Return action type (#1179)

tribble · web-flow · commit 70a326ddc2a4 · 2024-11-26T11:48:38.000-08:00
## Description Now action returns the exact action types and support exhaustiveness checking: ```typescript const DISALLOWED_EMAIL_DOMAINS = ['gmail.com', 'yahoo.com', 'hotmail.com']; const computeSignature = async ( payload: any, timestamp: number, ): Promise<string> => workos.webhooks.computeSignature( timestamp, payload, process.env.WORKOS_ACTIONS_SECRET ?? '', ); export const POST = async (req: NextRequest) => { const body = await req.json(); const action = await workos.actions.constructAction({ payload: body, sigHeader: req.headers.get('WorkOS-Signature'), secret: process.env.WORKOS_ACTIONS_SECRET ?? '', }); switch (action.object) { case 'user_registration_action_context': const timestamp = Date.now(); let verdict: 'Allow' | 'Deny'; const emailDomain = action.userData.email.split('@')[1]; if (DISALLOWED_EMAIL_DOMAINS.includes(emailDomain)) { verdict = 'Deny'; } else { verdict = 'Allow'; } const responsePayload = { timestamp, verdict }; const response = { object: 'user_registration_action_response', payload: responsePayload, signature: await computeSignature( responsePayload, responsePayload.timestamp, ), }; return NextResponse.json(response); case 'authentication_action_context': throw new Error('Unsupported action type'); default: throw new Error('Unrecognized action type'); } }; ``` ## Documentation Does this require changes to the WorkOS Docs? E.g. the [API Reference](https://workos.com/docs/reference) or code snippets need updates. ``` [ ] Yes ``` If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.
diff --git a/src/actions/actions.spec.ts b/src/actions/actions.spec.ts
@@ -1,6 +1,7 @@
 import crypto from 'crypto';
 import { WorkOS } from '../workos';
-import mockActionContext from './fixtures/action-context.json';
+import mockAuthActionContext from './fixtures/authentication-action-context.json';
+import mockUserRegistrationActionContext from './fixtures/user-registration-action-context.json';
 const workos = new WorkOS('sk_test_Sz3IQjepeSWaI4cMS4ms4sMuU');
 import { NodeCryptoProvider } from '../common/crypto';
 
@@ -11,6 +12,17 @@ describe('Actions', () => {
     secret = 'secret';
   });
 
+  const makeSigHeader = (payload: unknown, secret: string) => {
+    const timestamp = Date.now() * 1000;
+    const unhashedString = `${timestamp}.${JSON.stringify(payload)}`;
+    const signatureHash = crypto
+      .createHmac('sha256', secret)
+      .update(unhashedString)
+      .digest()
+      .toString('hex');
+    return `t=${timestamp}, v1=${signatureHash}`;
+  };
+
   describe('signResponse', () => {
     describe('type: authentication', () => {
       it('returns a signed response', async () => {
@@ -71,30 +83,108 @@ describe('Actions', () => {
   });
 
   describe('verifyHeader', () => {
-    it('aliases to the signature provider', async () => {
-      const spy = jest.spyOn(
-        // tslint:disable-next-line
-        workos.actions['signatureProvider'],
-        'verifyHeader',
-      );
-
-      const timestamp = Date.now() * 1000;
-      const unhashedString = `${timestamp}.${JSON.stringify(
-        mockActionContext,
-      )}`;
-      const signatureHash = crypto
-        .createHmac('sha256', secret)
-        .update(unhashedString)
-        .digest()
-        .toString('hex');
-
-      await workos.actions.verifyHeader({
-        payload: mockActionContext,
-        sigHeader: `t=${timestamp}, v1=${signatureHash}`,
+    it('verifies the header', async () => {
+      await expect(
+        workos.actions.verifyHeader({
+          payload: mockAuthActionContext,
+          sigHeader: makeSigHeader(mockAuthActionContext, secret),
+          secret,
+        }),
+      ).resolves.not.toThrow();
+    });
+
+    it('throws when the header is invalid', async () => {
+      await expect(
+        workos.actions.verifyHeader({
+          payload: mockAuthActionContext,
+          sigHeader: 't=123, v1=123',
+          secret,
+        }),
+      ).rejects.toThrow();
+    });
+  });
+
+  describe('constructAction', () => {
+    it('returns an authentication action', async () => {
+      const payload = mockAuthActionContext;
+      const sigHeader = makeSigHeader(payload, secret);
+      const action = await workos.actions.constructAction({
+        payload,
+        sigHeader,
         secret,
       });
 
-      expect(spy).toHaveBeenCalled();
+      expect(action).toEqual({
+        id: '01JATCMZJY26PQ59XT9BNT0FNN',
+        user: {
+          object: 'user',
+          id: '01JATCHZVEC5EPANDPEZVM68Y9',
+          email: 'jane@foocorp.com',
+          firstName: 'Jane',
+          lastName: 'Doe',
+          emailVerified: true,
+          profilePictureUrl: 'https://example.com/jane.jpg',
+          createdAt: '2024-10-22T17:12:50.746Z',
+          updatedAt: '2024-10-22T17:12:50.746Z',
+        },
+        ipAddress: '50.141.123.10',
+        userAgent: 'Mozilla/5.0',
+        issuer: 'test',
+        object: 'authentication_action_context',
+        organization: {
+          object: 'organization',
+          id: '01JATCMZJY26PQ59XT9BNT0FNN',
+          name: 'Foo Corp',
+          allowProfilesOutsideOrganization: false,
+          domains: [],
+          createdAt: '2024-10-22T17:12:50.746Z',
+          updatedAt: '2024-10-22T17:12:50.746Z',
+        },
+        organizationMembership: {
+          object: 'organization_membership',
+          id: '01JATCNVYCHT1SZGENR4QTXKRK',
+          userId: '01JATCHZVEC5EPANDPEZVM68Y9',
+          organizationId: '01JATCMZJY26PQ59XT9BNT0FNN',
+          role: {
+            slug: 'member',
+          },
+          status: 'active',
+          createdAt: '2024-10-22T17:12:50.746Z',
+          updatedAt: '2024-10-22T17:12:50.746Z',
+        },
+      });
+    });
+
+    it('returns a user registration action', async () => {
+      const payload = mockUserRegistrationActionContext;
+      const sigHeader = makeSigHeader(payload, secret);
+      const action = await workos.actions.constructAction({
+        payload,
+        sigHeader,
+        secret,
+      });
+
+      expect(action).toEqual({
+        id: '01JATCMZJY26PQ59XT9BNT0FNN',
+        object: 'user_registration_action_context',
+        userData: {
+          object: 'user_data',
+          email: 'jane@foocorp.com',
+          firstName: 'Jane',
+          lastName: 'Doe',
+        },
+        ipAddress: '50.141.123.10',
+        userAgent: 'Mozilla/5.0',
+        invitation: expect.objectContaining({
+          object: 'invitation',
+          id: '01JBVZWH8HJ855YZ5BWHG1WNZN',
+          email: 'jane@foocorp.com',
+          expiresAt: '2024-10-22T17:12:50.746Z',
+          createdAt: '2024-10-21T17:12:50.746Z',
+          updatedAt: '2024-10-21T17:12:50.746Z',
+          acceptedAt: '2024-10-22T17:13:50.746Z',
+        }),
+      });
     });
   });
 });
diff --git a/src/actions/actions.ts b/src/actions/actions.ts
@@ -1,11 +1,13 @@
 import { SignatureProvider } from '../common/crypto';
 import { CryptoProvider } from '../common/crypto/crypto-provider';
 import { unreachable } from '../common/utils/unreachable';
+import { ActionContext, ActionPayload } from './interfaces/action.interface';
 import {
   AuthenticationActionResponseData,
   ResponsePayload,
   UserRegistrationActionResponseData,
-} from './interfaces/response-payload';
+} from './interfaces/response-payload.interface';
+import { deserializeAction } from './serializers/action.serializer';
 
 export class Actions {
   private signatureProvider: SignatureProvider;
@@ -67,4 +69,21 @@ export class Actions {
 
     return response;
   }
+
+  async constructAction({
+    payload,
+    sigHeader,
+    secret,
+    tolerance = 300,
+  }: {
+    payload: unknown;
+    sigHeader: string;
+    secret: string;
+    tolerance?: number;
+  }): Promise<ActionContext> {
+    const options = { payload, sigHeader, secret, tolerance };
+    await this.verifyHeader(options);
+
+    return deserializeAction(payload as ActionPayload);
+  }
 }
diff --git a/src/actions/fixtures/authentication-action-context.json b/src/actions/fixtures/authentication-action-context.json
@@ -1,4 +1,5 @@
 {
+    "id": "01JATCMZJY26PQ59XT9BNT0FNN",
     "user": {
         "object": "user",
         "id": "01JATCHZVEC5EPANDPEZVM68Y9",
diff --git a/src/actions/fixtures/user-registration-action-context.json b/src/actions/fixtures/user-registration-action-context.json
@@ -0,0 +1,24 @@
+{
+    "id": "01JATCMZJY26PQ59XT9BNT0FNN",
+    "user_data": {
+        "object": "user_data",
+        "email": "jane@foocorp.com",
+        "first_name": "Jane",
+        "last_name": "Doe"
+    },
+    "ip_address": "50.141.123.10",
+    "user_agent": "Mozilla/5.0",
+    "object": "user_registration_action_context",
+    "invitation": {
+        "object": "invitation",
+        "id": "01JBVZWH8HJ855YZ5BWHG1WNZN",
+        "email": "jane@foocorp.com",
+        "expires_at": "2024-10-22T17:12:50.746Z",
+        "created_at": "2024-10-21T17:12:50.746Z",
+        "updated_at": "2024-10-21T17:12:50.746Z",
+        "accepted_at": "2024-10-22T17:13:50.746Z",
+        "revoked_at": null,
+        "organization_id": "01JBW46BTKAA98WZN8826XQ2YP",
+        "inviter_user_id": "01JBVZWAEPWAE3YYKBVT0AF81F"
+      }
+}
diff --git a/src/actions/interfaces/action.interface.ts b/src/actions/interfaces/action.interface.ts
@@ -0,0 +1,74 @@
+import {
+  Organization,
+  OrganizationResponse,
+} from '../../organizations/interfaces';
+import {
+  Invitation,
+  InvitationResponse,
+  OrganizationMembership,
+  OrganizationMembershipResponse,
+  User,
+  UserResponse,
+} from '../../user-management/interfaces';
+
+interface AuthenticationActionContext {
+  id: string;
+  object: 'authentication_action_context';
+  user: User;
+  organization?: Organization;
+  organizationMembership?: OrganizationMembership;
+  ipAddress?: string;
+  userAgent?: string;
+  issuer?: string;
+}
+
+export interface UserData {
+  object: 'user_data';
+  email: string;
+  firstName: string;
+  lastName: string;
+}
+
+interface UserRegistrationActionContext {
+  id: string;
+  object: 'user_registration_action_context';
+  userData: UserData;
+  invitation?: Invitation;
+  ipAddress?: string;
+  userAgent?: string;
+}
+
+export type ActionContext =
+  | AuthenticationActionContext
+  | UserRegistrationActionContext;
+
+interface AuthenticationActionPayload {
+  id: string;
+  object: 'authentication_action_context';
+  user: UserResponse;
+  organization?: OrganizationResponse;
+  organization_membership?: OrganizationMembershipResponse;
+  ip_address?: string;
+  user_agent?: string;
+  issuer?: string;
+}
+
+export interface UserDataPayload {
+  object: 'user_data';
+  email: string;
+  first_name: string;
+  last_name: string;
+}
+
+export interface UserRegistrationActionPayload {
+  id: string;
+  object: 'user_registration_action_context';
+  user_data: UserDataPayload;
+  invitation?: InvitationResponse;
+  ip_address?: string;
+  user_agent?: string;
+}
+
+export type ActionPayload =
+  | AuthenticationActionPayload
+  | UserRegistrationActionPayload;
diff --git a/src/actions/interfaces/response-payload.interface.ts b/src/actions/interfaces/response-payload.interface.ts
diff --git a/src/actions/serializers/action.serializer.ts b/src/actions/serializers/action.serializer.ts
@@ -0,0 +1,57 @@
+import { deserializeOrganization } from '../../organizations/serializers/organization.serializer';
+import {
+  deserializeInvitation,
+  deserializeUser,
+} from '../../user-management/serializers';
+import { deserializeOrganizationMembership } from '../../user-management/serializers/organization-membership.serializer';
+import {
+  ActionContext,
+  ActionPayload,
+  UserData,
+  UserDataPayload,
+} from '../interfaces/action.interface';
+
+const deserializeUserData = (userData: UserDataPayload): UserData => {
+  return {
+    object: userData.object,
+    email: userData.email,
+    firstName: userData.first_name,
+    lastName: userData.last_name,
+  };
+};
+
+export const deserializeAction = (
+  actionPayload: ActionPayload,
+): ActionContext => {
+  switch (actionPayload.object) {
+    case 'user_registration_action_context':
+      return {
+        id: actionPayload.id,
+        object: actionPayload.object,
+        userData: deserializeUserData(actionPayload.user_data),
+        invitation: actionPayload.invitation
+          ? deserializeInvitation(actionPayload.invitation)
+          : undefined,
+
+        ipAddress: actionPayload.ip_address,
+        userAgent: actionPayload.user_agent,
+      };
+    case 'authentication_action_context':
+      return {
+        id: actionPayload.id,
+        object: actionPayload.object,
+        user: deserializeUser(actionPayload.user),
+        organization: actionPayload.organization
+          ? deserializeOrganization(actionPayload.organization)
+          : undefined,
+        organizationMembership: actionPayload.organization_membership
+          ? deserializeOrganizationMembership(
+              actionPayload.organization_membership,
+            )
+          : undefined,
+        ipAddress: actionPayload.ip_address,
+        userAgent: actionPayload.user_agent,
+        issuer: actionPayload.issuer,
+      };
+  }
+};

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`{`
	`2`	`+ "id": "01JATCMZJY26PQ59XT9BNT0FNN",`
`2`	`3`	`"user": {`
`3`	`4`	`"object": "user",`
`4`	`5`	`"id": "01JATCHZVEC5EPANDPEZVM68Y9",`