fix: audit scim user deleted events (#10322)

SCIM users deleted in bulk are not captured in the event log. We just add an event like this: ![image](https://github.com/user-attachments/assets/2d7078b2-61d6-475e-8151-63b5b5ed7449) This prevents partial user sync because we don't get an event when the user was deleted.
2025-10-27 11:02:16 +01:00 · 2025-07-07 12:17:37 +02:00 · 2025-07-07 12:17:37 +02:00 · 5901475c9e
commit 5901475c9e
parent f7e39df386
4 changed files with 27 additions and 11 deletions
--- a/src/lib/features/users/user-store.ts
+++ b/src/lib/features/users/user-store.ts
@ -290,8 +290,12 @@ export class UserStore implements IUserStore {
        await this.activeUsers().del();
    }
-    async deleteScimUsers(): Promise<void> {
+    async deleteScimUsers(): Promise<User[]> {
-        await this.db(TABLE).whereNotNull('scim_id').del();
+        const rows = await this.db(TABLE)
            .whereNotNull('scim_id')
            .del()
            .returning(USER_COLUMNS);
        return rows.map(rowToUser);
    }
    async count(): Promise<number> {
--- a/src/lib/services/user-service.ts
+++ b/src/lib/services/user-service.ts
@ -403,14 +403,26 @@ class UserService {
    }
    async deleteScimUsers(auditUser: IAuditUser): Promise<void> {
-        await this.store.deleteScimUsers();
+        const users = await this.store.deleteScimUsers();
-
+        // Note: after deletion we can't get the role for the user
-        await this.eventService.storeEvent(
+        const viewerRole = await this.accessService.getPredefinedRole(
            RoleName.VIEWER,
        );
        if (users.length > 0) {
            const deletions = users.map((user) => {
                return new UserDeletedEvent({
                    deletedUser: { ...user, rootRole: viewerRole.id },
                    auditUser,
                });
            });
            await this.eventService.storeEvents([
                ...deletions,
                new ScimUsersDeleted({
                    data: null,
                    auditUser,
                }),
-        );
+            ]);
        }
    }
    async loginUser(
--- a/src/lib/types/stores/user-store.ts
+++ b/src/lib/types/stores/user-store.ts
@ -46,5 +46,5 @@ export interface IUserStore extends Store<IUser, number> {
    count(): Promise<number>;
    countRecentlyDeleted(): Promise<number>;
    countServiceAccounts(): Promise<number>;
-    deleteScimUsers(): Promise<void>;
+    deleteScimUsers(): Promise<IUser[]>;
 }
--- a/src/test/fixtures/fake-user-store.ts
+++ b/src/test/fixtures/fake-user-store.ts
@ -159,7 +159,7 @@ class UserStoreMock implements IUserStore {
        return Promise.resolve(undefined);
    }
-    deleteScimUsers(): Promise<void> {
+    deleteScimUsers(): Promise<User[]> {
        throw new Error('Method not implemented.');
    }