stytch 6.6.0 → 7.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +1 -1
- data/lib/stytch/b2b_client.rb +9 -3
- data/lib/stytch/b2b_discovery.rb +24 -11
- data/lib/stytch/b2b_magic_links.rb +23 -7
- data/lib/stytch/b2b_oauth.rb +12 -2
- data/lib/stytch/b2b_organizations.rb +259 -40
- data/lib/stytch/b2b_otp.rb +4 -2
- data/lib/stytch/b2b_passwords.rb +34 -8
- data/lib/stytch/b2b_rbac.rb +48 -0
- data/lib/stytch/b2b_sessions.rb +106 -38
- data/lib/stytch/b2b_sso.rb +127 -21
- data/lib/stytch/client.rb +2 -2
- data/lib/stytch/crypto_wallets.rb +4 -2
- data/lib/stytch/errors.rb +14 -0
- data/lib/stytch/m2m.rb +16 -9
- data/lib/stytch/magic_links.rb +12 -6
- data/lib/stytch/method_options.rb +22 -0
- data/lib/stytch/oauth.rb +4 -2
- data/lib/stytch/otps.rb +14 -7
- data/lib/stytch/passwords.rb +16 -8
- data/lib/stytch/rbac_local.rb +58 -0
- data/lib/stytch/request_helper.rb +12 -8
- data/lib/stytch/sessions.rb +24 -11
- data/lib/stytch/totps.rb +8 -4
- data/lib/stytch/users.rb +29 -15
- data/lib/stytch/version.rb +1 -1
- data/lib/stytch/webauthn.rb +39 -24
- metadata +5 -2
data/lib/stytch/otps.rb
CHANGED
|
@@ -101,6 +101,7 @@ module Stytch
|
|
|
101
101
|
session_jwt: nil,
|
|
102
102
|
session_custom_claims: nil
|
|
103
103
|
)
|
|
104
|
+
headers = {}
|
|
104
105
|
request = {
|
|
105
106
|
method_id: method_id,
|
|
106
107
|
code: code
|
|
@@ -112,7 +113,7 @@ module Stytch
|
|
|
112
113
|
request[:session_jwt] = session_jwt unless session_jwt.nil?
|
|
113
114
|
request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
|
|
114
115
|
|
|
115
|
-
post_request('/v1/otps/authenticate', request)
|
|
116
|
+
post_request('/v1/otps/authenticate', request, headers)
|
|
116
117
|
end
|
|
117
118
|
|
|
118
119
|
class Sms
|
|
@@ -190,6 +191,7 @@ module Stytch
|
|
|
190
191
|
session_token: nil,
|
|
191
192
|
session_jwt: nil
|
|
192
193
|
)
|
|
194
|
+
headers = {}
|
|
193
195
|
request = {
|
|
194
196
|
phone_number: phone_number
|
|
195
197
|
}
|
|
@@ -200,7 +202,7 @@ module Stytch
|
|
|
200
202
|
request[:session_token] = session_token unless session_token.nil?
|
|
201
203
|
request[:session_jwt] = session_jwt unless session_jwt.nil?
|
|
202
204
|
|
|
203
|
-
post_request('/v1/otps/sms/send', request)
|
|
205
|
+
post_request('/v1/otps/sms/send', request, headers)
|
|
204
206
|
end
|
|
205
207
|
|
|
206
208
|
# Send a One-Time Passcode (OTP) to a User using their phone number. If the phone number is not associated with a user already, a user will be created.
|
|
@@ -264,6 +266,7 @@ module Stytch
|
|
|
264
266
|
create_user_as_pending: nil,
|
|
265
267
|
locale: nil
|
|
266
268
|
)
|
|
269
|
+
headers = {}
|
|
267
270
|
request = {
|
|
268
271
|
phone_number: phone_number
|
|
269
272
|
}
|
|
@@ -272,7 +275,7 @@ module Stytch
|
|
|
272
275
|
request[:create_user_as_pending] = create_user_as_pending unless create_user_as_pending.nil?
|
|
273
276
|
request[:locale] = locale unless locale.nil?
|
|
274
277
|
|
|
275
|
-
post_request('/v1/otps/sms/login_or_create', request)
|
|
278
|
+
post_request('/v1/otps/sms/login_or_create', request, headers)
|
|
276
279
|
end
|
|
277
280
|
end
|
|
278
281
|
|
|
@@ -349,6 +352,7 @@ module Stytch
|
|
|
349
352
|
session_token: nil,
|
|
350
353
|
session_jwt: nil
|
|
351
354
|
)
|
|
355
|
+
headers = {}
|
|
352
356
|
request = {
|
|
353
357
|
phone_number: phone_number
|
|
354
358
|
}
|
|
@@ -359,7 +363,7 @@ module Stytch
|
|
|
359
363
|
request[:session_token] = session_token unless session_token.nil?
