better_auth-scim 0.1.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a25f1b935926c0b3cd74a888fc9c923ddbb9c7ade8912d2c935ab2f27b747f33
-  data.tar.gz: 37210f202bee13853b720dbec539db4ba086eb3693a7234d2745ab41f45ceb63
+  metadata.gz: 1201afe86cacf80ee69f816878a2e3e19674ee2e60a73898aa0532f0ada7b644
+  data.tar.gz: 8677ea4796b8821bb1c1e8def36709d50d6bbdb49a61e2459e816f41a2055ae3
 SHA512:
-  metadata.gz: ee253db8f45e7827d333beb10cc77fdef1dd11d6dfb74ddfe8446960b85da5c137f42cf201fef3bad292f3c5ce0b001a31752b25ea95259b0fd3861140b70883
-  data.tar.gz: 7c16ca543cfb57e42a1a8da8a0afd0c3c568e6b3b6969b18c46186d651f5a94349bb40689cb1efdb7cacb271d9bbcff349e5e78e2be36693a9a7da94339c6c2c
+  metadata.gz: 7c5ca6ceb7a0327467e2a3ab062d4e93b495cf908a0216c59f564ad170801c71d8e9eed48841cbe219feaeb0720e5bc2d97c57f0e483611e3a4a0a581deae481
+  data.tar.gz: 76cfb02894397fdc38280f407be6848044f717b0fee2f4907b4edba881cac91693bc96eb75c8106182f6aff382c3bf042ff2fd8ed707c284cdca4f99d0763973

data/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 0.2.0 - 2026-04-29
+
+- Aligned SCIM user and group provisioning behavior with upstream Better Auth v1.6.9, including filtering, patch operations, schema responses, error shapes, and token handling.
+- Expanded SCIM documentation and tests for upstream parity flows.
+
 ## 0.1.0
 
 - Initial package skeleton for Better Auth SCIM.

data/README.md

@@ -4,13 +4,46 @@ External SCIM provisioning plugin package for `better_auth`.
 
 SCIM is not login. It is a provisioning API used by identity platforms to create, update, deactivate, and list users. It can be used alongside SSO, but it does not depend on SSO.
 
+```ruby
+gem "better_auth-scim"
+```
+
 ```ruby
 require "better_auth"
 require "better_auth/scim"
 
 BetterAuth.auth(
   plugins: [
-    BetterAuth::Plugins.scim
+    BetterAuth::Plugins.scim(
+      store_scim_token: "hashed",
+      provider_ownership: { enabled: true }
+    )
   ]
 )
 ```
+
+Implemented API methods include token generation, provider connection management, SCIM user CRUD, and SCIM metadata endpoints:
+
+- `generate_scim_token`
+- `list_scim_provider_connections`
+- `get_scim_provider_connection`
+- `delete_scim_provider_connection`
+- `create_scim_user`
+- `list_scim_users`
+- `get_scim_user`
+- `update_scim_user`
+- `patch_scim_user`
+- `delete_scim_user`
+- `get_scim_service_provider_config`
+- `get_scim_schemas`
+- `get_scim_schema`
+- `get_scim_resource_types`
+- `get_scim_resource_type`
+
+Options use Ruby snake_case names: `store_scim_token`, `default_scim`, `provider_ownership`, `required_role`, `before_scim_token_generated`, and `after_scim_token_generated`.
+
+The plugin exposes upstream-style surface metadata:
+
+- `BetterAuth::Plugins.scim.version` returns the gem SCIM version.
+- `BetterAuth::Plugins.scim.client` returns the Ruby client-plugin descriptor (`scim-client`) for integrations that inspect plugin parity metadata.
+- SCIM protocol routes are hidden from generated OpenAPI output, matching upstream `HIDE_METADATA`; provider management routes remain visible.

data/lib/better_auth/plugins/scim.rb

@@ -1,7 +1,18 @@
 # frozen_string_literal: true
 
-require "base64"
-require "securerandom"
+require_relative "../scim/version"
+require_relative "../scim/scim_metadata"
+require_relative "../scim/scim_error"
+require_relative "../scim/utils"
+require_relative "../scim/client"
+require_relative "../scim/user_schemas"
+require_relative "../scim/scim_resources"
+require_relative "../scim/mappings"
+require_relative "../scim/scim_filters"
+require_relative "../scim/patch_operations"
+require_relative "../scim/scim_tokens"
+require_relative "../scim/middlewares"
+require_relative "../scim/routes"
 
 module BetterAuth
   module Plugins
@@ -14,9 +25,14 @@ module BetterAuth
       config = {store_scim_token: "plain"}.merge(normalize_hash(options))
       Plugin.new(
         id: "scim",
-        schema: scim_schema,
+        version: BetterAuth::SCIM::VERSION,
+        client: scim_client,
+        schema: scim_schema(config),
         endpoints: {
           generate_scim_token: scim_generate_token_endpoint(config),
+          list_scim_provider_connections: scim_list_provider_connections_endpoint(config),
+          get_scim_provider_connection: scim_get_provider_connection_endpoint(config),
+          delete_scim_provider_connection: scim_delete_provider_connection_endpoint(config),
           create_scim_user: scim_create_user_endpoint(config),
           update_scim_user: scim_update_user_endpoint(config),
           patch_scim_user: scim_patch_user_endpoint(config),
@@ -33,413 +49,19 @@ module BetterAuth
       )
     end
 
