@workos-inc/node 7.50.0 → 7.50.1

package/lib/actions/actions.js

@@ -10,12 +10,12 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Actions = void 0;
-const SignatureProvider_1 = require("../common/crypto/SignatureProvider");
+const signature_provider_1 = require("../common/crypto/signature-provider");
 const unreachable_1 = require("../common/utils/unreachable");
 const action_serializer_1 = require("./serializers/action.serializer");
 class Actions {
     constructor(cryptoProvider) {
-        this.signatureProvider = new SignatureProvider_1.SignatureProvider(cryptoProvider);
+        this.signatureProvider = new signature_provider_1.SignatureProvider(cryptoProvider);
     }
     get computeSignature() {
         return this.signatureProvider.computeSignature.bind(this.signatureProvider);

package/lib/actions/actions.spec.js

@@ -16,8 +16,8 @@ const crypto_1 = __importDefault(require("crypto"));
 const workos_1 = require("../workos");
 const authentication_action_context_json_1 = __importDefault(require("./fixtures/authentication-action-context.json"));
 const user_registration_action_context_json_1 = __importDefault(require("./fixtures/user-registration-action-context.json"));
+const node_crypto_provider_1 = require("../common/crypto/node-crypto-provider");
 const workos = new workos_1.WorkOS('sk_test_Sz3IQjepeSWaI4cMS4ms4sMuU');
-const NodeCryptoProvider_1 = require("../common/crypto/NodeCryptoProvider");
 describe('Actions', () => {
     let secret;
     beforeEach(() => {
@@ -36,7 +36,7 @@ describe('Actions', () => {
     describe('signResponse', () => {
         describe('type: authentication', () => {
             it('returns a signed response', () => __awaiter(void 0, void 0, void 0, function* () {
-                const nodeCryptoProvider = new NodeCryptoProvider_1.NodeCryptoProvider();
+                const nodeCryptoProvider = new node_crypto_provider_1.NodeCryptoProvider();
                 const response = yield workos.actions.signResponse({
                     type: 'authentication',
                     verdict: 'Allow',
@@ -51,7 +51,7 @@ describe('Actions', () => {
         });
         describe('type: user_registration', () => {
             it('returns a signed response', () => __awaiter(void 0, void 0, void 0, function* () {
-                const nodeCryptoProvider = new NodeCryptoProvider_1.NodeCryptoProvider();
+                const nodeCryptoProvider = new node_crypto_provider_1.NodeCryptoProvider();
                 const response = yield workos.actions.signResponse({
                     type: 'user_registration',
                     verdict: 'Deny',

package/lib/common/crypto/crypto-provider.d.ts

@@ -29,4 +29,37 @@ export declare abstract class CryptoProvider {
      * Cryptographically determine whether two signatures are equal
      */
     abstract secureCompare(stringA: string, stringB: string): Promise<boolean>;
+    /**
+     * Encrypts data using AES-256-GCM algorithm.
+     *
+     * @param plaintext The data to encrypt
+     * @param key The encryption key (should be 32 bytes for AES-256)
+     * @param iv Optional initialization vector (if not provided, a random one will be generated)
+     * @param aad Optional additional authenticated data
+     * @returns Object containing the encrypted ciphertext, the IV used, and the authentication tag
+     */
+    abstract encrypt(plaintext: Uint8Array, key: Uint8Array, iv?: Uint8Array, aad?: Uint8Array): Promise<{
+        ciphertext: Uint8Array;
+        iv: Uint8Array;
+        tag: Uint8Array;
+    }>;
+    /**
+     * Decrypts data that was encrypted using AES-256-GCM algorithm.
+     *
+     * @param ciphertext The encrypted data
+     * @param key The decryption key (must be the same key used for encryption)
+     * @param iv The initialization vector used during encryption
+     * @param tag The authentication tag produced during encryption
+     * @param aad Optional additional authenticated data (must match what was used during encryption)
+     * @returns The decrypted data
+     * @throws Will throw an error if authentication fails or the data has been tampered with
+     */
+    abstract decrypt(ciphertext: Uint8Array, key: Uint8Array, iv: Uint8Array, tag: Uint8Array, aad?: Uint8Array): Promise<Uint8Array>;
+    /**
+     * Generates cryptographically secure random bytes.
+     *
+     * @param length The number of random bytes to generate
+     * @returns A Uint8Array containing the random bytes
+     */
+    abstract randomBytes(length: number): Uint8Array;
 }

