@mastra/auth-workos 0.10.0

package/dist/index.d.cts

@@ -0,0 +1 @@
+export { MastraAuthWorkos } from './_tsup-dts-rollup.cjs';

package/dist/index.d.ts

@@ -0,0 +1 @@
+export { MastraAuthWorkos } from './_tsup-dts-rollup.js';

package/dist/index.js

@@ -0,0 +1,361 @@
+import { SpanKind, trace, context, propagation, SpanStatusCode } from './chunk-JLXWUSDO.js';
+import { verifyJwks } from '@mastra/auth';
+import { WorkOS } from '@workos-inc/node';
+
+// ../../packages/core/dist/chunk-EWDGXKOQ.js
+function hasActiveTelemetry(tracerName = "default-tracer") {
+  try {
+    return !!trace.getTracer(tracerName);
+  } catch {
+    return false;
+  }
+}
+function getBaggageValues(ctx) {
+  const currentBaggage = propagation.getBaggage(ctx);
+  const requestId = currentBaggage?.getEntry("http.request_id")?.value;
+  const componentName = currentBaggage?.getEntry("componentName")?.value;
+  const runId = currentBaggage?.getEntry("runId")?.value;
+  return {
+    requestId,
+    componentName,
+    runId
+  };
+}
+function withSpan(options) {
+  return function(_target, propertyKey, descriptor) {
+    if (!descriptor || typeof descriptor === "number") return;
+    const originalMethod = descriptor.value;
+    const methodName = String(propertyKey);
+    descriptor.value = function(...args) {
+      if (options?.skipIfNoTelemetry && !hasActiveTelemetry(options?.tracerName)) {
+        return originalMethod.apply(this, args);
+      }
+      const tracer = trace.getTracer(options?.tracerName ?? "default-tracer");
+      let spanName;
+      let spanKind;
+      if (typeof options === "string") {
+        spanName = options;
+      } else if (options) {
+        spanName = options.spanName || methodName;
+        spanKind = options.spanKind;
+      } else {
+        spanName = methodName;
+      }
+      const span = tracer.startSpan(spanName, { kind: spanKind });
+      let ctx = trace.setSpan(context.active(), span);
+      args.forEach((arg, index) => {
+        try {
+          span.setAttribute(`${spanName}.argument.${index}`, JSON.stringify(arg));
+        } catch {
+          span.setAttribute(`${spanName}.argument.${index}`, "[Not Serializable]");
+        }
+      });
+      const { requestId, componentName, runId } = getBaggageValues(ctx);
+      if (requestId) {
+        span.setAttribute("http.request_id", requestId);
+      }
+      if (componentName) {
+        span.setAttribute("componentName", componentName);
+        span.setAttribute("runId", runId);
+      } else if (this && this.name) {
+        span.setAttribute("componentName", this.name);
+        span.setAttribute("runId", this.runId);
+        ctx = propagation.setBaggage(
+          ctx,
+          propagation.createBaggage({
+            // @ts-ignore
+            componentName: { value: this.name },
+            // @ts-ignore
+            runId: { value: this.runId },
+            // @ts-ignore
+            "http.request_id": { value: requestId }
+          })
+        );
+      }
+      let result;
+      try {
+        result = context.with(ctx, () => originalMethod.apply(this, args));
+        if (result instanceof Promise) {
+          return result.then((resolvedValue) => {
+            try {
+              span.setAttribute(`${spanName}.result`, JSON.stringify(resolvedValue));
+            } catch {
+              span.setAttribute(`${spanName}.result`, "[Not Serializable]");
+            }
+            return resolvedValue;
+          }).finally(() => span.end());
+        }
+        try {
+          span.setAttribute(`${spanName}.result`, JSON.stringify(result));
+        } catch {
+          span.setAttribute(`${spanName}.result`, "[Not Serializable]");
+        }
+        return result;
+      } catch (error) {
+        span.setStatus({
+          code: SpanStatusCode.ERROR,
+          message: error instanceof Error ? error.message : "Unknown error"
+        });
+        if (error instanceof Error) {
+          span.recordException(error);
+        }
+        throw error;
+      } finally {
+        if (!(result instanceof Promise)) {
+          span.end();
+        }
+      }
+    };
