@workos-inc/node 7.50.0 → 7.51.0

package/lib/actions/actions.js

@@ -10,12 +10,12 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Actions = void 0;
-const SignatureProvider_1 = require("../common/crypto/SignatureProvider");
+const signature_provider_1 = require("../common/crypto/signature-provider");
 const unreachable_1 = require("../common/utils/unreachable");
 const action_serializer_1 = require("./serializers/action.serializer");
 class Actions {
     constructor(cryptoProvider) {
-        this.signatureProvider = new SignatureProvider_1.SignatureProvider(cryptoProvider);
+        this.signatureProvider = new signature_provider_1.SignatureProvider(cryptoProvider);
     }
     get computeSignature() {
         return this.signatureProvider.computeSignature.bind(this.signatureProvider);

package/lib/actions/actions.spec.js

@@ -16,8 +16,8 @@ const crypto_1 = __importDefault(require("crypto"));
 const workos_1 = require("../workos");
 const authentication_action_context_json_1 = __importDefault(require("./fixtures/authentication-action-context.json"));
 const user_registration_action_context_json_1 = __importDefault(require("./fixtures/user-registration-action-context.json"));
+const node_crypto_provider_1 = require("../common/crypto/node-crypto-provider");
 const workos = new workos_1.WorkOS('sk_test_Sz3IQjepeSWaI4cMS4ms4sMuU');
-const NodeCryptoProvider_1 = require("../common/crypto/NodeCryptoProvider");
 describe('Actions', () => {
     let secret;
     beforeEach(() => {
@@ -36,7 +36,7 @@ describe('Actions', () => {
     describe('signResponse', () => {
         describe('type: authentication', () => {
             it('returns a signed response', () => __awaiter(void 0, void 0, void 0, function* () {
-                const nodeCryptoProvider = new NodeCryptoProvider_1.NodeCryptoProvider();
+                const nodeCryptoProvider = new node_crypto_provider_1.NodeCryptoProvider();
                 const response = yield workos.actions.signResponse({
                     type: 'authentication',
                     verdict: 'Allow',
@@ -51,7 +51,7 @@ describe('Actions', () => {
         });
         describe('type: user_registration', () => {
             it('returns a signed response', () => __awaiter(void 0, void 0, void 0, function* () {
-                const nodeCryptoProvider = new NodeCryptoProvider_1.NodeCryptoProvider();
+                const nodeCryptoProvider = new node_crypto_provider_1.NodeCryptoProvider();
                 const response = yield workos.actions.signResponse({
                     type: 'user_registration',
                     verdict: 'Deny',

package/lib/common/crypto/crypto-provider.d.ts

@@ -29,4 +29,37 @@ export declare abstract class CryptoProvider {
      * Cryptographically determine whether two signatures are equal
      */
     abstract secureCompare(stringA: string, stringB: string): Promise<boolean>;
+    /**
+     * Encrypts data using AES-256-GCM algorithm.
+     *
+     * @param plaintext The data to encrypt
+     * @param key The encryption key (should be 32 bytes for AES-256)
+     * @param iv Optional initialization vector (if not provided, a random one will be generated)
+     * @param aad Optional additional authenticated data
+     * @returns Object containing the encrypted ciphertext, the IV used, and the authentication tag
+     */
+    abstract encrypt(plaintext: Uint8Array, key: Uint8Array, iv?: Uint8Array, aad?: Uint8Array): Promise<{
+        ciphertext: Uint8Array;
+        iv: Uint8Array;
+        tag: Uint8Array;
+    }>;
+    /**
+     * Decrypts data that was encrypted using AES-256-GCM algorithm.
+     *
+     * @param ciphertext The encrypted data
+     * @param key The decryption key (must be the same key used for encryption)
+     * @param iv The initialization vector used during encryption
+     * @param tag The authentication tag produced during encryption
+     * @param aad Optional additional authenticated data (must match what was used during encryption)
+     * @returns The decrypted data
+     * @throws Will throw an error if authentication fails or the data has been tampered with
+     */
+    abstract decrypt(ciphertext: Uint8Array, key: Uint8Array, iv: Uint8Array, tag: Uint8Array, aad?: Uint8Array): Promise<Uint8Array>;
+    /**
+     * Generates cryptographically secure random bytes.
+     *
+     * @param length The number of random bytes to generate
+     * @returns A Uint8Array containing the random bytes
+     */
+    abstract randomBytes(length: number): Uint8Array;
 }

