workos 5.3.0 → 6.1.0

data/spec/lib/workos/user_management_spec.rb

@@ -36,6 +36,32 @@ describe WorkOS::UserManagement do
           'edit%22%7D&provider=authkit',
         )
       end
+
+      context 'with provider_scopes' do
+        it 'returns a valid authorization URL that includes provider_scopes' do
+          url = WorkOS::UserManagement.authorization_url(
+            provider: 'GoogleOAuth',
+            provider_scopes: %w[custom-scope-1 custom-scope-2],
+            client_id: 'workos-proj-123',
+            redirect_uri: 'foo.com/auth/callback',
+            state: {
+              next_page: '/dashboard/edit',
+            }.to_s,
+          )
+
+          expect(url).to eq(
+            'https://api.workos.com/user_management/authorize?' \
+            'client_id=workos-proj-123' \
+            '&redirect_uri=foo.com%2Fauth%2Fcallback' \
+            '&response_type=code' \
+            '&state=%7B%3Anext_page%3D%3E%22%2Fdashboard%2F' \
+            'edit%22%7D' \
+            '&provider=GoogleOAuth' \
+            '&provider_scopes=custom-scope-1' \
+            '&provider_scopes=custom-scope-2',
+          )
+        end
+      end
     end
 
     context 'with a connection selector' do
@@ -176,6 +202,41 @@ describe WorkOS::UserManagement do
       end
     end
 
+    context 'with a screen hint' do
+      let(:args) do
+        {
+          provider: 'authkit',
+          screen_hint: 'sign_up',
+          client_id: 'workos-proj-123',
+          redirect_uri: 'foo.com/auth/callback',
+          state: {
+            next_page: '/dashboard/edit',
+          }.to_s,
+        }
+      end
+      it 'returns a valid URL' do
+        authorization_url = described_class.authorization_url(**args)
+
+        expect(URI.parse(authorization_url)).to be_a URI
+      end
+
+      it 'returns the expected hostname' do
+        authorization_url = described_class.authorization_url(**args)
+
+        expect(URI.parse(authorization_url).host).to eq(WorkOS.config.api_hostname)
+      end
+
+      it 'returns the expected query string' do
+        authorization_url = described_class.authorization_url(**args)
+
+        expect(URI.parse(authorization_url).query).to eq(
+          'client_id=workos-proj-123&redirect_uri=foo.com%2Fauth%2Fcallback' \
+          '&response_type=code&state=%7B%3Anext_page%3D%3E%22%2Fdashboard%2F' \
+          'edit%22%7D&screen_hint=sign_up&provider=authkit',
+        )
+      end
+    end
+
     context 'with neither connection_id, organization_id or provider' do
       let(:args) do
         {
@@ -213,7 +274,7 @@ describe WorkOS::UserManagement do
         end.to raise_error(
           ArgumentError,
           'Okta is not a valid value. `provider` must be in ' \
-          '["GitHubOAuth", "GoogleOAuth", "MicrosoftOAuth", "authkit"]',
+          '["AppleOAuth", "GitHubOAuth", "GoogleOAuth", "MicrosoftOAuth", "authkit"]',
         )
       end
     end
@@ -229,6 +290,12 @@ describe WorkOS::UserManagement do
 
           expect(user.id.instance_of?(String))
           expect(user.instance_of?(WorkOS::User))
+          expect(user.first_name).to eq('Bob')
+          expect(user.last_name).to eq('Loblaw')
+          expect(user.email).to eq('bob@example.com')
+          expect(user.email_verified).to eq(false)
+          expect(user.profile_picture_url).to eq(nil)
+          expect(user.last_sign_in_at).to eq('2024-02-06T23:13:18.137Z')
         end
       end
     end
@@ -306,6 +373,42 @@ describe WorkOS::UserManagement do
         end
       end
 
