workos 5.3.0 → 6.1.0

data/lib/workos/directory_user.rb

@@ -7,8 +7,8 @@ module WorkOS
   class DirectoryUser < DeprecatedHashWrapper
     include HashProvider
 
-    attr_accessor :id, :idp_id, :emails, :first_name, :last_name, :job_title, :username, :state,
-                  :groups, :role, :custom_attributes, :raw_attributes, :directory_id, :organization_id,
+    attr_accessor :id, :idp_id, :email, :emails, :first_name, :last_name, :job_title, :username, :state,
+                  :groups, :role, :roles, :custom_attributes, :raw_attributes, :directory_id, :organization_id,
                   :created_at, :updated_at
 
     # rubocop:disable Metrics/AbcSize
@@ -19,14 +19,25 @@ module WorkOS
       @directory_id = hash[:directory_id]
       @organization_id = hash[:organization_id]
       @idp_id = hash[:idp_id]
+      @email = hash[:email]
+      # @deprecated Will be removed in a future major version.
+      # Enable the `emails` custom attribute in dashboard and pull from customAttributes instead.
+      # See https://workos.com/docs/directory-sync/attributes/custom-attributes/auto-mapped-attributes for details.
       @emails = hash[:emails]
       @first_name = hash[:first_name]
       @last_name = hash[:last_name]
+      # @deprecated Will be removed in a future major version.
+      # Enable the `job_title` custom attribute in dashboard and pull from customAttributes instead.
+      # See https://workos.com/docs/directory-sync/attributes/custom-attributes/auto-mapped-attributes for details.
       @job_title = hash[:job_title]
+      # @deprecated Will be removed in a future major version.
+      # Enable the `username` custom attribute in dashboard and pull from customAttributes instead.
+      # See https://workos.com/docs/directory-sync/attributes/custom-attributes/auto-mapped-attributes for details.
       @username = hash[:username]
       @state = hash[:state]
       @groups = hash[:groups]
       @role = hash[:role]
+      @roles = hash[:roles]
       @custom_attributes = hash[:custom_attributes]
       @raw_attributes = hash[:raw_attributes]
       @created_at = hash[:created_at]
@@ -37,11 +48,19 @@ module WorkOS
     # rubocop:enable Metrics/AbcSize
 
     def to_json(*)
+      base_attributes.
+        merge(authorization_attributes)
+    end
+
+    private
+
+    def base_attributes
       {
         id: id,
         directory_id: directory_id,
         organization_id: organization_id,
         idp_id: idp_id,
+        email: email,
         emails: emails,
         first_name: first_name,
         last_name: last_name,
@@ -49,7 +68,6 @@ module WorkOS
         username: username,
         state: state,
         groups: groups,
-        role: role,
         custom_attributes: custom_attributes,
         raw_attributes: raw_attributes,
         created_at: created_at,
@@ -57,6 +75,16 @@ module WorkOS
       }
     end
 
+    def authorization_attributes
+      {
+        role: role,
+        roles: roles,
+      }
+    end
+
+    public
+
+    # @deprecated Will be removed in a future major version. Use {#email} instead.
     def primary_email
       primary_email = (emails || []).find { |email| email[:primary] }
       return primary_email[:value] if primary_email

data/lib/workos/encryptors/aes_gcm.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'encryptor'
+require 'securerandom'
+require 'json'
+require 'base64'
+
+module WorkOS
+  module Encryptors
+    # Default encryptor using AES-256-GCM.
+    # Implements the encryptor interface: #seal(data, key) and #unseal(sealed_data, key)
+    class AesGcm
+      # Encrypts and seals data using AES-256-GCM
+      # @param data [Hash] The data to seal
+      # @param key [String] The encryption key
+      # @return [String] Base64-encoded sealed data
+      def seal(data, key)
+        iv = SecureRandom.random_bytes(12)
+
+        encrypted_data = Encryptor.encrypt(
+          value: JSON.generate(data),
+          key: key,
+          iv: iv,
+          algorithm: 'aes-256-gcm',
+        )
+        Base64.encode64(iv + encrypted_data)
+      end
+
+      # Decrypts and unseals data using AES-256-GCM
+      # @param sealed_data [String] The sealed data to unseal
+      # @param key [String] The decryption key
+      # @return [Hash] The unsealed data with symbolized keys
+      def unseal(sealed_data, key)
+        decoded_data = Base64.decode64(sealed_data)
+        iv = decoded_data[0..11]
+        encrypted_data = decoded_data[12..]
+
+        decrypted_data = Encryptor.decrypt(
+          value: encrypted_data,
+          key: key,
+          iv: iv,
+          algorithm: 'aes-256-gcm',
+        )
+
+        JSON.parse(decrypted_data, symbolize_names: true)
+      end
+    end
+  end
+end

