@strapi/admin 5.23.5 → 5.24.0

package/dist/admin/admin/src/utils/baseQuery.mjs

@@ -1,57 +1,93 @@
-import { getFetchClient, isFetchError } from './getFetchClient.mjs';
+import { logout, login } from '../reducer.mjs';
+import { isFetchError, getFetchClient } from './getFetchClient.mjs';
 
-const simpleQuery = async (query, { signal })=>{
-    try {
+let refreshPromise = null;
+const isAuthPath = (url)=>/^\/admin\/(login|logout|access-token)\b/.test(url);
+const simpleQuery = async (query, api)=>{
+    const { signal, dispatch } = api;
+    const executeQuery = async (queryToExecute)=>{
         const { get, post, del, put } = getFetchClient();
-        if (typeof query === 'string') {
-            const result = await get(query, {
+        if (typeof queryToExecute === 'string') {
+            const result = await get(queryToExecute, {
                 signal
             });
-            return {
-                data: result.data
-            };
-        } else {
-            const { url, method = 'GET', data, config } = query;
-            if (method === 'POST') {
-                const result = await post(url, data, {
-                    ...config,
-                    signal
-                });
-                return {
-                    data: result.data
-                };
-            }
-            if (method === 'DELETE') {
-                const result = await del(url, {
-                    ...config,
-                    signal
-                });
-                return {
-                    data: result.data
-                };
-            }
-            if (method === 'PUT') {
-                const result = await put(url, data, {
-                    ...config,
-                    signal
-                });
-                return {
-                    data: result.data
-                };
-            }
-            /**
-       * Default is GET.
-       */ const result = await get(url, {
+            return result;
+        }
+        const { url, method = 'GET', data, config } = queryToExecute;
+        if (method === 'POST') {
+            return post(url, data, {
                 ...config,
                 signal
             });
-            return {
-                data: result.data
-            };
         }
+        if (method === 'DELETE') {
+            return del(url, {
+                ...config,
+                signal
+            });
+        }
+        if (method === 'PUT') {
+            return put(url, data, {
+                ...config,
+                signal
+            });
+        }
+        return get(url, {
+            ...config,
+            signal
+        });
+    };
+    try {
+        const result = await executeQuery(query);
+        return {
+            data: result.data
+        };
     } catch (err) {
         // Handle error of type FetchError
         if (isFetchError(err)) {
+            // Attempt auto-refresh on 401 then retry once
+            if (err.status === 401) {
+                const url = typeof query === 'string' ? query : query.url;
+                if (!isAuthPath(url)) {
+                    if (!refreshPromise) {
+                        async function refreshAccessToken() {
+                            const { post } = getFetchClient();
+                            const res = await post('/admin/access-token');
+                            const token = res?.data?.data?.token;
+                            if (!token) {
+                                throw new Error('access_token_exchange_failed');
+                            }
+                            // Persist according to previous choice: localStorage presence implies persist
+                            const persist = Boolean(localStorage.getItem('jwtToken'));
+                            dispatch(login({
+                                token,
+                                persist
+                            }));
+                            return token;
+                        }
+                        refreshPromise = refreshAccessToken().finally(()=>{
+                            refreshPromise = null;
+                        });
+                    }
+                    try {
+                        await refreshPromise;
+                        // Retry original request once with updated Authorization
+                        const retry = await executeQuery(query);
+                        return {
+                            data: retry.data
+                        };
+                    } catch (refreshError) {
+                        try {
+                            const { post } = getFetchClient();
+                            await post('/admin/logout');
+                        } catch  {
+                        // no-op
+                        }
+                        dispatch(logout());
+                    // Fall through to return the original 401 error shape
+                    }
+                }
+            }
             if (typeof err.response?.data === 'object' && err.response?.data !== null && 'error' in err.response?.data) {
                 /**
          * This will most likely be ApiError