|
|
360
364
|
request[:session_jwt] = session_jwt unless session_jwt.nil?
|
|
361
365
|
|
|
362
|
-
post_request('/v1/otps/whatsapp/send', request)
|
|
366
|
+
post_request('/v1/otps/whatsapp/send', request, headers)
|
|
363
367
|
end
|
|
364
368
|
|
|
365
369
|
# Send a one-time passcode (OTP) to a User's WhatsApp using their phone number. If the phone number is not associated with a User already, a User will be created.
|
|
@@ -421,6 +425,7 @@ module Stytch
|
|
|
421
425
|
create_user_as_pending: nil,
|
|
422
426
|
locale: nil
|
|
423
427
|
)
|
|
428
|
+
headers = {}
|
|
424
429
|
request = {
|
|
425
430
|
phone_number: phone_number
|
|
426
431
|
}
|
|
@@ -429,7 +434,7 @@ module Stytch
|
|
|
429
434
|
request[:create_user_as_pending] = create_user_as_pending unless create_user_as_pending.nil?
|
|
430
435
|
request[:locale] = locale unless locale.nil?
|
|
431
436
|
|
|
432
|
-
post_request('/v1/otps/whatsapp/login_or_create', request)
|
|
437
|
+
post_request('/v1/otps/whatsapp/login_or_create', request, headers)
|
|
433
438
|
end
|
|
434
439
|
end
|
|
435
440
|
|
|
@@ -507,6 +512,7 @@ module Stytch
|
|
|
507
512
|
login_template_id: nil,
|
|
508
513
|
signup_template_id: nil
|
|
509
514
|
)
|
|
515
|
+
headers = {}
|
|
510
516
|
request = {
|
|
511
517
|
email: email
|
|
512
518
|
}
|
|
@@ -519,7 +525,7 @@ module Stytch
|
|
|
519
525
|
request[:login_template_id] = login_template_id unless login_template_id.nil?
|
|
520
526
|
request[:signup_template_id] = signup_template_id unless signup_template_id.nil?
|
|
521
527
|
|
|
522
|
-
post_request('/v1/otps/email/send', request)
|
|
528
|
+
post_request('/v1/otps/email/send', request, headers)
|
|
523
529
|
end
|
|
524
530
|
|
|
525
531
|
# Send a one-time passcode (OTP) to a User using their email. If the email is not associated with a User already, a User will be created.
|
|
@@ -586,6 +592,7 @@ module Stytch
|
|
|
586
592
|
login_template_id: nil,
|
|
587
593
|
signup_template_id: nil
|
|
588
594
|
)
|
|
595
|
+
headers = {}
|
|
589
596
|
request = {
|
|
590
597
|
email: email
|
|
591
598
|
}
|
|
@@ -596,7 +603,7 @@ module Stytch
|
|
|
596
603
|
request[:login_template_id] = login_template_id unless login_template_id.nil?
|
|
597
604
|
request[:signup_template_id] = signup_template_id unless signup_template_id.nil?
|
|
598
605
|
|
|
599
|
-
post_request('/v1/otps/email/login_or_create', request)
|
|
606
|
+
post_request('/v1/otps/email/login_or_create', request, headers)
|
|
600
607
|
end
|
|
601
608
|
end
|
|
602
609
|
end
|
data/lib/stytch/passwords.rb
CHANGED
|
@@ -100,6 +100,7 @@ module Stytch
|
|
|
100
100
|
untrusted_metadata: nil,
|
|
101
101
|
name: nil
|
|
102
102
|
)
|
|
103
|
+
headers = {}
|
|
103
104
|
request = {
|
|
104
105
|
email: email,
|
|
105
106
|
password: password
|
|
@@ -110,7 +111,7 @@ module Stytch
|
|
|
110
111
|
request[:untrusted_metadata] = untrusted_metadata unless untrusted_metadata.nil?
|
|
111
112
|
request[:name] = name unless name.nil?
|
|
112
113
|
|
|
113
|
-
post_request('/v1/passwords', request)
|
|
114
|
+
post_request('/v1/passwords', request, headers)
|
|
114
115
|
end
|
|
115
116
|
|
|
116
117
|
# Authenticate a user with their email address and password. This endpoint verifies that the user has a password currently set, and that the entered password is correct. There are two instances where the endpoint will return a `reset_password` error even if they enter their previous password:
|
|
@@ -185,6 +186,7 @@ module Stytch
|
|
|
185
186
|
session_jwt: nil,
|
|
186
187
|
session_custom_claims: nil
|
|
187
188
|
)
|
|
189
|
+
headers = {}
|
|
188
190
|
request = {
|
|
189
191
|
email: email,
|
|
190
192
|
password: password
|
|
@@ -194,7 +196,7 @@ module Stytch
|
|
|
194
196
|
request[:session_jwt] = session_jwt unless session_jwt.nil?
