scimgateway 4.4.2 → 4.4.4

package/README.md

@@ -207,8 +207,8 @@ Below shows an example of config\plugin-saphana.json
         "payloadSize": null,
         "scim": {
           "version": "2.0",
-          "customSchema": null,
           "skipTypeConvert" : false,
+          "skipMetaLocation" false,
           "usePutSoftSync" : false,
           "usePutGroupMemberOfUser": false
         },
@@ -339,14 +339,11 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **port** - Gateway will listen on this port number. Clients (e.g. Provisioning Server) will be using this port number for communicating with the gateway.  
 
-- **localhostonly** - true or false. False means gateway accepts incoming requests from all clients. True means traffic from only localhost (127.0.0.1) is accepted (gateway must then be installed on the CA Connector Server).  
+- **localhostonly** - true or false. False means gateway accepts incoming requests from all clients. True means traffic from only localhost (127.0.0.1) is accepted.  
 
 - **payloadSize** - if not defined, default "1mb" will be used. There are cases which large groups could exceed default size and you may want to increase by setting your own size  
 
-- **scim.version** - "1.1" or "2.0". Default is "2.0". For Symantec/Broadcom/CA Identity Manager "1.1" should be used.  
-
-- **scim.customSchema** - filename of JSON file located in `<package-root>\config\schemas` containing custom schema attributes, see configuration notes 
-  **additional information**: Schemas, ServiceProviderConfig and ResourceType can be customized if `lib/scimdef-v2.js (or scimdef-v1.js)` exists. Original scimdef-v2.js/scimdef-v1.js can be copied from node_modules/scimgateway/lib to your plugin/lib and customized.
+- **scim.version** - "1.1" or "2.0". Default is "2.0".  
 
 - **scim.skipTypeConvert** - true or false, default false. Multivalue attributes supporting types e.g. emails, phoneNumbers, ims, photos, addresses, entitlements and x509Certificates (but not roles, groups and members) will be become "type converted objects" when sent to modifyUser and createUser. This for simplicity of checking attributes included and also for the endpointMapper method (used by plugin-ldap and plugin-entra-id), e.g.: 
 
@@ -364,6 +361,7 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 		  {"value": "jsmith@hotmail.com"}
 		]  
 
+- **scim.skipMetaLocation** - true or false, default false. If set to true, `meta.location` which contains protocol and hostname from request-url, will be excluded from response e.g. `"{...,meta":{"location":"https://my-company.com/<...>"}}`. If using reverse proxy and not including headers `X-Forwarded-Proto` and `X-Forwarded-Host`, originator will be the proxy and we might not want to expose internal protocol and hostname being used by the proxy request.
 
 - **scim.usePutSoftSync** - true or false, default false. `PUT /Users/bjensen` will replace the user bjensen with body content. If set to `true`, only PUT body content will be replaced. Any additional existing user attributes and groups supported by plugin will remain as-is.
 
@@ -406,7 +404,7 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
     `<FQDN>` is Fully Qualified Domain Name of the host having SCIM Gateway installed
   
-    Note, when using Broadcom/CA Provisioning, the "certificate authority - CA" also have to be imported on the Connector Server. For self-signed certificate CA and the certificate (public key) is the same.  
+    Note, when using Symantec/Broadcom/CA Provisioning, the "certificate authority - CA" also have to be imported on the Connector Server. For self-signed certificate CA and the certificate (public key) is the same.  
 
     PFX / PKCS#12 bundle can be used instead of key/cert/ca e.g: 
 
