scimgateway 5.0.10 → 5.0.12

package/README.md

@@ -18,7 +18,7 @@ Latest news:
 
 - Major version **v5.0.0** marks a shift to native TypeScript support and prioritizes [Bun](https://bun.sh/) over Node.js. This upgrade requires some modifications to existing plugins.  
 - **BREAKING**: [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Gateway now offers enhanced functionality with support for message subscription and automated provisioning using SCIM Stream
-- Authentication PassThrough letting plugin pass authentication directly to endpoint for avoid maintaining secrets at the gateway
+- Authentication PassThrough letting plugin pass authentication directly to endpoint for avoid maintaining secrets at the gateway. E.g., using Entra ID application OAuth
 - Supports OAuth Client Credentials authentication
 - Major version **v4.0.0** getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be linked to specific baseEntities. New MongoDB plugin
 - ipAllowList for restricting access to allowlisted IP addresses or subnets e.g. Azure IP-range  
@@ -1111,6 +1111,24 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v5.0.12
+
+[Fixed]
+
+- HelperRest doRequest() incorrect Auth PassThrough handling
+
+[Improved]  
+
+- Dependencies bump  
+
+
+### v5.0.11
+
+[Fixed]
+
+- OAuth token response on error missing error_description in v5
+- HelperRest doRequest() now also includes retry logic on invalid token that has not expired - will renew token 
+
 ### v5.0.10
 
 [Improved]

package/lib/helper-rest.ts

@@ -43,31 +43,6 @@ export class HelperRest {
     if (errMsg) this.scimgateway.logError('undefined', errMsg)
   }
 
-  /**
-  * getClientIdentifier returns a unique client identifier having format user_secret
-  * @param ctx having format { autorization: "<type>:xxxxx" }
-  * @returns user_secret
-  **/
-  private getClientIdentifier(ctx: Record<string, any> | undefined): string {
-    if (!ctx?.headers?.authorization) return 'undefined'
-    const [user, secret] = this.getCtxAuth(ctx)
-    return `${encodeURIComponent(user)}_${encodeURIComponent(secret)}` // user_password or undefined_password
-  }
-
-  /**
-  * getCtxAuth returns [username, secret] based on Auth PassThrough autorization header included in ctx
-  * @param ctx includes Auth PassThrough having format {headers:{autorization:"<type>:xxxxx"}}
-  * @returns [username, secret]
-  **/
-  private getCtxAuth(ctx: Record<string, any> | undefined): any[] {
-    if (!ctx?.headers?.authorization) return []
-    const [authType, authToken] = (ctx.headers.authorization || '').split(' ') // [0] = 'Basic' or 'Bearer'
-    let username, password
-    if (authType === 'Basic') [username, password] = (Buffer.from(authToken, 'base64').toString() || '').split(':')
-    if (username) return [username, password] // basic auth
-    else return [undefined, authToken] // bearer auth
-  }
-
   /**
    * getAccessToken returns oauth accesstoken object
    * @param baseEntity 
@@ -76,12 +51,11 @@ export class HelperRest {
    */
   public async getAccessToken(baseEntity: string, ctx?: Record<string, any> | undefined) { // public in case token is needed for other logic e.g. sending mail
     await this.lock.acquire()
-    const clientIdentifier = this.getClientIdentifier(ctx)
     const d = Math.floor(Date.now() / 1000) // seconds (unix time)
-    if (this._serviceClient[baseEntity] && this._serviceClient[baseEntity][clientIdentifier] && this._serviceClient[baseEntity][clientIdentifier].accessToken
-      && (this._serviceClient[baseEntity][clientIdentifier].accessToken.validTo >= d + 30)) { // avoid simultaneously token requests
+    if (this._serviceClient[baseEntity] && this._serviceClient[baseEntity].accessToken
+      && (this._serviceClient[baseEntity].accessToken.validTo >= d + 30)) { // avoid simultaneously token requests
       this.lock.release()
-      return this._serviceClient[baseEntity][clientIdentifier].accessToken
+      return this._serviceClient[baseEntity].accessToken
     }
 
