workos 4.0.0 → 4.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 301b7f9d339c1ec1bf85dfc43a4d1ba85de8b6234323c8982fa2f2cf76bed6dd
-  data.tar.gz: 91ed96c899e42ccaed1955304fd98a7da7ca7e946be803df4e7c27f4cb3db5fc
+  metadata.gz: '0828780b58051c7e4da7d76717a9eb71209803a508c71ca287a99dabcb0cc55a'
+  data.tar.gz: 5da4147318e6c1f9947b50f69e8bf37dfbed7fd936deda7c46c9a072abfed99f
 SHA512:
-  metadata.gz: b96feaf7d73165f33b979f3cd396adcf91aa4457161647b57423bf204bd89de42e6badeba37f06faf562bd58f5148fe9bd329850721c1efe5f0d0d18e0459bf6
-  data.tar.gz: 9417023f79e961c063fcb17c4ca60035e292fe2c321710778d99610165bea2b5c564e7dfad24a7b2effdb51b0d5355fe0c4155de45c7ef5d0d073ddfbbb1f1c6
+  metadata.gz: '0916ae54fc3f1e30edf8f03dab9a75382062122a5b554aeefbaea26b39edc2e4d6415a9bdda25e53f19c5b82e6bb6e5e675c7c4ba1bc971a689346e6af997935'
+  data.tar.gz: 232a18c18b3c58181dd3f3a16c8c8f16a9f7aa7d1dc5ac088dbda986b9fd86347fe41def6a27d3d19ca7ff2867f03353daefa611c6df175ad5b9464539cadfff

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    workos (4.0.0)
+    workos (4.1.0)
       sorbet-runtime (~> 0.5)
 
 GEM

data/lib/workos/authentication_response.rb

@@ -8,19 +8,29 @@ module WorkOS
     include HashProvider
     extend T::Sig
 
-    attr_accessor :user, :organization_id
+    attr_accessor :user, :organization_id, :impersonator, :access_token, :refresh_token
 
     sig { params(authentication_response_json: String).void }
     def initialize(authentication_response_json)
       json = JSON.parse(authentication_response_json, symbolize_names: true)
       @user = WorkOS::User.new(json[:user].to_json)
       @organization_id = T.let(json[:organization_id], T.nilable(String))
+      @impersonator =
+        if (impersonator_json = json[:impersonator])
+          Impersonator.new(email: impersonator_json[:email],
+                           reason: impersonator_json[:reason],)
+        end
+      @access_token = T.let(json[:access_token], String)
+      @refresh_token = T.let(json[:refresh_token], String)
     end
 
     def to_json(*)
       {
         user: user.to_json,
         organization_id: organization_id,
+        impersonator: impersonator.to_json,
+        access_token: access_token,
+        refresh_token: refresh_token,
       }
     end
   end

data/lib/workos/impersonator.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+# typed: true
+
+module WorkOS
+  # Contains information about a WorkOS Dashboard user impersonating
+  # a User Management user.
+  class Impersonator
+    include HashProvider
+    extend T::Sig
+
+    attr_accessor :email, :reason
+
+    sig { params(email: String, reason: T.nilable(String)).void }
+    def initialize(email:, reason:)
+      @email = email
+      @reason = reason
+    end
+
+    def to_json(*)
+      {
+        email: email,
+        reason: reason,
+      }
+    end
+  end
+end

data/lib/workos/refresh_authentication_response.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+# typed: true
+
+module WorkOS
+  # The RefreshAuthenticationResponse contains response data from a successful
+  # `UserManagement.authenticate_with_refresh_token` call
+  class RefreshAuthenticationResponse
+    include HashProvider
+    extend T::Sig
+
+    attr_accessor :access_token, :refresh_token
+
+    sig { params(authentication_response_json: String).void }
+    def initialize(authentication_response_json)
+      json = JSON.parse(authentication_response_json, symbolize_names: true)
+      @access_token = T.let(json[:access_token], String)
+      @refresh_token = T.let(json[:refresh_token], String)
+    end
+
+    def to_json(*)
+      {
+        access_token: access_token,
+        refresh_token: refresh_token,
+      }
+    end
+  end
+end

data/lib/workos/user_management.rb

@@ -366,6 +366,46 @@ module WorkOS
         WorkOS::AuthenticationResponse.new(response.body)
       end
 
