workos 5.3.0 → 5.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4e386ae2dd110ea57c1a5c8d15c09c68263dedbee77c6ffa015b84a952d88920
-  data.tar.gz: e5001300c2da182fd3a230e66c7ced29ef937c8f0774cbd51d1f4e8bc9b8ee45
+  metadata.gz: 9c1790feb170b50e199cef2297443aef2021978b3e1fe0c48c28e9b144e4120b
+  data.tar.gz: 1b78e33b06c689280525ffb2f94847a86d17f2c9001ba229a16745511698442f
 SHA512:
-  metadata.gz: d7882eb8eaef394157785a2592bcb616fa2bd4a7b9015b0b8b37c203ea70ccf43b72c5eb10bbde9155938154d9fc3a2ab5f1e630330efd2eeb53f2672bea65fe
-  data.tar.gz: 0fb86220b0b5fe4dbbcdaa24b35586348d961a40c1628b5eebf44926e7c0a0350ea538b3dcc9610e073c654c65ab5f7d9ada0edb4196bc93b8d9994a3739c7f2
+  metadata.gz: d4f641c69ad3f57def5fbb4533aef65a7fd294b59e169e4ef1d141cea58732643417727b1c84d510a3cf379e28f9b4fad931aea6d2c9cf50cf84765be29033d5
+  data.tar.gz: 58f22a8a48d35941994f9877adbc02ed6ec2dd7cf9b6107401156cc8665912a54956e304aa64229ebd5515ddab14977ae293768700171ee7a1593efff272f59d

data/Gemfile.lock

@@ -1,7 +1,9 @@
 PATH
   remote: .
   specs:
-    workos (5.3.0)
+    workos (5.7.0)
+      encryptor (~> 3.0)
+      jwt (~> 2.8)
 
 GEM
   remote: https://rubygems.org/
@@ -9,12 +11,16 @@ GEM
     addressable (2.8.6)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
+    base64 (0.2.0)
     bigdecimal (3.1.7)
     crack (1.0.0)
       bigdecimal
       rexml
     diff-lcs (1.5.1)
+    encryptor (3.0.0)
     hashdiff (1.1.0)
+    jwt (2.8.2)
+      base64
     parallel (1.24.0)
     parser (3.3.0.5)
       ast (~> 2.4.1)

data/lib/workos/authentication_response.rb

@@ -6,10 +6,19 @@ module WorkOS
   class AuthenticationResponse
     include HashProvider
 
-    attr_accessor :user, :organization_id, :impersonator, :access_token, :refresh_token
+    attr_accessor :user,
+                  :organization_id,
+                  :impersonator,
+                  :access_token,
+                  :refresh_token,
+                  :authentication_method,
+                  :sealed_session
 
-    def initialize(authentication_response_json)
+    # rubocop:disable Metrics/AbcSize
+    def initialize(authentication_response_json, session = nil)
       json = JSON.parse(authentication_response_json, symbolize_names: true)
+      @access_token = json[:access_token]
+      @refresh_token = json[:refresh_token]
       @user = WorkOS::User.new(json[:user].to_json)
       @organization_id = json[:organization_id]
       @impersonator =
@@ -17,9 +26,19 @@ module WorkOS
           Impersonator.new(email: impersonator_json[:email],
                            reason: impersonator_json[:reason],)
         end
-      @access_token = json[:access_token]
-      @refresh_token = json[:refresh_token]
+      @authentication_method = json[:authentication_method]
+      @sealed_session =
+        if session && session[:seal_session]
+          WorkOS::Session.seal_data({
+                                      access_token: access_token,
+                                      refresh_token: refresh_token,
+                                      user: user.to_json,
+                                      organization_id: organization_id,
+                                      impersonator: impersonator.to_json,
+                                    }, session[:cookie_password],)
+        end
     end
+    # rubocop:enable Metrics/AbcSize
 
     def to_json(*)
       {
@@ -28,6 +47,8 @@ module WorkOS
         impersonator: impersonator.to_json,
         access_token: access_token,
         refresh_token: refresh_token,
+        authentication_method: authentication_method,
+        sealed_session: sealed_session,
       }
     end
   end

data/lib/workos/organizations.rb

@@ -131,7 +131,7 @@ module WorkOS
         organization:,
         domain_data: nil,
         domains: nil,
-        name:,
+        name: nil,
         allow_profiles_outside_organization: nil
       )
         body = { name: name }

data/lib/workos/refresh_authentication_response.rb

@@ -6,18 +6,41 @@ module WorkOS
   class RefreshAuthenticationResponse
     include HashProvider
 
-    attr_accessor :access_token, :refresh_token
+    attr_accessor :user, :organization_id, :impersonator, :access_token, :refresh_token, :sealed_session
 
-    def initialize(authentication_response_json)
+    # rubocop:disable Metrics/AbcSize
+    def initialize(authentication_response_json, session = nil)
       json = JSON.parse(authentication_response_json, symbolize_names: true)
       @access_token = json[:access_token]
       @refresh_token = json[:refresh_token]
+      @user = WorkOS::User.new(json[:user].to_json)
+      @organization_id = json[:organization_id]
+      @impersonator =
+        if (impersonator_json = json[:impersonator])
+          Impersonator.new(email: impersonator_json[:email],
+                           reason: impersonator_json[:reason],)
+        end
+      @sealed_session =
+        if session && session[:seal_session]
+          WorkOS::Session.seal_data({
+                                      access_token: access_token,
+                                      refresh_token: refresh_token,
+                                      user: user.to_json,
+                                      organization_id: organization_id,
+                                      impersonator: impersonator.to_json,
+                                    }, session[:cookie_password],)
+        end
     end
+    # rubocop:enable Metrics/AbcSize
 
