stytch 10.6.0 → 10.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1fc94b3f2682727e8313774b34312e8e5b621e012a99cf789c956cfc08a43419
-  data.tar.gz: e82cbc5ef8e95c439b0e959c9aeb1b88d123b589e58816be36359654b5c642da
+  metadata.gz: 0dfb80803a3696d1a6f3d7118c859a571b42e52eacd550ad0e8f9450caba75e7
+  data.tar.gz: fb9e341e712dac2eed58d0b99b6281f328aecee8833b3fbd40c62f0b781c65c0
 SHA512:
-  metadata.gz: e37526e4eeef1517b5aa1fc415a7b9f742943ba89fe97c88088ae7059ecb1840b4330dc7c7dffd7c8b822f3a69697ebcafac2965f735e53bfd1b6fc47dd82c68
-  data.tar.gz: 8a84503310f85e276f94d7c8ce7adbc0a3b010669a8d9548256df0c9a8d35a1ec759eb803a74be530dd2226895483f385c0a4fa5e8d1e86e7bc29ddb5f8ce6f5
+  metadata.gz: e97f8ec4d069aa1f39822a2fc2de3ccdaad06e913d80180eb50d24bcfdb116cc61d8b1a5508f3675ef8e3b23ea4abe61391335258e65ed2a0a9701818b8eb673
+  data.tar.gz: 390ed7e78d764da278cd3c2e1ff1071a7f93be2e3a1d2d0905fbfc27e71ea62b2cb6873a70081897b259bed7c7defb7658c62f495f89bdf3f1ec354657ebad23

data/lib/stytch/b2b_impersonation.rb

@@ -19,6 +19,8 @@ module StytchB2B
     # Authenticate an impersonation token to impersonate a. This endpoint requires an impersonation token that is not expired or previously used.
     # A Stytch session will be created for the impersonated member with a 60 minute duration. Impersonated sessions cannot be extended.
     #
+    # Prior to this step, you can generate an impersonation token by visiting the Stytch dashboard, viewing a member, and clicking the `Impersonate Member` button.
+    #
     # == Parameters:
     # impersonation_token::
     #   The User Impersonation token to authenticate.

data/lib/stytch/b2b_organizations.rb

@@ -161,6 +161,9 @@ module StytchB2B
     # allowed_oauth_tenants::
     #   A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github".
     #   The type of this field is nilable +object+.
+    # claimed_email_domains::
+    #   A list of email domains that are claimed by the Organization.
+    #   The type of this field is nilable list of +String+.
     #
     # == Returns:
     # An object with the following fields:
@@ -189,7 +192,8 @@ module StytchB2B
       mfa_methods: nil,
       allowed_mfa_methods: nil,
       oauth_tenant_jit_provisioning: nil,
-      allowed_oauth_tenants: nil
+      allowed_oauth_tenants: nil,
+      claimed_email_domains: nil
     )
       headers = {}
       request = {
@@ -210,6 +214,7 @@ module StytchB2B
       request[:allowed_mfa_methods] = allowed_mfa_methods unless allowed_mfa_methods.nil?
       request[:oauth_tenant_jit_provisioning] = oauth_tenant_jit_provisioning unless oauth_tenant_jit_provisioning.nil?
       request[:allowed_oauth_tenants] = allowed_oauth_tenants unless allowed_oauth_tenants.nil?
+      request[:claimed_email_domains] = claimed_email_domains unless claimed_email_domains.nil?
 
