@workos-inc/node 8.0.0-rc.1 → 8.0.0-rc.3

package/lib/esm/organization-domains/organization-domains.d.ts

@@ -1,4 +1,4 @@
-export { a as OrganizationDomains } from '../workos-e5MfmByv.js';
+export { a as OrganizationDomains } from '../workos-DLj13cxf.js';
 import './interfaces/create-organization-domain-options.interface.js';
 import './interfaces/organization-domain.interface.js';
 import '../common/interfaces/get-options.interface.js';
@@ -6,12 +6,18 @@ import '../common/interfaces/post-options.interface.js';
 import '../common/interfaces/put-options.interface.js';
 import '../common/interfaces/workos-options.interface.js';
 import '../common/interfaces/app-info.interface.js';
-import '../events/interfaces/list-events-options.interface.js';
-import '../common/interfaces/event.interface.js';
+import '../common/utils/pagination.js';
+import '../common/interfaces/pagination-options.interface.js';
+import '../common/interfaces/list.interface.js';
 import '../directory-sync/interfaces/directory.interface.js';
 import '../directory-sync/interfaces/directory-group.interface.js';
+import '../directory-sync/interfaces/list-directories-options.interface.js';
+import '../directory-sync/interfaces/list-groups-options.interface.js';
+import '../directory-sync/interfaces/list-directory-users-options.interface.js';
 import '../directory-sync/interfaces/directory-user.interface.js';
 import '../roles/interfaces/role.interface.js';
+import '../events/interfaces/list-events-options.interface.js';
+import '../common/interfaces/event.interface.js';
 import '../organizations/interfaces/organization.interface.js';
 import '../sso/interfaces/connection.interface.js';
 import '../sso/interfaces/connection-type.enum.js';
@@ -25,9 +31,6 @@ import '../user-management/interfaces/magic-auth.interface.js';
 import '../user-management/interfaces/password-reset.interface.js';
 import '../user-management/interfaces/session.interface.js';
 import '../user-management/interfaces/impersonator.interface.js';
-import '../common/interfaces/list.interface.js';
-import '../common/utils/pagination.js';
-import '../common/interfaces/pagination-options.interface.js';
 import '../organizations/interfaces/create-organization-options.interface.js';
 import '../organizations/interfaces/domain-data.interface.js';
 import '../organizations/interfaces/list-organization-feature-flags-options.interface.js';
@@ -123,6 +126,5 @@ import '../vault/interfaces/object/delete-object.interface.js';
 import '../vault/interfaces/object/read-object.interface.js';
 import '../vault/interfaces/object.interface.js';
 import '../vault/interfaces/object/update-object.interface.js';
-import '../directory-sync/interfaces/list-directories-options.interface.js';
-import '../directory-sync/interfaces/list-groups-options.interface.js';
-import '../directory-sync/interfaces/list-directory-users-options.interface.js';
+import '../api-keys/interfaces/validate-api-key.interface.js';
+import '../api-keys/interfaces/api-key.interface.js';

package/lib/esm/organizations/organizations.d.ts

@@ -1,5 +1,5 @@
 import '../common/utils/pagination.js';
-export { O as Organizations } from '../workos-e5MfmByv.js';
+export { O as Organizations } from '../workos-DLj13cxf.js';
 import './interfaces/create-organization-options.interface.js';
 import './interfaces/list-organization-feature-flags-options.interface.js';
 import './interfaces/list-organizations-options.interface.js';
@@ -15,11 +15,14 @@ import '../common/interfaces/post-options.interface.js';
 import '../common/interfaces/put-options.interface.js';
 import '../common/interfaces/workos-options.interface.js';
 import '../common/interfaces/app-info.interface.js';
-import '../events/interfaces/list-events-options.interface.js';
-import '../common/interfaces/event.interface.js';
 import '../directory-sync/interfaces/directory.interface.js';
 import '../directory-sync/interfaces/directory-group.interface.js';
+import '../directory-sync/interfaces/list-directories-options.interface.js';
+import '../directory-sync/interfaces/list-groups-options.interface.js';
+import '../directory-sync/interfaces/list-directory-users-options.interface.js';
 import '../directory-sync/interfaces/directory-user.interface.js';
+import '../events/interfaces/list-events-options.interface.js';
+import '../common/interfaces/event.interface.js';
 import '../sso/interfaces/connection.interface.js';
 import '../sso/interfaces/connection-type.enum.js';
 import '../user-management/interfaces/user.interface.js';
@@ -122,7 +125,6 @@ import '../vault/interfaces/object/delete-object.interface.js';
 import '../vault/interfaces/object/read-object.interface.js';
 import '../vault/interfaces/object.interface.js';
 import '../vault/interfaces/object/update-object.interface.js';
-import '../directory-sync/interfaces/list-directories-options.interface.js';
-import '../directory-sync/interfaces/list-groups-options.interface.js';
-import '../directory-sync/interfaces/list-directory-users-options.interface.js';
+import '../api-keys/interfaces/validate-api-key.interface.js';
+import '../api-keys/interfaces/api-key.interface.js';
 import './interfaces/domain-data.interface.js';

