@mastra/auth-workos 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (21) hide show
  1. package/CHANGELOG.md +76 -0
  2. package/LICENSE.md +15 -0
  3. package/dist/admin-portal.d.ts +77 -0
  4. package/dist/admin-portal.d.ts.map +1 -0
  5. package/dist/auth-provider.d.ts +137 -0
  6. package/dist/auth-provider.d.ts.map +1 -0
  7. package/dist/directory-sync.d.ts +129 -0
  8. package/dist/directory-sync.d.ts.map +1 -0
  9. package/dist/index.cjs +835 -130
  10. package/dist/index.cjs.map +1 -1
  11. package/dist/index.d.ts +42 -16
  12. package/dist/index.d.ts.map +1 -1
  13. package/dist/index.js +832 -132
  14. package/dist/index.js.map +1 -1
  15. package/dist/rbac-provider.d.ts +129 -0
  16. package/dist/rbac-provider.d.ts.map +1 -0
  17. package/dist/session-storage.d.ts +25 -0
  18. package/dist/session-storage.d.ts.map +1 -0
  19. package/dist/types.d.ts +196 -0
  20. package/dist/types.d.ts.map +1 -0
  21. package/package.json +16 -10
package/CHANGELOG.md CHANGED
@@ -1,5 +1,81 @@
1
1
  # @mastra/auth-workos
2
2
 
3
+ ## 1.1.0
4
+
5
+ ### Minor Changes
6
+
7
+ - Added full auth provider to `@mastra/auth-workos` with SSO, RBAC, SCIM directory sync, and admin portal support. ([#13163](https://github.com/mastra-ai/mastra/pull/13163))
8
+
9
+ ```ts
10
+ import { MastraAuthWorkos, MastraRBACWorkos } from '@mastra/auth-workos';
11
+
12
+ const mastra = new Mastra({
13
+ server: {
14
+ auth: new MastraAuthWorkos({
15
+ apiKey: process.env.WORKOS_API_KEY,
16
+ clientId: process.env.WORKOS_CLIENT_ID,
17
+ }),
18
+ rbac: new MastraRBACWorkos({
19
+ apiKey: process.env.WORKOS_API_KEY,
20
+ clientId: process.env.WORKOS_CLIENT_ID,
21
+ roleMapping: {
22
+ admin: ['*'],
23
+ member: ['agents:read', 'workflows:*'],
24
+ },
25
+ }),
26
+ },
27
+ });
28
+ ```
29
+
30
+ - **SSO** via WorkOS AuthKit (SAML, OIDC)
31
+ - **RBAC** with wildcard permission mapping from WorkOS organization roles
32
+ - **Directory Sync** webhook handler for SCIM-based user provisioning
33
+ - **Admin Portal** helper for customer self-service SSO configuration
34
+
35
+ ### Patch Changes
36
+
37
+ - Updated dependencies [[`504fc8b`](https://github.com/mastra-ai/mastra/commit/504fc8b9d0ddab717577ad3bf9c95ea4bd5377bd), [`f9c150b`](https://github.com/mastra-ai/mastra/commit/f9c150b7595ad05ad9cc9a11098e2944361e8c22), [`88de7e8`](https://github.com/mastra-ai/mastra/commit/88de7e8dfe4b7e1951a9e441bb33136e705ce24e), [`edee4b3`](https://github.com/mastra-ai/mastra/commit/edee4b37dff0af515fc7cc0e8d71ee39e6a762f0), [`3790c75`](https://github.com/mastra-ai/mastra/commit/3790c7578cc6a47d854eb12d89e6b1912867fe29), [`e7a235b`](https://github.com/mastra-ai/mastra/commit/e7a235be6472e0c870ed6c791ddb17c492dc188b), [`d51d298`](https://github.com/mastra-ai/mastra/commit/d51d298953967aab1f58ec965b644d109214f085), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`d5f0d8d`](https://github.com/mastra-ai/mastra/commit/d5f0d8d6a03e515ddaa9b5da19b7e44b8357b07b), [`09c3b18`](https://github.com/mastra-ai/mastra/commit/09c3b1802ff14e243a8a8baea327440bc8cc2e32), [`b896379`](https://github.com/mastra-ai/mastra/commit/b8963791c6afa79484645fcec596a201f936b9a2), [`85c84eb`](https://github.com/mastra-ai/mastra/commit/85c84ebb78aebfcba9d209c8e152b16d7a00cb71), [`a89272a`](https://github.com/mastra-ai/mastra/commit/a89272a5d71939b9fcd284e6a6dc1dd091a6bdcf), [`ee9c8df`](https://github.com/mastra-ai/mastra/commit/ee9c8df644f19d055af5f496