npm - @workos-inc/node - Versions diffs - 8.0.0-rc.6 → 8.0.0-rc.8 - Mend

@workos-inc/node 8.0.0-rc.6 → 8.0.0-rc.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (261) hide show

package/lib/user-management/serializers/authenticate-with-totp-options.serializer.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"authenticate-with-totp-options.serializer.js","names":[],"sources":["../../../src/user-management/serializers/authenticate-with-totp-options.serializer.ts"],"sourcesContent":["import {\n AuthenticateUserWithTotpCredentials,\n AuthenticateWithTotpOptions,\n SerializedAuthenticateWithTotpOptions,\n} from '../interfaces';\n\nexport const serializeAuthenticateWithTotpOptions = (\n options: AuthenticateWithTotpOptions & AuthenticateUserWithTotpCredentials,\n): SerializedAuthenticateWithTotpOptions => ({\n grant_type: 'urn:workos:oauth:grant-type:mfa-totp',\n client_id: options.clientId,\n client_secret: options.clientSecret,\n code: options.code,\n authentication_challenge_id: options.authenticationChallengeId,\n pending_authentication_token: options.pendingAuthenticationToken,\n ip_address: options.ipAddress,\n user_agent: options.userAgent,\n});\n"],"mappings":";~~AAMA~~,MAAa,wCACX,~~aAC2C~~;CAC3C,YAAY;CACZ,WAAW,QAAQ;CACnB,eAAe,QAAQ;CACvB,MAAM,QAAQ;CACd,6BAA6B,QAAQ;CACrC,8BAA8B,QAAQ;CACtC,YAAY,QAAQ;CACpB,YAAY,QAAQ;CACrB"}
1	+ {"version":3,"file":"authenticate-with-totp-options.serializer.js","names":[],"sources":["../../../src/user-management/serializers/authenticate-with-totp-options.serializer.ts"],"sourcesContent":["import {\n AuthenticateUserWithTotpCredentials,\n AuthenticateWithTotpOptions,\n SerializedAuthenticateWithTotpOptions,\n WithResolvedClientId,\n} from '../interfaces';\n\nexport const serializeAuthenticateWithTotpOptions = (\n options: WithResolvedClientId<AuthenticateWithTotpOptions> &\n AuthenticateUserWithTotpCredentials,\n): SerializedAuthenticateWithTotpOptions => ({\n grant_type: 'urn:workos:oauth:grant-type:mfa-totp',\n client_id: options.clientId,\n client_secret: options.clientSecret,\n code: options.code,\n authentication_challenge_id: options.authenticationChallengeId,\n pending_authentication_token: options.pendingAuthenticationToken,\n ip_address: options.ipAddress,\n user_agent: options.userAgent,\n});\n"],"mappings":";AAOA,MAAa,wCACX,aAE2C;CAC3C,YAAY;CACZ,WAAW,QAAQ;CACnB,eAAe,QAAQ;CACvB,MAAM,QAAQ;CACd,6BAA6B,QAAQ;CACrC,8BAA8B,QAAQ;CACtC,YAAY,QAAQ;CACpB,YAAY,QAAQ;CACrB"}

package/lib/user-management/serializers/index.cjs CHANGED Viewed

@@ -3,6 +3,7 @@ const require_user_management_serializers_authenticate_with_code_and_verifier_op
 const require_user_management_serializers_authenticate_with_magic_auth_options_serializer = require('./authenticate-with-magic-auth-options.serializer.cjs');
 const require_user_management_serializers_authenticate_with_password_options_serializer = require('./authenticate-with-password-options.serializer.cjs');
 const require_user_management_serializers_authenticate_with_refresh_token_options_serializer = require('./authenticate-with-refresh-token.options.serializer.cjs');
+const require_user_management_serializers_authenticate_with_refresh_token_public_client_options_serializer = require('./authenticate-with-refresh-token-public-client-options.serializer.cjs');
 const require_user_management_serializers_authenticate_with_totp_options_serializer = require('./authenticate-with-totp-options.serializer.cjs');
 const require_user_management_serializers_authentication_event_serializer = require('./authentication-event.serializer.cjs');
 const require_user_management_serializers_user_serializer = require('./user.serializer.cjs');
@@ -41,6 +42,7 @@ exports.serializeAuthenticateWithCodeOptions = require_user_management_serialize
 exports.serializeAuthenticateWithMagicAuthOptions = require_user_management_serializers_authenticate_with_magic_auth_options_serializer.serializeAuthenticateWithMagicAuthOptions;
 exports.serializeAuthenticateWithPasswordOptions = require_user_management_serializers_authenticate_with_password_options_serializer.serializeAuthenticateWithPasswordOptions;
 exports.serializeAuthenticateWithRefreshTokenOptions = require_user_management_serializers_authenticate_with_refresh_token_options_serializer.serializeAuthenticateWithRefreshTokenOptions;
+exports.serializeAuthenticateWithRefreshTokenPublicClientOptions = require_user_management_serializers_authenticate_with_refresh_token_public_client_options_serializer.serializeAuthenticateWithRefreshTokenPublicClientOptions;
 exports.serializeAuthenticateWithTotpOptions = require_user_management_serializers_authenticate_with_totp_options_serializer.serializeAuthenticateWithTotpOptions;
 exports.serializeCreateMagicAuthOptions = require_user_management_serializers_create_magic_auth_options_serializer.serializeCreateMagicAuthOptions;
 exports.serializeCreatePasswordResetOptions = require_user_management_serializers_create_password_reset_options_serializer.serializeCreatePasswordResetOptions;

package/lib/user-management/serializers/index.d.cts CHANGED Viewed

@@ -2,6 +2,7 @@ import { serializeAuthenticateWithCodeAndVerifierOptions } from "./authenticate-
 import { serializeAuthenticateWithCodeOptions } from "./authenticate-with-code-options.serializer.cjs";
 import { serializeAuthenticateWithMagicAuthOptions } from "./authenticate-with-magic-auth-options.serializer.cjs";
 import { serializeAuthenticateWithPasswordOptions } from "./authenticate-with-password-options.serializer.cjs";
+import { serializeAuthenticateWithRefreshTokenPublicClientOptions } from "./authenticate-with-refresh-token-public-client-options.serializer.cjs";
 import { serializeAuthenticateWithRefreshTokenOptions } from "./authenticate-with-refresh-token.options.serializer.cjs";
 import { serializeAuthenticateWithTotpOptions } from "./authenticate-with-totp-options.serializer.cjs";
 import { deserializeAuthenticationEvent } from "./authentication-event.serializer.cjs";
@@ -21,4 +22,4 @@ import { deserializeSession } from "./session.serializer.cjs";
 import { serializeUpdateUserOptions } from "./update-user-options.serializer.cjs";
 import { serializeUpdateUserPasswordOptions } from "./update-user-password-options.serializer.cjs";
 import { deserializeUser } from "./user.serializer.cjs";
-export { deserializeAuthenticationEvent, deserializeAuthenticationResponse, deserializeEmailVerification, deserializeEmailVerificationEvent, deserializeFactor, deserializeFactorWithSecrets, deserializeInvitation, deserializeInvitationEvent, deserializeMagicAuth, deserializeMagicAuthEvent, deserializePasswordReset, deserializePasswordResetEvent, deserializeSession, deserializeUser, serializeAuthenticateWithCodeAndVerifierOptions, serializeAuthenticateWithCodeOptions, serializeAuthenticateWithMagicAuthOptions, serializeAuthenticateWithPasswordOptions, serializeAuthenticateWithRefreshTokenOptions, serializeAuthenticateWithTotpOptions, serializeCreateMagicAuthOptions, serializeCreatePasswordResetOptions, serializeCreateUserOptions, serializeEnrollAuthFactorOptions, serializeListSessionsOptions, serializeResetPasswordOptions, serializeUpdateUserOptions, serializeUpdateUserPasswordOptions };
+export { deserializeAuthenticationEvent, deserializeAuthenticationResponse, deserializeEmailVerification, deserializeEmailVerificationEvent, deserializeFactor, deserializeFactorWithSecrets, deserializeInvitation, deserializeInvitationEvent, deserializeMagicAuth, deserializeMagicAuthEvent, deserializePasswordReset, deserializePasswordResetEvent, deserializeSession, deserializeUser, serializeAuthenticateWithCodeAndVerifierOptions, serializeAuthenticateWithCodeOptions, serializeAuthenticateWithMagicAuthOptions, serializeAuthenticateWithPasswordOptions, serializeAuthenticateWithRefreshTokenOptions, serializeAuthenticateWithRefreshTokenPublicClientOptions, serializeAuthenticateWithTotpOptions, serializeCreateMagicAuthOptions, serializeCreatePasswordResetOptions, serializeCreateUserOptions, serializeEnrollAuthFactorOptions, serializeListSessionsOptions, serializeResetPasswordOptions, serializeUpdateUserOptions, serializeUpdateUserPasswordOptions };

