arazzo: 1.0.1
info:
  title: Kinde Migrate User with Password
  summary: Create a user with an email identity and import their existing hashed password.
  description: >-
    Migrates a user from a legacy system into Kinde while preserving their
    existing credentials. The workflow creates the user with a verified email
    identity, imports the user's pre-hashed password using the supplied hashing
    method, and then reads the user record back to confirm the migration. This
    lets existing users sign in with their current password without a reset.
    Every step inlines its request so the flow can be read and executed without
    opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: kindeManagementApi
  url: ../openapi/kinde-management-api-openapi.yml
  type: openapi
workflows:
- workflowId: migrate-user-with-password
  summary: Create a user and import their existing hashed password.
  description: >-
    Creates a user with a verified email identity, sets the user's password from
    a pre-computed hash, then retrieves the user record to verify the migration.
  inputs:
    type: object
    required:
    - givenName
    - familyName
    - email
    - hashedPassword
    properties:
      givenName:
        type: string
        description: The user's first name.
      familyName:
        type: string
        description: The user's last name.
      email:
        type: string
        description: The email address to register as the user's identity.
      hashedPassword:
        type: string
        description: The user's pre-hashed password to import.
      hashingMethod:
        type: string
        description: The hashing algorithm used - one of bcrypt, crypt, md5, wordpress.
  steps:
  - stepId: createUser
    description: >-
      Create the user with a verified email identity. Returns the Kinde user id
      used to set the password.
    operationId: createUser
    requestBody:
      contentType: application/json
      payload:
        profile:
          given_name: $inputs.givenName
          family_name: $inputs.familyName
        identities:
        - type: email
          is_verified: true
          details:
            email: $inputs.email
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      userId: $response.body#/id
  - stepId: importPassword
    description: >-
      Import the user's existing hashed password so they can sign in with their
      current credentials without a reset.
    operationId: SetUserPassword
    parameters:
    - name: user_id
      in: path
      value: $steps.createUser.outputs.userId
    requestBody:
      contentType: application/json
      payload:
        hashed_password: $inputs.hashedPassword
        hashing_method: $inputs.hashingMethod
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      passwordCode: $response.body#/code
  - stepId: verifyUser
    description: >-
      Retrieve the user record to confirm the user exists and the migration
      completed.
    operationId: getUserData
    parameters:
    - name: id
      in: query
      value: $steps.createUser.outputs.userId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      preferredEmail: $response.body#/preferred_email
  outputs:
    userId: $steps.createUser.outputs.userId
    preferredEmail: $steps.verifyUser.outputs.preferredEmail