stytch 10.25.0 → 10.27.0

data/lib/stytch/rbac_local.rb

@@ -3,7 +3,7 @@
 require_relative 'errors'
 require_relative 'request_helper'
 
-module StytchB2B
+module Stytch
   class PolicyCache
     def initialize(rbac_client:)
       @rbac_client = rbac_client
@@ -31,8 +31,7 @@ module StytchB2B
       subject_org_id:,
       authorization_check:
     )
-      request_org_id = authorization_check['organization_id']
-      raise Stytch::TenancyError.new(subject_org_id, request_org_id) if request_org_id != subject_org_id
+      raise Stytch::TenancyError.new(subject_org_id, authorization_check['organization_id']) if subject_org_id != authorization_check['organization_id']
 
       policy = get_policy
 
@@ -54,5 +53,69 @@ module StytchB2B
       # If we get here, we didn't find a matching permission
       raise Stytch::PermissionError, authorization_check
     end
+
+    # Performs an authorization check against the project's policy and a set of roles. If the
+    # check succeeds, this method will return. If the check fails, a PermissionError
+    # will be raised. This is used for role based authorization.
+    def perform_consumer_authorization_check(
+      subject_roles:,
+      authorization_check:
+    )
+      policy = get_policy
+
+      # For consumer authorization, we check roles without tenancy validation
+      for role in policy['roles']
+        next unless subject_roles.include?(role['role_id'])
+
+        for permission in role['permissions']
+          actions = permission['actions']
+          resource = permission['resource_id']
+          has_matching_action = actions.include?('*') || actions.include?(authorization_check['action'])
+          has_matching_resource = resource == authorization_check['resource_id']
+          if has_matching_action && has_matching_resource
+            return # Permission granted
+          end
+        end
+      end
+
+      # If we get here, we didn't find a matching permission
+      raise Stytch::PermissionError, authorization_check
+    end
+
+    # Performs an authorization check against the project's policy and a set of scopes. If the
+    # check succeeds, this method will return. If the check fails, a PermissionError
+    # will be raised. This is used for OAuth-style scope-based authorization.
+    # authorization_check is an object with keys 'action' and 'resource_id'
+    def perform_scope_authorization_check(
+      token_scopes:,
+      authorization_check:
+    )
+      policy = get_policy
+
+      # For scope-based authorization, we check if any of the token scopes match policy scopes
+      # and if those scopes grant permission for the requested action/resource
+      action = authorization_check['action']
+      resource_id = authorization_check['resource_id']
+
+      # Check if any of the token scopes grant permission for this action/resource
+      for scope_obj in policy['scopes']
+        scope_name = scope_obj['scope']
+        next unless token_scopes.include?(scope_name)
+
+        # Check if this scope grants permission for the requested action/resource
+        for permission in scope_obj['permissions']
+          actions = permission['actions']
+          resource = permission['resource_id']
+          has_matching_action = actions.include?('*') || actions.include?(action)
+          has_matching_resource = resource == resource_id
+          if has_matching_action && has_matching_resource
+            return # Permission granted
+          end
+        end
+      end
+
+      # If we get here, we didn't find a matching permission
+      raise Stytch::PermissionError, authorization_check
+    end
   end
 end

data/lib/stytch/sessions.rb

@@ -15,9 +15,10 @@ module Stytch
   class Sessions
     include Stytch::RequestHelper
 
-    def initialize(connection, project_id)
+    def initialize(connection, project_id, policy_cache)
       @connection = connection
 
+      @policy_cache = policy_cache
       @project_id = project_id
       @cache_last_update = 0
       @jwks_loader = lambda do |options|
@@ -81,6 +82,13 @@ module Stytch
     #
     #   Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes.
     #   The type of this field is nilable +object+.
+    # authorization_check::
+    #   If an `authorization_check` object is passed in, this endpoint will also check if the User is
+    #   authorized to perform the given action on the given Resource. A User is authorized if they are assigned a Role with adequate permissions.
+    #
+    #   If the User is not authorized to perform the specified action on the specified Resource, a 403 error will be thrown.
+    #   Otherwise, the response will contain a list of Roles that satisfied the authorization check.
+    #   The type of this field is nilable +AuthorizationCheck+ (+object+).
     #
     # == Returns:
     # An object with the following fields:
@@ -105,11 +113,16 @@ module Stytch
     # status_code::
     #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
     #   The type of this field is +Integer+.
+    # verdict::
+    #   If an `authorization_check` is provided in the request and the check succeeds, this field will return
+    #   information about why the User was granted permission.
+    #   The type of this field is nilable +AuthorizationVerdict+ (+object+).
     def authenticate(
       session_token: nil,
       session_duration_minutes: nil,
       session_jwt: nil,
-      session_custom_claims: nil
+      session_custom_claims: nil,
+      authorization_check: nil
     )
       headers = {}
       request = {}
@@ -117,6 +130,7 @@ module Stytch
       request[:session_duration_minutes] = session_duration_minutes unless session_duration_minutes.nil?
       request[:session_jwt] = session_jwt unless session_jwt.nil?
       request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
+      request[:authorization_check] = authorization_check unless authorization_check.nil?
 
       post_request('/v1/sessions/authenticate', request, headers)
     end
@@ -156,7 +170,7 @@ module Stytch
       post_request('/v1/sessions/revoke', request, headers)
     end
 
