strapi-identity 0.4.2 → 0.5.0

package/dist/server/src/content-types/temp-mfa/schema.json.d.ts

@@ -0,0 +1,35 @@
+declare const _default: {
+  "kind": "collectionType",
+  "collectionName": "mfa-temps",
+  "info": {
+    "singularName": "mfa-temp",
+    "pluralName": "mfa-temps",
+    "displayName": "MFA Temp"
+  },
+  "options": {
+    "draftAndPublish": false
+  },
+  "pluginOptions": {
+    "content-manager": {
+      "visible": false
+    },
+    "content-type-builder": {
+      "visible": false
+    }
+  },
+  "attributes": {
+    "admin_user": {
+      "type": "relation",
+      "relation": "oneToOne",
+      "target": "admin::user"
+    },
+    "secret": {
+      "type": "string",
+      "required": false,
+      "private": true
+    }
+  }
+}
+;
+
+export default _default;

package/dist/server/src/controllers/admin.d.ts

@@ -0,0 +1,4 @@
+import { Plugin } from '@strapi/types';
+type controller = Plugin.LoadedPlugin['controllers'][string];
+declare const _default: controller;
+export default _default;

package/dist/server/src/controllers/config.d.ts

@@ -0,0 +1,4 @@
+import { Plugin } from '@strapi/types';
+type controller = Plugin.LoadedPlugin['controllers'][string];
+declare const _default: controller;
+export default _default;

package/dist/server/src/controllers/controller.d.ts

@@ -0,0 +1,8 @@
+import { Core } from '@strapi/strapi';
+import { Plugin } from '@strapi/types';
+type controller = Plugin.LoadedPlugin['controllers'][string];
+declare const controller: ({ strapi }: {
+    strapi: Core.Strapi;
+}) => controller;
+declare const _default: controller;
+export default _default;

package/dist/server/src/controllers/index.d.ts

@@ -0,0 +1,3 @@
+import { Plugin } from '@strapi/strapi';
+declare const controllers: Plugin.LoadedPlugin['controllers'];
+export default controllers;

package/dist/server/src/destroy.d.ts

@@ -0,0 +1,3 @@
+import { Plugin } from '@strapi/types';
+declare const destroy: Plugin.LoadedPlugin['destroy'];
+export default destroy;

package/dist/server/src/middlewares/index.d.ts

@@ -0,0 +1,3 @@
+import { Plugin } from '@strapi/types';
+declare const middlewares: Plugin.LoadedPlugin['middlewares'];
+export default middlewares;

package/dist/server/src/policies/has-mfa.d.ts

@@ -0,0 +1,3 @@
+import { Plugin } from '@strapi/types';
+declare const policy: Plugin.LoadedPlugin['policies'][string];
+export default policy;

package/dist/server/src/policies/index.d.ts

@@ -0,0 +1,3 @@
+import { Plugin } from '@strapi/types';
+declare const policies: Plugin.LoadedPlugin['policies'];
+export default policies;

package/dist/server/src/register.d.ts

@@ -0,0 +1,3 @@
+import { Plugin } from '@strapi/types';
+declare const register: Plugin.LoadedPlugin['register'];
+export default register;

package/dist/server/src/routes/admin/admin.json.d.ts

@@ -0,0 +1,35 @@
+declare const _default: [
+  {
+    "method": "GET",
+    "path": "/admin/user/:id",
+    "handler": "admin.isEnabled",
+    "info": { "apiName": "isEnabled", "pluginName": "strapi-identity", "type": "content-api" },
+    "config": {
+      "policies": [
+        "admin::isAuthenticatedAdmin",
+        {
+          "name": "admin::hasPermissions",
+          "config": { "actions": ["plugin::strapi-identity.settings.read"] }
+        }
+      ]
+    }
+  },
+  {
+    "method": "DELETE",
+    "path": "/admin/user/:id",
+    "handler": "admin.reset",
+    "info": { "apiName": "reset", "pluginName": "strapi-identity", "type": "content-api" },
+    "config": {
+      "policies": [
+        "admin::isAuthenticatedAdmin",
+        {
+          "name": "admin::hasPermissions",
+          "config": { "actions": ["plugin::strapi-identity.settings.update"] }
+        }
+      ]
+    }
+  }
+]
+;
+
+export default _default;

