workos 1.5.1 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5aecf9fa40a85a4623e12f1ba6804c87fde006931bed9a443327f6851d714df1
-  data.tar.gz: 63d0daa095bf705643906247371d36a15f7ec9aac2b9d5b04293fb7e135a1d57
+  metadata.gz: dd493c247c202074fa3d93d6f4db6f1cb4cffb19b63f140eeb37a3236255be1a
+  data.tar.gz: a266a358383a5242299a2df002b04486d6ef1203f0d3448736b6d5904d657643
 SHA512:
-  metadata.gz: f6c47e8d64139d4e3452dca04e6466b177b8c029b97779e58b93407d5e08f9c886076a0101a9b272376fe33e9ee16c180464e25b3be42a6089b921108187eeb1
-  data.tar.gz: 577c4b464439eed2216d1011d637d619cd0af9c69f985f5d56f56ce58f6c72deb71f0d2dc66efc1014daa7d973cd2c1d3e95a2f729627658d4235ce2da683184
+  metadata.gz: d05f397238b7e94d6f8e7e513523de96c87da44042c65638dbe8ce947076b5383f38491997a887a30e05a0c47e4193178dd39f0e4c62b5f14ebb1fcfb40b3299
+  data.tar.gz: 28158f92efaff774bbfaaf02e9be76552dd94bfebb996515824e278faf4011b4996846990074e30694f4306ba26c2cb76440294a020e5832b8bf25c3c504ccb3

data/.rubocop.yml

@@ -9,7 +9,7 @@ Layout/LineLength:
     - 'VCR\.use_cassette'
     - '(\A|\s)/.*?/'
 Metrics/BlockLength:
-  ExcludedMethods: ['describe', 'context']
+  ExcludedMethods: ['describe', 'context', 'before']
 Metrics/MethodLength:
   Max: 15
 Metrics/ModuleLength:

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    workos (1.5.1)
+    workos (1.6.0)
       sorbet-runtime (~> 0.5)
 
 GEM

data/lib/workos/errors.rb

@@ -55,4 +55,8 @@ module WorkOS
   # InvalidRequestError is raised when a request is initiated with invalid
   # parameters.
   class InvalidRequestError < WorkOSError; end
+
+  # SignatureVerificationError is raised when the signature verification for a
+  # webhook fails
+  class SignatureVerificationError < WorkOSError; end
 end

data/lib/workos/organization.rb

@@ -8,7 +8,7 @@ module WorkOS
   class Organization
     extend T::Sig
 
-    attr_accessor :id, :domains, :name, :created_at, :updated_at
+    attr_accessor :id, :domains, :name, :allow_profiles_outside_organization, :created_at, :updated_at
 
     sig { params(json: String).void }
     def initialize(json)
@@ -16,6 +16,7 @@ module WorkOS
 
       @id = T.let(raw.id, String)
       @name = T.let(raw.name, String)
+      @allow_profiles_outside_organization = T.let(raw.allow_profiles_outside_organization, T::Boolean)
       @domains = T.let(raw.domains, Array)
       @created_at = T.let(raw.created_at, String)
       @updated_at = T.let(raw.updated_at, String)
@@ -25,6 +26,7 @@ module WorkOS
       {
         id: id,
         name: name,
+        allow_profiles_outside_organization: allow_profiles_outside_organization,
         domains: domains,
         created_at: created_at,
         updated_at: updated_at,
@@ -44,6 +46,7 @@ module WorkOS
       WorkOS::Types::OrganizationStruct.new(
         id: hash[:id],
         name: hash[:name],
+        allow_profiles_outside_organization: hash[:allow_profiles_outside_organization],
         domains: hash[:domains],
         created_at: hash[:created_at],
         updated_at: hash[:updated_at],

data/lib/workos/organizations.rb

@@ -80,16 +80,23 @@ module WorkOS
       # @param [Array<String>] domains List of domains that belong to the
       #  organization
       # @param [String] name A unique, descriptive name for the organization
+      # @param [Boolean, nil] allow_profiles_outside_organization Whether Connections
+      #  within the Organization allow profiles that are outside of the Organization's configured User Email Domains.
       sig do
         params(
           domains: T::Array[String],
           name: String,
+          allow_profiles_outside_organization: T.nilable(T::Boolean),
         ).returns(WorkOS::Organization)
       end
-      def create_organization(domains:, name:)
+      def create_organization(domains:, name:, allow_profiles_outside_organization: nil)
         request = post_request(
           auth: true,
-          body: { domains: domains, name: name },
+          body: {
+            domains: domains,
+            name: name,
+            allow_profiles_outside_organization: allow_profiles_outside_organization,
+          },
           path: '/organizations',
         )
 
@@ -105,17 +112,24 @@ module WorkOS
       # @param [Array<String>] domains List of domains that belong to the
       #  organization
       # @param [String] name A unique, descriptive name for the organization
+      # @param [Boolean, nil] allow_profiles_outside_organization Whether Connections
+      #  within the Organization allow profiles that are outside of the Organization's configured User Email Domains.
       sig do
         params(
           organization: String,
           domains: T::Array[String],
           name: String,
+          allow_profiles_outside_organization: T.nilable(T::Boolean),
         ).returns(WorkOS::Organization)
       end
-      def update_organization(organization:, domains:, name:)
+      def update_organization(organization:, domains:, name:, allow_profiles_outside_organization: nil)
         request = put_request(
           auth: true,
-          body: { domains: domains, name: name },
+          body: {
+            domains: domains,
+            name: name,
+            allow_profiles_outside_organization: allow_profiles_outside_organization,
+          },
           path: "/organizations/#{organization}",
         )
 

data/lib/workos/profile.rb

@@ -11,9 +11,10 @@ module WorkOS
     extend T::Sig
 
     sig { returns(String) }
-    attr_accessor :id, :email, :first_name, :last_name, :connection_id,
-                  :connection_type, :idp_id, :raw_attributes
+    attr_accessor :id, :email, :first_name, :last_name, :organization_id,
+                  :connection_id, :connection_type, :idp_id, :raw_attributes
 
