@workos-inc/node 7.30.0 → 7.31.0-beta.actions1

package/lib/index.js

@@ -19,6 +19,7 @@ const node_crypto_provider_1 = require("./common/crypto/node-crypto-provider");
 const subtle_crypto_provider_1 = require("./common/crypto/subtle-crypto-provider");
 const fetch_client_1 = require("./common/net/fetch-client");
 const node_client_1 = require("./common/net/node-client");
+const actions_1 = require("./actions/actions");
 const webhooks_1 = require("./webhooks/webhooks");
 const workos_1 = require("./workos");
 const web_iron_session_provider_1 = require("./common/iron-session/web-iron-session-provider");
@@ -61,6 +62,17 @@ class WorkOSNode extends workos_1.WorkOS {
         return new webhooks_1.Webhooks(cryptoProvider);
     }
     /** @override */
+    createActionsClient() {
+        let cryptoProvider;
+        if (typeof crypto !== 'undefined' && typeof crypto.subtle !== 'undefined') {
+            cryptoProvider = new subtle_crypto_provider_1.SubtleCryptoProvider();
+        }
+        else {
+            cryptoProvider = new node_crypto_provider_1.NodeCryptoProvider();
+        }
+        return new actions_1.Actions(cryptoProvider);
+    }
+    /** @override */
     createIronSessionProvider() {
         return new web_iron_session_provider_1.WebIronSessionProvider();
     }

package/lib/index.worker.d.ts

@@ -1,3 +1,4 @@
+import { Actions } from './actions/actions';
 import { IronSessionProvider } from './common/iron-session/iron-session-provider';
 import { HttpClient } from './common/net/http-client';
 import { WorkOSOptions } from './index.worker';
@@ -21,6 +22,8 @@ declare class WorkOSWorker extends WorkOS {
     /** @override */
     createWebhookClient(): Webhooks;
     /** @override */
+    createActionsClient(): Actions;
+    /** @override */
     createIronSessionProvider(): IronSessionProvider;
     /** @override */
     emitWarning(warning: string): void;

package/lib/index.worker.js

@@ -15,6 +15,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.WorkOS = void 0;
+const actions_1 = require("./actions/actions");
 const subtle_crypto_provider_1 = require("./common/crypto/subtle-crypto-provider");
 const edge_iron_session_provider_1 = require("./common/iron-session/edge-iron-session-provider");
 const fetch_client_1 = require("./common/net/fetch-client");
@@ -44,6 +45,11 @@ class WorkOSWorker extends workos_1.WorkOS {
         return new webhooks_1.Webhooks(cryptoProvider);
     }
     /** @override */
+    createActionsClient() {
+        const cryptoProvider = new subtle_crypto_provider_1.SubtleCryptoProvider();
+        return new actions_1.Actions(cryptoProvider);
+    }
+    /** @override */
     createIronSessionProvider() {
         return new edge_iron_session_provider_1.EdgeIronSessionProvider();
     }

package/lib/organizations/fixtures/clear-stripe-customer-id.json

@@ -0,0 +1,13 @@
+{
+    "name": "Test Organization 3",
+    "object": "organization",
+    "id": "org_01EHT88Z8J8795GZNQ4ZP1J81T",
+    "allow_profiles_outside_organization": false,
+    "domains": [
+        {
+            "domain": "example.com",
+            "object": "organization_domain",
+            "id": "org_domain_01EHT88Z8WZEFWYPM6EC9BX2R8"
+        }
+    ]
+}

package/lib/organizations/fixtures/set-stripe-customer-id-disabled.json

@@ -0,0 +1,4 @@
+{
+    "message": "stripe_customer_id is not enabled for this environment",
+    "error": "Unprocessable Entity"
+}