-    def scim_schema
+    def scim_schema(config = {})
+      scim_provider_fields = {
+        providerId: {type: "string", required: true, unique: true},
+        scimToken: {type: "string", required: true, unique: true},
+        organizationId: {type: "string", required: false}
+      }
+      scim_provider_fields[:userId] = {type: "string", required: false} if scim_provider_ownership_enabled?(config)
+
       {
         scimProvider: {
-          fields: {
-            providerId: {type: "string", required: true, unique: true},
-            scimToken: {type: "string", required: true, unique: true},
-            organizationId: {type: "string", required: false}
-          }
-        },
-        user: {
-          fields: {
-            active: {type: "boolean", required: false, default_value: true},
-            externalId: {type: "string", required: false}
-          }
+          fields: scim_provider_fields
         }
       }
     end
-
-    def scim_generate_token_endpoint(config)
-      Endpoint.new(path: "/scim/generate-token", method: "POST") do |ctx|
-        session = Routes.current_session(ctx)
-        body = normalize_hash(ctx.body)
-        provider_id = body[:provider_id].to_s
-        organization_id = body[:organization_id]
-        raise APIError.new("BAD_REQUEST", message: "Provider id contains forbidden characters") if provider_id.include?(":")
-        if organization_id && !scim_has_organization_plugin?(ctx)
-          raise APIError.new("BAD_REQUEST", message: "Restricting a token to an organization requires the organization plugin")
-        end
-
-        if organization_id
-          member = ctx.context.adapter.find_one(
-            model: "member",
-            where: [
-              {field: "userId", value: session.fetch(:user).fetch("id")},
-              {field: "organizationId", value: organization_id}
-            ]
-          )
-          raise APIError.new("FORBIDDEN", message: "You are not a member of the organization") unless member
-        end
-
-        base_token = Crypto.random_string(24)
-        token = Base64.urlsafe_encode64([base_token, provider_id, organization_id].compact.join(":"), padding: false)
-        stored = scim_store_token(ctx, config, base_token)
-        where = [{field: "providerId", value: provider_id}]
-        where << {field: "organizationId", value: organization_id} if organization_id
-        existing = ctx.context.adapter.find_one(model: "scimProvider", where: where)
-        data = {providerId: provider_id, scimToken: stored, organizationId: organization_id}
-        ctx.context.adapter.delete(model: "scimProvider", where: [{field: "id", value: existing.fetch("id")}]) if existing
-        ctx.context.adapter.create(model: "scimProvider", data: data)
-        ctx.json({scimToken: token}, status: 201)
-      end
-    end
-
-    def scim_create_user_endpoint(config)
-      Endpoint.new(path: "/scim/v2/Users", method: "POST", use: [scim_auth_middleware(config)]) do |ctx|
-        body = normalize_hash(ctx.body)
-        provider = ctx.context.scim_provider
-        provider_id = provider.fetch("providerId")
-        email = scim_primary_email(body).downcase
-        account_id = scim_account_id(body)
-        existing_account = ctx.context.adapter.find_one(model: "account", where: [{field: "accountId", value: account_id}, {field: "providerId", value: provider_id}])
-        raise APIError.new("CONFLICT", message: "User already exists") if existing_account
-
-        user = ctx.context.internal_adapter.find_user_by_email(email)&.fetch(:user)
-        user ||= ctx.context.internal_adapter.create_user(
-          email: email,
-          name: scim_display_name(body, email),
-          emailVerified: true,
-          active: body.key?(:active) ? body[:active] : true,
-          externalId: body[:external_id]
-        )
-        account = ctx.context.internal_adapter.create_account(
-          userId: user.fetch("id"),
-          providerId: provider_id,
-          accountId: account_id,
-          accessToken: "",
-          refreshToken: ""
-        )
-        scim_create_org_membership(ctx, user.fetch("id"), provider["organizationId"])
-        ctx.json(scim_user_resource(user, account, ctx.context.base_url), status: 201)
-      end
-    end
-
-    def scim_update_user_endpoint(config)
-      Endpoint.new(path: "/scim/v2/Users/:userId", method: "PUT", use: [scim_auth_middleware(config)]) do |ctx|
-        user, account = scim_find_user_with_account!(ctx)
-        body = normalize_hash(ctx.body)
-        updated = ctx.context.internal_adapter.update_user(user.fetch("id"), scim_user_update(body))
-        updated_account = ctx.context.internal_adapter.update_account(account.fetch("id"), accountId: scim_account_id(body))
-        ctx.json(scim_user_resource(updated, updated_account, ctx.context.base_url))
-      end
-    end
-
-    def scim_patch_user_endpoint(config)
-      Endpoint.new(path: "/scim/v2/Users/:userId", method: "PATCH", use: [scim_auth_middleware(config)]) do |ctx|
-        user, account = scim_find_user_with_account!(ctx)
-        update = {}
-        account_update = {}
-        Array(normalize_hash(ctx.body)[:operations] || ctx.body["Operations"]).each do |operation|
-          op = normalize_hash(operation)
-          operation_name = op[:op].to_s.downcase
-          raise APIError.new("BAD_REQUEST", message: "Invalid SCIM patch operation") unless %w[replace add remove].include?(operation_name)
-
-          if op[:path].to_s.empty? && op[:value].is_a?(Hash)
-            scim_apply_patch_value!(user, update, account_update, normalize_hash(op[:value]), operation_name)
-            next
-          end
-
-          scim_apply_patch_path!(user, update, account_update, op[:path], op[:value], operation_name)
-        end
-        raise APIError.new("BAD_REQUEST", message: "No valid fields to update") if update.empty? && account_update.empty?
-
-        ctx.context.internal_adapter.update_user(user.fetch("id"), update) unless update.empty?
-        ctx.context.internal_adapter.update_account(account.fetch("id"), account_update) unless account_update.empty?
-        ctx.json(nil, status: 204)
-      end
-    end
-
-    def scim_delete_user_endpoint(config)
-      Endpoint.new(path: "/scim/v2/Users/:userId", method: "DELETE", metadata: {allowed_media_types: ["application/json", ""]}, use: [scim_auth_middleware(config)]) do |ctx|
