Add structured authentication error handling (#441)

* Add structured authentication error handling

* Refactored to remove helper functions, adjust types, and handle nil user cases

Author: awolfden

pkg/common/user.go

@@ -0,0 +1,37 @@
+package common
+
+// User contains data about a particular User.
+type User struct {
+	// The User's unique identifier.
+	ID string `json:"id"`
+
+	// The User's first name.
+	FirstName string `json:"first_name"`
+
+	// The User's last name.
+	LastName string `json:"last_name"`
+
+	// The User's email.
+	Email string `json:"email"`
+
+	// The timestamp of when the User was created.
+	CreatedAt string `json:"created_at"`
+
+	// The timestamp of when the User was updated.
+	UpdatedAt string `json:"updated_at"`
+
+	// Whether the User email is verified.
+	EmailVerified bool `json:"email_verified"`
+
+	// A URL reference to an image representing the User.
+	ProfilePictureURL string `json:"profile_picture_url"`
+
+	// The timestamp when the user last signed in.
+	LastSignInAt string `json:"last_sign_in_at"`
+
+	// The User's external id.
+	ExternalID string `json:"external_id"`
+
+	// The User's metadata.
+	Metadata map[string]string `json:"metadata"`
+}

pkg/common/user_test.go

@@ -0,0 +1,49 @@
+package common
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestUserMarshalUnmarshal(t *testing.T) {
+	user := User{
+		ID:                "user_123",
+		Email:             "[email protected]",
+		FirstName:         "John",
+		LastName:          "Doe",
+		EmailVerified:     true,
+		ProfilePictureURL: "https://example.com/avatar.jpg",
+		CreatedAt:         "2023-01-01T00:00:00Z",
+		UpdatedAt:         "2023-01-02T00:00:00Z",
+		LastSignInAt:      "2023-01-03T00:00:00Z",
+		ExternalID:        "ext_123",
+		Metadata: map[string]string{
+			"key1": "value1",
+			"key2": "value2",
+		},
+	}
+
+	// Marshal to JSON
+	data, err := json.Marshal(user)
+	require.NoError(t, err)
+
+	// Unmarshal back to struct
+	var unmarshaledUser User
+	err = json.Unmarshal(data, &unmarshaledUser)
+	require.NoError(t, err)
+
+	// Verify all fields are preserved
+	require.Equal(t, user.ID, unmarshaledUser.ID)
+	require.Equal(t, user.Email, unmarshaledUser.Email)
+	require.Equal(t, user.FirstName, unmarshaledUser.FirstName)
+	require.Equal(t, user.LastName, unmarshaledUser.LastName)
+	require.Equal(t, user.EmailVerified, unmarshaledUser.EmailVerified)
+	require.Equal(t, user.ProfilePictureURL, unmarshaledUser.ProfilePictureURL)
+	require.Equal(t, user.CreatedAt, unmarshaledUser.CreatedAt)
+	require.Equal(t, user.UpdatedAt, unmarshaledUser.UpdatedAt)
+	require.Equal(t, user.LastSignInAt, unmarshaledUser.LastSignInAt)
+	require.Equal(t, user.ExternalID, unmarshaledUser.ExternalID)
+	require.Equal(t, user.Metadata, unmarshaledUser.Metadata)
+}

pkg/usermanagement/client.go

@@ -139,40 +139,8 @@ type OrganizationMembership struct {
 }
 
 // User contains data about a particular User.
-type User struct {
-	// The User's unique identifier.
-	ID string `json:"id"`
-
-	// The User's first name.
-	FirstName string `json:"first_name"`
-
-	// The User's last name.
-	LastName string `json:"last_name"`
-
-	// The User's email.
-	Email string `json:"email"`
-
-	// The timestamp of when the User was created.
-	CreatedAt string `json:"created_at"`
-
-	// The timestamp of when the User was updated.
-	UpdatedAt string `json:"updated_at"`
-
-	// Whether the User email is verified.
-	EmailVerified bool `json:"email_verified"`
-
-	// A URL reference to an image representing the User.
-	ProfilePictureURL string `json:"profile_picture_url"`
-
-	// The timestamp when the user last signed in.
-	LastSignInAt string `json:"last_sign_in_at"`
-
-	// The User's external id.
-	ExternalID string `json:"external_id"`
-
-	// The User's metadata.
-	Metadata map[string]string `json:"metadata"`
-}
+// User is an alias for common.User to maintain backwards compatibility
+type User = common.User
 
