stytch 10.42.0 → 11.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/auto-publish.yml +9 -11
- data/.rubocop.yml +2 -0
- data/lib/stytch/b2b_discovery.rb +10 -4
- data/lib/stytch/b2b_impersonation.rb +3 -0
- data/lib/stytch/b2b_magic_links.rb +14 -11
- data/lib/stytch/b2b_oauth.rb +7 -1
- data/lib/stytch/b2b_organizations.rb +2 -3
- data/lib/stytch/b2b_otp.rb +13 -7
- data/lib/stytch/b2b_passwords.rb +37 -18
- data/lib/stytch/b2b_rbac.rb +6 -0
- data/lib/stytch/b2b_scim.rb +6 -6
- data/lib/stytch/b2b_sessions.rb +4 -3
- data/lib/stytch/b2b_sso.rb +11 -8
- data/lib/stytch/connected_apps.rb +12 -2
- data/lib/stytch/m2m.rb +3 -3
- data/lib/stytch/magic_links.rb +22 -12
- data/lib/stytch/otps.rb +10 -10
- data/lib/stytch/passwords.rb +7 -9
- data/lib/stytch/rbac_local.rb +41 -17
- data/lib/stytch/sessions.rb +0 -2
- data/lib/stytch/version.rb +1 -1
- data/lib/stytch/webauthn.rb +12 -8
- data/stytch.gemspec +1 -0
- metadata +16 -2
data/lib/stytch/b2b_sso.rb
CHANGED
|
@@ -178,7 +178,7 @@ module StytchB2B
|
|
|
178
178
|
# locale::
|
|
179
179
|
# If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
|
|
180
180
|
#
|
|
181
|
-
# Parameter is
|
|
181
|
+
# Parameter is an [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
|
|
182
182
|
#
|
|
183
183
|
# Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English.
|
|
184
184
|
#
|
|
@@ -239,6 +239,9 @@ module StytchB2B
|
|
|
239
239
|
# member_device::
|
|
240
240
|
# If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes.
|
|
241
241
|
# The type of this field is nilable +DeviceInfo+ (+object+).
|
|
242
|
+
# intermediate_session_token_expires_at::
|
|
243
|
+
# (no documentation yet)
|
|
244
|
+
# The type of this field is nilable +String+.
|
|
242
245
|
def authenticate(
|
|
243
246
|
sso_token:,
|
|
244
247
|
pkce_code_verifier: nil,
|
|
@@ -335,7 +338,7 @@ module StytchB2B
|
|
|
335
338
|
# The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
|
|
336
339
|
# The type of this field is +Integer+.
|
|
337
340
|
# connection::
|
|
338
|
-
# The
|
|
341
|
+
# The [OIDC Connection Object](https://stytch.com/docs/b2b/api/oidc-connection-object).
|
|
339
342
|
# The type of this field is nilable +OIDCConnection+ (+object+).
|
|
340
343
|
#
|
|
341
344
|
# == Method Options:
|
|
@@ -426,7 +429,7 @@ module StytchB2B
|
|
|
426
429
|
# The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
|
|
427
430
|
# The type of this field is +Integer+.
|
|
428
431
|
# connection::
|
|
429
|
-
# The
|
|
432
|
+
# The [OIDC Connection Object](https://stytch.com/docs/b2b/api/oidc-connection-object).
|
|
430
433
|
# The type of this field is nilable +OIDCConnection+ (+object+).
|
|
431
434
|
# warning::
|
|
432
435
|
# If it is not possible to resolve the well-known metadata document from the OIDC issuer, this field will explain what went wrong if the request is successful otherwise. In other words, even if the overall request succeeds, there could be relevant warnings related to the connection update.