     const action = 'getAccessToken'
@@ -166,13 +140,11 @@ export class HelperRest {
       const response = await this.doRequest(baseEntity, method, tokenUrl, form, ctx, connOpt)
       if (!response.body) {
         const err = new Error(`[${action}] No data retrieved from: ${method} ${tokenUrl}`)
-        this.lock.release()
         throw (err)
       }
       const jbody = response.body
       if (jbody.error) {
         const err = new Error(`[${action}] Error message: ${jbody.error_description}`)
-        this.lock.release()
         throw (err)
       }
       if (this.config_entity[baseEntity]?.connection?.auth?.type === 'token') { // in case response using token instead of access_token
@@ -180,7 +152,6 @@ export class HelperRest {
         else if (jbody.accessToken) jbody.access_token = jbody.accessToken
       }
       if (!jbody.access_token) {
-        this.lock.release()
         const err = new Error(`[${action}] Error message: Retrieved invalid token response`)
         throw (err)
       }
@@ -216,20 +187,19 @@ export class HelperRest {
       //
       // path (no url) - default approach and client will be cached based on config
       //
-      const clientIdentifier = this.getClientIdentifier(ctx)
-      if (this._serviceClient[baseEntity] && this._serviceClient[baseEntity][clientIdentifier]) { // serviceClient already exist - token specific
+      if (this._serviceClient[baseEntity]) { // serviceClient already exist - token specific
         this.scimgateway.logDebug(baseEntity, `${action}: Using existing client`)
-        if (this._serviceClient[baseEntity][clientIdentifier].accessToken) {
+        if (this._serviceClient[baseEntity].accessToken) {
           // check if token refresh is needed when using oauth
           const d = Math.floor(Date.now() / 1000) // seconds (unix time)
-          if (this._serviceClient[baseEntity][clientIdentifier].accessToken.validTo < d + 30) { // less than 30 sec before token expiration
-            this.scimgateway.logDebug(baseEntity, `${action}: Accesstoken about to expire in ${this._serviceClient[baseEntity][clientIdentifier].accessToken.validTo - d} seconds`)
+          if (this._serviceClient[baseEntity].accessToken.validTo < d + 30) { // less than 30 sec before token expiration
+            this.scimgateway.logDebug(baseEntity, `${action}: Accesstoken about to expire in ${this._serviceClient[baseEntity].accessToken.validTo - d} seconds`)
             try {
               const accessToken = await this.getAccessToken(baseEntity, ctx)
-              this._serviceClient[baseEntity][clientIdentifier].accessToken = accessToken
-              this._serviceClient[baseEntity][clientIdentifier].options.headers['Authorization'] = ` Bearer ${accessToken.access_token}`
+              this._serviceClient[baseEntity].accessToken = accessToken
+              this._serviceClient[baseEntity].options.headers['Authorization'] = ` Bearer ${accessToken.access_token}`
             } catch (err) {
-              delete this._serviceClient[baseEntity][clientIdentifier]
+              delete this._serviceClient[baseEntity]
               const newErr = err
               throw newErr
             }
@@ -263,53 +233,49 @@ export class HelperRest {
         }
 
