workos 9.0.0 → 9.2.0

data/rbi/workos/pipes_provider.rbi

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+# This file is auto-generated by oagen. Do not edit.
+
+# typed: strong
+
+module WorkOS
+  class PipesProvider
+    sig { params(client: WorkOS::BaseClient).void }
+    def initialize(client); end
+
+    sig do
+      params(
+        organization_id: String,
+        request_options: T::Hash[Symbol, T.untyped]
+      ).returns(WorkOS::DataIntegrationConfigurationListResponse)
+    end
+    def list_organization_data_integration_configurations(organization_id:, request_options:); end
+
+    sig do
+      params(
+        organization_id: String,
+        slug: String,
+        enabled: T.nilable(T::Boolean),
+        scopes: T.nilable(T::Array[String]),
+        client_id: T.nilable(String),
+        client_secret: T.nilable(String),
+        request_options: T::Hash[Symbol, T.untyped]
+      ).returns(WorkOS::DataIntegrationConfigurationResponse)
+    end
+    def update_organization_data_integration_configuration(organization_id:, slug:, enabled:, scopes:, client_id:, client_secret:, request_options:); end
+
+  end
+end

data/rbi/workos/refresh_token_session_authenticate_request.rbi

@@ -15,10 +15,10 @@ module WorkOS
     sig { params(value: String).returns(String) }
     def client_id=(value); end
 
-    sig { returns(String) }
+    sig { returns(T.nilable(String)) }
     def client_secret; end
 
-    sig { params(value: String).returns(String) }
+    sig { params(value: T.nilable(String)).returns(T.nilable(String)) }
     def client_secret=(value); end
 
     sig { returns(String) }

data/rbi/workos/replace_group_role_assignment_entry.rbi

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+# This file is auto-generated by oagen. Do not edit.
+
+# typed: strong
+
+module WorkOS
+  class ReplaceGroupRoleAssignmentEntry
+    sig { params(json: T.any(String, T::Hash[Symbol, T.untyped])).void }
+    def initialize(json); end
+
+    sig { returns(String) }
+    def role_slug; end
+
+    sig { params(value: String).returns(String) }
+    def role_slug=(value); end
+
+    sig { returns(T.nilable(String)) }
+    def resource_id; end
+
+    sig { params(value: T.nilable(String)).returns(T.nilable(String)) }
+    def resource_id=(value); end
+
+    sig { returns(T.nilable(String)) }
+    def resource_external_id; end
+
+    sig { params(value: T.nilable(String)).returns(T.nilable(String)) }
+    def resource_external_id=(value); end
+
+    sig { returns(T.nilable(String)) }
+    def resource_type_slug; end
+
+    sig { params(value: T.nilable(String)).returns(T.nilable(String)) }
+    def resource_type_slug=(value); end
+
+    sig { returns(T::Hash[Symbol, T.untyped]) }
+    def to_h; end
+
+    sig { params(args: T.untyped).returns(String) }
+    def to_json(*args); end
+  end
+end

data/rbi/workos/replace_group_role_assignments.rbi

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+# This file is auto-generated by oagen. Do not edit.
+
+# typed: strong
+
+module WorkOS
+  class ReplaceGroupRoleAssignments
+    sig { params(json: T.any(String, T::Hash[Symbol, T.untyped])).void }
+    def initialize(json); end
+
+    sig { returns(T::Array[WorkOS::ReplaceGroupRoleAssignmentEntry]) }
+    def role_assignments; end
+
+    sig { params(value: T::Array[WorkOS::ReplaceGroupRoleAssignmentEntry]).returns(T::Array[WorkOS::ReplaceGroupRoleAssignmentEntry]) }
+    def role_assignments=(value); end
+
+    sig { returns(T::Hash[Symbol, T.untyped]) }
+    def to_h; end
+
+    sig { params(args: T.untyped).returns(String) }
+    def to_json(*args); end
+  end
+end

data/rbi/workos/revoke_session.rbi

@@ -15,12 +15,6 @@ module WorkOS
     sig { params(value: String).returns(String) }
     def session_id=(value); end
 
-    sig { returns(T.nilable(String)) }
-    def return_to; end
-
-    sig { params(value: T.nilable(String)).returns(T.nilable(String)) }
-    def return_to=(value); end
-
     sig { returns(T::Hash[Symbol, T.untyped]) }
     def to_h; end
 

data/rbi/workos/update_user.rbi

@@ -27,6 +27,12 @@ module WorkOS
     sig { params(value: T.nilable(String)).returns(T.nilable(String)) }
     def last_name=(value); end
 