-        user, = scim_find_user_with_account!(ctx)
-        ctx.context.internal_adapter.delete_user(user.fetch("id"))
-        ctx.json(nil, status: 204)
-      end
-    end
-
-    def scim_list_users_endpoint(config)
-      Endpoint.new(path: "/scim/v2/Users", method: "GET", use: [scim_auth_middleware(config)]) do |ctx|
-        provider = ctx.context.scim_provider
-        accounts = ctx.context.adapter.find_many(model: "account", where: [{field: "providerId", value: provider.fetch("providerId")}])
-        users_by_id = ctx.context.internal_adapter.list_users.each_with_object({}) { |user, result| result[user.fetch("id")] = user }
-        users = accounts.filter_map { |account| users_by_id[account.fetch("userId")] }
-        if provider["organizationId"]
-          member_ids = ctx.context.adapter.find_many(
-            model: "member",
-            where: [{field: "organizationId", value: provider.fetch("organizationId")}]
-          ).map { |member| member.fetch("userId") }
-          users = users.select { |user| member_ids.include?(user.fetch("id")) }
-        end
-        filter_field, filter_value = scim_parse_filter(ctx.query[:filter] || ctx.query["filter"]) if ctx.query[:filter] || ctx.query["filter"]
-        resources = users.filter_map do |user|
-          account = accounts.find { |entry| entry.fetch("userId") == user.fetch("id") }
-          resource = scim_user_resource(user, account, ctx.context.base_url)
-          next resource unless filter_field
-
-          (resource[filter_field.to_sym].to_s.downcase == filter_value.to_s.downcase) ? resource : nil
-        end
-        ctx.json({schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], totalResults: resources.length, itemsPerPage: resources.length, startIndex: 1, Resources: resources})
-      end
-    end
-
-    def scim_get_user_endpoint(config)
-      Endpoint.new(path: "/scim/v2/Users/:userId", method: "GET", use: [scim_auth_middleware(config)]) do |ctx|
-        user, account = scim_find_user_with_account!(ctx)
-        ctx.json(scim_user_resource(user, account, ctx.context.base_url))
-      end
-    end
-
-    def scim_service_provider_config_endpoint
-      Endpoint.new(path: "/scim/v2/ServiceProviderConfig", method: "GET") do |ctx|
-        ctx.json({
-          schemas: ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
-          patch: {supported: true},
-          filter: {supported: true, maxResults: 100},
-          changePassword: {supported: false},
-          sort: {supported: false},
-          etag: {supported: false},
-          authenticationSchemes: [{type: "oauthbearertoken", name: "OAuth Bearer Token"}]
-        })
-      end
-    end
-
-    def scim_schemas_endpoint
-      Endpoint.new(path: "/scim/v2/Schemas", method: "GET") do |ctx|
-        ctx.json({Resources: [scim_user_schema], totalResults: 1})
-      end
-    end
-
-    def scim_schema_endpoint
-      Endpoint.new(path: "/scim/v2/Schemas/:schemaId", method: "GET") do |ctx|
-        raise APIError.new("NOT_FOUND", message: "Schema not found") unless scim_param(ctx, :schema_id).to_s.end_with?("User")
-
-        ctx.json(scim_user_schema)
-      end
-    end
-
-    def scim_resource_types_endpoint
-      Endpoint.new(path: "/scim/v2/ResourceTypes", method: "GET") do |ctx|
-        ctx.json({Resources: [scim_user_resource_type], totalResults: 1})
-      end
-    end
-
-    def scim_resource_type_endpoint
-      Endpoint.new(path: "/scim/v2/ResourceTypes/:resourceTypeId", method: "GET") do |ctx|
-        raise APIError.new("NOT_FOUND", message: "Resource type not found") unless scim_param(ctx, :resource_type_id) == "User"
-
-        ctx.json(scim_user_resource_type)
-      end
-    end
-
-    def scim_auth_middleware(config)
-      lambda do |ctx|
-        encoded = ctx.headers["authorization"].to_s.sub(/\ABearer\s+/i, "")
-        raise APIError.new("UNAUTHORIZED", message: "SCIM token is required") if encoded.empty?
-
-        token, provider_id, organization_id = scim_decode_token(encoded)
-        provider = scim_default_provider(config, token, provider_id, organization_id) ||
-          ctx.context.adapter.find_one(
-            model: "scimProvider",
-            where: [{field: "providerId", value: provider_id}].tap { |where| where << {field: "organizationId", value: organization_id} if organization_id }
-          )
-        raise APIError.new("UNAUTHORIZED", message: "Invalid SCIM token") unless provider
-        raise APIError.new("UNAUTHORIZED", message: "Invalid SCIM token") unless scim_token_matches?(ctx, config, token, provider.fetch("scimToken"))
-
-        ctx.context.apply_plugin_context!(scim_provider: provider)
-        nil
-      end
-    end
-
-    def scim_store_token(ctx, config, token)
-      storage = config[:store_scim_token]
-      if storage == "hashed"
-        Crypto.sha256(token)
-      elsif storage == "encrypted"
-        Crypto.symmetric_encrypt(key: ctx.context.secret, data: token)
-      elsif storage.is_a?(Hash) && storage[:hash].respond_to?(:call)
-        storage[:hash].call(token)
-      elsif storage.is_a?(Hash) && storage[:encrypt].respond_to?(:call)
-        storage[:encrypt].call(token)
-      else
-        token
-      end
-    end
-
-    def scim_token_matches?(ctx, config, token, stored)
-      storage = config[:store_scim_token]
-      return Crypto.symmetric_decrypt(key: ctx.context.secret, data: stored) == token if storage == "encrypted"
-      return storage[:decrypt].call(stored) == token if storage.is_a?(Hash) && storage[:decrypt].respond_to?(:call)
-
-      !token.to_s.empty? && scim_store_token(ctx, config, token) == stored
-    end
-
-    def scim_decode_token(encoded)
-      decoded = Base64.urlsafe_decode64(encoded.to_s)
-      token, provider_id, *organization_parts = decoded.split(":")
-      raise APIError.new("UNAUTHORIZED", message: "Invalid SCIM token") if token.to_s.empty? || provider_id.to_s.empty?
-
-      [token, provider_id, organization_parts.join(":").then { |value| value.empty? ? nil : value }]
-    rescue ArgumentError
-      raise APIError.new("UNAUTHORIZED", message: "Invalid SCIM token")
-    end
-
-    def scim_default_provider(config, token, provider_id, organization_id)
-      Array(config[:default_scim]).find do |provider|
-        candidate = normalize_hash(provider)
-        candidate[:provider_id].to_s == provider_id.to_s &&