package/dist/admin/admin/src/utils/baseQuery.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"baseQuery.mjs","sources":["../../../../../admin/src/utils/baseQuery.ts"],"sourcesContent":["import { SerializedError } from '@reduxjs/toolkit';\nimport { BaseQueryFn } from '@reduxjs/toolkit/query';\n\nimport { getFetchClient, type FetchOptions, ApiError, isFetchError } from '../utils/getFetchClient';\n\ninterface QueryArguments {\n  url: string;\n  method?: 'GET' | 'POST' | 'DELETE' | 'PUT';\n  data?: unknown;\n  config?: FetchOptions;\n}\n\ninterface UnknownApiError {\n  name: 'UnknownError';\n  message: string;\n  details?: unknown;\n  status?: number;\n}\n\ntype BaseQueryError = ApiError | UnknownApiError;\n\nconst simpleQuery: BaseQueryFn<string | QueryArguments, unknown, BaseQueryError> = async (\n  query,\n  { signal }\n) => {\n  try {\n    const { get, post, del, put } = getFetchClient();\n\n    if (typeof query === 'string') {\n      const result = await get(query, { signal });\n      return { data: result.data };\n    } else {\n      const { url, method = 'GET', data, config } = query;\n\n      if (method === 'POST') {\n        const result = await post(url, data, {\n          ...config,\n          signal,\n        });\n        return { data: result.data };\n      }\n\n      if (method === 'DELETE') {\n        const result = await del(url, {\n          ...config,\n          signal,\n        });\n        return { data: result.data };\n      }\n\n      if (method === 'PUT') {\n        const result = await put(url, data, {\n          ...config,\n          signal,\n        });\n        return { data: result.data };\n      }\n\n      /**\n       * Default is GET.\n       */\n      const result = await get(url, {\n        ...config,\n        signal,\n      });\n      return { data: result.data };\n    }\n  } catch (err) {\n    // Handle error of type FetchError\n\n    if (isFetchError(err)) {\n      if (\n        typeof err.response?.data === 'object' &&\n        err.response?.data !== null &&\n        'error' in err.response?.data\n      ) {\n        /**\n         * This will most likely be ApiError\n         */\n        return { data: undefined, error: err.response?.data.error as any };\n      } else {\n        return {\n          data: undefined,\n          error: {\n            name: 'UnknownError',\n            message: err.message,\n            details: err.response,\n            status: err.status,\n          } as UnknownApiError,\n        };\n      }\n    }\n\n    const error = err as Error;\n    return {\n      data: undefined,\n      error: {\n        name: error.name,\n        message: error.message,\n        stack: error.stack,\n      } satisfies SerializedError,\n    };\n  }\n};\n\nconst fetchBaseQuery = () => simpleQuery;\n\nconst isBaseQueryError = (error: BaseQueryError | SerializedError): error is BaseQueryError => {\n  return error.name !== undefined;\n};\n\nexport { fetchBaseQuery, isBaseQueryError };\nexport type { BaseQueryError, UnknownApiError, QueryArguments };\n"],"names":["simpleQuery","query","signal","get","post","del","put","getFetchClient","result","data","url","method","config","err","isFetchError","response","undefined","error","name","message","details","status","stack","fetchBaseQuery","isBaseQueryError"],"mappings":";;AAqBA,MAAMA,WAA6E,GAAA,OACjFC,KACA,EAAA,EAAEC,MAAM,EAAE,GAAA;IAEV,IAAI;QACF,MAAM,EAAEC,GAAG,EAAEC,IAAI,EAAEC,GAAG,EAAEC,GAAG,EAAE,GAAGC,cAAAA,EAAAA;QAEhC,IAAI,OAAON,UAAU,QAAU,EAAA;YAC7B,MAAMO,MAAAA,GAAS,MAAML,GAAAA,CAAIF,KAAO,EAAA;AAAEC,gBAAAA;AAAO,aAAA,CAAA;YACzC,OAAO;AAAEO,gBAAAA,IAAAA,EAAMD,OAAOC;AAAK,aAAA;SACtB,MAAA;YACL,MAAM,EAAEC,GAAG,EAAEC,MAAS,GAAA,KAAK,EAAEF,IAAI,EAAEG,MAAM,EAAE,GAAGX,KAAAA;AAE9C,YAAA,IAAIU,WAAW,MAAQ,EAAA;AACrB,gBAAA,MAAMH,MAAS,GAAA,MAAMJ,IAAKM,CAAAA,GAAAA,EAAKD,IAAM,EAAA;AACnC,oBAAA,GAAGG,MAAM;AACTV,oBAAAA;AACF,iBAAA,CAAA;gBACA,OAAO;AAAEO,oBAAAA,IAAAA,EAAMD,OAAOC;AAAK,iBAAA;AAC7B;AAEA,YAAA,IAAIE,WAAW,QAAU,EAAA;gBACvB,MAAMH,MAAAA,GAAS,MAAMH,GAAAA,CAAIK,GAAK,EAAA;AAC5B,oBAAA,GAAGE,MAAM;AACTV,oBAAAA;AACF,iBAAA,CAAA;gBACA,OAAO;AAAEO,oBAAAA,IAAAA,EAAMD,OAAOC;AAAK,iBAAA;AAC7B;AAEA,YAAA,IAAIE,WAAW,KAAO,EAAA;AACpB,gBAAA,MAAMH,MAAS,GAAA,MAAMF,GAAII,CAAAA,GAAAA,EAAKD,IAAM,EAAA;AAClC,oBAAA,GAAGG,MAAM;AACTV,oBAAAA;AACF,iBAAA,CAAA;gBACA,OAAO;AAAEO,oBAAAA,IAAAA,EAAMD,OAAOC;AAAK,iBAAA;AAC7B;AAEA;;AAEC,UACD,MAAMD,MAAAA,GAAS,MAAML,GAAAA,CAAIO,GAAK,EAAA;AAC5B,gBAAA,GAAGE,MAAM;AACTV,gBAAAA;AACF,aAAA,CAAA;YACA,OAAO;AAAEO,gBAAAA,IAAAA,EAAMD,OAAOC;AAAK,aAAA;AAC7B;AACF,KAAA,CAAE,OAAOI,GAAK,EAAA;;AAGZ,QAAA,IAAIC,aAAaD,GAAM,CAAA,EAAA;AACrB,YAAA,IACE,OAAOA,GAAAA,CAAIE,QAAQ,EAAEN,SAAS,QAC9BI,IAAAA,GAAAA,CAAIE,QAAQ,EAAEN,SAAS,IACvB,IAAA,OAAA,IAAWI,GAAIE,CAAAA,QAAQ,EAAEN,IACzB,EAAA;AACA;;AAEC,YACD,OAAO;oBAAEA,IAAMO,EAAAA,SAAAA;oBAAWC,KAAOJ,EAAAA,GAAAA,CAAIE,QAAQ,EAAEN,IAAKQ,CAAAA;AAAa,iBAAA;aAC5D,MAAA;gBACL,OAAO;oBACLR,IAAMO,EAAAA,SAAAA;oBACNC,KAAO,EAAA;wBACLC,IAAM,EAAA,cAAA;AACNC,wBAAAA,OAAAA,EAASN,IAAIM,OAAO;AACpBC,wBAAAA,OAAAA,EAASP,IAAIE,QAAQ;AACrBM,wBAAAA,MAAAA,EAAQR,IAAIQ;AACd;AACF,iBAAA;AACF;AACF;AAEA,QAAA,MAAMJ,KAAQJ,GAAAA,GAAAA;QACd,OAAO;YACLJ,IAAMO,EAAAA,SAAAA;YACNC,KAAO,EAAA;AACLC,gBAAAA,IAAAA,EAAMD,MAAMC,IAAI;AAChBC,gBAAAA,OAAAA,EAASF,MAAME,OAAO;AACtBG,gBAAAA,KAAAA,EAAOL,MAAMK;AACf;AACF,SAAA;AACF;AACF,CAAA;AAEA,MAAMC,iBAAiB,IAAMvB;AAE7B,MAAMwB,mBAAmB,CAACP,KAAAA,GAAAA;IACxB,OAAOA,KAAAA,CAAMC,IAAI,KAAKF,SAAAA;AACxB;;;;"}
+{"version":3,"file":"baseQuery.mjs","sources":["../../../../../admin/src/utils/baseQuery.ts"],"sourcesContent":["import { SerializedError } from '@reduxjs/toolkit';\nimport { BaseQueryFn } from '@reduxjs/toolkit/query';\n\nimport { login as loginAction, logout as logoutAction } from '../reducer';\nimport { getFetchClient, type FetchOptions, ApiError, isFetchError } from '../utils/getFetchClient';\n\ninterface QueryArguments {\n  url: string;\n  method?: 'GET' | 'POST' | 'DELETE' | 'PUT';\n  data?: unknown;\n  config?: FetchOptions;\n}\n\ninterface UnknownApiError {\n  name: 'UnknownError';\n  message: string;\n  details?: unknown;\n  status?: number;\n}\n\ntype BaseQueryError = ApiError | UnknownApiError;\n\nlet refreshPromise: Promise<string> | null = null;\n\nconst isAuthPath = (url: string) => /^\\/admin\\/(login|logout|access-token)\\b/.test(url);\n\nconst simpleQuery: BaseQueryFn<string | QueryArguments, unknown, BaseQueryError> = async (\n  query,\n  api\n) => {\n  const { signal, dispatch } = api as { signal?: AbortSignal; dispatch: (a: any) => void };\n\n  const executeQuery = async (queryToExecute: string | QueryArguments) => {\n    const { get, post, del, put } = getFetchClient();\n    if (typeof queryToExecute === 'string') {\n      const result = await get(queryToExecute, { signal });\n      return result;\n    }\n\n    const { url, method = 'GET', data, config } = queryToExecute;\n    if (method === 'POST') {\n      return post(url, data, { ...config, signal });\n    }\n    if (method === 'DELETE') {\n      return del(url, { ...config, signal });\n    }\n    if (method === 'PUT') {\n      return put(url, data, { ...config, signal });\n    }\n    return get(url, { ...config, signal });\n  };\n\n  try {\n    const result = await executeQuery(query);\n    return { data: result.data };\n  } catch (err) {\n    // Handle error of type FetchError\n\n    if (isFetchError(err)) {\n      // Attempt auto-refresh on 401 then retry once\n      if (err.status === 401) {\n        const url = typeof query === 'string' ? query : query.url;\n\n        if (!isAuthPath(url)) {\n          if (!refreshPromise) {\n            async function refreshAccessToken(): Promise<string> {\n              const { post } = getFetchClient();\n\n              const res = await post('/admin/access-token');\n              const token = res?.data?.data?.token as string | undefined;\n              if (!token) {\n                throw new Error('access_token_exchange_failed');\n              }\n\n              // Persist according to previous choice: localStorage presence implies persist\n              const persist = Boolean(localStorage.getItem('jwtToken'));\n              dispatch(loginAction({ token, persist }));\n\n              return token;\n            }\n\n            refreshPromise = refreshAccessToken().finally(() => {\n              refreshPromise = null;\n            });\n          }\n\n          try {\n            await refreshPromise;\n            // Retry original request once with updated Authorization\n            const retry = await executeQuery(query);\n\n            return { data: retry.data };\n          } catch (refreshError) {\n            try {\n              const { post } = getFetchClient();\n              await post('/admin/logout');\n            } catch {\n              // no-op\n            }\n\n            dispatch(logoutAction());\n            // Fall through to return the original 401 error shape\n          }\n        }\n      }\n\n      if (\n        typeof err.response?.data === 'object' &&\n        err.response?.data !== null &&\n        'error' in err.response?.data\n      ) {\n        /**\n         * This will most likely be ApiError\n         */\n        return { data: undefined, error: err.response?.data.error as any };\n      } else {\n        return {\n          data: undefined,\n          error: {\n            name: 'UnknownError',\n            message: err.message,\n            details: err.response,\n            status: err.status,\n          } as UnknownApiError,\n        };\n      }\n    }\n\n    const error = err as Error;\n    return {\n      data: undefined,\n      error: {\n        name: error.name,\n        message: error.message,\n        stack: error.stack,\n      } satisfies SerializedError,\n    };\n  }\n};\n\nconst fetchBaseQuery = () => simpleQuery;\n\nconst isBaseQueryError = (error: BaseQueryError | SerializedError): error is BaseQueryError => {\n  return error.name !== undefined;\n};\n\nexport { fetchBaseQuery, isBaseQueryError };\nexport type { BaseQueryError, UnknownApiError, QueryArguments };\n"],"names":["refreshPromise","isAuthPath","url","test","simpleQuery","query","api","signal","dispatch","executeQuery","queryToExecute","get","post","del","put","getFetchClient","result","method","data","config","err","isFetchError","status","refreshAccessToken","res","token","Error","persist","Boolean","localStorage","getItem","loginAction","finally","retry","refreshError","logoutAction","response","undefined","error","name","message","details","stack","fetchBaseQuery","isBaseQueryError"],"mappings":";;;AAsBA,IAAIA,cAAyC,GAAA,IAAA;AAE7C,MAAMC,UAAa,GAAA,CAACC,GAAgB,GAAA,yCAAA,CAA0CC,IAAI,CAACD,GAAAA,CAAAA;AAEnF,MAAME,WAAAA,GAA6E,OACjFC,KACAC,EAAAA,GAAAA,GAAAA;AAEA,IAAA,MAAM,EAAEC,MAAM,EAAEC,QAAQ,EAAE,GAAGF,GAAAA;AAE7B,IAAA,MAAMG,eAAe,OAAOC,cAAAA,GAAAA;QAC1B,MAAM,EAAEC,GAAG,EAAEC,IAAI,EAAEC,GAAG,EAAEC,GAAG,EAAE,GAAGC,cAAAA,EAAAA;QAChC,IAAI,OAAOL,mBAAmB,QAAU,EAAA;YACtC,MAAMM,MAAAA,GAAS,MAAML,GAAAA,CAAID,cAAgB,EAAA;AAAEH,gBAAAA;AAAO,aAAA,CAAA;YAClD,OAAOS,MAAAA;AACT;QAEA,MAAM,EAAEd,GAAG,EAAEe,MAAS,GAAA,KAAK,EAAEC,IAAI,EAAEC,MAAM,EAAE,GAAGT,cAAAA;AAC9C,QAAA,IAAIO,WAAW,MAAQ,EAAA;YACrB,OAAOL,IAAAA,CAAKV,KAAKgB,IAAM,EAAA;AAAE,gBAAA,GAAGC,MAAM;AAAEZ,gBAAAA;AAAO,aAAA,CAAA;AAC7C;AACA,QAAA,IAAIU,WAAW,QAAU,EAAA;AACvB,YAAA,OAAOJ,IAAIX,GAAK,EAAA;AAAE,gBAAA,GAAGiB,MAAM;AAAEZ,gBAAAA;AAAO,aAAA,CAAA;AACtC;AACA,QAAA,IAAIU,WAAW,KAAO,EAAA;YACpB,OAAOH,GAAAA,CAAIZ,KAAKgB,IAAM,EAAA;AAAE,gBAAA,GAAGC,MAAM;AAAEZ,gBAAAA;AAAO,aAAA,CAAA;AAC5C;AACA,QAAA,OAAOI,IAAIT,GAAK,EAAA;AAAE,YAAA,GAAGiB,MAAM;AAAEZ,YAAAA;AAAO,SAAA,CAAA;AACtC,KAAA;IAEA,IAAI;QACF,MAAMS,MAAAA,GAAS,MAAMP,YAAaJ,CAAAA,KAAAA,CAAAA;QAClC,OAAO;AAAEa,YAAAA,IAAAA,EAAMF,OAAOE;AAAK,SAAA;AAC7B,KAAA,CAAE,OAAOE,GAAK,EAAA;;AAGZ,QAAA,IAAIC,aAAaD,GAAM,CAAA,EAAA;;YAErB,IAAIA,GAAAA,CAAIE,MAAM,KAAK,GAAK,EAAA;AACtB,gBAAA,MAAMpB,MAAM,OAAOG,KAAAA,KAAU,QAAWA,GAAAA,KAAAA,GAAQA,MAAMH,GAAG;gBAEzD,IAAI,CAACD,WAAWC,GAAM,CAAA,EAAA;AACpB,oBAAA,IAAI,CAACF,cAAgB,EAAA;wBACnB,eAAeuB,kBAAAA,GAAAA;4BACb,MAAM,EAAEX,IAAI,EAAE,GAAGG,cAAAA,EAAAA;4BAEjB,MAAMS,GAAAA,GAAM,MAAMZ,IAAK,CAAA,qBAAA,CAAA;4BACvB,MAAMa,KAAAA,GAAQD,GAAKN,EAAAA,IAAAA,EAAMA,IAAMO,EAAAA,KAAAA;AAC/B,4BAAA,IAAI,CAACA,KAAO,EAAA;AACV,gCAAA,MAAM,IAAIC,KAAM,CAAA,8BAAA,CAAA;AAClB;;AAGA,4BAAA,MAAMC,OAAUC,GAAAA,OAAAA,CAAQC,YAAaC,CAAAA,OAAO,CAAC,UAAA,CAAA,CAAA;AAC7CtB,4BAAAA,QAAAA,CAASuB,KAAY,CAAA;AAAEN,gCAAAA,KAAAA;AAAOE,gCAAAA;AAAQ,6BAAA,CAAA,CAAA;4BAEtC,OAAOF,KAAAA;AACT;wBAEAzB,cAAiBuB,GAAAA,kBAAAA,EAAAA,CAAqBS,OAAO,CAAC,IAAA;4BAC5ChC,cAAiB,GAAA,IAAA;AACnB,yBAAA,CAAA;AACF;oBAEA,IAAI;wBACF,MAAMA,cAAAA;;wBAEN,MAAMiC,KAAAA,GAAQ,MAAMxB,YAAaJ,CAAAA,KAAAA,CAAAA;wBAEjC,OAAO;AAAEa,4BAAAA,IAAAA,EAAMe,MAAMf;AAAK,yBAAA;AAC5B,qBAAA,CAAE,OAAOgB,YAAc,EAAA;wBACrB,IAAI;4BACF,MAAM,EAAEtB,IAAI,EAAE,GAAGG,cAAAA,EAAAA;AACjB,4BAAA,MAAMH,IAAK,CAAA,eAAA,CAAA;AACb,yBAAA,CAAE,OAAM;;AAER;wBAEAJ,QAAS2B,CAAAA,MAAAA,EAAAA,CAAAA;;AAEX;AACF;AACF;AAEA,YAAA,IACE,OAAOf,GAAAA,CAAIgB,QAAQ,EAAElB,SAAS,QAC9BE,IAAAA,GAAAA,CAAIgB,QAAQ,EAAElB,SAAS,IACvB,IAAA,OAAA,IAAWE,GAAIgB,CAAAA,QAAQ,EAAElB,IACzB,EAAA;AACA;;AAEC,YACD,OAAO;oBAAEA,IAAMmB,EAAAA,SAAAA;oBAAWC,KAAOlB,EAAAA,GAAAA,CAAIgB,QAAQ,EAAElB,IAAKoB,CAAAA;AAAa,iBAAA;aAC5D,MAAA;gBACL,OAAO;oBACLpB,IAAMmB,EAAAA,SAAAA;oBACNC,KAAO,EAAA;wBACLC,IAAM,EAAA,cAAA;AACNC,wBAAAA,OAAAA,EAASpB,IAAIoB,OAAO;AACpBC,wBAAAA,OAAAA,EAASrB,IAAIgB,QAAQ;AACrBd,wBAAAA,MAAAA,EAAQF,IAAIE;AACd;AACF,iBAAA;AACF;AACF;AAEA,QAAA,MAAMgB,KAAQlB,GAAAA,GAAAA;QACd,OAAO;YACLF,IAAMmB,EAAAA,SAAAA;YACNC,KAAO,EAAA;AACLC,gBAAAA,IAAAA,EAAMD,MAAMC,IAAI;AAChBC,gBAAAA,OAAAA,EAASF,MAAME,OAAO;AACtBE,gBAAAA,KAAAA,EAAOJ,MAAMI;AACf;AACF,SAAA;AACF;AACF,CAAA;AAEA,MAAMC,iBAAiB,IAAMvC;AAE7B,MAAMwC,mBAAmB,CAACN,KAAAA,GAAAA;IACxB,OAAOA,KAAAA,CAAMC,IAAI,KAAKF,SAAAA;AACxB;;;;"}