package/lib/user-management/serializers/index.d.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import { serializeAuthenticateWithCodeAndVerifierOptions } from "./authenticate-
 import { serializeAuthenticateWithCodeOptions } from "./authenticate-with-code-options.serializer.js";
 import { serializeAuthenticateWithMagicAuthOptions } from "./authenticate-with-magic-auth-options.serializer.js";
 import { serializeAuthenticateWithPasswordOptions } from "./authenticate-with-password-options.serializer.js";
+import { serializeAuthenticateWithRefreshTokenPublicClientOptions } from "./authenticate-with-refresh-token-public-client-options.serializer.js";
 import { serializeAuthenticateWithRefreshTokenOptions } from "./authenticate-with-refresh-token.options.serializer.js";
 import { serializeAuthenticateWithTotpOptions } from "./authenticate-with-totp-options.serializer.js";
 import { deserializeAuthenticationEvent } from "./authentication-event.serializer.js";
@@ -21,4 +22,4 @@ import { deserializeSession } from "./session.serializer.js";
 import { serializeUpdateUserOptions } from "./update-user-options.serializer.js";
 import { serializeUpdateUserPasswordOptions } from "./update-user-password-options.serializer.js";
 import { deserializeUser } from "./user.serializer.js";
-export { deserializeAuthenticationEvent, deserializeAuthenticationResponse, deserializeEmailVerification, deserializeEmailVerificationEvent, deserializeFactor, deserializeFactorWithSecrets, deserializeInvitation, deserializeInvitationEvent, deserializeMagicAuth, deserializeMagicAuthEvent, deserializePasswordReset, deserializePasswordResetEvent, deserializeSession, deserializeUser, serializeAuthenticateWithCodeAndVerifierOptions, serializeAuthenticateWithCodeOptions, serializeAuthenticateWithMagicAuthOptions, serializeAuthenticateWithPasswordOptions, serializeAuthenticateWithRefreshTokenOptions, serializeAuthenticateWithTotpOptions, serializeCreateMagicAuthOptions, serializeCreatePasswordResetOptions, serializeCreateUserOptions, serializeEnrollAuthFactorOptions, serializeListSessionsOptions, serializeResetPasswordOptions, serializeUpdateUserOptions, serializeUpdateUserPasswordOptions };
+export { deserializeAuthenticationEvent, deserializeAuthenticationResponse, deserializeEmailVerification, deserializeEmailVerificationEvent, deserializeFactor, deserializeFactorWithSecrets, deserializeInvitation, deserializeInvitationEvent, deserializeMagicAuth, deserializeMagicAuthEvent, deserializePasswordReset, deserializePasswordResetEvent, deserializeSession, deserializeUser, serializeAuthenticateWithCodeAndVerifierOptions, serializeAuthenticateWithCodeOptions, serializeAuthenticateWithMagicAuthOptions, serializeAuthenticateWithPasswordOptions, serializeAuthenticateWithRefreshTokenOptions, serializeAuthenticateWithRefreshTokenPublicClientOptions, serializeAuthenticateWithTotpOptions, serializeCreateMagicAuthOptions, serializeCreatePasswordResetOptions, serializeCreateUserOptions, serializeEnrollAuthFactorOptions, serializeListSessionsOptions, serializeResetPasswordOptions, serializeUpdateUserOptions, serializeUpdateUserPasswordOptions };

package/lib/user-management/serializers/index.js CHANGED Viewed

@@ -3,6 +3,7 @@ import { serializeAuthenticateWithCodeAndVerifierOptions } from "./authenticate-
 import { serializeAuthenticateWithMagicAuthOptions } from "./authenticate-with-magic-auth-options.serializer.js";
 import { serializeAuthenticateWithPasswordOptions } from "./authenticate-with-password-options.serializer.js";
 import { serializeAuthenticateWithRefreshTokenOptions } from "./authenticate-with-refresh-token.options.serializer.js";
+import { serializeAuthenticateWithRefreshTokenPublicClientOptions } from "./authenticate-with-refresh-token-public-client-options.serializer.js";
 import { serializeAuthenticateWithTotpOptions } from "./authenticate-with-totp-options.serializer.js";
 import { deserializeAuthenticationEvent } from "./authentication-event.serializer.js";
 import { deserializeUser } from "./user.serializer.js";
@@ -22,4 +23,4 @@ import { serializeCreateUserOptions } from "./create-user-options.serializer.js"
 import { serializeUpdateUserOptions } from "./update-user-options.serializer.js";
 import { serializeUpdateUserPasswordOptions } from "./update-user-password-options.serializer.js";
-export { deserializeAuthenticationEvent, deserializeAuthenticationResponse, deserializeEmailVerification, deserializeEmailVerificationEvent, deserializeFactor, deserializeFactorWithSecrets, deserializeInvitation, deserializeInvitationEvent, deserializeMagicAuth, deserializeMagicAuthEvent, deserializePasswordReset, deserializePasswordResetEvent, deserializeSession, deserializeUser, serializeAuthenticateWithCodeAndVerifierOptions, serializeAuthenticateWithCodeOptions, serializeAuthenticateWithMagicAuthOptions, serializeAuthenticateWithPasswordOptions, serializeAuthenticateWithRefreshTokenOptions, serializeAuthenticateWithTotpOptions, serializeCreateMagicAuthOptions, serializeCreatePasswordResetOptions, serializeCreateUserOptions, serializeEnrollAuthFactorOptions, serializeListSessionsOptions, serializeResetPasswordOptions, serializeUpdateUserOptions, serializeUpdateUserPasswordOptions };
+export { deserializeAuthenticationEvent, deserializeAuthenticationResponse, deserializeEmailVerification, deserializeEmailVerificationEvent, deserializeFactor, deserializeFactorWithSecrets, deserializeInvitation, deserializeInvitationEvent, deserializeMagicAuth, deserializeMagicAuthEvent, deserializePasswordReset, deserializePasswordResetEvent, deserializeSession, deserializeUser, serializeAuthenticateWithCodeAndVerifierOptions, serializeAuthenticateWithCodeOptions, serializeAuthenticateWithMagicAuthOptions, serializeAuthenticateWithPasswordOptions, serializeAuthenticateWithRefreshTokenOptions, serializeAuthenticateWithRefreshTokenPublicClientOptions, serializeAuthenticateWithTotpOptions, serializeCreateMagicAuthOptions, serializeCreatePasswordResetOptions, serializeCreateUserOptions, serializeEnrollAuthFactorOptions, serializeListSessionsOptions, serializeResetPasswordOptions, serializeUpdateUserOptions, serializeUpdateUserPasswordOptions };

package/lib/user-management/session.cjs CHANGED Viewed

@@ -25,15 +25,7 @@ var CookieSession = class {
 			authenticated: false,
 			reason: require_user_management_interfaces_authenticate_with_session_cookie_interface.AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED
 		};
-		let session;
-		try {
-			session = await require_common_crypto_seal.unsealData(this.sessionData, { password: this.cookiePassword });
-		} catch (e) {
-			return {
-				authenticated: false,
-				reason: require_user_management_interfaces_authenticate_with_session_cookie_interface.AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE
-			};
-		}
+		const session = await require_common_crypto_seal.unsealData(this.sessionData, { password: this.cookiePassword });
 		if (!session.accessToken) return {
 			authenticated: false,
 			reason: require_user_management_interfaces_authenticate_with_session_cookie_interface.AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE
@@ -136,7 +128,8 @@ var CookieSession = class {
 			await jwtVerify(accessToken, jwks);
 			return true;
 		} catch (e) {
-			return false;
+			if (e instanceof Error && "code" in e && typeof e.code === "string" && (e.code.startsWith("ERR_JWT_") || e.code.startsWith("ERR_JWS_"))) return false;
+			throw e;
 		}
 	}
 };