-          candidate[:scim_token].to_s == token.to_s &&
-          candidate[:organization_id].to_s == organization_id.to_s
-      end&.then do |provider|
-        data = normalize_hash(provider)
-        {"providerId" => data[:provider_id], "scimToken" => data[:scim_token], "organizationId" => data[:organization_id]}
-      end
-    end
-
-    def scim_find_user_with_account!(ctx)
-      provider = ctx.context.scim_provider
-      user_id = scim_param(ctx, :user_id)
-      account = ctx.context.adapter.find_one(
-        model: "account",
-        where: [
-          {field: "userId", value: user_id},
-          {field: "providerId", value: provider.fetch("providerId")}
-        ]
-      )
-      user = account && ctx.context.internal_adapter.find_user_by_id(user_id)
-      if user && provider["organizationId"]
-        member = ctx.context.adapter.find_one(
-          model: "member",
-          where: [{field: "organizationId", value: provider.fetch("organizationId")}, {field: "userId", value: user_id}]
-        )
-        user = nil unless member
-      end
-      raise APIError.new("NOT_FOUND", message: "User not found") unless user && account
-
-      [user, account]
-    end
-
-    def scim_user_update(body)
-      {
-        email: scim_primary_email(body)&.downcase,
-        name: scim_display_name(body, body[:user_name].to_s),
-        active: body.key?(:active) ? body[:active] : nil,
-        externalId: body[:external_id]
-      }.compact
-    end
-
-    def scim_apply_patch_value!(user, update, account_update, value, operation_name, path = nil)
-      value.each do |key, nested_value|
-        nested_key = Schema.storage_key(key)
-        nested_path = path ? "#{path}.#{nested_key}" : nested_key
-        if nested_value.is_a?(Hash)
-          scim_apply_patch_value!(user, update, account_update, normalize_hash(nested_value), operation_name, nested_path)
-        else
-          scim_apply_patch_path!(user, update, account_update, nested_path, nested_value, operation_name)
-        end
-      end
-    end
-
-    def scim_apply_patch_path!(user, update, account_update, path, value, operation_name)
-      remove = operation_name == "remove"
-      normalized = "/" + path.to_s.sub(%r{\A/+}, "").tr(".", "/")
-      case normalized
-      when "/active"
-        update[:active] = remove ? nil : value
-      when "/userName"
-        update[:email] = remove ? nil : value.to_s.downcase
-      when "/externalId"
-        account_update[:accountId] = remove ? nil : value
-        update[:externalId] = remove ? nil : value
-      when "/name/formatted"
-        update[:name] = value unless remove
-      when "/name/givenName"
-        update[:name] = scim_full_name(user.fetch("email"), given_name: value, family_name: scim_family_name(update[:name] || user["name"])) unless remove
-      when "/name/familyName"
-        update[:name] = scim_full_name(user.fetch("email"), given_name: scim_given_name(update[:name] || user["name"]), family_name: value) unless remove
-      end
-    end
-
-    def scim_display_name(body, fallback = nil)
-      name = normalize_hash(body[:name] || {})
-      return name[:formatted].to_s.strip unless name[:formatted].to_s.strip.empty?
-
-      scim_full_name(fallback, given_name: name[:given_name], family_name: name[:family_name])
-    end
-
-    def scim_user_resource(user, account = nil, base_url = nil)
-      {
-        schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"],
-        id: user.fetch("id"),
-        userName: user.fetch("email"),
-        externalId: account&.fetch("accountId", nil) || user["externalId"],
-        displayName: user["name"],
-        active: user.key?("active") ? user["active"] : true,
-        name: {formatted: user["name"]},
-        emails: [{primary: true, value: user.fetch("email")}],
-        meta: {resourceType: "User", location: base_url ? "#{base_url}/scim/v2/Users/#{user.fetch("id")}" : nil}.compact
-      }.compact
-    end
-
-    def scim_parse_filter(filter)
-      match = filter.to_s.match(/\A\s*([^\s]+)\s+(eq|ne|co|sw|ew|pr)\s*(?:"([^"]*)"|([^\s]+))?\s*\z/i)
-      raise APIError.new("BAD_REQUEST", message: "Invalid SCIM filter") unless match
-
-      field = match[1]
-      operator = match[2].downcase
-      raise APIError.new("BAD_REQUEST", message: "The operator \"#{operator}\" is not supported") unless operator == "eq"
-      raise APIError.new("BAD_REQUEST", message: "Invalid SCIM filter") unless %w[userName externalId].include?(field)
-
-      [field, match[3] || match[4]]
-    end
-
-    def scim_user_schema
-      {id: "urn:ietf:params:scim:schemas:core:2.0:User", name: "User", attributes: [{name: "userName", type: "string"}, {name: "active", type: "boolean"}]}
-    end
-
-    def scim_user_resource_type
-      {id: "User", name: "User", endpoint: "/Users", schema: "urn:ietf:params:scim:schemas:core:2.0:User"}
-    end
-
-    def scim_param(ctx, key)
-      ctx.params[key] || ctx.params[key.to_s] || ctx.params[Schema.storage_key(key)] || ctx.params[Schema.storage_key(key).to_sym]
-    end
-
-    def scim_has_organization_plugin?(ctx)
-      Array(ctx.context.options.plugins).any? { |plugin| plugin.id == "organization" }
-    end
-
-    def scim_create_org_membership(ctx, user_id, organization_id)
-      return unless organization_id
-      return if ctx.context.adapter.find_one(model: "member", where: [{field: "organizationId", value: organization_id}, {field: "userId", value: user_id}])
-
-      ctx.context.adapter.create(model: "member", data: {userId: user_id, organizationId: organization_id, role: "member", createdAt: Time.now})
-    end
-
-    def scim_account_id(body)
-      body[:external_id] || body[:user_name]
-    end
-
-    def scim_primary_email(body)
-      primary = Array(body[:emails]).find { |email| normalize_hash(email)[:primary] }
-      first = Array(body[:emails]).first
-      normalize_hash(primary || first)[:value] || body[:user_name]
-    end
-
-    def scim_full_name(fallback, given_name:, family_name:)
-      name = [given_name, family_name].compact.join(" ").strip
-      name.empty? ? fallback.to_s : name
-    end
-
-    def scim_given_name(name)
-      parts = name.to_s.split
-      (parts.length > 1) ? parts[0...-1].join(" ") : name.to_s
-    end
-
-    def scim_family_name(name)
-      parts = name.to_s.split
-      (parts.length > 1) ? parts[1..].join(" ") : ""
-    end
   end
 end

