workos 2.0.0 → 2.2.0

data/lib/workos/webhooks.rb

@@ -65,7 +65,7 @@ module WorkOS
           tolerance: Integer,
         ).returns(T::Boolean)
       end
-      # rubocop:disable Metrics/MethodLength
+      # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
       def verify_header(
         payload:,
         sig_header:,
@@ -86,7 +86,9 @@ module WorkOS
           )
         end
 
-        if timestamp < Time.now - tolerance
+        timestamp_to_time = Time.at(timestamp.to_i / 1000)
+
+        if timestamp_to_time < Time.now - tolerance
           raise WorkOS::SignatureVerificationError.new(
             message: 'Timestamp outside the tolerance zone',
           )
@@ -101,12 +103,12 @@ module WorkOS
 
         true
       end
-      # rubocop:enable Metrics/MethodLength
+      # rubocop:enable Metrics/MethodLength, Metrics/AbcSize
 
       sig do
         params(
           sig_header: String,
-        ).returns(T::Array[T.untyped])
+        ).returns([String, String])
       end
       def get_timestamp_and_signature_hash(
         sig_header:
@@ -122,12 +124,12 @@ module WorkOS
         timestamp = timestamp.sub('t=', '')
         signature_hash = signature_hash.sub('v1=', '')
 
-        [Time.at(timestamp.to_i), signature_hash]
+        [timestamp, signature_hash]
       end
 
       sig do
         params(
-          timestamp: Time,
+          timestamp: String,
           payload: String,
           secret: String,
         ).returns(String)
@@ -137,7 +139,7 @@ module WorkOS
         payload:,
         secret:
       )
-        unhashed_string = "#{timestamp.to_i}.#{payload}"
+        unhashed_string = "#{timestamp}.#{payload}"
         digest = OpenSSL::Digest.new('sha256')
         OpenSSL::HMAC.hexdigest(digest, secret, unhashed_string)
       end

data/lib/workos.rb

@@ -44,6 +44,11 @@ module WorkOS
   autoload :DirectoryUser, 'workos/directory_user'
   autoload :Webhook, 'workos/webhook'
   autoload :Webhooks, 'workos/webhooks'
+  autoload :MFA, 'workos/mfa'
+  autoload :Factor, 'workos/factor'
+  autoload :Challenge, 'workos/challenge'
+  autoload :VerifyFactor, 'workos/verify_factor'
+
 
