stytch 10.35.0 → 10.37.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a21c7819e335e5e1512dd207196f170a535f83abb0cfd2075d1e74c031016e62
-  data.tar.gz: 7241e6caccaaf5a7380b3dd6acca90fd619d5df457a8c368d1c0d8ef667bce8a
+  metadata.gz: 2636f56ed7d78577fb1ff81133a92fc1c0fb2500696f7921dcff85d6e79d7995
+  data.tar.gz: 932c0aa9dcef45bfb75a82516508bceac612f89a4b4a55e1555103017f80ba55
 SHA512:
-  metadata.gz: e0b5df47cb45208d49f4cb9558066e698438905eec30b11febc43b55623b5a81afe90112d4110dcc385ec483ab6a9335b3bf5e43a04e85ea912ffc64babe5048
-  data.tar.gz: 7c513da2af700131f700ba74e2319043e677a2ad295bfe93a0cb22ca5b73ff49060781cccff7e9f86783796975bc0dc65f9bed497ee6f45cccce06a74264292d
+  metadata.gz: 988ed498a5b30318230b13dd477125149ce76ca35bedab317843ce4b77f9ed0857d375f165e0268eb5d0877ae9ddda12f2fca221f2d82d95d14bb7dcf9f7e8e8
+  data.tar.gz: fa274f938a19f3f8241288467d7724e1a63a5c43695fdce8ea7626ce38e005ce76b71a7af799028356660728f8510abfb41d46ec31d3f999049adeea9354b852

data/lib/stytch/b2b_client.rb

@@ -23,6 +23,7 @@ require_relative 'b2b_totps'
 require_relative 'connected_apps'
 require_relative 'debug'
 require_relative 'fraud'
+require_relative 'jwks_cache'
 require_relative 'm2m'
 require_relative 'project'
 require_relative 'rbac_local'
@@ -33,15 +34,18 @@ module StytchB2B
 
     attr_reader :connected_app, :debug, :discovery, :fraud, :idp, :impersonation, :m2m, :magic_links, :oauth, :otps, :organizations, :passwords, :project, :rbac, :recovery_codes, :scim, :sso, :sessions, :totps
 
-    def initialize(project_id:, secret:, env: nil, fraud_env: nil, &block)
+    def initialize(project_id:, secret:, env: nil, fraud_env: nil, timeout: nil, jwks: nil, &block)
       @api_host = api_host(env, project_id)
       @fraud_api_host = fraud_api_host(fraud_env)
       @project_id = project_id
       @secret = secret
+      @timeout = timeout
       @is_b2b_client = true
 
       create_connection(&block)
 
+      @jwks_cache = Stytch::JWKSCache.new(@connection, @project_id, jwks)
+
       rbac = StytchB2B::RBAC.new(@connection)
       @policy_cache = Stytch::PolicyCache.new(rbac_client: rbac)
 
@@ -49,9 +53,9 @@ module StytchB2B
       @debug = Stytch::Debug.new(@connection)
       @discovery = StytchB2B::Discovery.new(@connection)
       @fraud = Stytch::Fraud.new(@fraud_connection)
-      @idp = StytchB2B::IDP.new(@connection, @project_id, @policy_cache)
+      @idp = StytchB2B::IDP.new(@connection, @project_id, @jwks_cache, @policy_cache)
       @impersonation = StytchB2B::Impersonation.new(@connection)
-      @m2m = Stytch::M2M.new(@connection, @project_id, @is_b2b_client)
+      @m2m = Stytch::M2M.new(@connection, @project_id, @is_b2b_client, @jwks_cache)
       @magic_links = StytchB2B::MagicLinks.new(@connection)
       @oauth = StytchB2B::OAuth.new(@connection)
       @otps = StytchB2B::OTPs.new(@connection)
@@ -62,7 +66,7 @@ module StytchB2B
       @recovery_codes = StytchB2B::RecoveryCodes.new(@connection)
       @scim = StytchB2B::SCIM.new(@connection)
       @sso = StytchB2B::SSO.new(@connection)
-      @sessions = StytchB2B::Sessions.new(@connection, @project_id, @policy_cache)
+      @sessions = StytchB2B::Sessions.new(@connection, @project_id, @jwks_cache, @policy_cache)
       @totps = StytchB2B::TOTPs.new(@connection)
     end
 