package/lib/organizations/fixtures/set-stripe-customer-id.json

@@ -0,0 +1,14 @@
+{
+    "name": "Test Organization 3",
+    "object": "organization",
+    "id": "org_01EHT88Z8J8795GZNQ4ZP1J81T",
+    "allow_profiles_outside_organization": false,
+    "domains": [
+        {
+            "domain": "example.com",
+            "object": "organization_domain",
+            "id": "org_domain_01EHT88Z8WZEFWYPM6EC9BX2R8"
+        }
+    ],
+    "stripe_customer_id": "cus_MX8J9nfK4lP2Yw"
+}

package/lib/organizations/interfaces/organization.interface.d.ts

@@ -5,6 +5,7 @@ export interface Organization {
     name: string;
     allowProfilesOutsideOrganization: boolean;
     domains: OrganizationDomain[];
+    stripeCustomerId?: string;
     createdAt: string;
     updatedAt: string;
 }
@@ -14,6 +15,7 @@ export interface OrganizationResponse {
     name: string;
     allow_profiles_outside_organization: boolean;
     domains: OrganizationDomainResponse[];
+    stripe_customer_id?: string;
     created_at: string;
     updated_at: string;
 }

package/lib/organizations/interfaces/update-organization-options.interface.d.ts

@@ -3,6 +3,7 @@ export interface UpdateOrganizationOptions {
     organization: string;
     name?: string;
     domainData?: DomainData[];
+    stripeCustomerId?: string | null;
     /**
      * @deprecated If you need to allow sign-ins from any email domain, contact support@workos.com.
      */
@@ -15,6 +16,7 @@ export interface UpdateOrganizationOptions {
 export interface SerializedUpdateOrganizationOptions {
     name?: string;
     domain_data?: DomainData[];
+    stripe_customer_id?: string | null;
     /**
      * @deprecated If you need to allow sign-ins from any email domain, contact support@workos.com.
      */

package/lib/organizations/organizations.spec.js

@@ -15,11 +15,14 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const jest_fetch_mock_1 = __importDefault(require("jest-fetch-mock"));
 const test_utils_1 = require("../common/utils/test-utils");
 const workos_1 = require("../workos");
+const clear_stripe_customer_id_json_1 = __importDefault(require("./fixtures/clear-stripe-customer-id.json"));
 const create_organization_invalid_json_1 = __importDefault(require("./fixtures/create-organization-invalid.json"));
 const create_organization_json_1 = __importDefault(require("./fixtures/create-organization.json"));
 const get_organization_json_1 = __importDefault(require("./fixtures/get-organization.json"));
 const list_organizations_json_1 = __importDefault(require("./fixtures/list-organizations.json"));
 const update_organization_json_1 = __importDefault(require("./fixtures/update-organization.json"));
+const set_stripe_customer_id_json_1 = __importDefault(require("./fixtures/set-stripe-customer-id.json"));
+const set_stripe_customer_id_disabled_json_1 = __importDefault(require("./fixtures/set-stripe-customer-id-disabled.json"));
 const interfaces_1 = require("./interfaces");
 const workos = new workos_1.WorkOS('sk_test_Sz3IQjepeSWaI4cMS4ms4sMuU');
 describe('Organizations', () => {
@@ -235,5 +238,41 @@ describe('Organizations', () => {
                 }));
             });
         });
+        describe('when given `stripeCustomerId`', () => {
+            it('updates the organization’s Stripe customer ID', () => __awaiter(void 0, void 0, void 0, function* () {
+                (0, test_utils_1.fetchOnce)(set_stripe_customer_id_json_1.default);
+                const subject = yield workos.organizations.updateOrganization({
+                    organization: 'org_01EHT88Z8J8795GZNQ4ZP1J81T',
+                    stripeCustomerId: 'cus_MX8J9nfK4lP2Yw',
+                });
+                expect((0, test_utils_1.fetchBody)()).toMatchObject({
+                    stripe_customer_id: 'cus_MX8J9nfK4lP2Yw',
+                });
+                expect(subject.stripeCustomerId).toBe('cus_MX8J9nfK4lP2Yw');
+            }));
+            it('clears the organization’s Stripe customer ID with a `null` value', () => __awaiter(void 0, void 0, void 0, function* () {
+                (0, test_utils_1.fetchOnce)(clear_stripe_customer_id_json_1.default);
+                const subject = yield workos.organizations.updateOrganization({
+                    organization: 'org_01EHT88Z8J8795GZNQ4ZP1J81T',
+                    stripeCustomerId: null,
+                });
+                expect((0, test_utils_1.fetchBody)()).toEqual({
+                    stripe_customer_id: null,
+                });
+                expect(subject.stripeCustomerId).toBeUndefined();
+            }));
+            describe('when the feature is not enabled', () => {
+                it('returns an error', () => __awaiter(void 0, void 0, void 0, function* () {
+                    (0, test_utils_1.fetchOnce)(set_stripe_customer_id_disabled_json_1.default, { status: 422 });
+                    yield expect(workos.organizations.updateOrganization({
+                        organization: 'org_01EHT88Z8J8795GZNQ4ZP1J81T',
+                        stripeCustomerId: 'cus_MX8J9nfK4lP2Yw',
+                    })).rejects.toThrowError('stripe_customer_id is not enabled for this environment');
+                    expect((0, test_utils_1.fetchBody)()).toEqual({
+                        stripe_customer_id: 'cus_MX8J9nfK4lP2Yw',
+                    });
+                }));
+            });
+        });
     });
 });

