workos 5.27.0__tar.gz → 5.28.0__tar.gz

{workos-5.27.0 → workos-5.28.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: workos
-Version: 5.27.0
+Version: 5.28.0
 Summary: WorkOS Python Client
 Home-page: https://github.com/workos-inc/workos-python
 Author: WorkOS

{workos-5.27.0 → workos-5.28.0}/tests/test_session.py

@@ -1,8 +1,11 @@
-import pytest
+import concurrent.futures
+from datetime import datetime, timezone
 from unittest.mock import AsyncMock, Mock, patch
+
 import jwt
-from datetime import datetime, timezone
-import concurrent.futures
+import pytest
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
 
 from tests.conftest import with_jwks_mock
 from workos.session import AsyncSession, Session, _get_jwks_client
@@ -16,9 +19,6 @@ from workos.types.user_management.session import (
     RefreshWithSessionCookieSuccessResponse,
 )
 
-from cryptography.hazmat.primitives import serialization
-from cryptography.hazmat.primitives.asymmetric import rsa
-
 
 class SessionFixtures:
     @pytest.fixture(autouse=True)
@@ -48,6 +48,7 @@ class SessionFixtures:
             "sid": "session_123",
             "org_id": "organization_123",
             "role": "admin",
+            "roles": ["admin"],
             "permissions": ["read"],
             "entitlements": ["feature_1"],
             "exp": int(current_datetime.timestamp()) + 3600,
@@ -215,6 +216,7 @@ class TestSessionBase(SessionFixtures):
                     "sid": session_constants["SESSION_ID"],
                     "org_id": session_constants["ORGANIZATION_ID"],
                     "role": "admin",
+                    "roles": ["admin"],
                     "permissions": ["read"],
                     "entitlements": ["feature_1"],
                     "exp": int(datetime.now(timezone.utc).timestamp()) + 3600,
@@ -239,6 +241,7 @@ class TestSessionBase(SessionFixtures):
             "sid": session_constants["SESSION_ID"],
             "org_id": session_constants["ORGANIZATION_ID"],
             "role": "admin",
+            "roles": ["admin"],
             "permissions": ["read"],
             "entitlements": ["feature_1"],
         }
@@ -257,11 +260,80 @@ class TestSessionBase(SessionFixtures):
             assert response.session_id == session_constants["SESSION_ID"]
             assert response.organization_id == session_constants["ORGANIZATION_ID"]
             assert response.role == "admin"
+            assert response.roles == ["admin"]
             assert response.permissions == ["read"]
             assert response.entitlements == ["feature_1"]
             assert response.user.id == session_constants["USER_ID"]
             assert response.impersonator is None
 
