workos 5.36.0__tar.gz → 5.38.0__tar.gz

{workos-5.36.0 → workos-5.38.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: workos
-Version: 5.36.0
+Version: 5.38.0
 Summary: WorkOS Python Client
 Home-page: https://github.com/workos-inc/workos-python
 Author: WorkOS

workos-5.38.0/tests/test_pipes.py

@@ -0,0 +1,167 @@
+import pytest
+
+from tests.utils.syncify import syncify
+from workos.pipes import AsyncPipes, Pipes
+
+
+@pytest.mark.sync_and_async(Pipes, AsyncPipes)
+class TestPipes:
+    @pytest.fixture
+    def mock_access_token(self):
+        return {
+            "object": "access_token",
+            "access_token": "test_access_token_123",
+            "expires_at": "2026-01-09T12:00:00.000Z",
+            "scopes": ["read:users", "write:users"],
+            "missing_scopes": [],
+        }
+
+    def test_get_access_token_success_with_expiry(
+        self,
+        module_instance,
+        mock_access_token,
+        capture_and_mock_http_client_request,
+    ):
+        response_body = {
+            "active": True,
+            "access_token": mock_access_token,
+        }
+        request_kwargs = capture_and_mock_http_client_request(
+            module_instance._http_client, response_body, 200
+        )
+
+        result = syncify(
+            module_instance.get_access_token(
+                provider="test-provider",
+                user_id="user_123",
+            )
+        )
+
+        assert request_kwargs["url"].endswith("data-integrations/test-provider/token")
+        assert request_kwargs["method"] == "post"
+        assert request_kwargs["json"]["user_id"] == "user_123"
+        assert result.active is True
+        assert result.access_token.access_token == mock_access_token["access_token"]
+        assert result.access_token.scopes == mock_access_token["scopes"]
+
+    def test_get_access_token_success_without_expiry(
+        self,
+        module_instance,
+        capture_and_mock_http_client_request,
+    ):
+        response_body = {
+            "active": True,
+            "access_token": {
+                "object": "access_token",
+                "access_token": "test_token",
+                "expires_at": None,
+                "scopes": ["read"],
+                "missing_scopes": [],
+            },
+        }
+        capture_and_mock_http_client_request(
+            module_instance._http_client, response_body, 200
+        )
+
+        result = syncify(
+            module_instance.get_access_token(
+                provider="test-provider",
+                user_id="user_123",
+            )
+        )
+
+        assert result.active is True
+        assert result.access_token.expires_at is None
+
+    def test_get_access_token_with_organization_id(
+        self,
+        module_instance,
+        mock_access_token,
+        capture_and_mock_http_client_request,
+    ):
+        response_body = {
+            "active": True,
+            "access_token": mock_access_token,
+        }
+        request_kwargs = capture_and_mock_http_client_request(
+            module_instance._http_client, response_body, 200
+        )
+
+        syncify(
+            module_instance.get_access_token(
+                provider="test-provider",
+                user_id="user_123",
+                organization_id="org_456",
+            )
+        )
+
+        assert request_kwargs["json"]["organization_id"] == "org_456"
+
+    def test_get_access_token_without_organization_id(
+        self,
+        module_instance,
+        mock_access_token,
+        capture_and_mock_http_client_request,
+    ):
+        response_body = {
+            "active": True,
+            "access_token": mock_access_token,
+        }
+        request_kwargs = capture_and_mock_http_client_request(
+            module_instance._http_client, response_body, 200
+        )
+
+        syncify(
+            module_instance.get_access_token(
+                provider="test-provider",
+                user_id="user_123",
+            )
+        )
+
+        assert "organization_id" not in request_kwargs["json"]
+
+    def test_get_access_token_not_installed(
+        self,
+        module_instance,
+        capture_and_mock_http_client_request,
+    ):
+        response_body = {
+            "active": False,
+            "error": "not_installed",
+        }
+        capture_and_mock_http_client_request(
+            module_instance._http_client, response_body, 200
+        )
+
+        result = syncify(
+            module_instance.get_access_token(
+                provider="test-provider",
+                user_id="user_123",
+            )
+        )
+
+        assert result.active is False
+        assert result.error == "not_installed"
+
+    def test_get_access_token_needs_reauthorization(
+        self,
+        module_instance,
+        capture_and_mock_http_client_request,
+    ):
+        response_body = {
+            "active": False,
+            "error": "needs_reauthorization",
+        }
+        capture_and_mock_http_client_request(
+            module_instance._http_client, response_body, 200
+        )
+
+        result = syncify(
+            module_instance.get_access_token(
+                provider="test-provider",
+                user_id="user_123",
+            )
+        )
+
+        assert result.active is False
+        assert result.error == "needs_reauthorization"

{workos-5.36.0 → workos-5.38.0}/tests/test_user_management.py

@@ -6,6 +6,7 @@ import pytest
 
 from tests.utils.fixtures.mock_auth_factor_totp import MockAuthenticationFactorTotp
 from tests.utils.fixtures.mock_email_verification import MockEmailVerification
+from tests.utils.fixtures.mock_feature_flag import MockFeatureFlag
 from tests.utils.fixtures.mock_invitation import MockInvitation
 from tests.utils.fixtures.mock_magic_auth import MockMagicAuth
 from tests.utils.fixtures.mock_organization_membership import MockOrganizationMembership
@@ -146,6 +147,14 @@ class UserManagementFixtures:
         invitations_list = [MockInvitation(id=str(i)).dict() for i in range(40)]
         return list_response_of(data=invitations_list)
 
+    @pytest.fixture
+    def mock_feature_flags(self):
+        return {
+            "data": [MockFeatureFlag(id=f"flag_{str(i)}").dict() for i in range(2)],
+            "object": "list",
+            "list_metadata": {"before": None, "after": None},
+        }
+
 
 class TestUserManagementBase(UserManagementFixtures):
     @pytest.fixture(autouse=True)
@@ -1250,3 +1259,28 @@ class TestUserManagement(UserManagementFixtures):
 
         with pytest.raises(Exception):
             syncify(self.user_management.resend_invitation("invitation_accepted"))
+
+    def test_list_feature_flags(
+        self, mock_feature_flags, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, mock_feature_flags, 200
+        )
+
+        feature_flags_response = syncify(
+            self.user_management.list_feature_flags(
+                user_id="user_01H7ZGXFP5C6BBQY6Z7277ZCT0"
+            )
+        )
+
+        def to_dict(x):
+            return x.dict()
+
+        assert request_kwargs["method"] == "get"
+        assert request_kwargs["url"].endswith(
+            "/user_management/users/user_01H7ZGXFP5C6BBQY6Z7277ZCT0/feature-flags"
+        )
+        assert (
+            list(map(to_dict, feature_flags_response.data))
+            == mock_feature_flags["data"]
+        )

{workos-5.36.0 → workos-5.38.0}/tests/test_vault.py

@@ -107,6 +107,34 @@ class TestVault:
         ):
             self.vault.read_object(object_id=None)
 
+    def test_read_object_by_name_success(
+        self, mock_vault_object, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, mock_vault_object, 200
+        )
+
+        vault_object = self.vault.read_object_by_name(name="test-secret")
+
+        assert request_kwargs["method"] == "get"
+        assert request_kwargs["url"].endswith("/vault/v1/kv/name/test-secret")
+        assert vault_object.id == "vault_01234567890abcdef"
+        assert vault_object.name == "test-secret"
+        assert vault_object.value == "secret-value"
+        assert vault_object.metadata.environment_id == "env_01234567890abcdef"
+
+    def test_read_object_by_name_missing_name(self):
+        with pytest.raises(
+            ValueError, match="Incomplete arguments: 'name' is a required argument"
+        ):
+            self.vault.read_object_by_name(name="")
+
+    def test_read_object_by_name_none_name(self):
+        with pytest.raises(
+            ValueError, match="Incomplete arguments: 'name' is a required argument"
+        ):
+            self.vault.read_object_by_name(name=None)
+
     def test_list_objects_default_params(
         self, mock_vault_objects_list, capture_and_mock_http_client_request
     ):

{workos-5.36.0 → workos-5.38.0}/workos/__about__.py

@@ -12,7 +12,7 @@ __package_name__ = "workos"
 
 __package_url__ = "https://github.com/workos-inc/workos-python"
 
-__version__ = "5.36.0"
+__version__ = "5.38.0"
 
 __author__ = "WorkOS"
 

{workos-5.36.0 → workos-5.38.0}/workos/_base_client.py

@@ -10,6 +10,7 @@ from workos.events import EventsModule
 from workos.fga import FGAModule
 from workos.mfa import MFAModule
 from workos.organization_domains import OrganizationDomainsModule
+from workos.pipes import PipesModule
 from workos.organizations import OrganizationsModule
 from workos.passwordless import PasswordlessModule
 from workos.portal import PortalModule
@@ -101,6 +102,10 @@ class BaseClient(ClientConfiguration):
     @abstractmethod
     def passwordless(self) -> PasswordlessModule: ...
 
