RubyGems - workos - Versions diffs - 7.1.1 → 7.1.2 - Mend

workos 7.1.1 → 7.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

checksums.yaml +4 -4
data/.oagen-manifest.json +1 -1
data/.release-please-manifest.json +1 -1
data/CHANGELOG.md +9 -0
data/Gemfile.lock +2 -2
data/lib/workos/api_keys.rb +1 -1
data/lib/workos/audit_logs.rb +2 -2
data/lib/workos/authorization.rb +128 -116
data/lib/workos/base_client.rb +6 -1
data/lib/workos/encryptors/aes_gcm.rb +35 -3
data/lib/workos/groups.rb +1 -1
data/lib/workos/multi_factor_auth.rb +1 -1
data/lib/workos/organization_domains.rb +1 -1
data/lib/workos/radar.rb +2 -2
data/lib/workos/sso.rb +2 -2
data/lib/workos/user_management.rb +74 -65
data/lib/workos/version.rb +1 -1
data/lib/workos/webhooks.rb +1 -1
data/rbi/workos/authorization.rbi +100 -26
data/rbi/workos/user_management.rbi +60 -14
data/test/workos/test_audit_logs.rb +2 -2
data/test/workos/test_authorization.rb +86 -20
data/test/workos/test_encryptors_aes_gcm.rb +21 -0
data/test/workos/test_session.rb +68 -0
data/test/workos/test_user_management.rb +44 -8
data/test/workos/test_webhooks.rb +2 -2
metadata +2 -2

data/test/workos/test_authorization.rb CHANGED Viewed

@@ -13,15 +13,31 @@ class AuthorizationTest < Minitest::Test
   def test_check_returns_expected_result
     stub_request(:post, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/check(\?|\z)})
+      .with(body: hash_including("permission_slug" => "stub", "resource_id" => "stub"))
       .to_return(body: "{}", status: 200)
-    result = @client.authorization.check(organization_membership_id: "stub", permission_slug: "stub", resource_target: {type: "by_id"})
+    result = @client.authorization.check(organization_membership_id: "stub", permission_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetById.new(resource_id: "stub"))
+    refute_nil result
+  end
+  def test_check_with_resource_target_by_external_id_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/check(\?|\z)})
+      .with(body: hash_including("permission_slug" => "stub", "resource_external_id" => "stub", "resource_type_slug" => "stub"))
+      .to_return(body: "{}", status: 200)
+    result = @client.authorization.check(organization_membership_id: "stub", permission_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetByExternalId.new(resource_external_id: "stub", resource_type_slug: "stub"))
     refute_nil result
   end
   def test_list_resources_for_membership_returns_expected_result
     stub_request(:get, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/resources(\?|\z)})
       .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
-    result = @client.authorization.list_resources_for_membership(organization_membership_id: "stub", permission_slug: "stub", parent_resource: {type: "by_id"})
+    result = @client.authorization.list_resources_for_membership(organization_membership_id: "stub", permission_slug: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub"))
+    assert_kind_of WorkOS::Types::ListStruct, result
+  end
+  def test_list_resources_for_membership_with_parent_resource_by_external_id_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/resources(\?|\z)})
+      .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
+    result = @client.authorization.list_resources_for_membership(organization_membership_id: "stub", permission_slug: "stub", parent_resource: WorkOS::Authorization::ParentResourceByExternalId.new(parent_resource_type_slug: "stub", parent_resource_external_id: "stub"))
     assert_kind_of WorkOS::Types::ListStruct, result
   end
@@ -48,15 +64,31 @@ class AuthorizationTest < Minitest::Test
   def test_assign_role_returns_expected_result
     stub_request(:post, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)})
+      .with(body: hash_including("role_slug" => "stub", "resource_id" => "stub"))
       .to_return(body: "{}", status: 200)
-    result = @client.authorization.assign_role(organization_membership_id: "stub", role_slug: "stub", resource_target: {type: "by_id"})
+    result = @client.authorization.assign_role(organization_membership_id: "stub", role_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetById.new(resource_id: "stub"))
+    refute_nil result
+  end
