workos 2.1.0 → 2.2.1

data/lib/workos/types/factor_struct.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+# typed: strict
+
+module WorkOS
+  module Types
+    # This FactorStruct acts as a typed interface
+    # for the Factor class
+    class FactorStruct < T::Struct
+      const :id, String
+      const :environment_id, String
+      const :object, String
+      const :type, String
+      const :totp, T.nilable(T::Hash[Symbol, Object])
+      const :sms, T.nilable(T::Hash[Symbol, Object])
+      const :created_at, String
+      const :updated_at, String
+    end
+  end
+end

data/lib/workos/types/passwordless_session_struct.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 # typed: strict
 
+require 'date'
+
 module WorkOS
   module Types
     # This PasswordlessSessionStruct acts as a typed interface

data/lib/workos/types/verify_factor_struct.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+# typed: strict
+
+module WorkOS
+  module Types
+    # This VerifyFactorStruct acts as a typed interface
+    # for the Factor class
+    class VerifyFactorStruct < T::Struct
+      const :challenge, T.nilable(T::Hash[Symbol, Object])
+      const :valid, T::Boolean
+    end
+  end
+end

data/lib/workos/types.rb

@@ -16,5 +16,8 @@ module WorkOS
     require_relative 'types/provider_enum'
     require_relative 'types/directory_user_struct'
     require_relative 'types/webhook_struct'
+    require_relative 'types/factor_struct'
+    require_relative 'types/challenge_struct'
+    require_relative 'types/verify_factor_struct'
   end
 end

data/lib/workos/verify_factor.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+# typed: false
+
+module WorkOS
+  # The VerifyFactor class provides a lightweight wrapper around
+  # a WorkOS DirectoryUser resource. This class is not meant to be instantiated
+  # in DirectoryUser space, and is instantiated internally but exposed.
+  class VerifyFactor
+    include HashProvider
+    extend T::Sig
+
+    attr_accessor :challenge, :valid
+
+    sig { params(json: String).void }
+    def initialize(json)
+      raw = parse_json(json)
+      @challenge = T.let(raw.challenge, Hash)
+      @valid = raw.valid
+    end
+
+    def to_json(*)
+      {
+        challenge: challenge,
+        valid: valid,
+      }
+    end
+
+    private
+
+    sig { params(json_string: String).returns(WorkOS::Types::VerifyFactorStruct) }
+    def parse_json(json_string)
+      hash = JSON.parse(json_string, symbolize_names: true)
+
+      WorkOS::Types::VerifyFactorStruct.new(
+        challenge: hash[:challenge],
+        valid: hash[:valid],
+      )
+    end
+  end
+end

data/lib/workos/version.rb

@@ -2,5 +2,5 @@
 # typed: strong
 
 module WorkOS
-  VERSION = '2.1.0'
+  VERSION = '2.2.1'
 end

data/lib/workos/webhook.rb

@@ -6,6 +6,7 @@ module WorkOS
   # a WorkOS Webhook resource. This class is not meant to be instantiated
   # in user space, and is instantiated internally but exposed.
   class Webhook
+    include HashProvider
     extend T::Sig
 
     attr_accessor :id, :event, :data

data/lib/workos/webhooks.rb

@@ -65,7 +65,7 @@ module WorkOS
           tolerance: Integer,
         ).returns(T::Boolean)
       end
-      # rubocop:disable Metrics/MethodLength
+      # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
       def verify_header(
         payload:,
         sig_header:,
@@ -86,7 +86,9 @@ module WorkOS
           )
         end
 
-        if timestamp < Time.now - tolerance
+        timestamp_to_time = Time.at(timestamp.to_i / 1000)
+
+        if timestamp_to_time < Time.now - tolerance
           raise WorkOS::SignatureVerificationError.new(
             message: 'Timestamp outside the tolerance zone',
           )
@@ -101,12 +103,12 @@ module WorkOS
 
         true
       end
-      # rubocop:enable Metrics/MethodLength
+      # rubocop:enable Metrics/MethodLength, Metrics/AbcSize
 
       sig do
         params(
           sig_header: String,
-        ).returns(T::Array[T.untyped])
+        ).returns([String, String])
       end
       def get_timestamp_and_signature_hash(
         sig_header:
@@ -122,12 +124,12 @@ module WorkOS
         timestamp = timestamp.sub('t=', '')
         signature_hash = signature_hash.sub('v1=', '')
 