|
|
@@ -595,7 +598,7 @@ module StytchB2B
|
|
|
595
598
|
# The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
|
|
596
599
|
# The type of this field is +Integer+.
|
|
597
600
|
# connection::
|
|
598
|
-
# The
|
|
601
|
+
# The [SAML Connection Object](https://stytch.com/docs/b2b/api/saml-connection-object)
|
|
599
602
|
# The type of this field is nilable +SAMLConnection+ (+object+).
|
|
600
603
|
#
|
|
601
604
|
# == Method Options:
|
|
@@ -691,7 +694,7 @@ module StytchB2B
|
|
|
691
694
|
# The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
|
|
692
695
|
# The type of this field is +Integer+.
|
|
693
696
|
# connection::
|
|
694
|
-
# The
|
|
697
|
+
# The [SAML Connection Object](https://stytch.com/docs/b2b/api/saml-connection-object)
|
|
695
698
|
# The type of this field is nilable +SAMLConnection+ (+object+).
|
|
696
699
|
#
|
|
697
700
|
# == Method Options:
|
|
@@ -766,7 +769,7 @@ module StytchB2B
|
|
|
766
769
|
# The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
|
|
767
770
|
# The type of this field is +Integer+.
|
|
768
771
|
# connection::
|
|
769
|
-
# The
|
|
772
|
+
# The [SAML Connection Object](https://stytch.com/docs/b2b/api/saml-connection-object)
|
|
770
773
|
# The type of this field is nilable +SAMLConnection+ (+object+).
|
|
771
774
|
#
|
|
772
775
|
# == Method Options:
|
|
@@ -941,7 +944,7 @@ module StytchB2B
|
|
|
941
944
|
# The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
|
|
942
945
|
# The type of this field is +Integer+.
|
|
943
946
|
# connection::
|
|
944
|
-
# The
|
|
947
|
+
# The [External Connection Object](https://stytch.com/docs/b2b/api/external-connection-object).
|
|
945
948
|
# The type of this field is nilable +Connection+ (+object+).
|
|
946
949
|
#
|
|
947
950
|
# == Method Options:
|
|
@@ -1001,7 +1004,7 @@ module StytchB2B
|
|
|
1001
1004
|
# The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
|
|
1002
1005
|
# The type of this field is +Integer+.
|
|
1003
1006
|
# connection::
|
|
1004
|
-
# The
|
|
1007
|
+
# The [External Connection Object](https://stytch.com/docs/b2b/api/external-connection-object).
|
|
1005
1008
|
# The type of this field is nilable +Connection+ (+object+).
|
|
1006
1009
|
#
|
|
1007
1010
|
# == Method Options:
|
|
@@ -92,6 +92,9 @@ module Stytch
|
|
|
92
92
|
# bypass_consent_for_offline_access::
|
|
93
93
|
# Valid for first party clients only. If true, the client does not need to request explicit user consent for the `offline_access` scope.
|
|
94
94
|
# The type of this field is nilable +Boolean+.
|
|
95
|
+
# id_token_template_content::
|
|
96
|
+
# (no documentation yet)
|
|
97
|
+
# The type of this field is nilable +String+.
|
|
95
98
|
#
|
|
96
99
|
# == Returns:
|
|
97
100
|
# An object with the following fields:
|
|
@@ -115,7 +118,8 @@ module Stytch
|
|
|
115
118
|
access_token_template_content: nil,
|
|
116
119
|
post_logout_redirect_urls: nil,
|
|
117
120
|
logo_url: nil,
|
|
118
|
-
bypass_consent_for_offline_access: nil
|
|
121
|
+
bypass_consent_for_offline_access: nil,
|
|
122
|
+
id_token_template_content: nil
|
|
119
123
|
)
|
|
120
124
|
headers = {}
|
|
121
125
|
request = {}
|
|
@@ -129,6 +133,7 @@ module Stytch
|
|
|
129
133
|
request[:post_logout_redirect_urls] = post_logout_redirect_urls unless post_logout_redirect_urls.nil?
|
|
130
134
|
request[:logo_url] = logo_url unless logo_url.nil?
|
|
131
135
|
request[:bypass_consent_for_offline_access] = bypass_consent_for_offline_access unless bypass_consent_for_offline_access.nil?
|
|
136
|
+
request[:id_token_template_content] = id_token_template_content unless id_token_template_content.nil?
|
|
132
137
|
|
|
133
138
|
put_request("/v1/connected_apps/clients/#{client_id}", request, headers)
|
|
134
139
|
end
|
|
@@ -232,6 +237,9 @@ module Stytch
|
|
|
232
237
|
# bypass_consent_for_offline_access::
|
|
233
238
|
# Valid for first party clients only. If true, the client does not need to request explicit user consent for the `offline_access` scope.
|
|
234
239
|
# The type of this field is nilable +Boolean+.
|
|
240
|
+
# id_token_template_content::
|
|
241
|
+
# (no documentation yet)
|
|
242
|
+
# The type of this field is nilable +String+.
|
|
235
243
|
#
|
|
236
244
|
# == Returns:
|
|
237
245
|
# An object with the following fields:
|
|
@@ -255,7 +263,8 @@ module Stytch
|
|
|
255
263
|
access_token_template_content: nil,
|
|
256
264
|
post_logout_redirect_urls: nil,
|
|
257
265
|
logo_url: nil,
|
|
258
|
-
bypass_consent_for_offline_access: nil
|
|
266
|
+
bypass_consent_for_offline_access: nil,
|
|
267
|
+
id_token_template_content: nil
|
|
259
268
|
)
|
|
260
269
|
headers = {}
|
|
261
270
|
request = {
|
|
@@ -271,6 +280,7 @@ module Stytch
|
|
|
271
280
|
request[:post_logout_redirect_urls] = post_logout_redirect_urls unless post_logout_redirect_urls.nil?
|
|
272
281
|
request[:logo_url] = logo_url unless logo_url.nil?
|
|
273
282
|
request[:bypass_consent_for_offline_access] = bypass_consent_for_offline_access unless bypass_consent_for_offline_access.nil?
|
|
283
|
+
request[:id_token_template_content] = id_token_template_content unless id_token_template_content.nil?
|
|
274
284
|
|
|
275
285
|
post_request('/v1/connected_apps/clients', request, headers)
|
|
276
286
|
end
|
data/lib/stytch/m2m.rb
CHANGED
|
@@ -289,9 +289,9 @@ module Stytch
|
|
|
289
289
|
post_request('/v1/m2m/clients/search', request, headers)
|
|
290
290
|
end
|
|
291
291
|
|
|
292
|
-
# Updates an existing M2M Client. You can use this endpoint to activate or deactivate
|
|
292
|
+
# Updates an existing M2M Client. You can use this endpoint to activate or deactivate an M2M Client by changing its `status`. A deactivated M2M Client will not be allowed to perform future token exchange flows until it is reactivated.
