workos 5.6.0 → 5.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aee47792913b272d66e3adb2d504793a7ae40b756c9f5ee545bf407df78ff4c4
-  data.tar.gz: 33e3cc29078c68806f2cbf463945c11153c2e92d75bc8def9898a14c15623118
+  metadata.gz: 0afe2a59cbc6559cee74fe894ad0ed632b6788955377949f87c641a3550fff92
+  data.tar.gz: 1725783e695045041a65334679db26c2fb396f1e79a3c4d18d7491d91d479756
 SHA512:
-  metadata.gz: ba6b7b8ad5f8715ad599cf4228a52970d4dd32834b5f35b35fc534ffc066e0b12e431e3ff16d9f30dbe4c5c88f49651e71d891f921bd8fd534a3276a1bf2a5dc
-  data.tar.gz: 388f1a1bb1235012b25c336052b51e4a142c2d225af938cb7aa12e01580003ae7430e7a4e2c4b55f81508edc0547a4d6e7df05b2d9c31e636b5a49736cd48233
+  metadata.gz: 626069aef80ea5cf1b3254679fb7f7c9054fe7f908c464521e42c566186c21170f5a3187e98c59d6f1f209d107e53995facb58763965042ce257d2e4cd8f5d63
+  data.tar.gz: 0f941008d87d91b19bbd5829cf79580df7cabb9e3d37891aa3016fca9e4af844ecd8a30f3b4e6e567d6a47ece9249b6e6da02eda157928bd2ee8c5d45c6404d2

data/.rubocop.yml

@@ -12,7 +12,7 @@ Layout/LineLength:
     - 'VCR\.use_cassette'
     - '(\A|\s)/.*?/'
 Metrics/BlockLength:
-  ExcludedMethods: ['describe', 'context', 'before']
+  ExcludedMethods: ['describe', 'context', 'before', 'it']
 Metrics/MethodLength:
   Max: 30
 Metrics/ModuleLength:

data/Gemfile.lock

@@ -1,7 +1,9 @@
 PATH
   remote: .
   specs:
-    workos (5.6.0)
+    workos (5.8.0)
+      encryptor (~> 3.0)
+      jwt (~> 2.8)
 
 GEM
   remote: https://rubygems.org/
@@ -9,12 +11,16 @@ GEM
     addressable (2.8.6)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
+    base64 (0.2.0)
     bigdecimal (3.1.7)
     crack (1.0.0)
       bigdecimal
       rexml
     diff-lcs (1.5.1)
+    encryptor (3.0.0)
     hashdiff (1.1.0)
+    jwt (2.8.2)
+      base64
     parallel (1.24.0)
     parser (3.3.0.5)
       ast (~> 2.4.1)

data/lib/workos/authentication_response.rb

@@ -6,10 +6,19 @@ module WorkOS
   class AuthenticationResponse
     include HashProvider
 
-    attr_accessor :user, :organization_id, :impersonator, :access_token, :refresh_token
+    attr_accessor :user,
+                  :organization_id,
+                  :impersonator,
+                  :access_token,
+                  :refresh_token,
+                  :authentication_method,
+                  :sealed_session
 
-    def initialize(authentication_response_json)
+    # rubocop:disable Metrics/AbcSize
+    def initialize(authentication_response_json, session = nil)
       json = JSON.parse(authentication_response_json, symbolize_names: true)
+      @access_token = json[:access_token]
+      @refresh_token = json[:refresh_token]
       @user = WorkOS::User.new(json[:user].to_json)
       @organization_id = json[:organization_id]
       @impersonator =
@@ -17,9 +26,19 @@ module WorkOS
           Impersonator.new(email: impersonator_json[:email],
                            reason: impersonator_json[:reason],)
         end
-      @access_token = json[:access_token]
-      @refresh_token = json[:refresh_token]
+      @authentication_method = json[:authentication_method]
+      @sealed_session =
+        if session && session[:seal_session]
+          WorkOS::Session.seal_data({
+                                      access_token: access_token,
+                                      refresh_token: refresh_token,
+                                      user: user.to_json,
+                                      organization_id: organization_id,
+                                      impersonator: impersonator.to_json,
+                                    }, session[:cookie_password],)
+        end
     end
+    # rubocop:enable Metrics/AbcSize
 
     def to_json(*)
       {
@@ -28,6 +47,8 @@ module WorkOS
         impersonator: impersonator.to_json,
         access_token: access_token,
         refresh_token: refresh_token,
+        authentication_method: authentication_method,
+        sealed_session: sealed_session,
       }
     end
   end

data/lib/workos/profile.rb

@@ -9,7 +9,7 @@ module WorkOS
   class Profile
     include HashProvider
 
-    attr_accessor :id, :email, :first_name, :last_name, :groups, :organization_id,
+    attr_accessor :id, :email, :first_name, :last_name, :role, :groups, :organization_id,
                   :connection_id, :connection_type, :idp_id, :raw_attributes
 
