npm - @workos-inc/node - Versions diffs - 8.0.0-rc.9 → 8.0.0 - Mend

@workos-inc/node 8.0.0-rc.9 → 8.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1297) hide show

package/lib/sso/interfaces/profile-and-token.interface.d.cts CHANGED Viewed

@@ -1,18 +1,2 @@
-import { UnknownRecord } from "../../common/interfaces/unknown-record.interface.cjs";
-import { OauthTokens, OauthTokensResponse } from "../../user-management/interfaces/oauth-tokens.interface.cjs";
-import { Profile, ProfileResponse } from "./profile.interface.cjs";
-//#region src/sso/interfaces/profile-and-token.interface.d.ts
-interface ProfileAndToken<CustomAttributesType extends UnknownRecord> {
-  accessToken: string;
-  profile: Profile<CustomAttributesType>;
-  oauthTokens?: OauthTokens;
-}
-interface ProfileAndTokenResponse<CustomAttributesType extends UnknownRecord> {
-  access_token: string;
-  profile: ProfileResponse<CustomAttributesType>;
-  oauth_tokens?: OauthTokensResponse;
-}
-//#endregion
-export { ProfileAndToken, ProfileAndTokenResponse };
-//# sourceMappingURL=profile-and-token.interface.d.cts.map
+import { n as ProfileAndTokenResponse, t as ProfileAndToken } from "../../profile-and-token.interface-ZhaI1B_G.cjs";
+export { ProfileAndToken, ProfileAndTokenResponse };

package/lib/sso/interfaces/profile.interface.d.cts CHANGED Viewed

@@ -1,42 +1,2 @@
-import { RoleResponse } from "../../roles/interfaces/role.interface.cjs";
-import { ConnectionType } from "./connection-type.enum.cjs";
-import { UnknownRecord } from "../../common/interfaces/unknown-record.interface.cjs";
-//#region src/sso/interfaces/profile.interface.d.ts
-interface Profile<CustomAttributesType extends UnknownRecord> {
-  id: string;
-  idpId: string;
-  organizationId?: string;
-  connectionId: string;
-  connectionType: ConnectionType;
-  email: string;
-  firstName?: string;
-  lastName?: string;
-  role?: RoleResponse;
-  roles?: RoleResponse[];
-  groups?: string[];
-  customAttributes?: CustomAttributesType;
-  rawAttributes?: {
-    [key: string]: any;
-  };
-}
-interface ProfileResponse<CustomAttributesType extends UnknownRecord> {
-  id: string;
-  idp_id: string;
-  organization_id?: string;
-  connection_id: string;
-  connection_type: ConnectionType;
-  email: string;
-  first_name?: string;
-  last_name?: string;
-  role?: RoleResponse;
-  roles?: RoleResponse[];
-  groups?: string[];
-  custom_attributes?: CustomAttributesType;
-  raw_attributes?: {
-    [key: string]: any;
-  };
-}
-//#endregion
-export { Profile, ProfileResponse };
-//# sourceMappingURL=profile.interface.d.cts.map
+import { n as ProfileResponse, t as Profile } from "../../profile.interface-CPseQwyu.cjs";
+export { Profile, ProfileResponse };

package/lib/sso/serializers/connection.serializer.cjs CHANGED Viewed

@@ -1,17 +1,3 @@
+const require_connection_serializer = require('../../connection.serializer-phS0D1t9.cjs');
-//#region src/sso/serializers/connection.serializer.ts
-const deserializeConnection = (connection) => ({
-	object: connection.object,
-	id: connection.id,
-	organizationId: connection.organization_id,
-	name: connection.name,
-	type: connection.connection_type,
-	state: connection.state,
-	domains: connection.domains,
-	createdAt: connection.created_at,
-	updatedAt: connection.updated_at
-});
-//#endregion
-exports.deserializeConnection = deserializeConnection;
-//# sourceMappingURL=connection.serializer.cjs.map
+exports.deserializeConnection = require_connection_serializer.deserializeConnection;

package/lib/sso/serializers/connection.serializer.d.cts CHANGED Viewed

@@ -1,7 +1,2 @@
-import { Connection, ConnectionResponse } from "../interfaces/connection.interface.cjs";
-//#region src/sso/serializers/connection.serializer.d.ts
-declare const deserializeConnection: (connection: ConnectionResponse) => Connection;
-//#endregion
-export { deserializeConnection };
-//# sourceMappingURL=connection.serializer.d.cts.map
+import { t as deserializeConnection } from "../../connection.serializer-Biy7KKu3.cjs";
+export { deserializeConnection };