data/lib/workos/encryptors.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module WorkOS
+  # Encryptors module provides pluggable encryption implementations for session data.
+  # The default encryptor is AesGcm, which uses AES-256-GCM encryption.
+  module Encryptors
+    autoload :AesGcm, 'workos/encryptors/aes_gcm'
+  end
+end

data/lib/workos/errors.rb

@@ -64,6 +64,10 @@ module WorkOS
   # parameters.
   class InvalidRequestError < WorkOSError; end
 
+  # ForbiddenError is raised when a request is forbidden, likely due to missing a step
+  # (i.e. verifying email ownership before authenticating).
+  class ForbiddenRequestError < WorkOSError; end
+
   # SignatureVerificationError is raised when the signature verification for a
   # webhook fails
   class SignatureVerificationError < WorkOSError; end

data/lib/workos/feature_flag.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module WorkOS
+  # The FeatureFlag class provides a lightweight wrapper around
+  # a WorkOS Feature Flag resource. This class is not meant to be instantiated
+  # in user space, and is instantiated internally but exposed.
+  class FeatureFlag
+    include HashProvider
+
+    attr_accessor :id, :name, :slug, :description, :created_at, :updated_at
+
+    def initialize(json)
+      hash = JSON.parse(json, symbolize_names: true)
+
+      @id = hash[:id]
+      @name = hash[:name]
+      @slug = hash[:slug]
+      @description = hash[:description]
+      @created_at = hash[:created_at]
+      @updated_at = hash[:updated_at]
+    end
+
+    def to_json(*)
+      {
+        id: id,
+        name: name,
+        slug: slug,
+        description: description,
+        created_at: created_at,
+        updated_at: updated_at,
+      }
+    end
+  end
+end

data/lib/workos/mfa.rb

@@ -32,7 +32,6 @@ module WorkOS
         WorkOS::Factor.new(response.body)
       end
 
-      # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/PerceivedComplexity
       def validate_args(
         type:,

data/lib/workos/oauth_tokens.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module WorkOS
+  # The OAuthTokens class represents the third party provider OAuth tokens returned in the authentication response.
+  # This class is not meant to be instantiated in user space, and is instantiated internally but exposed.
+  class OAuthTokens
+    include HashProvider
+
+    attr_accessor :access_token, :refresh_token, :scopes, :expires_at
+
+    def initialize(json)
+      hash = JSON.parse(json, symbolize_names: true)
+
+      @access_token = hash[:access_token]
+      @refresh_token = hash[:refresh_token]
+      @scopes = hash[:scopes]
+      @expires_at = hash[:expires_at]
+    end
+
+    def to_json(*)
+      {
+        access_token: access_token,
+        refresh_token: refresh_token,
+        scopes: scopes,
+        expires_at: expires_at,
+      }
+    end
+  end
+end

data/lib/workos/organization.rb

@@ -7,15 +7,26 @@ module WorkOS
   class Organization
     include HashProvider
 
-    attr_accessor :id, :domains, :name, :allow_profiles_outside_organization, :created_at, :updated_at
+    attr_accessor(
+      :id,
+      :domains,
+      :stripe_customer_id,
+      :name,
+      :external_id,
+      :allow_profiles_outside_organization,
+      :created_at,
+      :updated_at,
+    )
 
     def initialize(json)
       hash = JSON.parse(json, symbolize_names: true)
 
