workos 0.11.2 → 0.12.0-beta.1

package/dist/emulate/workos/routes/audit-logs.js

@@ -0,0 +1,107 @@
+import { notFound, parseJsonBody, validationError } from '../../core/index.js';
+import { getWorkOSStore } from '../store.js';
+import { formatAuditLogAction, formatAuditLogEvent, formatAuditLogExport, parseListParams } from '../helpers.js';
+export function auditLogRoutes(ctx) {
+    const { app, store } = ctx;
+    const ws = getWorkOSStore(store);
+    // List actions
+    app.get('/audit_logs/actions', (c) => {
+        const url = new URL(c.req.url);
+        const params = parseListParams(url);
+        const result = ws.auditLogActions.list({ ...params });
+        return c.json({
+            object: 'list',
+            data: result.data.map(formatAuditLogAction),
+            list_metadata: result.list_metadata,
+        });
+    });
+    // Create/update action schema
+    app.post('/audit_logs/actions/:actionName/schemas', async (c) => {
+        const actionName = c.req.param('actionName');
+        const body = await parseJsonBody(c);
+        // Upsert: find existing action or create new one
+        let action = ws.auditLogActions.findOneBy('name', actionName);
+        if (action) {
+            // Store schema in store data keyed by action name
+            store.setData(`audit_schema_${actionName}`, body);
+            return c.json(formatAuditLogAction(action));
+        }
+        action = ws.auditLogActions.insert({
+            object: 'audit_log_action',
+            name: actionName,
+            description: null,
+            condition: null,
+        });
+        store.setData(`audit_schema_${actionName}`, body);
+        return c.json(formatAuditLogAction(action), 201);
+    });
+    // Create audit log event
+    app.post('/audit_logs/events', async (c) => {
+        const body = await parseJsonBody(c);
+        const organizationId = body.organization_id;
+        if (!organizationId) {
+            throw validationError('organization_id is required', [{ field: 'organization_id', code: 'required' }]);
+        }
+        const actionBody = body.action;
+        if (!actionBody?.name) {
+            throw validationError('action.name is required', [{ field: 'action.name', code: 'required' }]);
+        }
+        const event = ws.auditLogEvents.insert({
+            object: 'audit_log_event',
+            organization_id: organizationId,
+            action: {
+                name: actionBody.name,
+                type: actionBody.type ?? 'C',
+                id: actionBody.id ?? actionBody.name,
+            },
+            actor: body.actor ?? {},
+            targets: body.targets ?? [],
+            metadata: body.metadata ?? null,
+            occurred_at: body.occurred_at ?? new Date().toISOString(),
+        });
+        return c.json(formatAuditLogEvent(event), 201);
+    });
+    // Create export (auto-transition to ready)
+    app.post('/audit_logs/exports', async (c) => {
+        const body = await parseJsonBody(c);
+        const organizationId = body.organization_id;
+        if (!organizationId) {
+            throw validationError('organization_id is required', [{ field: 'organization_id', code: 'required' }]);
+        }
+        const exp = ws.auditLogExports.insert({
+            object: 'audit_log_export',
+            organization_id: organizationId,
+            state: 'ready',
+            url: `https://emulator.workos.test/exports/audit_log_export_mock.csv`,
+            filters: body.filters ?? {},
+        });
+        return c.json(formatAuditLogExport(exp), 201);
+    });
+    // Get export
+    app.get('/audit_logs/exports/:id', (c) => {
+        const exp = ws.auditLogExports.get(c.req.param('id'));
+        if (!exp)
+            throw notFound('AuditLogExport');
+        return c.json(formatAuditLogExport(exp));
+    });
+    // Get org audit log configuration
+    app.get('/organizations/:id/audit_log_configuration', (c) => {
+        const orgId = c.req.param('id');
+        return c.json({
+            object: 'audit_log_configuration',
+            organization_id: orgId,
+            enabled: true,
+            retention_days: 365,
+        });
+    });
+    // Get org audit logs retention
+    app.get('/organizations/:id/audit_logs_retention', (c) => {
+        const orgId = c.req.param('id');
+        return c.json({
+            object: 'audit_logs_retention',
+            organization_id: orgId,
+            retention_days: 365,
+        });
+    });
+}
+//# sourceMappingURL=audit-logs.js.map