+    return descriptor;
+  };
+}
+function InstrumentClass(options) {
+  return function(target) {
+    const methods = Object.getOwnPropertyNames(target.prototype);
+    methods.forEach((method) => {
+      if (options?.excludeMethods?.includes(method) || method === "constructor") return;
+      if (options?.methodFilter && !options.methodFilter(method)) return;
+      const descriptor = Object.getOwnPropertyDescriptor(target.prototype, method);
+      if (descriptor && typeof descriptor.value === "function") {
+        Object.defineProperty(
+          target.prototype,
+          method,
+          withSpan({
+            spanName: options?.prefix ? `${options.prefix}.${method}` : method,
+            skipIfNoTelemetry: true,
+            spanKind: options?.spanKind || SpanKind.INTERNAL,
+            tracerName: options?.tracerName
+          })(target, method, descriptor)
+        );
+      }
+    });
+    return target;
+  };
+}
+
+// ../../packages/core/dist/chunk-XXVGT7SJ.js
+var RegisteredLogger = {
+  LLM: "LLM"};
+var LogLevel = {
+  DEBUG: "debug",
+  INFO: "info",
+  WARN: "warn",
+  ERROR: "error"};
+var MastraLogger = class {
+  name;
+  level;
+  transports;
+  constructor(options = {}) {
+    this.name = options.name || "Mastra";
+    this.level = options.level || LogLevel.ERROR;
+    this.transports = new Map(Object.entries(options.transports || {}));
+  }
+  getTransports() {
+    return this.transports;
+  }
+  async getLogs(transportId) {
+    if (!transportId || !this.transports.has(transportId)) {
+      return [];
+    }
+    return this.transports.get(transportId).getLogs() ?? [];
+  }
+  async getLogsByRunId({ transportId, runId }) {
+    if (!transportId || !this.transports.has(transportId) || !runId) {
+      return [];
+    }
+    return this.transports.get(transportId).getLogsByRunId({ runId }) ?? [];
+  }
+};
+var ConsoleLogger = class extends MastraLogger {
+  constructor(options = {}) {
+    super(options);
+  }
+  debug(message, ...args) {
+    if (this.level === LogLevel.DEBUG) {
+      console.debug(message, ...args);
+    }
+  }
+  info(message, ...args) {
+    if (this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) {
+      console.info(message, ...args);
+    }
+  }
+  warn(message, ...args) {
+    if (this.level === LogLevel.WARN || this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) {
+      console.warn(message, ...args);
+    }
+  }
+  error(message, ...args) {
+    if (this.level === LogLevel.ERROR || this.level === LogLevel.WARN || this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) {
+      console.error(message, ...args);
+    }
+  }
+  async getLogs(_transportId) {
+    return [];
+  }
+  async getLogsByRunId(_args) {
+    return [];
+  }
+};
+
+// ../../packages/core/dist/chunk-JOCKZ2US.js
+var MastraBase = class {
+  component = RegisteredLogger.LLM;
+  logger;
+  name;
+  telemetry;
+  constructor({ component, name }) {
+    this.component = component || RegisteredLogger.LLM;
+    this.name = name;
+    this.logger = new ConsoleLogger({ name: `${this.component} - ${this.name}` });
+  }
+  /**
+   * Set the logger for the agent
+   * @param logger
+   */
+  __setLogger(logger) {
+    this.logger = logger;
+    if (this.component !== RegisteredLogger.LLM) {
+      this.logger.debug(`Logger updated [component=${this.component}] [name=${this.name}]`);
+    }
+  }
+  /**
+   * Set the telemetry for the
+   * @param telemetry
+   */
+  __setTelemetry(telemetry) {
+    this.telemetry = telemetry;
+    if (this.component !== RegisteredLogger.LLM) {
+      this.logger.debug(`Telemetry updated [component=${this.component}] [name=${this.telemetry.name}]`);
+    }
+  }
+  /**
+   * Get the telemetry on the vector
+   * @returns telemetry
+   */
+  __getTelemetry() {
+    return this.telemetry;
+  }
+  /* 
+    get experimental_telemetry config
+    */
+  get experimental_telemetry() {
+    return this.telemetry ? {
+      // tracer: this.telemetry.tracer,
+      tracer: this.telemetry.getBaggageTracer(),
+      isEnabled: !!this.telemetry.tracer
+    } : void 0;
+  }
+};
+
+// ../../packages/core/dist/chunk-C6A6W6XS.js