package/lib/esm/passwordless/passwordless.d.ts

@@ -1,4 +1,4 @@
-export { P as Passwordless } from '../workos-e5MfmByv.js';
+export { P as Passwordless } from '../workos-DLj13cxf.js';
 import './interfaces/passwordless-session.interface.js';
 import './interfaces/create-passwordless-session-options.interface.js';
 import './interfaces/send-session-response.interface.js';
@@ -7,12 +7,18 @@ import '../common/interfaces/post-options.interface.js';
 import '../common/interfaces/put-options.interface.js';
 import '../common/interfaces/workos-options.interface.js';
 import '../common/interfaces/app-info.interface.js';
-import '../events/interfaces/list-events-options.interface.js';
-import '../common/interfaces/event.interface.js';
+import '../common/utils/pagination.js';
+import '../common/interfaces/pagination-options.interface.js';
+import '../common/interfaces/list.interface.js';
 import '../directory-sync/interfaces/directory.interface.js';
 import '../directory-sync/interfaces/directory-group.interface.js';
+import '../directory-sync/interfaces/list-directories-options.interface.js';
+import '../directory-sync/interfaces/list-groups-options.interface.js';
+import '../directory-sync/interfaces/list-directory-users-options.interface.js';
 import '../directory-sync/interfaces/directory-user.interface.js';
 import '../roles/interfaces/role.interface.js';
+import '../events/interfaces/list-events-options.interface.js';
+import '../common/interfaces/event.interface.js';
 import '../organizations/interfaces/organization.interface.js';
 import '../organization-domains/interfaces/organization-domain.interface.js';
 import '../sso/interfaces/connection.interface.js';
@@ -27,9 +33,6 @@ import '../user-management/interfaces/magic-auth.interface.js';
 import '../user-management/interfaces/password-reset.interface.js';
 import '../user-management/interfaces/session.interface.js';
 import '../user-management/interfaces/impersonator.interface.js';
-import '../common/interfaces/list.interface.js';
-import '../common/utils/pagination.js';
-import '../common/interfaces/pagination-options.interface.js';
 import '../organizations/interfaces/create-organization-options.interface.js';
 import '../organizations/interfaces/domain-data.interface.js';
 import '../organizations/interfaces/list-organization-feature-flags-options.interface.js';
@@ -123,6 +126,5 @@ import '../vault/interfaces/object/delete-object.interface.js';
 import '../vault/interfaces/object/read-object.interface.js';
 import '../vault/interfaces/object.interface.js';
 import '../vault/interfaces/object/update-object.interface.js';
-import '../directory-sync/interfaces/list-directories-options.interface.js';
-import '../directory-sync/interfaces/list-groups-options.interface.js';
-import '../directory-sync/interfaces/list-directory-users-options.interface.js';
+import '../api-keys/interfaces/validate-api-key.interface.js';
+import '../api-keys/interfaces/api-key.interface.js';

package/lib/esm/portal/portal.d.ts

@@ -1,16 +1,22 @@
-export { b as Portal } from '../workos-e5MfmByv.js';
+export { b as Portal } from '../workos-DLj13cxf.js';
 import './interfaces/generate-portal-link-intent.interface.js';
 import '../common/interfaces/get-options.interface.js';
 import '../common/interfaces/post-options.interface.js';
 import '../common/interfaces/put-options.interface.js';
 import '../common/interfaces/workos-options.interface.js';
 import '../common/interfaces/app-info.interface.js';
-import '../events/interfaces/list-events-options.interface.js';
-import '../common/interfaces/event.interface.js';
+import '../common/utils/pagination.js';
+import '../common/interfaces/pagination-options.interface.js';
+import '../common/interfaces/list.interface.js';
 import '../directory-sync/interfaces/directory.interface.js';
 import '../directory-sync/interfaces/directory-group.interface.js';
+import '../directory-sync/interfaces/list-directories-options.interface.js';
+import '../directory-sync/interfaces/list-groups-options.interface.js';
+import '../directory-sync/interfaces/list-directory-users-options.interface.js';
 import '../directory-sync/interfaces/directory-user.interface.js';
 import '../roles/interfaces/role.interface.js';
+import '../events/interfaces/list-events-options.interface.js';
+import '../common/interfaces/event.interface.js';
 import '../organizations/interfaces/organization.interface.js';
 import '../organization-domains/interfaces/organization-domain.interface.js';
 import '../sso/interfaces/connection.interface.js';
@@ -25,9 +31,6 @@ import '../user-management/interfaces/magic-auth.interface.js';
 import '../user-management/interfaces/password-reset.interface.js';
 import '../user-management/interfaces/session.interface.js';
 import '../user-management/interfaces/impersonator.interface.js';
-import '../common/interfaces/list.interface.js';
-import '../common/utils/pagination.js';
-import '../common/interfaces/pagination-options.interface.js';
 import '../organizations/interfaces/create-organization-options.interface.js';
 import '../organizations/interfaces/domain-data.interface.js';
 import '../organizations/interfaces/list-organization-feature-flags-options.interface.js';
@@ -123,6 +126,5 @@ import '../vault/interfaces/object/delete-object.interface.js';
 import '../vault/interfaces/object/read-object.interface.js';
 import '../vault/interfaces/object.interface.js';
 import '../vault/interfaces/object/update-object.interface.js';
-import '../directory-sync/interfaces/list-directories-options.interface.js';
-import '../directory-sync/interfaces/list-groups-options.interface.js';
-import '../directory-sync/interfaces/list-directory-users-options.interface.js';
+import '../api-keys/interfaces/validate-api-key.interface.js';
+import '../api-keys/interfaces/api-key.interface.js';

package/lib/esm/sso/sso.d.ts

@@ -1,6 +1,6 @@
 import '../common/interfaces/unknown-record.interface.js';
 import '../common/utils/pagination.js';
-export { S as SSO } from '../workos-e5MfmByv.js';
+export { S as SSO } from '../workos-DLj13cxf.js';
 import './interfaces/authorization-url-options.interface.js';
 import './interfaces/connection.interface.js';
 import './interfaces/get-profile-options.interface.js';
@@ -15,12 +15,15 @@ import '../common/interfaces/post-options.interface.js';
 import '../common/interfaces/put-options.interface.js';
 import '../common/interfaces/workos-options.interface.js';
 import '../common/interfaces/app-info.interface.js';
-import '../events/interfaces/list-events-options.interface.js';
-import '../common/interfaces/event.interface.js';
 import '../directory-sync/interfaces/directory.interface.js';
 import '../directory-sync/interfaces/directory-group.interface.js';
+import '../directory-sync/interfaces/list-directories-options.interface.js';
+import '../directory-sync/interfaces/list-groups-options.interface.js';
+import '../directory-sync/interfaces/list-directory-users-options.interface.js';
 import '../directory-sync/interfaces/directory-user.interface.js';
 import '../roles/interfaces/role.interface.js';
+import '../events/interfaces/list-events-options.interface.js';
+import '../common/interfaces/event.interface.js';
 import '../organizations/interfaces/organization.interface.js';
 import '../organization-domains/interfaces/organization-domain.interface.js';
 import '../user-management/interfaces/user.interface.js';
@@ -123,6 +126,5 @@ import '../vault/interfaces/object/delete-object.interface.js';
 import '../vault/interfaces/object/read-object.interface.js';
 import '../vault/interfaces/object.interface.js';
 import '../vault/interfaces/object/update-object.interface.js';
-import '../directory-sync/interfaces/list-directories-options.interface.js';
-import '../directory-sync/interfaces/list-groups-options.interface.js';
-import '../directory-sync/interfaces/list-directory-users-options.interface.js';
+import '../api-keys/interfaces/validate-api-key.interface.js';
+import '../api-keys/interfaces/api-key.interface.js';