package/dist/emulate/workos/routes/audit-logs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logs.js","sourceRoot":"","sources":["../../../../src/emulate/workos/routes/audit-logs.ts"],"names":[],"mappings":"AAAA,OAAO,EAAqB,QAAQ,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAClG,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEjH,MAAM,UAAU,cAAc,CAAC,GAAiB;IAC9C,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;IAC3B,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IAEjC,eAAe;IACf,GAAG,CAAC,GAAG,CAAC,qBAAqB,EAAE,CAAC,CAAC,EAAE,EAAE;QACnC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,MAAM,GAAG,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,GAAG,MAAM,EAAE,CAAC,CAAC;QACtD,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,oBAAoB,CAAC;YAC3C,aAAa,EAAE,MAAM,CAAC,aAAa;SACpC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,8BAA8B;IAC9B,GAAG,CAAC,IAAI,CAAC,yCAAyC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC9D,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAC7C,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC;QAEpC,iDAAiD;QACjD,IAAI,MAAM,GAAG,EAAE,CAAC,eAAe,CAAC,SAAS,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QAC9D,IAAI,MAAM,EAAE,CAAC;YACX,kDAAkD;YAClD,KAAK,CAAC,OAAO,CAAC,gBAAgB,UAAU,EAAE,EAAE,IAAI,CAAC,CAAC;YAClD,OAAO,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC;YACjC,MAAM,EAAE,kBAAkB;YAC1B,IAAI,EAAE,UAAU;YAChB,WAAW,EAAE,IAAI;YACjB,SAAS,EAAE,IAAI;SAChB,CAAC,CAAC;QACH,KAAK,CAAC,OAAO,CAAC,gBAAgB,UAAU,EAAE,EAAE,IAAI,CAAC,CAAC;QAClD,OAAO,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,EAAE,GAAG,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,yBAAyB;IACzB,GAAG,CAAC,IAAI,CAAC,oBAAoB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACzC,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,cAAc,GAAG,IAAI,CAAC,eAAqC,CAAC;QAClE,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,eAAe,CAAC,6BAA6B,EAAE,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;QACzG,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,MAA4C,CAAC;QACrE,IAAI,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC;YACtB,MAAM,eAAe,CAAC,yBAAyB,EAAE,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;QACjG,CAAC;QAED,MAAM,KAAK,GAAG,EAAE,CAAC,cAAc,CAAC,MAAM,CAAC;YACrC,MAAM,EAAE,iBAAiB;YACzB,eAAe,EAAE,cAAc;YAC/B,MAAM,EAAE;gBACN,IAAI,EAAE,UAAU,CAAC,IAAI;gBACrB,IAAI,EAAE,UAAU,CAAC,IAAI,IAAI,GAAG;gBAC5B,EAAE,EAAE,UAAU,CAAC,EAAE,IAAI,UAAU,CAAC,IAAI;aACrC;YACD,KAAK,EAAG,IAAI,CAAC,KAAiC,IAAI,EAAE;YACpD,OAAO,EAAG,IAAI,CAAC,OAA0C,IAAI,EAAE;YAC/D,QAAQ,EAAG,IAAI,CAAC,QAAoC,IAAI,IAAI;YAC5D,WAAW,EAAG,IAAI,CAAC,WAAsB,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACtE,CAAC,CAAC;QAEH,OAAO,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,2CAA2C;IAC3C,GAAG,CAAC,IAAI,CAAC,qBAAqB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC1C,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,cAAc,GAAG,IAAI,CAAC,eAAqC,CAAC;QAClE,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,eAAe,CAAC,6BAA6B,EAAE,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;QACzG,CAAC;QAED,MAAM,GAAG,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC;YACpC,MAAM,EAAE,kBAAkB;YAC1B,eAAe,EAAE,cAAc;YAC/B,KAAK,EAAE,OAAO;YACd,GAAG,EAAE,gEAAgE;YACrE,OAAO,EAAG,IAAI,CAAC,OAAmC,IAAI,EAAE;SACzD,CAAC,CAAC;QAEH,OAAO,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,aAAa;IACb,GAAG,CAAC,GAAG,CAAC,yBAAyB,EAAE,CAAC,CAAC,EAAE,EAAE;QACvC,MAAM,GAAG,GAAG,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;QACtD,IAAI,CAAC,GAAG;YAAE,MAAM,QAAQ,CAAC,gBAAgB,CAAC,CAAC;QAC3C,OAAO,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,kCAAkC;IAClC,GAAG,CAAC,GAAG,CAAC,4CAA4C,EAAE,CAAC,CAAC,EAAE,EAAE;QAC1D,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAChC,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,yBAAyB;YACjC,eAAe,EAAE,KAAK;YACtB,OAAO,EAAE,IAAI;YACb,cAAc,EAAE,GAAG;SACpB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,+BAA+B;IAC/B,GAAG,CAAC,GAAG,CAAC,yCAAyC,EAAE,CAAC,CAAC,EAAE,EAAE;QACvD,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAChC,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,sBAAsB;YAC9B,eAAe,EAAE,KAAK;YACtB,cAAc,EAAE,GAAG;SACpB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["import { type RouteContext, notFound, parseJsonBody, validationError } from '../../core/index.js';\nimport { getWorkOSStore } from '../store.js';\nimport { formatAuditLogAction, formatAuditLogEvent, formatAuditLogExport, parseListParams } from '../helpers.js';\n\nexport function auditLogRoutes(ctx: RouteContext): void {\n  const { app, store } = ctx;\n  const ws = getWorkOSStore(store);\n\n  // List actions\n  app.get('/audit_logs/actions', (c) => {\n    const url = new URL(c.req.url);\n    const params = parseListParams(url);\n    const result = ws.auditLogActions.list({ ...params });\n    return c.json({\n      object: 'list',\n      data: result.data.map(formatAuditLogAction),\n      list_metadata: result.list_metadata,\n    });\n  });\n\n  // Create/update action schema\n  app.post('/audit_logs/actions/:actionName/schemas', async (c) => {\n    const actionName = c.req.param('actionName');\n    const body = await parseJsonBody(c);\n\n    // Upsert: find existing action or create new one\n    let action = ws.auditLogActions.findOneBy('name', actionName);\n    if (action) {\n      // Store schema in store data keyed by action name\n      store.setData(`audit_schema_${actionName}`, body);\n      return c.json(formatAuditLogAction(action));\n    }\n\n    action = ws.auditLogActions.insert({\n      object: 'audit_log_action',\n      name: actionName,\n      description: null,\n      condition: null,\n    });\n    store.setData(`audit_schema_${actionName}`, body);\n    return c.json(formatAuditLogAction(action), 201);\n  });\n\n  // Create audit log event\n  app.post('/audit_logs/events', async (c) => {\n    const body = await parseJsonBody(c);\n    const organizationId = body.organization_id as string | undefined;\n    if (!organizationId) {\n      throw validationError('organization_id is required', [{ field: 'organization_id', code: 'required' }]);\n    }\n\n    const actionBody = body.action as Record<string, string> | undefined;\n    if (!actionBody?.name) {\n      throw validationError('action.name is required', [{ field: 'action.name', code: 'required' }]);\n    }\n\n    const event = ws.auditLogEvents.insert({\n      object: 'audit_log_event',\n      organization_id: organizationId,\n      action: {\n        name: actionBody.name,\n        type: actionBody.type ?? 'C',\n        id: actionBody.id ?? actionBody.name,\n      },\n      actor: (body.actor as Record<string, unknown>) ?? {},\n      targets: (body.targets as Array<Record<string, unknown>>) ?? [],\n      metadata: (body.metadata as Record<string, unknown>) ?? null,\n      occurred_at: (body.occurred_at as string) ?? new Date().toISOString(),\n    });\n\n    return c.json(formatAuditLogEvent(event), 201);\n  });\n\n  // Create export (auto-transition to ready)\n  app.post('/audit_logs/exports', async (c) => {\n    const body = await parseJsonBody(c);\n    const organizationId = body.organization_id as string | undefined;\n    if (!organizationId) {\n      throw validationError('organization_id is required', [{ field: 'organization_id', code: 'required' }]);\n    }\n\n    const exp = ws.auditLogExports.insert({\n      object: 'audit_log_export',\n      organization_id: organizationId,\n      state: 'ready',\n      url: `https://emulator.workos.test/exports/audit_log_export_mock.csv`,\n      filters: (body.filters as Record<string, unknown>) ?? {},\n    });\n\n    return c.json(formatAuditLogExport(exp), 201);\n  });\n\n  // Get export\n  app.get('/audit_logs/exports/:id', (c) => {\n    const exp = ws.auditLogExports.get(c.req.param('id'));\n    if (!exp) throw notFound('AuditLogExport');\n    return c.json(formatAuditLogExport(exp));\n  });\n\n  // Get org audit log configuration\n  app.get('/organizations/:id/audit_log_configuration', (c) => {\n    const orgId = c.req.param('id');\n    return c.json({\n      object: 'audit_log_configuration',\n      organization_id: orgId,\n      enabled: true,\n      retention_days: 365,\n    });\n  });\n\n  // Get org audit logs retention\n  app.get('/organizations/:id/audit_logs_retention', (c) => {\n    const orgId = c.req.param('id');\n    return c.json({\n      object: 'audit_logs_retention',\n      organization_id: orgId,\n      retention_days: 365,\n    });\n  });\n}\n"]}

