feat: teams + SCIM

.github/workflows/backend.yml

@@ -22,7 +22,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: '3.12'
           cache: 'pip'
 
       - name: Install dependencies

backend/api/auth.py

@@ -164,24 +164,18 @@ def authenticate(self, request):
                     raise exceptions.AuthenticationFailed(
                         "Service account cannot access this environment"
                     )
+            except (exceptions.AuthenticationFailed, exceptions.NotFound):
+                raise  # Let DRF exceptions propagate with their specific messages
             except Exception as ex:
-                # Distinguish between ServiceAccount not found and other potential errors
+                logger.debug(f"ServiceAccount authentication error: {ex}")
+                # Distinguish between ServiceAccount not found and other errors
                 ServiceAccount = apps.get_model("api", "ServiceAccount")
                 try:
-                    # Attempt to get the service account again to confirm if it exists
                     get_service_account_from_token(auth_token)
-                    # If it exists, the error was likely the environment access check
-                    raise exceptions.AuthenticationFailed(
-                        "Service account cannot access this environment"
-                    )
                 except ServiceAccount.DoesNotExist:
                     raise exceptions.NotFound("Service account not found")
-                except (
-                    Exception
-                ) as ex:  # Catch any other unexpected error during the re-check
-                    logger.debug(f"Authentication error: {ex}")
-                    raise exceptions.AuthenticationFailed(
-                        f"Authentication error. Please check your authentication token or App / Environment access."
-                    )
+                raise exceptions.AuthenticationFailed(
+                    "Authentication error. Please check your authentication token or App / Environment access."
+                )
 
         return (user, auth)

backend/api/authentication/adapters/social.py

@@ -0,0 +1,67 @@
+import logging
+
+from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
+from allauth.socialaccount.models import SocialAccount
+from django.contrib.auth import get_user_model
+
+logger = logging.getLogger(__name__)
+
+User = get_user_model()
+
+
+class AutoLinkSocialAccountAdapter(DefaultSocialAccountAdapter):
+    """
+    Custom SocialAccountAdapter that automatically links social logins
+    to existing users with matching email addresses.
+
+    This is essential for SCIM-provisioned users: SCIM creates the
+    CustomUser + OrganisationMember but no SocialAccount. Without this
+    adapter, the first SSO login would fail with "User is already
+    registered with this e-mail address."
+    """
+
+    def pre_social_login(self, request, sociallogin):
+        # If the social account is already linked, nothing to do
+        if sociallogin.is_existing:
+            return
+
+        email = sociallogin.user.email
+        if not email:
+            return
+
+        # Defense-in-depth: never auto-link when the IdP explicitly
+        # marks the email unverified. Mirrors the SSO callback's gate.
+        extra_data = sociallogin.account.extra_data or {}
+        if extra_data.get("email_verified") is False:
+            logger.warning(
+                f"Refused auto-link: provider={sociallogin.account.provider} "
+                f"email={email} not verified by IdP."
+            )
+            return
+
+        try:
+            existing_user = User.objects.get(email=email)
+        except User.DoesNotExist:
+            return
+
+        # Link the social account to the existing user
+        sociallogin.user = existing_user
+        social_account, created = SocialAccount.objects.get_or_create(
+            provider=sociallogin.account.provider,
+            uid=sociallogin.account.uid,
+            defaults={
+                "user": existing_user,
+                "extra_data": sociallogin.account.extra_data,
+            },
+        )
+
+        if not created:
+            social_account.extra_data = sociallogin.account.extra_data
+            social_account.save()
+
+        sociallogin.account = social_account
+
+        logger.info(
+            f"Auto-linked social account ({sociallogin.account.provider}) "
+            f"to existing user {email}"
+        )