bf4942705f5a47b7), [`77b4a25`](https://github.com/mastra-ai/mastra/commit/77b4a254e51907f8ff3a3ba95596a18e93ae4b35), [`276246e`](https://github.com/mastra-ai/mastra/commit/276246e0b9066a1ea48bbc70df84dbe528daaf99), [`08ecfdb`](https://github.com/mastra-ai/mastra/commit/08ecfdbdad6fb8285deef86a034bdf4a6047cfca), [`d5f628c`](https://github.com/mastra-ai/mastra/commit/d5f628ca86c6f6f3ff1035d52f635df32dd81cab), [`524c0f3`](https://github.com/mastra-ai/mastra/commit/524c0f3c434c3d9d18f66338dcef383d6161b59c), [`c18a0e9`](https://github.com/mastra-ai/mastra/commit/c18a0e9cef1e4ca004b2963d35e4cfc031971eac), [`4bd21ea`](https://github.com/mastra-ai/mastra/commit/4bd21ea43d44d0a0427414fc047577f9f0aa3bec), [`115a7a4`](https://github.com/mastra-ai/mastra/commit/115a7a47db5e9896fec12ae6507501adb9ec89bf), [`22a48ae`](https://github.com/mastra-ai/mastra/commit/22a48ae2513eb54d8d79dad361fddbca97a155e8), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9311c17`](https://github.com/mastra-ai/mastra/commit/9311c17d7a0640d9c4da2e71b814dc67c57c6369), [`7edf78f`](https://github.com/mastra-ai/mastra/commit/7edf78f80422c43e84585f08ba11df0d4d0b73c5), [`1c4221c`](https://github.com/mastra-ai/mastra/commit/1c4221cf6032ec98d0e094d4ee11da3e48490d96), [`d25b9ea`](https://github.com/mastra-ai/mastra/commit/d25b9eabd400167255a97b690ffbc4ee4097ded5), [`fe1ce5c`](https://github.com/mastra-ai/mastra/commit/fe1ce5c9211c03d561606fda95cbfe7df1d9a9b5), [`b03c0e0`](https://github.com/mastra-ai/mastra/commit/b03c0e0389a799523929a458b0509c9e4244d562), [`0a8366b`](https://github.com/mastra-ai/mastra/commit/0a8366b0a692fcdde56c4d526e4cf03c502ae4ac), [`85664e9`](https://github.com/mastra-ai/mastra/commit/85664e9fd857320fbc245e301f764f45f66f32a3), [`bc79650`](https://github.com/mastra-ai/mastra/commit/bc796500c6e0334faa158a96077e3fb332274869), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`3a3a59e`](https://github.com/mastra-ai/mastra/commit/3a3a59e8ffaa6a985fe3d9a126a3f5ade11a6724), [`3108d4e`](https://github.com/mastra-ai/mastra/commit/3108d4e649c9fddbf03253a6feeb388a5fa9fa5a), [`0c33b2c`](https://github.com/mastra-ai/mastra/commit/0c33b2c9db537f815e1c59e2c898ffce2e395a79), [`191e5bd`](https://github.com/mastra-ai/mastra/commit/191e5bd29b82f5bda35243945790da7bc7b695c2), [`f77cd94`](https://github.com/mastra-ai/mastra/commit/f77cd94c44eabed490384e7d19232a865e13214c), [`e8135c7`](https://github.com/mastra-ai/mastra/commit/e8135c7e300dac5040670eec7eab896ac6092e30), [`daca48f`](https://github.com/mastra-ai/mastra/commit/daca48f0fb17b7ae0b62a2ac40cf0e491b2fd0b7), [`257d14f`](https://github.com/mastra-ai/mastra/commit/257d14faca5931f2e4186fc165b6f0b1f915deee), [`352f25d`](https://github.com/mastra-ai/mastra/commit/352f25da316b24cdd5b410fd8dddf6a8b763da2a), [`93477d0`](https://github.com/mastra-ai/mastra/commit/93477d0769b8a13ea5ed73d508d967fb23eaeed9), [`31c78b3`](https://github.com/mastra-ai/mastra/commit/31c78b3eb28f58a8017f1dcc795c33214d87feac), [`0bc0720`](https://github.com/mastra-ai/mastra/commit/0bc07201095791858087cc56f353fcd65e87ab54), [`36516ac`](https://github.com/mastra-ai/mastra/commit/36516aca1021cbeb42e74751b46a2614101f37c8), [`e947652`](https://github.com/mastra-ai/mastra/commit/e9476527fdecb4449e54570e80dfaf8466901254), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`ec248f6`](https://github.com/mastra-ai/mastra/commit/ec248f6b56e8a037c066c49b2178e2507471d988)]:
38
+ - @mastra/core@1.9.0
39
+ - @mastra/auth@1.0.0
40
+
41
+ ## 1.1.0-alpha.0
42
+
43
+ ### Minor Changes
44
+
45
+ - Added full auth provider to `@mastra/auth-workos` with SSO, RBAC, SCIM directory sync, and admin portal support. ([#13163](https://github.com/mastra-ai/mastra/pull/13163))
46
+
47
+ ```ts
48
+ import { MastraAuthWorkos, MastraRBACWorkos } from '@mastra/auth-workos';
49
+
50
+ const mastra = new Mastra({
51
+ server: {
52
+ auth: new MastraAuthWorkos({
53
+ apiKey: process.env.WORKOS_API_KEY,
54
+ clientId: process.env.WORKOS_CLIENT_ID,
55
+ }),
56
+ rbac: new MastraRBACWorkos({
57
+ apiKey: process.env.WORKOS_API_KEY,
58
+ clientId: process.env.WORKOS_CLIENT_ID,
59
+ roleMapping: {
60
+ admin: ['*'],
61
+ member: ['agents:read', 'workflows:*'],
62
+ },
63
+ }),
64
+ },
65
+ });
66
+ ```
67
+
68
+ - **SSO** via WorkOS AuthKit (SAML, OIDC)
69
+ - **RBAC** with wildcard permission mapping from WorkOS organization roles
70
+ - **Directory Sync** webhook handler for SCIM-based user provisioning
71
+ - **Admin Portal** helper for customer self-service SSO configuration
72
+
73
+ ### Patch Changes
74
+
75
+ - Updated dependencies [[`504fc8b`](https://github.com/mastra-ai/mastra/commit/504fc8b9d0ddab717577ad3bf9c95ea4bd5377bd), [`f9c150b`](https://github.com/mastra-ai/mastra/commit/f9c150b7595ad05ad9cc9a11098e2944361e8c22), [`88de7e8`](https://github.com/mastra-ai/mastra/commit/88de7e8dfe4b7e1951a9e441bb33136e705ce24e), [`edee4b3`](https://github.com/mastra-ai/mastra/commit/edee4b37dff0af515fc7cc0e8d71ee39e6a762f0), [`3790c75`](https://github.com/mastra-ai/mastra/commit/3790c7578cc6a47d854eb12d89e6b1912867fe29), [`e7a235b`](https://github.com/mastra-ai/mastra/commit/e7a235be6472e0c870ed6c791ddb17c492dc188b), [`d51d298`](https://github.com/mastra-ai/mastra/commit/d51d298953967aab1f58ec965b644d109214f085), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`d5f0d8d`](https://github.com/mastra-ai/mastra/commit/d5f0d8d6a03e515ddaa9b5da19b7e44b8357b07b), [`09c3b18`](https://github.com/mastra-ai/mastra/commit/09c3b1802ff14e243a8a8baea327440bc8cc2e32), [`b896379`](https://github.com/mastra-ai/mastra/commit/b8963791c6afa79484645fcec596a201f936b9a2), [`85c84eb`](https://github.com/mastra-ai/mastra/commit/85c84ebb78aebfcba9d209c8e152b16d7a00cb71), [`a89272a`](https://github.com/mastra-ai/mastra/commit/a89272a5d71939b9fcd284e6a6dc1dd091a6bdcf), [`ee9c8df`](https://github.com/mastra-ai/mastra/commit/ee9c8df644f19d055af5f496bf4942705f5a47b7), [`77b4a25`](https://github.com/mastra-ai/mastra/commit/77b4a254e51907f8ff3a3ba95596a18e93ae4b35), [`276246e`](https://github.com/mastra-ai/mastra/commit/276246e0b9066a1ea48bbc70df84dbe528daaf99), [`08ecfdb`](https://github.com/mastra-ai/mastra/commit/08ecfdbdad6fb8285deef86a034bdf4a6047cfca), [`d5f628c`](https://github.com/mastra-ai/mastra/commit/d5f628ca86c6f6f3ff1035d52f635df32dd81cab), [`524c0f3`](https://github.com/mastra-ai/mastra/commit/524c0f3c434c3d9d18f66338dcef383d6161b59c), [`c18a0e9`](https://github.com/mastra-ai/mastra/commit/c18a0e9cef1e4ca004b2963d35e4cfc031971eac), [`4bd21ea`](https://github.com/mastra-ai/mastra/commit/4bd21ea43d44d0a0427414fc047577f9f0aa3bec), [`115a7a4`](https://github.com/mastra-ai/mastra/commit/115a7a47db5e9896fec12ae6507501adb9ec89bf), [`22a48ae`](https://github.com/mastra-ai/mastra/commit/22a48ae2513eb54d8d79dad361fddbca97a155e8), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9311c17`](https://github.com/mastra-ai/mastra/commit/9311c17d7a0640d9c4da2e71b814dc67c57c6369), [`7edf78f`](https://github.com/mastra-ai/mastra/commit/7edf78f80422c43e84585f08ba11df0d4d0b73c5), [`1c4221c`](https://github.com/mastra-ai/mastra/commit/1c4221cf6032ec98d0e094d4ee11da3e48490d96), [`d25b9ea`](https://github.com/mastra-ai/mastra/commit/d25b9eabd400167255a97b690ffbc4ee4097ded5), [`fe1ce5c`](https://github.com/mastra-ai/mastra/commit/fe1ce5c9211c03d561606fda95cbfe7df1d9a9b5), [`b03c0e0`](https://github.com/mastra-ai/mastra/commit/b03c0e0389a799523929a458b0509c9e4244d562), [`0a8366b`](https://github.com/mastra-ai/mastra/commit/0a8366b0a692fcdde56c4d526e4cf03c502ae4ac), [`85664e9`](https://github.com/mastra-ai/mastra/commit/85664e9fd857320fbc245e301f764f45f66f32a3), [`bc79650`](https://github.com/mastra-ai/mastra/commit/bc796500c6e0334faa158a96077e3fb332274869), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`3a3a59e`](https://github.com/mastra-ai/mastra/commit/3a3a59e8ffaa6a985fe3d9a126a3f5ade11a6724), [`3108d4e`](https://github.com/mastra-ai/mastra/commit/3108d4e649c9fddbf03253a6feeb388a5fa9fa5a), [`0c33b2c`](https://github.com/mastra-ai/mastra/commit/0c33b2c9db537f815e1c59e2c898ffce2e395a79), [`191e5bd`](https://github.com/mastra-ai/mastra/commit/191e5bd29b82f5bda35243945790da7bc7b695c2), [`f77cd94`](https://github.com/mastra-ai/mastra/commit/f77cd94c44eabed490384e7d19232a865e13214c), [`e8135c7`](https://github.com/mastra-ai/mastra/commit/e8135c7e300dac5040670eec7eab896ac6092e30), [`daca48f`](https://github.com/mastra-ai/mastra/commit/daca48f0fb17b7ae0b62a2ac40cf0e491b2fd0b7), [`257d14f`](https://github.com/mastra-ai/mastra/commit/257d14faca5931f2e4186fc165b6f0b1f915deee), [`352f25d`](https://github.com/mastra-ai/mastra/commit/352f25da316b24cdd5b410fd8dddf6a8b763da2a), [`93477d0`](https://github.com/mastra-ai/mastra/commit/93477d0769b8a13ea5ed73d508d967fb23eaeed9), [`31c78b3`](https://github.com/mastra-ai/mastra/commit/31c78b3eb28f58a8017f1dcc795c33214d87feac), [`0bc0720`](https://github.com/mastra-ai/mastra/commit/0bc07201095791858087cc56f353fcd65e87ab54), [`36516ac`](https://github.com/mastra-ai/mastra/commit/36516aca1021cbeb42e74751b46a2614101f37c8), [`e947652`](https://github.com/mastra-ai/mastra/commit/e9476527fdecb4449e54570e80dfaf8466901254), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`ec248f6`](https://github.com/mastra-ai/mastra/commit/ec248f6b56e8a037c066c49b2178e2507471d988)]:
76
+ - @mastra/core@1.9.0-alpha.0
77
+ - @mastra/auth@1.0.0
78
+
3
79
  ## 1.0.0
4
80
 
5
81
  ### Major Changes
package/LICENSE.md CHANGED
@@ -1,3 +1,18 @@
1
+ Portions of this software are licensed as follows:
2
+
3
+ - All content that resides under any directory named "ee/" within this
4
+ repository, including but not limited to:
5
+ - `packages/core/src/auth/ee/`
6
+ - `packages/server/src/server/auth/ee/`
7
+ is licensed under the license defined in `ee/LICENSE`.
8
+
9
+ - All third-party components incorporated into the Mastra Software are
10
+ licensed under the original license provided by the owner of the
11
+ applicable component.
12
+
13
+ - Content outside of the above-mentioned directories or restrictions is
14
+ available under the "Apache License 2.0" as defined below.
15
+
1
16
  # Apache License 2.0
2
17
 
3
18
  Copyright (c) 2025 Kepler Software, Inc.
package/dist/admin-portal.d.ts ADDED
@@ -0,0 +1,77 @@
1
+ /**
2
+ * WorkOS Admin Portal integration for customer self-service configuration.
3
+ *
4
+ * The Admin Portal allows enterprise customers to configure their own:
5
+ * - SSO connections (SAML, OIDC)
6
+ * - Directory Sync (SCIM)
7
+ * - Audit log viewing and export
8
+ * - Log streaming to SIEM systems
9
+ *
10
+ * @module
11
+ */
12
+ import type { WorkOS } from '@workos-inc/node';
13
+ import type { AdminPortalIntent, WorkOSAdminPortalOptions } from './types.js';
14
+ /**
15
+ * Generates links to the WorkOS Admin Portal for customer self-service configuration.
16
+ *
17
+ * The Admin Portal provides a pre-built UI where enterprise customers can manage
18
+ * their own identity configuration without developer intervention.
19
+ *
20
+ * @example
21
+ * ```typescript
22
+ * import { WorkOS } from '@workos-inc/node';
23
+ * import { WorkOSAdminPortal } from '@mastra/workos';
24
+ *
25
+ * const workos = new WorkOS(process.env.WORKOS_API_KEY);
26
+ * const adminPortal = new WorkOSAdminPortal(workos, {
27
+ * returnUrl: 'https://app.example.com/settings',
28
+ * });
29
+ *
30
+ * // Generate a link for SSO configuration
31
+ * const ssoLink = await adminPortal.getPortalLink('org_01H...', 'sso');
32
+ *
33
+ * // Generate a link for Directory Sync configuration
34
+ * const dsyncLink = await adminPortal.getPortalLink('org_01H...', 'dsync');
35
+ *
36
+ * // Redirect the user to the generated link
37
+ * ```
38
+ */
39
+ export declare class WorkOSAdminPortal {
40
+ private workos;
41
+ private returnUrl;
42
+ /**
43
+ * Creates a new WorkOSAdminPortal instance.
44
+ *
45
+ * @param workos - The WorkOS client instance
46
+ * @param options - Configuration options for the Admin Portal
47
+ */
48
+ constructor(workos: WorkOS, options?: WorkOSAdminPortalOptions);
49
+ /**
50
+ * Generates a link to the WorkOS Admin Portal for a specific organization.
51
+ *
52
+ * The generated link is a one-time use URL that expires after a short period.
53
+ * Users should be redirected to this link immediately after generation.
54
+ *
55
+ * @param organizationId - The WorkOS organization ID (e.g., 'org_01H...')
56
+ * @param intent - The portal section to open. Determines what the user can configure:
57
+ * - `'sso'`: Configure SSO connections (SAML, OIDC providers)
58
+ * - `'dsync'`: Configure Directory Sync (SCIM provisioning)
59
+ * - `'audit_logs'`: View and export audit logs
60
+ * - `'log_streams'`: Configure log streaming to external SIEM systems
61
+ * @returns A promise that resolves to the Admin Portal URL
62
+ *
63
+ * @example
64
+ * ```typescript
65
+ * // SSO configuration (default)
66
+ * const link = await adminPortal.getPortalLink('org_01H...');
67
+ *
68
+ * // Directory Sync configuration
69
+ * const link = await adminPortal.getPortalLink('org_01H...', 'dsync');
70
+ *
71
+ * // Audit logs viewing
72
+ * const link = await adminPortal.getPortalLink('org_01H...', 'audit_logs');
73
+ * ```
74
+ */
75
+ getPortalLink(organizationId: string, intent?: AdminPortalIntent): Promise<string>;
76
+ }
77
+ //# sourceMappingURL=admin-portal.d.ts.map
package/dist/admin-portal.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"admin-portal.d.ts","sourceRoot":"","sources":["../src/admin-portal.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAE/C,OAAO,KAAK,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAY9E;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,SAAS,CAAS;IAE1B;;;;;OAKG;gBACS,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,wBAAwB;IAK9D;;;;;;;;;;;;;;;;;;;;;;;;;OAyBG;IACG,aAAa,CAAC,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC;CASzF"}
package/dist/auth-provider.d.ts ADDED
@@ -0,0 +1,137 @@
1
+ /**
2
+ * MastraAuthWorkos - WorkOS authentication provider for Mastra.
3
+ *
4
+ * Uses @workos/authkit-session for session management with encrypted
5
+ * cookie-based sessions that persist across server restarts.
6
+ */
7
+ import type { IUserProvider, ISSOProvider, ISessionProvider, Session, SSOCallbackResult, SSOLoginConfig } from '@mastra/core/auth';
8
+ import type { EEUser } from '@mastra/core/auth/ee';
9
+ import { MastraAuthProvider } from '@mastra/core/server';
10
+ import { AuthService } from '@workos/authkit-session';
11
+ import type { AuthKitConfig } from '@workos/authkit-session';
12
+ import { WorkOS } from '@workos-inc/node';
13
+ import type { HonoRequest } from 'hono';
14
+ import type { WorkOSUser, MastraAuthWorkosOptions } from './types.js';
15
+ /**
16
+ * Mastra authentication provider for WorkOS.
17
+ *
18
+ * Uses WorkOS AuthKit with encrypted cookie-based sessions.
19
+ * Sessions are stored in cookies, so they persist across server restarts.
20
+ *
21
+ * @example Basic usage with SSO
22
+ * ```typescript
23
+ * import { MastraAuthWorkos } from '@mastra/auth-workos';
24
+ *
25
+ * const auth = new MastraAuthWorkos({
26
+ * apiKey: process.env.WORKOS_API_KEY,
27
+ * clientId: process.env.WORKOS_CLIENT_ID,
28
+ * redirectUri: 'https://myapp.com/auth/callback',
29
+ * cookiePassword: process.env.WORKOS_COOKIE_PASSWORD, // min 32 chars
30
+ * });
31
+ * ```
32
+ */
33
+ export declare class MastraAuthWorkos extends MastraAuthProvider<WorkOSUser> implements IUserProvider<EEUser>, ISSOProvider<EEUser>, ISessionProvider<Session> {
34
+ protected workos: WorkOS;
35
+ protected clientId: string;
36
+ protected redirectUri: string;
37
+ protected ssoConfig: MastraAuthWorkosOptions['sso'];
38
+ protected authService: AuthService<Request, Response>;
39
+ protected config: AuthKitConfig;
40
+ constructor(options?: MastraAuthWorkosOptions);
41
+ /**
42
+ * Authenticate a bearer token or session cookie.
43
+ *
44
+ * Uses AuthKit's withAuth() for cookie-based sessions, falls back to
45
+ * JWT verification for bearer tokens.
46
+ */
47
+ authenticateToken(token: string, request: HonoRequest | Request): Promise<WorkOSUser | null>;
48
+ /**
49
+ * Authorize a user for access.
50
+ */
51
+ authorizeUser(user: WorkOSUser): Promise<boolean>;
52
+ /**
53
+ * Get the current user from the request using AuthKit session.
54
+ */
55
+ getCurrentUser(request: Request): Promise<EEUser | null>;
56
+ /**
57
+ * Get a user by their ID.
58
+ */
59
+ getUser(userId: string): Promise<WorkOSUser | null>;
60
+ /**
61
+ * Get the URL to the user's profile page.
62
+ */
63
+ getUserProfileUrl(user: EEUser): string;
64
+ /**
65
+ * Get the URL to redirect users to for SSO login.
66
+ */
67
+ getLoginUrl(redirectUri: string, state: string): string;
68
+ /**
69
+ * Handle the OAuth callback from WorkOS.
70
+ *
71
+ * Uses AuthKit's handleCallback for proper session creation.
72
+ */
73
+ handleCallback(code: string, _state: string): Promise<SSOCallbackResult<EEUser>>;
74
+ /**
75
+ * Get the URL to redirect users to for logout.
76
+ * Extracts session ID from the request's JWT to build a valid WorkOS logout URL.
77
+ *
78
+ * @param redirectUri - URL to redirect to after logout
79
+ * @param request - Request containing session cookie (needed to extract sid)
80
+ * @returns Logout URL or null if no active session
81
+ */
82
+ getLogoutUrl(redirectUri: string, request?: Request): Promise<string | null>;
83
+ /**
84
+ * Get the configuration for rendering the login button.
85
+ */
86
+ getLoginButtonConfig(): SSOLoginConfig;
87
+ /**
88
+ * Create a new session for a user.
89
+ *
90
+ * Note: With AuthKit, sessions are created via handleCallback.
91
+ * This method is kept for interface compatibility.
92
+ */
93
+ createSession(userId: string, metadata?: Record<string, unknown>): Promise<Session>;
94
+ /**
95
+ * Validate a session.
96
+ *
97
+ * With AuthKit, sessions are validated via withAuth().
98
+ */
99
+ validateSession(_sessionId: string): Promise<Session | null>;
100
+ /**
101
+ * Destroy a session.
102
+ */
103
+ destroySession(_sessionId: string): Promise<void>;
104
+ /**
105
+ * Refresh a session.
106
+ */
107
+ refreshSession(_sessionId: string): Promise<Session | null>;
108
+ /**
109
+ * Extract session ID from a request.
110
+ */
111
+ getSessionIdFromRequest(_request: Request): string | null;
112
+ /**
113
+ * Get response headers to set the session cookie.
114
+ */
115
+ getSessionHeaders(session: Session): Record<string, string>;
116
+ /**
117
+ * Get response headers to clear the session cookie.
118
+ */
119
+ getClearSessionHeaders(): Record<string, string>;
120
+ /**
121
+ * Get the underlying WorkOS client.
122
+ */
123
+ getWorkOS(): WorkOS;
124
+ /**
125
+ * Get the AuthKit AuthService.
126
+ */
127
+ getAuthService(): AuthService<Request, Response>;
128
+ /**
129
+ * Get the configured client ID.
130
+ */
131
+ getClientId(): string;
132
+ /**
133
+ * Get the configured redirect URI.
134
+ */
135
+ getRedirectUri(): string;
136
+ }
137
+ //# sourceMappingURL=auth-provider.d.ts.map
package/dist/auth-provider.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"auth-provider.d.ts","sourceRoot":"","sources":["../src/auth-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EACV,aAAa,EACb,YAAY,EACZ,gBAAgB,EAChB,OAAO,EACP,iBAAiB,EACjB,cAAc,EACf,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAEnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAqB,MAAM,yBAAyB,CAAC;AACzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,MAAM,CAAC;AAGxC,OAAO,KAAK,EAAE,UAAU,EAAE,uBAAuB,EAAE,MAAM,YAAY,CAAC;AAStE;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,gBACX,SAAQ,kBAAkB,CAAC,UAAU,CACrC,YAAW,aAAa,CAAC,MAAM,CAAC,EAAE,YAAY,CAAC,MAAM,CAAC,EAAE,gBAAgB,CAAC,OAAO,CAAC;IAEjF,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC3B,SAAS,CAAC,WAAW,EAAE,MAAM,CAAC;IAC9B,SAAS,CAAC,SAAS,EAAE,uBAAuB,CAAC,KAAK,CAAC,CAAC;IACpD,SAAS,CAAC,WAAW,EAAE,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACtD,SAAS,CAAC,MAAM,EAAE,aAAa,CAAC;gBAEpB,OAAO,CAAC,EAAE,uBAAuB;IAqE7C;;;;;OAKG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IA2ClG;;OAEG;IACG,aAAa,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC;IAQvD;;OAEG;IACG,cAAc,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAuC9D;;OAEG;IACG,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAYzD;;OAEG;IACH,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;IAQvC;;OAEG;IACH,WAAW,CAAC,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM;IA8BvD;;;;OAIG;IACG,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;IA4BtF;;;;;;;OAOG;IACG,YAAY,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAiClF;;OAEG;IACH,oBAAoB,IAAI,cAAc;IAyBtC;;;;;OAKG;IACG,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC;IAczF;;;;OAIG;IACG,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAMlE;;OAEG;IACG,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKvD;;OAEG;IACG,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAKjE;;OAEG;IACH,uBAAuB,CAAC,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI;IAMzD;;OAEG;IACH,iBAAiB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAU3D;;OAEG;IACH,sBAAsB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAShD;;OAEG;IACH,SAAS,IAAI,MAAM;IAInB;;OAEG;IACH,cAAc,IAAI,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC;IAIhD;;OAEG;IACH,WAAW,IAAI,MAAM;IAIrB;;OAEG;IACH,cAAc,IAAI,MAAM;CAGzB"}
package/dist/directory-sync.d.ts ADDED
@@ -0,0 +1,129 @@
1
+ /**
2
+ * WorkOS Directory Sync integration for automated user provisioning via SCIM.
3
+ *
4
+ * This class handles SCIM webhook events from WorkOS, enabling automated
5
+ * user and group management when integrated with identity providers.
6
+ */
7
+ import type { WorkOS, Directory, DirectoryUser, DirectoryGroup } from '@workos-inc/node';
8
+ import type { WorkOSDirectorySyncOptions } from './types.js';
9
+ /**
10
+ * WorkOSDirectorySync handles SCIM webhook events from WorkOS for automated
11
+ * user provisioning and deprovisioning.
12
+ *
13
+ * @example
14
+ * ```typescript
15
+ * import { WorkOS } from '@workos-inc/node';
16
+ * import { WorkOSDirectorySync } from '@mastra/auth-workos';
17
+ *
18
+ * const workos = new WorkOS(process.env.WORKOS_API_KEY);
19
+ *
20
+ * const directorySync = new WorkOSDirectorySync(workos, {
21
+ * webhookSecret: process.env.WORKOS_WEBHOOK_SECRET,
22
+ * handlers: {
23
+ * onUserCreated: async (user) => {
24
+ * await db.users.create({ email: user.emails[0]?.value });
25
+ * },
26
+ * onUserDeleted: async (user) => {
27
+ * await db.users.delete({ id: user.id });
28
+ * },
29
+ * },
30
+ * });
31
+ *
32
+ * // In your webhook endpoint:
33
+ * app.post('/webhooks/workos', async (req, res) => {
34
+ * const signature = req.headers['workos-signature'] as string;
35
+ * await directorySync.handleWebhook(req.body, signature);
36
+ * res.status(200).send('OK');
37
+ * });
38
+ * ```
39
+ */
40
+ export declare class WorkOSDirectorySync {
41
+ private workos;
42
+ private webhookSecret;
43
+ private handlers;
44
+ /**
45
+ * Creates a new WorkOSDirectorySync instance.
46
+ *
47
+ * @param workos - WorkOS client instance
48
+ * @param options - Configuration options including webhook secret and event handlers
49
+ * @throws Error if webhook secret is not provided
50
+ */
51
+ constructor(workos: WorkOS, options: WorkOSDirectorySyncOptions);
52
+ /**
53
+ * Handles incoming webhook events from WorkOS Directory Sync.
54
+ *
55
+ * This method verifies the webhook signature for security, parses the event,
56
+ * and routes it to the appropriate handler based on the event type.
57
+ *
58
+ * @param payload - Raw webhook payload (string or object)
59
+ * @param signature - WorkOS signature header for verification
60
+ * @throws Error if signature verification fails
61
+ */
62
+ handleWebhook(payload: string | object, signature: string): Promise<void>;
63
+ /**
64
+ * Routes a directory sync event to the appropriate handler.
65
+ *
66
+ * @param event - The verified webhook event
67
+ */
68
+ private routeEvent;
69
+ /**
70
+ * Maps raw webhook user data to the DirectorySyncUserData type.
71
+ *
72
+ * @param data - Raw user data from webhook
73
+ * @returns Typed user data
74
+ */
75
+ private mapUserData;
76
+ /**
77
+ * Maps raw webhook group data to the DirectorySyncGroupData type.
78
+ *
79
+ * @param data - Raw group data from webhook
80
+ * @returns Typed group data
81
+ */
82
+ private mapGroupData;
83
+ /**
84
+ * Lists all directories for an organization.
85
+ *
86
+ * @param organizationId - The WorkOS organization ID
87
+ * @returns Array of directories
88
+ *
89
+ * @example
90
+ * ```typescript
91
+ * const directories = await directorySync.listDirectories('org_123');
92
+ * for (const dir of directories) {
93
+ * console.log(`Directory: ${dir.name} (${dir.type})`);
94
+ * }
95
+ * ```
96
+ */
97
+ listDirectories(organizationId: string): Promise<Directory[]>;
98
+ /**
99
+ * Lists all users in a directory.
100
+ *
101
+ * @param directoryId - The directory ID
102
+ * @returns Array of directory users
103
+ *
104
+ * @example
105
+ * ```typescript
106
+ * const users = await directorySync.listDirectoryUsers('directory_123');
107
+ * for (const user of users) {
108
+ * console.log(`User: ${user.firstName} ${user.lastName}`);
109
+ * }
110
+ * ```
111
+ */
112
+ listDirectoryUsers(directoryId: string): Promise<DirectoryUser[]>;
113
+ /**
114
+ * Lists all groups in a directory.
115
+ *
116
+ * @param directoryId - The directory ID
117
+ * @returns Array of directory groups
118
+ *
119
+ * @example
120
+ * ```typescript
121
+ * const groups = await directorySync.listDirectoryGroups('directory_123');
122
+ * for (const group of groups) {
123
+ * console.log(`Group: ${group.name}`);
124
+ * }
125
+ * ```
126
+ */
127
+ listDirectoryGroups(directoryId: string): Promise<DirectoryGroup[]>;
128
+ }
129
+ //# sourceMappingURL=directory-sync.d.ts.map
package/dist/directory-sync.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"directory-sync.d.ts","sourceRoot":"","sources":["../src/directory-sync.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAEzF,OAAO,KAAK,EACV,0BAA0B,EAI3B,MAAM,YAAY,CAAC;AAyBpB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,QAAQ,CAAwB;IAExC;;;;;;OAMG;gBACS,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,0BAA0B;IAc/D;;;;;;;;;OASG;IACG,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAoB/E;;;;OAIG;YACW,UAAU;IAgExB;;;;;OAKG;IACH,OAAO,CAAC,WAAW;IAoBnB;;;;;OAKG;IACH,OAAO,CAAC,YAAY;IAiBpB;;;;;;;;;;;;;OAaG;IACG,eAAe,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAOnE;;;;;;;;;;;;;OAaG;IACG,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAOvE;;;;;;;;;;;;;OAaG;IACG,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;CAM1E"}