     def to_json(*)
       {
+        user: user.to_json,
+        organization_id: organization_id,
+        impersonator: impersonator.to_json,
         access_token: access_token,
         refresh_token: refresh_token,
+        sealed_session: sealed_session,
       }
     end
   end

data/lib/workos/session.rb

@@ -0,0 +1,183 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'uri'
+require 'net/http'
+require 'encryptor'
+require 'securerandom'
+require 'json'
+require 'uri'
+
+module WorkOS
+  # The Session class provides helper methods for working with WorkOS sessions
+  # This class is not meant to be instantiated in a user space, and is instantiated internally but exposed.
+  # rubocop:disable Metrics/ClassLength
+  class Session
+    attr_accessor :jwks, :jwks_algorithms, :user_management, :cookie_password, :session_data, :client_id
+
+    def initialize(user_management:, client_id:, session_data:, cookie_password:)
+      raise ArgumentError, 'cookiePassword is required' if cookie_password.nil? || cookie_password.empty?
+
+      @user_management = user_management
+      @cookie_password = cookie_password
+      @session_data = session_data
+      @client_id = client_id
+
+      @jwks = create_remote_jwk_set(URI(@user_management.get_jwks_url(client_id)))
+      @jwks_algorithms = @jwks.map { |key| key[:alg] }.compact.uniq
+    end
+
+    # Authenticates the user based on the session data
+    # @return [Hash] A hash containing the authentication response and a reason if the authentication failed
+    def authenticate
+      return { authenticated: false, reason: 'NO_SESSION_COOKIE_PROVIDED' } if @session_data.nil?
+
+      begin
+        session = Session.unseal_data(@session_data, @cookie_password)
+      rescue StandardError
+        return { authenticated: false, reason: 'INVALID_SESSION_COOKIE' }
+      end
+
+      return { authenticated: false, reason: 'INVALID_SESSION_COOKIE' } unless session[:access_token]
+      return { authenticated: false, reason: 'INVALID_JWT' } unless is_valid_jwt(session[:access_token])
+
+      decoded = JWT.decode(session[:access_token], nil, true, algorithms: @jwks_algorithms, jwks: @jwks).first
+
+      {
+        authenticated: true,
+        session_id: decoded['sid'],
+        organization_id: decoded['org_id'],
+        role: decoded['role'],
+        permissions: decoded['permissions'],
+        user: session[:user],
+        impersonator: session[:impersonator],
+        reason: nil,
+      }
+    end
+
+    # Refreshes the session data using the refresh token stored in the session data
+    # @param options [Hash] Options for refreshing the session
+    # @option options [String] :cookie_password The password to use for unsealing the session data
+    # @option options [String] :organization_id The organization ID to use for refreshing the session
+    # @return [Hash] A hash containing a new sealed session, the authentication response,
+    # and a reason if the refresh failed
+    # rubocop:disable Metrics/AbcSize
+    # rubocop:disable Metrics/CyclomaticComplexity
+    # rubocop:disable Metrics/PerceivedComplexity
+    def refresh(options = nil)
+      cookie_password = options.nil? || options[:cookie_password].nil? ? @cookie_password : options[:cookie_password]
+
+      begin
+        session = Session.unseal_data(@session_data, cookie_password)
+      rescue StandardError
+        return { authenticated: false, reason: 'INVALID_SESSION_COOKIE' }
+      end
+
+      return { authenticated: false, reason: 'INVALID_SESSION_COOKIE' } unless session[:refresh_token] && session[:user]
+
+      begin
+        auth_response = @user_management.authenticate_with_refresh_token(
+          client_id: @client_id,
+          refresh_token: session[:refresh_token],
+          organization_id: options.nil? || options[:organization_id].nil? ? nil : options[:organization_id],
+          session: { seal_session: true, cookie_password: cookie_password },
+        )
+
+        @session_data = auth_response.sealed_session
+        @cookie_password = cookie_password
+
+        {
+          authenticated: true,
+          sealed_session: auth_response.sealed_session,
+          session: auth_response,
+          reason: nil,
+        }
+      rescue StandardError => e
+        { authenticated: false, reason: e.message }
+      end
+    end
+    # rubocop:enable Metrics/AbcSize
+    # rubocop:enable Metrics/CyclomaticComplexity
+    # rubocop:enable Metrics/PerceivedComplexity
+
+    # Returns a URL to redirect the user to for logging out
+    # @return [String] The URL to redirect the user to for logging out
+    # rubocop:disable Naming/AccessorMethodName
+    def get_logout_url
+      auth_response = authenticate
+
+      unless auth_response[:authenticated]
+        raise "Failed to extract session ID for logout URL: #{auth_response[:reason]}"
+      end
+
+      @user_management.get_logout_url(session_id: auth_response[:session_id])
+    end
+    # rubocop:enable Naming/AccessorMethodName
+
+    # Encrypts and seals data using AES-256-GCM
+    # @param data [Hash] The data to seal
+    # @param key [String] The key to use for encryption
+    # @return [String] The sealed data
+    def self.seal_data(data, key)
+      iv = SecureRandom.random_bytes(12)
+
+      encrypted_data = Encryptor.encrypt(
+        value: JSON.generate(data),
+        key: key,
+        iv: iv,
+        algorithm: 'aes-256-gcm',
+      )
+      Base64.encode64(iv + encrypted_data) # Combine IV with encrypted data and encode as base64
+    end
+
+    # Decrypts and unseals data using AES-256-GCM
+    # @param sealed_data [String] The sealed data to unseal
+    # @param key [String] The key to use for decryption
+    # @return [Hash] The unsealed data
+    def self.unseal_data(sealed_data, key)
+      decoded_data = Base64.decode64(sealed_data)
+      iv = decoded_data[0..11] # Extract the IV (first 12 bytes)
+      encrypted_data = decoded_data[12..-1] # Extract the encrypted data
+
+      decrypted_data = Encryptor.decrypt(
+        value: encrypted_data,
+        key: key,
+        iv: iv,
+        algorithm: 'aes-256-gcm',
+      )
+
+      JSON.parse(decrypted_data, symbolize_names: true) # Parse the decrypted JSON string back to original data
+    end
+
+    private
+
+    # Creates a JWKS set from a remote JWKS URL
+    # @param uri [URI] The URI of the JWKS
+    # @return [JWT::JWK::Set] The JWKS set
+    def create_remote_jwk_set(uri)
+      # Fetch the JWKS from the remote URL
+      response = Net::HTTP.get(uri)
+
+      jwks_hash = JSON.parse(response)
+      jwks = JWT::JWK::Set.new(jwks_hash)
+
+      # filter jwks so it only returns the keys where 'use' is equal to 'sig'
+      jwks.keys.select! { |key| key[:use] == 'sig' }
+
+      jwks
+    end
+
+    # Validates a JWT token using the JWKS set
+    # @param token [String] The JWT token to validate
+    # @return [Boolean] True if the token is valid, false otherwise
+    # rubocop:disable Naming/PredicateName
+    def is_valid_jwt(token)
+      JWT.decode(token, nil, true, algorithms: @jwks_algorithms, jwks: @jwks)
+      true
+    rescue StandardError
+      false
+    end
+    # rubocop:enable Naming/PredicateName
+  end
+  # rubocop:enable Metrics/ClassLength
+end

