workos 5.3.0 → 6.1.0

data/release-please-config.json

@@ -0,0 +1,12 @@
+{
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "packages": {
+    ".": {
+      "release-type": "ruby",
+      "package-name": "workos",
+      "version-file": "lib/workos/version.rb",
+      "changelog-path": "CHANGELOG.md",
+      "include-component-in-tag": false
+    }
+  }
+}

data/spec/lib/workos/cache_spec.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+describe WorkOS::Cache do
+  before { described_class.clear }
+
+  describe '.write and .read' do
+    it 'stores and retrieves data' do
+      described_class.write('key', 'value')
+      expect(described_class.read('key')).to eq('value')
+    end
+
+    it 'returns nil if key does not exist' do
+      expect(described_class.read('missing')).to be_nil
+    end
+  end
+
+  describe '.fetch' do
+    it 'returns cached value when present and not expired' do
+      described_class.write('key', 'value')
+      fetch_value = described_class.fetch('key') { 'new_value' }
+      expect(fetch_value).to eq('value')
+    end
+
+    it 'executes block and caches value when not present' do
+      fetch_value = described_class.fetch('key') { 'new_value' }
+      expect(fetch_value).to eq('new_value')
+    end
+
+    it 'executes block and caches value when force is true' do
+      described_class.write('key', 'value')
+      fetch_value = described_class.fetch('key', force: true) { 'new_value' }
+      expect(fetch_value).to eq('new_value')
+    end
+  end
+
+  describe 'expiration' do
+    it 'expires values after specified time' do
+      described_class.write('key', 'value', expires_in: 0.1)
+      expect(described_class.read('key')).to eq('value')
+      sleep 0.2
+      expect(described_class.read('key')).to be_nil
+    end
+
+    it 'executes block and caches new value when expired' do
+      described_class.write('key', 'old_value', expires_in: 0.1)
+      sleep 0.2
+      fetch_value = described_class.fetch('key') { 'new_value' }
+      expect(fetch_value).to eq('new_value')
+    end
+
+    it 'does not expire values when expires_in is nil' do
+      described_class.write('key', 'value', expires_in: nil)
+      sleep 0.2
+      expect(described_class.read('key')).to eq('value')
+    end
+  end
+
+  describe '.exist?' do
+    it 'returns true if key exists' do
+      described_class.write('key', 'value')
+      expect(described_class.exist?('key')).to be true
+    end
+
+    it 'returns false if expired' do
+      described_class.write('key', 'value', expires_in: 0.1)
+      sleep 0.2
+      expect(described_class.exist?('key')).to be false
+    end
+
+    it 'returns false if key does not exist' do
+      expect(described_class.exist?('missing')).to be false
+    end
+  end
+
+  describe '.delete' do
+    it 'deletes key' do
+      described_class.write('key', 'value')
+      described_class.delete('key')
+      expect(described_class.read('key')).to be_nil
+    end
+  end
+
+  describe '.clear' do
+    it 'removes all keys from the cache' do
+      described_class.write('key1', 'value1')
+      described_class.write('key2', 'value2')
+
+      described_class.clear
+
+      expect(described_class.read('key1')).to be_nil
+      expect(described_class.read('key2')).to be_nil
+    end
+  end
+end

data/spec/lib/workos/directory_user_spec.rb

@@ -37,13 +37,23 @@ describe WorkOS::DirectoryUser do
       it 'returns no role' do
         user = WorkOS::DirectoryUser.new('{"object":"directory_user","id":"directory_user_01FAZYNPC8M0HRYTKFP2GNX852","directory_id":"directory_01FAZYMST676QMTFN1DDJZZX87","idp_id":"6092c280a3f1e19ef6d8cef8","username":"bob.fakename@workos.com","emails":[{"primary":true,"value":"bob.fakename@workos.com"}, {"primary":false,"value":"bob.fakename@gmail.com"}],"first_name":"Bob","last_name":"Gingerich","job_title":"Developer Success Engineer","state":"active","raw_attributes":{},"custom_attributes":{},"groups":[],"created_at":"2022-05-13T17:45:31.732Z", "updated_at":"2022-07-13T17:45:42.618Z"}')
         expect(user.role).to eq(nil)
+        expect(user.roles).to eq(nil)
       end
     end
 
