WIP

app/server/lib/scim/index.ts

@@ -0,0 +1,24 @@
+import * as express from 'express';
+import { buildUsersRoute, checkPermissionToUsersEndpoint } from './v2/users';
+import { HomeDBManager } from 'app/gen-server/lib/homedb/HomeDBManager';
+import SCIMMY from "scimmy";
+import SCIMMYRouters from "scimmy-routers";
+
+type SCIMMYResource = typeof SCIMMY.Types.Resource;
+
+const buildScimRouter = (dbManager: HomeDBManager) => {
+  const v2 = express.Router();
+  v2.use('/Users', checkPermissionToUsersEndpoint, buildUsersRoute(dbManager));
+
+  SCIMMY.Resources.User.ingress(handler)
+  SCIMMY.Resources.declare(SCIMMY.Resources.User)
+    .ingress((resource: SCIMMYResource, data) => {
+
+
+    });
+  const scim = express.Router();
+  scim.use('/v2', v2);
+  return scim;
+};
+
+export { buildScimRouter };

app/server/lib/scim/v2/users.ts

@@ -0,0 +1,37 @@
+import express, { NextFunction, Request, Response } from 'express';
+import { HomeDBManager } from 'app/gen-server/lib/homedb/HomeDBManager';
+import { expressWrap } from '../../expressWrap';
+import { integerParam } from '../../requestUtils';
+import { ApiError } from 'app/common/ApiError';
+import { RequestWithLogin } from '../../Authorizer';
+
+function checkPermissionToUsersEndpoint(req: Request, res: Response, next: NextFunction) {
+  const mreq = req as RequestWithLogin;
+  const adminEmail = process.env.GRIST_DEFAULT_EMAIL;
+  if (!adminEmail || mreq.user?.loginEmail !== adminEmail) {
+    throw new ApiError('Permission denied', 403);
+  }
+  return next();
+}
+
+const buildUsersRoute = (dbManager: HomeDBManager) => {
+  const userRoute = express.Router();
+
+  async function findUserOrFail(userId: number) {
+    const user = await dbManager.getUser(userId);
+    if (!user) {
+      throw new ApiError('User not found', 404);
+    }
+    return user;
+  }
+
+
+  userRoute.get('/:id', expressWrap(async (req, res) => {
+    const userId = integerParam(req.params.id, 'id');
+    const user = await findUserOrFail(userId);
+    res.status(200).json(user);
+  }));
+  return userRoute;
+};
+
+export { buildUsersRoute, checkPermissionToUsersEndpoint };

package.json

@@ -189,6 +189,7 @@
     "redis": "3.1.1",
     "redlock": "3.1.2",
     "saml2-js": "4.0.2",
+    "scimmy-routers": "^1.2.0",
     "short-uuid": "3.1.1",
     "slugify": "1.6.6",
     "swagger-ui-dist": "5.11.0",

yarn.lock

@@ -3801,7 +3801,7 @@ express-rate-limit@7.2.0:
   resolved "https://registry.yarnpkg.com/express-rate-limit/-/express-rate-limit-7.2.0.tgz#06ce387dd5388f429cab8263c514fc07bf90a445"
   integrity sha512-T7nul1t4TNyfZMJ7pKRKkdeVJWa2CqB8NA1P8BwYaoDI5QSBZARv5oMS43J7b7I5P+4asjVXjb7ONuwDKucahg==
 
-express@4.19.2:
+express@4.19.2, express@^4.18.2:
   version "4.19.2"
   resolved "https://registry.yarnpkg.com/express/-/express-4.19.2.tgz#e25437827a3aa7f2a827bc8171bbbb664a356465"
   integrity sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q==
@@ -7346,6 +7346,19 @@ schema-utils@^3.2.0:
     ajv "^6.12.5"
     ajv-keywords "^3.5.2"
 
+scimmy-routers@^1.2.0:
+  version "1.2.0"
+  resolved "https://registry.yarnpkg.com/scimmy-routers/-/scimmy-routers-1.2.0.tgz#42090c616f127aefce194ebf4a3c8f4a4f62e30b"
+  integrity sha512-+dT8yRglz2gMu0X1LlUYTi/PDgW6Zzu1YRWiv362I/wA64kud24XjYIoufNiW5OhskvBPQGT/P1aYOffcmxxsQ==
+  dependencies:
+    express "^4.18.2"
+    scimmy "^1.2.0"
+
+scimmy@^1.2.0:
+  version "1.2.3"
+  resolved "https://registry.yarnpkg.com/scimmy/-/scimmy-1.2.3.tgz#56ca9dbf11749b272e18090c923f81dbad4bc911"
+  integrity sha512-16oXCvnieVeKxTDQqi275bLuyOCwXci8Jywm2/M+4dWNNYoduUz0Crj1nFY0ETYMsuYvCdareWov6/Mebu92xA==
+
 selenium-webdriver@^4.20.0:
   version "4.20.0"
   resolved "https://registry.yarnpkg.com/selenium-webdriver/-/selenium-webdriver-4.20.0.tgz#14941ab4a59e8956a5e4b4491a8ba2bd6619d1ac"