package/lib/organizations/serializers/organization.serializer.js

@@ -2,13 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.deserializeOrganization = void 0;
 const organization_domain_serializer_1 = require("../../organization-domains/serializers/organization-domain.serializer");
-const deserializeOrganization = (organization) => ({
-    object: organization.object,
-    id: organization.id,
-    name: organization.name,
-    allowProfilesOutsideOrganization: organization.allow_profiles_outside_organization,
-    domains: organization.domains.map(organization_domain_serializer_1.deserializeOrganizationDomain),
-    createdAt: organization.created_at,
-    updatedAt: organization.updated_at,
-});
+const deserializeOrganization = (organization) => (Object.assign(Object.assign({ object: organization.object, id: organization.id, name: organization.name, allowProfilesOutsideOrganization: organization.allow_profiles_outside_organization, domains: organization.domains.map(organization_domain_serializer_1.deserializeOrganizationDomain) }, (typeof organization.stripe_customer_id === 'undefined'
+    ? undefined
+    : { stripeCustomerId: organization.stripe_customer_id })), { createdAt: organization.created_at, updatedAt: organization.updated_at }));
 exports.deserializeOrganization = deserializeOrganization;

package/lib/organizations/serializers/update-organization-options.serializer.js

@@ -6,5 +6,6 @@ const serializeUpdateOrganizationOptions = (options) => ({
     allow_profiles_outside_organization: options.allowProfilesOutsideOrganization,
     domain_data: options.domainData,
     domains: options.domains,
+    stripe_customer_id: options.stripeCustomerId,
 });
 exports.serializeUpdateOrganizationOptions = serializeUpdateOrganizationOptions;

package/lib/user-management/interfaces/authenticate-with-session-cookie.interface.d.ts

@@ -10,6 +10,7 @@ export interface AccessToken {
     org_id?: string;
     role?: string;
     permissions?: string[];
+    entitlements?: string[];
 }
 export type SessionCookieData = Pick<AuthenticationResponse, 'accessToken' | 'impersonator' | 'organizationId' | 'refreshToken' | 'user'>;
 export declare enum AuthenticateWithSessionCookieFailureReason {
@@ -27,6 +28,7 @@ export type AuthenticateWithSessionCookieSuccessResponse = {
     organizationId?: string;
     role?: string;
     permissions?: string[];
+    entitlements?: string[];
     user: User;
     impersonator?: Impersonator;
 };

