npm - @open-mercato/enterprise - Versions diffs - 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6 - Mend

@open-mercato/enterprise 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (195) hide show

package/dist/modules/sso/i18n/pl.json ADDED Viewed

@@ -0,0 +1,146 @@
+{
+  "common.activating": "Aktywowanie...",
+  "common.add": "Dodaj",
+  "common.back": "Wstecz",
+  "common.cancel": "Anuluj",
+  "common.copied": "Skopiowano do schowka",
+  "common.copy": "Kopiuj",
+  "common.create": "Utwórz",
+  "common.creating": "Tworzenie...",
+  "common.delete": "Usuń",
+  "common.disabled": "Wyłączone",
+  "common.dismiss": "Zamknij",
+  "common.edit": "Edytuj",
+  "common.enabled": "Włączone",
+  "common.loading": "Ładowanie...",
+  "common.next": "Dalej",
+  "common.notFound": "Nie znaleziono",
+  "common.remove": "Usuń",
+  "common.save": "Zapisz",
+  "common.saving": "Zapisywanie...",
+  "settings.sections.auth": "Autoryzacja",
+  "sso.admin.action.activate": "Aktywuj",
+  "sso.admin.action.deactivate": "Dezaktywuj",
+  "sso.admin.action.test": "Zweryfikuj Discovery",
+  "sso.admin.activated": "Konfiguracja SSO aktywowana",
+  "sso.admin.activity.empty": "Brak aktywności logowania SSO. Aktywność pojawi się tutaj, gdy użytkownicy zaczną logować się przez SSO.",
+  "sso.admin.banner.activateNow": "Aktywuj teraz",
+  "sso.admin.banner.created": "Konfiguracja SSO została utworzona. Czy chcesz ją teraz aktywować?",
+  "sso.admin.banner.notYet": "Jeszcze nie",
+  "sso.admin.column.created": "Utworzono",
+  "sso.admin.column.domains": "Domeny",
+  "sso.admin.column.name": "Nazwa",
+  "sso.admin.column.protocol": "Protokół",
+  "sso.admin.column.status": "Status",
+  "sso.admin.create.title": "Skonfiguruj SSO",
+  "sso.admin.created": "Konfiguracja SSO została utworzona",
+  "sso.admin.deactivated": "Konfiguracja SSO dezaktywowana",
+  "sso.admin.delete.confirm": "Czy na pewno? Spowoduje to usunięcie konfiguracji SSO. Użytkownicy z powiązanymi tożsamościami SSO będą musieli logować się hasłem.",
+  "sso.admin.delete.success": "Konfiguracja SSO została usunięta",
+  "sso.admin.delete.title": "Usuń konfigurację SSO",
+  "sso.admin.detail.backToList": "Powrót do SSO",
+  "sso.admin.detail.title": "Konfiguracja SSO",
+  "sso.admin.domains.empty": "Brak skonfigurowanych domen. Dodaj co najmniej jedną domenę przed aktywacją SSO.",
+  "sso.admin.empty.cta": "Skonfiguruj SSO",
+  "sso.admin.empty.description": "Skonfiguruj Single Sign-On, aby umożliwić użytkownikom logowanie przez dostawcę tożsamości.",
+  "sso.admin.empty.title": "Brak konfiguracji SSO",
+  "sso.admin.error.activationFailed": "Nie udało się zmienić statusu aktywacji",
+  "sso.admin.error.alreadyExists": "Konfiguracja SSO już istnieje dla tej organizacji",
+  "sso.admin.error.createFailed": "Nie udało się utworzyć konfiguracji SSO",
+  "sso.admin.error.deleteActive": "Nie można usunąć aktywnej konfiguracji SSO — najpierw ją dezaktywuj",
+  "sso.admin.error.deleteFailed": "Nie udało się usunąć konfiguracji SSO",
+  "sso.admin.error.domainAddFailed": "Nie udało się dodać domeny",
+  "sso.admin.error.domainRemoveFailed": "Nie udało się usunąć domeny",
+  "sso.admin.error.loadFailed": "Nie udało się załadować konfiguracji SSO",
+  "sso.admin.error.noDomainsForActivation": "Dodaj co najmniej jedną dozwoloną domenę e-mail przed aktywacją",
+  "sso.admin.error.saveFailed": "Nie udało się zapisać konfiguracji SSO",
+  "sso.admin.error.testFailed": "Test połączenia nie powiódł się",
+  "sso.admin.field.autoLinkByEmail": "Automatyczne łączenie po e-mailu",
+  "sso.admin.field.autoLinkByEmailDesc": "Automatycznie łącz istniejących użytkowników po adresie e-mail",
+  "sso.admin.field.changeSecret": "Zmień",
+  "sso.admin.field.clientId": "Client ID",
+  "sso.admin.field.clientSecret": "Client Secret",
+  "sso.admin.field.issuer": "Adres URL wystawcy",
+  "sso.admin.field.jitDisabledByScim": "Niedostępne — synchronizacja katalogów SCIM jest aktywna. Odwołaj tokeny SCIM, aby włączyć JIT.",
+  "sso.admin.field.jitEnabled": "Provisioning Just-in-Time",
+  "sso.admin.field.jitEnabledDesc": "Automatycznie twórz konta użytkowników przy pierwszym logowaniu SSO",
+  "sso.admin.field.name": "Nazwa konfiguracji",
+  "sso.admin.field.protocol": "Protokół",
+  "sso.admin.field.secretPlaceholder": "Wprowadź nowy secret, aby zastąpić istniejący",
+  "sso.admin.field.secretRequired": "Wprowadź client secret",
+  "sso.admin.field.secretSet": "Client secret jest skonfigurowany",
+  "sso.admin.new": "Nowa konfiguracja SSO",
+  "sso.admin.roles.description": "Mapuj nazwy ról IdP na lokalne role. Przy każdym logowaniu SSO role źródłowe SSO są synchronizowane — role nieotrzymane od IdP są usuwane, role przypisane ręcznie są zachowane.",
+  "sso.admin.roles.empty": "Brak skonfigurowanych mapowań ról. Nazwy ról IdP będą dopasowywane bezpośrednio do nazw lokalnych ról.",
+  "sso.admin.roles.error.duplicate": "Ta rola IdP jest już zmapowana",
+  "sso.admin.roles.error.emptyIdpRole": "Nazwa roli IdP jest wymagana",
+  "sso.admin.roles.error.emptyLocalRole": "Wybierz lokalną rolę",
+  "sso.admin.roles.error.saveFailed": "Nie udało się zapisać mapowań ról",
+  "sso.admin.roles.idpRole": "Nazwa roli IdP",
+  "sso.admin.roles.idpRolePlaceholder": "np. OpenMercato.Admin",
+  "sso.admin.roles.localRole": "Lokalna rola",
+  "sso.admin.roles.saved": "Mapowania ról zapisane",
+  "sso.admin.saved": "Konfiguracja SSO zapisana",
+  "sso.admin.scim.endpointCopied": "Adres URL endpointu SCIM skopiowany",
+  "sso.admin.scim.endpointUrl": "Adres URL endpointu SCIM",
+  "sso.admin.scim.error.createFailed": "Nie udało się utworzyć tokena SCIM",
+  "sso.admin.scim.error.revokeFailed": "Nie udało się odwołać tokena",
+  "sso.admin.scim.generateToken": "Wygeneruj token",
+  "sso.admin.scim.googleNotSupported": "Google Workspace nie obsługuje provisioningu SCIM. Użytkownicy są tworzeni przez Just-In-Time (JIT) przy pierwszym logowaniu.",
+  "sso.admin.scim.jitActiveWarning": "Provisioning SCIM jest niedostępny, gdy provisioning JIT jest włączony. Wyłącz JIT w zakładce Ogólne, aby skonfigurować SCIM.",
+  "sso.admin.scim.log.error": "Błąd",
+  "sso.admin.scim.log.operation": "Operacja",
+  "sso.admin.scim.log.resource": "Zasób",
+  "sso.admin.scim.log.status": "Status",
+  "sso.admin.scim.log.time": "Czas",
+  "sso.admin.scim.noTokens": "Provisioning SCIM nie jest skonfigurowany. Wygeneruj token bearer, aby umożliwić dostawcy tożsamości automatyczną synchronizację użytkowników.",
+  "sso.admin.scim.recentActivity": "Ostatnia aktywność provisioningu",
+  "sso.admin.scim.revoke.action": "Odwołaj",
+  "sso.admin.scim.revoke.confirm": "Czy na pewno? Ten token nie będzie już uwierzytelniał żądań SCIM.",
+  "sso.admin.scim.revoke.title": "Odwołaj token",
+  "sso.admin.scim.revoked": "Token odwołany",
+  "sso.admin.scim.tokenActive": "Aktywny",
+  "sso.admin.scim.tokenCopied": "Token skopiowany do schowka",
+  "sso.admin.scim.tokenCreated": "Twój token SCIM został utworzony. Skopiuj go teraz — nie będzie ponownie wyświetlony.",
+  "sso.admin.scim.tokenNamePlaceholder": "Nazwa tokena (np. Entra ID Produkcja)",
+  "sso.admin.scim.tokenRevoked": "Odwołany",
+  "sso.admin.scim.tokens": "Tokeny Bearer",
+  "sso.admin.search": "Szukaj po nazwie lub wystawcy...",
+  "sso.admin.section.allowedDomains": "Dozwolone domeny",
+  "sso.admin.section.oidcSettings": "Ustawienia OIDC",
+  "sso.admin.status.active": "Aktywny",
+  "sso.admin.status.inactive": "Nieaktywny",
+  "sso.admin.tab.activity": "Aktywność",
+  "sso.admin.tab.domains": "Domeny",
+  "sso.admin.tab.general": "Ogólne",
+  "sso.admin.tab.roles": "Mapowanie ról",
+  "sso.admin.tab.scim": "Provisioning",
+  "sso.admin.test.failed": "Weryfikacja Discovery nie powiodła się",
+  "sso.admin.test.success": "Weryfikacja Discovery udana — wystawca jest osiągalny",
+  "sso.admin.title": "Single Sign-On",
+  "sso.admin.wizard.credentials.callbackUrl": "Redirect URI (skopiuj do swojego IdP)",
+  "sso.admin.wizard.credentials.namePlaceholder": "np. Zitadel Produkcja",
+  "sso.admin.wizard.credentials.title": "Dane uwierzytelniające OIDC",
+  "sso.admin.wizard.domain.duplicate": "Domena już dodana",
+  "sso.admin.wizard.domain.invalid": "Nieprawidłowy format domeny",
+  "sso.admin.wizard.domain.limit": "Maksymalnie 20 domen na konfigurację",
+  "sso.admin.wizard.domains.description": "Użytkownicy z adresami e-mail pasującymi do tych domen będą przekierowywani do dostawcy SSO.",
+  "sso.admin.wizard.domains.placeholder": "example.com",
+  "sso.admin.wizard.domains.title": "Dozwolone domeny e-mail",
+  "sso.admin.wizard.options.title": "Opcje",
+  "sso.admin.wizard.protocol.oidcDesc": "Działa z Zitadel, Microsoft Entra ID, Google Workspace, Okta i innymi",
+  "sso.admin.wizard.protocol.samlDesc": "Wkrótce",
+  "sso.admin.wizard.protocol.title": "Wybierz protokół",
+  "sso.admin.wizard.review.note": "Konfiguracja zostanie utworzona jako nieaktywna. Możesz ją aktywować na stronie szczegółów po zweryfikowaniu poprawności ustawień.",
+  "sso.admin.wizard.review.save": "Utwórz konfigurację",
+  "sso.admin.wizard.review.testing": "Testowanie...",
+  "sso.admin.wizard.review.title": "Przegląd i zapis",
+  "sso.login.continueWithSso": "Kontynuuj przez SSO",
+  "sso.login.errors.emailNotVerified": "Twój adres e-mail nie został zweryfikowany przez dostawcę tożsamości. Zweryfikuj swój e-mail i spróbuj ponownie.",
+  "sso.login.errors.failed": "Logowanie SSO nie powiodło się. Spróbuj ponownie.",
+  "sso.login.errors.idpError": "Dostawca tożsamości zwrócił błąd. Spróbuj ponownie lub skontaktuj się z administratorem.",
+  "sso.login.errors.missingConfig": "SSO nie jest skonfigurowane dla tego konta.",
+  "sso.login.errors.missingParams": "Callback SSO był niekompletny. Spróbuj ponownie.",
+  "sso.login.errors.stateMissing": "Sesja SSO wygasła. Spróbuj ponownie.",
+  "sso.login.ssoEnabled": "SSO jest włączone dla tego konta"
+}