 // Represents User identities obtained from external identity providers.
 type Identity struct {

pkg/workos_errors/authentication_errors.go

@@ -0,0 +1,123 @@
+package workos_errors
+
+import (
+	"github.com/workos/workos-go/v4/pkg/common"
+)
+
+// Authentication error code constants
+const (
+	EmailVerificationRequiredCode                 = "email_verification_required"
+	MFAEnrollmentCode                             = "mfa_enrollment"
+	MFAChallengeCode                              = "mfa_challenge"
+	OrganizationSelectionRequiredCode             = "organization_selection_required"
+	SSORequiredCode                               = "sso_required"
+	OrganizationAuthenticationMethodsRequiredCode = "organization_authentication_methods_required"
+)
+
+// FactorType represents the type of Authentication Factor
+type FactorType string
+
+// Constants that enumerate the available Types (matching mfa.FactorType)
+const (
+	SMS  FactorType = "sms"
+	TOTP FactorType = "totp"
+)
+
+// AuthenticationFactor represents an MFA factor
+type AuthenticationFactor struct {
+	ID   string     `json:"id"`
+	Type FactorType `json:"type"`
+}
+
+// PendingAuthenticationOrganizationInfo represents an organization in selection error
+type PendingAuthenticationOrganizationInfo struct {
+	ID   string `json:"id"`
+	Name string `json:"name"`
+}
+
+// User is an alias for common.User to maintain consistency
+type User = common.User
+
+// EmailVerificationRequiredError occurs when a user with unverified email attempts authentication
+type EmailVerificationRequiredError struct {
+	HTTPError
+	Code                       string `json:"code"`
+	Message                    string `json:"message"`
+	Email                      string `json:"email"`
+	EmailVerificationID        string `json:"email_verification_id"`
+	PendingAuthenticationToken string `json:"pending_authentication_token"`
+}
+
+func (e EmailVerificationRequiredError) Error() string {
+	return e.HTTPError.Error()
+}
+
+// MFAEnrollmentError occurs when a user needs to enroll in MFA
+type MFAEnrollmentError struct {
+	HTTPError
+	Code                       string `json:"code"`
+	Message                    string `json:"message"`
+	User                       User   `json:"user"`
+	PendingAuthenticationToken string `json:"pending_authentication_token"`
+}
+
+func (e MFAEnrollmentError) Error() string {
+	return e.HTTPError.Error()
+}
+
+// MFAChallengeError occurs when a user needs to complete MFA challenge
+type MFAChallengeError struct {
+	HTTPError
+	Code                       string                 `json:"code"`
+	Message                    string                 `json:"message"`
+	User                       User                   `json:"user"`
+	AuthenticationFactors      []AuthenticationFactor `json:"authentication_factors"`
+	PendingAuthenticationToken string                 `json:"pending_authentication_token"`
+}
+
+func (e MFAChallengeError) Error() string {
+	return e.HTTPError.Error()
+}
+
+// OrganizationSelectionRequiredError occurs when user must choose an organization
+type OrganizationSelectionRequiredError struct {
+	HTTPError
+	Code                       string                                  `json:"code"`
+	Message                    string                                  `json:"message"`
+	User                       User                                    `json:"user"`
+	Organizations              []PendingAuthenticationOrganizationInfo `json:"organizations"`
+	PendingAuthenticationToken string                                  `json:"pending_authentication_token"`
+}
+
+func (e OrganizationSelectionRequiredError) Error() string {
+	return e.HTTPError.Error()
+}
+
+// SSORequiredError occurs when user must authenticate via SSO
+type SSORequiredError struct {
+	HTTPError
+	ErrorCode                  string   `json:"error"`
+	ErrorDescription           string   `json:"error_description"`
+	Email                      string   `json:"email"`
+	ConnectionIDs              []string `json:"connection_ids"`
+	PendingAuthenticationToken string   `json:"pending_authentication_token"`
+}
+
+func (e SSORequiredError) Error() string {
+	return e.HTTPError.Error()
+}
+
+// OrganizationAuthenticationMethodsRequiredError occurs when org restricts auth methods
+type OrganizationAuthenticationMethodsRequiredError struct {
+	HTTPError
+	ErrorCode                  string          `json:"error"`
+	ErrorDescription           string          `json:"error_description"`
+	Email                      string          `json:"email"`
+	SSOConnectionIDs           []string        `json:"sso_connection_ids"`
+	AuthMethods                map[string]bool `json:"auth_methods"`
+	PendingAuthenticationToken string          `json:"pending_authentication_token"`
+}
+
+func (e OrganizationAuthenticationMethodsRequiredError) Error() string {
+	return e.HTTPError.Error()
+}