Refactor session architecture to match workos-node scope

Removes authkit-level abstractions that belong in a separate authkit-php
library. The SDK now matches workos-node's session handling scope.

Removed (moved to future authkit-php):
- AuthService orchestration layer
- AuthKitCore sealing coordination
- DefaultSessionStorage and SessionStorageInterface
- sealSession() method (sealing is authkit's responsibility)
- REASON_INVALID_JWT constant (unused)

Simplified:
- UserManagement: keeps injectable encryption, removes sealing
- CookieSession: only accepts UserManagement, refresh() returns raw
  tokens instead of sealed session string

Breaking changes:
- CookieSession no longer accepts AuthService
- CookieSession.refresh() returns [response, tokens] not [response, sealed]
- UserManagement.sealSession() removed
- UserManagement.getAuthKitCore() removed

This addresses PR feedback:
- Injectable encryption via SessionEncryptionInterface
- Separate try/catch blocks for encryption vs HTTP errors
- Pluggable session backing without prescriptive sealing

Author: birdcar

lib/CookieSession.php

@@ -9,6 +9,7 @@
  * Class CookieSession
  *
  * Handles encrypted session cookies for user authentication and session management.
+ * Matches workos-node CookieSession behavior - unsealing and validating sessions.
  */
 class CookieSession
 {
@@ -59,20 +60,25 @@ public function authenticate()
     }
 
     /**
-     * Refreshes an expired session and optionally rotates the cookie password.
+     * Refreshes an expired session and returns new tokens.
+     *
+     * Note: This method returns raw tokens. The calling code (e.g., authkit-php)
+     * is responsible for sealing the tokens into a new session cookie.
      *
      * @param array $options Options for session refresh
      *   - 'organizationId' (string|null): Organization to scope the session to
-     *   - 'cookiePassword' (string|null): New password for cookie rotation
      *
-     * @return array{SessionAuthenticationSuccessResponse|SessionAuthenticationFailureResponse, string|null}
-     *         Returns [response, newSealedSession]
+     * @return array{SessionAuthenticationSuccessResponse|SessionAuthenticationFailureResponse, array|null}
+     *         Returns [response, newTokens] where newTokens contains:
+     *         - 'access_token': The new access token
+     *         - 'refresh_token': The new refresh token
+     *         - 'session_id': The session ID
+     *         Returns [failureResponse, null] on error.
      * @throws Exception\WorkOSException
      */
     public function refresh(array $options = [])
     {
         $organizationId = $options['organizationId'] ?? null;
-        $newCookiePassword = $options['cookiePassword'] ?? $this->cookiePassword;
 
         // First authenticate to get the current session data
         $authResult = $this->authenticate();
@@ -81,7 +87,7 @@ public function refresh(array $options = [])
             return [$authResult, null];
         }
 
-        // Use the refresh token to get new authentication tokens
+        // Tight try/catch for refresh token API call
         try {
             $refreshedAuth = $this->userManagement->authenticateWithRefreshToken(
                 WorkOS::getClientId(),
@@ -90,35 +96,32 @@ public function refresh(array $options = [])
                 null,
                 $organizationId
             );
-
-            // Create new sealed session with refreshed data
-            $newSealedSession = $this->userManagement->sealSession(
-                [
-                    'access_token' => $refreshedAuth->accessToken,
-                    'refresh_token' => $refreshedAuth->refreshToken,
-                    'session_id' => $authResult->sessionId
-                ],
-                $newCookiePassword
-            );
-
-            // Build success response from refreshed auth
-            $successResponse = SessionAuthenticationSuccessResponse::constructFromResponse([
-                'authenticated' => true,
-                'access_token' => $refreshedAuth->accessToken,
-                'refresh_token' => $refreshedAuth->refreshToken,
-                'session_id' => $authResult->sessionId,
-                'user' => $refreshedAuth->user->raw,
-                'organization_id' => $refreshedAuth->organizationId ?? $organizationId,
-                'authentication_method' => $authResult->authenticationMethod
-            ]);
-
-            return [$successResponse, $newSealedSession];
         } catch (\Exception $e) {
             $failureResponse = new SessionAuthenticationFailureResponse(
-                SessionAuthenticationFailureResponse::REASON_INVALID_JWT
+                SessionAuthenticationFailureResponse::REASON_HTTP_ERROR
             );
             return [$failureResponse, null];
         }
+
+        // Build success response
+        $successResponse = SessionAuthenticationSuccessResponse::constructFromResponse([
+            'authenticated' => true,
+            'access_token' => $refreshedAuth->accessToken,
+            'refresh_token' => $refreshedAuth->refreshToken,
+            'session_id' => $authResult->sessionId,
+            'user' => $refreshedAuth->user->raw,
+            'organization_id' => $refreshedAuth->organizationId ?? $organizationId,
+            'authentication_method' => $authResult->authenticationMethod
+        ]);
+
+        // Return raw tokens for the caller to seal
+        $newTokens = [
+            'access_token' => $refreshedAuth->accessToken,
+            'refresh_token' => $refreshedAuth->refreshToken,
+            'session_id' => $authResult->sessionId
+        ];
+
+        return [$successResponse, $newTokens];
     }
 