package/dist/emulate/workos/routes/auth-challenges.d.ts

@@ -0,0 +1,2 @@
+import { type RouteContext } from '../../core/index.js';
+export declare function authChallengeRoutes(ctx: RouteContext): void;

package/dist/emulate/workos/routes/auth-challenges.js

@@ -0,0 +1,51 @@
+import { notFound, parseJsonBody, WorkOSApiError } from '../../core/index.js';
+import { getWorkOSStore } from '../store.js';
+import { formatAuthChallenge, expiresIn, isExpired, generateCode } from '../helpers.js';
+export function authChallengeRoutes(ctx) {
+    const { app, store } = ctx;
+    const ws = getWorkOSStore(store);
+    app.post('/user_management/auth_factors/:id/challenges', async (c) => {
+        const factorId = c.req.param('id');
+        const factor = ws.authFactors.get(factorId);
+        if (!factor)
+            throw notFound('AuthenticationFactor');
+        const user = ws.users.get(factor.user_id);
+        if (!user)
+            throw notFound('User');
+        // Emulator generates a code and stores it for verification
+        const code = generateCode();
+        const challenge = ws.authChallenges.insert({
+            object: 'authentication_challenge',
+            user_id: user.id,
+            factor_id: factor.id,
+            expires_at: expiresIn(10),
+            code,
+        });
+        return c.json(formatAuthChallenge(challenge), 201);
+    });
+    app.post('/user_management/auth_challenges/:id/verify', async (c) => {
+        const challengeId = c.req.param('id');
+        const challenge = ws.authChallenges.get(challengeId);
+        if (!challenge)
+            throw notFound('AuthenticationChallenge');
+        if (isExpired(challenge.expires_at)) {
+            ws.authChallenges.delete(challenge.id);
+            throw new WorkOSApiError(400, 'Challenge has expired', 'expired_challenge');
+        }
+        const body = await parseJsonBody(c);
+        const code = body.code;
+        if (!code) {
+            throw new WorkOSApiError(400, 'code is required', 'invalid_request');
+        }
+        // In the emulator, accept the stored code or any 6-digit code for convenience
+        if (challenge.code && code !== challenge.code) {
+            throw new WorkOSApiError(400, 'Invalid one-time code', 'invalid_one_time_code');
+        }
+        ws.authChallenges.delete(challenge.id);
+        return c.json({
+            challenge: formatAuthChallenge(challenge),
+            valid: true,
+        });
+    });
+}
+//# sourceMappingURL=auth-challenges.js.map

