npm - @open-mercato/enterprise - Versions diffs - 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6 - Mend

@open-mercato/enterprise 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (195) hide show

package/dist/modules/sso/widgets/injection/login-sso/widget.client.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../src/modules/sso/widgets/injection/login-sso/widget.client.tsx"],
+  "sourcesContent": ["\"use client\"\nimport { useCallback, useEffect, useRef, useState } from 'react'\nimport type { InjectionWidgetComponentProps } from '@open-mercato/shared/modules/widgets/injection'\nimport type { LoginFormWidgetContext } from '@open-mercato/core/modules/auth/frontend/login-injection'\nimport { apiCall } from '@open-mercato/ui/backend/utils/apiCall'\nimport { useT } from '@open-mercato/shared/lib/i18n/context'\nimport { translateWithFallback } from '@open-mercato/shared/lib/i18n/translate'\n\nconst SSO_ERROR_CODES = [\n  'sso_failed',\n  'sso_missing_config',\n  'sso_email_not_verified',\n  'sso_state_missing',\n  'sso_idp_error',\n  'sso_missing_params',\n] as const\n\nconst HRD_DEBOUNCE_MS = 300\n\ntype HrdResponse = {\n  hasSso: boolean\n  configId?: string\n  protocol?: string\n}\n\nexport default function SsoLoginWidget({ context }: InjectionWidgetComponentProps<LoginFormWidgetContext>) {\n  const t = useT()\n  const translate = useCallback(\n    (key: string, fallback: string) => translateWithFallback(t, key, fallback),\n    [t],\n  )\n  const [ssoActive, setSsoActive] = useState(false)\n  const lastCheckedEmail = useRef('')\n  const debounceTimer = useRef<ReturnType<typeof setTimeout> | null>(null)\n\n  useEffect(() => {\n    const errorParam = context.searchParams.get('error')\n    if (!errorParam) return\n\n    const errorMessages: Record<string, string> = {\n      sso_failed: translate('sso.login.errors.failed', 'SSO login failed. Please try again.'),\n      sso_missing_config: translate('sso.login.errors.missingConfig', 'SSO is not configured for this account.'),\n      sso_email_not_verified: translate('sso.login.errors.emailNotVerified', 'Your email address is not verified by the identity provider. Please verify your email and try again.'),\n      sso_state_missing: translate('sso.login.errors.stateMissing', 'SSO session expired. Please try again.'),\n      sso_idp_error: translate('sso.login.errors.idpError', 'The identity provider returned an error. Please try again or contact your administrator.'),\n      sso_missing_params: translate('sso.login.errors.missingParams', 'SSO callback was incomplete. Please try again.'),\n    }\n\n    if (SSO_ERROR_CODES.includes(errorParam as typeof SSO_ERROR_CODES[number])) {\n      context.setError(errorMessages[errorParam] ?? errorMessages.sso_failed)\n    }\n  }, [context.searchParams, context.setError, translate])\n\n  const checkHrd = useCallback(async (email: string) => {\n    if (!email || !email.includes('@')) {\n      context.setAuthOverride(null)\n      setSsoActive(false)\n      lastCheckedEmail.current = ''\n      return\n    }\n\n    if (email === lastCheckedEmail.current) return\n    lastCheckedEmail.current = email\n\n    try {\n      const body: Record<string, string> = { email }\n      if (context.tenantId) {\n        body.tenantId = context.tenantId\n      }\n\n      const res = await apiCall<HrdResponse>(\n        '/api/sso/hrd',\n        { method: 'POST', body: JSON.stringify(body), headers: { 'Content-Type': 'application/json' } },\n      )\n\n      if (res.result?.hasSso && res.result.configId) {\n        const configId = res.result.configId\n        setSsoActive(true)\n        context.setAuthOverride({\n          providerId: 'sso',\n          providerLabel: translate('sso.login.continueWithSso', 'Continue with SSO'),\n          onSubmit: () => {\n            const returnUrl = context.searchParams.get('returnUrl') || '/backend'\n            window.location.href = `/api/sso/initiate?configId=${encodeURIComponent(configId)}&returnUrl=${encodeURIComponent(returnUrl)}`\n          },\n          hidePassword: true,\n          hideRememberMe: true,\n          hideForgotPassword: true,\n        })\n      } else {\n        setSsoActive(false)\n        context.setAuthOverride(null)\n      }\n    } catch {\n      setSsoActive(false)\n      context.setAuthOverride(null)\n    }\n  }, [context, translate])\n\n  useEffect(() => {\n    if (debounceTimer.current) {\n      clearTimeout(debounceTimer.current)\n    }\n\n    if (!context.email) {\n      setSsoActive(false)\n      context.setAuthOverride(null)\n      lastCheckedEmail.current = ''\n      return\n    }\n\n    debounceTimer.current = setTimeout(() => {\n      checkHrd(context.email)\n    }, HRD_DEBOUNCE_MS)\n\n    return () => {\n      if (debounceTimer.current) {\n        clearTimeout(debounceTimer.current)\n      }\n    }\n  }, [context.email, checkHrd])\n\n  if (!ssoActive) return null\n\n  return (\n    <div className=\"rounded-md border border-blue-200 bg-blue-50 px-3 py-2 text-center text-xs text-blue-800\">\n      {translate('sso.login.ssoEnabled', 'SSO is enabled for this account')}\n    </div>\n  )\n}\n"],
+  "mappings": ";AA6HI;AA5HJ,SAAS,aAAa,WAAW,QAAQ,gBAAgB;AAGzD,SAAS,eAAe;AACxB,SAAS,YAAY;AACrB,SAAS,6BAA6B;AAEtC,MAAM,kBAAkB;AAAA,EACtB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,MAAM,kBAAkB;AAQT,SAAR,eAAgC,EAAE,QAAQ,GAA0D;AACzG,QAAM,IAAI,KAAK;AACf,QAAM,YAAY;AAAA,IAChB,CAAC,KAAa,aAAqB,sBAAsB,GAAG,KAAK,QAAQ;AAAA,IACzE,CAAC,CAAC;AAAA,EACJ;AACA,QAAM,CAAC,WAAW,YAAY,IAAI,SAAS,KAAK;AAChD,QAAM,mBAAmB,OAAO,EAAE;AAClC,QAAM,gBAAgB,OAA6C,IAAI;AAEvE,YAAU,MAAM;AACd,UAAM,aAAa,QAAQ,aAAa,IAAI,OAAO;AACnD,QAAI,CAAC,WAAY;AAEjB,UAAM,gBAAwC;AAAA,MAC5C,YAAY,UAAU,2BAA2B,qCAAqC;AAAA,MACtF,oBAAoB,UAAU,kCAAkC,yCAAyC;AAAA,MACzG,wBAAwB,UAAU,qCAAqC,sGAAsG;AAAA,MAC7K,mBAAmB,UAAU,iCAAiC,wCAAwC;AAAA,MACtG,eAAe,UAAU,6BAA6B,0FAA0F;AAAA,MAChJ,oBAAoB,UAAU,kCAAkC,gDAAgD;AAAA,IAClH;AAEA,QAAI,gBAAgB,SAAS,UAA4C,GAAG;AAC1E,cAAQ,SAAS,cAAc,UAAU,KAAK,cAAc,UAAU;AAAA,IACxE;AAAA,EACF,GAAG,CAAC,QAAQ,cAAc,QAAQ,UAAU,SAAS,CAAC;AAEtD,QAAM,WAAW,YAAY,OAAO,UAAkB;AACpD,QAAI,CAAC,SAAS,CAAC,MAAM,SAAS,GAAG,GAAG;AAClC,cAAQ,gBAAgB,IAAI;AAC5B,mBAAa,KAAK;AAClB,uBAAiB,UAAU;AAC3B;AAAA,IACF;AAEA,QAAI,UAAU,iBAAiB,QAAS;AACxC,qBAAiB,UAAU;AAE3B,QAAI;AACF,YAAM,OAA+B,EAAE,MAAM;AAC7C,UAAI,QAAQ,UAAU;AACpB,aAAK,WAAW,QAAQ;AAAA,MAC1B;AAEA,YAAM,MAAM,MAAM;AAAA,QAChB;AAAA,QACA,EAAE,QAAQ,QAAQ,MAAM,KAAK,UAAU,IAAI,GAAG,SAAS,EAAE,gBAAgB,mBAAmB,EAAE;AAAA,MAChG;AAEA,UAAI,IAAI,QAAQ,UAAU,IAAI,OAAO,UAAU;AAC7C,cAAM,WAAW,IAAI,OAAO;AAC5B,qBAAa,IAAI;AACjB,gBAAQ,gBAAgB;AAAA,UACtB,YAAY;AAAA,UACZ,eAAe,UAAU,6BAA6B,mBAAmB;AAAA,UACzE,UAAU,MAAM;AACd,kBAAM,YAAY,QAAQ,aAAa,IAAI,WAAW,KAAK;AAC3D,mBAAO,SAAS,OAAO,8BAA8B,mBAAmB,QAAQ,CAAC,cAAc,mBAAmB,SAAS,CAAC;AAAA,UAC9H;AAAA,UACA,cAAc;AAAA,UACd,gBAAgB;AAAA,UAChB,oBAAoB;AAAA,QACtB,CAAC;AAAA,MACH,OAAO;AACL,qBAAa,KAAK;AAClB,gBAAQ,gBAAgB,IAAI;AAAA,MAC9B;AAAA,IACF,QAAQ;AACN,mBAAa,KAAK;AAClB,cAAQ,gBAAgB,IAAI;AAAA,IAC9B;AAAA,EACF,GAAG,CAAC,SAAS,SAAS,CAAC;AAEvB,YAAU,MAAM;AACd,QAAI,cAAc,SAAS;AACzB,mBAAa,cAAc,OAAO;AAAA,IACpC;AAEA,QAAI,CAAC,QAAQ,OAAO;AAClB,mBAAa,KAAK;AAClB,cAAQ,gBAAgB,IAAI;AAC5B,uBAAiB,UAAU;AAC3B;AAAA,IACF;AAEA,kBAAc,UAAU,WAAW,MAAM;AACvC,eAAS,QAAQ,KAAK;AAAA,IACxB,GAAG,eAAe;AAElB,WAAO,MAAM;AACX,UAAI,cAAc,SAAS;AACzB,qBAAa,cAAc,OAAO;AAAA,MACpC;AAAA,IACF;AAAA,EACF,GAAG,CAAC,QAAQ,OAAO,QAAQ,CAAC;AAE5B,MAAI,CAAC,UAAW,QAAO;AAEvB,SACE,oBAAC,SAAI,WAAU,4FACZ,oBAAU,wBAAwB,iCAAiC,GACtE;AAEJ;",
+  "names": []
+}