+    sig { returns(T.nilable(String)) }
+    def name; end
+
+    sig { params(value: T.nilable(String)).returns(T.nilable(String)) }
+    def name=(value); end
+
     sig { returns(T.nilable(T::Boolean)) }
     def email_verified; end
 

data/rbi/workos/user.rbi

@@ -33,6 +33,12 @@ module WorkOS
     sig { params(value: T.nilable(String)).returns(T.nilable(String)) }
     def last_name=(value); end
 
+    sig { returns(T.nilable(String)) }
+    def name; end
+
+    sig { params(value: T.nilable(String)).returns(T.nilable(String)) }
+    def name=(value); end
+
     sig { returns(T.nilable(String)) }
     def profile_picture_url; end
 

data/rbi/workos/{dsync_deactivated_data_domain.rbi → user_api_key_updated_data_owner.rbi}

@@ -5,15 +5,15 @@
 # typed: strong
 
 module WorkOS
-  class DsyncDeactivatedDataDomain
+  class UserApiKeyUpdatedDataOwner
     sig { params(json: T.any(String, T::Hash[Symbol, T.untyped])).void }
     def initialize(json); end
 
     sig { returns(String) }
-    def object; end
+    def type; end
 
     sig { params(value: String).returns(String) }
-    def object=(value); end
+    def type=(value); end
 
     sig { returns(String) }
     def id; end
@@ -22,10 +22,10 @@ module WorkOS
     def id=(value); end
 
     sig { returns(String) }
-    def domain; end
+    def organization_id; end
 
     sig { params(value: String).returns(String) }
-    def domain=(value); end
+    def organization_id=(value); end
 
     sig { returns(T::Hash[Symbol, T.untyped]) }
     def to_h; end

data/rbi/workos/user_management.rbi

@@ -48,9 +48,9 @@ module WorkOS
     sig do
       params(
         client_id: String,
-        client_secret: String,
         grant_type: String,
         code: String,
+        client_secret: T.nilable(String),
         code_verifier: T.nilable(String),
         invitation_token: T.nilable(String),
         ip_address: T.nilable(String),
@@ -59,7 +59,7 @@ module WorkOS
         request_options: T::Hash[Symbol, T.untyped]
       ).returns(WorkOS::AuthenticateResponse)
     end
-    def create_authenticate(client_id:, client_secret:, grant_type:, code:, code_verifier:, invitation_token:, ip_address:, device_id:, user_agent:, request_options:); end
+    def create_authenticate(client_id:, grant_type:, code:, client_secret:, code_verifier:, invitation_token:, ip_address:, device_id:, user_agent:, request_options:); end
 
     sig do
       params(
@@ -72,11 +72,10 @@ module WorkOS
     sig do
       params(
         session_id: String,
-        return_to: T.nilable(String),
         request_options: T::Hash[Symbol, T.untyped]
       ).returns(NilClass)
     end
-    def revoke_session(session_id:, return_to:, request_options:); end
+    def revoke_session(session_id:, request_options:); end
 
     sig do
       params(
@@ -138,6 +137,7 @@ module WorkOS
         email: String,
         first_name: T.nilable(String),
         last_name: T.nilable(String),
+        name: T.nilable(String),
         email_verified: T.nilable(T::Boolean),
         metadata: T.nilable(T::Hash[String, String]),
         external_id: T.nilable(String),
@@ -145,7 +145,7 @@ module WorkOS
         request_options: T::Hash[Symbol, T.untyped]
       ).returns(WorkOS::User)
     end
-    def create_user(email:, first_name:, last_name:, email_verified:, metadata:, external_id:, password:, request_options:); end
+    def create_user(email:, first_name:, last_name:, name:, email_verified:, metadata:, external_id:, password:, request_options:); end
 
     sig do
       params(
@@ -169,6 +169,7 @@ module WorkOS
         email: T.nilable(String),
         first_name: T.nilable(String),
         last_name: T.nilable(String),
+        name: T.nilable(String),
         email_verified: T.nilable(T::Boolean),
         metadata: T.nilable(T::Hash[String, String]),
         external_id: T.nilable(String),
@@ -177,7 +178,7 @@ module WorkOS
         request_options: T::Hash[Symbol, T.untyped]
       ).returns(WorkOS::User)
     end
-    def update_user(id:, email:, first_name:, last_name:, email_verified:, metadata:, external_id:, locale:, password:, request_options:); end
+    def update_user(id:, email:, first_name:, last_name:, name:, email_verified:, metadata:, external_id:, locale:, password:, request_options:); end
 
     sig do
       params(
@@ -251,7 +252,7 @@ module WorkOS
         organization_id: T.nilable(String),
         email: T.nilable(String),
         request_options: T::Hash[Symbol, T.untyped]
-      ).returns(T::Array[WorkOS::UserInvite])
+      ).returns(WorkOS::Types::ListStruct)
     end
     def list_invitations(before:, after:, limit:, order:, organization_id:, email:, request_options:); end
 

data/rbi/workos/user_object.rbi

@@ -33,6 +33,12 @@ module WorkOS
     sig { params(value: T.nilable(String)).returns(T.nilable(String)) }
     def last_name=(value); end
 