     /**

lib/Resource/SessionAuthenticationFailureResponse.php

@@ -14,7 +14,8 @@ class SessionAuthenticationFailureResponse extends BaseWorkOSResource
 {
     public const REASON_NO_SESSION_COOKIE_PROVIDED = "NO_SESSION_COOKIE_PROVIDED";
     public const REASON_INVALID_SESSION_COOKIE = "INVALID_SESSION_COOKIE";
-    public const REASON_INVALID_JWT = "INVALID_JWT";
+    public const REASON_ENCRYPTION_ERROR = "ENCRYPTION_ERROR";
+    public const REASON_HTTP_ERROR = "HTTP_ERROR";
 
     public const RESOURCE_ATTRIBUTES = [
         "authenticated",

lib/UserManagement.php

@@ -16,6 +16,43 @@ class UserManagement
     public const AUTHORIZATION_PROVIDER_GOOGLE_OAUTH = "GoogleOAuth";
     public const AUTHORIZATION_PROVIDER_MICROSOFT_OAUTH = "MicrosoftOAuth";
 
+    /**
+     * @var Session\SessionEncryptionInterface|null
+     */
+    private $sessionEncryptor = null;
+
+    /**
+     * @param Session\SessionEncryptionInterface|null $encryptor Optional encryption provider
+     */
+    public function __construct(?Session\SessionEncryptionInterface $encryptor = null)
+    {
+        $this->sessionEncryptor = $encryptor;
+    }
+
+    /**
+     * Set the session encryptor.
+     *
+     * @param Session\SessionEncryptionInterface $encryptor
+     * @return void
+     */
+    public function setSessionEncryptor(Session\SessionEncryptionInterface $encryptor): void
+    {
+        $this->sessionEncryptor = $encryptor;
+    }
+
+    /**
+     * Get the session encryptor, defaulting to Halite.
+     *
+     * @return Session\SessionEncryptionInterface
+     */
+    private function getSessionEncryptor(): Session\SessionEncryptionInterface
+    {
+        if ($this->sessionEncryptor === null) {
+            $this->sessionEncryptor = new Session\HaliteSessionEncryption();
+        }
+        return $this->sessionEncryptor;
+    }
+
     /**
      * Create User.
      *
@@ -1395,22 +1432,6 @@ public function revokeSession(string $sessionId)
         return Resource\Session::constructFromResponse($response);
     }
 
-    /**
-     * Creates a sealed session from session data.
-     *
-     * @param array $sessionData Session data containing access_token, refresh_token, session_id
-     * @param string $cookiePassword Password to encrypt the session
-     * @param int|null $ttl Time-to-live in seconds (null for default)
-     *
-     * @return string Sealed session string
-     * @throws Exception\WorkOSException
-     */
-    public function sealSession(array $sessionData, string $cookiePassword, ?int $ttl = null)
-    {
-        $encryptor = new Session\HaliteSessionEncryption();
-        return $encryptor->seal($sessionData, $cookiePassword, $ttl);
-    }
-
     /**
      * Authenticate with a sealed session cookie.
      *
@@ -1430,17 +1451,23 @@ public function authenticateWithSessionCookie(
             );
         }
 
+        // Tight try/catch for unsealing only
         try {
-            $encryptor = new Session\HaliteSessionEncryption();
-            $sessionData = $encryptor->unseal($sealedSession, $cookiePassword);
+            $sessionData = $this->getSessionEncryptor()->unseal($sealedSession, $cookiePassword);
+        } catch (\Exception $e) {
+            return new Resource\SessionAuthenticationFailureResponse(
+                Resource\SessionAuthenticationFailureResponse::REASON_ENCRYPTION_ERROR
+            );
+        }
 