package/lib/common/crypto/{CryptoProvider.spec.js → crypto-provider.spec.js}

@@ -13,10 +13,10 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const crypto_1 = __importDefault(require("crypto"));
-const NodeCryptoProvider_1 = require("./NodeCryptoProvider");
-const SubtleCryptoProvider_1 = require("./SubtleCryptoProvider");
+const node_crypto_provider_1 = require("./node-crypto-provider");
+const subtle_crypto_provider_1 = require("./subtle-crypto-provider");
 const webhook_json_1 = __importDefault(require("../../webhooks/fixtures/webhook.json"));
-const SignatureProvider_1 = require("./SignatureProvider");
+const signature_provider_1 = require("./signature-provider");
 describe('CryptoProvider', () => {
     let payload;
     let secret;
@@ -35,8 +35,8 @@ describe('CryptoProvider', () => {
     });
     describe('when computing HMAC signature', () => {
         it('returns the same for the Node crypto and Web Crypto versions', () => __awaiter(void 0, void 0, void 0, function* () {
-            const nodeCryptoProvider = new NodeCryptoProvider_1.NodeCryptoProvider();
-            const subtleCryptoProvider = new SubtleCryptoProvider_1.SubtleCryptoProvider();
+            const nodeCryptoProvider = new node_crypto_provider_1.NodeCryptoProvider();
+            const subtleCryptoProvider = new subtle_crypto_provider_1.SubtleCryptoProvider();
             const stringifiedPayload = JSON.stringify(payload);
             const payloadHMAC = `${timestamp}.${stringifiedPayload}`;
             const nodeCompare = yield nodeCryptoProvider.computeHMACSignatureAsync(payloadHMAC, secret);
@@ -46,9 +46,9 @@ describe('CryptoProvider', () => {
     });
     describe('when securely comparing', () => {
         it('returns the same for the Node crypto and Web Crypto versions', () => __awaiter(void 0, void 0, void 0, function* () {
-            const nodeCryptoProvider = new NodeCryptoProvider_1.NodeCryptoProvider();
-            const subtleCryptoProvider = new SubtleCryptoProvider_1.SubtleCryptoProvider();
-            const signatureProvider = new SignatureProvider_1.SignatureProvider(subtleCryptoProvider);
+            const nodeCryptoProvider = new node_crypto_provider_1.NodeCryptoProvider();
+            const subtleCryptoProvider = new subtle_crypto_provider_1.SubtleCryptoProvider();
+            const signatureProvider = new signature_provider_1.SignatureProvider(subtleCryptoProvider);
             const signature = yield signatureProvider.computeSignature(timestamp, payload, secret);
             expect(nodeCryptoProvider.secureCompare(signature, signatureHash)).toEqual(subtleCryptoProvider.secureCompare(signature, signatureHash));
             expect(nodeCryptoProvider.secureCompare(signature, 'foo')).toEqual(subtleCryptoProvider.secureCompare(signature, 'foo'));

package/lib/common/crypto/node-crypto-provider.d.ts

@@ -9,4 +9,11 @@ export declare class NodeCryptoProvider extends CryptoProvider {
     computeHMACSignatureAsync(payload: string, secret: string): Promise<string>;
     /** @override */
     secureCompare(stringA: string, stringB: string): Promise<boolean>;
+    encrypt(plaintext: Uint8Array, key: Uint8Array, iv?: Uint8Array, aad?: Uint8Array): Promise<{
+        ciphertext: Uint8Array;
+        iv: Uint8Array;
+        tag: Uint8Array;
+    }>;
+    decrypt(ciphertext: Uint8Array, key: Uint8Array, iv: Uint8Array, tag: Uint8Array, aad?: Uint8Array): Promise<Uint8Array>;
+    randomBytes(length: number): Uint8Array;
 }

package/lib/common/crypto/node-crypto-provider.js

@@ -33,7 +33,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.NodeCryptoProvider = void 0;
-const crypto = __importStar(require("node:crypto"));
+const crypto = __importStar(require("crypto"));
 const crypto_provider_1 = require("./crypto-provider");
 /**
  * `CryptoProvider which uses the Node `crypto` package for its computations.
@@ -49,7 +49,7 @@ class NodeCryptoProvider extends crypto_provider_1.CryptoProvider {
     /** @override */
     computeHMACSignatureAsync(payload, secret) {
         return __awaiter(this, void 0, void 0, function* () {
-            const signature = yield this.computeHMACSignature(payload, secret);
+            const signature = this.computeHMACSignature(payload, secret);
             return signature;
         });
     }
@@ -69,5 +69,41 @@ class NodeCryptoProvider extends crypto_provider_1.CryptoProvider {
             return crypto.timingSafeEqual(hmacA, hmacB);
         });
     }
+    encrypt(plaintext, key, iv, aad) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const actualIv = iv || crypto.randomBytes(32);
+            const cipher = crypto.createCipheriv('aes-256-gcm', key, actualIv);
+            if (aad) {
+                cipher.setAAD(Buffer.from(aad));
+            }
+            const ciphertext = Buffer.concat([
+                cipher.update(Buffer.from(plaintext)),
+                cipher.final(),
+            ]);
+            const tag = cipher.getAuthTag();
+            return {
+                ciphertext: new Uint8Array(ciphertext),
+                iv: new Uint8Array(actualIv),
+                tag: new Uint8Array(tag),
+            };
+        });
+    }
+    decrypt(ciphertext, key, iv, tag, aad) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+            decipher.setAuthTag(Buffer.from(tag));
+            if (aad) {
+                decipher.setAAD(Buffer.from(aad));
+            }
+            const decrypted = Buffer.concat([
+                decipher.update(Buffer.from(ciphertext)),
+                decipher.final(),
+            ]);
+            return new Uint8Array(decrypted);
+        });
+    }
+    randomBytes(length) {
+        return new Uint8Array(crypto.randomBytes(length));
+    }
 }
 exports.NodeCryptoProvider = NodeCryptoProvider;

package/lib/common/crypto/{SignatureProvider.d.ts → signature-provider.d.ts}

@@ -1,4 +1,4 @@
-import { CryptoProvider } from './CryptoProvider';
+import { CryptoProvider } from './crypto-provider';
 export declare class SignatureProvider {
     private cryptoProvider;
     constructor(cryptoProvider: CryptoProvider);

package/lib/common/crypto/{SignatureProvider.spec.js → signature-provider.spec.js}

@@ -13,15 +13,15 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const crypto_1 = __importDefault(require("crypto"));
-const SubtleCryptoProvider_1 = require("./SubtleCryptoProvider");
+const subtle_crypto_provider_1 = require("./subtle-crypto-provider");
 const webhook_json_1 = __importDefault(require("../../webhooks/fixtures/webhook.json"));
-const SignatureProvider_1 = require("./SignatureProvider");
+const signature_provider_1 = require("./signature-provider");
 describe('SignatureProvider', () => {
     let payload;
     let secret;
     let timestamp;
     let signatureHash;
-    const signatureProvider = new SignatureProvider_1.SignatureProvider(new SubtleCryptoProvider_1.SubtleCryptoProvider());
+    const signatureProvider = new signature_provider_1.SignatureProvider(new subtle_crypto_provider_1.SubtleCryptoProvider());
     beforeEach(() => {
         payload = webhook_json_1.default;
         secret = 'secret';
@@ -60,7 +60,7 @@ describe('SignatureProvider', () => {
     describe('when in an environment that supports SubtleCrypto', () => {
         it('automatically uses the subtle crypto library', () => {
             // tslint:disable-next-line
-            expect(signatureProvider['cryptoProvider']).toBeInstanceOf(SubtleCryptoProvider_1.SubtleCryptoProvider);
+            expect(signatureProvider['cryptoProvider']).toBeInstanceOf(subtle_crypto_provider_1.SubtleCryptoProvider);
         });
     });
 });

package/lib/common/crypto/subtle-crypto-provider.d.ts

@@ -12,4 +12,11 @@ export declare class SubtleCryptoProvider extends CryptoProvider {
     computeHMACSignatureAsync(payload: string, secret: string): Promise<string>;
     /** @override */
     secureCompare(stringA: string, stringB: string): Promise<boolean>;
+    encrypt(plaintext: Uint8Array, key: Uint8Array, iv?: Uint8Array, aad?: Uint8Array): Promise<{
+        ciphertext: Uint8Array;
+        iv: Uint8Array;
+        tag: Uint8Array;
+    }>;
+    decrypt(ciphertext: Uint8Array, key: Uint8Array, iv: Uint8Array, tag: Uint8Array, aad?: Uint8Array): Promise<Uint8Array>;
+    randomBytes(length: number): Uint8Array;
 }

package/lib/common/crypto/subtle-crypto-provider.js

@@ -65,6 +65,54 @@ class SubtleCryptoProvider extends crypto_provider_1.CryptoProvider {
             return equal;
         });
     }
+    encrypt(plaintext, key, iv, aad) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const actualIv = iv || crypto.getRandomValues(new Uint8Array(32));
+            const cryptoKey = yield this.subtleCrypto.importKey('raw', key, { name: 'AES-GCM' }, false, ['encrypt']);
+            const encryptParams = {
+                name: 'AES-GCM',
+                iv: actualIv,
+            };
+            if (aad) {
+                encryptParams.additionalData = aad;
+            }
+            const encryptedData = yield this.subtleCrypto.encrypt(encryptParams, cryptoKey, plaintext);
+            const encryptedBytes = new Uint8Array(encryptedData);
+            // Extract tag (last 16 bytes)
+            const tagSize = 16;
+            const tagStart = encryptedBytes.length - tagSize;
+            const tag = encryptedBytes.slice(tagStart);
+            const ciphertext = encryptedBytes.slice(0, tagStart);
+            return {
+                ciphertext,
+                iv: actualIv,
+                tag,
+            };
+        });
+    }
+    decrypt(ciphertext, key, iv, tag, aad) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // SubtleCrypto expects tag to be appended to ciphertext for AES-GCM
+            const combinedData = new Uint8Array(ciphertext.length + tag.length);
+            combinedData.set(ciphertext, 0);
+            combinedData.set(tag, ciphertext.length);
+            const cryptoKey = yield this.subtleCrypto.importKey('raw', key, { name: 'AES-GCM' }, false, ['decrypt']);
+            const decryptParams = {
+                name: 'AES-GCM',
+                iv,
+            };
+            if (aad) {
+                decryptParams.additionalData = aad;
+            }
+            const decryptedData = yield this.subtleCrypto.decrypt(decryptParams, cryptoKey, combinedData);
+            return new Uint8Array(decryptedData);
+        });
+    }
+    randomBytes(length) {
+        const bytes = new Uint8Array(length);
+        crypto.getRandomValues(bytes);
+        return bytes;
+    }
 }
 exports.SubtleCryptoProvider = SubtleCryptoProvider;
 // Cached mapping of byte to hex representation. We do this once to avoid re-

package/lib/common/utils/base64.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Cross-runtime compatible base64 encoding/decoding utilities
+ * that work in both Node.js and browser environments
+ */
+/**
+ * Converts a base64 string to a Uint8Array
+ */
+export declare function base64ToUint8Array(base64: string): Uint8Array;
+/**
+ * Converts a Uint8Array to a base64 string
+ */
+export declare function uint8ArrayToBase64(bytes: Uint8Array): string;

package/lib/common/utils/base64.js

@@ -0,0 +1,52 @@
+"use strict";
+/**
+ * Cross-runtime compatible base64 encoding/decoding utilities
+ * that work in both Node.js and browser environments
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.uint8ArrayToBase64 = exports.base64ToUint8Array = void 0;
+/**
+ * Converts a base64 string to a Uint8Array
+ */
+function base64ToUint8Array(base64) {
+    // In browsers and modern Node.js
+    if (typeof atob === 'function') {
+        const binary = atob(base64);
+        const bytes = new Uint8Array(binary.length);
+        for (let i = 0; i < binary.length; i++) {
+            bytes[i] = binary.charCodeAt(i);
+        }
+        return bytes;
+    }
+    // Node.js fallback using Buffer
+    else if (typeof Buffer !== 'undefined') {
+        return new Uint8Array(Buffer.from(base64, 'base64'));
+    }
+    // Fallback implementation if neither is available
+    else {
+        throw new Error('No base64 decoding implementation available');
+    }
+}
+exports.base64ToUint8Array = base64ToUint8Array;
+/**
+ * Converts a Uint8Array to a base64 string
+ */
+function uint8ArrayToBase64(bytes) {
+    // In browsers and modern Node.js
+    if (typeof btoa === 'function') {
+        let binary = '';
+        for (let i = 0; i < bytes.byteLength; i++) {
+            binary += String.fromCharCode(bytes[i]);
+        }
+        return btoa(binary);
+    }
+    // Node.js fallback using Buffer
+    else if (typeof Buffer !== 'undefined') {
+        return Buffer.from(bytes).toString('base64');
+    }
+    // Fallback implementation if neither is available
+    else {
+        throw new Error('No base64 encoding implementation available');
+    }
+}
+exports.uint8ArrayToBase64 = uint8ArrayToBase64;

package/lib/index.d.ts

@@ -1,3 +1,4 @@
+import { CryptoProvider } from './common/crypto/crypto-provider';
 import { HttpClient } from './common/net/http-client';
 import { Actions } from './actions/actions';
 import { Webhooks } from './webhooks/webhooks';
@@ -25,6 +26,7 @@ declare class WorkOSNode extends WorkOS {
     createHttpClient(options: WorkOSOptions, userAgent: string): HttpClient;
     /** @override */
     createWebhookClient(): Webhooks;
+    getCryptoProvider(): CryptoProvider;
     /** @override */
     createActionsClient(): Actions;
     /** @override */

package/lib/index.js

@@ -54,6 +54,9 @@ class WorkOSNode extends workos_1.WorkOS {
     }
     /** @override */
     createWebhookClient() {
+        return new webhooks_1.Webhooks(this.getCryptoProvider());
+    }
+    getCryptoProvider() {
         let cryptoProvider;
         if (typeof crypto !== 'undefined' && typeof crypto.subtle !== 'undefined') {
             cryptoProvider = new subtle_crypto_provider_1.SubtleCryptoProvider();
@@ -61,18 +64,11 @@ class WorkOSNode extends workos_1.WorkOS {
         else {
             cryptoProvider = new node_crypto_provider_1.NodeCryptoProvider();
         }
-        return new webhooks_1.Webhooks(cryptoProvider);
+        return cryptoProvider;
     }
     /** @override */
     createActionsClient() {
-        let cryptoProvider;
-        if (typeof crypto !== 'undefined' && typeof crypto.subtle !== 'undefined') {
-            cryptoProvider = new subtle_crypto_provider_1.SubtleCryptoProvider();
-        }
-        else {
-            cryptoProvider = new node_crypto_provider_1.NodeCryptoProvider();
-        }
-        return new actions_1.Actions(cryptoProvider);
+        return new actions_1.Actions(this.getCryptoProvider());
     }
     /** @override */
     createIronSessionProvider() {

package/lib/index.worker.d.ts

@@ -1,4 +1,5 @@
 import { Actions } from './actions/actions';
+import { CryptoProvider } from './common/crypto/crypto-provider';
 import { IronSessionProvider } from './common/iron-session/iron-session-provider';
 import { HttpClient } from './common/net/http-client';
 import { WorkOSOptions } from './index.worker';
@@ -25,6 +26,7 @@ declare class WorkOSWorker extends WorkOS {
     createHttpClient(options: WorkOSOptions, userAgent: string): HttpClient;
     /** @override */
     createWebhookClient(): Webhooks;
+    getCryptoProvider(): CryptoProvider;
     /** @override */
     createActionsClient(): Actions;
     /** @override */

package/lib/index.worker.js

@@ -48,6 +48,9 @@ class WorkOSWorker extends workos_1.WorkOS {
         const cryptoProvider = new subtle_crypto_provider_1.SubtleCryptoProvider();
         return new webhooks_1.Webhooks(cryptoProvider);
     }
+    getCryptoProvider() {
+        return new subtle_crypto_provider_1.SubtleCryptoProvider();
+    }
     /** @override */
     createActionsClient() {
         const cryptoProvider = new subtle_crypto_provider_1.SubtleCryptoProvider();

package/lib/user-management/interfaces/update-user-options.interface.d.ts

@@ -8,7 +8,7 @@ export interface UpdateUserOptions {
     passwordHash?: string;
     passwordHashType?: PasswordHashType;
     externalId?: string;
-    metadata?: Record<string, string>;
+    metadata?: Record<string, string | null>;
 }
 export interface SerializedUpdateUserOptions {
     first_name?: string;
@@ -18,5 +18,5 @@ export interface SerializedUpdateUserOptions {
     password_hash?: string;
     password_hash_type?: PasswordHashType;
     external_id?: string;
-    metadata?: Record<string, string>;
+    metadata?: Record<string, string | null>;
 }

package/lib/user-management/user-management.spec.js

@@ -1112,6 +1112,16 @@ describe('UserManagement', () => {
                 metadata: { key: 'value' },
             });
         }));
+        it('removes metadata from the request', () => __awaiter(void 0, void 0, void 0, function* () {
+            (0, test_utils_1.fetchOnce)(user_json_1.default);
+            yield workos.userManagement.updateUser({
+                userId,
+                metadata: { key: null },
+            });
+            expect((0, test_utils_1.fetchBody)()).toMatchObject({
+                metadata: {},
+            });
+        }));
     });
     describe('enrollAuthFactor', () => {
         it('sends an enrollAuthFactor request', () => __awaiter(void 0, void 0, void 0, function* () {

package/lib/vault/vault.d.ts

@@ -1,10 +1,12 @@
-import { PaginationOptions } from '../index.worker';
-import { WorkOS } from '../workos';
-import { CreateDataKeyOptions, CreateObjectOptions, DataKey, DataKeyPair, DecryptDataKeyOptions, DeleteObjectOptions, ReadObjectOptions, KeyContext, ObjectDigest, ObjectMetadata, ObjectVersion, UpdateObjectOptions, VaultObject } from './interfaces';
 import { List } from '../common/interfaces';
+import { PaginationOptions } from '../index.worker';
+import type { WorkOS } from '../workos';
+import { CreateDataKeyOptions, CreateObjectOptions, DataKey, DataKeyPair, DecryptDataKeyOptions, DeleteObjectOptions, KeyContext, ObjectDigest, ObjectMetadata, ObjectVersion, ReadObjectOptions, UpdateObjectOptions, VaultObject } from './interfaces';
 export declare class Vault {
     private readonly workos;
+    private cryptoProvider;
     constructor(workos: WorkOS);
+    private decode;
     createObject(options: CreateObjectOptions): Promise<ObjectMetadata>;
     listObjects(options?: PaginationOptions | undefined): Promise<List<ObjectDigest>>;
     listObjectVersions(options: ReadObjectOptions): Promise<ObjectVersion[]>;

package/lib/vault/vault.js

@@ -10,8 +10,8 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Vault = void 0;
-const decrypt_1 = require("./cryptography/decrypt");
-const encrypt_1 = require("./cryptography/encrypt");
+const leb_1 = require("leb");
+const base64_1 = require("../common/utils/base64");
 const vault_key_serializer_1 = require("./serializers/vault-key.serializer");
 const vault_object_serializer_1 = require("./serializers/vault-object.serializer");
 class Vault {
@@ -45,6 +45,24 @@ class Vault {
          * @deprecated Use `deleteObject` instead.
          */
         this.deleteSecret = this.deleteObject;
+        this.cryptoProvider = workos.getCryptoProvider();
+    }
+    decode(payload) {
+        const inputData = (0, base64_1.base64ToUint8Array)(payload);
+        // Use 12 bytes for IV (standard for AES-GCM)
+        const iv = new Uint8Array(inputData.subarray(0, 12));
+        const tag = new Uint8Array(inputData.subarray(12, 28));
+        const { value: keyLen, nextIndex } = (0, leb_1.decodeUInt32)(inputData, 28);
+        // Use subarray instead of slice and convert directly to base64
+        const keysBuffer = inputData.subarray(nextIndex, nextIndex + keyLen);
+        const keys = (0, base64_1.uint8ArrayToBase64)(keysBuffer);
+        const ciphertext = new Uint8Array(inputData.subarray(nextIndex + keyLen));
+        return {
+            iv,
+            tag,
+            keys,
+            ciphertext,
+        };
     }
     createObject(options) {
         return __awaiter(this, void 0, void 0, function* () {
@@ -108,17 +126,53 @@ class Vault {
     }
     encrypt(data, context, associatedData) {
         return __awaiter(this, void 0, void 0, function* () {
-            const { dataKey, encryptedKeys } = yield this.createDataKey({
+            const keyPair = yield this.createDataKey({
                 context,
             });
-            return (0, encrypt_1.encrypt)(data, dataKey.key, encryptedKeys, associatedData || '');
+            // Convert base64 key to Uint8Array
+            const encoder = new TextEncoder();
+            // Use our cross-runtime base64 utility
+            const key = (0, base64_1.base64ToUint8Array)(keyPair.dataKey.key);
+            const keyBlob = (0, base64_1.base64ToUint8Array)(keyPair.encryptedKeys);
+            const prefixLenBuffer = (0, leb_1.encodeUInt32)(keyBlob.length);
+            const aadBuffer = associatedData
+                ? encoder.encode(associatedData)
+                : undefined;
+            // Use a 12-byte IV for AES-GCM (industry standard)
+            const iv = this.cryptoProvider.randomBytes(12);
+            const { ciphertext, iv: resultIv, tag, } = yield this.cryptoProvider.encrypt(encoder.encode(data), key, iv, aadBuffer);
+            // Concatenate all parts into a single array
+            const resultArray = new Uint8Array(resultIv.length +
+                tag.length +
+                prefixLenBuffer.length +
+                keyBlob.length +
+                ciphertext.length);
+            let offset = 0;
+            resultArray.set(resultIv, offset);
+            offset += resultIv.length;
+            resultArray.set(tag, offset);
+            offset += tag.length;
+            resultArray.set(new Uint8Array(prefixLenBuffer), offset);
+            offset += prefixLenBuffer.length;
+            resultArray.set(keyBlob, offset);
+            offset += keyBlob.length;
+            resultArray.set(ciphertext, offset);
+            // Convert to base64 using our cross-runtime utility
+            return (0, base64_1.uint8ArrayToBase64)(resultArray);
         });
     }
     decrypt(encryptedData, associatedData) {
         return __awaiter(this, void 0, void 0, function* () {
-            const decoded = (0, decrypt_1.decode)(encryptedData);
+            const decoded = this.decode(encryptedData);
             const dataKey = yield this.decryptDataKey({ keys: decoded.keys });
-            return (0, decrypt_1.decrypt)(decoded, dataKey.key, associatedData || '');
+            // Convert base64 key to Uint8Array using our cross-runtime utility
+            const key = (0, base64_1.base64ToUint8Array)(dataKey.key);
+            const encoder = new TextEncoder();
+            const aadBuffer = associatedData
+                ? encoder.encode(associatedData)
+                : undefined;
+            const decrypted = yield this.cryptoProvider.decrypt(decoded.ciphertext, key, decoded.iv, decoded.tag, aadBuffer);
+            return new TextDecoder().decode(decrypted);
         });
     }
 }

