feat: SCIM 2.0 research

Dschoordsch · Dschoordsch · commit 9a161aecbd70 · 2025-03-24T10:23:20.000+01:00
diff --git a/codegen.json b/codegen.json
@@ -31,6 +31,7 @@
           "RemoveFeatureFlagOwnerSuccess": "./types/RemoveFeatureFlagOwnerSuccess#RemoveFeatureFlagOwnerSuccessSource",
           "RetrospectiveMeeting": "../../postgres/types/Meeting#RetrospectiveMeeting",
           "SAML": "./types/SAML#SAMLSource",
+          "ScimCreateUserSuccess": "./types/ScimCreateUserSuccess#ScimCreateUserSuccessSource",
           "SetIsFreeMeetingTemplateSuccess": "./types/SetIsFreeMeetingTemplateSuccess#SetIsFreeMeetingTemplateSuccessSource",
           "SignupsPayload": "./types/SignupsPayload#SignupsPayloadSource",
           "StartTrialSuccess": "./types/StartTrialSuccess#StartTrialSuccessSource",
diff --git a/packages/server/graphql/private/mutations/scimCreateUser.ts b/packages/server/graphql/private/mutations/scimCreateUser.ts
@@ -0,0 +1,38 @@
+import {USER_PREFERRED_NAME_LIMIT} from '../../../postgres/constants'
+import User from '../../../database/types/User'
+import {MutationResolvers} from '../resolverTypes'
+import generateUID from '../../../generateUID'
+import {generateIdenticon} from '../../private/mutations/helpers/generateIdenticon'
+import {AuthIdentityTypeEnum} from '../../../../client/types/constEnums'
+import AuthIdentityLocal from '../../../database/types/AuthIdentityLocal'
+import bootstrapNewUser from '../../mutations/helpers/bootstrapNewUser'
+
+const scimCreateUser: MutationResolvers['scimCreateUser'] = async (
+  _source,
+  {email: denormEmail, preferredName},
+  {dataLoader}
+) => {
+  const email = denormEmail.toLowerCase().trim()
+  if (email.length > USER_PREFERRED_NAME_LIMIT) {
+    return {error: {message: 'Email is too long'}}
+  }
+
+  const userId = `local|${generateUID()}`
+  const newUser = new User({
+    id: userId,
+    preferredName,
+    email,
+    picture: await generateIdenticon(userId, preferredName),
+    identities: []
+  })
+  const identityId = `${userId}:${AuthIdentityTypeEnum.LOCAL}`
+  newUser.identities.push(new AuthIdentityLocal({hashedPassword: 'foo', id: identityId, isEmailVerified: true}))
+  await bootstrapNewUser(newUser, false, dataLoader)
+ 
+  return {
+    userId: newUser.id,
+    isNewUser: true
+  }
+}
+
+export default scimCreateUser
diff --git a/packages/server/graphql/private/typeDefs/Mutation.graphql b/packages/server/graphql/private/typeDefs/Mutation.graphql
@@ -436,6 +436,11 @@ type Mutation {
     samlName: ID!
   ): UserLogInPayload!
 
