Merge branch 'main' into auth-5288-user-locale

Author: stacurry

tests/test_session.py

@@ -51,6 +51,7 @@ def session_constants(self):
             "roles": ["admin"],
             "permissions": ["read"],
             "entitlements": ["feature_1"],
+            "feature_flags": ["flag1", "flag2"],
             "exp": int(current_datetime.timestamp()) + 3600,
             "iat": int(current_datetime.timestamp()),
         }
@@ -244,6 +245,7 @@ def test_authenticate_success(self, session_constants, mock_user_management):
             "roles": ["admin"],
             "permissions": ["read"],
             "entitlements": ["feature_1"],
+            "feature_flags": ["flag1", "flag2"],
         }
 
         with patch.object(Session, "unseal_data", return_value=mock_session), patch(
@@ -263,6 +265,7 @@ def test_authenticate_success(self, session_constants, mock_user_management):
             assert response.roles == ["admin"]
             assert response.permissions == ["read"]
             assert response.entitlements == ["feature_1"]
+            assert response.feature_flags == ["flag1", "flag2"]
             assert response.user.id == session_constants["USER_ID"]
             assert response.impersonator is None
 
@@ -312,6 +315,7 @@ def test_authenticate_success_with_roles(
             "roles": ["admin", "member"],
             "permissions": ["read", "write"],
             "entitlements": ["feature_1"],
+            "feature_flags": ["flag1", "flag2"],
         }
 
         with patch.object(Session, "unseal_data", return_value=mock_session), patch(
@@ -331,6 +335,7 @@ def test_authenticate_success_with_roles(
             assert response.roles == ["admin", "member"]
             assert response.permissions == ["read", "write"]
             assert response.entitlements == ["feature_1"]
+            assert response.feature_flags == ["flag1", "flag2"]
             assert response.user.id == session_constants["USER_ID"]
             assert response.impersonator is None
 
@@ -410,6 +415,7 @@ def test_refresh_success(self, session_constants, mock_user_management):
                 "roles": ["admin"],
                 "permissions": ["read"],
                 "entitlements": ["feature_1"],
+                "feature_flags": ["flag1", "flag2"],
             },
         ):
             response = session.refresh()
@@ -511,6 +517,7 @@ async def test_refresh_success(self, session_constants, mock_user_management):
                 "roles": ["admin"],
                 "permissions": ["read"],
                 "entitlements": ["feature_1"],
+                "feature_flags": ["flag1", "flag2"],
             },
         ):
             response = await session.refresh()

tests/test_sync_http_client.py

@@ -10,6 +10,7 @@
     BadRequestException,
     BaseRequestException,
     ConflictException,
+    EmailVerificationRequiredException,
     ServerException,
 )
 from workos.utils.http_client import SyncHTTPClient
@@ -263,6 +264,57 @@ def test_conflict_exception(self):
             assert str(ex) == "(message=No message, request_id=request-123)"
             assert ex.__class__ == ConflictException
 
+    def test_email_verification_required_exception(self):
+        request_id = "request-123"
+        email_verification_id = "email_verification_01J6K4PMSWQXVFGF5ZQJXC6VC8"
+
+        self.http_client._client.request = MagicMock(
+            return_value=httpx.Response(
+                status_code=403,
+                json={
+                    "message": "Please verify your email to authenticate via password.",
+                    "code": "email_verification_required",
+                    "email_verification_id": email_verification_id,
+                },
+                headers={"X-Request-ID": request_id},
+            ),
+        )
+
+        try:
+            self.http_client.request("bad_place")
+        except EmailVerificationRequiredException as ex:
+            assert (
+                ex.message == "Please verify your email to authenticate via password."
+            )
+            assert ex.code == "email_verification_required"
+            assert ex.email_verification_id == email_verification_id
+            assert ex.request_id == request_id
+            assert ex.__class__ == EmailVerificationRequiredException
+            assert isinstance(ex, AuthorizationException)
+
+    def test_regular_authorization_exception_still_raised(self):
+        request_id = "request-123"
+
+        self.http_client._client.request = MagicMock(
+            return_value=httpx.Response(
+                status_code=403,
+                json={
+                    "message": "You do not have permission to access this resource.",
+                    "code": "forbidden",
+                },
+                headers={"X-Request-ID": request_id},
+            ),
+        )
+
+        try:
+            self.http_client.request("bad_place")
+        except AuthorizationException as ex:
+            assert ex.message == "You do not have permission to access this resource."
+            assert ex.code == "forbidden"
+            assert ex.request_id == request_id
+            assert ex.__class__ == AuthorizationException
+            assert not isinstance(ex, EmailVerificationRequiredException)
+
     def test_request_includes_base_headers(self, capture_and_mock_http_client_request):
         request_kwargs = capture_and_mock_http_client_request(self.http_client, {}, 200)
 