|
|
293
293
|
#
|
|
294
|
-
# **Important:** Deactivating
|
|
294
|
+
# **Important:** Deactivating an M2M Client will not invalidate any existing JWTs issued to the client, only prevent it from receiving new ones.
|
|
295
295
|
# To protect more-sensitive routes, pass a lower `max_token_age` value when[authenticating the token](https://stytch.com/docs/b2b/api/authenticate-m2m-token)[authenticating the token](https://stytch.com/docs/api/authenticate-m2m-token).
|
|
296
296
|
#
|
|
297
297
|
# == Parameters:
|
|
@@ -346,7 +346,7 @@ module Stytch
|
|
|
346
346
|
|
|
347
347
|
# Deletes the M2M Client.
|
|
348
348
|
#
|
|
349
|
-
# **Important:** Deleting
|
|
349
|
+
# **Important:** Deleting an M2M Client will not invalidate any existing JWTs issued to the client, only prevent it from receiving new ones.
|
|
350
350
|
# To protect more-sensitive routes, pass a lower `max_token_age` value when[authenticating the token](https://stytch.com/docs/b2b/api/authenticate-m2m-token)[authenticating the token](https://stytch.com/docs/api/authenticate-m2m-token).
|
|
351
351
|
#
|
|
352
352
|
# == Parameters:
|
data/lib/stytch/magic_links.rb
CHANGED
|
@@ -126,12 +126,22 @@ module Stytch
|
|
|
126
126
|
post_request('/v1/magic_links/authenticate', request, headers)
|
|
127
127
|
end
|
|
128
128
|
|
|
129
|
-
# Create an Embeddable Magic Link token for a User.
|
|
129
|
+
# Create an Embeddable Magic Link token for a User.
|
|
130
130
|
#
|
|
131
|
-
# ###
|
|
132
|
-
# Send the returned `token` value to the end user in a link which directs to your application. When the end user follows your link, collect the token, and call [Authenticate Magic Link](https://stytch.com/docs/api/authenticate-magic-link) to complete authentication.
|
|
131
|
+
# ### Important usage notes
|
|
133
132
|
#
|
|
134
|
-
#
|
|
133
|
+
# Carefully review the following notes before using Embeddable Magic Links:
|
|
134
|
+
#
|
|
135
|
+
# * Embeddable Magic Link tokens are **sensitive values**. You should handle and store them securely.
|
|
136
|
+
# * Authenticating an Embeddable Magic Link token will not mark any of a user's delivery factors (email address or phone number) as verified, since we cannot confirm how the token was sent to the user.
|
|
137
|
+
# * Embeddable Magic Links are only available in our Consumer API, and not our B2B API.
|
|
138
|
+
#
|
|
139
|
+
# When sending Embeddable Magic Links via email:
|
|
140
|
+
#
|
|
141
|
+
# * Deliverability is paramount. Carefully test your email copy to ensure it reaches your users' inboxes. Small changes can result in your emails being sent to spam.
|
|
142
|
+
# * In some cases, email security bots may follow links within incoming emails before your users open them. This consumes the Embeddable Magic Link token, preventing the user from logging in when they later click the link. Our Email Magic Links product automatically prevents this (details [here](https://stytch.com/docs/consumer-auth/authentication/magic-links/redirect-routing)). However, when sending your own emails containing Embeddable Magic Links, you'll be responsible for detecting and stopping bot traffic using tools like CAPTCHA or [Device Fingerprinting](https://stytch.com/docs/fraud-risk/device-fingerprinting/overview).
|
|
143
|
+
#
|
|
144
|
+
# We also recommend checking out our [Trusted Auth Tokens](https://stytch.com/docs/consumer-auth/authentication/trusted-auth-tokens/overview) product, which is available in both our Consumer and B2B APIs and can be a better fit for some use cases.
|
|
135
145
|
#
|
|
136
146
|
# == Parameters:
|
|
137
147
|
# user_id::
|
|
@@ -193,7 +203,7 @@ module Stytch
|
|
|
193
203
|
# The email address of the User to send the Magic Link to.
|
|
194
204
|
# The type of this field is +String+.
|
|
195
205
|
# login_template_id::
|
|
196
|
-
# Use a custom template for login emails. By default, it will use your default email template.
|
|
206
|
+
# Use a custom template for login emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic links - Login”.
|
|
197
207
|
# The type of this field is nilable +String+.
|
|
198
208
|
# attributes::
|
|
199
209
|
# Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application.
|
|
@@ -223,7 +233,7 @@ module Stytch
|
|
|
223
233
|
# The `session_jwt` of the user to associate the email with.
|
|
224
234
|
# The type of this field is nilable +String+.
|
|
225
235
|
# locale::
|
|
226
|
-
# Used to determine which language to use when sending the user this delivery method. Parameter is
|
|
236
|
+
# Used to determine which language to use when sending the user this delivery method. Parameter is an [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
|
|
227
237
|
#
|
|
228
238
|
# Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English.
