strapi-plugin-oidc 1.1.2 → 1.2.0

package/dist/admin/{index-aBuEmqza.js → index-BzRgsk9F.js}

@@ -7,8 +7,7 @@ const react = require("react");
 const designSystem = require("@strapi/design-system");
 const icons = require("@strapi/icons");
 const reactIntl = require("react-intl");
-const index = require("./index-Csm9fJS0.js");
-const en = require("./en-8UlbiAHW.js");
+const index = require("./index-XREqyWao.js");
 const styled = require("styled-components");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
 const styled__default = /* @__PURE__ */ _interopDefault(styled);
@@ -16,7 +15,7 @@ function getTrad(id) {
   const pluginIdWithId = `${index.pluginId}.${id}`;
   return {
     id: pluginIdWithId,
-    defaultMessage: en.default[id] || pluginIdWithId
+    defaultMessage: index.en[id] || pluginIdWithId
   };
 }
 function Role({ oidcRoles, roles, onChangeRole }) {

package/dist/admin/{index-DDUvU8_H.mjs → index-D2Fm7gNJ.mjs}

@@ -5,8 +5,7 @@ import { useState, useCallback, useEffect, memo } from "react";
 import { Typography, Flex, Box, MultiSelect, MultiSelectOption, Field, Button, Divider, Thead, Tr, Th, Tbody, Td, Dialog, IconButton, Pagination, PreviousLink, PageLink, NextLink, Table, Alert } from "@strapi/design-system";
 import { Plus, Trash, WarningCircle } from "@strapi/icons";
 import { useIntl } from "react-intl";
-import { p as pluginId } from "./index-DxsqJhUk.mjs";
-import en from "./en-DInn-mdh.mjs";
+import { e as en, p as pluginId } from "./index-bfZQKCve.mjs";
 import styled from "styled-components";
 function getTrad(id) {
   const pluginIdWithId = `${pluginId}.${id}`;

