workos 5.10.0 → 5.11.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 83c350d6c017c0cf423adb02925391b3a5e11d622479d76073c3c6372e526105
-  data.tar.gz: 83a8e5700dc7a3d47d37a84de01f866997a260eeaf96c55fd40318a30195a7d7
+  metadata.gz: 2792dbbd0e3dac4d2a9eac0920a135b0db63c723a85fbbec049327ab2cffd547
+  data.tar.gz: 356cb856f6e2df599daf2affc94eb74d4ee885ab71d77e6002ab176718dbc0ee
 SHA512:
-  metadata.gz: 48bcc853e186de15ce9e71e98415d801e412540a43fe1711ab97264b3419ce7dc7c1ec6095411cc7093bcb788b02ab51efe4689c0a79993f921e037ce0a7954c
-  data.tar.gz: f52aec8320aa98bb11ec114ffccb51a82218c7581cac202f74facfe943e96633b90262a67c37ed0677c73f4f73bb3bdd77760a67471c80a18ca878e0d7dffb55
+  metadata.gz: d4a1406d88ac981d0d0653027cf2afe17b64d7c577d6cfe0d4ccc9ffb0a6c6be29c0f3ed140a03bb8ce5a8876990e41bea60a892f5675dc6578ce1526a4504f6
+  data.tar.gz: 55abb8c32270ce7b4b5e4e7142f9f6c390e9cca88c3f3eb1242840193f4155da9bf4f018d85e5b34f51ebd3cc85f0cac176c8cd00abffd077133962100083566

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    workos (5.10.0)
+    workos (5.11.1)
       encryptor (~> 3.0)
       jwt (~> 2.8)
 
@@ -19,7 +19,7 @@ GEM
     diff-lcs (1.5.1)
     encryptor (3.0.0)
     hashdiff (1.1.0)
-    jwt (2.8.2)
+    jwt (2.10.1)
       base64
     parallel (1.24.0)
     parser (3.3.0.5)

data/lib/workos/cache.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+module WorkOS
+  # The Cache module provides a simple in-memory cache for storing values
+  # This module is not meant to be instantiated in a user space, and is used internally by the SDK
+  module Cache
+    # The Entry class represents a cache entry with a value and an expiration time
+    class Entry
+      attr_reader :value, :expires_at
+
+      # Initializes a new cache entry
+      # @param value [Object] The value to store in the cache
+      # @param expires_in_seconds [Integer, nil] The expiration time for the value in seconds, or nil for no expiration
+      def initialize(value, expires_in_seconds)
+        @value = value
+        @expires_at = expires_in_seconds ? Time.now + expires_in_seconds : nil
+      end
+
+      # Checks if the entry has expired
+      # @return [Boolean] True if the entry has expired, false otherwise
+      def expired?
+        return false if expires_at.nil?
+
+        Time.now > @expires_at
+      end
+    end
+
+    class << self
+      # Fetches a value from the cache, or calls the block to fetch the value if it is not present
+      # @param key [String] The key to fetch the value for
+      # @param expires_in [Integer] The expiration time for the value in seconds
+      # @param force [Boolean] If true, the value will be fetched from the block even if it is present in the cache
+      # @param block [Proc] The block to call to fetch the value if it is not present in the cache
+      # @return [Object] The value fetched from the cache or the block
+      def fetch(key, expires_in: nil, force: false, &block)
+        entry = store[key]
+
+        if force || entry.nil? || entry.expired?
+          value = block.call
+          store[key] = Entry.new(value, expires_in)
+          return value
+        end
+
+        entry.value
+      end
+
+      # Reads a value from the cache
+      # @param key [String] The key to read the value for
+      # @return [Object] The value read from the cache, or nil if the value is not present or has expired
+      def read(key)
+        entry = store[key]
+        return nil if entry.nil? || entry.expired?
+
+        entry.value
+      end
+
+      # Writes a value to the cache
+      # @param key [String] The key to write the value for
+      # @param value [Object] The value to write to the cache
+      # @param expires_in [Integer] The expiration time for the value in seconds
+      # @return [Object] The value written to the cache
+      def write(key, value, expires_in: nil)
+        store[key] = Entry.new(value, expires_in)
+        value
+      end
+
+      # Deletes a value from the cache
+      # @param key [String] The key to delete the value for
+      def delete(key)
+        store.delete(key)
+      end
+
+      # Clears all values from the cache
+      def clear
+        store.clear
+      end
+
+      # Checks if a value exists in the cache
+      # @param key [String] The key to check for
+      # @return [Boolean] True if the value exists and has not expired, false otherwise
+      def exist?(key)
+        entry = store[key]
+        !(entry.nil? || entry.expired?)
+      end
+
+      private
+
+      # The in-memory store for the cache
+      def store
+        @store ||= {}
+      end
+    end
+  end
+end

data/lib/workos/session.rb

@@ -23,7 +23,9 @@ module WorkOS
       @session_data = session_data
       @client_id = client_id
 
-      @jwks = create_remote_jwk_set(URI(@user_management.get_jwks_url(client_id)))
+      @jwks = Cache.fetch("jwks_#{client_id}", expires_in: 5 * 60) do
+        create_remote_jwk_set(URI(@user_management.get_jwks_url(client_id)))
+      end
       @jwks_algorithms = @jwks.map { |key| key[:alg] }.compact.uniq
     end
 
@@ -101,18 +103,17 @@ module WorkOS
     # rubocop:enable Metrics/PerceivedComplexity
 
     # Returns a URL to redirect the user to for logging out
+    # @param return_to [String] The URL to redirect the user to after logging out
     # @return [String] The URL to redirect the user to for logging out
-    # rubocop:disable Naming/AccessorMethodName
-    def get_logout_url
+    def get_logout_url(return_to: nil)
       auth_response = authenticate
 
       unless auth_response[:authenticated]
         raise "Failed to extract session ID for logout URL: #{auth_response[:reason]}"
       end
 
-      @user_management.get_logout_url(session_id: auth_response[:session_id])
+      @user_management.get_logout_url(session_id: auth_response[:session_id], return_to: return_to)
     end
-    # rubocop:enable Naming/AccessorMethodName
 
     # Encrypts and seals data using AES-256-GCM
     # @param data [Hash] The data to seal

data/lib/workos/user_management.rb

@@ -530,13 +530,17 @@ module WorkOS
       #
       # @param [String] session_id The session ID can be found in the `sid`
       #   claim of the access token
+      # @param [String] return_to The URL to redirect the user to after logging out
       #
       # @return String
-      def get_logout_url(session_id:)
+      def get_logout_url(session_id:, return_to: nil)
+        params = { session_id: session_id }
+        params[:return_to] = return_to if return_to
+
         URI::HTTPS.build(
           host: WorkOS.config.api_hostname,
           path: '/user_management/sessions/logout',
-          query: "session_id=#{session_id}",
+          query: URI.encode_www_form(params),
         ).to_s
       end
 

data/lib/workos/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WorkOS
-  VERSION = '5.10.0'
+  VERSION = '5.11.1'
 end

data/lib/workos.rb

@@ -45,6 +45,7 @@ module WorkOS
   autoload :AuthenticationFactorAndChallenge, 'workos/authentication_factor_and_challenge'
   autoload :AuthenticationResponse, 'workos/authentication_response'
   autoload :AuditLogs, 'workos/audit_logs'
+  autoload :Cache, 'workos/cache'
   autoload :Challenge, 'workos/challenge'
   autoload :Client, 'workos/client'
   autoload :Connection, 'workos/connection'

data/spec/lib/workos/cache_spec.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+describe WorkOS::Cache do
+  before { described_class.clear }
+
+  describe '.write and .read' do
+    it 'stores and retrieves data' do
+      described_class.write('key', 'value')
+      expect(described_class.read('key')).to eq('value')
+    end
+
+    it 'returns nil if key does not exist' do
+      expect(described_class.read('missing')).to be_nil
+    end
+  end
+
+  describe '.fetch' do
+    it 'returns cached value when present and not expired' do
+      described_class.write('key', 'value')
+      fetch_value = described_class.fetch('key') { 'new_value' }
+      expect(fetch_value).to eq('value')
+    end
+
+    it 'executes block and caches value when not present' do
+      fetch_value = described_class.fetch('key') { 'new_value' }
+      expect(fetch_value).to eq('new_value')
+    end
+
+    it 'executes block and caches value when force is true' do
+      described_class.write('key', 'value')
+      fetch_value = described_class.fetch('key', force: true) { 'new_value' }
+      expect(fetch_value).to eq('new_value')
+    end
+  end
+
+  describe 'expiration' do
+    it 'expires values after specified time' do
+      described_class.write('key', 'value', expires_in: 0.1)
+      expect(described_class.read('key')).to eq('value')
+      sleep 0.2
+      expect(described_class.read('key')).to be_nil
+    end
+
+    it 'executes block and caches new value when expired' do
+      described_class.write('key', 'old_value', expires_in: 0.1)
+      sleep 0.2
+      fetch_value = described_class.fetch('key') { 'new_value' }
+      expect(fetch_value).to eq('new_value')
+    end
+
+    it 'does not expire values when expires_in is nil' do
+      described_class.write('key', 'value', expires_in: nil)
+      sleep 0.2
+      expect(described_class.read('key')).to eq('value')
+    end
+  end
+
+  describe '.exist?' do
+    it 'returns true if key exists' do
+      described_class.write('key', 'value')
+      expect(described_class.exist?('key')).to be true
+    end
+
+    it 'returns false if expired' do
+      described_class.write('key', 'value', expires_in: 0.1)
+      sleep 0.2
+      expect(described_class.exist?('key')).to be false
+    end
+
+    it 'returns false if key does not exist' do
+      expect(described_class.exist?('missing')).to be false
+    end
+  end
+
+  describe '.delete' do
+    it 'deletes key' do
+      described_class.write('key', 'value')
+      described_class.delete('key')
+      expect(described_class.read('key')).to be_nil
+    end
+  end
+
+  describe '.clear' do
+    it 'removes all keys from the cache' do
+      described_class.write('key1', 'value1')
+      described_class.write('key2', 'value2')
+
+      described_class.clear
+
+      expect(described_class.read('key1')).to be_nil
+      expect(described_class.read('key2')).to be_nil
+    end
+  end
+end

data/spec/lib/workos/session_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 describe WorkOS::Session do
-  let(:user_management) { instance_double('UserManagement') }
   let(:client_id) { 'test_client_id' }
   let(:cookie_password) { 'test_very_long_cookie_password__' }
   let(:session_data) { 'test_session_data' }
@@ -10,11 +9,62 @@ describe WorkOS::Session do
   let(:jwk) { JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), { kid: 'sso_oidc_key_pair_123', use: 'sig', alg: 'RS256' }) }
 
   before do
-    allow(user_management).to receive(:get_jwks_url).with(client_id).and_return(jwks_url)
     allow(Net::HTTP).to receive(:get).and_return(jwks_hash)
   end
 
   describe 'initialize' do
+    let(:user_management) { instance_double('UserManagement') }
+
+    before do
+      allow(user_management).to receive(:get_jwks_url).with(client_id).and_return(jwks_url)
+    end
+
+    describe 'JWKS caching' do
+      before do
+        WorkOS::Cache.clear
+      end
+
+      it 'caches and returns JWKS' do
+        expect(Net::HTTP).to receive(:get).once
+        session1 = WorkOS::Session.new(
+          user_management: user_management,
+          client_id: client_id,
+          session_data: session_data,
+          cookie_password: cookie_password,
+        )
+
+        session2 = WorkOS::Session.new(
+          user_management: user_management,
+          client_id: client_id,
+          session_data: session_data,
+          cookie_password: cookie_password,
+        )
+
+        expect(session1.jwks.map(&:export)).to eq(session2.jwks.map(&:export))
+      end
+
+      it 'fetches JWKS from remote when cache is expired' do
+        expect(Net::HTTP).to receive(:get).twice
+        session1 = WorkOS::Session.new(
+          user_management: user_management,
+          client_id: client_id,
+          session_data: session_data,
+          cookie_password: cookie_password,
+        )
+
+        allow(Time).to receive(:now).and_return(Time.now + 301)
+
+        session2 = WorkOS::Session.new(
+          user_management: user_management,
+          client_id: client_id,
+          session_data: session_data,
+          cookie_password: cookie_password,
+        )
+
+        expect(session1.jwks.map(&:export)).to eq(session2.jwks.map(&:export))
+      end
+    end
+
     it 'raises an error if cookie_password is nil or empty' do
       expect do
         WorkOS::Session.new(
@@ -52,6 +102,7 @@ describe WorkOS::Session do
   end
 
   describe '.authenticate' do
+    let(:user_management) { instance_double('UserManagement') }
     let(:valid_access_token) do
       payload = {
         sid: 'session_id',
@@ -71,6 +122,10 @@ describe WorkOS::Session do
                             }, cookie_password,)
 end
 