+    @property
+    @abstractmethod
+    def pipes(self) -> PipesModule: ...
+
     @property
     @abstractmethod
     def portal(self) -> PortalModule: ...

{workos-5.36.0 → workos-5.38.0}/workos/async_client.py

@@ -10,6 +10,7 @@ from workos.mfa import MFAModule
 from workos.organizations import AsyncOrganizations
 from workos.organization_domains import AsyncOrganizationDomains
 from workos.passwordless import PasswordlessModule
+from workos.pipes import AsyncPipes
 from workos.portal import PortalModule
 from workos.sso import AsyncSSO
 from workos.user_management import AsyncUserManagement
@@ -102,6 +103,12 @@ class AsyncClient(BaseClient):
             "Passwordless APIs are not yet supported in the async client."
         )
 
+    @property
+    def pipes(self) -> AsyncPipes:
+        if not getattr(self, "_pipes", None):
+            self._pipes = AsyncPipes(self._http_client)
+        return self._pipes
+
     @property
     def portal(self) -> PortalModule:
         raise NotImplementedError(

{workos-5.36.0 → workos-5.38.0}/workos/client.py

@@ -8,6 +8,7 @@ from workos.fga import FGA
 from workos.organizations import Organizations
 from workos.organization_domains import OrganizationDomains
 from workos.passwordless import Passwordless
+from workos.pipes import Pipes
 from workos.portal import Portal
 from workos.sso import SSO
 from workos.webhooks import Webhooks
@@ -102,6 +103,12 @@ class SyncClient(BaseClient):
             self._passwordless = Passwordless(self._http_client)
         return self._passwordless
 
+    @property
+    def pipes(self) -> Pipes:
+        if not getattr(self, "_pipes", None):
+            self._pipes = Pipes(self._http_client)
+        return self._pipes
+
     @property
     def portal(self) -> Portal:
         if not getattr(self, "_portal", None):

workos-5.38.0/workos/pipes.py

@@ -0,0 +1,93 @@
+from typing import Dict, Optional, Protocol
+
+from workos.types.pipes import (
+    GetAccessTokenFailureResponse,
+    GetAccessTokenResponse,
+    GetAccessTokenSuccessResponse,
+)
+from workos.typing.sync_or_async import SyncOrAsync
+from workos.utils.http_client import AsyncHTTPClient, SyncHTTPClient
+from workos.utils.request_helper import REQUEST_METHOD_POST
+
+
+class PipesModule(Protocol):
+    """Protocol defining the Pipes module interface."""
+
+    def get_access_token(
+        self,
+        *,
+        provider: str,
+        user_id: str,
+        organization_id: Optional[str] = None,
+    ) -> SyncOrAsync[GetAccessTokenResponse]:
+        """Retrieve an access token for a third-party provider.
+
+        Kwargs:
+            provider (str): The third-party provider identifier
+            user_id (str): The WorkOS user ID
+            organization_id (str, optional): The WorkOS organization ID
+
+        Returns:
+            GetAccessTokenResponse: Success response with token or failure response with error
+        """
+        ...
+
+
+class Pipes(PipesModule):
+    """Sync implementation of the Pipes module."""
+
+    _http_client: SyncHTTPClient
+
+    def __init__(self, http_client: SyncHTTPClient):
+        self._http_client = http_client
+
+    def get_access_token(
+        self,
+        *,
+        provider: str,
+        user_id: str,
+        organization_id: Optional[str] = None,
+    ) -> GetAccessTokenResponse:
+        json_data: Dict[str, str] = {"user_id": user_id}
+        if organization_id is not None:
+            json_data["organization_id"] = organization_id
+
+        response = self._http_client.request(
+            f"data-integrations/{provider}/token",
+            method=REQUEST_METHOD_POST,
+            json=json_data,
+        )
+
+        if response.get("active") is True:
+            return GetAccessTokenSuccessResponse.model_validate(response)
+        return GetAccessTokenFailureResponse.model_validate(response)
+
+
+class AsyncPipes(PipesModule):
+    """Async implementation of the Pipes module."""
+
+    _http_client: AsyncHTTPClient
+
+    def __init__(self, http_client: AsyncHTTPClient):
+        self._http_client = http_client
+
+    async def get_access_token(
+        self,
+        *,
+        provider: str,
+        user_id: str,
+        organization_id: Optional[str] = None,
+    ) -> GetAccessTokenResponse:
+        json_data: Dict[str, str] = {"user_id": user_id}
+        if organization_id is not None:
+            json_data["organization_id"] = organization_id
+
+        response = await self._http_client.request(
+            f"data-integrations/{provider}/token",
+            method=REQUEST_METHOD_POST,
+            json=json_data,
+        )
+
+        if response.get("active") is True:
+            return GetAccessTokenSuccessResponse.model_validate(response)
+        return GetAccessTokenFailureResponse.model_validate(response)

workos-5.38.0/workos/types/pipes/__init__.py

@@ -0,0 +1,6 @@
+from workos.types.pipes.pipes import (
+    AccessToken as AccessToken,
+    GetAccessTokenFailureResponse as GetAccessTokenFailureResponse,
+    GetAccessTokenResponse as GetAccessTokenResponse,
+    GetAccessTokenSuccessResponse as GetAccessTokenSuccessResponse,
+)

workos-5.38.0/workos/types/pipes/pipes.py

@@ -0,0 +1,34 @@
+from datetime import datetime
+from typing import Literal, Optional, Sequence, Union
+
+from workos.types.workos_model import WorkOSModel
+
+
+class AccessToken(WorkOSModel):
+    """Represents an OAuth access token for a third-party provider."""
+
+    object: Literal["access_token"]
+    access_token: str
+    expires_at: Optional[datetime] = None
+    scopes: Sequence[str]
+    missing_scopes: Sequence[str]
+
+
+class GetAccessTokenSuccessResponse(WorkOSModel):
+    """Successful response containing the access token."""
+
+    active: Literal[True]
+    access_token: AccessToken
+
+
+class GetAccessTokenFailureResponse(WorkOSModel):
+    """Failed response indicating why the token couldn't be retrieved."""
+
+    active: Literal[False]
+    error: Literal["not_installed", "needs_reauthorization"]
+
+
+GetAccessTokenResponse = Union[
+    GetAccessTokenSuccessResponse,
+    GetAccessTokenFailureResponse,
+]

{workos-5.36.0 → workos-5.38.0}/workos/user_management.py

@@ -2,6 +2,8 @@ from typing import Awaitable, Optional, Protocol, Sequence, Type, Union, cast
 from urllib.parse import urlencode
 from workos._client_configuration import ClientConfiguration
 from workos.session import AsyncSession, Session
+from workos.types.feature_flags import FeatureFlag
+from workos.types.feature_flags.list_filters import FeatureFlagListFilters
 from workos.types.list_resource import (
     ListArgs,
     ListMetadata,
@@ -97,6 +99,7 @@ INVITATION_REVOKE_PATH = "user_management/invitations/{0}/revoke"
 INVITATION_RESEND_PATH = "user_management/invitations/{0}/resend"
 PASSWORD_RESET_PATH = "user_management/password_reset"
 PASSWORD_RESET_DETAIL_PATH = "user_management/password_reset/{0}"
+USER_FEATURE_FLAGS_PATH = "user_management/users/{0}/feature-flags"
 
 
 UsersListResource = WorkOSListResource[User, UsersListFilters, ListMetadata]
@@ -113,6 +116,10 @@ InvitationsListResource = WorkOSListResource[
     Invitation, InvitationsListFilters, ListMetadata
 ]
 
+FeatureFlagsListResource = WorkOSListResource[
+    FeatureFlag, FeatureFlagListFilters, ListMetadata
+]
+
 from workos.types.user_management.list_filters import SessionsListFilters
 
 SessionsListResource = WorkOSListResource[
@@ -908,6 +915,29 @@ class UserManagementModule(Protocol):
         """
         ...
 
+    def list_feature_flags(
+        self,
+        user_id: str,
+        *,
+        limit: int = DEFAULT_LIST_RESPONSE_LIMIT,
+        before: Optional[str] = None,
+        after: Optional[str] = None,
+        order: PaginationOrder = "desc",
+    ) -> SyncOrAsync[FeatureFlagsListResource]:
+        """Retrieve a list of feature flags for a user
+
+        Args:
+            user_id (str): User's unique identifier
+            limit (int): Maximum number of records to return. (Optional)
+            before (str): Pagination cursor to receive records before a provided Feature Flag ID. (Optional)
+            after (str): Pagination cursor to receive records after a provided Feature Flag ID. (Optional)
+            order (Literal["asc","desc"]): Sort records in either ascending or descending (default) order by created_at timestamp. (Optional)
+
+        Returns:
+            FeatureFlagsListResource: Feature flags list response from WorkOS.
+        """
+        ...
+
 
 class UserManagement(UserManagementModule):
     _http_client: SyncHTTPClient
@@ -1603,6 +1633,34 @@ class UserManagement(UserManagementModule):
 
         return Invitation.model_validate(response)
 