|
|
195
197
|
request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
|
|
196
198
|
|
|
197
|
-
post_request('/v1/passwords/authenticate', request)
|
|
199
|
+
post_request('/v1/passwords/authenticate', request, headers)
|
|
198
200
|
end
|
|
199
201
|
|
|
200
202
|
# This API allows you to check whether or not the user’s provided password is valid, and to provide feedback to the user on how to increase the strength of their password.
|
|
@@ -248,12 +250,13 @@ module Stytch
|
|
|
248
250
|
password:,
|
|
249
251
|
email: nil
|
|
250
252
|
)
|
|
253
|
+
headers = {}
|
|
251
254
|
request = {
|
|
252
255
|
password: password
|
|
253
256
|
}
|
|
254
257
|
request[:email] = email unless email.nil?
|
|
255
258
|
|
|
256
|
-
post_request('/v1/passwords/strength_check', request)
|
|
259
|
+
post_request('/v1/passwords/strength_check', request, headers)
|
|
257
260
|
end
|
|
258
261
|
|
|
259
262
|
# Adds an existing password to a User's email that doesn't have a password yet. We support migrating users from passwords stored with `bcrypt`, `scrypt`, `argon2`, `MD-5`, `SHA-1`, or `PBKDF2`. This endpoint has a rate limit of 100 requests per second.
|
|
@@ -326,6 +329,7 @@ module Stytch
|
|
|
326
329
|
untrusted_metadata: nil,
|
|
327
330
|
name: nil
|
|
328
331
|
)
|
|
332
|
+
headers = {}
|
|
329
333
|
request = {
|
|
330
334
|
email: email,
|
|
331
335
|
hash: hash,
|
|
@@ -340,7 +344,7 @@ module Stytch
|
|
|
340
344
|
request[:untrusted_metadata] = untrusted_metadata unless untrusted_metadata.nil?
|
|
341
345
|
request[:name] = name unless name.nil?
|
|
342
346
|
|
|
343
|
-
post_request('/v1/passwords/migrate', request)
|
|
347
|
+
post_request('/v1/passwords/migrate', request, headers)
|
|
344
348
|
end
|
|
345
349
|
|
|
346
350
|
class Email
|
|
@@ -415,6 +419,7 @@ module Stytch
|
|
|
415
419
|
locale: nil,
|
|
416
420
|
reset_password_template_id: nil
|
|
417
421
|
)
|
|
422
|
+
headers = {}
|
|
418
423
|
request = {
|
|
419
424
|
email: email
|
|
420
425
|
}
|
|
@@ -426,7 +431,7 @@ module Stytch
|
|
|
426
431
|
request[:locale] = locale unless locale.nil?
|
|
427
432
|
request[:reset_password_template_id] = reset_password_template_id unless reset_password_template_id.nil?
|
|
428
433
|
|
|
429
|
-
post_request('/v1/passwords/email/reset/start', request)
|
|
434
|
+
post_request('/v1/passwords/email/reset/start', request, headers)
|
|
430
435
|
end
|
|
431
436
|
|
|
432
437
|
# Reset the user’s password and authenticate them. This endpoint checks that the magic link `token` is valid, hasn’t expired, or already been used – and can optionally require additional security settings, such as the IP address and user agent matching the initial reset request.
|
|
@@ -515,6 +520,7 @@ module Stytch
|
|
|
515
520
|
attributes: nil,
|
|
516
521
|
options: nil
|
|
517
522
|
)
|
|
523
|
+
headers = {}
|
|
518
524
|
request = {
|
|
519
525
|
token: token,
|
|
520
526
|
password: password
|
|
@@ -527,7 +533,7 @@ module Stytch
|
|
|
527
533
|
request[:attributes] = attributes unless attributes.nil?
|
|
528
534
|
request[:options] = options unless options.nil?
|
|
529
535
|
|
|
530
|
-
post_request('/v1/passwords/email/reset', request)
|
|
536
|
+
post_request('/v1/passwords/email/reset', request, headers)
|
|
531
537
|
end
|
|
532
538
|
end
|
|
533
539
|
|
|
@@ -610,6 +616,7 @@ module Stytch
|
|
|
610
616
|
session_jwt: nil,
|
|
611
617
|
session_custom_claims: nil
|
|
612
618
|
)
|
|
619
|
+
headers = {}
|
|
613
620
|
request = {
|
|
614
621
|
email: email,
|
|
615
622
|
existing_password: existing_password,
|
|
@@ -620,7 +627,7 @@ module Stytch
|
|
|
620
627
|
request[:session_jwt] = session_jwt unless session_jwt.nil?