package/lib/user-management/session.cjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"session.cjs","names":["AuthenticateWithSessionCookieFailureReason","~~session: SessionCookieData","~~unsealData","getJose","RefreshSessionFailureReason","OauthException"],"sources":["../../src/user-management/session.ts"],"sourcesContent":["import { OauthException } from '../common/exceptions/oauth.exception';\nimport {\n AccessToken,\n AuthenticateWithSessionCookieFailedResponse,\n AuthenticateWithSessionCookieFailureReason,\n AuthenticateWithSessionCookieSuccessResponse,\n AuthenticationResponse,\n RefreshSessionFailureReason,\n RefreshSessionResponse,\n SessionCookieData,\n} from './interfaces';\nimport { UserManagement } from './user-management';\nimport { unsealData } from '../common/crypto/seal';\nimport { getJose } from '../utils/jose';\n\ntype RefreshOptions = {\n cookiePassword?: string;\n organizationId?: string;\n};\n\nexport class CookieSession {\n private userManagement: UserManagement;\n private cookiePassword: string;\n private sessionData: string;\n\n constructor(\n userManagement: UserManagement,\n sessionData: string,\n cookiePassword: string,\n ) {\n if (!cookiePassword) {\n throw new Error('cookiePassword is required');\n }\n\n this.userManagement = userManagement;\n this.cookiePassword = cookiePassword;\n this.sessionData = sessionData;\n }\n\n /*\n Authenticates a user with a session cookie.\n \n @returns An object indicating whether the authentication was successful or not. If successful, it will include the user's session data.\n /\n async authenticate(): Promise<\n \| AuthenticateWithSessionCookieSuccessResponse\n \| AuthenticateWithSessionCookieFailedResponse\n > {\n if (!this.sessionData) {\n return {\n authenticated: false,\n reason:\n AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED,\n };\n }\n\n ~~let~~ ~~session:~~ ~~SessionCookieData;\n~~\n ~~try~~ {\n session = await unsealData<SessionCookieData>(this.sessionData, {\n password: this.cookiePassword,\n ~~});\n~~ } ~~catch (e~~) ~~{\n return {\n authenticated: false,\n reason:\n AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n }~~;\n }\n\n if (!session.accessToken) {\n return {\n authenticated: false,\n reason:\n AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n };\n }\n\n if (!(await this.isValidJwt(session.accessToken))) {\n return {\n authenticated: false,\n reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT,\n };\n }\n\n const { decodeJwt } = await getJose();\n\n const {\n sid: sessionId,\n org_id: organizationId,\n role,\n roles,\n permissions,\n entitlements,\n feature_flags: featureFlags,\n } = decodeJwt<AccessToken>(session.accessToken);\n\n return {\n authenticated: true,\n sessionId,\n organizationId,\n role,\n roles,\n permissions,\n entitlements,\n featureFlags,\n user: session.user,\n authenticationMethod: session.authenticationMethod,\n impersonator: session.impersonator,\n accessToken: session.accessToken,\n };\n }\n\n /\n Refreshes the user's session.\n \n @param options - Optional options for refreshing the session.\n * @param options.cookiePassword - The password to use for the new session cookie.\n * @param options.organizationId - The organization ID to use for the new session cookie.\n * @returns An object indicating whether the refresh was successful or not. If successful, it will include the new sealed session data.\n /\n async refresh(options: RefreshOptions = {}): Promise<RefreshSessionResponse> {\n const { decodeJwt } = await getJose();\n const session = await unsealData<SessionCookieData>(this.sessionData, {\n password: this.cookiePassword,\n });\n\n if (!session.refreshToken \|\| !session.user) {\n return {\n authenticated: false,\n reason: RefreshSessionFailureReason.INVALID_SESSION_COOKIE,\n };\n }\n\n const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(\n session.accessToken,\n );\n\n try {\n const cookiePassword = options.cookiePassword ?? this.cookiePassword;\n\n const authenticationResponse =\n await this.userManagement.authenticateWithRefreshToken({\n clientId: this.userManagement.clientId as string,\n refreshToken: session.refreshToken,\n organizationId:\n options.organizationId ?? organizationIdFromAccessToken,\n session: {\n // We want to store the new sealed session in this class instance, so this always needs to be true\n sealSession: true,\n cookiePassword,\n },\n });\n\n // Update the password if a new one was provided\n if (options.cookiePassword) {\n this.cookiePassword = options.cookiePassword;\n }\n\n this.sessionData = authenticationResponse.sealedSession as string;\n\n const {\n sid: sessionId,\n org_id: organizationId,\n role,\n roles,\n permissions,\n entitlements,\n feature_flags: featureFlags,\n } = decodeJwt<AccessToken>(authenticationResponse.accessToken);\n\n // TODO: Returning `session` here means there's some duplicated data.\n // Slim down the return type in a future major version.\n return {\n authenticated: true,\n sealedSession: authenticationResponse.sealedSession,\n session: authenticationResponse as AuthenticationResponse,\n authenticationMethod: authenticationResponse.authenticationMethod,\n sessionId,\n organizationId,\n role,\n roles,\n permissions,\n entitlements,\n featureFlags,\n user: session.user,\n impersonator: session.impersonator,\n };\n } catch (error) {\n if (\n error instanceof OauthException &&\n // TODO: Add additional known errors and remove re-throw\n (error.error === RefreshSessionFailureReason.INVALID_GRANT \|\|\n error.error === RefreshSessionFailureReason.MFA_ENROLLMENT \|\|\n error.error === RefreshSessionFailureReason.SSO_REQUIRED)\n ) {\n return {\n authenticated: false,\n reason: error.error,\n };\n }\n\n throw error;\n }\n }\n\n /\n Gets the URL to redirect the user to for logging out.\n \n @returns The URL to redirect the user to for logging out.\n */\n async getLogoutUrl({\n returnTo,\n }: { returnTo?: string } = {}): Promise<string> {\n const authenticationResponse = await this.authenticate();\n\n if (!authenticationResponse.authenticated) {\n const { reason } = authenticationResponse;\n throw new Error(`Failed to extract session ID for logout URL: ${reason}`);\n }\n\n return this.userManagement.getLogoutUrl({\n sessionId: authenticationResponse.sessionId,\n returnTo,\n });\n }\n\n private async isValidJwt(accessToken: string): Promise<boolean> {\n const { jwtVerify } = await getJose();\n const jwks = await this.userManagement.getJWKS();\n if (!jwks) {\n throw new Error(\n 'Missing client ID. Did you provide it when initializing WorkOS?',\n );\n }\n\n try {\n await jwtVerify(accessToken, jwks);\n return true;\n } catch (e) {\n return false;\n }\n }\n}\n"],"mappings":";;;;;;;AAoBA,IAAa,gBAAb,MAA2B;CACzB,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YACE,gBACA,aACA,gBACA;AACA,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,6BAA6B;AAG/C,OAAK,iBAAiB;AACtB,OAAK,iBAAiB;AACtB,OAAK,cAAc;;;;;;;CAQrB,MAAM,eAGJ;AACA,MAAI,CAAC,KAAK,YACR,QAAO;GACL,eAAe;GACf,QACEA,yHAA2C;GAC9C;~~EAGH~~,~~IAAIC;AAEJ~~,~~MAAI;AACF~~,~~aAAU,~~MAAMC,sCAA8B,KAAK,aAAa,~~EAC9D~~,UAAU,KAAK,gBAChB,CAAC;~~WACK~~,~~GAAG;AACV,UAAO;IACL,eAAe;IACf,QACEF,yHAA2C;IAC9C;;AAGH,~~MAAI,CAAC,QAAQ,YACX,QAAO;GACL,eAAe;GACf,~~QACEA~~,yHAA2C;GAC9C;AAGH,MAAI,CAAE,MAAM,KAAK,WAAW,QAAQ,YAAY,CAC9C,QAAO;GACL,eAAe;GACf,QAAQA,yHAA2C;GACpD;EAGH,MAAM,EAAE,cAAc,~~MAAMG~~,4BAAS;EAErC,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,QAAQ,YAAY;AAE/C,SAAO;GACL,eAAe;GACf;GACA;GACA;GACA;GACA;GACA;GACA;GACA,MAAM,QAAQ;GACd,sBAAsB,QAAQ;GAC9B,cAAc,QAAQ;GACtB,aAAa,QAAQ;GACtB;;;;;;;;;;CAWH,MAAM,QAAQ,UAA0B,EAAE,EAAmC;EAC3E,MAAM,EAAE,cAAc,MAAMA,4BAAS;EACrC,MAAM,UAAU,MAAMD,sCAA8B,KAAK,aAAa,EACpE,UAAU,KAAK,gBAChB,CAAC;AAEF,MAAI,CAAC,QAAQ,gBAAgB,CAAC,QAAQ,KACpC,QAAO;GACL,eAAe;GACf,QAAQE,uGAA4B;GACrC;EAGH,MAAM,EAAE,QAAQ,kCAAkC,UAChD,QAAQ,YACT;AAED,MAAI;GACF,MAAM,iBAAiB,QAAQ,kBAAkB,KAAK;GAEtD,MAAM,yBACJ,MAAM,KAAK,eAAe,6BAA6B;IACrD,UAAU,KAAK,eAAe;IAC9B,cAAc,QAAQ;IACtB,gBACE,QAAQ,kBAAkB;IAC5B,SAAS;KAEP,aAAa;KACb;KACD;IACF,CAAC;AAGJ,OAAI,QAAQ,eACV,MAAK,iBAAiB,QAAQ;AAGhC,QAAK,cAAc,uBAAuB;GAE1C,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,uBAAuB,YAAY;AAI9D,UAAO;IACL,eAAe;IACf,eAAe,uBAAuB;IACtC,SAAS;IACT,sBAAsB,uBAAuB;IAC7C;IACA;IACA;IACA;IACA;IACA;IACA;IACA,MAAM,QAAQ;IACd,cAAc,QAAQ;IACvB;WACM,OAAO;AACd,OACE,iBAAiBC,6DAEhB,MAAM,UAAUD,uGAA4B,iBAC3C,MAAM,UAAUA,uGAA4B,kBAC5C,MAAM,UAAUA,uGAA4B,cAE9C,QAAO;IACL,eAAe;IACf,QAAQ,MAAM;IACf;AAGH,SAAM;;;;;;;;CASV,MAAM,aAAa,EACjB,aACyB,EAAE,EAAmB;EAC9C,MAAM,yBAAyB,MAAM,KAAK,cAAc;AAExD,MAAI,CAAC,uBAAuB,eAAe;GACzC,MAAM,EAAE,WAAW;AACnB,SAAM,IAAI,MAAM,gDAAgD,SAAS;;AAG3E,SAAO,KAAK,eAAe,aAAa;GACtC,WAAW,uBAAuB;GAClC;GACD,CAAC;;CAGJ,MAAc,WAAW,aAAuC;EAC9D,MAAM,EAAE,cAAc,MAAMD,4BAAS;EACrC,MAAM,OAAO,MAAM,KAAK,eAAe,SAAS;AAChD,MAAI,CAAC,KACH,OAAM,IAAI,MACR,kEACD;AAGH,MAAI;AACF,SAAM,UAAU,aAAa,KAAK;AAClC,UAAO;WACA,GAAG;~~AACV~~,~~UAAO~~"}