+    @with_jwks_mock
+    def test_authenticate_success_with_roles(
+        self, session_constants, mock_user_management
+    ):
+        session = Session(
+            user_management=mock_user_management,
+            client_id=session_constants["CLIENT_ID"],
+            session_data=session_constants["SESSION_DATA"],
+            cookie_password=session_constants["COOKIE_PASSWORD"],
+        )
+
+        # Mock the session data that would be unsealed
+        mock_session = {
+            "access_token": jwt.encode(
+                {
+                    "sid": session_constants["SESSION_ID"],
+                    "org_id": session_constants["ORGANIZATION_ID"],
+                    "role": "admin",
+                    "roles": ["admin", "member"],
+                    "permissions": ["read", "write"],
+                    "entitlements": ["feature_1"],
+                    "exp": int(datetime.now(timezone.utc).timestamp()) + 3600,
+                    "iat": int(datetime.now(timezone.utc).timestamp()),
+                },
+                session_constants["PRIVATE_KEY"],
+                algorithm="RS256",
+            ),
+            "user": {
+                "object": "user",
+                "id": session_constants["USER_ID"],
+                "email": "user@example.com",
+                "email_verified": True,
+                "created_at": session_constants["CURRENT_TIMESTAMP"],
+                "updated_at": session_constants["CURRENT_TIMESTAMP"],
+            },
+            "impersonator": None,
+        }
+
+        # Mock the JWT payload that would be decoded
+        mock_jwt_payload = {
+            "sid": session_constants["SESSION_ID"],
+            "org_id": session_constants["ORGANIZATION_ID"],
+            "role": "admin",
+            "roles": ["admin", "member"],
+            "permissions": ["read", "write"],
+            "entitlements": ["feature_1"],
+        }
+
+        with patch.object(Session, "unseal_data", return_value=mock_session), patch(
+            "jwt.decode", return_value=mock_jwt_payload
+        ), patch.object(
+            session.jwks,
+            "get_signing_key_from_jwt",
+            return_value=Mock(key=session_constants["PUBLIC_KEY"]),
+        ):
+            response = session.authenticate()
+
+            assert isinstance(response, AuthenticateWithSessionCookieSuccessResponse)
+            assert response.authenticated is True
+            assert response.session_id == session_constants["SESSION_ID"]
+            assert response.organization_id == session_constants["ORGANIZATION_ID"]
+            assert response.role == "admin"
+            assert response.roles == ["admin", "member"]
+            assert response.permissions == ["read", "write"]
+            assert response.entitlements == ["feature_1"]
+            assert response.user.id == session_constants["USER_ID"]
+            assert response.impersonator is None
+
     @with_jwks_mock
     def test_refresh_invalid_session_cookie(
         self, session_constants, mock_user_management
@@ -335,6 +407,7 @@ class TestSession(SessionFixtures):
                 "sid": session_constants["SESSION_ID"],
                 "org_id": session_constants["ORGANIZATION_ID"],
                 "role": "admin",
+                "roles": ["admin"],
                 "permissions": ["read"],
                 "entitlements": ["feature_1"],
             },
@@ -435,6 +508,7 @@ class TestAsyncSession(SessionFixtures):
                 "sid": session_constants["SESSION_ID"],
                 "org_id": session_constants["ORGANIZATION_ID"],
                 "role": "admin",
+                "roles": ["admin"],
                 "permissions": ["read"],
                 "entitlements": ["feature_1"],
             },

{workos-5.27.0 → workos-5.28.0}/workos/__about__.py

@@ -12,7 +12,7 @@ __package_name__ = "workos"
 
 __package_url__ = "https://github.com/workos-inc/workos-python"
 
-__version__ = "5.27.0"
+__version__ = "5.28.0"
 
 __author__ = "WorkOS"
 

{workos-5.27.0 → workos-5.28.0}/workos/session.py

@@ -102,6 +102,7 @@ class SessionModule(Protocol):
             session_id=decoded["sid"],
             organization_id=decoded.get("org_id", None),
             role=decoded.get("role", None),
+            roles=decoded.get("roles", None),
             permissions=decoded.get("permissions", None),
             entitlements=decoded.get("entitlements", None),
             user=session["user"],
@@ -229,6 +230,7 @@ class Session(SessionModule):
                 session_id=decoded["sid"],
                 organization_id=decoded.get("org_id", None),
                 role=decoded.get("role", None),
+                roles=decoded.get("roles", None),
                 permissions=decoded.get("permissions", None),
                 entitlements=decoded.get("entitlements", None),
                 user=auth_response.user,
@@ -319,6 +321,7 @@ class AsyncSession(SessionModule):
                 session_id=decoded["sid"],
                 organization_id=decoded.get("org_id", None),
                 role=decoded.get("role", None),
+                roles=decoded.get("roles", None),
                 permissions=decoded.get("permissions", None),
                 entitlements=decoded.get("entitlements", None),
                 user=auth_response.user,

{workos-5.27.0 → workos-5.28.0}/workos/types/user_management/organization_membership.py

@@ -1,4 +1,4 @@
-from typing import Literal
+from typing import Literal, Sequence, Optional
 from typing_extensions import TypedDict
 
 from workos.types.workos_model import WorkOSModel
@@ -19,6 +19,7 @@ class OrganizationMembership(WorkOSModel):
     user_id: str
     organization_id: str
     role: OrganizationMembershipRole
+    roles: Optional[Sequence[OrganizationMembershipRole]] = None
     status: LiteralOrUntyped[OrganizationMembershipStatus]
     created_at: str
     updated_at: str

