@better-auth/scim 1.4.0-beta.27

package/dist/index.mjs

@@ -0,0 +1,1247 @@
+import { base64Url } from "@better-auth/utils/base64";
+import { APIError, sessionMiddleware } from "better-auth/api";
+import { generateRandomString, symmetricDecrypt, symmetricEncrypt } from "better-auth/crypto";
+import { createAuthEndpoint, createAuthMiddleware, defaultKeyHasher } from "better-auth/plugins";
+import * as z from "zod";
+import { APIError as APIError$1 } from "better-auth";
+import { statusCodes } from "better-call";
+
+//#region src/mappings.ts
+const getAccountId = (userName, externalId) => {
+	return externalId ?? userName;
+};
+const getFormattedName = (name) => {
+	if (name.givenName && name.familyName) return `${name.givenName} ${name.familyName}`;
+	if (name.givenName) return name.givenName;
+	return name.familyName ?? "";
+};
+const getUserFullName = (email, name) => {
+	if (name) {
+		const formatted = name.formatted?.trim() ?? "";
+		if (formatted.length > 0) return formatted;
+		return getFormattedName(name) || email;
+	}
+	return email;
+};
+const getUserPrimaryEmail = (userName, emails) => {
+	return emails?.find((email) => email.primary)?.value ?? emails?.[0]?.value ?? userName;
+};
+
+//#endregion
+//#region src/scim-error.ts
+/**
+* SCIM compliant error
+* See: https://datatracker.ietf.org/doc/html/rfc7644#section-3.12
+*/
+var SCIMAPIError = class extends APIError$1 {
+	constructor(status = "INTERNAL_SERVER_ERROR", overrides = {}) {
+		const body = {
+			schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
+			status: (typeof status === "number" ? status : statusCodes[status]).toString(),
+			detail: overrides.detail,
+			...overrides
+		};
+		super(status, body);
+		this.message = body.detail ?? body.message;
+	}
+};
+const SCIMErrorOpenAPISchema = {
+	type: "object",
+	properties: {
+		schemas: {
+			type: "array",
+			items: { type: "string" }
+		},
+		status: { type: "string" },
+		detail: { type: "string" },
+		scimType: { type: "string" }
+	}
+};
+const SCIMErrorOpenAPISchemas = {
+	"400": {
+		description: "Bad Request. Usually due to missing parameters, or invalid parameters",
+		content: { "application/json": { schema: SCIMErrorOpenAPISchema } }
+	},
+	"401": {
+		description: "Unauthorized. Due to missing or invalid authentication.",
+		content: { "application/json": { schema: SCIMErrorOpenAPISchema } }
+	},
+	"403": {
+		description: "Unauthorized. Due to missing or invalid authentication.",
+		content: { "application/json": { schema: SCIMErrorOpenAPISchema } }
+	},
+	"404": {
+		description: "Not Found. The requested resource was not found.",
+		content: { "application/json": { schema: SCIMErrorOpenAPISchema } }
+	},
+	"429": {
+		description: "Too Many Requests. You have exceeded the rate limit. Try again later.",
+		content: { "application/json": { schema: SCIMErrorOpenAPISchema } }
+	},
+	"500": {
+		description: "Internal Server Error. This is a problem with the server that you cannot fix.",
+		content: { "application/json": { schema: SCIMErrorOpenAPISchema } }
+	}
+};
+
+//#endregion
+//#region src/scim-tokens.ts
+async function storeSCIMToken(ctx, opts, scimToken) {
+	if (opts.storeSCIMToken === "encrypted") return await symmetricEncrypt({
+		key: ctx.context.secret,
+		data: scimToken
+	});
+	if (opts.storeSCIMToken === "hashed") return await defaultKeyHasher(scimToken);
+	if (typeof opts.storeSCIMToken === "object" && "hash" in opts.storeSCIMToken) return await opts.storeSCIMToken.hash(scimToken);
+	if (typeof opts.storeSCIMToken === "object" && "encrypt" in opts.storeSCIMToken) return await opts.storeSCIMToken.encrypt(scimToken);
+	return scimToken;
+}
+async function verifySCIMToken(ctx, opts, storedSCIMToken, scimToken) {
+	if (opts.storeSCIMToken === "encrypted") return await symmetricDecrypt({
+		key: ctx.context.secret,
+		data: storedSCIMToken
+	}) === scimToken;
+	if (opts.storeSCIMToken === "hashed") return await defaultKeyHasher(scimToken) === storedSCIMToken;
+	if (typeof opts.storeSCIMToken === "object" && "hash" in opts.storeSCIMToken) return await opts.storeSCIMToken.hash(scimToken) === storedSCIMToken;
+	if (typeof opts.storeSCIMToken === "object" && "decrypt" in opts.storeSCIMToken) return await opts.storeSCIMToken.decrypt(storedSCIMToken) === scimToken;
+	return scimToken === storedSCIMToken;
+}
+
+//#endregion
+//#region src/middlewares.ts
+/**
+* The middleware forces the endpoint to have a valid token
+*/
+const authMiddlewareFactory = (opts) => createAuthMiddleware(async (ctx) => {
+	const authSCIMToken = (ctx.headers?.get("Authorization"))?.replace(/^Bearer\s+/i, "");
+	if (!authSCIMToken) throw new SCIMAPIError("UNAUTHORIZED", { detail: "SCIM token is required" });
+	const baseScimTokenParts = new TextDecoder().decode(base64Url.decode(authSCIMToken)).split(":");
+	const [scimToken, providerId] = baseScimTokenParts;
+	const organizationId = baseScimTokenParts.slice(2).join(":");
+	if (!scimToken || !providerId) throw new SCIMAPIError("UNAUTHORIZED", { detail: "Invalid SCIM token" });
+	const scimProvider = await ctx.context.adapter.findOne({
+		model: "scimProvider",
+		where: [{
+			field: "providerId",
+			value: providerId
+		}, ...organizationId ? [{
+			field: "organizationId",
+			value: organizationId
+		}] : []]
+	});
+	if (!scimProvider) throw new SCIMAPIError("UNAUTHORIZED", { detail: "Invalid SCIM token" });
+	if (!await verifySCIMToken(ctx, opts, scimProvider.scimToken, scimToken)) throw new SCIMAPIError("UNAUTHORIZED", { detail: "Invalid SCIM token" });
+	return {
+		authSCIMToken: scimToken,
+		scimProvider
+	};
+});
+
+//#endregion
+//#region src/patch-operations.ts
+const identity = (user, op) => {
+	return op.value;
+};
+const lowerCase = (user, op) => {
+	return op.value.toLowerCase();
+};
+const givenName = (user, op) => {
+	const familyName$1 = user.name.split(" ").slice(1).join(" ").trim();
+	const givenName$1 = op.value;
+	return getUserFullName(user.email, {
+		givenName: givenName$1,
+		familyName: familyName$1
+	});
+};
+const familyName = (user, op) => {
+	const givenName$1 = (user.name.split(" ").slice(0, -1).join(" ") || user.name).trim();
+	const familyName$1 = op.value;
+	return getUserFullName(user.email, {
+		givenName: givenName$1,
+		familyName: familyName$1
+	});
+};
+const userPatchMappings = {
+	"/name/formatted": {
+		resource: "user",
+		target: "name",
+		map: identity
+	},
+	"/name/givenName": {
+		resource: "user",
+		target: "name",
+		map: givenName
+	},
+	"/name/familyName": {
+		resource: "user",
+		target: "name",
+		map: familyName
+	},
+	"/externalId": {
+		resource: "account",
+		target: "accountId",
+		map: identity
+	},
+	"/userName": {
+		resource: "user",
+		target: "email",
+		map: lowerCase
+	}
+};
+const buildUserPatch = (user, operations) => {
+	const resources = {
+		user: {},
+		account: {}
+	};
+	for (const operation of operations) {
+		if (operation.op !== "replace" || !operation.path) continue;
+		const mapping = userPatchMappings[operation.path];
+		if (mapping) {
+			const resource = resources[mapping.resource];
+			resource[mapping.target] = mapping.map(user, operation);
+		}
+	}
+	return resources;
+};
+
+//#endregion
+//#region src/user-schemas.ts
+const APIUserSchema = z.object({
+	userName: z.string().lowercase(),
+	externalId: z.string().optional(),
+	name: z.object({
+		formatted: z.string().optional(),
+		givenName: z.string().optional(),
+		familyName: z.string().optional()
+	}).optional(),
+	emails: z.array(z.object({
+		value: z.email(),
+		primary: z.boolean().optional()
+	})).optional()
+});
+const OpenAPIUserResourceSchema = {
+	type: "object",
+	properties: {
+		id: { type: "string" },
+		meta: {
+			type: "object",
+			properties: {
+				resourceType: { type: "string" },
+				created: {
+					type: "string",
+					format: "date-time"
+				},
+				lastModified: {
+					type: "string",
+					format: "date-time"
+				},
+				location: { type: "string" }
+			}
+		},
+		userName: { type: "string" },
+		name: {
+			type: "object",
+			properties: {
+				formatted: { type: "string" },
+				givenName: { type: "string" },
+				familyName: { type: "string" }
+			}
+		},
+		displayName: { type: "string" },
+		active: { type: "boolean" },
+		emails: {
+			type: "array",
+			items: {
+				type: "object",
+				properties: {
+					value: { type: "string" },
+					primary: { type: "boolean" }
+				}
+			}
+		},
+		schemas: {
+			type: "array",
+			items: { type: "string" }
+		}
+	}
+};
+const SCIMUserResourceSchema = {
+	id: "urn:ietf:params:scim:schemas:core:2.0:User",
+	schemas: ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
+	name: "User",
+	description: "User Account",
+	attributes: [
+		{
+			name: "id",
+			type: "string",
+			multiValued: false,
+			description: "Unique opaque identifier for the User",
+			required: false,
+			caseExact: true,
+			mutability: "readOnly",
+			returned: "default",
+			uniqueness: "server"
+		},
+		{
+			name: "userName",
+			type: "string",
+			multiValued: false,
+			description: "Unique identifier for the User, typically used by the user to directly authenticate to the service provider",
+			required: true,
+			caseExact: false,
+			mutability: "readWrite",
+			returned: "default",
+			uniqueness: "server"
+		},
+		{
+			name: "displayName",
+			type: "string",
+			multiValued: false,
+			description: "The name of the User, suitable for display to end-users.  The name SHOULD be the full name of the User being described, if known.",
+			required: false,
+			caseExact: true,
+			mutability: "readOnly",
+			returned: "default",
+			uniqueness: "none"
+		},
+		{
+			name: "active",
+			type: "boolean",
+			multiValued: false,
+			description: "A Boolean value indicating the User's administrative status.",
+			required: false,
+			mutability: "readOnly",
+			returned: "default"
+		},
+		{
+			name: "name",
+			type: "complex",
+			multiValued: false,
+			description: "The components of the user's real name.",
+			required: false,
+			subAttributes: [
+				{
+					name: "formatted",
+					type: "string",
+					multiValued: false,
+					description: "The full name, including all middlenames, titles, and suffixes as appropriate, formatted for display(e.g., 'Ms. Barbara J Jensen, III').",
+					required: false,
+					caseExact: false,
+					mutability: "readWrite",
+					returned: "default",
+					uniqueness: "none"
+				},
+				{
+					name: "familyName",
+					type: "string",
+					multiValued: false,
+					description: "The family name of the User, or last name in most Western languages (e.g., 'Jensen' given the fullname 'Ms. Barbara J Jensen, III').",
+					required: false,
+					caseExact: false,
+					mutability: "readWrite",
+					returned: "default",
+					uniqueness: "none"
+				},
+				{
+					name: "givenName",
+					type: "string",
+					multiValued: false,
+					description: "The given name of the User, or first name in most Western languages (e.g., 'Barbara' given the full name 'Ms. Barbara J Jensen, III').",
+					required: false,
+					caseExact: false,
+					mutability: "readWrite",
+					returned: "default",
+					uniqueness: "none"
+				}
+			]
+		},
+		{
+			name: "emails",
+			type: "complex",
+			multiValued: true,
+			description: "Email addresses for the user.  The value SHOULD be canonicalized by the service provider, e.g., 'bjensen@example.com' instead of 'bjensen@EXAMPLE.COM'. Canonical type values of 'work', 'home', and 'other'.",
+			required: false,
+			subAttributes: [{
+				name: "value",
+				type: "string",
+				multiValued: false,
+				description: "Email addresses for the user.  The value SHOULD be canonicalized by the service provider, e.g., 'bjensen@example.com' instead of 'bjensen@EXAMPLE.COM'. Canonical type values of 'work', 'home', and 'other'.",
+				required: false,
+				caseExact: false,
+				mutability: "readWrite",
+				returned: "default",
+				uniqueness: "server"
+			}, {
+				name: "primary",
+				type: "boolean",
+				multiValued: false,
+				description: "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred mailing address or primary email address.  The primary attribute value 'true' MUST appear no more than once.",
+				required: false,
+				mutability: "readWrite",
+				returned: "default"
+			}],
+			mutability: "readWrite",
+			returned: "default",
+			uniqueness: "none"
+		}
+	],
+	meta: {
+		resourceType: "Schema",
+		location: "/scim/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User"
+	}
+};
+const SCIMUserResourceType = {
+	schemas: ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+	id: "User",
+	name: "User",
+	endpoint: "/Users",
+	description: "User Account",
+	schema: "urn:ietf:params:scim:schemas:core:2.0:User",
+	meta: {
+		resourceType: "ResourceType",
+		location: "/scim/v2/ResourceTypes/User"
+	}
+};
+
+//#endregion
+//#region src/scim-filters.ts
+const SCIMOperators = { eq: "eq" };
+const SCIMUserAttributes = { userName: "email" };
+var SCIMParseError = class extends Error {};
+const SCIMFilterRegex = /^\s*(?<attribute>[^\s]+)\s+(?<op>eq|ne|co|sw|ew|pr)\s*(?:(?<value>"[^"]*"|[^\s]+))?\s*$/i;
+const parseSCIMFilter = (filter) => {
+	const match = filter.match(SCIMFilterRegex);
+	if (!match) throw new SCIMParseError("Invalid filter expression");
+	const attribute = match.groups?.attribute;
+	const op = match.groups?.op?.toLowerCase();
+	const value = match.groups?.value;
+	if (!attribute || !op || !value) throw new SCIMParseError("Invalid filter expression");
+	const operator = SCIMOperators[op];
+	if (!operator) throw new SCIMParseError(`The operator "${op}" is not supported`);
+	return {
+		attribute,
+		operator,
+		value
+	};
+};
+const parseSCIMUserFilter = (filter) => {
+	const { attribute, operator, value } = parseSCIMFilter(filter);
+	const filters = [];
+	const targetAttribute = SCIMUserAttributes[attribute];
+	const resourceAttribute = SCIMUserResourceSchema.attributes.find((attr) => attr.name === attribute);
+	if (!targetAttribute || !resourceAttribute) throw new SCIMParseError(`The attribute "${attribute}" is not supported`);
+	let finalValue = value.replaceAll("\"", "");
+	if (!resourceAttribute.caseExact) finalValue = finalValue.toLowerCase();
+	filters.push({
+		field: targetAttribute,
+		value: finalValue,
+		operator
+	});
+	return filters;
+};
+
+//#endregion
+//#region src/scim-metadata.ts
+const MetadataFieldSupportOpenAPISchema = {
+	type: "object",
+	properties: { supported: { type: "boolean" } }
+};
+const ServiceProviderOpenAPISchema = {
+	type: "object",
+	properties: {
+		patch: MetadataFieldSupportOpenAPISchema,
+		bulk: MetadataFieldSupportOpenAPISchema,
+		filter: MetadataFieldSupportOpenAPISchema,
+		changePassword: MetadataFieldSupportOpenAPISchema,
+		sort: MetadataFieldSupportOpenAPISchema,
+		etag: MetadataFieldSupportOpenAPISchema,
+		authenticationSchemes: {
+			type: "array",
+			items: {
+				type: "object",
+				properties: {
+					name: { type: "string" },
+					description: { type: "string" },
+					specUri: { type: "string" },
+					type: { type: "string" },
+					primary: { type: "boolean" }
+				}
+			}
+		},
+		schemas: {
+			type: "array",
+			items: { type: "string" }
+		},
+		meta: {
+			type: "object",
+			properties: { resourceType: { type: "string" } }
+		}
+	}
+};
+const ResourceTypeOpenAPISchema = {
+	type: "object",
+	properties: {
+		schemas: {
+			type: "array",
+			items: { type: "string" }
+		},
+		id: { type: "string" },
+		name: { type: "string" },
+		endpoint: { type: "string" },
+		description: { type: "string" },
+		schema: { type: "string" },
+		meta: {
+			type: "object",
+			properties: {
+				resourceType: { type: "string" },
+				location: { type: "string" }
+			}
+		}
+	}
+};
+const SCIMSchemaAttributesOpenAPISchema = {
+	type: "object",
+	properties: {
+		name: { type: "string" },
+		type: { type: "string" },
+		multiValued: { type: "boolean" },
+		description: { type: "string" },
+		required: { type: "boolean" },
+		caseExact: { type: "boolean" },
+		mutability: { type: "string" },
+		returned: { type: "string" },
+		uniqueness: { type: "string" }
+	}
+};
+const SCIMSchemaOpenAPISchema = {
+	type: "object",
+	properties: {
+		id: { type: "string" },
+		schemas: {
+			type: "array",
+			items: { type: "string" }
+		},
+		name: { type: "string" },
+		description: { type: "string" },
+		attributes: {
+			type: "array",
+			items: {
+				...SCIMSchemaAttributesOpenAPISchema,
+				properties: {
+					...SCIMSchemaAttributesOpenAPISchema.properties,
+					subAttributes: {
+						type: "array",
+						items: SCIMSchemaAttributesOpenAPISchema
+					}
+				}
+			}
+		},
+		meta: {
+			type: "object",
+			properties: {
+				resourceType: { type: "string" },
+				location: { type: "string" }
+			},
+			required: ["resourceType", "location"]
+		}
+	}
+};
+
+//#endregion
+//#region src/utils.ts
+const getResourceURL = (path, baseURL) => {
+	const normalizedBaseURL = baseURL.endsWith("/") ? baseURL : `${baseURL}/`;
+	const normalizedPath = path.replace(/^\/+/, "");
+	return new URL(normalizedPath, normalizedBaseURL).toString();
+};
+
+//#endregion
+//#region src/scim-resources.ts
+const createUserResource = (baseURL, user, account) => {
+	return {
+		id: user.id,
+		externalId: account?.accountId,
+		meta: {
+			resourceType: "User",
+			created: user.createdAt,
+			lastModified: user.updatedAt,
+			location: getResourceURL(`/scim/v2/Users/${user.id}`, baseURL)
+		},
+		userName: user.email,
+		name: { formatted: user.name },
+		displayName: user.name,
+		active: true,
+		emails: [{
+			primary: true,
+			value: user.email
+		}],
+		schemas: [SCIMUserResourceSchema.id]
+	};
+};
+
+//#endregion
+//#region src/index.ts
+const supportedSCIMSchemas = [SCIMUserResourceSchema];
+const supportedSCIMResourceTypes = [SCIMUserResourceType];
+const findUserById = async (adapter, { userId, providerId, organizationId }) => {
+	const account = await adapter.findOne({
+		model: "account",
+		where: [{
+			field: "userId",
+			value: userId
+		}, {
+			field: "providerId",
+			value: providerId
+		}]
+	});
+	if (!account) return {
+		user: null,
+		account: null
+	};
+	let member = null;
+	if (organizationId) member = await adapter.findOne({
+		model: "member",
+		where: [{
+			field: "organizationId",
+			value: organizationId
+		}, {
+			field: "userId",
+			value: userId
+		}]
+	});
+	if (organizationId && !member) return {
+		user: null,
+		account: null
+	};
+	const user = await adapter.findOne({
+		model: "user",
+		where: [{
+			field: "id",
+			value: userId
+		}]
+	});
+	if (!user) return {
+		user: null,
+		account: null
+	};
+	return {
+		user,
+		account
+	};
+};
+const scim = (options) => {
+	const opts = {
+		storeSCIMToken: "plain",
+		...options
+	};
+	const authMiddleware = authMiddlewareFactory(opts);
+	return {
+		id: "scim",
+		endpoints: {
+			generateSCIMToken: createAuthEndpoint("/scim/generate-token", {
+				method: "POST",
+				body: z.object({
+					providerId: z.string().meta({ description: "Unique provider identifier" }),
+					organizationId: z.string().optional().meta({ description: "Optional organization id" })
+				}),
+				metadata: { openapi: {
+					summary: "Generates a new SCIM token for the given provider",
+					description: "Generates a new SCIM token to be used for SCIM operations",
+					responses: { "201": {
+						description: "SCIM token response",
+						content: { "application/json": { schema: {
+							type: "object",
+							properties: { scimToken: {
+								description: "SCIM token",
+								type: "string"
+							} }
+						} } }
+					} }
+				} },
+				use: [sessionMiddleware]
+			}, async (ctx) => {
+				const { providerId, organizationId } = ctx.body;
+				const user = ctx.context.session.user;
+				if (providerId.includes(":")) throw new APIError("BAD_REQUEST", { message: "Provider id contains forbidden characters" });
+				const isOrgPluginEnabled = ctx.context.options.plugins?.some((p) => p.id === "organization");
+				if (organizationId && !isOrgPluginEnabled) throw new APIError("BAD_REQUEST", { message: "Restricting a token to an organization requires the organization plugin" });
+				let member = null;
+				if (organizationId) {
+					member = await ctx.context.adapter.findOne({
+						model: "member",
+						where: [{
+							field: "userId",
+							value: user.id
+						}, {
+							field: "organizationId",
+							value: organizationId
+						}]
+					});
+					if (!member) throw new APIError("FORBIDDEN", { message: "You are not a member of the organization" });
+				}
+				const scimProvider = await ctx.context.adapter.findOne({
+					model: "scimProvider",
+					where: [{
+						field: "providerId",
+						value: providerId
+					}, ...organizationId ? [{
+						field: "organizationId",
+						value: organizationId
+					}] : []]
+				});
+				if (scimProvider) await ctx.context.adapter.delete({
+					model: "scimProvider",
+					where: [{
+						field: "id",
+						value: scimProvider.id
+					}]
+				});
+				const baseToken = generateRandomString(24);
+				const scimToken = base64Url.encode(`${baseToken}:${providerId}${organizationId ? `:${organizationId}` : ""}`);
+				if (opts.beforeSCIMTokenGenerated) await opts.beforeSCIMTokenGenerated({
+					user,
+					member,
+					scimToken
+				});
+				const newSCIMProvider = await ctx.context.adapter.create({
+					model: "scimProvider",
+					data: {
+						providerId,
+						organizationId,
+						scimToken: await storeSCIMToken(ctx, opts, baseToken)
+					}
+				});
+				if (opts.afterSCIMTokenGenerated) await opts.afterSCIMTokenGenerated({
+					user,
+					member,
+					scimToken,
+					scimProvider: newSCIMProvider
+				});
+				ctx.setStatus(201);
+				return ctx.json({ scimToken });
+			}),
+			createSCIMUser: createAuthEndpoint("/scim/v2/Users", {
+				method: "POST",
+				body: APIUserSchema,
+				metadata: {
+					isAction: false,
+					openapi: {
+						summary: "Create SCIM user.",
+						description: "Provision a new user into the linked organization via SCIM. See https://datatracker.ietf.org/doc/html/rfc7644#section-3.3",
+						responses: {
+							"201": {
+								description: "SCIM user resource",
+								content: { "application/json": { schema: OpenAPIUserResourceSchema } }
+							},
+							...SCIMErrorOpenAPISchemas
+						}
+					}
+				},
+				use: [authMiddleware]
+			}, async (ctx) => {
+				const body = ctx.body;
+				const providerId = ctx.context.scimProvider.providerId;
+				const accountId = getAccountId(body.userName, body.externalId);
+				if (await ctx.context.adapter.findOne({
+					model: "account",
+					where: [{
+						field: "accountId",
+						value: accountId
+					}, {
+						field: "providerId",
+						value: providerId
+					}]
+				})) throw new SCIMAPIError("CONFLICT", {
+					detail: "User already exists",
+					scimType: "uniqueness"
+				});
+				const email = getUserPrimaryEmail(body.userName, body.emails);
+				const name = getUserFullName(email, body.name);
+				const existingUser = await ctx.context.adapter.findOne({
+					model: "user",
+					where: [{
+						field: "email",
+						value: email
+					}]
+				});
+				const createAccount = (userId) => ctx.context.internalAdapter.createAccount({
+					userId,
+					providerId,
+					accountId,
+					accessToken: "",
+					refreshToken: ""
+				});
+				const createUser = () => ctx.context.internalAdapter.createUser({
+					email,
+					name
+				});
+				const createOrgMembership = async (userId) => {
+					const organizationId = ctx.context.scimProvider.organizationId;
+					if (organizationId) {
+						if (!await ctx.context.adapter.findOne({
+							model: "member",
+							where: [{
+								field: "organizationId",
+								value: organizationId
+							}, {
+								field: "userId",
+								value: userId
+							}]
+						})) return await ctx.context.adapter.create({
+							model: "member",
+							data: {
+								userId,
+								role: "member",
+								createdAt: /* @__PURE__ */ new Date(),
+								organizationId
+							}
+						});
+					}
+				};
+				let user;
+				let account;
+				if (existingUser) {
+					user = existingUser;
+					account = await ctx.context.adapter.transaction(async () => {
+						const account$1 = await createAccount(user.id);
+						await createOrgMembership(user.id);
+						return account$1;
+					});
+				} else [user, account] = await ctx.context.adapter.transaction(async () => {
+					const user$1 = await createUser();
+					const account$1 = await createAccount(user$1.id);
+					await createOrgMembership(user$1.id);
+					return [user$1, account$1];
+				});
+				const userResource = createUserResource(ctx.context.baseURL, user, account);
+				ctx.setStatus(201);
+				ctx.setHeader("location", userResource.meta.location);
+				return ctx.json(userResource);
+			}),
+			updateSCIMUser: createAuthEndpoint("/scim/v2/Users/:userId", {
+				method: "PUT",
+				body: APIUserSchema,
+				metadata: {
+					isAction: false,
+					openapi: {
+						summary: "Update SCIM user.",
+						description: "Updates an existing user into the linked organization via SCIM. See https://datatracker.ietf.org/doc/html/rfc7644#section-3.3",
+						responses: {
+							"200": {
+								description: "SCIM user resource",
+								content: { "application/json": { schema: OpenAPIUserResourceSchema } }
+							},
+							...SCIMErrorOpenAPISchemas
+						}
+					}
+				},
+				use: [authMiddleware]
+			}, async (ctx) => {
+				const body = ctx.body;
+				const userId = ctx.params.userId;
+				const { organizationId, providerId } = ctx.context.scimProvider;
+				const accountId = getAccountId(body.userName, body.externalId);
+				const { user, account } = await findUserById(ctx.context.adapter, {
+					userId,
+					providerId,
+					organizationId
+				});
+				if (!user) throw new SCIMAPIError("NOT_FOUND", { detail: "User not found" });
+				const [updatedUser, updatedAccount] = await ctx.context.adapter.transaction(async () => {
+					const email = getUserPrimaryEmail(body.userName, body.emails);
+					const name = getUserFullName(email, body.name);
+					return [await ctx.context.internalAdapter.updateUser(userId, {
+						email,
+						name,
+						updatedAt: /* @__PURE__ */ new Date()
+					}), await ctx.context.internalAdapter.updateAccount(account.id, {
+						accountId,
+						updatedAt: /* @__PURE__ */ new Date()
+					})];
+				});
+				const userResource = createUserResource(ctx.context.baseURL, updatedUser, updatedAccount);
+				return ctx.json(userResource);
+			}),
+			listSCIMUsers: createAuthEndpoint("/scim/v2/Users", {
+				method: "GET",
+				query: z.object({ filter: z.string().optional() }).optional(),
+				metadata: {
+					isAction: false,
+					openapi: {
+						summary: "List SCIM users",
+						description: "Returns all users provisioned via SCIM for the linked organization. See https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2",
+						responses: {
+							"200": {
+								description: "SCIM user list",
+								content: { "application/json": { schema: {
+									type: "object",
+									properties: {
+										totalResults: { type: "number" },
+										itemsPerPage: { type: "number" },
+										startIndex: { type: "number" },
+										Resources: {
+											type: "array",
+											items: OpenAPIUserResourceSchema
+										}
+									}
+								} } }
+							},
+							...SCIMErrorOpenAPISchemas
+						}
+					}
+				},
+				use: [authMiddleware]
+			}, async (ctx) => {
+				let apiFilters = parseSCIMAPIUserFilter(ctx.query?.filter);
+				ctx.context.logger.info("Querying result with filters: ", apiFilters);
+				const providerId = ctx.context.scimProvider.providerId;
+				const accounts = await ctx.context.adapter.findMany({
+					model: "account",
+					where: [{
+						field: "providerId",
+						value: providerId
+					}]
+				});
+				const accountUserIds = accounts.map((account) => account.userId);
+				let userFilters = [{
+					field: "id",
+					value: accountUserIds,
+					operator: "in"
+				}];
+				const organizationId = ctx.context.scimProvider.organizationId;
+				if (organizationId) userFilters = [{
+					field: "id",
+					value: (await ctx.context.adapter.findMany({
+						model: "member",
+						where: [{
+							field: "organizationId",
+							value: organizationId
+						}, {
+							field: "userId",
+							value: accountUserIds,
+							operator: "in"
+						}]
+					})).map((member) => member.userId),
+					operator: "in"
+				}];
+				const users = await ctx.context.adapter.findMany({
+					model: "user",
+					where: [...userFilters, ...apiFilters]
+				});
+				return ctx.json({
+					schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+					totalResults: users.length,
+					startIndex: 1,
+					itemsPerPage: users.length,
+					Resources: users.map((user) => {
+						const account = accounts.find((a) => a.userId === user.id);
+						return createUserResource(ctx.context.baseURL, user, account);
+					})
+				});
+			}),
+			getSCIMUser: createAuthEndpoint("/scim/v2/Users/:userId", {
+				method: "GET",
+				metadata: {
+					isAction: false,
+					openapi: {
+						summary: "Get SCIM user details",
+						description: "Returns the provisioned SCIM user details. See https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.1",
+						responses: {
+							"200": {
+								description: "SCIM user resource",
+								content: { "application/json": { schema: OpenAPIUserResourceSchema } }
+							},
+							...SCIMErrorOpenAPISchemas
+						}
+					}
+				},
+				use: [authMiddleware]
+			}, async (ctx) => {
+				const userId = ctx.params.userId;
+				const providerId = ctx.context.scimProvider.providerId;
+				const organizationId = ctx.context.scimProvider.organizationId;
+				const { user, account } = await findUserById(ctx.context.adapter, {
+					userId,
+					providerId,
+					organizationId
+				});
+				if (!user) throw new SCIMAPIError("NOT_FOUND", { detail: "User not found" });
+				return ctx.json(createUserResource(ctx.context.baseURL, user, account));
+			}),
+			patchSCIMUser: createAuthEndpoint("/scim/v2/Users/:userId", {
+				method: "PATCH",
+				body: z.object({
+					schemas: z.array(z.string()).refine((s) => s.includes("urn:ietf:params:scim:api:messages:2.0:PatchOp"), { message: "Invalid schemas for PatchOp" }),
+					Operations: z.array(z.object({
+						op: z.enum([
+							"replace",
+							"add",
+							"remove"
+						]).default("replace"),
+						path: z.string().optional(),
+						value: z.any()
+					}))
+				}),
+				metadata: {
+					isAction: false,
+					openapi: {
+						summary: "Patch SCIM user",
+						description: "Updates fields on a SCIM user record",
+						responses: {
+							"204": { description: "Patch update applied correctly" },
+							...SCIMErrorOpenAPISchemas
+						}
+					}
+				},
+				use: [authMiddleware]
+			}, async (ctx) => {
+				const userId = ctx.params.userId;
+				const organizationId = ctx.context.scimProvider.organizationId;
+				const providerId = ctx.context.scimProvider.providerId;
+				const { user, account } = await findUserById(ctx.context.adapter, {
+					userId,
+					providerId,
+					organizationId
+				});
+				if (!user) throw new SCIMAPIError("NOT_FOUND", { detail: "User not found" });
+				const { user: userPatch, account: accountPatch } = buildUserPatch(user, ctx.body.Operations);
+				if (Object.keys(userPatch).length === 0 && Object.keys(accountPatch).length === 0) throw new SCIMAPIError("BAD_REQUEST", { detail: "No valid fields to update" });
+				await Promise.all([Object.keys(userPatch).length > 0 ? ctx.context.internalAdapter.updateUser(userId, {
+					...userPatch,
+					updatedAt: /* @__PURE__ */ new Date()
+				}) : Promise.resolve(), Object.keys(accountPatch).length > 0 ? ctx.context.internalAdapter.updateAccount(account.id, {
+					...accountPatch,
+					updatedAt: /* @__PURE__ */ new Date()
+				}) : Promise.resolve()]);
+				ctx.setStatus(204);
+			}),
+			deleteSCIMUser: createAuthEndpoint("/scim/v2/Users/:userId", {
+				method: "DELETE",
+				metadata: {
+					isAction: false,
+					openapi: {
+						summary: "Delete SCIM user",
+						description: "Deletes (or deactivates) a user within the linked organization.",
+						responses: {
+							"204": { description: "Delete applied successfully" },
+							...SCIMErrorOpenAPISchemas
+						}
+					}
+				},
+				use: [authMiddleware]
+			}, async (ctx) => {
+				const userId = ctx.params.userId;
+				const providerId = ctx.context.scimProvider.providerId;
+				const organizationId = ctx.context.scimProvider.organizationId;
+				const { user } = await findUserById(ctx.context.adapter, {
+					userId,
+					providerId,
+					organizationId
+				});
+				if (!user) throw new SCIMAPIError("NOT_FOUND", { detail: "User not found" });
+				await ctx.context.internalAdapter.deleteUser(userId);
+				ctx.setStatus(204);
+			}),
+			getSCIMServiceProviderConfig: createAuthEndpoint("/scim/v2/ServiceProviderConfig", {
+				method: "GET",
+				metadata: {
+					isAction: false,
+					openapi: {
+						summary: "SCIM Service Provider Configuration",
+						description: "Standard SCIM metadata endpoint used by identity providers. See https://datatracker.ietf.org/doc/html/rfc7644#section-4",
+						responses: {
+							"200": {
+								description: "SCIM metadata object",
+								content: { "application/json": { schema: ServiceProviderOpenAPISchema } }
+							},
+							...SCIMErrorOpenAPISchemas
+						}
+					}
+				}
+			}, async (ctx) => {
+				return ctx.json({
+					patch: { supported: true },
+					bulk: { supported: false },
+					filter: { supported: true },
+					changePassword: { supported: false },
+					sort: { supported: false },
+					etag: { supported: false },
+					authenticationSchemes: [{
+						name: "OAuth Bearer Token",
+						description: "Authentication scheme using the Authorization header with a bearer token tied to an organization.",
+						specUri: "http://www.rfc-editor.org/info/rfc6750",
+						type: "oauthbearertoken",
+						primary: true
+					}],
+					schemas: ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
+					meta: { resourceType: "ServiceProviderConfig" }
+				});
+			}),
+			getSCIMSchemas: createAuthEndpoint("/scim/v2/Schemas", {
+				method: "GET",
+				metadata: {
+					isAction: false,
+					openapi: {
+						summary: "SCIM Service Provider Configuration Schemas",
+						description: "Standard SCIM metadata endpoint used by identity providers to acquire information about supported schemas. See https://datatracker.ietf.org/doc/html/rfc7644#section-4",
+						responses: {
+							"200": {
+								description: "SCIM metadata object",
+								content: { "application/json": { schema: {
+									type: "array",
+									items: SCIMSchemaOpenAPISchema
+								} } }
+							},
+							...SCIMErrorOpenAPISchemas
+						}
+					}
+				}
+			}, async (ctx) => {
+				return ctx.json({
+					totalResults: supportedSCIMSchemas.length,
+					itemsPerPage: supportedSCIMSchemas.length,
+					startIndex: 1,
+					schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+					Resources: supportedSCIMSchemas.map((s) => {
+						return {
+							...s,
+							meta: {
+								...s.meta,
+								location: getResourceURL(s.meta.location, ctx.context.baseURL)
+							}
+						};
+					})
+				});
+			}),
+			getSCIMSchema: createAuthEndpoint("/scim/v2/Schemas/:schemaId", {
+				method: "GET",
+				metadata: {
+					isAction: false,
+					openapi: {
+						summary: "SCIM a Service Provider Configuration Schema",
+						description: "Standard SCIM metadata endpoint used by identity providers to acquire information about a given schema. See https://datatracker.ietf.org/doc/html/rfc7644#section-4",
+						responses: {
+							"200": {
+								description: "SCIM metadata object",
+								content: { "application/json": { schema: SCIMSchemaOpenAPISchema } }
+							},
+							...SCIMErrorOpenAPISchemas
+						}
+					}
+				}
+			}, async (ctx) => {
+				const schema = supportedSCIMSchemas.find((s) => s.id === ctx.params.schemaId);
+				if (!schema) throw new SCIMAPIError("NOT_FOUND", { detail: "Schema not found" });
+				return ctx.json({
+					...schema,
+					meta: {
+						...schema.meta,
+						location: getResourceURL(schema.meta.location, ctx.context.baseURL)
+					}
+				});
+			}),
+			getSCIMResourceTypes: createAuthEndpoint("/scim/v2/ResourceTypes", {
+				method: "GET",
+				metadata: {
+					isAction: false,
+					openapi: {
+						summary: "SCIM Service Provider Supported Resource Types",
+						description: "Standard SCIM metadata endpoint used by identity providers to get a list of server supported types. See https://datatracker.ietf.org/doc/html/rfc7644#section-4",
+						responses: {
+							"200": {
+								description: "SCIM metadata object",
+								content: { "application/json": { schema: {
+									type: "object",
+									properties: {
+										totalResults: { type: "number" },
+										itemsPerPage: { type: "number" },
+										startIndex: { type: "number" },
+										Resources: {
+											type: "array",
+											items: ResourceTypeOpenAPISchema
+										}
+									}
+								} } }
+							},
+							...SCIMErrorOpenAPISchemas
+						}
+					}
+				}
+			}, async (ctx) => {
+				return ctx.json({
+					totalResults: supportedSCIMResourceTypes.length,
+					itemsPerPage: supportedSCIMResourceTypes.length,
+					startIndex: 1,
+					schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+					Resources: supportedSCIMResourceTypes.map((s) => {
+						return {
+							...s,
+							meta: {
+								...s.meta,
+								location: getResourceURL(s.meta.location, ctx.context.baseURL)
+							}
+						};
+					})
+				});
+			}),
+			getSCIMResourceType: createAuthEndpoint("/scim/v2/ResourceTypes/:resourceTypeId", {
+				method: "GET",
+				metadata: {
+					isAction: false,
+					openapi: {
+						summary: "SCIM Service Provider Supported Resource Type",
+						description: "Standard SCIM metadata endpoint used by identity providers to get a server supported type. See https://datatracker.ietf.org/doc/html/rfc7644#section-4",
+						responses: {
+							"200": {
+								description: "SCIM metadata object",
+								content: { "application/json": { schema: ResourceTypeOpenAPISchema } }
+							},
+							...SCIMErrorOpenAPISchemas
+						}
+					}
+				}
+			}, async (ctx) => {
+				const resourceType = supportedSCIMResourceTypes.find((s) => s.id === ctx.params.resourceTypeId);
+				if (!resourceType) throw new SCIMAPIError("NOT_FOUND", { detail: "Resource type not found" });
+				return ctx.json({
+					...resourceType,
+					meta: {
+						...resourceType.meta,
+						location: getResourceURL(resourceType.meta.location, ctx.context.baseURL)
+					}
+				});
+			})
+		},
+		schema: { scimProvider: { fields: {
+			providerId: {
+				type: "string",
+				required: true,
+				unique: true
+			},
+			scimToken: {
+				type: "string",
+				required: true,
+				unique: true
+			},
+			organizationId: {
+				type: "string",
+				required: false
+			}
+		} } }
+	};
+};
+const parseSCIMAPIUserFilter = (filter) => {
+	let filters = [];
+	try {
+		filters = filter ? parseSCIMUserFilter(filter) : [];
+	} catch (error) {
+		throw new SCIMAPIError("BAD_REQUEST", {
+			detail: error instanceof SCIMParseError ? error.message : "Invalid SCIM filter",
+			scimType: "invalidFilter"
+		});
+	}
+	return filters;
+};
+
+//#endregion
+export { scim };