package/lib/sso/serializers/index.cjs CHANGED Viewed

@@ -1,9 +1,9 @@
-const require_sso_serializers_connection_serializer = require('./connection.serializer.cjs');
-const require_sso_serializers_list_connections_options_serializer = require('./list-connections-options.serializer.cjs');
-const require_sso_serializers_profile_serializer = require('./profile.serializer.cjs');
-const require_sso_serializers_profile_and_token_serializer = require('./profile-and-token.serializer.cjs');
+const require_connection_serializer = require('../../connection.serializer-phS0D1t9.cjs');
+const require_list_connections_options_serializer = require('../../list-connections-options.serializer-B9jyhBCh.cjs');
+const require_profile_serializer = require('../../profile.serializer-BDlm0TRU.cjs');
+const require_profile_and_token_serializer = require('../../profile-and-token.serializer-CUFdGpX3.cjs');
-exports.deserializeConnection = require_sso_serializers_connection_serializer.deserializeConnection;
-exports.deserializeProfile = require_sso_serializers_profile_serializer.deserializeProfile;
-exports.deserializeProfileAndToken = require_sso_serializers_profile_and_token_serializer.deserializeProfileAndToken;
-exports.serializeListConnectionsOptions = require_sso_serializers_list_connections_options_serializer.serializeListConnectionsOptions;
+exports.deserializeConnection = require_connection_serializer.deserializeConnection;
+exports.deserializeProfile = require_profile_serializer.deserializeProfile;
+exports.deserializeProfileAndToken = require_profile_and_token_serializer.deserializeProfileAndToken;
+exports.serializeListConnectionsOptions = require_list_connections_options_serializer.serializeListConnectionsOptions;

package/lib/sso/serializers/index.d.cts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { deserializeConnection } from "./connection.serializer.cjs";
-import { serializeListConnectionsOptions } from "./list-connections-options.serializer.cjs";
-import { deserializeProfileAndToken } from "./profile-and-token.serializer.cjs";
-import { deserializeProfile } from "./profile.serializer.cjs";
+import { t as deserializeConnection } from "../../connection.serializer-Biy7KKu3.cjs";
+import { t as serializeListConnectionsOptions } from "../../list-connections-options.serializer-DfJliOZZ.cjs";
+import { t as deserializeProfileAndToken } from "../../profile-and-token.serializer-jvVxElaa.cjs";
+import { t as deserializeProfile } from "../../profile.serializer-DdojQSTs.cjs";
 export { deserializeConnection, deserializeProfile, deserializeProfileAndToken, serializeListConnectionsOptions };

package/lib/sso/serializers/list-connections-options.serializer.cjs CHANGED Viewed

@@ -1,15 +1,3 @@
+const require_list_connections_options_serializer = require('../../list-connections-options.serializer-B9jyhBCh.cjs');
-//#region src/sso/serializers/list-connections-options.serializer.ts
-const serializeListConnectionsOptions = (options) => ({
-	connection_type: options.connectionType,
-	domain: options.domain,
-	organization_id: options.organizationId,
-	limit: options.limit,
-	before: options.before,
-	after: options.after,
-	order: options.order
-});
-//#endregion
-exports.serializeListConnectionsOptions = serializeListConnectionsOptions;
-//# sourceMappingURL=list-connections-options.serializer.cjs.map
+exports.serializeListConnectionsOptions = require_list_connections_options_serializer.serializeListConnectionsOptions;

package/lib/sso/serializers/list-connections-options.serializer.d.cts CHANGED Viewed

@@ -1,7 +1,2 @@
-import { ListConnectionsOptions, SerializedListConnectionsOptions } from "../interfaces/list-connections-options.interface.cjs";
-//#region src/sso/serializers/list-connections-options.serializer.d.ts
-declare const serializeListConnectionsOptions: (options: ListConnectionsOptions) => SerializedListConnectionsOptions;
-//#endregion
-export { serializeListConnectionsOptions };
-//# sourceMappingURL=list-connections-options.serializer.d.cts.map
+import { t as serializeListConnectionsOptions } from "../../list-connections-options.serializer-DfJliOZZ.cjs";
+export { serializeListConnectionsOptions };

package/lib/sso/serializers/profile-and-token.serializer.cjs CHANGED Viewed

@@ -1,13 +1,3 @@
-const require_user_management_serializers_oauth_tokens_serializer = require('../../user-management/serializers/oauth-tokens.serializer.cjs');
-const require_sso_serializers_profile_serializer = require('./profile.serializer.cjs');
+const require_profile_and_token_serializer = require('../../profile-and-token.serializer-CUFdGpX3.cjs');
-//#region src/sso/serializers/profile-and-token.serializer.ts
-const deserializeProfileAndToken = (profileAndToken) => ({
-	accessToken: profileAndToken.access_token,
-	profile: require_sso_serializers_profile_serializer.deserializeProfile(profileAndToken.profile),
-	oauthTokens: require_user_management_serializers_oauth_tokens_serializer.deserializeOauthTokens(profileAndToken.oauth_tokens)
-});
-//#endregion
-exports.deserializeProfileAndToken = deserializeProfileAndToken;
-//# sourceMappingURL=profile-and-token.serializer.cjs.map
+exports.deserializeProfileAndToken = require_profile_and_token_serializer.deserializeProfileAndToken;