-        [Time.at(timestamp.to_i), signature_hash]
+        [timestamp, signature_hash]
       end
 
       sig do
         params(
-          timestamp: Time,
+          timestamp: String,
           payload: String,
           secret: String,
         ).returns(String)
@@ -137,7 +139,7 @@ module WorkOS
         payload:,
         secret:
       )
-        unhashed_string = "#{timestamp.to_i}.#{payload}"
+        unhashed_string = "#{timestamp}.#{payload}"
         digest = OpenSSL::Digest.new('sha256')
         OpenSSL::HMAC.hexdigest(digest, secret, unhashed_string)
       end

data/lib/workos.rb

@@ -4,6 +4,7 @@
 require 'workos/version'
 require 'sorbet-runtime'
 require 'json'
+require 'workos/hash_provider'
 
 # Use the WorkOS module to authenticate your
 # requests to the WorkOS API. The gem will read
@@ -44,6 +45,12 @@ module WorkOS
   autoload :DirectoryUser, 'workos/directory_user'
   autoload :Webhook, 'workos/webhook'
   autoload :Webhooks, 'workos/webhooks'
+  autoload :MFA, 'workos/mfa'
+  autoload :Factor, 'workos/factor'
+  autoload :Challenge, 'workos/challenge'
+  autoload :VerifyFactor, 'workos/verify_factor'
+  autoload :DeprecatedHashWrapper, 'workos/deprecated_hash_wrapper'
+
 
   # Errors
   autoload :APIError, 'workos/errors'

data/spec/lib/workos/directory_sync_spec.rb

@@ -204,6 +204,7 @@ describe WorkOS::DirectorySync do
           )
 
           expect(groups.data.size).to eq(10)
+          expect(groups.data[0].name).to eq(groups.data[0]['name'])
         end
       end
     end
@@ -332,6 +333,7 @@ describe WorkOS::DirectorySync do
           )
 
           expect(users.data.size).to eq(4)
+          expect(users.data[0].first_name).to eq(users.data[0]['first_name'])
         end
       end
     end
@@ -440,6 +442,7 @@ describe WorkOS::DirectorySync do
           )
 
           expect(group['name']).to eq('Walrus')
+          expect(group.name).to eq('Walrus')
         end
       end
     end
@@ -464,6 +467,7 @@ describe WorkOS::DirectorySync do
           )
 
           expect(user['first_name']).to eq('Logan')
+          expect(user.first_name).to eq('Logan')
         end
       end
     end

