@open-mercato/enterprise 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6

package/dist/modules/sso/services/scimService.js

@@ -0,0 +1,372 @@
+import { User, Session } from "@open-mercato/core/modules/auth/data/entities";
+import { computeEmailHash } from "@open-mercato/core/modules/auth/lib/emailHash";
+import { findOneWithDecryption, findWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import { SsoIdentity, SsoUserDeactivation, ScimProvisioningLog } from "../data/entities.js";
+import { toScimUserResource, fromScimUserPayload } from "../lib/scim-mapper.js";
+import { coerceBoolean } from "../lib/scim-utils.js";
+import { parseScimFilter, scimFilterToWhere } from "../lib/scim-filter.js";
+import { buildListResponse } from "../lib/scim-response.js";
+class ScimService {
+  constructor(em) {
+    this.em = em;
+  }
+  async createUser(payload, scope, baseUrl) {
+    const parsed = fromScimUserPayload(payload);
+    const email = parsed.email ?? parsed.userName;
+    if (!email) {
+      throw new ScimServiceError(400, "userName or emails[0].value is required");
+    }
+    if (parsed.externalId) {
+      const existingIdentity = await this.em.findOne(SsoIdentity, {
+        ssoConfigId: scope.ssoConfigId,
+        externalId: parsed.externalId,
+        deletedAt: null
+      });
+      if (existingIdentity) {
+        const existingUser2 = await findOneWithDecryption(
+          this.em,
+          User,
+          { id: existingIdentity.userId, deletedAt: null },
+          {},
+          { tenantId: scope.tenantId ?? "", organizationId: scope.organizationId }
+        );
+        if (existingUser2) {
+          const deactivation = await this.em.findOne(SsoUserDeactivation, {
+            userId: existingUser2.id,
+            ssoConfigId: scope.ssoConfigId
+          });
+          await this.log(scope, "CREATE", existingIdentity.id, parsed.externalId, 200);
+          return {
+            resource: toScimUserResource(existingUser2, existingIdentity, baseUrl, deactivation),
+            status: 200
+          };
+        }
+      }
+    }
+    const emailHash = computeEmailHash(email);
+    const where = {
+      organizationId: scope.organizationId,
+      deletedAt: null,
+      $or: [{ email }, { emailHash }]
+    };
+    const existingUser = await findOneWithDecryption(
+      this.em,
+      User,
+      where,
+      {},
+      { tenantId: scope.tenantId ?? "", organizationId: scope.organizationId }
+    );
+    if (existingUser) {
+      const existingLink = await this.em.findOne(SsoIdentity, {
+        ssoConfigId: scope.ssoConfigId,
+        userId: existingUser.id,
+        deletedAt: null
+      });
+      if (existingLink) {
+        throw new ScimServiceError(409, `User with email ${email} is already linked to this SSO configuration`);
+      }
+      const now = /* @__PURE__ */ new Date();
+      const identity = this.em.create(SsoIdentity, {
+        tenantId: scope.tenantId ?? null,
+        organizationId: scope.organizationId,
+        ssoConfigId: scope.ssoConfigId,
+        userId: existingUser.id,
+        idpSubject: parsed.externalId ?? email,
+        idpEmail: email,
+        idpName: buildDisplayName(parsed),
+        idpGroups: [],
+        externalId: parsed.externalId ?? null,
+        provisioningMethod: "scim",
+        createdAt: now,
+        updatedAt: now
+      });
+      await this.em.persistAndFlush(identity);
+      const deactivation = parsed.active === false ? await this.createDeactivation(existingUser.id, scope) : null;
+      await this.log(scope, "CREATE", identity.id, parsed.externalId, 201);
+      return {
+        resource: toScimUserResource(existingUser, identity, baseUrl, deactivation),
+        status: 201
+      };
+    }
+    return this.em.transactional(async (txEm) => {
+      const user = txEm.create(User, {
+        tenantId: scope.tenantId ?? null,
+        organizationId: scope.organizationId,
+        email,
+        emailHash: computeEmailHash(email),
+        name: buildDisplayName(parsed) ?? void 0,
+        passwordHash: null,
+        isConfirmed: true,
+        createdAt: /* @__PURE__ */ new Date()
+      });
+      await txEm.persistAndFlush(user);
+      const now = /* @__PURE__ */ new Date();
+      const identity = txEm.create(SsoIdentity, {
+        tenantId: scope.tenantId ?? null,
+        organizationId: scope.organizationId,
+        ssoConfigId: scope.ssoConfigId,
+        userId: user.id,
+        idpSubject: parsed.externalId ?? email,
+        idpEmail: email,
+        idpName: buildDisplayName(parsed),
+        idpGroups: [],
+        externalId: parsed.externalId ?? null,
+        provisioningMethod: "scim",
+        createdAt: now,
+        updatedAt: now
+      });
+      await txEm.persistAndFlush(identity);
+      const deactivation = parsed.active === false ? await this.createDeactivationTx(txEm, user.id, scope) : null;
+      await this.logTx(txEm, scope, "CREATE", identity.id, parsed.externalId, 201);
+      return {
+        resource: toScimUserResource(user, identity, baseUrl, deactivation),
+        status: 201
+      };
+    });
+  }
+  async getUser(scimId, scope, baseUrl) {
+    const identity = await this.em.findOne(SsoIdentity, {
+      id: scimId,
+      ssoConfigId: scope.ssoConfigId,
+      organizationId: scope.organizationId,
+      deletedAt: null
+    });
+    if (!identity) throw new ScimServiceError(404, "User not found");
+    const user = await findOneWithDecryption(
+      this.em,
+      User,
+      { id: identity.userId, deletedAt: null },
+      {},
+      { tenantId: scope.tenantId ?? "", organizationId: scope.organizationId }
+    );
+    if (!user) throw new ScimServiceError(404, "User not found");
+    const deactivation = await this.em.findOne(SsoUserDeactivation, {
+      userId: user.id,
+      ssoConfigId: scope.ssoConfigId
+    });
+    return toScimUserResource(user, identity, baseUrl, deactivation);
+  }
+  async listUsers(filter, startIndex, count, scope, baseUrl) {
+    const conditions = parseScimFilter(filter);
+    const where = scimFilterToWhere(conditions, scope.ssoConfigId, scope.organizationId);
