@hammadj/better-auth-scim 1.5.0-beta.9

package/dist/index.mjs

@@ -0,0 +1,1308 @@
+import { base64Url } from "@better-auth/utils/base64";
+import { createAuthEndpoint, createAuthMiddleware, defaultKeyHasher } from "better-auth/plugins";
+import { APIError, HIDE_METADATA } from "better-auth";
+import { statusCodes } from "better-call";
+import { generateRandomString, symmetricDecrypt, symmetricEncrypt } from "better-auth/crypto";
+import { APIError as APIError$1, sessionMiddleware } from "better-auth/api";
+import * as z from "zod";
+
+//#region src/scim-error.ts
+/**
+* SCIM compliant error
+* See: https://datatracker.ietf.org/doc/html/rfc7644#section-3.12
+*/
+var SCIMAPIError = class extends APIError {
+	constructor(status = "INTERNAL_SERVER_ERROR", overrides = {}) {
+		const body = {
+			schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
+			status: (typeof status === "number" ? status : statusCodes[status]).toString(),
+			detail: overrides.detail,
+			...overrides
+		};
+		super(status, body);
+		this.message = body.detail ?? body.message;
+	}
+};
+const SCIMErrorOpenAPISchema = {
+	type: "object",
+	properties: {
+		schemas: {
+			type: "array",
+			items: { type: "string" }
+		},
+		status: { type: "string" },
+		detail: { type: "string" },
+		scimType: { type: "string" }
+	}
+};
+const SCIMErrorOpenAPISchemas = {
+	"400": {
+		description: "Bad Request. Usually due to missing parameters, or invalid parameters",
+		content: { "application/json": { schema: SCIMErrorOpenAPISchema } }
+	},
+	"401": {
+		description: "Unauthorized. Due to missing or invalid authentication.",
+		content: { "application/json": { schema: SCIMErrorOpenAPISchema } }
+	},
+	"403": {
+		description: "Unauthorized. Due to missing or invalid authentication.",
+		content: { "application/json": { schema: SCIMErrorOpenAPISchema } }
+	},
+	"404": {
+		description: "Not Found. The requested resource was not found.",
+		content: { "application/json": { schema: SCIMErrorOpenAPISchema } }
+	},
+	"429": {
+		description: "Too Many Requests. You have exceeded the rate limit. Try again later.",
+		content: { "application/json": { schema: SCIMErrorOpenAPISchema } }
+	},
+	"500": {
+		description: "Internal Server Error. This is a problem with the server that you cannot fix.",
+		content: { "application/json": { schema: SCIMErrorOpenAPISchema } }
+	}
+};
+
+//#endregion
+//#region src/scim-tokens.ts
+async function storeSCIMToken(ctx, opts, scimToken) {
+	if (opts.storeSCIMToken === "encrypted") return await symmetricEncrypt({
+		key: ctx.context.secret,
+		data: scimToken
+	});
+	if (opts.storeSCIMToken === "hashed") return await defaultKeyHasher(scimToken);
+	if (typeof opts.storeSCIMToken === "object" && "hash" in opts.storeSCIMToken) return await opts.storeSCIMToken.hash(scimToken);
+	if (typeof opts.storeSCIMToken === "object" && "encrypt" in opts.storeSCIMToken) return await opts.storeSCIMToken.encrypt(scimToken);
+	return scimToken;
+}
+async function verifySCIMToken(ctx, opts, storedSCIMToken, scimToken) {
+	if (opts.storeSCIMToken === "encrypted") return await symmetricDecrypt({
+		key: ctx.context.secret,
+		data: storedSCIMToken
+	}) === scimToken;
+	if (opts.storeSCIMToken === "hashed") return await defaultKeyHasher(scimToken) === storedSCIMToken;
+	if (typeof opts.storeSCIMToken === "object" && "hash" in opts.storeSCIMToken) return await opts.storeSCIMToken.hash(scimToken) === storedSCIMToken;
+	if (typeof opts.storeSCIMToken === "object" && "decrypt" in opts.storeSCIMToken) return await opts.storeSCIMToken.decrypt(storedSCIMToken) === scimToken;
+	return scimToken === storedSCIMToken;
+}
+
+//#endregion
+//#region src/middlewares.ts
+/**
+* The middleware forces the endpoint to have a valid token
+*/
+const authMiddlewareFactory = (opts) => createAuthMiddleware(async (ctx) => {
+	const authSCIMToken = (ctx.headers?.get("Authorization"))?.replace(/^Bearer\s+/i, "");
+	if (!authSCIMToken) throw new SCIMAPIError("UNAUTHORIZED", { detail: "SCIM token is required" });
+	const baseScimTokenParts = new TextDecoder().decode(base64Url.decode(authSCIMToken)).split(":");
+	const [scimToken, providerId] = baseScimTokenParts;
+	const organizationId = baseScimTokenParts.slice(2).join(":");
+	if (!scimToken || !providerId) throw new SCIMAPIError("UNAUTHORIZED", { detail: "Invalid SCIM token" });
+	let scimProvider = opts.defaultSCIM?.find((p) => {
+		if (p.providerId === providerId && !organizationId) return true;
+		return !!(p.providerId === providerId && organizationId && p.organizationId === organizationId);
+	}) ?? null;
+	if (scimProvider) if (scimProvider.scimToken === scimToken) return {
+		authSCIMToken: scimProvider.scimToken,
+		scimProvider
+	};
+	else throw new SCIMAPIError("UNAUTHORIZED", { detail: "Invalid SCIM token" });
+	scimProvider = await ctx.context.adapter.findOne({
+		model: "scimProvider",
+		where: [{
+			field: "providerId",
+			value: providerId
+		}, ...organizationId ? [{
+			field: "organizationId",
+			value: organizationId
+		}] : []]
+	});
