@workos-inc/node 8.0.0-rc.6 → 8.0.0-rc.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (261) hide show
  1. package/README.md +54 -0
  2. package/lib/api-keys/api-keys.cjs +3 -0
  3. package/lib/api-keys/api-keys.cjs.map +1 -1
  4. package/lib/api-keys/api-keys.d.cts +2 -1
  5. package/lib/api-keys/api-keys.d.ts +2 -1
  6. package/lib/api-keys/api-keys.js +3 -0
  7. package/lib/api-keys/api-keys.js.map +1 -1
  8. package/lib/api-keys/interfaces/create-organization-api-key-options.interface.cjs +0 -0
  9. package/lib/api-keys/interfaces/create-organization-api-key-options.interface.d.cts +16 -0
  10. package/lib/api-keys/interfaces/create-organization-api-key-options.interface.d.ts +16 -0
  11. package/lib/api-keys/interfaces/create-organization-api-key-options.interface.js +1 -0
  12. package/lib/api-keys/interfaces/created-api-key.interface.cjs +0 -0
  13. package/lib/api-keys/interfaces/created-api-key.interface.d.cts +34 -0
  14. package/lib/api-keys/interfaces/created-api-key.interface.d.ts +34 -0
  15. package/lib/api-keys/interfaces/created-api-key.interface.js +1 -0
  16. package/lib/api-keys/interfaces/index.cjs +0 -0
  17. package/lib/api-keys/interfaces/index.d.cts +6 -0
  18. package/lib/api-keys/interfaces/index.d.ts +6 -0
  19. package/lib/api-keys/interfaces/index.js +1 -0
  20. package/lib/api-keys/interfaces/list-organization-api-keys-options.interface.cjs +0 -0
  21. package/lib/api-keys/interfaces/list-organization-api-keys-options.interface.d.cts +9 -0
  22. package/lib/api-keys/interfaces/list-organization-api-keys-options.interface.d.ts +9 -0
  23. package/lib/api-keys/interfaces/list-organization-api-keys-options.interface.js +1 -0
  24. package/lib/api-keys/serializers/create-organization-api-key-options.serializer.cjs +12 -0
  25. package/lib/api-keys/serializers/create-organization-api-key-options.serializer.cjs.map +1 -0
  26. package/lib/api-keys/serializers/create-organization-api-key-options.serializer.d.cts +7 -0
  27. package/lib/api-keys/serializers/create-organization-api-key-options.serializer.d.ts +7 -0
  28. package/lib/api-keys/serializers/create-organization-api-key-options.serializer.js +11 -0
  29. package/lib/api-keys/serializers/create-organization-api-key-options.serializer.js.map +1 -0
  30. package/lib/api-keys/serializers/created-api-key.serializer.cjs +20 -0
  31. package/lib/api-keys/serializers/created-api-key.serializer.cjs.map +1 -0
  32. package/lib/api-keys/serializers/created-api-key.serializer.d.cts +7 -0
  33. package/lib/api-keys/serializers/created-api-key.serializer.d.ts +7 -0
  34. package/lib/api-keys/serializers/created-api-key.serializer.js +19 -0
  35. package/lib/api-keys/serializers/created-api-key.serializer.js.map +1 -0
  36. package/lib/api-keys/serializers/index.cjs +9 -0
  37. package/lib/api-keys/serializers/index.d.cts +5 -0
  38. package/lib/api-keys/serializers/index.d.ts +5 -0
  39. package/lib/api-keys/serializers/index.js +6 -0
  40. package/lib/common/crypto/seal.cjs +7 -7
  41. package/lib/common/crypto/seal.cjs.map +1 -1
  42. package/lib/common/crypto/seal.js +1 -1
  43. package/lib/common/exceptions/api-key-required.exception.cjs +15 -0
  44. package/lib/common/exceptions/api-key-required.exception.cjs.map +1 -0
  45. package/lib/common/exceptions/api-key-required.exception.d.cts +10 -0
  46. package/lib/common/exceptions/api-key-required.exception.d.ts +10 -0
  47. package/lib/common/exceptions/api-key-required.exception.js +14 -0
  48. package/lib/common/exceptions/api-key-required.exception.js.map +1 -0
  49. package/lib/common/exceptions/index.cjs +2 -0
  50. package/lib/common/exceptions/index.d.cts +2 -1
  51. package/lib/common/exceptions/index.d.ts +2 -1
  52. package/lib/common/exceptions/index.js +2 -1
  53. package/lib/common/interfaces/event.interface.d.cts +28 -3
  54. package/lib/common/interfaces/event.interface.d.ts +28 -3
  55. package/lib/common/interfaces/get-options.interface.d.cts +2 -0
  56. package/lib/common/interfaces/get-options.interface.d.ts +2 -0
  57. package/lib/common/interfaces/index.d.cts +2 -2
  58. package/lib/common/interfaces/index.d.ts +2 -2
  59. package/lib/common/interfaces/post-options.interface.d.cts +2 -0
  60. package/lib/common/interfaces/post-options.interface.d.ts +2 -0
  61. package/lib/common/interfaces/put-options.interface.d.cts +2 -0
  62. package/lib/common/interfaces/put-options.interface.d.ts +2 -0
  63. package/lib/common/interfaces/workos-options.interface.d.cts +1 -0
  64. package/lib/common/interfaces/workos-options.interface.d.ts +1 -0
  65. package/lib/common/net/http-client.cjs.map +1 -1
  66. package/lib/common/net/http-client.js.map +1 -1
  67. package/lib/common/serializers/event.serializer.cjs +13 -5
  68. package/lib/common/serializers/event.serializer.cjs.map +1 -1
  69. package/lib/common/serializers/event.serializer.js +13 -5
  70. package/lib/common/serializers/event.serializer.js.map +1 -1
  71. package/lib/directory-sync/directory-sync.cjs +1 -1
  72. package/lib/directory-sync/directory-sync.js +1 -1
  73. package/lib/factory.cjs +10 -0
  74. package/lib/factory.cjs.map +1 -0
  75. package/lib/factory.d.cts +83 -0
  76. package/lib/factory.d.ts +83 -0
  77. package/lib/factory.js +10 -0
  78. package/lib/factory.js.map +1 -0
  79. package/lib/feature-flags/feature-flags.cjs +37 -0
  80. package/lib/feature-flags/feature-flags.cjs.map +1 -0
  81. package/lib/feature-flags/feature-flags.d.cts +21 -0
  82. package/lib/feature-flags/feature-flags.d.ts +21 -0
  83. package/lib/feature-flags/feature-flags.js +37 -0
  84. package/lib/feature-flags/feature-flags.js.map +1 -0
  85. package/lib/feature-flags/interfaces/add-flag-target-options.interface.cjs +0 -0
  86. package/lib/feature-flags/interfaces/add-flag-target-options.interface.d.cts +8 -0
  87. package/lib/feature-flags/interfaces/add-flag-target-options.interface.d.ts +8 -0
  88. package/lib/feature-flags/interfaces/add-flag-target-options.interface.js +1 -0
  89. package/lib/feature-flags/interfaces/feature-flag.interface.d.cts +8 -2
  90. package/lib/feature-flags/interfaces/feature-flag.interface.d.ts +8 -2
  91. package/lib/feature-flags/interfaces/index.d.cts +4 -1
  92. package/lib/feature-flags/interfaces/index.d.ts +4 -1
  93. package/lib/feature-flags/interfaces/list-feature-flags-options.interface.cjs +0 -0
  94. package/lib/feature-flags/interfaces/list-feature-flags-options.interface.d.cts +7 -0
  95. package/lib/feature-flags/interfaces/list-feature-flags-options.interface.d.ts +7 -0
  96. package/lib/feature-flags/interfaces/list-feature-flags-options.interface.js +1 -0
  97. package/lib/feature-flags/interfaces/remove-flag-target-options.interface.cjs +0 -0
  98. package/lib/feature-flags/interfaces/remove-flag-target-options.interface.d.cts +8 -0
  99. package/lib/feature-flags/interfaces/remove-flag-target-options.interface.d.ts +8 -0
  100. package/lib/feature-flags/interfaces/remove-flag-target-options.interface.js +1 -0
  101. package/lib/feature-flags/serializers/feature-flag.serializer.cjs +3 -0
  102. package/lib/feature-flags/serializers/feature-flag.serializer.cjs.map +1 -1
  103. package/lib/feature-flags/serializers/feature-flag.serializer.js +3 -0
  104. package/lib/feature-flags/serializers/feature-flag.serializer.js.map +1 -1
  105. package/lib/feature-flags/serializers/index.cjs +3 -0
  106. package/lib/feature-flags/serializers/index.d.cts +2 -0
  107. package/lib/feature-flags/serializers/index.d.ts +2 -0
  108. package/lib/feature-flags/serializers/index.js +3 -0
  109. package/lib/fga/serializers/query-result.serializer.cjs.map +1 -1
  110. package/lib/fga/serializers/query-result.serializer.js.map +1 -1
  111. package/lib/index.cjs +18 -9
  112. package/lib/index.cjs.map +1 -1
  113. package/lib/index.d.cts +18 -5
  114. package/lib/index.d.ts +18 -5
  115. package/lib/index.js +16 -10
  116. package/lib/index.js.map +1 -1
  117. package/lib/index.worker.cjs +15 -9
  118. package/lib/index.worker.cjs.map +1 -1
  119. package/lib/index.worker.d.cts +10 -5
  120. package/lib/index.worker.d.ts +10 -5
  121. package/lib/index.worker.js +13 -10
  122. package/lib/index.worker.js.map +1 -1
  123. package/lib/node_modules/iron-webcrypto/index.cjs +218 -0
  124. package/lib/node_modules/iron-webcrypto/index.cjs.map +1 -0
  125. package/lib/node_modules/iron-webcrypto/index.js +216 -0
  126. package/lib/node_modules/iron-webcrypto/index.js.map +1 -0
  127. package/lib/node_modules/uint8array-extras/index.cjs +55 -0
  128. package/lib/node_modules/uint8array-extras/index.cjs.map +1 -0
  129. package/lib/node_modules/uint8array-extras/index.js +52 -0
  130. package/lib/node_modules/uint8array-extras/index.js.map +1 -0
  131. package/lib/organizations/organizations.cjs +14 -2
  132. package/lib/organizations/organizations.cjs.map +1 -1
  133. package/lib/organizations/organizations.d.cts +6 -0
  134. package/lib/organizations/organizations.d.ts +6 -0
  135. package/lib/organizations/organizations.js +14 -2
  136. package/lib/organizations/organizations.js.map +1 -1
  137. package/lib/organizations/serializers/index.cjs +1 -1
  138. package/lib/organizations/serializers/index.js +1 -1
  139. package/lib/pkce/pkce.cjs +54 -0
  140. package/lib/pkce/pkce.cjs.map +1 -0
  141. package/lib/pkce/pkce.d.cts +38 -0
  142. package/lib/pkce/pkce.d.ts +38 -0
  143. package/lib/pkce/pkce.js +53 -0
  144. package/lib/pkce/pkce.js.map +1 -0
  145. package/lib/sso/interfaces/authorization-url-options.interface.d.cts +34 -8
  146. package/lib/sso/interfaces/authorization-url-options.interface.d.ts +34 -8
  147. package/lib/sso/interfaces/get-profile-and-token-options.interface.d.cts +6 -0
  148. package/lib/sso/interfaces/get-profile-and-token-options.interface.d.ts +6 -0
  149. package/lib/sso/interfaces/index.d.cts +2 -2
  150. package/lib/sso/interfaces/index.d.ts +2 -2
  151. package/lib/sso/sso.cjs +90 -8
  152. package/lib/sso/sso.cjs.map +1 -1
  153. package/lib/sso/sso.d.cts +41 -2
  154. package/lib/sso/sso.d.ts +41 -2
  155. package/lib/sso/sso.js +90 -8
  156. package/lib/sso/sso.js.map +1 -1
  157. package/lib/user-management/interfaces/authenticate-with-code-and-verifier-options.interface.d.cts +2 -2
  158. package/lib/user-management/interfaces/authenticate-with-code-and-verifier-options.interface.d.ts +2 -2
  159. package/lib/user-management/interfaces/authenticate-with-options-base.interface.d.cts +19 -3
  160. package/lib/user-management/interfaces/authenticate-with-options-base.interface.d.ts +19 -3
  161. package/lib/user-management/interfaces/authenticate-with-refresh-token-public-client-options.interface.cjs +0 -0
  162. package/lib/user-management/interfaces/authenticate-with-refresh-token-public-client-options.interface.d.cts +16 -0
  163. package/lib/user-management/interfaces/authenticate-with-refresh-token-public-client-options.interface.d.ts +16 -0
  164. package/lib/user-management/interfaces/authenticate-with-refresh-token-public-client-options.interface.js +1 -0
  165. package/lib/user-management/interfaces/authorization-url-options.interface.d.cts +30 -5
  166. package/lib/user-management/interfaces/authorization-url-options.interface.d.ts +30 -5
  167. package/lib/user-management/interfaces/index.d.cts +5 -3
  168. package/lib/user-management/interfaces/index.d.ts +5 -3
  169. package/lib/user-management/interfaces/logout-url-options.interface.cjs +0 -0
  170. package/lib/user-management/interfaces/logout-url-options.interface.d.cts +8 -0
  171. package/lib/user-management/interfaces/logout-url-options.interface.d.ts +8 -0
  172. package/lib/user-management/interfaces/logout-url-options.interface.js +1 -0
  173. package/lib/user-management/serializers/authenticate-with-code-and-verifier-options.serializer.cjs.map +1 -1
  174. package/lib/user-management/serializers/authenticate-with-code-and-verifier-options.serializer.d.cts +2 -1
  175. package/lib/user-management/serializers/authenticate-with-code-and-verifier-options.serializer.d.ts +2 -1
  176. package/lib/user-management/serializers/authenticate-with-code-and-verifier-options.serializer.js.map +1 -1
  177. package/lib/user-management/serializers/authenticate-with-code-options.serializer.cjs.map +1 -1
  178. package/lib/user-management/serializers/authenticate-with-code-options.serializer.d.cts +2 -1
  179. package/lib/user-management/serializers/authenticate-with-code-options.serializer.d.ts +2 -1
  180. package/lib/user-management/serializers/authenticate-with-code-options.serializer.js.map +1 -1
  181. package/lib/user-management/serializers/authenticate-with-email-verification.serializer.cjs.map +1 -1
  182. package/lib/user-management/serializers/authenticate-with-email-verification.serializer.d.cts +2 -1
  183. package/lib/user-management/serializers/authenticate-with-email-verification.serializer.d.ts +2 -1
  184. package/lib/user-management/serializers/authenticate-with-email-verification.serializer.js.map +1 -1
  185. package/lib/user-management/serializers/authenticate-with-magic-auth-options.serializer.cjs.map +1 -1
  186. package/lib/user-management/serializers/authenticate-with-magic-auth-options.serializer.d.cts +2 -1
  187. package/lib/user-management/serializers/authenticate-with-magic-auth-options.serializer.d.ts +2 -1
  188. package/lib/user-management/serializers/authenticate-with-magic-auth-options.serializer.js.map +1 -1
  189. package/lib/user-management/serializers/authenticate-with-organization-selection-options.serializer.cjs.map +1 -1
  190. package/lib/user-management/serializers/authenticate-with-organization-selection-options.serializer.d.cts +2 -1
  191. package/lib/user-management/serializers/authenticate-with-organization-selection-options.serializer.d.ts +2 -1
  192. package/lib/user-management/serializers/authenticate-with-organization-selection-options.serializer.js.map +1 -1
  193. package/lib/user-management/serializers/authenticate-with-password-options.serializer.cjs.map +1 -1
  194. package/lib/user-management/serializers/authenticate-with-password-options.serializer.d.cts +2 -1
  195. package/lib/user-management/serializers/authenticate-with-password-options.serializer.d.ts +2 -1
  196. package/lib/user-management/serializers/authenticate-with-password-options.serializer.js.map +1 -1
  197. package/lib/user-management/serializers/authenticate-with-refresh-token-public-client-options.serializer.cjs +14 -0
  198. package/lib/user-management/serializers/authenticate-with-refresh-token-public-client-options.serializer.cjs.map +1 -0
  199. package/lib/user-management/serializers/authenticate-with-refresh-token-public-client-options.serializer.d.cts +8 -0
  200. package/lib/user-management/serializers/authenticate-with-refresh-token-public-client-options.serializer.d.ts +8 -0
  201. package/lib/user-management/serializers/authenticate-with-refresh-token-public-client-options.serializer.js +13 -0
  202. package/lib/user-management/serializers/authenticate-with-refresh-token-public-client-options.serializer.js.map +1 -0
  203. package/lib/user-management/serializers/authenticate-with-refresh-token.options.serializer.cjs.map +1 -1
  204. package/lib/user-management/serializers/authenticate-with-refresh-token.options.serializer.d.cts +2 -1
  205. package/lib/user-management/serializers/authenticate-with-refresh-token.options.serializer.d.ts +2 -1
  206. package/lib/user-management/serializers/authenticate-with-refresh-token.options.serializer.js.map +1 -1
  207. package/lib/user-management/serializers/authenticate-with-totp-options.serializer.cjs.map +1 -1
  208. package/lib/user-management/serializers/authenticate-with-totp-options.serializer.d.cts +2 -1
  209. package/lib/user-management/serializers/authenticate-with-totp-options.serializer.d.ts +2 -1
  210. package/lib/user-management/serializers/authenticate-with-totp-options.serializer.js.map +1 -1
  211. package/lib/user-management/serializers/index.cjs +2 -0
  212. package/lib/user-management/serializers/index.d.cts +2 -1
  213. package/lib/user-management/serializers/index.d.ts +2 -1
  214. package/lib/user-management/serializers/index.js +2 -1
  215. package/lib/user-management/session.cjs +3 -10
  216. package/lib/user-management/session.cjs.map +1 -1
  217. package/lib/user-management/session.js +3 -10
  218. package/lib/user-management/session.js.map +1 -1
  219. package/lib/user-management/user-management.cjs +186 -31
  220. package/lib/user-management/user-management.cjs.map +1 -1
  221. package/lib/user-management/user-management.d.cts +71 -2
  222. package/lib/user-management/user-management.d.ts +71 -2
  223. package/lib/user-management/user-management.js +186 -31
  224. package/lib/user-management/user-management.js.map +1 -1
  225. package/lib/vault/vault.cjs +4 -0
  226. package/lib/vault/vault.cjs.map +1 -1
  227. package/lib/vault/vault.d.cts +1 -0
  228. package/lib/vault/vault.d.ts +1 -0
  229. package/lib/vault/vault.js +4 -0
  230. package/lib/vault/vault.js.map +1 -1
  231. package/lib/webhooks/webhooks.cjs +1 -1
  232. package/lib/webhooks/webhooks.js +1 -1
  233. package/lib/workos.cjs +68 -26
  234. package/lib/workos.cjs.map +1 -1
  235. package/lib/workos.d.cts +37 -8
  236. package/lib/workos.d.ts +37 -8
  237. package/lib/workos.js +68 -26
  238. package/lib/workos.js.map +1 -1
  239. package/package.json +4 -21
  240. package/lib/_virtual/rolldown_runtime.cjs +0 -19
  241. package/lib/_virtual/rolldown_runtime.js +0 -18
  242. package/lib/client/index.cjs +0 -15
  243. package/lib/client/index.d.cts +0 -3
  244. package/lib/client/index.d.ts +0 -3
  245. package/lib/client/index.js +0 -4
  246. package/lib/client/sso.cjs +0 -40
  247. package/lib/client/sso.cjs.map +0 -1
  248. package/lib/client/sso.d.cts +0 -21
  249. package/lib/client/sso.d.ts +0 -21
  250. package/lib/client/sso.js +0 -34
  251. package/lib/client/sso.js.map +0 -1
  252. package/lib/client/user-management.cjs +0 -80
  253. package/lib/client/user-management.cjs.map +0 -1
  254. package/lib/client/user-management.d.cts +0 -58
  255. package/lib/client/user-management.d.ts +0 -58
  256. package/lib/client/user-management.js +0 -72
  257. package/lib/client/user-management.js.map +0 -1
  258. package/lib/index.client.cjs +0 -15
  259. package/lib/index.client.d.cts +0 -3
  260. package/lib/index.client.d.ts +0 -3
  261. package/lib/index.client.js +0 -4
package/lib/user-management/user-management.js CHANGED
@@ -1,9 +1,10 @@
1
- import { getAuthorizationUrl, getJwksUrl, getLogoutUrl } from "../client/user-management.js";
1
+ import { AutoPaginatable } from "../common/utils/pagination.js";
2
2
  import { serializeAuthenticateWithCodeOptions } from "./serializers/authenticate-with-code-options.serializer.js";
3
3
  import { serializeAuthenticateWithCodeAndVerifierOptions } from "./serializers/authenticate-with-code-and-verifier-options.serializer.js";
4
4
  import { serializeAuthenticateWithMagicAuthOptions } from "./serializers/authenticate-with-magic-auth-options.serializer.js";
5
5
  import { serializeAuthenticateWithPasswordOptions } from "./serializers/authenticate-with-password-options.serializer.js";
6
6
  import { serializeAuthenticateWithRefreshTokenOptions } from "./serializers/authenticate-with-refresh-token.options.serializer.js";
7
+ import { serializeAuthenticateWithRefreshTokenPublicClientOptions } from "./serializers/authenticate-with-refresh-token-public-client-options.serializer.js";
7
8
  import { serializeAuthenticateWithTotpOptions } from "./serializers/authenticate-with-totp-options.serializer.js";
8
9
  import { deserializeUser } from "./serializers/user.serializer.js";
9
10
  import { deserializeAuthenticationResponse } from "./serializers/authentication-response.serializer.js";
@@ -21,9 +22,9 @@ import { deserializeSession } from "./serializers/session.serializer.js";
21
22
  import { serializeCreateUserOptions } from "./serializers/create-user-options.serializer.js";
22
23
  import { serializeUpdateUserOptions } from "./serializers/update-user-options.serializer.js";
23
24
  import { deserializeOrganizationMembership } from "./serializers/organization-membership.serializer.js";
24
- import { AutoPaginatable } from "../common/utils/pagination.js";
25
25
  import { fetchAndDeserialize } from "../common/utils/fetch-and-deserialize.js";
26
26
  import { deserializeFeatureFlag } from "../feature-flags/serializers/feature-flag.serializer.js";
27
+ import { toQueryString } from "../common/utils/query-string.js";
27
28
  import { deserializeChallenge } from "../mfa/serializers/challenge.serializer.js";
28
29
  import { sealData, unsealData } from "../common/crypto/seal.js";
29
30
  import { getEnv } from "../common/utils/env.js";
@@ -50,6 +51,15 @@ var UserManagement = class {
50
51
  const { clientId } = workos.options;
51
52
  this.clientId = clientId;
52
53
  }
54
+ /**
55
+ * Resolve clientId from method options or fall back to constructor-provided value.