   # Errors
   autoload :APIError, 'workos/errors'

data/spec/lib/workos/mfa_spec.rb

@@ -0,0 +1,232 @@
+# frozen_string_literal: true
+# typed: false
+
+describe WorkOS::MFA do
+  it_behaves_like 'client'
+  describe 'enroll_factor valid requests' do
+    context 'enroll factor using valid generic argument' do
+      it 'returns a valid factor object' do
+        VCR.use_cassette 'mfa/enroll_factor_generic_valid' do
+          factor = described_class.enroll_factor(
+            type: 'generic_otp',
+          )
+          expect(factor.type == 'generic_otp')
+        end
+      end
+    end
+    context 'enroll factor using valid totp arguments' do
+      it 'returns a valid factor object' do
+        VCR.use_cassette 'mfa/enroll_factor_totp_valid' do
+          factor = described_class.enroll_factor(
+            type: 'totp',
+            totp_issuer: 'WorkOS',
+            totp_user: 'some_user',
+          )
+          expect(factor.totp.instance_of?(Hash))
+        end
+      end
+    end
+    context 'enroll factor using valid sms arguments' do
+      it 'returns a valid factor object' do
+        VCR.use_cassette 'mfa/enroll_factor_sms_valid' do
+          factor = described_class.enroll_factor(
+            type: 'sms',
+            phone_number: '55555555555',
+          )
+          expect(factor.sms.instance_of?(Hash))
+        end
+      end
+    end
+  end
+  describe 'enroll_factor invalid responses' do
+    context 'enroll factor throws error if type is not sms or totp' do
+      it 'returns an error' do
+        expect do
+          described_class.enroll_factor(
+            type: 'invalid',
+            phone_number: '+15005550006',
+          )
+        end.to raise_error(
+          ArgumentError,
+          "Type argument must be either 'sms' or 'totp'",
+        )
+      end
+    end
+    context 'enroll factor throws error if type is not sms or totp' do
+      it 'returns an error' do
+        expect do
+          described_class.enroll_factor(
+            type: 'totp',
+            totp_issuer: 'WorkOS',
+          )
+        end.to raise_error(
+          ArgumentError,
+          'Incomplete arguments. Need to specify both totp_issuer and totp_user when type is totp',
+        )
+      end
+    end
+    context 'enroll factor throws error if type sms and phone number is nil' do
+      it 'returns an error' do
+        expect do
+          described_class.enroll_factor(
+            type: 'sms',
+          )
+        end.to raise_error(
+          ArgumentError,
+          'Incomplete arguments. Need to specify phone_number when type is sms',
+        )
+      end
+    end
+  end
+  describe 'challenge factor with valid request arguments' do
+    context 'challenge with totp' do
+      it 'returns challenge factor object for totp' do
+        VCR.use_cassette 'mfa/challenge_factor_totp_valid' do
+          challenge_factor = described_class.challenge_factor(
+            authentication_factor_id: 'auth_factor_01FZ4TS0MWPZR7GATS7KCXANQZ',
+          )
+          expect(challenge_factor.authentication_factor_id.class.instance_of?(String))
+        end
+      end
+    end
+    context 'challenge with sms' do
+      it 'returns a challenge factor object for sms' do
+        VCR.use_cassette 'mfa/challenge_factor_sms_valid' do
+          challenge_factor = described_class.challenge_factor(
+            authentication_factor_id: 'auth_factor_01FZ4TS14D1PHFNZ9GF6YD8M1F',
+            sms_template: 'Your code is {{code}}',
+          )
+          expect(challenge_factor.authentication_factor_id.instance_of?(String))
+        end
+      end
+    end
+    context 'challenge with generic' do
+      it 'returns a valid challenge factor object for generic otp' do
+        VCR.use_cassette 'mfa/challenge_factor_generic_valid' do
+          challenge_factor = described_class.challenge_factor(
+            authentication_factor_id: 'auth_factor_01FZ4WMXXA09XF6NK1XMKNWB3M',
+          )
+          expect(challenge_factor.code.instance_of?(String))
+        end
+      end
+    end
+  end
+  describe 'challenge factor with invalid arguments' do
