scimgateway 5.3.8 → 5.4.0

package/README.md

@@ -19,10 +19,7 @@ Latest news:
 - [Azure Relay](https://learn.microsoft.com/en-us/azure/azure-relay/relay-what-is-it) is now supported for secure and hassle-free outbound communication — with just one minute of configuration
 - [ETag](https://datatracker.ietf.org/doc/html/rfc7644#section-3.14) is now supported
 - [Bulk Operations](https://datatracker.ietf.org/doc/html/rfc7644#section-3.7) is now supported
-- Remote real-time log subscription for monitoring and centralized logging  
-using browser and url: `https://<host>/logger`  
-`curl -N https://<host>/logger -u user:password`  
-custom client API, see configuration notes  
+- Remote real-time log subscription for centralized logging and monitoring. Using browser `https://<host>/logger`, curl or custom client API - see configuration notes  
 - By configuring the chainingBaseUrl, it is now possible to chain multiple gateways in sequence, such as `gateway1->gateway2->gateway3->endpoint`. In this setup, gateway beave much like a reverse proxy, validating authorization at each step unless PassThrough mode is enabled. Chaining is also supported in stream subscriber mode
 - Email, onError and sendMail() supports more secure RESTful OAuth for Microsoft Exchange Online (ExO) and Google Workspace Gmail, alongside traditional SMTP Auth for all mail systems. HelperRest supports a wide range of common authentication methods, including basicAuth, bearerAuth, tokenAuth, oauth, oauthSamlBearer, oauthJwtBearer and Auth PassTrough 
 - Major version **v5.0.0** marks a shift from JavaScript to native TypeScript and prioritizes [Bun](https://bun.sh/) over Node.js. This upgrade requires some modifications to existing plugins.  
@@ -139,7 +136,7 @@ If internet connection is blocked, we could install on another machine and copy
 	http://localhost:8880/Groups
 	=> Logon using gwadmin/password and two users and groups should be listed  
 
-	Start a new browser for log monitoring (might not be supported by Safari) 
+	Start a new browser for remote log monitoring
 	using url: http://localhost:8880/logger
 
 	http://localhost:8880/Users/bjensen
@@ -397,7 +394,7 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **log.loglevel.console** - off, debug, info, warn or error. Default off. Output to stdout and errors to stderr
 
-- **log.loglevel.push** - off, debug, info, warn or error. Default info. Push to stream that can be used by client subscriber
+- **log.loglevel.push** - off, debug, info, warn or error. Default info. Push to stream used by remote real-time log subscription
 
 - **log.logDirectory** - custom defined log directory e.g. `/var/log/scimgateway` that will override default `<scimgateway path>/logs`. If not exist it will be created.
 
@@ -750,9 +747,11 @@ Please see code editor method HelperRest doRequest() IntelliSense for type and o
 Using remote real-time log subscription we may implement custom logic like monitoring and centralized logging
 
 - using browser and url: https://host/logger  
-- curl -N https://host/logger -u gwread:password  
-- curl -N https://host/logger -H "Authorization: Bearer secret"  
-- custom client API
+- curl -Ns https://host/logger -u gwread:password | sed 's/\xE2\x80\x8B//g'  
+- curl -Ns https://host/logger -H "Authorization: Bearer secret" | sed 's/\xE2\x80\x8B//g'  
+	(-s and sed to ignore keep-alive character)
+- custom client API (see example below)
+- not supported by Azure Relay
 
 We may configure read-only user/secret for log collection purpose    
 
@@ -781,8 +780,8 @@ We may configure read-only user/secret for log collection purpose
 	  ...
 	}
 
-push logger using default `info` log level  
-push log level may be customized by configuration  
+Remote log subscription is configured by log.loglevel.push and the push logger has default loglevel set to `info` 
+Example using debug loglevel:
 
 	"log": {
 	  "loglevel": {
@@ -790,57 +789,71 @@ push log level may be customized by configuration
 	  }
 	}
 