     def initialize(profile_json)
@@ -19,6 +19,7 @@ module WorkOS
       @email = hash[:email]
       @first_name = hash[:first_name]
       @last_name = hash[:last_name]
+      @role = hash[:role]
       @groups = hash[:groups]
       @organization_id = hash[:organization_id]
       @connection_id = hash[:connection_id]
@@ -37,6 +38,7 @@ module WorkOS
         email: email,
         first_name: first_name,
         last_name: last_name,
+        role: role,
         groups: groups,
         organization_id: organization_id,
         connection_id: connection_id,

data/lib/workos/refresh_authentication_response.rb

@@ -6,18 +6,41 @@ module WorkOS
   class RefreshAuthenticationResponse
     include HashProvider
 
-    attr_accessor :access_token, :refresh_token
+    attr_accessor :user, :organization_id, :impersonator, :access_token, :refresh_token, :sealed_session
 
-    def initialize(authentication_response_json)
+    # rubocop:disable Metrics/AbcSize
+    def initialize(authentication_response_json, session = nil)
       json = JSON.parse(authentication_response_json, symbolize_names: true)
       @access_token = json[:access_token]
       @refresh_token = json[:refresh_token]
+      @user = WorkOS::User.new(json[:user].to_json)
+      @organization_id = json[:organization_id]
+      @impersonator =
+        if (impersonator_json = json[:impersonator])
+          Impersonator.new(email: impersonator_json[:email],
+                           reason: impersonator_json[:reason],)
+        end
+      @sealed_session =
+        if session && session[:seal_session]
+          WorkOS::Session.seal_data({
+                                      access_token: access_token,
+                                      refresh_token: refresh_token,
+                                      user: user.to_json,
+                                      organization_id: organization_id,
+                                      impersonator: impersonator.to_json,
+                                    }, session[:cookie_password],)
+        end
     end
+    # rubocop:enable Metrics/AbcSize
 
     def to_json(*)
       {
+        user: user.to_json,
+        organization_id: organization_id,
+        impersonator: impersonator.to_json,
         access_token: access_token,
         refresh_token: refresh_token,
+        sealed_session: sealed_session,
       }
     end
   end