+  def test_assign_role_with_resource_target_by_external_id_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)})
+      .with(body: hash_including("role_slug" => "stub", "resource_external_id" => "stub", "resource_type_slug" => "stub"))
+      .to_return(body: "{}", status: 200)
+    result = @client.authorization.assign_role(organization_membership_id: "stub", role_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetByExternalId.new(resource_external_id: "stub", resource_type_slug: "stub"))
     refute_nil result
   end
   def test_remove_role_returns_expected_result
     stub_request(:delete, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)})
       .to_return(body: "{}", status: 200)
-    result = @client.authorization.remove_role(organization_membership_id: "stub", role_slug: "stub", resource_target: {type: "by_id"})
+    result = @client.authorization.remove_role(organization_membership_id: "stub", role_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetById.new(resource_id: "stub"))
+    assert_nil result
+  end
+  def test_remove_role_with_resource_target_by_external_id_returns_expected_result
+    stub_request(:delete, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.authorization.remove_role(organization_membership_id: "stub", role_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetByExternalId.new(resource_external_id: "stub", resource_type_slug: "stub"))
     assert_nil result
   end
@@ -112,7 +144,7 @@ class AuthorizationTest < Minitest::Test
   def test_set_organization_role_permissions_returns_expected_result
     stub_request(:put, %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles/stub/permissions(\?|\z)})
       .to_return(body: "{}", status: 200)
-    result = @client.authorization.set_organization_role_permissions(organization_id: "stub", slug: "stub", permissions: [])
+    result = @client.authorization.set_organization_role_permissions(organization_id: "stub", slug: "stub", permissions: ["stub"])
     refute_nil result
   end
@@ -132,8 +164,17 @@ class AuthorizationTest < Minitest::Test
   def test_update_resource_by_external_id_returns_expected_result
     stub_request(:patch, %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub(\?|\z)})
+      .with(body: hash_including("parent_resource_id" => "stub"))
       .to_return(body: "{}", status: 200)
-    result = @client.authorization.update_resource_by_external_id(organization_id: "stub", resource_type_slug: "stub", external_id: "stub")
+    result = @client.authorization.update_resource_by_external_id(organization_id: "stub", resource_type_slug: "stub", external_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub"))
+    refute_nil result
+  end
+  def test_update_resource_by_external_id_with_parent_resource_by_external_id_returns_expected_result
+    stub_request(:patch, %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub(\?|\z)})
+      .with(body: hash_including("parent_resource_external_id" => "stub", "parent_resource_type_slug" => "stub"))
+      .to_return(body: "{}", status: 200)
+    result = @client.authorization.update_resource_by_external_id(organization_id: "stub", resource_type_slug: "stub", external_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceByExternalId.new(parent_resource_external_id: "stub", parent_resource_type_slug: "stub"))
     refute_nil result
   end
@@ -154,14 +195,30 @@ class AuthorizationTest < Minitest::Test
   def test_list_resources_returns_expected_result
     stub_request(:get, %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)})
       .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
-    result = @client.authorization.list_resources
+    result = @client.authorization.list_resources(parent: WorkOS::Authorization::ParentById.new(parent_resource_id: "stub"))
+    assert_kind_of WorkOS::Types::ListStruct, result
+  end
+  def test_list_resources_with_parent_by_external_id_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)})
+      .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
+    result = @client.authorization.list_resources(parent: WorkOS::Authorization::ParentByExternalId.new(parent_resource_type_slug: "stub", parent_external_id: "stub"))
     assert_kind_of WorkOS::Types::ListStruct, result