package/dist/modules/sso/widgets/injection/login-sso/widget.js ADDED Viewed

@@ -0,0 +1,16 @@
+import Widget from "./widget.client.js";
+const widgetModule = {
+  metadata: {
+    id: "sso.injection.login-sso",
+    title: "SSO Login",
+    features: [],
+    priority: 100,
+    enabled: true
+  },
+  Widget
+};
+var widget_default = widgetModule;
+export {
+  widget_default as default
+};
+//# sourceMappingURL=widget.js.map

package/dist/modules/sso/widgets/injection/login-sso/widget.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../src/modules/sso/widgets/injection/login-sso/widget.ts"],
+  "sourcesContent": ["import type { InjectionWidgetModule } from '@open-mercato/shared/modules/widgets/injection'\nimport type { LoginFormWidgetContext } from '@open-mercato/core/modules/auth/frontend/login-injection'\nimport Widget from './widget.client'\n\nconst widgetModule: InjectionWidgetModule<LoginFormWidgetContext> = {\n  metadata: {\n    id: 'sso.injection.login-sso',\n    title: 'SSO Login',\n    features: [],\n    priority: 100,\n    enabled: true,\n  },\n  Widget,\n}\n\nexport default widgetModule\n"],
+  "mappings": "AAEA,OAAO,YAAY;AAEnB,MAAM,eAA8D;AAAA,EAClE,UAAU;AAAA,IACR,IAAI;AAAA,IACJ,OAAO;AAAA,IACP,UAAU,CAAC;AAAA,IACX,UAAU;AAAA,IACV,SAAS;AAAA,EACX;AAAA,EACA;AACF;AAEA,IAAO,iBAAQ;",
+  "names": []
+}