data/lib/workos/session.rb

@@ -0,0 +1,183 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'uri'
+require 'net/http'
+require 'encryptor'
+require 'securerandom'
+require 'json'
+require 'uri'
+
+module WorkOS
+  # The Session class provides helper methods for working with WorkOS sessions
+  # This class is not meant to be instantiated in a user space, and is instantiated internally but exposed.
+  # rubocop:disable Metrics/ClassLength
+  class Session
+    attr_accessor :jwks, :jwks_algorithms, :user_management, :cookie_password, :session_data, :client_id
+
+    def initialize(user_management:, client_id:, session_data:, cookie_password:)
+      raise ArgumentError, 'cookiePassword is required' if cookie_password.nil? || cookie_password.empty?
+
+      @user_management = user_management
+      @cookie_password = cookie_password
+      @session_data = session_data
+      @client_id = client_id
+
+      @jwks = create_remote_jwk_set(URI(@user_management.get_jwks_url(client_id)))
+      @jwks_algorithms = @jwks.map { |key| key[:alg] }.compact.uniq
+    end
+
+    # Authenticates the user based on the session data
+    # @return [Hash] A hash containing the authentication response and a reason if the authentication failed
+    def authenticate
+      return { authenticated: false, reason: 'NO_SESSION_COOKIE_PROVIDED' } if @session_data.nil?
+
+      begin
+        session = Session.unseal_data(@session_data, @cookie_password)
+      rescue StandardError
+        return { authenticated: false, reason: 'INVALID_SESSION_COOKIE' }
+      end
+
+      return { authenticated: false, reason: 'INVALID_SESSION_COOKIE' } unless session[:access_token]
+      return { authenticated: false, reason: 'INVALID_JWT' } unless is_valid_jwt(session[:access_token])
+
+      decoded = JWT.decode(session[:access_token], nil, true, algorithms: @jwks_algorithms, jwks: @jwks).first
+
+      {
+        authenticated: true,
+        session_id: decoded['sid'],
+        organization_id: decoded['org_id'],
+        role: decoded['role'],
+        permissions: decoded['permissions'],
+        user: session[:user],
+        impersonator: session[:impersonator],
+        reason: nil,
+      }
+    end
+
+    # Refreshes the session data using the refresh token stored in the session data
+    # @param options [Hash] Options for refreshing the session
+    # @option options [String] :cookie_password The password to use for unsealing the session data
+    # @option options [String] :organization_id The organization ID to use for refreshing the session
+    # @return [Hash] A hash containing a new sealed session, the authentication response,
+    # and a reason if the refresh failed
+    # rubocop:disable Metrics/AbcSize
+    # rubocop:disable Metrics/CyclomaticComplexity
+    # rubocop:disable Metrics/PerceivedComplexity
+    def refresh(options = nil)
+      cookie_password = options.nil? || options[:cookie_password].nil? ? @cookie_password : options[:cookie_password]
+
+      begin
+        session = Session.unseal_data(@session_data, cookie_password)
+      rescue StandardError
+        return { authenticated: false, reason: 'INVALID_SESSION_COOKIE' }
+      end
+
+      return { authenticated: false, reason: 'INVALID_SESSION_COOKIE' } unless session[:refresh_token] && session[:user]
+
+      begin
+        auth_response = @user_management.authenticate_with_refresh_token(
+          client_id: @client_id,
+          refresh_token: session[:refresh_token],
+          organization_id: options.nil? || options[:organization_id].nil? ? nil : options[:organization_id],
+          session: { seal_session: true, cookie_password: cookie_password },
+        )
+
+        @session_data = auth_response.sealed_session
+        @cookie_password = cookie_password
+
+        {
+          authenticated: true,
+          sealed_session: auth_response.sealed_session,
+          session: auth_response,
+          reason: nil,
+        }
+      rescue StandardError => e
+        { authenticated: false, reason: e.message }
+      end
+    end
+    # rubocop:enable Metrics/AbcSize
+    # rubocop:enable Metrics/CyclomaticComplexity
+    # rubocop:enable Metrics/PerceivedComplexity
+
+    # Returns a URL to redirect the user to for logging out
+    # @return [String] The URL to redirect the user to for logging out
+    # rubocop:disable Naming/AccessorMethodName
+    def get_logout_url
+      auth_response = authenticate
+
+      unless auth_response[:authenticated]
+        raise "Failed to extract session ID for logout URL: #{auth_response[:reason]}"
+      end
+
+      @user_management.get_logout_url(session_id: auth_response[:session_id])
+    end
+    # rubocop:enable Naming/AccessorMethodName
+
+    # Encrypts and seals data using AES-256-GCM
+    # @param data [Hash] The data to seal
+    # @param key [String] The key to use for encryption
+    # @return [String] The sealed data
+    def self.seal_data(data, key)
+      iv = SecureRandom.random_bytes(12)
+
+      encrypted_data = Encryptor.encrypt(
+        value: JSON.generate(data),
+        key: key,
+        iv: iv,
+        algorithm: 'aes-256-gcm',
+      )
+      Base64.encode64(iv + encrypted_data) # Combine IV with encrypted data and encode as base64
+    end
+
+    # Decrypts and unseals data using AES-256-GCM
+    # @param sealed_data [String] The sealed data to unseal
+    # @param key [String] The key to use for decryption
+    # @return [Hash] The unsealed data
+    def self.unseal_data(sealed_data, key)
+      decoded_data = Base64.decode64(sealed_data)
+      iv = decoded_data[0..11] # Extract the IV (first 12 bytes)
+      encrypted_data = decoded_data[12..-1] # Extract the encrypted data
+
+      decrypted_data = Encryptor.decrypt(
+        value: encrypted_data,
+        key: key,
+        iv: iv,
+        algorithm: 'aes-256-gcm',
+      )
+
+      JSON.parse(decrypted_data, symbolize_names: true) # Parse the decrypted JSON string back to original data
+    end
+
+    private
+
+    # Creates a JWKS set from a remote JWKS URL
+    # @param uri [URI] The URI of the JWKS
+    # @return [JWT::JWK::Set] The JWKS set
+    def create_remote_jwk_set(uri)
+      # Fetch the JWKS from the remote URL
+      response = Net::HTTP.get(uri)
+
+      jwks_hash = JSON.parse(response)
+      jwks = JWT::JWK::Set.new(jwks_hash)
+
+      # filter jwks so it only returns the keys where 'use' is equal to 'sig'
+      jwks.keys.select! { |key| key[:use] == 'sig' }
+
+      jwks
+    end
+
+    # Validates a JWT token using the JWKS set
+    # @param token [String] The JWT token to validate
+    # @return [Boolean] True if the token is valid, false otherwise
+    # rubocop:disable Naming/PredicateName
+    def is_valid_jwt(token)
+      JWT.decode(token, nil, true, algorithms: @jwks_algorithms, jwks: @jwks)
+      true
+    rescue StandardError
+      false
+    end
+    # rubocop:enable Naming/PredicateName
+  end
+  # rubocop:enable Metrics/ClassLength
+end

data/lib/workos/user_management.rb

@@ -37,6 +37,22 @@ module WorkOS
       PROVIDERS = WorkOS::UserManagement::Types::Provider::ALL
       AUTH_FACTOR_TYPES = WorkOS::UserManagement::Types::AuthFactorType::ALL
 
