Add additional fields to B2B Password Reset by Session (#256)

* add additional fields to stytch password session reset b2b and autogen

* add fields

lib/b2b/passwords.ts

@@ -376,21 +376,14 @@ export class Passwords {
 
   /**
    * Authenticate a member with their email address and password. This endpoint verifies that the member has
-   * a password currently set, and that the entered password is correct. There are two instances where the
-   * endpoint will return a reset_password error even if they enter their previous password:
-   * * The member’s credentials appeared in the HaveIBeenPwned dataset.
-   *     * We force a password reset to ensure that the member is the legitimate owner of the email address,
-   * and not a malicious actor abusing the compromised credentials.
-   * * A member that has previously authenticated with email/password uses a passwordless authentication
-   * method tied to the same email address (e.g. Magic Links) for the first time. Any subsequent
-   * email/password authentication attempt will result in this error.
-   *     * We force a password reset in this instance in order to safely deduplicate the account by email
-   * address, without introducing the risk of a pre-hijack account takeover attack.
-   *     * Imagine a bad actor creates many accounts using passwords and the known email addresses of their
-   * victims. If a victim comes to the site and logs in for the first time with an email-based passwordless
-   * authentication method then both the victim and the bad actor have credentials to access to the same
-   * account. To prevent this, any further email/password login attempts first require a password reset which
-   * can only be accomplished by someone with access to the underlying email address.
+   * a password currently set, and that the entered password is correct.
+   *
+   * If you have breach detection during authentication enabled in your
+   * [password strength policy](https://stytch.com/docs/b2b/guides/passwords/strength-policies) and the
+   * member's credentials have appeared in the HaveIBeenPwned dataset, this endpoint will return a
+   * `member_reset_password` error even if the member enters a correct password. We force a password reset in
+   * this case to ensure that the member is the legitimate owner of the email address and not a malicious
+   * actor abusing the compromised credentials.
    *
    * If the Member is required to complete MFA to log in to the Organization, the returned value of
    * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.

lib/b2b/passwords_session.ts

@@ -7,6 +7,7 @@
 import { fetchConfig } from "../shared";
 import { Member, Organization } from "./organizations";
 import { MemberSession } from "./sessions";
+import { MfaRequired } from "./mfa";
 import { request } from "../shared";
 
 // Request type for `passwords.sessions.reset`.
@@ -22,6 +23,45 @@ export interface B2BPasswordsSessionResetRequest {
   session_token?: string;
   // The JSON Web Token (JWT) for a given Stytch Session.
   session_jwt?: string;
+  /**
+   * Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't
+   * already exist,
+   *   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the
+   * `session_jwt` will have a fixed lifetime of
+   *   five minutes regardless of the underlying session duration, and will need to be refreshed over time.
+   *
+   *   This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
+   *
+   *   If a `session_token` or `session_jwt` is provided then a successful authentication will continue to
+   * extend the session this many minutes.
+   *
+   *   If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a
+   * 60 minute duration. If you don't want
+   *   to use the Stytch session product, you can ignore the session fields in the response.
+   */
+  session_duration_minutes?: number;
+  /**
+   * Add a custom claims map to the Session being authenticated. Claims are only created if a Session is
+   * initialized by providing a value in
+   *   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a
+   * key in an existing Session, supply a new value. To
+   *   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`,
+   * `exp`, `nbf`, `iat`, `jti`) will be ignored.
+   *   Total custom claims size cannot exceed four kilobytes.
+   */
+  session_custom_claims?: Record<string, any>; // eslint-disable-line @typescript-eslint/no-explicit-any
+  /**
+   * Used to determine which language to use when sending the user this delivery method. Parameter is a
+   * [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
+   *
+   * Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese
+   * (`"pt-br"`); if no value is provided, the copy defaults to English.
+   *
+   * Request support for additional languages
+   * [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")!
+   *
+   */
+  locale?: "en" | "es" | "pt-br" | string;
 }
 