@@ -108,7 +112,7 @@ module StytchB2B
     end
 
     def build_default_connection(builder)
-      builder.options[:timeout] = Stytch::Middleware::NETWORK_TIMEOUT
+      builder.options[:timeout] = Stytch::Middleware.timeout(@timeout)
       builder.headers = Stytch::Middleware::NETWORK_HEADERS
       builder.request :json
       builder.use Stytch::Middleware

data/lib/stytch/b2b_idp.rb

@@ -16,24 +16,13 @@ module StytchB2B
     include Stytch::RequestHelper
     attr_reader :oauth
 
-    def initialize(connection, project_id, policy_cache)
+    def initialize(connection, project_id, jwks_cache, policy_cache)
       @connection = connection
 
       @oauth = StytchB2B::IDP::OAuth.new(@connection)
       @policy_cache = policy_cache
       @project_id = project_id
-      @cache_last_update = 0
-      @jwks_loader = lambda do |options|
-        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
-        @cached_keys ||= begin
-          @cache_last_update = Time.now.to_i
-          keys = []
-          get_jwks(project_id: @project_id)['keys'].each do |r|
-            keys << r
-          end
-          { keys: keys }
-        end
-      end
+      @jwks_cache = jwks_cache
     end
 
     # MANUAL(IDP::introspect_token_network)(SERVICE_METHOD)
@@ -199,7 +188,7 @@ module StytchB2B
           true,
           {
             algorithms: ['RS256'],
-            jwks: @jwks_loader,
+            jwks: @jwks_cache.loader,
             iss: ["stytch.com/#{@project_id}", @connection.url_prefix],
             aud: @project_id
           }

data/lib/stytch/b2b_sessions.rb

@@ -34,23 +34,12 @@ module StytchB2B
 
     include Stytch::RequestHelper
 
-    def initialize(connection, project_id, policy_cache)
+    def initialize(connection, project_id, jwks_cache, policy_cache)
       @connection = connection
 
       @policy_cache = policy_cache
       @project_id = project_id
-      @cache_last_update = 0
-      @jwks_loader = lambda do |options|
-        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
-        @cached_keys ||= begin
-          @cache_last_update = Time.now.to_i
-          keys = []
-          get_jwks(project_id: @project_id)['keys'].each do |r|
-            keys << r
-          end
-          { keys: keys }
-        end
-      end
+      @jwks_cache = jwks_cache
     end
 
     # Retrieves all active Sessions for a Member.
@@ -706,7 +695,7 @@ module StytchB2B
 
       begin
         decoded_token = JWT.decode session_jwt, nil, true,
-                                   { jwks: @jwks_loader, iss: valid_issuers, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'], nbf_leeway: clock_tolerance_seconds }
+                                   { jwks: @jwks_cache.loader, iss: valid_issuers, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'], nbf_leeway: clock_tolerance_seconds }
 
         session = decoded_token[0]
         iat_time = Time.at(session['iat']).to_datetime

data/lib/stytch/client.rb

@@ -12,6 +12,7 @@ require_relative 'debug'
 require_relative 'fraud'
 require_relative 'idp'
 require_relative 'impersonation'
+require_relative 'jwks_cache'
 require_relative 'm2m'
 require_relative 'magic_links'
 require_relative 'oauth'
@@ -31,15 +32,18 @@ module Stytch
 
     attr_reader :connected_app, :crypto_wallets, :debug, :fraud, :idp, :impersonation, :m2m, :magic_links, :oauth, :otps, :passwords, :project, :rbac, :sessions, :totps, :users, :webauthn
 
-    def initialize(project_id:, secret:, env: nil, fraud_env: nil, &block)
+    def initialize(project_id:, secret:, env: nil, fraud_env: nil, timeout: nil, jwks: nil, &block)
       @api_host = api_host(env, project_id)
       @fraud_api_host = fraud_api_host(fraud_env)
       @project_id = project_id
       @secret = secret
+      @timeout = timeout
       @is_b2b_client = false
 
       create_connection(&block)
 
+      @jwks_cache = Stytch::JWKSCache.new(@connection, @project_id, jwks)
+
       rbac = Stytch::RBAC.new(@connection)
       @policy_cache = Stytch::PolicyCache.new(rbac_client: rbac)
 