+      # Authenticate a user using a refresh token.
+      #
+      # @param [String] refresh_token The refresh token previously obtained from a successful authentication call
+      # @param [String] client_id The WorkOS client ID for the environment
+      # @param [String] ip_address The IP address of the request from the user who is attempting to authenticate.
+      # @param [String] user_agent The user agent of the request from the user who is attempting to authenticate.
+      #
+      # @return WorkOS::RefreshAuthenticationResponse
+
+      sig do
+        params(
+          refresh_token: String,
+          client_id: String,
+          ip_address: T.nilable(String),
+          user_agent: T.nilable(String),
+        ).returns(WorkOS::RefreshAuthenticationResponse)
+      end
+      def authenticate_with_refresh_token(
+        refresh_token:,
+        client_id:,
+        ip_address: nil,
+        user_agent: nil
+      )
+        response = execute_request(
+          request: post_request(
+            path: '/user_management/authenticate',
+            body: {
+              refresh_token: refresh_token,
+              client_id: client_id,
+              client_secret: WorkOS.config.key!,
+              ip_address: ip_address,
+              user_agent: user_agent,
+              grant_type: 'refresh_token',
+            },
+          ),
+        )
+
+        WorkOS::RefreshAuthenticationResponse.new(response.body)
+      end
+
       # Authenticate user by Magic Auth Code.
       #
       # @param [String] code The one-time code that was emailed to the user.
@@ -554,6 +594,66 @@ module WorkOS
         WorkOS::AuthenticationResponse.new(response.body)
       end
 
+      # Get the logout URL for a session
+      #
+      # The user's browser should be navigated to this URL
+      #
+      # @param [String] session_id The session ID can be found in the `sid`
+      #   claim of the access token
+      #
+      # @return String
+      sig do
+        params(
+          session_id: String,
+        ).returns(String)
+      end
+      def get_logout_url(session_id:)
+        URI::HTTPS.build(
+          host: WorkOS.config.api_hostname,
+          path: '/user_management/sessions/logout',
+          query: "session_id=#{session_id}",
+        ).to_s
+      end
+
+      # Revokes a session
+      #
+      # @param [String] session_id The session ID can be found in the `sid`
+      #   claim of the access token
+      sig do
+        params(
+          session_id: String,
+        ).void
+      end
+      def revoke_session(session_id:)
+        execute_request(
+          request: post_request(
+            path: '/user_management/sessions/revoke',
+            body: {
+              session_id: session_id,
+            },
+          ),
+        )
+      end
+
+      # Get the JWKS URL
+      #
+      # The JWKS can be used to validate the access token returned upon successful authentication
+      #
+      # @param [String] client_id The WorkOS client ID for the environment
+      #
+      # @return String
+      sig do
+        params(
+          client_id: String,
+        ).returns(String)
+      end
+      def get_jwks_url(client_id)
+        URI::HTTPS.build(
+          host: WorkOS.config.api_hostname,
+          path: "/sso/jwks/#{client_id}",
+        ).to_s
+      end
+
       # Create a one-time Magic Auth code and emails it to the user.
       #
       # @param [String] email The email address the one-time code will be sent to.

data/lib/workos/version.rb

@@ -2,5 +2,5 @@
 # typed: strong
 
 module WorkOS
-  VERSION = '4.0.0'
+  VERSION = '4.1.0'
 end

data/lib/workos.rb

@@ -58,6 +58,7 @@ module WorkOS
   autoload :Event, 'workos/event'
   autoload :Events, 'workos/events'
   autoload :Factor, 'workos/factor'
+  autoload :Impersonator, 'workos/impersonator'
   autoload :Invitation, 'workos/invitation'
   autoload :MFA, 'workos/mfa'
   autoload :Organization, 'workos/organization'
@@ -67,6 +68,7 @@ module WorkOS
   autoload :Portal, 'workos/portal'
   autoload :Profile, 'workos/profile'
   autoload :ProfileAndToken, 'workos/profile_and_token'
+  autoload :RefreshAuthenticationResponse, 'workos/refresh_authentication_response'
   autoload :SSO, 'workos/sso'
   autoload :Types, 'workos/types'
   autoload :User, 'workos/user'