{workos-5.27.0 → workos-5.28.0}/workos/types/user_management/session.py

@@ -1,6 +1,8 @@
-from typing import Optional, Sequence, TypedDict, Union
 from enum import Enum
+from typing import Optional, Sequence, TypedDict, Union
+
 from typing_extensions import Literal
+
 from workos.types.user_management.impersonator import Impersonator
 from workos.types.user_management.user import User
 from workos.types.workos_model import WorkOSModel
@@ -17,6 +19,7 @@ class AuthenticateWithSessionCookieSuccessResponse(WorkOSModel):
     session_id: str
     organization_id: Optional[str] = None
     role: Optional[str] = None
+    roles: Optional[Sequence[str]] = None
     permissions: Optional[Sequence[str]] = None
     user: User
     impersonator: Optional[Impersonator] = None

{workos-5.27.0 → workos-5.28.0}/workos/types/webhooks/webhook.py

@@ -1,9 +1,9 @@
 from typing import Literal, Union
+
 from pydantic import Field
 from typing_extensions import Annotated
+
 from workos.types.directory_sync import DirectoryGroup
-from workos.types.user_management import OrganizationMembership, User
-from workos.types.webhooks.webhook_model import WebhookModel
 from workos.types.directory_sync.directory_user import DirectoryUser
 from workos.types.events.authentication_payload import (
     AuthenticationEmailVerificationSucceededPayload,
@@ -37,16 +37,18 @@ from workos.types.events.organization_domain_verification_failed_payload import
     OrganizationDomainVerificationFailedPayload,
 )
 from workos.types.events.session_created_payload import SessionCreatedPayload
-from workos.types.organizations.organization_common import OrganizationCommon
 from workos.types.organization_domains import OrganizationDomain
+from workos.types.organizations.organization_common import OrganizationCommon
 from workos.types.roles.role import EventRole
 from workos.types.sso.connection import Connection
+from workos.types.user_management import OrganizationMembership, User
 from workos.types.user_management.email_verification import (
     EmailVerificationCommon,
 )
 from workos.types.user_management.invitation import InvitationCommon
 from workos.types.user_management.magic_auth import MagicAuthCommon
 from workos.types.user_management.password_reset import PasswordResetCommon
+from workos.types.webhooks.webhook_model import WebhookModel
 
 # README
 # When adding a new webhook event type, ensure the new webhook class is
@@ -205,6 +207,18 @@ class OrganizationDomainVerifiedWebhook(WebhookModel[OrganizationDomain]):
     event: Literal["organization_domain.verified"]
 
 
+class OrganizationDomainCreatedWebhook(WebhookModel[OrganizationDomain]):
+    event: Literal["organization_domain.created"]
+
+
+class OrganizationDomainUpdatedWebhook(WebhookModel[OrganizationDomain]):
+    event: Literal["organization_domain.updated"]
+
+
+class OrganizationDomainDeletedWebhook(WebhookModel[OrganizationDomain]):
+    event: Literal["organization_domain.deleted"]
+
+
 class OrganizationMembershipCreatedWebhook(WebhookModel[OrganizationMembership]):
     event: Literal["organization_membership.created"]
 
@@ -286,6 +300,9 @@ Webhook = Annotated[
         OrganizationCreatedWebhook,
         OrganizationDeletedWebhook,
         OrganizationUpdatedWebhook,
+        OrganizationDomainCreatedWebhook,
+        OrganizationDomainDeletedWebhook,
+        OrganizationDomainUpdatedWebhook,
         OrganizationDomainVerificationFailedWebhook,
         OrganizationDomainVerifiedWebhook,
         OrganizationMembershipCreatedWebhook,

{workos-5.27.0 → workos-5.28.0}/workos/user_management.py

@@ -245,15 +245,24 @@ class UserManagementModule(Protocol):
         ...
 
     def create_organization_membership(
-        self, *, user_id: str, organization_id: str, role_slug: Optional[str] = None
+        self,
+        *,
+        user_id: str,
+        organization_id: str,
+        role_slug: Optional[str] = None,
+        role_slugs: Optional[Sequence[str]] = None,
     ) -> SyncOrAsync[OrganizationMembership]:
         """Create a new OrganizationMembership for the given Organization and User.
 