data/spec/lib/workos/mfa_spec.rb

@@ -0,0 +1,262 @@
+# frozen_string_literal: true
+# typed: false
+
+describe WorkOS::MFA do
+  it_behaves_like 'client'
+
+  describe 'enroll_factor valid requests' do
+    context 'enroll factor using valid generic argument' do
+      it 'returns a valid factor object' do
+        VCR.use_cassette 'mfa/enroll_factor_generic_valid' do
+          factor = described_class.enroll_factor(
+            type: 'generic_otp',
+          )
+          expect(factor.type == 'generic_otp')
+        end
+      end
+    end
+
+    context 'enroll factor using valid totp arguments' do
+      it 'returns a valid factor object' do
+        VCR.use_cassette 'mfa/enroll_factor_totp_valid' do
+          factor = described_class.enroll_factor(
+            type: 'totp',
+            totp_issuer: 'WorkOS',
+            totp_user: 'some_user',
+          )
+          expect(factor.totp.instance_of?(Hash))
+        end
+      end
+    end
+
+    context 'enroll factor using valid sms arguments' do
+      it 'returns a valid factor object' do
+        VCR.use_cassette 'mfa/enroll_factor_sms_valid' do
+          factor = described_class.enroll_factor(
+            type: 'sms',
+            phone_number: '55555555555',
+          )
+          expect(factor.sms.instance_of?(Hash))
+        end
+      end
+    end
+  end
+
+  describe 'enroll_factor invalid responses' do
+    context 'enroll factor throws error if type is not sms or totp' do
+      it 'returns an error' do
+        expect do
+          described_class.enroll_factor(
+            type: 'invalid',
+            phone_number: '+15005550006',
+          )
+        end.to raise_error(
+          ArgumentError,
+          "Type argument must be either 'sms' or 'totp'",
+        )
+      end
+    end
+
+    context 'enroll factor throws error if type is not sms or totp' do
+      it 'returns an error' do
+        expect do
+          described_class.enroll_factor(
+            type: 'totp',
+            totp_issuer: 'WorkOS',
+          )
+        end.to raise_error(
+          ArgumentError,
+          'Incomplete arguments. Need to specify both totp_issuer and totp_user when type is totp',
+        )
+      end
+    end
+    context 'enroll factor throws error if type sms and phone number is nil' do
+      it 'returns an error' do
+        expect do
+          described_class.enroll_factor(
+            type: 'sms',
+          )
+        end.to raise_error(
+          ArgumentError,
+          'Incomplete arguments. Need to specify phone_number when type is sms',
+        )
+      end
+    end
+  end
+
+  describe 'challenge factor with valid request arguments' do
+    context 'challenge with totp' do
+      it 'returns challenge factor object for totp' do
+        VCR.use_cassette 'mfa/challenge_factor_totp_valid' do
+          challenge_factor = described_class.challenge_factor(
+            authentication_factor_id: 'auth_factor_01FZ4TS0MWPZR7GATS7KCXANQZ',
+          )
+          expect(challenge_factor.authentication_factor_id.class.instance_of?(String))
+        end
+      end
+    end
+
+    context 'challenge with sms' do
+      it 'returns a challenge factor object for sms' do
+        VCR.use_cassette 'mfa/challenge_factor_sms_valid' do
+          challenge_factor = described_class.challenge_factor(
+            authentication_factor_id: 'auth_factor_01FZ4TS14D1PHFNZ9GF6YD8M1F',
+            sms_template: 'Your code is {{code}}',
+          )
+          expect(challenge_factor.authentication_factor_id.instance_of?(String))
+        end
+      end
+    end
+
+    context 'challenge with generic' do
+      it 'returns a valid challenge factor object for generic otp' do
+        VCR.use_cassette 'mfa/challenge_factor_generic_valid' do
+          challenge_factor = described_class.challenge_factor(
+            authentication_factor_id: 'auth_factor_01FZ4WMXXA09XF6NK1XMKNWB3M',
+          )
+          expect(challenge_factor.code.instance_of?(String))
+        end
+      end
+    end
+  end
+
+  describe 'challenge factor with invalid arguments' do
+    context 'challenge with totp mssing authentication_factor_id' do
+      it 'returns argument error' do
+        expect do
+          described_class.challenge_factor
+        end.to raise_error(
+          ArgumentError,