-Example code implementing subscriber for real-time log messages collection  
+Example code implementing remote real-time log subscription and custom message handling  
 
-	let headers = new Headers()
-	headers.append('Authorization', 'Basic ' + btoa('gwadmin' + ':' + 'password'))
-	
-	// message handling and custom logic
-	// we could also do JSON.parse(message) and granular filtering on log "level"
-	const messageHandler = async (message: string) => {
-	  console.log(message)
-	}
-	
-	let ignoreCatch = false
-	do { // retry loop when connection closed or service unavailable
-	  if (ignoreCatch) ignoreCatch = false
-	
-	  try {
-	    const resp = await fetch("http://localhost:8880/logger", {
-	      method: "GET",
-	      headers: headers,
-	    })
-	
-	    const reader = resp.body.pipeThrough(new TextDecoderStream()).getReader()
-	    console.log('Now awaiting log events...\n')
-	
-	    while (true) {
-	      const { value, done } = await reader.read()
-	      if (done) break
-	      if (value.at(-1) !== '\n') continue
-	      const message = value.slice(0, -1)
-	      messageHandler(message)
-	    }
-	
-	    // shouldn't be here... authentication failure?
-	    const e = {
- 	     url: resp.url,
-	      status: resp.status,
-	      statusText: resp.statusText
-	    }
-	    console.error('error', e)
-	
-	  } catch (err: any) {
-	    if (['ConnectionClosed', 'ConnectionRefused', 'ECONNRESET'].includes(err.code)) {
-	      console.log('Connection closed or service unavailable')
-	      ignoreCatch = true
-	      await Bun.sleep(10 * 1000)
-	    } else console.error(err)
-	  }
-	
-	} while (ignoreCatch)
-	
-	console.log('\n\ndone!')
+```
+// startup: bun <scriptname.ts>
+// update url (ws or wss) and the auth according to environment used
+const url = 'ws://localhost:8880/logger'
+const auth = 'Basic ' + btoa('gwadmin' + ':' + 'password') // const auth = 'Bearer ' + 'secret'
+
+const tls: any = {}
+if (url.startsWith('wss:')) {
+    tls.ca = [Bun.file('/path/to/self-signed-cert.pem')], // only needed for self-signed certs
+    tls.rejectUnauthorized = false
+}
+
+// messageHandler implements message handling and custom logic
+// could also use JSON.parse(message) and granular filtering on log "level"
+const messageHandler = async (message: string) => {
+    console.log(message)
+}
+
+const startWebSocket = async () => {
+    try {
+        const ws = new WebSocket(url, {
+            headers: {
+                Authorization: auth,
+            },
+            tls,
+        })
+
+        // message is received
+        ws.addEventListener("message", event => {
+            messageHandler(event.data)
+        });
+
+        // socket opened
+        ws.addEventListener("open", event => {
+            console.log('✅ Now awaiting log events...\n')
+        });
+
+        // socket closed
+        ws.addEventListener("close", event => {
+            let addInfo = ''
+            if (event.code === 1002) addInfo = ' => most likely authentication failure?'
+            console.warn(`⚠️ Connection closed (${event.code}): ${event.reason || 'no reason'}${addInfo}`)
+            retry()
+        });
+
+        // error handler
+        ws.addEventListener("error", event => {
+            // console.error('❌ WebSocket error:', event.message)
+        });
+
+    } catch (err: any) {
+        console.error('❌ Unexpected error:', err)
+    }
+}
+
+const retry = async () => {
+    console.log('🔁 Retry in 10 seconds...')
+    await Bun.sleep(10 * 1000)
+    startWebSocket()
+}
+
+startWebSocket()
+```
 
 ### Configuration notes - Azure Relay
 
@@ -1460,7 +1473,11 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
-## Change log  
+### v5.4.0
+
+[Improved]
+
+- Remote real-time log subscription now prioritize using WebSocket over SSE. Using browser will show loglevel colors. If running Node.js, WebSocket is not supported and SSE will be used. Remote logger is not supported by Azure Relay.
 
