@blamejs/core 0.14.18 → 0.14.20

package/lib/middleware/fetch-metadata.js

@@ -43,6 +43,52 @@ var observability = lazyRequire(function () { return require("../observability")
 
 var DEFAULT_METHODS = Object.freeze(["POST", "PUT", "DELETE", "PATCH"]);
 
+// Sec-Fetch-Dest request-destination vocabulary (Fetch Standard §3.2.6
+// "destination", https://fetch.spec.whatwg.org/#concept-request-destination;
+// surfaced as the Sec-Fetch-Dest header by the Fetch Metadata Request
+// Headers spec, https://www.w3.org/TR/fetch-metadata/#sec-fetch-dest-header).
+// "webidentity" (FedCM credentialed-request destination,
+// https://w3c.github.io/FedCM/) is included so an operator can recognize
+// and gate FedCM traffic first-class — a webidentity Sec-Fetch-Dest on a
+// route that is not a FedCM identity endpoint is a request worth refusing.
+var KNOWN_DESTINATIONS = Object.freeze([
+  "audio", "audioworklet", "document", "embed", "empty", "fencedframe",
+  "font", "frame", "iframe", "image", "json", "manifest", "object",
+  "paintworklet", "report", "script", "serviceworker", "sharedworker",
+  "style", "track", "video", "webidentity", "worker", "xslt",
+]);
+var KNOWN_DEST_SET = Object.create(null);
+(function () {
+  for (var i = 0; i < KNOWN_DESTINATIONS.length; i += 1) {
+    KNOWN_DEST_SET[KNOWN_DESTINATIONS[i]] = true;
+  }
+})();
+
+// Sec-Fetch-Storage-Access status values (Storage Access API,
+// https://privacycg.github.io/storage-access-headers/ — the header is
+// distinct from Sec-Fetch-Dest). The browser sends this only on cross-site
+// credentialed requests. "active" / "inactive" both indicate the embedded
+// context can (active) or could (inactive, permission granted but not yet
+// exercised) reach unpartitioned cross-site cookies; "none" carries no
+// such capability. A route that does not participate in the Storage Access
+// flow may refuse the active/inactive escalation.
+var STORAGE_ACCESS_ESCALATED = Object.freeze({ active: true, inactive: true });
+
+function _validateDestList(list, label) {
+  // Config-time tier — an unknown Sec-Fetch-Dest value in a strict
+  // allow/deny list is almost always an operator typo (e.g. "web-identity"
+  // for "webidentity"). Throw at boot per the config/entry-point tier so
+  // the typo surfaces before it silently fails to match at request time.
+  if (!Array.isArray(list)) return;
+  for (var i = 0; i < list.length; i += 1) {
+    if (!KNOWN_DEST_SET[list[i]]) {
+      throw new Error("middleware.fetchMetadata: " + label + "[" + i +
+        "] is not a known Sec-Fetch-Dest value (got '" + String(list[i]) +
+        "'). Known destinations: " + KNOWN_DESTINATIONS.join(", ") + ".");
+    }
+  }
+}
+
 function _writeReject(req, res, message, reason, onDeny, problemMode) {
   denyResponse(req, res, {
     onDeny:        onDeny,
@@ -75,17 +121,30 @@ function _writeReject(req, res, message, reason, onDeny, problemMode) {
  * the value-add; non-browser callers carry their own auth threat
  * model.
  *
+ * The Sec-Fetch-Dest vocabulary tracks the Fetch Standard request-
+ * destination list, including `webidentity` (FedCM credentialed
+ * requests). `deniedDest` refuses chosen destinations outright on the
+ * gated methods — a FedCM `webidentity` Sec-Fetch-Dest hitting a route
+ * that is not an identity endpoint is refused. `allowStorageAccess:
+ * false` refuses the Storage Access API escalation (a cross-site request
+ * carrying `Sec-Fetch-Storage-Access: active` / `inactive`) on routes
+ * that do not participate in the Storage Access flow. Both are opt-in;
+ * leaving them unset preserves the prior behavior exactly.
+ *
  * @opts
  *   {
- *     allowSameSite:   boolean,    // default true
- *     allowCrossSite:  boolean,    // default false
- *     allowMissing:    boolean,    // default true
- *     allowedDest:     string[],
- *     allowedNavigate: boolean,    // default true
- *     methods:         string[],   // default POST/PUT/DELETE/PATCH
- *     audit:           boolean,    // default true
- *     onDeny:          function(req, res, info): void,  // own the 403; info = { status, reason }
- *     problemDetails:  boolean,    // default false — emit RFC 9457 application/problem+json instead of the default JSON envelope
+ *     allowSameSite:      boolean,    // default true
+ *     allowCrossSite:     boolean,    // default false
+ *     allowMissing:       boolean,    // default true
+ *     allowedDest:        string[],   // cross-site allowlist of Sec-Fetch-Dest values
+ *     deniedDest:         string[],   // Sec-Fetch-Dest values refused on gated methods regardless of site (e.g. ["webidentity"])
+ *     allowStorageAccess: boolean,    // default true — false refuses Sec-Fetch-Storage-Access: active|inactive
+ *     strictDest:         boolean,    // default false — true throws at config time on an allowedDest/deniedDest value outside the known Sec-Fetch-Dest vocabulary
+ *     allowedNavigate:    boolean,    // default true
+ *     methods:            string[],   // default POST/PUT/DELETE/PATCH
+ *     audit:              boolean,    // default true
+ *     onDeny:             function(req, res, info): void,  // own the 403; info = { status, reason }
+ *     problemDetails:     boolean,    // default false — emit RFC 9457 application/problem+json instead of the default JSON envelope
  *   }
  *
  * @example
@@ -102,15 +161,34 @@ function create(opts) {
   opts = opts || {};
   validateOpts(opts, [
     "allowSameSite", "allowCrossSite", "allowMissing",
-    "allowedDest", "allowedNavigate", "methods", "audit", "onDeny", "problemDetails",
+    "allowedDest", "deniedDest", "allowStorageAccess", "strictDest",
+    "allowedNavigate", "methods", "audit", "onDeny", "problemDetails",
   ], "middleware.fetchMetadata");
+  validateOpts.optionalBoolean(opts.allowStorageAccess, "middleware.fetchMetadata: allowStorageAccess");
+  validateOpts.optionalBoolean(opts.strictDest, "middleware.fetchMetadata: strictDest");
+  validateOpts.optionalNonEmptyStringArray(opts.deniedDest, "middleware.fetchMetadata: deniedDest");
+  if (opts.strictDest === true) {
+    _validateDestList(opts.allowedDest, "allowedDest");
+    _validateDestList(opts.deniedDest, "deniedDest");
+  }
 