+          "Incomplete arguments: 'authentication_factor_id' is a required argument",
+        )
+      end
+    end
+  end
+
+  describe 'challenge factor with valid requests' do
+    context 'verify generic otp' do
+      it 'returns a true boolean if the challenge has not been verifed yet' do
+        VCR.use_cassette 'mfa/verify_factor_generic_valid' do
+          verify_factor = described_class.verify_factor(
+            authentication_challenge_id: 'auth_challenge_01FZ4YVRBMXP5ZM0A7BP4AJ12J',
+            code: '897792',
+          )
+          expect(verify_factor.valid == 'true')
+        end
+      end
+    end
+
+    context 'verify generic otp invalid response' do
+      it 'returns a true boolean if the challenge has not been verifed yet' do
+        VCR.use_cassette 'mfa/verify_factor_generic_valid_is_false' do
+          verify_factor = described_class.verify_factor(
+            authentication_challenge_id: 'auth_challenge_01FZ4YVRBMXP5ZM0A7BP4AJ12J',
+            code: '897792',
+          )
+          expect(verify_factor.valid == 'false')
+        end
+      end
+    end
+
+    context 'verify generic otp' do
+      it 'returns error that the challenge has already been verfied' do
+        VCR.use_cassette 'mfa/verify_factor_generic_invalid' do
+          expect do
+            described_class.verify_factor(
+              authentication_challenge_id: 'auth_challenge_01FZ4YVRBMXP5ZM0A7BP4AJ12J',
+              code: '897792',
+            )
+          end.to raise_error(WorkOS::InvalidRequestError)
+        end
+      end
+
+      context 'verify generic otp' do
+        it 'returns error that the challenge has expired' do
+          VCR.use_cassette 'mfa/verify_factor_generic_expired' do
+            expect do
+              described_class.verify_factor(
+                authentication_challenge_id: 'auth_challenge_01FZ4YVRBMXP5ZM0A7BP4AJ12J',
+                code: '897792',
+              )
+            end.to raise_error(WorkOS::InvalidRequestError)
+          end
+        end
+      end
+    end
+  end
+
+  describe 'verify_factor with invalid argument' do
+    context 'missing code argument' do
+      it 'returns argument error' do
+        expect do
+          described_class.verify_factor(
+            authentication_challenge_id: 'auth_challenge_01FZ4YVRBMXP5ZM0A7BP4AJ12J',
+          )
+        end.to raise_error(
+          ArgumentError,
+          "Incomplete arguments: 'authentication_challenge_id' and 'code' are required arguments",
+        )
+      end
+    end
+
+    context 'missing authentication_challenge_id argument' do
+      it 'returns and error' do
+        expect do
+          described_class.verify_factor(
+            code: '897792',
+          )
+        end.to raise_error(
+          ArgumentError,
+          "Incomplete arguments: 'authentication_challenge_id' and 'code' are required arguments",
+        )
+      end
+    end
+
+    context 'missing code and authentication_challenge_id arguments' do
+      it 'returns argument error' do
+        expect do
+          described_class.verify_factor
+        end.to raise_error(
+          ArgumentError,
+          "Incomplete arguments: 'authentication_challenge_id' and 'code' are required arguments",
+        )
+      end
+    end
+  end
+
+  describe 'tests returning and deleting a factor' do
+    context 'returns a factor' do
+      it 'uses get_factor to return  factor' do
+        VCR.use_cassette 'mfa/get_factor_valid' do
+          factor = described_class.get_factor(
+            id: 'auth_factor_01FZ4WMXXA09XF6NK1XMKNWB3M',
+          )
+          expect(factor.id.instance_of?(String))
+        end
+      end
+    end
+
+    context 'invalid factor request' do
+      it 'uses get_factor and throws error if id is wrong' do
+        VCR.use_cassette 'mfa/get_factor_invalid' do
+          expect do
+            described_class.get_factor(
+              id: 'auth_factor_invalid',
+            )
+          end.to raise_error(WorkOS::APIError)
+        end
+      end
+    end
+
+    context 'deletes facotr' do
+      it 'uses delete_factor to delete factor' do
+        VCR.use_cassette 'mfa/delete_factor' do
+          response = described_class.delete_factor(
+            id: 'auth_factor_01FZ4WMXXA09XF6NK1XMKNWB3M',
+          )
+          expect(response).to be(true)
+        end
+      end
+    end
+  end
+end

