Skip to content

fix: Correct request param placement for POST endpoints#237

Merged
gjtorikian merged 4 commits intomainfrom
correct-create-user
Apr 24, 2026
Merged

fix: Correct request param placement for POST endpoints#237
gjtorikian merged 4 commits intomainfrom
correct-create-user

Conversation

@gjtorikian
Copy link
Copy Markdown
Contributor

@gjtorikian gjtorikian commented Apr 24, 2026
edited
Loading

Summary

  • Parameter-group dispatch fields (passwords, resource IDs, role slugs, etc.) were incorrectly sent as query parameters on POST requests instead of in the JSON body
  • Adds ExtraBodyParams dictionary and AddBodyParam method to WorkOSRequest for body-level parameter injection
  • RequestUtilities now merges ExtraBodyParams into the serialized JSON body at request time
  • Fixes AuthorizationService and UserManagementService to use AddBodyParam instead of AddQueryParam for all parameter-group dispatch fields

Closes #236

Test plan

  • Verify user creation with password sends password in the JSON body, not as a query param
  • Verify user creation with hashed password sends password_hash and password_hash_type in the body
  • Verify authorization check/batch-check/list-objects send resource fields in the body
  • Verify create/update organization membership sends role fields in the body

@gjtorikian
fix: Correct request param placement for POST endpoints
dd4187c 
Parameter-group dispatch fields (passwords, resource IDs,
role slugs) were incorrectly sent as query parameters on
POST requests. They belong in the JSON request body.
Adds ExtraBodyParams support to WorkOSRequest and merges
them into the serialized JSON at request time.
@gjtorikian gjtorikian requested review from a team as code owners April 24, 2026 14:06
@gjtorikian gjtorikian requested a review from rwtombaugh April 24, 2026 14:07
@greptile-apps
Copy link
Copy Markdown

greptile-apps Bot commented Apr 24, 2026
edited
Loading

Greptile Summary

This PR fixes parameter-group dispatch fields (passwords, resource IDs, role slugs) that were being sent as query parameters on POST requests instead of in the JSON body. It introduces ExtraBodyParams/AddBodyParam on WorkOSRequest and merges those values into the serialized JSON body in RequestUtilities.CreateHttpContent. The role_slugs array is now correctly passed as a List<string> and serialized as a proper JSON array (fixing the previous comma-string concern), and ListAutoPagingAsync now copies ExtraBodyParams across pages.

Confidence Score: 5/5

Safe to merge; the core fix is correct and no new P0/P1 issues were found.

All changed POST endpoints use JSON content type so the ExtraBodyParams merge path is always exercised. role_slugs is now a proper JSON array. RemoveRoleAsync (DELETE) is correctly untouched. The only finding is a latent P2 (form-encoded path drops ExtraBodyParams) that doesn't affect any endpoint in this PR.

No files require special attention.

Important Files Changed

Filename Overview
src/WorkOS.net/Client/_interfaces/WorkOSRequest.cs Adds ExtraBodyParams dictionary and AddBodyParam method; clean addition parallel to existing ExtraQueryParams/AddQueryParam.
src/WorkOS.net/Client/Utilities/RequestUtilities.cs Merges ExtraBodyParams into serialized JSON body via JObject.Parse + JToken.FromObject; correctly handles arrays/strings, but ExtraBodyParams is silently dropped on the form-encoded content path.
src/WorkOS.net/Client/WorkOSClient.cs Copies ExtraBodyParams into the ListAutoPagingAsync working request, closing the latent pagination gap noted in the prior review.
src/WorkOS.net/Services/Authorization/AuthorizationService.cs Switches POST endpoints to AddBodyParam; RemoveRoleAsync (DELETE) correctly retains AddQueryParam and is unmodified by this PR.
src/WorkOS.net/Services/UserManagement/UserManagementService.cs Moves password/hash/role fields to AddBodyParam; role_slugs now passed as List<string> so JSON serialization produces a proper array instead of a comma-joined string.

Sequence Diagram

sequenceDiagram
    participant Caller
    participant Service as AuthorizationService /UserManagementService
    participant Request as WorkOSRequest
    participant Client as WorkOSClient
    participant Utils as RequestUtilities

    Caller->>Service: e.g. CreateUserAsync(options)
    Service->>Request: new WorkOSRequest { Method=POST, ... }
    Service->>Request: AddBodyParam("password", value)
    Note over Request: ExtraBodyParams["password"] = value
    Service->>Client: MakeAPIRequest(request)
    Client->>Client: CreateHttpRequestMessage(request)
    Client->>Utils: CreateHttpContent(request)
    Note over Utils: IsJsonContentType == true
    Utils->>Utils: ToJsonString(options) → jsonOptions
    Utils->>Utils: JObject.Parse(jsonOptions)
    Utils->>Utils: foreach ExtraBodyParams → jobj[key] = JToken.FromObject(value)
    Utils->>Utils: jobj.ToString() → merged JSON body
    Utils-->>Client: StringContent (application/json)
    Client-->>Service: HttpResponseMessage
    Service-->>Caller: Typed result
Loading

Reviews (2): Last reviewed commit: "fix: Use query params for authorization ..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Apr 24, 2026
View reviewed changes
Comment thread src/WorkOS.net/Services/Authorization/AuthorizationService.cs
Comment thread src/WorkOS.net/Services/UserManagement/UserManagementService.cs
@gjtorikian
fix: Support non-string types in extra body params
fa0d742 
ExtraBodyParams was typed as Dictionary<string, string>, so
array fields like role_slugs were comma-joined into a single
string ("admin,member") instead of serialized as a JSON array
(["admin","member"]). Widening to Dictionary<string, object>
and serializing via JToken.FromObject lets callers pass arrays
and other complex types that the API expects.
@gjtorikian
fix: Propagate extra params through auto-pagination
266aee8 
ExtraQueryParams and ExtraBodyParams were not copied into
subsequent page requests, so paginated endpoints that rely
on extra params (e.g. role_slugs filtering) only applied
them to the first page.
@gjtorikian
fix: Use query params for authorization resource targets
b5bd628 
Resource target fields (resource_id, resource_external_id,
resource_type_slug) were sent as body params, but the
authorization endpoint expects them as query params.
@gjtorikian gjtorikian merged commit c6e307a into main Apr 24, 2026
7 checks passed
@gjtorikian gjtorikian deleted the correct-create-user branch April 24, 2026 16:10
@workos-sdk-automation workos-sdk-automation Bot mentioned this pull request Apr 24, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

@rwtombaugh rwtombaugh Awaiting requested review from rwtombaugh rwtombaugh is a code owner automatically assigned from workos/dotnet

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Create User is broken

1 participant

@gjtorikian