@@ -47,16 +51,16 @@ module Stytch
       @crypto_wallets = Stytch::CryptoWallets.new(@connection)
       @debug = Stytch::Debug.new(@connection)
       @fraud = Stytch::Fraud.new(@fraud_connection)
-      @idp = Stytch::IDP.new(@connection, @project_id, @policy_cache)
+      @idp = Stytch::IDP.new(@connection, @project_id, @jwks_cache, @policy_cache)
       @impersonation = Stytch::Impersonation.new(@connection)
-      @m2m = Stytch::M2M.new(@connection, @project_id, @is_b2b_client)
+      @m2m = Stytch::M2M.new(@connection, @project_id, @is_b2b_client, @jwks_cache)
       @magic_links = Stytch::MagicLinks.new(@connection)
       @oauth = Stytch::OAuth.new(@connection)
       @otps = Stytch::OTPs.new(@connection)
       @passwords = Stytch::Passwords.new(@connection)
       @project = Stytch::Project.new(@connection)
       @rbac = Stytch::RBAC.new(@connection)
-      @sessions = Stytch::Sessions.new(@connection, @project_id, @policy_cache)
+      @sessions = Stytch::Sessions.new(@connection, @project_id, @jwks_cache, @policy_cache)
       @totps = Stytch::TOTPs.new(@connection)
       @users = Stytch::Users.new(@connection)
       @webauthn = Stytch::WebAuthn.new(@connection)
@@ -104,7 +108,7 @@ module Stytch
     end
 
     def build_default_connection(builder)
-      builder.options[:timeout] = Stytch::Middleware::NETWORK_TIMEOUT
+      builder.options[:timeout] = Stytch::Middleware.timeout(@timeout)
       builder.headers = Stytch::Middleware::NETWORK_HEADERS
       builder.request :json
       builder.use Stytch::Middleware

data/lib/stytch/idp.rb

@@ -16,24 +16,13 @@ module Stytch
     include Stytch::RequestHelper
     attr_reader :oauth
 
-    def initialize(connection, project_id, policy_cache)
+    def initialize(connection, project_id, jwks_cache, policy_cache)
       @connection = connection
 
       @oauth = Stytch::IDP::OAuth.new(@connection)
       @policy_cache = policy_cache
       @project_id = project_id
-      @cache_last_update = 0
-      @jwks_loader = lambda do |options|
-        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
-        @cached_keys ||= begin
-          @cache_last_update = Time.now.to_i
-          keys = []
-          get_jwks(project_id: @project_id)['keys'].each do |r|
-            keys << r
-          end
-          { keys: keys }
-        end
-      end
+      @jwks_cache = jwks_cache
     end
 
     # MANUAL(IDP::introspect_token_network)(SERVICE_METHOD)
@@ -188,7 +177,7 @@ module Stytch
           true,
           {
             algorithms: ['RS256'],
-            jwks: @jwks_loader,
+            jwks: @jwks_cache.loader,
             iss: ["stytch.com/#{@project_id}", @connection.url_prefix],
             aud: @project_id
           }

data/lib/stytch/jwks_cache.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require_relative 'request_helper'
+
+module Stytch
+  # JWKSCache handles caching and refreshing of JSON Web Key Sets (JWKS)
+  # for JWT signature verification. It can be initialized with pre-cached
+  # keys or will fetch them on-demand from the Stytch API.
+  class JWKSCache
+    include Stytch::RequestHelper
+
+    CACHE_EXPIRY_SECONDS = 300 # 5 minutes
+
+    def initialize(connection, project_id, jwks = nil)
+      @connection = connection
+      @project_id = project_id
+      @cache_last_update = 0
+
+      # If jwks are provided during initialization, use them directly
+      return unless jwks
+
+      @cached_keys = { keys: jwks }
+      @cache_last_update = Time.now.to_i
+    end
+
+    # Returns a lambda suitable for use with JWT.decode
+    def loader
+      lambda do |options|
+        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - CACHE_EXPIRY_SECONDS
+        @cached_keys ||= begin
+          @cache_last_update = Time.now.to_i
+          keys = []
+          get_jwks(project_id: @project_id)['keys'].each do |r|
+            keys << r
+          end
+          { keys: keys }
+        end
+      end
+    end
+
+    # Fetches JWKS from the Stytch API
+    def get_jwks(project_id:)
+      request_with_query_params(
+        @connection,
+        '/v1/sessions/jwks/%<project_id>s',
+        {
+          project_id: project_id
+        }
+      )
+    end
+  end
+end

data/lib/stytch/m2m.rb

@@ -13,24 +13,13 @@ module Stytch
     include Stytch::RequestHelper
     attr_reader :clients
 
