workos 7.1.2 → 8.0.1

data/test/workos/test_model_round_trip.rb

@@ -709,6 +709,20 @@ class ModelRoundTripTest < Minitest::Test
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
   end
 
+  def test_create_user_api_key_round_trip
+    fixture = {
+      "name" => "stub",
+      "organization_id" => "stub",
+      "permissions" => []
+    }
+    model = WorkOS::CreateUserApiKey.new(fixture.to_json)
+    json = model.to_h
+    assert_kind_of Hash, json
+    assert_equal fixture["name"], json[:name]
+    assert_equal fixture["organization_id"], json[:organization_id]
+    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
+  end
+
   def test_create_user_round_trip
     fixture = {
       "email" => "stub",
@@ -1183,19 +1197,21 @@ class ModelRoundTripTest < Minitest::Test
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
   end
 
-  def test_role_assignment_round_trip
+  def test_user_role_assignment_round_trip
     fixture = {
       "object" => "role_assignment",
       "id" => "stub",
+      "organization_membership_id" => "stub",
       "role" => {},
       "resource" => {},
       "created_at" => "stub",
       "updated_at" => "stub"
     }
-    model = WorkOS::RoleAssignment.new(fixture.to_json)
+    model = WorkOS::UserRoleAssignment.new(fixture.to_json)
     json = model.to_h
     assert_kind_of Hash, json
     assert_equal fixture["id"], json[:id]
+    assert_equal fixture["organization_membership_id"], json[:organization_membership_id]
     assert_equal fixture["created_at"], json[:created_at]
     assert_equal fixture["updated_at"], json[:updated_at]
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
@@ -1238,6 +1254,38 @@ class ModelRoundTripTest < Minitest::Test
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
   end
 
+  def test_user_round_trip
+    fixture = {
+      "object" => "user",
+      "id" => "stub",
+      "first_name" => nil,
+      "last_name" => nil,
+      "profile_picture_url" => nil,
+      "email" => "stub",
+      "email_verified" => true,
+      "external_id" => nil,
+      "metadata" => {},
+      "last_sign_in_at" => nil,
+      "locale" => nil,
+      "created_at" => "stub",
+      "updated_at" => "stub"
+    }
+    model = WorkOS::User.new(fixture.to_json)
+    json = model.to_h
+    assert_kind_of Hash, json
+    assert_equal fixture["id"], json[:id]
+    assert_nil json[:first_name]
+    assert_nil json[:last_name]
+    assert_nil json[:profile_picture_url]
+    assert_equal fixture["email"], json[:email]
+    assert_equal fixture["email_verified"], json[:email_verified]
+    assert_nil json[:external_id]
+    assert_nil json[:last_sign_in_at]
+    assert_equal fixture["created_at"], json[:created_at]
+    assert_equal fixture["updated_at"], json[:updated_at]
+    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
+  end
+
   def test_connection_round_trip
     fixture = {
       "object" => "connection",
@@ -1341,6 +1389,7 @@ class ModelRoundTripTest < Minitest::Test
       "email" => nil,
       "first_name" => nil,
       "last_name" => nil,
+      "name" => nil,
       "emails" => [],
       "job_title" => nil,
       "username" => nil,
@@ -1427,6 +1476,7 @@ class ModelRoundTripTest < Minitest::Test
       "email" => nil,
       "first_name" => nil,
       "last_name" => nil,
+      "name" => nil,
       "emails" => [],
       "job_title" => nil,
       "username" => nil,
@@ -1451,38 +1501,6 @@ class ModelRoundTripTest < Minitest::Test
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
   end
 
-  def test_user_round_trip
-    fixture = {
-      "object" => "user",
-      "id" => "stub",
-      "first_name" => nil,
-      "last_name" => nil,
-      "profile_picture_url" => nil,
-      "email" => "stub",
-      "email_verified" => true,
-      "external_id" => nil,
-      "metadata" => {},
-      "last_sign_in_at" => nil,
-      "locale" => nil,
-      "created_at" => "stub",
-      "updated_at" => "stub"
-    }
-    model = WorkOS::User.new(fixture.to_json)
-    json = model.to_h
-    assert_kind_of Hash, json
-    assert_equal fixture["id"], json[:id]
-    assert_nil json[:first_name]
-    assert_nil json[:last_name]
-    assert_nil json[:profile_picture_url]
-    assert_equal fixture["email"], json[:email]
-    assert_equal fixture["email_verified"], json[:email_verified]
-    assert_nil json[:external_id]
-    assert_nil json[:last_sign_in_at]
-    assert_equal fixture["created_at"], json[:created_at]
-    assert_equal fixture["updated_at"], json[:updated_at]
-    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
-  end
-
   def test_waitlist_user_round_trip
     fixture = {
       "object" => "waitlist_user",
@@ -1657,6 +1675,20 @@ class ModelRoundTripTest < Minitest::Test
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
   end
 