-    # Migrate a session from an external OIDC compliant endpoint. Stytch will call the external UserInfo endpoint defined in your Stytch Project settings in the [Dashboard](https://stytch.com/docs/dashboard), and then perform a lookup using the `session_token`. If the response contains a valid email address, Stytch will attempt to match that email address with an existing User and create a Stytch Session. You will need to create the user before using this endpoint.
+    # Migrate a session from an external OIDC compliant endpoint. Stytch will call the external UserInfo endpoint defined in your Stytch Project settings in the [Dashboard](https://stytch.com/dashboard), and then perform a lookup using the `session_token`. If the response contains a valid email address, Stytch will attempt to match that email address with an existing User and create a Stytch Session. You will need to create the user before using this endpoint.
     #
     # == Parameters:
     # session_token::
@@ -326,7 +340,7 @@ module Stytch
       get_request(request, headers)
     end
 
-    # Exchange an auth token issued by a trusted identity provider for a Stytch session. You must first register a Trusted Auth Token profile in the Stytch dashboard [here](https://stytch.com/docs/dashboard/trusted-auth-tokens). If a session token or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing session.
+    # Exchange an auth token issued by a trusted identity provider for a Stytch session. You must first register a Trusted Auth Token profile in the Stytch dashboard [here](https://stytch.com/dashboard/trusted-auth-tokens). If a session token or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing session.
     #
     # == Parameters:
     # profile_id::
@@ -421,7 +435,8 @@ module Stytch
       max_token_age_seconds: nil,
       session_duration_minutes: nil,
       session_custom_claims: nil,
-      clock_tolerance_seconds: nil
+      clock_tolerance_seconds: nil,
+      authorization_check: nil
     )
       max_token_age_seconds = 300 if max_token_age_seconds.nil?
       clock_tolerance_seconds = 0 if clock_tolerance_seconds.nil?
@@ -430,28 +445,32 @@ module Stytch
         return authenticate(
           session_jwt: session_jwt,
           session_duration_minutes: session_duration_minutes,
-          session_custom_claims: session_custom_claims
+          session_custom_claims: session_custom_claims,
+          authorization_check: authorization_check
         )
       end
 
       session = authenticate_jwt_local(
         session_jwt,
         max_token_age_seconds: max_token_age_seconds,
-        clock_tolerance_seconds: clock_tolerance_seconds
+        clock_tolerance_seconds: clock_tolerance_seconds,
+        authorization_check: authorization_check
       )
       return session unless session.nil?
 
       authenticate(
         session_jwt: session_jwt,
         session_duration_minutes: session_duration_minutes,
-        session_custom_claims: session_custom_claims
+        session_custom_claims: session_custom_claims,
+        authorization_check: authorization_check
       )
     rescue StandardError
       # JWT could not be verified locally. Check with the Stytch API.
       authenticate(
         session_jwt: session_jwt,
         session_duration_minutes: session_duration_minutes,
-        session_custom_claims: session_custom_claims
+        session_custom_claims: session_custom_claims,
+        authorization_check: authorization_check
       )
     end
 
@@ -461,7 +480,7 @@ module Stytch
     # This method never authenticates a JWT directly with the API
     # If max_token_age_seconds is not supplied 300 seconds will be used as the default.
     # If clock_tolerance_seconds is not supplied 0 seconds will be used as the default.
-    def authenticate_jwt_local(session_jwt, max_token_age_seconds: nil, clock_tolerance_seconds: nil)
+    def authenticate_jwt_local(session_jwt, max_token_age_seconds: nil, clock_tolerance_seconds: nil, authorization_check: nil)
       max_token_age_seconds = 300 if max_token_age_seconds.nil?
       clock_tolerance_seconds = 0 if clock_tolerance_seconds.nil?
 
@@ -488,6 +507,14 @@ module Stytch
         raise JWTIncorrectAlgorithmError
       end
 
+      # Do the auth check - intentionally don't rescue errors from here
+      if authorization_check
+        @policy_cache.perform_consumer_authorization_check(
+          subject_roles: session['roles'],
+          authorization_check: authorization_check
+        )
+      end
+
       session
     end
 

data/lib/stytch/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Stytch
-  VERSION = '10.25.0'
+  VERSION = '10.27.0'
 end

data/lib/stytch.rb

@@ -4,6 +4,7 @@ require 'faraday'
 
 require_relative 'stytch/b2b_client'
 require_relative 'stytch/client'
+require_relative 'stytch/idp'
 require_relative 'stytch/method_options'
 require_relative 'stytch/middleware'
 require_relative 'stytch/version'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: stytch
 version: !ruby/object:Gem::Version
-  version: 10.25.0
+  version: 10.27.0
 platform: ruby
 authors:
 - stytch
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-07-16 00:00:00.000000000 Z
+date: 2025-08-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -126,6 +126,7 @@ files:
 - lib/stytch.rb
 - lib/stytch/b2b_client.rb
 - lib/stytch/b2b_discovery.rb
+- lib/stytch/b2b_idp.rb
 - lib/stytch/b2b_impersonation.rb
 - lib/stytch/b2b_magic_links.rb
 - lib/stytch/b2b_oauth.rb
@@ -143,6 +144,7 @@ files:
 - lib/stytch/crypto_wallets.rb
 - lib/stytch/errors.rb
 - lib/stytch/fraud.rb
+- lib/stytch/idp.rb
 - lib/stytch/impersonation.rb
 - lib/stytch/m2m.rb
 - lib/stytch/magic_links.rb
@@ -152,6 +154,7 @@ files:
 - lib/stytch/otps.rb
 - lib/stytch/passwords.rb
 - lib/stytch/project.rb
+- lib/stytch/rbac.rb
 - lib/stytch/rbac_local.rb
 - lib/stytch/request_helper.rb
 - lib/stytch/sessions.rb