+	if (!scimProvider) throw new SCIMAPIError("UNAUTHORIZED", { detail: "Invalid SCIM token" });
+	if (!await verifySCIMToken(ctx, opts, scimProvider.scimToken, scimToken)) throw new SCIMAPIError("UNAUTHORIZED", { detail: "Invalid SCIM token" });
+	return {
+		authSCIMToken: scimToken,
+		scimProvider
+	};
+});
+
+//#endregion
+//#region src/mappings.ts
+const getAccountId = (userName, externalId) => {
+	return externalId ?? userName;
+};
+const getFormattedName = (name) => {
+	if (name.givenName && name.familyName) return `${name.givenName} ${name.familyName}`;
+	if (name.givenName) return name.givenName;
+	return name.familyName ?? "";
+};
+const getUserFullName = (email, name) => {
+	if (name) {
+		const formatted = name.formatted?.trim() ?? "";
+		if (formatted.length > 0) return formatted;
+		return getFormattedName(name) || email;
+	}
+	return email;
+};
+const getUserPrimaryEmail = (userName, emails) => {
+	return emails?.find((email) => email.primary)?.value ?? emails?.[0]?.value ?? userName;
+};
+
+//#endregion
+//#region src/patch-operations.ts
+const identity = (user, op, resources) => {
+	return op.value;
+};
+const lowerCase = (user, op, resources) => {
+	return op.value.toLowerCase();
+};
+const givenName = (user, op, resources) => {
+	const familyName = (resources.user.name ?? user.name).split(" ").slice(1).join(" ").trim();
+	const givenName = op.value;
+	return getUserFullName(user.email, {
+		givenName,
+		familyName
+	});
+};
+const familyName = (user, op, resources) => {
+	const currentName = resources.user.name ?? user.name;
+	const givenName = (currentName.split(" ").slice(0, -1).join(" ") || currentName).trim();
+	const familyName = op.value;
+	return getUserFullName(user.email, {
+		givenName,
+		familyName
+	});
+};
+const userPatchMappings = {
+	"/name/formatted": {
+		resource: "user",
+		target: "name",
+		map: identity
+	},
+	"/name/givenName": {
+		resource: "user",
+		target: "name",
+		map: givenName
+	},
+	"/name/familyName": {
+		resource: "user",
+		target: "name",
+		map: familyName
+	},
+	"/externalId": {
+		resource: "account",
+		target: "accountId",
+		map: identity
+	},
+	"/userName": {
+		resource: "user",
+		target: "email",
+		map: lowerCase
+	}
+};
+const normalizePath = (path) => {
+	return `/${(path.startsWith("/") ? path.slice(1) : path).replaceAll(".", "/")}`;
+};
+const isNestedObject = (value) => {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+};
+const applyMapping = (user, resources, path, value, op) => {
+	const normalizedPath = normalizePath(path);
+	const mapping = userPatchMappings[normalizedPath];
+	if (!mapping) return;
+	const newValue = mapping.map(user, {
+		op,
+		value,
+		path: normalizedPath
+	}, resources);
+	if (op === "add" && mapping.resource === "user") {
+		if (user[mapping.target] === newValue) return;
+	}
+	resources[mapping.resource][mapping.target] = newValue;
+};
+const applyPatchValue = (user, resources, value, op, path) => {
+	if (isNestedObject(value)) for (const [key, nestedValue] of Object.entries(value)) applyPatchValue(user, resources, nestedValue, op, path ? `${path}.${key}` : key);
+	else if (path) applyMapping(user, resources, path, value, op);
+};
+const buildUserPatch = (user, operations) => {
+	const resources = {
+		user: {},
+		account: {}
+	};
+	for (const operation of operations) {
+		if (operation.op !== "add" && operation.op !== "replace") continue;
+		applyPatchValue(user, resources, operation.value, operation.op, operation.path);
+	}
+	return resources;
+};
+
+//#endregion
+//#region src/user-schemas.ts
+const APIUserSchema = z.object({
+	userName: z.string().lowercase(),
+	externalId: z.string().optional(),
+	name: z.object({
+		formatted: z.string().optional(),
+		givenName: z.string().optional(),
+		familyName: z.string().optional()
+	}).optional(),
+	emails: z.array(z.object({
+		value: z.email(),
+		primary: z.boolean().optional()
+	})).optional()
+});
+const OpenAPIUserResourceSchema = {
+	type: "object",
+	properties: {
+		id: { type: "string" },
+		meta: {
+			type: "object",
+			properties: {
+				resourceType: { type: "string" },
+				created: {
+					type: "string",
+					format: "date-time"
+				},
+				lastModified: {
+					type: "string",
+					format: "date-time"
+				},
+				location: { type: "string" }
+			}
+		},
+		userName: { type: "string" },
+		name: {
+			type: "object",
+			properties: {
+				formatted: { type: "string" },
+				givenName: { type: "string" },
+				familyName: { type: "string" }
+			}
+		},
+		displayName: { type: "string" },
+		active: { type: "boolean" },
+		emails: {
+			type: "array",
+			items: {
+				type: "object",
+				properties: {
+					value: { type: "string" },
+					primary: { type: "boolean" }
+				}
+			}
+		},
+		schemas: {
+			type: "array",
+			items: { type: "string" }
+		}
+	}
+};
+const SCIMUserResourceSchema = {
+	id: "urn:ietf:params:scim:schemas:core:2.0:User",
+	schemas: ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
+	name: "User",
+	description: "User Account",
+	attributes: [
+		{
+			name: "id",
+			type: "string",
+			multiValued: false,