+      # Load a sealed session
+      #
+      # @param [String] client_id The WorkOS client ID for the environment
+      # @param [String] session_data The sealed session data
+      # @param [String] cookie_password The password used to seal the session
+      #
+      # @return WorkOS::Session
+      def load_sealed_session(client_id:, session_data:, cookie_password:)
+        WorkOS::Session.new(
+          user_management: self,
+          client_id: client_id,
+          session_data: session_data,
+          cookie_password: cookie_password,
+        )
+      end
+
       # Generate an OAuth 2.0 authorization URL that automatically directs a user
       # to their Identity Provider.
       #
@@ -289,14 +305,21 @@ module WorkOS
       # @param [String] client_id The WorkOS client ID for the environment
       # @param [String] ip_address The IP address of the request from the user who is attempting to authenticate.
       # @param [String] user_agent The user agent of the request from the user who is attempting to authenticate.
+      # @param [Hash] session An optional hash that determines whether the session should be sealed and
+      # the optional cookie password.
       #
       # @return WorkOS::AuthenticationResponse
       def authenticate_with_code(
         code:,
         client_id:,
         ip_address: nil,
-        user_agent: nil
+        user_agent: nil,
+        session: nil
       )
+        if session && (session[:seal_session] == true) && session[:cookie_password].nil?
+          raise ArgumentError, 'cookie_password is required when sealing session'
+        end
+
         response = execute_request(
           request: post_request(
             path: '/user_management/authenticate',
@@ -311,7 +334,7 @@ module WorkOS
           ),
         )
 
-        WorkOS::AuthenticationResponse.new(response.body)
+        WorkOS::AuthenticationResponse.new(response.body, session)
       end
 
       # Authenticate a user using a refresh token.
@@ -321,6 +344,8 @@ module WorkOS
       # @param [String] organization_id The organization to issue the new access token for. (Optional)
       # @param [String] ip_address The IP address of the request from the user who is attempting to authenticate.
       # @param [String] user_agent The user agent of the request from the user who is attempting to authenticate.
+      # @param [Hash] session An optional hash that determines whether the session should be sealed and
+      # the optional cookie password.
       #
       # @return WorkOS::RefreshAuthenticationResponse
       def authenticate_with_refresh_token(
@@ -328,8 +353,13 @@ module WorkOS
         client_id:,
         organization_id: nil,
         ip_address: nil,
-        user_agent: nil
+        user_agent: nil,
+        session: nil
       )
+        if session && (session[:seal_session] == true) && session[:cookie_password].nil?
+          raise ArgumentError, 'cookie_password is required when sealing session'
+        end
+
         response = execute_request(
           request: post_request(
             path: '/user_management/authenticate',
@@ -345,7 +375,7 @@ module WorkOS
           ),
         )
 
-        WorkOS::RefreshAuthenticationResponse.new(response.body)
+        WorkOS::RefreshAuthenticationResponse.new(response.body, session)
       end
 
       # Authenticate user by Magic Auth Code.

data/lib/workos/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WorkOS
-  VERSION = '5.6.0'
+  VERSION = '5.8.0'
 end

data/lib/workos.rb

@@ -71,6 +71,7 @@ module WorkOS
   autoload :Profile, 'workos/profile'
   autoload :ProfileAndToken, 'workos/profile_and_token'
   autoload :RefreshAuthenticationResponse, 'workos/refresh_authentication_response'
+  autoload :Session, 'workos/session'
   autoload :SSO, 'workos/sso'
   autoload :Types, 'workos/types'
   autoload :User, 'workos/user'

