B2B TOTPs + General SDK Bump

README.md

@@ -39,12 +39,15 @@ This client library supports all of Stytch's live products:
 
 - [x] [Organizations](https://stytch.com/docs/b2b/api/organization-object)
 - [x] [Members](https://stytch.com/docs/b2b/api/member-object)
+- [x] [RBAC](https://stytch.com/docs/b2b/api/rbac-resource-object)
 - [x] [Email Magic Links](https://stytch.com/docs/b2b/api/send-login-signup-email)
 - [x] [OAuth logins](https://stytch.com/docs/b2b/api/oauth-google-start)
 - [x] [Session Management](https://stytch.com/docs/b2b/api/session-object)
 - [x] [Single-Sign On](https://stytch.com/docs/b2b/api/sso-authenticate-start)
 - [x] [Discovery](https://stytch.com/docs/b2b/api/discovered-organization-object)
 - [x] [Passwords](https://stytch.com/docs/b2b/api/passwords-authenticate)
+- [x] [SMS OTP (MFA)](https://stytch.com/docs/b2b/api/otp-sms-send)
+- [x] [M2M](https://stytch.com/docs/b2b/api/m2m-client)
 
 **Shared**
 
@@ -118,10 +121,11 @@ client.organizations
 Log the first user into the organization
 
 ```javascript
-client.magicLinks.loginOrSignup({
-  organization_id: "organization-id-from-create-response-..."
-  email_address: "admin@acme.co"
-})
+client.magicLinks
+  .loginOrSignup({
+    organization_id: "organization-id-from-create-response-...",
+    email_address: "admin@acme.co",
+  })
   .then((res) => console.log(res))
   .catch((err) => console.error(err));
 ```

lib/b2b/client.ts

@@ -12,6 +12,7 @@ import { PolicyCache } from "./rbac_local";
 import { RBAC } from "./rbac";
 import { Sessions } from "./sessions";
 import { SSO } from "./sso";
+import { TOTPs } from "./totps";
 
 export class B2BClient extends BaseClient {
   protected jwtConfig: JwtConfig;
@@ -25,6 +26,7 @@ export class B2BClient extends BaseClient {
   rbac: RBAC;
   sso: SSO;
   sessions: Sessions;
+  totps: TOTPs;
 
   constructor(config: ClientConfig) {
     super(config);
@@ -53,5 +55,6 @@ export class B2BClient extends BaseClient {
     this.rbac = new RBAC(this.fetchConfig);
     this.sso = new SSO(this.fetchConfig);
     this.sessions = new Sessions(this.fetchConfig, this.jwtConfig, policyCache);
+    this.totps = new TOTPs(this.fetchConfig);
   }
 }

lib/b2b/discovery_organizations.ts

@@ -156,7 +156,7 @@ export interface B2BDiscoveryOrganizationsCreateRequest {
    */
   mfa_policy?: string;
   /**
-   * (Coming Soon) Implicit role assignments based off of email domains.
+   * Implicit role assignments based off of email domains.
    *   For each domain-Role pair, all Members whose email addresses have the specified email domain will be
    * granted the
    *   associated Role, regardless of their login method. See the

lib/b2b/index.ts

@@ -91,6 +91,15 @@ export type {
   B2BSessionsRevokeResponse,
 } from "./sessions";
 
+export type {
+  B2BTOTPsAuthenticateRequest,
+  B2BTOTPsAuthenticateResponse,
+  B2BTOTPsCreateRequest,
+  B2BTOTPsCreateResponse,
+  B2BTOTPsMigrateRequest,
+  B2BTOTPsMigrateResponse,
+} from "./totps";
+
 export type {
   DiscoveredOrganization,
   Membership,

lib/b2b/magic_links_email.ts

@@ -72,7 +72,7 @@ export interface B2BMagicLinksEmailInviteRequest {
    */
   locale?: "en" | "es" | "pt-br" | string;
   /**
-   * (Coming Soon) Roles to explicitly assign to this Member. See the
+   * Roles to explicitly assign to this Member. See the
    * [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
    *    for more information about role assignment.
    */