   var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
   var problemMode = opts.problemDetails === true;
-  var allowSameSite   = opts.allowSameSite !== false;
-  var allowCrossSite  = opts.allowCrossSite === true;
-  var allowMissing    = opts.allowMissing !== false;
-  var allowedDest     = Array.isArray(opts.allowedDest)    ? opts.allowedDest.slice()    : null;
+  var allowSameSite      = opts.allowSameSite !== false;
+  var allowCrossSite     = opts.allowCrossSite === true;
+  var allowMissing       = opts.allowMissing !== false;
+  var allowedDest        = Array.isArray(opts.allowedDest)    ? opts.allowedDest.slice()    : null;
+  var allowStorageAccess = opts.allowStorageAccess !== false;
+  // deniedDest → a null-prototype membership map; an operator-supplied
+  // destination string is never assigned onto a plain object, so no
+  // reserved name (__proto__ / constructor / prototype) can pollute it.
+  var deniedDest = null;
+  if (Array.isArray(opts.deniedDest) && opts.deniedDest.length > 0) {
+    deniedDest = Object.create(null);
+    for (var di = 0; di < opts.deniedDest.length; di += 1) {
+      deniedDest[opts.deniedDest[di]] = true;
+    }
+  }
   var allowedNavigate = opts.allowedNavigate !== false;
   var methods         = (opts.methods || DEFAULT_METHODS).map(function (m) { return m.toUpperCase(); });
   var auditOn         = opts.audit !== false;
@@ -139,6 +217,16 @@ function create(opts) {
     var mode = headers["sec-fetch-mode"];
     var dest = headers["sec-fetch-dest"];
 
+    // Destination refusal — independent of site. A FedCM `webidentity`
+    // (or any operator-denied) Sec-Fetch-Dest on a route that is not an
+    // identity endpoint is refused outright. The membership test is exact
+    // (null-prototype map keyed on the verbatim header value), never a
+    // substring scan.
+    if (deniedDest && typeof dest === "string" && deniedDest[dest] === true) {
+      _emitDenied(req, "dest-denied (dest=" + dest + ")");
+      return _writeReject(req, res, "Request destination not allowed for this route.", "dest-not-allowed", onDeny, problemMode);
+    }
+
     if (typeof site !== "string" || site.length === 0) {
       // No Sec-Fetch-Site header — legacy browser or non-browser client.
       // Defer to other auth/CSRF layers per allowMissing.
@@ -165,6 +253,19 @@ function create(opts) {
     }
 
