stytch 6.4.0 → 6.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 94327b3a992f3e596ec4c0a5a6bad97d2c78041e15f12a470949819aa5c0994d
-  data.tar.gz: a02935d82c7129002058f425f15d73886b5f373b9f942e35cfb410fd62c7148d
+  metadata.gz: b550936fb7076aad0eb10a1551f50440e8855c5042e6d1173a68d5eaf8df7b7d
+  data.tar.gz: afa5981979e47b49868ce2be6f701d3d94102365f2565e8f1c42889d548b8af5
 SHA512:
-  metadata.gz: c366e0741c92ecf5ce5413beb57917a01f733ecc231540aebfab19c8a51ee75e7ee9deded5d23453b0580fc3556c90f7e2d1b707dfd79fa6aa6fa6b43cf5e152
-  data.tar.gz: 9e2540999fa38c50436ea9409859cff663378d7b4a4d21a9ec15bdc8e36b326ed3ae2d681751739adbcecb57b3bd3a1c578394ba6d9dd2b92a1e9b5863f1a84b
+  metadata.gz: 48fb733f974b3f66b0f11d62aa0215ddf162f8d3f715d63c750e3820c261fffb33a1a04668370b66b28f2fb5d7311bd0608d3b6cc421d48629b93bb287dba814
+  data.tar.gz: 6f05e0e6dad871dd162c45007c2e9cf8a303b721d8a81aa1f74dfbe785f317cf14cabdeedfce2abe2d42523773e260998a372644c4fa8da7f1e362b3f186815c

data/.github/workflows/ruby.yml

@@ -26,3 +26,16 @@ jobs:
           bundler-cache: true
 
       - run: bundle exec rspec
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          # Match the minimum supported Ruby version in the gemspec.
+          ruby-version: '2.7'
+          bundler-cache: true
+
+      - run: bundle exec rubocop

data/.rubocop.yml

@@ -0,0 +1,21 @@
+require:
+ - rubocop-rspec
+
+AllCops:
+  NewCops: disable
+  # The target Ruby version must match the one in stytch.gemspec.
+  TargetRubyVersion: 2.7
+
+Layout/LineLength: { Enabled: false }
+
+Metrics: { Enabled: false }
+
+Style/Documentation: { Enabled: false }
+Style/For: { Enabled: false }
+Style/FrozenStringLiteralComment: { Enabled: false }
+Style/NumericPredicate: { Enabled: false }
+Style/StringConcatenation: { Enabled: false }
+
+RSpec/DescribedClass: { Enabled: false }
+RSpec/ExampleLength: { Enabled: false }
+RSpec/MultipleExpectations: { Enabled: false }

data/DEVELOPMENT.md

@@ -5,7 +5,9 @@ Thanks for contributing to Stytch's Ruby library! If you run into trouble, find
 ## Setup
 
 1. Clone this repo.
-2. To test your changes locally, update your GEMFILE with `gem 'stytch', path: '../stytch'` where `../stytch` is the path to your cloned copy of stytch-ruby.
+2. Install development dependencies using [Bundler]: `bundle install`
+
+To test your changes locally in another project, update your `GEMFILE` with `gem 'stytch', path: '../stytch'` where `../stytch` is the path to your cloned copy of stytch-ruby.
 
 ## Issues and Pull Requests
 
@@ -15,4 +17,5 @@ If you have non-trivial changes you'd like us to incorporate, please open an iss
 
 When you're ready for someone to look at your issue or PR, assign `@stytchauth/client-libraries` (GitHub should do this automatically). If we don't acknowledge it within one business day, please escalate it by tagging `@stytchauth/engineering` in a comment or letting us know in [Slack].
 
-[Slack]: https://join.slack.com/t/stytch/shared_invite/zt-nil4wo92-jApJ9Cl32cJbEd9esKkvyg
+[Bundler]: https://bundler.io/
+[Slack]: https://join.slack.com/t/stytch/shared_invite/zt-nil4wo92-jApJ9Cl32cJbEd9esKkvyg

data/lib/stytch/b2b_client.rb

@@ -31,7 +31,7 @@ module StytchB2B
       @organizations = StytchB2B::Organizations.new(@connection)
       @passwords = StytchB2B::Passwords.new(@connection)
       @sso = StytchB2B::SSO.new(@connection)
-      @sessions = StytchB2B::Sessions.new(@connection)
+      @sessions = StytchB2B::Sessions.new(@connection, project_id)
     end
 
