scimgateway 6.2.4 → 6.2.5
- package/CHANGELOG.md +3 -0
- package/README.md +1 -1
- package/lib/plugin-entra-id.ts +6 -1
- package/lib/scimgateway.ts +1 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
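--- a/package/README.md
+++ b/package/README.md
@@ -90,7 +90,7 @@ SCIM Gateway is a user provisioning bridge built with [Bun](https://bun.sh/) and
 - **v6.0.0** — API method response bodies returned as-is; new `publicApi()` method for unauthenticated `/pub/api` routes; `bearerJwtAzure.tenantIdGUID` replaced by `bearerJwt.azureTenantId`
 - **Federated Identity Credentials** (Entra ID) — access Microsoft-protected resources without managing secrets, via internal JWKS
 - **External JWKS** support for JWT authentication
-- **Azure Relay** — secure outbound-only tunnel with one minute of setup
+- **Azure Relay** — secure outbound-only tunnel with one minute of setup
 - **ETag** and **Bulk Operations** support (SCIM RFC 7644)
 - **Remote real-time log subscription** via browser, curl, or custom client at `https://<host>/logger`
 - **Gateway chaining** — chain `gateway1 → gateway2 → gateway3 → endpoint` with reverse-proxy-style auth validation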
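--- a/package/lib/plugin-entra-id.ts
+++ b/package/lib/plugin-entra-id.ts
@@ -641,7 +641,12 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
 if (Object.hasOwn(parsedAttrObj, 'mfa')) {
 if (parsedAttrObj.mfa.reset === true) {
 if (!permission[baseEntity]?.mfa || !permission[baseEntity]?.eligible) throw new Error(`${action} error: MFA reset is not supported by the endpoint - missing permissions.`)
-const
+const res = await scimgateway.getGroups(baseEntity, { attribute: 'members.value', operator: 'eq', value: id }, ['id', 'displayName'], ctx)
+let userGroups: Record<string, any>[] = []
+if (res?.Resources && Array.isArray(res.Resources)) {
+userGroups = res.Resources.map((r: Record<string, any>) => { return { value: r.id } })
+}
+const currentRoles = await getUserRoles(baseEntity, id, userGroups, true, ctx)
 const isPrivileged = currentRoles.some(r => isPrivilegedRole(r.value))
 if (isPrivileged) throw new Error(`${action} error: MFA reset is not allowed for users with high-privilege roles for security reasons.`)
 await resetUserMfa(baseEntity, id, ctx)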
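Review bot: The high-privilege guard that gates resetUserMfa can run on an empty group list, because when `res?.Resources` is missing or not an array the new code leaves `userGroups` as `[]` and still calls `getUserRoles`; if group-derived roles are what `getUserRoles` needs `userGroups` for (inferred from the argument, not visible here), a failed or unexpectedly shaped getGroups response silently weakens the check the commit is trying to strengthen instead of stopping the reset. Since the guard exists "for security reasons", fail closed: replace the `let`/`if` block with `if (!Array.isArray(res?.Resources)) throw new Error(...)` using the same `${action} error: …` message style as the surrounding checks, then `const userGroups = res.Resources.map((r: { id: string }) => ({ value: r.id }))`, which also replaces the two `Record<string, any>` annotations with the shape the code actually reads. modifyUser begins before the hunk and continues after it.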
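--- a/package/lib/scimgateway.ts
+++ b/package/lib/scimgateway.ts
@@ -4405,7 +4405,7 @@ Content-Transfer-Encoding: quoted-printable
 // found logic
 if (lastKey === 'password' && key.startsWith('scimgateway.auth.basic')) foundBasic = true
 else if (lastKey === 'token' && key.startsWith('scimgateway.auth.bearerToken')) foundBearerToken = true
-else if ((lastKey === 'publicKey' || lastKey === 'secret' || lastKey === 'wellKnownUri' || 'azureTenantId') && key.startsWith('scimgateway.auth.bearerJwt')) foundBearerJwt = true
+else if ((lastKey === 'publicKey' || lastKey === 'secret' || lastKey === 'wellKnownUri' || lastKey === 'azureTenantId') && key.startsWith('scimgateway.auth.bearerJwt')) foundBearerJwt = true
 else if (lastKey === 'clientSecret' && key.startsWith('scimgateway.auth.bearerOAuth')) foundBearerOAuth = true
 
 // certificate full path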
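Review bot: The corrected condition on new line 4408 is still a four-way `===` chain on `lastKey`, the exact shape in which the always-truthy `'azureTenantId'` literal went unnoticed and made any key under `scimgateway.auth.bearerJwt` set `foundBearerJwt`; a membership test reads as a list of key names and cannot be satisfied by a stray literal, e.g. `else if (['publicKey', 'secret', 'wellKnownUri', 'azureTenantId'].includes(lastKey) && key.startsWith('scimgateway.auth.bearerJwt')) foundBearerJwt = true`. Because `foundBearerJwt` appears to decide whether bearerJwt auth counts as configured (inferred from the name, the consumer is outside the hunk), a small unit test over these four keys plus one unrelated key would have caught the original regression. The sibling branches for basic, bearerToken and bearerOAuth test a single key each and can stay as written. The enclosing function starts and ends outside the hunk.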
package/package.json
CHANGED