+  def test_user_api_key_created_data_owner_round_trip
+    fixture = {
+      "type" => "user",
+      "id" => "stub",
+      "organization_id" => "stub"
+    }
+    model = WorkOS::UserApiKeyCreatedDataOwner.new(fixture.to_json)
+    json = model.to_h
+    assert_kind_of Hash, json
+    assert_equal fixture["id"], json[:id]
+    assert_equal fixture["organization_id"], json[:organization_id]
+    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
+  end
+
   def test_api_key_revoked_round_trip
     fixture = {
       "id" => "stub",
@@ -1710,6 +1742,20 @@ class ModelRoundTripTest < Minitest::Test
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
   end
 
+  def test_user_api_key_revoked_data_owner_round_trip
+    fixture = {
+      "type" => "user",
+      "id" => "stub",
+      "organization_id" => "stub"
+    }
+    model = WorkOS::UserApiKeyRevokedDataOwner.new(fixture.to_json)
+    json = model.to_h
+    assert_kind_of Hash, json
+    assert_equal fixture["id"], json[:id]
+    assert_equal fixture["organization_id"], json[:organization_id]
+    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
+  end
+
   def test_authentication_email_verification_failed_round_trip
     fixture = {
       "id" => "stub",
@@ -3109,6 +3155,7 @@ class ModelRoundTripTest < Minitest::Test
       "email" => nil,
       "first_name" => nil,
       "last_name" => nil,
+      "name" => nil,
       "emails" => [],
       "job_title" => nil,
       "username" => nil,
@@ -5161,6 +5208,35 @@ class ModelRoundTripTest < Minitest::Test
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
   end
 
+  def test_vault_byok_key_deleted_round_trip
+    fixture = {
+      "id" => "stub",
+      "event" => "vault.byok_key.deleted",
+      "data" => {},
+      "created_at" => "stub",
+      "context" => {},
+      "object" => "event"
+    }
+    model = WorkOS::VaultByokKeyDeleted.new(fixture.to_json)
+    json = model.to_h
+    assert_kind_of Hash, json
+    assert_equal fixture["id"], json[:id]
+    assert_equal fixture["created_at"], json[:created_at]
+    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
+  end
+
+  def test_vault_byok_key_deleted_data_round_trip
+    fixture = {
+      "organization_id" => "stub",
+      "key_provider" => "stub"
+    }
+    model = WorkOS::VaultByokKeyDeletedData.new(fixture.to_json)
+    json = model.to_h
+    assert_kind_of Hash, json
+    assert_equal fixture["organization_id"], json[:organization_id]
+    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
+  end
+
   def test_vault_byok_key_verification_completed_round_trip
     fixture = {
       "id" => "stub",
@@ -5548,22 +5624,6 @@ class ModelRoundTripTest < Minitest::Test
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
   end
 
-  def test_jwt_template_response_round_trip
-    fixture = {
-      "object" => "jwt_template",
-      "content" => "stub",
-      "created_at" => "stub",
-      "updated_at" => "stub"
-    }
-    model = WorkOS::JWTTemplateResponse.new(fixture.to_json)
-    json = model.to_h
-    assert_kind_of Hash, json
-    assert_equal fixture["content"], json[:content]
-    assert_equal fixture["created_at"], json[:created_at]
-    assert_equal fixture["updated_at"], json[:updated_at]
-    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
-  end
-
   def test_organization_domain_stand_alone_round_trip
     fixture = {
       "object" => "organization_domain",
@@ -5616,7 +5676,31 @@ class ModelRoundTripTest < Minitest::Test
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
   end
 
-  def test_api_key_with_value_round_trip
+  def test_organization_api_key_round_trip
+    fixture = {
+      "object" => "api_key",
+      "id" => "stub",
+      "owner" => {},
+      "name" => "stub",
+      "obfuscated_value" => "stub",
+      "last_used_at" => nil,
+      "permissions" => [],
+      "created_at" => "stub",
+      "updated_at" => "stub"
+    }
+    model = WorkOS::OrganizationApiKey.new(fixture.to_json)
+    json = model.to_h
+    assert_kind_of Hash, json
+    assert_equal fixture["id"], json[:id]
+    assert_equal fixture["name"], json[:name]
+    assert_equal fixture["obfuscated_value"], json[:obfuscated_value]
+    assert_nil json[:last_used_at]
+    assert_equal fixture["created_at"], json[:created_at]
+    assert_equal fixture["updated_at"], json[:updated_at]
+    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
+  end
+
+  def test_organization_api_key_with_value_round_trip
     fixture = {
       "object" => "api_key",
       "id" => "stub",
@@ -5629,7 +5713,7 @@ class ModelRoundTripTest < Minitest::Test
       "updated_at" => "stub",
       "value" => "stub"
     }
-    model = WorkOS::ApiKeyWithValue.new(fixture.to_json)
+    model = WorkOS::OrganizationApiKeyWithValue.new(fixture.to_json)
     json = model.to_h
     assert_kind_of Hash, json
     assert_equal fixture["id"], json[:id]
@@ -5879,7 +5963,8 @@ class ModelRoundTripTest < Minitest::Test
       "custom_attributes" => {},
       "created_at" => "stub",
       "updated_at" => "stub",
-      "role" => {}
+      "role" => {},
+      "user" => {}
     }
     model = WorkOS::UserOrganizationMembership.new(fixture.to_json)
     json = model.to_h
@@ -5893,6 +5978,56 @@ class ModelRoundTripTest < Minitest::Test
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
   end
 
+  def test_user_api_key_round_trip
+    fixture = {
+      "object" => "api_key",
+      "id" => "stub",
+      "owner" => {},
+      "name" => "stub",
+      "obfuscated_value" => "stub",
+      "last_used_at" => nil,
+      "permissions" => [],
+      "created_at" => "stub",
+      "updated_at" => "stub"
+    }
+    model = WorkOS::UserApiKey.new(fixture.to_json)
+    json = model.to_h
+    assert_kind_of Hash, json
+    assert_equal fixture["id"], json[:id]
+    assert_equal fixture["name"], json[:name]
+    assert_equal fixture["obfuscated_value"], json[:obfuscated_value]
+    assert_nil json[:last_used_at]
+    assert_equal fixture["created_at"], json[:created_at]
+    assert_equal fixture["updated_at"], json[:updated_at]
+    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
+  end
+
+  def test_user_api_key_with_value_round_trip
+    fixture = {
+      "object" => "api_key",
+      "id" => "stub",
+      "owner" => {},
+      "name" => "stub",
+      "obfuscated_value" => "stub",
+      "last_used_at" => nil,
+      "permissions" => [],
+      "created_at" => "stub",
+      "updated_at" => "stub",
+      "value" => "stub"
+    }
+    model = WorkOS::UserApiKeyWithValue.new(fixture.to_json)
+    json = model.to_h
+    assert_kind_of Hash, json
+    assert_equal fixture["id"], json[:id]
+    assert_equal fixture["name"], json[:name]
+    assert_equal fixture["obfuscated_value"], json[:obfuscated_value]
+    assert_nil json[:last_used_at]
+    assert_equal fixture["created_at"], json[:created_at]
+    assert_equal fixture["updated_at"], json[:updated_at]
+    assert_equal fixture["value"], json[:value]
+    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
+  end
+
   def test_email_verification_round_trip
     fixture = {
       "object" => "email_verification",
@@ -6081,6 +6216,7 @@ class ModelRoundTripTest < Minitest::Test
       "email" => "stub",
       "first_name" => nil,
       "last_name" => nil,
+      "name" => nil,
       "role" => nil,
       "roles" => nil,
       "groups" => [],
@@ -6097,6 +6233,7 @@ class ModelRoundTripTest < Minitest::Test
     assert_equal fixture["email"], json[:email]
     assert_nil json[:first_name]
     assert_nil json[:last_name]
+    assert_nil json[:name]
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
   end
 
@@ -6139,6 +6276,22 @@ class ModelRoundTripTest < Minitest::Test
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
   end
 
+  def test_jwt_template_response_round_trip
+    fixture = {
+      "object" => "jwt_template",
+      "content" => "stub",
+      "created_at" => "stub",
+      "updated_at" => "stub"
+    }
+    model = WorkOS::JWTTemplateResponse.new(fixture.to_json)
+    json = model.to_h
+    assert_kind_of Hash, json
+    assert_equal fixture["content"], json[:content]
+    assert_equal fixture["created_at"], json[:created_at]
+    assert_equal fixture["updated_at"], json[:updated_at]
+    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
+  end
+
   def test_jwks_response_keys_round_trip
     fixture = {
       "alg" => "RS256",
@@ -6209,6 +6362,34 @@ class ModelRoundTripTest < Minitest::Test
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
   end
 
+  def test_user_api_key_with_value_owner_round_trip
+    fixture = {
+      "type" => "user",
+      "id" => "stub",
+      "organization_id" => "stub"
+    }
+    model = WorkOS::UserApiKeyWithValueOwner.new(fixture.to_json)
+    json = model.to_h
+    assert_kind_of Hash, json
+    assert_equal fixture["id"], json[:id]
+    assert_equal fixture["organization_id"], json[:organization_id]
+    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
+  end
+
+  def test_user_api_key_owner_round_trip
+    fixture = {
+      "type" => "user",
+      "id" => "stub",
+      "organization_id" => "stub"
+    }
+    model = WorkOS::UserApiKeyOwner.new(fixture.to_json)
+    json = model.to_h
+    assert_kind_of Hash, json
+    assert_equal fixture["id"], json[:id]
+    assert_equal fixture["organization_id"], json[:organization_id]
+    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
+  end
+
   def test_data_integrations_list_response_data_round_trip
     fixture = {
       "object" => "data_provider",
@@ -6295,12 +6476,24 @@ class ModelRoundTripTest < Minitest::Test
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
   end
 
-  def test_api_key_with_value_owner_round_trip
+  def test_organization_api_key_with_value_owner_round_trip
     fixture = {
       "type" => "organization",
       "id" => "stub"
     }
-    model = WorkOS::ApiKeyWithValueOwner.new(fixture.to_json)
+    model = WorkOS::OrganizationApiKeyWithValueOwner.new(fixture.to_json)
+    json = model.to_h
+    assert_kind_of Hash, json
+    assert_equal fixture["id"], json[:id]
+    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
+  end
+
+  def test_organization_api_key_owner_round_trip
+    fixture = {
+      "type" => "organization",
+      "id" => "stub"
+    }
+    model = WorkOS::OrganizationApiKeyOwner.new(fixture.to_json)
     json = model.to_h
     assert_kind_of Hash, json
     assert_equal fixture["id"], json[:id]
@@ -6358,6 +6551,32 @@ class ModelRoundTripTest < Minitest::Test
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
   end
 
+  def test_user_organization_membership_base_list_data_round_trip
+    fixture = {
+      "object" => "organization_membership",
+      "id" => "stub",
+      "user_id" => "stub",
+      "organization_id" => "stub",
+      "status" => "stub",
+      "directory_managed" => true,
+      "organization_name" => "stub",
+      "custom_attributes" => {},
+      "created_at" => "stub",
+      "updated_at" => "stub",
+      "user" => {}
+    }
+    model = WorkOS::UserOrganizationMembershipBaseListData.new(fixture.to_json)
+    json = model.to_h
+    assert_kind_of Hash, json
+    assert_equal fixture["id"], json[:id]
+    assert_equal fixture["user_id"], json[:user_id]
+    assert_equal fixture["organization_id"], json[:organization_id]
+    assert_equal fixture["directory_managed"], json[:directory_managed]
+    assert_equal fixture["created_at"], json[:created_at]
+    assert_equal fixture["updated_at"], json[:updated_at]
+    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
+  end
+
   def test_directory_user_with_groups_email_round_trip
     fixture = {
       "primary" => true,
@@ -6407,38 +6626,13 @@ class ModelRoundTripTest < Minitest::Test
     fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
   end
 