+    context 'challenge with totp mssing authentication_factor_id' do
+      it 'returns argument error' do
+        expect do
+          described_class.challenge_factor
+        end.to raise_error(
+          ArgumentError,
+          "Incomplete arguments: 'authentication_factor_id' is a required argument",
+        )
+      end
+    end
+  end
+  describe 'challenge factor with valid requests' do
+    context 'verify generic otp' do
+      it 'returns a true boolean if the challenge has not been verifed yet' do
+        VCR.use_cassette 'mfa/verify_factor_generic_valid' do
+          verify_factor = described_class.verify_factor(
+            authentication_challenge_id: 'auth_challenge_01FZ4YVRBMXP5ZM0A7BP4AJ12J',
+            code: '897792',
+          )
+          expect(verify_factor.valid == 'true')
+        end
+      end
+    end
+    context 'verify generic otp' do
+      it 'returns error that the challenge has already been verfied' do
+        VCR.use_cassette 'mfa/verify_factor_generic_invalid' do
+          expect do
+            described_class.verify_factor(
+              authentication_challenge_id: 'auth_challenge_01FZ4YVRBMXP5ZM0A7BP4AJ12J',
+              code: '897792',
+            )
+          end.to raise_error(WorkOS::InvalidRequestError)
+        end
+      end
+      context 'verify generic otp' do
+        it 'returns error that the challenge has expired' do
+          VCR.use_cassette 'mfa/verify_factor_generic_expired' do
+            expect do
+              described_class.verify_factor(
+                authentication_challenge_id: 'auth_challenge_01FZ4YVRBMXP5ZM0A7BP4AJ12J',
+                code: '897792',
+              )
+            end.to raise_error(WorkOS::InvalidRequestError)
+          end
+        end
+      end
+    end
+  end
+  describe 'verify_factor with invalid argument' do
+    context 'missing code argument' do
+      it 'returns argument error' do
+        expect do
+          described_class.verify_factor(
+            authentication_challenge_id: 'auth_challenge_01FZ4YVRBMXP5ZM0A7BP4AJ12J',
+          )
+        end.to raise_error(
+          ArgumentError,
+          "Incomplete arguments: 'authentication_challenge_id' and 'code' are required arguments",
+        )
+      end
+    end
+    context 'missing authentication_challenge_id argument' do
+      it '' do
+        expect do
+          described_class.verify_factor(
+            code: '897792',
+          )
+        end.to raise_error(
+          ArgumentError,
+          "Incomplete arguments: 'authentication_challenge_id' and 'code' are required arguments",
+        )
+      end
+    end
+    context 'missing code and authentication_challenge_id arguments' do
+      it 'returns argument error' do
+        expect do
+          described_class.verify_factor
+        end.to raise_error(
+          ArgumentError,
+          "Incomplete arguments: 'authentication_challenge_id' and 'code' are required arguments",
+        )
+      end
+    end
+  end
+  describe 'tests returning and deleting a factor' do
+    context 'returns a factor' do
+      it 'uses get_factor to return  factor' do
+        VCR.use_cassette 'mfa/get_factor_valid' do
+          factor = described_class.get_factor(
+            id: 'auth_factor_01FZ4WMXXA09XF6NK1XMKNWB3M',
+          )
+          expect(factor.id.instance_of?(String))
+        end
+      end
+    end
+    context 'invalid factor request' do
+      it 'uses get_factor and throws error if id is wrong' do
+        VCR.use_cassette 'mfa/get_factor_invalid' do
+          expect do
+            described_class.get_factor(
+              id: 'auth_factor_invalid',
+            )
+          end.to raise_error(WorkOS::APIError)
+        end
+      end
+    end
+    context 'deletes facotr' do
+      it 'uses delete_factor to delete factor' do
+        VCR.use_cassette 'mfa/delete_factor' do
+          response = described_class.delete_factor(
+            id: 'auth_factor_01FZ4WMXXA09XF6NK1XMKNWB3M',
+          )
+          expect(response).to be(true)
+        end
+      end
+    end
+  end
+end

data/spec/lib/workos/sso_spec.rb

@@ -20,7 +20,6 @@ describe WorkOS::SSO do
       end
       it 'returns a valid URL' do
         authorization_url = described_class.authorization_url(**args)
-
         expect(URI.parse(authorization_url)).to be_a URI
       end
 
@@ -109,7 +108,145 @@ describe WorkOS::SSO do
       end
     end
 
-    context 'with neither connection, domain, or provider' do
+    context 'with a domain' do
+      let(:args) do
+        {
+          domain: 'foo.com',
+          client_id: 'workos-proj-123',
+          redirect_uri: 'foo.com/auth/callback',
+          state: {
+            next_page: '/dashboard/edit',
+          }.to_s,
+        }
+      end
+      it 'returns a valid URL' do
+        authorization_url = described_class.authorization_url(**args)
+
+        expect(URI.parse(authorization_url)).to be_a URI
+      end
+
+      it 'returns the expected hostname' do
+        authorization_url = described_class.authorization_url(**args)
+
+        expect(URI.parse(authorization_url).host).to eq(WorkOS::API_HOSTNAME)
+      end
+
+      it 'returns the expected query string' do
+        authorization_url = described_class.authorization_url(**args)
+
+        expect(URI.parse(authorization_url).query).to eq(
+          'client_id=workos-proj-123&redirect_uri=foo.com%2Fauth%2Fcallback' \
+          '&response_type=code&state=%7B%3Anext_page%3D%3E%22%2Fdashboard%2F' \
+          'edit%22%7D&domain=foo.com',
+        )
+      end
+    end
+
+    context 'with a domain_hint' do
+      let(:args) do
+        {
+          connection: 'connection_123',
+          domain_hint: 'foo.com',
+          client_id: 'workos-proj-123',
+          redirect_uri: 'foo.com/auth/callback',
+          state: {
+            next_page: '/dashboard/edit',
+          }.to_s,
+        }
+      end
+      it 'returns a valid URL' do
+        authorization_url = described_class.authorization_url(**args)
+
+        expect(URI.parse(authorization_url)).to be_a URI
+      end
+
+      it 'returns the expected hostname' do
+        authorization_url = described_class.authorization_url(**args)
+
+        expect(URI.parse(authorization_url).host).to eq(WorkOS::API_HOSTNAME)
+      end
+
+      it 'returns the expected query string' do
+        authorization_url = described_class.authorization_url(**args)
+
+        expect(URI.parse(authorization_url).query).to eq(
+          'client_id=workos-proj-123&redirect_uri=foo.com%2Fauth%2Fcallback' \
+          '&response_type=code&state=%7B%3Anext_page%3D%3E%22%2Fdashboard%2' \
+          'Fedit%22%7D&domain_hint=foo.com&connection=connection_123',
+        )
+      end
+    end
+
+    context 'with a login_hint' do
+      let(:args) do
+        {
+          connection: 'connection_123',
+          login_hint: 'foo@workos.com',
+          client_id: 'workos-proj-123',
+          redirect_uri: 'foo.com/auth/callback',
+          state: {
+            next_page: '/dashboard/edit',
+          }.to_s,
+        }
+      end
+      it 'returns a valid URL' do
+        authorization_url = described_class.authorization_url(**args)
+
+        expect(URI.parse(authorization_url)).to be_a URI
+      end
+
+      it 'returns the expected hostname' do
+        authorization_url = described_class.authorization_url(**args)
+
+        expect(URI.parse(authorization_url).host).to eq(WorkOS::API_HOSTNAME)
+      end
+
+      it 'returns the expected query string' do
+        authorization_url = described_class.authorization_url(**args)
+
+        expect(URI.parse(authorization_url).query).to eq(
+          'client_id=workos-proj-123&redirect_uri=foo.com%2Fauth%2Fcallback' \
+          '&response_type=code&state=%7B%3Anext_page%3D%3E%22%2Fdashboard%2' \
+          'Fedit%22%7D&login_hint=foo%40workos.com&connection=connection_123',
+        )
+      end
+    end
+
+    context 'with an organization' do
+      let(:args) do
+        {
+          organization: 'org_123',
+          client_id: 'workos-proj-123',
+          redirect_uri: 'foo.com/auth/callback',
+          state: {
+            next_page: '/dashboard/edit',
+          }.to_s,
+        }
+      end
+      it 'returns a valid URL' do
+        authorization_url = described_class.authorization_url(**args)
+
+        expect(URI.parse(authorization_url)).to be_a URI
+      end
+
+      it 'returns the expected hostname' do
+        authorization_url = described_class.authorization_url(**args)
+
+        expect(URI.parse(authorization_url).host).to eq(WorkOS::API_HOSTNAME)
+      end
+
+      it 'returns the expected query string' do
+        authorization_url = described_class.authorization_url(**args)
+
+        expect(URI.parse(authorization_url).query).to eq(
+          'client_id=workos-proj-123&redirect_uri=foo.com%2Fauth%2Fcallback' \
+          '&response_type=code&state=%7B%3Anext_page%3D%3E%22%2Fdashboard%2F' \
+          'edit%22%7D&organization=org_123',
+        )
+      end
+    end
+
+    context 'with neither connection, domain, provider, or organization' do
       let(:args) do
         {
           client_id: 'workos-proj-123',
@@ -124,7 +261,7 @@ describe WorkOS::SSO do
           described_class.authorization_url(**args)
         end.to raise_error(
           ArgumentError,
-          'Either connection, domain, or provider is required.',
+          'Either connection, domain, provider, or organization is required.',
         )
       end
     end
@@ -177,7 +314,6 @@ describe WorkOS::SSO do
             verified_email: true,
           },
         }
-
         expect(profile.to_json).to eq(expectation)
       end
     end