1	+ {"version":3,"file":"session.cjs","names":["AuthenticateWithSessionCookieFailureReason","unsealData","getJose","RefreshSessionFailureReason","OauthException"],"sources":["../../src/user-management/session.ts"],"sourcesContent":["import { OauthException } from '../common/exceptions/oauth.exception';\nimport {\n AccessToken,\n AuthenticateWithSessionCookieFailedResponse,\n AuthenticateWithSessionCookieFailureReason,\n AuthenticateWithSessionCookieSuccessResponse,\n AuthenticationResponse,\n RefreshSessionFailureReason,\n RefreshSessionResponse,\n SessionCookieData,\n} from './interfaces';\nimport { UserManagement } from './user-management';\nimport { unsealData } from '../common/crypto/seal';\nimport { getJose } from '../utils/jose';\n\ntype RefreshOptions = {\n cookiePassword?: string;\n organizationId?: string;\n};\n\nexport class CookieSession {\n private userManagement: UserManagement;\n private cookiePassword: string;\n private sessionData: string;\n\n constructor(\n userManagement: UserManagement,\n sessionData: string,\n cookiePassword: string,\n ) {\n if (!cookiePassword) {\n throw new Error('cookiePassword is required');\n }\n\n this.userManagement = userManagement;\n this.cookiePassword = cookiePassword;\n this.sessionData = sessionData;\n }\n\n /*\n Authenticates a user with a session cookie.\n \n @returns An object indicating whether the authentication was successful or not. If successful, it will include the user's session data.\n /\n async authenticate(): Promise<\n \| AuthenticateWithSessionCookieSuccessResponse\n \| AuthenticateWithSessionCookieFailedResponse\n > {\n if (!this.sessionData) {\n return {\n authenticated: false,\n reason:\n AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED,\n };\n }\n\n // unsealData returns {} for known seal errors (expired, bad hmac, etc.)\n // Unknown errors propagate - don't catch them as \"invalid session\"\n const session = await unsealData<SessionCookieData>(this.sessionData, {\n password: this.cookiePassword,\n });\n\n if (!session.accessToken) {\n return {\n authenticated: false,\n reason:\n AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n };\n }\n\n if (!(await this.isValidJwt(session.accessToken))) {\n return {\n authenticated: false,\n reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT,\n };\n }\n\n const { decodeJwt } = await getJose();\n\n const {\n sid: sessionId,\n org_id: organizationId,\n role,\n roles,\n permissions,\n entitlements,\n feature_flags: featureFlags,\n } = decodeJwt<AccessToken>(session.accessToken);\n\n return {\n authenticated: true,\n sessionId,\n organizationId,\n role,\n roles,\n permissions,\n entitlements,\n featureFlags,\n user: session.user,\n authenticationMethod: session.authenticationMethod,\n impersonator: session.impersonator,\n accessToken: session.accessToken,\n };\n }\n\n /\n Refreshes the user's session.\n \n @param options - Optional options for refreshing the session.\n * @param options.cookiePassword - The password to use for the new session cookie.\n * @param options.organizationId - The organization ID to use for the new session cookie.\n * @returns An object indicating whether the refresh was successful or not. If successful, it will include the new sealed session data.\n /\n async refresh(options: RefreshOptions = {}): Promise<RefreshSessionResponse> {\n const { decodeJwt } = await getJose();\n const session = await unsealData<SessionCookieData>(this.sessionData, {\n password: this.cookiePassword,\n });\n\n if (!session.refreshToken \|\| !session.user) {\n return {\n authenticated: false,\n reason: RefreshSessionFailureReason.INVALID_SESSION_COOKIE,\n };\n }\n\n const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(\n session.accessToken,\n );\n\n try {\n const cookiePassword = options.cookiePassword ?? this.cookiePassword;\n\n const authenticationResponse =\n await this.userManagement.authenticateWithRefreshToken({\n clientId: this.userManagement.clientId as string,\n refreshToken: session.refreshToken,\n organizationId:\n options.organizationId ?? organizationIdFromAccessToken,\n session: {\n // We want to store the new sealed session in this class instance, so this always needs to be true\n sealSession: true,\n cookiePassword,\n },\n });\n\n // Update the password if a new one was provided\n if (options.cookiePassword) {\n this.cookiePassword = options.cookiePassword;\n }\n\n this.sessionData = authenticationResponse.sealedSession as string;\n\n const {\n sid: sessionId,\n org_id: organizationId,\n role,\n roles,\n permissions,\n entitlements,\n feature_flags: featureFlags,\n } = decodeJwt<AccessToken>(authenticationResponse.accessToken);\n\n // TODO: Returning `session` here means there's some duplicated data.\n // Slim down the return type in a future major version.\n return {\n authenticated: true,\n sealedSession: authenticationResponse.sealedSession,\n session: authenticationResponse as AuthenticationResponse,\n authenticationMethod: authenticationResponse.authenticationMethod,\n sessionId,\n organizationId,\n role,\n roles,\n permissions,\n entitlements,\n featureFlags,\n user: session.user,\n impersonator: session.impersonator,\n };\n } catch (error) {\n if (\n error instanceof OauthException &&\n // TODO: Add additional known errors and remove re-throw\n (error.error === RefreshSessionFailureReason.INVALID_GRANT \|\|\n error.error === RefreshSessionFailureReason.MFA_ENROLLMENT \|\|\n error.error === RefreshSessionFailureReason.SSO_REQUIRED)\n ) {\n return {\n authenticated: false,\n reason: error.error,\n };\n }\n\n throw error;\n }\n }\n\n /\n Gets the URL to redirect the user to for logging out.\n \n @returns The URL to redirect the user to for logging out.\n */\n async getLogoutUrl({\n returnTo,\n }: { returnTo?: string } = {}): Promise<string> {\n const authenticationResponse = await this.authenticate();\n\n if (!authenticationResponse.authenticated) {\n const { reason } = authenticationResponse;\n throw new Error(`Failed to extract session ID for logout URL: ${reason}`);\n }\n\n return this.userManagement.getLogoutUrl({\n sessionId: authenticationResponse.sessionId,\n returnTo,\n });\n }\n\n private async isValidJwt(accessToken: string): Promise<boolean> {\n const { jwtVerify } = await getJose();\n const jwks = await this.userManagement.getJWKS();\n if (!jwks) {\n throw new Error(\n 'Missing client ID. Did you provide it when initializing WorkOS?',\n );\n }\n\n try {\n await jwtVerify(accessToken, jwks);\n return true;\n } catch (e) {\n // Only treat as invalid JWT if it's an actual JWT/JWS error from jose\n // Network errors, crypto failures, etc. should propagate\n if (\n e instanceof Error &&\n 'code' in e &&\n typeof e.code === 'string' &&\n (e.code.startsWith('ERR_JWT_') \|\| e.code.startsWith('ERR_JWS_'))\n ) {\n return false;\n }\n throw e;\n }\n }\n}\n"],"mappings":";;;;;;;AAoBA,IAAa,gBAAb,MAA2B;CACzB,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YACE,gBACA,aACA,gBACA;AACA,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,6BAA6B;AAG/C,OAAK,iBAAiB;AACtB,OAAK,iBAAiB;AACtB,OAAK,cAAc;;;;;;;CAQrB,MAAM,eAGJ;AACA,MAAI,CAAC,KAAK,YACR,QAAO;GACL,eAAe;GACf,QACEA,yHAA2C;GAC9C;EAKH,MAAM,UAAU,MAAMC,sCAA8B,KAAK,aAAa,EACpE,UAAU,KAAK,gBAChB,CAAC;AAEF,MAAI,CAAC,QAAQ,YACX,QAAO;GACL,eAAe;GACf,QACED,yHAA2C;GAC9C;AAGH,MAAI,CAAE,MAAM,KAAK,WAAW,QAAQ,YAAY,CAC9C,QAAO;GACL,eAAe;GACf,QAAQA,yHAA2C;GACpD;EAGH,MAAM,EAAE,cAAc,MAAME,4BAAS;EAErC,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,QAAQ,YAAY;AAE/C,SAAO;GACL,eAAe;GACf;GACA;GACA;GACA;GACA;GACA;GACA;GACA,MAAM,QAAQ;GACd,sBAAsB,QAAQ;GAC9B,cAAc,QAAQ;GACtB,aAAa,QAAQ;GACtB;;;;;;;;;;CAWH,MAAM,QAAQ,UAA0B,EAAE,EAAmC;EAC3E,MAAM,EAAE,cAAc,MAAMA,4BAAS;EACrC,MAAM,UAAU,MAAMD,sCAA8B,KAAK,aAAa,EACpE,UAAU,KAAK,gBAChB,CAAC;AAEF,MAAI,CAAC,QAAQ,gBAAgB,CAAC,QAAQ,KACpC,QAAO;GACL,eAAe;GACf,QAAQE,uGAA4B;GACrC;EAGH,MAAM,EAAE,QAAQ,kCAAkC,UAChD,QAAQ,YACT;AAED,MAAI;GACF,MAAM,iBAAiB,QAAQ,kBAAkB,KAAK;GAEtD,MAAM,yBACJ,MAAM,KAAK,eAAe,6BAA6B;IACrD,UAAU,KAAK,eAAe;IAC9B,cAAc,QAAQ;IACtB,gBACE,QAAQ,kBAAkB;IAC5B,SAAS;KAEP,aAAa;KACb;KACD;IACF,CAAC;AAGJ,OAAI,QAAQ,eACV,MAAK,iBAAiB,QAAQ;AAGhC,QAAK,cAAc,uBAAuB;GAE1C,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,uBAAuB,YAAY;AAI9D,UAAO;IACL,eAAe;IACf,eAAe,uBAAuB;IACtC,SAAS;IACT,sBAAsB,uBAAuB;IAC7C;IACA;IACA;IACA;IACA;IACA;IACA;IACA,MAAM,QAAQ;IACd,cAAc,QAAQ;IACvB;WACM,OAAO;AACd,OACE,iBAAiBC,6DAEhB,MAAM,UAAUD,uGAA4B,iBAC3C,MAAM,UAAUA,uGAA4B,kBAC5C,MAAM,UAAUA,uGAA4B,cAE9C,QAAO;IACL,eAAe;IACf,QAAQ,MAAM;IACf;AAGH,SAAM;;;;;;;;CASV,MAAM,aAAa,EACjB,aACyB,EAAE,EAAmB;EAC9C,MAAM,yBAAyB,MAAM,KAAK,cAAc;AAExD,MAAI,CAAC,uBAAuB,eAAe;GACzC,MAAM,EAAE,WAAW;AACnB,SAAM,IAAI,MAAM,gDAAgD,SAAS;;AAG3E,SAAO,KAAK,eAAe,aAAa;GACtC,WAAW,uBAAuB;GAClC;GACD,CAAC;;CAGJ,MAAc,WAAW,aAAuC;EAC9D,MAAM,EAAE,cAAc,MAAMD,4BAAS;EACrC,MAAM,OAAO,MAAM,KAAK,eAAe,SAAS;AAChD,MAAI,CAAC,KACH,OAAM,IAAI,MACR,kEACD;AAGH,MAAI;AACF,SAAM,UAAU,aAAa,KAAK;AAClC,UAAO;WACA,GAAG;AAGV,OACE,aAAa,SACb,UAAU,KACV,OAAO,EAAE,SAAS,aACjB,EAAE,KAAK,WAAW,WAAW,IAAI,EAAE,KAAK,WAAW,WAAW,EAE/D,QAAO;AAET,SAAM"}