|
|
621
628
|
request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
|
|
622
629
|
|
|
623
|
-
post_request('/v1/passwords/existing_password/reset', request)
|
|
630
|
+
post_request('/v1/passwords/existing_password/reset', request, headers)
|
|
624
631
|
end
|
|
625
632
|
end
|
|
626
633
|
|
|
@@ -695,6 +702,7 @@ module Stytch
|
|
|
695
702
|
session_duration_minutes: nil,
|
|
696
703
|
session_custom_claims: nil
|
|
697
704
|
)
|
|
705
|
+
headers = {}
|
|
698
706
|
request = {
|
|
699
707
|
password: password
|
|
700
708
|
}
|
|
@@ -703,7 +711,7 @@ module Stytch
|
|
|
703
711
|
request[:session_duration_minutes] = session_duration_minutes unless session_duration_minutes.nil?
|
|
704
712
|
request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
|
|
705
713
|
|
|
706
|
-
post_request('/v1/passwords/session/reset', request)
|
|
714
|
+
post_request('/v1/passwords/session/reset', request, headers)
|
|
707
715
|
end
|
|
708
716
|
end
|
|
709
717
|
end
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require_relative 'errors'
|
|
4
|
+
require_relative 'request_helper'
|
|
5
|
+
|
|
6
|
+
module StytchB2B
|
|
7
|
+
class PolicyCache
|
|
8
|
+
def initialize(rbac_client:)
|
|
9
|
+
@rbac_client = rbac_client
|
|
10
|
+
@policy_last_update = 0
|
|
11
|
+
@cached_policy = nil
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def reload_policy
|
|
15
|
+
@cached_policy = @rbac_client.policy['policy']
|
|
16
|
+
@policy_last_update = Time.now.to_i
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def get_policy(invalidate: false)
|
|
20
|
+
reload_policy if invalidate || @cached_policy.nil? || @policy_last_update < Time.now.to_i - 300
|
|
21
|
+
@cached_policy
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
# Performs an authorization check against the project's policy and a set of roles. If the
|
|
25
|
+
# check succeeds, this method will return. If the check fails, a PermissionError
|
|
26
|
+
# will be raised. It's also possible for a TenancyError to be raised if the
|
|
27
|
+
# subject_org_id does not match the authZ request organization_id.
|
|
28
|
+
# authorization_check is an object with keys 'action', 'resource_id', and 'organization_id'
|
|
29
|
+
def perform_authorization_check(
|
|
30
|
+
subject_roles:,
|
|
31
|
+
subject_org_id:,
|
|
32
|
+
authorization_check:
|
|
33
|
+
)
|
|
34
|
+
request_org_id = authorization_check['organization_id']
|
|
35
|
+
raise Stytch::TenancyError.new(subject_org_id, request_org_id) if request_org_id != subject_org_id
|
|
36
|
+
|
|
37
|
+
policy = get_policy
|
|
38
|
+
|
|
39
|
+
for role in policy['roles']
|
|
40
|
+
next unless subject_roles.include?(role['role_id'])
|
|
41
|
+
|
|
42
|
+
for permission in role['permissions']
|
|
43
|
+
actions = permission['actions']
|
|
44
|
+
resource = permission['resource_id']
|
|
45
|
+
has_matching_action = actions.include?('*') || actions.include?(authorization_check['action'])
|
|
46
|
+
has_matching_resource = resource == authorization_check['resource_id']
|
|
47
|
+
if has_matching_action && has_matching_resource
|
|
48
|
+
# All good
|
|
49
|
+
return
|
|
50
|
+
end
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
# If we get here, we didn't find a matching permission
|
|
55
|
+
raise Stytch::PermissionError, authorization_check
|
|
56
|
+
end
|
|
57
|
+
end
|
|
58
|
+
end
|
|
@@ -2,29 +2,33 @@
|
|
|
2
2
|
|
|
3
3
|
module Stytch
|
|
4
4
|
module RequestHelper
|
|
5
|
-
def get_request(path)
|
|
5
|
+
def get_request(path, headers)
|
|
6
6
|
@connection.get(
|
|
7
|
-
path
|
|
7
|
+
path,
|
|
8
|
+
headers
|
|
8
9
|
).body
|
|
9
10
|
end
|
|
10
11
|
|
|
11
|
-
def post_request(path, payload)
|
|
12
|
+
def post_request(path, payload, headers)
|
|
12
13
|
@connection.post(
|
|
13
14
|
path,
|
|
14
|
-
payload
|
|
15
|
+
payload,
|
|
16
|
+
headers
|
|
15
17
|
).body
|
|
16
18
|
end
|
|
17
19
|
|
|
18
|
-
def put_request(path, payload)
|
|
20
|
+
def put_request(path, payload, headers)
|
|
19
21
|
@connection.put(
|
|
20
22
|
path,
|
|
21
|
-
payload
|
|
23
|
+
payload,
|
|
24
|
+
headers
|
|
22
25
|
).body
|
|
23
26
|
end
|
|
24
27
|
|
|
25
|
-
def delete_request(path)
|
|
28
|
+
def delete_request(path, headers)
|
|
26
29
|
@connection.delete(
|
|
27
|
-
path
|
|
30
|
+
path,
|
|
31
|
+
headers
|
|
28
32
|
).body
|
|
29
33
|
end
|
|
30
34
|
|
data/lib/stytch/sessions.rb
CHANGED
|
@@ -54,11 +54,12 @@ module Stytch
|
|
|
54
54
|
def get(
|
|
55
55
|
user_id:
|
|
56
56
|
)
|
|
57
|
+
headers = {}
|
|
57
58
|
query_params = {
|
|
58
59
|
user_id: user_id
|
|
59
60
|
}
|
|
60
61
|
request = request_with_query_params('/v1/sessions', query_params)
|
|
61
|
-
get_request(request)
|
|
62
|
+
get_request(request, headers)
|
|
62
63
|
end
|
|
63
64
|
|
|
64
65
|
# Authenticate a session token and retrieve associated session data. If `session_duration_minutes` is included, update the lifetime of the session to be that many minutes from now. All timestamps are formatted according to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`. This endpoint requires exactly one `session_jwt` or `session_token` as part of the request. If both are included you will receive a `too_many_session_arguments` error.
|
|
@@ -108,13 +109,14 @@ module Stytch
|
|
|
108
109
|
session_jwt: nil,
|
|
109
110
|
session_custom_claims: nil
|
|
110
111
|
)
|
|
112
|
+
headers = {}
|
|
111
113
|
request = {}
|
|
112
114
|
request[:session_token] = session_token unless session_token.nil?
|
|
113
115
|
request[:session_duration_minutes] = session_duration_minutes unless session_duration_minutes.nil?
|
|
114
116
|
request[:session_jwt] = session_jwt unless session_jwt.nil?
|
|
115
117
|
request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
|
|
116
118
|
|
|
117
|
-
post_request('/v1/sessions/authenticate', request)
|
|
119
|
+
post_request('/v1/sessions/authenticate', request, headers)
|
|
118
120
|
end
|
|
119
121
|
|
|
120
122
|
# Revoke a Session, immediately invalidating all of its session tokens. You can revoke a session in three ways: using its ID, or using one of its session tokens, or one of its JWTs. This endpoint requires exactly one of those to be included in the request. It will return an error if multiple are present.
|
|
@@ -143,12 +145,13 @@ module Stytch
|
|
|
143
145
|
session_token: nil,
|
|
144
146
|
session_jwt: nil
|
|
145
147
|
)
|
|
148
|
+
headers = {}
|
|
146
149
|
request = {}
|
|
147
150
|
request[:session_id] = session_id unless session_id.nil?
|
|
148
151
|
request[:session_token] = session_token unless session_token.nil?
|
|
149
152
|
request[:session_jwt] = session_jwt unless session_jwt.nil?
|
|
150
153
|
|
|
151
|
-
post_request('/v1/sessions/revoke', request)
|
|
154
|
+
post_request('/v1/sessions/revoke', request, headers)
|
|
152
155
|
end
|
|
153
156
|
|
|
154
157
|
# Get the JSON Web Key Set (JWKS) for a project.
|
|
@@ -180,9 +183,10 @@ module Stytch
|
|
|
180
183
|
def get_jwks(
|
|
181
184
|
project_id:
|
|
182
185
|
)
|
|
186
|
+
headers = {}
|
|
183
187
|
query_params = {}
|
|
184
188
|
request = request_with_query_params("/v1/sessions/jwks/#{project_id}", query_params)
|
|
185
|
-
get_request(request)
|
|
189
|
+
get_request(request, headers)
|
|
186
190
|
end
|
|
187
191
|
|
|
188
192
|
# MANUAL(Sessions::authenticate_jwt)(SERVICE_METHOD)
|
|
@@ -194,12 +198,15 @@ module Stytch
|
|
|
194
198
|
# If max_token_age_seconds is set and the JWT was issued (based on the "iat" claim) less than
|
|
195
199
|
# max_token_age_seconds seconds ago, then just verify locally and don't call the API
|
|
196
200
|
# To force remote validation for all tokens, set max_token_age_seconds to 0 or call authenticate()
|
|
201
|
+
# If max_token_age_seconds is not supplied 300 seconds will be used as the default.
|
|
197
202
|
def authenticate_jwt(
|
|
198
203
|
session_jwt,
|
|
199
204
|
max_token_age_seconds: nil,
|
|
200
205
|
session_duration_minutes: nil,
|
|
201
206
|
session_custom_claims: nil
|
|
202
207
|
)
|
|
208
|
+
max_token_age_seconds = 300 if max_token_age_seconds.nil?
|
|
209
|
+
|
|
203
210
|
if max_token_age_seconds == 0
|
|
204
211
|
return authenticate(
|
|
205
212
|
session_jwt: session_jwt,
|
|
@@ -208,10 +215,8 @@ module Stytch
|
|
|
208
215
|
)
|
|
209
216
|
end
|
|
210
217
|
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
if iat_time + max_token_age_seconds >= Time.now
|
|
214
|
-
session = marshal_jwt_into_session(decoded_jwt)
|
|
218
|
+
session = authenticate_jwt_local(session_jwt)
|
|
219
|
+
if !session.nil?