package/dist/admin/admin/src/utils/deviceId.js

@@ -0,0 +1,38 @@
+'use strict';
+
+const fallbackUUIDv4 = ()=>{
+    const bytes = crypto.getRandomValues(new Uint8Array(16));
+    bytes[6] = bytes[6] & 0x0f | 0x40;
+    bytes[8] = bytes[8] & 0x3f | 0x80;
+    const hex = [
+        ...bytes
+    ].map((b)=>b.toString(16).padStart(2, '0'));
+    return [
+        hex.slice(0, 4).join(''),
+        hex.slice(4, 6).join(''),
+        hex.slice(6, 8).join(''),
+        hex.slice(8, 10).join(''),
+        hex.slice(10, 16).join('')
+    ].join('-');
+};
+/**
+ * Returns a stable device identifier for session-based authentication flows.
+ * Uses localStorage to persist a UUID between sessions on the same browser.
+ */ const getOrCreateDeviceId = ()=>{
+    const storageKey = 'strapi.admin.deviceId';
+    const existing = window.localStorage.getItem(storageKey);
+    if (existing) {
+        return existing;
+    }
+    // Use randomUUID in secure contexts, otherwise polyfill
+    const generated = typeof crypto?.randomUUID === 'function' ? crypto.randomUUID() : fallbackUUIDv4();
+    try {
+        window.localStorage.setItem(storageKey, generated);
+    } catch  {
+    // no-op
+    }
+    return generated;
+};
+
+exports.getOrCreateDeviceId = getOrCreateDeviceId;
+//# sourceMappingURL=deviceId.js.map

package/dist/admin/admin/src/utils/deviceId.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deviceId.js","sources":["../../../../../admin/src/utils/deviceId.ts"],"sourcesContent":["const fallbackUUIDv4 = (): string => {\n  const bytes = crypto.getRandomValues(new Uint8Array(16));\n\n  bytes[6] = (bytes[6] & 0x0f) | 0x40;\n  bytes[8] = (bytes[8] & 0x3f) | 0x80;\n\n  const hex = [...bytes].map((b) => b.toString(16).padStart(2, '0'));\n  return [\n    hex.slice(0, 4).join(''),\n    hex.slice(4, 6).join(''),\n    hex.slice(6, 8).join(''),\n    hex.slice(8, 10).join(''),\n    hex.slice(10, 16).join(''),\n  ].join('-');\n};\n\n/**\n * Returns a stable device identifier for session-based authentication flows.\n * Uses localStorage to persist a UUID between sessions on the same browser.\n */\nexport const getOrCreateDeviceId = (): string => {\n  const storageKey = 'strapi.admin.deviceId';\n\n  const existing = window.localStorage.getItem(storageKey);\n  if (existing) {\n    return existing;\n  }\n\n  // Use randomUUID in secure contexts, otherwise polyfill\n  const generated =\n    typeof crypto?.randomUUID === 'function' ? crypto.randomUUID() : fallbackUUIDv4();\n\n  try {\n    window.localStorage.setItem(storageKey, generated);\n  } catch {\n    // no-op\n  }\n\n  return generated;\n};\n"],"names":["fallbackUUIDv4","bytes","crypto","getRandomValues","Uint8Array","hex","map","b","toString","padStart","slice","join","getOrCreateDeviceId","storageKey","existing","window","localStorage","getItem","generated","randomUUID","setItem"],"mappings":";;AAAA,MAAMA,cAAiB,GAAA,IAAA;AACrB,IAAA,MAAMC,KAAQC,GAAAA,MAAAA,CAAOC,eAAe,CAAC,IAAIC,UAAW,CAAA,EAAA,CAAA,CAAA;IAEpDH,KAAK,CAAC,EAAE,GAAIA,KAAK,CAAC,CAAA,CAAE,GAAG,IAAQ,GAAA,IAAA;IAC/BA,KAAK,CAAC,EAAE,GAAIA,KAAK,CAAC,CAAA,CAAE,GAAG,IAAQ,GAAA,IAAA;AAE/B,IAAA,MAAMI,GAAM,GAAA;AAAIJ,QAAAA,GAAAA;KAAM,CAACK,GAAG,CAAC,CAACC,CAAMA,GAAAA,CAAAA,CAAEC,QAAQ,CAAC,EAAA,CAAA,CAAIC,QAAQ,CAAC,CAAG,EAAA,GAAA,CAAA,CAAA;IAC7D,OAAO;AACLJ,QAAAA,GAAAA,CAAIK,KAAK,CAAC,CAAG,EAAA,CAAA,CAAA,CAAGC,IAAI,CAAC,EAAA,CAAA;AACrBN,QAAAA,GAAAA,CAAIK,KAAK,CAAC,CAAG,EAAA,CAAA,CAAA,CAAGC,IAAI,CAAC,EAAA,CAAA;AACrBN,QAAAA,GAAAA,CAAIK,KAAK,CAAC,CAAG,EAAA,CAAA,CAAA,CAAGC,IAAI,CAAC,EAAA,CAAA;AACrBN,QAAAA,GAAAA,CAAIK,KAAK,CAAC,CAAG,EAAA,EAAA,CAAA,CAAIC,IAAI,CAAC,EAAA,CAAA;AACtBN,QAAAA,GAAAA,CAAIK,KAAK,CAAC,EAAI,EAAA,EAAA,CAAA,CAAIC,IAAI,CAAC,EAAA;AACxB,KAAA,CAACA,IAAI,CAAC,GAAA,CAAA;AACT,CAAA;AAEA;;;UAIaC,mBAAsB,GAAA,IAAA;AACjC,IAAA,MAAMC,UAAa,GAAA,uBAAA;AAEnB,IAAA,MAAMC,QAAWC,GAAAA,MAAAA,CAAOC,YAAY,CAACC,OAAO,CAACJ,UAAAA,CAAAA;AAC7C,IAAA,IAAIC,QAAU,EAAA;QACZ,OAAOA,QAAAA;AACT;;AAGA,IAAA,MAAMI,YACJ,OAAOhB,MAAAA,EAAQiB,eAAe,UAAajB,GAAAA,MAAAA,CAAOiB,UAAU,EAAKnB,GAAAA,cAAAA,EAAAA;IAEnE,IAAI;AACFe,QAAAA,MAAAA,CAAOC,YAAY,CAACI,OAAO,CAACP,UAAYK,EAAAA,SAAAA,CAAAA;AAC1C,KAAA,CAAE,OAAM;;AAER;IAEA,OAAOA,SAAAA;AACT;;;;"}

package/dist/admin/admin/src/utils/deviceId.mjs

@@ -0,0 +1,36 @@
+const fallbackUUIDv4 = ()=>{
+    const bytes = crypto.getRandomValues(new Uint8Array(16));
+    bytes[6] = bytes[6] & 0x0f | 0x40;
+    bytes[8] = bytes[8] & 0x3f | 0x80;
+    const hex = [
+        ...bytes
+    ].map((b)=>b.toString(16).padStart(2, '0'));
+    return [
+        hex.slice(0, 4).join(''),
+        hex.slice(4, 6).join(''),
+        hex.slice(6, 8).join(''),
+        hex.slice(8, 10).join(''),
+        hex.slice(10, 16).join('')
+    ].join('-');
+};
+/**
+ * Returns a stable device identifier for session-based authentication flows.
+ * Uses localStorage to persist a UUID between sessions on the same browser.
+ */ const getOrCreateDeviceId = ()=>{
+    const storageKey = 'strapi.admin.deviceId';
+    const existing = window.localStorage.getItem(storageKey);
+    if (existing) {
+        return existing;
+    }
+    // Use randomUUID in secure contexts, otherwise polyfill
+    const generated = typeof crypto?.randomUUID === 'function' ? crypto.randomUUID() : fallbackUUIDv4();
+    try {
+        window.localStorage.setItem(storageKey, generated);
+    } catch  {
+    // no-op
+    }
+    return generated;
+};
+
+export { getOrCreateDeviceId };
+//# sourceMappingURL=deviceId.mjs.map