+    sig { returns(T.nilable(String)) }
+    def name; end
+
+    sig { params(value: T.nilable(String)).returns(T.nilable(String)) }
+    def name=(value); end
+
     sig { returns(T.nilable(T::Hash[String, String])) }
     def metadata; end
 

data/rbi/workos/vault.rbi

@@ -61,7 +61,7 @@ module WorkOS
       params(
         name: String,
         request_options: T::Hash[Symbol, T.untyped]
-      ).returns(WorkOS::ObjectModel)
+      ).returns(WorkOS::VaultObject)
     end
     def get_name(name:, request_options:); end
 
@@ -69,7 +69,7 @@ module WorkOS
       params(
         id: String,
         request_options: T::Hash[Symbol, T.untyped]
-      ).returns(WorkOS::ObjectModel)
+      ).returns(WorkOS::VaultObject)
     end
     def get_kv(id:, request_options:); end
 

data/rbi/workos/{object.rbi → vault_object.rbi}

@@ -5,7 +5,7 @@
 # typed: strong
 
 module WorkOS
-  class ObjectModel
+  class VaultObject
     sig { params(json: T.any(String, T::Hash[Symbol, T.untyped])).void }
     def initialize(json); end
 

data/renovate.json

@@ -1,66 +1,6 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "github>workos/renovate-config"
-  ],
-  "dependencyDashboard": false,
-  "schedule": [
-    "on the 15th day of the month before 12pm"
-  ],
-  "timezone": "UTC",
-  "rebaseWhen": "conflicted",
-  "packageRules": [
-    {
-      "matchManagers": [
-        "github-actions"
-      ],
-      "pinDigests": true,
-      "extractVersion": "^v(?<version>\\d+\\.\\d+\\.\\d+)$"
-    },
-    {
-      "matchUpdateTypes": [
-        "minor",
-        "patch"
-      ],
-      "automerge": true,
-      "groupName": "minor and patch updates"
-    },
-    {
-      "matchUpdateTypes": [
-        "major"
-      ],
-      "automerge": false
-    },
-    {
-      "matchUpdateTypes": [
-        "digest"
-      ],
-      "automerge": false
-    },
-    {
-      "matchManagers": [
-        "github-actions"
-      ],
-      "matchUpdateTypes": [
-        "minor",
-        "patch",
-        "digest",
-        "pinDigest"
-      ],
-      "groupName": "github actions non-major",
-      "groupSlug": "github-actions-non-major",
-      "automerge": true
-    },
-    {
-      "matchManagers": [
-        "github-actions"
-      ],
-      "matchUpdateTypes": [
-        "major"
-      ],
-      "groupName": "github actions major",
-      "groupSlug": "github-actions-major",
-      "automerge": false
-    }
+    "github>workos/renovate-config:public"
   ]
 }

data/test/workos/test_api_keys.rb

@@ -39,12 +39,20 @@ class ApiKeysTest < Minitest::Test
     assert_nil result
   end
 
+  def test_create_api_key_expire_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/api_keys/stub/expire(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.api_keys.create_api_key_expire(id: "stub")
+    refute_nil result
+  end
+
   # Parameterized authentication error tests (one per endpoint).
   [
     {name: :list_organization_api_keys, verb: :get, url: %r{\Ahttps://api\.workos\.com/organizations/stub/api_keys(\?|\z)}, args: {organization_id: "stub"}},
     {name: :create_organization_api_key, verb: :post, url: %r{\Ahttps://api\.workos\.com/organizations/stub/api_keys(\?|\z)}, args: {organization_id: "stub", name: "stub"}},
     {name: :create_validation, verb: :post, url: %r{\Ahttps://api\.workos\.com/api_keys/validations(\?|\z)}, args: {value: "stub"}},
-    {name: :delete_api_key, verb: :delete, url: %r{\Ahttps://api\.workos\.com/api_keys/stub(\?|\z)}, args: {id: "stub"}}
+    {name: :delete_api_key, verb: :delete, url: %r{\Ahttps://api\.workos\.com/api_keys/stub(\?|\z)}, args: {id: "stub"}},
+    {name: :create_api_key_expire, verb: :post, url: %r{\Ahttps://api\.workos\.com/api_keys/stub/expire(\?|\z)}, args: {id: "stub"}}
   ].each do |spec|
     define_method("test_#{spec[:name]}_raises_authentication_error_on_401") do
       stub_request(spec[:verb], spec[:url])

data/test/workos/test_authorization.rb

@@ -11,6 +11,48 @@ class AuthorizationTest < Minitest::Test
     @client = WorkOS::Client.new(api_key: "sk_test_123")
   end
 