data/spec/lib/workos/sso_spec.rb

@@ -20,7 +20,6 @@ describe WorkOS::SSO do
       end
       it 'returns a valid URL' do
         authorization_url = described_class.authorization_url(**args)
-
         expect(URI.parse(authorization_url)).to be_a URI
       end
 
@@ -315,7 +314,6 @@ describe WorkOS::SSO do
             verified_email: true,
           },
         }
-
         expect(profile.to_json).to eq(expectation)
       end
     end

data/spec/lib/workos/webhooks_spec.rb

@@ -177,7 +177,7 @@ describe WorkOS::Webhooks do
         expect do
           described_class.construct_event(
             payload: @payload,
-            sig_header: "t=9999, v1=#{@signature_hash}",
+            sig_header: "t=#{@timestamp.to_i - (200 * 1000)}, v1=#{@signature_hash}",
             secret: @secret,
           )
         end.to raise_error(

data/spec/support/fixtures/vcr_cassettes/mfa/challenge_factor_generic_valid.yml

@@ -0,0 +1,82 @@
+---
+http_interactions:
+- request:
+    method: post
+    uri: https://api.workos.com/auth/factors/challenge
+    body:
+      encoding: UTF-8
+      string: '{"sms_template":null,"authentication_factor_id":"auth_factor_01FZ4WMXXA09XF6NK1XMKNWB3M"}'
+    headers:
+      Content-Type:
+      - application/json
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - WorkOS; ruby/3.0.2; arm64-darwin21; v2.1.1
+      Authorization:
+      - Bearer <API_KEY>
+  response:
+    status:
+      code: 201
+      message: Created
+    headers:
+      Date:
+      - Sun, 27 Mar 2022 05:15:26 GMT
+      Content-Type:
+      - application/json; charset=utf-8
+      Content-Length:
+      - '290'
+      Connection:
+      - keep-alive
+      Content-Security-Policy:
+      - 'default-src ''self'';base-uri ''self'';block-all-mixed-content;font-src ''self''
+        https: data:;frame-ancestors ''self'';img-src ''self'' data:;object-src ''none'';script-src
+        ''self'';script-src-attr ''none'';style-src ''self'' https: ''unsafe-inline'';upgrade-insecure-requests'
+      X-Dns-Prefetch-Control:
+      - 'off'
+      Expect-Ct:
+      - max-age=0
+      X-Frame-Options:
+      - SAMEORIGIN
+      Strict-Transport-Security:
+      - max-age=15552000; includeSubDomains
+      X-Download-Options:
+      - noopen
+      X-Content-Type-Options:
+      - nosniff
+      X-Permitted-Cross-Domain-Policies:
+      - none
+      Referrer-Policy:
+      - no-referrer
+      X-Xss-Protection:
+      - '0'
+      Vary:
+      - Origin, Accept-Encoding
+      Access-Control-Allow-Credentials:
+      - 'true'
+      X-Request-Id:
+      - 6f320a1f-92d8-496c-9c30-69355787d21e
+      Etag:
+      - W/"122-QtSiaXex7UKEyydEC3oPpuHzGNw"
+      Via:
+      - 1.1 vegur
+      Cf-Cache-Status:
+      - DYNAMIC
+      Report-To:
+      - '{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2kePZ4Q7kGQ1by5iXZxRevmSkQq4vTbW1vXTqFev99eLBrrfEHOLK2%2FE0ItWB2GAKoQvhPBk3rhS%2FKg0rtK3ZH4DGTf%2FEQKGFPT6BxtCqQE2L%2ByfEv1AgU152ZwIBPVYjQ%3D%3D"}],"group":"cf-nel","max_age":604800}'
+      Nel:
+      - '{"success_fraction":0,"report_to":"cf-nel","max_age":604800}'
+      Server:
+      - cloudflare
+      Cf-Ray:
+      - 6f25a5f0dddf088d-SEA
+      Alt-Svc:
+      - h3=":443"; ma=86400, h3-29=":443"; ma=86400
+    body:
+      encoding: UTF-8
+      string: '{"object":"authentication_challenge","id":"auth_challenge_01FZ4WSWV2SCEDX3GKY1NA9YTN","created_at":"2022-03-27T05:15:26.432Z","updated_at":"2022-03-27T05:15:26.432Z","expires_at":"2022-03-27T05:25:26.434Z","code":"541295","authentication_factor_id":"auth_factor_01FZ4WMXXA09XF6NK1XMKNWB3M"}'
+    http_version:
+  recorded_at: Sun, 27 Mar 2022 05:15:26 GMT
+recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/mfa/challenge_factor_sms_valid.yml

@@ -0,0 +1,82 @@
+---
+http_interactions:
+- request:
+    method: post
+    uri: https://api.workos.com/auth/factors/challenge
+    body:
+      encoding: UTF-8
+      string: '{"sms_template":"Your code is {{code}}","authentication_factor_id":"auth_factor_01FZ4TS14D1PHFNZ9GF6YD8M1F"}'
+    headers:
+      Content-Type:
+      - application/json
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - WorkOS; ruby/3.0.2; arm64-darwin21; v2.1.1
+      Authorization:
+      - Bearer <API_KEY>
+  response:
+    status:
+      code: 201
+      message: Created
+    headers:
+      Date:
+      - Sun, 27 Mar 2022 05:03:26 GMT
+      Content-Type:
+      - application/json; charset=utf-8
+      Content-Length:
+      - '274'
+      Connection:
+      - keep-alive
+      Content-Security-Policy:
+      - 'default-src ''self'';base-uri ''self'';block-all-mixed-content;font-src ''self''
+        https: data:;frame-ancestors ''self'';img-src ''self'' data:;object-src ''none'';script-src
+        ''self'';script-src-attr ''none'';style-src ''self'' https: ''unsafe-inline'';upgrade-insecure-requests'
+      X-Dns-Prefetch-Control:
+      - 'off'
+      Expect-Ct:
+      - max-age=0
+      X-Frame-Options:
+      - SAMEORIGIN
+      Strict-Transport-Security:
+      - max-age=15552000; includeSubDomains
+      X-Download-Options:
+      - noopen
+      X-Content-Type-Options:
+      - nosniff
+      X-Permitted-Cross-Domain-Policies:
+      - none
+      Referrer-Policy:
+      - no-referrer
+      X-Xss-Protection:
+      - '0'
+      Vary:
+      - Origin, Accept-Encoding
+      Access-Control-Allow-Credentials:
+      - 'true'
+      X-Request-Id:
+      - b9c66c87-adf4-4a9a-854f-d838f966ea5c
+      Etag:
+      - W/"112-VpD9nscbxE6VOcsJlK2RHEzlq3s"
+      Via:
+      - 1.1 vegur
+      Cf-Cache-Status:
+      - DYNAMIC
+      Report-To:
+      - '{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yNaSbl1oXtixmxb7lJOn7tDKzD0mN8jSFHJmTsZfD6YTlSGeMrdBgfi3LUFeDv1ldKcdNe5eZ%2BkRrVM986RUizGOhL2xzdl2AkJEdudIRaaJCMdWbjQDmGLbC4OPFajMIA%3D%3D"}],"group":"cf-nel","max_age":604800}'
+      Nel:
+      - '{"success_fraction":0,"report_to":"cf-nel","max_age":604800}'
+      Server:
+      - cloudflare
+      Cf-Ray:
+      - 6f25945b9ee639b4-SEA
+      Alt-Svc:
+      - h3=":443"; ma=86400, h3-29=":443"; ma=86400
+    body:
+      encoding: UTF-8
+      string: '{"object":"authentication_challenge","id":"auth_challenge_01FZ4W3XG1VD8ZD5TXSYQMFMSR","created_at":"2022-03-27T05:03:26.203Z","updated_at":"2022-03-27T05:03:26.203Z","expires_at":"2022-03-27T05:13:26.204Z","authentication_factor_id":"auth_factor_01FZ4TS14D1PHFNZ9GF6YD8M1F"}'
+    http_version:
+  recorded_at: Sun, 27 Mar 2022 05:03:26 GMT
+recorded_with: VCR 5.0.0