     private

data/lib/stytch/b2b_organizations.rb

@@ -280,10 +280,7 @@ module StytchB2B
       request[:trusted_metadata] = trusted_metadata unless trusted_metadata.nil?
       request[:sso_default_connection_id] = sso_default_connection_id unless sso_default_connection_id.nil?
       request[:sso_jit_provisioning] = sso_jit_provisioning unless sso_jit_provisioning.nil?
-      unless sso_jit_provisioning_allowed_connections.nil?
-        request[:sso_jit_provisioning_allowed_connections] =
-          sso_jit_provisioning_allowed_connections
-      end
+      request[:sso_jit_provisioning_allowed_connections] = sso_jit_provisioning_allowed_connections unless sso_jit_provisioning_allowed_connections.nil?
       request[:email_allowed_domains] = email_allowed_domains unless email_allowed_domains.nil?
       request[:email_jit_provisioning] = email_jit_provisioning unless email_jit_provisioning.nil?
       request[:email_invites] = email_invites unless email_invites.nil?

data/lib/stytch/b2b_passwords.rb

@@ -180,12 +180,9 @@ module StytchB2B
       post_request('/v1/b2b/passwords/migrate', request)
     end
 
-    # Authenticate a member with their email address and password. This endpoint verifies that the member has a password currently set, and that the entered password is correct. There are two instances where the endpoint will return a reset_password error even if they enter their previous password:
-    # * The member’s credentials appeared in the HaveIBeenPwned dataset.
-    #     * We force a password reset to ensure that the member is the legitimate owner of the email address, and not a malicious actor abusing the compromised credentials.
-    # * A member that has previously authenticated with email/password uses a passwordless authentication method tied to the same email address (e.g. Magic Links) for the first time. Any subsequent email/password authentication attempt will result in this error.
-    #     * We force a password reset in this instance in order to safely deduplicate the account by email address, without introducing the risk of a pre-hijack account takeover attack.
-    #     * Imagine a bad actor creates many accounts using passwords and the known email addresses of their victims. If a victim comes to the site and logs in for the first time with an email-based passwordless authentication method then both the victim and the bad actor have credentials to access to the same account. To prevent this, any further email/password login attempts first require a password reset which can only be accomplished by someone with access to the underlying email address.
+    # Authenticate a member with their email address and password. This endpoint verifies that the member has a password currently set, and that the entered password is correct.
+    #
+    # If you have breach detection during authentication enabled in your [password strength policy](https://stytch.com/docs/b2b/guides/passwords/strength-policies) and the member's credentials have appeared in the HaveIBeenPwned dataset, this endpoint will return a `member_reset_password` error even if the member enters a correct password. We force a password reset in this case to ensure that the member is the legitimate owner of the email address and not a malicious actor abusing the compromised credentials.
     #
     # If the Member is required to complete MFA to log in to the Organization, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
     # The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the MFA step and acquire a full member session.
@@ -382,10 +379,7 @@ module StytchB2B
           email_address: email_address
         }
         request[:reset_password_redirect_url] = reset_password_redirect_url unless reset_password_redirect_url.nil?
-        unless reset_password_expiration_minutes.nil?
-          request[:reset_password_expiration_minutes] =
-            reset_password_expiration_minutes
-        end
+        request[:reset_password_expiration_minutes] = reset_password_expiration_minutes unless reset_password_expiration_minutes.nil?