package/lib/user-management/session.js

@@ -64,13 +64,14 @@ class Session {
                     reason: interfaces_1.AuthenticateWithSessionCookieFailureReason.INVALID_JWT,
                 };
             }
-            const { sid: sessionId, org_id: organizationId, role, permissions, } = (0, jose_1.decodeJwt)(session.accessToken);
+            const { sid: sessionId, org_id: organizationId, role, permissions, entitlements, } = (0, jose_1.decodeJwt)(session.accessToken);
             return {
                 authenticated: true,
                 sessionId,
                 organizationId,
                 role,
                 permissions,
+                entitlements,
                 user: session.user,
                 impersonator: session.impersonator,
             };

package/lib/user-management/session.spec.js

@@ -120,7 +120,7 @@ describe('Session', () => {
                 .mockResolvedValue({});
             const cookiePassword = 'alongcookiesecretmadefortestingsessions';
             const sessionData = yield (0, iron_session_1.sealData)({
-                accessToken: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ewogICJzdWIiOiAiMTIzNDU2Nzg5MCIsCiAgIm5hbWUiOiAiSm9obiBEb2UiLAogICJpYXQiOiAxNTE2MjM5MDIyLAogICJzaWQiOiAic2Vzc2lvbl8xMjMiLAogICJvcmdfaWQiOiAib3JnXzEyMyIsCiAgInJvbGUiOiAibWVtYmVyIiwKICAicGVybWlzc2lvbnMiOiBbInBvc3RzOmNyZWF0ZSIsICJwb3N0czpkZWxldGUiXQp9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c',
+                accessToken: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdXRoZW50aWNhdGVkIjp0cnVlLCJpbXBlcnNvbmF0b3IiOnsiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSIsInJlYXNvbiI6InRlc3QifSwic2lkIjoic2Vzc2lvbl8xMjMiLCJvcmdfaWQiOiJvcmdfMTIzIiwicm9sZSI6Im1lbWJlciIsInBlcm1pc3Npb25zIjpbInBvc3RzOmNyZWF0ZSIsInBvc3RzOmRlbGV0ZSJdLCJlbnRpdGxlbWVudHMiOlsiYXVkaXQtbG9ncyJdLCJ1c2VyIjp7Im9iamVjdCI6InVzZXIiLCJpZCI6InVzZXJfMDFINUpRRFY3UjdBVEVZWkRFRzBXNVBSWVMiLCJlbWFpbCI6InRlc3RAZXhhbXBsZS5jb20ifX0.A8mDST4wtq_0vId6ALg7k2Ukr7FXrszZtdJ_6dfXeAc',
                 refreshToken: 'def456',
                 impersonator: {
                     email: 'admin@example.com',
@@ -146,6 +146,7 @@ describe('Session', () => {
                 organizationId: 'org_123',
                 role: 'member',
                 permissions: ['posts:create', 'posts:delete'],
+                entitlements: ['audit-logs'],
                 user: {
                     object: 'user',
                     id: 'user_01H5JQDV7R7ATEYZDEG0W5PRYS',

package/lib/user-management/user-management.js

@@ -192,7 +192,7 @@ class UserManagement {
                     reason: authenticate_with_session_cookie_interface_1.AuthenticateWithSessionCookieFailureReason.INVALID_JWT,
                 };
             }
-            const { sid: sessionId, org_id: organizationId, role, permissions, } = (0, jose_1.decodeJwt)(session.accessToken);
+            const { sid: sessionId, org_id: organizationId, role, permissions, entitlements, } = (0, jose_1.decodeJwt)(session.accessToken);
             return {
                 authenticated: true,
                 sessionId,
@@ -200,6 +200,7 @@ class UserManagement {
                 role,
                 user: session.user,
                 permissions,
+                entitlements,
             };
         });
     }