package/lib/vault/vault.spec.js

@@ -244,4 +244,43 @@ describe('Vault', () => {
             expect((0, test_utils_1.fetchMethod)()).toBe('PUT');
         }));
     });
+    describe('encrypt and decrypt', () => {
+        it('correctly encrypts and decrypts data', () => __awaiter(void 0, void 0, void 0, function* () {
+            // Generate a valid 32-byte (256-bit) key for AES-256-GCM
+            const validKey = Buffer.alloc(32).fill('A').toString('base64');
+            // Mock createDataKey to return a valid key for testing
+            (0, test_utils_1.fetchOnce)({
+                data_key: validKey,
+                encrypted_keys: 'ZW5jcnlwdGVkX2tleXM=',
+                id: 'key123',
+                context: { type: 'test' },
+            });
+            // Mock decryptDataKey to return same key
+            (0, test_utils_1.fetchOnce)({
+                data_key: validKey,
+                id: 'key123',
+            });
+            const originalText = 'This is a secret message';
+            const context = { type: 'test' };
+            const associatedData = 'additional-auth-data';
+            // Encrypt the data
+            const encrypted = yield workos.vault.encrypt(originalText, context, associatedData);
+            // Verify encrypt API call
+            expect((0, test_utils_1.fetchURL)()).toContain('/vault/v1/keys/data-key');
+            expect((0, test_utils_1.fetchMethod)()).toBe('POST');
+            // Reset fetch for the decrypt call
+            jest_fetch_mock_1.default.resetMocks();
+            (0, test_utils_1.fetchOnce)({
+                data_key: validKey,
+                id: 'key123',
+            });
+            // Decrypt the data
+            const decrypted = yield workos.vault.decrypt(encrypted, associatedData);
+            // Verify decrypt API call
+            expect((0, test_utils_1.fetchURL)()).toContain('/vault/v1/keys/decrypt');
+            expect((0, test_utils_1.fetchMethod)()).toBe('POST');
+            // Verify the decrypted text matches the original
+            expect(decrypted).toBe(originalText);
+        }));
+    });
 });

package/lib/webhooks/webhooks.js

@@ -11,10 +11,10 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Webhooks = void 0;
 const serializers_1 = require("../common/serializers");
-const SignatureProvider_1 = require("../common/crypto/SignatureProvider");
+const signature_provider_1 = require("../common/crypto/signature-provider");
 class Webhooks {
     constructor(cryptoProvider) {
-        this.signatureProvider = new SignatureProvider_1.SignatureProvider(cryptoProvider);
+        this.signatureProvider = new signature_provider_1.SignatureProvider(cryptoProvider);
     }
     get verifyHeader() {
         return this.signatureProvider.verifyHeader.bind(this.signatureProvider);

package/lib/workos.d.ts

@@ -16,6 +16,7 @@ import { IronSessionProvider } from './common/iron-session/iron-session-provider
 import { Widgets } from './widgets/widgets';
 import { Actions } from './actions/actions';
 import { Vault } from './vault/vault';
+import { CryptoProvider } from './common/crypto/crypto-provider';
 export declare class WorkOS {
     readonly key?: string | undefined;
     readonly options: WorkOSOptions;
@@ -40,6 +41,7 @@ export declare class WorkOS {
     constructor(key?: string | undefined, options?: WorkOSOptions);
     createWebhookClient(): Webhooks;
     createActionsClient(): Actions;
+    getCryptoProvider(): CryptoProvider;
     createHttpClient(options: WorkOSOptions, userAgent: string): HttpClient;
     createIronSessionProvider(): IronSessionProvider;
     get version(): string;

package/lib/workos.js

@@ -31,7 +31,7 @@ const widgets_1 = require("./widgets/widgets");
 const actions_1 = require("./actions/actions");
 const vault_1 = require("./vault/vault");
 const conflict_exception_1 = require("./common/exceptions/conflict.exception");
-const VERSION = '7.50.0';
+const VERSION = '7.50.1';
 const DEFAULT_HOSTNAME = 'api.workos.com';
 const HEADER_AUTHORIZATION = 'Authorization';
 const HEADER_IDEMPOTENCY_KEY = 'Idempotency-Key';
@@ -88,10 +88,13 @@ class WorkOS {
         this.client = this.createHttpClient(options, userAgent);
     }
     createWebhookClient() {
-        return new webhooks_1.Webhooks(new subtle_crypto_provider_1.SubtleCryptoProvider());
+        return new webhooks_1.Webhooks(this.getCryptoProvider());
     }
     createActionsClient() {
-        return new actions_1.Actions(new subtle_crypto_provider_1.SubtleCryptoProvider());
+        return new actions_1.Actions(this.getCryptoProvider());
+    }
+    getCryptoProvider() {
+        return new subtle_crypto_provider_1.SubtleCryptoProvider();
     }
     createHttpClient(options, userAgent) {
         var _a;

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "7.50.0",
+  "version": "7.50.1",
   "name": "@workos-inc/node",
   "author": "WorkOS",
   "description": "A Node wrapper for the WorkOS API",

package/lib/common/crypto/CryptoProvider.d.ts

@@ -1,32 +0,0 @@
-/**
- * Interface encapsulating the various crypto computations used by the library,
- * allowing pluggable underlying crypto implementations.
- */
-export declare abstract class CryptoProvider {
-    encoder: TextEncoder;
-    /**
-     * Computes a SHA-256 HMAC given a secret and a payload (encoded in UTF-8).
-     * The output HMAC should be encoded in hexadecimal.
-     *
-     * Sample values for implementations:
-     * - computeHMACSignature('', 'test_secret') => 'f7f9bd47fb987337b5796fdc1fdb9ba221d0d5396814bfcaf9521f43fd8927fd'
-     * - computeHMACSignature('\ud83d\ude00', 'test_secret') => '837da296d05c4fe31f61d5d7ead035099d9585a5bcde87de952012a78f0b0c43
-     */
-    abstract computeHMACSignature(payload: string, secret: string): string;
-    /**
-     * Asynchronous version of `computeHMACSignature`. Some implementations may
-     * only allow support async signature computation.
-     *
-     * Computes a SHA-256 HMAC given a secret and a payload (encoded in UTF-8).
-     * The output HMAC should be encoded in hexadecimal.
-     *
-     * Sample values for implementations:
-     * - computeHMACSignature('', 'test_secret') => 'f7f9bd47fb987337b5796fdc1fdb9ba221d0d5396814bfcaf9521f43fd8927fd'
-     * - computeHMACSignature('\ud83d\ude00', 'test_secret') => '837da296d05c4fe31f61d5d7ead035099d9585a5bcde87de952012a78f0b0c43
-     */
-    abstract computeHMACSignatureAsync(payload: string, secret: string): Promise<string>;
-    /**
-     * Cryptographically determine whether two signatures are equal
-     */
-    abstract secureCompare(stringA: string, stringB: string): Promise<boolean>;
-}

package/lib/common/crypto/CryptoProvider.js

@@ -1,13 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.CryptoProvider = void 0;
-/**
- * Interface encapsulating the various crypto computations used by the library,
- * allowing pluggable underlying crypto implementations.
- */
-class CryptoProvider {
-    constructor() {
-        this.encoder = new TextEncoder();
-    }
-}
-exports.CryptoProvider = CryptoProvider;

package/lib/common/crypto/NodeCryptoProvider.d.ts

@@ -1,12 +0,0 @@
-import { CryptoProvider } from './CryptoProvider';
-/**
- * `CryptoProvider which uses the Node `crypto` package for its computations.
- */
-export declare class NodeCryptoProvider extends CryptoProvider {
-    /** @override */
-    computeHMACSignature(payload: string, secret: string): string;
-    /** @override */
-    computeHMACSignatureAsync(payload: string, secret: string): Promise<string>;
-    /** @override */
-    secureCompare(stringA: string, stringB: string): Promise<boolean>;
-}

package/lib/common/crypto/NodeCryptoProvider.js

@@ -1,73 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.NodeCryptoProvider = void 0;
-const crypto = __importStar(require("crypto"));
-const CryptoProvider_1 = require("./CryptoProvider");
-/**
- * `CryptoProvider which uses the Node `crypto` package for its computations.
- */
-class NodeCryptoProvider extends CryptoProvider_1.CryptoProvider {
-    /** @override */
-    computeHMACSignature(payload, secret) {
-        return crypto
-            .createHmac('sha256', secret)
-            .update(payload, 'utf8')
-            .digest('hex');
-    }
-    /** @override */
-    computeHMACSignatureAsync(payload, secret) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const signature = yield this.computeHMACSignature(payload, secret);
-            return signature;
-        });
-    }
-    /** @override */
-    secureCompare(stringA, stringB) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const bufferA = this.encoder.encode(stringA);
-            const bufferB = this.encoder.encode(stringB);
-            if (bufferA.length !== bufferB.length) {
-                return false;
-            }
-            // Generate a random key for HMAC
-            const key = crypto.randomBytes(32); // Generates a 256-bit key
-            const hmacA = crypto.createHmac('sha256', key).update(bufferA).digest();
-            const hmacB = crypto.createHmac('sha256', key).update(bufferB).digest();
-            // Perform a constant time comparison
-            return crypto.timingSafeEqual(hmacA, hmacB);
-        });
-    }
-}
-exports.NodeCryptoProvider = NodeCryptoProvider;

package/lib/common/crypto/SubtleCryptoProvider.d.ts

@@ -1,15 +0,0 @@
-import { CryptoProvider } from './CryptoProvider';
-/**
- * `CryptoProvider which uses the SubtleCrypto interface of the Web Crypto API.
- *
- * This only supports asynchronous operations.
- */
-export declare class SubtleCryptoProvider extends CryptoProvider {
-    subtleCrypto: SubtleCrypto;
-    constructor(subtleCrypto?: SubtleCrypto);
-    computeHMACSignature(_payload: string, _secret: string): string;
-    /** @override */
-    computeHMACSignatureAsync(payload: string, secret: string): Promise<string>;
-    /** @override */
-    secureCompare(stringA: string, stringB: string): Promise<boolean>;
-}