         request[:code_challenge] = code_challenge unless code_challenge.nil?
         request[:login_redirect_url] = login_redirect_url unless login_redirect_url.nil?
         request[:locale] = locale unless locale.nil?
@@ -543,6 +537,32 @@ module StytchB2B
       # session_jwt::
       #   The JSON Web Token (JWT) for a given Stytch Session.
       #   The type of this field is nilable +String+.
+      # session_duration_minutes::
+      #   Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,
+      #   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of
+      #   five minutes regardless of the underlying session duration, and will need to be refreshed over time.
+      #
+      #   This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
+      #
+      #   If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.
+      #
+      #   If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want
+      #   to use the Stytch session product, you can ignore the session fields in the response.
+      #   The type of this field is nilable +Integer+.
+      # session_custom_claims::
+      #   Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in
+      #   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To
+      #   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored.
+      #   Total custom claims size cannot exceed four kilobytes.
+      #   The type of this field is nilable +object+.
+      # locale::
+      #   Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
+      #
+      # Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese (`"pt-br"`); if no value is provided, the copy defaults to English.
+      #
+      # Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")!
+      #
+      #   The type of this field is nilable +ResetRequestLocale+ (string enum).
       #
       # == Returns:
       # An object with the following fields:
@@ -558,17 +578,38 @@ module StytchB2B
       # organization::
       #   The [Organization object](https://stytch.com/docs/b2b/api/organization-object).
       #   The type of this field is +Organization+ (+object+).
+      # session_token::
+      #   A secret token for a given Stytch Session.
+      #   The type of this field is +String+.
+      # session_jwt::
+      #   The JSON Web Token (JWT) for a given Stytch Session.
+      #   The type of this field is +String+.
+      # intermediate_session_token::
+      #   The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session.
+      #     The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete an MFA flow;
+      #     the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token;
+      #     or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member.
+      #   The type of this field is +String+.
+      # member_authenticated::
+      #   Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization.
+      #   The type of this field is +Boolean+.
       # status_code::
       #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
       #   The type of this field is +Integer+.
       # member_session::
       #   The [Session object](https://stytch.com/docs/b2b/api/session-object).
       #   The type of this field is nilable +MemberSession+ (+object+).
+      # mfa_required::
+      #   Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA.
+      #   The type of this field is nilable +MfaRequired+ (+object+).
       def reset(
         organization_id:,
         password:,
         session_token: nil,
-        session_jwt: nil
+        session_jwt: nil,
+        session_duration_minutes: nil,
+        session_custom_claims: nil,
+        locale: nil
       )
         request = {
           organization_id: organization_id,
@@ -576,6 +617,9 @@ module StytchB2B
         }
         request[:session_token] = session_token unless session_token.nil?
         request[:session_jwt] = session_jwt unless session_jwt.nil?
+        request[:session_duration_minutes] = session_duration_minutes unless session_duration_minutes.nil?
+        request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
+        request[:locale] = locale unless locale.nil?
 