package/dist/admin/admin/src/utils/deviceId.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"deviceId.mjs","sources":["../../../../../admin/src/utils/deviceId.ts"],"sourcesContent":["const fallbackUUIDv4 = (): string => {\n  const bytes = crypto.getRandomValues(new Uint8Array(16));\n\n  bytes[6] = (bytes[6] & 0x0f) | 0x40;\n  bytes[8] = (bytes[8] & 0x3f) | 0x80;\n\n  const hex = [...bytes].map((b) => b.toString(16).padStart(2, '0'));\n  return [\n    hex.slice(0, 4).join(''),\n    hex.slice(4, 6).join(''),\n    hex.slice(6, 8).join(''),\n    hex.slice(8, 10).join(''),\n    hex.slice(10, 16).join(''),\n  ].join('-');\n};\n\n/**\n * Returns a stable device identifier for session-based authentication flows.\n * Uses localStorage to persist a UUID between sessions on the same browser.\n */\nexport const getOrCreateDeviceId = (): string => {\n  const storageKey = 'strapi.admin.deviceId';\n\n  const existing = window.localStorage.getItem(storageKey);\n  if (existing) {\n    return existing;\n  }\n\n  // Use randomUUID in secure contexts, otherwise polyfill\n  const generated =\n    typeof crypto?.randomUUID === 'function' ? crypto.randomUUID() : fallbackUUIDv4();\n\n  try {\n    window.localStorage.setItem(storageKey, generated);\n  } catch {\n    // no-op\n  }\n\n  return generated;\n};\n"],"names":["fallbackUUIDv4","bytes","crypto","getRandomValues","Uint8Array","hex","map","b","toString","padStart","slice","join","getOrCreateDeviceId","storageKey","existing","window","localStorage","getItem","generated","randomUUID","setItem"],"mappings":"AAAA,MAAMA,cAAiB,GAAA,IAAA;AACrB,IAAA,MAAMC,KAAQC,GAAAA,MAAAA,CAAOC,eAAe,CAAC,IAAIC,UAAW,CAAA,EAAA,CAAA,CAAA;IAEpDH,KAAK,CAAC,EAAE,GAAIA,KAAK,CAAC,CAAA,CAAE,GAAG,IAAQ,GAAA,IAAA;IAC/BA,KAAK,CAAC,EAAE,GAAIA,KAAK,CAAC,CAAA,CAAE,GAAG,IAAQ,GAAA,IAAA;AAE/B,IAAA,MAAMI,GAAM,GAAA;AAAIJ,QAAAA,GAAAA;KAAM,CAACK,GAAG,CAAC,CAACC,CAAMA,GAAAA,CAAAA,CAAEC,QAAQ,CAAC,EAAA,CAAA,CAAIC,QAAQ,CAAC,CAAG,EAAA,GAAA,CAAA,CAAA;IAC7D,OAAO;AACLJ,QAAAA,GAAAA,CAAIK,KAAK,CAAC,CAAG,EAAA,CAAA,CAAA,CAAGC,IAAI,CAAC,EAAA,CAAA;AACrBN,QAAAA,GAAAA,CAAIK,KAAK,CAAC,CAAG,EAAA,CAAA,CAAA,CAAGC,IAAI,CAAC,EAAA,CAAA;AACrBN,QAAAA,GAAAA,CAAIK,KAAK,CAAC,CAAG,EAAA,CAAA,CAAA,CAAGC,IAAI,CAAC,EAAA,CAAA;AACrBN,QAAAA,GAAAA,CAAIK,KAAK,CAAC,CAAG,EAAA,EAAA,CAAA,CAAIC,IAAI,CAAC,EAAA,CAAA;AACtBN,QAAAA,GAAAA,CAAIK,KAAK,CAAC,EAAI,EAAA,EAAA,CAAA,CAAIC,IAAI,CAAC,EAAA;AACxB,KAAA,CAACA,IAAI,CAAC,GAAA,CAAA;AACT,CAAA;AAEA;;;UAIaC,mBAAsB,GAAA,IAAA;AACjC,IAAA,MAAMC,UAAa,GAAA,uBAAA;AAEnB,IAAA,MAAMC,QAAWC,GAAAA,MAAAA,CAAOC,YAAY,CAACC,OAAO,CAACJ,UAAAA,CAAAA;AAC7C,IAAA,IAAIC,QAAU,EAAA;QACZ,OAAOA,QAAAA;AACT;;AAGA,IAAA,MAAMI,YACJ,OAAOhB,MAAAA,EAAQiB,eAAe,UAAajB,GAAAA,MAAAA,CAAOiB,UAAU,EAAKnB,GAAAA,cAAAA,EAAAA;IAEnE,IAAI;AACFe,QAAAA,MAAAA,CAAOC,YAAY,CAACI,OAAO,CAACP,UAAYK,EAAAA,SAAAA,CAAAA;AAC1C,KAAA,CAAE,OAAM;;AAER;IAEA,OAAOA,SAAAA;AACT;;;;"}

package/dist/admin/src/services/auth.d.ts

@@ -11,29 +11,38 @@ declare const useCheckPermissionsQuery: import("@reduxjs/toolkit/dist/query/reac
     permissions: (Pick<import("../../../shared/contracts/shared").Permission, "action" | "subject"> & {
         field?: string | undefined;
     })[];
-}, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", Check.Response, "adminApi">>, useGetMeQuery: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseQuery<import("@reduxjs/toolkit/query").QueryDefinition<void, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", import("..").SanitizedAdminUser, "adminApi">>, useLoginMutation: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseMutation<import("@reduxjs/toolkit/query").MutationDefinition<Pick<import("..").AdminUser, "email" | "password">, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", {
+}, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", Check.Response, "adminApi">>, useGetMeQuery: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseQuery<import("@reduxjs/toolkit/query").QueryDefinition<void, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", import("..").SanitizedAdminUser, "adminApi">>, useLoginMutation: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseMutation<import("@reduxjs/toolkit/query").MutationDefinition<Pick<import("..").AdminUser, "email" | "password"> & {
+    deviceId?: string | undefined;
+    rememberMe?: boolean | undefined;
+}, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", {
     token: string;
+    accessToken?: string | undefined;
     user: Omit<import("..").SanitizedAdminUser, "permissions">;
-}, "adminApi">>, useRenewTokenMutation: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseMutation<import("@reduxjs/toolkit/query").MutationDefinition<{
-    token: string;
-}, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", {
+}, "adminApi">>, useAccessTokenExchangeMutation: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseMutation<import("@reduxjs/toolkit/query").MutationDefinition<{} | undefined, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", {
     token: string;
-}, "adminApi">>, useLogoutMutation: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseMutation<import("@reduxjs/toolkit/query").MutationDefinition<void, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", void, "adminApi">>, useUpdateMeMutation: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseMutation<import("@reduxjs/toolkit/query").MutationDefinition<UpdateMe.BaseRequestBody, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", import("..").SanitizedAdminUser, "adminApi">>, useResetPasswordMutation: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseMutation<import("@reduxjs/toolkit/query").MutationDefinition<{
+}, "adminApi">>, useLogoutMutation: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseMutation<import("@reduxjs/toolkit/query").MutationDefinition<void | {
+    deviceId?: string | undefined;
+}, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", void, "adminApi">>, useUpdateMeMutation: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseMutation<import("@reduxjs/toolkit/query").MutationDefinition<UpdateMe.BaseRequestBody, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", import("..").SanitizedAdminUser, "adminApi">>, useResetPasswordMutation: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseMutation<import("@reduxjs/toolkit/query").MutationDefinition<{
     resetPasswordToken: string;
     password: string;
 }, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", {
     token: string;
     user: Omit<import("..").SanitizedAdminUser, "permissions">;
-}, "adminApi">>, useRegisterAdminMutation: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseMutation<import("@reduxjs/toolkit/query").MutationDefinition<Pick<import("..").AdminUser, "firstname" | "lastname" | "email" | "password">, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", {
-    token: string; /**
-     * Auth methods
-     */
+}, "adminApi">>, useRegisterAdminMutation: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseMutation<import("@reduxjs/toolkit/query").MutationDefinition<Pick<import("..").AdminUser, "firstname" | "lastname" | "email" | "password"> & {
+    deviceId?: string | undefined;
+    rememberMe?: boolean | undefined;
+}, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", {
+    token: string;
+    accessToken?: string | undefined;
     user: Omit<import("..").SanitizedAdminUser, "permissions">;
 }, "adminApi">>, useRegisterUserMutation: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseMutation<import("@reduxjs/toolkit/query").MutationDefinition<{
     registrationToken: string;
     userInfo: Pick<import("..").AdminUser, "firstname" | "lastname" | "email" | "password">;
+    deviceId?: string | undefined;
+    rememberMe?: boolean | undefined;
 }, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", {
     token: string;
+    accessToken?: string | undefined;
     user: Omit<import("..").SanitizedAdminUser, "permissions">;
 }, "adminApi">>, useGetRegistrationInfoQuery: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseQuery<import("@reduxjs/toolkit/query").QueryDefinition<string, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", {
     email?: string | undefined;
@@ -44,4 +53,4 @@ declare const useCheckPermissionsQuery: import("@reduxjs/toolkit/dist/query/reac
 }, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", ForgotPassword.Response, "adminApi">>, useGetMyPermissionsQuery: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseQuery<import("@reduxjs/toolkit/query").QueryDefinition<void, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", import("../../../shared/contracts/shared").Permission[], "adminApi">>, useIsSSOLockedQuery: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseQuery<import("@reduxjs/toolkit/query").QueryDefinition<void, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", {
     isSSOLocked: boolean;
 }, "adminApi">>, useGetProvidersQuery: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseQuery<import("@reduxjs/toolkit/query").QueryDefinition<void, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", GetProviders.Response, "adminApi">>, useGetProviderOptionsQuery: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseQuery<import("@reduxjs/toolkit/query").QueryDefinition<void, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", ProvidersOptions.SSOProviderOptions, "adminApi">>, useUpdateProviderOptionsMutation: import("@reduxjs/toolkit/dist/query/react/buildHooks").UseMutation<import("@reduxjs/toolkit/query").MutationDefinition<ProvidersOptions.SSOProviderOptions, import("@reduxjs/toolkit/query").BaseQueryFn<string | import("..").QueryArguments, unknown, import("..").BaseQueryError>, "GuidedTourMeta" | "HomepageKeyStatistics" | "User" | "Me" | "ProvidersOptions", ProvidersOptions.SSOProviderOptions, "adminApi">>;
-export { useCheckPermissionsQuery, useLazyCheckPermissionsQuery, useGetMeQuery, useLoginMutation, useRenewTokenMutation, useLogoutMutation, useUpdateMeMutation, useResetPasswordMutation, useRegisterAdminMutation, useRegisterUserMutation, useGetRegistrationInfoQuery, useForgotPasswordMutation, useGetMyPermissionsQuery, useIsSSOLockedQuery, useGetProvidersQuery, useGetProviderOptionsQuery, useUpdateProviderOptionsMutation, };
+export { useCheckPermissionsQuery, useLazyCheckPermissionsQuery, useGetMeQuery, useLoginMutation, useAccessTokenExchangeMutation, useLogoutMutation, useUpdateMeMutation, useResetPasswordMutation, useRegisterAdminMutation, useRegisterUserMutation, useGetRegistrationInfoQuery, useForgotPasswordMutation, useGetMyPermissionsQuery, useIsSSOLockedQuery, useGetProvidersQuery, useGetProviderOptionsQuery, useUpdateProviderOptionsMutation, };