|
|
229
239
|
#
|
|
@@ -231,7 +241,7 @@ module Stytch
|
|
|
231
241
|
#
|
|
232
242
|
# The type of this field is nilable +SendRequestLocale+ (string enum).
|
|
233
243
|
# signup_template_id::
|
|
234
|
-
# Use a custom template for sign-up emails. By default, it will use your default email template.
|
|
244
|
+
# Use a custom template for sign-up emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic links - Sign-up”.
|
|
235
245
|
# The type of this field is nilable +String+.
|
|
236
246
|
#
|
|
237
247
|
# == Returns:
|
|
@@ -305,10 +315,10 @@ module Stytch
|
|
|
305
315
|
# Set the expiration for the sign-up email magic link, in minutes. By default, it expires in 1 week. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins).
|
|
306
316
|
# The type of this field is nilable +Integer+.
|
|
307
317
|
# login_template_id::
|
|
308
|
-
# Use a custom template for login emails. By default, it will use your default email template.
|
|
318
|
+
# Use a custom template for login emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic links - Login”.
|
|
309
319
|
# The type of this field is nilable +String+.
|
|
310
320
|
# signup_template_id::
|
|
311
|
-
# Use a custom template for sign-up emails. By default, it will use your default email template.
|
|
321
|
+
# Use a custom template for sign-up emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic links - Sign-up”.
|
|
312
322
|
# The type of this field is nilable +String+.
|
|
313
323
|
# attributes::
|
|
314
324
|
# Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application.
|
|
@@ -324,7 +334,7 @@ module Stytch
|
|
|
324
334
|
# A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device.
|
|
325
335
|
# The type of this field is nilable +String+.
|
|
326
336
|
# locale::
|
|
327
|
-
# Used to determine which language to use when sending the user this delivery method. Parameter is
|
|
337
|
+
# Used to determine which language to use when sending the user this delivery method. Parameter is an [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
|
|
328
338
|
#
|
|
329
339
|
# Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English.
|
|
330
340
|
#
|
|
@@ -390,7 +400,7 @@ module Stytch
|
|
|
390
400
|
# The email address of the User to send the invite Magic Link to.
|
|
391
401
|
# The type of this field is +String+.
|
|
392
402
|
# invite_template_id::
|
|
393
|
-
# Use a custom template for invite emails. By default, it will use your default email template.
|
|
403
|
+
# Use a custom template for invite emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic links - Invite”.
|
|
394
404
|
# The type of this field is nilable +String+.
|
|
395
405
|
# attributes::
|
|
396
406
|
# Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application.
|
|
@@ -405,7 +415,7 @@ module Stytch
|
|
|
405
415
|
# Set the expiration for the email magic link, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins).
|
|
406
416
|
# The type of this field is nilable +Integer+.
|
|
407
417
|
# locale::
|
|
408
|
-
# Used to determine which language to use when sending the user this delivery method. Parameter is
|
|
418
|
+
# Used to determine which language to use when sending the user this delivery method. Parameter is an [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
|
|
409
419
|
#
|
|
410
420
|
# Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English.
|
|
411
421
|
#
|
data/lib/stytch/otps.rb
CHANGED
|
@@ -161,7 +161,7 @@ module Stytch
|
|
|
161
161
|
# Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application.
|
|
162
162
|
# The type of this field is nilable +Attributes+ (+object+).
|
|
163
163
|
# locale::
|
|
164
|
-
# Used to determine which language to use when sending the user this delivery method. Parameter is
|
|
164
|
+
# Used to determine which language to use when sending the user this delivery method. Parameter is an [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
|
|
165
165
|
#
|
|
166
166
|
# Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English.
|
|
167
167
|
#
|
|
@@ -246,7 +246,7 @@ module Stytch
|
|
|
246
246
|
# an account for them.
|
|
247
247
|
# The type of this field is nilable +Boolean+.
|
|
248
248
|
# locale::
|
|
249
|
-
# Used to determine which language to use when sending the user this delivery method. Parameter is
|
|
249
|
+
# Used to determine which language to use when sending the user this delivery method. Parameter is an [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
|
|
250
250
|
#
|
|
251
251
|
# Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English.
|
|
252
252
|
#
|
|
@@ -324,7 +324,7 @@ module Stytch
|
|
|
324
324
|
# Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application.
|
|
325
325
|
# The type of this field is nilable +Attributes+ (+object+).
|
|
326
326
|
# locale::
|
|
327
|
-
# Used to determine which language to use when sending the user this delivery method. Parameter is
|
|
327
|
+
# Used to determine which language to use when sending the user this delivery method. Parameter is an [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
|
|
328
328
|
#
|
|
329
329
|
# Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English.
|
|
330
330
|
#
|
|
@@ -405,7 +405,7 @@ module Stytch
|
|
|
405
405
|
# an account for them.
|
|
406
406
|
# The type of this field is nilable +Boolean+.
|
|
407
407
|
# locale::
|
|
408
|
-
# Used to determine which language to use when sending the user this delivery method. Parameter is
|
|
408
|
+
# Used to determine which language to use when sending the user this delivery method. Parameter is an [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
|
|
409
409
|
#
|
|
410
410
|
# Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English.
|
|
411
411
|
#
|
|
@@ -476,7 +476,7 @@ module Stytch
|
|
|
476
476
|
# Provided attributes to help with fraud detection. These values are pulled and passed into Stytch endpoints by your application.
|
|
477
477
|
# The type of this field is nilable +Attributes+ (+object+).
|
|
478
478
|
# locale::
|
|
479
|
-
# Used to determine which language to use when sending the user this delivery method. Parameter is
|
|
479
|
+
# Used to determine which language to use when sending the user this delivery method. Parameter is an [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
|
|
480
480
|
#
|
|
481
481
|
# Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English.
|
|
482
482
|
#
|
|
@@ -493,10 +493,10 @@ module Stytch
|
|
|
493
493
|
# The `session_jwt` associated with a User's existing Session.
|
|
494
494
|
# The type of this field is nilable +String+.
|
|
495
495
|
# login_template_id::
|
|
496
|
-
# Use a custom template for login emails. By default, it will use your default email template.
|
|
496
|
+
# Use a custom template for login emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “OTP - Login”.
|
|
497
497
|
# The type of this field is nilable +String+.
|
|
498
498
|
# signup_template_id::
|
|
499
|
-
# Use a custom template for sign-up emails. By default, it will use your default email template.
|
|
499
|
+
# Use a custom template for sign-up emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “OTP - Sign-up”.
|
|
500
500
|
# The type of this field is nilable +String+.
|
|
501
501
|
#
|
|
502
502
|
# == Returns:
|
|
@@ -564,7 +564,7 @@ module Stytch
|
|
|
564
564
|
# an account for them.
|
|
565
565
|
# The type of this field is nilable +Boolean+.
|
|
566
566
|
# locale::
|
|
567
|
-
# Used to determine which language to use when sending the user this delivery method. Parameter is
|
|
567
|
+
# Used to determine which language to use when sending the user this delivery method. Parameter is an [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
|
|
568
568
|
#
|
|
569
569
|
# Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English.
|
|
570
570
|
#
|
|
@@ -572,10 +572,10 @@ module Stytch
|
|
|
572
572
|
#
|
|
573
573
|
# The type of this field is nilable +LoginOrCreateRequestLocale+ (string enum).
|
|
574
574
|
# login_template_id::
|
|
575
|
-
# Use a custom template for login emails. By default, it will use your default email template.
|
|
575
|
+
# Use a custom template for login emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic links - Login”.
|
|
576
576
|
# The type of this field is nilable +String+.
|
|
577
577
|
# signup_template_id::
|
|
578
|
-
# Use a custom template for sign-up emails. By default, it will use your default email template.
|
|
578
|
+
# Use a custom template for sign-up emails. By default, it will use your default email template. Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Magic links - Sign-up”.
|
|
579
579
|
# The type of this field is nilable +String+.
|
|
580
580
|
#
|
|
581
581
|
# == Returns:
|
data/lib/stytch/passwords.rb
CHANGED
|
@@ -242,7 +242,7 @@ module Stytch
|
|
|
242
242
|
# Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
|
|
243
243
|
# The type of this field is +String+.
|
|
244
244
|
# valid_password::
|
|
245
|
-
# Returns `true` if the password passes our password validation. We offer two validation options, [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy) is the default option which offers a high level of sophistication. We also offer [LUDS](https://stytch.com/docs/guides/passwords/strength-policy). If an email address is included in the call we also require that the password hasn't been compromised using built-in breach detection powered by [HaveIBeenPwned](https://haveibeenpwned.com/).
|
|
245
|
+
# Returns `true` if the password passes our password validation. We offer two validation options, [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy) is the default option which offers a high level of sophistication. We also offer [LUDS](https://stytch.com/docs/guides/passwords/strength-policy) which is less sophisticated but easier to understand. If an email address is included in the call we also require that the password hasn't been compromised using built-in breach detection powered by [HaveIBeenPwned](https://haveibeenpwned.com/).
|
|
246
246
|
# The type of this field is +Boolean+.
|
|
247
247
|
# score::
|
|
248
248
|
# The score of the password determined by [zxcvbn](https://github.com/dropbox/zxcvbn). Values will be between 1 and 4, a 3 or greater is required to pass validation.
|
|
@@ -254,7 +254,7 @@ module Stytch
|
|
|
254
254
|
# The strength policy type enforced, either `zxcvbn` or `luds`.
|
|
255
255
|
# The type of this field is +String+.
|
|
256
256
|
# breach_detection_on_create::
|
|
257
|
-
# Will return `true` if breach detection will be evaluated. By default this option is enabled. This option can be disabled
|
|
257
|
+
# Will return `true` if breach detection will be evaluated. By default this option is enabled. This option can be disabled in the [dashboard](https://stytch.com/dashboard/password-strength-config#breach-detection). If this value is `false` then `breached_password` will always be `false` as well.
|
|
258
258
|
# The type of this field is +Boolean+.
|
|
259
259
|
# status_code::
|
|
260
260
|
# The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
|
|
@@ -411,11 +411,9 @@ module Stytch
|
|
|
411
411
|
# The email of the User that requested the password reset.
|
|
412
412
|
# The type of this field is +String+.
|
|
413
413
|
# reset_password_redirect_url::
|
|
414
|
-
# The
|
|
415
|
-
#
|
|
416
|
-
#
|
|
417
|
-
# If this value is not passed, the default reset password redirect URL that you set in your Dashboard is used.
|
|
418
|
-
# If you have not set a default reset password redirect URL, an error is returned.
|
|
414
|
+
# The URL that the User is redirected to from the reset password magic link. This URL should display your application's reset password page.
|
|
415
|
+
# Before rendering the reset page, extract the `token` from the query parameters. On the reset page, collect the new password and complete the flow by calling the corresponding Password Reset by Email endpoint.