package/dist/modules/sso/index.js ADDED Viewed

@@ -0,0 +1,11 @@
+const metadata = {
+  id: "sso",
+  version: "0.1.0",
+  enterprise: true
+};
+import { features } from "./acl.js";
+export {
+  features,
+  metadata
+};
+//# sourceMappingURL=index.js.map

package/dist/modules/sso/index.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/modules/sso/index.ts"],
+  "sourcesContent": ["export const metadata = {\n  id: 'sso',\n  version: '0.1.0',\n  enterprise: true,\n} as const\n\nexport { features } from './acl'\n"],
+  "mappings": "AAAO,MAAM,WAAW;AAAA,EACtB,IAAI;AAAA,EACJ,SAAS;AAAA,EACT,YAAY;AACd;AAEA,SAAS,gBAAgB;",
+  "names": []
+}

package/dist/modules/sso/lib/domains.js ADDED Viewed

@@ -0,0 +1,30 @@
+const DOMAIN_REGEX = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/;
+const MAX_DOMAINS_PER_CONFIG = 20;
+function normalizeDomain(domain) {
+  return domain.trim().toLowerCase();
+}
+function validateDomain(domain) {
+  const normalized = normalizeDomain(domain);
+  if (!normalized) return { valid: false, error: "Domain cannot be empty" };
+  if (normalized.length > 253) return { valid: false, error: "Domain exceeds maximum length of 253 characters" };
+  if (!DOMAIN_REGEX.test(normalized)) return { valid: false, error: "Invalid domain format \u2014 only DNS hostnames are accepted" };
+  if (!normalized.includes(".")) return { valid: false, error: "Domain must include at least one dot (e.g., example.com)" };
+  return { valid: true };
+}
+function uniqueDomains(domains) {
+  return [...new Set(domains.map(normalizeDomain).filter(Boolean))];
+}
+function checkDomainLimit(currentCount, adding) {
+  if (currentCount + adding > MAX_DOMAINS_PER_CONFIG) {
+    return { ok: false, error: `Maximum ${MAX_DOMAINS_PER_CONFIG} domains per SSO configuration` };
+  }
+  return { ok: true };
+}
+export {
+  MAX_DOMAINS_PER_CONFIG,
+  checkDomainLimit,
+  normalizeDomain,
+  uniqueDomains,
+  validateDomain
+};
+//# sourceMappingURL=domains.js.map