   end
   def test_create_resource_returns_expected_result
     stub_request(:post, %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)})
+      .with(body: hash_including("external_id" => "stub", "name" => "stub", "resource_type_slug" => "stub", "organization_id" => "stub", "parent_resource_id" => "stub"))
       .to_return(body: "{}", status: 200)
-    result = @client.authorization.create_resource(external_id: "stub", name: "stub", resource_type_slug: "stub", organization_id: "stub")
+    result = @client.authorization.create_resource(external_id: "stub", name: "stub", resource_type_slug: "stub", organization_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub"))
+    refute_nil result
+  end
+  def test_create_resource_with_parent_resource_by_external_id_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)})
+      .with(body: hash_including("external_id" => "stub", "name" => "stub", "resource_type_slug" => "stub", "organization_id" => "stub", "parent_resource_external_id" => "stub", "parent_resource_type_slug" => "stub"))
+      .to_return(body: "{}", status: 200)
+    result = @client.authorization.create_resource(external_id: "stub", name: "stub", resource_type_slug: "stub", organization_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceByExternalId.new(parent_resource_external_id: "stub", parent_resource_type_slug: "stub"))
     refute_nil result
   end
@@ -174,8 +231,17 @@ class AuthorizationTest < Minitest::Test
   def test_update_resource_returns_expected_result
     stub_request(:patch, %r{\Ahttps://api\.workos\.com/authorization/resources/stub(\?|\z)})
+      .with(body: hash_including("parent_resource_id" => "stub"))
+      .to_return(body: "{}", status: 200)
+    result = @client.authorization.update_resource(resource_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub"))
+    refute_nil result
+  end
+  def test_update_resource_with_parent_resource_by_external_id_returns_expected_result
+    stub_request(:patch, %r{\Ahttps://api\.workos\.com/authorization/resources/stub(\?|\z)})
+      .with(body: hash_including("parent_resource_external_id" => "stub", "parent_resource_type_slug" => "stub"))
       .to_return(body: "{}", status: 200)
-    result = @client.authorization.update_resource(resource_id: "stub")
+    result = @client.authorization.update_resource(resource_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceByExternalId.new(parent_resource_external_id: "stub", parent_resource_type_slug: "stub"))
     refute_nil result
   end
@@ -231,7 +297,7 @@ class AuthorizationTest < Minitest::Test
   def test_set_environment_role_permissions_returns_expected_result
     stub_request(:put, %r{\Ahttps://api\.workos\.com/authorization/roles/stub/permissions(\?|\z)})
       .to_return(body: "{}", status: 200)
-    result = @client.authorization.set_environment_role_permissions(slug: "stub", permissions: [])
+    result = @client.authorization.set_environment_role_permissions(slug: "stub", permissions: ["stub"])
     refute_nil result
   end
@@ -272,13 +338,13 @@ class AuthorizationTest < Minitest::Test
   # Parameterized authentication error tests (one per endpoint).
   [
-    {name: :check, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/check(\?|\z)}, args: {organization_membership_id: "stub", permission_slug: "stub", resource_target: {type: "by_id"}}},
-    {name: :list_resources_for_membership, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/resources(\?|\z)}, args: {organization_membership_id: "stub", permission_slug: "stub", parent_resource: {type: "by_id"}}},
+    {name: :check, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/check(\?|\z)}, args: {organization_membership_id: "stub", permission_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetById.new(resource_id: "stub")}},
+    {name: :list_resources_for_membership, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/resources(\?|\z)}, args: {organization_membership_id: "stub", permission_slug: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub")}},
     {name: :list_effective_permissions, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/resources/stub/permissions(\?|\z)}, args: {organization_membership_id: "stub", resource_id: "stub"}},
