npm - workos - Versions diffs - 0.11.2 → 0.12.0-beta.1 - Mend

workos 0.11.2 → 0.12.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/README.md +163 -6
package/dist/bin.js +20 -1
package/dist/bin.js.map +1 -1
package/dist/check-coverage.ts +237 -0
package/dist/commands/dev.d.ts +23 -0
package/dist/commands/dev.js +139 -0
package/dist/commands/dev.js.map +1 -0
package/dist/commands/emulate.d.ts +6 -0
package/dist/commands/emulate.js +64 -0
package/dist/commands/emulate.js.map +1 -0
package/dist/emulate/core/id.d.ts +33 -0
package/dist/emulate/core/id.js +58 -0
package/dist/emulate/core/id.js.map +1 -0
package/dist/emulate/core/index.d.ts +8 -0
package/dist/emulate/core/index.js +8 -0
package/dist/emulate/core/index.js.map +1 -0
package/dist/emulate/core/jwt.d.ts +28 -0
package/dist/emulate/core/jwt.js +78 -0
package/dist/emulate/core/jwt.js.map +1 -0
package/dist/emulate/core/middleware/auth.d.ts +18 -0
package/dist/emulate/core/middleware/auth.js +28 -0
package/dist/emulate/core/middleware/auth.js.map +1 -0
package/dist/emulate/core/middleware/error-handler.d.ts +22 -0
package/dist/emulate/core/middleware/error-handler.js +72 -0
package/dist/emulate/core/middleware/error-handler.js.map +1 -0
package/dist/emulate/core/pagination.d.ts +21 -0
package/dist/emulate/core/pagination.js +35 -0
package/dist/emulate/core/pagination.js.map +1 -0
package/dist/emulate/core/plugin.d.ts +15 -0
package/dist/emulate/core/plugin.js +2 -0
package/dist/emulate/core/plugin.js.map +1 -0
package/dist/emulate/core/server.d.ts +17 -0
package/dist/emulate/core/server.js +116 -0
package/dist/emulate/core/server.js.map +1 -0
package/dist/emulate/core/store.d.ts +42 -0
package/dist/emulate/core/store.js +148 -0
package/dist/emulate/core/store.js.map +1 -0
package/dist/emulate/index.d.ts +25 -0
package/dist/emulate/index.js +47 -0
package/dist/emulate/index.js.map +1 -0
package/dist/emulate/workos/entities.d.ts +360 -0
package/dist/emulate/workos/entities.js +2 -0
package/dist/emulate/workos/entities.js.map +1 -0
package/dist/emulate/workos/event-bus.d.ts +12 -0
package/dist/emulate/workos/event-bus.js +45 -0
package/dist/emulate/workos/event-bus.js.map +1 -0
package/dist/emulate/workos/helpers.d.ts +63 -0
package/dist/emulate/workos/helpers.js +518 -0
package/dist/emulate/workos/helpers.js.map +1 -0
package/dist/emulate/workos/index.d.ts +91 -0
package/dist/emulate/workos/index.js +319 -0
package/dist/emulate/workos/index.js.map +1 -0
package/dist/emulate/workos/routes/api-keys.d.ts +2 -0
package/dist/emulate/workos/routes/api-keys.js +35 -0
package/dist/emulate/workos/routes/api-keys.js.map +1 -0
package/dist/emulate/workos/routes/audit-logs.d.ts +2 -0
package/dist/emulate/workos/routes/audit-logs.js +107 -0
package/dist/emulate/workos/routes/audit-logs.js.map +1 -0
package/dist/emulate/workos/routes/auth-challenges.d.ts +2 -0
package/dist/emulate/workos/routes/auth-challenges.js +51 -0
package/dist/emulate/workos/routes/auth-challenges.js.map +1 -0
package/dist/emulate/workos/routes/auth-factors.d.ts +2 -0
package/dist/emulate/workos/routes/auth-factors.js +51 -0
package/dist/emulate/workos/routes/auth-factors.js.map +1 -0
package/dist/emulate/workos/routes/auth.d.ts +2 -0
package/dist/emulate/workos/routes/auth.js +349 -0
package/dist/emulate/workos/routes/auth.js.map +1 -0
package/dist/emulate/workos/routes/authorization-checks.d.ts +10 -0
package/dist/emulate/workos/routes/authorization-checks.js +135 -0
package/dist/emulate/workos/routes/authorization-checks.js.map +1 -0
package/dist/emulate/workos/routes/authorization-org-roles.d.ts +2 -0
package/dist/emulate/workos/routes/authorization-org-roles.js +206 -0
package/dist/emulate/workos/routes/authorization-org-roles.js.map +1 -0
package/dist/emulate/workos/routes/authorization-permissions.d.ts +2 -0
package/dist/emulate/workos/routes/authorization-permissions.js +78 -0
package/dist/emulate/workos/routes/authorization-permissions.js.map +1 -0
package/dist/emulate/workos/routes/authorization-resources.d.ts +2 -0
package/dist/emulate/workos/routes/authorization-resources.js +128 -0
package/dist/emulate/workos/routes/authorization-resources.js.map +1 -0
package/dist/emulate/workos/routes/authorization-roles.d.ts +2 -0
package/dist/emulate/workos/routes/authorization-roles.js +136 -0
package/dist/emulate/workos/routes/authorization-roles.js.map +1 -0
package/dist/emulate/workos/routes/config.d.ts +2 -0
package/dist/emulate/workos/routes/config.js +56 -0
package/dist/emulate/workos/routes/config.js.map +1 -0
package/dist/emulate/workos/routes/connect.d.ts +2 -0
package/dist/emulate/workos/routes/connect.js +69 -0
package/dist/emulate/workos/routes/connect.js.map +1 -0
package/dist/emulate/workos/routes/connections.d.ts +2 -0
package/dist/emulate/workos/routes/connections.js +77 -0
package/dist/emulate/workos/routes/connections.js.map +1 -0
package/dist/emulate/workos/routes/data-integrations.d.ts +2 -0
package/dist/emulate/workos/routes/data-integrations.js +55 -0
package/dist/emulate/workos/routes/data-integrations.js.map +1 -0
package/dist/emulate/workos/routes/directories.d.ts +2 -0
package/dist/emulate/workos/routes/directories.js +106 -0
package/dist/emulate/workos/routes/directories.js.map +1 -0
package/dist/emulate/workos/routes/email-verification.d.ts +2 -0
package/dist/emulate/workos/routes/email-verification.js +49 -0
package/dist/emulate/workos/routes/email-verification.js.map +1 -0
package/dist/emulate/workos/routes/events.d.ts +2 -0
package/dist/emulate/workos/routes/events.js +21 -0
package/dist/emulate/workos/routes/events.js.map +1 -0
package/dist/emulate/workos/routes/feature-flags.d.ts +2 -0
package/dist/emulate/workos/routes/feature-flags.js +131 -0
package/dist/emulate/workos/routes/feature-flags.js.map +1 -0
package/dist/emulate/workos/routes/invitations.d.ts +2 -0
package/dist/emulate/workos/routes/invitations.js +125 -0
package/dist/emulate/workos/routes/invitations.js.map +1 -0
package/dist/emulate/workos/routes/legacy-mfa.d.ts +2 -0
package/dist/emulate/workos/routes/legacy-mfa.js +75 -0
package/dist/emulate/workos/routes/legacy-mfa.js.map +1 -0
package/dist/emulate/workos/routes/magic-auth.d.ts +2 -0
package/dist/emulate/workos/routes/magic-auth.js +32 -0
package/dist/emulate/workos/routes/magic-auth.js.map +1 -0
package/dist/emulate/workos/routes/memberships.d.ts +2 -0
package/dist/emulate/workos/routes/memberships.js +118 -0
package/dist/emulate/workos/routes/memberships.js.map +1 -0
package/dist/emulate/workos/routes/organization-domains.d.ts +2 -0
package/dist/emulate/workos/routes/organization-domains.js +58 -0
package/dist/emulate/workos/routes/organization-domains.js.map +1 -0
package/dist/emulate/workos/routes/organizations.d.ts +2 -0
package/dist/emulate/workos/routes/organizations.js +133 -0
package/dist/emulate/workos/routes/organizations.js.map +1 -0
package/dist/emulate/workos/routes/password-reset.d.ts +2 -0
package/dist/emulate/workos/routes/password-reset.js +61 -0
package/dist/emulate/workos/routes/password-reset.js.map +1 -0
package/dist/emulate/workos/routes/pipes.d.ts +2 -0
package/dist/emulate/workos/routes/pipes.js +86 -0
package/dist/emulate/workos/routes/pipes.js.map +1 -0
package/dist/emulate/workos/routes/portal.d.ts +2 -0
package/dist/emulate/workos/routes/portal.js +18 -0
package/dist/emulate/workos/routes/portal.js.map +1 -0
package/dist/emulate/workos/routes/radar.d.ts +2 -0
package/dist/emulate/workos/routes/radar.js +45 -0
package/dist/emulate/workos/routes/radar.js.map +1 -0
package/dist/emulate/workos/routes/sessions.d.ts +2 -0
package/dist/emulate/workos/routes/sessions.js +51 -0
package/dist/emulate/workos/routes/sessions.js.map +1 -0
package/dist/emulate/workos/routes/sso.d.ts +2 -0
package/dist/emulate/workos/routes/sso.js +160 -0
package/dist/emulate/workos/routes/sso.js.map +1 -0
package/dist/emulate/workos/routes/user-features.d.ts +2 -0
package/dist/emulate/workos/routes/user-features.js +50 -0
package/dist/emulate/workos/routes/user-features.js.map +1 -0
package/dist/emulate/workos/routes/users.d.ts +2 -0
package/dist/emulate/workos/routes/users.js +133 -0
package/dist/emulate/workos/routes/users.js.map +1 -0
package/dist/emulate/workos/routes/webhook-endpoints.d.ts +2 -0
package/dist/emulate/workos/routes/webhook-endpoints.js +70 -0
package/dist/emulate/workos/routes/webhook-endpoints.js.map +1 -0
package/dist/emulate/workos/routes/widgets.d.ts +2 -0
package/dist/emulate/workos/routes/widgets.js +27 -0
package/dist/emulate/workos/routes/widgets.js.map +1 -0
package/dist/emulate/workos/store.d.ts +48 -0
package/dist/emulate/workos/store.js +93 -0
package/dist/emulate/workos/store.js.map +1 -0
package/dist/emulate/workos/webhook-signer.d.ts +1 -0
package/dist/emulate/workos/webhook-signer.js +8 -0
package/dist/emulate/workos/webhook-signer.js.map +1 -0
package/dist/gen-routes-lib.spec.ts +659 -0
package/dist/gen-routes-lib.ts +647 -0
package/dist/gen-routes.ts +96 -0
package/dist/lib/dev-command.d.ts +26 -0
package/dist/lib/dev-command.js +122 -0
package/dist/lib/dev-command.js.map +1 -0
package/dist/utils/help-json.js +23 -0
package/dist/utils/help-json.js.map +1 -1
package/package.json +20 -7