-            if (!isset($sessionData['access_token']) || !isset($sessionData['refresh_token'])) {
-                return new Resource\SessionAuthenticationFailureResponse(
-                    Resource\SessionAuthenticationFailureResponse::REASON_INVALID_SESSION_COOKIE
-                );
-            }
+        if (!isset($sessionData['access_token']) || !isset($sessionData['refresh_token'])) {
+            return new Resource\SessionAuthenticationFailureResponse(
+                Resource\SessionAuthenticationFailureResponse::REASON_INVALID_SESSION_COOKIE
+            );
+        }
 
-            // Verify the JWT access token and get user info via API
+        // Separate try/catch for HTTP request
+        try {
             $path = "user_management/sessions/authenticate";
             $params = [
                 "access_token" => $sessionData['access_token'],
@@ -1458,7 +1485,7 @@ public function authenticateWithSessionCookie(
             return Resource\SessionAuthenticationSuccessResponse::constructFromResponse($response);
         } catch (\Exception $e) {
             return new Resource\SessionAuthenticationFailureResponse(
-                Resource\SessionAuthenticationFailureResponse::REASON_INVALID_SESSION_COOKIE
+                Resource\SessionAuthenticationFailureResponse::REASON_HTTP_ERROR
             );
         }
     }

tests/WorkOS/CookieSessionTest.php

@@ -31,16 +31,15 @@ protected function setUp(): void
         $this->withApiKeyAndClientId();
         $this->userManagement = new UserManagement();
 
-        // Create a sealed session for testing
+        // Create a sealed session for testing using encryptor directly
+        // (sealing is authkit-php's responsibility, not SDK's)
         $sessionData = [
             'access_token' => 'test_access_token_12345',
             'refresh_token' => 'test_refresh_token_67890',
             'session_id' => 'session_01H7X1M4TZJN5N4HG4XXMA1234'
         ];
-        $this->sealedSession = $this->userManagement->sealSession(
-            $sessionData,
-            $this->cookiePassword
-        );
+        $encryptor = new Session\HaliteSessionEncryption();
+        $this->sealedSession = $encryptor->seal($sessionData, $this->cookiePassword);
     }
 
     public function testConstructCookieSession()
@@ -95,17 +94,13 @@ public function testLoadSealedSessionReturnsValidCookieSession()
         $this->assertInstanceOf(CookieSession::class, $cookieSession);
     }
 
-    public function testRefreshPassesCorrectParametersToAuthenticateWithRefreshToken()
+    public function testRefreshReturnsRawTokensOnSuccess()
     {
-        // REGRESSION TEST: Verify that CookieSession.refresh() passes all 5 parameters
-        // to authenticateWithRefreshToken(), not just 2. The clientId parameter must be
-        // included from WorkOS::getClientId() (see CookieSession.php:86-92)
-
         $organizationId = "org_01H7X1M4TZJN5N4HG4XXMA1234";
 
         // Create a mock UserManagement to verify method calls
         $userManagementMock = $this->getMockBuilder(UserManagement::class)
-            ->onlyMethods(['authenticateWithSessionCookie', 'authenticateWithRefreshToken', 'sealSession'])
+            ->onlyMethods(['authenticateWithSessionCookie', 'authenticateWithRefreshToken'])
             ->getMock();
 
         // Mock authenticateWithSessionCookie to return a successful authentication
@@ -129,7 +124,7 @@ public function testRefreshPassesCorrectParametersToAuthenticateWithRefreshToken
         $userManagementMock->method('authenticateWithSessionCookie')
             ->willReturn($authResponse);
 
-        // CRITICAL ASSERTION: Verify authenticateWithRefreshToken is called with exactly 5 parameters
+        // Setup refresh to succeed
         $refreshResponseData = [
             'access_token' => 'new_access_token',
             'refresh_token' => 'new_refresh_token',
@@ -150,28 +145,107 @@ public function testRefreshPassesCorrectParametersToAuthenticateWithRefreshToken
             ->method('authenticateWithRefreshToken')
             ->with(
                 $this->identicalTo(WorkOS::getClientId()),  // clientId from config
-                $this->identicalTo('test_refresh_token'),    // refresh token
-                $this->identicalTo(null),                    // ipAddress
-                $this->identicalTo(null),                    // userAgent
-                $this->identicalTo($organizationId)          // organizationId
+                $this->identicalTo('test_refresh_token'),   // refresh token
+                $this->identicalTo(null),                   // ipAddress
+                $this->identicalTo(null),                   // userAgent
+                $this->identicalTo($organizationId)         // organizationId
             )
             ->willReturn($refreshResponse);
 
