workos 5.20.1__tar.gz → 5.21.0__tar.gz

{workos-5.20.1 → workos-5.21.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: workos
-Version: 5.20.1
+Version: 5.21.0
 Summary: WorkOS Python Client
 Home-page: https://github.com/workos-inc/workos-python
 Author: WorkOS

{workos-5.20.1 → workos-5.21.0}/tests/test_fga.py

@@ -101,6 +101,103 @@ class TestErrorHandling:
             self.fga.get_resource(resource_type="test", resource_id="test")
 
 
+class TestWarnings:
+    @pytest.fixture(autouse=True)
+    def setup(self, sync_http_client_for_test):
+        self.http_client = sync_http_client_for_test
+        self.fga = FGA(http_client=self.http_client)
+
+    def test_check_with_warning(self, mock_http_client_with_response):
+        mock_response = {
+            "result": "authorized",
+            "is_implicit": True,
+            "warnings": [
+                {
+                    "code": "missing_context_keys",
+                    "message": "Missing context keys",
+                    "keys": ["key1", "key2"],
+                }
+            ],
+        }
+        mock_http_client_with_response(self.http_client, mock_response, 200)
+
+        response = self.fga.check(
+            op="any_of",
+            checks=[
+                WarrantCheckInput(
+                    resource_type="schedule",
+                    resource_id="schedule-A1",
+                    relation="viewer",
+                    subject=SubjectInput(resource_type="user", resource_id="user-A"),
+                )
+            ],
+        )
+        assert response.dict(exclude_none=True) == mock_response
+
+    def test_query_with_warning(self, mock_http_client_with_response):
+        mock_response = {
+            "object": "list",
+            "data": [
+                {
+                    "resource_type": "user",
+                    "resource_id": "richard",
+                    "relation": "member",
+                    "warrant": {
+                        "resource_type": "role",
+                        "resource_id": "developer",
+                        "relation": "member",
+                        "subject": {"resource_type": "user", "resource_id": "richard"},
+                    },
+                    "is_implicit": True,
+                }
+            ],
+            "list_metadata": {},
+            "warnings": [
+                {
+                    "code": "missing_context_keys",
+                    "message": "Missing context keys",
+                    "keys": ["key1", "key2"],
+                }
+            ],
+        }
+
+        mock_http_client_with_response(self.http_client, mock_response, 200)
+
+        response = self.fga.query(
+            q="select member of type user for permission:view-docs",
+            order="asc",
+            warrant_token="warrant_token",
+        )
+        assert response.dict(exclude_none=True) == mock_response
+
+    def test_check_with_generic_warning(self, mock_http_client_with_response):
+        mock_response = {
+            "result": "authorized",
+            "is_implicit": True,
+            "warnings": [
+                {
+                    "code": "generic",
+                    "message": "Generic warning",
+                }
+            ],
+        }
+
+        mock_http_client_with_response(self.http_client, mock_response, 200)
+
+        response = self.fga.check(
+            op="any_of",
+            checks=[
+                WarrantCheckInput(
+                    resource_type="schedule",
+                    resource_id="schedule-A1",
+                    relation="viewer",
+                    subject=SubjectInput(resource_type="user", resource_id="user-A"),
+                )
+            ],
+        )
+        assert response.dict(exclude_none=True) == mock_response
+
+
 class TestFGA:
     @pytest.fixture(autouse=True)
     def setup(self, sync_http_client_for_test):

{workos-5.20.1 → workos-5.21.0}/tests/test_session.py

@@ -236,9 +236,7 @@ class TestSessionBase(SessionFixtures):
             "entitlements": ["feature_1"],
         }
 
-        with patch.object(
-            Session, "unseal_data", return_value=mock_session
-        ), patch.object(session, "_is_valid_jwt", return_value=True), patch(
+        with patch.object(Session, "unseal_data", return_value=mock_session), patch(
             "jwt.decode", return_value=mock_jwt_payload
         ), patch.object(
             session.jwks,
@@ -324,22 +322,21 @@ class TestSession(SessionFixtures):
             cookie_password=session_constants["COOKIE_PASSWORD"],
         )
 
