strapi-plugin-oidc 1.2.4 → 1.3.1

package/dist/admin/{index-B2dKk7YS.mjs → index-D1ypRUlq.mjs}

@@ -49,11 +49,15 @@ const en = {
   "roles.placeholder": "Select default role(s)",
   "whitelist.title": "Whitelist",
   "whitelist.error.unique": "Already registered email address.",
-  "whitelist.enabled": "Whitelist is currently enabled.",
-  "whitelist.disabled": "Whitelist is currently disabled.",
   "whitelist.description": "Restrict OIDC authentication to specific email addresses and optionally assign them custom role(s).",
   "whitelist.user_exists": "User already exists, matching existing role(s)",
   "whitelist.users_exists": "Users already exist, matching existing role(s)",
+  "alert.title.success": "Success",
+  "alert.title.error": "Error",
+  "alert.title.info": "Info",
+  "pagination.previous": "Go to previous page",
+  "pagination.page": "Go to page {page}",
+  "pagination.next": "Go to next page",
   "whitelist.table.no": "No.",
   "whitelist.table.email": "Email",
   "whitelist.table.created": "Created At",
@@ -65,7 +69,6 @@ const en = {
   "whitelist.email.placeholder": "Email address",
   "whitelist.roles.placeholder": "Select specific role(s)",
   "whitelist.table.roles": "Role(s)",
-  "whitelist.table.roles.default": "Default",
   "whitelist.table.empty": "No email addresses",
   "whitelist.delete.label": "Delete",
   "page.title.oidc": "OIDC",
@@ -73,15 +76,20 @@ const en = {
   "enforce.toggle.enabled": "Enabled",
   "enforce.toggle.disabled": "Disabled",
   "enforce.warning": "Make sure OIDC is setup correctly before saving changes, you won't be able to login normally.",
+  "enforce.config.info": "Enforcement is controlled by the OIDC_ENFORCE config variable and cannot be changed here.",
   "login.settings.title": "Login Settings",
-  "login.sso": "Login via SSO",
-  "login.sso.show": "Add button for OIDC on login screen",
-  "login.sso.button.text.label": "Login button text"
+  "login.sso": "Login via SSO"
 };
-const en$1 = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
-  __proto__: null,
-  default: en
-}, Symbol.toStringTag, { value: "Module" }));
+function getTrad(id) {
+  const pluginIdWithId = `${pluginId}.${id}`;
+  return {
+    id: pluginIdWithId,
+    defaultMessage: en[id] || pluginIdWithId
+  };
+}
+function t(id) {
+  return en[id];
+}
 const name = pluginPkg.strapi.displayName;
 const index = {
   register(app) {
@@ -101,7 +109,7 @@ const index = {
           defaultMessage: "Configuration"
         },
         Component: async () => {
-          return await import("./index-BD7cK7Hf.mjs");
+          return await import("./index-CFmg9Kxl.mjs");
         },
         permissions: [{ action: "plugin::strapi-plugin-oidc.read", subject: null }]
       }
@@ -113,50 +121,11 @@ const index = {
     });
   },
   bootstrap() {
-    let isLogoutInProgress = false;
-    let historyPatched = false;
-    const ENFORCE_CACHE_KEY = "strapi_oidc_enforced";
+    const defaultButtonText = t("login.sso");
     const isAuthRoute = (path) => /\/auth\/(login|register|forgot-password|reset-password)/.test(path);
-    const patchHistory = () => {
-      if (historyPatched) return;
-      historyPatched = true;
-      const interceptHistory = (originalMethod) => {
-        return function(...args) {
-          const url = args[2];
-          if (url && typeof url === "string") {
-            const urlWithoutQuery = url.split("?")[0].split("#")[0];
-            if (isAuthRoute(urlWithoutQuery)) {
-              if (isLogoutInProgress) {
-                return;
-              }
-              if (sessionStorage.getItem("oidc_logout")) {
-                sessionStorage.removeItem("oidc_logout");