package/lib/common/crypto/{CryptoProvider.spec.js → crypto-provider.spec.js}

@@ -13,10 +13,10 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const crypto_1 = __importDefault(require("crypto"));
-const NodeCryptoProvider_1 = require("./NodeCryptoProvider");
-const SubtleCryptoProvider_1 = require("./SubtleCryptoProvider");
+const node_crypto_provider_1 = require("./node-crypto-provider");
+const subtle_crypto_provider_1 = require("./subtle-crypto-provider");
 const webhook_json_1 = __importDefault(require("../../webhooks/fixtures/webhook.json"));
-const SignatureProvider_1 = require("./SignatureProvider");
+const signature_provider_1 = require("./signature-provider");
 describe('CryptoProvider', () => {
     let payload;
     let secret;
@@ -35,8 +35,8 @@ describe('CryptoProvider', () => {
     });
     describe('when computing HMAC signature', () => {
         it('returns the same for the Node crypto and Web Crypto versions', () => __awaiter(void 0, void 0, void 0, function* () {
-            const nodeCryptoProvider = new NodeCryptoProvider_1.NodeCryptoProvider();
-            const subtleCryptoProvider = new SubtleCryptoProvider_1.SubtleCryptoProvider();
+            const nodeCryptoProvider = new node_crypto_provider_1.NodeCryptoProvider();
+            const subtleCryptoProvider = new subtle_crypto_provider_1.SubtleCryptoProvider();
             const stringifiedPayload = JSON.stringify(payload);
             const payloadHMAC = `${timestamp}.${stringifiedPayload}`;
             const nodeCompare = yield nodeCryptoProvider.computeHMACSignatureAsync(payloadHMAC, secret);
@@ -46,9 +46,9 @@ describe('CryptoProvider', () => {
     });
     describe('when securely comparing', () => {
         it('returns the same for the Node crypto and Web Crypto versions', () => __awaiter(void 0, void 0, void 0, function* () {
-            const nodeCryptoProvider = new NodeCryptoProvider_1.NodeCryptoProvider();
-            const subtleCryptoProvider = new SubtleCryptoProvider_1.SubtleCryptoProvider();
-            const signatureProvider = new SignatureProvider_1.SignatureProvider(subtleCryptoProvider);
+            const nodeCryptoProvider = new node_crypto_provider_1.NodeCryptoProvider();
+            const subtleCryptoProvider = new subtle_crypto_provider_1.SubtleCryptoProvider();
+            const signatureProvider = new signature_provider_1.SignatureProvider(subtleCryptoProvider);
             const signature = yield signatureProvider.computeSignature(timestamp, payload, secret);
             expect(nodeCryptoProvider.secureCompare(signature, signatureHash)).toEqual(subtleCryptoProvider.secureCompare(signature, signatureHash));
             expect(nodeCryptoProvider.secureCompare(signature, 'foo')).toEqual(subtleCryptoProvider.secureCompare(signature, 'foo'));

package/lib/common/crypto/node-crypto-provider.d.ts

@@ -9,4 +9,11 @@ export declare class NodeCryptoProvider extends CryptoProvider {
     computeHMACSignatureAsync(payload: string, secret: string): Promise<string>;
     /** @override */
     secureCompare(stringA: string, stringB: string): Promise<boolean>;
+    encrypt(plaintext: Uint8Array, key: Uint8Array, iv?: Uint8Array, aad?: Uint8Array): Promise<{
+        ciphertext: Uint8Array;
+        iv: Uint8Array;
+        tag: Uint8Array;
+    }>;
+    decrypt(ciphertext: Uint8Array, key: Uint8Array, iv: Uint8Array, tag: Uint8Array, aad?: Uint8Array): Promise<Uint8Array>;
+    randomBytes(length: number): Uint8Array;
 }

