workos 1.3.0 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 82fc158535f666670ec2f6f71edd889c24be6a3c9488ffad6c4822f45b9f6ece
-  data.tar.gz: d613fb8b9284124c6720c5f95320a205a1e061291a353befa629a0ee1f74151b
+  metadata.gz: dd493c247c202074fa3d93d6f4db6f1cb4cffb19b63f140eeb37a3236255be1a
+  data.tar.gz: a266a358383a5242299a2df002b04486d6ef1203f0d3448736b6d5904d657643
 SHA512:
-  metadata.gz: da3e7172612b651a5fd36854deaa480c1bb27032fae2d202bf16eefbfb3914659caa5ce47b1ea8cdac8d8c6cb4995497843ff48f800d870da52ad32f20427323
-  data.tar.gz: ab046cdf757eb36e1711c34a56764bfa74265888c605d40a681e75e6184290198cf8249212e6ae316016e72107f7a34f9135330380ac24394c731cc934f0795b
+  metadata.gz: d05f397238b7e94d6f8e7e513523de96c87da44042c65638dbe8ce947076b5383f38491997a887a30e05a0c47e4193178dd39f0e4c62b5f14ebb1fcfb40b3299
+  data.tar.gz: 28158f92efaff774bbfaaf02e9be76552dd94bfebb996515824e278faf4011b4996846990074e30694f4306ba26c2cb76440294a020e5832b8bf25c3c504ccb3

data/.rubocop.yml

@@ -9,7 +9,7 @@ Layout/LineLength:
     - 'VCR\.use_cassette'
     - '(\A|\s)/.*?/'
 Metrics/BlockLength:
-  ExcludedMethods: ['describe', 'context']
+  ExcludedMethods: ['describe', 'context', 'before']
 Metrics/MethodLength:
   Max: 15
 Metrics/ModuleLength:

data/Gemfile.lock

@@ -1,13 +1,13 @@
 PATH
   remote: .
   specs:
-    workos (1.3.0)
+    workos (1.6.0)
       sorbet-runtime (~> 0.5)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.7.0)
+    addressable (2.8.0)
       public_suffix (>= 2.0.2, < 5.0)
     ast (2.4.2)
     codecov (0.2.12)
@@ -60,7 +60,7 @@ GEM
     simplecov_json_formatter (0.1.2)
     sorbet (0.5.6388)
       sorbet-static (= 0.5.6388)
-    sorbet-runtime (0.5.6433)
+    sorbet-runtime (0.5.9094)
     sorbet-static (0.5.6388-universal-darwin-14)
     sorbet-static (0.5.6388-universal-darwin-15)
     sorbet-static (0.5.6388-universal-darwin-16)

data/lib/workos/client.rb

@@ -9,12 +9,9 @@ module WorkOS
 
     sig { returns(Net::HTTP) }
     def client
-      return @client if defined?(@client)
-
-      @client = Net::HTTP.new(WorkOS::API_HOSTNAME, 443)
-      @client.use_ssl = true
-
-      @client
+      Net::HTTP.new(WorkOS::API_HOSTNAME, 443).tap do |http_client|
+        http_client.use_ssl = true
+      end
     end
 
     sig do

data/lib/workos/connection.rb

@@ -10,8 +10,9 @@ module WorkOS
     extend T::Sig
 
     attr_accessor :id, :name, :connection_type, :domains, :organization_id,
-                  :state, :status
+                  :state, :status, :created_at, :updated_at
 
+    # rubocop:disable Metrics/AbcSize
     sig { params(json: String).void }
     def initialize(json)
       raw = parse_json(json)
@@ -23,7 +24,10 @@ module WorkOS
       @organization_id = T.let(raw.organization_id, String)
       @state = T.let(raw.state, String)
       @status = T.let(raw.status, String)
+      @created_at = T.let(raw.created_at, String)
+      @updated_at = T.let(raw.updated_at, String)
     end
+    # rubocop:enable Metrics/AbcSize
 
     def to_json(*)
       {
@@ -34,6 +38,8 @@ module WorkOS
         organization_id: organization_id,
         state: state,
         status: status,
+        created_at: created_at,
+        updated_at: updated_at,
       }
     end
 