-  def test_user_organization_membership_base_list_data_round_trip
-    fixture = {
-      "object" => "organization_membership",
-      "id" => "stub",
-      "user_id" => "stub",
-      "organization_id" => "stub",
-      "status" => "stub",
-      "directory_managed" => true,
-      "organization_name" => "stub",
-      "custom_attributes" => {},
-      "created_at" => "stub",
-      "updated_at" => "stub"
-    }
-    model = WorkOS::UserOrganizationMembershipBaseListData.new(fixture.to_json)
-    json = model.to_h
-    assert_kind_of Hash, json
-    assert_equal fixture["id"], json[:id]
-    assert_equal fixture["user_id"], json[:user_id]
-    assert_equal fixture["organization_id"], json[:organization_id]
-    assert_equal fixture["directory_managed"], json[:directory_managed]
-    assert_equal fixture["created_at"], json[:created_at]
-    assert_equal fixture["updated_at"], json[:updated_at]
-    fixture.each_key { |k| assert json.key?(k.to_sym) || json.key?(k), "Expected to_h to include key #{k}" }
-  end
-
-  def test_role_assignment_resource_round_trip
+  def test_user_role_assignment_resource_round_trip
     fixture = {
       "id" => "stub",
       "external_id" => "stub",
       "resource_type_slug" => "stub"
     }
-    model = WorkOS::RoleAssignmentResource.new(fixture.to_json)
+    model = WorkOS::UserRoleAssignmentResource.new(fixture.to_json)
     json = model.to_h
     assert_kind_of Hash, json
     assert_equal fixture["id"], json[:id]
@@ -6990,7 +7184,8 @@ class ModelRoundTripTest < Minitest::Test
       "custom_attributes" => {},
       "created_at" => "stub",
       "updated_at" => "stub",
-      "role" => {}
+      "role" => {},
+      "user" => {}
     }
     model = WorkOS::OrganizationMembership.new(fixture.to_json)
     json = model.to_h

data/test/workos/test_session.rb

@@ -26,11 +26,27 @@ class SessionTest < Minitest::Test
 
   def test_unseal_with_wrong_key_raises
     sealed = @sm.seal_data({"x" => 1}, PASSWORD)
+    # Wrong key is the same length (>= 32 bytes) so the length guard doesn't
+    # short-circuit; we want to assert the underlying cipher rejection.
     assert_raises(OpenSSL::Cipher::CipherError) do
-      @sm.unseal_data(sealed, "wrong-password")
+      @sm.unseal_data(sealed, "wrong-cookie-password-32-bytes--")
     end
   end
 
+  def test_unseal_with_short_key_raises_argument_error
+    sealed = @sm.seal_data({"x" => 1}, PASSWORD)
+    assert_raises(ArgumentError) { @sm.unseal_data(sealed, "too-short") }
+  end
+
+  def test_seal_with_short_key_raises_argument_error
+    assert_raises(ArgumentError) { @sm.seal_data({"x" => 1}, "too-short") }
+  end
+
+  def test_session_load_requires_min_length_cookie_password
+    short = "x" * 31
+    assert_raises(ArgumentError) { @sm.load(seal_data: "x", cookie_password: short) }
+  end
+
   def test_unseal_rejects_short_payload
     assert_raises(ArgumentError) do
       @sm.unseal_data(Base64.strict_encode64("short"), PASSWORD)
@@ -334,6 +350,19 @@ class SessionTest < Minitest::Test
     assert_equal WorkOS::SessionManager::INVALID_SESSION_COOKIE, result.reason
   end
 
+  def test_refresh_raises_argument_error_for_short_cookie_password_override
+    sealed = @sm.seal_data({"access_token" => "at", "refresh_token" => "rt"}, PASSWORD)
+    session = @sm.load(seal_data: sealed, cookie_password: PASSWORD)
+    err = assert_raises(ArgumentError) { session.refresh(cookie_password: "x" * 31) }
+    assert_match(/at least 32 bytes/, err.message)
+  end
+
+  def test_refresh_raises_argument_error_for_empty_cookie_password_override
+    sealed = @sm.seal_data({"access_token" => "at", "refresh_token" => "rt"}, PASSWORD)
+    session = @sm.load(seal_data: sealed, cookie_password: PASSWORD)
+    assert_raises(ArgumentError) { session.refresh(cookie_password: "") }
+  end
+
   def test_refresh_returns_error_when_no_refresh_token
     sealed = @sm.seal_data({"access_token" => "at_only"}, PASSWORD)
     result = @sm.refresh(seal_data: sealed, cookie_password: PASSWORD)
@@ -361,7 +390,7 @@ class SessionTest < Minitest::Test
     assert_requested(stub)
   end
 
-  def test_refresh_returns_error_on_malformed_access_token_without_mutating_state
+  def test_refresh_persists_seal_data_even_when_access_token_decode_fails
     rsa, pub = signing_key_pair
     old_access = make_jwt({"sid" => "session_old", "exp" => Time.now.to_i - 60}, rsa)
     sealed = @sm.seal_data({"access_token" => old_access, "refresh_token" => "rt_old", "user" => {"id" => "u_1"}}, PASSWORD)
@@ -383,8 +412,18 @@ class SessionTest < Minitest::Test
     assert_kind_of WorkOS::SessionManager::RefreshError, result
     refute result.authenticated
 