lib/b2b/organizations.ts

@@ -105,8 +105,7 @@ export interface Member {
   // Whether or not the Member's phone number is verified.
   mfa_phone_number_verified: boolean;
   /**
-   * (Coming Soon) Whether or not the Member has the `stytch_admin` Role. This Role is automatically granted
-   * to Members
+   * Whether or not the Member has the `stytch_admin` Role. This Role is automatically granted to Members
    *   who create an Organization through the
    * [discovery flow](https://stytch.com/docs/b2b/api/create-organization-via-discovery). See the
    *   [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/stytch-defaults) for more details on this Role.
@@ -120,9 +119,9 @@ export interface Member {
   mfa_enrolled: boolean;
   // The Member's phone number. A Member may only have one phone number.
   mfa_phone_number: string;
+  default_mfa_method: string;
   /**
-   * (Coming Soon) Explicit or implicit Roles assigned to this Member, along with details about the role
-   * assignment source.
+   * Explicit or implicit Roles assigned to this Member, along with details about the role assignment source.
    *    See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information
    * about role assignment.
    */
@@ -345,14 +344,32 @@ export interface Organization {
   allowed_auth_methods: string[];
   mfa_policy: string;
   /**
-   * (Coming Soon) Implicit role assignments based off of email domains.
+   * Implicit role assignments based off of email domains.
    *   For each domain-Role pair, all Members whose email addresses have the specified email domain will be
    * granted the
    *   associated Role, regardless of their login method. See the
    * [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
    *   for more information about role assignment.
    */
   rbac_email_implicit_role_assignments: EmailImplicitRoleAssignment[];
+  /**
+   * The setting that controls which mfa methods can be used by Members of an Organization. The accepted
+   * values are:
+   *
+   *   `ALL_ALLOWED` – the default setting which allows all authentication methods to be used.
+   *
+   *   `RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication.
+   * This setting does not apply to Members with `is_breakglass` set to `true`.
+   *
+   */
+  mfa_methods: string;
+  /**
+   * An array of allowed mfa authentication methods. This list is enforced when `mfa_methods` is set to
+   * `RESTRICTED`.
+   *   The list's accepted values are: `sms_otp` and `totp`.
+   *
+   */
+  allowed_mfa_methods: string[];
   // An arbitrary JSON object for storing application-specific data or identity-provider-specific data.
   trusted_metadata?: Record<string, any>; // eslint-disable-line @typescript-eslint/no-explicit-any
   // The default connection used for SSO when there are multiple active connections.
@@ -474,14 +491,16 @@ export interface B2BOrganizationsCreateRequest {
    */
   mfa_policy?: string;
   /**
-   * (Coming Soon) Implicit role assignments based off of email domains.
+   * Implicit role assignments based off of email domains.
    *   For each domain-Role pair, all Members whose email addresses have the specified email domain will be
    * granted the
    *   associated Role, regardless of their login method. See the
    * [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
    *   for more information about role assignment.
    */
   rbac_email_implicit_role_assignments?: EmailImplicitRoleAssignment[];
+  mfa_methods?: string;
+  allowed_mfa_methods?: string[];
 }
 
 // Response type for `organizations.create`.
@@ -756,7 +775,7 @@ export interface B2BOrganizationsUpdateRequest {
    */
   mfa_policy?: string;
   /**
-   * (Coming Soon) Implicit role assignments based off of email domains.
+   * Implicit role assignments based off of email domains.
    *   For each domain-Role pair, all Members whose email addresses have the specified email domain will be
    * granted the
    *   associated Role, regardless of their login method. See the
@@ -767,6 +786,8 @@ export interface B2BOrganizationsUpdateRequest {
    * permission to perform the `update.settings.implicit-roles` action on the `stytch.organization` Resource.
    */
   rbac_email_implicit_role_assignments?: string[];
+  mfa_methods?: string;
+  allowed_mfa_methods?: string[];
 }
 
 // Response type for `organizations.update`.
@@ -924,8 +945,8 @@ export class Organizations {
    * resource to learn more about fields like `email_jit_provisioning`, `email_invites`,
    * `sso_jit_provisioning`, etc., and their behaviors.
    *
-   * (Coming Soon) Our RBAC implementation offers out-of-the-box handling of authorization checks for this
-   * endpoint. If you pass in
+   * Our RBAC implementation offers out-of-the-box handling of authorization checks for this endpoint. If you
+   * pass in
    * a header containing a `session_token` or a `session_jwt` for an unexpired Member Session, we will check
    * that the
    * Member Session has the necessary permissions. The specific permissions needed depend on which of the
@@ -978,6 +999,8 @@ export class Organizations {
         mfa_policy: data.mfa_policy,
         rbac_email_implicit_role_assignments:
           data.rbac_email_implicit_role_assignments,
+        mfa_methods: data.mfa_methods,
+        allowed_mfa_methods: data.allowed_mfa_methods,
       },
     });
   }