workos 5.28.0 → 5.30.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f536a3eeb0b6d0fc877337104c31dc441ab6f32ccceef45ee7dad60bdba36e99
-  data.tar.gz: c9a9bb5353eb0077d43f41da09ad95269034f4a81b4504db72ca13f3086f3a29
+  metadata.gz: e92012bf9ac81d3796ef280568d50188ec6cb01bd4dfdd9c053b61196a608063
+  data.tar.gz: 379504e11cbbf1e6d64670631b87c58b4a3bfac4b6fb724a68707423015d9641
 SHA512:
-  metadata.gz: b689a75850258ff01f9929fdcfccbe8b76c816395d6266053fdabb2515a8c2fcdae43becd6cec2e5ed378cf6f2b6a0176bc38d92111c9bc12a4f44ec8b1b03e6
-  data.tar.gz: da8fc3b665684df85724b12e8a9c7d86a95fdb26509b92c3e5a13923560c33c8106bc9a65e22d2abe2b7fcf444d3ba67121316b3b2cf75954ce2c51db256c71d
+  metadata.gz: 3b62dcaec41f4936b5027394952cd6d8f2050c80cd8676cbe69d1187d54a70d7e7b0f9673f9565a80b1de3662a64478321615521363eb61f7d8f72f8800b56fd
+  data.tar.gz: 594a6d8526ec2719e4c342433a95fe15b775809dc8921ac9c7e6dc25ecf11a2c97a59e095085c082b2ee83ff1490443fb868d80c9d35128849ae09ac6307a77d

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    workos (5.28.0)
+    workos (5.30.1)
       encryptor (~> 3.0)
       jwt (~> 2.8)
 

data/lib/workos/directory_user.rb

@@ -8,7 +8,7 @@ module WorkOS
     include HashProvider
 
     attr_accessor :id, :idp_id, :email, :emails, :first_name, :last_name, :job_title, :username, :state,
-                  :groups, :role, :custom_attributes, :raw_attributes, :directory_id, :organization_id,
+                  :groups, :role, :roles, :custom_attributes, :raw_attributes, :directory_id, :organization_id,
                   :created_at, :updated_at
 
     # rubocop:disable Metrics/AbcSize
@@ -37,6 +37,7 @@ module WorkOS
       @state = hash[:state]
       @groups = hash[:groups]
       @role = hash[:role]
+      @roles = hash[:roles]
       @custom_attributes = hash[:custom_attributes]
       @raw_attributes = hash[:raw_attributes]
       @created_at = hash[:created_at]
@@ -47,6 +48,13 @@ module WorkOS
     # rubocop:enable Metrics/AbcSize
 
     def to_json(*)
+      base_attributes.
+        merge(authorization_attributes)
+    end
+
+    private
+
+    def base_attributes
       {
         id: id,
         directory_id: directory_id,
@@ -60,7 +68,6 @@ module WorkOS
         username: username,
         state: state,
         groups: groups,
-        role: role,
         custom_attributes: custom_attributes,
         raw_attributes: raw_attributes,
         created_at: created_at,
@@ -68,6 +75,15 @@ module WorkOS
       }
     end
 
+    def authorization_attributes
+      {
+        role: role,
+        roles: roles,
+      }
+    end
+
+    public
+
     # @deprecated Will be removed in a future major version. Use {#email} instead.
     def primary_email
       primary_email = (emails || []).find { |email| email[:primary] }

data/lib/workos/profile.rb

@@ -9,7 +9,7 @@ module WorkOS
   class Profile
     include HashProvider
 
-    attr_accessor :id, :email, :first_name, :last_name, :role, :groups, :organization_id,
+    attr_accessor :id, :email, :first_name, :last_name, :role, :roles, :groups, :organization_id,
                   :connection_id, :connection_type, :idp_id, :custom_attributes, :raw_attributes
 