package/lib/sso/serializers/profile-and-token.serializer.d.cts CHANGED Viewed

@@ -1,8 +1,2 @@
-import { UnknownRecord } from "../../common/interfaces/unknown-record.interface.cjs";
-import { ProfileAndToken, ProfileAndTokenResponse } from "../interfaces/profile-and-token.interface.cjs";
-//#region src/sso/serializers/profile-and-token.serializer.d.ts
-declare const deserializeProfileAndToken: <CustomAttributesType extends UnknownRecord>(profileAndToken: ProfileAndTokenResponse<CustomAttributesType>) => ProfileAndToken<CustomAttributesType>;
-//#endregion
-export { deserializeProfileAndToken };
-//# sourceMappingURL=profile-and-token.serializer.d.cts.map
+import { t as deserializeProfileAndToken } from "../../profile-and-token.serializer-jvVxElaa.cjs";
+export { deserializeProfileAndToken };

package/lib/sso/serializers/profile.serializer.cjs CHANGED Viewed

@@ -1,21 +1,3 @@
+const require_profile_serializer = require('../../profile.serializer-BDlm0TRU.cjs');
-//#region src/sso/serializers/profile.serializer.ts
-const deserializeProfile = (profile) => ({
-	id: profile.id,
-	idpId: profile.idp_id,
-	organizationId: profile.organization_id,
-	connectionId: profile.connection_id,
-	connectionType: profile.connection_type,
-	email: profile.email,
-	firstName: profile.first_name,
-	lastName: profile.last_name,
-	role: profile.role,
-	roles: profile.roles,
-	groups: profile.groups,
-	customAttributes: profile.custom_attributes,
-	rawAttributes: profile.raw_attributes
-});
-//#endregion
-exports.deserializeProfile = deserializeProfile;
-//# sourceMappingURL=profile.serializer.cjs.map
+exports.deserializeProfile = require_profile_serializer.deserializeProfile;

package/lib/sso/serializers/profile.serializer.d.cts CHANGED Viewed

@@ -1,8 +1,2 @@
-import { UnknownRecord } from "../../common/interfaces/unknown-record.interface.cjs";
-import { Profile, ProfileResponse } from "../interfaces/profile.interface.cjs";
-//#region src/sso/serializers/profile.serializer.d.ts
-declare const deserializeProfile: <CustomAttributesType extends UnknownRecord>(profile: ProfileResponse<CustomAttributesType>) => Profile<CustomAttributesType>;
-//#endregion
-export { deserializeProfile };
-//# sourceMappingURL=profile.serializer.d.cts.map
+import { t as deserializeProfile } from "../../profile.serializer-DdojQSTs.cjs";
+export { deserializeProfile };