+    const offset = Math.max(0, startIndex - 1);
+    const [identities, total] = await this.em.findAndCount(SsoIdentity, where, {
+      orderBy: { createdAt: "asc" },
+      limit: count,
+      offset
+    });
+    const userIds = identities.map((i) => i.userId);
+    const users = userIds.length > 0 ? await findWithDecryption(
+      this.em,
+      User,
+      { id: { $in: userIds }, deletedAt: null },
+      {},
+      { tenantId: scope.tenantId ?? "", organizationId: scope.organizationId }
+    ) : [];
+    const userMap = new Map(users.map((u) => [u.id, u]));
+    const deactivations = userIds.length > 0 ? await this.em.find(SsoUserDeactivation, {
+      userId: { $in: userIds },
+      ssoConfigId: scope.ssoConfigId
+    }) : [];
+    const deactivationMap = new Map(deactivations.map((d) => [d.userId, d]));
+    const resources = [];
+    for (const identity of identities) {
+      const user = userMap.get(identity.userId);
+      if (!user) continue;
+      const deactivation = deactivationMap.get(user.id) ?? null;
+      resources.push(toScimUserResource(user, identity, baseUrl, deactivation));
+    }
+    return buildListResponse(resources, total, startIndex, resources.length);
+  }
+  async patchUser(scimId, operations, scope, baseUrl) {
+    const identity = await this.em.findOne(SsoIdentity, {
+      id: scimId,
+      ssoConfigId: scope.ssoConfigId,
+      organizationId: scope.organizationId,
+      deletedAt: null
+    });
+    if (!identity) throw new ScimServiceError(404, "User not found");
+    const user = await findOneWithDecryption(
+      this.em,
+      User,
+      { id: identity.userId, deletedAt: null },
+      {},
+      { tenantId: scope.tenantId ?? "", organizationId: scope.organizationId }
+    );
+    if (!user) throw new ScimServiceError(404, "User not found");
+    for (const op of operations) {
+      const normalizedOp = op.op.toLowerCase();
+      if (normalizedOp === "replace" || normalizedOp === "add") {
+        this.applyPatchValue(user, identity, op.path, op.value);
+      }
+      if (normalizedOp === "remove" && op.path) {
+        this.applyPatchValue(user, identity, op.path, null);
+      }
+    }
+    const activeOp = operations.find(
+      (op) => op.path?.toLowerCase() === "active" || !op.path && op.value && typeof op.value === "object" && "active" in op.value
+    );
+    if (activeOp) {
+      const activeValue = activeOp.path ? coerceBoolean(activeOp.value) : coerceBoolean(activeOp.value.active);
+      if (activeValue === false) {
+        await this.deactivateUser(user.id, scope);
+      } else if (activeValue === true) {
+        await this.reactivateUser(user.id, scope);
+      }
+    }
+    await this.em.flush();
+    const deactivation = await this.em.findOne(SsoUserDeactivation, {
+      userId: user.id,
+      ssoConfigId: scope.ssoConfigId
+    });
+    await this.log(scope, "PATCH", identity.id, identity.externalId, 200);
+    return toScimUserResource(user, identity, baseUrl, deactivation);
+  }
+  async deleteUser(scimId, scope) {
+    const identity = await this.em.findOne(SsoIdentity, {
+      id: scimId,
+      ssoConfigId: scope.ssoConfigId,
+      organizationId: scope.organizationId,
+      deletedAt: null
+    });
+    if (!identity) throw new ScimServiceError(404, "User not found");
+    await this.deactivateUser(identity.userId, scope);
+    await this.log(scope, "DELETE", identity.id, identity.externalId, 204);
+  }
+  applyPatchValue(user, identity, path, value) {
+    if (!path) {
+      if (value && typeof value === "object") {
+        const obj = value;
+        for (const [key, val] of Object.entries(obj)) {
+          this.applyPatchValue(user, identity, key, val);
+        }
+      }
+      return;
+    }
+    const normalizedPath = path.toLowerCase();
+    switch (normalizedPath) {
+      case "displayname":
+        user.name = value || void 0;
+        identity.idpName = value ?? null;
+        break;
+      case "name.givenname": {
+        const currentParts = (user.name ?? "").split(" ");
+        currentParts[0] = value ?? "";
+        user.name = currentParts.join(" ").trim() || void 0;
+        break;
+      }
+      case "name.familyname": {
+        const currentParts = (user.name ?? "").split(" ");
+        const given = currentParts[0] ?? "";
+        user.name = value ? `${given} ${value}`.trim() : given || void 0;
+        break;
+      }
+      case "username":
+        identity.idpEmail = value ?? identity.idpEmail;
+        break;
+      case "externalid":
+        identity.externalId = value ?? null;
+        break;
+      case "active":
+        break;
+    }
+  }
+  async deactivateUser(userId, scope) {
+    let deactivation = await this.em.findOne(SsoUserDeactivation, {
+      userId,
+      ssoConfigId: scope.ssoConfigId
+    });
+    if (deactivation) {
+      deactivation.deactivatedAt = /* @__PURE__ */ new Date();
+      deactivation.reactivatedAt = null;
+    } else {
+      deactivation = this.em.create(SsoUserDeactivation, {
+        tenantId: scope.tenantId ?? null,
+        organizationId: scope.organizationId,
+        userId,
+        ssoConfigId: scope.ssoConfigId,
+        deactivatedAt: /* @__PURE__ */ new Date()
+      });
+      this.em.persist(deactivation);
+    }
+    await this.em.flush();
+    const sessionWhere = { user: userId };
+    await this.em.nativeDelete(Session, sessionWhere);
+  }
+  async reactivateUser(userId, scope) {
+    const deactivation = await this.em.findOne(SsoUserDeactivation, {
+      userId,
+      ssoConfigId: scope.ssoConfigId
+    });
+    if (deactivation && !deactivation.reactivatedAt) {
+      deactivation.reactivatedAt = /* @__PURE__ */ new Date();
+      await this.em.flush();
+    }
+  }
+  async createDeactivation(userId, scope) {
+    const deactivation = this.em.create(SsoUserDeactivation, {
+      tenantId: scope.tenantId ?? null,
+      organizationId: scope.organizationId,
+      userId,
+      ssoConfigId: scope.ssoConfigId,
+      deactivatedAt: /* @__PURE__ */ new Date()
+    });