package/lib/user-management/user-management.spec.js

@@ -720,7 +720,7 @@ describe('UserManagement', () => {
                 .mockResolvedValue({});
             const cookiePassword = 'alongcookiesecretmadefortestingsessions';
             const sessionData = yield (0, iron_session_1.sealData)({
-                accessToken: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ewogICJzdWIiOiAiMTIzNDU2Nzg5MCIsCiAgIm5hbWUiOiAiSm9obiBEb2UiLAogICJpYXQiOiAxNTE2MjM5MDIyLAogICJzaWQiOiAic2Vzc2lvbl8xMjMiLAogICJvcmdfaWQiOiAib3JnXzEyMyIsCiAgInJvbGUiOiAibWVtYmVyIiwKICAicGVybWlzc2lvbnMiOiBbInBvc3RzOmNyZWF0ZSIsICJwb3N0czpkZWxldGUiXQp9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c',
+                accessToken: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdXRoZW50aWNhdGVkIjp0cnVlLCJpbXBlcnNvbmF0b3IiOnsiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSIsInJlYXNvbiI6InRlc3QifSwic2lkIjoic2Vzc2lvbl8xMjMiLCJvcmdfaWQiOiJvcmdfMTIzIiwicm9sZSI6Im1lbWJlciIsInBlcm1pc3Npb25zIjpbInBvc3RzOmNyZWF0ZSIsInBvc3RzOmRlbGV0ZSJdLCJlbnRpdGxlbWVudHMiOlsiYXVkaXQtbG9ncyJdLCJ1c2VyIjp7Im9iamVjdCI6InVzZXIiLCJpZCI6InVzZXJfMDFINUpRRFY3UjdBVEVZWkRFRzBXNVBSWVMiLCJlbWFpbCI6InRlc3RAZXhhbXBsZS5jb20ifX0.A8mDST4wtq_0vId6ALg7k2Ukr7FXrszZtdJ_6dfXeAc',
                 refreshToken: 'def456',
                 user: {
                     object: 'user',
@@ -737,6 +737,7 @@ describe('UserManagement', () => {
                 organizationId: 'org_123',
                 role: 'member',
                 permissions: ['posts:create', 'posts:delete'],
+                entitlements: ['audit-logs'],
                 user: expect.objectContaining({
                     email: 'test@example.com',
                 }),

package/lib/webhooks/webhooks.d.ts

@@ -1,20 +1,20 @@
 import { Event } from '../common/interfaces';
 import { CryptoProvider } from '../common/crypto/crypto-provider';
 export declare class Webhooks {
-    private cryptoProvider;
+    private signatureProvider;
     constructor(cryptoProvider: CryptoProvider);
+    get verifyHeader(): ({ payload, sigHeader, secret, tolerance, }: {
+        payload: any;
+        sigHeader: string;
+        secret: string;
+        tolerance?: number | undefined;
+    }) => Promise<boolean>;
+    get computeSignature(): (timestamp: any, payload: any, secret: string) => Promise<string>;
+    get getTimestampAndSignatureHash(): (sigHeader: string) => [string, string];
     constructEvent({ payload, sigHeader, secret, tolerance, }: {
         payload: unknown;
         sigHeader: string;
         secret: string;
         tolerance?: number;
     }): Promise<Event>;
-    verifyHeader({ payload, sigHeader, secret, tolerance, }: {
-        payload: any;
-        sigHeader: string;
-        secret: string;
-        tolerance?: number;
-    }): Promise<boolean>;
-    getTimestampAndSignatureHash(sigHeader: string): [string, string];
-    computeSignature(timestamp: any, payload: any, secret: string): Promise<string>;
 }

package/lib/webhooks/webhooks.js

@@ -10,11 +10,20 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Webhooks = void 0;
-const exceptions_1 = require("../common/exceptions");
 const serializers_1 = require("../common/serializers");
+const SignatureProvider_1 = require("../common/crypto/SignatureProvider");
 class Webhooks {
     constructor(cryptoProvider) {
-        this.cryptoProvider = cryptoProvider;
+        this.signatureProvider = new SignatureProvider_1.SignatureProvider(cryptoProvider);
+    }
+    get verifyHeader() {
+        return this.signatureProvider.verifyHeader.bind(this.signatureProvider);
+    }
+    get computeSignature() {
+        return this.signatureProvider.computeSignature.bind(this.signatureProvider);
+    }
+    get getTimestampAndSignatureHash() {
+        return this.signatureProvider.getTimestampAndSignatureHash.bind(this.signatureProvider);
     }
     constructEvent({ payload, sigHeader, secret, tolerance = 180000, }) {
         return __awaiter(this, void 0, void 0, function* () {
@@ -24,39 +33,5 @@ class Webhooks {
             return (0, serializers_1.deserializeEvent)(webhookPayload);
         });
     }
-    verifyHeader({ payload, sigHeader, secret, tolerance = 180000, }) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const [timestamp, signatureHash] = this.getTimestampAndSignatureHash(sigHeader);
-            if (!signatureHash || Object.keys(signatureHash).length === 0) {
-                throw new exceptions_1.SignatureVerificationException('No signature hash found with expected scheme v1');
-            }
-            if (parseInt(timestamp, 10) < Date.now() - tolerance) {
-                throw new exceptions_1.SignatureVerificationException('Timestamp outside the tolerance zone');
-            }
-            const expectedSig = yield this.computeSignature(timestamp, payload, secret);
-            if ((yield this.cryptoProvider.secureCompare(expectedSig, signatureHash)) ===
-                false) {
-                throw new exceptions_1.SignatureVerificationException('Signature hash does not match the expected signature hash for payload');
-            }
-            return true;
-        });
-    }
-    getTimestampAndSignatureHash(sigHeader) {
-        const signature = sigHeader;
-        const [t, v1] = signature.split(',');
-        if (typeof t === 'undefined' || typeof v1 === 'undefined') {
-            throw new exceptions_1.SignatureVerificationException('Signature or timestamp missing');
-        }
-        const { 1: timestamp } = t.split('=');
-        const { 1: signatureHash } = v1.split('=');
-        return [timestamp, signatureHash];
-    }
-    computeSignature(timestamp, payload, secret) {
-        return __awaiter(this, void 0, void 0, function* () {
-            payload = JSON.stringify(payload);
-            const signedPayload = `${timestamp}.${payload}`;
-            return yield this.cryptoProvider.computeHMACSignatureAsync(signedPayload, secret);
-        });
-    }
 }
 exports.Webhooks = Webhooks;

