From 8d9d55b861b91decf7db199f1ac24d86c71d7f24 Mon Sep 17 00:00:00 2001
From: Peter Bouda
Date: Tue, 8 Oct 2024 10:39:50 +0100
Subject: [PATCH] DEV: Check for authorization based on token
---
 config/initializers/scimitar.rb | 7 ++++++-
 plugin.rb | 12 ++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/config/initializers/scimitar.rb b/config/initializers/scimitar.rb
index 080f4f5..6bc1d92 100644
--- a/config/initializers/scimitar.rb
+++ b/config/initializers/scimitar.rb
@@ -3,7 +3,12 @@ Rails.application.config.to_prepare do
 Scimitar.engine_configuration = Scimitar::EngineConfiguration.new({
 token_authenticator: Proc.new do | token, options |
- true
+ api_key = ApiKey.active.with_key(token).first
+ allowed = false
+ if api_key
+ allowed = api_key.api_key_scopes.any? { |s| s.resource == "scim" || s.action == "access_scim_endpoints" }
+ end
+ allowed
 end
 })
 end
\ No newline at end of file
diff --git a/plugin.rb b/plugin.rb
index dc73a9e..32352b4 100644
--- a/plugin.rb
+++ b/plugin.rb
@@ -20,6 +20,18 @@ require "scimitar"
 enabled_site_setting :scim_enabled
+add_api_key_scope(
+ :scim,
+ {
+ access_scim_endpoints: {
+ actions: %w[scim_v2/users#index scim_v2/users#show scim_v2/users#create
+ scim_v2/users#replace scim_v2/users#update scim_v2/users#destroy
+ scim_v2/groups#index scim_v2/groups#show scim_v2/groups#create
+ scim_v2/groups#update],
+ },
+ },
+ )
+
 module ::DiscourseScimPlugin
 PLUGIN_NAME = "scim"
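Review bot: The scope test inside the added `any?` block joins resource and action with `||`, so a key is accepted if it holds any scope on the "scim" resource or any scope, on any resource, whose action happens to be named "access_scim_endpoints". Requiring both, `s.resource == "scim" && s.action == "access_scim_endpoints"`, matches the one scope this commit registers in plugin.rb and stays strict if further scim scopes are added later. The lookup filters only on `ApiKey.active`; if keys can carry further restrictions such as an IP allow-list, they do not appear to be applied on this path, and the unused `options` argument suggests the request context is not consulted at all, which is worth confirming. A one-line comment above the proc stating that SCIM access requires a key scoped to `scim:access_scim_endpoints` would document the trust decision for the next reader.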
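Review bot: The `actions` list covers six user actions but only `scim_v2/groups#index`, `#show`, `#create` and `#update`, leaving out any group replace or destroy counterparts without saying why. If the plugin routes those group actions and they are meant to stay off-limits to scoped keys, record that next to the list, e.g. `# groups#replace and groups#destroy are deliberately not granted`; otherwise add them. Note also that the token authenticator changed in config/initializers/scimitar.rb only checks that the key holds the scope and never compares the request against this list. Unless these routes are matched against scope actions somewhere outside this diff, the list restricts nothing and the omission gives a false impression of least privilege.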