package/lib/user-management/session.js CHANGED Viewed

@@ -25,15 +25,7 @@ var CookieSession = class {
 			authenticated: false,
 			reason: AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED
 		};
-		let session;
-		try {
-			session = await unsealData(this.sessionData, { password: this.cookiePassword });
-		} catch (e) {
-			return {
-				authenticated: false,
-				reason: AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE
-			};
-		}
+		const session = await unsealData(this.sessionData, { password: this.cookiePassword });
 		if (!session.accessToken) return {
 			authenticated: false,
 			reason: AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE
@@ -136,7 +128,8 @@ var CookieSession = class {
 			await jwtVerify(accessToken, jwks);
 			return true;
 		} catch (e) {
-			return false;
+			if (e instanceof Error && "code" in e && typeof e.code === "string" && (e.code.startsWith("ERR_JWT_") || e.code.startsWith("ERR_JWS_"))) return false;
+			throw e;
 		}
 	}
 };

package/lib/user-management/session.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"session.js","names":[~~"session: SessionCookieData"~~],"sources":["../../src/user-management/session.ts"],"sourcesContent":["import { OauthException } from '../common/exceptions/oauth.exception';\nimport {\n AccessToken,\n AuthenticateWithSessionCookieFailedResponse,\n AuthenticateWithSessionCookieFailureReason,\n AuthenticateWithSessionCookieSuccessResponse,\n AuthenticationResponse,\n RefreshSessionFailureReason,\n RefreshSessionResponse,\n SessionCookieData,\n} from './interfaces';\nimport { UserManagement } from './user-management';\nimport { unsealData } from '../common/crypto/seal';\nimport { getJose } from '../utils/jose';\n\ntype RefreshOptions = {\n cookiePassword?: string;\n organizationId?: string;\n};\n\nexport class CookieSession {\n private userManagement: UserManagement;\n private cookiePassword: string;\n private sessionData: string;\n\n constructor(\n userManagement: UserManagement,\n sessionData: string,\n cookiePassword: string,\n ) {\n if (!cookiePassword) {\n throw new Error('cookiePassword is required');\n }\n\n this.userManagement = userManagement;\n this.cookiePassword = cookiePassword;\n this.sessionData = sessionData;\n }\n\n /*\n Authenticates a user with a session cookie.\n \n @returns An object indicating whether the authentication was successful or not. If successful, it will include the user's session data.\n /\n async authenticate(): Promise<\n \| AuthenticateWithSessionCookieSuccessResponse\n \| AuthenticateWithSessionCookieFailedResponse\n > {\n if (!this.sessionData) {\n return {\n authenticated: false,\n reason:\n AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED,\n };\n }\n\n ~~let~~ ~~session:~~ ~~SessionCookieData;\n~~\n ~~try~~ {\n session = await unsealData<SessionCookieData>(this.sessionData, {\n password: this.cookiePassword,\n ~~});\n~~ } ~~catch (e~~) ~~{\n return {\n authenticated: false,\n reason:\n AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n }~~;\n }\n\n if (!session.accessToken) {\n return {\n authenticated: false,\n reason:\n AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n };\n }\n\n if (!(await this.isValidJwt(session.accessToken))) {\n return {\n authenticated: false,\n reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT,\n };\n }\n\n const { decodeJwt } = await getJose();\n\n const {\n sid: sessionId,\n org_id: organizationId,\n role,\n roles,\n permissions,\n entitlements,\n feature_flags: featureFlags,\n } = decodeJwt<AccessToken>(session.accessToken);\n\n return {\n authenticated: true,\n sessionId,\n organizationId,\n role,\n roles,\n permissions,\n entitlements,\n featureFlags,\n user: session.user,\n authenticationMethod: session.authenticationMethod,\n impersonator: session.impersonator,\n accessToken: session.accessToken,\n };\n }\n\n /\n Refreshes the user's session.\n \n @param options - Optional options for refreshing the session.\n * @param options.cookiePassword - The password to use for the new session cookie.\n * @param options.organizationId - The organization ID to use for the new session cookie.\n * @returns An object indicating whether the refresh was successful or not. If successful, it will include the new sealed session data.\n /\n async refresh(options: RefreshOptions = {}): Promise<RefreshSessionResponse> {\n const { decodeJwt } = await getJose();\n const session = await unsealData<SessionCookieData>(this.sessionData, {\n password: this.cookiePassword,\n });\n\n if (!session.refreshToken \|\| !session.user) {\n return {\n authenticated: false,\n reason: RefreshSessionFailureReason.INVALID_SESSION_COOKIE,\n };\n }\n\n const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(\n session.accessToken,\n );\n\n try {\n const cookiePassword = options.cookiePassword ?? this.cookiePassword;\n\n const authenticationResponse =\n await this.userManagement.authenticateWithRefreshToken({\n clientId: this.userManagement.clientId as string,\n refreshToken: session.refreshToken,\n organizationId:\n options.organizationId ?? organizationIdFromAccessToken,\n session: {\n // We want to store the new sealed session in this class instance, so this always needs to be true\n sealSession: true,\n cookiePassword,\n },\n });\n\n // Update the password if a new one was provided\n if (options.cookiePassword) {\n this.cookiePassword = options.cookiePassword;\n }\n\n this.sessionData = authenticationResponse.sealedSession as string;\n\n const {\n sid: sessionId,\n org_id: organizationId,\n role,\n roles,\n permissions,\n entitlements,\n feature_flags: featureFlags,\n } = decodeJwt<AccessToken>(authenticationResponse.accessToken);\n\n // TODO: Returning `session` here means there's some duplicated data.\n // Slim down the return type in a future major version.\n return {\n authenticated: true,\n sealedSession: authenticationResponse.sealedSession,\n session: authenticationResponse as AuthenticationResponse,\n authenticationMethod: authenticationResponse.authenticationMethod,\n sessionId,\n organizationId,\n role,\n roles,\n permissions,\n entitlements,\n featureFlags,\n user: session.user,\n impersonator: session.impersonator,\n };\n } catch (error) {\n if (\n error instanceof OauthException &&\n // TODO: Add additional known errors and remove re-throw\n (error.error === RefreshSessionFailureReason.INVALID_GRANT \|\|\n error.error === RefreshSessionFailureReason.MFA_ENROLLMENT \|\|\n error.error === RefreshSessionFailureReason.SSO_REQUIRED)\n ) {\n return {\n authenticated: false,\n reason: error.error,\n };\n }\n\n throw error;\n }\n }\n\n /\n Gets the URL to redirect the user to for logging out.\n \n @returns The URL to redirect the user to for logging out.\n */\n async getLogoutUrl({\n returnTo,\n }: { returnTo?: string } = {}): Promise<string> {\n const authenticationResponse = await this.authenticate();\n\n if (!authenticationResponse.authenticated) {\n const { reason } = authenticationResponse;\n throw new Error(`Failed to extract session ID for logout URL: ${reason}`);\n }\n\n return this.userManagement.getLogoutUrl({\n sessionId: authenticationResponse.sessionId,\n returnTo,\n });\n }\n\n private async isValidJwt(accessToken: string): Promise<boolean> {\n const { jwtVerify } = await getJose();\n const jwks = await this.userManagement.getJWKS();\n if (!jwks) {\n throw new Error(\n 'Missing client ID. Did you provide it when initializing WorkOS?',\n );\n }\n\n try {\n await jwtVerify(accessToken, jwks);\n return true;\n } catch (e) {\n return false;\n }\n }\n}\n"],"mappings":";;;;;;;AAoBA,IAAa,gBAAb,MAA2B;CACzB,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YACE,gBACA,aACA,gBACA;AACA,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,6BAA6B;AAG/C,OAAK,iBAAiB;AACtB,OAAK,iBAAiB;AACtB,OAAK,cAAc;;;;;;;CAQrB,MAAM,eAGJ;AACA,MAAI,CAAC,KAAK,YACR,QAAO;GACL,eAAe;GACf,QACE,2CAA2C;GAC9C;~~EAGH~~,~~IAAIA;AAEJ~~,~~MAAI;AACF~~,~~aAAU,~~MAAM,WAA8B,KAAK,aAAa,~~EAC9D~~,UAAU,KAAK,gBAChB,CAAC;~~WACK~~,~~GAAG;AACV,UAAO;IACL,eAAe;IACf,QACE,2CAA2C;IAC9C;;AAGH,~~MAAI,CAAC,QAAQ,YACX,QAAO;GACL,eAAe;GACf,QACE,2CAA2C;GAC9C;AAGH,MAAI,CAAE,MAAM,KAAK,WAAW,QAAQ,YAAY,CAC9C,QAAO;GACL,eAAe;GACf,QAAQ,2CAA2C;GACpD;EAGH,MAAM,EAAE,cAAc,MAAM,SAAS;EAErC,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,QAAQ,YAAY;AAE/C,SAAO;GACL,eAAe;GACf;GACA;GACA;GACA;GACA;GACA;GACA;GACA,MAAM,QAAQ;GACd,sBAAsB,QAAQ;GAC9B,cAAc,QAAQ;GACtB,aAAa,QAAQ;GACtB;;;;;;;;;;CAWH,MAAM,QAAQ,UAA0B,EAAE,EAAmC;EAC3E,MAAM,EAAE,cAAc,MAAM,SAAS;EACrC,MAAM,UAAU,MAAM,WAA8B,KAAK,aAAa,EACpE,UAAU,KAAK,gBAChB,CAAC;AAEF,MAAI,CAAC,QAAQ,gBAAgB,CAAC,QAAQ,KACpC,QAAO;GACL,eAAe;GACf,QAAQ,4BAA4B;GACrC;EAGH,MAAM,EAAE,QAAQ,kCAAkC,UAChD,QAAQ,YACT;AAED,MAAI;GACF,MAAM,iBAAiB,QAAQ,kBAAkB,KAAK;GAEtD,MAAM,yBACJ,MAAM,KAAK,eAAe,6BAA6B;IACrD,UAAU,KAAK,eAAe;IAC9B,cAAc,QAAQ;IACtB,gBACE,QAAQ,kBAAkB;IAC5B,SAAS;KAEP,aAAa;KACb;KACD;IACF,CAAC;AAGJ,OAAI,QAAQ,eACV,MAAK,iBAAiB,QAAQ;AAGhC,QAAK,cAAc,uBAAuB;GAE1C,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,uBAAuB,YAAY;AAI9D,UAAO;IACL,eAAe;IACf,eAAe,uBAAuB;IACtC,SAAS;IACT,sBAAsB,uBAAuB;IAC7C;IACA;IACA;IACA;IACA;IACA;IACA;IACA,MAAM,QAAQ;IACd,cAAc,QAAQ;IACvB;WACM,OAAO;AACd,OACE,iBAAiB,mBAEhB,MAAM,UAAU,4BAA4B,iBAC3C,MAAM,UAAU,4BAA4B,kBAC5C,MAAM,UAAU,4BAA4B,cAE9C,QAAO;IACL,eAAe;IACf,QAAQ,MAAM;IACf;AAGH,SAAM;;;;;;;;CASV,MAAM,aAAa,EACjB,aACyB,EAAE,EAAmB;EAC9C,MAAM,yBAAyB,MAAM,KAAK,cAAc;AAExD,MAAI,CAAC,uBAAuB,eAAe;GACzC,MAAM,EAAE,WAAW;AACnB,SAAM,IAAI,MAAM,gDAAgD,SAAS;;AAG3E,SAAO,KAAK,eAAe,aAAa;GACtC,WAAW,uBAAuB;GAClC;GACD,CAAC;;CAGJ,MAAc,WAAW,aAAuC;EAC9D,MAAM,EAAE,cAAc,MAAM,SAAS;EACrC,MAAM,OAAO,MAAM,KAAK,eAAe,SAAS;AAChD,MAAI,CAAC,KACH,OAAM,IAAI,MACR,kEACD;AAGH,MAAI;AACF,SAAM,UAAU,aAAa,KAAK;AAClC,UAAO;WACA,GAAG;~~AACV~~,~~UAAO~~"}
