better_auth-scim 0.5.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1201afe86cacf80ee69f816878a2e3e19674ee2e60a73898aa0532f0ada7b644
-  data.tar.gz: 8677ea4796b8821bb1c1e8def36709d50d6bbdb49a61e2459e816f41a2055ae3
+  metadata.gz: 65e35401e83150cb6dbd98d3b47c19a61d6c7bcca3c1310c40dec3f42e3ecbaa
+  data.tar.gz: 66a37c96b0eff2236194fce3d916930c83f555cc73e450681ca9540214154404
 SHA512:
-  metadata.gz: 7c5ca6ceb7a0327467e2a3ab062d4e93b495cf908a0216c59f564ad170801c71d8e9eed48841cbe219feaeb0720e5bc2d97c57f0e483611e3a4a0a581deae481
-  data.tar.gz: 76cfb02894397fdc38280f407be6848044f717b0fee2f4907b4edba881cac91693bc96eb75c8106182f6aff382c3bf042ff2fd8ed707c284cdca4f99d0763973
+  metadata.gz: 531454f782e6930da56af377970a36b075b74b878594d79b550e87d750949bc1b856e25301c164c31ee55d476363d0b90ecac6b2d7271aa24fe423f8d42fe822
+  data.tar.gz: 0fe6821fab2facb5ebfdd333a7e4eda13205f325ef5235a5d822319cb7ccfba855aea4837943d8379400ad8ea0f1610b3c62df1f3f710589d18446deba67e300

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## Unreleased
+
+## 0.7.0 - 2026-05-05
+
+- Changed generated SCIM provider tokens to use hashed storage by default. Set `store_scim_token: "plain"` only when plaintext database storage is intentionally required.
+- Split provider management and validation flows and hardened SCIM user listing, patch handling, and auth error responses.
+
 ## 0.2.0 - 2026-04-29
 
 - Aligned SCIM user and group provisioning behavior with upstream Better Auth v1.6.9, including filtering, patch operations, schema responses, error shapes, and token handling.

data/README.md

@@ -15,7 +15,6 @@ require "better_auth/scim"
 BetterAuth.auth(
   plugins: [
     BetterAuth::Plugins.scim(
-      store_scim_token: "hashed",
       provider_ownership: { enabled: true }
     )
   ]
@@ -41,9 +40,15 @@ Implemented API methods include token generation, provider connection management
 - `get_scim_resource_type`
 
 Options use Ruby snake_case names: `store_scim_token`, `default_scim`, `provider_ownership`, `required_role`, `before_scim_token_generated`, and `after_scim_token_generated`.
+`store_scim_token` defaults to `"hashed"` so generated SCIM provider tokens are
+not stored in plaintext.
 
 The plugin exposes upstream-style surface metadata:
 
 - `BetterAuth::Plugins.scim.version` returns the gem SCIM version.
 - `BetterAuth::Plugins.scim.client` returns the Ruby client-plugin descriptor (`scim-client`) for integrations that inspect plugin parity metadata.
 - SCIM protocol routes are hidden from generated OpenAPI output, matching upstream `HIDE_METADATA`; provider management routes remain visible.
+
+## Production recommendations
+
+- In the accounts table (`accounts` or the configured table name), use a unique composite index on `(providerId, accountId)` to prevent duplicate SCIM accounts under concurrent provisioning. The gem does not create this constraint automatically because index syntax and migrations depend on your database adapter and application.

data/lib/better_auth/plugins/scim.rb

@@ -12,6 +12,8 @@ require_relative "../scim/scim_filters"
 require_relative "../scim/patch_operations"
 require_relative "../scim/scim_tokens"
 require_relative "../scim/middlewares"
+require_relative "../scim/provider_management"
+require_relative "../scim/validation"
 require_relative "../scim/routes"
 
 module BetterAuth
@@ -22,7 +24,7 @@ module BetterAuth
     singleton_class.remove_method(:scim) if singleton_class.method_defined?(:scim) || singleton_class.private_method_defined?(:scim)
 
     def scim(options = {})
-      config = {store_scim_token: "plain"}.merge(normalize_hash(options))
+      config = {store_scim_token: "hashed"}.merge(normalize_hash(options))
       Plugin.new(
         id: "scim",
         version: BetterAuth::SCIM::VERSION,

data/lib/better_auth/scim/middlewares.rb

@@ -12,7 +12,11 @@ module BetterAuth
         token, provider_id, organization_id = scim_decode_token(encoded)
         provider = scim_default_provider(config, provider_id, organization_id)
         if provider
-          raise scim_error("UNAUTHORIZED", "Invalid SCIM token") unless provider.fetch("scimToken") == token
+          stored = provider.fetch("scimToken").to_s
+          provided = token.to_s
+          unless scim_token_string_matches?(stored, provided)
+            raise scim_error("UNAUTHORIZED", "Invalid SCIM token")
+          end
         else
           provider = ctx.context.adapter.find_one(
             model: "scimProvider",

data/lib/better_auth/scim/provider_management.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module_function
+
+    def scim_has_organization_plugin?(ctx)
+      Array(ctx.context.options.plugins).any? { |plugin| plugin.id == "organization" }
+    end
+
+    def scim_organization_plugin(ctx)
+      Array(ctx.context.options.plugins).find { |plugin| plugin.id == "organization" }
+    end
+
+    def scim_required_roles(ctx, config)
+      configured = config[:required_role] || config[:required_roles]
+      return Array(configured).map(&:to_s) if configured
+
+      creator_role = scim_organization_plugin(ctx)&.options&.fetch(:creator_role, nil)
+      ["admin", creator_role || "owner"].uniq
+    end
+
+    def scim_provider_ownership_enabled?(config)
+      normalize_hash(config[:provider_ownership] || {})[:enabled] == true
+    end
+
+    def scim_find_organization_member(ctx, user_id, organization_id)
+      ctx.context.adapter.find_one(
+        model: "member",
+        where: [
+          {field: "userId", value: user_id},
+          {field: "organizationId", value: organization_id}
+        ]
+      )
+    end
+
+    def scim_parse_roles(role)
+      Array(role).flat_map { |entry| entry.to_s.split(",") }.map(&:strip).reject(&:empty?)
+    end
+
+    def scim_has_required_role?(role, required_roles)
+      required = Array(required_roles).map(&:to_s)
+      required.empty? || scim_parse_roles(role).any? { |candidate| required.include?(candidate) }
+    end
+
+    def scim_user_org_memberships(ctx, user_id)
+      ctx.context.adapter.find_many(model: "member", where: [{field: "userId", value: user_id}]).each_with_object({}) do |member, result|
+        result[member.fetch("organizationId")] = member
+      end
+    end
+
+    def scim_assert_provider_access!(ctx, user_id, provider, required_roles)
+      return unless provider
+
+      organization_id = provider["organizationId"]
+      if organization_id
+        raise APIError.new("FORBIDDEN", message: "Organization plugin is required to access this SCIM provider") unless scim_has_organization_plugin?(ctx)
+
+        member = scim_find_organization_member(ctx, user_id, organization_id)
+        raise APIError.new("FORBIDDEN", message: "You must be a member of the organization to access this provider") unless member
+        raise APIError.new("FORBIDDEN", message: "Insufficient role for this operation") unless scim_has_required_role?(member.fetch("role", ""), required_roles)
+      elsif provider.key?("userId") && provider["userId"] && provider["userId"] != user_id
+        raise APIError.new("FORBIDDEN", message: "You must be the owner to access this provider")
+      end
+    end
+
+    def scim_provider_by_provider_id!(ctx, provider_id)
+      raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["VALIDATION_ERROR"]) unless provider_id.is_a?(String)
+
+      provider = ctx.context.adapter.find_one(model: "scimProvider", where: [{field: "providerId", value: provider_id.to_s}])
+      raise APIError.new("NOT_FOUND", message: "SCIM provider not found") unless provider
+
+      provider
+    end
+
+    def scim_provider_id_query(ctx)
+      ctx.query[:providerId] || ctx.query[:provider_id] || ctx.query["providerId"] || ctx.query["provider_id"]
+    end
+
+    def scim_normalized_provider(provider)
+      {
+        id: provider.fetch("id"),
+        providerId: provider.fetch("providerId"),
+        organizationId: provider["organizationId"]
+      }
+    end
+
+    def scim_call_token_hook(callback, payload)
+      callback.call(payload) if callback.respond_to?(:call)
+    end
+
+    def scim_create_org_membership(ctx, user_id, organization_id)
+      return unless organization_id
+      return if ctx.context.adapter.find_one(model: "member", where: [{field: "organizationId", value: organization_id}, {field: "userId", value: user_id}])
+
+      ctx.context.adapter.create(model: "member", data: {userId: user_id, organizationId: organization_id, role: "member", createdAt: Time.now})
+    end
+  end
+end

data/lib/better_auth/scim/routes.rb

@@ -32,9 +32,7 @@ module BetterAuth
           raise APIError.new("FORBIDDEN", message: "Insufficient role for this operation") unless scim_has_required_role?(member.fetch("role", ""), required_roles)
         end
 
-        where = [{field: "providerId", value: provider_id}]
-        where << {field: "organizationId", value: organization_id} if organization_id
-        existing = ctx.context.adapter.find_one(model: "scimProvider", where: where)
+        existing = ctx.context.adapter.find_one(model: "scimProvider", where: [{field: "providerId", value: provider_id}])
         if existing
           scim_assert_provider_access!(ctx, session.fetch(:user).fetch("id"), existing, required_roles)
           ctx.context.adapter.delete(model: "scimProvider", where: [{field: "id", value: existing.fetch("id")}])
@@ -106,8 +104,7 @@ module BetterAuth
           user = ctx.context.internal_adapter.find_user_by_email(email)&.fetch(:user)
           user ||= ctx.context.internal_adapter.create_user(
             email: email,
-            name: scim_display_name(body, email),
-            emailVerified: true
+            name: scim_display_name(body, email)
           )
           account = ctx.context.internal_adapter.create_account(
             userId: user.fetch("id"),
@@ -161,8 +158,10 @@ module BetterAuth
         end
         raise scim_error("BAD_REQUEST", "No valid fields to update") if update.empty? && account_update.empty?
 
-        ctx.context.internal_adapter.update_user(user.fetch("id"), update.merge(updatedAt: Time.now)) unless update.empty?
-        ctx.context.internal_adapter.update_account(account.fetch("id"), account_update.merge(updatedAt: Time.now)) unless account_update.empty?
+        ctx.context.adapter.transaction do
+          ctx.context.internal_adapter.update_user(user.fetch("id"), update.merge(updatedAt: Time.now)) unless update.empty?
+          ctx.context.internal_adapter.update_account(account.fetch("id"), account_update.merge(updatedAt: Time.now)) unless account_update.empty?
+        end
         ctx.json(nil, status: 204)
       end
     end
@@ -179,24 +178,37 @@ module BetterAuth
       Endpoint.new(path: "/scim/v2/Users", method: "GET", metadata: scim_hidden_metadata("List SCIM users.", SCIM_SUPPORTED_MEDIA_TYPES), use: [scim_auth_middleware(config)]) do |ctx|
         provider = ctx.context.scim_provider
         accounts = ctx.context.adapter.find_many(model: "account", where: [{field: "providerId", value: provider.fetch("providerId")}])
-        users_by_id = ctx.context.internal_adapter.list_users.each_with_object({}) { |user, result| result[user.fetch("id")] = user }
-        users = accounts.filter_map { |account| users_by_id[account.fetch("userId")] }
-        if provider["organizationId"]
-          member_ids = ctx.context.adapter.find_many(
-            model: "member",
-            where: [{field: "organizationId", value: provider.fetch("organizationId")}]
-          ).map { |member| member.fetch("userId") }
-          users = users.select { |user| member_ids.include?(user.fetch("id")) }
-        end
-        filter_field, filter_value = scim_parse_filter(ctx.query[:filter] || ctx.query["filter"]) if ctx.query[:filter] || ctx.query["filter"]
-        resources = users.filter_map do |user|
-          account = accounts.find { |entry| entry.fetch("userId") == user.fetch("id") }
-          resource = scim_user_resource(user, account, ctx.context.base_url)
-          next resource unless filter_field
+        account_user_ids = accounts.map { |account| account.fetch("userId") }.uniq
+        empty_list = {schemas: [SCIM_LIST_RESPONSE_SCHEMA], totalResults: 0, itemsPerPage: 0, startIndex: 1, Resources: []}
+        if account_user_ids.empty?
+          ctx.json(empty_list)
+        else
+          user_ids = account_user_ids
+          if provider["organizationId"]
+            user_ids = ctx.context.adapter.find_many(
+              model: "member",
+              where: [
+                {field: "organizationId", value: provider.fetch("organizationId")},
+                {field: "userId", value: account_user_ids, operator: "in"}
+              ]
+            ).map { |member| member.fetch("userId") }.uniq
+          end
 
-          (resource[filter_field.to_sym].to_s.downcase == filter_value.to_s.downcase) ? resource : nil
+          if user_ids.empty?
+            ctx.json(empty_list)
+          else
+            where = [{field: "id", value: user_ids, operator: "in"}]
+            if ctx.query[:filter] || ctx.query["filter"]
+              _filter_field, filter_value = scim_parse_filter(ctx.query[:filter] || ctx.query["filter"])
+              where << {field: "email", value: filter_value.to_s.downcase, operator: "eq"}
+            end
+
+            users = ctx.context.internal_adapter.list_users(where: where, sort_by: {field: "email", direction: "asc"})
+            accounts_by_user = accounts.each_with_object({}) { |account, result| result[account.fetch("userId")] ||= account }
+            resources = users.map { |user| scim_user_resource(user, accounts_by_user[user.fetch("id")], ctx.context.base_url) }
+            ctx.json({schemas: [SCIM_LIST_RESPONSE_SCHEMA], totalResults: resources.length, itemsPerPage: resources.length, startIndex: 1, Resources: resources})
+          end
         end
-        ctx.json({schemas: [SCIM_LIST_RESPONSE_SCHEMA], totalResults: resources.length, itemsPerPage: resources.length, startIndex: 1, Resources: resources})
       end
     end
 
@@ -281,141 +293,5 @@ module BetterAuth
 
       [user, account]
     end
-
-    def scim_validate_user_body!(body)
-      raise scim_error("BAD_REQUEST", BASE_ERROR_CODES["VALIDATION_ERROR"]) unless body[:user_name].is_a?(String)
-      raise scim_error("BAD_REQUEST", BASE_ERROR_CODES["VALIDATION_ERROR"]) if body[:user_name].empty?
-      raise scim_error("BAD_REQUEST", BASE_ERROR_CODES["VALIDATION_ERROR"]) if body.key?(:external_id) && !body[:external_id].is_a?(String)
-      raise scim_error("BAD_REQUEST", BASE_ERROR_CODES["VALIDATION_ERROR"]) if body.key?(:name) && !body[:name].is_a?(Hash)
-      raise scim_error("BAD_REQUEST", BASE_ERROR_CODES["VALIDATION_ERROR"]) if body.key?(:emails) && !body[:emails].is_a?(Array)
-      normalize_hash(body[:name] || {}).each_value do |value|
-        raise scim_error("BAD_REQUEST", BASE_ERROR_CODES["VALIDATION_ERROR"]) unless value.is_a?(String)
-      end
-
-      Array(body[:emails]).each do |email|
-        email = normalize_hash(email)
-        value = email[:value]
-        raise scim_error("BAD_REQUEST", BASE_ERROR_CODES["VALIDATION_ERROR"]) if email.key?(:primary) && ![true, false].include?(email[:primary])
-        raise scim_error("BAD_REQUEST", BASE_ERROR_CODES["VALIDATION_ERROR"]) unless value.to_s.match?(/\A[^@\s]+@[^@\s]+\.[^@\s]+\z/)
-      end
-    end
-
-    def scim_validate_patch_body!(body)
-      schemas = Array(body[:schemas])
-      raise scim_error("BAD_REQUEST", "Invalid schemas for PatchOp") unless schemas.include?("urn:ietf:params:scim:api:messages:2.0:PatchOp")
-
-      Array(body[:operations]).each_with_index do |operation, index|
-        op = normalize_hash(operation)[:op]
-        next if op.nil? || op.to_s.empty?
-
-        unless op.is_a?(String)
-          raise scim_patch_validation_error("[body.Operations.#{index}.op] Invalid input: expected string")
-        end
-
-        next if %w[replace add remove].include?(op.downcase)
-
-        raise scim_patch_validation_error("[body.Operations.#{index}.op] Invalid option: expected one of \"replace\"|\"add\"|\"remove\"")
-      end
-    end
-
-    def scim_patch_validation_error(message)
-      APIError.new(
-        "BAD_REQUEST",
-        message: BASE_ERROR_CODES["VALIDATION_ERROR"],
-        body: {code: "VALIDATION_ERROR", message: message}
-      )
-    end
-
-    def scim_has_organization_plugin?(ctx)
-      Array(ctx.context.options.plugins).any? { |plugin| plugin.id == "organization" }
-    end
-
-    def scim_organization_plugin(ctx)
-      Array(ctx.context.options.plugins).find { |plugin| plugin.id == "organization" }
-    end
-
-    def scim_required_roles(ctx, config)
-      configured = config[:required_role] || config[:required_roles]
-      return Array(configured).map(&:to_s) if configured
-
-      creator_role = scim_organization_plugin(ctx)&.options&.fetch(:creator_role, nil)
-      ["admin", creator_role || "owner"].uniq
-    end
-
-    def scim_provider_ownership_enabled?(config)
-      normalize_hash(config[:provider_ownership] || {})[:enabled] == true
-    end
-
-    def scim_find_organization_member(ctx, user_id, organization_id)
-      ctx.context.adapter.find_one(
-        model: "member",
-        where: [
-          {field: "userId", value: user_id},
-          {field: "organizationId", value: organization_id}
-        ]
-      )
-    end
-
-    def scim_parse_roles(role)
-      Array(role).flat_map { |entry| entry.to_s.split(",") }.map(&:strip).reject(&:empty?)
-    end
-
-    def scim_has_required_role?(role, required_roles)
-      required = Array(required_roles).map(&:to_s)
-      required.empty? || scim_parse_roles(role).any? { |candidate| required.include?(candidate) }
-    end
-
-    def scim_user_org_memberships(ctx, user_id)
-      ctx.context.adapter.find_many(model: "member", where: [{field: "userId", value: user_id}]).each_with_object({}) do |member, result|
-        result[member.fetch("organizationId")] = member
-      end
-    end
-
-    def scim_assert_provider_access!(ctx, user_id, provider, required_roles)
-      return unless provider
-
-      organization_id = provider["organizationId"]
-      if organization_id
-        raise APIError.new("FORBIDDEN", message: "Organization plugin is required to access this SCIM provider") unless scim_has_organization_plugin?(ctx)
-
-        member = scim_find_organization_member(ctx, user_id, organization_id)
-        raise APIError.new("FORBIDDEN", message: "You must be a member of the organization to access this provider") unless member
-        raise APIError.new("FORBIDDEN", message: "Insufficient role for this operation") unless scim_has_required_role?(member.fetch("role", ""), required_roles)
-      elsif provider.key?("userId") && provider["userId"] && provider["userId"] != user_id
-        raise APIError.new("FORBIDDEN", message: "You must be the owner to access this provider")
-      end
-    end
-
-    def scim_provider_by_provider_id!(ctx, provider_id)
-      raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["VALIDATION_ERROR"]) unless provider_id.is_a?(String)
-
-      provider = ctx.context.adapter.find_one(model: "scimProvider", where: [{field: "providerId", value: provider_id.to_s}])
-      raise APIError.new("NOT_FOUND", message: "SCIM provider not found") unless provider
-
-      provider
-    end
-
-    def scim_provider_id_query(ctx)
-      ctx.query[:providerId] || ctx.query[:provider_id] || ctx.query["providerId"] || ctx.query["provider_id"]
-    end
-
-    def scim_normalized_provider(provider)
-      {
-        id: provider.fetch("id"),
-        providerId: provider.fetch("providerId"),
-        organizationId: provider["organizationId"]
-      }
-    end
-
-    def scim_call_token_hook(callback, payload)
-      callback.call(payload) if callback.respond_to?(:call)
-    end
-
-    def scim_create_org_membership(ctx, user_id, organization_id)
-      return unless organization_id
-      return if ctx.context.adapter.find_one(model: "member", where: [{field: "organizationId", value: organization_id}, {field: "userId", value: user_id}])
-
-      ctx.context.adapter.create(model: "member", data: {userId: user_id, organizationId: organization_id, role: "member", createdAt: Time.now})
-    end
   end
 end

data/lib/better_auth/scim/scim_tokens.rb

@@ -23,10 +23,16 @@ module BetterAuth
 
     def scim_token_matches?(ctx, config, token, stored)
       storage = config[:store_scim_token]
-      return Crypto.symmetric_decrypt(key: ctx.context.secret, data: stored) == token if storage == "encrypted"
-      return storage[:decrypt].call(stored) == token if storage.is_a?(Hash) && storage[:decrypt].respond_to?(:call)
+      return scim_token_string_matches?(Crypto.symmetric_decrypt(key: ctx.context.secret, data: stored), token) if storage == "encrypted"
+      return scim_token_string_matches?(storage[:decrypt].call(stored), token) if storage.is_a?(Hash) && storage[:decrypt].respond_to?(:call)
 
-      !token.to_s.empty? && scim_store_token(ctx, config, token) == stored
+      scim_token_string_matches?(scim_store_token(ctx, config, token), stored)
+    end
+
+    def scim_token_string_matches?(expected, provided)
+      expected = expected.to_s
+      provided = provided.to_s
+      !provided.empty? && expected.bytesize == provided.bytesize && Crypto.constant_time_compare(expected, provided)
     end
 
     def scim_decode_token(encoded)

data/lib/better_auth/scim/validation.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module_function
+
+    def scim_validate_user_body!(body)
+      raise scim_error("BAD_REQUEST", BASE_ERROR_CODES["VALIDATION_ERROR"]) unless body[:user_name].is_a?(String)
+      raise scim_error("BAD_REQUEST", BASE_ERROR_CODES["VALIDATION_ERROR"]) if body[:user_name].empty?
+      raise scim_error("BAD_REQUEST", BASE_ERROR_CODES["VALIDATION_ERROR"]) if body.key?(:external_id) && !body[:external_id].is_a?(String)
+      raise scim_error("BAD_REQUEST", BASE_ERROR_CODES["VALIDATION_ERROR"]) if body.key?(:name) && !body[:name].is_a?(Hash)
+      raise scim_error("BAD_REQUEST", BASE_ERROR_CODES["VALIDATION_ERROR"]) if body.key?(:emails) && !body[:emails].is_a?(Array)
+      normalize_hash(body[:name] || {}).each_value do |value|
+        raise scim_error("BAD_REQUEST", BASE_ERROR_CODES["VALIDATION_ERROR"]) unless value.is_a?(String)
+      end
+
+      Array(body[:emails]).each do |email|
+        email = normalize_hash(email)
+        value = email[:value]
+        raise scim_error("BAD_REQUEST", BASE_ERROR_CODES["VALIDATION_ERROR"]) if email.key?(:primary) && ![true, false].include?(email[:primary])
+        raise scim_error("BAD_REQUEST", BASE_ERROR_CODES["VALIDATION_ERROR"]) unless value.to_s.match?(/\A[^@\s]+@[^@\s]+\.[^@\s]+\z/)
+      end
+    end
+
+    def scim_validate_patch_body!(body)
+      schemas = Array(body[:schemas])
+      raise scim_error("BAD_REQUEST", "Invalid schemas for PatchOp") unless schemas.include?("urn:ietf:params:scim:api:messages:2.0:PatchOp")
+
+      Array(body[:operations]).each_with_index do |operation, index|
+        op = normalize_hash(operation)[:op]
+        next if op.nil? || op.to_s.empty?
+
+        unless op.is_a?(String)
+          raise scim_patch_validation_error("[body.Operations.#{index}.op] Invalid input: expected string")
+        end
+
+        next if %w[replace add remove].include?(op.downcase)
+
+        raise scim_patch_validation_error("[body.Operations.#{index}.op] Invalid option: expected one of \"replace\"|\"add\"|\"remove\"")
+      end
+    end
+
+    def scim_patch_validation_error(message)
+      APIError.new(
+        "BAD_REQUEST",
+        message: BASE_ERROR_CODES["VALIDATION_ERROR"],
+        body: {code: "VALIDATION_ERROR", message: message}
+      )
+    end
+  end
+end

data/lib/better_auth/scim/version.rb

@@ -2,6 +2,6 @@
 
 module BetterAuth
   module SCIM
-    VERSION = "0.5.0"
+    VERSION = "0.7.0"
   end
 end

data/lib/better_auth/scim.rb

@@ -13,6 +13,8 @@ require_relative "scim/scim_filters"
 require_relative "scim/patch_operations"
 require_relative "scim/scim_tokens"
 require_relative "scim/middlewares"
+require_relative "scim/provider_management"
+require_relative "scim/validation"
 require_relative "scim/routes"
 require_relative "plugins/scim"
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: better_auth-scim
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.7.0
 platform: ruby
 authors:
 - Sebastian Sala
@@ -115,6 +115,7 @@ files:
 - lib/better_auth/scim/mappings.rb
 - lib/better_auth/scim/middlewares.rb
 - lib/better_auth/scim/patch_operations.rb
+- lib/better_auth/scim/provider_management.rb
 - lib/better_auth/scim/routes.rb
 - lib/better_auth/scim/scim_error.rb
 - lib/better_auth/scim/scim_filters.rb
@@ -123,6 +124,7 @@ files:
 - lib/better_auth/scim/scim_tokens.rb
 - lib/better_auth/scim/user_schemas.rb
 - lib/better_auth/scim/utils.rb
+- lib/better_auth/scim/validation.rb
 - lib/better_auth/scim/version.rb
 homepage: https://github.com/sebasxsala/better-auth
 licenses: