Skip to content

Add authenticationMethod to sealed session#1417

Merged
cmatheson merged 1 commit intomainfrom
add-authentication-method-to-sealed-session
Dec 16, 2025
Merged

Add authenticationMethod to sealed session#1417
cmatheson merged 1 commit intomainfrom
add-authentication-method-to-sealed-session

Conversation

@cmatheson
Copy link
Contributor

@cmatheson cmatheson commented Dec 15, 2025

Description

Documentation

Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.

[ ] Yes

If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.

@cmatheson cmatheson requested a review from a team as a code owner December 15, 2025 23:03
@greptile-apps
Copy link
Contributor

greptile-apps bot commented Dec 15, 2025

Greptile Overview

Greptile Summary

Added authenticationMethod field to sealed session data and related response types. This field flows through the session management pipeline: stored in SessionCookieData when sealing sessions, retrieved when authenticating with session cookies, and returned in session refresh responses.

Changes:

  • Updated SessionCookieData type to include authenticationMethod from AuthenticationResponse
  • Updated AuthenticateWithSessionCookieSuccessResponse to expose authenticationMethod field
  • Modified CookieSession.authenticate() to return authenticationMethod from unsealed session data
  • Modified CookieSession.refresh() to include authenticationMethod in response
  • Modified UserManagement.authenticateWithSessionCookie() to include authenticationMethod in response
  • Modified UserManagement.sealSessionDataFromAuthenticationResponse() to store authenticationMethod in sealed session data

The implementation is consistent across all authentication and session refresh flows.

Confidence Score: 5/5

  • This PR is safe to merge with no identified risks
  • The changes are straightforward and follow existing patterns in the codebase. The authenticationMethod field already exists in AuthenticationResponse and is simply being propagated through the session management flow. All changes are additive (no breaking changes), properly typed, and consistent with the existing architecture. No security issues, logic errors, or custom rule violations detected.
  • No files require special attention

Important Files Changed

File Analysis

Filename Score Overview
src/user-management/interfaces/authenticate-with-session-cookie.interface.ts 5/5 Added authenticationMethod to SessionCookieData and AuthenticateWithSessionCookieSuccessResponse types, no issues found
src/user-management/session.ts 5/5 Added authenticationMethod to return values in authenticate() and refresh() methods, properly mapped from session data
src/user-management/user-management.ts 5/5 Added authenticationMethod to session cookie response and session sealing logic, consistently passing through the field

Sequence Diagram

sequenceDiagram
    participant Client
    participant UserManagement
    participant CookieSession
    participant IronSessionProvider
    participant AuthResponse

    Note over Client,AuthResponse: Authentication Flow with authenticationMethod

    Client->>UserManagement: authenticateWithCode/Password/etc(options)
    UserManagement->>AuthResponse: POST /user_management/authenticate
    AuthResponse-->>UserManagement: AuthenticationResponse (with authenticationMethod)
    
    alt sealSession is true
        UserManagement->>UserManagement: sealSessionDataFromAuthenticationResponse()
        Note over UserManagement: Creates SessionCookieData with:<br/>- accessToken<br/>- refreshToken<br/>- user<br/>- authenticationMethod<br/>- impersonator<br/>- organizationId
        UserManagement->>IronSessionProvider: sealData(sessionData)
        IronSessionProvider-->>UserManagement: sealedSession string
    end
    
    UserManagement-->>Client: AuthenticationResponse + sealedSession

    Note over Client,AuthResponse: Session Cookie Authentication Flow

    Client->>UserManagement: authenticateWithSessionCookie(sessionData)
    UserManagement->>IronSessionProvider: unsealData(sessionData)
    IronSessionProvider-->>UserManagement: SessionCookieData (with authenticationMethod)
    UserManagement->>UserManagement: isValidJwt(accessToken)
    UserManagement-->>Client: AuthenticateWithSessionCookieSuccessResponse<br/>(includes authenticationMethod)

    Note over Client,AuthResponse: Session Refresh Flow

    Client->>CookieSession: refresh(options)
    CookieSession->>IronSessionProvider: unsealData(sessionData)
    IronSessionProvider-->>CookieSession: SessionCookieData
    CookieSession->>UserManagement: authenticateWithRefreshToken()
    UserManagement->>AuthResponse: POST /user_management/authenticate
    AuthResponse-->>UserManagement: AuthenticationResponse (with authenticationMethod)
    UserManagement->>IronSessionProvider: sealData(sessionData with authenticationMethod)
    IronSessionProvider-->>CookieSession: new sealedSession
    CookieSession-->>Client: RefreshSessionResponse<br/>(includes authenticationMethod)
Loading

greptile-apps[bot]
greptile-apps bot reviewed Dec 15, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3 files reviewed, no comments

Edit Code Review Agent Settings | Greptile

@cmatheson cmatheson merged commit 381ffb8 into main Dec 16, 2025
7 checks passed
@cmatheson cmatheson deleted the add-authentication-method-to-sealed-session branch December 16, 2025 00:00
@greptile-apps greptile-apps bot mentioned this pull request Dec 16, 2025
Merged
cmatheson added a commit that referenced this pull request Dec 24, 2025
@cmatheson
v7.78.0 (#1418)
0e60589 
## Description

Includes:
-  #1417
- #1420 

## Documentation

Does this require changes to the WorkOS Docs? E.g. the [API
Reference](https://workos.com/docs/reference) or code snippets need
updates.

```
[ ] Yes
```

If yes, link a related docs PR and add a docs maintainer as a reviewer.
Their approval is required.

<!-- av pr metadata
This information is embedded by the av CLI when creating PRs to track
the status of stacks when using Aviator. Please do not delete or edit
this section of the PR.
```
{"parent":"main","parentHead":"","trunk":"main"}
```
-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

@mthadley mthadley mthadley approved these changes

@blairworkos blairworkos Awaiting requested review from blairworkos blairworkos is a code owner automatically assigned from workos/typescript

@nicknisi nicknisi Awaiting requested review from nicknisi

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cmatheson @mthadley