diff --git a/stytch/src/main/kotlin/com/stytch/java/b2b/api/organizations/Organizations.kt b/stytch/src/main/kotlin/com/stytch/java/b2b/api/organizations/Organizations.kt
index 056898f..edbac56 100644
--- a/stytch/src/main/kotlin/com/stytch/java/b2b/api/organizations/Organizations.kt
+++ b/stytch/src/main/kotlin/com/stytch/java/b2b/api/organizations/Organizations.kt
@@ -48,8 +48,8 @@ public interface Organizations {
 /**
 * Creates an Organization. An `organization_name` and a unique `organization_slug` are required.
 *
- * By default, `email_invites` and `sso_jit_provisioning` will be set to `ALL_ALLOWED`, and `mfa_policy` will be set to
- * `OPTIONAL` if no Organization authentication settings are explicitly defined in the request.
+ * If no Organization authentication setting parameters are passed in, `email_invites` will default to `ALL_ALLOWED` so
+ * that the Organization has a way to add Members. Otherwise, `email_invites` will default to `NOT_ALLOWED`.
 *
 * *See the [Organization authentication settings](https://stytch.com/docs/b2b/api/org-auth-settings) resource to learn
 * more about fields like `email_jit_provisioning`, `email_invites`, `sso_jit_provisioning`, etc., and their behaviors.
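Review bot: The rewritten paragraph in the first `create` KDoc (hunk -48,8) never says which request fields count as "Organization authentication setting parameters", so a caller cannot tell which field flips the `email_invites` default from `ALL_ALLOWED` to `NOT_ALLOWED`. It also drops the earlier statement of the `mfa_policy` default without replacing it in this comment. I would add a sentence such as `Setting any field described in the Organization authentication settings resource counts as passing a setting.` (wording to be confirmed against the API) and keep a pointer to where the `mfa_policy` default is documented. The same text is repeated in the -59,8 and -73,8 hunks.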
@@ -59,8 +59,8 @@ public interface Organizations {
 /**
 * Creates an Organization. An `organization_name` and a unique `organization_slug` are required.
 *
- * By default, `email_invites` and `sso_jit_provisioning` will be set to `ALL_ALLOWED`, and `mfa_policy` will be set to
- * `OPTIONAL` if no Organization authentication settings are explicitly defined in the request.
+ * If no Organization authentication setting parameters are passed in, `email_invites` will default to `ALL_ALLOWED` so
+ * that the Organization has a way to add Members. Otherwise, `email_invites` will default to `NOT_ALLOWED`.
 *
 * *See the [Organization authentication settings](https://stytch.com/docs/b2b/api/org-auth-settings) resource to learn
 * more about fields like `email_jit_provisioning`, `email_invites`, `sso_jit_provisioning`, etc., and their behaviors.
@@ -73,8 +73,8 @@ public interface Organizations {
 /**
 * Creates an Organization. An `organization_name` and a unique `organization_slug` are required.
 *
- * By default, `email_invites` and `sso_jit_provisioning` will be set to `ALL_ALLOWED`, and `mfa_policy` will be set to
- * `OPTIONAL` if no Organization authentication settings are explicitly defined in the request.
+ * If no Organization authentication setting parameters are passed in, `email_invites` will default to `ALL_ALLOWED` so
+ * that the Organization has a way to add Members. Otherwise, `email_invites` will default to `NOT_ALLOWED`.
 *
 * *See the [Organization authentication settings](https://stytch.com/docs/b2b/api/org-auth-settings) resource to learn
 * more about fields like `email_jit_provisioning`, `email_invites`, `sso_jit_provisioning`, etc., and their behaviors.
diff --git a/stytch/src/main/kotlin/com/stytch/java/b2b/api/organizationsmembers/OrganizationsMembers.kt b/stytch/src/main/kotlin/com/stytch/java/b2b/api/organizationsmembers/OrganizationsMembers.kt
index 34b45e3..05aaa57 100644
--- a/stytch/src/main/kotlin/com/stytch/java/b2b/api/organizationsmembers/OrganizationsMembers.kt
+++ b/stytch/src/main/kotlin/com/stytch/java/b2b/api/organizationsmembers/OrganizationsMembers.kt
@@ -433,6 +433,10 @@ public interface Members {
 * The member will receive an Email Magic Link that expires in 5 minutes. If they do not verify their new email address in
 * that timeframe, the email
 * will be freed up for other members to use.
+ *
+ * The Magic Link will redirect to your `login_redirect_url` (or the configured default if one isn't provided), and you
+ * should invoke the [Authenticate Magic Link](https://stytch.com/docs/b2b/api/authenticate-magic-link) endpoint as normal
+ * to complete the flow.
 */
 public suspend fun startEmailUpdate(
 data: StartEmailUpdateRequest,
@@ -452,6 +456,10 @@ public interface Members {
 * The member will receive an Email Magic Link that expires in 5 minutes. If they do not verify their new email address in
 * that timeframe, the email
 * will be freed up for other members to use.
+ *
+ * The Magic Link will redirect to your `login_redirect_url` (or the configured default if one isn't provided), and you
+ * should invoke the [Authenticate Magic Link](https://stytch.com/docs/b2b/api/authenticate-magic-link) endpoint as normal
+ * to complete the flow.
 */
 public fun startEmailUpdate(
 data: StartEmailUpdateRequest,
@@ -472,6 +480,10 @@ public interface Members {
 * The member will receive an Email Magic Link that expires in 5 minutes. If they do not verify their new email address in
 * that timeframe, the email
 * will be freed up for other members to use.
+ *
+ * The Magic Link will redirect to your `login_redirect_url` (or the configured default if one isn't provided), and you
+ * should invoke the [Authenticate Magic Link](https://stytch.com/docs/b2b/api/authenticate-magic-link) endpoint as normal
+ * to complete the flow.
 */
 public fun startEmailUpdateCompletable(
 data: StartEmailUpdateRequest,
diff --git a/stytch/src/main/kotlin/com/stytch/java/b2b/api/otpsms/OTPSms.kt b/stytch/src/main/kotlin/com/stytch/java/b2b/api/otpsms/OTPSms.kt
index 5d49b84..4c0184b 100644
--- a/stytch/src/main/kotlin/com/stytch/java/b2b/api/otpsms/OTPSms.kt
+++ b/stytch/src/main/kotlin/com/stytch/java/b2b/api/otpsms/OTPSms.kt
@@ -43,8 +43,11 @@ public interface Sms {
 * their phone number. In that case, this endpoint should only be used for subsequent authentication events, such as
 * prompting a Member for an OTP again after a period of inactivity.
 *
- * Passing an intermediate session token, session token, or session JWT is not required, but if passed must match the
- * Member ID passed.
+ * If the Member already has an active MFA factor, then passing an intermediate session token, session token, or session
+ * JWT with the existing MFA factor on it is required to prevent bypassing MFA.
+ *
+ * Otherwise, passing an intermediate session token, session token, or session JWT is not required, but if passed must
+ * match the `member_id` passed.
 *
 * ### Cost to send SMS OTP
 * Before configuring SMS or WhatsApp OTPs, please review how Stytch
@@ -56,8 +59,9 @@ public interface Sms {
 *
 * __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS
 * prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's
- * allowlist via [the API](https://stytch.com/docs/workspace-management/pwa/country-code-allowlist-object), and
- * [add credit card details](https://stytch.com/docs/dashboard/settings/billing) to your account.
+ * allowlist via the [Dashboard](https://stytch.com/dashboard/country-code-allowlists) or
+ * [Programmatic Workspace Actions](https://stytch.com/docs/workspace-management/pwa/set-allowed-country-codes), and
+ * [add credit card details](https://stytch.com/dashboard/settings/billing) to your account.
 */
 public suspend fun send(data: SendRequest): StytchResult
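Review bot: The new MFA paragraph in the `send` KDoc (hunk -43,8) says a session token or JWT carrying the existing factor "is required", but it does not say what the caller receives when that token is missing. Because the rule exists to prevent bypassing MFA, the failure mode deserves a sentence, for example `Requests that omit it are rejected with an error.` if that matches the API. Whether `SendRequest` enforces anything client-side is not visible in this hunk, so the comment may be the only place an integrator learns of the requirement. The same paragraph is repeated in the -81,8 and -122,8 hunks and in the three `create` KDocs in TOTPs.kt.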
@@ -81,8 +85,11 @@ public interface Sms {
 * their phone number. In that case, this endpoint should only be used for subsequent authentication events, such as
 * prompting a Member for an OTP again after a period of inactivity.
 *
- * Passing an intermediate session token, session token, or session JWT is not required, but if passed must match the
- * Member ID passed.
+ * If the Member already has an active MFA factor, then passing an intermediate session token, session token, or session
+ * JWT with the existing MFA factor on it is required to prevent bypassing MFA.
+ *
+ * Otherwise, passing an intermediate session token, session token, or session JWT is not required, but if passed must
+ * match the `member_id` passed.
 *
 * ### Cost to send SMS OTP
 * Before configuring SMS or WhatsApp OTPs, please review how Stytch
@@ -94,8 +101,9 @@ public interface Sms {
 *
 * __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS
 * prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's
- * allowlist via [the API](https://stytch.com/docs/workspace-management/pwa/country-code-allowlist-object), and
- * [add credit card details](https://stytch.com/docs/dashboard/settings/billing) to your account.
+ * allowlist via the [Dashboard](https://stytch.com/dashboard/country-code-allowlists) or
+ * [Programmatic Workspace Actions](https://stytch.com/docs/workspace-management/pwa/set-allowed-country-codes), and
+ * [add credit card details](https://stytch.com/dashboard/settings/billing) to your account.
 */
 public fun send(
 data: SendRequest,
@@ -122,8 +130,11 @@ public interface Sms {
 * their phone number. In that case, this endpoint should only be used for subsequent authentication events, such as
 * prompting a Member for an OTP again after a period of inactivity.
 *
- * Passing an intermediate session token, session token, or session JWT is not required, but if passed must match the
- * Member ID passed.
+ * If the Member already has an active MFA factor, then passing an intermediate session token, session token, or session
+ * JWT with the existing MFA factor on it is required to prevent bypassing MFA.
+ *
+ * Otherwise, passing an intermediate session token, session token, or session JWT is not required, but if passed must
+ * match the `member_id` passed.
 *
 * ### Cost to send SMS OTP
 * Before configuring SMS or WhatsApp OTPs, please review how Stytch
@@ -135,8 +146,9 @@ public interface Sms {
 *
 * __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS
 * prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's
- * allowlist via [the API](https://stytch.com/docs/workspace-management/pwa/country-code-allowlist-object), and
- * [add credit card details](https://stytch.com/docs/dashboard/settings/billing) to your account.
+ * allowlist via the [Dashboard](https://stytch.com/dashboard/country-code-allowlists) or
+ * [Programmatic Workspace Actions](https://stytch.com/docs/workspace-management/pwa/set-allowed-country-codes), and
+ * [add credit card details](https://stytch.com/dashboard/settings/billing) to your account.
 */
 public fun sendCompletable(data: SendRequest): CompletableFuture>
diff --git a/stytch/src/main/kotlin/com/stytch/java/b2b/api/rbac/RBAC.kt b/stytch/src/main/kotlin/com/stytch/java/b2b/api/rbac/RBAC.kt
index 4c05f0e..4838c31 100644
--- a/stytch/src/main/kotlin/com/stytch/java/b2b/api/rbac/RBAC.kt
+++ b/stytch/src/main/kotlin/com/stytch/java/b2b/api/rbac/RBAC.kt
@@ -31,7 +31,7 @@ public interface RBAC {
 * extra request to Stytch. The policy will be refreshed if an authorization check is requested and the RBAC policy was
 * last updated more than 5 minutes ago.
 *
- * Resources and Roles can be created and managed within the [RBAC page](https://stytch.com/docs/dashboard/rbac) in the
+ * Resources and Roles can be created and managed within the [RBAC page](https://stytch.com/dashboard/rbac) in the
 * Dashboard.
 * Additionally, [Role assignment](https://stytch.com/docs/b2b/guides/rbac/role-assignment) can be programmatically
 * managed through certain Stytch API endpoints.
@@ -49,7 +49,7 @@ public interface RBAC {
 * extra request to Stytch. The policy will be refreshed if an authorization check is requested and the RBAC policy was
 * last updated more than 5 minutes ago.
 *
- * Resources and Roles can be created and managed within the [RBAC page](https://stytch.com/docs/dashboard/rbac) in the
+ * Resources and Roles can be created and managed within the [RBAC page](https://stytch.com/dashboard/rbac) in the
 * Dashboard.
 * Additionally, [Role assignment](https://stytch.com/docs/b2b/guides/rbac/role-assignment) can be programmatically
 * managed through certain Stytch API endpoints.
@@ -70,7 +70,7 @@ public interface RBAC {
 * extra request to Stytch. The policy will be refreshed if an authorization check is requested and the RBAC policy was
 * last updated more than 5 minutes ago.
 *
- * Resources and Roles can be created and managed within the [RBAC page](https://stytch.com/docs/dashboard/rbac) in the
+ * Resources and Roles can be created and managed within the [RBAC page](https://stytch.com/dashboard/rbac) in the
 * Dashboard.
 * Additionally, [Role assignment](https://stytch.com/docs/b2b/guides/rbac/role-assignment) can be programmatically
 * managed through certain Stytch API endpoints.
diff --git a/stytch/src/main/kotlin/com/stytch/java/b2b/api/sessions/Sessions.kt b/stytch/src/main/kotlin/com/stytch/java/b2b/api/sessions/Sessions.kt
index 40eedf5..8312101 100644
--- a/stytch/src/main/kotlin/com/stytch/java/b2b/api/sessions/Sessions.kt
+++ b/stytch/src/main/kotlin/com/stytch/java/b2b/api/sessions/Sessions.kt
@@ -315,7 +315,7 @@ public interface Sessions {
 /**
 * Exchange an auth token issued by a trusted identity provider for a Stytch session. You must first register a Trusted
- * Auth Token profile in the Stytch dashboard [here](https://stytch.com/docs/dashboard/trusted-auth-tokens). If a session
+ * Auth Token profile in the Stytch dashboard [here](https://stytch.com/dashboard/trusted-auth-tokens). If a session
 * token or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing
 * session.
 */
@@ -323,7 +323,7 @@ public interface Sessions {
 /**
 * Exchange an auth token issued by a trusted identity provider for a Stytch session. You must first register a Trusted
- * Auth Token profile in the Stytch dashboard [here](https://stytch.com/docs/dashboard/trusted-auth-tokens). If a session
+ * Auth Token profile in the Stytch dashboard [here](https://stytch.com/dashboard/trusted-auth-tokens). If a session
 * token or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing
 * session.
 */
@@ -334,7 +334,7 @@ public interface Sessions {
 /**
 * Exchange an auth token issued by a trusted identity provider for a Stytch session. You must first register a Trusted
- * Auth Token profile in the Stytch dashboard [here](https://stytch.com/docs/dashboard/trusted-auth-tokens). If a session
+ * Auth Token profile in the Stytch dashboard [here](https://stytch.com/dashboard/trusted-auth-tokens). If a session
 * token or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing
 * session.
 */
@@ -343,8 +343,7 @@ public interface Sessions { /** * Migrate a session from an external OIDC compliant endpoint. * Stytch will call the external UserInfo endpoint defined in your Stytch Project settings in the - * [Dashboard](https://stytch.com/docs/dashboard), and then perform a lookup using the `session_token`. + * [Dashboard](https://stytch.com/dashboard/migrations), and then perform a lookup using the `session_token`. * If the response contains a valid email address, Stytch will attempt to match that email address with an existing Member * in your Organization and create a Stytch Session. * You will need to create the member before using this endpoint. @@ -354,8 +353,7 @@ public interface Sessions { /** * Migrate a session from an external OIDC compliant endpoint. * Stytch will call the external UserInfo endpoint defined in your Stytch Project settings in the - * [Dashboard](https://stytch.com/docs/dashboard), and then perform a lookup using the `session_token`. + * [Dashboard](https://stytch.com/dashboard/migrations), and then perform a lookup using the `session_token`. * If the response contains a valid email address, Stytch will attempt to match that email address with an existing Member * in your Organization and create a Stytch Session. * You will need to create the member before using this endpoint. @@ -368,8 +366,7 @@ public interface Sessions { /** * Migrate a session from an external OIDC compliant endpoint. * Stytch will call the external UserInfo endpoint defined in your Stytch Project settings in the - * [Dashboard](https://stytch.com/docs/dashboard), and then perform a lookup using the `session_token`. + * [Dashboard](https://stytch.com/dashboard/migrations), and then perform a lookup using the `session_token`. * If the response contains a valid email address, Stytch will attempt to match that email address with an existing Member * in your Organization and create a Stytch Session. * You will need to create the member before using this endpoint. 
diff --git a/stytch/src/main/kotlin/com/stytch/java/b2b/api/totps/TOTPs.kt b/stytch/src/main/kotlin/com/stytch/java/b2b/api/totps/TOTPs.kt
index f636265..e0094cf 100644
--- a/stytch/src/main/kotlin/com/stytch/java/b2b/api/totps/TOTPs.kt
+++ b/stytch/src/main/kotlin/com/stytch/java/b2b/api/totps/TOTPs.kt
@@ -29,8 +29,11 @@ public interface TOTPs {
 * Create a new TOTP instance for a Member. The Member can use the authenticator application of their choice to scan the
 * QR code or enter the secret.
 *
- * Passing an intermediate session token, session token, or session JWT is not required, but if passed must match the
- * Member ID passed.
+ * If the Member already has an active MFA factor, then passing an intermediate session token, session token, or session
+ * JWT with the existing MFA factor on it is required to prevent bypassing MFA.
+ *
+ * Otherwise, passing an intermediate session token, session token, or session JWT is not required, but if passed must
+ * match the `member_id` passed.
 */
 public suspend fun create(data: CreateRequest): StytchResult
@@ -38,8 +41,11 @@ public interface TOTPs {
 * Create a new TOTP instance for a Member. The Member can use the authenticator application of their choice to scan the
 * QR code or enter the secret.
 *
- * Passing an intermediate session token, session token, or session JWT is not required, but if passed must match the
- * Member ID passed.
+ * If the Member already has an active MFA factor, then passing an intermediate session token, session token, or session
+ * JWT with the existing MFA factor on it is required to prevent bypassing MFA.
+ *
+ * Otherwise, passing an intermediate session token, session token, or session JWT is not required, but if passed must
+ * match the `member_id` passed.
 */
 public fun create(
 data: CreateRequest,
@@ -50,8 +56,11 @@ public interface TOTPs {
 * Create a new TOTP instance for a Member. The Member can use the authenticator application of their choice to scan the
 * QR code or enter the secret.
 *
- * Passing an intermediate session token, session token, or session JWT is not required, but if passed must match the
- * Member ID passed.
+ * If the Member already has an active MFA factor, then passing an intermediate session token, session token, or session
+ * JWT with the existing MFA factor on it is required to prevent bypassing MFA.
+ *
+ * Otherwise, passing an intermediate session token, session token, or session JWT is not required, but if passed must
+ * match the `member_id` passed.
 */
 public fun createCompletable(data: CreateRequest): CompletableFuture>
diff --git a/stytch/src/main/kotlin/com/stytch/java/b2b/models/discoveryorganizations/DiscoveryOrganizations.kt b/stytch/src/main/kotlin/com/stytch/java/b2b/models/discoveryorganizations/DiscoveryOrganizations.kt
index b6cbdc0..607fdd4 100644
--- a/stytch/src/main/kotlin/com/stytch/java/b2b/models/discoveryorganizations/DiscoveryOrganizations.kt
+++ b/stytch/src/main/kotlin/com/stytch/java/b2b/models/discoveryorganizations/DiscoveryOrganizations.kt
@@ -120,8 +120,8 @@ public data class CreateRequest
 * The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted
 * values are:
 *
- * `ALL_ALLOWED` – new Members will be automatically provisioned upon successful authentication via any of the
- * Organization's `sso_active_connections`.
+ * `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via
+ * any of the Organization's `sso_active_connections`.
 *
 * `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be
 * provisioned upon authentication.
@@ -148,7 +148,7 @@ public data class CreateRequest
 * `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon
 * authentication via Email Magic Link or OAuth.
 *
- * `NOT_ALLOWED` – disable JIT provisioning via Email Magic Link and OAuth.
+ * `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth.
 *
 */
 @Json(name = "email_jit_provisioning")
@@ -232,7 +232,7 @@ public data class CreateRequest
 *
 * `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
 *
- * `NOT_ALLOWED` – disable JIT provisioning by OAuth Tenant.
+ * `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant.
 *
 */
 @Json(name = "oauth_tenant_jit_provisioning")
@@ -247,7 +247,7 @@ public data class CreateRequest
 * The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values
 * are:
 *
- * `ALL_ALLOWED` – any first party Connected App in the Project is permitted for use by Members.
+ * `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members.
 *
 * `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by
 * Members.
@@ -267,7 +267,7 @@ public data class CreateRequest
 * The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values
 * are:
 *
- * `ALL_ALLOWED` – any third party Connected App in the Project is permitted for use by Members.
+ * `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members.
 *
 * `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by
 * Members.
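Review bot: In the third party Connected Apps KDoc (hunk -267,7), the unchanged `RESTRICTED` line still names `allowed_first_party_connected_apps`, which looks like a copy of the first party text in hunk -247,7. Since this commit already edits the paragraph, it is a good moment to confirm the intended field, presumably `allowed_third_party_connected_apps`, and correct it, because an operator following the comment could populate the wrong allowlist. The same line appears in the third party hunks of models/organizations/Organizations.kt (-813,7, -1282,7 and -1808,7).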
diff --git a/stytch/src/main/kotlin/com/stytch/java/b2b/models/organizations/Organizations.kt b/stytch/src/main/kotlin/com/stytch/java/b2b/models/organizations/Organizations.kt
index 6e56414..24d6679 100644
--- a/stytch/src/main/kotlin/com/stytch/java/b2b/models/organizations/Organizations.kt
+++ b/stytch/src/main/kotlin/com/stytch/java/b2b/models/organizations/Organizations.kt
@@ -666,8 +666,8 @@ public data class Organization
 * The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted
 * values are:
 *
- * `ALL_ALLOWED` – new Members will be automatically provisioned upon successful authentication via any of the
- * Organization's `sso_active_connections`.
+ * `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via
+ * any of the Organization's `sso_active_connections`.
 *
 * `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be
 * provisioned upon authentication.
@@ -708,7 +708,7 @@ public data class Organization
 * `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon
 * authentication via Email Magic Link or OAuth.
 *
- * `NOT_ALLOWED` – disable JIT provisioning via Email Magic Link and OAuth.
+ * `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth.
 *
 */
 @Json(name = "email_jit_provisioning")
@@ -782,7 +782,7 @@ public data class Organization
 *
 * `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
 *
- * `NOT_ALLOWED` – disable JIT provisioning by OAuth Tenant.
+ * `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant.
 *
 */
 @Json(name = "oauth_tenant_jit_provisioning")
@@ -793,7 +793,7 @@ public data class Organization
 * The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values
 * are:
 *
- * `ALL_ALLOWED` – any first party Connected App in the Project is permitted for use by Members.
+ * `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members.
 *
 * `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by
 * Members.
@@ -813,7 +813,7 @@ public data class Organization
 * The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values
 * are:
 *
- * `ALL_ALLOWED` – any third party Connected App in the Project is permitted for use by Members.
+ * `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members.
 *
 * `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by
 * Members.
@@ -1130,8 +1130,8 @@ public data class CreateRequest
 * The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted
 * values are:
 *
- * `ALL_ALLOWED` – new Members will be automatically provisioned upon successful authentication via any of the
- * Organization's `sso_active_connections`.
+ * `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via
+ * any of the Organization's `sso_active_connections`.
 *
 * `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be
 * provisioned upon authentication.
@@ -1158,7 +1158,7 @@ public data class CreateRequest
 * `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon
 * authentication via Email Magic Link or OAuth.
 *
- * `NOT_ALLOWED` – disable JIT provisioning via Email Magic Link and OAuth.
+ * `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth.
 *
 */
 @Json(name = "email_jit_provisioning")
@@ -1242,7 +1242,7 @@ public data class CreateRequest
 *
 * `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
 *
- * `NOT_ALLOWED` – disable JIT provisioning by OAuth Tenant.
+ * `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant.
 *
 */
 @Json(name = "oauth_tenant_jit_provisioning")
@@ -1262,7 +1262,7 @@ public data class CreateRequest
 * The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values
 * are:
 *
- * `ALL_ALLOWED` – any first party Connected App in the Project is permitted for use by Members.
+ * `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members.
 *
 * `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by
 * Members.
@@ -1282,7 +1282,7 @@ public data class CreateRequest
 * The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values
 * are:
 *
- * `ALL_ALLOWED` – any third party Connected App in the Project is permitted for use by Members.
+ * `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members.
 *
 * `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by
 * Members.
@@ -1609,8 +1609,8 @@ public data class UpdateRequest
 * The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted
 * values are:
 *
- * `ALL_ALLOWED` – new Members will be automatically provisioned upon successful authentication via any of the
- * Organization's `sso_active_connections`.
+ * `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via
+ * any of the Organization's `sso_active_connections`.
 *
 * `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be
 * provisioned upon authentication.
@@ -1654,7 +1654,7 @@ public data class UpdateRequest
 * `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon
 * authentication via Email Magic Link or OAuth.
 *
- * `NOT_ALLOWED` – disable JIT provisioning via Email Magic Link and OAuth.
+ * `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth.
 *
 *
 * If this field is provided and a session header is passed into the request, the Member Session must have permission to
@@ -1762,7 +1762,7 @@ public data class UpdateRequest
 *
 * `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
 *
- * `NOT_ALLOWED` – disable JIT provisioning by OAuth Tenant.
+ * `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant.
 *
 *
 * If this field is provided and a session header is passed into the request, the Member Session must have permission to
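Review bot: Labelling a value "the default setting" inside `UpdateRequest` (hunk -1609,8 and the four `UpdateRequest` hunks that follow) is ambiguous, because on an update an omitted field presumably leaves the stored value unchanged rather than resetting it to `ALL_ALLOWED` or `NOT_ALLOWED`. That matters most for the permissive values, where a reader may assume that omitting `sso_jit_provisioning` returns the Organization to a known state. I would qualify the phrase as `the default setting when the Organization is created`, both here and in the `Organization` response object (hunks -666,8 through -813,7), where the field reports the current value and not a default.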
@@ -1788,7 +1788,7 @@ public data class UpdateRequest
 * The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values
 * are:
 *
- * `ALL_ALLOWED` – any first party Connected App in the Project is permitted for use by Members.
+ * `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members.
 *
 * `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by
 * Members.
@@ -1808,7 +1808,7 @@ public data class UpdateRequest
 * The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values
 * are:
 *
- * `ALL_ALLOWED` – any third party Connected App in the Project is permitted for use by Members.
+ * `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members.
 *
 * `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by
 * Members.
diff --git a/stytch/src/main/kotlin/com/stytch/java/b2b/models/organizationsmembers/OrganizationsMembers.kt b/stytch/src/main/kotlin/com/stytch/java/b2b/models/organizationsmembers/OrganizationsMembers.kt
index a2d8aa2..26cacab 100644
--- a/stytch/src/main/kotlin/com/stytch/java/b2b/models/organizationsmembers/OrganizationsMembers.kt
+++ b/stytch/src/main/kotlin/com/stytch/java/b2b/models/organizationsmembers/OrganizationsMembers.kt
@@ -902,7 +902,7 @@ public data class StartEmailUpdateRequest
 @Json(name = "member_id")
 val memberId: String,
 /**
- * The email address of the Member.
+ * The new email address for the Member.
 */
 @Json(name = "email_address")
 val emailAddress: String,
diff --git a/stytch/src/main/kotlin/com/stytch/java/b2b/models/passwordsemail/PasswordsEmail.kt b/stytch/src/main/kotlin/com/stytch/java/b2b/models/passwordsemail/PasswordsEmail.kt
index f9736b9..a98e5fe 100644
--- a/stytch/src/main/kotlin/com/stytch/java/b2b/models/passwordsemail/PasswordsEmail.kt
+++ b/stytch/src/main/kotlin/com/stytch/java/b2b/models/passwordsemail/PasswordsEmail.kt
@@ -97,6 +97,12 @@ public data class RequireResetRequest
 public data class RequireResetResponse
 @JvmOverloads
 constructor(
+ /**
+ * Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we
+ * may ask for this value to help identify a specific API call when helping you debug an issue.
+ */
+ @Json(name = "request_id")
+ val requestId: String,
 /**
 * The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values
 * equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
diff --git a/stytch/src/main/kotlin/com/stytch/java/b2b/models/rbac/RBAC.kt b/stytch/src/main/kotlin/com/stytch/java/b2b/models/rbac/RBAC.kt
index beea49e..7933c58 100644
--- a/stytch/src/main/kotlin/com/stytch/java/b2b/models/rbac/RBAC.kt
+++ b/stytch/src/main/kotlin/com/stytch/java/b2b/models/rbac/RBAC.kt
@@ -35,7 +35,7 @@ public data class PolicyResource
 * A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable.
 *
 * A `resource_id` is not allowed to start with `stytch`, which is a special prefix used for Stytch default Resources
- * with reserved `resource_id`s. These include:
+ * with reserved `resource_id`s. These include:
 * * `stytch.organization`
 * * `stytch.member`
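Review bot: `val requestId: String` is added as the first parameter of the public `RequireResetResponse` constructor in PasswordsEmail.kt (hunk -97,6), ahead of the parameter documented as the HTTP status code, which shifts every positional argument and `componentN()` for existing users of this data class. It is also non-null with no default, so a response body without `request_id` would presumably fail to deserialize instead of yielding a partial object; that is worth confirming against the endpoint. If the ordering is deliberate to match other response models, I would call the break out in the release notes; otherwise append the field after the existing parameters. The constructor continues past the end of the hunk.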
@@ -141,15 +141,15 @@ public data class PolicyRolePermission * A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable. * * A `resource_id` is not allowed to start with `stytch`, which is a special prefix used for Stytch default Resources - * with reserved `resource_id`s. These include: + * with reserved `resource_id`s. These include: * * * `stytch.organization` * * `stytch.member` * * `stytch.sso` * * `stytch.self` * - * Check out the [guide on Stytch default Resources](https://stytch.com/docs/docs/b2b/guides/rbac/stytch-default) for a - * more detailed explanation. + * Check out the [guide on Stytch default Resources](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more + * detailed explanation. * * */ @@ -214,7 +214,7 @@ public data class PolicyResponse val statusCode: Int, /** * The RBAC Policy document that contains all defined Roles and Resources – which are managed in the - * [Dashboard](https://stytch.com/docs/dashboard/rbac). Read more about these entities and how they work in our + * [Dashboard](https://stytch.com/dashboard/rbac). Read more about these entities and how they work in our * [RBAC overview](https://stytch.com/docs/b2b/guides/rbac/overview). */ @Json(name = "policy") diff --git a/stytch/src/main/kotlin/com/stytch/java/b2b/models/sessions/Sessions.kt b/stytch/src/main/kotlin/com/stytch/java/b2b/models/sessions/Sessions.kt index c514168..722ed60 100644 --- a/stytch/src/main/kotlin/com/stytch/java/b2b/models/sessions/Sessions.kt +++ b/stytch/src/main/kotlin/com/stytch/java/b2b/models/sessions/Sessions.kt 
@@ -48,8 +48,7 @@ public data class AuthorizationCheck @JvmOverloads constructor( /** - * Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations - * on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience. + * Globally unique UUID that identifies a specific Organization. The Organization's ID must match the Member's Organization */ @Json(name = "organization_id") val organizationId: String, @@ -57,7 +56,7 @@ public data class AuthorizationCheck * A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable. * * A `resource_id` is not allowed to start with `stytch`, which is a special prefix used for Stytch default Resources - * with reserved `resource_id`s. These include: + * with reserved `resource_id`s. These include: * * * `stytch.organization` * * `stytch.member` @@ -82,8 +81,15 @@ public data class AuthorizationCheck public data class AuthorizationVerdict @JvmOverloads constructor( + /** + * Whether the Member was authorized to perform the specified action on the specified Resource. Always true if the request + * succeeds. + */ @Json(name = "authorized") val authorized: Boolean, + /** + * The complete list of Roles that gave the Member permission to perform the specified action on the specified Resource. + */ @Json(name = "granting_roles") val grantingRoles: List, ) 
@@ -133,6 +139,13 @@ public data class MemberSession val organizationId: String, @Json(name = "roles") val roles: List, + /** + * The unique URL slug of the Organization. The slug only accepts alphanumeric characters and the following reserved + * characters: `-` `.` `_` `~`. Must be between 2 and 128 characters in length. Wherever an organization_id is expected in + * a path or request parameter, you may also use the organization_slug as a convenience. + */ + @Json(name = "organization_slug") + val organizationSlug: String, /** * The custom claims map for a Session. Claims can be added to a session during a Sessions authenticate call. */ @@ -396,7 +409,7 @@ public data class AuthenticateResponse val statusCode: Int, /** * If an `authorization_check` is provided in the request and the check succeeds, this field will return - * the complete list of Roles that gave the Member permission to perform the specified action on the specified Resource. + * information about why the Member was granted permission. */ @Json(name = "verdict") val verdict: AuthorizationVerdict? = null, diff --git a/stytch/src/main/kotlin/com/stytch/java/consumer/StytchClient.kt b/stytch/src/main/kotlin/com/stytch/java/consumer/StytchClient.kt index fdf50ee..dda654a 100644 --- a/stytch/src/main/kotlin/com/stytch/java/consumer/StytchClient.kt +++ b/stytch/src/main/kotlin/com/stytch/java/consumer/StytchClient.kt @@ -9,6 +9,7 @@ import com.stytch.java.common.BASE_LIVE_URL import com.stytch.java.common.BASE_TEST_URL import com.stytch.java.common.JwtOptions import com.stytch.java.common.OptionalClientConfig +import com.stytch.java.common.PolicyCache import com.stytch.java.consumer.api.connectedapps.ConnectedApp import com.stytch.java.consumer.api.connectedapps.ConnectedAppImpl import com.stytch.java.consumer.api.cryptowallets.CryptoWallets 
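Review bot: The new `organizationSlug` property in the `MemberSession` hunk is a non-null `String` with no default, so a payload without `organization_slug` would presumably be rejected by the JSON adapter instead of yielding a session. Nothing in this hunk shows that every source of a `MemberSession` carries the slug; sessions reconstructed locally from JWT claims or issued before the field existed are the cases to check. If it can be absent, declare it as `val organizationSlug: String? = null` so session parsing does not fail on a field that is only a convenience identifier. The constructor starts and ends outside the hunk, so any code that builds `MemberSession` directly also needs the new argument.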
@@ -29,6 +30,8 @@ import com.stytch.java.consumer.api.passwords.Passwords import com.stytch.java.consumer.api.passwords.PasswordsImpl import com.stytch.java.consumer.api.project.Project import com.stytch.java.consumer.api.project.ProjectImpl +import com.stytch.java.consumer.api.rbac.RBAC +import com.stytch.java.consumer.api.rbac.RBACImpl import com.stytch.java.consumer.api.sessions.Sessions import com.stytch.java.consumer.api.sessions.SessionsImpl import com.stytch.java.consumer.api.totps.TOTPs @@ -66,6 +69,7 @@ public class StytchClient issuers = listOf("stytch.com/$projectId", baseUrl), type = "JWT", ) + private val policyCache: PolicyCache = PolicyCache(RBACImpl(httpClient, coroutineScope)) @JvmField public val connectedApp: ConnectedApp = ConnectedAppImpl(httpClient, coroutineScope) @@ -98,7 +102,10 @@ public class StytchClient public val project: Project = ProjectImpl(httpClient, coroutineScope) @JvmField - public val sessions: Sessions = SessionsImpl(httpClient, coroutineScope, httpsJwks, jwtOptions) + public val rbac: RBAC = RBACImpl(httpClient, coroutineScope) + + @JvmField + public val sessions: Sessions = SessionsImpl(httpClient, coroutineScope, httpsJwks, jwtOptions, policyCache) @JvmField public val totps: TOTPs = TOTPsImpl(httpClient, coroutineScope) diff --git a/stytch/src/main/kotlin/com/stytch/java/consumer/api/fraudfingerprint/FraudFingerprint.kt b/stytch/src/main/kotlin/com/stytch/java/consumer/api/fraudfingerprint/FraudFingerprint.kt index e4bed04..b4b9b02 100644 --- a/stytch/src/main/kotlin/com/stytch/java/consumer/api/fraudfingerprint/FraudFingerprint.kt +++ b/stytch/src/main/kotlin/com/stytch/java/consumer/api/fraudfingerprint/FraudFingerprint.kt 
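Review bot: Two separate `RBACImpl(httpClient, coroutineScope)` instances are created in `StytchClient`, one inside `PolicyCache(...)` in the second hunk and one for the public `rbac` field in the third. Creating it once, as `private val rbacImpl = RBACImpl(httpClient, coroutineScope)` declared before `policyCache`, and passing it to both would avoid the duplicate. The `policyCache` property also has no comment, although it is handed to `SessionsImpl`, presumably for local authorization checks. A line such as `// Cached RBAC policy for local authorization checks; role and permission changes are not seen until the cache refreshes` would tell integrators that a revocation is not immediate. The refresh interval is not visible in these hunks and should be confirmed against `PolicyCache`.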
@@ -22,11 +22,11 @@ import java.util.concurrent.CompletableFuture public interface Fingerprint { /** - * Lookup the associated fingerprint for the `telemetry_id` returned from the `GetTelemetryID()` function. Learn more - * about the different fingerprint types and verdicts in our + * Lookup the associated fingerprint for the `telemetry_id` returned from the `GetTelemetryID()` function. + * Learn more about the different fingerprint types and verdicts in our * [DFP guide](https://stytch.com/docs/fraud/guides/device-fingerprinting/overview). * - * Make a decision based on the returned `verdict`: + * You can make a decision based on the recommended `verdict` in the response: * * `ALLOW` - This is a known valid device grouping or device profile that is part of the default `ALLOW` listed set of * known devices by Stytch. This grouping is made up of verified device profiles that match the characteristics of * known/authentic traffic origins. 
@@ -35,18 +35,20 @@ public interface Fingerprint { * * `CHALLENGE` - This is an unknown or potentially malicious device that should be put through increased friction such * as 2FA or other forms of extended user verification before allowing the privileged action to proceed. * - * If the `telemetry_id` is not found, we will return a 404 `telemetry_id_not_found` - * [error](https://stytch.com/docs/fraud/api/errors/404#telemetry_id_not_found). We recommend treating 404 errors as a - * `BLOCK`, since it could be a sign of an attacker trying to bypass DFP protections by generating fake telemetry IDs. + * If the `telemetry_id` is expired or not found, this endpoint returns a 404 `telemetry_id_not_found` + * [error](https://stytch.com/docs/fraud/api/errors/404#telemetry_id_not_found). + * We recommend treating 404 errors as a `BLOCK`, since it could be a sign of an attacker trying to bypass DFP protections. + * See + * [Attacker-controlled telemetry IDs](https://stytch.com/docs/fraud/guides/device-fingerprinting/integration-steps/test-your-integration#attacker-controlled-telemetry-ids) for more information. */ public suspend fun lookup(data: LookupRequest): StytchResult /** - * Lookup the associated fingerprint for the `telemetry_id` returned from the `GetTelemetryID()` function. Learn more - * about the different fingerprint types and verdicts in our + * Lookup the associated fingerprint for the `telemetry_id` returned from the `GetTelemetryID()` function. + * Learn more about the different fingerprint types and verdicts in our * [DFP guide](https://stytch.com/docs/fraud/guides/device-fingerprinting/overview). * - * Make a decision based on the returned `verdict`: + * You can make a decision based on the recommended `verdict` in the response: * * `ALLOW` - This is a known valid device grouping or device profile that is part of the default `ALLOW` listed set of * known devices by Stytch. 
This grouping is made up of verified device profiles that match the characteristics of * known/authentic traffic origins. @@ -55,9 +57,11 @@ public interface Fingerprint { * * `CHALLENGE` - This is an unknown or potentially malicious device that should be put through increased friction such * as 2FA or other forms of extended user verification before allowing the privileged action to proceed. * - * If the `telemetry_id` is not found, we will return a 404 `telemetry_id_not_found` - * [error](https://stytch.com/docs/fraud/api/errors/404#telemetry_id_not_found). We recommend treating 404 errors as a - * `BLOCK`, since it could be a sign of an attacker trying to bypass DFP protections by generating fake telemetry IDs. + * If the `telemetry_id` is expired or not found, this endpoint returns a 404 `telemetry_id_not_found` + * [error](https://stytch.com/docs/fraud/api/errors/404#telemetry_id_not_found). + * We recommend treating 404 errors as a `BLOCK`, since it could be a sign of an attacker trying to bypass DFP protections. + * See + * [Attacker-controlled telemetry IDs](https://stytch.com/docs/fraud/guides/device-fingerprinting/integration-steps/test-your-integration#attacker-controlled-telemetry-ids) for more information. */ public fun lookup( data: LookupRequest, 
@@ -65,11 +69,11 @@ public interface Fingerprint { ) /** - * Lookup the associated fingerprint for the `telemetry_id` returned from the `GetTelemetryID()` function. Learn more - * about the different fingerprint types and verdicts in our + * Lookup the associated fingerprint for the `telemetry_id` returned from the `GetTelemetryID()` function. + * Learn more about the different fingerprint types and verdicts in our * [DFP guide](https://stytch.com/docs/fraud/guides/device-fingerprinting/overview). * - * Make a decision based on the returned `verdict`: + * You can make a decision based on the recommended `verdict` in the response: * * `ALLOW` - This is a known valid device grouping or device profile that is part of the default `ALLOW` listed set of * known devices by Stytch. This grouping is made up of verified device profiles that match the characteristics of * known/authentic traffic origins. 
@@ -78,9 +82,11 @@ public interface Fingerprint { * * `CHALLENGE` - This is an unknown or potentially malicious device that should be put through increased friction such * as 2FA or other forms of extended user verification before allowing the privileged action to proceed. * - * If the `telemetry_id` is not found, we will return a 404 `telemetry_id_not_found` - * [error](https://stytch.com/docs/fraud/api/errors/404#telemetry_id_not_found). We recommend treating 404 errors as a - * `BLOCK`, since it could be a sign of an attacker trying to bypass DFP protections by generating fake telemetry IDs. + * If the `telemetry_id` is expired or not found, this endpoint returns a 404 `telemetry_id_not_found` + * [error](https://stytch.com/docs/fraud/api/errors/404#telemetry_id_not_found). + * We recommend treating 404 errors as a `BLOCK`, since it could be a sign of an attacker trying to bypass DFP protections. + * See + * [Attacker-controlled telemetry IDs](https://stytch.com/docs/fraud/guides/device-fingerprinting/integration-steps/test-your-integration#attacker-controlled-telemetry-ids) for more information. */ public fun lookupCompletable(data: LookupRequest): CompletableFuture> } diff --git a/stytch/src/main/kotlin/com/stytch/java/consumer/api/otpsms/OTPSms.kt b/stytch/src/main/kotlin/com/stytch/java/consumer/api/otpsms/OTPSms.kt index dac346d..586fd8a 100644 --- a/stytch/src/main/kotlin/com/stytch/java/consumer/api/otpsms/OTPSms.kt +++ b/stytch/src/main/kotlin/com/stytch/java/consumer/api/otpsms/OTPSms.kt 
@@ -36,8 +36,9 @@ public interface Sms { * * __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS * prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's - * allowlist via [the API](https://stytch.com/docs/workspace-management/pwa/country-code-allowlist-object), and - * [add credit card details](https://stytch.com/docs/dashboard/settings/billing) to your account. + * allowlist via the [Dashboard](https://stytch.com/dashboard/country-code-allowlists) or + * [Programmatic Workspace Actions](https://stytch.com/docs/workspace-management/pwa/set-allowed-country-codes), and + * [add credit card details](https://stytch.com/dashboard/settings/billing) to your account. * * Even when international SMS is enabled, we do not support sending SMS to countries on our * [Unsupported countries list](https://stytch.com/docs/guides/passcodes/unsupported-countries). @@ -70,8 +71,9 @@ public interface Sms { * * __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS * prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's - * allowlist via [the API](https://stytch.com/docs/workspace-management/pwa/country-code-allowlist-object), and - * [add credit card details](https://stytch.com/docs/dashboard/settings/billing) to your account. + * allowlist via the [Dashboard](https://stytch.com/dashboard/country-code-allowlists) or + * [Programmatic Workspace Actions](https://stytch.com/docs/workspace-management/pwa/set-allowed-country-codes), and + * [add credit card details](https://stytch.com/dashboard/settings/billing) to your account. * * Even when international SMS is enabled, we do not support sending SMS to countries on our * [Unsupported countries list](https://stytch.com/docs/guides/passcodes/unsupported-countries). 
@@ -107,8 +109,9 @@ public interface Sms { * * __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS * prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's - * allowlist via [the API](https://stytch.com/docs/workspace-management/pwa/country-code-allowlist-object), and - * [add credit card details](https://stytch.com/docs/dashboard/settings/billing) to your account. + * allowlist via the [Dashboard](https://stytch.com/dashboard/country-code-allowlists) or + * [Programmatic Workspace Actions](https://stytch.com/docs/workspace-management/pwa/set-allowed-country-codes), and + * [add credit card details](https://stytch.com/dashboard/settings/billing) to your account. * * Even when international SMS is enabled, we do not support sending SMS to countries on our * [Unsupported countries list](https://stytch.com/docs/guides/passcodes/unsupported-countries). @@ -139,8 +142,9 @@ public interface Sms { * * __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS * prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's - * allowlist via [the API](https://stytch.com/docs/workspace-management/pwa/country-code-allowlist-object), and - * [add credit card details](https://stytch.com/docs/dashboard/settings/billing) to your account. + * allowlist via the [Dashboard](https://stytch.com/dashboard/country-code-allowlists) or + * [Programmatic Workspace Actions](https://stytch.com/docs/workspace-management/pwa/set-allowed-country-codes), and + * [add credit card details](https://stytch.com/dashboard/settings/billing) to your account. * * Even when international SMS is enabled, we do not support sending SMS to countries on our * [Unsupported countries list](https://stytch.com/docs/guides/passcodes/unsupported-countries). 
@@ -163,8 +167,9 @@ public interface Sms { * * __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS * prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's - * allowlist via [the API](https://stytch.com/docs/workspace-management/pwa/country-code-allowlist-object), and - * [add credit card details](https://stytch.com/docs/dashboard/settings/billing) to your account. + * allowlist via the [Dashboard](https://stytch.com/dashboard/country-code-allowlists) or + * [Programmatic Workspace Actions](https://stytch.com/docs/workspace-management/pwa/set-allowed-country-codes), and + * [add credit card details](https://stytch.com/dashboard/settings/billing) to your account. * * Even when international SMS is enabled, we do not support sending SMS to countries on our * [Unsupported countries list](https://stytch.com/docs/guides/passcodes/unsupported-countries). @@ -190,8 +195,9 @@ public interface Sms { * * __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS * prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's - * allowlist via [the API](https://stytch.com/docs/workspace-management/pwa/country-code-allowlist-object), and - * [add credit card details](https://stytch.com/docs/dashboard/settings/billing) to your account. + * allowlist via the [Dashboard](https://stytch.com/dashboard/country-code-allowlists) or + * [Programmatic Workspace Actions](https://stytch.com/docs/workspace-management/pwa/set-allowed-country-codes), and + * [add credit card details](https://stytch.com/dashboard/settings/billing) to your account. * * Even when international SMS is enabled, we do not support sending SMS to countries on our * [Unsupported countries list](https://stytch.com/docs/guides/passcodes/unsupported-countries). 
diff --git a/stytch/src/main/kotlin/com/stytch/java/consumer/api/rbac/RBAC.kt b/stytch/src/main/kotlin/com/stytch/java/consumer/api/rbac/RBAC.kt new file mode 100644 index 0000000..d4a99f1 --- /dev/null +++ b/stytch/src/main/kotlin/com/stytch/java/consumer/api/rbac/RBAC.kt 
@@ -0,0 +1,117 @@ +package com.stytch.java.consumer.api.rbac + +// !!! +// WARNING: This file is autogenerated +// Only modify code within MANUAL() sections +// or your changes may be overwritten later! +// !!! + +import com.squareup.moshi.JsonAdapter +import com.squareup.moshi.Moshi +import com.squareup.moshi.Types +import com.stytch.java.common.InstantAdapter +import com.stytch.java.common.StytchResult +import com.stytch.java.consumer.models.rbac.PolicyRequest +import com.stytch.java.consumer.models.rbac.PolicyResponse +import com.stytch.java.http.HttpClient +import kotlinx.coroutines.CoroutineScope +import kotlinx.coroutines.Dispatchers +import kotlinx.coroutines.async +import kotlinx.coroutines.future.asCompletableFuture +import kotlinx.coroutines.launch +import kotlinx.coroutines.withContext +import java.util.concurrent.CompletableFuture + +public interface RBAC { + /** + * Get the active RBAC Policy for your current Stytch Project. An RBAC Policy is the canonical document that stores all + * defined Resources and Roles within your RBAC permissioning model. + * + * When using the backend SDKs, the RBAC Policy will be cached to allow for local evaluations, eliminating the need for an + * extra request to Stytch. + * The policy will be refreshed if an authorization check is requested and the RBAC policy was last updated more than 5 + * minutes ago. + * + * Resources and Roles can be created and managed within the [RBAC page](https://stytch.com/dashboard/rbac) in the + * Dashboard. + * Additionally, [Role assignment](https://stytch.com/docs/guides/rbac/role-assignment) can be programmatically managed + * through certain Stytch API endpoints. + * + * Check out the [RBAC overview](https://stytch.com/docs/guides/rbac/overview) to learn more about Stytch's RBAC + * permissioning model. + */ + public suspend fun policy(data: PolicyRequest): StytchResult + + /** + * Get the active RBAC Policy for your current Stytch Project. 
An RBAC Policy is the canonical document that stores all + * defined Resources and Roles within your RBAC permissioning model. + * + * When using the backend SDKs, the RBAC Policy will be cached to allow for local evaluations, eliminating the need for an + * extra request to Stytch. + * The policy will be refreshed if an authorization check is requested and the RBAC policy was last updated more than 5 + * minutes ago. + * + * Resources and Roles can be created and managed within the [RBAC page](https://stytch.com/dashboard/rbac) in the + * Dashboard. + * Additionally, [Role assignment](https://stytch.com/docs/guides/rbac/role-assignment) can be programmatically managed + * through certain Stytch API endpoints. + * + * Check out the [RBAC overview](https://stytch.com/docs/guides/rbac/overview) to learn more about Stytch's RBAC + * permissioning model. + */ + public fun policy( + data: PolicyRequest, + callback: (StytchResult) -> Unit, + ) + + /** + * Get the active RBAC Policy for your current Stytch Project. An RBAC Policy is the canonical document that stores all + * defined Resources and Roles within your RBAC permissioning model. + * + * When using the backend SDKs, the RBAC Policy will be cached to allow for local evaluations, eliminating the need for an + * extra request to Stytch. + * The policy will be refreshed if an authorization check is requested and the RBAC policy was last updated more than 5 + * minutes ago. + * + * Resources and Roles can be created and managed within the [RBAC page](https://stytch.com/dashboard/rbac) in the + * Dashboard. + * Additionally, [Role assignment](https://stytch.com/docs/guides/rbac/role-assignment) can be programmatically managed + * through certain Stytch API endpoints. + * + * Check out the [RBAC overview](https://stytch.com/docs/guides/rbac/overview) to learn more about Stytch's RBAC + * permissioning model. 
+ */ + public fun policyCompletable(data: PolicyRequest): CompletableFuture> +} + +internal class RBACImpl( + private val httpClient: HttpClient, + private val coroutineScope: CoroutineScope, +) : RBAC { + private val moshi = Moshi.Builder().add(InstantAdapter()).build() + + override suspend fun policy(data: PolicyRequest): StytchResult = + withContext(Dispatchers.IO) { + var headers = emptyMap() + + val asJson = moshi.adapter(PolicyRequest::class.java).toJson(data) + val type = Types.newParameterizedType(Map::class.java, String::class.java, Any::class.java) + val adapter: JsonAdapter> = moshi.adapter(type) + val asMap = adapter.fromJson(asJson) ?: emptyMap() + httpClient.get("/v1/rbac/policy", asMap, headers) + } + + override fun policy( + data: PolicyRequest, + callback: (StytchResult) -> Unit, + ) { + coroutineScope.launch { + callback(policy(data)) + } + } + + override fun policyCompletable(data: PolicyRequest): CompletableFuture> = + coroutineScope.async { + policy(data) + }.asCompletableFuture() +} diff --git a/stytch/src/main/kotlin/com/stytch/java/consumer/api/sessions/Sessions.kt b/stytch/src/main/kotlin/com/stytch/java/consumer/api/sessions/Sessions.kt index a79ea2c..6876533 100644 --- a/stytch/src/main/kotlin/com/stytch/java/consumer/api/sessions/Sessions.kt +++ b/stytch/src/main/kotlin/com/stytch/java/consumer/api/sessions/Sessions.kt @@ -17,6 +17,7 @@ import com.stytch.java.common.JWTResponse import com.stytch.java.common.JWTSessionResponse import com.stytch.java.common.JwtOptions import com.stytch.java.common.ParseJWTClaimsOptions +import com.stytch.java.common.PolicyCache import com.stytch.java.common.StytchException import com.stytch.java.common.StytchResult import com.stytch.java.common.StytchSessionClaim 
@@ -137,7 +138,7 @@ public interface Sessions { /** * Migrate a session from an external OIDC compliant endpoint. Stytch will call the external UserInfo endpoint defined in - * your Stytch Project settings in the [Dashboard](https://stytch.com/docs/dashboard), and then perform a lookup using the + * your Stytch Project settings in the [Dashboard](https://stytch.com/dashboard), and then perform a lookup using the * `session_token`. If the response contains a valid email address, Stytch will attempt to match that email address with * an existing User and create a Stytch Session. You will need to create the user before using this endpoint. */ @@ -145,7 +146,7 @@ public interface Sessions { /** * Migrate a session from an external OIDC compliant endpoint. Stytch will call the external UserInfo endpoint defined in - * your Stytch Project settings in the [Dashboard](https://stytch.com/docs/dashboard), and then perform a lookup using the + * your Stytch Project settings in the [Dashboard](https://stytch.com/dashboard), and then perform a lookup using the * `session_token`. If the response contains a valid email address, Stytch will attempt to match that email address with * an existing User and create a Stytch Session. You will need to create the user before using this endpoint. */ @@ -156,7 +157,7 @@ public interface Sessions { /** * Migrate a session from an external OIDC compliant endpoint. Stytch will call the external UserInfo endpoint defined in - * your Stytch Project settings in the [Dashboard](https://stytch.com/docs/dashboard), and then perform a lookup using the + * your Stytch Project settings in the [Dashboard](https://stytch.com/dashboard), and then perform a lookup using the * `session_token`. If the response contains a valid email address, Stytch will attempt to match that email address with * an existing User and create a Stytch Session. You will need to create the user before using this endpoint. */ 
@@ -271,17 +272,15 @@ public interface Sessions { /** * Exchange an auth token issued by a trusted identity provider for a Stytch session. You must first register a Trusted - * Auth Token profile in the Stytch dashboard [here](https://stytch.com/docs/dashboard/trusted-auth-tokens). If a session - * token or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing - * session. + * Auth Token profile in the Stytch dashboard [here](https://stytch.com/dashboard/trusted-auth-tokens). If a session token + * or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing session. */ public suspend fun attest(data: AttestRequest): StytchResult /** * Exchange an auth token issued by a trusted identity provider for a Stytch session. You must first register a Trusted - * Auth Token profile in the Stytch dashboard [here](https://stytch.com/docs/dashboard/trusted-auth-tokens). If a session - * token or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing - * session. + * Auth Token profile in the Stytch dashboard [here](https://stytch.com/dashboard/trusted-auth-tokens). If a session token + * or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing session. */ public fun attest( data: AttestRequest, 
@@ -290,9 +289,8 @@ public interface Sessions { /** * Exchange an auth token issued by a trusted identity provider for a Stytch session. You must first register a Trusted - * Auth Token profile in the Stytch dashboard [here](https://stytch.com/docs/dashboard/trusted-auth-tokens). If a session - * token or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing - * session. + * Auth Token profile in the Stytch dashboard [here](https://stytch.com/dashboard/trusted-auth-tokens). If a session token + * or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing session. */ public fun attestCompletable(data: AttestRequest): CompletableFuture> @@ -407,6 +405,7 @@ internal class SessionsImpl( private val coroutineScope: CoroutineScope, private val jwksClient: HttpsJwks, private val jwtOptions: JwtOptions, + private val policyCache: PolicyCache, ) : Sessions { private val moshi = Moshi.Builder().add(InstantAdapter()).build() diff --git a/stytch/src/main/kotlin/com/stytch/java/consumer/models/passwordsemail/PasswordsEmail.kt b/stytch/src/main/kotlin/com/stytch/java/consumer/models/passwordsemail/PasswordsEmail.kt index ce46890..643b3e6 100644 --- a/stytch/src/main/kotlin/com/stytch/java/consumer/models/passwordsemail/PasswordsEmail.kt +++ b/stytch/src/main/kotlin/com/stytch/java/consumer/models/passwordsemail/PasswordsEmail.kt 
@@ -197,9 +197,8 @@ public data class ResetStartRequest * The URL Stytch redirects to after the OAuth flow is completed for a user that already exists. This URL should be a * route in your application which will run `oauth.authenticate` (see below) and finish the login. * - * The URL must be configured as a Login URL in the - * [Redirect URL page](https://stytch.com/docs/dashboard/redirect-urls). If the field is not specified, the default Login - * URL will be used. + * The URL must be configured as a Login URL in the [Redirect URL page](https://stytch.com/dashboard/redirect-urls). If + * the field is not specified, the default Login URL will be used. */ @Json(name = "login_redirect_url") val loginRedirectURL: String? = null, diff --git a/stytch/src/main/kotlin/com/stytch/java/consumer/models/rbac/RBAC.kt b/stytch/src/main/kotlin/com/stytch/java/consumer/models/rbac/RBAC.kt new file mode 100644 index 0000000..d64004b --- /dev/null +++ b/stytch/src/main/kotlin/com/stytch/java/consumer/models/rbac/RBAC.kt 
@@ -0,0 +1,158 @@ +package com.stytch.java.consumer.models.rbac + +// !!! +// WARNING: This file is autogenerated +// Only modify code within MANUAL() sections +// or your changes may be overwritten later! +// !!! + +import com.squareup.moshi.Json +import com.squareup.moshi.JsonClass + +@JsonClass(generateAdapter = true) +public data class Policy + @JvmOverloads + constructor( + /** + * An array of [Role objects](https://stytch.com/docs/api/rbac-role-object). + */ + @Json(name = "roles") + val roles: List, + /** + * An array of [Resource objects](https://stytch.com/docs/api/rbac-resource-object). + */ + @Json(name = "resources") + val resources: List, + @Json(name = "scopes") + val scopes: List, + ) + +@JsonClass(generateAdapter = true) +public data class PolicyResource + @JvmOverloads + constructor( + /** + * A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable. + * + * A `resource_id` is not allowed to start with `stytch`, which is a special prefix used for Stytch default Resources + * with reserved `resource_id`s. + * + */ + @Json(name = "resource_id") + val resourceId: String, + /** + * The description of the RBAC Resource. + */ + @Json(name = "description") + val description: String, + /** + * A list of all possible actions for a provided Resource. + */ + @Json(name = "actions") + val actions: List, + ) + +@JsonClass(generateAdapter = true) +public data class PolicyRole + @JvmOverloads + constructor( + /** + * The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable. + * + * The `stytch_user` `role_id` is predefined by Stytch. + * Check out the [guide on Stytch default Roles](https://stytch.com/docs/guides/rbac/stytch-default) for a more detailed + * explanation. + * + */ + @Json(name = "role_id") + val roleId: String, + /** + * The description of the RBAC Role. 
+ */ + @Json(name = "description") + val description: String, + /** + * A list of permissions that link a [Resource](https://stytch.com/docs/api/rbac-resource-object) to a list of actions. + */ + @Json(name = "permissions") + val permissions: List, + ) + +@JsonClass(generateAdapter = true) +public data class PolicyRolePermission + @JvmOverloads + constructor( + /** + * A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable. + * + * A `resource_id` is not allowed to start with `stytch`, which is a special prefix used for Stytch default Resources + * with reserved `resource_id`s. + * + */ + @Json(name = "resource_id") + val resourceId: String, + /** + * A list of permitted actions the Role is authorized to take with the provided Resource. You can use `*` as a wildcard to + * grant a Role permission to use all possible actions related to the Resource. + */ + @Json(name = "actions") + val actions: List, + ) + +@JsonClass(generateAdapter = true) +public data class PolicyScope + @JvmOverloads + constructor( + @Json(name = "scope") + val scope: String, + @Json(name = "description") + val description: String, + @Json(name = "permissions") + val permissions: List, + ) + +@JsonClass(generateAdapter = true) +public data class PolicyScopePermission + @JvmOverloads + constructor( + @Json(name = "resource_id") + val resourceId: String, + @Json(name = "actions") + val actions: List, + ) + +/** +* Request type for `RBAC.policy`. +*/ +@JsonClass(generateAdapter = true) +public class PolicyRequest + @JvmOverloads + constructor() + +/** +* Response type for `RBAC.policy`. +*/ +@JsonClass(generateAdapter = true) +public data class PolicyResponse + @JvmOverloads + constructor( + /** + * Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we + * may ask for this value to help identify a specific API call when helping you debug an issue. 
+ */ + @Json(name = "request_id") + val requestId: String, + /** + * The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values + * equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors. + */ + @Json(name = "status_code") + val statusCode: Int, + /** + * The RBAC Policy document that contains all defined Roles and Resources – which are managed in the + * [Dashboard](https://stytch.com/dashboard/rbac). Read more about these entities and how they work in our + * [RBAC overview](https://stytch.com/docs/guides/rbac/overview). + */ + @Json(name = "policy") + val policy: Policy? = null, + ) diff --git a/stytch/src/main/kotlin/com/stytch/java/consumer/models/sessions/Sessions.kt b/stytch/src/main/kotlin/com/stytch/java/consumer/models/sessions/Sessions.kt index d9ceb6f..de61156 100644 --- a/stytch/src/main/kotlin/com/stytch/java/consumer/models/sessions/Sessions.kt +++ b/stytch/src/main/kotlin/com/stytch/java/consumer/models/sessions/Sessions.kt 
@@ -221,24 +221,49 @@ public data class AuthenticationFactor @JvmOverloads constructor( /** - * The type of authentication factor. The possible values are: `magic_link`, `otp`, - * `oauth`, `password`, `email_otp`, or `sso` . + * The type of authentication factor. The possible values are: `email_otp`, `impersonated`, `imported`, + * `magic_link`, `oauth`, `otp`, `password`, `recovery_codes`, `sso`, `trusted_auth_token`, or `totp`. */ @Json(name = "type") val type: AuthenticationFactorType, /** * The method that was used to deliver the authentication factor. The possible values depend on the `type`: * + * `email_otp` – Only `email`. + * + * `impersonated` – Only `impersonation`. + * + * `imported` – Only `imported_auth0`. + * * `magic_link` – Only `email`. * - * `otp` – Either `sms` or `email` . + * `oauth` – The delivery method is determined by the specific OAuth provider used. The possible values are + * `oauth_google`, `oauth_microsoft`, `oauth_hubspot`, `oauth_slack`, or `oauth_github`. + * + * In addition, you may see an 'exchange' delivery method when a non-email-verifying OAuth factor originally + * authenticated in one organization is exchanged for a factor in another organization. + * This can happen during authentication flows such as + * [session exchange](https://stytch.com/docs/b2b/api/exchange-session). + * The non-email-verifying OAuth providers are Hubspot, Slack, and Github. + * Google is also considered non-email-verifying when the HD claim is empty. + * The possible exchange values are `oauth_exchange_google`, `oauth_exchange_hubspot`, `oauth_exchange_slack`, or + * `oauth_exchange_github`. * - * `oauth` – Either `oauth_google` or `oauth_microsoft`. + * The final possible value is `oauth_access_token_exchange`, if this factor came from an + * [access token exchange flow](https://stytch.com/docs/b2b/api/connected-app-access-token-exchange). + * + * `otp` – Only `sms`. * * `password` – Only `knowledge`. * + * `recovery_codes` – Only `recovery_code`. 
+ * * `sso` – Either `sso_saml` or `sso_oidc`. * + * `trusted_auth_token` – Only `trusted_token_exchange`. + * + * `totp` – Only `authenticator_app`. + * */ @Json(name = "delivery_method") val deliveryMethod: AuthenticationFactorDeliveryMethod, @@ -286,6 +311,9 @@ public data class AuthenticationFactor */ @Json(name = "authenticator_app_factor") val authenticatorAppFactor: AuthenticatorAppFactor? = null, + /** + * Information about the Github OAuth factor, if one is present. + */ @Json(name = "github_oauth_factor") val githubOAuthFactor: GithubOAuthFactor? = null, @Json(name = "recovery_code_factor") @@ -312,6 +340,9 @@ public data class AuthenticationFactor val linkedInOAuthFactor: LinkedInOAuthFactor? = null, @Json(name = "shopify_oauth_factor") val shopifyOAuthFactor: ShopifyOAuthFactor? = null, + /** + * Information about the Slack OAuth factor, if one is present. + */ @Json(name = "slack_oauth_factor") val slackOAuthFactor: SlackOAuthFactor? = null, @Json(name = "snapchat_oauth_factor") 
@@ -344,14 +375,29 @@ public data class AuthenticationFactor val salesforceOAuthFactor: SalesforceOAuthFactor? = null, @Json(name = "yahoo_oauth_factor") val yahooOAuthFactor: YahooOAuthFactor? = null, + /** + * Information about the Hubspot OAuth factor, if one is present. + */ @Json(name = "hubspot_oauth_factor") val hubspotOAuthFactor: HubspotOAuthFactor? = null, + /** + * Information about the Slack OAuth Exchange factor, if one is present. + */ @Json(name = "slack_oauth_exchange_factor") val slackOAuthExchangeFactor: SlackOAuthExchangeFactor? = null, + /** + * Information about the Hubspot OAuth Exchange factor, if one is present. + */ @Json(name = "hubspot_oauth_exchange_factor") val hubspotOAuthExchangeFactor: HubspotOAuthExchangeFactor? = null, + /** + * Information about the Github OAuth Exchange factor, if one is present. + */ @Json(name = "github_oauth_exchange_factor") val githubOAuthExchangeFactor: GithubOAuthExchangeFactor? = null, + /** + * Information about the Google OAuth Exchange factor, if one is present. + */ @Json(name = "google_oauth_exchange_factor") val googleOAuthExchangeFactor: GoogleOAuthExchangeFactor? = null, /** @@ -359,8 +405,14 @@ public data class AuthenticationFactor */ @Json(name = "impersonated_factor") val impersonatedFactor: ImpersonatedFactor? = null, + /** + * Information about the access token exchange factor, if one is present. + */ @Json(name = "oauth_access_token_exchange_factor") val oauthAccessTokenExchangeFactor: OAuthAccessTokenExchangeFactor? = null, + /** + * Information about the trusted auth token factor, if one is present. + */ @Json(name = "trusted_auth_token_factor") val trustedAuthTokenFactor: TrustedAuthTokenFactor? = null, ) 
@@ -376,6 +428,43 @@ public data class AuthenticatorAppFactor val totpId: String, ) +@JsonClass(generateAdapter = true) +public data class AuthorizationCheck + @JvmOverloads + constructor( + /** + * A unique identifier of the RBAC Resource, provided by the developer and intended to be human-readable. + * + * A `resource_id` is not allowed to start with `stytch`, which is a special prefix used for Stytch default Resources + * with reserved `resource_id`s. + * + */ + @Json(name = "resource_id") + val resourceId: String, + /** + * An action to take on a Resource. + */ + @Json(name = "action") + val action: String, + ) + +@JsonClass(generateAdapter = true) +public data class AuthorizationVerdict + @JvmOverloads + constructor( + /** + * Whether the User was authorized to perform the specified action on the specified Resource. Always true if the request + * succeeds. + */ + @Json(name = "authorized") + val authorized: Boolean, + /** + * The complete list of Roles that gave the User permission to perform the specified action on the specified Resource. + */ + @Json(name = "granting_roles") + val grantingRoles: List, + ) + @JsonClass(generateAdapter = true) public data class BiometricFactor @JvmOverloads @@ -496,6 +585,9 @@ public data class GitLabOAuthFactor public data class GithubOAuthExchangeFactor @JvmOverloads constructor( + /** + * The globally unique UUID of the Member's email. + */ @Json(name = "email_id") val emailId: String, ) 
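Review bot: The KDoc on `AuthorizationVerdict.authorized` says the value is "Always true if the request succeeds", so by that description a denial never arrives as `authorized = false`, yet the field reads like the thing to branch on. The deny path is the 403 error described on `AuthenticateRequest.authorizationCheck` in a later hunk, and an integrator who handles only `authorized == false` would never see a denial there. I would add a line to the KDoc: `A denied check is reported as a 403 error on the call, not as authorized = false; treat any error result as not authorized.` If this file is generated like RBAC.kt, the wording change belongs in the generator's source spec.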
@@ -504,10 +596,20 @@ public data class GithubOAuthExchangeFactor public data class GithubOAuthFactor @JvmOverloads constructor( + /** + * The unique ID of an OAuth registration. + */ @Json(name = "id") val id: String, + /** + * The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in + * OAuth protocols. + */ @Json(name = "provider_subject") val providerSubject: String, + /** + * The globally unique UUID of the Member's email. + */ @Json(name = "email_id") val emailId: String? = null, ) @@ -516,6 +618,9 @@ public data class GithubOAuthFactor public data class GoogleOAuthExchangeFactor @JvmOverloads constructor( + /** + * The globally unique UUID of the Member's email. + */ @Json(name = "email_id") val emailId: String, ) @@ -546,6 +651,9 @@ public data class GoogleOAuthFactor public data class HubspotOAuthExchangeFactor @JvmOverloads constructor( + /** + * The globally unique UUID of the Member's email. + */ @Json(name = "email_id") val emailId: String, ) @@ -554,10 +662,20 @@ public data class HubspotOAuthExchangeFactor public data class HubspotOAuthFactor @JvmOverloads constructor( + /** + * The unique ID of an OAuth registration. + */ @Json(name = "id") val id: String, + /** + * The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in + * OAuth protocols. + */ @Json(name = "provider_subject") val providerSubject: String, + /** + * The globally unique UUID of the Member's email. + */ @Json(name = "email_id") val emailId: String? = null, ) @@ -653,6 +771,9 @@ public data class MicrosoftOAuthFactor public data class OAuthAccessTokenExchangeFactor @JvmOverloads constructor( + /** + * The ID of the Connected App client. + */ @Json(name = "client_id") val clientId: String, ) 
@@ -800,6 +921,9 @@ public data class ShopifyOAuthFactor public data class SlackOAuthExchangeFactor @JvmOverloads constructor( + /** + * The globally unique UUID of the Member's email. + */ @Json(name = "email_id") val emailId: String, ) @@ -808,10 +932,20 @@ public data class SlackOAuthExchangeFactor public data class SlackOAuthFactor @JvmOverloads constructor( + /** + * The unique ID of an OAuth registration. + */ @Json(name = "id") val id: String, + /** + * The unique identifier for the User within a given OAuth provider. Also commonly called the `sub` or "Subject field" in + * OAuth protocols. + */ @Json(name = "provider_subject") val providerSubject: String, + /** + * The globally unique UUID of the Member's email. + */ @Json(name = "email_id") val emailId: String? = null, ) @@ -868,6 +1002,9 @@ public data class TikTokOAuthFactor public data class TrustedAuthTokenFactor @JvmOverloads constructor( + /** + * The ID of the trusted auth token. + */ @Json(name = "token_id") val tokenId: String, ) @@ -1059,6 +1196,16 @@ public data class AuthenticateRequest */ @Json(name = "session_custom_claims") val sessionCustomClaims: Map? = emptyMap(), + /** + * If an `authorization_check` object is passed in, this endpoint will also check if the User is + * authorized to perform the given action on the given Resource. A User is authorized if they are assigned a Role with + * adequate permissions. + * + * If the User is not authorized to perform the specified action on the specified Resource, a 403 error will be thrown. + * Otherwise, the response will contain a list of Roles that satisfied the authorization check. + */ + @Json(name = "authorization_check") + val authorizationCheck: AuthorizationCheck? = null, ) /** 
@@ -1105,6 +1252,12 @@ public data class AuthenticateResponse */ @Json(name = "status_code") val statusCode: Int, + /** + * If an `authorization_check` is provided in the request and the check succeeds, this field will return + * information about why the User was granted permission. + */ + @Json(name = "verdict") + val verdict: AuthorizationVerdict? = null, ) /**
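Review bot: `verdict` is declared `AuthorizationVerdict? = null`, but its KDoc covers only the case where an `authorization_check` was sent and succeeded. It does not say that a successful response with a null verdict means no authorization check was performed at all. Since `authorizationCheck` is optional on the request, a caller that forgets to set it still gets a success response and could mistake session validity for permission. I would add a line to the KDoc: `Null when the request carried no authorization_check; a null verdict says nothing about the User's permissions.` The `AuthenticateResponse` class starts outside the hunk.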