+    # rubocop:disable Metrics/AbcSize
     sig { params(profile_json: String).void }
     def initialize(profile_json)
       raw = parse_json(profile_json)
@@ -22,11 +23,13 @@ module WorkOS
       @email = T.let(raw.email, String)
       @first_name = raw.first_name
       @last_name = raw.last_name
+      @organization_id = T.let(raw.organization_id, String)
       @connection_id = T.let(raw.connection_id, String)
       @connection_type = T.let(raw.connection_type, String)
       @idp_id = raw.idp_id
       @raw_attributes = raw.raw_attributes
     end
+    # rubocop:enable Metrics/AbcSize
 
     sig { returns(String) }
     def full_name
@@ -39,6 +42,7 @@ module WorkOS
         email: email,
         first_name: first_name,
         last_name: last_name,
+        organization_id: organization_id,
         connection_id: connection_id,
         connection_type: connection_type,
         idp_id: idp_id,
@@ -57,6 +61,7 @@ module WorkOS
         email: hash[:email],
         first_name: hash[:first_name],
         last_name: hash[:last_name],
+        organization_id: hash[:organization_id],
         connection_id: hash[:connection_id],
         connection_type: hash[:connection_type],
         idp_id: hash[:idp_id],

data/lib/workos/types/organization_struct.rb

@@ -8,6 +8,7 @@ module WorkOS
     class OrganizationStruct < T::Struct
       const :id, String
       const :name, String
+      const :allow_profiles_outside_organization, T::Boolean
       const :domains, T::Array[T.untyped]
       const :created_at, String
       const :updated_at, String

data/lib/workos/types/profile_struct.rb

@@ -10,6 +10,7 @@ module WorkOS
       const :email, String
       const :first_name, T.nilable(String)
       const :last_name, T.nilable(String)
+      const :organization_id, String
       const :connection_id, String
       const :connection_type, String
       const :idp_id, T.nilable(String)

data/lib/workos/types/webhook_struct.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+# typed: strict
+
+module WorkOS
+  module Types
+    # This WebhookStruct acts as a typed interface
+    # for the Webhook class
+    class WebhookStruct < T::Struct
+      const :id, String
+      const :event, String
+      const :data, T::Hash[Symbol, Object]
+    end
+  end
+end

data/lib/workos/types.rb

@@ -15,5 +15,6 @@ module WorkOS
     require_relative 'types/profile_struct'
     require_relative 'types/provider_enum'
     require_relative 'types/directory_user_struct'
+    require_relative 'types/webhook_struct'
   end
 end

data/lib/workos/version.rb

@@ -2,5 +2,5 @@
 # typed: strong
 
 module WorkOS
-  VERSION = '1.5.1'
+  VERSION = '1.6.0'
 end

data/lib/workos/webhook.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+# typed: true
+
+module WorkOS
+  # The Webhook class provides a lightweight wrapper around
+  # a WorkOS Webhook resource. This class is not meant to be instantiated
+  # in user space, and is instantiated internally but exposed.
+  class Webhook
+    extend T::Sig
+
+    attr_accessor :id, :event, :data
+
+    sig { params(json: String).void }
+    def initialize(json)
+      raw = parse_json(json)
+
+      @id = T.let(raw.id, String)
+      @event = T.let(raw.event, String)
+      @data = raw.data
+    end
+
+    def to_json(*)
+      {
+        id: id,
+        event: event,
+        data: data,
+      }
+    end
+
+    private
+
+    sig do
+      params(
+        json_string: String,
+      ).returns(WorkOS::Types::WebhookStruct)
+    end
+    def parse_json(json_string)
+      hash = JSON.parse(json_string, symbolize_names: true)
+
+      WorkOS::Types::WebhookStruct.new(
+        id: hash[:id],
+        event: hash[:event],
+        data: hash[:data],
+      )
+    end
+  end
+end