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __knownSymbol = (name, symbol) => (symbol = Symbol[name]) ? symbol : Symbol.for("Symbol." + name);
+var __typeError = (msg) => {
+  throw TypeError(msg);
+};
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, {
+  enumerable: true,
+  configurable: true,
+  writable: true,
+  value
+}) : obj[key] = value;
+var __name = (target, value) => __defProp(target, "name", {
+  value,
+  configurable: true
+});
+var __decoratorStart = (base) => [, , , __create(base?.[__knownSymbol("metadata")] ?? null)];
+var __decoratorStrings = ["class", "method", "getter", "setter", "accessor", "field", "value", "get", "set"];
+var __expectFn = (fn) => fn !== void 0 && typeof fn !== "function" ? __typeError("Function expected") : fn;
+var __decoratorContext = (kind, name, done, metadata, fns) => ({
+  kind: __decoratorStrings[kind],
+  name,
+  metadata,
+  addInitializer: (fn) => done._ ? __typeError("Already initialized") : fns.push(__expectFn(fn || null))
+});
+var __decoratorMetadata = (array, target) => __defNormalProp(target, __knownSymbol("metadata"), array[3]);
+var __runInitializers = (array, flags, self, value) => {
+  for (var i = 0, fns = array[flags >> 1], n = fns && fns.length; i < n; i++) fns[i].call(self) ;
+  return value;
+};
+var __decorateElement = (array, flags, name, decorators, target, extra) => {
+  var it, done, ctx, k = flags & 7, p = false;
+  var j = 0;
+  var extraInitializers = array[j] || (array[j] = []);
+  var desc = k && ((target = target.prototype), k < 5 && (k > 3 || !p) && __getOwnPropDesc(target , name));
+  __name(target, name);
+  for (var i = decorators.length - 1; i >= 0; i--) {
+    ctx = __decoratorContext(k, name, done = {}, array[3], extraInitializers);
+    it = (0, decorators[i])(target, ctx), done._ = 1;
+    __expectFn(it) && (target = it);
+  }
+  return __decoratorMetadata(array, target), desc && __defProp(target, name, desc), p ? k ^ 4 ? extra : desc : target;
+};
+
+// ../../packages/core/dist/server/index.js
+var _MastraAuthProvider_decorators;
+var _init;
+var _a;
+_MastraAuthProvider_decorators = [InstrumentClass({
+  prefix: "auth",
+  excludeMethods: ["__setTools", "__setLogger", "__setTelemetry", "#log"]
+})];
+var MastraAuthProvider = class extends (_a = MastraBase) {
+  constructor(options) {
+    super({
+      component: "AUTH",
+      name: options?.name
+    });
+    if (options?.authorizeUser) {
+      this.authorizeUser = options.authorizeUser.bind(this);
+    }
+  }
+  registerOptions(opts) {
+    if (opts?.authorizeUser) {
+      this.authorizeUser = opts.authorizeUser.bind(this);
+    }
+  }
+};
+MastraAuthProvider = /* @__PURE__ */ ((_) => {
+  _init = __decoratorStart(_a);
+  MastraAuthProvider = __decorateElement(_init, 0, "MastraAuthProvider", _MastraAuthProvider_decorators, MastraAuthProvider);
+  __runInitializers(_init, 1, MastraAuthProvider);
+  return MastraAuthProvider;
+})();
+var MastraAuthWorkos = class extends MastraAuthProvider {
+  workos;
+  constructor(options) {
+    super({ name: options?.name ?? "workos" });
+    const apiKey = options?.apiKey ?? process.env.WORKOS_API_KEY;
+    const clientId = options?.clientId ?? process.env.WORKOS_CLIENT_ID;
+    if (!apiKey || !clientId) {
+      throw new Error(
+        "WorkOS API key and client ID are required, please provide them in the options or set the environment variables WORKOS_API_KEY and WORKOS_CLIENT_ID"
+      );
+    }
+    this.workos = new WorkOS(apiKey, {
+      clientId
+    });
+    this.registerOptions(options);
+  }
+  async authenticateToken(token) {
+    const jwksUri = this.workos.userManagement.getJwksUrl(process.env.WORKOS_CLIENT_ID);
+    const user = await verifyJwks(token, jwksUri);
+    return user;
+  }
+  async authorizeUser(user) {
+    if (!user) {
+      return false;
+    }
+    const org = await this.workos.userManagement.listOrganizationMemberships({
+      userId: user.sub
+    });
+    const roles = org.data.map((org2) => org2.role);
+    const isAdmin = roles.some((role) => role.slug === "admin");
+    return isAdmin;
+  }
+};
+
+export { MastraAuthWorkos };

