Add vault describe_object endpoint and tests for passwordless/vault

gjtorikian · claude · gjtorikian · commit b030245f9d72 · 2026-04-03T11:56:09.000-04:00
- Add describe_object (sync + async) to vault.py for GET /vault/v1/kv/:id/metadata,
  matching the Node SDK's describeObject method
- Add test_passwordless.py with sync + async tests for create_session and send_session
- Add test_vault.py with sync + async tests for all vault operations including
  read, describe, list, create, update, delete, data keys, and encrypt/decrypt round-trip
- Add JSON fixtures for passwordless and vault test data

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/workos/vault.py b/src/workos/vault.py
@@ -302,6 +302,15 @@ def read_object_by_name(self, *, name: str) -> VaultObject:
         )
         return response
 
+    def describe_object(self, *, object_id: str) -> VaultObject:
+        """Get a Vault object's metadata without decrypting the value."""
+        response = self._client.request(
+            method="get",
+            path=f"vault/v1/kv/{object_id}/metadata",
+            model=VaultObject,
+        )
+        return response
+
     def list_objects(
         self,
         *,
@@ -475,6 +484,14 @@ async def read_object_by_name(self, *, name: str) -> VaultObject:
         )
         return response
 
+    async def describe_object(self, *, object_id: str) -> VaultObject:
+        response = await self._client.request(
+            method="get",
+            path=f"vault/v1/kv/{object_id}/metadata",
+            model=VaultObject,
+        )
+        return response
+
     async def list_objects(
         self,
         *,
diff --git a/tests/fixtures/passwordless_session.json b/tests/fixtures/passwordless_session.json
@@ -0,0 +1,7 @@
+{
+  "object": "passwordless_session",
+  "id": "passwordless_session_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+  "email": "user@example.com",
+  "expires_at": "2025-01-01T00:00:00.000Z",
+  "link": "https://auth.workos.com/passwordless/01EHDAK2BFGWCSZXP9HGZ3VK8C/confirm"
+}
diff --git a/tests/fixtures/vault_create_object.json b/tests/fixtures/vault_create_object.json
@@ -0,0 +1,12 @@
+{
+  "context": {"tenant": "acme"},
+  "environment_id": "environment_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+  "id": "vault_obj_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+  "key_id": "vault_key_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+  "updated_at": "2025-01-01T00:00:00.000Z",
+  "updated_by": {
+    "id": "key_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+    "name": "My API Key"
+  },
+  "version_id": "vault_ver_01EHDAK2BFGWCSZXP9HGZ3VK8C"
+}
diff --git a/tests/fixtures/vault_data_key.json b/tests/fixtures/vault_data_key.json
@@ -0,0 +1,6 @@
+{
+  "context": {"tenant": "acme"},
+  "id": "vault_key_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+  "data_key": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=",
+  "encrypted_keys": "dGVzdC1lbmNyeXB0ZWQta2V5cw=="
+}
diff --git a/tests/fixtures/vault_decrypt_key.json b/tests/fixtures/vault_decrypt_key.json
@@ -0,0 +1,4 @@
+{
+  "id": "vault_key_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+  "data_key": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE="
+}
diff --git a/tests/fixtures/vault_list_object_versions.json b/tests/fixtures/vault_list_object_versions.json
@@ -0,0 +1,9 @@
+{
+  "data": [
+    {
+      "created_at": "2025-01-01T00:00:00.000Z",
+      "current_version": true,
+      "id": "vault_ver_01EHDAK2BFGWCSZXP9HGZ3VK8C"
+    }
+  ]
+}
diff --git a/tests/fixtures/vault_list_objects.json b/tests/fixtures/vault_list_objects.json
@@ -0,0 +1,13 @@
+{
+  "data": [
+    {
+      "id": "vault_obj_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+      "name": "my-secret",
+      "updated_at": "2025-01-01T00:00:00.000Z"
+    }
+  ],
+  "list_metadata": {
+    "before": null,
+    "after": null
+  }
+}
diff --git a/tests/fixtures/vault_object.json b/tests/fixtures/vault_object.json
@@ -0,0 +1,17 @@
+{
+  "id": "vault_obj_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+  "metadata": {
+    "context": {"tenant": "acme"},
+    "environment_id": "environment_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+    "id": "vault_obj_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+    "key_id": "vault_key_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+    "updated_at": "2025-01-01T00:00:00.000Z",
+    "updated_by": {
+      "id": "key_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+      "name": "My API Key"
+    },
+    "version_id": "vault_ver_01EHDAK2BFGWCSZXP9HGZ3VK8C"
+  },
+  "name": "my-secret",
+  "value": "super-secret-value"
+}
