npm - @better-auth/scim - Versions diffs - 1.6.0-beta.0 → 1.6.0 - Mend

@better-auth/scim 1.6.0-beta.0 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/client.mjs +1 -1
package/dist/index.d.mts +2365 -2298
package/dist/index.mjs +45 -24
package/dist/{version-BqMHXjG-.mjs → version-Cf5gNNxE.mjs} +1 -1
package/package.json +6 -6

package/dist/index.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-BqMHXjG-.mjs";
+import { t as PACKAGE_VERSION } from "./version-Cf5gNNxE.mjs";
 import { base64Url } from "@better-auth/utils/base64";
 import { APIError, createAuthEndpoint, createAuthMiddleware, sessionMiddleware } from "better-auth/api";
 import { APIError as APIError$1, HIDE_METADATA } from "better-auth";
@@ -614,7 +614,21 @@ const generateSCIMTokenBodySchema = z.object({
 });
 const getSCIMProviderConnectionQuerySchema = z.object({ providerId: z.string() });
 const deleteSCIMProviderConnectionBodySchema = z.object({ providerId: z.string() });
-async function getSCIMUserOrgIds(ctx, userId) {
+function parseMemberRoles(role) {
+	return role.split(",").map((entry) => entry.trim()).filter(Boolean);
+}
+function hasRequiredRole(memberRole, requiredRole) {
+	return !requiredRole.length || parseMemberRoles(memberRole).some((role) => requiredRole.includes(role));
+}
+function resolveRequiredRoles(ctx, opts) {
+	if (opts.requiredRole) return opts.requiredRole;
+	const creatorRole = ctx.context.getPlugin("organization")?.options?.creatorRole;
+	return Array.from(new Set(["admin", creatorRole ?? "owner"]));
+}
+function isProviderOwnershipEnabled(opts) {
+	return opts.providerOwnership?.enabled ?? false;
+}
+async function getSCIMUserOrgMemberships(ctx, userId) {
 	const members = await ctx.context.adapter.findMany({
 		model: "member",
 		where: [{
@@ -622,7 +636,7 @@ async function getSCIMUserOrgIds(ctx, userId) {
 			value: userId
 		}]
 	});
-	return new Set(members.map((m) => m.organizationId));
+	return new Map(members.map((member) => [member.organizationId, parseMemberRoles(member.role)]));
 }
 function normalizeSCIMProvider(provider) {
 	return {
@@ -643,13 +657,15 @@ async function findOrganizationMember(ctx, userId, organizationId) {
 		}]
 	});
 }
-async function assertSCIMProviderAccess(ctx, userId, provider) {
+async function assertSCIMProviderAccess(ctx, userId, provider, requiredRole) {
 	if (provider.organizationId) {
 		if (!ctx.context.hasPlugin("organization")) throw new APIError("FORBIDDEN", { message: "Organization plugin is required to access this SCIM provider" });
-		if (!await findOrganizationMember(ctx, userId, provider.organizationId)) throw new APIError("FORBIDDEN", { message: "You must be a member of the organization to access this provider" });
+		const member = await findOrganizationMember(ctx, userId, provider.organizationId);
+		if (!member) throw new APIError("FORBIDDEN", { message: "You must be a member of the organization to access this provider" });
+		if (!hasRequiredRole(member.role, requiredRole)) throw new APIError("FORBIDDEN", { message: "Insufficient role for this operation" });
 	} else if (provider.userId && provider.userId !== userId) throw new APIError("FORBIDDEN", { message: "You must be the owner to access this provider" });
 }
-async function checkSCIMProviderAccess(ctx, userId, providerId) {
+async function checkSCIMProviderAccess(ctx, userId, providerId, requiredRole) {
 	const provider = await ctx.context.adapter.findOne({
 		model: "scimProvider",
 		where: [{
@@ -658,7 +674,7 @@ async function checkSCIMProviderAccess(ctx, userId, providerId) {
 		}]
 	});
 	if (!provider) throw new APIError("NOT_FOUND", { message: "SCIM provider not found" });
-	await assertSCIMProviderAccess(ctx, userId, provider);
+	await assertSCIMProviderAccess(ctx, userId, provider, requiredRole);
 	return provider;
 }
 const generateSCIMToken = (opts) => createAuthEndpoint("/scim/generate-token", {
@@ -682,12 +698,14 @@ const generateSCIMToken = (opts) => createAuthEndpoint("/scim/generate-token", {
 }, async (ctx) => {
 	const { providerId, organizationId } = ctx.body;
 	const user = ctx.context.session.user;
+	const requiredRole = resolveRequiredRoles(ctx, opts);
 	if (providerId.includes(":")) throw new APIError("BAD_REQUEST", { message: "Provider id contains forbidden characters" });
 	if (organizationId && !ctx.context.hasPlugin("organization")) throw new APIError("BAD_REQUEST", { message: "Restricting a token to an organization requires the organization plugin" });
 	let member = null;
 	if (organizationId) {
 		member = await findOrganizationMember(ctx, user.id, organizationId);
 		if (!member) throw new APIError("FORBIDDEN", { message: "You are not a member of the organization" });
+		if (!hasRequiredRole(member.role, requiredRole)) throw new APIError("FORBIDDEN", { message: "Insufficient role for this operation" });
 	}
 	const scimProvider = await ctx.context.adapter.findOne({
 		model: "scimProvider",
@@ -700,7 +718,7 @@ const generateSCIMToken = (opts) => createAuthEndpoint("/scim/generate-token", {
 		}] : []]
 	});
 	if (scimProvider) {
-		await assertSCIMProviderAccess(ctx, user.id, scimProvider);
+		await assertSCIMProviderAccess(ctx, user.id, scimProvider, requiredRole);
 		await ctx.context.adapter.delete({
 			model: "scimProvider",
 			where: [{
@@ -722,7 +740,7 @@ const generateSCIMToken = (opts) => createAuthEndpoint("/scim/generate-token", {
 			providerId,
 			organizationId,
 			scimToken: await storeSCIMToken(ctx, opts, baseToken),
-			...opts.providerOwnership?.enabled ? { userId: user.id } : {}
+			...isProviderOwnershipEnabled(opts) ? { userId: user.id } : {}
 		}
 	});
 	if (opts.afterSCIMTokenGenerated) await opts.afterSCIMTokenGenerated({
@@ -734,13 +752,13 @@ const generateSCIMToken = (opts) => createAuthEndpoint("/scim/generate-token", {
 	ctx.setStatus(201);
 	return ctx.json({ scimToken });
 });
-const listSCIMProviderConnections = () => createAuthEndpoint("/scim/list-provider-connections", {
+const listSCIMProviderConnections = (opts) => createAuthEndpoint("/scim/list-provider-connections", {
 	method: "GET",
 	use: [sessionMiddleware],
 	metadata: { openapi: {
 		operationId: "listSCIMProviderConnections",
 		summary: "List SCIM providers",
-		description: "Returns SCIM providers for organizations the user is a member of.",
+		description: "Returns SCIM providers the user owns or has the required org role for.",
 		responses: { "200": {
 			description: "List of SCIM providers",
 			content: { "application/json": { schema: {
@@ -764,15 +782,18 @@ const listSCIMProviderConnections = () => createAuthEndpoint("/scim/list-provide
 	} }
 }, async (ctx) => {
 	const userId = ctx.context.session.user.id;
-	const userOrgIds = ctx.context.hasPlugin("organization") ? await getSCIMUserOrgIds(ctx, userId) : /* @__PURE__ */ new Set();
+	const requiredRole = resolveRequiredRoles(ctx, opts);
+	const orgMemberships = ctx.context.hasPlugin("organization") ? await getSCIMUserOrgMemberships(ctx, userId) : /* @__PURE__ */ new Map();
 	const providers = (await ctx.context.adapter.findMany({ model: "scimProvider" })).filter((p) => {
-		if (p.organizationId) return userOrgIds.has(p.organizationId);
-		if (p.userId === userId) return true;
-		return !p.userId;
+		if (p.organizationId) {
+			const roles = orgMemberships.get(p.organizationId);
+			return roles ? !requiredRole.length || roles.some((role) => requiredRole.includes(role)) : false;
+		}
+		return p.userId === userId || !p.userId;
 	}).map((p) => normalizeSCIMProvider(p));
 	return ctx.json({ providers });
 });
-const getSCIMProviderConnection = () => createAuthEndpoint("/scim/get-provider-connection", {
+const getSCIMProviderConnection = (opts) => createAuthEndpoint("/scim/get-provider-connection", {
 	method: "GET",
 	use: [sessionMiddleware],
 	query: getSCIMProviderConnectionQuerySchema,
@@ -802,10 +823,10 @@ const getSCIMProviderConnection = () => createAuthEndpoint("/scim/get-provider-c
 }, async (ctx) => {
 	const { providerId } = ctx.query;
 	const userId = ctx.context.session.user.id;
-	const provider = await checkSCIMProviderAccess(ctx, userId, providerId);
+	const provider = await checkSCIMProviderAccess(ctx, userId, providerId, resolveRequiredRoles(ctx, opts));
 	return ctx.json(normalizeSCIMProvider(provider));
 });
-const deleteSCIMProviderConnection = () => createAuthEndpoint("/scim/delete-provider-connection", {
+const deleteSCIMProviderConnection = (opts) => createAuthEndpoint("/scim/delete-provider-connection", {
 	method: "POST",
 	use: [sessionMiddleware],
 	body: deleteSCIMProviderConnectionBodySchema,
@@ -828,7 +849,7 @@ const deleteSCIMProviderConnection = () => createAuthEndpoint("/scim/delete-prov
 }, async (ctx) => {
 	const { providerId } = ctx.body;
 	const userId = ctx.context.session.user.id;
-	await checkSCIMProviderAccess(ctx, userId, providerId);
+	await checkSCIMProviderAccess(ctx, userId, providerId, resolveRequiredRoles(ctx, opts));
 	await ctx.context.adapter.delete({
 		model: "scimProvider",
 		where: [{
@@ -1417,18 +1438,18 @@ const parseSCIMAPIUserFilter = (filter) => {
 const scim = (options) => {
 	const opts = {
 		storeSCIMToken: "plain",
-		providerOwnership: { enabled: false },
 		...options
 	};
+	const providerOwnershipEnabled = options?.providerOwnership?.enabled ?? false;
 	const authMiddleware = authMiddlewareFactory(opts);
 	return {
 		id: "scim",
 		version: PACKAGE_VERSION,
 		endpoints: {
 			generateSCIMToken: generateSCIMToken(opts),
-			listSCIMProviderConnections: listSCIMProviderConnections(),
-			getSCIMProviderConnection: getSCIMProviderConnection(),
-			deleteSCIMProviderConnection: deleteSCIMProviderConnection(),
+			listSCIMProviderConnections: listSCIMProviderConnections(opts),
+			getSCIMProviderConnection: getSCIMProviderConnection(opts),
+			deleteSCIMProviderConnection: deleteSCIMProviderConnection(opts),
 			getSCIMUser: getSCIMUser(authMiddleware),
 			createSCIMUser: createSCIMUser(authMiddleware),
 			patchSCIMUser: patchSCIMUser(authMiddleware),
@@ -1456,7 +1477,7 @@ const scim = (options) => {
 				type: "string",
 				required: false
 			},
-			...opts.providerOwnership?.enabled ? { userId: {
+			...providerOwnershipEnabled ? { userId: {
 				type: "string",
 				required: false
 			} } : {}

package/dist/{version-BqMHXjG-.mjs → version-Cf5gNNxE.mjs} RENAMED Viewed

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.0-beta.0";
+const PACKAGE_VERSION = "1.6.0";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/scim",
-  "version": "1.6.0-beta.0",
+  "version": "1.6.0",
   "description": "SCIM plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -54,14 +54,14 @@
   },
   "devDependencies": {
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.0-beta.0",
-    "@better-auth/sso": "1.6.0-beta.0"
+    "@better-auth/core": "1.6.0",
+    "@better-auth/sso": "1.6.0"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.0",
-    "better-call": "2.0.3",
-    "@better-auth/core": "^1.6.0-beta.0",
-    "better-auth": "^1.6.0-beta.0"
+    "better-call": "1.3.5",
+    "@better-auth/core": "^1.6.0",
+    "better-auth": "^1.6.0"
   },
   "scripts": {
     "build": "tsdown",