data/spec/lib/workos/session_spec.rb

@@ -0,0 +1,214 @@
+# frozen_string_literal: true
+
+describe WorkOS::Session do
+  let(:user_management) { instance_double('UserManagement') }
+  let(:client_id) { 'test_client_id' }
+  let(:cookie_password) { 'test_very_long_cookie_password__' }
+  let(:session_data) { 'test_session_data' }
+  let(:jwks_url) { 'https://api.workos.com/sso/jwks/client_123' }
+  let(:jwks_hash) { '{"keys":[{"alg":"RS256","kty":"RSA","use":"sig","n":"test_n","e":"AQAB","kid":"sso_oidc_key_pair_123","x5c":["test"],"x5t#S256":"test"}]}' } # rubocop:disable all
+  let(:jwk) { JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), { kid: 'sso_oidc_key_pair_123', use: 'sig', alg: 'RS256' }) }
+
+  before do
+    allow(user_management).to receive(:get_jwks_url).with(client_id).and_return(jwks_url)
+    allow(Net::HTTP).to receive(:get).and_return(jwks_hash)
+  end
+
+  describe 'initialize' do
+    it 'raises an error if cookie_password is nil or empty' do
+      expect do
+        WorkOS::Session.new(
+          user_management: user_management,
+          client_id: client_id,
+          session_data: session_data,
+          cookie_password: nil,
+        )
+      end.to raise_error(ArgumentError, 'cookiePassword is required')
+
+      expect do
+        WorkOS::Session.new(
+          user_management: user_management,
+          client_id: client_id,
+          session_data: session_data,
+          cookie_password: '',
+        )
+      end.to raise_error(ArgumentError, 'cookiePassword is required')
+    end
+
+    it 'initializes with valid parameters' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: session_data,
+        cookie_password: cookie_password,
+      )
+      expect(session.user_management).to eq(user_management)
+      expect(session.client_id).to eq(client_id)
+      expect(session.session_data).to eq(session_data)
+      expect(session.cookie_password).to eq(cookie_password)
+      expect(session.jwks.map(&:export)).to eq(JSON.parse(jwks_hash, symbolize_names: true)[:keys])
+      expect(session.jwks_algorithms).to eq(['RS256'])
+    end
+  end
+
+  describe '.authenticate' do
+    let(:valid_access_token) do
+      payload = {
+        sid: 'session_id',
+        org_id: 'org_id',
+        role: 'role',
+        permissions: ['read'],
+        exp: Time.now.to_i + 3600,
+      }
+      headers = { kid: jwk[:kid] }
+      JWT.encode(payload, jwk.signing_key, jwk[:alg], headers)
+    end
+    let(:session_data) do
+  WorkOS::Session.seal_data({
+                              access_token: valid_access_token,
+                              user: 'user',
+                              impersonator: 'impersonator',
+                            }, cookie_password,)
+end
+
+    it 'returns NO_SESSION_COOKIE_PROVIDED if session_data is nil' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: nil,
+        cookie_password: cookie_password,
+      )
+      result = session.authenticate
+      expect(result).to eq({ authenticated: false, reason: 'NO_SESSION_COOKIE_PROVIDED' })
+    end
+
+    it 'returns INVALID_SESSION_COOKIE if session_data is invalid' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: 'invalid_data',
+        cookie_password: cookie_password,
+      )
+      result = session.authenticate
+      expect(result).to eq({ authenticated: false, reason: 'INVALID_SESSION_COOKIE' })
+    end
+
+    it 'returns INVALID_JWT if access_token is invalid' do
+      invalid_session_data = WorkOS::Session.seal_data({ access_token: 'invalid_token' }, cookie_password)
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: invalid_session_data,
+        cookie_password: cookie_password,
+      )
+      result = session.authenticate
+      expect(result).to eq({ authenticated: false, reason: 'INVALID_JWT' })
+    end
+
+    it 'authenticates successfully with valid session_data' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: session_data,
+        cookie_password: cookie_password,
+      )
+      allow(session).to receive(:is_valid_jwt).and_return(true)
+      allow(JWT).to receive(:decode).and_return([{
+                                                  'sid' => 'session_id',
+                                                  'org_id' => 'org_id',
+                                                  'role' => 'role',
+                                                  'permissions' => ['read'],
+                                                }])
+
+      result = session.authenticate
+      expect(result).to eq({
+                             authenticated: true,
+                             session_id: 'session_id',
+                             organization_id: 'org_id',
+                             role: 'role',
+                             permissions: ['read'],
+                             user: 'user',
+                             impersonator: 'impersonator',
+                             reason: nil,
+                           })
+    end
+  end
+
+  describe '.refresh' do
+    let(:refresh_token) { 'test_refresh_token' }
+    let(:session_data) { WorkOS::Session.seal_data({ refresh_token: refresh_token, user: 'user' }, cookie_password) }
+    let(:auth_response) { double('AuthResponse', sealed_session: 'new_sealed_session') }
+
+    before do
+      allow(user_management).to receive(:authenticate_with_refresh_token).and_return(auth_response)
+    end
+
+    it 'returns INVALID_SESSION_COOKIE if session_data is invalid' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: 'invalid_data',
+        cookie_password: cookie_password,
+      )
+      result = session.refresh
+      expect(result).to eq({ authenticated: false, reason: 'INVALID_SESSION_COOKIE' })
+    end
+
+    it 'refreshes the session successfully with valid session_data' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: session_data,
+        cookie_password: cookie_password,
+      )
+      result = session.refresh
+      expect(result).to eq({
+                             authenticated: true,
+                             sealed_session: 'new_sealed_session',
+                             session: auth_response,
+                             reason: nil,
+                           })
+    end
+  end
+
+  describe '.get_logout_url' do
+    let(:session) do
+    WorkOS::Session.new(
+      user_management: user_management,
+      client_id: client_id,
+      session_data: session_data,
+      cookie_password: cookie_password,
+    )
+  end
+
+    context 'when authentication is successful' do
+      before do
+        allow(session).to receive(:authenticate).and_return({
+                                                              authenticated: true,
+                                                              session_id: 'session_id',
+                                                              reason: nil,
+                                                            })
+        allow(user_management).to receive(:get_logout_url).with(session_id: 'session_id').and_return('https://example.com/logout')
+      end
+
+      it 'returns the logout URL' do
+        expect(session.get_logout_url).to eq('https://example.com/logout')
+      end
+    end
+
+    context 'when authentication fails' do
+      before do
+        allow(session).to receive(:authenticate).and_return({
+                                                              authenticated: false,
+                                                              reason: 'Invalid session',
+                                                            })
+      end
+
+      it 'raises an error' do
+        expect { session.get_logout_url }.to raise_error(
+          RuntimeError, 'Failed to extract session ID for logout URL: Invalid session',
+        )
+      end
+    end
+  end
+end