data/lib/better_auth/scim/client.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module_function
+
+    def scim_client
+      {
+        "id" => "scim-client",
+        "version" => BetterAuth::SCIM::VERSION,
+        "serverPluginId" => "scim"
+      }
+    end
+  end
+end

data/lib/better_auth/scim/mappings.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module_function
+
+    def scim_user_update(body)
+      {
+        email: scim_primary_email(body)&.downcase,
+        name: scim_display_name(body, body[:user_name].to_s),
+        updatedAt: Time.now
+      }.compact
+    end
+
+    def scim_display_name(body, fallback = nil)
+      name = normalize_hash(body[:name] || {})
+      return name[:formatted].to_s.strip unless name[:formatted].to_s.strip.empty?
+
+      scim_full_name(fallback, given_name: name[:given_name], family_name: name[:family_name])
+    end
+
+    def scim_account_id(body)
+      body[:external_id] || body[:user_name].to_s.downcase
+    end
+
+    def scim_primary_email(body)
+      primary = Array(body[:emails]).find { |email| normalize_hash(email)[:primary] }
+      first = Array(body[:emails]).first
+      normalize_hash(primary || first)[:value] || body[:user_name]
+    end
+
+    def scim_full_name(fallback, given_name:, family_name:)
+      name = [given_name, family_name].compact.join(" ").strip
+      name.empty? ? fallback.to_s : name
+    end
+
+    def scim_given_name(name)
+      parts = name.to_s.split
+      (parts.length > 1) ? parts[0...-1].join(" ") : name.to_s
+    end
+
+    def scim_family_name(name)
+      parts = name.to_s.split
+      (parts.length > 1) ? parts[1..].join(" ") : ""
+    end
+  end
+end