package/dist/server/src/routes/admin/config.json.d.ts

@@ -0,0 +1,50 @@
+declare const _default: [
+  {
+    "method": "GET",
+    "path": "/config/enabled",
+    "handler": "config.isEnabled",
+    "info": { "apiName": "isEnabled", "pluginName": "strapi-identity", "type": "content-api" },
+    "config": {
+      "policies": [
+        "admin::isAuthenticatedAdmin",
+        {
+          "name": "admin::hasPermissions",
+          "config": { "actions": ["plugin::strapi-identity.settings.read"] }
+        }
+      ]
+    }
+  },
+  {
+    "method": "GET",
+    "path": "/config",
+    "handler": "config.getConfig",
+    "info": { "apiName": "getConfig", "pluginName": "strapi-identity", "type": "content-api" },
+    "config": {
+      "policies": [
+        "admin::isAuthenticatedAdmin",
+        {
+          "name": "admin::hasPermissions",
+          "config": { "actions": ["plugin::strapi-identity.settings.read"] }
+        }
+      ]
+    }
+  },
+  {
+    "method": "PUT",
+    "path": "/config",
+    "handler": "config.updateConfig",
+    "info": { "apiName": "updateConfig", "pluginName": "strapi-identity", "type": "content-api" },
+    "config": {
+      "policies": [
+        "admin::isAuthenticatedAdmin",
+        {
+          "name": "admin::hasPermissions",
+          "config": { "actions": ["plugin::strapi-identity.settings.update"] }
+        }
+      ]
+    }
+  }
+]
+;
+
+export default _default;

package/dist/server/src/routes/admin/index.d.ts

@@ -0,0 +1,3 @@
+import { Plugin } from '@strapi/types';
+declare const _default: Plugin.LoadedPlugin["routes"]["admin"];
+export default _default;

package/dist/server/src/routes/admin/mfa.json.d.ts

@@ -0,0 +1,94 @@
+declare const _default: [
+  {
+    "method": "GET",
+    "path": "/verify/info",
+    "handler": "controller.verifyInfo",
+    "info": { "apiName": "verifyInfo", "pluginName": "strapi-identity", "type": "content-api" },
+    "config": {
+      "auth": false,
+      "policies": ["has-mfa"]
+    }
+  },
+  {
+    "method": "POST",
+    "path": "/verify",
+    "handler": "controller.verify",
+    "info": { "apiName": "verify", "pluginName": "strapi-identity", "type": "content-api" },
+    "config": {
+      "auth": false,
+      "policies": ["has-mfa"],
+      "middlewares": ["admin::rateLimit"]
+    }
+  },
+  {
+    "method": "POST",
+    "path": "/enable",
+    "handler": "controller.enable",
+    "info": { "apiName": "enable", "pluginName": "strapi-identity", "type": "content-api" },
+    "config": {}
+  },
+  {
+    "method": "POST",
+    "path": "/setup",
+    "handler": "controller.setup",
+    "info": { "apiName": "setup", "pluginName": "strapi-identity", "type": "content-api" },
+    "config": {}
+  },
+  {
+    "method": "POST",
+    "path": "/disable",
+    "handler": "controller.disable",
+    "info": { "apiName": "disable", "pluginName": "strapi-identity", "type": "content-api" },
+    "config": {}
+  },
+  {
+    "method": "GET",
+    "path": "/status",
+    "handler": "controller.checkStatus",
+    "info": { "apiName": "checkStatus", "pluginName": "strapi-identity", "type": "content-api" },
+    "config": {}
+  },
+  {
+    "method": "POST",
+    "path": "/verify/resend",
+    "handler": "controller.resendVerifyOTP",
+    "info": {
+      "apiName": "resendVerifyOTP",
+      "pluginName": "strapi-identity",
+      "type": "content-api"
+    },
+    "config": {
+      "auth": false,
+      "policies": ["has-mfa"],
+      "middlewares": []
+    }
+  },
+  {
+    "method": "POST",
+    "path": "/enable-email",
+    "handler": "controller.enableEmail",
+    "info": { "apiName": "enableEmail", "pluginName": "strapi-identity", "type": "content-api" },
+    "config": {}
+  },
+  {
+    "method": "POST",
+    "path": "/setup-email",
+    "handler": "controller.setupEmail",
+    "info": { "apiName": "setupEmail", "pluginName": "strapi-identity", "type": "content-api" },
+    "config": {}
+  },
+  {
+    "method": "POST",
+    "path": "/disable-email/request",
+    "handler": "controller.requestDisableEmailOTP",
+    "info": {
+      "apiName": "requestDisableEmailOTP",
+      "pluginName": "strapi-identity",
+      "type": "content-api"
+    },
+    "config": {}
+  }
+]
+;
+
+export default _default;