         post_request('/v1/b2b/passwords/session/reset', request)
       end

data/lib/stytch/b2b_sessions.rb

@@ -6,14 +6,31 @@
 # or your changes may be overwritten later!
 # !!!
 
+require 'jwt'
+require 'json/jwt'
+require_relative 'errors'
 require_relative 'request_helper'
 
 module StytchB2B
   class Sessions
     include Stytch::RequestHelper
 
-    def initialize(connection)
+    def initialize(connection, project_id)
       @connection = connection
+
+      @project_id = project_id
+      @cache_last_update = 0
+      @jwks_loader = lambda do |options|
+        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
+        @cached_keys ||= begin
+          @cache_last_update = Time.now.to_i
+          keys = []
+          get_jwks(project_id: @project_id)['keys'].each do |r|
+            keys << r
+          end
+          { keys: keys }
+        end
+      end
     end
 
     # Retrieves all active Sessions for a Member.
@@ -290,5 +307,92 @@ module StytchB2B
       request = request_with_query_params("/v1/b2b/sessions/jwks/#{project_id}", query_params)
       get_request(request)
     end
+
+    # MANUAL(Sessions::authenticate_jwt)(SERVICE_METHOD)
+    # ADDIMPORT: require 'jwt'
+    # ADDIMPORT: require 'json/jwt'
+    # ADDIMPORT: require_relative 'errors'
+
+    # Parse a JWT and verify the signature. If max_token_age_seconds is unset, call the API directly
+    # If max_token_age_seconds is set and the JWT was issued (based on the "iat" claim) less than
+    # max_token_age_seconds seconds ago, then just verify locally and don't call the API
+    # To force remote validation for all tokens, set max_token_age_seconds to 0 or call authenticate()
+    def authenticate_jwt(
+      session_jwt,
+      max_token_age_seconds: nil,
+      session_duration_minutes: nil,
+      session_custom_claims: nil
+    )
+      if max_token_age_seconds == 0
+        return authenticate(
+          session_jwt: session_jwt,
+          session_duration_minutes: session_duration_minutes,
+          session_custom_claims: session_custom_claims
+        )
+      end
+
+      decoded_jwt = authenticate_jwt_local(session_jwt)
+      iat_time = Time.at(decoded_jwt['iat']).to_datetime
+      if iat_time + max_token_age_seconds >= Time.now
+        session = marshal_jwt_into_session(decoded_jwt)
+        { 'session' => session }
+      else
+        authenticate(
+          session_jwt: session_jwt,
+          session_duration_minutes: session_duration_minutes,
+          session_custom_claims: session_custom_claims
+        )
+      end
+    rescue StandardError
+      # JWT could not be verified locally. Check with the Stytch API.
+      authenticate(
+        session_jwt: session_jwt,
+        session_duration_minutes: session_duration_minutes,
+        session_custom_claims: session_custom_claims
+      )
+    end
+
+    # Parse a JWT and verify the signature locally (without calling /authenticate in the API)
+    # Uses the cached value to get the JWK but if it is unavailable, it calls the get_jwks()
+    # function to get the JWK
+    # This method never authenticates a JWT directly with the API
+    def authenticate_jwt_local(session_jwt)
+      issuer = 'stytch.com/' + @project_id
+      begin
+        decoded_token = JWT.decode session_jwt, nil, true,
+                                   { jwks: @jwks_loader, iss: issuer, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'] }
+        decoded_token[0]
+      rescue JWT::InvalidIssuerError
+        raise JWTInvalidIssuerError
+      rescue JWT::InvalidAudError
+        raise JWTInvalidAudienceError
+      rescue JWT::ExpiredSignature
+        raise JWTExpiredSignatureError
+      rescue JWT::IncorrectAlgorithm
+        raise JWTIncorrectAlgorithmError
+      end
+    end
+
+    def marshal_jwt_into_session(jwt)
+      stytch_claim = 'https://stytch.com/session'
+      expires_at = jwt[stytch_claim]['expires_at'] || Time.at(jwt['exp']).to_datetime.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
+      # The custom claim set is all the claims in the payload except for the standard claims and
+      # the Stytch session claim. The cleanest way to collect those seems to be naming what we want
+      # to omit and filtering the rest to collect the custom claims.
+      reserved_claims = ['aud', 'exp', 'iat', 'iss', 'jti', 'nbf', 'sub', stytch_claim]
+      custom_claims = jwt.reject { |key, _| reserved_claims.include?(key) }
+      {
+        'session_id' => jwt[stytch_claim]['id'],
+        'user_id' => jwt['sub'],
+        'started_at' => jwt[stytch_claim]['started_at'],
+        'last_accessed_at' => jwt[stytch_claim]['last_accessed_at'],
+        # For JWTs that include it, prefer the inner expires_at claim.
+        'expires_at' => expires_at,
+        'attributes' => jwt[stytch_claim]['attributes'],
+        'authentication_factors' => jwt[stytch_claim]['authentication_factors'],
+        'custom_claims' => custom_claims
+      }
+    end
+    # ENDMANUAL(Sessions::authenticate_jwt)
   end
 end

