chore: implement better 404 for unimplemented scim endpoints (#15232)

Prior to this, html was returned.
2025-07-09 11:45:56 +00:00 · 2024-10-25 13:23:12 -04:00
parent 487b37b228
commit 900e2cd39c
3 changed files with 10 additions and 14 deletions
--- a/enterprise/coderd/coderd.go
+++ b/enterprise/coderd/coderd.go
@ -455,7 +455,7 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 	if len(options.SCIMAPIKey) != 0 {
 		api.AGPL.RootHandler.Route("/scim/v2", func(r chi.Router) {
 			r.Use(
-				api.scimEnabledMW,
+				api.RequireFeatureMW(codersdk.FeatureSCIM),
 			)
 			r.Post("/Users", api.scimPostUser)
 			r.Route("/Users", func(r chi.Router) {
@ -464,6 +464,13 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 				r.Get("/{id}", api.scimGetUser)
 				r.Patch("/{id}", api.scimPatchUser)
 			})
+			r.NotFound(func(w http.ResponseWriter, r *http.Request) {
+				u := r.URL.String()
+				httpapi.Write(r.Context(), w, http.StatusNotFound, codersdk.Response{
+					Message: fmt.Sprintf("SCIM endpoint %s not found", u),
+					Detail:  "This endpoint is not implemented. If it is correct and required, please contact support.",
+				})
+			})
 		})
 	} else {
 		// Show a helpful 404 error. Because this is not under the /api/v2 routes,
--- a/enterprise/coderd/scim.go
+++ b/enterprise/coderd/scim.go
@ -23,17 +23,6 @@ import (
 	"github.com/coder/coder/v2/codersdk"
 )

-func (api *API) scimEnabledMW(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		if !api.Entitlements.Enabled(codersdk.FeatureSCIM) {
-			httpapi.RouteNotFound(rw)
-			return
-		}
-
-		next.ServeHTTP(rw, r)
-	})
-}
-
 func (api *API) scimVerifyAuthHeader(r *http.Request) bool {
 	bearer := []byte("Bearer ")
 	hdr := []byte(r.Header.Get("Authorization"))
--- a/enterprise/coderd/scim_test.go
+++ b/enterprise/coderd/scim_test.go
@ -88,7 +88,7 @@ func TestScim(t *testing.T) {
 			res, err := client.Request(ctx, "POST", "/scim/v2/Users", struct{}{})
 			require.NoError(t, err)
 			defer res.Body.Close()
-			assert.Equal(t, http.StatusNotFound, res.StatusCode)
+			assert.Equal(t, http.StatusForbidden, res.StatusCode)
 		})

 		t.Run("noAuth", func(t *testing.T) {
@ -424,7 +424,7 @@ func TestScim(t *testing.T) {
 			require.NoError(t, err)
 			_, _ = io.Copy(io.Discard, res.Body)
 			_ = res.Body.Close()
-			assert.Equal(t, http.StatusNotFound, res.StatusCode)
+			assert.Equal(t, http.StatusForbidden, res.StatusCode)
 		})

 		t.Run("noAuth", func(t *testing.T) {