+  scimCreateUser(
+    email: ID!
+    preferredName: String!
+  ): ScimCreateUserPayload!
+
   """
   Log in with email from a trusted Mattermost
   """
diff --git a/packages/server/graphql/private/typeDefs/ScimCreateUserPayload.graphql b/packages/server/graphql/private/typeDefs/ScimCreateUserPayload.graphql
@@ -0,0 +1,5 @@
+"""
+Return type of ScimCreateUser
+"""
+union ScimCreateUserPayload = ErrorPayload | ScimCreateUserSuccess
+
diff --git a/packages/server/graphql/private/typeDefs/ScimCreateUserSuccess.graphql b/packages/server/graphql/private/typeDefs/ScimCreateUserSuccess.graphql
@@ -0,0 +1,16 @@
+"""
+Generic payload when a user was created via SCIM
+"""
+type ScimCreateUserSuccess {
+  userId: ID
+
+  """
+  if a new user is created
+  """
+  isNewUser: Boolean
+
+  """
+  the newly created user, or the existing user
+  """
+  user: User
+}
diff --git a/packages/server/graphql/private/types/ScimCreateUserSuccess.ts b/packages/server/graphql/private/types/ScimCreateUserSuccess.ts
@@ -0,0 +1,14 @@
+import {ScimCreateUserSuccessResolvers} from '../resolverTypes'
+
+export type ScimCreateUserSuccessSource = {
+  userId: string
+  isNewUser: boolean
+}
+
+const ScimCreateUserSuccess: ScimCreateUserSuccessResolvers = {
+  user: ({userId}, _args, {dataLoader}) => {
+    return dataLoader.get('users').loadNonNull(userId)
+  }
+}
+
+export default ScimCreateUserSuccess
diff --git a/packages/server/package.json b/packages/server/package.json
@@ -139,6 +139,7 @@
     "rrule-rust": "^2.0.2",
     "samlify": "^2.8.2",
     "sanitize-html": "^2.13.0",
+    "scimmy": "^1.3.5",
     "sharp": "^0.32.6",
     "string-similarity": "^3.0.0",
     "stripe": "^9.13.0",
diff --git a/packages/server/scim/SCIMHandler.ts b/packages/server/scim/SCIMHandler.ts
@@ -0,0 +1,226 @@
+import {HttpRequest, HttpResponse} from 'uWebSockets.js'
+import uWSAsyncHandler from '../graphql/uWSAsyncHandler'
+import parseBody from '../parseBody'
+import querystring from 'querystring'
+import publishWebhookGQL from '../utils/publishWebhookGQL'
+import SCIMMY from 'scimmy'
+
+const ROUTE_PREFIX = '/scim'
+const PROTO = process.env.PROTO
+const HOST = process.env.HOST
+const PORT = Number(__PRODUCTION__ ? process.env.PORT : process.env.SOCKET_PORT)
+
+const ROUTE = `${PROTO}://${HOST}${ROUTE_PREFIX}`
+
+const createUser = `
+mutation ScimCreateUser($email: ID!, $preferredName: String!) {
+  scimCreateUser(email: $email, preferredName: $preferredName) {
+    ... on ErrorPayload {
+      error {
+        message
+      }
+    }
+    ...on ScimCreateUserSuccess {
+      user {
+        id
+        email
+      }
+    }
+  }
+}
+`
+
+const getUser = `
+query User($userId: ID!) {
+  user(userId: $userId) {
+    id
+    email
+  }
+}
+`
+
+// With both shorthand and full syntax
+SCIMMY.Config.set({
+   //documentationUri: "https://example.com/docs/scim.html",
+   patch: false,
+   filter: false,
+   bulk: false,/*{
+       supported: true,
+       maxPayloadSize: 2097152
+   },*/
+   authenticationSchemes: {
+     name: 'OAuth Bearer Token',
+     description: 'Authentication scheme using the OAuth Bearer Token Standard',
+     specUri: 'http://www.rfc-editor.org/info/rfc6750',
+     type: 'oauthbearertoken'
+   }
+});
+
+// Basic usage with provided resource type implementations
+SCIMMY.Resources.declare(SCIMMY.Resources.User)
+    .ingress(async (_resource, data) => {
+      console.log('GEORG User ingress', data.id, data.userName)
+      const { userName, displayName, emails } = data
+      const email = (emails?.find((email) => email.primary) ?? emails?.[0])?.value
+      console.log('GEORG User ingress', displayName, userName, email)
+
+      const newUser = await publishWebhookGQL(createUser, {
+        email,
+        preferredName: displayName ?? userName
+      })
+      console.log('GEORG User ingress newUser', newUser)
+      const {id, email: normalizedEmail} = (newUser as any).data.scimCreateUser.user
+      return {
+        id,
+        userName: normalizedEmail
+      }
+    })
+    .egress(async (_resource, userId) => {
+      console.log('GEORG User egress', userId)
+      const user = await publishWebhookGQL(getUser, {userId})
+      console.log('GEORG User egress', user)
+      const {id, email} = (user as any).data.user
+      console.log('GEORG User egress', id, email)
+      return {
+        id,
+        userName: email
+      }
+    })
+    .degress((resource) => {
+      console.log('GEORG User degress', resource)
+    });
+
+SCIMMY.Resources.Schema.basepath(ROUTE)
+SCIMMY.Resources.ResourceType.basepath(ROUTE)
+SCIMMY.Resources.ServiceProviderConfig.basepath(ROUTE)
+for (let Resource of Object.values(SCIMMY.Resources.declared())) {
+  Resource.basepath(ROUTE)
+}
+
+const SCIMHandler = uWSAsyncHandler(async (res: HttpResponse, req: HttpRequest) => {
+  const method = req.getMethod();
+  const url = req.getUrl(); // Full URL path
