workos
diff --git a/‎package.json‎
Lines changed: 9 additions & 0 deletions b/‎package.json‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎src/index.public.spec.ts‎
Lines changed: 153 additions & 0 deletions b/‎src/index.public.spec.ts‎
Lines changed: 153 additions & 0 deletions
diff --git a/‎src/index.public.ts‎
Lines changed: 90 additions & 0 deletions b/‎src/index.public.ts‎
Lines changed: 90 additions & 0 deletions
diff --git a/‎src/public-exports.spec.ts‎
Lines changed: 49 additions & 0 deletions b/‎src/public-exports.spec.ts‎
Lines changed: 49 additions & 0 deletions
diff --git a/‎src/public/index.ts‎
Lines changed: 17 additions & 0 deletions b/‎src/public/index.ts‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎src/public/sso.ts‎
Lines changed: 62 additions & 0 deletions b/‎src/public/sso.ts‎
Lines changed: 62 additions & 0 deletions
@@ -103,6 +103,15 @@
       "require": "./lib/cjs/index.cjs",
       "default": "./lib/esm/index.js"
     },
+    "./public": {
+      "types": {
+        "require": "./lib/cjs/index.public.d.cts",
+        "import": "./lib/esm/index.public.d.ts"
+      },
+      "import": "./lib/esm/index.public.js",
+      "require": "./lib/cjs/index.public.cjs",
+      "default": "./lib/esm/index.public.js"
+    },
     "./worker": {
       "types": {
         "require": "./lib/cjs/index.worker.d.cts",
 
@@ -0,0 +1,153 @@
+import { WorkOS } from './index.public';
+
+describe('WorkOS Public API', () => {
+  let workosPublic: WorkOS;
+
+  beforeEach(() => {
+    workosPublic = new WorkOS({
+      clientId: 'client_123',
+      apiHostname: 'api.workos.dev',
+    });
+  });
+
+  describe('instantiation', () => {
+    it('should instantiate without requiring an API key', () => {
+      expect(() => new WorkOS()).not.toThrow();
+    });
+
+    it('should accept public configuration options', () => {
+      const client = new WorkOS({
+        clientId: 'test_client',
+        apiHostname: 'test.api.com',
+        https: false,
+        port: 3000,
+      });
+
+      expect(client).toBeDefined();
+      expect(client.version).toBeDefined();
+    });
+  });
+
+  describe('exposed services', () => {
+    it('should expose webhooks service', () => {
+      expect(workosPublic.webhooks).toBeDefined();
+      expect(workosPublic.webhooks.verifyHeader).toBeDefined();
+      expect(workosPublic.webhooks.computeSignature).toBeDefined();
+      expect(workosPublic.webhooks.constructEvent).toBeDefined();
+    });
+
+    it('should expose actions service', () => {
+      expect(workosPublic.actions).toBeDefined();
+      expect(workosPublic.actions.verifyHeader).toBeDefined();
+      expect(workosPublic.actions.signResponse).toBeDefined();
+      expect(workosPublic.actions.constructAction).toBeDefined();
+    });
+
+    it('should expose client-safe user management methods', () => {
+      expect(workosPublic.userManagement).toBeDefined();
+      expect(
+        workosPublic.userManagement.authenticateWithCodeAndVerifier,
+      ).toBeDefined();
+      expect(workosPublic.userManagement.getAuthorizationUrl).toBeDefined();
+      expect(workosPublic.userManagement.getLogoutUrl).toBeDefined();
+      expect(workosPublic.userManagement.getJwksUrl).toBeDefined();
+    });
+
+    it('should expose client-safe SSO methods', () => {
+      expect(workosPublic.sso).toBeDefined();
+      expect(workosPublic.sso.getAuthorizationUrl).toBeDefined();
+    });
+
+    it('should expose version', () => {
+      expect(workosPublic.version).toBeDefined();
+      expect(typeof workosPublic.version).toBe('string');
+    });
+  });
+
+  describe('method behavior', () => {
+    it('should be able to call URL generation methods', () => {
+      const authUrl = workosPublic.userManagement.getAuthorizationUrl({
+        clientId: 'client_123',
+        redirectUri: 'https://example.com/callback',
+        provider: 'GoogleOAuth',
+      });
+
+      expect(authUrl).toContain('api.workos.dev');
+      expect(authUrl).toContain('client_id=client_123');
+      expect(authUrl).toContain('provider=GoogleOAuth');
+    });
+
+    it('should be able to call JWKS URL generation', () => {
+      const jwksUrl = workosPublic.userManagement.getJwksUrl('client_123');
+      expect(jwksUrl).toBe('https://api.workos.dev/sso/jwks/client_123');
+    });
+
+    it('should be able to call logout URL generation', () => {
+      const logoutUrl = workosPublic.userManagement.getLogoutUrl({
+        sessionId: 'session_123',