+      it 'only sends non-nil values in request body' do
+        expect(described_class).to receive(:post_request) do |options|
+          body = options[:body]
+          expect(body).to eq({ email: 'test@example.com', first_name: 'John' })
+          expect(body).not_to have_key(:last_name)
+          expect(body).not_to have_key(:email_verified)
+
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response', body: '{"id": "test_user", "email": "test@example.com"}'),
+        )
+
+        described_class.create_user(
+          email: 'test@example.com',
+          first_name: 'John',
+        )
+      end
+
+      it 'creates a user with external_id' do
+        VCR.use_cassette 'user_management/create_user_with_external_id' do
+          user = described_class.create_user(
+            email: 'external@example.com',
+            first_name: 'External',
+            last_name: 'User',
+            external_id: 'ext_user_123',
+          )
+
+          expect(user.first_name).to eq('External')
+          expect(user.last_name).to eq('User')
+          expect(user.email).to eq('external@example.com')
+          expect(user.external_id).to eq('ext_user_123')
+        end
+      end
+
       context 'with an invalid payload' do
         it 'returns an error' do
           VCR.use_cassette 'user_management/create_user_invalid' do
@@ -330,13 +433,80 @@ describe WorkOS::UserManagement do
             first_name: 'Jane',
             last_name: 'Doe',
             email_verified: false,
+            external_id: '123',
           )
           expect(user.first_name).to eq('Jane')
           expect(user.last_name).to eq('Doe')
           expect(user.email_verified).to eq(false)
+          expect(user.external_id).to eq('123')
         end
       end
 
+      it 'can update user locale' do
+        VCR.use_cassette 'user_management/update_user/locale' do
+          user = described_class.update_user(
+            id: 'user_01K78B3ZB5B7119MYEXTQE5KNE',
+            locale: 'en-US',
+          )
+          expect(user.locale).to eq('en-US')
+        end
+      end
+
+      it 'can update email addresses' do
+        VCR.use_cassette 'user_management/update_user/email' do
+          user = described_class.update_user(
+            id: 'user_01H7TVSKS45SDHN5V9XPSM6H44',
+            email: 'jane@example.com',
+          )
+          expect(user.email).to eq('jane@example.com')
+          expect(user.email_verified).to eq(false)
+        end
+      end
+
+      it 'only sends non-nil values in request body' do
+        # Mock the request to inspect what's being sent
+        expect(described_class).to receive(:put_request) do |options|
+          # Verify that the body only contains non-nil values
+          body = options[:body]
+          expect(body).to eq({ email_verified: true })
+          expect(body).not_to have_key(:first_name)
+          expect(body).not_to have_key(:last_name)
+          expect(body).not_to have_key(:email)
+          expect(body).not_to have_key(:locale)
+
+          # Return a mock request object
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response', body: '{"id": "test_user", "email_verified": true}'),
+        )
+
+        described_class.update_user(
+          id: 'user_01H7TVSKS45SDHN5V9XPSM6H44',
+          email_verified: true,
+        )
+      end
+
+      it 'can set external_id to null explicitly' do
+        original_method = described_class.method(:put_request)
+        allow(described_class).to receive(:put_request) do |kwargs|
+          original_method.call(**kwargs)
+        end
+
+        VCR.use_cassette 'user_management/update_user_external_id_null' do
+          described_class.update_user(
+            id: 'user_01K0SR53HJ58M957MYAB6TDZ9X',
+            first_name: 'John',
+            external_id: nil,
+          )
+        end
+
+        expect(described_class).to have_received(:put_request).with(
+          hash_including(body: hash_including(external_id: nil)),
+        )
+      end
+
       context 'with an invalid payload' do
         it 'returns an error' do
           VCR.use_cassette 'user_management/update_user/invalid' do
@@ -404,6 +574,42 @@ describe WorkOS::UserManagement do
         end
       end
     end
+
+    context 'with an unverified user' do
+      it 'raises a ForbiddenRequestError' do
+        VCR.use_cassette('user_management/authenticate_with_password/unverified') do
+          expect do
+            WorkOS::UserManagement.authenticate_with_password(
+              email: 'unverified@workos.app',
+              password: '7YtYic00VWcXatPb',
+              client_id: 'client_123',
+            )
+          end.to raise_error(WorkOS::ForbiddenRequestError, /Email ownership must be verified before authentication/)
+        end
+      end
+    end
+
+    context 'with an invitation_token' do
+      it 'includes invitation_token in the request body' do
+        expect(described_class).to receive(:post_request) do |options|
+          body = options[:body]
+          expect(body[:invitation_token]).to eq('invitation_token_123')
+
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response', body: '{"user": {"id": "user_123"}, "access_token": "token", "refresh_token": "refresh"}'),
+        )
+
+        described_class.authenticate_with_password(
+          email: 'test@workos.app',
+          password: 'password123',
+          client_id: 'client_123',
+          invitation_token: 'invitation_token_123',
+        )
+      end
+    end
   end
 