-    # Session state should not have been mutated
-    assert_equal sealed, session.seal_data
+    # Session state IS updated to the freshly-sealed cookie before decode runs,
+    # so a transient JWT/JWKS failure leaves a usable seal the caller can
+    # re-#authenticate against rather than half-updated state pinned to the
+    # stale (already-rotated) refresh token.
+    refute_equal sealed, session.seal_data
+    refute_nil session.seal_data
+
+    # The rotated cookie is also reachable through the RefreshError result, so a
+    # caller that doesn't retain the Session object across requests (typical in
+    # a Rails request cycle) can still write the new cookie back to the browser
+    # rather than re-sending the now-revoked refresh token on the next request.
+    assert_equal session.seal_data, result.sealed_session
   end
 
   # --- Session constructor validation ---------------------------------------

data/test/workos/test_user_management.rb

@@ -345,6 +345,13 @@ class UserManagementTest < Minitest::Test
     refute_nil result
   end
 
+  def test_list_jwt_template_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/user_management/jwt_template(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.user_management.list_jwt_template
+    refute_nil result
+  end
+
   def test_update_jwt_template_returns_expected_result
     stub_request(:put, %r{\Ahttps://api\.workos\.com/user_management/jwt_template(\?|\z)})
       .to_return(body: "{}", status: 200)
@@ -454,6 +461,20 @@ class UserManagementTest < Minitest::Test
     assert_nil result
   end
 
+  def test_list_user_api_keys_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/user_management/users/stub/api_keys(\?|\z)})
+      .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
+    result = @client.user_management.list_user_api_keys(user_id: "stub")
+    assert_kind_of WorkOS::Types::ListStruct, result
+  end
+
+  def test_create_user_api_key_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/user_management/users/stub/api_keys(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.user_management.create_user_api_key(user_id: "stub", name: "stub", organization_id: "stub")
+    refute_nil result
+  end
+
   # Parameterized authentication error tests (one per endpoint).
   [
     {name: :get_jwks, verb: :get, url: %r{\Ahttps://api\.workos\.com/sso/jwks/stub(\?|\z)}, args: {client_id: "stub"}},
@@ -484,6 +505,7 @@ class UserManagementTest < Minitest::Test
     {name: :accept_invitation, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/invitations/stub/accept(\?|\z)}, args: {id: "stub"}},
     {name: :resend_invitation, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/invitations/stub/resend(\?|\z)}, args: {id: "stub"}},
     {name: :revoke_invitation, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/invitations/stub/revoke(\?|\z)}, args: {id: "stub"}},
+    {name: :list_jwt_template, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/jwt_template(\?|\z)}},
     {name: :update_jwt_template, verb: :put, url: %r{\Ahttps://api\.workos\.com/user_management/jwt_template(\?|\z)}, args: {content: "stub"}},
     {name: :create_magic_auth, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/magic_auth(\?|\z)}, args: {email: "stub"}},
     {name: :get_magic_auth, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/magic_auth/stub(\?|\z)}, args: {id: "stub"}},
@@ -496,7 +518,9 @@ class UserManagementTest < Minitest::Test
     {name: :reactivate_organization_membership, verb: :put, url: %r{\Ahttps://api\.workos\.com/user_management/organization_memberships/stub/reactivate(\?|\z)}, args: {id: "stub"}},
     {name: :create_redirect_uri, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/redirect_uris(\?|\z)}, args: {uri: "stub"}},
     {name: :list_user_authorized_applications, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/users/stub/authorized_applications(\?|\z)}, args: {user_id: "stub"}},
-    {name: :delete_user_authorized_application, verb: :delete, url: %r{\Ahttps://api\.workos\.com/user_management/users/stub/authorized_applications/stub(\?|\z)}, args: {application_id: "stub", user_id: "stub"}}
+    {name: :delete_user_authorized_application, verb: :delete, url: %r{\Ahttps://api\.workos\.com/user_management/users/stub/authorized_applications/stub(\?|\z)}, args: {application_id: "stub", user_id: "stub"}},
+    {name: :list_user_api_keys, verb: :get, url: %r{\Ahttps://api\.workos\.com/user_management/users/stub/api_keys(\?|\z)}, args: {user_id: "stub"}},
+    {name: :create_user_api_key, verb: :post, url: %r{\Ahttps://api\.workos\.com/user_management/users/stub/api_keys(\?|\z)}, args: {user_id: "stub", name: "stub", organization_id: "stub"}}
   ].each do |spec|
     define_method("test_#{spec[:name]}_raises_authentication_error_on_401") do
       stub_request(spec[:verb], spec[:url])