package/lib/esm/user-management/session.d.ts

@@ -1,6 +1,6 @@
 import './interfaces/authenticate-with-session-cookie.interface.js';
 import './interfaces/refresh-and-seal-session-data.interface.js';
-export { C as CookieSession } from '../workos-e5MfmByv.js';
+export { C as CookieSession } from '../workos-DLj13cxf.js';
 import './interfaces/authentication-response.interface.js';
 import './interfaces/impersonator.interface.js';
 import './interfaces/oauth-tokens.interface.js';
@@ -10,12 +10,18 @@ import '../common/interfaces/post-options.interface.js';
 import '../common/interfaces/put-options.interface.js';
 import '../common/interfaces/workos-options.interface.js';
 import '../common/interfaces/app-info.interface.js';
-import '../events/interfaces/list-events-options.interface.js';
-import '../common/interfaces/event.interface.js';
+import '../common/utils/pagination.js';
+import '../common/interfaces/pagination-options.interface.js';
+import '../common/interfaces/list.interface.js';
 import '../directory-sync/interfaces/directory.interface.js';
 import '../directory-sync/interfaces/directory-group.interface.js';
+import '../directory-sync/interfaces/list-directories-options.interface.js';
+import '../directory-sync/interfaces/list-groups-options.interface.js';
+import '../directory-sync/interfaces/list-directory-users-options.interface.js';
 import '../directory-sync/interfaces/directory-user.interface.js';
 import '../roles/interfaces/role.interface.js';
+import '../events/interfaces/list-events-options.interface.js';
+import '../common/interfaces/event.interface.js';
 import '../organizations/interfaces/organization.interface.js';
 import '../organization-domains/interfaces/organization-domain.interface.js';
 import '../sso/interfaces/connection.interface.js';
@@ -28,9 +34,6 @@ import './interfaces/organization-membership.interface.js';
 import './interfaces/magic-auth.interface.js';
 import './interfaces/password-reset.interface.js';
 import './interfaces/session.interface.js';
-import '../common/interfaces/list.interface.js';
-import '../common/utils/pagination.js';
-import '../common/interfaces/pagination-options.interface.js';
 import '../organizations/interfaces/create-organization-options.interface.js';
 import '../organizations/interfaces/domain-data.interface.js';
 import '../organizations/interfaces/list-organization-feature-flags-options.interface.js';
@@ -123,6 +126,5 @@ import '../vault/interfaces/object/delete-object.interface.js';
 import '../vault/interfaces/object/read-object.interface.js';
 import '../vault/interfaces/object.interface.js';
 import '../vault/interfaces/object/update-object.interface.js';
-import '../directory-sync/interfaces/list-directories-options.interface.js';
-import '../directory-sync/interfaces/list-groups-options.interface.js';
-import '../directory-sync/interfaces/list-directory-users-options.interface.js';
+import '../api-keys/interfaces/validate-api-key.interface.js';
+import '../api-keys/interfaces/api-key.interface.js';

package/lib/esm/user-management/session.js

@@ -1,17 +1,16 @@
 var __defProp = Object.defineProperty;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
-import { decodeJwt, jwtVerify } from "jose";
 import { OauthException } from "../common/exceptions/oauth.exception.js";
 import {
   AuthenticateWithSessionCookieFailureReason,
   RefreshSessionFailureReason
 } from "./interfaces/index.js";
 import { unsealData } from "iron-session";
+import { getJose } from "../utils/jose.js";
 class CookieSession {
   static {
     __name(this, "CookieSession");
   }
-  jwks;
   userManagement;
   cookiePassword;
   sessionData;
@@ -22,7 +21,6 @@ class CookieSession {
     this.userManagement = userManagement;
     this.cookiePassword = cookiePassword;
     this.sessionData = sessionData;
-    this.jwks = this.userManagement.jwks;
   }
   /**
    * Authenticates a user with a session cookie.
@@ -59,6 +57,7 @@ class CookieSession {
         reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT
       };
     }
+    const { decodeJwt } = await getJose();
     const {
       sid: sessionId,
       org_id: organizationId,
@@ -91,6 +90,7 @@ class CookieSession {
    * @returns An object indicating whether the refresh was successful or not. If successful, it will include the new sealed session data.
    */
   async refresh(options = {}) {
+    const { decodeJwt } = await getJose();
     const session = await unsealData(this.sessionData, {
       password: this.cookiePassword
     });
@@ -172,13 +172,15 @@ class CookieSession {
     });
   }
   async isValidJwt(accessToken) {
-    if (!this.jwks) {
+    const { jwtVerify } = await getJose();
+    const jwks = await this.userManagement.getJWKS();
+    if (!jwks) {
       throw new Error(
         "Missing client ID. Did you provide it when initializing WorkOS?"
       );
     }
     try {
-      await jwtVerify(accessToken, this.jwks);
+      await jwtVerify(accessToken, jwks);
       return true;
     } catch (e) {
       return false;