         Kwargs:
-            user_id: The Unique ID of the User.
-            organization_id: The Unique ID of the Organization to which the user belongs to.
-            role_slug: The Unique Slug of the Role to which to grant to this membership.
-                If no slug is passed in, the default role will be granted.(Optional)
+            user_id: The unique ID of the User.
+            organization_id: The unique ID of the Organization to which the user belongs to.
+            role_slug: The unique slug of the role to grant to this membership.(Optional)
+            role_slugs: The unique slugs of the roles to grant to this membership.(Optional)
+
+        Note:
+          role_slug and role_slugs are mutually exclusive. If neither is provided,
+          the user will be assigned the organization's default role.
 
         Returns:
             OrganizationMembership: Created OrganizationMembership response from WorkOS.
@@ -261,14 +270,22 @@ class UserManagementModule(Protocol):
         ...
 
     def update_organization_membership(
-        self, *, organization_membership_id: str, role_slug: Optional[str] = None
+        self,
+        *,
+        organization_membership_id: str,
+        role_slug: Optional[str] = None,
+        role_slugs: Optional[Sequence[str]] = None,
     ) -> SyncOrAsync[OrganizationMembership]:
         """Updates an OrganizationMembership for the given id.
 
         Args:
             organization_membership_id (str):  The unique ID of the Organization Membership.
-            role_slug: The Unique Slug of the Role to which to grant to this membership.
-                If no slug is passed in, it will not be changed (Optional)
+            role_slug: The unique slug of the role to grant to this membership.(Optional)
+            role_slugs: The unique slugs of the roles to grant to this membership.(Optional)
+
+        Note:
+          role_slug and role_slugs are mutually exclusive. If neither is provided,
+          the role(s) of the membership will remain unchanged.
 
         Returns:
             OrganizationMembership: Updated OrganizationMembership response from WorkOS.
@@ -988,12 +1005,18 @@ class UserManagement(UserManagementModule):
         )
 
     def create_organization_membership(
-        self, *, user_id: str, organization_id: str, role_slug: Optional[str] = None
+        self,
+        *,
+        user_id: str,
+        organization_id: str,
+        role_slug: Optional[str] = None,
+        role_slugs: Optional[Sequence[str]] = None,
     ) -> OrganizationMembership:
         json = {
             "user_id": user_id,
             "organization_id": organization_id,
             "role_slug": role_slug,
+            "role_slugs": role_slugs,
         }
 
         response = self._http_client.request(
@@ -1003,10 +1026,15 @@ class UserManagement(UserManagementModule):
         return OrganizationMembership.model_validate(response)
 
     def update_organization_membership(
-        self, *, organization_membership_id: str, role_slug: Optional[str] = None
+        self,
+        *,
+        organization_membership_id: str,
+        role_slug: Optional[str] = None,
+        role_slugs: Optional[Sequence[str]] = None,
     ) -> OrganizationMembership:
         json = {
             "role_slug": role_slug,
+            "role_slugs": role_slugs,
         }
 
         response = self._http_client.request(
@@ -1614,12 +1642,18 @@ class AsyncUserManagement(UserManagementModule):
         )
 
     async def create_organization_membership(
-        self, *, user_id: str, organization_id: str, role_slug: Optional[str] = None
+        self,
+        *,
+        user_id: str,
+        organization_id: str,
+        role_slug: Optional[str] = None,
+        role_slugs: Optional[Sequence[str]] = None,
     ) -> OrganizationMembership:
         json = {
             "user_id": user_id,
             "organization_id": organization_id,
             "role_slug": role_slug,
+            "role_slugs": role_slugs,
         }
 
         response = await self._http_client.request(
@@ -1629,10 +1663,15 @@ class AsyncUserManagement(UserManagementModule):
         return OrganizationMembership.model_validate(response)
 
     async def update_organization_membership(
-        self, *, organization_membership_id: str, role_slug: Optional[str] = None
+        self,
+        *,
+        organization_membership_id: str,
+        role_slug: Optional[str] = None,
+        role_slugs: Optional[Sequence[str]] = None,
     ) -> OrganizationMembership:
         json = {
             "role_slug": role_slug,
+            "role_slugs": role_slugs,
         }
 
         response = await self._http_client.request(

{workos-5.27.0 → workos-5.28.0}/workos.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: workos
-Version: 5.27.0
+Version: 5.28.0
 Summary: WorkOS Python Client
 Home-page: https://github.com/workos-inc/workos-python
 Author: WorkOS