data/lib/workos/webhooks.rb

@@ -0,0 +1,168 @@
+# frozen_string_literal: true
+# typed: true
+
+require 'openssl'
+
+module WorkOS
+  # The Webhooks module provides convenience methods for working with the WorkOS webhooks.
+  # You'll need to extract the signature header and payload from the webhook request
+  # sig_header = request.headers['WorkOS-Signature']
+  # payload = request.body.read
+  #
+  # The secret is the Webhook Secret from your WorkOS Dashboard
+  # The tolerance is for the timestamp validation
+  #
+  module Webhooks
+    class << self
+      extend T::Sig
+
+      DEFAULT_TOLERANCE = 180
+
+      # Initializes an Event object from a JSON payload
+      # rubocop:disable Layout/LineLength
+      #
+      # @param [String] payload The payload from the webhook sent by WorkOS. This is the RAW_POST_DATA of the request.
+      # @param [String] sig_header The signature from the webhook sent by WorkOS.
+      # @param [String] secret The webhook secret from the WorkOS dashboard.
+      # @param [Integer] tolerance The time tolerance in seconds for the webhook.
+      #
+      # @example
+      #   WorkOS::Webhooks.construct_event(
+      #     payload: "{"id": "wh_123","data":{"id":"directory_user_01FAEAJCR3ZBZ30D8BD1924TVG","state":"active","emails":[{"type":"work","value":"blair@foo-corp.com","primary":true}],"idp_id":"00u1e8mutl6wlH3lL4x7","object":"directory_user","username":"blair@foo-corp.com","last_name":"Lunceford","first_name":"Blair","directory_id":"directory_01F9M7F68PZP8QXP8G7X5QRHS7","raw_attributes":{"name":{"givenName":"Blair","familyName":"Lunceford","middleName":"Elizabeth","honorificPrefix":"Ms."},"title":"Developer Success Engineer","active":true,"emails":[{"type":"work","value":"blair@foo-corp.com","primary":true}],"groups":[],"locale":"en-US","schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"userName":"blair@foo-corp.com","addresses":[{"region":"CO","primary":true,"locality":"Steamboat Springs","postalCode":"80487"}],"externalId":"00u1e8mutl6wlH3lL4x7","displayName":"Blair Lunceford","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"manager":{"value":"2","displayName":"Kathleen Chung"},"division":"Engineering","department":"Customer Success"}}},"event":"dsync.user.created"}",
+      #     sig_header: 't=1626125972272, v1=80f7ab7efadc306eb5797c588cee9410da9be4416782b497bf1e1bf4175fb928',
+      #     secret: 'LJlTiC19GmCKWs8AE0IaOQcos',
+      #   )
+      #
+      #   => #<WorkOS::Webhook:0x00007fa64b980910 @event="dsync.user.created", @data={:id=>"directory_user_01FAEAJCR3ZBZ30D8BD1924TVG", :state=>"active", :emails=>[{:type=>"work", :value=>"blair@foo-corp.com", :primary=>true}], :idp_id=>"00u1e8mutl6wlH3lL4x7", :object=>"directory_user", :username=>"blair@foo-corp.com", :last_name=>"Lunceford", :first_name=>"Blair", :directory_id=>"directory_01F9M7F68PZP8QXP8G7X5QRHS7", :raw_attributes=>{:name=>{:givenName=>"Blair", :familyName=>"Lunceford", :middleName=>"Elizabeth", :honorificPrefix=>"Ms."}, :title=>"Developer Success Engineer", :active=>true, :emails=>[{:type=>"work", :value=>"blair@foo-corp.com", :primary=>true}], :groups=>[], :locale=>"en-US", :schemas=>["urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"], :userName=>"blair@foo-corp.com", :addresses=>[{:region=>"CO", :primary=>true, :locality=>"Steamboat Springs", :postalCode=>"80487"}], :externalId=>"00u1e8mutl6wlH3lL4x7", :displayName=>"Blair Lunceford", :"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"=>{:manager=>{:value=>"2", :displayName=>"Kathleen Chung"}, :division=>"Engineering", :department=>"Customer Success"}}}>
+      #
+      # @return [WorkOS::Webhook]
+      # rubocop:enable Layout/LineLength
+      sig do
+        params(
+          payload: String,
+          sig_header: String,
+          secret: String,
+          tolerance: Integer,
+        ).returns(WorkOS::Webhook)
+      end
+      def construct_event(
+        payload:,
+        sig_header:,
+        secret:,
+        tolerance: DEFAULT_TOLERANCE
+      )
+        verify_header(payload: payload, sig_header: sig_header, secret: secret, tolerance: tolerance)
+        WorkOS::Webhook.new(payload)
+      end
+
+      private
+
+      sig do
+        params(
+          payload: String,
+          sig_header: String,
+          secret: String,
+          tolerance: Integer,
+        ).returns(T::Boolean)
+      end
+      # rubocop:disable Metrics/MethodLength
+      def verify_header(
+        payload:,
+        sig_header:,
+        secret:,
+        tolerance: DEFAULT_TOLERANCE
+      )
+        begin
+          timestamp, signature_hash = get_timestamp_and_signature_hash(sig_header: sig_header)
+        rescue StandardError
+          raise WorkOS::SignatureVerificationError.new(
+            message: 'Unable to extract timestamp and signature hash from header',
+          )
+        end
+
+        if signature_hash.empty?
+          raise WorkOS::SignatureVerificationError.new(
+            message: 'No signature hash found with expected scheme v1',
+          )
+        end
+
+        if timestamp < Time.now - tolerance
+          raise WorkOS::SignatureVerificationError.new(
+            message: 'Timestamp outside the tolerance zone',
+          )
+        end
+
+        expected_sig = compute_signature(timestamp: timestamp, payload: payload, secret: secret)
+        unless secure_compare(str_a: expected_sig, str_b: signature_hash)
+          raise WorkOS::SignatureVerificationError.new(
+            message: 'Signature hash does not match the expected signature hash for payload',
+          )
+        end
+
+        true
+      end
+      # rubocop:enable Metrics/MethodLength
+
+      sig do
+        params(
+          sig_header: String,
+        ).returns(T::Array[T.untyped])
+      end
+      def get_timestamp_and_signature_hash(
+        sig_header:
+      )
+        timestamp, signature_hash = sig_header.split(', ')
+
+        if timestamp.nil? || signature_hash.nil?
+          raise WorkOS::SignatureVerificationError.new(
+            message: 'Unable to extract timestamp and signature hash from header',
+          )
+        end
+
+        timestamp = timestamp.sub('t=', '')
+        signature_hash = signature_hash.sub('v1=', '')
+
+        [Time.at(timestamp.to_i), signature_hash]
+      end
+
+      sig do
+        params(
+          timestamp: Time,
+          payload: String,
+          secret: String,
+        ).returns(String)
+      end
+      def compute_signature(
+        timestamp:,
+        payload:,
+        secret:
+      )
+        unhashed_string = "#{timestamp.to_i}.#{payload}"
+        digest = OpenSSL::Digest.new('sha256')
+        OpenSSL::HMAC.hexdigest(digest, secret, unhashed_string)
+      end
+
+      # Constant time string comparison to prevent timing attacks
+      # Code borrowed from ActiveSupport
+      sig do
+        params(
+          str_a: String,
+          str_b: String,
+        ).returns(T::Boolean)
+      end
+      def secure_compare(
+        str_a:,
+        str_b:
+      )
+        return false unless str_a.bytesize == str_b.bytesize
+
+        l = T.unsafe(str_a.unpack("C#{str_a.bytesize}"))
+
+        res = 0
+        str_b.each_byte { |byte| res |= byte ^ l.shift }
+
+        res.zero?
+      end
+    end
+  end
+end