package/lib/esm/user-management/session.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/user-management/session.ts"],"sourcesContent":["import { createRemoteJWKSet, decodeJwt, jwtVerify } from 'jose';\nimport { OauthException } from '../common/exceptions/oauth.exception';\nimport {\n  AccessToken,\n  AuthenticateWithSessionCookieFailedResponse,\n  AuthenticateWithSessionCookieFailureReason,\n  AuthenticateWithSessionCookieSuccessResponse,\n  AuthenticationResponse,\n  RefreshSessionFailureReason,\n  RefreshSessionResponse,\n  SessionCookieData,\n} from './interfaces';\nimport { UserManagement } from './user-management';\nimport { unsealData } from 'iron-session';\n\ntype RefreshOptions = {\n  cookiePassword?: string;\n  organizationId?: string;\n};\n\nexport class CookieSession {\n  private jwks: ReturnType<typeof createRemoteJWKSet> | undefined;\n  private userManagement: UserManagement;\n  private cookiePassword: string;\n  private sessionData: string;\n\n  constructor(\n    userManagement: UserManagement,\n    sessionData: string,\n    cookiePassword: string,\n  ) {\n    if (!cookiePassword) {\n      throw new Error('cookiePassword is required');\n    }\n\n    this.userManagement = userManagement;\n    this.cookiePassword = cookiePassword;\n    this.sessionData = sessionData;\n\n    this.jwks = this.userManagement.jwks;\n  }\n\n  /**\n   * Authenticates a user with a session cookie.\n   *\n   * @returns An object indicating whether the authentication was successful or not. If successful, it will include the user's session data.\n   */\n  async authenticate(): Promise<\n    | AuthenticateWithSessionCookieSuccessResponse\n    | AuthenticateWithSessionCookieFailedResponse\n  > {\n    if (!this.sessionData) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED,\n      };\n    }\n\n    let session: SessionCookieData;\n\n    try {\n      session = await unsealData<SessionCookieData>(this.sessionData, {\n        password: this.cookiePassword,\n      });\n    } catch (e) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n      };\n    }\n\n    if (!session.accessToken) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n      };\n    }\n\n    if (!(await this.isValidJwt(session.accessToken))) {\n      return {\n        authenticated: false,\n        reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT,\n      };\n    }\n\n    const {\n      sid: sessionId,\n      org_id: organizationId,\n      role,\n      roles,\n      permissions,\n      entitlements,\n      feature_flags: featureFlags,\n    } = decodeJwt<AccessToken>(session.accessToken);\n\n    return {\n      authenticated: true,\n      sessionId,\n      organizationId,\n      role,\n      roles,\n      permissions,\n      entitlements,\n      featureFlags,\n      user: session.user,\n      impersonator: session.impersonator,\n      accessToken: session.accessToken,\n    };\n  }\n\n  /**\n   * Refreshes the user's session.\n   *\n   * @param options - Optional options for refreshing the session.\n   * @param options.cookiePassword - The password to use for the new session cookie.\n   * @param options.organizationId - The organization ID to use for the new session cookie.\n   * @returns An object indicating whether the refresh was successful or not. If successful, it will include the new sealed session data.\n   */\n  async refresh(options: RefreshOptions = {}): Promise<RefreshSessionResponse> {\n    const session = await unsealData<SessionCookieData>(this.sessionData, {\n      password: this.cookiePassword,\n    });\n\n    if (!session.refreshToken || !session.user) {\n      return {\n        authenticated: false,\n        reason: RefreshSessionFailureReason.INVALID_SESSION_COOKIE,\n      };\n    }\n\n    const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(\n      session.accessToken,\n    );\n\n    try {\n      const cookiePassword = options.cookiePassword ?? this.cookiePassword;\n\n      const authenticationResponse =\n        await this.userManagement.authenticateWithRefreshToken({\n          clientId: this.userManagement.clientId as string,\n          refreshToken: session.refreshToken,\n          organizationId:\n            options.organizationId ?? organizationIdFromAccessToken,\n          session: {\n            // We want to store the new sealed session in this class instance, so this always needs to be true\n            sealSession: true,\n            cookiePassword,\n          },\n        });\n\n      // Update the password if a new one was provided\n      if (options.cookiePassword) {\n        this.cookiePassword = options.cookiePassword;\n      }\n\n      this.sessionData = authenticationResponse.sealedSession as string;\n\n      const {\n        sid: sessionId,\n        org_id: organizationId,\n        role,\n        roles,\n        permissions,\n        entitlements,\n        feature_flags: featureFlags,\n      } = decodeJwt<AccessToken>(authenticationResponse.accessToken);\n\n      // TODO: Returning `session` here means there's some duplicated data.