 ### v5.3.8
 

package/lib/scimgateway.ts

@@ -26,8 +26,6 @@ import * as utils from './utils.ts'
 import * as utilsScim from './utils-scim.ts'
 import * as stream from './scim-stream.js'
 export * from './helper-rest.ts'
-// @ts-expect-error: has no declaration
-import * as hycoPkg from 'hyco-https'
 
 export class ScimGateway {
   private config: any
@@ -39,6 +37,7 @@ export class ScimGateway {
   private getMemberOf: any
   private getAppRoles: any
   private pub: any
+  private Nonce = new utils.TimerMapCache(2000)
   // @ts-expect-error: has no initializer
   private helperRest: HelperRest
   /** pluginName is the name of plugin e.g., plugin-loki */
@@ -566,7 +565,7 @@ export class ScimGateway {
     }
 
     const logResult = async (ctx: Context) => {
-      if (ctx.path === '/ping' || ctx.path === '/favicon.ico') return
+      if (ctx.path === '/ping' || ctx.path === '/favicon.ico' || ctx.path.startsWith('/apple-touch-icon')) return
       const ellapsed = performance.now() - ctx.perfStart
       let userName
       const [authType, authToken] = (ctx.request.headers.get('authorization') || '').split(' ') // [0] = 'Basic' or 'Bearer'
@@ -774,7 +773,7 @@ export class ScimGateway {
 
     // end auth methods - used by auth
 
-    const isAuthorized = async (ctx: Context): Promise<boolean> => { // authentication/authorization 
+    const isAuthorized = async (ctx: Context): Promise<boolean> => { // authentication/authorization
       const [authType, authToken] = (ctx.request.headers.get('authorization') || '').split(' ') // [0] = 'Basic' or 'Bearer'
       try { // authenticate
         const arrResolve = await Promise.all([
@@ -799,7 +798,7 @@ export class ScimGateway {
         }
         if (authType === 'Bearer') ctx.response.headers.set('WWW-Authenticate', 'Bearer realm=""')
         else if (found.Basic) ctx.response.headers.set('WWW-Authenticate', 'Basic realm=""')
-        if (ctx.request.url !== '/favicon.ico') logger.error(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${err.message}`)
+        if (ctx.request.url !== '/favicon.ico' && !ctx.request.url.startsWith('/apple-touch-icon')) logger.error(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${err.message}`)
         return false
       } catch (err: any) {
         if (authType === 'Bearer') {
@@ -877,7 +876,7 @@ export class ScimGateway {
     funcHandler.getHandlerServiceProviderConfig = getHandlerServiceProviderConfig
 
     // getHandlerLogger implements SSE based online publisher for log events
-    const getHandlerLogger = async (ctx: Context) => {
+    const getHandlerLoggerSSE = async (ctx: Context) => {
       const levelInt = logger.levelToInt(this.config?.scimgateway?.log?.loglevel?.push || 'info')
       const encoder = new TextEncoder()
 
@@ -900,6 +899,7 @@ export class ScimGateway {
               clearInterval(keepAliveInterval)
               logger.unsubscribe(sub)
               controller.close()
+              logger.info(`${gwName}[${pluginName}] remote logger disconnected from ip address ${ctx.ip}`)
             }
 