data/lib/workos/types/intent.rb

@@ -6,11 +6,12 @@ module WorkOS
     # intents while generating an Admin Portal link.
     module Intent
       AUDIT_LOGS = 'audit_logs'
+      CERTIFICATE_RENEWAL = 'certificate_renewal'
       DSYNC = 'dsync'
       LOG_STREAMS = 'log_streams'
       SSO = 'sso'
 
-      ALL = [AUDIT_LOGS, DSYNC, LOG_STREAMS, SSO].freeze
+      ALL = [AUDIT_LOGS, CERTIFICATE_RENEWAL, DSYNC, LOG_STREAMS, SSO].freeze
     end
   end
 end

data/lib/workos/types/provider.rb

@@ -10,7 +10,7 @@ module WorkOS
       Google = 'GoogleOAuth'
       Microsoft = 'MicrosoftOAuth'
 
-      ALL = [GitHub, Google, Microsoft].freeze
+      ALL = [Apple, GitHub, Google, Microsoft].freeze
     end
   end
 end

data/lib/workos/user_management.rb

@@ -19,7 +19,7 @@ module WorkOS
         Microsoft = 'MicrosoftOAuth'
         AuthKit = 'authkit'
 
-        ALL = [GitHub, Google, Microsoft, AuthKit].freeze
+        ALL = [Apple, GitHub, Google, Microsoft, AuthKit].freeze
       end
 
       # The AuthFactorType is a declaration of a
@@ -37,6 +37,22 @@ module WorkOS
       PROVIDERS = WorkOS::UserManagement::Types::Provider::ALL
       AUTH_FACTOR_TYPES = WorkOS::UserManagement::Types::AuthFactorType::ALL
 
+      # Load a sealed session
+      #
+      # @param [String] client_id The WorkOS client ID for the environment
+      # @param [String] session_data The sealed session data
+      # @param [String] cookie_password The password used to seal the session
+      #
+      # @return WorkOS::Session
+      def load_sealed_session(client_id:, session_data:, cookie_password:)
+        WorkOS::Session.new(
+          user_management: self,
+          client_id: client_id,
+          session_data: session_data,
+          cookie_password: cookie_password,
+        )
+      end
+
       # Generate an OAuth 2.0 authorization URL that automatically directs a user
       # to their Identity Provider.
       #
@@ -289,14 +305,21 @@ module WorkOS
       # @param [String] client_id The WorkOS client ID for the environment
       # @param [String] ip_address The IP address of the request from the user who is attempting to authenticate.
       # @param [String] user_agent The user agent of the request from the user who is attempting to authenticate.
+      # @param [Hash] session An optional hash that determines whether the session should be sealed and
+      # the optional cookie password.
       #
       # @return WorkOS::AuthenticationResponse
       def authenticate_with_code(
         code:,
         client_id:,
         ip_address: nil,
-        user_agent: nil
+        user_agent: nil,
+        session: nil
       )
+        if session && (session[:seal_session] == true) && session[:cookie_password].nil?
+          raise ArgumentError, 'cookie_password is required when sealing session'
+        end
+
         response = execute_request(
           request: post_request(
             path: '/user_management/authenticate',
@@ -311,23 +334,32 @@ module WorkOS
           ),
         )
 
-        WorkOS::AuthenticationResponse.new(response.body)
+        WorkOS::AuthenticationResponse.new(response.body, session)
       end
 
       # Authenticate a user using a refresh token.
       #
       # @param [String] refresh_token The refresh token previously obtained from a successful authentication call
       # @param [String] client_id The WorkOS client ID for the environment
+      # @param [String] organization_id The organization to issue the new access token for. (Optional)
       # @param [String] ip_address The IP address of the request from the user who is attempting to authenticate.
       # @param [String] user_agent The user agent of the request from the user who is attempting to authenticate.
+      # @param [Hash] session An optional hash that determines whether the session should be sealed and
+      # the optional cookie password.
       #
       # @return WorkOS::RefreshAuthenticationResponse
       def authenticate_with_refresh_token(
         refresh_token:,
         client_id:,
+        organization_id: nil,
         ip_address: nil,
-        user_agent: nil
+        user_agent: nil,
+        session: nil
       )
+        if session && (session[:seal_session] == true) && session[:cookie_password].nil?
+          raise ArgumentError, 'cookie_password is required when sealing session'
+        end
+
         response = execute_request(
           request: post_request(
             path: '/user_management/authenticate',
@@ -338,11 +370,12 @@ module WorkOS
               ip_address: ip_address,
               user_agent: user_agent,
               grant_type: 'refresh_token',
+              organization_id: organization_id,
             },
           ),
         )
 