package/lib/common/crypto/SubtleCryptoProvider.js

@@ -1,75 +0,0 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.SubtleCryptoProvider = void 0;
-const CryptoProvider_1 = require("./CryptoProvider");
-/**
- * `CryptoProvider which uses the SubtleCrypto interface of the Web Crypto API.
- *
- * This only supports asynchronous operations.
- */
-class SubtleCryptoProvider extends CryptoProvider_1.CryptoProvider {
-    constructor(subtleCrypto) {
-        super();
-        // If no subtle crypto is interface, default to the global namespace. This
-        // is to allow custom interfaces (eg. using the Node webcrypto interface in
-        // tests).
-        this.subtleCrypto = subtleCrypto || crypto.subtle;
-    }
-    computeHMACSignature(_payload, _secret) {
-        throw new Error('SubleCryptoProvider cannot be used in a synchronous context.');
-    }
-    /** @override */
-    computeHMACSignatureAsync(payload, secret) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const encoder = new TextEncoder();
-            const key = yield this.subtleCrypto.importKey('raw', encoder.encode(secret), {
-                name: 'HMAC',
-                hash: { name: 'SHA-256' },
-            }, false, ['sign']);
-            const signatureBuffer = yield this.subtleCrypto.sign('hmac', key, encoder.encode(payload));
-            // crypto.subtle returns the signature in base64 format. This must be
-            // encoded in hex to match the CryptoProvider contract. We map each byte in
-            // the buffer to its corresponding hex octet and then combine into a string.
-            const signatureBytes = new Uint8Array(signatureBuffer);
-            const signatureHexCodes = new Array(signatureBytes.length);
-            for (let i = 0; i < signatureBytes.length; i++) {
-                signatureHexCodes[i] = byteHexMapping[signatureBytes[i]];
-            }
-            return signatureHexCodes.join('');
-        });
-    }
-    /** @override */
-    secureCompare(stringA, stringB) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const bufferA = this.encoder.encode(stringA);
-            const bufferB = this.encoder.encode(stringB);
-            if (bufferA.length !== bufferB.length) {
-                return false;
-            }
-            const algorithm = { name: 'HMAC', hash: 'SHA-256' };
-            const key = (yield crypto.subtle.generateKey(algorithm, false, [
-                'sign',
-                'verify',
-            ]));
-            const hmac = yield crypto.subtle.sign(algorithm, key, bufferA);
-            const equal = yield crypto.subtle.verify(algorithm, key, hmac, bufferB);
-            return equal;
-        });
-    }
-}
-exports.SubtleCryptoProvider = SubtleCryptoProvider;
-// Cached mapping of byte to hex representation. We do this once to avoid re-
-// computing every time we need to convert the result of a signature to hex.
-const byteHexMapping = new Array(256);
-for (let i = 0; i < byteHexMapping.length; i++) {
-    byteHexMapping[i] = i.toString(16).padStart(2, '0');
-}

package/lib/vault/cryptography/decrypt.d.ts

@@ -1,9 +0,0 @@
-/// <reference types="node" />
-export interface Decoded {
-    iv: Buffer;
-    tag: Buffer;
-    keys: string;
-    ciphertext: Buffer;
-}
-export declare const decrypt: (payload: string | Decoded, dataKey: string, aad: string) => string;
-export declare const decode: (payload: string) => Decoded;

package/lib/vault/cryptography/decrypt.js

@@ -1,39 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.decode = exports.decrypt = void 0;
-const crypto_1 = __importDefault(require("crypto"));
-const leb_1 = require("leb");
-const decrypt = (payload, dataKey, aad) => {
-    if (typeof payload === 'string') {
-        payload = (0, exports.decode)(payload);
-    }
-    const { iv, tag, ciphertext } = payload;
-    const key = Buffer.from(dataKey, 'base64');
-    const decipher = crypto_1.default
-        .createDecipheriv('aes-256-gcm', key, iv)
-        .setAAD(Buffer.from(aad))
-        .setAuthTag(tag);
-    const decrypted = decipher.update(ciphertext, undefined, 'utf-8') + decipher.final('utf-8');
-    return decrypted;
-};
-exports.decrypt = decrypt;
-const decode = (payload) => {
-    const inputData = Buffer.from(payload, 'base64');
-    const iv = inputData.slice(0, 32);
-    const tag = inputData.slice(32, 48);
-    const { value: keyLen, nextIndex } = (0, leb_1.decodeUInt32)(inputData, 48);
-    const keys = inputData
-        .slice(nextIndex, nextIndex + keyLen)
-        .toString('base64');
-    const ciphertext = inputData.slice(nextIndex + keyLen);
-    return {
-        iv,
-        tag,
-        keys,
-        ciphertext,
-    };
-};
-exports.decode = decode;

package/lib/vault/cryptography/encrypt.d.ts

@@ -1 +0,0 @@
-export declare const encrypt: (data: string, dataKey: string, encryptedKeys: string, aad: string) => string;

package/lib/vault/cryptography/encrypt.js

@@ -1,33 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.encrypt = void 0;
-const crypto_1 = __importDefault(require("crypto"));
-const leb_1 = require("leb");
-const encrypt = (data, dataKey, encryptedKeys, aad) => {
-    // encrypt using the returned data key
-    const key = Buffer.from(dataKey, 'base64');
-    const keyBlob = Buffer.from(encryptedKeys, 'base64');
-    const prefixLen = (0, leb_1.encodeUInt32)(keyBlob.length);
-    const iv = crypto_1.default.randomBytes(32);
-    const cipher = crypto_1.default
-        .createCipheriv('aes-256-gcm', key, iv)
-        .setAAD(Buffer.from(aad));
-    const ciphertext = Buffer.concat([
-        cipher.update(data, 'utf8'),
-        cipher.final(),
-    ]);
-    const tag = cipher.getAuthTag();
-    // store the encrypted keys with the ciphertext
-    const payload = Buffer.concat([
-        iv,
-        tag,
-        prefixLen,
-        keyBlob,
-        ciphertext,
-    ]).toString('base64');
-    return payload;
-};
-exports.encrypt = encrypt;