|
|
416
|
+
# If this parameter is not specified, the default Reset Password redirect URL configured in the Dashboard will be used. If you have not set a default Reset Password redirect URL, an error is returned.
|
|
419
417
|
# The type of this field is nilable +String+.
|
|
420
418
|
# reset_password_expiration_minutes::
|
|
421
419
|
# Set the expiration for the password reset, in minutes. By default, it expires in 30 minutes.
|
|
@@ -433,7 +431,7 @@ module Stytch
|
|
|
433
431
|
# After Users are redirected to the login redirect URL, your application should retrieve the `token` value from the URL parameters and call the [Magic Link Authenticate endpoint](https://stytch.com/docs/api/authenticate-magic-link) to log the User in without requiring a password reset. If this value is not provided, your project's default login redirect URL will be used. If you have not set a default login redirect URL, an error will be returned.
|
|
434
432
|
# The type of this field is nilable +String+.
|
|
435
433
|
# locale::
|
|
436
|
-
# Used to determine which language to use when sending the user this delivery method. Parameter is
|
|
434
|
+
# Used to determine which language to use when sending the user this delivery method. Parameter is an [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
|
|
437
435
|
#
|
|
438
436
|
# Currently supported languages are English (`"en"`), Spanish (`"es"`), French (`"fr"`) and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English.
|
|
439
437
|
#
|
|
@@ -442,7 +440,7 @@ module Stytch
|
|
|
442
440
|
# The type of this field is nilable +ResetStartRequestLocale+ (string enum).
|
|
443
441
|
# reset_password_template_id::
|
|
444
442
|
# Use a custom template for password reset emails. By default, it will use your default email template.
|
|
445
|
-
#
|
|
443
|
+
# Templates can be added in the [Stytch dashboard](https://stytch.com/dashboard/templates) using our built-in customization options or custom HTML templates with type “Passwords - Password reset”.
|
|
446
444
|
# The type of this field is nilable +String+.
|
|
447
445
|
#
|
|
448
446
|
# == Returns:
|
data/lib/stytch/rbac_local.rb
CHANGED
|
@@ -9,6 +9,10 @@ module Stytch
|
|
|
9
9
|
@rbac_client = rbac_client
|
|
10
10
|
@policy_last_update = 0
|
|
11
11
|
@cached_policy = nil
|
|
12
|
+
@cached_org_policies = {}
|
|
13
|
+
# TTL, in seconds, before a cached policy is considered stale
|
|
14
|
+
# and should be refreshed. Amounts to 5 minutes.
|
|
15
|
+
@cache_ttl = 300
|
|
12
16
|
end
|
|
13
17
|
|
|
14
18
|
def reload_policy
|
|
@@ -16,11 +20,27 @@ module Stytch
|
|
|
16
20
|
@policy_last_update = Time.now.to_i
|
|
17
21
|
end
|
|
18
22
|
|
|
23
|
+
def reload_org_policy(organization_id:)
|
|
24
|
+
@cached_org_policies[organization_id] = CachedOrgPolicy.new(
|
|
25
|
+
org_policy: @rbac_client.organizations.get_org_policy(organization_id: organization_id)
|
|
26
|
+
)
|
|
27
|
+
end
|
|
28
|
+
|
|
19
29
|
def get_policy(invalidate: false)
|
|
20
|
-
reload_policy if invalidate || @cached_policy.nil? || @policy_last_update < Time.now.to_i -
|
|
30
|
+
reload_policy if invalidate || @cached_policy.nil? || @policy_last_update < Time.now.to_i - @cache_ttl
|
|
21
31
|
@cached_policy
|
|
22
32
|
end
|
|
23
33
|
|
|
34
|
+
def get_org_policy(organization_id:, invalidate: false)
|
|
35
|
+
is_missing = @cached_org_policies[organization_id].nil?
|
|
36
|
+
is_stale = !is_missing && @cached_org_policies[organization_id].last_update < Time.now.to_i - @cache_ttl
|
|
37
|
+
reload_org_policy(organization_id: organization_id) if invalidate || is_missing || is_stale
|
|
38
|
+
|
|
39
|
+
return { 'roles' => [] } if @cached_org_policies[organization_id].nil?
