workos 5.20.0 → 5.22.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dc1f97c76fdf489cb3be51bd9026dc515195c34aaf9810379bfe4773029aafc1
-  data.tar.gz: 2176f6680ae6a7c46ca77824c7dcf2fbe91ca244986a05f7039a1d40265db881
+  metadata.gz: 65c18f67663b8681a74442c6771d1527b66fecd20a9c114557255d4ce8d9ca38
+  data.tar.gz: 242b03d06e9caa456b3128d284fee00481fb4e7edec79934fd22c2e57598901b
 SHA512:
-  metadata.gz: 6bda209314485831a8237e381566472c5815dea3b727db277e2a06c3db1c06191da54dc59292ec37bd4415291ca78c7593ae4a78cad82775ce6ffb8eae6d0931
-  data.tar.gz: fd199d57bd3e29e0bea6b21840597ae255db869c9815b6a06348a90c3d70532606732c999c8bef3caa2ba2900914c20b222b526c7e1a9b61c836f30f5e55d694
+  metadata.gz: f6f3ccbbc9b6026beee00f92fcb8d87ce3f321ba8be4c808cd524daeb1dc1aa7fa13ef3c9c885096f83e8a68347b70a78d2d9297a396a8071727506e31787c9f
+  data.tar.gz: d8f71832e8767dcfbcc2bcad5760ff5f59cbb3513a73708dc41c50dd5d4f3ac515788a8b81c596b9bb069244d912f3c3a2db9b1e39a0e34ff920bc87a7233b39

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    workos (5.20.0)
+    workos (5.22.0)
       encryptor (~> 3.0)
       jwt (~> 2.8)
 

data/lib/workos/organizations.rb

@@ -185,7 +185,14 @@ module WorkOS
 
       # Retrieve a list of roles for the given organization.
       #
-      # @param [String] organizationId The ID of the organization to fetch roles for.
+      # @param [String] organization_id The ID of the organization to fetch roles for.
+      #
+      # @example
+      #   WorkOS::Organizations.list_organization_roles(organization_id: 'org_01EHZNVPK3SFK441A1RGBFSHRT')
+      #   => #<WorkOS::Types::ListStruct data=[#<WorkOS::Role id="role_123" name="Admin" slug="admin"
+      #                                         permissions=["admin:all"] ...>] ...>
+      #
+      # @return [WorkOS::Types::ListStruct] - Collection of Role objects, each including permissions array
       def list_organization_roles(organization_id:)
         response = execute_request(
           request: get_request(

data/lib/workos/role.rb

@@ -7,7 +7,7 @@ module WorkOS
   class Role
     include HashProvider
 
-    attr_accessor :id, :name, :slug, :description, :type, :created_at, :updated_at
+    attr_accessor :id, :name, :slug, :description, :permissions, :type, :created_at, :updated_at
 
     def initialize(json)
       hash = JSON.parse(json, symbolize_names: true)
@@ -16,6 +16,7 @@ module WorkOS
       @name = hash[:name]
       @slug = hash[:slug]
       @description = hash[:description]
+      @permissions = hash[:permissions] || []
       @type = hash[:type]
       @created_at = hash[:created_at]
       @updated_at = hash[:updated_at]
@@ -27,6 +28,7 @@ module WorkOS
         name: name,
         slug: slug,
         description: description,
+        permissions: permissions,
         type: type,
         created_at: created_at,
         updated_at: updated_at,

data/lib/workos/session.rb

@@ -51,6 +51,7 @@ module WorkOS
         role: decoded['role'],
         permissions: decoded['permissions'],
         entitlements: decoded['entitlements'],
+        feature_flags: decoded['feature_flags'],
         user: session[:user],
         impersonator: session[:impersonator],
         reason: nil,

data/lib/workos/sso.rb

@@ -120,8 +120,9 @@ module WorkOS
           code: code,
         }
 
-        response = client.request(post_request(path: '/sso/token', body: body))
-        check_and_raise_profile_and_token_error(response: response)
+        response = execute_request(
+          request: post_request(path: '/sso/token', body: body),
+        )
 
         WorkOS::ProfileAndToken.new(response.body)
       end
@@ -229,28 +230,6 @@ module WorkOS
         raise ArgumentError, "#{provider} is not a valid value." \
           " `provider` must be in #{PROVIDERS}"
       end
-
-      def check_and_raise_profile_and_token_error(response:)
-        begin
-          body = JSON.parse(response.body)
-          return if body['access_token'] && body['profile']
-
-          message = body['message']
-          error = body['error']
-          error_description = body['error_description']
-          request_id = response['x-request-id']
-        rescue StandardError
-          message = 'Something went wrong'
-        end
-
-        raise APIError.new(
-          message: message,
-          error: error,
-          error_description: error_description,
-          http_status: nil,
-          request_id: request_id,
-        )
-      end
     end
   end
 end

data/lib/workos/user.rb

@@ -8,7 +8,7 @@ module WorkOS
     include HashProvider
 
     attr_accessor :id, :email, :first_name, :last_name, :email_verified,
-                  :profile_picture_url, :last_sign_in_at, :created_at, :updated_at
+                  :profile_picture_url, :external_id, :last_sign_in_at, :created_at, :updated_at
 
     def initialize(json)
       hash = JSON.parse(json, symbolize_names: true)
@@ -19,6 +19,7 @@ module WorkOS
       @last_name = hash[:last_name]
       @email_verified = hash[:email_verified]
       @profile_picture_url = hash[:profile_picture_url]
+      @external_id = hash[:external_id]
       @last_sign_in_at = hash[:last_sign_in_at]
       @created_at = hash[:created_at]
       @updated_at = hash[:updated_at]
@@ -32,6 +33,7 @@ module WorkOS
         last_name: last_name,
         email_verified: email_verified,
         profile_picture_url: profile_picture_url,
+        external_id: external_id,
         last_sign_in_at: last_sign_in_at,
         created_at: created_at,
         updated_at: updated_at,

data/lib/workos/user_management.rb

@@ -206,7 +206,7 @@ module WorkOS
             email_verified: email_verified,
             password_hash: password_hash,
             password_hash_type: password_hash_type,
-          },
+          }.compact,
           auth: true,
         )
 
@@ -222,6 +222,7 @@ module WorkOS
       # @param [String] first_name The user's first name.
       # @param [String] last_name The user's last name.
       # @param [Boolean] email_verified Whether the user's email address was previously verified.
+      # @param [String] external_id The users's external ID
       # @param [String] password The user's password.
       # @param [String] password_hash The user's hashed password.
       # @option [String] password_hash_type The algorithm originally used to hash the password.
@@ -234,6 +235,7 @@ module WorkOS
         first_name: nil,
         last_name: nil,
         email_verified: nil,
+        external_id: nil,
         password: nil,
         password_hash: nil,
         password_hash_type: nil
@@ -245,10 +247,11 @@ module WorkOS
             first_name: first_name,
             last_name: last_name,
             email_verified: email_verified,
+            external_id: external_id,
             password: password,
             password_hash: password_hash,
             password_hash_type: password_hash_type,
-          },
+          }.compact,
           auth: true,
         )
 
@@ -640,7 +643,7 @@ module WorkOS
             body: {
               email: email,
               invitation_token: invitation_token,
-            },
+            }.compact,
             auth: true,
           ),
         )
@@ -694,7 +697,7 @@ module WorkOS
               totp_issuer: totp_issuer,
               totp_user: totp_user,
               totp_secret: totp_secret,
-            },
+            }.compact,
             auth: true,
           ),
         )
@@ -925,7 +928,7 @@ module WorkOS
             user_id: user_id,
             organization_id: organization_id,
             role_slug: role_slug,
-          },
+          }.compact,
           auth: true,
         )
 
@@ -1090,7 +1093,7 @@ module WorkOS
               expires_in_days: expires_in_days,
               inviter_user_id: inviter_user_id,
               role_slug: role_slug,
-            },
+            }.compact,
             auth: true,
           ),
         )

data/lib/workos/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WorkOS
-  VERSION = '5.20.0'
+  VERSION = '5.22.0'
 end

data/spec/lib/workos/organizations_spec.rb

@@ -354,6 +354,48 @@ describe WorkOS::Organizations do
           expect(roles.list_metadata).to eq(expected_metadata)
         end
       end
+
+      it 'returns properly initialized Role objects with all attributes' do
+        VCR.use_cassette 'organization/list_organization_roles' do
+          roles = described_class.list_organization_roles(organization_id: 'org_01JEXP6Z3X7HE4CB6WQSH9ZAFE')
+
+          first_role = roles.data.first
+          expect(first_role).to be_a(WorkOS::Role)
+          expect(first_role.id).to eq('role_01HS1C7GRJE08PBR3M6Y0ZYGDZ')
+          expect(first_role.name).to eq('Admin')
+          expect(first_role.slug).to eq('admin')
+          expect(first_role.description).to eq('Write access to every resource available')
+          expect(first_role.permissions).to eq(['admin:all', 'read:users', 'write:users', 'manage:roles'])
+          expect(first_role.type).to eq('EnvironmentRole')
+          expect(first_role.created_at).to eq('2024-03-15T15:38:29.521Z')
+          expect(first_role.updated_at).to eq('2024-11-14T17:08:00.556Z')
+        end
+      end
+
+      it 'handles roles with empty permissions arrays' do
+        VCR.use_cassette 'organization/list_organization_roles' do
+          roles = described_class.list_organization_roles(organization_id: 'org_01JEXP6Z3X7HE4CB6WQSH9ZAFE')
+
+          platform_manager_role = roles.data.find { |role| role.slug == 'org-platform-manager' }
+          expect(platform_manager_role).to be_a(WorkOS::Role)
+          expect(platform_manager_role.permissions).to eq([])
+        end
+      end
+
+      it 'properly serializes Role objects including permissions' do
+        VCR.use_cassette 'organization/list_organization_roles' do
+          roles = described_class.list_organization_roles(organization_id: 'org_01JEXP6Z3X7HE4CB6WQSH9ZAFE')
+
+          billing_role = roles.data.find { |role| role.slug == 'billing' }
+          serialized = billing_role.to_json
+
+          expect(serialized[:id]).to eq('role_01JA8GJZRDSZEB9289DQXJ3N9Z')
+          expect(serialized[:name]).to eq('Billing Manager')
+          expect(serialized[:slug]).to eq('billing')
+          expect(serialized[:permissions]).to eq(['read:billing', 'write:billing'])
+          expect(serialized[:type]).to eq('EnvironmentRole')
+        end
+      end
     end
   end
 end

data/spec/lib/workos/role_spec.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+describe WorkOS::Role do
+  describe '.initialize' do
+    context 'with full role data including permissions' do
+      it 'initializes all attributes correctly' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'Admin',
+          slug: 'admin',
+          description: 'Administrator role with full access',
+          permissions: ['read:users', 'write:users', 'admin:all'],
+          type: 'system',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+
+        expect(role.id).to eq('role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY')
+        expect(role.name).to eq('Admin')
+        expect(role.slug).to eq('admin')
+        expect(role.description).to eq('Administrator role with full access')
+        expect(role.permissions).to eq(['read:users', 'write:users', 'admin:all'])
+        expect(role.type).to eq('system')
+        expect(role.created_at).to eq('2022-05-13T17:45:31.732Z')
+        expect(role.updated_at).to eq('2022-07-13T17:45:42.618Z')
+      end
+    end
+
+    context 'with role data without permissions' do
+      it 'initializes permissions as empty array' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'User',
+          slug: 'user',
+          description: 'Basic user role',
+          type: 'custom',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+
+        expect(role.id).to eq('role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY')
+        expect(role.name).to eq('User')
+        expect(role.slug).to eq('user')
+        expect(role.description).to eq('Basic user role')
+        expect(role.permissions).to eq([])
+        expect(role.type).to eq('custom')
+        expect(role.created_at).to eq('2022-05-13T17:45:31.732Z')
+        expect(role.updated_at).to eq('2022-07-13T17:45:42.618Z')
+      end
+    end
+
+    context 'with role data with null permissions' do
+      it 'initializes permissions as empty array' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'User',
+          slug: 'user',
+          description: 'Basic user role',
+          permissions: nil,
+          type: 'custom',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+
+        expect(role.permissions).to eq([])
+      end
+    end
+
+    context 'with role data with empty permissions array' do
+      it 'preserves empty permissions array' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'User',
+          slug: 'user',
+          description: 'Basic user role',
+          permissions: [],
+          type: 'custom',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+
+        expect(role.permissions).to eq([])
+      end
+    end
+  end
+
+  describe '.to_json' do
+    context 'with role that has permissions' do
+      it 'includes permissions in serialized output' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'Admin',
+          slug: 'admin',
+          description: 'Administrator role',
+          permissions: ['read:all', 'write:all'],
+          type: 'system',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+        serialized = role.to_json
+
+        expect(serialized[:id]).to eq('role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY')
+        expect(serialized[:name]).to eq('Admin')
+        expect(serialized[:slug]).to eq('admin')
+        expect(serialized[:description]).to eq('Administrator role')
+        expect(serialized[:permissions]).to eq(['read:all', 'write:all'])
+        expect(serialized[:type]).to eq('system')
+        expect(serialized[:created_at]).to eq('2022-05-13T17:45:31.732Z')
+        expect(serialized[:updated_at]).to eq('2022-07-13T17:45:42.618Z')
+      end
+    end
+
+    context 'with role that has no permissions' do
+      it 'includes empty permissions array in serialized output' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'User',
+          slug: 'user',
+          description: 'Basic user role',
+          type: 'custom',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+        serialized = role.to_json
+
+        expect(serialized[:permissions]).to eq([])
+      end
+    end
+  end
+end

data/spec/lib/workos/session_spec.rb

@@ -174,6 +174,7 @@ describe WorkOS::Session do
                              organization_id: 'org_id',
                              role: 'role',
                              permissions: ['read'],
+                             feature_flags: nil,
                              entitlements: nil,
                              user: 'user',
                              impersonator: 'impersonator',
@@ -209,6 +210,43 @@ describe WorkOS::Session do
                                role: 'role',
                                permissions: ['read'],
                                entitlements: ['billing'],
+                               feature_flags: nil,
+                               user: 'user',
+                               impersonator: 'impersonator',
+                               reason: nil,
+                             })
+      end
+    end
+
+    describe 'with feature flags' do
+      let(:payload) do
+        {
+          sid: 'session_id',
+          org_id: 'org_id',
+          role: 'role',
+          permissions: ['read'],
+          feature_flags: ['new_feature_enabled'],
+          exp: Time.now.to_i + 3600,
+        }
+      end
+
+      it 'includes feature flags in the result' do
+        session = WorkOS::Session.new(
+          user_management: user_management,
+          client_id: client_id,
+          session_data: session_data,
+          cookie_password: cookie_password,
+        )
+        allow_any_instance_of(JWT::Decode).to receive(:verify_signature).and_return(true)
+        result = session.authenticate
+        expect(result).to eq({
+                               authenticated: true,
+                               session_id: 'session_id',
+                               organization_id: 'org_id',
+                               role: 'role',
+                               permissions: ['read'],
+                               entitlements: nil,
+                               feature_flags: ['new_feature_enabled'],
                                user: 'user',
                                impersonator: 'impersonator',
                                reason: nil,

data/spec/lib/workos/sso_spec.rb

@@ -416,10 +416,73 @@ describe WorkOS::SSO do
         expect do
           described_class.profile_and_token(**args)
         end.to raise_error(
-          WorkOS::APIError,
-          'error: some error, error_description: some error description - request ID: request-id',
+          WorkOS::UnprocessableEntityError,
+          'Status 422, some error - request ID: request-id',
         )
       end
+
+      it 'raises an exception with proper error object attributes' do
+        expect do
+          described_class.profile_and_token(**args)
+        end.to raise_error(WorkOS::UnprocessableEntityError)
+      end
+
+      it 'includes proper error attributes' do
+        error = begin
+          described_class.profile_and_token(**args)
+        rescue WorkOS::UnprocessableEntityError => e
+          e
+        end
+
+        expect(error.http_status).to eq(422)
+        expect(error.request_id).to eq('request-id')
+        expect(error.error).to eq('some error')
+        expect(error.message).to include('some error')
+      end
+    end
+
+    context 'with detailed field validation errors' do
+      before do
+        stub_request(:post, 'https://api.workos.com/sso/token').
+          with(headers: headers, body: request_body).
+          to_return(
+            headers: { 'X-Request-ID' => 'request-id' },
+            status: 422,
+            body: {
+              "message": 'Validation failed',
+              "code": 'invalid_request_parameters',
+              "errors": [
+                {
+                  "field": 'code',
+                  "code": 'missing_required_parameter',
+                  "message": 'The code parameter is required',
+                }
+              ],
+            }.to_json,
+          )
+      end
+
+      it 'raises an exception with detailed field errors' do
+        expect do
+          described_class.profile_and_token(**args)
+        end.to raise_error(WorkOS::UnprocessableEntityError)
+      end
+
+      it 'includes detailed field error attributes' do
+        error = begin
+          described_class.profile_and_token(**args)
+        rescue WorkOS::UnprocessableEntityError => e
+          e
+        end
+
+        expect(error.http_status).to eq(422)
+        expect(error.request_id).to eq('request-id')
+        expect(error.code).to eq('invalid_request_parameters')
+        expect(error.errors).not_to be_nil
+        expect(error.errors).to include('code: missing_required_parameter')
+        expect(error.message).to include('Validation failed')
+        expect(error.message).to include('(code: missing_required_parameter)')
+      end
     end
 
     context 'with an expired code' do
@@ -440,11 +503,31 @@ describe WorkOS::SSO do
         expect do
           described_class.profile_and_token(**args)
         end.to raise_error(
-          WorkOS::APIError,
-          "error: invalid_grant, error_description: The code '01DVX3C5Z367SFHR8QNDMK7V24'" \
+          WorkOS::InvalidRequestError,
+          "Status 400, error: invalid_grant, error_description: The code '01DVX3C5Z367SFHR8QNDMK7V24'" \
           ' has expired or is invalid. - request ID: request-id',
         )
       end
+
+      it 'raises an exception with proper error object attributes' do
+        expect do
+          described_class.profile_and_token(**args)
+        end.to raise_error(WorkOS::InvalidRequestError)
+      end
+
+      it 'includes proper error attributes' do
+        error = begin
+          described_class.profile_and_token(**args)
+        rescue WorkOS::InvalidRequestError => e
+          e
+        end
+
+        expect(error.http_status).to eq(400)
+        expect(error.request_id).to eq('request-id')
+        expect(error.error).to eq('invalid_grant')
+        expect(error.error_description).to eq("The code '01DVX3C5Z367SFHR8QNDMK7V24' has expired or is invalid.")
+        expect(error.message).to include('invalid_grant')
+      end
     end
   end
 

data/spec/lib/workos/user_management_spec.rb

@@ -338,6 +338,26 @@ describe WorkOS::UserManagement do
         end
       end
 
+      it 'only sends non-nil values in request body' do
+        expect(described_class).to receive(:post_request) do |options|
+          body = options[:body]
+          expect(body).to eq({ email: 'test@example.com', first_name: 'John' })
+          expect(body).not_to have_key(:last_name)
+          expect(body).not_to have_key(:email_verified)
+
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response', body: '{"id": "test_user", "email": "test@example.com"}'),
+        )
+
+        described_class.create_user(
+          email: 'test@example.com',
+          first_name: 'John',
+        )
+      end
+
       context 'with an invalid payload' do
         it 'returns an error' do
           VCR.use_cassette 'user_management/create_user_invalid' do
@@ -362,10 +382,12 @@ describe WorkOS::UserManagement do
             first_name: 'Jane',
             last_name: 'Doe',
             email_verified: false,
+            external_id: '123',
           )
           expect(user.first_name).to eq('Jane')
           expect(user.last_name).to eq('Doe')
           expect(user.email_verified).to eq(false)
+          expect(user.external_id).to eq('123')
         end
       end
 
@@ -380,6 +402,30 @@ describe WorkOS::UserManagement do
         end
       end
 
+      it 'only sends non-nil values in request body' do
+        # Mock the request to inspect what's being sent
+        expect(described_class).to receive(:put_request) do |options|
+          # Verify that the body only contains non-nil values
+          body = options[:body]
+          expect(body).to eq({ email_verified: true })
+          expect(body).not_to have_key(:first_name)
+          expect(body).not_to have_key(:last_name)
+          expect(body).not_to have_key(:email)
+
+          # Return a mock request object
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response', body: '{"id": "test_user", "email_verified": true}'),
+        )
+
+        described_class.update_user(
+          id: 'user_01H7TVSKS45SDHN5V9XPSM6H44',
+          email_verified: true,
+        )
+      end
+
       context 'with an invalid payload' do
         it 'returns an error' do
           VCR.use_cassette 'user_management/update_user/invalid' do
@@ -776,6 +822,28 @@ describe WorkOS::UserManagement do
           expect(authentication_response.authentication_challenge.id).to eq('auth_challenge_01H96FETXGTW1QMBSBT2T36PW0')
         end
       end
+
+      it 'only sends non-nil values in request body' do
+        expect(described_class).to receive(:post_request) do |options|
+          body = options[:body]
+          expect(body).to eq({ type: 'totp', totp_issuer: 'Test App' })
+          expect(body).not_to have_key(:totp_user)
+          expect(body).not_to have_key(:totp_secret)
+
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response',
+                 body: '{"authentication_factor": {"id": "test"}, "authentication_challenge": {"id": "test"}}',),
+        )
+
+        described_class.enroll_auth_factor(
+          user_id: 'user_123',
+          type: 'totp',
+          totp_issuer: 'Test App',
+        )
+      end
     end
 
     context 'with an incorrect user id' do
@@ -1442,6 +1510,27 @@ describe WorkOS::UserManagement do
           expect(invitation.email).to eq('test@workos.com')
         end
       end
+
+      it 'only sends non-nil values in request body' do
+        expect(described_class).to receive(:post_request) do |options|
+          body = options[:body]
+          expect(body).to eq({ email: 'test@workos.com', organization_id: 'org_123' })
+          expect(body).not_to have_key(:expires_in_days)
+          expect(body).not_to have_key(:inviter_user_id)
+          expect(body).not_to have_key(:role_slug)
+
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response', body: '{"id": "test_invitation"}'),
+        )
+
+        described_class.send_invitation(
+          email: 'test@workos.com',
+          organization_id: 'org_123',
+        )
+      end
     end
 
     context 'with an invalid payload' do

data/spec/support/fixtures/vcr_cassettes/organization/list_organization_roles.yml

@@ -70,13 +70,13 @@ http_interactions:
         encoding: ASCII-8BIT
         string:
           '{"object":"list","data":[{"object":"role","id":"role_01HS1C7GRJE08PBR3M6Y0ZYGDZ","description":"Write
-          access to every resource available","name":"Admin","slug":"admin","type":"EnvironmentRole","created_at":"2024-03-15T15:38:29.521Z","updated_at":"2024-11-14T17:08:00.556Z"},{"object":"role","id":"role_01JA8GJZRDSZEB9289DQXJ3N9Z","description":"","name":"Billing
-          Manager","slug":"billing","type":"EnvironmentRole","created_at":"2024-10-15T16:36:11.653Z","updated_at":"2024-12-19T21:27:01.286Z"},{"object":"role","id":"role_01HSBH4R6RX0V86S3R590NNZW2","description":"Developer
-          role","name":"Developer","slug":"developer","type":"EnvironmentRole","created_at":"2024-03-19T14:16:46.038Z","updated_at":"2024-03-19T14:16:46.038Z"},{"object":"role","id":"role_01HS4GDWJ8T6NQPTX2D0R5KBHN","description":"Edit
-          and view access to non-critical resources","name":"Editor","slug":"editor","type":"EnvironmentRole","created_at":"2024-03-16T20:49:35.815Z","updated_at":"2024-03-16T20:52:19.410Z"},{"object":"role","id":"role_01HRFZE22WS2MGX6EWAG2JX6NW","description":"The
-          default user role","name":"Member","slug":"member","type":"EnvironmentRole","created_at":"2024-03-08T21:27:47.034Z","updated_at":"2024-08-14T00:27:46.265Z"},{"object":"role","id":"role_01JEYJ2Z5MYG0TZYTDF02MW11N","description":"Manage
-          billing for organization.","name":"Billing manager","slug":"org-billing-manager","type":"OrganizationRole","created_at":"2024-12-12T23:08:28.712Z","updated_at":"2024-12-12T23:08:28.712Z"},{"object":"role","id":"role_01JF0B7MQ9X414WQRAQMQYE1GS","description":"","name":"Platform
-          Manager","slug":"org-platform-manager","type":"OrganizationRole","created_at":"2024-12-13T15:47:10.692Z","updated_at":"2024-12-13T15:47:10.692Z"}]}'
+          access to every resource available","name":"Admin","slug":"admin","permissions":["admin:all","read:users","write:users","manage:roles"],"type":"EnvironmentRole","created_at":"2024-03-15T15:38:29.521Z","updated_at":"2024-11-14T17:08:00.556Z"},{"object":"role","id":"role_01JA8GJZRDSZEB9289DQXJ3N9Z","description":"","name":"Billing
+          Manager","slug":"billing","permissions":["read:billing","write:billing"],"type":"EnvironmentRole","created_at":"2024-10-15T16:36:11.653Z","updated_at":"2024-12-19T21:27:01.286Z"},{"object":"role","id":"role_01HSBH4R6RX0V86S3R590NNZW2","description":"Developer
+          role","name":"Developer","slug":"developer","permissions":["read:code","write:code","deploy:apps"],"type":"EnvironmentRole","created_at":"2024-03-19T14:16:46.038Z","updated_at":"2024-03-19T14:16:46.038Z"},{"object":"role","id":"role_01HS4GDWJ8T6NQPTX2D0R5KBHN","description":"Edit
+          and view access to non-critical resources","name":"Editor","slug":"editor","permissions":["read:content","write:content","publish:content"],"type":"EnvironmentRole","created_at":"2024-03-16T20:49:35.815Z","updated_at":"2024-03-16T20:52:19.410Z"},{"object":"role","id":"role_01HRFZE22WS2MGX6EWAG2JX6NW","description":"The
+          default user role","name":"Member","slug":"member","permissions":["read:basic"],"type":"EnvironmentRole","created_at":"2024-03-08T21:27:47.034Z","updated_at":"2024-08-14T00:27:46.265Z"},{"object":"role","id":"role_01JEYJ2Z5MYG0TZYTDF02MW11N","description":"Manage
+          billing for organization.","name":"Billing manager","slug":"org-billing-manager","permissions":["read:org:billing","write:org:billing"],"type":"OrganizationRole","created_at":"2024-12-12T23:08:28.712Z","updated_at":"2024-12-12T23:08:28.712Z"},{"object":"role","id":"role_01JF0B7MQ9X414WQRAQMQYE1GS","description":"","name":"Platform
+          Manager","slug":"org-platform-manager","permissions":[],"type":"OrganizationRole","created_at":"2024-12-13T15:47:10.692Z","updated_at":"2024-12-13T15:47:10.692Z"}]}'
       http_version:
     recorded_at: Mon, 23 Dec 2024 20:23:07 GMT
 recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/user_management/update_user/valid.yml

@@ -5,7 +5,7 @@ http_interactions:
     uri: https://api.workos.com/user_management/users/user_01H7TVSKS45SDHN5V9XPSM6H44
     body:
       encoding: UTF-8
-      string: '{"first_name":"Jane","last_name":"Doe","email_verified":false}'
+      string: '{"first_name":"Jane","last_name":"Doe","email_verified":false,"external_id":"123"}'
     headers:
       Content-Type:
       - application/json
@@ -76,7 +76,7 @@ http_interactions:
       - cloudflare
     body:
       encoding: ASCII-8BIT
-      string: '{"object":"user","id":"user_01H7TVSKS45SDHN5V9XPSM6H44","email":"willman@blips.app","email_verified":false,"first_name":"Jane","last_name":"Doe","created_at":"2023-08-14T20:28:58.929Z","updated_at":"2023-08-25T22:57:44.262Z","user_type":"unmanaged","email_verified_at":null,"google_oauth_profile_id":null,"microsoft_oauth_profile_id":null}'
+      string: '{"object":"user","id":"user_01H7TVSKS45SDHN5V9XPSM6H44","email":"willman@blips.app","email_verified":false,"first_name":"Jane","last_name":"Doe","external_id":"123","created_at":"2023-08-14T20:28:58.929Z","updated_at":"2023-08-25T22:57:44.262Z","user_type":"unmanaged","email_verified_at":null,"google_oauth_profile_id":null,"microsoft_oauth_profile_id":null}'
     http_version:
   recorded_at: Fri, 25 Aug 2023 23:37:04 GMT
 recorded_with: VCR 5.0.0

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: workos
 version: !ruby/object:Gem::Version
-  version: 5.20.0
+  version: 5.22.0
 platform: ruby
 authors:
 - WorkOS
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-06-23 00:00:00.000000000 Z
+date: 2025-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: encryptor
@@ -197,6 +197,7 @@ files:
 - spec/lib/workos/organizations_spec.rb
 - spec/lib/workos/passwordless_spec.rb
 - spec/lib/workos/portal_spec.rb
+- spec/lib/workos/role_spec.rb
 - spec/lib/workos/session_spec.rb
 - spec/lib/workos/sso_spec.rb
 - spec/lib/workos/user_management_spec.rb
@@ -421,6 +422,7 @@ test_files:
 - spec/lib/workos/organizations_spec.rb
 - spec/lib/workos/passwordless_spec.rb
 - spec/lib/workos/portal_spec.rb
+- spec/lib/workos/role_spec.rb
 - spec/lib/workos/session_spec.rb
 - spec/lib/workos/sso_spec.rb
 - spec/lib/workos/user_management_spec.rb