package/lib/webhooks/webhooks.spec.js

@@ -17,8 +17,6 @@ const workos_1 = require("../workos");
 const webhook_json_1 = __importDefault(require("./fixtures/webhook.json"));
 const workos = new workos_1.WorkOS('sk_test_Sz3IQjepeSWaI4cMS4ms4sMuU');
 const exceptions_1 = require("../common/exceptions");
-const node_crypto_provider_1 = require("../common/crypto/node-crypto-provider");
-const subtle_crypto_provider_1 = require("../common/crypto/subtle-crypto-provider");
 describe('Webhooks', () => {
     let payload;
     let secret;
@@ -166,55 +164,34 @@ describe('Webhooks', () => {
         });
     });
     describe('verifyHeader', () => {
-        it('returns true when the signature is valid', () => __awaiter(void 0, void 0, void 0, function* () {
-            const sigHeader = `t=${timestamp}, v1=${signatureHash}`;
-            const options = { payload, sigHeader, secret };
-            const result = yield workos.webhooks.verifyHeader(options);
-            expect(result).toBeTruthy();
+        it('aliases to the signature provider', () => __awaiter(void 0, void 0, void 0, function* () {
+            const spy = jest.spyOn(
+            // tslint:disable-next-line
+            workos.webhooks['signatureProvider'], 'verifyHeader');
+            yield workos.webhooks.verifyHeader({
+                payload,
+                sigHeader: `t=${timestamp}, v1=${signatureHash}`,
+                secret,
+            });
+            expect(spy).toHaveBeenCalled();
         }));
     });
-    describe('getTimestampAndSignatureHash', () => {
-        it('returns the timestamp and signature when the signature is valid', () => {
-            const sigHeader = `t=${timestamp}, v1=${signatureHash}`;
-            const timestampAndSignature = workos.webhooks.getTimestampAndSignatureHash(sigHeader);
-            expect(timestampAndSignature).toEqual([
-                timestamp.toString(),
-                signatureHash,
-            ]);
-        });
-    });
     describe('computeSignature', () => {
-        it('returns the computed signature', () => __awaiter(void 0, void 0, void 0, function* () {
-            const signature = yield workos.webhooks.computeSignature(timestamp, payload, secret);
-            expect(signature).toEqual(signatureHash);
+        it('aliases to the signature provider', () => __awaiter(void 0, void 0, void 0, function* () {
+            const spy = jest.spyOn(
+            // tslint:disable-next-line
+            workos.webhooks['signatureProvider'], 'computeSignature');
+            yield workos.webhooks.computeSignature(timestamp, payload, secret);
+            expect(spy).toHaveBeenCalled();
         }));
     });
-    describe('when in an environment that supports SubtleCrypto', () => {
-        it('automatically uses the subtle crypto library', () => {
+    describe('getTimestampAndSignatureHash', () => {
+        it('aliases to the signature provider', () => __awaiter(void 0, void 0, void 0, function* () {
+            const spy = jest.spyOn(
             // tslint:disable-next-line
-            expect(workos.webhooks['cryptoProvider']).toBeInstanceOf(subtle_crypto_provider_1.SubtleCryptoProvider);
-        });
-    });
-    describe('CryptoProvider', () => {
-        describe('when computing HMAC signature', () => {
-            it('returns the same for the Node crypto and Web Crypto versions', () => __awaiter(void 0, void 0, void 0, function* () {
-                const nodeCryptoProvider = new node_crypto_provider_1.NodeCryptoProvider();
-                const subtleCryptoProvider = new subtle_crypto_provider_1.SubtleCryptoProvider();
-                const stringifiedPayload = JSON.stringify(payload);
-                const payloadHMAC = `${timestamp}.${stringifiedPayload}`;
-                const nodeCompare = yield nodeCryptoProvider.computeHMACSignatureAsync(payloadHMAC, secret);
-                const subtleCompare = yield subtleCryptoProvider.computeHMACSignatureAsync(payloadHMAC, secret);
-                expect(nodeCompare).toEqual(subtleCompare);
-            }));
-        });
-        describe('when securely comparing', () => {
-            it('returns the same for the Node crypto and Web Crypto versions', () => __awaiter(void 0, void 0, void 0, function* () {
-                const nodeCryptoProvider = new node_crypto_provider_1.NodeCryptoProvider();
-                const subtleCryptoProvider = new subtle_crypto_provider_1.SubtleCryptoProvider();
-                const signature = yield workos.webhooks.computeSignature(timestamp, payload, secret);
-                expect(nodeCryptoProvider.secureCompare(signature, signatureHash)).toEqual(subtleCryptoProvider.secureCompare(signature, signatureHash));
-                expect(nodeCryptoProvider.secureCompare(signature, 'foo')).toEqual(subtleCryptoProvider.secureCompare(signature, 'foo'));
-            }));
-        });
+            workos.webhooks['signatureProvider'], 'getTimestampAndSignatureHash');
+            workos.webhooks.getTimestampAndSignatureHash(`t=${timestamp}, v1=${signatureHash}`);
+            expect(spy).toHaveBeenCalled();
+        }));
     });
 });

package/lib/widgets/fixtures/get-token-error.json

@@ -0,0 +1,5 @@
+{
+    "message": "User not found 'user_123'",
+    "code": "entity_not_found",
+    "entity_id": "user_123"
+}

