Merge branch 'main' into add-email-to-update-user

Author: cmatheson

.github/workflows/coana-analysis.yml

@@ -2,24 +2,27 @@ name: Coana Vulnerability Analysis
 
 on:
   schedule:
-    # every day at 12 AM
-    - cron: '0 0 * * *'
+    - cron: '0 3 * * *' # every day at 3 AM
   workflow_dispatch:
     inputs:
       tags:
         description: 'Manually run vulnerability analysis'
+      # Required by the return-dispatch action
+      distinct_id:
 
 jobs:
   coana-vulnerability-analysis:
     runs-on: ubuntu-latest
-    timeout-minutes: 60
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+
       - name: Run Coana CLI
         id: coana-cli
-        run: |
-          npx @coana-tech/cli run . \
-            --api-key ${{ secrets.COANA_API_KEY }} \
-            --repo-url https://github.com/${{github.repository}}
+        uses: docker://coana/coana:latest@sha256:74144ed0fc9d7da87dcd45ccd12458cc7c25ad23e47eebd7ceb4860ed396d63e
+        with:
+          args: |
+            coana run . \
+              --api-key ${{ secrets.COANA_API_KEY }} \
+              --repo-url https://github.com/${{github.repository}}

.github/workflows/coana-guardrail.yml

@@ -5,24 +5,27 @@ on: pull_request
 jobs:
   guardrail:
     runs-on: ubuntu-latest
-    timeout-minutes: 15
+
     steps:
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v44
-        with:
-          separator: ' '
- 
       - name: Checkout the ${{github.base_ref}} branch
         uses: actions/checkout@v4
         with:
           ref: ${{github.base_ref}} # checkout the base branch (usually master/main).
- 
+
+      - name: Fetch the PR branch
+        run: |
+          git fetch ${{ github.event.pull_request.head.repo.clone_url }} ${{ github.head_ref }}:${{ github.head_ref }} --depth=1
+
+      - name: Get list of changed files relative to the main/master branch
+        id: changed-files
+        run: |
+          echo "all_changed_files=$(git diff --name-only ${{ github.base_ref }} ${{ github.head_ref }} | tr '\n' ' ')" >> $GITHUB_OUTPUT
+
       - name: Use Node.js 20.x
         uses: actions/setup-node@v4
         with:
           node-version: 20.x
- 
+
       - name: Run Coana on the ${{github.base_ref}} branch
         run: |
           npx @coana-tech/cli run . \
@@ -31,16 +34,20 @@ jobs:
             -o /tmp/main-branch \
             --changed-files ${{ steps.changed-files.outputs.all_changed_files }} \
             --lightweight-reachability \
- 
-      # Reset file permissions changed by Coana CLI.
+
+      # Reset file permissions.
+      # This is necessary because the Coana CLI may add
+      # new files with root ownership since it's using docker.
+      # These files will not be deleted by the clean step in checkout
+      # if the permissions are not reset.
       - name: Reset file permissions
         run: sudo chown -R $USER:$USER .
- 
+
       - name: Checkout the current branch
         uses: actions/checkout@v4
         with:
           clean: true
- 
+
       - name: Run Coana on the current branch
         run: |
           npx @coana-tech/cli run . \
@@ -49,12 +56,12 @@ jobs:
             -o /tmp/current-branch \
             --changed-files ${{ steps.changed-files.outputs.all_changed_files }} \
             --lightweight-reachability \
- 
+
       - name: Run Report Comparison
         run: |
           npx @coana-tech/cli compare-reports \
             --api-key ${{ secrets.COANA_API_KEY || 'api-key-unavailable' }} \
             /tmp/main-branch/coana-report.json \
             /tmp/current-branch/coana-report.json
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

package.json

@@ -1,5 +1,5 @@
 {
-  "version": "7.41.0",
+  "version": "7.50.1",
   "name": "@workos-inc/node",
   "author": "WorkOS",
   "description": "A Node wrapper for the WorkOS API",
@@ -40,6 +40,7 @@
   "dependencies": {
     "iron-session": "~6.3.1",
     "jose": "~5.6.3",
+    "leb": "^1.0.0",
     "pluralize": "8.0.0"
   },
   "devDependencies": {