package/lib/common/crypto/node-crypto-provider.js

@@ -33,7 +33,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.NodeCryptoProvider = void 0;
-const crypto = __importStar(require("node:crypto"));
+const crypto = __importStar(require("crypto"));
 const crypto_provider_1 = require("./crypto-provider");
 /**
  * `CryptoProvider which uses the Node `crypto` package for its computations.
@@ -49,7 +49,7 @@ class NodeCryptoProvider extends crypto_provider_1.CryptoProvider {
     /** @override */
     computeHMACSignatureAsync(payload, secret) {
         return __awaiter(this, void 0, void 0, function* () {
-            const signature = yield this.computeHMACSignature(payload, secret);
+            const signature = this.computeHMACSignature(payload, secret);
             return signature;
         });
     }
@@ -69,5 +69,41 @@ class NodeCryptoProvider extends crypto_provider_1.CryptoProvider {
             return crypto.timingSafeEqual(hmacA, hmacB);
         });
     }
+    encrypt(plaintext, key, iv, aad) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const actualIv = iv || crypto.randomBytes(32);
+            const cipher = crypto.createCipheriv('aes-256-gcm', key, actualIv);
+            if (aad) {
+                cipher.setAAD(Buffer.from(aad));
+            }
+            const ciphertext = Buffer.concat([
+                cipher.update(Buffer.from(plaintext)),
+                cipher.final(),
+            ]);
+            const tag = cipher.getAuthTag();
+            return {
+                ciphertext: new Uint8Array(ciphertext),
+                iv: new Uint8Array(actualIv),
+                tag: new Uint8Array(tag),
+            };
+        });
+    }
+    decrypt(ciphertext, key, iv, tag, aad) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+            decipher.setAuthTag(Buffer.from(tag));
+            if (aad) {
+                decipher.setAAD(Buffer.from(aad));
+            }
+            const decrypted = Buffer.concat([
+                decipher.update(Buffer.from(ciphertext)),
+                decipher.final(),
+            ]);
+            return new Uint8Array(decrypted);
+        });
+    }
+    randomBytes(length) {
+        return new Uint8Array(crypto.randomBytes(length));
+    }
 }
 exports.NodeCryptoProvider = NodeCryptoProvider;

package/lib/common/crypto/{SignatureProvider.d.ts → signature-provider.d.ts}

@@ -1,4 +1,4 @@
-import { CryptoProvider } from './CryptoProvider';
+import { CryptoProvider } from './crypto-provider';
 export declare class SignatureProvider {
     private cryptoProvider;
     constructor(cryptoProvider: CryptoProvider);

package/lib/common/crypto/{SignatureProvider.spec.js → signature-provider.spec.js}

@@ -13,15 +13,15 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const crypto_1 = __importDefault(require("crypto"));
-const SubtleCryptoProvider_1 = require("./SubtleCryptoProvider");
+const subtle_crypto_provider_1 = require("./subtle-crypto-provider");
 const webhook_json_1 = __importDefault(require("../../webhooks/fixtures/webhook.json"));
-const SignatureProvider_1 = require("./SignatureProvider");
+const signature_provider_1 = require("./signature-provider");
 describe('SignatureProvider', () => {
     let payload;
     let secret;
     let timestamp;
     let signatureHash;
-    const signatureProvider = new SignatureProvider_1.SignatureProvider(new SubtleCryptoProvider_1.SubtleCryptoProvider());
+    const signatureProvider = new signature_provider_1.SignatureProvider(new subtle_crypto_provider_1.SubtleCryptoProvider());
     beforeEach(() => {
         payload = webhook_json_1.default;
         secret = 'secret';
@@ -60,7 +60,7 @@ describe('SignatureProvider', () => {
     describe('when in an environment that supports SubtleCrypto', () => {
         it('automatically uses the subtle crypto library', () => {
             // tslint:disable-next-line
-            expect(signatureProvider['cryptoProvider']).toBeInstanceOf(SubtleCryptoProvider_1.SubtleCryptoProvider);
+            expect(signatureProvider['cryptoProvider']).toBeInstanceOf(subtle_crypto_provider_1.SubtleCryptoProvider);
         });
     });
 });

