@better-auth/scim 1.4.12-beta.2 → 1.4.13

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @better-auth/scim@1.4.12-beta.2 build /home/runner/work/better-auth/better-auth/packages/scim
+> @better-auth/scim@1.4.13 build /home/runner/work/better-auth/better-auth/packages/scim
 > tsdown
 
 ℹ tsdown v0.17.2 powered by rolldown v1.0.0-beta.53
@@ -7,10 +7,10 @@
 ℹ entry: src/index.ts, src/client.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/index.mjs              37.99 kB │ gzip: 7.68 kB
+ℹ dist/index.mjs              39.48 kB │ gzip: 8.06 kB
 ℹ dist/client.mjs              0.15 kB │ gzip: 0.14 kB
 ℹ dist/client.d.mts            0.22 kB │ gzip: 0.18 kB
 ℹ dist/index.d.mts             0.07 kB │ gzip: 0.08 kB
-ℹ dist/index-aXWBaAAu.d.mts  108.11 kB │ gzip: 4.19 kB
-ℹ 5 files, total: 146.54 kB
-✔ Build complete in 6096ms
+ℹ dist/index-BGaCP2s8.d.mts  108.38 kB │ gzip: 4.29 kB
+ℹ 5 files, total: 148.29 kB
+✔ Build complete in 6065ms

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as scim } from "./index-aXWBaAAu.mjs";
+import { t as scim } from "./index-BGaCP2s8.mjs";
 
 //#region src/client.d.ts
 declare const scimClient: () => {

package/dist/{index-aXWBaAAu.d.mts → index-BGaCP2s8.d.mts}

@@ -12,6 +12,11 @@ interface SCIMProvider {
   organizationId?: string;
 }
 type SCIMOptions = {
+  /**
+   * Default list of SCIM providers for testing
+   * These will take precedence over the database when present
+   */
+  defaultSCIM?: Omit<SCIMProvider, "id">[];
   /**
    * A callback that runs before a new SCIM token is generated.
    * @returns
@@ -365,7 +370,7 @@ declare const scim: (options?: SCIMOptions) => {
       };
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
         authSCIMToken: string;
-        scimProvider: SCIMProvider;
+        scimProvider: Omit<SCIMProvider, "id">;
       }>)[];
     }, {
       id: string;
@@ -654,7 +659,7 @@ declare const scim: (options?: SCIMOptions) => {
       };
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
         authSCIMToken: string;
-        scimProvider: SCIMProvider;
+        scimProvider: Omit<SCIMProvider, "id">;
       }>)[];
     }, {
       id: string;
@@ -682,7 +687,7 @@ declare const scim: (options?: SCIMOptions) => {
       body: zod0.ZodObject<{
         schemas: zod0.ZodArray<zod0.ZodString>;
         Operations: zod0.ZodArray<zod0.ZodObject<{
-          op: zod0.ZodDefault<zod0.ZodEnum<{
+          op: zod0.ZodPipe<zod0.ZodDefault<zod0.ZodString>, zod0.ZodEnum<{
             add: "add";
             remove: "remove";
             replace: "replace";
@@ -868,7 +873,7 @@ declare const scim: (options?: SCIMOptions) => {
       };
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
         authSCIMToken: string;
-        scimProvider: SCIMProvider;
+        scimProvider: Omit<SCIMProvider, "id">;
       }>)[];
     }, void>;
     deleteSCIMUser: better_call0.StrictEndpoint<"/scim/v2/Users/:userId", {
@@ -1050,7 +1055,7 @@ declare const scim: (options?: SCIMOptions) => {
       };
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
         authSCIMToken: string;
-        scimProvider: SCIMProvider;
+        scimProvider: Omit<SCIMProvider, "id">;
       }>)[];
     }, void>;
     updateSCIMUser: better_call0.StrictEndpoint<"/scim/v2/Users/:userId", {
@@ -1319,7 +1324,7 @@ declare const scim: (options?: SCIMOptions) => {
       };
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
         authSCIMToken: string;
-        scimProvider: SCIMProvider;
+        scimProvider: Omit<SCIMProvider, "id">;
       }>)[];
     }, {
       id: string;
@@ -1615,7 +1620,7 @@ declare const scim: (options?: SCIMOptions) => {
       };
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
         authSCIMToken: string;
-        scimProvider: SCIMProvider;
+        scimProvider: Omit<SCIMProvider, "id">;
       }>)[];
     }, {
       schemas: string[];

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { t as scim } from "./index-aXWBaAAu.mjs";
+import { t as scim } from "./index-BGaCP2s8.mjs";
 export { scim };

package/dist/index.mjs

@@ -97,7 +97,16 @@ const authMiddlewareFactory = (opts) => createAuthMiddleware(async (ctx) => {
 	const [scimToken, providerId] = baseScimTokenParts;
 	const organizationId = baseScimTokenParts.slice(2).join(":");
 	if (!scimToken || !providerId) throw new SCIMAPIError("UNAUTHORIZED", { detail: "Invalid SCIM token" });
-	const scimProvider = await ctx.context.adapter.findOne({
+	let scimProvider = opts.defaultSCIM?.find((p) => {
+		if (p.providerId === providerId && !organizationId) return true;
+		return !!(p.providerId === providerId && organizationId && p.organizationId === organizationId);
+	}) ?? null;
+	if (scimProvider) if (scimProvider.scimToken === scimToken) return {
+		authSCIMToken: scimProvider.scimToken,
+		scimProvider
+	};
+	else throw new SCIMAPIError("UNAUTHORIZED", { detail: "Invalid SCIM token" });
+	scimProvider = await ctx.context.adapter.findOne({
 		model: "scimProvider",
 		where: [{
 			field: "providerId",
@@ -139,22 +148,23 @@ const getUserPrimaryEmail = (userName, emails) => {
 
 //#endregion
 //#region src/patch-operations.ts
-const identity = (user, op) => {
+const identity = (user, op, resources) => {
 	return op.value;
 };
-const lowerCase = (user, op) => {
+const lowerCase = (user, op, resources) => {
 	return op.value.toLowerCase();
 };
-const givenName = (user, op) => {
-	const familyName$1 = user.name.split(" ").slice(1).join(" ").trim();
+const givenName = (user, op, resources) => {
+	const familyName$1 = (resources.user.name ?? user.name).split(" ").slice(1).join(" ").trim();
 	const givenName$1 = op.value;
 	return getUserFullName(user.email, {
 		givenName: givenName$1,
 		familyName: familyName$1
 	});
 };
-const familyName = (user, op) => {
-	const givenName$1 = (user.name.split(" ").slice(0, -1).join(" ") || user.name).trim();
+const familyName = (user, op, resources) => {
+	const currentName = resources.user.name ?? user.name;
+	const givenName$1 = (currentName.split(" ").slice(0, -1).join(" ") || currentName).trim();
 	const familyName$1 = op.value;
 	return getUserFullName(user.email, {
 		givenName: givenName$1,
@@ -188,18 +198,38 @@ const userPatchMappings = {
 		map: lowerCase
 	}
 };
+const normalizePath = (path) => {
+	return `/${(path.startsWith("/") ? path.slice(1) : path).replaceAll(".", "/")}`;
+};
+const isNestedObject = (value) => {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+};
+const applyMapping = (user, resources, path, value, op) => {
+	const normalizedPath = normalizePath(path);
+	const mapping = userPatchMappings[normalizedPath];
+	if (!mapping) return;
+	const newValue = mapping.map(user, {
+		op,
+		value,
+		path: normalizedPath
+	}, resources);
+	if (op === "add" && mapping.resource === "user") {
+		if (user[mapping.target] === newValue) return;
+	}
+	resources[mapping.resource][mapping.target] = newValue;
+};
+const applyPatchValue = (user, resources, value, op, path) => {
+	if (isNestedObject(value)) for (const [key, nestedValue] of Object.entries(value)) applyPatchValue(user, resources, nestedValue, op, path ? `${path}.${key}` : key);
+	else if (path) applyMapping(user, resources, path, value, op);
+};
 const buildUserPatch = (user, operations) => {
 	const resources = {
 		user: {},
 		account: {}
 	};
 	for (const operation of operations) {
-		if (operation.op !== "replace" || !operation.path) continue;
-		const mapping = userPatchMappings[operation.path];
-		if (mapping) {
-			const resource = resources[mapping.resource];
-			resource[mapping.target] = mapping.map(user, operation);
-		}
+		if (operation.op !== "add" && operation.op !== "replace") continue;
+		applyPatchValue(user, resources, operation.value, operation.op, operation.path);
 	}
 	return resources;
 };
@@ -843,7 +873,7 @@ const listSCIMUsers = (authMiddleware) => createAuthEndpoint("/scim/v2/Users", {
 	},
 	use: [authMiddleware]
 }, async (ctx) => {
-	let apiFilters = parseSCIMAPIUserFilter(ctx.query?.filter);
+	const apiFilters = parseSCIMAPIUserFilter(ctx.query?.filter);
 	ctx.context.logger.info("Querying result with filters: ", apiFilters);
 	const providerId = ctx.context.scimProvider.providerId;
 	const accounts = await ctx.context.adapter.findMany({
@@ -923,11 +953,11 @@ const getSCIMUser = (authMiddleware) => createAuthEndpoint("/scim/v2/Users/:user
 const patchSCIMUserBodySchema = z.object({
 	schemas: z.array(z.string()).refine((s) => s.includes("urn:ietf:params:scim:api:messages:2.0:PatchOp"), { message: "Invalid schemas for PatchOp" }),
 	Operations: z.array(z.object({
-		op: z.enum([
+		op: z.string().toLowerCase().default("replace").pipe(z.enum([
 			"replace",
 			"add",
 			"remove"
-		]).default("replace"),
+		])),
 		path: z.string().optional(),
 		value: z.any()
 	}))
@@ -973,7 +1003,7 @@ const deleteSCIMUser = (authMiddleware) => createAuthEndpoint("/scim/v2/Users/:u
 	method: "DELETE",
 	metadata: {
 		...HIDE_METADATA,
-		allowedMediaTypes: supportedMediaTypes,
+		allowedMediaTypes: [...supportedMediaTypes, ""],
 		openapi: {
 			summary: "Delete SCIM user",
 			description: "Deletes (or deactivates) a user within the linked organization.",

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/scim",
   "author": "Jonathan Samines",
-  "version": "1.4.12-beta.2",
+  "version": "1.4.13",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -49,10 +49,10 @@
   },
   "devDependencies": {
     "tsdown": "^0.17.2",
-    "@better-auth/sso": "1.4.12-beta.2"
+    "@better-auth/sso": "1.4.13"
   },
   "peerDependencies": {
-    "better-auth": "1.4.12-beta.2"
+    "better-auth": "1.4.13"
   },
   "scripts": {
     "test": "vitest",

package/src/middlewares.ts

@@ -33,7 +33,30 @@ export const authMiddlewareFactory = (opts: SCIMOptions) =>
 			});
 		}
 
-		const scimProvider = await ctx.context.adapter.findOne<SCIMProvider>({
+		let scimProvider: Omit<SCIMProvider, "id"> | null =
+			opts.defaultSCIM?.find((p) => {
+				if (p.providerId === providerId && !organizationId) {
+					return true;
+				}
+
+				return !!(
+					p.providerId === providerId &&
+					organizationId &&
+					p.organizationId === organizationId
+				);
+			}) ?? null;
+
+		if (scimProvider) {
+			if (scimProvider.scimToken === scimToken) {
+				return { authSCIMToken: scimProvider.scimToken, scimProvider };
+			} else {
+				throw new SCIMAPIError("UNAUTHORIZED", {
+					detail: "Invalid SCIM token",
+				});
+			}
+		}
+
+		scimProvider = await ctx.context.adapter.findOne<SCIMProvider>({
 			model: "scimProvider",
 			where: [
 				{ field: "providerId", value: providerId },

package/src/patch-operations.ts

@@ -10,19 +10,25 @@ type Operation = {
 type Mapping = {
 	target: string;
 	resource: "user" | "account";
-	map: (user: User, op: Operation) => any;
+	map: (user: User, op: Operation, resources: Resources) => any;
 };
 
-const identity = (user: User, op: Operation) => {
+type Resources = {
+	user: Record<string, any>;
+	account: Record<string, any>;
+};
+
+const identity = (user: User, op: Operation, resources: Resources) => {
 	return op.value;
 };
 
-const lowerCase = (user: User, op: Operation) => {
+const lowerCase = (user: User, op: Operation, resources: Resources) => {
 	return op.value.toLowerCase();
 };
 
-const givenName = (user: User, op: Operation) => {
-	const familyName = user.name.split(" ").slice(1).join(" ").trim();
+const givenName = (user: User, op: Operation, resources: Resources) => {
+	const currentName = (resources.user.name as string) ?? user.name;
+	const familyName = currentName.split(" ").slice(1).join(" ").trim();
 	const givenName = op.value;
 
 	return getUserFullName(user.email, {
@@ -31,9 +37,10 @@ const givenName = (user: User, op: Operation) => {
 	});
 };
 
-const familyName = (user: User, op: Operation) => {
+const familyName = (user: User, op: Operation, resources: Resources) => {
+	const currentName = (resources.user.name as string) ?? user.name;
 	const givenName = (
-		user.name.split(" ").slice(0, -1).join(" ") || user.name
+		currentName.split(" ").slice(0, -1).join(" ") || currentName
 	).trim();
 	const familyName = op.value;
 	return getUserFullName(user.email, {
@@ -58,22 +65,83 @@ const userPatchMappings: Record<string, Mapping> = {
 	"/userName": { resource: "user", target: "email", map: lowerCase },
 };
 
+const normalizePath = (path: string): string => {
+	const withoutLeadingSlash = path.startsWith("/") ? path.slice(1) : path;
+	return `/${withoutLeadingSlash.replaceAll(".", "/")}`;
+};
+
+const isNestedObject = (value: unknown): value is Record<string, unknown> => {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+};
+
+const applyMapping = (
+	user: User,
+	resources: Resources,
+	path: string,
+	value: unknown,
+	op: "add" | "replace",
+) => {
+	const normalizedPath = normalizePath(path);
+	const mapping = userPatchMappings[normalizedPath];
+
+	if (!mapping) {
+		return;
+	}
+
+	const newValue = mapping.map(
+		user,
+		{
+			op,
+			value,
+			path: normalizedPath,
+		},
+		resources,
+	);
+
+	if (op === "add" && mapping.resource === "user") {
+		const currentValue = (user as Record<string, unknown>)[mapping.target];
+		if (currentValue === newValue) {
+			return;
+		}
+	}
+
+	resources[mapping.resource][mapping.target] = newValue;
+};
+
+const applyPatchValue = (
+	user: User,
+	resources: Resources,
+	value: unknown,
+	op: "add" | "replace",
+	path?: string | undefined,
+) => {
+	if (isNestedObject(value)) {
+		for (const [key, nestedValue] of Object.entries(value)) {
+			const nestedPath = path ? `${path}.${key}` : key;
+			applyPatchValue(user, resources, nestedValue, op, nestedPath);
+		}
+	} else if (path) {
+		applyMapping(user, resources, path, value, op);
+	}
+};
+
 export const buildUserPatch = (user: User, operations: Operation[]) => {
 	const userPatch: Record<string, any> = {};
 	const accountPatch: Record<string, any> = {};
-
-	const resources = { user: userPatch, account: accountPatch };
+	const resources: Resources = { user: userPatch, account: accountPatch };
 
 	for (const operation of operations) {
-		if (operation.op !== "replace" || !operation.path) {
+		if (operation.op !== "add" && operation.op !== "replace") {
 			continue;
 		}
 
-		const mapping = userPatchMappings[operation.path];
-		if (mapping) {
-			const resource = resources[mapping.resource];
-			resource[mapping.target] = mapping.map(user, operation);
-		}
+		applyPatchValue(
+			user,
+			resources,
+			operation.value,
+			operation.op,
+			operation.path,
+		);
 	}
 
 	return resources;

package/src/routes.ts

@@ -430,7 +430,7 @@ export const listSCIMUsers = (authMiddleware: AuthMiddleware) =>
 			use: [authMiddleware],
 		},
 		async (ctx) => {
-			let apiFilters: DBFilter[] = parseSCIMAPIUserFilter(ctx.query?.filter);
+			const apiFilters: DBFilter[] = parseSCIMAPIUserFilter(ctx.query?.filter);
 
 			ctx.context.logger.info("Querying result with filters: ", apiFilters);
 
@@ -536,7 +536,11 @@ const patchSCIMUserBodySchema = z.object({
 		),
 	Operations: z.array(
 		z.object({
-			op: z.enum(["replace", "add", "remove"]).default("replace"),
+			op: z
+				.string()
+				.toLowerCase()
+				.default("replace")
+				.pipe(z.enum(["replace", "add", "remove"])),
 			path: z.string().optional(),
 			value: z.any(),
 		}),
@@ -623,7 +627,7 @@ export const deleteSCIMUser = (authMiddleware: AuthMiddleware) =>
 			method: "DELETE",
 			metadata: {
 				...HIDE_METADATA,
-				allowedMediaTypes: supportedMediaTypes,
+				allowedMediaTypes: [...supportedMediaTypes, ""],
 				openapi: {
 					summary: "Delete SCIM user",
 					description:

package/src/scim.test.ts

@@ -9,99 +9,99 @@ import { scim } from ".";
 import { scimClient } from "./client";
 import type { SCIMOptions } from "./types";
 
-describe("SCIM", () => {
+const createTestInstance = (scimOptions?: SCIMOptions) => {
 	const testUser = {
 		email: "test@email.com",
 		password: "password",
 		name: "Test User",
 	};
 
-	const createTestInstance = (scimOptions?: SCIMOptions) => {
-		const data = {
-			user: [],
-			session: [],
-			verification: [],
-			account: [],
-			ssoProvider: [],
-			scimProvider: [],
-			organization: [],
-			member: [],
-		};
-		const memory = memoryAdapter(data);
-
-		const auth = betterAuth({
-			database: memory,
-			baseURL: "http://localhost:3000",
-			emailAndPassword: {
-				enabled: true,
-			},
-			plugins: [sso(), scim(scimOptions), organization()],
-		});
+	const data = {
+		user: [],
+		session: [],
+		verification: [],
+		account: [],
+		ssoProvider: [],
+		scimProvider: [],
+		organization: [],
+		member: [],
+	};
+	const memory = memoryAdapter(data);
+
+	const auth = betterAuth({
+		database: memory,
+		baseURL: "http://localhost:3000",
+		emailAndPassword: {
+			enabled: true,
+		},
+		plugins: [sso(), scim(scimOptions), organization()],
+	});
 
-		const authClient = createAuthClient({
-			baseURL: "http://localhost:3000",
-			plugins: [bearer(), scimClient()],
-			fetchOptions: {
-				customFetchImpl: async (url, init) => {
-					return auth.handler(new Request(url, init));
-				},
+	const authClient = createAuthClient({
+		baseURL: "http://localhost:3000",
+		plugins: [bearer(), scimClient()],
+		fetchOptions: {
+			customFetchImpl: async (url, init) => {
+				return auth.handler(new Request(url, init));
 			},
-		});
-
-		async function getAuthCookieHeaders() {
-			const headers = new Headers();
-
-			await authClient.signUp.email({
-				email: testUser.email,
-				password: testUser.password,
-				name: testUser.name,
-			});
+		},
+	});
 
-			await authClient.signIn.email(testUser, {
-				throw: true,
-				onSuccess: setCookieToHeader(headers),
-			});
+	async function getAuthCookieHeaders() {
+		const headers = new Headers();
 
-			return headers;
-		}
+		await authClient.signUp.email({
+			email: testUser.email,
+			password: testUser.password,
+			name: testUser.name,
+		});
 
-		async function getSCIMToken(
-			providerId: string = "the-saml-provider-1",
-			organizationId?: string,
-		) {
-			const headers = await getAuthCookieHeaders();
-			const { scimToken } = await auth.api.generateSCIMToken({
-				body: {
-					providerId,
-					organizationId,
-				},
-				headers,
-			});
+		await authClient.signIn.email(testUser, {
+			throw: true,
+			onSuccess: setCookieToHeader(headers),
+		});
 
-			return scimToken;
-		}
+		return headers;
+	}
+
+	async function getSCIMToken(
+		providerId: string = "the-saml-provider-1",
+		organizationId?: string,
+	) {
+		const headers = await getAuthCookieHeaders();
+		const { scimToken } = await auth.api.generateSCIMToken({
+			body: {
+				providerId,
+				organizationId,
+			},
+			headers,
+		});
 
-		async function registerOrganization(org: string) {
-			const headers = await getAuthCookieHeaders();
+		return scimToken;
+	}
 
-			return await auth.api.createOrganization({
-				body: {
-					slug: `the-${org}`,
-					name: `the organization ${org}`,
-				},
-				headers,
-			});
-		}
+	async function registerOrganization(org: string) {
+		const headers = await getAuthCookieHeaders();
 
-		return {
-			auth,
-			authClient,
-			registerOrganization,
-			getSCIMToken,
-			getAuthCookieHeaders,
-		};
+		return await auth.api.createOrganization({
+			body: {
+				slug: `the-${org}`,
+				name: `the organization ${org}`,
+			},
+			headers,
+		});
+	}
+
+	return {
+		auth,
+		authClient,
+		registerOrganization,
+		getSCIMToken,
+		getAuthCookieHeaders,
 	};
+};
 
+describe("SCIM", () => {
 	describe("POST /scim/generate-token", () => {
 		it("should require user session", async () => {
 			const { auth } = createTestInstance();
@@ -1310,7 +1310,86 @@ describe("SCIM", () => {
 	});
 
 	describe("PATCH /scim/v2/users", () => {
-		it("should partially update a user resource", async () => {
+		it.each([
+			"replace",
+			"add",
+		])("should partially update a user resource with %s", async (op) => {
+			const { auth, getSCIMToken } = createTestInstance();
+			const scimToken = await getSCIMToken();
+
+			const user = await auth.api.createSCIMUser({
+				body: {
+					userName: "the-username",
+					name: {
+						formatted: "Juan Perez",
+					},
+					emails: [{ value: "primary-email@test.com", primary: true }],
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			expect(user).toBeTruthy();
+			expect(user.externalId).toBe("the-username");
+			expect(user.userName).toBe("primary-email@test.com");
+			expect(user.name.formatted).toBe("Juan Perez");
+			expect(user.emails[0]?.value).toBe("primary-email@test.com");
+
+			await auth.api.patchSCIMUser({
+				params: {
+					userId: user.id,
+				},
+				body: {
+					schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+					Operations: [
+						{ op: op, path: "/externalId", value: "external-username" },
+						{ op: op, path: "/userName", value: "other-username" },
+						{ op: op, path: "/name/givenName", value: "Daniel" },
+					],
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			const updatedUser = await auth.api.getSCIMUser({
+				params: {
+					userId: user.id,
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			expect(updatedUser).toMatchObject({
+				active: true,
+				displayName: "Daniel Perez",
+				emails: [
+					{
+						primary: true,
+						value: "other-username",
+					},
+				],
+				externalId: "external-username",
+				id: expect.any(String),
+				meta: expect.objectContaining({
+					created: expect.any(Date),
+					lastModified: expect.any(Date),
+					location: expect.stringContaining("/api/auth/scim/v2/Users/"),
+					resourceType: "User",
+				}),
+				name: {
+					formatted: "Daniel Perez",
+				},
+				schemas: expect.arrayContaining([
+					"urn:ietf:params:scim:schemas:core:2.0:User",
+				]),
+				userName: "other-username",
+			});
+		});
+
+		it("should partially update a user resource with mixed operations", async () => {
 			const { auth, getSCIMToken } = createTestInstance();
 			const scimToken = await getSCIMToken();
 
@@ -1340,9 +1419,9 @@ describe("SCIM", () => {
 				body: {
 					schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
 					Operations: [
-						{ op: "replace", path: "/externalId", value: "external-username" },
+						{ op: "add", path: "/externalId", value: "external-username" },
 						{ op: "replace", path: "/userName", value: "other-username" },
-						{ op: "replace", path: "/name/formatted", value: "Daniel Lopez" },
+						{ op: "add", path: "/name/formatted", value: "Daniel Lopez" },
 					],
 				},
 				headers: {
@@ -1386,6 +1465,356 @@ describe("SCIM", () => {
 			});
 		});
 
+		it.each([
+			"replace",
+			"add",
+		])("should partially update multiple name sub-attributes with %s", async (op) => {
+			const { auth, getSCIMToken } = createTestInstance();
+			const scimToken = await getSCIMToken();
+
+			const user = await auth.api.createSCIMUser({
+				body: {
+					userName: "sub-attribute-test-user",
+					name: {
+						formatted: "Original Name",
+					},
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			await auth.api.patchSCIMUser({
+				params: { userId: user.id },
+				body: {
+					schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+					Operations: [
+						{ op: op, path: "/name/givenName", value: "Updated" },
+						{ op: op, path: "/name/familyName", value: "Value" },
+					],
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			const updatedUser = await auth.api.getSCIMUser({
+				params: { userId: user.id },
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			expect(updatedUser.name.formatted).toBe("Updated Value");
+		});
+
+		it.each([
+			"replace",
+			"add",
+		])("should %s nested object values with path prefix", async (op) => {
+			const { auth, getSCIMToken } = createTestInstance();
+			const scimToken = await getSCIMToken();
+
+			const user = await auth.api.createSCIMUser({
+				body: {
+					userName: "nested-test-user",
+					name: { formatted: "Original Name" },
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			await auth.api.patchSCIMUser({
+				params: { userId: user.id },
+				body: {
+					schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+					Operations: [
+						{
+							op: op,
+							path: "name",
+							value: { givenName: "Nested" },
+						},
+						{
+							op: op,
+							path: "name",
+							value: { familyName: "User" },
+						},
+						{
+							op: op,
+							path: "userName",
+							value: "nested-test-user-updated",
+						},
+					],
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			const updatedUser = await auth.api.getSCIMUser({
+				params: { userId: user.id },
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			expect(updatedUser.name.formatted).toBe("Nested User");
+			expect(updatedUser.displayName).toBe("Nested User");
+			expect(updatedUser.userName).toBe("nested-test-user-updated");
+		});
+
+		it.each([
+			"replace",
+			"add",
+		])("should support operations without explicit path with %s", async (op) => {
+			const { auth, getSCIMToken } = createTestInstance();
+			const scimToken = await getSCIMToken();
+
+			const user = await auth.api.createSCIMUser({
+				body: {
+					userName: "no-path-test-user",
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			await auth.api.patchSCIMUser({
+				params: { userId: user.id },
+				body: {
+					schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+					Operations: [
+						{
+							op: op,
+							value: {
+								name: { formatted: "No Path Name" },
+								userName: "Username",
+							},
+						},
+					],
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			const updatedUser = await auth.api.getSCIMUser({
+				params: { userId: user.id },
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			expect(updatedUser.name.formatted).toBe("No Path Name");
+			expect(updatedUser.userName).toBe("username");
+		});
+
+		it("should support dot notation in paths", async () => {
+			const { auth, getSCIMToken } = createTestInstance();
+			const scimToken = await getSCIMToken();
+
+			const user = await auth.api.createSCIMUser({
+				body: {
+					userName: "dot-notation-user",
+					name: { formatted: "Original Name" },
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			await auth.api.patchSCIMUser({
+				params: { userId: user.id },
+				body: {
+					schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+					Operations: [
+						{ op: "replace", path: "name.familyName", value: "Dot" },
+						{ op: "add", path: "name.givenName", value: "User" },
+						{ op: "add", path: "userName", value: "Username" },
+					],
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			const updatedUser = await auth.api.getSCIMUser({
+				params: { userId: user.id },
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			expect(updatedUser.name.formatted).toBe("User Dot");
+			expect(updatedUser.userName).toBe("username");
+		});
+
+		it.each([
+			"replace",
+			"add",
+		])("should handle %s operation case-insensitively", async (op) => {
+			const { auth, getSCIMToken } = createTestInstance();
+			const scimToken = await getSCIMToken();
+
+			const user = await auth.api.createSCIMUser({
+				body: {
+					userName: "user-case-insensitive",
+					name: { formatted: "Original" },
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			await auth.api.patchSCIMUser({
+				params: { userId: user.id },
+				body: {
+					schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+					Operations: [
+						{
+							op: op.toUpperCase(),
+							path: "name.formatted",
+							value: "user-case",
+						},
+					],
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			const updatedUser = await auth.api.getSCIMUser({
+				params: { userId: user.id },
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			expect(updatedUser.name.formatted).toBe("user-case");
+		});
+
+		it("should skip add operation when value already exists", async () => {
+			const { auth, getSCIMToken } = createTestInstance();
+			const scimToken = await getSCIMToken();
+
+			const user = await auth.api.createSCIMUser({
+				body: {
+					userName: "add-same-info-user",
+					name: { formatted: "Existing Name" },
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			const patchUser = () =>
+				auth.api.patchSCIMUser({
+					params: { userId: user.id },
+					body: {
+						schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+						Operations: [
+							{ op: "add", path: "/name/formatted", value: "Existing Name" },
+						],
+					},
+					headers: {
+						authorization: `Bearer ${scimToken}`,
+					},
+				});
+
+			await expect(patchUser()).rejects.toThrowError(
+				expect.objectContaining({
+					message: "No valid fields to update",
+					body: {
+						detail: "No valid fields to update",
+						schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
+						status: "400",
+					},
+				}),
+			);
+		});
+
+		it.each([
+			"replace",
+			"add",
+		])("should ignore %s on non-existing path", async (op) => {
+			const { auth, getSCIMToken } = createTestInstance();
+			const scimToken = await getSCIMToken();
+
+			const user = await auth.api.createSCIMUser({
+				body: {
+					userName: "non-existing-path",
+					name: { formatted: "Original Name" },
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			const patchUser = () =>
+				auth.api.patchSCIMUser({
+					params: { userId: user.id },
+					body: {
+						schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+						Operations: [
+							{ op: op, path: "/nonExistentField", value: "Some Value" },
+						],
+					},
+					headers: {
+						authorization: `Bearer ${scimToken}`,
+					},
+				});
+
+			await expect(patchUser()).rejects.toThrowError(
+				expect.objectContaining({
+					message: "No valid fields to update",
+					body: {
+						detail: "No valid fields to update",
+						schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
+						status: "400",
+					},
+				}),
+			);
+		});
+
+		it("should ignore non-existing operation", async () => {
+			const { auth, getSCIMToken } = createTestInstance();
+			const scimToken = await getSCIMToken();
+
+			const user = await auth.api.createSCIMUser({
+				body: {
+					userName: "non-existing-operation",
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			const patchUser = () =>
+				auth.api.patchSCIMUser({
+					params: { userId: user.id },
+					body: {
+						schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+						Operations: [
+							{ op: "update", path: "userName", value: "Some Value" },
+						],
+					},
+					headers: {
+						authorization: `Bearer ${scimToken}`,
+					},
+				});
+
+			await expect(patchUser()).rejects.toThrowError(
+				expect.objectContaining({
+					body: {
+						code: "VALIDATION_ERROR",
+						message:
+							'[body.Operations.0.op] Invalid option: expected one of "replace"|"add"|"remove"',
+					},
+				}),
+			);
+		});
+
 		it("should return not found for missing users", async () => {
 			const { auth, getSCIMToken } = createTestInstance();
 			const scimToken = await getSCIMToken();
@@ -1992,4 +2421,105 @@ describe("SCIM", () => {
 			);
 		});
 	});
+
+	describe("Default SCIM provider", () => {
+		it("should work with a default SCIM provider", async () => {
+			const scimToken = "dGhlLXNjaW0tdG9rZW46dGhlLXNjaW0tcHJvdmlkZXI="; // base64(scimToken:providerId)
+			const { auth } = createTestInstance({
+				defaultSCIM: [
+					{
+						providerId: "the-scim-provider",
+						scimToken: "the-scim-token",
+					},
+				],
+			});
+
+			const createdUser = await auth.api.createSCIMUser({
+				body: {
+					userName: "the-username",
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			expect(createdUser.id).toBeTruthy();
+
+			const user = await auth.api.getSCIMUser({
+				params: {
+					userId: createdUser.id,
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			expect(user).toEqual(createdUser);
+
+			const users = await auth.api.listSCIMUsers({
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			expect(users.Resources).toEqual([createdUser]);
+
+			const updatedUser = await auth.api.updateSCIMUser({
+				params: {
+					userId: user.id,
+				},
+				body: {
+					userName: "new-username",
+				},
+				headers: {
+					authorization: `Bearer ${scimToken}`,
+				},
+			});
+
+			expect(updatedUser.userName).toBe("new-username");
+
+			await expect(
+				auth.api.deleteSCIMUser({
+					params: {
+						userId: user.id,
+					},
+					headers: {
+						authorization: `Bearer ${scimToken}`,
+					},
+				}),
+			).resolves.toBe(undefined);
+		});
+
+		it("should reject invalid SCIM tokens", async () => {
+			const { auth } = createTestInstance({
+				defaultSCIM: [
+					{
+						providerId: "the-scim-provider",
+						scimToken: "the-scim-token",
+					},
+				],
+			});
+
+			const createUser = () =>
+				auth.api.createSCIMUser({
+					body: {
+						userName: "the-username",
+					},
+					headers: {
+						authorization: `Bearer invalid-scim-token`,
+					},
+				});
+
+			await expect(createUser()).rejects.toThrow(
+				expect.objectContaining({
+					message: "Invalid SCIM token",
+					body: {
+						detail: "Invalid SCIM token",
+						schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
+						status: "401",
+					},
+				}),
+			);
+		});
+	});
 });

package/src/types.ts

@@ -17,6 +17,11 @@ export type SCIMName = {
 export type SCIMEmail = { value?: string; primary?: boolean };
 
 export type SCIMOptions = {
+	/**
+	 * Default list of SCIM providers for testing
+	 * These will take precedence over the database when present
+	 */
+	defaultSCIM?: Omit<SCIMProvider, "id">[];
 	/**
 	 * A callback that runs before a new SCIM token is generated.
 	 * @returns