-        WorkOS::RefreshAuthenticationResponse.new(response.body)
+        WorkOS::RefreshAuthenticationResponse.new(response.body, session)
       end
 
       # Authenticate user by Magic Auth Code.

data/lib/workos/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WorkOS
-  VERSION = '5.3.0'
+  VERSION = '5.7.0'
 end

data/lib/workos.rb

@@ -71,6 +71,7 @@ module WorkOS
   autoload :Profile, 'workos/profile'
   autoload :ProfileAndToken, 'workos/profile_and_token'
   autoload :RefreshAuthenticationResponse, 'workos/refresh_authentication_response'
+  autoload :Session, 'workos/session'
   autoload :SSO, 'workos/sso'
   autoload :Types, 'workos/types'
   autoload :User, 'workos/user'

data/spec/lib/workos/organizations_spec.rb

@@ -267,7 +267,7 @@ describe WorkOS::Organizations do
 
   describe '.update_organization' do
     context 'with valid payload' do
-      it 'creates an organization' do
+      it 'updates the organization' do
         VCR.use_cassette 'organization/update' do
           organization = described_class.update_organization(
             organization: 'org_01F6Q6TFP7RD2PF6J03ANNWDKV',
@@ -275,6 +275,20 @@ describe WorkOS::Organizations do
             name: 'Test Organization',
           )
 
+          expect(organization.id).to eq('org_01F6Q6TFP7RD2PF6J03ANNWDKV')
+          expect(organization.name).to eq('Test Organization')
+          expect(organization.domains.first[:domain]).to eq('example.me')
+        end
+      end
+    end
+    context 'without a name' do
+      it 'updates the organization' do
+        VCR.use_cassette 'organization/update_without_name' do
+          organization = described_class.update_organization(
+            organization: 'org_01F6Q6TFP7RD2PF6J03ANNWDKV',
+            domains: ['example.me'],
+          )
+
           expect(organization.id).to eq('org_01F6Q6TFP7RD2PF6J03ANNWDKV')
           expect(organization.name).to eq('Test Organization')
           expect(organization.domains.first[:domain]).to eq('example.me')

data/spec/lib/workos/portal_spec.rb

@@ -51,6 +51,21 @@ describe WorkOS::Portal do
           end
         end
       end
+
+      describe 'with the certificate_renewal intent' do
+        it 'returns an Admin Portal link' do
+          VCR.use_cassette 'portal/generate_link_certificate_renewal', match_requests_on: %i[path body] do
+            portal_link = described_class.generate_link(
+              intent: 'certificate_renewal',
+              organization: organization,
+            )
+
+            expect(portal_link).to eq(
+              'https://id.workos.com/portal/launch?secret=secret',
+            )
+          end
+        end
+      end
     end
 