-    context 'with a role' do
-      it 'returns the role slug' do
-        user = WorkOS::DirectoryUser.new('{"object":"directory_user","id":"directory_user_01FAZYNPC8M0HRYTKFP2GNX852","directory_id":"directory_01FAZYMST676QMTFN1DDJZZX87","idp_id":"6092c280a3f1e19ef6d8cef8","username":"bob.fakename@workos.com","emails":[{"primary":true,"value":"bob.fakename@workos.com"}, {"primary":false,"value":"bob.fakename@gmail.com"}],"first_name":"Bob","last_name":"Gingerich","job_title":"Developer Success Engineer","state":"active","raw_attributes":{},"custom_attributes":{},"groups":[],"role":{"slug":"member"},"created_at":"2022-05-13T17:45:31.732Z", "updated_at":"2022-07-13T17:45:42.618Z"}')
+    context 'with a single role' do
+      it 'returns the highest priority role slug and roles array' do
+        user = WorkOS::DirectoryUser.new('{"object":"directory_user","id":"directory_user_01FAZYNPC8M0HRYTKFP2GNX852","directory_id":"directory_01FAZYMST676QMTFN1DDJZZX87","idp_id":"6092c280a3f1e19ef6d8cef8","username":"bob.fakename@workos.com","emails":[{"primary":true,"value":"bob.fakename@workos.com"}, {"primary":false,"value":"bob.fakename@gmail.com"}],"first_name":"Bob","last_name":"Gingerich","job_title":"Developer Success Engineer","state":"active","raw_attributes":{},"custom_attributes":{},"groups":[],"role":{"slug":"member"},"roles":[{"slug":"member"}],"created_at":"2022-05-13T17:45:31.732Z", "updated_at":"2022-07-13T17:45:42.618Z"}')
         expect(user.role).to eq({ slug: 'member' })
+        expect(user.roles).to eq([{ slug: 'member' }])
+      end
+    end
+
+    context 'with multiple roles' do
+      it 'returns the highest priority role slug and roles array' do
+        user = WorkOS::DirectoryUser.new('{"object":"directory_user","id":"directory_user_01FAZYNPC8M0HRYTKFP2GNX852","directory_id":"directory_01FAZYMST676QMTFN1DDJZZX87","idp_id":"6092c280a3f1e19ef6d8cef8","username":"bob.fakename@workos.com","emails":[{"primary":true,"value":"bob.fakename@workos.com"}, {"primary":false,"value":"bob.fakename@gmail.com"}],"first_name":"Bob","last_name":"Gingerich","job_title":"Developer Success Engineer","state":"active","raw_attributes":{},"custom_attributes":{},"groups":[],"role":{"slug":"admin"},"roles":[{"slug":"member"}, {"slug":"admin"}],"created_at":"2022-05-13T17:45:31.732Z", "updated_at":"2022-07-13T17:45:42.618Z"}')
+        expect(user.role).to eq({ slug: 'admin' })
+        expect(user.roles).to eq([{ slug: 'member' }, { slug: 'admin' }])
       end
     end
   end