       post_request('/v1/b2b/organizations', request, headers)
     end
@@ -389,6 +394,9 @@ module StytchB2B
     #
     # If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-oauth-tenants` action on the `stytch.organization` Resource.
     #   The type of this field is nilable +object+.
+    # claimed_email_domains::
+    #   A list of email domains that are claimed by the Organization.
+    #   The type of this field is nilable list of +String+.
     #
     # == Returns:
     # An object with the following fields:
@@ -424,6 +432,7 @@ module StytchB2B
       allowed_mfa_methods: nil,
       oauth_tenant_jit_provisioning: nil,
       allowed_oauth_tenants: nil,
+      claimed_email_domains: nil,
       method_options: nil
     )
       headers = {}
@@ -447,6 +456,7 @@ module StytchB2B
       request[:allowed_mfa_methods] = allowed_mfa_methods unless allowed_mfa_methods.nil?
       request[:oauth_tenant_jit_provisioning] = oauth_tenant_jit_provisioning unless oauth_tenant_jit_provisioning.nil?
       request[:allowed_oauth_tenants] = allowed_oauth_tenants unless allowed_oauth_tenants.nil?
+      request[:claimed_email_domains] = claimed_email_domains unless claimed_email_domains.nil?
 
       put_request("/v1/b2b/organizations/#{organization_id}", request, headers)
     end

data/lib/stytch/b2b_passwords.rb

@@ -596,18 +596,18 @@ module StytchB2B
       #
       # == Returns:
       # An object with the following fields:
-      # member::
-      #   The [Member object](https://stytch.com/docs/b2b/api/member-object)
-      #   The type of this field is +Member+ (+object+).
-      # organization::
-      #   The [Organization object](https://stytch.com/docs/b2b/api/organization-object).
-      #   The type of this field is +Organization+ (+object+).
       # status_code::
       #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
       #   The type of this field is +Integer+.
       # member_id::
       #   Globally unique UUID that identifies a specific Member.
       #   The type of this field is nilable +String+.
+      # member::
+      #   The [Member object](https://stytch.com/docs/b2b/api/member-object)
+      #   The type of this field is nilable +Member+ (+object+).
+      # organization::
+      #   The [Organization object](https://stytch.com/docs/b2b/api/organization-object).
+      #   The type of this field is nilable +Organization+ (+object+).
       #
       # == Method Options:
       # This method supports an optional +StytchB2B::Passwords::Email::RequireResetRequestOptions+ object which will modify the headers sent in the HTTP request.

data/lib/stytch/b2b_sessions.rb

@@ -341,6 +341,77 @@ module StytchB2B
       post_request('/v1/b2b/sessions/exchange', request, headers)
     end
 
+    # Use this endpoint to exchange a Connected Apps Access Token back into a Member Session for the underlying Member.
+    # This session can be used with the Stytch SDKs and APIs.
+    #
+    # The Access Token must contain the `full_access` scope and must not be more than 5 minutes old. Access Tokens may only be exchanged a single time.
+    #
+    # Because the Member previously completed MFA and satisfied all Organization authentication requirements at the time of the original Access Token issuance, this endpoint will never return an `intermediate_session_token` or require MFA.
+    #
+    # == Parameters:
+    # access_token::
+    #   The access token to exchange for a Stytch Session. Must be granted the `full_access` scope.
+    #   The type of this field is +String+.
+    # session_duration_minutes::
+    #   Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,
+    #   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of
+    #   five minutes regardless of the underlying session duration, and will need to be refreshed over time.
+    #
+    #   This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
+    #
+    #   If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.
+    #
+    #   If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want
+    #   to use the Stytch session product, you can ignore the session fields in the response.
+    #   The type of this field is nilable +Integer+.
+    # session_custom_claims::
+    #   Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in
+    #   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To
+    #   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.
+    #   Total custom claims size cannot exceed four kilobytes.
+    #   The type of this field is nilable +object+.
+    #
+    # == Returns:
+    # An object with the following fields:
+    # request_id::
+    #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+    #   The type of this field is +String+.
+    # member_id::
+    #   Globally unique UUID that identifies a specific Member.
+    #   The type of this field is +String+.
+    # session_token::
+    #   A secret token for a given Stytch Session.
+    #   The type of this field is +String+.
+    # session_jwt::
+    #   The JSON Web Token (JWT) for a given Stytch Session.
+    #   The type of this field is +String+.
+    # member::
+    #   The [Member object](https://stytch.com/docs/b2b/api/member-object)
+    #   The type of this field is +Member+ (+object+).
+    # organization::
+    #   The [Organization object](https://stytch.com/docs/b2b/api/organization-object).
+    #   The type of this field is +Organization+ (+object+).
+    # status_code::
+    #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+    #   The type of this field is +Integer+.
+    # member_session::
+    #   The [Session object](https://stytch.com/docs/b2b/api/session-object).
+    #   The type of this field is nilable +MemberSession+ (+object+).
+    def exchange_access_token(
+      access_token:,
+      session_duration_minutes: nil,
+      session_custom_claims: nil
+    )
+      headers = {}
+      request = {
+        access_token: access_token
+      }
+      request[:session_duration_minutes] = session_duration_minutes unless session_duration_minutes.nil?
+      request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
+
+      post_request('/v1/b2b/sessions/exchange_access_token', request, headers)
+    end
+
     # Migrate a session from an external OIDC compliant endpoint. Stytch will call the external UserInfo endpoint defined in your Stytch Project settings in the [Dashboard](https://stytch.com/docs/dashboard), and then perform a lookup using the `session_token`. If the response contains a valid email address, Stytch will attempt to match that email address with an existing in your and create a Stytch Session. You will need to create the member before using this endpoint.
     #
     # == Parameters:

