feat: implement comprehensive SCIM security improvements from PR feedback

- Use secure password comparison with crypto/subtle.ConstantTimeCompare for SCIM basic auth
- Create proper auth.scim_providers table with password hashes for provider management
- Convert all map-based responses to proper Go structs (ServiceProviderConfig, ResourceTypes, Schemas)
- Implement JSON parsing for filter values instead of manual string trimming
- Add dedicated scim_external_id column with index instead of raw_app_meta_data storage
- Implement comprehensive SCIM provider isolation system ensuring providers only manage their own users
- Add database migrations for new scim_providers, scim_external_id, and scim_provider_id columns
- Update User model with SCIMExternalID and SCIMProviderID fields using storage.NullString

Author: felixmccuaig

internal/api/middleware.go

@@ -3,6 +3,7 @@ package api
 import (
 	"bytes"
 	"context"
+	"crypto/subtle"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -295,38 +296,58 @@ func (a *API) requireSAMLEnabled(w http.ResponseWriter, req *http.Request) (cont
 
 // requireSCIMEnabled ensures SCIM is enabled
 func (a *API) requireSCIMEnabled(w http.ResponseWriter, req *http.Request) (context.Context, error) {
-    ctx := req.Context()
-    if !a.config.SCIM.Enabled {
-        return nil, apierrors.NewNotFoundError(apierrors.ErrorCodeValidationFailed, "SCIM is disabled")
-    }
-    return ctx, nil
+	ctx := req.Context()
+	if !a.config.SCIM.Enabled {
+		return nil, apierrors.NewNotFoundError(apierrors.ErrorCodeValidationFailed, "SCIM is disabled")
+	}
+	return ctx, nil
+}
+
+const scimProviderContextKey = contextKey("scim_provider_id")
+
+func withSCIMProvider(ctx context.Context, providerID string) context.Context {
+	return context.WithValue(ctx, scimProviderContextKey, providerID)
+}
+
+func getSCIMProvider(ctx context.Context) string {
+	if val := ctx.Value(scimProviderContextKey); val != nil {
+		if providerID, ok := val.(string); ok {
+			return providerID
+		}
+	}
+	return "default"
 }
 
 // requireSCIMAuth authenticates SCIM requests via Bearer token or Basic auth
 func (a *API) requireSCIMAuth(w http.ResponseWriter, req *http.Request) (context.Context, error) {
-    ctx := req.Context()
-    cfg := a.config.SCIM
-
-    // Bearer token
-    authz := req.Header.Get("Authorization")
-    if m := bearerRegexp.FindStringSubmatch(authz); len(m) == 2 {
-        token := m[1]
-        for _, t := range cfg.Tokens {
-            if t != "" && t == token {
-                return ctx, nil
-            }
-        }
-    }
-
-    // Basic auth
-    user, pass, ok := req.BasicAuth()
-    if ok && cfg.BasicUser != "" && cfg.BasicPassword != "" {
-        if user == cfg.BasicUser && pass == cfg.BasicPassword {
-            return ctx, nil
-        }
-    }
-
-    return nil, apierrors.NewForbiddenError(apierrors.ErrorCodeInvalidCredentials, "Invalid SCIM credentials")
+	ctx := req.Context()
+	cfg := a.config.SCIM
+
+	// Bearer token
+	authz := req.Header.Get("Authorization")
+	if m := bearerRegexp.FindStringSubmatch(authz); len(m) == 2 {
+		token := m[1]
+		for i, t := range cfg.Tokens {
+			if t != "" && t == token {
+				// Use token index as provider ID for isolation
+				providerID := fmt.Sprintf("token_%d", i)
+				return withSCIMProvider(ctx, providerID), nil
+			}
+		}
+	}
+
+	// Basic auth
+	user, pass, ok := req.BasicAuth()
+	if ok && cfg.BasicUser != "" && cfg.BasicPassword != "" {
+		if subtle.ConstantTimeCompare([]byte(user), []byte(cfg.BasicUser)) == 1 &&
+			subtle.ConstantTimeCompare([]byte(pass), []byte(cfg.BasicPassword)) == 1 {
+			// Use basic auth username as provider ID
+			providerID := fmt.Sprintf("basic_%s", user)
+			return withSCIMProvider(ctx, providerID), nil
+		}
+	}
+
+	return nil, apierrors.NewForbiddenError(apierrors.ErrorCodeInvalidCredentials, "Invalid SCIM credentials")
 }
 
 func (a *API) requireManualLinkingEnabled(w http.ResponseWriter, req *http.Request) (context.Context, error) {