data/spec/lib/workos/encryptors/aes_gcm_spec.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+RSpec.describe WorkOS::Encryptors::AesGcm do
+  subject(:encryptor) { described_class.new }
+
+  let(:key) { 'a' * 32 }
+  let(:data) { { access_token: 'tok_123', user: { id: 'user_01' } } }
+
+  describe '#seal' do
+    it 'returns a base64-encoded string' do
+      sealed = encryptor.seal(data, key)
+      expect(sealed).to be_a(String)
+      expect { Base64.decode64(sealed) }.not_to raise_error
+    end
+
+    it 'produces different output each time (random IV)' do
+      sealed1 = encryptor.seal(data, key)
+      sealed2 = encryptor.seal(data, key)
+      expect(sealed1).not_to eq(sealed2)
+    end
+  end
+
+  describe '#unseal' do
+    it 'round-trips data correctly' do
+      sealed = encryptor.seal(data, key)
+      unsealed = encryptor.unseal(sealed, key)
+      expect(unsealed).to eq(data)
+    end
+
+    it 'returns hash with symbolized keys' do
+      sealed = encryptor.seal({ 'string_key' => 'value' }, key)
+      unsealed = encryptor.unseal(sealed, key)
+      expect(unsealed.keys.first).to be_a(Symbol)
+    end
+
+    it 'raises error with wrong key' do
+      sealed = encryptor.seal(data, key)
+      expect { encryptor.unseal(sealed, 'b' * 32) }.to raise_error(OpenSSL::Cipher::CipherError)
+    end
+  end
+end

data/spec/lib/workos/organizations_spec.rb

@@ -33,6 +33,21 @@ describe WorkOS::Organizations do
           end
         end
 
+        context 'with external_id' do
+          it 'creates an organization with external_id' do
+            VCR.use_cassette 'organization/create_with_external_id' do
+              organization = described_class.create_organization(
+                name: 'Test Organization with External ID',
+                external_id: 'ext_org_123',
+              )
+
+              expect(organization.id).to start_with('org_')
+              expect(organization.name).to eq('Test Organization with External ID')
+              expect(organization.external_id).to eq('ext_org_123')
+            end
+          end
+        end
+
         context 'with domains' do
           it 'creates an organization and warns' do
             VCR.use_cassette 'organization/create_with_domains' do
@@ -267,7 +282,7 @@ describe WorkOS::Organizations do
 
   describe '.update_organization' do
     context 'with valid payload' do
-      it 'creates an organization' do
+      it 'updates the organization' do
         VCR.use_cassette 'organization/update' do
           organization = described_class.update_organization(
             organization: 'org_01F6Q6TFP7RD2PF6J03ANNWDKV',
@@ -281,6 +296,72 @@ describe WorkOS::Organizations do
         end
       end
     end
+    context 'without a name' do
+      it 'updates the organization' do
+        VCR.use_cassette 'organization/update_without_name' do
+          organization = described_class.update_organization(
+            organization: 'org_01F6Q6TFP7RD2PF6J03ANNWDKV',
+            domains: ['example.me'],
+          )
+
+          expect(organization.id).to eq('org_01F6Q6TFP7RD2PF6J03ANNWDKV')
+          expect(organization.name).to eq('Test Organization')
+          expect(organization.domains.first[:domain]).to eq('example.me')
+        end
+      end
+    end
+    context 'with a stripe_customer_id' do
+      it 'updates the organization' do
+        VCR.use_cassette 'organization/update_with_stripe_customer_id' do
+          organization = described_class.update_organization(
+            organization: 'org_01JJ5H14CAA2SQ5G9HNN6TBZ05',
+            name: 'Test Organization',
+            stripe_customer_id: 'cus_123',
+          )
+
+          expect(organization.id).to eq('org_01JJ5H14CAA2SQ5G9HNN6TBZ05')
+          expect(organization.name).to eq('Test Organization')
+          expect(organization.stripe_customer_id).to eq('cus_123')
+        end
+      end
+    end
+    context 'with an external_id' do
+      it 'updates the organization' do
+        VCR.use_cassette 'organization/update_with_external_id' do
+          organization = described_class.update_organization(
+            organization: 'org_01K0SQV0S6EPWK2ZDEFD1CP1JC',
+            name: 'Test Organization',
+            external_id: 'ext_org_456',
+          )
+
+          expect(organization.id).to eq('org_01K0SQV0S6EPWK2ZDEFD1CP1JC')
+          expect(organization.name).to eq('Test Organization')
+          expect(organization.external_id).to eq('ext_org_456')
+        end
+      end
+    end
+
+    context 'can set external_id to null explicitly' do
+      it 'includes external_id null in request body' do
+        original_method = described_class.method(:put_request)
+        allow(described_class).to receive(:put_request) do |kwargs|
+          original_method.call(**kwargs)
+        end
+
+        VCR.use_cassette 'organization/update_with_external_id_null' do
+          described_class.update_organization(
+            organization: 'org_01K0SQV0S6EPWK2ZDEFD1CP1JC',
+            name: 'Test Organization',
+            external_id: nil,
+          )
+        end
+
+        # Verify the spy captured the right call
+        expect(described_class).to have_received(:put_request).with(
+          hash_including(body: hash_including(external_id: nil)),
+        )
+      end
+    end
   end
 