+			description: "Unique opaque identifier for the User",
+			required: false,
+			caseExact: true,
+			mutability: "readOnly",
+			returned: "default",
+			uniqueness: "server"
+		},
+		{
+			name: "userName",
+			type: "string",
+			multiValued: false,
+			description: "Unique identifier for the User, typically used by the user to directly authenticate to the service provider",
+			required: true,
+			caseExact: false,
+			mutability: "readWrite",
+			returned: "default",
+			uniqueness: "server"
+		},
+		{
+			name: "displayName",
+			type: "string",
+			multiValued: false,
+			description: "The name of the User, suitable for display to end-users.  The name SHOULD be the full name of the User being described, if known.",
+			required: false,
+			caseExact: true,
+			mutability: "readOnly",
+			returned: "default",
+			uniqueness: "none"
+		},
+		{
+			name: "active",
+			type: "boolean",
+			multiValued: false,
+			description: "A Boolean value indicating the User's administrative status.",
+			required: false,
+			mutability: "readOnly",
+			returned: "default"
+		},
+		{
+			name: "name",
+			type: "complex",
+			multiValued: false,
+			description: "The components of the user's real name.",
+			required: false,
+			subAttributes: [
+				{
+					name: "formatted",
+					type: "string",
+					multiValued: false,
+					description: "The full name, including all middlenames, titles, and suffixes as appropriate, formatted for display(e.g., 'Ms. Barbara J Jensen, III').",
+					required: false,
+					caseExact: false,
+					mutability: "readWrite",
+					returned: "default",
+					uniqueness: "none"
+				},
+				{
+					name: "familyName",
+					type: "string",
+					multiValued: false,
+					description: "The family name of the User, or last name in most Western languages (e.g., 'Jensen' given the fullname 'Ms. Barbara J Jensen, III').",
+					required: false,
+					caseExact: false,
+					mutability: "readWrite",
+					returned: "default",
+					uniqueness: "none"
+				},
+				{
+					name: "givenName",
+					type: "string",
+					multiValued: false,
+					description: "The given name of the User, or first name in most Western languages (e.g., 'Barbara' given the full name 'Ms. Barbara J Jensen, III').",
+					required: false,
+					caseExact: false,
+					mutability: "readWrite",
+					returned: "default",
+					uniqueness: "none"
+				}
+			]
+		},
+		{
+			name: "emails",
+			type: "complex",
+			multiValued: true,
+			description: "Email addresses for the user.  The value SHOULD be canonicalized by the service provider, e.g., 'bjensen@example.com' instead of 'bjensen@EXAMPLE.COM'. Canonical type values of 'work', 'home', and 'other'.",
+			required: false,
+			subAttributes: [{
+				name: "value",
+				type: "string",
+				multiValued: false,
+				description: "Email addresses for the user.  The value SHOULD be canonicalized by the service provider, e.g., 'bjensen@example.com' instead of 'bjensen@EXAMPLE.COM'. Canonical type values of 'work', 'home', and 'other'.",
+				required: false,
+				caseExact: false,
+				mutability: "readWrite",
+				returned: "default",
+				uniqueness: "server"
+			}, {
+				name: "primary",
+				type: "boolean",
+				multiValued: false,
+				description: "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred mailing address or primary email address.  The primary attribute value 'true' MUST appear no more than once.",
+				required: false,
+				mutability: "readWrite",
+				returned: "default"
+			}],
+			mutability: "readWrite",
+			returned: "default",
+			uniqueness: "none"
+		}
+	],
+	meta: {
+		resourceType: "Schema",
+		location: "/scim/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User"
+	}
+};
+const SCIMUserResourceType = {
+	schemas: ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+	id: "User",
+	name: "User",
+	endpoint: "/Users",
+	description: "User Account",
+	schema: "urn:ietf:params:scim:schemas:core:2.0:User",
+	meta: {
+		resourceType: "ResourceType",
+		location: "/scim/v2/ResourceTypes/User"
+	}
+};
+
+//#endregion
+//#region src/scim-filters.ts
+const SCIMOperators = { eq: "eq" };
+const SCIMUserAttributes = { userName: "email" };
+var SCIMParseError = class extends Error {};
+const SCIMFilterRegex = /^\s*(?<attribute>[^\s]+)\s+(?<op>eq|ne|co|sw|ew|pr)\s*(?:(?<value>"[^"]*"|[^\s]+))?\s*$/i;
+const parseSCIMFilter = (filter) => {
+	const match = filter.match(SCIMFilterRegex);
+	if (!match) throw new SCIMParseError("Invalid filter expression");
+	const attribute = match.groups?.attribute;
+	const op = match.groups?.op?.toLowerCase();
+	const value = match.groups?.value;
+	if (!attribute || !op || !value) throw new SCIMParseError("Invalid filter expression");
+	const operator = SCIMOperators[op];
+	if (!operator) throw new SCIMParseError(`The operator "${op}" is not supported`);
+	return {
+		attribute,
+		operator,
+		value
+	};
+};
+const parseSCIMUserFilter = (filter) => {
+	const { attribute, operator, value } = parseSCIMFilter(filter);
+	const filters = [];
+	const targetAttribute = SCIMUserAttributes[attribute];
+	const resourceAttribute = SCIMUserResourceSchema.attributes.find((attr) => attr.name === attribute);
+	if (!targetAttribute || !resourceAttribute) throw new SCIMParseError(`The attribute "${attribute}" is not supported`);
+	let finalValue = value.replaceAll("\"", "");
+	if (!resourceAttribute.caseExact) finalValue = finalValue.toLowerCase();
+	filters.push({
+		field: targetAttribute,
+		value: finalValue,
+		operator
+	});
+	return filters;
+};
+
+//#endregion
+//#region src/scim-metadata.ts
+const MetadataFieldSupportOpenAPISchema = {
+	type: "object",
+	properties: { supported: { type: "boolean" } }
+};
+const ServiceProviderOpenAPISchema = {
+	type: "object",
+	properties: {
+		patch: MetadataFieldSupportOpenAPISchema,
+		bulk: MetadataFieldSupportOpenAPISchema,
+		filter: MetadataFieldSupportOpenAPISchema,
+		changePassword: MetadataFieldSupportOpenAPISchema,
+		sort: MetadataFieldSupportOpenAPISchema,
+		etag: MetadataFieldSupportOpenAPISchema,
+		authenticationSchemes: {
+			type: "array",
+			items: {
+				type: "object",
+				properties: {
+					name: { type: "string" },
+					description: { type: "string" },
+					specUri: { type: "string" },
+					type: { type: "string" },
+					primary: { type: "boolean" }
+				}
+			}
+		},
+		schemas: {
+			type: "array",
+			items: { type: "string" }
+		},
+		meta: {
+			type: "object",
+			properties: { resourceType: { type: "string" } }
+		}
+	}
+};
+const ResourceTypeOpenAPISchema = {
+	type: "object",
+	properties: {
+		schemas: {
+			type: "array",
+			items: { type: "string" }
+		},
+		id: { type: "string" },
+		name: { type: "string" },
+		endpoint: { type: "string" },
+		description: { type: "string" },
+		schema: { type: "string" },
+		meta: {
+			type: "object",
+			properties: {
+				resourceType: { type: "string" },
+				location: { type: "string" }
+			}
+		}
+	}
+};
+const SCIMSchemaAttributesOpenAPISchema = {
+	type: "object",
+	properties: {
+		name: { type: "string" },
+		type: { type: "string" },
+		multiValued: { type: "boolean" },
+		description: { type: "string" },
+		required: { type: "boolean" },
+		caseExact: { type: "boolean" },
+		mutability: { type: "string" },
+		returned: { type: "string" },
+		uniqueness: { type: "string" }
+	}
+};
+const SCIMSchemaOpenAPISchema = {
+	type: "object",
+	properties: {
+		id: { type: "string" },
+		schemas: {
+			type: "array",
+			items: { type: "string" }
+		},
+		name: { type: "string" },
+		description: { type: "string" },
+		attributes: {
+			type: "array",
+			items: {
+				...SCIMSchemaAttributesOpenAPISchema,
+				properties: {
+					...SCIMSchemaAttributesOpenAPISchema.properties,
+					subAttributes: {
+						type: "array",
+						items: SCIMSchemaAttributesOpenAPISchema
+					}
+				}
+			}
+		},
+		meta: {
+			type: "object",
+			properties: {
+				resourceType: { type: "string" },
+				location: { type: "string" }
+			},
+			required: ["resourceType", "location"]
+		}
+	}
+};
+
+//#endregion
+//#region src/utils.ts
+const getResourceURL = (path, baseURL) => {
+	const normalizedBaseURL = baseURL.endsWith("/") ? baseURL : `${baseURL}/`;
+	const normalizedPath = path.replace(/^\/+/, "");
+	return new URL(normalizedPath, normalizedBaseURL).toString();
+};
+
+//#endregion
+//#region src/scim-resources.ts
+const createUserResource = (baseURL, user, account) => {
+	return {
+		id: user.id,
+		externalId: account?.accountId,
+		meta: {
+			resourceType: "User",
+			created: user.createdAt,
+			lastModified: user.updatedAt,
+			location: getResourceURL(`/scim/v2/Users/${user.id}`, baseURL)
+		},
+		userName: user.email,
+		name: { formatted: user.name },
+		displayName: user.name,
+		active: true,
+		emails: [{
+			primary: true,
+			value: user.email
+		}],
+		schemas: [SCIMUserResourceSchema.id]
+	};
+};
+
+//#endregion
+//#region src/routes.ts
+const supportedSCIMSchemas = [SCIMUserResourceSchema];
+const supportedSCIMResourceTypes = [SCIMUserResourceType];
+const supportedMediaTypes = ["application/json", "application/scim+json"];
+const generateSCIMTokenBodySchema = z.object({
+	providerId: z.string().meta({ description: "Unique provider identifier" }),
+	organizationId: z.string().optional().meta({ description: "Optional organization id" })
+});
+const generateSCIMToken = (opts) => createAuthEndpoint("/scim/generate-token", {
+	method: "POST",
+	body: generateSCIMTokenBodySchema,
+	metadata: { openapi: {
+		summary: "Generates a new SCIM token for the given provider",
+		description: "Generates a new SCIM token to be used for SCIM operations",
+		responses: { "201": {
+			description: "SCIM token response",
+			content: { "application/json": { schema: {
+				type: "object",
+				properties: { scimToken: {
+					description: "SCIM token",
+					type: "string"
+				} }
+			} } }
+		} }
+	} },
+	use: [sessionMiddleware]
+}, async (ctx) => {
+	const { providerId, organizationId } = ctx.body;
+	const user = ctx.context.session.user;
+	if (providerId.includes(":")) throw new APIError$1("BAD_REQUEST", { message: "Provider id contains forbidden characters" });