1	+ {"version":3,"file":"session.js","names":[],"sources":["../../src/user-management/session.ts"],"sourcesContent":["import { OauthException } from '../common/exceptions/oauth.exception';\nimport {\n AccessToken,\n AuthenticateWithSessionCookieFailedResponse,\n AuthenticateWithSessionCookieFailureReason,\n AuthenticateWithSessionCookieSuccessResponse,\n AuthenticationResponse,\n RefreshSessionFailureReason,\n RefreshSessionResponse,\n SessionCookieData,\n} from './interfaces';\nimport { UserManagement } from './user-management';\nimport { unsealData } from '../common/crypto/seal';\nimport { getJose } from '../utils/jose';\n\ntype RefreshOptions = {\n cookiePassword?: string;\n organizationId?: string;\n};\n\nexport class CookieSession {\n private userManagement: UserManagement;\n private cookiePassword: string;\n private sessionData: string;\n\n constructor(\n userManagement: UserManagement,\n sessionData: string,\n cookiePassword: string,\n ) {\n if (!cookiePassword) {\n throw new Error('cookiePassword is required');\n }\n\n this.userManagement = userManagement;\n this.cookiePassword = cookiePassword;\n this.sessionData = sessionData;\n }\n\n /*\n Authenticates a user with a session cookie.\n \n @returns An object indicating whether the authentication was successful or not. If successful, it will include the user's session data.\n /\n async authenticate(): Promise<\n \| AuthenticateWithSessionCookieSuccessResponse\n \| AuthenticateWithSessionCookieFailedResponse\n > {\n if (!this.sessionData) {\n return {\n authenticated: false,\n reason:\n AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED,\n };\n }\n\n // unsealData returns {} for known seal errors (expired, bad hmac, etc.)\n // Unknown errors propagate - don't catch them as \"invalid session\"\n const session = await unsealData<SessionCookieData>(this.sessionData, {\n password: this.cookiePassword,\n });\n\n if (!session.accessToken) {\n return {\n authenticated: false,\n reason:\n AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n };\n }\n\n if (!(await this.isValidJwt(session.accessToken))) {\n return {\n authenticated: false,\n reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT,\n };\n }\n\n const { decodeJwt } = await getJose();\n\n const {\n sid: sessionId,\n org_id: organizationId,\n role,\n roles,\n permissions,\n entitlements,\n feature_flags: featureFlags,\n } = decodeJwt<AccessToken>(session.accessToken);\n\n return {\n authenticated: true,\n sessionId,\n organizationId,\n role,\n roles,\n permissions,\n entitlements,\n featureFlags,\n user: session.user,\n authenticationMethod: session.authenticationMethod,\n impersonator: session.impersonator,\n accessToken: session.accessToken,\n };\n }\n\n /\n Refreshes the user's session.\n \n @param options - Optional options for refreshing the session.\n * @param options.cookiePassword - The password to use for the new session cookie.\n * @param options.organizationId - The organization ID to use for the new session cookie.\n * @returns An object indicating whether the refresh was successful or not. If successful, it will include the new sealed session data.\n /\n async refresh(options: RefreshOptions = {}): Promise<RefreshSessionResponse> {\n const { decodeJwt } = await getJose();\n const session = await unsealData<SessionCookieData>(this.sessionData, {\n password: this.cookiePassword,\n });\n\n if (!session.refreshToken \|\| !session.user) {\n return {\n authenticated: false,\n reason: RefreshSessionFailureReason.INVALID_SESSION_COOKIE,\n };\n }\n\n const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(\n session.accessToken,\n );\n\n try {\n const cookiePassword = options.cookiePassword ?? this.cookiePassword;\n\n const authenticationResponse =\n await this.userManagement.authenticateWithRefreshToken({\n clientId: this.userManagement.clientId as string,\n refreshToken: session.refreshToken,\n organizationId:\n options.organizationId ?? organizationIdFromAccessToken,\n session: {\n // We want to store the new sealed session in this class instance, so this always needs to be true\n sealSession: true,\n cookiePassword,\n },\n });\n\n // Update the password if a new one was provided\n if (options.cookiePassword) {\n this.cookiePassword = options.cookiePassword;\n }\n\n this.sessionData = authenticationResponse.sealedSession as string;\n\n const {\n sid: sessionId,\n org_id: organizationId,\n role,\n roles,\n permissions,\n entitlements,\n feature_flags: featureFlags,\n } = decodeJwt<AccessToken>(authenticationResponse.accessToken);\n\n // TODO: Returning `session` here means there's some duplicated data.\n // Slim down the return type in a future major version.\n return {\n authenticated: true,\n sealedSession: authenticationResponse.sealedSession,\n session: authenticationResponse as AuthenticationResponse,\n authenticationMethod: authenticationResponse.authenticationMethod,\n sessionId,\n organizationId,\n role,\n roles,\n permissions,\n entitlements,\n featureFlags,\n user: session.user,\n impersonator: session.impersonator,\n };\n } catch (error) {\n if (\n error instanceof OauthException &&\n // TODO: Add additional known errors and remove re-throw\n (error.error === RefreshSessionFailureReason.INVALID_GRANT \|\|\n error.error === RefreshSessionFailureReason.MFA_ENROLLMENT \|\|\n error.error === RefreshSessionFailureReason.SSO_REQUIRED)\n ) {\n return {\n authenticated: false,\n reason: error.error,\n };\n }\n\n throw error;\n }\n }\n\n /\n Gets the URL to redirect the user to for logging out.\n \n @returns The URL to redirect the user to for logging out.\n */\n async getLogoutUrl({\n returnTo,\n }: { returnTo?: string } = {}): Promise<string> {\n const authenticationResponse = await this.authenticate();\n\n if (!authenticationResponse.authenticated) {\n const { reason } = authenticationResponse;\n throw new Error(`Failed to extract session ID for logout URL: ${reason}`);\n }\n\n return this.userManagement.getLogoutUrl({\n sessionId: authenticationResponse.sessionId,\n returnTo,\n });\n }\n\n private async isValidJwt(accessToken: string): Promise<boolean> {\n const { jwtVerify } = await getJose();\n const jwks = await this.userManagement.getJWKS();\n if (!jwks) {\n throw new Error(\n 'Missing client ID. Did you provide it when initializing WorkOS?',\n );\n }\n\n try {\n await jwtVerify(accessToken, jwks);\n return true;\n } catch (e) {\n // Only treat as invalid JWT if it's an actual JWT/JWS error from jose\n // Network errors, crypto failures, etc. should propagate\n if (\n e instanceof Error &&\n 'code' in e &&\n typeof e.code === 'string' &&\n (e.code.startsWith('ERR_JWT_') \|\| e.code.startsWith('ERR_JWS_'))\n ) {\n return false;\n }\n throw e;\n }\n }\n}\n"],"mappings":";;;;;;;AAoBA,IAAa,gBAAb,MAA2B;CACzB,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YACE,gBACA,aACA,gBACA;AACA,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,6BAA6B;AAG/C,OAAK,iBAAiB;AACtB,OAAK,iBAAiB;AACtB,OAAK,cAAc;;;;;;;CAQrB,MAAM,eAGJ;AACA,MAAI,CAAC,KAAK,YACR,QAAO;GACL,eAAe;GACf,QACE,2CAA2C;GAC9C;EAKH,MAAM,UAAU,MAAM,WAA8B,KAAK,aAAa,EACpE,UAAU,KAAK,gBAChB,CAAC;AAEF,MAAI,CAAC,QAAQ,YACX,QAAO;GACL,eAAe;GACf,QACE,2CAA2C;GAC9C;AAGH,MAAI,CAAE,MAAM,KAAK,WAAW,QAAQ,YAAY,CAC9C,QAAO;GACL,eAAe;GACf,QAAQ,2CAA2C;GACpD;EAGH,MAAM,EAAE,cAAc,MAAM,SAAS;EAErC,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,QAAQ,YAAY;AAE/C,SAAO;GACL,eAAe;GACf;GACA;GACA;GACA;GACA;GACA;GACA;GACA,MAAM,QAAQ;GACd,sBAAsB,QAAQ;GAC9B,cAAc,QAAQ;GACtB,aAAa,QAAQ;GACtB;;;;;;;;;;CAWH,MAAM,QAAQ,UAA0B,EAAE,EAAmC;EAC3E,MAAM,EAAE,cAAc,MAAM,SAAS;EACrC,MAAM,UAAU,MAAM,WAA8B,KAAK,aAAa,EACpE,UAAU,KAAK,gBAChB,CAAC;AAEF,MAAI,CAAC,QAAQ,gBAAgB,CAAC,QAAQ,KACpC,QAAO;GACL,eAAe;GACf,QAAQ,4BAA4B;GACrC;EAGH,MAAM,EAAE,QAAQ,kCAAkC,UAChD,QAAQ,YACT;AAED,MAAI;GACF,MAAM,iBAAiB,QAAQ,kBAAkB,KAAK;GAEtD,MAAM,yBACJ,MAAM,KAAK,eAAe,6BAA6B;IACrD,UAAU,KAAK,eAAe;IAC9B,cAAc,QAAQ;IACtB,gBACE,QAAQ,kBAAkB;IAC5B,SAAS;KAEP,aAAa;KACb;KACD;IACF,CAAC;AAGJ,OAAI,QAAQ,eACV,MAAK,iBAAiB,QAAQ;AAGhC,QAAK,cAAc,uBAAuB;GAE1C,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,uBAAuB,YAAY;AAI9D,UAAO;IACL,eAAe;IACf,eAAe,uBAAuB;IACtC,SAAS;IACT,sBAAsB,uBAAuB;IAC7C;IACA;IACA;IACA;IACA;IACA;IACA;IACA,MAAM,QAAQ;IACd,cAAc,QAAQ;IACvB;WACM,OAAO;AACd,OACE,iBAAiB,mBAEhB,MAAM,UAAU,4BAA4B,iBAC3C,MAAM,UAAU,4BAA4B,kBAC5C,MAAM,UAAU,4BAA4B,cAE9C,QAAO;IACL,eAAe;IACf,QAAQ,MAAM;IACf;AAGH,SAAM;;;;;;;;CASV,MAAM,aAAa,EACjB,aACyB,EAAE,EAAmB;EAC9C,MAAM,yBAAyB,MAAM,KAAK,cAAc;AAExD,MAAI,CAAC,uBAAuB,eAAe;GACzC,MAAM,EAAE,WAAW;AACnB,SAAM,IAAI,MAAM,gDAAgD,SAAS;;AAG3E,SAAO,KAAK,eAAe,aAAa;GACtC,WAAW,uBAAuB;GAClC;GACD,CAAC;;CAGJ,MAAc,WAAW,aAAuC;EAC9D,MAAM,EAAE,cAAc,MAAM,SAAS;EACrC,MAAM,OAAO,MAAM,KAAK,eAAe,SAAS;AAChD,MAAI,CAAC,KACH,OAAM,IAAI,MACR,kEACD;AAGH,MAAI;AACF,SAAM,UAAU,aAAa,KAAK;AAClC,UAAO;WACA,GAAG;AAGV,OACE,aAAa,SACb,UAAU,KACV,OAAO,EAAE,SAAS,aACjB,EAAE,KAAK,WAAW,WAAW,IAAI,EAAE,KAAK,WAAW,WAAW,EAE/D,QAAO;AAET,SAAM"}