@@ -51,6 +57,8 @@ module WorkOS
         organization_id: hash[:organization_id],
         state: hash[:state],
         status: hash[:status],
+        created_at: hash[:created_at],
+        updated_at: hash[:updated_at],
       )
     end
   end

data/lib/workos/directory.rb

@@ -8,8 +8,9 @@ module WorkOS
   class Directory
     extend T::Sig
 
-    attr_accessor :id, :domain, :name, :type, :state, :organization_id
+    attr_accessor :id, :domain, :name, :type, :state, :organization_id, :created_at, :updated_at
 
+    # rubocop:disable Metrics/AbcSize
     sig { params(json: String).void }
     def initialize(json)
       raw = parse_json(json)
@@ -20,7 +21,10 @@ module WorkOS
       @type = T.let(raw.type, String)
       @state = T.let(raw.state, String)
       @organization_id = T.let(raw.organization_id, String)
+      @created_at = T.let(raw.created_at, String)
+      @updated_at = T.let(raw.updated_at, String)
     end
+    # rubocop:enable Metrics/AbcSize
 
     def to_json(*)
       {
@@ -30,6 +34,8 @@ module WorkOS
         type: type,
         state: state,
         organization_id: organization_id,
+        created_at: created_at,
+        updated_at: updated_at,
       }
     end
 
@@ -50,6 +56,8 @@ module WorkOS
         type: hash[:type],
         state: hash[:state],
         organization_id: hash[:organization_id],
+        created_at: hash[:created_at],
+        updated_at: hash[:updated_at],
       )
     end
   end

data/lib/workos/directory_user.rb

@@ -9,7 +9,7 @@ module WorkOS
     extend T::Sig
 
     attr_accessor :id, :idp_id, :emails, :first_name, :last_name, :username, :state,
-                  :groups, :raw_attributes
+                  :groups, :custom_attributes, :raw_attributes
 
     # rubocop:disable Metrics/AbcSize
     sig { params(json: String).void }
@@ -24,6 +24,7 @@ module WorkOS
       @username = raw.username
       @state = raw.state
       @groups = T.let(raw.groups, Array)
+      @custom_attributes = raw.custom_attributes
       @raw_attributes = raw.raw_attributes
     end
     # rubocop:enable Metrics/AbcSize
@@ -38,6 +39,7 @@ module WorkOS
         username: username,
         state: state,
         groups: groups,
+        custom_attributes: custom_attributes,
         raw_attributes: raw_attributes,
       }
     end
@@ -61,6 +63,7 @@ module WorkOS
         username: hash[:username],
         state: hash[:state],
         groups: hash[:groups],
+        custom_attributes: hash[:custom_attributes],
         raw_attributes: hash[:raw_attributes],
       )
     end

data/lib/workos/errors.rb

@@ -55,4 +55,8 @@ module WorkOS
   # InvalidRequestError is raised when a request is initiated with invalid
   # parameters.
   class InvalidRequestError < WorkOSError; end
+
+  # SignatureVerificationError is raised when the signature verification for a
+  # webhook fails
+  class SignatureVerificationError < WorkOSError; end
 end

data/lib/workos/organization.rb

@@ -8,7 +8,7 @@ module WorkOS
   class Organization
     extend T::Sig
 
-    attr_accessor :id, :domains, :name
+    attr_accessor :id, :domains, :name, :allow_profiles_outside_organization, :created_at, :updated_at
 
     sig { params(json: String).void }
     def initialize(json)
@@ -16,14 +16,20 @@ module WorkOS
 
       @id = T.let(raw.id, String)
       @name = T.let(raw.name, String)
+      @allow_profiles_outside_organization = T.let(raw.allow_profiles_outside_organization, T::Boolean)
       @domains = T.let(raw.domains, Array)
+      @created_at = T.let(raw.created_at, String)
+      @updated_at = T.let(raw.updated_at, String)
     end
 
     def to_json(*)
       {
         id: id,
         name: name,
+        allow_profiles_outside_organization: allow_profiles_outside_organization,
         domains: domains,
+        created_at: created_at,
+        updated_at: updated_at,
       }
     end
 
@@ -40,7 +46,10 @@ module WorkOS
       WorkOS::Types::OrganizationStruct.new(
         id: hash[:id],
         name: hash[:name],
+        allow_profiles_outside_organization: hash[:allow_profiles_outside_organization],
         domains: hash[:domains],
+        created_at: hash[:created_at],
+        updated_at: hash[:updated_at],
       )
     end
   end

data/lib/workos/organizations.rb

@@ -80,16 +80,23 @@ module WorkOS
       # @param [Array<String>] domains List of domains that belong to the
       #  organization
       # @param [String] name A unique, descriptive name for the organization
+      # @param [Boolean, nil] allow_profiles_outside_organization Whether Connections
+      #  within the Organization allow profiles that are outside of the Organization's configured User Email Domains.
       sig do
         params(
           domains: T::Array[String],
           name: String,
+          allow_profiles_outside_organization: T.nilable(T::Boolean),
         ).returns(WorkOS::Organization)
       end
-      def create_organization(domains:, name:)
+      def create_organization(domains:, name:, allow_profiles_outside_organization: nil)
         request = post_request(
           auth: true,
-          body: { domains: domains, name: name },
+          body: {
+            domains: domains,
+            name: name,
+            allow_profiles_outside_organization: allow_profiles_outside_organization,
+          },
           path: '/organizations',
         )
 
@@ -105,17 +112,24 @@ module WorkOS
       # @param [Array<String>] domains List of domains that belong to the
       #  organization
       # @param [String] name A unique, descriptive name for the organization
+      # @param [Boolean, nil] allow_profiles_outside_organization Whether Connections
+      #  within the Organization allow profiles that are outside of the Organization's configured User Email Domains.
       sig do
         params(
           organization: String,
           domains: T::Array[String],
           name: String,
+          allow_profiles_outside_organization: T.nilable(T::Boolean),
         ).returns(WorkOS::Organization)
       end
-      def update_organization(organization:, domains:, name:)
+      def update_organization(organization:, domains:, name:, allow_profiles_outside_organization: nil)
         request = put_request(
           auth: true,
-          body: { domains: domains, name: name },
+          body: {
+            domains: domains,
+            name: name,
+            allow_profiles_outside_organization: allow_profiles_outside_organization,
+          },
           path: "/organizations/#{organization}",
         )
 

data/lib/workos/profile.rb

@@ -11,9 +11,10 @@ module WorkOS
     extend T::Sig
 
     sig { returns(String) }
-    attr_accessor :id, :email, :first_name, :last_name, :connection_id,
-                  :connection_type, :idp_id, :raw_attributes
+    attr_accessor :id, :email, :first_name, :last_name, :organization_id,
+                  :connection_id, :connection_type, :idp_id, :raw_attributes
 
+    # rubocop:disable Metrics/AbcSize
     sig { params(profile_json: String).void }
     def initialize(profile_json)
       raw = parse_json(profile_json)
@@ -22,11 +23,13 @@ module WorkOS
       @email = T.let(raw.email, String)
       @first_name = raw.first_name
       @last_name = raw.last_name
+      @organization_id = T.let(raw.organization_id, String)
       @connection_id = T.let(raw.connection_id, String)
       @connection_type = T.let(raw.connection_type, String)
       @idp_id = raw.idp_id
       @raw_attributes = raw.raw_attributes
     end
+    # rubocop:enable Metrics/AbcSize
 
     sig { returns(String) }
     def full_name
@@ -39,6 +42,7 @@ module WorkOS
         email: email,
         first_name: first_name,
         last_name: last_name,
+        organization_id: organization_id,
         connection_id: connection_id,
         connection_type: connection_type,
         idp_id: idp_id,
@@ -57,6 +61,7 @@ module WorkOS
         email: hash[:email],
         first_name: hash[:first_name],
         last_name: hash[:last_name],
+        organization_id: hash[:organization_id],
         connection_id: hash[:connection_id],
         connection_type: hash[:connection_type],
         idp_id: hash[:idp_id],

data/lib/workos/types/connection_struct.rb

@@ -13,6 +13,8 @@ module WorkOS
       const :organization_id, String
       const :state, String
       const :status, String
+      const :created_at, String
+      const :updated_at, String
     end
   end
 end