data/spec/lib/workos/webhooks_spec.rb

@@ -177,7 +177,7 @@ describe WorkOS::Webhooks do
         expect do
           described_class.construct_event(
             payload: @payload,
-            sig_header: "t=9999, v1=#{@signature_hash}",
+            sig_header: "t=#{@timestamp.to_i - (200 * 1000)}, v1=#{@signature_hash}",
             secret: @secret,
           )
         end.to raise_error(

data/spec/support/fixtures/vcr_cassettes/mfa/challenge_factor_generic_valid.yml

@@ -0,0 +1,82 @@
+---
+http_interactions:
+- request:
+    method: post
+    uri: https://api.workos.com/auth/factors/challenge
+    body:
+      encoding: UTF-8
+      string: '{"sms_template":null,"authentication_factor_id":"auth_factor_01FZ4WMXXA09XF6NK1XMKNWB3M"}'
+    headers:
+      Content-Type:
+      - application/json
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - WorkOS; ruby/3.0.2; arm64-darwin21; v2.1.1
+      Authorization:
+      - Bearer <API_KEY>
+  response:
+    status:
+      code: 201
+      message: Created
+    headers:
+      Date:
+      - Sun, 27 Mar 2022 05:15:26 GMT
+      Content-Type:
+      - application/json; charset=utf-8
+      Content-Length:
+      - '290'
+      Connection:
+      - keep-alive
+      Content-Security-Policy:
+      - 'default-src ''self'';base-uri ''self'';block-all-mixed-content;font-src ''self''
+        https: data:;frame-ancestors ''self'';img-src ''self'' data:;object-src ''none'';script-src
+        ''self'';script-src-attr ''none'';style-src ''self'' https: ''unsafe-inline'';upgrade-insecure-requests'
+      X-Dns-Prefetch-Control:
+      - 'off'
+      Expect-Ct:
+      - max-age=0
+      X-Frame-Options:
+      - SAMEORIGIN
+      Strict-Transport-Security:
+      - max-age=15552000; includeSubDomains
+      X-Download-Options:
+      - noopen
+      X-Content-Type-Options:
+      - nosniff
+      X-Permitted-Cross-Domain-Policies:
+      - none
+      Referrer-Policy:
+      - no-referrer
+      X-Xss-Protection:
+      - '0'
+      Vary:
+      - Origin, Accept-Encoding
+      Access-Control-Allow-Credentials:
+      - 'true'
+      X-Request-Id:
+      - 6f320a1f-92d8-496c-9c30-69355787d21e
+      Etag:
+      - W/"122-QtSiaXex7UKEyydEC3oPpuHzGNw"
+      Via:
+      - 1.1 vegur
+      Cf-Cache-Status:
+      - DYNAMIC
+      Report-To:
+      - '{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2kePZ4Q7kGQ1by5iXZxRevmSkQq4vTbW1vXTqFev99eLBrrfEHOLK2%2FE0ItWB2GAKoQvhPBk3rhS%2FKg0rtK3ZH4DGTf%2FEQKGFPT6BxtCqQE2L%2ByfEv1AgU152ZwIBPVYjQ%3D%3D"}],"group":"cf-nel","max_age":604800}'
+      Nel:
+      - '{"success_fraction":0,"report_to":"cf-nel","max_age":604800}'
+      Server:
+      - cloudflare
+      Cf-Ray:
+      - 6f25a5f0dddf088d-SEA
+      Alt-Svc:
+      - h3=":443"; ma=86400, h3-29=":443"; ma=86400
+    body:
+      encoding: UTF-8
+      string: '{"object":"authentication_challenge","id":"auth_challenge_01FZ4WSWV2SCEDX3GKY1NA9YTN","created_at":"2022-03-27T05:15:26.432Z","updated_at":"2022-03-27T05:15:26.432Z","expires_at":"2022-03-27T05:25:26.434Z","code":"541295","authentication_factor_id":"auth_factor_01FZ4WMXXA09XF6NK1XMKNWB3M"}'
+    http_version:
+  recorded_at: Sun, 27 Mar 2022 05:15:26 GMT
+recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/mfa/challenge_factor_sms_valid.yml