+        returnTo: 'https://example.com',
+      });
+
+      expect(logoutUrl).toContain('api.workos.dev');
+      expect(logoutUrl).toContain('session_id=session_123');
+    });
+
+    it('should be able to call SSO authorization URL generation', () => {
+      const authUrl = workosPublic.sso.getAuthorizationUrl({
+        clientId: 'client_123',
+        redirectUri: 'https://example.com/callback',
+        provider: 'GoogleOAuth',
+      });
+
+      expect(authUrl).toContain('api.workos.dev');
+      expect(authUrl).toContain('client_id=client_123');
+    });
+  });
+
+  describe('server-only methods should not be exposed', () => {
+    it('should not expose getUser on userManagement', () => {
+      expect((workosPublic.userManagement as any).getUser).toBeUndefined();
+    });
+
+    it('should not expose createUser on userManagement', () => {
+      expect((workosPublic.userManagement as any).createUser).toBeUndefined();
+    });
+
+    it('should not expose listUsers on userManagement', () => {
+      expect((workosPublic.userManagement as any).listUsers).toBeUndefined();
+    });
+
+    it('should not expose updateUser on userManagement', () => {
+      expect((workosPublic.userManagement as any).updateUser).toBeUndefined();
+    });
+
+    it('should not expose server-only authentication methods', () => {
+      expect(
+        (workosPublic.userManagement as any).authenticateWithPassword,
+      ).toBeUndefined();
+      expect(
+        (workosPublic.userManagement as any).authenticateWithMagicAuth,
+      ).toBeUndefined();
+      expect(
+        (workosPublic.userManagement as any).authenticateWithRefreshToken,
+      ).toBeUndefined();
+    });
+  });
+
+  describe('type safety', () => {
+    it('should provide proper TypeScript types for exposed methods', () => {
+      // These should compile without errors
+      const authUrl: string = workosPublic.userManagement.getAuthorizationUrl({
+        clientId: 'test',
+        redirectUri: 'https://example.com',
+        provider: 'GoogleOAuth',
+      });
+
+      const jwksUrl: string =
+        workosPublic.userManagement.getJwksUrl('client_id');
+
+      expect(typeof authUrl).toBe('string');
+      expect(typeof jwksUrl).toBe('string');
+    });
+  });
+});
@@ -0,0 +1,90 @@
+import { WorkOSBase } from './workos';
+import { WorkOSOptions } from './common/interfaces';
+
+// Export public methods directly (new approach)
+export * as userManagement from './public/user-management';
+export * as sso from './public/sso';
+
+// Re-export types for convenience
+export type {
+  AuthorizationURLOptions as UserManagementAuthorizationURLOptions,
+  LogoutURLOptions,
+} from './public/user-management';
+
+export type { SSOAuthorizationURLOptions } from './public/sso';
+
+interface WorkOSPublicOptions {
+  clientId?: string;
+  apiHostname?: string;
+  https?: boolean;
+  port?: number;
+}
+
+/**
+ * WorkOS public-safe SDK for browser environments.
+ * Only exposes methods that are safe to use without API keys.
+ * @deprecated Use the direct method imports instead:
+ * import { userManagement, sso } from '@workos-inc/node/public';
+ */
+export class WorkOS {
+  private _base: WorkOSBase;
+
+  // Client-safe services
+  readonly userManagement: {
+    authenticateWithCodeAndVerifier: typeof WorkOSBase.prototype.userManagement.authenticateWithCodeAndVerifier;
+    getAuthorizationUrl: typeof WorkOSBase.prototype.userManagement.getAuthorizationUrl;
+    getLogoutUrl: typeof WorkOSBase.prototype.userManagement.getLogoutUrl;
+    getJwksUrl: typeof WorkOSBase.prototype.userManagement.getJwksUrl;
+  };
+
+  readonly sso: {
+    getAuthorizationUrl: typeof WorkOSBase.prototype.sso.getAuthorizationUrl;
+  };
+
+  readonly webhooks: typeof WorkOSBase.prototype.webhooks;
+  readonly actions: typeof WorkOSBase.prototype.actions;
+
+  constructor(options: WorkOSPublicOptions = {}) {
+    // Convert public options to base WorkOS options format
+    const baseOptions: WorkOSOptions = {
+      clientId: options.clientId,
+      apiHostname: options.apiHostname,
+      https: options.https,
+      port: options.port,
+    };
+
+    // Create base instance without API key
+    this._base = new WorkOSBase(undefined, baseOptions);
+
+    // Initialize public-safe service methods
+    this.userManagement = {
+      authenticateWithCodeAndVerifier:
+        this._base.userManagement.authenticateWithCodeAndVerifier.bind(
+          this._base.userManagement,
+        ),