package/lib/sso/sso.cjs CHANGED Viewed

@@ -1,130 +1,3 @@
-const require_common_utils_pagination = require('../common/utils/pagination.cjs');
-const require_sso_serializers_connection_serializer = require('./serializers/connection.serializer.cjs');
-const require_sso_serializers_list_connections_options_serializer = require('./serializers/list-connections-options.serializer.cjs');
-const require_sso_serializers_profile_serializer = require('./serializers/profile.serializer.cjs');
-const require_sso_serializers_profile_and_token_serializer = require('./serializers/profile-and-token.serializer.cjs');
-const require_common_utils_fetch_and_deserialize = require('../common/utils/fetch-and-deserialize.cjs');
-const require_common_utils_query_string = require('../common/utils/query-string.cjs');
+const require_sso = require('../sso-BGdbsFSR.cjs');
-//#region src/sso/sso.ts
-var SSO = class {
-	constructor(workos) {
-		this.workos = workos;
-	}
-	async listConnections(options) {
-		return new require_common_utils_pagination.AutoPaginatable(await require_common_utils_fetch_and_deserialize.fetchAndDeserialize(this.workos, "/connections", require_sso_serializers_connection_serializer.deserializeConnection, options ? require_sso_serializers_list_connections_options_serializer.serializeListConnectionsOptions(options) : void 0), (params) => require_common_utils_fetch_and_deserialize.fetchAndDeserialize(this.workos, "/connections", require_sso_serializers_connection_serializer.deserializeConnection, params), options ? require_sso_serializers_list_connections_options_serializer.serializeListConnectionsOptions(options) : void 0);
-	}
-	async deleteConnection(id) {
-		await this.workos.delete(`/connections/${id}`);
-	}
-	getAuthorizationUrl(options) {
-		const { codeChallenge, codeChallengeMethod, connection, clientId, domainHint, loginHint, organization, provider, providerQueryParams, providerScopes, redirectUri, state } = options;
-		if (!provider && !connection && !organization) throw new TypeError(`Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`);
-		const query = require_common_utils_query_string.toQueryString({
-			code_challenge: codeChallenge,
-			code_challenge_method: codeChallengeMethod,
-			connection,
-			organization,
-			domain_hint: domainHint,
-			login_hint: loginHint,
-			provider,
-			provider_query_params: providerQueryParams,
-			provider_scopes: providerScopes,
-			client_id: clientId,
-			redirect_uri: redirectUri,
-			response_type: "code",
-			state
-		});
-		return `${this.workos.baseURL}/sso/authorize?${query}`;
-	}
-	/**
-	* Generates an authorization URL with PKCE parameters automatically generated.
-	* Use this for public clients (CLI apps, Electron, mobile) that cannot
-	* securely store a client secret.
-	*
-	* @returns Object containing url, state, and codeVerifier
-	*
-	* @example
-	* ```typescript
-	* const { url, state, codeVerifier } = await workos.sso.getAuthorizationUrlWithPKCE({
-	*   connection: 'conn_123',
-	*   clientId: 'client_123',
-	*   redirectUri: 'myapp://callback',
-	* });
-	*
-	* // Store state and codeVerifier securely, then redirect user to url
-	* // After callback, exchange the code:
-	* const { profile, accessToken } = await workos.sso.getProfileAndToken({
-	*   code: authorizationCode,
-	*   codeVerifier,
-	*   clientId: 'client_123',
-	* });
-	* ```
-	*/
-	async getAuthorizationUrlWithPKCE(options) {
-		const { connection, clientId, domainHint, loginHint, organization, provider, providerQueryParams, providerScopes, redirectUri } = options;
-		if (!provider && !connection && !organization) throw new TypeError(`Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`);
-		const pkce = await this.workos.pkce.generate();
-		const state = this.workos.pkce.generateCodeVerifier(43);
-		const query = require_common_utils_query_string.toQueryString({
-			code_challenge: pkce.codeChallenge,
-			code_challenge_method: "S256",
-			connection,
-			organization,
-			domain_hint: domainHint,
-			login_hint: loginHint,
-			provider,
-			provider_query_params: providerQueryParams,
-			provider_scopes: providerScopes,
-			client_id: clientId,
-			redirect_uri: redirectUri,
-			response_type: "code",
-			state
-		});
-		return {
-			url: `${this.workos.baseURL}/sso/authorize?${query}`,
-			state,
-			codeVerifier: pkce.codeVerifier
-		};
-	}
-	async getConnection(id) {
-		const { data } = await this.workos.get(`/connections/${id}`);
-		return require_sso_serializers_connection_serializer.deserializeConnection(data);
-	}
-	/**
-	* Exchange an authorization code for a profile and access token.
-	*
-	* Auto-detects public vs confidential client mode:
-	* - If codeVerifier is provided: Uses PKCE flow (public client)
-	* - If no codeVerifier: Uses client_secret from API key (confidential client)
-	* - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)
-	*
-	* Using PKCE with confidential clients is recommended by OAuth 2.1 for defense
-	* in depth and provides additional CSRF protection on the authorization flow.
-	*
-	* @throws Error if neither codeVerifier nor API key is available
-	*/
-	async getProfileAndToken({ code, clientId, codeVerifier }) {
-		if (codeVerifier !== void 0 && codeVerifier.trim() === "") throw new TypeError("codeVerifier cannot be an empty string. Generate a valid PKCE pair using workos.pkce.generate().");
-		const hasApiKey = !!this.workos.key;
-		const hasPKCE = !!codeVerifier;
-		if (!hasPKCE && !hasApiKey) throw new TypeError("getProfileAndToken requires either a codeVerifier (for public clients) or an API key configured on the WorkOS instance (for confidential clients).");
-		const form = new URLSearchParams({
-			client_id: clientId,
-			grant_type: "authorization_code",
-			code
-		});
-		if (hasPKCE) form.set("code_verifier", codeVerifier);
-		if (hasApiKey) form.set("client_secret", this.workos.key);
-		const { data } = await this.workos.post("/sso/token", form, { skipApiKeyCheck: !hasApiKey });
-		return require_sso_serializers_profile_and_token_serializer.deserializeProfileAndToken(data);
-	}
-	async getProfile({ accessToken }) {
-		const { data } = await this.workos.get("/sso/profile", { accessToken });
-		return require_sso_serializers_profile_serializer.deserializeProfile(data);
-	}
-};
-//#endregion
-exports.SSO = SSO;
-//# sourceMappingURL=sso.cjs.map
+exports.SSO = require_sso.SSO;