-        $userManagementMock->method('sealSession')
-            ->willReturn('new_sealed_session');
-
         // Execute refresh with the mocked UserManagement
         $cookieSession = new CookieSession(
             $userManagementMock,
             $this->sealedSession,
             $this->cookiePassword
         );
 
-        [$response, $newSealedSession] = $cookieSession->refresh([
+        [$response, $tokens] = $cookieSession->refresh([
             'organizationId' => $organizationId
         ]);
 
-        // If we reach here without the mock throwing an exception, the test passes
+        // Verify response is successful
         $this->assertInstanceOf(Resource\SessionAuthenticationSuccessResponse::class, $response);
+        $this->assertTrue($response->authenticated);
+
+        // Verify tokens are returned as raw array (not sealed)
+        $this->assertIsArray($tokens);
+        $this->assertArrayHasKey('access_token', $tokens);
+        $this->assertArrayHasKey('refresh_token', $tokens);
+        $this->assertArrayHasKey('session_id', $tokens);
+        $this->assertEquals('new_access_token', $tokens['access_token']);
+        $this->assertEquals('new_refresh_token', $tokens['refresh_token']);
+        $this->assertEquals('session_123', $tokens['session_id']);
+    }
+
+    public function testRefreshReturnsNullTokensOnAuthFailure()
+    {
+        $userManagementMock = $this->getMockBuilder(UserManagement::class)
+            ->onlyMethods(['authenticateWithSessionCookie'])
+            ->getMock();
+
+        $failResponse = new Resource\SessionAuthenticationFailureResponse(
+            Resource\SessionAuthenticationFailureResponse::REASON_INVALID_SESSION_COOKIE
+        );
+
+        $userManagementMock->method('authenticateWithSessionCookie')
+            ->willReturn($failResponse);
+
+        $cookieSession = new CookieSession(
+            $userManagementMock,
+            'invalid-session',
+            $this->cookiePassword
+        );
+
+        [$response, $tokens] = $cookieSession->refresh();
+
+        $this->assertFalse($response->authenticated);
+        $this->assertNull($tokens);
+    }
+
+    public function testRefreshReturnsHttpErrorOnApiFailure()
+    {
+        $userManagementMock = $this->getMockBuilder(UserManagement::class)
+            ->onlyMethods(['authenticateWithSessionCookie', 'authenticateWithRefreshToken'])
+            ->getMock();
+
+        // Mock successful initial auth
+        $authResponseData = [
+            'authenticated' => true,
+            'access_token' => 'test_access_token',
+            'refresh_token' => 'test_refresh_token',
+            'session_id' => 'session_123',
+            'user' => [
+                'object' => 'user',
+                'id' => 'user_123',
+                'email' => 'test@test.com',
+                'first_name' => 'Test',
+                'last_name' => 'User',
+                'email_verified' => true,
+                'created_at' => '2021-01-01T00:00:00.000Z',
+                'updated_at' => '2021-01-01T00:00:00.000Z'
+            ]
+        ];
+        $authResponse = Resource\SessionAuthenticationSuccessResponse::constructFromResponse($authResponseData);
+        $userManagementMock->method('authenticateWithSessionCookie')
+            ->willReturn($authResponse);
+
+        // Mock refresh to throw exception
+        $userManagementMock->method('authenticateWithRefreshToken')
+            ->willThrowException(new \Exception('HTTP request failed'));
+
+        $cookieSession = new CookieSession(
+            $userManagementMock,
+            $this->sealedSession,
+            $this->cookiePassword
+        );
+
+        [$response, $tokens] = $cookieSession->refresh();
+
+        $this->assertFalse($response->authenticated);
+        $this->assertEquals(
+            Resource\SessionAuthenticationFailureResponse::REASON_HTTP_ERROR,
+            $response->reason
+        );
+        $this->assertNull($tokens);
     }
 }