|
|
40
|
+
|
|
41
|
+
@cached_org_policies[organization_id].org_policy
|
|
42
|
+
end
|
|
43
|
+
|
|
24
44
|
# Performs an authorization check against the project's policy and a set of roles. If the
|
|
25
45
|
# check succeeds, this method will return. If the check fails, a PermissionError
|
|
26
46
|
# will be raised. It's also possible for a TenancyError to be raised if the
|
|
@@ -34,19 +54,18 @@ module Stytch
|
|
|
34
54
|
raise Stytch::TenancyError.new(subject_org_id, authorization_check['organization_id']) if subject_org_id != authorization_check['organization_id']
|
|
35
55
|
|
|
36
56
|
policy = get_policy
|
|
57
|
+
org_policy = get_org_policy(organization_id: subject_org_id)
|
|
58
|
+
all_roles = policy['roles'].concat(org_policy['roles'])
|
|
37
59
|
|
|
38
|
-
|
|
60
|
+
return if all_roles.any? do |role|
|
|
39
61
|
next unless subject_roles.include?(role['role_id'])
|
|
40
62
|
|
|
41
|
-
|
|
63
|
+
role['permissions'].any? do |permission|
|
|
42
64
|
actions = permission['actions']
|
|
43
65
|
resource = permission['resource_id']
|
|
44
66
|
has_matching_action = actions.include?('*') || actions.include?(authorization_check['action'])
|
|
45
67
|
has_matching_resource = resource == authorization_check['resource_id']
|
|
46
|
-
|
|
47
|
-
# All good
|
|
48
|
-
return
|
|
49
|
-
end
|
|
68
|
+
has_matching_action && has_matching_resource
|
|
50
69
|
end
|
|
51
70
|
end
|
|
52
71
|
|
|
@@ -64,17 +83,15 @@ module Stytch
|
|
|
64
83
|
policy = get_policy
|
|
65
84
|
|
|
66
85
|
# For consumer authorization, we check roles without tenancy validation
|
|
67
|
-
|
|
86
|
+
return if policy['roles'].any? do |role|
|
|
68
87
|
next unless subject_roles.include?(role['role_id'])
|
|
69
88
|
|
|
70
|
-
|
|
89
|
+
role['permissions'].any? do |permission|
|
|
71
90
|
actions = permission['actions']
|
|
72
91
|
resource = permission['resource_id']
|
|
73
92
|
has_matching_action = actions.include?('*') || actions.include?(authorization_check['action'])
|
|
74
93
|
has_matching_resource = resource == authorization_check['resource_id']
|
|
75
|
-
|
|
76
|
-
return # Permission granted
|
|
77
|
-
end
|
|
94
|
+
has_matching_action && has_matching_resource
|
|
78
95
|
end
|
|
79
96
|
end
|
|
80
97
|
|
|
@@ -98,19 +115,17 @@ module Stytch
|
|
|
98
115
|
resource_id = authorization_check['resource_id']
|
|
99
116
|
|
|
100
117
|
# Check if any of the token scopes grant permission for this action/resource
|
|
101
|
-
|
|
118
|
+
return if policy['scopes'].any? do |scope_obj|
|
|
102
119
|
scope_name = scope_obj['scope']
|
|
103
120
|
next unless token_scopes.include?(scope_name)
|
|
104
121
|
|
|
105
122
|
# Check if this scope grants permission for the requested action/resource
|
|
106
|
-
|
|
123
|
+
scope_obj['permissions'].any? do |permission|
|
|
107
124
|
actions = permission['actions']
|
|
108
125
|
resource = permission['resource_id']
|
|
109
126
|
has_matching_action = actions.include?('*') || actions.include?(action)
|
|
110
127
|
has_matching_resource = resource == resource_id
|
|
111
|
-
|
|
112
|
-
return # Permission granted
|
|
113
|
-
end
|
|
128
|
+
has_matching_action && has_matching_resource
|
|
114
129
|
end
|
|
115
130
|
end
|
|
116
131
|
|
|
@@ -118,4 +133,13 @@ module Stytch
|
|
|
118
133
|
raise Stytch::PermissionError, authorization_check
|
|
119
134
|
end
|
|
120
135
|
end
|
|
136
|
+
|
|
137
|
+
class CachedOrgPolicy
|
|
138
|
+
def initialize(org_policy:)
|
|
139
|
+
@org_policy = org_policy['org_policy']
|
|
140
|
+
@last_update = Time.now.to_i
|
|
141
|
+
end
|
|
142
|
+
|
|
143
|
+
attr_reader :org_policy, :last_update
|
|
144
|
+
end
|
|
121
145
|
end
|
data/lib/stytch/sessions.rb
CHANGED
|
@@ -234,8 +234,6 @@ module Stytch
|
|
|
234
234
|
# Use this endpoint to exchange a Connected Apps Access Token back into a Stytch Session for the underlying User.
|
|
235
235
|
# This session can be used with the Stytch SDKs and APIs.
|
|
236
236
|
#
|
|
237
|
-
# The Session returned will be the same Session that was active in your application (the authorizing party) during the initial authorization flow.
|
|
238
|
-
#
|
|
239
237
|
# The Access Token must contain the `full_access` scope (only available to First Party clients) and must not be more than 5 minutes old. Access Tokens may only be exchanged a single time.
|
|
240
238
|
#
|
|
241
239
|
# == Parameters:
|
data/lib/stytch/version.rb
CHANGED
data/lib/stytch/webauthn.rb
CHANGED
|
@@ -20,9 +20,11 @@ module Stytch
|
|
|
20
20
|
#
|
|
21
21
|
# To optimize for Passkeys, set the `return_passkey_credential_options` field to `true`.
|
|
22
22
|
#
|
|
23
|
-
# After calling this endpoint, the browser will need to call [navigator.credentials.create()](https://www.w3.org/TR/webauthn-2/#sctn-createCredential) with the data from [public_key_credential_creation_options](https://w3c.github.io/webauthn/#dictionary-makecredentialoptions) passed to the [navigator.credentials.create()](https://www.w3.org/TR/webauthn-2/#sctn-createCredential) request via the public key argument.
|
|
23
|
+
# After calling this endpoint, the browser will need to call [navigator.credentials.create()](https://www.w3.org/TR/webauthn-2/#sctn-createCredential) with the data from [public_key_credential_creation_options](https://w3c.github.io/webauthn/#dictionary-makecredentialoptions) passed to the [navigator.credentials.create()](https://www.w3.org/TR/webauthn-2/#sctn-createCredential) request via the public key argument.