+  def test_list_group_role_assignments_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/authorization/groups/stub/role_assignments(\?|\z)})
+      .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
+    result = @client.authorization.list_group_role_assignments(group_id: "stub")
+    assert_kind_of WorkOS::Types::ListStruct, result
+  end
+
+  def test_create_group_role_assignment_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/authorization/groups/stub/role_assignments(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.authorization.create_group_role_assignment(group_id: "stub", role_slug: "stub")
+    refute_nil result
+  end
+
+  def test_update_group_role_assignments_returns_expected_result
+    stub_request(:put, %r{\Ahttps://api\.workos\.com/authorization/groups/stub/role_assignments(\?|\z)})
+      .to_return(body: '{"data": [], "list_metadata": {}}', status: 200)
+    result = @client.authorization.update_group_role_assignments(group_id: "stub", role_assignments: [{}])
+    assert_kind_of WorkOS::Types::ListStruct, result
+  end
+
+  def test_delete_group_role_assignments_returns_expected_result
+    stub_request(:delete, %r{\Ahttps://api\.workos\.com/authorization/groups/stub/role_assignments(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.authorization.delete_group_role_assignments(group_id: "stub", role_slug: "stub")
+    assert_nil result
+  end
+
+  def test_get_group_role_assignment_returns_expected_result
+    stub_request(:get, %r{\Ahttps://api\.workos\.com/authorization/groups/stub/role_assignments/stub(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.authorization.get_group_role_assignment(group_id: "stub", role_assignment_id: "stub")
+    refute_nil result
+  end
+
+  def test_delete_group_role_assignment_returns_expected_result
+    stub_request(:delete, %r{\Ahttps://api\.workos\.com/authorization/groups/stub/role_assignments/stub(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.authorization.delete_group_role_assignment(group_id: "stub", role_assignment_id: "stub")
+    assert_nil result
+  end
+
   def test_check_returns_expected_result
     stub_request(:post, %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/check(\?|\z)})
       .with(body: hash_including("permission_slug" => "stub", "resource_id" => "stub"))
@@ -352,6 +394,12 @@ class AuthorizationTest < Minitest::Test
 
   # Parameterized authentication error tests (one per endpoint).
   [
+    {name: :list_group_role_assignments, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/groups/stub/role_assignments(\?|\z)}, args: {group_id: "stub"}},
+    {name: :create_group_role_assignment, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/groups/stub/role_assignments(\?|\z)}, args: {group_id: "stub", role_slug: "stub"}},
+    {name: :update_group_role_assignments, verb: :put, url: %r{\Ahttps://api\.workos\.com/authorization/groups/stub/role_assignments(\?|\z)}, args: {group_id: "stub", role_assignments: [{}]}},
+    {name: :delete_group_role_assignments, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/groups/stub/role_assignments(\?|\z)}, args: {group_id: "stub", role_slug: "stub"}},
+    {name: :get_group_role_assignment, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/groups/stub/role_assignments/stub(\?|\z)}, args: {group_id: "stub", role_assignment_id: "stub"}},
+    {name: :delete_group_role_assignment, verb: :delete, url: %r{\Ahttps://api\.workos\.com/authorization/groups/stub/role_assignments/stub(\?|\z)}, args: {group_id: "stub", role_assignment_id: "stub"}},
     {name: :check, verb: :post, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/check(\?|\z)}, args: {organization_membership_id: "stub", permission_slug: "stub", resource_target: WorkOS::Authorization::ResourceTargetById.new(resource_id: "stub")}},
     {name: :list_resources_for_membership, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/resources(\?|\z)}, args: {organization_membership_id: "stub", permission_slug: "stub", parent_resource: WorkOS::Authorization::ParentResourceById.new(parent_resource_id: "stub")}},
     {name: :list_effective_permissions, verb: :get, url: %r{\Ahttps://api\.workos\.com/authorization/organization_memberships/stub/resources/stub/permissions(\?|\z)}, args: {organization_membership_id: "stub", resource_id: "stub"}},

data/test/workos/test_base_client.rb

@@ -86,6 +86,14 @@ class BaseClientTest < Minitest::Test
     @client = WorkOS::BaseClient.new(api_key: "sk_test_123", max_retries: 1)
   end
 