package/dist/admin/index-XREqyWao.js

@@ -0,0 +1,254 @@
+"use strict";
+const react = require("react");
+const __variableDynamicImportRuntimeHelper = (glob, path, segs) => {
+  const v = glob[path];
+  if (v) {
+    return typeof v === "function" ? v() : Promise.resolve(v);
+  }
+  return new Promise((_, reject) => {
+    (typeof queueMicrotask === "function" ? queueMicrotask : setTimeout)(
+      reject.bind(
+        null,
+        new Error(
+          "Unknown variable dynamic import: " + path + (path.split("/").length !== segs ? ". Note that variables only represent file names one level deep." : "")
+        )
+      )
+    );
+  });
+};
+const name$1 = "strapi-plugin-oidc";
+const strapi = { "displayName": "OIDC Plugin" };
+const pluginPkg = {
+  name: name$1,
+  strapi
+};
+const pluginId = pluginPkg.name.replace(/^@strapi\/plugin-/i, "");
+function getTranslation(id) {
+  return `${pluginId}.${id}`;
+}
+function Initializer({ setPlugin }) {
+  const ref = react.useRef();
+  ref.current = setPlugin;
+  react.useEffect(() => {
+    if (ref.current) {
+      ref.current(pluginId);
+    }
+  }, []);
+  return null;
+}
+const en = {
+  "global.plugins.strapi-plugin-oidc": "OIDC Plugin",
+  "page.title": "Configure OIDC default role(s) and access controls.",
+  "roles.notes": "Select the default role(s) assigned to new users upon their first login. This setting does not affect existing users.",
+  "page.save": "Save Changes",
+  "page.save.success": "Updated settings",
+  "page.save.error": "Update failed.",
+  "page.add": "Add",
+  "page.cancel": "Cancel",
+  "page.ok": "OK",
+  "roles.title": "Default Role(s)",
+  "roles.placeholder": "Select default role(s)",
+  "whitelist.title": "Whitelist",
+  "whitelist.error.unique": "Already registered email address.",
+  "whitelist.enabled": "Whitelist is currently enabled.",
+  "whitelist.disabled": "Whitelist is currently disabled.",
+  "whitelist.description": "Restrict OIDC authentication to specific email addresses and optionally assign them custom role(s).",
+  "whitelist.user_exists": "User already exists, matching existing role(s)",
+  "whitelist.users_exists": "Users already exist, matching existing role(s)",
+  "whitelist.table.no": "No.",
+  "whitelist.table.email": "Email",
+  "whitelist.table.created": "Created At",
+  "whitelist.delete.title": "Confirmation",
+  "whitelist.delete.description": "Are you sure you want to delete:",
+  "whitelist.delete.note": "This will not delete the user account in Strapi.",
+  "whitelist.toggle.enabled": "Enabled",
+  "whitelist.toggle.disabled": "Disabled",
+  "whitelist.email.placeholder": "Email address",
+  "whitelist.roles.placeholder": "Select specific role(s)",
+  "whitelist.table.roles": "Role(s)",
+  "whitelist.table.roles.default": "Default",
+  "whitelist.table.empty": "No email addresses",
+  "whitelist.delete.label": "Delete",
+  "page.title.oidc": "OIDC",
+  "enforce.title": "Enforce OIDC Login",
+  "enforce.toggle.enabled": "Enabled",
+  "enforce.toggle.disabled": "Disabled",
+  "enforce.warning": "Make sure OIDC is setup correctly before saving changes, you won't be able to login normally.",
+  "login.sso": "Login via SSO"
+};
+const en$1 = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
+  __proto__: null,
+  default: en
+}, Symbol.toStringTag, { value: "Module" }));
+const name = pluginPkg.strapi.displayName;
+const index = {
+  register(app) {
+    app.addSettingsLink(
+      {
+        id: "oidc",
+        intlLabel: {
+          id: `${pluginId}.settings.section`,
+          defaultMessage: "OIDC"
+        }
+      },
+      {
+        id: "configuration",
+        to: `/settings/${pluginId}`,
+        intlLabel: {
+          id: `${pluginId}.settings.configuration`,
+          defaultMessage: "Configuration"
+        },
+        Component: async () => {
+          return await Promise.resolve().then(() => require("./index-BzRgsk9F.js"));
+        },
+        permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
+      }
+    );
+    app.registerPlugin({
+      id: pluginId,
+      initializer: Initializer,
+      name
+    });
+  },
+  bootstrap() {
+    let isLogoutInProgress = false;
+    let historyPatched = false;
+    const ENFORCE_CACHE_KEY = "strapi_oidc_enforced";
+    const isAuthRoute = (path) => /\/auth\/(login|register|forgot-password|reset-password)/.test(path);
+    const patchHistory = () => {
+      if (historyPatched) return;
+      historyPatched = true;
+      const interceptHistory = (originalMethod) => {
+        return function(...args) {
+          const url = args[2];
+          if (url && typeof url === "string") {
+            const urlWithoutQuery = url.split("?")[0].split("#")[0];
+            if (isAuthRoute(urlWithoutQuery)) {
+              if (isLogoutInProgress) {