package/lib/user-management/user-management.cjs CHANGED Viewed

@@ -1,9 +1,10 @@
-const require_client_user_management = require('../client/user-management.cjs');
+const require_common_utils_pagination = require('../common/utils/pagination.cjs');
 const require_user_management_serializers_authenticate_with_code_options_serializer = require('./serializers/authenticate-with-code-options.serializer.cjs');
 const require_user_management_serializers_authenticate_with_code_and_verifier_options_serializer = require('./serializers/authenticate-with-code-and-verifier-options.serializer.cjs');
 const require_user_management_serializers_authenticate_with_magic_auth_options_serializer = require('./serializers/authenticate-with-magic-auth-options.serializer.cjs');
 const require_user_management_serializers_authenticate_with_password_options_serializer = require('./serializers/authenticate-with-password-options.serializer.cjs');
 const require_user_management_serializers_authenticate_with_refresh_token_options_serializer = require('./serializers/authenticate-with-refresh-token.options.serializer.cjs');
+const require_user_management_serializers_authenticate_with_refresh_token_public_client_options_serializer = require('./serializers/authenticate-with-refresh-token-public-client-options.serializer.cjs');
 const require_user_management_serializers_authenticate_with_totp_options_serializer = require('./serializers/authenticate-with-totp-options.serializer.cjs');
 const require_user_management_serializers_user_serializer = require('./serializers/user.serializer.cjs');
 const require_user_management_serializers_authentication_response_serializer = require('./serializers/authentication-response.serializer.cjs');
@@ -21,9 +22,9 @@ const require_user_management_serializers_session_serializer = require('./serial
 const require_user_management_serializers_create_user_options_serializer = require('./serializers/create-user-options.serializer.cjs');
 const require_user_management_serializers_update_user_options_serializer = require('./serializers/update-user-options.serializer.cjs');
 const require_user_management_serializers_organization_membership_serializer = require('./serializers/organization-membership.serializer.cjs');
-const require_common_utils_pagination = require('../common/utils/pagination.cjs');
 const require_common_utils_fetch_and_deserialize = require('../common/utils/fetch-and-deserialize.cjs');
 const require_feature_flags_serializers_feature_flag_serializer = require('../feature-flags/serializers/feature-flag.serializer.cjs');
+const require_common_utils_query_string = require('../common/utils/query-string.cjs');
 const require_mfa_serializers_challenge_serializer = require('../mfa/serializers/challenge.serializer.cjs');
 const require_common_crypto_seal = require('../common/crypto/seal.cjs');
 const require_common_utils_env = require('../common/utils/env.cjs');
@@ -50,6 +51,15 @@ var UserManagement = class {
 		const { clientId } = workos.options;
 		this.clientId = clientId;
 	}
+	/**
+	* Resolve clientId from method options or fall back to constructor-provided value.
+	* @throws TypeError if clientId is not available from either source
+	*/
+	resolveClientId(clientId) {
+		const resolved = clientId ?? this.clientId;
+		if (!resolved) throw new TypeError("clientId is required. Provide it in method options or when initializing WorkOS.");
+		return resolved;
+	}
 	async getJWKS() {
 		const { createRemoteJWKSet } = await require_utils_jose.getJose();
 		if (!this.clientId) return;
@@ -83,9 +93,11 @@ var UserManagement = class {
 		return require_user_management_serializers_user_serializer.deserializeUser(data);
 	}
 	async authenticateWithMagicAuth(payload) {
-		const { session, ...remainingPayload } = payload;
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
 		const { data } = await this.workos.post("/user_management/authenticate", require_user_management_serializers_authenticate_with_magic_auth_options_serializer.serializeAuthenticateWithMagicAuthOptions({
 			...remainingPayload,
+			clientId: resolvedClientId,
 			clientSecret: this.workos.key
 		}));
 		return this.prepareAuthenticationResponse({
@@ -94,9 +106,11 @@ var UserManagement = class {
 		});
 	}
 	async authenticateWithPassword(payload) {
-		const { session, ...remainingPayload } = payload;
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
 		const { data } = await this.workos.post("/user_management/authenticate", require_user_management_serializers_authenticate_with_password_options_serializer.serializeAuthenticateWithPasswordOptions({
 			...remainingPayload,
+			clientId: resolvedClientId,
 			clientSecret: this.workos.key
 		}));
 		return this.prepareAuthenticationResponse({
@@ -104,40 +118,86 @@ var UserManagement = class {
 			session
 		});
 	}
+	/**
+	* Exchange an authorization code for tokens.
+	*
+	* Auto-detects public vs confidential client mode:
+	* - If codeVerifier is provided: Uses PKCE flow (public client)
+	* - If no codeVerifier: Uses client_secret from API key (confidential client)
+	* - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)
+	*
+	* Using PKCE with confidential clients is recommended by OAuth 2.1 for defense
+	* in depth and provides additional CSRF protection on the authorization flow.
+	*
+	* @throws Error if neither codeVerifier nor API key is available
+	*/
 	async authenticateWithCode(payload) {
-		const { session, ...remainingPayload } = payload;
+		const { session, clientId, codeVerifier, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
+		if (codeVerifier !== void 0 && codeVerifier.trim() === "") throw new TypeError("codeVerifier cannot be an empty string. Generate a valid PKCE pair using workos.pkce.generate().");
+		const hasApiKey = !!this.workos.key;
+		if (!!!codeVerifier && !hasApiKey) throw new TypeError("authenticateWithCode requires either a codeVerifier (for public clients) or an API key configured on the WorkOS instance (for confidential clients).");
 		const { data } = await this.workos.post("/user_management/authenticate", require_user_management_serializers_authenticate_with_code_options_serializer.serializeAuthenticateWithCodeOptions({
 			...remainingPayload,
-			clientSecret: this.workos.key
-		}));
+			clientId: resolvedClientId,
+			codeVerifier,
+			clientSecret: hasApiKey ? this.workos.key : void 0
+		}), { skipApiKeyCheck: !hasApiKey });
 		return this.prepareAuthenticationResponse({
 			authenticationResponse: require_user_management_serializers_authentication_response_serializer.deserializeAuthenticationResponse(data),
 			session
 		});
 	}
+	/**
+	* Exchange an authorization code for tokens using PKCE (public client flow).
+	* Use this instead of authenticateWithCode() when the client cannot securely
+	* store a client_secret (browser, mobile, CLI, desktop apps).
+	*
+	* @param payload.clientId - Your WorkOS client ID
+	* @param payload.code - The authorization code from the OAuth callback
+	* @param payload.codeVerifier - The PKCE code verifier used to generate the code challenge
+	*/
 	async authenticateWithCodeAndVerifier(payload) {
-		const { session, ...remainingPayload } = payload;
-		const { data } = await this.workos.post("/user_management/authenticate", require_user_management_serializers_authenticate_with_code_and_verifier_options_serializer.serializeAuthenticateWithCodeAndVerifierOptions(remainingPayload));
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
+		const { data } = await this.workos.post("/user_management/authenticate", require_user_management_serializers_authenticate_with_code_and_verifier_options_serializer.serializeAuthenticateWithCodeAndVerifierOptions({
+			...remainingPayload,
+			clientId: resolvedClientId
+		}), { skipApiKeyCheck: true });
 		return this.prepareAuthenticationResponse({
 			authenticationResponse: require_user_management_serializers_authentication_response_serializer.deserializeAuthenticationResponse(data),
 			session
 		});
 	}
+	/**
+	* Refresh an access token using a refresh token.
+	* Automatically detects public client mode - if no API key is configured,
+	* omits client_secret from the request.
+	*/
 	async authenticateWithRefreshToken(payload) {
-		const { session, ...remainingPayload } = payload;
-		const { data } = await this.workos.post("/user_management/authenticate", require_user_management_serializers_authenticate_with_refresh_token_options_serializer.serializeAuthenticateWithRefreshTokenOptions({
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
+		const isPublicClient = !this.workos.key;