package/eslint.config.js

@@ -0,0 +1,6 @@
+import { createConfig } from '@internal/lint/eslint';
+
+const config = await createConfig();
+
+/** @type {import("eslint").Linter.Config[]} */
+export default [...config];

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "@mastra/auth-workos",
+  "version": "0.10.0",
+  "description": "Mastra WorkOS Auth integration",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    },
+    "./package.json": "./package.json"
+  },
+  "license": "Elastic-2.0",
+  "dependencies": {
+    "@workos-inc/node": "^7.50.1",
+    "@mastra/auth": "0.1.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.13.1",
+    "eslint": "^9.25.1",
+    "tsup": "^8.4.0",
+    "typescript": "^5.8.3",
+    "vitest": "^2.1.9",
+    "@mastra/core": "0.10.2",
+    "@internal/lint": "0.0.8"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --format esm,cjs --experimental-dts --clean --treeshake",
+    "build:watch": "pnpm build --watch",
+    "test": "vitest run",
+    "lint": "eslint ."
+  }
+}

package/src/index.test.ts

@@ -0,0 +1,185 @@
+import type { JwtPayload } from '@mastra/auth';
+import { verifyJwks } from '@mastra/auth';
+import { WorkOS } from '@workos-inc/node';
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { MastraAuthWorkos } from './index';
+
+// Mock the WorkOS class
+vi.mock('@workos-inc/node', () => ({
+  WorkOS: vi.fn().mockImplementation(() => ({
+    userManagement: {
+      getJwksUrl: vi.fn().mockReturnValue('https://mock-jwks-url'),
+      listOrganizationMemberships: vi.fn().mockResolvedValue({
+        data: [{ role: { slug: 'admin' } }, { role: { slug: 'member' } }],
+      }),
+    },
+  })),
+}));
+
+// Mock the verifyJwks function
+vi.mock('@mastra/auth', () => ({
+  verifyJwks: vi.fn().mockResolvedValue({
+    sub: 'user123',
+    email: 'test@example.com',
+  } as JwtPayload),
+}));
+
+describe('MastraAuthWorkos', () => {
+  const mockApiKey = 'test-api-key';
+  const mockClientId = 'test-client-id';
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    // Reset environment variables
+    delete process.env.WORKOS_API_KEY;
+    delete process.env.WORKOS_CLIENT_ID;
+  });
+
+  describe('constructor', () => {
+    it('should initialize with provided options', () => {
+      new MastraAuthWorkos({
+        apiKey: mockApiKey,
+        clientId: mockClientId,
+      });
+
+      expect(WorkOS).toHaveBeenCalledWith(mockApiKey, {
+        clientId: mockClientId,
+      });
+    });
+
+    it('should initialize with environment variables', () => {
+      process.env.WORKOS_API_KEY = mockApiKey;
+      process.env.WORKOS_CLIENT_ID = mockClientId;
+
+      new MastraAuthWorkos();
+
+      expect(WorkOS).toHaveBeenCalledWith(mockApiKey, {
+        clientId: mockClientId,
+      });
+    });
+
+    it('should throw error when neither options nor environment variables are provided', () => {
+      expect(() => new MastraAuthWorkos()).toThrow('WorkOS API key and client ID are required');
+    });
+  });
+
+  describe('authenticateToken', () => {
+    it('should authenticate a valid token', async () => {
+      const auth = new MastraAuthWorkos({
+        apiKey: mockApiKey,
+        clientId: mockClientId,
+      });
+
+      const mockToken = 'valid-token';
+      const result = await auth.authenticateToken(mockToken);
+
+      expect(verifyJwks).toHaveBeenCalledWith(mockToken, 'https://mock-jwks-url');
+      expect(result).toEqual({
+        sub: 'user123',
+        email: 'test@example.com',
+      });
+    });
+
+    it('should return null for invalid token', async () => {
+      vi.mocked(verifyJwks).mockResolvedValueOnce(null as unknown as JwtPayload);
+
+      const auth = new MastraAuthWorkos({
+        apiKey: mockApiKey,
+        clientId: mockClientId,
+      });
+
+      const result = await auth.authenticateToken('invalid-token');
+      expect(result).toBeNull();
+    });
+  });
+
+  describe('authorizeUser', () => {
+    it('should return true for admin users', async () => {
+      const auth = new MastraAuthWorkos({
+        apiKey: mockApiKey,
+        clientId: mockClientId,
+      });
+
+      const result = await auth.authorizeUser({
+        sub: 'user123',
+        email: 'test@example.com',
+      });
+
+      expect(result).toBe(true);
+    });
+
+    it('should return false for non-admin users', async () => {
+      vi.mocked(WorkOS).mockImplementationOnce(
+        () =>
+          ({
+            userManagement: {
+              getJwksUrl: vi.fn().mockReturnValue('https://mock-jwks-url'),
+              listOrganizationMemberships: vi.fn().mockResolvedValue({
+                data: [{ role: { slug: 'member' } }],
+              }),
+            },
+          }) as unknown as WorkOS,
+      );
+
+      const auth = new MastraAuthWorkos({
+        apiKey: mockApiKey,
+        clientId: mockClientId,
+      });
+
+      const result = await auth.authorizeUser({
+        sub: 'user123',
+        email: 'test@example.com',
+      });
+
+      expect(result).toBe(false);
+    });
+
+    it('should return false for falsy user', async () => {
+      vi.mocked(WorkOS).mockImplementationOnce(
+        () =>
+          ({
+            userManagement: {
+              getJwksUrl: vi.fn().mockReturnValue('https://mock-jwks-url'),
+              listOrganizationMemberships: vi.fn().mockResolvedValue({
+                data: [], // Empty data array means no roles
+              }),
+            },
+          }) as unknown as WorkOS,
+      );
+
+      const auth = new MastraAuthWorkos({
+        apiKey: mockApiKey,
+        clientId: mockClientId,
+      });
+
+      const result = await auth.authorizeUser({
+        sub: '',
+        email: '',
+      });
+      expect(result).toBe(false);
+    });
+  });
+
+  it('can be overridden with custom authorization logic', async () => {
+    const workos = new MastraAuthWorkos({
+      apiKey: mockApiKey,
+      clientId: mockClientId,
+      async authorizeUser(user: any): Promise<boolean> {
+        // Custom authorization logic that checks for specific permissions
+        return user?.permissions?.includes('admin') ?? false;
+      },
+    });
+
+    // Test with admin user
+    const adminUser = { sub: 'user123', permissions: ['admin'] };
+    expect(await workos.authorizeUser(adminUser)).toBe(true);
+
+    // Test with non-admin user
+    const regularUser = { sub: 'user456', permissions: ['read'] };
+    expect(await workos.authorizeUser(regularUser)).toBe(false);
+
+    // Test with user without permissions
+    const noPermissionsUser = { sub: 'user789' };
+    expect(await workos.authorizeUser(noPermissionsUser)).toBe(false);
+  });
+});