       @id = hash[:id]
       @name = hash[:name]
+      @external_id = hash[:external_id]
       @allow_profiles_outside_organization = hash[:allow_profiles_outside_organization]
       @domains = hash[:domains]
+      @stripe_customer_id = hash[:stripe_customer_id]
       @created_at = hash[:created_at]
       @updated_at = hash[:updated_at]
     end
@@ -24,8 +35,10 @@ module WorkOS
       {
         id: id,
         name: name,
+        external_id: external_id,
         allow_profiles_outside_organization: allow_profiles_outside_organization,
         domains: domains,
+        stripe_customer_id: stripe_customer_id,
         created_at: created_at,
         updated_at: updated_at,
       }

data/lib/workos/organization_membership.rb

@@ -7,7 +7,7 @@ module WorkOS
   class OrganizationMembership
     include HashProvider
 
-    attr_accessor :id, :user_id, :organization_id, :status, :role, :created_at, :updated_at
+    attr_accessor :id, :user_id, :organization_id, :status, :role, :roles, :custom_attributes, :created_at, :updated_at
 
     def initialize(json)
       hash = JSON.parse(json, symbolize_names: true)
@@ -17,6 +17,8 @@ module WorkOS
       @organization_id = hash[:organization_id]
       @status = hash[:status]
       @role = hash[:role]
+      @roles = hash[:roles]
+      @custom_attributes = hash[:custom_attributes]
       @created_at = hash[:created_at]
       @updated_at = hash[:updated_at]
     end
@@ -28,6 +30,8 @@ module WorkOS
         organization_id: organization_id,
         status: status,
         role: role,
+        roles: roles,
+        custom_attributes: custom_attributes,
         created_at: created_at,
         updated_at: updated_at,
       }

data/lib/workos/organizations.rb

@@ -71,10 +71,11 @@ module WorkOS
 
       # Create an organization
       #
-      # @param [Array<Hash>] domain_data List of domain hashes describing an orgnaization domain.
+      # @param [Array<Hash>] domain_data List of domain hashes describing an organization domain.
       # @option domain_data [String] domain The domain that belongs to the organization.
       # @option domain_data [String] state The state of the domain. "verified" or "pending"
       # @param [String] name A unique, descriptive name for the organization
+      # @param [String] external_id The organization's external ID.
       # @param [String] idempotency_key An idempotency key
       # @param [Boolean, nil] allow_profiles_outside_organization Whether Connections
       #   within the Organization allow profiles that are outside of the Organization's configured User Email Domains.
@@ -85,11 +86,13 @@ module WorkOS
         domain_data: nil,
         domains: nil,
         name:,
+        external_id: nil,
         allow_profiles_outside_organization: nil,
         idempotency_key: nil
       )
         body = { name: name }
         body[:domain_data] = domain_data if domain_data
+        body[:external_id] = external_id if external_id
 
         if domains
           warn_deprecation '`domains` is deprecated. Use `domain_data` instead.'
@@ -118,24 +121,31 @@ module WorkOS
       # Update an organization
       #
       # @param [String] organization Organization unique identifier
-      # @param [Array<Hash>] domain_data List of domain hashes describing an orgnaization domain.
+      # @param [Array<Hash>] domain_data List of domain hashes describing an organization domain.
       # @option domain_data [String] domain The domain that belongs to the organization.
       # @option domain_data [String] state The state of the domain. "verified" or "pending"
+      # @param [String] stripe_customer_id The Stripe customer ID associated with this organization.
       # @param [String] name A unique, descriptive name for the organization
+      # @param [String] external_id The organization's external ID.
       # @param [Boolean, nil] allow_profiles_outside_organization Whether Connections
       #   within the Organization allow profiles that are outside of the Organization's configured User Email Domains.
       #   Deprecated: If you need to allow sign-ins from any email domain, contact suppport@workos.com.
       # @param [Array<String>] domains List of domains that belong to the organization.
       #   Deprecated: Use domain_data instead.
+      # rubocop:disable Metrics/ParameterLists
       def update_organization(
         organization:,
+        stripe_customer_id: nil,
         domain_data: nil,
         domains: nil,
-        name:,
+        name: nil,
+        external_id: :not_set,
         allow_profiles_outside_organization: nil
       )
         body = { name: name }
         body[:domain_data] = domain_data if domain_data
+        body[:stripe_customer_id] = stripe_customer_id if stripe_customer_id
+        body[:external_id] = external_id if external_id != :not_set
 
         if domains
           warn_deprecation '`domains` is deprecated. Use `domain_data` instead.'
@@ -159,6 +169,7 @@ module WorkOS
 
