RubyGems - workos - Versions diffs - 7.1.2 → 8.0.1 - Mend

workos 7.1.2 → 8.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (120) hide show

checksums.yaml +4 -4
data/.github/workflows/docs.yml +49 -0
data/.github/workflows/release-please.yml +2 -2
data/.gitignore +2 -0
data/.last-synced-sha +1 -1
data/.oagen-manifest.json +61 -40
data/.release-please-manifest.json +1 -1
data/.yardopts +6 -0
data/CHANGELOG.md +36 -0
data/Gemfile +6 -0
data/Gemfile.lock +33 -2
data/README.md +19 -0
data/docs/V7_MIGRATION_GUIDE.md +21 -0
data/lib/workos/actions.rb +1 -1
data/lib/workos/api_keys/api_key.rb +1 -1
data/lib/workos/api_keys/api_key_created_data.rb +1 -1
data/lib/workos/api_keys/organization_api_key.rb +43 -0
data/lib/workos/{types/events_order.rb → api_keys/organization_api_key_owner.rb} +1 -3
data/lib/workos/api_keys/organization_api_key_with_value.rb +46 -0
data/lib/workos/{types/audit_logs_order.rb → api_keys/organization_api_key_with_value_owner.rb} +1 -3
data/lib/workos/api_keys.rb +46 -46
data/lib/workos/audit_logs.rb +4 -4
data/lib/workos/authorization/user_organization_membership_base_list_data.rb +5 -2
data/lib/workos/authorization/{role_assignment.rb → user_role_assignment.rb} +5 -2
data/lib/workos/authorization/{role_assignment_resource.rb → user_role_assignment_resource.rb} +1 -1
data/lib/workos/authorization.rb +122 -22
data/lib/workos/base_client.rb +71 -5
data/lib/workos/client.rb +4 -4
data/lib/workos/connect.rb +2 -2
data/lib/workos/directory_sync/directory_user.rb +3 -0
data/lib/workos/directory_sync/directory_user_with_groups.rb +4 -1
data/lib/workos/directory_sync/dsync_user_updated_data.rb +3 -0
data/lib/workos/directory_sync.rb +6 -6
data/lib/workos/encryptors/aes_gcm.rb +19 -5
data/lib/workos/events.rb +2 -2
data/lib/workos/feature_flags.rb +6 -6
data/lib/workos/groups.rb +4 -4
data/lib/workos/multi_factor_auth.rb +2 -2
data/lib/workos/organizations.rb +2 -2
data/lib/workos/session.rb +28 -7
data/lib/workos/session_manager.rb +24 -1
data/lib/workos/sso/profile.rb +3 -0
data/lib/workos/sso.rb +2 -2
data/lib/workos/types/event_context_actor_source.rb +2 -1
data/lib/workos/types/{applications_order.rb → pagination_order.rb} +1 -1
data/lib/workos/types/{vault_byok_key_verification_completed_data_key_provider.rb → vault_byok_key_provider.rb} +1 -1
data/lib/workos/user_management/create_user_api_key.rb +25 -0
data/lib/workos/user_management/organization_membership.rb +5 -2
data/lib/workos/user_management/user_api_key.rb +43 -0
data/lib/workos/user_management/user_api_key_created_data_owner.rb +25 -0
data/lib/workos/{api_keys/api_key_with_value_owner.rb → user_management/user_api_key_owner.rb} +1 -1
data/lib/workos/{types/webhooks_order.rb → user_management/user_api_key_revoked_data_owner.rb} +1 -3
data/lib/workos/{api_keys/api_key_with_value.rb → user_management/user_api_key_with_value.rb} +2 -2
data/lib/workos/{types/groups_order.rb → user_management/user_api_key_with_value_owner.rb} +1 -3
data/lib/workos/user_management/user_organization_membership.rb +5 -2
data/lib/workos/user_management.rb +114 -10
data/lib/workos/user_management_organization_membership_groups.rb +2 -2
data/lib/workos/vault/vault_byok_key_deleted.rb +34 -0
data/lib/workos/vault/vault_byok_key_deleted_data.rb +22 -0
data/lib/workos/version.rb +1 -1
data/lib/workos/webhooks.rb +3 -3
data/rbi/workos/api_key.rbi +2 -2
data/rbi/workos/api_key_created_data.rbi +2 -2
data/rbi/workos/api_key_revoked_data.rbi +2 -2
data/rbi/workos/api_keys.rbi +17 -17
data/rbi/workos/authorization.rbi +27 -1
data/rbi/workos/client.rbi +3 -3
data/rbi/workos/create_user_api_key.rbi +36 -0
data/rbi/workos/directory_user.rbi +6 -0
data/rbi/workos/directory_user_with_groups.rbi +6 -0
data/rbi/workos/dsync_user_updated_data.rbi +6 -0
data/rbi/workos/organization_api_key.rbi +72 -0
data/rbi/workos/{api_key_with_value_owner.rbi → organization_api_key_owner.rbi} +1 -1
data/rbi/workos/organization_api_key_with_value.rbi +78 -0
data/rbi/workos/organization_api_key_with_value_owner.rbi +30 -0
data/rbi/workos/organization_membership.rbi +6 -0
data/rbi/workos/profile.rbi +6 -0
data/rbi/workos/user_api_key.rbi +72 -0
data/rbi/workos/user_api_key_created_data_owner.rbi +36 -0
data/rbi/workos/user_api_key_owner.rbi +36 -0
data/rbi/workos/user_api_key_revoked_data_owner.rbi +36 -0
data/rbi/workos/{api_key_with_value.rbi → user_api_key_with_value.rbi} +3 -3
data/rbi/workos/user_api_key_with_value_owner.rbi +36 -0
data/rbi/workos/user_management.rbi +31 -0
data/rbi/workos/user_organization_membership.rbi +6 -0
data/rbi/workos/user_organization_membership_base_list_data.rbi +6 -0
data/rbi/workos/{role_assignment.rbi → user_role_assignment.rbi} +9 -3
data/rbi/workos/{role_assignment_resource.rbi → user_role_assignment_resource.rbi} +1 -1
data/rbi/workos/vault_byok_key_deleted.rbi +54 -0
data/rbi/workos/vault_byok_key_deleted_data.rbi +30 -0
data/script/docs +16 -0
data/script/docs-serve +12 -0
data/script/llms-txt +37 -0
data/test/workos/test_actions.rb +9 -0
data/test/workos/test_api_keys.rb +17 -17
data/test/workos/test_authorization.rb +16 -0
data/test/workos/test_base_client.rb +44 -0
data/test/workos/test_encryptors_aes_gcm.rb +16 -1
data/test/workos/test_model_round_trip.rb +278 -83
data/test/workos/test_session.rb +43 -4
data/test/workos/test_user_management.rb +25 -1
data/test/workos/test_webhook_verify.rb +11 -0
metadata +39 -33
data/lib/workos/types/authorization_order.rb +0 -9
data/lib/workos/types/connections_order.rb +0 -9
data/lib/workos/types/directories_order.rb +0 -9
data/lib/workos/types/directory_groups_order.rb +0 -9
data/lib/workos/types/directory_users_order.rb +0 -9
data/lib/workos/types/feature_flags_order.rb +0 -9
data/lib/workos/types/organizations_api_keys_order.rb +0 -9
data/lib/workos/types/organizations_feature_flags_order.rb +0 -9
data/lib/workos/types/organizations_order.rb +0 -9
data/lib/workos/types/permissions_order.rb +0 -9
data/lib/workos/types/user_management_invitations_order.rb +0 -9
data/lib/workos/types/user_management_multi_factor_authentication_order.rb +0 -9
data/lib/workos/types/user_management_organization_membership_groups_order.rb +0 -9
data/lib/workos/types/user_management_organization_membership_order.rb +0 -9
data/lib/workos/types/user_management_users_authorized_applications_order.rb +0 -9
data/lib/workos/types/user_management_users_feature_flags_order.rb +0 -9
data/lib/workos/types/user_management_users_order.rb +0 -9

data/rbi/workos/user_management.rbi CHANGED Viewed

@@ -333,6 +333,13 @@ module WorkOS
     end
     def revoke_invitation(id:, request_options:); end
+    sig do
+      params(
+        request_options: T::Hash[Symbol, T.untyped]
+      ).returns(WorkOS::JWTTemplateResponse)
+    end
+    def list_jwt_template(request_options:); end
     sig do
       params(
         content: String,
@@ -452,5 +459,29 @@ module WorkOS
     end
     def delete_user_authorized_application(application_id:, user_id:, request_options:); end
+    sig do
+      params(
+        user_id: String,
+        before: T.nilable(String),
+        after: T.nilable(String),
+        limit: T.nilable(Integer),
+        order: T.nilable(String),
+        organization_id: T.nilable(String),
+        request_options: T::Hash[Symbol, T.untyped]
+      ).returns(WorkOS::Types::ListStruct)
+    end
+    def list_user_api_keys(user_id:, before:, after:, limit:, order:, organization_id:, request_options:); end
+    sig do
+      params(
+        user_id: String,
+        name: String,
+        organization_id: String,
+        permissions: T.nilable(T::Array[String]),
+        request_options: T::Hash[Symbol, T.untyped]
+      ).returns(WorkOS::UserApiKeyWithValue)
+    end
+    def create_user_api_key(user_id:, name:, organization_id:, permissions:, request_options:); end
   end
 end

data/rbi/workos/user_organization_membership.rbi CHANGED Viewed

@@ -75,6 +75,12 @@ module WorkOS
     sig { params(value: WorkOS::SlimRole).returns(WorkOS::SlimRole) }
     def role=(value); end
+    sig { returns(WorkOS::User) }
+    def user; end
+    sig { params(value: WorkOS::User).returns(WorkOS::User) }
+    def user=(value); end
     sig { returns(T::Hash[Symbol, T.untyped]) }
     def to_h; end

data/rbi/workos/user_organization_membership_base_list_data.rbi CHANGED Viewed

@@ -69,6 +69,12 @@ module WorkOS
     sig { params(value: String).returns(String) }
     def updated_at=(value); end
+    sig { returns(WorkOS::User) }
+    def user; end
+    sig { params(value: WorkOS::User).returns(WorkOS::User) }
+    def user=(value); end
     sig { returns(T::Hash[Symbol, T.untyped]) }
     def to_h; end

data/rbi/workos/{role_assignment.rbi → user_role_assignment.rbi} RENAMED Viewed

@@ -5,7 +5,7 @@
 # typed: strong
 module WorkOS
-  class RoleAssignment
+  class UserRoleAssignment
     sig { params(json: T.any(String, T::Hash[Symbol, T.untyped])).void }
     def initialize(json); end
@@ -21,16 +21,22 @@ module WorkOS
     sig { params(value: String).returns(String) }
     def id=(value); end
+    sig { returns(String) }
+    def organization_membership_id; end
+    sig { params(value: String).returns(String) }
+    def organization_membership_id=(value); end
     sig { returns(WorkOS::SlimRole) }
     def role; end
     sig { params(value: WorkOS::SlimRole).returns(WorkOS::SlimRole) }
     def role=(value); end
-    sig { returns(WorkOS::RoleAssignmentResource) }
+    sig { returns(WorkOS::UserRoleAssignmentResource) }
     def resource; end
-    sig { params(value: WorkOS::RoleAssignmentResource).returns(WorkOS::RoleAssignmentResource) }
+    sig { params(value: WorkOS::UserRoleAssignmentResource).returns(WorkOS::UserRoleAssignmentResource) }
     def resource=(value); end
     sig { returns(String) }

data/rbi/workos/{role_assignment_resource.rbi → user_role_assignment_resource.rbi} RENAMED Viewed

@@ -5,7 +5,7 @@
 # typed: strong
 module WorkOS
-  class RoleAssignmentResource
+  class UserRoleAssignmentResource
     sig { params(json: T.any(String, T::Hash[Symbol, T.untyped])).void }
     def initialize(json); end

data/rbi/workos/vault_byok_key_deleted.rbi ADDED Viewed

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+# This file is auto-generated by oagen. Do not edit.
+# typed: strong
+module WorkOS
+  class VaultByokKeyDeleted
+    sig { params(json: T.any(String, T::Hash[Symbol, T.untyped])).void }
+    def initialize(json); end
+    sig { returns(String) }
+    def id; end
+    sig { params(value: String).returns(String) }
+    def id=(value); end
+    sig { returns(String) }
+    def event; end
+    sig { params(value: String).returns(String) }
+    def event=(value); end
+    sig { returns(WorkOS::VaultByokKeyDeletedData) }
+    def data; end
+    sig { params(value: WorkOS::VaultByokKeyDeletedData).returns(WorkOS::VaultByokKeyDeletedData) }
+    def data=(value); end
+    sig { returns(String) }
+    def created_at; end
+    sig { params(value: String).returns(String) }
+    def created_at=(value); end
+    sig { returns(T.nilable(WorkOS::EventContext)) }
+    def context; end
+    sig { params(value: T.nilable(WorkOS::EventContext)).returns(T.nilable(WorkOS::EventContext)) }
+    def context=(value); end
+    sig { returns(String) }
+    def object; end
+    sig { params(value: String).returns(String) }
+    def object=(value); end
+    sig { returns(T::Hash[Symbol, T.untyped]) }
+    def to_h; end
+    sig { params(args: T.untyped).returns(String) }
+    def to_json(*args); end
+  end
+end

data/rbi/workos/vault_byok_key_deleted_data.rbi ADDED Viewed

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+# This file is auto-generated by oagen. Do not edit.
+# typed: strong
+module WorkOS
+  class VaultByokKeyDeletedData
+    sig { params(json: T.any(String, T::Hash[Symbol, T.untyped])).void }
+    def initialize(json); end
+    sig { returns(String) }
+    def organization_id; end
+    sig { params(value: String).returns(String) }
+    def organization_id=(value); end
+    sig { returns(String) }
+    def key_provider; end
+    sig { params(value: String).returns(String) }
+    def key_provider=(value); end
+    sig { returns(T::Hash[Symbol, T.untyped]) }
+    def to_h; end
+    sig { params(args: T.untyped).returns(String) }
+    def to_json(*args); end
+  end
+end

data/script/docs ADDED Viewed

@@ -0,0 +1,16 @@
+#!/bin/sh
+set -eu
+cd "$(dirname "$0")/.."
+bundle config set --local with 'docs'
+bundle install
+rm -rf docs/_site
+# 1. Generate HTML docs (default YARD format).
+bundle exec yard doc
+# 2. Generate Markdown docs alongside the HTML, using the yard-markdown plugin.
+#    We point output at the same docs/_site directory so .md files land next to .html.
+#    --no-cache forces a re-parse so the markdown formatter sees fresh registry data.
+#    --plugin yard-markdown ensures the plugin is loaded without relying on ~/.yard/config.
+bundle exec yard doc --plugin yard-markdown --format markdown --no-cache --output-dir docs/_site
+# 3. Generate llms.txt (index) from the markdown output, so the published site
+#    is consumable by LLM tooling.
+bundle exec ./script/llms-txt

data/script/docs-serve ADDED Viewed

@@ -0,0 +1,12 @@
+#!/bin/sh
+set -eu
+cd "$(dirname "$0")/.."
+bundle config set --local with 'docs'
+bundle install --quiet
+if [ "${1:-}" = "--static" ]; then
+  if [ ! -d docs/_site ]; then
+    ./script/docs
+  fi
+  exec bundle exec ruby -run -e httpd -- docs/_site -p 4000
+fi
+exec bundle exec yard server --reload --port 4000

data/script/llms-txt ADDED Viewed

@@ -0,0 +1,37 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+# Generates llms.txt (curated index) from the Markdown docs produced by
+# `yard --format markdown` in docs/_site. See https://llmstxt.org for the format.
+require "pathname"
+ROOT = Pathname.new(__dir__).join("..").expand_path
+SITE = ROOT.join("docs/_site")
+require ROOT.join("lib/workos/version").to_s
+abort "docs/_site is missing — run script/docs first" unless SITE.directory?
+md_files = Pathname.glob(SITE.join("**/*.md")).sort_by { |p| p.relative_path_from(SITE).to_s }
+title_for = lambda do |path|
+  first_heading = path.each_line.lazy.map(&:strip).find { |l| l.start_with?("# ") }
+  first_heading ? first_heading.sub(/^#\s+/, "").sub(/\s*<a id=.*?<\/a>\s*$/, "").strip : path.basename(".md").to_s
+end
+index_lines = []
+index_lines << "# WorkOS Ruby SDK v#{WorkOS::VERSION}"
+index_lines << ""
+index_lines << "> API client for WorkOS. This file indexes the auto-generated YARD documentation for the `workos` gem so language models can locate per-class references."
+index_lines << ""
+index_lines << "## API Reference"
+index_lines << ""
+md_files.each do |path|
+  rel = path.relative_path_from(SITE).to_s
+  index_lines << "- [#{title_for.call(path)}](#{rel})"
+end
+index_lines << ""
+SITE.join("llms.txt").write(index_lines.join("\n"))
+puts "Wrote #{SITE.join("llms.txt")} (#{md_files.size} entries)"

data/test/workos/test_actions.rb CHANGED Viewed

@@ -49,6 +49,15 @@ class ActionsTest < Minitest::Test
     end
   end
+  def test_verify_header_raises_on_future_timestamp
+    payload = '{"x":1}'
+    future_ts = now_ms + 60_000 # 60s ahead, beyond default 30s tolerance
+    sig = OpenSSL::HMAC.hexdigest("SHA256", SECRET, "#{future_ts}.#{payload}")
+    assert_raises(WorkOS::SignatureVerificationError) do
+      @actions.verify_header(payload: payload, sig_header: "t=#{future_ts}, v1=#{sig}", secret: SECRET)
+    end
+  end
   def test_sign_response_authentication_allow
     resp = @actions.sign_response(action_type: "authentication", verdict: "Allow", secret: SECRET)
     assert_equal "authentication_action_response", resp["object"]

data/test/workos/test_api_keys.rb CHANGED Viewed

@@ -11,20 +11,6 @@ class ApiKeysTest < Minitest::Test
     @client = WorkOS::Client.new(api_key: "sk_test_123")
   end
-  def test_create_validation_returns_expected_result
-    stub_request(:post, %r{\Ahttps://api\.workos\.com/api_keys/validations(\?|\z)})
-      .to_return(body: "{}", status: 200)
-    result = @client.api_keys.create_validation(value: "stub")
-    refute_nil result
-  end
-  def test_delete_api_key_returns_expected_result
-    stub_request(:delete, %r{\Ahttps://api\.workos\.com/api_keys/stub(\?|\z)})
-      .to_return(body: "{}", status: 200)
-    result = @client.api_keys.delete_api_key(id: "stub")
-    assert_nil result
-  end
   def test_list_organization_api_keys_returns_expected_result
     stub_request(:get, %r{\Ahttps://api\.workos\.com/organizations/stub/api_keys(\?|\z)})
       .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
@@ -39,12 +25,26 @@ class ApiKeysTest < Minitest::Test
     refute_nil result
   end
+  def test_create_validation_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/api_keys/validations(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.api_keys.create_validation(value: "stub")
+    refute_nil result
+  end
+  def test_delete_api_key_returns_expected_result
+    stub_request(:delete, %r{\Ahttps://api\.workos\.com/api_keys/stub(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.api_keys.delete_api_key(id: "stub")
+    assert_nil result
+  end
   # Parameterized authentication error tests (one per endpoint).
   [
-    {name: :create_validation, verb: :post, url: %r{\Ahttps://api\.workos\.com/api_keys/validations(\?|\z)}, args: {value: "stub"}},
-    {name: :delete_api_key, verb: :delete, url: %r{\Ahttps://api\.workos\.com/api_keys/stub(\?|\z)}, args: {id: "stub"}},
     {name: :list_organization_api_keys, verb: :get, url: %r{\Ahttps://api\.workos\.com/organizations/stub/api_keys(\?|\z)}, args: {organization_id: "stub"}},
-    {name: :create_organization_api_key, verb: :post, url: %r{\Ahttps://api\.workos\.com/organizations/stub/api_keys(\?|\z)}, args: {organization_id: "stub", name: "stub"}}
+    {name: :create_organization_api_key, verb: :post, url: %r{\Ahttps://api\.workos\.com/organizations/stub/api_keys(\?|\z)}, args: {organization_id: "stub", name: "stub"}},
+    {name: :create_validation, verb: :post, url: %r{\Ahttps://api\.workos\.com/api_keys/validations(\?|\z)}, args: {value: "stub"}},
+    {name: :delete_api_key, verb: :delete, url: %r{\Ahttps://api\.workos\.com/api_keys/stub(\?|\z)}, args: {id: "stub"}}
   ].each do |spec|
     define_method("test_#{spec[:name]}_raises_authentication_error_on_401") do
       stub_request(spec[:verb], spec[:url])

data/test/workos/test_authorization.rb CHANGED Viewed

@@ -192,6 +192,13 @@ class AuthorizationTest < Minitest::Test
     assert_kind_of WorkOS::Types::ListStruct, result
   end
+  def test_list_role_assignments_for_resource_by_external_id_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub/role_assignments(\?|\z)})
+      .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
+    result = @client.authorization.list_role_assignments_for_resource_by_external_id(organization_id: "stub", resource_type_slug: "stub", external_id: "stub")
+    assert_kind_of WorkOS::Types::ListStruct, result
+  end
   def test_list_resources_returns_expected_result
     stub_request(:get, %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)})
       .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
@@ -259,6 +266,13 @@ class AuthorizationTest < Minitest::Test
     assert_kind_of WorkOS::Types::ListStruct, result
   end
+  def test_list_role_assignments_for_resource_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/authorization/resources/stub/role_assignments(\?|\z)})
+      .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
+    result = @client.authorization.list_role_assignments_for_resource(resource_id: "stub")
+    assert_kind_of WorkOS::Types::ListStruct, result
+  end
   def test_list_environment_roles_returns_expected_result
     stub_request(:get, %r{\Ahttps://api\.workos\.com/authorization/roles(\?|\z)})
       .to_return(body: "{}", status: 200)
@@ -358,12 +372,14 @@ class AuthorizationTest < Minitest::Test
     {name: :update_resource_by_external_id, verb: :patch, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub(\?|\z)}, args: {organization_id: "stub", resource_type_slug: "stub", external_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub")}},
     {name: :delete_resource_by_external_id, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub(\?|\z)}, args: {organization_id: "stub", resource_type_slug: "stub", external_id: "stub"}},
     {name: :list_memberships_for_resource_by_external_id, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub/organization_memberships(\?|\z)}, args: {organization_id: "stub", resource_type_slug: "stub", external_id: "stub", permission_slug: "stub"}},
+    {name: :list_role_assignments_for_resource_by_external_id, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organizations/stub/resources/stub/stub/role_assignments(\?|\z)}, args: {organization_id: "stub", resource_type_slug: "stub", external_id: "stub"}},
     {name: :list_resources, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)}, args: {parent: WorkOS::Authorization::ParentById.new(parent_resource_id: "stub")}},
     {name: :create_resource, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/resources(\?|\z)}, args: {external_id: "stub", name: "stub", resource_type_slug: "stub", organization_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub")}},
     {name: :get_resource, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/resources/stub(\?|\z)}, args: {resource_id: "stub"}},
     {name: :update_resource, verb: :patch, url: %r{\Ahttps://api\.workos\.com/authorization/resources/stub(\?|\z)}, args: {resource_id: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub")}},
     {name: :delete_resource, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/resources/stub(\?|\z)}, args: {resource_id: "stub"}},
     {name: :list_memberships_for_resource, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/resources/stub/organization_memberships(\?|\z)}, args: {resource_id: "stub", permission_slug: "stub"}},
+    {name: :list_role_assignments_for_resource, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/resources/stub/role_assignments(\?|\z)}, args: {resource_id: "stub"}},
     {name: :list_environment_roles, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/roles(\?|\z)}},
     {name: :create_environment_role, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/roles(\?|\z)}, args: {slug: "stub", name: "stub"}},
     {name: :get_environment_role, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/roles/stub(\?|\z)}, args: {slug: "stub"}},

