@linagora/ldap-rest-client 1.0.0

package/dist/index.js

@@ -0,0 +1,1173 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ApiError: () => ApiError,
+  AuthenticationError: () => AuthenticationError,
+  AuthorizationError: () => AuthorizationError,
+  ConflictError: () => ConflictError,
+  GroupsResource: () => GroupsResource,
+  LdapRestClient: () => LdapRestClient,
+  LdapRestError: () => LdapRestError,
+  NetworkError: () => NetworkError,
+  NotFoundError: () => NotFoundError,
+  OrganizationsResource: () => OrganizationsResource,
+  RateLimitError: () => RateLimitError,
+  UsersResource: () => UsersResource,
+  ValidationError: () => ValidationError
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/config/ClientConfig.ts
+var ConfigValidator = class {
+  static validate(config) {
+    if (!config.baseUrl || config.baseUrl.trim().length === 0) {
+      throw new Error("baseUrl is required");
+    }
+    if (config.auth?.type === "hmac") {
+      if (!config.auth.serviceId || config.auth.serviceId.trim().length === 0) {
+        throw new Error("serviceId is required for HMAC authentication");
+      }
+      if (!config.auth.secret || config.auth.secret.trim().length === 0) {
+        throw new Error("secret is required for HMAC authentication");
+      }
+      if (config.auth.secret.length < 32) {
+        console.warn(
+          `[LDAP-REST Client] Secret should be at least 32 characters (current: ${config.auth.secret.length})`
+        );
+      }
+    }
+    try {
+      new URL(config.baseUrl);
+    } catch {
+      throw new Error("baseUrl must be a valid URL");
+    }
+    if (config.timeout !== void 0 && (config.timeout <= 0 || !Number.isFinite(config.timeout))) {
+      throw new Error("timeout must be a positive number");
+    }
+  }
+  static normalize(config) {
+    return {
+      baseUrl: config.baseUrl.replace(/\/$/, ""),
+      auth: config.auth ?? { type: "cookie" },
+      timeout: config.timeout ?? 3e4,
+      logger: config.logger
+    };
+  }
+  static toHttpConfig(config) {
+    return {
+      baseUrl: config.baseUrl,
+      timeout: config.timeout
+    };
+  }
+};
+
+// src/lib/HmacAuth.ts
+var import_crypto = require("crypto");
+var HmacAuth = class {
+  /**
+   * Creates an HMAC authentication handler
+   *
+   * @param {HmacAuthConfig} config - HMAC authentication configuration containing serviceId and secret
+   */
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * Generates authorization header for a request
+   *
+   * @param {SignatureParams} params - Request parameters to sign
+   * @returns {string} Authorization header value in format "HMAC-SHA256 service-id:timestamp:signature"
+   */
+  sign = (params) => {
+    const signature = this.generateSignature(params);
+    return `HMAC-SHA256 ${signature.serviceId}:${signature.timestamp}:${signature.signature}`;
+  };
+  /**
+   * Generates HMAC signature components
+   *
+   * @param {SignatureParams} params - Request parameters
+   * @returns {HmacSignature} Signature components including service ID, timestamp, and signature
+   * @private
+   */
+  generateSignature = (params) => {
+    const timestamp = Date.now();
+    const bodyHash = this.hashBody(params.method, params.body);
+    const signingString = `${params.method.toUpperCase()}|${params.path}|${timestamp}|${bodyHash}`;
+    const signature = this.computeHmac(signingString);
+    return {
+      serviceId: this.config.serviceId,
+      timestamp,
+      signature
+    };
+  };
+  /**
+   * Computes SHA256 hash of request body
+   *
+   * For GET/DELETE/HEAD requests, returns empty string.
+   * For other methods, returns SHA256 hash of body if provided.