             ctx.request.signal.onabort = cleanup // Bun
@@ -1108,7 +1108,6 @@ export class ScimGateway {
           } else if (eTagIfNoneMatch && (eTagIfNoneMatch.includes(eTag) || eTagIfNoneMatch.includes('*'))) {
             ctx.response.headers.set('ETag', eTag)
             ctx.response.status = 304 // Not Modified
-            ctx.response.body = ''
             return
           }
         }
@@ -1623,7 +1622,6 @@ export class ScimGateway {
           } else if (eTagIfNoneMatch && (eTagIfNoneMatch.includes(eTag) || eTagIfNoneMatch.includes('*'))) {
             ctx.response.headers.set('ETag', eTag)
             ctx.response.status = 412 // Precondition Failed
-            ctx.response.body = ''
             return
           }
       }
@@ -1901,7 +1899,6 @@ export class ScimGateway {
         ctx.request.headers.delete('if-none-match')
         await getHandlerId(ctx) // ctx.response.body now updated with userObject to be returned
         if (ctx.response.status && ctx.response.status !== 200) { // clear any get error
-          ctx.response.body = undefined
           ctx.response.status = 204
         }
       } catch (err: any) {
@@ -2534,6 +2531,7 @@ export class ScimGateway {
       if (ctx.path === '/ping') {
         ctx.response.status = 200
         ctx.response.body = 'hello'
+        ctx.response.headers.set('content-type', 'text/plain')
         return ctx
       }
       if (ctx.path === '/_ah/start' || ctx.path === '/_ah/stop') {
@@ -2590,6 +2588,7 @@ export class ScimGateway {
           ctx.response.body = JSON.stringify(result.body)
         } catch (err) {
           ctx.response.body = result.body
+          ctx.response.headers.set('content-type', 'text/plain')
         }
       } catch (err: any) {
         try {
@@ -2622,24 +2621,34 @@ export class ScimGateway {
       if (!ctx.response.status) ctx.response.status = 200
       switch (ctx.response.status) {
         case 401:
-          if (!ctx.response.body) ctx.response.body = 'Unauthorized'
+          if (!ctx.response.body) {
+            ctx.response.body = 'Unauthorized'
+            ctx.response.headers.set('content-type', 'text/plain')
+          }
           break
         case 403:
-          if (!ctx.response.body) ctx.response.body = 'Forbidden'
+          if (!ctx.response.body) {
+            ctx.response.body = 'Forbidden'
+            ctx.response.headers.set('content-type', 'text/plain')
+          }
           break
         case 404:
-          if (!ctx.response.body) ctx.response.body = 'NOT_FOUND'
+          if (!ctx.response.body) {
+            ctx.response.body = 'NOT_FOUND'
+            ctx.response.headers.set('content-type', 'text/plain')
+          }
           break
         case 500:
-          if (!ctx.response.body) ctx.response.body = 'Internal Server Error'
+          if (!ctx.response.body) {
+            ctx.response.body = 'Internal Server Error'
+            ctx.response.headers.set('content-type', 'text/plain')
+          }
           break
       }
-      const body = ctx.response.body
-      if (body) {
-        try {
-          JSON.parse(body)
-          ctx.response.headers.set('content-type', 'application/scim+json; charset=utf-8')
-        } catch (err) { void 0 }
+      let body = ctx.response.body
+      if (body === '') body = undefined
+      if (body && !ctx.response.headers.has('content-type')) {
+        ctx.response.headers.set('content-type', 'application/scim+json; charset=utf-8')
       }
       const response = new Response(body, { status: ctx.response.status, headers: ctx.response.headers })
       logResult(ctx)
@@ -2693,7 +2702,42 @@ export class ScimGateway {
       const isPublisherEnabled = this.config.scimgateway.stream.publisher.enabled
       const isChainingEnabled = this.config.scimgateway.chainingBaseUrl
 