+    await this.em.persistAndFlush(deactivation);
+    return deactivation;
+  }
+  async createDeactivationTx(txEm, userId, scope) {
+    const deactivation = txEm.create(SsoUserDeactivation, {
+      tenantId: scope.tenantId ?? null,
+      organizationId: scope.organizationId,
+      userId,
+      ssoConfigId: scope.ssoConfigId,
+      deactivatedAt: /* @__PURE__ */ new Date()
+    });
+    await txEm.persistAndFlush(deactivation);
+    return deactivation;
+  }
+  async log(scope, operation, resourceId, externalId, responseStatus, errorMessage) {
+    const entry = this.em.create(ScimProvisioningLog, {
+      tenantId: scope.tenantId ?? null,
+      organizationId: scope.organizationId,
+      ssoConfigId: scope.ssoConfigId,
+      operation,
+      resourceType: "User",
+      resourceId: resourceId ?? null,
+      scimExternalId: externalId ?? null,
+      responseStatus,
+      errorMessage: errorMessage ?? null
+    });
+    await this.em.persistAndFlush(entry);
+  }
+  async logTx(txEm, scope, operation, resourceId, externalId, responseStatus) {
+    const entry = txEm.create(ScimProvisioningLog, {
+      tenantId: scope.tenantId ?? null,
+      organizationId: scope.organizationId,
+      ssoConfigId: scope.ssoConfigId,
+      operation,
+      resourceType: "User",
+      resourceId: resourceId ?? null,
+      scimExternalId: externalId ?? null,
+      responseStatus
+    });
+    await txEm.persistAndFlush(entry);
+  }
+}
+function buildDisplayName(parsed) {
+  if (parsed.displayName) return parsed.displayName;
+  const parts = [parsed.givenName, parsed.familyName].filter(Boolean);
+  return parts.length > 0 ? parts.join(" ") : null;
+}
+class ScimServiceError extends Error {
+  constructor(statusCode, message) {
+    super(message);
+    this.statusCode = statusCode;
+    this.name = "ScimServiceError";
+  }
+}
+export {
+  ScimService,
+  ScimServiceError
+};
+//# sourceMappingURL=scimService.js.map

package/dist/modules/sso/services/scimService.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/services/scimService.ts"],
+  "sourcesContent": ["import { EntityManager, type FilterQuery, type RequiredEntityData } from '@mikro-orm/postgresql'\nimport { User, Session } from '@open-mercato/core/modules/auth/data/entities'\nimport { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { SsoIdentity, SsoUserDeactivation, ScimProvisioningLog } from '../data/entities'\nimport { toScimUserResource, fromScimUserPayload, type ScimUserResource, type ScimUserPayload } from '../lib/scim-mapper'\nimport { coerceBoolean } from '../lib/scim-utils'\nimport { parseScimFilter, scimFilterToWhere } from '../lib/scim-filter'\nimport { buildListResponse } from '../lib/scim-response'\nimport type { ScimScope } from '../api/scim/context'\nimport type { ScimPatchOperation } from '../lib/scim-patch'\n\nexport class ScimService {\n  constructor(private em: EntityManager) {}\n\n  async createUser(\n    payload: Record<string, unknown>,\n    scope: ScimScope,\n    baseUrl: string,\n  ): Promise<{ resource: ScimUserResource; status: number }> {\n    const parsed = fromScimUserPayload(payload)\n    const email = parsed.email ?? parsed.userName\n    if (!email) {\n      throw new ScimServiceError(400, 'userName or emails[0].value is required')\n    }\n\n    // Idempotency: if externalId already exists for this config, return existing\n    if (parsed.externalId) {\n      const existingIdentity = await this.em.findOne(SsoIdentity, {\n        ssoConfigId: scope.ssoConfigId,\n        externalId: parsed.externalId,\n        deletedAt: null,\n      })\n      if (existingIdentity) {\n        const existingUser = await findOneWithDecryption(\n          this.em, User,\n          { id: existingIdentity.userId, deletedAt: null },\n          {},\n          { tenantId: scope.tenantId ?? '', organizationId: scope.organizationId },\n        )\n        if (existingUser) {\n          const deactivation = await this.em.findOne(SsoUserDeactivation, {\n            userId: existingUser.id, ssoConfigId: scope.ssoConfigId,\n          })\n          await this.log(scope, 'CREATE', existingIdentity.id, parsed.externalId, 200)\n          return {\n            resource: toScimUserResource(existingUser, existingIdentity, baseUrl, deactivation),\n            status: 200,\n          }\n        }\n      }\n    }\n\n    // Check if user already exists by email\n    const emailHash = computeEmailHash(email)\n    const where: FilterQuery<User> = {\n      organizationId: scope.organizationId,\n      deletedAt: null,\n      $or: [{ email }, { emailHash }],\n    }\n    const existingUser = await findOneWithDecryption(\n      this.em, User,\n      where,\n      {},\n      { tenantId: scope.tenantId ?? '', organizationId: scope.organizationId },\n    )\n\n    if (existingUser) {\n      // Check if already linked to this SSO config\n      const existingLink = await this.em.findOne(SsoIdentity, {\n        ssoConfigId: scope.ssoConfigId,\n        userId: existingUser.id,\n        deletedAt: null,\n      })\n      if (existingLink) {\n        throw new ScimServiceError(409, `User with email ${email} is already linked to this SSO configuration`)\n      }\n\n      // Auto-link: create SsoIdentity for existing user\n      const now = new Date()\n      const identity = this.em.create(SsoIdentity, {\n        tenantId: scope.tenantId ?? null,\n        organizationId: scope.organizationId,\n        ssoConfigId: scope.ssoConfigId,\n        userId: existingUser.id,\n        idpSubject: parsed.externalId ?? email,\n        idpEmail: email,\n        idpName: buildDisplayName(parsed),\n        idpGroups: [],\n        externalId: parsed.externalId ?? null,\n        provisioningMethod: 'scim',\n        createdAt: now,\n        updatedAt: now,\n      } as RequiredEntityData<SsoIdentity>)\n      await this.em.persistAndFlush(identity)\n\n      const deactivation = parsed.active === false\n        ? await this.createDeactivation(existingUser.id, scope)\n        : null\n\n      await this.log(scope, 'CREATE', identity.id, parsed.externalId, 201)\n      return {\n        resource: toScimUserResource(existingUser, identity, baseUrl, deactivation),\n        status: 201,\n      }\n    }\n\n    // Create new user + identity\n    return this.em.transactional(async (txEm) => {\n      const user = txEm.create(User, {\n        tenantId: scope.tenantId ?? null,\n        organizationId: scope.organizationId,\n        email,\n        emailHash: computeEmailHash(email),\n        name: buildDisplayName(parsed) ?? undefined,\n        passwordHash: null,\n        isConfirmed: true,\n        createdAt: new Date(),\n      })\n      await txEm.persistAndFlush(user)\n\n      const now = new Date()\n      const identity = txEm.create(SsoIdentity, {\n        tenantId: scope.tenantId ?? null,\n        organizationId: scope.organizationId,\n        ssoConfigId: scope.ssoConfigId,\n        userId: user.id,\n        idpSubject: parsed.externalId ?? email,\n        idpEmail: email,\n        idpName: buildDisplayName(parsed),\n        idpGroups: [],\n        externalId: parsed.externalId ?? null,\n        provisioningMethod: 'scim',\n        createdAt: now,\n        updatedAt: now,\n      } as RequiredEntityData<SsoIdentity>)\n      await txEm.persistAndFlush(identity)\n\n      const deactivation = parsed.active === false\n        ? await this.createDeactivationTx(txEm, user.id, scope)\n        : null\n\n      await this.logTx(txEm, scope, 'CREATE', identity.id, parsed.externalId, 201)\n      return {\n        resource: toScimUserResource(user, identity, baseUrl, deactivation),\n        status: 201,\n      }\n    })\n  }\n\n  async getUser(scimId: string, scope: ScimScope, baseUrl: string): Promise<ScimUserResource> {\n    const identity = await this.em.findOne(SsoIdentity, {\n      id: scimId,\n      ssoConfigId: scope.ssoConfigId,\n      organizationId: scope.organizationId,\n      deletedAt: null,\n    })\n    if (!identity) throw new ScimServiceError(404, 'User not found')\n\n    const user = await findOneWithDecryption(\n      this.em, User,\n      { id: identity.userId, deletedAt: null },\n      {},\n      { tenantId: scope.tenantId ?? '', organizationId: scope.organizationId },\n    )\n    if (!user) throw new ScimServiceError(404, 'User not found')\n\n    const deactivation = await this.em.findOne(SsoUserDeactivation, {\n      userId: user.id, ssoConfigId: scope.ssoConfigId,\n    })\n\n    return toScimUserResource(user, identity, baseUrl, deactivation)\n  }\n\n  async listUsers(\n    filter: string | null,\n    startIndex: number,\n    count: number,\n    scope: ScimScope,\n    baseUrl: string,\n  ): Promise<Record<string, unknown>> {\n    const conditions = parseScimFilter(filter)\n    const where = scimFilterToWhere(conditions, scope.ssoConfigId, scope.organizationId)\n\n    const offset = Math.max(0, startIndex - 1)\n    const [identities, total] = await this.em.findAndCount(SsoIdentity, where, {\n      orderBy: { createdAt: 'asc' },\n      limit: count,\n      offset,\n    })\n\n    const userIds = identities.map((i) => i.userId)\n\n    const users = userIds.length > 0\n      ? await findWithDecryption(\n          this.em, User,\n          { id: { $in: userIds }, deletedAt: null },\n          {},\n          { tenantId: scope.tenantId ?? '', organizationId: scope.organizationId },\n        )\n      : []\n    const userMap = new Map(users.map((u) => [u.id, u]))\n\n    const deactivations = userIds.length > 0\n      ? await this.em.find(SsoUserDeactivation, {\n          userId: { $in: userIds }, ssoConfigId: scope.ssoConfigId,\n        })\n      : []\n    const deactivationMap = new Map(deactivations.map((d) => [d.userId, d]))\n\n    const resources: ScimUserResource[] = []\n    for (const identity of identities) {\n      const user = userMap.get(identity.userId)\n      if (!user) continue\n\n      const deactivation = deactivationMap.get(user.id) ?? null\n      resources.push(toScimUserResource(user, identity, baseUrl, deactivation))\n    }\n\n    return buildListResponse(resources, total, startIndex, resources.length)\n  }\n\n  async patchUser(\n    scimId: string,\n    operations: ScimPatchOperation[],\n    scope: ScimScope,\n    baseUrl: string,\n  ): Promise<ScimUserResource> {\n    const identity = await this.em.findOne(SsoIdentity, {\n      id: scimId,\n      ssoConfigId: scope.ssoConfigId,\n      organizationId: scope.organizationId,\n      deletedAt: null,\n    })\n    if (!identity) throw new ScimServiceError(404, 'User not found')\n\n    const user = await findOneWithDecryption(\n      this.em, User,\n      { id: identity.userId, deletedAt: null },\n      {},\n      { tenantId: scope.tenantId ?? '', organizationId: scope.organizationId },\n    )\n    if (!user) throw new ScimServiceError(404, 'User not found')\n\n    for (const op of operations) {\n      const normalizedOp = op.op.toLowerCase()\n      if (normalizedOp === 'replace' || normalizedOp === 'add') {\n        this.applyPatchValue(user, identity, op.path, op.value)\n      }\n      // 'remove' operations on optional fields \u2014 set to null\n      if (normalizedOp === 'remove' && op.path) {\n        this.applyPatchValue(user, identity, op.path, null)\n      }\n    }\n\n    // Handle active status changes\n    const activeOp = operations.find((op) =>\n      op.path?.toLowerCase() === 'active' ||\n      (!op.path && op.value && typeof op.value === 'object' && 'active' in (op.value as Record<string, unknown>)),\n    )\n\n    if (activeOp) {\n      const activeValue = activeOp.path\n        ? coerceBoolean(activeOp.value)\n        : coerceBoolean((activeOp.value as Record<string, unknown>).active)\n\n      if (activeValue === false) {\n        await this.deactivateUser(user.id, scope)\n      } else if (activeValue === true) {\n        await this.reactivateUser(user.id, scope)\n      }\n    }\n\n    await this.em.flush()\n\n    const deactivation = await this.em.findOne(SsoUserDeactivation, {\n      userId: user.id, ssoConfigId: scope.ssoConfigId,\n    })\n\n    await this.log(scope, 'PATCH', identity.id, identity.externalId, 200)\n    return toScimUserResource(user, identity, baseUrl, deactivation)\n  }\n\n  async deleteUser(scimId: string, scope: ScimScope): Promise<void> {\n    const identity = await this.em.findOne(SsoIdentity, {\n      id: scimId,\n      ssoConfigId: scope.ssoConfigId,\n      organizationId: scope.organizationId,\n      deletedAt: null,\n    })\n    if (!identity) throw new ScimServiceError(404, 'User not found')\n\n    await this.deactivateUser(identity.userId, scope)\n    await this.log(scope, 'DELETE', identity.id, identity.externalId, 204)\n  }\n\n  private applyPatchValue(\n    user: User,\n    identity: SsoIdentity,\n    path: string | undefined,\n    value: unknown,\n  ): void {\n    if (!path) {\n      // No path means value is an object with attribute keys\n      if (value && typeof value === 'object') {\n        const obj = value as Record<string, unknown>\n        for (const [key, val] of Object.entries(obj)) {\n          this.applyPatchValue(user, identity, key, val)\n        }\n      }\n      return\n    }\n\n    const normalizedPath = path.toLowerCase()\n    switch (normalizedPath) {\n      case 'displayname':\n        user.name = (value as string) || undefined\n        identity.idpName = (value as string) ?? null\n        break\n      case 'name.givenname': {\n        const currentParts = (user.name ?? '').split(' ')\n        currentParts[0] = (value as string) ?? ''\n        user.name = currentParts.join(' ').trim() || undefined\n        break\n      }\n      case 'name.familyname': {\n        const currentParts = (user.name ?? '').split(' ')\n        const given = currentParts[0] ?? ''\n        user.name = value ? `${given} ${value}`.trim() : given || undefined\n        break\n      }\n      case 'username':\n        identity.idpEmail = (value as string) ?? identity.idpEmail\n        break\n      case 'externalid':\n        identity.externalId = (value as string) ?? null\n        break\n      case 'active':\n        // Handled separately via deactivation logic\n        break\n    }\n  }\n\n  private async deactivateUser(userId: string, scope: ScimScope): Promise<void> {\n    let deactivation = await this.em.findOne(SsoUserDeactivation, {\n      userId, ssoConfigId: scope.ssoConfigId,\n    })\n\n    if (deactivation) {\n      deactivation.deactivatedAt = new Date()\n      deactivation.reactivatedAt = null\n    } else {\n      deactivation = this.em.create(SsoUserDeactivation, {\n        tenantId: scope.tenantId ?? null,\n        organizationId: scope.organizationId,\n        userId,\n        ssoConfigId: scope.ssoConfigId,\n        deactivatedAt: new Date(),\n      } as RequiredEntityData<SsoUserDeactivation>)\n      this.em.persist(deactivation)\n    }\n    await this.em.flush()\n\n    // Revoke all active sessions\n    const sessionWhere: FilterQuery<Session> = { user: userId }\n    await this.em.nativeDelete(Session, sessionWhere)\n  }\n\n  private async reactivateUser(userId: string, scope: ScimScope): Promise<void> {\n    const deactivation = await this.em.findOne(SsoUserDeactivation, {\n      userId, ssoConfigId: scope.ssoConfigId,\n    })\n    if (deactivation && !deactivation.reactivatedAt) {\n      deactivation.reactivatedAt = new Date()\n      await this.em.flush()\n    }\n  }\n\n  private async createDeactivation(userId: string, scope: ScimScope): Promise<SsoUserDeactivation> {\n    const deactivation = this.em.create(SsoUserDeactivation, {\n      tenantId: scope.tenantId ?? null,\n      organizationId: scope.organizationId,\n      userId,\n      ssoConfigId: scope.ssoConfigId,\n      deactivatedAt: new Date(),\n    } as RequiredEntityData<SsoUserDeactivation>)\n    await this.em.persistAndFlush(deactivation)\n    return deactivation\n  }\n\n  private async createDeactivationTx(txEm: EntityManager, userId: string, scope: ScimScope): Promise<SsoUserDeactivation> {\n    const deactivation = txEm.create(SsoUserDeactivation, {\n      tenantId: scope.tenantId ?? null,\n      organizationId: scope.organizationId,\n      userId,\n      ssoConfigId: scope.ssoConfigId,\n      deactivatedAt: new Date(),\n    } as RequiredEntityData<SsoUserDeactivation>)\n    await txEm.persistAndFlush(deactivation)\n    return deactivation\n  }\n\n  private async log(\n    scope: ScimScope,\n    operation: string,\n    resourceId: string | null | undefined,\n    externalId: string | null | undefined,\n    responseStatus: number,\n    errorMessage?: string,\n  ): Promise<void> {\n    const entry = this.em.create(ScimProvisioningLog, {\n      tenantId: scope.tenantId ?? null,\n      organizationId: scope.organizationId,\n      ssoConfigId: scope.ssoConfigId,\n      operation,\n      resourceType: 'User',\n      resourceId: resourceId ?? null,\n      scimExternalId: externalId ?? null,\n      responseStatus,\n      errorMessage: errorMessage ?? null,\n    } as RequiredEntityData<ScimProvisioningLog>)\n    await this.em.persistAndFlush(entry)\n  }\n\n  private async logTx(\n    txEm: EntityManager,\n    scope: ScimScope,\n    operation: string,\n    resourceId: string | null | undefined,\n    externalId: string | null | undefined,\n    responseStatus: number,\n  ): Promise<void> {\n    const entry = txEm.create(ScimProvisioningLog, {\n      tenantId: scope.tenantId ?? null,\n      organizationId: scope.organizationId,\n      ssoConfigId: scope.ssoConfigId,\n      operation,\n      resourceType: 'User',\n      resourceId: resourceId ?? null,\n      scimExternalId: externalId ?? null,\n      responseStatus,\n    } as RequiredEntityData<ScimProvisioningLog>)\n    await txEm.persistAndFlush(entry)\n  }\n}\n\nfunction buildDisplayName(parsed: ScimUserPayload): string | null {\n  if (parsed.displayName) return parsed.displayName\n  const parts = [parsed.givenName, parsed.familyName].filter(Boolean)\n  return parts.length > 0 ? parts.join(' ') : null\n}\n\nexport class ScimServiceError extends Error {\n  constructor(\n    public readonly statusCode: number,\n    message: string,\n  ) {\n    super(message)\n    this.name = 'ScimServiceError'\n  }\n}\n"],
+  "mappings": "AACA,SAAS,MAAM,eAAe;AAC9B,SAAS,wBAAwB;AACjC,SAAS,uBAAuB,0BAA0B;AAC1D,SAAS,aAAa,qBAAqB,2BAA2B;AACtE,SAAS,oBAAoB,2BAAwE;AACrG,SAAS,qBAAqB;AAC9B,SAAS,iBAAiB,yBAAyB;AACnD,SAAS,yBAAyB;AAI3B,MAAM,YAAY;AAAA,EACvB,YAAoB,IAAmB;AAAnB;AAAA,EAAoB;AAAA,EAExC,MAAM,WACJ,SACA,OACA,SACyD;AACzD,UAAM,SAAS,oBAAoB,OAAO;AAC1C,UAAM,QAAQ,OAAO,SAAS,OAAO;AACrC,QAAI,CAAC,OAAO;AACV,YAAM,IAAI,iBAAiB,KAAK,yCAAyC;AAAA,IAC3E;AAGA,QAAI,OAAO,YAAY;AACrB,YAAM,mBAAmB,MAAM,KAAK,GAAG,QAAQ,aAAa;AAAA,QAC1D,aAAa,MAAM;AAAA,QACnB,YAAY,OAAO;AAAA,QACnB,WAAW;AAAA,MACb,CAAC;AACD,UAAI,kBAAkB;AACpB,cAAMA,gBAAe,MAAM;AAAA,UACzB,KAAK;AAAA,UAAI;AAAA,UACT,EAAE,IAAI,iBAAiB,QAAQ,WAAW,KAAK;AAAA,UAC/C,CAAC;AAAA,UACD,EAAE,UAAU,MAAM,YAAY,IAAI,gBAAgB,MAAM,eAAe;AAAA,QACzE;AACA,YAAIA,eAAc;AAChB,gBAAM,eAAe,MAAM,KAAK,GAAG,QAAQ,qBAAqB;AAAA,YAC9D,QAAQA,cAAa;AAAA,YAAI,aAAa,MAAM;AAAA,UAC9C,CAAC;AACD,gBAAM,KAAK,IAAI,OAAO,UAAU,iBAAiB,IAAI,OAAO,YAAY,GAAG;AAC3E,iBAAO;AAAA,YACL,UAAU,mBAAmBA,eAAc,kBAAkB,SAAS,YAAY;AAAA,YAClF,QAAQ;AAAA,UACV;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,UAAM,YAAY,iBAAiB,KAAK;AACxC,UAAM,QAA2B;AAAA,MAC/B,gBAAgB,MAAM;AAAA,MACtB,WAAW;AAAA,MACX,KAAK,CAAC,EAAE,MAAM,GAAG,EAAE,UAAU,CAAC;AAAA,IAChC;AACA,UAAM,eAAe,MAAM;AAAA,MACzB,KAAK;AAAA,MAAI;AAAA,MACT;AAAA,MACA,CAAC;AAAA,MACD,EAAE,UAAU,MAAM,YAAY,IAAI,gBAAgB,MAAM,eAAe;AAAA,IACzE;AAEA,QAAI,cAAc;AAEhB,YAAM,eAAe,MAAM,KAAK,GAAG,QAAQ,aAAa;AAAA,QACtD,aAAa,MAAM;AAAA,QACnB,QAAQ,aAAa;AAAA,QACrB,WAAW;AAAA,MACb,CAAC;AACD,UAAI,cAAc;AAChB,cAAM,IAAI,iBAAiB,KAAK,mBAAmB,KAAK,8CAA8C;AAAA,MACxG;AAGA,YAAM,MAAM,oBAAI,KAAK;AACrB,YAAM,WAAW,KAAK,GAAG,OAAO,aAAa;AAAA,QAC3C,UAAU,MAAM,YAAY;AAAA,QAC5B,gBAAgB,MAAM;AAAA,QACtB,aAAa,MAAM;AAAA,QACnB,QAAQ,aAAa;AAAA,QACrB,YAAY,OAAO,cAAc;AAAA,QACjC,UAAU;AAAA,QACV,SAAS,iBAAiB,MAAM;AAAA,QAChC,WAAW,CAAC;AAAA,QACZ,YAAY,OAAO,cAAc;AAAA,QACjC,oBAAoB;AAAA,QACpB,WAAW;AAAA,QACX,WAAW;AAAA,MACb,CAAoC;AACpC,YAAM,KAAK,GAAG,gBAAgB,QAAQ;AAEtC,YAAM,eAAe,OAAO,WAAW,QACnC,MAAM,KAAK,mBAAmB,aAAa,IAAI,KAAK,IACpD;AAEJ,YAAM,KAAK,IAAI,OAAO,UAAU,SAAS,IAAI,OAAO,YAAY,GAAG;AACnE,aAAO;AAAA,QACL,UAAU,mBAAmB,cAAc,UAAU,SAAS,YAAY;AAAA,QAC1E,QAAQ;AAAA,MACV;AAAA,IACF;AAGA,WAAO,KAAK,GAAG,cAAc,OAAO,SAAS;AAC3C,YAAM,OAAO,KAAK,OAAO,MAAM;AAAA,QAC7B,UAAU,MAAM,YAAY;AAAA,QAC5B,gBAAgB,MAAM;AAAA,QACtB;AAAA,QACA,WAAW,iBAAiB,KAAK;AAAA,QACjC,MAAM,iBAAiB,MAAM,KAAK;AAAA,QAClC,cAAc;AAAA,QACd,aAAa;AAAA,QACb,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAC;AACD,YAAM,KAAK,gBAAgB,IAAI;AAE/B,YAAM,MAAM,oBAAI,KAAK;AACrB,YAAM,WAAW,KAAK,OAAO,aAAa;AAAA,QACxC,UAAU,MAAM,YAAY;AAAA,QAC5B,gBAAgB,MAAM;AAAA,QACtB,aAAa,MAAM;AAAA,QACnB,QAAQ,KAAK;AAAA,QACb,YAAY,OAAO,cAAc;AAAA,QACjC,UAAU;AAAA,QACV,SAAS,iBAAiB,MAAM;AAAA,QAChC,WAAW,CAAC;AAAA,QACZ,YAAY,OAAO,cAAc;AAAA,QACjC,oBAAoB;AAAA,QACpB,WAAW;AAAA,QACX,WAAW;AAAA,MACb,CAAoC;AACpC,YAAM,KAAK,gBAAgB,QAAQ;AAEnC,YAAM,eAAe,OAAO,WAAW,QACnC,MAAM,KAAK,qBAAqB,MAAM,KAAK,IAAI,KAAK,IACpD;AAEJ,YAAM,KAAK,MAAM,MAAM,OAAO,UAAU,SAAS,IAAI,OAAO,YAAY,GAAG;AAC3E,aAAO;AAAA,QACL,UAAU,mBAAmB,MAAM,UAAU,SAAS,YAAY;AAAA,QAClE,QAAQ;AAAA,MACV;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEA,MAAM,QAAQ,QAAgB,OAAkB,SAA4C;AAC1F,UAAM,WAAW,MAAM,KAAK,GAAG,QAAQ,aAAa;AAAA,MAClD,IAAI;AAAA,MACJ,aAAa,MAAM;AAAA,MACnB,gBAAgB,MAAM;AAAA,MACtB,WAAW;AAAA,IACb,CAAC;AACD,QAAI,CAAC,SAAU,OAAM,IAAI,iBAAiB,KAAK,gBAAgB;AAE/D,UAAM,OAAO,MAAM;AAAA,MACjB,KAAK;AAAA,MAAI;AAAA,MACT,EAAE,IAAI,SAAS,QAAQ,WAAW,KAAK;AAAA,MACvC,CAAC;AAAA,MACD,EAAE,UAAU,MAAM,YAAY,IAAI,gBAAgB,MAAM,eAAe;AAAA,IACzE;AACA,QAAI,CAAC,KAAM,OAAM,IAAI,iBAAiB,KAAK,gBAAgB;AAE3D,UAAM,eAAe,MAAM,KAAK,GAAG,QAAQ,qBAAqB;AAAA,MAC9D,QAAQ,KAAK;AAAA,MAAI,aAAa,MAAM;AAAA,IACtC,CAAC;AAED,WAAO,mBAAmB,MAAM,UAAU,SAAS,YAAY;AAAA,EACjE;AAAA,EAEA,MAAM,UACJ,QACA,YACA,OACA,OACA,SACkC;AAClC,UAAM,aAAa,gBAAgB,MAAM;AACzC,UAAM,QAAQ,kBAAkB,YAAY,MAAM,aAAa,MAAM,cAAc;AAEnF,UAAM,SAAS,KAAK,IAAI,GAAG,aAAa,CAAC;AACzC,UAAM,CAAC,YAAY,KAAK,IAAI,MAAM,KAAK,GAAG,aAAa,aAAa,OAAO;AAAA,MACzE,SAAS,EAAE,WAAW,MAAM;AAAA,MAC5B,OAAO;AAAA,MACP;AAAA,IACF,CAAC;AAED,UAAM,UAAU,WAAW,IAAI,CAAC,MAAM,EAAE,MAAM;AAE9C,UAAM,QAAQ,QAAQ,SAAS,IAC3B,MAAM;AAAA,MACJ,KAAK;AAAA,MAAI;AAAA,MACT,EAAE,IAAI,EAAE,KAAK,QAAQ,GAAG,WAAW,KAAK;AAAA,MACxC,CAAC;AAAA,MACD,EAAE,UAAU,MAAM,YAAY,IAAI,gBAAgB,MAAM,eAAe;AAAA,IACzE,IACA,CAAC;AACL,UAAM,UAAU,IAAI,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;AAEnD,UAAM,gBAAgB,QAAQ,SAAS,IACnC,MAAM,KAAK,GAAG,KAAK,qBAAqB;AAAA,MACtC,QAAQ,EAAE,KAAK,QAAQ;AAAA,MAAG,aAAa,MAAM;AAAA,IAC/C,CAAC,IACD,CAAC;AACL,UAAM,kBAAkB,IAAI,IAAI,cAAc,IAAI,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;AAEvE,UAAM,YAAgC,CAAC;AACvC,eAAW,YAAY,YAAY;AACjC,YAAM,OAAO,QAAQ,IAAI,SAAS,MAAM;AACxC,UAAI,CAAC,KAAM;AAEX,YAAM,eAAe,gBAAgB,IAAI,KAAK,EAAE,KAAK;AACrD,gBAAU,KAAK,mBAAmB,MAAM,UAAU,SAAS,YAAY,CAAC;AAAA,IAC1E;AAEA,WAAO,kBAAkB,WAAW,OAAO,YAAY,UAAU,MAAM;AAAA,EACzE;AAAA,EAEA,MAAM,UACJ,QACA,YACA,OACA,SAC2B;AAC3B,UAAM,WAAW,MAAM,KAAK,GAAG,QAAQ,aAAa;AAAA,MAClD,IAAI;AAAA,MACJ,aAAa,MAAM;AAAA,MACnB,gBAAgB,MAAM;AAAA,MACtB,WAAW;AAAA,IACb,CAAC;AACD,QAAI,CAAC,SAAU,OAAM,IAAI,iBAAiB,KAAK,gBAAgB;AAE/D,UAAM,OAAO,MAAM;AAAA,MACjB,KAAK;AAAA,MAAI;AAAA,MACT,EAAE,IAAI,SAAS,QAAQ,WAAW,KAAK;AAAA,MACvC,CAAC;AAAA,MACD,EAAE,UAAU,MAAM,YAAY,IAAI,gBAAgB,MAAM,eAAe;AAAA,IACzE;AACA,QAAI,CAAC,KAAM,OAAM,IAAI,iBAAiB,KAAK,gBAAgB;AAE3D,eAAW,MAAM,YAAY;AAC3B,YAAM,eAAe,GAAG,GAAG,YAAY;AACvC,UAAI,iBAAiB,aAAa,iBAAiB,OAAO;AACxD,aAAK,gBAAgB,MAAM,UAAU,GAAG,MAAM,GAAG,KAAK;AAAA,MACxD;AAEA,UAAI,iBAAiB,YAAY,GAAG,MAAM;AACxC,aAAK,gBAAgB,MAAM,UAAU,GAAG,MAAM,IAAI;AAAA,MACpD;AAAA,IACF;AAGA,UAAM,WAAW,WAAW;AAAA,MAAK,CAAC,OAChC,GAAG,MAAM,YAAY,MAAM,YAC1B,CAAC,GAAG,QAAQ,GAAG,SAAS,OAAO,GAAG,UAAU,YAAY,YAAa,GAAG;AAAA,IAC3E;AAEA,QAAI,UAAU;AACZ,YAAM,cAAc,SAAS,OACzB,cAAc,SAAS,KAAK,IAC5B,cAAe,SAAS,MAAkC,MAAM;AAEpE,UAAI,gBAAgB,OAAO;AACzB,cAAM,KAAK,eAAe,KAAK,IAAI,KAAK;AAAA,MAC1C,WAAW,gBAAgB,MAAM;AAC/B,cAAM,KAAK,eAAe,KAAK,IAAI,KAAK;AAAA,MAC1C;AAAA,IACF;AAEA,UAAM,KAAK,GAAG,MAAM;AAEpB,UAAM,eAAe,MAAM,KAAK,GAAG,QAAQ,qBAAqB;AAAA,MAC9D,QAAQ,KAAK;AAAA,MAAI,aAAa,MAAM;AAAA,IACtC,CAAC;AAED,UAAM,KAAK,IAAI,OAAO,SAAS,SAAS,IAAI,SAAS,YAAY,GAAG;AACpE,WAAO,mBAAmB,MAAM,UAAU,SAAS,YAAY;AAAA,EACjE;AAAA,EAEA,MAAM,WAAW,QAAgB,OAAiC;AAChE,UAAM,WAAW,MAAM,KAAK,GAAG,QAAQ,aAAa;AAAA,MAClD,IAAI;AAAA,MACJ,aAAa,MAAM;AAAA,MACnB,gBAAgB,MAAM;AAAA,MACtB,WAAW;AAAA,IACb,CAAC;AACD,QAAI,CAAC,SAAU,OAAM,IAAI,iBAAiB,KAAK,gBAAgB;AAE/D,UAAM,KAAK,eAAe,SAAS,QAAQ,KAAK;AAChD,UAAM,KAAK,IAAI,OAAO,UAAU,SAAS,IAAI,SAAS,YAAY,GAAG;AAAA,EACvE;AAAA,EAEQ,gBACN,MACA,UACA,MACA,OACM;AACN,QAAI,CAAC,MAAM;AAET,UAAI,SAAS,OAAO,UAAU,UAAU;AACtC,cAAM,MAAM;AACZ,mBAAW,CAAC,KAAK,GAAG,KAAK,OAAO,QAAQ,GAAG,GAAG;AAC5C,eAAK,gBAAgB,MAAM,UAAU,KAAK,GAAG;AAAA,QAC/C;AAAA,MACF;AACA;AAAA,IACF;AAEA,UAAM,iBAAiB,KAAK,YAAY;AACxC,YAAQ,gBAAgB;AAAA,MACtB,KAAK;AACH,aAAK,OAAQ,SAAoB;AACjC,iBAAS,UAAW,SAAoB;AACxC;AAAA,MACF,KAAK,kBAAkB;AACrB,cAAM,gBAAgB,KAAK,QAAQ,IAAI,MAAM,GAAG;AAChD,qBAAa,CAAC,IAAK,SAAoB;AACvC,aAAK,OAAO,aAAa,KAAK,GAAG,EAAE,KAAK,KAAK;AAC7C;AAAA,MACF;AAAA,MACA,KAAK,mBAAmB;AACtB,cAAM,gBAAgB,KAAK,QAAQ,IAAI,MAAM,GAAG;AAChD,cAAM,QAAQ,aAAa,CAAC,KAAK;AACjC,aAAK,OAAO,QAAQ,GAAG,KAAK,IAAI,KAAK,GAAG,KAAK,IAAI,SAAS;AAC1D;AAAA,MACF;AAAA,MACA,KAAK;AACH,iBAAS,WAAY,SAAoB,SAAS;AAClD;AAAA,MACF,KAAK;AACH,iBAAS,aAAc,SAAoB;AAC3C;AAAA,MACF,KAAK;AAEH;AAAA,IACJ;AAAA,EACF;AAAA,EAEA,MAAc,eAAe,QAAgB,OAAiC;AAC5E,QAAI,eAAe,MAAM,KAAK,GAAG,QAAQ,qBAAqB;AAAA,MAC5D;AAAA,MAAQ,aAAa,MAAM;AAAA,IAC7B,CAAC;AAED,QAAI,cAAc;AAChB,mBAAa,gBAAgB,oBAAI,KAAK;AACtC,mBAAa,gBAAgB;AAAA,IAC/B,OAAO;AACL,qBAAe,KAAK,GAAG,OAAO,qBAAqB;AAAA,QACjD,UAAU,MAAM,YAAY;AAAA,QAC5B,gBAAgB,MAAM;AAAA,QACtB;AAAA,QACA,aAAa,MAAM;AAAA,QACnB,eAAe,oBAAI,KAAK;AAAA,MAC1B,CAA4C;AAC5C,WAAK,GAAG,QAAQ,YAAY;AAAA,IAC9B;AACA,UAAM,KAAK,GAAG,MAAM;AAGpB,UAAM,eAAqC,EAAE,MAAM,OAAO;AAC1D,UAAM,KAAK,GAAG,aAAa,SAAS,YAAY;AAAA,EAClD;AAAA,EAEA,MAAc,eAAe,QAAgB,OAAiC;AAC5E,UAAM,eAAe,MAAM,KAAK,GAAG,QAAQ,qBAAqB;AAAA,MAC9D;AAAA,MAAQ,aAAa,MAAM;AAAA,IAC7B,CAAC;AACD,QAAI,gBAAgB,CAAC,aAAa,eAAe;AAC/C,mBAAa,gBAAgB,oBAAI,KAAK;AACtC,YAAM,KAAK,GAAG,MAAM;AAAA,IACtB;AAAA,EACF;AAAA,EAEA,MAAc,mBAAmB,QAAgB,OAAgD;AAC/F,UAAM,eAAe,KAAK,GAAG,OAAO,qBAAqB;AAAA,MACvD,UAAU,MAAM,YAAY;AAAA,MAC5B,gBAAgB,MAAM;AAAA,MACtB;AAAA,MACA,aAAa,MAAM;AAAA,MACnB,eAAe,oBAAI,KAAK;AAAA,IAC1B,CAA4C;AAC5C,UAAM,KAAK,GAAG,gBAAgB,YAAY;AAC1C,WAAO;AAAA,EACT;AAAA,EAEA,MAAc,qBAAqB,MAAqB,QAAgB,OAAgD;AACtH,UAAM,eAAe,KAAK,OAAO,qBAAqB;AAAA,MACpD,UAAU,MAAM,YAAY;AAAA,MAC5B,gBAAgB,MAAM;AAAA,MACtB;AAAA,MACA,aAAa,MAAM;AAAA,MACnB,eAAe,oBAAI,KAAK;AAAA,IAC1B,CAA4C;AAC5C,UAAM,KAAK,gBAAgB,YAAY;AACvC,WAAO;AAAA,EACT;AAAA,EAEA,MAAc,IACZ,OACA,WACA,YACA,YACA,gBACA,cACe;AACf,UAAM,QAAQ,KAAK,GAAG,OAAO,qBAAqB;AAAA,MAChD,UAAU,MAAM,YAAY;AAAA,MAC5B,gBAAgB,MAAM;AAAA,MACtB,aAAa,MAAM;AAAA,MACnB;AAAA,MACA,cAAc;AAAA,MACd,YAAY,cAAc;AAAA,MAC1B,gBAAgB,cAAc;AAAA,MAC9B;AAAA,MACA,cAAc,gBAAgB;AAAA,IAChC,CAA4C;AAC5C,UAAM,KAAK,GAAG,gBAAgB,KAAK;AAAA,EACrC;AAAA,EAEA,MAAc,MACZ,MACA,OACA,WACA,YACA,YACA,gBACe;AACf,UAAM,QAAQ,KAAK,OAAO,qBAAqB;AAAA,MAC7C,UAAU,MAAM,YAAY;AAAA,MAC5B,gBAAgB,MAAM;AAAA,MACtB,aAAa,MAAM;AAAA,MACnB;AAAA,MACA,cAAc;AAAA,MACd,YAAY,cAAc;AAAA,MAC1B,gBAAgB,cAAc;AAAA,MAC9B;AAAA,IACF,CAA4C;AAC5C,UAAM,KAAK,gBAAgB,KAAK;AAAA,EAClC;AACF;AAEA,SAAS,iBAAiB,QAAwC;AAChE,MAAI,OAAO,YAAa,QAAO,OAAO;AACtC,QAAM,QAAQ,CAAC,OAAO,WAAW,OAAO,UAAU,EAAE,OAAO,OAAO;AAClE,SAAO,MAAM,SAAS,IAAI,MAAM,KAAK,GAAG,IAAI;AAC9C;AAEO,MAAM,yBAAyB,MAAM;AAAA,EAC1C,YACkB,YAChB,SACA;AACA,UAAM,OAAO;AAHG;AAIhB,SAAK,OAAO;AAAA,EACd;AACF;",
+  "names": ["existingUser"]
+}

package/dist/modules/sso/services/scimTokenService.js

@@ -0,0 +1,94 @@
+import { randomBytes } from "node:crypto";
+import { hash, compare } from "bcryptjs";
+import { ScimToken, SsoConfig } from "../data/entities.js";
+const BCRYPT_COST = 10;
+const TOKEN_PREFIX = "omscim_";
+class ScimTokenService {
+  constructor(em) {
+    this.em = em;
+  }
+  async generateToken(ssoConfigId, name, scope) {
+    const where = { id: ssoConfigId, deletedAt: null };
+    if (!scope.isSuperAdmin && scope.organizationId) {
+      where.organizationId = scope.organizationId;
+    }
+    const config = await this.em.findOne(SsoConfig, where);
+    if (!config) throw new ScimTokenError("SSO configuration not found", 404);
+    if (config.jitEnabled) {
+      throw new ScimTokenError("Cannot create SCIM tokens while JIT provisioning is enabled. Disable JIT first.", 409);
+    }
+    const raw = TOKEN_PREFIX + randomBytes(32).toString("hex");
+    const tokenHash = await hash(raw, BCRYPT_COST);
+    const tokenPrefix = raw.slice(0, 12);
+    const token = this.em.create(ScimToken, {
+      ssoConfigId,
+      name,
+      tokenHash,
+      tokenPrefix,
+      isActive: true,
+      createdBy: null,
+      tenantId: scope.tenantId,
+      organizationId: scope.organizationId
+    });
+    await this.em.persistAndFlush(token);
+    return { id: token.id, token: raw, prefix: tokenPrefix, name };
+  }
+  async verifyToken(rawToken) {
+    const prefix = rawToken.slice(0, 12);
+    const candidates = await this.em.find(ScimToken, {
+      tokenPrefix: prefix,
+      isActive: true
+    });
+    if (candidates.length === 0) {
+      await hash(rawToken, BCRYPT_COST);
+      return null;
+    }
+    for (const candidate of candidates) {
+      const isValid = await compare(rawToken, candidate.tokenHash);
+      if (isValid) {
+        return {
+          ssoConfigId: candidate.ssoConfigId,
+          organizationId: candidate.organizationId,
+          tenantId: candidate.tenantId ?? null
+        };
+      }
+    }
+    return null;
+  }
+  async revokeToken(tokenId, scope) {
+    const where = { id: tokenId };
+    if (!scope.isSuperAdmin) where.organizationId = scope.organizationId;
+    const token = await this.em.findOne(ScimToken, where);
+    if (!token) throw new ScimTokenError("SCIM token not found", 404);
+    token.isActive = false;
+    await this.em.flush();
+  }
+  async listTokens(ssoConfigId, scope) {
+    const where = { ssoConfigId };
+    if (!scope.isSuperAdmin) where.organizationId = scope.organizationId;
+    const tokens = await this.em.find(ScimToken, where, {
+      orderBy: { createdAt: "desc" }
+    });
+    return tokens.map((t) => ({
+      id: t.id,
+      ssoConfigId: t.ssoConfigId,
+      name: t.name,
+      tokenPrefix: t.tokenPrefix,
+      isActive: t.isActive,
+      createdBy: t.createdBy ?? null,
+      createdAt: t.createdAt
+    }));
+  }
+}
+class ScimTokenError extends Error {
+  constructor(message, statusCode) {
+    super(message);
+    this.statusCode = statusCode;
+    this.name = "ScimTokenError";
+  }
+}
+export {
+  ScimTokenError,
+  ScimTokenService
+};
+//# sourceMappingURL=scimTokenService.js.map

package/dist/modules/sso/services/scimTokenService.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/services/scimTokenService.ts"],
+  "sourcesContent": ["import { randomBytes } from 'node:crypto'\nimport type { RequiredEntityData } from '@mikro-orm/core'\nimport { EntityManager } from '@mikro-orm/postgresql'\nimport { hash, compare } from 'bcryptjs'\nimport { ScimToken, SsoConfig } from '../data/entities'\nimport type { SsoAdminScope } from './ssoConfigService'\n\nconst BCRYPT_COST = 10\nconst TOKEN_PREFIX = 'omscim_'\n\nexport interface ScimTokenPublic {\n  id: string\n  ssoConfigId: string\n  name: string\n  tokenPrefix: string\n  isActive: boolean\n  createdBy: string | null\n  createdAt: Date\n}\n\nexport interface ScimTokenCreateResult {\n  id: string\n  token: string\n  prefix: string\n  name: string\n}\n\nexport class ScimTokenService {\n  constructor(private em: EntityManager) {}\n\n  async generateToken(\n    ssoConfigId: string,\n    name: string,\n    scope: SsoAdminScope,\n  ): Promise<ScimTokenCreateResult> {\n    const where: Record<string, unknown> = { id: ssoConfigId, deletedAt: null }\n    if (!scope.isSuperAdmin && scope.organizationId) {\n      where.organizationId = scope.organizationId\n    }\n    const config = await this.em.findOne(SsoConfig, where)\n    if (!config) throw new ScimTokenError('SSO configuration not found', 404)\n    if (config.jitEnabled) {\n      throw new ScimTokenError('Cannot create SCIM tokens while JIT provisioning is enabled. Disable JIT first.', 409)\n    }\n\n    const raw = TOKEN_PREFIX + randomBytes(32).toString('hex')\n    const tokenHash = await hash(raw, BCRYPT_COST)\n    const tokenPrefix = raw.slice(0, 12)\n\n    const token = this.em.create(ScimToken, {\n      ssoConfigId,\n      name,\n      tokenHash,\n      tokenPrefix,\n      isActive: true,\n      createdBy: null,\n      tenantId: scope.tenantId,\n      organizationId: scope.organizationId!,\n    } as RequiredEntityData<ScimToken>)\n\n    await this.em.persistAndFlush(token)\n\n    return { id: token.id, token: raw, prefix: tokenPrefix, name }\n  }\n\n  async verifyToken(rawToken: string): Promise<{\n    ssoConfigId: string\n    organizationId: string\n    tenantId: string | null\n  } | null> {\n    const prefix = rawToken.slice(0, 12)\n\n    const candidates = await this.em.find(ScimToken, {\n      tokenPrefix: prefix,\n      isActive: true,\n    })\n\n    if (candidates.length === 0) {\n      await hash(rawToken, BCRYPT_COST)\n      return null\n    }\n\n    for (const candidate of candidates) {\n      const isValid = await compare(rawToken, candidate.tokenHash)\n      if (isValid) {\n        return {\n          ssoConfigId: candidate.ssoConfigId,\n          organizationId: candidate.organizationId,\n          tenantId: candidate.tenantId ?? null,\n        }\n      }\n    }\n\n    return null\n  }\n\n  async revokeToken(tokenId: string, scope: SsoAdminScope): Promise<void> {\n    const where: Record<string, unknown> = { id: tokenId }\n    if (!scope.isSuperAdmin) where.organizationId = scope.organizationId\n\n    const token = await this.em.findOne(ScimToken, where)\n    if (!token) throw new ScimTokenError('SCIM token not found', 404)\n\n    token.isActive = false\n    await this.em.flush()\n  }\n\n  async listTokens(ssoConfigId: string, scope: SsoAdminScope): Promise<ScimTokenPublic[]> {\n    const where: Record<string, unknown> = { ssoConfigId }\n    if (!scope.isSuperAdmin) where.organizationId = scope.organizationId\n\n    const tokens = await this.em.find(ScimToken, where, {\n      orderBy: { createdAt: 'desc' },\n    })\n\n    return tokens.map((t) => ({\n      id: t.id,\n      ssoConfigId: t.ssoConfigId,\n      name: t.name,\n      tokenPrefix: t.tokenPrefix,\n      isActive: t.isActive,\n      createdBy: t.createdBy ?? null,\n      createdAt: t.createdAt,\n    }))\n  }\n}\n\nexport class ScimTokenError extends Error {\n  constructor(\n    message: string,\n    public readonly statusCode: number,\n  ) {\n    super(message)\n    this.name = 'ScimTokenError'\n  }\n}\n"],
+  "mappings": "AAAA,SAAS,mBAAmB;AAG5B,SAAS,MAAM,eAAe;AAC9B,SAAS,WAAW,iBAAiB;AAGrC,MAAM,cAAc;AACpB,MAAM,eAAe;AAmBd,MAAM,iBAAiB;AAAA,EAC5B,YAAoB,IAAmB;AAAnB;AAAA,EAAoB;AAAA,EAExC,MAAM,cACJ,aACA,MACA,OACgC;AAChC,UAAM,QAAiC,EAAE,IAAI,aAAa,WAAW,KAAK;AAC1E,QAAI,CAAC,MAAM,gBAAgB,MAAM,gBAAgB;AAC/C,YAAM,iBAAiB,MAAM;AAAA,IAC/B;AACA,UAAM,SAAS,MAAM,KAAK,GAAG,QAAQ,WAAW,KAAK;AACrD,QAAI,CAAC,OAAQ,OAAM,IAAI,eAAe,+BAA+B,GAAG;AACxE,QAAI,OAAO,YAAY;AACrB,YAAM,IAAI,eAAe,mFAAmF,GAAG;AAAA,IACjH;AAEA,UAAM,MAAM,eAAe,YAAY,EAAE,EAAE,SAAS,KAAK;AACzD,UAAM,YAAY,MAAM,KAAK,KAAK,WAAW;AAC7C,UAAM,cAAc,IAAI,MAAM,GAAG,EAAE;AAEnC,UAAM,QAAQ,KAAK,GAAG,OAAO,WAAW;AAAA,MACtC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,UAAU;AAAA,MACV,WAAW;AAAA,MACX,UAAU,MAAM;AAAA,MAChB,gBAAgB,MAAM;AAAA,IACxB,CAAkC;AAElC,UAAM,KAAK,GAAG,gBAAgB,KAAK;AAEnC,WAAO,EAAE,IAAI,MAAM,IAAI,OAAO,KAAK,QAAQ,aAAa,KAAK;AAAA,EAC/D;AAAA,EAEA,MAAM,YAAY,UAIR;AACR,UAAM,SAAS,SAAS,MAAM,GAAG,EAAE;AAEnC,UAAM,aAAa,MAAM,KAAK,GAAG,KAAK,WAAW;AAAA,MAC/C,aAAa;AAAA,MACb,UAAU;AAAA,IACZ,CAAC;AAED,QAAI,WAAW,WAAW,GAAG;AAC3B,YAAM,KAAK,UAAU,WAAW;AAChC,aAAO;AAAA,IACT;AAEA,eAAW,aAAa,YAAY;AAClC,YAAM,UAAU,MAAM,QAAQ,UAAU,UAAU,SAAS;AAC3D,UAAI,SAAS;AACX,eAAO;AAAA,UACL,aAAa,UAAU;AAAA,UACvB,gBAAgB,UAAU;AAAA,UAC1B,UAAU,UAAU,YAAY;AAAA,QAClC;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,YAAY,SAAiB,OAAqC;AACtE,UAAM,QAAiC,EAAE,IAAI,QAAQ;AACrD,QAAI,CAAC,MAAM,aAAc,OAAM,iBAAiB,MAAM;AAEtD,UAAM,QAAQ,MAAM,KAAK,GAAG,QAAQ,WAAW,KAAK;AACpD,QAAI,CAAC,MAAO,OAAM,IAAI,eAAe,wBAAwB,GAAG;AAEhE,UAAM,WAAW;AACjB,UAAM,KAAK,GAAG,MAAM;AAAA,EACtB;AAAA,EAEA,MAAM,WAAW,aAAqB,OAAkD;AACtF,UAAM,QAAiC,EAAE,YAAY;AACrD,QAAI,CAAC,MAAM,aAAc,OAAM,iBAAiB,MAAM;AAEtD,UAAM,SAAS,MAAM,KAAK,GAAG,KAAK,WAAW,OAAO;AAAA,MAClD,SAAS,EAAE,WAAW,OAAO;AAAA,IAC/B,CAAC;AAED,WAAO,OAAO,IAAI,CAAC,OAAO;AAAA,MACxB,IAAI,EAAE;AAAA,MACN,aAAa,EAAE;AAAA,MACf,MAAM,EAAE;AAAA,MACR,aAAa,EAAE;AAAA,MACf,UAAU,EAAE;AAAA,MACZ,WAAW,EAAE,aAAa;AAAA,MAC1B,WAAW,EAAE;AAAA,IACf,EAAE;AAAA,EACJ;AACF;AAEO,MAAM,uBAAuB,MAAM;AAAA,EACxC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;",
+  "names": []
+}