data/lib/stytch/fraud.rb

@@ -94,31 +94,37 @@ module Stytch
         @connection = connection
       end
 
-      # Set a rule for a particular `visitor_id`, `browser_id`, `visitor_fingerprint`, `browser_fingerprint`, `hardware_fingerprint`, or `network_fingerprint`. This is helpful in cases where you want to allow or block a specific user or fingerprint. You should be careful when setting rules for `browser_fingerprint`, `hardware_fingerprint`, or `network_fingerprint` as they can be shared across multiple users, and you could affect more users than intended.
+      # Set a rule for a particular `visitor_id`, `browser_id`, `visitor_fingerprint`, `browser_fingerprint`, `hardware_fingerprint`, `network_fingerprint`, `cidr_block`, `asn`, or `country_code`. This is helpful in cases where you want to allow or block a specific user or fingerprint. You should be careful when setting rules for `browser_fingerprint`, `hardware_fingerprint`, or `network_fingerprint` as they can be shared across multiple users, and you could affect more users than intended.
+      #
+      # You may not set an `ALLOW` rule for a `country_code`.
       #
       # Rules are applied in the order specified above. For example, if an end user has an `ALLOW` rule set for their `visitor_id` but a `BLOCK` rule set for their `hardware_fingerprint`, they will receive an `ALLOW` verdict because the `visitor_id` rule takes precedence.
       #
+      # If there are conflicts between multiple `cidr_block` rules (for example, if the `ip_address` of the end user overlaps with multiple CIDR blocks that have rules set), the conflicts are resolved as follows:
+      # - The smallest block size takes precedence. For example, if an `ip_address` overlaps with a `cidr_block` rule of `ALLOW` for a block with a prefix of `/32` and a `cidr_block` rule of `BLOCK` with a prefix of `/24`, the rule match verdict will be `ALLOW`.
+      # - Among equivalent size blocks, `BLOCK` takes precedence over `CHALLENGE`, which takes precedence over `ALLOW`. For example, if an `ip_address` overlaps with two `cidr_block` rules with blocks of the same size that return `CHALLENGE` and `ALLOW`, the rule match verdict will be `CHALLENGE`.
+      #
       # == Parameters:
       # action::
-      #   The action that should be returned by a fingerprint lookup for that fingerprint or ID with a `RULE_MATCH` reason. The following values are valid: `ALLOW`, `BLOCK`, `CHALLENGE`, or `NONE`. If a `NONE` action is specified, it will clear the stored rule.
+      #   The action that should be returned by a fingerprint lookup for that identifier with a `RULE_MATCH` reason. The following values are valid: `ALLOW`, `BLOCK`, `CHALLENGE`, or `NONE`. For country codes, `ALLOW` actions are not allowed. If a `NONE` action is specified, it will clear the stored rule.
       #   The type of this field is +RuleAction+ (string enum).
       # visitor_id::
-      #   The visitor ID we want to set a rule for. Only one fingerprint or ID can be specified in the request.
+      #   The visitor ID we want to set a rule for. Only one identifier can be specified in the request.
       #   The type of this field is nilable +String+.
       # browser_id::
-      #   The browser ID we want to set a rule for. Only one fingerprint or ID can be specified in the request.
+      #   The browser ID we want to set a rule for. Only one identifier can be specified in the request.
       #   The type of this field is nilable +String+.
       # visitor_fingerprint::
-      #   The visitor fingerprint we want to set a rule for. Only one fingerprint or ID can be specified in the request.
+      #   The visitor fingerprint we want to set a rule for. Only one identifier can be specified in the request.
       #   The type of this field is nilable +String+.
       # browser_fingerprint::
-      #   The browser fingerprint we want to set a rule for. Only one fingerprint or ID can be specified in the request.
+      #   The browser fingerprint we want to set a rule for. Only one identifier can be specified in the request.
       #   The type of this field is nilable +String+.
       # hardware_fingerprint::
-      #   The hardware fingerprint we want to set a rule for. Only one fingerprint or ID can be specified in the request.
+      #   The hardware fingerprint we want to set a rule for. Only one identifier can be specified in the request.
       #   The type of this field is nilable +String+.
       # network_fingerprint::