package/src/index.ts

@@ -0,0 +1,57 @@
+import { verifyJwks } from '@mastra/auth';
+import type { JwtPayload } from '@mastra/auth';
+import type { MastraAuthProviderOptions } from '@mastra/core/server';
+import { MastraAuthProvider } from '@mastra/core/server';
+import { WorkOS } from '@workos-inc/node';
+
+type WorkosUser = JwtPayload;
+
+interface MastraAuthWorkosOptions extends MastraAuthProviderOptions<WorkosUser> {
+  apiKey?: string;
+  clientId?: string;
+}
+
+export class MastraAuthWorkos extends MastraAuthProvider<WorkosUser> {
+  protected workos: WorkOS;
+
+  constructor(options?: MastraAuthWorkosOptions) {
+    super({ name: options?.name ?? 'workos' });
+
+    const apiKey = options?.apiKey ?? process.env.WORKOS_API_KEY;
+    const clientId = options?.clientId ?? process.env.WORKOS_CLIENT_ID;
+
+    if (!apiKey || !clientId) {
+      throw new Error(
+        'WorkOS API key and client ID are required, please provide them in the options or set the environment variables WORKOS_API_KEY and WORKOS_CLIENT_ID',
+      );
+    }
+
+    this.workos = new WorkOS(apiKey, {
+      clientId,
+    });
+
+    this.registerOptions(options);
+  }
+
+  async authenticateToken(token: string): Promise<WorkosUser | null> {
+    const jwksUri = this.workos.userManagement.getJwksUrl(process.env.WORKOS_CLIENT_ID!);
+    const user = await verifyJwks(token, jwksUri);
+    return user;
+  }
+
+  async authorizeUser(user: WorkosUser) {
+    if (!user) {
+      return false;
+    }
+
+    const org = await this.workos.userManagement.listOrganizationMemberships({
+      userId: user.sub,
+    });
+
+    const roles = org.data.map(org => org.role);
+
+    const isAdmin = roles.some(role => role.slug === 'admin');
+
+    return isAdmin;
+  }
+}

package/tsconfig.json

@@ -0,0 +1,5 @@
+{
+  "extends": "../../tsconfig.node.json",
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "**/*.test.ts"]
+}

package/vitest.config.ts

@@ -0,0 +1,8 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    include: ['src/**/*.test.ts'],
+  },
+});