data/spec/lib/workos/sso_spec.rb

@@ -302,6 +302,9 @@ describe WorkOS::SSO do
           id: 'prof_01EEJTY9SZ1R350RB7B73SNBKF',
           idp_id: '116485463307139932699',
           last_name: 'Loblaw',
+          role: {
+            slug: 'member',
+          },
           groups: nil,
           organization_id: 'org_01FG53X8636WSNW2WEKB2C31ZB',
           raw_attributes: {
@@ -373,6 +376,9 @@ describe WorkOS::SSO do
           id: 'prof_01DRA1XNSJDZ19A31F183ECQW5',
           idp_id: '00u1klkowm8EGah2H357',
           last_name: 'Demo',
+          role: {
+            slug: 'admin',
+          },
           groups: %w[Admins Developers],
           organization_id: 'org_01FG53X8636WSNW2WEKB2C31ZB',
           raw_attributes: {

data/spec/lib/workos/user_management_spec.rb

@@ -467,6 +467,7 @@ describe WorkOS::UserManagement do
           )
           expect(authentication_response.access_token).to eq('<ACCESS_TOKEN>')
           expect(authentication_response.refresh_token).to eq('<REFRESH_TOKEN>')
+          expect(authentication_response.user.id).to eq('user_01H93WD0R0KWF8Q7BK02C0RPYJ')
         end
       end
     end

data/spec/support/fixtures/vcr_cassettes/sso/profile.yml

@@ -67,7 +67,7 @@ http_interactions:
       body:
         encoding: UTF-8
         string:
-          '{"object":"profile","id":"prof_01EEJTY9SZ1R350RB7B73SNBKF","organization_id":"org_01FG53X8636WSNW2WEKB2C31ZB","connection_id":"conn_01E83FVYZHY7DM4S9503JHV0R5","connection_type":"GoogleOAuth","idp_id":"116485463307139932699","email":"bob.loblaw@workos.com","first_name":"Bob","last_name":"Loblaw","raw_attributes":{"hd":"workos.com","id":"116485463307139932699","name":"Bob
+          '{"object":"profile","id":"prof_01EEJTY9SZ1R350RB7B73SNBKF","organization_id":"org_01FG53X8636WSNW2WEKB2C31ZB","connection_id":"conn_01E83FVYZHY7DM4S9503JHV0R5","connection_type":"GoogleOAuth","idp_id":"116485463307139932699","email":"bob.loblaw@workos.com","first_name":"Bob","last_name":"Loblaw","role":{"slug":"member"},"raw_attributes":{"hd":"workos.com","id":"116485463307139932699","name":"Bob
           Loblaw","email":"bob.loblaw@workos.com","locale":"en","picture":"https://lh3.googleusercontent.com/a-/AOh14GyO2hLlgZvteDQ3Ldi3_-RteZLya0hWH7247Cam=s96-c","given_name":"Bob","family_name":"Loblaw","verified_email":true}}'
       http_version:
     recorded_at: Tue, 18 May 2021 22:55:21 GMT

data/spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_refresh_token/valid.yml