-      #   The network fingerprint we want to set a rule for. Only one fingerprint or ID can be specified in the request.
+      #   The network fingerprint we want to set a rule for. Only one identifier can be specified in the request.
       #   The type of this field is nilable +String+.
       # expires_in_minutes::
       #   The number of minutes until this rule expires. If no `expires_in_minutes` is specified, then the rule is kept permanently.
@@ -126,6 +132,15 @@ module Stytch
       # description::
       #   An optional description for the rule.
       #   The type of this field is nilable +String+.
+      # cidr_block::
+      #   The CIDR block we want to set a rule for. You may pass either an IP address or a CIDR block. The CIDR block prefix must be between 16 and 32, inclusive. If an end user's IP address is within this CIDR block, this rule will be applied. Only one identifier can be specified in the request.
+      #   The type of this field is nilable +String+.
+      # country_code::
+      #   The country code we want to set a rule for. The country code must be a valid ISO 3166-1 alpha-2 code. You may not set `ALLOW` rules for country codes. Only one identifier can be specified in the request.
+      #   The type of this field is nilable +String+.
+      # asn::
+      #   The ASN we want to set a rule for. The ASN must be the string representation of an integer between 0 and 4294967295, inclusive. Only one identifier can be specified in the request.
+      #   The type of this field is nilable +String+.
       #
       # == Returns:
       # An object with the following fields:
@@ -139,26 +154,35 @@ module Stytch
       #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
       #   The type of this field is +Integer+.
       # visitor_id::
-      #   The cookie stored on the user's device that uniquely identifies them.
+      #   The visitor ID that a rule was set for.
       #   The type of this field is nilable +String+.
       # browser_id::
-      #   Combination of VisitorID and NetworkFingerprint to create a clear identifier of a browser.
+      #   The browser ID that a rule was set for.
       #   The type of this field is nilable +String+.
       # visitor_fingerprint::
-      #   Cookie-less way of identifying a unique user.
+      #   The visitor fingerprint that a rule was set for.
       #   The type of this field is nilable +String+.
       # browser_fingerprint::
-      #   Combination of signals to identify a browser and its specific version.
+      #   The browser fingerprint that a rule was set for.
       #   The type of this field is nilable +String+.
       # hardware_fingerprint::
-      #   Combinations of signals to identify an operating system and architecture.
+      #   The hardware fingerprint that a rule was set for.
       #   The type of this field is nilable +String+.
       # network_fingerprint::
-      #   Combination of signals associated with a specific network commonly known as TLS fingerprinting.
+      #   The network fingerprint that a rule was set for.
       #   The type of this field is nilable +String+.
       # expires_at::
       #   The timestamp when the rule expires. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
       #   The type of this field is nilable +String+.
+      # cidr_block::
+      #   The CIDR block that a rule was set for. If an end user's IP address is within this CIDR block, this rule will be applied.
+      #   The type of this field is nilable +String+.
+      # country_code::
+      #   The country code that a rule was set for.
+      #   The type of this field is nilable +String+.
+      # asn::
+      #   The ASN that a rule was set for.
+      #   The type of this field is nilable +String+.
       def set(
         action:,
         visitor_id: nil,
@@ -168,7 +192,10 @@ module Stytch
         hardware_fingerprint: nil,
         network_fingerprint: nil,
         expires_in_minutes: nil,
-        description: nil
+        description: nil,
+        cidr_block: nil,
+        country_code: nil,
+        asn: nil
       )
         headers = {}
         request = {
@@ -182,6 +209,9 @@ module Stytch
         request[:network_fingerprint] = network_fingerprint unless network_fingerprint.nil?
         request[:expires_in_minutes] = expires_in_minutes unless expires_in_minutes.nil?
         request[:description] = description unless description.nil?
+        request[:cidr_block] = cidr_block unless cidr_block.nil?
+        request[:country_code] = country_code unless country_code.nil?
+        request[:asn] = asn unless asn.nil?
 