data/lib/workos.rb

@@ -42,11 +42,14 @@ module WorkOS
   autoload :ProfileAndToken, 'workos/profile_and_token'
   autoload :SSO, 'workos/sso'
   autoload :DirectoryUser, 'workos/directory_user'
+  autoload :Webhook, 'workos/webhook'
+  autoload :Webhooks, 'workos/webhooks'
 
   # Errors
   autoload :APIError, 'workos/errors'
   autoload :AuthenticationError, 'workos/errors'
   autoload :InvalidRequestError, 'workos/errors'
+  autoload :SignatureVerificationError, 'workos/errors'
 
   # Remove WORKOS_KEY at some point in the future. Keeping it here now for
   # backwards compatibility.

data/spec/lib/workos/sso_spec.rb

@@ -164,6 +164,7 @@ describe WorkOS::SSO do
           id: 'prof_01EEJTY9SZ1R350RB7B73SNBKF',
           idp_id: '116485463307139932699',
           last_name: 'Loblaw',
+          organization_id: 'org_01FG53X8636WSNW2WEKB2C31ZB',
           raw_attributes: {
             email: 'bob.loblaw@workos.com',
             family_name: 'Loblaw',
@@ -233,6 +234,7 @@ describe WorkOS::SSO do
           id: 'prof_01DRA1XNSJDZ19A31F183ECQW5',
           idp_id: '00u1klkowm8EGah2H357',
           last_name: 'Demo',
+          organization_id: 'org_01FG53X8636WSNW2WEKB2C31ZB',
           raw_attributes: {
             email: 'demo@workos-okta.com',
             first_name: 'WorkOS',