package/dist/emulate/workos/routes/auth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../../src/emulate/workos/routes/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAqB,QAAQ,EAAE,aAAa,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAC7G,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EACL,UAAU,EACV,yBAAyB,EACzB,cAAc,EACd,SAAS,EACT,SAAS,EACT,sBAAsB,EACtB,WAAW,GACZ,MAAM,eAAe,CAAC;AASvB,MAAM,UAAU,UAAU,CAAC,GAAiB;IAC1C,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC;IAChC,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IAEjC,GAAG,CAAC,GAAG,CAAC,4BAA4B,EAAE,CAAC,CAAC,EAAE,EAAE;QAC1C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,WAAW,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QACzD,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,MAAM,aAAa,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;QAC7D,MAAM,mBAAmB,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QAC1E,MAAM,SAAS,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAErD,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,0BAA0B,EAAE,iBAAiB,CAAC,CAAC;QAC/E,CAAC;QACD,sBAAsB,CAAC,WAAW,CAAC,CAAC;QAEpC,IAAI,IAAI,CAAC;QACT,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;YAC9C,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;gBACtC,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;gBACrD,IAAI,KAAK;oBAAE,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;gBACrD,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;YAC7B,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;YACtC,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YAC/C,IAAI,KAAK;gBAAE,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YACrD,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;QACzC,CAAC;QAED,MAAM,QAAQ,GAAG,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,eAAe,EAAE,IAAI;YACrB,IAAI,EAAE,UAAU,CAAC,WAAW,CAAC;YAC7B,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,SAAS,CAAC,EAAE,CAAC;YACzB,cAAc,EAAE,aAAa,IAAI,IAAI;YACrC,qBAAqB,EAAE,mBAAmB,IAAI,IAAI;SACnD,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;QACtC,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;QACjD,IAAI,KAAK;YAAE,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACrD,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,gCAAgC;IAChC,GAAG,CAAC,IAAI,CAAC,mCAAmC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACxD,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAmB,CAAC;QAC1C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,uBAAuB,EAAE,iBAAiB,CAAC,CAAC;QAC5E,CAAC;QAED,wDAAwD;QACxD,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;QAE9B,MAAM,UAAU,GAAG,EAAE,CAAC,oBAAoB,CAAC,MAAM,CAAC;YAChD,WAAW,EAAE,UAAU,CAAC,UAAU,CAAC;YACnC,SAAS,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE;YAChE,OAAO,EAAE,IAAI,EAAE,EAAE,IAAI,IAAI;YACzB,SAAS,EAAE,QAAQ;YACnB,UAAU,EAAE,SAAS,CAAC,EAAE,CAAC;YACzB,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QAEH,OAAO,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,UAAU,CAAC,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,mEAAmE;IACnE,MAAM,mBAAmB,GAAG,KAAK,EAAE,CAAM,EAAE,EAAE;QAC3C,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,SAAS,GAAG,IAAI,CAAC,UAAgC,CAAC;QACxD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAA+B,CAAC;QACtD,MAAM,YAAY,GAAG,IAAI,CAAC,aAAmC,CAAC;QAE9D,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,wBAAwB,EAAE,iBAAiB,CAAC,CAAC;QAC7E,CAAC;QAED,IAAI,IAAI,CAAC;QACT,IAAI,cAAc,GAAkB,IAAI,CAAC;QACzC,IAAI,UAAkB,CAAC;QAEvB,QAAQ,SAAS,EAAE,CAAC;YAClB,KAAK,oBAAoB,CAAC,CAAC,CAAC;gBAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAc,CAAC;gBACjC,IAAI,CAAC,IAAI;oBAAE,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,kBAAkB,EAAE,iBAAiB,CAAC,CAAC;gBAEhF,MAAM,QAAQ,GAAG,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;gBACnE,IAAI,CAAC,QAAQ;oBAAE,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;gBAC7E,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;oBACnC,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,kBAAkB,EAAE,cAAc,CAAC,CAAC;gBACpE,CAAC;gBAED,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;oBAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,aAAuB,CAAC;oBAClD,IAAI,CAAC,YAAY,EAAE,CAAC;wBAClB,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,2BAA2B,EAAE,iBAAiB,CAAC,CAAC;oBAChF,CAAC;oBACD,MAAM,MAAM,GAAG,QAAQ,CAAC,qBAAqB,IAAI,MAAM,CAAC;oBACxD,IAAI,SAAiB,CAAC;oBACtB,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;wBACtB,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;oBAC5E,CAAC;yBAAM,CAAC;wBACN,SAAS,GAAG,YAAY,CAAC;oBAC3B,CAAC;oBACD,IAAI,SAAS,KAAK,QAAQ,CAAC,cAAc,EAAE,CAAC;wBAC1C,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,uBAAuB,EAAE,uBAAuB,CAAC,CAAC;oBAClF,CAAC;gBACH,CAAC;gBAED,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBACtC,cAAc,GAAG,QAAQ,CAAC,eAAe,CAAC;gBAC1C,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;gBACjC,UAAU,GAAG,OAAO,CAAC;gBACrB,MAAM;YACR,CAAC;YAED,KAAK,UAAU,CAAC,CAAC,CAAC;gBAChB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAe,CAAC;gBACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAkB,CAAC;gBACzC,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACxB,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,iCAAiC,EAAE,iBAAiB,CAAC,CAAC;gBACtF,CAAC;gBAED,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;gBAC1C,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,aAAa,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;oBAClF,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,qBAAqB,EAAE,qBAAqB,CAAC,CAAC;gBAC9E,CAAC;gBACD,UAAU,GAAG,UAAU,CAAC;gBACxB,MAAM;YACR,CAAC;YAED,0DAA0D;YAC1D,KAAK,wCAAwC,CAAC;YAC9C,KAAK,6CAA6C,CAAC,CAAC,CAAC;gBACnD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAc,CAAC;gBACjC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAe,CAAC;gBACnC,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;oBACpB,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,6BAA6B,EAAE,iBAAiB,CAAC,CAAC;gBAClF,CAAC;gBAED,MAAM,SAAS,GAAG,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC;gBAC3F,IAAI,CAAC,SAAS,EAAE,CAAC;oBACf,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;gBAChE,CAAC;gBACD,IAAI,SAAS,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;oBACpC,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,kBAAkB,EAAE,cAAc,CAAC,CAAC;gBACpE,CAAC;gBAED,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;gBACvC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBACnC,UAAU,GAAG,WAAW,CAAC;gBACzB,MAAM;YACR,CAAC;YAED,kEAAkE;YAClE,KAAK,gDAAgD,CAAC;YACtD,KAAK,qDAAqD,CAAC,CAAC,CAAC;gBAC3D,MAAM,IAAI,GAAG,IAAI,CAAC,IAAc,CAAC;gBACjC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAiB,CAAC;gBACtC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;oBACrB,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,+BAA+B,EAAE,iBAAiB,CAAC,CAAC;gBACpF,CAAC;gBAED,MAAM,EAAE,GAAG,EAAE,CAAC,kBAAkB,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;gBACxF,IAAI,CAAC,EAAE,EAAE,CAAC;oBACR,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;gBAChE,CAAC;gBACD,IAAI,SAAS,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC7B,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,kBAAkB,EAAE,cAAc,CAAC,CAAC;gBACpE,CAAC;gBAED,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;gBAClD,EAAE,CAAC,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;gBACpC,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC5B,UAAU,GAAG,mBAAmB,CAAC;gBACjC,MAAM;YACR,CAAC;YAED,KAAK,eAAe,CAAC,CAAC,CAAC;gBACrB,MAAM,KAAK,GAAG,IAAI,CAAC,aAAuB,CAAC;gBAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,2BAA2B,EAAE,iBAAiB,CAAC,CAAC;gBAChF,CAAC;gBAED,MAAM,YAAY,GAAG,EAAE,CAAC,aAAa,CAAC,SAAS,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;gBAChE,IAAI,CAAC,YAAY,EAAE,CAAC;oBAClB,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,uBAAuB,EAAE,eAAe,CAAC,CAAC;gBAC1E,CAAC;gBACD,IAAI,SAAS,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,CAAC;oBACvC,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;oBACzC,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,2BAA2B,EAAE,eAAe,CAAC,CAAC;gBAC9E,CAAC;gBAED,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;gBAC1C,0EAA0E;gBAC1E,cAAc,GAAI,IAAI,CAAC,eAA0B,IAAI,YAAY,CAAC,eAAe,CAAC;gBAElF,sCAAsC;gBACtC,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;gBACzC,UAAU,GAAG,OAAO,CAAC;gBACrB,MAAM;YACR,CAAC;YAED,KAAK,sCAAsC,CAAC,CAAC,CAAC;gBAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,IAAc,CAAC;gBACjC,MAAM,YAAY,GAAG,IAAI,CAAC,4BAAsC,CAAC;gBACjE,MAAM,WAAW,GAAG,IAAI,CAAC,2BAAqC,CAAC;gBAE/D,IAAI,CAAC,IAAI,IAAI,CAAC,YAAY,IAAI,CAAC,WAAW,EAAE,CAAC;oBAC3C,MAAM,IAAI,cAAc,CACtB,GAAG,EACH,kFAAkF,EAClF,iBAAiB,CAClB,CAAC;gBACJ,CAAC;gBAED,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAc,gBAAgB,YAAY,EAAE,CAAC,CAAC;gBAC3E,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,sCAAsC,EAAE,sCAAsC,CAAC,CAAC;gBAChH,CAAC;gBAED,MAAM,SAAS,GAAG,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBACrD,IAAI,CAAC,SAAS,EAAE,CAAC;oBACf,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,kCAAkC,EAAE,iBAAiB,CAAC,CAAC;gBACvF,CAAC;gBACD,IAAI,SAAS,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;oBACpC,EAAE,CAAC,cAAc,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;oBACvC,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,uBAAuB,EAAE,mBAAmB,CAAC,CAAC;gBAC9E,CAAC;gBAED,kDAAkD;gBAClD,IAAI,SAAS,CAAC,IAAI,IAAI,IAAI,KAAK,SAAS,CAAC,IAAI,EAAE,CAAC;oBAC9C,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,uBAAuB,EAAE,uBAAuB,CAAC,CAAC;gBAClF,CAAC;gBAED,EAAE,CAAC,cAAc,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBACvC,KAAK,CAAC,OAAO,CAAC,gBAAgB,YAAY,EAAE,EAAE,SAAS,CAAC,CAAC;gBAEzD,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;gBACrC,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC;gBACzC,UAAU,GAAG,KAAK,CAAC;gBACnB,MAAM;YACR,CAAC;YAED,KAAK,oDAAoD,CAAC,CAAC,CAAC;gBAC1D,MAAM,YAAY,GAAG,IAAI,CAAC,4BAAsC,CAAC;gBACjE,MAAM,KAAK,GAAG,IAAI,CAAC,eAAyB,CAAC;gBAE7C,IAAI,CAAC,YAAY,IAAI,CAAC,KAAK,EAAE,CAAC;oBAC5B,MAAM,IAAI,cAAc,CACtB,GAAG,EACH,+DAA+D,EAC/D,iBAAiB,CAClB,CAAC;gBACJ,CAAC;gBAED,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAc,gBAAgB,YAAY,EAAE,CAAC,CAAC;gBAC3E,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,sCAAsC,EAAE,sCAAsC,CAAC,CAAC;gBAChH,CAAC;gBAED,MAAM,GAAG,GAAG,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBACxC,IAAI,CAAC,GAAG;oBAAE,MAAM,QAAQ,CAAC,cAAc,CAAC,CAAC;gBAEzC,KAAK,CAAC,OAAO,CAAC,gBAAgB,YAAY,EAAE,EAAE,SAAS,CAAC,CAAC;gBAEzD,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;gBACrC,cAAc,GAAG,KAAK,CAAC;gBACvB,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC;gBACjC,MAAM;YACR,CAAC;YAED,KAAK,8CAA8C,CAAC,CAAC,CAAC;gBACpD,MAAM,UAAU,GAAG,IAAI,CAAC,WAAqB,CAAC;gBAC9C,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,yBAAyB,EAAE,iBAAiB,CAAC,CAAC;gBAC9E,CAAC;gBAED,MAAM,UAAU,GAAG,EAAE,CAAC,oBAAoB,CAAC,SAAS,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;gBAChF,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,qBAAqB,EAAE,eAAe,CAAC,CAAC;gBACxE,CAAC;gBACD,IAAI,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;oBACrC,EAAE,CAAC,oBAAoB,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;oBAC9C,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,yBAAyB,EAAE,eAAe,CAAC,CAAC;gBAC5E,CAAC;gBACD,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;oBACxB,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,uBAAuB,EAAE,uBAAuB,CAAC,CAAC;gBAClF,CAAC;gBAED,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;gBACxC,EAAE,CAAC,oBAAoB,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;gBAC9C,UAAU,GAAG,OAAO,CAAC;gBACrB,MAAM;YACR,CAAC;YAED;gBACE,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,2BAA2B,SAAS,EAAE,EAAE,iBAAiB,CAAC,CAAC;QAC7F,CAAC;QAED,IAAI,CAAC,IAAI;YAAE,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;QAElC,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,eAAe,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QACxE,MAAM,WAAW,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAE,CAAC;QAE3C,MAAM,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;YACjC,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,eAAe,EAAE,cAAc;YAC/B,UAAU,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,IAAI,IAAI;YACnD,UAAU,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,YAAY,CAAC,IAAI,IAAI;SAC/C,CAAC,CAAC;QAEH,qDAAqD;QACrD,IAAI,QAA4B,CAAC;QACjC,IAAI,eAAqC,CAAC;QAC1C,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,UAAU,GAAG,EAAE,CAAC,uBAAuB;iBAC1C,MAAM,CAAC,iBAAiB,EAAE,cAAc,CAAC;iBACzC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,IAAI,CAAC,EAAE,CAAC,CAAC;YACtC,IAAI,UAAU,EAAE,CAAC;gBACf,QAAQ,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;gBAChC,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK;qBAClB,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;qBACpC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,KAAK,cAAc,IAAI,CAAC,CAAC,IAAI,KAAK,iBAAiB,CAAC,CAAC;gBACrF,IAAI,IAAI,EAAE,CAAC;oBACT,MAAM,GAAG,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;oBAC1D,eAAe,GAAG,GAAG;yBAClB,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC;yBACjD,MAAM,CAAC,OAAO,CAAC;yBACf,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAE,CAAC,IAAI,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG,GAAG,CAAC,IAAI,CAAC;YAC3B,GAAG,EAAE,IAAI,CAAC,EAAE;YACZ,GAAG,EAAE,OAAO,CAAC,EAAE;YACf,MAAM,EAAE,cAAc,IAAI,SAAS;YACnC,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,eAAe;YAC5B,GAAG,EAAE,QAAQ,IAAI,gBAAgB;SAClC,CAAC,CAAC;QAEH,6BAA6B;QAC7B,MAAM,eAAe,GAAG,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;YAC9C,KAAK,EAAE,UAAU,CAAC,KAAK,CAAC;YACxB,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,eAAe,EAAE,cAAc;YAC/B,UAAU,EAAE,OAAO,CAAC,EAAE;YACtB,UAAU,EAAE,SAAS,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,EAAE,UAAU;SAChD,CAAC,CAAC;QAEH,wDAAwD;QACxD,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG;aACjB,MAAM,CAAC,eAAe,CAAC;YACxB,EAAE,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC;aAC3B,IAAI,EAAE,CAAC;QACV,MAAM,OAAO,GAAG,YAAY,IAAI,MAAM,CAAC;QACvC,MAAM,aAAa,GAAG,OAAO;YAC3B,CAAC,CAAC,WAAW,CACT,EAAE,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,eAAe,CAAC,KAAK,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,EAAE,EAC3F,OAAO,CACR;YACH,CAAC,CAAC,IAAI,CAAC;QAET,yEAAyE;QACzE,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAW,UAAU,CAAC,CAAC;QACrD,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,aAAa,GAAG,kBAAkB,UAAU,CAAC,WAAW,EAAE,YAAY,CAAC;YAC7E,QAAQ,CAAC,IAAI,CAAC;gBACZ,KAAK,EAAE,aAAa;gBACpB,IAAI,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE;aACzG,CAAC,CAAC;QACL,CAAC;QAED,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,UAAU,CAAC,WAAW,CAAC;YAC7B,eAAe,EAAE,cAAc;YAC/B,YAAY,EAAE,WAAW;YACzB,aAAa,EAAE,eAAe,CAAC,KAAK;YACpC,qBAAqB,EAAE,UAAU;YACjC,cAAc,EAAE,aAAa;YAC7B,YAAY,EAAE,WAAW,CAAC,YAAY,IAAI,SAAS;SACpD,CAAC,CAAC;IACL,CAAC,CAAC;IAEF,GAAG,CAAC,IAAI,CAAC,+BAA+B,EAAE,mBAAmB,CAAC,CAAC;IAC/D,GAAG,CAAC,IAAI,CAAC,+BAA+B,EAAE,mBAAmB,CAAC,CAAC;AACjE,CAAC","sourcesContent":["import { createHash } from 'node:crypto';\nimport { type RouteContext, notFound, parseJsonBody, WorkOSApiError, generateId } from '../../core/index.js';\nimport { getWorkOSStore } from '../store.js';\nimport {\n formatUser,\n formatDeviceAuthorization,\n verifyPassword,\n isExpired,\n expiresIn,\n assertLocalRedirectUri,\n sealSession,\n} from '../helpers.js';\nimport type { EventBus } from '../event-bus.js';\n\ninterface PendingAuth {\n user_id: string;\n organization_id: string | null;\n auth_method: string;\n}\n\nexport function authRoutes(ctx: RouteContext): void {\n const { app, store, jwt } = ctx;\n const ws = getWorkOSStore(store);\n\n app.get('/user_management/authorize', (c) => {\n const url = new URL(c.req.url);\n const redirectUri = url.searchParams.get('redirect_uri');\n const state = url.searchParams.get('state');\n const codeChallenge = url.searchParams.get('code_challenge');\n const codeChallengeMethod = url.searchParams.get('code_challenge_method');\n const loginHint = url.searchParams.get('login_hint');\n\n if (!redirectUri) {\n throw new WorkOSApiError(400, 'redirect_uri is required', 'invalid_request');\n }\n assertLocalRedirectUri(redirectUri);\n\n let user;\n if (loginHint) {\n user = ws.users.findOneBy('email', loginHint);\n if (!user) {\n const redirect = new URL(redirectUri);\n redirect.searchParams.set('error', 'user_not_found');\n if (state) redirect.searchParams.set('state', state);\n return c.redirect(redirect.toString());\n }\n } else {\n const users = ws.users.all();\n user = users[0];\n }\n\n if (!user) {\n const redirect = new URL(redirectUri);\n redirect.searchParams.set('error', 'no_users');\n if (state) redirect.searchParams.set('state', state);\n return c.redirect(redirect.toString());\n }\n\n const authCode = ws.authCodes.insert({\n user_id: user.id,\n organization_id: null,\n code: generateId('auth_code'),\n redirect_uri: redirectUri,\n expires_at: expiresIn(10),\n code_challenge: codeChallenge ?? null,\n code_challenge_method: codeChallengeMethod ?? null,\n });\n\n const redirect = new URL(redirectUri);\n redirect.searchParams.set('code', authCode.code);\n if (state) redirect.searchParams.set('state', state);\n return c.redirect(redirect.toString());\n });\n\n // Device authorization endpoint\n app.post('/user_management/authorize/device', async (c) => {\n const body = await parseJsonBody(c);\n const clientId = body.client_id as string;\n if (!clientId) {\n throw new WorkOSApiError(400, 'client_id is required', 'invalid_request');\n }\n\n // Auto-approve with first user for emulator convenience\n const users = ws.users.all();\n const user = users[0] ?? null;\n\n const deviceAuth = ws.deviceAuthorizations.insert({\n device_code: generateId('dev_code'),\n user_code: Math.random().toString(36).slice(2, 10).toUpperCase(),\n user_id: user?.id ?? null,\n client_id: clientId,\n expires_at: expiresIn(15),\n interval: 5,\n });\n\n return c.json(formatDeviceAuthorization(deviceAuth));\n });\n\n // AuthKit SDK uses /x/authkit/users/authenticate for the same flow\n const authenticateHandler = async (c: any) => {\n const body = await parseJsonBody(c);\n const grantType = body.grant_type as string | undefined;\n const clientId = body.client_id as string | undefined;\n const clientSecret = body.client_secret as string | undefined;\n\n if (!grantType) {\n throw new WorkOSApiError(400, 'grant_type is required', 'invalid_request');\n }\n\n let user;\n let organizationId: string | null = null;\n let authMethod: string;\n\n switch (grantType) {\n case 'authorization_code': {\n const code = body.code as string;\n if (!code) throw new WorkOSApiError(400, 'code is required', 'invalid_request');\n\n const authCode = ws.authCodes.all().find((ac) => ac.code === code);\n if (!authCode) throw new WorkOSApiError(400, 'Invalid code', 'invalid_code');\n if (isExpired(authCode.expires_at)) {\n throw new WorkOSApiError(400, 'Code has expired', 'expired_code');\n }\n\n if (authCode.code_challenge) {\n const codeVerifier = body.code_verifier as string;\n if (!codeVerifier) {\n throw new WorkOSApiError(400, 'code_verifier is required', 'invalid_request');\n }\n const method = authCode.code_challenge_method ?? 'S256';\n let challenge: string;\n if (method === 'S256') {\n challenge = createHash('sha256').update(codeVerifier).digest('base64url');\n } else {\n challenge = codeVerifier;\n }\n if (challenge !== authCode.code_challenge) {\n throw new WorkOSApiError(400, 'Invalid code_verifier', 'invalid_code_verifier');\n }\n }\n\n user = ws.users.get(authCode.user_id);\n organizationId = authCode.organization_id;\n ws.authCodes.delete(authCode.id);\n authMethod = 'OAuth';\n break;\n }\n\n case 'password': {\n const email = body.email as string;\n const password = body.password as string;\n if (!email || !password) {\n throw new WorkOSApiError(400, 'email and password are required', 'invalid_request');\n }\n\n user = ws.users.findOneBy('email', email);\n if (!user || !user.password_hash || !verifyPassword(password, user.password_hash)) {\n throw new WorkOSApiError(401, 'Invalid credentials', 'invalid_credentials');\n }\n authMethod = 'Password';\n break;\n }\n\n // Accept both old and new grant type names for magic-auth\n case 'urn:workos:oauth:grant-type:magic-auth':\n case 'urn:workos:oauth:grant-type:magic-auth:code': {\n const code = body.code as string;\n const email = body.email as string;\n if (!code || !email) {\n throw new WorkOSApiError(400, 'code and email are required', 'invalid_request');\n }\n\n const magicAuth = ws.magicAuths.all().find((ma) => ma.code === code && ma.email === email);\n if (!magicAuth) {\n throw new WorkOSApiError(400, 'Invalid code', 'invalid_code');\n }\n if (isExpired(magicAuth.expires_at)) {\n throw new WorkOSApiError(400, 'Code has expired', 'expired_code');\n }\n\n user = ws.users.get(magicAuth.user_id);\n ws.magicAuths.delete(magicAuth.id);\n authMethod = 'MagicAuth';\n break;\n }\n\n // Accept both old and new grant type names for email-verification\n case 'urn:workos:oauth:grant-type:email-verification':\n case 'urn:workos:oauth:grant-type:email-verification:code': {\n const code = body.code as string;\n const userId = body.user_id as string;\n if (!code || !userId) {\n throw new WorkOSApiError(400, 'code and user_id are required', 'invalid_request');\n }\n\n const ev = ws.emailVerifications.findBy('user_id', userId).find((v) => v.code === code);\n if (!ev) {\n throw new WorkOSApiError(400, 'Invalid code', 'invalid_code');\n }\n if (isExpired(ev.expires_at)) {\n throw new WorkOSApiError(400, 'Code has expired', 'expired_code');\n }\n\n ws.users.update(userId, { email_verified: true });\n ws.emailVerifications.delete(ev.id);\n user = ws.users.get(userId);\n authMethod = 'EmailVerification';\n break;\n }\n\n case 'refresh_token': {\n const token = body.refresh_token as string;\n if (!token) {\n throw new WorkOSApiError(400, 'refresh_token is required', 'invalid_request');\n }\n\n const refreshToken = ws.refreshTokens.findOneBy('token', token);\n if (!refreshToken) {\n throw new WorkOSApiError(400, 'Invalid refresh token', 'invalid_grant');\n }\n if (isExpired(refreshToken.expires_at)) {\n ws.refreshTokens.delete(refreshToken.id);\n throw new WorkOSApiError(400, 'Refresh token has expired', 'invalid_grant');\n }\n\n user = ws.users.get(refreshToken.user_id);\n // Allow body.organization_id to switch org context (switchToOrganization)\n organizationId = (body.organization_id as string) ?? refreshToken.organization_id;\n\n // Rotate: delete old, issue new below\n ws.refreshTokens.delete(refreshToken.id);\n authMethod = 'OAuth';\n break;\n }\n\n case 'urn:workos:oauth:grant-type:mfa-totp': {\n const code = body.code as string;\n const pendingToken = body.pending_authentication_token as string;\n const challengeId = body.authentication_challenge_id as string;\n\n if (!code || !pendingToken || !challengeId) {\n throw new WorkOSApiError(\n 400,\n 'code, pending_authentication_token, and authentication_challenge_id are required',\n 'invalid_request',\n );\n }\n\n const pending = store.getData<PendingAuth>(`pending_auth:${pendingToken}`);\n if (!pending) {\n throw new WorkOSApiError(400, 'Invalid pending authentication token', 'invalid_pending_authentication_token');\n }\n\n const challenge = ws.authChallenges.get(challengeId);\n if (!challenge) {\n throw new WorkOSApiError(400, 'Invalid authentication challenge', 'invalid_request');\n }\n if (isExpired(challenge.expires_at)) {\n ws.authChallenges.delete(challenge.id);\n throw new WorkOSApiError(400, 'Challenge has expired', 'expired_challenge');\n }\n\n // Verify code against the challenge's stored code\n if (challenge.code && code !== challenge.code) {\n throw new WorkOSApiError(400, 'Invalid one-time code', 'invalid_one_time_code');\n }\n\n ws.authChallenges.delete(challenge.id);\n store.setData(`pending_auth:${pendingToken}`, undefined);\n\n user = ws.users.get(pending.user_id);\n organizationId = pending.organization_id;\n authMethod = 'MFA';\n break;\n }\n\n case 'urn:workos:oauth:grant-type:organization-selection': {\n const pendingToken = body.pending_authentication_token as string;\n const orgId = body.organization_id as string;\n\n if (!pendingToken || !orgId) {\n throw new WorkOSApiError(\n 400,\n 'pending_authentication_token and organization_id are required',\n 'invalid_request',\n );\n }\n\n const pending = store.getData<PendingAuth>(`pending_auth:${pendingToken}`);\n if (!pending) {\n throw new WorkOSApiError(400, 'Invalid pending authentication token', 'invalid_pending_authentication_token');\n }\n\n const org = ws.organizations.get(orgId);\n if (!org) throw notFound('Organization');\n\n store.setData(`pending_auth:${pendingToken}`, undefined);\n\n user = ws.users.get(pending.user_id);\n organizationId = orgId;\n authMethod = pending.auth_method;\n break;\n }\n\n case 'urn:ietf:params:oauth:grant-type:device_code': {\n const deviceCode = body.device_code as string;\n if (!deviceCode) {\n throw new WorkOSApiError(400, 'device_code is required', 'invalid_request');\n }\n\n const deviceAuth = ws.deviceAuthorizations.findOneBy('device_code', deviceCode);\n if (!deviceAuth) {\n throw new WorkOSApiError(400, 'Invalid device code', 'invalid_grant');\n }\n if (isExpired(deviceAuth.expires_at)) {\n ws.deviceAuthorizations.delete(deviceAuth.id);\n throw new WorkOSApiError(400, 'Device code has expired', 'expired_token');\n }\n if (!deviceAuth.user_id) {\n throw new WorkOSApiError(400, 'Authorization pending', 'authorization_pending');\n }\n\n user = ws.users.get(deviceAuth.user_id);\n ws.deviceAuthorizations.delete(deviceAuth.id);\n authMethod = 'OAuth';\n break;\n }\n\n default:\n throw new WorkOSApiError(400, `Unsupported grant_type: ${grantType}`, 'invalid_request');\n }\n\n if (!user) throw notFound('User');\n\n ws.users.update(user.id, { last_sign_in_at: new Date().toISOString() });\n const updatedUser = ws.users.get(user.id)!;\n\n const session = ws.sessions.insert({\n object: 'session',\n user_id: user.id,\n organization_id: organizationId,\n ip_address: c.req.header('x-forwarded-for') ?? null,\n user_agent: c.req.header('user-agent') ?? null,\n });\n\n // Resolve role + permissions for org-scoped sessions\n let roleSlug: string | undefined;\n let permissionSlugs: string[] | undefined;\n if (organizationId) {\n const membership = ws.organizationMemberships\n .findBy('organization_id', organizationId)\n .find((m) => m.user_id === user.id);\n if (membership) {\n roleSlug = membership.role.slug;\n const role = ws.roles\n .findBy('slug', membership.role.slug)\n .find((r) => r.organization_id === organizationId || r.type === 'EnvironmentRole');\n if (role) {\n const rps = ws.rolePermissions.findBy('role_id', role.id);\n permissionSlugs = rps\n .map((rp) => ws.permissions.get(rp.permission_id))\n .filter(Boolean)\n .map((p) => p!.slug);\n }\n }\n }\n\n const accessToken = jwt.sign({\n sub: user.id,\n sid: session.id,\n org_id: organizationId ?? undefined,\n role: roleSlug,\n permissions: permissionSlugs,\n aud: clientId ?? 'workos-emulate',\n });\n\n // Store a real refresh token\n const newRefreshToken = ws.refreshTokens.insert({\n token: generateId('ref'),\n user_id: user.id,\n organization_id: organizationId,\n session_id: session.id,\n expires_at: expiresIn(30 * 24 * 60), // 30 days\n });\n\n // Compute sealed session when client_secret is provided\n const apiKey = c.req\n .header('Authorization')\n ?.replace(/^Bearer\\s+/i, '')\n .trim();\n const sealKey = clientSecret ?? apiKey;\n const sealedSession = sealKey\n ? sealSession(\n { access_token: accessToken, refresh_token: newRefreshToken.token, session_id: session.id },\n sealKey,\n )\n : null;\n\n // Emit authentication event (hybrid Option B for action-specific events)\n const eventBus = store.getData<EventBus>('eventBus');\n if (eventBus) {\n const authEventType = `authentication.${authMethod.toLowerCase()}_succeeded`;\n eventBus.emit({\n event: authEventType,\n data: { user_id: user.id, email: updatedUser.email, method: authMethod, ip_address: session.ip_address },\n });\n }\n\n return c.json({\n user: formatUser(updatedUser),\n organization_id: organizationId,\n access_token: accessToken,\n refresh_token: newRefreshToken.token,\n authentication_method: authMethod,\n sealed_session: sealedSession,\n impersonator: updatedUser.impersonator ?? undefined,\n });\n };\n\n app.post('/user_management/authenticate', authenticateHandler);\n app.post('/x/authkit/users/authenticate', authenticateHandler);\n}\n"]}