   describe '.authenticate_with_code' do
@@ -422,6 +628,40 @@ describe WorkOS::UserManagement do
         end
       end
 
+      context 'when oauth_tokens is present in the api response' do
+        it 'returns an oauth_tokens object' do
+          VCR.use_cassette('user_management/authenticate_with_code/valid_with_oauth_tokens') do
+            authentication_response = WorkOS::UserManagement.authenticate_with_code(
+              code: '01H93ZZHA0JBHFJH9RR11S83YN',
+              client_id: 'client_123',
+              ip_address: '200.240.210.16',
+              user_agent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/108.0.0.0 Safari/537.36',
+            )
+
+            expect(authentication_response.oauth_tokens).to be_a(WorkOS::OAuthTokens)
+            expect(authentication_response.oauth_tokens.access_token).to eq('oauth_access_token')
+            expect(authentication_response.oauth_tokens.refresh_token).to eq('oauth_refresh_token')
+            expect(authentication_response.oauth_tokens.scopes).to eq(%w[read write])
+            expect(authentication_response.oauth_tokens.expires_at).to eq(1_234_567_890)
+          end
+        end
+      end
+
+      context 'when oauth_tokens is not present in the api response' do
+        it 'returns nil oauth_tokens' do
+          VCR.use_cassette('user_management/authenticate_with_code/valid') do
+            authentication_response = WorkOS::UserManagement.authenticate_with_code(
+              code: '01H93ZZHA0JBHFJH9RR11S83YN',
+              client_id: 'client_123',
+              ip_address: '200.240.210.16',
+              user_agent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/108.0.0.0 Safari/537.36',
+            )
+
+            expect(authentication_response.oauth_tokens).to be_nil
+          end
+        end
+      end
+
       context 'when the user is being impersonated' do
         it 'contains the impersonator metadata' do
           VCR.use_cassette('user_management/authenticate_with_code/valid_with_impersonator') do
@@ -453,6 +693,27 @@ describe WorkOS::UserManagement do
         end
       end
     end
+
+    context 'with an invitation_token' do
+      it 'includes invitation_token in the request body' do
+        expect(described_class).to receive(:post_request) do |options|
+          body = options[:body]
+          expect(body[:invitation_token]).to eq('invitation_token_123')
+
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response', body: '{"user": {"id": "user_123"}, "access_token": "token", "refresh_token": "refresh"}'),
+        )
+
+        described_class.authenticate_with_code(
+          code: '01H93ZZHA0JBHFJH9RR11S83YN',
+          client_id: 'client_123',
+          invitation_token: 'invitation_token_123',
+        )
+      end
+    end
   end
 