data/spec/lib/workos/webhooks_spec.rb

@@ -0,0 +1,190 @@
+# frozen_string_literal: true
+# typed: false
+
+require 'json'
+require 'openssl'
+
+describe WorkOS::Webhooks do
+  describe '.construct_event' do
+    before(:each) do
+      @payload = File.read("#{SPEC_ROOT}/support/webhook_payload.txt")
+      @secret = 'secret'
+      @timestamp = Time.at(Time.now.to_i * 1000)
+      unhashed_string = "#{@timestamp.to_i}.#{@payload}"
+      digest = OpenSSL::Digest.new('sha256')
+      @signature_hash = OpenSSL::HMAC.hexdigest(digest, @secret, unhashed_string)
+      @expectation = {
+        id: 'directory_user_01FAEAJCR3ZBZ30D8BD1924TVG',
+        state: 'active',
+        emails: [{
+          type: 'work',
+          value: 'blair@foo-corp.com',
+          primary: true,
+        }],
+        idp_id: '00u1e8mutl6wlH3lL4x7',
+        object: 'directory_user',
+        username: 'blair@foo-corp.com',
+        last_name: 'Lunceford',
+        first_name: 'Blair',
+        directory_id: 'directory_01F9M7F68PZP8QXP8G7X5QRHS7',
+        raw_attributes: {
+          name: {
+            givenName: 'Blair',
+            familyName: 'Lunceford',
+            middleName: 'Elizabeth',
+            honorificPrefix: 'Ms.',
+          },
+          title: 'Developer Success Engineer',
+          active: true,
+          emails: [{
+            type: 'work',
+            value: 'blair@foo-corp.com',
+            primary: true,
+          }],
+          groups: [],
+          locale: 'en-US',
+          schemas: [
+            'urn:ietf:params:scim:schemas:core:2.0:User',
+            'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'
+          ],
+          userName: 'blair@foo-corp.com',
+          addresses: [{
+            region: 'CO',
+            primary: true,
+            locality: 'Steamboat Springs',
+            postalCode: '80487',
+          }],
+          externalId: '00u1e8mutl6wlH3lL4x7',
+          displayName: 'Blair Lunceford',
+          "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
+            manager: {
+              value: '2',
+              displayName: 'Kathleen Chung',
+            },
+            division: 'Engineering',
+            department: 'Customer Success',
+          },
+        },
+      }
+    end
+
+    context 'with the correct payload, sig_header, and secret' do
+      it 'returns a webhook event' do
+        webhook = described_class.construct_event(
+          payload: @payload,
+          sig_header: "t=#{@timestamp.to_i}, v1=#{@signature_hash}",
+          secret: @secret,
+        )
+
+        expect(webhook.data).to eq(@expectation)
+        expect(webhook.event).to eq('dsync.user.created')
+        expect(webhook.id).to eq('wh_123')
+      end
+    end
+
+    context 'with the correct payload, sig_header, secret, and tolerance' do
+      it 'returns a webhook event' do
+        webhook = described_class.construct_event(
+          payload: @payload,
+          sig_header: "t=#{@timestamp.to_i}, v1=#{@signature_hash}",
+          secret: @secret,
+          tolerance: 300,
+        )
+
+        expect(webhook.data).to eq(@expectation)
+        expect(webhook.event).to eq('dsync.user.created')
+        expect(webhook.id).to eq('wh_123')
+      end
+    end
+
+    context 'with an empty header' do
+      it 'raises an error' do
+        expect do
+          described_class.construct_event(
+            payload: @payload,
+            sig_header: '',
+            secret: @secret,
+          )
+        end.to raise_error(
+          WorkOS::SignatureVerificationError,
+          'Unable to extract timestamp and signature hash from header',
+        )
+      end
+    end
+
+    context 'with an empty signature hash' do
+      it 'raises an error' do
+        expect do
+          described_class.construct_event(
+            payload: @payload,
+            sig_header: "t=#{@timestamp.to_i}, v1=",
+            secret: @secret,
+          )
+        end.to raise_error(
+          WorkOS::SignatureVerificationError,
+          'No signature hash found with expected scheme v1',
+        )
+      end
+    end
+
+    context 'with an incorrect signature hash' do
+      it 'raises an error' do
+        expect do
+          described_class.construct_event(
+            payload: @payload,
+            sig_header: "t=#{@timestamp.to_i}, v1=99999",
+            secret: @secret,
+          )
+        end.to raise_error(
+          WorkOS::SignatureVerificationError,
+          'Signature hash does not match the expected signature hash for payload',
+        )
+      end
+    end
+
+    context 'with an incorrect payload' do
+      it 'raises an error' do
+        expect do
+          described_class.construct_event(
+            payload: 'invalid',
+            sig_header: "t=#{@timestamp.to_i}, v1=#{@signature_hash}",
+            secret: @secret,
+          )
+        end.to raise_error(
+          WorkOS::SignatureVerificationError,
+          'Signature hash does not match the expected signature hash for payload',
+        )
+      end
+    end
+
+    context 'with an incorrect webhook secret' do
+      it 'raises an error' do
+        expect do
+          described_class.construct_event(
+            payload: @payload,
+            sig_header: "t=#{@timestamp.to_i}, v1=#{@signature_hash}",
+            secret: 'invalid',
+          )
+        end.to raise_error(
+          WorkOS::SignatureVerificationError,
+          'Signature hash does not match the expected signature hash for payload',
+        )
+      end
+    end
+
+    context 'with a timestamp outside tolerance' do
+      it 'raises an error' do
+        expect do
+          described_class.construct_event(
+            payload: @payload,
+            sig_header: "t=9999, v1=#{@signature_hash}",
+            secret: @secret,
+          )
+        end.to raise_error(
+          WorkOS::SignatureVerificationError,
+          'Timestamp outside the tolerance zone',
+        )
+      end
+    end
+  end
+end

data/spec/support/fixtures/vcr_cassettes/organization/create.yml

@@ -78,7 +78,7 @@ http_interactions:
     body:
       encoding: UTF-8
       string: '{"object":"organization","id":"org_01FCPEJXEZR4DSBA625YMGQT9N","name":"Test
-        Organization","created_at":"2021-08-09T21:55:02.755Z","updated_at":"2021-08-09T21:55:02.755Z","domains":[{"object":"organization_domain","id":"org_domain_01FCPEJXF4CTFEDFEGDTRN1MZG","domain":"example.io"}]}'
+        Organization","allow_profiles_outside_organization":false,"created_at":"2021-08-09T21:55:02.755Z","updated_at":"2021-08-09T21:55:02.755Z","domains":[{"object":"organization_domain","id":"org_domain_01FCPEJXF4CTFEDFEGDTRN1MZG","domain":"example.io"}]}'
     http_version:
   recorded_at: Mon, 09 Aug 2021 21:55:02 GMT
 recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/organization/get.yml

@@ -78,7 +78,7 @@ http_interactions:
     body:
       encoding: ASCII-8BIT
       string: '{"object":"organization","id":"org_01F9293WD2PDEEV4Y625XPZVG7","name":"Foo
-        Corp","created_at":"2021-06-25T19:07:33.155Z","updated_at":"2021-06-25T19:07:33.155Z","domains":[{"object":"organization_domain","id":"org_domain_01F9293WD8KZAS4ESBK57SZ4D8","domain":"foo-corp.com"}]}'
+        Corp","allow_profiles_outside_organization":false,"created_at":"2021-06-25T19:07:33.155Z","updated_at":"2021-06-25T19:07:33.155Z","domains":[{"object":"organization_domain","id":"org_domain_01F9293WD8KZAS4ESBK57SZ4D8","domain":"foo-corp.com"}]}'
     http_version:
   recorded_at: Mon, 09 Aug 2021 21:53:34 GMT
 recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/organization/list.yml

@@ -78,10 +78,10 @@ http_interactions:
     body:
       encoding: ASCII-8BIT
       string: '{"object":"list","data":[{"object":"organization","id":"org_01FCPEJXEZR4DSBA625YMGQT9N","name":"Test
-        Organization","created_at":"2021-08-09T21:55:02.755Z","updated_at":"2021-08-09T21:55:02.755Z","domains":[{"object":"organization_domain","id":"org_domain_01FCPEJXF4CTFEDFEGDTRN1MZG","domain":"example.io"}]},{"object":"organization","id":"org_01F9293WD2PDEEV4Y625XPZVG7","name":"Foo
-        Corp","created_at":"2021-06-25T19:07:33.155Z","updated_at":"2021-06-25T19:07:33.155Z","domains":[{"object":"organization_domain","id":"org_domain_01F9293WD8KZAS4ESBK57SZ4D8","domain":"foo-corp.com"}]},{"object":"organization","id":"org_01F8873JSZWN1MJCDN537FEK1H","name":"Example
-        Organization","created_at":"2021-06-15T16:12:10.942Z","updated_at":"2021-06-15T16:12:10.942Z","domains":[]},{"object":"organization","id":"org_01F79Z8TGGTA8Q67Q50FDXAYN3","name":"gmail.com","created_at":"2021-06-03T22:18:01.100Z","updated_at":"2021-06-03T22:18:01.100Z","domains":[{"object":"organization_domain","id":"org_domain_01F79Z8TGS4VYFX0246RAWSZMP","domain":"gmail.com"}]},{"object":"organization","id":"org_01F6Q6TFP7RD2PF6J03ANNWDKV","name":"Test
-        Organization","created_at":"2021-05-27T15:24:25.670Z","updated_at":"2021-08-09T21:53:34.525Z","domains":[{"object":"organization_domain","id":"org_domain_01FCPEG7BAYMQ4CHMG41Y2VNHF","domain":"example.me"}]},{"object":"organization","id":"org_01F6Q6NGZS8R5ZTH3C1XR96JK7","name":"WorkOS","created_at":"2021-05-27T15:21:43.160Z","updated_at":"2021-05-27T15:21:43.160Z","domains":[{"object":"organization_domain","id":"org_domain_01F6Q6NGZZ54WSX1XCMCKSC4DA","domain":"workos.com"}]}],"listMetadata":{"before":"before-id","after":null}}'
+        Organization","allow_profiles_outside_organization":false,"created_at":"2021-08-09T21:55:02.755Z","updated_at":"2021-08-09T21:55:02.755Z","domains":[{"object":"organization_domain","id":"org_domain_01FCPEJXF4CTFEDFEGDTRN1MZG","domain":"example.io"}]},{"object":"organization","id":"org_01F9293WD2PDEEV4Y625XPZVG7","name":"Foo
+        Corp","allow_profiles_outside_organization":false,"created_at":"2021-06-25T19:07:33.155Z","updated_at":"2021-06-25T19:07:33.155Z","domains":[{"object":"organization_domain","id":"org_domain_01F9293WD8KZAS4ESBK57SZ4D8","domain":"foo-corp.com"}]},{"object":"organization","id":"org_01F8873JSZWN1MJCDN537FEK1H","name":"Example
+        Organization","allow_profiles_outside_organization":false,"created_at":"2021-06-15T16:12:10.942Z","updated_at":"2021-06-15T16:12:10.942Z","domains":[]},{"object":"organization","id":"org_01F79Z8TGGTA8Q67Q50FDXAYN3","name":"gmail.com","allow_profiles_outside_organization":false,"created_at":"2021-06-03T22:18:01.100Z","updated_at":"2021-06-03T22:18:01.100Z","domains":[{"object":"organization_domain","id":"org_domain_01F79Z8TGS4VYFX0246RAWSZMP","domain":"gmail.com"}]},{"object":"organization","id":"org_01F6Q6TFP7RD2PF6J03ANNWDKV","name":"Test
+        Organization","allow_profiles_outside_organization":false,"created_at":"2021-05-27T15:24:25.670Z","updated_at":"2021-08-09T21:53:34.525Z","domains":[{"object":"organization_domain","id":"org_domain_01FCPEG7BAYMQ4CHMG41Y2VNHF","domain":"example.me"}]},{"object":"organization","id":"org_01F6Q6NGZS8R5ZTH3C1XR96JK7","name":"WorkOS","allow_profiles_outside_organization":false,"created_at":"2021-05-27T15:21:43.160Z","updated_at":"2021-05-27T15:21:43.160Z","domains":[{"object":"organization_domain","id":"org_domain_01F6Q6NGZZ54WSX1XCMCKSC4DA","domain":"workos.com"}]}],"listMetadata":{"before":"before-id","after":null}}'
     http_version:
   recorded_at: Mon, 09 Aug 2021 21:55:03 GMT
 recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/organization/update.yml

@@ -78,7 +78,7 @@ http_interactions:
     body:
       encoding: ASCII-8BIT
       string: '{"object":"organization","id":"org_01F6Q6TFP7RD2PF6J03ANNWDKV","name":"Test
-        Organization","created_at":"2021-05-27T15:24:25.670Z","updated_at":"2021-08-09T21:53:34.525Z","domains":[{"object":"organization_domain","id":"org_domain_01FCPEG7BAYMQ4CHMG41Y2VNHF","domain":"example.me"}]}'
+        Organization","allow_profiles_outside_organization":false,"created_at":"2021-05-27T15:24:25.670Z","updated_at":"2021-08-09T21:53:34.525Z","domains":[{"object":"organization_domain","id":"org_domain_01FCPEG7BAYMQ4CHMG41Y2VNHF","domain":"example.me"}]}'
     http_version:
   recorded_at: Mon, 09 Aug 2021 21:53:34 GMT
 recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/sso/profile.yml