package/dist/modules/sso/widgets/injection-table.js ADDED Viewed

@@ -0,0 +1,14 @@
+const injectionTable = {
+  "auth.login:form": [
+    {
+      widgetId: "sso.injection.login-sso",
+      priority: 100
+    }
+  ]
+};
+var injection_table_default = injectionTable;
+export {
+  injection_table_default as default,
+  injectionTable
+};
+//# sourceMappingURL=injection-table.js.map

package/dist/modules/sso/widgets/injection-table.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/widgets/injection-table.ts"],
+  "sourcesContent": ["import type { ModuleInjectionTable } from '@open-mercato/shared/modules/widgets/injection'\n\nexport const injectionTable: ModuleInjectionTable = {\n  'auth.login:form': [\n    {\n      widgetId: 'sso.injection.login-sso',\n      priority: 100,\n    },\n  ],\n}\n\nexport default injectionTable\n"],
+  "mappings": "AAEO,MAAM,iBAAuC;AAAA,EAClD,mBAAmB;AAAA,IACjB;AAAA,MACE,UAAU;AAAA,MACV,UAAU;AAAA,IACZ;AAAA,EACF;AACF;AAEA,IAAO,0BAAQ;",
+  "names": []
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/enterprise",
-  "version": "0.4.6-develop-15c18897fc",
+  "version": "0.4.6-develop-34aa847ce6",
   "type": "module",
   "main": "./dist/index.js",
   "scripts": {
@@ -64,9 +64,10 @@
     }
   },
   "dependencies": {
-    "@open-mercato/core": "0.4.6-develop-15c18897fc",
-    "@open-mercato/shared": "0.4.6-develop-15c18897fc",
-    "@open-mercato/ui": "0.4.6-develop-15c18897fc"
+    "@open-mercato/core": "0.4.6-develop-34aa847ce6",
+    "@open-mercato/shared": "0.4.6-develop-34aa847ce6",
+    "@open-mercato/ui": "0.4.6-develop-34aa847ce6",
+    "openid-client": "^6.3.3"
   },
   "devDependencies": {
     "@types/jest": "^30.0.0",

package/src/index.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 export const enterprisePackage = {
   id: 'enterprise',
   description: 'Optional enterprise overlays and modules for Open Mercato.',
-  modules: ['security', 'record_locks'],
+  modules: ['security', 'sso','record_locks'],
 } as const
 export default enterprisePackage

package/src/modules/sso/acl.ts ADDED Viewed

@@ -0,0 +1,7 @@
+export const features = [
+  { id: 'sso.config.view', title: 'View SSO configuration', module: 'sso' },
+  { id: 'sso.config.manage', title: 'Manage SSO configuration', module: 'sso' },
+  { id: 'sso.scim.manage', title: 'Manage SCIM provisioning tokens', module: 'sso' },
+]
+export default features

package/src/modules/sso/api/admin-context.ts ADDED Viewed

@@ -0,0 +1,36 @@
+import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
+import type { SsoAdminScope } from '../services/ssoConfigService'
+export async function resolveSsoAdminContext(req: Request): Promise<{
+  auth: Awaited<ReturnType<typeof getAuthFromRequest>>
+  scope: SsoAdminScope
+}> {
+  const auth = await getAuthFromRequest(req)
+  if (!auth?.sub) throw new SsoAdminAuthError('Unauthorized', 401)
+  const isSuperAdmin = !!(auth as Record<string, unknown>).isSuperAdmin
+  const url = new URL(req.url)
+  return {
+    auth,
+    scope: {
+      isSuperAdmin,
+      organizationId: isSuperAdmin
+        ? url.searchParams.get('organizationId') ?? null
+        : auth.orgId ?? null,
+      tenantId: isSuperAdmin
+        ? url.searchParams.get('tenantId') ?? null
+        : auth.tenantId ?? null,
+    },
+  }
+}
+export class SsoAdminAuthError extends Error {
+  constructor(
+    message: string,
+    public readonly statusCode: number,
+  ) {
+    super(message)
+    this.name = 'SsoAdminAuthError'
+  }
+}