package/dist/emulate/workos/routes/authorization-checks.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { type RouteContext } from '../../core/index.js';
+import { getWorkOSStore } from '../store.js';
+/**
+ * Gather all permission slugs for a given membership:
+ * 1. From the membership's role (role.slug field)
+ * 2. From any additional role assignments
+ */
+declare function getPermissionsForMembership(ws: ReturnType<typeof getWorkOSStore>, membershipId: string): Set<string>;
+export declare function authorizationCheckRoutes(ctx: RouteContext): void;
+export { getPermissionsForMembership };

package/dist/emulate/workos/routes/authorization-checks.js ADDED Viewed

@@ -0,0 +1,135 @@
+import { notFound, validationError, parseJsonBody } from '../../core/index.js';
+import { getWorkOSStore } from '../store.js';
+import { formatRoleAssignment, formatAuthorizationResource, parseListParams } from '../helpers.js';
+/**
+ * Gather all permission slugs for a given membership:
+ * 1. From the membership's role (role.slug field)
+ * 2. From any additional role assignments
+ */
+function getPermissionsForMembership(ws, membershipId) {
+    const membership = ws.organizationMemberships.get(membershipId);
+    if (!membership)
+        return new Set();
+    const permSlugs = new Set();
+    // Permissions from the membership's primary role
+    const primaryRole = ws.roles
+        .findBy('slug', membership.role.slug)
+        .find((r) => r.organization_id === membership.organization_id || r.type === 'EnvironmentRole');
+    if (primaryRole) {
+        const rps = ws.rolePermissions.findBy('role_id', primaryRole.id);
+        for (const rp of rps) {
+            const perm = ws.permissions.get(rp.permission_id);
+            if (perm)
+                permSlugs.add(perm.slug);
+        }
+    }
+    // Permissions from additional role assignments
+    const assignments = ws.roleAssignments.findBy('organization_membership_id', membershipId);
+    for (const assignment of assignments) {
+        const role = ws.roles.get(assignment.role_id);
+        if (!role)
+            continue;
+        const rps = ws.rolePermissions.findBy('role_id', role.id);
+        for (const rp of rps) {
+            const perm = ws.permissions.get(rp.permission_id);
+            if (perm)
+                permSlugs.add(perm.slug);
+        }
+    }
+    return permSlugs;
+}
+export function authorizationCheckRoutes(ctx) {
+    const { app, store } = ctx;
+    // Permission check
+    app.post('/authorization/organization_memberships/:id/check', async (c) => {
+        const ws = getWorkOSStore(store);
+        const membershipId = c.req.param('id');
+        const membership = ws.organizationMemberships.get(membershipId);
+        if (!membership)
+            throw notFound('OrganizationMembership');
+        const body = await parseJsonBody(c);
+        const permission = body.permission;
+        if (!permission) {
+            throw validationError('permission is required', [{ field: 'permission', code: 'required' }]);
+        }
+        const permSlugs = getPermissionsForMembership(ws, membershipId);
+        return c.json({ authorized: permSlugs.has(permission) });
+    });
+    // List resources accessible to a membership (all resources in the membership's org)
+    app.get('/authorization/organization_memberships/:id/resources', (c) => {
+        const ws = getWorkOSStore(store);
+        const membershipId = c.req.param('id');
+        const membership = ws.organizationMemberships.get(membershipId);
+        if (!membership)
+            throw notFound('OrganizationMembership');
+        const url = new URL(c.req.url);
+        const params = parseListParams(url);
+        const result = ws.authorizationResources.list({
+            ...params,
+            filter: (r) => r.organization_id === membership.organization_id,
+        });
+        return c.json({
+            object: 'list',
+            data: result.data.map(formatAuthorizationResource),
+            list_metadata: result.list_metadata,
+        });
+    });
+    // List role assignments for a membership
+    app.get('/authorization/organization_memberships/:id/role_assignments', (c) => {
+        const ws = getWorkOSStore(store);
+        const membershipId = c.req.param('id');
+        const membership = ws.organizationMemberships.get(membershipId);
+        if (!membership)
+            throw notFound('OrganizationMembership');
+        const url = new URL(c.req.url);
+        const params = parseListParams(url);
+        const result = ws.roleAssignments.list({
+            ...params,
+            filter: (ra) => ra.organization_membership_id === membershipId,
+        });
+        return c.json({
+            object: 'list',
+            data: result.data.map(formatRoleAssignment),
+            list_metadata: result.list_metadata,
+        });
+    });
+    // Create role assignment
+    app.post('/authorization/organization_memberships/:id/role_assignments', async (c) => {
+        const ws = getWorkOSStore(store);
+        const membershipId = c.req.param('id');
+        const membership = ws.organizationMemberships.get(membershipId);
+        if (!membership)
+            throw notFound('OrganizationMembership');
+        const body = await parseJsonBody(c);
+        const roleId = body.role_id;
+        if (!roleId) {
+            throw validationError('role_id is required', [{ field: 'role_id', code: 'required' }]);
+        }
+        const role = ws.roles.get(roleId);
+        if (!role)
+            throw notFound('Role');
+        const assignment = ws.roleAssignments.insert({
+            object: 'role_assignment',
+            organization_membership_id: membershipId,
+            role_id: roleId,
+        });
+        return c.json(formatRoleAssignment(assignment), 201);
+    });
+    // Delete role assignment
+    app.delete('/authorization/organization_memberships/:id/role_assignments/:assignmentId', (c) => {
+        const ws = getWorkOSStore(store);
+        const membershipId = c.req.param('id');
+        const assignmentId = c.req.param('assignmentId');
+        const membership = ws.organizationMemberships.get(membershipId);
+        if (!membership)
+            throw notFound('OrganizationMembership');
+        const assignment = ws.roleAssignments.get(assignmentId);
+        if (!assignment || assignment.organization_membership_id !== membershipId) {
+            throw notFound('RoleAssignment');
+        }
+        ws.roleAssignments.delete(assignmentId);
+        return c.body(null, 204);
+    });
+}
+export { getPermissionsForMembership };
+//# sourceMappingURL=authorization-checks.js.map