src/actions/actions.spec.ts

@@ -2,8 +2,9 @@ import crypto from 'crypto';
 import { WorkOS } from '../workos';
 import mockAuthActionContext from './fixtures/authentication-action-context.json';
 import mockUserRegistrationActionContext from './fixtures/user-registration-action-context.json';
+import { NodeCryptoProvider } from '../common/crypto/node-crypto-provider';
+
 const workos = new WorkOS('sk_test_Sz3IQjepeSWaI4cMS4ms4sMuU');
-import { NodeCryptoProvider } from '../common/crypto/NodeCryptoProvider';
 
 describe('Actions', () => {
   let secret: string;
@@ -127,6 +128,7 @@ describe('Actions', () => {
           createdAt: '2024-10-22T17:12:50.746Z',
           updatedAt: '2024-10-22T17:12:50.746Z',
           externalId: null,
+          metadata: {},
         },
         ipAddress: '50.141.123.10',
         userAgent: 'Mozilla/5.0',
@@ -142,6 +144,7 @@ describe('Actions', () => {
           createdAt: '2024-10-22T17:12:50.746Z',
           updatedAt: '2024-10-22T17:12:50.746Z',
           externalId: null,
+          metadata: {},
         },
         organizationMembership: {
           object: 'organization_membership',

src/actions/actions.ts

@@ -1,5 +1,5 @@
-import { SignatureProvider } from '../common/crypto/SignatureProvider';
 import { CryptoProvider } from '../common/crypto/crypto-provider';
+import { SignatureProvider } from '../common/crypto/signature-provider';
 import { unreachable } from '../common/utils/unreachable';
 import { ActionContext, ActionPayload } from './interfaces/action.interface';
 import {

src/common/crypto/CryptoProvider.ts

@@ -1,8 +1,8 @@
 import crypto from 'crypto';
-import { NodeCryptoProvider } from './NodeCryptoProvider';
-import { SubtleCryptoProvider } from './SubtleCryptoProvider';
+import { NodeCryptoProvider } from './node-crypto-provider';
+import { SubtleCryptoProvider } from './subtle-crypto-provider';
 import mockWebhook from '../../webhooks/fixtures/webhook.json';
-import { SignatureProvider } from './SignatureProvider';
+import { SignatureProvider } from './signature-provider';
 
 describe('CryptoProvider', () => {
   let payload: any;

src/common/crypto/NodeCryptoProvider.ts

@@ -35,4 +35,51 @@ export abstract class CryptoProvider {
    * Cryptographically determine whether two signatures are equal
    */
   abstract secureCompare(stringA: string, stringB: string): Promise<boolean>;
+
+  /**
+   * Encrypts data using AES-256-GCM algorithm.
+   *
+   * @param plaintext The data to encrypt
+   * @param key The encryption key (should be 32 bytes for AES-256)
+   * @param iv Optional initialization vector (if not provided, a random one will be generated)
+   * @param aad Optional additional authenticated data
+   * @returns Object containing the encrypted ciphertext, the IV used, and the authentication tag
+   */
+  abstract encrypt(
+    plaintext: Uint8Array,
+    key: Uint8Array,
+    iv?: Uint8Array,
+    aad?: Uint8Array,
+  ): Promise<{
+    ciphertext: Uint8Array;
+    iv: Uint8Array;
+    tag: Uint8Array;
+  }>;
+
+  /**
+   * Decrypts data that was encrypted using AES-256-GCM algorithm.
+   *
+   * @param ciphertext The encrypted data
+   * @param key The decryption key (must be the same key used for encryption)
+   * @param iv The initialization vector used during encryption
+   * @param tag The authentication tag produced during encryption
+   * @param aad Optional additional authenticated data (must match what was used during encryption)
+   * @returns The decrypted data
+   * @throws Will throw an error if authentication fails or the data has been tampered with
+   */
+  abstract decrypt(
+    ciphertext: Uint8Array,
+    key: Uint8Array,
+    iv: Uint8Array,
+    tag: Uint8Array,
+    aad?: Uint8Array,
+  ): Promise<Uint8Array>;
+
+  /**
+   * Generates cryptographically secure random bytes.
+   *
+   * @param length The number of random bytes to generate
+   * @returns A Uint8Array containing the random bytes
+   */
+  abstract randomBytes(length: number): Uint8Array;
 }