-        with patch.object(session, "_is_valid_jwt", return_value=True) as _:
-            with patch(
-                "jwt.decode",
-                return_value={
-                    "sid": session_constants["SESSION_ID"],
-                    "org_id": session_constants["ORGANIZATION_ID"],
-                    "role": "admin",
-                    "permissions": ["read"],
-                    "entitlements": ["feature_1"],
-                },
-            ):
-                response = session.refresh()
+        with patch(
+            "jwt.decode",
+            return_value={
+                "sid": session_constants["SESSION_ID"],
+                "org_id": session_constants["ORGANIZATION_ID"],
+                "role": "admin",
+                "permissions": ["read"],
+                "entitlements": ["feature_1"],
+            },
+        ):
+            response = session.refresh()
 
-                assert isinstance(response, RefreshWithSessionCookieSuccessResponse)
-                assert response.authenticated is True
-                assert response.user.id == session_constants["TEST_USER"]["id"]
+            assert isinstance(response, RefreshWithSessionCookieSuccessResponse)
+            assert response.authenticated is True
+            assert response.user.id == session_constants["TEST_USER"]["id"]
 
         # Verify the refresh token was used correctly
         mock_user_management.authenticate_with_refresh_token.assert_called_once_with(
@@ -425,22 +422,21 @@ class TestAsyncSession(SessionFixtures):
             cookie_password=session_constants["COOKIE_PASSWORD"],
         )
 
-        with patch.object(session, "_is_valid_jwt", return_value=True) as _:
-            with patch(
-                "jwt.decode",
-                return_value={
-                    "sid": session_constants["SESSION_ID"],
-                    "org_id": session_constants["ORGANIZATION_ID"],
-                    "role": "admin",
-                    "permissions": ["read"],
-                    "entitlements": ["feature_1"],
-                },
-            ):
-                response = await session.refresh()
+        with patch(
+            "jwt.decode",
+            return_value={
+                "sid": session_constants["SESSION_ID"],
+                "org_id": session_constants["ORGANIZATION_ID"],
+                "role": "admin",
+                "permissions": ["read"],
+                "entitlements": ["feature_1"],
+            },
+        ):
+            response = await session.refresh()
 
-                assert isinstance(response, RefreshWithSessionCookieSuccessResponse)
-                assert response.authenticated is True
-                assert response.user.id == session_constants["TEST_USER"]["id"]
+            assert isinstance(response, RefreshWithSessionCookieSuccessResponse)
+            assert response.authenticated is True
+            assert response.user.id == session_constants["TEST_USER"]["id"]
 
         # Verify the refresh token was used correctly
         mock_user_management.authenticate_with_refresh_token.assert_called_once_with(

{workos-5.20.1 → workos-5.21.0}/workos/__about__.py

@@ -12,7 +12,7 @@ __package_name__ = "workos"
 
 __package_url__ = "https://github.com/workos-inc/workos-python"
 
-__version__ = "5.20.1"
+__version__ = "5.21.0"
 
 __author__ = "WorkOS"
 

{workos-5.20.1 → workos-5.21.0}/workos/fga.py

@@ -11,6 +11,7 @@ from workos.types.fga import (
     WarrantWriteOperation,
     WriteWarrantResponse,
     WarrantQueryResult,
+    FGAWarning,
 )
 from workos.types.fga.list_filters import (
     AuthorizationResourceListFilters,
@@ -45,9 +46,11 @@ AuthorizationResourceTypeListResource = WorkOSListResource[
 
 WarrantListResource = WorkOSListResource[Warrant, WarrantListFilters, ListMetadata]
 
-WarrantQueryListResource = WorkOSListResource[
-    WarrantQueryResult, WarrantQueryListFilters, ListMetadata
-]
+
+class WarrantQueryListResource(
+    WorkOSListResource[WarrantQueryResult, WarrantQueryListFilters, ListMetadata]
+):
+    warnings: Optional[Sequence[FGAWarning]] = None
 
 
 class FGAModule(Protocol):
@@ -641,5 +644,6 @@ class FGA(FGAModule):
         return WarrantQueryListResource(
             list_method=self.query,
             list_args=list_params,
+            warnings=response.get("warnings"),
             **ListPage[WarrantQueryResult](**response).model_dump(),
         )

{workos-5.20.1 → workos-5.21.0}/workos/session.py

@@ -77,20 +77,20 @@ class SessionModule(Protocol):
                 reason=AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,
             )
 