package/dist/emulate/workos/routes/authorization-checks.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"authorization-checks.js","sourceRoot":"","sources":["../../../../src/emulate/workos/routes/authorization-checks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAqB,QAAQ,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAClG,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,oBAAoB,EAAE,2BAA2B,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEnG;;;;GAIG;AACH,SAAS,2BAA2B,CAAC,EAAqC,EAAE,YAAoB;IAC9F,MAAM,UAAU,GAAG,EAAE,CAAC,uBAAuB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAChE,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,GAAG,EAAE,CAAC;IAElC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IAEpC,iDAAiD;IACjD,MAAM,WAAW,GAAG,EAAE,CAAC,KAAK;SACzB,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;SACpC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,KAAK,UAAU,CAAC,eAAe,IAAI,CAAC,CAAC,IAAI,KAAK,iBAAiB,CAAC,CAAC;IACjG,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,GAAG,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC;QACjE,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,GAAG,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC;YAClD,IAAI,IAAI;gBAAE,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAED,+CAA+C;IAC/C,MAAM,WAAW,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,4BAA4B,EAAE,YAAY,CAAC,CAAC;IAC1F,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAC9C,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,MAAM,GAAG,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QAC1D,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,GAAG,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC;YAClD,IAAI,IAAI;gBAAE,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,GAAiB;IACxD,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;IAE3B,mBAAmB;IACnB,GAAG,CAAC,IAAI,CAAC,mDAAmD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACxE,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,UAAU,GAAG,EAAE,CAAC,uBAAuB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAChE,IAAI,CAAC,UAAU;YAAE,MAAM,QAAQ,CAAC,wBAAwB,CAAC,CAAC;QAE1D,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,UAAU,GAAG,IAAI,CAAC,UAAoB,CAAC;QAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,eAAe,CAAC,wBAAwB,EAAE,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;QAC/F,CAAC;QAED,MAAM,SAAS,GAAG,2BAA2B,CAAC,EAAE,EAAE,YAAY,CAAC,CAAC;QAChE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,oFAAoF;IACpF,GAAG,CAAC,GAAG,CAAC,uDAAuD,EAAE,CAAC,CAAC,EAAE,EAAE;QACrE,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,UAAU,GAAG,EAAE,CAAC,uBAAuB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAChE,IAAI,CAAC,UAAU;YAAE,MAAM,QAAQ,CAAC,wBAAwB,CAAC,CAAC;QAE1D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QAEpC,MAAM,MAAM,GAAG,EAAE,CAAC,sBAAsB,CAAC,IAAI,CAAC;YAC5C,GAAG,MAAM;YACT,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,KAAK,UAAU,CAAC,eAAe;SAChE,CAAC,CAAC;QAEH,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,2BAA2B,CAAC;YAClD,aAAa,EAAE,MAAM,CAAC,aAAa;SACpC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,yCAAyC;IACzC,GAAG,CAAC,GAAG,CAAC,8DAA8D,EAAE,CAAC,CAAC,EAAE,EAAE;QAC5E,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,UAAU,GAAG,EAAE,CAAC,uBAAuB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAChE,IAAI,CAAC,UAAU;YAAE,MAAM,QAAQ,CAAC,wBAAwB,CAAC,CAAC;QAE1D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QAEpC,MAAM,MAAM,GAAG,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC;YACrC,GAAG,MAAM;YACT,MAAM,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,0BAA0B,KAAK,YAAY;SAC/D,CAAC,CAAC;QAEH,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,oBAAoB,CAAC;YAC3C,aAAa,EAAE,MAAM,CAAC,aAAa;SACpC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,yBAAyB;IACzB,GAAG,CAAC,IAAI,CAAC,8DAA8D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACnF,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,UAAU,GAAG,EAAE,CAAC,uBAAuB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAChE,IAAI,CAAC,UAAU;YAAE,MAAM,QAAQ,CAAC,wBAAwB,CAAC,CAAC;QAE1D,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAiB,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,eAAe,CAAC,qBAAqB,EAAE,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;QACzF,CAAC;QAED,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI;YAAE,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;QAElC,MAAM,UAAU,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC;YAC3C,MAAM,EAAE,iBAAiB;YACzB,0BAA0B,EAAE,YAAY;YACxC,OAAO,EAAE,MAAM;SAChB,CAAC,CAAC;QAEH,OAAO,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,UAAU,CAAC,EAAE,GAAG,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,yBAAyB;IACzB,GAAG,CAAC,MAAM,CAAC,4EAA4E,EAAE,CAAC,CAAC,EAAE,EAAE;QAC7F,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;QAEjD,MAAM,UAAU,GAAG,EAAE,CAAC,uBAAuB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAChE,IAAI,CAAC,UAAU;YAAE,MAAM,QAAQ,CAAC,wBAAwB,CAAC,CAAC;QAE1D,MAAM,UAAU,GAAG,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,0BAA0B,KAAK,YAAY,EAAE,CAAC;YAC1E,MAAM,QAAQ,CAAC,gBAAgB,CAAC,CAAC;QACnC,CAAC;QAED,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QACxC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,OAAO,EAAE,2BAA2B,EAAE,CAAC","sourcesContent":["import { type RouteContext, notFound, validationError, parseJsonBody } from '../../core/index.js';\nimport { getWorkOSStore } from '../store.js';\nimport { formatRoleAssignment, formatAuthorizationResource, parseListParams } from '../helpers.js';\n\n/**\n * Gather all permission slugs for a given membership:\n * 1. From the membership's role (role.slug field)\n * 2. From any additional role assignments\n */\nfunction getPermissionsForMembership(ws: ReturnType<typeof getWorkOSStore>, membershipId: string): Set<string> {\n const membership = ws.organizationMemberships.get(membershipId);\n if (!membership) return new Set();\n\n const permSlugs = new Set<string>();\n\n // Permissions from the membership's primary role\n const primaryRole = ws.roles\n .findBy('slug', membership.role.slug)\n .find((r) => r.organization_id === membership.organization_id || r.type === 'EnvironmentRole');\n if (primaryRole) {\n const rps = ws.rolePermissions.findBy('role_id', primaryRole.id);\n for (const rp of rps) {\n const perm = ws.permissions.get(rp.permission_id);\n if (perm) permSlugs.add(perm.slug);\n }\n }\n\n // Permissions from additional role assignments\n const assignments = ws.roleAssignments.findBy('organization_membership_id', membershipId);\n for (const assignment of assignments) {\n const role = ws.roles.get(assignment.role_id);\n if (!role) continue;\n const rps = ws.rolePermissions.findBy('role_id', role.id);\n for (const rp of rps) {\n const perm = ws.permissions.get(rp.permission_id);\n if (perm) permSlugs.add(perm.slug);\n }\n }\n\n return permSlugs;\n}\n\nexport function authorizationCheckRoutes(ctx: RouteContext): void {\n const { app, store } = ctx;\n\n // Permission check\n app.post('/authorization/organization_memberships/:id/check', async (c) => {\n const ws = getWorkOSStore(store);\n const membershipId = c.req.param('id');\n const membership = ws.organizationMemberships.get(membershipId);\n if (!membership) throw notFound('OrganizationMembership');\n\n const body = await parseJsonBody(c);\n const permission = body.permission as string;\n if (!permission) {\n throw validationError('permission is required', [{ field: 'permission', code: 'required' }]);\n }\n\n const permSlugs = getPermissionsForMembership(ws, membershipId);\n return c.json({ authorized: permSlugs.has(permission) });\n });\n\n // List resources accessible to a membership (all resources in the membership's org)\n app.get('/authorization/organization_memberships/:id/resources', (c) => {\n const ws = getWorkOSStore(store);\n const membershipId = c.req.param('id');\n const membership = ws.organizationMemberships.get(membershipId);\n if (!membership) throw notFound('OrganizationMembership');\n\n const url = new URL(c.req.url);\n const params = parseListParams(url);\n\n const result = ws.authorizationResources.list({\n ...params,\n filter: (r) => r.organization_id === membership.organization_id,\n });\n\n return c.json({\n object: 'list',\n data: result.data.map(formatAuthorizationResource),\n list_metadata: result.list_metadata,\n });\n });\n\n // List role assignments for a membership\n app.get('/authorization/organization_memberships/:id/role_assignments', (c) => {\n const ws = getWorkOSStore(store);\n const membershipId = c.req.param('id');\n const membership = ws.organizationMemberships.get(membershipId);\n if (!membership) throw notFound('OrganizationMembership');\n\n const url = new URL(c.req.url);\n const params = parseListParams(url);\n\n const result = ws.roleAssignments.list({\n ...params,\n filter: (ra) => ra.organization_membership_id === membershipId,\n });\n\n return c.json({\n object: 'list',\n data: result.data.map(formatRoleAssignment),\n list_metadata: result.list_metadata,\n });\n });\n\n // Create role assignment\n app.post('/authorization/organization_memberships/:id/role_assignments', async (c) => {\n const ws = getWorkOSStore(store);\n const membershipId = c.req.param('id');\n const membership = ws.organizationMemberships.get(membershipId);\n if (!membership) throw notFound('OrganizationMembership');\n\n const body = await parseJsonBody(c);\n const roleId = body.role_id as string;\n if (!roleId) {\n throw validationError('role_id is required', [{ field: 'role_id', code: 'required' }]);\n }\n\n const role = ws.roles.get(roleId);\n if (!role) throw notFound('Role');\n\n const assignment = ws.roleAssignments.insert({\n object: 'role_assignment',\n organization_membership_id: membershipId,\n role_id: roleId,\n });\n\n return c.json(formatRoleAssignment(assignment), 201);\n });\n\n // Delete role assignment\n app.delete('/authorization/organization_memberships/:id/role_assignments/:assignmentId', (c) => {\n const ws = getWorkOSStore(store);\n const membershipId = c.req.param('id');\n const assignmentId = c.req.param('assignmentId');\n\n const membership = ws.organizationMemberships.get(membershipId);\n if (!membership) throw notFound('OrganizationMembership');\n\n const assignment = ws.roleAssignments.get(assignmentId);\n if (!assignment || assignment.organization_membership_id !== membershipId) {\n throw notFound('RoleAssignment');\n }\n\n ws.roleAssignments.delete(assignmentId);\n return c.body(null, 204);\n });\n}\n\nexport { getPermissionsForMembership };\n"]}