   describe '.delete_organization' do
@@ -309,4 +390,180 @@ describe WorkOS::Organizations do
       end
     end
   end
+
+  describe '.list_organization_roles' do
+    context 'with no options' do
+      it 'returns roles for organization' do
+        expected_metadata = {
+          after: nil,
+          before: nil,
+        }
+
+        VCR.use_cassette 'organization/list_organization_roles' do
+          roles = described_class.list_organization_roles(organization_id: 'org_01JEXP6Z3X7HE4CB6WQSH9ZAFE')
+
+          expect(roles.data.size).to eq(7)
+          expect(roles.list_metadata).to eq(expected_metadata)
+        end
+      end
+
+      it 'returns properly initialized Role objects with all attributes' do
+        VCR.use_cassette 'organization/list_organization_roles' do
+          roles = described_class.list_organization_roles(organization_id: 'org_01JEXP6Z3X7HE4CB6WQSH9ZAFE')
+
+          first_role = roles.data.first
+          expect(first_role).to be_a(WorkOS::Role)
+          expect(first_role.id).to eq('role_01HS1C7GRJE08PBR3M6Y0ZYGDZ')
+          expect(first_role.name).to eq('Admin')
+          expect(first_role.slug).to eq('admin')
+          expect(first_role.description).to eq('Write access to every resource available')
+          expect(first_role.permissions).to eq(['admin:all', 'read:users', 'write:users', 'manage:roles'])
+          expect(first_role.type).to eq('EnvironmentRole')
+          expect(first_role.created_at).to eq('2024-03-15T15:38:29.521Z')
+          expect(first_role.updated_at).to eq('2024-11-14T17:08:00.556Z')
+        end
+      end
+
+      it 'handles roles with empty permissions arrays' do
+        VCR.use_cassette 'organization/list_organization_roles' do
+          roles = described_class.list_organization_roles(organization_id: 'org_01JEXP6Z3X7HE4CB6WQSH9ZAFE')
+
+          platform_manager_role = roles.data.find { |role| role.slug == 'org-platform-manager' }
+          expect(platform_manager_role).to be_a(WorkOS::Role)
+          expect(platform_manager_role.permissions).to eq([])
+        end
+      end
+
+      it 'properly serializes Role objects including permissions' do
+        VCR.use_cassette 'organization/list_organization_roles' do
+          roles = described_class.list_organization_roles(organization_id: 'org_01JEXP6Z3X7HE4CB6WQSH9ZAFE')
+
+          billing_role = roles.data.find { |role| role.slug == 'billing' }
+          serialized = billing_role.to_json
+
+          expect(serialized[:id]).to eq('role_01JA8GJZRDSZEB9289DQXJ3N9Z')
+          expect(serialized[:name]).to eq('Billing Manager')
+          expect(serialized[:slug]).to eq('billing')
+          expect(serialized[:permissions]).to eq(['read:billing', 'write:billing'])
+          expect(serialized[:type]).to eq('EnvironmentRole')
+        end
+      end
+    end
+  end
+
+  describe '.list_organization_feature_flags' do
+    context 'with no options' do
+      it 'returns feature flags for organization' do
+        expected_metadata = {
+          after: nil,
+          before: nil,
+        }
+
+        VCR.use_cassette 'organization/list_organization_feature_flags' do
+          feature_flags = described_class.list_organization_feature_flags(
+            organization_id: 'org_01HX7Q7R12H1JMAKN75SH2G529',
+          )
+
+          expect(feature_flags.data.size).to eq(2)
+          expect(feature_flags.list_metadata).to eq(expected_metadata)
+        end
+      end
+    end
+