56
+ * @throws TypeError if clientId is not available from either source
57
+ */
58
+ resolveClientId(clientId) {
59
+ const resolved = clientId ?? this.clientId;
60
+ if (!resolved) throw new TypeError("clientId is required. Provide it in method options or when initializing WorkOS.");
61
+ return resolved;
62
+ }
53
63
  async getJWKS() {
54
64
  const { createRemoteJWKSet } = await getJose();
55
65
  if (!this.clientId) return;
@@ -83,9 +93,11 @@ var UserManagement = class {
83
93
  return deserializeUser(data);
84
94
  }
85
95
  async authenticateWithMagicAuth(payload) {
86
- const { session, ...remainingPayload } = payload;
96
+ const { session, clientId, ...remainingPayload } = payload;
97
+ const resolvedClientId = this.resolveClientId(clientId);
87
98
  const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithMagicAuthOptions({
88
99
  ...remainingPayload,
100
+ clientId: resolvedClientId,
89
101
  clientSecret: this.workos.key
90
102
  }));
91
103
  return this.prepareAuthenticationResponse({
@@ -94,9 +106,11 @@ var UserManagement = class {
94
106
  });
95
107
  }
96
108
  async authenticateWithPassword(payload) {
97
- const { session, ...remainingPayload } = payload;
109
+ const { session, clientId, ...remainingPayload } = payload;
110
+ const resolvedClientId = this.resolveClientId(clientId);
98
111
  const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithPasswordOptions({
99
112
  ...remainingPayload,
113
+ clientId: resolvedClientId,
100
114
  clientSecret: this.workos.key
101
115
  }));
102
116
  return this.prepareAuthenticationResponse({
@@ -104,40 +118,86 @@ var UserManagement = class {
104
118
  session
105
119
  });
106
120
  }
121
+ /**
122
+ * Exchange an authorization code for tokens.
123
+ *
124
+ * Auto-detects public vs confidential client mode:
125
+ * - If codeVerifier is provided: Uses PKCE flow (public client)
126
+ * - If no codeVerifier: Uses client_secret from API key (confidential client)
127
+ * - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)
128
+ *
129
+ * Using PKCE with confidential clients is recommended by OAuth 2.1 for defense
130
+ * in depth and provides additional CSRF protection on the authorization flow.
131
+ *
132
+ * @throws Error if neither codeVerifier nor API key is available
133
+ */
107
134
  async authenticateWithCode(payload) {
108
- const { session, ...remainingPayload } = payload;
135
+ const { session, clientId, codeVerifier, ...remainingPayload } = payload;
136
+ const resolvedClientId = this.resolveClientId(clientId);
137
+ if (codeVerifier !== void 0 && codeVerifier.trim() === "") throw new TypeError("codeVerifier cannot be an empty string. Generate a valid PKCE pair using workos.pkce.generate().");
138
+ const hasApiKey = !!this.workos.key;
139
+ if (!!!codeVerifier && !hasApiKey) throw new TypeError("authenticateWithCode requires either a codeVerifier (for public clients) or an API key configured on the WorkOS instance (for confidential clients).");
109
140
  const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithCodeOptions({
110
141
  ...remainingPayload,
111
- clientSecret: this.workos.key
112
- }));
142
+ clientId: resolvedClientId,
143
+ codeVerifier,
144
+ clientSecret: hasApiKey ? this.workos.key : void 0
145
+ }), { skipApiKeyCheck: !hasApiKey });
113
146
  return this.prepareAuthenticationResponse({
114
147
  authenticationResponse: deserializeAuthenticationResponse(data),
115
148
  session
116
149
  });
117
150
  }
151
+ /**
152
+ * Exchange an authorization code for tokens using PKCE (public client flow).
153
+ * Use this instead of authenticateWithCode() when the client cannot securely
154
+ * store a client_secret (browser, mobile, CLI, desktop apps).
155
+ *
156
+ * @param payload.clientId - Your WorkOS client ID
157
+ * @param payload.code - The authorization code from the OAuth callback
158
+ * @param payload.codeVerifier - The PKCE code verifier used to generate the code challenge
159
+ */
118
160
  async authenticateWithCodeAndVerifier(payload) {
119
- const { session, ...remainingPayload } = payload;
120
- const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithCodeAndVerifierOptions(remainingPayload));
161
+ const { session, clientId, ...remainingPayload } = payload;
162
+ const resolvedClientId = this.resolveClientId(clientId);
163
+ const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithCodeAndVerifierOptions({
164
+ ...remainingPayload,
165
+ clientId: resolvedClientId
166
+ }), { skipApiKeyCheck: true });
121
167
  return this.prepareAuthenticationResponse({
122
168
  authenticationResponse: deserializeAuthenticationResponse(data),
123
169
  session
124
170
  });
125
171
  }
172
+ /**
173
+ * Refresh an access token using a refresh token.
174
+ * Automatically detects public client mode - if no API key is configured,
175
+ * omits client_secret from the request.
176
+ */
126
177
  async authenticateWithRefreshToken(payload) {
127
- const { session, ...remainingPayload } = payload;
128
- const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithRefreshTokenOptions({
178
+ const { session, clientId, ...remainingPayload } = payload;
179
+ const resolvedClientId = this.resolveClientId(clientId);
180
+ const isPublicClient = !this.workos.key;
181
+ const body = isPublicClient ? serializeAuthenticateWithRefreshTokenPublicClientOptions({
182
+ ...remainingPayload,
183
+ clientId: resolvedClientId
184
+ }) : serializeAuthenticateWithRefreshTokenOptions({
129
185
  ...remainingPayload,
186
+ clientId: resolvedClientId,
130
187
  clientSecret: this.workos.key
131
- }));
188
+ });
189
+ const { data } = await this.workos.post("/user_management/authenticate", body, { skipApiKeyCheck: isPublicClient });
132
190
  return this.prepareAuthenticationResponse({
133
191
  authenticationResponse: deserializeAuthenticationResponse(data),
134
192
  session
135
193
  });
136
194
  }
137
195
  async authenticateWithTotp(payload) {
138
- const { session, ...remainingPayload } = payload;
196
+ const { session, clientId, ...remainingPayload } = payload;
197
+ const resolvedClientId = this.resolveClientId(clientId);
139
198
  const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithTotpOptions({
140
199
  ...remainingPayload,
200
+ clientId: resolvedClientId,
141
201
  clientSecret: this.workos.key
142
202
  }));
143
203
  return this.prepareAuthenticationResponse({
@@ -146,9 +206,11 @@ var UserManagement = class {
146
206
  });
147
207
  }
148
208
  async authenticateWithEmailVerification(payload) {
149
- const { session, ...remainingPayload } = payload;
209
+ const { session, clientId, ...remainingPayload } = payload;
210
+ const resolvedClientId = this.resolveClientId(clientId);
150
211
  const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithEmailVerificationOptions({
151
212
  ...remainingPayload,
213
+ clientId: resolvedClientId,
152
214
  clientSecret: this.workos.key
153
215
  }));
154
216
  return this.prepareAuthenticationResponse({
@@ -157,9 +219,11 @@ var UserManagement = class {
157
219
  });
158
220
  }
159
221
  async authenticateWithOrganizationSelection(payload) {
160
- const { session, ...remainingPayload } = payload;
222
+ const { session, clientId, ...remainingPayload } = payload;
223
+ const resolvedClientId = this.resolveClientId(clientId);
161
224
  const { data } = await this.workos.post("/user_management/authenticate", serializeAuthenticateWithOrganizationSelectionOptions({
162
225
  ...remainingPayload,
226
+ clientId: resolvedClientId,
163
227
  clientSecret: this.workos.key
164
228
  }));
165
229
  return this.prepareAuthenticationResponse({
@@ -207,17 +271,21 @@ var UserManagement = class {
207
271
  await jwtVerify(accessToken, jwks);
208
272
  return true;
209
273
  } catch (e) {
210
- return false;
274
+ if (e instanceof Error && "code" in e && typeof e.code === "string" && (e.code.startsWith("ERR_JWT_") || e.code.startsWith("ERR_JWS_"))) return false;
275
+ throw e;
211
276
  }
212
277
  }
213
278
  async prepareAuthenticationResponse({ authenticationResponse, session }) {
214
- if (session?.sealSession) return {
215
- ...authenticationResponse,
216
- sealedSession: await this.sealSessionDataFromAuthenticationResponse({
217
- authenticationResponse,
218
- cookiePassword: session.cookiePassword
219
- })
220
- };
279
+ if (session?.sealSession) {
280
+ if (!this.workos.key) throw new Error("Session sealing requires server-side usage with an API key. Public clients should store tokens directly (e.g., secure storage on mobile, keychain on desktop).");
281
+ return {
282
+ ...authenticationResponse,
283
+ sealedSession: await this.sealSessionDataFromAuthenticationResponse({
284
+ authenticationResponse,
285
+ cookiePassword: session.cookiePassword
286
+ })
287
+ };
288
+ }
221
289
  return authenticationResponse;
222
290
  }
223
291
  async sealSessionDataFromAuthenticationResponse({ authenticationResponse, cookiePassword }) {
@@ -356,20 +424,107 @@ var UserManagement = class {
356
424
  async revokeSession(payload) {
357
425
  await this.workos.post("/user_management/sessions/revoke", serializeRevokeSessionOptions(payload));
358
426
  }
427
+ /**
428
+ * Generate an OAuth 2.0 authorization URL.
429
+ *
430
+ * For public clients (browser, mobile, CLI), include PKCE parameters:
431
+ * - Generate PKCE using workos.pkce.generate()
432
+ * - Pass codeChallenge and codeChallengeMethod here
433
+ * - Store codeVerifier and pass to authenticateWithCode() later
434
+ *
435
+ * Or use getAuthorizationUrlWithPKCE() which handles PKCE automatically.
436
+ */
359
437
  getAuthorizationUrl(options) {
360
- return getAuthorizationUrl({
361
- ...options,
362
- baseURL: this.workos.baseURL
438
+ const { connectionId, codeChallenge, codeChallengeMethod, clientId, domainHint, loginHint, organizationId, provider, providerQueryParams, providerScopes, prompt, redirectUri, state, screenHint } = options;
439
+ const resolvedClientId = this.resolveClientId(clientId);
440
+ if (!provider && !connectionId && !organizationId) throw new TypeError(`Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`);
441
+ if (provider !== "authkit" && screenHint) throw new TypeError(`'screenHint' is only supported for 'authkit' provider`);
442
+ const query = toQueryString({
443
+ connection_id: connectionId,
444
+ code_challenge: codeChallenge,
445
+ code_challenge_method: codeChallengeMethod,
446
+ organization_id: organizationId,
447
+ domain_hint: domainHint,
448
+ login_hint: loginHint,
449
+ provider,
450
+ provider_query_params: providerQueryParams,
451
+ provider_scopes: providerScopes,
452
+ prompt,
453
+ client_id: resolvedClientId,
454
+ redirect_uri: redirectUri,
455
+ response_type: "code",
456
+ state,
457
+ screen_hint: screenHint
363
458
  });
459
+ return `${this.workos.baseURL}/user_management/authorize?${query}`;
364
460
  }
365
- getLogoutUrl(options) {
366
- return getLogoutUrl({
367
- ...options,
368
- baseURL: this.workos.baseURL
461
+ /**
462
+ * Generate an OAuth 2.0 authorization URL with automatic PKCE.
463
+ *
464
+ * This method generates PKCE parameters internally and returns them along with
465
+ * the authorization URL. Use this for public clients (CLI apps, Electron, mobile)
466
+ * that cannot securely store a client secret.
467
+ *
468
+ * @returns Object containing url, state, and codeVerifier
469
+ *
470
+ * @example
471
+ * ```typescript
472
+ * const { url, state, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({
473
+ * provider: 'authkit',
474
+ * clientId: 'client_123',
475
+ * redirectUri: 'myapp://callback',
476
+ * });
477
+ *
478
+ * // Store state and codeVerifier securely, then redirect user to url
479
+ * // After callback, exchange the code:
480
+ * const response = await workos.userManagement.authenticateWithCode({
481
+ * code: authorizationCode,
482
+ * codeVerifier,
483
+ * clientId: 'client_123',
484
+ * });
485
+ * ```
486
+ */
487
+ async getAuthorizationUrlWithPKCE(options) {
488
+ const { clientId, connectionId, domainHint, loginHint, organizationId, provider, providerQueryParams, providerScopes, prompt, redirectUri, screenHint } = options;
489
+ const resolvedClientId = this.resolveClientId(clientId);
490
+ if (!provider && !connectionId && !organizationId) throw new TypeError(`Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`);
491
+ if (provider !== "authkit" && screenHint) throw new TypeError(`'screenHint' is only supported for 'authkit' provider`);
492
+ const pkce = await this.workos.pkce.generate();
493
+ const state = this.workos.pkce.generateCodeVerifier(43);
494
+ const query = toQueryString({
495
+ connection_id: connectionId,
496
+ code_challenge: pkce.codeChallenge,
497
+ code_challenge_method: "S256",
498
+ organization_id: organizationId,
499
+ domain_hint: domainHint,
500
+ login_hint: loginHint,
501
+ provider,
502
+ provider_query_params: providerQueryParams,
503
+ provider_scopes: providerScopes,
504
+ prompt,
505
+ client_id: resolvedClientId,
506
+ redirect_uri: redirectUri,
507
+ response_type: "code",
508
+ state,
509
+ screen_hint: screenHint
369
510
  });
511
+ return {
512
+ url: `${this.workos.baseURL}/user_management/authorize?${query}`,
513
+ state,
514
+ codeVerifier: pkce.codeVerifier
515
+ };
516
+ }
517
+ getLogoutUrl(options) {
518
+ const { sessionId, returnTo } = options;
519
+ if (!sessionId) throw new TypeError(`Incomplete arguments. Need to specify 'sessionId'.`);
520
+ const url = new URL("/user_management/sessions/logout", this.workos.baseURL);
521
+ url.searchParams.set("session_id", sessionId);
522
+ if (returnTo) url.searchParams.set("return_to", returnTo);
523
+ return url.toString();
370
524
  }
371
525
  getJwksUrl(clientId) {
372
- return getJwksUrl(clientId, this.workos.baseURL);
526
+ if (!clientId) throw new TypeError("clientId must be a valid clientId");
527
+ return `${this.workos.baseURL}/sso/jwks/${clientId}`;
373
528
  }
374
529
  };
375
530
 
package/lib/user-management/user-management.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"user-management.js","names":["workos: WorkOS","clientUserManagement.getAuthorizationUrl","clientUserManagement.getLogoutUrl","clientUserManagement.getJwksUrl"],"sources":["../../src/user-management/user-management.ts"],"sourcesContent":["import { sealData, unsealData } from '../common/crypto/seal';\nimport * as clientUserManagement from '../client/user-management';\nimport { PaginationOptions } from '../common/interfaces/pagination-options.interface';\nimport { fetchAndDeserialize } from '../common/utils/fetch-and-deserialize';\nimport { AutoPaginatable } from '../common/utils/pagination';\nimport { getEnv } from '../common/utils/env';\nimport { Challenge, ChallengeResponse } from '../mfa/interfaces';\nimport { deserializeChallenge } from '../mfa/serializers';\nimport {\n FeatureFlag,\n FeatureFlagResponse,\n} from '../feature-flags/interfaces/feature-flag.interface';\nimport { deserializeFeatureFlag } from '../feature-flags/serializers/feature-flag.serializer';\nimport { WorkOS } from '../workos';\nimport {\n AuthenticateWithCodeAndVerifierOptions,\n AuthenticateWithCodeOptions,\n AuthenticateWithMagicAuthOptions,\n AuthenticateWithPasswordOptions,\n AuthenticateWithRefreshTokenOptions,\n AuthenticateWithSessionOptions,\n AuthenticateWithTotpOptions,\n AuthenticationResponse,\n AuthenticationResponseResponse,\n CreateMagicAuthOptions,\n CreatePasswordResetOptions,\n CreateUserOptions,\n EmailVerification,\n EmailVerificationResponse,\n EnrollAuthFactorOptions,\n ListAuthFactorsOptions,\n ListSessionsOptions,\n ListUsersOptions,\n ListUserFeatureFlagsOptions,\n MagicAuth,\n MagicAuthResponse,\n PasswordReset,\n PasswordResetResponse,\n ResetPasswordOptions,\n SendVerificationEmailOptions,\n SerializedAuthenticateWithCodeAndVerifierOptions,\n SerializedAuthenticateWithCodeOptions,\n SerializedAuthenticateWithMagicAuthOptions,\n SerializedAuthenticateWithPasswordOptions,\n SerializedAuthenticateWithRefreshTokenOptions,\n SerializedAuthenticateWithTotpOptions,\n SerializedCreateMagicAuthOptions,\n SerializedCreatePasswordResetOptions,\n SerializedCreateUserOptions,\n SerializedListSessionsOptions,\n SerializedListUsersOptions,\n SerializedResetPasswordOptions,\n SerializedVerifyEmailOptions,\n Session,\n SessionResponse,\n UpdateUserOptions,\n User,\n UserResponse,\n VerifyEmailOptions,\n} from './interfaces';\nimport {\n AuthenticateWithEmailVerificationOptions,\n SerializedAuthenticateWithEmailVerificationOptions,\n} from './interfaces/authenticate-with-email-verification-options.interface';\nimport {\n AuthenticateWithOrganizationSelectionOptions,\n SerializedAuthenticateWithOrganizationSelectionOptions,\n} from './interfaces/authenticate-with-organization-selection.interface';\nimport {\n AccessToken,\n AuthenticateWithSessionCookieFailedResponse,\n AuthenticateWithSessionCookieFailureReason,\n AuthenticateWithSessionCookieOptions,\n AuthenticateWithSessionCookieSuccessResponse,\n SessionCookieData,\n} from './interfaces/authenticate-with-session-cookie.interface';\nimport { UserManagementAuthorizationURLOptions } from './interfaces/authorization-url-options.interface';\nimport {\n CreateOrganizationMembershipOptions,\n