|
|
24
24
|
#
|
|
25
|
-
#
|
|
25
|
+
# When using built-in browser methods like `navigator.credentials.create()`, set the `use_base64_url_encoding` option to `true`.
|
|
26
|
+
#
|
|
27
|
+
# See our [WebAuthn setup guide](https://stytch.com/docs/guides/webauthn/api) for additional usage instructions and example code.
|
|
26
28
|
#
|
|
27
29
|
# == Parameters:
|
|
28
30
|
# user_id::
|
|
@@ -51,7 +53,7 @@ module Stytch
|
|
|
51
53
|
# (no documentation yet)
|
|
52
54
|
# The type of this field is nilable +String+.
|
|
53
55
|
# use_base64_url_encoding::
|
|
54
|
-
#
|
|
56
|
+
# If true, values in the `public_key_credential_creation_options` will be base64 URL encoded. Set this option to true when using built-in browser methods like `navigator.credentials.create` and `navigator.credentials.get`.
|
|
55
57
|
# The type of this field is nilable +Boolean+.
|
|
56
58
|
#
|
|
57
59
|
# == Returns:
|
|
@@ -97,7 +99,7 @@ module Stytch
|
|
|
97
99
|
|
|
98
100
|
# Complete the creation of a WebAuthn registration by passing the response from the [navigator.credentials.create()](https://www.w3.org/TR/webauthn-2/#sctn-createCredential) request to this endpoint as the `public_key_credential` parameter.
|
|
99
101
|
#
|
|
100
|
-
#
|
|
102
|
+
# See our [WebAuthn setup guide](https://stytch.com/docs/guides/webauthn/api) for additional usage instructions and example code.
|
|
101
103
|
#
|
|
102
104
|
# == Parameters:
|
|
103
105
|
# user_id::
|
|
@@ -191,9 +193,11 @@ module Stytch
|
|
|
191
193
|
#
|
|
192
194
|
# To optimize for Passkeys, set the `return_passkey_credential_options` field to `true`.
|
|
193
195
|
#
|
|
194
|
-
# After calling this endpoint, the browser will need to call [navigator.credentials.get()](https://www.w3.org/TR/webauthn-2/#sctn-getAssertion) with the data from `public_key_credential_request_options` passed to the [navigator.credentials.get()](https://www.w3.org/TR/webauthn-2/#sctn-getAssertion) request via the public key argument.
|
|
196
|
+
# After calling this endpoint, the browser will need to call [navigator.credentials.get()](https://www.w3.org/TR/webauthn-2/#sctn-getAssertion) with the data from `public_key_credential_request_options` passed to the [navigator.credentials.get()](https://www.w3.org/TR/webauthn-2/#sctn-getAssertion) request via the public key argument.
|
|
195
197
|
#
|
|
196
|
-
#
|
|
198
|
+
# When using built-in browser methods like `navigator.credentials.get()`, set the `use_base64_url_encoding` option to `true`.
|
|
199
|
+
#
|
|
200
|
+
# See our [WebAuthn setup guide](https://stytch.com/docs/guides/webauthn/api) for additional usage instructions and example code.
|
|
197
201
|
#
|
|
198
202
|
# == Parameters:
|
|
199
203
|
# domain::
|
|
@@ -207,7 +211,7 @@ module Stytch
|
|
|
207
211
|
#
|
|
208
212
|
# The type of this field is nilable +Boolean+.
|
|
209
213
|
# use_base64_url_encoding::
|
|
210
|
-
#
|
|
214
|
+
# If true, values in the `public_key_credential_creation_options` will be base64 URL encoded. Set this option to true when using built-in browser methods like `navigator.credentials.create` and `navigator.credentials.get`.
|
|
211
215
|
# The type of this field is nilable +Boolean+.
|
|
212
216
|
#
|
|
213
217
|
# == Returns:
|
|
@@ -243,7 +247,7 @@ module Stytch
|
|
|
243
247
|
|
|
244
248
|
# Complete the authentication of a Passkey or WebAuthn registration by passing the response from the [navigator.credentials.get()](https://www.w3.org/TR/webauthn-2/#sctn-getAssertion) request to the authenticate endpoint.
|
|
245
249
|
#
|
|
246
|
-
#
|
|
250
|
+
# See our [WebAuthn setup guide](https://stytch.com/docs/guides/webauthn/api) for additional usage instructions and example code.
|
|
247
251
|
#
|
|
248
252
|
# == Parameters:
|
|
249
253
|
# public_key_credential::
|
data/stytch.gemspec
CHANGED
|
@@ -29,6 +29,7 @@ Gem::Specification.new do |spec|
|
|
|
29
29
|
spec.add_dependency 'json-jwt', '>= 1.13.0'
|
|
30
30
|
spec.add_dependency 'jwt', '>= 2.3.0'
|
|
31
31
|
|
|
32
|
+
spec.add_development_dependency 'prism', '~> 1.8.0'
|
|
32
33
|
spec.add_development_dependency 'rspec', '~> 3.11.0'
|
|
33
34
|
spec.add_development_dependency 'rubocop', '1.64.1'
|
|
34
35
|
spec.add_development_dependency 'rubocop-rspec', '2.24.0'
|