|
|
215
220
|
{ 'session' => session }
|
|
216
221
|
else
|
|
217
222
|
authenticate(
|
|
@@ -232,13 +237,19 @@ module Stytch
|
|
|
232
237
|
# Parse a JWT and verify the signature locally (without calling /authenticate in the API)
|
|
233
238
|
# Uses the cached value to get the JWK but if it is unavailable, it calls the get_jwks()
|
|
234
239
|
# function to get the JWK
|
|
235
|
-
#
|
|
236
|
-
def authenticate_jwt_local(session_jwt)
|
|
240
|
+
# If max_token_age_seconds is not supplied 300 seconds will be used as the default.
|
|
241
|
+
def authenticate_jwt_local(session_jwt, max_token_age_seconds: nil)
|
|
242
|
+
max_token_age_seconds = 300 if max_token_age_seconds.nil?
|
|
243
|
+
|
|
237
244
|
issuer = 'stytch.com/' + @project_id
|
|
238
245
|
begin
|
|
239
246
|
decoded_token = JWT.decode session_jwt, nil, true,
|
|
240
247
|
{ jwks: @jwks_loader, iss: issuer, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'] }
|
|
241
|
-
decoded_token[0]
|
|
248
|
+
session = decoded_token[0]
|
|
249
|
+
iat_time = Time.at(session['iat']).to_datetime
|
|
250
|
+
return nil unless iat_time + max_token_age_seconds >= Time.now
|
|
251
|
+
|
|
252
|
+
session = marshal_jwt_into_session(session)
|
|
242
253
|
rescue JWT::InvalidIssuerError
|
|
243
254
|
raise JWTInvalidIssuerError
|
|
244
255
|
rescue JWT::InvalidAudError
|
|
@@ -248,6 +259,8 @@ module Stytch
|
|
|
248
259
|
rescue JWT::IncorrectAlgorithm
|
|
249
260
|
raise JWTIncorrectAlgorithmError
|
|
250
261
|
end
|
|
262
|
+
|
|
263
|
+
session
|
|
251
264
|
end
|
|
252
265
|
|
|
253
266
|
def marshal_jwt_into_session(jwt)
|
data/lib/stytch/totps.rb
CHANGED
|
@@ -56,12 +56,13 @@ module Stytch
|
|
|
56
56
|
user_id:,
|
|
57
57
|
expiration_minutes: nil
|
|
58
58
|
)
|
|
59
|
+
headers = {}
|
|
59
60
|
request = {
|
|
60
61
|
user_id: user_id
|
|
61
62
|
}
|
|
62
63
|
request[:expiration_minutes] = expiration_minutes unless expiration_minutes.nil?
|
|
63
64
|
|
|
64
|
-
post_request('/v1/totps', request)
|
|
65
|
+
post_request('/v1/totps', request, headers)
|
|
65
66
|
end
|
|
66
67
|
|
|
67
68
|
# Authenticate a TOTP code entered by a user.
|
|
@@ -133,6 +134,7 @@ module Stytch
|
|
|
133
134
|
session_jwt: nil,
|
|
134
135
|
session_custom_claims: nil
|
|
135
136
|
)
|
|
137
|
+
headers = {}
|
|
136
138
|
request = {
|
|
137
139
|
user_id: user_id,
|
|
138
140
|
totp_code: totp_code
|
|
@@ -142,7 +144,7 @@ module Stytch
|
|
|
142
144
|
request[:session_jwt] = session_jwt unless session_jwt.nil?
|
|
143
145
|
request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
|
|
144
146
|
|
|
145
|
-
post_request('/v1/totps/authenticate', request)
|
|
147
|
+
post_request('/v1/totps/authenticate', request, headers)
|
|
146
148
|
end
|
|
147
149
|
|
|
148
150
|
# Retrieve the recovery codes for a TOTP instance tied to a User.
|
|
@@ -169,11 +171,12 @@ module Stytch
|
|
|
169
171
|
def recovery_codes(
|
|
170
172
|
user_id:
|
|
171
173
|
)
|
|
174
|
+
headers = {}
|
|
172
175
|
request = {
|
|
173
176
|
user_id: user_id
|
|
174
177
|
}
|
|
175
178
|
|
|
176
|
-
post_request('/v1/totps/recovery_codes', request)
|
|
179
|
+
post_request('/v1/totps/recovery_codes', request, headers)
|
|
177
180
|
end
|
|
178
181
|
|
|
179
182
|
# Authenticate a recovery code for a TOTP instance.
|
|
@@ -245,6 +248,7 @@ module Stytch
|
|
|
245
248
|
session_jwt: nil,
|
|
246
249
|
session_custom_claims: nil
|
|
247
250
|
)
|
|
251
|
+
headers = {}
|
|
248
252
|
request = {
|
|
249
253
|
user_id: user_id,
|
|
250
254
|
recovery_code: recovery_code
|
|
@@ -254,7 +258,7 @@ module Stytch
|
|
|
254
258
|
request[:session_jwt] = session_jwt unless session_jwt.nil?
|
|
255
259
|
request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
|
|
256
260
|
|
|
257
|
-
post_request('/v1/totps/recover', request)
|
|
261
|
+
post_request('/v1/totps/recover', request, headers)
|
|
258
262
|
end
|
|
259
263
|
end
|
|
260
264
|
end
|
data/lib/stytch/users.rb
CHANGED
|
@@ -77,6 +77,7 @@ module Stytch
|
|
|
77
77
|
trusted_metadata: nil,
|
|
78
78
|
untrusted_metadata: nil
|
|
79
79
|
)
|
|
80
|
+
headers = {}
|
|
80
81
|
request = {}
|
|
81
82
|
request[:email] = email unless email.nil?
|
|
82
83
|
request[:name] = name unless name.nil?
|
|
@@ -86,7 +87,7 @@ module Stytch
|
|
|
86
87
|
request[:trusted_metadata] = trusted_metadata unless trusted_metadata.nil?
|
|
87
88
|
request[:untrusted_metadata] = untrusted_metadata unless untrusted_metadata.nil?
|
|
88
89
|
|
|
89
|
-
post_request('/v1/users', request)
|
|
90
|
+
post_request('/v1/users', request, headers)
|
|
90
91
|
end
|
|
91
92
|
|
|
92
93
|
# Get information about a specific User.
|
|
@@ -114,7 +115,7 @@ module Stytch
|
|
|
114
115
|
# An array of phone number objects linked to the User.
|
|
115
116
|
# The type of this field is list of +PhoneNumber+ (+object+).
|
|
116
117
|
# webauthn_registrations::
|
|
117
|
-
# An array that contains a list of all WebAuthn registrations for a given User in the Stytch API.
|
|
118
|
+
# An array that contains a list of all Passkey or WebAuthn registrations for a given User in the Stytch API.
|
|
118
119
|
# The type of this field is list of +WebAuthnRegistration+ (+object+).
|
|
119
120
|
# providers::
|
|
120
121
|
# An array of OAuth `provider` objects linked to the User.
|
|
@@ -149,9 +150,10 @@ module Stytch
|
|
|
149
150
|
def get(
|
|
150
151
|
user_id:
|
|
151
152
|
)
|
|
153
|
+
headers = {}
|
|
152
154
|
query_params = {}
|
|
153
155
|
request = request_with_query_params("/v1/users/#{user_id}", query_params)
|
|
154
|
-
get_request(request)
|
|
156
|
+
get_request(request, headers)
|
|
155
157
|
end
|
|
156
158
|
|
|
157
159
|
# Search for Users within your Stytch Project. Submit an empty `query` in the request to return all Users.
|
|
@@ -186,12 +188,13 @@ module Stytch
|
|
|
186
188
|
limit: nil,
|
|
187
189
|
query: nil
|
|
188
190
|
)
|
|
191
|
+
headers = {}
|
|
189
192
|
request = {}
|
|
190
193
|
request[:cursor] = cursor unless cursor.nil?
|
|
191
194
|
request[:limit] = limit unless limit.nil?
|
|
192
195
|
request[:query] = query unless query.nil?
|
|
193
196
|
|
|
194
|
-
post_request('/v1/users/search', request)
|
|
197
|
+
post_request('/v1/users/search', request, headers)
|
|
195
198
|
end
|
|
196
199
|
|
|
197
200
|
# Update a User's attributes.
|
|
@@ -245,13 +248,14 @@ module Stytch
|
|
|
245
248
|
trusted_metadata: nil,
|
|
246
249
|
untrusted_metadata: nil
|
|
247
250
|
)
|
|
251
|
+
headers = {}
|
|
248
252
|
request = {}
|
|
249
253
|
request[:name] = name unless name.nil?
|
|
250
254
|
request[:attributes] = attributes unless attributes.nil?
|
|
251
255
|
request[:trusted_metadata] = trusted_metadata unless trusted_metadata.nil?
|
|
252
256
|
request[:untrusted_metadata] = untrusted_metadata unless untrusted_metadata.nil?
|
|
253
257
|
|
|
254
|
-
put_request("/v1/users/#{user_id}", request)
|
|
258
|
+
put_request("/v1/users/#{user_id}", request, headers)
|
|
255
259
|
end
|
|
256
260
|
|
|
257
261
|
# Exchange a user's email address or phone number for another.
|
|
@@ -292,11 +296,12 @@ module Stytch
|
|
|
292
296
|
email_address: nil,
|
|
293
297
|
phone_number: nil
|
|
294
298
|
)
|
|
299
|
+
headers = {}
|
|
295
300
|
request = {}
|
|
296
301
|
request[:email_address] = email_address unless email_address.nil?