diff --git a/tests/fixtures/vault_object_metadata.json b/tests/fixtures/vault_object_metadata.json
@@ -0,0 +1,16 @@
+{
+  "id": "vault_obj_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+  "metadata": {
+    "context": {"tenant": "acme"},
+    "environment_id": "environment_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+    "id": "vault_obj_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+    "key_id": "vault_key_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+    "updated_at": "2025-01-01T00:00:00.000Z",
+    "updated_by": {
+      "id": "key_01EHDAK2BFGWCSZXP9HGZ3VK8C",
+      "name": "My API Key"
+    },
+    "version_id": "vault_ver_01EHDAK2BFGWCSZXP9HGZ3VK8C"
+  },
+  "name": "my-secret"
+}
diff --git a/tests/test_passwordless.py b/tests/test_passwordless.py
@@ -0,0 +1,203 @@
+import json
+
+import pytest
+from workos import WorkOS, AsyncWorkOS
+from tests.generated_helpers import load_fixture
+
+from workos.passwordless import PasswordlessSession
+from workos._errors import (
+    AuthenticationException,
+    NotFoundException,
+    RateLimitExceededException,
+    ServerException,
+)
+
+
+class TestPasswordless:
+    def test_create_session(self, workos, httpx_mock):
+        httpx_mock.add_response(
+            json=load_fixture("passwordless_session.json"),
+        )
+        result = workos.passwordless.create_session(
+            email="user@example.com", type="MagicLink"
+        )
+        assert isinstance(result, PasswordlessSession)
+        assert result.id == "passwordless_session_01EHDAK2BFGWCSZXP9HGZ3VK8C"
+        assert result.email == "user@example.com"
+        assert result.link.startswith("https://auth.workos.com/passwordless/")
+        request = httpx_mock.get_request()
+        assert request.method == "POST"
+        assert request.url.path.endswith("/passwordless/sessions")
+        body = json.loads(request.content)
+        assert body["email"] == "user@example.com"
+        assert body["type"] == "MagicLink"
+
+    def test_create_session_with_optional_params(self, workos, httpx_mock):
+        httpx_mock.add_response(
+            json=load_fixture("passwordless_session.json"),
+        )
+        result = workos.passwordless.create_session(
+            email="user@example.com",
+            type="MagicLink",
+            redirect_uri="https://example.com/callback",
+            state="custom-state",
+            expires_in=3600,
+        )
+        assert isinstance(result, PasswordlessSession)
+        request = httpx_mock.get_request()
+        body = json.loads(request.content)
+        assert body["redirect_uri"] == "https://example.com/callback"
+        assert body["state"] == "custom-state"
+        assert body["expires_in"] == 3600
+
+    def test_send_session(self, workos, httpx_mock):
+        httpx_mock.add_response(status_code=204)
+        result = workos.passwordless.send_session(
+            "passwordless_session_01EHDAK2BFGWCSZXP9HGZ3VK8C"
+        )
+        assert result is True
+        request = httpx_mock.get_request()
+        assert request.method == "POST"
+        assert request.url.path.endswith(
+            "/passwordless/sessions/passwordless_session_01EHDAK2BFGWCSZXP9HGZ3VK8C/send"
+        )
+
+    def test_create_session_unauthorized(self, workos, httpx_mock):
+        httpx_mock.add_response(
+            status_code=401,
+            json={"message": "Unauthorized"},
+        )
+        with pytest.raises(AuthenticationException):
+            workos.passwordless.create_session(
+                email="user@example.com", type="MagicLink"
+            )
+
+    def test_create_session_not_found(self, httpx_mock):
+        workos = WorkOS(api_key="sk_test_123", client_id="client_test", max_retries=0)
+        try:
+            httpx_mock.add_response(status_code=404, json={"message": "Not found"})
+            with pytest.raises(NotFoundException):
+                workos.passwordless.create_session(
+                    email="user@example.com", type="MagicLink"
+                )
+        finally:
+            workos.close()
+
+    def test_create_session_rate_limited(self, httpx_mock):
+        workos = WorkOS(api_key="sk_test_123", client_id="client_test", max_retries=0)
+        try:
+            httpx_mock.add_response(
+                status_code=429,
+                headers={"Retry-After": "0"},
+                json={"message": "Slow down"},
+            )
+            with pytest.raises(RateLimitExceededException):
+                workos.passwordless.create_session(
+                    email="user@example.com", type="MagicLink"
+                )
+        finally:
+            workos.close()
+