\n      // Slim down the return type in a future major version.\n      return {\n        authenticated: true,\n        sealedSession: authenticationResponse.sealedSession,\n        session: authenticationResponse as AuthenticationResponse,\n        sessionId,\n        organizationId,\n        role,\n        roles,\n        permissions,\n        entitlements,\n        featureFlags,\n        user: session.user,\n        impersonator: session.impersonator,\n      };\n    } catch (error) {\n      if (\n        error instanceof OauthException &&\n        // TODO: Add additional known errors and remove re-throw\n        (error.error === RefreshSessionFailureReason.INVALID_GRANT ||\n          error.error === RefreshSessionFailureReason.MFA_ENROLLMENT ||\n          error.error === RefreshSessionFailureReason.SSO_REQUIRED)\n      ) {\n        return {\n          authenticated: false,\n          reason: error.error,\n        };\n      }\n\n      throw error;\n    }\n  }\n\n  /**\n   * Gets the URL to redirect the user to for logging out.\n   *\n   * @returns The URL to redirect the user to for logging out.\n   */\n  async getLogoutUrl({\n    returnTo,\n  }: { returnTo?: string } = {}): Promise<string> {\n    const authenticationResponse = await this.authenticate();\n\n    if (!authenticationResponse.authenticated) {\n      const { reason } = authenticationResponse;\n      throw new Error(`Failed to extract session ID for logout URL: ${reason}`);\n    }\n\n    return this.userManagement.getLogoutUrl({\n      sessionId: authenticationResponse.sessionId,\n      returnTo,\n    });\n  }\n\n  private async isValidJwt(accessToken: string): Promise<boolean> {\n    if (!this.jwks) {\n      throw new Error(\n        'Missing client ID. Did you provide it when initializing WorkOS?',\n      );\n    }\n\n    try {\n      await jwtVerify(accessToken, this.jwks);\n      return true;\n    } catch (e) {\n      return false;\n    }\n  }\n}\n"],"mappings":";;AAAA,SAA6B,WAAW,iBAAiB;AACzD,SAAS,sBAAsB;AAC/B;AAAA,EAGE;AAAA,EAGA;AAAA,OAGK;AAEP,SAAS,kBAAkB;AAOpB,MAAM,cAAc;AAAA,EApB3B,OAoB2B;AAAA;AAAA;AAAA,EACjB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAER,YACE,gBACA,aACA,gBACA;AACA,QAAI,CAAC,gBAAgB;AACnB,YAAM,IAAI,MAAM,4BAA4B;AAAA,IAC9C;AAEA,SAAK,iBAAiB;AACtB,SAAK,iBAAiB;AACtB,SAAK,cAAc;AAEnB,SAAK,OAAO,KAAK,eAAe;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,eAGJ;AACA,QAAI,CAAC,KAAK,aAAa;AACrB,aAAO;AAAA,QACL,eAAe;AAAA,QACf,QACE,2CAA2C;AAAA,MAC/C;AAAA,IACF;AAEA,QAAI;AAEJ,QAAI;AACF,gBAAU,MAAM,WAA8B,KAAK,aAAa;AAAA,QAC9D,UAAU,KAAK;AAAA,MACjB,CAAC;AAAA,IACH,SAAS,GAAG;AACV,aAAO;AAAA,QACL,eAAe;AAAA,QACf,QACE,2CAA2C;AAAA,MAC/C;AAAA,IACF;AAEA,QAAI,CAAC,QAAQ,aAAa;AACxB,aAAO;AAAA,QACL,eAAe;AAAA,QACf,QACE,2CAA2C;AAAA,MAC/C;AAAA,IACF;AAEA,QAAI,CAAE,MAAM,KAAK,WAAW,QAAQ,WAAW,GAAI;AACjD,aAAO;AAAA,QACL,eAAe;AAAA,QACf,QAAQ,2CAA2C;AAAA,MACrD;AAAA,IACF;AAEA,UAAM;AAAA,MACJ,KAAK;AAAA,MACL,QAAQ;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,eAAe;AAAA,IACjB,IAAI,UAAuB,QAAQ,WAAW;AAE9C,WAAO;AAAA,MACL,eAAe;AAAA,MACf;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,MAAM,QAAQ;AAAA,MACd,cAAc,QAAQ;AAAA,MACtB,aAAa,QAAQ;AAAA,IACvB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,QAAQ,UAA0B,CAAC,GAAoC;AAC3E,UAAM,UAAU,MAAM,WAA8B,KAAK,aAAa;AAAA,MACpE,UAAU,KAAK;AAAA,IACjB,CAAC;AAED,QAAI,CAAC,QAAQ,gBAAgB,CAAC,QAAQ,MAAM;AAC1C,aAAO;AAAA,QACL,eAAe;AAAA,QACf,QAAQ,4BAA4B;AAAA,MACtC;AAAA,IACF;AAEA,UAAM,EAAE,QAAQ,8BAA8B,IAAI;AAAA,MAChD,QAAQ;AAAA,IACV;AAEA,QAAI;AACF,YAAM,iBAAiB,QAAQ,kBAAkB,KAAK;AAEtD,YAAM,yBACJ,MAAM,KAAK,eAAe,6BAA6B;AAAA,QACrD,UAAU,KAAK,eAAe;AAAA,QAC9B,cAAc,QAAQ;AAAA,QACtB,gBACE,QAAQ,kBAAkB;AAAA,QAC5B,SAAS;AAAA;AAAA,UAEP,aAAa;AAAA,UACb;AAAA,QACF;AAAA,MACF,CAAC;AAGH,UAAI,QAAQ,gBAAgB;AAC1B,aAAK,iBAAiB,QAAQ;AAAA,MAChC;AAEA,WAAK,cAAc,uBAAuB;AAE1C,YAAM;AAAA,QACJ,KAAK;AAAA,QACL,QAAQ;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,eAAe;AAAA,MACjB,IAAI,UAAuB,uBAAuB,WAAW;AAI7D,aAAO;AAAA,QACL,eAAe;AAAA,QACf,eAAe,uBAAuB;AAAA,QACtC,SAAS;AAAA,QACT;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,MAAM,QAAQ;AAAA,QACd,cAAc,QAAQ;AAAA,MACxB;AAAA,IACF,SAAS,OAAO;AACd,UACE,iBAAiB;AAAA,OAEhB,MAAM,UAAU,4BAA4B,iBAC3C,MAAM,UAAU,4BAA4B,kBAC5C,MAAM,UAAU,4BAA4B,eAC9C;AACA,eAAO;AAAA,UACL,eAAe;AAAA,UACf,QAAQ,MAAM;AAAA,QAChB;AAAA,MACF;AAEA,YAAM;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,aAAa;AAAA,IACjB;AAAA,EACF,IAA2B,CAAC,GAAoB;AAC9C,UAAM,yBAAyB,MAAM,KAAK,aAAa;AAEvD,QAAI,CAAC,uBAAuB,eAAe;AACzC,YAAM,EAAE,OAAO,IAAI;AACnB,YAAM,IAAI,MAAM,gDAAgD,MAAM,EAAE;AAAA,IAC1E;AAEA,WAAO,KAAK,eAAe,aAAa;AAAA,MACtC,WAAW,uBAAuB;AAAA,MAClC;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,WAAW,aAAuC;AAC9D,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,QAAI;AACF,YAAM,UAAU,aAAa,KAAK,IAAI;AACtC,aAAO;AAAA,IACT,SAAS,GAAG;AACV,aAAO;AAAA,IACT;AAAA,EACF;AACF;","names":[]}
+{"version":3,"sources":["../../../src/user-management/session.ts"],"sourcesContent":["import { OauthException } from '../common/exceptions/oauth.exception';\nimport {\n  AccessToken,\n  AuthenticateWithSessionCookieFailedResponse,\n  AuthenticateWithSessionCookieFailureReason,\n  AuthenticateWithSessionCookieSuccessResponse,\n  AuthenticationResponse,\n  RefreshSessionFailureReason,\n  RefreshSessionResponse,\n  SessionCookieData,\n} from './interfaces';\nimport { UserManagement } from './user-management';\nimport { unsealData } from 'iron-session';\nimport { getJose } from '../utils/jose';\n\ntype RefreshOptions = {\n  cookiePassword?: string;\n  organizationId?: string;\n};\n\nexport class CookieSession {\n  private userManagement: UserManagement;\n  private cookiePassword: string;\n  private sessionData: string;\n\n  constructor(\n    userManagement: UserManagement,\n    sessionData: string,\n    cookiePassword: string,\n  ) {\n    if (!cookiePassword) {\n      throw new Error('cookiePassword is required');\n    }\n\n    this.userManagement = userManagement;\n    this.cookiePassword = cookiePassword;\n    this.sessionData = sessionData;\n  }\n\n  /**\n   * Authenticates a user with a session cookie.\n   *\n   * @returns An object indicating whether the authentication was successful or not. If successful, it will include the user's session data.\n   */\n  async authenticate(): Promise<\n    | AuthenticateWithSessionCookieSuccessResponse\n    | AuthenticateWithSessionCookieFailedResponse\n  > {\n    if (!this.sessionData) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED,\n      };\n    }\n\n    let session: SessionCookieData;\n\n    try {\n      session = await unsealData<SessionCookieData>(this.sessionData, {\n        password: this.cookiePassword,\n      });\n    } catch (e) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n      };\n    }\n\n    if (!session.accessToken) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n      };\n    }\n\n    if (!(await this.isValidJwt(session.accessToken))) {\n      return {\n        authenticated: false,\n        reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT,\n      };\n    }\n\n    const { decodeJwt } = await getJose();\n\n    const {\n      sid: sessionId,\n      org_id: organizationId,\n      role,\n      roles,\n      permissions,\n      entitlements,\n      feature_flags: featureFlags,\n    } = decodeJwt<AccessToken>(session.accessToken);\n\n    return {\n      authenticated: true,\n      sessionId,\n      organizationId,\n      role,\n      roles,\n      permissions,\n      entitlements,\n      featureFlags,\n      user: session.user,\n      impersonator: session.impersonator,\n      accessToken: session.accessToken,\n    };\n  }\n\n  /**\n   * Refreshes the user's session.\n   *\n   * @param options - Optional options for refreshing the session.\n   * @param options.cookiePassword - The password to use for the new session cookie.\n   * @param options.organizationId - The organization ID to use for the new session cookie.\n   * @returns An object indicating whether the refresh was successful or not. If successful, it will include the new sealed session data.\n   */\n  async refresh(options: RefreshOptions = {}): Promise<RefreshSessionResponse> {\n    const { decodeJwt } = await getJose();\n    const session = await unsealData<SessionCookieData>(this.sessionData, {\n      password: this.cookiePassword,\n    });\n\n    if (!session.refreshToken || !session.user) {\n      return {\n        authenticated: false,\n        reason: RefreshSessionFailureReason.INVALID_SESSION_COOKIE,\n      };\n    }\n\n    const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(\n      session.accessToken,\n    );\n\n    try {\n      const cookiePassword = options.cookiePassword ?? this.cookiePassword;\n\n      const authenticationResponse =\n        await this.userManagement.authenticateWithRefreshToken({\n          clientId: this.userManagement.clientId as string,\n          refreshToken: session.refreshToken,\n          organizationId:\n            options.organizationId ?? organizationIdFromAccessToken,\n          session: {\n            // We want to store the new sealed session in this class instance, so this always needs to be true\n            sealSession: true,\n            cookiePassword,\n          },\n        });\n\n      // Update the password if a new one was provided\n      if (options.cookiePassword) {\n        this.cookiePassword = options.cookiePassword;\n      }\n\n      this.sessionData = authenticationResponse.sealedSession as string;\n\n      const {\n        sid: sessionId,\n        org_id: organizationId,\n        role,\n        roles,\n        permissions,\n        entitlements,\n        feature_flags: featureFlags,\n      } = decodeJwt<AccessToken>(authenticationResponse.accessToken);\n\n      // TODO: Returning `session` here means there's some duplicated data.\n      // Slim down the return type in a future major version.