@blamejs/core 0.8.76 → 0.8.77

package/lib/middleware/protected-resource-metadata.js

@@ -0,0 +1,165 @@
+"use strict";
+/**
+ * @module     b.middleware.protectedResourceMetadata
+ * @nav        Identity & access
+ * @title      Protected Resource Metadata
+ * @order      210
+ * @slug       protected-resource-metadata
+ *
+ * @intro
+ *   draft-ietf-oauth-resource-metadata: serves the
+ *   `/.well-known/oauth-protected-resource` document so RFC 9728
+ *   clients can auto-discover which authorization servers issue
+ *   tokens for this resource, what scopes the resource accepts,
+ *   what dpop algorithms the resource verifies, and which bearer-
+ *   method binding (DPoP / mTLS cnf claim) is required. Pairs with
+ *   b.middleware.bearerAuth so a 401 from the protected resource
+ *   includes `WWW-Authenticate: Bearer resource_metadata=<url>` and
+ *   the client can self-rediscover.
+ *
+ * @card
+ *   `.well-known/oauth-protected-resource` discovery endpoint per
+ *   draft-ietf-oauth-resource-metadata. Closes the gap that previously
+ *   forced operators to hand-write the JSON.
+ */
+
+var framework_error = require("../framework-error");
+var validateOpts    = require("../validate-opts");
+var requestHelpers  = require("../request-helpers");
+
+var H = requestHelpers.HTTP_STATUS;
+
+var ProtectedResourceMetadataError = framework_error.defineClass(
+  "ProtectedResourceMetadataError",
+  "middleware/protected-resource-metadata"
+);
+
+var ALLOWED_BEARER_METHODS  = ["header", "body", "query"];
+var ALLOWED_DPOP_ALGS       = ["ES256", "ES384", "RS256", "PS256", "EdDSA", "ML-DSA-65", "ML-DSA-87"];
+
+/**
+ * @primitive b.middleware.protectedResourceMetadata
+ * @signature b.middleware.protectedResourceMetadata(opts)
+ * @since     0.8.77
+ * @related   b.auth.oauth.introspectToken, b.middleware.bearerAuth
+ *
+ * Returns a request middleware that serves the protected-resource
+ * metadata JSON document at `/.well-known/oauth-protected-resource`
+ * (or operator-overridden path).
+ *
+ * @opts
+ *   {
+ *     resource:                       string,        // canonical resource URI (required)
+ *     authorizationServers:           string[],      // issuer URLs that mint tokens for this resource (required, ≥1)
+ *     scopesSupported?:               string[],
+ *     bearerMethodsSupported?:        ("header"|"body"|"query")[],   // default ["header"]
+ *     resourceSigningAlgValuesSupported?: string[], // for signed introspection / jwt-secured responses
+ *     resourceDocumentation?:         string,        // URL to operator docs
+ *     resourcePolicyUri?:             string,
+ *     resourceTosUri?:                string,
+ *     dpopSigningAlgValuesSupported?: string[],
+ *     dpopBoundAccessTokensRequired?: boolean,
+ *     mtlsBoundAccessTokensRequired?: boolean,
+ *     path?:                          string,        // default "/.well-known/oauth-protected-resource"
+ *   }
+ *
+ * @example
+ *   var mw = b.middleware.protectedResourceMetadata({
+ *     resource:             "https://api.example.com",
+ *     authorizationServers: ["https://idp.example.com"],
+ *     scopesSupported:      ["read", "write"],
+ *     dpopBoundAccessTokensRequired: true,
+ *   });
+ *   app.use(mw);
+ */
+function create(opts) {
+  validateOpts.requireObject(opts, "middleware.protectedResourceMetadata",
+    ProtectedResourceMetadataError, "middleware/protected-resource-metadata/bad-opts");
+  validateOpts.requireNonEmptyString(opts.resource, "resource",
+    ProtectedResourceMetadataError, "middleware/protected-resource-metadata/no-resource");
+
+  if (!Array.isArray(opts.authorizationServers) || opts.authorizationServers.length === 0) {
+    throw new ProtectedResourceMetadataError(
+      "middleware/protected-resource-metadata/no-as",
+      "authorizationServers must be a non-empty array of issuer URLs");
+  }
+  opts.authorizationServers.forEach(function (u, i) {
+    if (typeof u !== "string" || u.length === 0) {
+      throw new ProtectedResourceMetadataError(
+        "middleware/protected-resource-metadata/bad-as",
+        "authorizationServers[" + i + "] must be a non-empty string");
+    }
+  });
+
+  var bearerMethods = opts.bearerMethodsSupported || ["header"];
+  bearerMethods.forEach(function (m, i) {
+    if (ALLOWED_BEARER_METHODS.indexOf(m) === -1) {
+      throw new ProtectedResourceMetadataError(
+        "middleware/protected-resource-metadata/bad-bearer-method",
+        "bearerMethodsSupported[" + i + "] must be one of: " + ALLOWED_BEARER_METHODS.join(", "));
+    }
+  });
+
+  if (opts.dpopSigningAlgValuesSupported) {
+    opts.dpopSigningAlgValuesSupported.forEach(function (a, i) {
+      if (ALLOWED_DPOP_ALGS.indexOf(a) === -1) {
+        throw new ProtectedResourceMetadataError(
+          "middleware/protected-resource-metadata/bad-dpop-alg",
+          "dpopSigningAlgValuesSupported[" + i + "] = '" + a +
+          "' not in allowlist: " + ALLOWED_DPOP_ALGS.join(", "));
+      }
+    });
+  }
+
+  var path = opts.path || "/.well-known/oauth-protected-resource";
+
+  var doc = {
+    resource:                opts.resource,
+    authorization_servers:   opts.authorizationServers,
+    bearer_methods_supported: bearerMethods,
+  };
+  if (opts.scopesSupported)                       doc.scopes_supported = opts.scopesSupported;
+  if (opts.resourceSigningAlgValuesSupported)     doc.resource_signing_alg_values_supported = opts.resourceSigningAlgValuesSupported;
+  if (opts.resourceDocumentation)                 doc.resource_documentation = opts.resourceDocumentation;
+  if (opts.resourcePolicyUri)                     doc.resource_policy_uri = opts.resourcePolicyUri;
+  if (opts.resourceTosUri)                        doc.resource_tos_uri = opts.resourceTosUri;
+  if (opts.dpopSigningAlgValuesSupported)         doc.dpop_signing_alg_values_supported = opts.dpopSigningAlgValuesSupported;
+  if (opts.dpopBoundAccessTokensRequired === true) doc.dpop_bound_access_tokens_required = true;
+  if (opts.mtlsBoundAccessTokensRequired === true) doc.tls_client_certificate_bound_access_tokens = true;
+
+  var bodyText  = JSON.stringify(doc);
+  var bodyBytes = Buffer.byteLength(bodyText, "utf8");
+
+  function middleware(req, res, next) {
+    if (req.url !== path && req.url.split("?")[0] !== path) {
+      next();
+      return;
+    }
+    if (req.method !== "GET" && req.method !== "HEAD") {
+      res.writeHead(H.METHOD_NOT_ALLOWED, {
+        "Allow":         "GET, HEAD",
+        "Cache-Control": "no-store",
+      });
+      res.end();
+      return;
+    }
+    res.writeHead(H.OK, {
+      "Content-Type":   "application/json",
+      "Content-Length": String(bodyBytes),
+      "Cache-Control":  "public, max-age=3600",
+    });
+    if (req.method === "HEAD") { res.end(); return; }
+    res.end(bodyText);
+  }
+
+  middleware.document = doc;
+  middleware.path     = path;
+  return middleware;
+}
+
+module.exports = {
+  create:                        create,
+  ProtectedResourceMetadataError: ProtectedResourceMetadataError,
+  ALLOWED_BEARER_METHODS:        ALLOWED_BEARER_METHODS,
+  ALLOWED_DPOP_ALGS:             ALLOWED_DPOP_ALGS,
+};

package/lib/middleware/rate-limit.js

@@ -159,12 +159,16 @@ function _memoryTokenBucketBackend(opts) {
     buckets.delete(key);
   }
 
+  function resetAll() {
+    buckets.clear();
+  }
+
   function close() {
     try { gcInterval.stop(); } catch (_e) { /* timer already stopped */ }
     buckets.clear();
   }
 
-  return { take: take, reset: reset, close: close };
+  return { take: take, reset: reset, resetAll: resetAll, close: close };
 }
 
 // Fixed-window in-memory algorithm — per-key counter that resets at the
@@ -224,12 +228,14 @@ function _memoryFixedWindowBackend(opts) {
 
   function reset(key) { counters.delete(key); }
 
+  function resetAll() { counters.clear(); }
+
   function close() {
     try { gcInterval.stop(); } catch (_e) { /* timer already stopped */ }
     counters.clear();
   }
 
-  return { take: take, reset: reset, close: close };
+  return { take: take, reset: reset, resetAll: resetAll, close: close };
 }
 
 // ---- Cluster backend (fixed-window counter, SQL-backed) ----
@@ -485,13 +491,63 @@ function create(opts) {
 
   // Expose a couple of operator hooks on the middleware function.
   middleware.reset = function (key) { return backend.reset(key); };
-  middleware.close = function ()    { return backend.close && backend.close(); };
+  // Global drop-all for the in-memory backend. Used by incident-
+  // response workflows ("operator confirmed false-positive lockout
+  // wave, drop the whole table") + by test suites that need a clean
+  // slate between cases without re-creating the middleware. For the
+  // cluster backend this is a no-op (cluster backends are
+  // multi-process and require operator-side coordination — flushing
+  // a shared row table from one replica races every other replica's
+  // in-flight take() calls).
+  middleware.resetAll = function () {
+    if (typeof backend.resetAll === "function") return backend.resetAll();
+    return null;
+  };
+  middleware.close = function () {
+    _instances.delete(middleware);
+    return backend.close && backend.close();
+  };
 
+  _instances.add(middleware);
   return middleware;
 }
 
+// Module-level registry of every rate-limit middleware in the running
+// process. Operators reach for this during incident response: when a
+// false-positive lockout wave hits, an oncall script can iterate
+// `instances()` and call `.resetAll()` on each, without having to
+// thread a reference to every rate-limit middleware through wherever
+// the response code runs. Tests use it to assert a clean slate.
+//
+// Lifetime: a middleware joins on `create()` return and leaves on
+// `middleware.close()`. Long-lived servers create rate-limiters once at
+// boot; throwaway middlewares (tests, sandboxes) must close() to
+// deregister. We deliberately don't use WeakRef here — operators want
+// strong, observable membership ("did this rate-limiter actually get
+// created?"), and the count is bounded by how many limiters an app
+// configures, not how much traffic it sees.
+var _instances = new Set();
+
+function instances() {
+  return Array.from(_instances);
+}
+
+// Global drop-all across every middleware in the process. Returns the
+// number of instances that responded to resetAll (cluster-backed
+// middlewares no-op their own resetAll but still count toward the
+// total so operators see all instances were addressed).
+function resetAll() {
+  var n = 0;
+  _instances.forEach(function (m) {
+    try { m.resetAll(); n += 1; } catch (_e) { /* best-effort */ }
+  });
+  return n;
+}
+
 module.exports = {
   create:           create,
+  instances:        instances,
+  resetAll:         resetAll,
   // Backends exported for tests + advanced operator wiring.
   _memoryBackend:              _memoryBackend,
   _memoryTokenBucketBackend:   _memoryTokenBucketBackend,

package/lib/middleware/scim-server.js

@@ -0,0 +1,375 @@
+"use strict";
+// SCIM 2.0 server middleware (RFC 7642 / 7643 / 7644).
+// Provides /Users + /Groups + /ServiceProviderConfig + /ResourceTypes
+// + /Schemas surfaces backed by operator-supplied CRUD callbacks.
+
+var framework_error = require("../framework-error");
+var validateOpts    = require("../validate-opts");
+var safeJson        = require("../safe-json");
+var safeBuffer      = require("../safe-buffer");
+var requestHelpers  = require("../request-helpers");
+var C               = require("../constants");
+
+var H = requestHelpers.HTTP_STATUS;
+
+var ScimServerError = framework_error.defineClass(
+  "ScimServerError",
+  "middleware/scim-server"
+);
+
+var SCIM_CORE_SCHEMA_USER  = "urn:ietf:params:scim:schemas:core:2.0:User";
+var SCIM_CORE_SCHEMA_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group";
+var SCIM_MESSAGE_ERROR     = "urn:ietf:params:scim:api:messages:2.0:Error";
+var SCIM_MESSAGE_LIST      = "urn:ietf:params:scim:api:messages:2.0:ListResponse";
+
+var ALLOWED_FILTER_OPS = ["eq", "ne", "co", "sw", "ew", "pr", "gt", "ge", "lt", "le"];
+
+var SCIM_FILTER_RE = /^\s*([a-zA-Z][a-zA-Z0-9._-]*)\s+(eq|ne|co|sw|ew|pr|gt|ge|lt|le)(?:\s+(.+))?\s*$/;
+var RESOURCE_PATH_RE = /^\/(Users|Groups)(?:\/([^/]+))?$/;
+var BEARER_RE = /^Bearer\s+(.+)$/i;
+
+/**
+ * @primitive b.middleware.scimServer
+ * @signature b.middleware.scimServer(opts)
+ * @since     0.8.77
+ * @related   b.auth.oauth.introspectToken
+ *
+ * Returns a request middleware that handles SCIM 2.0 requests
+ * (RFC 7642-7644). Operator supplies CRUD callbacks per resource.
+ *
+ * @opts
+ *   {
+ *     basePath?:    string,
+ *     users:        ScimResourceImpl,
+ *     groups?:      ScimResourceImpl,
+ *     bearer?:      (token) => Promise<actor>,
+ *     maxPageSize?: number,
+ *   }
+ *
+ * @example
+ *   var mw = b.middleware.scimServer({
+ *     basePath: "/scim/v2",
+ *     users:  myUserAdapter,
+ *     groups: myGroupAdapter,
+ *   });
+ *   app.use(mw);
+ */
+function create(opts) {
+  validateOpts.requireObject(opts, "middleware.scimServer",
+    ScimServerError, "middleware/scim-server/bad-opts");
+  _validateResourceImpl(opts.users,  "users");
+  if (opts.groups) _validateResourceImpl(opts.groups, "groups");
+
+  var basePath    = opts.basePath || "/scim/v2";
+  var maxPageSize = opts.maxPageSize || 200;                                                                  // allow:raw-byte-literal — page-size count, not bytes
+  var bearer      = opts.bearer || null;
+
+  function middleware(req, res, next) {
+    var url = req.url.split("?")[0];
+    if (url.indexOf(basePath) !== 0) { next(); return; }
+    _dispatch(req, res, basePath, bearer, opts, maxPageSize)
+      .catch(function (err) {
+        _writeScimError(res, err.statusCode || 500, err.scimType || "internal",
+          (err.message || String(err)).slice(0, 500));
+      });
+  }
+
+  middleware.basePath           = basePath;
+  middleware.serviceProviderDoc = _serviceProviderConfig(opts);
+  return middleware;
+}
+
+function _validateResourceImpl(impl, name) {
+  if (!impl || typeof impl !== "object") {
+    throw new ScimServerError("middleware/scim-server/no-" + name,
+      "middleware.scimServer: opts." + name + " must be an object implementing { create, read, update, patch, remove, list }");
+  }
+  ["create", "read", "update", "patch", "remove", "list"].forEach(function (m) {
+    if (typeof impl[m] !== "function") {
+      throw new ScimServerError("middleware/scim-server/bad-" + name + "-impl",
+        "middleware.scimServer: opts." + name + "." + m + " must be a function");
+    }
+  });
+}
+
+async function _dispatch(req, res, basePath, bearer, opts, maxPageSize) {
+  var relUrl = req.url.slice(basePath.length) || "/";
+  var qIdx   = relUrl.indexOf("?");
+  var path   = qIdx === -1 ? relUrl : relUrl.slice(0, qIdx);
+  var query  = _parseQuery(qIdx === -1 ? "" : relUrl.slice(qIdx + 1));
+
+  if (path === "/ServiceProviderConfig" && req.method === "GET") {
+    _writeJson(res, H.OK, _serviceProviderConfig(opts)); return;
+  }
+  if (path === "/ResourceTypes" && req.method === "GET") {
+    _writeJson(res, H.OK, _resourceTypes(opts)); return;
+  }
+  if (path === "/Schemas" && req.method === "GET") {
+    _writeJson(res, H.OK, _schemas()); return;
+  }
+
+  var actor = null;
+  if (bearer) {
+    var authz = req.headers && req.headers.authorization;
+    // BEARER_RE applies to a single header line; node http caps header lines at 8 KiB.
+    var m = authz && typeof authz === "string" && authz.length < C.BYTES.kib(8) && BEARER_RE.test(authz)    // allow:regex-no-length-cap header line bounded above
+      ? authz.match(BEARER_RE) : null;
+    if (!m) {
+      res.writeHead(H.UNAUTHORIZED, {
+        "Content-Type":     "application/scim+json",
+        "WWW-Authenticate": "Bearer",
+        "Cache-Control":    "no-store",
+      });
+      res.end(JSON.stringify({
+        schemas:  [SCIM_MESSAGE_ERROR],
+        status:   "401",
+        detail:   "Missing Bearer token",
+      }));
+      return;
+    }
+    try { actor = await bearer(m[1]); }
+    catch (_e) { actor = null; }
+    if (!actor) {
+      res.writeHead(H.UNAUTHORIZED, {
+        "Content-Type":     "application/scim+json",
+        "WWW-Authenticate": 'Bearer error="invalid_token"',
+        "Cache-Control":    "no-store",
+      });
+      res.end(JSON.stringify({
+        schemas:  [SCIM_MESSAGE_ERROR],
+        status:   "401",
+        detail:   "Bearer token rejected",
+      }));
+      return;
+    }
+  }
+
+  var ctx     = { actor: actor, req: req };
+  var users   = opts.users;
+  var groups  = opts.groups;
+
+  // RESOURCE_PATH_RE applies to a URL path; node http caps URL at 8 KiB.
+  var match = path.length < C.BYTES.kib(8) && RESOURCE_PATH_RE.test(path) ? path.match(RESOURCE_PATH_RE) : null;   // allow:regex-no-length-cap URL bounded above
+  if (!match) {
+    _writeScimError(res, H.NOT_FOUND, "notFound", "no SCIM resource at " + path);
+    return;
+  }
+  var resourceType = match[1];
+  var resourceId   = match[2] || null;
+  var impl = resourceType === "Users" ? users : groups;
+  if (!impl) {
+    _writeScimError(res, 404, "notFound", "/" + resourceType + " not configured");
+    return;
+  }
+
+  var body = null;
+  if (req.method === "POST" || req.method === "PUT" || req.method === "PATCH") {
+    body = await _readJsonBody(req);
+  }
+
+  if (req.method === "GET" && !resourceId) {
+    var filter = _parseFilter(query.filter);
+    var pageSize   = Math.min(maxPageSize, parseInt(query.count || "100", 10) || 100);
+    var startIndex = Math.max(1, parseInt(query.startIndex || "1", 10) || 1);
+    var listRv = await impl.list({
+      filter:             filter,
+      startIndex:         startIndex,
+      count:              pageSize,
+      sortBy:             query.sortBy || null,
+      sortOrder:          query.sortOrder || null,
+      attributes:         query.attributes ? query.attributes.split(",") : null,
+      excludedAttributes: query.excludedAttributes ? query.excludedAttributes.split(",") : null,
+    }, ctx);
+    _writeJson(res, H.OK, {
+      schemas:      [SCIM_MESSAGE_LIST],
+      totalResults: listRv.totalResults,
+      startIndex:   startIndex,
+      itemsPerPage: listRv.Resources.length,
+      Resources:    listRv.Resources,
+    });
+    return;
+  }
+
+  if (req.method === "GET" && resourceId) {
+    var rec = await impl.read(resourceId, ctx);
+    if (!rec) { _writeScimError(res, H.NOT_FOUND, "notFound", "no resource with id " + resourceId); return; }
+    _writeJson(res, H.OK, rec);
+    return;
+  }
+
+  if (req.method === "POST" && !resourceId) {
+    _assertSchema(body, resourceType === "Users" ? SCIM_CORE_SCHEMA_USER : SCIM_CORE_SCHEMA_GROUP);
+    var created = await impl.create(body, ctx);
+    _writeJson(res, H.CREATED, created);
+    return;
+  }
+
+  if (req.method === "PUT" && resourceId) {
+    _assertSchema(body, resourceType === "Users" ? SCIM_CORE_SCHEMA_USER : SCIM_CORE_SCHEMA_GROUP);
+    var updated = await impl.update(resourceId, body, ctx);
+    _writeJson(res, H.OK, updated);
+    return;
+  }
+
+  if (req.method === "PATCH" && resourceId) {
+    if (!body || !Array.isArray(body.Operations) || body.Operations.length === 0) {
+      _writeScimError(res, H.BAD_REQUEST, "invalidValue", "PATCH body must include Operations[]");
+      return;
+    }
+    body.Operations.forEach(function (op, i) {
+      if (!op || typeof op !== "object" || typeof op.op !== "string") {
+        var e = new Error("Operations[" + i + "] missing op");
+        e.statusCode = H.BAD_REQUEST; e.scimType = "invalidValue";
+        throw e;
+      }
+      var verb = op.op.toLowerCase();
+      if (verb !== "add" && verb !== "remove" && verb !== "replace") {
+        var e2 = new Error("Operations[" + i + "].op = '" + op.op + "' not in add/remove/replace");
+        e2.statusCode = H.BAD_REQUEST; e2.scimType = "invalidValue";
+        throw e2;
+      }
+    });
+    var patched = await impl.patch(resourceId, body.Operations, ctx);
+    _writeJson(res, H.OK, patched);
+    return;
+  }
+
+  if (req.method === "DELETE" && resourceId) {
+    await impl.remove(resourceId, ctx);
+    res.writeHead(H.NO_CONTENT, { "Cache-Control": "no-store" });
+    res.end();
+    return;
+  }
+
+  _writeScimError(res, H.METHOD_NOT_ALLOWED, "noTarget", req.method + " not allowed on " + path);
+}
+
+function _parseQuery(qs) {
+  var out = {};
+  if (!qs) return out;
+  qs.split("&").forEach(function (pair) {
+    var eq = pair.indexOf("=");
+    var k  = eq === -1 ? pair : pair.slice(0, eq);
+    var v  = eq === -1 ? ""   : pair.slice(eq + 1);
+    try { out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, " ")); }
+    catch (_e) { /* skip malformed */ }
+  });
+  return out;
+}
+
+function _parseFilter(filter) {
+  if (typeof filter !== "string" || filter.length === 0) return null;
+  if (!SCIM_FILTER_RE.test(filter)) return { raw: filter };
+  var m = filter.match(SCIM_FILTER_RE);
+  var op = m[2].toLowerCase();
+  if (ALLOWED_FILTER_OPS.indexOf(op) === -1) return { raw: filter };
+  var rv = { attribute: m[1], op: op, raw: filter };
+  if (op === "pr") return rv;
+  var v = (m[3] || "").trim();
+  if (v.charAt(0) === '"' && v.charAt(v.length - 1) === '"') {
+    v = v.slice(1, -1).replace(/\\"/g, '"');
+  }
+  rv.value = v;
+  return rv;
+}
+
+function _readJsonBody(req) {
+  var MAX = C.BYTES.mib(1);
+  if (req.body && Buffer.isBuffer(req.body)) {
+    return Promise.resolve(safeJson.parse(req.body.toString("utf8"), { maxBytes: MAX }));
+  }
+  if (req.body && typeof req.body === "object") return Promise.resolve(req.body);
+  return safeBuffer.boundedChunkCollector(req, MAX, ScimServerError, "middleware/scim-server/body-too-large")
+    .then(function (buf) {
+      return safeJson.parse(buf.toString("utf8"), { maxBytes: MAX });
+    });
+}
+
+function _assertSchema(body, expectedSchema) {
+  if (!body || typeof body !== "object") {
+    var e = new Error("request body must be a JSON object");
+    e.statusCode = H.BAD_REQUEST; e.scimType = "invalidValue"; throw e;
+  }
+  if (!Array.isArray(body.schemas) || body.schemas.indexOf(expectedSchema) === -1) {
+    var e2 = new Error("body.schemas must include '" + expectedSchema + "'");
+    e2.statusCode = H.BAD_REQUEST; e2.scimType = "invalidValue"; throw e2;
+  }
+}
+
+function _writeJson(res, status, body) {
+  res.writeHead(status, {
+    "Content-Type":  "application/scim+json",
+    "Cache-Control": "no-store",
+  });
+  res.end(JSON.stringify(body));
+}
+
+function _writeScimError(res, status, scimType, detail) {
+  res.writeHead(status, {
+    "Content-Type":  "application/scim+json",
+    "Cache-Control": "no-store",
+  });
+  res.end(JSON.stringify({
+    schemas:  [SCIM_MESSAGE_ERROR],
+    status:   String(status),
+    scimType: scimType,
+    detail:   detail,
+  }));
+}
+
+function _serviceProviderConfig(opts) {
+  return {
+    schemas: ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
+    documentationUri: opts.documentationUri || "https://datatracker.ietf.org/doc/html/rfc7643",
+    patch:            { supported: true },
+    bulk:             { supported: false, maxOperations: 0, maxPayloadSize: 0 },
+    filter:           { supported: true, maxResults: opts.maxPageSize || 200 },
+    changePassword:   { supported: false },
+    sort:             { supported: true },
+    etag:             { supported: false },
+    authenticationSchemes: [
+      {
+        type:        "oauthbearertoken",
+        name:        "OAuth 2.0 Bearer Token",
+        description: "Authentication scheme using the OAuth Bearer Token Standard",
+        specUri:     "https://www.rfc-editor.org/info/rfc6750",
+        primary:     true,
+      },
+    ],
+  };
+}
+
+function _resourceTypes(opts) {
+  var rv = [
+    {
+      schemas:  ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+      id:       "User", name: "User", endpoint: "/Users",
+      description: "User resource (RFC 7643 §4.1)",
+      schema:   SCIM_CORE_SCHEMA_USER,
+    },
+  ];
+  if (opts.groups) {
+    rv.push({
+      schemas:  ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+      id:       "Group", name: "Group", endpoint: "/Groups",
+      description: "Group resource (RFC 7643 §4.2)",
+      schema:   SCIM_CORE_SCHEMA_GROUP,
+    });
+  }
+  return rv;
+}
+
+function _schemas() {
+  return [
+    { id: SCIM_CORE_SCHEMA_USER,  name: "User",  description: "RFC 7643 §4.1 User resource" },
+    { id: SCIM_CORE_SCHEMA_GROUP, name: "Group", description: "RFC 7643 §4.2 Group resource" },
+  ];
+}
+
+module.exports = {
+  create:                 create,
+  ScimServerError:        ScimServerError,
+  SCIM_CORE_SCHEMA_USER:  SCIM_CORE_SCHEMA_USER,
+  SCIM_CORE_SCHEMA_GROUP: SCIM_CORE_SCHEMA_GROUP,
+  ALLOWED_FILTER_OPS:     ALLOWED_FILTER_OPS,
+};

package/lib/middleware/security-headers.js

@@ -71,6 +71,18 @@ var DEFAULT_PERMISSIONS = [
   //     embedding APIs; deny-by-default.
   "storage-access=()", "browsing-topics=()",
   "private-aggregation=()", "controlled-frame=()", "captured-surface-control=()",
+  // v0.8.77 expansion — remaining Privacy Sandbox + Browser-API
+  // directives surfacing through Chrome 130+ / Firefox 132+ stable.
+  // Default-deny: FedCM (identity-credentials-get), cross-site
+  // attribution reporting, WebAuthn create flow (operators that need
+  // it opt in explicitly), FLEDGE/Topics auction APIs (join-ad-
+  // interest-group / run-ad-auction), Shared Storage API + selectURL,
+  // Smart Card API, all-screens capture, deferred-fetch (background
+  // resource sync).
+  "identity-credentials-get=()", "attribution-reporting-cross-site=()",
+  "publickey-credentials-create=()", "join-ad-interest-group=()",
+  "run-ad-auction=()", "shared-storage=()", "shared-storage-select-url=()",
+  "smartcard=()", "all-screens-capture=()", "deferred-fetch=()",
 ];
 
 // Strict CSP — no 'unsafe-inline' on script-src OR style-src.