-                return originalMethod.apply(window.history, args);
-              }
-              document.documentElement.style.visibility = "hidden";
-              window.location.href = "/strapi-plugin-oidc/oidc";
-              return;
-            }
-          }
-          return originalMethod.apply(window.history, args);
-        };
-      };
-      window.history.pushState = interceptHistory(window.history.pushState);
-      window.history.replaceState = interceptHistory(window.history.replaceState);
-      if (isAuthRoute(window.location.pathname)) {
-        if (sessionStorage.getItem("oidc_logout")) {
-          sessionStorage.removeItem("oidc_logout");
-          document.documentElement.style.visibility = "";
-        } else {
-          document.documentElement.style.visibility = "hidden";
-          window.location.replace("/strapi-plugin-oidc/oidc");
-        }
-      }
-    };
     let ssoButtonInjected = false;
-    let ssoObserver = null;
-    let ssoButtonText = en["login.sso"];
-    const injectSSOButton = () => {
+    let loginObserver = null;
+    const injectSSOButton = (buttonText) => {
       if (ssoButtonInjected) return;
       if (!isAuthRoute(window.location.pathname)) return;
       if (document.getElementById("strapi-oidc-sso-btn")) return;
@@ -166,74 +135,75 @@ const index = {
       btn.id = "strapi-oidc-sso-btn";
       btn.type = "button";
       btn.className = submitButton.className;
-      btn.style.marginTop = "8px";
       btn.onclick = () => {
         window.location.href = "/strapi-plugin-oidc/oidc";
       };
       const innerSpan = submitButton.querySelector("span");
       const span = document.createElement("span");
       if (innerSpan) span.className = innerSpan.className;
-      span.textContent = ssoButtonText;
+      span.style.display = "inline-flex";
+      span.style.alignItems = "center";
+      span.style.gap = "8px";
+      const svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
+      svg.setAttribute("width", "16");
+      svg.setAttribute("height", "16");
+      svg.setAttribute("viewBox", "0 0 24 24");
+      svg.setAttribute("fill", "none");
+      svg.setAttribute("stroke", "currentColor");
+      svg.setAttribute("stroke-width", "2");
+      svg.setAttribute("stroke-linecap", "round");
+      svg.setAttribute("stroke-linejoin", "round");
+      svg.setAttribute("aria-hidden", "true");
+      svg.innerHTML = '<path d="M2.586 17.414A2 2 0 0 0 2 18.828V21a1 1 0 0 0 1 1h3a1 1 0 0 0 1-1v-1a1 1 0 0 1 1-1h1a1 1 0 0 0 1-1v-1a1 1 0 0 1 1-1h.172a2 2 0 0 0 1.414-.586l.814-.814a6.5 6.5 0 1 0-4-4z"/><circle cx="16.5" cy="7.5" r=".5" fill="currentColor"/>';
+      span.appendChild(svg);
+      span.appendChild(document.createTextNode(buttonText));
       btn.appendChild(span);
       submitButton.parentNode.insertBefore(btn, submitButton.nextSibling);
       ssoButtonInjected = true;
     };
-    const startSSOButtonObserver = () => {
-      if (ssoObserver) return;
-      injectSSOButton();
-      ssoObserver = new MutationObserver(() => {
-        if (isAuthRoute(window.location.pathname)) injectSSOButton();
+    const removeEnforcedElements = () => {
+      [
+        'form > div > div:has(input[name="email"])',
+        'form > div > div:has(input[name="password"])',
+        'form > div > div:has(button[role="checkbox"])',
+        'form > div > button[type="submit"]:not(#strapi-oidc-sso-btn)'
+      ].forEach((selector) => {
+        document.querySelectorAll(selector).forEach((el) => el.remove());
+      });
+      document.querySelectorAll('a[href*="forgot-password"]').forEach((el) => {
+        (el.closest("div")?.parentElement ?? el).remove();