   describe '.authenticate_with_refresh_token' do
@@ -467,6 +728,7 @@ describe WorkOS::UserManagement do
           )
           expect(authentication_response.access_token).to eq('<ACCESS_TOKEN>')
           expect(authentication_response.refresh_token).to eq('<REFRESH_TOKEN>')
+          expect(authentication_response.user.id).to eq('user_01H93WD0R0KWF8Q7BK02C0RPYJ')
         end
       end
     end
@@ -516,6 +778,28 @@ describe WorkOS::UserManagement do
         end
       end
     end
+
+    context 'with an invitation_token' do
+      it 'includes invitation_token in the request body' do
+        expect(described_class).to receive(:post_request) do |options|
+          body = options[:body]
+          expect(body[:invitation_token]).to eq('invitation_token_123')
+
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response', body: '{"user": {"id": "user_123"}, "access_token": "token", "refresh_token": "refresh"}'),
+        )
+
+        described_class.authenticate_with_magic_auth(
+          code: '452079',
+          client_id: 'client_123',
+          email: 'test@workos.com',
+          invitation_token: 'invitation_token_123',
+        )
+      end
+    end
   end
 
   describe '.authenticate_with_organization_selection' do
@@ -684,6 +968,28 @@ describe WorkOS::UserManagement do
           expect(authentication_response.authentication_challenge.id).to eq('auth_challenge_01H96FETXGTW1QMBSBT2T36PW0')
         end
       end
+
+      it 'only sends non-nil values in request body' do
+        expect(described_class).to receive(:post_request) do |options|
+          body = options[:body]
+          expect(body).to eq({ type: 'totp', totp_issuer: 'Test App' })
+          expect(body).not_to have_key(:totp_user)
+          expect(body).not_to have_key(:totp_secret)
+
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response',
+                 body: '{"authentication_factor": {"id": "test"}, "authentication_challenge": {"id": "test"}}',),
+        )
+
+        described_class.enroll_auth_factor(
+          user_id: 'user_123',
+          type: 'totp',
+          totp_issuer: 'Test App',
+        )
+      end
     end
 
     context 'with an incorrect user id' do
@@ -1072,6 +1378,23 @@ describe WorkOS::UserManagement do
         end
       end
     end
+
+    context 'with role slugs' do
+      it 'creates an organization membership with multiple roles' do
+        VCR.use_cassette 'user_management/create_organization_membership/valid_multiple_roles' do
+          organization_membership = described_class.create_organization_membership(
+            user_id: 'user_01H5JQDV7R7ATEYZDEG0W5PRYS',
+            organization_id: 'org_01H5JQDV7R7ATEYZDEG0W5PRYS',
+            role_slugs: %w[admin member],
+          )
+
+          expect(organization_membership.organization_id).to eq('organization_01H5JQDV7R7ATEYZDEG0W5PRYS')
+          expect(organization_membership.user_id).to eq('user_01H5JQDV7R7ATEYZDEG0W5PRYS')
+          expect(organization_membership.roles).to be_an(Array)
+          expect(organization_membership.roles.length).to eq(2)
+        end
+      end
+    end
   end
 
   describe '.update_organization_membership' do
@@ -1099,6 +1422,22 @@ describe WorkOS::UserManagement do
         end
       end
     end
+
+    context 'with role slugs' do
+      it 'updates an organization membership with multiple roles' do
+        VCR.use_cassette('user_management/update_organization_membership/valid_multiple_roles') do
+          organization_membership = WorkOS::UserManagement.update_organization_membership(
+            id: 'om_01H5JQDV7R7ATEYZDEG0W5PRYS',
+            role_slugs: %w[admin editor],
+          )
+
+          expect(organization_membership.organization_id).to eq('organization_01H5JQDV7R7ATEYZDEG0W5PRYS')
+          expect(organization_membership.user_id).to eq('user_01H5JQDV7R7ATEYZDEG0W5PRYS')
+          expect(organization_membership.roles).to be_an(Array)
+          expect(organization_membership.roles.length).to eq(2)
+        end
+      end
+    end
   end
 
