workos 5.3.0 → 6.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4e386ae2dd110ea57c1a5c8d15c09c68263dedbee77c6ffa015b84a952d88920
-  data.tar.gz: e5001300c2da182fd3a230e66c7ced29ef937c8f0774cbd51d1f4e8bc9b8ee45
+  metadata.gz: 2c2b3e2f56e5f5ffc2d59d27eb6613c018b24ec57ff270ed9e95730a46aafdc6
+  data.tar.gz: 6e001f5af6046daf9b640f570cd7318767fc106e90cdf3c9e7f8a3b0c11d1b3b
 SHA512:
-  metadata.gz: d7882eb8eaef394157785a2592bcb616fa2bd4a7b9015b0b8b37c203ea70ccf43b72c5eb10bbde9155938154d9fc3a2ab5f1e630330efd2eeb53f2672bea65fe
-  data.tar.gz: 0fb86220b0b5fe4dbbcdaa24b35586348d961a40c1628b5eebf44926e7c0a0350ea538b3dcc9610e073c654c65ab5f7d9ada0edb4196bc93b8d9994a3739c7f2
+  metadata.gz: aa0bdfff2eb4de65c9bd5679be9f44b36df9eafd5eb8d3826f490d435825f61f3df32768e77b8954df538a3e3af2963aaba3fe23c89148b7f7619d83ea349c46
+  data.tar.gz: 6ae668143797a324cea0db2d9d779fe803c13f9defc62d707bb7b4419ba931a71d12ff5dd4bdc17da5c6c284623b1484a111817a1294e1f02f0e1e741dd15781

data/.github/CODEOWNERS

@@ -2,4 +2,4 @@
 # https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
 
 # Rubyist Team
-* @workos-inc/ruby
+* @workos/ruby

data/.github/workflows/ci.yml

@@ -17,13 +17,11 @@ jobs:
     strategy:
       matrix:
         ruby:
-          - '2.7'
-          - '3.0'
           - '3.1'
           - '3.2'
     steps:
-      - uses: actions/checkout@v4
-      - uses: ruby/setup-ruby@v1
+      - uses: actions/checkout@v6
+      - uses: ruby/setup-ruby@675dd7ba1b06c8786a1480d89c384f5620a42647 # v1.281.0
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true

data/.github/workflows/lint-pr-title.yml

@@ -0,0 +1,20 @@
+name: Lint PR Title
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  pull-requests: read
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

data/.github/workflows/release-please.yml

@@ -0,0 +1,25 @@
+name: Release Please
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.SDK_BOT_APP_ID }}
+          private-key: ${{ secrets.SDK_BOT_PRIVATE_KEY }}
+
+      - uses: googleapis/release-please-action@v4
+        with:
+          token: ${{ steps.generate-token.outputs.token }}

data/.github/workflows/release.yml

@@ -1,43 +1,40 @@
 name: Release
 
 on:
-  # Support manually pushing a new release
-  workflow_dispatch: {}
-  # Trigger when a release is published
   release:
-    types: [released]
+    types: [published]
 
 defaults:
   run:
     shell: bash
 
 jobs:
-  test:
+  publish:
     name: Publish to RubyGems
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: ruby/setup-ruby@v1
+      - name: Configure RubyGems credentials
+        uses: rubygems/configure-rubygems-credentials@main
         with:
-          ruby-version: '3.2'
-          bundler-cache: true
-
-      - name: Spec
-        run: |
-          bundle exec rspec
+          role-to-assume: rg_oidc_akr_fn8dx45asckvmsnd2kka
 
-      - name: Publish
-        env:
-          RUBYGEMS_API_KEY: ${{ secrets.RUBYGEMS_API_KEY }}
-        run: |
-          mkdir -p ~/.gem
+      - name: Checkout
+        uses: actions/checkout@v6
 