+    context 'with the before option' do
+      it 'forms the proper request to the API' do
+        request_args = [
+          '/organizations/org_01HX7Q7R12H1JMAKN75SH2G529/feature-flags?before=before-id&'\
+          'order=desc',
+          'Content-Type' => 'application/json'
+        ]
+
+        expected_request = Net::HTTP::Get.new(*request_args)
+
+        expect(Net::HTTP::Get).to receive(:new).with(*request_args).
+          and_return(expected_request)
+
+        VCR.use_cassette 'organization/list_organization_feature_flags', match_requests_on: [:path] do
+          feature_flags = described_class.list_organization_feature_flags(
+            organization_id: 'org_01HX7Q7R12H1JMAKN75SH2G529',
+            options: { before: 'before-id' },
+          )
+
+          expect(feature_flags.data.size).to eq(2)
+        end
+      end
+    end
+
+    context 'with the after option' do
+      it 'forms the proper request to the API' do
+        request_args = [
+          '/organizations/org_01HX7Q7R12H1JMAKN75SH2G529/feature-flags?after=after-id&'\
+          'order=desc',
+          'Content-Type' => 'application/json'
+        ]
+
+        expected_request = Net::HTTP::Get.new(*request_args)
+
+        expect(Net::HTTP::Get).to receive(:new).with(*request_args).
+          and_return(expected_request)
+
+        VCR.use_cassette 'organization/list_organization_feature_flags', match_requests_on: [:path] do
+          feature_flags = described_class.list_organization_feature_flags(
+            organization_id: 'org_01HX7Q7R12H1JMAKN75SH2G529',
+            options: { after: 'after-id' },
+          )
+
+          expect(feature_flags.data.size).to eq(2)
+        end
+      end
+    end
+
+    context 'with the limit option' do
+      it 'forms the proper request to the API' do
+        request_args = [
+          '/organizations/org_01HX7Q7R12H1JMAKN75SH2G529/feature-flags?limit=10&'\
+          'order=desc',
+          'Content-Type' => 'application/json'
+        ]
+
+        expected_request = Net::HTTP::Get.new(*request_args)
+
+        expect(Net::HTTP::Get).to receive(:new).with(*request_args).
+          and_return(expected_request)
+
+        VCR.use_cassette 'organization/list_organization_feature_flags', match_requests_on: [:path] do
+          feature_flags = described_class.list_organization_feature_flags(
+            organization_id: 'org_01HX7Q7R12H1JMAKN75SH2G529',
+            options: { limit: 10 },
+          )
+
+          expect(feature_flags.data.size).to eq(2)
+        end
+      end
+    end
+
+    context 'with multiple pagination options' do
+      it 'forms the proper request to the API' do
+        request_args = [
+          '/organizations/org_01HX7Q7R12H1JMAKN75SH2G529/feature-flags?after=after-id&'\
+          'limit=5&order=asc',
+          'Content-Type' => 'application/json'
+        ]
+
+        expected_request = Net::HTTP::Get.new(*request_args)
+
+        expect(Net::HTTP::Get).to receive(:new).with(*request_args).
+          and_return(expected_request)
+
+        VCR.use_cassette 'organization/list_organization_feature_flags', match_requests_on: [:path] do
+          feature_flags = described_class.list_organization_feature_flags(
+            organization_id: 'org_01HX7Q7R12H1JMAKN75SH2G529',
+            options: { after: 'after-id', limit: 5, order: 'asc' },
+          )
+
+          expect(feature_flags.data.size).to eq(2)
+        end
+      end
+    end
+  end
 end

data/spec/lib/workos/portal_spec.rb

@@ -51,6 +51,36 @@ describe WorkOS::Portal do
           end
         end
       end
+
+      describe 'with the certificate_renewal intent' do
+        it 'returns an Admin Portal link' do
+          VCR.use_cassette 'portal/generate_link_certificate_renewal', match_requests_on: %i[path body] do
+            portal_link = described_class.generate_link(
+              intent: 'certificate_renewal',
+              organization: organization,
+            )
+
+            expect(portal_link).to eq(
+              'https://id.workos.com/portal/launch?secret=secret',
+            )
+          end
+        end
+      end
+    end
+
+    describe 'with the domain_verification intent' do
+      it 'returns an Admin Portal link' do
+        VCR.use_cassette 'portal/generate_link_domain_verification', match_requests_on: %i[path body] do
+          portal_link = described_class.generate_link(
+            intent: 'domain_verification',
+            organization: organization,
+          )
+
+          expect(portal_link).to eq(
+            'https://id.workos.com/portal/launch?secret=secret',
+          )
+        end
+      end
     end
 
     describe 'with an invalid organization' do

data/spec/lib/workos/role_spec.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+describe WorkOS::Role do
+  describe '.initialize' do
+    context 'with full role data including permissions' do
+      it 'initializes all attributes correctly' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'Admin',
+          slug: 'admin',
+          description: 'Administrator role with full access',
+          permissions: ['read:users', 'write:users', 'admin:all'],
+          type: 'system',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+
+        expect(role.id).to eq('role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY')
+        expect(role.name).to eq('Admin')
+        expect(role.slug).to eq('admin')
+        expect(role.description).to eq('Administrator role with full access')
+        expect(role.permissions).to eq(['read:users', 'write:users', 'admin:all'])
+        expect(role.type).to eq('system')
+        expect(role.created_at).to eq('2022-05-13T17:45:31.732Z')
+        expect(role.updated_at).to eq('2022-07-13T17:45:42.618Z')
+      end
+    end
+
+    context 'with role data without permissions' do
+      it 'initializes permissions as empty array' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'User',
+          slug: 'user',
+          description: 'Basic user role',
+          type: 'custom',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+
+        expect(role.id).to eq('role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY')
+        expect(role.name).to eq('User')
+        expect(role.slug).to eq('user')
+        expect(role.description).to eq('Basic user role')
+        expect(role.permissions).to eq([])
+        expect(role.type).to eq('custom')
+        expect(role.created_at).to eq('2022-05-13T17:45:31.732Z')
+        expect(role.updated_at).to eq('2022-07-13T17:45:42.618Z')
+      end
+    end
+
+    context 'with role data with null permissions' do
+      it 'initializes permissions as empty array' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'User',
+          slug: 'user',
+          description: 'Basic user role',
+          permissions: nil,
+          type: 'custom',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+
+        expect(role.permissions).to eq([])
+      end
+    end
+
+    context 'with role data with empty permissions array' do
+      it 'preserves empty permissions array' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'User',
+          slug: 'user',
+          description: 'Basic user role',
+          permissions: [],
+          type: 'custom',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+
+        expect(role.permissions).to eq([])
+      end
+    end
+  end
+
+  describe '.to_json' do
+    context 'with role that has permissions' do
+      it 'includes permissions in serialized output' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'Admin',
+          slug: 'admin',
+          description: 'Administrator role',
+          permissions: ['read:all', 'write:all'],
+          type: 'system',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+        serialized = role.to_json
+
+        expect(serialized[:id]).to eq('role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY')
+        expect(serialized[:name]).to eq('Admin')
+        expect(serialized[:slug]).to eq('admin')
+        expect(serialized[:description]).to eq('Administrator role')
+        expect(serialized[:permissions]).to eq(['read:all', 'write:all'])
+        expect(serialized[:type]).to eq('system')
+        expect(serialized[:created_at]).to eq('2022-05-13T17:45:31.732Z')
+        expect(serialized[:updated_at]).to eq('2022-07-13T17:45:42.618Z')
+      end
+    end
+
+    context 'with role that has no permissions' do
+      it 'includes empty permissions array in serialized output' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'User',
+          slug: 'user',
+          description: 'Basic user role',
+          type: 'custom',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+        serialized = role.to_json
+
+        expect(serialized[:permissions]).to eq([])
+      end
+    end
+  end
+end