+   *
+   * @param {string} method - HTTP method
+   * @param {string} [body] - Request body
+   * @returns {string} SHA256 hash as hex string or empty string
+   * @private
+   */
+  hashBody = (method, body) => {
+    const upperMethod = method.toUpperCase();
+    if (upperMethod === "GET" || upperMethod === "DELETE" || upperMethod === "HEAD") {
+      return "";
+    }
+    if (!body || body.trim().length === 0) {
+      return "";
+    }
+    return (0, import_crypto.createHash)("sha256").update(body, "utf8").digest("hex");
+  };
+  /**
+   * Computes HMAC-SHA256 signature
+   *
+   * @param {string} data - Data to sign
+   * @returns {string} HMAC-SHA256 signature as hex string
+   * @private
+   */
+  computeHmac = (data) => {
+    return (0, import_crypto.createHmac)("sha256", this.config.secret).update(data, "utf8").digest("hex");
+  };
+};
+
+// src/errors/LdapRestError.ts
+var LdapRestError = class extends Error {
+  /** Error class name (automatically set to constructor name) */
+  name;
+  /** HTTP status code associated with the error (if applicable) */
+  statusCode;
+  /** Machine-readable error code for programmatic handling */
+  code;
+  /**
+   * Creates a new LDAP-REST error
+   *
+   * @param {string} message - Human-readable error message
+   * @param {number} [statusCode] - HTTP status code
+   * @param {string} [code] - Machine-readable error code
+   */
+  constructor(message, statusCode, code) {
+    super(message);
+    this.name = this.constructor.name;
+    this.statusCode = statusCode;
+    this.code = code;
+    Error.captureStackTrace(this, this.constructor);
+  }
+};
+
+// src/errors/ApiError.ts
+var ApiError = class _ApiError extends LdapRestError {
+  /**
+   * Creates a new API error
+   *
+   * @param {string} message - Human-readable error message
+   * @param {number} statusCode - HTTP status code
+   * @param {string} code - Machine-readable error code
+   */
+  constructor(message, statusCode, code) {
+    super(message, statusCode, code);
+  }
+  /**
+   * Creates an ApiError from an API response body
+   *
+   * @param {number} statusCode - HTTP status code from response
+   * @param {{ error: string; code: string }} body - Response body containing error details
+   * @returns {ApiError} New ApiError instance
+   */
+  static fromResponse(statusCode, body) {
+    return new _ApiError(body.error, statusCode, body.code);
+  }
+};
+var ValidationError = class extends LdapRestError {
+  /**
+   * Creates a new validation error
+   *
+   * @param {string} message - Description of what validation failed
+   */
+  constructor(message) {
+    super(message, 400, "VALIDATION_ERROR");
+  }
+};
+var AuthenticationError = class extends LdapRestError {
+  /**
+   * Creates a new authentication error
+   *
+   * @param {string} message - Authentication failure reason
+   */
+  constructor(message) {
+    super(message, 401, "AUTHENTICATION_ERROR");
+  }
+};
+var AuthorizationError = class extends LdapRestError {
+  /**
+   * Creates a new authorization error
+   *
+   * @param {string} message - Authorization failure reason
+   */
+  constructor(message) {
+    super(message, 403, "AUTHORIZATION_ERROR");
+  }
+};
+var NotFoundError = class extends LdapRestError {
+  /**
+   * Creates a new not found error
+   *
+   * @param {string} message - Description of what was not found
+   * @param {string} [code] - Optional specific error code (defaults to 'NOT_FOUND')
+   */
+  constructor(message, code) {
+    super(message, 404, code || "NOT_FOUND");
+  }
+};
+var ConflictError = class extends LdapRestError {
+  /**
+   * Creates a new conflict error
+   *
+   * @param {string} message - Description of the conflict
+   * @param {string} [code] - Optional specific error code (e.g., 'USERNAME_EXISTS', 'EMAIL_EXISTS')
+   */
+  constructor(message, code) {
+    super(message, 409, code || "CONFLICT");
+  }
+};
+var RateLimitError = class extends LdapRestError {
+  /** Number of seconds to wait before retrying (from Retry-After header) */
+  retryAfter;
+  /**
+   * Creates a new rate limit error
+   *
+   * @param {string} message - Rate limit error message
+   * @param {number} [retryAfter] - Seconds to wait before retrying
+   */
+  constructor(message, retryAfter) {
+    super(message, 429, "RATE_LIMIT_EXCEEDED");
+    this.retryAfter = retryAfter;
+  }
+};
+var NetworkError = class extends LdapRestError {
+  /** Original error that caused the network failure */
+  cause;
+  /**
+   * Creates a new network error
+   *
+   * @param {string} message - Network error description
+   * @param {Error} [cause] - Original error that caused the failure
+   */
+  constructor(message, cause) {
+    super(message);
+    this.cause = cause;
+  }
+};
+
+// src/lib/HttpClient.ts
+var HttpClient = class {
+  /**
+   * Creates an HTTP client instance
+   *
+   * @param {HttpConfig} config - HTTP configuration (baseUrl, timeout)
+   * @param {Auth | undefined} auth - Optional authentication handler (HMAC). If undefined, uses cookies.
+   * @param {Logger<unknown>} logger - Logger instance
+   */
+  constructor(config, auth, logger) {
+    this.config = config;
+    this.auth = auth;
+    this.logger = logger;
+  }
+  /**
+   * Makes an authenticated HTTP request
+   *
+   * @template T - Response type
+   * @param {RequestOptions} options - Request options
+   * @returns {Promise<T>} Parsed response body
+   * @throws {ApiError} When API returns an error
+   * @throws {NetworkError} When network request fails
+   */
+  request = async (options) => {
+    const url = `${this.config.baseUrl}${options.path}`;
+    const bodyString = options.body ? JSON.stringify(options.body) : void 0;
+    this.logger.debug("Sending request", {
+      method: options.method,
+      url,
+      hasBody: !!bodyString
+    });
+    const authHeader = this.auth?.sign({
+      method: options.method,
+      path: options.path,
+      body: bodyString
+    });
+    const headers = {
+      "Content-Type": "application/json",
+      ...options.headers
+    };
+    if (authHeader) {
+      headers.Authorization = authHeader;
+    }
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.config.timeout);
+    try {
+      const response = await fetch(url, {
+        method: options.method,
+        headers,
+        body: bodyString,
+        signal: controller.signal,
+        credentials: authHeader ? void 0 : "include"
+      });
+      clearTimeout(timeoutId);
+      this.logger.info("Request completed", {
+        method: options.method,
+        path: options.path,
+        status: response.status
+      });
+      return this.handleResponse(response);
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof Error && error.name === "AbortError") {
+        this.logger.error("Request timeout", {
+          method: options.method,
+          path: options.path,
+          timeoutMs: this.config.timeout
+        });
+        throw new NetworkError(`Request timeout after ${this.config.timeout}ms`);
+      }
+      if (error instanceof NetworkError || error instanceof ApiError) {
+        throw error;
+      }
+      this.logger.error("Network request failed", {
+        method: options.method,
+        path: options.path,
+        error: error instanceof Error ? error.message : "Unknown error"
+      });
+      throw new NetworkError(
+        `Network request failed: ${error instanceof Error ? error.message : "Unknown error"}`,
+        error instanceof Error ? error : void 0
+      );
+    }
+  };
+  /**
+   * Handles HTTP response
+   *
+   * Maps HTTP status codes to specific error types and parses response body.
+   *
+   * @template T - Response type
+   * @param {Response} response - Fetch API response
+   * @returns {Promise<T>} Parsed response body
+   * @throws {ApiError} When API returns an error status
+   * @private
+   */
+  handleResponse = async (response) => {
+    if (response.ok) {
+      if (response.status === 204) {
+        return { success: true };
+      }
+      const contentType = response.headers.get("content-type");
+      if (!contentType?.includes("application/json")) {
+        throw new ApiError("Expected JSON response", response.status, "INVALID_RESPONSE");
+      }
+      return response.json();
+    }
+    let errorBody;
+    try {
+      const json = await response.json();
+      errorBody = json;
+    } catch {
+    }
+    const message = errorBody?.error ?? `HTTP ${response.status}: ${response.statusText}`;
+    const code = errorBody?.code ?? "UNKNOWN_ERROR";
+    switch (response.status) {
+      case 400:
+        throw new ValidationError(message);
+      case 401:
+        throw new AuthenticationError(message);
+      case 403:
+        throw new AuthorizationError(message);
+      case 404:
+        throw new NotFoundError(message, code);
+      case 409:
+        throw new ConflictError(message, code);
+      case 429: {
+        const retryAfter = response.headers.get("retry-after");
+        throw new RateLimitError(message, retryAfter ? parseInt(retryAfter, 10) : void 0);
+      }
+      default:
+        if (errorBody) {
+          throw ApiError.fromResponse(response.status, errorBody);
+        }
+        throw new ApiError(message, response.status, code);
+    }
+  };
+  /**
+   * Performs a GET request
+   *
+   * @template T - Response type
+   * @param {string} path - Request path
+   * @param {Record<string, string>} [headers] - Additional headers
+   * @returns {Promise<T>} Parsed response body
+   */
+  get = (path, headers) => {
+    return this.request({ method: "GET", path, headers });
+  };
+  /**
+   * Performs a POST request
+   *
+   * @template T - Response type
+   * @param {string} path - Request path
+   * @param {unknown} [body] - Request body
+   * @param {Record<string, string>} [headers] - Additional headers
+   * @returns {Promise<T>} Parsed response body
+   */
+  post = (path, body, headers) => {
+    return this.request({ method: "POST", path, body, headers });
+  };
+  /**
+   * Performs a PATCH request
+   *
+   * @template T - Response type
+   * @param {string} path - Request path
+   * @param {unknown} [body] - Request body
+   * @param {Record<string, string>} [headers] - Additional headers
+   * @returns {Promise<T>} Parsed response body
+   */
+  patch = (path, body, headers) => {
+    return this.request({ method: "PATCH", path, body, headers });
+  };
+  /**
+   * Performs a DELETE request
+   *
+   * @template T - Response type
+   * @param {string} path - Request path
+   * @param {Record<string, string>} [headers] - Additional headers
+   * @returns {Promise<T>} Parsed response body
+   */
+  delete = (path, headers) => {
+    return this.request({ method: "DELETE", path, headers });
+  };
+};
+
+// src/lib/index.ts
+var import_tslog = require("tslog");
+
+// src/LdapRestClient.ts
+var import_tslog2 = require("tslog");
+
+// src/resources/BaseResource.ts
+var BaseResource = class {
+  /**
+   * Creates a base resource instance
+   *
+   * @param {HttpClient} http - HTTP client for making requests
+   * @protected
+   */
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Builds a query string from parameters
+   *
+   * Filters out undefined and null values, and properly encodes
+   * parameter names and values for URL use.
+   *
+   * @param {Record<string, string | number | boolean | undefined>} params - Query parameters
+   * @returns {string} Formatted query string with leading '?' or empty string
+   * @protected
+   *
+   * @example
+   * ```typescript
+   * buildQueryString({ field: 'username', value: 'john' })
+   * // Returns: "?field=username&value=john"
+   * ```
+   */
+  buildQueryString = (params) => {
+    const entries = Object.entries(params).filter(
+      ([_, value]) => value !== void 0 && value !== null
+    );
+    if (entries.length === 0) {
+      return "";
+    }
+    const queryParams = entries.map(
+      ([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(String(value))}`
+    );
+    return `?${queryParams.join("&")}`;
+  };
+};
+
+// src/resources/UsersResource.ts
+var UsersResource = class extends BaseResource {
+  /**
+   * Creates a new user in the main LDAP branch
+   *
+   * @param {CreateUserRequest} data - User data including credentials and profile
+   * @returns {Promise<{ success: true }>} Success response
+   * @throws {ConflictError} When username/email/phone already exists
+   * @throws {ApiError} On other API errors
+   */
+  create = async (data) => {
+    return this.http.post("/api/v1/users", data);
+  };
+  /**
+   * Updates an existing user
+   *
+   * @param {string} userId - User identifier (username)
+   * @param {UpdateUserRequest} data - Fields to update
+   * @returns {Promise<{ success: true }>} Success response
+   * @throws {NotFoundError} When user is not found
+   * @throws {ApiError} On other API errors
+   */
+  update = async (userId, data) => {
+    return this.http.patch(`/api/v1/users/${encodeURIComponent(userId)}`, data);
+  };
+  /**
+   * Disables a user account
+   *
+   * Sets pwdAccountLockedTime to lock the account using LDAP PPolicy.
+   *
+   * @param {string} userId - User identifier (username)
+   * @returns {Promise<{ success: true }>} Success response
+   * @throws {NotFoundError} When user is not found
+   * @throws {ApiError} On other API errors
+   */
+  disable = async (userId) => {
+    return this.http.post(`/api/v1/users/${encodeURIComponent(userId)}/disable`);
+  };
+  /**
+   * Deletes a user
+   *
+   * Permanently removes the user from LDAP.
+   *
+   * @param {string} userId - User identifier (username)
+   * @returns {Promise<{ success: true }>} Success response
+   * @throws {NotFoundError} When user is not found
+   * @throws {ApiError} On other API errors
+   */
+  delete = async (userId) => {
+    return this.http.delete(`/api/v1/users/${encodeURIComponent(userId)}`);
+  };
+  /**
+   * Checks if a username, phone, or email is available
+   *
+   * @param {CheckAvailabilityParams} params - Field and value to check
+   * @returns {Promise<CheckAvailabilityResponse>} Availability status
+   * @throws {ApiError} On API errors
+   *
+   * @example
+   * ```typescript
+   * const result = await client.users.checkAvailability({
+   *   field: 'username',
+   *   value: 'johndoe'
+   * });
+   *
+   * ```
+   */
+  checkAvailability = async (params) => {
+    const query = this.buildQueryString(params);
+    return this.http.get(`/api/v1/users/check${query}`);
+  };
+  /**
+   * Fetches a user by identifier
+   *
+   * @param {FetchUserRequest} params - Fetch parameters (by, value, fields)
+   * @returns {Promise<User>} User data
+   * @throws {NotFoundError} When user is not found
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * const user = await client.users.fetch({
+   *   by: 'username',
+   *   value: 'johndoe',
+   *   fields: 'cn,mail,mobile'
+   * });
+   * ```
+   */
+  fetch = async (params) => {
+    const query = this.buildQueryString(params);
+    return this.http.get(`/api/v1/users${query}`);
+  };
+};
+
+// src/resources/OrganizationsResource.ts
+var OrganizationsResource = class extends BaseResource {
+  /**
+   * Creates a new organization with dedicated LDAP branch
+   *
+   * @param {CreateOrganizationRequest} data - Organization data
+   * @returns {Promise<CreateOrganizationResponse>} Organization details including baseDN
+   * @throws {ConflictError} When organization already exists
+   * @throws {ApiError} On other API errors
+   */
+  create = async (data) => {
+    return this.http.post("/api/v1/organizations", data);
+  };
+  /**
+   * Checks if an organization identifier is available
+   *
+   * @param {CheckAvailabilityParams} params - Field and value to check
+   * @returns {Promise<CheckAvailabilityResponse>} Availability status
+   * @throws {ApiError} On API errors
+   *
+   * @example
+   * ```typescript
+   * const result = await client.organizations.checkAvailability({
+   *   field: 'domain',
+   *   value: 'acme.example.com'
+   * });
+   * ```
+   */
+  checkAvailability = async (params) => {
+    const query = this.buildQueryString(params);
+    return this.http.get(`/api/v1/organizations/check${query}`);
+  };
+  /**
+   * Links a user as the first admin of an organization
+   *
+   * Associates an existing user account with an organization and grants
+   * admin privileges. Typically called after organization creation.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {CreateAdminRequest} data - Admin user details (username and email)
+   * @returns {Promise<{ success: true }>} Success response
+   * @throws {NotFoundError} When organization or user is not found
+   * @throws {ConflictError} When user is already an admin
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * await client.organizations.createAdmin('org_abc123', {
+   *   username: 'john.doe',
+   *   mail: 'john.doe@acme.example.com'
+   * });
+   * ```
+   */
+  createAdmin = async (organizationId, data) => {
+    return this.http.post(
+      `/api/v1/organizations/${encodeURIComponent(organizationId)}/admin`,
+      data
+    );
+  };
+  /**
+   * Gets a list of organizations for the authenticated user
+   *
+   * Requires SSO cookie authentication. Returns organizations where the
+   * authenticated user has admin role.
+   *
+   * @returns {Promise<Organization[]>} Array of organizations
+   * @throws {ApiError} On API errors
+   *
+   * @example
+   * ```typescript
+   * const organizations = await client.organizations.list();
+   * ```
+   */
+  list = async () => {
+    return this.http.get("/api/v1/organizations");
+  };
+  /**
+   * Gets details of a specific organization
+   *
+   * Requires SSO cookie authentication.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @returns {Promise<Organization>} Organization details
+   * @throws {NotFoundError} When organization is not found
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * const org = await client.organizations.get('org_abc123');
+   * ```
+   */
+  get = async (organizationId) => {
+    return this.http.get(`/api/v1/organizations/${encodeURIComponent(organizationId)}`);
+  };
+  /**
+   * Updates an organization
+   *
+   * Requires SSO cookie authentication and admin role.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {UpdateOrganizationRequest} data - Fields to update
+   * @returns {Promise<{ success: true }>} Success response
+   * @throws {NotFoundError} When organization is not found
+   * @throws {ForbiddenError} When user lacks admin privileges
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * await client.organizations.update('org_abc123', {
+   *   name: 'New Organization Name',
+   *   status: 'active'
+   * });
+   * ```
+   */
+  update = async (organizationId, data) => {
+    return this.http.patch(`/api/v1/organizations/${encodeURIComponent(organizationId)}`, data);
+  };
+  // ===== B2B User Management Methods =====
+  /**
+   * Creates a new user in an organization's LDAP branch
+   *
+   * Requires SSO cookie authentication and admin role in the target organization.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {CreateUserRequest} data - User data including credentials and profile
+   * @returns {Promise<CreateB2BUserResponse>} Response with user's baseDN
+   * @throws {ForbiddenError} When user lacks admin privileges
+   * @throws {NotFoundError} When organization is not found
+   * @throws {ConflictError} When username/email/phone already exists
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * const result = await client.organizations.createUser('org_abc123', {
+   *   cn: 'john.doe',
+   *   uid: 'john.doe',
+   *   // ... other user fields
+   * });
+   * ```
+   */
+  createUser = async (organizationId, data) => {
+    return this.http.post(
+      `/api/v1/organizations/${encodeURIComponent(organizationId)}/users`,
+      data
+    );
+  };
+  /**
+   * Updates a user in an organization
+   *
+   * Requires SSO cookie authentication and admin role in the target organization.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {string} userId - User identifier (username)
+   * @param {UpdateUserRequest} data - Fields to update
+   * @returns {Promise<{ success: true }>} Success response
+   * @throws {NotFoundError} When user or organization is not found
+   * @throws {ForbiddenError} When user lacks admin privileges
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * await client.organizations.updateUser('org_abc123', 'john.doe', {
+   *   mobile: '+33687654321'
+   * });
+   * ```
+   */
+  updateUser = async (organizationId, userId, data) => {
+    return this.http.patch(
+      `/api/v1/organizations/${encodeURIComponent(organizationId)}/users/${encodeURIComponent(userId)}`,
+      data
+    );
+  };
+  /**
+   * Disables a user in an organization
+   *
+   * Locks the account by setting pwdAccountLockedTime using LDAP PPolicy.
+   * Requires SSO cookie authentication and admin role.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {string} userId - User identifier (username)
+   * @returns {Promise<{ success: true }>} Success response
+   * @throws {NotFoundError} When user or organization is not found
+   * @throws {ForbiddenError} When user lacks admin privileges
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * await client.organizations.disableUser('org_abc123', 'john.doe');
+   * ```
+   */
+  disableUser = async (organizationId, userId) => {
+    return this.http.post(
+      `/api/v1/organizations/${encodeURIComponent(organizationId)}/users/${encodeURIComponent(userId)}/disable`
+    );
+  };
+  /**
+   * Deletes a user from an organization
+   *
+   * Permanently removes the user from the organization's LDAP branch.
+   * Requires SSO cookie authentication and admin role.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {string} userId - User identifier (username)
+   * @returns {Promise<{ success: true }>} Success response
+   * @throws {NotFoundError} When user or organization is not found
+   * @throws {ForbiddenError} When user lacks admin privileges
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * await client.organizations.deleteUser('org_abc123', 'john.doe');
+   * ```
+   */
+  deleteUser = async (organizationId, userId) => {
+    return this.http.delete(
+      `/api/v1/organizations/${encodeURIComponent(organizationId)}/users/${encodeURIComponent(userId)}`
+    );
+  };
+  /**
+   * Fetches a user from an organization by identifier
+   *
+   * Requires SSO cookie authentication and admin role.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {FetchUserRequest} params - Fetch parameters (by, value, fields)
+   * @returns {Promise<User>} User data
+   * @throws {NotFoundError} When user or organization is not found
+   * @throws {ForbiddenError} When user lacks admin privileges
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * const user = await client.organizations.getUser('org_abc123', {
+   *   by: 'username',
+   *   value: 'john.doe',
+   *   fields: 'cn,mail,mobile'
+   * });
+   * ```
+   */
+  getUser = async (organizationId, params) => {
+    const query = this.buildQueryString(params);
+    return this.http.get(
+      `/api/v1/organizations/${encodeURIComponent(organizationId)}/users${query}`
+    );
+  };
+  /**
+   * Lists users in an organization with pagination and filtering
+   *
+   * Requires SSO cookie authentication and admin role.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {ListUsersParams} params - Pagination and filter parameters
+   * @returns {Promise<ListUsersResponse>} Paginated list of users
+   * @throws {NotFoundError} When organization is not found
+   * @throws {ForbiddenError} When user lacks admin privileges
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * const result = await client.organizations.listUsers('org_abc123', {
+   *   page: 1,
+   *   limit: 20,
+   *   status: 'active',
+   *   search: 'john',
+   *   sortBy: 'createdAt',
+   *   sortOrder: 'desc'
+   * });
+   * ```
+   */
+  listUsers = async (organizationId, params) => {
+    const query = params ? this.buildQueryString(params) : "";
+    return this.http.get(
+      `/api/v1/organizations/${encodeURIComponent(organizationId)}/users${query}`
+    );
+  };
+  /**
+   * Checks if a username, phone, or email is available in an organization
+   *
+   * Requires SSO cookie authentication and admin role.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {CheckAvailabilityParams} params - Field and value to check
+   * @returns {Promise<CheckAvailabilityResponse>} Availability status
+   * @throws {NotFoundError} When organization is not found
+   * @throws {ForbiddenError} When user lacks admin privileges
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * const result = await client.organizations.checkUserAvailability('org_abc123', {
+   *   field: 'username',
+   *   value: 'john.doe'
+   * });
+   * ```
+   */
+  checkUserAvailability = async (organizationId, params) => {
+    const query = this.buildQueryString(params);
+    return this.http.get(
+      `/api/v1/organizations/${encodeURIComponent(organizationId)}/users/check${query}`
+    );
+  };
+  /**
+   * Changes a user's role in an organization
+   *
+   * Available roles: admin, moderator, member.
+   * Requires SSO cookie authentication and admin role.
+   * Cannot change your own role or remove the last admin.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {string} userId - User identifier (username)
+   * @param {ChangeUserRoleRequest} data - New role
+   * @returns {Promise<{ success: true }>} Success response
+   * @throws {NotFoundError} When user or organization is not found
+   * @throws {ForbiddenError} When attempting self-demotion or removing last admin
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * await client.organizations.changeUserRole('org_abc123', 'john.doe', {
+   *   role: 'moderator'
+   * });
+   * ```
+   */
+  changeUserRole = async (organizationId, userId, data) => {
+    return this.http.patch(
+      `/api/v1/organizations/${encodeURIComponent(organizationId)}/users/${encodeURIComponent(userId)}/role`,
+      data
+    );
+  };
+};
+
+// src/resources/GroupsResource.ts
+var GroupsResource = class extends BaseResource {
+  /**
+   * Creates a new group in an organization
+   *
+   * Requires SSO cookie authentication and admin role in the target organization.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {CreateGroupRequest} data - Group data (name and optional description)
+   * @returns {Promise<CreateGroupResponse>} Created group details
+   * @throws {ForbiddenError} When user lacks admin privileges
+   * @throws {NotFoundError} When organization is not found
+   * @throws {ConflictError} When group name already exists
+   * @throws {ApiError} On other API errors
+   *
+   * @examples
+   * ```typescript
+   * const result = await client.groups.create('org_abc123', {
+   *   name: 'engineering',
+   *   description: 'Engineering team'
+   * });
+   * ```
+   */
+  create = async (organizationId, data) => {
+    return this.http.post(
+      `/api/v1/organizations/${encodeURIComponent(organizationId)}/groups`,
+      data
+    );
+  };
+  /**
+   * Lists all groups in an organization with pagination
+   *
+   * Requires SSO cookie authentication and admin role.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {ListGroupsParams} params - Pagination parameters (page, limit)
+   * @returns {Promise<ListGroupsResponse>} Paginated list of groups
+   * @throws {NotFoundError} When organization is not found
+   * @throws {ForbiddenError} When user lacks admin privileges
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * const result = await client.groups.list('org_abc123', {
+   *   page: 1,
+   *   limit: 20
+   * });
+   * ```
+   */
+  list = async (organizationId, params) => {
+    const query = params ? this.buildQueryString(params) : "";
+    return this.http.get(
+      `/api/v1/organizations/${encodeURIComponent(organizationId)}/groups${query}`
+    );
+  };
+  /**
+   * Gets details of a specific group
+   *
+   * Requires SSO cookie authentication and admin role.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {string} groupId - Group identifier
+   * @returns {Promise<Group>} Group details including members
+   * @throws {NotFoundError} When organization or group is not found
+   * @throws {ForbiddenError} When user lacks admin privileges
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * const group = await client.groups.get('org_abc123', 'grp_xyz789');
+   * ```
+   */
+  get = async (organizationId, groupId) => {
+    return this.http.get(
+      `/api/v1/organizations/${encodeURIComponent(organizationId)}/groups/${encodeURIComponent(groupId)}`
+    );
+  };
+  /**
+   * Updates a group's properties
+   *
+   * Requires SSO cookie authentication and admin role.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {string} groupId - Group identifier
+   * @param {UpdateGroupRequest} data - Fields to update (name, description)
+   * @returns {Promise<{ success: true }>} Success response
+   * @throws {NotFoundError} When organization or group is not found
+   * @throws {ForbiddenError} When user lacks admin privileges
+   * @throws {ConflictError} When new group name already exists
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * await client.groups.update('org_abc123', 'grp_xyz789', {
+   *   description: 'Updated description'
+   * });
+   * ```
+   */
+  update = async (organizationId, groupId, data) => {
+    return this.http.patch(
+      `/api/v1/organizations/${encodeURIComponent(organizationId)}/groups/${encodeURIComponent(groupId)}`,
+      data
+    );
+  };
+  /**
+   * Deletes a group from an organization
+   *
+   * Permanently removes the group. Members are not deleted, only the group itself.
+   * Requires SSO cookie authentication and admin role.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {string} groupId - Group identifier
+   * @returns {Promise<{ success: true }>} Success response
+   * @throws {NotFoundError} When organization or group is not found
+   * @throws {ForbiddenError} When user lacks admin privileges
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * await client.groups.delete('org_abc123', 'grp_xyz789');
+   * ```
+   */
+  delete = async (organizationId, groupId) => {
+    return this.http.delete(
+      `/api/v1/organizations/${encodeURIComponent(organizationId)}/groups/${encodeURIComponent(groupId)}`
+    );
+  };
+  /**
+   * Adds users to a group
+   *
+   * Adds one or more users to the group's member list.
+   * Requires SSO cookie authentication and admin role.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {string} groupId - Group identifier
+   * @param {AddGroupMembersRequest} data - Usernames to add
+   * @returns {Promise<{ success: true }>} Success response
+   * @throws {NotFoundError} When organization, group, or users are not found
+   * @throws {ForbiddenError} When user lacks admin privileges
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * await client.groups.addMembers('org_abc123', 'grp_xyz789', {
+   *   usernames: ['alice.johnson', 'bob.wilson']
+   * });
+   * ```
+   */
+  addMembers = async (organizationId, groupId, data) => {
+    return this.http.post(
+      `/api/v1/organizations/${encodeURIComponent(organizationId)}/groups/${encodeURIComponent(groupId)}/members`,
+      data
+    );
+  };
+  /**
+   * Removes a user from a group
+   *
+   * Removes a specific user from the group's member list.
+   * Requires SSO cookie authentication and admin role.
+   *
+   * @param {string} organizationId - Organization identifier
+   * @param {string} groupId - Group identifier
+   * @param {string} userId - User identifier (username) to remove
+   * @returns {Promise<{ success: true }>} Success response
+   * @throws {NotFoundError} When organization, group, or user is not found
+   * @throws {ForbiddenError} When user lacks admin privileges
+   * @throws {ApiError} On other API errors
+   *
+   * @example
+   * ```typescript
+   * await client.groups.removeMember('org_abc123', 'grp_xyz789', 'bob.wilson');
+   * ```
+   */
+  removeMember = async (organizationId, groupId, userId) => {
+    return this.http.delete(
+      `/api/v1/organizations/${encodeURIComponent(organizationId)}/groups/${encodeURIComponent(groupId)}/members/${encodeURIComponent(userId)}`
+    );
+  };
+};
+
+// src/LdapRestClient.ts
+var LdapRestClient = class {
+  users;
+  organizations;
+  groups;
+  config;
+  /**
+   * Creates a new LDAP-REST client instance
+   *
+   * @param {ClientConfig} config - Client configuration
+   * @throws {Error} When configuration is invalid
+   */
+  constructor(config) {
+    ConfigValidator.validate(config);
+    this.config = ConfigValidator.normalize(config);
+    const logger = new import_tslog2.Logger({
+      name: "LDAP-REST-CLIENT",
+      minLevel: 0,
+      ...this.config.logger
+    });
+    logger.info("Initializing LDAP-REST client", {
+      baseUrl: this.config.baseUrl,
+      authType: this.config.auth.type
+    });
+    const auth = this.config.auth.type === "hmac" ? new HmacAuth(this.config.auth) : void 0;
+    const http = new HttpClient(ConfigValidator.toHttpConfig(this.config), auth, logger);
+    this.users = new UsersResource(http);
+    this.organizations = new OrganizationsResource(http);
+    this.groups = new GroupsResource(http);
+  }
+  /**
+   * Gets the configured base URL
+   *
+   * @returns {string} The base URL of the LDAP-REST API
+   */
+  getBaseUrl = () => {
+    return this.config.baseUrl;
+  };
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ApiError,
+  AuthenticationError,
+  AuthorizationError,
+  ConflictError,
+  GroupsResource,
+  LdapRestClient,
+  LdapRestError,
+  NetworkError,
+  NotFoundError,
+  OrganizationsResource,
+  RateLimitError,
+  UsersResource,
+  ValidationError
+});