')
+    @client.delete_permission(@permission_editor)
+    @client.delete_permission(@permission_admin)
 
     @client.logger.info('deleting editor role')
-    @client.delete_role(name: 'Ruby-SDK-test-editor')
+    @client.delete_role(name: @role_editor)
 
     @client.logger.info('deleting admin role')
-    @client.delete_role(name: 'Ruby-SDK-test-admin', tenant_id:)
+    begin
+      @client.delete_role(name: @role_admin, tenant_id:)
+    rescue Descope::Unauthorized, Descope::NotFound => e
+      @client.logger.info("Admin role already deleted or tenant invalid: #{e.message}")
+    end
 
     @client.logger.info('deleting tenant')
-    @client.delete_tenant(tenant_id)
+    begin
+      @client.delete_tenant(tenant_id)
+    rescue Descope::NotFound => e
+      @client.logger.info("Tenant already deleted: #{e.message}")
+    end
   end
 end

data/spec/integration/lib.descope/api/v1/management/user_spec.rb

@@ -102,7 +102,17 @@ describe Descope::Api::V1::Management::User do
     created_user = @client.create_user(**user)['user']
     loaded_user = @client.load_user(created_user['loginIds'][0])['user']
     expect(loaded_user['loginIds']).to eq(created_user['loginIds'])
-    sleep 10
+    
+    # Wait for user to be fully propagated before deletion
+    SpecUtils.wait_for_condition(max_wait: 15, interval: 2, description: 'user to be ready for deletion') do
+      begin
+        @client.load_user(created_user['loginIds'][0])
+        true
+      rescue StandardError => e
+        @client.logger.info("Waiting for user propagation: #{e.message}")
+        false
+      end
+    end
 
     @client.delete_user(created_user['loginIds'][0])
     begin
@@ -115,8 +125,10 @@ describe Descope::Api::V1::Management::User do
   it 'should search all users' do
     users = FactoryBot.build_list(:user, 5)
     @client.create_batch_users(users)
+    # Wait for batch creation to propagate
+    sleep 1.0
     all_users = @client.search_all_users
-    sdk_users = all_users['users'].select { |user| user['middleName'] == "#{SpecUtils.build_prefix}Ruby-SDK-User" }
+    sdk_users = all_users['users'].select { |user| user['middleName']&.include?('Ruby-SDK-User') }
     expect(sdk_users.length).to be >= 5
   end
 
@@ -128,7 +140,12 @@ describe Descope::Api::V1::Management::User do
     all_roles['roles'].each do |role|
       @client.delete_role(name: role['name']) if role['name'] == role_name
     end
-    sleep 5
+    
+    # Wait for role deletion to propagate
+    SpecUtils.wait_for_condition(max_wait: 10, interval: 1, description: 'role deletion to propagate') do
+      all_roles = @client.load_all_roles
+      all_roles['roles'].none? { |role| role['name'] == role_name }
+    end
 
     user_args = build(:user)
     test_user = @client.create_test_user(**user_args)['user']

data/spec/lib.descope/mixins/http_spec.rb

@@ -94,6 +94,17 @@ describe Descope::Mixins::HTTP do
         expect(result['cookies']['DSR']).to eq('refresh_jwt_token')
       end
 
+      it 'parses cookies from Set-Cookie headers with symbol key (real RestClient behavior)' do
+        # RestClient returns headers with symbol keys like :set_cookie, not string keys
+        mock_headers = { set_cookie: set_cookie_headers }
+
+        result = @instance.safe_parse_json(mock_body, cookies: {}, headers: mock_headers)
+
+        expect(result['cookies']).to_not be_nil
+        expect(result['cookies']['DS']).to eq('session_jwt_token')
+        expect(result['cookies']['DSR']).to eq('refresh_jwt_token')
+      end
+
       it 'parses cookies from Set-Cookie header when headers is a string' do
         mock_headers = { 'Set-Cookie' => set_cookie_headers.first }
 
@@ -120,7 +131,7 @@ describe Descope::Mixins::HTTP do
           "DS=#{jwt_session}; Path=/; Domain=custom.example.com; HttpOnly; Secure; SameSite=None",
           "DSR=#{jwt_refresh}; Path=/; Domain=custom.example.com; HttpOnly; Secure; SameSite=None; Max-Age=2592000"
         ]
-        mock_headers = { 'set-cookie' => complex_headers }
+        mock_headers = { set_cookie: complex_headers }
 
         result = @instance.safe_parse_json(mock_body, cookies: {}, headers: mock_headers)
         
@@ -134,7 +145,7 @@ describe Descope::Mixins::HTTP do
           'CLOUDFLARE_SESSION=cf_token; Path=/; Domain=.example.com; HttpOnly',
           'DSR=refresh_token; Path=/; Domain=dev.example.com; HttpOnly'
         ]
-        mock_headers = { 'set-cookie' => mixed_headers }
+        mock_headers = { set_cookie: mixed_headers }
 
         result = @instance.safe_parse_json(mock_body, cookies: {}, headers: mock_headers)
         
@@ -175,7 +186,7 @@ describe Descope::Mixins::HTTP do
           'DS=; Path=/; Domain=example.com',  # Empty value
           '=value_without_name; Path=/',       # No name
         ]
-        mock_headers = { 'set-cookie' => malformed_headers }
+        mock_headers = { set_cookie: malformed_headers }
 
         result = @instance.safe_parse_json(mock_body, cookies: {}, headers: mock_headers)
         
@@ -186,7 +197,7 @@ describe Descope::Mixins::HTTP do
       it 'prefers RestClient cookies over Set-Cookie headers when both available' do
         mock_cookies = { 'DS' => 'restclient_token' }
         set_cookie_headers = ['DS=header_token; Path=/; Domain=example.com']
-        mock_headers = { 'set-cookie' => set_cookie_headers }
+        mock_headers = { set_cookie: set_cookie_headers }
 
         result = @instance.safe_parse_json(mock_body, cookies: mock_cookies, headers: mock_headers)
         
@@ -204,7 +215,7 @@ describe Descope::Mixins::HTTP do
       allow(mock_response).to receive(:body).and_return('{"success": true}')
       allow(mock_response).to receive(:cookies).and_return({})
       allow(mock_response).to receive(:headers).and_return({
-        'set-cookie' => ['DS=test_token; Domain=custom.example.com']
+        set_cookie: ['DS=test_token; Domain=custom.example.com']
       })
 
       allow(@instance).to receive(:call).and_return(mock_response)
@@ -215,4 +226,4 @@ describe Descope::Mixins::HTTP do
       expect(result['cookies']['DS']).to eq('test_token')
     end
   end
-end
+end