@stytch/vanilla-js 3.2.4 → 3.3.0

package/CHANGELOG.md

@@ -1,5 +1,26 @@
 # @stytch/vanilla-js
 
+## 3.3.0
+
+### Minor Changes
+
+- 6890694: Mark stytch.member as deprecated in favor of stytch.self
+  Adds RBAC functionality
+
+### Patch Changes
+
+- 9ee61b3: Allow "Login without a password" to immediately login a user who followed a valid password reset link
+- c3c108b: Remove bundled dependencies from package manifest
+- Updated dependencies [76ad832]
+- Updated dependencies [6890694]
+  - @stytch/core@1.5.0
+
+## 3.2.5
+
+### Patch Changes
+
+- 70cf053: Adding better handling for Passkey cross device errors.
+
 ## 3.2.4
 
 ### Patch Changes

package/dist/b2b/index.d.ts

@@ -1,4 +1,4 @@
-import { IHeadlessB2BDiscoveryClient, IHeadlessB2BMagicLinksClient, IHeadlessB2BMemberClient, IHeadlessB2BOAuthClient, IHeadlessB2BOrganizationClient, IHeadlessB2BOTPsClient, IHeadlessB2BSessionClient, IHeadlessB2BSSOClient, StytchClientOptions } from "@stytch/core/public";
+import { IHeadlessB2BDiscoveryClient, IHeadlessB2BMagicLinksClient, IHeadlessB2BMemberClient, IHeadlessB2BSelfClient, IHeadlessB2BOAuthClient, IHeadlessB2BOrganizationClient, IHeadlessB2BOTPsClient, IHeadlessB2BSessionClient, IHeadlessB2BSSOClient, IHeadlessB2BRBACClient, StytchClientOptions } from "@stytch/core/public";
 import { Callbacks as Callbacks$0 } from "@stytch/core/public";
 import { StyleConfig as StyleConfig$0 } from "@stytch/core/public";
 import { StytchB2BUIConfig as StytchB2BUIConfig$0 } from "@stytch/core/public";
@@ -122,7 +122,7 @@ interface MemberSession {
     /**
      * All the authentication factors that have been associated with the current member session.
      */
-    authentication_factors: Array<B2BAuthenticationFactor>;
+    authentication_factors: B2BAuthenticationFactor[];
     /**
      * A map of the custom claims associated with the session.
      * Custom claims can only be set from the server, they cannot be set using the clientside SDKs.
@@ -131,6 +131,12 @@ interface MemberSession {
      * If no claims are set, this field will be null.
      */
     custom_claims?: Record<string, unknown>;
+    /**
+     * A list of the roles associated with the session.
+     * Members may inherit certain roles depending on the factors in their session.
+     * For example, some roles may only be active if the member logged in from a specific SAML IDP.
+     */
+    roles: string[];
 }
 interface SSORegistration {
     connection_id: string;
@@ -138,6 +144,26 @@ interface SSORegistration {
     registration_id: string;
     sso_attributes: Record<string, unknown>;
 }
+type RoleSource = {
+    type: "direct_assignment";
+    details: Record<string, never>;
+} | {
+    type: "email_assignment";
+    details: {
+        email_domain: string;
+    };
+} | {
+    type: "sso_connection";
+    details: {
+        connection_id: string;
+    };
+} | {
+    type: "sso_connection_group";
+    details: {
+        connection_id: string;
+        group: string;
+    };
+};
 interface Member {
     /**
      * Globally unique UUID that identifies an organization in the Stytch API.
@@ -178,7 +204,11 @@ interface Member {
      * See our {@link https://stytch.com/docs/api/metadata metadata reference} for complete details.
      */
     untrusted_metadata: Record<string, unknown>;
-    sso_registrations: Array<SSORegistration>;
+    sso_registrations: SSORegistration[];
+    /**
+     * Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings.
+     * A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures.
+     */
     is_breakglass: boolean;
     /**
      * Returned if the member has a registered password
@@ -197,6 +227,13 @@ interface Member {
      * Whether the member's phone number is verified.
      */
     mfa_phone_number_verified: boolean;
+    /**
+     * A list of the member's roles and their sources
+     */
+    roles: {
+        role_id: string;
+        sources: RoleSource[];
+    }[];
 }
 type B2BAuthenticateResponse = ResponseCommon & {
     /**
@@ -281,19 +318,77 @@ interface Organization {
      * This field can only be updated by a direct API integration.
      */
     trusted_metadata: Record<string, unknown>;
+    /**
+     * The default connection used for SSO when there are multiple active connections.
+     */
     sso_default_connection_id: string | null;
+    /**
+     * The authentication setting that controls the JIT provisioning of Members when authenticating via SSO.
+     * The accepted values are:
+     *   ALL_ALLOWED – new Members will be automatically provisioned upon successful authentication via any of the Organization's sso_active_connections.
+     *   RESTRICTED – only new Members with SSO logins that comply with sso_jit_provisioning_allowed_connections can be provisioned upon authentication.
+     *   NOT_ALLOWED – disable JIT provisioning via SSO.
+     */
     sso_jit_provisioning: "ALL_ALLOWED" | "RESTRICTED" | "NOT_ALLOWED";
+    /**
+     * An array of connection_ids that reference SAML Connection objects.
+     * Only these connections will be allowed to JIT provision Members via SSO when sso_jit_provisioning is set to RESTRICTED.
+     */
     sso_jit_provisioning_allowed_connections: string[];
-    sso_active_connections: Array<{
+    /**
+     * An array of active SSO Connection references.
+     */
+    sso_active_connections: {
         connection_id: string;
         display_name: string;
-    }>;
+    }[];
+    /**
+     * An array of email domains that allow invites or JIT provisioning for new Members.
+     * This list is enforced when either email_invites or email_jit_provisioning is set to RESTRICTED.
+     * Common domains such as gmail.com are not allowed.
+     */
     email_allowed_domains: string[];
+    /**
+     * The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link.
+     * The accepted values are:
+     *   RESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be provisioned upon authentication via Email Magic Link.
+     *   NOT_ALLOWED – disable JIT provisioning via Email Magic Link.
+     */
     email_jit_provisioning: "RESTRICTED" | "NOT_ALLOWED";
+    /**
+     * The authentication setting that controls how a new Member can be invited to an organization by email.
+     * The accepted values are:
+     *   ALL_ALLOWED – any new Member can be invited to join via email.
+     *   RESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be invited via email.
+     *   NOT_ALLOWED – disable email invites.
+     */
     email_invites: "ALL_ALLOWED" | "RESTRICTED" | "NOT_ALLOWED";
+    /**
+     * The setting that controls which authentication methods can be used by Members of an Organization.
+     * The accepted values are:
+     *   ALL_ALLOWED – the default setting which allows all authentication methods to be used.
+     *   RESTRICTED – only methods that comply with allowed_auth_methods can be used for authentication. This setting does not apply to Members with is_breakglass set to true.
+     */
     auth_methods: "ALL_ALLOWED" | "RESTRICTED";
+    /**
+     * An array of allowed authentication methods.
+     * This list is enforced when auth_methods is set to RESTRICTED.
+     * The list's accepted values are: sso, magic_link, password, google_oauth, and microsoft_oauth.
+     */
     allowed_auth_methods: string[];
+    /**
+     * The setting that controls the MFA policy for all Members in the Organization. The accepted values are:
+     *   REQUIRED_FOR_ALL – All Members within the Organization will be required to complete MFA every time they wish to log in.
+     *   OPTIONAL – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their mfa_enrolled status is set to true
+     */
     mfa_policy: "OPTIONAL" | "REQUIRED_FOR_ALL";
+    /**
+     * An array of implicit role assignments granted to members in this organization whose emails match the domain.
+     */
+    rbac_email_implicit_role_assignments?: {
+        role_id: string;
+        domain: string;
+    }[];
 }
 interface MfaRequired {
     member_options: MemberOptions;
@@ -623,13 +718,16 @@ declare class StytchB2BHeadlessClient {
     // External API Clients
     magicLinks: IHeadlessB2BMagicLinksClient;
     session: IHeadlessB2BSessionClient;
+    /** @deprecated Please use client.self instead. This will be removed in a future release. */
     member: IHeadlessB2BMemberClient;
+    self: IHeadlessB2BSelfClient;
     organization: IHeadlessB2BOrganizationClient;
     oauth: IHeadlessB2BOAuthClient;
     sso: IHeadlessB2BSSOClient;
     discovery: IHeadlessB2BDiscoveryClient;
     passwords: IHeadlessB2BPasswordClient;
     otps: IHeadlessB2BOTPsClient;
+    rbac: IHeadlessB2BRBACClient;
     constructor(_PUBLIC_TOKEN: string, options?: StytchClientOptions);
 }
 /**

package/dist/b2b/index.esm.d.ts

@@ -1,4 +1,4 @@
-import { IHeadlessB2BDiscoveryClient, IHeadlessB2BMagicLinksClient, IHeadlessB2BMemberClient, IHeadlessB2BOAuthClient, IHeadlessB2BOrganizationClient, IHeadlessB2BOTPsClient, IHeadlessB2BSessionClient, IHeadlessB2BSSOClient, StytchClientOptions } from "@stytch/core/public";
+import { IHeadlessB2BDiscoveryClient, IHeadlessB2BMagicLinksClient, IHeadlessB2BMemberClient, IHeadlessB2BSelfClient, IHeadlessB2BOAuthClient, IHeadlessB2BOrganizationClient, IHeadlessB2BOTPsClient, IHeadlessB2BSessionClient, IHeadlessB2BSSOClient, IHeadlessB2BRBACClient, StytchClientOptions } from "@stytch/core/public";
 import { Callbacks as Callbacks$0 } from "@stytch/core/public";
 import { StyleConfig as StyleConfig$0 } from "@stytch/core/public";
 import { StytchB2BUIConfig as StytchB2BUIConfig$0 } from "@stytch/core/public";
@@ -122,7 +122,7 @@ interface MemberSession {
     /**
      * All the authentication factors that have been associated with the current member session.
      */
-    authentication_factors: Array<B2BAuthenticationFactor>;
+    authentication_factors: B2BAuthenticationFactor[];
     /**
      * A map of the custom claims associated with the session.
      * Custom claims can only be set from the server, they cannot be set using the clientside SDKs.
@@ -131,6 +131,12 @@ interface MemberSession {
      * If no claims are set, this field will be null.
      */
     custom_claims?: Record<string, unknown>;
+    /**
+     * A list of the roles associated with the session.
+     * Members may inherit certain roles depending on the factors in their session.
+     * For example, some roles may only be active if the member logged in from a specific SAML IDP.
+     */
+    roles: string[];
 }
 interface SSORegistration {
     connection_id: string;
@@ -138,6 +144,26 @@ interface SSORegistration {
     registration_id: string;
     sso_attributes: Record<string, unknown>;
 }
+type RoleSource = {
+    type: "direct_assignment";
+    details: Record<string, never>;
+} | {
+    type: "email_assignment";
+    details: {
+        email_domain: string;
+    };
+} | {
+    type: "sso_connection";
+    details: {
+        connection_id: string;
+    };
+} | {
+    type: "sso_connection_group";
+    details: {
+        connection_id: string;
+        group: string;
+    };
+};
 interface Member {
     /**
      * Globally unique UUID that identifies an organization in the Stytch API.
@@ -178,7 +204,11 @@ interface Member {
      * See our {@link https://stytch.com/docs/api/metadata metadata reference} for complete details.
      */
     untrusted_metadata: Record<string, unknown>;
-    sso_registrations: Array<SSORegistration>;
+    sso_registrations: SSORegistration[];
+    /**
+     * Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings.
+     * A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures.
+     */
     is_breakglass: boolean;
     /**
      * Returned if the member has a registered password
@@ -197,6 +227,13 @@ interface Member {
      * Whether the member's phone number is verified.
      */
     mfa_phone_number_verified: boolean;
+    /**
+     * A list of the member's roles and their sources
+     */
+    roles: {
+        role_id: string;
+        sources: RoleSource[];
+    }[];
 }
 type B2BAuthenticateResponse = ResponseCommon & {
     /**
@@ -281,19 +318,77 @@ interface Organization {
      * This field can only be updated by a direct API integration.
      */
     trusted_metadata: Record<string, unknown>;
+    /**
+     * The default connection used for SSO when there are multiple active connections.
+     */
     sso_default_connection_id: string | null;
+    /**
+     * The authentication setting that controls the JIT provisioning of Members when authenticating via SSO.
+     * The accepted values are:
+     *   ALL_ALLOWED – new Members will be automatically provisioned upon successful authentication via any of the Organization's sso_active_connections.