data/test/workos/test_base_client.rb CHANGED Viewed

@@ -170,4 +170,48 @@ class BaseClientTest < Minitest::Test
     assert evict.finished
     refute keep.finished
   end
+  def test_redact_path_strips_invitation_token_segment
+    redacted = @client.send(:redact_path, "/user_management/invitations/by_token/invtoken_secret123")
+    assert_equal "/user_management/invitations/by_token/[REDACTED]", redacted
+  end
+  def test_redact_path_strips_magic_auth_token_segment
+    redacted = @client.send(:redact_path, "/user_management/magic_auth/magic_secret/extra")
+    assert_equal "/user_management/magic_auth/[REDACTED]/[REDACTED]", redacted
+  end
+  def test_redact_path_preserves_non_token_paths
+    assert_equal "/organizations/org_123", @client.send(:redact_path, "/organizations/org_123")
+  end
+  def test_redact_path_preserves_query_string
+    redacted = @client.send(:redact_path, "/user_management/invitations/by_token/secret?foo=bar")
+    assert_equal "/user_management/invitations/by_token/[REDACTED]?foo=bar", redacted
+  end
+  def test_redact_path_handles_nil_and_empty
+    assert_nil @client.send(:redact_path, nil)
+    assert_equal "", @client.send(:redact_path, "")
+  end
+  def test_redact_path_scrubs_sensitive_query_params
+    redacted = @client.send(:redact_path, "/user_management/sessions/logout?session_id=ses_abc123&return_to=https://app.example.com")
+    assert_equal "/user_management/sessions/logout?session_id=[REDACTED]&return_to=https://app.example.com", redacted
+  end
+  def test_redact_path_scrubs_authorize_code_query_param
+    redacted = @client.send(:redact_path, "/user_management/authorize?client_id=client_1&code=auth_code_secret&state=xyz")
+    assert_equal "/user_management/authorize?client_id=client_1&code=[REDACTED]&state=xyz", redacted
+  end
+  def test_redact_path_leaves_non_sensitive_query_params_untouched
+    redacted = @client.send(:redact_path, "/user_management/users?limit=10&order=desc")
+    assert_equal "/user_management/users?limit=10&order=desc", redacted
+  end
+  def test_redact_path_scrubs_query_alongside_path_segment_redaction
+    redacted = @client.send(:redact_path, "/user_management/magic_auth/magic_secret?token=qs_token")
+    assert_equal "/user_management/magic_auth/[REDACTED]?token=[REDACTED]", redacted
+  end
 end

data/test/workos/test_encryptors_aes_gcm.rb CHANGED Viewed

@@ -28,11 +28,26 @@ class EncryptorsAesGcmTest < Minitest::Test
   def test_unseal_with_wrong_key_raises
     sealed = @enc.seal({"x" => 1}, PASSWORD)
+    # Wrong key is the same length (>= 32 bytes) so the length guard doesn't
+    # short-circuit; we want to assert the underlying cipher rejection.
     assert_raises(OpenSSL::Cipher::CipherError) do
-      @enc.unseal(sealed, "wrong-password")
+      @enc.unseal(sealed, "wrong-cookie-password-32-bytes--")
     end
   end
+  def test_unseal_rejects_short_key
+    sealed = @enc.seal({"x" => 1}, PASSWORD)
+    assert_raises(ArgumentError) do
+      @enc.unseal(sealed, "too-short")
+    end
+  end
+  def test_seal_rejects_short_key
+    assert_raises(ArgumentError) { @enc.seal({"x" => 1}, "too-short") }
+    assert_raises(ArgumentError) { @enc.seal({"x" => 1}, nil) }
+    assert_raises(ArgumentError) { @enc.seal({"x" => 1}, "") }
+  end
   def test_unseal_rejects_short_payload
     assert_raises(ArgumentError) do
       @enc.unseal(Base64.strict_encode64("short"), PASSWORD)