+                return;
+              }
+              window.location.href = "/strapi-plugin-oidc/oidc";
+              return;
+            }
+          }
+          return originalMethod.apply(window.history, args);
+        };
+      };
+      window.history.pushState = interceptHistory(window.history.pushState);
+      window.history.replaceState = interceptHistory(window.history.replaceState);
+      if (isAuthRoute(window.location.pathname)) {
+        window.location.replace("/strapi-plugin-oidc/oidc");
+      }
+    };
+    let ssoButtonInjected = false;
+    let ssoObserver = null;
+    const injectSSOButton = () => {
+      if (ssoButtonInjected) return;
+      if (!isAuthRoute(window.location.pathname)) return;
+      if (document.getElementById("strapi-oidc-sso-btn")) return;
+      const submitButton = document.querySelector('form button[type="submit"]');
+      if (!submitButton?.parentNode) return;
+      const btn = document.createElement("button");
+      btn.id = "strapi-oidc-sso-btn";
+      btn.type = "button";
+      btn.className = submitButton.className;
+      btn.style.marginTop = "8px";
+      btn.onclick = () => {
+        window.location.href = "/strapi-plugin-oidc/oidc";
+      };
+      const innerSpan = submitButton.querySelector("span");
+      const span = document.createElement("span");
+      if (innerSpan) span.className = innerSpan.className;
+      span.textContent = en["login.sso"];
+      btn.appendChild(span);
+      submitButton.parentNode.insertBefore(btn, submitButton.nextSibling);
+      ssoButtonInjected = true;
+    };
+    const startSSOButtonObserver = () => {
+      if (ssoObserver) return;
+      injectSSOButton();
+      ssoObserver = new MutationObserver(() => {
+        if (isAuthRoute(window.location.pathname)) injectSSOButton();
+      });
+      ssoObserver.observe(document.body, { childList: true, subtree: true });
+    };
+    const stopSSOButtonObserver = () => {
+      ssoObserver?.disconnect();
+      ssoObserver = null;
+      document.getElementById("strapi-oidc-sso-btn")?.remove();
+      ssoButtonInjected = false;
+    };
+    if (localStorage.getItem(ENFORCE_CACHE_KEY) === "1") {
+      patchHistory();
+    }
+    const checkEnforceOIDC = async () => {
+      try {
+        const response = await window.fetch("/strapi-plugin-oidc/settings/public");
+        if (response.ok) {
+          const data = await response.json();
+          if (data.enforceOIDC) {
+            localStorage.setItem(ENFORCE_CACHE_KEY, "1");
+            stopSSOButtonObserver();
+            patchHistory();
+          } else {
+            localStorage.removeItem(ENFORCE_CACHE_KEY);
+            startSSOButtonObserver();
+          }
+        }
+      } catch (error) {
+        console.error("Failed to check OIDC enforcement setting:", error);
+      }
+    };
+    checkEnforceOIDC();
+    const originalFetch = window.fetch;
+    window.fetch = async (...args) => {
+      const url = typeof args[0] === "string" ? args[0] : args[0].url;
+      const isLogout = url && url.endsWith("/admin/logout") && args[1]?.method?.toUpperCase() === "POST";
+      if (isLogout) {
+        isLogoutInProgress = true;
+      }
+      const response = await originalFetch(...args);
+      if (isLogout && response.ok) {
+        window.localStorage.removeItem("jwtToken");
+        window.localStorage.removeItem("isLoggedIn");
+        window.sessionStorage.removeItem("jwtToken");
+        window.sessionStorage.removeItem("isLoggedIn");
+        document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/";
+        document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/admin";
+        window.location.href = "/strapi-plugin-oidc/logout";
+        return new Promise(() => {
+        });
+      } else if (isLogout) {
+        isLogoutInProgress = false;
+      }
+      return response;
+    };
+  },
+  async registerTrads({ locales }) {
+    const importedTrads = await Promise.all(
+      locales.map((locale) => {
+        return __variableDynamicImportRuntimeHelper(/* @__PURE__ */ Object.assign({ "./translations/en.json": () => Promise.resolve().then(() => en$1) }), `./translations/${locale}.json`, 3).then(({ default: data }) => {
+          const newData = Object.fromEntries(
+            Object.entries(data).map(([key, value]) => [
+              key.startsWith("global.") ? key : getTranslation(key),
+              value
+            ])
+          );
+          return {
+            data: newData,
+            locale
+          };
+        }).catch(() => {
+          return {
+            data: {},
+            locale
+          };
+        });
+      })
+    );
+    return Promise.resolve(importedTrads);
+  }
+};
+exports.en = en;
+exports.index = index;
+exports.pluginId = pluginId;

package/dist/admin/index-bfZQKCve.mjs

@@ -0,0 +1,255 @@
+import { useRef, useEffect } from "react";
+const __variableDynamicImportRuntimeHelper = (glob, path, segs) => {
+  const v = glob[path];
+  if (v) {
+    return typeof v === "function" ? v() : Promise.resolve(v);
+  }
+  return new Promise((_, reject) => {
+    (typeof queueMicrotask === "function" ? queueMicrotask : setTimeout)(
+      reject.bind(
+        null,
+        new Error(
+          "Unknown variable dynamic import: " + path + (path.split("/").length !== segs ? ". Note that variables only represent file names one level deep." : "")
+        )
+      )
+    );
+  });
+};
+const name$1 = "strapi-plugin-oidc";
+const strapi = { "displayName": "OIDC Plugin" };
+const pluginPkg = {
+  name: name$1,
+  strapi
+};
+const pluginId = pluginPkg.name.replace(/^@strapi\/plugin-/i, "");
+function getTranslation(id) {
+  return `${pluginId}.${id}`;
+}
+function Initializer({ setPlugin }) {
+  const ref = useRef();
+  ref.current = setPlugin;
+  useEffect(() => {
+    if (ref.current) {
+      ref.current(pluginId);
+    }
+  }, []);
+  return null;
+}
+const en = {
+  "global.plugins.strapi-plugin-oidc": "OIDC Plugin",
+  "page.title": "Configure OIDC default role(s) and access controls.",
+  "roles.notes": "Select the default role(s) assigned to new users upon their first login. This setting does not affect existing users.",
+  "page.save": "Save Changes",
+  "page.save.success": "Updated settings",
+  "page.save.error": "Update failed.",
+  "page.add": "Add",
+  "page.cancel": "Cancel",
+  "page.ok": "OK",
+  "roles.title": "Default Role(s)",
+  "roles.placeholder": "Select default role(s)",
+  "whitelist.title": "Whitelist",
+  "whitelist.error.unique": "Already registered email address.",
+  "whitelist.enabled": "Whitelist is currently enabled.",
+  "whitelist.disabled": "Whitelist is currently disabled.",
+  "whitelist.description": "Restrict OIDC authentication to specific email addresses and optionally assign them custom role(s).",
+  "whitelist.user_exists": "User already exists, matching existing role(s)",
+  "whitelist.users_exists": "Users already exist, matching existing role(s)",
+  "whitelist.table.no": "No.",
+  "whitelist.table.email": "Email",
+  "whitelist.table.created": "Created At",
+  "whitelist.delete.title": "Confirmation",
+  "whitelist.delete.description": "Are you sure you want to delete:",
+  "whitelist.delete.note": "This will not delete the user account in Strapi.",
+  "whitelist.toggle.enabled": "Enabled",
+  "whitelist.toggle.disabled": "Disabled",
+  "whitelist.email.placeholder": "Email address",
+  "whitelist.roles.placeholder": "Select specific role(s)",
+  "whitelist.table.roles": "Role(s)",
+  "whitelist.table.roles.default": "Default",
+  "whitelist.table.empty": "No email addresses",
+  "whitelist.delete.label": "Delete",
+  "page.title.oidc": "OIDC",
+  "enforce.title": "Enforce OIDC Login",
+  "enforce.toggle.enabled": "Enabled",
+  "enforce.toggle.disabled": "Disabled",
+  "enforce.warning": "Make sure OIDC is setup correctly before saving changes, you won't be able to login normally.",
+  "login.sso": "Login via SSO"
+};
+const en$1 = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
+  __proto__: null,
+  default: en
+}, Symbol.toStringTag, { value: "Module" }));
+const name = pluginPkg.strapi.displayName;
+const index = {
+  register(app) {
+    app.addSettingsLink(
+      {
+        id: "oidc",
+        intlLabel: {
+          id: `${pluginId}.settings.section`,
+          defaultMessage: "OIDC"
+        }
+      },
+      {
+        id: "configuration",
+        to: `/settings/${pluginId}`,
+        intlLabel: {
+          id: `${pluginId}.settings.configuration`,
+          defaultMessage: "Configuration"
+        },
+        Component: async () => {
+          return await import("./index-D2Fm7gNJ.mjs");
+        },
+        permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
+      }
+    );
+    app.registerPlugin({
+      id: pluginId,
+      initializer: Initializer,
+      name
+    });
+  },
+  bootstrap() {
+    let isLogoutInProgress = false;
+    let historyPatched = false;
+    const ENFORCE_CACHE_KEY = "strapi_oidc_enforced";
+    const isAuthRoute = (path) => /\/auth\/(login|register|forgot-password|reset-password)/.test(path);
+    const patchHistory = () => {
+      if (historyPatched) return;
+      historyPatched = true;
+      const interceptHistory = (originalMethod) => {
+        return function(...args) {
+          const url = args[2];
+          if (url && typeof url === "string") {
+            const urlWithoutQuery = url.split("?")[0].split("#")[0];
+            if (isAuthRoute(urlWithoutQuery)) {
+              if (isLogoutInProgress) {
+                return;
+              }
+              window.location.href = "/strapi-plugin-oidc/oidc";
+              return;
+            }
+          }
+          return originalMethod.apply(window.history, args);
+        };
+      };
+      window.history.pushState = interceptHistory(window.history.pushState);
+      window.history.replaceState = interceptHistory(window.history.replaceState);
+      if (isAuthRoute(window.location.pathname)) {
+        window.location.replace("/strapi-plugin-oidc/oidc");
+      }
+    };
+    let ssoButtonInjected = false;
+    let ssoObserver = null;
+    const injectSSOButton = () => {
+      if (ssoButtonInjected) return;
+      if (!isAuthRoute(window.location.pathname)) return;
+      if (document.getElementById("strapi-oidc-sso-btn")) return;
+      const submitButton = document.querySelector('form button[type="submit"]');
+      if (!submitButton?.parentNode) return;
+      const btn = document.createElement("button");
+      btn.id = "strapi-oidc-sso-btn";
+      btn.type = "button";
+      btn.className = submitButton.className;
+      btn.style.marginTop = "8px";
+      btn.onclick = () => {
+        window.location.href = "/strapi-plugin-oidc/oidc";
+      };
+      const innerSpan = submitButton.querySelector("span");
+      const span = document.createElement("span");
+      if (innerSpan) span.className = innerSpan.className;
+      span.textContent = en["login.sso"];
+      btn.appendChild(span);
+      submitButton.parentNode.insertBefore(btn, submitButton.nextSibling);
+      ssoButtonInjected = true;
+    };
+    const startSSOButtonObserver = () => {
+      if (ssoObserver) return;
+      injectSSOButton();
+      ssoObserver = new MutationObserver(() => {
+        if (isAuthRoute(window.location.pathname)) injectSSOButton();
+      });
+      ssoObserver.observe(document.body, { childList: true, subtree: true });
+    };
+    const stopSSOButtonObserver = () => {
+      ssoObserver?.disconnect();
+      ssoObserver = null;
+      document.getElementById("strapi-oidc-sso-btn")?.remove();
+      ssoButtonInjected = false;
+    };
+    if (localStorage.getItem(ENFORCE_CACHE_KEY) === "1") {
+      patchHistory();
+    }
+    const checkEnforceOIDC = async () => {
+      try {
+        const response = await window.fetch("/strapi-plugin-oidc/settings/public");
+        if (response.ok) {
+          const data = await response.json();
+          if (data.enforceOIDC) {
+            localStorage.setItem(ENFORCE_CACHE_KEY, "1");
+            stopSSOButtonObserver();
+            patchHistory();
+          } else {
+            localStorage.removeItem(ENFORCE_CACHE_KEY);
+            startSSOButtonObserver();
+          }
+        }
+      } catch (error) {
+        console.error("Failed to check OIDC enforcement setting:", error);
+      }
+    };
+    checkEnforceOIDC();
+    const originalFetch = window.fetch;
+    window.fetch = async (...args) => {
+      const url = typeof args[0] === "string" ? args[0] : args[0].url;
+      const isLogout = url && url.endsWith("/admin/logout") && args[1]?.method?.toUpperCase() === "POST";
+      if (isLogout) {
+        isLogoutInProgress = true;
+      }
+      const response = await originalFetch(...args);
+      if (isLogout && response.ok) {
+        window.localStorage.removeItem("jwtToken");
+        window.localStorage.removeItem("isLoggedIn");
+        window.sessionStorage.removeItem("jwtToken");
+        window.sessionStorage.removeItem("isLoggedIn");
+        document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/";
+        document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/admin";
+        window.location.href = "/strapi-plugin-oidc/logout";
+        return new Promise(() => {
+        });
+      } else if (isLogout) {
+        isLogoutInProgress = false;
+      }
+      return response;
+    };
+  },
+  async registerTrads({ locales }) {
+    const importedTrads = await Promise.all(
+      locales.map((locale) => {
+        return __variableDynamicImportRuntimeHelper(/* @__PURE__ */ Object.assign({ "./translations/en.json": () => Promise.resolve().then(() => en$1) }), `./translations/${locale}.json`, 3).then(({ default: data }) => {
+          const newData = Object.fromEntries(
+            Object.entries(data).map(([key, value]) => [
+              key.startsWith("global.") ? key : getTranslation(key),
+              value
+            ])
+          );
+          return {
+            data: newData,
+            locale
+          };
+        }).catch(() => {
+          return {
+            data: {},
+            locale
+          };
+        });
+      })
+    );
+    return Promise.resolve(importedTrads);
+  }
+};
+export {
+  en as e,
+  index as i,
+  pluginId as p
+};

package/dist/admin/index.js

@@ -1,4 +1,4 @@
 "use strict";
 Object.defineProperties(exports, { __esModule: { value: true }, [Symbol.toStringTag]: { value: "Module" } });
-const index = require("./index-Csm9fJS0.js");
+const index = require("./index-XREqyWao.js");
 exports.default = index.index;

package/dist/admin/index.mjs

@@ -1,4 +1,4 @@
-import { i } from "./index-DxsqJhUk.mjs";
+import { i } from "./index-bfZQKCve.mjs";
 export {
   i as default
 };

package/dist/server/index.js

@@ -10,6 +10,23 @@ const strapiUtils__default = /* @__PURE__ */ _interopDefault(strapiUtils);
 const generator__default = /* @__PURE__ */ _interopDefault(generator);
 function register$1() {
 }
+function getExpiredCookieOptions(strapi2, ctx) {
+  const isProduction = strapi2.config.get("environment") === "production";
+  return {
+    httpOnly: true,
+    secure: isProduction && ctx.request.secure,
+    path: strapi2.config.get("admin.auth.cookie.path", "/admin"),
+    domain: strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain"),
+    sameSite: strapi2.config.get("admin.auth.cookie.sameSite", "lax"),
+    maxAge: 0,
+    expires: /* @__PURE__ */ new Date(0)
+  };
+}
+function clearAuthCookies(strapi2, ctx) {
+  const options2 = getExpiredCookieOptions(strapi2, ctx);
+  ctx.cookies.set("strapi_admin_refresh", "", options2);
+  ctx.cookies.set("oidc_authenticated", "", options2);
+}
 async function bootstrap({ strapi: strapi2 }) {
   const enforceOidcMiddleware = async (ctx, next) => {
     const adminUrl = strapi2.config.get("admin.url", "/admin");
@@ -20,9 +37,10 @@ async function bootstrap({ strapi: strapi2 }) {
       `${adminUrl}/reset-password`
     ];
     const isPostAuth = authRoutes.includes(ctx.request.path) && ctx.request.method === "POST";
+    const isTokenRefresh = ctx.request.path === `${adminUrl}/token/refresh` && ctx.request.method === "POST";
     const isHtmlRequest = ctx.request.accepts("html", "json") === "html" && !ctx.request.path.match(/\.[a-zA-Z0-9]+$/);
     const isGetAdminHtml = ctx.request.method === "GET" && ctx.request.path.startsWith(adminUrl) && isHtmlRequest;
-    if (isPostAuth || isGetAdminHtml) {
+    if (isPostAuth || isTokenRefresh || isGetAdminHtml) {
       try {
         const whitelistService2 = strapi2.plugin("strapi-plugin-oidc").service("whitelist");
         const settings = await whitelistService2.getSettings();
@@ -40,8 +58,27 @@ async function bootstrap({ strapi: strapi2 }) {
             };
             return;
           }
+          const hasOidcSession = !!ctx.cookies.get("oidc_authenticated");
+          if (isTokenRefresh && !hasOidcSession) {
+            ctx.status = 401;
+            ctx.body = {
+              data: null,
+              error: {
+                status: 401,
+                name: "UnauthorizedError",
+                message: "Session was not created via OIDC. Please log in again.",
+                details: {}
+              }
+            };
+            return;
+          }
           if (isGetAdminHtml) {
-            const hasRefreshCookie = ctx.cookies.get("strapi_admin_refresh");
+            const hasRefreshCookie = !!ctx.cookies.get("strapi_admin_refresh");
+            if (hasRefreshCookie && !hasOidcSession) {
+              clearAuthCookies(strapi2, ctx);
+              ctx.redirect("/strapi-plugin-oidc/oidc");
+              return;
+            }
             if (!hasRefreshCookie) {
               ctx.redirect("/strapi-plugin-oidc/oidc");
               return;
@@ -341,7 +378,9 @@ async function oidcSignInCallback(ctx) {
 async function logout(ctx) {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   const logoutUrl = config2.OIDC_LOGOUT_URL;
-  if (logoutUrl) {
+  const isOidcSession = !!ctx.cookies.get("oidc_authenticated");
+  clearAuthCookies(strapi, ctx);
+  if (logoutUrl && isOidcSession) {
     ctx.redirect(logoutUrl);
   } else {
     const adminPanelUrl = strapi.config.get("admin.url", "/admin");
@@ -917,6 +956,7 @@ function oauthService({ strapi: strapi2 }) {
         cookieOptions.expires = new Date(Date.now() + durationInMs);
       }
       ctx.cookies.set("strapi_admin_refresh", refreshToken, cookieOptions);
+      ctx.cookies.set("oidc_authenticated", "1", cookieOptions);
       const accessResult = await sessionManager("admin").generateAccessToken(refreshToken);
       if ("error" in accessResult) {
         throw new Error(accessResult.error);
@@ -977,16 +1017,24 @@ function whitelistService({ strapi: strapi2 }) {
     name: "strapi-plugin-oidc"
   });
   const getWhitelistQuery = () => strapi2.query("plugin::strapi-plugin-oidc.whitelists");
+  let settingsCache = null;
+  const SETTINGS_CACHE_TTL_MS = 5 * 60 * 1e3;
   return {
     async getSettings() {
+      const now = Date.now();
+      if (settingsCache && now - settingsCache.ts < SETTINGS_CACHE_TTL_MS) {
+        return settingsCache.value;
+      }
       let settings = await getPluginStore().get({ key: "settings" });
       if (!settings) {
         settings = { useWhitelist: true, enforceOIDC: false };
         await getPluginStore().set({ key: "settings", value: settings });
       }
+      settingsCache = { value: settings, ts: now };
       return settings;
     },
     async setSettings(settings) {
+      settingsCache = null;
       await getPluginStore().set({ key: "settings", value: settings });
     },
     async getUsers() {
@@ -1004,14 +1052,12 @@ function whitelistService({ strapi: strapi2 }) {
     },
     async checkWhitelistForEmail(email) {
       const settings = await this.getSettings();
-      console.log("checkWhitelistForEmail settings:", settings);
       if (!settings.useWhitelist) {
         return null;
       }
       const result = await getWhitelistQuery().findOne({
         where: { email }
       });
-      console.log("checkWhitelistForEmail result:", result);
       if (!result) {
         throw new Error("Not present in whitelist");
       }

package/dist/server/index.mjs

@@ -4,6 +4,23 @@ import strapiUtils from "@strapi/utils";
 import generator from "generate-password";
 function register$1() {
 }
+function getExpiredCookieOptions(strapi2, ctx) {
+  const isProduction = strapi2.config.get("environment") === "production";
+  return {
+    httpOnly: true,
+    secure: isProduction && ctx.request.secure,
+    path: strapi2.config.get("admin.auth.cookie.path", "/admin"),
+    domain: strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain"),
+    sameSite: strapi2.config.get("admin.auth.cookie.sameSite", "lax"),
+    maxAge: 0,
+    expires: /* @__PURE__ */ new Date(0)
+  };
+}
+function clearAuthCookies(strapi2, ctx) {
+  const options2 = getExpiredCookieOptions(strapi2, ctx);
+  ctx.cookies.set("strapi_admin_refresh", "", options2);
+  ctx.cookies.set("oidc_authenticated", "", options2);
+}
 async function bootstrap({ strapi: strapi2 }) {
   const enforceOidcMiddleware = async (ctx, next) => {
     const adminUrl = strapi2.config.get("admin.url", "/admin");
@@ -14,9 +31,10 @@ async function bootstrap({ strapi: strapi2 }) {
       `${adminUrl}/reset-password`
     ];
     const isPostAuth = authRoutes.includes(ctx.request.path) && ctx.request.method === "POST";
+    const isTokenRefresh = ctx.request.path === `${adminUrl}/token/refresh` && ctx.request.method === "POST";
     const isHtmlRequest = ctx.request.accepts("html", "json") === "html" && !ctx.request.path.match(/\.[a-zA-Z0-9]+$/);
     const isGetAdminHtml = ctx.request.method === "GET" && ctx.request.path.startsWith(adminUrl) && isHtmlRequest;
-    if (isPostAuth || isGetAdminHtml) {
+    if (isPostAuth || isTokenRefresh || isGetAdminHtml) {
       try {
         const whitelistService2 = strapi2.plugin("strapi-plugin-oidc").service("whitelist");
         const settings = await whitelistService2.getSettings();
@@ -34,8 +52,27 @@ async function bootstrap({ strapi: strapi2 }) {
             };
             return;
           }
+          const hasOidcSession = !!ctx.cookies.get("oidc_authenticated");
+          if (isTokenRefresh && !hasOidcSession) {
+            ctx.status = 401;
+            ctx.body = {
+              data: null,
+              error: {
+                status: 401,
+                name: "UnauthorizedError",
+                message: "Session was not created via OIDC. Please log in again.",
+                details: {}
+              }
+            };
+            return;
+          }
           if (isGetAdminHtml) {
-            const hasRefreshCookie = ctx.cookies.get("strapi_admin_refresh");
+            const hasRefreshCookie = !!ctx.cookies.get("strapi_admin_refresh");
+            if (hasRefreshCookie && !hasOidcSession) {
+              clearAuthCookies(strapi2, ctx);
+              ctx.redirect("/strapi-plugin-oidc/oidc");
+              return;
+            }
             if (!hasRefreshCookie) {
               ctx.redirect("/strapi-plugin-oidc/oidc");
               return;
@@ -335,7 +372,9 @@ async function oidcSignInCallback(ctx) {
 async function logout(ctx) {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   const logoutUrl = config2.OIDC_LOGOUT_URL;
-  if (logoutUrl) {
+  const isOidcSession = !!ctx.cookies.get("oidc_authenticated");
+  clearAuthCookies(strapi, ctx);
+  if (logoutUrl && isOidcSession) {
     ctx.redirect(logoutUrl);
   } else {
     const adminPanelUrl = strapi.config.get("admin.url", "/admin");
@@ -911,6 +950,7 @@ function oauthService({ strapi: strapi2 }) {
         cookieOptions.expires = new Date(Date.now() + durationInMs);
       }
       ctx.cookies.set("strapi_admin_refresh", refreshToken, cookieOptions);
+      ctx.cookies.set("oidc_authenticated", "1", cookieOptions);
       const accessResult = await sessionManager("admin").generateAccessToken(refreshToken);
       if ("error" in accessResult) {
         throw new Error(accessResult.error);
@@ -971,16 +1011,24 @@ function whitelistService({ strapi: strapi2 }) {
     name: "strapi-plugin-oidc"
   });
   const getWhitelistQuery = () => strapi2.query("plugin::strapi-plugin-oidc.whitelists");
+  let settingsCache = null;
+  const SETTINGS_CACHE_TTL_MS = 5 * 60 * 1e3;
   return {
     async getSettings() {
+      const now = Date.now();
+      if (settingsCache && now - settingsCache.ts < SETTINGS_CACHE_TTL_MS) {
+        return settingsCache.value;
+      }
       let settings = await getPluginStore().get({ key: "settings" });
       if (!settings) {
         settings = { useWhitelist: true, enforceOIDC: false };
         await getPluginStore().set({ key: "settings", value: settings });
       }
+      settingsCache = { value: settings, ts: now };
       return settings;
     },
     async setSettings(settings) {
+      settingsCache = null;
       await getPluginStore().set({ key: "settings", value: settings });
     },
     async getUsers() {
@@ -998,14 +1046,12 @@ function whitelistService({ strapi: strapi2 }) {
     },
     async checkWhitelistForEmail(email) {
       const settings = await this.getSettings();
-      console.log("checkWhitelistForEmail settings:", settings);
       if (!settings.useWhitelist) {
         return null;
       }
       const result = await getWhitelistQuery().findOne({
         where: { email }
       });
-      console.log("checkWhitelistForEmail result:", result);
       if (!result) {
         throw new Error("Not present in whitelist");
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.1.2",
+  "version": "1.2.0",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",

package/dist/admin/en-8UlbiAHW.js

@@ -1,42 +0,0 @@
-"use strict";
-Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const en = {
-  "global.plugins.strapi-plugin-oidc": "OIDC Plugin",
-  "page.title": "Configure OIDC default role(s) and access controls.",
-  "roles.notes": "Select the default role(s) assigned to new users upon their first login. This setting does not affect existing users.",
-  "page.save": "Save Changes",
-  "page.save.success": "Updated settings",
-  "page.save.error": "Update failed.",
-  "page.add": "Add",
-  "page.cancel": "Cancel",
-  "page.ok": "OK",
-  "roles.title": "Default Role(s)",
-  "roles.placeholder": "Select default role(s)",
-  "whitelist.title": "Whitelist",
-  "whitelist.error.unique": "Already registered email address.",
-  "whitelist.enabled": "Whitelist is currently enabled.",
-  "whitelist.disabled": "Whitelist is currently disabled.",
-  "whitelist.description": "Restrict OIDC authentication to specific email addresses and optionally assign them custom role(s).",
-  "whitelist.user_exists": "User already exists, matching existing role(s)",
-  "whitelist.users_exists": "Users already exist, matching existing role(s)",
-  "whitelist.table.no": "No.",
-  "whitelist.table.email": "Email",
-  "whitelist.table.created": "Created At",
-  "whitelist.delete.title": "Confirmation",
-  "whitelist.delete.description": "Are you sure you want to delete:",
-  "whitelist.delete.note": "This will not delete the user account in Strapi.",
-  "whitelist.toggle.enabled": "Enabled",
-  "whitelist.toggle.disabled": "Disabled",
-  "whitelist.email.placeholder": "Email address",
-  "whitelist.roles.placeholder": "Select specific role(s)",
-  "whitelist.table.roles": "Role(s)",
-  "whitelist.table.roles.default": "Default",
-  "whitelist.table.empty": "No email addresses",
-  "whitelist.delete.label": "Delete",
-  "page.title.oidc": "OIDC",
-  "enforce.title": "Enforce OIDC Login",
-  "enforce.toggle.enabled": "Enabled",
-  "enforce.toggle.disabled": "Disabled",
-  "enforce.warning": "Make sure OIDC is setup correctly before saving changes, you won't be able to login normally."
-};
-exports.default = en;

package/dist/admin/en-DInn-mdh.mjs

@@ -1,42 +0,0 @@
-const en = {
-  "global.plugins.strapi-plugin-oidc": "OIDC Plugin",
-  "page.title": "Configure OIDC default role(s) and access controls.",
-  "roles.notes": "Select the default role(s) assigned to new users upon their first login. This setting does not affect existing users.",
-  "page.save": "Save Changes",
-  "page.save.success": "Updated settings",
-  "page.save.error": "Update failed.",
-  "page.add": "Add",
-  "page.cancel": "Cancel",
-  "page.ok": "OK",
-  "roles.title": "Default Role(s)",
-  "roles.placeholder": "Select default role(s)",
-  "whitelist.title": "Whitelist",
-  "whitelist.error.unique": "Already registered email address.",
-  "whitelist.enabled": "Whitelist is currently enabled.",
-  "whitelist.disabled": "Whitelist is currently disabled.",
-  "whitelist.description": "Restrict OIDC authentication to specific email addresses and optionally assign them custom role(s).",
-  "whitelist.user_exists": "User already exists, matching existing role(s)",
-  "whitelist.users_exists": "Users already exist, matching existing role(s)",
-  "whitelist.table.no": "No.",
-  "whitelist.table.email": "Email",
-  "whitelist.table.created": "Created At",
-  "whitelist.delete.title": "Confirmation",
-  "whitelist.delete.description": "Are you sure you want to delete:",
-  "whitelist.delete.note": "This will not delete the user account in Strapi.",
-  "whitelist.toggle.enabled": "Enabled",
-  "whitelist.toggle.disabled": "Disabled",
-  "whitelist.email.placeholder": "Email address",
-  "whitelist.roles.placeholder": "Select specific role(s)",
-  "whitelist.table.roles": "Role(s)",
-  "whitelist.table.roles.default": "Default",
-  "whitelist.table.empty": "No email addresses",
-  "whitelist.delete.label": "Delete",
-  "page.title.oidc": "OIDC",
-  "enforce.title": "Enforce OIDC Login",
-  "enforce.toggle.enabled": "Enabled",
-  "enforce.toggle.disabled": "Disabled",
-  "enforce.warning": "Make sure OIDC is setup correctly before saving changes, you won't be able to login normally."
-};
-export {
-  en as default
-};

package/dist/admin/index-Csm9fJS0.js

@@ -1,155 +0,0 @@
-"use strict";
-const react = require("react");
-const __variableDynamicImportRuntimeHelper = (glob, path, segs) => {
-  const v = glob[path];
-  if (v) {
-    return typeof v === "function" ? v() : Promise.resolve(v);
-  }
-  return new Promise((_, reject) => {
-    (typeof queueMicrotask === "function" ? queueMicrotask : setTimeout)(
-      reject.bind(
-        null,
-        new Error(
-          "Unknown variable dynamic import: " + path + (path.split("/").length !== segs ? ". Note that variables only represent file names one level deep." : "")
-        )
-      )
-    );
-  });
-};
-const name$1 = "strapi-plugin-oidc";
-const strapi = { "displayName": "OIDC Plugin" };
-const pluginPkg = {
-  name: name$1,
-  strapi
-};
-const pluginId = pluginPkg.name.replace(/^@strapi\/plugin-/i, "");
-function getTranslation(id) {
-  return `${pluginId}.${id}`;
-}
-function Initializer({ setPlugin }) {
-  const ref = react.useRef();
-  ref.current = setPlugin;
-  react.useEffect(() => {
-    if (ref.current) {
-      ref.current(pluginId);
-    }
-  }, []);
-  return null;
-}
-const name = pluginPkg.strapi.displayName;
-const index = {
-  register(app) {
-    app.addSettingsLink(
-      {
-        id: "oidc",
-        intlLabel: {
-          id: `${pluginId}.settings.section`,
-          defaultMessage: "OIDC"
-        }
-      },
-      {
-        id: "configuration",
-        to: `/settings/${pluginId}`,
-        intlLabel: {
-          id: `${pluginId}.settings.configuration`,
-          defaultMessage: "Configuration"
-        },
-        Component: async () => {
-          return await Promise.resolve().then(() => require("./index-aBuEmqza.js"));
-        },
-        permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
-      }
-    );
-    app.registerPlugin({
-      id: pluginId,
-      initializer: Initializer,
-      name
-    });
-  },
-  bootstrap() {
-    let isLogoutInProgress = false;
-    const isAuthRoute = (path) => /\/auth\/(login|register|forgot-password|reset-password)/.test(path);
-    const checkEnforceOIDC = async () => {
-      try {
-        const response = await window.fetch("/strapi-plugin-oidc/settings/public");
-        if (response.ok) {
-          const data = await response.json();
-          if (data.enforceOIDC) {
-            const interceptHistory = (originalMethod) => {
-              return function(...args) {
-                const url = args[2];
-                if (url && typeof url === "string") {
-                  const urlWithoutQuery = url.split("?")[0].split("#")[0];
-                  if (isAuthRoute(urlWithoutQuery)) {
-                    if (isLogoutInProgress) {
-                      return;
-                    }
-                    window.location.href = "/strapi-plugin-oidc/oidc";
-                    return;
-                  }
-                }
-                return originalMethod.apply(window.history, args);
-              };
-            };
-            window.history.pushState = interceptHistory(window.history.pushState);
-            window.history.replaceState = interceptHistory(window.history.replaceState);
-          }
-        }
-      } catch (error) {
-        console.error("Failed to check OIDC enforcement setting:", error);
-      }
-    };
-    checkEnforceOIDC();
-    const originalFetch = window.fetch;
-    window.fetch = async (...args) => {
-      const url = typeof args[0] === "string" ? args[0] : args[0].url;
-      const isLogout = url && url.endsWith("/admin/logout") && args[1]?.method?.toUpperCase() === "POST";
-      if (isLogout) {
-        isLogoutInProgress = true;
-      }
-      const response = await originalFetch(...args);
-      if (isLogout && response.ok) {
-        window.localStorage.removeItem("jwtToken");
-        window.localStorage.removeItem("isLoggedIn");
-        window.sessionStorage.removeItem("jwtToken");
-        window.sessionStorage.removeItem("isLoggedIn");
-        document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/";
-        document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/admin";
-        document.cookie = "strapi_admin_refresh=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/";
-        document.cookie = "strapi_admin_refresh=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/admin";
-        window.location.href = "/strapi-plugin-oidc/logout";
-        return new Promise(() => {
-        });
-      } else if (isLogout) {
-        isLogoutInProgress = false;
-      }
-      return response;
-    };
-  },
-  async registerTrads({ locales }) {
-    const importedTrads = await Promise.all(
-      locales.map((locale) => {
-        return __variableDynamicImportRuntimeHelper(/* @__PURE__ */ Object.assign({ "./translations/en.json": () => Promise.resolve().then(() => require("./en-8UlbiAHW.js")) }), `./translations/${locale}.json`, 3).then(({ default: data }) => {
-          const newData = Object.fromEntries(
-            Object.entries(data).map(([key, value]) => [
-              key.startsWith("global.") ? key : getTranslation(key),
-              value
-            ])
-          );
-          return {
-            data: newData,
-            locale
-          };
-        }).catch(() => {
-          return {
-            data: {},
-            locale
-          };
-        });
-      })
-    );
-    return Promise.resolve(importedTrads);
-  }
-};
-exports.index = index;
-exports.pluginId = pluginId;

package/dist/admin/index-DxsqJhUk.mjs

@@ -1,156 +0,0 @@
-import { useRef, useEffect } from "react";
-const __variableDynamicImportRuntimeHelper = (glob, path, segs) => {
-  const v = glob[path];
-  if (v) {
-    return typeof v === "function" ? v() : Promise.resolve(v);
-  }
-  return new Promise((_, reject) => {
-    (typeof queueMicrotask === "function" ? queueMicrotask : setTimeout)(
-      reject.bind(
-        null,
-        new Error(
-          "Unknown variable dynamic import: " + path + (path.split("/").length !== segs ? ". Note that variables only represent file names one level deep." : "")
-        )
-      )
-    );
-  });
-};
-const name$1 = "strapi-plugin-oidc";
-const strapi = { "displayName": "OIDC Plugin" };
-const pluginPkg = {
-  name: name$1,
-  strapi
-};
-const pluginId = pluginPkg.name.replace(/^@strapi\/plugin-/i, "");
-function getTranslation(id) {
-  return `${pluginId}.${id}`;
-}
-function Initializer({ setPlugin }) {
-  const ref = useRef();
-  ref.current = setPlugin;
-  useEffect(() => {
-    if (ref.current) {
-      ref.current(pluginId);
-    }
-  }, []);
-  return null;
-}
-const name = pluginPkg.strapi.displayName;
-const index = {
-  register(app) {
-    app.addSettingsLink(
-      {
-        id: "oidc",
-        intlLabel: {
-          id: `${pluginId}.settings.section`,
-          defaultMessage: "OIDC"
-        }
-      },
-      {
-        id: "configuration",
-        to: `/settings/${pluginId}`,
-        intlLabel: {
-          id: `${pluginId}.settings.configuration`,
-          defaultMessage: "Configuration"
-        },
-        Component: async () => {
-          return await import("./index-DDUvU8_H.mjs");
-        },
-        permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
-      }
-    );
-    app.registerPlugin({
-      id: pluginId,
-      initializer: Initializer,
-      name
-    });
-  },
-  bootstrap() {
-    let isLogoutInProgress = false;
-    const isAuthRoute = (path) => /\/auth\/(login|register|forgot-password|reset-password)/.test(path);
-    const checkEnforceOIDC = async () => {
-      try {
-        const response = await window.fetch("/strapi-plugin-oidc/settings/public");
-        if (response.ok) {
-          const data = await response.json();
-          if (data.enforceOIDC) {
-            const interceptHistory = (originalMethod) => {
-              return function(...args) {
-                const url = args[2];
-                if (url && typeof url === "string") {
-                  const urlWithoutQuery = url.split("?")[0].split("#")[0];
-                  if (isAuthRoute(urlWithoutQuery)) {
-                    if (isLogoutInProgress) {
-                      return;
-                    }
-                    window.location.href = "/strapi-plugin-oidc/oidc";
-                    return;
-                  }
-                }
-                return originalMethod.apply(window.history, args);
-              };
-            };
-            window.history.pushState = interceptHistory(window.history.pushState);
-            window.history.replaceState = interceptHistory(window.history.replaceState);
-          }
-        }
-      } catch (error) {
-        console.error("Failed to check OIDC enforcement setting:", error);
-      }
-    };
-    checkEnforceOIDC();
-    const originalFetch = window.fetch;
-    window.fetch = async (...args) => {
-      const url = typeof args[0] === "string" ? args[0] : args[0].url;
-      const isLogout = url && url.endsWith("/admin/logout") && args[1]?.method?.toUpperCase() === "POST";
-      if (isLogout) {
-        isLogoutInProgress = true;
-      }
-      const response = await originalFetch(...args);
-      if (isLogout && response.ok) {
-        window.localStorage.removeItem("jwtToken");
-        window.localStorage.removeItem("isLoggedIn");
-        window.sessionStorage.removeItem("jwtToken");
-        window.sessionStorage.removeItem("isLoggedIn");
-        document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/";
-        document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/admin";
-        document.cookie = "strapi_admin_refresh=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/";
-        document.cookie = "strapi_admin_refresh=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/admin";
-        window.location.href = "/strapi-plugin-oidc/logout";
-        return new Promise(() => {
-        });
-      } else if (isLogout) {
-        isLogoutInProgress = false;
-      }
-      return response;
-    };
-  },
-  async registerTrads({ locales }) {
-    const importedTrads = await Promise.all(
-      locales.map((locale) => {
-        return __variableDynamicImportRuntimeHelper(/* @__PURE__ */ Object.assign({ "./translations/en.json": () => import("./en-DInn-mdh.mjs") }), `./translations/${locale}.json`, 3).then(({ default: data }) => {
-          const newData = Object.fromEntries(
-            Object.entries(data).map(([key, value]) => [
-              key.startsWith("global.") ? key : getTranslation(key),
-              value
-            ])
-          );
-          return {
-            data: newData,
-            locale
-          };
-        }).catch(() => {
-          return {
-            data: {},
-            locale
-          };
-        });
-      })
-    );
-    return Promise.resolve(importedTrads);
-  }
-};
-export {
-  index as i,
-  pluginId as p
-};