+    before do
+      allow(user_management).to receive(:get_jwks_url).with(client_id).and_return(jwks_url)
+    end
+
     it 'returns NO_SESSION_COOKIE_PROVIDED if session_data is nil' do
       session = WorkOS::Session.new(
         user_management: user_management,
@@ -135,11 +190,13 @@ end
   end
 
   describe '.refresh' do
+    let(:user_management) { instance_double('UserManagement') }
     let(:refresh_token) { 'test_refresh_token' }
     let(:session_data) { WorkOS::Session.seal_data({ refresh_token: refresh_token, user: 'user' }, cookie_password) }
     let(:auth_response) { double('AuthResponse', sealed_session: 'new_sealed_session') }
 
     before do
+      allow(user_management).to receive(:get_jwks_url).with(client_id).and_return(jwks_url)
       allow(user_management).to receive(:authenticate_with_refresh_token).and_return(auth_response)
     end
 
@@ -173,26 +230,33 @@ end
 
   describe '.get_logout_url' do
     let(:session) do
-    WorkOS::Session.new(
-      user_management: user_management,
-      client_id: client_id,
-      session_data: session_data,
-      cookie_password: cookie_password,
-    )
-  end
+      WorkOS::Session.new(
+        user_management: WorkOS::UserManagement,
+        client_id: client_id,
+        session_data: session_data,
+        cookie_password: cookie_password,
+      )
+    end
 
     context 'when authentication is successful' do
       before do
         allow(session).to receive(:authenticate).and_return({
                                                               authenticated: true,
-                                                              session_id: 'session_id',
+                                                              session_id: 'session_123abc',
                                                               reason: nil,
                                                             })
-        allow(user_management).to receive(:get_logout_url).with(session_id: 'session_id').and_return('https://example.com/logout')
       end
 
       it 'returns the logout URL' do
-        expect(session.get_logout_url).to eq('https://example.com/logout')
+        expect(session.get_logout_url).to eq('https://api.workos.com/user_management/sessions/logout?session_id=session_123abc')
+      end
+
+      context 'when given a return_to URL' do
+        it 'returns the logout URL with the return_to parameter' do
+          expect(session.get_logout_url(return_to: 'https://example.com/signed-out')).to eq(
+            'https://api.workos.com/user_management/sessions/logout?session_id=session_123abc&return_to=https%3A%2F%2Fexample.com%2Fsigned-out',
+          )
+        end
       end
     end
 

data/spec/lib/workos/user_management_spec.rb

@@ -1441,4 +1441,25 @@ describe WorkOS::UserManagement do
       end
     end
   end
+
+  describe '.get_logout_url' do
+    it 'returns a logout url for the given session ID' do
+      result = described_class.get_logout_url(
+        session_id: 'session_01HRX85ATNADY1GQ053AHRFFN6',
+      )
+
+      expect(result).to eq 'https://api.workos.com/user_management/sessions/logout?session_id=session_01HRX85ATNADY1GQ053AHRFFN6'
+    end
+
+    context 'when a `return_to` is given' do
+      it 'returns a logout url with the `return_to` query parameter' do
+        result = described_class.get_logout_url(
+          session_id: 'session_01HRX85ATNADY1GQ053AHRFFN6',
+          return_to: 'https://example.com/signed-out',
+        )
+
+        expect(result).to eq 'https://api.workos.com/user_management/sessions/logout?session_id=session_01HRX85ATNADY1GQ053AHRFFN6&return_to=https%3A%2F%2Fexample.com%2Fsigned-out'
+      end
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: workos
 version: !ruby/object:Gem::Version
-  version: 5.10.0
+  version: 5.11.1
 platform: ruby
 authors:
 - WorkOS
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2025-01-06 00:00:00.000000000 Z
+date: 2025-01-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: encryptor
@@ -136,6 +136,7 @@ files:
 - lib/workos/audit_logs.rb
 - lib/workos/authentication_factor_and_challenge.rb
 - lib/workos/authentication_response.rb
+- lib/workos/cache.rb
 - lib/workos/challenge.rb
 - lib/workos/client.rb
 - lib/workos/configuration.rb
@@ -184,6 +185,7 @@ files:
 - lib/workos/webhooks.rb
 - lib/workos/widgets.rb
 - spec/lib/workos/audit_logs_spec.rb
+- spec/lib/workos/cache_spec.rb
 - spec/lib/workos/client.rb
 - spec/lib/workos/configuration_spec.rb
 - spec/lib/workos/directory_sync_spec.rb
@@ -403,6 +405,7 @@ specification_version: 4
 summary: API client for WorkOS
 test_files:
 - spec/lib/workos/audit_logs_spec.rb
+- spec/lib/workos/cache_spec.rb
 - spec/lib/workos/client.rb
 - spec/lib/workos/configuration_spec.rb
 - spec/lib/workos/directory_sync_spec.rb