+      getAuthorizationUrl: this._base.userManagement.getAuthorizationUrl.bind(
+        this._base.userManagement,
+      ),
+      getLogoutUrl: this._base.userManagement.getLogoutUrl.bind(
+        this._base.userManagement,
+      ),
+      getJwksUrl: this._base.userManagement.getJwksUrl.bind(
+        this._base.userManagement,
+      ),
+    };
+
+    this.sso = {
+      getAuthorizationUrl: this._base.sso.getAuthorizationUrl.bind(
+        this._base.sso,
+      ),
+    };
+
+    // These services are fully public-safe - expose entirely
+    this.webhooks = this._base.webhooks;
+    this.actions = this._base.actions;
+  }
+
+  get version() {
+    return this._base.version;
+  }
+}
@@ -0,0 +1,49 @@
+import { userManagement, sso } from './index.public';
+
+describe('New Public Exports', () => {
+  describe('userManagement exports', () => {
+    it('exports getAuthorizationUrl function', () => {
+      expect(userManagement.getAuthorizationUrl).toBeDefined();
+      expect(typeof userManagement.getAuthorizationUrl).toBe('function');
+    });
+
+    it('exports getLogoutUrl function', () => {
+      expect(userManagement.getLogoutUrl).toBeDefined();
+      expect(typeof userManagement.getLogoutUrl).toBe('function');
+    });
+
+    it('exports getJwksUrl function', () => {
+      expect(userManagement.getJwksUrl).toBeDefined();
+      expect(typeof userManagement.getJwksUrl).toBe('function');
+    });
+
+    it('can generate authorization URL directly', () => {
+      const url = userManagement.getAuthorizationUrl({
+        clientId: 'client_123',
+        redirectUri: 'https://app.com/callback',
+        provider: 'authkit',
+      });
+
+      expect(url).toContain('https://api.workos.com/user_management/authorize');
+      expect(url).toContain('client_id=client_123');
+    });
+  });
+
+  describe('sso exports', () => {
+    it('exports getAuthorizationUrl function', () => {
+      expect(sso.getAuthorizationUrl).toBeDefined();
+      expect(typeof sso.getAuthorizationUrl).toBe('function');
+    });
+
+    it('can generate SSO authorization URL directly', () => {
+      const url = sso.getAuthorizationUrl({
+        clientId: 'client_123',
+        redirectUri: 'https://app.com/callback',
+        provider: 'GoogleOAuth',
+      });
+
+      expect(url).toContain('https://api.workos.com/sso/authorize');
+      expect(url).toContain('provider=GoogleOAuth');
+    });
+  });
+});
@@ -0,0 +1,17 @@
+/**
+ * Public methods that can be safely used in without an API key.
+ */
+
+// User Management public methods and types
+export * as userManagement from './user-management';
+
+// SSO public methods and types
+export * as sso from './sso';
+
+// Re-export specific types for convenience
+export type {
+  AuthorizationURLOptions as UserManagementAuthorizationURLOptions,
+  LogoutURLOptions,
+} from './user-management';
+
+export type { SSOAuthorizationURLOptions } from './sso';
@@ -0,0 +1,62 @@
+import { toQueryString } from './utils';
+
+export interface SSOAuthorizationURLOptions {
+  clientId: string;
+  connection?: string;
+  organization?: string;
+  domainHint?: string;
+  loginHint?: string;
+  provider?: string;
+  providerQueryParams?: Record<string, string | boolean | number>;
+  providerScopes?: string[];
+  redirectUri: string;
+  state?: string;
+}
+
+/**
+ * Generates the authorization URL for SSO authentication.
+ * This method is safe to use in browser environments as it doesn't require an API key.
+ *
+ * @param options - SSO authorization URL options
+ * @returns The authorization URL as a string
+ * @throws Error if required arguments are missing
+ */
+export function getAuthorizationUrl(
+  options: SSOAuthorizationURLOptions & { baseURL?: string },
+): string {
+  const {
+    connection,
+    clientId,
+    domainHint,
+    loginHint,
+    organization,
+    provider,
+    providerQueryParams,
+    providerScopes,
+    redirectUri,
+    state,
+    baseURL = 'https://api.workos.com',
+  } = options;
+
+  if (!provider && !connection && !organization) {
+    throw new Error(
+      `Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`,
+    );
+  }
+
+  const query = toQueryString({
+    connection,
+    organization,
+    domain_hint: domainHint,
+    login_hint: loginHint,
+    provider,
+    provider_query_params: providerQueryParams,
+    provider_scopes: providerScopes,
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    response_type: 'code',
+    state,
+  });
+
+  return `${baseURL}/sso/authorize?${query}`;
+}