     {name: :list_effective_permissions_by_external_id, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/resources/stub/stub/permissions(\?|\z)}, args: {organization_membership_id: "stub", resource_type_slug: "stub", external_id: "stub"}},
     {name: :list_role_assignments, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)}, args: {organization_membership_id: "stub"}},
-    {name: :assign_role, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)}, args: {organization_membership_id: "stub", role_slug: "stub", resource_target: {type: "by_id"}}},
-    {name: :remove_role, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)}, args: {organization_membership_id: "stub", role_slug: "stub", resource_target: {type: "by_id"}}},
+    {name: :assign_role, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)}, args: {organization_membership_id: "stub", role_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetById.new(resource_id: "stub")}},
+    {name: :remove_role, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments(\?|\z)}, args: {organization_membership_id: "stub", role_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetById.new(resource_id: "stub")}},
     {name: :remove_role_assignment, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/role_assignments/stub(\?|\z)}, args: {organization_membership_id: "stub", role_assignment_id: "stub"}},
     {name: :list_organization_roles, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles(\?|\z)}, args: {organization_id: "stub"}},
     {name: :create_organization_role, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles(\?|\z)}, args: {organization_id: "stub", name: "stub"}},
@@ -286,16 +352,16 @@ class AuthorizationTest < Minitest::Test
     {name: :update_organization_role, verb: :patch, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles/stub(\?|\z)}, args: {organization_id: "stub", slug: "stub"}},
     {name: :delete_organization_role, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles/stub(\?|\z)}, args: {organization_id: "stub", slug: "stub"}},
     {name: :add_organization_role_permission, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles/stub/permissions(\?|\z)}, args: {organization_id: "stub", slug: "stub", body_slug: "stub"}},
-    {name: :set_organization_role_permissions, verb: :put, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles/stub/permissions(\?|\z)}, args: {organization_id: "stub", slug: "stub", permissions: []}},
+    {name: :set_organization_role_permissions, verb: :put, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles/stub/permissions(\?|\z)}, args: {organization_id: "stub", slug: "stub", permissions: ["stub"]}},
     {name: :remove_organization_role_permission, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/roles/stub/permissions/stub(\?|\z)}, args: {organization_id: "stub", slug: "stub", permission_slug: "stub"}},
     {name: :get_resource_by_external_id, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub(\?|\z)}, args: {organization_id: "stub", resource_type_slug: "stub", external_id: "stub"}},
-    {name: :update_resource_by_external_id, verb: :patch, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub(\?|\z)}, args: {organization_id: "stub", resource_type_slug: "stub", external_id: "stub"}},
+    {name: :update_resource_by_external_id, verb: :patch, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub(\?|\z)}, args: {organization_id: "stub", resource_type_slug: "stub", external_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub")}},
     {name: :delete_resource_by_external_id, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub(\?|\z)}, args: {organization_id: "stub", resource_type_slug: "stub", external_id: "stub"}},
     {name: :list_memberships_for_resource_by_external_id, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub/organization_memberships(\?|\z)}, args: {organization_id: "stub", resource_type_slug: "stub", external_id: "stub", permission_slug: "stub"}},
-    {name: :list_resources, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)}},
-    {name: :create_resource, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)}, args: {external_id: "stub", name: "stub", resource_type_slug: "stub", organization_id: "stub"}},