   describe '.delete_organization_membership' do
@@ -1350,6 +1689,27 @@ describe WorkOS::UserManagement do
           expect(invitation.email).to eq('test@workos.com')
         end
       end
+
+      it 'only sends non-nil values in request body' do
+        expect(described_class).to receive(:post_request) do |options|
+          body = options[:body]
+          expect(body).to eq({ email: 'test@workos.com', organization_id: 'org_123' })
+          expect(body).not_to have_key(:expires_in_days)
+          expect(body).not_to have_key(:inviter_user_id)
+          expect(body).not_to have_key(:role_slug)
+
+          double('request')
+        end.and_return(double('request'))
+
+        expect(described_class).to receive(:execute_request).and_return(
+          double('response', body: '{"id": "test_invitation"}'),
+        )
+
+        described_class.send_invitation(
+          email: 'test@workos.com',
+          organization_id: 'org_123',
+        )
+      end
     end
 
     context 'with an invalid payload' do
@@ -1398,6 +1758,81 @@ describe WorkOS::UserManagement do
     end
   end
 
+  describe '.resend_invitation' do
+    context 'with valid payload' do
+      it 'resends invitation' do
+        VCR.use_cassette 'user_management/resend_invitation/valid' do
+          invitation = described_class.resend_invitation(
+            id: 'invitation_01H5JQDV7R7ATEYZDEG0W5PRYS',
+          )
+
+          expect(invitation.id).to eq('invitation_01H5JQDV7R7ATEYZDEG0W5PRYS')
+          expect(invitation.email).to eq('test@workos.com')
+        end
+      end
+    end
+
+    context 'with an invalid id' do
+      it 'returns an error' do
+        VCR.use_cassette 'user_management/resend_invitation/invalid' do
+          expect do
+            described_class.resend_invitation(
+              id: 'invalid_id',
+            )
+          end.to raise_error(
+            WorkOS::NotFoundError,
+            /Invitation not found/,
+          )
+        end
+      end
+    end
+
+    context 'when invitation has expired' do
+      it 'returns an error' do
+        VCR.use_cassette 'user_management/resend_invitation/expired' do
+          expect do
+            described_class.resend_invitation(
+              id: 'invitation_01H5JQDV7R7ATEYZDEG0W5PRYS',
+            )
+          end.to raise_error(
+            WorkOS::InvalidRequestError,
+            /Invite has expired/,
+          )
+        end
+      end
+    end
+
+    context 'when invitation has been revoked' do
+      it 'returns an error' do
+        VCR.use_cassette 'user_management/resend_invitation/revoked' do
+          expect do
+            described_class.resend_invitation(
+              id: 'invitation_01H5JQDV7R7ATEYZDEG0W5PRYS',
+            )
+          end.to raise_error(
+            WorkOS::InvalidRequestError,
+            /Invite has been revoked/,
+          )
+        end
+      end
+    end
+
+    context 'when invitation has already been accepted' do
+      it 'returns an error' do
+        VCR.use_cassette 'user_management/resend_invitation/accepted' do
+          expect do
+            described_class.resend_invitation(
+              id: 'invitation_01H5JQDV7R7ATEYZDEG0W5PRYS',
+            )
+          end.to raise_error(
+            WorkOS::InvalidRequestError,
+            /Invite has already been accepted/,
+          )
+        end
+      end
+    end
+  end
+
   describe '.revoke_session' do
     context 'with valid payload' do
       it 'revokes session' do
@@ -1426,4 +1861,64 @@ describe WorkOS::UserManagement do
       end
     end
   end
+
+  describe '.list_sessions' do
+    context 'with a valid user_id' do
+      it 'returns a list of sessions' do
+        VCR.use_cassette('user_management/list_sessions/valid') do
+          result = described_class.list_sessions(
+            user_id: 'user_01H7TVSKS45SDHN5V9XPSM6H44',
+          )
+
+          expect(result.data).to be_an(Array)
+          expect(result.data.first).to be_a(WorkOS::UserManagement::Session)
+          expect(result.data.first.id).to eq('session_01H96FETXGTW2S0V5V9XPSM6H44')
+          expect(result.data.first.status).to eq('active')
+          expect(result.data.first.auth_method).to eq('password')
+        end
+      end
+
+      it 'returns sessions that can be revoked' do
+        VCR.use_cassette('user_management/list_sessions/valid') do
+          result = described_class.list_sessions(
+            user_id: 'user_01H7TVSKS45SDHN5V9XPSM6H44',
+          )
+          session = result.data.first
+
+          expect(described_class).to receive(:post_request) do |options|
+            expect(options[:path]).to eq('/user_management/sessions/revoke')
+            expect(options[:body]).to eq({ session_id: 'session_01H96FETXGTW2S0V5V9XPSM6H44' })
+            expect(options[:auth]).to be true
+          end.and_return(double('request'))
+
+          expect(described_class).to receive(:execute_request).and_return(
+            double('response', is_a?: true),
+          )
+
+          expect(session.revoke).to be true
+        end
+      end
+    end
+  end
+
+  describe '.get_logout_url' do
+    it 'returns a logout url for the given session ID' do
+      result = described_class.get_logout_url(
+        session_id: 'session_01HRX85ATNADY1GQ053AHRFFN6',
+      )
+
+      expect(result).to eq 'https://api.workos.com/user_management/sessions/logout?session_id=session_01HRX85ATNADY1GQ053AHRFFN6'
+    end
+
+    context 'when a `return_to` is given' do
+      it 'returns a logout url with the `return_to` query parameter' do
+        result = described_class.get_logout_url(
+          session_id: 'session_01HRX85ATNADY1GQ053AHRFFN6',
+          return_to: 'https://example.com/signed-out',
+        )
+
+        expect(result).to eq 'https://api.workos.com/user_management/sessions/logout?session_id=session_01HRX85ATNADY1GQ053AHRFFN6&return_to=https%3A%2F%2Fexample.com%2Fsigned-out'
+      end
+    end
+  end
 end

data/spec/lib/workos/widgets_spec.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+describe WorkOS::Widgets do
+  it_behaves_like 'client'
+
+  describe '.get_token' do
+    let(:organization_id) { 'org_01JCP9G67MNAH0KC4B72XZ67M7' }
+    let(:user_id) { 'user_01JCP9H4SHS4N3J6XTKDT7JNPE' }
+
+    describe 'with a valid organization_id and user_id and scopes' do
+      it 'returns a widget token' do
+        VCR.use_cassette 'widgets/get_token' do
+          token = described_class.get_token(
+            organization_id: organization_id,
+            user_id: user_id,
+            scopes: ['widgets:users-table:manage'],
+          )
+
+          expect(token).to start_with('eyJhbGciOiJSUzI1NiIsImtpZ')
+        end
+      end
+    end
+
+    describe 'with an invalid organization_id' do
+      it 'raises an error' do
+        VCR.use_cassette 'widgets/get_token_invalid_organization_id' do
+          expect do
+            described_class.get_token(
+              organization_id: 'bogus-id',
+              user_id: user_id,
+              scopes: ['widgets:users-table:manage'],
+            )
+          end.to raise_error(
+            WorkOS::NotFoundError,
+            /Organization not found: 'bogus-id'/,
+          )
+        end
+      end
+    end
+
+    describe 'with an invalid user_id' do
+      it 'raises an error' do
+        VCR.use_cassette 'widgets/get_token_invalid_user_id' do
+          expect do
+            described_class.get_token(
+              organization_id: organization_id,
+              user_id: 'bogus-id',
+              scopes: ['widgets:users-table:manage'],
+            )
+          end.to raise_error(
+            WorkOS::NotFoundError,
+            /User not found: 'bogus-id'/,
+          )
+        end
+      end
+    end
+
+    describe 'with invalid scopes' do
+      it 'raises an error' do
+        expect do
+          described_class.get_token(
+            organization_id: organization_id,
+            user_id: user_id,
+            scopes: ['bogus-scope'],
+          )
+        end.to raise_error(
+          ArgumentError,
+          /scopes contains an invalid value/,
+        )
+      end
+    end
+  end
+end