package/dist/emulate/workos/routes/authorization-org-roles.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { type RouteContext } from '../../core/index.js';
2	+ export declare function authorizationOrgRoleRoutes(ctx: RouteContext): void;

package/dist/emulate/workos/routes/authorization-org-roles.js ADDED Viewed

@@ -0,0 +1,206 @@
+import { notFound, validationError, parseJsonBody } from '../../core/index.js';
+import { getWorkOSStore } from '../store.js';
+import { formatRole, formatPermission, parseListParams } from '../helpers.js';
+export function authorizationOrgRoleRoutes(ctx) {
+    const { app, store } = ctx;
+    app.post('/authorization/organizations/:orgId/roles', async (c) => {
+        const ws = getWorkOSStore(store);
+        const orgId = c.req.param('orgId');
+        const org = ws.organizations.get(orgId);
+        if (!org)
+            throw notFound('Organization');
+        const body = await parseJsonBody(c);
+        const slug = body.slug;
+        const name = body.name;
+        if (!slug || typeof slug !== 'string') {
+            throw validationError('slug is required', [{ field: 'slug', code: 'required' }]);
+        }
+        if (!name || typeof name !== 'string') {
+            throw validationError('name is required', [{ field: 'name', code: 'required' }]);
+        }
+        // Check uniqueness within this org
+        const existing = ws.roles
+            .findBy('organization_id', orgId)
+            .find((r) => r.slug === slug && r.type === 'OrganizationRole');
+        if (existing) {
+            throw validationError('Role with this slug already exists in this organization', [
+                { field: 'slug', code: 'duplicate' },
+            ]);
+        }
+        const role = ws.roles.insert({
+            object: 'role',
+            slug,
+            name,
+            description: body.description ?? null,
+            type: 'OrganizationRole',
+            organization_id: orgId,
+            is_default_role: Boolean(body.is_default_role),
+            priority: typeof body.priority === 'number' ? body.priority : 0,
+        });
+        return c.json(formatRole(role), 201);
+    });
+    app.get('/authorization/organizations/:orgId/roles', (c) => {
+        const ws = getWorkOSStore(store);
+        const orgId = c.req.param('orgId');
+        const url = new URL(c.req.url);
+        const params = parseListParams(url);
+        const result = ws.roles.list({
+            ...params,
+            filter: (r) => r.organization_id === orgId && r.type === 'OrganizationRole',
+        });
+        return c.json({
+            object: 'list',
+            data: result.data.map(formatRole),
+            list_metadata: result.list_metadata,
+        });
+    });
+    // Priority ordering — must be registered before :slug routes
+    app.put('/authorization/organizations/:orgId/roles/priority', async (c) => {
+        const ws = getWorkOSStore(store);
+        const orgId = c.req.param('orgId');
+        const body = await parseJsonBody(c);
+        const slugs = body.slugs;
+        if (!Array.isArray(slugs)) {
+            throw validationError('slugs must be an array', [{ field: 'slugs', code: 'invalid' }]);
+        }
+        for (let i = 0; i < slugs.length; i++) {
+            const role = ws.roles
+                .findBy('organization_id', orgId)
+                .find((r) => r.slug === slugs[i] && r.type === 'OrganizationRole');
+            if (!role)
+                throw notFound('Role');
+            ws.roles.update(role.id, { priority: i });
+        }
+        const roles = ws.roles
+            .findBy('organization_id', orgId)
+            .filter((r) => r.type === 'OrganizationRole')
+            .sort((a, b) => a.priority - b.priority);
+        return c.json({
+            object: 'list',
+            data: roles.map(formatRole),
+            list_metadata: { before: null, after: null },
+        });
+    });
+    app.get('/authorization/organizations/:orgId/roles/:slug', (c) => {
+        const ws = getWorkOSStore(store);
+        const orgId = c.req.param('orgId');
+        const slug = c.req.param('slug');
+        const role = ws.roles
+            .findBy('organization_id', orgId)
+            .find((r) => r.slug === slug && r.type === 'OrganizationRole');
+        if (!role)
+            throw notFound('Role');
+        return c.json(formatRole(role));
+    });
+    app.put('/authorization/organizations/:orgId/roles/:slug', async (c) => {
+        const ws = getWorkOSStore(store);
+        const orgId = c.req.param('orgId');
+        const slug = c.req.param('slug');
+        const role = ws.roles
+            .findBy('organization_id', orgId)
+            .find((r) => r.slug === slug && r.type === 'OrganizationRole');
+        if (!role)
+            throw notFound('Role');
+        const body = await parseJsonBody(c);
+        const updates = {};
+        if ('name' in body)
+            updates.name = body.name;
+        if ('description' in body)
+            updates.description = body.description ?? null;
+        if ('is_default_role' in body)
+            updates.is_default_role = Boolean(body.is_default_role);
+        if ('priority' in body)
+            updates.priority = body.priority;
+        const updated = ws.roles.update(role.id, updates);
+        return c.json(formatRole(updated));
+    });
+    app.delete('/authorization/organizations/:orgId/roles/:slug', (c) => {
+        const ws = getWorkOSStore(store);
+        const orgId = c.req.param('orgId');
+        const slug = c.req.param('slug');
+        const role = ws.roles
+            .findBy('organization_id', orgId)
+            .find((r) => r.slug === slug && r.type === 'OrganizationRole');
+        if (!role)
+            throw notFound('Role');
+        // Cascade: remove role-permission joins and role assignments
+        const rps = ws.rolePermissions.findBy('role_id', role.id);
+        for (const rp of rps)
+            ws.rolePermissions.delete(rp.id);
+        const ras = ws.roleAssignments.findBy('role_id', role.id);
+        for (const ra of ras)
+            ws.roleAssignments.delete(ra.id);
+        ws.roles.delete(role.id);
+        return c.body(null, 204);
+    });
+    // Org role permissions
+    app.get('/authorization/organizations/:orgId/roles/:slug/permissions', (c) => {
+        const ws = getWorkOSStore(store);
+        const orgId = c.req.param('orgId');
+        const slug = c.req.param('slug');
+        const role = ws.roles
+            .findBy('organization_id', orgId)
+            .find((r) => r.slug === slug && r.type === 'OrganizationRole');
+        if (!role)
+            throw notFound('Role');
+        const rps = ws.rolePermissions.findBy('role_id', role.id);
+        const permissions = rps.map((rp) => ws.permissions.get(rp.permission_id)).filter(Boolean);
+        return c.json({
+            object: 'list',
+            data: permissions.map((p) => formatPermission(p)),
+            list_metadata: { before: null, after: null },
+        });
+    });
+    app.post('/authorization/organizations/:orgId/roles/:slug/permissions', async (c) => {
+        const ws = getWorkOSStore(store);
+        const orgId = c.req.param('orgId');
+        const slug = c.req.param('slug');
+        const role = ws.roles
+            .findBy('organization_id', orgId)
+            .find((r) => r.slug === slug && r.type === 'OrganizationRole');
+        if (!role)
+            throw notFound('Role');
+        const body = await parseJsonBody(c);
+        const permissionSlugs = body.permissions;
+        if (!Array.isArray(permissionSlugs)) {
+            throw validationError('permissions must be an array of slugs', [{ field: 'permissions', code: 'invalid' }]);
+        }
+        // Replace all
+        const existing = ws.rolePermissions.findBy('role_id', role.id);
+        for (const rp of existing)
+            ws.rolePermissions.delete(rp.id);
+        for (const permSlug of permissionSlugs) {
+            const perm = ws.permissions.findOneBy('slug', permSlug);
+            if (!perm)
+                throw notFound('Permission');
+            ws.rolePermissions.insert({ role_id: role.id, permission_id: perm.id });
+        }
+        const rps = ws.rolePermissions.findBy('role_id', role.id);
+        const permissions = rps.map((rp) => ws.permissions.get(rp.permission_id)).filter(Boolean);
+        return c.json({
+            object: 'list',
+            data: permissions.map((p) => formatPermission(p)),
+            list_metadata: { before: null, after: null },
+        });
+    });
+    app.delete('/authorization/organizations/:orgId/roles/:slug/permissions/:permissionSlug', (c) => {
+        const ws = getWorkOSStore(store);
+        const orgId = c.req.param('orgId');
+        const slug = c.req.param('slug');
+        const permissionSlug = c.req.param('permissionSlug');
+        const role = ws.roles
+            .findBy('organization_id', orgId)
+            .find((r) => r.slug === slug && r.type === 'OrganizationRole');
+        if (!role)
+            throw notFound('Role');
+        const perm = ws.permissions.findOneBy('slug', permissionSlug);
+        if (!perm)
+            throw notFound('Permission');
+        const rp = ws.rolePermissions.findBy('role_id', role.id).find((rp) => rp.permission_id === perm.id);
+        if (!rp)
+            throw notFound('RolePermission');
+        ws.rolePermissions.delete(rp.id);
+        return c.body(null, 204);
+    });
+}
+//# sourceMappingURL=authorization-org-roles.js.map