+    {name: :list_resources, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)}, args: {parent: WorkOS::Authorization::ParentById.new(parent_resource_id: "stub")}},
+    {name: :create_resource, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)}, args: {external_id: "stub", name: "stub", resource_type_slug: "stub", organization_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub")}},
     {name: :get_resource, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/resources/stub(\?|\z)}, args: {resource_id: "stub"}},
-    {name: :update_resource, verb: :patch, url: %r{\Ahttps://api\.workos\.com/authorization/resources/stub(\?|\z)}, args: {resource_id: "stub"}},
+    {name: :update_resource, verb: :patch, url: %r{\Ahttps://api\.workos\.com/authorization/resources/stub(\?|\z)}, args: {resource_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub")}},
     {name: :delete_resource, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/resources/stub(\?|\z)}, args: {resource_id: "stub"}},
     {name: :list_memberships_for_resource, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/resources/stub/organization_memberships(\?|\z)}, args: {resource_id: "stub", permission_slug: "stub"}},
     {name: :list_environment_roles, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/roles(\?|\z)}},
@@ -303,7 +369,7 @@ class AuthorizationTest < Minitest::Test
     {name: :get_environment_role, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/roles/stub(\?|\z)}, args: {slug: "stub"}},
     {name: :update_environment_role, verb: :patch, url: %r{\Ahttps://api\.workos\.com/authorization/roles/stub(\?|\z)}, args: {slug: "stub"}},
     {name: :add_environment_role_permission, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/roles/stub/permissions(\?|\z)}, args: {slug: "stub", body_slug: "stub"}},
-    {name: :set_environment_role_permissions, verb: :put, url: %r{\Ahttps://api\.workos\.com/authorization/roles/stub/permissions(\?|\z)}, args: {slug: "stub", permissions: []}},
+    {name: :set_environment_role_permissions, verb: :put, url: %r{\Ahttps://api\.workos\.com/authorization/roles/stub/permissions(\?|\z)}, args: {slug: "stub", permissions: ["stub"]}},
     {name: :list_permissions, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/permissions(\?|\z)}},
     {name: :create_permission, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/permissions(\?|\z)}, args: {slug: "stub", name: "stub"}},
     {name: :get_permission, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/permissions/stub(\?|\z)}, args: {slug: "stub"}},

data/test/workos/test_encryptors_aes_gcm.rb CHANGED Viewed

@@ -3,6 +3,9 @@
 # @oagen-ignore-file
 require "test_helper"
 require "base64"
+require "json"
+require "openssl"
+require "securerandom"
 class EncryptorsAesGcmTest < Minitest::Test
   PASSWORD = "test-cookie-password-at-least-32"
@@ -51,4 +54,22 @@ class EncryptorsAesGcmTest < Minitest::Test
     sealed2 = @enc.seal(data, PASSWORD)
     refute_equal sealed1, sealed2
   end
+  def test_unseal_reads_legacy_v6_payload
+    data = {"access_token" => "tok_abc", "refresh_token" => "ref_xyz"}
+    sealed = legacy_v6_seal(data, PASSWORD)
+    assert_equal data, @enc.unseal(sealed, PASSWORD)
+  end
+  private
+  def legacy_v6_seal(data, key)
+    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
+    iv = SecureRandom.random_bytes(12)
+    cipher.key = key
+    cipher.iv = iv
+    ciphertext = cipher.update(JSON.generate(data)) + cipher.final
+    Base64.encode64(iv + ciphertext + cipher.auth_tag)
+  end
 end

data/test/workos/test_session.rb CHANGED Viewed

@@ -6,6 +6,7 @@ require "json"
 require "openssl"
 require "jwt"
 require "base64"
+require "securerandom"
 class SessionTest < Minitest::Test
   PASSWORD = "very-long-cookie-password-secret"
@@ -84,6 +85,22 @@ class SessionTest < Minitest::Test
     assert_equal "u_1", result.user["id"]
   end
+  def test_authenticate_reads_legacy_v6_sealed_session
+    rsa, pub = signing_key_pair
+    access_token = make_jwt({"sid" => "session_v6", "org_id" => "org_legacy", "exp" => Time.now.to_i + 60}, rsa)
+    sealed = legacy_v6_seal({"access_token" => access_token, "user" => {"id" => "u_legacy"}}, PASSWORD)
+    stub_request(:get, "https://api.workos.com/sso/jwks/client_001")
+      .to_return(status: 200, body: jwks_payload(pub).to_json)
+    result = @sm.authenticate(seal_data: sealed, cookie_password: PASSWORD)
+    assert_kind_of WorkOS::SessionManager::AuthSuccess, result
+    assert result.authenticated
+    assert_equal "session_v6", result.session_id
+    assert_equal "org_legacy", result.organization_id
+    assert_equal "u_legacy", result.user["id"]
+  end
   def test_authenticate_merges_custom_claims_from_block
     rsa, pub = signing_key_pair
     access_token = make_jwt(
@@ -244,6 +261,45 @@ class SessionTest < Minitest::Test
     assert_equal "rt_new", unsealed["refresh_token"]
   end
+  def test_refresh_reads_legacy_v6_sealed_session
+    rsa, pub = signing_key_pair
+    old_access = make_jwt({"sid" => "session_old_v6", "exp" => Time.now.to_i - 60}, rsa)
+    sealed = legacy_v6_seal(
+      {"access_token" => old_access, "refresh_token" => "rt_old_v6", "user" => {"id" => "u_v6"}},
+      PASSWORD
+    )
+    new_access = make_jwt({"sid" => "session_new_v6", "org_id" => "org_v6", "role" => "member", "exp" => Time.now.to_i + 300}, rsa)
+    api_response = {
+      "access_token" => new_access,
+      "refresh_token" => "rt_new_v6",
+      "user" => {"id" => "u_v6", "email" => "legacy@example.com"},
+      "impersonator" => nil
+    }
+    stub_request(:post, "https://api.workos.com/user_management/authenticate")
+      .with(body: hash_including("grant_type" => "refresh_token", "refresh_token" => "rt_old_v6"))
+      .to_return(status: 200, body: api_response.to_json)
+    stub_request(:get, "https://api.workos.com/sso/jwks/client_001")
+      .to_return(status: 200, body: jwks_payload(pub).to_json)
+    session = @sm.load(seal_data: sealed, cookie_password: PASSWORD)
+    result = session.refresh
+    assert_kind_of WorkOS::SessionManager::RefreshSuccess, result
+    assert result.authenticated
+    assert_equal "session_new_v6", result.session_id
+    assert_equal "org_v6", result.organization_id
+    assert_equal "member", result.role
+    assert_equal "u_v6", result.user["id"]
+    refute_empty result.sealed_session
+    unsealed = @sm.unseal_data(result.sealed_session, PASSWORD)
+    assert_equal new_access, unsealed["access_token"]
+    assert_equal "rt_new_v6", unsealed["refresh_token"]
+    assert_equal "u_v6", unsealed["user"]["id"]
+  end
   def test_refresh_updates_internal_seal_data_for_subsequent_authenticate
     rsa, pub = signing_key_pair
     old_access = make_jwt({"sid" => "session_old", "exp" => Time.now.to_i - 60}, rsa)
@@ -383,4 +439,16 @@ class SessionTest < Minitest::Test
     assert_kind_of WorkOS::SessionManager::AuthSuccess, result
     assert_equal "s_custom", result.session_id
   end
+  private
+  def legacy_v6_seal(data, key)
+    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
+    iv = SecureRandom.random_bytes(12)
+    cipher.key = key
+    cipher.iv = iv
+    ciphertext = cipher.update(JSON.generate(data)) + cipher.final
+    Base64.encode64(iv + ciphertext + cipher.auth_tag)
+  end
 end

data/test/workos/test_user_management.rb CHANGED Viewed

@@ -203,8 +203,17 @@ class UserManagementTest < Minitest::Test
   def test_create_user_returns_expected_result
     stub_request(:post, %r{\Ahttps://api\.workos\.com/user_management/users(\?|\z)})
+      .with(body: hash_including("email" => "stub", "password" => "stub"))
       .to_return(body: "{}", status: 200)
-    result = @client.user_management.create_user(email: "stub")
+    result = @client.user_management.create_user(email: "stub", password: WorkOS::UserManagement::PasswordPlaintext.new(password: "stub"))
+    refute_nil result
+  end
+  def test_create_user_with_password_hashed_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/user_management/users(\?|\z)})
+      .with(body: hash_including("email" => "stub", "password_hash" => "stub", "password_hash_type" => "stub"))
+      .to_return(body: "{}", status: 200)
+    result = @client.user_management.create_user(email: "stub", password: WorkOS::UserManagement::PasswordHashed.new(password_hash: "stub", password_hash_type: "stub"))
     refute_nil result
   end