         post_request('/v1/rules/set', request, headers)
       end

data/lib/stytch/impersonation.rb

@@ -19,6 +19,8 @@ module Stytch
     # Authenticate an impersonation token to impersonate a User. This endpoint requires an impersonation token that is not expired or previously used.
     # A Stytch session will be created for the impersonated user with a 60 minute duration. Impersonated sessions cannot be extended.
     #
+    # Prior to this step, you can generate an impersonation token by visiting the Stytch dashboard, viewing a user, and clicking the `Impersonate User` button.
+    #
     # == Parameters:
     # impersonation_token::
     #   The User Impersonation token to authenticate.

data/lib/stytch/m2m.rb

@@ -443,8 +443,7 @@ module Stytch
           @connection = connection
         end
 
-        # Initiate the rotation of an M2M client secret. After this endpoint is called, both the client's `client_secret` and `next_client_secret` will be valid. To complete the secret rotation flow, update all usages of `client_secret` to `next_client_secret` and call the [Rotate Secret Endpoint](https://stytch.com/docs/b2b/api/m2m-rotate-secret)[Rotate Secret Endpoint](https://stytch.com/docs/api/m2m-rotate-secret) to complete the flow.
-        # Secret rotation can be cancelled using the [Rotate Cancel Endpoint](https://stytch.com/docs/b2b/api/m2m-rotate-secret-cancel)[Rotate Cancel Endpoint](https://stytch.com/docs/api/m2m-rotate-secret-cancel).
+        # Initiate the rotation of an M2M client secret. After this endpoint is called, both the client's `client_secret` and `next_client_secret` will be valid. To complete the secret rotation flow, update all usages of `client_secret` to `next_client_secret` and call the [Rotate Secret Endpoint](https://stytch.com/docs/b2b/api/m2m-rotate-secret)[Rotate Secret Endpoint](https://stytch.com/docs/api/m2m-rotate-secret) to complete the flow.Secret rotation can be cancelled using the [Rotate Cancel Endpoint](https://stytch.com/docs/b2b/api/m2m-rotate-secret-cancel)[Rotate Cancel Endpoint](https://stytch.com/docs/api/m2m-rotate-secret-cancel).
         #
         # **Important:** This is the only time you will be able to view the generated `next_client_secret` in the API response. Stytch stores a hash of the `next_client_secret` and cannot recover the value if lost. Be sure to persist the `next_client_secret` in a secure location. If the `next_client_secret` is lost, you will need to trigger a secret rotation flow to receive another one.
         #

data/lib/stytch/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Stytch
-  VERSION = '10.6.0'
+  VERSION = '10.8.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: stytch
 version: !ruby/object:Gem::Version
-  version: 10.6.0
+  version: 10.8.0
 platform: ruby
 authors:
 - stytch
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-02-19 00:00:00.000000000 Z
+date: 2025-03-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday