strapi-plugin-oidc 1.0.0 → 1.0.3

package/README.md

@@ -1,6 +1,6 @@
 <div align="center">
-  <img src="https://raw.githubusercontent.com/edmogeor/strapi-plugin-oidc/main/assets/icon.png" width="140" alt="OIDC Plugin for Strapi Logo"/>
-  <h1>OIDC Plugin for Strapi</h1>
+  <img src="https://raw.githubusercontent.com/edmogeor/strapi-plugin-oidc/main/assets/icon.png" width="140" alt="OIDC Login for Strapi Logo"/>
+  <h1>OIDC Login for Strapi</h1>
   <p>
     <a href="https://github.com/edmogeor/strapi-plugin-oidc/actions/workflows/test.yml">
       <img src="https://github.com/edmogeor/strapi-plugin-oidc/actions/workflows/test.yml/badge.svg" alt="Tests">
@@ -8,7 +8,7 @@
   </p>
 </div>
 
-A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel. 
+A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.
 
 This plugin allows your administrators to log in to the Strapi administration interface using external OIDC identity providers such as Zitadel, Keycloak, Auth0, AWS Cognito, and others.
 
@@ -43,22 +43,22 @@ module.exports = ({ env }) => ({
       OIDC_CLIENT_SECRET: '[Client Secret from OpenID Provider]',
 
       OIDC_SCOPES: 'openid profile email', // Standard OIDC scopes
-      
+
       // API Endpoints required for OIDC provider
       OIDC_AUTHORIZATION_ENDPOINT: '[Authorization Endpoint]',
       OIDC_TOKEN_ENDPOINT: '[Token Endpoint]',
       OIDC_USER_INFO_ENDPOINT: '[User Info Endpoint]',
       OIDC_USER_INFO_ENDPOINT_WITH_AUTH_HEADER: false,
-      OIDC_GRANT_TYPE: 'authorization_code', 
-      
+      OIDC_GRANT_TYPE: 'authorization_code',
+
       // Customizable user field mapping for user creation
       OIDC_FAMILY_NAME_FIELD: 'family_name',
       OIDC_GIVEN_NAME_FIELD: 'given_name',
-      
+
       // Redirect to OIDC provider's logout page when users log out of Strapi
-      OIDC_LOGOUT_URL: '[OIDC Provider Logout URL]' 
-    }
-  }
+      OIDC_LOGOUT_URL: '[OIDC Provider Logout URL]',
+    },
+  },
   // ...
 });
 ```
@@ -71,13 +71,14 @@ Once the plugin is installed and configured, you can manage the OIDC settings fr
 
 - **Whitelist Management**: Restrict login to specific users by adding their email addresses to the whitelist. You can also whitelist entire email domains (e.g., `*@company.com`). If the whitelist is empty, any user who successfully authenticates via your OIDC provider will be able to log in and an account will be automatically created for them.
 - **Default Role Assignment**: Select the default Strapi admin role that will be assigned to newly created users when they log in for the first time via OIDC.
-- **Enforce OIDC Login**: When enabled, the default Strapi email and password login form will be disabled, forcing all administrators to log in using your OIDC provider. *(Note: This option is automatically disabled and grayed out if your whitelist is empty to prevent accidentally locking everyone out of the admin panel).*
+- **Enforce OIDC Login**: When enabled, the default Strapi email and password login form will be disabled, forcing all administrators to log in using your OIDC provider. _(Note: This option is automatically disabled and grayed out if your whitelist is empty to prevent accidentally locking everyone out of the admin panel)._
 
 ## Credits & Changes
 
 This plugin is a hard fork of the original [`strapi-plugin-sso`](https://github.com/yasudacloud/strapi-plugin-sso) created by **yasudacloud**. Huge thanks to them for creating the foundation of this plugin!
 
 ### Changes made to the original codebase:
+
 - Removed alternative SSO methods to simplify the plugin.
 - Redesigned the Whitelist and Role management UI (switched to native Strapi cards, added pagination, etc.).
 - Added an OIDC logout redirect URL.
@@ -85,4 +86,4 @@ This plugin is a hard fork of the original [`strapi-plugin-sso`](https://github.
 - Migrated the testing framework to Vitest and added comprehensive test coverage for controllers and services.
 - Cleaned up dead code and unused dependencies to improve maintainability.
 - Upgraded to use newer versions of Node.js.
-- Added misc. quality of life improvements and bug fixes.
+- Added misc. quality of life improvements and bug fixes.

package/dist/server/index.js

@@ -75,6 +75,8 @@ function destroy() {
 const config = {
   default: {
     REMEMBER_ME: false,
+    REMEMBER_ME_DURATION: 30 * 24 * 60 * 60 * 1e3,
+    // 30 days in milliseconds
     OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
     OIDC_CLIENT_ID: "",
     OIDC_CLIENT_SECRET: "",
@@ -546,10 +548,13 @@ function oauthService({ strapi: strapi2 }) {
         ENTRY_CREATE = webhookStore.allowedEvents.get("ENTRY_CREATE");
       }
       const modelDef = strapi2.getModel("admin::user");
-      const sanitizedEntity = await strapiUtils__default.default.sanitize.sanitizers.defaultSanitizeOutput({
-        schema: modelDef,
-        getModel: (uid2) => strapi2.getModel(uid2)
-      }, user);
+      const sanitizedEntity = await strapiUtils__default.default.sanitize.sanitizers.defaultSanitizeOutput(
+        {
+          schema: modelDef,
+          getModel: (uid2) => strapi2.getModel(uid2)
+        },
+        user
+      );
       eventHub.emit(ENTRY_CREATE, {
         model: modelDef.modelName,
         entry: sanitizedEntity
@@ -606,19 +611,39 @@ function oauthService({ strapi: strapi2 }) {
     async generateToken(user, ctx) {
       const sessionManager = strapi2.sessionManager;
       if (!sessionManager) {
-        throw new Error("sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.");
+        throw new Error(
+          "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later."
+        );
       }
       const userId = String(user.id);
       const deviceId = node_crypto.randomUUID();
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
       const REMEMBER_ME = config2["REMEMBER_ME"];
       const rememberMe = !!REMEMBER_ME;
-      const { token: refreshToken } = await sessionManager(
-        "admin"
-      ).generateRefreshToken(userId, deviceId, {
-        type: rememberMe ? "refresh" : "session"
-      });
-      const cookieOptions = {};
+      const { token: refreshToken } = await sessionManager("admin").generateRefreshToken(
+        userId,
+        deviceId,
+        {
+          type: rememberMe ? "refresh" : "session"
+        }
+      );
+      const isProduction = strapi2.config.get("environment") === "production";
+      const domain = strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain");
+      const path = strapi2.config.get("admin.auth.cookie.path", "/admin");
+      const sameSite = strapi2.config.get("admin.auth.cookie.sameSite", "lax");
+      const cookieOptions = {
+        httpOnly: true,
+        secure: isProduction,
+        overwrite: true,
+        domain,
+        path,
+        sameSite
+      };
+      if (rememberMe) {
+        const REMEMBER_ME_DURATION = config2["REMEMBER_ME_DURATION"] || 30 * 24 * 60 * 60 * 1e3;
+        cookieOptions.maxAge = REMEMBER_ME_DURATION;
+        cookieOptions.expires = new Date(Date.now() + REMEMBER_ME_DURATION);
+      }
       ctx.cookies.set("strapi_admin_refresh", refreshToken, cookieOptions);
       const accessResult = await sessionManager("admin").generateAccessToken(refreshToken);
       if ("error" in accessResult) {

package/dist/server/index.mjs

@@ -68,6 +68,8 @@ function destroy() {
 const config = {
   default: {
     REMEMBER_ME: false,
+    REMEMBER_ME_DURATION: 30 * 24 * 60 * 60 * 1e3,
+    // 30 days in milliseconds
     OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
     OIDC_CLIENT_ID: "",
     OIDC_CLIENT_SECRET: "",
@@ -539,10 +541,13 @@ function oauthService({ strapi: strapi2 }) {
         ENTRY_CREATE = webhookStore.allowedEvents.get("ENTRY_CREATE");
       }
       const modelDef = strapi2.getModel("admin::user");
-      const sanitizedEntity = await strapiUtils.sanitize.sanitizers.defaultSanitizeOutput({
-        schema: modelDef,
-        getModel: (uid2) => strapi2.getModel(uid2)
-      }, user);
+      const sanitizedEntity = await strapiUtils.sanitize.sanitizers.defaultSanitizeOutput(
+        {
+          schema: modelDef,
+          getModel: (uid2) => strapi2.getModel(uid2)
+        },
+        user
+      );
       eventHub.emit(ENTRY_CREATE, {
         model: modelDef.modelName,
         entry: sanitizedEntity
@@ -599,19 +604,39 @@ function oauthService({ strapi: strapi2 }) {
     async generateToken(user, ctx) {
       const sessionManager = strapi2.sessionManager;
       if (!sessionManager) {
-        throw new Error("sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.");
+        throw new Error(
+          "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later."
+        );
       }
       const userId = String(user.id);
       const deviceId = randomUUID();
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
       const REMEMBER_ME = config2["REMEMBER_ME"];
       const rememberMe = !!REMEMBER_ME;
-      const { token: refreshToken } = await sessionManager(
-        "admin"
-      ).generateRefreshToken(userId, deviceId, {
-        type: rememberMe ? "refresh" : "session"
-      });
-      const cookieOptions = {};
+      const { token: refreshToken } = await sessionManager("admin").generateRefreshToken(
+        userId,
+        deviceId,
+        {
+          type: rememberMe ? "refresh" : "session"
+        }
+      );
+      const isProduction = strapi2.config.get("environment") === "production";
+      const domain = strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain");
+      const path = strapi2.config.get("admin.auth.cookie.path", "/admin");
+      const sameSite = strapi2.config.get("admin.auth.cookie.sameSite", "lax");
+      const cookieOptions = {
+        httpOnly: true,
+        secure: isProduction,
+        overwrite: true,
+        domain,
+        path,
+        sameSite
+      };
+      if (rememberMe) {
+        const REMEMBER_ME_DURATION = config2["REMEMBER_ME_DURATION"] || 30 * 24 * 60 * 60 * 1e3;
+        cookieOptions.maxAge = REMEMBER_ME_DURATION;
+        cookieOptions.expires = new Date(Date.now() + REMEMBER_ME_DURATION);
+      }
       ctx.cookies.set("strapi_admin_refresh", refreshToken, cookieOptions);
       const accessResult = await sessionManager("admin").generateAccessToken(refreshToken);
       if ("error" in accessResult) {

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.0.0",
-  "description": "OIDC plugin for Strapi!",
+  "version": "1.0.3",
+  "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",
     "name": "strapi-plugin-oidc",
-    "description": "Provides OIDC middleware for Strapi instances",
+    "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
     "kind": "plugin"
   },
   "scripts": {

package/dist/_chunks/en-AsM8uCFB.mjs

@@ -1,23 +0,0 @@
-const en = {
-  "page.title": "Default role setting at first login",
-  "page.notes": "This will not be reflected for already registered users.",
-  "page.save": "Save",
-  "page.save.success": "Updated settings",
-  "page.save.error": "Update failed.",
-  "page.cancel": "Cancel",
-  "page.ok": "OK",
-  "tab.roles": "Roles",
-  "tab.whitelist": "Whitelist",
-  "tab.whitelist.error.unique": "Already registered email address.",
-  "tab.whitelist.enabled": "Whitelist is currently enabled.",
-  "tab.whitelist.disabled": "Whitelist is currently disabled.",
-  "tab.whitelist.description": "Only the following email addresses are allowed to authenticate with SSO.",
-  "tab.whitelist.table.no": "No",
-  "tab.whitelist.table.email": "Email",
-  "tab.whitelist.table.created": "Created At",
-  "tab.whitelist.delete.title": "Confirmation",
-  "tab.whitelist.delete.description": "Are you sure you want to delete this?"
-};
-export {
-  en as default
-};

package/dist/_chunks/en-BbQ9XzfO.js

@@ -1,23 +0,0 @@
-"use strict";
-Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const en = {
-  "page.title": "Default role setting at first login",
-  "page.notes": "This will not be reflected for already registered users.",
-  "page.save": "Save",
-  "page.save.success": "Updated settings",
-  "page.save.error": "Update failed.",
-  "page.cancel": "Cancel",
-  "page.ok": "OK",
-  "tab.roles": "Roles",
-  "tab.whitelist": "Whitelist",
-  "tab.whitelist.error.unique": "Already registered email address.",
-  "tab.whitelist.enabled": "Whitelist is currently enabled.",
-  "tab.whitelist.disabled": "Whitelist is currently disabled.",
-  "tab.whitelist.description": "Only the following email addresses are allowed to authenticate with SSO.",
-  "tab.whitelist.table.no": "No",
-  "tab.whitelist.table.email": "Email",
-  "tab.whitelist.table.created": "Created At",
-  "tab.whitelist.delete.title": "Confirmation",
-  "tab.whitelist.delete.description": "Are you sure you want to delete this?"
-};
-exports.default = en;

package/dist/_chunks/fr-C8Qw4iPZ.js

@@ -1,4 +0,0 @@
-"use strict";
-Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const fr = {};
-exports.default = fr;

package/dist/_chunks/fr-hkSxFuzl.mjs

@@ -1,4 +0,0 @@
-const fr = {};
-export {
-  fr as default
-};