package/lib/widgets/fixtures/token.json

@@ -0,0 +1,3 @@
+{
+    "token": "this.is.a.token"
+}

package/lib/widgets/interfaces/get-token.d.ts

@@ -0,0 +1,19 @@
+export type WidgetScope = 'widgets:users-table:manage';
+export interface GetTokenOptions {
+    organizationId: string;
+    userId: string;
+    scopes: [WidgetScope];
+}
+export interface SerializedGetTokenOptions {
+    organization_id: string;
+    user_id: string;
+    scopes: [WidgetScope];
+}
+export declare const serializeGetTokenOptions: (options: GetTokenOptions) => SerializedGetTokenOptions;
+export interface GetTokenResponse {
+    token: string;
+}
+export interface GetTokenResponseResponse {
+    token: string;
+}
+export declare const deserializeGetTokenResponse: (data: GetTokenResponseResponse) => GetTokenResponse;

package/lib/widgets/interfaces/get-token.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deserializeGetTokenResponse = exports.serializeGetTokenOptions = void 0;
+const serializeGetTokenOptions = (options) => ({
+    organization_id: options.organizationId,
+    user_id: options.userId,
+    scopes: options.scopes,
+});
+exports.serializeGetTokenOptions = serializeGetTokenOptions;
+const deserializeGetTokenResponse = (data) => ({
+    token: data.token,
+});
+exports.deserializeGetTokenResponse = deserializeGetTokenResponse;

package/lib/widgets/widgets.d.ts

@@ -0,0 +1,7 @@
+import { WorkOS } from '../workos';
+import { GetTokenOptions } from './interfaces/get-token';
+export declare class Widgets {
+    private readonly workos;
+    constructor(workos: WorkOS);
+    getToken(payload: GetTokenOptions): Promise<string>;
+}

package/lib/widgets/widgets.js

@@ -0,0 +1,25 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Widgets = void 0;
+const get_token_1 = require("./interfaces/get-token");
+class Widgets {
+    constructor(workos) {
+        this.workos = workos;
+    }
+    getToken(payload) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { data } = yield this.workos.post('/widgets/token', (0, get_token_1.serializeGetTokenOptions)(payload));
+            return (0, get_token_1.deserializeGetTokenResponse)(data).token;
+        });
+    }
+}
+exports.Widgets = Widgets;

package/lib/widgets/widgets.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/widgets/widgets.spec.js

@@ -0,0 +1,49 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const jest_fetch_mock_1 = __importDefault(require("jest-fetch-mock"));
+const workos_1 = require("../workos");
+const test_utils_1 = require("../common/utils/test-utils");
+const token_json_1 = __importDefault(require("./fixtures/token.json"));
+const get_token_error_json_1 = __importDefault(require("./fixtures/get-token-error.json"));
+describe('Widgets', () => {
+    let workos;
+    beforeAll(() => {
+        workos = new workos_1.WorkOS('sk_test_Sz3IQjepeSWaI4cMS4ms4sMuU', {
+            apiHostname: 'api.workos.test',
+            clientId: 'proj_123',
+        });
+    });
+    beforeEach(() => jest_fetch_mock_1.default.resetMocks());
+    describe('getToken', () => {
+        it('sends a Get Token request', () => __awaiter(void 0, void 0, void 0, function* () {
+            (0, test_utils_1.fetchOnce)(token_json_1.default);
+            const token = yield workos.widgets.getToken({
+                organizationId: 'org_123',
+                userId: 'user_123',
+                scopes: ['widgets:users-table:manage'],
+            });
+            expect((0, test_utils_1.fetchURL)()).toContain('/widgets/token');
+            expect(token).toEqual('this.is.a.token');
+        }));
+        it('returns an error if the API returns an error', () => __awaiter(void 0, void 0, void 0, function* () {
+            (0, test_utils_1.fetchOnce)(get_token_error_json_1.default, { status: 404 });
+            yield expect(workos.widgets.getToken({
+                organizationId: 'org_123',
+                userId: 'user_123',
+                scopes: ['widgets:users-table:manage'],
+            })).rejects.toThrow("User not found 'user_123'");
+        }));
+    });
+});