 // Response type for `passwords.sessions.reset`.
@@ -37,13 +77,37 @@ export interface B2BPasswordsSessionResetResponse {
   member: Member;
   // The [Organization object](https://stytch.com/docs/b2b/api/organization-object).
   organization: Organization;
+  // A secret token for a given Stytch Session.
+  session_token: string;
+  // The JSON Web Token (JWT) for a given Stytch Session.
+  session_jwt: string;
+  /**
+   * The Intermediate Session Token. This token does not necessarily belong to a specific instance of a
+   * Member, but represents a bag of factors that may be converted to a member session.
+   *     The token can be used with the
+   * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete an MFA
+   * flow;
+   *     the
+   * [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session)
+   * to join a specific Organization that allows the factors represented by the intermediate session token;
+   *     or the
+   * [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member.
+   */
+  intermediate_session_token: string;
+  /**
+   * Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step
+   * to log in to the Organization.
+   */
+  member_authenticated: boolean;
   /**
    * The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g.
    * 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
    */
   status_code: number;
   // The [Session object](https://stytch.com/docs/b2b/api/session-object).
   member_session?: MemberSession;
+  // Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA.
+  mfa_required?: MfaRequired;
 }
 
 export class Sessions {

lib/b2c/magic_links.ts

@@ -20,7 +20,15 @@ export interface Options {
 
 // Request type for `magicLinks.authenticate`.
 export interface MagicLinksAuthenticateRequest {
-  // The token to authenticate.
+  /**
+   * The Magic Link `token` from the `?token=` query parameter in the URL.
+   *
+   *       The redirect URL will look like
+   * `https://example.com/authenticate?stytch_token_type=magic_links&token=rM_kw42CWBhsHLF62V75jELMbvJ87njMe3tFVj7Qupu7`
+   *
+   *       In the redirect URL, the `stytch_token_type` will be `magic_link`. See
+   * [here](https://stytch.com/docs/guides/dashboard/redirect-urls) for more detail.
+   */
   token: string;
   // Provided attributes help with fraud detection.
   attributes?: Attributes;

lib/b2c/magic_links_email.ts

@@ -277,8 +277,10 @@ export class Email {
    * ### Add an email to an existing user
    * This endpoint also allows you to add a new email address to an existing Stytch User. Including a
    * `user_id`, `session_token`, or `session_jwt` in your Send Magic Link by email request will add the new,
-   * unverified email address to the existing Stytch User. Upon successful authentication, the email address
-   * will be marked as verified.
+   * unverified email address to the existing Stytch User. If the user successfully authenticates within 5
+   * minutes, the new email address will be marked as verified and remain permanently on the existing Stytch
+   * User. Otherwise, it will be removed from the User object, and any subsequent login requests using that
+   * email address will create a new User.
    *
    * ### Next steps
    * The user is emailed a magic link which redirects them to the provided
@@ -308,8 +310,8 @@ export class Email {
    *
    * ### Next steps
    * The User is emailed a Magic Link which redirects them to the provided
-   * [redirect URL](https://stytch.com/docs/magic-links#email-magic-links_redirect-routing). Collect the
-   * `token` from the URL query parameters and call
+   * [redirect URL](https://stytch.com/docs/guides/magic-links/email-magic-links/redirect-routing). Collect
+   * the `token` from the URL query parameters and call
    * [Authenticate Magic Link](https://stytch.com/docs/api/authenticate-magic-link) to complete
    * authentication.
    * @param data {@link MagicLinksEmailLoginOrCreateRequest}
@@ -334,8 +336,8 @@ export class Email {
    *
    * ### Next steps
    * The User is emailed a Magic Link which redirects them to the provided
-   * [redirect URL](https://stytch.com/docs/magic-links#email-magic-links_redirect-routing). Collect the
-   * `token` from the URL query parameters and call
+   * [redirect URL](https://stytch.com/docs/guides/magic-links/email-magic-links/redirect-routing). Collect
+   * the `token` from the URL query parameters and call
    * [Authenticate Magic Link](https://stytch.com/docs/api/authenticate-magic-link) to complete
    * authentication.
    * @param data {@link MagicLinksEmailInviteRequest}