backend/api/migrations/0123_add_team_models.py

@@ -0,0 +1,73 @@
+# Generated by Django 4.2.29 on 2026-03-30 11:38
+
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0122_sso_audit_fks_set_null'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Team',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=64)),
+                ('description', models.TextField(blank=True, null=True)),
+                ('is_scim_managed', models.BooleanField(default=False)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('deleted_at', models.DateTimeField(blank=True, null=True)),
+                ('created_by', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='created_teams', to='api.organisationmember')),
+                ('member_role', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='teams_as_member_role', to='api.role')),
+                ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='teams', to='api.organisation')),
+                ('service_account_role', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='teams_as_sa_role', to='api.role')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='TeamMembership',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('org_member', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='team_memberships', to='api.organisationmember')),
+                ('service_account', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='team_memberships', to='api.serviceaccount')),
+                ('team', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='memberships', to='api.team')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='TeamAppEnvironment',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('app', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.app')),
+                ('environment', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.environment')),
+                ('team', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='app_environments', to='api.team')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='EnvironmentKeyGrant',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('grant_type', models.CharField(choices=[('individual', 'Individual'), ('team', 'Team')], max_length=20)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('environment_key', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='grants', to='api.environmentkey')),
+                ('team', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='key_grants', to='api.team')),
+            ],
+        ),
+        migrations.AddConstraint(
+            model_name='teammembership',
+            constraint=models.UniqueConstraint(condition=models.Q(('org_member__isnull', False)), fields=('team', 'org_member'), name='unique_team_user'),
+        ),
+        migrations.AddConstraint(
+            model_name='teammembership',
+            constraint=models.UniqueConstraint(condition=models.Q(('service_account__isnull', False)), fields=('team', 'service_account'), name='unique_team_sa'),
+        ),
+        migrations.AddConstraint(
+            model_name='teamappenvironment',
+            constraint=models.UniqueConstraint(fields=('team', 'environment'), name='unique_team_env'),
+        ),
+    ]

backend/api/migrations/0124_backfill_environment_key_grants.py

@@ -0,0 +1,46 @@
+# Generated by Django 4.2.29 on 2026-03-30 11:38
+
+from django.db import migrations
+
+
+def backfill_grants(apps, schema_editor):
+    """
+    Create an 'individual' EnvironmentKeyGrant for every existing EnvironmentKey.
+    This ensures the grant-tracking system works from day one — all pre-existing
+    keys are attributed to individual access.
+    """
+    EnvironmentKey = apps.get_model("api", "EnvironmentKey")
+    EnvironmentKeyGrant = apps.get_model("api", "EnvironmentKeyGrant")
+
+    grants_to_create = []
+    for ek in EnvironmentKey.objects.filter(deleted_at__isnull=True).iterator():
+        grants_to_create.append(
+            EnvironmentKeyGrant(
+                environment_key=ek,
+                grant_type="individual",
+                team=None,
+            )
+        )
+        if len(grants_to_create) >= 1000:
+            EnvironmentKeyGrant.objects.bulk_create(grants_to_create, ignore_conflicts=True)
+            grants_to_create = []
+
+    if grants_to_create:
+        EnvironmentKeyGrant.objects.bulk_create(grants_to_create, ignore_conflicts=True)
+
+
+def reverse_backfill(apps, schema_editor):
+    """Remove all individual grants created by the forward migration."""
+    EnvironmentKeyGrant = apps.get_model("api", "EnvironmentKeyGrant")
+    EnvironmentKeyGrant.objects.filter(grant_type="individual", team__isnull=True).delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("api", "0123_add_team_models"),
+    ]
+
+    operations = [
+        migrations.RunPython(backfill_grants, reverse_backfill),
+    ]