       });
-      ssoObserver.observe(document.body, { childList: true, subtree: true });
     };
-    const stopSSOButtonObserver = () => {
-      ssoObserver?.disconnect();
-      ssoObserver = null;
-      document.getElementById("strapi-oidc-sso-btn")?.remove();
-      ssoButtonInjected = false;
+    const startLoginObserver = (buttonText, enforced) => {
+      if (loginObserver) return;
+      const tick = () => {
+        if (!isAuthRoute(window.location.pathname)) return;
+        injectSSOButton(buttonText);
+        if (enforced) removeEnforcedElements();
+      };
+      tick();
+      loginObserver = new MutationObserver(tick);
+      loginObserver.observe(document.body, { childList: true, subtree: true });
     };
-    if (!localStorage.getItem("jwtToken") && !sessionStorage.getItem("oidc_logout")) {
-      document.documentElement.style.visibility = "hidden";
-    }
-    if (localStorage.getItem(ENFORCE_CACHE_KEY) === "1") {
-      patchHistory();
-    }
-    if (isAuthRoute(window.location.pathname)) {
-      document.documentElement.style.visibility = "hidden";
-    }
-    const checkEnforceOIDC = async () => {
+    const applySettings = async () => {
       try {
         const response = await window.fetch("/strapi-plugin-oidc/settings/public");
         if (response.ok) {
           const data = await response.json();
-          if (data.enforceOIDC) {
-            localStorage.setItem(ENFORCE_CACHE_KEY, "1");
-            stopSSOButtonObserver();
-            patchHistory();
-          } else {
-            localStorage.removeItem(ENFORCE_CACHE_KEY);
-            document.documentElement.style.visibility = "";
-            if (data.showSSOButton !== false) {
-              ssoButtonText = data.ssoButtonText || en["login.sso"];
-              startSSOButtonObserver();
-            } else {
-              stopSSOButtonObserver();
-            }
-          }
+          startLoginObserver(data.ssoButtonText || defaultButtonText, !!data.enforceOIDC);
+        } else {
+          startLoginObserver(defaultButtonText, false);
         }
       } catch (error) {
-        document.documentElement.style.visibility = "";
-        console.error("Failed to check OIDC enforcement setting:", error);
+        startLoginObserver(defaultButtonText, false);
+        console.error("Failed to fetch OIDC settings:", error);
       }
     };
-    checkEnforceOIDC();
+    applySettings();
     const originalFetch = window.fetch;
     window.fetch = async (...args) => {
       const url = typeof args[0] === "string" ? args[0] : args[0].url;
       const isLogout = url && url.endsWith("/admin/logout") && args[1]?.method?.toUpperCase() === "POST";
-      if (isLogout) {
-        isLogoutInProgress = true;
-      }
       const response = await originalFetch(...args);
       if (isLogout && response.ok) {
         window.localStorage.removeItem("jwtToken");
@@ -242,43 +212,32 @@ const index = {
         window.sessionStorage.removeItem("isLoggedIn");
         document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/";
         document.cookie = "jwtToken=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/admin";
-        sessionStorage.setItem("oidc_logout", "1");
         window.location.href = "/strapi-plugin-oidc/logout";
         return new Promise(() => {
         });
-      } else if (isLogout) {
-        isLogoutInProgress = false;
       }
       return response;
     };
   },
   async registerTrads({ locales }) {
+    const transformKeys = (data) => Object.fromEntries(
+      Object.entries(data).map(([key, value]) => [
+        key.startsWith("global.") ? key : getTranslation(key),
+        value
+      ])
+    );
     const importedTrads = await Promise.all(
       locales.map((locale) => {
-        return __variableDynamicImportRuntimeHelper(/* @__PURE__ */ Object.assign({ "./translations/en.json": () => Promise.resolve().then(() => en$1) }), `./translations/${locale}.json`, 3).then(({ default: data }) => {
-          const newData = Object.fromEntries(
-            Object.entries(data).map(([key, value]) => [
-              key.startsWith("global.") ? key : getTranslation(key),
-              value
-            ])
-          );
-          return {
-            data: newData,
-            locale
-          };
-        }).catch(() => {
-          return {
-            data: {},
-            locale
-          };
-        });
+        if (locale === "en") {
+          return Promise.resolve({ data: transformKeys(en), locale });
+        }
+        return __variableDynamicImportRuntimeHelper(/* @__PURE__ */ Object.assign({}), `./translations/locales/${locale}.json`, 4).then(({ default: data }) => ({ data: transformKeys(data), locale })).catch(() => ({ data: {}, locale }));
       })
     );
-    return Promise.resolve(importedTrads);
+    return importedTrads;
   }
 };
 export {
-  en as e,
-  index as i,
-  pluginId as p
+  getTrad as g,
+  index as i
 };

package/dist/admin/index.js

@@ -1,4 +1,4 @@
 "use strict";
 Object.defineProperties(exports, { __esModule: { value: true }, [Symbol.toStringTag]: { value: "Module" } });
-const index = require("./index-Cxj6lwW7.js");
+const index = require("./index-Cse9ex24.js");
 exports.default = index.index;

package/dist/admin/index.mjs

@@ -1,4 +1,4 @@
-import { i } from "./index-B2dKk7YS.mjs";
+import { i } from "./index-D1ypRUlq.mjs";
 export {
   i as default
 };

package/dist/server/index.js

@@ -10,22 +10,19 @@ const strapiUtils__default = /* @__PURE__ */ _interopDefault(strapiUtils);
 const generator__default = /* @__PURE__ */ _interopDefault(generator);
 function register$1() {
 }
-function getExpiredCookieOptions(strapi2, ctx) {
-  const isProduction = strapi2.config.get("environment") === "production";
-  return {
-    httpOnly: true,
-    secure: isProduction && ctx.request.secure,
-    path: strapi2.config.get("admin.auth.cookie.path", "/admin"),
-    domain: strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain"),
-    sameSite: strapi2.config.get("admin.auth.cookie.sameSite", "lax"),
-    maxAge: 0,
-    expires: /* @__PURE__ */ new Date(0)
-  };
+function getEnforceOIDCConfig(strapi2) {
+  const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
+  const val = config2.OIDC_ENFORCE;
+  if (val === null || val === void 0) return null;
+  if (typeof val === "boolean") return val;
+  if (val === "true") return true;
+  if (val === "false") return false;
+  return null;
 }
-function clearAuthCookies(strapi2, ctx) {
-  const options2 = getExpiredCookieOptions(strapi2, ctx);
-  ctx.cookies.set("strapi_admin_refresh", "", options2);
-  ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
+function resolveEnforceOIDC(strapi2, dbValue) {
+  const configValue = getEnforceOIDCConfig(strapi2);
+  if (configValue !== null) return configValue;
+  return dbValue ?? false;
 }
 async function bootstrap({ strapi: strapi2 }) {
   const enforceOidcMiddleware = async (ctx, next) => {
@@ -38,13 +35,12 @@ async function bootstrap({ strapi: strapi2 }) {
     ];
     const isPostAuth = authRoutes.includes(ctx.request.path) && ctx.request.method === "POST";
     const isTokenRefresh = ctx.request.path === `${adminUrl}/token/refresh` && ctx.request.method === "POST";
-    const isHtmlRequest = ctx.request.accepts("html", "json") === "html" && !ctx.request.path.match(/\.[a-zA-Z0-9]+$/);
-    const isGetAdminHtml = ctx.request.method === "GET" && ctx.request.path.startsWith(adminUrl) && isHtmlRequest;
-    if (isPostAuth || isTokenRefresh || isGetAdminHtml) {
+    if (isPostAuth || isTokenRefresh) {
       try {
         const whitelistService2 = strapi2.plugin("strapi-plugin-oidc").service("whitelist");
         const settings = await whitelistService2.getSettings();
-        if (settings?.enforceOIDC) {
+        const enforceOIDC = resolveEnforceOIDC(strapi2, settings?.enforceOIDC);
+        if (enforceOIDC) {
           if (isPostAuth) {
             ctx.status = 403;
             ctx.body = {
@@ -72,18 +68,6 @@ async function bootstrap({ strapi: strapi2 }) {
             };
             return;
           }
-          if (isGetAdminHtml) {
-            const hasRefreshCookie = !!ctx.cookies.get("strapi_admin_refresh");
-            if (hasRefreshCookie && !hasOidcSession) {
-              clearAuthCookies(strapi2, ctx);
-              ctx.redirect("/strapi-plugin-oidc/oidc");
-              return;
-            }
-            if (!hasRefreshCookie) {
-              ctx.redirect("/strapi-plugin-oidc/oidc");
-              return;
-            }
-          }
         }
       } catch (err) {
         strapi2.log.error("Error checking OIDC enforcement in middleware:", err);
@@ -158,8 +142,6 @@ function destroy() {
 const config = {
   default: {
     REMEMBER_ME: false,
-    REMEMBER_ME_DAYS: 30,
-    // 30 days
     OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
     OIDC_CLIENT_ID: "",
     OIDC_CLIENT_SECRET: "",
@@ -171,7 +153,10 @@ const config = {
     OIDC_GRANT_TYPE: "authorization_code",
     OIDC_FAMILY_NAME_FIELD: "family_name",
     OIDC_GIVEN_NAME_FIELD: "given_name",
-    OIDC_LOGOUT_URL: ""
+    OIDC_LOGOUT_URL: "",
+    OIDC_SSO_BUTTON_TEXT: "Login via SSO",
+    OIDC_ENFORCE: null
+    // null = use DB setting; true/false = override DB (useful for lockout recovery)
   },
   validator() {
   }
@@ -206,6 +191,23 @@ const contentTypes = {
   roles,
   whitelists
 };
+function getExpiredCookieOptions(strapi2, ctx) {
+  const isProduction = strapi2.config.get("environment") === "production";
+  return {
+    httpOnly: true,
+    secure: isProduction && ctx.request.secure,
+    path: strapi2.config.get("admin.auth.cookie.path", "/admin"),
+    domain: strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain"),
+    sameSite: strapi2.config.get("admin.auth.cookie.sameSite", "lax"),
+    maxAge: 0,
+    expires: /* @__PURE__ */ new Date(0)
+  };
+}
+function clearAuthCookies(strapi2, ctx) {
+  const options2 = getExpiredCookieOptions(strapi2, ctx);
+  ctx.cookies.set("strapi_admin_refresh", "", options2);
+  ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
+}
 function configValidation() {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   const requiredKeys = [
@@ -345,6 +347,8 @@ async function oidcSignInCallback(ctx) {
   }
   const oidcState = ctx.cookies.get("oidc_state");
   const codeVerifier = ctx.cookies.get("oidc_code_verifier");
+  ctx.cookies.set("oidc_state", null);
+  ctx.cookies.set("oidc_code_verifier", null);
   if (!ctx.query.state || ctx.query.state !== oidcState) {
     return ctx.send(oauthService2.renderSignUpError("Invalid state"));
   }
@@ -425,14 +429,13 @@ async function info(ctx) {
   const whitelistUsers = await whitelistService2.getUsers();
   ctx.body = {
     useWhitelist: settings.useWhitelist,
-    enforceOIDC: settings.enforceOIDC || false,
-    showSSOButton: settings.showSSOButton !== false,
-    ssoButtonText: settings.ssoButtonText || "Login via SSO",
+    enforceOIDC: resolveEnforceOIDC(strapi, settings.enforceOIDC),