@@ -67,7 +67,7 @@ http_interactions:
       body:
         encoding: UTF-8
         string:
-          '{"object":"profile","id":"prof_01EEJTY9SZ1R350RB7B73SNBKF","connection_id":"conn_01E83FVYZHY7DM4S9503JHV0R5","connection_type":"GoogleOAuth","idp_id":"116485463307139932699","email":"bob.loblaw@workos.com","first_name":"Bob","last_name":"Loblaw","raw_attributes":{"hd":"workos.com","id":"116485463307139932699","name":"Bob
+          '{"object":"profile","id":"prof_01EEJTY9SZ1R350RB7B73SNBKF","organization_id":"org_01FG53X8636WSNW2WEKB2C31ZB","connection_id":"conn_01E83FVYZHY7DM4S9503JHV0R5","connection_type":"GoogleOAuth","idp_id":"116485463307139932699","email":"bob.loblaw@workos.com","first_name":"Bob","last_name":"Loblaw","raw_attributes":{"hd":"workos.com","id":"116485463307139932699","name":"Bob
           Loblaw","email":"bob.loblaw@workos.com","locale":"en","picture":"https://lh3.googleusercontent.com/a-/AOh14GyO2hLlgZvteDQ3Ldi3_-RteZLya0hWH7247Cam=s96-c","given_name":"Bob","family_name":"Loblaw","verified_email":true}}'
       http_version:
     recorded_at: Tue, 18 May 2021 22:55:21 GMT

data/spec/support/profile.txt

@@ -1 +1 @@
-{"profile":{"object":"profile","id":"prof_01DRA1XNSJDZ19A31F183ECQW5","email":"demo@workos-okta.com","first_name":"WorkOS","connection_id":"conn_01EMH8WAK20T42N2NBMNBCYHAG","connection_type":"OktaSAML","last_name":"Demo","idp_id":"00u1klkowm8EGah2H357","raw_attributes":{"id":"prof_01DRA1XNSJDZ19A31F183ECQW5","email":"demo@workos-okta.com","first_name":"WorkOS","last_name":"Demo","idp_id":"00u1klkowm8EGah2H357"}},"access_token":"01DVX6QBS3EG6FHY2ESAA5Q65X"}
+{"profile":{"object":"profile","id":"prof_01DRA1XNSJDZ19A31F183ECQW5","email":"demo@workos-okta.com","first_name":"WorkOS","organization_id":"org_01FG53X8636WSNW2WEKB2C31ZB","connection_id":"conn_01EMH8WAK20T42N2NBMNBCYHAG","connection_type":"OktaSAML","last_name":"Demo","idp_id":"00u1klkowm8EGah2H357","raw_attributes":{"id":"prof_01DRA1XNSJDZ19A31F183ECQW5","email":"demo@workos-okta.com","first_name":"WorkOS","last_name":"Demo","idp_id":"00u1klkowm8EGah2H357"}},"access_token":"01DVX6QBS3EG6FHY2ESAA5Q65X"}

data/spec/support/webhook_payload.txt

@@ -0,0 +1 @@
+{"id": "wh_123","data":{"id":"directory_user_01FAEAJCR3ZBZ30D8BD1924TVG","state":"active","emails":[{"type":"work","value":"blair@foo-corp.com","primary":true}],"idp_id":"00u1e8mutl6wlH3lL4x7","object":"directory_user","username":"blair@foo-corp.com","last_name":"Lunceford","first_name":"Blair","directory_id":"directory_01F9M7F68PZP8QXP8G7X5QRHS7","raw_attributes":{"name":{"givenName":"Blair","familyName":"Lunceford","middleName":"Elizabeth","honorificPrefix":"Ms."},"title":"Developer Success Engineer","active":true,"emails":[{"type":"work","value":"blair@foo-corp.com","primary":true}],"groups":[],"locale":"en-US","schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"userName":"blair@foo-corp.com","addresses":[{"region":"CO","primary":true,"locality":"Steamboat Springs","postalCode":"80487"}],"externalId":"00u1e8mutl6wlH3lL4x7","displayName":"Blair Lunceford","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"manager":{"value":"2","displayName":"Kathleen Chung"},"division":"Engineering","department":"Customer Success"}}},"event":"dsync.user.created"}