data/spec/lib/workos/user_management_spec.rb

@@ -377,7 +377,7 @@ describe WorkOS::UserManagement do
   describe '.authenticate_with_password' do
     context 'with a valid password' do
       it 'returns user' do
-        VCR.use_cassette('user_management/authenticate_with_password/valid') do
+        VCR.use_cassette('user_management/authenticate_with_password/valid', tag: :token) do
           authentication_response = WorkOS::UserManagement.authenticate_with_password(
             email: 'test@workos.app',
             password: '7YtYic00VWcXatPb',
@@ -418,6 +418,24 @@ describe WorkOS::UserManagement do
             user_agent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/108.0.0.0 Safari/537.36',
           )
           expect(authentication_response.user.id).to eq('user_01H93ZY4F80YZRRS6N59Z2HFVS')
+          expect(authentication_response.access_token).to eq('<ACCESS_TOKEN>')
+          expect(authentication_response.refresh_token).to eq('<REFRESH_TOKEN>')
+        end
+      end
+
+      context 'when the user is being impersonated' do
+        it 'contains the impersonator metadata' do
+          VCR.use_cassette('user_management/authenticate_with_code/valid_with_impersonator') do
+            authentication_response = WorkOS::UserManagement.authenticate_with_code(
+              code: '01HRX85ATQB2MN40K4FZ9C2HFR',
+              client_id: 'client_01GS91XFB2YPR1C0NR5SH758Q0',
+            )
+
+            expect(authentication_response.impersonator).to have_attributes(
+              email: 'admin@foocorp.com',
+              reason: 'For testing.',
+            )
+          end
         end
       end
     end
@@ -438,10 +456,42 @@ describe WorkOS::UserManagement do
     end
   end
 
+  describe '.authenticate_with_refresh_token' do
+    context 'with a valid refresh_token' do
+      it 'returns user' do
+        VCR.use_cassette('user_management/authenticate_with_refresh_token/valid', tag: :token) do
+          authentication_response = WorkOS::UserManagement.authenticate_with_refresh_token(
+            refresh_token: 'some_refresh_token',
+            client_id: 'client_123',
+            ip_address: '200.240.210.16',
+            user_agent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/108.0.0.0 Safari/537.36',
+          )
+          expect(authentication_response.access_token).to eq('<ACCESS_TOKEN>')
+          expect(authentication_response.refresh_token).to eq('<REFRESH_TOKEN>')
+        end
+      end
+    end
+
+    context 'with an invalid refresh_token' do
+      it 'raises an error' do
+        VCR.use_cassette('user_management/authenticate_with_refresh_code/invalid', tag: :token) do
+          expect do
+            WorkOS::UserManagement.authenticate_with_refresh_token(
+              refresh_token: 'invalid',
+              client_id: 'client_123',
+              ip_address: '200.240.210.16',
+              user_agent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/108.0.0.0 Safari/537.36',
+            )
+          end.to raise_error(WorkOS::InvalidRequestError, /Status 400/)
+        end
+      end
+    end
+  end
+
   describe '.authenticate_with_magic_auth' do
     context 'with a valid code' do
       it 'returns user' do
-        VCR.use_cassette('user_management/authenticate_with_magic_auth/valid') do
+        VCR.use_cassette('user_management/authenticate_with_magic_auth/valid', tag: :token) do
           authentication_response = WorkOS::UserManagement.authenticate_with_magic_auth(
             code: '452079',
             client_id: 'project_01EGKAEB7G5N88E83MF99J785F',
@@ -456,7 +506,7 @@ describe WorkOS::UserManagement do
 
     context 'with an invalid code' do
       it 'returns an error' do
-        VCR.use_cassette('user_management/authenticate_with_magic_auth/invalid') do
+        VCR.use_cassette('user_management/authenticate_with_magic_auth/invalid', tag: :token) do
           expect do
             WorkOS::UserManagement.authenticate_with_magic_auth(
               code: 'invalid',
@@ -472,7 +522,7 @@ describe WorkOS::UserManagement do
   describe '.authenticate_with_organization_selection' do
     context 'with a valid code' do
       it 'returns user' do
-        VCR.use_cassette('user_management/authenticate_with_organization_selection/valid') do
+        VCR.use_cassette('user_management/authenticate_with_organization_selection/valid', tag: :token) do
           authentication_response = WorkOS::UserManagement.authenticate_with_organization_selection(
             client_id: 'project_01EGKAEB7G5N88E83MF99J785F',
             organization_id: 'org_01H5JQDV7R7ATEYZDEG0W5PRYS',
@@ -488,7 +538,7 @@ describe WorkOS::UserManagement do
 
     context 'with an invalid token' do
       it 'returns an error' do
-        VCR.use_cassette('user_management/authenticate_with_organization_selection/invalid') do
+        VCR.use_cassette('user_management/authenticate_with_organization_selection/invalid', tag: :token) do
           expect do
             WorkOS::UserManagement.authenticate_with_organization_selection(
               organization_id: 'invalid_org_id',
@@ -504,7 +554,7 @@ describe WorkOS::UserManagement do
   describe '.authenticate_with_totp' do
     context 'with a valid code' do
       it 'returns user' do
-        VCR.use_cassette('user_management/authenticate_with_totp/valid') do
+        VCR.use_cassette('user_management/authenticate_with_totp/valid', tag: :token) do
           authentication_response = WorkOS::UserManagement.authenticate_with_totp(
             code: '01H93ZZHA0JBHFJH9RR11S83YN',
             client_id: 'client_123',
@@ -520,7 +570,7 @@ describe WorkOS::UserManagement do
 