-    def initialize(connection, project_id, is_b2b_client)
+    def initialize(connection, project_id, is_b2b_client, jwks_cache)
       @connection = connection
 
       @clients = Stytch::M2M::Clients.new(@connection)
       @project_id = project_id
-      @cache_last_update = 0
+      @jwks_cache = jwks_cache
       @is_b2b_client = is_b2b_client
-      @jwks_loader = lambda do |options|
-        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
-        @cached_keys ||= begin
-          @cache_last_update = Time.now.to_i
-          keys = []
-          get_jwks(project_id: @project_id)['keys'].each do |r|
-            keys << r
-          end
-          { keys: keys }
-        end
-      end
     end
 
     # MANUAL(M2M::get_jwks)(SERVICE_METHOD)
@@ -190,7 +179,7 @@ module Stytch
 
       begin
         decoded_token = JWT.decode jwt, nil, true,
-                                   { jwks: @jwks_loader, iss: valid_issuers, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'], nbf_leeway: clock_tolerance_seconds }
+                                   { jwks: @jwks_cache.loader, iss: valid_issuers, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'], nbf_leeway: clock_tolerance_seconds }
         decoded_token[0]
       rescue JWT::InvalidIssuerError
         raise JWTInvalidIssuerError

data/lib/stytch/middleware.rb

@@ -13,6 +13,10 @@ module Stytch
       'Content-Type' => 'application/json'
     }.freeze
 
-    NETWORK_TIMEOUT = 300
+    NETWORK_TIMEOUT = 31
+
+    def self.timeout(custom_timeout = nil)
+      custom_timeout || NETWORK_TIMEOUT
+    end
   end
 end

data/lib/stytch/sessions.rb

@@ -15,23 +15,12 @@ module Stytch
   class Sessions
     include Stytch::RequestHelper
 
-    def initialize(connection, project_id, policy_cache)
+    def initialize(connection, project_id, jwks_cache, policy_cache)
       @connection = connection
 
       @policy_cache = policy_cache
       @project_id = project_id
-      @cache_last_update = 0
-      @jwks_loader = lambda do |options|
-        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
-        @cached_keys ||= begin
-          @cache_last_update = Time.now.to_i
-          keys = []
-          get_jwks(project_id: @project_id)['keys'].each do |r|
-            keys << r
-          end
-          { keys: keys }
-        end
-      end
+      @jwks_cache = jwks_cache
     end
 
     # List all active Sessions for a given `user_id`. All timestamps are formatted according to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
@@ -514,7 +503,7 @@ module Stytch
 
       begin
         decoded_token = JWT.decode session_jwt, nil, true,
-                                   { jwks: @jwks_loader, iss: valid_issuers, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'], nbf_leeway: clock_tolerance_seconds }
+                                   { jwks: @jwks_cache.loader, iss: valid_issuers, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'], nbf_leeway: clock_tolerance_seconds }
 
         session = decoded_token[0]
         iat_time = Time.at(session['iat']).to_datetime

data/lib/stytch/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Stytch
-  VERSION = '10.35.0'
+  VERSION = '10.37.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: stytch
 version: !ruby/object:Gem::Version
-  version: 10.35.0
+  version: 10.37.0
 platform: ruby
 authors:
 - stytch
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-09-26 00:00:00.000000000 Z
+date: 2025-09-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -147,6 +147,7 @@ files:
 - lib/stytch/fraud.rb
 - lib/stytch/idp.rb
 - lib/stytch/impersonation.rb
+- lib/stytch/jwks_cache.rb
 - lib/stytch/m2m.rb
 - lib/stytch/magic_links.rb
 - lib/stytch/method_options.rb