package/src/modules/sso/api/callback/oidc/route.ts ADDED Viewed

@@ -0,0 +1,115 @@
+import { NextResponse } from 'next/server'
+import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+import { toAbsoluteUrl } from '@open-mercato/shared/lib/url'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { SsoService } from '../../../services/ssoService'
+import { emitSsoEvent } from '../../../events'
+function parseCookie(req: Request, name: string): string | null {
+  const cookie = req.headers.get('cookie') || ''
+  const m = cookie.match(new RegExp('(?:^|;\\s*)' + name + '=([^;]+)'))
+  return m ? decodeURIComponent(m[1]) : null
+}
+async function handleCallback(req: Request): Promise<NextResponse> {
+  try {
+    const url = new URL(req.url)
+    const callbackParams: Record<string, string> = {}
+    url.searchParams.forEach((value, key) => {
+      callbackParams[key] = value
+    })
+    if (req.method === 'POST') {
+      const contentType = req.headers.get('content-type') || ''
+      if (contentType.includes('application/x-www-form-urlencoded')) {
+        const form = await req.formData()
+        form.forEach((value, key) => {
+          callbackParams[key] = String(value)
+        })
+      }
+    }
+    const stateCookie = parseCookie(req, 'sso_state')
+    if (!stateCookie) {
+      return NextResponse.redirect(toAbsoluteUrl(req, '/login?error=sso_state_missing'))
+    }
+    if (callbackParams.error) {
+      void emitSsoEvent('sso.login.failed', {
+        reason: callbackParams.error,
+      }).catch((e) => console.error('[SSO Event]', e))
+      return NextResponse.redirect(toAbsoluteUrl(req, '/login?error=sso_idp_error'))
+    }
+    if (!callbackParams.code || !callbackParams.state) {
+      return NextResponse.redirect(toAbsoluteUrl(req, '/login?error=sso_missing_params'))
+    }
+    const redirectUri = toAbsoluteUrl(req, '/api/sso/callback/oidc')
+    const container = await createRequestContainer()
+    const ssoService = container.resolve<SsoService>('ssoService')
+    const result = await ssoService.handleOidcCallback(callbackParams, stateCookie, redirectUri)
+    const res = NextResponse.redirect(toAbsoluteUrl(req, result.redirectUrl))
+    res.cookies.set('auth_token', result.token, {
+      httpOnly: true,
+      path: '/',
+      sameSite: 'lax',
+      secure: process.env.NODE_ENV !== 'development',
+      maxAge: 60 * 60 * 8,
+    })
+    res.cookies.set('session_token', result.sessionToken, {
+      httpOnly: true,
+      path: '/',
+      sameSite: 'lax',
+      secure: process.env.NODE_ENV !== 'development',
+      expires: result.sessionExpiresAt,
+    })
+    res.cookies.set('sso_state', '', { path: '/', maxAge: 0 })
+    return res
+  } catch (err) {
+    console.error('[SSO Callback] Error:', err)
+    void emitSsoEvent('sso.login.failed', {
+      reason: err instanceof Error ? err.message : 'callback_failed',
+    }).catch((e) => console.error('[SSO Event]', e))
+    const message = err instanceof Error ? err.message : ''
+    const errorCode = message.includes('email is not verified') ? 'sso_email_not_verified' : 'sso_failed'
+    return NextResponse.redirect(toAbsoluteUrl(req, `/login?error=${errorCode}`))
+  }
+}
+export async function GET(req: Request) {
+  return handleCallback(req)
+}
+export async function POST(req: Request) {
+  return handleCallback(req)
+}
+export const openApi: OpenApiRouteDoc = {
+  tag: 'SSO',
+  summary: 'OIDC callback',
+  methods: {
+    GET: {
+      summary: 'Handle OIDC callback (GET)',
+      description: 'Receives the authorization code from the IdP, exchanges it for tokens, resolves the user, and issues auth cookies.',
+      tags: ['SSO'],
+      responses: [
+        { status: 302, description: 'Redirect to application with auth cookies set', mediaType: 'text/html' },
+      ],
+    },
+    POST: {
+      summary: 'Handle OIDC callback (POST)',
+      description: 'Some IdPs send the callback as a POST (form_post response mode). Handles the same flow as the GET variant.',
+      tags: ['SSO'],
+      responses: [
+        { status: 302, description: 'Redirect to application with auth cookies set', mediaType: 'text/html' },
+      ],
+    },
+  },
+}