package/dist/emulate/workos/routes/auth-challenges.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-challenges.js","sourceRoot":"","sources":["../../../../src/emulate/workos/routes/auth-challenges.ts"],"names":[],"mappings":"AAAA,OAAO,EAAqB,QAAQ,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACjG,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAExF,MAAM,UAAU,mBAAmB,CAAC,GAAiB;IACnD,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;IAC3B,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IAEjC,GAAG,CAAC,IAAI,CAAC,8CAA8C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACnE,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM;YAAE,MAAM,QAAQ,CAAC,sBAAsB,CAAC,CAAC;QAEpD,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI;YAAE,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;QAElC,2DAA2D;QAC3D,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;QAE5B,MAAM,SAAS,GAAG,EAAE,CAAC,cAAc,CAAC,MAAM,CAAC;YACzC,MAAM,EAAE,0BAA0B;YAClC,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,SAAS,EAAE,MAAM,CAAC,EAAE;YACpB,UAAU,EAAE,SAAS,CAAC,EAAE,CAAC;YACzB,IAAI;SACL,CAAC,CAAC;QAEH,OAAO,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,IAAI,CAAC,6CAA6C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAClE,MAAM,WAAW,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACtC,MAAM,SAAS,GAAG,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACrD,IAAI,CAAC,SAAS;YAAE,MAAM,QAAQ,CAAC,yBAAyB,CAAC,CAAC;QAE1D,IAAI,SAAS,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;YACpC,EAAE,CAAC,cAAc,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YACvC,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,uBAAuB,EAAE,mBAAmB,CAAC,CAAC;QAC9E,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAc,CAAC;QACjC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,kBAAkB,EAAE,iBAAiB,CAAC,CAAC;QACvE,CAAC;QAED,8EAA8E;QAC9E,IAAI,SAAS,CAAC,IAAI,IAAI,IAAI,KAAK,SAAS,CAAC,IAAI,EAAE,CAAC;YAC9C,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,uBAAuB,EAAE,uBAAuB,CAAC,CAAC;QAClF,CAAC;QAED,EAAE,CAAC,cAAc,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QAEvC,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,SAAS,EAAE,mBAAmB,CAAC,SAAS,CAAC;YACzC,KAAK,EAAE,IAAI;SACZ,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["import { type RouteContext, notFound, parseJsonBody, WorkOSApiError } from '../../core/index.js';\nimport { getWorkOSStore } from '../store.js';\nimport { formatAuthChallenge, expiresIn, isExpired, generateCode } from '../helpers.js';\n\nexport function authChallengeRoutes(ctx: RouteContext): void {\n  const { app, store } = ctx;\n  const ws = getWorkOSStore(store);\n\n  app.post('/user_management/auth_factors/:id/challenges', async (c) => {\n    const factorId = c.req.param('id');\n    const factor = ws.authFactors.get(factorId);\n    if (!factor) throw notFound('AuthenticationFactor');\n\n    const user = ws.users.get(factor.user_id);\n    if (!user) throw notFound('User');\n\n    // Emulator generates a code and stores it for verification\n    const code = generateCode();\n\n    const challenge = ws.authChallenges.insert({\n      object: 'authentication_challenge',\n      user_id: user.id,\n      factor_id: factor.id,\n      expires_at: expiresIn(10),\n      code,\n    });\n\n    return c.json(formatAuthChallenge(challenge), 201);\n  });\n\n  app.post('/user_management/auth_challenges/:id/verify', async (c) => {\n    const challengeId = c.req.param('id');\n    const challenge = ws.authChallenges.get(challengeId);\n    if (!challenge) throw notFound('AuthenticationChallenge');\n\n    if (isExpired(challenge.expires_at)) {\n      ws.authChallenges.delete(challenge.id);\n      throw new WorkOSApiError(400, 'Challenge has expired', 'expired_challenge');\n    }\n\n    const body = await parseJsonBody(c);\n    const code = body.code as string;\n    if (!code) {\n      throw new WorkOSApiError(400, 'code is required', 'invalid_request');\n    }\n\n    // In the emulator, accept the stored code or any 6-digit code for convenience\n    if (challenge.code && code !== challenge.code) {\n      throw new WorkOSApiError(400, 'Invalid one-time code', 'invalid_one_time_code');\n    }\n\n    ws.authChallenges.delete(challenge.id);\n\n    return c.json({\n      challenge: formatAuthChallenge(challenge),\n      valid: true,\n    });\n  });\n}\n"]}

package/dist/emulate/workos/routes/auth-factors.d.ts

@@ -0,0 +1,2 @@
+import { type RouteContext } from '../../core/index.js';
+export declare function authFactorRoutes(ctx: RouteContext): void;