package/dist/emulate/workos/routes/authorization-org-roles.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"authorization-org-roles.js","sourceRoot":"","sources":["../../../../src/emulate/workos/routes/authorization-org-roles.ts"],"names":[],"mappings":"AAAA,OAAO,EAAqB,QAAQ,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAClG,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAE9E,MAAM,UAAU,0BAA0B,CAAC,GAAiB;IAC1D,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;IAE3B,GAAG,CAAC,IAAI,CAAC,2CAA2C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAChE,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnC,MAAM,GAAG,GAAG,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,GAAG;YAAE,MAAM,QAAQ,CAAC,cAAc,CAAC,CAAC;QAEzC,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAc,CAAC;QACjC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAc,CAAC;QAEjC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,eAAe,CAAC,kBAAkB,EAAE,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;QACnF,CAAC;QACD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,eAAe,CAAC,kBAAkB,EAAE,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;QACnF,CAAC;QAED,mCAAmC;QACnC,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK;aACtB,MAAM,CAAC,iBAAiB,EAAE,KAAK,CAAC;aAChC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,IAAI,KAAK,kBAAkB,CAAC,CAAC;QACjE,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,eAAe,CAAC,yDAAyD,EAAE;gBAC/E,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE;aACrC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC;YAC3B,MAAM,EAAE,MAAM;YACd,IAAI;YACJ,IAAI;YACJ,WAAW,EAAG,IAAI,CAAC,WAAsB,IAAI,IAAI;YACjD,IAAI,EAAE,kBAAkB;YACxB,eAAe,EAAE,KAAK;YACtB,eAAe,EAAE,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC;YAC9C,QAAQ,EAAE,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;SAChE,CAAC,CAAC;QAEH,OAAO,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,2CAA2C,EAAE,CAAC,CAAC,EAAE,EAAE;QACzD,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QAEpC,MAAM,MAAM,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC;YAC3B,GAAG,MAAM;YACT,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,KAAK,KAAK,IAAI,CAAC,CAAC,IAAI,KAAK,kBAAkB;SAC5E,CAAC,CAAC;QAEH,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;YACjC,aAAa,EAAE,MAAM,CAAC,aAAa;SACpC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,6DAA6D;IAC7D,GAAG,CAAC,GAAG,CAAC,oDAAoD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACxE,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAiB,CAAC;QAErC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,MAAM,eAAe,CAAC,wBAAwB,EAAE,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QACzF,CAAC;QAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK;iBAClB,MAAM,CAAC,iBAAiB,EAAE,KAAK,CAAC;iBAChC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,KAAK,kBAAkB,CAAC,CAAC;YACrE,IAAI,CAAC,IAAI;gBAAE,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;YAClC,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC,CAAC;QAC5C,CAAC;QAED,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK;aACnB,MAAM,CAAC,iBAAiB,EAAE,KAAK,CAAC;aAChC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,kBAAkB,CAAC;aAC5C,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;QAE3C,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC;YAC3B,aAAa,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;SAC7C,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,iDAAiD,EAAE,CAAC,CAAC,EAAE,EAAE;QAC/D,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK;aAClB,MAAM,CAAC,iBAAiB,EAAE,KAAK,CAAC;aAChC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,IAAI,KAAK,kBAAkB,CAAC,CAAC;QACjE,IAAI,CAAC,IAAI;YAAE,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;QAClC,OAAO,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,iDAAiD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACrE,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK;aAClB,MAAM,CAAC,iBAAiB,EAAE,KAAK,CAAC;aAChC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,IAAI,KAAK,kBAAkB,CAAC,CAAC;QACjE,IAAI,CAAC,IAAI;YAAE,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;QAElC,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,OAAO,GAA4B,EAAE,CAAC;QAC5C,IAAI,MAAM,IAAI,IAAI;YAAE,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QAC7C,IAAI,aAAa,IAAI,IAAI;YAAE,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC;QAC1E,IAAI,iBAAiB,IAAI,IAAI;YAAE,OAAO,CAAC,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACvF,IAAI,UAAU,IAAI,IAAI;YAAE,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QAEzD,MAAM,OAAO,GAAG,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QAClD,OAAO,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,OAAQ,CAAC,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,MAAM,CAAC,iDAAiD,EAAE,CAAC,CAAC,EAAE,EAAE;QAClE,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK;aAClB,MAAM,CAAC,iBAAiB,EAAE,KAAK,CAAC;aAChC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,IAAI,KAAK,kBAAkB,CAAC,CAAC;QACjE,IAAI,CAAC,IAAI;YAAE,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;QAElC,6DAA6D;QAC7D,MAAM,GAAG,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QAC1D,KAAK,MAAM,EAAE,IAAI,GAAG;YAAE,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QACvD,MAAM,GAAG,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QAC1D,KAAK,MAAM,EAAE,IAAI,GAAG;YAAE,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QAEvD,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACzB,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,uBAAuB;IACvB,GAAG,CAAC,GAAG,CAAC,6DAA6D,EAAE,CAAC,CAAC,EAAE,EAAE;QAC3E,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK;aAClB,MAAM,CAAC,iBAAiB,EAAE,KAAK,CAAC;aAChC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,IAAI,KAAK,kBAAkB,CAAC,CAAC;QACjE,IAAI,CAAC,IAAI;YAAE,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;QAElC,MAAM,GAAG,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QAC1D,MAAM,WAAW,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAE1F,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,CAAE,CAAC,CAAC;YAClD,aAAa,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;SAC7C,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,IAAI,CAAC,6DAA6D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAClF,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK;aAClB,MAAM,CAAC,iBAAiB,EAAE,KAAK,CAAC;aAChC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,IAAI,KAAK,kBAAkB,CAAC,CAAC;QACjE,IAAI,CAAC,IAAI;YAAE,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;QAElC,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,eAAe,GAAG,IAAI,CAAC,WAAuB,CAAC;QACrD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;YACpC,MAAM,eAAe,CAAC,uCAAuC,EAAE,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAC9G,CAAC;QAED,cAAc;QACd,MAAM,QAAQ,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QAC/D,KAAK,MAAM,EAAE,IAAI,QAAQ;YAAE,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QAE5D,KAAK,MAAM,QAAQ,IAAI,eAAe,EAAE,CAAC;YACvC,MAAM,IAAI,GAAG,EAAE,CAAC,WAAW,CAAC,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YACxD,IAAI,CAAC,IAAI;gBAAE,MAAM,QAAQ,CAAC,YAAY,CAAC,CAAC;YACxC,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,aAAa,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1E,CAAC;QAED,MAAM,GAAG,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QAC1D,MAAM,WAAW,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAE1F,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,CAAE,CAAC,CAAC;YAClD,aAAa,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;SAC7C,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,MAAM,CAAC,6EAA6E,EAAE,CAAC,CAAC,EAAE,EAAE;QAC9F,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,cAAc,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAErD,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK;aAClB,MAAM,CAAC,iBAAiB,EAAE,KAAK,CAAC;aAChC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,IAAI,KAAK,kBAAkB,CAAC,CAAC;QACjE,IAAI,CAAC,IAAI;YAAE,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;QAElC,MAAM,IAAI,GAAG,EAAE,CAAC,WAAW,CAAC,SAAS,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;QAC9D,IAAI,CAAC,IAAI;YAAE,MAAM,QAAQ,CAAC,YAAY,CAAC,CAAC;QAExC,MAAM,EAAE,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,aAAa,KAAK,IAAI,CAAC,EAAE,CAAC,CAAC;QACpG,IAAI,CAAC,EAAE;YAAE,MAAM,QAAQ,CAAC,gBAAgB,CAAC,CAAC;QAE1C,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QACjC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["import { type RouteContext, notFound, validationError, parseJsonBody } from '../../core/index.js';\nimport { getWorkOSStore } from '../store.js';\nimport { formatRole, formatPermission, parseListParams } from '../helpers.js';\n\nexport function authorizationOrgRoleRoutes(ctx: RouteContext): void {\n const { app, store } = ctx;\n\n app.post('/authorization/organizations/:orgId/roles', async (c) => {\n const ws = getWorkOSStore(store);\n const orgId = c.req.param('orgId');\n const org = ws.organizations.get(orgId);\n if (!org) throw notFound('Organization');\n\n const body = await parseJsonBody(c);\n const slug = body.slug as string;\n const name = body.name as string;\n\n if (!slug || typeof slug !== 'string') {\n throw validationError('slug is required', [{ field: 'slug', code: 'required' }]);\n }\n if (!name || typeof name !== 'string') {\n throw validationError('name is required', [{ field: 'name', code: 'required' }]);\n }\n\n // Check uniqueness within this org\n const existing = ws.roles\n .findBy('organization_id', orgId)\n .find((r) => r.slug === slug && r.type === 'OrganizationRole');\n if (existing) {\n throw validationError('Role with this slug already exists in this organization', [\n { field: 'slug', code: 'duplicate' },\n ]);\n }\n\n const role = ws.roles.insert({\n object: 'role',\n slug,\n name,\n description: (body.description as string) ?? null,\n type: 'OrganizationRole',\n organization_id: orgId,\n is_default_role: Boolean(body.is_default_role),\n priority: typeof body.priority === 'number' ? body.priority : 0,\n });\n\n return c.json(formatRole(role), 201);\n });\n\n app.get('/authorization/organizations/:orgId/roles', (c) => {\n const ws = getWorkOSStore(store);\n const orgId = c.req.param('orgId');\n const url = new URL(c.req.url);\n const params = parseListParams(url);\n\n const result = ws.roles.list({\n ...params,\n filter: (r) => r.organization_id === orgId && r.type === 'OrganizationRole',\n });\n\n return c.json({\n object: 'list',\n data: result.data.map(formatRole),\n list_metadata: result.list_metadata,\n });\n });\n\n // Priority ordering — must be registered before :slug routes\n app.put('/authorization/organizations/:orgId/roles/priority', async (c) => {\n const ws = getWorkOSStore(store);\n const orgId = c.req.param('orgId');\n const body = await parseJsonBody(c);\n const slugs = body.slugs as string[];\n\n if (!Array.isArray(slugs)) {\n throw validationError('slugs must be an array', [{ field: 'slugs', code: 'invalid' }]);\n }\n\n for (let i = 0; i < slugs.length; i++) {\n const role = ws.roles\n .findBy('organization_id', orgId)\n .find((r) => r.slug === slugs[i] && r.type === 'OrganizationRole');\n if (!role) throw notFound('Role');\n ws.roles.update(role.id, { priority: i });\n }\n\n const roles = ws.roles\n .findBy('organization_id', orgId)\n .filter((r) => r.type === 'OrganizationRole')\n .sort((a, b) => a.priority - b.priority);\n\n return c.json({\n object: 'list',\n data: roles.map(formatRole),\n list_metadata: { before: null, after: null },\n });\n });\n\n app.get('/authorization/organizations/:orgId/roles/:slug', (c) => {\n const ws = getWorkOSStore(store);\n const orgId = c.req.param('orgId');\n const slug = c.req.param('slug');\n const role = ws.roles\n .findBy('organization_id', orgId)\n .find((r) => r.slug === slug && r.type === 'OrganizationRole');\n if (!role) throw notFound('Role');\n return c.json(formatRole(role));\n });\n\n app.put('/authorization/organizations/:orgId/roles/:slug', async (c) => {\n const ws = getWorkOSStore(store);\n const orgId = c.req.param('orgId');\n const slug = c.req.param('slug');\n const role = ws.roles\n .findBy('organization_id', orgId)\n .find((r) => r.slug === slug && r.type === 'OrganizationRole');\n if (!role) throw notFound('Role');\n\n const body = await parseJsonBody(c);\n const updates: Record<string, unknown> = {};\n if ('name' in body) updates.name = body.name;\n if ('description' in body) updates.description = body.description ?? null;\n if ('is_default_role' in body) updates.is_default_role = Boolean(body.is_default_role);\n if ('priority' in body) updates.priority = body.priority;\n\n const updated = ws.roles.update(role.id, updates);\n return c.json(formatRole(updated!));\n });\n\n app.delete('/authorization/organizations/:orgId/roles/:slug', (c) => {\n const ws = getWorkOSStore(store);\n const orgId = c.req.param('orgId');\n const slug = c.req.param('slug');\n const role = ws.roles\n .findBy('organization_id', orgId)\n .find((r) => r.slug === slug && r.type === 'OrganizationRole');\n if (!role) throw notFound('Role');\n\n // Cascade: remove role-permission joins and role assignments\n const rps = ws.rolePermissions.findBy('role_id', role.id);\n for (const rp of rps) ws.rolePermissions.delete(rp.id);\n const ras = ws.roleAssignments.findBy('role_id', role.id);\n for (const ra of ras) ws.roleAssignments.delete(ra.id);\n\n ws.roles.delete(role.id);\n return c.body(null, 204);\n });\n\n // Org role permissions\n app.get('/authorization/organizations/:orgId/roles/:slug/permissions', (c) => {\n const ws = getWorkOSStore(store);\n const orgId = c.req.param('orgId');\n const slug = c.req.param('slug');\n const role = ws.roles\n .findBy('organization_id', orgId)\n .find((r) => r.slug === slug && r.type === 'OrganizationRole');\n if (!role) throw notFound('Role');\n\n const rps = ws.rolePermissions.findBy('role_id', role.id);\n const permissions = rps.map((rp) => ws.permissions.get(rp.permission_id)).filter(Boolean);\n\n return c.json({\n object: 'list',\n data: permissions.map((p) => formatPermission(p!)),\n list_metadata: { before: null, after: null },\n });\n });\n\n app.post('/authorization/organizations/:orgId/roles/:slug/permissions', async (c) => {\n const ws = getWorkOSStore(store);\n const orgId = c.req.param('orgId');\n const slug = c.req.param('slug');\n const role = ws.roles\n .findBy('organization_id', orgId)\n .find((r) => r.slug === slug && r.type === 'OrganizationRole');\n if (!role) throw notFound('Role');\n\n const body = await parseJsonBody(c);\n const permissionSlugs = body.permissions as string[];\n if (!Array.isArray(permissionSlugs)) {\n throw validationError('permissions must be an array of slugs', [{ field: 'permissions', code: 'invalid' }]);\n }\n\n // Replace all\n const existing = ws.rolePermissions.findBy('role_id', role.id);\n for (const rp of existing) ws.rolePermissions.delete(rp.id);\n\n for (const permSlug of permissionSlugs) {\n const perm = ws.permissions.findOneBy('slug', permSlug);\n if (!perm) throw notFound('Permission');\n ws.rolePermissions.insert({ role_id: role.id, permission_id: perm.id });\n }\n\n const rps = ws.rolePermissions.findBy('role_id', role.id);\n const permissions = rps.map((rp) => ws.permissions.get(rp.permission_id)).filter(Boolean);\n\n return c.json({\n object: 'list',\n data: permissions.map((p) => formatPermission(p!)),\n list_metadata: { before: null, after: null },\n });\n });\n\n app.delete('/authorization/organizations/:orgId/roles/:slug/permissions/:permissionSlug', (c) => {\n const ws = getWorkOSStore(store);\n const orgId = c.req.param('orgId');\n const slug = c.req.param('slug');\n const permissionSlug = c.req.param('permissionSlug');\n\n const role = ws.roles\n .findBy('organization_id', orgId)\n .find((r) => r.slug === slug && r.type === 'OrganizationRole');\n if (!role) throw notFound('Role');\n\n const perm = ws.permissions.findOneBy('slug', permissionSlug);\n if (!perm) throw notFound('Permission');\n\n const rp = ws.rolePermissions.findBy('role_id', role.id).find((rp) => rp.permission_id === perm.id);\n if (!rp) throw notFound('RolePermission');\n\n ws.rolePermissions.delete(rp.id);\n return c.body(null, 204);\n });\n}\n"]}