         WorkOS::Organization.new(response.body)
       end
+      # rubocop:enable Metrics/ParameterLists
 
       # Delete an Organization
       #
@@ -180,6 +191,79 @@ module WorkOS
         response.is_a? Net::HTTPSuccess
       end
 
+      # Retrieve a list of roles for the given organization.
+      #
+      # @param [String] organization_id The ID of the organization to fetch roles for.
+      #
+      # @example
+      #   WorkOS::Organizations.list_organization_roles(organization_id: 'org_01EHZNVPK3SFK441A1RGBFSHRT')
+      #   => #<WorkOS::Types::ListStruct data=[#<WorkOS::Role id="role_123" name="Admin" slug="admin"
+      #                                         permissions=["admin:all"] ...>] ...>
+      #
+      # @return [WorkOS::Types::ListStruct] - Collection of Role objects, each including permissions array
+      def list_organization_roles(organization_id:)
+        response = execute_request(
+          request: get_request(
+            path: "/organizations/#{organization_id}/roles",
+            auth: true,
+          ),
+        )
+
+        parsed_response = JSON.parse(response.body)
+
+        roles = parsed_response['data'].map do |role|
+          WorkOS::Role.new(role.to_json)
+        end
+
+        WorkOS::Types::ListStruct.new(
+          data: roles,
+          list_metadata: {
+            after: nil,
+            before: nil,
+          },
+        )
+      end
+
+      # Retrieve a list of feature flags for the given organization.
+      #
+      # @param [String] organization_id The ID of the organization to fetch feature flags for.
+      # @param [Hash] options
+      # @option options [String] before A pagination argument used to request
+      #  feature flags before the provided FeatureFlag ID.
+      # @option options [String] after A pagination argument used to request
+      #  feature flags after the provided FeatureFlag ID.
+      # @option options [Integer] limit A pagination argument used to limit the number
+      #  of listed FeatureFlags that are returned.
+      # @option options [String] order The order in which to paginate records
+      #
+      # @example
+      #   WorkOS::Organizations.list_organization_feature_flags(organization_id: 'org_01EHZNVPK3SFK441A1RGBFSHRT')
+      #   => #<WorkOS::Types::ListStruct data=[#<WorkOS::FeatureFlag id="flag_123" slug="new-feature"
+      #                                         enabled=true ...>] ...>
+      #
+      # @return [WorkOS::Types::ListStruct] - Collection of FeatureFlag objects
+      def list_organization_feature_flags(organization_id:, options: {})
+        options[:order] ||= 'desc'
+        response = execute_request(
+          request: get_request(
+            path: "/organizations/#{organization_id}/feature-flags",
+            auth: true,
+            params: options,
+          ),
+        )
+
+        parsed_response = JSON.parse(response.body)
+
+        feature_flags = parsed_response['data'].map do |feature_flag|
+          WorkOS::FeatureFlag.new(feature_flag.to_json)
+        end
+
+        WorkOS::Types::ListStruct.new(
+          data: feature_flags,
+          list_metadata: parsed_response['list_metadata']&.transform_keys(&:to_sym),
+        )
+      end
+
       private
 
       def check_and_raise_organization_error(response:)

data/lib/workos/profile.rb

@@ -9,9 +9,10 @@ module WorkOS
   class Profile
     include HashProvider
 
-    attr_accessor :id, :email, :first_name, :last_name, :groups, :organization_id,
-                  :connection_id, :connection_type, :idp_id, :raw_attributes
+    attr_accessor :id, :email, :first_name, :last_name, :role, :roles, :groups, :organization_id,
+                  :connection_id, :connection_type, :idp_id, :custom_attributes, :raw_attributes
 