data/lib/stytch/magic_links.rb

@@ -23,7 +23,11 @@ module Stytch
     #
     # == Parameters:
     # token::
-    #   The token to authenticate.
+    #   The Magic Link `token` from the `?token=` query parameter in the URL.
+    #
+    #       The redirect URL will look like `https://example.com/authenticate?stytch_token_type=magic_links&token=rM_kw42CWBhsHLF62V75jELMbvJ87njMe3tFVj7Qupu7`
+    #
+    #       In the redirect URL, the `stytch_token_type` will be `magic_link`. See [here](https://stytch.com/docs/guides/dashboard/redirect-urls) for more detail.
     #   The type of this field is +String+.
     # attributes::
     #   Provided attributes help with fraud detection.
@@ -167,9 +171,7 @@ module Stytch
       # Send a magic link to an existing Stytch user using their email address. If you'd like to create a user and send them a magic link by email with one request, use our [log in or create endpoint](https://stytch.com/docs/api/log-in-or-create-user-by-email).
       #
       # ### Add an email to an existing user
-      # This endpoint also allows you to add a new email to an existing Stytch User. Including a `user_id`, `session_token`, or `session_jwt` in the request will add the email to the pre-existing Stytch User upon successful authentication.
-      #
-      # Adding a new email to an existing Stytch User requires the user to be present and validate the email via magic link. This requirement is in place to prevent account takeover attacks.
+      # This endpoint also allows you to add a new email address to an existing Stytch User. Including a `user_id`, `session_token`, or `session_jwt` in your Send Magic Link by email request will add the new, unverified email address to the existing Stytch User. If the user successfully authenticates within 5 minutes, the new email address will be marked as verified and remain permanently on the existing Stytch User. Otherwise, it will be removed from the User object, and any subsequent login requests using that email address will create a new User.
       #
       # ### Next steps
       # The user is emailed a magic link which redirects them to the provided [redirect URL](https://stytch.com/docs/guides/magic-links/email-magic-links/redirect-routing). Collect the `token` from the URL query parameters, and call [Authenticate magic link](https://stytch.com/docs/api/authenticate-magic-link) to complete authentication.
@@ -271,7 +273,7 @@ module Stytch
       # Send either a login or signup Magic Link to the User based on if the email is associated with a User already. A new or pending User will receive a signup Magic Link. An active User will receive a login Magic Link. For more information on how to control the status your Users are created in see the `create_user_as_pending` flag.
       #
       # ### Next steps
-      # The User is emailed a Magic Link which redirects them to the provided [redirect URL](https://stytch.com/docs/magic-links#email-magic-links_redirect-routing). Collect the `token` from the URL query parameters and call [Authenticate Magic Link](https://stytch.com/docs/api/authenticate-magic-link) to complete authentication.
+      # The User is emailed a Magic Link which redirects them to the provided [redirect URL](https://stytch.com/docs/guides/magic-links/email-magic-links/redirect-routing). Collect the `token` from the URL query parameters and call [Authenticate Magic Link](https://stytch.com/docs/api/authenticate-magic-link) to complete authentication.
       #
       # == Parameters:
       # email::
@@ -367,7 +369,7 @@ module Stytch
       # Create a User and send an invite Magic Link to the provided `email`. The User will be created with a `pending` status until they click the Magic Link in the invite email.
       #
       # ### Next steps
-      # The User is emailed a Magic Link which redirects them to the provided [redirect URL](https://stytch.com/docs/magic-links#email-magic-links_redirect-routing). Collect the `token` from the URL query parameters and call [Authenticate Magic Link](https://stytch.com/docs/api/authenticate-magic-link) to complete authentication.
+      # The User is emailed a Magic Link which redirects them to the provided [redirect URL](https://stytch.com/docs/guides/magic-links/email-magic-links/redirect-routing). Collect the `token` from the URL query parameters and call [Authenticate Magic Link](https://stytch.com/docs/api/authenticate-magic-link) to complete authentication.
       #
       # == Parameters:
       # email::

data/lib/stytch/oauth.rb

@@ -67,7 +67,11 @@ module Stytch
     #
     # == Parameters:
     # token::
-    #   The token to authenticate.
+    #   The OAuth `token` from the `?token=` query parameter in the URL.
+    #
+    #       The redirect URL will look like `https://example.com/authenticate?stytch_token_type=oauth&token=rM_kw42CWBhsHLF62V75jELMbvJ87njMe3tFVj7Qupu7`
+    #
+    #       In the redirect URL, the `stytch_token_type` will be `oauth`. See [here](https://stytch.com/docs/guides/dashboard/redirect-urls) for more detail.
     #   The type of this field is +String+.
     # session_token::
     #   Reuse an existing session instead of creating a new one. If you provide us with a `session_token`, then we'll update the session represented by this session token with this OAuth factor. If this `session_token` belongs to a different user than the OAuth token, the session_jwt will be ignored. This endpoint will error if both `session_token` and `session_jwt` are provided.