@@ -224,8 +233,17 @@ class UserManagementTest < Minitest::Test
   def test_update_user_returns_expected_result
     stub_request(:put, %r{\Ahttps://api\.workos\.com/user_management/users/stub(\?|\z)})
+      .with(body: hash_including("password" => "stub"))
+      .to_return(body: "{}", status: 200)
+    result = @client.user_management.update_user(id: "stub", password: WorkOS::UserManagement::PasswordPlaintext.new(password: "stub"))
+    refute_nil result
+  end
+  def test_update_user_with_password_hashed_returns_expected_result
+    stub_request(:put, %r{\Ahttps://api\.workos\.com/user_management/users/stub(\?|\z)})
+      .with(body: hash_including("password_hash" => "stub", "password_hash_type" => "stub"))
       .to_return(body: "{}", status: 200)
-    result = @client.user_management.update_user(id: "stub")
+    result = @client.user_management.update_user(id: "stub", password: WorkOS::UserManagement::PasswordHashed.new(password_hash: "stub", password_hash_type: "stub"))
     refute_nil result
   end
@@ -357,8 +375,17 @@ class UserManagementTest < Minitest::Test
   def test_create_organization_membership_returns_expected_result
     stub_request(:post, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships(\?|\z)})
+      .with(body: hash_including("user_id" => "stub", "organization_id" => "stub", "role_slug" => "stub"))
       .to_return(body: "{}", status: 200)
-    result = @client.user_management.create_organization_membership(user_id: "stub", organization_id: "stub")
+    result = @client.user_management.create_organization_membership(user_id: "stub", organization_id: "stub", role: WorkOS::UserManagement::RoleSingle.new(role_slug: "stub"))
+    refute_nil result
+  end
+  def test_create_organization_membership_with_role_multiple_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships(\?|\z)})
+      .with(body: hash_including("user_id" => "stub", "organization_id" => "stub", "role_slugs" => ["stub"]))
+      .to_return(body: "{}", status: 200)
+    result = @client.user_management.create_organization_membership(user_id: "stub", organization_id: "stub", role: WorkOS::UserManagement::RoleMultiple.new(role_slugs: ["stub"]))
     refute_nil result
   end
@@ -371,8 +398,17 @@ class UserManagementTest < Minitest::Test
   def test_update_organization_membership_returns_expected_result
     stub_request(:put, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)})
+      .with(body: hash_including("role_slug" => "stub"))
+      .to_return(body: "{}", status: 200)
+    result = @client.user_management.update_organization_membership(id: "stub", role: WorkOS::UserManagement::RoleSingle.new(role_slug: "stub"))
+    refute_nil result
+  end
+  def test_update_organization_membership_with_role_multiple_returns_expected_result
+    stub_request(:put, %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)})
+      .with(body: hash_including("role_slugs" => ["stub"]))
       .to_return(body: "{}", status: 200)
-    result = @client.user_management.update_organization_membership(id: "stub")
+    result = @client.user_management.update_organization_membership(id: "stub", role: WorkOS::UserManagement::RoleMultiple.new(role_slugs: ["stub"]))
     refute_nil result
   end
@@ -430,10 +466,10 @@ class UserManagementTest < Minitest::Test
     {name: :confirm_password_reset, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/password_reset/confirm(\?|\z)}, args: {token: "stub", new_password: "stub"}},
     {name: :get_password_reset, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/password_reset/stub(\?|\z)}, args: {id: "stub"}},
     {name: :list_users, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/users(\?|\z)}},
-    {name: :create_user, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/users(\?|\z)}, args: {email: "stub"}},
+    {name: :create_user, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/users(\?|\z)}, args: {email: "stub", password: WorkOS::UserManagement::PasswordPlaintext.new(password: "stub")}},
     {name: :get_user_by_external_id, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/users/external_id/stub(\?|\z)}, args: {external_id: "stub"}},
     {name: :get_user, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/users/stub(\?|\z)}, args: {id: "stub"}},