data/lib/workos/types/directory_struct.rb

@@ -12,6 +12,8 @@ module WorkOS
       const :type, String
       const :state, String
       const :organization_id, String
+      const :created_at, String
+      const :updated_at, String
     end
   end
 end

data/lib/workos/types/directory_user_struct.rb

@@ -14,6 +14,7 @@ module WorkOS
       const :username, T.nilable(String)
       const :state, T.nilable(String)
       const :groups, T::Array[T.untyped]
+      const :custom_attributes, T::Hash[Symbol, T.untyped]
       const :raw_attributes, T::Hash[Symbol, Object]
     end
   end

data/lib/workos/types/organization_struct.rb

@@ -8,7 +8,10 @@ module WorkOS
     class OrganizationStruct < T::Struct
       const :id, String
       const :name, String
+      const :allow_profiles_outside_organization, T::Boolean
       const :domains, T::Array[T.untyped]
+      const :created_at, String
+      const :updated_at, String
     end
   end
 end

data/lib/workos/types/profile_struct.rb

@@ -10,6 +10,7 @@ module WorkOS
       const :email, String
       const :first_name, T.nilable(String)
       const :last_name, T.nilable(String)
+      const :organization_id, String
       const :connection_id, String
       const :connection_type, String
       const :idp_id, T.nilable(String)

data/lib/workos/types/provider_enum.rb

@@ -8,6 +8,7 @@ module WorkOS
     class Provider < T::Enum
       enums do
         Google = new('GoogleOAuth')
+        Microsoft = new('MicrosoftOAuth')
       end
     end
   end

data/lib/workos/types/webhook_struct.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+# typed: strict
+
+module WorkOS
+  module Types
+    # This WebhookStruct acts as a typed interface
+    # for the Webhook class
+    class WebhookStruct < T::Struct
+      const :id, String
+      const :event, String
+      const :data, T::Hash[Symbol, Object]
+    end
+  end
+end

data/lib/workos/types.rb

@@ -15,5 +15,6 @@ module WorkOS
     require_relative 'types/profile_struct'
     require_relative 'types/provider_enum'
     require_relative 'types/directory_user_struct'
+    require_relative 'types/webhook_struct'
   end
 end

data/lib/workos/version.rb

@@ -2,5 +2,5 @@
 # typed: strong
 
 module WorkOS
-  VERSION = '1.3.0'
+  VERSION = '1.6.0'
 end

data/lib/workos/webhook.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+# typed: true
+
+module WorkOS
+  # The Webhook class provides a lightweight wrapper around
+  # a WorkOS Webhook resource. This class is not meant to be instantiated
+  # in user space, and is instantiated internally but exposed.
+  class Webhook
+    extend T::Sig
+
+    attr_accessor :id, :event, :data
+
+    sig { params(json: String).void }
+    def initialize(json)
+      raw = parse_json(json)
+
+      @id = T.let(raw.id, String)
+      @event = T.let(raw.event, String)
+      @data = raw.data
+    end
+
+    def to_json(*)
+      {
+        id: id,
+        event: event,
+        data: data,
+      }
+    end
+
+    private
+
+    sig do
+      params(
+        json_string: String,
+      ).returns(WorkOS::Types::WebhookStruct)
+    end
+    def parse_json(json_string)
+      hash = JSON.parse(json_string, symbolize_names: true)
+
+      WorkOS::Types::WebhookStruct.new(
+        id: hash[:id],
+        event: hash[:event],
+        data: hash[:data],
+      )
+    end
+  end
+end

data/lib/workos/webhooks.rb

@@ -0,0 +1,168 @@
+# frozen_string_literal: true
+# typed: true
+
+require 'openssl'
+
+module WorkOS
+  # The Webhooks module provides convenience methods for working with the WorkOS webhooks.
+  # You'll need to extract the signature header and payload from the webhook request
+  # sig_header = request.headers['WorkOS-Signature']
+  # payload = request.body.read
+  #
+  # The secret is the Webhook Secret from your WorkOS Dashboard
+  # The tolerance is for the timestamp validation
+  #
+  module Webhooks
+    class << self
+      extend T::Sig
+
+      DEFAULT_TOLERANCE = 180
+
+      # Initializes an Event object from a JSON payload
+      # rubocop:disable Layout/LineLength
+      #
+      # @param [String] payload The payload from the webhook sent by WorkOS. This is the RAW_POST_DATA of the request.
+      # @param [String] sig_header The signature from the webhook sent by WorkOS.
+      # @param [String] secret The webhook secret from the WorkOS dashboard.
+      # @param [Integer] tolerance The time tolerance in seconds for the webhook.
+      #
+      # @example
+      #   WorkOS::Webhooks.construct_event(
+      #     payload: "{"id": "wh_123","data":{"id":"directory_user_01FAEAJCR3ZBZ30D8BD1924TVG","state":"active","emails":[{"type":"work","value":"blair@foo-corp.com","primary":true}],"idp_id":"00u1e8mutl6wlH3lL4x7","object":"directory_user","username":"blair@foo-corp.com","last_name":"Lunceford","first_name":"Blair","directory_id":"directory_01F9M7F68PZP8QXP8G7X5QRHS7","raw_attributes":{"name":{"givenName":"Blair","familyName":"Lunceford","middleName":"Elizabeth","honorificPrefix":"Ms."},"title":"Developer Success Engineer","active":true,"emails":[{"type":"work","value":"blair@foo-corp.com","primary":true}],"groups":[],"locale":"en-US","schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"userName":"blair@foo-corp.com","addresses":[{"region":"CO","primary":true,"locality":"Steamboat Springs","postalCode":"80487"}],"externalId":"00u1e8mutl6wlH3lL4x7","displayName":"Blair Lunceford","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"manager":{"value":"2","displayName":"Kathleen Chung"},"division":"Engineering","department":"Customer Success"}}},"event":"dsync.user.created"}",
+      #     sig_header: 't=1626125972272, v1=80f7ab7efadc306eb5797c588cee9410da9be4416782b497bf1e1bf4175fb928',
+      #     secret: 'LJlTiC19GmCKWs8AE0IaOQcos',
+      #   )
+      #
+      #   => #<WorkOS::Webhook:0x00007fa64b980910 @event="dsync.user.created", @data={:id=>"directory_user_01FAEAJCR3ZBZ30D8BD1924TVG", :state=>"active", :emails=>[{:type=>"work", :value=>"blair@foo-corp.com", :primary=>true}], :idp_id=>"00u1e8mutl6wlH3lL4x7", :object=>"directory_user", :username=>"blair@foo-corp.com", :last_name=>"Lunceford", :first_name=>"Blair", :directory_id=>"directory_01F9M7F68PZP8QXP8G7X5QRHS7", :raw_attributes=>{:name=>{:givenName=>"Blair", :familyName=>"Lunceford", :middleName=>"Elizabeth", :honorificPrefix=>"Ms."}, :title=>"Developer Success Engineer", :active=>true, :emails=>[{:type=>"work", :value=>"blair@foo-corp.com", :primary=>true}], :groups=>[], :locale=>"en-US", :schemas=>["urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"], :userName=>"blair@foo-corp.com", :addresses=>[{:region=>"CO", :primary=>true, :locality=>"Steamboat Springs", :postalCode=>"80487"}], :externalId=>"00u1e8mutl6wlH3lL4x7", :displayName=>"Blair Lunceford", :"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"=>{:manager=>{:value=>"2", :displayName=>"Kathleen Chung"}, :division=>"Engineering", :department=>"Customer Success"}}}>
+      #
+      # @return [WorkOS::Webhook]
+      # rubocop:enable Layout/LineLength
+      sig do
+        params(
+          payload: String,
+          sig_header: String,
+          secret: String,
+          tolerance: Integer,
+        ).returns(WorkOS::Webhook)
+      end
+      def construct_event(
+        payload:,
+        sig_header:,
+        secret:,
+        tolerance: DEFAULT_TOLERANCE
+      )