SerializedCreateOrganizationMembershipOptions,\n} from './interfaces/create-organization-membership-options.interface';\nimport {\n Factor,\n FactorResponse,\n FactorWithSecrets,\n FactorWithSecretsResponse,\n} from './interfaces/factor.interface';\nimport { Identity, IdentityResponse } from './interfaces/identity.interface';\nimport {\n Invitation,\n InvitationResponse,\n} from './interfaces/invitation.interface';\nimport {\n ListInvitationsOptions,\n SerializedListInvitationsOptions,\n} from './interfaces/list-invitations-options.interface';\nimport {\n ListOrganizationMembershipsOptions,\n SerializedListOrganizationMembershipsOptions,\n} from './interfaces/list-organization-memberships-options.interface';\nimport {\n OrganizationMembership,\n OrganizationMembershipResponse,\n} from './interfaces/organization-membership.interface';\nimport {\n RevokeSessionOptions,\n SerializedRevokeSessionOptions,\n serializeRevokeSessionOptions,\n} from './interfaces/revoke-session-options.interface';\nimport {\n SendInvitationOptions,\n SerializedSendInvitationOptions,\n} from './interfaces/send-invitation-options.interface';\nimport { SessionHandlerOptions } from './interfaces/session-handler-options.interface';\nimport {\n SerializedUpdateOrganizationMembershipOptions,\n UpdateOrganizationMembershipOptions,\n} from './interfaces/update-organization-membership-options.interface';\nimport {\n deserializeAuthenticationResponse,\n deserializeEmailVerification,\n deserializeFactorWithSecrets,\n deserializeMagicAuth,\n deserializePasswordReset,\n deserializeSession,\n deserializeUser,\n serializeAuthenticateWithCodeAndVerifierOptions,\n serializeAuthenticateWithCodeOptions,\n serializeAuthenticateWithMagicAuthOptions,\n serializeAuthenticateWithPasswordOptions,\n serializeAuthenticateWithRefreshTokenOptions,\n serializeAuthenticateWithTotpOptions,\n serializeCreateMagicAuthOptions,\n serializeCreatePasswordResetOptions,\n serializeCreateUserOptions,\n serializeEnrollAuthFactorOptions,\n serializeListSessionsOptions,\n serializeResetPasswordOptions,\n serializeUpdateUserOptions,\n} from './serializers';\nimport { serializeAuthenticateWithEmailVerificationOptions } from './serializers/authenticate-with-email-verification.serializer';\nimport { serializeAuthenticateWithOrganizationSelectionOptions } from './serializers/authenticate-with-organization-selection-options.serializer';\nimport { serializeCreateOrganizationMembershipOptions } from './serializers/create-organization-membership-options.serializer';\nimport { deserializeFactor } from './serializers/factor.serializer';\nimport { deserializeIdentities } from './serializers/identity.serializer';\nimport { deserializeInvitation } from './serializers/invitation.serializer';\nimport { serializeListInvitationsOptions } from './serializers/list-invitations-options.serializer';\nimport { serializeListOrganizationMembershipsOptions } from './serializers/list-organization-memberships-options.serializer';\nimport { serializeListUsersOptions } from './serializers/list-users-options.serializer';\nimport { deserializeOrganizationMembership } from './serializers/organization-membership.serializer';\nimport { serializeSendInvitationOptions } from './serializers/send-invitation-options.serializer';\nimport { serializeUpdateOrganizationMembershipOptions } from './serializers/update-organization-membership-options.serializer';\nimport { CookieSession } from './session';\nimport { getJose } from '../utils/jose';\n\nexport class UserManagement {\n private _jwks:\n | ReturnType<typeof import('jose').createRemoteJWKSet>\n | undefined;\n public clientId: string | undefined;\n\n constructor(private readonly workos: WorkOS) {\n const { clientId } = workos.options;\n\n this.clientId = clientId;\n }\n\n async getJWKS(): Promise<\n ReturnType<typeof import('jose').createRemoteJWKSet> | undefined\n > {\n const { createRemoteJWKSet } = await getJose();\n if (!this.clientId) {\n return;\n }\n\n // Set the JWKS URL. This is used to verify if the JWT is still valid\n this._jwks ??= createRemoteJWKSet(new URL(this.getJwksUrl(this.clientId)), {\n cooldownDuration: 1000 * 60 * 5,\n });\n\n return this._jwks;\n }\n\n /**\n * Loads a sealed session using the provided session data and cookie password.\n *\n * @param options - The options for loading the sealed session.\n * @param options.sessionData - The sealed session data.\n * @param options.cookiePassword - The password used to encrypt the session data.\n * @returns The session class.\n */\n loadSealedSession(options: {\n sessionData: string;\n cookiePassword: string;\n }): CookieSession {\n return new CookieSession(this, options.sessionData, options.cookiePassword);\n }\n\n async getUser(userId: string): Promise<User> {\n const { data } = await this.workos.get<UserResponse>(\n `/user_management/users/${userId}`,\n );\n\n return deserializeUser(data);\n }\n\n async getUserByExternalId(externalId: string): Promise<User> {\n const { data } = await this.workos.get<UserResponse>(\n `/user_management/users/external_id/${externalId}`,\n );\n\n return deserializeUser(data);\n }\n\n async listUsers(\n options?: ListUsersOptions,\n ): Promise<AutoPaginatable<User, SerializedListUsersOptions>> {\n return new AutoPaginatable(\n await fetchAndDeserialize<UserResponse, User>(\n this.workos,\n '/user_management/users',\n deserializeUser,\n options ? serializeListUsersOptions(options) : undefined,\n ),\n (params) =>\n fetchAndDeserialize<UserResponse, User>(\n this.workos,\n '/user_management/users',\n deserializeUser,\n params,\n ),\n options ? serializeListUsersOptions(options) : undefined,\n );\n }\n\n async createUser(payload: CreateUserOptions): Promise<User> {\n const { data } = await this.workos.post<\n UserResponse,\n SerializedCreateUserOptions\n >('/user_management/users', serializeCreateUserOptions(payload));\n\n return deserializeUser(data);\n }\n\n async authenticateWithMagicAuth(\n payload: AuthenticateWithMagicAuthOptions,\n ): Promise<AuthenticationResponse> {\n const { session, ...remainingPayload } = payload;\n\n const { data } = await this.workos.post<\n AuthenticationResponseResponse,\n SerializedAuthenticateWithMagicAuthOptions\n >(\n '/user_management/authenticate',\n serializeAuthenticateWithMagicAuthOptions({\n ...remainingPayload,\n clientSecret: this.workos.key,\n }),\n );\n\n return this.prepareAuthenticationResponse({\n authenticationResponse: deserializeAuthenticationResponse(data),\n session,\n });\n }\n\n async authenticateWithPassword(\n payload: AuthenticateWithPasswordOptions,\n ): Promise<AuthenticationResponse> {\n const { session, ...remainingPayload } = payload;\n\n const { data } = await this.workos.post<\n AuthenticationResponseResponse,\n SerializedAuthenticateWithPasswordOptions\n >(\n '/user_management/authenticate',\n serializeAuthenticateWithPasswordOptions({\n ...remainingPayload,\n clientSecret: this.workos.key,\n }),\n );\n\n return this.prepareAuthenticationResponse({\n authenticationResponse: deserializeAuthenticationResponse(data),\n session,\n });\n }\n\n async authenticateWithCode(\n payload: AuthenticateWithCodeOptions,\n ): Promise<AuthenticationResponse> {\n const { session, ...remainingPayload } = payload;\n\n const { data } = await this.workos.post<\n AuthenticationResponseResponse,\n SerializedAuthenticateWithCodeOptions\n >(\n '/user_management/authenticate',\n serializeAuthenticateWithCodeOptions({\n ...remainingPayload,\n clientSecret: this.workos.key,\n }),\n );\n\n return this.prepareAuthenticationResponse({\n authenticationResponse: deserializeAuthenticationResponse(data),\n session,\n });\n }\n\n async authenticateWithCodeAndVerifier(\n payload: AuthenticateWithCodeAndVerifierOptions,\n ): Promise<AuthenticationResponse> {\n const { session, ...remainingPayload } = payload;\n\n const { data } = await this.workos.post<\n AuthenticationResponseResponse,\n SerializedAuthenticateWithCodeAndVerifierOptions\n >(\n '/user_management/authenticate',\n serializeAuthenticateWithCodeAndVerifierOptions(remainingPayload),\n );\n\n return this.prepareAuthenticationResponse({\n authenticationResponse: deserializeAuthenticationResponse(data),\n session,\n });\n }\n\n async authenticateWithRefreshToken(\n payload: AuthenticateWithRefreshTokenOptions,\n ): Promise<AuthenticationResponse> {\n const { session, ...remainingPayload } = payload;\n\n const { data } = await this.workos.post<\n AuthenticationResponseResponse,\n SerializedAuthenticateWithRefreshTokenOptions\n >(\n '/user_management/authenticate',\n serializeAuthenticateWithRefreshTokenOptions({\n ...remainingPayload,\n clientSecret: this.workos.key,\n }),\n );\n\n return this.prepareAuthenticationResponse({\n authenticationResponse: deserializeAuthenticationResponse(data),\n session,\n });\n }\n\n async authenticateWithTotp(\n payload: AuthenticateWithTotpOptions,\n ): Promise<AuthenticationResponse> {\n const { session, ...remainingPayload } = payload;\n\n const { data } = await this.workos.post<\n AuthenticationResponseResponse,\n SerializedAuthenticateWithTotpOptions\n >(\n '/user_management/authenticate',\n serializeAuthenticateWithTotpOptions({\n ...remainingPayload,\n clientSecret: this.workos.key,\n }),\n );\n\n return this.prepareAuthenticationResponse({\n authenticationResponse: deserializeAuthenticationResponse(data),\n session,\n });\n }\n\n async authenticateWithEmailVerification(\n payload: AuthenticateWithEmailVerificationOptions,\n ): Promise<AuthenticationResponse> {\n const { session, ...remainingPayload } = payload;\n\n const { data } = await this.workos.post<\n AuthenticationResponseResponse,\n SerializedAuthenticateWithEmailVerificationOptions\n >(\n '/user_management/authenticate',\n serializeAuthenticateWithEmailVerificationOptions({\n ...remainingPayload,\n clientSecret: this.workos.key,\n }),\n );\n\n return this.prepareAuthenticationResponse({\n authenticationResponse: deserializeAuthenticationResponse(data),\n session,\n });\n }\n\n async authenticateWithOrganizationSelection(\n payload: AuthenticateWithOrganizationSelectionOptions,\n ): Promise<AuthenticationResponse> {\n const { session, ...remainingPayload } = payload;\n\n const { data } = await this.workos.post<\n AuthenticationResponseResponse,\n SerializedAuthenticateWithOrganizationSelectionOptions\n >(\n '/user_management/authenticate',\n serializeAuthenticateWithOrganizationSelectionOptions({\n ...remainingPayload,\n clientSecret: this.workos.key,\n }),\n );\n\n return this.prepareAuthenticationResponse({\n authenticationResponse: deserializeAuthenticationResponse(data),\n session,\n });\n }\n\n async authenticateWithSessionCookie({\n sessionData,\n cookiePassword = getEnv('WORKOS_COOKIE_PASSWORD'),\n }: AuthenticateWithSessionCookieOptions): Promise<\n | AuthenticateWithSessionCookieSuccessResponse\n | AuthenticateWithSessionCookieFailedResponse\n > {\n if (!cookiePassword) {\n throw new Error('Cookie password is required');\n }\n\n const jwks = await this.getJWKS();\n\n if (!jwks) {\n throw new Error('Must provide clientId to initialize JWKS');\n }\n\n const { decodeJwt } = await getJose();\n\n if (!sessionData) {\n return {\n authenticated: false,\n reason:\n AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED,\n };\n }\n\n const session = await unsealData<SessionCookieData>(sessionData, {\n password: cookiePassword,\n });\n\n if (!session.accessToken) {\n return {\n authenticated: false,\n reason:\n AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n };\n }\n\n if (!(await this.isValidJwt(session.accessToken))) {\n return {\n authenticated: false,\n reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT,\n };\n }\n\n const {\n sid: sessionId,\n org_id: organizationId,\n role,\n roles,\n permissions,\n entitlements,\n feature_flags: featureFlags,\n } = decodeJwt<AccessToken>(session.accessToken);\n\n return {\n authenticated: true,\n sessionId,\n organizationId,\n role,\n roles,\n user: session.user,\n permissions,\n entitlements,\n featureFlags,\n accessToken: session.accessToken,\n authenticationMethod: session.authenticationMethod,\n };\n }\n\n private async isValidJwt(accessToken: string): Promise<boolean> {\n const jwks = await this.getJWKS();\n const { jwtVerify } = await getJose();\n if (!jwks) {\n throw new Error('Must provide clientId to initialize JWKS');\n }\n\n try {\n await jwtVerify(accessToken, jwks);\n return true;\n } catch (e) {\n return false;\n }\n }\n\n private async prepareAuthenticationResponse({\n authenticationResponse,\n session,\n }: {\n authenticationResponse: AuthenticationResponse;\n session?: AuthenticateWithSessionOptions;\n }): Promise<AuthenticationResponse> {\n if (session?.sealSession) {\n return {\n ...authenticationResponse,\n sealedSession: await this.sealSessionDataFromAuthenticationResponse({\n authenticationResponse,\n cookiePassword: session.cookiePassword,\n }),\n };\n }\n\n return authenticationResponse;\n }\n\n private async sealSessionDataFromAuthenticationResponse({\n authenticationResponse,\n cookiePassword,\n }: {\n authenticationResponse: AuthenticationResponse;\n cookiePassword?: string;\n }): Promise<string> {\n if (!cookiePassword) {\n throw new Error('Cookie password is required');\n }\n\n const { decodeJwt } = await getJose();\n\n const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(\n authenticationResponse.accessToken,\n );\n\n const sessionData: SessionCookieData = {\n organizationId: organizationIdFromAccessToken,\n user: authenticationResponse.user,\n accessToken: authenticationResponse.accessToken,\n refreshToken: authenticationResponse.refreshToken,\n authenticationMethod: authenticationResponse.authenticationMethod,\n impersonator: authenticationResponse.impersonator,\n };\n\n return sealData(sessionData, {\n password: cookiePassword,\n });\n }\n\n async getSessionFromCookie({\n sessionData,\n cookiePassword = getEnv('WORKOS_COOKIE_PASSWORD'),\n }: SessionHandlerOptions): Promise<SessionCookieData | undefined> {\n if (!cookiePassword) {\n throw new Error('Cookie password is required');\n }\n\n if (sessionData) {\n return unsealData<SessionCookieData>(sessionData, {\n password: cookiePassword,\n });\n }\n\n return undefined;\n }\n\n async getEmailVerification(\n emailVerificationId: string,\n ): Promise<EmailVerification> {\n const { data } = await this.workos.get<EmailVerificationResponse>(\n `/user_management/email_verification/${emailVerificationId}`,\n );\n\n return deserializeEmailVerification(data);\n }\n\n async sendVerificationEmail({\n userId,\n }: SendVerificationEmailOptions): Promise<{ user: User }> {\n const { data } = await this.workos.post<{ user: UserResponse }>(\n `/user_management/users/${userId}/email_verification/send`,\n {},\n );\n\n return { user: deserializeUser(data.user) };\n }\n\n async getMagicAuth(magicAuthId: string): Promise<MagicAuth> {\n const { data } = await this.workos.get<MagicAuthResponse>(\n `/user_management/magic_auth/${magicAuthId}`,\n );\n\n return deserializeMagicAuth(data);\n }\n\n async createMagicAuth(options: CreateMagicAuthOptions): Promise<MagicAuth> {\n const { data } = await this.workos.post<\n MagicAuthResponse,\n SerializedCreateMagicAuthOptions\n >(\n '/user_management/magic_auth',\n serializeCreateMagicAuthOptions({\n ...options,\n }),\n );\n\n return deserializeMagicAuth(data);\n }\n\n async verifyEmail({\n code,\n userId,\n }: VerifyEmailOptions): Promise<{ user: User }> {\n const { data } = await this.workos.post<\n { user: UserResponse },\n SerializedVerifyEmailOptions\n >(`/user_management/users/${userId}/email_verification/confirm`, {\n code,\n });\n\n return { user: deserializeUser(data.user) };\n }\n\n async getPasswordReset(passwordResetId: string): Promise<PasswordReset> {\n const { data } = await this.workos.get<PasswordResetResponse>(\n `/user_management/password_reset/${passwordResetId}`,\n );\n\n return deserializePasswordReset(data);\n }\n\n async createPasswordReset(\n options: CreatePasswordResetOptions,\n ): Promise<PasswordReset> {\n const { data } = await this.workos.post<\n PasswordResetResponse,\n SerializedCreatePasswordResetOptions\n >(\n '/user_management/password_reset',\n serializeCreatePasswordResetOptions({\n ...options,\n }),\n );\n\n return deserializePasswordReset(data);\n }\n\n async resetPassword(payload: ResetPasswordOptions): Promise<{ user: User }> {\n const { data } = await this.workos.post<\n { user: UserResponse },\n SerializedResetPasswordOptions\n >(\n '/user_management/password_reset/confirm',\n serializeResetPasswordOptions(payload),\n );\n\n return { user: deserializeUser(data.user) };\n }\n\n async updateUser(payload: UpdateUserOptions): Promise<User> {\n const { data } = await this.workos.put<UserResponse>(\n `/user_management/users/${payload.userId}`,\n serializeUpdateUserOptions(payload),\n );\n\n return deserializeUser(data);\n }\n\n async enrollAuthFactor(payload: EnrollAuthFactorOptions): Promise<{\n authenticationFactor: FactorWithSecrets;\n authenticationChallenge: Challenge;\n }> {\n const { data } = await this.workos.post<{\n authentication_factor: FactorWithSecretsResponse;\n authentication_challenge: ChallengeResponse;\n }>(\n `/user_management/users/${payload.userId}/auth_factors`,\n serializeEnrollAuthFactorOptions(payload),\n );\n\n return {\n authenticationFactor: deserializeFactorWithSecrets(\n data.authentication_factor,\n ),\n authenticationChallenge: deserializeChallenge(\n data.authentication_challenge,\n ),\n };\n }\n\n async listAuthFactors(\n options: ListAuthFactorsOptions,\n ): Promise<AutoPaginatable<Factor, PaginationOptions>> {\n const { userId, ...restOfOptions } = options;\n return new AutoPaginatable(\n await fetchAndDeserialize<FactorResponse, Factor>(\n this.workos,\n `/user_management/users/${userId}/auth_factors`,\n deserializeFactor,\n restOfOptions,\n ),\n (params) =>\n fetchAndDeserialize<FactorResponse, Factor>(\n this.workos,\n `/user_management/users/${userId}/auth_factors`,\n deserializeFactor,\n params,\n ),\n restOfOptions,\n );\n }\n\n async listUserFeatureFlags(\n options: ListUserFeatureFlagsOptions,\n ): Promise<AutoPaginatable<FeatureFlag>> {\n const { userId, ...paginationOptions } = options;\n\n return new AutoPaginatable(\n await fetchAndDeserialize<FeatureFlagResponse, FeatureFlag>(\n this.workos,\n `/user_management/users/${userId}/feature-flags`,\n deserializeFeatureFlag,\n paginationOptions,\n ),\n (params) =>\n fetchAndDeserialize<FeatureFlagResponse, FeatureFlag>(\n this.workos,\n `/user_management/users/${userId}/feature-flags`,\n deserializeFeatureFlag,\n params,\n ),\n paginationOptions,\n );\n }\n\n async listSessions(\n userId: string,\n options?: ListSessionsOptions,\n ): Promise<AutoPaginatable<Session, SerializedListSessionsOptions>> {\n return new AutoPaginatable(\n await fetchAndDeserialize<SessionResponse, Session>(\n this.workos,\n `/user_management/users/${userId}/sessions`,\n deserializeSession,\n options ? serializeListSessionsOptions(options) : undefined,\n ),\n (params) =>\n fetchAndDeserialize<SessionResponse, Session>(\n this.workos,\n `/user_management/users/${userId}/sessions`,\n deserializeSession,\n params,\n ),\n options ? serializeListSessionsOptions(options) : undefined,\n );\n }\n\n async deleteUser(userId: string) {\n await this.workos.delete(`/user_management/users/${userId}`);\n }\n\n async getUserIdentities(userId: string): Promise<Identity[]> {\n if (!userId) {\n throw new TypeError(`Incomplete arguments. Need to specify 'userId'.