package/dist/emulate/workos/routes/auth-factors.js

@@ -0,0 +1,51 @@
+import { notFound, parseJsonBody } from '../../core/index.js';
+import { getWorkOSStore } from '../store.js';
+import { formatAuthFactor } from '../helpers.js';
+import { randomBytes } from 'node:crypto';
+export function authFactorRoutes(ctx) {
+    const { app, store } = ctx;
+    const ws = getWorkOSStore(store);
+    app.post('/user_management/users/:userlandUserId/auth_factors', async (c) => {
+        const userId = c.req.param('userlandUserId');
+        const user = ws.users.get(userId);
+        if (!user)
+            throw notFound('User');
+        const body = await parseJsonBody(c);
+        const type = body.type ?? 'totp';
+        const issuer = body.totp_issuer ?? 'WorkOS Emulator';
+        const secret = randomBytes(20).toString('hex').slice(0, 32).toUpperCase();
+        const uri = `otpauth://totp/${encodeURIComponent(issuer)}:${encodeURIComponent(user.email)}?secret=${secret}&issuer=${encodeURIComponent(issuer)}`;
+        const factor = ws.authFactors.insert({
+            object: 'authentication_factor',
+            user_id: user.id,
+            type: type,
+            totp: {
+                issuer,
+                user: user.email,
+                uri,
+            },
+        });
+        return c.json(formatAuthFactor(factor), 201);
+    });
+    app.get('/user_management/users/:userlandUserId/auth_factors', (c) => {
+        const userId = c.req.param('userlandUserId');
+        const user = ws.users.get(userId);
+        if (!user)
+            throw notFound('User');
+        const factors = ws.authFactors.findBy('user_id', user.id);
+        return c.json({
+            object: 'list',
+            data: factors.map(formatAuthFactor),
+            list_metadata: { before: null, after: null },
+        });
+    });
+    app.delete('/user_management/auth_factors/:id', (c) => {
+        const factorId = c.req.param('id');
+        const factor = ws.authFactors.get(factorId);
+        if (!factor)
+            throw notFound('AuthenticationFactor');
+        ws.authFactors.delete(factor.id);
+        return c.body(null, 204);
+    });
+}
+//# sourceMappingURL=auth-factors.js.map

package/dist/emulate/workos/routes/auth-factors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-factors.js","sourceRoot":"","sources":["../../../../src/emulate/workos/routes/auth-factors.ts"],"names":[],"mappings":"AAAA,OAAO,EAAqB,QAAQ,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACjF,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,MAAM,UAAU,gBAAgB,CAAC,GAAiB;IAChD,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;IAC3B,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IAEjC,GAAG,CAAC,IAAI,CAAC,qDAAqD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC1E,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAC7C,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI;YAAE,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;QAElC,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,IAAI,GAAI,IAAI,CAAC,IAAe,IAAI,MAAM,CAAC;QAC7C,MAAM,MAAM,GAAI,IAAI,CAAC,WAAsB,IAAI,iBAAiB,CAAC;QACjE,MAAM,MAAM,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QAC1E,MAAM,GAAG,GAAG,kBAAkB,kBAAkB,CAAC,MAAM,CAAC,IAAI,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,MAAM,WAAW,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC;QAEnJ,MAAM,MAAM,GAAG,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC;YACnC,MAAM,EAAE,uBAAuB;YAC/B,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,IAAI,EAAE,IAAc;YACpB,IAAI,EAAE;gBACJ,MAAM;gBACN,IAAI,EAAE,IAAI,CAAC,KAAK;gBAChB,GAAG;aACJ;SACF,CAAC,CAAC;QAEH,OAAO,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,EAAE,GAAG,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,qDAAqD,EAAE,CAAC,CAAC,EAAE,EAAE;QACnE,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAC7C,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI;YAAE,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;QAElC,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QAC1D,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;YACnC,aAAa,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;SAC7C,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,MAAM,CAAC,mCAAmC,EAAE,CAAC,CAAC,EAAE,EAAE;QACpD,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM;YAAE,MAAM,QAAQ,CAAC,sBAAsB,CAAC,CAAC;QAEpD,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACjC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["import { type RouteContext, notFound, parseJsonBody } from '../../core/index.js';\nimport { getWorkOSStore } from '../store.js';\nimport { formatAuthFactor } from '../helpers.js';\nimport { randomBytes } from 'node:crypto';\n\nexport function authFactorRoutes(ctx: RouteContext): void {\n  const { app, store } = ctx;\n  const ws = getWorkOSStore(store);\n\n  app.post('/user_management/users/:userlandUserId/auth_factors', async (c) => {\n    const userId = c.req.param('userlandUserId');\n    const user = ws.users.get(userId);\n    if (!user) throw notFound('User');\n\n    const body = await parseJsonBody(c);\n    const type = (body.type as string) ?? 'totp';\n    const issuer = (body.totp_issuer as string) ?? 'WorkOS Emulator';\n    const secret = randomBytes(20).toString('hex').slice(0, 32).toUpperCase();\n    const uri = `otpauth://totp/${encodeURIComponent(issuer)}:${encodeURIComponent(user.email)}?secret=${secret}&issuer=${encodeURIComponent(issuer)}`;\n\n    const factor = ws.authFactors.insert({\n      object: 'authentication_factor',\n      user_id: user.id,\n      type: type as 'totp',\n      totp: {\n        issuer,\n        user: user.email,\n        uri,\n      },\n    });\n\n    return c.json(formatAuthFactor(factor), 201);\n  });\n\n  app.get('/user_management/users/:userlandUserId/auth_factors', (c) => {\n    const userId = c.req.param('userlandUserId');\n    const user = ws.users.get(userId);\n    if (!user) throw notFound('User');\n\n    const factors = ws.authFactors.findBy('user_id', user.id);\n    return c.json({\n      object: 'list',\n      data: factors.map(formatAuthFactor),\n      list_metadata: { before: null, after: null },\n    });\n  });\n\n  app.delete('/user_management/auth_factors/:id', (c) => {\n    const factorId = c.req.param('id');\n    const factor = ws.authFactors.get(factorId);\n    if (!factor) throw notFound('AuthenticationFactor');\n\n    ws.authFactors.delete(factor.id);\n    return c.body(null, 204);\n  });\n}\n"]}

package/dist/emulate/workos/routes/auth.d.ts

@@ -0,0 +1,2 @@
+import { type RouteContext } from '../../core/index.js';
+export declare function authRoutes(ctx: RouteContext): void;

package/dist/emulate/workos/routes/auth.js

@@ -0,0 +1,349 @@
+import { createHash } from 'node:crypto';
+import { notFound, parseJsonBody, WorkOSApiError, generateId } from '../../core/index.js';
+import { getWorkOSStore } from '../store.js';
+import { formatUser, formatDeviceAuthorization, verifyPassword, isExpired, expiresIn, assertLocalRedirectUri, sealSession, } from '../helpers.js';
+export function authRoutes(ctx) {
+    const { app, store, jwt } = ctx;
+    const ws = getWorkOSStore(store);
+    app.get('/user_management/authorize', (c) => {
+        const url = new URL(c.req.url);
+        const redirectUri = url.searchParams.get('redirect_uri');
+        const state = url.searchParams.get('state');
+        const codeChallenge = url.searchParams.get('code_challenge');
+        const codeChallengeMethod = url.searchParams.get('code_challenge_method');
+        const loginHint = url.searchParams.get('login_hint');
+        if (!redirectUri) {
+            throw new WorkOSApiError(400, 'redirect_uri is required', 'invalid_request');
+        }
+        assertLocalRedirectUri(redirectUri);
+        let user;
+        if (loginHint) {
+            user = ws.users.findOneBy('email', loginHint);
+            if (!user) {
+                const redirect = new URL(redirectUri);
+                redirect.searchParams.set('error', 'user_not_found');
+                if (state)
+                    redirect.searchParams.set('state', state);
+                return c.redirect(redirect.toString());
+            }
+        }
+        else {
+            const users = ws.users.all();
+            user = users[0];
+        }
+        if (!user) {
+            const redirect = new URL(redirectUri);
+            redirect.searchParams.set('error', 'no_users');
+            if (state)
+                redirect.searchParams.set('state', state);
+            return c.redirect(redirect.toString());
+        }
+        const authCode = ws.authCodes.insert({
+            user_id: user.id,
+            organization_id: null,
+            code: generateId('auth_code'),
+            redirect_uri: redirectUri,
+            expires_at: expiresIn(10),
+            code_challenge: codeChallenge ?? null,
+            code_challenge_method: codeChallengeMethod ?? null,
+        });
+        const redirect = new URL(redirectUri);
+        redirect.searchParams.set('code', authCode.code);
+        if (state)
+            redirect.searchParams.set('state', state);
+        return c.redirect(redirect.toString());
+    });
+    // Device authorization endpoint
+    app.post('/user_management/authorize/device', async (c) => {
+        const body = await parseJsonBody(c);
+        const clientId = body.client_id;
+        if (!clientId) {
+            throw new WorkOSApiError(400, 'client_id is required', 'invalid_request');
+        }
+        // Auto-approve with first user for emulator convenience
+        const users = ws.users.all();
+        const user = users[0] ?? null;
+        const deviceAuth = ws.deviceAuthorizations.insert({
+            device_code: generateId('dev_code'),
+            user_code: Math.random().toString(36).slice(2, 10).toUpperCase(),
+            user_id: user?.id ?? null,
+            client_id: clientId,
+            expires_at: expiresIn(15),
+            interval: 5,
+        });
+        return c.json(formatDeviceAuthorization(deviceAuth));
+    });
+    // AuthKit SDK uses /x/authkit/users/authenticate for the same flow
+    const authenticateHandler = async (c) => {
+        const body = await parseJsonBody(c);
+        const grantType = body.grant_type;
+        const clientId = body.client_id;
+        const clientSecret = body.client_secret;
+        if (!grantType) {
+            throw new WorkOSApiError(400, 'grant_type is required', 'invalid_request');
+        }
+        let user;
+        let organizationId = null;
+        let authMethod;
+        switch (grantType) {
+            case 'authorization_code': {
+                const code = body.code;
+                if (!code)
+                    throw new WorkOSApiError(400, 'code is required', 'invalid_request');
+                const authCode = ws.authCodes.all().find((ac) => ac.code === code);
+                if (!authCode)
+                    throw new WorkOSApiError(400, 'Invalid code', 'invalid_code');
+                if (isExpired(authCode.expires_at)) {
+                    throw new WorkOSApiError(400, 'Code has expired', 'expired_code');
+                }
+                if (authCode.code_challenge) {
+                    const codeVerifier = body.code_verifier;
+                    if (!codeVerifier) {
+                        throw new WorkOSApiError(400, 'code_verifier is required', 'invalid_request');
+                    }
+                    const method = authCode.code_challenge_method ?? 'S256';
+                    let challenge;
+                    if (method === 'S256') {
+                        challenge = createHash('sha256').update(codeVerifier).digest('base64url');
+                    }
+                    else {
+                        challenge = codeVerifier;
+                    }
+                    if (challenge !== authCode.code_challenge) {
+                        throw new WorkOSApiError(400, 'Invalid code_verifier', 'invalid_code_verifier');
+                    }
+                }
+                user = ws.users.get(authCode.user_id);
+                organizationId = authCode.organization_id;
+                ws.authCodes.delete(authCode.id);
+                authMethod = 'OAuth';
+                break;
+            }
+            case 'password': {
+                const email = body.email;
+                const password = body.password;
+                if (!email || !password) {
+                    throw new WorkOSApiError(400, 'email and password are required', 'invalid_request');
+                }
+                user = ws.users.findOneBy('email', email);
+                if (!user || !user.password_hash || !verifyPassword(password, user.password_hash)) {
+                    throw new WorkOSApiError(401, 'Invalid credentials', 'invalid_credentials');
+                }
+                authMethod = 'Password';
+                break;
+            }
+            // Accept both old and new grant type names for magic-auth
+            case 'urn:workos:oauth:grant-type:magic-auth':
+            case 'urn:workos:oauth:grant-type:magic-auth:code': {
+                const code = body.code;
+                const email = body.email;
+                if (!code || !email) {
+                    throw new WorkOSApiError(400, 'code and email are required', 'invalid_request');
+                }
+                const magicAuth = ws.magicAuths.all().find((ma) => ma.code === code && ma.email === email);
+                if (!magicAuth) {
+                    throw new WorkOSApiError(400, 'Invalid code', 'invalid_code');
+                }
+                if (isExpired(magicAuth.expires_at)) {
+                    throw new WorkOSApiError(400, 'Code has expired', 'expired_code');
+                }
+                user = ws.users.get(magicAuth.user_id);
+                ws.magicAuths.delete(magicAuth.id);
+                authMethod = 'MagicAuth';
+                break;
+            }
+            // Accept both old and new grant type names for email-verification
+            case 'urn:workos:oauth:grant-type:email-verification':
+            case 'urn:workos:oauth:grant-type:email-verification:code': {
+                const code = body.code;
+                const userId = body.user_id;
+                if (!code || !userId) {
+                    throw new WorkOSApiError(400, 'code and user_id are required', 'invalid_request');
+                }
+                const ev = ws.emailVerifications.findBy('user_id', userId).find((v) => v.code === code);
+                if (!ev) {
+                    throw new WorkOSApiError(400, 'Invalid code', 'invalid_code');
+                }
+                if (isExpired(ev.expires_at)) {
+                    throw new WorkOSApiError(400, 'Code has expired', 'expired_code');
+                }
+                ws.users.update(userId, { email_verified: true });
+                ws.emailVerifications.delete(ev.id);
+                user = ws.users.get(userId);
+                authMethod = 'EmailVerification';
+                break;
+            }
+            case 'refresh_token': {
+                const token = body.refresh_token;
+                if (!token) {
+                    throw new WorkOSApiError(400, 'refresh_token is required', 'invalid_request');
+                }
+                const refreshToken = ws.refreshTokens.findOneBy('token', token);
+                if (!refreshToken) {
+                    throw new WorkOSApiError(400, 'Invalid refresh token', 'invalid_grant');
+                }
+                if (isExpired(refreshToken.expires_at)) {
+                    ws.refreshTokens.delete(refreshToken.id);
+                    throw new WorkOSApiError(400, 'Refresh token has expired', 'invalid_grant');
+                }
+                user = ws.users.get(refreshToken.user_id);
+                // Allow body.organization_id to switch org context (switchToOrganization)
+                organizationId = body.organization_id ?? refreshToken.organization_id;
+                // Rotate: delete old, issue new below
+                ws.refreshTokens.delete(refreshToken.id);
+                authMethod = 'OAuth';
+                break;
+            }
+            case 'urn:workos:oauth:grant-type:mfa-totp': {
+                const code = body.code;
+                const pendingToken = body.pending_authentication_token;
+                const challengeId = body.authentication_challenge_id;
+                if (!code || !pendingToken || !challengeId) {
+                    throw new WorkOSApiError(400, 'code, pending_authentication_token, and authentication_challenge_id are required', 'invalid_request');
+                }
+                const pending = store.getData(`pending_auth:${pendingToken}`);
+                if (!pending) {
+                    throw new WorkOSApiError(400, 'Invalid pending authentication token', 'invalid_pending_authentication_token');
+                }
+                const challenge = ws.authChallenges.get(challengeId);
+                if (!challenge) {
+                    throw new WorkOSApiError(400, 'Invalid authentication challenge', 'invalid_request');
+                }
+                if (isExpired(challenge.expires_at)) {
+                    ws.authChallenges.delete(challenge.id);
+                    throw new WorkOSApiError(400, 'Challenge has expired', 'expired_challenge');
+                }
+                // Verify code against the challenge's stored code
+                if (challenge.code && code !== challenge.code) {
+                    throw new WorkOSApiError(400, 'Invalid one-time code', 'invalid_one_time_code');
+                }
+                ws.authChallenges.delete(challenge.id);
+                store.setData(`pending_auth:${pendingToken}`, undefined);
+                user = ws.users.get(pending.user_id);
+                organizationId = pending.organization_id;
+                authMethod = 'MFA';
+                break;
+            }
+            case 'urn:workos:oauth:grant-type:organization-selection': {