-      async function route(req: Request & { raw: IncomingMessage }, ip: string): Promise<Response> {
+      const wssInit = `
+      <!DOCTYPE html>
+      <html>
+      <body>
+        <h3>SCIM Gateway remote logger</h3>
+        <pre id="log"></pre>
+        <script>
+          const logElem = document.getElementById('log')
+          const ws = new WebSocket('{{protocol}}//' + location.host + '/logger')
+          ws.onmessage = function(event) {
+            event.data.split('\\n').forEach(function(line) {
+              if (!line.trim()) return
+              // Highlight only the log level
+              var htmlLine = line.replace(
+                /(level":"\\s*)(debug|info|warn|error)/i,
+                function(match, p1, p2) {
+                  var color = ''
+                  switch (p2.toLowerCase()) {
+                    case 'debug': color = '#888'; break
+                    case 'info':  color = 'blue'; break
+                    case 'warn':  color = 'orange'; break
+                    case 'error': color = 'red'; break
+                    default: color = 'black'
+                  }
+                  return p1 + '<span style="color:' + color + ';font-weight:bold">' + p2 + '</span>'
+                }
+              );
+              logElem.innerHTML += htmlLine + '<br>'
+            })
+          }
+        </script>
+      </body>
+      </html>
+      `
+
+      const route = async (req: Request & { raw: IncomingMessage }, ip: string): Promise<Response> => {
         const ctx = await onBeforeHandle(req, ip)
         if (ctx.response.status) { // 401/Unauthorized - 404/NOT_FOUND
           return await onAfterHandle(ctx)
@@ -2728,8 +2772,29 @@ export class ScimGateway {
           case 'GET serviceproviderconfigs':
             await getHandlerServiceProviderConfig(ctx)
             return await onAfterHandle(ctx)
-          case 'GET logger':
-            return await getHandlerLogger(ctx) // no onAfterHandle
+          case 'GET logger': // no onAfterHandle
+            if (req.headers.get('upgrade')?.toLowerCase() === 'websocket') { // browser step 2, and other Bun ws(s) clients
+              logger.info(`${gwName}[${pluginName}] remote logger connected from ip address ${ctx.ip}`)
+              return server.upgrade(req, { // after upgrade, the server will handle the WebSocket connection configured in Bun.serve()
+                data: { // passed to WebSocket server Bun open handler
+                  headers: req.headers,
+                  url: req.url,
+                  ip: ctx.ip,
+                  nonce: this.Nonce.createItem(crypto.randomUUID()),
+                },
+              })
+            }
+            if (req.headers.has('sec-fetch-dest') && typeof Bun !== 'undefined') { // client is browser and not supporting WebSocket on Node.js
+              const url = new URL(ctx.origin)
+              const protocol = (url.protocol === 'https:' ? 'wss:' : 'ws:')
+              const js = wssInit.replace('{{protocol}}', protocol)
+              return new Response(js, { // browser step 1 => force WebSocket by sending javascript
+                status: 200,
+                headers: {
+                  'Content-Type': 'text/html; charset=utf-8',
+                },
+              })
+            } else return await getHandlerLoggerSSE(ctx) // using SSE for none WebSocket/wss e.g. curl -Ns http://localhost:8880/logger -u gwadmin:password | sed 's/\xE2\x80\x8B//g'
           case 'PATCH users':
           case 'PATCH groups':
             await patchHandler(ctx)
@@ -2779,14 +2844,44 @@ export class ScimGateway {
           idleTimeout,
           hostname, // hostname === 'localhost' ? hostname : undefined, // bun defaults to '0.0.0.0', but using '0.0.0.0.' or other ip like '127.0.0.1' becomes extremly slow - bun bug
           tls,
-          async fetch(req, srv) {
-            // start route processing and return response
+          fetch: async (req, srv) => {
+            // start route handlers
             const reqWithRaw = req as Request & { raw: IncomingMessage }
             return await route(reqWithRaw, srv.requestIP(req)?.address || '')
           },
-          error(err) {
-            logger.error(`${gwName} internal error: ${err.message}`)
-            return new Response('Internal Server Error', { status: 500 })
+          websocket: {
+            open: (ws) => {
+              const data = ws.data as { headers: Headers, url: string, ip: string, nonce: string } || {}
+              let isAuthorized = false // client is already authenticated by initial http/https upgrade to websocket, anyhow passing data to be validated
+              if (data?.nonce && this.Nonce.isItemValid(data.nonce)) {
+                if (data.headers.has('authorization')) {
+                  if (data.url.endsWith('/logger')) isAuthorized = true
+                }
+              }
+              if (!isAuthorized) {
+                logger.error(`${gwName}[${pluginName}] remote logger ip address ${data.ip} - WebSocket connection error: invalid nonce`)
+                ws.close(3000, 'Unauthorized')
+                return
+              }
+
+              const levelInt = logger.levelToInt(this.config?.scimgateway?.log?.loglevel?.push || 'info')
+              const sub = async (msgObj: Record<string, any>) => {
+                if (logger.levelToInt(msgObj.level) < levelInt) return
+                ws.send(`${JSON.stringify(msgObj)}`)
+              }
+              logger.subscribe(sub)
+              ;(ws as any)._sub = sub
+              ;(ws as any)._ip = data.ip
+            },
+            close: (ws) => {
+              const sub = (ws as any)._sub
+              const ip = (ws as any)._ip
+              if (sub) {
+                logger.unsubscribe(sub)