package/dist/modules/sso/lib/domains.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/lib/domains.ts"],
+  "sourcesContent": ["const DOMAIN_REGEX = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/\n\nconst MAX_DOMAINS_PER_CONFIG = 20\n\nexport function normalizeDomain(domain: string): string {\n  return domain.trim().toLowerCase()\n}\n\nexport function validateDomain(domain: string): { valid: boolean; error?: string } {\n  const normalized = normalizeDomain(domain)\n\n  if (!normalized) return { valid: false, error: 'Domain cannot be empty' }\n  if (normalized.length > 253) return { valid: false, error: 'Domain exceeds maximum length of 253 characters' }\n  if (!DOMAIN_REGEX.test(normalized)) return { valid: false, error: 'Invalid domain format \u2014 only DNS hostnames are accepted' }\n  if (!normalized.includes('.')) return { valid: false, error: 'Domain must include at least one dot (e.g., example.com)' }\n\n  return { valid: true }\n}\n\nexport function uniqueDomains(domains: string[]): string[] {\n  return [...new Set(domains.map(normalizeDomain).filter(Boolean))]\n}\n\nexport function checkDomainLimit(currentCount: number, adding: number): { ok: boolean; error?: string } {\n  if (currentCount + adding > MAX_DOMAINS_PER_CONFIG) {\n    return { ok: false, error: `Maximum ${MAX_DOMAINS_PER_CONFIG} domains per SSO configuration` }\n  }\n  return { ok: true }\n}\n\nexport { MAX_DOMAINS_PER_CONFIG }\n"],
+  "mappings": "AAAA,MAAM,eAAe;AAErB,MAAM,yBAAyB;AAExB,SAAS,gBAAgB,QAAwB;AACtD,SAAO,OAAO,KAAK,EAAE,YAAY;AACnC;AAEO,SAAS,eAAe,QAAoD;AACjF,QAAM,aAAa,gBAAgB,MAAM;AAEzC,MAAI,CAAC,WAAY,QAAO,EAAE,OAAO,OAAO,OAAO,yBAAyB;AACxE,MAAI,WAAW,SAAS,IAAK,QAAO,EAAE,OAAO,OAAO,OAAO,kDAAkD;AAC7G,MAAI,CAAC,aAAa,KAAK,UAAU,EAAG,QAAO,EAAE,OAAO,OAAO,OAAO,+DAA0D;AAC5H,MAAI,CAAC,WAAW,SAAS,GAAG,EAAG,QAAO,EAAE,OAAO,OAAO,OAAO,2DAA2D;AAExH,SAAO,EAAE,OAAO,KAAK;AACvB;AAEO,SAAS,cAAc,SAA6B;AACzD,SAAO,CAAC,GAAG,IAAI,IAAI,QAAQ,IAAI,eAAe,EAAE,OAAO,OAAO,CAAC,CAAC;AAClE;AAEO,SAAS,iBAAiB,cAAsB,QAAiD;AACtG,MAAI,eAAe,SAAS,wBAAwB;AAClD,WAAO,EAAE,IAAI,OAAO,OAAO,WAAW,sBAAsB,iCAAiC;AAAA,EAC/F;AACA,SAAO,EAAE,IAAI,KAAK;AACpB;",
+  "names": []
+}

package/dist/modules/sso/lib/oidc-provider.js ADDED Viewed

@@ -0,0 +1,140 @@
+import * as client from "openid-client";
+class OidcProvider {
+  constructor() {
+    this.protocol = "oidc";
+  }
+  async buildAuthUrl(config, params) {
+    const oidcConfig = await this.discover(config, params.clientSecret);
+    const codeChallenge = params.codeVerifier ? await client.calculatePKCECodeChallenge(params.codeVerifier) : void 0;
+    const authUrl = client.buildAuthorizationUrl(oidcConfig, {
+      redirect_uri: params.redirectUri,
+      scope: "openid email profile",
+      state: params.state,
+      nonce: params.nonce,
+      ...codeChallenge ? { code_challenge: codeChallenge, code_challenge_method: "S256" } : {}
+    });
+    return authUrl.href;
+  }
+  async handleCallback(config, params) {
+    const oidcConfig = await this.discover(config, params.clientSecret);
+    const callbackUrl = new URL(params.redirectUri);
+    for (const [key, value] of Object.entries(params.callbackParams)) {
+      callbackUrl.searchParams.set(key, value);
+    }
+    const tokens = await client.authorizationCodeGrant(oidcConfig, callbackUrl, {
+      pkceCodeVerifier: params.codeVerifier,
+      expectedState: params.expectedState,
+      expectedNonce: params.expectedNonce
+    });
+    const claims = tokens.claims();
+    if (!claims) {
+      throw new Error("No ID token claims received from IdP");
+    }
+    const mergedClaims = await mergeWithUserInfoClaims(oidcConfig, tokens, claims);
+    const subject = String(mergedClaims.sub ?? claims.sub ?? "");
+    const rawEmail = mergedClaims.email;
+    const upnCandidate = mergedClaims.upn ?? mergedClaims.unique_name;
+    const upnAsEmail = typeof upnCandidate === "string" && upnCandidate.includes("@") ? upnCandidate : void 0;
+    const email = rawEmail ?? upnAsEmail;
+    if (!email) {
+      throw new Error("IdP did not return an email claim (checked: email, upn, unique_name)");
+    }
+    const emailVerified = mergedClaims.email_verified === true;
+    const groups = extractIdentityGroups(mergedClaims);
+    return {
+      subject,
+      email,
+      emailVerified,
+      name: mergedClaims.name ?? void 0,
+      groups
+    };
+  }
+  async validateConfig(config, params) {
+    try {
+      await this.discover(config, params?.clientSecret);
+      return { ok: true };
+    } catch (err) {
+      return {
+        ok: false,
+        error: err instanceof Error ? err.message : "Discovery failed"
+      };
+    }
+  }
+  async discover(config, clientSecret) {
+    if (!config.issuer) {
+      throw new Error("SSO config is missing issuer URL");
+    }
+    if (!config.clientId) {
+      throw new Error("SSO config is missing client ID");
+    }
+    return client.discovery(
+      new URL(config.issuer),
+      config.clientId,
+      clientSecret ?? void 0
+    );
+  }
+}
+async function mergeWithUserInfoClaims(oidcConfig, tokens, claims) {
+  const accessToken = tokens.access_token;
+  if (!accessToken) return claims;
+  try {
+    const userInfo = await client.fetchUserInfo(
+      oidcConfig,
+      accessToken,
+      client.skipSubjectCheck
+    );
+    return { ...userInfo, ...claims };
+  } catch {
+    return claims;
+  }
+}
+function extractIdentityGroups(claims) {
+  const groups = /* @__PURE__ */ new Set();
+  const add = (value) => {
+    for (const group of coerceClaimValues(value)) {
+      groups.add(group);
+    }
+  };
+  add(claims.groups);
+  add(claims.roles);
+  add(claims.role);
+  for (const [key, value] of Object.entries(claims)) {
+    if (!key.endsWith(":roles")) continue;
+    add(value);
+  }
+  return groups.size > 0 ? Array.from(groups) : void 0;
+}
+function coerceClaimValues(value) {
+  if (typeof value === "string") {
+    const normalized = value.trim();
+    return normalized ? [normalized] : [];
+  }
+  if (Array.isArray(value)) {
+    return value.flatMap((entry) => coerceClaimValues(entry));
+  }
+  if (value && typeof value === "object") {
+    const entries = Object.entries(value);
+    const out = /* @__PURE__ */ new Set();
+    for (const [key, nested] of entries) {
+      const normalizedKey = key.trim();
+      if (normalizedKey) out.add(normalizedKey);
+      if (typeof nested === "string") {
+        const normalizedNested = nested.trim();
+        if (normalizedNested) out.add(normalizedNested);
+      } else if (nested && typeof nested === "object") {
+        const nestedName = nested.name;
+        if (typeof nestedName === "string" && nestedName.trim()) {
+          out.add(nestedName.trim());
+        }
+      }
+    }
+    return Array.from(out);
+  }
+  return [];
+}
+export {
+  OidcProvider,
+  coerceClaimValues,
+  extractIdentityGroups
+};
+//# sourceMappingURL=oidc-provider.js.map