data/lib/stytch/otps.rb

@@ -131,9 +131,7 @@ module Stytch
       #
       # ### Add a phone number to an existing user
       #
-      # This endpoint also allows you to add a new phone number to an existing Stytch User. Including a `user_id`, `session_token`, or `session_jwt` in the request will add the phone number to the pre-existing Stytch User upon successful authentication.
-      #
-      # Adding a new phone number to an existing Stytch User requires the user to be present and validate the phone number via OTP. This requirement is in place to prevent account takeover attacks.
+      # This endpoint also allows you to add a new phone number to an existing Stytch User. Including a `user_id`, `session_token`, or `session_jwt` in your Send one-time passcode by SMS request will add the new, unverified phone number to the existing Stytch User. If the user successfully authenticates within 5 minutes, the new phone number will be marked as verified and remain permanently on the existing Stytch User. Otherwise, it will be removed from the User object, and any subsequent login requests using that phone number will create a new User.
       #
       # ### Next steps
       #
@@ -289,9 +287,7 @@ module Stytch
       #
       # ### Add a phone number to an existing user
       #
-      # This endpoint also allows you to add a new phone number to an existing Stytch User. Including a `user_id`, `session_token`, or `session_jwt` in the request will add the phone number to the pre-existing Stytch User upon successful authentication.
-      #
-      # Adding a new phone number to an existing Stytch User requires the user to be present and validate the phone number via OTP. This requirement is in place to prevent account takeover attacks.
+      # This endpoint also allows you to add a new phone number to an existing Stytch User. Including a `user_id`, `session_token`, or `session_jwt` in your Send one-time passcode by WhatsApp request will add the new, unverified phone number to the existing Stytch User. If the user successfully authenticates within 5 minutes, the new phone number will be marked as verified and remain permanently on the existing Stytch User. Otherwise, it will be removed from the User object, and any subsequent login requests using that phone number will create a new User.
       #
       # ### Next steps
       #
@@ -442,9 +438,7 @@ module Stytch
       # Send a One-Time Passcode (OTP) to a User using their email. If you'd like to create a user and send them a passcode with one request, use our [log in or create endpoint](https://stytch.com/docs/api/log-in-or-create-user-by-email-otp).
       #
       # ### Add an email to an existing user
-      # This endpoint also allows you to add a new email to an existing Stytch User. Including a `user_id`, `session_token`, or `session_jwt` in the request will add the email to the pre-existing Stytch User upon successful authentication.
-      #
-      # Adding a new email to an existing Stytch User requires the User to be present and validate the email via OTP. This requirement is in place to prevent account takeover attacks.
+      # This endpoint also allows you to add a new email address to an existing Stytch User. Including a `user_id`, `session_token`, or `session_jwt` in your Send one-time passcode by email request will add the new, unverified email address to the existing Stytch User. If the user successfully authenticates within 5 minutes, the new email address will be marked as verified and remain permanently on the existing Stytch User. Otherwise, it will be removed from the User object, and any subsequent login requests using that email address will create a new User.
       #
       # ### Next steps
       # Collect the OTP which was delivered to the user. Call [Authenticate OTP](https://stytch.com/docs/api/authenticate-otp) using the OTP `code` along with the `phone_id` found in the response as the `method_id`.

data/lib/stytch/passwords.rb

@@ -419,10 +419,7 @@ module Stytch
           email: email
         }
         request[:reset_password_redirect_url] = reset_password_redirect_url unless reset_password_redirect_url.nil?
-        unless reset_password_expiration_minutes.nil?
-          request[:reset_password_expiration_minutes] =
-            reset_password_expiration_minutes
-        end
+        request[:reset_password_expiration_minutes] = reset_password_expiration_minutes unless reset_password_expiration_minutes.nil?
         request[:code_challenge] = code_challenge unless code_challenge.nil?
         request[:attributes] = attributes unless attributes.nil?
         request[:login_redirect_url] = login_redirect_url unless login_redirect_url.nil?
@@ -436,9 +433,15 @@ module Stytch
       #
       # The provided password needs to meet our password strength requirements, which can be checked in advance with the password strength endpoint. If the token and password are accepted, the password is securely stored for future authentication and the user is authenticated.
       #
+      # Note that a successful password reset by email will revoke all active sessions for the `user_id`.
+      #
       # == Parameters:
       # token::
-      #   The token to authenticate.
+      #   The Passwords `token` from the `?token=` query parameter in the URL.
+      #
+      #       In the redirect URL, the `stytch_token_type` will be `login` or `reset_password`.
+      #
+      #       See examples and read more about redirect URLs [here](https://stytch.com/docs/guides/dashboard/redirect-urls).
       #   The type of this field is +String+.
       # password::
       #   The password of the user
@@ -537,6 +540,8 @@ module Stytch
 
       # Reset the User’s password using their existing password.
       #
+      # Note that a successful password reset via an existing password will revoke all active sessions for the `user_id`.
+      #
       # == Parameters:
       # email::
       #   The email address of the end user.
@@ -628,6 +633,8 @@ module Stytch
 
       # Reset the user’s password using their existing session. The endpoint will error if the session does not have a password, email magic link, or email OTP authentication factor that has been issued within the last 5 minutes. This endpoint requires either a `session_jwt` or `session_token` be included in the request.
       #
+      # Note that a successful password reset via an existing session will revoke all active sessions for the `user_id`, except for the one used during the reset flow.
+      #
       # == Parameters:
       # password::
       #   The password of the user
@@ -638,6 +645,22 @@ module Stytch
       # session_jwt::
       #   The `session_jwt` associated with a User's existing Session.
       #   The type of this field is nilable +String+.
+      # session_duration_minutes::
+      #   Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,
+      #   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of
+      #   five minutes regardless of the underlying session duration, and will need to be refreshed over time.
+      #
+      #   This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
+      #
+      #   If a `session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.
+      #
+      #   If the `session_duration_minutes` parameter is not specified, a Stytch session will not be created.
+      #   The type of this field is nilable +Integer+.
+      # session_custom_claims::
+      #   Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.
+      #
+      #   Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes.
+      #   The type of this field is nilable +object+.
       #
       # == Returns:
       # An object with the following fields:
@@ -650,6 +673,12 @@ module Stytch
       # user::
       #   The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details.
       #   The type of this field is +User+ (+object+).
+      # session_token::
+      #   A secret token for a given Stytch Session.
+      #   The type of this field is +String+.
+      # session_jwt::
+      #   The JSON Web Token (JWT) for a given Stytch Session.
+      #   The type of this field is +String+.
       # status_code::
       #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
       #   The type of this field is +Integer+.
@@ -662,13 +691,17 @@ module Stytch
       def reset(
         password:,
         session_token: nil,
-        session_jwt: nil
+        session_jwt: nil,
+        session_duration_minutes: nil,
+        session_custom_claims: nil
       )
         request = {
           password: password
         }
         request[:session_token] = session_token unless session_token.nil?
         request[:session_jwt] = session_jwt unless session_jwt.nil?
+        request[:session_duration_minutes] = session_duration_minutes unless session_duration_minutes.nil?
+        request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
 
         post_request('/v1/passwords/session/reset', request)
       end

data/lib/stytch/users.rb

@@ -196,7 +196,7 @@ module Stytch
 
     # Update a User's attributes.
     #
-    # **Note:** In order to add a new email address or phone number to an existing User object, pass the new email address or phone number into the respective `/send` endpoint for the authentication method of your choice. If you specify the existing User's `user_id` while calling the `/send` endpoint, the new email address or phone number will be added to the existing User object upon successful authentication. We require this process to guard against an account takeover vulnerability.
+    # **Note:** In order to add a new email address or phone number to an existing User object, pass the new email address or phone number into the respective `/send` endpoint for the authentication method of your choice. If you specify the existing User's `user_id` while calling the `/send` endpoint, the new, unverified email address or phone number will be added to the existing User object. If the user successfully authenticates within 5 minutes of the `/send` request, the new email address or phone number will be marked as verified and remain permanently on the existing Stytch User. Otherwise, it will be removed from the User object, and any subsequent login requests using that phone number will create a new User. We require this process to guard against an account takeover vulnerability.
     #
     # == Parameters:
     # user_id::

data/lib/stytch/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Stytch
-  VERSION = '6.4.0'
+  VERSION = '6.5.1'
 end

data/stytch.gemspec

@@ -30,4 +30,6 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'jwt', '>= 2.3.0'
 
   spec.add_development_dependency 'rspec', '~> 3.11.0'
+  spec.add_development_dependency 'rubocop', '1.56.3'
+  spec.add_development_dependency 'rubocop-rspec', '2.24.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: stytch
 version: !ruby/object:Gem::Version
-  version: 6.4.0
+  version: 6.5.1
 platform: ruby
 authors:
 - stytch
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-08-24 00:00:00.000000000 Z
+date: 2023-10-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -72,6 +72,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 3.11.0
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.56.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.56.3
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.24.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.24.0
 description: 
 email:
 - support@stytch.com
@@ -84,6 +112,7 @@ files:
 - ".github/workflows/ruby.yml"
 - ".gitignore"
 - ".rspec"
+- ".rubocop.yml"
 - ".travis.yml"
 - CODEOWNERS
 - CODE_OF_CONDUCT.md