+              }
+              logger.info(`${gwName}[${pluginName}] remote logger disconnected from ip address ${ip}`)
+            },
+            message: () => {},
           },
         })
       } else {
@@ -2871,6 +2966,8 @@ export class ScimGateway {
                 const bodyText = await streamToString(response.body)
                 res.end(bodyText)
               }
+            } else {
+              res.end()
             }
           } catch (err: any) {
             logger.error(`${gwName} internal error: ${err.message}`)
@@ -2882,48 +2979,53 @@ export class ScimGateway {
         // create nodejs server and start listen
         if (this.config.scimgateway.azureRelay?.enabled === true) {
           // Azure Relay listener server
-          let url: URL = {} as URL
-          try {
-            url = new URL(this.config.scimgateway.azureRelay.connectionUrl) // Azure Relay hybrid connection URL: 'https://<namespace>.servicebus.windows.net/<hybrid-connection-name>'
-          } catch (err: any) {
-            logger.error(`${gwName}[${pluginName}] Azure Relay configuration scimgateway.azureRelay.connectionUrl - error: ${err.message}`)
-          }
-          const hyco = hycoPkg.default || hycoPkg
-          const ns = url.hostname// <namespace>.servicebus.windows.net
-          const path = url?.pathname?.replace(/^[\s\/]+|[\s\/]+$/g, '') // <hybrid-connection-name> - removing any leading/trailing whitespace and '/'  
-          const keyrule = this.config.scimgateway.azureRelay.keyRule || 'RootManageSharedAccessKey'
-          const key = this.config.scimgateway.azureRelay.apiKey || '' // Azure Relay - SAS Primary Key
-          const uri = hyco.createRelayListenUri(ns, path) // wss://<namespace>.servicebus.windows.net:443/$hc/<hybrid-connection-name>?sb-hc-action=listen
-
-          server = hyco.createRelayedServer(
-            {
-              server: uri,
-              token: () => hyco.createRelayToken(uri, keyrule, key),
-            },
-            async (req: IncomingMessage, res: ServerResponse) => {
-              doFetchApi(req, res)
-            })
-          server.listen()
-
-          { // check if Azure Relay listener is working by sending a 5 sec delayed ping request
-            let options = {
-              connection: {
-                options: {
-                  headers: {
-                    ServiceBusAuthorization: hyco.createRelayToken(uri, keyrule, key),
+          (async () => {
+            // @ts-expect-error: has no declaration
+            const hycoPkg = await import('hyco-https')
+            const hyco = hycoPkg.default || hycoPkg
+            let url: URL = {} as URL
+            try {
+              url = new URL(this.config.scimgateway.azureRelay.connectionUrl) // Azure Relay hybrid connection URL: 'https://<namespace>.servicebus.windows.net/<hybrid-connection-name>'
+            } catch (err: any) {
+              logger.error(`${gwName}[${pluginName}] Azure Relay configuration scimgateway.azureRelay.connectionUrl - error: ${err.message}`)
+            }
+
+            const ns = url.hostname// <namespace>.servicebus.windows.net
+            const path = url?.pathname?.replace(/^[\s\/]+|[\s\/]+$/g, '') // <hybrid-connection-name> - removing any leading/trailing whitespace and '/'  
+            const keyrule = this.config.scimgateway.azureRelay.keyRule || 'RootManageSharedAccessKey'
+            const key = this.config.scimgateway.azureRelay.apiKey || '' // Azure Relay - SAS Primary Key
+            const uri = hyco.createRelayListenUri(ns, path) // wss://<namespace>.servicebus.windows.net:443/$hc/<hybrid-connection-name>?sb-hc-action=listen
+
+            server = hyco.createRelayedServer(
+              {
+                server: uri,
+                token: () => hyco.createRelayToken(uri, keyrule, key),
+              },
+              async (req: IncomingMessage, res: ServerResponse) => {
+                doFetchApi(req, res)
+              })
+            server.listen()
+
+            { // check if Azure Relay listener is working by sending a 5 sec delayed ping request
+              let options = {
+                connection: {
+                  options: {
+                    headers: {
+                      ServiceBusAuthorization: hyco.createRelayToken(uri, keyrule, key),
+                    },
                   },
                 },
-              },
-            }
-            setTimeout(async () => {
-              try {
-                if (!this.helperRest) this.helperRest = this.newHelperRest()
-                await this.helperRest.doRequest('undefined', 'GET', `${this.config.scimgateway.azureRelay.connectionUrl}/ping`, null, null, options)
-              } catch (err: any) {
-                logger.error(`${gwName}[${pluginName}] Azure Relay listener failed to start - ping test doRequest() returned an error - please verify configuration scimgateway.azureRelay.connectionUrl/apiKey including the Azure Relay setup}`)
               }
-            }, 5 * 1000)
-          }
+              setTimeout(async () => {
+                try {
+                  if (!this.helperRest) this.helperRest = this.newHelperRest()
+                  await this.helperRest.doRequest('undefined', 'GET', `${this.config.scimgateway.azureRelay.connectionUrl}/ping`, null, null, options)
+                } catch (err: any) {
+                  logger.error(`${gwName}[${pluginName}] Azure Relay listener failed to start - ping test doRequest() returned an error - please verify configuration scimgateway.azureRelay.connectionUrl/apiKey including the Azure Relay setup}`)
+                }
+              }, 5 * 1000)
+            }
+          })()
         } else {
           // nodejs server
           if (tls.key) {

package/lib/utils.ts

@@ -710,3 +710,49 @@ export const getEtag = function (obj: Record<string, any>): string {
   }
   return eTag
 }
+
+/**
+ * TimerMapCache caches items for specified time and also clear items on valdation
+  * @param obj full object to calculate ETag from
+  * @returns ETag string as W/"<hash>"
+ */
+export class TimerMapCache {
+  private itemCache = new Map<string, NodeJS.Timeout>()
+  private itemTimeout: number
+
+  constructor(itemTimeout: number = 5 * 1000) { // default 5 seconds in cache
+    this.itemCache = new Map<string, NodeJS.Timeout>()
+    this.itemTimeout = itemTimeout
+  }
+
+  /**
+   * createItem creates an item in cache that will be cleared when using isItemValid() or after timeout set by class initialization
+   * @param item
+   * @returns item
+  */
+  createItem(item: string): string {
+    if (!item) return ''
+    this.itemCache.set(item, setTimeout(() => {
+      console.log('deleting item')
+      this.itemCache.delete(item)
+    },
+    this.itemTimeout))
+    return item
+  }
+
+  /**
+   * isItemValid checks if item can be found in cache. If found, it will be removed from cache and return true
+   * @param item
+   * @returns true if valid, else false
+  */
+  isItemValid(item: string): boolean {
+    if (!item) return false
+    const timeout = this.itemCache.get(item)
+    const res = !!timeout
+    if (res) {
+      clearTimeout(timeout)
+      this.itemCache.delete(item)
+    }
+    return res
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "5.3.8",
+  "version": "5.4.0",
   "type": "module",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",