package/lib/sso/sso.d.cts CHANGED Viewed

@@ -1,69 +1,2 @@
-import { SSOAuthorizationURLOptions, SSOPKCEAuthorizationURLResult } from "./interfaces/authorization-url-options.interface.cjs";
-import { Connection } from "./interfaces/connection.interface.cjs";
-import { GetProfileOptions } from "./interfaces/get-profile-options.interface.cjs";
-import { GetProfileAndTokenOptions } from "./interfaces/get-profile-and-token-options.interface.cjs";
-import { ListConnectionsOptions, SerializedListConnectionsOptions } from "./interfaces/list-connections-options.interface.cjs";
-import { UnknownRecord } from "../common/interfaces/unknown-record.interface.cjs";
-import { Profile } from "./interfaces/profile.interface.cjs";
-import { ProfileAndToken } from "./interfaces/profile-and-token.interface.cjs";
-import { AutoPaginatable } from "../common/utils/pagination.cjs";
-import { WorkOS } from "../workos.cjs";
-//#region src/sso/sso.d.ts
-declare class SSO {
-  private readonly workos;
-  constructor(workos: WorkOS);
-  listConnections(options?: ListConnectionsOptions): Promise<AutoPaginatable<Connection, SerializedListConnectionsOptions>>;
-  deleteConnection(id: string): Promise<void>;
-  getAuthorizationUrl(options: SSOAuthorizationURLOptions): string;
-  /**
-   * Generates an authorization URL with PKCE parameters automatically generated.
-   * Use this for public clients (CLI apps, Electron, mobile) that cannot
-   * securely store a client secret.
-   *
-   * @returns Object containing url, state, and codeVerifier
-   *
-   * @example
-   * ```typescript
-   * const { url, state, codeVerifier } = await workos.sso.getAuthorizationUrlWithPKCE({
-   *   connection: 'conn_123',
-   *   clientId: 'client_123',
-   *   redirectUri: 'myapp://callback',
-   * });
-   *
-   * // Store state and codeVerifier securely, then redirect user to url
-   * // After callback, exchange the code:
-   * const { profile, accessToken } = await workos.sso.getProfileAndToken({
-   *   code: authorizationCode,
-   *   codeVerifier,
-   *   clientId: 'client_123',
-   * });
-   * ```
-   */
-  getAuthorizationUrlWithPKCE(options: Omit<SSOAuthorizationURLOptions, 'codeChallenge' | 'codeChallengeMethod' | 'state'>): Promise<SSOPKCEAuthorizationURLResult>;
-  getConnection(id: string): Promise<Connection>;
-  /**
-   * Exchange an authorization code for a profile and access token.
-   *
-   * Auto-detects public vs confidential client mode:
-   * - If codeVerifier is provided: Uses PKCE flow (public client)
-   * - If no codeVerifier: Uses client_secret from API key (confidential client)
-   * - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)
-   *
-   * Using PKCE with confidential clients is recommended by OAuth 2.1 for defense
-   * in depth and provides additional CSRF protection on the authorization flow.
-   *
-   * @throws Error if neither codeVerifier nor API key is available
-   */
-  getProfileAndToken<CustomAttributesType extends UnknownRecord = UnknownRecord>({
-    code,
-    clientId,
-    codeVerifier
-  }: GetProfileAndTokenOptions): Promise<ProfileAndToken<CustomAttributesType>>;
-  getProfile<CustomAttributesType extends UnknownRecord = UnknownRecord>({
-    accessToken
-  }: GetProfileOptions): Promise<Profile<CustomAttributesType>>;
-}
-//#endregion
-export { SSO };
-//# sourceMappingURL=sso.d.cts.map
+import { v as SSO } from "../api-keys-mDyp4q6k.cjs";
+export { SSO };