package/lib/common/crypto/subtle-crypto-provider.d.ts

@@ -12,4 +12,11 @@ export declare class SubtleCryptoProvider extends CryptoProvider {
     computeHMACSignatureAsync(payload: string, secret: string): Promise<string>;
     /** @override */
     secureCompare(stringA: string, stringB: string): Promise<boolean>;
+    encrypt(plaintext: Uint8Array, key: Uint8Array, iv?: Uint8Array, aad?: Uint8Array): Promise<{
+        ciphertext: Uint8Array;
+        iv: Uint8Array;
+        tag: Uint8Array;
+    }>;
+    decrypt(ciphertext: Uint8Array, key: Uint8Array, iv: Uint8Array, tag: Uint8Array, aad?: Uint8Array): Promise<Uint8Array>;
+    randomBytes(length: number): Uint8Array;
 }

package/lib/common/crypto/subtle-crypto-provider.js

@@ -65,6 +65,54 @@ class SubtleCryptoProvider extends crypto_provider_1.CryptoProvider {
             return equal;
         });
     }
+    encrypt(plaintext, key, iv, aad) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const actualIv = iv || crypto.getRandomValues(new Uint8Array(32));
+            const cryptoKey = yield this.subtleCrypto.importKey('raw', key, { name: 'AES-GCM' }, false, ['encrypt']);
+            const encryptParams = {
+                name: 'AES-GCM',
+                iv: actualIv,
+            };
+            if (aad) {
+                encryptParams.additionalData = aad;
+            }
+            const encryptedData = yield this.subtleCrypto.encrypt(encryptParams, cryptoKey, plaintext);
+            const encryptedBytes = new Uint8Array(encryptedData);
+            // Extract tag (last 16 bytes)
+            const tagSize = 16;
+            const tagStart = encryptedBytes.length - tagSize;
+            const tag = encryptedBytes.slice(tagStart);
+            const ciphertext = encryptedBytes.slice(0, tagStart);
+            return {
+                ciphertext,
+                iv: actualIv,
+                tag,
+            };
+        });
+    }
+    decrypt(ciphertext, key, iv, tag, aad) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // SubtleCrypto expects tag to be appended to ciphertext for AES-GCM
+            const combinedData = new Uint8Array(ciphertext.length + tag.length);
+            combinedData.set(ciphertext, 0);
+            combinedData.set(tag, ciphertext.length);
+            const cryptoKey = yield this.subtleCrypto.importKey('raw', key, { name: 'AES-GCM' }, false, ['decrypt']);
+            const decryptParams = {
+                name: 'AES-GCM',
+                iv,
+            };
+            if (aad) {
+                decryptParams.additionalData = aad;
+            }
+            const decryptedData = yield this.subtleCrypto.decrypt(decryptParams, cryptoKey, combinedData);
+            return new Uint8Array(decryptedData);
+        });
+    }
+    randomBytes(length) {
+        const bytes = new Uint8Array(length);
+        crypto.getRandomValues(bytes);
+        return bytes;
+    }
 }
 exports.SubtleCryptoProvider = SubtleCryptoProvider;
 // Cached mapping of byte to hex representation. We do this once to avoid re-

package/lib/common/utils/base64.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Cross-runtime compatible base64 encoding/decoding utilities
+ * that work in both Node.js and browser environments
+ */
+/**
+ * Converts a base64 string to a Uint8Array
+ */
+export declare function base64ToUint8Array(base64: string): Uint8Array;
+/**
+ * Converts a Uint8Array to a base64 string
+ */
+export declare function uint8ArrayToBase64(bytes: Uint8Array): string;