backend/api/migrations/0125_teams_and_scim.py

@@ -0,0 +1,121 @@
+# Generated by Django 4.2.29 on 2026-04-14 15:57
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0124_backfill_environment_key_grants'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='organisation',
+            name='scim_enabled',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='serviceaccount',
+            name='team',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='owned_service_accounts', to='api.team'),
+        ),
+        migrations.AddField(
+            model_name='team',
+            name='owner',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='owned_teams', to='api.organisationmember'),
+        ),
+        migrations.CreateModel(
+            name='SCIMUser',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('external_id', models.CharField(max_length=255)),
+                ('email', models.EmailField(max_length=254)),
+                ('display_name', models.CharField(blank=True, max_length=255)),
+                ('active', models.BooleanField(default=True)),
+                ('scim_data', models.JSONField(default=dict)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('org_member', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to='api.organisationmember')),
+                ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='scim_users', to='api.organisation')),
+                ('user', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+        migrations.CreateModel(
+            name='SCIMToken',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=64)),
+                ('token_hash', models.CharField(db_index=True, max_length=128, unique=True)),
+                ('token_prefix', models.CharField(max_length=12)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('expires_at', models.DateTimeField(blank=True, null=True)),
+                ('last_used_at', models.DateTimeField(blank=True, null=True)),
+                ('is_active', models.BooleanField(default=True)),
+                ('deleted_at', models.DateTimeField(blank=True, null=True)),
+                ('created_by', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='api.organisationmember')),
+                ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='scim_tokens', to='api.organisation')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='SCIMGroup',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('external_id', models.CharField(max_length=255)),
+                ('display_name', models.CharField(max_length=255)),
+                ('scim_data', models.JSONField(default=dict)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='scim_groups', to='api.organisation')),
+                ('team', models.OneToOneField(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='scim_group', to='api.team')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='SCIMEvent',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('event_type', models.CharField(choices=[('user_created', 'User Created'), ('user_updated', 'User Updated'), ('user_deactivated', 'User Deactivated'), ('user_reactivated', 'User Reactivated'), ('group_created', 'Group Created'), ('group_updated', 'Group Updated'), ('group_deleted', 'Group Deleted'), ('member_added', 'Member Added to Group'), ('member_removed', 'Member Removed from Group')], max_length=32)),
+                ('status', models.CharField(choices=[('success', 'Success'), ('error', 'Error')], default='success', max_length=8)),
+                ('resource_type', models.CharField(choices=[('user', 'User'), ('group', 'Group')], max_length=16)),
+                ('resource_id', models.TextField(blank=True)),
+                ('resource_name', models.CharField(blank=True, max_length=255)),
+                ('detail', models.JSONField(default=dict)),
+                ('request_method', models.CharField(blank=True, max_length=8)),
+                ('request_path', models.TextField(blank=True)),
+                ('request_body', models.JSONField(blank=True, null=True)),
+                ('response_status', models.IntegerField(blank=True, null=True)),
+                ('response_body', models.JSONField(blank=True, null=True)),
+                ('ip_address', models.GenericIPAddressField(blank=True, null=True)),
+                ('user_agent', models.TextField(blank=True, null=True)),
+                ('timestamp', models.DateTimeField(auto_now_add=True)),
+                ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='scim_events', to='api.organisation')),
+                ('scim_token', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='events', to='api.scimtoken')),
+            ],
+            options={
+                'ordering': ['-timestamp'],
+            },
+        ),
+        migrations.AddConstraint(
+            model_name='scimuser',
+            constraint=models.UniqueConstraint(fields=('external_id', 'organisation'), name='unique_scim_user_external_id'),
+        ),
+        migrations.AddConstraint(
+            model_name='scimuser',
+            constraint=models.UniqueConstraint(fields=('email', 'organisation'), name='unique_scim_user_email'),
+        ),
+        migrations.AddConstraint(
+            model_name='scimgroup',
+            constraint=models.UniqueConstraint(fields=('external_id', 'organisation'), name='unique_scim_group_external_id'),
+        ),
+        migrations.AddIndex(
+            model_name='scimevent',
+            index=models.Index(fields=['organisation', '-timestamp'], name='scim_event_org_ts_idx'),
+        ),
+        migrations.AddIndex(
+            model_name='scimevent',
+            index=models.Index(fields=['scim_token', '-timestamp'], name='scim_event_token_ts_idx'),
+        ),
+    ]

backend/api/migrations/0126_populate_team_owner.py

@@ -0,0 +1,25 @@
+from django.db import migrations, models
+
+
+def populate_team_owner(apps, schema_editor):
+    """Set owner = created_by for all existing teams."""
+    Team = apps.get_model("api", "Team")
+    Team.objects.filter(owner__isnull=True, created_by__isnull=False).update(
+        owner=models.F("created_by")
+    )
+
+
+def reverse(apps, schema_editor):
+    """No-op reverse — owner data is additive."""
+    pass
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0125_teams_and_scim'),
+    ]
+
+    operations = [
+        migrations.RunPython(populate_team_owner, reverse),
+    ]