|
|
297
302
|
request[:phone_number] = phone_number unless phone_number.nil?
|
|
298
303
|
|
|
299
|
-
put_request("/v1/users/#{user_id}/exchange_primary_factor", request)
|
|
304
|
+
put_request("/v1/users/#{user_id}/exchange_primary_factor", request, headers)
|
|
300
305
|
end
|
|
301
306
|
|
|
302
307
|
# Delete a User from Stytch.
|
|
@@ -320,7 +325,8 @@ module Stytch
|
|
|
320
325
|
def delete(
|
|
321
326
|
user_id:
|
|
322
327
|
)
|
|
323
|
-
|
|
328
|
+
headers = {}
|
|
329
|
+
delete_request("/v1/users/#{user_id}", headers)
|
|
324
330
|
end
|
|
325
331
|
|
|
326
332
|
# Delete an email from a User.
|
|
@@ -347,7 +353,8 @@ module Stytch
|
|
|
347
353
|
def delete_email(
|
|
348
354
|
email_id:
|
|
349
355
|
)
|
|
350
|
-
|
|
356
|
+
headers = {}
|
|
357
|
+
delete_request("/v1/users/emails/#{email_id}", headers)
|
|
351
358
|
end
|
|
352
359
|
|
|
353
360
|
# Delete a phone number from a User.
|
|
@@ -374,7 +381,8 @@ module Stytch
|
|
|
374
381
|
def delete_phone_number(
|
|
375
382
|
phone_id:
|
|
376
383
|
)
|
|
377
|
-
|
|
384
|
+
headers = {}
|
|
385
|
+
delete_request("/v1/users/phone_numbers/#{phone_id}", headers)
|
|
378
386
|
end
|
|
379
387
|
|
|
380
388
|
# Delete a WebAuthn registration from a User.
|
|
@@ -401,7 +409,8 @@ module Stytch
|
|
|
401
409
|
def delete_webauthn_registration(
|
|
402
410
|
webauthn_registration_id:
|
|
403
411
|
)
|
|
404
|
-
|
|
412
|
+
headers = {}
|
|
413
|
+
delete_request("/v1/users/webauthn_registrations/#{webauthn_registration_id}", headers)
|
|
405
414
|
end
|
|
406
415
|
|
|
407
416
|
# Delete a biometric registration from a User.
|
|
@@ -428,7 +437,8 @@ module Stytch
|
|
|
428
437
|
def delete_biometric_registration(
|
|
429
438
|
biometric_registration_id:
|
|
430
439
|
)
|
|
431
|
-
|
|
440
|
+
headers = {}
|
|
441
|
+
delete_request("/v1/users/biometric_registrations/#{biometric_registration_id}", headers)
|
|
432
442
|
end
|
|
433
443
|
|
|
434
444
|
# Delete a TOTP from a User.
|
|
@@ -455,7 +465,8 @@ module Stytch
|
|
|
455
465
|
def delete_totp(
|
|
456
466
|
totp_id:
|
|
457
467
|
)
|
|
458
|
-
|
|
468
|
+
headers = {}
|
|
469
|
+
delete_request("/v1/users/totps/#{totp_id}", headers)
|
|
459
470
|
end
|
|
460
471
|
|
|
461
472
|
# Delete a crypto wallet from a User.
|
|
@@ -482,7 +493,8 @@ module Stytch
|
|
|
482
493
|
def delete_crypto_wallet(
|
|
483
494
|
crypto_wallet_id:
|
|
484
495
|
)
|
|
485
|
-
|
|
496
|
+
headers = {}
|
|
497
|
+
delete_request("/v1/users/crypto_wallets/#{crypto_wallet_id}", headers)
|
|
486
498
|
end
|
|
487
499
|
|
|
488
500
|
# Delete a password from a User.
|
|
@@ -509,7 +521,8 @@ module Stytch
|
|
|
509
521
|
def delete_password(
|
|
510
522
|
password_id:
|
|
511
523
|
)
|
|
512
|
-
|
|
524
|
+
headers = {}
|
|
525
|
+
delete_request("/v1/users/passwords/#{password_id}", headers)
|
|
513
526
|
end
|
|
514
527
|
|
|
515
528
|
# Delete an OAuth registration from a User.
|
|
@@ -536,7 +549,8 @@ module Stytch
|
|
|
536
549
|
def delete_oauth_registration(
|
|
537
550
|
oauth_user_registration_id:
|
|
538
551
|
)
|
|
539
|
-
|
|
552
|
+
headers = {}
|
|
553
|
+
delete_request("/v1/users/oauth/#{oauth_user_registration_id}", headers)
|
|
540
554
|
end
|
|
541
555
|
end
|
|
542
556
|
end
|