         // Supporting  no auth, header based auth (e.g., config {"options":{"headers":{"APIkey":"123"}}}),
-        // basicAuth, bearerAuth, oauth, tokenAuth and auth PassTrough using request header authorization
-        if (ctx?.headers?.authorization) { // Auth PassThrough using ctx header
-          param.options.headers['Authorization'] = ctx.headers.authorization
-        } else {
-          switch (this.config_entity[baseEntity]?.connection?.auth?.type) {
-            case 'basic':
-              if (!this.config_entity[baseEntity]?.connection?.auth?.options?.username || !this.config_entity[baseEntity]?.connection?.auth?.options?.password) {
-                const err = new Error(`auth type 'basic' - missing configuration entity.${baseEntity}.connection.auth.options.username/password`)
-                throw err
-              }
-              param.options.headers['Authorization'] = 'Basic ' + Buffer.from(`${this.config_entity[baseEntity].connection.auth.options.username}:${this.config_entity[baseEntity].connection.auth.options.password}`).toString('base64')
-              break
-            case 'oauth':
-              if (!this.config_entity[baseEntity]?.connection?.auth?.options?.clientId || !this.config_entity[baseEntity]?.connection?.auth?.options?.clientSecret) {
-                const err = new Error(`auth type 'oauth' - missing configuration entity.${baseEntity}.connection.auth.options.clientId/clientSecret`)
-                throw err
-              }
-              param.accessToken = await this.getAccessToken(baseEntity, ctx)
-              param.options.headers['Authorization'] = `Bearer ${param.accessToken.access_token}`
-              break
-            case 'token':
-              if (!this.config_entity[baseEntity]?.connection?.auth?.options?.tokenUrl || !this.config_entity[baseEntity]?.connection?.auth?.options?.password) {
-                const err = new Error(`missing configuration entity.${baseEntity}.connection.auth.options.tokenUrl/password`)
-                throw err
-              }
-              param.accessToken = await this.getAccessToken(baseEntity, ctx)
-              param.options.headers['Authorization'] = `Bearer ${param.accessToken.access_token}`
-              break
-            case 'bearer':
-              if (!this.config_entity[baseEntity]?.connection?.auth?.options?.token) {
-                const err = new Error(`missing configuration entity.${baseEntity}.connection.auth.options.token`)
-                throw err
-              }
-              param.options.headers['Authorization'] = 'Bearer ' + Buffer.from(this.config_entity[baseEntity].connection.auth.options.token).toString('base64')
-              break
-            case 'oauthSamlAssertion':
-              if (!this.config_entity[baseEntity]?.connection?.auth?.options?.clientId || !this.config_entity[baseEntity]?.connection?.auth?.options?.companyId
-                || !this.config_entity[baseEntity]?.connection?.auth?.options?.certificate?.key) {
-                const err = new Error(`auth type 'oauthSamlAssertion' - missing configuration entity.${baseEntity}.connection.auth.options...`)
-                throw err
-              }
-              param.accessToken = await this.getAccessToken(baseEntity, ctx)
-              param.options.headers['Authorization'] = `Bearer ${param.accessToken.access_token}`
-              break
-            default:
-            // no auth
-          }
+        // basicAuth, bearerAuth, oauth, tokenAuth, oauthSamlAssertion and auth PassTrough using request header authorization
+        switch (this.config_entity[baseEntity]?.connection?.auth?.type) {
+          case 'basic':
+            if (!this.config_entity[baseEntity]?.connection?.auth?.options?.username || !this.config_entity[baseEntity]?.connection?.auth?.options?.password) {
+              const err = new Error(`auth type 'basic' - missing configuration entity.${baseEntity}.connection.auth.options.username/password`)
+              throw err
+            }
+            param.options.headers['Authorization'] = 'Basic ' + Buffer.from(`${this.config_entity[baseEntity].connection.auth.options.username}:${this.config_entity[baseEntity].connection.auth.options.password}`).toString('base64')
+            break
+          case 'oauth':
+            if (!this.config_entity[baseEntity]?.connection?.auth?.options?.clientId || !this.config_entity[baseEntity]?.connection?.auth?.options?.clientSecret) {
+              const err = new Error(`auth type 'oauth' - missing configuration entity.${baseEntity}.connection.auth.options.clientId/clientSecret`)
+              throw err
+            }
+            param.accessToken = await this.getAccessToken(baseEntity, ctx)
+            param.options.headers['Authorization'] = `Bearer ${param.accessToken.access_token}`
+            break
+          case 'token':
+            if (!this.config_entity[baseEntity]?.connection?.auth?.options?.tokenUrl || !this.config_entity[baseEntity]?.connection?.auth?.options?.password) {
+              const err = new Error(`missing configuration entity.${baseEntity}.connection.auth.options.tokenUrl/password`)
+              throw err
+            }
+            param.accessToken = await this.getAccessToken(baseEntity, ctx)
+            param.options.headers['Authorization'] = `Bearer ${param.accessToken.access_token}`
+            break
+          case 'bearer':
+            if (!this.config_entity[baseEntity]?.connection?.auth?.options?.token) {
+              const err = new Error(`missing configuration entity.${baseEntity}.connection.auth.options.token`)
+              throw err
+            }
+            param.options.headers['Authorization'] = 'Bearer ' + Buffer.from(this.config_entity[baseEntity].connection.auth.options.token).toString('base64')
+            break
+          case 'oauthSamlAssertion':
+            if (!this.config_entity[baseEntity]?.connection?.auth?.options?.clientId || !this.config_entity[baseEntity]?.connection?.auth?.options?.companyId
+              || !this.config_entity[baseEntity]?.connection?.auth?.options?.certificate?.key) {
+              const err = new Error(`auth type 'oauthSamlAssertion' - missing configuration entity.${baseEntity}.connection.auth.options...`)
+              throw err
+            }
+            param.accessToken = await this.getAccessToken(baseEntity, ctx)
+            param.options.headers['Authorization'] = `Bearer ${param.accessToken.access_token}`
+            break
+          default:
+            // no auth or PassTrough
         }
 