+                const pendingToken = body.pending_authentication_token;
+                const orgId = body.organization_id;
+                if (!pendingToken || !orgId) {
+                    throw new WorkOSApiError(400, 'pending_authentication_token and organization_id are required', 'invalid_request');
+                }
+                const pending = store.getData(`pending_auth:${pendingToken}`);
+                if (!pending) {
+                    throw new WorkOSApiError(400, 'Invalid pending authentication token', 'invalid_pending_authentication_token');
+                }
+                const org = ws.organizations.get(orgId);
+                if (!org)
+                    throw notFound('Organization');
+                store.setData(`pending_auth:${pendingToken}`, undefined);
+                user = ws.users.get(pending.user_id);
+                organizationId = orgId;
+                authMethod = pending.auth_method;
+                break;
+            }
+            case 'urn:ietf:params:oauth:grant-type:device_code': {
+                const deviceCode = body.device_code;
+                if (!deviceCode) {
+                    throw new WorkOSApiError(400, 'device_code is required', 'invalid_request');
+                }
+                const deviceAuth = ws.deviceAuthorizations.findOneBy('device_code', deviceCode);
+                if (!deviceAuth) {
+                    throw new WorkOSApiError(400, 'Invalid device code', 'invalid_grant');
+                }
+                if (isExpired(deviceAuth.expires_at)) {
+                    ws.deviceAuthorizations.delete(deviceAuth.id);
+                    throw new WorkOSApiError(400, 'Device code has expired', 'expired_token');
+                }
+                if (!deviceAuth.user_id) {
+                    throw new WorkOSApiError(400, 'Authorization pending', 'authorization_pending');
+                }
+                user = ws.users.get(deviceAuth.user_id);
+                ws.deviceAuthorizations.delete(deviceAuth.id);
+                authMethod = 'OAuth';
+                break;
+            }
+            default:
+                throw new WorkOSApiError(400, `Unsupported grant_type: ${grantType}`, 'invalid_request');
+        }
+        if (!user)
+            throw notFound('User');
+        ws.users.update(user.id, { last_sign_in_at: new Date().toISOString() });
+        const updatedUser = ws.users.get(user.id);
+        const session = ws.sessions.insert({
+            object: 'session',
+            user_id: user.id,
+            organization_id: organizationId,
+            ip_address: c.req.header('x-forwarded-for') ?? null,
+            user_agent: c.req.header('user-agent') ?? null,
+        });
+        // Resolve role + permissions for org-scoped sessions
+        let roleSlug;
+        let permissionSlugs;
+        if (organizationId) {
+            const membership = ws.organizationMemberships
+                .findBy('organization_id', organizationId)
+                .find((m) => m.user_id === user.id);
+            if (membership) {
+                roleSlug = membership.role.slug;
+                const role = ws.roles
+                    .findBy('slug', membership.role.slug)
+                    .find((r) => r.organization_id === organizationId || r.type === 'EnvironmentRole');
+                if (role) {
+                    const rps = ws.rolePermissions.findBy('role_id', role.id);
+                    permissionSlugs = rps
+                        .map((rp) => ws.permissions.get(rp.permission_id))
+                        .filter(Boolean)
+                        .map((p) => p.slug);
+                }
+            }
+        }
+        const accessToken = jwt.sign({
+            sub: user.id,
+            sid: session.id,
+            org_id: organizationId ?? undefined,
+            role: roleSlug,
+            permissions: permissionSlugs,
+            aud: clientId ?? 'workos-emulate',
+        });
+        // Store a real refresh token
+        const newRefreshToken = ws.refreshTokens.insert({
+            token: generateId('ref'),
+            user_id: user.id,
+            organization_id: organizationId,
+            session_id: session.id,
+            expires_at: expiresIn(30 * 24 * 60), // 30 days
+        });
+        // Compute sealed session when client_secret is provided
+        const apiKey = c.req
+            .header('Authorization')
+            ?.replace(/^Bearer\s+/i, '')
+            .trim();
+        const sealKey = clientSecret ?? apiKey;
+        const sealedSession = sealKey
+            ? sealSession({ access_token: accessToken, refresh_token: newRefreshToken.token, session_id: session.id }, sealKey)
+            : null;
+        // Emit authentication event (hybrid Option B for action-specific events)
+        const eventBus = store.getData('eventBus');
+        if (eventBus) {
+            const authEventType = `authentication.${authMethod.toLowerCase()}_succeeded`;
+            eventBus.emit({
+                event: authEventType,
+                data: { user_id: user.id, email: updatedUser.email, method: authMethod, ip_address: session.ip_address },
+            });
+        }
+        return c.json({
+            user: formatUser(updatedUser),
+            organization_id: organizationId,
+            access_token: accessToken,
+            refresh_token: newRefreshToken.token,
+            authentication_method: authMethod,
+            sealed_session: sealedSession,
+            impersonator: updatedUser.impersonator ?? undefined,
+        });
+    };
+    app.post('/user_management/authenticate', authenticateHandler);
+    app.post('/x/authkit/users/authenticate', authenticateHandler);
+}
+//# sourceMappingURL=auth.js.map