     describe 'with an invalid organization' do

data/spec/lib/workos/session_spec.rb

@@ -0,0 +1,214 @@
+# frozen_string_literal: true
+
+describe WorkOS::Session do
+  let(:user_management) { instance_double('UserManagement') }
+  let(:client_id) { 'test_client_id' }
+  let(:cookie_password) { 'test_very_long_cookie_password__' }
+  let(:session_data) { 'test_session_data' }
+  let(:jwks_url) { 'https://api.workos.com/sso/jwks/client_123' }
+  let(:jwks_hash) { '{"keys":[{"alg":"RS256","kty":"RSA","use":"sig","n":"test_n","e":"AQAB","kid":"sso_oidc_key_pair_123","x5c":["test"],"x5t#S256":"test"}]}' } # rubocop:disable all
+  let(:jwk) { JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), { kid: 'sso_oidc_key_pair_123', use: 'sig', alg: 'RS256' }) }
+
+  before do
+    allow(user_management).to receive(:get_jwks_url).with(client_id).and_return(jwks_url)
+    allow(Net::HTTP).to receive(:get).and_return(jwks_hash)
+  end
+
+  describe 'initialize' do
+    it 'raises an error if cookie_password is nil or empty' do
+      expect do
+        WorkOS::Session.new(
+          user_management: user_management,
+          client_id: client_id,
+          session_data: session_data,
+          cookie_password: nil,
+        )
+      end.to raise_error(ArgumentError, 'cookiePassword is required')
+
+      expect do
+        WorkOS::Session.new(
+          user_management: user_management,
+          client_id: client_id,
+          session_data: session_data,
+          cookie_password: '',
+        )
+      end.to raise_error(ArgumentError, 'cookiePassword is required')
+    end
+
+    it 'initializes with valid parameters' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: session_data,
+        cookie_password: cookie_password,
+      )
+      expect(session.user_management).to eq(user_management)
+      expect(session.client_id).to eq(client_id)
+      expect(session.session_data).to eq(session_data)
+      expect(session.cookie_password).to eq(cookie_password)
+      expect(session.jwks.map(&:export)).to eq(JSON.parse(jwks_hash, symbolize_names: true)[:keys])
+      expect(session.jwks_algorithms).to eq(['RS256'])
+    end
+  end
+
+  describe '.authenticate' do
+    let(:valid_access_token) do
+      payload = {
+        sid: 'session_id',
+        org_id: 'org_id',
+        role: 'role',
+        permissions: ['read'],
+        exp: Time.now.to_i + 3600,
+      }
+      headers = { kid: jwk[:kid] }
+      JWT.encode(payload, jwk.signing_key, jwk[:alg], headers)
+    end
+    let(:session_data) do
+  WorkOS::Session.seal_data({
+                              access_token: valid_access_token,
+                              user: 'user',
+                              impersonator: 'impersonator',
+                            }, cookie_password,)
+end
+
+    it 'returns NO_SESSION_COOKIE_PROVIDED if session_data is nil' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: nil,
+        cookie_password: cookie_password,
+      )
+      result = session.authenticate
+      expect(result).to eq({ authenticated: false, reason: 'NO_SESSION_COOKIE_PROVIDED' })
+    end
+
+    it 'returns INVALID_SESSION_COOKIE if session_data is invalid' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: 'invalid_data',
+        cookie_password: cookie_password,
+      )
+      result = session.authenticate
+      expect(result).to eq({ authenticated: false, reason: 'INVALID_SESSION_COOKIE' })
+    end
+
+    it 'returns INVALID_JWT if access_token is invalid' do
+      invalid_session_data = WorkOS::Session.seal_data({ access_token: 'invalid_token' }, cookie_password)
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: invalid_session_data,
+        cookie_password: cookie_password,
+      )
+      result = session.authenticate
+      expect(result).to eq({ authenticated: false, reason: 'INVALID_JWT' })
+    end
+
+    it 'authenticates successfully with valid session_data' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: session_data,
+        cookie_password: cookie_password,
+      )
+      allow(session).to receive(:is_valid_jwt).and_return(true)
+      allow(JWT).to receive(:decode).and_return([{
+                                                  'sid' => 'session_id',
+                                                  'org_id' => 'org_id',
+                                                  'role' => 'role',
+                                                  'permissions' => ['read'],
+                                                }])
+
+      result = session.authenticate
+      expect(result).to eq({
+                             authenticated: true,
+                             session_id: 'session_id',
+                             organization_id: 'org_id',
+                             role: 'role',
+                             permissions: ['read'],
+                             user: 'user',
+                             impersonator: 'impersonator',
+                             reason: nil,
+                           })
+    end
+  end
+
+  describe '.refresh' do
+    let(:refresh_token) { 'test_refresh_token' }
+    let(:session_data) { WorkOS::Session.seal_data({ refresh_token: refresh_token, user: 'user' }, cookie_password) }
+    let(:auth_response) { double('AuthResponse', sealed_session: 'new_sealed_session') }
+
+    before do
+      allow(user_management).to receive(:authenticate_with_refresh_token).and_return(auth_response)
+    end
+
+    it 'returns INVALID_SESSION_COOKIE if session_data is invalid' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: 'invalid_data',
+        cookie_password: cookie_password,
+      )
+      result = session.refresh
+      expect(result).to eq({ authenticated: false, reason: 'INVALID_SESSION_COOKIE' })
+    end
+
+    it 'refreshes the session successfully with valid session_data' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: session_data,
+        cookie_password: cookie_password,
+      )
+      result = session.refresh
+      expect(result).to eq({
+                             authenticated: true,
+                             sealed_session: 'new_sealed_session',
+                             session: auth_response,
+                             reason: nil,
+                           })
+    end
+  end
+
+  describe '.get_logout_url' do
+    let(:session) do
+    WorkOS::Session.new(
+      user_management: user_management,
+      client_id: client_id,
+      session_data: session_data,
+      cookie_password: cookie_password,
+    )
+  end
+
+    context 'when authentication is successful' do
+      before do
+        allow(session).to receive(:authenticate).and_return({
+                                                              authenticated: true,
+                                                              session_id: 'session_id',
+                                                              reason: nil,
+                                                            })
+        allow(user_management).to receive(:get_logout_url).with(session_id: 'session_id').and_return('https://example.com/logout')
+      end
+
+      it 'returns the logout URL' do
+        expect(session.get_logout_url).to eq('https://example.com/logout')
+      end
+    end
+
+    context 'when authentication fails' do
+      before do
+        allow(session).to receive(:authenticate).and_return({
+                                                              authenticated: false,
+                                                              reason: 'Invalid session',
+                                                            })
+      end
+
+      it 'raises an error' do
+        expect { session.get_logout_url }.to raise_error(
+          RuntimeError, 'Failed to extract session ID for logout URL: Invalid session',
+        )
+      end
+    end
+  end
+end

data/spec/lib/workos/sso_spec.rb

@@ -281,7 +281,8 @@ describe WorkOS::SSO do
           described_class.authorization_url(**args)
         end.to raise_error(
           ArgumentError,
-          'Okta is not a valid value. `provider` must be in ["GitHubOAuth", "GoogleOAuth", "MicrosoftOAuth"]',
+          'Okta is not a valid value. `provider` must be in ' \
+          '["AppleOAuth", "GitHubOAuth", "GoogleOAuth", "MicrosoftOAuth"]',
         )
       end
     end

data/spec/lib/workos/user_management_spec.rb

@@ -213,7 +213,7 @@ describe WorkOS::UserManagement do
         end.to raise_error(
           ArgumentError,
           'Okta is not a valid value. `provider` must be in ' \
-          '["GitHubOAuth", "GoogleOAuth", "MicrosoftOAuth", "authkit"]',
+          '["AppleOAuth", "GitHubOAuth", "GoogleOAuth", "MicrosoftOAuth", "authkit"]',
         )
       end
     end
@@ -467,6 +467,7 @@ describe WorkOS::UserManagement do
           )
           expect(authentication_response.access_token).to eq('<ACCESS_TOKEN>')
           expect(authentication_response.refresh_token).to eq('<REFRESH_TOKEN>')
+          expect(authentication_response.user.id).to eq('user_01H93WD0R0KWF8Q7BK02C0RPYJ')
         end
       end
     end