\n      return {\n        authenticated: true,\n        sealedSession: authenticationResponse.sealedSession,\n        session: authenticationResponse as AuthenticationResponse,\n        sessionId,\n        organizationId,\n        role,\n        roles,\n        permissions,\n        entitlements,\n        featureFlags,\n        user: session.user,\n        impersonator: session.impersonator,\n      };\n    } catch (error) {\n      if (\n        error instanceof OauthException &&\n        // TODO: Add additional known errors and remove re-throw\n        (error.error === RefreshSessionFailureReason.INVALID_GRANT ||\n          error.error === RefreshSessionFailureReason.MFA_ENROLLMENT ||\n          error.error === RefreshSessionFailureReason.SSO_REQUIRED)\n      ) {\n        return {\n          authenticated: false,\n          reason: error.error,\n        };\n      }\n\n      throw error;\n    }\n  }\n\n  /**\n   * Gets the URL to redirect the user to for logging out.\n   *\n   * @returns The URL to redirect the user to for logging out.\n   */\n  async getLogoutUrl({\n    returnTo,\n  }: { returnTo?: string } = {}): Promise<string> {\n    const authenticationResponse = await this.authenticate();\n\n    if (!authenticationResponse.authenticated) {\n      const { reason } = authenticationResponse;\n      throw new Error(`Failed to extract session ID for logout URL: ${reason}`);\n    }\n\n    return this.userManagement.getLogoutUrl({\n      sessionId: authenticationResponse.sessionId,\n      returnTo,\n    });\n  }\n\n  private async isValidJwt(accessToken: string): Promise<boolean> {\n    const { jwtVerify } = await getJose();\n    const jwks = await this.userManagement.getJWKS();\n    if (!jwks) {\n      throw new Error(\n        'Missing client ID. Did you provide it when initializing WorkOS?',\n      );\n    }\n\n    try {\n      await jwtVerify(accessToken, jwks);\n      return true;\n    } catch (e) {\n      return false;\n    }\n  }\n}\n"],"mappings":";;AAAA,SAAS,sBAAsB;AAC/B;AAAA,EAGE;AAAA,EAGA;AAAA,OAGK;AAEP,SAAS,kBAAkB;AAC3B,SAAS,eAAe;AAOjB,MAAM,cAAc;AAAA,EApB3B,OAoB2B;AAAA;AAAA;AAAA,EACjB;AAAA,EACA;AAAA,EACA;AAAA,EAER,YACE,gBACA,aACA,gBACA;AACA,QAAI,CAAC,gBAAgB;AACnB,YAAM,IAAI,MAAM,4BAA4B;AAAA,IAC9C;AAEA,SAAK,iBAAiB;AACtB,SAAK,iBAAiB;AACtB,SAAK,cAAc;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,eAGJ;AACA,QAAI,CAAC,KAAK,aAAa;AACrB,aAAO;AAAA,QACL,eAAe;AAAA,QACf,QACE,2CAA2C;AAAA,MAC/C;AAAA,IACF;AAEA,QAAI;AAEJ,QAAI;AACF,gBAAU,MAAM,WAA8B,KAAK,aAAa;AAAA,QAC9D,UAAU,KAAK;AAAA,MACjB,CAAC;AAAA,IACH,SAAS,GAAG;AACV,aAAO;AAAA,QACL,eAAe;AAAA,QACf,QACE,2CAA2C;AAAA,MAC/C;AAAA,IACF;AAEA,QAAI,CAAC,QAAQ,aAAa;AACxB,aAAO;AAAA,QACL,eAAe;AAAA,QACf,QACE,2CAA2C;AAAA,MAC/C;AAAA,IACF;AAEA,QAAI,CAAE,MAAM,KAAK,WAAW,QAAQ,WAAW,GAAI;AACjD,aAAO;AAAA,QACL,eAAe;AAAA,QACf,QAAQ,2CAA2C;AAAA,MACrD;AAAA,IACF;AAEA,UAAM,EAAE,UAAU,IAAI,MAAM,QAAQ;AAEpC,UAAM;AAAA,MACJ,KAAK;AAAA,MACL,QAAQ;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,eAAe;AAAA,IACjB,IAAI,UAAuB,QAAQ,WAAW;AAE9C,WAAO;AAAA,MACL,eAAe;AAAA,MACf;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,MAAM,QAAQ;AAAA,MACd,cAAc,QAAQ;AAAA,MACtB,aAAa,QAAQ;AAAA,IACvB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,QAAQ,UAA0B,CAAC,GAAoC;AAC3E,UAAM,EAAE,UAAU,IAAI,MAAM,QAAQ;AACpC,UAAM,UAAU,MAAM,WAA8B,KAAK,aAAa;AAAA,MACpE,UAAU,KAAK;AAAA,IACjB,CAAC;AAED,QAAI,CAAC,QAAQ,gBAAgB,CAAC,QAAQ,MAAM;AAC1C,aAAO;AAAA,QACL,eAAe;AAAA,QACf,QAAQ,4BAA4B;AAAA,MACtC;AAAA,IACF;AAEA,UAAM,EAAE,QAAQ,8BAA8B,IAAI;AAAA,MAChD,QAAQ;AAAA,IACV;AAEA,QAAI;AACF,YAAM,iBAAiB,QAAQ,kBAAkB,KAAK;AAEtD,YAAM,yBACJ,MAAM,KAAK,eAAe,6BAA6B;AAAA,QACrD,UAAU,KAAK,eAAe;AAAA,QAC9B,cAAc,QAAQ;AAAA,QACtB,gBACE,QAAQ,kBAAkB;AAAA,QAC5B,SAAS;AAAA;AAAA,UAEP,aAAa;AAAA,UACb;AAAA,QACF;AAAA,MACF,CAAC;AAGH,UAAI,QAAQ,gBAAgB;AAC1B,aAAK,iBAAiB,QAAQ;AAAA,MAChC;AAEA,WAAK,cAAc,uBAAuB;AAE1C,YAAM;AAAA,QACJ,KAAK;AAAA,QACL,QAAQ;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,eAAe;AAAA,MACjB,IAAI,UAAuB,uBAAuB,WAAW;AAI7D,aAAO;AAAA,QACL,eAAe;AAAA,QACf,eAAe,uBAAuB;AAAA,QACtC,SAAS;AAAA,QACT;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,MAAM,QAAQ;AAAA,QACd,cAAc,QAAQ;AAAA,MACxB;AAAA,IACF,SAAS,OAAO;AACd,UACE,iBAAiB;AAAA,OAEhB,MAAM,UAAU,4BAA4B,iBAC3C,MAAM,UAAU,4BAA4B,kBAC5C,MAAM,UAAU,4BAA4B,eAC9C;AACA,eAAO;AAAA,UACL,eAAe;AAAA,UACf,QAAQ,MAAM;AAAA,QAChB;AAAA,MACF;AAEA,YAAM;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,aAAa;AAAA,IACjB;AAAA,EACF,IAA2B,CAAC,GAAoB;AAC9C,UAAM,yBAAyB,MAAM,KAAK,aAAa;AAEvD,QAAI,CAAC,uBAAuB,eAAe;AACzC,YAAM,EAAE,OAAO,IAAI;AACnB,YAAM,IAAI,MAAM,gDAAgD,MAAM,EAAE;AAAA,IAC1E;AAEA,WAAO,KAAK,eAAe,aAAa;AAAA,MACtC,WAAW,uBAAuB;AAAA,MAClC;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,WAAW,aAAuC;AAC9D,UAAM,EAAE,UAAU,IAAI,MAAM,QAAQ;AACpC,UAAM,OAAO,MAAM,KAAK,eAAe,QAAQ;AAC/C,QAAI,CAAC,MAAM;AACT,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,QAAI;AACF,YAAM,UAAU,aAAa,IAAI;AACjC,aAAO;AAAA,IACT,SAAS,GAAG;AACV,aAAO;AAAA,IACT;AAAA,EACF;AACF;","names":[]}

