@better-auth/scim 1.5.0-beta.9 → 1.5.0

package/package.json

@@ -1,25 +1,31 @@
 {
   "name": "@better-auth/scim",
-  "author": "Jonathan Samines",
-  "version": "1.5.0-beta.9",
+  "version": "1.5.0",
+  "description": "SCIM plugin for Better Auth",
   "type": "module",
-  "main": "dist/index.mjs",
-  "types": "dist/index.d.mts",
   "license": "MIT",
+  "homepage": "https://www.better-auth.com/docs/plugins/scim",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/better-auth/better-auth.git",
     "directory": "packages/scim"
   },
+  "author": "Jonathan Samines",
   "keywords": [
     "auth",
-    "scim"
+    "scim",
+    "typescript",
+    "better-auth"
   ],
   "publishConfig": {
     "access": "public"
   },
-  "module": "dist/index.mjs",
-  "description": "SCIM plugin for Better Auth",
+  "files": [
+    "dist"
+  ],
+  "main": "./dist/index.mjs",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.mts",
   "exports": {
     ".": {
       "dev-source": "./src/index.ts",
@@ -43,26 +49,26 @@
     }
   },
   "dependencies": {
-    "@better-auth/utils": "0.3.0",
-    "better-call": "1.2.0",
-    "zod": "^4.3.5"
+    "@better-auth/utils": "0.3.1",
+    "better-call": "1.3.2",
+    "zod": "^4.3.6"
   },
   "devDependencies": {
-    "tsdown": "^0.19.0",
-    "@better-auth/core": "1.5.0-beta.9",
-    "@better-auth/sso": "1.5.0-beta.9"
+    "tsdown": "^0.20.3",
+    "@better-auth/core": "1.5.0",
+    "@better-auth/sso": "1.5.0"
   },
   "peerDependencies": {
-    "@better-auth/core": "1.5.0-beta.9",
-    "better-auth": "1.5.0-beta.9"
+    "@better-auth/core": "1.5.0",
+    "better-auth": "1.5.0"
   },
   "scripts": {
-    "test": "vitest",
-    "coverage": "vitest run --coverage --coverage.provider=istanbul",
-    "lint:package": "publint run --strict",
-    "lint:types": "attw --profile esm-only --pack .",
     "build": "tsdown",
     "dev": "tsdown --watch",
-    "typecheck": "tsc --project tsconfig.json"
+    "lint:package": "publint run --strict",
+    "lint:types": "attw --profile esm-only --pack .",
+    "typecheck": "tsc --project tsconfig.json",
+    "test": "vitest",
+    "coverage": "vitest run --coverage --coverage.provider=istanbul"
   }
 }

package/.turbo/turbo-build.log

@@ -1,15 +0,0 @@
-
-> @better-auth/scim@1.5.0-beta.9 build /home/runner/work/better-auth/better-auth/packages/scim
-> tsdown
-
-ℹ tsdown v0.19.0 powered by rolldown v1.0.0-beta.59
-ℹ config file: /home/runner/work/better-auth/better-auth/packages/scim/tsdown.config.ts 
-ℹ entry: src/index.ts, src/client.ts
-ℹ tsconfig: tsconfig.json
-ℹ Build start
-ℹ dist/index.mjs      39.48 kB │ gzip: 8.06 kB
-ℹ dist/client.mjs      0.15 kB │ gzip: 0.14 kB
-ℹ dist/index.d.mts   108.72 kB │ gzip: 4.42 kB
-ℹ dist/client.d.mts    0.20 kB │ gzip: 0.17 kB
-ℹ 4 files, total: 148.54 kB
-✔ Build complete in 7981ms

package/src/client.ts

@@ -1,9 +0,0 @@
-import type { BetterAuthClientPlugin } from "better-auth";
-import type { scim } from "./index";
-
-export const scimClient = () => {
-	return {
-		id: "scim-client",
-		$InferServerPlugin: {} as ReturnType<typeof scim>,
-	} satisfies BetterAuthClientPlugin;
-};

package/src/index.ts

@@ -1,76 +0,0 @@
-import type { BetterAuthPlugin } from "better-auth";
-import { authMiddlewareFactory } from "./middlewares";
-import {
-	createSCIMUser,
-	deleteSCIMUser,
-	generateSCIMToken,
-	getSCIMResourceType,
-	getSCIMResourceTypes,
-	getSCIMSchema,
-	getSCIMSchemas,
-	getSCIMServiceProviderConfig,
-	getSCIMUser,
-	listSCIMUsers,
-	patchSCIMUser,
-	updateSCIMUser,
-} from "./routes";
-import type { SCIMOptions } from "./types";
-
-declare module "@better-auth/core" {
-	// biome-ignore lint/correctness/noUnusedVariables: Auth and Context need to be same as declared in the module
-	interface BetterAuthPluginRegistry<Auth, Context> {
-		scim: {
-			creator: typeof scim;
-		};
-	}
-}
-
-export const scim = (options?: SCIMOptions) => {
-	const opts = {
-		storeSCIMToken: "plain",
-		...options,
-	} satisfies SCIMOptions;
-
-	const authMiddleware = authMiddlewareFactory(opts);
-
-	return {
-		id: "scim",
-		endpoints: {
-			generateSCIMToken: generateSCIMToken(opts),
-			getSCIMUser: getSCIMUser(authMiddleware),
-			createSCIMUser: createSCIMUser(authMiddleware),
-			patchSCIMUser: patchSCIMUser(authMiddleware),
-			deleteSCIMUser: deleteSCIMUser(authMiddleware),
-			updateSCIMUser: updateSCIMUser(authMiddleware),
-			listSCIMUsers: listSCIMUsers(authMiddleware),
-			getSCIMServiceProviderConfig,
-			getSCIMSchemas,
-			getSCIMSchema,
-			getSCIMResourceTypes,
-			getSCIMResourceType,
-		},
-		schema: {
-			scimProvider: {
-				fields: {
-					providerId: {
-						type: "string",
-						required: true,
-						unique: true,
-					},
-					scimToken: {
-						type: "string",
-						required: true,
-						unique: true,
-					},
-					organizationId: {
-						type: "string",
-						required: false,
-					},
-				},
-			},
-		},
-		options,
-	} satisfies BetterAuthPlugin;
-};
-
-export * from "./types";

package/src/mappings.ts

@@ -1,38 +0,0 @@
-import type { SCIMEmail, SCIMName } from "./types";
-
-export const getAccountId = (userName: string, externalId?: string) => {
-	return externalId ?? userName;
-};
-
-const getFormattedName = (name: SCIMName) => {
-	if (name.givenName && name.familyName) {
-		return `${name.givenName} ${name.familyName}`;
-	}
-
-	if (name.givenName) {
-		return name.givenName;
-	}
-
-	return name.familyName ?? "";
-};
-
-export const getUserFullName = (email: string, name?: SCIMName) => {
-	if (name) {
-		const formatted = name.formatted?.trim() ?? "";
-		if (formatted.length > 0) {
-			return formatted;
-		}
-
-		return getFormattedName(name) || email;
-	}
-
-	return email;
-};
-
-export const getUserPrimaryEmail = (userName: string, emails?: SCIMEmail[]) => {
-	return (
-		emails?.find((email) => email.primary)?.value ??
-		emails?.[0]?.value ??
-		userName
-	);
-};

package/src/middlewares.ts

@@ -1,89 +0,0 @@
-import { base64Url } from "@better-auth/utils/base64";
-import { createAuthMiddleware } from "better-auth/plugins";
-import { SCIMAPIError } from "./scim-error";
-import { verifySCIMToken } from "./scim-tokens";
-import type { SCIMOptions, SCIMProvider } from "./types";
-
-export type AuthMiddleware = ReturnType<typeof authMiddlewareFactory>;
-
-/**
- * The middleware forces the endpoint to have a valid token
- */
-export const authMiddlewareFactory = (opts: SCIMOptions) =>
-	createAuthMiddleware(async (ctx) => {
-		const authHeader = ctx.headers?.get("Authorization");
-		const authSCIMToken = authHeader?.replace(/^Bearer\s+/i, "");
-
-		if (!authSCIMToken) {
-			throw new SCIMAPIError("UNAUTHORIZED", {
-				detail: "SCIM token is required",
-			});
-		}
-
-		const baseScimTokenParts = new TextDecoder()
-			.decode(base64Url.decode(authSCIMToken))
-			.split(":");
-
-		const [scimToken, providerId] = baseScimTokenParts;
-		const organizationId = baseScimTokenParts.slice(2).join(":");
-
-		if (!scimToken || !providerId) {
-			throw new SCIMAPIError("UNAUTHORIZED", {
-				detail: "Invalid SCIM token",
-			});
-		}
-
-		let scimProvider: Omit<SCIMProvider, "id"> | null =
-			opts.defaultSCIM?.find((p) => {
-				if (p.providerId === providerId && !organizationId) {
-					return true;
-				}
-
-				return !!(
-					p.providerId === providerId &&
-					organizationId &&
-					p.organizationId === organizationId
-				);
-			}) ?? null;
-
-		if (scimProvider) {
-			if (scimProvider.scimToken === scimToken) {
-				return { authSCIMToken: scimProvider.scimToken, scimProvider };
-			} else {
-				throw new SCIMAPIError("UNAUTHORIZED", {
-					detail: "Invalid SCIM token",
-				});
-			}
-		}
-
-		scimProvider = await ctx.context.adapter.findOne<SCIMProvider>({
-			model: "scimProvider",
-			where: [
-				{ field: "providerId", value: providerId },
-				...(organizationId
-					? [{ field: "organizationId", value: organizationId }]
-					: []),
-			],
-		});
-
-		if (!scimProvider) {
-			throw new SCIMAPIError("UNAUTHORIZED", {
-				detail: "Invalid SCIM token",
-			});
-		}
-
-		const isValidToken = await verifySCIMToken(
-			ctx,
-			opts,
-			scimProvider.scimToken,
-			scimToken,
-		);
-
-		if (!isValidToken) {
-			throw new SCIMAPIError("UNAUTHORIZED", {
-				detail: "Invalid SCIM token",
-			});
-		}
-
-		return { authSCIMToken: scimToken, scimProvider };
-	});

package/src/patch-operations.ts

@@ -1,148 +0,0 @@
-import type { User } from "better-auth";
-import { getUserFullName } from "./mappings";
-
-type Operation = {
-	op: "add" | "remove" | "replace";
-	value: any;
-	path?: string;
-};
-
-type Mapping = {
-	target: string;
-	resource: "user" | "account";
-	map: (user: User, op: Operation, resources: Resources) => any;
-};
-
-type Resources = {
-	user: Record<string, any>;
-	account: Record<string, any>;
-};
-
-const identity = (user: User, op: Operation, resources: Resources) => {
-	return op.value;
-};
-
-const lowerCase = (user: User, op: Operation, resources: Resources) => {
-	return op.value.toLowerCase();
-};
-
-const givenName = (user: User, op: Operation, resources: Resources) => {
-	const currentName = (resources.user.name as string) ?? user.name;
-	const familyName = currentName.split(" ").slice(1).join(" ").trim();
-	const givenName = op.value;
-
-	return getUserFullName(user.email, {
-		givenName,
-		familyName,
-	});
-};
-
-const familyName = (user: User, op: Operation, resources: Resources) => {
-	const currentName = (resources.user.name as string) ?? user.name;
-	const givenName = (
-		currentName.split(" ").slice(0, -1).join(" ") || currentName
-	).trim();
-	const familyName = op.value;
-	return getUserFullName(user.email, {
-		givenName,
-		familyName,
-	});
-};
-
-const userPatchMappings: Record<string, Mapping> = {
-	"/name/formatted": { resource: "user", target: "name", map: identity },
-	"/name/givenName": { resource: "user", target: "name", map: givenName },
-	"/name/familyName": {
-		resource: "user",
-		target: "name",
-		map: familyName,
-	},
-	"/externalId": {
-		resource: "account",
-		target: "accountId",
-		map: identity,
-	},
-	"/userName": { resource: "user", target: "email", map: lowerCase },
-};
-
-const normalizePath = (path: string): string => {
-	const withoutLeadingSlash = path.startsWith("/") ? path.slice(1) : path;
-	return `/${withoutLeadingSlash.replaceAll(".", "/")}`;
-};
-
-const isNestedObject = (value: unknown): value is Record<string, unknown> => {
-	return typeof value === "object" && value !== null && !Array.isArray(value);
-};
-
-const applyMapping = (
-	user: User,
-	resources: Resources,
-	path: string,
-	value: unknown,
-	op: "add" | "replace",
-) => {
-	const normalizedPath = normalizePath(path);
-	const mapping = userPatchMappings[normalizedPath];
-
-	if (!mapping) {
-		return;
-	}
-
-	const newValue = mapping.map(
-		user,
-		{
-			op,
-			value,
-			path: normalizedPath,
-		},
-		resources,
-	);
-
-	if (op === "add" && mapping.resource === "user") {
-		const currentValue = (user as Record<string, unknown>)[mapping.target];
-		if (currentValue === newValue) {
-			return;
-		}
-	}
-
-	resources[mapping.resource][mapping.target] = newValue;
-};
-
-const applyPatchValue = (
-	user: User,
-	resources: Resources,
-	value: unknown,
-	op: "add" | "replace",
-	path?: string | undefined,
-) => {
-	if (isNestedObject(value)) {
-		for (const [key, nestedValue] of Object.entries(value)) {
-			const nestedPath = path ? `${path}.${key}` : key;
-			applyPatchValue(user, resources, nestedValue, op, nestedPath);
-		}
-	} else if (path) {
-		applyMapping(user, resources, path, value, op);
-	}
-};
-
-export const buildUserPatch = (user: User, operations: Operation[]) => {
-	const userPatch: Record<string, any> = {};
-	const accountPatch: Record<string, any> = {};
-	const resources: Resources = { user: userPatch, account: accountPatch };
-
-	for (const operation of operations) {
-		if (operation.op !== "add" && operation.op !== "replace") {
-			continue;
-		}
-
-		applyPatchValue(
-			user,
-			resources,
-			operation.value,
-			operation.op,
-			operation.path,
-		);
-	}
-
-	return resources;
-};