data/spec/support/fixtures/vcr_cassettes/organization/update_without_name.yml

@@ -0,0 +1,85 @@
+---
+http_interactions:
+  - request:
+      method: put
+      uri: https://api.workos.com/organizations/org_01F6Q6TFP7RD2PF6J03ANNWDKV
+      body:
+        encoding: UTF-8
+        string: '{"domains":["example.me"]}'
+      headers:
+        Content-Type:
+          - application/json
+        Accept-Encoding:
+          - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+        Accept:
+          - "*/*"
+        User-Agent:
+          - WorkOS; ruby/3.0.1; x86_64-darwin19; v1.4.0
+        Authorization:
+          - Bearer <API_KEY>
+    response:
+      status:
+        code: 200
+        message: OK
+      headers:
+        Date:
+          - Mon, 09 Aug 2021 21:53:34 GMT
+        Content-Type:
+          - application/json; charset=utf-8
+        Transfer-Encoding:
+          - chunked
+        Connection:
+          - keep-alive
+        Vary:
+          - Origin, Accept-Encoding
+        Access-Control-Allow-Credentials:
+          - "true"
+        Content-Security-Policy:
+          - "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self'
+            https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src
+            'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
+        X-Dns-Prefetch-Control:
+          - "off"
+        Expect-Ct:
+          - max-age=0
+        X-Frame-Options:
+          - SAMEORIGIN
+        Strict-Transport-Security:
+          - max-age=15552000; includeSubDomains
+        X-Download-Options:
+          - noopen
+        X-Content-Type-Options:
+          - nosniff
+        X-Permitted-Cross-Domain-Policies:
+          - none
+        Referrer-Policy:
+          - no-referrer
+        X-Xss-Protection:
+          - "0"
+        X-Request-Id:
+          - b8c5da9a-d1f7-470c-abbd-a2de3f2edf77
+        Etag:
+          - W/"11a-SLpC9UGp2O5SWQr5VJZSNCpOF/Q"
+        Via:
+          - 1.1 vegur
+        Cf-Cache-Status:
+          - DYNAMIC
+        Report-To:
+          - '{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jh1EtP1h1CwA2nWmx0cvFGD5NdEiga3dbTCmcQH%2BgrdDPGqko8R8mehU9ywQ%2BW1AKKTGWbmRNHiRXpVhaJTNrULEuLt9TpGVoDH0IrixJhVS4N0Czi7n2UfPL0m684giLJtD2t7EVEj1XeeLlQ%3D%3D"}],"group":"cf-nel","max_age":604800}'
+        Nel:
+          - '{"success_fraction":0,"report_to":"cf-nel","max_age":604800}'
+        Server:
+          - cloudflare
+        Cf-Ray:
+          - 67c437cdde060bb8-DFW
+        Alt-Svc:
+          - h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443";
+            ma=86400
+      body:
+        encoding: ASCII-8BIT
+        string:
+          '{"object":"organization","id":"org_01F6Q6TFP7RD2PF6J03ANNWDKV","name":"Test
+          Organization","allow_profiles_outside_organization":false,"created_at":"2021-05-27T15:24:25.670Z","updated_at":"2021-08-09T21:53:34.525Z","domains":[{"object":"organization_domain","id":"org_domain_01FCPEG7BAYMQ4CHMG41Y2VNHF","domain":"example.me"}]}'
+      http_version:
+    recorded_at: Mon, 09 Aug 2021 21:53:34 GMT
+recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/portal/generate_link_certificate_renewal.yml

@@ -0,0 +1,72 @@
+---
+http_interactions:
+- request:
+    method: post
+    uri: https://api.workos.com/portal/generate_link
+    body:
+      encoding: UTF-8
+      string: '{"intent":"certificate_renewal","organization":"org_01EHQMYV6MBK39QC5PZXHY59C3","return_url":null,"success_url":null}'
+    headers:
+      Content-Type:
+      - application/json
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - WorkOS; ruby/2.7.1; x86_64-darwin19; v0.5.0
+      Authorization:
+      - Bearer <API_KEY>
+  response:
+    status:
+      code: 201
+      message: Created
+    headers:
+      Server:
+      - Cowboy
+      Connection:
+      - keep-alive
+      Vary:
+      - Origin, Accept-Encoding
+      Access-Control-Allow-Credentials:
+      - 'true'
+      Content-Security-Policy:
+      - 'default-src ''self'';base-uri ''self'';block-all-mixed-content;font-src ''self''
+        https: data:;frame-ancestors ''self'';img-src ''self'' data:;object-src ''none'';script-src
+        ''self'';script-src-attr ''none'';style-src ''self'' https: ''unsafe-inline'';upgrade-insecure-requests'
+      X-Dns-Prefetch-Control:
+      - 'off'
+      Expect-Ct:
+      - max-age=0
+      X-Frame-Options:
+      - SAMEORIGIN
+      Strict-Transport-Security:
+      - max-age=15552000; includeSubDomains
+      X-Download-Options:
+      - noopen
+      X-Content-Type-Options:
+      - nosniff
+      X-Permitted-Cross-Domain-Policies:
+      - none
+      Referrer-Policy:
+      - no-referrer
+      X-Xss-Protection:
+      - '0'
+      X-Request-Id:
+      - cb9ad5cf-243a-4084-a4f6-2d7d2b097b8b
+      Content-Type:
+      - application/json; charset=utf-8
+      Content-Length:
+      - '79'
+      Etag:
+      - W/"4f-NN86NUZRu/GQgPAYTexTS6/9DnM"
+      Date:
+      - Wed, 09 Sep 2020 23:43:07 GMT
+      Via:
+      - 1.1 vegur
+    body:
+      encoding: UTF-8
+      string: '{"link":"https://id.workos.com/portal/launch?secret=secret"}'
+    http_version:
+  recorded_at: Wed, 09 Sep 2020 23:43:07 GMT
+recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_refresh_token/valid.yml

