User Authentication

const user = await workos.userManagement.createUser({
  email: '[email protected]',
  password: 'secure-password',
  firstName: 'John',
  lastName: 'Doe',
  emailVerified: false
});

console.log(user.id);           // user_123
console.log(user.email);        // [email protected]
console.log(user.emailVerified); // false

const { user, accessToken, refreshToken } = 
  await workos.userManagement.authenticateWithPassword({
    clientId: process.env.WORKOS_CLIENT_ID,
    email: '[email protected]',
    password: 'secure-password'
  });

console.log('Logged in:', user.email);
console.log('Access token:', accessToken);

const response = await workos.userManagement.authenticateWithPassword({
  clientId: process.env.WORKOS_CLIENT_ID,
  email: '[email protected]',
  password: 'secure-password',
  session: {
    sealSession: true,
    cookiePassword: process.env.COOKIE_PASSWORD // 32+ character secret
  }
});

// Set the encrypted session cookie
res.cookie('wos-session', response.sealedSession, {
  httpOnly: true,
  secure: true,
  sameSite: 'lax',
  maxAge: 7 * 24 * 60 * 60 * 1000 // 7 days
});

const session = await workos.userManagement.authenticateWithSessionCookie({
  sessionData: req.cookies['wos-session'],
  cookiePassword: process.env.COOKIE_PASSWORD
});

if (session.authenticated) {
  console.log('User:', session.user.email);
  console.log('Session ID:', session.sessionId);
  console.log('Organization:', session.organizationId);
  console.log('Permissions:', session.permissions);
} else {
  console.log('Invalid session:', session.reason);
}

const magicAuth = await workos.userManagement.createMagicAuth({
  email: '[email protected]',
  invitationToken: 'optional_invitation_token'
});

console.log(magicAuth.id);    // magic_auth_123
console.log(magicAuth.code);  // Secret code for email
console.log(magicAuth.email); // [email protected]

// Send magicAuth.code via email to the user

const { user, accessToken } = 
  await workos.userManagement.authenticateWithMagicAuth({
    clientId: process.env.WORKOS_CLIENT_ID,
    code: '123456',
    email: '[email protected]'
  });

console.log('User authenticated:', user.email);

const authorizationUrl = workos.userManagement.getAuthorizationUrl({
  provider: 'authkit',
  clientId: process.env.WORKOS_CLIENT_ID,
  redirectUri: 'http://localhost:3000/callback',
  state: 'random-state'
});

res.redirect(authorizationUrl);

const { url, state, codeVerifier } = 
  await workos.userManagement.getAuthorizationUrlWithPKCE({
    provider: 'authkit',
    clientId: process.env.WORKOS_CLIENT_ID,
    redirectUri: 'myapp://callback'
  });

// Store state and codeVerifier securely

const { user, accessToken, refreshToken } = 
  await workos.userManagement.authenticateWithCode({
    clientId: process.env.WORKOS_CLIENT_ID,
    code: req.query.code as string
  });

// For public clients with PKCE:
const result = await workos.userManagement.authenticateWithCode({
  clientId: process.env.WORKOS_CLIENT_ID,
  code: req.query.code as string,
  codeVerifier: storedCodeVerifier
});

const { accessToken, refreshToken } = 
  await workos.userManagement.authenticateWithRefreshToken({
    clientId: process.env.WORKOS_CLIENT_ID,
    refreshToken: storedRefreshToken
  });

console.log('New access token:', accessToken);

const { authenticationFactor, authenticationChallenge } = 
  await workos.userManagement.enrollAuthFactor({
    userId: 'user_123',
    type: 'totp'
  });

// Display authenticationFactor.totp.qrCode to user
console.log('QR Code:', authenticationFactor.totp?.qrCode);
console.log('Secret:', authenticationFactor.totp?.secret);

// First authenticate with password
const passwordAuth = await workos.userManagement.authenticateWithPassword({
  clientId: process.env.WORKOS_CLIENT_ID,
  email: '[email protected]',
  password: 'secure-password'
});

// User is prompted for MFA
if (passwordAuth.authenticationMethod === 'Password') {
  // Verify TOTP code
  const { user, accessToken } = 
    await workos.userManagement.authenticateWithTotp({
      clientId: process.env.WORKOS_CLIENT_ID,
      code: '123456',
      authenticationChallengeId: passwordAuth.authenticationChallengeId,
      pendingAuthenticationToken: passwordAuth.pendingAuthenticationToken
    });

  console.log('MFA verified:', user.email);
}

const factors = await workos.userManagement.listAuthFactors({
  userId: 'user_123'
});

for await (const factor of factors.autoPagination()) {
  console.log(factor.id, factor.type, factor.totp);
}

const { user } = await workos.userManagement.sendVerificationEmail({
  userId: 'user_123'
});

console.log('Verification sent to:', user.email);

const { user } = await workos.userManagement.verifyEmail({
  userId: 'user_123',
  code: '123456'
});

console.log('Email verified:', user.emailVerified);

const { user, accessToken } = 
  await workos.userManagement.authenticateWithEmailVerification({
    clientId: process.env.WORKOS_CLIENT_ID,
    code: '123456',
    pendingAuthenticationToken: 'pending_token'
  });

const passwordReset = await workos.userManagement.createPasswordReset({
  email: '[email protected]'
});

console.log('Reset token:', passwordReset.passwordResetToken);
console.log('Reset URL:', passwordReset.passwordResetUrl);

// Send passwordReset.passwordResetUrl via email

const { user } = await workos.userManagement.resetPassword({
  token: 'password_reset_token',
  newPassword: 'new-secure-password'
});

console.log('Password reset for:', user.email);