package/lib/common/utils/base64.js

@@ -0,0 +1,52 @@
+"use strict";
+/**
+ * Cross-runtime compatible base64 encoding/decoding utilities
+ * that work in both Node.js and browser environments
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.uint8ArrayToBase64 = exports.base64ToUint8Array = void 0;
+/**
+ * Converts a base64 string to a Uint8Array
+ */
+function base64ToUint8Array(base64) {
+    // In browsers and modern Node.js
+    if (typeof atob === 'function') {
+        const binary = atob(base64);
+        const bytes = new Uint8Array(binary.length);
+        for (let i = 0; i < binary.length; i++) {
+            bytes[i] = binary.charCodeAt(i);
+        }
+        return bytes;
+    }
+    // Node.js fallback using Buffer
+    else if (typeof Buffer !== 'undefined') {
+        return new Uint8Array(Buffer.from(base64, 'base64'));
+    }
+    // Fallback implementation if neither is available
+    else {
+        throw new Error('No base64 decoding implementation available');
+    }
+}
+exports.base64ToUint8Array = base64ToUint8Array;
+/**
+ * Converts a Uint8Array to a base64 string
+ */
+function uint8ArrayToBase64(bytes) {
+    // In browsers and modern Node.js
+    if (typeof btoa === 'function') {
+        let binary = '';
+        for (let i = 0; i < bytes.byteLength; i++) {
+            binary += String.fromCharCode(bytes[i]);
+        }
+        return btoa(binary);
+    }
+    // Node.js fallback using Buffer
+    else if (typeof Buffer !== 'undefined') {
+        return Buffer.from(bytes).toString('base64');
+    }
+    // Fallback implementation if neither is available
+    else {
+        throw new Error('No base64 encoding implementation available');
+    }
+}
+exports.uint8ArrayToBase64 = uint8ArrayToBase64;

package/lib/common/utils/pagination.d.ts

@@ -1,6 +1,6 @@
 import { List, PaginationOptions } from '../interfaces';
 export declare class AutoPaginatable<T> {
-    private list;
+    protected list: List<T>;
     private apiCall;
     readonly object: 'list';
     readonly options: PaginationOptions;

package/lib/fga/fga.d.ts

@@ -1,6 +1,7 @@
 import { WorkOS } from '../workos';
 import { Resource, CheckBatchOptions, CheckOptions, CheckRequestOptions, CheckResult, CreateResourceOptions, DeleteResourceOptions, ListResourcesOptions, ListWarrantsRequestOptions, ListWarrantsOptions, QueryOptions, QueryRequestOptions, QueryResult, ResourceInterface, ResourceOptions, UpdateResourceOptions, WriteWarrantOptions, Warrant, WarrantToken, BatchWriteResourcesOptions } from './interfaces';
 import { AutoPaginatable } from '../common/utils/pagination';
+import { FgaPaginatable } from './utils/fga-paginatable';
 export declare class FGA {
     private readonly workos;
     constructor(workos: WorkOS);
@@ -15,5 +16,5 @@ export declare class FGA {
     writeWarrant(options: WriteWarrantOptions): Promise<WarrantToken>;
     batchWriteWarrants(options: WriteWarrantOptions[]): Promise<WarrantToken>;
     listWarrants(options?: ListWarrantsOptions, requestOptions?: ListWarrantsRequestOptions): Promise<AutoPaginatable<Warrant>>;
-    query(options: QueryOptions, requestOptions?: QueryRequestOptions): Promise<AutoPaginatable<QueryResult>>;
+    query(options: QueryOptions, requestOptions?: QueryRequestOptions): Promise<FgaPaginatable<QueryResult>>;
 }

package/lib/fga/fga.js

@@ -15,6 +15,8 @@ const serializers_1 = require("./serializers");
 const interface_check_1 = require("./utils/interface-check");
 const pagination_1 = require("../common/utils/pagination");
 const fetch_and_deserialize_1 = require("../common/utils/fetch-and-deserialize");
+const fga_paginatable_1 = require("./utils/fga-paginatable");
+const fetch_and_deserialize_list_1 = require("./utils/fetch-and-deserialize-list");
 class FGA {
     constructor(workos) {
         this.workos = workos;
@@ -104,7 +106,7 @@ class FGA {
     }
     query(options, requestOptions = {}) {
         return __awaiter(this, void 0, void 0, function* () {
-            return new pagination_1.AutoPaginatable(yield (0, fetch_and_deserialize_1.fetchAndDeserialize)(this.workos, '/fga/v1/query', serializers_1.deserializeQueryResult, (0, serializers_1.serializeQueryOptions)(options), requestOptions), (params) => (0, fetch_and_deserialize_1.fetchAndDeserialize)(this.workos, '/fga/v1/query', serializers_1.deserializeQueryResult, params, requestOptions), (0, serializers_1.serializeQueryOptions)(options));
+            return new fga_paginatable_1.FgaPaginatable(yield (0, fetch_and_deserialize_list_1.fetchAndDeserializeFGAList)(this.workos, '/fga/v1/query', serializers_1.deserializeQueryResult, (0, serializers_1.serializeQueryOptions)(options), requestOptions), (params) => (0, fetch_and_deserialize_list_1.fetchAndDeserializeFGAList)(this.workos, '/fga/v1/query', serializers_1.deserializeQueryResult, params, requestOptions), (0, serializers_1.serializeQueryOptions)(options));
         });
     }
 }