data/lib/better_auth/scim/middlewares.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module_function
+
+    def scim_auth_middleware(config)
+      lambda do |ctx|
+        encoded = ctx.headers["authorization"].to_s.sub(/\ABearer\s+/i, "")
+        raise scim_error("UNAUTHORIZED", "SCIM token is required") if encoded.empty?
+
+        token, provider_id, organization_id = scim_decode_token(encoded)
+        provider = scim_default_provider(config, provider_id, organization_id)
+        if provider
+          raise scim_error("UNAUTHORIZED", "Invalid SCIM token") unless provider.fetch("scimToken") == token
+        else
+          provider = ctx.context.adapter.find_one(
+            model: "scimProvider",
+            where: [{field: "providerId", value: provider_id}].tap { |where| where << {field: "organizationId", value: organization_id} if organization_id }
+          )
+          raise scim_error("UNAUTHORIZED", "Invalid SCIM token") unless provider
+          raise scim_error("UNAUTHORIZED", "Invalid SCIM token") unless scim_token_matches?(ctx, config, token, provider.fetch("scimToken"))
+        end
+
+        ctx.context.apply_plugin_context!(scim_provider: provider)
+        nil
+      end
+    end
+  end
+end

data/lib/better_auth/scim/patch_operations.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module_function
+
+    def scim_apply_patch_value!(user, update, account_update, value, operation_name, path = nil)
+      value.each do |key, nested_value|
+        nested_key = Schema.storage_key(key)
+        nested_path = path ? "#{path}.#{nested_key}" : nested_key
+        if nested_value.is_a?(Hash)
+          scim_apply_patch_value!(user, update, account_update, normalize_hash(nested_value), operation_name, nested_path)
+        else
+          scim_apply_patch_path!(user, update, account_update, nested_path, nested_value, operation_name)
+        end
+      end
+    end
+
+    def scim_apply_patch_path!(user, update, account_update, path, value, operation_name)
+      remove = operation_name == "remove"
+      normalized = "/" + path.to_s.sub(%r{\A/+}, "").tr(".", "/")
+      case normalized
+      when "/userName"
+        new_value = value.to_s.downcase
+        update[:email] = new_value if scim_patch_should_apply?(user["email"], new_value, operation_name)
+      when "/externalId"
+        account_update[:accountId] = value unless remove
+      when "/name/formatted"
+        update[:name] = value if scim_patch_should_apply?(user["name"], value, operation_name)
+      when "/name/givenName"
+        new_value = scim_full_name(user.fetch("email"), given_name: value, family_name: scim_family_name(update[:name] || user["name"]))
+        update[:name] = new_value if scim_patch_should_apply?(user["name"], new_value, operation_name)
+      when "/name/familyName"
+        new_value = scim_full_name(user.fetch("email"), given_name: scim_given_name(update[:name] || user["name"]), family_name: value)
+        update[:name] = new_value if scim_patch_should_apply?(user["name"], new_value, operation_name)
+      end
+    end
+
+    def scim_patch_should_apply?(current_value, new_value, operation_name)
+      return false if operation_name == "remove"
+      return false if operation_name == "add" && current_value == new_value
+
+      true
+    end
+  end
+end