package/src/modules/sso/api/config/[id]/activate/route.ts ADDED Viewed

@@ -0,0 +1,53 @@
+import { NextResponse } from 'next/server'
+import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { SsoConfigService } from '../../../../services/ssoConfigService'
+import { ssoActivateSchema } from '../../../../data/validators'
+import { resolveSsoAdminContext } from '../../../admin-context'
+import { handleSsoAdminApiError } from '../../../error-handler'
+type RouteContext = { params: Promise<{ id: string }> }
+export const metadata = {
+  POST: { requireAuth: true, requireFeatures: ['sso.config.manage'] },
+}
+export async function POST(req: Request, ctx: RouteContext) {
+  try {
+    const { id } = await ctx.params
+    const { scope } = await resolveSsoAdminContext(req)
+    const body = await req.json()
+    const parsed = ssoActivateSchema.safeParse(body)
+    if (!parsed.success) {
+      return NextResponse.json({ error: 'Invalid request' }, { status: 400 })
+    }
+    const container = await createRequestContainer()
+    const service = container.resolve<SsoConfigService>('ssoConfigService')
+    const config = await service.activate(scope, id, parsed.data.active)
+    return NextResponse.json(config)
+  } catch (err) {
+    return handleSsoAdminApiError(err, 'SSO Config API')
+  }
+}
+export const openApi: OpenApiRouteDoc = {
+  tag: 'SSO',
+  summary: 'Activate/Deactivate SSO Configuration',
+  methods: {
+    POST: {
+      summary: 'Activate or deactivate SSO configuration',
+      description: 'Activation requires at least one domain and a successful OIDC discovery test.',
+      tags: ['SSO'],
+      requestBody: { contentType: 'application/json', schema: ssoActivateSchema },
+      responses: [{ status: 200, description: 'Config activation status updated' }],
+      errors: [
+        { status: 400, description: 'Activation failed — no domains or discovery failed' },
+        { status: 401, description: 'Unauthorized' },
+        { status: 404, description: 'Config not found' },
+      ],
+    },
+  },
+}

package/src/modules/sso/api/config/[id]/domains/route.ts ADDED Viewed

@@ -0,0 +1,107 @@
+import { NextResponse } from 'next/server'
+import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { SsoConfigService } from '../../../../services/ssoConfigService'
+import { ssoDomainAddSchema } from '../../../../data/validators'
+import { resolveSsoAdminContext } from '../../../admin-context'
+import { handleSsoAdminApiError } from '../../../error-handler'
+type RouteContext = { params: Promise<{ id: string }> }
+export const metadata = {
+  GET: { requireAuth: true, requireFeatures: ['sso.config.view'] },
+  POST: { requireAuth: true, requireFeatures: ['sso.config.manage'] },
+  DELETE: { requireAuth: true, requireFeatures: ['sso.config.manage'] },
+}
+export async function GET(req: Request, ctx: RouteContext) {
+  try {
+    const { id } = await ctx.params
+    const { scope } = await resolveSsoAdminContext(req)
+    const container = await createRequestContainer()
+    const service = container.resolve<SsoConfigService>('ssoConfigService')
+    const config = await service.getById(scope, id)
+    if (!config) {
+      return NextResponse.json({ error: 'SSO configuration not found' }, { status: 404 })
+    }
+    return NextResponse.json({ domains: config.allowedDomains })
+  } catch (err) {
+    return handleSsoAdminApiError(err, 'SSO Config API')
+  }
+}
+export async function POST(req: Request, ctx: RouteContext) {
+  try {
+    const { id } = await ctx.params
+    const { scope } = await resolveSsoAdminContext(req)
+    const body = await req.json()
+    const parsed = ssoDomainAddSchema.safeParse(body)
+    if (!parsed.success) {
+      return NextResponse.json({ error: 'Invalid request', details: parsed.error.flatten() }, { status: 400 })
+    }
+    const container = await createRequestContainer()
+    const service = container.resolve<SsoConfigService>('ssoConfigService')
+    const config = await service.addDomain(scope, id, parsed.data.domain)
+    return NextResponse.json({ domains: config.allowedDomains })
+  } catch (err) {
+    return handleSsoAdminApiError(err, 'SSO Config API')
+  }
+}
+export async function DELETE(req: Request, ctx: RouteContext) {
+  try {
+    const { id } = await ctx.params
+    const { scope } = await resolveSsoAdminContext(req)
+    const url = new URL(req.url)
+    const domain = url.searchParams.get('domain')
+    if (!domain) {
+      return NextResponse.json({ error: 'Missing domain query parameter' }, { status: 400 })
+    }
+    const container = await createRequestContainer()
+    const service = container.resolve<SsoConfigService>('ssoConfigService')
+    const config = await service.removeDomain(scope, id, domain)
+    return NextResponse.json({ domains: config.allowedDomains })
+  } catch (err) {
+    return handleSsoAdminApiError(err, 'SSO Config API')
+  }
+}
+export const openApi: OpenApiRouteDoc = {
+  tag: 'SSO',
+  summary: 'SSO Domain Management',
+  methods: {
+    GET: {
+      summary: 'List allowed domains',
+      tags: ['SSO'],
+      responses: [{ status: 200, description: 'List of allowed domains' }],
+      errors: [{ status: 404, description: 'Config not found' }],
+    },
+    POST: {
+      summary: 'Add an allowed domain',
+      tags: ['SSO'],
+      requestBody: { contentType: 'application/json', schema: ssoDomainAddSchema },
+      responses: [{ status: 200, description: 'Domain added' }],
+      errors: [
+        { status: 400, description: 'Invalid domain or limit reached' },
+        { status: 404, description: 'Config not found' },
+      ],
+    },
+    DELETE: {
+      summary: 'Remove an allowed domain',
+      description: 'Pass domain as query parameter: ?domain=example.com',
+      tags: ['SSO'],
+      responses: [{ status: 200, description: 'Domain removed' }],
+      errors: [{ status: 404, description: 'Config not found' }],
+    },
+  },
+}