package/dist/admin/src/utils/deviceId.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Returns a stable device identifier for session-based authentication flows.
+ * Uses localStorage to persist a UUID between sessions on the same browser.
+ */
+export declare const getOrCreateDeviceId: () => string;

package/dist/ee/server/src/controllers/authentication-utils/middlewares.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middlewares.d.ts","sourceRoot":"","sources":["../../../../../../ee/server/src/controllers/authentication-utils/middlewares.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAO1C,eAAO,MAAM,YAAY,EAAE,IAAI,CAAC,iBA0B/B,CAAC;AA4DF,eAAO,MAAM,gBAAgB,EAAE,IAAI,CAAC,iBAmBnC,CAAC;;;;;AAEF,wBAGE"}
+{"version":3,"file":"middlewares.d.ts","sourceRoot":"","sources":["../../../../../../ee/server/src/controllers/authentication-utils/middlewares.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAa1C,eAAO,MAAM,YAAY,EAAE,IAAI,CAAC,iBA0B/B,CAAC;AA4DF,eAAO,MAAM,gBAAgB,EAAE,IAAI,CAAC,iBAuDnC,CAAC;;;;;AAEF,wBAGE"}

package/dist/ee/server/src/services/user.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../../../../ee/server/src/services/user.ts"],"names":[],"mappings":";;;;;;;;AAkOA,wBAOE"}
+{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../../../../ee/server/src/services/user.ts"],"names":[],"mappings":";;;;;;;;AAmPA,wBAOE"}

package/dist/server/ee/server/src/controllers/authentication-utils/middlewares.js

@@ -5,6 +5,7 @@ Object.defineProperty(exports, '__esModule', { value: true });
 var passport = require('koa-passport');
 var index = require('../../utils/index.js');
 var utils = require('./utils.js');
+var sessionAuth = require('../../../../../shared/utils/session-auth.js');
 
 const defaultConnectionError = ()=>new Error('Invalid connection payload');
 const authenticate = async (ctx, next)=>{
@@ -84,26 +85,51 @@ const nonExistingUserScenario = (ctx, next)=>async (profile, provider)=>{
         });
         return next();
     };
-const redirectWithAuth = (ctx)=>{
+const redirectWithAuth = async (ctx)=>{
     const { params: { provider } } = ctx;
     const redirectUrls = utils.default.getPrefixedRedirectUrls();
-    const domain = strapi.config.get('admin.auth.domain');
     const { user } = ctx.state;
-    const jwt = index.getService('token').createJwtToken(user);
-    const isProduction = strapi.config.get('environment') === 'production';
-    const cookiesOptions = {
-        httpOnly: false,
-        secure: isProduction,
-        overwrite: true,
-        domain
-    };
-    const sanitizedUser = index.getService('user').sanitizeUser(user);
-    strapi.eventHub.emit('admin.auth.success', {
-        user: sanitizedUser,
-        provider
-    });
-    ctx.cookies.set('jwtToken', jwt, cookiesOptions);
-    ctx.redirect(redirectUrls.success);
+    try {
+        const sessionManager = sessionAuth.getSessionManager();
+        if (!sessionManager) {
+            strapi.log.error('SessionManager not available for SSO authentication');
+            return ctx.redirect(redirectUrls.error);
+        }
+        const userId = String(user.id);
+        const deviceId = sessionAuth.generateDeviceId();
+        const { token: refreshToken, absoluteExpiresAt } = await sessionManager('admin').generateRefreshToken(userId, deviceId, {
+            type: 'refresh'
+        });
+        const cookieOptions = sessionAuth.buildCookieOptionsWithExpiry('refresh', absoluteExpiresAt);
+        ctx.cookies.set(sessionAuth.REFRESH_COOKIE_NAME, refreshToken, cookieOptions);
+        const accessResult = await sessionManager('admin').generateAccessToken(refreshToken);
+        if ('error' in accessResult) {
+            strapi.log.error('Failed to generate access token for SSO user');
+            return ctx.redirect(redirectUrls.error);
+        }
+        const { token: accessToken } = accessResult;
+        const isProduction = strapi.config.get('environment') === 'production';
+        const domain = strapi.config.get('admin.auth.domain');
+        ctx.cookies.set('jwtToken', accessToken, {
+            httpOnly: false,
+            secure: isProduction,
+            overwrite: true,
+            domain
+        });
+        const sanitizedUser = index.getService('user').sanitizeUser(user);
+        strapi.eventHub.emit('admin.auth.success', {
+            user: sanitizedUser,
+            provider
+        });
+        ctx.redirect(redirectUrls.success);
+    } catch (error) {
+        strapi.log.error('SSO authentication failed during token generation', error);
+        strapi.eventHub.emit('admin.auth.error', {
+            error: error instanceof Error ? error : new Error('Unknown SSO error'),
+            provider
+        });
+        return ctx.redirect(redirectUrls.error);
+    }
 };
 var middlewares = {
     authenticate,

package/dist/server/ee/server/src/controllers/authentication-utils/middlewares.js.map

@@ -1 +1 @@
-{"version":3,"file":"middlewares.js","sources":["../../../../../../../ee/server/src/controllers/authentication-utils/middlewares.ts"],"sourcesContent":["import type { Core } from '@strapi/types';\nimport passport from 'koa-passport';\nimport { getService } from '../../utils';\nimport utils from './utils';\n\nconst defaultConnectionError = () => new Error('Invalid connection payload');\n\nexport const authenticate: Core.MiddlewareHandler = async (ctx, next) => {\n  const {\n    params: { provider },\n  } = ctx;\n  const redirectUrls = utils.getPrefixedRedirectUrls();\n\n  // @ts-expect-error - can not use null to authenticate\n  return passport.authenticate(provider, null, async (error, profile) => {\n    if (error || !profile || !profile.email) {\n      if (error) {\n        strapi.log.error(error);\n      }\n\n      strapi.eventHub.emit('admin.auth.error', {\n        error: error || defaultConnectionError(),\n        provider,\n      });\n\n      return ctx.redirect(redirectUrls.error);\n    }\n\n    const user = await getService('user').findOneByEmail(profile.email);\n    const scenario = user ? existingUserScenario : nonExistingUserScenario;\n\n    return scenario(ctx, next)(user || profile, provider);\n  })(ctx, next);\n};\n\nconst existingUserScenario: Core.MiddlewareHandler =\n  (ctx, next) => async (user: any, provider: any) => {\n    const redirectUrls = utils.getPrefixedRedirectUrls();\n\n    if (!user.isActive) {\n      strapi.eventHub.emit('admin.auth.error', {\n        error: new Error(`Deactivated user tried to login (${user.id})`),\n        provider,\n      });\n      return ctx.redirect(redirectUrls.error);\n    }\n\n    ctx.state.user = user;\n    return next();\n  };\n\nconst nonExistingUserScenario: Core.MiddlewareHandler =\n  (ctx, next) => async (profile: any, provider: any) => {\n    const { email, firstname, lastname, username } = profile;\n    const redirectUrls = utils.getPrefixedRedirectUrls();\n    const adminStore = await utils.getAdminStore();\n    const { providers } = (await adminStore.get({ key: 'auth' })) as any;\n\n    // We need at least the username or the firstname/lastname combination to register a new user\n    const isMissingRegisterFields = !username && (!firstname || !lastname);\n\n    if (!providers.autoRegister || !providers.defaultRole || isMissingRegisterFields) {\n      strapi.eventHub.emit('admin.auth.error', { error: defaultConnectionError(), provider });\n      return ctx.redirect(redirectUrls.error);\n    }\n\n    const defaultRole = await getService('role').findOne({ id: providers.defaultRole });\n\n    // If the default role has been misconfigured, redirect with an error\n    if (!defaultRole) {\n      strapi.eventHub.emit('admin.auth.error', { error: defaultConnectionError(), provider });\n      return ctx.redirect(redirectUrls.error);\n    }\n\n    // Register a new user with the information given by the provider and login with it\n    ctx.state.user = await getService('user').create({\n      email,\n      username,\n      firstname,\n      lastname,\n      roles: [defaultRole.id],\n      isActive: true,\n      registrationToken: null,\n    });\n\n    strapi.eventHub.emit('admin.auth.autoRegistration', {\n      user: ctx.state.user,\n      provider,\n    });\n\n    return next();\n  };\n\nexport const redirectWithAuth: Core.MiddlewareHandler = (ctx) => {\n  const {\n    params: { provider },\n  } = ctx;\n  const redirectUrls = utils.getPrefixedRedirectUrls();\n  const domain: string | undefined = strapi.config.get('admin.auth.domain');\n  const { user } = ctx.state;\n\n  const jwt = getService('token').createJwtToken(user);\n\n  const isProduction = strapi.config.get('environment') === 'production';\n\n  const cookiesOptions = { httpOnly: false, secure: isProduction, overwrite: true, domain };\n\n  const sanitizedUser = getService('user').sanitizeUser(user);\n  strapi.eventHub.emit('admin.auth.success', { user: sanitizedUser, provider });\n\n  ctx.cookies.set('jwtToken', jwt, cookiesOptions);\n  ctx.redirect(redirectUrls.success);\n};\n\nexport default {\n  authenticate,\n  redirectWithAuth,\n};\n"],"names":["defaultConnectionError","Error","authenticate","ctx","next","params","provider","redirectUrls","utils","getPrefixedRedirectUrls","passport","error","profile","email","strapi","log","eventHub","emit","redirect","user","getService","findOneByEmail","scenario","existingUserScenario","nonExistingUserScenario","isActive","id","state","firstname","lastname","username","adminStore","getAdminStore","providers","get","key","isMissingRegisterFields","autoRegister","defaultRole","findOne","create","roles","registrationToken","redirectWithAuth","domain","config","jwt","createJwtToken","isProduction","cookiesOptions","httpOnly","secure","overwrite","sanitizedUser","sanitizeUser","cookies","set","success"],"mappings":";;;;;;;;AAKA,MAAMA,sBAAAA,GAAyB,IAAM,IAAIC,KAAM,CAAA,4BAAA,CAAA;AAExC,MAAMC,YAAuC,GAAA,OAAOC,GAAKC,EAAAA,IAAAA,GAAAA;AAC9D,IAAA,MAAM,EACJC,MAAQ,EAAA,EAAEC,QAAQ,EAAE,EACrB,GAAGH,GAAAA;IACJ,MAAMI,YAAAA,GAAeC,cAAMC,uBAAuB,EAAA;;AAGlD,IAAA,OAAOC,SAASR,YAAY,CAACI,QAAU,EAAA,IAAA,EAAM,OAAOK,KAAOC,EAAAA,OAAAA,GAAAA;AACzD,QAAA,IAAID,SAAS,CAACC,OAAAA,IAAW,CAACA,OAAAA,CAAQC,KAAK,EAAE;AACvC,YAAA,IAAIF,KAAO,EAAA;gBACTG,MAAOC,CAAAA,GAAG,CAACJ,KAAK,CAACA,KAAAA,CAAAA;AACnB;AAEAG,YAAAA,MAAAA,CAAOE,QAAQ,CAACC,IAAI,CAAC,kBAAoB,EAAA;AACvCN,gBAAAA,KAAAA,EAAOA,KAASX,IAAAA,sBAAAA,EAAAA;AAChBM,gBAAAA;AACF,aAAA,CAAA;AAEA,YAAA,OAAOH,GAAIe,CAAAA,QAAQ,CAACX,YAAAA,CAAaI,KAAK,CAAA;AACxC;AAEA,QAAA,MAAMQ,OAAO,MAAMC,gBAAAA,CAAW,QAAQC,cAAc,CAACT,QAAQC,KAAK,CAAA;QAClE,MAAMS,QAAAA,GAAWH,OAAOI,oBAAuBC,GAAAA,uBAAAA;AAE/C,QAAA,OAAOF,QAASnB,CAAAA,GAAAA,EAAKC,IAAMe,CAAAA,CAAAA,IAAAA,IAAQP,OAASN,EAAAA,QAAAA,CAAAA;AAC9C,KAAA,CAAA,CAAGH,GAAKC,EAAAA,IAAAA,CAAAA;AACV;AAEA,MAAMmB,oBACJ,GAAA,CAACpB,GAAKC,EAAAA,IAAAA,GAAS,OAAOe,IAAWb,EAAAA,QAAAA,GAAAA;QAC/B,MAAMC,YAAAA,GAAeC,cAAMC,uBAAuB,EAAA;QAElD,IAAI,CAACU,IAAKM,CAAAA,QAAQ,EAAE;AAClBX,YAAAA,MAAAA,CAAOE,QAAQ,CAACC,IAAI,CAAC,kBAAoB,EAAA;gBACvCN,KAAO,EAAA,IAAIV,MAAM,CAAC,iCAAiC,EAAEkB,IAAKO,CAAAA,EAAE,CAAC,CAAC,CAAC,CAAA;AAC/DpB,gBAAAA;AACF,aAAA,CAAA;AACA,YAAA,OAAOH,GAAIe,CAAAA,QAAQ,CAACX,YAAAA,CAAaI,KAAK,CAAA;AACxC;QAEAR,GAAIwB,CAAAA,KAAK,CAACR,IAAI,GAAGA,IAAAA;QACjB,OAAOf,IAAAA,EAAAA;AACT,KAAA;AAEF,MAAMoB,uBACJ,GAAA,CAACrB,GAAKC,EAAAA,IAAAA,GAAS,OAAOQ,OAAcN,EAAAA,QAAAA,GAAAA;QAClC,MAAM,EAAEO,KAAK,EAAEe,SAAS,EAAEC,QAAQ,EAAEC,QAAQ,EAAE,GAAGlB,OAAAA;QACjD,MAAML,YAAAA,GAAeC,cAAMC,uBAAuB,EAAA;QAClD,MAAMsB,UAAAA,GAAa,MAAMvB,aAAAA,CAAMwB,aAAa,EAAA;AAC5C,QAAA,MAAM,EAAEC,SAAS,EAAE,GAAI,MAAMF,UAAAA,CAAWG,GAAG,CAAC;YAAEC,GAAK,EAAA;AAAO,SAAA,CAAA;;AAG1D,QAAA,MAAMC,0BAA0B,CAACN,QAAAA,KAAa,CAACF,SAAAA,IAAa,CAACC,QAAO,CAAA;QAEpE,IAAI,CAACI,UAAUI,YAAY,IAAI,CAACJ,SAAUK,CAAAA,WAAW,IAAIF,uBAAyB,EAAA;AAChFtB,YAAAA,MAAAA,CAAOE,QAAQ,CAACC,IAAI,CAAC,kBAAoB,EAAA;gBAAEN,KAAOX,EAAAA,sBAAAA,EAAAA;AAA0BM,gBAAAA;AAAS,aAAA,CAAA;AACrF,YAAA,OAAOH,GAAIe,CAAAA,QAAQ,CAACX,YAAAA,CAAaI,KAAK,CAAA;AACxC;AAEA,QAAA,MAAM2B,WAAc,GAAA,MAAMlB,gBAAW,CAAA,MAAA,CAAA,CAAQmB,OAAO,CAAC;AAAEb,YAAAA,EAAAA,EAAIO,UAAUK;AAAY,SAAA,CAAA;;AAGjF,QAAA,IAAI,CAACA,WAAa,EAAA;AAChBxB,YAAAA,MAAAA,CAAOE,QAAQ,CAACC,IAAI,CAAC,kBAAoB,EAAA;gBAAEN,KAAOX,EAAAA,sBAAAA,EAAAA;AAA0BM,gBAAAA;AAAS,aAAA,CAAA;AACrF,YAAA,OAAOH,GAAIe,CAAAA,QAAQ,CAACX,YAAAA,CAAaI,KAAK,CAAA;AACxC;;QAGAR,GAAIwB,CAAAA,KAAK,CAACR,IAAI,GAAG,MAAMC,gBAAW,CAAA,MAAA,CAAA,CAAQoB,MAAM,CAAC;AAC/C3B,YAAAA,KAAAA;AACAiB,YAAAA,QAAAA;AACAF,YAAAA,SAAAA;AACAC,YAAAA,QAAAA;YACAY,KAAO,EAAA;AAACH,gBAAAA,WAAAA,CAAYZ;AAAG,aAAA;YACvBD,QAAU,EAAA,IAAA;YACViB,iBAAmB,EAAA;AACrB,SAAA,CAAA;AAEA5B,QAAAA,MAAAA,CAAOE,QAAQ,CAACC,IAAI,CAAC,6BAA+B,EAAA;YAClDE,IAAMhB,EAAAA,GAAAA,CAAIwB,KAAK,CAACR,IAAI;AACpBb,YAAAA;AACF,SAAA,CAAA;QAEA,OAAOF,IAAAA,EAAAA;AACT,KAAA;AAEK,MAAMuC,mBAA2C,CAACxC,GAAAA,GAAAA;AACvD,IAAA,MAAM,EACJE,MAAQ,EAAA,EAAEC,QAAQ,EAAE,EACrB,GAAGH,GAAAA;IACJ,MAAMI,YAAAA,GAAeC,cAAMC,uBAAuB,EAAA;AAClD,IAAA,MAAMmC,MAA6B9B,GAAAA,MAAAA,CAAO+B,MAAM,CAACX,GAAG,CAAC,mBAAA,CAAA;AACrD,IAAA,MAAM,EAAEf,IAAI,EAAE,GAAGhB,IAAIwB,KAAK;AAE1B,IAAA,MAAMmB,GAAM1B,GAAAA,gBAAAA,CAAW,OAAS2B,CAAAA,CAAAA,cAAc,CAAC5B,IAAAA,CAAAA;AAE/C,IAAA,MAAM6B,eAAelC,MAAO+B,CAAAA,MAAM,CAACX,GAAG,CAAC,aAAmB,CAAA,KAAA,YAAA;AAE1D,IAAA,MAAMe,cAAiB,GAAA;QAAEC,QAAU,EAAA,KAAA;QAAOC,MAAQH,EAAAA,YAAAA;QAAcI,SAAW,EAAA,IAAA;AAAMR,QAAAA;AAAO,KAAA;AAExF,IAAA,MAAMS,aAAgBjC,GAAAA,gBAAAA,CAAW,MAAQkC,CAAAA,CAAAA,YAAY,CAACnC,IAAAA,CAAAA;AACtDL,IAAAA,MAAAA,CAAOE,QAAQ,CAACC,IAAI,CAAC,oBAAsB,EAAA;QAAEE,IAAMkC,EAAAA,aAAAA;AAAe/C,QAAAA;AAAS,KAAA,CAAA;AAE3EH,IAAAA,GAAAA,CAAIoD,OAAO,CAACC,GAAG,CAAC,YAAYV,GAAKG,EAAAA,cAAAA,CAAAA;IACjC9C,GAAIe,CAAAA,QAAQ,CAACX,YAAAA,CAAakD,OAAO,CAAA;AACnC;AAEA,kBAAe;AACbvD,IAAAA,YAAAA;AACAyC,IAAAA;AACF,CAAE;;;;;;"}