+    # rubocop:disable Metrics/AbcSize
     def initialize(profile_json)
       hash = JSON.parse(profile_json, symbolize_names: true)
 
@@ -19,13 +20,17 @@ module WorkOS
       @email = hash[:email]
       @first_name = hash[:first_name]
       @last_name = hash[:last_name]
+      @role = hash[:role]
+      @roles = hash[:roles]
       @groups = hash[:groups]
       @organization_id = hash[:organization_id]
       @connection_id = hash[:connection_id]
       @connection_type = hash[:connection_type]
       @idp_id = hash[:idp_id]
+      @custom_attributes = hash[:custom_attributes]
       @raw_attributes = hash[:raw_attributes]
     end
+    # rubocop:enable Metrics/AbcSize
 
     def full_name
       [first_name, last_name].compact.join(' ')
@@ -37,11 +42,14 @@ module WorkOS
         email: email,
         first_name: first_name,
         last_name: last_name,
+        role: role,
+        roles: roles,
         groups: groups,
         organization_id: organization_id,
         connection_id: connection_id,
         connection_type: connection_type,
         idp_id: idp_id,
+        custom_attributes: custom_attributes,
         raw_attributes: raw_attributes,
       }
     end

data/lib/workos/refresh_authentication_response.rb

@@ -6,18 +6,45 @@ module WorkOS
   class RefreshAuthenticationResponse
     include HashProvider
 
-    attr_accessor :access_token, :refresh_token
+    attr_accessor :user, :organization_id, :impersonator, :access_token, :refresh_token, :sealed_session
 
-    def initialize(authentication_response_json)
+    # rubocop:disable Metrics/AbcSize
+    def initialize(authentication_response_json, session = nil)
       json = JSON.parse(authentication_response_json, symbolize_names: true)
       @access_token = json[:access_token]
       @refresh_token = json[:refresh_token]
+      @user = WorkOS::User.new(json[:user].to_json)
+      @organization_id = json[:organization_id]
+      @impersonator =
+        if (impersonator_json = json[:impersonator])
+          Impersonator.new(email: impersonator_json[:email],
+                           reason: impersonator_json[:reason],)
+        end
+      @sealed_session =
+        if session && session[:seal_session]
+          WorkOS::Session.seal_data(
+            {
+              access_token: access_token,
+              refresh_token: refresh_token,
+              user: user.to_json,
+              organization_id: organization_id,
+              impersonator: impersonator.to_json,
+            },
+            session[:cookie_password],
+            encryptor: session[:encryptor],
+          )
+        end
     end
+    # rubocop:enable Metrics/AbcSize
 
     def to_json(*)
       {
+        user: user.to_json,
+        organization_id: organization_id,
+        impersonator: impersonator.to_json,
         access_token: access_token,
         refresh_token: refresh_token,
+        sealed_session: sealed_session,
       }
     end
   end

data/lib/workos/role.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module WorkOS
+  # The Role class provides a lightweight wrapper around
+  # a WorkOS Role resource. This class is not meant to be instantiated
+  # in user space, and is instantiated internally but exposed.
+  class Role
+    include HashProvider
+
+    attr_accessor :id, :name, :slug, :description, :permissions, :type, :created_at, :updated_at
+
+    def initialize(json)
+      hash = JSON.parse(json, symbolize_names: true)
+
+      @id = hash[:id]
+      @name = hash[:name]
+      @slug = hash[:slug]
+      @description = hash[:description]
+      @permissions = hash[:permissions] || []
+      @type = hash[:type]
+      @created_at = hash[:created_at]
+      @updated_at = hash[:updated_at]
+    end
+
+    def to_json(*)
+      {
+        id: id,
+        name: name,
+        slug: slug,
+        description: description,
+        permissions: permissions,
+        type: type,
+        created_at: created_at,
+        updated_at: updated_at,
+      }
+    end
+  end
+end