`);\n }\n\n const { data } = await this.workos.get<IdentityResponse[]>(\n `/user_management/users/${userId}/identities`,\n );\n\n return deserializeIdentities(data);\n }\n\n async getOrganizationMembership(\n organizationMembershipId: string,\n ): Promise<OrganizationMembership> {\n const { data } = await this.workos.get<OrganizationMembershipResponse>(\n `/user_management/organization_memberships/${organizationMembershipId}`,\n );\n\n return deserializeOrganizationMembership(data);\n }\n\n async listOrganizationMemberships(\n options: ListOrganizationMembershipsOptions,\n ): Promise<\n AutoPaginatable<\n OrganizationMembership,\n SerializedListOrganizationMembershipsOptions\n >\n > {\n const serializedOptions =\n serializeListOrganizationMembershipsOptions(options);\n\n return new AutoPaginatable(\n await fetchAndDeserialize<\n OrganizationMembershipResponse,\n OrganizationMembership\n >(\n this.workos,\n '/user_management/organization_memberships',\n deserializeOrganizationMembership,\n serializedOptions,\n ),\n (params) =>\n fetchAndDeserialize<\n OrganizationMembershipResponse,\n OrganizationMembership\n >(\n this.workos,\n '/user_management/organization_memberships',\n deserializeOrganizationMembership,\n params,\n ),\n serializedOptions,\n );\n }\n\n async createOrganizationMembership(\n options: CreateOrganizationMembershipOptions,\n ): Promise<OrganizationMembership> {\n const { data } = await this.workos.post<\n OrganizationMembershipResponse,\n SerializedCreateOrganizationMembershipOptions\n >(\n '/user_management/organization_memberships',\n serializeCreateOrganizationMembershipOptions(options),\n );\n\n return deserializeOrganizationMembership(data);\n }\n\n async updateOrganizationMembership(\n organizationMembershipId: string,\n options: UpdateOrganizationMembershipOptions,\n ): Promise<OrganizationMembership> {\n const { data } = await this.workos.put<\n OrganizationMembershipResponse,\n SerializedUpdateOrganizationMembershipOptions\n >(\n `/user_management/organization_memberships/${organizationMembershipId}`,\n serializeUpdateOrganizationMembershipOptions(options),\n );\n\n return deserializeOrganizationMembership(data);\n }\n\n async deleteOrganizationMembership(\n organizationMembershipId: string,\n ): Promise<void> {\n await this.workos.delete(\n `/user_management/organization_memberships/${organizationMembershipId}`,\n );\n }\n\n async deactivateOrganizationMembership(\n organizationMembershipId: string,\n ): Promise<OrganizationMembership> {\n const { data } = await this.workos.put<OrganizationMembershipResponse>(\n `/user_management/organization_memberships/${organizationMembershipId}/deactivate`,\n {},\n );\n\n return deserializeOrganizationMembership(data);\n }\n\n async reactivateOrganizationMembership(\n organizationMembershipId: string,\n ): Promise<OrganizationMembership> {\n const { data } = await this.workos.put<OrganizationMembershipResponse>(\n `/user_management/organization_memberships/${organizationMembershipId}/reactivate`,\n {},\n );\n\n return deserializeOrganizationMembership(data);\n }\n\n async getInvitation(invitationId: string): Promise<Invitation> {\n const { data } = await this.workos.get<InvitationResponse>(\n `/user_management/invitations/${invitationId}`,\n );\n\n return deserializeInvitation(data);\n }\n\n async findInvitationByToken(invitationToken: string): Promise<Invitation> {\n const { data } = await this.workos.get<InvitationResponse>(\n `/user_management/invitations/by_token/${invitationToken}`,\n );\n\n return deserializeInvitation(data);\n }\n\n async listInvitations(\n options: ListInvitationsOptions,\n ): Promise<AutoPaginatable<Invitation, SerializedListInvitationsOptions>> {\n return new AutoPaginatable(\n await fetchAndDeserialize<InvitationResponse, Invitation>(\n this.workos,\n '/user_management/invitations',\n deserializeInvitation,\n options ? serializeListInvitationsOptions(options) : undefined,\n ),\n (params) =>\n fetchAndDeserialize<InvitationResponse, Invitation>(\n this.workos,\n '/user_management/invitations',\n deserializeInvitation,\n params,\n ),\n options ? serializeListInvitationsOptions(options) : undefined,\n );\n }\n\n async sendInvitation(payload: SendInvitationOptions): Promise<Invitation> {\n const { data } = await this.workos.post<\n InvitationResponse,\n SerializedSendInvitationOptions\n >(\n '/user_management/invitations',\n serializeSendInvitationOptions({\n ...payload,\n }),\n );\n\n return deserializeInvitation(data);\n }\n\n async acceptInvitation(invitationId: string): Promise<Invitation> {\n const { data } = await this.workos.post<InvitationResponse, any>(\n `/user_management/invitations/${invitationId}/accept`,\n null,\n );\n\n return deserializeInvitation(data);\n }\n\n async revokeInvitation(invitationId: string): Promise<Invitation> {\n const { data } = await this.workos.post<InvitationResponse, any>(\n `/user_management/invitations/${invitationId}/revoke`,\n null,\n );\n\n return deserializeInvitation(data);\n }\n\n async resendInvitation(invitationId: string): Promise<Invitation> {\n const { data } = await this.workos.post<InvitationResponse, any>(\n `/user_management/invitations/${invitationId}/resend`,\n null,\n );\n\n return deserializeInvitation(data);\n }\n\n async revokeSession(payload: RevokeSessionOptions): Promise<void> {\n await this.workos.post<void, SerializedRevokeSessionOptions>(\n '/user_management/sessions/revoke',\n serializeRevokeSessionOptions(payload),\n );\n }\n\n getAuthorizationUrl(options: UserManagementAuthorizationURLOptions): string {\n // Delegate to client implementation\n return clientUserManagement.getAuthorizationUrl({\n ...options,\n baseURL: this.workos.baseURL,\n });\n }\n\n getLogoutUrl(options: clientUserManagement.LogoutURLOptions): string {\n // Delegate to client implementation\n return clientUserManagement.getLogoutUrl({\n ...options,\n baseURL: this.workos.baseURL,\n });\n }\n\n getJwksUrl(clientId: string): string {\n // Delegate to client implementation\n return clientUserManagement.getJwksUrl(clientId, this.workos.baseURL);\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2JA,IAAa,iBAAb,MAA4B;CAC1B,AAAQ;CAGR,AAAO;CAEP,YAAY,AAAiBA,QAAgB;EAAhB;EAC3B,MAAM,EAAE,aAAa,OAAO;AAE5B,OAAK,WAAW;;CAGlB,MAAM,UAEJ;EACA,MAAM,EAAE,uBAAuB,MAAM,SAAS;AAC9C,MAAI,CAAC,KAAK,SACR;AAIF,OAAK,UAAU,mBAAmB,IAAI,IAAI,KAAK,WAAW,KAAK,SAAS,CAAC,EAAE,EACzE,kBAAkB,MAAO,KAAK,GAC/B,CAAC;AAEF,SAAO,KAAK;;;;;;;;;;CAWd,kBAAkB,SAGA;AAChB,SAAO,IAAI,cAAc,MAAM,QAAQ,aAAa,QAAQ,eAAe;;CAG7E,MAAM,QAAQ,QAA+B;EAC3C,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,SAC3B;AAED,SAAO,gBAAgB,KAAK;;CAG9B,MAAM,oBAAoB,YAAmC;EAC3D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,sCAAsC,aACvC;AAED,SAAO,gBAAgB,KAAK;;CAG9B,MAAM,UACJ,SAC4D;AAC5D,SAAO,IAAI,gBACT,MAAM,oBACJ,KAAK,QACL,0BACA,iBACA,UAAU,0BAA0B,QAAQ,GAAG,OAChD,GACA,WACC,oBACE,KAAK,QACL,0BACA,iBACA,OACD,EACH,UAAU,0BAA0B,QAAQ,GAAG,OAChD;;CAGH,MAAM,WAAW,SAA2C;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAGjC,0BAA0B,2BAA2B,QAAQ,CAAC;AAEhE,SAAO,gBAAgB,KAAK;;CAG9B,MAAM,0BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,GAAG,qBAAqB;EAEzC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACA,0CAA0C;GACxC,GAAG;GACH,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwB,kCAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,yBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,GAAG,qBAAqB;EAEzC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACA,yCAAyC;GACvC,GAAG;GACH,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwB,kCAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,qBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,GAAG,qBAAqB;EAEzC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACA,qCAAqC;GACnC,GAAG;GACH,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwB,kCAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,gCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,GAAG,qBAAqB;EAEzC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACA,gDAAgD,iBAAiB,CAClE;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwB,kCAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,6BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,GAAG,qBAAqB;EAEzC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACA,6CAA6C;GAC3C,GAAG;GACH,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwB,kCAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,qBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,GAAG,qBAAqB;EAEzC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACA,qCAAqC;GACnC,GAAG;GACH,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwB,kCAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,kCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,GAAG,qBAAqB;EAEzC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACA,kDAAkD;GAChD,GAAG;GACH,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwB,kCAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,sCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,GAAG,qBAAqB;EAEzC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACA,sDAAsD;GACpD,GAAG;GACH,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwB,kCAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,8BAA8B,EAClC,aACA,iBAAiB,OAAO,yBAAyB,IAIjD;AACA,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;AAKhD,MAAI,CAFS,MAAM,KAAK,SAAS,CAG/B,OAAM,IAAI,MAAM,2CAA2C;EAG7D,MAAM,EAAE,cAAc,MAAM,SAAS;AAErC,MAAI,CAAC,YACH,QAAO;GACL,eAAe;GACf,QACE,2CAA2C;GAC9C;EAGH,MAAM,UAAU,MAAM,WAA8B,aAAa,EAC/D,UAAU,gBACX,CAAC;AAEF,MAAI,CAAC,QAAQ,YACX,QAAO;GACL,eAAe;GACf,QACE,2CAA2C;GAC9C;AAGH,MAAI,CAAE,MAAM,KAAK,WAAW,QAAQ,YAAY,CAC9C,QAAO;GACL,eAAe;GACf,QAAQ,2CAA2C;GACpD;EAGH,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,QAAQ,YAAY;AAE/C,SAAO;GACL,eAAe;GACf;GACA;GACA;GACA;GACA,MAAM,QAAQ;GACd;GACA;GACA;GACA,aAAa,QAAQ;GACrB,sBAAsB,QAAQ;GAC/B;;CAGH,MAAc,WAAW,aAAuC;EAC9D,MAAM,OAAO,MAAM,KAAK,SAAS;EACjC,MAAM,EAAE,cAAc,MAAM,SAAS;AACrC,MAAI,CAAC,KACH,OAAM,IAAI,MAAM,2CAA2C;AAG7D,MAAI;AACF,SAAM,UAAU,aAAa,KAAK;AAClC,UAAO;WACA,GAAG;AACV,UAAO;;;CAIX,MAAc,8BAA8B,EAC1C,wBACA,WAIkC;AAClC,MAAI,SAAS,YACX,QAAO;GACL,GAAG;GACH,eAAe,MAAM,KAAK,0CAA0C;IAClE;IACA,gBAAgB,QAAQ;IACzB,CAAC;GACH;AAGH,SAAO;;CAGT,MAAc,0CAA0C,EACtD,wBACA,kBAIkB;AAClB,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;EAGhD,MAAM,EAAE,cAAc,MAAM,SAAS;EAErC,MAAM,EAAE,QAAQ,kCAAkC,UAChD,uBAAuB,YACxB;AAWD,SAAO,SATgC;GACrC,gBAAgB;GAChB,MAAM,uBAAuB;GAC7B,aAAa,uBAAuB;GACpC,cAAc,uBAAuB;GACrC,sBAAsB,uBAAuB;GAC7C,cAAc,uBAAuB;GACtC,EAE4B,EAC3B,UAAU,gBACX,CAAC;;CAGJ,MAAM,qBAAqB,EACzB,aACA,iBAAiB,OAAO,yBAAyB,IACe;AAChE,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;AAGhD,MAAI,YACF,QAAO,WAA8B,aAAa,EAChD,UAAU,gBACX,CAAC;;CAMN,MAAM,qBACJ,qBAC4B;EAC5B,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,uCAAuC,sBACxC;AAED,SAAO,6BAA6B,KAAK;;CAG3C,MAAM,sBAAsB,EAC1B,UACwD;EACxD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,0BAA0B,OAAO,2BACjC,EAAE,CACH;AAED,SAAO,EAAE,MAAM,gBAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,aAAa,aAAyC;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,+BAA+B,cAChC;AAED,SAAO,qBAAqB,KAAK;;CAGnC,MAAM,gBAAgB,SAAqD;EACzE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,+BACA,gCAAgC,EAC9B,GAAG,SACJ,CAAC,CACH;AAED,SAAO,qBAAqB,KAAK;;CAGnC,MAAM,YAAY,EAChB,MACA,UAC8C;EAC9C,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAGjC,0BAA0B,OAAO,8BAA8B,EAC/D,MACD,CAAC;AAEF,SAAO,EAAE,MAAM,gBAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,iBAAiB,iBAAiD;EACtE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,mCAAmC,kBACpC;AAED,SAAO,yBAAyB,KAAK;;CAGvC,MAAM,oBACJ,SACwB;EACxB,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,mCACA,oCAAoC,EAClC,GAAG,SACJ,CAAC,CACH;AAED,SAAO,yBAAyB,KAAK;;CAGvC,MAAM,cAAc,SAAwD;EAC1E,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,2CACA,8BAA8B,QAAQ,CACvC;AAED,SAAO,EAAE,MAAM,gBAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,WAAW,SAA2C;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,QAAQ,UAClC,2BAA2B,QAAQ,CACpC;AAED,SAAO,gBAAgB,KAAK;;CAG9B,MAAM,iBAAiB,SAGpB;EACD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,0BAA0B,QAAQ,OAAO,gBACzC,iCAAiC,QAAQ,CAC1C;AAED,SAAO;GACL,sBAAsB,6BACpB,KAAK,sBACN;GACD,yBAAyB,qBACvB,KAAK,yBACN;GACF;;CAGH,MAAM,gBACJ,SACqD;EACrD,MAAM,EAAE,QAAQ,GAAG,kBAAkB;AACrC,SAAO,IAAI,gBACT,MAAM,oBACJ,KAAK,QACL,0BAA0B,OAAO,gBACjC,mBACA,cACD,GACA,WACC,oBACE,KAAK,QACL,0BAA0B,OAAO,gBACjC,mBACA,OACD,EACH,cACD;;CAGH,MAAM,qBACJ,SACuC;EACvC,MAAM,EAAE,QAAQ,GAAG,sBAAsB;AAEzC,SAAO,IAAI,gBACT,MAAM,oBACJ,KAAK,QACL,0BAA0B,OAAO,iBACjC,wBACA,kBACD,GACA,WACC,oBACE,KAAK,QACL,0BAA0B,OAAO,iBACjC,wBACA,OACD,EACH,kBACD;;CAGH,MAAM,aACJ,QACA,SACkE;AAClE,SAAO,IAAI,gBACT,MAAM,oBACJ,KAAK,QACL,0BAA0B,OAAO,YACjC,oBACA,UAAU,6BAA6B,QAAQ,GAAG,OACnD,GACA,WACC,oBACE,KAAK,QACL,0BAA0B,OAAO,YACjC,oBACA,OACD,EACH,UAAU,6BAA6B,QAAQ,GAAG,OACnD;;CAGH,MAAM,WAAW,QAAgB;AAC/B,QAAM,KAAK,OAAO,OAAO,0BAA0B,SAAS;;CAG9D,MAAM,kBAAkB,QAAqC;AAC3D,MAAI,CAAC,OACH,OAAM,IAAI,UAAU,kDAAkD;EAGxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,OAAO,aAClC;AAED,SAAO,sBAAsB,KAAK;;CAGpC,MAAM,0BACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,2BAC9C;AAED,SAAO,kCAAkC,KAAK;;CAGhD,MAAM,4BACJ,SAMA;EACA,MAAM,oBACJ,4CAA4C,QAAQ;AAEtD,SAAO,IAAI,gBACT,MAAM,oBAIJ,KAAK,QACL,6CACA,mCACA,kBACD,GACA,WACC,oBAIE,KAAK,QACL,6CACA,mCACA,OACD,EACH,kBACD;;CAGH,MAAM,6BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,6CACA,6CAA6C,QAAQ,CACtD;AAED,SAAO,kCAAkC,KAAK;;CAGhD,MAAM,6BACJ,0BACA,SACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IAIjC,6CAA6C,4BAC7C,6CAA6C,QAAQ,CACtD;AAED,SAAO,kCAAkC,KAAK;;CAGhD,MAAM,6BACJ,0BACe;AACf,QAAM,KAAK,OAAO,OAChB,6CAA6C,2BAC9C;;CAGH,MAAM,iCACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,yBAAyB,cACtE,EAAE,CACH;AAED,SAAO,kCAAkC,KAAK;;CAGhD,MAAM,iCACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,yBAAyB,cACtE,EAAE,CACH;AAED,SAAO,kCAAkC,KAAK;;CAGhD,MAAM,cAAc,cAA2C;EAC7D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gCAAgC,eACjC;AAED,SAAO,sBAAsB,KAAK;;CAGpC,MAAM,sBAAsB,iBAA8C;EACxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,yCAAyC,kBAC1C;AAED,SAAO,sBAAsB,KAAK;;CAGpC,MAAM,gBACJ,SACwE;AACxE,SAAO,IAAI,gBACT,MAAM,oBACJ,KAAK,QACL,gCACA,uBACA,UAAU,gCAAgC,QAAQ,GAAG,OACtD,GACA,WACC,oBACE,KAAK,QACL,gCACA,uBACA,OACD,EACH,UAAU,gCAAgC,QAAQ,GAAG,OACtD;;CAGH,MAAM,eAAe,SAAqD;EACxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,gCACA,+BAA+B,EAC7B,GAAG,SACJ,CAAC,CACH;AAED,SAAO,sBAAsB,KAAK;;CAGpC,MAAM,iBAAiB,cAA2C;EAChE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,gCAAgC,aAAa,UAC7C,KACD;AAED,SAAO,sBAAsB,KAAK;;CAGpC,MAAM,iBAAiB,cAA2C;EAChE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,gCAAgC,aAAa,UAC7C,KACD;AAED,SAAO,sBAAsB,KAAK;;CAGpC,MAAM,iBAAiB,cAA2C;EAChE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,gCAAgC,aAAa,UAC7C,KACD;AAED,SAAO,sBAAsB,KAAK;;CAGpC,MAAM,cAAc,SAA8C;AAChE,QAAM,KAAK,OAAO,KAChB,oCACA,8BAA8B,QAAQ,CACvC;;CAGH,oBAAoB,SAAwD;AAE1E,SAAOC,oBAAyC;GAC9C,GAAG;GACH,SAAS,KAAK,OAAO;GACtB,CAAC;;CAGJ,aAAa,SAAwD;AAEnE,SAAOC,aAAkC;GACvC,GAAG;GACH,SAAS,KAAK,OAAO;GACtB,CAAC;;CAGJ,WAAW,UAA0B;AAEnC,SAAOC,WAAgC,UAAU,KAAK,OAAO,QAAQ"}
1
+ {"version":3,"file":"user-management.js","names":["workos: WorkOS"],"sources":["../../src/user-management/user-management.ts"],"sourcesContent":["import { sealData, unsealData } from '../common/crypto/seal';\nimport { PaginationOptions } from '../common/interfaces/pagination-options.interface';\nimport { fetchAndDeserialize } from '../common/utils/fetch-and-deserialize';\nimport { AutoPaginatable } from '../common/utils/pagination';\nimport { getEnv } from '../common/utils/env';\nimport { toQueryString } from '../common/utils/query-string';\nimport { Challenge, ChallengeResponse } from '../mfa/interfaces';\nimport { deserializeChallenge } from '../mfa/serializers';\nimport {\n FeatureFlag,\n FeatureFlagResponse,\n} from '../feature-flags/interfaces/feature-flag.interface';\nimport { deserializeFeatureFlag } from '../feature-flags/serializers';\nimport { WorkOS } from '../workos';\nimport {\n AuthenticateWithCodeAndVerifierOptions,\n AuthenticateWithCodeOptions,\n AuthenticateWithMagicAuthOptions,\n AuthenticateWithPasswordOptions,\n AuthenticateWithRefreshTokenOptions,\n AuthenticateWithSessionOptions,\n AuthenticateWithTotpOptions,\n AuthenticationResponse,\n AuthenticationResponseResponse,\n CreateMagicAuthOptions,\n CreatePasswordResetOptions,\n CreateUserOptions,\n EmailVerification,\n EmailVerificationResponse,\n EnrollAuthFactorOptions,\n ListAuthFactorsOptions,\n ListSessionsOptions,\n ListUsersOptions,\n ListUserFeatureFlagsOptions,\n LogoutURLOptions,\n MagicAuth,\n MagicAuthResponse,\n PasswordReset,\n PasswordResetResponse,\n ResetPasswordOptions,\n SendVerificationEmailOptions,\n SerializedAuthenticateWithCodeAndVerifierOptions,\n SerializedAuthenticateWithCodeOptions,\n SerializedAuthenticateWithMagicAuthOptions,\n SerializedAuthenticateWithPasswordOptions,\n SerializedAuthenticateWithRefreshTokenOptions,\n SerializedAuthenticateWithRefreshTokenPublicClientOptions,\n SerializedAuthenticateWithTotpOptions,\n SerializedCreateMagicAuthOptions,\n SerializedCreatePasswordResetOptions,\n SerializedCreateUserOptions,\n SerializedListSessionsOptions,\n SerializedListUsersOptions,\n SerializedResetPasswordOptions,\n SerializedVerifyEmailOptions,\n Session,\n SessionResponse,\n UpdateUserOptions,\n User,\n UserResponse,\n VerifyEmailOptions,\n} from './interfaces';\nimport {\n AuthenticateWithEmailVerificationOptions,\n SerializedAuthenticateWithEmailVerificationOptions,\n} from './interfaces/authenticate-with-email-verification-options.interface';\nimport {\n AuthenticateWithOrganizationSelectionOptions,\n SerializedAuthenticateWithOrganizationSelectionOptions,\n} from './interfaces/authenticate-with-organization-selection.interface';\nimport {\n AccessToken,\n AuthenticateWithSessionCookieFailedResponse,\n AuthenticateWithSessionCookieFailureReason,\n AuthenticateWithSessionCookieOptions,\n AuthenticateWithSessionCookieSuccessResponse,\n SessionCookieData,\n} from './interfaces/authenticate-with-session-cookie.interface';\nimport {\n PKCEAuthorizationURLResult,\n UserManagementAuthorizationURLOptions,\n} from './interfaces/authorization-url-options.interface';\nimport {\n CreateOrganizationMembershipOptions,\n SerializedCreateOrganizationMembershipOptions,\n} from './interfaces/create-organization-membership-options.interface';\nimport {\n Factor,\n FactorResponse,\n FactorWithSecrets,\n FactorWithSecretsResponse,\n} from './interfaces/factor.interface';\nimport { Identity, IdentityResponse } from './interfaces/identity.interface';\nimport {\n Invitation,\n InvitationResponse,\n} from './interfaces/invitation.interface';\nimport {\n ListInvitationsOptions,\n SerializedListInvitationsOptions,\n} from './interfaces/list-invitations-options.interface';\nimport {\n ListOrganizationMembershipsOptions,\n SerializedListOrganizationMembershipsOptions,\n} from './interfaces/list-organization-memberships-options.interface';\nimport {\n OrganizationMembership,\n OrganizationMembershipResponse,\n} from './interfaces/organization-membership.interface';\nimport {\n RevokeSessionOptions,\n SerializedRevokeSessionOptions,\n serializeRevokeSessionOptions,\n} from './interfaces/revoke-session-options.interface';\nimport {\n SendInvitationOptions,\n SerializedSendInvitationOptions,\n} from './interfaces/send-invitation-options.interface';\nimport { SessionHandlerOptions } from './interfaces/session-handler-options.interface';\nimport {\n SerializedUpdateOrganizationMembershipOptions,\n UpdateOrganizationMembershipOptions,\n} from './interfaces/update-organization-membership-options.interface';\nimport {\n deserializeAuthenticationResponse,\n deserializeEmailVerification,\n deserializeFactorWithSecrets,\n deserializeMagicAuth,\n deserializePasswordReset,\n deserializeSession,\n deserializeUser,\n serializeAuthenticateWithCodeAndVerifierOptions,\n serializeAuthenticateWithCodeOptions,\n serializeAuthenticateWithMagicAuthOptions,\n serializeAuthenticateWithPasswordOptions,\n serializeAuthenticateWithRefreshTokenOptions,\n serializeAuthenticateWithRefreshTokenPublicClientOptions,\n serializeAuthenticateWithTotpOptions,\n serializeCreateMagicAuthOptions,\n serializeCreatePasswordResetOptions,\n serializeCreateUserOptions,\n serializeEnrollAuthFactorOptions,\n serializeListSessionsOptions,\n serializeResetPasswordOptions,\n serializeUpdateUserOptions,\n} from './serializers';\nimport { serializeAuthenticateWithEmailVerificationOptions } from './serializers/authenticate-with-email-verification.serializer';\nimport { serializeAuthenticateWithOrganizationSelectionOptions } from './serializers/authenticate-with-organization-selection-options.serializer';\nimport { serializeCreateOrganizationMembershipOptions } from './serializers/create-organization-membership-options.serializer';\nimport { deserializeFactor } from './serializers/factor.serializer';\nimport { deserializeIdentities } from './serializers/identity.serializer';\nimport { deserializeInvitation } from './serializers/invitation.serializer';\nimport { serializeListInvitationsOptions } from './serializers/list-invitations-options.serializer';\nimport { serializeListOrganizationMembershipsOptions } from './serializers/list-organization-memberships-options.serializer';\nimport { serializeListUsersOptions } from './serializers/list-users-options.serializer';\nimport { deserializeOrganizationMembership } from './serializers/organization-membership.serializer';\nimport { serializeSendInvitationOptions } from './serializers/send-invitation-options.serializer';\nimport { serializeUpdateOrganizationMembershipOptions } from './serializers/update-organization-membership-options.serializer';\nimport { CookieSession } from './session';\nimport { getJose } from '../utils/jose';\n\nexport class UserManagement {\n private _jwks:\n | ReturnType<typeof import('jose').createRemoteJWKSet>\n | undefined;\n public clientId: string | undefined;\n\n constructor(private readonly workos: WorkOS) {\n const { clientId } = workos.options;\n\n this.clientId = clientId;\n }\n\n /**\n * Resolve clientId from method options or fall back to constructor-provided value.\n * @throws TypeError if clientId is not available from either source\n */\n private resolveClientId(clientId?: string): string {\n const resolved = clientId ?? this.clientId;\n if (!resolved) {\n throw new TypeError(\n 'clientId is required. Provide it in method options or when initializing WorkOS.',\n );\n }\n return resolved;\n }\n\n async getJWKS(): Promise<\n ReturnType<typeof import('jose').createRemoteJWKSet> | undefined\n > {\n const { createRemoteJWKSet } = await getJose();\n if (!this.clientId) {\n return;\n }\n\n // Set the JWKS URL. This is used to verify if the JWT is still valid\n this._jwks ??= createRemoteJWKSet(new URL(this.getJwksUrl(this.clientId)), {\n cooldownDuration: 1000 * 60 * 5,\n });\n\n return this._jwks;\n }\n\n /**\n * Loads a sealed session using the provided session data and cookie password.\n *\n * @param options - The options for loading the sealed session.\n * @param options.sessionData - The sealed session data.\n * @param options.cookiePassword - The password used to encrypt the session data.\n * @returns The session class.\n */\n loadSealedSession(options: {\n sessionData: string;\n cookiePassword: string;\n }): CookieSession {\n return new CookieSession(this, options.sessionData, options.cookiePassword);\n }\n\n async getUser(userId: string): Promise<User> {\n const { data } = await this.workos.get<UserResponse>(\n `/user_management/users/${userId}`,\n );\n\n return deserializeUser(data);\n }\n\n async getUserByExternalId(externalId: string): Promise<User> {\n const { data } = await this.workos.get<UserResponse>(\n `/user_management/users/external_id/${externalId}`,\n );\n\n return deserializeUser(data);\n }\n\n async listUsers(\n options?: ListUsersOptions,\n ): Promise<AutoPaginatable<User, SerializedListUsersOptions>> {\n return new AutoPaginatable(\n await fetchAndDeserialize<UserResponse, User>(\n this.workos,\n '/user_management/users',\n deserializeUser,\n options ? serializeListUsersOptions(options) : undefined,\n ),\n (params) =>\n fetchAndDeserialize<UserResponse, User>(\n this.workos,\n '/user_management/users',\n deserializeUser,\n params,\n ),\n options ? serializeListUsersOptions(options) : undefined,\n );\n }\n\n async createUser(payload: CreateUserOptions): Promise<User> {\n const { data } = await this.workos.post<\n UserResponse,\n SerializedCreateUserOptions\n >('/user_management/users', serializeCreateUserOptions(payload));\n\n return deserializeUser(data);\n }\n\n async authenticateWithMagicAuth(\n payload: AuthenticateWithMagicAuthOptions,\n ): Promise<AuthenticationResponse> {\n const { session, clientId, ...remainingPayload } = payload;\n const resolvedClientId = this.resolveClientId(clientId);\n\n const { data } = await this.workos.post<\n AuthenticationResponseResponse,\n SerializedAuthenticateWithMagicAuthOptions\n >(\n '/user_management/authenticate',\n serializeAuthenticateWithMagicAuthOptions({\n ...remainingPayload,\n clientId: resolvedClientId,\n clientSecret: this.workos.key,\n }),\n );\n\n return this.prepareAuthenticationResponse({\n authenticationResponse: deserializeAuthenticationResponse(data),\n session,\n });\n }\n\n async authenticateWithPassword(\n payload: AuthenticateWithPasswordOptions,\n ): Promise<AuthenticationResponse> {\n const { session, clientId, ...remainingPayload } = payload;\n const resolvedClientId = this.resolveClientId(clientId);\n\n const { data } = await this.workos.post<\n AuthenticationResponseResponse,\n SerializedAuthenticateWithPasswordOptions\n >(\n '/user_management/authenticate',\n serializeAuthenticateWithPasswordOptions({\n ...remainingPayload,\n clientId: resolvedClientId,\n clientSecret: this.workos.key,\n }),\n );\n\n return this.prepareAuthenticationResponse({\n authenticationResponse: deserializeAuthenticationResponse(data),\n session,\n });\n }\n\n /**\n * Exchange an authorization code for tokens.\n *\n * Auto-detects public vs confidential client mode:\n * - If codeVerifier is provided: Uses PKCE flow (public client)\n * - If no codeVerifier: Uses client_secret from API key (confidential client)\n * - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)\n *\n * Using PKCE with confidential clients is recommended by OAuth 2.1 for defense\n * in depth and provides additional CSRF protection on the authorization flow.\n *\n * @throws Error if neither codeVerifier nor API key is available\n */\n async authenticateWithCode(\n payload: AuthenticateWithCodeOptions,\n ): Promise<AuthenticationResponse> {\n const { session, clientId, codeVerifier, ...remainingPayload } = payload;\n const resolvedClientId = this.resolveClientId(clientId);\n\n // Validate codeVerifier is not an empty string (common mistake)\n if (codeVerifier !== undefined && codeVerifier.trim() === '') {\n throw new TypeError(\n 'codeVerifier cannot be an empty string. ' +\n 'Generate a valid PKCE pair using workos.pkce.generate().',\n );\n }\n\n const hasApiKey = !!this.workos.key;\n const hasPKCE = !!codeVerifier;\n\n if (!hasPKCE && !hasApiKey) {\n throw new TypeError(\n 'authenticateWithCode requires either a codeVerifier (for public clients) ' +\n 'or an API key configured on the WorkOS instance (for confidential clients).',\n );\n }\n\n const { data } = await this.workos.post<\n AuthenticationResponseResponse,\n SerializedAuthenticateWithCodeOptions\n >(\n '/user_management/authenticate',\n serializeAuthenticateWithCodeOptions({\n ...remainingPayload,\n clientId: resolvedClientId,\n codeVerifier,\n clientSecret: hasApiKey ? this.workos.key : undefined,\n }),\n { skipApiKeyCheck: !hasApiKey },\n );\n\n return this.prepareAuthenticationResponse({\n authenticationResponse: deserializeAuthenticationResponse(data),\n session,\n });\n }\n\n /**\n * Exchange an authorization code for tokens using PKCE (public client flow).\n * Use this instead of authenticateWithCode() when the client cannot securely\n * store a client_secret (browser, mobile, CLI, desktop apps).\n *\n * @param payload.clientId - Your WorkOS client ID\n * @param payload.code - The authorization code from the OAuth callback\n * @param payload.codeVerifier - The PKCE code verifier used to generate the code challenge\n */\n async authenticateWithCodeAndVerifier(\n payload: AuthenticateWithCodeAndVerifierOptions,\n ): Promise<AuthenticationResponse> {\n const { session, clientId, ...remainingPayload } = payload;\n const resolvedClientId = this.resolveClientId(clientId);\n\n const { data } = await this.workos.post<\n AuthenticationResponseResponse,\n SerializedAuthenticateWithCodeAndVerifierOptions\n >(\n '/user_management/authenticate',\n serializeAuthenticateWithCodeAndVerifierOptions({\n ...remainingPayload,\n clientId: resolvedClientId,\n }),\n { skipApiKeyCheck: true },\n );\n\n return this.prepareAuthenticationResponse({\n authenticationResponse: deserializeAuthenticationResponse(data),\n session,\n });\n }\n\n /**\n * Refresh an access token using a refresh token.\n * Automatically detects public client mode - if no API key is configured,\n * omits client_secret from the request.\n */\n async authenticateWithRefreshToken(\n payload: AuthenticateWithRefreshTokenOptions,\n ): Promise<AuthenticationResponse> {\n const { session, clientId, ...remainingPayload } = payload;\n const resolvedClientId = this.resolveClientId(clientId);\n const isPublicClient = !this.workos.key;\n\n const body = isPublicClient\n ? serializeAuthenticateWithRefreshTokenPublicClientOptions({\n ...remainingPayload,\n clientId: resolvedClientId,\n })\n : serializeAuthenticateWithRefreshTokenOptions({\n ...remainingPayload,\n clientId: resolvedClientId,\n clientSecret: this.workos.key,\n });\n\n const { data } = await this.workos.post<\n AuthenticationResponseResponse,\n | SerializedAuthenticateWithRefreshTokenOptions\n | SerializedAuthenticateWithRefreshTokenPublicClientOptions\n >('/user_management/authenticate', body, {\n skipApiKeyCheck: isPublicClient,\n });\n\n return this.prepareAuthenticationResponse({\n authenticationResponse: deserializeAuthenticationResponse(data),\n session,\n });\n }\n\n async authenticateWithTotp(\n payload: AuthenticateWithTotpOptions,\n ): Promise<AuthenticationResponse> {\n const { session, clientId, ...remainingPayload } = payload;\n const resolvedClientId = this.resolveClientId(clientId);\n\n const { data } = await this.workos.post<\n AuthenticationResponseResponse,\n SerializedAuthenticateWithTotpOptions\n >(\n '/user_management/authenticate',\n serializeAuthenticateWithTotpOptions({\n ...remainingPayload,\n clientId: resolvedClientId,\n clientSecret: this.workos.key,\n }),\n );\n\n return this.prepareAuthenticationResponse({\n authenticationResponse: deserializeAuthenticationResponse(data),\n session,\n });\n }\n\n async authenticateWithEmailVerification(\n payload: AuthenticateWithEmailVerificationOptions,\n ): Promise<AuthenticationResponse> {\n const { session, clientId, ...remainingPayload } = payload;\n const resolvedClientId = this.resolveClientId(clientId);\n\n const { data } = await this.workos.post<\n AuthenticationResponseResponse,\n SerializedAuthenticateWithEmailVerificationOptions\n >(\n '/user_management/authenticate',\n serializeAuthenticateWithEmailVerificationOptions({\n ...remainingPayload,\n clientId: resolvedClientId,\n clientSecret: this.workos.key,\n }),\n );\n\n return this.prepareAuthenticationResponse({\n authenticationResponse: deserializeAuthenticationResponse(data),\n session,\n });\n }\n\n async authenticateWithOrganizationSelection(\n payload: AuthenticateWithOrganizationSelectionOptions,\n ): Promise<AuthenticationResponse> {\n const { session, clientId, ...remainingPayload } = payload;\n const resolvedClientId = this.resolveClientId(clientId);\n\n const { data } = await this.workos.post<\n AuthenticationResponseResponse,\n SerializedAuthenticateWithOrganizationSelectionOptions\n >(\n '/user_management/authenticate',\n serializeAuthenticateWithOrganizationSelectionOptions({\n ...remainingPayload,\n clientId: resolvedClientId,\n clientSecret: this.workos.key,\n }),\n );\n\n return this.prepareAuthenticationResponse({\n authenticationResponse: deserializeAuthenticationResponse(data),\n session,\n });\n }\n\n async authenticateWithSessionCookie({\n sessionData,\n cookiePassword = getEnv('WORKOS_COOKIE_PASSWORD'),\n }: AuthenticateWithSessionCookieOptions): Promise<\n | AuthenticateWithSessionCookieSuccessResponse\n | AuthenticateWithSessionCookieFailedResponse\n > {\n if (!cookiePassword) {\n throw new Error('Cookie password is required');\n }\n\n const jwks = await this.getJWKS();\n\n if (!jwks) {\n throw new Error('Must provide clientId to initialize JWKS');\n }\n\n const { decodeJwt } = await getJose();\n\n if (!sessionData) {\n return {\n authenticated: false,\n reason:\n AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED,\n };\n }\n\n const session = await unsealData<SessionCookieData>(sessionData, {\n password: cookiePassword,\n });\n\n if (!session.accessToken) {\n return {\n authenticated: false,\n reason:\n AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n };\n }\n\n if (!