fix(scim): improve unique constraint error detection for externalId

Bewinxed · Bewinxed · commit 7fe64d5d8173 · 2026-02-01T20:31:57.000Z
diff --git a/internal/api/scim.go b/internal/api/scim.go
@@ -16,6 +16,17 @@ import (
 	"github.com/supabase/auth/internal/utilities"
 )
 
+func isPostgresUniqueViolation(err error) bool {
+	errToCheck := err
+	if httpErr, ok := err.(*apierrors.HTTPError); ok && httpErr.InternalError != nil {
+		errToCheck = httpErr.InternalError
+	}
+	if pgErr := utilities.NewPostgresError(errToCheck); pgErr != nil && pgErr.IsUniqueConstraintViolated() {
+		return true
+	}
+	return false
+}
+
 func (a *API) requireSCIMAuthentication(w http.ResponseWriter, r *http.Request) (context.Context, error) {
 	ctx := r.Context()
 	db := a.db.WithContext(ctx)
@@ -418,7 +429,7 @@ func (a *API) scimReplaceUser(w http.ResponseWriter, r *http.Request) error {
 					user.Identities[i].IdentityData["external_id"] = params.ExternalID
 					user.Identities[i].IdentityData["sub"] = params.ExternalID
 					if err := tx.UpdateOnly(&user.Identities[i], "provider_id", "identity_data"); err != nil {
-						if models.IsUniqueConstraintViolatedError(err) {
+						if isPostgresUniqueViolation(err) {
 							return apierrors.NewSCIMConflictError("externalId already exists", "uniqueness")
 						}
 						return apierrors.NewInternalServerError("Error updating identity").WithInternalError(err)
@@ -568,7 +579,7 @@ func (a *API) applySCIMUserPatch(tx *storage.Connection, user *models.User, op S
 						user.Identities[i].IdentityData["external_id"] = externalID
 						user.Identities[i].IdentityData["sub"] = externalID
 						if err := tx.UpdateOnly(&user.Identities[i], "provider_id", "identity_data"); err != nil {
-							if models.IsUniqueConstraintViolatedError(err) {
+							if isPostgresUniqueViolation(err) {
 								return apierrors.NewSCIMConflictError("externalId already exists", "uniqueness")
 							}
 							return apierrors.NewInternalServerError("Error updating identity").WithInternalError(err)
@@ -669,7 +680,7 @@ func (a *API) applySCIMUserPatch(tx *storage.Connection, user *models.User, op S
 					user.Identities[i].IdentityData["external_id"] = externalID
 					user.Identities[i].IdentityData["sub"] = externalID
 					if err := tx.UpdateOnly(&user.Identities[i], "provider_id", "identity_data"); err != nil {
-						if models.IsUniqueConstraintViolatedError(err) {
+						if isPostgresUniqueViolation(err) {
 							return apierrors.NewSCIMConflictError("externalId already exists", "uniqueness")
 						}
 						return apierrors.NewInternalServerError("Error updating identity").WithInternalError(err)
@@ -802,7 +813,7 @@ func (a *API) applySCIMUserPatch(tx *storage.Connection, user *models.User, op S
 							user.Identities[i].IdentityData["external_id"] = externalID
 							user.Identities[i].IdentityData["sub"] = externalID
 							if err := tx.UpdateOnly(&user.Identities[i], "provider_id", "identity_data"); err != nil {
-								if models.IsUniqueConstraintViolatedError(err) {
+								if isPostgresUniqueViolation(err) {
 									return apierrors.NewSCIMConflictError("externalId already exists", "uniqueness")
 								}
 								return apierrors.NewInternalServerError("Error updating identity").WithInternalError(err)
diff --git a/internal/api/scim_test.go b/internal/api/scim_test.go
@@ -2869,7 +2869,7 @@ func (ts *SCIMTestSuite) TestSCIMPatchExternalIdConflict() {
 }
 
 func (ts *SCIMTestSuite) TestSCIMPatchNoPathWrongTypeReturns400() {
-	user := ts.createSCIMUser(testUser24)
+	user := ts.createSCIMUser(testUser24.UserName, testUser24.Email)
 
 	cases := []struct {
 		name string

Original file line number	Diff line number	Diff line change
`@@ -2869,7 +2869,7 @@ func (ts *SCIMTestSuite) TestSCIMPatchExternalIdConflict() {`
`2869`	`2869`	`}`
`2870`	`2870`
`2871`	`2871`	`func (ts *SCIMTestSuite) TestSCIMPatchNoPathWrongTypeReturns400() {`
`2872`		`- user := ts.createSCIMUser(testUser24)`
	`2872`	`+ user := ts.createSCIMUser(testUser24.UserName, testUser24.Email)`
`2873`	`2873`
`2874`	`2874`	`cases := []struct {`
`2875`	`2875`	`name string`