package/lib/fga/fga.spec.js

@@ -48,6 +48,56 @@ describe('FGA', () => {
                 warrantToken: 'abc',
             });
         }));
+        it('deserializes warnings in check response', () => __awaiter(void 0, void 0, void 0, function* () {
+            (0, test_utils_1.fetchOnce)({
+                result: 'authorized',
+                is_implicit: false,
+                warrant_token: 'abc',
+                warnings: [
+                    {
+                        code: 'missing_context_keys',
+                        message: 'Missing required context keys',
+                        keys: ['tenant_id', 'region'],
+                    },
+                    {
+                        code: 'some_other_warning',
+                        message: 'Some other warning message',
+                    },
+                ],
+            });
+            const checkResult = yield workos.fga.check({
+                checks: [
+                    {
+                        resource: {
+                            resourceType: 'role',
+                            resourceId: 'admin',
+                        },
+                        relation: 'member',
+                        subject: {
+                            resourceType: 'user',
+                            resourceId: 'user_123',
+                        },
+                    },
+                ],
+            });
+            expect((0, test_utils_1.fetchURL)()).toContain('/fga/v1/check');
+            expect(checkResult).toMatchObject({
+                result: 'authorized',
+                isImplicit: false,
+                warrantToken: 'abc',
+                warnings: [
+                    {
+                        code: 'missing_context_keys',
+                        message: 'Missing required context keys',
+                        keys: ['tenant_id', 'region'],
+                    },
+                    {
+                        code: 'some_other_warning',
+                        message: 'Some other warning message',
+                    },
+                ],
+            });
+        }));
     });
     describe('createResource', () => {
         it('creates resource', () => __awaiter(void 0, void 0, void 0, function* () {
@@ -606,6 +656,100 @@ describe('FGA', () => {
                 },
             ]);
         }));
+        it('deserializes warnings in query response', () => __awaiter(void 0, void 0, void 0, function* () {
+            (0, test_utils_1.fetchOnce)({
+                data: [
+                    {
+                        resource_type: 'role',
+                        resource_id: 'admin',
+                        warrant: {
+                            resource_type: 'role',
+                            resource_id: 'admin',
+                            relation: 'member',
+                            subject: {
+                                resource_type: 'user',
+                                resource_id: 'user_123',
+                            },
+                        },
+                        is_implicit: false,
+                    },
+                    {
+                        resource_type: 'role',
+                        resource_id: 'manager',
+                        warrant: {
+                            resource_type: 'role',
+                            resource_id: 'manager',
+                            relation: 'member',
+                            subject: {
+                                resource_type: 'user',
+                                resource_id: 'user_123',
+                            },
+                        },
+                        is_implicit: true,
+                    },
+                ],
+                list_metadata: {
+                    before: null,
+                    after: null,
+                },
+                warnings: [
+                    {
+                        code: 'missing_context_keys',
+                        message: 'Missing required context keys',
+                        keys: ['tenant_id'],
+                    },
+                    {
+                        code: 'some_other_warning',
+                        message: 'Some other warning message',
+                    },
+                ],
+            });
+            const result = yield workos.fga.query({
+                q: 'select role where user:user_123 is member',
+            });
+            expect((0, test_utils_1.fetchURL)()).toContain('/fga/v1/query');
+            expect(result.data).toMatchObject([
+                {
+                    resourceType: 'role',
+                    resourceId: 'admin',
+                    warrant: {
+                        resourceType: 'role',
+                        resourceId: 'admin',
+                        relation: 'member',
+                        subject: {
+                            resourceType: 'user',
+                            resourceId: 'user_123',
+                        },
+                    },
+                    isImplicit: false,
+                },
+                {
+                    resourceType: 'role',
+                    resourceId: 'manager',
+                    warrant: {
+                        resourceType: 'role',
+                        resourceId: 'manager',
+                        relation: 'member',
+                        subject: {
+                            resourceType: 'user',
+                            resourceId: 'user_123',
+                        },
+                    },
+                    isImplicit: true,
+                },
+            ]);
+            expect(result.warnings).toMatchObject([
+                {
+                    code: 'missing_context_keys',
+                    message: 'Missing required context keys',
+                    keys: ['tenant_id'],
+                },
+                {
+                    code: 'some_other_warning',
+                    message: 'Some other warning message',
+                },
+            ]);
+        }));
         it('sends correct params and options', () => __awaiter(void 0, void 0, void 0, function* () {
             (0, test_utils_1.fetchOnce)({
                 data: [