+		const body = isPublicClient ? require_user_management_serializers_authenticate_with_refresh_token_public_client_options_serializer.serializeAuthenticateWithRefreshTokenPublicClientOptions({
+			...remainingPayload,
+			clientId: resolvedClientId
+		}) : require_user_management_serializers_authenticate_with_refresh_token_options_serializer.serializeAuthenticateWithRefreshTokenOptions({
 			...remainingPayload,
+			clientId: resolvedClientId,
 			clientSecret: this.workos.key
-		}));
+		});
+		const { data } = await this.workos.post("/user_management/authenticate", body, { skipApiKeyCheck: isPublicClient });
 		return this.prepareAuthenticationResponse({
 			authenticationResponse: require_user_management_serializers_authentication_response_serializer.deserializeAuthenticationResponse(data),
 			session
 		});
 	}
 	async authenticateWithTotp(payload) {
-		const { session, ...remainingPayload } = payload;
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
 		const { data } = await this.workos.post("/user_management/authenticate", require_user_management_serializers_authenticate_with_totp_options_serializer.serializeAuthenticateWithTotpOptions({
 			...remainingPayload,
+			clientId: resolvedClientId,
 			clientSecret: this.workos.key
 		}));
 		return this.prepareAuthenticationResponse({
@@ -146,9 +206,11 @@ var UserManagement = class {
 		});
 	}
 	async authenticateWithEmailVerification(payload) {
-		const { session, ...remainingPayload } = payload;
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
 		const { data } = await this.workos.post("/user_management/authenticate", require_user_management_serializers_authenticate_with_email_verification_serializer.serializeAuthenticateWithEmailVerificationOptions({
 			...remainingPayload,
+			clientId: resolvedClientId,
 			clientSecret: this.workos.key
 		}));
 		return this.prepareAuthenticationResponse({
@@ -157,9 +219,11 @@ var UserManagement = class {
 		});
 	}
 	async authenticateWithOrganizationSelection(payload) {
-		const { session, ...remainingPayload } = payload;
+		const { session, clientId, ...remainingPayload } = payload;
+		const resolvedClientId = this.resolveClientId(clientId);
 		const { data } = await this.workos.post("/user_management/authenticate", require_user_management_serializers_authenticate_with_organization_selection_options_serializer.serializeAuthenticateWithOrganizationSelectionOptions({
 			...remainingPayload,
+			clientId: resolvedClientId,
 			clientSecret: this.workos.key
 		}));
 		return this.prepareAuthenticationResponse({
@@ -207,17 +271,21 @@ var UserManagement = class {
 			await jwtVerify(accessToken, jwks);
 			return true;
 		} catch (e) {
-			return false;
+			if (e instanceof Error && "code" in e && typeof e.code === "string" && (e.code.startsWith("ERR_JWT_") || e.code.startsWith("ERR_JWS_"))) return false;
+			throw e;
 		}
 	}
 	async prepareAuthenticationResponse({ authenticationResponse, session }) {
-		if (session?.sealSession) return {
-			...authenticationResponse,
-			sealedSession: await this.sealSessionDataFromAuthenticationResponse({
-				authenticationResponse,
-				cookiePassword: session.cookiePassword
-			})
-		};
+		if (session?.sealSession) {
+			if (!this.workos.key) throw new Error("Session sealing requires server-side usage with an API key. Public clients should store tokens directly (e.g., secure storage on mobile, keychain on desktop).");
+			return {
+				...authenticationResponse,
+				sealedSession: await this.sealSessionDataFromAuthenticationResponse({
+					authenticationResponse,
+					cookiePassword: session.cookiePassword
+				})
+			};
+		}
 		return authenticationResponse;
 	}
 	async sealSessionDataFromAuthenticationResponse({ authenticationResponse, cookiePassword }) {
@@ -356,20 +424,107 @@ var UserManagement = class {
 	async revokeSession(payload) {
 		await this.workos.post("/user_management/sessions/revoke", require_user_management_interfaces_revoke_session_options_interface.serializeRevokeSessionOptions(payload));
 	}
+	/**
+	* Generate an OAuth 2.0 authorization URL.
+	*
+	* For public clients (browser, mobile, CLI), include PKCE parameters:
+	* - Generate PKCE using workos.pkce.generate()
+	* - Pass codeChallenge and codeChallengeMethod here
+	* - Store codeVerifier and pass to authenticateWithCode() later
+	*
+	* Or use getAuthorizationUrlWithPKCE() which handles PKCE automatically.
+	*/
 	getAuthorizationUrl(options) {
-		return require_client_user_management.getAuthorizationUrl({
-			...options,
-			baseURL: this.workos.baseURL
+		const { connectionId, codeChallenge, codeChallengeMethod, clientId, domainHint, loginHint, organizationId, provider, providerQueryParams, providerScopes, prompt, redirectUri, state, screenHint } = options;
+		const resolvedClientId = this.resolveClientId(clientId);
+		if (!provider && !connectionId && !organizationId) throw new TypeError(`Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`);
+		if (provider !== "authkit" && screenHint) throw new TypeError(`'screenHint' is only supported for 'authkit' provider`);
+		const query = require_common_utils_query_string.toQueryString({
+			connection_id: connectionId,
+			code_challenge: codeChallenge,
+			code_challenge_method: codeChallengeMethod,
+			organization_id: organizationId,
+			domain_hint: domainHint,
+			login_hint: loginHint,
+			provider,
+			provider_query_params: providerQueryParams,
+			provider_scopes: providerScopes,
+			prompt,
+			client_id: resolvedClientId,
+			redirect_uri: redirectUri,
+			response_type: "code",
+			state,
+			screen_hint: screenHint
 		});
+		return `${this.workos.baseURL}/user_management/authorize?${query}`;
 	}
-	getLogoutUrl(options) {
-		return require_client_user_management.getLogoutUrl({
-			...options,
-			baseURL: this.workos.baseURL
+	/**
+	* Generate an OAuth 2.0 authorization URL with automatic PKCE.
+	*
+	* This method generates PKCE parameters internally and returns them along with
+	* the authorization URL. Use this for public clients (CLI apps, Electron, mobile)
+	* that cannot securely store a client secret.
+	*
+	* @returns Object containing url, state, and codeVerifier
+	*
+	* @example
+	* ```typescript
+	* const { url, state, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({
+	*   provider: 'authkit',
+	*   clientId: 'client_123',
+	*   redirectUri: 'myapp://callback',
+	* });
+	*
+	* // Store state and codeVerifier securely, then redirect user to url
+	* // After callback, exchange the code:
+	* const response = await workos.userManagement.authenticateWithCode({
+	*   code: authorizationCode,
+	*   codeVerifier,
+	*   clientId: 'client_123',
+	* });
+	* ```
+	*/
+	async getAuthorizationUrlWithPKCE(options) {
+		const { clientId, connectionId, domainHint, loginHint, organizationId, provider, providerQueryParams, providerScopes, prompt, redirectUri, screenHint } = options;
+		const resolvedClientId = this.resolveClientId(clientId);
+		if (!provider && !connectionId && !organizationId) throw new TypeError(`Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`);
+		if (provider !== "authkit" && screenHint) throw new TypeError(`'screenHint' is only supported for 'authkit' provider`);
+		const pkce = await this.workos.pkce.generate();
+		const state = this.workos.pkce.generateCodeVerifier(43);
+		const query = require_common_utils_query_string.toQueryString({
+			connection_id: connectionId,
+			code_challenge: pkce.codeChallenge,
+			code_challenge_method: "S256",
+			organization_id: organizationId,
+			domain_hint: domainHint,
+			login_hint: loginHint,
+			provider,
+			provider_query_params: providerQueryParams,
+			provider_scopes: providerScopes,
+			prompt,
+			client_id: resolvedClientId,
+			redirect_uri: redirectUri,
+			response_type: "code",
+			state,
+			screen_hint: screenHint
 		});
+		return {
+			url: `${this.workos.baseURL}/user_management/authorize?${query}`,
+			state,
+			codeVerifier: pkce.codeVerifier
+		};
+	}
+	getLogoutUrl(options) {
+		const { sessionId, returnTo } = options;
+		if (!sessionId) throw new TypeError(`Incomplete arguments. Need to specify 'sessionId'.`);
+		const url = new URL("/user_management/sessions/logout", this.workos.baseURL);
+		url.searchParams.set("session_id", sessionId);
+		if (returnTo) url.searchParams.set("return_to", returnTo);
+		return url.toString();
 	}
 	getJwksUrl(clientId) {
-		return require_client_user_management.getJwksUrl(clientId, this.workos.baseURL);
+		if (!clientId) throw new TypeError("clientId must be a valid clientId");
+		return `${this.workos.baseURL}/sso/jwks/${clientId}`;
 	}
 };