     // cross-site
+    // Storage Access API escalation — the browser sends
+    // Sec-Fetch-Storage-Access only on cross-site credentialed requests.
+    // active|inactive both mean the embedded context can / could reach
+    // unpartitioned cross-site cookies; refuse it on routes that do not
+    // participate in the Storage Access flow. Exact membership, never a
+    // substring scan. Checked before the allowCrossSite shortcut so the
+    // escalation is gated even when cross-site is otherwise permitted.
+    var storageAccess = headers["sec-fetch-storage-access"];
+    if (!allowStorageAccess && typeof storageAccess === "string" &&
+        STORAGE_ACCESS_ESCALATED[storageAccess] === true) {
+      _emitDenied(req, "storage-access-refused (status=" + storageAccess + ")");
+      return _writeReject(req, res, "Storage Access escalation not allowed for this route.", "storage-access-refused", onDeny, problemMode);
+    }
     if (allowCrossSite) return next();
     if (allowedDest && typeof dest === "string" && allowedDest.indexOf(dest) !== -1) {
       return next();

package/lib/middleware/scim-server.js

@@ -19,8 +19,17 @@ var ScimServerError = framework_error.defineClass(
 
 var SCIM_CORE_SCHEMA_USER  = "urn:ietf:params:scim:schemas:core:2.0:User";
 var SCIM_CORE_SCHEMA_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group";
-var SCIM_MESSAGE_ERROR     = "urn:ietf:params:scim:api:messages:2.0:Error";
-var SCIM_MESSAGE_LIST      = "urn:ietf:params:scim:api:messages:2.0:ListResponse";
+var SCIM_MESSAGE_ERROR        = "urn:ietf:params:scim:api:messages:2.0:Error";
+var SCIM_MESSAGE_LIST         = "urn:ietf:params:scim:api:messages:2.0:ListResponse";
+var SCIM_MESSAGE_BULK_REQUEST  = "urn:ietf:params:scim:api:messages:2.0:BulkRequest";
+var SCIM_MESSAGE_BULK_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:BulkResponse";
+
+// RFC 7644 §3.7.2 — a bulkId cross-reference is the literal token
+// "bulkId:" followed by the client-assigned identifier. Bounded: the
+// identifier is matched lazily-free (one or more non-quote chars) and
+// only ever applied to operator-defined bulkId strings, never to free
+// request text, so there is no super-linear backtracking exposure.
+var BULK_ID_REF_RE = /^bulkId:(.+)$/;
 
 var ALLOWED_FILTER_OPS = ["eq", "ne", "co", "sw", "ew", "pr", "gt", "ge", "lt", "le"];
 
@@ -37,6 +46,11 @@ var BEARER_RE = /^Bearer\s+(.+)$/i;
  * Returns a request middleware that handles SCIM 2.0 requests
  * (RFC 7642-7644). Operator supplies CRUD callbacks per resource.
  *
+ * Bulk operations (RFC 7644 §3.7) are opt-in: pass `opts.bulk` to
+ * enable the `/Bulk` POST endpoint and advertise it in
+ * ServiceProviderConfig. When omitted, `bulk.supported` stays `false`
+ * and `/Bulk` is not routed (back-compatible default).
+ *
  * @opts
  *   {
  *     basePath?:    string,
@@ -44,6 +58,10 @@ var BEARER_RE = /^Bearer\s+(.+)$/i;
  *     groups?:      ScimResourceImpl,
  *     bearer?:      (token) => Promise<actor>,
  *     maxPageSize?: number,
+ *     bulk?: {
+ *       maxOperations?:  number,   // default: 1000 (config-time positive int)
+ *       maxPayloadSize?: number,   // default: 1 MiB  (config-time positive int, bytes)
+ *     },
  *   }
  *
  * @example
@@ -51,6 +69,7 @@ var BEARER_RE = /^Bearer\s+(.+)$/i;
  *     basePath: "/scim/v2",
  *     users:  myUserAdapter,
  *     groups: myGroupAdapter,
+ *     bulk:   { maxOperations: 100 },
  *   });
  *   app.use(mw);
  */
@@ -63,11 +82,12 @@ function create(opts) {
   var basePath    = opts.basePath || "/scim/v2";
   var maxPageSize = opts.maxPageSize || 200;                                                                  // page-size count, not bytes
   var bearer      = opts.bearer || null;
+  var bulkCfg     = _resolveBulkConfig(opts.bulk);
 
   function middleware(req, res, next) {
     var url = req.url.split("?")[0];
     if (url.indexOf(basePath) !== 0) { next(); return; }
-    _dispatch(req, res, basePath, bearer, opts, maxPageSize)
+    _dispatch(req, res, basePath, bearer, opts, maxPageSize, bulkCfg)
       .catch(function (err) {
         _writeScimError(res, err.statusCode || 500, err.scimType || "internal",
           (err.message || String(err)).slice(0, 500));
@@ -92,7 +112,26 @@ function _validateResourceImpl(impl, name) {
   });
 }
 
-async function _dispatch(req, res, basePath, bearer, opts, maxPageSize) {
+// Config-time / entry-point tier: bad bulk caps THROW so the operator
+// catches a typo at boot rather than at request time. RFC 7644 §3.7.
+// Returns null when bulk is not opted into (back-compat default off).
+function _resolveBulkConfig(bulk) {
+  if (bulk === undefined || bulk === null) return null;
+  if (typeof bulk !== "object") {
+    throw new ScimServerError("middleware/scim-server/bad-bulk",
+      "middleware.scimServer: opts.bulk must be an object { maxOperations?, maxPayloadSize? }");
+  }
+  validateOpts.optionalPositiveInt(bulk.maxOperations, "middleware.scimServer: opts.bulk.maxOperations",
+    ScimServerError, "middleware/scim-server/bad-bulk-max-operations");
+  validateOpts.optionalPositiveInt(bulk.maxPayloadSize, "middleware.scimServer: opts.bulk.maxPayloadSize",
+    ScimServerError, "middleware/scim-server/bad-bulk-max-payload-size");
+  return {
+    maxOperations:  bulk.maxOperations  || 1000,
+    maxPayloadSize: bulk.maxPayloadSize || C.BYTES.mib(1),
+  };
+}
+
+async function _dispatch(req, res, basePath, bearer, opts, maxPageSize, bulkCfg) {
   var relUrl = req.url.slice(basePath.length) || "/";
   var qIdx   = relUrl.indexOf("?");
   var path   = qIdx === -1 ? relUrl : relUrl.slice(0, qIdx);
@@ -148,6 +187,19 @@ async function _dispatch(req, res, basePath, bearer, opts, maxPageSize) {
   var users   = opts.users;
   var groups  = opts.groups;
 
+  if (path === "/Bulk") {
+    if (req.method !== "POST") {
+      _writeScimError(res, H.METHOD_NOT_ALLOWED, "noTarget", req.method + " not allowed on /Bulk");
+      return;
+    }
+    if (!bulkCfg) {
+      _writeScimError(res, 501, "notSupported", "bulk operations are not enabled");
+      return;
+    }
+    await _handleBulk(req, res, opts, bulkCfg, ctx);
+    return;
+  }
+
   // RESOURCE_PATH_RE applies to a URL path; node http caps URL at 8 KiB.
   var match = path.length < C.BYTES.kib(8) && RESOURCE_PATH_RE.test(path) ? path.match(RESOURCE_PATH_RE) : null;   // allow:regex-no-length-cap URL bounded above
   if (!match) {
@@ -244,6 +296,230 @@ async function _dispatch(req, res, basePath, bearer, opts, maxPageSize) {
   _writeScimError(res, H.METHOD_NOT_ALLOWED, "noTarget", req.method + " not allowed on " + path);
 }
 
+// RFC 7644 §3.7 — /Bulk POST. Parses a BulkRequest, enforces the
+// config-time maxOperations / maxPayloadSize caps, optionally
+// short-circuits at failOnErrors, resolves bulkId cross-references
+// (§3.7.2), dispatches each operation through the same per-resource
+// create/update/delete logic the singleton endpoints use, and returns
+// a BulkResponse carrying one result object per operation.
+async function _handleBulk(req, res, opts, bulkCfg, ctx) {
+  var body;
+  try {
+    body = await _readBulkBody(req, bulkCfg.maxPayloadSize);
+  } catch (e) {
+    // collectStream rejects with the configured errorClass on overflow.
+    if (e && e.code === "middleware/scim-server/bulk-too-large") {
+      _writeScimError(res, H.PAYLOAD_TOO_LARGE, "tooLarge",
+        "bulk payload exceeds maxPayloadSize of " + bulkCfg.maxPayloadSize + " bytes");
+      return;
+    }
+    throw e;
+  }
+
+  if (!body || typeof body !== "object" ||
+      !Array.isArray(body.schemas) ||
+      body.schemas.indexOf(SCIM_MESSAGE_BULK_REQUEST) === -1) {
+    _writeScimError(res, H.BAD_REQUEST, "invalidValue",
+      "BulkRequest body.schemas must include '" + SCIM_MESSAGE_BULK_REQUEST + "'");
+    return;
+  }
+  if (!Array.isArray(body.Operations)) {
+    _writeScimError(res, H.BAD_REQUEST, "invalidValue", "BulkRequest must include Operations[]");
+    return;
+  }
+  if (body.Operations.length > bulkCfg.maxOperations) {
+    _writeScimError(res, H.PAYLOAD_TOO_LARGE, "tooMany",
+      "bulk request has " + body.Operations.length +
+      " operations, exceeding maxOperations of " + bulkCfg.maxOperations);
+    return;
+  }
+
+  var failOnErrors = _parseFailOnErrors(body.failOnErrors);
+  var bulkIdMap    = Object.create(null);   // client bulkId -> assigned resource id
+  var results      = [];
+  var errorCount   = 0;
+
+  for (var i = 0; i < body.Operations.length; i++) {
+    var result = await _runBulkOperation(body.Operations[i], i, opts, ctx, bulkIdMap);
+    results.push(result.entry);
+    if (result.isError) {
+      errorCount++;
+      // RFC 7644 §3.7 — once the error count reaches failOnErrors the
+      // service stops processing and returns the results so far.
+      if (failOnErrors !== null && errorCount >= failOnErrors) break;
+    }
+  }
+
+  _writeJson(res, H.OK, {
+    schemas:    [SCIM_MESSAGE_BULK_RESPONSE],
+    Operations: results,
+  });
+}
+
+// RFC 7644 §3.7 — failOnErrors is an OPTIONAL integer >= 1. Absent /
+// non-conforming values mean "process every operation" (null).
+function _parseFailOnErrors(value) {
+  if (typeof value !== "number" || !isFinite(value) || Math.floor(value) !== value || value < 1) {
+    return null;
+  }
+  return value;
+}
+
+// Dispatch one BulkOperation through the matching per-resource adapter.
+// Returns { entry, isError }; entry is the BulkResponse Operation object
+// (RFC 7644 §3.7). Adapter rejections become per-op error entries — one
+// failing operation never aborts the whole batch (unless failOnErrors).
+async function _runBulkOperation(op, index, opts, ctx, bulkIdMap) {
+  if (!op || typeof op !== "object" || typeof op.method !== "string") {
+    return _bulkErr(op, "400", "invalidSyntax",
+      "Operations[" + index + "] missing string method");
+  }
+  var method = op.method.toUpperCase();
+  if (method !== "POST" && method !== "PUT" && method !== "PATCH" && method !== "DELETE") {
+    return _bulkErr(op, "400", "invalidValue",
+      "Operations[" + index + "].method '" + op.method + "' not in POST/PUT/PATCH/DELETE");
+  }
+
+  var parsed = _parseBulkPath(op.path);
+  if (!parsed) {
+    return _bulkErr(op, "400", "invalidValue",
+      "Operations[" + index + "].path '" + String(op.path) + "' is not a valid bulk path");
+  }
+  var impl = parsed.resourceType === "Users" ? opts.users : opts.groups;
+  if (!impl) {
+    return _bulkErr(op, "404", "invalidValue", "/" + parsed.resourceType + " not configured");
+  }
+  // POST defines a bulkId-assigned resource; PUT/PATCH/DELETE target an id.
+  if (method === "POST" && !op.bulkId) {
+    return _bulkErr(op, "400", "invalidValue",
+      "Operations[" + index + "] POST requires a bulkId");
+  }
+  if (method !== "POST" && !parsed.resourceId) {
+    return _bulkErr(op, "400", "invalidValue",
+      "Operations[" + index + "] " + method + " requires a resource id in path");
+  }
+
+  var data = op.data;
+  if (method === "POST" || method === "PUT" || method === "PATCH") {
+    // RFC 7644 §3.7.2 — substitute any bulkId cross-references that
+    // earlier operations have resolved before handing data to the adapter.
+    data = _resolveBulkIdRefs(op.data, bulkIdMap);
+  }
+
+  try {
+    if (method === "POST" || method === "PUT") {
+      // The same SCIM schema gate the singleton POST / PUT routes apply,
+      // so a bulk op cannot persist a resource with a missing or wrong
+      // schema that the singleton endpoints would reject (RFC 7644
+      // §3.5.1). A throw here is caught below and returned as the op's
+      // own error, not aborting the batch.
+      _assertSchema(data, parsed.resourceType === "Users" ? SCIM_CORE_SCHEMA_USER : SCIM_CORE_SCHEMA_GROUP);
+    }
+    if (method === "POST") {
+      var created = await impl.create(data || {}, ctx);
+      var newId   = created && created.id;
+      if (op.bulkId && newId !== undefined && newId !== null) {
+        bulkIdMap[String(op.bulkId)] = String(newId);
+      }
+      return _bulkOk(op, "201", _bulkLocation(parsed.resourceType, newId), created);
+    }
+    if (method === "PUT") {
+      var replaced = await impl.update(parsed.resourceId, data || {}, ctx);
+      return _bulkOk(op, "200", _bulkLocation(parsed.resourceType, parsed.resourceId), replaced);
+    }
+    if (method === "PATCH") {
+      var ops = data && Array.isArray(data.Operations) ? data.Operations : [];
+      var patched = await impl.patch(parsed.resourceId, ops, ctx);
+      return _bulkOk(op, "200", _bulkLocation(parsed.resourceType, parsed.resourceId), patched);
+    }
+    await impl.remove(parsed.resourceId, ctx);   // DELETE
+    return _bulkOk(op, "204", _bulkLocation(parsed.resourceType, parsed.resourceId), null);
+  } catch (e) {
+    var status   = e && e.statusCode ? String(e.statusCode) : "500";
+    var scimType = e && e.scimType ? e.scimType : null;
+    // Operator-adapter error detail is surfaced verbatim (it is the
+    // adapter's own message, not request-derived secret material).
+    return _bulkErr(op, status, scimType, (e && e.message) ? String(e.message) : "operation failed");
+  }
+}
+
+// A bulk path is "/Users", "/Users/<id>", "/Groups", or "/Groups/<id>".
+function _parseBulkPath(path) {
+  if (typeof path !== "string" || path.length === 0) return null;
+  // Reuse the singleton resource-path grammar; node http caps URL at 8 KiB.
+  var m = path.length < C.BYTES.kib(8) && RESOURCE_PATH_RE.test(path)                                          // allow:regex-no-length-cap path bounded above
+    ? path.match(RESOURCE_PATH_RE) : null;
+  if (!m) return null;
+  return { resourceType: m[1], resourceId: m[2] || null };
+}
+
+// RFC 7644 §3.7.2 — walk operation data and replace any string of the
+// form "bulkId:<clientId>" with the server-assigned id once known.
+// Operates only on operator/client-supplied bulk data of bounded size
+// (the whole payload is capped at maxPayloadSize before parse).
+function _resolveBulkIdRefs(value, bulkIdMap) {
+  if (typeof value === "string") {
+    var ref = BULK_ID_REF_RE.exec(value);
+    if (ref) {
+      var resolved = bulkIdMap[ref[1]];
+      return resolved !== undefined ? resolved : value;
+    }
+    return value;
+  }
+  if (Array.isArray(value)) {
+    var arr = [];
+    for (var i = 0; i < value.length; i++) arr.push(_resolveBulkIdRefs(value[i], bulkIdMap));
+    return arr;
+  }
+  if (value && typeof value === "object") {
+    var out = {};
+    var keys = Object.keys(value);
+    for (var k = 0; k < keys.length; k++) {
+      if (keys[k] === "__proto__" || keys[k] === "constructor" || keys[k] === "prototype") continue;
+      out[keys[k]] = _resolveBulkIdRefs(value[keys[k]], bulkIdMap);
+    }
+    return out;
+  }
+  return value;
+}
+
+function _bulkLocation(resourceType, id) {
+  if (id === undefined || id === null) return undefined;
+  return "/" + resourceType + "/" + String(id);
+}
+
+function _bulkOk(op, status, location, response) {
+  var entry = { method: op && op.method, status: status };
+  if (op && op.bulkId) entry.bulkId = op.bulkId;
+  if (location) entry.location = location;
+  // Per §3.7 the response body is OPTIONAL; include it when the adapter
+  // returned a representation (omit on 204 No Content).
+  if (response !== null && response !== undefined) entry.response = response;
+  return { entry: entry, isError: false };
+}
+
+function _bulkErr(op, status, scimType, detail) {
+  var errBody = { schemas: [SCIM_MESSAGE_ERROR], status: status, detail: detail };
+  if (scimType) errBody.scimType = scimType;
+  var entry = { method: op && op.method, status: status, response: errBody };
+  if (op && op.bulkId) entry.bulkId = op.bulkId;
+  return { entry: entry, isError: true };
+}
+
+function _readBulkBody(req, maxBytes) {
+  if (req.body && Buffer.isBuffer(req.body)) {
+    return Promise.resolve(safeJson.parse(req.body.toString("utf8"), { maxBytes: maxBytes }));
+  }
+  if (req.body && typeof req.body === "object") return Promise.resolve(req.body);
+  return safeBuffer.collectStream(req, {
+    maxBytes:   maxBytes,
+    errorClass: ScimServerError,
+    sizeCode:   "middleware/scim-server/bulk-too-large",
+  }).then(function (buf) {
+    return safeJson.parse(buf.toString("utf8"), { maxBytes: maxBytes });
+  });
+}
+
 function _parseQuery(qs) {
   var out = {};
   if (!qs) return out;
@@ -321,11 +597,17 @@ function _writeScimError(res, status, scimType, detail) {
 }
 
 function _serviceProviderConfig(opts) {
+  // RFC 7644 §3.7 — advertise bulk only when the operator opted in via
+  // opts.bulk; otherwise report it unsupported (back-compat default).
+  var bulkCfg = _resolveBulkConfig(opts.bulk);
+  var bulk = bulkCfg
+    ? { supported: true,  maxOperations: bulkCfg.maxOperations, maxPayloadSize: bulkCfg.maxPayloadSize }
+    : { supported: false, maxOperations: 0, maxPayloadSize: 0 };
   return {
     schemas: ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
     documentationUri: opts.documentationUri || "https://datatracker.ietf.org/doc/html/rfc7643",
     patch:            { supported: true },
-    bulk:             { supported: false, maxOperations: 0, maxPayloadSize: 0 },
+    bulk:             bulk,
     filter:           { supported: true, maxResults: opts.maxPageSize || 200 },
     changePassword:   { supported: false },
     sort:             { supported: true },
@@ -370,9 +652,11 @@ function _schemas() {
 }
 
 module.exports = {
-  create:                 create,
-  ScimServerError:        ScimServerError,
-  SCIM_CORE_SCHEMA_USER:  SCIM_CORE_SCHEMA_USER,
-  SCIM_CORE_SCHEMA_GROUP: SCIM_CORE_SCHEMA_GROUP,
-  ALLOWED_FILTER_OPS:     ALLOWED_FILTER_OPS,
+  create:                         create,
+  ScimServerError:                ScimServerError,
+  SCIM_CORE_SCHEMA_USER:          SCIM_CORE_SCHEMA_USER,
+  SCIM_CORE_SCHEMA_GROUP:         SCIM_CORE_SCHEMA_GROUP,
+  SCIM_MESSAGE_BULK_REQUEST:      SCIM_MESSAGE_BULK_REQUEST,
+  SCIM_MESSAGE_BULK_RESPONSE:     SCIM_MESSAGE_BULK_RESPONSE,
+  ALLOWED_FILTER_OPS:             ALLOWED_FILTER_OPS,
 };

package/lib/middleware/security-headers.js

@@ -34,6 +34,18 @@
  *     dnsPrefetchControl:   'off' (default) or 'on' or false
  *     csp:                  '<full CSP string>' or false to disable
  *   }
+ *
+ * Monitor-mode opt-ins (all default-off; unset emits no new header):
+ *
+ *   coopReportOnly / coepReportOnly / documentPolicyReportOnly — set a
+ *     policy string to emit the matching `*-Report-Only` header so the
+ *     operator can roll out the enforcing policy in monitor mode first.
+ *     The browser reports violations (to a Reporting-Endpoints group named
+ *     in the value, e.g. `same-origin; report-to="coop"`) without blocking.
+ *   requireDocumentPolicy — the embedder-required Document-Policy a
+ *     subframe must advertise before this document will embed it.
+ *   serviceWorkerAllowed — broadens the max scope a service worker
+ *     registered from this script may claim (the operator opts in).
  */
 
 var requestHelpers = require("../request-helpers");
@@ -186,6 +198,11 @@ function _validatePermissionsPolicy(value) {
  *     criticalCh:         string|false,
  *     reportingEndpoints: object,
  *     trustProxy:         boolean|number,
+ *     coopReportOnly:           string,  // default: off — monitor-mode COOP
+ *     coepReportOnly:           string,  // default: off — monitor-mode COEP
+ *     documentPolicyReportOnly: string,  // default: off — monitor-mode Document-Policy
+ *     requireDocumentPolicy:    string,  // default: off — embedder-required subframe policy
+ *     serviceWorkerAllowed:     string,  // default: off — broadens SW registration scope
  *   }
  *
  * @example
@@ -202,6 +219,8 @@ function create(opts) {
     "permissionsPolicy", "coop", "coep", "corp",
     "originAgentCluster", "dnsPrefetchControl", "csp", "trustProxy",
     "reportingEndpoints", "documentPolicy", "criticalCh", "acceptCh",
+    "coopReportOnly", "coepReportOnly", "documentPolicyReportOnly",
+    "requireDocumentPolicy", "serviceWorkerAllowed",
   ], "middleware.securityHeaders");
   if (opts.permissionsPolicy && typeof opts.permissionsPolicy === "string") {
     _validatePermissionsPolicy(opts.permissionsPolicy);
@@ -222,6 +241,26 @@ function create(opts) {
   var docPolicy = opts.documentPolicy === undefined ? DEFAULT_DOCUMENT_POLICY : opts.documentPolicy;
   var criticalCh = opts.criticalCh && typeof opts.criticalCh === "string" ? opts.criticalCh : false;
   var acceptCh   = opts.acceptCh   && typeof opts.acceptCh   === "string" ? opts.acceptCh   : false;
+  // Monitor-mode + scope opt-ins — all default-off. Each only emits its
+  // header when the operator passes a non-empty string; unset = silent.
+  //   coopReportOnly / coepReportOnly — WHATWG HTML cross-origin isolation
+  //     report-only variants: the UA evaluates the policy and reports
+  //     violations to the named Reporting-Endpoints group without
+  //     enforcing, so an operator can verify a same-origin / require-corp
+  //     rollout won't break embeds before flipping the enforcing header.
+  //   documentPolicyReportOnly — W3C Document Policy report-only variant
+  //     (same monitor-mode semantics for the Document-Policy feature set).
+  //   requireDocumentPolicy — W3C Document Policy: the policy a subframe
+  //     must itself advertise (via Document-Policy) before this document
+  //     will embed it; the embedder declares its floor.
+  //   serviceWorkerAllowed — W3C Service Workers §Service-Worker-Allowed:
+  //     widens the max scope a worker registered from this script may
+  //     claim beyond the script's own path. Operator opts in explicitly.
+  var coopReportOnly = opts.coopReportOnly && typeof opts.coopReportOnly === "string" ? opts.coopReportOnly : false;
+  var coepReportOnly = opts.coepReportOnly && typeof opts.coepReportOnly === "string" ? opts.coepReportOnly : false;
+  var docPolicyReportOnly = opts.documentPolicyReportOnly && typeof opts.documentPolicyReportOnly === "string" ? opts.documentPolicyReportOnly : false;
+  var requireDocPolicy = opts.requireDocumentPolicy && typeof opts.requireDocumentPolicy === "string" ? opts.requireDocumentPolicy : false;
+  var serviceWorkerAllowed = opts.serviceWorkerAllowed && typeof opts.serviceWorkerAllowed === "string" ? opts.serviceWorkerAllowed : false;
   // Reporting-Endpoints (W3C Reporting API) — when operator passes a
   // map of endpoint-name → URL, we emit `Reporting-Endpoints: name="url",
   // name2="url2", ...` and (when default CSP is in force) append
@@ -273,6 +312,14 @@ function create(opts) {
     if (acceptCh)           res.setHeader("Accept-CH", acceptCh);
     if (criticalCh)         res.setHeader("Critical-CH", criticalCh);
     if (reportingEndpoints) res.setHeader("Reporting-Endpoints", reportingEndpoints);
+    // Monitor-mode + scope opt-ins — emitted only when the operator set
+    // the corresponding opt; the enforcing COOP/COEP/Document-Policy
+    // headers above are unaffected.
+    if (coopReportOnly)       res.setHeader("Cross-Origin-Opener-Policy-Report-Only", coopReportOnly);
+    if (coepReportOnly)       res.setHeader("Cross-Origin-Embedder-Policy-Report-Only", coepReportOnly);
+    if (docPolicyReportOnly)  res.setHeader("Document-Policy-Report-Only", docPolicyReportOnly);
+    if (requireDocPolicy)     res.setHeader("Require-Document-Policy", requireDocPolicy);
+    if (serviceWorkerAllowed) res.setHeader("Service-Worker-Allowed", serviceWorkerAllowed);
     next();
   };
 }