package/dist/modules/sso/lib/oidc-provider.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/lib/oidc-provider.ts"],
+  "sourcesContent": ["import * as client from 'openid-client'\nimport type { SsoConfig } from '../data/entities'\nimport type { SsoIdentityPayload, SsoProtocolProvider } from './types'\n\nexport class OidcProvider implements SsoProtocolProvider {\n  readonly protocol = 'oidc' as const\n\n  async buildAuthUrl(\n    config: SsoConfig,\n    params: {\n      state: string\n      nonce: string\n      redirectUri: string\n      codeVerifier?: string\n      clientSecret?: string\n    },\n  ): Promise<string> {\n    const oidcConfig = await this.discover(config, params.clientSecret)\n\n    const codeChallenge = params.codeVerifier\n      ? await client.calculatePKCECodeChallenge(params.codeVerifier)\n      : undefined\n\n    const authUrl = client.buildAuthorizationUrl(oidcConfig, {\n      redirect_uri: params.redirectUri,\n      scope: 'openid email profile',\n      state: params.state,\n      nonce: params.nonce,\n      ...(codeChallenge\n        ? { code_challenge: codeChallenge, code_challenge_method: 'S256' }\n        : {}),\n    })\n\n    return authUrl.href\n  }\n\n  async handleCallback(\n    config: SsoConfig,\n    params: {\n      callbackParams: Record<string, string>\n      redirectUri: string\n      expectedState: string\n      expectedNonce: string\n      codeVerifier?: string\n      clientSecret?: string\n    },\n  ): Promise<SsoIdentityPayload> {\n    const oidcConfig = await this.discover(config, params.clientSecret)\n\n    const callbackUrl = new URL(params.redirectUri)\n    for (const [key, value] of Object.entries(params.callbackParams)) {\n      callbackUrl.searchParams.set(key, value)\n    }\n\n    const tokens = await client.authorizationCodeGrant(oidcConfig, callbackUrl, {\n      pkceCodeVerifier: params.codeVerifier,\n      expectedState: params.expectedState,\n      expectedNonce: params.expectedNonce,\n    })\n\n    const claims = tokens.claims()\n    if (!claims) {\n      throw new Error('No ID token claims received from IdP')\n    }\n\n    const mergedClaims = await mergeWithUserInfoClaims(oidcConfig, tokens, claims)\n\n    const subject = String(mergedClaims.sub ?? claims.sub ?? '')\n    const rawEmail = mergedClaims.email as string | undefined\n    const upnCandidate = (mergedClaims.upn ?? mergedClaims.unique_name) as string | undefined\n    const upnAsEmail = typeof upnCandidate === 'string' && upnCandidate.includes('@') ? upnCandidate : undefined\n    const email = rawEmail ?? upnAsEmail\n    if (!email) {\n      throw new Error('IdP did not return an email claim (checked: email, upn, unique_name)')\n    }\n\n    const emailVerified = mergedClaims.email_verified === true\n    const groups = extractIdentityGroups(mergedClaims)\n\n  \n\n    return {\n      subject,\n      email,\n      emailVerified,\n      name: (mergedClaims.name as string) ?? undefined,\n      groups,\n    }\n  }\n\n  async validateConfig(\n    config: SsoConfig,\n    params?: { clientSecret?: string },\n  ): Promise<{ ok: boolean; error?: string }> {\n    try {\n      await this.discover(config, params?.clientSecret)\n      return { ok: true }\n    } catch (err) {\n      return {\n        ok: false,\n        error: err instanceof Error ? err.message : 'Discovery failed',\n      }\n    }\n  }\n\n  private async discover(\n    config: SsoConfig,\n    clientSecret?: string,\n  ): Promise<client.Configuration> {\n    if (!config.issuer) {\n      throw new Error('SSO config is missing issuer URL')\n    }\n    if (!config.clientId) {\n      throw new Error('SSO config is missing client ID')\n    }\n\n    return client.discovery(\n      new URL(config.issuer),\n      config.clientId,\n      clientSecret ?? undefined,\n    )\n  }\n}\n\nasync function mergeWithUserInfoClaims(\n  oidcConfig: client.Configuration,\n  tokens: client.TokenEndpointResponse,\n  claims: Record<string, unknown>,\n): Promise<Record<string, unknown>> {\n  const accessToken = tokens.access_token\n  if (!accessToken) return claims\n\n  try {\n    const userInfo = await client.fetchUserInfo(\n      oidcConfig,\n      accessToken,\n      client.skipSubjectCheck,\n    )\n    return { ...(userInfo as Record<string, unknown>), ...claims }\n  } catch {\n    return claims\n  }\n}\n\nexport function extractIdentityGroups(claims: Record<string, unknown>): string[] | undefined {\n  const groups = new Set<string>()\n\n  const add = (value: unknown) => {\n    for (const group of coerceClaimValues(value)) {\n      groups.add(group)\n    }\n  }\n\n  add(claims.groups)\n  add(claims.roles)\n  add(claims.role)\n\n  for (const [key, value] of Object.entries(claims)) {\n    if (!key.endsWith(':roles')) continue\n    add(value)\n  }\n\n  return groups.size > 0 ? Array.from(groups) : undefined\n}\n\nexport function coerceClaimValues(value: unknown): string[] {\n  if (typeof value === 'string') {\n    const normalized = value.trim()\n    return normalized ? [normalized] : []\n  }\n\n  if (Array.isArray(value)) {\n    return value.flatMap((entry) => coerceClaimValues(entry))\n  }\n\n  if (value && typeof value === 'object') {\n    const entries = Object.entries(value as Record<string, unknown>)\n    const out = new Set<string>()\n    for (const [key, nested] of entries) {\n      const normalizedKey = key.trim()\n      if (normalizedKey) out.add(normalizedKey)\n      if (typeof nested === 'string') {\n        const normalizedNested = nested.trim()\n        if (normalizedNested) out.add(normalizedNested)\n      } else if (nested && typeof nested === 'object') {\n        const nestedName = (nested as Record<string, unknown>).name\n        if (typeof nestedName === 'string' && nestedName.trim()) {\n          out.add(nestedName.trim())\n        }\n      }\n    }\n    return Array.from(out)\n  }\n\n  return []\n}\n"],
+  "mappings": "AAAA,YAAY,YAAY;AAIjB,MAAM,aAA4C;AAAA,EAAlD;AACL,SAAS,WAAW;AAAA;AAAA,EAEpB,MAAM,aACJ,QACA,QAOiB;AACjB,UAAM,aAAa,MAAM,KAAK,SAAS,QAAQ,OAAO,YAAY;AAElE,UAAM,gBAAgB,OAAO,eACzB,MAAM,OAAO,2BAA2B,OAAO,YAAY,IAC3D;AAEJ,UAAM,UAAU,OAAO,sBAAsB,YAAY;AAAA,MACvD,cAAc,OAAO;AAAA,MACrB,OAAO;AAAA,MACP,OAAO,OAAO;AAAA,MACd,OAAO,OAAO;AAAA,MACd,GAAI,gBACA,EAAE,gBAAgB,eAAe,uBAAuB,OAAO,IAC/D,CAAC;AAAA,IACP,CAAC;AAED,WAAO,QAAQ;AAAA,EACjB;AAAA,EAEA,MAAM,eACJ,QACA,QAQ6B;AAC7B,UAAM,aAAa,MAAM,KAAK,SAAS,QAAQ,OAAO,YAAY;AAElE,UAAM,cAAc,IAAI,IAAI,OAAO,WAAW;AAC9C,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,cAAc,GAAG;AAChE,kBAAY,aAAa,IAAI,KAAK,KAAK;AAAA,IACzC;AAEA,UAAM,SAAS,MAAM,OAAO,uBAAuB,YAAY,aAAa;AAAA,MAC1E,kBAAkB,OAAO;AAAA,MACzB,eAAe,OAAO;AAAA,MACtB,eAAe,OAAO;AAAA,IACxB,CAAC;AAED,UAAM,SAAS,OAAO,OAAO;AAC7B,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI,MAAM,sCAAsC;AAAA,IACxD;AAEA,UAAM,eAAe,MAAM,wBAAwB,YAAY,QAAQ,MAAM;AAE7E,UAAM,UAAU,OAAO,aAAa,OAAO,OAAO,OAAO,EAAE;AAC3D,UAAM,WAAW,aAAa;AAC9B,UAAM,eAAgB,aAAa,OAAO,aAAa;AACvD,UAAM,aAAa,OAAO,iBAAiB,YAAY,aAAa,SAAS,GAAG,IAAI,eAAe;AACnG,UAAM,QAAQ,YAAY;AAC1B,QAAI,CAAC,OAAO;AACV,YAAM,IAAI,MAAM,sEAAsE;AAAA,IACxF;AAEA,UAAM,gBAAgB,aAAa,mBAAmB;AACtD,UAAM,SAAS,sBAAsB,YAAY;AAIjD,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA,MAAO,aAAa,QAAmB;AAAA,MACvC;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,eACJ,QACA,QAC0C;AAC1C,QAAI;AACF,YAAM,KAAK,SAAS,QAAQ,QAAQ,YAAY;AAChD,aAAO,EAAE,IAAI,KAAK;AAAA,IACpB,SAAS,KAAK;AACZ,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,OAAO,eAAe,QAAQ,IAAI,UAAU;AAAA,MAC9C;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAc,SACZ,QACA,cAC+B;AAC/B,QAAI,CAAC,OAAO,QAAQ;AAClB,YAAM,IAAI,MAAM,kCAAkC;AAAA,IACpD;AACA,QAAI,CAAC,OAAO,UAAU;AACpB,YAAM,IAAI,MAAM,iCAAiC;AAAA,IACnD;AAEA,WAAO,OAAO;AAAA,MACZ,IAAI,IAAI,OAAO,MAAM;AAAA,MACrB,OAAO;AAAA,MACP,gBAAgB;AAAA,IAClB;AAAA,EACF;AACF;AAEA,eAAe,wBACb,YACA,QACA,QACkC;AAClC,QAAM,cAAc,OAAO;AAC3B,MAAI,CAAC,YAAa,QAAO;AAEzB,MAAI;AACF,UAAM,WAAW,MAAM,OAAO;AAAA,MAC5B;AAAA,MACA;AAAA,MACA,OAAO;AAAA,IACT;AACA,WAAO,EAAE,GAAI,UAAsC,GAAG,OAAO;AAAA,EAC/D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,sBAAsB,QAAuD;AAC3F,QAAM,SAAS,oBAAI,IAAY;AAE/B,QAAM,MAAM,CAAC,UAAmB;AAC9B,eAAW,SAAS,kBAAkB,KAAK,GAAG;AAC5C,aAAO,IAAI,KAAK;AAAA,IAClB;AAAA,EACF;AAEA,MAAI,OAAO,MAAM;AACjB,MAAI,OAAO,KAAK;AAChB,MAAI,OAAO,IAAI;AAEf,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,MAAM,GAAG;AACjD,QAAI,CAAC,IAAI,SAAS,QAAQ,EAAG;AAC7B,QAAI,KAAK;AAAA,EACX;AAEA,SAAO,OAAO,OAAO,IAAI,MAAM,KAAK,MAAM,IAAI;AAChD;AAEO,SAAS,kBAAkB,OAA0B;AAC1D,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,aAAa,MAAM,KAAK;AAC9B,WAAO,aAAa,CAAC,UAAU,IAAI,CAAC;AAAA,EACtC;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,QAAQ,CAAC,UAAU,kBAAkB,KAAK,CAAC;AAAA,EAC1D;AAEA,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,UAAM,UAAU,OAAO,QAAQ,KAAgC;AAC/D,UAAM,MAAM,oBAAI,IAAY;AAC5B,eAAW,CAAC,KAAK,MAAM,KAAK,SAAS;AACnC,YAAM,gBAAgB,IAAI,KAAK;AAC/B,UAAI,cAAe,KAAI,IAAI,aAAa;AACxC,UAAI,OAAO,WAAW,UAAU;AAC9B,cAAM,mBAAmB,OAAO,KAAK;AACrC,YAAI,iBAAkB,KAAI,IAAI,gBAAgB;AAAA,MAChD,WAAW,UAAU,OAAO,WAAW,UAAU;AAC/C,cAAM,aAAc,OAAmC;AACvD,YAAI,OAAO,eAAe,YAAY,WAAW,KAAK,GAAG;AACvD,cAAI,IAAI,WAAW,KAAK,CAAC;AAAA,QAC3B;AAAA,MACF;AAAA,IACF;AACA,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB;AAEA,SAAO,CAAC;AACV;",
+  "names": []
+}