+  const query = req.getQuery();
+  const parsedQuery = Object.fromEntries(new URLSearchParams(query).entries())
+
+  console.log(`GEORG [${method}] ${url}`);
+
+  if (url === "/scim/ServiceProviderConfig" && method === "get") {
+    res.writeHeader("Content-Type", "application/json").end(JSON.stringify(await new SCIMMY.Resources.ServiceProviderConfig(req.getQuery()).read()));
+    return
+  }
+
+  if (url.startsWith("/scim/ResourceTypes") && method === "get") {
+    const idMatch = url.match(/^\/scim\/ResourceTypes\/(.+)$/);
+    if (!idMatch) {
+      try {
+        const resourceTypes = await new SCIMMY.Resources.ResourceType(query).read()
+        res.writeHeader("Content-Type", "application/scim+json").end(JSON.stringify(resourceTypes))
+      } catch (err) {
+        res.writeStatus("400 Bad Request").end(JSON.stringify({ error: String(err) }))
+      }
+    }
+    else {
+      const id = querystring.unescape(idMatch[1] ?? '');
+      try {
+        const resourceTypes = await new SCIMMY.Resources.ResourceType(id, parsedQuery).read()
+        res.writeHeader("Content-Type", "application/scim+json").end(JSON.stringify(resourceTypes))
+      } catch (err) {
+        res.writeStatus("400 Bad Request").end(JSON.stringify({ error: String(err) }))
+      }
+    }
+    return
+  }
+
+  if (url.startsWith("/scim/Schemas") && method === "get") {
+    const idMatch = url.match(/^\/scim\/Schemas\/(.+)$/);
+    if (!idMatch) {
+      try {
+        const resourceTypes = await new SCIMMY.Resources.Schema(query).read()
+        res.writeHeader("Content-Type", "application/scim+json").end(JSON.stringify(resourceTypes))
+      } catch (err) {
+        res.writeStatus("400 Bad Request").end(JSON.stringify({ error: String(err) }))
+      }
+    }
+    else {
+      const id = querystring.unescape(idMatch[1] ?? '');
+      try {
+        const resourceTypes = await new SCIMMY.Resources.Schema(id, parsedQuery).read()
+        res.writeHeader("Content-Type", "application/scim+json").end(JSON.stringify(resourceTypes))
+      } catch (err) {
+        res.writeStatus("400 Bad Request").end(JSON.stringify({ error: String(err) }))
+      }
+    }
+    return
+  }
+
+  if (url.startsWith("/scim/Users")) {
+    const idMatch = url.match(/^\/scim\/Users\/(.+)$/);
+    if (!idMatch) {
+      if (method === "get") {
+        const users = await new SCIMMY.Resources.User(query).read();
+        res.writeHeader("Content-Type", "application/scim+json").end(JSON.stringify(users));
+        return
+      }
+
+      if (method === "post") {
+        const body = await parseBody({res})
+        if (body === null) {
+          res.writeStatus("400 Bad Request")
+          return
+        }
+        try {
+          const user = await new SCIMMY.Resources.User(query).write(body)
+          res.writeStatus("201 Created").writeHeader("Content-Type", "application/scim+json").end(JSON.stringify(user));
+        } catch (err) {
+          res.writeStatus("400 Bad Request").end(JSON.stringify({ error: String(err) }));
+        }
+        return
+      }
+    } else {
+      const id = querystring.unescape(idMatch[1] ?? '');
+      console.log('GEORG User id', id)
+
+      if (method === "get") {
+        try {
+          const user = await new SCIMMY.Resources.User(query).read(id)
+          res.writeHeader("Content-Type", "application/scim+json")
+          res.end(JSON.stringify(user))
+        } catch (err) {
+          res.writeStatus("404 Not Found").end(JSON.stringify({ error: "User not found" }))
+        }
+        return
+      }
+
+      if (method === "patch") {
+        const body = await parseBody({res})
+        if (body === null) {
+          res.writeStatus("400 Bad Request")
+          return
+        }
+        try {
+          const updatedUser = await new SCIMMY.Resources.User(id, parsedQuery).patch(body as any);
+          res.writeHeader("Content-Type", "application/scim+json").end(JSON.stringify(updatedUser));
+        } catch (err) {
+          res.writeStatus("400 Bad Request").end(JSON.stringify({ error: String(err) }));
+        }
+        return
+      }
+
+      if (method === "delete") {
+        try {
+          await new SCIMMY.Resources.User(id).dispose();
+          res.writeStatus("204 No Content").end();
+        } catch (err) {
+          res.writeStatus("404 Not Found").end(JSON.stringify({ error: "User not found" }));
+        }
+        return
+      }
+    }
+  }
+
+  res.writeStatus("404 Not Found").end(JSON.stringify({ error: "Endpoint not found" }));
+  return
+})
+
+export default SCIMHandler
diff --git a/packages/server/server.ts b/packages/server/server.ts
@@ -25,6 +25,7 @@ import SSEPingHandler from './sse/SSEPingHandler'
 import {createStaticFileHandler} from './staticFileHandler'
 import {Logger} from './utils/Logger'
 import SAMLHandler from './utils/SAMLHandler'
+import SCIMHandler from './scim/SCIMHandler'
 
 export const RECONNECT_WINDOW = process.env.WEB_SERVER_RECONNECT_WINDOW
   ? parseInt(process.env.WEB_SERVER_RECONNECT_WINDOW, 10) * 1000
@@ -72,6 +73,7 @@ uws
   .post('/graphql', httpGraphQLHandler)
   .post('/intranet-graphql', intranetGraphQLHandler)
   .post('/saml/:domain', SAMLHandler)
+  .any('/scim/*', SCIMHandler)
   .ws('/*', {
     compression: SHARED_COMPRESSOR,
     idleTimeout: 0,
diff --git a/yarn.lock b/yarn.lock
@@ -9922,9 +9922,9 @@ available-typed-arrays@^1.0.7:
     possible-typed-array-names "^1.0.0"
 
 axios@^1.0.0, axios@^1.6.0, axios@^1.7.4, axios@^1.7.8:
-  version "1.8.2"
-  resolved "https://registry.yarnpkg.com/axios/-/axios-1.8.2.tgz#fabe06e241dfe83071d4edfbcaa7b1c3a40f7979"
-  integrity sha512-ls4GYBm5aig9vWx8AWDSGLpnpDQRtWAfrjU+EuytuODrFBkqesN2RkOQCBzrA1RQNHw1SmRMSDDDSwzNAYQ6Rg==
+  version "1.8.4"
+  resolved "https://registry.yarnpkg.com/axios/-/axios-1.8.4.tgz#78990bb4bc63d2cae072952d374835950a82f447"
+  integrity sha512-eBSYY4Y68NNlHbHBMdeDmKNtDgXWhQsJcGqzO3iLUM0GraQFSS9cVgPX5I9b3lbdFKyYoAEGAZF1DwhTaljNAw==
   dependencies:
     follow-redirects "^1.15.6"
     form-data "^4.0.0"
@@ -10612,9 +10612,9 @@ camelize@^1.0.0:
   integrity sha512-dU+Tx2fsypxTgtLoE36npi3UqcjSSMNYfkqgmoEhtZrraP5VWq0K7FkWVTYa8eMPtnU/G2txVsfdCJTn9uzpuQ==
 
 caniuse-lite@^1.0.30001646, caniuse-lite@^1.0.30001669, caniuse-lite@~1.0.0:
-  version "1.0.30001702"
-  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001702.tgz#cde16fa8adaa066c04aec2967b6cde46354644c4"
-  integrity sha512-LoPe/D7zioC0REI5W73PeR1e1MLCipRGq/VkovJnd6Df+QVqT+vT33OXCp8QUd7kA7RZrHWxb1B36OQKI/0gOA==
+  version "1.0.30001706"
+  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001706.tgz#902c3f896f4b2968031c3a546ab2ef8b465a2c8f"
+  integrity sha512-3ZczoTApMAZwPKYWmwVbQMFpXBDds3/0VciVoUwPUbldlYyVLmRVuRs/PcUZtHpbLRpzzDvrvnFuREsGt6lUug==
 
 capital-case@^1.0.4:
   version "1.0.4"
@@ -17943,9 +17943,9 @@ nan@^2.19.0, nan@^2.20.0:
   integrity sha512-nbajikzWTMwsW+eSsNm3QwlOs7het9gGJU5dDZzRTQGk03vyBOauxgI4VakDzE0PtsGTmXPsXTbbjVhRwR5mpw==
 
 nanoid@^2.0.0, nanoid@^3.1.31, nanoid@^3.3.7, nanoid@^3.3.8:
-  version "3.3.9"
-  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.9.tgz#e0097d8e026b3343ff053e9ccd407360a03f503a"
-  integrity sha512-SppoicMGpZvbF1l3z4x7No3OlIjP7QJvC9XR7AhZr1kL133KHnKPztkKDc+Ir4aJ/1VhTySrtKhrsycmrMQfvg==
+  version "3.3.11"
+  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.11.tgz#4f4f112cefbe303202f2199838128936266d185b"
+  integrity sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==
 
 napi-build-utils@^1.0.1:
   version "1.0.2"
@@ -21520,6 +21520,11 @@ schema-utils@^4.0.0, schema-utils@^4.2.0:
     ajv-formats "^2.1.1"
     ajv-keywords "^5.1.0"
 
+scimmy@^1.3.5:
+  version "1.3.5"
+  resolved "https://registry.yarnpkg.com/scimmy/-/scimmy-1.3.5.tgz#bd73f8fa8af46dcfeb32d342b504f56ce85f1320"
+  integrity sha512-JTrUOoqH1gMH2zZhgk01hGgY7cH9v4qUli5b3OGVVOzjAwY8h4Z2mSNH8kXjW2pz8ypzpiRuMEtFGBaWQWJz7w==
+
 scuid@^1.1.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/scuid/-/scuid-1.1.0.tgz#d3f9f920956e737a60f72d0e4ad280bf324d5dab"