-          cat << EOF > ~/.gem/credentials
-          ---
-          :rubygems_api_key: ${RUBYGEMS_API_KEY}
-          EOF
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.2"
+          bundler-cache: true
 
-          chmod 0600 ~/.gem/credentials
+      - name: Run tests
+        run: bundle exec rspec
 
-          bundle exec gem build workos --output=release.gem
-          bundle exec gem push release.gem
+      - name: Publish to RubyGems
+        run: |
+          VERSION="${GITHUB_REF_NAME#v}"
+          bundle exec rake build
+          gem push pkg/workos-${VERSION}.gem --host https://rubygems.org

data/.gitignore

@@ -49,3 +49,4 @@
 # .rubocop-https?--*
 
 .vscode
+.idea/

data/.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "6.1.0"
+}

data/.rubocop.yml

@@ -1,6 +1,5 @@
-# Disabling due to conflict with Ruby 2.7/3.1
-Layout/BlockAlignment:
-  Enabled: false
+inherit_from: .rubocop_todo.yml
+
 Layout/DotPosition:
   EnforcedStyle: trailing
 Layout/EmptyLineAfterMagicComment:
@@ -8,15 +7,19 @@ Layout/EmptyLineAfterMagicComment:
 Layout/EmptyLines:
   Enabled: false
 Layout/LineLength:
-  IgnoredPatterns:
+  AllowedPatterns:
     - 'VCR\.use_cassette'
     - '(\A|\s)/.*?/'
 Metrics/BlockLength:
-  ExcludedMethods: ['describe', 'context', 'before']
+  AllowedMethods: ['describe', 'context', 'before', 'it']
+Metrics/ClassLength:
+  Enabled: false
+Metrics/CyclomaticComplexity:
+  Enabled: false
 Metrics/MethodLength:
-  Max: 30
+  Enabled: false
 Metrics/ModuleLength:
-  Max: 200
+  Enabled: false
 Metrics/ParameterLists:
   Max: 6
 Naming/ConstantName:
@@ -28,4 +31,4 @@ Style/TrailingCommaInArguments:
 Style/TrailingCommaInHashLiteral:
   EnforcedStyleForMultiline: 'consistent_comma'
 AllCops:
-  TargetRubyVersion: 2.7
+  TargetRubyVersion: 3.1

data/.rubocop_todo.yml

@@ -0,0 +1,94 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2025-01-22 21:38:20 UTC using RuboCop version 1.71.0.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 1
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: EnforcedStyleAlignWith.
+# SupportedStylesAlignWith: either, start_of_block, start_of_line
+Layout/BlockAlignment:
+  Exclude:
+    - 'spec/lib/workos/session_spec.rb'
+
+# Offense count: 2
+# This cop supports safe autocorrection (--autocorrect).
+Layout/EmptyLinesAroundMethodBody:
+  Exclude:
+    - 'lib/workos/mfa.rb'
+    - 'lib/workos/user_management.rb'
+
+# Offense count: 1
+# This cop supports safe autocorrection (--autocorrect).
+Layout/SpaceAroundMethodCallOperator:
+  Exclude:
+    - 'spec/lib/workos/directory_sync_spec.rb'
+
+# Offense count: 1
+# This cop supports unsafe autocorrection (--autocorrect-all).
+Lint/DuplicateRequire:
+  Exclude:
+    - 'lib/workos/session.rb'
+
+# Offense count: 3
+# Configuration parameters: AllowedParentClasses.
+Lint/MissingSuper:
+  Exclude:
+    - 'lib/workos/directory_group.rb'
+    - 'lib/workos/directory_user.rb'
+    - 'lib/workos/errors.rb'
+
+# Offense count: 5
+# Configuration parameters: CountComments, CountAsOne.
+Metrics/ClassLength:
+  Max: 624
+
+# Offense count: 8
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: EnforcedStyle.
+# SupportedStyles: separated, grouped
+Style/AccessorGrouping:
+  Exclude:
+    - 'lib/workos/errors.rb'
+
+# Offense count: 34
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: EnforcedStyle.
+# SupportedStyles: braces, no_braces
+Style/HashAsLastArrayItem:
+  Exclude:
+    - 'spec/lib/workos/directory_sync_spec.rb'
+    - 'spec/lib/workos/event_spec.rb'
+    - 'spec/lib/workos/organizations_spec.rb'
+    - 'spec/lib/workos/sso_spec.rb'
+    - 'spec/lib/workos/user_management_spec.rb'
+
+# Offense count: 2
+# This cop supports safe autocorrection (--autocorrect).
+Style/KeywordParametersOrder:
+  Exclude:
+    - 'lib/workos/organizations.rb'
+
+# Offense count: 3
+# This cop supports unsafe autocorrection (--autocorrect-all).
+# Configuration parameters: SafeForConstants.
+Style/RedundantFetchBlock:
+  Exclude:
+    - 'spec/lib/workos/cache_spec.rb'
+
+# Offense count: 1
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: AllowMultipleReturnValues.
+Style/RedundantReturn:
+  Exclude:
+    - 'lib/workos/directory_user.rb'
+
+# Offense count: 2
+# This cop supports unsafe autocorrection (--autocorrect-all).
+Style/SlicingWithRange:
+  Exclude:
+    - 'lib/workos/deprecated_hash_wrapper.rb'
+    - 'lib/workos/session.rb'

data/.ruby-version

@@ -1 +1 @@
-3.0.2
+3.1.4

data/CHANGELOG.md

@@ -0,0 +1,15 @@
+# Changelog
+
+## [6.1.0](https://github.com/workos/workos-ruby/compare/workos-v6.0.0...workos/v6.1.0) (2026-02-10)
+
+
+### Features
+
+* add support for totp_secret ([#300](https://github.com/workos/workos-ruby/issues/300)) ([c0a26bf](https://github.com/workos/workos-ruby/commit/c0a26bf745fb49ebaac7c5241e99d51188b886bb))
+* Include Feature Flags decoded from the JWT in the payload of a Session ([#386](https://github.com/workos/workos-ruby/issues/386)) ([31a0e79](https://github.com/workos/workos-ruby/commit/31a0e7901247652182dcaad95e131357b93d0d71))
+* **workos-ruby:** Add `connection` to `authorization_url` ([#78](https://github.com/workos/workos-ruby/issues/78)) ([c3a0e8e](https://github.com/workos/workos-ruby/commit/c3a0e8e4031a3ee888d925c11f1fd2fb152f0a16))
+
+
+### Bug Fixes
+
+* add `invitation_token` parameter to authentication methods ([#438](https://github.com/workos/workos-ruby/issues/438)) ([d24e3dc](https://github.com/workos/workos-ruby/commit/d24e3dc2995de26970415e4570a7ed810d432715))

data/Gemfile.lock

@@ -1,7 +1,9 @@
 PATH
   remote: .
   specs:
-    workos (5.3.0)
+    workos (6.1.0)
+      encryptor (~> 3.0)
+      jwt (~> 3.1)
 