package/lib/esm/user-management/user-management.d.ts

@@ -4,7 +4,7 @@ import '../common/interfaces/pagination-options.interface.js';
 import '../common/utils/pagination.js';
 import '../mfa/interfaces/challenge.interface.js';
 import '../feature-flags/interfaces/feature-flag.interface.js';
-export { U as UserManagement } from '../workos-e5MfmByv.js';
+export { U as UserManagement } from '../workos-DLj13cxf.js';
 import './interfaces/authenticate-with-code-options.interface.js';
 import './interfaces/authenticate-with-code-and-verifier-options.interface.js';
 import './interfaces/authenticate-with-email-verification-options.interface.js';
@@ -50,12 +50,15 @@ import '../common/interfaces/post-options.interface.js';
 import '../common/interfaces/put-options.interface.js';
 import '../common/interfaces/workos-options.interface.js';
 import '../common/interfaces/app-info.interface.js';
-import '../events/interfaces/list-events-options.interface.js';
-import '../common/interfaces/event.interface.js';
 import '../directory-sync/interfaces/directory.interface.js';
 import '../directory-sync/interfaces/directory-group.interface.js';
+import '../directory-sync/interfaces/list-directories-options.interface.js';
+import '../directory-sync/interfaces/list-groups-options.interface.js';
+import '../directory-sync/interfaces/list-directory-users-options.interface.js';
 import '../directory-sync/interfaces/directory-user.interface.js';
 import '../roles/interfaces/role.interface.js';
+import '../events/interfaces/list-events-options.interface.js';
+import '../common/interfaces/event.interface.js';
 import '../organizations/interfaces/organization.interface.js';
 import '../organization-domains/interfaces/organization-domain.interface.js';
 import '../sso/interfaces/connection.interface.js';
@@ -121,8 +124,7 @@ import '../vault/interfaces/object/delete-object.interface.js';
 import '../vault/interfaces/object/read-object.interface.js';
 import '../vault/interfaces/object.interface.js';
 import '../vault/interfaces/object/update-object.interface.js';
-import '../directory-sync/interfaces/list-directories-options.interface.js';
-import '../directory-sync/interfaces/list-groups-options.interface.js';
-import '../directory-sync/interfaces/list-directory-users-options.interface.js';
+import '../api-keys/interfaces/validate-api-key.interface.js';
+import '../api-keys/interfaces/api-key.interface.js';
 import './interfaces/authenticate-with-options-base.interface.js';
 import './interfaces/password-hash-type.interface.js';

package/lib/esm/user-management/user-management.js

@@ -1,7 +1,6 @@
 var __defProp = Object.defineProperty;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
 import { sealData, unsealData } from "iron-session";
-import { createRemoteJWKSet, decodeJwt, jwtVerify } from "jose";
 import * as clientUserManagement from "../client/user-management.js";
 import { fetchAndDeserialize } from "../common/utils/fetch-and-deserialize.js";
 import { AutoPaginatable } from "../common/utils/pagination.js";
@@ -49,6 +48,7 @@ import { deserializeOrganizationMembership } from "./serializers/organization-me
 import { serializeSendInvitationOptions } from "./serializers/send-invitation-options.serializer.js";
 import { serializeUpdateOrganizationMembershipOptions } from "./serializers/update-organization-membership-options.serializer.js";
 import { CookieSession } from "./session.js";
+import { getJose } from "../utils/jose.js";
 class UserManagement {
   constructor(workos) {
     this.workos = workos;
@@ -60,7 +60,8 @@ class UserManagement {
   }
   _jwks;
   clientId;
-  get jwks() {
+  async getJWKS() {
+    const { createRemoteJWKSet } = await getJose();
     if (!this.clientId) {
       return;
     }
@@ -229,9 +230,11 @@ class UserManagement {
     if (!cookiePassword) {
       throw new Error("Cookie password is required");
     }
-    if (!this.jwks) {
+    const jwks = await this.getJWKS();
+    if (!jwks) {
       throw new Error("Must provide clientId to initialize JWKS");
     }
+    const { decodeJwt } = await getJose();
     if (!sessionData) {
       return {
         authenticated: false,
@@ -276,11 +279,13 @@ class UserManagement {
     };
   }
   async isValidJwt(accessToken) {
-    if (!this.jwks) {
+    const jwks = await this.getJWKS();
+    const { jwtVerify } = await getJose();
+    if (!jwks) {
       throw new Error("Must provide clientId to initialize JWKS");
     }
     try {
-      await jwtVerify(accessToken, this.jwks);
+      await jwtVerify(accessToken, jwks);
       return true;
     } catch (e) {
       return false;
@@ -308,6 +313,7 @@ class UserManagement {
     if (!cookiePassword) {
       throw new Error("Cookie password is required");
     }
+    const { decodeJwt } = await getJose();
     const { org_id: organizationIdFromAccessToken } = decodeJwt(
       authenticationResponse.accessToken
     );