package/dist/server/src/routes/index.d.ts

@@ -0,0 +1,3 @@
+import { Plugin } from '@strapi/types';
+declare const routes: Plugin.LoadedPlugin['routes'];
+export default routes;

package/dist/server/src/services/admin.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Check if 2FA is enabled for a user by looking for an associated MFA token.
+ * @param id the user's ID to check for an associated MFA token, indicating that 2FA is enabled for that user
+ * @returns a boolean indicating whether 2FA is enabled for the user (true if an MFA token exists, false otherwise)
+ */
+export declare const isEnabled: (id: string) => false | Promise<boolean>;
+/**
+ * Resets 2FA for a user by deleting any existing MFA token and temporary secret associated with that user.
+ * @param id the user's ID for which to reset 2FA, which will delete any associated MFA token and temporary secret, effectively disabling 2FA for that user until they set it up again
+ */
+export declare const reset: (id: string) => Promise<void>;

package/dist/server/src/services/config.d.ts

@@ -0,0 +1,57 @@
+declare const defaultConfig: {
+    email_enabled: boolean;
+    enabled: boolean;
+    enforce: boolean;
+    from_email: string;
+    from_name: string;
+    issuer: string;
+    message: string;
+    response_email: string;
+    subject: string;
+    text: string;
+};
+/**
+ * Service for managing the Strapi Identity plugin configuration
+ * @returns an object containing functions to get and update the plugin configuration
+ */
+export declare const isEnabled: () => Promise<boolean>;
+/**
+ * Retrieves the current configuration for the Strapi Identity plugin
+ * @returns the current configuration
+ */
+export declare const getConfig: () => Promise<{
+    email_enabled: boolean;
+    enabled: boolean;
+    enforce: boolean;
+    from_email: string;
+    from_name: string;
+    issuer: string;
+    message: string;
+    response_email: string;
+    subject: string;
+    text: string;
+}>;
+/**
+ * Updates the Strapi Identity plugin configuration with the provided data
+ * @param data partial configuration data to update
+ * @returns  the updated configuration
+ */
+export declare const updateConfig: (data: Partial<typeof defaultConfig>) => Promise<{
+    email_enabled: boolean;
+    enabled: boolean;
+    enforce: boolean;
+    from_email: string;
+    from_name: string;
+    issuer: string;
+    message: string;
+    response_email: string;
+    subject: string;
+    text: string;
+}>;
+/**
+ * Checks if a user has MFA enabled by verifying the provided JWT token and checking for an associated MFA token in the database
+ * @param jwtToken the JWT token to verify and extract the user ID from
+ * @returns true if the user has MFA enabled, false otherwise
+ */
+export declare const checkUserByJWT: (jwtToken: string) => Promise<boolean>;
+export {};

package/dist/server/src/services/email.d.ts

@@ -0,0 +1,8 @@
+export declare const send: (to: string, otp: string) => Promise<any>;
+/**
+ * Replaces template variables in a string with their corresponding values.
+ * @param template The template string containing variables in the format <%= VARIABLE %>.
+ * @param variables An object containing the variable values to replace in the template.
+ * @returns The template string with variables replaced by their corresponding values.
+ */
+export declare const replaceTemplateVariables: <T extends Record<string, string>>(template: string, variables: T) => string;

package/dist/server/src/services/index.d.ts

@@ -0,0 +1,3 @@
+import { Plugin } from '@strapi/types';
+declare const services: Plugin.LoadedPlugin['services'];
+export default services;

package/dist/server/src/services/mfa.d.ts

@@ -0,0 +1,82 @@
+import { Secret } from 'otpauth';
+/**
+ * Validates a TOTP token against the temporary secret for a given user
+ * @param userId id of the user to validate against
+ * @param token TOTP token to validate
+ * @returns {Promise<boolean>} is the token valid
+ */
+export declare const validateTempToken: (userId: string, token: string) => Promise<boolean>;
+/**
+ * Validates a code against both the user's active TOTP secret and their recovery codes
+ * @param userId id of the user to validate against
+ * @param code code to validate (either TOTP token or recovery code)
+ * @returns {Promise<boolean>} is the code valid
+ */
+export declare const validateTokenOrRecoveryCode: (userId: string, code: string) => Promise<boolean>;
+/**
+ * Sets up a temporary secret for a user during MFA setup
+ * @param userId id of the user to set up MFA for
+ * @return {Promise<Secret>} the generated temporary secret
+ */
+export declare const setupTemporarySecret: (userId: string) => Promise<Secret>;
+/**
+ * Finalizes MFA setup by moving the temporary secret to the main token document and generating recovery codes
+ * @param userId id of the user to finalize MFA setup for
+ * @returns {Promise<string[]>} the generated recovery codes
+ */
+export declare const setupFullSecret: (userId: string) => Promise<string[]>;
+/**
+ * Generates a 6-digit email OTP for a user, stores it hashed with expiry, and returns the plaintext code
+ * @param userId id of the user to generate an OTP for
+ * @param purpose the purpose of the OTP: 'login', 'setup', or 'disable'
+ * @returns {Promise<string>} the plaintext OTP
+ */
+export declare const generateEmailOTP: (userId: string, purpose?: "login" | "setup" | "disable") => Promise<string>;
+/**
+ * Validates an email OTP for a given user and purpose.
+ * Increments attempt count, rejects on expiry or too many attempts, removes the record on success.
+ * @param userId id of the user to validate against
+ * @param code plaintext OTP to validate
+ * @param purpose the purpose of the OTP
+ * @returns {Promise<boolean>} whether the code is valid
+ */
+export declare const validateEmailOTP: (userId: string, code: string, purpose?: "login" | "setup" | "disable") => Promise<boolean>;
+/**
+ * Enables email OTP MFA for a user, creating or updating their mfa-token record
+ * @param userId id of the user to enable email MFA for
+ */
+export declare const enableEmailMFA: (userId: string) => Promise<void>;
+/**
+ * Returns the MFA status and method type for a given user
+ * @param userId id of the user to check
+ * @returns the status and type of MFA, or null if not enabled
+ */
+export declare const getMFAInfo: (userId: string) => Promise<{
+    status: "full";
+    type: "totp" | "email";
+} | null>;
+/**
+ * Disables MFA for a user after validating the provided code.
+ * For TOTP, validates against TOTP token or recovery code.
+ * For email OTP, validates against a previously generated disable OTP.
+ * @param userId id of the user to disable MFA for
+ * @param code a valid TOTP token, recovery code, or email OTP
+ */
+export declare const disableSecret: (userId: string, code: string) => Promise<void>;
+/**
+ * Disables the temporary secret for a user, effectively canceling the MFA setup process
+ * @param userId id of the user to disable the temporary secret for
+ */
+export declare const disableTempSecret: (userId: string) => Promise<void>;
+/**
+ * Checks if MFA is currently enabled for a given user
+ * @param userId id of the user to check
+ * @returns {Promise<'full' | null>} is MFA enabled for the user
+ */
+export declare const isMFAEnabled: (userId: string) => Promise<"full" | null>;
+/**
+ * Generates a secure random recovery code of the specified length
+ * @param length length of the recovery code to generate (default: 8)
+ * @returns {string} the generated recovery code
+ */
+export declare const generateRecoveryCode: (length?: number) => string;

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.2",
+  "version": "0.5.0",
   "keywords": [
     "strapi",
     "plugin",
@@ -43,16 +43,17 @@
     "strapi-admin-portal": "^0.3.0"
   },
   "devDependencies": {
-    "@strapi/sdk-plugin": "^6.0.1",
-    "@strapi/typescript-utils": "^5.40.0",
+    "@strapi/sdk-plugin": "^6.1.0",
+    "@strapi/typescript-utils": "^5.43.0",
     "@types/bcryptjs": "^2.4.6",
-    "@types/react": "^18.3.27",
+    "@types/react": "^18.3.28",
     "@types/react-dom": "^18.3.7",
-    "prettier": "^3.8.1",
+    "prettier": "^3.8.3",
     "typescript": "^5.9.3"
   },
   "peerDependencies": {
     "@strapi/design-system": "^2.1.2",
+    "koa2-ratelimit": "^1.1.3",
     "@strapi/email": "^5.39.0",
     "@strapi/icons": "^2.1.2",
     "@strapi/sdk-plugin": "^5.4.0",