 GEM
   remote: https://rubygems.org/
@@ -9,21 +11,28 @@ GEM
     addressable (2.8.6)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
+    base64 (0.3.0)
     bigdecimal (3.1.7)
     crack (1.0.0)
       bigdecimal
       rexml
     diff-lcs (1.5.1)
+    encryptor (3.0.0)
     hashdiff (1.1.0)
-    parallel (1.24.0)
-    parser (3.3.0.5)
+    json (2.9.1)
+    jwt (3.1.2)
+      base64
+    language_server-protocol (3.17.0.3)
+    parallel (1.26.3)
+    parser (3.3.7.0)
       ast (~> 2.4.1)
       racc
     public_suffix (5.0.4)
-    racc (1.7.3)
+    racc (1.8.1)
     rainbow (3.1.1)
-    regexp_parser (2.9.0)
-    rexml (3.2.6)
+    rake (13.3.1)
+    regexp_parser (2.10.0)
+    rexml (3.4.2)
     rspec (3.9.0)
       rspec-core (~> 3.9.0)
       rspec-expectations (~> 3.9.0)
@@ -37,20 +46,24 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-support (3.9.4)
-    rubocop (0.93.1)
+    rubocop (1.71.0)
+      json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
-      parser (>= 2.7.1.5)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8)
-      rexml
-      rubocop-ast (>= 0.6.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.36.2, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (1.31.2)
-      parser (>= 3.3.0.4)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.37.0)
+      parser (>= 3.3.1.0)
     ruby-progressbar (1.13.0)
-    unicode-display_width (1.8.0)
-    vcr (5.0.0)
+    unicode-display_width (3.1.4)
+      unicode-emoji (~> 4.0, >= 4.0.4)
+    unicode-emoji (4.0.4)
+    vcr (6.3.1)
+      base64
     webmock (3.23.0)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
@@ -61,9 +74,10 @@ PLATFORMS
 
 DEPENDENCIES
   bundler (>= 2.0.1)
+  rake
   rspec (~> 3.9.0)
-  rubocop (~> 0.77)
-  vcr (~> 5.0.0)
+  rubocop (~> 1.71)
+  vcr (~> 6.0)
   webmock
   workos!
 

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/context7.json

@@ -0,0 +1,4 @@
+{
+  "url": "https://context7.com/workos/workos-ruby",
+  "public_key": "pk_q7NnKuFFXMWA7WnmjMHQU"
+}

data/lib/workos/authentication_response.rb

@@ -6,10 +6,20 @@ module WorkOS
   class AuthenticationResponse
     include HashProvider
 
-    attr_accessor :user, :organization_id, :impersonator, :access_token, :refresh_token
+    attr_accessor :user,
+                  :organization_id,
+                  :impersonator,
+                  :access_token,
+                  :refresh_token,
+                  :authentication_method,
+                  :sealed_session,
+                  :oauth_tokens
 
-    def initialize(authentication_response_json)
+    # rubocop:disable Metrics/AbcSize
+    def initialize(authentication_response_json, session = nil)
       json = JSON.parse(authentication_response_json, symbolize_names: true)
+      @access_token = json[:access_token]
+      @refresh_token = json[:refresh_token]
       @user = WorkOS::User.new(json[:user].to_json)
       @organization_id = json[:organization_id]
       @impersonator =
@@ -17,9 +27,24 @@ module WorkOS
           Impersonator.new(email: impersonator_json[:email],
                            reason: impersonator_json[:reason],)
         end
-      @access_token = json[:access_token]
-      @refresh_token = json[:refresh_token]
+      @authentication_method = json[:authentication_method]
+      @oauth_tokens = json[:oauth_tokens] ? WorkOS::OAuthTokens.new(json[:oauth_tokens].to_json) : nil
+      @sealed_session =
+        if session && session[:seal_session]
+          WorkOS::Session.seal_data(
+            {
+              access_token: access_token,
+              refresh_token: refresh_token,
+              user: user.to_json,
+              organization_id: organization_id,
+              impersonator: impersonator.to_json,
+            },
+            session[:cookie_password],
+            encryptor: session[:encryptor],
+          )
+        end
     end
+    # rubocop:enable Metrics/AbcSize
 
     def to_json(*)
       {
@@ -28,6 +53,9 @@ module WorkOS
         impersonator: impersonator.to_json,
         access_token: access_token,
         refresh_token: refresh_token,
+        authentication_method: authentication_method,
+        sealed_session: sealed_session,
+        oauth_tokens: oauth_tokens&.to_json,
       }
     end
   end

data/lib/workos/cache.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+module WorkOS
+  # The Cache module provides a simple in-memory cache for storing values
+  # This module is not meant to be instantiated in a user space, and is used internally by the SDK
+  module Cache
+    # The Entry class represents a cache entry with a value and an expiration time
+    class Entry
+      attr_reader :value, :expires_at
+
+      # Initializes a new cache entry
+      # @param value [Object] The value to store in the cache
+      # @param expires_in_seconds [Integer, nil] The expiration time for the value in seconds, or nil for no expiration
+      def initialize(value, expires_in_seconds)
+        @value = value
+        @expires_at = expires_in_seconds ? Time.now + expires_in_seconds : nil
+      end
+
+      # Checks if the entry has expired
+      # @return [Boolean] True if the entry has expired, false otherwise
+      def expired?
+        return false if expires_at.nil?
+
+        Time.now > @expires_at
+      end
+    end
+
+    class << self
+      # Fetches a value from the cache, or calls the block to fetch the value if it is not present
+      # @param key [String] The key to fetch the value for
+      # @param expires_in [Integer] The expiration time for the value in seconds
+      # @param force [Boolean] If true, the value will be fetched from the block even if it is present in the cache
+      # @param block [Proc] The block to call to fetch the value if it is not present in the cache
+      # @return [Object] The value fetched from the cache or the block
+      def fetch(key, expires_in: nil, force: false, &block)
+        entry = store[key]
+
+        if force || entry.nil? || entry.expired?
+          value = block.call
+          store[key] = Entry.new(value, expires_in)
+          return value
+        end
+
+        entry.value
+      end
+
+      # Reads a value from the cache
+      # @param key [String] The key to read the value for
+      # @return [Object] The value read from the cache, or nil if the value is not present or has expired
+      def read(key)
+        entry = store[key]
+        return nil if entry.nil? || entry.expired?
+
+        entry.value
+      end
+
+      # Writes a value to the cache
+      # @param key [String] The key to write the value for
+      # @param value [Object] The value to write to the cache
+      # @param expires_in [Integer] The expiration time for the value in seconds
+      # @return [Object] The value written to the cache
+      def write(key, value, expires_in: nil)
+        store[key] = Entry.new(value, expires_in)
+        value
+      end
+
+      # Deletes a value from the cache
+      # @param key [String] The key to delete the value for
+      def delete(key)
+        store.delete(key)
+      end
+
+      # Clears all values from the cache
+      def clear
+        store.clear
+      end
+
+      # Checks if a value exists in the cache
+      # @param key [String] The key to check for
+      # @return [Boolean] True if the value exists and has not expired, false otherwise
+      def exist?(key)
+        entry = store[key]
+        !(entry.nil? || entry.expired?)
+      end
+
+      private
+
+      # The in-memory store for the cache
+      def store
+        @store ||= {}
+      end
+    end
+  end
+end

data/lib/workos/client.rb

@@ -86,7 +86,7 @@ module WorkOS
       ].join('; ')
     end
 
-    # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Metrics/CyclomaticComplexity:
+    # rubocop:disable Metrics/AbcSize:
     def handle_error_response(response:)
       http_status = response.code.to_i
       json = JSON.parse(response.body)
@@ -109,6 +109,14 @@ module WorkOS
           http_status: http_status,
           request_id: response['x-request-id'],
         )
+      when 403
+        raise ForbiddenRequestError.new(
+          message: json['message'],
+          http_status: http_status,
+          request_id: response['x-request-id'],
+          code: json['code'],
+          data: json,
+        )
       when 404
         raise NotFoundError.new(
           message: json['message'],

data/lib/workos/directory_sync.rb

@@ -115,7 +115,7 @@ module WorkOS
       # @param [Hash] options An options hash
       # @option options [String] directory The ID of the directory whose
       #  directory users will be retrieved.
-      # @option options [String] user The ID of the directory group whose
+      # @option options [String] group The ID of the directory group whose
       #  directory users will be retrieved.
       # @option options [String] limit Maximum number of records to return.
       # @option options [String] order The order in which to paginate records