package/dist/emulate/workos/routes/authorization-permissions.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { type RouteContext } from '../../core/index.js';
2	+ export declare function authorizationPermissionRoutes(ctx: RouteContext): void;

package/dist/emulate/workos/routes/authorization-permissions.js ADDED Viewed

@@ -0,0 +1,78 @@
+import { notFound, validationError, parseJsonBody } from '../../core/index.js';
+import { getWorkOSStore } from '../store.js';
+import { formatPermission, parseListParams } from '../helpers.js';
+export function authorizationPermissionRoutes(ctx) {
+    const { app, store } = ctx;
+    app.post('/authorization/permissions', async (c) => {
+        const ws = getWorkOSStore(store);
+        const body = await parseJsonBody(c);
+        const slug = body.slug;
+        const name = body.name;
+        if (!slug || typeof slug !== 'string') {
+            throw validationError('slug is required', [{ field: 'slug', code: 'required' }]);
+        }
+        if (!name || typeof name !== 'string') {
+            throw validationError('name is required', [{ field: 'name', code: 'required' }]);
+        }
+        const existing = ws.permissions.findOneBy('slug', slug);
+        if (existing) {
+            throw validationError('Permission with this slug already exists', [{ field: 'slug', code: 'duplicate' }]);
+        }
+        const permission = ws.permissions.insert({
+            object: 'permission',
+            slug,
+            name,
+            description: body.description ?? null,
+        });
+        return c.json(formatPermission(permission), 201);
+    });
+    app.get('/authorization/permissions', (c) => {
+        const ws = getWorkOSStore(store);
+        const url = new URL(c.req.url);
+        const params = parseListParams(url);
+        const result = ws.permissions.list(params);
+        return c.json({
+            object: 'list',
+            data: result.data.map(formatPermission),
+            list_metadata: result.list_metadata,
+        });
+    });
+    app.get('/authorization/permissions/:slug', (c) => {
+        const ws = getWorkOSStore(store);
+        const slug = c.req.param('slug');
+        const permission = ws.permissions.findOneBy('slug', slug);
+        if (!permission)
+            throw notFound('Permission');
+        return c.json(formatPermission(permission));
+    });
+    app.put('/authorization/permissions/:slug', async (c) => {
+        const ws = getWorkOSStore(store);
+        const slug = c.req.param('slug');
+        const permission = ws.permissions.findOneBy('slug', slug);
+        if (!permission)
+            throw notFound('Permission');
+        const body = await parseJsonBody(c);
+        const updates = {};
+        if ('name' in body)
+            updates.name = body.name;
+        if ('description' in body)
+            updates.description = body.description ?? null;
+        const updated = ws.permissions.update(permission.id, updates);
+        return c.json(formatPermission(updated));
+    });
+    app.delete('/authorization/permissions/:slug', (c) => {
+        const ws = getWorkOSStore(store);
+        const slug = c.req.param('slug');
+        const permission = ws.permissions.findOneBy('slug', slug);
+        if (!permission)
+            throw notFound('Permission');
+        // Cascade: remove from all role-permission joins
+        const rps = ws.rolePermissions.findBy('permission_id', permission.id);
+        for (const rp of rps) {
+            ws.rolePermissions.delete(rp.id);
+        }
+        ws.permissions.delete(permission.id);
+        return c.body(null, 204);
+    });
+}
+//# sourceMappingURL=authorization-permissions.js.map

package/dist/emulate/workos/routes/authorization-permissions.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"authorization-permissions.js","sourceRoot":"","sources":["../../../../src/emulate/workos/routes/authorization-permissions.ts"],"names":[],"mappings":"AAAA,OAAO,EAAqB,QAAQ,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAClG,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAElE,MAAM,UAAU,6BAA6B,CAAC,GAAiB;IAC7D,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;IAE3B,GAAG,CAAC,IAAI,CAAC,4BAA4B,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACjD,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAc,CAAC;QACjC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAc,CAAC;QAEjC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,eAAe,CAAC,kBAAkB,EAAE,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;QACnF,CAAC;QACD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,eAAe,CAAC,kBAAkB,EAAE,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;QACnF,CAAC;QAED,MAAM,QAAQ,GAAG,EAAE,CAAC,WAAW,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACxD,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,eAAe,CAAC,0CAA0C,EAAE,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC;QAC5G,CAAC;QAED,MAAM,UAAU,GAAG,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC;YACvC,MAAM,EAAE,YAAY;YACpB,IAAI;YACJ,IAAI;YACJ,WAAW,EAAG,IAAI,CAAC,WAAsB,IAAI,IAAI;SAClD,CAAC,CAAC;QAEH,OAAO,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,EAAE,GAAG,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,4BAA4B,EAAE,CAAC,CAAC,EAAE,EAAE;QAC1C,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QAEpC,MAAM,MAAM,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3C,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,gBAAgB,CAAC;YACvC,aAAa,EAAE,MAAM,CAAC,aAAa;SACpC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,kCAAkC,EAAE,CAAC,CAAC,EAAE,EAAE;QAChD,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,UAAU,GAAG,EAAE,CAAC,WAAW,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,UAAU;YAAE,MAAM,QAAQ,CAAC,YAAY,CAAC,CAAC;QAC9C,OAAO,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,kCAAkC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACtD,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,UAAU,GAAG,EAAE,CAAC,WAAW,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,UAAU;YAAE,MAAM,QAAQ,CAAC,YAAY,CAAC,CAAC;QAE9C,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,OAAO,GAA4B,EAAE,CAAC;QAC5C,IAAI,MAAM,IAAI,IAAI;YAAE,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QAC7C,IAAI,aAAa,IAAI,IAAI;YAAE,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC;QAE1E,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QAC9D,OAAO,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,OAAQ,CAAC,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,MAAM,CAAC,kCAAkC,EAAE,CAAC,CAAC,EAAE,EAAE;QACnD,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,UAAU,GAAG,EAAE,CAAC,WAAW,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,UAAU;YAAE,MAAM,QAAQ,CAAC,YAAY,CAAC,CAAC;QAE9C,iDAAiD;QACjD,MAAM,GAAG,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,eAAe,EAAE,UAAU,CAAC,EAAE,CAAC,CAAC;QACtE,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;YACrB,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QACnC,CAAC;QAED,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;QACrC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["import { type RouteContext, notFound, validationError, parseJsonBody } from '../../core/index.js';\nimport { getWorkOSStore } from '../store.js';\nimport { formatPermission, parseListParams } from '../helpers.js';\n\nexport function authorizationPermissionRoutes(ctx: RouteContext): void {\n const { app, store } = ctx;\n\n app.post('/authorization/permissions', async (c) => {\n const ws = getWorkOSStore(store);\n const body = await parseJsonBody(c);\n const slug = body.slug as string;\n const name = body.name as string;\n\n if (!slug || typeof slug !== 'string') {\n throw validationError('slug is required', [{ field: 'slug', code: 'required' }]);\n }\n if (!name || typeof name !== 'string') {\n throw validationError('name is required', [{ field: 'name', code: 'required' }]);\n }\n\n const existing = ws.permissions.findOneBy('slug', slug);\n if (existing) {\n throw validationError('Permission with this slug already exists', [{ field: 'slug', code: 'duplicate' }]);\n }\n\n const permission = ws.permissions.insert({\n object: 'permission',\n slug,\n name,\n description: (body.description as string) ?? null,\n });\n\n return c.json(formatPermission(permission), 201);\n });\n\n app.get('/authorization/permissions', (c) => {\n const ws = getWorkOSStore(store);\n const url = new URL(c.req.url);\n const params = parseListParams(url);\n\n const result = ws.permissions.list(params);\n return c.json({\n object: 'list',\n data: result.data.map(formatPermission),\n list_metadata: result.list_metadata,\n });\n });\n\n app.get('/authorization/permissions/:slug', (c) => {\n const ws = getWorkOSStore(store);\n const slug = c.req.param('slug');\n const permission = ws.permissions.findOneBy('slug', slug);\n if (!permission) throw notFound('Permission');\n return c.json(formatPermission(permission));\n });\n\n app.put('/authorization/permissions/:slug', async (c) => {\n const ws = getWorkOSStore(store);\n const slug = c.req.param('slug');\n const permission = ws.permissions.findOneBy('slug', slug);\n if (!permission) throw notFound('Permission');\n\n const body = await parseJsonBody(c);\n const updates: Record<string, unknown> = {};\n if ('name' in body) updates.name = body.name;\n if ('description' in body) updates.description = body.description ?? null;\n\n const updated = ws.permissions.update(permission.id, updates);\n return c.json(formatPermission(updated!));\n });\n\n app.delete('/authorization/permissions/:slug', (c) => {\n const ws = getWorkOSStore(store);\n const slug = c.req.param('slug');\n const permission = ws.permissions.findOneBy('slug', slug);\n if (!permission) throw notFound('Permission');\n\n // Cascade: remove from all role-permission joins\n const rps = ws.rolePermissions.findBy('permission_id', permission.id);\n for (const rp of rps) {\n ws.rolePermissions.delete(rp.id);\n }\n\n ws.permissions.delete(permission.id);\n return c.body(null, 204);\n });\n}\n"]}

package/dist/emulate/workos/routes/authorization-resources.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { type RouteContext } from '../../core/index.js';
2	+ export declare function authorizationResourceRoutes(ctx: RouteContext): void;