package/lib/fga/interfaces/check.interface.d.ts

@@ -2,6 +2,7 @@ import { ResourceInterface, ResourceOptions } from './resource.interface';
 import { PolicyContext, SerializedSubject, Subject } from './warrant.interface';
 import { CheckOp } from './check-op.enum';
 import { PostOptions } from '../../common/interfaces';
+import { Warning } from './warning.interface';
 export interface CheckWarrantOptions {
     resource: ResourceInterface | ResourceOptions;
     relation: string;
@@ -39,6 +40,7 @@ export interface CheckResultResponse {
     is_implicit: boolean;
     warrant_token: string;
     debug_info?: DebugInfoResponse;
+    warnings?: Warning[];
 }
 export interface DebugInfo {
     processingTime: number;
@@ -67,12 +69,14 @@ export interface CheckResultInterface {
     isImplicit: boolean;
     warrantToken: string;
     debugInfo?: DebugInfo;
+    warnings?: Warning[];
 }
 export declare class CheckResult implements CheckResultInterface {
     result: string;
     isImplicit: boolean;
     warrantToken: string;
     debugInfo?: DebugInfo;
+    warnings?: Warning[];
     constructor(json: CheckResultResponse);
     isAuthorized(): boolean;
 }

package/lib/fga/interfaces/check.interface.js

@@ -14,6 +14,7 @@ class CheckResult {
                 decisionTree: (0, check_options_serializer_1.deserializeDecisionTreeNode)(json.debug_info.decision_tree),
             }
             : undefined;
+        this.warnings = json.warnings;
     }
     isAuthorized() {
         return this.result === CHECK_RESULT_AUTHORIZED;

package/lib/fga/interfaces/list.interface.d.ts

@@ -0,0 +1,8 @@
+import { List, ListResponse } from '../../common/interfaces';
+import { Warning } from './warning.interface';
+export interface FGAListResponse<T> extends ListResponse<T> {
+    warnings?: Warning[];
+}
+export interface FGAList<T> extends List<T> {
+    warnings?: Warning[];
+}

package/lib/fga/interfaces/list.interface.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/fga/interfaces/warning.interface.d.ts

@@ -0,0 +1,9 @@
+export interface BaseWarning {
+    code: string;
+    message: string;
+}
+export interface MissingContextKeysWarning extends BaseWarning {
+    code: 'missing_context_keys';
+    keys: string[];
+}
+export type Warning = BaseWarning | MissingContextKeysWarning;

package/lib/fga/interfaces/warning.interface.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/fga/serializers/index.d.ts

@@ -10,3 +10,4 @@ export * from './resource.serializer';
 export * from './warrant-token.serializer';
 export * from './warrant.serializer';
 export * from './write-warrant-options.serializer';
+export * from './list.serializer';

package/lib/fga/serializers/index.js

@@ -26,3 +26,4 @@ __exportStar(require("./resource.serializer"), exports);
 __exportStar(require("./warrant-token.serializer"), exports);
 __exportStar(require("./warrant.serializer"), exports);
 __exportStar(require("./write-warrant-options.serializer"), exports);
+__exportStar(require("./list.serializer"), exports);

package/lib/fga/serializers/list.serializer.d.ts

@@ -0,0 +1,5 @@
+import { FGAList } from '../interfaces/list.interface';
+import { ListResponse } from '../../common/interfaces';
+export declare const deserializeFGAList: <T, U>(response: ListResponse<T> & {
+    warnings?: any[] | undefined;
+}, deserializeFn: (data: T) => U) => FGAList<U>;