(await this.isValidJwt(session.accessToken))) {\n return {\n authenticated: false,\n reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT,\n };\n }\n\n const {\n sid: sessionId,\n org_id: organizationId,\n role,\n roles,\n permissions,\n entitlements,\n feature_flags: featureFlags,\n } = decodeJwt<AccessToken>(session.accessToken);\n\n return {\n authenticated: true,\n sessionId,\n organizationId,\n role,\n roles,\n user: session.user,\n permissions,\n entitlements,\n featureFlags,\n accessToken: session.accessToken,\n authenticationMethod: session.authenticationMethod,\n };\n }\n\n private async isValidJwt(accessToken: string): Promise<boolean> {\n const jwks = await this.getJWKS();\n const { jwtVerify } = await getJose();\n if (!jwks) {\n throw new Error('Must provide clientId to initialize JWKS');\n }\n\n try {\n await jwtVerify(accessToken, jwks);\n return true;\n } catch (e) {\n // Only treat as invalid JWT if it's an actual JWT/JWS error from jose\n // Network errors, crypto failures, etc. should propagate\n if (\n e instanceof Error &&\n 'code' in e &&\n typeof e.code === 'string' &&\n (e.code.startsWith('ERR_JWT_') || e.code.startsWith('ERR_JWS_'))\n ) {\n return false;\n }\n throw e;\n }\n }\n\n private async prepareAuthenticationResponse({\n authenticationResponse,\n session,\n }: {\n authenticationResponse: AuthenticationResponse;\n session?: AuthenticateWithSessionOptions;\n }): Promise<AuthenticationResponse> {\n if (session?.sealSession) {\n if (!this.workos.key) {\n throw new Error(\n 'Session sealing requires server-side usage with an API key. ' +\n 'Public clients should store tokens directly ' +\n '(e.g., secure storage on mobile, keychain on desktop).',\n );\n }\n\n return {\n ...authenticationResponse,\n sealedSession: await this.sealSessionDataFromAuthenticationResponse({\n authenticationResponse,\n cookiePassword: session.cookiePassword,\n }),\n };\n }\n\n return authenticationResponse;\n }\n\n private async sealSessionDataFromAuthenticationResponse({\n authenticationResponse,\n cookiePassword,\n }: {\n authenticationResponse: AuthenticationResponse;\n cookiePassword?: string;\n }): Promise<string> {\n if (!cookiePassword) {\n throw new Error('Cookie password is required');\n }\n\n const { decodeJwt } = await getJose();\n\n const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(\n authenticationResponse.accessToken,\n );\n\n const sessionData: SessionCookieData = {\n organizationId: organizationIdFromAccessToken,\n user: authenticationResponse.user,\n accessToken: authenticationResponse.accessToken,\n refreshToken: authenticationResponse.refreshToken,\n authenticationMethod: authenticationResponse.authenticationMethod,\n impersonator: authenticationResponse.impersonator,\n };\n\n return sealData(sessionData, {\n password: cookiePassword,\n });\n }\n\n async getSessionFromCookie({\n sessionData,\n cookiePassword = getEnv('WORKOS_COOKIE_PASSWORD'),\n }: SessionHandlerOptions): Promise<SessionCookieData | undefined> {\n if (!cookiePassword) {\n throw new Error('Cookie password is required');\n }\n\n if (sessionData) {\n return unsealData<SessionCookieData>(sessionData, {\n password: cookiePassword,\n });\n }\n\n return undefined;\n }\n\n async getEmailVerification(\n emailVerificationId: string,\n ): Promise<EmailVerification> {\n const { data } = await this.workos.get<EmailVerificationResponse>(\n `/user_management/email_verification/${emailVerificationId}`,\n );\n\n return deserializeEmailVerification(data);\n }\n\n async sendVerificationEmail({\n userId,\n }: SendVerificationEmailOptions): Promise<{ user: User }> {\n const { data } = await this.workos.post<{ user: UserResponse }>(\n `/user_management/users/${userId}/email_verification/send`,\n {},\n );\n\n return { user: deserializeUser(data.user) };\n }\n\n async getMagicAuth(magicAuthId: string): Promise<MagicAuth> {\n const { data } = await this.workos.get<MagicAuthResponse>(\n `/user_management/magic_auth/${magicAuthId}`,\n );\n\n return deserializeMagicAuth(data);\n }\n\n async createMagicAuth(options: CreateMagicAuthOptions): Promise<MagicAuth> {\n const { data } = await this.workos.post<\n MagicAuthResponse,\n SerializedCreateMagicAuthOptions\n >(\n '/user_management/magic_auth',\n serializeCreateMagicAuthOptions({\n ...options,\n }),\n );\n\n return deserializeMagicAuth(data);\n }\n\n async verifyEmail({\n code,\n userId,\n }: VerifyEmailOptions): Promise<{ user: User }> {\n const { data } = await this.workos.post<\n { user: UserResponse },\n SerializedVerifyEmailOptions\n >(`/user_management/users/${userId}/email_verification/confirm`, {\n code,\n });\n\n return { user: deserializeUser(data.user) };\n }\n\n async getPasswordReset(passwordResetId: string): Promise<PasswordReset> {\n const { data } = await this.workos.get<PasswordResetResponse>(\n `/user_management/password_reset/${passwordResetId}`,\n );\n\n return deserializePasswordReset(data);\n }\n\n async createPasswordReset(\n options: CreatePasswordResetOptions,\n ): Promise<PasswordReset> {\n const { data } = await this.workos.post<\n PasswordResetResponse,\n SerializedCreatePasswordResetOptions\n >(\n '/user_management/password_reset',\n serializeCreatePasswordResetOptions({\n ...options,\n }),\n );\n\n return deserializePasswordReset(data);\n }\n\n async resetPassword(payload: ResetPasswordOptions): Promise<{ user: User }> {\n const { data } = await this.workos.post<\n { user: UserResponse },\n SerializedResetPasswordOptions\n >(\n '/user_management/password_reset/confirm',\n serializeResetPasswordOptions(payload),\n );\n\n return { user: deserializeUser(data.user) };\n }\n\n async updateUser(payload: UpdateUserOptions): Promise<User> {\n const { data } = await this.workos.put<UserResponse>(\n `/user_management/users/${payload.userId}`,\n serializeUpdateUserOptions(payload),\n );\n\n return deserializeUser(data);\n }\n\n async enrollAuthFactor(payload: EnrollAuthFactorOptions): Promise<{\n authenticationFactor: FactorWithSecrets;\n authenticationChallenge: Challenge;\n }> {\n const { data } = await this.workos.post<{\n authentication_factor: FactorWithSecretsResponse;\n authentication_challenge: ChallengeResponse;\n }>(\n `/user_management/users/${payload.userId}/auth_factors`,\n serializeEnrollAuthFactorOptions(payload),\n );\n\n return {\n authenticationFactor: deserializeFactorWithSecrets(\n data.authentication_factor,\n ),\n authenticationChallenge: deserializeChallenge(\n data.authentication_challenge,\n ),\n };\n }\n\n async listAuthFactors(\n options: ListAuthFactorsOptions,\n ): Promise<AutoPaginatable<Factor, PaginationOptions>> {\n const { userId, ...restOfOptions } = options;\n return new AutoPaginatable(\n await fetchAndDeserialize<FactorResponse, Factor>(\n this.workos,\n `/user_management/users/${userId}/auth_factors`,\n deserializeFactor,\n restOfOptions,\n ),\n (params) =>\n fetchAndDeserialize<FactorResponse, Factor>(\n this.workos,\n `/user_management/users/${userId}/auth_factors`,\n deserializeFactor,\n params,\n ),\n restOfOptions,\n );\n }\n\n async listUserFeatureFlags(\n options: ListUserFeatureFlagsOptions,\n ): Promise<AutoPaginatable<FeatureFlag>> {\n const { userId, ...paginationOptions } = options;\n\n return new AutoPaginatable(\n await fetchAndDeserialize<FeatureFlagResponse, FeatureFlag>(\n this.workos,\n `/user_management/users/${userId}/feature-flags`,\n deserializeFeatureFlag,\n paginationOptions,\n ),\n (params) =>\n fetchAndDeserialize<FeatureFlagResponse, FeatureFlag>(\n this.workos,\n `/user_management/users/${userId}/feature-flags`,\n deserializeFeatureFlag,\n params,\n ),\n paginationOptions,\n );\n }\n\n async listSessions(\n userId: string,\n options?: ListSessionsOptions,\n ): Promise<AutoPaginatable<Session, SerializedListSessionsOptions>> {\n return new AutoPaginatable(\n await fetchAndDeserialize<SessionResponse, Session>(\n this.workos,\n `/user_management/users/${userId}/sessions`,\n deserializeSession,\n options ? serializeListSessionsOptions(options) : undefined,\n ),\n (params) =>\n fetchAndDeserialize<SessionResponse, Session>(\n this.workos,\n `/user_management/users/${userId}/sessions`,\n deserializeSession,\n params,\n ),\n options ? serializeListSessionsOptions(options) : undefined,\n );\n }\n\n async deleteUser(userId: string) {\n await this.workos.delete(`/user_management/users/${userId}`);\n }\n\n async getUserIdentities(userId: string): Promise<Identity[]> {\n if (!userId) {\n throw new TypeError(`Incomplete arguments. Need to specify 'userId'.`);\n }\n\n const { data } = await this.workos.get<IdentityResponse[]>(\n `/user_management/users/${userId}/identities`,\n );\n\n return deserializeIdentities(data);\n }\n\n async getOrganizationMembership(\n organizationMembershipId: string,\n ): Promise<OrganizationMembership> {\n const { data } = await this.workos.get<OrganizationMembershipResponse>(\n `/user_management/organization_memberships/${organizationMembershipId}`,\n );\n\n return deserializeOrganizationMembership(data);\n }\n\n async listOrganizationMemberships(\n options: ListOrganizationMembershipsOptions,\n ): Promise<\n AutoPaginatable<\n OrganizationMembership,\n SerializedListOrganizationMembershipsOptions\n >\n > {\n const serializedOptions =\n serializeListOrganizationMembershipsOptions(options);\n\n return new AutoPaginatable(\n await fetchAndDeserialize<\n OrganizationMembershipResponse,\n OrganizationMembership\n >(\n this.workos,\n '/user_management/organization_memberships',\n deserializeOrganizationMembership,\n serializedOptions,\n ),\n (params) =>\n fetchAndDeserialize<\n OrganizationMembershipResponse,\n OrganizationMembership\n >(\n this.workos,\n '/user_management/organization_memberships',\n deserializeOrganizationMembership,\n params,\n ),\n serializedOptions,\n );\n }\n\n async createOrganizationMembership(\n options: CreateOrganizationMembershipOptions,\n ): Promise<OrganizationMembership> {\n const { data } = await this.workos.post<\n OrganizationMembershipResponse,\n SerializedCreateOrganizationMembershipOptions\n >(\n '/user_management/organization_memberships',\n serializeCreateOrganizationMembershipOptions(options),\n );\n\n return deserializeOrganizationMembership(data);\n }\n\n async updateOrganizationMembership(\n organizationMembershipId: string,\n options: UpdateOrganizationMembershipOptions,\n ): Promise<OrganizationMembership> {\n const { data } = await this.workos.put<\n OrganizationMembershipResponse,\n SerializedUpdateOrganizationMembershipOptions\n >(\n `/user_management/organization_memberships/${organizationMembershipId}`,\n serializeUpdateOrganizationMembershipOptions(options),\n );\n\n return deserializeOrganizationMembership(data);\n }\n\n async deleteOrganizationMembership(\n organizationMembershipId: string,\n ): Promise<void> {\n await this.workos.delete(\n `/user_management/organization_memberships/${organizationMembershipId}`,\n );\n }\n\n async deactivateOrganizationMembership(\n organizationMembershipId: string,\n ): Promise<OrganizationMembership> {\n const { data } = await this.workos.put<OrganizationMembershipResponse>(\n `/user_management/organization_memberships/${organizationMembershipId}/deactivate`,\n {},\n );\n\n return deserializeOrganizationMembership(data);\n }\n\n async reactivateOrganizationMembership(\n organizationMembershipId: string,\n ): Promise<OrganizationMembership> {\n const { data } = await this.workos.put<OrganizationMembershipResponse>(\n `/user_management/organization_memberships/${organizationMembershipId}/reactivate`,\n {},\n );\n\n return deserializeOrganizationMembership(data);\n }\n\n async getInvitation(invitationId: string): Promise<Invitation> {\n const { data } = await this.workos.get<InvitationResponse>(\n `/user_management/invitations/${invitationId}`,\n );\n\n return deserializeInvitation(data);\n }\n\n async findInvitationByToken(invitationToken: string): Promise<Invitation> {\n const { data } = await this.workos.get<InvitationResponse>(\n `/user_management/invitations/by_token/${invitationToken}`,\n );\n\n return deserializeInvitation(data);\n }\n\n async listInvitations(\n options: ListInvitationsOptions,\n ): Promise<AutoPaginatable<Invitation, SerializedListInvitationsOptions>> {\n return new AutoPaginatable(\n await fetchAndDeserialize<InvitationResponse, Invitation>(\n this.workos,\n '/user_management/invitations',\n deserializeInvitation,\n options ? serializeListInvitationsOptions(options) : undefined,\n ),\n (params) =>\n fetchAndDeserialize<InvitationResponse, Invitation>(\n this.workos,\n '/user_management/invitations',\n deserializeInvitation,\n params,\n ),\n options ? serializeListInvitationsOptions(options) : undefined,\n );\n }\n\n async sendInvitation(payload: SendInvitationOptions): Promise<Invitation> {\n const { data } = await this.workos.post<\n InvitationResponse,\n SerializedSendInvitationOptions\n >(\n '/user_management/invitations',\n serializeSendInvitationOptions({\n ...payload,\n }),\n );\n\n return deserializeInvitation(data);\n }\n\n async acceptInvitation(invitationId: string): Promise<Invitation> {\n const { data } = await this.workos.post<InvitationResponse, any>(\n `/user_management/invitations/${invitationId}/accept`,\n null,\n );\n\n return deserializeInvitation(data);\n }\n\n async revokeInvitation(invitationId: string): Promise<Invitation> {\n const { data } = await this.workos.post<InvitationResponse, any>(\n `/user_management/invitations/${invitationId}/revoke`,\n null,\n );\n\n return deserializeInvitation(data);\n }\n\n async resendInvitation(invitationId: string): Promise<Invitation> {\n const { data } = await this.workos.post<InvitationResponse, any>(\n `/user_management/invitations/${invitationId}/resend`,\n null,\n );\n\n return deserializeInvitation(data);\n }\n\n async revokeSession(payload: RevokeSessionOptions): Promise<void> {\n await this.workos.post<void, SerializedRevokeSessionOptions>(\n '/user_management/sessions/revoke',\n serializeRevokeSessionOptions(payload),\n );\n }\n\n /**\n * Generate an OAuth 2.0 authorization URL.\n *\n * For public clients (browser, mobile, CLI), include PKCE parameters:\n * - Generate PKCE using workos.pkce.generate()\n * - Pass codeChallenge and codeChallengeMethod here\n * - Store codeVerifier and pass to authenticateWithCode() later\n *\n * Or use getAuthorizationUrlWithPKCE() which handles PKCE automatically.\n */\n getAuthorizationUrl(options: UserManagementAuthorizationURLOptions): string {\n const {\n connectionId,\n codeChallenge,\n codeChallengeMethod,\n clientId,\n domainHint,\n loginHint,\n organizationId,\n provider,\n providerQueryParams,\n providerScopes,\n prompt,\n redirectUri,\n state,\n screenHint,\n } = options;\n const resolvedClientId = this.resolveClientId(clientId);\n\n if (!provider && !connectionId && !organizationId) {\n throw new TypeError(\n `Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`,\n );\n }\n\n if (provider !== 'authkit' && screenHint) {\n throw new TypeError(\n `'screenHint' is only supported for 'authkit' provider`,\n );\n }\n\n const query = toQueryString({\n connection_id: connectionId,\n code_challenge: codeChallenge,\n code_challenge_method: codeChallengeMethod,\n organization_id: organizationId,\n domain_hint: domainHint,\n login_hint: loginHint,\n provider,\n provider_query_params: providerQueryParams,\n provider_scopes: providerScopes,\n prompt,\n client_id: resolvedClientId,\n redirect_uri: redirectUri,\n response_type: 'code',\n state,\n screen_hint: screenHint,\n });\n\n return `${this.workos.baseURL}/user_management/authorize?${query}`;\n }\n\n /**\n * Generate an OAuth 2.0 authorization URL with automatic PKCE.\n *\n * This method generates PKCE parameters internally and returns them along with\n * the authorization URL. Use this for public clients (CLI apps, Electron, mobile)\n * that cannot securely store a client secret.\n *\n * @returns Object containing url, state, and codeVerifier\n *\n * @example\n * ```typescript\n * const { url, state, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({\n * provider: 'authkit',\n * clientId: 'client_123',\n * redirectUri: 'myapp://callback',\n * });\n *\n * // Store state and codeVerifier securely, then redirect user to url\n * // After callback, exchange the code:\n * const response = await workos.userManagement.authenticateWithCode({\n * code: authorizationCode,\n * codeVerifier,\n * clientId: 'client_123',\n * });\n * ```\n */\n async getAuthorizationUrlWithPKCE(\n options: Omit<\n UserManagementAuthorizationURLOptions,\n 'codeChallenge' | 'codeChallengeMethod' | 'state'\n >,\n ): Promise<PKCEAuthorizationURLResult> {\n const {\n clientId,\n connectionId,\n domainHint,\n loginHint,\n organizationId,\n provider,\n providerQueryParams,\n providerScopes,\n prompt,\n redirectUri,\n screenHint,\n } = options;\n const resolvedClientId = this.resolveClientId(clientId);\n\n if (!provider && !connectionId && !organizationId) {\n throw new TypeError(\n `Incomplete arguments. Need to specify either a 'connectionId', 'organizationId', or 'provider'.`,\n );\n }\n\n if (provider !== 'authkit' && screenHint) {\n throw new TypeError(\n `'screenHint' is only supported for 'authkit' provider`,\n );\n }\n\n // Generate PKCE parameters\n const pkce = await this.workos.pkce.generate();\n\n // Generate secure random state\n const state = this.workos.pkce.generateCodeVerifier(43);\n\n const query = toQueryString({\n connection_id: connectionId,\n code_challenge: pkce.codeChallenge,\n code_challenge_method: 'S256',\n organization_id: organizationId,\n domain_hint: domainHint,\n login_hint: loginHint,\n provider,\n provider_query_params: providerQueryParams,\n provider_scopes: providerScopes,\n prompt,\n client_id: resolvedClientId,\n redirect_uri: redirectUri,\n response_type: 'code',\n state,\n screen_hint: screenHint,\n });\n\n const url = `${this.workos.baseURL}/user_management/authorize?${query}`;\n\n return { url, state, codeVerifier: pkce.codeVerifier };\n }\n\n getLogoutUrl(options: LogoutURLOptions): string {\n const { sessionId, returnTo } = options;\n\n if (!sessionId) {\n throw new TypeError(`Incomplete arguments. Need to specify 'sessionId'.`);\n }\n\n const url = new URL(\n '/user_management/sessions/logout',\n this.workos.baseURL,\n );\n\n url.searchParams.set('session_id', sessionId);\n if (returnTo) {\n url.searchParams.set('return_to', returnTo);\n }\n\n return url.toString();\n }\n\n getJwksUrl(clientId: string): string {\n if (!clientId) {\n throw new TypeError('clientId must be a valid clientId');\n }\n\n return `${this.workos.baseURL}/sso/jwks/${clientId}`;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiKA,IAAa,iBAAb,MAA4B;CAC1B,AAAQ;CAGR,AAAO;CAEP,YAAY,AAAiBA,QAAgB;EAAhB;EAC3B,MAAM,EAAE,aAAa,OAAO;AAE5B,OAAK,WAAW;;;;;;CAOlB,AAAQ,gBAAgB,UAA2B;EACjD,MAAM,WAAW,YAAY,KAAK;AAClC,MAAI,CAAC,SACH,OAAM,IAAI,UACR,kFACD;AAEH,SAAO;;CAGT,MAAM,UAEJ;EACA,MAAM,EAAE,uBAAuB,MAAM,SAAS;AAC9C,MAAI,CAAC,KAAK,SACR;AAIF,OAAK,UAAU,mBAAmB,IAAI,IAAI,KAAK,WAAW,KAAK,SAAS,CAAC,EAAE,EACzE,kBAAkB,MAAO,KAAK,GAC/B,CAAC;AAEF,SAAO,KAAK;;;;;;;;;;CAWd,kBAAkB,SAGA;AAChB,SAAO,IAAI,cAAc,MAAM,QAAQ,aAAa,QAAQ,eAAe;;CAG7E,MAAM,QAAQ,QAA+B;EAC3C,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,SAC3B;AAED,SAAO,gBAAgB,KAAK;;CAG9B,MAAM,oBAAoB,YAAmC;EAC3D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,sCAAsC,aACvC;AAED,SAAO,gBAAgB,KAAK;;CAG9B,MAAM,UACJ,SAC4D;AAC5D,SAAO,IAAI,gBACT,MAAM,oBACJ,KAAK,QACL,0BACA,iBACA,UAAU,0BAA0B,QAAQ,GAAG,OAChD,GACA,WACC,oBACE,KAAK,QACL,0BACA,iBACA,OACD,EACH,UAAU,0BAA0B,QAAQ,GAAG,OAChD;;CAGH,MAAM,WAAW,SAA2C;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAGjC,0BAA0B,2BAA2B,QAAQ,CAAC;AAEhE,SAAO,gBAAgB,KAAK;;CAG9B,MAAM,0BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACA,0CAA0C;GACxC,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwB,kCAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,yBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACA,yCAAyC;GACvC,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwB,kCAAkC,KAAK;GAC/D;GACD,CAAC;;;;;;;;;;;;;;;CAgBJ,MAAM,qBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,cAAc,GAAG,qBAAqB;EACjE,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;AAGvD,MAAI,iBAAiB,UAAa,aAAa,MAAM,KAAK,GACxD,OAAM,IAAI,UACR,mGAED;EAGH,MAAM,YAAY,CAAC,CAAC,KAAK,OAAO;AAGhC,MAAI,CAFY,CAAC,CAAC,gBAEF,CAAC,UACf,OAAM,IAAI,UACR,uJAED;EAGH,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACA,qCAAqC;GACnC,GAAG;GACH,UAAU;GACV;GACA,cAAc,YAAY,KAAK,OAAO,MAAM;GAC7C,CAAC,EACF,EAAE,iBAAiB,CAAC,WAAW,CAChC;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwB,kCAAkC,KAAK;GAC/D;GACD,CAAC;;;;;;;;;;;CAYJ,MAAM,gCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACA,gDAAgD;GAC9C,GAAG;GACH,UAAU;GACX,CAAC,EACF,EAAE,iBAAiB,MAAM,CAC1B;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwB,kCAAkC,KAAK;GAC/D;GACD,CAAC;;;;;;;CAQJ,MAAM,6BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EACvD,MAAM,iBAAiB,CAAC,KAAK,OAAO;EAEpC,MAAM,OAAO,iBACT,yDAAyD;GACvD,GAAG;GACH,UAAU;GACX,CAAC,GACF,6CAA6C;GAC3C,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC;EAEN,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCAAiC,MAAM,EACvC,iBAAiB,gBAClB,CAAC;AAEF,SAAO,KAAK,8BAA8B;GACxC,wBAAwB,kCAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,qBACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACA,qCAAqC;GACnC,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwB,kCAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,kCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACA,kDAAkD;GAChD,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwB,kCAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,sCACJ,SACiC;EACjC,MAAM,EAAE,SAAS,UAAU,GAAG,qBAAqB;EACnD,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;EAEvD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,iCACA,sDAAsD;GACpD,GAAG;GACH,UAAU;GACV,cAAc,KAAK,OAAO;GAC3B,CAAC,CACH;AAED,SAAO,KAAK,8BAA8B;GACxC,wBAAwB,kCAAkC,KAAK;GAC/D;GACD,CAAC;;CAGJ,MAAM,8BAA8B,EAClC,aACA,iBAAiB,OAAO,yBAAyB,IAIjD;AACA,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;AAKhD,MAAI,CAFS,MAAM,KAAK,SAAS,CAG/B,OAAM,IAAI,MAAM,2CAA2C;EAG7D,MAAM,EAAE,cAAc,MAAM,SAAS;AAErC,MAAI,CAAC,YACH,QAAO;GACL,eAAe;GACf,QACE,2CAA2C;GAC9C;EAGH,MAAM,UAAU,MAAM,WAA8B,aAAa,EAC/D,UAAU,gBACX,CAAC;AAEF,MAAI,CAAC,QAAQ,YACX,QAAO;GACL,eAAe;GACf,QACE,2CAA2C;GAC9C;AAGH,MAAI,CAAE,MAAM,KAAK,WAAW,QAAQ,YAAY,CAC9C,QAAO;GACL,eAAe;GACf,QAAQ,2CAA2C;GACpD;EAGH,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,QAAQ,YAAY;AAE/C,SAAO;GACL,eAAe;GACf;GACA;GACA;GACA;GACA,MAAM,QAAQ;GACd;GACA;GACA;GACA,aAAa,QAAQ;GACrB,sBAAsB,QAAQ;GAC/B;;CAGH,MAAc,WAAW,aAAuC;EAC9D,MAAM,OAAO,MAAM,KAAK,SAAS;EACjC,MAAM,EAAE,cAAc,MAAM,SAAS;AACrC,MAAI,CAAC,KACH,OAAM,IAAI,MAAM,2CAA2C;AAG7D,MAAI;AACF,SAAM,UAAU,aAAa,KAAK;AAClC,UAAO;WACA,GAAG;AAGV,OACE,aAAa,SACb,UAAU,KACV,OAAO,EAAE,SAAS,aACjB,EAAE,KAAK,WAAW,WAAW,IAAI,EAAE,KAAK,WAAW,WAAW,EAE/D,QAAO;AAET,SAAM;;;CAIV,MAAc,8BAA8B,EAC1C,wBACA,WAIkC;AAClC,MAAI,SAAS,aAAa;AACxB,OAAI,CAAC,KAAK,OAAO,IACf,OAAM,IAAI,MACR,iKAGD;AAGH,UAAO;IACL,GAAG;IACH,eAAe,MAAM,KAAK,0CAA0C;KAClE;KACA,gBAAgB,QAAQ;KACzB,CAAC;IACH;;AAGH,SAAO;;CAGT,MAAc,0CAA0C,EACtD,wBACA,kBAIkB;AAClB,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;EAGhD,MAAM,EAAE,cAAc,MAAM,SAAS;EAErC,MAAM,EAAE,QAAQ,kCAAkC,UAChD,uBAAuB,YACxB;AAWD,SAAO,SATgC;GACrC,gBAAgB;GAChB,MAAM,uBAAuB;GAC7B,aAAa,uBAAuB;GACpC,cAAc,uBAAuB;GACrC,sBAAsB,uBAAuB;GAC7C,cAAc,uBAAuB;GACtC,EAE4B,EAC3B,UAAU,gBACX,CAAC;;CAGJ,MAAM,qBAAqB,EACzB,aACA,iBAAiB,OAAO,yBAAyB,IACe;AAChE,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,8BAA8B;AAGhD,MAAI,YACF,QAAO,WAA8B,aAAa,EAChD,UAAU,gBACX,CAAC;;CAMN,MAAM,qBACJ,qBAC4B;EAC5B,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,uCAAuC,sBACxC;AAED,SAAO,6BAA6B,KAAK;;CAG3C,MAAM,sBAAsB,EAC1B,UACwD;EACxD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,0BAA0B,OAAO,2BACjC,EAAE,CACH;AAED,SAAO,EAAE,MAAM,gBAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,aAAa,aAAyC;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,+BAA+B,cAChC;AAED,SAAO,qBAAqB,KAAK;;CAGnC,MAAM,gBAAgB,SAAqD;EACzE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,+BACA,gCAAgC,EAC9B,GAAG,SACJ,CAAC,CACH;AAED,SAAO,qBAAqB,KAAK;;CAGnC,MAAM,YAAY,EAChB,MACA,UAC8C;EAC9C,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAGjC,0BAA0B,OAAO,8BAA8B,EAC/D,MACD,CAAC;AAEF,SAAO,EAAE,MAAM,gBAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,iBAAiB,iBAAiD;EACtE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,mCAAmC,kBACpC;AAED,SAAO,yBAAyB,KAAK;;CAGvC,MAAM,oBACJ,SACwB;EACxB,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,mCACA,oCAAoC,EAClC,GAAG,SACJ,CAAC,CACH;AAED,SAAO,yBAAyB,KAAK;;CAGvC,MAAM,cAAc,SAAwD;EAC1E,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,2CACA,8BAA8B,QAAQ,CACvC;AAED,SAAO,EAAE,MAAM,gBAAgB,KAAK,KAAK,EAAE;;CAG7C,MAAM,WAAW,SAA2C;EAC1D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,QAAQ,UAClC,2BAA2B,QAAQ,CACpC;AAED,SAAO,gBAAgB,KAAK;;CAG9B,MAAM,iBAAiB,SAGpB;EACD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,0BAA0B,QAAQ,OAAO,gBACzC,iCAAiC,QAAQ,CAC1C;AAED,SAAO;GACL,sBAAsB,6BACpB,KAAK,sBACN;GACD,yBAAyB,qBACvB,KAAK,yBACN;GACF;;CAGH,MAAM,gBACJ,SACqD;EACrD,MAAM,EAAE,QAAQ,GAAG,kBAAkB;AACrC,SAAO,IAAI,gBACT,MAAM,oBACJ,KAAK,QACL,0BAA0B,OAAO,gBACjC,mBACA,cACD,GACA,WACC,oBACE,KAAK,QACL,0BAA0B,OAAO,gBACjC,mBACA,OACD,EACH,cACD;;CAGH,MAAM,qBACJ,SACuC;EACvC,MAAM,EAAE,QAAQ,GAAG,sBAAsB;AAEzC,SAAO,IAAI,gBACT,MAAM,oBACJ,KAAK,QACL,0BAA0B,OAAO,iBACjC,wBACA,kBACD,GACA,WACC,oBACE,KAAK,QACL,0BAA0B,OAAO,iBACjC,wBACA,OACD,EACH,kBACD;;CAGH,MAAM,aACJ,QACA,SACkE;AAClE,SAAO,IAAI,gBACT,MAAM,oBACJ,KAAK,QACL,0BAA0B,OAAO,YACjC,oBACA,UAAU,6BAA6B,QAAQ,GAAG,OACnD,GACA,WACC,oBACE,KAAK,QACL,0BAA0B,OAAO,YACjC,oBACA,OACD,EACH,UAAU,6BAA6B,QAAQ,GAAG,OACnD;;CAGH,MAAM,WAAW,QAAgB;AAC/B,QAAM,KAAK,OAAO,OAAO,0BAA0B,SAAS;;CAG9D,MAAM,kBAAkB,QAAqC;AAC3D,MAAI,CAAC,OACH,OAAM,IAAI,UAAU,kDAAkD;EAGxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,0BAA0B,OAAO,aAClC;AAED,SAAO,sBAAsB,KAAK;;CAGpC,MAAM,0BACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,2BAC9C;AAED,SAAO,kCAAkC,KAAK;;CAGhD,MAAM,4BACJ,SAMA;EACA,MAAM,oBACJ,4CAA4C,QAAQ;AAEtD,SAAO,IAAI,gBACT,MAAM,oBAIJ,KAAK,QACL,6CACA,mCACA,kBACD,GACA,WACC,oBAIE,KAAK,QACL,6CACA,mCACA,OACD,EACH,kBACD;;CAGH,MAAM,6BACJ,SACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,6CACA,6CAA6C,QAAQ,CACtD;AAED,SAAO,kCAAkC,KAAK;;CAGhD,MAAM,6BACJ,0BACA,SACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IAIjC,6CAA6C,4BAC7C,6CAA6C,QAAQ,CACtD;AAED,SAAO,kCAAkC,KAAK;;CAGhD,MAAM,6BACJ,0BACe;AACf,QAAM,KAAK,OAAO,OAChB,6CAA6C,2BAC9C;;CAGH,MAAM,iCACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,yBAAyB,cACtE,EAAE,CACH;AAED,SAAO,kCAAkC,KAAK;;CAGhD,MAAM,iCACJ,0BACiC;EACjC,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,6CAA6C,yBAAyB,cACtE,EAAE,CACH;AAED,SAAO,kCAAkC,KAAK;;CAGhD,MAAM,cAAc,cAA2C;EAC7D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gCAAgC,eACjC;AAED,SAAO,sBAAsB,KAAK;;CAGpC,MAAM,sBAAsB,iBAA8C;EACxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,yCAAyC,kBAC1C;AAED,SAAO,sBAAsB,KAAK;;CAGpC,MAAM,gBACJ,SACwE;AACxE,SAAO,IAAI,gBACT,MAAM,oBACJ,KAAK,QACL,gCACA,uBACA,UAAU,gCAAgC,QAAQ,GAAG,OACtD,GACA,WACC,oBACE,KAAK,QACL,gCACA,uBACA,OACD,EACH,UAAU,gCAAgC,QAAQ,GAAG,OACtD;;CAGH,MAAM,eAAe,SAAqD;EACxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAIjC,gCACA,+BAA+B,EAC7B,GAAG,SACJ,CAAC,CACH;AAED,SAAO,sBAAsB,KAAK;;CAGpC,MAAM,iBAAiB,cAA2C;EAChE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,gCAAgC,aAAa,UAC7C,KACD;AAED,SAAO,sBAAsB,KAAK;;CAGpC,MAAM,iBAAiB,cAA2C;EAChE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,gCAAgC,aAAa,UAC7C,KACD;AAED,SAAO,sBAAsB,KAAK;;CAGpC,MAAM,iBAAiB,cAA2C;EAChE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,gCAAgC,aAAa,UAC7C,KACD;AAED,SAAO,sBAAsB,KAAK;;CAGpC,MAAM,cAAc,SAA8C;AAChE,QAAM,KAAK,OAAO,KAChB,oCACA,8BAA8B,QAAQ,CACvC;;;;;;;;;;;;CAaH,oBAAoB,SAAwD;EAC1E,MAAM,EACJ,cACA,eACA,qBACA,UACA,YACA,WACA,gBACA,UACA,qBACA,gBACA,QACA,aACA,OACA,eACE;EACJ,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;AAEvD,MAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,eACjC,OAAM,IAAI,UACR,kGACD;AAGH,MAAI,aAAa,aAAa,WAC5B,OAAM,IAAI,UACR,wDACD;EAGH,MAAM,QAAQ,cAAc;GAC1B,eAAe;GACf,gBAAgB;GAChB,uBAAuB;GACvB,iBAAiB;GACjB,aAAa;GACb,YAAY;GACZ;GACA,uBAAuB;GACvB,iBAAiB;GACjB;GACA,WAAW;GACX,cAAc;GACd,eAAe;GACf;GACA,aAAa;GACd,CAAC;AAEF,SAAO,GAAG,KAAK,OAAO,QAAQ,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6B7D,MAAM,4BACJ,SAIqC;EACrC,MAAM,EACJ,UACA,cACA,YACA,WACA,gBACA,UACA,qBACA,gBACA,QACA,aACA,eACE;EACJ,MAAM,mBAAmB,KAAK,gBAAgB,SAAS;AAEvD,MAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,eACjC,OAAM,IAAI,UACR,kGACD;AAGH,MAAI,aAAa,aAAa,WAC5B,OAAM,IAAI,UACR,wDACD;EAIH,MAAM,OAAO,MAAM,KAAK,OAAO,KAAK,UAAU;EAG9C,MAAM,QAAQ,KAAK,OAAO,KAAK,qBAAqB,GAAG;EAEvD,MAAM,QAAQ,cAAc;GAC1B,eAAe;GACf,gBAAgB,KAAK;GACrB,uBAAuB;GACvB,iBAAiB;GACjB,aAAa;GACb,YAAY;GACZ;GACA,uBAAuB;GACvB,iBAAiB;GACjB;GACA,WAAW;GACX,cAAc;GACd,eAAe;GACf;GACA,aAAa;GACd,CAAC;AAIF,SAAO;GAAE,KAFG,GAAG,KAAK,OAAO,QAAQ,6BAA6B;GAElD;GAAO,cAAc,KAAK;GAAc;;CAGxD,aAAa,SAAmC;EAC9C,MAAM,EAAE,WAAW,aAAa;AAEhC,MAAI,CAAC,UACH,OAAM,IAAI,UAAU,qDAAqD;EAG3E,MAAM,MAAM,IAAI,IACd,oCACA,KAAK,OAAO,QACb;AAED,MAAI,aAAa,IAAI,cAAc,UAAU;AAC7C,MAAI,SACF,KAAI,aAAa,IAAI,aAAa,SAAS;AAG7C,SAAO,IAAI,UAAU;;CAGvB,WAAW,UAA0B;AACnC,MAAI,CAAC,SACH,OAAM,IAAI,UAAU,oCAAoC;AAG1D,SAAO,GAAG,KAAK,OAAO,QAAQ,YAAY"}
package/lib/vault/vault.cjs CHANGED
@@ -41,6 +41,10 @@ var Vault = class {
41
41
  const { data } = await this.workos.get(`/vault/v1/kv/${encodeURIComponent(options.id)}`);
42
42
  return require_vault_serializers_vault_object_serializer.deserializeObject(data);
43
43
  }
44
+ async readObjectByName(name) {
45
+ const { data } = await this.workos.get(`/vault/v1/kv/name/${encodeURIComponent(name)}`);
46
+ return require_vault_serializers_vault_object_serializer.deserializeObject(data);
47
+ }
44
48
  async describeObject(options) {
45
49
  const { data } = await this.workos.get(`/vault/v1/kv/${encodeURIComponent(options.id)}/metadata`);
46
50
  return require_vault_serializers_vault_object_serializer.deserializeObject(data);
package/lib/vault/vault.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"vault.cjs","names":["workos: WorkOS","base64ToUint8Array","decodeUInt32","uint8ArrayToBase64","serializeCreateObjectEntity","deserializeObjectMetadata","deserializeListObjects","desrializeListObjectVersions","deserializeObject","serializeUpdateObjectEntity","deserializeCreateDataKeyResponse","deserializeDecryptDataKeyResponse","encodeUInt32"],"sources":["../../src/vault/vault.ts"],"sourcesContent":["import { decodeUInt32, encodeUInt32 } from '../common/utils/leb128';\nimport { CryptoProvider } from '../common/crypto/crypto-provider';\nimport { List, ListResponse } from '../common/interfaces';\nimport { PaginationOptions } from '../index.worker';\nimport { base64ToUint8Array, uint8ArrayToBase64 } from '../common/utils/base64';\nimport type { WorkOS } from '../workos';\nimport {\n CreateDataKeyOptions,\n CreateDataKeyResponse,\n CreateObjectOptions,\n DataKey,\n DataKeyPair,\n DecryptDataKeyOptions,\n DecryptDataKeyResponse,\n DeleteObjectOptions,\n KeyContext,\n ListObjectVersionsResponse,\n ObjectDigest,\n ObjectDigestResponse,\n ObjectMetadata,\n ObjectVersion,\n ReadObjectMetadataResponse,\n ReadObjectOptions,\n ReadObjectResponse,\n UpdateObjectOptions,\n VaultObject,\n} from './interfaces';\nimport {\n deserializeCreateDataKeyResponse,\n deserializeDecryptDataKeyResponse,\n} from './serializers/vault-key.serializer';\nimport {\n deserializeListObjects,\n deserializeObject,\n deserializeObjectMetadata,\n desrializeListObjectVersions,\n serializeCreateObjectEntity,\n serializeUpdateObjectEntity,\n} from './serializers/vault-object.serializer';\n\ninterface Decoded {\n iv: Uint8Array;\n tag: Uint8Array;\n keys: string;\n ciphertext: Uint8Array;\n}\n\nexport class Vault {\n private cryptoProvider: CryptoProvider;\n\n constructor(private readonly workos: WorkOS) {\n this.cryptoProvider = workos.getCryptoProvider();\n }\n\n private decode(payload: string): Decoded {\n const inputData = base64ToUint8Array(payload);\n // Use 12 bytes for IV (standard for AES-GCM)\n const iv = new Uint8Array(inputData.subarray(0, 12));\n const tag = new Uint8Array(inputData.subarray(12, 28));\n const { value: keyLen, nextIndex } = decodeUInt32(inputData, 28);\n\n // Use subarray instead of slice and convert directly to base64\n const keysBuffer = inputData.subarray(nextIndex, nextIndex + keyLen);\n const keys = uint8ArrayToBase64(keysBuffer);\n\n const ciphertext = new Uint8Array(inputData.subarray(nextIndex + keyLen));\n\n return {\n iv,\n tag,\n keys,\n ciphertext,\n };\n }\n\n async createObject(options: CreateObjectOptions): Promise<ObjectMetadata> {\n const { data } = await this.workos.post<ReadObjectMetadataResponse>(\n `/vault/v1/kv`,\n serializeCreateObjectEntity(options),\n );\n return deserializeObjectMetadata(data);\n }\n\n async listObjects(\n options?: PaginationOptions | undefined,\n ): Promise<List<ObjectDigest>> {\n const url = new URL('/vault/v1/kv', this.workos.baseURL);\n if (options?.after) {\n url.searchParams.set('after', options.after);\n }\n if (options?.limit) {\n url.searchParams.set('limit', options.limit.toString());\n }\n\n const { data } = await this.workos.get<ListResponse<ObjectDigestResponse>>(\n url.toString(),\n );\n return deserializeListObjects(data);\n }\n\n async listObjectVersions(\n options: ReadObjectOptions,\n ): Promise<ObjectVersion[]> {\n const { data } = await this.workos.get<ListObjectVersionsResponse>(\n `/vault/v1/kv/${encodeURIComponent(options.id)}/versions`,\n );\n return desrializeListObjectVersions(data);\n }\n\n async readObject(options: ReadObjectOptions): Promise<VaultObject> {\n const { data } = await this.workos.get<ReadObjectResponse>(\n `/vault/v1/kv/${encodeURIComponent(options.id)}`,\n );\n return deserializeObject(data);\n }\n\n async describeObject(options: ReadObjectOptions): Promise<VaultObject> {\n const { data } = await this.workos.get<ReadObjectResponse>(\n `/vault/v1/kv/${encodeURIComponent(options.id)}/metadata`,\n );\n return deserializeObject(data);\n }\n\n async updateObject(options: UpdateObjectOptions): Promise<VaultObject> {\n const { data } = await this.workos.put<ReadObjectResponse>(\n `/vault/v1/kv/${encodeURIComponent(options.id)}`,\n serializeUpdateObjectEntity(options),\n );\n return deserializeObject(data);\n }\n\n async deleteObject(options: DeleteObjectOptions): Promise<void> {\n return this.workos.delete(`/vault/v1/kv/${encodeURIComponent(options.id)}`);\n }\n\n async createDataKey(options: CreateDataKeyOptions): Promise<DataKeyPair> {\n const { data } = await this.workos.post<CreateDataKeyResponse>(\n `/vault/v1/keys/data-key`,\n options,\n );\n return deserializeCreateDataKeyResponse(data);\n }\n\n async decryptDataKey(options: DecryptDataKeyOptions): Promise<DataKey> {\n const { data } = await this.workos.post<DecryptDataKeyResponse>(\n `/vault/v1/keys/decrypt`,\n options,\n );\n return deserializeDecryptDataKeyResponse(data);\n }\n\n async encrypt(\n data: string,\n context: KeyContext,\n associatedData?: string,\n ): Promise<string> {\n const keyPair = await this.createDataKey({\n context,\n });\n\n // Convert base64 key to Uint8Array\n const encoder = new TextEncoder();\n\n // Use our cross-runtime base64 utility\n const key = base64ToUint8Array(keyPair.dataKey.key);\n const keyBlob = base64ToUint8Array(keyPair.encryptedKeys);\n\n const prefixLenBuffer = encodeUInt32(keyBlob.length);\n const aadBuffer = associatedData\n ? encoder.encode(associatedData)\n : undefined;\n\n // Use a 12-byte IV for AES-GCM (industry standard)\n const iv = this.cryptoProvider.randomBytes(12);\n\n const {\n ciphertext,\n iv: resultIv,\n tag,\n } = await this.cryptoProvider.encrypt(\n encoder.encode(data),\n key,\n iv,\n aadBuffer,\n );\n\n // Concatenate all parts into a single array\n const resultArray = new Uint8Array(\n resultIv.length +\n tag.length +\n prefixLenBuffer.length +\n keyBlob.length +\n ciphertext.length,\n );\n\n let offset = 0;\n resultArray.set(resultIv, offset);\n offset += resultIv.length;\n\n resultArray.set(tag, offset);\n offset += tag.length;\n\n resultArray.set(new Uint8Array(prefixLenBuffer), offset);\n offset += prefixLenBuffer.length;\n\n resultArray.set(keyBlob, offset);\n offset += keyBlob.length;\n\n resultArray.set(ciphertext, offset);\n\n // Convert to base64 using our cross-runtime utility\n return uint8ArrayToBase64(resultArray);\n }\n\n async decrypt(\n encryptedData: string,\n associatedData?: string,\n ): Promise<string> {\n const decoded = this.decode(encryptedData);\n const dataKey = await this.decryptDataKey({ keys: decoded.keys });\n\n // Convert base64 key to Uint8Array using our cross-runtime utility\n const key = base64ToUint8Array(dataKey.key);\n\n const encoder = new TextEncoder();\n const aadBuffer = associatedData\n ? encoder.encode(associatedData)\n : undefined;\n\n const decrypted = await this.cryptoProvider.decrypt(\n decoded.ciphertext,\n key,\n decoded.iv,\n decoded.tag,\n aadBuffer,\n );\n\n return new TextDecoder().decode(decrypted);\n }\n}\n"],"mappings":";;;;;;AA+CA,IAAa,QAAb,MAAmB;CACjB,AAAQ;CAER,YAAY,AAAiBA,QAAgB;EAAhB;AAC3B,OAAK,iBAAiB,OAAO,mBAAmB;;CAGlD,AAAQ,OAAO,SAA0B;EACvC,MAAM,YAAYC,+CAAmB,QAAQ;EAE7C,MAAM,KAAK,IAAI,WAAW,UAAU,SAAS,GAAG,GAAG,CAAC;EACpD,MAAM,MAAM,IAAI,WAAW,UAAU,SAAS,IAAI,GAAG,CAAC;EACtD,MAAM,EAAE,OAAO,QAAQ,cAAcC,yCAAa,WAAW,GAAG;AAQhE,SAAO;GACL;GACA;GACA,MAPWC,+CADM,UAAU,SAAS,WAAW,YAAY,OAAO,CACzB;GAQzC,YANiB,IAAI,WAAW,UAAU,SAAS,YAAY,OAAO,CAAC;GAOxE;;CAGH,MAAM,aAAa,SAAuD;EACxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,gBACAC,8EAA4B,QAAQ,CACrC;AACD,SAAOC,4EAA0B,KAAK;;CAGxC,MAAM,YACJ,SAC6B;EAC7B,MAAM,MAAM,IAAI,IAAI,gBAAgB,KAAK,OAAO,QAAQ;AACxD,MAAI,SAAS,MACX,KAAI,aAAa,IAAI,SAAS,QAAQ,MAAM;AAE9C,MAAI,SAAS,MACX,KAAI,aAAa,IAAI,SAAS,QAAQ,MAAM,UAAU,CAAC;EAGzD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,IAAI,UAAU,CACf;AACD,SAAOC,yEAAuB,KAAK;;CAGrC,MAAM,mBACJ,SAC0B;EAC1B,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gBAAgB,mBAAmB,QAAQ,GAAG,CAAC,WAChD;AACD,SAAOC,+EAA6B,KAAK;;CAG3C,MAAM,WAAW,SAAkD;EACjE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gBAAgB,mBAAmB,QAAQ,GAAG,GAC/C;AACD,SAAOC,oEAAkB,KAAK;;CAGhC,MAAM,eAAe,SAAkD;EACrE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gBAAgB,mBAAmB,QAAQ,GAAG,CAAC,WAChD;AACD,SAAOA,oEAAkB,KAAK;;CAGhC,MAAM,aAAa,SAAoD;EACrE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gBAAgB,mBAAmB,QAAQ,GAAG,IAC9CC,8EAA4B,QAAQ,CACrC;AACD,SAAOD,oEAAkB,KAAK;;CAGhC,MAAM,aAAa,SAA6C;AAC9D,SAAO,KAAK,OAAO,OAAO,gBAAgB,mBAAmB,QAAQ,GAAG,GAAG;;CAG7E,MAAM,cAAc,SAAqD;EACvE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,2BACA,QACD;AACD,SAAOE,gFAAiC,KAAK;;CAG/C,MAAM,eAAe,SAAkD;EACrE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,0BACA,QACD;AACD,SAAOC,iFAAkC,KAAK;;CAGhD,MAAM,QACJ,MACA,SACA,gBACiB;EACjB,MAAM,UAAU,MAAM,KAAK,cAAc,EACvC,SACD,CAAC;EAGF,MAAM,UAAU,IAAI,aAAa;EAGjC,MAAM,MAAMV,+CAAmB,QAAQ,QAAQ,IAAI;EACnD,MAAM,UAAUA,+CAAmB,QAAQ,cAAc;EAEzD,MAAM,kBAAkBW,yCAAa,QAAQ,OAAO;EACpD,MAAM,YAAY,iBACd,QAAQ,OAAO,eAAe,GAC9B;EAGJ,MAAM,KAAK,KAAK,eAAe,YAAY,GAAG;EAE9C,MAAM,EACJ,YACA,IAAI,UACJ,QACE,MAAM,KAAK,eAAe,QAC5B,QAAQ,OAAO,KAAK,EACpB,KACA,IACA,UACD;EAGD,MAAM,cAAc,IAAI,WACtB,SAAS,SACP,IAAI,SACJ,gBAAgB,SAChB,QAAQ,SACR,WAAW,OACd;EAED,IAAI,SAAS;AACb,cAAY,IAAI,UAAU,OAAO;AACjC,YAAU,SAAS;AAEnB,cAAY,IAAI,KAAK,OAAO;AAC5B,YAAU,IAAI;AAEd,cAAY,IAAI,IAAI,WAAW,gBAAgB,EAAE,OAAO;AACxD,YAAU,gBAAgB;AAE1B,cAAY,IAAI,SAAS,OAAO;AAChC,YAAU,QAAQ;AAElB,cAAY,IAAI,YAAY,OAAO;AAGnC,SAAOT,+CAAmB,YAAY;;CAGxC,MAAM,QACJ,eACA,gBACiB;EACjB,MAAM,UAAU,KAAK,OAAO,cAAc;EAI1C,MAAM,MAAMF,gDAHI,MAAM,KAAK,eAAe,EAAE,MAAM,QAAQ,MAAM,CAAC,EAG1B,IAAI;EAE3C,MAAM,UAAU,IAAI,aAAa;EACjC,MAAM,YAAY,iBACd,QAAQ,OAAO,eAAe,GAC9B;EAEJ,MAAM,YAAY,MAAM,KAAK,eAAe,QAC1C,QAAQ,YACR,KACA,QAAQ,IACR,QAAQ,KACR,UACD;AAED,SAAO,IAAI,aAAa,CAAC,OAAO,UAAU"}
1
+ {"version":3,"file":"vault.cjs","names":["workos: WorkOS","base64ToUint8Array","decodeUInt32","uint8ArrayToBase64","serializeCreateObjectEntity","deserializeObjectMetadata","deserializeListObjects","desrializeListObjectVersions","deserializeObject","serializeUpdateObjectEntity","deserializeCreateDataKeyResponse","deserializeDecryptDataKeyResponse","encodeUInt32"],"sources":["../../src/vault/vault.ts"],"sourcesContent":["import { decodeUInt32, encodeUInt32 } from '../common/utils/leb128';\nimport { CryptoProvider } from '../common/crypto/crypto-provider';\nimport { List, ListResponse } from '../common/interfaces';\nimport { PaginationOptions } from '../index.worker';\nimport { base64ToUint8Array, uint8ArrayToBase64 } from '../common/utils/base64';\nimport type { WorkOS } from '../workos';\nimport {\n CreateDataKeyOptions,\n CreateDataKeyResponse,\n CreateObjectOptions,\n DataKey,\n DataKeyPair,\n DecryptDataKeyOptions,\n DecryptDataKeyResponse,\n DeleteObjectOptions,\n KeyContext,\n ListObjectVersionsResponse,\n ObjectDigest,\n ObjectDigestResponse,\n ObjectMetadata,\n ObjectVersion,\n ReadObjectMetadataResponse,\n ReadObjectOptions,\n ReadObjectResponse,\n UpdateObjectOptions,\n VaultObject,\n} from './interfaces';\nimport {\n deserializeCreateDataKeyResponse,\n deserializeDecryptDataKeyResponse,\n} from './serializers/vault-key.serializer';\nimport {\n deserializeListObjects,\n deserializeObject,\n deserializeObjectMetadata,\n desrializeListObjectVersions,\n serializeCreateObjectEntity,\n serializeUpdateObjectEntity,\n} from './serializers/vault-object.serializer';\n\ninterface Decoded {\n iv: Uint8Array;\n tag: Uint8Array;\n keys: string;\n ciphertext: Uint8Array;\n}\n\nexport class Vault {\n private cryptoProvider: CryptoProvider;\n\n constructor(private readonly workos: WorkOS) {\n this.cryptoProvider = workos.getCryptoProvider();\n }\n\n private decode(payload: string): Decoded {\n const inputData = base64ToUint8Array(payload);\n // Use 12 bytes for IV (standard for AES-GCM)\n const iv = new Uint8Array(inputData.subarray(0, 12));\n const tag = new Uint8Array(inputData.subarray(12, 28));\n const { value: keyLen, nextIndex } = decodeUInt32(inputData, 28);\n\n // Use subarray instead of slice and convert directly to base64\n const keysBuffer = inputData.subarray(nextIndex, nextIndex + keyLen);\n const keys = uint8ArrayToBase64(keysBuffer);\n\n const ciphertext = new Uint8Array(inputData.subarray(nextIndex + keyLen));\n\n return {\n iv,\n tag,\n keys,\n ciphertext,\n };\n }\n\n async createObject(options: CreateObjectOptions): Promise<ObjectMetadata> {\n const { data } = await this.workos.post<ReadObjectMetadataResponse>(\n `/vault/v1/kv`,\n serializeCreateObjectEntity(options),\n );\n return deserializeObjectMetadata(data);\n }\n\n async listObjects(\n options?: PaginationOptions | undefined,\n ): Promise<List<ObjectDigest>> {\n const url = new URL('/vault/v1/kv', this.workos.baseURL);\n if (options?.after) {\n url.searchParams.set('after', options.after);\n }\n if (options?.limit) {\n url.searchParams.set('limit', options.limit.toString());\n }\n\n const { data } = await this.workos.get<ListResponse<ObjectDigestResponse>>(\n url.toString(),\n );\n return deserializeListObjects(data);\n }\n\n async listObjectVersions(\n options: ReadObjectOptions,\n ): Promise<ObjectVersion[]> {\n const { data } = await this.workos.get<ListObjectVersionsResponse>(\n `/vault/v1/kv/${encodeURIComponent(options.id)}/versions`,\n );\n return desrializeListObjectVersions(data);\n }\n\n async readObject(options: ReadObjectOptions): Promise<VaultObject> {\n const { data } = await this.workos.get<ReadObjectResponse>(\n `/vault/v1/kv/${encodeURIComponent(options.id)}`,\n );\n return deserializeObject(data);\n }\n\n async readObjectByName(name: string): Promise<VaultObject> {\n const { data } = await this.workos.get<ReadObjectResponse>(\n `/vault/v1/kv/name/${encodeURIComponent(name)}`,\n );\n return deserializeObject(data);\n }\n\n async describeObject(options: ReadObjectOptions): Promise<VaultObject> {\n const { data } = await this.workos.get<ReadObjectResponse>(\n `/vault/v1/kv/${encodeURIComponent(options.id)}/metadata`,\n );\n return deserializeObject(data);\n }\n\n async updateObject(options: UpdateObjectOptions): Promise<VaultObject> {\n const { data } = await this.workos.put<ReadObjectResponse>(\n `/vault/v1/kv/${encodeURIComponent(options.id)}`,\n serializeUpdateObjectEntity(options),\n );\n return deserializeObject(data);\n }\n\n async deleteObject(options: DeleteObjectOptions): Promise<void> {\n return this.workos.delete(`/vault/v1/kv/${encodeURIComponent(options.id)}`);\n }\n\n async createDataKey(options: CreateDataKeyOptions): Promise<DataKeyPair> {\n const { data } = await this.workos.post<CreateDataKeyResponse>(\n `/vault/v1/keys/data-key`,\n options,\n );\n return deserializeCreateDataKeyResponse(data);\n }\n\n async decryptDataKey(options: DecryptDataKeyOptions): Promise<DataKey> {\n const { data } = await this.workos.post<DecryptDataKeyResponse>(\n `/vault/v1/keys/decrypt`,\n options,\n );\n return deserializeDecryptDataKeyResponse(data);\n }\n\n async encrypt(\n data: string,\n context: KeyContext,\n associatedData?: string,\n ): Promise<string> {\n const keyPair = await this.createDataKey({\n context,\n });\n\n // Convert base64 key to Uint8Array\n const encoder = new TextEncoder();\n\n // Use our cross-runtime base64 utility\n const key = base64ToUint8Array(keyPair.dataKey.key);\n const keyBlob = base64ToUint8Array(keyPair.encryptedKeys);\n\n const prefixLenBuffer = encodeUInt32(keyBlob.length);\n const aadBuffer = associatedData\n ? encoder.encode(associatedData)\n : undefined;\n\n // Use a 12-byte IV for AES-GCM (industry standard)\n const iv = this.cryptoProvider.randomBytes(12);\n\n const {\n ciphertext,\n iv: resultIv,\n tag,\n } = await this.cryptoProvider.encrypt(\n encoder.encode(data),\n key,\n iv,\n aadBuffer,\n );\n\n // Concatenate all parts into a single array\n const resultArray = new Uint8Array(\n resultIv.length +\n tag.length +\n prefixLenBuffer.length +\n keyBlob.length +\n ciphertext.length,\n );\n\n let offset = 0;\n resultArray.set(resultIv, offset);\n offset += resultIv.length;\n\n resultArray.set(tag, offset);\n offset += tag.length;\n\n resultArray.set(new Uint8Array(prefixLenBuffer), offset);\n offset += prefixLenBuffer.length;\n\n resultArray.set(keyBlob, offset);\n offset += keyBlob.length;\n\n resultArray.set(ciphertext, offset);\n\n // Convert to base64 using our cross-runtime utility\n return uint8ArrayToBase64(resultArray);\n }\n\n async decrypt(\n encryptedData: string,\n associatedData?: string,\n ): Promise<string> {\n const decoded = this.decode(encryptedData);\n const dataKey = await this.decryptDataKey({ keys: decoded.keys });\n\n // Convert base64 key to Uint8Array using our cross-runtime utility\n const key = base64ToUint8Array(dataKey.key);\n\n const encoder = new TextEncoder();\n const aadBuffer = associatedData\n ? encoder.encode(associatedData)\n : undefined;\n\n const decrypted = await this.cryptoProvider.decrypt(\n decoded.ciphertext,\n key,\n decoded.iv,\n decoded.tag,\n aadBuffer,\n );\n\n return new TextDecoder().decode(decrypted);\n }\n}\n"],"mappings":";;;;;;AA+CA,IAAa,QAAb,MAAmB;CACjB,AAAQ;CAER,YAAY,AAAiBA,QAAgB;EAAhB;AAC3B,OAAK,iBAAiB,OAAO,mBAAmB;;CAGlD,AAAQ,OAAO,SAA0B;EACvC,MAAM,YAAYC,+CAAmB,QAAQ;EAE7C,MAAM,KAAK,IAAI,WAAW,UAAU,SAAS,GAAG,GAAG,CAAC;EACpD,MAAM,MAAM,IAAI,WAAW,UAAU,SAAS,IAAI,GAAG,CAAC;EACtD,MAAM,EAAE,OAAO,QAAQ,cAAcC,yCAAa,WAAW,GAAG;AAQhE,SAAO;GACL;GACA;GACA,MAPWC,+CADM,UAAU,SAAS,WAAW,YAAY,OAAO,CACzB;GAQzC,YANiB,IAAI,WAAW,UAAU,SAAS,YAAY,OAAO,CAAC;GAOxE;;CAGH,MAAM,aAAa,SAAuD;EACxE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,gBACAC,8EAA4B,QAAQ,CACrC;AACD,SAAOC,4EAA0B,KAAK;;CAGxC,MAAM,YACJ,SAC6B;EAC7B,MAAM,MAAM,IAAI,IAAI,gBAAgB,KAAK,OAAO,QAAQ;AACxD,MAAI,SAAS,MACX,KAAI,aAAa,IAAI,SAAS,QAAQ,MAAM;AAE9C,MAAI,SAAS,MACX,KAAI,aAAa,IAAI,SAAS,QAAQ,MAAM,UAAU,CAAC;EAGzD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,IAAI,UAAU,CACf;AACD,SAAOC,yEAAuB,KAAK;;CAGrC,MAAM,mBACJ,SAC0B;EAC1B,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gBAAgB,mBAAmB,QAAQ,GAAG,CAAC,WAChD;AACD,SAAOC,+EAA6B,KAAK;;CAG3C,MAAM,WAAW,SAAkD;EACjE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gBAAgB,mBAAmB,QAAQ,GAAG,GAC/C;AACD,SAAOC,oEAAkB,KAAK;;CAGhC,MAAM,iBAAiB,MAAoC;EACzD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,qBAAqB,mBAAmB,KAAK,GAC9C;AACD,SAAOA,oEAAkB,KAAK;;CAGhC,MAAM,eAAe,SAAkD;EACrE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gBAAgB,mBAAmB,QAAQ,GAAG,CAAC,WAChD;AACD,SAAOA,oEAAkB,KAAK;;CAGhC,MAAM,aAAa,SAAoD;EACrE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gBAAgB,mBAAmB,QAAQ,GAAG,IAC9CC,8EAA4B,QAAQ,CACrC;AACD,SAAOD,oEAAkB,KAAK;;CAGhC,MAAM,aAAa,SAA6C;AAC9D,SAAO,KAAK,OAAO,OAAO,gBAAgB,mBAAmB,QAAQ,GAAG,GAAG;;CAG7E,MAAM,cAAc,SAAqD;EACvE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,2BACA,QACD;AACD,SAAOE,gFAAiC,KAAK;;CAG/C,MAAM,eAAe,SAAkD;EACrE,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KACjC,0BACA,QACD;AACD,SAAOC,iFAAkC,KAAK;;CAGhD,MAAM,QACJ,MACA,SACA,gBACiB;EACjB,MAAM,UAAU,MAAM,KAAK,cAAc,EACvC,SACD,CAAC;EAGF,MAAM,UAAU,IAAI,aAAa;EAGjC,MAAM,MAAMV,+CAAmB,QAAQ,QAAQ,IAAI;EACnD,MAAM,UAAUA,+CAAmB,QAAQ,cAAc;EAEzD,MAAM,kBAAkBW,yCAAa,QAAQ,OAAO;EACpD,MAAM,YAAY,iBACd,QAAQ,OAAO,eAAe,GAC9B;EAGJ,MAAM,KAAK,KAAK,eAAe,YAAY,GAAG;EAE9C,MAAM,EACJ,YACA,IAAI,UACJ,QACE,MAAM,KAAK,eAAe,QAC5B,QAAQ,OAAO,KAAK,EACpB,KACA,IACA,UACD;EAGD,MAAM,cAAc,IAAI,WACtB,SAAS,SACP,IAAI,SACJ,gBAAgB,SAChB,QAAQ,SACR,WAAW,OACd;EAED,IAAI,SAAS;AACb,cAAY,IAAI,UAAU,OAAO;AACjC,YAAU,SAAS;AAEnB,cAAY,IAAI,KAAK,OAAO;AAC5B,YAAU,IAAI;AAEd,cAAY,IAAI,IAAI,WAAW,gBAAgB,EAAE,OAAO;AACxD,YAAU,gBAAgB;AAE1B,cAAY,IAAI,SAAS,OAAO;AAChC,YAAU,QAAQ;AAElB,cAAY,IAAI,YAAY,OAAO;AAGnC,SAAOT,+CAAmB,YAAY;;CAGxC,MAAM,QACJ,eACA,gBACiB;EACjB,MAAM,UAAU,KAAK,OAAO,cAAc;EAI1C,MAAM,MAAMF,gDAHI,MAAM,KAAK,eAAe,EAAE,MAAM,QAAQ,MAAM,CAAC,EAG1B,IAAI;EAE3C,MAAM,UAAU,IAAI,aAAa;EACjC,MAAM,YAAY,iBACd,QAAQ,OAAO,eAAe,GAC9B;EAEJ,MAAM,YAAY,MAAM,KAAK,eAAe,QAC1C,QAAQ,YACR,KACA,QAAQ,IACR,QAAQ,KACR,UACD;AAED,SAAO,IAAI,aAAa,CAAC,OAAO,UAAU"}
package/lib/vault/vault.d.cts CHANGED
@@ -20,6 +20,7 @@ declare class Vault {
20
20
  listObjects(options?: PaginationOptions | undefined): Promise<List<ObjectDigest>>;
21
21
  listObjectVersions(options: ReadObjectOptions): Promise<ObjectVersion[]>;
22
22
  readObject(options: ReadObjectOptions): Promise<VaultObject>;
23
+ readObjectByName(name: string): Promise<VaultObject>;
23
24
  describeObject(options: ReadObjectOptions): Promise<VaultObject>;
24
25
  updateObject(options: UpdateObjectOptions): Promise<VaultObject>;
25
26
  deleteObject(options: DeleteObjectOptions): Promise<void>;