+    def test_create_session_server_error(self, httpx_mock):
+        workos = WorkOS(api_key="sk_test_123", client_id="client_test", max_retries=0)
+        try:
+            httpx_mock.add_response(status_code=500, json={"message": "Server error"})
+            with pytest.raises(ServerException):
+                workos.passwordless.create_session(
+                    email="user@example.com", type="MagicLink"
+                )
+        finally:
+            workos.close()
+
+
+@pytest.mark.asyncio
+class TestAsyncPasswordless:
+    async def test_create_session(self, async_workos, httpx_mock):
+        httpx_mock.add_response(json=load_fixture("passwordless_session.json"))
+        result = await async_workos.passwordless.create_session(
+            email="user@example.com", type="MagicLink"
+        )
+        assert isinstance(result, PasswordlessSession)
+        assert result.id == "passwordless_session_01EHDAK2BFGWCSZXP9HGZ3VK8C"
+        assert result.email == "user@example.com"
+        request = httpx_mock.get_request()
+        assert request.method == "POST"
+        assert request.url.path.endswith("/passwordless/sessions")
+
+    async def test_create_session_with_optional_params(self, async_workos, httpx_mock):
+        httpx_mock.add_response(json=load_fixture("passwordless_session.json"))
+        result = await async_workos.passwordless.create_session(
+            email="user@example.com",
+            type="MagicLink",
+            redirect_uri="https://example.com/callback",
+            state="custom-state",
+            expires_in=3600,
+        )
+        assert isinstance(result, PasswordlessSession)
+        request = httpx_mock.get_request()
+        body = json.loads(request.content)
+        assert body["redirect_uri"] == "https://example.com/callback"
+        assert body["state"] == "custom-state"
+        assert body["expires_in"] == 3600
+
+    async def test_send_session(self, async_workos, httpx_mock):
+        httpx_mock.add_response(status_code=204)
+        result = await async_workos.passwordless.send_session(
+            "passwordless_session_01EHDAK2BFGWCSZXP9HGZ3VK8C"
+        )
+        assert result is True
+        request = httpx_mock.get_request()
+        assert request.method == "POST"
+        assert request.url.path.endswith(
+            "/passwordless/sessions/passwordless_session_01EHDAK2BFGWCSZXP9HGZ3VK8C/send"
+        )
+
+    async def test_create_session_unauthorized(self, async_workos, httpx_mock):
+        httpx_mock.add_response(status_code=401, json={"message": "Unauthorized"})
+        with pytest.raises(AuthenticationException):
+            await async_workos.passwordless.create_session(
+                email="user@example.com", type="MagicLink"
+            )
+
+    async def test_create_session_not_found(self, httpx_mock):
+        workos = AsyncWorkOS(
+            api_key="sk_test_123", client_id="client_test", max_retries=0
+        )
+        try:
+            httpx_mock.add_response(status_code=404, json={"message": "Not found"})
+            with pytest.raises(NotFoundException):
+                await workos.passwordless.create_session(
+                    email="user@example.com", type="MagicLink"
+                )
+        finally:
+            await workos.close()
+
+    async def test_create_session_rate_limited(self, httpx_mock):
+        workos = AsyncWorkOS(
+            api_key="sk_test_123", client_id="client_test", max_retries=0
+        )
+        try:
+            httpx_mock.add_response(
+                status_code=429,
+                headers={"Retry-After": "0"},
+                json={"message": "Slow down"},
+            )
+            with pytest.raises(RateLimitExceededException):
+                await workos.passwordless.create_session(
+                    email="user@example.com", type="MagicLink"
+                )
+        finally:
+            await workos.close()
+
+    async def test_create_session_server_error(self, httpx_mock):
+        workos = AsyncWorkOS(
+            api_key="sk_test_123", client_id="client_test", max_retries=0
+        )
+        try:
+            httpx_mock.add_response(status_code=500, json={"message": "Server error"})
+            with pytest.raises(ServerException):
+                await workos.passwordless.create_session(
+                    email="user@example.com", type="MagicLink"
+                )
+        finally:
+            await workos.close()
diff --git a/tests/test_vault.py b/tests/test_vault.py

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +{
 +  "id": "vault_key_01EHDAK2BFGWCSZXP9HGZ3VK8C",
 +  "data_key": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE="
 +}