package/lib/sso-BGdbsFSR.cjs ADDED Viewed

@@ -0,0 +1,135 @@
+const require_pagination = require('./pagination-BG1uBuL4.cjs');
+const require_connection_serializer = require('./connection.serializer-phS0D1t9.cjs');
+const require_list_connections_options_serializer = require('./list-connections-options.serializer-B9jyhBCh.cjs');
+const require_profile_serializer = require('./profile.serializer-BDlm0TRU.cjs');
+const require_profile_and_token_serializer = require('./profile-and-token.serializer-CUFdGpX3.cjs');
+const require_fetch_and_deserialize = require('./fetch-and-deserialize-Cw0qruaA.cjs');
+const require_query_string = require('./query-string-DvY-MOOT.cjs');
+//#region src/sso/sso.ts
+var SSO = class {
+	constructor(workos) {
+		this.workos = workos;
+	}
+	async listConnections(options) {
+		return new require_pagination.AutoPaginatable(await require_fetch_and_deserialize.fetchAndDeserialize(this.workos, "/connections", require_connection_serializer.deserializeConnection, options ? require_list_connections_options_serializer.serializeListConnectionsOptions(options) : void 0), (params) => require_fetch_and_deserialize.fetchAndDeserialize(this.workos, "/connections", require_connection_serializer.deserializeConnection, params), options ? require_list_connections_options_serializer.serializeListConnectionsOptions(options) : void 0);
+	}
+	async deleteConnection(id) {
+		await this.workos.delete(`/connections/${id}`);
+	}
+	getAuthorizationUrl(options) {
+		const { codeChallenge, codeChallengeMethod, connection, clientId, domainHint, loginHint, organization, provider, providerQueryParams, providerScopes, redirectUri, state } = options;
+		if (!provider && !connection && !organization) throw new TypeError(`Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`);
+		const query = require_query_string.toQueryString({
+			code_challenge: codeChallenge,
+			code_challenge_method: codeChallengeMethod,
+			connection,
+			organization,
+			domain_hint: domainHint,
+			login_hint: loginHint,
+			provider,
+			provider_query_params: providerQueryParams,
+			provider_scopes: providerScopes,
+			client_id: clientId,
+			redirect_uri: redirectUri,
+			response_type: "code",
+			state
+		});
+		return `${this.workos.baseURL}/sso/authorize?${query}`;
+	}
+	/**
+	* Generates an authorization URL with PKCE parameters automatically generated.
+	* Use this for public clients (CLI apps, Electron, mobile) that cannot
+	* securely store a client secret.
+	*
+	* @returns Object containing url, state, and codeVerifier
+	*
+	* @example
+	* ```typescript
+	* const { url, state, codeVerifier } = await workos.sso.getAuthorizationUrlWithPKCE({
+	*   connection: 'conn_123',
+	*   clientId: 'client_123',
+	*   redirectUri: 'myapp://callback',
+	* });
+	*
+	* // Store state and codeVerifier securely, then redirect user to url
+	* // After callback, exchange the code:
+	* const { profile, accessToken } = await workos.sso.getProfileAndToken({
+	*   code: authorizationCode,
+	*   codeVerifier,
+	*   clientId: 'client_123',
+	* });
+	* ```
+	*/
+	async getAuthorizationUrlWithPKCE(options) {
+		const { connection, clientId, domainHint, loginHint, organization, provider, providerQueryParams, providerScopes, redirectUri } = options;
+		if (!provider && !connection && !organization) throw new TypeError(`Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`);
+		const pkce = await this.workos.pkce.generate();
+		const state = this.workos.pkce.generateCodeVerifier(43);
+		const query = require_query_string.toQueryString({
+			code_challenge: pkce.codeChallenge,
+			code_challenge_method: "S256",
+			connection,
+			organization,
+			domain_hint: domainHint,
+			login_hint: loginHint,
+			provider,
+			provider_query_params: providerQueryParams,
+			provider_scopes: providerScopes,
+			client_id: clientId,
+			redirect_uri: redirectUri,
+			response_type: "code",
+			state
+		});
+		return {
+			url: `${this.workos.baseURL}/sso/authorize?${query}`,
+			state,
+			codeVerifier: pkce.codeVerifier
+		};
+	}
+	async getConnection(id) {
+		const { data } = await this.workos.get(`/connections/${id}`);
+		return require_connection_serializer.deserializeConnection(data);
+	}
+	/**
+	* Exchange an authorization code for a profile and access token.
+	*
+	* Auto-detects public vs confidential client mode:
+	* - If codeVerifier is provided: Uses PKCE flow (public client)
+	* - If no codeVerifier: Uses client_secret from API key (confidential client)
+	* - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)
+	*
+	* Using PKCE with confidential clients is recommended by OAuth 2.1 for defense
+	* in depth and provides additional CSRF protection on the authorization flow.
+	*
+	* @throws Error if neither codeVerifier nor API key is available
+	*/
+	async getProfileAndToken({ code, clientId, codeVerifier }) {
+		if (codeVerifier !== void 0 && codeVerifier.trim() === "") throw new TypeError("codeVerifier cannot be an empty string. Generate a valid PKCE pair using workos.pkce.generate().");
+		const hasApiKey = !!this.workos.key;
+		const hasPKCE = !!codeVerifier;
+		if (!hasPKCE && !hasApiKey) throw new TypeError("getProfileAndToken requires either a codeVerifier (for public clients) or an API key configured on the WorkOS instance (for confidential clients).");
+		const form = new URLSearchParams({
+			client_id: clientId,
+			grant_type: "authorization_code",
+			code
+		});
+		if (hasPKCE) form.set("code_verifier", codeVerifier);
+		if (hasApiKey) form.set("client_secret", this.workos.key);
+		const { data } = await this.workos.post("/sso/token", form, { skipApiKeyCheck: !hasApiKey });
+		return require_profile_and_token_serializer.deserializeProfileAndToken(data);
+	}
+	async getProfile({ accessToken }) {
+		const { data } = await this.workos.get("/sso/profile", { accessToken });
+		return require_profile_serializer.deserializeProfile(data);
+	}
+};
+//#endregion
+Object.defineProperty(exports, 'SSO', {
+  enumerable: true,
+  get: function () {
+    return SSO;
+  }
+});
+//# sourceMappingURL=sso-BGdbsFSR.cjs.map