+    def list_feature_flags(
+        self,
+        user_id: str,
+        *,
+        limit: int = DEFAULT_LIST_RESPONSE_LIMIT,
+        before: Optional[str] = None,
+        after: Optional[str] = None,
+        order: PaginationOrder = "desc",
+    ) -> FeatureFlagsListResource:
+        list_params: FeatureFlagListFilters = {
+            "limit": limit,
+            "before": before,
+            "after": after,
+            "order": order,
+        }
+
+        response = self._http_client.request(
+            USER_FEATURE_FLAGS_PATH.format(user_id),
+            method=REQUEST_METHOD_GET,
+            params=list_params,
+        )
+
+        return FeatureFlagsListResource(
+            list_method=self.list_feature_flags,
+            list_args=list_params,
+            **ListPage[FeatureFlag](**response).model_dump(),
+        )
+
 
 class AsyncUserManagement(UserManagementModule):
     _http_client: AsyncHTTPClient
@@ -2312,3 +2370,31 @@ class AsyncUserManagement(UserManagementModule):
         )
 
         return Invitation.model_validate(response)
+
+    async def list_feature_flags(
+        self,
+        user_id: str,
+        *,
+        limit: int = DEFAULT_LIST_RESPONSE_LIMIT,
+        before: Optional[str] = None,
+        after: Optional[str] = None,
+        order: PaginationOrder = "desc",
+    ) -> FeatureFlagsListResource:
+        list_params: FeatureFlagListFilters = {
+            "limit": limit,
+            "before": before,
+            "after": after,
+            "order": order,
+        }
+
+        response = await self._http_client.request(
+            USER_FEATURE_FLAGS_PATH.format(user_id),
+            method=REQUEST_METHOD_GET,
+            params=list_params,
+        )
+
+        return FeatureFlagsListResource(
+            list_method=self.list_feature_flags,
+            list_args=list_params,
+            **ListPage[FeatureFlag](**response).model_dump(),
+        )

{workos-5.36.0 → workos-5.38.0}/workos/vault.py

@@ -37,6 +37,17 @@ class VaultModule(Protocol):
         """
         ...
 
+    def read_object_by_name(self, *, name: str) -> VaultObject:
+        """
+        Get a Vault object by name with the value decrypted.
+
+        Kwargs:
+            name (str): The unique name of the object.
+        Returns:
+            VaultObject: A vault object with metadata, name and decrypted value.
+        """
+        ...
+
     def list_objects(
         self,
         *,
@@ -230,6 +241,24 @@ class Vault(VaultModule):
 
         return VaultObject.model_validate(response)
 
+    def read_object_by_name(
+        self,
+        *,
+        name: str,
+    ) -> VaultObject:
+        if not name:
+            raise ValueError("Incomplete arguments: 'name' is a required argument")
+
+        response = self._http_client.request(
+            RequestHelper.build_parameterized_url(
+                "vault/v1/kv/name/{name}",
+                name=name,
+            ),
+            method=REQUEST_METHOD_GET,
+        )
+
+        return VaultObject.model_validate(response)
+
     def list_objects(
         self,
         *,

{workos-5.36.0 → workos-5.38.0}/workos.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: workos
-Version: 5.36.0
+Version: 5.38.0
 Summary: WorkOS Python Client
 Home-page: https://github.com/workos-inc/workos-python
 Author: WorkOS

{workos-5.36.0 → workos-5.38.0}/workos.egg-info/SOURCES.txt

@@ -12,6 +12,7 @@ tests/test_mfa.py
 tests/test_organization_domains.py
 tests/test_organizations.py
 tests/test_passwordless.py
+tests/test_pipes.py
 tests/test_portal.py
 tests/test_session.py
 tests/test_sso.py
@@ -38,6 +39,7 @@ workos/mfa.py
 workos/organization_domains.py
 workos/organizations.py
 workos/passwordless.py
+workos/pipes.py
 workos/portal.py
 workos/py.typed
 workos/session.py
@@ -113,6 +115,8 @@ workos/types/organizations/organization_common.py
 workos/types/passwordless/__init__.py
 workos/types/passwordless/passwordless_session.py
 workos/types/passwordless/passwordless_session_type.py
+workos/types/pipes/__init__.py
+workos/types/pipes/pipes.py
 workos/types/portal/__init__.py
 workos/types/portal/portal_link.py
 workos/types/portal/portal_link_intent.py