tests/test_user_management.py

@@ -743,6 +743,37 @@ def test_authenticate_impersonator_with_code(
             "grant_type": "authorization_code",
         }
 
+    def test_authenticate_with_code_with_invitation_token(
+        self,
+        capture_and_mock_http_client_request,
+        mock_auth_response,
+        base_authentication_params,
+    ):
+        params = {
+            "code": "test_code",
+            "code_verifier": "test_code_verifier",
+            "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
+            "ip_address": "192.0.0.1",
+            "invitation_token": "invitation_token_12345",
+        }
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, mock_auth_response, 200
+        )
+
+        response = syncify(self.user_management.authenticate_with_code(**params))
+
+        assert request_kwargs["url"].endswith("user_management/authenticate")
+        assert request_kwargs["method"] == "post"
+        assert response.user.id == "user_01H7ZGXFP5C6BBQY6Z7277ZCT0"
+        assert response.organization_id == "org_12345"
+        assert response.access_token == "access_token_12345"
+        assert response.refresh_token == "refresh_token_12345"
+        assert request_kwargs["json"] == {
+            **params,
+            **base_authentication_params,
+            "grant_type": "authorization_code",
+        }
+
     def test_authenticate_with_magic_auth(
         self,
         capture_and_mock_http_client_request,

tests/test_user_management_list_sessions.py

@@ -0,0 +1,73 @@
+from typing import Union
+
+import pytest
+
+from tests.utils.list_resource import list_response_of
+from tests.utils.syncify import syncify
+from tests.types.test_auto_pagination_function import TestAutoPaginationFunction
+from workos.user_management import AsyncUserManagement, UserManagement
+
+
+def _mock_session(id: str):
+    now = "2025-07-23T14:00:00.000Z"
+    return {
+        "object": "session",
+        "id": id,
+        "user_id": "user_123",
+        "organization_id": "org_123",
+        "status": "active",
+        "auth_method": "password",
+        "impersonator": None,
+        "ip_address": "192.168.1.1",
+        "user_agent": "Mozilla/5.0",
+        "expires_at": "2025-07-23T15:00:00.000Z",
+        "ended_at": None,
+        "created_at": now,
+        "updated_at": now,
+    }
+
+
+@pytest.mark.sync_and_async(UserManagement, AsyncUserManagement)
+class TestUserManagementListSessions:
+    @pytest.fixture(autouse=True)
+    def setup(self, module_instance: Union[UserManagement, AsyncUserManagement]):
+        self.http_client = module_instance._http_client
+        self.user_management = module_instance
+
+    def test_list_sessions_query_and_parsing(
+        self, capture_and_mock_http_client_request
+    ):
+        sessions = [_mock_session("session_1"), _mock_session("session_2")]
+        response = list_response_of(data=sessions)
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, response, 200
+        )
+
+        result = syncify(
+            self.user_management.list_sessions(
+                user_id="user_123", limit=10, before="before_id", order="desc"
+            )
+        )
+
+        assert request_kwargs["url"].endswith("user_management/users/user_123/sessions")
+        assert request_kwargs["method"] == "get"
+        assert request_kwargs["params"]["limit"] == 10
+        assert request_kwargs["params"]["before"] == "before_id"
+        assert request_kwargs["params"]["order"] == "desc"
+        assert "after" not in request_kwargs["params"]
+        assert len(result.data) == 2
+        assert result.data[0].id == "session_1"
+        assert result.list_metadata.before is None
+        assert result.list_metadata.after is None
+
+    def test_list_sessions_auto_pagination(
+        self, test_auto_pagination: TestAutoPaginationFunction
+    ):
+        data = [_mock_session(str(i)) for i in range(40)]
+        test_auto_pagination(
+            http_client=self.http_client,
+            list_function=self.user_management.list_sessions,
+            list_function_params={"user_id": "user_123"},
+            expected_all_page_data=data,
+            url_path_keys=["user_id"],
+        )