-    {name: :update_user, verb: :put, url: %r{\Ahttps://api\.workos\.com/user_management/users/stub(\?|\z)}, args: {id: "stub"}},
+    {name: :update_user, verb: :put, url: %r{\Ahttps://api\.workos\.com/user_management/users/stub(\?|\z)}, args: {id: "stub", password: WorkOS::UserManagement::PasswordPlaintext.new(password: "stub")}},
     {name: :delete_user, verb: :delete, url: %r{\Ahttps://api\.workos\.com/user_management/users/stub(\?|\z)}, args: {id: "stub"}},
     {name: :confirm_email_change, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/users/stub/email_change/confirm(\?|\z)}, args: {id: "stub", code: "stub"}},
     {name: :send_email_change, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/users/stub/email_change/send(\?|\z)}, args: {id: "stub", new_email: "stub"}},
@@ -452,9 +488,9 @@ class UserManagementTest < Minitest::Test
     {name: :create_magic_auth, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/magic_auth(\?|\z)}, args: {email: "stub"}},
     {name: :get_magic_auth, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/magic_auth/stub(\?|\z)}, args: {id: "stub"}},
     {name: :list_organization_memberships, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships(\?|\z)}},
-    {name: :create_organization_membership, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships(\?|\z)}, args: {user_id: "stub", organization_id: "stub"}},
+    {name: :create_organization_membership, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships(\?|\z)}, args: {user_id: "stub", organization_id: "stub", role: WorkOS::UserManagement::RoleSingle.new(role_slug: "stub")}},
     {name: :get_organization_membership, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)}, args: {id: "stub"}},
-    {name: :update_organization_membership, verb: :put, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)}, args: {id: "stub"}},
+    {name: :update_organization_membership, verb: :put, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)}, args: {id: "stub", role: WorkOS::UserManagement::RoleSingle.new(role_slug: "stub")}},
     {name: :delete_organization_membership, verb: :delete, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub(\?|\z)}, args: {id: "stub"}},
     {name: :deactivate_organization_membership, verb: :put, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub/deactivate(\?|\z)}, args: {id: "stub"}},
     {name: :reactivate_organization_membership, verb: :put, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub/reactivate(\?|\z)}, args: {id: "stub"}},

data/test/workos/test_webhooks.rb CHANGED Viewed

@@ -21,7 +21,7 @@ class WebhooksTest < Minitest::Test
   def test_create_webhook_endpoint_returns_expected_result
     stub_request(:post, %r{\Ahttps://api\.workos\.com/webhook_endpoints(\?|\z)})
       .to_return(body: "{}", status: 200)
-    result = @client.webhooks.create_webhook_endpoint(endpoint_url: "stub", events: [])
+    result = @client.webhooks.create_webhook_endpoint(endpoint_url: "stub", events: ["stub"])
     refute_nil result
   end
@@ -42,7 +42,7 @@ class WebhooksTest < Minitest::Test
   # Parameterized authentication error tests (one per endpoint).
   [
     {name: :list_webhook_endpoints, verb: :get, url: %r{\Ahttps://api\.workos\.com/webhook_endpoints(\?|\z)}},
-    {name: :create_webhook_endpoint, verb: :post, url: %r{\Ahttps://api\.workos\.com/webhook_endpoints(\?|\z)}, args: {endpoint_url: "stub", events: []}},
+    {name: :create_webhook_endpoint, verb: :post, url: %r{\Ahttps://api\.workos\.com/webhook_endpoints(\?|\z)}, args: {endpoint_url: "stub", events: ["stub"]}},
     {name: :update_webhook_endpoint, verb: :patch, url: %r{\Ahttps://api\.workos\.com/webhook_endpoints/stub(\?|\z)}, args: {id: "stub"}},
     {name: :delete_webhook_endpoint, verb: :delete, url: %r{\Ahttps://api\.workos\.com/webhook_endpoints/stub(\?|\z)}, args: {id: "stub"}}
   ].each do |spec|

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: workos
 version: !ruby/object:Gem::Version
-  version: 7.1.1
+  version: 7.1.2
 platform: ruby
 authors:
 - WorkOS
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-04-29 00:00:00.000000000 Z
+date: 2026-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt