diff --git a/dist/b2b/discovery_intermediate_sessions.js b/dist/b2b/discovery_intermediate_sessions.js index 805d9dfa..50ab2749 100644 --- a/dist/b2b/discovery_intermediate_sessions.js +++ b/dist/b2b/discovery_intermediate_sessions.js @@ -29,8 +29,8 @@ class IntermediateSessions { * * This endpoint can be used to accept invites and create new members via domain matching. * - * If the Member is required to complete MFA to log in to the Organization, the returned value of - * `member_authenticated` will be `false`. + * If the is required to complete MFA to log in to the, the returned value of `member_authenticated` will + * be `false`. * The `intermediate_session_token` will not be consumed and instead will be returned in the response. * The `intermediate_session_token` can be passed into the * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the @@ -40,6 +40,13 @@ class IntermediateSessions { * or the * [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to join a different Organization or create a new one. * The `session_duration_minutes` and `session_custom_claims` parameters will be ignored. + * + * If the Member is logging in via an OAuth provider that does not fully verify the email, the returned + * value of `member_authenticated` will be `false`. + * The `intermediate_session_token` will not be consumed and instead will be returned in the response. + * The `primary_required` field details the authentication flow the Member must perform in order to + * [complete a step-up authentication](https://stytch.com/docs/b2b/guides/oauth/auth-flows) into the + * organization. The `intermediate_session_token` must be passed into that authentication flow. * @param data {@link B2BDiscoveryIntermediateSessionsExchangeRequest} * @returns {@link B2BDiscoveryIntermediateSessionsExchangeResponse} * @async 
diff --git a/dist/b2b/discovery_organizations.js b/dist/b2b/discovery_organizations.js index 640ebbb8..2698783a 100644 --- a/dist/b2b/discovery_organizations.js +++ b/dist/b2b/discovery_organizations.js @@ -26,8 +26,8 @@ class Organizations { } /** - * If an end user does not want to join any already-existing Organization, or has no possible Organizations - * to join, this endpoint can be used to create a new + * If an end user does not want to join any already-existing, or has no possible Organizations to join, + * this endpoint can be used to create a new * [Organization](https://stytch.com/docs/b2b/api/organization-object) and * [Member](https://stytch.com/docs/b2b/api/member-object). * @@ -35,7 +35,7 @@ class Organizations { * * This endpoint will also create an initial Member Session for the newly created Member. * - * The Member created by this endpoint will automatically be granted the `stytch_admin` Role. See the + * The created by this endpoint will automatically be granted the `stytch_admin` Role. See the * [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for more details on this Role. * * If the new Organization is created with a `mfa_policy` of `REQUIRED_FOR_ALL`, the newly created Member diff --git a/dist/b2b/magic_links.js b/dist/b2b/magic_links.js index 83b80a76..3811253f 100644 --- a/dist/b2b/magic_links.js +++ b/dist/b2b/magic_links.js 
@@ -26,14 +26,14 @@ class MagicLinks { } /** - * Authenticate a Member with a Magic Link. This endpoint requires a Magic Link token that is not expired - * or previously used. If the Member’s status is `pending` or `invited`, they will be updated to `active`. + * Authenticate a with a Magic Link. This endpoint requires a Magic Link token that is not expired or + * previously used. If the Member’s status is `pending` or `invited`, they will be updated to `active`. * Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the * `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute * duration. * - * If the Member is required to complete MFA to log in to the Organization, the returned value of - * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. + * If the Member is required to complete MFA to log in to the, the returned value of `member_authenticated` + * will be `false`, and an `intermediate_session_token` will be returned. * The `intermediate_session_token` can be passed into the * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), * [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), diff --git a/dist/b2b/magic_links_email.js b/dist/b2b/magic_links_email.js index eb508696..448e47a7 100644 --- a/dist/b2b/magic_links_email.js +++ b/dist/b2b/magic_links_email.js 
@@ -50,9 +50,9 @@ class Email { } /** - * Send an invite email to a new Member to join an Organization. The Member will be created with an - * `invited` status until they successfully authenticate. Sending invites to `pending` Members will update - * their status to `invited`. Sending invites to already `active` Members will return an error. + * Send an invite email to a new to join an. The Member will be created with an `invited` status until they + * successfully authenticate. Sending invites to `pending` Members will update their status to `invited`. + * Sending invites to already `active` Members will return an error. * * The magic link invite will be valid for 1 week. * @param data {@link B2BMagicLinksEmailInviteRequest} diff --git a/dist/b2b/oauth.js b/dist/b2b/oauth.js index 0619db2d..a412ccf5 100644 --- a/dist/b2b/oauth.js +++ b/dist/b2b/oauth.js 
@@ -24,13 +24,13 @@ class OAuth { } /** - * Authenticate a Member given a `token`. This endpoint verifies that the member completed the OAuth flow - * by verifying that the token is valid and hasn't expired. Provide the `session_duration_minutes` - * parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not - * specified, a Stytch session will be created with a 60 minute duration. + * Authenticate a given a `token`. This endpoint verifies that the member completed the flow by verifying + * that the token is valid and hasn't expired. Provide the `session_duration_minutes` parameter to set the + * lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session + * will be created with a 60 minute duration. * - * If the Member is required to complete MFA to log in to the Organization, the returned value of - * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. + * If the Member is required to complete MFA to log in to the, the returned value of `member_authenticated` + * will be `false`, and an `intermediate_session_token` will be returned. * The `intermediate_session_token` can be passed into the * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the * MFA step and acquire a full member session. 
@@ -43,6 +43,12 @@ class OAuth { * If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an * MFA step. * + * If the Member is logging in via an OAuth provider that does not fully verify the email, the returned + * value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. + * The `primary_required` field details the authentication flow the Member must perform in order to + * [complete a step-up authentication](https://stytch.com/docs/b2b/guides/oauth/auth-flows) into the + * organization. The `intermediate_session_token` must be passed into that authentication flow. + * * We’re actively accepting requests for new OAuth providers! Please [email us](mailto:support@stytch.com) * or [post in our community](https://stytch.com/docs/b2b/resources) if you are looking for an OAuth * provider that is not currently supported. diff --git a/dist/b2b/oauth_discovery.js b/dist/b2b/oauth_discovery.js index da42dd2a..283fb28f 100644 --- a/dist/b2b/oauth_discovery.js +++ b/dist/b2b/oauth_discovery.js @@ -22,7 +22,7 @@ class Discovery { } /** - * Authenticates the Discovery OAuth token and exchanges it for an Intermediate Session Token. Intermediate + * Authenticates the Discovery token and exchanges it for an Intermediate Session Token. Intermediate * Session Tokens can be used for various Discovery login flows and are valid for 10 minutes. * @param data {@link B2BOAuthDiscoveryAuthenticateRequest} * @returns {@link B2BOAuthDiscoveryAuthenticateResponse} diff --git a/dist/b2b/organizations.js b/dist/b2b/organizations.js index 4bcca3db..1aad0145 100644 --- a/dist/b2b/organizations.js +++ b/dist/b2b/organizations.js 
@@ -44,7 +44,7 @@ class Organizations { } /** - * Creates an Organization. An `organization_name` and a unique `organization_slug` are required. + * Creates an. An `organization_name` and a unique `organization_slug` are required. * * By default, `email_invites` and `sso_jit_provisioning` will be set to `ALL_ALLOWED`, and `mfa_policy` * will be set to `OPTIONAL` if no Organization authentication settings are explicitly defined in the @@ -70,7 +70,7 @@ class Organizations { } /** - * Returns an Organization specified by `organization_id`. + * Returns an specified by `organization_id`. * @param params {@link B2BOrganizationsGetRequest} * @returns {@link B2BOrganizationsGetResponse} * @async @@ -88,8 +88,8 @@ class Organizations { } /** - * Updates an Organization specified by `organization_id`. An Organization must always have at least one - * auth setting set to either `RESTRICTED` or `ALL_ALLOWED` in order to provision new Members. + * Updates an specified by `organization_id`. An Organization must always have at least one auth setting + * set to either `RESTRICTED` or `ALL_ALLOWED` in order to provision new Members. * * *See the [Organization authentication settings](https://stytch.com/docs/b2b/api/org-auth-settings) * resource to learn more about fields like `email_jit_provisioning`, `email_invites`, @@ -134,8 +134,7 @@ class Organizations { } /** - * Deletes an Organization specified by `organization_id`. All Members of the Organization will also be - * deleted. + * Deletes an specified by `organization_id`. All Members of the Organization will also be deleted. * @param data {@link B2BOrganizationsDeleteRequest} * @param options {@link B2BOrganizationsDeleteRequestOptions} * @returns {@link B2BOrganizationsDeleteResponse} diff --git a/dist/b2b/organizations_members.js b/dist/b2b/organizations_members.js index c1ddfec2..1c92fb67 100644 --- a/dist/b2b/organizations_members.js +++ b/dist/b2b/organizations_members.js 
@@ -62,7 +62,7 @@ class Members { } /** - * Updates a Member specified by `organization_id` and `member_id`. + * Updates a specified by `organization_id` and `member_id`. * @param data {@link B2BOrganizationsMembersUpdateRequest} * @param options {@link B2BOrganizationsMembersUpdateRequestOptions} * @returns {@link B2BOrganizationsMembersUpdateResponse} @@ -95,7 +95,7 @@ class Members { } /** - * Deletes a Member specified by `organization_id` and `member_id`. + * Deletes a specified by `organization_id` and `member_id`. * @param data {@link B2BOrganizationsMembersDeleteRequest} * @param options {@link B2BOrganizationsMembersDeleteRequestOptions} * @returns {@link B2BOrganizationsMembersDeleteResponse} @@ -117,8 +117,9 @@ class Members { } /** - * Reactivates a deleted Member's status and its associated email status (if applicable) to active, - * specified by `organization_id` and `member_id`. + * Reactivates a deleted's status and its associated email status (if applicable) to active, specified by + * `organization_id` and `member_id`. This endpoint will only work for Members with at least one verified + * email where their `email_address_verified` is `true`. * @param data {@link B2BOrganizationsMembersReactivateRequest} * @param options {@link B2BOrganizationsMembersReactivateRequestOptions} * @returns {@link B2BOrganizationsMembersReactivateResponse} @@ -140,7 +141,7 @@ class Members { } /** - * Delete a Member's MFA phone number. + * Delete a's MFA phone number. * * To change a Member's phone number, you must first call this endpoint to delete the existing phone number. * @@ -224,7 +225,7 @@ class Members { } /** - * Delete a Member's password. + * Delete a's password. * @param data {@link B2BOrganizationsMembersDeletePasswordRequest} * @param options {@link B2BOrganizationsMembersDeletePasswordRequestOptions} * @returns {@link B2BOrganizationsMembersDeletePasswordResponse} 
@@ -267,8 +268,8 @@ class Members { } /** - * Unlinks a retired email address from a Member specified by their `organization_id` and `member_id`. The - * email address + * Unlinks a retired email address from a specified by their `organization_id` and `member_id`. The email + * address * to be retired can be identified in the request body by either its `email_id`, its `email_address`, or * both. If using * both identifiers they must refer to the same email. @@ -310,7 +311,7 @@ class Members { } /** - * Creates a Member. An `organization_id` and `email_address` are required. + * Creates a. An `organization_id` and `email_address` are required. * @param data {@link B2BOrganizationsMembersCreateRequest} * @param options {@link B2BOrganizationsMembersCreateRequestOptions} * @returns {@link B2BOrganizationsMembersCreateResponse} diff --git a/dist/b2b/otp_sms.js b/dist/b2b/otp_sms.js index be35969f..71b0d64f 100644 --- a/dist/b2b/otp_sms.js +++ b/dist/b2b/otp_sms.js @@ -26,7 +26,7 @@ class Sms { } /** - * Send a One-Time Passcode (OTP) to a Member's phone number. + * Send a One-Time Passcode (OTP) to a's phone number. * * If the Member already has a phone number, the `mfa_phone_number` field is not needed; the endpoint will * send an OTP to the number associated with the Member. 
@@ -93,8 +93,8 @@ class Sms { * or upon successful calls to discovery authenticate methods, such as * [email magic link discovery authenticate](https://stytch.com/docs/b2b/api/authenticate-discovery-magic-link). * - * If the Organization's MFA policy is `REQUIRED_FOR_ALL`, a successful OTP authentication will change the - * Member's `mfa_enrolled` status to `true` if it is not already `true`. + * If the's MFA policy is `REQUIRED_FOR_ALL`, a successful OTP authentication will change the's + * `mfa_enrolled` status to `true` if it is not already `true`. * If the Organization's MFA policy is `OPTIONAL`, the Member's MFA enrollment can be toggled by passing in * a value for the `set_mfa_enrollment` field. * The Member's MFA enrollment can also be toggled through the diff --git a/dist/b2b/passwords.js b/dist/b2b/passwords.js index 8e99bba9..3d122ca3 100644 --- a/dist/b2b/passwords.js +++ b/dist/b2b/passwords.js @@ -107,8 +107,8 @@ class Passwords { * this case to ensure that the member is the legitimate owner of the email address and not a malicious * actor abusing the compromised credentials. * - * If the Member is required to complete MFA to log in to the Organization, the returned value of - * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. + * If the is required to complete MFA to log in to the, the returned value of `member_authenticated` will + * be `false`, and an `intermediate_session_token` will be returned. * The `intermediate_session_token` can be passed into the * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the * MFA step and acquire a full member session. diff --git a/dist/b2b/passwords_email.js b/dist/b2b/passwords_email.js index f7ff8fe3..2127e265 100644 --- a/dist/b2b/passwords_email.js +++ b/dist/b2b/passwords_email.js 
@@ -54,8 +54,8 @@ class Email { } /** - * Reset the member's password and authenticate them. This endpoint checks that the password reset token is - * valid, hasn’t expired, or already been used. + * Reset the's password and authenticate them. This endpoint checks that the password reset token is valid, + * hasn’t expired, or already been used. * * The provided password needs to meet our password strength requirements, which can be checked in advance * with the password strength endpoint. If the token and password are accepted, the password is securely @@ -87,5 +87,22 @@ class Email { data }); } + + /** + * @param data {@link B2BPasswordsEmailDeleteRequest} + * @returns {@link B2BPasswordsEmailDeleteResponse} + * @async + * @throws A {@link StytchError} on a non-2xx response from the Stytch API + * @throws A {@link RequestError} when the Stytch API cannot be reached + */ + delete(data) { + const headers = {}; + return (0, _shared.request)(this.fetchConfig, { + method: "POST", + url: `/v1/b2b/passwords/email/delete`, + headers, + data + }); + } } exports.Email = Email; \ No newline at end of file diff --git a/dist/b2b/passwords_existing_password.js b/dist/b2b/passwords_existing_password.js index 7bf63d04..09c2112f 100644 --- a/dist/b2b/passwords_existing_password.js +++ b/dist/b2b/passwords_existing_password.js @@ -22,7 +22,7 @@ class ExistingPassword { } /** - * Reset the member’s password using their existing password. + * Reset the’s password using their existing password. * * This endpoint adapts to your Project's password strength configuration. * If you're using [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the default, your diff --git a/dist/b2b/passwords_session.js b/dist/b2b/passwords_session.js index d96207a1..dbda4535 100644 --- a/dist/b2b/passwords_session.js +++ b/dist/b2b/passwords_session.js 
@@ -22,9 +22,9 @@ class Sessions { } /** - * Reset the Member's password using their existing session. The endpoint will error if the session does - * not contain an authentication factor that has been issued within the last 5 minutes. Either - * `session_token` or `session_jwt` should be provided. + * Reset the's password using their existing session. The endpoint will error if the session does not + * contain an authentication factor that has been issued within the last 5 minutes. Either `session_token` + * or `session_jwt` should be provided. * * Note that a successful password reset via an existing session will revoke all active sessions for the * `member_id`, except for the one used during the reset flow. diff --git a/dist/b2b/recovery_codes.js b/dist/b2b/recovery_codes.js index c9135242..d7a8ec04 100644 --- a/dist/b2b/recovery_codes.js +++ b/dist/b2b/recovery_codes.js @@ -30,8 +30,8 @@ class RecoveryCodes { } /** - * Allows a Member to complete an MFA flow by consuming a recovery code. This consumes the recovery code - * and returns a session token that can be used to authenticate the Member. + * Allows a to complete an MFA flow by consuming a recovery code. This consumes the recovery code and + * returns a session token that can be used to authenticate the Member. * @param data {@link B2BRecoveryCodesRecoverRequest} * @returns {@link B2BRecoveryCodesRecoverResponse} * @async @@ -49,7 +49,7 @@ class RecoveryCodes { } /** - * Returns a Member's full set of active recovery codes. + * Returns a's full set of active recovery codes. * @param params {@link B2BRecoveryCodesGetRequest} * @returns {@link B2BRecoveryCodesGetResponse} * @async 
@@ -67,8 +67,8 @@ class RecoveryCodes { } /** - * Rotate a Member's recovery codes. This invalidates all existing recovery codes and generates a new set - * of recovery codes. + * Rotate a's recovery codes. This invalidates all existing recovery codes and generates a new set of + * recovery codes. * @param data {@link B2BRecoveryCodesRotateRequest} * @returns {@link B2BRecoveryCodesRotateResponse} * @async diff --git a/dist/b2b/sessions.js b/dist/b2b/sessions.js index 9099fc8c..367cff81 100644 --- a/dist/b2b/sessions.js +++ b/dist/b2b/sessions.js @@ -90,8 +90,8 @@ class Sessions { * for more information. * * If an `authorization_check` object is passed in, this method will also check if the Member is authorized - * to perform the given action on the given Resource in the specified Organization. A Member is authorized - * if their Member Session contains a Role, assigned + * to perform the given action on the given Resource in the specified. A is authorized if their Member + * Session contains a Role, assigned * [explicitly or implicitly](https://stytch.com/docs/b2b/guides/rbac/role-assignment), with adequate * permissions. * In addition, the `organization_id` passed in the authorization check must match the Member's @@ -141,8 +141,8 @@ class Sessions { } /** - * Use this endpoint to exchange a Member's existing session for another session in a different - * Organization. This can be used to accept an invite, but not to create a new member via domain matching. + * Use this endpoint to exchange a's existing session for another session in a different. This can be used + * to accept an invite, but not to create a new member via domain matching. * * To create a new member via domain matching, use the * [Exchange Intermediate Session](https://stytch.com/docs/b2b/api/exchange-intermediate-session) flow 
@@ -153,6 +153,8 @@ class Sessions { * Any OAuth Tokens owned by the Member will not be transferred to the new Organization. * SMS OTP factors can be used to fulfill MFA requirements for the target Organization if both the original * and target Member have the same phone number and the phone number is verified for both Members. + * HubSpot and Slack OAuth registrations will not be transferred between sessions. Instead, you will + * receive a corresponding factor with type `"oauth_exchange_slack"` or `"oauth_exchange_hubspot"` * * If the Member is required to complete MFA to log in to the Organization, the returned value of * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. @@ -184,8 +186,8 @@ class Sessions { * Migrate a session from an external OIDC compliant endpoint. Stytch will call the external UserInfo * endpoint defined in your Stytch Project settings in the [Dashboard](/dashboard), and then perform a * lookup using the `session_token`. If the response contains a valid email address, Stytch will attempt to - * match that email address with an existing Member in your Organization and create a Stytch Session. You - * will need to create the member before using this endpoint. + * match that email address with an existing in your and create a Stytch Session. You will need to create + * the member before using this endpoint. * @param data {@link B2BSessionsMigrateRequest} * @returns {@link B2BSessionsMigrateResponse} * @async diff --git a/dist/b2b/sso.js b/dist/b2b/sso.js index 48e4fd5e..5c29d3e2 100644 --- a/dist/b2b/sso.js +++ b/dist/b2b/sso.js 
@@ -87,8 +87,8 @@ class SSO { * To link this authentication event to an existing Stytch session, include either the `session_token` or * `session_jwt` param. * - * If the Member is required to complete MFA to log in to the Organization, the returned value of - * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. + * If the is required to complete MFA to log in to the, the returned value of `member_authenticated` will + * be `false`, and an `intermediate_session_token` will be returned. * The `intermediate_session_token` can be passed into the * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), * [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), diff --git a/dist/b2b/totps.js b/dist/b2b/totps.js index d32e3a77..18e74ff8 100644 --- a/dist/b2b/totps.js +++ b/dist/b2b/totps.js @@ -30,8 +30,8 @@ class TOTPs { } /** - * Create a new TOTP instance for a Member. The Member can use the authenticator application of their - * choice to scan the QR code or enter the secret. + * Create a new TOTP instance for a. The Member can use the authenticator application of their choice to + * scan the QR code or enter the secret. * * Passing an intermediate session token, session token, or session JWT is not required, but if passed must * match the Member ID passed. @@ -70,8 +70,8 @@ class TOTPs { } /** - * Migrate an existing TOTP instance for a Member. Recovery codes are not required and will be minted for - * the Member if not provided. + * Migrate an existing TOTP instance for a. Recovery codes are not required and will be minted for the + * Member if not provided. * @param data {@link B2BTOTPsMigrateRequest} * @returns {@link B2BTOTPsMigrateResponse} * @async diff --git a/dist/b2c/m2m.js b/dist/b2c/m2m.js index ec80c00a..538a0cc6 100644 --- a/dist/b2c/m2m.js +++ b/dist/b2c/m2m.js 
@@ -97,19 +97,19 @@ class M2M { // ADDIMPORT: import { performAuthorizationCheck, ScopeAuthorizationFunc } from "./m2m_local"; // ADDIMPORT: import { ClientError } from "../shared/errors"; /** - * Authenticate an access token issued by Stytch from the Token endpoint. - * M2M access tokens are JWTs signed with the project's JWKs, and can be validated locally using any Stytch client library. - * You may pass in an optional set of scopes that the JWT must contain in order to enforce permissions. - * You may also override the default scope authorization function to implement custom authorization logic. - * - * @param data {@link AuthenticateTokenRequest} - * @param scopeAuthorizationFunc {@link ScopeAuthorizationFunc} - A function that checks if the token has the required scopes. - The default function assumes scopes are either direct string matches or written in the form "action:resource". See the - documentation for {@link performAuthorizationCheck} for more information. - * @async - * @returns {@link AuthenticateTokenResponse} - * @throws {ClientError} when token can not be authenticated - */ + * Authenticate an access token issued by Stytch from the Token endpoint. + * M2M access tokens are JWTs signed with the project's JWKs, and can be validated locally using any Stytch client library. + * You may pass in an optional set of scopes that the JWT must contain in order to enforce permissions. + * You may also override the default scope authorization function to implement custom authorization logic. + * + * @param data {@link AuthenticateTokenRequest} + * @param scopeAuthorizationFunc {@link ScopeAuthorizationFunc} - A function that checks if the token has the required scopes. + The default function assumes scopes are either direct string matches or written in the form "action:resource". See the + documentation for {@link performAuthorizationCheck} for more information. 
+ * @async
+ * @returns {@link AuthenticateTokenResponse}
+ * @throws {ClientError} when token can not be authenticated
+ */
 async authenticateToken(data, scopeAuthorizationFunc = _m2m_local.performAuthorizationCheck) {
 const {
 sub,
diff --git a/lib/b2b/discovery_intermediate_sessions.ts b/lib/b2b/discovery_intermediate_sessions.ts
index ed44639a..d4de9b04 100644
--- a/lib/b2b/discovery_intermediate_sessions.ts
+++ b/lib/b2b/discovery_intermediate_sessions.ts
@@ -59,7 +59,7 @@ export interface B2BDiscoveryIntermediateSessionsExchangeRequest {
 */
 session_custom_claims?: Record; // eslint-disable-line @typescript-eslint/no-explicit-any
 /**
- * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will
+ * If the needs to complete an MFA step, and the Member has a phone number, this endpoint will
 * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be
 * used to determine which language to use when sending the passcode.
 *
@@ -121,6 +121,7 @@ export interface B2BDiscoveryIntermediateSessionsExchangeResponse {
 member_session?: MemberSession;
 // Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA.
 mfa_required?: MfaRequired;
+ // Information about the primary authentication requirements of the Organization.
 primary_required?: PrimaryRequired;
 }
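Review bot: The rewritten doc line in the -59,7 hunk, `If the needs to complete an MFA step, …`, has lost its subject; the removed line read `If the Member needs to complete an MFA step`. The same dropped-noun pattern recurs across the comment hunks of this change (`If the is required to complete MFA to log in to the,` on IntermediateSessions, `The created by this endpoint will automatically be granted …` in discovery_organizations.ts, and the matching lines in magic_links.ts, magic_links_email.ts, oauth.ts and the dist/ copies), which looks like a doc-template substitution that rendered empty rather than an intended edit. These comments state when a response is not a full authentication and which Role a new Member receives, so I would restore the nouns, e.g. `* If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will`, and rebuild dist/ from the corrected source. The interface body starts and ends outside the hunk.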
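Review bot: The comment added above `primary_required` in the -121,6 hunk does not tell a caller what a populated field means for the rest of the response. Going by the method docs added in this change for the exchange and OAuth authenticate endpoints, it accompanies `member_authenticated` being `false` and an `intermediate_session_token` that still has to be passed into a step-up flow, so the response must not be handled as a completed login. I would extend the comment, e.g. `// Present when the Member must still complete a primary authentication step-up; check member_authenticated before treating the response as a login.` The same one-line comment is added to B2BDiscoveryOrganizationsCreateResponse in discovery_organizations.ts and B2BOAuthAuthenticateResponse in oauth.ts. The interface starts outside the hunk.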
@@ -139,8 +140,8 @@ export class IntermediateSessions {
 *
 * This endpoint can be used to accept invites and create new members via domain matching.
 *
- * If the Member is required to complete MFA to log in to the Organization, the returned value of
- * `member_authenticated` will be `false`.
+ * If the is required to complete MFA to log in to the, the returned value of `member_authenticated` will
+ * be `false`.
 * The `intermediate_session_token` will not be consumed and instead will be returned in the response.
 * The `intermediate_session_token` can be passed into the
 * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the
@@ -150,6 +151,13 @@ export class IntermediateSessions {
 * or the
 * [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to join a different Organization or create a new one.
 * The `session_duration_minutes` and `session_custom_claims` parameters will be ignored.
+ *
+ * If the Member is logging in via an OAuth provider that does not fully verify the email, the returned
+ * value of `member_authenticated` will be `false`.
+ * The `intermediate_session_token` will not be consumed and instead will be returned in the response.
+ * The `primary_required` field details the authentication flow the Member must perform in order to
+ * [complete a step-up authentication](https://stytch.com/docs/b2b/guides/oauth/auth-flows) into the
+ * organization. The `intermediate_session_token` must be passed into that authentication flow.
 * @param data {@link B2BDiscoveryIntermediateSessionsExchangeRequest}
 * @returns {@link B2BDiscoveryIntermediateSessionsExchangeResponse}
 * @async
diff --git a/lib/b2b/discovery_organizations.ts b/lib/b2b/discovery_organizations.ts
index b2d69b34..56a8a74d 100644
--- a/lib/b2b/discovery_organizations.ts
+++ b/lib/b2b/discovery_organizations.ts
@@ -244,6 +244,7 @@ export interface B2BDiscoveryOrganizationsCreateResponse {
 organization?: Organization;
 // Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA.
 mfa_required?: MfaRequired;
+ // Information about the primary authentication requirements of the Organization.
 primary_required?: PrimaryRequired;
 }
@@ -318,8 +319,8 @@ export class Organizations {
 }
 /**
- * If an end user does not want to join any already-existing Organization, or has no possible Organizations
- * to join, this endpoint can be used to create a new
+ * If an end user does not want to join any already-existing, or has no possible Organizations to join,
+ * this endpoint can be used to create a new
 * [Organization](https://stytch.com/docs/b2b/api/organization-object) and
 * [Member](https://stytch.com/docs/b2b/api/member-object).
 *
@@ -327,7 +328,7 @@ export class Organizations {
 *
 * This endpoint will also create an initial Member Session for the newly created Member.
 *
- * The Member created by this endpoint will automatically be granted the `stytch_admin` Role. See the
+ * The created by this endpoint will automatically be granted the `stytch_admin` Role. See the
 * [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for more details on this Role.
 *
 * If the new Organization is created with a `mfa_policy` of `REQUIRED_FOR_ALL`, the newly created Member
diff --git a/lib/b2b/index.ts b/lib/b2b/index.ts
index ed5cc63d..3e82782a 100644
--- a/lib/b2b/index.ts
+++ b/lib/b2b/index.ts
@@ -246,6 +246,8 @@ export type {
 } from "./passwords";
 export type {
+ B2BPasswordsEmailDeleteRequest,
+ B2BPasswordsEmailDeleteResponse,
 B2BPasswordsEmailResetRequest,
 B2BPasswordsEmailResetResponse,
 B2BPasswordsEmailResetStartRequest,
@@ -264,6 +266,8 @@ export type {
 export type {
 Connection,
+ ConnectionImplicitRoleAssignment,
+ GroupImplicitRoleAssignment,
 OIDCConnection,
 SAMLConnection,
 SAMLConnectionImplicitRoleAssignment,
diff --git a/lib/b2b/magic_links.ts b/lib/b2b/magic_links.ts
index 09d55166..5da21da1 100644
--- a/lib/b2b/magic_links.ts
+++ b/lib/b2b/magic_links.ts
@@ -63,7 +63,7 @@ export interface B2BMagicLinksAuthenticateRequest {
 */
 session_custom_claims?: Record; // eslint-disable-line @typescript-eslint/no-explicit-any
 /**
- * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will
+ * If the needs to complete an MFA step, and the Member has a phone number, this endpoint will
 * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be
 * used to determine which language to use when sending the passcode.
 *
@@ -116,8 +116,6 @@ export interface B2BMagicLinksAuthenticateResponse {
 session_token: string;
 // The JSON Web Token (JWT) for a given Stytch Session.
 session_jwt: string;
- // The [Session object](https://stytch.com/docs/b2b/api/session-object).
- member_session: MemberSession;
 // The [Organization object](https://stytch.com/docs/b2b/api/organization-object).
 organization: Organization;
 /**
@@ -144,6 +142,8 @@ export interface B2BMagicLinksAuthenticateResponse {
 * 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
 */
 status_code: number;
+ // The [Session object](https://stytch.com/docs/b2b/api/session-object).
+ member_session?: MemberSession;
 // Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA.
 mfa_required?: MfaRequired;
 }
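Review bot: `member_session` changes from a required field (removed in the -116,8 hunk) to `member_session?: MemberSession` (added in the -144,6 hunk), but the comment moved with it still reads as if a Session is always returned. Callers that dereference `member_session` unconditionally will now get `undefined` in whatever case motivated the change, presumably the MFA-pending response where `member_authenticated` is `false`, while `session_token` and `session_jwt` stay typed as required `string`. I would state the condition on the field, e.g. `// The [Session object](https://stytch.com/docs/b2b/api/session-object). Absent when member_authenticated is false.` (confirm the exact condition against the API), and mention the type change in the release notes because it breaks consumers compiled with strict null checks. The interface starts and continues outside both hunks.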
@@ -160,14 +160,14 @@ export class MagicLinks { } /** - * Authenticate a Member with a Magic Link. This endpoint requires a Magic Link token that is not expired - * or previously used. If the Member’s status is `pending` or `invited`, they will be updated to `active`. + * Authenticate a with a Magic Link. This endpoint requires a Magic Link token that is not expired or + * previously used. If the Member’s status is `pending` or `invited`, they will be updated to `active`. * Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the * `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute * duration. * - * If the Member is required to complete MFA to log in to the Organization, the returned value of - * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. + * If the Member is required to complete MFA to log in to the, the returned value of `member_authenticated` + * will be `false`, and an `intermediate_session_token` will be returned. * The `intermediate_session_token` can be passed into the * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), * [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), diff --git a/lib/b2b/magic_links_email.ts b/lib/b2b/magic_links_email.ts index 23dc79f7..91b00435 100644 --- a/lib/b2b/magic_links_email.ts +++ b/lib/b2b/magic_links_email.ts 
@@ -216,9 +216,9 @@ export class Email { } /** - * Send an invite email to a new Member to join an Organization. The Member will be created with an - * `invited` status until they successfully authenticate. Sending invites to `pending` Members will update - * their status to `invited`. Sending invites to already `active` Members will return an error. + * Send an invite email to a new to join an. The Member will be created with an `invited` status until they + * successfully authenticate. Sending invites to `pending` Members will update their status to `invited`. + * Sending invites to already `active` Members will return an error. * * The magic link invite will be valid for 1 week. * @param data {@link B2BMagicLinksEmailInviteRequest} diff --git a/lib/b2b/oauth.ts b/lib/b2b/oauth.ts index efec1c06..a6c99e52 100644 --- a/lib/b2b/oauth.ts +++ b/lib/b2b/oauth.ts @@ -73,7 +73,7 @@ export interface B2BOAuthAuthenticateRequest { // A base64url encoded one time secret used to validate that the request starts and ends on the same device. pkce_code_verifier?: string; /** - * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will + * If the needs to complete an MFA step, and the Member has a phone number, this endpoint will * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be * used to determine which language to use when sending the passcode. * @@ -167,6 +167,7 @@ export interface B2BOAuthAuthenticateResponse { provider_values?: B2BOAuthProviderValues; // Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA. mfa_required?: MfaRequired; + // Information about the primary authentication requirements of the Organization. primary_required?: PrimaryRequired; } 
@@ -180,13 +181,13 @@ export class OAuth { } /** - * Authenticate a Member given a `token`. This endpoint verifies that the member completed the OAuth flow - * by verifying that the token is valid and hasn't expired. Provide the `session_duration_minutes` - * parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not - * specified, a Stytch session will be created with a 60 minute duration. + * Authenticate a given a `token`. This endpoint verifies that the member completed the flow by verifying + * that the token is valid and hasn't expired. Provide the `session_duration_minutes` parameter to set the + * lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session + * will be created with a 60 minute duration. * - * If the Member is required to complete MFA to log in to the Organization, the returned value of - * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. + * If the Member is required to complete MFA to log in to the, the returned value of `member_authenticated` + * will be `false`, and an `intermediate_session_token` will be returned. * The `intermediate_session_token` can be passed into the * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the * MFA step and acquire a full member session. 
@@ -199,6 +200,12 @@ export class OAuth { * If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an * MFA step. * + * If the Member is logging in via an OAuth provider that does not fully verify the email, the returned + * value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. + * The `primary_required` field details the authentication flow the Member must perform in order to + * [complete a step-up authentication](https://stytch.com/docs/b2b/guides/oauth/auth-flows) into the + * organization. The `intermediate_session_token` must be passed into that authentication flow. + * * We’re actively accepting requests for new OAuth providers! Please [email us](mailto:support@stytch.com) * or [post in our community](https://stytch.com/docs/b2b/resources) if you are looking for an OAuth * provider that is not currently supported. diff --git a/lib/b2b/oauth_discovery.ts b/lib/b2b/oauth_discovery.ts index 5c3302f8..63c1d372 100644 --- a/lib/b2b/oauth_discovery.ts +++ b/lib/b2b/oauth_discovery.ts @@ -79,7 +79,7 @@ export class Discovery { } /** - * Authenticates the Discovery OAuth token and exchanges it for an Intermediate Session Token. Intermediate + * Authenticates the Discovery token and exchanges it for an Intermediate Session Token. Intermediate * Session Tokens can be used for various Discovery login flows and are valid for 10 minutes. * @param data {@link B2BOAuthDiscoveryAuthenticateRequest} * @returns {@link B2BOAuthDiscoveryAuthenticateResponse} diff --git a/lib/b2b/organizations.ts b/lib/b2b/organizations.ts index 9b44cf3e..49bf3b59 100644 --- a/lib/b2b/organizations.ts +++ b/lib/b2b/organizations.ts 
@@ -1082,7 +1082,7 @@ export class Organizations { } /** - * Creates an Organization. An `organization_name` and a unique `organization_slug` are required. + * Creates an. An `organization_name` and a unique `organization_slug` are required. * * By default, `email_invites` and `sso_jit_provisioning` will be set to `ALL_ALLOWED`, and `mfa_policy` * will be set to `OPTIONAL` if no Organization authentication settings are explicitly defined in the @@ -1110,7 +1110,7 @@ export class Organizations { } /** - * Returns an Organization specified by `organization_id`. + * Returns an specified by `organization_id`. * @param params {@link B2BOrganizationsGetRequest} * @returns {@link B2BOrganizationsGetResponse} * @async @@ -1130,8 +1130,8 @@ export class Organizations { } /** - * Updates an Organization specified by `organization_id`. An Organization must always have at least one - * auth setting set to either `RESTRICTED` or `ALL_ALLOWED` in order to provision new Members. + * Updates an specified by `organization_id`. An Organization must always have at least one auth setting + * set to either `RESTRICTED` or `ALL_ALLOWED` in order to provision new Members. * * *See the [Organization authentication settings](https://stytch.com/docs/b2b/api/org-auth-settings) * resource to learn more about fields like `email_jit_provisioning`, `email_invites`, @@ -1181,8 +1181,7 @@ export class Organizations { } /** - * Deletes an Organization specified by `organization_id`. All Members of the Organization will also be - * deleted. + * Deletes an specified by `organization_id`. All Members of the Organization will also be deleted. * @param data {@link B2BOrganizationsDeleteRequest} * @param options {@link B2BOrganizationsDeleteRequestOptions} * @returns {@link B2BOrganizationsDeleteResponse} diff --git a/lib/b2b/organizations_members.ts b/lib/b2b/organizations_members.ts index d31c1357..1413f05c 100644 --- a/lib/b2b/organizations_members.ts +++ b/lib/b2b/organizations_members.ts 
@@ -631,7 +631,7 @@ export class Members { } /** - * Updates a Member specified by `organization_id` and `member_id`. + * Updates a specified by `organization_id` and `member_id`. * @param data {@link B2BOrganizationsMembersUpdateRequest} * @param options {@link B2BOrganizationsMembersUpdateRequestOptions} * @returns {@link B2BOrganizationsMembersUpdateResponse} @@ -667,7 +667,7 @@ export class Members { } /** - * Deletes a Member specified by `organization_id` and `member_id`. + * Deletes a specified by `organization_id` and `member_id`. * @param data {@link B2BOrganizationsMembersDeleteRequest} * @param options {@link B2BOrganizationsMembersDeleteRequestOptions} * @returns {@link B2BOrganizationsMembersDeleteResponse} @@ -692,8 +692,9 @@ export class Members { } /** - * Reactivates a deleted Member's status and its associated email status (if applicable) to active, - * specified by `organization_id` and `member_id`. + * Reactivates a deleted's status and its associated email status (if applicable) to active, specified by + * `organization_id` and `member_id`. This endpoint will only work for Members with at least one verified + * email where their `email_address_verified` is `true`. * @param data {@link B2BOrganizationsMembersReactivateRequest} * @param options {@link B2BOrganizationsMembersReactivateRequestOptions} * @returns {@link B2BOrganizationsMembersReactivateResponse} @@ -721,7 +722,7 @@ export class Members { } /** - * Delete a Member's MFA phone number. + * Delete a's MFA phone number. * * To change a Member's phone number, you must first call this endpoint to delete the existing phone number. * @@ -820,7 +821,7 @@ export class Members { } /** - * Delete a Member's password. + * Delete a's password. * @param data {@link B2BOrganizationsMembersDeletePasswordRequest} * @param options {@link B2BOrganizationsMembersDeletePasswordRequestOptions} * @returns {@link B2BOrganizationsMembersDeletePasswordResponse} 
@@ -871,8 +872,8 @@ export class Members { } /** - * Unlinks a retired email address from a Member specified by their `organization_id` and `member_id`. The - * email address + * Unlinks a retired email address from a specified by their `organization_id` and `member_id`. The email + * address * to be retired can be identified in the request body by either its `email_id`, its `email_address`, or * both. If using * both identifiers they must refer to the same email. @@ -920,7 +921,7 @@ export class Members { } /** - * Creates a Member. An `organization_id` and `email_address` are required. + * Creates a. An `organization_id` and `email_address` are required. * @param data {@link B2BOrganizationsMembersCreateRequest} * @param options {@link B2BOrganizationsMembersCreateRequestOptions} * @returns {@link B2BOrganizationsMembersCreateResponse} diff --git a/lib/b2b/otp_sms.ts b/lib/b2b/otp_sms.ts index 906b83e2..9ad933da 100644 --- a/lib/b2b/otp_sms.ts +++ b/lib/b2b/otp_sms.ts @@ -186,7 +186,7 @@ export class Sms { } /** - * Send a One-Time Passcode (OTP) to a Member's phone number. + * Send a One-Time Passcode (OTP) to a's phone number. * * If the Member already has a phone number, the `mfa_phone_number` field is not needed; the endpoint will * send an OTP to the number associated with the Member. 
@@ -253,8 +253,8 @@ export class Sms { * or upon successful calls to discovery authenticate methods, such as * [email magic link discovery authenticate](https://stytch.com/docs/b2b/api/authenticate-discovery-magic-link). * - * If the Organization's MFA policy is `REQUIRED_FOR_ALL`, a successful OTP authentication will change the - * Member's `mfa_enrolled` status to `true` if it is not already `true`. + * If the's MFA policy is `REQUIRED_FOR_ALL`, a successful OTP authentication will change the's + * `mfa_enrolled` status to `true` if it is not already `true`. * If the Organization's MFA policy is `OPTIONAL`, the Member's MFA enrollment can be toggled by passing in * a value for the `set_mfa_enrollment` field. * The Member's MFA enrollment can also be toggled through the diff --git a/lib/b2b/passwords.ts b/lib/b2b/passwords.ts index 4f702af3..df8fa240 100644 --- a/lib/b2b/passwords.ts +++ b/lib/b2b/passwords.ts @@ -105,7 +105,7 @@ export interface B2BPasswordsAuthenticateRequest { */ session_custom_claims?: Record; // eslint-disable-line @typescript-eslint/no-explicit-any /** - * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will + * If the needs to complete an MFA step, and the Member has a phone number, this endpoint will * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be * used to determine which language to use when sending the passcode. * @@ -185,7 +185,7 @@ export interface B2BPasswordsMigrateRequest { // The password hash. For a Scrypt or PBKDF2 hash, the hash needs to be a base64 encoded string. hash: string; /** - * The password hash used. Currently `bcrypt`, `scrypt`, `argon2i`, `argon2id`, `md_5`, `sha_1`, and + * The password hash used. Currently `bcrypt`, `scrypt`, `argon_2i`, `argon2_id`, `md_5`, `sha_1`, and * `pbkdf_2` are supported. */ hash_type: 
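Review bot: The rewritten `hash_type` comment in the `B2BPasswordsMigrateRequest` hunk spells the two Argon2 variants with different conventions, `argon_2i` and `argon2_id`, where the removed line had `argon2i` and `argon2id`. The union after `hash_type:` lies outside the hunk, so the accepted literals cannot be confirmed from here. A caller who copies a spelling from the comment may send a value the API rejects during a password migration. Please make the comment list exactly the literals in the union type, or revert this line to the previous wording if the union did not change.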
@@ -428,8 +428,8 @@ export class Passwords { * this case to ensure that the member is the legitimate owner of the email address and not a malicious * actor abusing the compromised credentials. * - * If the Member is required to complete MFA to log in to the Organization, the returned value of - * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. + * If the is required to complete MFA to log in to the, the returned value of `member_authenticated` will + * be `false`, and an `intermediate_session_token` will be returned. * The `intermediate_session_token` can be passed into the * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the * MFA step and acquire a full member session. diff --git a/lib/b2b/passwords_email.ts b/lib/b2b/passwords_email.ts index b5b24235..fda03e95 100644 --- a/lib/b2b/passwords_email.ts +++ b/lib/b2b/passwords_email.ts @@ -11,6 +11,19 @@ import { MemberSession } from "./sessions"; import { MfaRequired } from "./mfa"; import { request } from "../shared"; +export interface B2BPasswordsEmailDeleteRequest { + email_address: string; + organization_id?: string; + member_id?: string; +} + +export interface B2BPasswordsEmailDeleteResponse { + member: Member; + organization: Organization; + status_code: number; + member_id?: string; +} + // Request type for `passwords.email.reset`. export interface B2BPasswordsEmailResetRequest { // The password reset token to authenticate. 
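Review bot: `B2BPasswordsEmailDeleteRequest` and `B2BPasswordsEmailDeleteResponse` in the `passwords_email.ts` hunk are added without comments, unlike the `B2BPasswordsEmailResetRequest` interface directly below them, which has a request-type comment and per-field comments. For an operation that removes a credential, the request type should say how the target is selected: `email_address` is required, `organization_id` and `member_id` are both optional, and nothing states which must accompany the email or what happens when neither is sent. I would add a header comment in the file's existing style naming `passwords.email.delete`, plus one line per field. The response carries both `member: Member` and `member_id?: string`, so a comment on why the ID is optional would also help.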
@@ -66,7 +79,7 @@ export interface B2BPasswordsEmailResetRequest { */ session_custom_claims?: Record; // eslint-disable-line @typescript-eslint/no-explicit-any /** - * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will + * If the needs to complete an MFA step, and the Member has a phone number, this endpoint will * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be * used to determine which language to use when sending the passcode. * @@ -254,8 +267,8 @@ export class Email { } /** - * Reset the member's password and authenticate them. This endpoint checks that the password reset token is - * valid, hasn’t expired, or already been used. + * Reset the's password and authenticate them. This endpoint checks that the password reset token is valid, + * hasn’t expired, or already been used. * * The provided password needs to meet our password strength requirements, which can be checked in advance * with the password strength endpoint. If the token and password are accepted, the password is securely @@ -289,4 +302,23 @@ export class Email { data, }); } + + /** + * @param data {@link B2BPasswordsEmailDeleteRequest} + * @returns {@link B2BPasswordsEmailDeleteResponse} + * @async + * @throws A {@link StytchError} on a non-2xx response from the Stytch API + * @throws A {@link RequestError} when the Stytch API cannot be reached + */ + delete( + data: B2BPasswordsEmailDeleteRequest + ): Promise { + const headers: Record = {}; + return request(this.fetchConfig, { + method: "POST", + url: `/v1/b2b/passwords/email/delete`, + headers, + data, + }); + } } diff --git a/lib/b2b/passwords_existing_password.ts b/lib/b2b/passwords_existing_password.ts index 743b2566..8b4e37ad 100644 --- a/lib/b2b/passwords_existing_password.ts +++ b/lib/b2b/passwords_existing_password.ts 
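Review bot: The docblock on the new `delete` method in the last hunk of `passwords_email.ts` has only `@param`, `@returns` and `@throws` tags and no description, while the `reset` method above it opens with what the endpoint does. Please add a sentence stating what is deleted and how the Member is identified; from the route `/v1/b2b/passwords/email/delete` it is presumably the password tied to `email_address`, but the code does not say. Note also that the method takes no `options` argument and sends an empty `headers` object, whereas the `Members` delete-password method in this diff documents a `B2BOrganizationsMembersDeletePasswordRequestOptions` parameter. If this endpoint is subject to the same authorization checks, the method should accept the equivalent options; if not, the docblock should say why.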
@@ -56,7 +56,7 @@ export interface B2BPasswordsExistingPasswordResetRequest { */ session_custom_claims?: Record; // eslint-disable-line @typescript-eslint/no-explicit-any /** - * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will + * If the needs to complete an MFA step, and the Member has a phone number, this endpoint will * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be * used to determine which language to use when sending the passcode. * @@ -125,7 +125,7 @@ export class ExistingPassword { } /** - * Reset the member’s password using their existing password. + * Reset the’s password using their existing password. * * This endpoint adapts to your Project's password strength configuration. * If you're using [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the default, your diff --git a/lib/b2b/passwords_session.ts b/lib/b2b/passwords_session.ts index f3453b1f..6f1813fb 100644 --- a/lib/b2b/passwords_session.ts +++ b/lib/b2b/passwords_session.ts @@ -122,9 +122,9 @@ export class Sessions { } /** - * Reset the Member's password using their existing session. The endpoint will error if the session does - * not contain an authentication factor that has been issued within the last 5 minutes. Either - * `session_token` or `session_jwt` should be provided. + * Reset the's password using their existing session. The endpoint will error if the session does not + * contain an authentication factor that has been issued within the last 5 minutes. Either `session_token` + * or `session_jwt` should be provided. * * Note that a successful password reset via an existing session will revoke all active sessions for the * `member_id`, except for the one used during the reset flow. diff --git a/lib/b2b/recovery_codes.ts b/lib/b2b/recovery_codes.ts index c4476b57..6e33b594 100644 --- a/lib/b2b/recovery_codes.ts +++ b/lib/b2b/recovery_codes.ts 
@@ -181,8 +181,8 @@ export class RecoveryCodes { } /** - * Allows a Member to complete an MFA flow by consuming a recovery code. This consumes the recovery code - * and returns a session token that can be used to authenticate the Member. + * Allows a to complete an MFA flow by consuming a recovery code. This consumes the recovery code and + * returns a session token that can be used to authenticate the Member. * @param data {@link B2BRecoveryCodesRecoverRequest} * @returns {@link B2BRecoveryCodesRecoverResponse} * @async @@ -202,7 +202,7 @@ export class RecoveryCodes { } /** - * Returns a Member's full set of active recovery codes. + * Returns a's full set of active recovery codes. * @param params {@link B2BRecoveryCodesGetRequest} * @returns {@link B2BRecoveryCodesGetResponse} * @async @@ -222,8 +222,8 @@ export class RecoveryCodes { } /** - * Rotate a Member's recovery codes. This invalidates all existing recovery codes and generates a new set - * of recovery codes. + * Rotate a's recovery codes. This invalidates all existing recovery codes and generates a new set of + * recovery codes. * @param data {@link B2BRecoveryCodesRotateRequest} * @returns {@link B2BRecoveryCodesRotateResponse} * @async diff --git a/lib/b2b/sessions.ts b/lib/b2b/sessions.ts index 6baf5924..d3224422 100644 --- a/lib/b2b/sessions.ts +++ b/lib/b2b/sessions.ts 
@@ -98,11 +98,10 @@ export interface MemberSession { export interface PrimaryRequired { /** - * If non-empty, indicates that the Organization restricts the authentication methods it allows for login - * (such as `sso` or `password`), and the end user must complete one of those authentication methods to log - * in. If empty, indicates that the Organization does not restrict the authentication method it allows for - * login, but the end user does not have any transferrable primary factors. Only email magic link and OAuth - * factors can be transferred between Organizations. + * Details the auth method that the member must also complete to fulfill the primary authentication + * requirements of the Organization. For example, a value of `[magic_link]` indicates that the Member must + * also complete a magic link authentication step. If you have an intermediate session token, you must pass + * it into that primary authentication step. */ allowed_auth_methods: string[]; } @@ -232,7 +231,7 @@ export interface B2BSessionsExchangeRequest { */ session_custom_claims?: Record; // eslint-disable-line @typescript-eslint/no-explicit-any /** - * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will + * If the needs to complete an MFA step, and the Member has a phone number, this endpoint will * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be * used to determine which language to use when sending the passcode. * 
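Review bot: The new comment on `allowed_auth_methods` in `PrimaryRequired` drops the explanation of the empty-array case that the removed text carried (`If empty, indicates that the Organization does not restrict the authentication method it allows for login`). Callers branch on this field to choose the step-up flow, so the comment should state whether an empty array can still be returned and what it means, rather than leaving them to treat it as "nothing further required". The example value is written `[magic_link]`; since the field is `string[]`, `["magic_link"]` would be unambiguous. It would also help to say whether several entries mean any one of them or all of them, which the removed text stated as `one of those authentication methods`.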
@@ -541,8 +540,8 @@ export class Sessions { * for more information. * * If an `authorization_check` object is passed in, this method will also check if the Member is authorized - * to perform the given action on the given Resource in the specified Organization. A Member is authorized - * if their Member Session contains a Role, assigned + * to perform the given action on the given Resource in the specified. A is authorized if their Member + * Session contains a Role, assigned * [explicitly or implicitly](https://stytch.com/docs/b2b/guides/rbac/role-assignment), with adequate * permissions. * In addition, the `organization_id` passed in the authorization check must match the Member's @@ -597,8 +596,8 @@ export class Sessions { } /** - * Use this endpoint to exchange a Member's existing session for another session in a different - * Organization. This can be used to accept an invite, but not to create a new member via domain matching. + * Use this endpoint to exchange a's existing session for another session in a different. This can be used + * to accept an invite, but not to create a new member via domain matching. * * To create a new member via domain matching, use the * [Exchange Intermediate Session](https://stytch.com/docs/b2b/api/exchange-intermediate-session) flow 
@@ -609,6 +608,8 @@ export class Sessions { * Any OAuth Tokens owned by the Member will not be transferred to the new Organization. * SMS OTP factors can be used to fulfill MFA requirements for the target Organization if both the original * and target Member have the same phone number and the phone number is verified for both Members. + * HubSpot and Slack OAuth registrations will not be transferred between sessions. Instead, you will + * receive a corresponding factor with type `"oauth_exchange_slack"` or `"oauth_exchange_hubspot"` * * If the Member is required to complete MFA to log in to the Organization, the returned value of * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. @@ -642,8 +643,8 @@ export class Sessions { * Migrate a session from an external OIDC compliant endpoint. Stytch will call the external UserInfo * endpoint defined in your Stytch Project settings in the [Dashboard](/dashboard), and then perform a * lookup using the `session_token`. If the response contains a valid email address, Stytch will attempt to - * match that email address with an existing Member in your Organization and create a Stytch Session. You - * will need to create the member before using this endpoint. + * match that email address with an existing in your and create a Stytch Session. You will need to create + * the member before using this endpoint. * @param data {@link B2BSessionsMigrateRequest} * @returns {@link B2BSessionsMigrateResponse} * @async diff --git a/lib/b2b/sso.ts b/lib/b2b/sso.ts index d9056786..57a94844 100644 --- a/lib/b2b/sso.ts +++ b/lib/b2b/sso.ts 
@@ -41,6 +41,17 @@ export interface Connection { external_connection_id: string; display_name: string; status: string; + external_connection_implicit_role_assignments: ConnectionImplicitRoleAssignment[]; + external_group_implicit_role_assignments: GroupImplicitRoleAssignment[]; +} + +export interface ConnectionImplicitRoleAssignment { + role_id: string; +} + +export interface GroupImplicitRoleAssignment { + role_id: string; + group: string; } export interface OIDCConnection { @@ -159,7 +170,7 @@ export interface B2BSSOAuthenticateRequest { */ session_custom_claims?: Record; // eslint-disable-line @typescript-eslint/no-explicit-any /** - * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will + * If the needs to complete an MFA step, and the Member has a phone number, this endpoint will * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be * used to determine which language to use when sending the passcode. * @@ -368,8 +379,8 @@ export class SSO { * To link this authentication event to an existing Stytch session, include either the `session_token` or * `session_jwt` param. * - * If the Member is required to complete MFA to log in to the Organization, the returned value of - * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. + * If the is required to complete MFA to log in to the, the returned value of `member_authenticated` will + * be `false`, and an `intermediate_session_token` will be returned. * The `intermediate_session_token` can be passed into the * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), * [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), diff --git a/lib/b2b/totps.ts b/lib/b2b/totps.ts index 95f35b51..d48223e1 100644 --- a/lib/b2b/totps.ts +++ b/lib/b2b/totps.ts 
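Review bot: The first hunk adds `external_connection_implicit_role_assignments` and `external_group_implicit_role_assignments` to `Connection`, together with the `ConnectionImplicitRoleAssignment` and `GroupImplicitRoleAssignment` interfaces, all without comments. Judging by the names these describe Roles granted automatically to Members who authenticate through the connection or belong to an external group, which is authorization-relevant and should not be left to inference. I would document each field, e.g. `// Roles granted to every Member who authenticates via this connection.` and `// Name of the external group whose members receive role_id.`, adjusted to the real semantics. Both new properties are required on an exported interface, so code that builds `Connection` values (fixtures, mocks) stops compiling on this minor release; that belongs in the changelog.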
@@ -233,8 +233,8 @@ export class TOTPs { } /** - * Create a new TOTP instance for a Member. The Member can use the authenticator application of their - * choice to scan the QR code or enter the secret. + * Create a new TOTP instance for a. The Member can use the authenticator application of their choice to + * scan the QR code or enter the secret. * * Passing an intermediate session token, session token, or session JWT is not required, but if passed must * match the Member ID passed. @@ -275,8 +275,8 @@ export class TOTPs { } /** - * Migrate an existing TOTP instance for a Member. Recovery codes are not required and will be minted for - * the Member if not provided. + * Migrate an existing TOTP instance for a. Recovery codes are not required and will be minted for the + * Member if not provided. * @param data {@link B2BTOTPsMigrateRequest} * @returns {@link B2BTOTPsMigrateResponse} * @async diff --git a/lib/b2c/m2m.ts b/lib/b2c/m2m.ts index 232ed5b2..62be267d 100644 --- a/lib/b2c/m2m.ts +++ b/lib/b2c/m2m.ts 
@@ -241,19 +241,19 @@ export class M2M { // ADDIMPORT: import { performAuthorizationCheck, ScopeAuthorizationFunc } from "./m2m_local"; // ADDIMPORT: import { ClientError } from "../shared/errors"; /** - * Authenticate an access token issued by Stytch from the Token endpoint. - * M2M access tokens are JWTs signed with the project's JWKs, and can be validated locally using any Stytch client library. - * You may pass in an optional set of scopes that the JWT must contain in order to enforce permissions. - * You may also override the default scope authorization function to implement custom authorization logic. - * - * @param data {@link AuthenticateTokenRequest} - * @param scopeAuthorizationFunc {@link ScopeAuthorizationFunc} - A function that checks if the token has the required scopes. - The default function assumes scopes are either direct string matches or written in the form "action:resource". See the - documentation for {@link performAuthorizationCheck} for more information. - * @async - * @returns {@link AuthenticateTokenResponse} - * @throws {ClientError} when token can not be authenticated - */ + * Authenticate an access token issued by Stytch from the Token endpoint. + * M2M access tokens are JWTs signed with the project's JWKs, and can be validated locally using any Stytch client library. + * You may pass in an optional set of scopes that the JWT must contain in order to enforce permissions. + * You may also override the default scope authorization function to implement custom authorization logic. + * + * @param data {@link AuthenticateTokenRequest} + * @param scopeAuthorizationFunc {@link ScopeAuthorizationFunc} - A function that checks if the token has the required scopes. + The default function assumes scopes are either direct string matches or written in the form "action:resource". See the + documentation for {@link performAuthorizationCheck} for more information. 
+ * @async + * @returns {@link AuthenticateTokenResponse} + * @throws {ClientError} when token can not be authenticated + */ async authenticateToken( data: AuthenticateTokenRequest, scopeAuthorizationFunc: ScopeAuthorizationFunc = performAuthorizationCheck diff --git a/package-lock.json b/package-lock.json index 55576979..72511e0a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "stytch", - "version": "11.4.2", + "version": "11.5.0", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "stytch", - "version": "11.4.2", + "version": "11.5.0", "license": "MIT", "dependencies": { "jose": "^5.6.3", diff --git a/package.json b/package.json index e7a140a9..a64c29af 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "stytch", - "version": "11.4.2", + "version": "11.5.0", "description": "A wrapper for the Stytch API", "types": "./types/lib/index.d.ts", "main": "./dist/index.js", diff --git a/types/lib/b2b/discovery_intermediate_sessions.d.ts b/types/lib/b2b/discovery_intermediate_sessions.d.ts index c8263827..3e6a545e 100644 --- a/types/lib/b2b/discovery_intermediate_sessions.d.ts +++ b/types/lib/b2b/discovery_intermediate_sessions.d.ts @@ -49,7 +49,7 @@ export interface B2BDiscoveryIntermediateSessionsExchangeRequest { */ session_custom_claims?: Record; /** - * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will + * If the needs to complete an MFA step, and the Member has a phone number, this endpoint will * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be * used to determine which language to use when sending the passcode. * 
@@ -115,8 +115,8 @@ export declare class IntermediateSessions { * * This endpoint can be used to accept invites and create new members via domain matching. * - * If the Member is required to complete MFA to log in to the Organization, the returned value of - * `member_authenticated` will be `false`. + * If the is required to complete MFA to log in to the, the returned value of `member_authenticated` will + * be `false`. * The `intermediate_session_token` will not be consumed and instead will be returned in the response. * The `intermediate_session_token` can be passed into the * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the @@ -126,6 +126,13 @@ export declare class IntermediateSessions { * or the * [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to join a different Organization or create a new one. * The `session_duration_minutes` and `session_custom_claims` parameters will be ignored. + * + * If the Member is logging in via an OAuth provider that does not fully verify the email, the returned + * value of `member_authenticated` will be `false`. + * The `intermediate_session_token` will not be consumed and instead will be returned in the response. + * The `primary_required` field details the authentication flow the Member must perform in order to + * [complete a step-up authentication](https://stytch.com/docs/b2b/guides/oauth/auth-flows) into the + * organization. The `intermediate_session_token` must be passed into that authentication flow. * @param data {@link B2BDiscoveryIntermediateSessionsExchangeRequest} * @returns {@link B2BDiscoveryIntermediateSessionsExchangeResponse} * @async diff --git a/types/lib/b2b/discovery_organizations.d.ts b/types/lib/b2b/discovery_organizations.d.ts index 3eec6592..eb851622 100644 --- a/types/lib/b2b/discovery_organizations.d.ts +++ b/types/lib/b2b/discovery_organizations.d.ts 
@@ -281,8 +281,8 @@ export declare class Organizations { private fetchConfig; constructor(fetchConfig: fetchConfig); /** - * If an end user does not want to join any already-existing Organization, or has no possible Organizations - * to join, this endpoint can be used to create a new + * If an end user does not want to join any already-existing, or has no possible Organizations to join, + * this endpoint can be used to create a new * [Organization](https://stytch.com/docs/b2b/api/organization-object) and * [Member](https://stytch.com/docs/b2b/api/member-object). * @@ -290,7 +290,7 @@ export declare class Organizations { * * This endpoint will also create an initial Member Session for the newly created Member. * - * The Member created by this endpoint will automatically be granted the `stytch_admin` Role. See the + * The created by this endpoint will automatically be granted the `stytch_admin` Role. See the * [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for more details on this Role. * * If the new Organization is created with a `mfa_policy` of `REQUIRED_FOR_ALL`, the newly created Member diff --git a/types/lib/b2b/index.d.ts b/types/lib/b2b/index.d.ts index 745f7573..8211946a 100644 --- a/types/lib/b2b/index.d.ts +++ b/types/lib/b2b/index.d.ts 
@@ -23,9 +23,9 @@ export type { B2BOAuthProviderValues, B2BOAuthAuthenticateRequest, B2BOAuthAuthe export type { B2BOAuthDiscoveryAuthenticateRequest, B2BOAuthDiscoveryAuthenticateResponse, } from "./oauth_discovery"; export type { B2BOTPSmsAuthenticateRequest, B2BOTPSmsAuthenticateResponse, B2BOTPSmsSendRequest, B2BOTPSmsSendResponse, } from "./otp_sms"; export type { LudsFeedback, ZxcvbnFeedback, B2BPasswordsAuthenticateRequest, B2BPasswordsAuthenticateResponse, B2BPasswordsMigrateRequest, B2BPasswordsMigrateResponse, B2BPasswordsStrengthCheckRequest, B2BPasswordsStrengthCheckResponse, } from "./passwords"; -export type { B2BPasswordsEmailResetRequest, B2BPasswordsEmailResetResponse, B2BPasswordsEmailResetStartRequest, B2BPasswordsEmailResetStartResponse, } from "./passwords_email"; +export type { B2BPasswordsEmailDeleteRequest, B2BPasswordsEmailDeleteResponse, B2BPasswordsEmailResetRequest, B2BPasswordsEmailResetResponse, B2BPasswordsEmailResetStartRequest, B2BPasswordsEmailResetStartResponse, } from "./passwords_email"; export type { B2BPasswordsSessionResetRequest, B2BPasswordsSessionResetResponse, } from "./passwords_session"; export type { B2BPasswordsExistingPasswordResetRequest, B2BPasswordsExistingPasswordResetResponse, } from "./passwords_existing_password"; -export type { Connection, OIDCConnection, SAMLConnection, SAMLConnectionImplicitRoleAssignment, SAMLGroupImplicitRoleAssignment, X509Certificate, B2BSSOAuthenticateRequest, B2BSSOAuthenticateResponse, B2BSSODeleteConnectionRequest, B2BSSODeleteConnectionResponse, B2BSSOGetConnectionsRequest, B2BSSOGetConnectionsResponse, B2BSSOGetConnectionsRequestOptions, B2BSSODeleteConnectionRequestOptions, } from "./sso"; +export type { Connection, ConnectionImplicitRoleAssignment, GroupImplicitRoleAssignment, OIDCConnection, SAMLConnection, SAMLConnectionImplicitRoleAssignment, SAMLGroupImplicitRoleAssignment, X509Certificate, B2BSSOAuthenticateRequest, B2BSSOAuthenticateResponse, B2BSSODeleteConnectionRequest, 
B2BSSODeleteConnectionResponse, B2BSSOGetConnectionsRequest, B2BSSOGetConnectionsResponse, B2BSSOGetConnectionsRequestOptions, B2BSSODeleteConnectionRequestOptions, } from "./sso"; export type { B2BSSOOIDCCreateConnectionRequest, B2BSSOOIDCCreateConnectionResponse, B2BSSOOIDCUpdateConnectionRequest, B2BSSOOIDCUpdateConnectionResponse, B2BSSOOIDCCreateConnectionRequestOptions, B2BSSOOIDCUpdateConnectionRequestOptions, } from "./sso_oidc"; export type { B2BSSOSAMLCreateConnectionRequest, B2BSSOSAMLCreateConnectionResponse, B2BSSOSAMLDeleteVerificationCertificateRequest, B2BSSOSAMLDeleteVerificationCertificateResponse, B2BSSOSAMLUpdateByURLRequest, B2BSSOSAMLUpdateByURLResponse, B2BSSOSAMLUpdateConnectionRequest, B2BSSOSAMLUpdateConnectionResponse, B2BSSOSAMLCreateConnectionRequestOptions, B2BSSOSAMLUpdateConnectionRequestOptions, B2BSSOSAMLUpdateByURLRequestOptions, B2BSSOSAMLDeleteVerificationCertificateRequestOptions, } from "./sso_saml"; diff --git a/types/lib/b2b/magic_links.d.ts b/types/lib/b2b/magic_links.d.ts index c638b87a..7cfc3916 100644 --- a/types/lib/b2b/magic_links.d.ts +++ b/types/lib/b2b/magic_links.d.ts @@ -51,7 +51,7 @@ export interface B2BMagicLinksAuthenticateRequest { */ session_custom_claims?: Record; /** - * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will + * If the needs to complete an MFA step, and the Member has a phone number, this endpoint will * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be * used to determine which language to use when sending the passcode. * @@ -97,7 +97,6 @@ export interface B2BMagicLinksAuthenticateResponse { member: Member; session_token: string; session_jwt: string; - member_session: MemberSession; organization: Organization; /** * The returned Intermediate Session Token contains an Email Magic Link factor associated with the Member's 
@@ -123,6 +122,7 @@ export interface B2BMagicLinksAuthenticateResponse { * 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors. */ status_code: number; + member_session?: MemberSession; mfa_required?: MfaRequired; } export declare class MagicLinks { @@ -131,14 +131,14 @@ export declare class MagicLinks { discovery: Discovery; constructor(fetchConfig: fetchConfig); /** - * Authenticate a Member with a Magic Link. This endpoint requires a Magic Link token that is not expired - * or previously used. If the Member’s status is `pending` or `invited`, they will be updated to `active`. + * Authenticate a with a Magic Link. This endpoint requires a Magic Link token that is not expired or + * previously used. If the Member’s status is `pending` or `invited`, they will be updated to `active`. * Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the * `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute * duration. * - * If the Member is required to complete MFA to log in to the Organization, the returned value of - * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. + * If the Member is required to complete MFA to log in to the, the returned value of `member_authenticated` + * will be `false`, and an `intermediate_session_token` will be returned. * The `intermediate_session_token` can be passed into the * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), * [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), diff --git a/types/lib/b2b/magic_links_email.d.ts b/types/lib/b2b/magic_links_email.d.ts index c6ea6301..f036244a 100644 --- a/types/lib/b2b/magic_links_email.d.ts +++ b/types/lib/b2b/magic_links_email.d.ts 
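Review bot: `member_session` on `B2BMagicLinksAuthenticateResponse` changes from required to optional with no doc comment saying when it is absent, so callers that read `response.member_session` unconditionally will now get `undefined` on some responses. Going by the method comment further down this file, that is presumably the case where `member_authenticated` is `false` and only an `intermediate_session_token` is issued; that should be confirmed and stated on the field, e.g. `/** Present only when member_authenticated is true; check that flag before treating the response as a full session. */`. `session_token` and `session_jwt` stay required strings in the same interface, so a caller cannot use their presence to detect the partial case, which is worth documenting too. The interface begins outside this hunk.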
@@ -169,9 +169,9 @@ export declare class Email { */ loginOrSignup(data: B2BMagicLinksEmailLoginOrSignupRequest): Promise; /** - * Send an invite email to a new Member to join an Organization. The Member will be created with an - * `invited` status until they successfully authenticate. Sending invites to `pending` Members will update - * their status to `invited`. Sending invites to already `active` Members will return an error. + * Send an invite email to a new to join an. The Member will be created with an `invited` status until they + * successfully authenticate. Sending invites to `pending` Members will update their status to `invited`. + * Sending invites to already `active` Members will return an error. * * The magic link invite will be valid for 1 week. * @param data {@link B2BMagicLinksEmailInviteRequest} diff --git a/types/lib/b2b/oauth.d.ts b/types/lib/b2b/oauth.d.ts index d7558f6b..0edd0cc7 100644 --- a/types/lib/b2b/oauth.d.ts +++ b/types/lib/b2b/oauth.d.ts @@ -57,7 +57,7 @@ export interface B2BOAuthAuthenticateRequest { session_custom_claims?: Record; pkce_code_verifier?: string; /** - * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will + * If the needs to complete an MFA step, and the Member has a phone number, this endpoint will * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be * used to determine which language to use when sending the passcode. * 
@@ -149,13 +149,13 @@ export declare class OAuth { discovery: Discovery; constructor(fetchConfig: fetchConfig); /** - * Authenticate a Member given a `token`. This endpoint verifies that the member completed the OAuth flow - * by verifying that the token is valid and hasn't expired. Provide the `session_duration_minutes` - * parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not - * specified, a Stytch session will be created with a 60 minute duration. + * Authenticate a given a `token`. This endpoint verifies that the member completed the flow by verifying + * that the token is valid and hasn't expired. Provide the `session_duration_minutes` parameter to set the + * lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session + * will be created with a 60 minute duration. * - * If the Member is required to complete MFA to log in to the Organization, the returned value of - * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. + * If the Member is required to complete MFA to log in to the, the returned value of `member_authenticated` + * will be `false`, and an `intermediate_session_token` will be returned. * The `intermediate_session_token` can be passed into the * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the * MFA step and acquire a full member session. 
@@ -168,6 +168,12 @@ export declare class OAuth { * If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an * MFA step. * + * If the Member is logging in via an OAuth provider that does not fully verify the email, the returned + * value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. + * The `primary_required` field details the authentication flow the Member must perform in order to + * [complete a step-up authentication](https://stytch.com/docs/b2b/guides/oauth/auth-flows) into the + * organization. The `intermediate_session_token` must be passed into that authentication flow. + * * We’re actively accepting requests for new OAuth providers! Please [email us](mailto:support@stytch.com) * or [post in our community](https://stytch.com/docs/b2b/resources) if you are looking for an OAuth * provider that is not currently supported. diff --git a/types/lib/b2b/oauth_discovery.d.ts b/types/lib/b2b/oauth_discovery.d.ts index 7f3783eb..39c7b21a 100644 --- a/types/lib/b2b/oauth_discovery.d.ts +++ b/types/lib/b2b/oauth_discovery.d.ts @@ -59,7 +59,7 @@ export declare class Discovery { private fetchConfig; constructor(fetchConfig: fetchConfig); /** - * Authenticates the Discovery OAuth token and exchanges it for an Intermediate Session Token. Intermediate + * Authenticates the Discovery token and exchanges it for an Intermediate Session Token. Intermediate * Session Tokens can be used for various Discovery login flows and are valid for 10 minutes. * @param data {@link B2BOAuthDiscoveryAuthenticateRequest} * @returns {@link B2BOAuthDiscoveryAuthenticateResponse} diff --git a/types/lib/b2b/organizations.d.ts b/types/lib/b2b/organizations.d.ts index c79eeda4..33cad903 100644 --- a/types/lib/b2b/organizations.d.ts +++ b/types/lib/b2b/organizations.d.ts 
@@ -967,7 +967,7 @@ export declare class Organizations { members: Members; constructor(fetchConfig: fetchConfig); /** - * Creates an Organization. An `organization_name` and a unique `organization_slug` are required. + * Creates an. An `organization_name` and a unique `organization_slug` are required. * * By default, `email_invites` and `sso_jit_provisioning` will be set to `ALL_ALLOWED`, and `mfa_policy` * will be set to `OPTIONAL` if no Organization authentication settings are explicitly defined in the @@ -984,7 +984,7 @@ export declare class Organizations { */ create(data: B2BOrganizationsCreateRequest): Promise; /** - * Returns an Organization specified by `organization_id`. + * Returns an specified by `organization_id`. * @param params {@link B2BOrganizationsGetRequest} * @returns {@link B2BOrganizationsGetResponse} * @async @@ -993,8 +993,8 @@ export declare class Organizations { */ get(params: B2BOrganizationsGetRequest): Promise; /** - * Updates an Organization specified by `organization_id`. An Organization must always have at least one - * auth setting set to either `RESTRICTED` or `ALL_ALLOWED` in order to provision new Members. + * Updates an specified by `organization_id`. An Organization must always have at least one auth setting + * set to either `RESTRICTED` or `ALL_ALLOWED` in order to provision new Members. * * *See the [Organization authentication settings](https://stytch.com/docs/b2b/api/org-auth-settings) * resource to learn more about fields like `email_jit_provisioning`, `email_invites`, 
@@ -1008,8 +1008,7 @@ export declare class Organizations { */ update(data: B2BOrganizationsUpdateRequest, options?: B2BOrganizationsUpdateRequestOptions): Promise; /** - * Deletes an Organization specified by `organization_id`. All Members of the Organization will also be - * deleted. + * Deletes an specified by `organization_id`. All Members of the Organization will also be deleted. * @param data {@link B2BOrganizationsDeleteRequest} * @param options {@link B2BOrganizationsDeleteRequestOptions} * @returns {@link B2BOrganizationsDeleteResponse} diff --git a/types/lib/b2b/organizations_members.d.ts b/types/lib/b2b/organizations_members.d.ts index e34bb74e..5bf4e36d 100644 --- a/types/lib/b2b/organizations_members.d.ts +++ b/types/lib/b2b/organizations_members.d.ts @@ -524,7 +524,7 @@ export declare class Members { oauthProviders: OAuthProviders; constructor(fetchConfig: fetchConfig); /** - * Updates a Member specified by `organization_id` and `member_id`. + * Updates a specified by `organization_id` and `member_id`. * @param data {@link B2BOrganizationsMembersUpdateRequest} * @param options {@link B2BOrganizationsMembersUpdateRequestOptions} * @returns {@link B2BOrganizationsMembersUpdateResponse} @@ -534,7 +534,7 @@ export declare class Members { */ update(data: B2BOrganizationsMembersUpdateRequest, options?: B2BOrganizationsMembersUpdateRequestOptions): Promise; /** - * Deletes a Member specified by `organization_id` and `member_id`. + * Deletes a specified by `organization_id` and `member_id`. * @param data {@link B2BOrganizationsMembersDeleteRequest} * @param options {@link B2BOrganizationsMembersDeleteRequestOptions} * @returns {@link B2BOrganizationsMembersDeleteResponse} 
@@ -544,8 +544,9 @@ export declare class Members { */ delete(data: B2BOrganizationsMembersDeleteRequest, options?: B2BOrganizationsMembersDeleteRequestOptions): Promise; /** - * Reactivates a deleted Member's status and its associated email status (if applicable) to active, - * specified by `organization_id` and `member_id`. + * Reactivates a deleted's status and its associated email status (if applicable) to active, specified by + * `organization_id` and `member_id`. This endpoint will only work for Members with at least one verified + * email where their `email_address_verified` is `true`. * @param data {@link B2BOrganizationsMembersReactivateRequest} * @param options {@link B2BOrganizationsMembersReactivateRequestOptions} * @returns {@link B2BOrganizationsMembersReactivateResponse} @@ -555,7 +556,7 @@ export declare class Members { */ reactivate(data: B2BOrganizationsMembersReactivateRequest, options?: B2BOrganizationsMembersReactivateRequestOptions): Promise; /** - * Delete a Member's MFA phone number. + * Delete a's MFA phone number. * * To change a Member's phone number, you must first call this endpoint to delete the existing phone number. * @@ -603,7 +604,7 @@ export declare class Members { */ search(data: B2BOrganizationsMembersSearchRequest, options?: B2BOrganizationsMembersSearchRequestOptions): Promise; /** - * Delete a Member's password. + * Delete a's password. * @param data {@link B2BOrganizationsMembersDeletePasswordRequest} * @param options {@link B2BOrganizationsMembersDeletePasswordRequestOptions} * @returns {@link B2BOrganizationsMembersDeletePasswordResponse} 
@@ -625,8 +626,8 @@ export declare class Members { */ dangerouslyGet(params: B2BOrganizationsMembersDangerouslyGetRequest): Promise; /** - * Unlinks a retired email address from a Member specified by their `organization_id` and `member_id`. The - * email address + * Unlinks a retired email address from a specified by their `organization_id` and `member_id`. The email + * address * to be retired can be identified in the request body by either its `email_id`, its `email_address`, or * both. If using * both identifiers they must refer to the same email. @@ -653,7 +654,7 @@ export declare class Members { */ unlinkRetiredEmail(data: B2BOrganizationsMembersUnlinkRetiredEmailRequest, options?: B2BOrganizationsMembersUnlinkRetiredEmailRequestOptions): Promise; /** - * Creates a Member. An `organization_id` and `email_address` are required. + * Creates a. An `organization_id` and `email_address` are required. * @param data {@link B2BOrganizationsMembersCreateRequest} * @param options {@link B2BOrganizationsMembersCreateRequestOptions} * @returns {@link B2BOrganizationsMembersCreateResponse} diff --git a/types/lib/b2b/otp_sms.d.ts b/types/lib/b2b/otp_sms.d.ts index 045cc9cf..b452b23b 100644 --- a/types/lib/b2b/otp_sms.d.ts +++ b/types/lib/b2b/otp_sms.d.ts @@ -151,7 +151,7 @@ export declare class Sms { private fetchConfig; constructor(fetchConfig: fetchConfig); /** - * Send a One-Time Passcode (OTP) to a Member's phone number. + * Send a One-Time Passcode (OTP) to a's phone number. * * If the Member already has a phone number, the `mfa_phone_number` field is not needed; the endpoint will * send an OTP to the number associated with the Member. 
@@ -209,8 +209,8 @@ export declare class Sms { * or upon successful calls to discovery authenticate methods, such as * [email magic link discovery authenticate](https://stytch.com/docs/b2b/api/authenticate-discovery-magic-link). * - * If the Organization's MFA policy is `REQUIRED_FOR_ALL`, a successful OTP authentication will change the - * Member's `mfa_enrolled` status to `true` if it is not already `true`. + * If the's MFA policy is `REQUIRED_FOR_ALL`, a successful OTP authentication will change the's + * `mfa_enrolled` status to `true` if it is not already `true`. * If the Organization's MFA policy is `OPTIONAL`, the Member's MFA enrollment can be toggled by passing in * a value for the `set_mfa_enrollment` field. * The Member's MFA enrollment can also be toggled through the diff --git a/types/lib/b2b/passwords.d.ts b/types/lib/b2b/passwords.d.ts index 2cd9e754..fe518b8d 100644 --- a/types/lib/b2b/passwords.d.ts +++ b/types/lib/b2b/passwords.d.ts @@ -81,7 +81,7 @@ export interface B2BPasswordsAuthenticateRequest { */ session_custom_claims?: Record; /** - * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will + * If the needs to complete an MFA step, and the Member has a phone number, this endpoint will * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be * used to determine which language to use when sending the passcode. * @@ -148,7 +148,7 @@ export interface B2BPasswordsMigrateRequest { email_address: string; hash: string; /** - * The password hash used. Currently `bcrypt`, `scrypt`, `argon2i`, `argon2id`, `md_5`, `sha_1`, and + * The password hash used. Currently `bcrypt`, `scrypt`, `argon_2i`, `argon2_id`, `md_5`, `sha_1`, and * `pbkdf_2` are supported. */ hash_type: "bcrypt" | "md_5" | "argon_2i" | "argon_2id" | "sha_1" | "scrypt" | "phpass" | "pbkdf_2" | string; 
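Review bot: The rewritten `hash_type` comment in `B2BPasswordsMigrateRequest` names `argon2_id`, but the union on the following line accepts `"argon_2id"`. Because that union ends in `| string`, a caller who copies the documented spelling still compiles, and the mismatch only shows up when the migrate call is rejected or the hash is misread. The comment should read `` * The password hash used. Currently `bcrypt`, `scrypt`, `argon_2i`, `argon_2id`, `md_5`, `sha_1`, and ``. It also leaves out `phpass`, which the type lists. The interface continues outside this hunk.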
@@ -335,8 +335,8 @@ export declare class Passwords { * this case to ensure that the member is the legitimate owner of the email address and not a malicious * actor abusing the compromised credentials. * - * If the Member is required to complete MFA to log in to the Organization, the returned value of - * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. + * If the is required to complete MFA to log in to the, the returned value of `member_authenticated` will + * be `false`, and an `intermediate_session_token` will be returned. * The `intermediate_session_token` can be passed into the * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the * MFA step and acquire a full member session. diff --git a/types/lib/b2b/passwords_email.d.ts b/types/lib/b2b/passwords_email.d.ts index 39194656..efb46094 100644 --- a/types/lib/b2b/passwords_email.d.ts +++ b/types/lib/b2b/passwords_email.d.ts @@ -2,6 +2,17 @@ import { fetchConfig } from "../shared"; import { Member, Organization } from "./organizations"; import { MemberSession } from "./sessions"; import { MfaRequired } from "./mfa"; +export interface B2BPasswordsEmailDeleteRequest { + email_address: string; + organization_id?: string; + member_id?: string; +} +export interface B2BPasswordsEmailDeleteResponse { + member: Member; + organization: Organization; + status_code: number; + member_id?: string; +} export interface B2BPasswordsEmailResetRequest { password_reset_token: string; /** 
@@ -54,7 +65,7 @@ export interface B2BPasswordsEmailResetRequest { */ session_custom_claims?: Record; /** - * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will + * If the needs to complete an MFA step, and the Member has a phone number, this endpoint will * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be * used to determine which language to use when sending the passcode. * @@ -207,8 +218,8 @@ export declare class Email { */ resetStart(data: B2BPasswordsEmailResetStartRequest): Promise; /** - * Reset the member's password and authenticate them. This endpoint checks that the password reset token is - * valid, hasn’t expired, or already been used. + * Reset the's password and authenticate them. This endpoint checks that the password reset token is valid, + * hasn’t expired, or already been used. * * The provided password needs to meet our password strength requirements, which can be checked in advance * with the password strength endpoint. If the token and password are accepted, the password is securely @@ -232,4 +243,12 @@ export declare class Email { * @throws A {@link RequestError} when the Stytch API cannot be reached */ reset(data: B2BPasswordsEmailResetRequest): Promise; + /** + * @param data {@link B2BPasswordsEmailDeleteRequest} + * @returns {@link B2BPasswordsEmailDeleteResponse} + * @async + * @throws A {@link StytchError} on a non-2xx response from the Stytch API + * @throws A {@link RequestError} when the Stytch API cannot be reached + */ + delete(data: B2BPasswordsEmailDeleteRequest): Promise; } diff --git a/types/lib/b2b/passwords_existing_password.d.ts b/types/lib/b2b/passwords_existing_password.d.ts index 4e0fdb86..e6762f66 100644 --- a/types/lib/b2b/passwords_existing_password.d.ts +++ b/types/lib/b2b/passwords_existing_password.d.ts 
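Review bot: The doc comment on the new `delete(data: B2BPasswordsEmailDeleteRequest)` method in `Email` has only `@param` / `@returns` / `@throws` tags and no description, unlike `reset` and `resetStart` beside it. For a call that removes a credential, the comment should say in one or two sentences what is deleted (presumably the Member's password; confirm against the API reference) and how the target Member is selected. The request interface added at the top of this file requires `email_address` but makes both `organization_id` and `member_id` optional, and nothing states which combinations are valid. The fields of `B2BPasswordsEmailDeleteRequest` and `B2BPasswordsEmailDeleteResponse` are also undocumented, including why the response carries an optional `member_id` next to a full `member`. The `Email` class starts outside this hunk.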
@@ -41,7 +41,7 @@ export interface B2BPasswordsExistingPasswordResetRequest { */ session_custom_claims?: Record; /** - * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will + * If the needs to complete an MFA step, and the Member has a phone number, this endpoint will * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be * used to determine which language to use when sending the passcode. * @@ -96,7 +96,7 @@ export declare class ExistingPassword { private fetchConfig; constructor(fetchConfig: fetchConfig); /** - * Reset the member’s password using their existing password. + * Reset the’s password using their existing password. * * This endpoint adapts to your Project's password strength configuration. * If you're using [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the default, your diff --git a/types/lib/b2b/passwords_session.d.ts b/types/lib/b2b/passwords_session.d.ts index 58a772c2..1b1aa74e 100644 --- a/types/lib/b2b/passwords_session.d.ts +++ b/types/lib/b2b/passwords_session.d.ts @@ -96,9 +96,9 @@ export declare class Sessions { private fetchConfig; constructor(fetchConfig: fetchConfig); /** - * Reset the Member's password using their existing session. The endpoint will error if the session does - * not contain an authentication factor that has been issued within the last 5 minutes. Either - * `session_token` or `session_jwt` should be provided. + * Reset the's password using their existing session. The endpoint will error if the session does not + * contain an authentication factor that has been issued within the last 5 minutes. Either `session_token` + * or `session_jwt` should be provided. * * Note that a successful password reset via an existing session will revoke all active sessions for the * `member_id`, except for the one used during the reset flow. 
diff --git a/types/lib/b2b/recovery_codes.d.ts b/types/lib/b2b/recovery_codes.d.ts index cc212cd3..32cedecd 100644 --- a/types/lib/b2b/recovery_codes.d.ts +++ b/types/lib/b2b/recovery_codes.d.ts @@ -139,8 +139,8 @@ export declare class RecoveryCodes { private fetchConfig; constructor(fetchConfig: fetchConfig); /** - * Allows a Member to complete an MFA flow by consuming a recovery code. This consumes the recovery code - * and returns a session token that can be used to authenticate the Member. + * Allows a to complete an MFA flow by consuming a recovery code. This consumes the recovery code and + * returns a session token that can be used to authenticate the Member. * @param data {@link B2BRecoveryCodesRecoverRequest} * @returns {@link B2BRecoveryCodesRecoverResponse} * @async @@ -149,7 +149,7 @@ export declare class RecoveryCodes { */ recover(data: B2BRecoveryCodesRecoverRequest): Promise; /** - * Returns a Member's full set of active recovery codes. + * Returns a's full set of active recovery codes. * @param params {@link B2BRecoveryCodesGetRequest} * @returns {@link B2BRecoveryCodesGetResponse} * @async @@ -158,8 +158,8 @@ export declare class RecoveryCodes { */ get(params: B2BRecoveryCodesGetRequest): Promise; /** - * Rotate a Member's recovery codes. This invalidates all existing recovery codes and generates a new set - * of recovery codes. + * Rotate a's recovery codes. This invalidates all existing recovery codes and generates a new set of + * recovery codes. * @param data {@link B2BRecoveryCodesRotateRequest} * @returns {@link B2BRecoveryCodesRotateResponse} * @async diff --git a/types/lib/b2b/sessions.d.ts b/types/lib/b2b/sessions.d.ts index 1af2e94c..0a4a401a 100644 --- a/types/lib/b2b/sessions.d.ts +++ b/types/lib/b2b/sessions.d.ts 
@@ -76,11 +76,10 @@ export interface MemberSession { } export interface PrimaryRequired { /** - * If non-empty, indicates that the Organization restricts the authentication methods it allows for login - * (such as `sso` or `password`), and the end user must complete one of those authentication methods to log - * in. If empty, indicates that the Organization does not restrict the authentication method it allows for - * login, but the end user does not have any transferrable primary factors. Only email magic link and OAuth - * factors can be transferred between Organizations. + * Details the auth method that the member must also complete to fulfill the primary authentication + * requirements of the Organization. For example, a value of `[magic_link]` indicates that the Member must + * also complete a magic link authentication step. If you have an intermediate session token, you must pass + * it into that primary authentication step. */ allowed_auth_methods: string[]; } @@ -195,7 +194,7 @@ export interface B2BSessionsExchangeRequest { */ session_custom_claims?: Record; /** - * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will + * If the needs to complete an MFA step, and the Member has a phone number, this endpoint will * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be * used to determine which language to use when sending the passcode. * 
@@ -429,8 +428,8 @@ export declare class Sessions { * for more information. * * If an `authorization_check` object is passed in, this method will also check if the Member is authorized - * to perform the given action on the given Resource in the specified Organization. A Member is authorized - * if their Member Session contains a Role, assigned + * to perform the given action on the given Resource in the specified. A is authorized if their Member + * Session contains a Role, assigned * [explicitly or implicitly](https://stytch.com/docs/b2b/guides/rbac/role-assignment), with adequate * permissions. * In addition, the `organization_id` passed in the authorization check must match the Member's @@ -459,8 +458,8 @@ export declare class Sessions { */ revoke(data: B2BSessionsRevokeRequest, options?: B2BSessionsRevokeRequestOptions): Promise; /** - * Use this endpoint to exchange a Member's existing session for another session in a different - * Organization. This can be used to accept an invite, but not to create a new member via domain matching. + * Use this endpoint to exchange a's existing session for another session in a different. This can be used + * to accept an invite, but not to create a new member via domain matching. * * To create a new member via domain matching, use the * [Exchange Intermediate Session](https://stytch.com/docs/b2b/api/exchange-intermediate-session) flow 
@@ -471,6 +470,8 @@ export declare class Sessions { * Any OAuth Tokens owned by the Member will not be transferred to the new Organization. * SMS OTP factors can be used to fulfill MFA requirements for the target Organization if both the original * and target Member have the same phone number and the phone number is verified for both Members. + * HubSpot and Slack OAuth registrations will not be transferred between sessions. Instead, you will + * receive a corresponding factor with type `"oauth_exchange_slack"` or `"oauth_exchange_hubspot"` * * If the Member is required to complete MFA to log in to the Organization, the returned value of * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. @@ -493,8 +494,8 @@ export declare class Sessions { * Migrate a session from an external OIDC compliant endpoint. Stytch will call the external UserInfo * endpoint defined in your Stytch Project settings in the [Dashboard](/dashboard), and then perform a * lookup using the `session_token`. If the response contains a valid email address, Stytch will attempt to - * match that email address with an existing Member in your Organization and create a Stytch Session. You - * will need to create the member before using this endpoint. + * match that email address with an existing in your and create a Stytch Session. You will need to create + * the member before using this endpoint. * @param data {@link B2BSessionsMigrateRequest} * @returns {@link B2BSessionsMigrateResponse} * @async diff --git a/types/lib/b2b/sso.d.ts b/types/lib/b2b/sso.d.ts index c9977683..84e9ea12 100644 --- a/types/lib/b2b/sso.d.ts +++ b/types/lib/b2b/sso.d.ts 
@@ -28,6 +28,15 @@ export interface Connection { external_connection_id: string; display_name: string; status: string; + external_connection_implicit_role_assignments: ConnectionImplicitRoleAssignment[]; + external_group_implicit_role_assignments: GroupImplicitRoleAssignment[]; +} +export interface ConnectionImplicitRoleAssignment { + role_id: string; +} +export interface GroupImplicitRoleAssignment { + role_id: string; + group: string; } export interface OIDCConnection { organization_id: string; @@ -134,7 +143,7 @@ export interface B2BSSOAuthenticateRequest { */ session_custom_claims?: Record; /** - * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will + * If the needs to complete an MFA step, and the Member has a phone number, this endpoint will * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be * used to determine which language to use when sending the passcode. * @@ -286,8 +295,8 @@ export declare class SSO { * To link this authentication event to an existing Stytch session, include either the `session_token` or * `session_jwt` param. * - * If the Member is required to complete MFA to log in to the Organization, the returned value of - * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned. + * If the is required to complete MFA to log in to the, the returned value of `member_authenticated` will + * be `false`, and an `intermediate_session_token` will be returned. * The `intermediate_session_token` can be passed into the * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), * [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), diff --git a/types/lib/b2b/totps.d.ts b/types/lib/b2b/totps.d.ts index 2f1a42ad..7f51f4e3 100644 --- a/types/lib/b2b/totps.d.ts +++ b/types/lib/b2b/totps.d.ts 
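Review bot: The two fields added to `Connection` (`external_connection_implicit_role_assignments`, `external_group_implicit_role_assignments`) and the new `ConnectionImplicitRoleAssignment` / `GroupImplicitRoleAssignment` interfaces have no doc comments. By their names they describe roles granted implicitly through an external connection or an identity-provider group, which is the part of an RBAC configuration a reviewer most needs spelled out. Each field should get a short comment saying which Members receive the `role_id` and what the `group` string is matched against, for example `/** Roles granted to every Member who authenticates through this connection (confirm). */`. Both fields are added as required, so hand-written `Connection` literals in tests or mocks will stop type-checking; if the API can omit them for older connections they should be optional.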
@@ -184,8 +184,8 @@ export declare class TOTPs {
 private fetchConfig;
 constructor(fetchConfig: fetchConfig);
 /**
- * Create a new TOTP instance for a Member. The Member can use the authenticator application of their
- * choice to scan the QR code or enter the secret.
+ * Create a new TOTP instance for a. The Member can use the authenticator application of their choice to
+ * scan the QR code or enter the secret.
 *
 * Passing an intermediate session token, session token, or session JWT is not required, but if passed must
 * match the Member ID passed.
@@ -206,8 +206,8 @@ export declare class TOTPs {
 */
 authenticate(data: B2BTOTPsAuthenticateRequest): Promise;
 /**
- * Migrate an existing TOTP instance for a Member. Recovery codes are not required and will be minted for
- * the Member if not provided.
+ * Migrate an existing TOTP instance for a. Recovery codes are not required and will be minted for the
+ * Member if not provided.
 * @param data {@link B2BTOTPsMigrateRequest}
 * @returns {@link B2BTOTPsMigrateResponse}
 * @async
diff --git a/types/lib/b2c/m2m.d.ts b/types/lib/b2c/m2m.d.ts
index 4086c2af..412b7108 100644
--- a/types/lib/b2c/m2m.d.ts
+++ b/types/lib/b2c/m2m.d.ts
@@ -133,18 +133,18 @@ export declare class M2M { */ token(data: TokenRequest): Promise; /** - * Authenticate an access token issued by Stytch from the Token endpoint. - * M2M access tokens are JWTs signed with the project's JWKs, and can be validated locally using any Stytch client library. - * You may pass in an optional set of scopes that the JWT must contain in order to enforce permissions. - * You may also override the default scope authorization function to implement custom authorization logic. - * - * @param data {@link AuthenticateTokenRequest} - * @param scopeAuthorizationFunc {@link ScopeAuthorizationFunc} - A function that checks if the token has the required scopes. - The default function assumes scopes are either direct string matches or written in the form "action:resource". See the - documentation for {@link performAuthorizationCheck} for more information. - * @async - * @returns {@link AuthenticateTokenResponse} - * @throws {ClientError} when token can not be authenticated - */ + * Authenticate an access token issued by Stytch from the Token endpoint. + * M2M access tokens are JWTs signed with the project's JWKs, and can be validated locally using any Stytch client library. + * You may pass in an optional set of scopes that the JWT must contain in order to enforce permissions. + * You may also override the default scope authorization function to implement custom authorization logic. + * + * @param data {@link AuthenticateTokenRequest} + * @param scopeAuthorizationFunc {@link ScopeAuthorizationFunc} - A function that checks if the token has the required scopes. + The default function assumes scopes are either direct string matches or written in the form "action:resource". See the + documentation for {@link performAuthorizationCheck} for more information. 
+ * @async + * @returns {@link AuthenticateTokenResponse} + * @throws {ClientError} when token can not be authenticated + */ authenticateToken(data: AuthenticateTokenRequest, scopeAuthorizationFunc?: ScopeAuthorizationFunc): Promise; }