@@ -1,81 +1,82 @@
 ---
 http_interactions:
-- request:
-    method: post
-    uri: https://api.workos.com/user_management/authenticate
-    body:
-      encoding: UTF-8
-      string: '{"refresh_token":"some_refresh_token","client_id":"client_123","client_secret":"<API_KEY>","ip_address":"200.240.210.16","user_agent":"Mozilla/5.0
-        (Macintosh; Intel Mac OS X 10_15_7) Chrome/108.0.0.0 Safari/537.36","grant_type":"refresh_token"}'
-    headers:
-      Content-Type:
-      - application/json
-      Accept-Encoding:
-      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
-      Accept:
-      - "*/*"
-      User-Agent:
-      - WorkOS; ruby/3.2.2; arm64-darwin22; v4.0.0
-  response:
-    status:
-      code: 200
-      message: OK
-    headers:
-      Date:
-      - Mon, 18 Mar 2024 19:00:53 GMT
-      Content-Type:
-      - application/json; charset=utf-8
-      Transfer-Encoding:
-      - chunked
-      Connection:
-      - keep-alive
-      Cf-Ray:
-      - 866777d63b4627e8-SLC
-      Cf-Cache-Status:
-      - DYNAMIC
-      Etag:
-      - W/"335-M3MDQYhs5724SayBHHCwnBDn3qA"
-      Strict-Transport-Security:
-      - max-age=15552000; includeSubDomains
-      Vary:
-      - Origin, Accept-Encoding
-      Via:
-      - 1.1 spaces-router (devel)
-      Access-Control-Allow-Credentials:
-      - 'true'
-      Content-Security-Policy:
-      - 'default-src ''self'';base-uri ''self'';block-all-mixed-content;font-src ''self''
-        https: data:;frame-ancestors ''self'';img-src ''self'' data:;object-src ''none'';script-src
-        ''self'';script-src-attr ''none'';style-src ''self'' https: ''unsafe-inline'';upgrade-insecure-requests'
-      Expect-Ct:
-      - max-age=0
-      Referrer-Policy:
-      - no-referrer
-      X-Content-Type-Options:
-      - nosniff
-      X-Dns-Prefetch-Control:
-      - 'off'
-      X-Download-Options:
-      - noopen
-      X-Frame-Options:
-      - SAMEORIGIN
-      X-Permitted-Cross-Domain-Policies:
-      - none
-      X-Request-Id:
-      - 995ed1ed-e892-4049-86c9-0e07baa6cc4b
-      X-Xss-Protection:
-      - '0'
-      Set-Cookie:
-      - __cf_bm=2NHqv1cd1BisOc8KKcQ0oNzFxZZT4OHQd6c2QDuGnUU-1710788453-1.0.1.1-4BxBRzVrhL7rCH895PcfORXr_6Rnj3Oh5w1YG4xi7X1st62LMzb5dHZO7u7P.V1P8nBDAAt3Wbz7xsDTWrfWJg;
-        path=/; expires=Mon, 18-Mar-24 19:30:53 GMT; domain=.workos.com; HttpOnly;
-        Secure; SameSite=None
-      - __cfruid=06035c17e9b60a1d7a42a5b568146a0bb71a06dc-1710788453; path=/; domain=.workos.com;
-        HttpOnly; Secure; SameSite=None
-      Server:
-      - cloudflare
-    body:
-      encoding: UTF-8
-      string: '{"access_token":"<ACCESS_TOKEN>","refresh_token":"<REFRESH_TOKEN>"}'
-    http_version:
-  recorded_at: Mon, 18 Mar 2024 19:00:53 GMT
+  - request:
+      method: post
+      uri: https://api.workos.com/user_management/authenticate
+      body:
+        encoding: UTF-8
+        string:
+          '{"refresh_token":"some_refresh_token","client_id":"client_123","client_secret":"<API_KEY>","ip_address":"200.240.210.16","user_agent":"Mozilla/5.0
+          (Macintosh; Intel Mac OS X 10_15_7) Chrome/108.0.0.0 Safari/537.36","grant_type":"refresh_token"}'
+      headers:
+        Content-Type:
+          - application/json
+        Accept-Encoding:
+          - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+        Accept:
+          - '*/*'
+        User-Agent:
+          - WorkOS; ruby/3.2.2; arm64-darwin22; v4.0.0
+    response:
+      status:
+        code: 200
+        message: OK
+      headers:
+        Date:
+          - Mon, 18 Mar 2024 19:00:53 GMT
+        Content-Type:
+          - application/json; charset=utf-8
+        Transfer-Encoding:
+          - chunked
+        Connection:
+          - keep-alive
+        Cf-Ray:
+          - 866777d63b4627e8-SLC
+        Cf-Cache-Status:
+          - DYNAMIC
+        Etag:
+          - W/"335-M3MDQYhs5724SayBHHCwnBDn3qA"
+        Strict-Transport-Security:
+          - max-age=15552000; includeSubDomains
+        Vary:
+          - Origin, Accept-Encoding
+        Via:
+          - 1.1 spaces-router (devel)
+        Access-Control-Allow-Credentials:
+          - 'true'
+        Content-Security-Policy:
+          - "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self'
+            https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src
+            'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
+        Expect-Ct:
+          - max-age=0
+        Referrer-Policy:
+          - no-referrer
+        X-Content-Type-Options:
+          - nosniff
+        X-Dns-Prefetch-Control:
+          - 'off'
+        X-Download-Options:
+          - noopen
+        X-Frame-Options:
+          - SAMEORIGIN
+        X-Permitted-Cross-Domain-Policies:
+          - none
+        X-Request-Id:
+          - 995ed1ed-e892-4049-86c9-0e07baa6cc4b
+        X-Xss-Protection:
+          - '0'
+        Set-Cookie:
+          - __cf_bm=2NHqv1cd1BisOc8KKcQ0oNzFxZZT4OHQd6c2QDuGnUU-1710788453-1.0.1.1-4BxBRzVrhL7rCH895PcfORXr_6Rnj3Oh5w1YG4xi7X1st62LMzb5dHZO7u7P.V1P8nBDAAt3Wbz7xsDTWrfWJg;
+            path=/; expires=Mon, 18-Mar-24 19:30:53 GMT; domain=.workos.com; HttpOnly;
+            Secure; SameSite=None
+          - __cfruid=06035c17e9b60a1d7a42a5b568146a0bb71a06dc-1710788453; path=/; domain=.workos.com;
+            HttpOnly; Secure; SameSite=None
+        Server:
+          - cloudflare
+      body:
+        encoding: UTF-8
+        string: '{"user":{"object":"user","id":"user_01H93WD0R0KWF8Q7BK02C0RPYJ","email":"test@workos.app","email_verified":true,"first_name":"Lucille","last_name":"Bluth","created_at":"2023-08-30T18:48:26.517Z","updated_at":"2023-08-30T18:58:00.821Z","user_type":"unmanaged","email_verified_at":"2023-08-30T18:58:00.915Z","google_oauth_profile_id":null,"microsoft_oauth_profile_id":null},"access_token":"<ACCESS_TOKEN>","refresh_token":"<REFRESH_TOKEN>"}'
+      http_version:
+    recorded_at: Mon, 18 Mar 2024 19:00:53 GMT
 recorded_with: VCR 5.0.0