@@ -450,10 +448,12 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
  
 #### Configuration notes
 
-- Setting environment variable `SEED` will override default password seeding logic.  
+- Custom Schemas, ServiceProviderConfig and ResourceType can be used if `./lib/scimdef-v2.js or scimdef-v1.js` exists. Original scimdef-v2.js/scimdef-v1.js can be copied from node_modules/scimgateway/lib to your plugin/lib and customized.
+- Using reverse proxy and we want ipAllowList and correct meta.location response, following headers must be set by proxy: `X-Forwarded-For`, `X-Forwarded-Proto` and `X-Forwarded-Host`  
+- Setting environment variable `SEED` with some random characters will override default password seeding logic. This also allow copying configuration file with encrypted secrets from one machine to another.  
 - All configuration can be set based on environment variables. Syntax will then be `"process.env.<ENVIRONMENT>"` where `<ENVIRONMENT>` is the environment variable used. E.g. scimgateway.port could have value "process.env.PORT", then using environment variable PORT.
-- All configuration can be set based on corresponding JSON-content (dot notation) in external file using plugin name as parent JSON object. Syntax will then be `"process.file.<path>"` where `<path>` is the file used. E.g. endpoint.password could have value "process.file./var/run/vault/secrets.json"  
-- Also, individual secret file may be used for a plain text secret per file. Syntax will then be `"process.text.<path>"` where `<path>` is the file which contains raw (`UTF-8`) character value. E.g. endpoint.password could have value "process.text./var/run/vault/endpoint.password". This enables that the config file itself be loaded from a ConfigMap while specific values are mounted either from `secrets.json` style files as mentioned above OR from traditional secrets files mounted in the file system, one value per file.
+- All configuration values can be moved to a single external file having JSON dot notation content with plugin name as parent JSON object. Syntax in original configuration file used by the gateway will then be `"process.file.<path>"` where `<path>` is the file used. E.g. key endpoint.password could have value "process.file./var/run/vault/secrets.json" 
+- All configuration values can be moved to multiple external files, each file containing one single value. Syntax in original configuration file used by the gateway will then be `"process.text.<path>"` where `<path>` is the file which contains raw (`UTF-8`) character value. E.g. key endpoint.password could have value "process.text./var/run/vault/endpoint.password".
 
 	Example:  
 
@@ -489,7 +489,11 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 		}  
 
 
-	secrets.json for plugin-soap - example (dot notation):  
+    jwt.secret file content example:  
+
+    	thisIsSecret
+
+	secrets.json file content example for plugin-soap:  
   
 		{
 		  "plugin-soap.scimgateway.auth.basic[0].username": "gwadmin",
@@ -498,62 +502,6 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 		  "plugin-soap.endpoint.password": "secret"
 		}  
 
-- Custom schema attributes can be added by plugin configuration `scim.customSchema` having value set to filename of a JSON schema-file located in `<package-root>/config/schemas` e.g:  
-
-		"scim": {
-		  "version": "2.0",
-		  "customSchema": "plugin-soap-schema.json"
-		},
-
-	JSON file have following syntax:  
-
-		[
-		  { 
-		    "name": "User",
-		    "attributes": [...]
-		  },
-		  { 
-		    "name": "Group",
-		    "attributes": [...]
-		  }
-		]
-
-	Where array `attributes` contains custom attribute objects according to SCIM 1.1 or 2.0 spesification e.g:  
-
-		"attributes": [
-		  {
-		    "name": "musicPreference",
-			"type": "string",
-			"multiValued": false,
-			"description": "Music Preferences",
-			"readOnly": false,
-			"required": false,
-			"caseExact": false
-		  },
-		  {
-		    "name": "populations",
-			"type": "complex",
-			"multiValued": true,
-			"multiValuedAttributeChildName": "population",
-			"description": "Population array",
-			"readOnly": false,
-			"required": false,
-			"caseExact": false,
-			"subAttributes": [
-			  {
-			    "name": "value",
-			    "type": "string",
-			    "multiValued": false,
-			    "description": "Population value",
-			    "readOnly": false,
-			    "required": true,
-			    "caseExact": false
-			  }
-			]
-		  }
-		]
-
-	Note, custom schema attributes will be merged into core:1.0/2.0 schema, and names must not conflict with standard SCIM attribute names.
 
 
 ## Manual startup    
@@ -745,7 +693,7 @@ Some notes related to Entra ID:
 
 ## CA Identity Manager as IdP using SCIM Gateway  
 
-Using Symantec/Broadcom/CA Identity Manger, plugin configuration file must include **SCIM Version "1.1"** (scimgateway.scim.version).  
+Using Symantec/Broadcom/CA Identity Manger, plugin configuration might have to use **SCIM Version "1.1"** (scimgateway.scim.version).  
 
 In the Provisioning Manager we have to use  
 
@@ -1199,6 +1147,25 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v4.4.4  
+
+[Added]
+
+- New configuration: **scim.skipMetaLocation**  
+ true or false, default false. If set to true, `meta.location` which contains protocol and hostname from request-url, will be excluded from response e.g. `"{...,meta":{"location":"https://my-company.com/<...>"}}`. If using reverse proxy and not including headers `X-Forwarded-Proto` and `X-Forwarded-Host`, originator will be the proxy and we might not want to expose internal protocol and hostname being used by the proxy request.
+
+Below is an example of nginx reverse proxy configuration supporting SCIM Gateway ipAllowList and correct meta.location response:  
+
+	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	proxy_set_header X-Forwarded-Proto $scheme;
+	proxy_set_header X-Forwarded-Host $http_host;
+
+### v4.4.3
+  
+[Added]  
+
+- Dependencies bump  
+
 ### v4.4.2  
 
 [Added]

package/config/plugin-api.json

@@ -5,8 +5,8 @@
     "payloadSize": null,
     "scim": {
       "version": "2.0",
-      "customSchema": null,
       "skipTypeConvert": false,
+      "skipMetaLocation": false,
       "usePutSoftSync": false,
       "usePutGroupMemberOfUser": false
     },

package/config/plugin-entra-id.json

@@ -5,9 +5,10 @@
     "payloadSize": null,
     "scim": {
       "version": "2.0",
-      "customSchema": null,
       "skipTypeConvert": false,
-      "usePutSoftSync": false
+      "skipMetaLocation": false,
+      "usePutSoftSync": false,
+      "usePutGroupMemberOfUser": false
     },
     "log": {
       "loglevel": {

package/config/plugin-ldap.json

@@ -5,8 +5,8 @@
     "payloadSize": null,
     "scim": {
       "version": "2.0",
-      "customSchema": null,
       "skipTypeConvert": false,
+      "skipMetaLocation": false,
       "usePutSoftSync": false,
       "usePutGroupMemberOfUser": false
     },

package/config/plugin-loki.json

@@ -5,8 +5,8 @@
     "payloadSize": null,
     "scim": {
       "version": "2.0",
-      "customSchema": null,
       "skipTypeConvert": false,
+      "skipMetaLocation": false,
       "usePutSoftSync": false,
       "usePutGroupMemberOfUser": false
     },

package/config/plugin-mongodb.json

@@ -5,8 +5,8 @@
     "payloadSize": null,
     "scim": {
       "version": "2.0",
-      "customSchema": null,
       "skipTypeConvert": false,
+      "skipMetaLocation": false,
       "usePutSoftSync": false,
       "usePutGroupMemberOfUser": false
     },

package/config/plugin-mssql.json

@@ -5,8 +5,8 @@
     "payloadSize": null,
     "scim": {
       "version": "2.0",
-      "customSchema": null,
       "skipTypeConvert": false,
+      "skipMetaLocation": false,
       "usePutSoftSync": false,
       "usePutGroupMemberOfUser": false
     },

package/config/plugin-saphana.json

@@ -5,8 +5,8 @@
     "payloadSize": null,
     "scim": {
       "version": "2.0",
-      "customSchema": null,
       "skipTypeConvert": false,
+      "skipMetaLocation": false,
       "usePutSoftSync": false,
       "usePutGroupMemberOfUser": false
     },

package/config/plugin-scim.json

@@ -5,8 +5,8 @@
     "payloadSize": null,
     "scim": {
       "version": "2.0",
-      "customSchema": null,
       "skipTypeConvert": false,
+      "skipMetaLocation": false,
       "usePutSoftSync": false,
       "usePutGroupMemberOfUser": false
     },

