Add entitlements to session (#349)
* Refactor session spec to mock less and split out the payload

Allowing more complete testing of the token with only the verification being mocked.

The separate payload enables creating more tests with differing payloads.

* Include entitlements in the authenticated session

If the user's organisation has a Stripe link, the token includes any entitlements; these should be exposed to client code.

Fixes #336
adam-h authored Jan 27, 2025
1 parent 2a1b2a5 commit 7b9e66b
Showing 2 changed files with 47 additions and 18 deletions.
1 change: 1 addition & 0 deletions lib/workos/session.rb
Expand Up @@ -50,6 +50,7 @@ def authenticate
organization_id: decoded['org_id'],
role: decoded['role'],
permissions: decoded['permissions'],
entitlements: decoded['entitlements'],
user: session[:user],
impersonator: session[:impersonator],
reason: nil,
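Review bot: The new `entitlements: decoded['entitlements']` line passes the claim through unchanged, so the result carries `nil` rather than `[]` when the token has no entitlements claim (the spec in this commit pins `entitlements: nil` for that case). Client code that gates features on this key has to treat `nil` as "no entitlements", and a comment above the line such as `# nil when the token carries no entitlements claim; callers must treat nil as none` would make that contract visible. The value is only as trustworthy as the token verification that runs before this hash is built, which is not visible here; the body of `authenticate` starts and ends outside the hunk.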
64 changes: 46 additions & 18 deletions spec/lib/workos/session_spec.rb
Expand Up @@ -103,24 +103,23 @@

describe '.authenticate' do
let(:user_management) { instance_double('UserManagement') }
let(:valid_access_token) do
payload = {
let(:payload) do
{
sid: 'session_id',
org_id: 'org_id',
role: 'role',
permissions: ['read'],
exp: Time.now.to_i + 3600,
}
headers = { kid: jwk[:kid] }
JWT.encode(payload, jwk.signing_key, jwk[:alg], headers)
end
let(:valid_access_token) { JWT.encode(payload, jwk.signing_key, jwk[:alg], { kid: jwk[:kid] }) }
let(:session_data) do
WorkOS::Session.seal_data({
access_token: valid_access_token,
user: 'user',
impersonator: 'impersonator',
}, cookie_password,)
end
WorkOS::Session.seal_data({
access_token: valid_access_token,
user: 'user',
impersonator: 'impersonator',
}, cookie_password,)
end

before do
allow(user_management).to receive(:get_jwks_url).with(client_id).and_return(jwks_url)
Expand Down Expand Up @@ -167,26 +166,55 @@
session_data: session_data,
cookie_password: cookie_password,
)
allow(session).to receive(:is_valid_jwt).and_return(true)
allow(JWT).to receive(:decode).and_return([{
'sid' => 'session_id',
'org_id' => 'org_id',
'role' => 'role',
'permissions' => ['read'],
}])

allow_any_instance_of(JWT::Decode).to receive(:verify_signature).and_return(true)
result = session.authenticate
expect(result).to eq({
authenticated: true,
session_id: 'session_id',
organization_id: 'org_id',
role: 'role',
permissions: ['read'],
entitlements: nil,
user: 'user',
impersonator: 'impersonator',
reason: nil,
})
end

describe 'with entitlements' do
let(:payload) do
{
sid: 'session_id',
org_id: 'org_id',
role: 'role',
permissions: ['read'],
entitlements: ['billing'],
exp: Time.now.to_i + 3600,
}
end

it 'includes entitlements in the result' do
session = WorkOS::Session.new(
user_management: user_management,
client_id: client_id,
session_data: session_data,
cookie_password: cookie_password,
)
allow_any_instance_of(JWT::Decode).to receive(:verify_signature).and_return(true)
result = session.authenticate
expect(result).to eq({
authenticated: true,
session_id: 'session_id',
organization_id: 'org_id',
role: 'role',
permissions: ['read'],
entitlements: ['billing'],
user: 'user',
impersonator: 'impersonator',
reason: nil,
})
end
end
end

describe '.refresh' do
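Review bot: `allow_any_instance_of(JWT::Decode).to receive(:verify_signature).and_return(true)` in both `.authenticate` examples switches off signature checking for every decode, so these specs would still pass if `authenticate` stopped verifying the token or verified it against the wrong key. Because `valid_access_token` is already signed with `jwk.signing_key`, the JWKS lookup could instead be stubbed to return that key's public half so the real verification runs; how the session fetches the JWKS is outside the visible hunks, so the exact stub point needs confirming. The stub also ties the spec to an internal method of the jwt gem. If it stays, a companion example with a token signed by a different key and expecting `authenticated: false` would cover the rejection path, unless one already exists in the collapsed part of the file.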