+{"version":3,"file":"middlewares.js","sources":["../../../../../../../ee/server/src/controllers/authentication-utils/middlewares.ts"],"sourcesContent":["import type { Core } from '@strapi/types';\nimport passport from 'koa-passport';\nimport { getService } from '../../utils';\nimport utils from './utils';\nimport {\n  REFRESH_COOKIE_NAME,\n  buildCookieOptionsWithExpiry,\n  getSessionManager,\n  generateDeviceId,\n} from '../../../../../shared/utils/session-auth';\n\nconst defaultConnectionError = () => new Error('Invalid connection payload');\n\nexport const authenticate: Core.MiddlewareHandler = async (ctx, next) => {\n  const {\n    params: { provider },\n  } = ctx;\n  const redirectUrls = utils.getPrefixedRedirectUrls();\n\n  // @ts-expect-error - can not use null to authenticate\n  return passport.authenticate(provider, null, async (error, profile) => {\n    if (error || !profile || !profile.email) {\n      if (error) {\n        strapi.log.error(error);\n      }\n\n      strapi.eventHub.emit('admin.auth.error', {\n        error: error || defaultConnectionError(),\n        provider,\n      });\n\n      return ctx.redirect(redirectUrls.error);\n    }\n\n    const user = await getService('user').findOneByEmail(profile.email);\n    const scenario = user ? existingUserScenario : nonExistingUserScenario;\n\n    return scenario(ctx, next)(user || profile, provider);\n  })(ctx, next);\n};\n\nconst existingUserScenario: Core.MiddlewareHandler =\n  (ctx, next) => async (user: any, provider: any) => {\n    const redirectUrls = utils.getPrefixedRedirectUrls();\n\n    if (!user.isActive) {\n      strapi.eventHub.emit('admin.auth.error', {\n        error: new Error(`Deactivated user tried to login (${user.id})`),\n        provider,\n      });\n      return ctx.redirect(redirectUrls.error);\n    }\n\n    ctx.state.user = user;\n    return next();\n  };\n\nconst nonExistingUserScenario: Core.MiddlewareHandler =\n  (ctx, next) => async (profile: any, provider: any) => {\n    const { email, firstname, lastname, username } = profile;\n    const redirectUrls = utils.getPrefixedRedirectUrls();\n    const adminStore = await utils.getAdminStore();\n    const { providers } = (await adminStore.get({ key: 'auth' })) as any;\n\n    // We need at least the username or the firstname/lastname combination to register a new user\n    const isMissingRegisterFields = !username && (!firstname || !lastname);\n\n    if (!providers.autoRegister || !providers.defaultRole || isMissingRegisterFields) {\n      strapi.eventHub.emit('admin.auth.error', { error: defaultConnectionError(), provider });\n      return ctx.redirect(redirectUrls.error);\n    }\n\n    const defaultRole = await getService('role').findOne({ id: providers.defaultRole });\n\n    // If the default role has been misconfigured, redirect with an error\n    if (!defaultRole) {\n      strapi.eventHub.emit('admin.auth.error', { error: defaultConnectionError(), provider });\n      return ctx.redirect(redirectUrls.error);\n    }\n\n    // Register a new user with the information given by the provider and login with it\n    ctx.state.user = await getService('user').create({\n      email,\n      username,\n      firstname,\n      lastname,\n      roles: [defaultRole.id],\n      isActive: true,\n      registrationToken: null,\n    });\n\n    strapi.eventHub.emit('admin.auth.autoRegistration', {\n      user: ctx.state.user,\n      provider,\n    });\n\n    return next();\n  };\n\nexport const redirectWithAuth: Core.MiddlewareHandler = async (ctx) => {\n  const {\n    params: { provider },\n  } = ctx;\n  const redirectUrls = utils.getPrefixedRedirectUrls();\n  const { user } = ctx.state;\n\n  try {\n    const sessionManager = getSessionManager();\n    if (!sessionManager) {\n      strapi.log.error('SessionManager not available for SSO authentication');\n      return ctx.redirect(redirectUrls.error);\n    }\n\n    const userId = String(user.id);\n    const deviceId = generateDeviceId();\n\n    const { token: refreshToken, absoluteExpiresAt } = await sessionManager(\n      'admin'\n    ).generateRefreshToken(userId, deviceId, {\n      type: 'refresh',\n    });\n\n    const cookieOptions = buildCookieOptionsWithExpiry('refresh', absoluteExpiresAt);\n    ctx.cookies.set(REFRESH_COOKIE_NAME, refreshToken, cookieOptions);\n\n    const accessResult = await sessionManager('admin').generateAccessToken(refreshToken);\n    if ('error' in accessResult) {\n      strapi.log.error('Failed to generate access token for SSO user');\n      return ctx.redirect(redirectUrls.error);\n    }\n\n    const { token: accessToken } = accessResult;\n\n    const isProduction = strapi.config.get('environment') === 'production';\n    const domain: string | undefined = strapi.config.get('admin.auth.domain');\n    ctx.cookies.set('jwtToken', accessToken, {\n      httpOnly: false,\n      secure: isProduction,\n      overwrite: true,\n      domain,\n    });\n\n    const sanitizedUser = getService('user').sanitizeUser(user);\n    strapi.eventHub.emit('admin.auth.success', { user: sanitizedUser, provider });\n\n    ctx.redirect(redirectUrls.success);\n  } catch (error) {\n    strapi.log.error('SSO authentication failed during token generation', error);\n    strapi.eventHub.emit('admin.auth.error', {\n      error: error instanceof Error ? error : new Error('Unknown SSO error'),\n      provider,\n    });\n    return ctx.redirect(redirectUrls.error);\n  }\n};\n\nexport default {\n  authenticate,\n  redirectWithAuth,\n};\n"],"names":["defaultConnectionError","Error","authenticate","ctx","next","params","provider","redirectUrls","utils","getPrefixedRedirectUrls","passport","error","profile","email","strapi","log","eventHub","emit","redirect","user","getService","findOneByEmail","scenario","existingUserScenario","nonExistingUserScenario","isActive","id","state","firstname","lastname","username","adminStore","getAdminStore","providers","get","key","isMissingRegisterFields","autoRegister","defaultRole","findOne","create","roles","registrationToken","redirectWithAuth","sessionManager","getSessionManager","userId","String","deviceId","generateDeviceId","token","refreshToken","absoluteExpiresAt","generateRefreshToken","type","cookieOptions","buildCookieOptionsWithExpiry","cookies","set","REFRESH_COOKIE_NAME","accessResult","generateAccessToken","accessToken","isProduction","config","domain","httpOnly","secure","overwrite","sanitizedUser","sanitizeUser","success"],"mappings":";;;;;;;;;AAWA,MAAMA,sBAAAA,GAAyB,IAAM,IAAIC,KAAM,CAAA,4BAAA,CAAA;AAExC,MAAMC,YAAuC,GAAA,OAAOC,GAAKC,EAAAA,IAAAA,GAAAA;AAC9D,IAAA,MAAM,EACJC,MAAQ,EAAA,EAAEC,QAAQ,EAAE,EACrB,GAAGH,GAAAA;IACJ,MAAMI,YAAAA,GAAeC,cAAMC,uBAAuB,EAAA;;AAGlD,IAAA,OAAOC,SAASR,YAAY,CAACI,QAAU,EAAA,IAAA,EAAM,OAAOK,KAAOC,EAAAA,OAAAA,GAAAA;AACzD,QAAA,IAAID,SAAS,CAACC,OAAAA,IAAW,CAACA,OAAAA,CAAQC,KAAK,EAAE;AACvC,YAAA,IAAIF,KAAO,EAAA;gBACTG,MAAOC,CAAAA,GAAG,CAACJ,KAAK,CAACA,KAAAA,CAAAA;AACnB;AAEAG,YAAAA,MAAAA,CAAOE,QAAQ,CAACC,IAAI,CAAC,kBAAoB,EAAA;AACvCN,gBAAAA,KAAAA,EAAOA,KAASX,IAAAA,sBAAAA,EAAAA;AAChBM,gBAAAA;AACF,aAAA,CAAA;AAEA,YAAA,OAAOH,GAAIe,CAAAA,QAAQ,CAACX,YAAAA,CAAaI,KAAK,CAAA;AACxC;AAEA,QAAA,MAAMQ,OAAO,MAAMC,gBAAAA,CAAW,QAAQC,cAAc,CAACT,QAAQC,KAAK,CAAA;QAClE,MAAMS,QAAAA,GAAWH,OAAOI,oBAAuBC,GAAAA,uBAAAA;AAE/C,QAAA,OAAOF,QAASnB,CAAAA,GAAAA,EAAKC,IAAMe,CAAAA,CAAAA,IAAAA,IAAQP,OAASN,EAAAA,QAAAA,CAAAA;AAC9C,KAAA,CAAA,CAAGH,GAAKC,EAAAA,IAAAA,CAAAA;AACV;AAEA,MAAMmB,oBACJ,GAAA,CAACpB,GAAKC,EAAAA,IAAAA,GAAS,OAAOe,IAAWb,EAAAA,QAAAA,GAAAA;QAC/B,MAAMC,YAAAA,GAAeC,cAAMC,uBAAuB,EAAA;QAElD,IAAI,CAACU,IAAKM,CAAAA,QAAQ,EAAE;AAClBX,YAAAA,MAAAA,CAAOE,QAAQ,CAACC,IAAI,CAAC,kBAAoB,EAAA;gBACvCN,KAAO,EAAA,IAAIV,MAAM,CAAC,iCAAiC,EAAEkB,IAAKO,CAAAA,EAAE,CAAC,CAAC,CAAC,CAAA;AAC/DpB,gBAAAA;AACF,aAAA,CAAA;AACA,YAAA,OAAOH,GAAIe,CAAAA,QAAQ,CAACX,YAAAA,CAAaI,KAAK,CAAA;AACxC;QAEAR,GAAIwB,CAAAA,KAAK,CAACR,IAAI,GAAGA,IAAAA;QACjB,OAAOf,IAAAA,EAAAA;AACT,KAAA;AAEF,MAAMoB,uBACJ,GAAA,CAACrB,GAAKC,EAAAA,IAAAA,GAAS,OAAOQ,OAAcN,EAAAA,QAAAA,GAAAA;QAClC,MAAM,EAAEO,KAAK,EAAEe,SAAS,EAAEC,QAAQ,EAAEC,QAAQ,EAAE,GAAGlB,OAAAA;QACjD,MAAML,YAAAA,GAAeC,cAAMC,uBAAuB,EAAA;QAClD,MAAMsB,UAAAA,GAAa,MAAMvB,aAAAA,CAAMwB,aAAa,EAAA;AAC5C,QAAA,MAAM,EAAEC,SAAS,EAAE,GAAI,MAAMF,UAAAA,CAAWG,GAAG,CAAC;YAAEC,GAAK,EAAA;AAAO,SAAA,CAAA;;AAG1D,QAAA,MAAMC,0BAA0B,CAACN,QAAAA,KAAa,CAACF,SAAAA,IAAa,CAACC,QAAO,CAAA;QAEpE,IAAI,CAACI,UAAUI,YAAY,IAAI,CAACJ,SAAUK,CAAAA,WAAW,IAAIF,uBAAyB,EAAA;AAChFtB,YAAAA,MAAAA,CAAOE,QAAQ,CAACC,IAAI,CAAC,kBAAoB,EAAA;gBAAEN,KAAOX,EAAAA,sBAAAA,EAAAA;AAA0BM,gBAAAA;AAAS,aAAA,CAAA;AACrF,YAAA,OAAOH,GAAIe,CAAAA,QAAQ,CAACX,YAAAA,CAAaI,KAAK,CAAA;AACxC;AAEA,QAAA,MAAM2B,WAAc,GAAA,MAAMlB,gBAAW,CAAA,MAAA,CAAA,CAAQmB,OAAO,CAAC;AAAEb,YAAAA,EAAAA,EAAIO,UAAUK;AAAY,SAAA,CAAA;;AAGjF,QAAA,IAAI,CAACA,WAAa,EAAA;AAChBxB,YAAAA,MAAAA,CAAOE,QAAQ,CAACC,IAAI,CAAC,kBAAoB,EAAA;gBAAEN,KAAOX,EAAAA,sBAAAA,EAAAA;AAA0BM,gBAAAA;AAAS,aAAA,CAAA;AACrF,YAAA,OAAOH,GAAIe,CAAAA,QAAQ,CAACX,YAAAA,CAAaI,KAAK,CAAA;AACxC;;QAGAR,GAAIwB,CAAAA,KAAK,CAACR,IAAI,GAAG,MAAMC,gBAAW,CAAA,MAAA,CAAA,CAAQoB,MAAM,CAAC;AAC/C3B,YAAAA,KAAAA;AACAiB,YAAAA,QAAAA;AACAF,YAAAA,SAAAA;AACAC,YAAAA,QAAAA;YACAY,KAAO,EAAA;AAACH,gBAAAA,WAAAA,CAAYZ;AAAG,aAAA;YACvBD,QAAU,EAAA,IAAA;YACViB,iBAAmB,EAAA;AACrB,SAAA,CAAA;AAEA5B,QAAAA,MAAAA,CAAOE,QAAQ,CAACC,IAAI,CAAC,6BAA+B,EAAA;YAClDE,IAAMhB,EAAAA,GAAAA,CAAIwB,KAAK,CAACR,IAAI;AACpBb,YAAAA;AACF,SAAA,CAAA;QAEA,OAAOF,IAAAA,EAAAA;AACT,KAAA;AAEK,MAAMuC,mBAA2C,OAAOxC,GAAAA,GAAAA;AAC7D,IAAA,MAAM,EACJE,MAAQ,EAAA,EAAEC,QAAQ,EAAE,EACrB,GAAGH,GAAAA;IACJ,MAAMI,YAAAA,GAAeC,cAAMC,uBAAuB,EAAA;AAClD,IAAA,MAAM,EAAEU,IAAI,EAAE,GAAGhB,IAAIwB,KAAK;IAE1B,IAAI;AACF,QAAA,MAAMiB,cAAiBC,GAAAA,6BAAAA,EAAAA;AACvB,QAAA,IAAI,CAACD,cAAgB,EAAA;YACnB9B,MAAOC,CAAAA,GAAG,CAACJ,KAAK,CAAC,qDAAA,CAAA;AACjB,YAAA,OAAOR,GAAIe,CAAAA,QAAQ,CAACX,YAAAA,CAAaI,KAAK,CAAA;AACxC;QAEA,MAAMmC,MAAAA,GAASC,MAAO5B,CAAAA,IAAAA,CAAKO,EAAE,CAAA;AAC7B,QAAA,MAAMsB,QAAWC,GAAAA,4BAAAA,EAAAA;AAEjB,QAAA,MAAM,EAAEC,KAAAA,EAAOC,YAAY,EAAEC,iBAAiB,EAAE,GAAG,MAAMR,cACvD,CAAA,OAAA,CAAA,CACAS,oBAAoB,CAACP,QAAQE,QAAU,EAAA;YACvCM,IAAM,EAAA;AACR,SAAA,CAAA;QAEA,MAAMC,aAAAA,GAAgBC,yCAA6B,SAAWJ,EAAAA,iBAAAA,CAAAA;AAC9DjD,QAAAA,GAAAA,CAAIsD,OAAO,CAACC,GAAG,CAACC,iCAAqBR,YAAcI,EAAAA,aAAAA,CAAAA;AAEnD,QAAA,MAAMK,YAAe,GAAA,MAAMhB,cAAe,CAAA,OAAA,CAAA,CAASiB,mBAAmB,CAACV,YAAAA,CAAAA;AACvE,QAAA,IAAI,WAAWS,YAAc,EAAA;YAC3B9C,MAAOC,CAAAA,GAAG,CAACJ,KAAK,CAAC,8CAAA,CAAA;AACjB,YAAA,OAAOR,GAAIe,CAAAA,QAAQ,CAACX,YAAAA,CAAaI,KAAK,CAAA;AACxC;AAEA,QAAA,MAAM,EAAEuC,KAAAA,EAAOY,WAAW,EAAE,GAAGF,YAAAA;AAE/B,QAAA,MAAMG,eAAejD,MAAOkD,CAAAA,MAAM,CAAC9B,GAAG,CAAC,aAAmB,CAAA,KAAA,YAAA;AAC1D,QAAA,MAAM+B,MAA6BnD,GAAAA,MAAAA,CAAOkD,MAAM,CAAC9B,GAAG,CAAC,mBAAA,CAAA;AACrD/B,QAAAA,GAAAA,CAAIsD,OAAO,CAACC,GAAG,CAAC,YAAYI,WAAa,EAAA;YACvCI,QAAU,EAAA,KAAA;YACVC,MAAQJ,EAAAA,YAAAA;YACRK,SAAW,EAAA,IAAA;AACXH,YAAAA;AACF,SAAA,CAAA;AAEA,QAAA,MAAMI,aAAgBjD,GAAAA,gBAAAA,CAAW,MAAQkD,CAAAA,CAAAA,YAAY,CAACnD,IAAAA,CAAAA;AACtDL,QAAAA,MAAAA,CAAOE,QAAQ,CAACC,IAAI,CAAC,oBAAsB,EAAA;YAAEE,IAAMkD,EAAAA,aAAAA;AAAe/D,YAAAA;AAAS,SAAA,CAAA;QAE3EH,GAAIe,CAAAA,QAAQ,CAACX,YAAAA,CAAagE,OAAO,CAAA;AACnC,KAAA,CAAE,OAAO5D,KAAO,EAAA;AACdG,QAAAA,MAAAA,CAAOC,GAAG,CAACJ,KAAK,CAAC,mDAAqDA,EAAAA,KAAAA,CAAAA;AACtEG,QAAAA,MAAAA,CAAOE,QAAQ,CAACC,IAAI,CAAC,kBAAoB,EAAA;AACvCN,YAAAA,KAAAA,EAAOA,KAAiBV,YAAAA,KAAAA,GAAQU,KAAQ,GAAA,IAAIV,KAAM,CAAA,mBAAA,CAAA;AAClDK,YAAAA;AACF,SAAA,CAAA;AACA,QAAA,OAAOH,GAAIe,CAAAA,QAAQ,CAACX,YAAAA,CAAaI,KAAK,CAAA;AACxC;AACF;AAEA,kBAAe;AACbT,IAAAA,YAAAA;AACAyC,IAAAA;AACF,CAAE;;;;;;"}