+     *   RESTRICTED – only new Members with SSO logins that comply with sso_jit_provisioning_allowed_connections can be provisioned upon authentication.
+     *   NOT_ALLOWED – disable JIT provisioning via SSO.
+     */
     sso_jit_provisioning: "ALL_ALLOWED" | "RESTRICTED" | "NOT_ALLOWED";
+    /**
+     * An array of connection_ids that reference SAML Connection objects.
+     * Only these connections will be allowed to JIT provision Members via SSO when sso_jit_provisioning is set to RESTRICTED.
+     */
     sso_jit_provisioning_allowed_connections: string[];
-    sso_active_connections: Array<{
+    /**
+     * An array of active SSO Connection references.
+     */
+    sso_active_connections: {
         connection_id: string;
         display_name: string;
-    }>;
+    }[];
+    /**
+     * An array of email domains that allow invites or JIT provisioning for new Members.
+     * This list is enforced when either email_invites or email_jit_provisioning is set to RESTRICTED.
+     * Common domains such as gmail.com are not allowed.
+     */
     email_allowed_domains: string[];
+    /**
+     * The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link.
+     * The accepted values are:
+     *   RESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be provisioned upon authentication via Email Magic Link.
+     *   NOT_ALLOWED – disable JIT provisioning via Email Magic Link.
+     */
     email_jit_provisioning: "RESTRICTED" | "NOT_ALLOWED";
+    /**
+     * The authentication setting that controls how a new Member can be invited to an organization by email.
+     * The accepted values are:
+     *   ALL_ALLOWED – any new Member can be invited to join via email.
+     *   RESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be invited via email.
+     *   NOT_ALLOWED – disable email invites.
+     */
     email_invites: "ALL_ALLOWED" | "RESTRICTED" | "NOT_ALLOWED";
+    /**
+     * The setting that controls which authentication methods can be used by Members of an Organization.
+     * The accepted values are:
+     *   ALL_ALLOWED – the default setting which allows all authentication methods to be used.
+     *   RESTRICTED – only methods that comply with allowed_auth_methods can be used for authentication. This setting does not apply to Members with is_breakglass set to true.
+     */
     auth_methods: "ALL_ALLOWED" | "RESTRICTED";
+    /**
+     * An array of allowed authentication methods.
+     * This list is enforced when auth_methods is set to RESTRICTED.
+     * The list's accepted values are: sso, magic_link, password, google_oauth, and microsoft_oauth.
+     */
     allowed_auth_methods: string[];
+    /**
+     * The setting that controls the MFA policy for all Members in the Organization. The accepted values are:
+     *   REQUIRED_FOR_ALL – All Members within the Organization will be required to complete MFA every time they wish to log in.
+     *   OPTIONAL – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their mfa_enrolled status is set to true
+     */
     mfa_policy: "OPTIONAL" | "REQUIRED_FOR_ALL";
+    /**
+     * An array of implicit role assignments granted to members in this organization whose emails match the domain.
+     */
+    rbac_email_implicit_role_assignments?: {
+        role_id: string;
+        domain: string;
+    }[];
 }
 interface MfaRequired {
     member_options: MemberOptions;
@@ -623,13 +718,16 @@ declare class StytchB2BHeadlessClient {
     // External API Clients
     magicLinks: IHeadlessB2BMagicLinksClient;
     session: IHeadlessB2BSessionClient;
+    /** @deprecated Please use client.self instead. This will be removed in a future release. */
     member: IHeadlessB2BMemberClient;
+    self: IHeadlessB2BSelfClient;
     organization: IHeadlessB2BOrganizationClient;
     oauth: IHeadlessB2BOAuthClient;
     sso: IHeadlessB2BSSOClient;
     discovery: IHeadlessB2BDiscoveryClient;
     passwords: IHeadlessB2BPasswordClient;
     otps: IHeadlessB2BOTPsClient;
+    rbac: IHeadlessB2BRBACClient;
     constructor(_PUBLIC_TOKEN: string, options?: StytchClientOptions);
 }
 /**