+  def teardown
+    super
+    # Close any open connections and clear the thread-local cache to avoid
+    # leaking sockets between tests.
+    @client.shutdown
+    Thread.current[:workos_connections] = nil
+  end
+
   def test_request_dispatches_known_methods
     client = RecordingClient.new(api_key: "sk_test_123")
 
@@ -171,6 +179,62 @@ class BaseClientTest < Minitest::Test
     refute keep.finished
   end
 
+  # Regression test for https://github.com/workos/workos-ruby/issues/496
+  #
+  # The connection cache must be isolated per thread. A previous version
+  # keyed it on Fiber[] (inheritable fiber storage), which is inherited *by
+  # reference* by child threads — so a Net::HTTP socket warmed in a parent
+  # thread leaked into every worker thread spawned afterward (Solid Queue,
+  # Puma, etc.) and got driven concurrently, corrupting the stream.
+  def test_connection_cache_is_not_shared_with_threads_spawned_after_warming
+    # Warm a connection in the "parent" thread before spawning workers.
+    parent_cache = @client.send(:thread_connections)
+    warm = FakeConnection.new
+    parent_cache["https:api.workos.com:443:30"] = warm
+
+    results = Array.new(4) do
+      Thread.new do
+        cache = @client.send(:thread_connections)
+        {cache_id: cache.object_id, leaked: cache.value?(warm), size: cache.size}
+      end
+    end.map(&:value)
+
+    results.each do |r|
+      refute_equal parent_cache.object_id, r[:cache_id],
+        "worker thread must not share the parent thread's connection cache"
+      refute r[:leaked],
+        "parent thread's warmed connection leaked into a worker thread"
+      assert_equal 0, r[:size],
+        "worker thread should start with an empty, isolated cache"
+    end
+
+    # The parent's own cache is left intact.
+    assert_same warm, parent_cache["https:api.workos.com:443:30"]
+  end
+
+  # Exercises the connection_for path (not just the storage helper):
+  # each thread must open and cache its *own* Net::HTTP connection rather
+  # than reusing one established on another thread.
+  #
+  # Net::HTTP#start is stubbed to avoid real TCP+TLS connections.
+  def test_connection_for_opens_a_distinct_connection_per_thread
+    original_start = Net::HTTP.instance_method(:start)
+    Net::HTTP.define_method(:start) { self }
+
+    parent_conn = @client.send(:connection_for, "https://api.workos.com", 30)
+
+    worker_conns = Array.new(4) do
+      Thread.new { @client.send(:connection_for, "https://api.workos.com", 30).object_id }
+    end.map(&:value)
+
+    refute_includes worker_conns, parent_conn.object_id,
+      "a worker thread reused a connection opened on another thread"
+    assert_equal worker_conns.length, worker_conns.uniq.length,
+      "worker threads must each get a distinct connection"
+  ensure
+    Net::HTTP.define_method(:start, original_start)
+  end
+
   def test_redact_path_strips_invitation_token_segment
     redacted = @client.send(:redact_path, "/user_management/invitations/by_token/invtoken_secret123")
     assert_equal "/user_management/invitations/by_token/[REDACTED]", redacted

data/test/workos/test_client_api.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+# This file is auto-generated by oagen. Do not edit.
+
+require "test_helper"
+
+class ClientApiTest < Minitest::Test
+  include FixtureHelper
+
+  def setup
+    @client = WorkOS::Client.new(api_key: "sk_test_123")
+  end
+
+  def test_create_token_returns_expected_result
+    stub_request(:post, %r{\Ahttps://api\.workos\.com/client/token(\?|\z)})
+      .to_return(body: "{}", status: 200)
+    result = @client.client_api.create_token(organization_id: "stub", user_id: "stub")
+    refute_nil result
+  end
+
+  # Parameterized authentication error tests (one per endpoint).
+  [
+    {name: :create_token, verb: :post, url: %r{\Ahttps://api\.workos\.com/client/token(\?|\z)}, args: {organization_id: "stub", user_id: "stub"}}
+  ].each do |spec|
+    define_method("test_#{spec[:name]}_raises_authentication_error_on_401") do
+      stub_request(spec[:verb], spec[:url])
+        .to_return(body: '{"message": "Unauthorized"}', status: 401)
+      assert_raises(WorkOS::AuthenticationError) do
+        @client.client_api.send(spec[:name], **(spec[:args] || {}))
+      end
+    end
+  end
+end