package/config/plugin-soap.json

@@ -5,8 +5,8 @@
     "payloadSize": null,
     "scim": {
       "version": "2.0",
-      "customSchema": null,
       "skipTypeConvert": false,
+      "skipMetaLocation": false,
       "usePutSoftSync": false,
       "usePutGroupMemberOfUser": false
     },

package/lib/scimgateway.js

@@ -36,7 +36,8 @@ const ScimGateway = function () {
   const startTime = utils.timestamp()
   const stack = callsite()
   const requester = stack[1].getFileName()
-  const pluginName = path.basename(requester, '.js')
+  let pluginName = path.basename(requester)
+  pluginName = pluginName.substring(0, pluginName.lastIndexOf('.')) || pluginName
   const pluginDir = path.dirname(requester)
   const configDir = path.join(pluginDir, '..', 'config')
   const configFile = path.join(`${configDir}`, `${pluginName}.json`) // config name prefix same as pluging name prefix
@@ -272,7 +273,7 @@ const ScimGateway = function () {
     else scimDef = require('../lib/scimdef-v1')
   }
 
-  if (config.scim.customSchema) { // merge plugin custom schema extension into core schemas
+  if (config.scim.customSchema) { // legacy - merge plugin custom schema extension into core schemas
     let custom
     try {
       custom = JSON.parse(fs.readFileSync(`${configDir}/schemas/${config.scim.customSchema}`, 'utf8'))
@@ -353,8 +354,8 @@ const ScimGateway = function () {
         ctx.response.body = { error: 'Access denied' }
         res.body = ctx.response.body
       }
-      logger.error(`${gwName}[${pluginName}] ${ellapsed} ${ctx.request.ipcli} ${userName} ${ctx.request.method} ${ctx.request.href} Inbound = ${JSON.stringify(ctx.request.body)} Outbound = ${JSON.stringify(res)}${(config.log.loglevel.file === 'debug' && ctx.request.url !== '/ping') ? '\n' : ''}`)
-    } else logger.info(`${gwName}[${pluginName}] ${ellapsed} ${ctx.request.ipcli} ${userName} ${ctx.request.method} ${ctx.request.href} Inbound = ${JSON.stringify(ctx.request.body)} Outbound = ${JSON.stringify(res)}${(config.log.loglevel.file === 'debug' && ctx.request.url !== '/ping') ? '\n' : ''}`)
+      logger.error(`${gwName}[${pluginName}] ${ellapsed} ${ctx.request.ip} ${userName} ${ctx.request.method} ${ctx.request.href} Inbound = ${JSON.stringify(ctx.request.body)} Outbound = ${JSON.stringify(res)}${(config.log.loglevel.file === 'debug' && ctx.request.url !== '/ping') ? '\n' : ''}`)
+    } else logger.info(`${gwName}[${pluginName}] ${ellapsed} ${ctx.request.ip} ${userName} ${ctx.request.method} ${ctx.request.href} Inbound = ${JSON.stringify(ctx.request.body)} Outbound = ${JSON.stringify(res)}${(config.log.loglevel.file === 'debug' && ctx.request.url !== '/ping') ? '\n' : ''}`)
     requestCounter += 1 // logged on exit (not win process termination)
     if (ctx.response.body && typeof ctx.response.body === 'object' && ctx.response.status !== 401) ctx.set('Content-Type', 'application/scim+json; charset=utf-8')
   }
@@ -604,7 +605,7 @@ const ScimGateway = function () {
         })
       }
     }
-  } // authentication
+  }
 
   const verifyContentType = (ctx, next) => {
     return new Promise((resolve) => {
@@ -622,18 +623,16 @@ const ScimGateway = function () {
 
   const ipAllowList = (ctx, next) => {
     return new Promise((resolve) => {
-      ctx.request.ipcli = ctx.req.headers['x-forwarded-for'] || ctx.req.connection.remoteAddress
-      ctx.request.ipcli = ctx.request.ipcli.split(',')[0] // used by logResult
       if (!ipAllowListChecker) return resolve(next())
-      if (ipAllowListChecker(ctx.request.ipcli)) return resolve(next())
-      logger.debug(`${gwName}[${pluginName}] client ip ${ctx.request.ipcli} not in ipAllowList`)
+      if (ipAllowListChecker(ctx.request.ip)) return resolve(next()) // if proxy, prereq: request includes header X-Forwarded-For and koa app.proxy=true
+      logger.debug(`${gwName}[${pluginName}] client ip ${ctx.request.ip} not in ipAllowList`)
       ctx.status = 401
       ctx.body = { error: 'Access denied' }
       resolve(ctx)
     })
   }
 
-  const app = new Koa()
+  const app = new Koa({ proxy: true })
   const router = new Router()
 
   // Middleware run in the order they are defined and communicates through ctx
@@ -652,7 +651,7 @@ const ScimGateway = function () {
   app.use(router.allowedMethods())
 
   app.on('error', (err, ctx) => { // catching none try/catch in app middleware, also bodyparser and body not json
-    logger.error(`${gwName}[${pluginName}] Koa method: ${ctx.method} url: ${ctx.origin + ctx.path} body: ${JSON.stringify(ctx.request.body)} error: ${err.message}`)
+    logger.error(`${gwName}[${pluginName}] Koa method: ${ctx.method} url: ${ctx.request.origin + ctx.path} body: ${JSON.stringify(ctx.request.body)} error: ${err.message}`)
   })
 
   router.get('/ping', async (ctx) => { // auth not required
@@ -663,9 +662,8 @@ const ScimGateway = function () {
 
   // Google App Engine B-class instance start/stop request
   router.get(['/_ah/start', '/_ah/stop'], async (ctx) => {
-    const cli = ctx.request.ipcli
     const ver = process.env.GAE_VERSION
-    if (!cli || cli !== '0.1.0.3' || !ver || !ctx.origin.includes(`.${ver}.`)) { // ctx.origin = http://<instance>.<version>.<project-id>.<region>.r.appspot.com
+    if (ctx.request.ip !== '0.1.0.3' || !ver || !ctx.request.origin.includes(`.${ver}.`)) { // ctx.request.origin = http://<instance>.<version>.<project-id>.<region>.r.appspot.com
       ctx.status = 403 // request not coming from GCP App Engine
       return
     }
@@ -679,14 +677,16 @@ const ScimGateway = function () {
   router.get(['/(|scim/)(ServiceProviderConfigs|ServiceProviderConfig)',
     '/:baseEntity/(|scim/)(ServiceProviderConfigs|ServiceProviderConfig)'], async (ctx) => {
     const tx = scimDef.ServiceProviderConfigs
-    const location = ctx.origin + ctx.path
-    if (tx.meta) tx.meta.location = location
-    else {
-      tx.meta = {}
-      tx.meta.location = location
+    if (!config.scim.skipMetaLocation) {
+      const location = ctx.request.origin + ctx.path
+      if (tx.meta) tx.meta.location = location
+      else {
+        tx.meta = {}
+        tx.meta.location = location
+      }
     }
     ctx.body = tx
-    logger.debug(`${gwName}[${pluginName}] GET ${ctx.originalUrl} Response = ${JSON.stringify(tx)}`)
+    logger.debug(`${gwName}[${pluginName}] GET ${ctx.request.originalUrl} Response = ${JSON.stringify(tx)}`)
   })
 
   // Initial connection, step #2: GET /Schemas
@@ -819,7 +819,7 @@ const ScimGateway = function () {
   `/:baseEntity/(|scim/)(!${undefined}|Users|Groups|servicePlans)/:id`], async (ctx) => {
     if (ctx.query.attributes) ctx.query.attributes = ctx.query.attributes.split(',').map(item => item.trim()).join()
     if (ctx.query.excludedAttributes) ctx.query.excludedAttributes = ctx.query.excludedAttributes.split(',').map(item => item.trim()).join()
-    let u = ctx.originalUrl.substr(0, ctx.originalUrl.lastIndexOf('/'))
+    let u = ctx.request.originalUrl.substr(0, ctx.request.originalUrl.lastIndexOf('/'))
     u = u.substr(u.lastIndexOf('/') + 1) // u = Users, Groups
     const handle = handler[u]
     const id = decodeURIComponent(require('path').basename(ctx.params.id, '.json')) // supports <id>.json
@@ -882,14 +882,16 @@ const ScimGateway = function () {
           }
         }
       }
-      const location = ctx.origin + ctx.path
       userObj = addPrimaryAttrs(userObj)
       scimdata = utils.stripObj(userObj, ctx.query.attributes, ctx.query.excludedAttributes)
       scimdata = addSchemas(scimdata, handle.description, isScimv2)
-      if (scimdata.meta) scimdata.meta.location = location
-      else {
-        scimdata.meta = {}
-        scimdata.meta.location = location
+      if (!config.scim.skipMetaLocation) {
+        const location = ctx.request.origin + ctx.path
+        if (scimdata.meta) scimdata.meta.location = location
+        else {
+          scimdata.meta = {}
+          scimdata.meta.location = location
+        }
       }
       ctx.body = scimdata
     } catch (err) {
@@ -908,7 +910,7 @@ const ScimGateway = function () {
     '/:baseEntity/(|scim/)(Users|Groups|servicePlans|AppRoles)'], async (ctx) => {
     if (ctx.query.attributes) ctx.query.attributes = ctx.query.attributes.split(',').map(item => item.trim()).join()
     if (ctx.query.excludedAttributes) ctx.query.excludedAttributes = ctx.query.excludedAttributes.split(',').map(item => item.trim()).join()
-    let u = ctx.originalUrl.substr(ctx.originalUrl.lastIndexOf('/') + 1) // u = Users, Groups, servicePlans, ...
+    let u = ctx.request.originalUrl.substr(ctx.request.originalUrl.lastIndexOf('/') + 1) // u = Users, Groups, servicePlans, ...
     const ui = u.indexOf('?')
     if (ui > 0) u = u.substr(0, ui)
     const handle = handler[u]
@@ -1088,8 +1090,9 @@ const ScimGateway = function () {
         }
       }
 
-      let location = ctx.origin + ctx.path
+      let location = ctx.request.origin + ctx.path
       if (ctx.query.attributes || (ctx.query.excludedAttributes && ctx.query.excludedAttributes.includes('meta'))) location = null
+      if (config.scim.skipMetaLocation) location = null
       for (let i = 0; i < scimdata.Resources.length; i++) {
         scimdata.Resources[i] = addPrimaryAttrs(scimdata.Resources[i])
         scimdata.Resources[i] = utils.stripObj(scimdata.Resources[i], ctx.query.attributes, ctx.query.excludedAttributes)
@@ -1124,7 +1127,7 @@ const ScimGateway = function () {
   //
   router.post([`/(|scim/)(!${undefined}|Users|Groups)(|.json)(|.xml)`,
   `/:baseEntity/(|scim/)(!${undefined}|Users|Groups)(|.json)(|.xml)`], async (ctx) => {
-    let u = ctx.originalUrl.substr(ctx.originalUrl.lastIndexOf('/') + 1) // u = Users<.json|.xml>, Groups<.json|.xml>
+    let u = ctx.request.originalUrl.substr(ctx.request.originalUrl.lastIndexOf('/') + 1) // u = Users<.json|.xml>, Groups<.json|.xml>
     u = u.split('?')[0] // Users?AzureAdScimPatch062020
     const handle = handler[u.split('.')[0]]
     logger.debug(`${gwName}[${pluginName}] [Create ${handle.description}]`)
@@ -1153,7 +1156,7 @@ const ScimGateway = function () {
       return
     }
 
-    logger.debug(`${gwName}[${pluginName}] POST ${ctx.originalUrl} body=${strBody}`)
+    logger.debug(`${gwName}[${pluginName}] POST ${ctx.request.originalUrl} body=${strBody}`)
     jsonBody = JSON.parse(strBody) // using a copy
     const [scimdata, err] = ScimGateway.prototype.convertedScim(jsonBody)
     logger.debug(`${gwName}[${pluginName}] convertedBody=${JSON.stringify(scimdata)}`)
@@ -1196,12 +1199,14 @@ const ScimGateway = function () {
         if (obj && obj.id) jsonBody = obj // id found, using returned object
       }
 
-      const location = `${ctx.origin}${ctx.path}/${jsonBody.id}`
-      if (!jsonBody.meta) jsonBody.meta = {}
-      jsonBody.meta.location = location
+      if (!config.scim.skipMetaLocation) {
+        const location = `${ctx.request.origin}${ctx.path}/${jsonBody.id}`
+        if (!jsonBody.meta) jsonBody.meta = {}
+        jsonBody.meta.location = location
+        ctx.set('Location', location)
+      }
       delete jsonBody.password
       jsonBody = addPrimaryAttrs(jsonBody)
-      ctx.set('Location', location)
       ctx.status = 201
       ctx.body = jsonBody
     } catch (err) {
@@ -1227,7 +1232,7 @@ const ScimGateway = function () {
   //
   router.delete([`/(|scim/)(!${undefined}|Users|Groups)/:id`,
   `/:baseEntity/(|scim/)(!${undefined}|Users|Groups)/:id`], async (ctx) => {
-    let u = ctx.originalUrl.substr(0, ctx.originalUrl.lastIndexOf('/'))
+    let u = ctx.request.originalUrl.substr(0, ctx.request.originalUrl.lastIndexOf('/'))
     u = u.substr(u.lastIndexOf('/') + 1) // u = Users, Groups
     const handle = handler[u]
     const id = ctx.params.id
@@ -1273,7 +1278,7 @@ const ScimGateway = function () {
   `/:baseEntity/(|scim/)(!${undefined}|Users|Groups|servicePlans)/:id`], async (ctx) => {
     if (ctx.query.attributes) ctx.query.attributes = ctx.query.attributes.split(',').map(item => item.trim()).join()
     if (ctx.query.excludedAttributes) ctx.query.excludedAttributes = ctx.query.excludedAttributes.split(',').map(item => item.trim()).join()
-    let u = ctx.originalUrl.substr(0, ctx.originalUrl.lastIndexOf('/'))
+    let u = ctx.request.originalUrl.substr(0, ctx.request.originalUrl.lastIndexOf('/'))
     u = u.substr(u.lastIndexOf('/') + 1) // u = Users, Groups
     const handle = handler[u]
     const id = decodeURIComponent(ctx.params.id)
@@ -1325,8 +1330,10 @@ const ScimGateway = function () {
           return
         }
 
-        const location = ctx.origin + ctx.path
-        ctx.set('Location', location)
+        if (!config.scim.skipMetaLocation) {
+          const location = ctx.request.origin + ctx.path
+          ctx.set('Location', location)
+        }
         const userObj = addPrimaryAttrs(scimdata.Resources[0])
         scimdata = utils.stripObj(userObj, ctx.query.attributes, ctx.query.excludedAttributes)
         scimdata = addSchemas(scimdata, handle.description, isScimv2)
@@ -1351,7 +1358,7 @@ const ScimGateway = function () {
   })
 
   const replaceUsrGrp = async (ctx) => {
-    let u = ctx.originalUrl.substr(0, ctx.originalUrl.lastIndexOf('/'))
+    let u = ctx.request.originalUrl.substr(0, ctx.request.originalUrl.lastIndexOf('/'))
     u = u.substr(u.lastIndexOf('/') + 1) // u = Users, Groups
     const handle = handler[u]
     const id = ctx.params.id
@@ -1364,7 +1371,7 @@ const ScimGateway = function () {
       if (customErrorCode) ctx.status = customErrorCode
       ctx.body = e
     } else {
-      logger.debug(`${gwName}[${pluginName}] PUT ${ctx.originalUrl} body=${strBody}`)
+      logger.debug(`${gwName}[${pluginName}] PUT ${ctx.request.originalUrl} body=${strBody}`)
       try {
         // get current object
         logger.debug(`${gwName}[${pluginName}] calling "${handle.getMethod}" and awaiting result`)
@@ -1553,8 +1560,10 @@ const ScimGateway = function () {
           }
         }
 
-        const location = ctx.origin + ctx.path
-        ctx.set('Location', location)
+        if (!config.scim.skipMetaLocation) {
+          const location = ctx.request.origin + ctx.path
+          ctx.set('Location', location)
+        }
         scimdata = addSchemas(scimdata, handle.description, isScimv2)
         ctx.status = 200
         ctx.body = scimdata
@@ -1587,10 +1596,8 @@ const ScimGateway = function () {
       ctx.body = apiErr(pluginName, err)
     } else {
       logger.debug(`${gwName}[${pluginName}] calling "postApi" and awaiting result`)
-
       try {
         let result = await this.postApi(ctx.params.baseEntity, apiObj, ctx.ctxCopy)
-        const location = ctx.origin + ctx.path
         if (result) {
           if (typeof result === 'object') result = { result: result }
           else {
@@ -1603,7 +1610,10 @@ const ScimGateway = function () {
         } else result = {}
         if (!result.meta) result.meta = {}
         result.meta.result = 'success'
-        result.meta.location = location
+        if (!config.scim.skipMetaLocation) {
+          const location = ctx.request.origin + ctx.path
+          result.meta.location = location
+        }
         ctx.status = 201
         ctx.body = result
       } catch (err) {
@@ -1636,7 +1646,6 @@ const ScimGateway = function () {
 
       try {
         let result = await this.putApi(ctx.params.baseEntity, id, apiObj, ctx.ctxCopy)
-        const location = ctx.origin + ctx.path
         if (result) {
           if (typeof result === 'object') result = { result: result }
           else {
@@ -1649,7 +1658,10 @@ const ScimGateway = function () {
         } else result = {}
         if (!result.meta) result.meta = {}
         result.meta.result = 'success'
-        result.meta.location = location
+        if (!config.scim.skipMetaLocation) {
+          const location = ctx.request.origin + ctx.path
+          result.meta.location = location
+        }
         ctx.status = 200
         ctx.body = result
       } catch (err) {
@@ -1682,7 +1694,6 @@ const ScimGateway = function () {
 
       try {
         let result = await this.patchApi(ctx.params.baseEntity, id, apiObj, ctx.ctxCopy)
-        const location = ctx.origin + ctx.path
         if (result) {
           if (typeof result === 'object') result = { result: result }
           else {
@@ -1695,7 +1706,10 @@ const ScimGateway = function () {
         } else result = {}
         if (!result.meta) result.meta = {}
         result.meta.result = 'success'
-        result.meta.location = location
+        if (!config.scim.skipMetaLocation) {
+          const location = ctx.request.origin + ctx.path
+          result.meta.location = location
+        }
         ctx.status = 200
         ctx.body = result
       } catch (err) {
@@ -1726,7 +1740,6 @@ const ScimGateway = function () {
 
     try {
       let result = await this.getApi(ctx.params.baseEntity, ctx.params.id, ctx.query, apiObj, ctx.ctxCopy)
-      const location = ctx.origin + ctx.path
       if (result) {
         if (typeof result === 'object') result = { result: result }
         else {
@@ -1739,7 +1752,10 @@ const ScimGateway = function () {
       } else result = {}
       if (!result.meta) result.meta = {}
       result.meta.result = 'success'
-      result.meta.location = location
+      if (!config.scim.skipMetaLocation) {
+        const location = ctx.request.origin + ctx.path
+        result.meta.location = location
+      }
       ctx.status = 200
       ctx.body = result
     } catch (err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "4.4.2",
+  "version": "4.4.4",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
   "homepage": "https://elshaug.xyz",
@@ -43,9 +43,9 @@
     "ldapjs": "^3.0.7",
     "lokijs": "^1.5.12",
     "mongodb": "^6.3.0",
-    "nats": "^2.18.0",
+    "nats": "^2.19.0",
     "node-machine-id": "1.1.9",
-    "nodemailer": "^6.9.8",
+    "nodemailer": "^6.9.9",
     "passport": "^0.7.0",
     "passport-azure-ad": "^4.3.5",
     "tedious": "^16.6.1",