         // proxy
@@ -345,19 +311,21 @@ export class HelperRest {
         }
 
         if (!this._serviceClient[baseEntity]) this._serviceClient[baseEntity] = {}
-        if (!this._serviceClient[baseEntity][clientIdentifier]) this._serviceClient[baseEntity][clientIdentifier] = {}
-        this._serviceClient[baseEntity][clientIdentifier] = param // serviceClient created
+        this._serviceClient[baseEntity] = param // serviceClient created
 
-        // OData support - note, not using [clientIdentifier]
+        // OData support
         this._serviceClient[baseEntity].nextLink = {} // OData pagination (Entra ID)
         this._serviceClient[baseEntity].nextLink.users = null
         this._serviceClient[baseEntity].nextLink.groups = null
       }
 
-      const cli: any = utils.copyObj(this._serviceClient[baseEntity][clientIdentifier]) // client ready
+      if (ctx?.headers?.get) { // Auth PassThrough using ctx header
+        this._serviceClient[baseEntity].options.headers['Authorization'] = ctx.headers.get('authorization')
+      }
+      const cli: any = utils.copyObj(this._serviceClient[baseEntity]) // client ready
 
       // failover support
-      path = this._serviceClient[baseEntity][clientIdentifier].baseUrl + path
+      path = this._serviceClient[baseEntity].baseUrl + path
       urlObj = new URL(path)
       cli.options.host = urlObj.hostname
       cli.options.port = urlObj.port
@@ -413,11 +381,10 @@ export class HelperRest {
   /**
    * updateServiceClient merges obj with _serviceClient
    * @param baseEntity 
-   * @param clientIdentifier 
    * @param obj 
    */
-  private updateServiceClient(baseEntity: string, clientIdentifier: string, obj: any) {
-    if (this._serviceClient[baseEntity] && this._serviceClient[baseEntity][clientIdentifier]) this._serviceClient[baseEntity][clientIdentifier] = utils.extendObj(this._serviceClient[baseEntity][clientIdentifier], obj)
+  private updateServiceClient(baseEntity: string, obj: any) {
+    if (this._serviceClient[baseEntity]) this._serviceClient[baseEntity] = utils.extendObj(this._serviceClient[baseEntity], obj)
   }
 