@@ -1,81 +1,82 @@
 ---
 http_interactions:
-- request:
-    method: post
-    uri: https://api.workos.com/user_management/authenticate
-    body:
-      encoding: UTF-8
-      string: '{"refresh_token":"some_refresh_token","client_id":"client_123","client_secret":"<API_KEY>","ip_address":"200.240.210.16","user_agent":"Mozilla/5.0
-        (Macintosh; Intel Mac OS X 10_15_7) Chrome/108.0.0.0 Safari/537.36","grant_type":"refresh_token"}'
-    headers:
-      Content-Type:
-      - application/json
-      Accept-Encoding:
-      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
-      Accept:
-      - "*/*"
-      User-Agent:
-      - WorkOS; ruby/3.2.2; arm64-darwin22; v4.0.0
-  response:
-    status:
-      code: 200
-      message: OK
-    headers:
-      Date:
-      - Mon, 18 Mar 2024 19:00:53 GMT
-      Content-Type:
-      - application/json; charset=utf-8
-      Transfer-Encoding:
-      - chunked
-      Connection:
-      - keep-alive
-      Cf-Ray:
-      - 866777d63b4627e8-SLC
-      Cf-Cache-Status:
-      - DYNAMIC
-      Etag:
-      - W/"335-M3MDQYhs5724SayBHHCwnBDn3qA"
-      Strict-Transport-Security:
-      - max-age=15552000; includeSubDomains
-      Vary:
-      - Origin, Accept-Encoding
-      Via:
-      - 1.1 spaces-router (devel)
-      Access-Control-Allow-Credentials:
-      - 'true'
-      Content-Security-Policy:
-      - 'default-src ''self'';base-uri ''self'';block-all-mixed-content;font-src ''self''
-        https: data:;frame-ancestors ''self'';img-src ''self'' data:;object-src ''none'';script-src
-        ''self'';script-src-attr ''none'';style-src ''self'' https: ''unsafe-inline'';upgrade-insecure-requests'
-      Expect-Ct:
-      - max-age=0
-      Referrer-Policy:
-      - no-referrer
-      X-Content-Type-Options:
-      - nosniff
-      X-Dns-Prefetch-Control:
-      - 'off'
-      X-Download-Options:
-      - noopen
-      X-Frame-Options:
-      - SAMEORIGIN
-      X-Permitted-Cross-Domain-Policies:
-      - none
-      X-Request-Id:
-      - 995ed1ed-e892-4049-86c9-0e07baa6cc4b
-      X-Xss-Protection:
-      - '0'
-      Set-Cookie:
-      - __cf_bm=2NHqv1cd1BisOc8KKcQ0oNzFxZZT4OHQd6c2QDuGnUU-1710788453-1.0.1.1-4BxBRzVrhL7rCH895PcfORXr_6Rnj3Oh5w1YG4xi7X1st62LMzb5dHZO7u7P.V1P8nBDAAt3Wbz7xsDTWrfWJg;
-        path=/; expires=Mon, 18-Mar-24 19:30:53 GMT; domain=.workos.com; HttpOnly;
-        Secure; SameSite=None
-      - __cfruid=06035c17e9b60a1d7a42a5b568146a0bb71a06dc-1710788453; path=/; domain=.workos.com;
-        HttpOnly; Secure; SameSite=None
-      Server:
-      - cloudflare
-    body:
-      encoding: UTF-8
-      string: '{"access_token":"<ACCESS_TOKEN>","refresh_token":"<REFRESH_TOKEN>"}'
-    http_version:
-  recorded_at: Mon, 18 Mar 2024 19:00:53 GMT
+  - request:
+      method: post
+      uri: https://api.workos.com/user_management/authenticate
+      body:
+        encoding: UTF-8
+        string:
+          '{"refresh_token":"some_refresh_token","client_id":"client_123","client_secret":"<API_KEY>","ip_address":"200.240.210.16","user_agent":"Mozilla/5.0
+          (Macintosh; Intel Mac OS X 10_15_7) Chrome/108.0.0.0 Safari/537.36","grant_type":"refresh_token"}'
+      headers:
+        Content-Type:
+          - application/json
+        Accept-Encoding:
+          - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+        Accept:
+          - '*/*'
+        User-Agent:
+          - WorkOS; ruby/3.2.2; arm64-darwin22; v4.0.0
+    response:
+      status:
+        code: 200
+        message: OK
+      headers:
+        Date:
+          - Mon, 18 Mar 2024 19:00:53 GMT
+        Content-Type:
+          - application/json; charset=utf-8
+        Transfer-Encoding:
+          - chunked
+        Connection:
+          - keep-alive
+        Cf-Ray:
+          - 866777d63b4627e8-SLC
+        Cf-Cache-Status:
+          - DYNAMIC
+        Etag:
+          - W/"335-M3MDQYhs5724SayBHHCwnBDn3qA"
+        Strict-Transport-Security:
+          - max-age=15552000; includeSubDomains
+        Vary:
+          - Origin, Accept-Encoding
+        Via:
+          - 1.1 spaces-router (devel)
+        Access-Control-Allow-Credentials:
+          - 'true'
+        Content-Security-Policy:
+          - "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self'
+            https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src
+            'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
+        Expect-Ct:
+          - max-age=0
+        Referrer-Policy:
+          - no-referrer
+        X-Content-Type-Options:
+          - nosniff
+        X-Dns-Prefetch-Control:
+          - 'off'
+        X-Download-Options:
+          - noopen
+        X-Frame-Options:
+          - SAMEORIGIN
+        X-Permitted-Cross-Domain-Policies:
+          - none
+        X-Request-Id:
+          - 995ed1ed-e892-4049-86c9-0e07baa6cc4b
+        X-Xss-Protection:
+          - '0'
+        Set-Cookie:
+          - __cf_bm=2NHqv1cd1BisOc8KKcQ0oNzFxZZT4OHQd6c2QDuGnUU-1710788453-1.0.1.1-4BxBRzVrhL7rCH895PcfORXr_6Rnj3Oh5w1YG4xi7X1st62LMzb5dHZO7u7P.V1P8nBDAAt3Wbz7xsDTWrfWJg;
+            path=/; expires=Mon, 18-Mar-24 19:30:53 GMT; domain=.workos.com; HttpOnly;
+            Secure; SameSite=None
+          - __cfruid=06035c17e9b60a1d7a42a5b568146a0bb71a06dc-1710788453; path=/; domain=.workos.com;
+            HttpOnly; Secure; SameSite=None
+        Server:
+          - cloudflare
+      body:
+        encoding: UTF-8
+        string: '{"user":{"object":"user","id":"user_01H93WD0R0KWF8Q7BK02C0RPYJ","email":"test@workos.app","email_verified":true,"first_name":"Lucille","last_name":"Bluth","created_at":"2023-08-30T18:48:26.517Z","updated_at":"2023-08-30T18:58:00.821Z","user_type":"unmanaged","email_verified_at":"2023-08-30T18:58:00.915Z","google_oauth_profile_id":null,"microsoft_oauth_profile_id":null},"access_token":"<ACCESS_TOKEN>","refresh_token":"<REFRESH_TOKEN>"}'
+      http_version:
+    recorded_at: Mon, 18 Mar 2024 19:00:53 GMT
 recorded_with: VCR 5.0.0