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: workos
 version: !ruby/object:Gem::Version
-  version: 1.5.1
+  version: 1.6.0
 platform: ruby
 authors:
 - WorkOS
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-01 00:00:00.000000000 Z
+date: 2021-09-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sorbet-runtime
@@ -234,7 +234,10 @@ files:
 - lib/workos/types/passwordless_session_struct.rb
 - lib/workos/types/profile_struct.rb
 - lib/workos/types/provider_enum.rb
+- lib/workos/types/webhook_struct.rb
 - lib/workos/version.rb
+- lib/workos/webhook.rb
+- lib/workos/webhooks.rb
 - sorbet/config
 - sorbet/rbi/gems/addressable.rbi
 - sorbet/rbi/gems/ast.rbi
@@ -276,6 +279,7 @@ files:
 - spec/lib/workos/passwordless_spec.rb
 - spec/lib/workos/portal_spec.rb
 - spec/lib/workos/sso_spec.rb
+- spec/lib/workos/webhooks_spec.rb
 - spec/spec_helper.rb
 - spec/support/fixtures/vcr_cassettes/audit_trail/create_event.yml
 - spec/support/fixtures/vcr_cassettes/audit_trail/create_event_custom_idempotency_key.yml
@@ -315,7 +319,6 @@ files:
 - spec/support/fixtures/vcr_cassettes/organization/get_invalid.yml
 - spec/support/fixtures/vcr_cassettes/organization/list.yml
 - spec/support/fixtures/vcr_cassettes/organization/update.yml
-- spec/support/fixtures/vcr_cassettes/organization/update_invalid.yml
 - spec/support/fixtures/vcr_cassettes/passwordless/create_session.yml
 - spec/support/fixtures/vcr_cassettes/passwordless/create_session_invalid.yml
 - spec/support/fixtures/vcr_cassettes/passwordless/send_session.yml
@@ -337,6 +340,7 @@ files:
 - spec/support/fixtures/vcr_cassettes/sso/profile.yml
 - spec/support/profile.txt
 - spec/support/shared_examples/client_spec.rb
+- spec/support/webhook_payload.txt
 - workos.gemspec
 homepage: https://github.com/workos-inc/workos-ruby
 licenses:
@@ -358,7 +362,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.26
+rubygems_version: 3.2.27
 signing_key:
 specification_version: 4
 summary: API client for WorkOS
@@ -370,6 +374,7 @@ test_files:
 - spec/lib/workos/passwordless_spec.rb
 - spec/lib/workos/portal_spec.rb
 - spec/lib/workos/sso_spec.rb
+- spec/lib/workos/webhooks_spec.rb
 - spec/spec_helper.rb
 - spec/support/fixtures/vcr_cassettes/audit_trail/create_event.yml
 - spec/support/fixtures/vcr_cassettes/audit_trail/create_event_custom_idempotency_key.yml
@@ -409,7 +414,6 @@ test_files:
 - spec/support/fixtures/vcr_cassettes/organization/get_invalid.yml
 - spec/support/fixtures/vcr_cassettes/organization/list.yml
 - spec/support/fixtures/vcr_cassettes/organization/update.yml
-- spec/support/fixtures/vcr_cassettes/organization/update_invalid.yml
 - spec/support/fixtures/vcr_cassettes/passwordless/create_session.yml
 - spec/support/fixtures/vcr_cassettes/passwordless/create_session_invalid.yml
 - spec/support/fixtures/vcr_cassettes/passwordless/send_session.yml
@@ -431,3 +435,4 @@ test_files:
 - spec/support/fixtures/vcr_cassettes/sso/profile.yml
 - spec/support/profile.txt
 - spec/support/shared_examples/client_spec.rb
+- spec/support/webhook_payload.txt

data/spec/support/fixtures/vcr_cassettes/organization/update_invalid.yml

@@ -1,73 +0,0 @@
----
-http_interactions:
-- request:
-    method: put
-    uri: https://api.workos.com/organizations/org_01F29YJ068E52HGEB8ZQGC9MJG
-    body:
-      encoding: UTF-8
-      string: '{"domains":["example.com"],"name":"Test Organization 2"}'
-    headers:
-      Content-Type:
-      - application/json
-      Accept-Encoding:
-      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
-      Accept:
-      - "*/*"
-      User-Agent:
-      - WorkOS; ruby/3.0.1; x86_64-darwin19; v0.11.1
-      Authorization:
-      - Bearer <API_KEY>
-  response:
-    status:
-      code: 200
-      message: OK
-    headers:
-      Server:
-      - Cowboy
-      Connection:
-      - keep-alive
-      Vary:
-      - Origin, Accept-Encoding
-      Access-Control-Allow-Credentials:
-      - 'true'
-      Content-Security-Policy:
-      - 'default-src ''self'';base-uri ''self'';block-all-mixed-content;font-src ''self''
-        https: data:;frame-ancestors ''self'';img-src ''self'' data:;object-src ''none'';script-src
-        ''self'';script-src-attr ''none'';style-src ''self'' https: ''unsafe-inline'';upgrade-insecure-requests'
-      X-Dns-Prefetch-Control:
-      - 'off'
-      Expect-Ct:
-      - max-age=0
-      X-Frame-Options:
-      - SAMEORIGIN
-      Strict-Transport-Security:
-      - max-age=15552000; includeSubDomains
-      X-Download-Options:
-      - noopen
-      X-Content-Type-Options:
-      - nosniff
-      X-Permitted-Cross-Domain-Policies:
-      - none
-      Referrer-Policy:
-      - no-referrer
-      X-Xss-Protection:
-      - '0'
-      X-Request-Id:
-      - 6ba2cbf9-76e3-4a6a-8ebe-d25edb366ed0
-      Content-Type:
-      - application/json; charset=utf-8
-      Content-Length:
-      - '205'
-      Etag:
-      - W/"cd-mlRMlyyz/LtzInRhAghs1B+BT4s"
-      Date:
-      - Wed, 05 May 2021 22:14:10 GMT
-      Via:
-      - 1.1 vegur
-    body:
-      encoding: UTF-8
-      string: '{"object":"organization","id":"org_01F29YJ068E52HGEB8ZQGC9MJG","name":"Test
-        Organization 2","domains":[{"object":"organization_domain","id":"org_domain_01F4Z9GY3089GV4SENXWZ9RBX1","domain":"example.com"}]}'
-    http_version:
-  recorded_at: Wed, 05 May 2021 22:14:10 GMT
-recorded_with: VCR 5.0.0