   /**
@@ -517,17 +484,16 @@ export class HelperRest {
     } catch (err: any) { // includes failover/retry logic based on config baseUrls array
       let statusCode
       try { statusCode = JSON.parse(err.message).statusCode } catch (e) { void 0 }
-      if (statusCode === 404) { // not logged as error, let caller decide e.g. getUser-manager
-        this.scimgateway.logDebug(baseEntity, `doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
-      } else this.scimgateway.logError(baseEntity, `doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
-      const clientIdentifier = this.getClientIdentifier(ctx)
       if (err.message.includes('ratelimit')) { // have seen throttling not follow standard 429/retry-after, but instead using 500 and error message only
         if (!retryAfter) retryAfter = 60
       }
       if (!retryCount) retryCount = 0
       let urlObj
       try { urlObj = new URL(path) } catch (err) { void 0 }
-      if (!urlObj && (err.code === 'ECONNREFUSED' || err.code === 'ENOTFOUND' || err.code === 'ABORT_ERR' || err.code === 'ETIMEDOUT' || retryAfter)) {
+      let isServiceClient = !urlObj && this._serviceClient[baseEntity] && !this.lock.isLocked() // !isLocked to avoid retry ongoing doRequest with failing getAccessToken()
+      let oAuthTokeErr = statusCode === 401 && this.config_entity[baseEntity].connection?.auth?.type && this.config_entity[baseEntity].connection.auth.type.startsWith('oauth')
+      if (isServiceClient && (err.code === 'ECONNREFUSED' || err.code === 'ENOTFOUND' || err.code === 'ABORT_ERR' || err.code === 'ETIMEDOUT' || oAuthTokeErr || retryAfter)) {
+        this.scimgateway.logDebug(baseEntity, `doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
         if (retryAfter) {
           this.scimgateway.logDebug(baseEntity, `doRequest ${method} ${path} throttle/ratelimit error - awaiting ${retryAfter} seconds before automatic retry`)
           await new Promise(resolve => setTimeout(function () {
@@ -536,18 +502,25 @@ export class HelperRest {
         }
         if (retryCount < this.config_entity[baseEntity].connection.baseUrls.length) {
           retryCount++
-          this.updateServiceClient(baseEntity, clientIdentifier, { baseUrl: this.config_entity[baseEntity].connection.baseUrls[retryCount - 1] })
+          this.updateServiceClient(baseEntity, { baseUrl: this.config_entity[baseEntity].connection.baseUrls[retryCount - 1] })
           this.scimgateway.logDebug(baseEntity, `${(this.config_entity[baseEntity].connection.baseUrls.length > 1) ? 'failover ' : ''}retry[${retryCount}] using baseUrl = ${this._serviceClient[baseEntity].baseUrl}`)
+          if (oAuthTokeErr) {
+            delete this._serviceClient[baseEntity] // ensure new getAccessToken request - token used should not have been expired, but rejected for other reason e.g. token server restart and no persistent token store?
+          }
           const ret = await this.doRequestHandler(baseEntity, method, path, body, ctx, opt, retryCount) // retry
           return ret // problem fixed
         } else {
+          if (statusCode === 404) { // not logged as error e.g. getUser-manager
+            this.scimgateway.logDebug(baseEntity, `doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
+          } else this.scimgateway.logError(baseEntity, `doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
           throw err
         }
       } else {
-        if (statusCode === 401 && this._serviceClient[baseEntity]) {
-          delete this._serviceClient[baseEntity][clientIdentifier]
-        }
-        throw err // CA IM retries getUser failure once (retry 6 times on ECONNREFUSED)
+        if (statusCode === 404) { // not logged as error e.g. getUser-manager
+          this.scimgateway.logDebug(baseEntity, `doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
+        } else this.scimgateway.logError(baseEntity, `doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
+        if (statusCode === 401) delete this._serviceClient[baseEntity]
+        throw err
       }
     }
   }

package/lib/scimgateway.ts

@@ -698,7 +698,6 @@ export class ScimGateway {
           }
           if (tokenObj.baseEntities) {
             if (Array.isArray(tokenObj.baseEntities) && tokenObj.baseEntities.length > 0) {
-              if (!baseEntity) return reject(new Error(`baseEntity=${baseEntity} not allowed for this bearerOAuth according to bearerOAuth configuration baseEntitites=${tokenObj.baseEntities}`))
               if (!tokenObj.baseEntities.includes(baseEntity)) return reject(new Error(`baseEntity=${baseEntity} not allowed for this bearerOAuth according to bearerOAuth configuration baseEntitites=${tokenObj.baseEntities}`))
             }
           }
@@ -706,7 +705,11 @@ export class ScimGateway {
           return resolve(true)
         } else {
           for (let i = 0; i < arr.length; i++) { // resolve if token memory store have been cleared because of a gateway restart
-            if (utils.getEncrypted(authToken, arr[i].client_secret) === arr[i].client_secret && !arr[i].isTokenRequested) {
+            if (arr[i].isTokenRequested || !arr[i].clientSecret) continue
+            if (arr[i].baseEntities && Array.isArray(arr[i].baseEntities) && arr[i].baseEntities.length > 0) {
+              if (!arr[i].baseEntities.includes(baseEntity)) continue
+            }
+            if (utils.getEncrypted(authToken, arr[i].clientSecret) === arr[i].clientSecret) {
               arr[i].isTokenRequested = true // flagged as true to not allow repeated resolvements because token will also be cleared when expired
               const baseEntities = utils.copyObj(arr[i].baseEntities)
               let expires
@@ -774,8 +777,21 @@ export class ScimGateway {
         if (ctx.request.url !== '/favicon.ico') logger.error(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${err.message}`)
         return false
       } catch (err: any) {
-        if (authType === 'Bearer') ctx.response.headers.set('WWW-Authenticate', 'Bearer realm=""')
-        else ctx.response.headers.set('WWW-Authenticate', 'Basic realm=""')
+        if (authType === 'Bearer') {
+          let str = 'realm=""'
+          if (err?.name === 'invalid_token') {
+            str += `, error="${err.name}"`
+            if (err.message) {
+              str += `, error_description="${err.message}"`
+              const errMsg = {
+                error: err.name,
+                error_description: err.message,
+              }
+              ctx.response.body = JSON.stringify(errMsg)
+            }
+          }
+          ctx.response.headers.set('WWW-Authenticate', `Bearer ${str}`)
+        } else ctx.response.headers.set('WWW-Authenticate', 'Basic realm=""')
         if (pwErrCount < 3) {
           pwErrCount += 1
           logger.error(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${ctx.request.url} ${err.message}`)
@@ -826,21 +842,16 @@ export class ScimGateway {
         ctx.response.status = 500
         return
       }
-
       let jsonBody = ctx.request.body
       try {
         if (!jsonBody) throw new Error('missing body')
-        if (typeof jsonBody !== 'object') { // might have application/x-www-form-urlencoded body, but incorrect Content-Type header
+        if (typeof jsonBody !== 'object') { // might have application/x-www-form-urlencoded or multipart/form-data body, but incorrect Content-Type header
           logger.debug(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] [oauth] continue request validation even though incorrect body vs header Content-Type: ${ctx.request.headers.get('content-type')}`)
-          const arr = jsonBody.split('&')
-          const body: Record<string, any> = {}
-          arr.forEach((kv: string) => {
-            const a = kv.split('=')
-            if (a.length === 2) {
-              body[a[0]] = decodeURIComponent(a[1])
-            }
-          })
-          if (Object.keys(body).length < 1) throw new Error('body is not JSON nor application/x-www-form-urlencoded')
+          let body = utils.formUrlEncodedToJSON(jsonBody)
+          if (Object.keys(body).length < 1) {
+            body = utils.formDataMultipartToJSON(jsonBody)
+            if (Object.keys(body).length < 1) throw new Error('body is not JSON, application/x-www-form-urlencoded nor multipart/form-data')
+          }
           ctx.request.body = body // now json - ensure final info log will be masked
           jsonBody = body
         }
@@ -2294,14 +2305,9 @@ export class ScimGateway {
       } catch (err: any) {
         const contentType = request.headers.get('content-type')
         if (contentType && contentType.toLowerCase().startsWith('application/x-www-form-urlencoded')) {
-          const arr = bodyString.split('&') // "grant_type=client_credentials&client_id=id&client_secret=secret"
-          body = {}
-          arr.forEach((kv: string) => {
-            const a = kv.split('=')
-            if (a.length === 2) {
-              body[a[0]] = decodeURIComponent(a[1])
-            }
-          })
+          body = utils.formUrlEncodedToJSON(bodyString)
+        } else if (contentType && contentType.toLowerCase().startsWith('multipart/form-data')) {
+          body = utils.formDataMultipartToJSON(bodyString)
         } else if (bodyString) body = bodyString
       }
 

package/lib/utils.ts

@@ -14,18 +14,20 @@ import fs from 'node:fs'
 import path from 'node:path'
 import { EventEmitter } from 'node:events'
 
-// mutual exclusion ref: https://thecodebarbarian.com/mutual-exclusion-patterns-with-node-promises
+/** Lock implements mutual exclusion
+ *  reference: https://thecodebarbarian.com/mutual-exclusion-patterns-with-node-promises
+ */
 export class Lock {
-  private _locked: boolean
+  private _locked = false
   private _ee: any
   constructor() {
     this._locked = false
     this._ee = new EventEmitter()
   }
 
+  /** If nobody has the lock, take it and resolve immediately else wait until released */
   acquire() {
     return new Promise((resolve) => {
-      // If nobody has the lock, take it and resolve immediately
       if (!this._locked) {
         // Safe because JS doesn't interrupt you on synchronous operations,
         // so no need for compare-and-swap or anything like that.
@@ -45,11 +47,16 @@ export class Lock {
     })
   }
 
+  /** Release the lock immediately */
   release() {
-    // Release the lock immediately
     this._locked = false
     setImmediate(() => this._ee.emit('release'))
   }
+
+  /** Return status of lock true/false */
+  isLocked(): boolean {
+    return this._locked
+  }
 }
 
 export const getSecret = function (dotNotationAttr: string, configFile: string) {
@@ -606,3 +613,53 @@ export const createRandomPassword = function (len: number, ...set: string[]) {
   }
   return res
 }
+
+/**
+ * formUrlEncodedToJSON converts application/x-www-form-urlencoded request body to json
+  * @param body http request body string
+  * @returns json formatted body
+ */
+export const formUrlEncodedToJSON = function (body?: string): Record<string, any> {
+  if (!body) return {}
+  const arr = body.split('&') // "grant_type=client_credentials&client_id=id&client_secret=secret"
+  const json: Record<string, any> = {}
+  for (const kv of arr) {
+    const a = kv.split('=')
+    if (a.length === 2) {
+      try {
+        json[a[0]] = decodeURIComponent(a[1])
+      } catch (err) { return {} }
+    }
+  }
+  return json
+}
+
+/**
+ * formDataMultipartToJSON converts multipart/form-data request body to json - Content-Type: multipart/form-data;boundary="<some-delimiter>"
+  * @param body request body
+  * @param boundary the boundary/delimiter defiend in header Content-Type: multipart/form-data;boundary="<some-delimiter>"
+  * @returns json formatted body
+ */
+export const formDataMultipartToJSON = function (body?: string, boundary?: string): Record<string, any> {
+  if (!body) return {} // --delimiter123\nContent-Disposition: form-data; name="field1"\n\nvalue1\n--delimiter123\nContent-Disposition: form-data; name="field2"; filename="example.txt"\n\nvalue2
+  if (!boundary) { // if boundary is missing, try to infer it
+    const inferredBoundary = body.match(/^--([^\r\n]+)/)
+    if (inferredBoundary) {
+      boundary = inferredBoundary[1]
+    } else return {} // No boundary found
+  }
+  const parts = body.split(`--${boundary}`).filter(part => part.trim() && !part.includes('--'))
+  const json: Record<string, any> = {}
+  for (const part of parts) {
+    const [headers, value] = part.split(/\r?\n\r?\n/)
+    const nameMatch = headers.match(/name="([^"]+)"/)
+    if (nameMatch) {
+      const key = nameMatch[1]
+      json[key] = value.trim()
+      try {
+        json[key] = decodeURIComponent(json[key])
+      } catch (err) { return {} }
+    }
+  }
+  return json
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "5.0.10",
+  "version": "5.0.12",
   "type": "module",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
@@ -41,19 +41,19 @@
     "@types/tedious": "^4.0.14",
     "dot-object": "^2.1.5",
     "fold-to-ascii": "^5.0.1",
-    "https-proxy-agent": "^7.0.4",
+    "https-proxy-agent": "^7.0.6",
     "is-in-subnet": "^4.0.1",
     "jsonwebtoken": "^9.0.2",
     "ldapjs": "^3.0.7",
     "lokijs": "^1.5.12",
-    "mongodb": "^6.6.2",
+    "mongodb": "^6.12.0",
     "nats": "^2.28.2",
     "node-machine-id": "1.1.12",
-    "nodemailer": "^6.9.13",
+    "nodemailer": "^6.9.16",
     "passport": "^0.7.0",
     "passport-azure-ad": "^4.3.5",
     "saml": "^3.0.1",
-    "winston": "^3.13.0"
+    "winston": "^3.17.0"
   },
   "peerDependencies": {
     "typescript": "^5.0.0"