tests/test_user_management_revoke_session.py

@@ -0,0 +1,26 @@
+from typing import Union
+
+import pytest
+
+from tests.utils.syncify import syncify
+from workos.user_management import AsyncUserManagement, UserManagement
+
+
+@pytest.mark.sync_and_async(UserManagement, AsyncUserManagement)
+class TestUserManagementRevokeSession:
+    @pytest.fixture(autouse=True)
+    def setup(self, module_instance: Union[UserManagement, AsyncUserManagement]):
+        self.http_client = module_instance._http_client
+        self.user_management = module_instance
+
+    def test_revoke_session(self, capture_and_mock_http_client_request):
+        request_kwargs = capture_and_mock_http_client_request(self.http_client, {}, 200)
+
+        response = syncify(
+            self.user_management.revoke_session(session_id="session_abc")
+        )
+
+        assert request_kwargs["url"].endswith("user_management/sessions/revoke")
+        assert request_kwargs["method"] == "post"
+        assert request_kwargs["json"] == {"session_id": "session_abc"}
+        assert response is None

workos/__about__.py

@@ -12,7 +12,7 @@
 
 __package_url__ = "https://github.com/workos-inc/workos-python"
 
-__version__ = "5.29.0"
+__version__ = "5.31.2"
 
 __author__ = "WorkOS"
 

workos/exceptions.py

@@ -45,6 +45,24 @@ class AuthorizationException(BaseRequestException):
     pass
 
 
+class EmailVerificationRequiredException(AuthorizationException):
+    """Raised when email verification is required before authentication.
+
+    This exception includes an email_verification_id field that can be used
+    to retrieve the email verification object or resend the verification email.
+    """
+
+    def __init__(
+        self,
+        response: httpx.Response,
+        response_json: Optional[Mapping[str, Any]],
+    ) -> None:
+        super().__init__(response, response_json)
+        self.email_verification_id = self.extract_from_json(
+            "email_verification_id", None
+        )
+
+
 class AuthenticationException(BaseRequestException):
     pass
 

workos/session.py

@@ -4,6 +4,7 @@
 from functools import lru_cache
 import json
 from typing import Any, Dict, Optional, Union, cast
+
 import jwt
 from jwt import PyJWKClient
 from cryptography.fernet import Fernet
@@ -107,6 +108,7 @@ def authenticate(
             entitlements=decoded.get("entitlements", None),
             user=session["user"],
             impersonator=session.get("impersonator", None),
+            feature_flags=decoded.get("feature_flags", None),
         )
 
     def refresh(
@@ -235,6 +237,7 @@ def refresh(
                 entitlements=decoded.get("entitlements", None),
                 user=auth_response.user,
                 impersonator=auth_response.impersonator,
+                feature_flags=decoded.get("feature_flags", None),
             )
         except Exception as e:
             return RefreshWithSessionCookieErrorResponse(
@@ -326,6 +329,7 @@ async def refresh(
                 entitlements=decoded.get("entitlements", None),
                 user=auth_response.user,
                 impersonator=auth_response.impersonator,
+                feature_flags=decoded.get("feature_flags", None),
             )
         except Exception as e:
             return RefreshWithSessionCookieErrorResponse(

workos/types/list_resource.py

@@ -34,6 +34,7 @@
 from workos.types.organizations import Organization
 from workos.types.sso import ConnectionWithDomains
 from workos.types.user_management import Invitation, OrganizationMembership, User
+from workos.types.user_management.session import Session as UserManagementSession
 from workos.types.vault import ObjectDigest
 from workos.types.workos_model import WorkOSModel
 from workos.utils.request_helper import DEFAULT_LIST_RESPONSE_LIMIT
@@ -54,6 +55,7 @@
     AuthorizationResource,
     AuthorizationResourceType,
     User,
+    UserManagementSession,
     ObjectDigest,
     Warrant,
     WarrantQueryResult,

workos/types/user_management/__init__.py

@@ -9,3 +9,4 @@
 from .password_reset import *
 from .user_management_provider_type import *
 from .user import *
+from .session import *