-        if not self._is_valid_jwt(session["access_token"]):
+        try:
+            signing_key = self.jwks.get_signing_key_from_jwt(session["access_token"])
+            decoded = jwt.decode(
+                session["access_token"],
+                signing_key.key,
+                algorithms=self.jwk_algorithms,
+                options={"verify_aud": False},
+            )
+        except jwt.exceptions.InvalidTokenError:
             return AuthenticateWithSessionCookieErrorResponse(
                 authenticated=False,
                 reason=AuthenticateWithSessionCookieFailureReason.INVALID_JWT,
             )
 
-        signing_key = self.jwks.get_signing_key_from_jwt(session["access_token"])
-        decoded = jwt.decode(
-            session["access_token"],
-            signing_key.key,
-            algorithms=self.jwk_algorithms,
-            options={"verify_aud": False},
-        )
-
         return AuthenticateWithSessionCookieSuccessResponse(
             authenticated=True,
             session_id=decoded["sid"],
@@ -128,19 +128,6 @@ class SessionModule(Protocol):
         )
         return str(result)
 
-    def _is_valid_jwt(self, token: str) -> bool:
-        try:
-            signing_key = self.jwks.get_signing_key_from_jwt(token)
-            jwt.decode(
-                token,
-                signing_key.key,
-                algorithms=self.jwk_algorithms,
-                options={"verify_aud": False},
-            )
-            return True
-        except jwt.exceptions.InvalidTokenError:
-            return False
-
     @staticmethod
     def seal_data(data: Dict[str, Any], key: str) -> str:
         fernet = Fernet(key)

{workos-5.20.1 → workos-5.21.0}/workos/types/fga/__init__.py

@@ -2,3 +2,4 @@ from .check import *
 from .authorization_resource_types import *
 from .authorization_resources import *
 from .warrant import *
+from .warnings import *

{workos-5.20.1 → workos-5.21.0}/workos/types/fga/check.py

@@ -3,6 +3,7 @@ from typing import Any, Literal, Mapping, Optional, Sequence, TypedDict
 from workos.types.workos_model import WorkOSModel
 from workos.typing.literals import LiteralOrUntyped
 
+from .warnings import FGAWarning
 from .warrant import Subject, SubjectInput
 
 CheckOperation = Literal["any_of", "all_of", "batch"]
@@ -44,6 +45,7 @@ class CheckResponse(WorkOSModel):
     result: LiteralOrUntyped[CheckResult]
     is_implicit: bool
     debug_info: Optional[DebugInfo] = None
+    warnings: Optional[Sequence[FGAWarning]] = None
 
     def authorized(self) -> bool:
         return self.result == "authorized"

workos-5.21.0/workos/types/fga/warnings.py

@@ -0,0 +1,33 @@
+from typing import Sequence, Union, Any, Dict, Literal
+from typing_extensions import Annotated
+
+from pydantic import BeforeValidator
+from pydantic_core.core_schema import ValidationInfo
+
+from workos.types.workos_model import WorkOSModel
+
+
+class FGABaseWarning(WorkOSModel):
+    code: str
+    message: str
+
+
+class MissingContextKeysWarning(FGABaseWarning):
+    code: Literal["missing_context_keys"]
+    keys: Sequence[str]
+
+
+def fga_warning_dispatch_validator(
+    value: Dict[str, Any], info: ValidationInfo
+) -> FGABaseWarning:
+    if value.get("code") == "missing_context_keys":
+        return MissingContextKeysWarning.model_validate(value)
+
+    # Fallback to the base warning model
+    return FGABaseWarning.model_validate(value)
+
+
+FGAWarning = Annotated[
+    Union[MissingContextKeysWarning, FGABaseWarning],
+    BeforeValidator(fga_warning_dispatch_validator),
+]

{workos-5.20.1 → workos-5.21.0}/workos.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: workos
-Version: 5.20.1
+Version: 5.21.0
 Summary: WorkOS Python Client
 Home-page: https://github.com/workos-inc/workos-python
 Author: WorkOS

{workos-5.20.1 → workos-5.21.0}/workos.egg-info/SOURCES.txt

@@ -82,6 +82,7 @@ workos/types/fga/authorization_resource_types.py
 workos/types/fga/authorization_resources.py
 workos/types/fga/check.py
 workos/types/fga/list_filters.py
+workos/types/fga/warnings.py
 workos/types/fga/warrant.py
 workos/types/mfa/__init__.py
 workos/types/mfa/authentication_challenge.py