package/src/modules/sso/api/config/[id]/route.ts ADDED Viewed

@@ -0,0 +1,114 @@
+import { NextResponse } from 'next/server'
+import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { SsoConfigService } from '../../../services/ssoConfigService'
+import { ssoConfigAdminUpdateSchema } from '../../../data/validators'
+import { resolveSsoAdminContext } from '../../admin-context'
+import { handleSsoAdminApiError } from '../../error-handler'
+import { ScimToken } from '../../../data/entities'
+import type { EntityManager } from '@mikro-orm/postgresql'
+type RouteContext = { params: Promise<{ id: string }> }
+export const metadata = {
+  GET: { requireAuth: true, requireFeatures: ['sso.config.view'] },
+  PUT: { requireAuth: true, requireFeatures: ['sso.config.manage'] },
+  DELETE: { requireAuth: true, requireFeatures: ['sso.config.manage'] },
+}
+export async function GET(req: Request, ctx: RouteContext) {
+  try {
+    const { id } = await ctx.params
+    const { scope } = await resolveSsoAdminContext(req)
+    const container = await createRequestContainer()
+    const service = container.resolve<SsoConfigService>('ssoConfigService')
+    const config = await service.getById(scope, id)
+    if (!config) {
+      return NextResponse.json({ error: 'SSO configuration not found' }, { status: 404 })
+    }
+    const em = container.resolve<EntityManager>('em')
+    const activeScimCount = await em.count(ScimToken, { ssoConfigId: id, isActive: true })
+    return NextResponse.json({ ...config, hasActiveScimTokens: activeScimCount > 0 })
+  } catch (err) {
+    return handleSsoAdminApiError(err, 'SSO Config API')
+  }
+}
+export async function PUT(req: Request, ctx: RouteContext) {
+  try {
+    const { id } = await ctx.params
+    const { scope } = await resolveSsoAdminContext(req)
+    const body = await req.json()
+    const parsed = ssoConfigAdminUpdateSchema.safeParse(body)
+    if (!parsed.success) {
+      return NextResponse.json({ error: 'Invalid request', details: parsed.error.flatten() }, { status: 400 })
+    }
+    const container = await createRequestContainer()
+    const service = container.resolve<SsoConfigService>('ssoConfigService')
+    const config = await service.update(scope, id, parsed.data)
+    return NextResponse.json(config)
+  } catch (err) {
+    return handleSsoAdminApiError(err, 'SSO Config API')
+  }
+}
+export async function DELETE(req: Request, ctx: RouteContext) {
+  try {
+    const { id } = await ctx.params
+    const { scope } = await resolveSsoAdminContext(req)
+    const container = await createRequestContainer()
+    const service = container.resolve<SsoConfigService>('ssoConfigService')
+    await service.delete(scope, id)
+    return NextResponse.json({ ok: true })
+  } catch (err) {
+    return handleSsoAdminApiError(err, 'SSO Config API')
+  }
+}
+export const openApi: OpenApiRouteDoc = {
+  tag: 'SSO',
+  summary: 'SSO Configuration Detail',
+  methods: {
+    GET: {
+      summary: 'Get SSO configuration by ID',
+      tags: ['SSO'],
+      responses: [{ status: 200, description: 'SSO config detail' }],
+      errors: [
+        { status: 401, description: 'Unauthorized' },
+        { status: 404, description: 'Config not found' },
+      ],
+    },
+    PUT: {
+      summary: 'Update SSO configuration',
+      tags: ['SSO'],
+      requestBody: { contentType: 'application/json', schema: ssoConfigAdminUpdateSchema },
+      responses: [{ status: 200, description: 'SSO config updated' }],
+      errors: [
+        { status: 400, description: 'Invalid input' },
+        { status: 401, description: 'Unauthorized' },
+        { status: 404, description: 'Config not found' },
+        { status: 409, description: 'Conflict — JIT and SCIM are mutually exclusive' },
+      ],
+    },
+    DELETE: {
+      summary: 'Delete SSO configuration',
+      description: 'Soft-deletes the config. Must be deactivated first.',
+      tags: ['SSO'],
+      responses: [{ status: 200, description: 'Config deleted' }],
+      errors: [
+        { status: 400, description: 'Cannot delete active config' },
+        { status: 401, description: 'Unauthorized' },
+        { status: 404, description: 'Config not found' },
+      ],
+    },
+  },
+}

package/src/modules/sso/api/config/[id]/test/route.ts ADDED Viewed

@@ -0,0 +1,44 @@
+import { NextResponse } from 'next/server'
+import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { SsoConfigService } from '../../../../services/ssoConfigService'
+import { resolveSsoAdminContext } from '../../../admin-context'
+import { handleSsoAdminApiError } from '../../../error-handler'
+type RouteContext = { params: Promise<{ id: string }> }
+export const metadata = {
+  POST: { requireAuth: true, requireFeatures: ['sso.config.manage'] },
+}
+export async function POST(req: Request, ctx: RouteContext) {
+  try {
+    const { id } = await ctx.params
+    const { scope } = await resolveSsoAdminContext(req)
+    const container = await createRequestContainer()
+    const service = container.resolve<SsoConfigService>('ssoConfigService')
+    const result = await service.testConnection(scope, id)
+    return NextResponse.json(result)
+  } catch (err) {
+    return handleSsoAdminApiError(err, 'SSO Config API')
+  }
+}
+export const openApi: OpenApiRouteDoc = {
+  tag: 'SSO',
+  summary: 'Test SSO Connection',
+  methods: {
+    POST: {
+      summary: 'Test OIDC discovery',
+      description: 'Verifies that the issuer URL is reachable and returns a valid OIDC discovery document. Does not verify client credentials.',
+      tags: ['SSO'],
+      responses: [{ status: 200, description: 'Test result with ok/error' }],
+      errors: [
+        { status: 401, description: 'Unauthorized' },
+        { status: 404, description: 'Config not found' },
+      ],
+    },
+  },
+}