     context 'with an invalid code' do
       it 'raises an error' do
-        VCR.use_cassette('user_management/authenticate_with_totp/invalid') do
+        VCR.use_cassette('user_management/authenticate_with_totp/invalid', tag: :token) do
           expect do
             WorkOS::UserManagement.authenticate_with_totp(
               code: 'invalid',
@@ -539,7 +589,7 @@ describe WorkOS::UserManagement do
   describe '.authenticate_with_email_verification' do
     context 'with a valid code' do
       it 'returns user' do
-        VCR.use_cassette('user_management/authenticate_with_email_verification/valid') do
+        VCR.use_cassette('user_management/authenticate_with_email_verification/valid', tag: :token) do
           authentication_response = WorkOS::UserManagement.authenticate_with_email_verification(
             code: '01H93ZZHA0JBHFJH9RR11S83YN',
             client_id: 'client_123',
@@ -554,7 +604,7 @@ describe WorkOS::UserManagement do
 
     context 'with an invalid code' do
       it 'raises an error' do
-        VCR.use_cassette('user_management/authenticate_with_email_verification/invalid') do
+        VCR.use_cassette('user_management/authenticate_with_email_verification/invalid', tag: :token) do
           expect do
             WorkOS::UserManagement.authenticate_with_email_verification(
               code: 'invalid',

data/spec/spec_helper.rb

@@ -26,6 +26,12 @@ SPEC_ROOT = File.dirname __FILE__
 VCR.configure do |config|
   config.cassette_library_dir = 'spec/support/fixtures/vcr_cassettes'
   config.filter_sensitive_data('<API_KEY>') { WorkOS.config.key }
+  config.filter_sensitive_data('<ACCESS_TOKEN>', :token) do |interaction|
+    JSON.parse(interaction.response.body)['access_token']
+  end
+  config.filter_sensitive_data('<REFRESH_TOKEN>', :token) do |interaction|
+    JSON.parse(interaction.response.body)['refresh_token']
+  end
   config.hook_into :webmock
 end
 

data/spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/valid.yml

@@ -76,7 +76,7 @@ http_interactions:
           - cloudflare
       body:
         encoding: ASCII-8BIT
-        string: '{"user":{"object":"user","id":"user_01H93ZY4F80YZRRS6N59Z2HFVS","email":"test@workos.app","email_verified":false,"first_name":"Lucille","last_name":"Bluth","created_at":"2023-08-30T19:50:13.214Z","updated_at":"2023-08-30T19:50:13.214Z","user_type":"managed","sso_profile_id":"prof_01H93ZTVWYPAT4RKDSPFPPXH0J"}}'
+        string: '{"user":{"object":"user","id":"user_01H93ZY4F80YZRRS6N59Z2HFVS","email":"test@workos.app","email_verified":false,"first_name":"Lucille","last_name":"Bluth","created_at":"2023-08-30T19:50:13.214Z","updated_at":"2023-08-30T19:50:13.214Z","user_type":"managed","sso_profile_id":"prof_01H93ZTVWYPAT4RKDSPFPPXH0J"},"access_token":"<ACCESS_TOKEN>","refresh_token":"<REFRESH_TOKEN>"}'
       http_version:
     recorded_at: Wed, 30 Aug 2023 19:51:51 GMT
 recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/valid_with_impersonator.yml

@@ -0,0 +1,80 @@
+---
+http_interactions:
+- request:
+    method: post
+    uri: https://api.workos.com/user_management/authenticate
+    body:
+      encoding: UTF-8
+      string: '{"code":"01HRX85ATQB2MN40K4FZ9C2HFR","client_id":"client_01GS91XFB2YPR1C0NR5SH758Q0","client_secret":"<API_KEY>","ip_address":null,"user_agent":null,"grant_type":"authorization_code"}'
+    headers:
+      Content-Type:
+      - application/json
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - WorkOS; ruby/3.1.1; arm64-darwin21; v4.0.0
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Date:
+      - Thu, 14 Mar 2024 01:10:34 GMT
+      Content-Type:
+      - application/json; charset=utf-8
+      Content-Length:
+      - '875'
+      Connection:
+      - keep-alive
+      Cf-Ray:
+      - 8640628169fa0d54-LAX
+      Cf-Cache-Status:
+      - DYNAMIC
+      Etag:
+      - W/"47c-66YSPNMN47PZx4ahCgTQvmryR90"
+      Strict-Transport-Security:
+      - max-age=15552000; includeSubDomains
+      Vary:
+      - Origin, Accept-Encoding
+      Via:
+      - 1.1 spaces-router (devel)
+      Access-Control-Allow-Credentials:
+      - 'true'
+      Content-Security-Policy:
+      - 'default-src ''self'';base-uri ''self'';block-all-mixed-content;font-src ''self''
+        https: data:;frame-ancestors ''self'';img-src ''self'' data:;object-src ''none'';script-src
+        ''self'';script-src-attr ''none'';style-src ''self'' https: ''unsafe-inline'';upgrade-insecure-requests'
+      Expect-Ct:
+      - max-age=0
+      Referrer-Policy:
+      - no-referrer
+      X-Content-Type-Options:
+      - nosniff
+      X-Dns-Prefetch-Control:
+      - 'off'
+      X-Download-Options:
+      - noopen
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Permitted-Cross-Domain-Policies:
+      - none
+      X-Request-Id:
+      - f22ea52f-bf1a-4d5e-acb1-10b2e99ffbe5
+      X-Xss-Protection:
+      - '0'
+      Set-Cookie:
+      - __cf_bm=pYiV6zsrN3V8vd8vKA_bp0qN2LYd1HUQAIVHcevLYw4-1710378634-1.0.1.1-wNPVRK6jpySHc7bqiAVCtM6T64oKxFAjrcvJNJAPU.RhZFRgPfQRGWYbC4l0ckcsyhZ2_I7GTu17yNowC.smHA;
+        path=/; expires=Thu, 14-Mar-24 01:40:34 GMT; domain=.workos.com; HttpOnly;
+        Secure; SameSite=None
+      - __cfruid=914cc38ede83520e897d1eaef25a8e5daa4975d0-1710378634; path=/; domain=.workos.com;
+        HttpOnly; Secure; SameSite=None
+      Server:
+      - cloudflare
+    body:
+      encoding: ASCII-8BIT
+      string: '{"user":{"object":"user","id":"user_01HP0B4ZV2FWWVY0BF16GFDAER","email":"bob@example.com","email_verified":false,"first_name":"Bob","last_name":"Loblaw","profile_picture_url":null,"created_at":"2024-02-06T23:13:18.137Z","updated_at":"2024-02-06T23:13:36.946Z"},"impersonator":{"email":"admin@foocorp.com","reason":"For testing."},"access_token":"<ACCESS_TOKEN>","refresh_token":"<REFRESH_TOKEN>"}'
+    http_version:
+  recorded_at: Thu, 14 Mar 2024 01:10:34 GMT
+recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_email_verification/valid.yml

@@ -75,7 +75,7 @@ http_interactions:
           - cloudflare
       body:
         encoding: ASCII-8BIT
-        string: '{"user":{"object":"user","id":"user_01H93ZY4F80YZRRS6N59Z2HFVS","email":"test@workos.app","email_verified":false,"first_name":"Lucille","last_name":"Bluth","created_at":"2023-08-30T19:50:13.214Z","updated_at":"2023-08-30T19:50:13.214Z","user_type":"managed","sso_profile_id":"prof_01H93ZTVWYPAT4RKDSPFPPXH0J"}}'
+        string: '{"user":{"object":"user","id":"user_01H93ZY4F80YZRRS6N59Z2HFVS","email":"test@workos.app","email_verified":false,"first_name":"Lucille","last_name":"Bluth","created_at":"2023-08-30T19:50:13.214Z","updated_at":"2023-08-30T19:50:13.214Z","user_type":"managed","sso_profile_id":"prof_01H93ZTVWYPAT4RKDSPFPPXH0J"},"access_token":"<ACCESS_TOKEN>","refresh_token":"<REFRESH_TOKEN>"}'
       http_version:
     recorded_at: Wed, 30 Aug 2023 19:51:51 GMT
 recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_magic_auth/valid.yml

@@ -76,7 +76,7 @@ http_interactions:
           - cloudflare
       body:
         encoding: ASCII-8BIT
-        string: '{"user":{"object":"user","id":"user_01H93WD0R0KWF8Q7BK02C0RPYJ","email":"test@workos.app","email_verified":true,"first_name":"Lucille","last_name":"Bluth","created_at":"2023-08-30T18:48:26.517Z","updated_at":"2023-08-30T18:58:00.821Z","user_type":"unmanaged","email_verified_at":"2023-08-30T18:58:00.915Z","google_oauth_profile_id":null,"microsoft_oauth_profile_id":null}}'
+        string: '{"user":{"object":"user","id":"user_01H93WD0R0KWF8Q7BK02C0RPYJ","email":"test@workos.app","email_verified":true,"first_name":"Lucille","last_name":"Bluth","created_at":"2023-08-30T18:48:26.517Z","updated_at":"2023-08-30T18:58:00.821Z","user_type":"unmanaged","email_verified_at":"2023-08-30T18:58:00.915Z","google_oauth_profile_id":null,"microsoft_oauth_profile_id":null},"access_token":"<ACCESS_TOKEN>","refresh_token":"<REFRESH_TOKEN>"}'
       http_version:
     recorded_at: Wed, 30 Aug 2023 18:58:00 GMT
 recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_organization_selection/valid.yml

@@ -76,7 +76,7 @@ http_interactions:
           - cloudflare
       body:
         encoding: UTF-8
-        string: '{"organization_id":"org_01H5JQDV7R7ATEYZDEG0W5PRYS","user":{"object":"user","id":"user_01H93WD0R0KWF8Q7BK02C0RPYJ","email":"test@workos.app","email_verified":true,"first_name":"Lucille","last_name":"Bluth","created_at":"2023-08-30T18:48:26.517Z","updated_at":"2023-08-30T18:58:00.821Z","user_type":"unmanaged","email_verified_at":"2023-08-30T18:58:00.915Z","google_oauth_profile_id":null,"microsoft_oauth_profile_id":null}}'
+        string: '{"organization_id":"org_01H5JQDV7R7ATEYZDEG0W5PRYS","user":{"object":"user","id":"user_01H93WD0R0KWF8Q7BK02C0RPYJ","email":"test@workos.app","email_verified":true,"first_name":"Lucille","last_name":"Bluth","created_at":"2023-08-30T18:48:26.517Z","updated_at":"2023-08-30T18:58:00.821Z","user_type":"unmanaged","email_verified_at":"2023-08-30T18:58:00.915Z","google_oauth_profile_id":null,"microsoft_oauth_profile_id":null},"access_token":"<ACCESS_TOKEN>","refresh_token":"<REFRESH_TOKEN>"}'
       http_version:
     recorded_at: Wed, 20 Dec 2023 22:00:12 GMT
 recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_password/valid.yml

@@ -76,7 +76,7 @@ http_interactions:
           - cloudflare
       body:
         encoding: ASCII-8BIT
-        string: '{"user":{"object":"user","id":"user_01H7TVSKS45SDHN5V9XPSM6H44","email":"test@workos.app","email_verified":true,"first_name":null,"last_name":null,"created_at":"2023-08-14T20:28:58.929Z","updated_at":"2023-08-28T15:56:19.798Z","user_type":"unmanaged","email_verified_at":"2023-08-22T11:18:01.850Z","google_oauth_profile_id":null,"microsoft_oauth_profile_id":null}}'
+        string: '{"user":{"object":"user","id":"user_01H7TVSKS45SDHN5V9XPSM6H44","email":"test@workos.app","email_verified":true,"first_name":null,"last_name":null,"created_at":"2023-08-14T20:28:58.929Z","updated_at":"2023-08-28T15:56:19.798Z","user_type":"unmanaged","email_verified_at":"2023-08-22T11:18:01.850Z","google_oauth_profile_id":null,"microsoft_oauth_profile_id":null},"access_token":"<ACCESS_TOKEN>","refresh_token":"<REFRESH_TOKEN>"}'
       http_version:
     recorded_at: Tue, 29 Aug 2023 00:24:25 GMT
 recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_refresh_code/invalid.yml

@@ -0,0 +1,81 @@
+---
+http_interactions:
+- request:
+    method: post
+    uri: https://api.workos.com/user_management/authenticate
+    body:
+      encoding: UTF-8
+      string: '{"refresh_token":"invalid","client_id":"client_123","client_secret":"<API_KEY>","ip_address":"200.240.210.16","user_agent":"Mozilla/5.0
+        (Macintosh; Intel Mac OS X 10_15_7) Chrome/108.0.0.0 Safari/537.36","grant_type":"refresh_token"}'
+    headers:
+      Content-Type:
+      - application/json
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - WorkOS; ruby/3.2.2; arm64-darwin22; v4.0.0
+  response:
+    status:
+      code: 400
+      message: Bad Request
+    headers:
+      Date:
+      - Tue, 19 Mar 2024 16:06:37 GMT
+      Content-Type:
+      - application/json; charset=utf-8
+      Content-Length:
+      - '70'
+      Connection:
+      - keep-alive
+      Cf-Ray:
+      - 866eb5f11e5f5304-SLC
+      Cf-Cache-Status:
+      - DYNAMIC
+      Etag:
+      - W/"46-6ugkBnqF9SxNnhijAAHjGcT083A"
+      Strict-Transport-Security:
+      - max-age=15552000; includeSubDomains
+      Vary:
+      - Origin, Accept-Encoding
+      Via:
+      - 1.1 spaces-router (devel)
+      Access-Control-Allow-Credentials:
+      - 'true'
+      Content-Security-Policy:
+      - 'default-src ''self'';base-uri ''self'';block-all-mixed-content;font-src ''self''
+        https: data:;frame-ancestors ''self'';img-src ''self'' data:;object-src ''none'';script-src
+        ''self'';script-src-attr ''none'';style-src ''self'' https: ''unsafe-inline'';upgrade-insecure-requests'
+      Expect-Ct:
+      - max-age=0
+      Referrer-Policy:
+      - no-referrer
+      X-Content-Type-Options:
+      - nosniff
+      X-Dns-Prefetch-Control:
+      - 'off'
+      X-Download-Options:
+      - noopen
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Permitted-Cross-Domain-Policies:
+      - none
+      X-Request-Id:
+      - 32619697-61a5-4ad1-80ab-9d26a6a74d12
+      X-Xss-Protection:
+      - '0'
+      Set-Cookie:
+      - __cf_bm=QdnPZspsJTPGj.ljZ.hfxMSzw0C1in.rjVkGjY75Ht8-1710864397-1.0.1.1-dA2qdL_CwORHen0HwGvbeJXGixoc_htTepIFYUnChePSsMpTdvHI7pWe0ddNWtrRbDD6GEK7TkgM7qPdAXVsaw;
+        path=/; expires=Tue, 19-Mar-24 16:36:37 GMT; domain=.workos.com; HttpOnly;
+        Secure; SameSite=None
+      - __cfruid=a7cc4637e2746cb557755f0665c5f2a6206b907a-1710864397; path=/; domain=.workos.com;
+        HttpOnly; Secure; SameSite=None
+      Server:
+      - cloudflare
+    body:
+      encoding: UTF-8
+      string: '{"error":"invalid_grant","error_description":"Invalid refresh token."}'
+    http_version:
+  recorded_at: Tue, 19 Mar 2024 16:06:37 GMT
+recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_refresh_token/valid.yml

@@ -0,0 +1,81 @@
+---
+http_interactions:
+- request:
+    method: post
+    uri: https://api.workos.com/user_management/authenticate
+    body:
+      encoding: UTF-8
+      string: '{"refresh_token":"some_refresh_token","client_id":"client_123","client_secret":"<API_KEY>","ip_address":"200.240.210.16","user_agent":"Mozilla/5.0
+        (Macintosh; Intel Mac OS X 10_15_7) Chrome/108.0.0.0 Safari/537.36","grant_type":"refresh_token"}'
+    headers:
+      Content-Type:
+      - application/json
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - WorkOS; ruby/3.2.2; arm64-darwin22; v4.0.0
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Date:
+      - Mon, 18 Mar 2024 19:00:53 GMT
+      Content-Type:
+      - application/json; charset=utf-8
+      Transfer-Encoding:
+      - chunked
+      Connection:
+      - keep-alive
+      Cf-Ray:
+      - 866777d63b4627e8-SLC
+      Cf-Cache-Status:
+      - DYNAMIC
+      Etag:
+      - W/"335-M3MDQYhs5724SayBHHCwnBDn3qA"
+      Strict-Transport-Security:
+      - max-age=15552000; includeSubDomains
+      Vary:
+      - Origin, Accept-Encoding
+      Via:
+      - 1.1 spaces-router (devel)
+      Access-Control-Allow-Credentials:
+      - 'true'
+      Content-Security-Policy:
+      - 'default-src ''self'';base-uri ''self'';block-all-mixed-content;font-src ''self''
+        https: data:;frame-ancestors ''self'';img-src ''self'' data:;object-src ''none'';script-src
+        ''self'';script-src-attr ''none'';style-src ''self'' https: ''unsafe-inline'';upgrade-insecure-requests'
+      Expect-Ct:
+      - max-age=0
+      Referrer-Policy:
+      - no-referrer
+      X-Content-Type-Options:
+      - nosniff
+      X-Dns-Prefetch-Control:
+      - 'off'
+      X-Download-Options:
+      - noopen
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Permitted-Cross-Domain-Policies:
+      - none
+      X-Request-Id:
+      - 995ed1ed-e892-4049-86c9-0e07baa6cc4b
+      X-Xss-Protection:
+      - '0'
+      Set-Cookie:
+      - __cf_bm=2NHqv1cd1BisOc8KKcQ0oNzFxZZT4OHQd6c2QDuGnUU-1710788453-1.0.1.1-4BxBRzVrhL7rCH895PcfORXr_6Rnj3Oh5w1YG4xi7X1st62LMzb5dHZO7u7P.V1P8nBDAAt3Wbz7xsDTWrfWJg;
+        path=/; expires=Mon, 18-Mar-24 19:30:53 GMT; domain=.workos.com; HttpOnly;
+        Secure; SameSite=None
+      - __cfruid=06035c17e9b60a1d7a42a5b568146a0bb71a06dc-1710788453; path=/; domain=.workos.com;
+        HttpOnly; Secure; SameSite=None
+      Server:
+      - cloudflare
+    body:
+      encoding: UTF-8
+      string: '{"access_token":"<ACCESS_TOKEN>","refresh_token":"<REFRESH_TOKEN>"}'
+    http_version:
+  recorded_at: Mon, 18 Mar 2024 19:00:53 GMT
+recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_totp/valid.yml

@@ -75,7 +75,7 @@ http_interactions:
           - cloudflare
       body:
         encoding: ASCII-8BIT
-        string: '{"user":{"object":"user","id":"user_01H93ZY4F80YZRRS6N59Z2HFVS","email":"test@workos.app","email_verified":false,"first_name":"Lucille","last_name":"Bluth","created_at":"2023-08-30T19:50:13.214Z","updated_at":"2023-08-30T19:50:13.214Z","user_type":"managed","sso_profile_id":"prof_01H93ZTVWYPAT4RKDSPFPPXH0J"}}'
+        string: '{"user":{"object":"user","id":"user_01H93ZY4F80YZRRS6N59Z2HFVS","email":"test@workos.app","email_verified":false,"first_name":"Lucille","last_name":"Bluth","created_at":"2023-08-30T19:50:13.214Z","updated_at":"2023-08-30T19:50:13.214Z","user_type":"managed","sso_profile_id":"prof_01H93ZTVWYPAT4RKDSPFPPXH0J"},"access_token":"<ACCESS_TOKEN>","refresh_token":"<REFRESH_TOKEN>"}'
       http_version:
     recorded_at: Wed, 30 Aug 2023 19:51:51 GMT
 recorded_with: VCR 5.0.0

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: workos
 version: !ruby/object:Gem::Version
-  version: 4.0.0
+  version: 4.1.0
 platform: ruby
 authors:
 - WorkOS
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-08 00:00:00.000000000 Z
+date: 2024-03-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sorbet-runtime
@@ -182,6 +182,7 @@ files:
 - lib/workos/events.rb
 - lib/workos/factor.rb
 - lib/workos/hash_provider.rb
+- lib/workos/impersonator.rb
 - lib/workos/invitation.rb
 - lib/workos/mfa.rb
 - lib/workos/organization.rb
@@ -191,6 +192,7 @@ files:
 - lib/workos/portal.rb
 - lib/workos/profile.rb
 - lib/workos/profile_and_token.rb
+- lib/workos/refresh_authentication_response.rb
 - lib/workos/sso.rb
 - lib/workos/types.rb
 - lib/workos/types/audit_log_export_struct.rb
@@ -364,6 +366,7 @@ files:
 - spec/support/fixtures/vcr_cassettes/sso/profile.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/valid.yml
+- spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/valid_with_impersonator.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_email_verification/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_email_verification/valid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_magic_auth/invalid.yml
@@ -372,6 +375,8 @@ files:
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_organization_selection/valid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_password/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_password/valid.yml
+- spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_refresh_code/invalid.yml
+- spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_refresh_token/valid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_totp/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_totp/valid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/confirm_password_reset/invalid.yml
@@ -549,6 +554,7 @@ test_files:
 - spec/support/fixtures/vcr_cassettes/sso/profile.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/valid.yml
+- spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/valid_with_impersonator.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_email_verification/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_email_verification/valid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_magic_auth/invalid.yml
@@ -557,6 +563,8 @@ test_files:
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_organization_selection/valid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_password/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_password/valid.yml
+- spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_refresh_code/invalid.yml
+- spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_refresh_token/valid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_totp/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_totp/valid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/confirm_password_reset/invalid.yml