+	if (organizationId && !ctx.context.hasPlugin("organization")) throw new APIError$1("BAD_REQUEST", { message: "Restricting a token to an organization requires the organization plugin" });
+	let member = null;
+	if (organizationId) {
+		member = await ctx.context.adapter.findOne({
+			model: "member",
+			where: [{
+				field: "userId",
+				value: user.id
+			}, {
+				field: "organizationId",
+				value: organizationId
+			}]
+		});
+		if (!member) throw new APIError$1("FORBIDDEN", { message: "You are not a member of the organization" });
+	}
+	const scimProvider = await ctx.context.adapter.findOne({
+		model: "scimProvider",
+		where: [{
+			field: "providerId",
+			value: providerId
+		}, ...organizationId ? [{
+			field: "organizationId",
+			value: organizationId
+		}] : []]
+	});
+	if (scimProvider) await ctx.context.adapter.delete({
+		model: "scimProvider",
+		where: [{
+			field: "id",
+			value: scimProvider.id
+		}]
+	});
+	const baseToken = generateRandomString(24);
+	const scimToken = base64Url.encode(`${baseToken}:${providerId}${organizationId ? `:${organizationId}` : ""}`);
+	if (opts.beforeSCIMTokenGenerated) await opts.beforeSCIMTokenGenerated({
+		user,
+		member,
+		scimToken
+	});
+	const newSCIMProvider = await ctx.context.adapter.create({
+		model: "scimProvider",
+		data: {
+			providerId,
+			organizationId,
+			scimToken: await storeSCIMToken(ctx, opts, baseToken)
+		}
+	});
+	if (opts.afterSCIMTokenGenerated) await opts.afterSCIMTokenGenerated({
+		user,
+		member,
+		scimToken,
+		scimProvider: newSCIMProvider
+	});
+	ctx.setStatus(201);
+	return ctx.json({ scimToken });
+});
+const createSCIMUser = (authMiddleware) => createAuthEndpoint("/scim/v2/Users", {
+	method: "POST",
+	body: APIUserSchema,
+	metadata: {
+		...HIDE_METADATA,
+		allowedMediaTypes: supportedMediaTypes,
+		openapi: {
+			summary: "Create SCIM user.",
+			description: "Provision a new user into the linked organization via SCIM. See https://datatracker.ietf.org/doc/html/rfc7644#section-3.3",
+			responses: {
+				"201": {
+					description: "SCIM user resource",
+					content: { "application/json": { schema: OpenAPIUserResourceSchema } }
+				},
+				...SCIMErrorOpenAPISchemas
+			}
+		}
+	},
+	use: [authMiddleware]
+}, async (ctx) => {
+	const body = ctx.body;
+	const providerId = ctx.context.scimProvider.providerId;
+	const accountId = getAccountId(body.userName, body.externalId);
+	if (await ctx.context.adapter.findOne({
+		model: "account",
+		where: [{
+			field: "accountId",
+			value: accountId
+		}, {
+			field: "providerId",
+			value: providerId
+		}]
+	})) throw new SCIMAPIError("CONFLICT", {
+		detail: "User already exists",
+		scimType: "uniqueness"
+	});
+	const email = getUserPrimaryEmail(body.userName, body.emails);
+	const name = getUserFullName(email, body.name);
+	const existingUser = await ctx.context.adapter.findOne({
+		model: "user",
+		where: [{
+			field: "email",
+			value: email
+		}]
+	});
+	const createAccount = (userId) => ctx.context.internalAdapter.createAccount({
+		userId,
+		providerId,
+		accountId,
+		accessToken: "",
+		refreshToken: ""
+	});
+	const createUser = () => ctx.context.internalAdapter.createUser({
+		email,
+		name
+	});
+	const createOrgMembership = async (userId) => {
+		const organizationId = ctx.context.scimProvider.organizationId;
+		if (organizationId) {
+			if (!await ctx.context.adapter.findOne({
+				model: "member",
+				where: [{
+					field: "organizationId",
+					value: organizationId
+				}, {
+					field: "userId",
+					value: userId
+				}]
+			})) return await ctx.context.adapter.create({
+				model: "member",
+				data: {
+					userId,
+					role: "member",
+					createdAt: /* @__PURE__ */ new Date(),
+					organizationId
+				}
+			});
+		}
+	};
+	let user;
+	let account;
+	if (existingUser) {
+		user = existingUser;
+		account = await ctx.context.adapter.transaction(async () => {
+			const account = await createAccount(user.id);
+			await createOrgMembership(user.id);
+			return account;
+		});
+	} else [user, account] = await ctx.context.adapter.transaction(async () => {
+		const user = await createUser();
+		const account = await createAccount(user.id);
+		await createOrgMembership(user.id);
+		return [user, account];
+	});
+	const userResource = createUserResource(ctx.context.baseURL, user, account);
+	ctx.setStatus(201);
+	ctx.setHeader("location", userResource.meta.location);
+	return ctx.json(userResource);
+});
+const updateSCIMUser = (authMiddleware) => createAuthEndpoint("/scim/v2/Users/:userId", {
+	method: "PUT",
+	body: APIUserSchema,
+	metadata: {
+		...HIDE_METADATA,
+		allowedMediaTypes: supportedMediaTypes,
+		openapi: {
+			summary: "Update SCIM user.",
+			description: "Updates an existing user into the linked organization via SCIM. See https://datatracker.ietf.org/doc/html/rfc7644#section-3.3",
+			responses: {
+				"200": {
+					description: "SCIM user resource",
+					content: { "application/json": { schema: OpenAPIUserResourceSchema } }
+				},
+				...SCIMErrorOpenAPISchemas
+			}
+		}
+	},
+	use: [authMiddleware]
+}, async (ctx) => {
+	const body = ctx.body;
+	const userId = ctx.params.userId;
+	const { organizationId, providerId } = ctx.context.scimProvider;
+	const accountId = getAccountId(body.userName, body.externalId);
+	const { user, account } = await findUserById(ctx.context.adapter, {
+		userId,
+		providerId,
+		organizationId
+	});
+	if (!user) throw new SCIMAPIError("NOT_FOUND", { detail: "User not found" });
+	const [updatedUser, updatedAccount] = await ctx.context.adapter.transaction(async () => {
+		const email = getUserPrimaryEmail(body.userName, body.emails);
+		const name = getUserFullName(email, body.name);
+		return [await ctx.context.internalAdapter.updateUser(userId, {
+			email,
+			name,
+			updatedAt: /* @__PURE__ */ new Date()
+		}), await ctx.context.internalAdapter.updateAccount(account.id, {
+			accountId,
+			updatedAt: /* @__PURE__ */ new Date()
+		})];
+	});
+	const userResource = createUserResource(ctx.context.baseURL, updatedUser, updatedAccount);
+	return ctx.json(userResource);
+});
+const listSCIMUsersQuerySchema = z.object({ filter: z.string().optional() }).optional();
+const listSCIMUsers = (authMiddleware) => createAuthEndpoint("/scim/v2/Users", {
+	method: "GET",
+	query: listSCIMUsersQuerySchema,
+	metadata: {
+		...HIDE_METADATA,
+		allowedMediaTypes: supportedMediaTypes,
+		openapi: {
+			summary: "List SCIM users",
+			description: "Returns all users provisioned via SCIM for the linked organization. See https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2",
+			responses: {
+				"200": {
+					description: "SCIM user list",
+					content: { "application/json": { schema: {
+						type: "object",
+						properties: {
+							totalResults: { type: "number" },
+							itemsPerPage: { type: "number" },
+							startIndex: { type: "number" },
+							Resources: {
+								type: "array",
+								items: OpenAPIUserResourceSchema
+							}
+						}
+					} } }
+				},
+				...SCIMErrorOpenAPISchemas
+			}
+		}
+	},
+	use: [authMiddleware]
+}, async (ctx) => {
+	const apiFilters = parseSCIMAPIUserFilter(ctx.query?.filter);
+	ctx.context.logger.info("Querying result with filters: ", apiFilters);
+	const providerId = ctx.context.scimProvider.providerId;
+	const accounts = await ctx.context.adapter.findMany({
+		model: "account",
+		where: [{
+			field: "providerId",
+			value: providerId
+		}]
+	});
+	const accountUserIds = accounts.map((account) => account.userId);
+	let userFilters = [{
+		field: "id",
+		value: accountUserIds,
+		operator: "in"
+	}];
+	const organizationId = ctx.context.scimProvider.organizationId;
+	if (organizationId) userFilters = [{
+		field: "id",
+		value: (await ctx.context.adapter.findMany({
+			model: "member",
+			where: [{
+				field: "organizationId",
+				value: organizationId
+			}, {
+				field: "userId",
+				value: accountUserIds,
+				operator: "in"
+			}]
+		})).map((member) => member.userId),
+		operator: "in"
+	}];
+	const users = await ctx.context.adapter.findMany({
+		model: "user",
+		where: [...userFilters, ...apiFilters]
+	});
+	return ctx.json({
+		schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+		totalResults: users.length,
+		startIndex: 1,
+		itemsPerPage: users.length,
+		Resources: users.map((user) => {
+			const account = accounts.find((a) => a.userId === user.id);
+			return createUserResource(ctx.context.baseURL, user, account);
+		})
+	});
+});
+const getSCIMUser = (authMiddleware) => createAuthEndpoint("/scim/v2/Users/:userId", {
+	method: "GET",
+	metadata: {
+		...HIDE_METADATA,
+		allowedMediaTypes: supportedMediaTypes,
+		openapi: {
+			summary: "Get SCIM user details",
+			description: "Returns the provisioned SCIM user details. See https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.1",
+			responses: {
+				"200": {
+					description: "SCIM user resource",
+					content: { "application/json": { schema: OpenAPIUserResourceSchema } }
+				},
+				...SCIMErrorOpenAPISchemas
+			}
+		}
+	},
+	use: [authMiddleware]
+}, async (ctx) => {
+	const userId = ctx.params.userId;
+	const providerId = ctx.context.scimProvider.providerId;
+	const organizationId = ctx.context.scimProvider.organizationId;
+	const { user, account } = await findUserById(ctx.context.adapter, {
+		userId,
+		providerId,
+		organizationId
+	});
+	if (!user) throw new SCIMAPIError("NOT_FOUND", { detail: "User not found" });
+	return ctx.json(createUserResource(ctx.context.baseURL, user, account));
+});
+const patchSCIMUserBodySchema = z.object({
+	schemas: z.array(z.string()).refine((s) => s.includes("urn:ietf:params:scim:api:messages:2.0:PatchOp"), { message: "Invalid schemas for PatchOp" }),
+	Operations: z.array(z.object({
+		op: z.string().toLowerCase().default("replace").pipe(z.enum([
+			"replace",
+			"add",
+			"remove"
+		])),
+		path: z.string().optional(),
+		value: z.any()
+	}))
+});
+const patchSCIMUser = (authMiddleware) => createAuthEndpoint("/scim/v2/Users/:userId", {
+	method: "PATCH",
+	body: patchSCIMUserBodySchema,
+	metadata: {
+		...HIDE_METADATA,
+		allowedMediaTypes: supportedMediaTypes,
+		openapi: {
+			summary: "Patch SCIM user",
+			description: "Updates fields on a SCIM user record",
+			responses: {
+				"204": { description: "Patch update applied correctly" },
+				...SCIMErrorOpenAPISchemas
+			}
+		}
+	},
+	use: [authMiddleware]
+}, async (ctx) => {
+	const userId = ctx.params.userId;
+	const organizationId = ctx.context.scimProvider.organizationId;
+	const providerId = ctx.context.scimProvider.providerId;
+	const { user, account } = await findUserById(ctx.context.adapter, {
+		userId,
+		providerId,
+		organizationId
+	});
+	if (!user) throw new SCIMAPIError("NOT_FOUND", { detail: "User not found" });
+	const { user: userPatch, account: accountPatch } = buildUserPatch(user, ctx.body.Operations);
+	if (Object.keys(userPatch).length === 0 && Object.keys(accountPatch).length === 0) throw new SCIMAPIError("BAD_REQUEST", { detail: "No valid fields to update" });
+	await Promise.all([Object.keys(userPatch).length > 0 ? ctx.context.internalAdapter.updateUser(userId, {
+		...userPatch,
+		updatedAt: /* @__PURE__ */ new Date()
+	}) : Promise.resolve(), Object.keys(accountPatch).length > 0 ? ctx.context.internalAdapter.updateAccount(account.id, {
+		...accountPatch,
+		updatedAt: /* @__PURE__ */ new Date()
+	}) : Promise.resolve()]);
+	ctx.setStatus(204);
+});
+const deleteSCIMUser = (authMiddleware) => createAuthEndpoint("/scim/v2/Users/:userId", {
+	method: "DELETE",
+	metadata: {
+		...HIDE_METADATA,
+		allowedMediaTypes: [...supportedMediaTypes, ""],
+		openapi: {
+			summary: "Delete SCIM user",
+			description: "Deletes (or deactivates) a user within the linked organization.",
+			responses: {
+				"204": { description: "Delete applied successfully" },
+				...SCIMErrorOpenAPISchemas
+			}
+		}
+	},
+	use: [authMiddleware]
+}, async (ctx) => {
+	const userId = ctx.params.userId;
+	const providerId = ctx.context.scimProvider.providerId;
+	const organizationId = ctx.context.scimProvider.organizationId;
+	const { user } = await findUserById(ctx.context.adapter, {
+		userId,
+		providerId,
+		organizationId
+	});
+	if (!user) throw new SCIMAPIError("NOT_FOUND", { detail: "User not found" });
+	await ctx.context.internalAdapter.deleteUser(userId);
+	ctx.setStatus(204);
+});
+const getSCIMServiceProviderConfig = createAuthEndpoint("/scim/v2/ServiceProviderConfig", {
+	method: "GET",
+	metadata: {
+		...HIDE_METADATA,
+		allowedMediaTypes: supportedMediaTypes,
+		openapi: {
+			summary: "SCIM Service Provider Configuration",
+			description: "Standard SCIM metadata endpoint used by identity providers. See https://datatracker.ietf.org/doc/html/rfc7644#section-4",
+			responses: {
+				"200": {
+					description: "SCIM metadata object",
+					content: { "application/json": { schema: ServiceProviderOpenAPISchema } }
+				},
+				...SCIMErrorOpenAPISchemas
+			}
+		}
+	}
+}, async (ctx) => {
+	return ctx.json({
+		patch: { supported: true },
+		bulk: { supported: false },
+		filter: { supported: true },
+		changePassword: { supported: false },
+		sort: { supported: false },
+		etag: { supported: false },
+		authenticationSchemes: [{
+			name: "OAuth Bearer Token",
+			description: "Authentication scheme using the Authorization header with a bearer token tied to an organization.",
+			specUri: "http://www.rfc-editor.org/info/rfc6750",
+			type: "oauthbearertoken",
+			primary: true
+		}],
+		schemas: ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
+		meta: { resourceType: "ServiceProviderConfig" }
+	});
+});
+const getSCIMSchemas = createAuthEndpoint("/scim/v2/Schemas", {
+	method: "GET",
+	metadata: {
+		...HIDE_METADATA,
+		allowedMediaTypes: supportedMediaTypes,
+		openapi: {
+			summary: "SCIM Service Provider Configuration Schemas",
+			description: "Standard SCIM metadata endpoint used by identity providers to acquire information about supported schemas. See https://datatracker.ietf.org/doc/html/rfc7644#section-4",
+			responses: {
+				"200": {
+					description: "SCIM metadata object",
+					content: { "application/json": { schema: {
+						type: "array",
+						items: SCIMSchemaOpenAPISchema
+					} } }
+				},
+				...SCIMErrorOpenAPISchemas
+			}
+		}
+	}
+}, async (ctx) => {
+	return ctx.json({
+		totalResults: supportedSCIMSchemas.length,
+		itemsPerPage: supportedSCIMSchemas.length,
+		startIndex: 1,
+		schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+		Resources: supportedSCIMSchemas.map((s) => {
+			return {
+				...s,
+				meta: {
+					...s.meta,
+					location: getResourceURL(s.meta.location, ctx.context.baseURL)
+				}
+			};
+		})
+	});
+});
+const getSCIMSchema = createAuthEndpoint("/scim/v2/Schemas/:schemaId", {
+	method: "GET",
+	metadata: {
+		...HIDE_METADATA,
+		allowedMediaTypes: supportedMediaTypes,
+		openapi: {
+			summary: "SCIM a Service Provider Configuration Schema",
+			description: "Standard SCIM metadata endpoint used by identity providers to acquire information about a given schema. See https://datatracker.ietf.org/doc/html/rfc7644#section-4",
+			responses: {
+				"200": {
+					description: "SCIM metadata object",
+					content: { "application/json": { schema: SCIMSchemaOpenAPISchema } }
+				},
+				...SCIMErrorOpenAPISchemas
+			}
+		}
+	}
+}, async (ctx) => {
+	const schema = supportedSCIMSchemas.find((s) => s.id === ctx.params.schemaId);
+	if (!schema) throw new SCIMAPIError("NOT_FOUND", { detail: "Schema not found" });
+	return ctx.json({
+		...schema,
+		meta: {
+			...schema.meta,
+			location: getResourceURL(schema.meta.location, ctx.context.baseURL)
+		}
+	});
+});
+const getSCIMResourceTypes = createAuthEndpoint("/scim/v2/ResourceTypes", {
+	method: "GET",
+	metadata: {
+		...HIDE_METADATA,
+		allowedMediaTypes: supportedMediaTypes,
+		openapi: {
+			summary: "SCIM Service Provider Supported Resource Types",
+			description: "Standard SCIM metadata endpoint used by identity providers to get a list of server supported types. See https://datatracker.ietf.org/doc/html/rfc7644#section-4",
+			responses: {
+				"200": {
+					description: "SCIM metadata object",
+					content: { "application/json": { schema: {
+						type: "object",
+						properties: {
+							totalResults: { type: "number" },
+							itemsPerPage: { type: "number" },
+							startIndex: { type: "number" },
+							Resources: {
+								type: "array",
+								items: ResourceTypeOpenAPISchema
+							}
+						}
+					} } }
+				},
+				...SCIMErrorOpenAPISchemas
+			}
+		}
+	}
+}, async (ctx) => {
+	return ctx.json({
+		totalResults: supportedSCIMResourceTypes.length,
+		itemsPerPage: supportedSCIMResourceTypes.length,
+		startIndex: 1,
+		schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+		Resources: supportedSCIMResourceTypes.map((s) => {
+			return {
+				...s,
+				meta: {
+					...s.meta,
+					location: getResourceURL(s.meta.location, ctx.context.baseURL)
+				}
+			};
+		})
+	});
+});
+const getSCIMResourceType = createAuthEndpoint("/scim/v2/ResourceTypes/:resourceTypeId", {
+	method: "GET",
+	metadata: {
+		...HIDE_METADATA,
+		allowedMediaTypes: supportedMediaTypes,
+		openapi: {
+			summary: "SCIM Service Provider Supported Resource Type",
+			description: "Standard SCIM metadata endpoint used by identity providers to get a server supported type. See https://datatracker.ietf.org/doc/html/rfc7644#section-4",
+			responses: {
+				"200": {
+					description: "SCIM metadata object",
+					content: { "application/json": { schema: ResourceTypeOpenAPISchema } }
+				},
+				...SCIMErrorOpenAPISchemas
+			}
+		}
+	}
+}, async (ctx) => {
+	const resourceType = supportedSCIMResourceTypes.find((s) => s.id === ctx.params.resourceTypeId);
+	if (!resourceType) throw new SCIMAPIError("NOT_FOUND", { detail: "Resource type not found" });
+	return ctx.json({
+		...resourceType,
+		meta: {
+			...resourceType.meta,
+			location: getResourceURL(resourceType.meta.location, ctx.context.baseURL)
+		}
+	});
+});
+const findUserById = async (adapter, { userId, providerId, organizationId }) => {
+	const account = await adapter.findOne({
+		model: "account",
+		where: [{
+			field: "userId",
+			value: userId
+		}, {
+			field: "providerId",
+			value: providerId
+		}]
+	});
+	if (!account) return {
+		user: null,
+		account: null
+	};
+	let member = null;
+	if (organizationId) member = await adapter.findOne({
+		model: "member",
+		where: [{
+			field: "organizationId",
+			value: organizationId
+		}, {
+			field: "userId",
+			value: userId
+		}]
+	});
+	if (organizationId && !member) return {
+		user: null,
+		account: null
+	};
+	const user = await adapter.findOne({
+		model: "user",
+		where: [{
+			field: "id",
+			value: userId
+		}]
+	});
+	if (!user) return {
+		user: null,
+		account: null
+	};
+	return {
+		user,
+		account
+	};
+};
+const parseSCIMAPIUserFilter = (filter) => {
+	let filters = [];
+	try {
+		filters = filter ? parseSCIMUserFilter(filter) : [];
+	} catch (error) {
+		throw new SCIMAPIError("BAD_REQUEST", {
+			detail: error instanceof SCIMParseError ? error.message : "Invalid SCIM filter",
+			scimType: "invalidFilter"
+		});
+	}
+	return filters;
+};
+
+//#endregion
+//#region src/index.ts
+const scim = (options) => {
+	const opts = {
+		storeSCIMToken: "plain",
+		...options
+	};
+	const authMiddleware = authMiddlewareFactory(opts);
+	return {
+		id: "scim",
+		endpoints: {
+			generateSCIMToken: generateSCIMToken(opts),
+			getSCIMUser: getSCIMUser(authMiddleware),
+			createSCIMUser: createSCIMUser(authMiddleware),
+			patchSCIMUser: patchSCIMUser(authMiddleware),
+			deleteSCIMUser: deleteSCIMUser(authMiddleware),
+			updateSCIMUser: updateSCIMUser(authMiddleware),
+			listSCIMUsers: listSCIMUsers(authMiddleware),
+			getSCIMServiceProviderConfig,
+			getSCIMSchemas,
+			getSCIMSchema,
+			getSCIMResourceTypes,
+			getSCIMResourceType
+		},
+		schema: { scimProvider: { fields: {
+			providerId: {
+				type: "string",
+				required: true,
+				unique: true
+			},
+			scimToken: {
+				type: "string",
+				required: true,
+				unique: true
+			},
+			organizationId: {
+				type: "string",
+				required: false
+			}
+		} } },
+		options
+	};
+};
+
+//#endregion
+export { scim };
+//# sourceMappingURL=index.mjs.map