@@ -0,0 +1,82 @@
+---
+http_interactions:
+- request:
+    method: post
+    uri: https://api.workos.com/auth/factors/challenge
+    body:
+      encoding: UTF-8
+      string: '{"sms_template":"Your code is {{code}}","authentication_factor_id":"auth_factor_01FZ4TS14D1PHFNZ9GF6YD8M1F"}'
+    headers:
+      Content-Type:
+      - application/json
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - WorkOS; ruby/3.0.2; arm64-darwin21; v2.1.1
+      Authorization:
+      - Bearer <API_KEY>
+  response:
+    status:
+      code: 201
+      message: Created
+    headers:
+      Date:
+      - Sun, 27 Mar 2022 05:03:26 GMT
+      Content-Type:
+      - application/json; charset=utf-8
+      Content-Length:
+      - '274'
+      Connection:
+      - keep-alive
+      Content-Security-Policy:
+      - 'default-src ''self'';base-uri ''self'';block-all-mixed-content;font-src ''self''
+        https: data:;frame-ancestors ''self'';img-src ''self'' data:;object-src ''none'';script-src
+        ''self'';script-src-attr ''none'';style-src ''self'' https: ''unsafe-inline'';upgrade-insecure-requests'
+      X-Dns-Prefetch-Control:
+      - 'off'
+      Expect-Ct:
+      - max-age=0
+      X-Frame-Options:
+      - SAMEORIGIN
+      Strict-Transport-Security:
+      - max-age=15552000; includeSubDomains
+      X-Download-Options:
+      - noopen
+      X-Content-Type-Options:
+      - nosniff
+      X-Permitted-Cross-Domain-Policies:
+      - none
+      Referrer-Policy:
+      - no-referrer
+      X-Xss-Protection:
+      - '0'
+      Vary:
+      - Origin, Accept-Encoding
+      Access-Control-Allow-Credentials:
+      - 'true'
+      X-Request-Id:
+      - b9c66c87-adf4-4a9a-854f-d838f966ea5c
+      Etag:
+      - W/"112-VpD9nscbxE6VOcsJlK2RHEzlq3s"
+      Via:
+      - 1.1 vegur
+      Cf-Cache-Status:
+      - DYNAMIC
+      Report-To:
+      - '{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yNaSbl1oXtixmxb7lJOn7tDKzD0mN8jSFHJmTsZfD6YTlSGeMrdBgfi3LUFeDv1ldKcdNe5eZ%2BkRrVM986RUizGOhL2xzdl2AkJEdudIRaaJCMdWbjQDmGLbC4OPFajMIA%3D%3D"}],"group":"cf-nel","max_age":604800}'
+      Nel:
+      - '{"success_fraction":0,"report_to":"cf-nel","max_age":604800}'
+      Server:
+      - cloudflare
+      Cf-Ray:
+      - 6f25945b9ee639b4-SEA
+      Alt-Svc:
+      - h3=":443"; ma=86400, h3-29=":443"; ma=86400
+    body:
+      encoding: UTF-8
+      string: '{"object":"authentication_challenge","id":"auth_challenge_01FZ4W3XG1VD8ZD5TXSYQMFMSR","created_at":"2022-03-27T05:03:26.203Z","updated_at":"2022-03-27T05:03:26.203Z","expires_at":"2022-03-27T05:13:26.204Z","authentication_factor_id":"auth_factor_01FZ4TS14D1PHFNZ9GF6YD8M1F"}'
+    http_version:
+  recorded_at: Sun, 27 Mar 2022 05:03:26 GMT
+recorded_with: VCR 5.0.0