+    enforceOIDCConfig: getEnforceOIDCConfig(strapi),
     whitelistUsers
   };
 }
 async function updateSettings(ctx) {
-  let { useWhitelist, enforceOIDC, showSSOButton, ssoButtonText } = ctx.request.body;
+  let { useWhitelist, enforceOIDC } = ctx.request.body;
   const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
   if (useWhitelist && enforceOIDC) {
     const users = await whitelistService2.getUsers();
@@ -440,16 +443,16 @@ async function updateSettings(ctx) {
       enforceOIDC = false;
     }
   }
-  await whitelistService2.setSettings({ useWhitelist, enforceOIDC, showSSOButton, ssoButtonText });
-  ctx.body = { useWhitelist, enforceOIDC, showSSOButton, ssoButtonText };
+  await whitelistService2.setSettings({ useWhitelist, enforceOIDC });
+  ctx.body = { useWhitelist, enforceOIDC };
 }
 async function publicSettings(ctx) {
   const whitelistService2 = strapi.plugin("strapi-plugin-oidc").service("whitelist");
   const settings = await whitelistService2.getSettings();
+  const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   ctx.body = {
-    enforceOIDC: settings.enforceOIDC || false,
-    showSSOButton: settings.showSSOButton !== false,
-    ssoButtonText: settings.ssoButtonText || "Login via SSO"
+    enforceOIDC: resolveEnforceOIDC(strapi, settings.enforceOIDC),
+    ssoButtonText: config2.OIDC_SSO_BUTTON_TEXT
   };
 }
 async function register(ctx) {
@@ -934,13 +937,11 @@ function oauthService({ strapi: strapi2 }) {
       const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
       const REMEMBER_ME = config2["REMEMBER_ME"];
       const rememberMe = !!REMEMBER_ME;
-      const { token: refreshToken } = await sessionManager("admin").generateRefreshToken(
-        userId,
-        deviceId,
-        {
-          type: rememberMe ? "refresh" : "session"
-        }
-      );
+      const { token: refreshToken, absoluteExpiresAt } = await sessionManager(
+        "admin"
+      ).generateRefreshToken(userId, deviceId, {
+        type: rememberMe ? "refresh" : "session"
+      });
       const isProduction = strapi2.config.get("environment") === "production";
       const domain = strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain");
       const path = strapi2.config.get("admin.auth.cookie.path", "/admin");
@@ -954,10 +955,16 @@ function oauthService({ strapi: strapi2 }) {
         sameSite
       };
       if (rememberMe) {
-        const REMEMBER_ME_DAYS = config2["REMEMBER_ME_DAYS"] || 30;
-        const durationInMs = REMEMBER_ME_DAYS * 24 * 60 * 60 * 1e3;
-        cookieOptions.maxAge = durationInMs;
-        cookieOptions.expires = new Date(Date.now() + durationInMs);
+        const idleLifespanSec = strapi2.config.get(
+          "admin.auth.sessions.idleRefreshTokenLifespan",
+          1209600
+          // 14 days — Strapi default
+        );
+        const idleMs = idleLifespanSec * 1e3;
+        const absoluteMs = new Date(absoluteExpiresAt).getTime() - Date.now();
+        const ms = Math.min(idleMs, absoluteMs);
+        cookieOptions.maxAge = ms;
+        cookieOptions.expires = new Date(Date.now() + ms);
       }
       ctx.cookies.set("strapi_admin_refresh", refreshToken, cookieOptions);
       ctx.cookies.set("oidc_authenticated", "1", { ...cookieOptions, path: "/" });
@@ -1033,9 +1040,7 @@ function whitelistService({ strapi: strapi2 }) {
       if (!settings) {
         settings = {
           useWhitelist: true,
-          enforceOIDC: false,
-          showSSOButton: true,
-          ssoButtonText: "Login via SSO"
+          enforceOIDC: false
         };
         await getPluginStore().set({ key: "settings", value: settings });
       }