+        verify_header(payload: payload, sig_header: sig_header, secret: secret, tolerance: tolerance)
+        WorkOS::Webhook.new(payload)
+      end
+
+      private
+
+      sig do
+        params(
+          payload: String,
+          sig_header: String,
+          secret: String,
+          tolerance: Integer,
+        ).returns(T::Boolean)
+      end
+      # rubocop:disable Metrics/MethodLength
+      def verify_header(
+        payload:,
+        sig_header:,
+        secret:,
+        tolerance: DEFAULT_TOLERANCE
+      )
+        begin
+          timestamp, signature_hash = get_timestamp_and_signature_hash(sig_header: sig_header)
+        rescue StandardError
+          raise WorkOS::SignatureVerificationError.new(
+            message: 'Unable to extract timestamp and signature hash from header',
+          )
+        end
+
+        if signature_hash.empty?
+          raise WorkOS::SignatureVerificationError.new(
+            message: 'No signature hash found with expected scheme v1',
+          )
+        end
+
+        if timestamp < Time.now - tolerance
+          raise WorkOS::SignatureVerificationError.new(
+            message: 'Timestamp outside the tolerance zone',
+          )
+        end
+
+        expected_sig = compute_signature(timestamp: timestamp, payload: payload, secret: secret)
+        unless secure_compare(str_a: expected_sig, str_b: signature_hash)
+          raise WorkOS::SignatureVerificationError.new(
+            message: 'Signature hash does not match the expected signature hash for payload',
+          )
+        end
+
+        true
+      end
+      # rubocop:enable Metrics/MethodLength
+
+      sig do
+        params(
+          sig_header: String,
+        ).returns(T::Array[T.untyped])
+      end
+      def get_timestamp_and_signature_hash(
+        sig_header:
+      )
+        timestamp, signature_hash = sig_header.split(', ')
+
+        if timestamp.nil? || signature_hash.nil?
+          raise WorkOS::SignatureVerificationError.new(
+            message: 'Unable to extract timestamp and signature hash from header',
+          )
+        end
+
+        timestamp = timestamp.sub('t=', '')
+        signature_hash = signature_hash.sub('v1=', '')
+
+        [Time.at(timestamp.to_i), signature_hash]
+      end
+
+      sig do
+        params(
+          timestamp: Time,
+          payload: String,
+          secret: String,
+        ).returns(String)
+      end
+      def compute_signature(
+        timestamp:,
+        payload:,
+        secret:
+      )
+        unhashed_string = "#{timestamp.to_i}.#{payload}"
+        digest = OpenSSL::Digest.new('sha256')
+        OpenSSL::HMAC.hexdigest(digest, secret, unhashed_string)
+      end
+
+      # Constant time string comparison to prevent timing attacks
+      # Code borrowed from ActiveSupport
+      sig do
+        params(
+          str_a: String,
+          str_b: String,
+        ).returns(T::Boolean)
+      end
+      def secure_compare(
+        str_a:,
+        str_b:
+      )
+        return false unless str_a.bytesize == str_b.bytesize
+
+        l = T.unsafe(str_a.unpack("C#{str_a.bytesize}"))
+
+        res = 0
+        str_b.each_byte { |byte| res |= byte ^ l.shift }
+
+        res.zero?
+      end
+    end
+  end
+end

data/lib/workos.rb

@@ -42,11 +42,14 @@ module WorkOS
   autoload :ProfileAndToken, 'workos/profile_and_token'
   autoload :SSO, 'workos/sso'
   autoload :DirectoryUser, 'workos/directory_user'
+  autoload :Webhook, 'workos/webhook'
+  autoload :Webhooks, 'workos/webhooks'
 
   # Errors
   autoload :APIError, 'workos/errors'
   autoload :AuthenticationError, 'workos/errors'
   autoload :InvalidRequestError, 'workos/errors'
+  autoload :SignatureVerificationError, 'workos/errors'
 
   # Remove WORKOS_KEY at some point in the future. Keeping it here now for
   # backwards compatibility.

data/spec/lib/workos/audit_trail_spec.rb

@@ -2,6 +2,8 @@
 # typed: false
 
 describe WorkOS::AuditTrail do
+  it_behaves_like 'client'
+
   describe '.create_event' do
     context 'with valid event payload' do
       let(:valid_event) do