RubyGems - workos - Versions diffs - 5.28.0 → 5.29.0 - Mend

workos 5.28.0 → 5.29.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/Gemfile.lock +1 -1
data/lib/workos/session.rb +38 -32
data/lib/workos/version.rb +1 -1
data/spec/lib/workos/session_spec.rb +38 -0
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f536a3eeb0b6d0fc877337104c31dc441ab6f32ccceef45ee7dad60bdba36e99
-  data.tar.gz: c9a9bb5353eb0077d43f41da09ad95269034f4a81b4504db72ca13f3086f3a29
+  metadata.gz: 65fed812ccb7c97df25793369c07af5024b6cb7e1a12675c125bbdf4f3fd5730
+  data.tar.gz: b38903b53ed0bad99605ba619453f7fab5653d67baefa0313b6768a81faf0cd6
 SHA512:
-  metadata.gz: b689a75850258ff01f9929fdcfccbe8b76c816395d6266053fdabb2515a8c2fcdae43becd6cec2e5ed378cf6f2b6a0176bc38d92111c9bc12a4f44ec8b1b03e6
-  data.tar.gz: da8fc3b665684df85724b12e8a9c7d86a95fdb26509b92c3e5a13923560c33c8106bc9a65e22d2abe2b7fcf444d3ba67121316b3b2cf75954ce2c51db256c71d
+  metadata.gz: 3a06ceb94077a433ac395d1f979209df0a3473f201843c09dc622ebbf389817fc05377556a84ce363d5d9eecf69a8dba9182581ff1b78450cff22cdef4aaf520
+  data.tar.gz: 7a746ec3b9930327ad6961da2132be517735f204cc548c4c8c8a36f88db1b85d177daf6225ee947cb90a6b27cc6a0121ba37dd1fea4976f28ad84d11cda84f16

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    workos (5.28.0)
+    workos (5.29.0)
       encryptor (~> 3.0)
       jwt (~> 2.8)

data/lib/workos/session.rb CHANGED Viewed

@@ -29,9 +29,10 @@ module WorkOS
     end
     # Authenticates the user based on the session data
+    # @param include_expired [Boolean] If true, returns decoded token data even when expired (default: false)
     # @return [Hash] A hash containing the authentication response and a reason if the authentication failed
-    # rubocop:disable Metrics/AbcSize
-    def authenticate
+    # rubocop:disable Metrics/AbcSize, Metrics/PerceivedComplexity
+    def authenticate(include_expired: false)
       return { authenticated: false, reason: 'NO_SESSION_COOKIE_PROVIDED' } if @session_data.nil?
       begin
@@ -41,23 +42,41 @@ module WorkOS
       end
       return { authenticated: false, reason: 'INVALID_SESSION_COOKIE' } unless session[:access_token]
-      return { authenticated: false, reason: 'INVALID_JWT' } unless is_valid_jwt(session[:access_token])
-      decoded = JWT.decode(session[:access_token], nil, true, algorithms: @jwks_algorithms, jwks: @jwks).first
-      {
-        authenticated: true,
-        session_id: decoded['sid'],
-        organization_id: decoded['org_id'],
-        role: decoded['role'],
-        roles: decoded['roles'],
-        permissions: decoded['permissions'],
-        entitlements: decoded['entitlements'],
-        feature_flags: decoded['feature_flags'],
-        user: session[:user],
-        impersonator: session[:impersonator],
-        reason: nil,
-      }
+      begin
+        decoded = JWT.decode(
+          session[:access_token],
+          nil,
+          true,
+          algorithms: @jwks_algorithms,
+          jwks: @jwks,
+          verify_expiration: false,
+        ).first
+        expired = decoded['exp'] && decoded['exp'] < Time.now.to_i
+        # Early return for expired tokens when not including expired data (backward compatible)
+        return { authenticated: false, reason: 'INVALID_JWT' } if expired && !include_expired
+        # Return full data for valid tokens or when include_expired is true
+        {
+          authenticated: !expired,
+          session_id: decoded['sid'],
+          organization_id: decoded['org_id'],
+          role: decoded['role'],
+          roles: decoded['roles'],
+          permissions: decoded['permissions'],
+          entitlements: decoded['entitlements'],
+          feature_flags: decoded['feature_flags'],
+          user: session[:user],
+          impersonator: session[:impersonator],
+          reason: expired ? 'INVALID_JWT' : nil,
+        }
+      rescue JWT::DecodeError
+        { authenticated: false, reason: 'INVALID_JWT' }
+      rescue StandardError => e
+        { authenticated: false, reason: e.message }
+      end
     end
     # Refreshes the session data using the refresh token stored in the session data
@@ -66,7 +85,6 @@ module WorkOS
     # @option options [String] :organization_id The organization ID to use for refreshing the session
     # @return [Hash] A hash containing a new sealed session, the authentication response,
     # and a reason if the refresh failed
-    # rubocop:disable Metrics/PerceivedComplexity
     def refresh(options = nil)
       cookie_password = options.nil? || options[:cookie_password].nil? ? @cookie_password : options[:cookie_password]
@@ -168,17 +186,5 @@ module WorkOS
       jwks
     end
-    # Validates a JWT token using the JWKS set
-    # @param token [String] The JWT token to validate
-    # @return [Boolean] True if the token is valid, false otherwise
-    # rubocop:disable Naming/PredicateName
-    def is_valid_jwt(token)
-      JWT.decode(token, nil, true, algorithms: @jwks_algorithms, jwks: @jwks)
-      true
-    rescue StandardError
-      false
-    end
-    # rubocop:enable Naming/PredicateName
   end
 end

data/lib/workos/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module WorkOS
-  VERSION = '5.28.0'
+  VERSION = '5.29.0'
 end

data/spec/lib/workos/session_spec.rb CHANGED Viewed

@@ -160,6 +160,44 @@ describe WorkOS::Session do
       expect(result).to eq({ authenticated: false, reason: 'INVALID_JWT' })
     end
+    it 'returns INVALID_JWT without token data when session is expired' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: session_data,
+        cookie_password: cookie_password,
+      )
+      allow_any_instance_of(JWT::Decode).to receive(:verify_signature).and_return(true)
+      allow(Time).to receive(:now).and_return(Time.at(9_999_999_999))
+      result = session.authenticate
+      expect(result).to eq({ authenticated: false, reason: 'INVALID_JWT' })
+    end
+    it 'returns INVALID_JWT with full token data when session is expired and include_expired is true' do
+      session = WorkOS::Session.new(
+        user_management: user_management,
+        client_id: client_id,
+        session_data: session_data,
+        cookie_password: cookie_password,
+      )
+      allow_any_instance_of(JWT::Decode).to receive(:verify_signature).and_return(true)
+      allow(Time).to receive(:now).and_return(Time.at(9_999_999_999))
+      result = session.authenticate(include_expired: true)
+      expect(result).to eq({
+                             authenticated: false,
+                             session_id: 'session_id',
+                             organization_id: 'org_id',
+                             role: 'role',
+                             roles: ['role'],
+                             permissions: ['read'],
+                             feature_flags: nil,
+                             entitlements: nil,
+                             user: 'user',
+                             impersonator: 'impersonator',
+                             reason: 'INVALID_JWT',
+                           })
+    end
     it 'authenticates successfully with valid session_data' do
       session = WorkOS::Session.new(
         user_management: user_management,

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: workos
 version: !ruby/object:Gem::Version
-  version: 5.28.0
+  version: 5.29.0
 platform: ruby
 authors:
 - WorkOS
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-11-20 00:00:00.000000000 Z
+date: 2025-11-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: encryptor