package/dist/server/ee/server/src/controllers/authentication-utils/middlewares.mjs

@@ -1,6 +1,7 @@
 import passport from 'koa-passport';
 import { getService } from '../../utils/index.mjs';
 import utils from './utils.mjs';
+import { getSessionManager, generateDeviceId, buildCookieOptionsWithExpiry, REFRESH_COOKIE_NAME } from '../../../../../shared/utils/session-auth.mjs';
 
 const defaultConnectionError = ()=>new Error('Invalid connection payload');
 const authenticate = async (ctx, next)=>{
@@ -80,26 +81,51 @@ const nonExistingUserScenario = (ctx, next)=>async (profile, provider)=>{
         });
         return next();
     };
-const redirectWithAuth = (ctx)=>{
+const redirectWithAuth = async (ctx)=>{
     const { params: { provider } } = ctx;
     const redirectUrls = utils.getPrefixedRedirectUrls();
-    const domain = strapi.config.get('admin.auth.domain');
     const { user } = ctx.state;
-    const jwt = getService('token').createJwtToken(user);
-    const isProduction = strapi.config.get('environment') === 'production';
-    const cookiesOptions = {
-        httpOnly: false,
-        secure: isProduction,
-        overwrite: true,
-        domain
-    };
-    const sanitizedUser = getService('user').sanitizeUser(user);
-    strapi.eventHub.emit('admin.auth.success', {
-        user: sanitizedUser,
-        provider
-    });
-    ctx.cookies.set('jwtToken', jwt, cookiesOptions);
-    ctx.redirect(redirectUrls.success);
+    try {
+        const sessionManager = getSessionManager();
+        if (!sessionManager) {
+            strapi.log.error('SessionManager not available for SSO authentication');
+            return ctx.redirect(redirectUrls.error);
+        }
+        const userId = String(user.id);
+        const deviceId = generateDeviceId();
+        const { token: refreshToken, absoluteExpiresAt } = await sessionManager('admin').generateRefreshToken(userId, deviceId, {
+            type: 'refresh'
+        });
+        const cookieOptions = buildCookieOptionsWithExpiry('refresh', absoluteExpiresAt);
+        ctx.cookies.set(REFRESH_COOKIE_NAME, refreshToken, cookieOptions);
+        const accessResult = await sessionManager('admin').generateAccessToken(refreshToken);
+        if ('error' in accessResult) {
+            strapi.log.error('Failed to generate access token for SSO user');
+            return ctx.redirect(redirectUrls.error);
+        }
+        const { token: accessToken } = accessResult;
+        const isProduction = strapi.config.get('environment') === 'production';
+        const domain = strapi.config.get('admin.auth.domain');
+        ctx.cookies.set('jwtToken', accessToken, {
+            httpOnly: false,
+            secure: isProduction,
+            overwrite: true,
+            domain
+        });
+        const sanitizedUser = getService('user').sanitizeUser(user);
+        strapi.eventHub.emit('admin.auth.success', {
+            user: sanitizedUser,
+            provider
+        });
+        ctx.redirect(redirectUrls.success);
+    } catch (error) {
+        strapi.log.error('SSO authentication failed during token generation', error);
+        strapi.eventHub.emit('admin.auth.error', {
+            error: error instanceof Error ? error : new Error('Unknown SSO error'),
+            provider
+        });
+        return ctx.redirect(redirectUrls.error);
+    }
 };
 var middlewares = {
     authenticate,