data/workos.gemspec

@@ -21,6 +21,9 @@ Gem::Specification.new do |spec|
   spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
 
+  spec.add_dependency 'encryptor', '~> 3.0'
+  spec.add_dependency 'jwt', '~> 2.8'
+
   spec.add_development_dependency 'bundler', '>= 2.0.1'
   spec.add_development_dependency 'rspec', '~> 3.9.0'
   spec.add_development_dependency 'rubocop', '~> 0.77'

metadata

@@ -1,15 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: workos
 version: !ruby/object:Gem::Version
-  version: 5.3.0
+  version: 5.7.0
 platform: ruby
 authors:
 - WorkOS
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-07-19 00:00:00.000000000 Z
+date: 2024-08-29 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: encryptor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.8'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -137,6 +165,7 @@ files:
 - lib/workos/profile.rb
 - lib/workos/profile_and_token.rb
 - lib/workos/refresh_authentication_response.rb
+- lib/workos/session.rb
 - lib/workos/sso.rb
 - lib/workos/types.rb
 - lib/workos/types/intent.rb
@@ -161,6 +190,7 @@ files:
 - spec/lib/workos/organizations_spec.rb
 - spec/lib/workos/passwordless_spec.rb
 - spec/lib/workos/portal_spec.rb
+- spec/lib/workos/session_spec.rb
 - spec/lib/workos/sso_spec.rb
 - spec/lib/workos/user_management_spec.rb
 - spec/lib/workos/webhooks_spec.rb
@@ -235,11 +265,13 @@ files:
 - spec/support/fixtures/vcr_cassettes/organization/get_invalid.yml
 - spec/support/fixtures/vcr_cassettes/organization/list.yml
 - spec/support/fixtures/vcr_cassettes/organization/update.yml
+- spec/support/fixtures/vcr_cassettes/organization/update_without_name.yml
 - spec/support/fixtures/vcr_cassettes/passwordless/create_session.yml
 - spec/support/fixtures/vcr_cassettes/passwordless/create_session_invalid.yml
 - spec/support/fixtures/vcr_cassettes/passwordless/send_session.yml
 - spec/support/fixtures/vcr_cassettes/passwordless/send_session_invalid.yml
 - spec/support/fixtures/vcr_cassettes/portal/generate_link_audit_logs.yml
+- spec/support/fixtures/vcr_cassettes/portal/generate_link_certificate_renewal.yml
 - spec/support/fixtures/vcr_cassettes/portal/generate_link_dsync.yml
 - spec/support/fixtures/vcr_cassettes/portal/generate_link_invalid.yml
 - spec/support/fixtures/vcr_cassettes/portal/generate_link_sso.yml
@@ -371,6 +403,7 @@ test_files:
 - spec/lib/workos/organizations_spec.rb
 - spec/lib/workos/passwordless_spec.rb
 - spec/lib/workos/portal_spec.rb
+- spec/lib/workos/session_spec.rb
 - spec/lib/workos/sso_spec.rb
 - spec/lib/workos/user_management_spec.rb
 - spec/lib/workos/webhooks_spec.rb
@@ -445,11 +478,13 @@ test_files:
 - spec/support/fixtures/vcr_cassettes/organization/get_invalid.yml
 - spec/support/fixtures/vcr_cassettes/organization/list.yml
 - spec/support/fixtures/vcr_cassettes/organization/update.yml
+- spec/support/fixtures/vcr_cassettes/organization/update_without_name.yml
 - spec/support/fixtures/vcr_cassettes/passwordless/create_session.yml
 - spec/support/fixtures/vcr_cassettes/passwordless/create_session_invalid.yml
 - spec/support/fixtures/vcr_cassettes/passwordless/send_session.yml
 - spec/support/fixtures/vcr_cassettes/passwordless/send_session_invalid.yml
 - spec/support/fixtures/vcr_cassettes/portal/generate_link_audit_logs.yml
+- spec/support/fixtures/vcr_cassettes/portal/generate_link_certificate_renewal.yml
 - spec/support/fixtures/vcr_cassettes/portal/generate_link_dsync.yml
 - spec/support/fixtures/vcr_cassettes/portal/generate_link_invalid.yml
 - spec/support/fixtures/vcr_cassettes/portal/generate_link_sso.yml