data/spec/support/profile.txt

@@ -1 +1 @@
-{"profile":{"object":"profile","id":"prof_01DRA1XNSJDZ19A31F183ECQW5","email":"demo@workos-okta.com","first_name":"WorkOS","organization_id":"org_01FG53X8636WSNW2WEKB2C31ZB","connection_id":"conn_01EMH8WAK20T42N2NBMNBCYHAG","connection_type":"OktaSAML","last_name":"Demo","groups":["Admins","Developers"],"idp_id":"00u1klkowm8EGah2H357","raw_attributes":{"id":"prof_01DRA1XNSJDZ19A31F183ECQW5","email":"demo@workos-okta.com","first_name":"WorkOS","last_name":"Demo","groups":["Admins","Developers"],"idp_id":"00u1klkowm8EGah2H357"}},"access_token":"01DVX6QBS3EG6FHY2ESAA5Q65X"}
+{"profile":{"object":"profile","id":"prof_01DRA1XNSJDZ19A31F183ECQW5","email":"demo@workos-okta.com","first_name":"WorkOS","organization_id":"org_01FG53X8636WSNW2WEKB2C31ZB","connection_id":"conn_01EMH8WAK20T42N2NBMNBCYHAG","connection_type":"OktaSAML","last_name":"Demo","role":{"slug": "admin"},"groups":["Admins","Developers"],"idp_id":"00u1klkowm8EGah2H357","raw_attributes":{"id":"prof_01DRA1XNSJDZ19A31F183ECQW5","email":"demo@workos-okta.com","first_name":"WorkOS","last_name":"Demo","groups":["Admins","Developers"],"idp_id":"00u1klkowm8EGah2H357"}},"access_token":"01DVX6QBS3EG6FHY2ESAA5Q65X"}

data/workos.gemspec

@@ -21,6 +21,9 @@ Gem::Specification.new do |spec|
   spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
 
+  spec.add_dependency 'encryptor', '~> 3.0'
+  spec.add_dependency 'jwt', '~> 2.8'
+
   spec.add_development_dependency 'bundler', '>= 2.0.1'
   spec.add_development_dependency 'rspec', '~> 3.9.0'
   spec.add_development_dependency 'rubocop', '~> 0.77'

metadata

@@ -1,15 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: workos
 version: !ruby/object:Gem::Version
-  version: 5.6.0
+  version: 5.8.0
 platform: ruby
 authors:
 - WorkOS
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-08-19 00:00:00.000000000 Z
+date: 2024-10-16 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: encryptor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.8'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -137,6 +165,7 @@ files:
 - lib/workos/profile.rb
 - lib/workos/profile_and_token.rb
 - lib/workos/refresh_authentication_response.rb
+- lib/workos/session.rb
 - lib/workos/sso.rb
 - lib/workos/types.rb
 - lib/workos/types/intent.rb
@@ -161,6 +190,7 @@ files:
 - spec/lib/workos/organizations_spec.rb
 - spec/lib/workos/passwordless_spec.rb
 - spec/lib/workos/portal_spec.rb
+- spec/lib/workos/session_spec.rb
 - spec/lib/workos/sso_spec.rb
 - spec/lib/workos/user_management_spec.rb
 - spec/lib/workos/webhooks_spec.rb
@@ -373,6 +403,7 @@ test_files:
 - spec/lib/workos/organizations_spec.rb
 - spec/lib/workos/passwordless_spec.rb
 - spec/lib/workos/portal_spec.rb
+- spec/lib/workos/session_spec.rb
 - spec/lib/workos/sso_spec.rb
 - spec/lib/workos/user_management_spec.rb
 - spec/lib/workos/webhooks_spec.rb