package/lib/sso-BGdbsFSR.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sso-BGdbsFSR.cjs","names":["workos: WorkOS","AutoPaginatable","fetchAndDeserialize","deserializeConnection","serializeListConnectionsOptions","toQueryString","deserializeProfileAndToken","deserializeProfile"],"sources":["../src/sso/sso.ts"],"sourcesContent":["import { UnknownRecord } from '../common/interfaces/unknown-record.interface';\nimport { fetchAndDeserialize } from '../common/utils/fetch-and-deserialize';\nimport { AutoPaginatable } from '../common/utils/pagination';\nimport { toQueryString } from '../common/utils/query-string';\nimport { WorkOS } from '../workos';\nimport {\n Connection,\n ConnectionResponse,\n GetProfileAndTokenOptions,\n GetProfileOptions,\n ListConnectionsOptions,\n Profile,\n ProfileAndToken,\n ProfileAndTokenResponse,\n ProfileResponse,\n SSOAuthorizationURLOptions,\n SSOPKCEAuthorizationURLResult,\n SerializedListConnectionsOptions,\n} from './interfaces';\nimport {\n deserializeConnection,\n deserializeProfile,\n deserializeProfileAndToken,\n serializeListConnectionsOptions,\n} from './serializers';\n\nexport class SSO {\n constructor(private readonly workos: WorkOS) {}\n\n async listConnections(\n options?: ListConnectionsOptions,\n ): Promise<AutoPaginatable<Connection, SerializedListConnectionsOptions>> {\n return new AutoPaginatable(\n await fetchAndDeserialize<ConnectionResponse, Connection>(\n this.workos,\n '/connections',\n deserializeConnection,\n options ? serializeListConnectionsOptions(options) : undefined,\n ),\n (params) =>\n fetchAndDeserialize<ConnectionResponse, Connection>(\n this.workos,\n '/connections',\n deserializeConnection,\n params,\n ),\n options ? serializeListConnectionsOptions(options) : undefined,\n );\n }\n async deleteConnection(id: string) {\n await this.workos.delete(`/connections/${id}`);\n }\n\n getAuthorizationUrl(options: SSOAuthorizationURLOptions): string {\n const {\n codeChallenge,\n codeChallengeMethod,\n connection,\n clientId,\n domainHint,\n loginHint,\n organization,\n provider,\n providerQueryParams,\n providerScopes,\n redirectUri,\n state,\n } = options;\n\n if (!provider && !connection && !organization) {\n throw new TypeError(\n `Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`,\n );\n }\n\n const query = toQueryString({\n code_challenge: codeChallenge,\n code_challenge_method: codeChallengeMethod,\n connection,\n organization,\n domain_hint: domainHint,\n login_hint: loginHint,\n provider,\n provider_query_params: providerQueryParams,\n provider_scopes: providerScopes,\n client_id: clientId,\n redirect_uri: redirectUri,\n response_type: 'code',\n state,\n });\n\n return `${this.workos.baseURL}/sso/authorize?${query}`;\n }\n\n /**\n * Generates an authorization URL with PKCE parameters automatically generated.\n * Use this for public clients (CLI apps, Electron, mobile) that cannot\n * securely store a client secret.\n *\n * @returns Object containing url, state, and codeVerifier\n *\n * @example\n * ```typescript\n * const { url, state, codeVerifier } = await workos.sso.getAuthorizationUrlWithPKCE({\n * connection: 'conn_123',\n * clientId: 'client_123',\n * redirectUri: 'myapp://callback',\n * });\n *\n * // Store state and codeVerifier securely, then redirect user to url\n * // After callback, exchange the code:\n * const { profile, accessToken } = await workos.sso.getProfileAndToken({\n * code: authorizationCode,\n * codeVerifier,\n * clientId: 'client_123',\n * });\n * ```\n */\n async getAuthorizationUrlWithPKCE(\n options: Omit<\n SSOAuthorizationURLOptions,\n 'codeChallenge' | 'codeChallengeMethod' | 'state'\n >,\n ): Promise<SSOPKCEAuthorizationURLResult> {\n const {\n connection,\n clientId,\n domainHint,\n loginHint,\n organization,\n provider,\n providerQueryParams,\n providerScopes,\n redirectUri,\n } = options;\n\n if (!provider && !connection && !organization) {\n throw new TypeError(\n `Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`,\n );\n }\n\n // Generate PKCE parameters\n const pkce = await this.workos.pkce.generate();\n\n // Generate secure random state\n const state = this.workos.pkce.generateCodeVerifier(43);\n\n const query = toQueryString({\n code_challenge: pkce.codeChallenge,\n code_challenge_method: 'S256',\n connection,\n organization,\n domain_hint: domainHint,\n login_hint: loginHint,\n provider,\n provider_query_params: providerQueryParams,\n provider_scopes: providerScopes,\n client_id: clientId,\n redirect_uri: redirectUri,\n response_type: 'code',\n state,\n });\n\n const url = `${this.workos.baseURL}/sso/authorize?${query}`;\n\n return { url, state, codeVerifier: pkce.codeVerifier };\n }\n\n async getConnection(id: string): Promise<Connection> {\n const { data } = await this.workos.get<ConnectionResponse>(\n `/connections/${id}`,\n );\n\n return deserializeConnection(data);\n }\n\n /**\n * Exchange an authorization code for a profile and access token.\n *\n * Auto-detects public vs confidential client mode:\n * - If codeVerifier is provided: Uses PKCE flow (public client)\n * - If no codeVerifier: Uses client_secret from API key (confidential client)\n * - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)\n *\n * Using PKCE with confidential clients is recommended by OAuth 2.1 for defense\n * in depth and provides additional CSRF protection on the authorization flow.\n *\n * @throws Error if neither codeVerifier nor API key is available\n */\n async getProfileAndToken<\n CustomAttributesType extends UnknownRecord = UnknownRecord,\n >({\n code,\n clientId,\n codeVerifier,\n }: GetProfileAndTokenOptions): Promise<\n ProfileAndToken<CustomAttributesType>\n > {\n // Validate codeVerifier is not an empty string (common mistake)\n if (codeVerifier !== undefined && codeVerifier.trim() === '') {\n throw new TypeError(\n 'codeVerifier cannot be an empty string. ' +\n 'Generate a valid PKCE pair using workos.pkce.generate().',\n );\n }\n\n const hasApiKey = !!this.workos.key;\n const hasPKCE = !!codeVerifier;\n\n if (!hasPKCE && !hasApiKey) {\n throw new TypeError(\n 'getProfileAndToken requires either a codeVerifier (for public clients) ' +\n 'or an API key configured on the WorkOS instance (for confidential clients).',\n );\n }\n\n const form = new URLSearchParams({\n client_id: clientId,\n grant_type: 'authorization_code',\n code,\n });\n\n // Support PKCE with confidential clients (OAuth 2.1 best practice)\n // Both can be sent together for defense in depth\n if (hasPKCE) {\n form.set('code_verifier', codeVerifier);\n }\n if (hasApiKey) {\n form.set('client_secret', this.workos.key as string);\n }\n\n const { data } = await this.workos.post<\n ProfileAndTokenResponse<CustomAttributesType>\n >('/sso/token', form, { skipApiKeyCheck: !hasApiKey });\n\n return deserializeProfileAndToken(data);\n }\n\n async getProfile<CustomAttributesType extends UnknownRecord = UnknownRecord>({\n accessToken,\n }: GetProfileOptions): Promise<Profile<CustomAttributesType>> {\n const { data } = await this.workos.get<\n ProfileResponse<CustomAttributesType>\n >('/sso/profile', {\n accessToken,\n });\n\n return deserializeProfile(data);\n }\n}\n"],"mappings":";;;;;;;;;AA0BA,IAAa,MAAb,MAAiB;CACf,YAAY,AAAiBA,QAAgB;EAAhB;;CAE7B,MAAM,gBACJ,SACwE;AACxE,SAAO,IAAIC,mCACT,MAAMC,kDACJ,KAAK,QACL,gBACAC,qDACA,UAAUC,4EAAgC,QAAQ,GAAG,OACtD,GACA,WACCF,kDACE,KAAK,QACL,gBACAC,qDACA,OACD,EACH,UAAUC,4EAAgC,QAAQ,GAAG,OACtD;;CAEH,MAAM,iBAAiB,IAAY;AACjC,QAAM,KAAK,OAAO,OAAO,gBAAgB,KAAK;;CAGhD,oBAAoB,SAA6C;EAC/D,MAAM,EACJ,eACA,qBACA,YACA,UACA,YACA,WACA,cACA,UACA,qBACA,gBACA,aACA,UACE;AAEJ,MAAI,CAAC,YAAY,CAAC,cAAc,CAAC,aAC/B,OAAM,IAAI,UACR,8FACD;EAGH,MAAM,QAAQC,mCAAc;GAC1B,gBAAgB;GAChB,uBAAuB;GACvB;GACA;GACA,aAAa;GACb,YAAY;GACZ;GACA,uBAAuB;GACvB,iBAAiB;GACjB,WAAW;GACX,cAAc;GACd,eAAe;GACf;GACD,CAAC;AAEF,SAAO,GAAG,KAAK,OAAO,QAAQ,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;CA2BjD,MAAM,4BACJ,SAIwC;EACxC,MAAM,EACJ,YACA,UACA,YACA,WACA,cACA,UACA,qBACA,gBACA,gBACE;AAEJ,MAAI,CAAC,YAAY,CAAC,cAAc,CAAC,aAC/B,OAAM,IAAI,UACR,8FACD;EAIH,MAAM,OAAO,MAAM,KAAK,OAAO,KAAK,UAAU;EAG9C,MAAM,QAAQ,KAAK,OAAO,KAAK,qBAAqB,GAAG;EAEvD,MAAM,QAAQA,mCAAc;GAC1B,gBAAgB,KAAK;GACrB,uBAAuB;GACvB;GACA;GACA,aAAa;GACb,YAAY;GACZ;GACA,uBAAuB;GACvB,iBAAiB;GACjB,WAAW;GACX,cAAc;GACd,eAAe;GACf;GACD,CAAC;AAIF,SAAO;GAAE,KAFG,GAAG,KAAK,OAAO,QAAQ,iBAAiB;GAEtC;GAAO,cAAc,KAAK;GAAc;;CAGxD,MAAM,cAAc,IAAiC;EACnD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gBAAgB,KACjB;AAED,SAAOF,oDAAsB,KAAK;;;;;;;;;;;;;;;CAgBpC,MAAM,mBAEJ,EACA,MACA,UACA,gBAGA;AAEA,MAAI,iBAAiB,UAAa,aAAa,MAAM,KAAK,GACxD,OAAM,IAAI,UACR,mGAED;EAGH,MAAM,YAAY,CAAC,CAAC,KAAK,OAAO;EAChC,MAAM,UAAU,CAAC,CAAC;AAElB,MAAI,CAAC,WAAW,CAAC,UACf,OAAM,IAAI,UACR,qJAED;EAGH,MAAM,OAAO,IAAI,gBAAgB;GAC/B,WAAW;GACX,YAAY;GACZ;GACD,CAAC;AAIF,MAAI,QACF,MAAK,IAAI,iBAAiB,aAAa;AAEzC,MAAI,UACF,MAAK,IAAI,iBAAiB,KAAK,OAAO,IAAc;EAGtD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAEjC,cAAc,MAAM,EAAE,iBAAiB,CAAC,WAAW,CAAC;AAEtD,SAAOG,gEAA2B,KAAK;;CAGzC,MAAM,WAAuE,EAC3E,eAC4D;EAC5D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IAEjC,gBAAgB,EAChB,aACD,CAAC;AAEF,SAAOC,8CAAmB,KAAK"}