scimgateway 6.2.1 → 6.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md ADDED
@@ -0,0 +1,127 @@
1
+ # Change Log
2
+
3
+ ### v6.2.3
4
+ - **[Improved]** `plugin-entra-id` now includes information on whether a user has registered for MFA (has an MFA-capable method registered).
5
+
6
+ ### v6.2.2
7
+ - **[Improved]** `plugin-entra-id` now supports Entra ID IGA Access Packages. For required API permissions, see Entra ID App Registration
8
+
9
+ ### v6.2.1
10
+ - `HelperRest`: fixed minor log cosmetics introduced in v6.2.0
11
+
12
+ ### v6.2.0
13
+ - **[Fixed]** `HelperRest`: failed on Bun v1.3.14 due to stricter Fetch standards compliance
14
+ - **[Improved]** New `plugin-generic` replaces `plugin-scim`. Uses `endpointMapper` with the new `valueMap` option for group allowlisting and name mapping. Default config uses one-to-one SCIM mapping with plugin-loki as the target endpoint.
15
+ - **[Improved]** `endpointMapper` now supports `valueMap`:
16
+
17
+ ```json
18
+ "map": {
19
+ "group": {
20
+ "displayName": {
21
+ "mapTo": "displayName",
22
+ "type": "string",
23
+ "valueMap": {
24
+ "outboundEndpointGrp1": "inboundScimGrp1",
25
+ "Employees": "Admins"
26
+ }
27
+ }
28
+ }
29
+ }
30
+ ```
31
+
32
+ Clients only see and manage the SCIM-named groups (`inboundScimGrp1`, `Admins`), mapped to their endpoint counterparts (`outboundEndpointGrp1`, `Employees`). Useful for allowlisting specific groups or supporting different inbound/outbound names.
33
+
34
+ ### v6.1.20
35
+ - `plugin-entra-id`: roles introduced in v6.1.19 were missing when retrieving a single user
36
+
37
+ ### v6.1.19
38
+ - **[Fixed]** SCIM v2.0 ResourceType endpoint schemas using incorrect id
39
+ - **[Improved]** `GET /Roles` and `GET /Entitlements` endpoint support, with user management via SCIM `roles` and `entitlements` attributes
40
+ - **[Improved]** `plugin-entra-id`: `entitlements` for Entra ID licenses (read-only); `roles` for Permanent and Eligible PIM roles (full management)
41
+ - PIM Eligible roles: requires `RoleEligibilitySchedule.ReadWrite.All`
42
+ - PIM Permanent roles: requires `RoleManagement.ReadWrite.Directory`
43
+ - Remove `map.user.roles` if above conditions are not met
44
+ - `skipSignInActivity` option (v6.1.17) no longer used; `signInActivity` and PIM role permissions are validated at startup
45
+
46
+ ### v6.1.18
47
+ - `createUser` and `modifyUser` now return the full user object, ensuring returned data reflects what was modified even when the endpoint hasn't internally synced yet
48
+
49
+ ### v6.1.17
50
+ - `plugin-entra-id`: fixed broken `filter=userName eq "user_upn"` introduced in v6.1.11 when using updated config with `map.user.signInActivity`
51
+ - `plugin-entra-id`: new option `endpoint.entity.[baseEntity].skipSignInActivity = true` to exclude `signInActivity` (requires Entra ID Premium + `AuditLog.Read.All`)
52
+
53
+ ### v6.1.16
54
+ - `plugin-entra-id`: `GET /Entitlements` now uses `derivedIncludes` with full recursive expansion
55
+
56
+ ### v6.1.15
57
+ - `plugin-entra-id`: fixed `filter=entitlements pr`
58
+
59
+ ### v6.1.14
60
+ - Support for filter `attribute not pr`
61
+ - Dependencies bump
62
+
63
+ ### v6.1.13
64
+ - `plugin-entra-id`: `signInActivity` attributes are now filterable
65
+
66
+ ### v6.1.12
67
+ - Filter operator `pr` (presence) now forwarded to plugins (previously rejected)
68
+ - `plugin-entra-id`: handles `pr` filter on entitlements
69
+
70
+ ### v6.1.11
71
+ - **[Fixed]** Incorrect schema generation when using `endpointMapper` (regression from v6.1.6)
72
+ - **[Improved]** New `GET /Entitlements` endpoint and `scimgateway.getEntitlements()` method
73
+ - `plugin-entra-id`: user license information via `entitlements`; remove `map.user.signInActivity` if Entra ID Premium is unavailable
74
+
75
+ ### v6.1.10
76
+ - `plugin-entra-id`: group membership now includes nested (transitive) groups (`direct` and `indirect`)
77
+ - Fixed missing Docker files: `config/docker/.dockerignore` and `docker-compose-mssql.yml`
78
+
79
+ ### v6.1.9
80
+ - `createUser`/`createGroup` responses now correctly include the generated ID
81
+
82
+ ### v6.1.8 / v6.1.7
83
+ - Fixed incorrect masking of secrets in request info log messages
84
+ - `plugin-entra-id`: fixed edge case where `createUser` with a manager could fail
85
+
86
+ ### v6.1.6
87
+ - Fixed `plugin-loki` and `plugin-mongodb` returning empty results when using extension schema attributes in search
88
+ - Auth failure due to `readOnly` now returns HTTP 405 instead of 401
89
+ - `postinstall` ensures `"type": "module"` is set in `package.json`
90
+ - `endpointMapper` now generates a custom schema; supports `"x-agent-schema"` for AI MCP tool instructions
91
+
92
+ ### v6.1.5
93
+ - Complex filtering (`and`/`or`) handled by the gateway using the plugin's simple filter logic
94
+ - `modifyGroup` now returns HTTP 204 instead of 200
95
+ - New `/auth` endpoint for validating external authentication
96
+ - `plugin-entra-id`: supports `sw` (startsWith) filter
97
+
98
+ ### v6.1.4
99
+ - Fixed OData paging in `plugin-entra-id` and `helper-rest` — missing users/groups/members in large directories
100
+ - Fixed incomplete group membership when paging not fully iterated
101
+
102
+ ### v6.1.3
103
+ - Azure Relay: improved recovery on failure
104
+ - `plugin-ldap`: improvements for Active Directory and `objectGUID`/`mS-DS-ConsistencyGuid`
105
+ - `modifyGroup`: adding an existing member or removing a non-existent member now returns 200 OK instead of an error
106
+
107
+ ### v6.1.2
108
+ - Fixed SMTP mail failure caused by an updated dependency
109
+ - Fixed `endpointMapper` when `mapTo` contained multiple comma-separated attributes including a multivalued one
110
+
111
+ ### v6.1.1
112
+ - `plugin-ldap`: fixed race condition where `createUser` immediately followed by `readUser` could fail on some systems (e.g. Samba AD)
113
+ - Final info log message now includes full JSON serialization (durationMs, status, requestBody, responseBody, …)
114
+
115
+ ### v6.1.0
116
+ - `tsx` included — SCIM Gateway now runs as ES module (TypeScript) in Node.js: `node --import=tsx ./index.ts`
117
+ - Simplified mandatory plugin initialization using static `import`
118
+ - `index.ts` updated to use static imports
119
+ - Bun binary builds now supported (see Single Binary Deployment)
120
+
121
+ ### v6.0.0 — Major
122
+ - API method response bodies returned as-is (previously wrapped in `{ result: <content> }`) — **clients parsing responses must be updated**
123
+ - New `scimgateway.publicApi()` for unauthenticated `/pub/api` routes
124
+ - `bearerJwtAzure.tenantIdGUID` replaced by `bearerJwt.azureTenantId` — **existing configurations must be updated**
125
+
126
+ ### v5.x — Previous Major Series
127
+ For v5.x change history (Bun/TypeScript migration, Azure Relay, Bulk Operations, SCIM Stream, HelperRest, Docker, email OAuth, and more), see the GitHub commit history.
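Review bot: The v6.2.2 and v6.2.3 entries at the top of the file add Access Package and MFA-registration data to `plugin-entra-id` without naming the API permissions involved. v6.2.2 only says "see Entra ID App Registration", with no link, and v6.2.3 does not mention permissions at all. The v6.1.19 entry is the better model: it lists `RoleEligibilitySchedule.ReadWrite.All` and `RoleManagement.ReadWrite.Directory` and says what to remove from the config when they are not granted. Doing the same for these two entries would let operators review the additional consent before upgrading. Separately, the `valueMap` paragraph under v6.2.0 calls the option useful for allowlisting but does not say what happens to a group that has no `valueMap` entry; that behaviour should be stated if the mapping is relied on as an access boundary. The "Fixed incorrect masking of secrets in request info log messages" line under v6.1.8 / v6.1.7 should also say whether secrets were written to logs unmasked, so operators know whether existing logs need attention.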