     # rubocop:disable Metrics/AbcSize
@@ -21,6 +21,7 @@ module WorkOS
       @first_name = hash[:first_name]
       @last_name = hash[:last_name]
       @role = hash[:role]
+      @roles = hash[:roles]
       @groups = hash[:groups]
       @organization_id = hash[:organization_id]
       @connection_id = hash[:connection_id]
@@ -42,6 +43,7 @@ module WorkOS
         first_name: first_name,
         last_name: last_name,
         role: role,
+        roles: roles,
         groups: groups,
         organization_id: organization_id,
         connection_id: connection_id,

data/lib/workos/session.rb

@@ -29,9 +29,10 @@ module WorkOS
     end
 
     # Authenticates the user based on the session data
+    # @param include_expired [Boolean] If true, returns decoded token data even when expired (default: false)
     # @return [Hash] A hash containing the authentication response and a reason if the authentication failed
-    # rubocop:disable Metrics/AbcSize
-    def authenticate
+    # rubocop:disable Metrics/AbcSize, Metrics/PerceivedComplexity
+    def authenticate(include_expired: false)
       return { authenticated: false, reason: 'NO_SESSION_COOKIE_PROVIDED' } if @session_data.nil?
 
       begin
@@ -41,23 +42,41 @@ module WorkOS
       end
 
       return { authenticated: false, reason: 'INVALID_SESSION_COOKIE' } unless session[:access_token]
-      return { authenticated: false, reason: 'INVALID_JWT' } unless is_valid_jwt(session[:access_token])
-
-      decoded = JWT.decode(session[:access_token], nil, true, algorithms: @jwks_algorithms, jwks: @jwks).first
-
-      {
-        authenticated: true,
-        session_id: decoded['sid'],
-        organization_id: decoded['org_id'],
-        role: decoded['role'],
-        roles: decoded['roles'],
-        permissions: decoded['permissions'],
-        entitlements: decoded['entitlements'],
-        feature_flags: decoded['feature_flags'],
-        user: session[:user],
-        impersonator: session[:impersonator],
-        reason: nil,
-      }
+
+      begin
+        decoded = JWT.decode(
+          session[:access_token],
+          nil,
+          true,
+          algorithms: @jwks_algorithms,
+          jwks: @jwks,
+          verify_expiration: false,
+        ).first
+
+        expired = decoded['exp'] && decoded['exp'] < Time.now.to_i
+
+        # Early return for expired tokens when not including expired data (backward compatible)
+        return { authenticated: false, reason: 'INVALID_JWT' } if expired && !include_expired
+
+        # Return full data for valid tokens or when include_expired is true
+        {
+          authenticated: !expired,
+          session_id: decoded['sid'],
+          organization_id: decoded['org_id'],
+          role: decoded['role'],
+          roles: decoded['roles'],
+          permissions: decoded['permissions'],
+          entitlements: decoded['entitlements'],
+          feature_flags: decoded['feature_flags'],
+          user: session[:user],
+          impersonator: session[:impersonator],
+          reason: expired ? 'INVALID_JWT' : nil,
+        }
+      rescue JWT::DecodeError
+        { authenticated: false, reason: 'INVALID_JWT' }
+      rescue StandardError => e
+        { authenticated: false, reason: e.message }
+      end
     end
 
     # Refreshes the session data using the refresh token stored in the session data
@@ -66,7 +85,6 @@ module WorkOS
     # @option options [String] :organization_id The organization ID to use for refreshing the session
     # @return [Hash] A hash containing a new sealed session, the authentication response,
     # and a reason if the refresh failed
-    # rubocop:disable Metrics/PerceivedComplexity
     def refresh(options = nil)
       cookie_password = options.nil? || options[:cookie_password].nil? ? @cookie_password : options[:cookie_password]
 
@@ -168,17 +186,5 @@ module WorkOS
 
       jwks
     end
-
-    # Validates a JWT token using the JWKS set
-    # @param token [String] The JWT token to validate
-    # @return [Boolean] True if the token is valid, false otherwise
-    # rubocop:disable Naming/PredicateName
-    def is_valid_jwt(token)
-      JWT.decode(token, nil, true, algorithms: @jwks_algorithms, jwks: @jwks)
-      true
-    rescue StandardError
-      false
-    end
-    # rubocop:enable Naming/PredicateName
   end
 end

data/lib/workos/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WorkOS
-  VERSION = '5.28.0'
+  VERSION = '5.30.1'
 end

data/spec/lib/workos/directory_user_spec.rb

@@ -37,13 +37,23 @@ describe WorkOS::DirectoryUser do
       it 'returns no role' do
         user = WorkOS::DirectoryUser.new('{"object":"directory_user","id":"directory_user_01FAZYNPC8M0HRYTKFP2GNX852","directory_id":"directory_01FAZYMST676QMTFN1DDJZZX87","idp_id":"6092c280a3f1e19ef6d8cef8","username":"bob.fakename@workos.com","emails":[{"primary":true,"value":"bob.fakename@workos.com"}, {"primary":false,"value":"bob.fakename@gmail.com"}],"first_name":"Bob","last_name":"Gingerich","job_title":"Developer Success Engineer","state":"active","raw_attributes":{},"custom_attributes":{},"groups":[],"created_at":"2022-05-13T17:45:31.732Z", "updated_at":"2022-07-13T17:45:42.618Z"}')
         expect(user.role).to eq(nil)
+        expect(user.roles).to eq(nil)
       end
     end
 
-    context 'with a role' do
-      it 'returns the role slug' do
-        user = WorkOS::DirectoryUser.new('{"object":"directory_user","id":"directory_user_01FAZYNPC8M0HRYTKFP2GNX852","directory_id":"directory_01FAZYMST676QMTFN1DDJZZX87","idp_id":"6092c280a3f1e19ef6d8cef8","username":"bob.fakename@workos.com","emails":[{"primary":true,"value":"bob.fakename@workos.com"}, {"primary":false,"value":"bob.fakename@gmail.com"}],"first_name":"Bob","last_name":"Gingerich","job_title":"Developer Success Engineer","state":"active","raw_attributes":{},"custom_attributes":{},"groups":[],"role":{"slug":"member"},"created_at":"2022-05-13T17:45:31.732Z", "updated_at":"2022-07-13T17:45:42.618Z"}')
+    context 'with a single role' do
+      it 'returns the highest priority role slug and roles array' do
+        user = WorkOS::DirectoryUser.new('{"object":"directory_user","id":"directory_user_01FAZYNPC8M0HRYTKFP2GNX852","directory_id":"directory_01FAZYMST676QMTFN1DDJZZX87","idp_id":"6092c280a3f1e19ef6d8cef8","username":"bob.fakename@workos.com","emails":[{"primary":true,"value":"bob.fakename@workos.com"}, {"primary":false,"value":"bob.fakename@gmail.com"}],"first_name":"Bob","last_name":"Gingerich","job_title":"Developer Success Engineer","state":"active","raw_attributes":{},"custom_attributes":{},"groups":[],"role":{"slug":"member"},"roles":[{"slug":"member"}],"created_at":"2022-05-13T17:45:31.732Z", "updated_at":"2022-07-13T17:45:42.618Z"}')
         expect(user.role).to eq({ slug: 'member' })
+        expect(user.roles).to eq([{ slug: 'member' }])
+      end
+    end
+
+    context 'with multiple roles' do
+      it 'returns the highest priority role slug and roles array' do
+        user = WorkOS::DirectoryUser.new('{"object":"directory_user","id":"directory_user_01FAZYNPC8M0HRYTKFP2GNX852","directory_id":"directory_01FAZYMST676QMTFN1DDJZZX87","idp_id":"6092c280a3f1e19ef6d8cef8","username":"bob.fakename@workos.com","emails":[{"primary":true,"value":"bob.fakename@workos.com"}, {"primary":false,"value":"bob.fakename@gmail.com"}],"first_name":"Bob","last_name":"Gingerich","job_title":"Developer Success Engineer","state":"active","raw_attributes":{},"custom_attributes":{},"groups":[],"role":{"slug":"admin"},"roles":[{"slug":"member"}, {"slug":"admin"}],"created_at":"2022-05-13T17:45:31.732Z", "updated_at":"2022-07-13T17:45:42.618Z"}')
+        expect(user.role).to eq({ slug: 'admin' })
+        expect(user.roles).to eq([{ slug: 'member' }, { slug: 'admin' }])
       end
     end
   end

data/spec/lib/workos/session_spec.rb

@@ -160,6 +160,44 @@ describe WorkOS::Session do
       expect(result).to eq({ authenticated: false, reason: 'INVALID_JWT' })
     end
 
+    it 'returns INVALID_JWT without token data when session is expired' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: session_data,
+        cookie_password: cookie_password,
+      )
+      allow_any_instance_of(JWT::Decode).to receive(:verify_signature).and_return(true)
+      allow(Time).to receive(:now).and_return(Time.at(9_999_999_999))
+      result = session.authenticate
+      expect(result).to eq({ authenticated: false, reason: 'INVALID_JWT' })
+    end
+
+    it 'returns INVALID_JWT with full token data when session is expired and include_expired is true' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: session_data,
+        cookie_password: cookie_password,
+      )
+      allow_any_instance_of(JWT::Decode).to receive(:verify_signature).and_return(true)
+      allow(Time).to receive(:now).and_return(Time.at(9_999_999_999))
+      result = session.authenticate(include_expired: true)
+      expect(result).to eq({
+                             authenticated: false,
+                             session_id: 'session_id',
+                             organization_id: 'org_id',
+                             role: 'role',
+                             roles: ['role'],
+                             permissions: ['read'],
+                             feature_flags: nil,
+                             entitlements: nil,
+                             user: 'user',
+                             impersonator: 'impersonator',
+                             reason: 'INVALID_JWT',
+                           })
+    end
+
     it 'authenticates successfully with valid session_data' do
       session = WorkOS::Session.new(
         user_management: user_management,

data/spec/lib/workos/sso_spec.rb

@@ -305,6 +305,9 @@ describe WorkOS::SSO do
           role: {
             slug: 'member',
           },
+          roles: [{
+            slug: 'member',
+          }],
           groups: nil,
           organization_id: 'org_01FG53X8636WSNW2WEKB2C31ZB',
           custom_attributes: {},
@@ -380,6 +383,9 @@ describe WorkOS::SSO do
           role: {
             slug: 'admin',
           },
+          roles: [{
+            slug: 'admin',
+          }],
           groups: %w[Admins Developers],
           organization_id: 'org_01FG53X8636WSNW2WEKB2C31ZB',
           custom_attributes: {

data/spec/support/fixtures/vcr_cassettes/directory_sync/get_user.yml

@@ -74,7 +74,7 @@ http_interactions:
       - 72abbbf2b93e8ca5-EWR
     body:
       encoding: ASCII-8BIT
-      string: '{"object":"directory_user","id":"directory_user_01FAZYNPC8M0HRYTKFP2GNX852","directory_id":"directory_01FAZYMST676QMTFN1DDJZZX87","organization_id":"org_01FAZWCWR03DVWA83NCJYKKD54","idp_id":"6092c280a3f1e19ef6d8cef8","username":"bob.fakename@workos.com","emails":[{"primary":true,"value":"bob.fakename@workos.com"}],"first_name":"Bob","last_name":"Fakename","job_title":"Developer Success Engineer","state":"active","raw_attributes":{"id":"6092c280a3f1e19ef6d8cef8","name":"Bob
+      string: '{"object":"directory_user","id":"directory_user_01FAZYNPC8M0HRYTKFP2GNX852","directory_id":"directory_01FAZYMST676QMTFN1DDJZZX87","organization_id":"org_01FAZWCWR03DVWA83NCJYKKD54","idp_id":"6092c280a3f1e19ef6d8cef8","username":"bob.fakename@workos.com","emails":[{"primary":true,"value":"bob.fakename@workos.com"}],"first_name":"Bob","last_name":"Fakename","job_title":"Developer Success Engineer","state":"active","role":{"slug":"member"},"roles":[{"slug":"member"}],"raw_attributes":{"id":"6092c280a3f1e19ef6d8cef8","name":"Bob
         Bob Fakename","teams":["5f696c8e9a63a60e965aaca8"],"spokeId":null,"lastName":"Fakename","created_at":"2021-05-05T16:06:24+0000","firstName":"Bob","updated_at":"2021-11-11T05:08:14+0000","workEmail":"bob.fakename@workos.com","department":"Infra","departmentId":"5f27ada9a5e9bc0001a0ae4a"},"custom_attributes":{},"created_at":"2021-07-19T17:57:57.268Z","updated_at":"2022-01-24T11:23:01.614Z","groups":[{"object":"directory_group","id":"directory_group_01FAZYNNQ4HQ6EBF29MPTH7VKB","idp_id":"5f696c8e9a63a60e965aaca8","directory_id":"directory_01FAZYMST676QMTFN1DDJZZX87","organization_id":"org_01FAZWCWR03DVWA83NCJYKKD54","name":"Team
         - Platform","created_at":"2021-07-19T17:57:56.580Z","updated_at":"2022-01-24T11:23:01.333Z","raw_attributes":{"id":"5f696c8e9a63a60e965aaca8","name":"Platform","parent":null}},{"object":"directory_group","id":"directory_group_01FAZYNN1NZWMBRAXXDSTB5NFH","idp_id":"5f27ada9a5e9bc0001a0ae4a","directory_id":"directory_01FAZYMST676QMTFN1DDJZZX87","organization_id":"org_01FAZWCWR03DVWA83NCJYKKD54","name":"Department
         - Infra","role":{"slug":"member"},"created_at":"2021-07-19T17:57:55.893Z","updated_at":"2022-01-24T11:23:01.333Z","raw_attributes":{"id":"5f27ada9a5e9bc0001a0ae4a","name":"Infra","parent":"5f27ada9a5e9bc0001a0ae48"}}]}'

data/spec/support/fixtures/vcr_cassettes/sso/profile.yml

@@ -67,7 +67,7 @@ http_interactions:
       body:
         encoding: UTF-8
         string:
-          '{"object":"profile","id":"prof_01EEJTY9SZ1R350RB7B73SNBKF","organization_id":"org_01FG53X8636WSNW2WEKB2C31ZB","connection_id":"conn_01E83FVYZHY7DM4S9503JHV0R5","connection_type":"GoogleOAuth","idp_id":"116485463307139932699","email":"bob.loblaw@workos.com","first_name":"Bob","last_name":"Loblaw","role":{"slug":"member"},"custom_attributes":{},"raw_attributes":{"hd":"workos.com","id":"116485463307139932699","name":"Bob
+          '{"object":"profile","id":"prof_01EEJTY9SZ1R350RB7B73SNBKF","organization_id":"org_01FG53X8636WSNW2WEKB2C31ZB","connection_id":"conn_01E83FVYZHY7DM4S9503JHV0R5","connection_type":"GoogleOAuth","idp_id":"116485463307139932699","email":"bob.loblaw@workos.com","first_name":"Bob","last_name":"Loblaw","role":{"slug":"member"},"roles":[{"slug":"member"}],"custom_attributes":{},"raw_attributes":{"hd":"workos.com","id":"116485463307139932699","name":"Bob
           Loblaw","email":"bob.loblaw@workos.com","locale":"en","picture":"https://lh3.googleusercontent.com/a-/AOh14GyO2hLlgZvteDQ3Ldi3_-RteZLya0hWH7247Cam=s96-c","given_name":"Bob","family_name":"Loblaw","verified_email":true}}'
       http_version:
     recorded_at: Tue, 18 May 2021 22:55:21 GMT

data/spec/support/profile.txt

@@ -1 +1 @@
-{"profile":{"object":"profile","id":"prof_01DRA1XNSJDZ19A31F183ECQW5","email":"demo@workos-okta.com","first_name":"WorkOS","organization_id":"org_01FG53X8636WSNW2WEKB2C31ZB","connection_id":"conn_01EMH8WAK20T42N2NBMNBCYHAG","connection_type":"OktaSAML","last_name":"Demo","role":{"slug": "admin"},"groups":["Admins","Developers"],"idp_id":"00u1klkowm8EGah2H357","custom_attributes":{"license": "professional"},"raw_attributes":{"id":"prof_01DRA1XNSJDZ19A31F183ECQW5","email":"demo@workos-okta.com","first_name":"WorkOS","last_name":"Demo","groups":["Admins","Developers"],"idp_id":"00u1klkowm8EGah2H357","license": "professional"}},"access_token":"01DVX6QBS3EG6FHY2ESAA5Q65X"}
+{"profile":{"object":"profile","id":"prof_01DRA1XNSJDZ19A31F183ECQW5","email":"demo@workos-okta.com","first_name":"WorkOS","organization_id":"org_01FG53X8636WSNW2WEKB2C31ZB","connection_id":"conn_01EMH8WAK20T42N2NBMNBCYHAG","connection_type":"OktaSAML","last_name":"Demo","role":{"slug": "admin"},"roles":[{"slug": "admin"}],"groups":["Admins","Developers"],"idp_id":"00u1klkowm8EGah2H357","custom_attributes":{"license": "professional"},"raw_attributes":{"id":"prof_01DRA1XNSJDZ19A31F183ECQW5","email":"demo@workos-okta.com","first_name":"WorkOS","last_name":"Demo","groups":["Admins","Developers"],"idp_id":"00u1klkowm8EGah2H357","license": "professional"}},"access_token":"01DVX6QBS3EG6FHY2ESAA5Q65X"}

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: workos
 version: !ruby/object:Gem::Version
-  version: 5.28.0
+  version: 5.30.1
 platform: ruby
 authors:
 - WorkOS
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-11-20 00:00:00.000000000 Z
+date: 2025-12-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: encryptor