package/dist/modules/sso/lib/registry.js ADDED Viewed

@@ -0,0 +1,15 @@
+class SsoProviderRegistry {
+  constructor() {
+    this.providers = /* @__PURE__ */ new Map();
+  }
+  register(provider) {
+    this.providers.set(provider.protocol, provider);
+  }
+  resolve(protocol) {
+    return this.providers.get(protocol);
+  }
+}
+export {
+  SsoProviderRegistry
+};
+//# sourceMappingURL=registry.js.map

package/dist/modules/sso/lib/registry.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/lib/registry.ts"],
+  "sourcesContent": ["import type { SsoProtocolProvider } from './types'\n\nexport class SsoProviderRegistry {\n  private providers = new Map<string, SsoProtocolProvider>()\n\n  register(provider: SsoProtocolProvider): void {\n    this.providers.set(provider.protocol, provider)\n  }\n\n  resolve(protocol: string): SsoProtocolProvider | undefined {\n    return this.providers.get(protocol)\n  }\n}\n"],
+  "mappings": "AAEO,MAAM,oBAAoB;AAAA,EAA1B;AACL,SAAQ,YAAY,oBAAI,IAAiC;AAAA;AAAA,EAEzD,SAAS,UAAqC;AAC5C,SAAK,UAAU,IAAI,SAAS,UAAU,QAAQ;AAAA,EAChD;AAAA,EAEA,QAAQ,UAAmD;AACzD,WAAO,KAAK,UAAU,IAAI,QAAQ;AAAA,EACpC;AACF;",
+  "names": []
+}

package/dist/modules/sso/lib/scim-filter.js ADDED Viewed

@@ -0,0 +1,43 @@
+function parseScimFilter(filter) {
+  if (!filter || !filter.trim()) return [];
+  const conditions = [];
+  const parts = filter.split(/\s+and\s+/i);
+  for (const part of parts) {
+    const match = part.trim().match(/^(\S+)\s+eq\s+"([^"]*)"$/i);
+    if (!match) continue;
+    const [, attribute, value] = match;
+    const normalizedAttr = attribute.toLowerCase();
+    const allowed = ["username", "externalid", "displayname", "active"];
+    if (!allowed.includes(normalizedAttr)) continue;
+    conditions.push({ attribute: normalizedAttr, value });
+  }
+  return conditions;
+}
+function scimFilterToWhere(conditions, ssoConfigId, organizationId) {
+  const where = {
+    ssoConfigId,
+    organizationId,
+    deletedAt: null
+  };
+  for (const { attribute, value } of conditions) {
+    switch (attribute) {
+      case "username":
+        where.idpEmail = value;
+        break;
+      case "externalid":
+        where.externalId = value;
+        break;
+      case "displayname":
+        where.idpName = value;
+        break;
+      case "active":
+        break;
+    }
+  }
+  return where;
+}
+export {
+  parseScimFilter,
+  scimFilterToWhere
+};
+//# sourceMappingURL=scim-filter.js.map

package/dist/modules/sso/lib/scim-filter.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/lib/scim-filter.ts"],
+  "sourcesContent": ["/**\n * Minimal SCIM filter parser supporting `eq` operator with `and` combinator.\n * Supports: userName, externalId, displayName, active\n */\n\nexport interface ScimFilterCondition {\n  attribute: string\n  value: string\n}\n\nexport function parseScimFilter(filter: string | null | undefined): ScimFilterCondition[] {\n  if (!filter || !filter.trim()) return []\n\n  const conditions: ScimFilterCondition[] = []\n  const parts = filter.split(/\\s+and\\s+/i)\n\n  for (const part of parts) {\n    const match = part.trim().match(/^(\\S+)\\s+eq\\s+\"([^\"]*)\"$/i)\n    if (!match) continue\n\n    const [, attribute, value] = match\n    const normalizedAttr = attribute.toLowerCase()\n\n    const allowed = ['username', 'externalid', 'displayname', 'active']\n    if (!allowed.includes(normalizedAttr)) continue\n\n    conditions.push({ attribute: normalizedAttr, value })\n  }\n\n  return conditions\n}\n\nexport function scimFilterToWhere(\n  conditions: ScimFilterCondition[],\n  ssoConfigId: string,\n  organizationId: string,\n): Record<string, unknown> {\n  const where: Record<string, unknown> = {\n    ssoConfigId,\n    organizationId,\n    deletedAt: null,\n  }\n\n  for (const { attribute, value } of conditions) {\n    switch (attribute) {\n      case 'username':\n        where.idpEmail = value\n        break\n      case 'externalid':\n        where.externalId = value\n        break\n      case 'displayname':\n        where.idpName = value\n        break\n      case 'active':\n        // Handled at application level (requires SsoUserDeactivation lookup)\n        break\n    }\n  }\n\n  return where\n}\n"],
+  "mappings": "AAUO,SAAS,gBAAgB,QAA0D;AACxF,MAAI,CAAC,UAAU,CAAC,OAAO,KAAK,EAAG,QAAO,CAAC;AAEvC,QAAM,aAAoC,CAAC;AAC3C,QAAM,QAAQ,OAAO,MAAM,YAAY;AAEvC,aAAW,QAAQ,OAAO;AACxB,UAAM,QAAQ,KAAK,KAAK,EAAE,MAAM,2BAA2B;AAC3D,QAAI,CAAC,MAAO;AAEZ,UAAM,CAAC,EAAE,WAAW,KAAK,IAAI;AAC7B,UAAM,iBAAiB,UAAU,YAAY;AAE7C,UAAM,UAAU,CAAC,YAAY,cAAc,eAAe,QAAQ;AAClE,QAAI,CAAC,QAAQ,SAAS,cAAc,EAAG;AAEvC,eAAW,KAAK,EAAE,WAAW,gBAAgB,MAAM,CAAC;AAAA,EACtD;AAEA,SAAO;AACT;AAEO,SAAS,kBACd,YACA,aACA,gBACyB;AACzB,QAAM,QAAiC;AAAA,IACrC;AAAA,IACA;AAAA,IACA,WAAW;AAAA,EACb;AAEA,aAAW,EAAE,WAAW,MAAM,KAAK,YAAY;AAC7C,YAAQ,WAAW;AAAA,MACjB,KAAK;AACH,cAAM,WAAW;AACjB;AAAA,MACF,KAAK;AACH,cAAM,aAAa;AACnB;AAAA,MACF,KAAK;AACH,cAAM,UAAU;AAChB;AAAA,MACF,KAAK;AAEH;AAAA,IACJ;AAAA,EACF;AAEA,SAAO;AACT;",
+  "names": []
+}

package/dist/modules/sso/lib/scim-mapper.js ADDED Viewed

@@ -0,0 +1,49 @@
+import { coerceBoolean } from "./scim-utils.js";
+const SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User";
+function toScimUserResource(user, identity, baseUrl, deactivation) {
+  const isActive = !deactivation || deactivation.reactivatedAt != null;
+  const nameParts = (user.name ?? "").split(" ");
+  const givenName = nameParts[0] || void 0;
+  const familyName = nameParts.length > 1 ? nameParts.slice(1).join(" ") : void 0;
+  return {
+    schemas: [SCIM_USER_SCHEMA],
+    id: identity.id,
+    ...identity.externalId ? { externalId: identity.externalId } : {},
+    userName: identity.idpEmail,
+    displayName: user.name ?? void 0,
+    name: givenName || familyName ? { givenName, familyName, formatted: user.name ?? void 0 } : void 0,
+    emails: [{ value: identity.idpEmail, primary: true, type: "work" }],
+    active: isActive,
+    meta: {
+      resourceType: "User",
+      created: identity.createdAt.toISOString(),
+      lastModified: identity.updatedAt.toISOString(),
+      location: `${baseUrl}/api/sso/scim/v2/Users/${identity.id}`
+    }
+  };
+}
+function fromScimUserPayload(payload) {
+  const result = {};
+  if (typeof payload.userName === "string") result.userName = payload.userName;
+  if (typeof payload.externalId === "string") result.externalId = payload.externalId;
+  if (typeof payload.displayName === "string") result.displayName = payload.displayName;
+  if (payload.active !== void 0) {
+    result.active = coerceBoolean(payload.active);
+  }
+  const name = payload.name;
+  if (name && typeof name === "object") {
+    if (typeof name.givenName === "string") result.givenName = name.givenName;
+    if (typeof name.familyName === "string") result.familyName = name.familyName;
+  }
+  const emails = payload.emails;
+  if (Array.isArray(emails) && emails.length > 0) {
+    const primary = emails.find((e) => e.primary === true) ?? emails[0];
+    if (typeof primary?.value === "string") result.email = primary.value;
+  }
+  return result;
+}
+export {
+  fromScimUserPayload,
+  toScimUserResource
+};
+//# sourceMappingURL=scim-mapper.js.map

package/dist/modules/sso/lib/scim-mapper.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/lib/scim-mapper.ts"],
+  "sourcesContent": ["import type { User } from '@open-mercato/core/modules/auth/data/entities'\nimport type { SsoIdentity, SsoUserDeactivation } from '../data/entities'\nimport { coerceBoolean } from './scim-utils'\n\nconst SCIM_USER_SCHEMA = 'urn:ietf:params:scim:schemas:core:2.0:User'\n\nexport interface ScimUserResource {\n  schemas: string[]\n  id: string\n  externalId?: string\n  userName: string\n  displayName?: string\n  name?: { givenName?: string; familyName?: string; formatted?: string }\n  emails?: Array<{ value: string; primary: boolean; type: string }>\n  active: boolean\n  meta: {\n    resourceType: string\n    created: string\n    lastModified: string\n    location: string\n  }\n}\n\nexport function toScimUserResource(\n  user: User,\n  identity: SsoIdentity,\n  baseUrl: string,\n  deactivation?: SsoUserDeactivation | null,\n): ScimUserResource {\n  const isActive = !deactivation || deactivation.reactivatedAt != null\n\n  const nameParts = (user.name ?? '').split(' ')\n  const givenName = nameParts[0] || undefined\n  const familyName = nameParts.length > 1 ? nameParts.slice(1).join(' ') : undefined\n\n  return {\n    schemas: [SCIM_USER_SCHEMA],\n    id: identity.id,\n    ...(identity.externalId ? { externalId: identity.externalId } : {}),\n    userName: identity.idpEmail,\n    displayName: user.name ?? undefined,\n    name: (givenName || familyName) ? { givenName, familyName, formatted: user.name ?? undefined } : undefined,\n    emails: [{ value: identity.idpEmail, primary: true, type: 'work' }],\n    active: isActive,\n    meta: {\n      resourceType: 'User',\n      created: identity.createdAt.toISOString(),\n      lastModified: identity.updatedAt.toISOString(),\n      location: `${baseUrl}/api/sso/scim/v2/Users/${identity.id}`,\n    },\n  }\n}\n\nexport interface ScimUserPayload {\n  userName?: string\n  externalId?: string\n  displayName?: string\n  givenName?: string\n  familyName?: string\n  email?: string\n  active?: boolean\n}\n\nexport function fromScimUserPayload(payload: Record<string, unknown>): ScimUserPayload {\n  const result: ScimUserPayload = {}\n\n  if (typeof payload.userName === 'string') result.userName = payload.userName\n  if (typeof payload.externalId === 'string') result.externalId = payload.externalId\n  if (typeof payload.displayName === 'string') result.displayName = payload.displayName\n\n  if (payload.active !== undefined) {\n    result.active = coerceBoolean(payload.active)\n  }\n\n  const name = payload.name as Record<string, unknown> | undefined\n  if (name && typeof name === 'object') {\n    if (typeof name.givenName === 'string') result.givenName = name.givenName\n    if (typeof name.familyName === 'string') result.familyName = name.familyName\n  }\n\n  const emails = payload.emails as Array<Record<string, unknown>> | undefined\n  if (Array.isArray(emails) && emails.length > 0) {\n    const primary = emails.find((e) => e.primary === true) ?? emails[0]\n    if (typeof primary?.value === 'string') result.email = primary.value\n  }\n\n  return result\n}\n"],
+  "mappings": "AAEA,SAAS,qBAAqB;AAE9B,MAAM,mBAAmB;AAmBlB,SAAS,mBACd,MACA,UACA,SACA,cACkB;AAClB,QAAM,WAAW,CAAC,gBAAgB,aAAa,iBAAiB;AAEhE,QAAM,aAAa,KAAK,QAAQ,IAAI,MAAM,GAAG;AAC7C,QAAM,YAAY,UAAU,CAAC,KAAK;AAClC,QAAM,aAAa,UAAU,SAAS,IAAI,UAAU,MAAM,CAAC,EAAE,KAAK,GAAG,IAAI;AAEzE,SAAO;AAAA,IACL,SAAS,CAAC,gBAAgB;AAAA,IAC1B,IAAI,SAAS;AAAA,IACb,GAAI,SAAS,aAAa,EAAE,YAAY,SAAS,WAAW,IAAI,CAAC;AAAA,IACjE,UAAU,SAAS;AAAA,IACnB,aAAa,KAAK,QAAQ;AAAA,IAC1B,MAAO,aAAa,aAAc,EAAE,WAAW,YAAY,WAAW,KAAK,QAAQ,OAAU,IAAI;AAAA,IACjG,QAAQ,CAAC,EAAE,OAAO,SAAS,UAAU,SAAS,MAAM,MAAM,OAAO,CAAC;AAAA,IAClE,QAAQ;AAAA,IACR,MAAM;AAAA,MACJ,cAAc;AAAA,MACd,SAAS,SAAS,UAAU,YAAY;AAAA,MACxC,cAAc,SAAS,UAAU,YAAY;AAAA,MAC7C,UAAU,GAAG,OAAO,0BAA0B,SAAS,EAAE;AAAA,IAC3D;AAAA,EACF;AACF;AAYO,SAAS,oBAAoB,SAAmD;AACrF,QAAM,SAA0B,CAAC;AAEjC,MAAI,OAAO,QAAQ,aAAa,SAAU,QAAO,WAAW,QAAQ;AACpE,MAAI,OAAO,QAAQ,eAAe,SAAU,QAAO,aAAa,QAAQ;AACxE,MAAI,OAAO,QAAQ,gBAAgB,SAAU,QAAO,cAAc,QAAQ;AAE1E,MAAI,QAAQ,WAAW,QAAW;AAChC,WAAO,SAAS,cAAc,QAAQ,MAAM;AAAA,EAC9C;AAEA,QAAM,OAAO,QAAQ;AACrB,MAAI,QAAQ,OAAO,SAAS,UAAU;AACpC,QAAI,OAAO,KAAK,cAAc,SAAU,QAAO,YAAY,KAAK;AAChE,QAAI,OAAO,KAAK,eAAe,SAAU,QAAO,aAAa,KAAK;AAAA,EACpE;AAEA,QAAM,SAAS,QAAQ;AACvB,MAAI,MAAM,QAAQ,MAAM,KAAK,OAAO,SAAS,GAAG;AAC9C,UAAM,UAAU,OAAO,KAAK,CAAC,MAAM,EAAE,YAAY,IAAI,KAAK,OAAO,CAAC;AAClE,QAAI,OAAO,SAAS,UAAU,SAAU,QAAO,QAAQ,QAAQ;AAAA,EACjE;AAEA,SAAO;AACT;",
+  "names": []
+}

package/dist/modules/sso/lib/scim-patch.js ADDED Viewed

@@ -0,0 +1,63 @@
+import { coerceBoolean } from "./scim-utils.js";
+const ALLOWED_PATHS = /* @__PURE__ */ new Set([
+  "active",
+  "displayname",
+  "name.givenname",
+  "name.familyname",
+  "username",
+  "externalid"
+]);
+function parseScimPatchOperations(body) {
+  const operations = body.Operations;
+  if (!Array.isArray(operations)) {
+    throw new ScimPatchError("PatchOp body must contain Operations array");
+  }
+  return operations.map((rawOp) => {
+    const op = String(rawOp.op ?? "").toLowerCase();
+    if (!["add", "replace", "remove"].includes(op)) {
+      throw new ScimPatchError(`Unsupported SCIM PatchOp: ${rawOp.op}`);
+    }
+    const path = rawOp.path ? String(rawOp.path) : void 0;
+    if (path) {
+      const normalizedPath = path.toLowerCase();
+      if (!ALLOWED_PATHS.has(normalizedPath)) {
+        return { op, path, value: void 0 };
+      }
+    }
+    const value = normalizePatchValue(rawOp.value, path);
+    return { op, path, value };
+  }).filter((op) => {
+    if (op.op !== "remove" && op.value === void 0 && op.path) return false;
+    return true;
+  });
+}
+function normalizePatchValue(value, path) {
+  if (value === void 0 || value === null) return value;
+  if (path && path.toLowerCase() === "active") {
+    return coerceBoolean(value);
+  }
+  if (!path && typeof value === "object" && value !== null) {
+    const obj = value;
+    const normalized = {};
+    for (const [key, val] of Object.entries(obj)) {
+      if (key.toLowerCase() === "active") {
+        normalized[key] = coerceBoolean(val);
+      } else {
+        normalized[key] = val;
+      }
+    }
+    return normalized;
+  }
+  return value;
+}
+class ScimPatchError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ScimPatchError";
+  }
+}
+export {
+  ScimPatchError,
+  parseScimPatchOperations
+};
+//# sourceMappingURL=scim-patch.js.map

package/dist/modules/sso/lib/scim-patch.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/lib/scim-patch.ts"],
+  "sourcesContent": ["/**\n * SCIM PatchOp parser with Entra ID quirks:\n * - Case-insensitive `op` (e.g., \"Replace\" vs \"replace\")\n * - Boolean leniency (\"False\"/\"True\" strings \u2192 boolean)\n * - Strict attribute allowlist\n */\n\nimport { coerceBoolean } from './scim-utils'\n\nexport interface ScimPatchOperation {\n  op: string\n  path?: string\n  value?: unknown\n}\n\nconst ALLOWED_PATHS = new Set([\n  'active',\n  'displayname',\n  'name.givenname',\n  'name.familyname',\n  'username',\n  'externalid',\n])\n\nexport function parseScimPatchOperations(body: Record<string, unknown>): ScimPatchOperation[] {\n  const operations = body.Operations as Array<Record<string, unknown>> | undefined\n  if (!Array.isArray(operations)) {\n    throw new ScimPatchError('PatchOp body must contain Operations array')\n  }\n\n  return operations.map((rawOp) => {\n    const op = String(rawOp.op ?? '').toLowerCase()\n    if (!['add', 'replace', 'remove'].includes(op)) {\n      throw new ScimPatchError(`Unsupported SCIM PatchOp: ${rawOp.op}`)\n    }\n\n    const path = rawOp.path ? String(rawOp.path) : undefined\n\n    // Validate path against allowlist if present\n    if (path) {\n      const normalizedPath = path.toLowerCase()\n      if (!ALLOWED_PATHS.has(normalizedPath)) {\n        // Silently ignore unsupported attributes (Entra sends many)\n        return { op, path, value: undefined }\n      }\n    }\n\n    const value = normalizePatchValue(rawOp.value, path)\n\n    return { op, path, value }\n  }).filter((op) => {\n    // Filter out no-ops (unsupported paths where value was set to undefined)\n    if (op.op !== 'remove' && op.value === undefined && op.path) return false\n    return true\n  })\n}\n\nfunction normalizePatchValue(value: unknown, path?: string): unknown {\n  if (value === undefined || value === null) return value\n\n  // Handle boolean leniency for the `active` attribute\n  if (path && path.toLowerCase() === 'active') {\n    return coerceBoolean(value)\n  }\n\n  // Handle value objects (no-path operations)\n  if (!path && typeof value === 'object' && value !== null) {\n    const obj = value as Record<string, unknown>\n    const normalized: Record<string, unknown> = {}\n    for (const [key, val] of Object.entries(obj)) {\n      if (key.toLowerCase() === 'active') {\n        normalized[key] = coerceBoolean(val)\n      } else {\n        normalized[key] = val\n      }\n    }\n    return normalized\n  }\n\n  return value\n}\n\nexport class ScimPatchError extends Error {\n  constructor(message: string) {\n    super(message)\n    this.name = 'ScimPatchError'\n  }\n}\n"],
+  "mappings": "AAOA,SAAS,qBAAqB;AAQ9B,MAAM,gBAAgB,oBAAI,IAAI;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,SAAS,yBAAyB,MAAqD;AAC5F,QAAM,aAAa,KAAK;AACxB,MAAI,CAAC,MAAM,QAAQ,UAAU,GAAG;AAC9B,UAAM,IAAI,eAAe,4CAA4C;AAAA,EACvE;AAEA,SAAO,WAAW,IAAI,CAAC,UAAU;AAC/B,UAAM,KAAK,OAAO,MAAM,MAAM,EAAE,EAAE,YAAY;AAC9C,QAAI,CAAC,CAAC,OAAO,WAAW,QAAQ,EAAE,SAAS,EAAE,GAAG;AAC9C,YAAM,IAAI,eAAe,6BAA6B,MAAM,EAAE,EAAE;AAAA,IAClE;AAEA,UAAM,OAAO,MAAM,OAAO,OAAO,MAAM,IAAI,IAAI;AAG/C,QAAI,MAAM;AACR,YAAM,iBAAiB,KAAK,YAAY;AACxC,UAAI,CAAC,cAAc,IAAI,cAAc,GAAG;AAEtC,eAAO,EAAE,IAAI,MAAM,OAAO,OAAU;AAAA,MACtC;AAAA,IACF;AAEA,UAAM,QAAQ,oBAAoB,MAAM,OAAO,IAAI;AAEnD,WAAO,EAAE,IAAI,MAAM,MAAM;AAAA,EAC3B,CAAC,EAAE,OAAO,CAAC,OAAO;AAEhB,QAAI,GAAG,OAAO,YAAY,GAAG,UAAU,UAAa,GAAG,KAAM,QAAO;AACpE,WAAO;AAAA,EACT,CAAC;AACH;AAEA,SAAS,oBAAoB,OAAgB,MAAwB;AACnE,MAAI,UAAU,UAAa,UAAU,KAAM,QAAO;AAGlD,MAAI,QAAQ,KAAK,YAAY,MAAM,UAAU;AAC3C,WAAO,cAAc,KAAK;AAAA,EAC5B;AAGA,MAAI,CAAC,QAAQ,OAAO,UAAU,YAAY,UAAU,MAAM;AACxD,UAAM,MAAM;AACZ,UAAM,aAAsC,CAAC;AAC7C,eAAW,CAAC,KAAK,GAAG,KAAK,OAAO,QAAQ,GAAG,GAAG;AAC5C,UAAI,IAAI,YAAY,MAAM,UAAU;AAClC,mBAAW,GAAG,IAAI,cAAc,GAAG;AAAA,MACrC,OAAO;AACL,mBAAW,GAAG,IAAI;AAAA,MACpB;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEO,MAAM,uBAAuB,MAAM;AAAA,EACxC,YAAY,SAAiB;AAC3B,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;",
+  "names": []
+}

package/dist/modules/sso/lib/scim-response.js ADDED Viewed

@@ -0,0 +1,34 @@
+const SCIM_CONTENT_TYPE = "application/scim+json";
+const SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error";
+const SCIM_LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse";
+function scimJson(data, status = 200) {
+  return new Response(JSON.stringify(data), {
+    status,
+    headers: { "Content-Type": SCIM_CONTENT_TYPE }
+  });
+}
+function buildScimError(status, detail, scimType) {
+  const body = {
+    schemas: [SCIM_ERROR_SCHEMA],
+    status: String(status),
+    detail
+  };
+  if (scimType) body.scimType = scimType;
+  return body;
+}
+function buildListResponse(resources, totalResults, startIndex, itemsPerPage) {
+  return {
+    schemas: [SCIM_LIST_SCHEMA],
+    totalResults,
+    startIndex,
+    itemsPerPage,
+    Resources: resources
+  };
+}
+export {
+  SCIM_CONTENT_TYPE,
+  buildListResponse,
+  buildScimError,
+  scimJson
+};
+//# sourceMappingURL=scim-response.js.map